From version 6.10 it is possible to write custom data onto a user's credential. There may be use cases where you want to write custom data to a credential that a custom application can then read and check as an additional step when authenticating or authorizing a user.
This article describes how to configure and use this feature.
The credential type needs to support the Microsoft Minidriver (MD) specification in order to use this feature.
At a minimum you must already have successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document apply regardless of whether you are running the evaluation version or a production version.
The appropriate credential drivers (MD) must be installed on your host. Check with the credential provider that you have the correct credential drivers installed.
Configure Smart Card Access
Typically the smart card access is already set to the correct type, but for completeness we cover it here.
From Options - Smart Card Access attach an MD credential that you will manage with the vSEC:CMS. The vSEC:CMS will filter the card type and present the entry in the table. There are several different types of MD credentials, so the entry that is filtered depends on the credential type. For example, if you are managing an IDPrime MD 830 credential you would see an entry as shown below.
Click the Edit button and for Smart Card Access make sure that Use minidriver if possible is selected and click Save to save and close.
If the table is empty when you attach the credential, follow the instructions in the article Add Credential Configuration, which explains how to add the correct template for the card type that you use.
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name, attach an MD credential that is to be managed by this template, click the Detect button and wait for the vSEC:CMS to detect that it is an MD credential, then click Ok.
Check Enable custom data on card, leave all other settings at their defaults and click Ok to save and close.
2. Click the Edit link beside Issue Card and configure how you wish the card to be issued: where the user should be provisioned from and which certificates (if any) should be issued. This article assumes the reader is familiar with using card templates within vSEC:CMS.
3. At the bottom of the Template Details you should see Custom Data on Card. Click the Edit link to configure the settings for the custom data.
Click the Configure button.
The Filename is the name of the file that is actually written to the credential. The name can be changed if required.
The Permissions setting is shown for information purposes only. Writing or editing the contents of the file requires administrative access on the credential; reading the contents does not require any special permissions.
The UI label is the label name used when views of the data are available from different locations of the Admin, Agent and User consoles of vSEC:CMS. The label name can be changed if required.
Click Add to configure the data that is to be collected and written to the credential. The ID is an automatically generated decimal internal unique ID for the record. The Key is the key identifier name for the record, and the Label is the name shown when the data is viewed from other locations of the Admin, Agent and User consoles of vSEC:CMS. You can enter a longer description in the Description field if required.
From Field Properties enable Mandatory if the field must have a value when the credential is issued. Enable Modify at issuance if it should be possible to change the data during issuance. Enable Modify at update if it should be possible to change the data during update flows. Enable Hidden in view to hide the data from the other locations of the Admin, Agent and User consoles of vSEC:CMS. Enable Hidden in issuance to hide the data during issuance. Enable Hidden in update to hide the data during update flows. For the Field Value you can enter a static value or a variable that maps to a directory attribute or an internal system attribute.
Enable Sign data using and select an already configured certificate signer object template (from Options - Connections - Object Signers) that will be used to sign the data to ensure data integrity. You can click Get global field list to get a list of all fields configured within vSEC:CMS, including their IDs and labels.
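As an added example that is not part of this article or of the vSEC:CMS product, the Go program below sketches the check a custom application should perform when it reads the custom data file back from a credential. Because reading the file needs no special permissions, the only thing that binds the values to your CMS is the signature configured under Sign data using; the program therefore verifies an ECDSA signature over a canonical encoding of the records before it looks at the Mandatory fields, and shows that a file whose value was edited without the signing key is rejected. The on-card file format, the JSON layout, the field names dept and clearance and the locally generated ECDSA key are all assumptions made for this example; the real encoding and the object signer's certificate come from your vSEC:CMS installation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Record mirrors the per-entry fields configured in the Custom Data on Card dialog
// (ID, Key, Label, Field Value). The real on-card encoding is not documented in the
// article; this example ASSUMES a JSON document holding the records plus a detached signature.
type Record struct {
	ID    int    `json:"id"`
	Key   string `json:"key"`
	Label string `json:"label"`
	Value string `json:"value"`
}

// CustomDataFile is the assumed layout of the file read back from the credential.
type CustomDataFile struct {
	Records   []Record `json:"records"`
	Signature []byte   `json:"signature"` // ASN.1 DER ECDSA signature over canonicalBytes(Records)
}

// canonicalBytes gives signer and verifier the same bytes to hash: records sorted
// by ID, each encoded as id, key and value separated by the ASCII unit separator.
func canonicalBytes(records []Record) []byte {
	sorted := append([]Record(nil), records...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].ID < sorted[j].ID })
	var b strings.Builder
	for _, r := range sorted {
		fmt.Fprintf(&b, "%d\x1f%s\x1f%s\n", r.ID, r.Key, r.Value)
	}
	return []byte(b.String())
}

// signRecords stands in for the object signer that vSEC:CMS applies when
// "Sign data using" is enabled; it runs at issuance, not inside the custom application.
func signRecords(priv *ecdsa.PrivateKey, records []Record) ([]byte, error) {
	digest := sha256.Sum256(canonicalBytes(records))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyCustomData is the check a custom application should run before acting on
// anything read from the card: the file is readable without privileges, so only a
// valid signature from the trusted signer ties the values to the CMS. After the
// signature check it enforces that every mandatory key is present and non-empty.
func VerifyCustomData(signerPub *ecdsa.PublicKey, raw []byte, mandatory []string) (map[string]string, error) {
	var f CustomDataFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, fmt.Errorf("custom data file is not well-formed: %w", err)
	}
	digest := sha256.Sum256(canonicalBytes(f.Records))
	if !ecdsa.VerifyASN1(signerPub, digest[:], f.Signature) {
		return nil, errors.New("custom data signature does not verify: do not trust these values")
	}
	values := make(map[string]string, len(f.Records))
	for _, r := range f.Records {
		values[r.Key] = r.Value
	}
	for _, k := range mandatory {
		if strings.TrimSpace(values[k]) == "" {
			return nil, fmt.Errorf("mandatory field %q is missing or empty", k)
		}
	}
	return values, nil
}

// Demo signs constructed sample records, verifies the genuine file, then shows that
// a copy whose value was rewritten without the signing key is rejected.
// It returns (genuineAccepted, tamperedRejected, err).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed signer key
	if err != nil {
		return false, false, err
	}
	records := []Record{ // constructed sample data
		{ID: 1, Key: "dept", Label: "Department", Value: "Finance"},
		{ID: 2, Key: "clearance", Label: "Clearance level", Value: "2"},
	}
	sig, err := signRecords(priv, records)
	if err != nil {
		return false, false, err
	}
	genuine, _ := json.Marshal(CustomDataFile{Records: records, Signature: sig})
	vals, err := VerifyCustomData(&priv.PublicKey, genuine, []string{"dept", "clearance"})
	genuineAccepted := err == nil && vals["clearance"] == "2"

	tampered := append([]Record(nil), records...)
	tampered[1].Value = "5" // value changed on the card, signature left as it was
	forged, _ := json.Marshal(CustomDataFile{Records: tampered, Signature: sig})
	_, err = VerifyCustomData(&priv.PublicKey, forged, nil)
	return genuineAccepted, err != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("genuine accepted:", ok, "tampered rejected:", rejected, "error:", err)
}
```

In a real deployment the public key would be taken from the object signer's certificate rather than generated locally, and the application should fail closed: if the signature or a mandatory field does not check out, the card contributes nothing to the authentication or authorization decision.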
From the Lifecycle page attach a blank MD credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Select the user from your directory and depending on how you configure the custom data enter the value(s) required.
At the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN is blocked by default, so you must set a PIN before the credential can be used. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential. Once this is done the credential can be used for whatever use case(s) you require in your environment.
The custom data on a credential can be viewed and edited/updated from different locations of the Admin, Agent and User applications.
From the Admin console you can see/edit the data from Actions - Custom Data on Card and Actions - Smart Card Information.
From the Agent console you can see the data from the Credential Info tab.
From the User application you can see the data from the Credentials Details dialog.