Manage BIO Supported Credential

Anthony - Versasec Support

Before beginning this article, you must have completed the article Install and Configure vSEC:CMS on First Use.

Biometrics (BIO) here means identifying an individual from their unique fingerprint. The user's fingerprint must be verified before security tasks can be performed with the credential, such as credential logon to a workstation or creating a digital signature.

vSEC:CMS can manage the lifecycle of credentials that carry a BIO applet. Follow the instructions in this article to configure support for managing such credential tokens.

Important
Currently, the management of the Morpho ypsID S3 BIO credential is supported.
Important
The Sagem ypsID S3 and Idemia ypsID S3 Bio drivers must be installed on every host from which the credentials will be managed.

Step 1 – Configure Credential Type

Navigate to the Options – Credentials page. Attach the credential that is to be managed and wait a few moments for the system to read the credential and filter the list for it.

If the credential is already in the list of supported credential configurations, the list is filtered to that credential type and it is shown as selected. You can then skip to the next step.

If the credential is not auto-selected, click the Add button, enter a template name and click Add again. With the credential attached, click the Get button so that the system auto-detects the ATR and Mask, then click Ok. In the Administration Key section select DES-EDE2(16) (two-key triple DES with a 16-byte key) as the Key type and enter 4B454E434558544155544841444D494E as the key on the credential both before and after registration; this hex string is the ASCII text KENCEXTAUTHADMIN, the administration key present on the credential as delivered. For Credential Access select Use native access if possible, then click Save to save and close.
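The following is an added example, not code from the Versasec article or from vSEC:CMS. It shows what the ATR and Mask detected above are for: a credential type matches when every byte of the inserted card's ATR that the mask marks as significant (FF) equals the template's ATR byte, while bytes masked with 00 (typically historical bytes that vary per card) are ignored. All ATR values below are constructed for illustration and are not the real ypsID S3 ATR; the function names are mine.

```powershell
# Added example (not from the article): ATR + mask matching as used to recognise a
# credential type. Constructed sample values; not the real ypsID S3 ATR.

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $clean = $Hex -replace '[\s:]', ''          # accept "3B 8A" or "3B:8A" or "3B8A"
    if ($clean.Length % 2) { throw "Odd-length hex string: $Hex" }
    [byte[]](0..($clean.Length / 2 - 1) | ForEach-Object {
        [Convert]::ToByte($clean.Substring(2 * $_, 2), 16)
    })
}

function Test-AtrMatch {
    param(
        [Parameter(Mandatory)][string]$CardAtr,      # ATR read from the inserted card
        [Parameter(Mandatory)][string]$TemplateAtr,  # ATR stored in the credential type
        [Parameter(Mandatory)][string]$Mask          # FF = byte must match, 00 = ignore byte
    )
    $card = [byte[]](ConvertFrom-HexString $CardAtr)
    $tpl  = [byte[]](ConvertFrom-HexString $TemplateAtr)
    $mask = [byte[]](ConvertFrom-HexString $Mask)
    if ($tpl.Length -ne $mask.Length) { throw 'Template ATR and mask must be the same length' }
    # A different ATR length already means a different card type
    if ($card.Length -ne $tpl.Length) { return $false }
    for ($i = 0; $i -lt $tpl.Length; $i++) {
        if (($card[$i] -band $mask[$i]) -ne ($tpl[$i] -band $mask[$i])) { return $false }
    }
    return $true
}

# Constructed values: the last two bytes of this (fictional) ATR vary per card,
# so the mask zeroes them out. Everything else must match exactly.
$templateAtr = '3B 8A 80 01 00 31 C1 73 C8 01 00 00 90 00 01 02'
$mask        = 'FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00'

# Same card type, different per-card trailing bytes: matches
Test-AtrMatch -CardAtr '3B 8A 80 01 00 31 C1 73 C8 01 00 00 90 00 07 1A' -TemplateAtr $templateAtr -Mask $mask
# Different byte inside the significant region: does not match
Test-AtrMatch -CardAtr '3B 8A 80 01 00 31 C1 74 C8 01 00 00 90 00 01 02' -TemplateAtr $templateAtr -Mask $mask
# Shorter ATR: does not match
Test-AtrMatch -CardAtr '3B 8A 80 01 00 31 C1 73' -TemplateAtr $templateAtr -Mask $mask
```

Keep the mask as tight as the credential family allows: every byte you mask out is a byte an unrelated card could share, so an over-broad mask can make the CMS treat a different card as this credential type.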

Step 2 – Configure BIO Policy

Navigate to Templates – BIO Policies and click the Add button. Enter a template name and for Credential type select the ypsID S3 credential.

The User Verification Method (UVM) sets how the user authenticates to the credential before performing a security task such as Windows credential logon. The available methods are:

PIN only: the user can authenticate to the credential only by entering the credential PIN.

Fingerprint only: the user can authenticate to the credential only by presenting an enrolled fingerprint.

Fingerprint or PIN: the user can authenticate with either the PIN or a fingerprint; presenting one of the two is sufficient.

Fingerprint and PIN: the user must present both the PIN and a fingerprint; neither factor alone is accepted.

In the Number of false fingerprint verifications before block field, enter how many failed fingerprint verifications are allowed before the credential is blocked.

In the Min. required number of fingerprints field, enter the minimum number of fingerprints that must be enrolled on the credential.

In the Max. number of fingerprint templates field, enter the maximum number of fingerprint templates that may be enrolled on the credential.

In the Allowed Fingers window, select or deselect the fingers the user may use when enrolling their fingerprints.
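The following is an added example, not code from the Versasec article or from vSEC:CMS. It models the four UVM choices and the false-fingerprint counter so the difference between "Fingerprint or PIN" and "Fingerprint and PIN" is concrete, and so the effect of the block threshold is visible. The real enforcement happens in the applet on the card; this is a simulation. Assumptions that are mine and not the article's: a successful fingerprint match resets the false-fingerprint counter, PIN retry handling is left out of the model, and every function and property name is illustrative.

```powershell
# Added example (not from the article): simulation of UVM policy evaluation and the
# "Number of false fingerprint verifications before block" counter. Names are mine.

enum Uvm {
    PinOnly
    FingerprintOnly
    FingerprintOrPin
    FingerprintAndPin
}

function New-BioCredentialState {
    param(
        [Parameter(Mandatory)][Uvm]$Uvm,
        [int]$FalseFingerprintsBeforeBlock = 5   # the BIO policy field from Step 2
    )
    [pscustomobject]@{
        Uvm                   = $Uvm
        MaxFalseFingerprints  = $FalseFingerprintsBeforeBlock
        FalseFingerprintsLeft = $FalseFingerprintsBeforeBlock
        Blocked               = $false
    }
}

# $PinOk / $FingerprintOk: $true = presented and verified, $false = presented and
# rejected, $null = that factor was not presented. Returns $true only when the
# credential's UVM policy is satisfied.
function Test-UserVerification {
    param(
        [Parameter(Mandatory)]$State,
        [nullable[bool]]$PinOk = $null,
        [nullable[bool]]$FingerprintOk = $null
    )
    if ($State.Blocked) { return $false }   # a blocked credential accepts nothing

    # Fingerprint attempts only count when the policy allows fingerprints at all
    if ($State.Uvm -ne [Uvm]::PinOnly -and $null -ne $FingerprintOk) {
        if ($FingerprintOk) {
            # Assumption: a good match resets the counter, as PIN retry counters do
            $State.FalseFingerprintsLeft = $State.MaxFalseFingerprints
        } else {
            $State.FalseFingerprintsLeft--
            if ($State.FalseFingerprintsLeft -le 0) {
                $State.Blocked = $true
                return $false
            }
        }
    }

    $pin = ($PinOk -eq $true)
    $fp  = ($FingerprintOk -eq $true) -and ($State.Uvm -ne [Uvm]::PinOnly)
    switch ([string]$State.Uvm) {
        'PinOnly'           { return $pin }
        'FingerprintOnly'   { return $fp }
        'FingerprintOrPin'  { return ($pin -or $fp) }
        'FingerprintAndPin' { return ($pin -and $fp) }
    }
}

# Walk-through with "Fingerprint and PIN" and a block threshold of 3.
$card = New-BioCredentialState -Uvm FingerprintAndPin -FalseFingerprintsBeforeBlock 3
Test-UserVerification $card -PinOk $true                         # PIN alone is not enough under AND
Test-UserVerification $card -PinOk $true -FingerprintOk $true    # both factors presented and verified
1..3 | ForEach-Object {                                          # three rejected fingerprints in a row
    Test-UserVerification $card -PinOk $true -FingerprintOk $false
}
$card.Blocked                                                    # the third rejection blocked the card
Test-UserVerification $card -PinOk $true -FingerprintOk $true    # a blocked card rejects even good factors

# Same inputs under "Fingerprint or PIN": a correct PIN is sufficient on its own.
$card2 = New-BioCredentialState -Uvm FingerprintOrPin
Test-UserVerification $card2 -PinOk $true
```

The walk-through is the point to keep in mind when choosing the block threshold: under Fingerprint and PIN, a user who keeps failing the sensor locks the whole credential, including PIN-based logon, so the threshold and the unblock procedure need to be planned together.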

Step 3 – Configure Credential Template

1. From Templates – Credential Templates click the Add button.

2. Click the Edit link for General.

3. Enter a template name and attach the credential token that is to be issued and click the Detect button to allow the vSEC:CMS to detect the credential token type that is to be used for this credential template. Click Ok to close the dialog.

4. Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.

5. Click the Edit link for Issue Credential.

6. From User ID Options section enable Assign User ID and select the AD connection already configured.

7. From BIO Options enable the Apply BIO Policy checkbox and select the BIO policy already created in the previous step from the drop-down list.

8. From the Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list, select the credential logon certificate template as configured on your CA from the Certificate template list (this example uses a credential logon certificate template), and click Ok to save and close the dialog.

9. Allow all other defaults for the Issue Credential dialog and click Ok to save and close.

10. Click the Edit link for Initiate Credential and enable the Enroll fingerprints option.

11. Click Ok to save and close the credential template configuration.

Important
The Windows credential logon certificate template on the CA must be configured to require an authorized signature, so that a request for this template is only issued when it is co-signed by a Certificate Request Agent (enrollment agent). On the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures, set it to 1, and select Certificate Request Agent in the Application policy drop-down list.
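The following is an added example, not code from the Versasec article or from vSEC:CMS. It verifies from PowerShell that the template really carries the issuance requirement described above, by reading the template object from the Configuration partition: msPKI-RA-Signature holds the number of authorized signatures, and msPKI-RA-Application-Policies must reference the Certificate Request Agent application policy OID 1.3.6.1.4.1.311.20.2.1. Assumptions: the ActiveDirectory RSAT module is installed, the caller can read the Configuration partition, and the template name BIOSmartcardLogon is a placeholder for your own template.

```powershell
# Added example (not from the article): confirm a certificate template requires
# N Certificate Request Agent signatures. Requires the ActiveDirectory module.

function Test-TemplateRequiresEnrollmentAgent {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # template name or display name
        [int]$ExpectedSignatures = 1
    )
    $requestAgentOid = '1.3.6.1.4.1.311.20.2.1'       # Certificate Request Agent

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Templates are stored by their internal name (cn); accept the display name too.
    $tpl = Get-ADObject -SearchBase $container `
        -LDAPFilter "(|(cn=$TemplateName)(displayName=$TemplateName))" `
        -Properties 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'displayName'
    if (-not $tpl) { throw "Certificate template '$TemplateName' not found in $container" }
    if (@($tpl).Count -gt 1) { throw "More than one template matched '$TemplateName'" }

    $signatures = [int]($tpl.'msPKI-RA-Signature' | Select-Object -First 1)

    # V3/V4 templates pack this attribute as a string such as
    # "msPKI-RA-Application-Policies`PZPWSTR`1.3.6.1.4.1.311.20.2.1`",
    # so look for the OID text rather than comparing whole values.
    $raPolicies      = (@($tpl.'msPKI-RA-Application-Policies') -join ';')
    $hasRequestAgent = [bool]($raPolicies -match [regex]::Escape($requestAgentOid))

    $result = [pscustomobject]@{
        Template             = $tpl.displayName
        AuthorizedSignatures = $signatures
        RequestAgentPolicy   = $hasRequestAgent
        Compliant            = ($signatures -eq $ExpectedSignatures) -and $hasRequestAgent
    }
    if (-not $result.Compliant) {
        Write-Warning ("Template '{0}' does not require {1} Certificate Request Agent signature(s). " +
                       "Fix it on the template's Issuance Requirements tab before issuing credentials.") `
                       -f $result.Template, $ExpectedSignatures
    }
    return $result
}

# Placeholder template name; substitute the template selected in step 8 above.
Test-TemplateRequiresEnrollmentAgent -TemplateName 'BIOSmartcardLogon'
```

Run this from a domain-joined host as a user who can read the Configuration partition (any domain user can by default). A template that returns Compliant = False will let a client that can enroll for the template request a logon certificate directly, without the enrollment agent co-signature this article relies on.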

Step 4 – Issue the Credential Token

We can now issue the credential token.

If you wish to centrally issue the credential token you can do this by navigating to the Lifecycle page and issuing the credential token like you would any other credential token.

Alternatively, if you wish to issue the credential token via a self-service mechanism, you can do this using the vSEC:CMS USS application. Again, this is the same procedure as issuing any token via self-service. If you plan to use self-service, you need to enable this support in the credential template.

In either case, whether issuing centrally or via self-service, when attempting to initiate the credential the user will be prompted to enroll their fingerprint.