Introduction
Starting from version 5.8, it is possible to set up vSEC:CMS with all its features without requiring a license, referred to as an evaluation version. You can migrate to a licensed version if you wish to manage your credentials using vSEC:CMS in the future without reconfiguring all settings made during the evaluation phase.
This article will guide you through the following steps:
- Installing vSEC:CMS
- Setting up a connection to your Active Directory
- Setting up a connection to your PKI
- Configuring a credential template to issue a Windows logon certificate to any supported credential
- Issuing a Windows logon certificate to a credential
- Logging onto a Windows client using the issued credential.
The PKI utilized here will be a Microsoft Certificate Authority (CA). If another CA is to be used, please refer to the Administration guide for details on configuring a connection to such a CA.
Hardware Requirements
vSEC:CMS can be installed on the following server platforms:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Virtual servers are supported.
Server Minimum Hardware Requirement:
- Processor: 2 GHz or faster
- RAM: 8 GB or greater
- Storage OS: 40 GB or greater
- Storage DB: 2GB or greater
- Connection: Gigabit Ethernet
For optimal vSEC:CMS Server performance, the following hardware requirements are recommended:
- Processor: Intel Xeon with 2 GHz or faster
- RAM: 16 GB or greater
- Storage OS: 40 GB or greater
- Storage DB: 2GB or greater
- Connection: Gigabit Ethernet
For optimal vSEC:CMS Client performance, the following hardware requirements are recommended:
- Processor: Intel i5 with 1.90 GHz or faster
- RAM: 4 GB or greater
- Storage OS: 40 GB or greater
- Connection: Gigabit Ethernet
Software Requirements
Depending on the credential that you are using it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
For versions before 6.0, Microsoft .NET Framework 4.7.2 should be installed on any host where vSEC:CMS components are installed. From version 6.0 and above Microsoft .NET Framework 4.8 should be installed.
You can validate what version of Microsoft .NET Framework is installed on your host by running the PowerShell command below to see the full version information:
PS C:\> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version
Installing Server Software
It is recommended to perform all setup and configuration tasks directly on the server where vSEC:CMS is installed.
Installation Steps:
- Connect to the server where vSEC:CMS is installed via Remote Desktop Protocol (RDP).
- Launch the vSECCMS_Setup_X.Y.Z.exe installer and accept the license agreement by selecting I Agree.
- Select Server: Installation of the Server to install the server component (including the Admin Application), then click Next.
- Install the software by either accepting the default location or selecting a custom location, then clicking the Install button.
- Once the installation is complete, click Close to finish.
The installation is now complete; launch the vSEC:CMS Admin Application from the desktop shortcut.
Note
It is possible to install silently by running the installer in PowerShell with /S as a parameter:
PS C:\> .\vSECCMS_Setup_X.Y.Z.exe /S
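The .NET Framework check above and the silent install note can be combined into one pre-flight script. The following is an added example and not part of the vSEC:CMS documentation or installer: it reads the .NET Framework 4.x Release value (Microsoft documents 461808 as the minimum for 4.7.2 and 528040 for 4.8), verifies the installer's Authenticode signature and, optionally, a SHA-256 hash, and only then runs the installer with /S. The installer path, the version being installed and the hash are placeholders; the signer subject is printed so you can compare it with what the vendor states, rather than asserted in the script.

```powershell
# Added example (not part of the vSEC:CMS documentation or installer): pre-flight checks before a
# silent install. The installer path, version and expected hash below are placeholders.
param(
    [string]$Installer    = 'C:\Install\vSECCMS_Setup_X.Y.Z.exe',   # placeholder path
    [version]$VsecVersion = '6.0',                                   # vSEC:CMS version being installed
    [string]$ExpectedSha256                                          # optional, if the vendor publishes one
)

function Get-DotNetFrameworkRelease {
    # The Release DWORD under NDP\v4\Full identifies the installed .NET Framework 4.x build.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

function Test-DotNetRequirement {
    param([version]$VsecVersion)
    $release = Get-DotNetFrameworkRelease
    if (-not $release) { Write-Warning '.NET Framework 4.x is not installed'; return $false }
    # Minimum Release values documented by Microsoft: 4.7.2 = 461808, 4.8 = 528040.
    $required = if ($VsecVersion -ge [version]'6.0') { 528040 } else { 461808 }
    if ($release -lt $required) {
        Write-Warning "Installed .NET Release $release is below the required $required"
        return $false
    }
    return $true
}

function Test-InstallerIntegrity {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Installer not found: $Path"; return $false }
    # Refuse to run an installer whose Authenticode signature does not validate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Authenticode signature status is '$($sig.Status)'; refusing to install"
        return $false
    }
    Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            Write-Warning "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
            return $false
        }
    }
    return $true
}

if (-not (Test-DotNetRequirement -VsecVersion $VsecVersion)) { exit 1 }
if (-not (Test-InstallerIntegrity -Path $Installer -ExpectedSha256 $ExpectedSha256)) { exit 1 }

# Silent install as in the note above; wait for completion and surface the exit code.
$proc = Start-Process -FilePath $Installer -ArgumentList '/S' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Warning "Installer exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}
Write-Host 'vSEC:CMS installed silently'
```

Run it from an elevated PowerShell on the target server; a non-zero exit code from the installer is propagated so the script can be used from a deployment tool.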
First Time Startup
When launching the vSEC:CMS Admin Application for the first time, you will encounter a message prompting you to create a passcode since none has been set yet.
Setting Up a Passcode
For security reasons, it is crucial to establish a passcode during this stage. Please follow these steps:
- Select Yes when prompted.
- Set up a passcode to log into the vSEC:CMS Admin Application.
Creation of System Owner Hardware Credential
In the evaluation version, creating a System Owner (SO) credential is optional, but highly recommended. This credential is crucial for migrating to the Production license version, and any hardware credential supported by vSEC:CMS can be utilized for this purpose.
Preparation Steps:
- Ensure that your host has the necessary credential drivers installed.
- If you are working over RDP, enable RemoteFX USB Redirection on the vSEC:CMS server; this makes the credential attached to your client available to the server through the RDP session.
- Before proceeding, confirm the existence of a credential configuration for the intended credential. Refer to the Add Credential Configuration article for guidance.
Adding System Owner Credential:
- Navigate to the File menu and select Add System Owner Card.
- With a supported credential connected to your host, select the credential from the reader list.
- If using a PIV-supported credential as an SO credential, you must first register it.
Generating Random Unblock Key:
- Click the Random button to allow vSEC:CMS to generate a random unblock key.
- Save this information to a secure location for future unblocking needs.
- Enter a PIN and confirm.
- Uncheck the Activate production license or subscription checkbox if you are using the evaluation version.
- Click the Add button.
Completion of the Process:
- After the process is complete, a summary dialog will describe which steps were performed.
- The credential is now fully managed by vSEC:CMS.
Resetting SO Credential:
- To reset the SO credential to its factory settings, use tools provided by the credential vendor.
- If not provided, resetting the credential is not possible.
- In evaluation mode, the SO credential can be restored to its default state by navigating to Options - Operators, selecting the System Owner, and clicking Delete.
Post-Creation Tasks:
- After creating the SO, issue at least one Operator Credential (OC) with a System Administrator role.
- Refer to the Manage Operator Credential article for further details.
Setting Up Connections
vSEC:CMS needs a connection to Active Directory (to assign users) and to the CA (to enroll certificates) before it can issue credentials. The steps below configure both.
Preparation Steps:
- Ensure that the vSEC:CMS service is configured to run under a dedicated Windows domain user account. For detailed instructions, refer to the article Configure Dedicated Windows Service Account.
- Confirm that all configurations for the Active Directory Certificate Services CA are in place. Detailed instructions are provided in the article Configure Active Directory Certificate Services.
Adding Active Directory Connection:
- Go to Options > Connections.
- Click Add, choose Active Directory, and click Ok.
- Enter a name for the connection template.
- Select Use current user credentials if the vSEC:CMS server is domain-joined and the account you are logged on with can query Active Directory.
- Choose the directory server from the dropdown list and click Test to verify the connection. The test should succeed and directory lookups should work.
- If the server is not joined to the domain, uncheck Use current user credentials and enter the AD hostname or IP address and the user name and password to connect with.
- Click Save to save and close the configuration.
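The Test button performs a bind and a directory lookup. The same check can be reproduced outside the Admin Application, which helps when the connection fails and you want to separate network, authentication and permission problems. The following is an added example, not part of the vSEC:CMS documentation: it binds to the directory server with either the current user's credentials or an explicit account (mirroring the two options in the dialog), requests a signed and sealed bind rather than a cleartext simple bind, and resolves one account's distinguished name and userPrincipalName. The server name, account and credentials are placeholders.

```powershell
# Added example, not from the vSEC:CMS documentation. Reproduces the connection test: bind to the
# directory server and resolve one account. Server, account and credential values are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a crafted account name cannot alter the search filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-VsecAdConnection {
    param(
        [Parameter(Mandatory)][string]$Server,          # AD hostname or IP, as entered in the dialog
        [Parameter(Mandatory)][string]$SamAccountName,  # account to look up
        [pscredential]$Credential                       # omit to behave like "Use current user credentials"
    )
    $path = "LDAP://$Server"
    # Secure = Kerberos/NTLM bind (no cleartext password); Sealing = encrypt the LDAP traffic.
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::Sealing
    if ($Credential) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password, $authType)
    } else {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $authType)
    }
    try {
        # Touching NativeObject forces the bind; it throws if the server is unreachable or the bind is rejected.
        $null = $entry.NativeObject
    } catch {
        Write-Warning "Bind to $Server failed: $($_.Exception.Message)"
        return $null
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userPrincipalName'))
    $result = $searcher.FindOne()
    if (-not $result) { Write-Warning "No user with sAMAccountName '$SamAccountName'"; return $null }

    [pscustomobject]@{
        Server            = $Server
        DistinguishedName = $result.Properties['distinguishedname'][0]
        UserPrincipalName = $result.Properties['userprincipalname'][0]
    }
}

# Usage (placeholder values). Current user, as on a domain-joined server:
Test-VsecAdConnection -Server 'dc01.corp.example' -SamAccountName 'jdoe'
# Explicit account, as when the server is not joined to the domain:
# Test-VsecAdConnection -Server '10.0.0.5' -SamAccountName 'jdoe' -Credential (Get-Credential 'CORP\svc-vseccms')
```

The userPrincipalName is worth checking here because the Windows logon certificate issued later carries the user's UPN in its Subject Alternative Name, and the domain controller maps the certificate to the account through that value.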
Adding Certification Authority Connection:
- Navigate to Options > Connections.
- Click on Add and select Certificate Authorities, then click OK.
- Enter a template name and select Windows CA (Microsoft Enterprise Certification Authority) from the drop-down list.
- Click the Select CA button to choose how the CA is located.
- If vSEC:CMS is installed on a server within the domain, select Use from domain.
- If vSEC:CMS is not installed on a server within the domain, select Use specific server and enter the details of the domain controller.
- Click OK to save and close.
- Verify CA details in the Enterprise CA Server by clicking the Templates button and selecting the Show all checkbox.
- Click the Update button to verify the necessary certificate templates are available in your environment.
- Enable the Sign server side checkbox in the Enrollment Agent section.
- Click the Request button to request the Enrollment Agent certificate.
- If multiple EA templates exist, select the desired one for vSEC:CMS.
- An EA certificate will be issued to the dedicated vSEC:CMS service account. Because an Enrollment Agent certificate allows its holder to request certificates on behalf of other users, treat this service account as a high-value account: restrict who can log on with it, and use the CA's enrollment agent restrictions to limit which templates and which users it may enroll for.
- Click Save to apply the changes and close the dialog.
If you cannot connect to the CA or retrieve its templates, verify that the vSEC:CMS server can reach the CA over DCOM/RPC: open PowerShell as administrator on the server where vSEC:CMS is installed and run the following, which should return the list of certificate templates published on the Microsoft CA:
$certAdmin = New-Object -ComObject CertificateAuthority.Admin
$certAdmin.GetCAProperty("[FQDN-CA-Server]\[CA-Friendly-Name]", 0x1D, 0, 4, 0)
Where "[FQDN-CA-Server]\[CA-Friendly-Name]" is the configuration string of the CA you selected in the connection dialog. The property ID 0x1D is CR_PROP_TEMPLATES and the value 4 requests it as a string; the result lists each template name followed by its OID, one per line.
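The raw string returned by GetCAProperty is hard to read when a CA publishes many templates. The following is an added example, not part of the vSEC:CMS documentation: it wraps the same COM call in a function, parses the name/OID pairs, and checks that the templates this guide depends on (a smart card logon template and an Enrollment Agent template) are published. The config string is a placeholder, and the default template names SmartcardLogon and EnrollmentAgent are assumptions; pass the names of the templates in your own CA. Reading CA properties requires Read permission on the CA, so running this as the vSEC:CMS service account (for example under runas) also verifies that account's access.

```powershell
# Added example, not part of the vSEC:CMS documentation. Config string and template names are placeholders.
function Get-CaTemplate {
    param([Parameter(Mandatory)][string]$Config)   # "[FQDN-CA-Server]\[CA-Friendly-Name]"
    $certAdmin = New-Object -ComObject CertificateAuthority.Admin
    try {
        # CR_PROP_TEMPLATES (0x1D) requested as PROPTYPE_STRING (4): newline-separated name/OID pairs.
        $raw = $certAdmin.GetCAProperty($Config, 0x1D, 0, 4, 0)
    } catch {
        Write-Warning "GetCAProperty failed for '$Config': $($_.Exception.Message)"
        return
    }
    $tokens = @($raw -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    for ($i = 0; $i + 1 -lt $tokens.Count; $i += 2) {
        [pscustomobject]@{ Name = $tokens[$i]; Oid = $tokens[$i + 1] }
    }
}

function Test-VsecCaTemplates {
    param(
        [Parameter(Mandatory)][string]$Config,
        # Default Windows template names; replace with the names used in your CA.
        [string[]]$Required = @('SmartcardLogon', 'EnrollmentAgent')
    )
    $published = @(Get-CaTemplate -Config $Config)
    if ($published.Count -eq 0) {
        Write-Warning 'No templates returned; check DCOM access, CA Read permission and the config string'
        return
    }
    foreach ($name in $Required) {
        [pscustomobject]@{ Template = $name; Published = ($published.Name -contains $name) }
    }
}

# Usage (placeholder config string):
Get-CaTemplate -Config 'ca01.corp.example\Corp-Issuing-CA' | Format-Table
Test-VsecCaTemplates -Config 'ca01.corp.example\Corp-Issuing-CA'
```

A template that is present on the CA but not listed here has not been published (issued) by the CA; publishing it is done in the Certification Authority console under Certificate Templates, which is what the Templates button in vSEC:CMS reads.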
Credential Configuration
A card template defines which credential type is issued and which operations are performed during issuance, such as assigning the user from Active Directory and enrolling certificates.
Creating Card Templates:
- From Templates > Card Templates, click the Add button.
- Click the Edit link beside General to configure general options.
- Enter a template name, and click Detect. Make sure that you have attached the credential that is to be issued and the correct reader is selected. Click Ok to save and close.
- Leave all other settings as default, and click OK to save and close.
Configuring Issue Card:
- Click the Edit link beside Issue Card.
- Enable Assign user ID in the User ID Options section and select the Active Directory connection configured earlier.
- Enable Enroll certificate(s) in the Enroll Certificate Options section.
- Click the Add button, select the Smartcard Logon certificate template created earlier, and click OK.
- Leave other settings as is and click OK to save and close.
Saving Template Configuration:
Click OK to save and close the template configuration dialog.
Issuing Credential
Depending on the credential that you are using, it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Initiating Credential Issuance:
- From the Lifecycle page, attach a blank credential to your host.
Executing Issuance:
- Click the Issued oval and select the template from the Select card template drop-down list.
- Click Execute.
- Enter your System Owner passcode and select the user from AD for the credential issuance.
- Review the summary dialog of the performed operations.
Activating Credential:
- The credential PIN will be blocked by default.
- Click the Active oval and click Execute.
- Authenticate and set a PIN meeting the policy supported on the credential.
Once completed, the credential can be used to log onto the domain environment.
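Before trying the domain logon, it is worth inspecting the certificate that was just issued for the properties Windows smart card logon depends on. The following is an added example, not part of the vSEC:CMS documentation: run on the Windows client with the credential inserted, it picks the certificates the certificate propagation service has copied into the current user's store, and for each reports whether the Smart Card Logon and Client Authentication EKUs are present, extracts the UPN from the Subject Alternative Name, and builds the chain with online revocation checking, as the domain controller will when validating the logon. It relies on Windows' crypt32 formatting of the SAN extension ("Principal Name=...") to read the UPN.

```powershell
# Added example, not part of the vSEC:CMS documentation: inspects an issued certificate for the
# properties Windows smart card logon relies on. Run on the client with the credential inserted.
Add-Type -AssemblyName System.Security

function Test-SmartCardLogonCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Extended Key Usage (2.5.29.37): smart card logon needs 1.3.6.1.4.1.311.20.2.2 and/or client auth.
        $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

        # The UPN is an otherName (1.3.6.1.4.1.311.20.2.3) in the SAN (2.5.29.17); crypt32 formats it
        # as "Principal Name=user@domain", which is what the regex below reads.
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $upn = $null
        if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }

        # Build the chain with online revocation checking, as the KDC does for the logon.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($Certificate)

        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Issuer         = $Certificate.Issuer
            NotAfter       = $Certificate.NotAfter
            HasPrivateKey  = $Certificate.HasPrivateKey   # true when the key is reachable via the card's CSP/KSP
            SmartCardLogon = $ekus -contains '1.3.6.1.4.1.311.20.2.2'
            ClientAuth     = $ekus -contains '1.3.6.1.5.5.7.3.2'
            Upn            = $upn
            ChainValid     = $chainOk
            ChainStatus    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
}

# Usage: inspect every certificate in the user's store that is backed by a private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Test-SmartCardLogonCertificate |
    Format-List
```

If the certificate looks right but the logon still fails, the remaining prerequisites are on the domain side: the issuing CA's certificate must be in the NTAuth store (certutil -viewstore -enterprise NTAuth), and the domain controller must hold a valid Domain Controller Authentication or Kerberos Authentication certificate (certutil -dcinfo verify).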