Introduction
From version 5.8 it is possible to set up vSEC:CMS S-Series (vSEC:CMS) with all of its features without requiring a license to use it. This will be referred to as an evaluation version. You can migrate to a licensed version if you wish to use vSEC:CMS to manage your credentials at a future time without having to reconfigure all of the settings you may have configured in this phase. This article will describe how you can set up and use vSEC:CMS in this evaluation phase. The article will cover the following:
- Install vSEC:CMS;
- Setup a connection to your Active Directory;
- Setup a connection to your PKI;
- Setup a credential template that will allow you to issue a Windows logon certificate to any credential that vSEC:CMS support;
- Issue a Windows logon certificate to a credential;
- Log onto a Windows client using the issued credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
Prerequisites
Hardware Requirements
The vSEC:CMS can be installed on the following server platforms:
- Microsoft Windows 2016 Server;
- Microsoft Windows 2019 Server;
- Microsoft Windows 2022 Server.
Virtual servers are supported.
The server minimum hardware requirement:
- At minimum 2 processors at 2 GHz or faster;
- Memory 8 GB RAM or greater;
- Available disk space on the server of 40 GB or greater for the operating system plus 2 GB or greater for the vSEC:CMS database.
For optimal performance the following hardware is recommended for the server where vSEC:CMS is installed:
- At minimum 2 Intel Xeon processors at 2 GHz or faster;
- Memory 16 GB or greater;
- Available disk space on the server of 40 GB or greater for the operating system plus 2 GB or greater for the vSEC:CMS database;
- Gigabit LAN (1,000 Mbit/s).
Client recommended hardware requirements for any workstation that the vSEC:CMS Operator Console is installed on:
- At minimum 2 Intel i7 processors at 3.6 GHz or faster;
- Memory 8 GB or greater;
- Gigabit LAN (1,000 Mbit/s).
Software Requirements
Depending on the credential that you are using it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
For versions prior to 6.0, Microsoft .NET Framework 4.7.2 must be installed on every host where vSEC:CMS components are installed. From version 6.0 onwards, Microsoft .NET Framework 4.8 is required.
You can validate which version of Microsoft .NET Framework is installed on your host by running the PowerShell command below to see the full version information:
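The following PowerShell is an added example (not part of the original article or Versasec's own tooling) that reads the .NET Framework 4.x Release value from the registry, maps it to a version and checks it against the vSEC:CMS requirement stated above. The Release thresholds are Microsoft's published minimum values for each version; the vSEC:CMS version passed at the end is an assumption for illustration.

```powershell
# Added example (not from the article): report the installed .NET Framework 4.x version
# and check it against the vSEC:CMS prerequisite (4.7.2 before 6.0, 4.8 from 6.0 onwards).
# Release-to-version mapping uses Microsoft's published minimum Release values.

function Get-NetFrameworkVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.Release) {
        return [pscustomobject]@{ Release = 0; Version = $null; Name = 'No .NET Framework 4.5 or later installed' }
    }
    $name = switch ($props.Release) {
        { $_ -ge 533320 } { '4.8.1 or later'; break }
        { $_ -ge 528040 } { '4.8'; break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 461308 } { '4.7.1'; break }
        { $_ -ge 460798 } { '4.7'; break }
        default           { 'Older than 4.7' }
    }
    [pscustomobject]@{ Release = $props.Release; Version = $props.Version; Name = $name }
}

function Test-VsecCmsNetPrerequisite {
    param([Parameter(Mandatory)][version]$VsecCmsVersion)
    # Minimum Release values: 461808 = .NET Framework 4.7.2, 528040 = .NET Framework 4.8
    $required  = if ($VsecCmsVersion -ge [version]'6.0') { 528040 } else { 461808 }
    $installed = Get-NetFrameworkVersion
    [pscustomobject]@{
        VsecCmsVersion   = $VsecCmsVersion
        Installed        = "$($installed.Name) (Release $($installed.Release), $($installed.Version))"
        RequiredRelease  = $required
        MeetsRequirement = $installed.Release -ge $required
    }
}

# Check this host before installing a 6.x release (the version number here is an assumption).
Test-VsecCmsNetPrerequisite -VsecCmsVersion '6.0'
```

Run it on every host that will carry a vSEC:CMS component, not only the server: the Operator Console workstation has the same .NET requirement.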
Setup
It is recommended that you perform ALL setup and configuration tasks directly on the server where you have installed vSEC:CMS.
1. RDP to the server where vSEC:CMS is to be installed and start the installer vSECCMS_Setup_X.X.X.exe and select I Agree to consent to the license agreement, where X.X.X is the specific version you are deploying;
2. Select Server: Installation of the Server component (including Admin application) to install the server component and click Next;
3. Accept the default location for the installation or change this if required and click Install;
4. Once complete click Close to finish.
We now have a fully installed version of vSEC:CMS and we can start the Operator Console (OC) from the shortcut icon on the desktop.
It is possible to install silently if this is required. Run the installer with /S as a parameter, for example: vSEC_CMS_Setup.exe /S
First Time Startup
On starting the OC for the first time you will receive a message dialog prompting you to create a passcode as no passcode has been set.
It is important to set one up at this stage to protect access even in this evaluation phase. Select Yes and create a passcode that will be used to log onto the OC.
Creation of System Owner Hardware Credential
It is not mandatory for the evaluation version to create a System Owner (SO) credential. We strongly recommend creating the System Owner credential since it will be a mandatory step to migrate to the Production license version. Any of the vSEC:CMS supported hardware credentials can be used for this step.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
From the File menu select Add System Owner Card. With a supported credential connected to your host you should select the credential from the reader list.
If you are using a PIV supported credential then it will be necessary to register the credential before it can be issued as an SO credential. Click the link to register the credential (as in the example below) before you complete the remaining steps.
Click the Random button to allow vSEC:CMS to generate a random unblock key and click the Copy button. You should save this information to a secure location as this may be needed in the future if you need to unblock the credential. Enter a PIN and confirm. Uncheck the Activate production license or subscription checkbox as you are still using the evaluation version and click the Add button. Below is an example of how the setting would look.
Once complete a summary dialog will appear describing what steps were performed. The credential will then be managed by vSEC:CMS. If you wish to revert to passcode-only access to vSEC:CMS, go to Options - Operators, select the System Owner in the table and click the Delete button.
Once you have created the SO you should issue at minimum one operator credential with the role System Administrator. Please refer to the article Manage Operator Credential for details on this.
Connection Configurations
Before beginning the next steps it is important that the vSEC:CMS service is configured to run under a dedicated Windows domain account. Follow the instructions in the article Configure Dedicated Windows Service Account for details on this.
AD Configuration
1. From Options - Connections click Add and select Active Directory and click Ok.
2. Enter a template name and presuming that vSEC:CMS is on a server that can access the AD it is recommended to select Use current user credentials. In the Server drop-down list select the AD you wish to use and click the Test button to verify that you can connect to and find a user in your AD.
vSEC:CMS only performs read operations against AD, so the account used for this connection needs read access only; do not grant it write permissions.
If you are not connected to AD then you can uncheck Use current user credentials and manually enter an AD hostname/IP address and user and password to connect with.
Click Save to save and close the configuration.
CA Configuration
Prerequisites
Versasec is not responsible for CA configuration and setup. It is expected that a skilled PKI engineer is performing these tasks. Information provided here is only as a guide.
Before going into the details on how to configure the CA connection in vSEC:CMS it is important that you have made the necessary configurations on the CA. For the purposes of the example use case described in this article we will need to have the following CA templates available:
- Enrollment Agent (EA) template;
- Windows logon template.
It is required to have an EA certificate available when an operator or a user, via the self-service, is issuing a certificate to their credential from a Microsoft CA. The EA certificate is issued to the account that the vSEC:CMS service runs under. By default that is the local System account on the server where vSEC:CMS is installed; if you followed the instructions above to run the service under a dedicated Windows domain account, the EA is issued to that dedicated account instead, and it is that account that must be allowed to enroll for the EA template.
If the connection configured in step 2 of CA Connection Configuration below was Use specific server then you would need to issue the EA to the Windows account configured for the connection.
In the CA you will need to have an EA template configured for this account. You can do this, for example, by making a duplicate of the default EA template on the CA. It is required to give the account permissions on the CA template to enroll. Below is an example of how this can be done:
On the CA snap-in select Manage to create the new template.
Right click the default template Enrollment Agent and select Duplicate Template.
You can leave all settings in their default state except for the permissions on the actual template. From the Security tab click the Add button. Presuming that you followed the instructions to setup vSEC:CMS service to run under a dedicated Windows account, add that account and at minimum give it Enroll permission.
Click Apply and Ok to save and close. You should then publish the template so it is available in your environment.
Now you should create a template for the Windows logon template. On the CA snap-in select Manage to create the new template.
Right click the default template Smartcard Logon and select Duplicate Template.
From the Issuance Requirements tab enable This number of authorized signatures and enter a value of 1. In the Application policy drop-down section select Certificate Request Agent.
From the Security tab click the Add button. Presuming that you followed the instructions to setup vSEC:CMS service to run under a dedicated Windows account, add that account and at minimum give it Enroll permission.
Click Apply and Ok to save and close. You should then publish the template so it is available in your environment.
Finally, the dedicated Windows account will need to be given revocation permissions on the CA. Right click the root of your CA and select Properties.
From the Security tab click the Add button. Presuming that you followed the instructions to setup vSEC:CMS service to run under a dedicated Windows account, add that account and at minimum give it Issue and Manage Certificates in the Allow checkbox.
Click Apply and Ok to save and close. This should complete the necessary configurations on the CA.
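Because template and CA permission mistakes only surface later as a failed enrollment, it is worth verifying the configuration above before moving on to the connection setup. The script below is an added example (not from the article or Versasec) that reads the template and CA objects from the AD Configuration partition and checks the settings described in this section: that both templates exist, that the dedicated service account has a direct Enroll ACE on each, that the logon template requires one authorized signature with the Certificate Request Agent application policy, and that a CA has published both templates. It needs the ActiveDirectory RSAT module and read access to the Configuration partition. The account name and the template names (the template name, not the display name) are assumptions; change them to match your environment.

```powershell
# Added example (not from the article or Versasec): verify the CA template prerequisites
# described above by reading the objects from the AD Configuration partition.
# Requires the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-vseccms'          # assumed dedicated vSEC:CMS service account
$EaTemplate     = 'vSECCMSEnrollmentAgent'    # assumed name of the duplicated Enrollment Agent template
$LogonTemplate  = 'vSECCMSSmartcardLogon'     # assumed name of the duplicated Smartcard Logon template

$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                       # Certificate Request Agent application policy

$config   = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$config"

function Get-CertTemplate([string]$Name) {
    Get-ADObject -SearchBase $tmplBase -Filter "name -eq '$Name'" `
        -Properties nTSecurityDescriptor, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
}

function Test-EnrollAce($Template, [string]$Account) {
    # Enroll is an extended right, so match on the right's GUID rather than a generic access mask.
    # Only a direct Allow ACE for the account is detected; grants via group membership are not expanded here.
    if (-not $Template) { return $false }
    [bool]($Template.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        $_.ObjectType -eq $EnrollRightGuid
    })
}

$ea    = Get-CertTemplate $EaTemplate
$logon = Get-CertTemplate $LogonTemplate

# Templates a CA has published are listed in the certificateTemplates attribute of its pKIEnrollmentService object.
$published = Get-ADObject -SearchBase $caBase -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

# Newer (CNG) templates store the RA policy inside a backtick-delimited string, so match on the OID as a substring.
$raPolicies = if ($logon) { $logon.'msPKI-RA-Application-Policies' -join ' ' } else { '' }

$checks = [ordered]@{
    "EA template '$EaTemplate' exists"                              = [bool]$ea
    "EA template: $ServiceAccount has Enroll"                      = Test-EnrollAce $ea $ServiceAccount
    "EA template published on a CA"                                = $published -contains $EaTemplate
    "Logon template '$LogonTemplate' exists"                        = [bool]$logon
    "Logon template: 1 authorized signature required"              = $logon -and $logon.'msPKI-RA-Signature' -eq 1
    "Logon template: signature policy is Certificate Request Agent" = $raPolicies -match [regex]::Escape($RequestAgentOid)
    "Logon template: $ServiceAccount has Enroll"                   = Test-EnrollAce $logon $ServiceAccount
    "Logon template published on a CA"                             = $published -contains $LogonTemplate
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize
```

The Issue and Manage Certificates permission is set on the CA object itself rather than on a template, so it is not covered by this script; confirm it on the Security tab of the CA properties as described above. A template that exists in AD but is not listed as published on the CA is the most common reason the Templates button in vSEC:CMS does not show it.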
CA Connection Configuration
1. From Options - Connections click Add and select Certificate Authorities and click Ok.
2. Enter a template name and from the drop-down list select Windows CA (Microsoft Enterprise Certification Authority). Click the Select CA button to select how to connect to the domain controller from which the CA details are retrieved. Normally, as vSEC:CMS is installed on a domain-joined server with access to the domain controller, it is recommended to select Use from domain. If vSEC:CMS is not on the domain then select Use specific server and enter the details of the domain controller you wish to connect to. Click Ok to save and close. You should now see the CA details in the Enterprise CA Server dialog. To ensure you are communicating with the CA, click the Templates button, select the Show all checkbox and click the Update button; you should see all the CA templates that are available in your environment.
3. In the Enrollment Agent section enable the Sign server side checkbox and click the Request button. If your environment has more than one certificate template of the EA type, a dialog will pop up asking you to select the EA template you wish to use. Select the one you created for vSEC:CMS and click Ok. An EA certificate will then be issued to the account the vSEC:CMS service runs under. Click Save to save and close the dialog.
Credential Configuration
1. From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS select Minidriver (Generic minidriver card) for Card type. Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection configured earlier in the drop-down list. In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template configuration dialog.
Issue Credential
From the Lifecycle page attach a blank credential to your host. If it is a credential that is supported by vSEC:CMS you should see the reader and the credential similar to below.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your System Owner passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential.
Once you complete this then the credential can be used to log onto your domain environment.
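Before attempting an interactive logon it is useful to confirm that the certificate placed on the credential actually satisfies the Windows smart card logon requirements. The following PowerShell is an added example (not from the article or Versasec) to be run on a domain-joined client with the issued credential inserted. It assumes Windows has propagated the card's certificate into the user's Personal store (the Certificate Propagation service does this on insertion), then, for each certificate carrying the Smart Card Logon EKU, reports the template it was issued from, the UPN in the Subject Alternative Name, whether a private key reference is present, and whether the chain and revocation check succeed with that EKU.

```powershell
# Added example (not from the article): inspect the smart card logon certificate on the
# inserted credential and check the properties Windows needs for a domain logon.
# Assumes the card's certificate has been propagated into Cert:\CurrentUser\My.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon enhanced key usage
$TemplateInfoOid   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension

function Get-CertificateUpn([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Windows maps a smart card logon certificate to the AD user through the UPN in the Subject Alternative Name.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format() renders the extension as text, e.g. "Other Name:Principal Name=alice@corp.example"
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Test-SmartCardLogonCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Test-Certificate builds the chain, performs the revocation check and verifies the requested EKU.
    $chainOk  = Test-Certificate -Cert $Cert -EKU $SmartCardLogonEku -ErrorAction SilentlyContinue
    $template = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid } |
        ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject              = $Cert.Subject
        Issuer               = $Cert.Issuer
        Template             = $template
        Upn                  = Get-CertificateUpn $Cert
        HasSmartCardLogonEku = ($Cert.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
        HasPrivateKeyRef     = $Cert.HasPrivateKey
        NotAfter             = $Cert.NotAfter
        ChainAndRevocationOk = [bool]$chainOk
    }
}

# Evaluate every certificate in the user's Personal store that carries the Smart Card Logon EKU.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku } |
    ForEach-Object { Test-SmartCardLogonCertificate $_ } |
    Format-List
```

All fields should come back populated and true. The UPN must match the userPrincipalName of the AD user selected during issuance, and ChainAndRevocationOk fails on a client that cannot reach the CA's CRL distribution point, which is the same condition that makes the domain controller reject the logon.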