Introduction
From the Lifecycle page, operators can perform credential management tasks. Credentials managed by vSEC:CMS have a different status depending on where the credential is in its lifecycle, and vSEC:CMS uses workflows to manage the credential through that lifecycle.
When an operator opens the Lifecycle page with a user credential attached to the host on which the vSEC:CMS application is running, the diagram shows where the user credential is in its lifecycle by placing a credential icon over the corresponding oval process state. For example, from the diagram below it is possible to determine that the attached user credential is unregistered in the system, because the credential icon is over the Unregistered oval process. In this state, the operator can change the status of the credential to Registered or Issued, as indicated by the dotted credential icon that appears when you mouse over the oval processes available in the diagram.
Register Credential
In order to register a credential, simply attach a new, unregistered credential to the system and click the Registered oval process. Click the Execute button if only one credential is to be registered or the Batch button if more than one credential is to be registered at a time, which allows for a streamlined registration flow.
The registration of the credential will result in the creation of a new credential administration key, diversified from the vSEC:CMS application master key. This new key will replace the default credential manufacturer administration key. The credential PIN(s) will be blocked and any fingerprint(s) will be blocked if the credential supports this feature. The credential needs to be connected to the system to perform this task.
Issue Credential
The credential status changes to Issued when a credential is issued from a credential template. Click the Issued oval process and select the credential template to be used from the Select card template drop-down list. Click the Execute button if only one credential is to be issued or the Batch button if more than one credential is to be issued at a time, which allows for a streamlined flow. During this workflow, the Issue Card settings, as set in the credential template, will be applied to the token.
Initiate Credential
The credential status changes to Active when the credential PIN is set on the credential, i.e. the credential is initiated. In this workflow, the user’s credential PIN will be unblocked and a new PIN set on the credential. The credential can either be connected to the system or disconnected from the system to perform this task.
Initiate When Credential in Possession of Operator
If the user credential that is to be initiated is in the possession of the operator, attach the user credential and click the Active oval to select the operation to be performed. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button to start the flow.
The operator can now enter a new user PIN and confirm this value, or if the user is with the operator, the user can enter their own PIN. The credential policy requirements set on the credential need to be satisfied.
Initiate When Credential in Possession of End-user
In order to initiate a credential where the credential is in the possession of the end user, click the Search button to select the user.
Select the user and click OK.
Click the Active oval to select the operation to be performed.
Click the Execute button to start the operation.
The end user will need to provide a challenge which the operator should enter into the Smart card challenge field. A checksum is automatically calculated to validate that the challenge entered corresponds to the value received from the end user. Click the Cryptogram button to generate a cryptogram that needs to be sent back to the end user to allow them to unblock the PIN on their credential.
Inactivate Credential
The credential status changes to Inactive when the inactivate credential option is performed. In this workflow, the vSEC:CMS application will block access to the credential administration key, i.e. it will not be possible to unblock the credential should it become blocked. The credential can either be connected to the system or disconnected from the system to perform this task. During this process, the Inactivate Card settings, as set on the credential template, will be performed.
Inactivate when Credential in Possession of Operator
If the credential that is to be inactivated is in possession of the operator, attach the credential and click the Inactive oval to select the operation to be performed. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button if only one credential is to be inactivated or click the Batch button if more than one credential is to be inactivated.
Inactivate when Credential is not in Possession of Operator
In order to inactivate a credential where the credential is not in the possession of the operator, click the Search button to select the user.
Click the Inactive oval to select the operation to be performed and click the Execute button to start the operation.
Activate Credential
The credential status changes to Active when the activate credential option is performed. In this workflow, the vSEC:CMS application will unblock access to the credential administration key, i.e. it will be possible to unblock the user credential should it become blocked. The credential can either be connected to the system or disconnected from the system to perform this task. During this process, the Activate Card settings, as set on the credential template, will be performed.
Activate when Credential in Possession of Operator
If the credential that is to be activated is in possession of the operator, attach the credential and click the Active oval to select the operation to be performed. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button if only one credential is to be activated or click the Batch button if more than one credential is to be activated.
Activate when Credential is not in Possession of Operator
In order to activate a credential where the credential is not in the possession of the operator, click the Search button to select the user.
Click the Active oval to select the operation to be performed and click the Execute button to start the operation.
Lock Credential
The credential status changes to Locked when the lock credential option is performed. In this workflow, the credential PIN will be blocked. The credential needs to be connected to the system to perform this task. During this process, the Lock Card settings, as set on the credential template, will be performed.
Attach the credential and click the Locked oval. Click the Execute button if only one credential is to be locked or the Batch button if more than one credential is to be locked.
Unlock Credential
The credential token status changes to Issued when the unlock credential option is performed; this workflow unlocks the credential. The credential needs to be connected to the system to perform this task. Click the Issued oval process and click the Execute button if only one credential is to be unlocked or the Batch button if more than one credential is to be unlocked at a time, which allows for a streamlined flow. During this process, the Unlock Card settings, as set on the credential template, will be performed.
Revoke Credential
The credential status changes to Revoked when the revoke credential option is performed. This workflow will result in the certificate(s) on the credential being revoked by the vSEC:CMS application sending a revocation notification to the CA. The credential can either be connected to the system or disconnected from the system to perform this task. During this process, the Revoke Card settings, as set on the credential template, will be performed.
Revoke when Credential is in Possession of Operator
If the credential that is to be revoked is in possession of the operator, attach the credential and click the Revoke oval to select the operation to be performed. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button to start the flow.
Select a revocation reason from the available list in the Revocation reason drop-down list and add a more descriptive comment in the text field if required.
Revoke when Credential is not in Possession of Operator
In order to revoke a credential where the credential is not in the possession of the operator, click the Search button to select the user. Click the Execute button to start the revocation flow.
Select a revocation reason from the available list in the Revocation reason drop-down list and add a more descriptive comment in the text field if required.
Retire Credential
The credential status changes to Retired when the retire credential option is performed. In this workflow, the credential template settings on the credential will be removed and the PIN(s) will be blocked. The workflow also allows the credential to be re-used. The credential needs to be connected to the system to perform this task. During this process, the Retire Card settings, as set on the credential template, will be performed.
Attach the credential and click the Retire oval. Click the Execute button if only one credential is to be retired or the Batch button if more than one credential is to be retired.
Delete Credential
Important: Only credentials that are reported as damaged/lost/stolen should be deleted. Once a credential is deleted, it can never be reused.
The credential token status changes to Deleted when the delete credential option is performed. This workflow will result in the credential being deleted from the vSEC:CMS application database, with any transaction logs remaining intact. The number of licensed credentials allowed to be managed by the vSEC:CMS application will be decreased by one. The deleted credential cannot be registered again with vSEC:CMS and it will not be possible to perform any administration operations with a deleted credential. The credential can either be connected to the system or disconnected from the system to perform this task.
Delete when Credential is in Possession of Operator
Attach the user credential and click the Delete oval. Click the Execute button to start the flow. A warning dialog will appear to ensure that the operator fully understands the consequences if this operation is performed.
If the credential certificate needs to be revoked, select a revocation reason from the available list in the Revocation reason drop-down list and add a more descriptive comment in the text field if required.
Delete when Credential is not in Possession of Operator
In order to delete a credential where the credential is not in the possession of the operator, click the Search button to select the user. Click the Execute button to start the flow. A warning dialog will appear to ensure that the operator fully understands the consequences if this operation is performed.
If the credential certificate needs to be revoked, select a revocation reason from the available list in the Revocation reason drop-down list and add a more descriptive comment in the text field if required.
Unregister Credential
In order to unregister a credential, simply attach an already managed credential to the system and click the Unregister oval process. The unregister workflow will reset the administration key of the credential to its default credential manufacturer administration key value. It is only possible to unregister credentials whose status is Registered or Retired. The credential needs to be connected to the system to perform this task.
Attach the user credential and click the Unregistered oval. Click the Execute button if only one credential is to be unregistered or the Batch button if more than one credential is to be unregistered.