Introduction
On the Lifecycle page, operators can manage credentials. Credentials within vSEC:CMS have various statuses reflecting their position in the lifecycle. vSEC:CMS uses workflows to guide credentials through this lifecycle.
When an operator accesses the Lifecycle page with a user credential attached to the host running the vSEC:CMS application, a diagram shows the credential's lifecycle status by placing an icon over the corresponding process state. For example, in the diagram below, it's clear that the attached user credential is currently unregistered in the system, as indicated by the icon over the Unregistered process. At this stage, the operator can update the credential status to Registered or Issued by hovering over the available processes in the diagram, which display dotted credential icons.
Register Credential
To register a credential, simply attach a new, unregistered credential to the system and click the Registered oval process. Click the Execute button if only one credential is to be registered or the Batch button if more than one credential is to be registered at a time, enabling a streamlined registration flow.
Registering the credential will result in the creation of a new credential administration key, distinct from the vSEC:CMS application master key. This new key will replace the default credential manufacturer administration key. The credential PIN(s) will be blocked, and any fingerprint(s) will be blocked if the credential supports this feature. Ensure that the credential is connected to the system to perform this task.
Issue Credential
The credential status changes to Issued when a credential is issued from a credential template. Click the Issued oval process and select the credential template to be used from the Select card template drop-down list. Click the Execute button if only one credential is to be issued or the Batch button if more than one credential is to be issued at a time, which allows for a streamlined flow. During this workflow, the Issue Card settings as set in the credential template will be performed.
Initiate Credential
The credential status changes to Active when the credential PIN is set on the credential, i.e. the credential is initiated. In this workflow, the user’s credential PIN will be unblocked and a new PIN will be set on the credential. The credential can either be connected to the system or disconnected from the system to perform this task.
Initiation with Operator Possession
If the user credential that is to be initiated is in the possession of the operator, attach the user credential and click the Active oval to select the operation to be performed. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button to start the flow.
The operator can now enter a new user PIN and confirm this value, or if the user is with the operator, the user can enter their PIN. The credential policy requirements set on the credential need to be satisfied.
Initiation with End-user Possession
To initiate a credential when the end-user has possession:
- Click Search to select the user.
- Select the user and click OK.
- Click the Active oval.
- Click Execute to start the operation.
The end user provides a challenge, entered by the operator into the Smart card challenge field. A checksum validates the challenge. Click Cryptogram to generate a cryptogram for the end user to unblock their PIN.
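The exchange described above, modelled as an added example (not vSEC:CMS code): the operator side validates the typed challenge's checksum before touching any key, and the credential accepts a cryptogram only once per challenge. The checksum format, the HMAC-SHA-256 stand-in for the card's real algorithm, and all names (`parse_challenge`, `cryptogram`, `Card`) are assumptions.

```python
import hashlib
import hmac
import secrets

def _check(challenge: bytes) -> bytes:
    # Assumed checksum: first 2 bytes of SHA-256 over the challenge.
    return hashlib.sha256(challenge).digest()[:2]

def parse_challenge(typed: str) -> bytes:
    """Operator side: reject a mistyped challenge before any key is used."""
    try:
        raw = bytes.fromhex(typed.replace(" ", "").replace("-", ""))
    except ValueError:
        raise ValueError("challenge is not valid hex") from None
    if len(raw) != 10 or not hmac.compare_digest(_check(raw[:8]), raw[8:]):
        raise ValueError("challenge checksum mismatch, ask the user to repeat it")
    return raw[:8]

def cryptogram(admin_key: bytes, challenge: bytes) -> str:
    """Operator side: response bound to this card's key and this challenge."""
    # HMAC-SHA-256 is a stand-in for whatever algorithm the card implements.
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8].hex().upper()

class Card:
    """Constructed model of the end user's credential."""
    def __init__(self, admin_key: bytes):
        self._key = admin_key
        self._pending = None

    def get_challenge(self) -> str:
        self._pending = secrets.token_bytes(8)   # fresh per attempt
        return (self._pending + _check(self._pending)).hex().upper()

    def unblock(self, response: str) -> bool:
        challenge, self._pending = self._pending, None   # single use: no replay
        if challenge is None:
            return False
        expected = cryptogram(self._key, challenge)
        return hmac.compare_digest(expected.encode(), response.strip().upper().encode())

if __name__ == "__main__":
    key = secrets.token_bytes(16)            # constructed per-card admin key
    card = Card(key)
    shown = card.get_challenge()             # value the user reads out
    answer = cryptogram(key, parse_challenge(shown))
    print(shown, answer, card.unblock(answer), card.unblock(answer))
```

Because the cryptogram depends on a per-credential key and a fresh challenge, a value overheard during one unblock call is useless for a second attempt or for a different credential.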
Inactivate Credential
The credential status changes to Inactive when the inactivate credential option is performed. In this workflow, the vSEC:CMS application will block access to the credential administration key, i.e. it will not be possible to unblock the credential should it become blocked. The credential can either be connected to the system or disconnected from the system to perform this task. During this process, the Inactivate Card settings as set on the credential template will be performed.
Inactivation with Operator Possession
If the operator possesses the credential that needs to be inactivated, attach the credential and click the Inactive oval to select the operation. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button if only one credential is to be inactivated, or click the Batch button if more than one credential needs to be inactivated.
Inactivation without Operator Possession
To inactivate a credential where the credential is not in the possession of the operator, click the Search button to select the user.
Click the Inactive oval to select the operation to be performed and click the Execute button to start the operation.
Activate Credential
The credential status changes to Active when the activate credential option is performed. In this workflow, the vSEC:CMS application will unblock access to the credential administration key, i.e. it will be possible to unblock the user credential should it become blocked. The credential can either be connected to the system or disconnected from the system to perform this task. During this process, the Activate Card settings as set on the credential template will be performed.
Activation with Operator Possession
If the operator possesses the credential that needs to be activated, attach the credential and click the Active oval to select the operation. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button if only one credential is to be activated, or click the Batch button if more than one credential needs to be activated.
Activation without Operator Possession
To activate a credential where the credential is not in the possession of the operator, click the Search button to select the user.
Click the Active oval to select the operation to be performed and click the Execute button to start the operation.
Lock Credential
The credential status changes to Locked when the lock credential option is performed. In this workflow, the credential PIN will be blocked. The credential needs to be connected to the system to perform this task. During this process, the Lock Card settings as set on the credential template will be performed.
Attach the credential and click the Locked oval. Click the Execute button if only one credential is to be locked or the Batch button if more than one credential is to be locked.
Unlock Credential
The credential token status changes to Issued when the Unlock Credential option is performed. This workflow unlocks the credential and returns its status to Issued.
The credential needs to be connected to the system to perform this task. Click the Issued oval process and click the Execute button if only one credential is to be unlocked or the Batch button if more than one credential is to be unlocked at a time, which allows for a streamlined flow. During this process, the Unlock Card settings as set on the credential template will be performed.
Revoke Credential
The credential status changes to Revoked when the revoke credential option is performed. In this workflow, the vSEC:CMS application sends a revocation notification to the CA, which results in the certificate(s) on the credential being revoked. The credential can either be connected to the system or disconnected from the system to perform this task. During this process, the Revoke Card settings as set on the credential template will be performed.
Revocation with Operator Possession
If the operator possesses the credential to be revoked, attach the credential and click the Revoke oval to select the operation. You will notice that vSEC:CMS automatically determines the user ID. Click the Execute button to proceed.
Choose a revocation reason from the available options in the Revocation reason drop-down list and add a more descriptive comment in the text field if needed.
Revocation without Operator Possession
To revoke a credential where the credential is not in the possession of the operator, click the Search button to select the user. Click the Execute button to start the revocation flow.
Select a revocation reason from the available list in the Revocation reason drop-down list and add a more descriptive comment in the text field if required.
Retire Credential
The credential status changes to Retired when the Retire Credential option is performed. This workflow removes the credential template settings and blocks the PIN(s), allowing the credential to be reused. The credential must be connected to the system to perform this task. During this process, the Retire Card settings configured on the credential template will be applied.
Attach the credential and click the Retire oval. Click the Execute button if only one credential is to be retired, or the Batch button if more than one credential is to be retired.
Delete Credential
The credential token status changes to 'Deleted' when the 'Delete Credential' option is performed. This action removes the credential from the vSEC:CMS application database while retaining transaction logs. The number of licensed credentials managed by the vSEC:CMS application decreases by one.
Once deleted, the credential cannot be re-registered or used for any administrative operations within vSEC:CMS. The credential can be either connected or disconnected from the system to perform this task.
Only delete credentials that are reported as damaged, lost, or stolen.
Once a credential is deleted, it cannot be reused.
Deletion with Operator Possession
Attach the user credential and click the Delete oval, then click the Execute button to initiate the process. A warning dialog will appear to confirm that the operator understands the consequences of this operation.
If the credential certificate needs to be revoked, select a reason from the dropdown list and add a descriptive comment in the text field, if necessary.
Deletion without Operator Possession
To delete a credential when it is not in the possession of the operator, click the Search button to select the user, then click the Execute button to start the process. A warning dialog will appear to confirm that the operator understands the consequences of this operation.
If the credential certificate needs to be revoked, select a reason from the dropdown list and add a descriptive comment in the text field, if necessary.
Unregister Credential
To unregister a credential, attach an already managed credential to the system and click the Unregister oval process. This workflow resets the administration key of the credential to its default manufacturer value. Unregistering is only possible for credentials in the Registered or Retired states. The credential must be connected to the system to perform this task.
Attach the user credential and click the Unregistered oval. Click the Execute button for a single credential or the Batch button for multiple credentials.