Introduction
This article will describe how you can setup and use vSEC:CMS to issue and manage your virtual credential (VC) via a self-service client. The article will cover the following:
- Setup a template that will allow you to create and issue a Windows logon certificate to a VC from vSEC:CMS User Self-Service (USS) application;
- Issue a Windows logon certificate to the VC;
- Log onto a Windows client using the issued VC.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
Prerequisites
The below information is important to be aware of:
- It will be required to have a TPM 1.2 or later available on any client where the VC is to be created and issued;
- If you use Windows 10 client it is recommended to use Microsoft Virtual Smart Card (MS VC);
- For Windows 7 clients you will need to use vSEC:CMS Virtual Smart Card (vSEC:CMS VC).
If you are setting up a configuration where MS VC is going to be used then follow instructions in the MS VC Configuration section below.
If you are setting up a configuration where vSEC:CMS VC is going to be used then follow instructions in the vSEC:CMS VC Configuration section below.
MS VC Configuration
The instructions in this section should only be followed if you are setting up a configuration where MS VC is to be created and issued.
Self-Service Connection
If you don’t have a connection for self-service already set up then from Options - Connections click the Add button and select User Self-Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.
Please ensure that you have read through the article vSEC:CMS Client-Server Communication which gives more details on vSEC:CMS client-server architecture.
Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.
Make sure that the vSEC:CMS - User Self-Service service is running after you configure this in Windows services.
Remote Security Device Management Connection
If you don’t have a connection for Remote Security Device Management (RSDM) service already set up then from Options - Connections click the Add button and select RSDM Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.
Please ensure that you have read through the article vSEC:CMS Client-Server Communication which gives more details on vSEC:CMS client-server architecture.
Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.
The port needs to be different from the port configured for USS.
Make sure that the vSEC:CMS - RSDM Service service is running after you configure this in Windows services.
Credential Configuration
1. From Options - Device Management enable Enable automatic device registration checkbox.
If you don’t have machine certificates issued to your hosts then you should enable the Force collecting certificates checkbox, otherwise the RSDM component on the client will try to register the client device machine certificate and if none exist the registration will fail.
2. From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Select VSC (Virtual Smart Card) for Card type.
Click the Manage button beside Self-service using the following template. Click the Add button. Enter a template name and enable Self-issuance enabled and Retire card enabled checkboxes. From the User Authentication for PIN Unblock drop-down list select Use windows credentials to authenticate user. Leave all other settings as is and click the Save button to save and close.
Click Close and from the main General dialog enable Self-service using the following template and from the drop-down list select the template just created. Leave all other settings as is and click Ok to save and close the dialog.
3. Click the Edit link beside Issue Card. Select the checkbox Automatically initiate cards after issuance and Issue by user(s) radio button.
Click the Virtual SC button and enable Try to create a virtual smart card checkbox. In the Allow maximum field enter the total number of MS VC that can be created on the client. In this example we will enter 4. It is recommended to enable the Stop issuance when fail to create a virtual smart card to prevent the issuance process from continuing if the MS VC creation process fails for some reason.
Click the Configure button in the User ID Options section. Select the AD connection already configured from User ID from drop down list and select Supplied domain credentials from Authenticate user using drop down list. Click Ok to save and close.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
Click Ok to save and close the template configuration dialog.
Issue Credential
On a client machine it will be necessary to install the vSEC:CMS User Self-Service (USS) and the vSEC:CMS Remote Security Device Management (RSDM) application. Use the vSEC:CMS Client MSI to install these components. It is recommended to install silently as it is possible to pass in the URL link to the backend vSEC:CMS server that the USS and RSDM need to communicate with. This will remove the requirement to manually configure the USS and RSDM to communicate with the backend in this case.
Open a command Window as administrator and change to location where the MSI installer is located.
msiexec /i "vSEC_CMS Client 64bit.msi" /quiet ADDLOCAL=USS,RSDM USSGRPC="https://2016-server:8445" USSPCL=4 RSDMGRPC="https://2016-server:8446" RSDMPCL=4
Where USSGRPC and RSDMGRPC point to the backend services where vSEC:CMS is installed and USSPCL=4 and RSDMPCL=4 configure the client to use gRPC.
The client host will automatically reboot when running above command so make sure you have saved any material you may be working on when performing this task.
Start the My Smartcard from the shortcut icon on the client desktop. Go to the My Profile page. With the credential attached that is to be issued click the Issue button.
Enter the domain credentials of the user to authenticate.
At the end of the process you will be prompted to enter a PIN for the credential to complete the flow.
Once you complete this then the credential can be used to log onto your domain environment.
vSEC:CMS VC Configuration
The instructions in this section should only be followed if you are setting up a configuration where vSEC:CMS VC is to be created and issued.
Self-Service Connection
If you don’t have a connection for self-service already set up then from Options - Connections click the Add button and select User Self-Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.
Please ensure that you have read through the article vSEC:CMS Client-Server Communication which gives more details on vSEC:CMS client-server architecture.
Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.
Make sure that the vSEC:CMS - User Self-Service service is running after you configure this in Windows services.
Remote Security Device Management Connection
If you don’t have a connection for Remote Security Device Management (RSDM) service already set up then from Options - Connections click the Add button and select RSDM Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.
Please ensure that you have read through the article vSEC:CMS Client-Server Communication which gives more details on vSEC:CMS client-server architecture.
Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.
The port needs to be different from the port configured for USS.
Make sure that the vSEC:CMS - RSDM Service service is running after you configure this in Windows services.
Credential Configuration
1. From Options - Device Management enable Enable automatic device registration checkbox.
If you don’t have machine certificates issued to your hosts then you should enable the Force collecting certificates checkbox, otherwise the RSDM component on the client will try to register the client device machine certificate and if none exist the registration will fail.
2. From Options - Virtual Smart Card enable Support for vSEC:CMS Virtual Smart Card enabled and click the Apply button.
3. From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. Select Versasec Virtual Smart Card (Virtual Smart Card) for Card type.
Click the Manage button beside Self-service using the following template. Click the Add button. Enter a template name and enable Self-issuance enabled and Retire card enabled checkboxes. From the User Authentication for PIN Unblock drop-down list select Use windows credentials to authenticate user. Leave all other settings as is and click the Save button to save and close.
Click Close and from the main General dialog enable Self-service using the following template and from the drop-down list select the template just created. Leave all other settings as is and click Ok to save and close the dialog.
4. Click the Edit link beside Issue Card. Select the checkbox Automatically initiate cards after issuance and Issue by user(s) radio button. Click the Configure button in the User ID Options section.
Click the Virtual SC button and enable Try to create a virtual smart card checkbox. In the Allow maximum field enter the total number of vSEC:CMS VC that can be created on the client. Currently it is only possible to create 1, therefore enter a value of1. It is recommended to enable the Stop issuance when fail to create a virtual smart card to prevent the issuance process from continuing if the vSEC:CMS VC creation process fails for some reason.
Select the AD connection already configured from User ID from drop down list and select Supplied domain credentials from Authenticate user using drop down list. Click Ok to save and close.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
Click Ok to save and close the template configuration dialog.
Issue Credential
On a client machine it will be necessary to install the vSEC:CMS User Self-Service (USS), the vSEC:CMS Remote Security Device Management (RSDM) application and the vSEC:CMS VC application. Use the vSEC:CMS Client MSI to install these components. It is recommended to install silently as it is possible to pass in the URL link to the backend vSEC:CMS server that the USS and RSDM need to communicate with. This will remove the requirement to manually configure the USS and RSDM to communicate with the backend in this case.
Open a command Window as administrator and change to location where the MSI installer is located.
msiexec /i "vSEC_CMS Client 64bit.msi" /quiet ADDLOCAL=USS,RSDM USSGRPC="https://2016-server:8445" USSPCL=4 RSDMGRPC="https://2016-server:8446" RSDMPCL=4
Where USSGRPC and RSDMGRPC point to the backend services where vSEC:CMS is installed and USSPCL=4 and RSDMPCL=4 configure the client to use gRPC.
The client host will automatically reboot when running above command so make sure you have saved any material you may be working on when performing this task.
Start the My Smartcard from the shortcut icon on the client desktop. Go to the My Profile page. With the credential attached that is to be issued click the Issue button.
Enter the domain credentials of the user to authenticate.
At the end of the process you will be prompted to enter a PIN for the credential to complete the flow.
Once you complete this then the credential can be used to log onto your domain environment.