Introduction
It is possible to issue what is referred to as a Full-Featured Operator Credential (FFOC). An FFOC is a credential on which the vSEC:CMS applet is installed. The vSEC:CMS applet stores license information and the master key that is used for key diversification in vSEC:CMS. Typically you will issue credentials of this type to operators who take an administrator role in vSEC:CMS.
For vSEC:CMS versions installed from 5.8 or above, it is not necessary to issue FFOCs.
You will need either a Thales IDPrime MD 830 token or a Thales IDPrime .NET token that our CMS applet can be written to. For the Thales IDPrime MD 830 it needs to be a specific variant of this token; your provider should be able to supply it. Additionally, the token should be in its default factory state.
The instructions in this article presume that you have a clean, never-before-used token, so it will be in its default factory state.
Step 1 - Check Credential Type
As mentioned above, only two types of credential can be used as an FFOC. Here we describe how you can ensure that you have the appropriate credential.
Check IDPrime .NET
Open the vSEC:CMS console, navigate to Actions - Smart Card Information and make sure that the Card Configuration matches the screenshot below.
Check IDPrime MD 830
On the back of the credential you should see a vSEC:CMS label printed on the credential, as in the screenshot below.
Step 2 - Install vSEC:CMS Applet
Using the Activator Tool (AT) you can install the vSEC:CMS applet. The AT is a standalone application located in the tools folder of the vSEC:CMS installation, named Versasec-Activator.exe. The AT requires internet access, so if vSEC:CMS is installed in a restricted environment it may be necessary to copy the AT to a host that has internet access.
The Thales IDPrime smart card minidriver (sometimes referred to as the SafeNet driver) needs to be installed on the host from which you run the AT. The minimum version that should be installed is 10.8.
The host where you are running the AT from will need to have an internet connection.
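As an added prerequisite check for the AT host (not part of vSEC:CMS or the Activator Tool), the following PowerShell verifies that an IDPrime/SafeNet minidriver is registered and meets the 10.8 minimum stated above. It assumes the standard Windows smart card registration under Calais\SmartCards, where the value named 80000001 holds the minidriver DLL name, and it matches entries by the names IDPrime or SafeNet, which is an assumption about how the driver registers itself.

```powershell
# Added check: confirm the Thales/SafeNet IDPrime minidriver is present and >= 10.8.
# Assumption: minidrivers register under Calais\SmartCards and value 80000001 names the DLL.
$MinVersion = [version]'10.8'
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards'
)

function Get-IdPrimeMinidriver {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($card in Get-ChildItem $root) {
            $dll = (Get-ItemProperty $card.PSPath).'80000001'
            if (-not $dll) { continue }
            # Name matching on the card entry or DLL is an assumption about the driver's registration.
            if ($card.PSChildName -notmatch 'IDPrime|SafeNet' -and $dll -notmatch 'IDPrime|SafeNet') { continue }
            # A bare file name is resolved relative to System32, as Windows does for minidrivers.
            $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            if (-not (Test-Path $path)) { continue }
            $vi = (Get-Item $path).VersionInfo
            [pscustomobject]@{
                Card    = $card.PSChildName
                Dll     = $path
                # Build the version from the numeric parts; FileVersion strings can carry extra text.
                Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

$drivers = @(Get-IdPrimeMinidriver | Sort-Object Version -Descending)
if (-not $drivers) {
    Write-Warning 'No IDPrime/SafeNet minidriver registration found; install it before running the AT.'
} elseif ($drivers[0].Version -lt $MinVersion) {
    Write-Warning ('Minidriver {0} is version {1}; at least {2} is required.' -f $drivers[0].Dll, $drivers[0].Version, $MinVersion)
} else {
    Write-Host ('Minidriver OK: {0} (version {1})' -f $drivers[0].Dll, $drivers[0].Version)
}
```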
In order to provision the FFOC, start the AT.
DO NOT attach the FFOC that is to be issued to the host at this time.
It will be necessary to have either the SO token or an already issued full-featured operator token attached to the host where you are running the AT. You should see that the License Information pane is filled with the specific licensing details as applicable to your system.
Click the Issue Operator Card button to begin the process. You will be prompted to enter the PIN to authenticate.
You will be prompted to remove the credential from the reader and attach the FFOC to the same reader, so that the applet can be issued to it.
It is important that you follow the on-screen instructions during this process; otherwise the provisioning of the applet will fail. It may take a few minutes to complete. Once done, the FFOC can be issued to an operator for use in vSEC:CMS, typically from the Lifecycle page of the vSEC:CMS console.
If the process fails or you wish to restore the token to default state you can click the Clean Smart Card button to perform a restore to default state.
Step 3 - Issue FFOC in vSEC:CMS
In this step we will make the assumption that you don't have an FFOC template in your system.
Navigate to Templates - Card Template and click Add.
Click Edit beside General. Enter a template name and attach the FFOC that is to be issued and click the Detect button. Depending on the FFOC type (see Step 1 above) you will see different information displayed.
If it is a .NET credential, you will see information like that shown below. The important label here is vSEC:CMS Operator. Click Ok to close.
If it is an 830 credential, you will see information like that shown below. The important label here is vSEC:CMS Operator. Click Ok to close.
Enable vSEC:CMS Operator Card and from the drop-down list select Full Featured Operator Card.
Leave all other settings as is and click Ok to save and close.
Click Edit beside Issue Card. Presuming that a connection to your directory already exists, enable Assign user ID and select the connection from the drop-down list.
Additionally, presuming that the FFOC will be used to issue other credentials and that an MS PKI is used, an enrollment agent certificate should be issued to the credential. Enable Enroll certificate(s) and click Add to select the already created template from your CA that is to be issued.
Leave all other settings as is and click Ok to close.
Click Ok to save and close the template.
Now you can issue the FFOC from the Lifecycle page.