Create Operator Service Key Store

Anthony - Versasec Support

Introduction

If vSEC:CMS is required to:

  • Support vSEC:CMS User Self-Service; or
  • Issue an Authentication Only Operator (AOO) token; or
  • Use an HSM for all master key operations,

then it is necessary to add what is referred to as an Operator Service Key Store (OSKS). The OSKS is then used by vSEC:CMS to perform administration key operations, which require access to the master key used by vSEC:CMS.

The OSKS can be in two forms:

  • An encrypted key store; or
  • An HSM.

This article will describe the different OSKS setups depending on what form of OSKS you use.

Important
If you installed vSEC:CMS version 5.8 or later, the OSKS was installed automatically as part of the installation process, so you do not need to perform the steps in this article.

Generate OSKS Installer

The Activator Tool (AT) is used to generate the OSKS installer. The AT is a standalone application located in the tools folder of the vSEC:CMS installation, where it is named Versasec-Activator.exe. The AT requires internet access, so if vSEC:CMS is installed in a restricted environment it may be necessary to copy the AT to a host that has internet access.

Important
The Thales IDPrime smart card minidriver (sometimes referred to as Safenet driver) needs to be installed on the host where you are running the AT from. The minimum version that should be installed is 10.8.
Important
The host where you are running the AT from will need to have an internet connection.
Important
It will be required to use the System Owner (SO) token to perform this task.

To generate the OSKS installer, start the AT. Attach the SO token and, under Smart Card Selection, select from the drop-down list the reader into which the SO token is inserted.

Click the Create Key Store button. Enter the PIN for the SO when prompted. At the end of the process you will be prompted to save the OSKS installer. Save the installer to complete this process.

Then move this installer to the server where vSEC:CMS is installed.

Setup Encrypted Key Store

Follow the instructions in this section on how to configure vSEC:CMS to use an encrypted key store for OSKS.

Important
It will be required to RDP to the server where the vSEC:CMS is installed to perform all the steps below.
Important
The OSKS in this case is an encrypted component that runs as a service which is accessible only by the vSEC:CMS.
Important
The Operator needs to use the System Owner Card in order to carry out this process.

1. Copy the installation package created in the Generate OSKS Installer section above to the vSEC:CMS server. Make sure to close any open vSEC:CMS consoles and start the installation.

2. When the installation completes log onto the vSEC:CMS console with the SO token.

Important
You should see a message dialog informing you that the package was successfully installed. If you do not see this message dialog then the installation was not successful.

3. From the Options – Security page, enable the Allow external smart card administration key loading and Enable operator service key store check boxes.

4. From the Options – Operators page, click the Add service key store button. Enter a name in the Store name field and click the Add button to create the encrypted key store.

When complete you will see that the OSKS is added and that it is active. This completes the setup.

Setup Key Store with HSM

Follow the instructions in this section on how to configure vSEC:CMS to use an HSM for OSKS. During this process, the master key stored on the SO token will be migrated to the HSM.

Important
It will be required to RDP to the server where the vSEC:CMS is installed to perform all the steps below.
Important
The OSKS in this case is an encrypted component that runs as a service which is accessible only by the vSEC:CMS.
Important
The Operator needs to use the System Owner Card in order to carry out this process.
Important
It will be necessary to have a connection to the HSM from Options – Connections already setup before starting these steps.

1. Copy the installation package created in the Generate OSKS Installer section above to the vSEC:CMS server. Make sure to close any open vSEC:CMS consoles and start the installation.

2. When the installation completes log onto the vSEC:CMS console with the SO token.

Important
You should see a message dialog informing you that the package was successfully installed. If you do not see this message dialog then the installation was not successful.

3. From the Options – Security page, enable the Allow external smart card administration key loading and Enable operator service key store check boxes.

4. From the Options – Operators page, click the Add service key store button. You should see that the Key store field is automatically populated with HSM. Enter a name in the Store name field and click the Add button to create the key store.

5. When complete you will see that the service key store is added and that it is active. This completes the setup. From now on, vSEC:CMS will use the master key stored in the HSM for all administration key operations.