How can we help?

Delivery of Unblock Codes by Operator

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

An Operator of the vSEC:CMS can deliver a PIN unblock cryptogram and unblock codes through preconfigured delivery channels to the credential holder. Therefore, several different delivery channels can be configured that an operator can then select as the best way to deliver the unblock codes. There are 2 types of unblock codes:

  • Cryptogram;
  • Unblock code.

A cryptogram is a response code that can only be generated by the vSEC:CMS. This will typically be performed when unblocking a credential when the credential is offline. A cryptogram is generated from a challenge code generated by the credential that is to be unblocked. There is a one-to-one relationship between the challenge code and the generated cryptogram, therefore if the challenge code is invalidated the cryptogram will not be valid when attempting to unblock the credential.

An unblock code is a code that can only be generated by the vSEC:CMS which can then be used to perform a PIN unblock when the credential is online.

Follow the instructions in this article for details on how this can be configured and used in vSEC:CMS.

Configure Credential Template Using Cryptogram

This section will describe how the vSEC:CMS can be configured to provide several different delivery channels for the generated cryptogram that can then be sent to the credential holder. The delivery options available are email and SMS. The credential unblock in this case will be performed on a credential that is offline.

From Templates - Card Templates select an already configured credential template and click the Edit button. In the Template Details section scroll down and select the Edit link for Offline PIN unblock. Enable the Operator can send cryptogram to user checkbox and click the Configure button.

Click the Add button to add a delivery channel mechanism. Currently it will be possible to configure email or SMS as the delivery channel. In this example, we will configure an email notification.

Enter a template name and select email from the drop-down list. Select the email server configured that is to be used from the Outgoing Email Server drop-down list.

Click the Edit email template button to configure the actual content of the email that will be sent to the credential user. The message content can be either in MHTML or plain text.

If an MHTML file is used for the email content it will be necessary to select the Html radio button and click the Import button to select and import the MHTML file into the application. It is possible to place vSEC:CMS variables into the MHTML page which will be used as placeholders to be replaced by actual data that can be retrieved by the application.

If plain text is used for the email content it will be necessary to select the Text radio button. Enter the email address that the email will be sent from into the From field.

Important
You must enter proper email syntax into the From field otherwise the email will fail to be sent. For example if you enter TEST for this field it will fail to send but if you enter TEST@example.com then this will not fail to be sent.

The To field should contain the variable for the user email address. In order to place the variable into the field, select the variable from the Variables drop-down list and select Copy. A short description will appear below the drop-down list providing a brief description of the variable. Right click the field and select paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message body, enter an appropriate message and at minimum add the variable placeholder ${SelfServicePinUnblockCode} which will write the actual cryptogram in the delivery message to the credential holder. Additional variable placeholders can be added to the message. If a variable cannot be resolved when exporting the data, the variable name will be used instead, for example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application then the value exported will be the variable name, i.e. ${UserPin}. Click Ok to save the template.

Important
When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly i.e. the variables are case sensitive.

Additional delivery templates can be added. Whatever templates are added here will be displayed in the delivery dialog to allow the operator to select the best possible delivery channel that should be used when sending the actual message to the credential holder.

Click the Test button to test an actual delivery.

Save the Card Template. When a credential holder then calls the helpdesk requesting a cryptogram to unblock their credential, an operator, with permissions to perform PIN unblock, can use this mechanism to deliver the cryptogram. From Actions - Smart Card Unblock the operator will search for the credential holder as normal. Then in the Challenge-response/Offline section enter the supplied challenge code in the field provided. The operator will generate the cryptogram by clicking the Cryptogram button and authenticating as the operator. Once the cryptogram is generated the operator can click the Deliver button and select the delivery channel from the dialog provided. The cryptogram will be sent via the selected channel to the credential holder. The credential holder should enter this value and set a new PIN code to complete the unblock.

Configure Credential Template Using Unblock Code

This section will describe how vSEC:CMS can be configured to provide several different delivery channels for the generated unblock code that can then be sent to the credential holder. The delivery options available are email and SMS. The credential unblock in this case will be performed on a credential that is online.

From Templates - Card Templates select an already configured credential template and click the Edit button. In the Template Details section select the Edit link for General. In the Self-service using the following template section click the Manage button. Edit an already configured template.

In the PIN Unblock Codes section click the Expiration button to configure the lifetime for an unblock code that can be generated and provided to the credential holder. You can configure the lifetime to minutes, hours, days and weeks. 

Note
If you do not configure the expiration feature then the unblock code generated will never expire. However, any subsequent unblock code that is generated will invalidate the previous code generated.

Enable the Operator may generate unblock codes checkbox. Enable the Deliver manually checkbox and click the Configure button.

Click the Add button to add a delivery channel mechanism. Currently it will be possible to configure email or SMS as the delivery channel. In this example, we will configure an email notification.

Enter a template name and select email from the drop-down list. Select the email server configured that is to be used from the Outgoing Email Server drop-down list.

Click the Edit email template button to configure the actual content of the email that will be sent to the smart card user. The message content can be either in MHTML or plain text.

If an MHTML file is used for the email content it will be necessary to select the Html radio button and click the Import button to select and import the MHTML file into the application. It is possible to place vSEC:CMS variables into the MHTML page which will be used as placeholders to be replaced by actual data that can be retrieved by the application.

If plain text is used for the email content it will be necessary to select the Text radio button. Enter the email address that the email will be sent from into the From field.

Important
You must enter proper email syntax into the From field otherwise the email will fail to be sent. For example if you enter TEST for this field it will fail to send but if you enter TEST@example.com then this will not fail to be sent.

The To field should contain the variable for the user email address. In order to place the variable into the field, select the variable from the Variables drop-down list and select Copy. A short description will appear below the drop-down list providing a brief description of the variable. Right click the field and select paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message body, enter an appropriate message and at minimum add the variable placeholder ${SelfServicePinUnblockCode} which will write the actual cryptogram in the delivery message to the credential holder. Additional variable placeholders can be added to the message. If a variable cannot be resolved when exporting the data, the variable name will be used instead, for example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application then the value exported will be the variable name, i.e. ${UserPin}. Click Ok to save the template.

Important
When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly i.e. the variables are case sensitive.

Additional delivery templates can be added. Whatever templates are added here will be displayed in the delivery dialog to allow the operator to select the best possible delivery channel that should be used when sending the actual message to the credential holder.

Click the Test button to test an actual delivery.

Save the Card Template. When a credential holder then calls the helpdesk requesting an unblock code to unblock their credential, an operator, with permissions to perform PIN unblock, can use this mechanism to deliver the unblock code. From Actions - Smart Card Unblock the operator will search for the credential holder as normal. Then in the Self-service section click the PIN Unblock code button and authenticate as the operator when requested. Once the unblock code is generated the operator can click the Deliver button and select the delivery channel from the dialog provided. The cryptogram will be sent via the selected channel to the credential holder. The credential holder should enter this value and set a new PIN code to complete the unblock.