Introduction
From version 5.9.3 it is possible to set a flag for managed credentials for the time when a PIN will expire if the credential template is configured to support server side PIN expiry management as described in this article.
This article will describe how you can configure setting this flag in the vSEC:CMS database for credentials that have not been set with this flag before. This may be required for credentials that are imported from another CMS system into vSEC:CMS.
Configuration
It is recommended to perform these configuration steps directly on the server where vSEC:CMS is running.
A prerequisite is that you have at least one credential template configured as described in the article here.
Step 1 - Set Registry Flag
On the server where vSEC:CMS is running open Regedit and in this location [HKEY_CURRENT_USER\SOFTWARE\Versatile Security\vSEC_CMS_T] set a type DWORD named app.behave.showsupport and give it a value of 1.
Step 2 - Set the PIN Expiry Flag
Log onto vSEC:CMS console and from Help - Support Console select Pin expiration sanity check and click Perform.
You should get a dialog similar to below indicating that some records don’t have a PIN expiry flag set in the database.
You can press CTRL+C and paste the data into Notepad to see what records don’t have such a flag. Click Yes to continue which will open a dialog similar to below.
Select Randomize and in the Before and After fields enter the days that the PIN expiry flag will be randomly set relative to the PIN validity already set for the credential template. In this example we have one credential template already created and one credential was found which did not have a PIN expiry flag. We set 3 days before and after for the randomize option therefore in this case the PIN expiry could be set to 97, 98, 99, 100, 101, 102 or 103 days into the future from the day that you are currently setting this up.
If you do not select Randomize then the PIN expiry will be set to 100 days (in this example) into the future from the day that you are currently setting this up.
In the Smart Cards to Update section we list all templates found where managed cards do not have a PIN expiry flag set. You should select only the template(s) that you want to update before completing the update.
Select Ok to set the flag in the database and complete.
This should complete the process.
Additional Details
You can validate that a credential PIN expiry flag is set by selecting a record from Repository - Smart Cards. Click the Details button and you will see something similar to below in the Last PIN change section depending on how you configured the expiry in your template.
If you are migrating from another CMS system to vSEC:CMS it is important to migrate the credentials into a template that has server side managed PIN configured as described in this article.