Overview
Using the vSEC:CMS User Self-Service (USS) application it is possible for a user to manage their credential. From the USS the user can perform typical self-service functions such as:
- Credential issuance;
- Credential renewal and update;
- Credential PIN reset;
- Credential retirement.
An overview of the architecture is provided in the diagram below.
USS is a Windows native client. It is deployed to any client from which a user will manage their own credential. It communicates with the vSEC:CMS server component either through a SOAP interface or through a gRPC interface. It is recommended that you use gRPC as it offers better performance than the more traditional SOAP protocol.
Installation
USS is packaged into an MSI installer. See the article Installing the vSEC:CMS MSI Client for details on how to use the MSI to install USS.
Configuration Client-Side
It is possible to configure specific settings that you require to be available in your USS deployment. You can configure the available settings by passing in the -configure parameter when starting the USS application.
It is recommended to use GPO for making the specific configurations that are described below. See the article Configure Windows GPO for details on this.
If it is not possible to use GPO for configuring the settings below then you can create the configuration required on a test client and all of the configuration settings will be saved to a file named cms_app.set. This file will be located in the root of where the USS was installed (normally here: C:\Program Files (x86)\Versasec\vSEC_CMS Self-service). This file can then be pushed/copied to all clients where USS is installed and placed in the root installation folder.
Open a command prompt as administrator and go to the location where USS is installed, typically C:\Program Files (x86)\Versasec\vSEC_CMS Self-service.
vSEC_CMS_T_USS.exe -configure
Settings
From the Settings tab a number of configuration options are available.
Check for card update on insert
In this section, it is possible to configure the behavior of the USS application when the application is started and the user attaches their credential.
The USS needs to be running in the system tray for this feature to be available. Messages will appear as a balloon message dialog from the system tray.
The following options are available:
- Do not select any of the options such that the USS application will not perform any check on the user credential when attached;
- Select Check for PIN Change. The USS application will check if it is required for the user to change the PIN on the credential when the credential is attached to the user's computer. For example, it is possible to set a flag on the credential to change the credential PIN on first use. If this is set on the credential the USS application will notify the user that they need to change their PIN. The credential used will need to support the change PIN on first use feature;
- Select Check for PIN Unblock. The USS application will check if it is required for the user to unblock their PIN on the credential when the credential is attached to the user's computer. If the PIN is blocked a popup will inform the user that they need to unblock the PIN;
- Select Check for card update. The USS application will check to see if there are any updates pending that need to be performed on the credential such as certificate renewal.
Smart Card Reader
If it is required to restrict which credential reader(s) a user can access, click the Configure button. This will open a dialog with a list of all available credential readers connected to your computer. Select the reader(s) that should not be available when using the USS application.
Smart Card Access
From the Smart Card Access section, it is possible to configure how the USS will attempt to communicate with the credential. Communication with the credential can be native or through the credential minidriver. Depending on the credential used it will be necessary to set the correct access type for the communication.
The configurations available are:
Force minidriver usage: The USS application will only use the credential minidriver installed on the user's computer if this option is configured. If there is no minidriver available then no operations will be possible with the credential.
Use minidriver if possible: The USS application will attempt to use the credential minidriver installed on the user's computer if this option is configured. If there is no minidriver installed then the USS application will attempt to use native access. If native access is not supported for the credential then no operations will be possible with the credential.
Use native access if possible: The USS application will attempt to use the native access to the credential if this option is configured. If native access to the credential is not supported then the USS application will attempt to use the minidriver interface. If there is no minidriver available then no operations will be possible with the credential.
Force native access: The USS application will only use the native access to the credential if this option is configured. If native access to the credential is not supported then no operations will be possible with the credential.
Enable the Enable challenge/response for offline PUC based unblock checkbox if credential unblock using challenge/response must be possible for credentials that only support PUC. For example, PIV tokens only support unblock through PUC, but with this configuration in the USS it will be possible to use challenge/response. Additionally, support for this feature must be enabled on the server side: the Enable challenge/response for offline PUC based unblock setting needs to be enabled on the vSEC:CMS from the Options – Security page using the Operator Console.
Permissions
From the Permissions tab a number of configuration options are available. The table below lists all functionality available in the USS application together with its default setting.
Action | Description | Default Setting
My Certificates | This is the certificates page that is available from the USS main application window which will list all certificates on the user's credential. | Available
My Smart Card | This is a dialog that can be opened from the File menu. This will present detailed technical details about the attached user credential which can be useful when troubleshooting issues. | Available
My Profile | This is the page available from the USS main application window where a user can set an authentication passphrase for authenticating to the self-service server where configured; issue a blank credential (either physical credential or virtual credential) and enter approval code. | Available
My Profile – Approve | This is an option from the My Profile page where, if configured, an approval option in the form of an approval code can be provided in order for the user to authenticate before they are allowed to issue a credential. | Available
My Profile – Retire | This is an option from the My Profile page where, if configured, the user can retire the attached credential. | Available
My Profile – Issue | This is an option from the My Profile page where, if configured, the user can issue the attached credential. | Available
My Profile – Destroy | This is an option from the My Profile page where, if configured, the user can destroy the attached credential. This is only applicable for virtual credential. | Available
My Team | This is a placeholder for future functionality that will be added to the USS application. Currently no functionality will be available from this action item. | Hidden
My Updates | This page will show pending credential update operations that should be performed on the credential. These would typically be certificate renewal when a certificate is due to expire. | Hidden
My PIN | This is the page available from the USS main application window where a user can change their PIN and unblock their PIN. | Available
My PIN – Change PIN | This is an option from the My PIN page where it is possible to change the PIN for the attached credential. | Available
My PIN – Unblock (Crypto) | This is an option from the My PIN page where it is possible to unblock the PIN for the attached credential either online or offline. | Available
My PIN – Unblock (PUC) | This is an option from the My PIN page where it is possible to unblock the PIN for the attached credential using PUC code. | Available
My Profile - Approve | This button will be available to users who can approve unblock PIN requests. | Available
My Certificates - Delete | This is the delete button available from the My Certificates page. If this button is available a user can select a certificate on the credential and delete it. | Hidden
My Certificates – Import | This is the import button available from the My Certificates page. If this button is available a user can import a certificate onto the credential. | Hidden
My Certificates – Default | This is the default button available from the My Certificates page. If this button is available a user can select a certificate on the credential and make it the default certificate on the credential. | Hidden
My Certificates – My PIN | This is the PIN button available from the My Certificates page. If this button is available a user can click the button and the application will go to the My PIN page. | Hidden
My Certificates – Reissue | This button will allow for the reissue of the selected certificate that was issued on the credential during the smart card issuance. | Available
My Certificates – Recover | This button will allow for the recovery of a certificate that has been configured for key recovery in the card template. | Available
Check for Updates | By default, the USS application will be configured to not check for product updates. If this feature is enabled then the application will check the Versasec product updates web service and prompt the user to update their product version. | Hidden
Save diagnostic trace | This option is available from Help – Diagnostic from the file menu. This will allow a user to save a diagnostic log which is useful when troubleshooting issues. | Available
Key archival – Recovery | This functionality will allow a key to be archived and/or recovered to the credential if this is configured on the credential template. | Available
Dialog – Updates | This functionality will allow for a credential update dialog to be launched when a credential that needs to be updated is attached and the USS application is running in system tray mode. | Available
My WHfB | This is the page available from the USS main application window where a user can view their WHfB container and its contents. | Hidden
Dialog - Change PIN | By default this feature is disabled. This should be enabled if My PIN is hidden but you still want server-side change PIN enforced. | Hidden
In order to configure any of the options available in the table above follow the instructions below. For example, if it is required to not allow users to delete certificates from the USS application then it will be necessary to perform the following steps:
1. Select the Action item My Certificates - Delete and click the Delete button.
2. Select the item deleted in the previous step and from the drop-down list select Hidden and click Add.
3. The item will now be listed in the main window and the Delete button will not be available from the My Certificates page of the USS application.
Server
From the Server tab a number of configuration options are available.
Here you will configure the URL of the vSEC:CMS service that the USS application will communicate with when performing self-service operations and the protocol that will be used for the communication.
It is recommended to use gRPC protocol as this provides improved performance capabilities compared to SOAP.
- Select Prefer Soap, which will result in the USS attempting to use SOAP and, if it cannot communicate via SOAP, then attempting to use gRPC;
- Select Prefer gRPC, which will result in the USS attempting to use gRPC and, if it cannot communicate via gRPC, then attempting to use SOAP;
- Select Force Soap, which will result in the USS attempting to use SOAP and, if it cannot communicate via SOAP, failing to communicate;
- Select Force gRPC, which will result in the USS attempting to use gRPC and, if it cannot communicate via gRPC, failing to communicate.
For example, if the vSEC:CMS server has an IP address of 172.0.0.10 and the connection on the vSEC:CMS is configured for HTTP access on port 8080 using SOAP protocol, then the following should be entered into the Server URL (SOAP) field: http://172.0.0.10:8080/uss
It is necessary to add /uss after the host name/IP address and port number when configuring SOAP. Click the Test button to test if the communication to the backend URL is successful. You will get a success dialog if it is possible to communicate with the backend.
For the gRPC URL only enter the host name/IP address along with the port in the field provided; do not append /uss. For example, if the vSEC:CMS server has an IP address of 172.0.0.10 and the connection on the vSEC:CMS is configured for HTTP access on port 8081 using gRPC protocol, then the following should be entered into the Server URL (gRPC) field:
http://172.0.0.10:8081
Click the Test button to test if the communication to the backend URL is successful. You will get a success dialog if it is possible to communicate with the backend.
The protocol settings and URL settings will be set in the registry of the client in the location [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_T]. These registry names are: cms.server.protocol, grpc.server.url and soap.server.url. The cms.server.protocol can have 4 different values:
- 1 - which sets Prefer SOAP;
- 2 - which sets Prefer gRPC;
- 3 - which sets Force SOAP;
- 4 - which sets Force gRPC.
It may be necessary to open firewall ports in order for the USS to communicate to the vSEC:CMS.
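When the registry values above are pushed out by script rather than by GPO, it helps to validate the URLs first (SOAP needs the /uss path, gRPC must be host:port only) and to map the protocol choice to its numeric value. This is an added example, not Versasec tooling: the key path and value names come from the page, while the value types (DWORD for cms.server.protocol, REG_SZ for the two URLs) are an assumption to confirm against a client configured through -configure.

```python
"""Build a .reg fragment for the USS server settings.

Added example, not Versasec's own tooling. The registry key and the value
names cms.server.protocol, grpc.server.url and soap.server.url come from the
documentation; the value types (DWORD / REG_SZ) are an assumption.
"""
from urllib.parse import urlsplit

REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_T"

# cms.server.protocol values as documented: 1..4.
PROTOCOL_VALUES = {
    "prefer soap": 1,
    "prefer grpc": 2,
    "force soap": 3,
    "force grpc": 4,
}


def validate_soap_url(url: str) -> str:
    """The SOAP endpoint must be scheme://host:port/uss (the /uss path is required)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"SOAP URL needs an http(s) scheme and a host: {url!r}")
    if parts.path.rstrip("/") != "/uss":
        raise ValueError(f"SOAP URL must end with /uss: {url!r}")
    return url


def validate_grpc_url(url: str) -> str:
    """The gRPC endpoint is scheme://host:port only, with no path component."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"gRPC URL needs an http(s) scheme and a host: {url!r}")
    if parts.port is None:
        raise ValueError(f"gRPC URL must include an explicit port: {url!r}")
    if parts.path not in ("", "/"):
        raise ValueError(f"gRPC URL must not carry a path such as /uss: {url!r}")
    return url


def _reg_escape(value: str) -> str:
    """Escape backslashes and quotes as required inside a .reg string value."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_fragment(protocol: str, soap_url: str, grpc_url: str) -> str:
    """Return the text of a .reg file that sets the three documented values."""
    key = protocol.strip().lower()
    if key not in PROTOCOL_VALUES:
        raise ValueError(f"unknown protocol choice {protocol!r}; expected one of {sorted(PROTOCOL_VALUES)}")
    validate_soap_url(soap_url)
    validate_grpc_url(grpc_url)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{REG_KEY}]",
        f'"cms.server.protocol"=dword:{PROTOCOL_VALUES[key]:08x}',
        f'"soap.server.url"="{_reg_escape(soap_url)}"',
        f'"grpc.server.url"="{_reg_escape(grpc_url)}"',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Values taken from the page's example: SOAP on port 8080 with /uss, gRPC on port 8081.
    print(build_reg_fragment("Prefer gRPC", "http://172.0.0.10:8080/uss", "http://172.0.0.10:8081"))
```

The output can be imported silently on a client with regedit /s, or the same three values can be carried in a GPO registry preference item.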
System Tray Mode
In a lot of scenarios it will be required to have the USS running in the system tray. It is possible to start USS in system tray mode by passing the parameter -s to the USS executable. For example, open a command prompt as administrator and go to the location where the USS is installed, typically C:\Program Files\Versasec\vSEC_CMS Self-service for 64-bit version and C:\Program Files (x86)\Versasec\vSEC_CMS Self-service for 32-bit version.
vSEC_CMS_T_USS.exe -s
Normally, this can be scripted and pushed out as part of your software deployment. For example purposes, if all users that log onto a client should have the USS running in the system tray then you would need to add a shortcut to the USS executable vSEC_CMS_T_USS.exe in the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
Additionally, it may be common that you log onto your client without having established a connection to your backend, for example you need to log into your VPN first. In this case the end user will receive an error dialog that connection could not be established. Later when you have established a connection to your backend the USS will not reconnect with the backend. In this case you should pass in an additional parameter -autoconnect. This will suppress the error message when a connection could not be made and then when the connection comes up the USS will auto connect.
The target should look like below if the USS is installed into the default location (for the 64-bit version):
"C:\Program Files\Versasec\vSEC_CMS Self-service\vSEC_CMS_T_USS.exe" -s -autoconnect
Suppress Warnings at Startup
If the USS is configured to connect to the vSEC:CMS backend and for whatever reason the client is offline then when starting the USS a message dialog will be displayed warning the user that the USS could not connect to the vSEC:CMS. This message dialog can be suppressed by passing in a parameter -autoconnect when starting the application. For example, open a command prompt as administrator and go to the location where USS is installed, typically C:\Program Files (x86)\Versasec\vSEC_CMS Self-service.
vSEC_CMS_T_USS.exe -autoconnect
Additionally, starting the USS with this parameter will allow the USS to reconnect to the backend if and when the backend is available.
Configure USS in Kiosk Mode
If it is required to configure the USS to be used in kiosk mode it will be necessary to include a file named cms_app.cfg and this should be placed beside the USS executable file which is typically installed to C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS.
The contents of the file should be similar to below:
The factory signature in the below sample is not a complete signature. If you plan to use kiosk mode please use this signature value:
KXpC+EQaYM+DSqPx+ur6dycgzQgq3xL1BdBGmaI89+8UTNvVY1rCL73F+bSdsI11XVJlBuwRHjhKFhpeNzcSIO7oykRyqJ/7DB/8YZ5rD7o/+p0uXNxzMpY6Va6I5WTUjaiw8KeZJ6uQ10ye4VIuJ2fi8LBr/2WUZ+l39O5zW8k=
<?xml version="1.0" encoding="UTF-8"?>
<config>
  <factory signature="KXpC+EQa...">
    <std/>
    <force/>
  </factory>
  <oem>
    <std></std>
    <force>
      <option>
        <gui>
          <mode>0x00000001</mode>
        </gui>
      </option>
    </force>
  </oem>
</config>
The section <gui> needs to be set with the value 0x00000001 if the USS should be run in kiosk mode. In order to run the USS in normal mode then change this value to 0x00000000.
If the USS is to be run in kiosk mode then the file cms_app.cfg needs to be pushed/copied to all clients where USS is installed and placed in the root installation folder, typically here C:\Program Files (x86)\Versasec\vSEC_CMS vSEC:CMS if the USS is installed to default location.
Customise USS Layout
It is possible to change the default icon that appears in the top left of the main USS application dialog. By default, a vSEC:CMS icon will be shown.
Additionally, it is possible to change the splash screen image that is displayed when you launch the USS application. By default, a NYC skyline image will be shown.
In order to make these changes it will be necessary to include a file named cms_app.cfg and this should be placed beside the USS executable file which is typically installed to C:\Program Files (x86)\Versasec\vSEC_CMS S-Series if you have installed the 32-bit version or C:\Program Files\Versasec\vSEC_CMS S-Series if you have installed the 64-bit version.
The contents of the file would be as below (if 64-bit version is installed into default location):
<?xml version="1.0" encoding="UTF-8"?>
<config>
  <factory signature="KXpC+EQa...">
    <std/>
    <force/>
  </factory>
  <oem>
    <std></std>
    <force>
      <option>
        <gui>
          <!-- Company logo top left of main app dialog -->
          <logo>
            <!-- Types: bmp. Size: 220 x 40 -->
            <file>C:\Program Files\Versasec\vSEC_CMS Self-service\logo.bmp</file>
          </logo>
          <!-- Splash screen image -->
          <startimg>
            <!-- Types: bmp, png. Size: 1012 x 637 -->
            <file>C:\Program Files\Versasec\vSEC_CMS Self-service\splashscreen.png</file>
          </startimg>
        </gui>
      </option>
    </force>
  </oem>
</config>
Where signature value should be: KXpC+EQaYM+DSqPx+ur6dycgzQgq3xL1BdBGmaI89+8UTNvVY1rCL73F+bSdsI11XVJlBuwRHjhKFhpeNzcSIO7oykRyqJ/7DB/8YZ5rD7o/+p0uXNxzMpY6Va6I5WTUjaiw8KeZJ6uQ10ye4VIuJ2fi8LBr/2WUZ+l39O5zW8k=
The element <gui> needs to have <logo> and <startimg> elements. Inside these elements a <file> element will point to the location where these images will reside.
For the <logo> image the file needs to be of type BMP or PNG and have a size of 220 x 40 pixels.
For the <startimg> image the file needs to be of type BMP or PNG and have a size of 1012 x 637 pixels.
Configure USS Server-Side
If USS is to be used then it will be required to configure this on the server-side in the credential template. In this section the different configuration options will be described.
If you do use USS the vSEC:CMS - User Self-Service service needs to be running. It is recommended that you configure the server Startup type to run as Automatic (Delayed Start) as in the example dialog below to ensure that the service starts after a system reboot.
In order to enable USS support for a credential template go to Templates - Card Template and in the General section click the Manage button.
Click the Add button. Enter a name in the Template name field.
If it is required that the end user will be allowed to self issue their credential from the USS client then enable Self-issuance enabled. Additionally, if it is required that the end user will be allowed to retire their credential from the USS client then enable the Retire card enabled checkbox. These functions will be performed from the My Profile page in the USS application.
If self-issuance is enabled it will be required to enable Issue by User(s) in the Issue Card section of the credential template. See the article Manage Hardware Credentials using vSEC:CMS User Self-Service for a complete example of how this might be configured in a real-life scenario.
In the User Authentication for PIN Unblock section 3 options are available from the drop-down list, Use passphrase to authenticate user, Use windows credentials to authenticate user and Use smartcard challenge/response.
If OAuth is configured in your environment (from Connections - OAuth Identity Provider (IdP)) then you will see the OAuth template in User Authentication for PIN Unblock drop-down list. Select the OAuth template that should then be used when authenticating the user during unblock operations.
Use passphrase to authenticate user
Select the Use passphrase to authenticate user if it is required that the user who is performing the unblock operation from the USS application is required to enter a passphrase to authenticate during the unblock procedure.
Enable the System generates passphrase at card issuance if the vSEC:CMS application should generate a passphrase for the user when issuing the user's credential.
Enable the User may change passphrase checkbox if the user is allowed to change their passphrase from the USS application.
Click the Deliver button to create an email or SMS template that will be used to send the generated passphrase to the user at credential issuance. See the section below for further details on this.
Email and SMS Template Configuration
If it is planned to send notifications to the end user via email or SMS then follow the instructions in this section.
Add Email Passphrase Notification Template
Click the Add button to add a template.
Enter a template name and select the Outgoing Email Server from the drop-down list. The email server connection will need to be already configured from Options - Connections - Email.
Click the Edit email template button.
Enter a From email address and enter the variable name that should be used to retrieve the user email from the user directory. Enter a CC and BCC if required. Enter an appropriate subject for the email.
For the email body two options are available - html or text. If Html is selected it will be necessary to import a MHT file which contains the content of the email body. MHT files can be created using MS Word for example. vSEC:CMS variable names can be used which will be replaced with actual data, for example the user's name can be retrieved from the user directory.
When adding variable placeholders to either MHTML or plain text the variable needs to be entered correctly i.e. the variables are case sensitive.
If text is selected enter the appropriate message body and use vSEC:CMS variables to populate specific details such as the user's name for example.
Click Ok to save the email template and click Save to close and save.
Add SMS Notification Template
Click the Add button to add a template.
Enter a template name and select SMS from the drop-down list.
Click the Manage button and click Add to add an SMS provider.
Currently the SMS providers that can be used are TeleSign, Certificall, Clickatell, Tyntec and Dolphin. It is also possible to configure a Generic HTTP SMS connector if the provider supports HTTP.
Enter a template name and the Service address and Service mobile address fields will automatically be entered with the details for TeleSign. In the Credentials section enter the credentials as provided by TeleSign. Click Save to save and close the dialog. Then from the drop-down list for SMS Provider select the template just created.
For the other supported SMS providers (Certificall, Clickatell, Tyntec and Dolphin) the protocol used is SMS over HTTP as this is the protocol supported by these providers. If additional providers not listed here do support SMS over HTTP then the generic HTTP provider can be configured. Sample configurations have been pre-set for the providers supported. It is necessary to check with your provider to determine what parameters are required.
For example, if you are using Clickatell as your provider then enter a template name and select Clickatell from the available SMS providers. Enter the service address and the protocol required. In the Parameters section pre-set parameters are already provided. The user, password and api_id need to be configured with your specific credentials. The to and text will be assigned to variables mapped to attributes as the phone number will need to be retrieved for the user typically from a user directory and the text needs to be retrieved.
Click the Edit SMS template button to create a SMS message template. Enter a phone number in the Phone number field. This would typically be a variable that is mapped to an attribute in the user directory. In the message window enter the message content that you wish to send. From the Variables drop-down list select a variable that is required and click the Copy button to copy the variable value which can then be pasted into the message window. Click Ok to save the settings.
When adding variable placeholders the variable needs to be entered correctly i.e. the variables are case sensitive.
Configure Passphrase Policy
Click the Policy button to configure a passphrase policy that needs to be met when the user sets their passphrase. By enabling the Adjacent positions allowed check box a passphrase which has repeated characters adjacent to one another will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field. The value entered will set the number of times that a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed passphrase values and 11111c and aaaaa1 are not allowed passphrase values.
The value set here cannot exceed Max appearance value that is configured in the field described below.
The Max appearance configures the passphrase policy to set the allowed number of appearances of a character in a passphrase but it is not possible to specify which character. For example, if the value for Max appearance is set to 2 then the passphrase value 0001 would not be allowed whereas the passphrase value 0011 would be allowed.
The Max length of sequence is the maximum length of a run of consecutive characters, for example 1,2,3,4,5,6... For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed passphrase values and 12345c and abcde1 are not allowed passphrase values.
The Max repeated characters configures the passphrase policy to set the number of different characters that can be repeated at least once. For example, if this value is set to 1 this means one character can be repeated but it is not possible to specify which one.
The Tries counter configures the passphrase policy to set the number of incorrect passphrase entry attempts a user can attempt before the flow will be terminated. The user will then need to request resetting of the passphrase.
Enable the Character set restrictions checkbox in order to be able to configure specific character combinations to be used when setting a passphrase. If this checkbox is not enabled then all characters will be allowed to be used when setting a passphrase.
If the Character set restrictions checkbox is enabled then it is possible to configure specific allowed characters when setting a passphrase. These can be set to either Allowed or Mandatory or both. If Alphabetic uppercase is enabled then the passphrase must contain an upper-case character. If Alphabetic lowercase is enabled then the passphrase must contain a lower-case character. If None alphabetic is enabled then the passphrase must contain a character that is neither numeric nor alphabetic, for example, any of these characters would qualify in this case - !"£$%^&*(). If None Ascii is enabled then the passphrase must contain a non-ASCII character.
The New passphrase must differ checkbox configures the passphrase policy, if enabled, to ensure that the new passphrase entered is not the same as the previous passphrase set.
For Passphrase length, the Min configures the passphrase policy to set the minimum length that the passphrase needs to be when the user is setting their passphrase and the Max configures the passphrase policy to set the allowed maximum length that the passphrase can be when the user is setting their passphrase.
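The policy fields above combine into a single pass/fail decision, and the page's own examples (1111c1 allowed but 11111c not with Allowed repetitions 4, 0011 allowed but 0001 not with Max appearance 2, 1234c5 allowed but 12345c not with Max length of sequence 4) make a good acceptance test for it. The checker below is an added example, not Versasec code; it models the Mandatory form of the character set restrictions, and it assumes sequences are counted ascending only (each code point one higher than the previous), since the page illustrates only 1,2,3,4,5,6...

```python
"""Passphrase policy checker mirroring the vSEC:CMS policy fields.

Added example, not Versasec code. Field semantics follow the documentation;
where it is silent (ascending-only sequences) that is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List


def longest_adjacent_run(s: str) -> int:
    """Length of the longest run of one character in adjacent positions (Allowed repetitions)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ch == s[i - 1] else 1
        best = max(best, run)
    return best


def max_char_appearance(s: str) -> int:
    """Highest number of times any single character appears anywhere (Max appearance)."""
    return max(Counter(s).values(), default=0)


def longest_sequence(s: str) -> int:
    """Longest run of consecutive characters such as 1234 or abcd (Max length of sequence).

    Assumption: only ascending sequences are counted, each code point one
    higher than the previous, matching the page's 1,2,3,4,5,6... illustration.
    """
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ord(ch) == ord(s[i - 1]) + 1 else 1
        best = max(best, run)
    return best


def repeated_character_count(s: str) -> int:
    """Number of distinct characters that occur more than once (Max repeated characters)."""
    return sum(1 for n in Counter(s).values() if n > 1)


@dataclass
class PassphrasePolicy:
    min_length: int = 8                    # Passphrase length: Min
    max_length: int = 64                   # Passphrase length: Max
    allowed_repetitions: int = 2           # Allowed repetitions (adjacent positions)
    max_appearance: int = 2                # Max appearance of any one character
    max_sequence_length: int = 4           # Max length of sequence
    max_repeated_characters: int = 1       # Max repeated characters
    require_upper: bool = False            # Alphabetic uppercase set to Mandatory
    require_lower: bool = False            # Alphabetic lowercase set to Mandatory
    require_non_alphabetic: bool = False   # "None alphabetic": neither letter nor digit
    require_non_ascii: bool = False        # "None Ascii" set to Mandatory
    must_differ: bool = True               # New passphrase must differ

    def __post_init__(self) -> None:
        # Documented constraint: Allowed repetitions cannot exceed Max appearance.
        if self.allowed_repetitions > self.max_appearance:
            raise ValueError("Allowed repetitions cannot exceed Max appearance")

    def violations(self, new: str, previous: str = "") -> List[str]:
        """Return every rule the candidate passphrase breaks; an empty list means accepted."""
        v: List[str] = []
        if not self.min_length <= len(new) <= self.max_length:
            v.append(f"length must be {self.min_length}-{self.max_length}")
        if longest_adjacent_run(new) > self.allowed_repetitions:
            v.append(f"more than {self.allowed_repetitions} identical adjacent characters")
        if max_char_appearance(new) > self.max_appearance:
            v.append(f"a character appears more than {self.max_appearance} times")
        if longest_sequence(new) > self.max_sequence_length:
            v.append(f"sequence longer than {self.max_sequence_length}")
        if repeated_character_count(new) > self.max_repeated_characters:
            v.append(f"more than {self.max_repeated_characters} distinct characters repeated")
        if self.require_upper and not any(c.isupper() for c in new):
            v.append("needs an upper-case character")
        if self.require_lower and not any(c.islower() for c in new):
            v.append("needs a lower-case character")
        if self.require_non_alphabetic and all(c.isalnum() for c in new):
            v.append("needs a character that is neither alphabetic nor numeric")
        if self.require_non_ascii and new.isascii():
            v.append("needs a non-ASCII character")
        if self.must_differ and previous and new == previous:
            v.append("must differ from the previous passphrase")
        return v


if __name__ == "__main__":
    policy = PassphrasePolicy(min_length=6, require_upper=True, require_non_alphabetic=True)
    for candidate in ("Tr0ub4d!r", "aaab1234!"):
        print(candidate, policy.violations(candidate) or "accepted")
```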
Use windows credentials to authenticate user
Select Use windows credentials to authenticate user if it is required for the user to provide their Windows domain username and password as the authentication credential during the smart card unblock flow.
Use smartcard challenge/response
Select Use smartcard challenge/response if it is required for the user to perform the unblock via a helpdesk type flow. The flow in this case will be similar to the flow when the user is offline. See the article Perform PIN Unblock and look in the section Offline PIN Reset for details on what that flow will look like.
PIN Unblock Codes
In the PIN Unblock Codes section several options are available.
Enable the Enable checkbox to configure the support of this feature.
It is mandatory that this setting is enabled otherwise it will not be possible to create and save a self-service template.
Click the Expiration button to configure the lifetime for an unblock code that can be generated and provided to the credential holder. Different methods of how unblock codes can be sent are described in the sections below. You can configure the lifetime to minutes, hours, days and weeks.
If you do not configure the expiration feature then the unblock code generated will never expire. However, any subsequent unblock code that is generated will invalidate the previous code generated.
User may request unblock code via console
Enable the User may request unblock code via console if the user to whom the credential is issued is allowed to request an unblock code from the USS. Enable the Approval checkbox if it is required that any request for an unblock code from a user requires approval before the code is provided to the user. Click the Configure button to configure the approval as would be set in a Windows AD environment. See the section below Configure Approval in AD Environment for further details on this.
If Approval is enabled it will be necessary to enable and configure the Deliver option described below, otherwise it will not be possible to save the template configuration.
Enable the Force authentication checkbox if it is required that the user needs to authenticate before they can proceed with an unblock request. Depending on what authentication mechanism is configured in the User Authentication for PIN Unblock the user will be prompted to present an authentication credential. Enable the Deliver checkbox if it is required to configure an email or SMS template that can be used to send an email or SMS to the user with the unblock code when they request an unblock code. See the section Email and SMS Template Configuration above for details on this.
If the Approval and Deliver options are not enabled then the user will only need to enter their passphrase when performing a PIN unblock from the USS application. In this case the PIN unblock will occur in the background. This is the least secure configuration method possible.
Operator may generate unblock codes
A user whose credential is blocked may request an unblock code in order to unblock the credential. This would typically be conducted through a dedicated helpdesk service.
Enable the Operator may generate unblock codes if it is to be allowed for operators with the appropriate permissions to generate PIN unblock codes for user credentials issued and managed by the vSEC:CMS. Enable the Show code checkbox if the PIN unblock code will be displayed to the operator when they request the PIN unblock code from Actions - Smart Card Unblock. The operator would then need to provide this code back to the user in order for them to perform the PIN unblock.
Enable Enforce usage if exists if it is to be allowed for an operator to generate an unblock code for a managed credential when the end user, via the self-service, does not remember their authentication credentials to perform an online unblock. In this case the end user can contact their helpdesk and request that an unblock code is generated and provided back. This code is then used to unblock the managed credential.
Enable the Deliver check box if it is required to configure an email or SMS template that can be used to send an email or SMS to the user with the unblock code when the operator requests an unblock code. Enable the Deliver at issuance check box to configure the vSEC:CMS to send an email or SMS of an unblock code that will be sent when the credential is issued for the first time. Enable the Deliver manually checkbox if it is required to send an unblock code to the credential holder via email or SMS. Click the Configure button to configure the channel that the unblock code will be sent through. Click the Test button to perform a test to ensure that the configured delivery channels are functional. Refer to the article Delivery of Smart Card Unblock Codes for more details on this particular feature.
For email or SMS configuration see the section Email and SMS Template Configuration above for details on this.
It is mandatory that at least one of the configuration options, User may request unblock code via console or Operator may generate unblock codes, is enabled here, otherwise it will not be possible to create and save a self-service template.
Configure Approval in AD Environment
This section provides guidelines on how to configure approval workflows in a Windows AD environment.
This is only a guideline and it is expected that a MS Windows server engineer with the appropriate knowledge and expertise would conduct this setup.
Users
The table below lists the test users used in this example and their locations in terms of organizational units (OU). Users in the OU help-desk are not allowed to obtain approval from admins for self-service tasks. Users in the OU self-service are allowed to perform self-service tasks, which are approved by admins from the group Admins.
Users | OU = help-desk | OU = self-service | Group: Admins
user0 | | |
user1 | X | |
user2 | X | |
admin0 | | |
admin1 | X | |
Permission Configuration
The permission selected here is the built-in Windows permission Reset password. Any extended permission that is configurable in the vSEC:CMS can be used.
Below are examples of permissions on OU=help-desk and for OU=self-service for the Admins group:
Validating Permissions in AD
You can check that the permissions are correctly configured by viewing the Effective Permissions for the Admins group on each user object.
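The same check can be scripted so that it is repeatable across all users in an OU. The following PowerShell script is an added example and is not part of the vSEC:CMS documentation or product; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and group name are placeholders to be replaced with your own values. It reports, for every user in the self-service OU, whether the approver group holds an Allow ACE for the Reset Password extended right (explicitly or inherited from the OU, which is the configuration described above).

```powershell
# Added example, not vSEC:CMS code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SelfServiceOU = 'OU=self-service,DC=example,DC=com'   # placeholder: your OU
$ApproverGroup = 'Admins'                              # placeholder: your approver group

# Schema GUID of the "Reset Password" control access right (well-known, fixed in AD).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Resolve the group to the DOMAIN\Name form used by ACE identity references.
$groupSid  = (Get-ADGroup -Identity $ApproverGroup).SID
$groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value

function Test-ResetPasswordRight {
    param([string]$DistinguishedName)

    # The AD: drive is created when the ActiveDirectory module is imported.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Inherited ACEs (e.g. granted on the OU) are included in $acl.Access.
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $groupName -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ResetPasswordRight
    }
    return [bool]$match
}

Get-ADUser -SearchBase $SelfServiceOU -Filter * | ForEach-Object {
    [pscustomobject]@{
        User                 = $_.SamAccountName
        ApproverGroup        = $ApproverGroup
        ResetPasswordGranted = Test-ResetPasswordRight -DistinguishedName $_.DistinguishedName
    }
} | Format-Table -AutoSize
```

This inspects ACEs granted directly to the approver group; it does not evaluate nested group membership or Deny ACEs on other principals, so the Effective Permissions tab in the AD console (or the vSEC:CMS Check Permission test described below) remains the authoritative check.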
Validating Permission Using vSEC:CMS
It is possible to validate permissions from the vSEC:CMS to ensure that the environment is configured correctly. When the vSEC:CMS is configured for approval it is possible to validate the permissions configured.
Select the Extended Rights configured from the available drop-down list and enable Self approval not allowed if all unblock PIN requests must be approved by another person, i.e. it will not be possible for a person to approve their own request. In the Test Permission section it is possible to test with actual users. For Requester, click the Get button to select a user who can request a PIN unblock. For Approver, click the Get button to select a user who can approve such a request, then click the Check Permission button. If the Windows server environment is configured correctly a success dialog will be presented.