Introduction
It is possible to configure the export of certificate data when performing life cycle operations from vSEC:CMS. This can be used if it is required to update external systems with certificate related information when life cycle tasks are performed.
Configure Certificate Data Export
From Templates – Credential Templates select an already configured credential template that you wish to use for this functionality and click the Edit button.
In the Issue credential section click the Edit button.
Select the certificate you want to extract data for in the Enroll Certificate Options section and click the Export button. Click the Manage button and click Add.
It is possible to export data to file OR MS SQL table.
If the data is to be exported to file select the type File (Export to file) from the Target drop-down list and follow the instructions in this paragraph to configure this type. Select Write automatically to file option if it is required to write to file when the life cycle operation is configured to export the data. Click the Format button to configure the file format and select the data that can be exported to file. Currently Delimited text, XML format and JSON format is supported with encoding of either UTF-8 or UTF-16. The data that is selected to be exported can be configured so that the sequence of the entries as written to the export data file can be set. Use the Up and Down button to configure the sequence of data variables as written to file. Click the Browse button to select a file that the application will write the data to. From the Permissions section, it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.
It is not possible to cache the data that is to be exported, therefore this option is disabled here.
If the data export is configured to write data to XML file it is important to note that special characters will be handled differently because XML syntax uses some characters for tags and attributes therefore it is not possible to directly use those characters inside XML tags or attribute values. For these characters, the vSEC:CMS uses the numeric character reference instead of that character as defined in the XML standard.
If the data is to be exported to an SQL table select the type SQL (Export to SQL database) from the Target drop-down list and follow the instructions in this paragraph to configure this type. Select Write to database automatically option when the life cycle operation is configured to export the data. Select the SQL DB from the Database drop-down list. It will be required that a connection to the SQL table that the data should be written to is already added from Options – Connections – SQL Database (see the article Using MS SQL with vSEC:CMS and follow the instructions in the section MS SQL Support for Export of vSEC:CMS Data). Click the Test button to test that connection to the database is functional. Click the Configure fields button to configure the mappings of the vSEC:CMS variables to the SQL database columns. Click the Get button to retrieve the table that the data should be exported to and select this from the drop-down list if multiple tables are available. From the Variables table select an entry and click Edit value button. Select All from the drop-down list and select the variable that should be mapped to. If a static value is to be written to the table during export then enter the value in the Static field. From the Permissions section, it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.
It is not possible to cache the data that is to be exported, therefore this option is disabled here.
Once the data export has been configured then it will be necessary to enable this for each of the life cycle tasks where this is possible. From the credential template enable the Export certificate data option. Currently it is possible to enable this for the following life cycle task:
- Issue
- Initiate
- Inactivate
- Activate
- Lock
- Revoke
For other CMS related operations the data export will be performed automatically and these will not be possible to configure. These are certificate related actions performed from the self-service application and from Actions – Certificate(s)/Keys.
The vSEC:CMS variables that can be exported are described in the table below.
|
CMS Variable Name |
Description |
|
UserEmail |
The users email address. This will be retrieved from AD mail attribute if an email address exists. |
|
RevocationReasonStr |
This is the revocation reason in string format specific to MS CA as defined in MS API. This data will be exported when the managed credential token is revoked. See the OCSP_BASIC_REVOKED_INFO as defined in the MS API wincrypt.h. |
|
RevocationReason |
This is the revocation reason value (0 to 8) specific to MS CA as defined in MS API. This data will be exported when the managed credential token is revoked. See the OCSP_BASIC_REVOKED_INFO as defined in the MS API wincrypt.h. |
|
RevocationComment |
This is revocation reason comment, if applied, that will be exported when the managed credential token is revoked. |
|
PivUuid |
This is the UUID that will be exported if the credential token issued is a PIV credential. |
|
PivOrgAffiliation |
This is the organization affiliation data that will be exported if the credential token issued is a PIV credential. |
|
PivNameLast |
This is the last name of the user that will be exported if the credential token issued is a PIV credential. |
|
PivNameFirst |
This is the first name of the user that will be exported if the credential token issued is a PIV credential. |
|
PivFascn |
This is the FASCN data that will be exported if the credential token issued is a PIV credential. |
|
PivEmployeeAffiliation |
This is the employee affiliation data that will be exported if the credential token issued is a PIV credential. |
|
OperatorName |
This is the name of the operator who performed the operation. |
|
OperatorDn |
This is the DN of the operator who performed the operation. |
|
DbCredentialsTemplateName |
This is the credential template name that was used. |
|
DbCredentialsTemplate |
This is an internal vSEC:CMSID for the credential templated used. |
|
DbCredentialsStatusStr |
This is the current status of the managed credential in string format. |
|
DbCredentialsStatus |
This is an internal vSEC:CMSID for the credential status. |
|
DbCredentialsRfidWiegandCode |
This is the Wiegand code used if RFID encoding is configured as part of the credential template life cycle management. |
|
DbCredentialsRfidWiegandCredentialId |
This is the Wiegand code ID if RFID encoding is configured as part of the credential template life cycle management. |
|
DbCredentialsRfidCsnHexRev |
This is the RFID CSN HEX encoding reversed value as set on the managed token. |
|
DbCredentialsRfidCsnHex |
This is the RFID CSN HEX encoding value as set on the managed token. |
|
DbCredentialsRfidCsnDecRev |
This is the RFID CSN DEC encoding reversed value as set on the managed token. |
|
DbCredentialsRfidCsnDec |
This is the RFID CSN DEC encoding value as set on the managed token. |
|
DbCredentialsRfidCsn |
This is the RFID CSN encoding value as set on the managed token. |
|
DbCredentialsOtpTokenId |
This is an internal vSEC:CMS ID for the operator token ID that performed the operation. |
|
DbCredentialsIdGuid |
This is the GUID of the user who the managed credential token is issued to. |
|
DbCredentialsIdDn |
This is the DN of the user who the managed credential token is issued to. |
|
DbCredentialsExpireStr |
This is the date when the certificate will expire in string format. |
|
DbCredentialsExpiresInDays |
This is the number of days that the certificate is valid for. |
|
DbCredentialsExpire |
This is the number of days that the certificate is valid for in decimal format. |
|
DbCredentialsDeviceId |
This is the device ID of the device that the credential token was issued on. |
|
DbCredentialsCsn |
This is the CSN of the token that a life cycle operation was performed on. |
|
DbCredentialsCertificatesValidToStr |
This is the date when the certificate will expire in string format. |
|
DbCredentialsCertificatesValidTo |
This is the date when the certificate will expire in decimal format. |
|
DbCredentialsCertificatesValidFromStr |
This is the date that the certificate in valid from in string format. |
|
DbCredentialsCertificatesValidFrom |
This is the date that the certificate in valid from in decimal format. |
|
DbCredentialsCertificatesTemplateName |
This is the CA connection template name used when performing the lifecycle operation. |
|
DbCredentialsCertificatesTemplate |
This is the internal vSEC:CMSID for the CA connection template name used when performing the lifecycle operation. |
|
DbCredentialsCertificatesSerialRev |
This is the certificate serial number in reverse order. |
|
DbCredentialsCertificatesSerial |
This is the certificate serial number. |
|
DbCredentialsCertificatesIssuerRev |
This is the issuer name in reverse order. |
|
DbCredentialsCertificatesIssuer |
This is the issuer name. |
|
DbCredentialsCertificatesIssuedToRev |
This is the name of the user who the certificate was issued to in reverse order. |
|
DbCredentialsCertificatesIssuedTo |
This is the name of the user who the certificate was issued to. |
|
DbCredentialsCertificatesHashRev |
This is the hash of the issued certificate in reverse order. |
|
DbCredentialsCertificatesHash |
This is the hash of the issued certificate. |
|
DbCredentialsCertificatesData |
This is base16 HEX encoded certificate X509 data. Note: The certificate data is not stored in vSEC:CMS repository, therefore this data will only be available when it is received from the CA at issuance time. The size of the base16 encoded data depends on the X509 size. |
|
DbCredentialsCertificatesDataB64 |
This is base64 HEX encoded certificate X509 data. Note: The certificate data is not stored in vSEC:CMS repository, therefore this data will only be available when it is received from the CA at issuance time. The size of the base64 encoded data depends on the X509 size. |
|
DbCredentialsAssignedStr |
This is the date that the certificate was assigned to the user in string format. |
|
DbCredentialsAssigned |
This is the date that the certificate was assigned to the user in decimal format. |
|
CurrentTimeStr |
This is the time that the operation was performed in string format. |
|
CurrentTimeLong |
This is the time that the operation was performed in decimal format. |
|
CredentialProcessId |
This is internal vSEC:CMS ID for the life cycle operations performed. See the Credential Process ID table below for a description of the IDs. |
|
CredentialProcess |
This is the name of the life cycle process performed. |
Credential Process ID Table
|
ID |
Description |
|
1 |
This ID indicates that a managed token is registered with the vSEC:CMS. |
|
2 |
This ID indicates that a managed token is unregistered with the vSEC:CMS. |
|
3 |
This ID indicates that a managed token had a credential update operation performed. |
|
4 |
Assigned as an internal system ID and will not be an exported value. |
|
5 |
Assigned as an internal system ID and will not be an exported value. |
|
6 |
Assigned as an internal system ID and will not be an exported value. |
|
7 |
Assigned as an internal system ID and will not be an exported value. |
|
8 |
This ID indicates that a managed token is issued with the vSEC:CMS. |
|
9 |
This ID indicates that a managed token is initiated with the vSEC:CMS. |
|
10 |
This ID indicates that a managed token is activated with the vSEC:CMS. |
|
11 |
This ID indicates that a managed token is inactivated with the vSEC:CMS. |
|
12 |
This ID indicates that a managed token is locked with the vSEC:CMS. |
|
13 |
This ID indicates that a managed token is unlocked with the vSEC:CMS. |
|
14 |
This ID indicates that a managed token is revoked with the vSEC:CMS. |
|
15 |
This ID indicates that a managed token is retired with the vSEC:CMS. |
|
16 |
This ID indicates that a managed token is deleted with the vSEC:CMS. |
|
17 |
Assigned as an internal system ID and will not be an exported value. |
|
18 |
Assigned as an internal system ID and will not be an exported value. |
|
19 |
Assigned as an internal system ID and will not be an exported value. |
|
20 |
Assigned as an internal system ID and will not be an exported value. |
|
21 |
Assigned as an internal system ID and will not be an exported value. |
|
22 |
Assigned as an internal system ID and will not be an exported value. |
|
23 |
Assigned as an internal system ID and will not be an exported value. |
|
24 |
Assigned as an internal system ID and will not be an exported value. |
|
25 |
This ID indicates that a managed token is reissued with the vSEC:CMS. |
|
26 |
Assigned as an internal system ID and will not be an exported value. |
|
27 |
This ID indicates that a managed token has its certificate deleted from Actions – Certificate/Keys with the vSEC:CMS. |
|
28 |
This ID indicates that a managed token has a new certificate issued from Actions – Certificate/Keys with the vSEC:CMS. |