Introduction
vSEC:CMS is an innovative, easily integrated, and cost-effective Credential Management System (CMS) designed to assist you in deploying and managing credentials within your organization.
vSEC:CMS is fully functional with Minidriver-enabled credentials, such as smart cards, USB tokens, and virtual smart cards, including Windows Hello for Business (WHfB). It streamlines all aspects of credential management by seamlessly connecting to enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers, and more. With vSEC:CMS, organizations can issue credentials to employees, personalize them with authentication details, and manage the entire credential lifecycle – all directly from this off-the-shelf product.
When first setting up vSEC:CMS, start by connecting to the server where vSEC:CMS is installed using Remote Desktop Protocol (RDP). After configuring the system, we strongly advise switching to a client-server connection method instead of relying on RDP for better performance.
Architecture
The vSEC:CMS client-server architecture utilizes both an RPC framework and SOAP with the following protocols:
- gRPC with HTTP/2 or HTTP/2 over TLS
- SOAP with HTTP or HTTPS
However, for simplicity, we will refer to it as HTTP(S).
Main Components of vSEC:CMS:
- vSEC:CMS Service: This Windows service is responsible for managing the vSEC:CMS database and operator account management for authorized users. It operates as a Windows service, defaulting to run under the SYSTEM account.
- vSEC:CMS SOAP/gRPC Service: Another Windows service, this component facilitates communication with the vSEC:CMS Service. It serves as the SOAP/gRPC service for the vSEC:CMS Agent, vSEC:CMS Admin, and the vSEC:CMS User Application.
- vSEC:CMS Agent or vSEC:CMS Admin: Each operator utilizes either of these components, operating within the user's context.
- vSEC:CMS User Application: This component is executed on an end user's workstation, enabling self-service credential operations with both conventional smart cards and virtual smart cards.
vSEC:CMS Service
The vSEC:CMS Service manages the internal SQL Database, which is stored in the [DAT] folder beside the service executable (CmsService.exe). By default, this folder has access permissions set for MS Windows SYSTEM user and the Windows user who installed the application. Optionally, the Database can be hosted in an external SQL database.
Before version 5.8, the security keys used by vSEC:CMS were stored on the Operator Credentials. From version 5.8, these keys will be stored on the server in an encrypted key store. These keys can optionally be stored in HSM if required.
The Database contains several tables. These tables contain information about the credentials managed and configuration settings used for the vSEC:CMS. The database is encrypted with keys stored on the Agent Credential; therefore, the database can only be accessed when an operator credential is available.
If the application is configured for backup, the vSEC:CMS Service encrypts the database and stores the backup file in the configured location.
If configured, the vSEC:CMS Service will send status information to the Windows Event Log.
vSEC:CMS gRPC/SOAP Service
The vSEC:CMS gRPC/SOAP Service facilitates secure communication via encrypted shared memory and HTTP(S) between vSEC:CMS components: Agent, Admin, and User Application.
It comprises three Windows services:
- vSEC:CMS - Operator Console Service
- vSEC:CMS - User Self Service
- vSEC:CMS - RSDM Service
Security is ensured through RSA-2048 encryption over SOAP/gRPC HTTPS channels connecting the Service to vSEC:CMS components.
When SOAP is used:
- SOAP-XML requests via Windows Web Services API (WWSAPI) are sent over HTTP/HTTPS to the vSEC:CMS SOAP Service.
- This service sends requests to the vSEC:CMS Windows service through encrypted shared memory.
- Responses are received, and XML responses are constructed and returned.
For gRPC:
- Server endpoints are implemented in the same services as SOAP endpoints.
Both SOAP and gRPC responses are parsed using WWSAPI by vSEC:CMS components.
vSEC:CMS Agent & vSEC:CMS Admin
Each operator launches either the vSEC:CMS Agent or vSEC:CMS Admin within their user's context, serving as their application interface. Operators must log in using a valid Agent Credential for two-factor authentication. The tasks that operators can perform are defined by their assigned roles, rather than the application interface used.
Agent Credentials contain security keys, accessible with a valid PIN.
The vSEC:CMS Agent or vSEC:CMS Admin Application communicates with the database through the vSEC:CMS gRPC/SOAP Service.
Communication with Directory Servers and Certification Authorities (CAs) is essential for handling Managed Credentials. Directory Servers are accessed via the LDAP(S) protocol, typically on ports 389 or 636, while Certification Authorities (CAs) use the DCOM/RPC protocol, usually on port 135.
Communication between the vSEC:CMS Agent, vSEC:CMS Admin, and the credential is handled through the credential Minidriver or the native Application Protocol Data Unit (APDU), depending on how credential access is configured. Certificate keys are generated on the credential, and certificate requests are sent to the CA using the Microsoft ICertRequest API.
vSEC:CMS User Application
The vSEC:CMS User Application is initiated for each user on their workstation, offering a user-friendly interface for self-service operations on their credential. Communication occurs exclusively through the vSEC:CMS gRPC/SOAP Service, utilizing the HTTP(S) protocol. The connection and port settings are configurable via the vSEC:CMS Admin interface.
vSEC:CMS RSDM
The vSEC:CMS Remote Security Device Management (RSDM) is a Windows service that is installed on each client machine where vSEC:CMS manages credentials, whether virtual or physical. When the RSDM service starts, it sends a registration request to the server-side RSDM service. The communication during registration occurs through the vSEC:CMS gRPC/SOAP Service, using the HTTP(S) protocol.
Furthermore, the RSDM service can receive push notifications from the server-side. These notifications are transmitted via User Datagram Protocol (UDP) broadcasting, which alerts the client of any pending events on the server that require processing.
Ports and Protocols
The following table outlines the ports and protocols used by vSEC:CMS, as shown in the architecture diagram. It is assumed that there are no firewalls between the vSEC:CMS service and any external component with which it communicates.
It is important to note that the listed ports are provided as a guideline only, as they may vary depending on your specific environment configuration.
| Application | Rule Type | Source System | Destination System | L7 Application/Service | Default Port | L4 Protocol |
|---|---|---|---|---|---|---|
| vSEC:CMS Operator Console | Inbound | External user | MS CA Service | DCOM/RPC | 135 | TCP |
| vSEC:CMS Operator Console | Inbound | External user | Directory | LDAP(S) | 389 or 636 | TCP |
| vSEC:CMS Operator Console | Inbound | External user | vSEC:CMS SOAP/gRPC Service | HTTP(S) | 80 or 443 | TCP |
| vSEC:CMS User Self-Service | Inbound | External user | vSEC:CMS SOAP/gRPC Service | HTTP(S) | 80 or 443 | TCP |
| vSEC:CMS RSDM Service | Inbound | External user | vSEC:CMS SOAP/gRPC Service | HTTP(S) | 80 or 443 | TCP |
| vSEC:CMS RSDM Service | (optional) Outbound | CMS service | Client RSDM service | Proprietary | Client configurable | UDP |
| vSEC:CMS Service | Outbound | CMS service | MS CA Service | DCOM/RPC | 135 | TCP |
| vSEC:CMS Service | Outbound | CMS service | Directory | LDAP(S) | 389 or 636 | TCP |
| vSEC:CMS Service | Outbound | CMS service | HSM | Proprietary for HSM | Depends on HSM | TCP |
| vSEC:CMS Service | Outbound | CMS service | Database | ODBC | 1433 | TCP |
Hardware Requirements
Supported Server Platforms for vSEC:CMS Installation:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Virtual servers are supported.
Minimum Hardware Requirements for vSEC:CMS Server:
- Processor: 2 GHz or faster
- RAM: 8 GB or greater
- Storage OS: 40 GB or greater
- Storage DB: 2GB or greater
- Connection: Gigabit Ethernet
Recommended Hardware Requirements for Optimal vSEC:CMS Server Performance:
- Processor: Intel Xeon with 2 GHz or faster
- RAM: 16 GB or greater
- Storage OS: 40 GB or greater
- Storage DB: 2GB or greater
- Connection: Gigabit Ethernet
Recommended Hardware Requirements for Optimal vSEC:CMS Client performance:
- Processor: Intel i5 with 1.90 GHz or faster
- RAM: 4 GB or greater
- Storage OS: 40 GB or greater
- Connection: Gigabit Ethernet
Software Requirements
Depending on the credential that you are using it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Additionally, for versions before 6.0, Microsoft .NET Framework 4.7.2 should be installed on any host where vSEC:CMS components are installed. From version 6.0 and above Microsoft .NET Framework 4.8 should be installed.
You can validate what version of Microsoft .NET Framework is installed on your host by running the Powershell command below to see the full version information:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version
vSEC:CMS caches data in this location %userprofile%\AppData\Local\Versasec, both on client and server. Putting a virus scanner exclusion on this folder can be beneficial, especially in larger deployments, for performance purposes.
Supported Credentials
For the complete list of supported credentials, please refer to this link.
PKI Support
It's possible to utilize a variety of PKI providers with vSEC:CMS. For a complete list of supported PKI providers, please refer to our product flyer available here.
For information on whether vSEC:CMS covers your CA-specific workflows, please contact Versasec at info@versasec.com.