Introduction
This article describes how to configure vSEC:CMS to support lifecycle management of Thales IDPrime MD 840/940 (or 3840/3940 where the dual-interface variant is used) credentials. The article covers the following:
- Set up a template that allows you to create and issue a Windows logon certificate to an IDPrime MD 840/940 credential from the vSEC:CMS console application;
- Issue a Windows logon certificate to the credential;
- Log onto a Windows client using the issued credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
At a minimum, you must already have completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document apply whether you are running the evaluation version or a production version.
The appropriate credential drivers (minidriver) must be installed on your host. Check with the credential provider that you have the correct drivers installed.
If you need to issue certificates with 4096-bit keys and/or ECC certificates, see the section Configure Template with 4096 Key Size or ECC Certificates below.
Configure Smart Card Access
Typically the smart card access is already set to the correct type but for completeness we will cover this in the article.
From Options - Smart Card Access attach an IDPrime MD 840/940 credential that you will manage with the vSEC:CMS. The vSEC:CMS will filter the card type and present the entry in the table.
Click the Edit button and for Smart Card Access make sure that Use minidriver if possible is selected. For Default OTP PIN enter 22222222 (the digit 2 eight times) and for Default PUC enter 000000 (the digit 0 six times). Click Save to save and close.
If the table is empty when you attach the credential to filter for the card type then you should follow the instructions in the article Add Credential Configuration for details on how to add the correct template for the card type that you use.
Credential Configuration
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name and attach an IDPrime MD 840/940 credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect that it is an IDPrime MD credential and click Ok.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.
In this example we will create and apply a PIN policy which is set on the credential during issuance. In the Card PIN Options section click the Manage button and then Add. Enter a template name and for Smart Card PIN select Primary card PIN. Leave all other settings as they are. The specific PIN policy settings are described in the section 840/940 PIN Policy Details at the bottom of this article.
In the Enroll Certificate Options section enable the Enroll certificate(s) check box and click the Add button. Select the Windows logon certificate template created earlier and for Card key container select Sign & Decrypt RSA 1024/2048. Click Ok to save and close.
Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template.
Issue Credential
From the Lifecycle page attach a blank IDPrime MD 840/940 credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential now shows as Issued, but its PIN is blocked by default, so a PIN must be set before the credential can be used. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then to set a PIN that meets the PIN policy set on the card. Because the credential supports two PINs, a second PIN must also be set for the qualified Digital signature PIN, even though this PIN is not typically used.
Once you complete this then the credential can be used to log onto your domain environment.
Configure Template with 4096 Key Size or ECC Certificates
The IDPrime MD 940 range of credentials supports RSA keys of 4096 bits and Elliptic Curve Cryptography (ECC) certificates. This section describes how to configure a vSEC:CMS template to use these.
It is expected that the certificate template on the CA has already been configured for the key size or algorithm you intend to use.
It is recommended to create a new card template for this case.
Credential Configuration
1. From Templates – Card Templates click the Add button.
Click the Edit link beside General. Enter a template name and attach an IDPrime MD 940 credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect that it is an IDPrime MD credential and click Ok.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.
In the Enroll Certificate Options section enable the Enroll certificate(s) check box and click the Add button. Select the Windows logon certificate template created earlier and for the Card key container select Sign & Decrypt RSA 1024/2048/4096. Click Ok to save and close.
Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template.
You can then issue the credential from the Lifecycle page as you would any other credential.
840/940 PIN Policy Details
This section will describe in detail the different settings that can be applied as PIN policy when issuing an 840/940 credential.
The Smart Card PIN drop-down box has 3 options because these credentials have 3 different types of PIN. Depending on how you plan to use the credentials, configure each of them to your needs. Refer to the hardware credential provider documentation for details on what the different PIN types mean and how they can be used.
Enable Linked mode to ensure that the Primary card PIN, Qualified signature PIN and OTP-PIN (If available) will be handled the same way. This means that vSEC:CMS ensures that the PIN policy is the same for all as well as the PIN value when the user is changing and/or unblocking a PIN or vSEC:CMS is setting a PIN at card initiate. This is a very specific use case which is not normally used.
Enabling the Adjacent positions allowed check box permits a PIN in which the same character occurs in adjacent positions. The Allowed repetitions field sets how many adjacent positions the same character may occupy. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values, while 11111c and aaaaa1 are not.
The value set here cannot exceed the Max appearance value described below.
Max appearance sets the maximum number of times any single character may appear anywhere in the PIN; the limit applies to every character rather than to a specific one. For example, if Max appearance is set to 2 then 0001 is not allowed, whereas 0011 is allowed.
Max length of sequence sets the longest run of sequential characters (1, 2, 3, 4, 5, 6... or a, b, c, d...) that a PIN may contain. For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values, while 12345c and abcde1 are not.
Max repeated characters sets how many different characters may each occur more than once in the PIN. For example, if this value is set to 1 then one character (any character) may be repeated, but a second distinct character may not.
For PIN length, Min sets the minimum and Max the maximum length the credential PIN may have when the user sets their PIN.
The Max PIN length supported for this card cannot be greater than 16.
Enable the Character set restrictions check box to configure which character classes may or must be used when setting a PIN. If this check box is not enabled, all characters are allowed.
When Character set restrictions is enabled, each character class can be set to Allowed, Mandatory or both. If Alphabetic uppercase is mandatory the PIN must contain an upper-case character; if Alphabetic lowercase is mandatory the PIN must contain a lower-case character. If None alphabetic is mandatory the PIN must contain a character that is neither numeric nor alphabetic, for example any of !"£$%^&*(). If None Ascii is mandatory the PIN must contain a non-ASCII character.
The Disable unblock check box configures the policy so that if a user blocks their PIN it cannot be unblocked with either the administration key or the PUC.
Disable change disables PIN change on the card, i.e. the policy does not allow the user to change the PIN.
Enable the Unblock using admin check box to allow the smart card PIN to be unblocked with the administration key set on the credential.
The Support SSO check box configures the PIN policy, if enabled, to support the feature whereby a user needs to enter their PIN once only during a session as long as the credential is not removed.
The New PIN must differ checkbox configures the PIN policy, if enabled, to ensure that the new PIN entered is not the same as the previous PIN set on the credential.
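To make the rules above concrete, the following Python checker is added here as an illustration; it is not vSEC:CMS or Thales code, and the real policy is written to the IDPrime MD credential at issuance and enforced by the card itself. The field names mirror the dialog, the treatment of 0 as "not set", the default minimum length of 4, counting a sequence in either direction, and classifying a non-ASCII character before any other class are all assumptions made for the example. The sample PINs are the article's own (1111c1, 0001, 1234c5, abcd1e and their rejected counterparts) plus a few constructed ones for the character set and new-PIN-must-differ checks.

```python
"""Offline checker modelling the PIN policy fields described above (added illustration,
not vSEC:CMS or Thales code; the real policy is written to the IDPrime MD credential at
issuance and enforced by the card). Assumed: a limit of 0 means the field is not set."""
from dataclasses import dataclass, field

CARD_MAX_PIN_LENGTH = 16  # article: the Max PIN length for this card cannot exceed 16

@dataclass
class PinPolicy:
    min_length: int = 4               # assumed default for the example
    max_length: int = 16
    adjacent_allowed: bool = True     # "Adjacent positions allowed"
    allowed_repetitions: int = 0      # "Allowed repetitions"
    max_appearance: int = 0           # "Max appearance"
    max_sequence_length: int = 0      # "Max length of sequence"
    max_repeated_characters: int = 0  # "Max repeated characters"
    charset_restrictions: bool = False
    allowed: set = field(default_factory=set)    # classes permitted in a PIN
    mandatory: set = field(default_factory=set)  # classes that must appear
    new_pin_must_differ: bool = True

    def __post_init__(self):
        # Constraints the dialog places on the policy values themselves.
        if not 0 < self.min_length <= self.max_length <= CARD_MAX_PIN_LENGTH:
            raise ValueError(f"PIN length limits must lie within 1..{CARD_MAX_PIN_LENGTH}")
        if self.max_appearance and self.allowed_repetitions > self.max_appearance:
            raise ValueError("Allowed repetitions cannot exceed Max appearance")

def policy_accepted(**fields):
    """True if PinPolicy accepts these field values, False if it rejects them."""
    try:
        PinPolicy(**fields)
        return True
    except ValueError:
        return False

def char_class(c):
    """Map one PIN character to its policy class; non-ASCII is checked first (assumption)."""
    if not c.isascii():
        return "non_ascii"
    return "numeric" if c.isdigit() else "upper" if c.isupper() else "lower" if c.islower() else "non_alphabetic"

def longest_adjacent_run(pin):
    """Longest run of one character in adjacent positions: '1111c1' -> 4."""
    best = run = 1 if pin else 0
    for a, b in zip(pin, pin[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def longest_sequence(pin):
    """Longest run of consecutive code points, ascending or descending (assumption): '1234c5' -> 4."""
    best = run = 1 if pin else 0
    direction = 0
    for a, b in zip(pin, pin[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best

def check_pin(pin, policy, previous_pin=None):
    """Return the list of violations for pin; an empty list means the PIN is acceptable."""
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(f"length must be {policy.min_length}-{policy.max_length}")
    run = longest_adjacent_run(pin)
    if not policy.adjacent_allowed and run > 1:
        problems.append("adjacent repeated characters are not allowed")
    elif policy.allowed_repetitions and run > policy.allowed_repetitions:
        problems.append(f"a character repeats {run} times in a row (max {policy.allowed_repetitions})")
    if policy.max_appearance and max((pin.count(c) for c in pin), default=0) > policy.max_appearance:
        problems.append(f"a character appears more than {policy.max_appearance} times")
    if policy.max_sequence_length and longest_sequence(pin) > policy.max_sequence_length:
        problems.append(f"sequence longer than {policy.max_sequence_length} characters")
    if policy.max_repeated_characters and sum(pin.count(c) > 1 for c in set(pin)) > policy.max_repeated_characters:
        problems.append(f"more than {policy.max_repeated_characters} different characters repeat")
    if policy.charset_restrictions:
        present = {char_class(c) for c in pin}
        permitted = policy.allowed | policy.mandatory
        if not present <= permitted:
            problems.append(f"disallowed character class: {sorted(present - permitted)}")
        if not policy.mandatory <= present:
            problems.append(f"missing mandatory class: {sorted(policy.mandatory - present)}")
    if policy.new_pin_must_differ and previous_pin is not None and pin == previous_pin:
        problems.append("new PIN must differ from the previous PIN")
    return problems

if __name__ == "__main__":
    # Constructed policy: Allowed repetitions 4, Max appearance 5, Max length of sequence 4
    policy = PinPolicy(min_length=6, allowed_repetitions=4, max_appearance=5, max_sequence_length=4)
    for candidate in ("1111c1", "11111c", "1234c5", "12345c"):
        print(candidate, check_pin(candidate, policy) or "OK")
```

Note that the article's examples only work together if the limits are consistent: 1111c1 contains five 1s, so a policy that allows four adjacent repetitions must also allow at least five appearances, which is exactly the "Allowed repetitions cannot exceed Max appearance" constraint the dialog enforces and the checker reproduces in PinPolicy.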
The Secure PIN input is a feature introduced in Windows 7 for the user to securely enter their credential PIN.
From the drop-down list for Purpose the options are Authentication PIN, Digital Signature PIN, Encryption PIN, Non Repudiation PIN and Administrator. Depending on the private key operation, Windows or the application using the credential presents the matching PIN dialog, for example requesting the authentication PIN when the user performs Windows logon. For the Primary card PIN selected in the Smart Card PIN drop-down, this would normally be Authentication PIN.
From the drop-down list for PIN Type a number of options are available. These are:
Regular PIN: the normal alpha/numeric PIN set for private key operations.
External PIN (Bio or Pinpad): the PIN is provided as a fingerprint or via an external PIN pad reader.
Challenge/Response PIN: the PIN will be provided as a challenge/response to authenticate the user.
No PIN: no PIN entry will be required.
The External PIN flags drop-down list provides options for PIN pad readers. Leave it at No flag if a PIN pad reader is not used, or if no specific flags are needed when one is used. No regular fallback means the credential cannot be used for Windows logon unless the card reader is a PIN pad reader. No auto PIN pad allows the credential to be used for Windows logon with a PIN pad reader while the PIN type set on the credential is Regular PIN. No regular fallback + No auto PIN pad applies both conditions. These settings are specific to Thales IDPrime MD cards; consult your Thales provider if further details are required.
From the drop-down list for Cache a number of options are available:
Normal: normal cache behaviour in the CSP.
Timed: time based cache in CSP. The validity is set as a parameter in milliseconds.
Not cached: no cache for the user credential in CSP.
Always prompt: always prompt the user for their credential PIN.
Enable Update AD password when changing card PIN if the PIN is to be synchronized with the credential holder's AD password. See the article Synchronize Credential PIN with Active Directory Password for details on how this feature can be used.
Enable Server managed PIN policy if it is required to have PIN management tasks managed and triggered from the server-side. See the article Server Managed PIN Policy for more details on how this feature can be used.