Introduction
To access the vSEC:CMS Admin or Agent Application consoles, possessing an Operator Credential (OC) is essential. This article outlines various scenarios for issuing and managing OCs within vSEC:CMS.
Use Cases Overview
This article covers the following use cases:
- Creating and issuing the 1st administrator role OC.
- Issuing additional OC centrally.
- Issuing additional OC via vSEC:CMS User Self-Service (USS).
- Miscellaneous OC use cases.
Make sure to install the correct credential drivers on your host as recommended by the credential provider.
Prerequisites:
- Complete the System Owner Hardware Credential setup as outlined in the Setup Evaluation Version article.
- Confirm the existence of a credential configuration for the credential you intend to use. Refer to the Add Credential Configuration article before proceeding.
Creating and Issuing the 1st Administrator Role OC
It is recommended to issue at least one OC with a System Administrator role and store the System Owner (SO) credential in a secure location.
Create OC Template:
- Log in to the console with the System Owner (SO) credential.
- Navigate to Templates > Card Templates and click Add.
- Click the Edit link beside General to configure general options.
- Attach the credential that is to become the OC, enter a template name, then click Detect so that vSEC:CMS identifies the attached credential.
- After identifying the credential type, click OK to close the dialog.
- Tick the vSEC:CMS Operator Card checkbox and choose Authentication Only Operator Card from the drop-down menu.
- Leave all other settings as default and click OK to close and save.
- From Template Details, scroll to the Issue Card section and click Edit.
- In the User ID Options section, enable Assign User ID and select the Active Directory connection from the drop-down list.
- To enable the OC to be used for PC login, go to the Enroll Certificate Options section and enable the Enroll certificate(s) checkbox.
- Then click Add, select a Smartcard Logon template, and click OK.
- Scroll down to the bottom of the dialog and click OK to save and close, keeping all other settings unchanged.
- Finally, click OK to save and close the template.
Issue OC
From the Lifecycle page, attach the credential that is to be used as the OC and click the Issued oval. Select the credential template from the drop-down list and click Execute.
You will be prompted to enter your System Owner (SO) PIN before issuance begins. You will then be prompted to select the AD user to whom the OC will be issued.
After selecting the user, you will be prompted to choose the roles to assign to the OC. Select all roles under Selected Role(s) and click Select to continue.
Only issuing operators who themselves hold the System Administrator role are offered the option to grant the System Administrator role in this role-assignment dialog.
At the end of the process a short summary dialog lists the operations that were performed.
The OC will now show as Issued. By default the credential PIN is blocked, so you must set a PIN before the credential can be used. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then to set a PIN that meets the policy supported by the credential.
Once this is complete, the OC can be used to log onto the vSEC:CMS console and perform all System Administrator functions in the system. It is recommended to securely lock away the SO credential at this point and use it only for emergency scenarios.
Issue Additional OC Centrally
An OC should be issued to any person who will perform administration / configuration functions or common daily tasks such as credential issuance / renewal or credential reset / unblock. You can define what functions or roles the OC is allowed to perform to a very granular level. See the articles Operator Roles and Role Configuration for details on this.
In this section we will use the default role configuration for Restricted and demonstrate how you can configure an OC template for this and issue it centrally.
Create OC Template
Ensure that a credential configuration exists for the credential that you are going to use here. See the article Add Credential Configuration before starting below.
1. Log onto the console with an OC whose role allows the creation of credential templates and issuance. Navigate to Templates > Card Templates and click the Add button.
Click the Edit link beside General. Enter a template name, attach the credential that is to be issued as the OC, click the Detect button, wait for vSEC:CMS to detect the credential type, and click Ok.
Enable the vSEC:CMS Operator Card checkbox and select Authentication Only Operator Card from the drop-down list.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section, enable Assign user ID and select the AD connection from the drop-down list.
Optionally, you can enrol a certificate on the credential during issuance, for example so that the operator can also use the OC to log onto their PC. In that case, in the Enroll Certificate Options section enable the Enroll certificate(s) checkbox, click the Add button, select a Windows logon certificate template and click Ok.
Leave all other settings as they are, scroll to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template.
Issue OC
From the Lifecycle page, attach the credential that is to be used as the OC and click the Issued oval. Select the credential template from the drop-down list and click Execute.
You will be prompted to enter your OC PIN before issuance begins. You will then be prompted to select the AD user to whom the new OC will be issued.
After selecting the user, you will be prompted to choose the roles to assign to the OC. Select the Restricted role under Selected Role(s) and click Select to continue.
At the end of the process a short summary dialog lists the operations that were performed.
The OC will now show as Issued. By default the credential PIN is blocked, so you must set a PIN before the credential can be used. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then to set a PIN that meets the policy supported by the credential.
Once this is complete, the OC can be used to log onto the vSEC:CMS console and perform all functions configured for the Restricted role.
Issue Additional OC via USS
The guidance on who should receive an OC, and the Operator Roles and Role Configuration articles, apply here exactly as in the previous section. This section again uses the default role configuration for Restricted, but shows how to configure an OC template so that the OC is issued by the user themselves via vSEC:CMS User Self-Service (USS).
Create OC Template
Ensure that a credential configuration exists for the credential that you are going to use here. See the article Add Credential Configuration before starting below.
1. Log onto the console with an OC whose role allows the creation of credential templates and issuance. Navigate to Templates > Card Templates and click the Add button.
Click the Edit link beside General. Enter a template name, attach the credential that is to be issued as the OC, click the Detect button, wait for vSEC:CMS to detect the credential type, and click Ok.
Click the Manage button beside Self-service using the following template, then click the Add button. Enter a template name and enable the Self-issuance enabled and Retire card enabled checkboxes. From the User Authentication for PIN Unblock drop-down list select Use windows credentials to authenticate user. Leave all other settings as they are and click the Save button to save and close.
Click Close. Back in the main General dialog, enable Self-service using the following template and select the template just created from the drop-down list. Leave all other settings as they are and click Ok to save and close the dialog.
Enable the vSEC:CMS Operator Card checkbox and select Authentication Only Operator Card from the drop-down list.
Click the Roles button, enable Automatically set selected role(s) during issuance and select Restricted. Click Ok to save and close.
Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. Select the Automatically initiate cards after issuance checkbox and the Issue by user(s) radio button. Click the Configure button in the User ID Options section. From the User ID drop-down list select the AD connection already configured, and from the Authenticate user using drop-down list select Supplied domain credentials. Click Ok to save and close.
If you plan to issue a certificate to the OC, in the Enroll Certificate Options section enable the Enroll certificate(s) checkbox, click the Add button and select the certificate template you want to issue to the OC. In this example a Windows logon certificate template is issued; select it and click Ok. Leave all other settings as they are, scroll to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template configuration dialog.
Issue OC
On a client machine it is necessary to install the vSEC:CMS User Self-Service (USS) application. Use the vSEC:CMS Client MSI to install this component. It is recommended to install the USS silently, because the URL of the backend vSEC:CMS server that the USS must communicate with can then be passed in on the command line. This removes the need to configure the USS backend connection manually afterwards.
Open a command window as administrator, change to the folder containing the MSI installer, and run a command similar to the one below:
msiexec /i "vSEC_CMS Client 64bit.msi" /quiet ADDLOCAL=USS USSGRPC="https://2016-server:8445" USSPCL=4
Here USSGRPC points to the backend gRPC service on the host where vSEC:CMS is installed, and USSPCL=4 configures the USS client to use gRPC.
The client host will reboot automatically when the above command runs, so save any work in progress before performing this task.
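The following PowerShell wrapper is an added example, not part of the vendor article: it runs the same silent USS install but first checks that the session is elevated, that the MSI exists and carries a valid Authenticode signature (an assumption about the vendor package; drop that check if your MSI is unsigned), and that USSGRPC is an https:// endpoint, then records a verbose msiexec log and interprets the exit code. The default paths, log location and parameter names other than ADDLOCAL, USSGRPC and USSPCL are assumptions.

```powershell
# Added example (not vendor code). Wraps the silent USS install from the article.
param(
    [string]$MsiPath    = ".\vSEC_CMS Client 64bit.msi",   # installer name from the article
    [string]$BackendUrl = "https://2016-server:8445",      # USSGRPC value from the article
    [string]$LogPath    = "$env:TEMP\uss-install.log"      # assumed log location
)

# msiexec needs an elevated session for a per-machine install.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Only accept an https://host[:port] endpoint: the USS talks to the backend over gRPC
# and the article's example uses TLS; a plain http:// URL would expose that channel.
if ($BackendUrl -notmatch '^https://[^/\s]+(:\d+)?$') {
    throw "USSGRPC must be an https://host[:port] URL, got: $BackendUrl"
}

# Refuse to run an installer with admin rights unless its Authenticode signature is valid
# (assumes the vendor MSI is signed).
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: MSI signature status is '$($sig.Status)'."
}

# Same feature and property set as the article's command, plus a verbose log.
# ADDLOCAL=USS installs only the self-service component; USSPCL=4 selects gRPC.
$arguments = @(
    '/i', "`"$MsiPath`"",
    '/quiet',
    '/l*v', "`"$LogPath`"",
    'ADDLOCAL=USS',
    "USSGRPC=`"$BackendUrl`"",
    'USSPCL=4'
)
Write-Host "Installing USS; the host reboots automatically when msiexec finishes."
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru

# Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot required,
# 1641 = success, reboot initiated by the installer.
switch ($proc.ExitCode) {
    0       { Write-Host "Install succeeded (log: $LogPath)" }
    3010    { Write-Host "Install succeeded, reboot required (log: $LogPath)" }
    1641    { Write-Host "Install succeeded, installer initiated a reboot (log: $LogPath)" }
    default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
}
```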
Important: Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Start My Smartcard from the shortcut icon on the client desktop and go to the My Profile page. With the credential that is to be issued attached, select the template and click the Issue button.
Enter the domain credentials of the user to authenticate.
At the end of the process you will be prompted to enter a PIN for the credential to complete the flow.
Once you complete this then the credential can be used to log into the Operator console and your domain environment.
Miscellaneous OC Use Cases
This section will describe other important use cases/information that you should be aware of.
Removing OC
OCs need to be removed from vSEC:CMS when people leave or no longer work on your vSEC:CMS system. Only remove an OC through the mechanisms below, which remove the OC from the system completely:
- If you have physical possession of the OC then from Lifecycle you should Revoke - Retire - Unregister the OC;
- If you don’t have physical possession of the OC then from Lifecycle you should Search for the OC account and Revoke - Delete the OC. This would normally be done when the OC is reported as lost or damaged.
Operator Table
Options - Operators lists all OCs in the system. This section describes the important details of this table.
Table Column Names
ID
This is the internal vSEC:CMS identifier for the OC record.
Name
This is the name assigned to the OC, normally this is the display name for the user.
Role(s)
These will be the role(s) that the OC has been assigned.
CSN
This is the hardware credential unique serial number.
Type
This is the type of OC, normally Authentication Only.
Register at
This is the timestamp of when the OC was issued.
Last logon at
This is the timestamp of when the OC last logged onto the Admin or Agent console.
Last Dynamic Role(s)
This is the last dynamic role(s) assigned to the OC if the role(s) are assigned by AD Group membership (see the article Configure Operator Roles using AD Groups for more information).
Button Options
Update Keys
It is possible to update vSEC:CMS with the authentication key(s) used to authenticate an OC when it logs into the console. If an authentication key is no longer available for some reason, a new one can be added. Log onto the console with a functioning OC and click the Update keys button. Attach the OC that needs a new authentication key, select it from the reader drop-down list and follow the on-screen prompts to complete the process.
Add service key store
From the Add service key store dialog, the operator service wizard sets up the operator service key store (OSKS). The OSKS is an always-online OC that can perform administration operations on managed credentials. For best security practice it is recommended to use an HSM in conjunction with the OSKS.
Details
Select an OC and click the Details button to retrieve more information about the OC selected.
The Name field is the name of who the OC is assigned to.
The Created field is the time and date that the OC was created on the system.
The CSN is the card serial number for the OC.
The Reader is the reader name that the OC is attached to.
The Status is the current status for the OC.
Additional information is provided in the window below the fields already described.
Activate
Select an OC from the table and click the Activate button to activate an OC that has been inactivated.
Inactivate
Select an OC from the table and click the Inactivate button to inactivate an OC if it is required.
Edit
The Edit dialog allows operators with the appropriate permissions to add or remove roles for an OC. Select an OC from the table and click the Edit button to adjust the role permissions of the selected OC.
Add
Click Add to add an OC to the system. The OC that you wish to add needs to be already issued in vSEC:CMS.
Delete
This option will only be available when in the Evaluation Version. This will allow you to remove the assigned SO credential from the system and return it to its default factory state. For example, you may want to completely reset your evaluation system and therefore want to get back all hardware credentials used so they can be reused.
All other OC issued in the system will need to be unregistered in the system before you will be allowed to delete the SO credential. You should navigate to the Lifecycle page and Revoke - Retire - Unregister any additional OCs issued in the system.
Copy
Click the Copy button to copy the contents of the table which can then be pasted into a text editor if required.