vSEC:CLOUD

Anthony - Versasec Support

Introduction

vSEC:CLOUD is, as the name suggests, a cloud service of our credential management software. It is fully subscription-based and deployed in a virtual private cloud, and Versasec manages server hosting and upgrades for customers of all sizes.

We use industry-standard best practice architecture to host and manage your credential system in a virtual private cloud. Each customer's environment is separated from other customers', and customers connect to their own environment through a site-to-site VPN. Using Microsoft Azure for hosting, Versasec completely manages the VM server where your vSEC:CMS services run.

[Figure: vSEC:CLOUD architecture]

The connections and settings are the same for the end customer as for an on-premises deployment. They connect to vSEC:CMS with the vSEC:CMS Admin application to configure their specific settings. Then, using vSEC:CMS Agent and vSEC:CMS User, they can provision and manage their credentials.

[Figure: vSEC:CLOUD connections]

Setup and Configure

When you become a vSEC:CLOUD customer, you will receive a URL that should be used to connect to your private cloud VM instance of vSEC:CMS. Follow the instructions in this section to set up and configure your environment to be able to use vSEC:CLOUD. This article will describe the following:

  • How to install and configure vSEC:CMS Admin application to connect to vSEC:CLOUD.
  • How to configure a connection to your on-premises AD directory for user provisioning.
  • How to configure a connection to your on-premises CA for user provisioning.
  • How to issue a credential to a user with a Windows logon credential from the vSEC:CMS Admin Application.

Pre-requisites

The following will need to be available:

  • A site-to-site VPN already configured and operational from on-premises to vSEC:CLOUD.
  • URLs already provided by Versasec for your connection to vSEC:CLOUD for the vSEC:CMS Admin, Agent Application, and User Application.

Hardware Requirements

On the hosts where you run vSEC:CMS components we recommend the following:

  • Processor: Intel i5 with 2 GHz or faster
  • RAM: 8 GB or greater
  • Storage OS: 40 GB or greater
  • Connection: Gigabit Ethernet

Software Requirements

On the hosts where you run vSEC:CMS components the following software components should be installed:

  • Microsoft .NET Framework 4.8.
  • The latest credential drivers for the supported credential that you will manage with vSEC:CLOUD.

Install vSEC:CMS Admin Application

You should have already downloaded the latest version of vSEC:CMS from our downloads page.

Follow the instructions in the article Install Admin Application and use the URL already provided by Versasec to connect to your vSEC:CMS instance. You are free to use either SOAP or gRPC as the connection protocol, but we recommend gRPC as it is the more efficient protocol.

After starting the vSEC:CMS Admin application from your desktop for the first time you will be asked to enter the URL. Enter the URLs provided and for protocol select Prefer gRPC. Click Test to ensure connectivity and click OK.


First Time Startup

When you log into the vSEC:CMS Admin Application for the first time you will receive a message dialog prompting you to create a passcode as no passcode has been set.

It is important to set one up at this stage to protect access even in this evaluation phase. Select Yes and create a passcode.

Creation of System Owner Hardware Credential

The evaluation version does not require you to create a System Owner (SO) credential. However, we strongly recommend creating the System Owner credential now, since it is a mandatory step when migrating to the Production license version. Any of the vSEC:CMS-supported hardware credentials can be used for this step.

Important
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
If you are connecting to a host where the vSEC:CMS Admin application is running via RDP then it will be required that USB redirection is allowed such that the locally connected smart card that is to be used as SO is available to the host.
Once you create the SO credential, and presuming it is used when upgrading to a production system, it will only be possible to reset the credential to its factory settings if the credential vendor provides tools to reset their credential. Some credential vendors do not provide such tools, therefore in that case once the SO credential is created it will not be possible to reset it to its default factory state. However, if you are still in evaluation mode and you wish to start from scratch, then you can restore the SO credential to its default state. Navigate to Options - Operators and select the System Owner in the table and click the Delete button to restore it to its default factory state.
Ensure that a credential configuration exists for the credential that you are going to use here. See the article Add Credential Configuration before starting below.

From the File menu select Add System Owner Card. With a supported credential connected to your host you should select the credential from the reader list.

Note
If you are using a PIV-supported credential then it will be necessary to register the credential before it can be issued as an SO credential. You need to click the link to register the credential as in the example below before you can complete the other steps described below.

Click the Random button to allow vSEC:CMS to generate a random unblock key and click the Copy button. You should save this information to a secure location as this may be needed in the future if you need to unblock the credential. Enter a PIN and confirm. Uncheck the Activate production license or subscription checkbox as you are still using the evaluation version and click the Add button. Below is an example of how the setting would look.

Once complete a summary dialog will appear describing what steps were performed. The credential will then be managed by vSEC:CMS. If you wish to revert to using passcode only to access the vSEC:CMS then from the Options - Operators select the System Owner in the table and click the Delete button to revert to passcode only.

Important
Once you create the SO you should issue at minimum one Operator Credential (OC) with a role of System Administrator. Please refer to the article Manage Operator Credential for details on this.

Setup Connectors to On-Prem AD and CA

This section will describe how you can configure connections to your AD and CA so they can be used later in the card template configuration.

Setup AD Connection

Navigate to Options - Connections and click the Add button. Select Active Directory and click OK.

Enter a template name and input the details specific to your on-premises environment regarding the AD and account you will connect with. Below is an example of what you need to input, where:

  • <ON-Prem-AD> is the name (hostname or IP address) of your AD server.
  • <ON-Prem-Domain> is the domain name for your environment.
  • <Windows-Account> is the Windows account name that you will connect with.
  • Password is the Windows account password that you are connecting with.

Click the Test button to ensure connectivity. If the connection is communicating with your AD, you should be able to search for users from your AD.

Important
vSEC:CMS will only read from AD.


Setup CA Connection

Navigate to Options - Connections and click the Add button. Select Certificate Authorities and click OK.

Enter a template name and click Select CA. Select the Use specific server option and enter your DC server details which contain the details about your CA into the Server field. Additionally, you will need to provide a Windows account to connect to the CA. For example, if your domain name is my-domain and the Windows account name is my-windows-account then enter my-domain\my-windows-account into the Windows logon name field and the associated password for this account into the Password field. Click OK to save and close.

Note
The Windows account used here will need to have the appropriate permissions on the CA to be able to connect to, enroll, and revoke on the CA.


In the Enrollment Agent section enable the Sign server side check box, and enable the Disable retrieving renewed certificates before revocation check box. Click the Request button to issue an Enrollment Agent (EA) certificate to the Windows account that was used when configuring the connection to the CA above. This certificate is stored in the Windows certificate store of the local SYSTEM account on the server where the vSEC:CMS server is running. Click Save to save and close the configuration.

Note
You will need to make sure that the EA template on the CA is configured correctly. Refer to the Configure Active Directory Certificate Services article for details on how this can be configured.
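The pre-requisites above (site-to-site VPN, .NET Framework 4.8) and the AD and CA connections just configured can be checked from the vSEC:CMS Admin host before you click Test in the dialogs. The following PowerShell pre-flight script is an added example, not part of this article or of vSEC:CMS; the vSEC:CLOUD URL, AD host, domain and account are placeholders for the values Versasec and your AD team provide, and the LDAP path and the CA config string format (host\CA name) are assumptions.

```powershell
# Added pre-flight check (not Versasec's code). All default values are placeholders.
param(
    [string]$CloudUrl = 'https://vsec-cloud.example.invalid',  # URL provided by Versasec
    [string]$AdServer = 'ON-Prem-AD',        # <ON-Prem-AD> from the AD connection dialog
    [string]$Domain   = 'ON-Prem-Domain',    # <ON-Prem-Domain>
    [string]$Account  = 'Windows-Account',   # <Windows-Account>
    [string]$CaConfig = 'CA-HOST\CA-NAME'    # assumed "host\CA common name" config string
)

# 1. .NET Framework 4.8 is present when the NDP v4 Full "Release" value is 528040 or higher.
function Test-DotNet48 {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    return ($release -ge 528040)
}

# 2. Site-to-site VPN path: TCP reachability of the vSEC:CLOUD host over the tunnel.
function Test-CloudEndpoint([string]$Url) {
    $u = [uri]$Url   # $u.Port falls back to 443 for https when no port is given
    return (Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet)
}

# 3. AD connection: bind as the service account and run a read-only user search,
#    which is all vSEC:CMS needs because it only reads from AD.
function Test-AdBind([string]$Server, [string]$Domain, [string]$Account, [pscredential]$Cred) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server", "$Domain\$Account", $Cred.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SizeLimit = 1
    return ($null -ne $searcher.FindOne())
}

# 4. CA connection: certutil -ping contacts the CA's RPC interface as the calling user.
function Test-CaPing([string]$Config) {
    & certutil.exe -config $Config -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$cred = Get-Credential -UserName "$Domain\$Account" -Message 'AD/CA service account password'
[pscustomobject]@{
    DotNet48       = Test-DotNet48
    CloudReachable = Test-CloudEndpoint $CloudUrl
    AdReadBind     = Test-AdBind $AdServer $Domain $Account $cred
    CaPing         = Test-CaPing $CaConfig
} | Format-List
```

Note that certutil -ping runs under the interactive user, not the service account entered in the CA dialog, so run the script as that account (or use runas) to check the same permissions vSEC:CMS will use.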


Configure Credential Template

1. From Templates - Card Templates click the Add button.

Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS select Minidriver (Generic minidriver card) for Card type. Leave all other settings as default and click OK to close and save.

2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection configured earlier from the drop-down list. In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click the Add button. Select a Windows logon certificate template and click OK. Leave all other settings as they are, scroll down to the bottom of the dialog and click OK to save and close.

3. Click OK to save and close the template configuration dialog.

Issue Credential

From the Lifecycle page attach a blank credential to your host. If it is a credential that is supported by vSEC:CMS you should see the reader and the credential similar to below.

Important
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.

Click the Issued oval, select the template from the Select card template drop-down list and click Execute.

You will be prompted to enter your System Owner passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a summary dialog of what operations were performed.

The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential.

Once you complete this then the credential can be used to log onto your domain environment.