Introduction
vSEC:CLOUD is, as the name suggests, a cloud service of our credential management software. Fully subscription based and deployed in a virtual private cloud, Versasec will manage server hosting and upgrades for customers of all sizes.
We use industry standard best practice architecture to host and manage your credential system in a virtual private cloud. Each customer's environment is separated from those of other customers, and customers connect to their environment by site-to-site VPN. Using Microsoft Azure for hosting, Versasec will completely manage the VM server where your vSEC:CMS services run.
The connections and settings will be the same for the end customer. They will connect to the vSEC:CMS using vSEC:CMS Admin application to configure their specific settings. Then using vSEC:CMS Agent and vSEC:CMS User they can provision and manage their credentials.
Setup and Configure
When you are set up as a vSEC:CLOUD customer you will receive a URL that should be used to connect to your private cloud VM instance of vSEC:CMS. Follow the instructions in this section to set up and configure your environment to be able to use vSEC:CLOUD. In this article we will describe the following:
- How to install and configure vSEC:CMS Admin application to connect to vSEC:CLOUD;
- How to configure a connection to your on-prem AD directory for user provisioning;
- How to configure a connection to your on-prem CA for user provisioning;
- How to issue a credential to a user with a Windows logon credential from the vSEC:CMS Admin.
Pre-requisites
The following will need to be available:
- A site-to-site VPN already set up and operational from your on-prem environment to vSEC:CLOUD;
- URLs already provided by Versasec for your connection to vSEC:CLOUD for the vSEC:CMS Admin and Agent applications and vSEC:User applications.
Hardware Requirements
On the hosts where you run vSEC:CMS components we recommend the following:
- At minimum 2 Intel i7 processors with 3.6 GHz or faster
- Memory 8 GB or greater;
- Gigabit LAN (1000 Mbit/s).
Software Requirements
On the hosts where you run vSEC:CMS components the following software components should be installed:
- Microsoft .NET Framework 4.8;
- The latest credential drivers for the supported credential that you will manage with vSEC:CLOUD.
Install vSEC:CMS Admin Application
You should have already downloaded the latest version of vSEC:CMS from our downloads page.
Follow the instructions in the article Install Admin Application and use the URL already provided by Versasec to connect to your vSEC:CMS instance. You are free to use either SOAP or gRPC for the connection protocol but we recommend that you use gRPC as this is a more efficient protocol.
After starting the vSEC:CMS Admin application from your desktop for the first time you will be asked to enter the URL. Enter the URLs provided and for protocol select Prefer gRPC. Click Test buttons to ensure connectivity and click Ok.
First Time Startup
When you log into the vSEC:CMS Admin application for the first time you will receive a message dialog prompting you to create a passcode as no passcode has been set.
It is important to set one up at this stage to protect access even in this evaluation phase. Select Yes and create a passcode.
Creation of System Owner Hardware Credential
It is not mandatory for the evaluation version to create a System Owner (SO) credential. We strongly recommend creating the System Owner credential since it will be a mandatory step to migrate to the Production license version. Any of the vSEC:CMS supported hardware credentials can be used for this step.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
From the File menu select Add System Owner Card. With a supported credential connected to your host you should select the credential from the reader list.
If you are using a PIV supported credential then it will be necessary to register the credential before it can be issued as an SO credential. You need to click the link to register the credential as in the example below before you can complete the other steps described below.
Click the Random button to allow vSEC:CMS to generate a random unblock key and click the Copy button. You should save this information to a secure location as this may be needed in the future if you need to unblock the credential. Enter a PIN and confirm. Uncheck the Activate production license or subscription checkbox as you are still using the evaluation version and click the Add button. Below is an example of how the setting would look.
Once complete, a summary dialog will appear describing what steps were performed. The credential will then be managed by vSEC:CMS. If you wish to revert to passcode-only access to the vSEC:CMS, go to Options - Operators, select the System Owner in the table and click the Delete button.
Once you create the SO you should issue at minimum one Operator Credential (OC) with a role of System Administrator. Please refer to the article Manage Operator Credential for details on this.
Setup Connectors to On-Prem AD and CA
This section will describe how you can configure connection to your AD and CA so they can be used later in the card template configuration.
Setup AD Connection
Navigate to Options - Connections and click the Add button. Select Active Directory and click Ok.
Enter a template name and enter the details specific to your on-prem environment with regards to the AD and account that you will connect with. Below is an example of what you need to enter, where:
- <ON-Prem-AD> is the name (host name or IP address) of your AD server;
- <ON-Prem-Domain> is the domain name for your environment;
- <Windows-Account> is the Windows account name that you will connect with;
- Password is the Windows account password that you are connecting with.
Click the Test button to ensure connectivity. If the connection is communicating with your AD you should be able to search for users from your AD.
vSEC:CMS will only read from AD.
Setup CA Connection
Navigate to Options - Connections and click the Add button. Select Certificate Authorities and click Ok.
Enter a template name and click Select CA. Select the Use specific server option and enter the details of the DC server that holds the information about your CA into the Server field. Additionally you will need to provide a Windows account to connect to the CA with. For example, if your domain name is my-domain and the Windows account name is my-windows-account then enter my-domain\my-windows-account into the Windows logon name field and the associated password for this account into the Password field. Click Ok to save and close.
The Windows account used here will need to have the appropriate permissions on the CA to be able to connect to, enroll and revoke on the CA.
In the Enrollment Agent section enable the Sign server side check box and the Disable retrieving renewed certificates before revocation check box. Click the Request button to issue an Enrollment Agent (EA) certificate to the Windows account that was used when configuring the connection to the CA above. This certificate will be stored in the Windows certificate store of the local SYSTEM account on the server where the vSEC:CMS server is running. Click Save to save and close the configuration.
You will need to make sure that the EA template on the CA is configured correctly. See the section CA Configuration in the article Setup Evaluation Version for details on how this can be configured.
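Before clicking Test in the AD and CA connection dialogs it helps to confirm, from an on-prem host, that the connector account can actually do what the two sections above rely on: reach the AD server over the VPN, bind and search as that account, hold no more privilege than read access needs, and reach a CA on which the EA template is published. The PowerShell script below is an added pre-flight check written for this article, not Versasec code. All server names, the domain, the account name, the certutil CA config string and the EA template name `EnrollmentAgent` are placeholders and assumptions to replace with your own values.

```powershell
<#
  Connector pre-flight check for the vSEC:CLOUD AD and CA connections.
  Added example, not Versasec code. Run on an on-prem Windows host that can
  reach AD and the CA. Every default value below is a placeholder (assumption).
#>
param(
    [string]$AdServer       = "ad01.example.local",                     # <ON-Prem-AD>
    [string]$Domain         = "example.local",                          # <ON-Prem-Domain>
    [string]$ServiceAccount = "svc-vseccms",                            # <Windows-Account>
    [string]$CaConfig       = "ca01.example.local\Example-Issuing-CA",  # certutil "host\CA name" (assumed)
    [string]$EaTemplateName = "EnrollmentAgent"                         # common name of the EA template (assumed)
)

$failures = @()

# 1. Network reachability over the site-to-site VPN: LDAP (389) and LDAPS (636).
foreach ($port in 389, 636) {
    $tnc = Test-NetConnection -ComputerName $AdServer -Port $port -WarningAction SilentlyContinue
    if ($tnc.TcpTestSucceeded) { "AD port $port on $AdServer reachable" }
    else { $failures += "AD port $port on $AdServer not reachable" }
}

# 2. Bind and search as the connector account, which is what the AD connection does.
$cred     = Get-Credential -UserName "$Domain\$ServiceAccount" -Message "Password for the AD connector account"
$password = $cred.GetNetworkCredential().Password
$self     = $null
try {
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$AdServer", "$Domain\$ServiceAccount", $password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$ServiceAccount))"
    $searcher.PropertiesToLoad.AddRange([string[]]@("memberOf", "userAccountControl"))
    $self = $searcher.FindOne()   # the bind actually happens here
    if ($null -eq $self) { $failures += "Bind succeeded but the account could not read its own object" }
    else { "AD bind and search OK as $Domain\$ServiceAccount" }
} catch {
    $failures += "AD bind or search failed: $($_.Exception.Message)"
}

# 3. Least privilege: vSEC:CMS only reads from AD, so a read-only account is enough.
if ($self) {
    $privileged = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators"
    $groups = @($self.Properties["memberof"]) | ForEach-Object { ($_ -split ",")[0] -replace "^CN=", "" }
    $hits   = @($groups | Where-Object { $privileged -contains $_ })
    if ($hits.Count -gt 0) { $failures += "Connector account is in privileged group(s): $($hits -join ', ')" }
    else { "Connector account holds no built-in admin group membership" }
}

# 4. CA reachability and the EA template being published on that CA.
$ping = & certutil.exe -config $CaConfig -ping 2>&1
if ($LASTEXITCODE -ne 0) { $failures += "certutil -ping failed for ${CaConfig}: $ping" }
else { "CA $CaConfig responds" }

$templates = & certutil.exe -config $CaConfig -CATemplates 2>&1
$pattern   = "^" + [regex]::Escape($EaTemplateName) + ":"
if ($LASTEXITCODE -ne 0) { $failures += "Could not list templates on ${CaConfig}: $templates" }
elseif (-not ($templates -match $pattern)) { $failures += "Template '$EaTemplateName' is not published on $CaConfig" }
else { "Template '$EaTemplateName' is published on $CaConfig" }

if ($failures.Count -gt 0) {
    Write-Warning ("Pre-flight problems:`n - " + ($failures -join "`n - "))
    exit 1
}
"All connector pre-flight checks passed"
```

The CA checks use `certutil -ping` and `certutil -CATemplates`, which only confirm that the CA answers and that the template is published; the Request Certificates and Issue and Manage Certificates rights that the connector account needs for enrollment and revocation are still verified in the CA's Security tab, and the EA template itself is configured as described in the CA Configuration section of Setup Evaluation Version.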
Configure Credential Template
1. From Templates - Card Templates click the Add button. Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS, select Minidriver (Generic minidriver card) for Card type. Leave all other settings as default and click Ok to close and save.
2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection configured earlier in the drop-down list. In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select a Windows logon certificate template and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template configuration dialog.
Issue Credential
From the Lifecycle page attach a blank credential to your host. If it is a credential that is supported by vSEC:CMS you should see the reader and the credential similar to below.
Depending on the credential that you are testing with it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your System Owner passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
The credential will now show as Issued. The credential PIN by default will be blocked. You will need to set a PIN before you can use the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential.
Once you complete this then the credential can be used to log onto your domain environment.