This article will describe how you can setup and use vSEC:CMS to issue and manage a Thales IDPrime Virtual credential (IDPV) via a self-service client. The article will cover the following:
- Set up a credential template that will allow you to issue a Windows logon certificate to an IDPV credential from vSEC:CMS User Self-Service (USS) application;
- Issue a Windows logon certificate to an IDPV credential using the template just created;
- Log onto a Windows client using the issued IDPV credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
It will be required that you have installed a fully operational IDPV client on your host where you perform the self-service issuance. Instructions on how to install and setup your IDPV client should be provided by Thales.
If you don’t have a connection for self-service already set up then from Options - Connections click the Add button and select User Self-Service and click Ok. Enable the Enable gRPC checkbox as we will use gRPC for this article.
Please ensure that you have read through the article vSEC:CMS Client-Server Communication which gives more details on vSEC:CMS client-server architecture.
Depending on your environment settings enter a hostname and port to listen on. You can also setup support for SSL if you wish to use HTTPS for secure communication between the client and server. If you use SSL it is important that the HostIP address field is entered with the name of the server as it appears in the SSL certificate. The SSL certificate should be a machine certificate available on the vSEC:CMS server.
Make sure that the vSEC:CMS - User Self-Service service is running after you configure this in Windows services.
Ensure that a credential configuration exists for the credential that you are going to use here. In this particular case you should see a template named IDPrime MD Virtual. See the article Add Credential Configuration before starting below.
1. From Templates - Card Templates click the Add button.
Click the Edit link beside General. Enter a template name. For Card type select Minidriver (Generic minidriver card, Virtual Smart Card).
Click the Manage button beside Self-service using the following template. Click the Add button. Enter a template name and enable Self-issuance enabled and Retire card enabled checkboxes. From the User Authentication for PIN Unblock drop-down list select Use windows credentials to authenticate user. Leave all other settings as is and click the Save button to save and close.
Click Close and from the main General dialog enable Self-service using the following template and from the drop-down list select the template just created. Leave all other settings as is and click Ok to save and close the dialog.
2. Click the Edit link beside Issue Card. Select the checkbox Automatically initiate cards after issuance and Issue by user(s) radio button. Click the Configure button in the User ID Options section. Select the AD connection already configured from User ID from drop down list and select Supplied domain credentials from Authenticate user using drop down list. Click Ok to save and close.
In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok. Leave all other settings as is and scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the template configuration dialog.
On a client machine it will be necessary to install the vSEC:CMS User application. Use the vSEC:CMS Client MSI to install this component. It is recommended to install it silently as it is possible to pass in the URL link to the backend vSEC:CMS server that the client needs to communicate with. This will remove the requirement to manually configure the vSEC:CMS User application to communicate with the backend in this case.
Open a command Window as administrator and change to the location where the MSI installer is located.
msiexec /i "vSEC_CMS Client 64bit.msi" /quiet ADDLOCAL=USS USSGRPC="https://2016-server:8445" USSPCL=4
Where USSGRPC points to the backend gPRC service where vSEC:CMS is installed and USSPCL=4 configures the vSEC:CMS User application client to use gRPC.
The client host will automatically reboot when running above command so make sure you have saved any material you may be working on when performing this task.
It will be required to have Safenet Minidriver installed on the host where you are running this. It is recommended to have the latest version that is available. Check with Thales or your provider on details on how to get the latest version of their minidriver.
Start the vSEC:CMS User application from the shortcut icon on the client desktop. Go to the Credential tab. With the credential attached that is to be issued click the Issue button.
Enter the domain credentials of the user to authenticate.
At the end of the process you will be prompted to enter a PIN for the credential to complete the flow.
Once you complete this then the credential can be used to log onto your domain environment.