Follow the instructions in this article to setup the vSEC:CMS on first use.
Note: The PKI used here will be an MS CA. If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
Note: This use case is not applicable with the vSEC:CMS Demo version.
Step 1 - Install the vSEC:CMS
1. Start the vSEC:CMS installer and click I Agree.
2. Select the Server option and click Next.
3. Select the default location for the installation or click Browse to install to a different location. Click Install to begin the installation.
4. When complete click Close.
Step 2 - Initialize the vSEC:CMS
1. Attach the System Owner smart card and start the application from the short cut icon on the desktop.
Important: The System Owner smart card will typically be provided by your provider OR you can issue the System Owner smart card using the Activator tool. See the article Activator Tool for details on using this tool.
Important: Minimum version 10.7.185 of the Thales IDPrime smart card minidriver (sometimes referred to as Safenet driver) needs to be installed on the server where the vSEC:CMS is installed.
2. Click the Random button to allow the vSEC:CMS to auto generate a random value for the administration key for the System Owner smart card or manually enter a value of 48 hexadecimal characters. Click the Copy button and save this key value to a secure location. This key will be required in the future if it is necessary to perform PIN unblock for this System Owner smart card .
3. Enter a PIN code passcode for the System Owner smart card and confirm. The PIN code needs to be a minimum of 4 characters.
4. Enter a backup passcode that will be required when performing a restore in the future. Click the Copy button to save this passcode to a secure location for future use when required. This backup passcode will be required in the future if it is required to perform a restore of the vSEC:CMS therefore it is critical that this passcode is stored in a secure location.
5. The logon dialog will now be shown. Enter the PIN created earlier to authenticate and start the application console.
6. Close the application console before moving to the next step.
Step 3 – Create Windows Account
By default, the vSEC:CMS is configured to run under the Windows SYSTEM account. It will be required to create a dedicated Windows account for the vSEC:CMS service. This account should only be used for the vSEC:CMS service.
The Windows account does not need to be a specific type; therefore, domain user type is sufficient but you will need to configure specific permissions for this account as described below in the section Configure Windows Permissions.
Important: It is recommended to configure the Windows account password to never expire. If the dedicated Windows account password is not configured to never expire then the vSEC:CMS service will fail to start if the Windows password is changed.
Configure vSEC:CMS Service
1. Once a dedicated Windows account is created open up Windows service, services.msc, and stop the service vSEC:CMS Service.
2. Right click the service vSEC:CMS Service and select Properties.
3. Go to the Log On tab and select This account radio button. Manually enter the Windows user account name created in Step 1.
Important: The Windows account name should be entered in the Windows account format pre-2000. For example, if the Windows account name is cms_service and the domain name is VERSATILESECURI, therefore the account name should be entered as: VERSATILESECURI\csm_service. If the account name is not entered in this format the CMS service may not start automatically after a server restart.
Configure Windows Permissions
It will be required to give full control (allow all permissions) to the dat folder and all files and folders within it to the Windows user account that the service is running under. The dat folder will typically be located in the location where the vSEC:CMS was installed, typically C:\Program Files (x86)\Versasec\vSEC_CMS S-Series if the default location was chosen during installation. Typically, these permissions can be granted by following the steps below, but these steps may not be applicable in your environment. Therefore, consult with your Windows IT administrator who should be able to set these if you do encounter issues with this.
1. Right click the dat folder and select Properties.
2. Go to the Security tab and click the Edit button and add the specific Windows user account created. Give the user full control and click Apply.
3. Additionally, it will be necessary to configure specific permissions to a registry folder for this Windows account. Open registry editor using regedit and browse to below location:
Right click on the Service folder and select Permissions. Click the Add button and add the Windows user created and give them full control. Click Apply and close.
4. Start the vSEC:CMS Service from the Windows service. Now the S-Service service will run under the dedicated Windows account.
Important: If the vSEC:CMS does not startup and shows an error that the database specified does not exist this is typically because the Windows user account cannot access the dat folder and/or cannot write/execute in the dat folder. Make sure that the Windows user account can access and read/write/execute in this folder.
Additionally, check that the registry key below is set to a value of 0:
Important: If the vSEC:CMS is configured to use MS SQL as the database it will be required to add the dedicated Windows user account to the MS SQL database.
Important: If the vSEC:CMS is configured to use MS CA it is required that the dedicated Windows account has permissions on the CA to revoke certificates. For example, in the Windows certsrv console right click the CA and select Properties. Then from the Security tab ensure that the dedicated Windows user account is in a Group or user list with minimum permission of Issue and Manage Certificates.
Additionally, if using MS CA and certificate operations, such as issue or revoke, are being performed from the USS, then in this case the USS will perform operations on the CA using the dedicated Windows account. The CMS service will connect to the CA remotely in this case, therefore it is important that the correct Interface Flags, as defined in MS Certificate Services Remote Administration Protocol are set. This flag is configured on the CA server in the registry key:
It is expected that a skilled MS Certificate Services integration engineer would be performing this check and configuration if it is required to be configured. Otherwise if this flag is not configured correctly you may get a warning from the USS application stating “The certificate cannot be revoked automatically as the Certification Authority (CA) is currently unreachable. The revocation request will be cached and will be sent to the CA when the CA is available.”
Step 4 - Configure Backup Settings
1. Log on again to the application console with the System Owner token. You will be presented with a warning that the automatic backup of the database is not configured. Click Ok.
2. From Options - Settings page ensure that the Automatic backup enabled check box is enabled. Click the Schedule button. Click the Perform backup now button to ensure that the backup can be written to the location specified above in the Backup folder.
Important: It is important to ensure that this location is included in your IT backup routines as this file would be required in the future if you need to restore the system after a system failure. If this backup file is not available there is a risk that all smart card tokens managed by the vSEC:CMS will be unmanageable.
Step 5 - Setup Connection to AD
1. From Options - Connections click the Add button. Select Active Directory and click Ok.
2. Enter a template name and it is recommended to select Use current user credentials to use the current logged on Windows credential. Alternatively, if you are not on the domain, uncheck the Use current user credentials and manually enter the AD server name and the Windows credential to connect with. Click the Test button and search for a user in your AD to ensure connectivity. Click Save to save and close.
Step 6 - Setup Connection to MS CA
1. From Options - Connections click the Add button. Select Certificate Authorities and click Ok.
2. Enter a template name and select the Windows CA (Microsoft Enterprise Certification Authority) from the drop-down list.
3. Click the Select CA button which will launch a dialog from where it is possible to specify the DC from where the CA configuration information should be read. As the vSEC:CMS would normally be on a server connected to the DC then select the Use from domain radio button and click the Ok button. If the vSEC:CMS is not on the domain select the Use specific server radio button and enter the server details for the DC and the Windows account to connect with. The Windows account should be the Windows sAMAccountName.
4. The enterprise CA server details should now be populated in the drop-down lists. Select the appropriate server for your configuration.
5. Click the Templates button to view all the available CA templates. Enable the Show all checkbox and click the Update button to view all available templates.
6. As this is the first setup of the connection to the CA an Enrollment Agent (EA) certificate will be required. An EA certificate will need to be available for any operator who will be issuing certificates on behalf of other users. Since this is the first setup it will be necessary to request an EA. In the Enrollment Agent section enable Sign server side. This will automatically grey out Proxy through server setting as we want all Operator console certificate issuance's to be proxied through server. Click the Request button to start the issuance. If more than one EA certificate templates are configured on the CA a dialog will be presented from which the EA certificate template that is to be used should be selected. An EA certificate will then be issued to the local certificate store for the Windows account that the vSEC:CMS is running under.
Important: The EA certificate will be issued to the Windows account that vSEC:CMS service is running under. The certificate template configured directly on the CA will need to have disabled the checkbox This number of authorized signatures from the Issuance Requirements tab on the CA template.
Important: The dedicated Windows account that the vSEC:CMS service runs under will need to have the appropriate permissions on the CA template that it is using in order to connect to it. The permission in this case is Enroll which needs to be set from the Security tab of the template. This permission will need to be set on any CA template that the vSEC:CMS is using. Additionally, the Windows account that the vSEC:CMS service runs under will perform the revocation requests on the CA. Therefore, this user needs to have Issue and Manage Certificates permissions on the CA, which are configurable from the certsrv console on the CA.
7. Click the Save button to complete the setup.
This completes the use case.