Follow the instructions in this article to set up the vSEC:CMS on first use.
Note: The PKI used here will be an MS CA. If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
Note: This use case is not applicable with the vSEC:CMS Demo version.
Step 1 - Install the vSEC:CMS
1. Start the vSEC:CMS installer and click I Agree.
2. Select the Server option and click Next.
3. Select the default location for the installation or click Browse to install to a different location. Click Install to begin the installation.
4. When complete click Close.
Step 2 - Initialize the vSEC:CMS
1. Attach the System Owner smart card and start the application from the shortcut icon on the desktop.
Important: The System Owner smart card will typically be provided by your provider OR you can issue the System Owner smart card using the Activator tool. See the article Activator Tool for details on using this tool.
Important: Minimum version 10.7.185 of the Thales IDPrime smart card minidriver (sometimes referred to as Safenet driver) needs to be installed on the server where the vSEC:CMS is installed.
2. Click the Random button to let the vSEC:CMS generate a random value for the administration key of the System Owner smart card, or manually enter a value of 48 hexadecimal characters. Click the Copy button and save this key value to a secure location. The key will be required in the future if a PIN unblock has to be performed for this System Owner smart card.
3. Enter a PIN code for the System Owner smart card and confirm it. The PIN code needs to be a minimum of 4 characters.
4. Enter a backup passcode and click the Copy button to save it to a secure location. This passcode will be required when performing a restore of the vSEC:CMS in the future, so it is critical that it is stored securely.
5. The logon dialog will now be shown. Enter the PIN created earlier to authenticate and start the application console.
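The minidriver requirement noted above (minimum version 10.7.185 of the Thales IDPrime minidriver on the vSEC:CMS server) is easy to verify before installing. The following PowerShell check is an added example and is not part of the vSEC:CMS documentation or the vendor's tooling. It assumes the minidriver is visible as a PnP signed driver in the SMARTCARD device class (a card must have been inserted at least once for Windows to create that device node) and that its device name contains IDPrime, SafeNet or Gemalto; adjust the -NamePattern parameter if your driver reports a different name.

```powershell
# Added example, not vSEC:CMS code: confirm the IDPrime minidriver version on this
# server meets the 10.7.185 minimum before installing the vSEC:CMS server component.
# Assumption: the minidriver appears in Win32_PnPSignedDriver with DeviceClass
# SMARTCARD and a DeviceName matching the pattern below.

function Test-IDPrimeMinidriverVersion {
    [CmdletBinding()]
    param(
        [version]$MinimumVersion = [version]'10.7.185',
        [string]$NamePattern = 'IDPrime|SafeNet|Gemalto'   # assumed device-name fragments
    )

    # Win32_PnPSignedDriver exposes DriverVersion for every installed PnP driver.
    $drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object {
            $_.DeviceClass -eq 'SMARTCARD' -and
            $_.DeviceName -match $NamePattern -and
            $_.DriverVersion
        }

    if (-not $drivers) {
        return [pscustomobject]@{ Found = $false; Version = $null; MeetsMinimum = $false }
    }

    # Several card models may share the same minidriver; report the highest version seen.
    $highest = $drivers |
        ForEach-Object { [version]$_.DriverVersion } |
        Sort-Object -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Found        = $true
        Version      = $highest
        MeetsMinimum = ($highest -ge $MinimumVersion)
    }
}

$result = Test-IDPrimeMinidriverVersion
if (-not $result.Found) {
    Write-Warning 'No IDPrime smart card minidriver found. Insert an IDPrime card or install the minidriver first.'
} elseif (-not $result.MeetsMinimum) {
    Write-Warning "Minidriver version $($result.Version) is below the required 10.7.185. Update it before continuing."
} else {
    "Minidriver version $($result.Version) meets the 10.7.185 minimum."
}
```

Run this on the server where the vSEC:CMS will be installed, with the System Owner smart card attached, so that the smart card device node (and therefore the minidriver entry) is present.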
Step 3 - Configure Backup Settings
1. After logging on for the first time, the System Owner operator will be presented with a warning that the automatic backup of the database is not configured. Click Ok.
2. From the Options - Settings page, ensure that the Automatic backup enabled check box is enabled. Click the Schedule button. Click the Perform backup now button to ensure that the backup can be written to the location specified in the Backup folder field.
Important: Ensure that this location is included in your IT backup routines, as this file will be required to restore the system after a system failure. If the backup file is not available, there is a risk that all smart card tokens managed by the vSEC:CMS will become unmanageable.
Step 4 - Setup Connection to AD
1. From Options - Connections click the Add button. Select Active Directory and click Ok.
2. Enter a template name. It is recommended to select Use current user credentials to connect with the currently logged-on Windows credential. Alternatively, if the server is not on the domain, uncheck Use current user credentials and manually enter the AD server name and the Windows credential to connect with. Click the Test button and search for a user in your AD to verify connectivity. Click Save to save and close.
Step 5 - Setup Connection to MS CA
1. From Options - Connections click the Add button. Select Certificate Authorities and click Ok.
2. Enter a template name and select the Windows CA (Microsoft Enterprise Certification Authority) from the drop-down list.
3. Click the Select CA button, which launches a dialog where you specify the DC from which the CA configuration information should be read. As the vSEC:CMS would normally be on a server connected to the domain, select the Use from domain radio button and click the Ok button. If the vSEC:CMS is not on the domain, select the Use specific server radio button and enter the DC server details and the Windows account to connect with. The Windows account should be specified as its Windows sAMAccountName.
Important: If Use from domain is selected then the logged-on Windows account will be used to connect to the CA. Therefore, the Windows account will need to have the appropriate permissions on the CA to connect to it.
Important: If the CA connection is used in conjunction with vSEC:CMS User Self-Service (USS) then the Windows account used to connect to the CA when performing certificate operations in the USS will be the dedicated Windows account that the CMS is configured to run under. Therefore, the dedicated Windows account will need to have the appropriate permissions on the CA to connect to it.
4. The enterprise CA server details should now be populated in the drop-down lists. Select the appropriate server for your configuration.
5. Click the Templates button to view all the available CA templates. Enable the Show all checkbox and click the Update button to view all available templates.
6. As this is the first setup of the connection to the CA, an Enrollment Agent (EA) certificate needs to be issued to the System Owner operator token. An EA certificate is required for any operator who will issue certificates on behalf of other users. Click the Request button. If more than one EA certificate template is configured on the CA, a dialog will be presented from which the EA certificate template to use should be selected.
Important: The EA certificate will be issued to the currently logged-on Windows account if the Use from domain radio button was selected when configuring the DC connection above. If the DC connection was configured with a specific Windows account (Use specific server), the EA certificate will be issued for that Windows account. In either case, the EA certificate template on the CA must have the This number of authorized signatures checkbox disabled on its Issuance Requirements tab.
7. The message Stored on: Operator token will be shown below the drop-down field, indicating that the EA certificate is stored on the operator token. Click the Save button to complete the setup.
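Step 5 depends on three things that are only reported indirectly by the vSEC:CMS dialogs: the connecting Windows account can reach the CA, an Enrollment Agent template is published on that CA, and the template does not require authorized signatures. The PowerShell pre-check below is an added example, not part of the vSEC:CMS documentation or the vendor's tooling. It assumes the RSAT ActiveDirectory module is installed, that $CAConfig holds your own "CA server\CA name" string (the value shown is a placeholder), and that the EA template's common name is EnrollmentAgent (the default built-in template; change it if you use a duplicated template). It reads the msPKI-RA-Signature attribute of the template object in the configuration partition, which is the attribute behind the This number of authorized signatures checkbox (0 means the checkbox is disabled). Run it as the account that will connect to the CA: the logged-on account for Use from domain, the specified account for Use specific server, or the dedicated service account when the connection is used by USS.

```powershell
# Added example, not vSEC:CMS code: pre-checks for the CA connection in Step 5.
# Assumptions: RSAT ActiveDirectory module present; $CAConfig replaced with your
# own "<CA server>\<CA name>"; EA template cn is EnrollmentAgent.

param(
    [string]$CAConfig = 'CASERVER.example.local\Example-Issuing-CA',   # placeholder
    [string]$EATemplateName = 'EnrollmentAgent'                        # template cn, not display name
)

Import-Module ActiveDirectory

function Test-CAReachable {
    param([string]$Config)
    # certutil -ping contacts the CA's request interface as the current account.
    $null = & certutil.exe -config $Config -ping 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-PublishedEATemplates {
    param([string]$Config)
    # certutil -CATemplates lists templates published on the CA; each template line
    # starts with the template cn followed by a colon.
    $output = & certutil.exe -config $Config -CATemplates 2>&1
    $output | ForEach-Object {
        if ("$_" -match '^\s*(\S+):') { $Matches[1] }
    } | Where-Object { $_ -match 'EnrollmentAgent' }
}

function Get-TemplateRASignatureCount {
    param([string]$TemplateCn)
    # Certificate templates live under the configuration partition. msPKI-RA-Signature
    # is the number of authorized (RA) signatures required on a request; 0 = disabled.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $path = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -Identity $path -Properties 'msPKI-RA-Signature'
    return [int]$tpl.'msPKI-RA-Signature'
}

if (-not (Test-CAReachable -Config $CAConfig)) {
    Write-Warning "CA $CAConfig did not answer certutil -ping as $env:USERNAME. Check this account's permissions on the CA."
}

$published = @(Get-PublishedEATemplates -Config $CAConfig)
if (-not $published) {
    Write-Warning "No Enrollment Agent template is published on $CAConfig."
} else {
    "Published EA templates on $CAConfig: $($published -join ', ')"
}

$raSignatures = Get-TemplateRASignatureCount -TemplateCn $EATemplateName
if ($raSignatures -gt 0) {
    Write-Warning "Template $EATemplateName requires $raSignatures authorized signature(s). Disable This number of authorized signatures on its Issuance Requirements tab before requesting the EA from the vSEC:CMS."
} else {
    "Template $EATemplateName requires no authorized signatures; the EA request from the vSEC:CMS can proceed."
}
```

If the ping fails while the account is a domain member, the usual cause is missing Request Certificates permission on the CA for that account, which is exactly the permission the two Important notes above refer to.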
This completes the use case.