Before beginning this article, it is necessary that you have successfully completed the article Install and Configure S-Series on First Use.
Follow the instructions in this article to configure and issue the first Full-Featured Operator Token (Full-Featured OT) in the S-Series. It is important to have at least one Full-Featured OT in your installation that has the System Administrator role; roles are described later in this article.
A Full-Featured OT is a smart card token that has been issued with a vSEC:CMS Operator Applet.
Important: If the smart card token(s) that are to be issued as Full-Featured OT do not have the vSEC:CMS Operator Applet issued on them, follow the instructions in the article Activator Tool for details on how to issue them. Please consult your provider to check whether your Full-Featured OT was supplied with the vSEC:CMS Operator Applet already issued.
Important: The Full-Featured OT in this case needs to be a Gemalto IDPrime MD 830 or Gemalto .NET smart card.
Note: The PKI used here will be an MS CA.
1. Navigate to the Options – Smart Cards page. When the page has loaded, attach the Full-Featured OT that you will use with the S-Series. The S-Series will filter the card type and present the attached card.
2. Select the entry and click Edit.
If the Full-Featured OT is a Gemalto IDPrime MD 830 then for Smart Card Access ensure that Use minidriver if possible is selected and click Save.
If the Full-Featured OT is a Gemalto .NET then for Smart Card Access ensure that Use native access if possible is selected and click Save.
3. From Templates - Card Templates click the Add button.
4. Click the Edit link for General.
5. Enter a template name, attach the Full-Featured OT to your host and click the Detect button. A dialog will be displayed. If the Full-Featured OT is a valid token, the dialog shows “applicable to: Generic minidriver card, IDPrime MD, vSEC:CMS Operator” when a Gemalto IDPrime MD 830 is used, or “applicable to: .NET card with v220.127.116.11 minidriver applet, vSEC:CMS Operator” when a Gemalto .NET card is used. Click Ok to close the dialog.
6. Enable the vSEC:CMS Operator Card checkbox and from the drop-down list select the Full Featured Operator Card option.
7. Click the Roles button. This dialog configures how the role(s) applied to the operator smart card are chosen during issuance. To let the issuing operator choose the role manually during issuance, select the option Select Operator Role manually during issuance. To set the role automatically during issuance, select the option Automatically set selected role(s) during issuance and select the roles to be set from the list of available roles. In this article, we will select Select Operator Role manually during issuance, as we want to select specific role(s) for this first Full-Featured OT.
8. Click Ok to save the settings.
9. Click the Edit link for Issue Card.
10. For Assign user ID select the AD connection that should have been configured already in the article about installing and configuring the S-Series on first use.
11. Enable the Enroll certificate(s) check box and click the Add button.
12. From the Certificate authority drop-down list, select the CA that should already have been configured in the article about installing and configuring the S-Series on first use, and select the Certificate template that is to be issued to the Full-Featured OT. This would typically be an Enrollment Agent (EA) certificate template. Click Ok to save and close the dialog.
13. Click Ok to save and close the dialog which should close the card template configuration.
Important: The EA certificate template on the CA must be configured to require an authorized signature. On the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures and set a value of 1, and from the Application policy drop-down list select the Certificate Request Agent option.
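To confirm the issuance requirement above from the Active Directory side, the following added example (not part of the vSEC:CMS documentation) reads the template's `msPKI-RA-Signature` and `msPKI-RA-Application-Policies` attributes using the ActiveDirectory PowerShell module. The template name `EXAMPLE-EnrollmentAgent` and the function name are placeholders chosen for illustration.

```powershell
# Added example: audit a certificate template's issuance requirements in AD.
# Assumes the ActiveDirectory module (RSAT) and read access to the
# Configuration partition. Names below are illustrative placeholders.
Import-Module ActiveDirectory

# OID of the "Certificate Request Agent" application policy
$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'

function Test-TemplateIssuanceRequirement {
    param(
        # Template CN (not the display name); restricted to safe characters
        # so the value cannot alter the LDAP filter.
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w\- ]+$')]
        [string] $TemplateName
    )

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $tpl = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter "(cn=$TemplateName)" `
        -Properties 'displayName', 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
    if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

    # A missing attribute converts to 0, i.e. no signature required.
    $sigCount = [int]$tpl.'msPKI-RA-Signature'

    # Substring match: newer template schema versions store the OID inside a
    # longer delimited string rather than as a bare OID value.
    $policies = @($tpl.'msPKI-RA-Application-Policies')
    $hasAgentPolicy = [bool]($policies | Where-Object { $_ -like "*$CertRequestAgentOid*" })

    [pscustomobject]@{
        Template                 = $tpl.displayName
        AuthorizedSignatures     = $sigCount
        RequiresCertRequestAgent = $hasAgentPolicy
        Compliant                = ($sigCount -eq 1 -and $hasAgentPolicy)
    }
}

# Placeholder template name; replace with the CN of your EA template.
Test-TemplateIssuanceRequirement -TemplateName 'EXAMPLE-EnrollmentAgent'
```

A `Compliant` value of `False` means the template does not match the setting described above and should be corrected on the CA before issuing the Full-Featured OT.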
Step 2 - Issue Full-Featured OT
1. From the Lifecycle page attach the Full-Featured OT that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.
2. Enter the System Owner token PIN (Passcode) when prompted.
3. Select a user from AD that the Full-Featured OT is to be issued to.
4. Select the role(s) that this Full-Featured OT will have. As this is the first Full-Featured OT that is to be issued you should select all roles for this particular operator.
5. When the issuance completes, a message dialog will appear indicating that an authentication key has been added to the S-Series, followed by a short summary dialog with details of the operations that have been performed.
The Full-Featured OT is now in an Issued state, as can be seen from the process diagram. By default, the smart card PIN will be blocked, so it will be necessary to unblock the smart card. Typically, the person who will use this smart card (the operator in this use case) will set the PIN code on the smart card.
6. Click the Active oval and click the Execute button.
7. Enter the System Owner token PIN (Passcode) when prompted.
8. Enter the PIN code that will be set on the Full-Featured OT. Click Initiate to set the PIN code on the smart card and make it active.
9. A summary dialog will appear. Click Ok to close.
The smart card will now be in an active state and can be used by the operator to log onto the S-Series.
It is recommended at this time to close the application and store the System Owner smart card in a safe, only to be used in emergency circumstances. The issued Full-Featured OT can now be provided to the operator who can use it to log on and start configuring and issuing smart card tokens as required.
This completes the use case.