Before beginning this article, it is necessary that you have successfully completed the article Install and Configure vSEC:CMS on First Use.
Follow the instructions in this section to set up and configure the vSEC:CMS so that it is possible to issue and manage smart card tokens using the vSEC:CMS User Self-Service (USS) application. After completing this configuration, it will be possible to issue a blank smart card token with a smart card logon certificate, perform a smart card PIN unblock and perform certificate renewal from the USS application.
Note: The PKI used in this example use case will be an MS CA.
Note: The smart card type that will be managed in this use case will be a generic mini-driver smart card token.
Step 1 - Setup Encrypted Key Store
In order to use USS, it will be necessary to install an Operator Service Key Store (OSKS) in the vSEC:CMS.
Follow the instructions in the article Create Operator Keystore for details on how to setup OSKS.
Step 2 - Setup USS Connection
1. From Options - Connections click the Configure button. Select User Self-Service, click the right arrow button to add it to the selected connectors and click Ok.
2. Click the User Self-Service frame added to open up the configuration dialog.
3. From version 5.7 you have a choice of two communication protocols. Select Enable Soap if the communication protocol to be used is SOAP, and enable gRPC if you wish to use gRPC. You can configure the template to support both and then configure on the client which method it should use (see the Advanced USS Configuration section in the document User Self-Service Advanced Guide).
Note: Currently SSL/TLS and load balancing are not supported for gRPC due to limitations in gRPC.
4. Enter the host name of the vSEC:CMS server in the field below All adapters and the port that the server will listen on. If SOAP and gRPC are configured you need to enter a different port number for each interface.
5. The setting Enable get service metadata is enabled and cannot be configured from this dialog. It is shown for information purposes. This is a WSDL web services scheme that tells potential clients about the structure of the web service.
6. Optionally, enable the Use SSL checkbox if it is required to use communication over SSL/TLS.
7. If the clients on which the USS is installed are configured to go through an HTTP proxy, then in the Server connection point section enable the Customized endpoint address and enter the URL of the endpoint, i.e. the URL that should be configured on the end user's client workstation.
8. If SSL/TLS is used then from the Server certificate select the server certificate to use for the SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine in the Personal store.
9. Click Ok to save the configuration. Additionally, make sure the Windows service vSEC:CMS User Self Service is running and that the local firewall has a rule for the port number configured to allow HTTP traffic.
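The last step above asks you to confirm three things by hand: that the USS Windows service is running, that the local firewall allows the configured port, and (when SSL/TLS is enabled) that the server certificate is in the local machine Personal store. The following PowerShell script, added here as an example and not part of the vSEC:CMS documentation, performs those checks on the vSEC:CMS server. The port number and certificate subject are placeholders that you replace with your own values; the service display name is the one quoted above and is an assumption about the exact name the installer registers.

```powershell
# Added example (not vendor code): pre-flight checks for the USS listener on the vSEC:CMS server.
# Assumptions: runs elevated on the server; $UssPort and $ServerCertSubject are placeholders;
# $ServiceDisplayName is the display name quoted in the article.
param(
    [int]$UssPort = 8443,                                # placeholder: the port entered in the USS connection dialog
    [string]$ServiceDisplayName = 'vSEC:CMS User Self Service',
    [string]$ServerCertSubject = 'CN=cms.example.local'  # placeholder: subject of the TLS server certificate
)

$ok = $true

# 1. The Windows service hosting the USS listener must be running.
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceDisplayName' is not running (status: $($svc.Status))"
    $ok = $false
}

# 2. An enabled inbound Allow rule must exist for TCP on the configured port.
$portRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $UssPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if (-not $portRules) {
    Write-Warning "No enabled inbound Allow rule found for TCP port $UssPort"
    $ok = $false
}

# 3. For SSL/TLS the server certificate must be in Cert:\LocalMachine\My (the local
#    machine Personal store), have a private key and not be expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $ServerCertSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with subject '$ServerCertSubject' in Cert:\LocalMachine\My"
    $ok = $false
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) has no private key; it cannot serve TLS"
    $ok = $false
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    $ok = $false
}

# 4. Confirm something is actually bound to the port, i.e. the service picked up the configuration.
$listening = Get-NetTCPConnection -State Listen -LocalPort $UssPort -ErrorAction SilentlyContinue
if (-not $listening) {
    Write-Warning "Nothing is listening on TCP port $UssPort"
    $ok = $false
}

if ($ok) { "USS listener prerequisites on port $UssPort look good" } else { exit 1 }
```

Run it once after saving the connection configuration and again after any firewall or certificate change; a non-zero exit code means at least one prerequisite failed, and the warnings say which. If both SOAP and gRPC are configured, run it once per port.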
Step 3 - Setup USS Card Template
1. Navigate to the Options - Smart Cards page. When the page is loaded, attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS will filter the card type and present the smart card template available in the vSEC:CMS.
2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.
3. From Templates - Card Templates click the Add button.
4. Click the Edit link for General.
5. Enter a template name and attach the smart card token that is to be issued and click the Detect button to allow the vSEC:CMS to detect the smart card token type that is to be used for this card template.
6. Click the Manage button to configure the USS template. Click the Add button. Enter a template name. In the User Authentication for PIN Unblock drop-down box select which authentication method should be used when performing unblocks. Refer to the document User Self-Service Advanced Guide and look in the section User Authentication for PIN Unblock for more details on this. In the PIN Unblock Codes section leave all settings as is. Click the Save button to save and close the dialog and navigate back to the General dialog.
7. From the General dialog select the Self-service using the following checkbox and select the USS template from the drop-down list created in the previous step.
8. Leave all other default settings in the General dialog and click Ok to save the settings and close this dialog.
9. Click the Edit link for Issue Card.
10. From General Options enable the Automatically initiate cards after issuance check box and select the Issue by User(s) radio button.
11. Click the Configure button and select the AD already configured from the User ID from drop down list. For Authenticate user using drop down list select Supplied domain credentials (note: in versions prior to 5.1.0 this was named Windows domain credentials) and click Ok to save and close the dialog.
Alternatively, from the Authenticate user using drop down list you can select the option Current logged on windows credentials. If this option is selected, the currently logged on Windows credential is used for the smart card issuance during self-service, and the end user is not asked to enter an authentication credential. It is therefore strongly recommended to make sure that the smart card PIN is blocked at the end of the issuance flow, so that the user must go through the unblock PIN flow and thereby performs a secondary authentication step. To disable the setting of a PIN at the end of the issuance flow, disable the Automatically initiate cards after issuance check box in the General Options section.
Important: The AD connection used here needs to be configured from Options - Connections to use current user credentials. From the AD connection dialog ensure that the checkbox Use current user credentials is checked.
12. From Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA already configured from the Certificate Authority drop down list and select the smart card logon certificate template as configured on your CA from the Certificate template list and click Ok to save and close the dialog.
13. Leave all other default settings for the Issue Card dialog and click Ok to save and close.
Important: The Windows smart card logon certificate template on the CA must be configured to require an authorized signature. From the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures and set a value of 1, and from the Application policy drop down list select the Certificate Request Agent option.
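Because the issuance-requirement setting above is what stops a plain domain user from requesting a smart card logon certificate without the enrollment agent's signature, it is worth verifying it outside the CA console. The following PowerShell script is an added example, not part of the vSEC:CMS documentation; it reads the template object from the Active Directory Configuration partition, where certificate templates are stored, and checks the attributes that the two GUI settings map to. The template name is a placeholder (use the template's CN, which is its internal name rather than its display name), and the two OIDs are the well-known Microsoft application policy identifiers for Certificate Request Agent and Smart Card Logon.

```powershell
# Added example (not vendor code): verify the CA template's issuance requirements in AD.
# Assumptions: domain-joined host with read access to the Configuration partition;
# $TemplateName is a placeholder for the CN of your smart card logon template.
param(
    [string]$TemplateName = 'SmartcardLogonUSS'   # placeholder: CN (internal name) of the template
)

# Well-known Microsoft application policy / EKU OIDs.
$CertificateRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'
$SmartCardLogonOid          = '1.3.6.1.4.1.311.20.2.2'

# Certificate templates live under Public Key Services in the Configuration naming context.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

if (-not $tmpl.distinguishedName) {
    throw "Template '$TemplateName' was not found under $configNc"
}

# 'This number of authorized signatures' is stored in msPKI-RA-Signature (0 when unset).
$raSignatures = [int]($tmpl.'msPKI-RA-Signature'.Value)

# The 'Application policy' the signing certificate must carry is stored in
# msPKI-RA-Application-Policies. Older templates hold bare OIDs; newer ones hold a
# backtick-delimited string that embeds the OID, so a substring match covers both.
$raAppPolicies = @($tmpl.'msPKI-RA-Application-Policies' | ForEach-Object { "$_" }) -join ' '

# EKUs that certificates issued from this template will carry.
$ekus = @($tmpl.'pKIExtendedKeyUsage' | ForEach-Object { "$_" })

$findings = @()
if ($raSignatures -lt 1) {
    $findings += "msPKI-RA-Signature is $raSignatures; 'This number of authorized signatures' must be 1"
}
if (-not $raAppPolicies.Contains($CertificateRequestAgentOid)) {
    $findings += "Issuance application policy does not include Certificate Request Agent ($CertificateRequestAgentOid)"
}
if ($ekus -notcontains $SmartCardLogonOid) {
    $findings += "Template EKU does not include Smart Card Logon ($SmartCardLogonOid)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Template '$TemplateName': $raSignatures authorized signature(s) required, Certificate Request Agent policy present, Smart Card Logon EKU present"
```

The third check is not one of the settings named in the note above; it is included because a template that lacks the Smart Card Logon EKU would be accepted by the script's first two checks and still not produce a certificate usable for smart card logon. Template changes made in the CA console are written to this AD object, so re-run the script after saving the template to confirm the values replicated.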
Step 4 - Setup USS Application
On the client device connected to your domain it will be necessary to install the USS application. The USS application will need to be configured to connect to the vSEC:CMS application in order to perform self-service functions. The USS application uses TCP/IP as the communication protocol; therefore, a URL will need to be configured on the USS application.
For details on installing the USS, see the document Installing the vSEC:CMS MSI Client.
Important: It is required to have English installed as Region and Language settings on the host where the USS application is to be installed, i.e. English needs to be installed but does not need to be set as the default language on the client.
Additionally, if you do not pass in the URL from command prompt when installing the USS, it is possible to configure the URL post installation. Follow the instructions below to configure the URL.
1. From a command prompt, start the USS application configuration dialog to configure the vSEC:CMS connection. For example, if the USS application is installed on a Windows 64-bit OS in the default location, run the command vSEC_CMS_T_USS.exe -configure from the root of the USS installation directory.
2. Go to the Server tab and enter the full URL for the vSEC:CMS as configured in Setup USS Connection above. Click the Test button to ensure connectivity. If the communication is successful a success dialog should appear. Click the Close button to save and close the dialog.
Step 5 - Issue Smart Card from USS Application
1. On the client host start the USS application from the My Smartcard shortcut icon on the desktop.
2. Click the My Profile link and with a blank smart card attached click the Issue button to begin the issuance process.
3. From the reader drop-down list, make sure to select the card reader that the smart card token is inserted in. Select the template configured above in the card template drop-down list and click the Issue button.
4. Enter the Windows domain user name and password to authenticate and click Ok.
5. The issuance process will now perform a number of operations. Once complete the user will be prompted to set a PIN code on the smart card token. Enter a PIN that meets the PIN policy requirements and click the Initiate button to complete the issuance.
6. This completes the issuance flow.
Step 6 - Perform Online PIN Unblock from USS Application
1. If it is required to perform a PIN unblock from the USS application go to the My PIN page and select the Unblock PIN (Crypto) radio button. Enter a new PIN code that meets the PIN policy requirements and confirm this value. Click the Unblock button to proceed.
2. Enter the Windows domain user name and password to authenticate and click Ok. In the background, a challenge-response will be performed with the vSEC:CMS to complete the unblock. Once complete a success dialog will appear.
3. This completes the online PIN unblock.
Step 7 - Perform Certificate Renewal from USS Application
1. If it is required to perform a certificate renewal from the USS application go to the My Certificates page and select the certificate from the list of available certificates and click the Reissue button.
2. Enter the smart card token PIN to authenticate and complete the certificate renewal.
3. This completes the certificate renewal.