Before beginning this article, it is necessary that you have successfully completed the article Install and Configure S-Series on First Use.
Follow the instructions in this article to set up the S-Series so that it can issue smart card tokens that can be used as operator tokens. This means that it will not be necessary to have an operator smart card pre-loaded with a vSEC:CMS operator applet.
Note: The PKI used in this example use case will be an MS CA.
Note: The smart card type that will be managed in this use case will be a generic mini-driver smart card token.
Step 1 - Setup Encrypted Key Store
In order to use an Authentication Only Operator (AOO) token, an Operator Service Key Store (OSKS) will need to be installed in the S-Series.
Follow the instructions in the article Create Operator Keystore for details on how to set up the OSKS.
Step 2 - Setup Card Template
1. From Templates - Card Templates click the Add button.
2. Click the Edit link beside General.
3. Enter a template name and attach a generic mini-driver smart card that is to be used as the AOO smart card and click the Detect button.
4. Click Ok, enable the vSEC:CMS Operator Card check box, and from the drop-down list select Authentication Only Operator Card.
5. Click the Roles button. From this dialog, it is possible to configure how the operator can select the role(s) that will be applied to the issued operator smart card during the issuance. If the issuing operator is to be allowed to manually select the role that is to be applied during issuance, then select the option Select Operator Role manually during issuance. If it is required to automatically set the role during the issuance, then select the option Automatically set selected role(s) during issuance and select, from the list of available roles, the role(s) that are to be set. In this example, we will select Select Operator Role manually during issuance.
6. Leave all other settings as is and click Ok to save the settings and close this dialog.
7. Click the Edit link for Issue Card.
8. For Assign user ID select the already configured AD connection. Enable the Enroll certificate(s) check box and click the Add button.
9. Select the already configured CA connection from the Certificate authority drop-down list and select the certificate template that is to be issued to the AOO Token. This would typically be an EA certificate template if the operator is required to issue smart card tokens with certificates.
10. Click Ok to save and close the dialog.
11. Leave all other default settings for the Issue Card dialog and click Ok to save and close.
Important: The Windows certificate template on the CA must be configured to require an authorized signature. From the Issuance Requirements tab of the certificate template properties on the CA, make sure to enable This number of authorized signatures and set a value of 1, and for the Application policy drop-down list select the Certificate Request Agent option.
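The following check is an added example, not part of the vendor documentation: it reads the certificate template from Active Directory and confirms the issuance requirements described above (one authorized signature, Certificate Request Agent application policy). It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition; the function name and the template name are hypothetical placeholders.

```powershell
# Added example: verify the issuance requirements of the certificate template
# that is issued to the AOO token. Read-only; changes nothing on the CA or in AD.
Import-Module ActiveDirectory

# OID of the Certificate Request Agent application policy.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'

function Test-AooTemplateIssuanceRequirements {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Name,    # CN of the certificate template
        [string] $RequiredPolicyOid = $RequestAgentOid
    )

    # Certificate templates are stored in the forest's Configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $tpl = Get-ADObject -SearchBase $base `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
        -Properties 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
    if (-not $tpl) { throw "Certificate template '$Name' not found under $base" }

    # "This number of authorized signatures"; an unset attribute counts as 0.
    $sigCount = [int]$tpl.'msPKI-RA-Signature'

    # "Application policy". Newer template schema versions store this attribute
    # as one backtick-delimited string, so split every value on the backtick
    # and look for the OID among the resulting tokens.
    $tokens    = (@($tpl.'msPKI-RA-Application-Policies') -join '`') -split '`'
    $hasPolicy = $tokens -contains $RequiredPolicyOid

    [pscustomobject]@{
        Template              = $tpl.Name
        AuthorizedSignatures  = $sigCount
        HasRequestAgentPolicy = $hasPolicy
        Compliant             = ($sigCount -eq 1) -and $hasPolicy
    }
}

# Assumption: placeholder template name; replace with the template selected
# in the Issue Card dialog of the card template.
Test-AooTemplateIssuanceRequirements -Name 'AOO-Template-Placeholder'
```

A result with Compliant set to False means the template does not match the setting described in the Important note and should be corrected on the CA before issuing the AOO token.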
Step 3 - Issue AOO Token
1. From the Lifecycle page attach the smart card token that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.
2. Enter the Operator token PIN (Passcode) code when prompted.
3. Select a user from AD that the smart card token is to be issued to.
4. When the issuance completes, a message dialog indicating that an authentication key has been added to the S-Series will appear, followed by a short summary dialog with details on what operations have been performed.
The smart card token is now in an Issued state, as can be seen from the process diagram. By default, the smart card PIN will be blocked, so it will be necessary to unblock the smart card. Typically, the person who will use this smart card will set the PIN code on the smart card.
5. Click the Active oval and click the Execute button.
6. Enter the Operator token PIN (Passcode) code when prompted.
7. Enter the PIN code that will be set on the smart card token. Click Initiate to set the PIN code on the smart card and make it active.
8. A summary dialog will appear. Click Ok to close.
This completes the use case.