Before beginning this article, it is necessary that you have successfully completed the article Install and Configure vSEC:CMS on First Use.
This article describes how to configure the vSEC:CMS to manage the lifecycle of Gemalto IDPrime MD 840/3840 smart card tokens (MD 840/3840), as these tokens behave differently from the other smart card tokens in the Gemalto IDPrime MD suite. In this use case we will configure the smart card token to be issued with a Windows smart card logon certificate.
Note: The PKI used in this example use case will be an MS CA.
Step 1 - Configure Smart Card Access
1. From Options - Smart Cards attach an MD 840/3840 smart card that you will manage with the vSEC:CMS. The vSEC:CMS will filter the card type and present the card template.
2. Click the Edit button and for Smart Card Access select Use minidriver if possible.
Step 2 - Configure Smart Card Template
1. From Templates - Card Templates click the Add button.
2. Click the Edit link beside General.
3. Enter a template name, attach an MD 840/3840 smart card that is to be managed by this template and click the Detect button. You should see information in the window showing that an IDPrime MD 840 is detected. Click Ok to close the dialog.
4. Accept all default settings in the General dialog and click Ok to save the settings and close this dialog.
5. Click the Edit link for Issue Card.
6. From the User ID Options section enable Assign User ID and select the AD connection already configured.
From the Card PIN Options section click the Manage button. Click the Add button to add a new PIN policy configuration. Depending on the smart card PIN selected, different options will be available. From this dialog it is possible to configure the PIN policy for Gemalto MD 840/3840 smart cards.
The Template Name field can be changed as required to provide a descriptive name for the template policy.
The Card type field indicates the card types that the template can be applied to. Select the Smart Card PIN that the policy will be applied to from the available drop-down list.
Enable the Linked mode option if the card is to be used in linked mode. This feature will allow you to synchronize the PIN set on the smart card when the card is activated. Therefore, the PIN set at activation will be the same PIN for both the primary card PIN and the qualified signature PIN. Additionally, if an OTP applet is used and available on the smart card the PIN for OTP would be synchronized with the same PIN set during the activation.
By enabling the Adjacent positions allowed check box, a PIN that has the same character repeated in adjacent positions will be allowed. Enter the number of allowed adjacent positions in the Allowed repetitions field; this value sets the number of times a character can be repeated in adjacent positions. For example, if this value is set to 4 then 1111c1 and aaaa1a are allowed PIN values, whereas 11111c and aaaaa1 are not. It is important to note that the value set here cannot exceed the Max appearance value described next.
The Max appearance field sets the allowed number of appearances of any single character in a PIN; it is not possible to specify which character. For example, if Max appearance is set to 2 then the PIN value 0001 would not be allowed, whereas the PIN value 0011 would be allowed.
The Max length of sequence field sets the longest run of consecutive characters (for example 1,2,3,4,5,6...) that a PIN may contain. For example, if this parameter is set to 4 then 1234c5 and abcd1e are allowed PIN values, whereas 12345c and abcde1 are not.
The Max repeated characters field sets the number of different characters that may be repeated at least once. For example, if this value is set to 1 then one character can be repeated, but it is not possible to specify which one.
For PIN length, the Min configures the PIN policy to set the minimum length that the smart card PIN needs to be when the user is setting their PIN and the Max configures the PIN policy to set the allowed maximum length that the smart card PIN can be when the user is setting their PIN. It is not possible to set the Max PIN length greater than 16 as the smart card does not support this.
Enable the Character set restrictions check box to restrict the characters that can be used when setting a PIN. If this check box is not enabled, all characters are allowed when setting a PIN. If it is enabled, each character class can be set to Allowed, Mandatory or both. If Alphabetic uppercase is enabled then the PIN must contain an upper-case character. If Alphabetic lowercase is enabled then the PIN must contain a lower-case character. If None alphabetic is enabled then the PIN must contain a character that is neither numeric nor alphabetic; for example, any of these characters would qualify: !"£$%^&*(). If None Ascii is enabled then the PIN must contain a non-ASCII character.
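The PIN policy fields described above, as an added example that is not part of the original article or of vSEC:CMS: a checker that applies each field to a candidate PIN, using the example values from the text. The field names, the treatment of a character class that is neither Allowed nor Mandatory as forbidden, and counting only ascending runs as a sequence are assumptions made here.

```python
# Added example (not vSEC:CMS code) checking the PIN policy fields described above. Assumed here:
# a class neither Allowed nor Mandatory is rejected; a "sequence" is an ascending code-point run; digits always pass.
from dataclasses import dataclass, field
from typing import Optional
CLASSES = {  # the Character set restrictions classes
    "upper": lambda c: c.isalpha() and c.isupper(),
    "lower": lambda c: c.isalpha() and c.islower(),
    "non_alpha": lambda c: not c.isalnum(),   # e.g. !"£$%^&*()
    "non_ascii": lambda c: not c.isascii(),
}

@dataclass
class PinPolicy:
    min_len: int = 4
    max_len: int = 16                           # the card supports at most 16
    allowed_repetitions: Optional[int] = None   # longest run of one char in adjacent positions
    max_appearance: Optional[int] = None        # how often any one char may appear in total
    max_sequence: Optional[int] = None          # longest ascending run such as 1234
    max_repeated_chars: Optional[int] = None    # distinct chars that appear more than once
    allowed: set = field(default_factory=set)   # names from CLASSES
    mandatory: set = field(default_factory=set) # names from CLASSES; implies allowed

def _longest_run(pin: str, step: int) -> int:  # step 0 = same char repeated, 1 = ascending
    best = cur = 1
    for a, b in zip(pin, pin[1:]):
        cur = cur + 1 if ord(b) - ord(a) == step else 1
        best = max(best, cur)
    return best

def check_pin(pin: str, p: PinPolicy) -> list:
    """Return the policy violations for `pin`; an empty list means it is acceptable."""
    if p.max_len > 16:
        raise ValueError("the MD 840/3840 does not support a PIN longer than 16")
    counts = [pin.count(c) for c in set(pin)]   # None in a field below means "not enforced"
    checks = [
        (not p.min_len <= len(pin) <= p.max_len, "length"),
        (p.allowed_repetitions is not None and _longest_run(pin, 0) > p.allowed_repetitions, "adjacent repetitions"),
        (p.max_appearance is not None and max(counts, default=0) > p.max_appearance, "max appearance"),
        (p.max_sequence is not None and _longest_run(pin, 1) > p.max_sequence, "sequence"),
        (p.max_repeated_chars is not None and sum(n > 1 for n in counts) > p.max_repeated_chars, "repeated characters"),
    ]
    errs = [label for bad, label in checks if bad]
    if p.allowed or p.mandatory:                # Character set restrictions enabled
        for name, test in CLASSES.items():
            present = any(test(c) for c in pin)
            if name in p.mandatory and not present:
                errs.append(f"{name} required")
            elif present and name not in p.allowed | p.mandatory:
                errs.append(f"{name} not allowed")
    return errs
```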
If the Disable unblock check box is enabled, a user who blocks their smart card will not be able to unblock it using either the administration key or the PUC. The Disable change check box disables PIN change on the card, i.e. the card will not allow the user to change the PIN. Enable the Unblock using admin check box to allow the smart card PIN to be unblocked using the administration key set on the smart card. Enable the Unblock using PUC check box if a PUC is to be set and used to unblock the smart card. If the Support SSO check box is enabled, the user needs to enter their PIN only once during a card session as long as the smart card is not removed. Secure PIN input is a feature introduced in Windows 7 that lets the user enter their smart card PIN securely.
From Purpose a number of options are available: Primary smart card PIN, Authentication PIN, Digital Signature PIN, Encryption PIN, Non Repudiation PIN, Administrator and Unblock only PIN. Select the one required for the policy being configured. For PIN Type a number of options are available. Select Regular PIN for the normal alphanumeric PIN used for private key operations. Select External PIN (Bio or Pinpad) when the PIN is to be provided as a fingerprint or via an external PIN pad reader. Select Challenge/Response PIN when the PIN is to be provided as a challenge/response to authenticate the user. Select No PIN if no PIN entry is to be required. For Cache, select Normal to use the normal cache behavior in the CSP. Select Timed for a time-based cache in the CSP; the Cache validity is set as a parameter in milliseconds. Select Not cached if no cache is to be configured for the user smart card in the CSP. Select Always prompt if the smart card user should always be prompted for their smart card PIN.
Once the PIN policy is configured then enable the Apply PIN Configuration checkbox and select the PIN policy just created in the drop-down list.
From the Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list and select the smart card logon certificate template as configured on your CA from the Certificate template list. From Card key container select Sign and Decrypt RSA 1024/2048 and click Ok to save and close the dialog.
Accept all other defaults for the Issue Card dialog and click Ok to save and close.
7. Click Ok to save and close the template.
Important: The Windows smart card logon certificate template on the CA must be configured to require an authorized signature. From the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures and set a value of 1, and from the Application policy drop-down list select the Certificate Request Agent option.
Step 3 - Issue Smart Card Token
1. From the Lifecycle page attach the smart card token that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.
2. Enter the Operator token PIN (Passcode) code when prompted.
3. Select a user from AD that the smart card token is to be issued to.
4. When the issuance completes a message dialog indicating that an authentication key has been added to the vSEC:CMS will appear followed by a short summary dialog with details on what operations have been performed.
The smart card token is now in an Issued state as can be seen from the process diagram. By default, the smart card PIN will be blocked so it will be necessary to unblock the smart card. Typically, the person who will use this smart card will set the PIN code on the smart card.
5. Click the Active oval and click the Execute button.
6. Enter the Operator token PIN (Passcode) code when prompted.
7. Enter the PIN code that will be set on the smart card token. Click Initiate to set the PIN code on the smart card and make it active.
8. A summary dialog will appear. Click Ok to close.
9. As the smart card supports two PINs, a second PIN needs to be set for the qualified Digital signature PIN even though this is not typically used. The PIN code needs to meet the PIN policy set on the card. Click Initiate to set the PIN code on the smart card and make it active.
10. A summary dialog will appear. Click Ok to close.
11. The smart card will now be in an active state and can be used to perform Windows Smart Card logon.
Step 4 - Perform Windows Smart Card Logon
On a Windows system joined to the domain, attach the smart card token and enter the smart card PIN code created earlier to log on.
This completes the use case.