In vSEC:CMS, only operators with the unblock permission can unblock an operator smart card. If an operator card used to log into the vSEC:CMS application console is blocked, 3 options are available to unblock the token.
Option 1 - Offline Unblock Using Challenge-Response
1. When an operator attempts to log onto the vSEC:CMS application console and their operator token is blocked, an Unblock Operator Token dialog is presented. The operator token serial number and challenge code are displayed.
2. The operator needs to contact an operator who has permission to unblock the token and provide the challenge code to this operator. This second operator should then log onto the vSEC:CMS application console, navigate to Actions - Smart Card Unblock, and click the Search button to find the operator whose token is blocked.
3. This operator should then enter the challenge code in the field provided and click the Cryptogram button to generate the unblock code.
4. This operator then provides the cryptogram to the operator whose token is blocked. The cryptogram should be entered into the Cryptogram field, after which the token PIN (passcode) can be set. Once the PIN is set, the operator can log onto the application console.
Important: There is a one-to-one relationship between the challenge code and the resulting cryptogram, so this process needs to be carried out in one step. It is not possible to send the challenge code and then enter the cryptogram later: that would be a new session with the token, and a new challenge code would be generated.
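The following added example (not vSEC:CMS code) simulates why a cryptogram only works within the session that produced its challenge. The SimulatedToken class, the 8-byte challenge length, and the use of truncated HMAC-SHA256 as the cryptogram function are assumptions made for illustration; the token's actual algorithm is not described on this page.

```python
import hashlib
import hmac
import secrets


def compute_cryptogram(admin_key: bytes, challenge: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 stands in for the token's real algorithm.
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8]


class SimulatedToken:
    """Constructed stand-in for a blocked operator token (hypothetical)."""

    def __init__(self, admin_key: bytes):
        self._admin_key = admin_key
        self._challenge = None
        self.blocked = True

    def new_session(self) -> bytes:
        # Each new session draws a fresh random challenge and forgets the old one.
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def unblock(self, cryptogram: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = compute_cryptogram(self._admin_key, self._challenge)
        self._challenge = None  # a challenge is good for one attempt only
        if hmac.compare_digest(expected, cryptogram):
            self.blocked = False
            return True
        return False


def demo():
    key = secrets.token_bytes(24)  # constructed sample key
    token = SimulatedToken(key)

    # Challenge is read out, but the dialog is closed before the reply arrives.
    stale_cryptogram = compute_cryptogram(key, token.new_session())
    token.new_session()  # reopening the dialog starts a new session
    stale_accepted = token.unblock(stale_cryptogram)

    # Same exchange carried out in one step, within a single session.
    challenge = token.new_session()
    fresh_accepted = token.unblock(compute_cryptogram(key, challenge))
    return stale_accepted, fresh_accepted, token.blocked


if __name__ == "__main__":
    print(demo())
```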
Option 2 - Online Unblock
If the operator who has blocked their operator token is physically present with another operator who has permission to perform an unblock, follow the steps here to perform the unblock.
1. An operator who has permission to unblock the token should log onto the vSEC:CMS application console and navigate to Actions - Smart Card Unblock.
2. Attach the blocked operator token, which will update this page with the details of the token. The operator whose token is blocked should then enter a new PIN, confirm it, and click the Unblock button to complete the unblock operation. Once the PIN is set, the operator can log onto the application console.
Option 3 - Unblock via USS
If the card template used to issue the blocked operator token is configured to support USS operations, it is possible to perform an unblock using the USS application. How the unblock operation is performed in this case depends on what is configured for the USS template.
Unblock System Owner Operator Token
The System Owner operator token is unique to each vSEC:CMS installation. Only one System Owner token will exist per vSEC:CMS installation. If this token is blocked, follow the instructions here to unblock it.
1. When you attempt to log on with a System Owner token that is blocked, an Unblock Operator Token dialog is presented. The operator token serial number and challenge code are displayed.
2. The person using the System Owner token will need to know the administration key for the System Owner token. Click the Get button, which will open a new dialog. Enter the administration key into the field provided and click the calculate cryptogram button. This will automatically generate a cryptogram (unblock code), and a new PIN (passcode) can be set.
Important: The administration key value would have been set and recorded during the initialization of vSEC:CMS on first use. If this key was not securely recorded at that time, it will not be possible to unblock this token.