Before beginning this article, it is necessary that you have successfully completed the article Install and Configure vSEC:CMS on First Use.
Biometrics (BIO) is the means by identifying an individual from their unique fingerprint. The BIO must be verified before you can perform security tasks with the smart card, such as smart card logon to a workstation, or creating a digital signature.
It is possible to manage the lifecycle of smart cards that have a BIO applet available on the smart card using the vSEC:CMS. Follow the instructions in this article to configure the support for the management of such smart card tokens.
Important: Currently, the management of the Morpho ypsID S3 BIO smart card is supported.
Important: It will be necessary to have the Sagem ypsID S3 and Idemia ypsID S3 Bio drivers installed on hosts where you will manage the smart cards from.
Step 1 – Configure Smart Card Type
Navigate to Options – Smart Cards page. Attach the smart card that is to be managed and wait a few moments for the system to read the smart card and filter for it.
If the smart card is already in the list of support smart card configurations you will see the smart card filtered for this type and it will be shown as selected. You can then jump to the next step.
If the smart card is not auto selected then click the Add button. Enter a template name and click the Add button. With the smart card attached click the Get button to allow the system to auto detect the ATR and Mask and click Ok. In Administration Key section select DES-EDE2(16) for the Key type and enter a value of 4B454E434558544155544841444D494E for key on card before and after registration. For Smart Card Access select Use native access if possible and click Save to save and close.
Step 2 – Configure BIO Policy
Navigate to Templates – BIO Policies and click the Add button. Enter a template name and for Card type select the ypsID S3 card.
The User Verification Method (UVM) configures the method that the user can authenticate to the smart card to perform security tasks such as Window smart card logon, for example. The available methods are:
PIN only: select this method if it is required that the user should only be allowed to authenticate to the card by providing the card PIN.
Fingerprint only: select this method if it is required that the user should only be allowed to authenticate to the card by providing their fingerprint.
Fingerprint or PIN: select this method if it is required that the user should authenticate to the card by providing their PIN or their fingerprint.
Fingerprint and PIN: select this method if it is required that the user should authenticate to the card by providing their PIN and their fingerprint.
Enter the allowed number of times that a fingerprint can be presented before the card is blocked into the Number of false fingerprint verifications before block field.
Enter the required minimum number of fingerprints that can be enrolled onto the card into the Min. required number of fingerprints field.
Enter the maximum number of fingerprint templates allowed to be enrolled onto the card into the Max. number of fingerprint templates field.
From the Allowed Fingers window, it is possible to select/deselect which finger the user can use when enrolling their fingerprint.
Step 3 – Configure Card Template
1. From Templates – Card Templates click the Add
2. Click the Edit link for General.
3. Enter a template name and attach the smart card token that is to be issued and click the Detect button to allow the vSEC:CMS to detect the smart card token type that is to be used for this card template. Click Ok to close the dialog.
4. Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.
5. Click the Edit link for Issue Card.
6. From User ID Options section enable Assign User ID and select the AD connection already configured.
7. From BIO Options enable the Apply BIO Policy checkbox and select the BIO policy already created in the previous step from the drop-down list.
8. From Enroll Certificate Options section enable Enroll certificate(s) and click the Add Select the CA connection already configured from the Certificate Authority drop down list and select the smart card logon certificate template (we will use a smart card logon certificate template in this example) as configured on your CA from the Certificate template list and click Ok to save and close the dialog.
9. Allow all other defaults for the Issue Card dialog and click Ok to save and close.
10. Click the Edit link for Initiate Card and enable the Enroll fingerprints
11. Click Ok to save and close the card template configuration.
Important: It is important that the Windows smart card logon certificate template on the CA is configured to require an authorized signature. From the Issuance Requirements tab for the certificate template properties on the CA make sure to enable This number of authorized signatures and set a value of 1 and for Application policy drop down list select the Certificate Request Agent option.
Step 4 – Issue the Smart Card Token
We can now issue the smart card token.
If you wish to centrally issue the smart card token you can do this by navigating to the Lifecycle page and issuing the smart card token like you would any other smart card token.
Alternatively, if you wish to issue the smart card token via a self-service mechanism you can do this using the vSEC:CMS USS application. Again, this would be same procedure as issuing any token via self-service. If you do plan to use self-service then you need to configure this support in the card template.
In either case, whether issuing centrally or via self-service, when attempting to initiate the smart card the user will be prompted to enroll their fingerprint.