Follow the instructions in this article when upgrading to version 22.214.171.124 or later from a version prior to 126.96.36.199 on a system that uses a Microsoft CA (MS CA). The article describes how to configure the Enrollment Agent (EA) credential so that it uses the Windows service account on the server side.
Important: Before following this article you must have completed the update described in the linked article.
Step 1 – Create Windows Account
By default, the vSEC:CMS service runs under the Windows SYSTEM account. A dedicated Windows account must be created for the vSEC:CMS service, and this account should be used for nothing else.
Note: If you already have a system that is configured to run under a dedicated Windows account you can jump to Step 2 below.
The Windows account does not need to be of any special type; an ordinary domain user account is sufficient, but it must be granted the specific permissions described below in the section Configure Windows Permissions.
Important: It is recommended to configure the Windows account password to never expire. If the password is allowed to expire or is changed, the vSEC:CMS service will fail to start until the new password is entered on the service's Log On tab.
Configure vSEC:CMS Service
1. Once the dedicated Windows account has been created, open the Windows Services console (services.msc) and stop the service vSEC:CMS Service.
2. Right-click the service vSEC:CMS Service and select Properties.
3. Go to the Log On tab and select the This account radio button. Manually enter the name of the Windows account created in Step 1.
Important: Enter the account name in the pre-Windows 2000 format, DOMAIN\username. For example, if the account name is cms_service and the domain name is VERSATILESECURI, enter VERSATILESECURI\cms_service. If the account name is not entered in this format the vSEC:CMS service may not start automatically after a server restart.
Configure Windows Permissions
The Windows account must be given Full Control on the dat folder of the vSEC:CMS installation. The dat folder is located in the installation directory, by default C:\Program Files (x86)\Versasec\vSEC_CMS S-Series if the default location was chosen during installation.
1. Right-click the dat folder and select Properties.
2. Go to the Security tab, click Edit and add the dedicated Windows account. Grant it Full Control and click Apply.
3. Additionally, the Windows account needs specific permissions on a registry key. Open the Registry Editor (regedit) and browse to the location below:
Right-click the Service key and select Permissions. Click Add, add the dedicated Windows account and grant it Full Control. Click Apply and close the Registry Editor.
4. Start the vSEC:CMS Service from the Services console. The vSEC:CMS service now runs under the dedicated Windows account.
Important: If the vSEC:CMS does not start and reports that the specified database does not exist, the cause is usually that the Windows account cannot access the dat folder, or cannot write to or execute in it. Make sure the account has read, write and execute access to this folder.
Additionally, check that the registry key below is set to a value of 0:
Important: If the vSEC:CMS is configured to use MS CA, the dedicated Windows account must be permitted to revoke certificates on the CA. In the certsrv console, right-click the CA, select Properties and, on the Security tab, make sure the dedicated Windows account appears in the Group or user names list with at least the Issue and Manage Certificates permission allowed.
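The service reconfiguration and the folder and registry permission changes above, scripted in PowerShell as an added example; this is not part of the article or of the vSEC:CMS product. It assumes the service display name is vSEC:CMS Service and that the default installation path was used. The account password and the registry key are supplied by the operator when the script runs (the key is the one the article names; it is not hard-coded here).

```powershell
# Added example, not part of the article or of the vSEC:CMS product: performs
# the Configure vSEC:CMS Service and Configure Windows Permissions steps.
# Assumptions: the service display name is 'vSEC:CMS Service', the default
# installation path was used, and $ServiceRegKey is the registry key the article
# names (passed in by the operator, not hard-coded here).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$Account,        # pre-Windows 2000 format, e.g. VERSATILESECURI\cms_service
    [Parameter(Mandatory)][string]$ServiceRegKey,  # 'HKLM:\...' path of the key named in the article
    [string]$DatFolder   = 'C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\dat',
    [string]$DisplayName = 'vSEC:CMS Service'
)
$ErrorActionPreference = 'Stop'

# The article's warning about the account format: DOMAIN\user only, no UPN.
if ($Account -notmatch '^[^\\@]+\\[^\\@]+$') {
    throw "Account '$Account' is not in DOMAIN\user format; the service may not auto-start after a reboot."
}
$cred = Get-Credential -UserName $Account -Message 'Password of the dedicated service account'

$svc = Get-Service -DisplayName $DisplayName
Stop-Service -Name $svc.Name -Force

# Log On tab equivalent: change the account the service runs under.
$wmiSvc = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
$rc = (Invoke-CimMethod -InputObject $wmiSvc -MethodName Change -Arguments @{
          StartName     = $Account
          StartPassword = $cred.GetNetworkCredential().Password
      }).ReturnValue
if ($rc -ne 0) { throw "Win32_Service.Change failed with return code $rc" }

# Full Control on the dat folder, inherited by existing and future subfolders and files.
icacls "$DatFolder" /grant "$($Account):(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $DatFolder" }

# Full Control on the service's registry key, inherited by its subkeys.
$acl  = Get-Acl -Path $ServiceRegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ServiceRegKey -AclObject $acl

# Verify the folder ACE really is Full Control for the account before starting;
# the "database specified does not exist" error is usually this permission.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$hasFull = (Get-Acl -Path $DatFolder).Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl)
}
if (-not $hasFull) { throw "$Account does not have Full Control on $DatFolder" }

Start-Service -Name $svc.Name
Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'" |
    Select-Object Name, StartName, State, StartMode
```

Run it elevated on the vSEC:CMS server. One difference from the Log On tab matters: the Services snap-in grants the account the Log on as a service right when you save the tab, whereas Win32_Service.Change (like sc.exe config) does not grant it for you, so assign that right through Local Security Policy or Group Policy first or the service fails to start with a logon failure. Setting the password to never expire, as the article recommends, is an account-side change made separately (for example Set-ADUser cms_service -PasswordNeverExpires $true).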
Additional Important Information
1. From the Operator console, when issuing or re-issuing smart cards with certificates from the Lifecycle or Actions – Certificate(s)/keys page, the vSEC:CMS uses the currently logged-on Windows user if the CA connection is configured to Use from domain. That user therefore needs Enroll permission on the CA certificate template. Otherwise the vSEC:CMS uses the credentials configured for the CA connection when the Select CA dialog was opened from the CA connector.
2. From the Operator console, when a smart card is revoked the vSEC:CMS uses the currently logged-on Windows user if the CA connection is configured to Use from domain. That user therefore needs the Issue and Manage Certificates permission on the CA, which is configured in the certsrv console on the CA. Otherwise the vSEC:CMS uses the credentials configured for the CA connection when the Select CA dialog was opened from the CA connector.
Step 2 – Configure EA Server Side
An EA certificate must be available for any operator who will issue certificates on behalf of other users. Because this is the first time EA server side is being set up, an EA certificate must be requested.
RDP directly to the vSEC:CMS server, open the Operator console and log on with the System Owner operator token.
Important: It will only be possible to do this task with the System Owner operator token.
Navigate to Options – Connections, select the CA to be configured and click Edit. In the Enrollment Agent section enable Sign server side. This automatically greys out the Proxy through server setting, because all Operator console certificate issuances are then proxied through the server.
If the system is already set up for self-service, an EA certificate is available for selection in the drop-down box; select it. Otherwise the Request button is enabled; click it to start the issuance. If more than one EA certificate template is configured on the CA, a dialog is presented from which the EA certificate template to use should be selected. An EA certificate is then issued to the local certificate store of the Windows account that the vSEC:CMS runs under.
Important: The EA certificate template on the CA that is used here must have the This number of authorized signatures checkbox cleared on the Issuance Requirements tab of the template. Additionally, the Windows account that the vSEC:CMS runs under must have the Enroll permission set to Allow on the Security tab of the certificate template on the CA.
Click the Save button to complete the configuration change.
Important: Once this change is made, an EA certificate is no longer required on the operator token. Operator tokens that do have an EA certificate on them will no longer use it.
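A pre-flight check of the two template requirements in Step 2 (authorized signatures cleared, Enroll allowed for the service account), written in PowerShell as an added example; it is not part of the article or of the vSEC:CMS product. It reads the template from the Active Directory configuration partition rather than from the certsrv console. It assumes the template is named EnrollmentAgent (the built-in EA template; substitute your own), that the host is domain-joined, and that Enroll is granted to the account itself or to a group it is a direct member of; nested group membership is not resolved.

```powershell
# Added example, not part of the article or of the vSEC:CMS product: checks the
# EA certificate template before clicking Request in Options - Connections.
# Verifies the two conditions the article states: "This number of authorized
# signatures" is cleared (stored as msPKI-RA-Signature = 0) and Enroll is allowed
# for the account the vSEC:CMS service runs under.
# Assumptions: template name 'EnrollmentAgent' (substitute your own), domain-joined
# host, Enroll granted to the account or a direct group membership (no nesting).
param(
    [string]$TemplateName = 'EnrollmentAgent',
    [string]$Account      = 'VERSATILESECURI\cms_service'
)
$ErrorActionPreference = 'Stop'

# rightsGuid of the Certificate-Enrollment control access right in the AD schema.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
# Implicit memberships that memberOf does not list; also the ones that must NOT
# carry Enroll on an EA template.
$broadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
try { $null = $tpl.distinguishedName.Value } catch { throw "Template '$TemplateName' not found in AD" }

# Issuance Requirements tab: checkbox cleared is stored as 0 required signatures.
$raSignatures = [int]$tpl.'msPKI-RA-Signature'.Value

# Names that can carry the Enroll grant: the account, its direct groups, implicit groups.
$sam  = $Account.Split('\')[-1]
$user = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$sam))").FindOne()
if (-not $user) { throw "Account '$Account' not found in AD" }
$names = @($sam) +
         @($user.Properties['memberof'] | ForEach-Object { ([ADSI]"LDAP://$_").sAMAccountName.Value }) +
         $broadGroups

$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollAces = @($tpl.ObjectSecurity.Access | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    ($names -contains $_.IdentityReference.Value.Split('\')[-1]) -and
    (
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
        ((($_.ActiveDirectoryRights -band $extRight) -ne 0) -and
         ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty))
    )
})
$grantedBy = @($enrollAces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

[pscustomobject]@{
    Template                = $TemplateName
    AuthorizedSignatures    = $raSignatures
    SignaturesCheckboxOff   = ($raSignatures -eq 0)
    ServiceAccountCanEnroll = ($enrollAces.Count -gt 0)
    EnrollGrantedVia        = ($grantedBy -join ', ')
}
if ($raSignatures -ne 0) {
    Write-Warning "Clear 'This number of authorized signatures' on $TemplateName; the article requires it cleared."
}
if ($enrollAces.Count -eq 0) {
    Write-Warning "Grant Enroll on $TemplateName to $Account on the template's Security tab."
}
$broad = @($grantedBy | Where-Object { $broadGroups -contains $_.Split('\')[-1] })
if ($broad.Count -gt 0) {
    Write-Warning "Enroll on the EA template is granted to $($broad -join ', '): any member could obtain an EA certificate and request certificates on behalf of other users. Restrict it to the service account."
}
```

The last warning is the check worth keeping: an Enrollment Agent certificate lets its holder request certificates on behalf of other users, so the service account should be the only principal with Enroll on this template. The CA-level Issue and Manage Certificates permission from Step 1 is not covered here; confirm it on the CA's Security tab in certsrv.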