From version 6.3.3 it is possible to configure vSEC:CMS to change the Global Platform (GP) key for Thales IDPrime MD 930 smart cards during the registration process, replacing it with a GP key that is managed through vSEC:CMS. Typically this configuration would be used with an HSM: the manufacturer GP root key is stored on the HSM and vSEC:CMS diversifies a new, card-specific GP key from it during the registration process.
In this article we will describe how this can be done using a Thales IDPrime MD 930 that supports changing the GP key, together with a Thales Luna T-Series HSM.
You need to use the 64-bit version of vSEC:CMS to use the functionality described in this article.
The following components should be installed on the vSEC:CMS server:
- Latest version of Safenet minidriver;
- Functional Thales Luna T-Series HSM client with PKCS#11 support.
A number of configuration steps need to be carried out before you can use this functionality.
Step 1 - Enable Functionality
As this feature will not commonly be used, it is disabled by default and must be enabled first. From the File - Program Settings menu enable this feature as shown below and click Ok.
Step 2 - Configure Connection to HSM
Navigate to Options - Connections and click Add.
Select Hardware Security Module (HSM). Enter a template name and from the drop-down list select SafeNet T-Series. The PKCS11 DLL name and URL should populate automatically. Select the slot you wish to use and enter its PIN. Click Check connection to ensure that communication with the HSM is working, then click Save to save and close.
Step 3 - Configure Smart Card Configuration
Navigate to Options - Smart Cards and select the entry IDPrime MD and delete the entry.
Attach an IDPrime MD 930 card, click Add, and then click Add again. Select the reader into which you have inserted the 930 card and click Get.
Depending on the speed of your environment it may take some time to read the card details and populate the ATR and Mask fields.
Click Ok to save and close.
You should then see something similar to the screenshot below. Click Save to save and close.
Step 4 - Configure GP Settings
Navigate to Options - Smart Cards and select the entry IDPrime MD and click the Edit button. Click the SM Key(s) button. Click the HSM button.
In this dialog we configure the GP key that will be used from the HSM. This is the GP value vSEC:CMS expects to find on the card when it is registered. Additionally, this same GP key value will be written back to the card when the card is unregistered from vSEC:CMS. From the HSM Connection drop-down field select your HSM. Enable Use key stored in HSM and, assuming the key is already available in your HSM, select the correct key from the Key drop-down field. Additional information about the key is shown in the window below the field. Click Ok to save and close.
Enable the Take ownership when managing the smart card checkbox and select the Diversified key option. This configures vSEC:CMS to generate a new GP key that replaces the existing one when a card is registered with vSEC:CMS. Click Ok to save and close.
Step 5 - Create Template
The next step will be to configure a card template to be used when registering and issuing a card. We will keep the configuration very basic in this article.
Navigate to Templates - Card Templates and click the Add button.
Click the Edit link in General.
Enter a template name and click the Detect button. With a card that is to be managed attached, make sure to select the correct card reader. You should see something similar to the screenshot below. Click Ok to continue.
Leave all other settings as is and click Ok to close the configuration.
Click the Edit link in Issue Card.
Click the Manage button in the User ID Options section. Click Add. Enter a template name and in the drop-down field select String. Enter 6 for the Length of generated ID string and click Save.
Enable Assign user ID and select the string template from the drop-down field. Leave all other settings as is and click Ok to save and close.
Click Ok to save and close the template.
Register and Issue
You should now be able to register and issue the card. During this flow the default GP key is replaced with a new value diversified from the key held in the HSM. At the end of issuance the card is issued and managed by vSEC:CMS.
From the Lifecycle page attach a card and click the Issued oval and Execute. Follow the on-screen prompts to complete the registration and issuance.
You can verify that the GP key is now managed by vSEC:CMS. Navigate to Repository - Smart Cards and select the card that you just issued. Click the Details button and you should see something similar to the screenshot below.
If you later Revoke - Retire - Unregister a card from the Lifecycle dialog, the GP key is set back to the value configured in Step 4.
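The following is an added model, not vSEC:CMS code, of the key lifecycle described in Step 4 and in the register/unregister flow above: the HSM holds the manufacturer GP root key, registration only succeeds if the card still carries that expected value and then replaces it with a per-card diversified key, and unregistering restores the configured value. The HMAC-SHA256 derivation, the key label, the serials and the root key are all constructed assumptions, since the page does not document the diversification function vSEC:CMS uses.

```python
import hashlib
import hmac

class LunaHsmStub:
    # Constructed stand-in for the HSM slot from Step 2: holds the manufacturer
    # GP root key under the label picked in Step 4 and derives per-card keys
    # itself, so the root value never leaves the "HSM".
    def __init__(self, label, gp_root_key):
        self._keys = {label: gp_root_key}

    def matches_root(self, label, candidate):
        return hmac.compare_digest(self._keys[label], candidate)

    def diversify(self, label, card_serial):
        # Assumed scheme (vSEC:CMS's own is not documented on this page):
        # HMAC-SHA256(root, serial) truncated to a 16-byte AES-128 GP key.
        mac = hmac.new(self._keys[label], b"GP-diversify|" + card_serial, hashlib.sha256)
        return mac.digest()[:16]

    def root_for_restore(self, label):
        # Unregister writes the configured value back to the card; in the real
        # flow this happens inside the secure channel rather than as an export.
        return self._keys[label]

class Card:
    # Minimal model of an IDPrime MD 930: a serial and its current GP key.
    def __init__(self, serial, gp_key):
        self.serial, self.gp_key = serial, gp_key

def register_card(hsm, label, card):
    # Registration with "Take ownership" + "Diversified key" (Step 4): the card
    # must present the expected root value, which is then replaced per card.
    if not hsm.matches_root(label, card.gp_key):
        raise PermissionError("card GP key is not the expected HSM-held value")
    card.gp_key = hsm.diversify(label, card.serial)
    return card.gp_key

def unregister_card(hsm, label, card):
    # Revoke - Retire - Unregister: only a card carrying its diversified key is
    # accepted, and its GP key is set back to the Step 4 value.
    if not hmac.compare_digest(card.gp_key, hsm.diversify(label, card.serial)):
        raise PermissionError("card does not carry its diversified key")
    card.gp_key = hsm.root_for_restore(label)
    return card.gp_key

# Constructed sample values; real keys live only in the HSM.
ROOT_KEY = bytes.fromhex("404142434445464748494a4b4c4d4e4f")
HSM = LunaHsmStub("idprime-gp-root", ROOT_KEY)
```

Two cards registered against the same root key end up with different GP keys, and a card presenting a value other than the configured root is rejected at registration.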