vSEC:CMS S-series User Licence (Server version)

vSEC:CMS S-Series Version 5.9 is now available.

Enhancements found in vSEC:CMS S5.9 include the following:

• Update CA/PKI connections to: digicert ONE, Entrust: CA and neXus
• New smart card printers supported from both Fargo and Datacard
• Extended PIV credential management functionality
• Closer integrations with prioritized Thales Digital Identity & Security products
• Extended Yubico YubiKey functions
• Major updates to the vSEC:CMS Operator Console in regards to UX (new graphics). performance (faster communication), convenience (SSO logon) and
• supportability (unique dialog identifiers)
• Brand new upgrade procedure: Updating to the latest version of vSEC:CMS now requires a Maintenance Code 
• New Microsoft AD-GlobalCatalog (GC) search functionality
• First Beta version of vSEC:CMS User Self-Service for Apple macOS

------------------------------------------------------------ 

vSEC:CMS S5.7 adds support for the following:

• WHfB (Windows Hello for Business) containers managed like any other Physical or Virtual Smart Card
• OpenID Connect (OIDC) for secondary/recovery IdP authentication
• Thales/Gemalto Data Protection on Demand (DPoD) 64-bit integration
• Extended support of CryptoVision PKI applet
• Important Thales/Gemalto credential additions: MultiApp V4x, eToken 5110 CC (940), and IDPrime PIV 2.1.
• Optional automatic revocation
• Graphical card layout print testing
• Updated operator user experience (UX)
• Advanced PIN generation options
• Updated list of supported credentials

-----------------------------------------------------------------

vSEC:CMS 5.5 adds support for the following:

• Fingerprint enrollment using Oberthur PIV 8.1 smart cards
• Gemalto IDPrime MD 3940 smart cards
• Gemalto PIV 3.0 smart cards
• Identiv uTrust MD smart cards
• R-END/R-MAC in the GlobalPlatform secure messaging for Oberthur PIV 8.1 (2.4.1-SPE)
• PUC-based challenge/response PIN unblock for all vSEC:CMS supported PIV smart cards

New features within vSEC:CMS include the following:

• Subscription-based licensing
• Ability to export certificate data when performing life cycle / certificate operations.
• Option to server-side import PKCS#12/PFX files for smart card issuance
• HSM protected GlobalPlatform keys for Oberthur PIV 8.1 cards
• Smart card delete function is added to the SOAP API
• New configuration option to set if Operator Console shall do certificate requests to Microsoft CA directly or via vSEC:CMS server (proxy)
• Added functionality to allow for the reconfiguration of MS SQL connection when the local internal database is empty
• Ability to rebuild local cached database from MS SQL
• Versasec-Activator SO Session: Once a System Owner card has been used to authenticate, the System Owner PIN is not asked for again for 10 minutes, enabling
• issuance of multiple operator cards
• A feature has been added to allow manual creation of System Owner cards
• Manual deletion of operator accounts
• The error returned on life cycle card issuance is now configurable
• Ability to store only overview data for RSDM device info

vSEC:CMS Connectors (see figure above)

1. Smart card printer for batch operations
2. User directory for looking up users
3. File and database servers
4. Secure transport of PIN codes
5. Event & log management
6. User photo capture
7. Certificate/PKI services
8. Physical access control systems
9. Hardware security module
10. Secondary/out-of-band communication
11. Key archival & key recovery
12. Credential provider -login screen interface
13. Remote security device management
14. User self-service application
15. Physical & virtual smart cards/tokens
16. Administrative operator console

Smart cards are secure devices that are used for many purposes, with perhaps the most important being as combined identification badges for enterprises.

With all professional smart card use, the cards must be managed across the entirety of the smart card lifecycle.

At the base level, personalization tasks include setting PIN codes, setting policies, loading certificates, provisioning and setting management keys.

At the management level, tasks include unblocking PIN codes, setting new PIN codes, and renewing and issuing new certificates.

Revocation typically ends the smart card lifecycle, but it is also the point when the card can be personalized again.

All of these tasks and many more are handled by the vSEC:CMS smart card management system. 

Lifecycle management

All smart card operations within vSEC:CMS focus on the smart card lifecycle.

We use a state diagram to graphically visualize the lifecycle;

the diagram clearly shows the operator each card, its location in the lifecycle and available actions/processes from this state.

The same diagram is also used by the administrator when configuring the processes.

Credentials are generally user authentication devices such as physical smart cards, vertical smart cards or tokens. The number of supported credential types is continuously increasing with every new product version.

The table below is showing the supported credentials.

NOTE

✔ The credential is supported by the product.

vSEC:CMS Connectors (see figure above)

1. Smart card printer for batch operations
2. User directory for looking up users
3. File and database servers
4. Secure transport of PIN codes
5. Event & log management
6. User photo capture
7. Certificate/PKI services
8. Physical access control systems
9. Hardware security module
10. Secondary/out-of-band communication
11. Key archival & key recovery
12. Credential provider -login screen interface
13. Remote security device management
14. User self-service application
15. Physical & virtual smart cards/tokens
16. Administrative operator console

The vSEC:CMS S-Series is an innovative, easily integrated and cost-effective smart card management system that helps organizations deploy and manage smart cards quickly and efficiently. The vSEC:CMS S-Series is clientserver based.

It streamlines all aspects of smartcard management by easily connecting to enterprise directories, certificate authorities, smart card printers,external databases, physical access control systems,and more.

The S-Series is designed for several operators and users working in parallel without a need for synchronization;

each operator requires access to the operator application and the operator’s operator smart card only.

 Operating Systems:

• Client/Operator/User Self-service:
• MS Windows 7, 8, 10, 2008, 2012, 2016

 Server: 

• MS Windows 2008, 2012, 2016

 Smart Cards:

• Gemalto .NET, .NET BIO, IDPrime PIV & MD
• Raak Technologies C2
• Morpho ypsID S2/S3
• Athena CNS & IDProtect
• Safenet eToken PRO
• ACS ACOS5-64 & Cryptomate64
• Oberthur Authentic, IAS ECC & PIV, PIV 8.1
• Feitian ePass2003 Token
• Avtor CryptoCard337
• HID C200, C1150
• Taglio C2, PIVKey 
• T-Systems TCOS
• Yubico YubiKey PIV
• SafeTrust-PIV on Placard
• Virtual smart cards (MS, vSEC & Charismatics)
• Mifare DESFIRE EV1
• Java Card with Cryptovision eID Applet v2.8
• Java Card with Open FIPS 201 Applet v2.8
• MS Minidriver enabled cards 

 Card Features:

• Printer support for graphical personalization
• PIN mailers (both email and regular mail)
• Contactless RFID interface
• Batch processing
• Card stock management

 Compatibility:

• User directory: MS Active Directory, IBM-LDAP,
  OpenLDAP and LDAP v2/v3
• Card DB: SQL comp or local file
• Certificate Authority: MS CA, Entrust, Symantec
  MPKI, EJBCA, neXus PKI, Opentrust PKI and
  Verizon UniCERT CA, DigiCert CA
• HSM: Gemalto SafeNet Luna, Utimaco HSM and Engage BlackVault
• Card Printers: Fargo HDP5000, Datacard SR300,
  Magicard Prima 4 and Evolis Primacy
• Migration path to and from MS FIM/CLM
• Upgrade path from vSEC:CMS K and T-Series
• Upgrade path from Gemalto IDAdmin 100/DAS vSEC:CMS Plugin API, Scripting, WebStart

 Security Features:

• Secure key storage
• Secure backup and synchronization of databases
• Disaster recovery for stolen/lost tokens
• Encrypted audit log
• Granular access control
• Approval work flows
• Connects logical and physical access control
• Key archival and key restore processes
• Fingerprint template management
• Failover clustering for high availability

Performance:

• The system is tested and is functional with
  300 000 registered user smart cards and 100
  parallel operators interacting with the system
• Load balancing for high scalability