Skip to main content
This document shows how to configure the Futurex KMES Series 3 with vSEC:CMS by using Futurex PKCS #11 libraries. For additional questions about your KMES Series 3 device, see the relevant user guide.

Application description

From the Versasec documentation website (support.versasec.com/): vSEC:CMS is an innovative, easily integrated, and cost-effective Credential Management System (CMS) designed to help you deploy and manage credentials within your organization. vSEC:CMS is fully functional with Minidriver-enabled credentials, such as smart cards, USB tokens, and virtual smart cards, including Windows Hello for Business (WHfB). It streamlines all aspects of credential management by seamlessly connecting to enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers, and more. With vSEC:CMS, your organization can issue credentials to employees, personalize them with authentication details, and manage the entire credential life cycle – all directly from this off-the-shelf product.

Architecture

The vSEC:CMS client-server architecture uses both an RPC framework and SOAP with the following protocols:
  • gRPC with HTTP/2 or HTTP/2 over TLS
  • SOAP with HTTP or HTTPS
However, for simplicity, this guide refers to it as HTTP(S). The following list describes the main components of vSEC:CMS: -vSEC:CMS Service: This Windows service manages the vSEC:CMS database and operator account management for authorized users. It operates as a Windows service, defaulting to run under the SYSTEM account.
  • vSEC:CMS SOAP/gRPC Service: Another Windows service, this component facilitates communication with the vSEC:CMS Service. It serves as the SOAP/gRPC service for the vSEC:CMS Agent, vSEC:CMS Admin, and the vSEC:CMS User Application.
  • vSEC:CMS Agent or vSEC:CMS Admin: Each operator uses either of these components, operating within the user’s context.
  • vSEC:CMS User Application: This component, executed on an end user’s workstation, enables self-service credential operations with both conventional smart cards and virtual smart cards.

HSM support in vSEC:CMS

You can use an HSM to store the master keys used when performing administration key operations with the vSEC:CMS, such as registering a smart card token or PIN unblock operations. The vSEC:CMS interfaces with the HSM through the PKCS #11 protocol. You should use the HSM key management tools available from the HSM vendor for all management functions around the master key stored on the HSM.

Integration overview

This guide covers the following tasks:
  1. Install Futurex PKCS #11.
  2. Configure KMES Series 3.
  3. Edit the Futurex PKCS #11 configuration file.
  4. Configure the Futurex PKCS #11 library in vSEC:CMS.
  5. Create an Operator Service Key Store with HSM.
The following sections show you how to perform these tasks.