Versasec vSEC:CMS

This document shows how to configure the Futurex KMES Series 3 with vSEC:CMS by using Futurex PKCS #11 libraries. For additional questions about your KMES Series 3 device, see the relevant user guide.

Application description

From the Versasec documentation website: vSEC:CMS S-Series (vSEC:CMS) is an innovative, easily integrated, and cost-effective Credential Management System (CMS) that helps you deploy and manage credentials within your organization.

The vSEC:CMS is fully functional with minidriver-enabled credentials such as smart cards, and it streamlines all aspects of managing credentials by connecting to enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers... the list goes on. With vSEC:CMS, organizations can issue badges to employees, personalize the badges with authentication credentials, and manage the lifecycle of the badges - directly from the off-the-shelf product.

Architecture components

vSEC:CMS is separated into the following main components:

  • vSEC:CMS Service: An MS Windows service that manages the vSEC:CMS database and the accounts of the operators who have access to vSEC:CMS. By default, it is installed to run under the MS Windows SYSTEM account.
  • vSEC:CMS SOAP/gRPC Service: An MS Windows service that communicates with the vSEC:CMS Service and is the SOAP/gRPC service for the vSEC:CMS Agent or vSEC:CMS Admin and the vSEC:CMS User Self-Service Console.
  • vSEC:CMS Agent or vSEC:CMS Admin: Run by each operator in the user's context.
  • vSEC:CMS User: Run on an end user's workstation on which credential users can perform self-service credential operations with conventional smart cards or virtual smart cards.

HSM support in vSEC:CMS

You can use an HSM to store the master keys used when performing administration key operations with the vSEC:CMS, such as registering a smart card token or PIN unblock operations. The vSEC:CMS interfaces with the HSM through the PKCS #11 protocol. You should use the HSM key management tools available from the HSM vendor for all management functions around the master key stored on the HSM.

Integration overview

This guide covers the following tasks:

  1. Install Futurex PKCS #11.
  2. Configure KMES Series 3.
  3. Edit the Futurex PKCS #11 configuration file.
  4. Configure the Futurex PKCS #11 library in vSEC:CMS.
  5. Create an Operator Service Key Store with HSM.

The following sections show you how to perform these tasks.