Install Credentials for the First Operator on the Workstation
Credentials are the PKI key pair and digital certificate that the first operator uses to connect to ActivID CMS. Authentication uses Transport Layer Security (TLS) 1.2 with mutual authentication: the server presents its certificate to the client, and the client presents the operator's certificate to the server. If you chose to have the system automatically generate the certificates for your SSL/TLS connection, follow the steps below to install the client credentials for the first operator on the workstation.
- The default folder containing the credentials is %PROGRAMDATA%\HID Global\Credential Management System\Local Files\Certificates.
- The client.pfx and server.pfx files are protected by the password hidglobal. Because this default password is published, the NTFS permissions on the folder, not the password, are what protect these files: restrict access to the folder and do not copy the files to shared or unencrypted locations.
- Copy the certificates to your workstation (see Required Certificates).
- Import the CA root certificate and the client.pfx file into your browser. (The Certificate Authority (CA) issues and manages security credentials and public keys for message encryption in a network environment.) For more information, refer to Managing Operators.
Important: The URLs for the Operator Portal and User Portal must both be added as Trusted Sites in the user's browser.
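The four steps above can be done from an elevated-or-not PowerShell prompt on the workstation. The script below is an added example, not part of the ActivID CMS documentation or product: it imports the CA root and client.pfx into the current user's certificate stores with the documented default password, checks that the imported certificate is actually usable as a TLS client certificate, and registers both portal hosts as Trusted Sites through the zone-map registry keys that Internet Options writes. The CA root file name (ca.cer), the host name cms.example.com and the two port numbers are assumptions; the documentation does not name them.

```powershell
# Added example, not taken from the ActivID CMS documentation: installs the first
# operator's workstation credentials and registers both portals as Trusted Sites.
# ASSUMPTIONS: the CA root certificate file is named ca.cer (the documentation does
# not name it), cms.example.com and the two port numbers are placeholders, and the
# browser honours the Internet Options zone map (Internet Explorer / Edge IE mode).

$CredDir    = Join-Path $env:ProgramData 'HID Global\Credential Management System\Local Files\Certificates'
$ClientPfx  = Join-Path $CredDir 'client.pfx'     # named in the documentation
$CaRootCer  = Join-Path $CredDir 'ca.cer'         # ASSUMED file name
$PfxPwd     = ConvertTo-SecureString 'hidglobal' -AsPlainText -Force   # documented default password
$PortalUrls = @('https://cms.example.com:8443', 'https://cms.example.com:443')  # ASSUMED Operator / User Portal URLs

# 1. Trust the CA that issued the client and server certificates (current user only).
Import-Certificate -FilePath $CaRootCer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 2. Import the operator's key and certificate into the current user's Personal store.
#    Without -Exportable the private key is stored non-exportable, so it cannot be
#    pulled back out of the store as a new .pfx later.
$client = Import-PfxCertificate -FilePath $ClientPfx -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPwd

# 3. Confirm the certificate can serve as a TLS client certificate: private key
#    present, Client Authentication EKU (1.3.6.1.5.5.7.3.2), and a chain that builds
#    to the root just imported. Revocation checking is off because an auto-generated
#    CMS CA publishes no CRL.
$eku = $client.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasClientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($client)
if (-not ($client.HasPrivateKey -and $hasClientAuth -and $chainOk)) {
    throw "client.pfx is not usable for TLS client authentication: key=$($client.HasPrivateKey) eku=$hasClientAuth chain=$chainOk"
}

# 4. Put the Operator Portal and User Portal hosts into the Trusted Sites zone (zone 2)
#    via the ZoneMap\Domains keys behind Internet Options. The GUI writes the domain
#    as a key and the host label as a subkey; a single key named for the full host is
#    the usual scripted form. IP-address URLs go under ZoneMap\Ranges instead.
foreach ($url in $PortalUrls) {
    $u   = [Uri]$url
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$($u.Host)"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $u.Scheme -PropertyType DWord -Value 2 -Force | Out-Null
}

Write-Host "Installed $($client.Subject) (thumbprint $($client.Thumbprint)) and registered Trusted Sites."
```

Windows shows a confirmation dialog when a root certificate is added to the current user's Root store; to install it silently for every user instead, run from an elevated prompt and use Cert:\LocalMachine\Root. Keep the thumbprint the script prints: it is what you will use to remove the workstation copy of the credentials once the operator's device has been issued.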
To connect to ActivID CMS from a workstation, do the following:
- Install credentials for the first operator on the workstation.
- Have a device available for issuance.
- Issue a device to the first operator that contains the operator's PKI credentials (keys and certificate) used for the TLS connection to the ActivID CMS Operator Portal. The operator then uses the credentials stored on the device instead of the credentials stored on the workstation, which increases the level of security: the credentials stay on the device and using them requires the device PIN.
For detailed procedures about issuing a device, refer to Issuing Devices.
To issue a device to the first operator:
1. Connect to ActivID CMS as the first operator using the credentials stored on the workstation.
2. Declare a CA and a directory.
3. Create a user group containing the first operator.
4. Create a device policy containing at least one PKI application. The credentials stored in this application must be usable for authentication to ActivID CMS (that is, usable as a client certificate for TLS).
5. Assign the device policy to the user group created in step 3.
6. Issue the device to the first operator using the local issuance process. (Write down the device PIN. It is required for authenticating to the ActivID CMS Operator Portal.)
7. Enroll the first operator. Assign the Administrator role (full access rights) to the operator.
Once you have issued a device to the first operator, it is recommended to remove the first operator's credentials (the client.pfx file and the certificate imported from it) from the ActivID CMS workstation, so that the device becomes the only way to authenticate as that operator. Follow the instructions provided in the browser documentation for removing installed certificates.
If the operator has not been enrolled correctly, you are automatically redirected to the User Portal. In this case, register the first operator's credentials on the workstation again, connect to the ActivID CMS Operator Portal, and then enroll the first operator.
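On Windows the browser's certificate list is the current user's Personal store, so the removal can also be scripted. The following is an added example, not part of the ActivID CMS documentation: it deletes the workstation certificate together with its private key, deletes the copied client.pfx, verifies both are gone, and lists any other client-authentication certificates that remain so an administrator can judge whether they belong there. The thumbprint and the location of the copied .pfx are assumptions; take the thumbprint from the Personal store (or from the output of whatever imported the certificate).

```powershell
# Added example, not taken from the ActivID CMS documentation: removes the
# workstation copy of the first operator's credentials once the operator's device
# has been issued, so the smart card becomes the only way to reach the Operator Portal.
# ASSUMPTIONS: the certificate was imported from client.pfx into Cert:\CurrentUser\My
# and is identified by its thumbprint (placeholder below); the copied client.pfx
# sits in the current user's profile folder.

$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # ASSUMED: read it from the Personal store
$CopiedPfx  = Join-Path $env:USERPROFILE 'client.pfx'      # ASSUMED copy location

# Run this before inserting the operator's device: certificates propagated from a
# smart card also appear in Cert:\CurrentUser\My, and a broad match with -DeleteKey
# would try to delete that key too. Selecting by thumbprint limits the deletion to
# the workstation certificate.
$certPath = "Cert:\CurrentUser\My\$Thumbprint"
if (Test-Path $certPath) {
    # -DeleteKey removes the private key container as well as the certificate entry.
    Remove-Item -Path $certPath -DeleteKey
}

# Delete the .pfx copy: with the documented default password it is only as safe as
# the file's ACL, so it must not stay on the workstation.
if (Test-Path $CopiedPfx) {
    Remove-Item -Path $CopiedPfx -Force
}

# Verify nothing is left behind.
if ((Test-Path $certPath) -or (Test-Path $CopiedPfx)) {
    throw 'Workstation copy of the first operator credentials is still present.'
}

# Show any remaining certificates with a private key and the Client Authentication
# EKU (1.3.6.1.5.5.7.3.2); each of these could still authenticate a TLS client.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-Table -AutoSize

Write-Host 'Workstation copy of the first operator credentials removed.'
```

If the CA root was installed only so that the workstation could trust the CMS server certificate, leave it in place; it is the client certificate and its key that let someone act as the first operator, not the root.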
Check that the device you issued to the first operator (see Issue a Device to the First Operator) is working correctly:
- Insert the operator's device into the smart card reader (where applicable) on the client workstation.
- Connect to ActivID CMS using the URL and designated operator port.
- Ask the operator to enter their device PIN.
The system then authenticates the operator with the certificate stored on the device. If the operator has been enrolled correctly, they can access ActivID CMS as an administrator (full rights).
For information about advanced configurations, see Advanced Configuration.