Security Modes
The PKI renewal software can be configured to start in either of two modes: attended or unattended. The PKI renewal software enables the ActivID CMS operator client certificate to be stored either as a pfx file, or in a hardware security module (HSM). The following table lists the supported configurations in this ActivID CMS release.
ACR Mode | Operator Client Certificate Storage | PFX File Password | Hardware Security Module (HSM) PIN | User Database Password
---|---|---|---|---
Unattended | PFX file | XML configuration file | N/A | XML configuration file
Unattended | HSM | N/A | XML configuration file | XML configuration file
Attended | HSM | N/A | Prompted | Prompted
The attended mode is compatible only with the manual renewal process and is intended for an HSM-based configuration (operator client certificates stored in the HSM).
When running the manual renewal process in attended mode, the operator is prompted for the following information in the Enter Secure Credentials window:
- Database user password
- HSM Personal Identification Number (PIN)
In the unattended mode, the credentials stored in the XML configuration file are obfuscated.
Configure the security mode by editing the securityMode attribute of the common element, as shown in the following example:
<?xml version="1.0" encoding="UTF-8"?>
<common securityMode="unattended">
Modify the security mode by editing the common.xml file as follows:
- Locate and open the common.xml file (typically in the conf folder).
- Locate the XML root element common.
- Modify the securityMode= attribute to match the desired security mode:
  - "unattended" for the unattended mode
  - "attended" for the attended mode
If unattended mode is selected, you also need to perform the secret key configuration as follows:
- Locate the secret key configuration section:
<secret filename="./conf/secrets.jks" encryptedPassword="password" attended="false"/>
- Replace "password" with a password of your own choosing, entered in clear text. Refer to Password Encryption for more information on how this password is subsequently encrypted.
Important: Before executing the check.bat file, you should perform all the configuration steps in PKI Renewal Software Configuration.
- Save and close the common.xml file to save your configuration changes.
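The following script is an added example, not part of the ActivID CMS product or its documentation. It parses a common.xml file and reports the configuration mistakes a reviewer would look for before the unattended renewal is scheduled: an unknown securityMode value, a missing secret element, the placeholder "password" left in encryptedPassword, and (an assumption, based on the sample above pairing securityMode="unattended" with attended="false") a secret element whose attended attribute contradicts the mode. The element and attribute names come from the snippets above; the location of the secret element inside common.xml and the sample file contents are constructed.

```python
"""Consistency checks for the securityMode and secret-key settings of an
ActivID CMS common.xml file.  Added example: the rules below are assumptions
drawn from the documentation table and snippets, not a product feature."""
import sys
import xml.etree.ElementTree as ET

VALID_MODES = {"attended", "unattended"}
# Value shipped in the sample <secret> element; it must be replaced by the operator.
PLACEHOLDER_PASSWORD = "password"


def check_common_xml(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the file looks consistent."""
    findings: list[str] = []
    # Encode to bytes so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))

    if root.tag != "common":
        findings.append(f"root element is <{root.tag}>, expected <common>")
        return findings

    mode = root.get("securityMode")
    if mode not in VALID_MODES:
        findings.append(f"securityMode={mode!r} is not one of {sorted(VALID_MODES)}")
        return findings

    # Assumption: the <secret> element lives somewhere under <common>.
    secret = root.find(".//secret")
    if mode == "unattended":
        if secret is None:
            findings.append("unattended mode requires a <secret> element")
            return findings
        if secret.get("encryptedPassword") == PLACEHOLDER_PASSWORD:
            findings.append("encryptedPassword still holds the placeholder value 'password'")
        if not secret.get("filename"):
            findings.append("<secret> element has no filename attribute")
        if secret.get("attended", "false").lower() != "false":
            findings.append('<secret> attended attribute should be "false" in unattended mode (assumed rule)')
    return findings


# Constructed sample files used for the demonstration below.
GOOD_UNATTENDED = """<?xml version="1.0" encoding="UTF-8"?>
<common securityMode="unattended">
  <secret filename="./conf/secrets.jks" encryptedPassword="OPERATOR-CHOSEN-VALUE" attended="false"/>
</common>
"""

PLACEHOLDER_LEFT = """<?xml version="1.0" encoding="UTF-8"?>
<common securityMode="unattended">
  <secret filename="./conf/secrets.jks" encryptedPassword="password" attended="false"/>
</common>
"""

BAD_MODE = """<?xml version="1.0" encoding="UTF-8"?>
<common securityMode="automatic"/>
"""


def main() -> None:
    for label, text in (("good", GOOD_UNATTENDED), ("placeholder", PLACEHOLDER_LEFT), ("bad-mode", BAD_MODE)):
        print(label, check_common_xml(text) or ["OK"])
    # Optionally check a real file passed on the command line.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(sys.argv[1], check_common_xml(fh.read()) or ["OK"])


if __name__ == "__main__":
    main()
```

Run it with the path to a common.xml file as the only argument; it prints the findings for the constructed samples first and then for the file. Because the encrypted form of the password is not described on this page, the script only detects the untouched placeholder, not a clear-text value that was never run through Password Encryption.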