ActivID CMS Deployment

There are two types of client workstations used for ActivID CMS:

Operator workstations (used to access the ActivID CMS Operator Portal).
Self-service workstations (used to access the ActivID CMS User Portal).

The following figure illustrates an ActivID CMS deployment (Card and Credential Management solution).

ActivID Credential Management System Deployment

An operator is a trusted individual who has the administration rights to perform operation-specific tasks. Each operator has a specific role. For security reasons, a given operator can access only the ActivID CMS functions that are authorized by the role that s/he is assigned. Only an operator with an Active status can access the ActivID CMS Operator Portal.

The following table lists the tasks that operators can perform and provides cross references to the specific sections that describe these tasks.

Tasks that Operators Can Perform
Operators Can...	For More Information
Configure directories, certificate authorities (CAs), and servers (if they have administrative rights)	Configuring Repositories
Create roles	Managing Roles
Create and update device policies	Configuring Device Policies
Create and update group assignments (if they have administrative rights)	Configuring Group Assignments
Perform Help Desk operations	Using the Help Desk
Manage users and user groups	Managing Users
Perform device queries and view device inventories	Querying Devices and Device Inventories
Customize ActivID CMS	Customizing ActivID Credential Management System
Enroll users (print images)	Configuring ActivID CMS for Printing

Requirements for Connecting Card Readers to an Operator Workstation

To connect to ActivID CMS, an operator inserts a smart card into the card reader attached to the workstation. Operators establish a secure connection with mutual authentication to the ActivID CMS Portal using this card, which contains a digital certificate. To establish this type of connection, the following conditions must be met:

The client (browser) ensures that the ActivID CMS Portal is trusted.
The server (in this case, the ActivID CMS Portal) verifies that the client is trusted (using the operator's credentials stored on the card).

There are different requirements for connecting card readers to operator workstations, depending on the operator’s role.

Administering and configuring ActivID CMS requires only one card reader for authentication.
Help Desk requires two card readers (one for authenticating the operator, the other for updating end-user cards).
Card issuance and printing requires one stand-alone card reader (for authenticating the operator) and one embedded card reader (connected to the printer, since all card encoding is done during printing).

Self-Service Workstation (ActivID CMS User Portal)

ActivID CMS User Portal Welcome Page

The ActivID CMS User Portal is a Web-based interface that users can use to access the self-service ActivID CMS functions. Users can log on to the ActivID CMS User Portal from a desktop computer or a dedicated kiosk (also referred to as a “self-service” workstation). The only equipment required for the self-service workstation is a single card reader and the ActivID ActivClient^® middleware (or a PKCS#11 middleware compliant with ActivID CMS).

Note: Starting with ActivID CMS 5.8, the ActivID ActivClient middleware is not required if using a Google Chrome™ or Microsoft Edge browser. For details about the requirements for using these browsers, refer to About Using Google Chrome or Microsoft Edge Browsers

From the ActivID CMS User Portal, users can:

Prepare a smart card for first use.
Personalize a virtual smart card.
Start the issuance of credentials on a mobile device (which completes on the mobile device itself).
Get the latest updates for the device.
Report a device incident (lost, stolen, or damaged).
Unlock a device that has been locked for security reasons.
Change the card's PIN.
Download escrowed certificates.
Change private, user-chosen security questions and answers.

Users who log on to the ActivID CMS User Portal use different authentication methods that depend upon system configuration and the state of the device.

Smart Card PIN: User inserts card into reader and enters a card PIN. The card verifies the PIN. If the PIN is correct, then access is granted. This method requires a digital certificate on the smart card.
LDAP Password: User enters user name and LDAP password. If they match, then access is granted. This method assumes an LDAP password has been set for the user.
Answers to Security Questions: User enters user name and provides answers in response to security questions, such as: “What is your favorite color?” or “What is your lucky number?” Access is granted if the correct answers are provided.
Initial Password: User inserts smart card into the card reader and enters an initial password. The initial password is a static password that is generated by an ActivID CMS operator to enable the user to connect to the ActivID CMS User Portal to self-enroll his/her device. This initial password is not stored on the card, and it can be used only once.
Emergency Password: User inserts smart card into the card reader and enters an emergency password. (The ActivID CMS operator provides an emergency password as an alternative method of authentication to the user portal when the user’s smart card is lost, damaged, locked, or stolen.) This emergency password is not stored on the card, and it can be used only once.

For information on the ActivID CMS User Portal, refer to the HID ActivID Credential Management System User Portal User Guide.