Credential Provider Context Configuration
A Credential Provider Context is an instance of a Credential Provider that creates and manages particular kinds of credentials for a particular credential source. The ConfigurationTemplate specifies the information the Credential Provider needs from the operator in order to generate a particular Credential Provider Context.
ActivID CMS retrieves a ConfigurationTemplate for each Credential Provider Context to be instantiated. ActivID CMS passes configuration data it obtains from the operator in the form of a Configuration to the Credential Provider for purposes of initialization during the following system lifecycle stages:
- At ActivID CMS startup (for pre-existing Credential Provider Contexts)
- When a new Credential Provider is introduced into a running ActivID CMS system
Once initialized, each Credential Provider Context is ready to serve as a Credential Provider for a specific Credential source; for example, a Certificate Authority (CA). A Credential Provider Context has a pre-defined set of capabilities. These capabilities make it possible to specify to ActivID CMS those functionalities that are supported for credentials managed by the Credential Provider. Capabilities may include the following:
- Which lifecycle management processes are supported for the credentials produced by this Credential Provider (for PKI, the capabilities that can be specified are):
  - Suspend
  - Resume
  - Revoke
- Whether the Credential Provider supports batch operations (that is, whether it can manage or issue multiple credentials at the same time). A Credential Provider specifies individually which, if any, batch operations it supports; these may include:
  - Batch creation support
  - Batch deletion support
  - Batch credential lifecycle processes
  - Batch update support
- Whether the Credential Provider supports import of credentials from a source external to the credential source.
- Ability to support certain credential management update actions:
  - recover
  - pki.renew
  - pki.rekey
A Credential Provider Context may also require the ActivID CMS Infrastructure to support certain services, such as particular External Operations.
A credential update action differs from a credential lifecycle process in the following way: a credential update call to the Credential Provider triggers a modification of the content of the security module for which the Credential is intended.
For example, in the PKI case, a pki.rekey update action triggers the update of a corresponding security module (the new key and corresponding certificate are injected into the security module).
On the other hand, a credential lifecycle process such as revoke only notifies the CA that the corresponding certificate has been revoked. Nothing changes with respect to the certificate contained in the corresponding security module.
In other words, the key difference is that a credential update action modifies the value of the Credential (for example, a new key or certificate) on the security module while a credential lifecycle process just modifies the lifecycle state of the Credential.
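The following model, added here as an illustration and not code from ActivID CMS or its Credential Provider SDK, shows the two concepts above working together: a hypothetical PKI Credential Provider Context declares its ConfigurationTemplate keys and capabilities, ActivID CMS (simulated by the caller) is refused any operation the context never declared, a lifecycle process such as revoke changes only the credential's state and notifies a simulated CA, and an update action such as pki.rekey rewrites the key and certificate held in a simulated security module. All class names, template keys (`ca_url`, `certificate_profile`) and sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class LifecycleState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"


class CapabilityError(Exception):
    """CMS requested an operation the context never declared as a capability."""


class ConfigurationError(Exception):
    """The operator-supplied Configuration lacks keys named in the ConfigurationTemplate."""


@dataclass
class Capabilities:
    lifecycle: frozenset        # subset of {"suspend", "resume", "revoke"}
    update_actions: frozenset   # subset of {"recover", "pki.renew", "pki.rekey"}
    batch: frozenset = frozenset()  # subset of {"create", "delete", "lifecycle", "update"}


@dataclass
class Credential:
    credential_id: str
    key_version: int
    cert_serial: int
    state: LifecycleState = LifecycleState.ACTIVE


@dataclass
class SecurityModule:
    """Stand-in for the card or token: credential_id -> (key_version, cert_serial)."""
    contents: dict = field(default_factory=dict)


class PkiProviderContext:
    """Hypothetical Credential Provider Context bound to one (simulated) CA."""

    TEMPLATE_KEYS = ("ca_url", "certificate_profile")  # hypothetical ConfigurationTemplate
    CAPABILITIES = Capabilities(
        lifecycle=frozenset({"suspend", "resume", "revoke"}),
        update_actions=frozenset({"pki.renew", "pki.rekey"}),  # "recover" deliberately absent
        batch=frozenset({"lifecycle"}),
    )
    # Allowed source states and the resulting state for each lifecycle process.
    TRANSITIONS = {
        "suspend": ({LifecycleState.ACTIVE}, LifecycleState.SUSPENDED),
        "resume": ({LifecycleState.SUSPENDED}, LifecycleState.ACTIVE),
        "revoke": ({LifecycleState.ACTIVE, LifecycleState.SUSPENDED}, LifecycleState.REVOKED),
    }

    def __init__(self, configuration: dict):
        missing = [k for k in self.TEMPLATE_KEYS if k not in configuration]
        if missing:
            raise ConfigurationError(f"Configuration lacks template keys: {missing}")
        self.configuration = configuration
        self.ca_notifications = []  # what the simulated CA was told, in order
        self._next_serial = 1000

    def _issue_serial(self) -> int:
        self._next_serial += 1
        return self._next_serial

    def issue(self, credential_id: str, module: SecurityModule) -> Credential:
        cred = Credential(credential_id, key_version=1, cert_serial=self._issue_serial())
        module.contents[credential_id] = (cred.key_version, cred.cert_serial)
        return cred

    def run_lifecycle(self, process: str, creds: list) -> None:
        """Lifecycle process: changes state and informs the CA; the module is untouched."""
        if process not in self.CAPABILITIES.lifecycle:
            raise CapabilityError(f"lifecycle process {process!r} not supported")
        if len(creds) > 1 and "lifecycle" not in self.CAPABILITIES.batch:
            raise CapabilityError("batch lifecycle processing not supported")
        allowed_from, target = self.TRANSITIONS[process]
        for cred in creds:
            if cred.state not in allowed_from:
                raise ValueError(f"cannot {process} a credential in state {cred.state.value}")
            self.ca_notifications.append((process, cred.cert_serial))
            cred.state = target

    def run_update(self, action: str, cred: Credential, module: SecurityModule) -> None:
        """Update action: replaces the credential value stored in the security module."""
        if action not in self.CAPABILITIES.update_actions:
            raise CapabilityError(f"update action {action!r} not supported")
        if cred.state is LifecycleState.REVOKED:
            raise ValueError("a revoked credential cannot be updated")
        if action == "pki.rekey":
            cred.key_version += 1                 # new key pair for rekey only ...
        cred.cert_serial = self._issue_serial()   # ... new certificate for renew and rekey
        module.contents[cred.credential_id] = (cred.key_version, cred.cert_serial)


def demo() -> dict:
    """Run the scenario on constructed data and return what was observed."""
    ctx = PkiProviderContext({"ca_url": "https://ca.example.invalid", "certificate_profile": "auth"})
    module = SecurityModule()
    signing = ctx.issue("signing", module)
    auth = ctx.issue("auth", module)
    before = dict(module.contents)

    ctx.run_lifecycle("revoke", [signing])      # state changes, module content does not
    ctx.run_update("pki.rekey", auth, module)   # key and certificate replaced on the module
    try:
        ctx.run_update("recover", auth, module)  # refused: not in CAPABILITIES
        recover_refused = False
    except CapabilityError:
        recover_refused = True

    return {
        "revoke_untouched_module": module.contents["signing"] == before["signing"],
        "signing_state": signing.state.value,
        "rekey_changed_module": module.contents["auth"] != before["auth"],
        "auth_key_version": auth.key_version,
        "recover_refused": recover_refused,
        "ca_notifications": list(ctx.ca_notifications),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The capability check sits in front of every dispatch, so an action the context never declared (here `recover`) is rejected before anything touches the CA or the security module; the same pattern extends to the batch capabilities, which the example applies to multi-credential lifecycle calls.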