Creating a Device Policy That Recovers Credentials

The example described in this section is a device policy that recovers one PKI credential.

  1. Complete the procedures in Creating a Device Policy from step 3 to step 10.

  2. When the Device Policy - Set Application Information page appears:

    Important: The policy that recovers credentials must be based on a device profile containing at least the same number of PKI slots as the initial policy. If it contains fewer PKI slots, issuance of the replacement device fails.

  3. For the Provisioning Method option, select Recover Credential.

  4. For the Recovery Mode, select and configure one of the following options according to the location of the credential to recover.

    Important: For security reasons, ActivID CMS enforces the following rules (a lost or stolen device may still hold a usable copy of the credential, so its replacement must revoke it; a forgotten device will be used again, so its replacement must not):
    • If a device policy contains at least one PKI application that recovers but does not revoke credentials, the policy is unavailable for replacing lost or stolen devices.

    • If a device policy contains at least one PKI application that recovers and revokes credentials, the policy is unavailable for replacing forgotten devices.

    • When assigning a device policy that recovers credentials, some options in the device policies table might therefore be unavailable.

    • ActivID CMS Managed—Key recovery for standard replacement, application update, and re-issuance operations.

      • Application to Recover drop-down list—Select the application to recover from the original device. Only PKI applications whose certificate template escrows the private key in ActivID CMS can be recovered this way.

      • Revoke for Replacement option—Select this option if you want to revoke credentials when a device replacement request is executed.

      Note: The ActivID CMS Managed option is not available for mobile app certificate device policies.

    • Shared Encryption Credential—A PKI credential, already issued to the same user, whose key has been archived by ActivID CMS on the Certificate Authority.

      • Index in History drop-down list—Select the number indicating the position, in the list of available shared encryption credentials, of the credential to recover (the newest item is at position 1).

        Note:  
        • The Shared Encryption Credential option is the only recovery mode supported for mobile app certificate device policies.

        • Currently, shared encryption credentials are only available for PKI applications using Microsoft or Entrust Certificate Authorities.

        • Currently, when using mobile app certificates, you can only recover the latest shared encryption credential on mobile devices.

    • CA Managed—The credential to recover is NOT present in the ActivID CMS system but is archived on an external Certificate Authority (CA). The selected CA must provide at least one certificate template that supports key archiving; the list of templates contains only those that do (for example, with the “usage” information set to ExternalKeyRecovery for an Entrust CA, or with “Request Handling” set to “Archive subject’s encryption private key” for a Microsoft CA). The CA Managed field is only available if there is at least one such certificate template. For a Microsoft CA, the certificates to be recovered must be registered in the user’s LDAP attribute userCertificate.

      Important: For a Microsoft CA, if you are not using a Microsoft AD directory, the CA Managed option is not supported and another recovery mode must be selected.

      Note:  
      • The CA Managed option is not available for mobile app certificate device policies.

      • The CA Managed option is only supported for Microsoft, Entrust and Verizon certificate authorities.

      • When this option is used with the Microsoft CA, a different LDAP user attribute can be selected to define the list of certificates available for a user to recover. To enable this:

        • Create a MsProvider.properties file containing the line ldap.userCertificate=<New LDAP attribute to use> in the directory %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\ (the file name and its contents are case-sensitive).

        • Make sure that the new LDAP attribute has the same characteristics as the X509-Cert attribute (userCertificate): the same syntax and multi-valued.

  5. Revocation Settings—By default, the credentials are revoked for all the listed states of the device (terminated, damaged, expired, updated, re-issued). Clear the check box(es) for any state(s) in which you do not want the credentials revoked. For example, if you clear the Damaged check box, the credentials on a device in the Damaged state are not revoked. This option lets organizations keep certificate revocation lists (CRLs) smaller; use it only where it does not weaken security, by clearing only the states relevant to your deployment (for example, when you are sure that a damaged device will never be used again).

  6. Important: When defining a PKI application for a mobile app certificate device policy that recovers a shared encryption credential, all the Revocation Settings options are unchecked by default. The goal is to avoid revoking shared encryption credentials present on a mobile device when that device is terminated or updated in safe conditions, which would also invalidate the same encryption credential present on another device, such as a primary smart card.

    Note: You can provide a revocation reason for each state of the device. For details, see Procedure 2: Updating a Connection to a CA.

  7. Optionally, in the Friendly Name Configuration section, enter the values in the User Name Prefix and User Name Suffix fields.

  8. Click Submit.
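The following PowerShell script is an added pre-flight check for the CA Managed recovery mode with a Microsoft CA (step 4 above); it is not part of the ActivID CMS documentation or product. It verifies the three prerequisites the page names: that the CA has at least one template with key archival enabled, that the user's certificates are registered in the userCertificate attribute (and which of them are encryption certificates), and, if you want ActivID CMS to read a different attribute, that the attribute has the same schema characteristics as X509-Cert before writing MsProvider.properties. It assumes a domain-joined administrative host with the ActiveDirectory RSAT module and the default CMS installation path; the user name jdoe and the attribute name hidUserCertificate are placeholders.

```powershell
# Added example, not ActivID CMS code. Assumptions: RSAT ActiveDirectory module,
# default CMS install path, placeholder user 'jdoe' and placeholder attribute
# 'hidUserCertificate'.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# 1. Templates that archive the subject's encryption private key.
#    msPKI-Private-Key-Flag bit 0x1 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) is the bit
#    that "Request Handling > Archive subject's encryption private key" sets.
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$archivingTemplates = Get-ADObject -SearchBase $templateBase `
    -Filter "objectClass -eq 'pKICertificateTemplate'" -Properties 'msPKI-Private-Key-Flag' |
    Where-Object { ($_.'msPKI-Private-Key-Flag' -band 0x1) -ne 0 } |
    Select-Object -ExpandProperty Name
Write-Host "Templates with key archival enabled: $($archivingTemplates -join ', ')"
if (-not $archivingTemplates) {
    Write-Warning "No archiving template found: the CA Managed option will not be offered."
}

# 2. Certificates registered in the user's userCertificate attribute, which is the
#    list ActivID CMS draws from. Only keyEncipherment certificates are candidates
#    for recovering an encryption key.
$user = Get-ADUser -Identity 'jdoe' -Properties userCertificate
foreach ($der in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $encrypting = $ku -and
        ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
    "{0}  expires={1:yyyy-MM-dd}  keyEncipherment={2}  subject={3}" -f `
        $cert.Thumbprint, $cert.NotAfter, [bool]$encrypting, $cert.Subject
}

# 3. Optional: point CMS at another attribute. It must match X509-Cert (userCertificate):
#    same attributeSyntax (2.5.5.10, Octet String), same oMSyntax (4), and multi-valued.
function Test-CertAttributeSchema([string]$LdapDisplayName) {
    $props = 'attributeSyntax', 'oMSyntax', 'isSingleValued'
    $ref = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'userCertificate'" -Properties $props
    $new = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties $props
    if (-not $new) { throw "Attribute $LdapDisplayName not found in the schema" }
    return ($new.attributeSyntax -eq $ref.attributeSyntax) -and
           ($new.oMSyntax -eq $ref.oMSyntax) -and
           ($new.isSingleValued -eq $ref.isSingleValued)
}

$newAttribute = 'hidUserCertificate'   # placeholder name
if (Test-CertAttributeSchema $newAttribute) {
    $dir = Join-Path $env:ProgramData 'HID Global\Credential Management System\Shared Files'
    # File name and key are case-sensitive; write plain ASCII without a BOM so the
    # properties parser sees exactly "ldap.userCertificate=<attribute>".
    [System.IO.File]::WriteAllText((Join-Path $dir 'MsProvider.properties'),
        "ldap.userCertificate=$newAttribute`r`n", [System.Text.Encoding]::ASCII)
    Write-Host "MsProvider.properties written; restart ActivID CMS for it to take effect."
} else {
    Write-Warning "$newAttribute does not match the userCertificate schema; keep the default attribute."
}
```

Run it as an account that can read the Configuration and Schema partitions (any domain user can by default) before enabling the policy, so that an empty template list or an empty userCertificate attribute is caught here rather than as a failed recovery at issuance time. The restart requirement in the last message is an assumption about when CMS re-reads the properties file, not a statement from the page.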