Configuring the CPR
The Card Production Request (CPR) contains a list of user-specific attributes that will be stored, fully or partially, in the PIV Metadata database, and will be loaded on the PIV card during the issuance.
In compliance with SP 800-73-3, it is strongly recommended that you use the CPR 2.1.8 schema to issue PIV (Personal Identity Verification, the technical standard of "HSPD-12") cards. ActivID CMS is configured by default using this standard. This guide assumes that your system will be configured to comply with this new revision. However, ActivID CMS will continue to issue cards with a system configured using previous CPRs (for example, those that are compliant with SP 800-73-1) until the CPR schema has been upgraded.
To issue PIV-Compliant cards, you must set the attribute PIV Policy to PIV-I.
- This can be configured in the CPR, with the attribute <hsp:policy> (see the corresponding figure below).
OR
- When the CPR Policy entry does not exist, it can be configured in the ActivID CMS PIVEnrollment.properties configuration file with the attribute policy = (see the corresponding figure below).
The attribute in the CPR takes priority over the PIVEnrollment.properties. The following table lists the resulting PIV compliance mode with different policies defined in the CPR and PIV Plug-in.
PIV Policy in CPR | PIV Policy in PIVEnrollment.properties | Resulting PIV Policy |
---|---|---|
<absent> | <absent> | PIV |
PIV | <any> | PIV |
PIV-I | <any> | PIV-I |
<absent> | PIV | PIV |
<absent> | PIV-I | PIV-I |
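The precedence rules in the table above, as an added example that is not part of the original guide or of ActivID CMS: a Python check that reads a CPR and the text of PIVEnrollment.properties and reports which PIV policy takes effect. The sample CPR fragments, their root element and the namespace URI are constructed placeholders, and treating an empty <hsp:policy> or an empty policy = value as absent is an assumption.

```python
import re
import xml.etree.ElementTree as ET

VALID_POLICIES = {"PIV", "PIV-I"}

def policy_from_cpr(cpr_xml):
    """Text of the first <hsp:policy> element, or None when absent."""
    for el in ET.fromstring(cpr_xml).iter():
        # Compare the local name only; the real namespace URI is not assumed.
        if el.tag.rsplit("}", 1)[-1] == "policy":
            return (el.text or "").strip() or None  # assumption: empty == absent
    return None

def policy_from_properties(text):
    """Value of the 'policy' key in .properties text, or None when absent."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"policy\s*[=:]\s*(.*)$", line)
        if m:
            value = m.group(1).strip() or None  # a later definition overrides
    return value

def resulting_policy(cpr_xml, properties_text):
    """Apply the table: CPR value first, then the properties file, else PIV."""
    cpr = policy_from_cpr(cpr_xml)
    prop = policy_from_properties(properties_text)
    chosen = cpr or prop or "PIV"
    if chosen not in VALID_POLICIES:
        raise ValueError(f"unexpected PIV policy value: {chosen!r}")
    return chosen

# Constructed samples: root element and namespace URI are placeholders.
NS = 'xmlns:hsp="urn:example:placeholder"'
CPR_PIV_I = f"<hsp:request {NS}><hsp:policy>PIV-I</hsp:policy></hsp:request>"
CPR_PIV = f"<hsp:request {NS}><hsp:policy>PIV</hsp:policy></hsp:request>"
CPR_ABSENT = f"<hsp:request {NS}/>"

if __name__ == "__main__":
    for cpr, props in [(CPR_ABSENT, ""), (CPR_PIV, "policy = PIV-I"),
                       (CPR_PIV_I, "policy = PIV"), (CPR_ABSENT, "policy = PIV"),
                       (CPR_ABSENT, "# comment\npolicy = PIV-I")]:
        print(resulting_policy(cpr, props))
```

Running the check against the CPR and properties file actually deployed shows whether a stray policy entry in either place would silently change the mode in which cards are issued.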
When in a PIV-I-compliant mode:
- GUID is used in place of FASC-N for subject alternative names and biometric objects signature.
- FASC-N will start with 9999 9999 999999 (Agency Code + System Code + Credential number).
PIV Policy Attribute in the CPR
PIV Policy Attribute in PIVEnrollment.properties