Configuring ActivID CMS for UniCERT UPI PKI
In this section, we describe how to configure ActivID CMS to connect to your Verizon UniCERT UPI CA, and then to create and configure your device profile.
Configuring the Certificate Authority
Create a JKS trust store and import the trusted CA certificate into it, for example:
keytool -import -alias root1 -keystore UpiTrust.jks -file UpiCA.cer -storepass <password>
Save the UpiTrust.jks file into %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates.
Edit the file cms_installation_dir\wildfly\bin\standalone.conf.bat (for example, using Notepad).
Add the following line at the very end of that file, so that the WildFly JVM uses the trust store for TLS connections to the CA (the inner quotes are needed because the path contains spaces):
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates\UpiTrust.jks""
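The following PowerShell script is an added example, not part of the HID documentation or the ActivID CMS product: it performs the trust store preparation above in one pass (import the CA certificate, verify the entry, copy the file into the shared Certificates folder, and append the JVM setting to standalone.conf.bat only if it is not already present). It assumes that keytool.exe from the JDK used by WildFly is on the PATH, that the CA certificate is UpiCA.cer in the current directory, and that $CmsInstallDir (an assumed default path) points at the ActivID CMS installation directory.

```powershell
# Added example (not from the ActivID CMS documentation). Assumptions: keytool.exe
# is on PATH, UpiCA.cer is in the current directory, and $CmsInstallDir is the
# ActivID CMS installation directory (the default below is an assumed path).
param(
    [string]$CaCertFile    = '.\UpiCA.cer',
    [string]$TrustStore    = '.\UpiTrust.jks',
    [string]$Alias         = 'root1',
    [string]$CmsInstallDir = 'C:\Program Files\HID Global\Credential Management System'
)
$ErrorActionPreference = 'Stop'

# Read the trust store password interactively so it does not end up in the shell history.
$securePass = Read-Host -Prompt 'Trust store password' -AsSecureString
$plainPass  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass))

# 1. Import the CA certificate as a trusted entry (keytool creates the JKS file if needed).
& keytool -importcert -noprompt -alias $Alias -keystore $TrustStore -storetype JKS `
    -file $CaCertFile -storepass $plainPass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 2. Verify that the alias is present and stored as a trustedCertEntry before deploying it.
$listing = & keytool -list -v -keystore $TrustStore -storepass $plainPass -alias $Alias
if ($LASTEXITCODE -ne 0 -or (($listing -join "`n") -notmatch 'trustedCertEntry')) {
    throw "Alias '$Alias' is not a trusted certificate entry in $TrustStore"
}
# Show the fingerprint so it can be compared with the value published by the CA operator.
$listing | Where-Object { $_ -match 'SHA256:' }

# 3. Copy the trust store into the CMS shared Certificates folder.
$sharedDir = Join-Path $env:ProgramData 'HID Global\Credential Management System\Shared Files\Certificates'
New-Item -ItemType Directory -Path $sharedDir -Force | Out-Null
Copy-Item -Path $TrustStore -Destination $sharedDir -Force

# 4. Append the JVM trust store setting to standalone.conf.bat, once (idempotent).
$confFile = Join-Path $CmsInstallDir 'wildfly\bin\standalone.conf.bat'
$leaf     = Split-Path $TrustStore -Leaf
$setting  = 'set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\Certificates\' + $leaf + '""'
if (-not (Select-String -Path $confFile -SimpleMatch -Pattern 'javax.net.ssl.trustStore' -Quiet)) {
    Add-Content -Path $confFile -Value $setting
    Write-Host "Added trust store setting to $confFile; restart the ActivID CMS service to apply it."
} else {
    Write-Host "$confFile already sets javax.net.ssl.trustStore; left unchanged."
}
```

The password is prompted for rather than passed on the script's command line because a trust store password typed as an argument is recorded in shell history; note that keytool still receives it as a process argument, so run the script from an administrative session rather than a shared one. The trust store holds only public CA certificates, so its password protects the file's integrity, not confidentiality; only a certificate whose fingerprint matches the value the CA operator published should be imported. The verification step rejects a file in which the alias is a private-key entry rather than a trustedCertEntry, which would indicate the wrong file was imported.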
This section describes how to configure the ActivID CMS Operator Portal for Verizon UniCERT UPI.
For detailed instructions on creating connections to CAs in ActivID CMS, refer to Procedures for Configuring Connections to Certificate Authorities.
- Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.
- Click the Configuration tab, and then click Repositories.
- Click Add Certificate Authority, and then from the drop-down list, select Verizon Unicert UPI Authority. For Template, accept Default UPI configuration template.
- Click Submit.
- Enter a Name for the Certificate Authority.
- Enter all the required values.
  Note:
  - If you are using SSL, refer to the prerequisites above.
  - If you are using an HSM (a Hardware Security Module securely stores secret key material; HSMs are similar to large-storage, multi-session smart cards but, unlike smart cards, are used mainly on the server side of a system), refer to Configuration Using the RRO Stored in an HSM.
- Click Test to verify the CA configuration.
- Click Create. A confirmation message appears.
- Click Done.
Creating the Device Policy
This section illustrates how to create a device policy that issues Verizon UniCERT UPI certificates to the user smart card. For more information about creating a device policy, refer to Creating a Device Policy.
To create a device policy, perform the following tasks:
- Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.
- Click the Configuration tab, and then click Policies.
- Add a new device policy, depending on the number of PKI applications to be used.
- Click Next, and then add the corresponding PKI1 applications.
- Click the Configure button associated with PKI1 to display the Device Policy - Set Application Information page.
- In the Friendly Name field, enter a valid, descriptive name for the certificate in use for the device policy.
- In the Provider drop-down menu, select Verizon Unicert UPI Authority.
- Depending on the Provisioning Method selected, different fields appear. Perform the appropriate tasks based on your selection.
  Note: Selecting the Recover Credential option is the equivalent of setting the former Recover Application option (available in previous ActivID CMS versions) to Yes.

  Provisioning Method set to Create Credential
  - If you select Create Credential for the Provisioning Method, for Template select either the encryption template (which allows key escrow) or the authentication template (no escrow), as required.
  - Click Submit.
  - Enter values in all the required fields.
  - Click Set.

  Provisioning Method set to Recover Credential
  - If you select Recover Credential for the Provisioning Method, the Recovery Mode options become available. Select ActivID CMS Managed.
  - Under Recovery Settings, select Revoke for Replacement.
  - Click Submit.
- Click Save.