Known Problems and Limitations
This section describes issues known by HID Global as of the release date, but which have not been addressed in the current product version. When possible, fixes and workarounds are suggested. This section also describes known limitations of this release.

If you plan to use a User Attribute for Card Binding that is different from the default, it must be set before you begin issuing any smart cards.
Note that the Oracle database installation script displays “old” and “new” statements. Those are informational messages from SQL Plus that can be safely ignored.
Installation of HID CMS on a mapped network drive is not supported. The setup program will not prevent the installation, but HID CMS will not operate correctly. Please make sure to use a local drive.
Do not use a Credential Management System Security Key Password that starts with one or more spaces.
If you are using a multiple-partition HSM with several HID CMS instances, make sure that you configure the “cmsslot.ini” file as described in the tech note specific to your HSM model. Failing to do so before starting the HID CMS installation may result in the transport key of your other HID CMS instances being deleted from the HSM.
If multiple partitions are connected to your HID CMS instance during installation, you must disable the partitions not used by HID CMS for the duration of the installation and re-enable them once the installation is complete. (IACMS-3066)
When adding a peer server to an HID CMS pool, it is recommended to install the new peer server using a custom install without the HID CMS Databases, then apply any relevant service pack and hotfixes to the new HID CMS server.

When upgrading from ActivID CMS 5.13, the multiple devices per user feature must not have been activated.
Starting from HID CMS 6.0, the “cms_portal” directory is renamed “aims.war”. Unless stated otherwise, any instruction applying to the old “cms_portal” directory should be interpreted as applying to the new “aims.war” directory.
Starting from HID CMS 6.0, the “settings” directory is hidden and read-only. Do not modify its content unless explicitly instructed to.
Before performing the upgrade, make sure that all database indexes created manually (for performance reasons) are dropped.
If you changed the attended/unattended HID CMS startup mode manually, the HID CMS upgrade reverts it to the startup mode selected during the previous ActivID CMS installation. (P1395-100445)
On ActivID CMS 5.1 or higher, if you need to install a custom profile that was originally delivered for a previous version of ActivID CMS, the custom profile readme instructions must be adapted. Specifically, the following line cannot be applied as is:
- Apply the files from the "cms_portal" directory included in this delivery into the "CMS" installation folder (by default the “C:\Program Files\HID Global\Card Management System” folder). Set the Winzip “Use folders names” option.
It should read as follows:
- Copy the sub-directories/files from the “cms_portal\WEB-INF\conf\services\custom” directory included in this delivery into the “%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\services\custom” directory.
- Copy the sub-directories/files from the “cms_portal\WEB-INF\conf\services\repositories” directory included in this delivery into the “%PROGRAMDATA%\HID Global\Credential Management System\Shared Files\services\custom” directory.
When upgrading to HID CMS 6.2, it is necessary to upgrade each peer server.
If you are using an IdenTrust CA that was configured using a previous version of ActivID CMS, when you upgrade to the current version of HID CMS, you will need to obtain your current account credentials for accessing the REST API and then update your CA with those credentials. For details about how to update your configuration, see Configuring the IdenTrust Certificate Authority.

To uninstall the HID CMS databases successfully via the HID CMS installation program, ensure before starting the uninstall that no user is accessing the databases and that the HID CMS server is not running. (P1395-100148)
In the Windows Control Panel, Programs and Features screen, for HID CMS, you only have access to the Change option. To uninstall, select Change, then select Uninstall in the wizard. (P1395-100338)

To use the Chrome or Edge browsers with HID CMS on Windows Server 2022, enable the 'Disable TLS 1.3 over TCP' setting on the HTTPS site binding in IIS Manager.
Occasionally (when ActivClient is not installed), the client loses its connection to the smart card readers. In that case, close the browser and open it again.

After upgrading to ActivID CMS 5.6 or later, to use the Crescendo Card C2300 (Applet 3.0) with the "Enterprise Contactless - Crescendo C2300" or "Enterprise - Crescendo C2300" profiles, the ATR2Product.properties file must be modified as follows:
- Remove the leading "#" from the lines shown below to uncomment them. The result should be:
3BD596FF8191FE1FC34332333030CC = HID_CRESC_2300_DEFAULT
3B858001433233303046 = HID_CRESC_2300_DEFAULT
- Add a "#" at the very beginning of the lines shown below to comment them out. The result should be:
#3BD596FF8191FE1FC34332333030CC = HID_CRESC_2300_DEFAULT_2
#3B858001433233303046 = HID_CRESC_2300_DEFAULT_2
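The edit above swaps comment markers on two pairs of lines, and a Java .properties file keeps only the last value when the same key appears twice, so a half-applied edit (both lines for an ATR left active) silently maps the C2300 to HID_CRESC_2300_DEFAULT_2 without any warning. The following Python script is an added example, not part of HID CMS or its documentation: it applies the swap to the file content and then checks that each C2300 ATR has exactly one active mapping. It assumes ATR2Product.properties is a plain "ATR = PRODUCT" properties file with "#" comment lines, as the excerpt shows; the sample content is constructed for the demonstration, and the function names are my own.

```python
"""Swap the active C2300 product mapping in ATR2Product.properties and verify it.

Added example, not part of HID CMS. Assumes the file is a plain Java
.properties file with "ATR = PRODUCT" lines and "#" comments, as shown
in the release notes; SAMPLE_BEFORE is constructed sample content.
"""
import re

# Constructed sample mirroring the file before the fix: the _DEFAULT lines
# are commented out and the _DEFAULT_2 lines are active.
SAMPLE_BEFORE = """\
# Crescendo C2300 (Applet 3.0)
#3BD596FF8191FE1FC34332333030CC = HID_CRESC_2300_DEFAULT
#3B858001433233303046 = HID_CRESC_2300_DEFAULT
3BD596FF8191FE1FC34332333030CC = HID_CRESC_2300_DEFAULT_2
3B858001433233303046 = HID_CRESC_2300_DEFAULT_2
"""

# The two C2300 ATRs quoted in the release notes (cold and warm ATR).
C2300_ATRS = ("3BD596FF8191FE1FC34332333030CC", "3B858001433233303046")
ENABLE = "HID_CRESC_2300_DEFAULT"      # mapping that must become active
DISABLE = "HID_CRESC_2300_DEFAULT_2"   # mapping that must be commented out

# Optional leading "#", a hex ATR key, "=", and a product name.
LINE_RE = re.compile(
    r"^(?P<comment>#\s*)?(?P<atr>[0-9A-Fa-f]+)\s*=\s*(?P<product>\S+)\s*$"
)


def parse_line(line):
    """Return (commented, ATR, product) for a mapping line, or None otherwise."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return (m.group("comment") is not None, m.group("atr").upper(), m.group("product"))


def swap_c2300_mapping(text, enable=ENABLE, disable=DISABLE, atrs=C2300_ATRS):
    """Uncomment the `enable` line and comment out the `disable` line for each ATR.

    Lines for other ATRs, comments and blank lines are passed through untouched.
    """
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in atrs:
            commented, atr, product = parsed
            if product == enable and commented:
                line = f"{atr} = {product}"
            elif product == disable and not commented:
                line = f"#{atr} = {product}"
        out.append(line)
    return "\n".join(out) + "\n"


def active_mappings(text):
    """Map each ATR to the list of products currently active (uncommented) for it."""
    active = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and not parsed[0]:
            active.setdefault(parsed[1], []).append(parsed[2])
    return active


def check_unique(text, atrs=C2300_ATRS):
    """True if every C2300 ATR has exactly one active mapping.

    java.util.Properties keeps only the last value of a duplicated key, so a
    second active line for the same ATR would win silently; catch it here.
    """
    active = active_mappings(text)
    return all(len(active.get(atr, [])) == 1 for atr in atrs)


if __name__ == "__main__":
    fixed = swap_c2300_mapping(SAMPLE_BEFORE)
    print(fixed)
    print("each C2300 ATR maps to exactly one product:", check_unique(fixed))
```

Run it against a copy of ATR2Product.properties: read the file, pass the text to swap_c2300_mapping, and write the result back only if check_unique returns True. The uniqueness check is the useful part; the edit itself is easy to do by hand, but a leftover active _DEFAULT_2 line is not visible as an error anywhere in HID CMS.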
ActivID CMS 5.6 introduced a regression in the old "Enterprise Contactless - Crescendo C2300" and "Enterprise - Crescendo C2300" profiles that prevented the PIN from being shared. This regression is fixed in ActivID CMS 5.7 and later. If those profiles were created in ActivID CMS 5.6, new profiles must be created from scratch (not duplicated) to clear the faulty settings.
For all the C2300 profiles (old and new), when the card or the key is issued using a policy created after upgrade and then successfully recycled, the FIDO credentials are always revoked.
Sometimes when an “Enterprise – Crescendo” device issuance fails, the request retry feature fails. In that case, cancel the request, recycle the card, and restart the issuance.
The OATH slots for the “Enterprise – Crescendo”, “Enterprise – Crescendo (no FIDO)”, and “Enterprise – Crescendo (no SEOS)” profiles using AAA are, in order, HOTP, TOTP, and OCRA. For each customized slot that uses AAA as the authentication server, the Credential Type must be the same as the Application Name; otherwise, the device will not be properly issued or recycled.

- YubiKey devices issued by CMS use compressed certificates, which are not currently supported by the YubiKey Minidriver. As a result, for the time being, it is not possible to use the YubiKey Minidriver with a YubiKey device issued using CMS.
- When issuing a YubiKey FIPS with the "YUBIKEY v5" profile, the ACR (access control rule) for the Card Authentication Key is not compliant with the SP 800-73-4 specification: it is PIN protected instead of Always Accessible. Note: The problem is not present on YubiKey 5 NFC.
- YubiKey 5 NFC and YubiKey FIPS do not support profiles with a Facial Image larger than 3063 bytes.
- YubiKey devices cannot be issued using Luna SA HSM firmware 6.24.x and above in FIPS mode. (IACMS-2573)
- The YUBIKEY FIPS profile can also be used to issue YubiKey 5 devices after associating the pre-issuance ID with the appropriate ATR. However, OATH application personalization is not supported on YubiKey 5 devices.

On the server side:
- HID CMS is now compliant with Java 11, so if you implemented server plugins, they must not use entry points that have been deprecated in Java 11.
On the client side:
- The client-side CCM API is no longer compatible with Java 8. Java 11 or later is required.

- Starting from HID CMS 6.0, support for the following Certificate Authorities was removed:
  - Symantec v7
  - OpenTrust eID
- Starting from HID CMS 6.0, support for Entrust using the “Entrust Authority ESP” template is deprecated.
- Starting from HID CMS 6.0, the UniCERT client is version 551.954. The UniCERT server should be upgraded accordingly.
- Starting from HID CMS 6.0, the Microsoft CA must be configured with a Key Recovery Agent (KRA) if the certificate templates have “Archive subject's encryption private key” selected.
- Starting from HID CMS 6.0, if using AAA with multiple devices per user, only one device may have the AAA OTP configured.
- Starting from ActivID CMS 5.11, the Datacard and Fargo legacy EPI builder printing options are removed. Supporting them required obsolete technologies that browsers no longer support.
- Starting from ActivID CMS 5.1, Entrust 8.1 SP1 is no longer supported; customers still using Entrust 8.1 SP1 should migrate to 8.3 or 10 before upgrading to the current version of HID CMS.
- AAA 6.7.2 is no longer supported; customers still using AAA 6.7.2 should migrate to AAA 6.8 or AAA 7.0 before upgrading to the current version of HID CMS.
- ActivClient version 7.2.1 (or higher) is required when using HID CMS 6.2 to issue Crescendo C2300 or Crescendo Key cards, or YubiKey devices. Note: ActivClient version 7.3 (or higher) is required when using ECC keys.
- To generate OTPs using the OATH standard, ActivID Authentication Server 8.3 (or higher) or AAA 7.0.0.55 (or higher) is required.
- LDAP secure connections can no longer be disabled using the HID CMS GUI. Hostname verification can be disabled by setting the "com.sun.jndi.ldap.object.disableEndpointIdentification" JVM system property to true. Note that this switches off LDAP endpoint identification for the whole JVM, which removes the protection TLS gives against a host impersonating your directory server; treat it as a temporary workaround only, and fix the directory server certificate (so that its subject alternative name matches the configured hostname) instead.

-
In ActivID CMS 5.13, security was reinforced so that only users belonging to at least one of the configured user groups are returned in search results.

Some HSM product names changed as of January 1, 2020, following the acquisition of Gemalto by Thales Group.
Gemalto SafeNet was replaced by Thales in the CMS documentation, and SafeNet Assured Technologies is now called Thales Trusted Cyber Technologies.
The nShield HSM product line was acquired by Entrust Datacard.
Thales
- With Thales Luna firmware 6.22.0 or above, you must update the HSM client configuration to make the CKM_RSA_PKCS_KEY_PAIR_GEN mechanism available: in the crystoki.ini file installed by the Thales Luna HSM Client, add RSAKeyGenMechRemap=1 under the [Misc] section. This setting makes the client remap that mechanism to the FIPS-approved CKM_RSA_X9_31_KEY_PAIR_GEN key generation on the HSM. (IACMS-624)
- For Thales Luna, you must use firmware prior to 7.4.
Entrust nShield
- You must use a firmware version prior to 12.70.

Note that once HID CMS has issued a smart card, that smart card will not be usable in other HID CMS systems, even if the smart card is recycled, unless the other HID CMS system knows the smart card security keys that are in the initial HID CMS system.
You cannot log on to the HID CMS legacy Operator Portal from a different machine than the one you last used unless you logged out from your previous session. This is not a technical issue but a security feature of HID CMS.
HID CMS incorrectly lets the operator set the maximum number of wrong PIN tries in the device policy for a PIV card using third-party applets (this is not the case for HID ActivID applets). This value is actually set by the card manufacturer. What is set in the device policy UI is ignored by HID CMS.
In some cases, retrying to perform a request that previously failed might display a message asking for reauthorization of the request.
To log out from HID CMS securely, close the web browser so that its TLS session cache is cleared.
HID CMS does not support Dynamic Group with the Oracle Directory Server.
User lookup has a limit of 100 users. If you reach that limit, you must refine the search criteria to return a smaller set of users.
Adding a user group when there are more than 100,000 users can take a few minutes. It is recommended to let HID CMS finish the operation without interrupting it.
The root certificate of the HID CMS server certificate must be installed on the HID CMS Issuance Station; otherwise, the HID CMS client will not allow connection to the HID CMS server for security reasons.
It is not possible to update a device policy on an HID CMS instance that has more than 100,000 cards issued. We recommend instead duplicating an existing policy and immediately modifying it.
When issuing a PKCS#11 device whose maximum PIN length is shorter than the one specified in the HID CMS default PKCS#11 card profile, issuance will fail. Update the HID CMS device policy with a maximum PIN length that matches the one supported by the PKCS#11 device.
In the rare case of an issue during a card update where the portal seems to be non-responsive on the cardholder station, it is recommended to wait a few minutes before retrying the operation as this allows a timeout on the HID CMS server to detect the issue and update the state of the card appropriately.
When attempting to access the Admin Portal to enter the HID CMS startup credentials, access may be denied if the fully qualified domain name of the HID CMS server is not registered in the DNS server. This is more likely to happen if the server HID CMS runs on is not part of a Windows domain. You can use localhost to access the ActivID CMS Admin Portal instead of the FQDN (however this will result in a certificate mismatch warning in the browser). You can also modify the IIS domain restriction to add the HID CMS server name concatenated to the Connection-specific DNS Suffix.
In some rare situations, the HID CMS portal has been shown to freeze during a device operation (for example, personalization). However, it seems that the back-end operations complete successfully. If a freeze occurs, give HID CMS enough time to complete the device operations (if the reader has a blinking LED that’s a useful clue), and simply restart your browser.
When CMS is configured with directories of different types, AAA credentials (i.e., SKI, OATH) are not supported.
If a user ID exists in more than one directory configured in CMS, the user groups must be configured to let CMS manage the user ID from only one of the directories.

ActivID CMS User Portal requires that the workstation trusts the CA used by HID CMS.
Performing an application update will fail if the smart card PIN is locked. Please submit an unlock request, which will perform the PIN unlock; and then execute the pending application update.
Accessing the ActivID CMS User Portal from a mobile device is not supported.
When the User Portal is launched, a blank page may sometimes be displayed. The recommended workaround is to relaunch the User Portal.

Entrust PKI
Customers need to upgrade to Entrust Security Manager 8.3 or 10 prior to upgrading to the current version of HID CMS.
Changing the Entrust CA by only updating the entrust.ini file is not supported. Use the CMS UI instead, and make sure that no HID CMS device policy references the old CA before switching to the new one, to avoid card policy corruption.
Issuance of “shared encryption certificates” (recovery mode) is limited to 1 certificate when using Entrust CA. (IACMS-1378)
IdenTrust
The HID CMS setup process ensures that any prior version of the IdenTrust Credential Provider is replaced by the integrated one.
If you are using an IdenTrust CA that was configured using a version of ActivID CMS prior to 5.10, when you upgrade to ActivID CMS 5.10 or higher, you will need to obtain your current account credentials for accessing the REST API and then update your CA with those credentials. For details about how to update your configuration, see Configuring the IdenTrust Certificate Authority.
Microsoft PKI
No known issues at the time of the release.
OpenTrust Enterprise PKI (IdealX)
No known issues at the time of the release.
Symantec MPKI v8
No known issues at the time of the release.
Verizon UniCERT with UPI
The upgrade to ActivID CMS 5.4 and later restores the Java default configuration, so the customization of the TrustStore needed for Verizon UPI CA (P1395-100740) needs to be re-applied after installation of this version.
ActivID CMS 5.4 adds support for UniCERT 5.5.1. Customers who want to upgrade to UniCERT 5.5.1, are advised to do so before upgrading to ActivID CMS 5.4 and higher. UniCERT UPI Client 5.5.1 has no backward compatibility with UniCERT 5.4.
There are known issues with recovery: in CA-managed or CMS-managed mode, it is not possible to recover and manage the key history for a user.

Once a Gemalto PIV card has been personalized, it is not possible to modify the PKI key size available on that card.
When using the PIV Toolkit, please make sure to update the “metadata.key” property in the PIVEnrollment.properties, PIVNotification.properties, and generic_plugin.properties to reflect what is appropriate for your LDAP. For example, for Active Directory, use "sAMAccountName"; for Sun, use "uid"; for Critical Path, use "cn".
When using on-card key history, the actual space available on the user's card may differ from what HID CMS expects; in that case, the user may see a “memory error (card side)” message if there is not enough space available on the card.

Due to a difference in interpretation of “Maximum Number of Wrong PIN Tries Before Locking the Card” between HID CMS and SafeNet eToken devices, when the PIN of a SafeNet eToken is locked via the ActivID CMS User Portal, the eToken PIN is locked after the maximum number of retries defined in the HID CMS Device Policy PIN Application plus one (for example, if the maximum number of retries is set to 5 in HID CMS, the SafeNet eToken is locked after 6 tries).
The “Change PIN at first use” option of the SafeNet eToken devices is not compatible with the ActivID CMS User Portal. It is recommended to either disable this option in the SafeNet Authentication Client, or to ensure that the user performs a Change PIN operation using the SafeNet Authentication Client before accessing the ActivID CMS User Portal.
The HID CMS Operator Portal and User Portal do not support multiple PKCS#11 device middlewares on the same workstation.

A device policy for a mobile app certificate cannot be updated or deleted, even after all issued mobile devices have been terminated. (IACMS-758)
The serial number used by HID CMS as the unique identifier for iOS mobile app certificates is the mobile device UDID; this number can be retrieved using iTunes. The “Mobile SN” visible in the HID CMS Help Desk is a shorter identifier; it is the iOS serial number that can be viewed from the iPhone settings screen. (IACMS-737)
As documented in the Operator Guide, only 1 device policy for mobile app certificates should be assigned per user group. If multiple mobile app certificate policies are assigned, then issuance of the mobile app certificates will fail. (IACMS-761)
At the end of the mobile app certificate issuance process, if the user reports in the ActivID CMS User Portal that the mobile app certificate personalization failed, then HID CMS will terminate the device, and the certificates will be revoked (or not) depending on the device policy; the device will not appear as a managed device in HID CMS; the device is ready to be personalized again. If the mobile app certificate was actually successfully personalized, even though the user reported differently, then HID CMS will not be able to manage the device. (IACMS-1271)
When using a directory where the UserID is the uid rather than the CN (e.g., Novell, Oracle, Tivoli directories), then the UserID is not visible in the certificate properties when displayed on iOS (Apple iOS limitation). (IACMS-1318)

The user is advised to stay in the same location during Mobile Smart Card local issuance. For security reasons, if the IP address of the device changes, the issuance will fail.
If remote issuance fails for any reason, it is recommended that the administrator perform a RETRY on the HID CMS portal; this reactivates the issuance request and gives the user a second issuance attempt of the Crescendo Mobile. (IACMS-1965)
If the maximum number of authorized incorrect initial passwords is reached during the remote issuance of the Crescendo Mobile, the request status on the HID CMS side remains PENDING and does not change to FAILED. The issuance request in this case should be CANCELED and a new one should be created. (IACMS-1964)
To perform Remote Issuance with Crescendo Mobile for Android on devices with Android 9, HID CMS must be customized with a server certificate containing a Subject Alternative Name (SAN), as Android 9 deprecates the fall back to the commonName (CN).
Remote Issuance with Android 9 devices does not work with HID CMS auto-generated certificates.
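Android 9 and later match the server name only against the certificate's Subject Alternative Name extension and ignore the commonName, which is why the auto-generated certificate (CN only) is rejected. The following OpenSSL request configuration is an added example, not taken from HID CMS documentation, showing how to produce a CSR that carries the SAN; the host name cms.example.com and the organization name are placeholders to replace with the DNS name the Crescendo Mobile app actually connects to.

```ini
# cms-san.cnf: OpenSSL request configuration for an HID CMS server certificate
# with a Subject Alternative Name. Added example, not an HID CMS file.
# cms.example.com and "Example Org" are placeholders.
[ req ]
default_bits       = 3072
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = cms.example.com
O  = Example Org

[ v3_req ]
# Android 9 ignores the CN above; only the names listed under alt_names are matched.
subjectAltName   = @alt_names
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = cms.example.com
```

Generate the key and CSR with `openssl req -new -config cms-san.cnf -newkey rsa:3072 -nodes -keyout cms.key -out cms.csr`, then confirm the extension survived with `openssl req -in cms.csr -noout -text` before submitting it to your CA. Check the issued certificate the same way (`openssl x509 -in cms.crt -noout -text`), since some CA templates drop or rewrite requested extensions; the name under "X509v3 Subject Alternative Name" must be exactly the host name configured in the mobile app.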

PIV criteria or any enrollment plug-in attributes are not supported as criteria for FindUsers or FindUsersID.
For custom PIV Badging Stations: the CCM API does not leverage the Bio verification plug-in or the printing features of HID CMS. Custom Badging Stations must support their own printing and bio verification methods from the client side as no printing or bio verification functions are available through CCM API.
In the Java CCM API, "findWalletIds" does not support a less precise TIMESTAMP for the criteria “CRITERIA_WALLET_TIMESTAMP” with "CRITERIA_COMPARISON_EQUAL". It is recommended to use "greater than" or "less than", instead of "equal to".
In the Java CCM API, the Credential Manager performProcess method does not throw an InvalidStateException.
C++/Java CCM API: a Card Manager Lock or Unlock request submitted using the CCM API cannot then be executed through the Operator Portal.
C++/Java CCM API interoperability: self-issuance in the ActivID CMS User Portal fails if the card was bound using the CCM API.
CCM API: SyncListener: Credential events are not generated with the VeriSign MPKI 7 CA.
The Operator Portal only allows issuing 1 smart card (or Windows virtual smart card) and 1 mobile device (mobile app certificates) per user. The CCM API does not enforce these limits. However, in this version, HID Global only supports this configuration. (IACMS-668)
If using a Tool provided by HID Global in the \Tools folder of the HID CMS delivery, you will need to copy the \SDK directory (of the HID CMS delivery) to the same level as the \Tools directory.

Asure ID
If you upgrade your Asure ID installation to a new version after configuring HID CMS to connect to Asure ID, you will need to reconfigure HID CMS to link to the new version: Locate the AsureIDService.exe.config file on your workstation (you installed this file as part of the HID CMS configuration for Asure ID, as documented in Installing ActivID CMS). Locate the “newversion” fields and update them to the new Asure ID version. Then restart the Windows service called “AsureIDService”.
AsureID service 5.6 is required when using the Chrome browser for printing.