PIV System Architecture
Typical PIV Issuance Model and Workflow

To receive a PIV card, applicants are sponsored in the Identity Management System (IDMS) by someone authorized to do so in the company.

Someone operating the enrollment station captures all the information required before a PIV card can be issued to an applicant (demographic data, identity traits, copies of ID documents, etc.). The captured information is submitted to the IDMS.

Someone else with the appropriate role(s) to use the IDMS proceeds with a background check according to FIPS 201 (Federal Information Processing Standard 201, the NIST standard for HSPD-12/PIV) requirements and then submits all necessary information to ActivID CMS, which initiates the card issuance process. The following figure represents the PIV card issuance model.
PIV Card Issuance Model

ActivID CMS is responsible for PIV card issuance. It supports two issuance models.

- One-step issuance:
  - In this model, ActivID CMS is responsible for complete card personalization. (Personalization refers generically to a card issuance, re-issuance, or update.)
  - The activation process combines both personalization and activation of the card in one step.
  - Once issued, the card can be used to access both physical and logical systems.
- Two-step issuance:
  - In this model, ActivID Batch Management System (BMS) is responsible for creating batch production requests containing all PIV card personalization information (including biometric and CHUID (Card Holder Unique Identifier) signed data) and for submitting them to the card production facility. (Card production is the process of producing a fully or partially personalized card that results in the card being bound to a cardholder and put into a locked state.)
  - The card production facility notifies ActivID BMS of card production and fulfills the card production requests (this encompasses card printing and PIV card personalization, but not personalization of the PIV PKI containers).
  - Once produced, the card must be activated at a local issuance station. This process includes 1:1 fingerprint verification of the user and unlocking the card. The activation process also includes personalization of the PKI application and notification back to the IDMS system of card issuance.
IDMS/ActivID CMS System Architecture
The following figure illustrates the detail of components involved in the processes between IDMS and ActivID CMS. (The IDMS is a collection of systems, processes, procedures, applications, database management systems, and interfaces that work together to manage and protect the identity information of PIV card applicants. The IDMS generally falls within the IDPRS domain.)
IDMS and ActivID CMS Component Processes

The PIV enrollment plug-in is the ActivID CMS component that processes Card Production Requests (CPRs) submitted by the Identity Proofing and Registration System (IDPRS). (An enrollment plug-in is involved every time a user attribute is set or retrieved by ActivID CMS. This makes it possible to map user attributes to repositories other than ActivID CMS’ standard LDAP, such as IDMS, databases, or XML files.) A CPR contains a list of user-specific attributes that will be stored, fully or partially, in the PIV Metadata database and loaded on the PIV card during issuance. The plug-in performs the following tasks:

- Verifies the CPR signature.
- Parses the CPR document.
- Optionally, verifies conformance of a subset of enrollment attributes with the PIV standard. (The PIV enrollment plug-in can be configured to verify the validity of some of the attributes passed in the CPR against standard expected values. For more information, see the plug-in documentation.)
- Stores individual CPR attributes in the PIV repository.

ActivID CMS is delivered with a reference PIV enrollment plug-in that can be customized to meet specific deployment needs, such as performing additional checks on the CPR (checks against a list of approved sponsors/registrars, checks of certificate attributes, etc.) or storing the CPR attributes in a different repository.
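The following Go program is an added example, not ActivID CMS or plug-in code: it walks the plug-in's task order (verify the signature before parsing, parse, check attributes against expected values, store) and adds the kind of approved-sponsor check the reference plug-in can be customized for. The JSON layout, the field names and the Ed25519 key pair are assumptions, since the page does not show the CPR document format or its signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"regexp"
)

// CPR is a constructed, hypothetical Card Production Request layout for this
// example; the real ActivID CMS CPR document format is not shown on the page.
type CPR struct {
	RequestID  string `json:"requestId"`
	Sponsor    string `json:"sponsor"`
	AgencyCode string `json:"agencyCode"` // expected value format: four digits
	Surname    string `json:"surname"`
}
var agencyCodeRe = regexp.MustCompile(`^[0-9]{4}$`)
// SignCPR serializes and signs a CPR with the registrar's key (assumed Ed25519).
func SignCPR(priv ed25519.PrivateKey, c CPR) (doc, sig []byte) {
	doc, _ = json.Marshal(c)
	return doc, ed25519.Sign(priv, doc)
}

// ProcessCPR fails closed: an unverified document is never parsed, and a CPR
// that fails any check is never written to the repository (a plain map here).
func ProcessCPR(pub ed25519.PublicKey, doc, sig []byte, approved map[string]bool, repo map[string]CPR) error {
	if !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("CPR signature invalid: rejected before parsing")
	}
	var c CPR
	if err := json.Unmarshal(doc, &c); err != nil {
		return fmt.Errorf("CPR parse error: %w", err)
	}
	if !agencyCodeRe.MatchString(c.AgencyCode) {
		return fmt.Errorf("agencyCode %q is not four digits", c.AgencyCode)
	}
	if !approved[c.Sponsor] {
		return fmt.Errorf("sponsor %q is not an approved sponsor", c.Sponsor)
	}
	repo[c.RequestID] = c // store the CPR attributes in the PIV repository
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair
	doc, sig := SignCPR(priv, CPR{"cpr-0001", "registrar.alice", "1234", "Doe"})
	repo := map[string]CPR{}
	fmt.Println(ProcessCPR(pub, doc, sig, map[string]bool{"registrar.alice": true}, repo), len(repo))
}
```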

The PIV Static Data plug-in is used internally in ActivID CMS to personalize PIV user data (CHUID and demographic data) on the card.

The PIV notification plug-in is the ActivID CMS component that notifies the IDPRS system of PIV issuance and card lifecycle changes.
ActivID CMS is delivered with a reference notification plug-in that logs relevant events to a file. It is intended that integrators customize the PIV notification plug-in for use with their specific IDPRS system.

The PIV repository stores the CPR enrollment attributes.