ActivID CMS Configuration
ActivID CMS Start-Up Modes
ActivID CMS supports the following two start-up modes:
- Attended mode: Once ActivID CMS starts up, this mode requires administrator intervention to enter information that launches the ActivID CMS service (and to manage the process as needed). The credentials to be entered are:
  - Security key password
  - Password to connect to the ActivID CMS databases
  - HSM PIN (if required)
- Unattended mode: ActivID CMS starts up automatically following a successful logon to Windows (without requiring the intervention of an administrator). There is no need to provide passwords and PINs in order for ActivID CMS to start up and be available. In this mode, passwords are stored in obfuscated form in the ActivID CMS configuration file.
Operator Role Security Recommendations
For security reasons, a given operator can access only the ActivID CMS functions that are authorized by their role. When defining roles on the Operator Portal, you can enable/disable access to specific tasks listed in the Services section of the Role Creation and Role Update dialog boxes.
Task | Associated CMS Privileges
---|---
Configuration -> User Groups -> New User Group | Operator can create a user group and assign any LDAP (Lightweight Directory Access Protocol) group or branch to it.
Configuration -> User Groups -> Update User Group | Operator can update any user group and assign any LDAP group or branch to it.
Configuration -> Roles -> New Role | Operator can create a new role with other rights.
Configuration -> Roles -> Update Role | Operator can modify any existing role, including their own (for instance, by unchecking the "Operator-Dependent" access restrictions).
Configuration -> Operators -> New Operator | Operator can assign any group to the newly created operator. There is no user group notion here.
Configuration -> Operators -> Update Operator | Operator can modify any other operator's rights (excluding their own).
If access to the tasks listed in the table above is not disabled, an operator holding the associated privileges will be able to create a new operator with elevated access rights.
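The following is an added example, not HID Global's tooling: a small audit that takes role definitions exported from a deployment and reports every role that still enables one of the six escalation-capable tasks from the table. The input shape (a mapping of role name to the set of enabled Services tasks) and the non-configuration task names in the sample are assumptions.

```python
"""Audit ActivID CMS operator roles for the escalation tasks in the table above.
Added example; input format {role name: set of enabled tasks} is an assumption."""
from typing import Dict, List, Set

UPDATE_ROLE = "Configuration -> Roles -> Update Role"

# Task -> why it matters, taken from the recommendations table.
ESCALATION_TASKS: Dict[str, str] = {
    "Configuration -> User Groups -> New User Group": "can assign any LDAP group or branch to a new user group",
    "Configuration -> User Groups -> Update User Group": "can assign any LDAP group or branch to any user group",
    "Configuration -> Roles -> New Role": "can create a role with other rights",
    UPDATE_ROLE: "can modify any existing role, including its own",
    "Configuration -> Operators -> New Operator": "can assign any group to a newly created operator",
    "Configuration -> Operators -> Update Operator": "can modify any other operator's rights",
}


def audit_roles(roles: Dict[str, Set[str]], admin_roles: Set[str] = frozenset()) -> List[dict]:
    """Return one finding per role that enables any escalation task.
    Roles listed in admin_roles are expected to hold them and get severity 'expected';
    a role that can rewrite its own definition (Update Role) is 'critical', others 'high'."""
    findings = []
    for name, tasks in roles.items():
        hits = sorted(t for t in tasks if t in ESCALATION_TASKS)
        if not hits:
            continue
        if name in admin_roles:
            severity = "expected"
        elif UPDATE_ROLE in tasks:
            severity = "critical"  # operator can widen its own role directly
        else:
            severity = "high"
        findings.append({"role": name, "severity": severity, "tasks": hits,
                         "reasons": [ESCALATION_TASKS[t] for t in hits]})
    return sorted(findings, key=lambda f: f["role"])


# Constructed sample role set; the non-Configuration task names are made up.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "Security Administrator": set(ESCALATION_TASKS),
    "Help Desk": {"Cards -> Unlock (constructed)", UPDATE_ROLE},
    "Enrollment Operator": {"Cards -> Issue (constructed)",
                            "Configuration -> Operators -> New Operator"},
    "Auditor": {"Reports -> View (constructed)"},
}

if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES, admin_roles={"Security Administrator"}):
        print(f"[{f['severity']}] {f['role']}: " + "; ".join(f["reasons"]))
```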
ActivID CMS Keystore
The ActivID CMS keystore is located in the ActivID CMS AIMSEE database, which is protected using a master key that can only be accessed using the security key password (that is supplied during the ActivID CMS install). The ActivID CMS keystore contains the following credentials:
- ActivID CMS account configuration for accessing third-party systems (for example, LDAP and a variety of CAs)
- Database user passwords
- HSM PIN (if required)
Client, Web Server, and Root Certificates
ActivID CMS uses certificates for internal SSL authentication between its servers (for example, between the Operator Portal and the card content server) and for mutual authentication between the Portal server and the client (Operator) systems. For example, a Web server certificate must be issued to the site hosting the ActivID CMS site, and a client certificate is used whenever a component requires client authentication (for example, the card content server authenticating to the ActivID CMS Portal). In addition, ActivID CMS verifies that the certificate being used to authenticate is signed by a trusted CA.
The client, Web server and CA root certificates are all typically requested, issued, and installed as part of the initial ActivID CMS installation. During ActivID CMS installation, certificates can either be self-generated (ActivID CMS-generated and signed certificates), or you can use certificates that have been requested and signed by your organization’s issuing CA (this is considered more secure and is recommended for your production deployments). The client certificate is a password-protected .pfx file.
It is recommended that a procedure for renewing the client, Web server and CA root certificates be implemented and followed. Specifically, it is recommended that the passwords for the .pfx files be securely stored to make the certificate renewal process more secure and efficient.
Derived Credential Certificates and Keys
For issuing derived credentials, ActivID CMS is also configured by default to use auto-generated certificates and signing keys (OTA Certificate, SCEP Certificate, Device Root certificate). These credentials are used to protect the personalization process of derived credentials.
PIN Management
The PINs of Operator cards must be changed on a periodic basis (every 30, 90, or 180 days) with 90 days being the recommended interval.