Enrolling with PIV and PIV-I Velocity Enrollment Manager



Similar documents
Velocity 3.1 KB640 Release Notes

Smart Cards and Biometrics in Physical Access Control Systems

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

Required changes to Table 6 2 in FIPS 201

Strong Authentication for PIV and PIV-I using PKI and Biometrics

GSA FIPS 201 Evaluation Program

intertrax Suite intertrax exchange intertrax monitor intertrax connect intertrax PIV manager User Guide Version

solutions Biometrics integration

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Practical Challenges in Adopting PIV/PIV-I

Audio: This overview module contains an introduction, five lessons, and a conclusion.

The Convergence of IT Security and Physical Access Control

NIST Test Personal Identity Verification (PIV) Cards

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

The Convergence of IT Security and Physical Access Control

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2

Glossary (from the Velocity 3.5 SP1 Online Help)

Employee Express - PIV Card Registration Instructions

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way.

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

intertrax MOBILE PIV

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May By Lynne Prince Defense Manpower Data Center

STATEMENT OF WORK. For

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

SAGEM MA520 READERS FINGER & SMART CARD ENROLLMENT

US Security Directive FIPS 201

Expiring Certificates on LincPass Cards

Allegion AD-300 Installation Application Note. 1.0 Hardware Requirements. 2.0 Software/Licensing Requirements

NACCU Migrating to Contactless:

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

Issuance and use of PIV at FAA

Jolly Encoder Configuration Guide

Using the ievo fingerprint reader with Net2

U.S. Department of Housing and Urban Development

IDaaS: Managed Credentials for Local & State Emergency Responders

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Check Point FDE integration with Digipass Key devices

I N F O R M A T I O N S E C U R I T Y

User Guide Remote PIV to VDI Using a PIV Card

S-SupremaConfigurationGuide-DOC 7/23/2014. Suprema Biometrics Configuration Guide ACS OnSite Aparato

The Government-wide Implementation of Biometrics for HSPD-12

Physical Access Control System (PACS) in a Federal Identity, Credentialing and Access Management (FICAM) Framework

Get Smart Card Ready. How to Recover Your Old (Expired) Certificates

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

How to Use Your LincPass Credential

Edge Metrics Data Center User Manual

HSPD-12 Homeland Security Presidential Directive #12 Overview

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

Physical Access Control with BACnet White Paper

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Tactics, Techniques, & Procedures (TTP) Dual Persona Personal Identity Verification (PIV) Authorization Certificate

Document Digital Signature

Guard All Security Symposium. Identity and Access Management

L-1 Fingerprint Reader Solutions. V-Flex 4G

Electronic Access Control Solutions

Contactless Solutions

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

MULTI-FACTOR AUTHENTICATION SET-UP

Comodo Mobile Device Manager Software Version 1.0

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

PIV Data Model Test Guidelines

ACCESS CONTROL SYSTEM

Basic Mercury Powered NXT Configuration in Doors.NET TM Application Note. 1.0 Adding an NXT-MSC Controller to the NXT Gateway

Token User Guide. Version 1.0/ July 2013

PrivateServer HSM Integration with Microsoft IIS

Moving to Multi-factor Authentication. Kevin Unthank

Velocity Web Services Client 1.0 Installation Guide and Release Notes

Secure Held Print Jobs. Administrator's Guide

BIOMETRIC SOLUTIONS 2013 ISSUE

No additional requirements to use the PIV I card for physical facility access have been identified.

How to setup a network printer using HP Universal Printer Driver

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Version 2.3

Justice Management Division

Comodo Web Application Firewall for Plesk Software Version 2.11

Emergency Response Official Credentials A Smart Card Alliance White Paper. Salvatore D Agostino CEO, IDmachines LLC sal@idmachines.

Digitus Biometrics Product Catalogue. Request a quote or design assistance by ing sales@digitus-biometrics.com or calling

SYMMETRY PRODUCT OVERVIEW

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering

Computer prepare to work with the eid card using Internet Explorer

Fingerprint Identity User Manual for the Griaule Biometric Framework Rev 1.00

User Guide Remote Access to VDI/Workplace Using PIV

Application Note. Example of user log on Magelis HMI with XB5S5B2L2 biometric switch. Advanced Technical Support - Brazil. Version: 1.

SYMMETRY. DATASHEET ACCESS CONTROL Product Overview

Comodo One Software Version 1.8

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Administration Guide ActivClient for Windows 6.2

10713 N FM 620 Suite 201 Austin, TX FA ONE version 4.0 Server Installation and Setup Guide FA, Inc.

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

support HP MFP Scan Setup Wizard 1.1

Aperio Online. Aperio. Online Programming Application Manual. Aperio Online Quick Installation Guide, Document No: ST A, Date: 8 juli 2013

Transcription:

Enrolling with PIV and PIV-I Velocity Enrollment Manager

Overview The Homeland Security Presidential Directive 12 (HSPD-12) called for a common identification standard to be adopted by all Federal Government Agencies. The Person Identity Verification (PIV) credential has been issued to over 8 million Federal employees (almost four million people). The PIV credential is a smart card operating at 13.56 MHz with a specific data module called End-Point. Certain data is available by a free read, while other personal data requires a personal (secret) PIN (personal identification number) to access (for example the required biometric fingerprint data). PIV card users can utilize their cards in Physical Access Control Systems (PACS) in a number of ways based on the required level of assurance at the specific locations they are permitted to access. At the lowest level of assurance a free read of the Card Holder Unique Identifier (CHUID) data object, and at the highest level of assurance, a multi-factor authentication using Public Key Infrastructure (PKI). The CHIUD contains a Federal Agency Smart Credential (FASC-N), which is used to enroll a user in Velocity, providing a unique credential number for use in the Physical Access Control System (PACS). In a PKI implementation, the FASC-N is used but the certificates on the card (the card certificate in the case of contactless CAK and the Person Certificate in the case of contact PAK ) are used to validate the card and user. For Government contractors, cards are issued with the same card data module, and the same CHUID, however the first three fields of the FASC-N contain only 9 s. These cards are called PIV-I (interoperable). Correct implementation of these cards requires the PACS to utilize the Universal Unique Identification (UUID) number rather that the FASCN. PIV-I cards include the PKI certificates that enable the CAK/PAK schema. Velocity provides the ability to enroll PIV cards on HIRSCH PACS with the appropriate read and MATCH custom settings. The following pages will assist in establishing the devices and Enrollment Manager Settings to enroll the PIV and PIV-I cards into the Velocity system. Page 1

To have the PIV read into the Velocity access control system the following setups need to be established. 1. Create the following User Defined Fields in Enrollment Manager. Name Parsing Text Agency Code System Code Credential Credential Series Individual Credential Issue Person Identifier Organizational Category Organization Identifier Person Org Assoc Category Expiration Date Date Locate under Enrollment Manager > Tools > User Defined Fields. Figure 1 - User Defined Fields Page 2

2. For PIV the Name field must be Parsed, split between First, Middle and Last Name. Properties Enrollment Manager Tools > Preferences Change the UDF Name Parsing field to the UDF defined. Figure 2 Enrollment Manager Preferences 3. Establish the device for reading the card and install by USB. The driver for the device must be downloaded from the internet as Velocity does not supply the driver. a. SCR3310 b. SCR3311 Figure 3 - CRSCMCEUSB Card Reader Page 3

4. The RUU device may also be used to enroll the PIV card. Be sure to have the correct firmware installed on the device using the Cogent software. This will allow for the addressing TCP/IP and will enable the choice for enrollment on the Device Configuration RUU tab. Figure 4 - RUU PIV version 5. If an Enrollment Station is being used, the Special Handling needs to be established under Device Configuration. Enrollment Manager > Tools > Device Configuration > Credential Enrollment Figure 5 - Device Configuration Special Handling Note: The reader used for the enrollment must have the MATCH custom settings as well as the correct firmware for the data to pass correctly into the Enrollment Manager Fields. Page 4

6. Select Enrollment Manager Tools > Device Configuration and map the UDF fields to each device used for card reads. Figure 6 UDF Field Mapping for Enrollment Click and Drag to UDF Field. Note: For PIV-I cards, the UDF Field of UUID/GUID is the only field that is necessary to map for credentialing. This field will need to be added to the UDF Fields if both types of cards are being enrolled into Enrollment Manager if previously not added. Enrollment Manager > Tools > User Defined Fields be sure to select Unique Text as the UDF type. 7. Close and reopen Enrollment Manager. There should now be a scan button 8. Select Add Person and select the scan button. Page 5 Figure 7 - Card Reader PIV Figure 8 Users PIN code to unlock data.

9. Select the device to read the card if multiple devices are being used. 10. To read all the fields, the card holder will need to enter their PIN to unlock the card. This applies to both PIV and PIV-I card. Once OK is selected, the card will read and the fields will show the data. [Give it a few seconds, and the data will fill in the fields above, and also the output window.]. 11. Click Accept for the data to populate the UDF fields in Enrollment Manager. Figure 10 Scanned Data from PIV/TWIC Card Page 6 Figure 9 Enrolled TWIC from Scan Note the UUID/GUID is all zeros.

12. Click Apply to download. You are now ready to issue a credential. Page 7

For PIV Credentials - 200 bit FASCN 13. Add New Credential Figure 11 - Add New Credential - UDF MATCH Note: The PIV and PIV-I cards may use IDF 2 for use with just the card presented at the reader. If any other IDF is selected, a PIN will be required. This should never be the secret PIN that the user has to unlock the data on the card. The 200-bit FASCN will populate the UDF concatenate window. Select the corresponding UDF fields created and click OK. This will produce the FASCN that will be used for the card read. Page 8

To locate the UDF concatenate window, select the UDF button on the Data field. Figure 12 UDF button on Credential General Tab This will supply a 32 digit number in both the Data field and the FASCN field. Figure 13- FASCN Assignment Select the Function Tab and assign the appropriate Door Group for this individual. All Limits o Threat Authority and 2 Person Rule may be assigned Options o Special Needs Access and Passback Executive Override may be assigned Click OK and the PIV credential has been issued. Verification of download may be seen in the Event Viewer. Page 9

For PIV-I Credentials The UUID/GUID is the unique text that is used for the credential. Using the contact reader, the card will be read just like the PIV card, with the addition of the UUID. To read all the data the card holder will also need to enter their PIN number. NOTE: The PIV-I card has 9999 instead of a Government Agency Code. Assign a Door Group function and any Limits or Options for this credential. Figure 14 - PIV-I card with PIN Figure Identive 15 The UUID/ Learning GUID Center will have 1900 numbers Carnegie and Building letters. B Santa Ana, California 92705 949-250-8888 Page 10

.Door Properties - PIV HID iclass reader with 200 bit firmware using a MATCH2 set with Custom 27-28 - 29 Entry Reader Setup Tab Special Handling- 200 bit FASCN Bypass Present PIV card and access granted. Figure 16 - Entry Reader Settings Note: MATCH special settings for the corresponding bit formats 64 bits Custom 24,25,or 26 75 bits Custom 18, 20 or 21 128 bits Custom 18,20,21,24,25,26,27,28,and 29[PIV only] 200 bits Custom 27,28,or 29 Note: Along with the MATCH custom settings, the firmware on the reader must also correspond to the bit format. Page 11

For PIV-I cards HID iclass with 128 bit firmware and MATCH2 with Custom 27-29 The PIV-I card uses the FASCN Bypass to allow the UUID to be used Along with the Wiegand HEX Pass-through, the card reads the same at the door The Door Properties is different, using the Enable Wiegand Hex Pass- Through to enable the UUID/GUID to pass through Presented to the reader, the PIV-I card will issue an access grant If the reader has the ability to read both formats, then the cards enrolled will read by presenting the card o If the Agency Code is all 9s the reader will pass through the UUID Velocity Enrollment Manager has all the ability to read both PIV and PIV-I cards. The trick is to make sure all the corresponding devices are established with the correct formats. Enrollment Station o MATCH Custom settings o Reader firmware Device Configuration o User Defined Fields to map the data o Name Parsing is PIV cards are being read Scanning the card o PIN needed for name field Door Properties o Reader settings Page 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information