SmartCMS - Bit4id | Support
Bit4id Italia
Via Diocleziano, 107
80125 – Napoli
Tel. +39 081 7625600
Fax. +39 081 19731930
Rome
Piazza Marconi, 15
00144 – Roma
Tel. +39 06 3280 3633
Fax. +39 06 3280 3631
www.bit4id.com
Milan
Tel. +39 02 40042990
Fax. +39 02 45500675
www.bit4id.com
Bit4id Iberica s.l.
Barcelona
Barcelona Advanced Industry Park
C/ Marie Curie, 8-14
08042 – Barcelona
Tel: +34 902 60 20 30
Lisbon
Alameda Bonifácio Lázaro Lozano, 13
Edificio B – 1º E
2780-125 Oeiras (Lisboa)
Tel: +351 214 694 060
Fax: +351 214 694 069
Lima
Mártir Olaya, nº 129
Oficina 1102
Centro Empresarial Pardo, torre A
(Miraflores) – Lima
Tel: +(51) 1 242 9994
Guatemala
5ª Avenida, 15-45 zona 10, Torre 1,
oficina 206
Condominio Centro Empresarial
01010 – Guatemala
Tel: +502 44888144
Bit4id Ltd
London
2 London Wall Buildings
London EC2M 5UU – UK
Tel. +44 1422 570673
Fax +44 20 78553780
SmartCMS
PKI infrastructure for issuance and management
of cryptographic devices and digital certificates
THE BEST INFORMATION
TECHNOLOGY 4 IDENTIFICATION
WWW.BIT4ID.COM
pag. 2 di 39
Summary
1 EXECUTIVE SUMMARY 4
2 COMPANY PROFILE 5
2.1 QUALITY CERTIFICATES 5
2.2 REFERENCES AND MAIN CUSTOMERS 6
3 OVERVIEW OF THE PROPOSAL 9
4 TECHNICAL FEATURES OF SMARTCMS 11
4.1 ARCHITECTURE 11
4.1.1 CLIENT 11
4.1.2 WEB SERVER 13
4.1.3 APPLICATION SERVER 14
4.1.4 DBMS 14
4.1.5 CA SERVICE GATEWAY 15
4.1.6 SCALABILITY 15
4.1.7 MODULARITY 15
5 SMARTCMS WEB INTERFACE 17
6 FUNCTIONAL FEATURES OF SMARTCMS 22
6.1 FUNCTIONAL ARCHITECTURE 22
6.2 ORGANIZATIONS, DIVISIONS AND OFFICERS MANAGEMENT 22
6.3 AUTHENTICATION MODULE 24
6.4 USERS PROFILE 24
6.5 OPERATORS MANAGEMENT 28
7 PERSONAL DATA MODULE 28
8 MANAGEMENT OF SECRET CODES 29
9 AUDITING – TRACKING OPERATIONS 30
10 DEVICE CUSTOMIZATION 31
11 ENROLMENT OF DIGITAL CERTIFICATES 33
12 PREDEFINED FLOWS OF PROVISIONING 34
13 CERTIFICATE RENEWAL 35
14 API 36
15 MANAGEMENT AND ADMINISTRATION TOOLS 37
15.1 INTERACTIVE SHELL 37
15.2 DATA BACKUP AND RESTORE 37
15.3 SUPPORT TO FIXTURES 37
15.4 SUPPORT TO AUTOMATIC MIGRATIONS 37
15.5 ENVIRONMENT AWARE CONFIGURATION 38
15.6 UPDATE WITH HOT SWAP 38
15.7 ADVANCED LOGGING SYSTEM 38
16 MONITORING 39
1 Executive summary
Bit4ID has successfully developed many Governmental and Enterprise Public Key Infrastructures and Credential Management Systems. With over 10 million enrolled users, ranging from state officials to physicians, from train drivers to business owners, our systems are key components for many organizations and central state bodies, offering unparalleled flexibility and exceptional integration with existing infrastructures and business procedures, and delivering value to our users across the entire life-cycle of digital certificates.
This document presents the architecture and the main features of smartCMS, a top-notch Public Key Infrastructure System designed and developed by Bit4ID.
SmartCMS is the synergy of the most advanced PKI building blocks that Bit4ID has
improved to perfection bringing new features, a modularized architecture and
playing as a cornerstone of our digital DNA architecture and vision.
This paper shows how Bit4ID smartCMS harmonizes the various elements of a PKI infrastructure with business processes, and illustrates Bit4ID's relevant skills in the design and deployment of integrated and comprehensive solutions.
The workflows, processes and configurations discussed in this document represent only a limited subset of all the customizations achievable with smartCMS; they have been chosen to illustrate the flexibility of the system. SmartCMS can accommodate the needs and processes of any complex organization: in the initial phase of project deployment, the Bit4id development team gathers detailed requirements from the customer in order to tailor the solution to the customer's specific use case.
In the following we will discuss and present the key features of smartCMS:
Multi-tier architecture with web based interface
Role-based access control with multiple authentication methods
Customizable authorization workflows, certificates templates, data forms
Multi-tenancy of client organizations on the same platform with complete separation of user data and access rights
Multiple CAs can be used in the back end to issue certificates
Batch import of users from external DBs and directories
Web services interfaces: HTTP REST, SOAP, JS
2 Company profile
Founded in 2004, Bit4id operates in the information security industry and in particular
in the "digital identity" industry, as suggested by the company name itself: Bit4id -
Best Information Technology for Digital Identity.
Bit4id develops and markets products, systems and services based on PKI technology, with applications and customers in the areas of public administration, banking, Trusted Service Providers (Certificate Authorities), system integrators and, in general, wherever digital signature, authentication and encryption capabilities are required. The marketed products and systems are developed and manufactured in Bit4id's research and development center in Naples. Group turnover exceeds 10 million Euros, with approximately 100 people employed in offices in Italy (Naples, Rome, Milan), Spain (Barcelona), Peru (Lima), the UK (London) and India (New Delhi).
The range of products and systems by Bit4id includes four market segments:
Hardware devices such as smartcard readers and cryptographic tokens for authentication and digital signature;
Software and client-side applications such as drivers and system libraries for interfacing applications to cryptographic devices (PKCS#11, CSP, TokenD, ...), and applications for digital signatures and encryption;
Strong authentication systems on corporate networks or the Internet and single sign-on systems with token or smartcard (for example with the Regional Service Card or Electronic Identity Card), and massive digital signature systems for dematerialization;
Services and projects for authentication, digital signature and encryption, with the registration of users interfacing a Trusted Service Provider to issue digital certificates, both on tokens and remotely.
From the geographical point of view, Bit4id has a recognized leadership position in Italy, a strong presence in Spain, and numerous customers in other European countries (mainly Portugal, Poland, Bulgaria, Czech Republic, Slovenia, Romania, Hungary), South America (Peru, Ecuador), India and Macao in China.
2.1 Quality certificates
Bit4id has the following quality certificates:
ISO 9001 (Quality Management System) for the design, production and sale of
solutions, ICT systems and products;
ISO 14001 (Environmental Management System) for the design, production
and sale of solutions, systems and ICT products;
ISO 27001 (the Information Security Management System) for the design,
production and sale of solutions, ICT systems and products.
2.2 References and main customers
The main references of Bit4id related to technologies and solutions for digital
signature, PKI infrastructure and devices are shown in Table 1. These references list
first PKI systems, then digital signature systems and finally cryptographic tokens and
smart cards.
Among the main customers of Bit4id we highlight the following:
Trusted Service Providers
o ArubaPEC
o Poste Italiane
o InfoCert
o Actalis
o Namirial
o Banca Intesa
o Telecom Italia Trust
o Notartel
o Camerfirma (Spain)
o RedAbogacìa (Spain)
o Firmaprofessional
o Izenpe
o Microsec (Hungary)
o Trans Sped (Romania)
o Prvini Cert. Auth. (Czech Republic)
o GSE (Colombia)
o Camerdata (Colombia)
o E-Sign (Chile)
o CertChile (Chile)
o CertiNet (Chile)
o Consejo de la Judicatura (Ecuador)
o Macao Post (China)
o Haryana Elect. Dev (India)
o E-Mudhra (India)
Professional bodies
o Società Italiana Autori ed Editori
o CGCOM (Spain)
o Oficina de Normalizacion Previsional (Peru)
o Superintendencia Nacional de los Registros Publicos (Peru)
Hospitals and Regional Health Systems
o Regione Veneto
o ULSS Treviso
o ULSS Taranto
o ULSS Rovigo
o ULSS Legnago
o ULSS Adria
o Azienda Ospedaliera Papa Giovanni XXIII Bergamo
o Azienda Ospedaliera S. Anna Ferrara
| Customer | Project | Year |
| --- | --- | --- |
| Uanataca (Spain) | Complete PKI (CA, Sub-CA, RA, VA, TSA) | 2016 |
| OMC - Consejo General De Colegios Oficiales De Medicos (Spain) | Registration Authority Software, Credential Management System and Enrollment Station | 2015 |
| Asetelsos CIA. Ltda (Ecuador) | Complete PKI (CA, Sub-CA, RA, VA, TSA) and PKI tokens | 2014 |
| Trenitalia SpA (Italy) | Credential Management System and PKI tokens | 2014 |
| Notartel S.P.A (Italy) | Complete PKI and Remote Digital Signature System | 2012 |
| Aruba PEC S.P.A (Italy) | Registration Authority Software, Credential Management System and Enrollment Station | 2010 |
| Hospital Clinic Barcelona (Spain) | Web-based digital signature system | 2016 |
| Cybersec (Peru) | Automated Batch Signature Server and Time Stamping Server | 2016 |
| Gestores (Spain) | Remote Digital Signature System | 2016 |
| Insolutions for Banca BBVA (Peru) | Automated Batch Signature Server and Time Stamping Server | 2015 |
| Postecom (Italy) | Digital signature software client | 2014 |
| Notartel (Italy) | Validation Authority Server | 2010 |
| Società italiana autori ed editori (Italy) | Automated Batch Signature Server and Time Stamping Server | 2009 |
Table 1 – Most relevant references of the projects developed by Bit4id.
3 Overview of the proposal
SmartCMS is the result of the expertise, experience and successful projects completed by Bit4id.
Our many satisfied customers are the best guarantee of the quality and reliability of the product, from the point of view of its functional and technical characteristics and especially of its security features.
SmartCMS is the Bit4id solution for the management of the entire lifecycle of
cryptographic objects and security devices (key pairs, digital certificates, smart
cards, tokens) from the issuance until the natural expiration or destruction.
SmartCMS offers every component and functionality needed for the key operations in the provisioning of cryptographic credentials and security devices. It is characterised by extreme ease of user registration, speed of enrolment and flexibility of credential and device management.
SmartCMS offers a complete set of functionalities for the electrical and graphical
customisation of devices through a user-friendly GUI that utilises the most powerful
navigation metaphors typical of high performance web applications.
The present document explains both the technical and functional features of
smartCMS, also describing the default workflow for the enrolment and provisioning
of cryptographic devices and certificates.
Nevertheless the support for other workflows is possible by properly configuring the
system during deployment.
smartCMS flexibly manages:
smartcards, both contact and contactless, from multiple vendors as long as a
suitable PKCS#11 interface is provided
a wide range of possible applications (E-government, Payment, Corporate,
Healthcare, EMV, Education, Fidelity, Ad Hoc)
native integration with different Italian and international Trusted Service
Providers
native integration with several certification authority software
the most common relational DBMS on the market
SmartCMS minimizes the time and cost associated with the deployment and management of smart cards, tokens and digital certificates in general.
SmartCMS is a system completely designed and developed in Italy, based on the
long experience on PKI (Public Key Infrastructures) projects implemented both in
Italy and in the international market by Bit4id.
SmartCMS benefits from a large number of installations and therefore it is a mature
product specific for managing the lifecycle of cryptographic objects such as key
pairs, digital certificates, smartcards, and e-ID cards.
The proposed solution is characterised by:
performance and scalability
ease of use and efficiency
cost-effective installation, maintenance and update
use of high quality and reliable solutions, products and technologies
flexibility of customization
modularity and expandability
Therefore smartCMS is the most complete RA and Digital Certificate Management
System on the market that also includes all the functionalities needed for managing
cryptographic devices, from issuance to expiration/destruction:
Registration
Production
Life-cycle management
User Profile Management
Certificate Profile Management
Graphical Customisation
Profile Management
Generation/Import of Secret Codes
Management of the paper documentation associated with issuance
4 Technical features of smartCMS
In this section we describe in detail the technical features of smartCMS. The system has been developed with a highly modular architecture in order to meet the needs of customers ranging from small to large enterprises.
4.1 Architecture
SmartCMS is implemented as a multi-tier web application based on open standards
and therefore can be used through an internet browser.
The system architecture has been designed keeping in mind two main factors:
1. Simplicity and flexibility of deployment
2. General scalability of the system
The general architecture of the system usually presents the interaction of the five
following elements:
1. client
2. webserver
3. application server
4. database server
5. gateway to the CA services
A high-level overview of the system architecture is given in Figure 1.
4.1.1 Client
In the smartCMS software architecture, the client is used, with different privileges, by the different types of system users (and, in configurations with self-service functionalities, directly by cardholders).
The client is a standard internet browser with an additional browser extension, developed by Bit4id and called Universal Key Chain (UKC), that allows interaction with the different hardware components required by the specific type of enrollment, such as smartcard readers, tokens, printers, webcams, etc.
The UKC is a sandbox that allows the automatic and safe distribution of digitally signed applications to extend the browser capabilities quickly and efficiently, so as to enable functions like smartcard logon, interaction with smartcard printers and other functions that would otherwise require the installation and configuration of dedicated applications.
Figure 1. Registration Authority Software Architecture.
The UKC has an automatic update function that makes the distribution of fixes and the release of additional features easy and convenient.
Installation and use of the UKC do not require administrative rights, and are therefore possible even when users have a profile with limited permissions.
Furthermore, to guarantee a “zero-stress” experience even for enterprise users, the UKC uses the browser configuration for all activities requiring internet access, thus exploiting the proxy configuration already set on client systems without the need for additional actions.
The UKC for Microsoft Windows operating systems supports the following browsers:
Internet Explorer
Mozilla Firefox
Google Chrome
The web application is built according to the most recent and established standard
web technologies, like semantic HTML5 and standard CSS, guaranteeing the
maximum efficiency and compatibility with modern and common internet
browsers.
The client interacts with the webserver by using the standard HTTPS protocol.
4.1.2 Web Server
The web server is the component of the architecture responsible for receiving and answering requests from the clients, with the highest efficiency and security.
The SmartCMS back-end is based on the open source web server Nginx, among the most reliable and fastest web servers available on the market.
This component directly deals with all the static resources that are part of the
graphical interface (images, CSS, JavaScript, etc.) and talks with an Application
Server to deal with the requests that require dynamic processing.
The web server architecture is robust, scalable and secure. It consists of a master process and a number of configurable worker processes that run under an unprivileged user profile, and it offers a very low memory footprint (10,000 inactive HTTP keep-alive connections consume only 2.5MB of memory).
Nginx runs on various OS platforms such as UNIX, GNU/Linux, BSD, Mac OS X, Solaris and Windows. Important features are HTTP/1.1 support, SSL, SNI, TLSv1.1 and TLSv1.2, FastCGI, with simple load balancing and fault tolerance.
4.1.3 Application Server
The application server is implemented as a standard WSGI application using the
multiplatform Python language.
This layer is modular and completely decoupled from any external system with
which it communicates only through adapters on specific interfaces.
In particular, the interaction with the DB server is implemented through a DB adapter that guarantees full support for the most common DBMSs, both commercial and open source, such as PostgreSQL, MySQL, Oracle and many others.
This solution, in addition to the obvious advantages of decoupling and compatibility with different DBMSs, allows exploiting the communication protocols and specific optimizations of the selected system, preserving performance that would otherwise be lost in favor of compatibility.
The application server is equipped with administrative interfaces for the monitoring
and tuning of performance and it is configurable to produce the desired level of
log messages that can be redirected to a standard log server.
The system supports updates without service interruption through hot swap: the most recent version is installed and tested automatically in a separate context from the version in use, and then replaces it immediately, without interruption for the connected users. In case of problems it is possible to roll back to the previous version, automatically or at the request of the system administrator.
4.1.4 DBMS
The DBMS is a key component of the architecture: the DBMS stores all the system
data and all the data of the user session.
The DB server is a completely transparent component of the application architecture thanks to the level of indirection offered by the DB Adapter.
All the configurations possible with the DBMS chosen for the installation are therefore supported:
1. Clustering
2. Automatic replication
3. Sharding
Being a relational database, the database structure is as important as the data itself, and very often after an application update (or a new module installation) changes have to be applied to both the tables and the relations of the database. The update process is particularly delicate since all changes to the database structure have to be performed without data loss.
The DB Adapter of the CMS provides full support for data migration. It allows defining procedures that describe the changes to the database structure; these can be executed transactionally (forward and backward), safely applying all the necessary changes to the data in the database.
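As an added illustration (not smartCMS's own DB Adapter), the following Python models a forward/backward migration runner of the kind described above on an in-memory SQLite database, including a deliberately broken step to show that a failed migration leaves neither schema changes nor a wrong recorded version behind. Table names, columns and the migrations themselves are constructed for the example.

```python
"""Transactional schema migrations with forward and backward steps.

Added illustration, not smartCMS code: it models the section 4.1.4 idea of
migration procedures that describe forward and backward structure changes
and run transactionally, without data loss. All table and column names are
constructed for the example.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, List, Tuple

Step = Callable[[sqlite3.Connection], None]


@dataclass(frozen=True)
class Migration:
    version: int
    description: str
    forward: Step
    backward: Step


def open_db() -> sqlite3.Connection:
    # isolation_level=None disables the driver's implicit transactions, so the
    # explicit BEGIN/COMMIT/ROLLBACK below covers DDL and DML together
    # (SQLite DDL is transactional).
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE IF NOT EXISTS schema_version (version INTEGER PRIMARY KEY)")
    return conn


def current_version(conn: sqlite3.Connection) -> int:
    row = conn.execute("SELECT COALESCE(MAX(version), 0) FROM schema_version").fetchone()
    return int(row[0])


def table_columns(conn: sqlite3.Connection, table: str) -> List[str]:
    # Returns an empty list when the table does not exist.
    return [r[0] for r in conn.execute("SELECT name FROM pragma_table_info(?)", (table,))]


def _m1_fwd(conn):
    conn.execute("CREATE TABLE holder (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")


def _m1_back(conn):
    conn.execute("DROP TABLE holder")


def _m2_fwd(conn):
    # Existing rows are kept; the new column is NULL for them.
    conn.execute("ALTER TABLE holder ADD COLUMN device_serial TEXT")


def _m2_back(conn):
    # Portable DROP COLUMN: copy the rows to keep, then swap the tables.
    conn.execute("CREATE TABLE holder_new (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO holder_new (id, name) SELECT id, name FROM holder")
    conn.execute("DROP TABLE holder")
    conn.execute("ALTER TABLE holder_new RENAME TO holder")


MIGRATIONS = [
    Migration(1, "create holder table", _m1_fwd, _m1_back),
    Migration(2, "add device_serial to holder", _m2_fwd, _m2_back),
]


def migrate(conn: sqlite3.Connection, target: int, migrations=MIGRATIONS) -> int:
    """Bring the schema to `target`, one transaction per migration step.

    A step that fails is rolled back in full (its DDL included) and the error
    is raised, so the recorded version always matches the real schema.
    """
    cur = current_version(conn)
    if target >= cur:
        plan = [(m, True) for m in migrations if cur < m.version <= target]
    else:
        plan = [(m, False) for m in reversed(migrations) if target < m.version <= cur]
    for m, forward in plan:
        conn.execute("BEGIN")
        try:
            if forward:
                m.forward(conn)
                conn.execute("INSERT INTO schema_version (version) VALUES (?)", (m.version,))
            else:
                m.backward(conn)
                conn.execute("DELETE FROM schema_version WHERE version = ?", (m.version,))
            conn.execute("COMMIT")
        except Exception as exc:
            conn.execute("ROLLBACK")
            raise RuntimeError(f"migration {m.version} ({m.description}) failed") from exc
    return current_version(conn)


def _broken_fwd(conn):
    conn.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY)")
    conn.execute("INSERT INTO no_such_table VALUES (1)")   # deliberate failure


BROKEN_STEP = Migration(2, "deliberately broken step", _broken_fwd, lambda c: None)


def demo_rollback() -> Tuple[int, List[str]]:
    """Run a good step then the broken one: the broken step's DDL must vanish
    and the recorded version must stay at 1."""
    conn = open_db()
    try:
        migrate(conn, 2, [MIGRATIONS[0], BROKEN_STEP])
    except RuntimeError:
        pass
    return current_version(conn), table_columns(conn, "audit")
```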
4.1.5 CA Service Gateway
This component has been designed to decouple the system from the specific web services offered by each CA software or Trusted Service Provider for the issuance of certificates and the management of their lifecycle (suspension, reactivation and revocation). This allows smartCMS to work simultaneously with different certificate providers; in other words, it acts as a CA broker.
It permits interaction with different CA software using the specific protocols and interfaces of the chosen system, without impact on the core system.
4.1.6 Scalability
The entire system has been designed from the beginning with the clear intent of
ensuring scalability. This is achieved by appropriately choosing the components
amongst the best available on the market and designing an application without
particular constraints for the architecture scalability.
In particular, the Application Server contains a completely stateless application. This
means that the application does not keep in the memory any information related
to the state of the application and to the user sessions.
All the information related to the state is kept and indexed efficiently in the DB
Server.
It is therefore possible to increase as desired the number of nodes in the Application
Server, because each request can be fulfilled in the same way by each of the
nodes.
The same can be said of the web server nodes that support the most common and
established techniques of load balancing and failover.
4.1.7 Modularity
SmartCMS was developed with a modular architecture to allow for easy
configuration of the system to cope with different scenarios.
The primary goal in the design of the smartCMS architecture was to ease the modeling of the data workflow (input and output) and to reduce the costs of integration into existing architectures. The system is made of a main component decoupled from the different modules, and it is configured using the IoC (Inversion of Control) pattern. The dependencies on external modules are not specified in the code, but are injected through the configuration of an IoC container.
This allows achieving two very important advantages:
Independence from implementation: since the modules are concrete implementations of well-defined application interfaces (by interface we mean the set of messages that an object can receive, as in an object-oriented programming language), modifying a module, or even replacing it completely, does not interfere with the behavior of the other parts of the system.
No need for initialization code: all systems designed with common imperative programming languages need some sort of initialization instructions. These contain a direct reference to the dependencies, or to a service locator, a component queried to obtain the correct reference to the dependency to be used. With the IoC pattern this need does not exist, removing the very reason for initialization code. Also, thanks to this approach, it is not necessary to re-compile the entire system.
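The following Python, added here as an illustration rather than smartCMS code, sketches the CA Service Gateway of section 4.1.5 wired IoC-style as in section 4.1.7: the gateway knows only an adapter interface and the allowed lifecycle transitions, while the mapping from CA name to adapter class comes from a configuration dictionary. The two CA backends, their request formats, and the CA names and URLs are constructed.

```python
"""CA Service Gateway: one broker over interchangeable CA adapters.

Added illustration, not smartCMS code. The core (CAGateway) depends only on
the CAAdapter interface and on the lifecycle rules; which adapter serves
which CA is injected from CONFIG, IoC-container style, and never named in
the core. Backends, wire formats, CA names and URLs are all constructed.
"""
import json
from typing import Dict, List, Optional, Protocol

# Lifecycle operations the gateway brokers, as {current state: next state}.
TRANSITIONS = {
    "issue":      {None: "valid"},
    "suspend":    {"valid": "suspended"},
    "reactivate": {"suspended": "valid"},
    "revoke":     {"valid": "revoked", "suspended": "revoked"},
}


class CAAdapter(Protocol):
    """The only message the core can send to a CA backend."""
    def send(self, operation: str, serial: str, subject: str) -> bool: ...


class JsonCA:
    """Constructed backend: JSON requests, {"status": "OK"} replies."""
    def __init__(self, endpoint: str) -> None:
        self.endpoint = endpoint
        self.sent: List[str] = []            # what would go over the wire

    def send(self, operation: str, serial: str, subject: str) -> bool:
        self.sent.append(json.dumps({"op": operation, "serial": serial, "subject": subject}))
        reply = json.loads('{"status": "OK"}')   # simulated answer from endpoint
        return reply["status"] == "OK"


class KeyValueCA:
    """Constructed backend: key=value lines, STATUS=OK replies."""
    def __init__(self, endpoint: str) -> None:
        self.endpoint = endpoint
        self.sent: List[str] = []

    def send(self, operation: str, serial: str, subject: str) -> bool:
        self.sent.append(f"OP={operation};SERIAL={serial};SUBJ={subject}")
        reply = "STATUS=OK"                      # simulated answer from endpoint
        fields = dict(p.split("=", 1) for p in reply.split(";"))
        return fields.get("STATUS") == "OK"


class CAGateway:
    """Routes issuance to the chosen CA and later lifecycle requests to the CA
    that issued the certificate, enforcing the allowed state transitions."""
    def __init__(self, adapters: Dict[str, CAAdapter]) -> None:
        self.adapters = adapters
        self.state: Dict[str, str] = {}      # serial -> lifecycle state
        self.issuer: Dict[str, str] = {}     # serial -> CA name

    def _apply(self, ca: str, operation: str, serial: str, subject: str) -> str:
        cur: Optional[str] = self.state.get(serial)
        if cur not in TRANSITIONS[operation]:
            raise ValueError(f"cannot {operation} serial {serial} in state {cur}")
        if not self.adapters[ca].send(operation, serial, subject):
            raise RuntimeError(f"CA {ca} rejected {operation} for serial {serial}")
        self.state[serial] = TRANSITIONS[operation][cur]
        self.issuer[serial] = ca
        return self.state[serial]

    def issue(self, ca: str, serial: str, subject: str) -> str:
        if ca not in self.adapters:
            raise KeyError(f"no adapter configured for CA {ca}")
        return self._apply(ca, "issue", serial, subject)

    def lifecycle(self, operation: str, serial: str) -> str:
        if operation not in ("suspend", "reactivate", "revoke"):
            raise ValueError(f"unknown lifecycle operation {operation}")
        if serial not in self.issuer:
            raise KeyError(f"serial {serial} was not issued through this gateway")
        return self._apply(self.issuer[serial], operation, serial, "")


# Registry of adapter implementations; the core above never refers to it.
ADAPTER_TYPES = {"json": JsonCA, "keyvalue": KeyValueCA}

CONFIG = {   # constructed IoC configuration; CA names and URLs are placeholders
    "cas": {
        "tsp-a": {"type": "json", "endpoint": "https://ca-a.example/api"},
        "tsp-b": {"type": "keyvalue", "endpoint": "https://ca-b.example/ra"},
    }
}


def build_gateway(config: dict) -> CAGateway:
    """Wire adapters from configuration: swapping a CA means editing CONFIG,
    not the gateway code."""
    adapters = {name: ADAPTER_TYPES[spec["type"]](spec["endpoint"])
                for name, spec in config["cas"].items()}
    return CAGateway(adapters)
```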
5 smartCMS Web Interface
SmartCMS presents a user-friendly web interface from which it is possible to manage
the entire life cycle of PKI credentials and devices.
As previously mentioned, the system was developed to be modular and flexible in order to effectively model the workflows of different organizations. In particular, it is possible to define:
Different roles with different privileges
Authentication methods
Certificates templates
Data forms
Submission/notification/authorization workflows
Email templates
Moreover the system is able to model a hierarchical organization with arbitrary
complexity.
In this section we describe, as an example, the web interface of some typical system installations from the point of view of a super administrator. It is understood that different flows and user profiles can be configured depending on customer needs.
Figure 2. smartCMS web interface: homepage.
Home Page
The home page of the system can be configured to report useful statistics on the number of active registration offices, registration officers and devices, or other relevant parameters that the customer wishes to monitor.
As an example, Figure 2 depicts the home page of the smartCMS installation Bit4id provided to Buffetti Group, a national chain of professional services for lawyers and accountants in Italy. The screenshot shows the number of active Registration Offices, the number of enabled operators and the number of activated devices.
Request management
The status of requests for digital signature devices and certificates can be managed in the corresponding sub-menu of the web interface. Here there is a list of the requests entered in the system, characterized by attributes such as ordinal number, registration office, card holder name, device type, status of the request (approved, pending, produced, etc.), registration date and production date. These attributes can be used to sort the list by setting different filters.
Figure 3 reports a screenshot of the smartCMS page showing the list of recorded requests with their status.
Figure 3. smartCMS web interface: requests management.
On the same page it is also possible to insert a new request, in other words to register a new user, by properly filling in a data sheet with the details of the user, as shown in Figure 4. More information on the personal data module can be found in section 7.
Figure 4. smartCMS web interface: registration of a new user.
Registration offices
The system administrator can create new organizations and enable different
registration offices within a single organization, thus reproducing the real
hierarchical structure.
Figure 5. smartCMS web interface: registration of a new registration office.
As shown in Figure 5, each registration office is characterized by a number of summary parameters such as the number of operators, the number of requests and so on.
These parameters can be used to apply filters and to search for a specific registration office. The type and number of such parameters is configurable according to the customer's needs.
Operators and Security Officers
Different types of security officers, characterized by different privileges, can be assigned to each organization and/or registration office in the “Operators” page of the smartCMS web interface, as shown in the following picture. As usual, advanced search options enable the administrator to sort the list of active operators by different attributes.
Figure 6. smartCMS web interface: management of security officers.
Management of issued devices
Another useful management option is the overview of issued devices, with information about the serial number, the status and the name of the user to whom the device is assigned. Figure 7 reports the list of the devices with their status.
Figure 7. smartCMS web interface: management of issued devices.
6 Functional features of smartCMS
6.1 Functional architecture
From a functional point of view, smartCMS is a solution designed according to the typical modular approach: each functionality is fulfilled by a component independent of any other component in the system.
A direct consequence of this modular approach is that the whole system can be described by describing each separate subsystem. A more detailed description of each module is given in the following sections.
Figure 8. smartCMS functional modules.
6.2 Organizations, divisions and officers management
SmartCMS can be effectively implemented when users involved in the issuance
process belong to an organization that is managed in a hierarchical structure. In
particular, one can configure any chosen number of divisions and offices, even
spread over several hierarchical levels.
Figure 9. Management of a hierarchical organization.
smartCMS is therefore suitable for use in complex organizations with many different operating units.
Users with the proper permissions can define a set of Organizations. Each organization can subsequently be divided into Divisions, each of which can have a specific competence (e.g. a specific geographical region of interest) and therefore will have access only to a subset of the whole system data.
A certain number of operators can be assigned to each organization and to each division. As we will see in the following, these operators are characterized by their specific roles.
A profile can easily be assigned to each operator on the basis of their role; more precisely, a profile is built by defining the specific permissions, which can be assigned to an individual operator or to all the operators that belong to a particular operating unit.
System users are registered in relation to the operational units they belong to, thus
reflecting the actual structure of the organization.
This module allows easily assigning specific privileges to a section of the organization or to a particular office, and easily implementing the data visibility policies.
Deactivating an office, or temporarily activating a new one (for example to support contingent needs or enrolment campaigns), is straightforward, while all the transactions performed by the system are kept under control.
This module permits a quick configuration of data visibility policies and of access
rules for users.
A one-click function is supported to restrict access by limiting the privileges of the users of a particular office or branch of the organization. With this function, users of the affected offices can access the system only for device lifecycle management operations (suspending, reactivating and revoking), and only for the devices of their exclusive competency.
6.3 Authentication module
SmartCMS requires authentication of all users who wish to make use of its application interface, thereby providing a means of identifying them.
The authentication module plays a critical role since it unlocks all the functionality of
the entire system. For this reason, the authentication module has been designed
bearing in mind the most stringent security requirements.
Nonetheless, it still provides a significant level of configurability by allowing
customization based on the requirements of the particular installation.
smartCMS natively supports the following authentication mechanisms, which can be used interchangeably:
username and password, with internal or external storage of credentials (external database, LDAP, etc.)
strong authentication based on a digital certificate stored inside a smartcard or token (the default mode, in line with the strict security requirements of the application)
Single Sign-On solutions developed by Bit4id
6.4 Users profile
The system provides for different user categories depending on the granted
privileges (which are defined on the basis of the tasks they have to perform).
The typical profiles provided are:
Registration Officer (RO). This is the person appointed by the Organization for the face-to-face recognition of the subscriber and, more generally, to manage part of the relationship with the subscriber. The duties performed by the RO are:
face-to-face recognition of the subscriber;
filling out the paper forms with the personal information of the subscribers;
data entry into the CMS data base of personal information of the subscribers;
delivery of token/card to the subscriber, after collection from the
personalization center;
The data visibility for the RO is restricted to the single enrollments that he performed.
Delegated Officer (DO). This is the person in charge of the following operations:
- token/card personalization (on-board key pair generation and certificate download), if the decentralized issuance workflow has been chosen;
- delivery of the token/card;
- revocation of certificates;
- any other task also performed by the RO.
The Delegated Officer can operate on any enrollment performed at the registration office of their competence. However, it is worth highlighting that the system administrator can still assign different privileges to Delegated Officers in order to partially restrict the set of actions they can undertake. For example, there may be a need to restrict data visibility to the individual enrollments performed by the Delegated Officer, instead of granting visibility over the enrollments of the entire office to which they belong.
Bureau Officer (BO). In the case of a workflow with centralized production of tokens, a Personalization Bureau should be appointed by the main Organization and authorized by the individual registration office. The Bureau Officers have privileges similar to those of the Delegated Officers; in particular they:
1. receive the paper requests signed by the subscribers and completed with all the needed details (e.g. type of signature device, address for the delivery of secret codes, personal information of the subscriber, personal information of the RO who carried out the face-to-face recognition, etc.);
2. perform data entry of the subscribers' personal information into the CMS database;
3. where applicable, verify the validity of the documents provided by the subscriber;
4. carry out token/card personalization (key pair generation and certificate download);
5. package the device with the accompanying letter for the subscriber;
6. send everything to the subscriber or to the registration office of competence.
If the data entry has already been performed by the Registration Officer, the Bureau Officer proceeds from point 3.
System Administrators (SA). They have privileges to modify system configuration parameters (e.g. DB connection, log management, maintenance operations).
Help Desk (HD). These are call center operators; they have privileges similar to those of the Delegated Officer, in particular with reference to token lifecycle management operations such as suspension, reactivation and revocation. However, HD operators have data visibility over all the devices issued by any registration office.
Audit Operators (AO). These are operators who are allowed to view the auditing files.
Token Holder (TH). This is the subscriber of the digital signature service.
Table 2 – Users profiles and privileges.
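The visibility and privilege rules of the profiles listed above, expressed as an added example that is not Bit4id's code: the role names follow the document, while the enrollment fields, the action names and the grouping of privileges per role are assumptions.

```python
"""Data-visibility and privilege scoping for the smartCMS operator profiles
(RO, DO, BO, SA, HD, AO). Added illustration, not Bit4id's code: the role names
follow the document; the enrollment/operator fields and the permission matrix
are assumptions made to show how least-privilege scoping can be expressed."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Role(Enum):
    RO = "registration_officer"
    DO = "delegated_officer"
    BO = "bureau_officer"
    SA = "system_administrator"
    HD = "help_desk"
    AO = "audit_operator"


# Actions named in the document; their grouping into a matrix is an assumption.
LIFECYCLE = {"suspend", "reactivate", "revoke"}
ENROLMENT = {"data_entry", "deliver"}
PERSONALISATION = {"personalise"}
PRIVILEGES = {
    Role.RO: ENROLMENT,
    Role.DO: ENROLMENT | PERSONALISATION | LIFECYCLE,
    Role.BO: ENROLMENT | PERSONALISATION,
    Role.SA: {"configure_system"},
    Role.HD: LIFECYCLE,
    Role.AO: {"view_audit"},
}


@dataclass(frozen=True)
class Operator:
    id: str
    role: Role
    office: str
    # Set by the system administrator to restrict a DO to its own enrollments
    # instead of the whole office (the option the document describes).
    own_enrollments_only: bool = False


@dataclass(frozen=True)
class Enrollment:
    id: str
    office: str
    created_by: str  # id of the RO/DO/BO who performed the data entry


def can_view(op: Operator, enr: Enrollment) -> bool:
    """Data-visibility rule: who may see a given enrollment."""
    if op.role == Role.HD:
        return True                      # HD sees devices of every office
    if op.role == Role.RO:
        return enr.created_by == op.id   # RO: only its own enrollments
    if op.role in (Role.DO, Role.BO):
        if op.own_enrollments_only:
            return enr.created_by == op.id
        return enr.office == op.office   # office-wide visibility
    return False                         # SA and AO see no enrollments


def authorise(op: Operator, action: str, enr: Optional[Enrollment] = None) -> bool:
    """Privilege check: the action must belong to the role AND, when it targets
    an enrollment, the operator must be allowed to see that enrollment."""
    if action not in PRIVILEGES[op.role]:
        return False
    if enr is None:
        return True
    return can_view(op, enr)


def visible_enrollments(op: Operator, enrollments: List[Enrollment]) -> List[Enrollment]:
    """Apply the visibility policy as a filter, e.g. behind a search screen."""
    return [e for e in enrollments if can_view(op, e)]
```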
6.5 Operators management
smartCMS has a specific section dedicated to the management of operators.
In this section the following functionalities are offered:
- addition of a new operator
- deletion of an operator
- deactivation of an operator (e.g. to temporarily disable an operator's access)
- reactivation of an operator (the opposite of the previous operation)
- definition of the default task (at the time of creation of a new operator, the system requires associating him with a specific division of the organization, with a specific role characterized by a precise set of privileges and permissions)
- addition of a new task
- deletion of a task
With all of these operations supported, smartCMS allows flexible management of operators, fully adapting to the needs of a dynamic organization with complex operational workflows and a high level of staff turnover.
In addition to the modalities described above, smartCMS offers a feature for batch import of a set of operators: given as input a file (of type CSV with a specific format), smartCMS creates the new operators with the roles and tasks indicated in the input file.
7 Personal data module
The management of the personal data of card holders, as well as of all the people involved in the issuance process, is particularly important in security-critical workflows such as the distribution of devices containing digital identity certificates.
A key point is the way in which the information to be recorded for each individual is entered into the system, and the validation rules applied to it.
The personal data module of smartCMS can be natively extended through arbitrary mixins. At the initial configuration stage, it is possible to define the list of attributes to be added or modified in the personal data sheet, in the device data sheet and in all the entities that are relevant for the data model, specifying for each of them the type of data and the validation rules.
The other modules of the system recognize the new attributes as native, allowing their display in the application screens, their use in the search filters, and their use in batch procedures and report models.
The personal data module also allows the definition of external sources (web services, databases, etc.) to be used by the system for assisted compilation, when the information in the personal data sheet has to be entered manually by a human operator, or when it needs to be integrated during an automatic procedure.
8 Management of secret codes
This module implements the complete lifecycle management of the secret codes needed to operate the devices issued by smartCMS.
Cryptographic tokens are usually issued together with some security codes needed for their use, such as PIN and PUK codes, and codes to be used in special circumstances, for example one or more emergency codes to be used in case of theft or loss in order to revoke the certificates.
The module for the management of secret codes provides generation, import and production of the secret codes associated with devices.
smartCMS maintains an encrypted database of secret codes and assigns devices to a specific scratch card during the customisation stage. Both explicit association by an operator (for example when he has to choose a scratch card among the ones already produced and held in the warehouse of the operational unit) and fully automatic management by the system are supported.
This module allows the generation of cards of secrets in batches, using an algorithm that generates unique sequences. This algorithm takes as input strong random numbers, the same as those generated inside a smartcard or an HSM (generation in hardware).
In addition to the internal generation of cards within the system, it is also possible to import batches of scratch cards in the most common data exchange formats (CSV, XML, JSON), even in encrypted form.
The module can also write the security codes in a security envelope modality. In this case the codes are printed on envelopes provided with a copying cover and blacked-out patterns.
In this case it is preferable not to provide the registration offices with the necessary hardware; instead, the production of the lots created within the CMS system can be outsourced by exporting the data. The data must be encrypted with the public key of an authorized service center, which in turn is equipped with the proper decryption software.
A third-party manufacturer therefore takes charge of the production, always using security envelopes or, alternatively, scratch cards as the support.
Batches generated in this way are marked as “to be generated” and enter the production cycle of the devices as soon as their receipt is confirmed by an authorised operator.
The secret code information is stored encrypted in the database and can be decrypted only by operators with the right permissions.
Usually the cards of secrets are uniquely identified by a numerical code that in some cases has to be typed in by a human operator. To reduce human errors and to make reading the codes easier, they are generated with a check digit computed according to the Luhn algorithm, the same used for credit card numbers or IMEI numbers, and they can be printed as a barcode.
Typing the scratch card identification number is a highly critical operation for the operator, because it happens at the stage of recording the request and creates a unique relationship between the specific cryptographic device and the corresponding scratch card. In fact, at the production stage, the specific device is electronically personalised to ensure that its PIN/PUK codes are the ones printed in the corresponding envelope of secrets.
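The Luhn check digit and the batch generation of unique scratch-card identifiers described above, as an added example that is not Bit4id's code: the 11-digit identifier body and Python's `secrets` module standing in for the smartcard/HSM random number generator are assumptions.

```python
"""Scratch-card identifiers with a Luhn check digit, as described for the
secret-codes module. Added example, not Bit4id's code: the identifier length and
the use of `secrets` instead of a hardware (smartcard/HSM) generator are assumptions."""
import secrets


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit for a string of decimal digits.
    Scanning the body from the right, the rightmost digit (which will sit next to
    the appended check digit) and every second digit after it are doubled, with 9
    subtracted when the result exceeds 9. The check digit brings the sum to a
    multiple of 10."""
    if not body.isdigit():
        raise ValueError("identifier body must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:      # doubled positions once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(identifier: str) -> bool:
    """Validate a full identifier (body + check digit): the weighted sum of all
    its digits must be divisible by 10. Catches any single mistyped digit and
    almost every transposition of adjacent digits."""
    if not identifier.isdigit() or len(identifier) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(identifier)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right, check digit excluded
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def generate_batch(count: int, body_digits: int = 11) -> list:
    """Generate `count` unique scratch-card identifiers from a strong random
    source. Uniqueness within the batch is enforced with a set; a real deployment
    would also check new identifiers against those already in the encrypted
    database."""
    seen = set()
    batch = []
    while len(batch) < count:
        body = "".join(str(secrets.randbelow(10)) for _ in range(body_digits))
        if body in seen:
            continue
        seen.add(body)
        batch.append(body + luhn_check_digit(body))
    return batch
```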
9 Auditing – tracking operations
The auditing module included in the proposed solution allows tracking, in a database separate from the one supporting the application, all the important events that modify the data in the system.
The module is natively supported by the system and, once the list of entities to be tracked has been defined, it does not need any further configuration, not even after customization of the application data model or after the installation of additional modules.
Each time an entity in the database is created, updated or deleted, a new entry is saved in the auditing database.
Each entry of the auditing system contains a snapshot consisting of an exact copy of the records affected by the event, together with some supporting information, including:
- a time reference, precise to the second
- the identification number of the operator who caused the tracked event
- the type of event, for example “Insertion”, “Modification”, “Elimination”
The information in the database of the auditing module can be accessed by operators with the right permissions through the graphical interface of the front-end and through the interactive shell.
Within the front-end it is possible to navigate the auditing log by date or by simply specifying a filter expression. Also, since all the auditing log entries are associated with the objects affected by the tracked events, it is possible to access the audit trail of each object, which corresponds to the complete history of the object, from its creation to the time of the query.
The data can be exported in the most used formats for data interchange, such as CSV, JSON and XML.
Using the HSM module it is possible to export the data digitally signed with one of the configured certificates, according to the most recent Italian and European regulatory standards (CAdES, PAdES and XAdES), for the uses allowed by law.
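The audit trail mechanism described in this section, as an added illustration that is not smartCMS code: the entity shape, the two in-memory stores standing in for the application and auditing databases, and the demo scenario are assumptions.

```python
"""Audit trail of the kind described for the auditing module: every
create/update/delete of a tracked entity stores an exact copy of the affected
record, a time reference to the second, the operator id and the event type, in a
store kept apart from the application data. Added example, not Bit4id's code:
the entity shape, event names and in-memory stores are assumptions."""
import copy
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str            # ISO 8601, precise to the second
    operator_id: str
    event: str                # "Insertion", "Modification" or "Elimination"
    entity: str               # tracked entity name, e.g. "device"
    object_id: str
    snapshot: Optional[dict]  # copy of the record after the event; None if deleted


class AuditLog:
    """Append-only store, separate from the application tables."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._entries: List[AuditEntry] = []
        self._clock = clock

    def record(self, operator_id, event, entity, object_id, snapshot):
        ts = self._clock().replace(microsecond=0).isoformat()
        # deepcopy so later changes to the live record cannot alter the trail
        entry = AuditEntry(ts, operator_id, event, entity, object_id,
                           copy.deepcopy(snapshot) if snapshot is not None else None)
        self._entries.append(entry)
        return entry

    def history(self, entity, object_id) -> List[AuditEntry]:
        """Complete audit trail of one object, from creation to the latest event."""
        return [e for e in self._entries if e.entity == entity and e.object_id == object_id]

    def filter(self, predicate: Callable[[AuditEntry], bool]) -> List[AuditEntry]:
        """Navigate the log with an arbitrary filter expression (date, operator...)."""
        return [e for e in self._entries if predicate(e)]

    def export_json(self) -> str:
        return json.dumps([asdict(e) for e in self._entries], indent=2)


class TrackedTable:
    """Application-side table whose mutations are mirrored into the AuditLog."""

    def __init__(self, entity: str, audit: AuditLog):
        self.entity, self.audit = entity, audit
        self._rows: Dict[str, dict] = {}

    def insert(self, operator_id, object_id, row):
        self._rows[object_id] = dict(row)
        self.audit.record(operator_id, "Insertion", self.entity, object_id, self._rows[object_id])

    def update(self, operator_id, object_id, changes):
        self._rows[object_id].update(changes)
        self.audit.record(operator_id, "Modification", self.entity, object_id, self._rows[object_id])

    def delete(self, operator_id, object_id):
        del self._rows[object_id]
        self.audit.record(operator_id, "Elimination", self.entity, object_id, None)

    def get(self, object_id):
        return self._rows.get(object_id)


def demo():
    """Constructed scenario: one device through its lifecycle, with a fixed clock
    so the timestamps are reproducible."""
    fixed = lambda: datetime(2024, 1, 15, 10, 30, 45, 123456, tzinfo=timezone.utc)
    log = AuditLog(clock=fixed)
    devices = TrackedTable("device", log)
    devices.insert("do1", "dev-001", {"serial": "SN-0001", "status": "active"})
    devices.update("hd1", "dev-001", {"status": "suspended"})
    devices.update("hd1", "dev-001", {"status": "active"})
    devices.delete("sa1", "dev-001")
    return log, devices
```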
10 Device customization
The smartCMS device customization module allows the configuration of the device profiles that can be produced by the system. Smartcards and, more generally, the devices of the CMS proposed here can go through various stages of customization, including:
- graphical customisation: the plastic support can be customised with:
  o graphics and backgrounds
  o text boxes with personal data of the holder
  o barcode
  o picture of the holder, if required
- electronic customisation: key pairs are generated on the device and the associated certificates are imported onto the device
- data customisation: the personal data file set in the profile is loaded onto the device
- codes customisation: the access codes of the device are updated in compliance with the card of secrets associated at the production stage
All these operations can be reconfigured and remodeled to specify the type of device to manufacture. The customization module therefore allows the definition of a file called “device profile” that contains both the logic needed to define the expected customization steps and the parameters and data needed to define the behavior of each of them, for example the images to be used for the graphical customization of a smartcard.
The set of profiles available for a specific system installation can be configured at the deployment stage. In this way, once the system is running, all the expected profiles are available to the operators.
The proposed system supports an arbitrary number of profiles, which can also be selected interactively in the browser at the time of production (if this feature has been enabled in the module configuration).
The device customization module uses an active component that is automatically installed inside the browser (even on workstations without administrative rights) and takes charge of the installation and automatic update of all the modules needed for the hardware interface (smartcards, USB tokens, printers).
The solution proposed here drives the smartcard through the Bit4id Universal Middleware. This is an established implementation of the PKCS#11 standard that allows complete interfacing with the most common smart cards on the market, including:
- Siemens CardOS
- Oberthur COSMO ID-One
- Gemalto e-ID Citizen
- ST Incard Incrypto34 v.2
- ST Incard Touch&Sign 2048
- Athena IDProtect
The device customization profiles are compatible with the Bit4id smartCMS batch station software, which provides an advanced environment for the production of device batches in off-line batch mode, consistently with the proposed system.
With regard to the graphical customization, during production it is possible to see a print preview of the card that is going to be issued.
The real added value of smartCMS is the extreme simplicity of production. In fact the installation of the active component releases the operator from the need to install on his own machine the drivers needed to drive both the electronic customization devices and the graphical customization stations.
11 Enrolment of digital certificates
The enrolment module deals with the procedures for certificate request generation and with the secure communication with the Certification Authority (CA) application services responsible for the issuance.
Independently of the CA issuance service, this module allows the following operations:
- issuance of a certificate
- issuance of a batch of certificates (for the CAs that support this)
- suspension (temporary revocation) of a certificate
- reactivation of a suspended certificate
- revocation of a certificate
- revocation of a batch of certificates (for the CAs that support this)
- renewal of a certificate
This module supports the web services of the main Italian CAs (InfoCert, PosteCOM, IT-Telecom, Actalis, Intesa, ArubaPEC).
12 Predefined flows of provisioning
In its basic configuration smartCMS supports by default some predefined device issuing flows. The predefined modalities are:
1. interactive mode: the devices are produced in the context of an interactive session within the browser. The certificates are imported into the token and the device is created directly. This modality is useful when issuing a device from an office.
2. batch mode: the devices are created in batch and subsequently distributed to the holders. When possible, the enrolment module uses the interfaces of the CA services for the mass issuance of certificates.
3. self-enrolment: after registration, the devices are delivered to the holders with no certificates on board. Afterwards the holder autonomously produces his own device by completing the operations through a secure internet service.
The enrolment module also allows the configuration of the operations for the Life Cycle Management of certificates, i.e. suspension/reactivation and revocation, permitting the execution of the operations according to the following modalities:
1. indirect mode: the holder contacts the issuing office or a Help Desk operator and requests an update of the state of the certificates that belong to him. The operator authorizes the operation and proceeds, through a dedicated function of the graphical interface, by forwarding the request to the CA in real time. This operation can also be carried out in two separate steps, by first collecting all the requests in a buffer and then revoking them in batch. The system registers the operation, saving the personal information of the operator who performed it.
2. direct mode: direct mode does not require the participation of an operator unless there is a help request from the user (or in the case of a phone call procedure). The user accesses the portal and navigates to the service suspension page; there he fills out a form with at least the following fields:
a) First name
b) Last name
c) Unique identification number
d) User code (secret suspension code)
e) Reason for the suspension request (a combo box)
The system collects the request, suspending the validity of the certificate.
The CMS system forwards the suspension request to the CA for the certificates associated with the owner's device.
13 Certificate Renewal
One of the main characteristics of the solution proposed in this document is certificate renewal. For all the certificates about to expire, smartCMS generates a message with the instructions for the renewal procedure. This message also contains information about any administrative paperwork needed in order to use the service. The interval between the expiry date and the renewal message can be set as desired.
This communication is sent by email directly to the holder, together with a link to follow to access the automatic certificate renewal procedure.
The automatic certificate renewal procedure substitutes the certificates on board the device used by the holder with new certificates, issued by an issuing procedure that is digitally signed using the expiring subscription certificate.
In case the integration of a proprietary payment system (plafond) is required, and above all if a fee has to be paid, the system can suggest the necessary links to the electronic plafond for the check-out of the payment due for the renewal service.
To carry out the operation the holder simply needs to download a self-installing client software from a web portal, such as the one for the services.
For the renewal the holder has to download an application that performs the following steps:
- [optional] acquisition of the holder’s credentials to access his electronic plafond
- [optional] verification of the availability of the credit needed for the renewal operation
- certificate renewal, generating on-board the needed cryptographic objects and communicating appropriately with smartCMS
- [optional] charging the appropriate fee from the holder’s plafond
At the end of the procedure the user is notified of the outcome of the operation and of the new expiry date of his certificates.
14 API
smartCMS is a complex system that offers many possibilities of integration with the other information systems of the organisations that adopt it. It is therefore very important to have tools that are both simple and powerful to share information and to coordinate enterprise workflows.
The Application Programming Interface (API) module implements one of the interfaces of interaction between the proposed system and the outside world. Unlike the administration front-end and shell, the API module exports application interfaces to be used by other software.
All the operations implemented at the system controller level, of which those implemented by the front-end are a subset, can be presented in the form of a web service that can be safely called by authorised clients. The API module therefore allows configuring which calls to make available externally, the supported protocols and the level of access required.
The API of smartCMS can be published according to one or more of the following protocols:
- JSON over HTTP
- HTTP Representational State Transfer (REST)
Obviously, as well as publishing public services (for example the service that lists the offices), it is possible to configure services whose access is limited to a predefined list of applications.
For this reason the module allows configuring an authorisation system based on API Keys, identification codes used by the client applications to prove their identity to the system.
15 Management and administration tools
smartCMS is completed by a stack of dedicated instruments for the main management and maintenance activities, ordinary and extraordinary, expected of an enterprise system.
15.1 Interactive Shell
The proposed system is equipped with an interactive shell that allows the execution of simple system commands, such as restart, data backup and restore, management of log files, and optimisation of static resources.
Using the interactive shell, a user with administrative rights can write scripts to automate batch and maintenance procedures.
It is in fact possible to write, in a simple and intuitive manner, queries or data update procedures using the object model of smartCMS.
15.2 Data backup and restore
The proposed system natively includes a tool for data backup and restore that is independent of the database in use. Backup files are saved in an abstract format that is interpreted and translated by the module. This makes it possible to restore the data on another database, even if it is configured on a DBMS different from the one of the system from which the backup was extracted.
15.3 Support for fixtures
It is often convenient to define a set of test data, for example to support bug fixing processes, the writing of unit tests, or purely for testing purposes.
smartCMS supports the (automatic or interactive) loading into the database of structured test files (in JSON, XML, and YAML format) called fixtures.
A fixture can be written using a common text editor, or it can be exported directly from a working copy of the system through a dedicated command of the administrative shell.
15.4 Support for automatic migrations
All IT systems that depend on a relational database have a specific structure of tables and relational links that, in case of update or extension of the software modules, needs to be adjusted. These refactoring operations can be extremely complex and costly, and have to support the update of the database structure without data loss.
smartCMS natively integrates support for database migrations, a procedure that allows defining the revisions of the relational schema in the form of a simple script that describes at a high level the modifications to be applied, directly using the object model of smartCMS.
The system therefore allows migrating the database, forward or backward, automatically from one revision to another, applying the relevant migrations in a fully transactional context, safely away from the risk of data loss.
Migrations can be listed or applied automatically or manually, through a series of dedicated commands of the administrative shell.
15.5 Environment aware configuration
smartCMS natively encourages the creation of disjoint sets of configuration profiles to support installation and deployment in separate environments.
It is very simple for system administrators to create installations of smartCMS with specific configurations.
The most common case is to always have a separate active version of smartCMS for the production environment and for one or more staging or testing environments.
15.6 Update with hot swap
smartCMS provides the possibility of deploying updated versions of the software directly on a running system, pushing updates without interruption of service.
The hot-swap system is implemented independently of the application server chosen for the installation and can be managed in detail through a series of dedicated commands of the administrative shell.
15.7 Advanced logging system
smartCMS implements a particularly flexible subsystem for the management of log messages. It is in fact possible to define, in a granular way and specifically for each module:
- the verbosity of messages
- the format of the log file
- the physical support on which to save the messages (file on disk, syslog server, relational database)
The administrative shell integrates a series of commands for real-time monitoring of the logs, with the possibility of visualising and filtering logs from different installations at the same time (as in the case of configurations that include clustering).
smartCMS natively integrates support for Bit4id Smartlog. This is the solution for managing the records of all logical accesses by system administrators to the processing systems and to the electronic archives.
16 Monitoring
smartCMS allows real-time monitoring of the services and of the indicators of the running system.
In particular it is possible to monitor the correct functioning of the various subsystems (both internal and external to the system, such as the enrolment services) through a series of convenient commands of the administrative shell.