SmartCMS - Bit4id | Support


Bit4id Italia
Naples: Via Diocleziano, 107, 80125 Napoli. Tel. +39 081 7625600, Fax +39 081 19731930, [email protected]
Rome: Piazza Marconi, 15, 00144 Roma. Tel. +39 06 3280 3633, Fax +39 06 3280 3631, www.bit4id.com
Milan: Tel. +39 02 40042990, Fax +39 02 45500675, www.bit4id.com

Bit4id Iberica s.l.
Barcelona: Barcelona Advanced Industry Park, C/ Marie Curie, 8-14, 08042 Barcelona. Tel: +34 902 60 20 30, [email protected]
Lisbon: Alameda Bonifácio Lázaro Lozano, 13, Edificio B, 1º E, 2780-125 Oeiras (Lisboa). Tel: +351 214 694 060, Fax: +351 214 694 069, [email protected]
Lima: Mártir Olaya, nº 129, Oficina 1102, Centro Empresarial Pardo, torre A (Miraflores), Lima. Tel: +(51) 1 242 9994, [email protected]
Guatemala: 5ª Avenida, 15-45 zona 10, Torre 1, oficina 206, Condominio Centro Empresarial, 01010 Guatemala. Tel: +502 44888144, [email protected], [email protected]

Bit4id Ltd
London: 2 London Wall Buildings, London EC2M 5UU, UK. Tel. +44 1422 570673, Fax +44 20 78553780, [email protected]

SmartCMS
PKI infrastructure for issuance and management of cryptographic devices and digital certificates

THE BEST INFORMATION

TECHNOLOGY 4 IDENTIFICATION

WWW.BIT4ID.COM

pag. 2 di 39

Summary

1 EXECUTIVE SUMMARY 4
2 COMPANY PROFILE 5
2.1 QUALITY CERTIFICATES 5
2.2 REFERENCES AND MAIN CUSTOMERS 6
3 OVERVIEW OF THE PROPOSAL 9
4 TECHNICAL FEATURES OF SMARTCMS 11
4.1 ARCHITECTURE 11
4.1.1 CLIENT 11
4.1.2 WEB SERVER 13
4.1.3 APPLICATION SERVER 14
4.1.4 DBMS 14
4.1.5 CA SERVICE GATEWAY 15
4.1.6 SCALABILITY 15
4.1.7 MODULARITY 15
5 SMARTCMS WEB INTERFACE 17
6 FUNCTIONAL FEATURES OF SMARTCMS 22
6.1 FUNCTIONAL ARCHITECTURE 22
6.2 ORGANIZATIONS, DIVISIONS AND OFFICERS MANAGEMENT 22
6.3 AUTHENTICATION MODULE 24
6.4 USERS PROFILE 24
6.5 OPERATORS MANAGEMENT 28
7 PERSONAL DATA MODULE 28
8 MANAGEMENT OF SECRET CODES 29
9 AUDITING – TRACKING OPERATIONS 30
10 DEVICE CUSTOMIZATION 31
11 ENROLMENT OF DIGITAL CERTIFICATES 33
12 PREDEFINED FLOWS OF PROVISIONING 34
13 CERTIFICATE RENEWAL 35
14 API 36
15 MANAGEMENT AND ADMINISTRATION TOOLS 37


15.1 INTERACTIVE SHELL 37
15.2 DATA BACKUP AND RESTORE 37
15.3 SUPPORT TO FIXTURES 37
15.4 SUPPORT TO AUTOMATIC MIGRATIONS 37
15.5 ENVIRONMENT AWARE CONFIGURATION 38
15.6 UPDATE WITH HOT SWAP 38
15.7 ADVANCED LOGGING SYSTEM 38
16 MONITORING 39


1 Executive summary

Bit4ID has successfully developed many Governmental and Enterprise Public Key Infrastructures and Credential Management Systems. With over 10 million enrolled users, ranging from state officials to physicians, from train drivers to business owners, our systems are key components for many organizations and central state bodies, offering unparalleled flexibility and exceptional integration with existing infrastructures and business procedures, and delivering value to our users across the entire life-cycle of digital certificates.

This document presents the architecture and the main features of smartCMS, a top-notch Public Key Infrastructure System designed and developed by Bit4ID.

SmartCMS is the synergy of the most advanced PKI building blocks that Bit4ID has improved to perfection, bringing new features and a modularized architecture, and playing the role of cornerstone of our digital DNA architecture and vision.

This paper shows how Bit4ID smartCMS harmonizes the various elements of a PKI infrastructure and business processes, and illustrates Bit4ID's skills in the design and deployment of integrated and comprehensive solutions.

The workflows, processes and configurations discussed in this document represent only a limited subset of all the customizations achievable with smartCMS; they have been chosen with the intent of explaining the flexibility of the system. SmartCMS can accommodate the needs and processes of any complex organization: in the initial phase of a project deployment, the development team of Bit4id gathers detailed requirements from the customer in order to tailor the solution to the specific use case.

In the following we discuss and present the key features of smartCMS:

- Multi-tier architecture with web-based interface
- Role-based access control with multiple authentication methods
- Customizable authorization workflows, certificate templates and data forms
- Multi-tenancy of client organizations on the same platform, with complete separation of user data and access rights
- Multiple CAs can be used in the back end to issue certificates
- Batch import of users from external databases and directories
- Web service interfaces: HTTP REST, SOAP, JS


2 Company profile

Founded in 2004, Bit4id operates in the information security industry and in particular in the "digital identity" industry, as suggested by the company name itself: Bit4id - Best Information Technology for Digital Identity.

Bit4id develops and markets products, systems and services based on PKI technology, with applications and customers in the areas of public administration, banking, Trusted Service Providers (Certificate Authorities), system integrators and, in general, wherever digital signature, authentication and encryption capabilities are required. Other products and systems marketed by the company are developed and manufactured in the research and development center of Bit4id in Naples. Group turnover exceeds 10 million Euros, with approximately 100 people employed in offices in Italy (Naples, Rome, Milan), Spain (Barcelona), Peru (Lima), the UK (London) and India (New Delhi).

The range of products and systems by Bit4id covers four market segments:

- Hardware devices such as smartcard readers and cryptographic tokens for authentication and digital signature;
- Software and client-side applications such as drivers and system libraries for interfacing applications to cryptographic devices (PKCS#11, CSP, TokenD, ...), and applications for digital signature and encryption;
- Strong authentication systems on corporate networks or the Internet and single-sign-on systems with token or smartcard (for example with the Regional Service Card or the Electronic Identity Card), and massive digital signature systems for dematerialization;
- Services and projects for authentication, digital signature and encryption, including the registration of users interfacing with a Trusted Service Provider to issue digital certificates, both on token and remotely.

From the geographical point of view, Bit4id has a recognized leadership position in Italy, a strong presence in Spain, numerous customers in other European countries (mainly Portugal, Poland, Bulgaria, the Czech Republic, Slovenia, Romania and Hungary), in South America (Peru, Ecuador), in India and in Macao, China.

2.1 Quality certificates

Bit4id holds the following quality certificates:

- ISO 9001 (Quality Management System) for the design, production and sale of solutions, ICT systems and products;


- ISO 14001 (Environmental Management System) for the design, production and sale of solutions, systems and ICT products;
- ISO 27001 (Information Security Management System) for the design, production and sale of solutions, ICT systems and products.

2.2 References and main customers

The main references of Bit4id related to technologies and solutions for digital signature, PKI infrastructure and devices are shown in Table 1. These references list first PKI systems, then digital signature systems and finally cryptographic tokens and smart cards.

Among the main customers of Bit4id we highlight the following:

Trusted Service Providers
o ArubaPEC
o Poste Italiane
o InfoCert
o Actalis
o Namirial
o Banca Intesa
o Telecom Italia Trust
o Notartel
o Camerfirma (Spain)
o RedAbogacìa (Spain)
o Firmaprofessional
o Izenpe
o Microsec (Hungary)
o Trans Sped (Romania)
o Prvini Cert. Auth. (Czech Republic)
o GSE (Colombia)
o Camerdata (Colombia)
o E-Sign (Chile)
o CertChile (Chile)
o CertiNet (Chile)
o Consejo de la Judicatura (Ecuador)
o Macao Post (China)
o Haryana Elect. Dev (India)
o E-Mudhra (India)


Professional bodies
o Società Italiana Autori ed Editori
o CGCOM (Spain)
o Oficina de Normalizacion Previsional (Peru)
o Superintendencia Nacional de los Registros Publicos (Peru)

Hospitals and Regional Health Systems
o Regione Veneto
o ULSS Treviso
o ULSS Taranto
o ULSS Rovigo
o ULSS Legnago
o ULSS Adria
o Azienda Ospedaliera Papa Giovanni XXIII Bergamo
o Azienda Ospedaliera S. Anna Ferrara

| Customer | Country | Project | Year |
|---|---|---|---|
| Uanataca | Spain | Complete PKI (CA, Sub-CA, RA, VA, TSA) | 2016 |
| OMC - Consejo General De Colegios Oficiales De Medicos | Spain | Registration Authority Software, Credential Management System and Enrollment Station | 2015 |
| Asetelsos CIA. Ltda | Ecuador | Complete PKI (CA, Sub-CA, RA, VA, TSA) and PKI tokens | 2014 |
| Trenitalia SpA | Italy | Credential Management System and PKI tokens | 2014 |
| Notartel S.P.A | Italy | Complete PKI and Remote Digital Signature System | 2012 |
| Aruba PEC S.P.A | Italy | Registration Authority Software, Credential Management System and Enrollment Station | 2010 |
| Hospital Clinic Barcelona | Spain | Web-based digital signature system | 2016 |
| Cybersec | Peru | Automated Batch Signature Server and Time Stamping Server | 2016 |
| Gestores | Spain | Remote Digital Signature System | 2016 |
| Insolutions for Banca BBVA | Peru | Automated Batch Signature Server and Time Stamping Server | 2015 |
| Postecom | Italy | Digital signature software client | 2014 |
| Notartel | Italy | Validation Authority Server | 2010 |
| Società italiana autori ed editori | Italy | Automated Batch Signature Server and Time Stamping Server | 2009 |

Table 1 – Most relevant references of the projects developed by Bit4id.


3 Overview of the proposal

SmartCMS is the result of the expertise, the experience and the successful projects completed by Bit4id.

Our many satisfied customers are the best guarantee of the quality and reliability of the product from the point of view of its functional and technical characteristics, but especially of its security features.

SmartCMS is the Bit4id solution for the management of the entire lifecycle of cryptographic objects and security devices (key pairs, digital certificates, smart cards, tokens), from issuance until natural expiration or destruction.

SmartCMS offers every component and functionality needed for the key operations in the provisioning of cryptographic credentials and security devices. It is characterised by extremely easy user registration, fast enrolment and flexible management of credentials and devices.

SmartCMS offers a complete set of functionalities for the electrical and graphical customisation of devices through a user-friendly GUI that uses the most powerful navigation metaphors typical of high performance web applications.

The present document explains both the technical and functional features of smartCMS, and describes the default workflow for the enrolment and provisioning of cryptographic devices and certificates. Other workflows can nevertheless be supported by properly configuring the system during deployment.

smartCMS flexibly manages:

- smartcards, both contact and contactless, from multiple vendors, as long as a suitable PKCS#11 interface is provided
- a wide range of possible applications (E-government, Payment, Corporate, Healthcare, EMV, Education, Fidelity, Ad Hoc)
- native integration with different Italian and international Trusted Service Providers
- native integration with several certification authority software products
- the most common relational DBMS on the market


SmartCMS reduces to a minimum the time and cost associated with the deployment and management of smart cards, tokens and, in general, digital certificates.

SmartCMS is a system completely designed and developed in Italy, based on the long experience of Bit4id in PKI (Public Key Infrastructure) projects implemented both in Italy and on the international market.

SmartCMS benefits from a large number of installations and is therefore a mature product, specifically designed for managing the lifecycle of cryptographic objects such as key pairs, digital certificates, smartcards and e-ID cards.

The proposed solution is characterised by:

- performance and scalability
- ease of use and efficiency
- cost-effective installation, maintenance and update
- use of high quality and reliable solutions, products and technologies
- flexibility of customization
- modularity and expandability

SmartCMS is therefore the most complete RA and Digital Certificate Management System on the market, and it also includes all the functionalities needed for managing cryptographic devices, from issuance to expiration/destruction:

- Registration
- Production
- Life-cycle management
- User Profile Management
- Certificate Profile Management
- Graphical Customisation
- Profile Management
- Generation/Import of Secret Codes
- Management of the paper documentation associated with issuance


4 Technical features of smartCMS

In this section we describe in detail the technical features of smartCMS. The system has been developed with a highly modular architecture in order to meet the needs of customers from small to large enterprises.

4.1 Architecture

SmartCMS is implemented as a multi-tier web application based on open standards and can therefore be used through an internet browser.

The system architecture has been designed keeping in mind two main factors:

1. Simplicity and flexibility of deployment
2. General scalability of the system

The general architecture of the system usually involves the interaction of the following five elements:

1. client
2. web server
3. application server
4. database server
5. gateway to the CA services

A high-level overview of the system architecture is given in Figure 1.

4.1.1 Client

In the smartCMS software architecture, the client is used by the different types of system users, with different privileges (in certain configurations with self-service functionalities, also directly by cardholders).

The client is a standard internet browser with an additional browser extension developed by Bit4id, called Universal Key Chain (UKC), that allows the interaction with the different hardware components required by the specific type of enrollment, such as smartcard readers, tokens, printers, webcams, etc.

The UKC is a sandbox that allows the automatic and safe distribution of digitally signed applications to extend the browser capabilities quickly and efficiently, so as to enable functions like smartcard logon, interaction with smartcard printers and other functions that would otherwise require the installation and configuration of dedicated applications.

Figure 1. Registration Authority Software Architecture.

The UKC has an automatic update function that makes the distribution of fixes and the release of additional features easy and convenient.


Installation and use of the UKC do not require administrative rights, so they are possible even when users have a profile with limited permissions.

Furthermore, to guarantee a "zero-stress" experience even for enterprise users, the UKC uses the browser configuration for all the activities requiring internet access, thus exploiting the proxy configuration already set on client systems without the need for additional actions.

The UKC for Microsoft Windows operating systems supports the following browsers:

- Internet Explorer
- Mozilla Firefox
- Google Chrome

The web application is built according to the most recent and established standard web technologies, like semantic HTML5 and standard CSS, guaranteeing maximum efficiency and compatibility with modern and common internet browsers.

The client interacts with the web server using the standard HTTPS protocol.

4.1.2 Web Server

The web server is the component of the architecture responsible for receiving and answering requests from the clients with the highest efficiency and security.

The SmartCMS back end is based on the open source web server Nginx, among the most reliable and fastest web servers available on the market.

This component directly serves all the static resources that are part of the graphical interface (images, CSS, JavaScript, etc.) and talks to an Application Server to handle the requests that require dynamic processing.

The web server architecture is robust, scalable and secure. It consists of a master process and a configurable number of worker processes that run under an unprivileged user, and it has a very low memory footprint (10,000 inactive HTTP keep-alive connections consume only 2.5 MB of memory).

Nginx runs on various OS platforms such as UNIX, GNU/Linux, BSD, Mac OS X, Solaris and Windows. Important features are HTTP/1.1 support, SSL, SNI, TLSv1.1 and TLSv1.2, FastCGI, and simple load balancing and fault tolerance.


4.1.3 Application Server

The application server is implemented as a standard WSGI application in the multiplatform Python language.

This layer is modular and completely decoupled from any external system, with which it communicates only through adapters on specific interfaces.

In particular, the interaction with the DB server is implemented through a DB adapter that guarantees full support for the most common DBMSs, both commercial and open source, such as PostgreSQL, MySQL, Oracle and many others.

In addition to the obvious advantages of decoupling and compatibility with different DBMSs, this solution allows exploiting the communication protocols and specific optimizations of the selected system, ensuring a level of performance that would otherwise be lost in favour of compatibility.

The application server is equipped with administrative interfaces for monitoring and tuning performance, and it can be configured to produce the desired level of log messages, which can be redirected to a standard log server.

The system supports updates without service interruption through hot swap: the most recent version is installed and tested automatically in a separate context from the version in use, and then replaces it immediately, without interruption for the connected users. In case of problems it is possible to roll back to the previous version, automatically or at the request of the system administrator.

4.1.4 DBMS

The DBMS is a key component of the architecture: it stores all the system data and all the data of the user sessions.

The DB server is a completely transparent component of the application architecture thanks to the level of indirection offered by the DB Adapter. All the configurations supported by the DBMS chosen for the installation are therefore available:

1. Clustering
2. Automatic replication
3. Sharding

In a relational database the structure is as important as the data itself, and very often after an application update (or the installation of a new module) changes have to be applied to both the tables and the relations of the database. The update process is particularly delicate, since all the changes to the database structure have to be performed without data loss.

The DB Adapter of the CMS provides full support for data migration. It allows defining procedures that describe the changes to the database structure; these can be executed transactionally, forward and backward, safely applying all the necessary changes to the data in the database.
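As an added illustration of transactional forward/backward migrations, not smartCMS code and not its schema, the following Python example drives a constructed toy "device" table on an in-memory SQLite database; the table names and the deliberately broken third migration are constructed for the example, and each step is committed or rolled back as a whole.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Migration:
    """One reversible change to the database structure."""
    version: int
    description: str
    forward: Callable[[sqlite3.Connection], None]
    backward: Callable[[sqlite3.Connection], None]


# Constructed migrations for a toy "device" table (not the smartCMS schema).
def _m1_forward(conn):
    conn.execute("CREATE TABLE device (serial TEXT PRIMARY KEY, status TEXT NOT NULL)")


def _m1_backward(conn):
    conn.execute("DROP TABLE device")


def _m2_forward(conn):
    # Adding a NOT NULL column must not lose existing rows: give it a default.
    conn.execute("ALTER TABLE device ADD COLUMN holder TEXT NOT NULL DEFAULT ''")


def _m2_backward(conn):
    # Older SQLite has no DROP COLUMN: rebuild the table and copy the data back.
    conn.execute("CREATE TABLE device_old (serial TEXT PRIMARY KEY, status TEXT NOT NULL)")
    conn.execute("INSERT INTO device_old SELECT serial, status FROM device")
    conn.execute("DROP TABLE device")
    conn.execute("ALTER TABLE device_old RENAME TO device")


def _m3_forward(conn):
    # Deliberately broken step (constructed): the first statement succeeds, the
    # second fails, so the whole step must roll back and the version must not advance.
    conn.execute("CREATE TABLE certificate (serial TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO no_such_table VALUES (1)")


def _m3_backward(conn):
    conn.execute("DROP TABLE certificate")


MIGRATIONS: List[Migration] = [
    Migration(1, "create device table", _m1_forward, _m1_backward),
    Migration(2, "add holder column", _m2_forward, _m2_backward),
    Migration(3, "broken step (for the rollback demo)", _m3_forward, _m3_backward),
]


def open_db() -> sqlite3.Connection:
    """In-memory database with a version table, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # we issue BEGIN/COMMIT/ROLLBACK explicitly
    conn.execute("CREATE TABLE schema_version (version INTEGER NOT NULL)")
    conn.execute("INSERT INTO schema_version VALUES (0)")
    return conn


def current_version(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT version FROM schema_version").fetchone()[0]


def migrate(conn: sqlite3.Connection, target: int) -> int:
    """Move the schema to `target`, one migration per transaction.

    Each step runs inside BEGIN/COMMIT (SQLite DDL is transactional). If a step
    raises, its partial changes are rolled back together with the version
    update, so the database is never left half-migrated.
    """
    while current_version(conn) != target:
        v = current_version(conn)
        if target > v:
            step, new_v = MIGRATIONS[v].forward, v + 1      # apply migration v+1
        else:
            step, new_v = MIGRATIONS[v - 1].backward, v - 1  # undo migration v
        conn.execute("BEGIN")
        try:
            step(conn)
            conn.execute("UPDATE schema_version SET version = ?", (new_v,))
            conn.execute("COMMIT")
        except Exception:
            if conn.in_transaction:
                conn.execute("ROLLBACK")
            raise
    return current_version(conn)


def tables(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def columns(conn: sqlite3.Connection, table: str) -> List[str]:
    return [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
```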

4.1.5 CA Service Gateway

This component has been designed to decouple the system from the specific web services offered by each CA software or Trusted Service Provider for the issuance of certificates and for the management of their lifecycle (suspension, reactivation and revocation). This allows smartCMS to work simultaneously with different certificate providers; in other words, it works as a broker of CAs.

It permits the interaction with different CA software using the specific protocols and interfaces of the chosen system, without impact on the core system.

4.1.6 Scalability

The entire system has been designed from the beginning with the clear intent of ensuring scalability. This is achieved by choosing the components among the best available on the market and by designing an application without particular constraints on architectural scalability.

In particular, the Application Server contains a completely stateless application: it does not keep in memory any information related to the state of the application or to the user sessions. All state-related information is kept and efficiently indexed in the DB Server.

It is therefore possible to increase as desired the number of nodes of the Application Server, because each request can be fulfilled in the same way by any of the nodes. The same holds for the web server nodes, which support the most common and established techniques of load balancing and failover.

4.1.7 Modularity

SmartCMS was developed with a modular architecture to allow easy configuration of the system to cope with different scenarios.


The primary goal in the design of the smartCMS architecture was to ease the modeling of the data workflow (input and output) and to reduce the cost of integration into existing architectures. The system is made of a main component decoupled from the different modules, and it is configured using the IoC (Inversion of Control) pattern: the dependencies on external modules are not specified in the code, but are injected through the configuration of an IoC container.

This brings two very important advantages:

- Independence from implementation: since the modules are concrete implementations of well-defined application interfaces (where by interface we mean the set of messages that an object can receive, as in an object-oriented programming language), modifying a module, or even replacing it completely, does not interfere with the behavior of the other parts of the system.
- No need for initialization code: all systems designed with common imperative programming languages need some sort of initialization instructions, which contain a direct reference to the dependencies or to a service locator, a component queried to obtain the correct reference to the dependency to be used. With the IoC pattern this need does not exist, removing the very reason for initialization code. Also, thanks to this approach, it is not necessary to re-compile the entire system.
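As an added illustration of the IoC-configured modularity and of the CA Service Gateway acting as a broker of CAs (sections 4.1.5 and 4.1.7), the following Python sketch is not smartCMS code: the CAAdapter interface, the adapter names, the configuration keys and the in-memory stand-in providers are assumptions of this example, and swapping a provider is done by editing the configuration only.

```python
from abc import ABC, abstractmethod
from typing import Dict, Type


class CAAdapter(ABC):
    """Interface: the messages the core may send to any certificate provider."""

    @abstractmethod
    def issue(self, csr_pem: str) -> str: ...          # returns the certificate serial

    @abstractmethod
    def set_status(self, serial: str, status: str) -> bool: ...


class _InMemoryCA(CAAdapter):
    """Shared body of the two constructed adapters: statuses live in a dict,
    where a real adapter would call the provider's web service."""
    prefix = "ca"

    def __init__(self, **endpoint):
        self.endpoint = endpoint          # URL, credentials, ... from configuration
        self.certs: Dict[str, str] = {}

    def issue(self, csr_pem):
        serial = f"{self.prefix}-{len(self.certs) + 1:04d}"
        self.certs[serial] = "valid"
        return serial

    def set_status(self, serial, status):
        if serial not in self.certs:
            return False
        self.certs[serial] = status
        return True


class RestCA(_InMemoryCA):
    prefix = "rest"   # stand-in for a provider reached over HTTP REST


class SoapCA(_InMemoryCA):
    prefix = "soap"   # stand-in for a provider reached over SOAP


# Registry: the adapter names used in configuration, mapped to implementations.
ADAPTERS: Dict[str, Type[CAAdapter]] = {"rest": RestCA, "soap": SoapCA}
LIFECYCLE = {"suspend": "suspended", "reactivate": "valid", "revoke": "revoked"}


class Container:
    """Minimal IoC container: services are built from configuration on first
    use, so the core never names a concrete adapter class."""

    def __init__(self, services: Dict[str, dict]):
        self._services = services
        self._instances: Dict[str, CAAdapter] = {}

    def resolve(self, name: str) -> CAAdapter:
        if name not in self._instances:
            spec = dict(self._services[name])
            cls = ADAPTERS[spec.pop("adapter")]   # dependency injected, not hard-coded
            self._instances[name] = cls(**spec)
        return self._instances[name]


class CAGateway:
    """Broker of CAs: routes each certificate profile to a configured provider
    and remembers which provider issued each serial for later lifecycle calls."""

    def __init__(self, container: Container, routes: Dict[str, str]):
        self.container = container
        self.routes = routes               # certificate profile -> service name
        self.origin: Dict[str, str] = {}   # serial -> service name

    def issue(self, profile: str, csr_pem: str) -> str:
        service = self.routes[profile]
        serial = self.container.resolve(service).issue(csr_pem)
        self.origin[serial] = service
        return serial

    def lifecycle(self, operation: str, serial: str) -> bool:
        """suspend / reactivate / revoke, sent to the CA that issued the serial."""
        service = self.origin.get(serial)
        if operation not in LIFECYCLE or service is None:
            return False                   # unknown serial: refuse rather than guess a CA
        return self.container.resolve(service).set_status(serial, LIFECYCLE[operation])


# Constructed configuration: changing provider means editing this, not the code.
CONFIG = {
    "services": {
        "tsp_a": {"adapter": "rest", "base_url": "https://tsp-a.example/api", "api_key": "demo"},
        "tsp_b": {"adapter": "soap", "wsdl": "https://tsp-b.example/ca?wsdl", "ra_id": "RA7"},
    },
    "routes": {"signature": "tsp_a", "authentication": "tsp_b"},
}


def build_gateway(config: dict = CONFIG) -> CAGateway:
    return CAGateway(Container(config["services"]), config["routes"])
```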


5 smartCMS Web Interface

SmartCMS presents a user-friendly web interface from which it is possible to manage the entire life cycle of PKI credentials and devices.

As previously mentioned, the system was developed to be modular and flexible in order to effectively model the workflows of different organizations. In particular it is possible to define:

- Different roles with different privileges
- Authentication methods
- Certificate templates
- Data forms
- Submission/notification/authorization workflows
- Email templates

Moreover, the system is able to model a hierarchical organization of arbitrary complexity.

In this section we describe, as an example, the web interface of some typical system installations from the point of view of a super administrator. It is understood that different flows and user profiles can be configured depending on customer needs.

Figure 2. smartCMS web interface: homepage.


Home Page

The home page of the system can be configured to report some useful statistics on the number of active registration offices, registration officers and devices, or other relevant parameters that the customer wishes to monitor.

As an example, Figure 1 depicts the home page of the smartCMS installation Bit4id provided to Buffetti Group, a national chain for professional services to lawyers and accountants in Italy. The screenshot shows the number of active Registration Offices, the number of enabled operators and the number of activated devices.

Request management

The status of the requests for digital signature devices and certificates can be managed from the next sub-menu of the web interface. Here there is a list of the requests entered in the system, characterized by attributes such as ordinal number, registration office, card holder name, device type, status of the request (approved, pending, produced, etc.), registration date and production date. These attributes can be used to sort and filter the list.

Figure 3 shows a screenshot of the smartCMS page listing the recorded requests with their status.

Figure 3. smartCMS web interface: requests management.

On the same page it is also possible to insert a new request, in other words to register a new user, by filling in a data sheet with the details of the user, as shown in Figure 4. More information on the personal data module can be found in section 7.


Figure 4. smartCMS web interface: registration of a new user.

Registration offices

The system administrator can create new organizations and enable different registration offices within a single organization, thus reproducing the real hierarchical structure.

Figure 5. smartCMS web interface: registration of a new registration office.

As shown in Figure 5, each registration office can be identified by a number of synthetic parameters such as the number of operators, the number of requests and so on.


These parameters can be used to apply filters and to search for a specific registration office. The type and number of such parameters are configurable according to the needs of the customer.

Operators and Security Officers

Different types of security officers, characterized by different privileges, can be assigned to each organization and/or registration office in the "Operators" page of the smartCMS web interface, as shown in the following picture. As usual, advanced search options enable the administrator to sort the list of the active operators by different attributes.

Figure 6. smartCMS web interface: management of security officers.

Management of issued devices

Another useful management option is the possibility to have an overview of the issued devices, with information about the serial number, the status and the name of the user to which the device is assigned. Figure 7 shows the list of the devices with their status.


Figure 7. smartCMS web interface: management of issued devices.


6 Functional features of smartCMS

6.1 Functional architecture

From a functional point of view, smartCMS is a solution designed according to the typical modular approach: each functionality is fulfilled by a component independent from any other component in the system.

A direct consequence of this modular approach is that the whole system can be described by describing each separate subsystem. A more detailed description of each module is given in the following sections.

Figure 8. smartCMS functional modules.

6.2 Organizations, divisions and officers management

SmartCMS can be effectively deployed when the users involved in the issuance process belong to an organization managed as a hierarchical structure. In particular, one can configure any number of divisions and offices, even spread over several hierarchical levels.


Figure 9. Management of a hierarchical organization.

smartCMS is therefore suitable for complex organizations with many different operating units.

Users with the proper permissions can define a set of Organizations. Each organization can subsequently be divided into Divisions, each of which can have a specific competence (e.g. a specific geographical region of interest) and therefore will have access only to a subset of the whole system data.

A number of operators can be assigned to each organization and to each division. As we will see in the following, these operators are characterized by their specific roles.

A profile can easily be assigned to each operator on the basis of their role; more precisely, an operator receives a profile through the definition of specific permissions. These can be assigned to an individual operator or to all the operators that belong to a particular operating unit.

System users are registered in relation to the operational units they belong to, thus reflecting the actual structure of the organization.

This module allows to easily assign specific privileges to a section of the organization or to a particular office, and also to easily implement data visibility policies.

It is easy to deactivate an office or to temporarily activate a new one, for example to support contingent needs or enrolment campaigns, while keeping all the transactions performed by the system under control.


This module permits a quick configuration of data visibility policies and of access rules for users.

A one-click function is supported to restrict access by limiting the privileges of the users of a particular office or branch of the organization. This function allows the users of the relevant offices to access the system only for the device lifecycle management operations (suspending, reactivating and revoking), and only for the devices of their exclusive competency.

6.3 Authentication module

smartCMS requires all users of its application interface to authenticate, and thereby identifies them.

The authentication module plays a critical role, since it unlocks all the functionality of the entire system. For this reason it has been designed with the most stringent security requirements in mind.

Nonetheless, it remains highly configurable, allowing customization based on the requirements of the particular installation.

smartCMS natively supports the following authentication mechanisms, which can be used interchangeably:

- username and password, with internal or external storage of credentials (external database, LDAP, etc.)

- strong authentication based on a digital certificate stored inside a smartcard or token (the default mode, in line with the strict security requirements of the application)

- Single Sign On solutions developed by Bit4id

6.4 User profiles

The system provides different user categories depending on the privileges granted, which are defined on the basis of the tasks each category has to perform. The typical profiles are:

Registration Officer (RO). The person appointed by the Organization for the face-to-face identification of the subscriber and, more generally, to manage part of the relationship with the subscriber. The duties of the RO are:

- face-to-face identification of the subscriber;

- filling out the paper forms with the subscriber's personal information;

- entering the subscriber's personal information into the CMS database;

- delivery of the token/card to the subscriber, after collection from the personalization center.

The data visibility of the RO is restricted to the enrollments they performed themselves.

Delegated Officer (DO). The person in charge of the following operations:

- token/card personalization (on-board key pair generation and certificate download), if the decentralized issuance workflow has been chosen;

- delivery of the token/card;

- revocation of certificates;

- any other task also performed by the RO.

The Delegated Officer can operate on any enrollment performed at the registration office of their competence. Note, however, that the system administrator can assign different privileges to Delegated Officers in order to partially restrict the set of actions they can undertake: for example, data visibility could be restricted to the enrollments performed by the Delegated Officer alone, instead of the enrollments of the entire office to which they belong.

Bureau Officer (BO). In a workflow with centralized production of tokens, a Personalization Bureau is appointed by the main Organization and authorized by each registration office. Bureau Officers have privileges similar to those of the Delegated Officers; in particular they:

1. receive the paper requests signed by the subscribers and completed with all the needed details (e.g. type of signature device, delivery address for the secret codes, personal information of the subscriber, personal information of the RO who carried out the face-to-face identification, etc.);

2. enter the subscribers' personal information into the CMS database;

3. where required, verify the validity of the documents provided by the subscriber;

4. carry out token/card personalization (key pair generation and certificate download);

5. package the device with the accompanying letter for the subscriber;

6. send everything to the subscriber or to the registration office of competence.

If the data entry has already been performed by the Registration Officer, the Bureau Officer starts from step 3.

System Administrators (SA). They have the privileges needed to modify system configuration parameters (e.g. DB connection, log management, maintenance operations).

Help Desk (HD). Call center operators with privileges similar to those of the Delegated Officer, in particular for token lifecycle management (suspension, reactivation, revocation). Unlike Delegated Officers, HD operators have data visibility over all the devices issued by any registration office.

Audit Operators (AO). Operators who are allowed to view the audit files.

Token Holder (TH). The subscriber of the digital signature service.


Table 2 – Users profiles and privileges.
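The following is an added example, written for this page and not code from smartCMS or Bit4id, that models the permission and data-visibility rules of sections 6.2 and 6.4 in Python: operators belong to one office and hold one role; an RO sees only the enrollments they performed, a DO sees the enrollments of their office (unless the administrator narrows them to their own), a Help Desk operator sees every device, and the "one-click" restriction of an office cuts its users down to lifecycle operations on their own devices. The role names, the action names, the `own_only` flag and the sample operators and enrollments are assumptions made for the illustration.

```python
"""Added example (not smartCMS code): role permissions plus visibility scoping.

Assumed model: one office per operator, one role per operator, enrollments
tagged with the office where they were performed and the operator who did it.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Role(Enum):
    RO = "registration_officer"
    DO = "delegated_officer"
    HD = "help_desk"
    AO = "audit_operator"
    SA = "system_administrator"


LIFECYCLE = {"suspend", "reactivate", "revoke"}

# Actions per role, modelled on the profile descriptions of section 6.4 (assumed set).
PERMISSIONS = {
    Role.RO: {"enroll", "deliver", "view_enrollment"},
    Role.DO: {"enroll", "deliver", "view_enrollment"} | LIFECYCLE,
    Role.HD: {"view_enrollment"} | LIFECYCLE,
    Role.AO: {"view_audit"},
    Role.SA: {"configure"},
}


@dataclass(frozen=True)
class Operator:
    operator_id: str
    role: Role
    office: str              # operational unit the operator is registered against
    active: bool = True      # deactivated operators lose every permission
    own_only: bool = False   # SA-imposed narrowing of a DO to their own enrollments


@dataclass(frozen=True)
class Enrollment:
    enrollment_id: str
    office: str
    performed_by: str


def visible(op: Operator, enr: Enrollment) -> bool:
    """Data visibility policy: which enrollments the operator may see at all."""
    if op.role == Role.HD:
        return True                       # HD: devices of every registration office
    if op.role == Role.RO or op.own_only:
        return enr.performed_by == op.operator_id
    if op.role == Role.DO:
        return enr.office == op.office    # whole office of competence
    return False                          # AO and SA do not handle enrollment data


def authorize(op: Operator, action: str, enr: Optional[Enrollment] = None,
              lifecycle_only_offices: FrozenSet[str] = frozenset()) -> bool:
    """Permission = role allows the action AND (no target, or target is visible)."""
    if not op.active:
        return False
    allowed = PERMISSIONS[op.role]
    if op.office in lifecycle_only_offices:
        # The "one-click" office restriction of section 6.2: lifecycle
        # operations only, and only on devices of the operator's own office.
        allowed = allowed & LIFECYCLE
        if enr is not None and enr.office != op.office:
            return False
    if action not in allowed:
        return False
    return enr is None or visible(op, enr)
```

Visibility is checked after the role check on purpose: a Help Desk operator who can suspend any device still cannot enroll one, and a Registration Officer is refused a revocation even on an enrollment they can see.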


6.5 Operators management

smartCMS has a dedicated section for the management of operators, which offers the following functions:

- addition of a new operator

- deletion of an operator

- deactivation of an operator (e.g. to temporarily disable an operator's access)

- reactivation of an operator (the reverse of the previous operation)

- definition of the default task (when a new operator is created, the system requires associating them with a specific division of the organization and with a specific role, characterized by a precise set of privileges and permissions)

- addition of a new task

- deletion of a task

With all these operations supported, smartCMS allows flexible management of operators, adapting fully to the needs of a dynamic organization with complex operational workflows and a high level of staff turnover.

In addition, smartCMS offers batch import of a set of operators: given an input file (a CSV with a specific format), smartCMS creates the new operators with the roles and tasks indicated in the file.

7 Personal data module

The management of the personal data of card holders, as well as of all the people involved in the issuance process, is particularly important in security-critical workflows such as the distribution of devices containing digital identity certificates.

A key point is how the information recorded for each individual is entered into the system, and the validation rules applied to it.

The personal data module of smartCMS can be natively extended with arbitrary mixins. At the initial configuration stage, it is possible to define the list of attributes to be added or modified in the personal data sheet, in the device data sheet and in all the entities relevant to the data model, specifying for each of them the data type and the validation rules.

The other modules of the system recognize the new attributes as native, so they can be displayed in the application screens and used in search filters, in batch procedures and in report templates.

The personal data module also allows the definition of external sources (web services, databases, etc.) for assisted data entry, used when the information in the personal data sheet has to be entered manually by a human operator, or when it needs to be integrated during an automatic procedure.

8 Management of secret codes

This module implements the complete lifecycle management of the secret codes required to operate the devices issued by smartCMS.

Cryptographic tokens are usually issued together with security codes needed for their use, such as PIN and PUK codes, and codes to be used in special circumstances, for example one or more emergency codes used to revoke the certificates in case of theft or loss.

The secret codes module provides generation, import and production of the secret codes associated with devices.

smartCMS maintains an encrypted database of secret codes and assigns each device to a specific scratch card during the personalization stage. Both explicit association by an operator (for example when they have to choose a scratch card among those already produced and held in the warehouse of the operational unit) and fully automatic management by the system are supported.

This module allows the batch generation of cards of secrets, using an algorithm that generates unique sequences. The algorithm takes as input strong random numbers, the same ones generated inside a smartcard or an HSM (hardware generation).

In addition to the internal generation of cards, it is also possible to import batches of scratch cards in the most common data exchange formats (CSV, XML, JSON), including in encrypted form.


The module can also write the security codes in security envelope mode. In this case the codes are printed on envelopes with a carbon-transfer cover and blacked-out security patterns.

In this case it is preferable not to equip the registration offices with the necessary hardware; instead, the production of the batches created within the CMS can be outsourced by exporting the data. The exported data must be encrypted with the public key of an authorized service center, which in turn is equipped with the proper software for decryption.

A third-party manufacturer then takes charge of production, using security envelopes or, alternatively, scratch cards.

Batches generated in this way are marked as "to be generated" and enter the production cycle of the devices as soon as their receipt is confirmed by an authorised operator.

The secret code information is stored encrypted in the database and can be decrypted only by operators with the right permissions.

Cards of secrets are usually uniquely identified by a numeric code, which in some cases has to be typed in by a human operator. To reduce human error and make the codes easier to read, they are generated with a check digit computed according to the Luhn algorithm (the same one used for credit card numbers and IMEI numbers), and they can also be printed as a barcode. Luhn detects every single-digit error and every transposition of adjacent digits except 09/90, so it catches the typos that matter here but is not a secret: it protects against mistakes, not against a deliberate forgery of a card number.

Typing the scratch card identifier is a highly critical operation, because it happens when the request is recorded and creates a unique association between the specific cryptographic device and the corresponding scratch card. At production stage, the device is electronically personalised so that its PIN/PUK codes are the ones in the corresponding envelope of secrets.
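As an added example for the two points above (batch generation of cards of secrets and the Luhn-protected card identifier), not taken from smartCMS, the Python below builds a batch of scratch cards whose identifier carries a Luhn check digit and whose PIN, PUK and emergency code come from the operating system's CSPRNG, then shows the data-entry check that refuses a mistyped identifier before it can be bound to a device. The card-id layout (4-digit batch, 6-digit serial, check digit), the code lengths and the use of `secrets` in place of a smartcard or HSM random source are assumptions for the illustration; the encrypted store of the real product is not modelled.

```python
"""Added example (not smartCMS code): Luhn-checked scratch-card ids and
CSPRNG-generated secret codes for a batch of cards of secrets."""
import secrets
from dataclasses import dataclass
from typing import List


def luhn_check_digit(payload: str) -> str:
    """Return the digit d such that payload + d passes the Luhn check."""
    total = 0
    # Walk the payload right to left; the digit nearest the check digit is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True iff `number` (payload followed by its check digit) is Luhn-valid."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class ScratchCard:
    card_id: str          # batch (4 digits) + serial (6 digits) + Luhn digit
    pin: str
    puk: str
    emergency_code: str   # used to request revocation after theft or loss


def make_card_id(batch: int, serial: int) -> str:
    payload = f"{batch:04d}{serial:06d}"
    return payload + luhn_check_digit(payload)


def random_digits(n: int) -> str:
    # `secrets` draws from the OS CSPRNG; randbelow(10) is uniform, no modulo bias.
    # In the real system this entropy would come from the smartcard or HSM.
    return "".join(str(secrets.randbelow(10)) for _ in range(n))


def generate_batch(batch: int, count: int) -> List[ScratchCard]:
    """One card per serial; ids are unique by construction, codes are random."""
    return [
        ScratchCard(make_card_id(batch, serial), random_digits(6),
                    random_digits(8), random_digits(10))
        for serial in range(1, count + 1)
    ]


def lookup_card(cards: List[ScratchCard], typed_id: str) -> ScratchCard:
    """Operator data-entry check: a typo fails the check digit and is rejected
    before any lookup, so the device cannot be silently bound to the wrong card."""
    if not luhn_valid(typed_id):
        raise ValueError(f"check digit mismatch in card id {typed_id!r}")
    for card in cards:
        if card.card_id == typed_id:
            return card
    raise KeyError(typed_id)
```

The check digit makes a single wrong digit or a swapped pair of adjacent digits (other than 09/90) fail loudly at entry time, which is exactly the failure the page describes as critical: a wrong but existing card id would personalise the device with PIN/PUK codes that do not match the envelope delivered to the holder.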

9 Auditing – tracking operations

The auditing module included in the proposed solution tracks, in a database separate from the one supporting the application, all the significant events that modify data in the system.

The module is natively supported by the system and, once the list of entities to be tracked has been defined, it needs no further configuration, not even after the customization of the application data model or the installation of additional modules.

Each time an entity in the database is created, updated or deleted, a new entry is saved in the auditing database.

Each entry of the auditing system contains a snapshot, an exact copy of the records affected by the event, together with supporting information including:

- a time reference, precise to the second

- the identification number of the operator who caused the tracked event

- the type of event, for example "Insertion", "Modification", "Elimination"

The information in the auditing database can be accessed by operators with the right permissions through the graphical front-end and through the interactive shell.

In the front-end it is possible to browse the audit log by date or by specifying a filter expression. Since all audit log entries are associated with the objects affected by the tracked events, it is also possible to access the audit trail of each object, which corresponds to the complete history of the object from its creation to the time of the query.

The data can be exported in the most common data interchange formats, such as CSV, JSON and XML.

Using the HSM module, the exported data can be digitally signed with one of the configured certificates, in the formats defined by the most recent Italian and European regulatory standards (CAdES, PAdES and XAdES), for the uses allowed by law.
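The following added example (written for this page, not smartCMS code) shows the audit design of section 9 in Python: application records live in one store, every create, update and delete appends to a separate append-only audit store an entry carrying a second-precision timestamp, the operator id, the event type and a deep copy of the affected record, and the per-object trail or a date range can be extracted and exported as JSON. The two stores are plain in-memory structures standing in for the two databases, and the entity name, field names and the injectable clock are assumptions for the illustration; signing the export with an HSM is not modelled.

```python
"""Added example (not smartCMS code): audit trail in a store separate from the
application data, with snapshot copies and per-object history."""
import copy
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

INSERTION, MODIFICATION, ELIMINATION = "Insertion", "Modification", "Elimination"


class AuditedStore:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.app_db: Dict[Tuple[str, str], dict] = {}   # (entity, id) -> record
        self.audit_db: List[dict] = []                  # separate, append-only
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _record(self, event: str, entity: str, object_id: str,
                operator_id: str, snapshot: dict) -> None:
        self.audit_db.append({
            "timestamp": self._clock().replace(microsecond=0).isoformat(),
            "operator_id": operator_id,
            "event": event,
            "entity": entity,
            "object_id": object_id,
            # Deep copy: later edits to the live record must not alter history.
            "snapshot": copy.deepcopy(snapshot),
        })

    def create(self, entity, object_id, data: dict, operator_id) -> None:
        key = (entity, object_id)
        if key in self.app_db:
            raise KeyError(f"{entity}/{object_id} already exists")
        self.app_db[key] = dict(data)
        self._record(INSERTION, entity, object_id, operator_id, self.app_db[key])

    def update(self, entity, object_id, changes: dict, operator_id) -> None:
        key = (entity, object_id)
        self.app_db[key].update(changes)
        self._record(MODIFICATION, entity, object_id, operator_id, self.app_db[key])

    def delete(self, entity, object_id, operator_id) -> None:
        last_state = self.app_db.pop((entity, object_id))
        self._record(ELIMINATION, entity, object_id, operator_id, last_state)

    def trail(self, entity, object_id) -> List[dict]:
        """Complete history of one object, from creation to now."""
        return [e for e in self.audit_db
                if e["entity"] == entity and e["object_id"] == object_id]

    def between(self, start_iso: str, end_iso: str) -> List[dict]:
        """Browse by date; ISO-8601 strings in one zone compare lexically."""
        return [e for e in self.audit_db if start_iso <= e["timestamp"] <= end_iso]

    @staticmethod
    def export_json(entries: List[dict]) -> str:
        return json.dumps(entries, indent=2, sort_keys=True)
```

Keeping the audit store separate and append-only means an operator with write access to the application data still cannot rewrite the history of what they did; the deep-copied snapshot is what lets the Modification entry show the state after the change without being affected by the Elimination that follows.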

10 Device customization

The smartCMS device customization module allows the configuration of the device profiles that the system can produce. Smartcards and, more generally, the devices handled by the proposed CMS can go through various stages of customization, including:

- graphical customisation: the plastic support can be customised with:

o graphics and backgrounds

o text boxes with the holder's personal data

o barcode

o picture of the holder, if required

- electronic customisation: key pairs are generated on the device and the associated certificates are imported onto the device

- data customisation: the personal data file set defined in the profile is loaded onto the device

- codes customisation: the device access codes are updated to match the card of secrets associated at production stage

All these operations can be reconfigured and remodeled to specify the type of device to produce. The customization module therefore allows the definition of a file called "device profile", which contains both the logic defining the expected customization steps and the parameters and data defining the behavior of each step, such as the images used for the graphical customization of a smartcard.

The set of profiles available in a specific installation can be configured at deployment stage, so that once the system is running all the expected profiles are available to the operators.

The proposed system supports an arbitrary number of profiles, which can also be selected interactively in the browser at production time (if this feature has been enabled in the module configuration).

The device customization module uses an active component that is installed automatically inside the browser (even on workstations without administrative rights) and takes charge of the installation and automatic update of all the modules needed to interface with the hardware (smartcards, USB tokens, printers).

The proposed solution drives the smartcard through the Bit4id Universal Middleware, an established implementation of the PKCS#11 standard that allows complete interfacing with the most common smart cards on the market, including:

- Siemens CardOS

- Oberthur COSMO ID-ONE

- Gemalto e-ID Citizen

- ST Incard Incrypto34 v.2

- ST Incard Touch&Sign 2048

- Athena IDProtect

The device customization profiles are compatible with the Bit4id smartCMS batch station software, which provides an advanced environment for producing device batches in off-line batch mode, consistently with the proposed system.

As regards graphical customization, during production it is possible to see a print preview of the card about to be issued.

The real added value of smartCMS is the simplicity of production: the installation of the active component frees the operator from installing on their own machine the drivers needed to drive both the electronic customization devices and the graphical customization stations.

11 Enrolment of digital certificates

The enrolment module handles the procedures for certificate request generation and the secure communication with the Certification Authority (CA) application services responsible for issuance.

Independently of the CA issuance service, this module allows the following operations:

- issuance of a certificate

- issuance of a batch of certificates (for CAs that support it)

- suspension (temporary revocation) of a certificate

- reactivation of a suspended certificate

- revocation of a certificate

- revocation of a batch of certificates (for CAs that support it)

- renewal of a certificate

This module supports the web services of the main Italian CAs (InfoCert, PosteCOM, IT-Telecom, Actalis, Intesa, ArubaPEC).


12 Predefined provisioning flows

In its basic configuration smartCMS supports by default some predefined device issuance flows. The predefined modes are:

1. interactive mode: the devices are produced within an interactive browser session. The certificates are imported into the token and the device is created directly. This mode is useful when issuing a device from an office.

2. batch mode: the devices are created in batch and subsequently distributed to the holders. When possible, the enrolment module uses the CA service interfaces for mass issuance of certificates.

3. self-enrolment: after registration, the devices are delivered to the holders with no certificates on board. The holder then autonomously completes the production of their own device through a secure internet service.

The enrolment module also allows the configuration of the certificate Life Cycle Management operations, i.e. suspension/reactivation and revocation, which can be executed in the following modes:

1. indirect mode: the holder contacts the issuing office or a Help Desk operator and requests an update of the status of their certificates. The operator authorizes the operation and proceeds, through a dedicated function of the graphical interface, by forwarding the request to the CA in real time. The operation can also be carried out in two separate steps, by first collecting all the requests in a buffer and then revoking them in batch. The system records the operation, saving the personal information of the operator who performed it.

2. direct mode: no operator participation is required, unless the user asks for help (or in the case of a telephone procedure). The user accesses the portal and navigates to the service suspension page, then fills out a form with at least the following fields:

a) First name

b) Last name

c) Unique identification number

d) User code (the secret suspension code)

e) Reason for the suspension request (a drop-down list)

The system collects the request and suspends the validity of the certificate. The CMS then forwards the suspension request to the CA for the certificates associated with the holder's device.
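As an added example covering the lifecycle operations of section 11 and the direct-mode suspension form of section 12 (written for this page, not smartCMS code), the Python below keeps a per-certificate state machine in which revocation is terminal and reactivation is allowed only from the suspended state, and a handler for the self-service form that verifies the holder's secret suspension code against a salted PBKDF2 hash in constant time, suspends every still-valid certificate of the holder and queues the request for the CA. The holder registry, the form field names, the hashed storage of the suspension code and the in-memory CA queue are assumptions for the illustration; the page only states that secret codes are stored encrypted.

```python
"""Added example (not smartCMS code): certificate lifecycle state machine and
direct-mode suspension with constant-time verification of the user code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List

VALID, SUSPENDED, REVOKED = "valid", "suspended", "revoked"

# Allowed transitions (operation, current state) -> next state.
# Revoked is terminal; reactivation only undoes a suspension.
TRANSITIONS = {
    ("suspend", VALID): SUSPENDED,
    ("reactivate", SUSPENDED): VALID,
    ("revoke", VALID): REVOKED,
    ("revoke", SUSPENDED): REVOKED,
}


def transition(state: str, operation: str) -> str:
    nxt = TRANSITIONS.get((operation, state))
    if nxt is None:
        raise ValueError(f"cannot {operation} a certificate that is {state}")
    return nxt


def hash_code(code: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2-HMAC-SHA256 (iteration count kept
    # modest so the example runs quickly).
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


@dataclass
class Holder:
    first_name: str
    last_name: str
    uid: str                 # unique identification number
    salt: bytes
    code_hash: bytes         # hash of the secret suspension code
    certs: Dict[str, str]    # certificate serial -> lifecycle state


def register_holder(first_name, last_name, uid, suspension_code, serials: Iterable[str]) -> Holder:
    salt = secrets.token_bytes(16)
    return Holder(first_name, last_name, uid, salt,
                  hash_code(suspension_code, salt), {s: VALID for s in serials})


REQUIRED_FIELDS = ("first_name", "last_name", "uid", "user_code", "reason")
_DUMMY = (b"\x00" * 16, b"\x00" * 32)   # used when the uid is unknown


class DirectSuspension:
    def __init__(self, holders: Iterable[Holder]):
        self.holders = {h.uid: h for h in holders}
        self.ca_queue: List[dict] = []   # requests to forward to the CA

    def submit(self, form: dict) -> dict:
        missing = [f for f in REQUIRED_FIELDS if not form.get(f)]
        if missing:
            raise ValueError(f"missing fields: {missing}")
        holder = self.holders.get(form["uid"])
        # Hash the presented code even for an unknown uid so timing does not
        # reveal whether the identification number exists.
        salt, expected = (holder.salt, holder.code_hash) if holder else _DUMMY
        code_ok = hmac.compare_digest(hash_code(form["user_code"], salt), expected)
        identity_ok = (holder is not None
                       and form["first_name"].casefold() == holder.first_name.casefold()
                       and form["last_name"].casefold() == holder.last_name.casefold())
        if not (identity_ok and code_ok):
            return {"accepted": False}   # one generic refusal, no hint which field failed
        suspended = []
        for serial, state in holder.certs.items():
            if state == VALID:
                holder.certs[serial] = transition(state, "suspend")
                suspended.append(serial)
        if suspended:
            self.ca_queue.append({"uid": holder.uid, "operation": "suspend",
                                  "serials": suspended, "reason": form["reason"]})
        return {"accepted": True, "suspended": suspended}
```

The handler suspends only certificates that are currently valid, so a holder who already has a revoked certificate on the device does not get an error, and nothing is queued for the CA when there was nothing to suspend.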

13 Certificate Renewal

One of the main features of the proposed solution is certificate renewal. For all certificates about to expire, smartCMS generates a message with the instructions for the renewal procedure. The message also contains information about any administrative paperwork needed in order to use the service. The lead time between the renewal message and the expiry can be set as desired.

This communication is sent by email directly to the holder, together with a link to the automatic certificate renewal procedure.

The automatic renewal procedure replaces the certificates on board the holder's device with new certificates, through an issuance procedure that is digitally signed using the subscription certificate that is about to expire.

Where integration with a proprietary payment system (plafond) is required, and above all if a fee has to be paid, the system can present the links to the electronic plafond for checkout of the payment due for the renewal service.

To carry out the operation, the holder simply downloads a self-installing client application from a web portal, such as the services portal. The application performs the following steps:

- [optional] acquisition of the holder's credentials for access to their electronic plafond

- [optional] verification that the credit needed for the renewal is available

- certificate renewal, generating the needed cryptographic objects on board and communicating with smartCMS as appropriate

- [optional] charging the applicable fee to the holder's plafond

At the end of the procedure the user is notified of the outcome and of the new expiry date of their certificates.

14 API

smartCMS is a complex system offering many possibilities of integration with the other information systems of the organisations that adopt it. It is therefore very important to have tools that are both simple and powerful for sharing information and coordinating enterprise workflows.

The Application Programming Interface (API) module implements one of the interfaces between the proposed system and the outside world. Unlike the administration front-end and the shell, the API module exports application interfaces intended for use by other software.

All the operations implemented at system controller level, of which those implemented by the front-end are a subset, can be exposed as web services that can be safely called by authorised clients. The API module therefore allows configuring which calls are made available externally, the supported protocols and the required access level.

The smartCMS API can be published over one or more of the following protocols:

- JSON over HTTP

- HTTP Representational State Transfer (REST)

Public services can be published (for example the service that lists the offices), and services can also be configured so that access is limited to a predefined list of applications.

For this purpose the module allows configuring an authorisation system based on API Keys, identification codes used by client applications to prove their identity to the system. An API key identifies the calling application, not the operator behind it, so the operator-level permissions and visibility rules described in section 6 still apply to whatever the call does.
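The following added example (written for this page, not smartCMS or Bit4id code) implements the access model of section 14 in Python: a small gateway that publishes services either publicly or restricted to an allow-list of client applications, issues API keys, keeps only a SHA-256 fingerprint of each key so a leaked table cannot be replayed, and matches presented keys in constant time. The service names, the `X-API-Key` header, the HTTP-style status codes and the sample office list are assumptions for the illustration.

```python
"""Added example (not smartCMS code): API-key authorisation for published
services, with public and allow-listed endpoints."""
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Iterable, Optional, Set, Tuple


def generate_api_key() -> str:
    return secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG


def key_fingerprint(api_key: str) -> str:
    # Only this digest is stored; the key itself is shown to the client once.
    return hashlib.sha256(api_key.encode()).hexdigest()


class ApiGateway:
    def __init__(self):
        # service name -> (handler, allowed client ids or None when public)
        self.services: Dict[str, Tuple[Callable[[dict], dict], Optional[Set[str]]]] = {}
        self.clients: Dict[str, str] = {}   # client id -> key fingerprint

    def register_client(self, client_id: str) -> str:
        key = generate_api_key()
        self.clients[client_id] = key_fingerprint(key)
        return key

    def publish(self, name: str, handler: Callable[[dict], dict],
                allowed_clients: Optional[Iterable[str]] = None) -> None:
        self.services[name] = (handler, None if allowed_clients is None else set(allowed_clients))

    def _authenticate(self, api_key: Optional[str]) -> Optional[str]:
        if not api_key:
            return None
        presented = key_fingerprint(api_key)
        for client_id, stored in self.clients.items():
            if hmac.compare_digest(presented, stored):   # constant-time compare
                return client_id
        return None

    def call(self, name: str, headers: dict, body: Optional[dict] = None) -> Tuple[int, str]:
        """Dispatch like an HTTP front: returns (status, JSON body)."""
        entry = self.services.get(name)
        if entry is None:
            return 404, json.dumps({"error": "unknown service"})
        handler, allowed = entry
        if allowed is not None:                          # restricted service
            client = self._authenticate(headers.get("X-API-Key"))
            if client is None:
                return 401, json.dumps({"error": "missing or invalid API key"})
            if client not in allowed:
                return 403, json.dumps({"error": "client not allowed for this service"})
        return 200, json.dumps(handler(body or {}))
```

A key that authenticates but is not on the service's allow-list gets 403 rather than 401, which keeps "who are you" separate from "what may you call" and is the distinction the page draws between public services and services limited to a predefined list of applications.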


15 Management and administration tools

smartCMS is complemented by a set of dedicated tools for the main management and maintenance activities, ordinary and extraordinary, expected of an enterprise system.

15.1 Interactive Shell

The proposed system is equipped with an interactive shell that allows the execution of simple system commands, such as restart, data backup and restore, log file management and optimisation of static resources.

Using the interactive shell, a user with administrative rights can write scripts to automate batch and maintenance procedures. Queries and data update procedures can be written simply and intuitively using the smartCMS object model.

15.2 Data backup and restore

The proposed system natively provides a data backup and restore tool that is independent of the database in use. Backup files are saved in an abstract format that the module interprets and translates, so the data can be restored onto another database, even one configured on a different DBMS from the system the backup was taken from.

15.3 Support for fixtures

It is often convenient to define a set of test data, for example to support bug fixing, to write unit tests, or purely for testing purposes.

smartCMS supports the (automatic or interactive) loading into the database of structured test files (in JSON, XML and YAML format) called fixtures.

A fixture can be written with a common text editor, or exported directly from a working copy of the system through a dedicated command of the administrative shell.

15.4 Support for automatic migrations

All IT systems that depend on a relational database have a specific structure of tables and relations that, when the software modules are updated or extended, needs to be adjusted. These refactoring operations can be extremely complex and costly, and must update the database structure without data loss.

smartCMS natively integrates support for database migrations, a procedure that allows defining the revisions of the relational schema as a simple script describing, at a high level, the changes to be applied, directly using the smartCMS object model.

The system therefore allows migrating the database automatically from one revision to another, forward or backward, applying the relevant migrations in a fully transactional context, protected from the risk of data loss. Note that transactional DDL is a property of the DBMS rather than of the migration tool: PostgreSQL and SQLite roll back schema changes with the transaction, while MySQL commits each DDL statement implicitly, so on such a database a failed migration step must be undone by its reverse step rather than by a rollback.

Migrations can be listed and applied, automatically or manually, through a series of dedicated commands of the administrative shell.
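The following added example (written for this page; it is not the smartCMS migration tool) shows the mechanism of section 15.4 on SQLite with Python's standard `sqlite3` module: each revision is a pair of `up` and `down` steps, a `schema_version` table records the current revision, `migrate` walks forward or backward to a target revision, and every step runs inside an explicit transaction so that a failing step leaves both schema and data exactly as they were. The `operator` table, its columns and the revision numbering are invented for the illustration; SQLite is used because its DDL is transactional, which is what makes the rollback in the last part of the test observable.

```python
"""Added example (not smartCMS code): reversible schema migrations applied one
revision at a time, each inside its own transaction."""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List

Step = Callable[[sqlite3.Connection], None]


@dataclass(frozen=True)
class Migration:
    version: int
    up: Step
    down: Step


def _v1_up(conn):
    conn.execute("CREATE TABLE operator (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")


def _v1_down(conn):
    conn.execute("DROP TABLE operator")


def _v2_up(conn):
    conn.execute("ALTER TABLE operator ADD COLUMN office TEXT NOT NULL DEFAULT ''")


def _v2_down(conn):
    # Portable way to drop a column on SQLite: rebuild the table, keeping the rows.
    conn.execute("CREATE TABLE operator_new (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.execute("INSERT INTO operator_new (id, username) SELECT id, username FROM operator")
    conn.execute("DROP TABLE operator")
    conn.execute("ALTER TABLE operator_new RENAME TO operator")


MIGRATIONS = [Migration(1, _v1_up, _v1_down), Migration(2, _v2_up, _v2_down)]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path, isolation_level=None)   # we issue BEGIN/COMMIT ourselves
    conn.execute("CREATE TABLE IF NOT EXISTS schema_version (version INTEGER NOT NULL)")
    if conn.execute("SELECT COUNT(*) FROM schema_version").fetchone()[0] == 0:
        conn.execute("INSERT INTO schema_version VALUES (0)")
    return conn


def current_version(conn) -> int:
    return conn.execute("SELECT version FROM schema_version").fetchone()[0]


def _run(conn, step: Step, new_version: int) -> None:
    """One step and its version bump commit together or not at all."""
    conn.execute("BEGIN")
    try:
        step(conn)
        conn.execute("UPDATE schema_version SET version = ?", (new_version,))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise


def migrate(conn, target: int, migrations: List[Migration] = MIGRATIONS) -> int:
    """Move the schema to `target`, forward (up) or backward (down), one revision at a time."""
    by_version: Dict[int, Migration] = {m.version: m for m in migrations}
    cur = current_version(conn)
    while cur < target:
        m = by_version[cur + 1]
        _run(conn, m.up, m.version)
        cur = m.version
    while cur > target:
        m = by_version[cur]
        _run(conn, m.down, m.version - 1)
        cur = m.version - 1
    return cur


def pending(conn, migrations: List[Migration] = MIGRATIONS) -> List[int]:
    """Revisions not yet applied, as the shell's "list migrations" command would show."""
    cur = current_version(conn)
    return [m.version for m in migrations if m.version > cur]
```

The version bump is written in the same transaction as the schema change, so the recorded revision can never disagree with the actual schema, which is the invariant that makes "migrate backward" safe to run unattended.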

15.5 Environment-aware configuration

smartCMS natively encourages the creation of disjoint sets of configuration profiles to support installation and deployment in separate environments.

System administrators can easily create smartCMS installations with specific configurations.

The most common case is to always keep a separate active instance of smartCMS for the production environment and for one or more staging or testing environments.

15.6 Update with hot swap

smartCMS allows deploying updated versions of the software directly on a running system, pushing updates without service interruption.

The hot-swap system is implemented independently of the application server chosen for the installation and can be managed in detail through a series of dedicated commands of the administrative shell.

15.7 Advanced logging system

smartCMS implements a particularly flexible subsystem for managing log messages. It is possible to define, in a granular way and separately for each module:

- the verbosity of messages

- the format of the log file

- the physical destination of the messages (file on disk, syslog server, relational database)

The administrative shell integrates a series of commands for real-time monitoring of the logs, with the possibility of viewing and filtering logs from several installations at the same time (as in configurations that include clustering).

smartCMS natively integrates support for Bit4id Smartlog, the solution for recording all logical accesses by system administrators to the processing systems and to the electronic archives.

16 Monitoring

smartCMS allows real-time monitoring of services and of the system's operating indicators. In particular, it is possible to monitor the correct functioning of the various subsystems (both internal and external to the system, such as the enrolment services) through a series of convenient commands of the administrative shell.