
JCOP 3 cards with Idopte middleware

This article includes updates for Smart ID 23.04.9 and 23.10.3.

This article contains details specific to the use of JCOP 3 cards with the Idopte Middleware.

Only cards with one specific custom profile are supported.

Signature slot support

Define signature slot location

The current card profile supports up to two signature certificates, protected by a dedicated signature PIN. Two authentication certificates and two confidentiality certificates can be written onto the card, protected by the normal PIN.

To select the slot, you need to specify the location. Valid location values are (case insensitive) Signature and Confidentiality. If omitted or set to any other value, the authentication container will be used. Key archival or recovery is only possible with the Confidentiality location.

  • Define the signature slot location in the encoding description.

    Example: Signature slot location

    [Application_X]
    location=#Signature
    ...

Keyset configuration

Configure keysets

Some operations require one or more keysets to be defined to enable external authentication and secure channel establishment. Each keyset configuration consists of a key label in an HSM (for example connected to the Inside Server), and in most cases a key path indicating a matching key on the card.

The following values are used in the example below:

Keyset                       Key label in HSM   Key path on card
AD ("activate/deactivate")   theKeyLabel1       theKeyPath1
ADMIN                        theKeyLabel2       theKeyPath2
PUK                          theKeyLabel3       theKeyPath3
FileMgmt                     theKeyLabel4       theKeyPath4
PINAD                        theKeyLabel5       n/a

Do the following:

  • Define the keyset configuration.

    Example: Keyset configuration

    [Description]
    ...
    KeysetAD=#theKeyLabel1:theKeyPath1
    KeysetADMIN=#theKeyLabel2:theKeyPath2
    KeysetPUK=#theKeyLabel3:theKeyPath3
    KeysetFileMgmt=#theKeyLabel4:theKeyPath4
    KeysetPinAD=#theKeyLabel5

    You can also use mapped fields:

    Example: Keyset configuration - mapped field

    [Fields]
    KEYSET_AD=

    [Description]
    ...
    KeysetAD=KEYSET_AD

Configuration overview

Overview of which keyset parameters to configure, depending on the use-case. The keyset parameters (table columns) are KeysetAD, KeysetADMIN, KeysetPUK, KeysetPINAD and KeysetFileMgmt; the use-cases (table rows) are:

  • ICCSN reading
  • Card initialization
  • Keypair generation
  • Key import (key archival/recovery)
  • Certificate writing
  • Cert+key deletion
  • PIN change (via old PIN): cell note "must be absent"
  • Unblock PIN (via PUK keyset, PIN pad reader)
  • Unblock PIN (via PUK keyset, normal reader): cell note "may be set anyway"
  • EF data objects access

[The per-cell markings of the original table did not survive extraction. The keysets each operation needs are stated in the sections below, for example KeysetAD and KeysetADMIN for card initialization and the file management keyset for EF data objects access.]

Card initialization

The card initialization consists of the following steps (listed for explanation only; they are not executed individually by the user):

  • External authentication with an AD keyset.

  • Mutual authentication with an ADMIN keyset. This is potentially done multiple times during initialization.

  • Login with transport PIN (parameter "IdopteTransportPin=..."). For information about decrypting the transport PIN, see section "Credentials: Decrypt fields using Inside Server" in Credentials - Standard service tasks in Identity Manager. 

  • Initialization of global PIN (parameter "PIN=...") and signature PIN (parameter "SignPIN=...").

  • Unblocking the single-use PUKs for global/signature PINs as these are already present on the card (to match existing cards using the same profile).

  • Unblocking the AD PIN, which is already present on the card.

  • Blocking the transport PIN.

Keyset parameters required: KeysetAD and KeysetADMIN.

Each of the three PINs (transport/global/signature) must come from a mapped field, or be typed on a PIN pad. Using a PIN dialog is not supported for card initialization.

The step below must be run only once; attempting to initialize an already initialized ("activated") card will result in an error.

  • Define the initialization of the card in the encoding description (executed by the user).

Example

Example: Card initialization (PIN pad reader only)

Change and unblock PIN

Change signature/global PIN

You can change the global and/or signature PIN with the user entering the old and new PIN(s) in a dialog or through a PIN pad reader.

  • Change the signature/global PIN in the encoding description. 

Example

Example: Signature PIN change (via PIN pad reader or dialog, auto-detected)

 

Unblock signature/global PIN

You can unblock the global and/or signature PIN, with the user entering the new PIN(s) in a dialog.

  • Unblock the global/signature PIN in the encoding description. 

Example

Example: Signature PIN unblocking (via normal reader)
Example: Global PIN unblocking (via PIN pad reader or dialog, auto-detected)

Delete certificates and keys

Delete certificates and RSA keys from card

You can bulk-delete all existing certificates and RSA keys from the card. Selective deletion of individual certificates and keys is not supported.

  • Delete all existing certificates and RSA keys from the card in the encoding description. 

Example

Example: Delete all keys and certificates (from card)

 

Certificate requests

Request certificates

The card profile supports storage of up to six certificates and associated 2048-bit RSA keypairs organized into three "containers":

                                          auth                  sign                       conf
Location parameter value                  "default" (optional)  "signature" (mandatory)    "confidentiality" (mandatory)
Associated PIN type                       global ("PIN=...")    signature ("SignPIN=...")  global ("PIN=...")
Keypair generation + PKCS#10 request
Keypair import (key archival / recovery)  no                    no                         yes
Maximum number of certificates            2                     2                          2

[The per-container markings of the "Keypair generation + PKCS#10 request" row did not survive extraction. The "Keypair import" row follows from the location parameter description above: key archival or recovery is only possible with the Confidentiality location.]

Three new certificates are requested in the example below: authentication, signature, and confidentiality (using key archival for the latter).

Key archival of a historical confidentiality cert must be done. The service task "Cert: Load Key History List" must be configured to recover only a single certificate, otherwise the limit of allowed certificates will be exceeded. For more information, see section "Cert: Load Key History List" in Standard service tasks in Identity Manager.

  • Define the request for multiple certificates in the encoding description.

Example

Example: Request multiple certificates
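As an added example (not Smart ID or Idopte code), the Python below checks an encoding description against the container rules described above: case-insensitive location values with the authentication container as fallback, key archival only in the confidentiality container, and the limit of two certificates per container. It assumes the INI-like layout shown on this page; "keyArchival" is a hypothetical parameter name standing in for whatever marks key archival in a real description.

```python
import configparser
from collections import Counter

# Constructed sample (hypothetical values): "#" marks a literal, an un-prefixed value names a mapped field in [Fields].
SAMPLE = """[Fields]
CONF_LOCATION=Confidentiality
[Application_1]
location=#signature
keyArchival=#true
[Application_2]
location=CONF_LOCATION
keyArchival=#true
[Application_3]
location=#Confidentiality
[Application_4]
location=#CONFIDENTIALITY
[Application_5]
"""

MAX_PER_CONTAINER = 2  # two certificates per container, six in total

def resolve(cfg, value):
    """'#literal' is used as-is; any other value is looked up as a mapped field."""
    if not value:
        return None
    return value[1:] if value.startswith("#") else cfg.get("Fields", value, fallback=None)

def container_for(location):
    """Case-insensitive; anything but Signature/Confidentiality (or no location) means auth."""
    return {"signature": "sign", "confidentiality": "conf"}.get((location or "").lower(), "auth")

def check_containers(text):
    """Return {application: container} and a list of rule violations."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key and field names case-sensitive
    cfg.read_string(text)
    assigned, problems = {}, []
    for name in cfg.sections():
        if not name.startswith("Application_"):
            continue
        cont = container_for(resolve(cfg, cfg[name].get("location")))
        assigned[name] = cont
        # key archival/recovery is only possible with the Confidentiality location
        archival = (resolve(cfg, cfg[name].get("keyArchival")) or "").lower() == "true"
        if archival and cont != "conf":
            problems.append(f"{name}: key archival/recovery requires the Confidentiality location")
    for cont, n in Counter(assigned.values()).items():
        if n > MAX_PER_CONTAINER:
            problems.append(f"{cont}: {n} certificates exceed the limit of {MAX_PER_CONTAINER}")
    return assigned, problems
```

Running check_containers(SAMPLE) flags Application_1 (archival outside the confidentiality container) and the third confidentiality certificate.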


EF data containers

Read EF data objects

Smart ID Identity Manager supports reading the EF.Id (Card Holder Identification) and EF.Fonction (Professional information) data containers.

Do the following in the encoding description:

  1. In the [Description] section, set readDataObjects to "true".

  2. In the [Description] section, provide the file management keyset.

  3. In the [Fields] section, add the keys of the data you want to read.

    • The keys for the EF.Fonction container are ef.function.job, ef.function.postingPlace and ef.function.productionDate.

    • The keys for the EF.Id container are ef.id.familyName, ef.id.firstName, ef.id.rio, ef.id.uin, ef.id.orgName1 and ef.id.orgName2.

  4. In the Encoding Fields tab, set the added fields to "Read" and map them to a process variable.

Example

Example: Reading of EF data objects

Update EF data containers

Smart ID Identity Manager supports updating the EF.Id (Card Holder Identification) and EF.Fonction (Professional information) data containers.

Do the following in the encoding description:

  1. In the [Description] section, provide the file management keyset.

  2. In the [Description] section, set the keys of the data you want to update and map them to a field. Any keys you omit will keep their old value.

    • The keys for the EF.Fonction container are ef.function.job, ef.function.postingPlace and ef.function.productionDate.

    • The keys for the EF.Id container are ef.id.familyName, ef.id.firstName, ef.id.rio, ef.id.uin, ef.id.orgName1 and ef.id.orgName2.

  3. In the [Fields] section, define the fields you referenced in the previous step.

  4. In the Encoding Fields tab, set the value of the fields. To clear a field in a data container, map it to an empty value.

Example

Example: Update EF data objects

Idopte middleware limitations

Serial number reading

When reading the ICCSN, the full serial value from EF_SN (without the tag and length bytes) is returned.

Example

This is an example for a card which is shown in the Idopte middleware user interface as follows:
Card model: IAS ECC 9-250-03
Serial number: 2702338220012
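As an added example (not Idopte or Smart ID code), the Python below separates the tag and length bytes of a BER-TLV element from its value, which is the part of EF_SN that is returned as the ICCSN. The EF_SN record is constructed and its tag byte 0x5A is an assumption, not taken from this page.

```python
# Constructed EF_SN record (assumed tag 0x5A, short-form length 0x0A, ten value bytes).
SAMPLE_EF_SN = bytes.fromhex("5A0A802702338220012F0001")

def tlv_value(record: bytes) -> bytes:
    """Return the value bytes of the first BER-TLV element in record."""
    if not record:
        raise ValueError("empty record")
    i = 0
    # Tag: one byte, or more if the low five bits are all set (0x1F);
    # further tag bytes follow while bit 8 of the current byte is set.
    if record[i] & 0x1F == 0x1F:
        i += 1
        while record[i] & 0x80:
            i += 1
    i += 1
    # Length: short form (< 0x80), or long form 0x8N followed by N length bytes.
    length = record[i]
    i += 1
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(record[i:i + n], "big")
        i += n
    value = record[i:i + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return value

def iccsn_hex(record: bytes) -> str:
    """The whole EF_SN value as an upper-case hex string, tag and length stripped."""
    return tlv_value(record).hex().upper()
```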

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.