User Manual
User Management
User Login
To log into the PKI-as-a-Service Portal you need to use a SmartCard-HSM. There is no other way to obtain access.
Your SmartCard-HSM provides for two-factor authentication: You need to have access to the card or token and need to know the PIN. The Portal authenticates the token using the Device Authentication Key that each SmartCard-HSM contains from production.
The Portal maintains user accounts using your e-mail address as the unique identifier. The SmartCard-HSM you use to authenticate for login is linked to your account. You can have multiple cards or tokens registered for your account.
There are two ways to create a user account in the Portal:
- Using Self-Enrollment (if allowed by the operator) or
- through enrollment in a TrustCenter.
Linking the account with the token used for authentication involves sending an activation code to the e-mail address used for account creation. That way the system ensures that only the holder of the e-mail account can register a token to that account.
Self-Enrollment
Self-Enrollment (if enabled by the operator) starts automatically when you try to log in using a SmartCard-HSM card or token that is not yet registered.

Insert your card or token and press "Continue" or reload the page.
The Portal requires an OCF Web-Client running on your local computer. If you see the following message

then the browser could not redirect the activation request to the client. Make sure the Smart Card Shell or OCF Web-Client is running. In the Smart Card Shell make sure that "Start background web client" is checked in the preferences.

If not, check the option and restart the Smart Card Shell. It should open port 27001 on localhost. The Smart Card Shell integrates the OCF client, so there is no need to have both running.
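A quick way to confirm the listener, as an added example that is not part of the Portal or Smart Card Shell software: the script checks that something accepts connections on localhost port 27001 and, as an extra check not described in this manual, whether the same port also answers on the machine's non-loopback addresses. The function names and status strings are made up for this example.

```python
import socket

OCF_PORT = 27001  # port named in this manual for the local web client

def can_connect(host, port, timeout=1.0):
    """Return True if a TCP connection to (host, port) succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, or no IPv6 support
        return False

def non_loopback_addresses():
    """Best-effort list of this machine's own non-loopback IPv4 addresses."""
    addrs = set()
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET)
    except OSError:
        return []
    for info in infos:
        addr = info[4][0]
        if not addr.startswith("127."):
            addrs.add(addr)
    return sorted(addrs)

def check_web_client(port=OCF_PORT):
    """Classify the state of the local web client listener."""
    loopback = {h: can_connect(h, port) for h in ("127.0.0.1", "::1")}
    # Assumption of this example: the client is only needed on loopback,
    # so an answer on any other local address is worth a closer look.
    exposed = [a for a in non_loopback_addresses() if can_connect(a, port)]
    if not any(loopback.values()):
        status = "not-running"
    elif exposed:
        status = "reachable-beyond-loopback"
    else:
        status = "ok"
    return {"status": status, "loopback": loopback, "exposed": exposed}

if __name__ == "__main__":
    result = check_web_client()
    print("status:", result["status"])
    for host, up in result["loopback"].items():
        print(f"  {host}:{OCF_PORT} ->", "open" if up else "closed")
    for addr in result["exposed"]:
        print(f"  also answering on {addr}:{OCF_PORT}")
```

A status of "not-running" matches the case described above where the browser cannot reach the client.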
If the port is open, you can see the browser connecting to the web client in the trace tab:

If the web client was successfully activated, you are prompted to enter the PIN for your SmartCard-HSM.

The PIN dialog may be hidden by some other window; sometimes it can't grab the focus from the browser windows.
After entering the correct PIN, the card or token is authenticated and you are logged in.

If the token or card was not registered yet, you are prompted to enter your e-mail address.

The Portal then sends a 6-digit activation code to this e-mail address. Use this activation code in the next step. You can always come back later and start over with the same token. The Portal will continue here in the activation process.

If you did not receive an activation code, then check the e-mail address. If that is wrong, click on "Didn't get an activation code" to fix the e-mail address.
If you are using an instance of the Portal that does not have the ability to send e-mails (e.g. when you are trying the Portal software locally), then you need to look up the activation code in the log file.

If the correct activation code was entered, you are prompted to select your notification settings. You can change your settings later by opening the "Register Token" service request.

Now you have completed your self-enrollment and should see your first service request on the left side of the screen. Service requests are the central workflow in the Portal. You can start service requests from the "Home" menu or from context menus attached to UI elements.
Next you can create a Trust Center and start managing your own PKI and SmartCard-HSM base.