2.11 Setting up OPACITY
The Open Protocol for Access Control Identification and Ticketing with privacY (OPACITY) provides a secure, high-speed contactless interface for smart cards that support the protocol. MyID supports OPACITY Zero Key Management (ZKM), enabling interoperability with a range of readers or terminals.
When MyID personalizes the smart card, it creates a digitally signed Card Verifiable Certificate (CVC) on the card; by verifying this signature, an application can determine whether it trusts the card sufficiently to communicate with it over the contactless interface.
The OPACITY information on the smart card is reset when you erase the card. If you cancel the card using any other process (for example, Cancel Credential), the OPACITY information remains on the card: remote cancellation processes do not physically affect the card, and the CVC is not revoked.
Optionally, a pairing code can be generated when MyID personalizes the card, preventing the use of OPACITY over the contactless interface until a device has been able to provide the correct pairing code; this code is reset on the card when you erase it.
Note: MyID does not communicate with smart cards over the OPACITY contactless interface. You must always connect a smart card to a smart card reader to communicate with MyID.
2.11.1 Smart cards supported for OPACITY
See the tables of supported features in each chapter in this document for details of which cards support OPACITY. Any additional information about the specifics of the smart cards' support for OPACITY is detailed in the interoperability section in the appropriate chapter.
2.11.2 Setting up the CVC signing certificate
When MyID personalizes a smart card to support OPACITY, it creates a Card Verifiable Certificate (CVC) on the card; this certificate is digitally signed, which means that you must configure MyID to use a signing certificate for this purpose.
The signing certificate must be an ECC certificate with an appropriate size for the cards being issued; for example, IDEMIA ID-One PIV 2.4.1 cards support P256 and P384, therefore ECC NIST P384 Curve is recommended.
To configure the signing certificate in the MyID registry:
- On the MyID application server, log on using the MyID COM+ account.
- Request a certificate that will be protected by CNG (Key Storage Provider). You can issue a certificate from any certificate authority as long as it is available to CNG.
  Note: Do not enable strong private key protection on the certificate, as this will prevent processing of the request by the MyID account.
- Once the certificate has been generated, install it and save it as a .cer file (either Base64/PEM or binary format). You must save it in a location accessible to the MyID application, so save it to the Components folder within the MyID installation folder.
  Note: You may need administrative privileges to save files to this area.
- Enter the filename of the certificate in the system registry:
  - From the Start menu, run regedit.
  - Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice\PIV
    If this key does not exist, you can create it.
  - Set the value of the following string to the full path and filename of the certificate:
    CVCSigningCertificate
    Create the value if it does not exist.
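The following PowerShell script is an added example and is not part of the MyID documentation or product. It performs the checks an administrator would want before pointing MyID at a CVC signing certificate (the file loads, the key is ECC of a size the cards support, the certificate is not expired, and the matching private key is held by a CNG Key Storage Provider in the current account's personal store) and then creates the registry key and CVCSigningCertificate value described above. The certificate path is a placeholder, and the script assumes it is run in a session started as the MyID COM+ account on the application server.

```powershell
# Added example, not from the MyID documentation. Run in a PowerShell session
# started as the MyID COM+ account on the application server, so that the
# CurrentUser certificate store and the registry write both apply to that account.
# The certificate path is a placeholder; substitute the real .cer file location.
param(
    [string]$CertPath = 'C:\Program Files\Intercede\MyID\Components\cvc-signing.cer'  # placeholder path
)

$regKey  = 'HKLM:\SOFTWARE\Intercede\Edefice\PIV'
$regName = 'CVCSigningCertificate'

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "CVC signing certificate file not found: $CertPath"
}

# X509Certificate2 loads both Base64/PEM and binary (DER) .cer files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# The CVC signing certificate must be ECC; P-384 is the recommended curve for
# IDEMIA ID-One PIV 2.4.1 cards. GetECDsaPublicKey returns $null for non-ECC keys.
$ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
if ($null -eq $ecdsa) {
    throw "Certificate is not ECC (public key algorithm: $($cert.PublicKey.Oid.FriendlyName))"
}
if ($ecdsa.KeySize -notin 256, 384) {
    throw "Unsupported ECC key size $($ecdsa.KeySize); expected 256 or 384"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# The private key must be in this account's personal store under a CNG Key
# Storage Provider; a missing or unusable key is one cause of the
# "CVC signing certificate is not present or invalid" failure at collection time.
$installed = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object -First 1
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "No private key for thumbprint $($cert.Thumbprint) in the current user's personal store"
}
$privateKey = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($installed)
if ($privateKey -is [System.Security.Cryptography.ECDsaCng]) {
    Write-Host "Private key held by KSP: $($privateKey.Key.Provider.Provider)"
}

# Create the registry key if it does not exist and write the full path as a REG_SZ value.
if (-not (Test-Path -Path $regKey)) {
    New-Item -Path $regKey -Force | Out-Null
}
New-ItemProperty -Path $regKey -Name $regName -Value $CertPath -PropertyType String -Force | Out-Null

# Read the value back and confirm it matches what MyID will look up.
$configured = (Get-ItemProperty -Path $regKey -Name $regName).$regName
if ($configured -ne $CertPath) {
    throw "Registry value mismatch: expected '$CertPath', found '$configured'"
}
Write-Host "$regName = $configured (thumbprint $($cert.Thumbprint), ECC P-$($ecdsa.KeySize))"
```

The script deliberately stops on the first failed check rather than writing the registry value, so a misconfigured certificate is caught here instead of surfacing later as a failed card collection. It cannot detect whether strong private key protection was enabled when the key was requested; that setting still has to be confirmed in the certificate request itself.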
2.11.3 Setting up the credential profile
You must set up a credential profile in MyID to allow you to issue smart cards with support for OPACITY.
To set up a credential profile for OPACITY support:
- From the Configuration category, select Credential Profiles.
- Edit an existing credential profile or create a new one.
- In the Issuance Settings section, set the following options:
  - OPACITY – set this to one of the following values:
    - None – Do not attempt to perform OPACITY personalization.
    - OPACITY without Pairing Codes – Personalize the OPACITY CVC but do not set an OPACITY pairing code.
    - OPACITY with Pairing Codes – Personalize the OPACITY CVC and generate and set an OPACITY pairing code.
  - Send Pairing Code Emails – when the card is issued, send an email to the cardholder containing the pairing code.
- In the Mail Documents section, set the following option:
  - Select PIN Mailing Document – select a PIN mailing document template that contains the user's pairing code.
  See section 2.11.4, Distributing the pairing code for details of your options for distributing pairing codes.
- Complete the credential profile.
See the Managing credential profiles section in the Administration Guide for details of setting up credential profiles.
Note: MyID can personalize a smart card to support OPACITY when it is issued; however, it cannot update an already-issued smart card to a new version of the credential profile that has had OPACITY added. If you want to issue smart cards to support OPACITY, you must set up the credential profile to support OPACITY before you initially issue the cards.
2.11.4 Distributing the pairing code
If you are setting up your smart cards to use pairing codes for OPACITY, you must send the code to the cardholder when the card is issued. You can provide the pairing code in the following ways:
- Using an email template.
  Select the Send Pairing Code Emails option in the credential profile, and MyID sends an email to the cardholder's email address using the Pairing Code Notification email template. You can edit this template using the Email Templates workflow.
  For information on editing email templates, see the Changing email messages section in the Administration Guide.
  To confirm that a pairing code has been sent in an email notification, you can review the Notifications Manager workflow.
- Using a PIN mailing document.
  Note: Only the Collect Card and Batch Collect Card workflows support mailing document templates. Other workflows, for example Print Mailing Document, use the previous Microsoft Word-based mail merge document templates, which do not support pairing codes. If you are using card activation, you are recommended to send pairing codes in an email instead.
  Select a mailing document template from the Select PIN Mailing Document option in the credential profile, and MyID generates a document when the card is issued that you can print and send to the cardholder.
  To include the pairing code in a mailing document, you must add the following substitution code to the template:
  %%rawdevice.PairingCode_decrypt%%
  For details of configuring templates for PIN mailing documents, contact customer support, quoting reference SUP-255.
  To confirm that a pairing code has been printed, you can review the Audit Reporting workflow for the Print Mailing Document operation.
  Note: If you generate a mailing document and the document contains the text "Pairing Code" instead of an actual pairing code, check that you have set the OPACITY option in the credential profile to OPACITY with Pairing Codes.
2.11.5 Identifying SPE cards
You can confirm whether a card has been issued with support for OPACITY Secure PIN Entry (SPE) by using the Identify Card workflow. The Chip Type displayed in the workflow includes "SPE" if the card requires OPACITY Secure PIN Entry.
2.11.6 Audit details
You can confirm that a card has been issued with support for OPACITY by checking the Audit Reporting workflow in MyID.
- From the Reports category, select Audit Reporting.
- From the Operation drop-down list, select Issue Card.
- Click Search.
- Click the green icon on the audit record for the card issuance you want to view.
  This displays the breakdown of the actions carried out during the card issuance.
- Click the green icon for the top action in the list.
- In the Audit Information Gathered dialog, click Card Content.
  At the bottom of the list, an entry similar to the following means that the card has been issued with support for OPACITY:
  2019-04-04 15:18:56 Personalised the Secure Messaging CVC object. Success
2.11.7 Troubleshooting OPACITY smart cards
If you see an error similar to the following when attempting to collect a smart card set up for OPACITY:
Unable to perform the requested operation
Solutions:
A problem occurred attempting to process your selection.
Please contact your administrator.
Error Number: 890493
The audit for the failure may additionally mention the LoadCVC operation.
This error may be caused by the following:
- Using an older version of MyID Desktop.
  Update your client software to the latest version.
- Using a smart card reader that does not support extended APDU commands.
  Use a smart card reader that supports extended APDU commands; see section 5.5.7, Smart card readers supported for OPACITY for details.
- Attempting to create a CVC when the CVC signing certificate is not present or is invalid.
  Set up a CVC signing certificate; see section 2.11.2, Setting up the CVC signing certificate.
If you see an error similar to the following:
An unexpected error has occurred.
Solutions:
Please contact your administrator.
Error Number: -2147220720
The extra information may contain the following:
Error: 0x80040310: Not logged into card
Extra Info: Error caused by function Unlock Pin
This error may be caused by attempting to collect an SPE card using a credential profile that is not set up for OPACITY.