31.2 Device Security page (Security Settings)

Setting

Display warnings for unsecured issuance

Default value

Yes

Description

Displays a warning on the login screen if the system is not securely configured and an attempt is made to issue credentials.

Further information

Review the System Security Checklist before disabling this option, and ensure that your system is configured appropriately according to the guidance provided and your own security policy. See the Securing Devices section in the System Security Checklist guide for details.

 

Setting

Enable Customer GlobalPlatform Keys

Default value

Yes

Description

Specifies whether the installation supports Java applets. If this option is not set, you cannot write customer GlobalPlatform keys to your cards.

Further information

See section 7.2, Enabling GlobalPlatform keys.

 

Setting

Manage PIV 9E key on supported devices

Default value

No

Description

Updates the PIV 9E key, if it is supported by the device. The card's symmetric 9E key is diversified from the 9B Master Key; it is changed to the customer master key during card issuance, and changed using the factory master key when the card is erased.

Set this option to Yes to update the PIV 9E key on supported devices during issuance and erasure. Set this option to No to prevent any attempt to update the PIV 9E key on issuance or erasure.

Setting

Require Random Security Officer PIN

Default value

Yes

Description

If this is set to Yes but the Security Officer PIN Type is set to Factory, cards cannot be issued.

Setting

Security Officer PIN Type

Default value

Random

Description

Random – Generate a random SOPIN and set it on the card to be initialized (higher security).

Factory – Leave the default SOPIN on the card (low security).

Setting

Show all devices

Default value

No

Description

When set to No, restricts the list of devices on this page to the smart cards known to support GlobalPlatform or PIV 9B keys.

When set to Yes, displays all devices known to MyID.

Note: You can also set the requirements for customer GlobalPlatform and PIV 9B keys for each device type supported by your system. If the option is set to Yes, and the card supports the feature, MyID requires the customer key to be configured before issuing devices of this type.

If you change any of the options on this screen away from the default, your system will be potentially insecure, and MyID will display an appropriate warning when logging in to MyID or when issuing a smart card that would be affected. See section 29.4, System security for more information.

The Securing Devices section in the System Security Checklist document contains important information on securing your system.