2 Securing Devices

When you install MyID, the settings on the Device Security page of the Security Settings workflow are configured to require you to use customer GlobalPlatform keys and random Security Officer PINs (SOPINs). The system is also configured to display warnings if your system is not securely configured:

Security configuration warning

The message is:

The system is not configured for production use - check the MyID system security checklist document for further information.

If this warning appears, you must review the settings on the Device Security tab on the Security Settings workflow:

| Setting | Default value | Description |
| --- | --- | --- |
| Display warnings for unsecured issuance | Yes | Displays a warning on the login screen if the system is not securely configured and an attempt is made to issue credentials. You must ensure that your system is configured appropriately according to the guidance provided in the System Security Checklist and your own security policy. If you want to run MyID with secure settings disabled (for example, for test or demonstration systems) and this option is not available to be edited on your system, contact customer support to discuss your requirements, quoting reference SUP-273. |
| Enable Customer GlobalPlatform Keys | Yes | Whether the installation supports Java applets. If you do not have this option set, you will be unable to write customer GlobalPlatform keys to your cards. |
| Require Random Security Officer PIN | Yes | If this is set to Yes but the Security Officer PIN Type is set to Factory, cards cannot be issued. |
| Security Officer PIN Type | Random | Random – Generate a random SOPIN and set it on the card to be initialized (higher security). Factory – Leave the default SOPIN on the card (low security). |
| Show all devices | No | When set to No, restricts the list of devices on this page to the smart cards known to support GlobalPlatform or PIV 9B keys. When set to Yes, displays all devices known to MyID. |

Note: You can also set the requirements for customer GlobalPlatform and PIV 9B keys for each device type supported by your system. If the option is set to Yes, and the card supports the feature, MyID requires the customer key to be configured before issuing devices of this type.

If you change any of the options on this screen away from the default, your system will be potentially insecure, and MyID will display an appropriate warning when you log in to MyID or issue a smart card that would be affected.