4.8 Setting up MyID when you have existing PIV cards
If you already have issued PIV cards from a system other than MyID, and are switching over to use MyID as your PIV card management system, you must bear in mind that PIV cards use a value called the credential number, along with other attributes, to form a unique identifier known as the FASC-N. You must avoid clashes between the FASC-N on the already issued cards and the new cards issued by MyID.
Note: The FASC-N only appears on FIPS 201 PIV cards – PIV-I and CIV cards do not allow use of the FASC-N. A GUID is used instead to uniquely identify the card. PIV-I and CIV cards will have the credential number set to a fixed value of 999999. This occurs when the agency code is set to 9999.
- The base credential number is set at installation of the product. By default it is set to 250000 for a new installation. If the installation is an upgrade from a previous version of MyID, no change is made to the credential number.
- If you have existing PIV cards in circulation (issued by another CMS or managed service, using the same agency code as you intend to use), you must:
  - Amend the value of the base credential number before you start issuing cards in the production environment, or
  - Supply the credential number for each card as part of the request generated using the Lifecycle API; this means that an external system must ensure that the value provided is unique and not duplicated within your agency.
- There are various approaches that can be taken to managing the uniqueness of the credential number:
  - Card requests are generated by MyID
    When a card is requested (either new issuance or a replacement), the next available credential number is assigned and stored as part of the user account. The base credential number is incremented at this point.
  - Card requests are generated by an external system
    You can import a credential number using the Lifecycle API. It is stored as part of the MyID user account. MyID does not change the base credential number.
  - Card requests are generated by both MyID and an external system
    - Separate credential number ranges
      A distinct number range is assigned to each system. When a card request is created in MyID, the base credential number is incremented. When an external system creates a card request, there is no change to the base credential number. You must monitor usage of credential numbers to ensure that the two ranges do not overlap.
    - MyID controls the credential number
      The configuration option Credential Number Per Device identifies the field holding the credential number; this is used at card issuance. You can remove the value of this configuration option, meaning that each card issuance generates a new credential number rather than retrieving it from the user account. When this occurs, the base value is incremented by 1. The credential number used is stored against the user account.
Note: The base credential number managed by MyID rolls over from 999999 to 000000, as the credential number is a six-digit value. This causes the re-use of existing values.
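The allocation rules described above (MyID incrementing the base credential number, an external system supplying its own values, the fixed 999999 value for PIV-I/CIV cards, and the six-digit rollover) as an added example, not Intercede's code: a small monitor an administrator could run over exported card records to detect credential-number clashes before cutting over to MyID. It assumes a card is identified by (agency code, system code, credential number) and ignores the other FASC-N fields.

```python
# Added example (not part of MyID): model the credential-number rules from
# this section and flag duplicates before they reach a production FASC-N.
# Assumption: identity key is (agency code, system code, credential number);
# the remaining FASC-N fields are ignored here.

CRED_MODULUS = 1_000_000          # credential number is a six-digit value
PIV_I_CIV_AGENCY = "9999"         # agency code that forces credential number 999999
PIV_I_CIV_CREDENTIAL = "999999"   # PIV-I / CIV cards: uniqueness comes from the GUID


class CredentialNumberMonitor:
    def __init__(self, agency_code, system_code, base_credential_number):
        self.agency_code = agency_code
        self.system_code = system_code
        self.base = base_credential_number   # next value MyID would assign
        self.issued = set()                  # keys already in circulation
        self.clashes = []                    # duplicates found, for reporting

    def _key(self, credential_number):
        return (self.agency_code, self.system_code, f"{credential_number:06d}")

    def record_existing(self, credential_number):
        """Register a card issued by the previous CMS or an external system.

        Returns False (and logs a clash) if that value is already in use."""
        key = self._key(credential_number)
        if key in self.issued:
            self.clashes.append(key)
            return False
        self.issued.add(key)
        return True

    def allocate_from_myid(self):
        """Model MyID assigning the next value and incrementing the base."""
        if self.agency_code == PIV_I_CIV_AGENCY:
            return PIV_I_CIV_CREDENTIAL      # fixed value, base is not touched
        credential = f"{self.base:06d}"
        self.base = (self.base + 1) % CRED_MODULUS   # 999999 rolls over to 000000
        key = (self.agency_code, self.system_code, credential)
        if key in self.issued:
            self.clashes.append(key)         # rollover or range overlap re-used a value
        self.issued.add(key)
        return credential
```

Feed `record_existing` every credential number already in circulation for your agency code, then compare the planned base against `clashes` before the first production issuance.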
If you want to change the base credential number used by MyID, contact Intercede customer support, quoting reference SUP-127. The credential number must be carefully considered to ensure that duplicate credential numbers are not used.
See also section 5.5, Setting credential numbers, for more information.