4.2 Configuring MyID for FIPS 201-3 card issuance (PIV)

To set up the enrollment and issuance models you require for your installation of MyID for PIV, you must follow these steps:

Step: Configure PIV signing certificate on the MyID server
Description: PIV card issuance must be electronically signed using a certificate. The certificate must be issued and configured on the MyID server.
See: Section 4.5, Configure server signing certificates.

Step: Configure Certificate Authority
Description: A connection must be established to the Certificate Authority to allow certificate policies to be downloaded and configured for issuance by MyID.
Specific data attributes must be included in each certificate for PIV compliance, but note that these attributes may differ if you are using MyID for a non-US Federal site (PIV-I or CIV).
See: The integration guide for your CA.

Step: Configure cryptographic keys
Description: PIV cards are secured using cryptographic keys that are written to the card. These keys must be configured in MyID to allow issuance, after which the keys on the card are updated to a value known only to MyID.
See: Section 5.1, PIV card application administration key (9B).

Step: Configure card layouts
Description: FIPS 201 defines the physical layout of a PIV card as well as its electronic elements. MyID is supplied with card layout templates that are ready to use, but these can also be customized to meet any specific needs.
See: Section 5.4, Setting up the credential profile.
See: Section 5.4.1, Updating existing card layouts.

Step: Configure credential profiles
Description: Credential profiles define what content is added to the PIV card and the issuance model used to issue the card.
If you are using MyID for a non-US Federal site (PIV-I or CIV), ensure you select the appropriate card data model.
See: Section 5.4, Setting up the credential profile.

Step: Configure MyID groups
Description: In MyID, a group can be used to represent an agency. This requires some specific data to be added, which is used to form the data written to each PIV card issued to that agency.
See: Section 5.6, Manage agencies.

Step: Configure user data sources
Description: You can add and amend PIV user attributes using the following:

  • MyID Core API. This requires the configuration of a data feed from your enrollment system.

  • Manually adding users with the MyID workflow Add Person.

  • Importing users from a connected LDAP-compliant directory using MyID Desktop or the MyID Operator Client.

  • The PIV applicant editing screens, which allow PIV-specific attributes to be updated and fingerprint and facial biometric enrollment to take place.

  • Lifecycle API. This is deprecated in favor of the MyID Core API.

See: Section 5.15, Editing PIV applicants.

Step: Configure notifications
Description: MyID can generate notifications to other systems during issuance or cancellation. This can be used to ensure that other systems are kept up to date with the latest information from MyID.
See: For more information on notifications, contact customer support quoting reference SUP-222.

Step: Configure roles for agency-specific processes
Description: Configuring MyID roles allows role separation to be enforced, and provides each user with access to the operations they need.
See: The Roles, groups, and scope section in the Administration Guide.