Out with the old: vSEC:CMS and Yubikey PIV Tokens can replace Legacy Microsoft PKI Systems

In the ever-changing landscape of cybersecurity and personnel authentication, one of the most time-consuming and difficult tasks is migrating or replacing an old or end-of-life (EOL) security system. With PKI systems, this could not be more true.

Moving devices, managing old certificates, and minimizing user overhead and issues are difficult at best without a strong migration path. With the announcement from Microsoft that its Microsoft Identity Manager and Forefront Identity Manager platforms (MIM and FIM) are approaching their end-of-life dates, companies are scrambling to find the most seamless and cost-effective migration route.

Enter Versasec’s vSEC:CMS S-Series.

vSEC:CMS addresses the sticky migration issue by allowing users to import and manage legacy credentials previously used in MIM and FIM. A good example of how to use Versasec in this way comes from Sandia National Labs, which faced the same issue of an end-of-life management system and a user base of 25,000 employees/users with legacy cards and credentials that would potentially need to be migrated.

Migrating smart cards from MIM and FIM is accomplished using a built-in export wizard in the vSEC:CMS S-Series Console. With this tool, users can export smart cards and tokens from Microsoft and third-party smart card managers into the vSEC:CMS console. As tokens are imported, they can be replaced or phased out as the new YubiKey PIV tokens are issued to users. Users can also request the new credential themselves using the vSEC:CMS User Self-Service tool, making it easier for IT staff to deploy new tokens.

In August 2020, Envoy Data, Versasec, and the Sandia National Labs Engineering staff began deploying the vSEC:CMS solution in a series of remote assistance sessions. Activities included the following:

  • Producing and deploying the CMS console
  • Configuring MD830 and YubiKey token templates
  • Building a CMS connection to Active Directory, the CA, and other supporting services
  • Configuring the User Self-Service Portal
  • Confirming a working deployment to MD830 and YubiKey tokens
  • Creating documentation of the deployment and configuration process (conducted by Sandia in this case)

After confirming the creation of working tokens and verifying that the token policies were in the correct format, the configuration services were concluded.

"The main benefits from the vSEC:CMS for us are the ability to manage the YubiKey FIPS, manage the Gemalto IDPrime series smartcards, and give us the ability to import management data from MIM. The other capabilities that we are also using are the ability to manage the YubiKey PIV card stock and only issue certificates to devices that we have authorized in the CMS. We are also using the User Self-Service portal for device activation to help us with distribution during the Covid-19 pandemic. The ability to renew certificates from the User Self-Service portal will be a big gain in supporting the device."