What is FICAM
FICAM is the acronym for Federal Identity, Credential, and Access Management, an architectural roadmap and implementation guide designed to help U.S. federal government agencies improve their services' security, cost, and interoperability. FICAM addresses the intersection of digital identities, secure credentials, and access control into one comprehensive management approach. It also supports the integration of physical access control with enterprise identity and access systems and enables information sharing across systems and agencies with common access controls and policies.
Key benefits include increased security, compliance with laws and regulations, improved interoperability, enhanced customer service, elimination of redundancy, and increased protection of personally identifiable information. The federal government had to move from low-security proximity cards to high-security Personal Identity Verification (PIV) smart cards with security certificates to achieve these benefits.
Identiv’s FICAM Solution includes the following hardware and software components
Prerequisite:
The FED Unlimited Edition of Velocity must be updated to the version 3.6 SP2 or later release, and you must obtain a license for the Velocity Certificate Checking Service (version 3.6.5.108 or later)
Each controller running in FICAM mode must include a SNIB3 communications expansion board (with SNIB3 firmware version 2.01.0005 or later) and an RS-485 Readers Expansion Board (RREB), or have the equivalent functionality built onto the mainboard
M2, M8, Mx, Mx-1, or Mx-1-ME controllers (CCM firmware version 7.5.63 or later)
To enroll PIV, PIV-I, or TWIC cards into Velocity, you also need a smart card reader with contacts (such as Identiv's SPR332 v2.0 Secure Class 2 PIN pad reader)
New FICAM-capable RS-485 card readers (such as Identiv’s uTrust TS Government readers, Veridt’s Stealth Bio, or Stealth Dual readers) are required
FICAM uses larger data structures that require more memory per credential, you should consider adding a memory expansion board to each controller running in FICAM mode or the user can switch to SNIB3 DB mode for extra user capacity
For more information about Identiv’s FICAM Solution, see the following Web page:
https://www.identiv.com/products/physical-access/hirsch-government-ficam-solution
For most customers, Identiv’s FICAM solution enables you to upgrade an existing Velocity system, instead of having to purchase and install a new physical access control system.
Installing and Licensing the Velocity Cert Check Service
Installing and Licensing the Velocity Cert Check Service (VCCS), which consists of the following three tasks:
Purchasing and Installing the VCCS
Obtaining a license for the VCCS from Identiv
Adding the license key for the VCCS to the Velocity License Manager
Purchasing and Installing the Velocity Cert Check Service
Contact Identiv to purchase the VCCS
Obtain the installation file for the VCCS from Identiv, and copy it to your Velocity Server
Locate the installation file (such as VelocityCertService_3.8.5.29), then right-click on it and choose the “Run as administrator” command from the pop-up menu
While running the VCCS setup, a dialog appears displaying the ValidationSystemID as shown. Please make a note of this ID.
If your Velocity system is already running the previous certificate checking service provided by Identiv’s Professional Services Group, the installer will automatically upgrade your system to use the new Velocity Cert Check Service, and your existing configuration settings will be migrated from the config.xml file into the Velocity database.
Obtaining license for the Velocity Cert Check Service
If you have forgotten to make a note of the ValidationSystemID while running the VCCS setup, follow the steps 1 till 3 below to get the System ID.
Right-click on the icon for Velocity’s Service Control Manager (in the Windows tray), and choose Settings.
In the resulting Velocity Settings dialog:
Click on the Velocity Cert Check Service entry in the left-hand pane.
On the resulting Velocity Cert Check Service Settings page, click on the Configure button.
On the General page of the resulting Velocity Cert Check Service Configuration dialog, copy the value in the System ID field to the Windows Clipboard, then paste it into an email message.
For details about “Enforce FICAM Strict Compliance” checkbox, refer the Velocity help pages under Home -> FICAM Solution -> Configuring and Managing the Velocity Cert Check Service -> Velocity Cert Check Service Configuration dialog –> General pageRight-click on the icon for Velocity’s Service Control Manager (in the Windows tray), and choose Velocity License Manager.
On the resulting Velocity License Manager window, copy the value of the Velocity Server ID field (on the top line) to the Windows Clipboard, then paste it into the email message.
Compose your email message so that:
It is addressed to vlas@identiv.com
It has a Subject such as “License Request for Velocity Cert Check Service“
The Body includes both the System ID value and the Server ID values
Send the email message
Adding the license key for the VCCS to the Velocity License Manager
To add the license key for the Velocity Cert Check Service to the Velocity License Manager:
Right-click on the icon for Velocity’s Service Control Manager (in the Windows tray), and choose Velocity License Manager.
Copy the license key (which is a large block of letters and numbers) in the email message from Identiv to the Windows Clipboard. On the Velocity License Manager window, paste the license key into the Add / Renew License field, then click the Add / Renew button.
Now, the VCCS is installed and licensed on your system.
Use the `GenerateTemporaryValidationKey.exe` tool found in the VCCS install directory to generate a temporary Validation Engine license key. This temporary key can populate the VLAS license, enabling 30-day use.
The temporary key allows the user to provide Identiv with the necessary information to issue a permanent VLAS license containing the Validation Key parameter. This ensures that the user can use VCCS for 30-days while waiting for the HID to process the permanent license.
Enabling FICAM Mode on Velocity System
After the Velocity Cert Check Service has been installed and licensed, follow the steps below to enable FICAM mode.
Click on the menu button in the upper left corner of Velocity’s main window.
Click on the Preferences button at the bottom of the drop-down menu.
On the General tab of the resulting Velocity Preferences dialog, check the Enable the FICAM Mode checkbox.
For more details about FICAM Degraded Mode Timeout, refer the Velocity help pages under Home -> FICAM Solution -> Enabling FICAM Mode and Specifying the FICAM Degraded Mode Timeout setting.Restart the Velocity client and all Velocity Services for the configuration to apply.
Creating the User Defined Fields for PIV Smart Card Readers
To map the data on a PIV card to fields in the Velocity database and use it for FICAM:
From the Enrollment Manager’s menu bar, choose the Tools > User Defined Fields… command.
On the User Defined Fields page of the resulting User Defined Setup dialog, create the user-defined fields needed for the data of a PIV card, with the Caption and Type specified.
When you are finished creating the user-defined fields, click the OK button.
From the Enrollment Manager’s menu bar, choose the Tools > Preferences command.
On the General page of the resulting Preferences dialog, click on the drop-down list in the UDF Name Parsing section and select the user-defined field you created earlier for the Full Name, then click the OK button. (This text data will be parsed into separate First Name, Middle Name, and Last Name fields.)
Click the OK button on the message dialog informing you that these changes will not take effect until after the Enrollment Manager has been restarted, then close and reopen the Enrollment Manager.
Creating a Credential Template for PIV and PIV-I Smart Cards
After you have created the user-defined fields for a PIV card, and specified the mappings between the data objects on a PIV card and the corresponding user-defined fields (which is part of the procedure in Configuring a PIV Reader for Enrolling PIV Cards), you can create a credential template for PIV cards which concatenates the appropriate set of numeric user-defined fields to construct the Federal Agency Smart Credential Number (FASCN).
To create a new credential template for FICAM PIV cards, perform the following steps.
In Velocity’s main window, expand the System Tree (in the left pane of the Administration module) to display the Velocity Configuration > Credential Templates folder, and click on that folder.
In the right pane of the Administration module, double-click the Add New Template item.
In the New Credential Template Properties dialog, specify the appropriate values on the General page.
In the Description field, type a unique descriptive name for this new credential template
From the Badge Template drop-down list, select (None) because you will not be creating new printed badges
From the IDF drop-down list, select an entry that includes Card
From the card Type drop-down list, select 200-bit FASCN
Click on the UDF… button (on the right of the Data field)
On the Concatenate FASCN UDFs dialog, select the corresponding numeric UDF (previously defined in Creating the User-Defined Fields for a PIV Card) from each drop-down list, then click OK.
For creating a credential template for PIV-I smart cards, follow steps 1 till 3. In the Concatenate FASCN UDFs dialog, for UDF field selection on Agency Code, select 'UUID' from the drop-down for PIV-I card.
Unlike the PIV cards, the PIV-I cards accept only one UUID value.
Setting up the Door Properties
The RS-485/OSDP reader configuration for FICAM must be configured for an entry reader or exit reader.
FICAM-Related Options on the Setup (or General) Page
The fields and options that appear on this setup page vary somewhat depending on which value is selected for the Reader Interface option. For example, When the RS-485 Interface value is selected for the Reader Interface option, the RS-485/OSDP group of fields and options appear:
Velocity supplies a default reader name, such as Reader 01.
From the Disable reader above this level drop-down, select the threat level for the door.
Note: Threat level is a numeric value assigned to each card reader for access to be granted. If the card threat level is greater than or equal to both the reader's and the system's threat level, access is granted. If the card threat level is less than either, access is denied. Changing the system's threat level can act to either grant or deny access to all the doors in the facility. The greater the number, the greater the threat level.Choose the appropriate RS-485 reader model from the Reader Type drop-down.
The exact value for this OSDP Address field depends on the reader's manufacturer, and whether the reader is used for entry or exit. For example,
an Identiv reader's address should be set to 0 when it is the door’s entry reader, and set to 1 when it is the door’s optional exit reader
a Veridt reader's address should be set to 1 when it is the door’s entry reader, and set to 2 when it is the door’s optional exit reader
The Update Reader Firmware... button appears only when the RS-485 Interface value is selected for the Reader Interface option and the selected Reader Type is one of the available TS readers by Identiv.
FICAM-Related Options on the Card Reader Setup
Select the RS-485 Interface value for the Reader Interface option on the Setup page, to display the following version of the Card Reader Setup page as below.
Select the appropriate Custom Card Codes from the drop-down to remap the data. Only those card data maps previously defined for this system appear in this drop-down list.
For FICAM, select Hex Pass-Through (NP) option in MATCH Algorithm (any bits).
Check Enable Keypad only if the reader includes a keypad for entering PIN codes.
For FICAM, select PIV-I/PIV-C, 32 Hex Digit UUID option in Fixed bit length cards.
For FICAM, select either 200 bits in, 32 digits out or 128 bits in, 32 digits out in PIV Card (FASCN handling).
Click OK. The Reader configurations gets downloaded to the controller.
Reopen the Door Properties window.
If secure OSDP reader type is used, then Goto Entry Reader->Card Reader Setup tab and click the Initiate Secure OSDP Connection button as shown.
The reader restarts and comes back online. Click OK.
The reader firmware version is available in the General tab.
Importing PIV root certificate
To import PIV root certificate into the Trusted Root Certification Authorities Certificates on a new Velocity System:
Open the Microsoft Management Console (MMC) by clicking Start->Run-> type mmc and hit [Enter].
In the Console window, choose File-> Add/Remove Snap-in..
Under Available snap-ins, select Certificates and click Add then click OK.
Select Computer Account and click Next.
Click Local computer: (the computer this console is running on) and Finish.
On the resulting Console window, select Certificates (Local Computer)-> Certificates-> More Actions-> All Tasks-> Import..
In the Certificate Import Wizard window, click Next to continue to import the certificate.
Select Browse to import the certificate and click Next.
After choosing the Security type files. Click Next to proceed to Completing the Certificate Import Wizard window and click Finish as shown.
The successful certificate import wizard window appears. Click OK to close the wizard.
For detailed instructions on how to configure the Windows system to trust the Federal Common Policy CA G2 (FCPCA G2) certificate, refer How to configure Windows System to trust the FCPCA G2 Certificate.
Setting up PIV Reader for Enrolling and Managing FICAM Credentials
To enroll PIV, PIV-I cards in Velocity, a smart card reader with contacts is required. At the card enrollment station, set up a smart card reader with contacts, such as Identiv's SPR332 v2.0 Secure Class 2 PIN pad reader.
To configure a PIV reader for enrolling PIV cards:
From the Enrollment Manager’s menu bar, choose the Tools > Device Configuration… command.
On the Device Configuration dialog, select PIV Reader tab.
Make sure that the Enable PIV reader(s) option is checked.
Make sure that the Default Card Type is set to FIPS 201 Contact.
Click the Map UDF Fields… button.
On the Map UDF Fields window:
Select the Auto Map button to automatically map between like-named data objects on a PIV card and the corresponding user-defined fields that you created earlier in the UDF setup dialog previous.
To manually map fields, click on an entry in the Document Field list, and drag it onto the corresponding entry in the UDF Field list.
After you have finished specifying all of the mappings, click the Apply button, and then click the Close button.
Back on the Device Configuration dialog, click the OK button.
Click the OK button on the message dialog informing you that these changes will not take effect until after the Enrollment Manager has been restarted, then close and reopen the Enrollment Manager.
Enrolling a FICAM Credential
Insert a PIV card into the Smart Card Reader.
In the Enrollment Manager, click on the Add Person item in the left pane.
At the bottom of the Personal Information pane on the right, click the Scan button.
On the PIV Reader page of the resulting Verify Scanner Data dialog, verify that the Type is set to FIPS 201 Contact, and then click the Read Card button.
On the resulting Card PIN dialog, type the PIN for this card and then click OK.
After the card’s data has been read, click the Validate Certificates button.
You may optionally click the View buttons to view the security certificates.
Click the Accept button to close the Verify Scanner Data dialog.
Back in the Enrollment Manager, click the Apply button (in the lower right corner of the Personal Information pane).
Click on the Add New Credential from Template item, choose an appropriate credential template from the resulting Select Credential Template dialog, and click OK.
In the resulting credential properties dialog, verify that the FASCN field is populated, and click OK.
Download this new credential to your controllers.
Remove the PIV card from your enrollment reader, and test the card at an appropriate door reader, to verify that everything is working properly.