What is FICAM
FICAM is the acronym for Federal Identity, Credential, and Access Management, an architectural roadmap and implementation guide designed to help U.S. federal government agencies improve the security, cost, and interoperability of their services. FICAM brings digital identities, secure credentials, and access control together into one comprehensive management approach. It also supports the integration of physical access control with enterprise identity and access systems, and enables information sharing across systems and agencies through common access controls and policies.
Key benefits include increased security, compliance with laws and regulations, improved interoperability, enhanced customer service, elimination of redundancy, and increased protection of personally identifiable information. The federal government had to move from low-security proximity cards to high-security Personal Identity Verification (PIV) smart cards with security certificates to achieve these benefits.
Identiv’s FICAM Solution includes the following hardware and software components:
Prerequisite:
The FED Unlimited Edition of Velocity (v3.6 SP2 or later), and a license for the Velocity Certificate Checking Service (v3.6.5.108 or later)
Each controller running in FICAM mode must include a SNIB3 communications expansion board (with firmware v2.01.0005 or later) and an RS-485 Readers Expansion Board (RREB), or the equivalent functionality built onto the mainboard
M2, M8, Mx, Mx-1, or Mx-1-ME controllers (CCM firmware v7.5.63 or later)
To enroll PIV, PIV-I, or TWIC cards into Velocity, you also need a smart card reader with contacts (such as Identiv's SPR332 v2.0 Secure Class 2 PIN pad reader)
FICAM-capable RS-485 card readers (such as Identiv’s uTrust TS Government readers, Veridt’s Stealth Bio, or Stealth Dual readers)
FICAM uses larger data structures that require more memory per credential, so you should consider adding a memory expansion board to each controller running in FICAM mode, or switch to SNIB3 DB mode for extra user capacity
For more information about Identiv’s FICAM Solution, see: https://www.identiv.com/products/physical-access/hirsch-government-ficam-solution
For most customers, Identiv’s FICAM solution enables you to upgrade an existing Velocity system, instead of having to purchase and install a new physical access control system.
Installing and Licensing the Velocity Cert Check Service
Installing and licensing the Velocity Cert Check Service (VCCS) consists of the following three tasks:
Purchasing and Installing the VCCS
Obtaining a license for the VCCS from Identiv
Adding the license key for the VCCS to the Velocity License Manager
Purchasing and Installing the Velocity Cert Check Service
Contact Identiv to purchase the VCCS
Obtain the installation file for the VCCS from Identiv, and copy it to your Velocity Server
Locate the installation file (such as VelocityCertService_3.8.5.29.exe), then right-click on it and choose “Run as administrator” from the pop-up menu
While running the VCCS setup, a dialog appears displaying the ValidationSystemID as shown. Please make a note of this ID.
If your Velocity system is already running the previous certificate checking service provided by Identiv’s Professional Services Group, the installer will automatically upgrade your system to use the new Velocity Cert Check Service, and your existing configuration settings will be migrated from the config.xml file into the Velocity database.
Obtaining a license for the Velocity Cert Check Service
If you forgot to make a note of the ValidationSystemID while running the VCCS setup, follow steps 1 to 3 below to get the System ID.
Right-click on the icon for Velocity’s Service Control Manager (in the Windows tray), and choose Settings
In the resulting Velocity Settings dialog:
Click on the Velocity Cert Check Service entry in the left-hand pane
On the resulting Velocity Cert Check Service Settings page, click on the Configure button
On the General page of the resulting Velocity Cert Check Service Configuration dialog, copy the value in the System ID field, then paste it into an email message
For details about the “Enforce FICAM Strict Compliance” checkbox, refer to the Velocity help pages under Home > FICAM Solution > Configuring and Managing the Velocity Cert Check Service > Velocity Cert Check Service Configuration dialog > General page
Right-click on the icon for Velocity’s Service Control Manager, and choose Velocity License Manager
On the resulting Velocity License Manager window, copy the value of the Velocity Server ID field (on the top line), then paste it into the email message
Compose your email message so that:
It is addressed to vlas@identiv.com
It has a Subject such as “License Request for Velocity Cert Check Service”
The Body includes both the System ID and the Server ID values
Send the email message
Adding the license key for the VCCS to the Velocity License Manager
To add the license key for the Velocity Cert Check Service to the Velocity License Manager:
Right-click on the icon for Velocity’s Service Control Manager, and choose Velocity License Manager
Copy the license key (which is a large block of letters and numbers) in the email message from Identiv to the Windows Clipboard. On the Velocity License Manager window, paste the license key into the Add / Renew License field, then click the Add / Renew button.
Now, the VCCS is installed and licensed on your system.
Use the `GenerateTemporaryValidationKey.exe` tool located in the VCCS install directory to generate a temporary Validation Engine license key. This temporary key populates the VLAS license, enabling 30-day use.
The temporary key allows the user to provide Identiv with the necessary information to issue a permanent VLAS license containing the Validation Key parameter. This ensures that the user can use VCCS for 30 days while waiting for the HID to process the permanent license.
Enabling FICAM Mode on Velocity System
After the Velocity Cert Check Service has been installed and licensed, follow the steps below to enable FICAM mode.
Click on the menu button in the upper left corner of Velocity’s main window
Click on the Preferences button at the bottom of the drop-down menu
On the General tab of the resulting Velocity Preferences dialog, check the Enable the FICAM Mode checkbox
For more details about the FICAM Degraded Mode Timeout, refer to the Velocity help pages under Home > FICAM Solution > Enabling FICAM Mode and Specifying the FICAM Degraded Mode Timeout setting
Restart the Velocity client and all Velocity Services for the configuration to apply
Creating the User Defined Fields for PIV Smart Card Readers
To map the data on a PIV card to fields in the Velocity database and use it for FICAM:
From the Enrollment Manager’s menu bar, choose Tools > User Defined Fields…
On the User Defined Fields page of the resulting User Defined Setup dialog, create the user-defined fields needed for the data of a PIV card, with the Caption and Type specified
When you are finished creating the user-defined fields, click the OK button
From the Enrollment Manager’s menu bar, choose Tools > Preferences
On the General page of the resulting Preferences dialog, click on the drop-down list in the UDF Name Parsing section and select the user-defined field you created earlier for the Full Name, then click the OK button. (This text data will be parsed into separate First Name, Middle Name, and Last Name fields.)
Click the OK button on the message dialog informing you that these changes will not take effect until after the Enrollment Manager has been restarted, then close and reopen the Enrollment Manager
Creating a Credential Template for PIV and PIV-I Smart Cards
After you have created the user-defined fields for a PIV card, and specified the mappings between the data objects on a PIV card and the corresponding user-defined fields (which is part of the procedure in Configuring a PIV Reader for Enrolling PIV Cards), you can create a credential template for PIV cards which concatenates the appropriate set of numeric user-defined fields to construct the Federal Agency Smart Credential Number (FASCN).
To create a new credential template for FICAM PIV cards, perform the following steps.
In Velocity’s main window, expand the System Tree (in the left pane of the Administration module) to display the Velocity Configuration > Credential Templates folder, and click on that folder
In the right pane of the Administration module, double-click the Add New Template item
In the New Credential Template Properties dialog, specify the appropriate values on the General page
In the Description field, type a unique descriptive name for this new credential template
From the Badge Template drop-down list, select (None) because you will not be creating new printed badges
From the IDF drop-down list, select an entry that includes Card
From the card Type drop-down list, select 200-bit FASCN
Click on the UDF… button (on the right of the Data field)
On the Concatenate FASCN UDFs dialog, select the corresponding numeric UDF (previously defined in Creating the User-Defined Fields for a PIV Card) from each drop-down list, then click OK
To create a credential template for PIV-I smart cards, follow steps 1 to 3. In the Concatenate FASCN UDFs dialog, for the UDF field selection on Agency Code, select 'UUID' from the drop-down for the PIV-I card.
Unlike the PIV cards, the PIV-I cards accept only one UUID value.
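The 200-bit FASCN that the credential template concatenates from the numeric UDFs has a fixed layout: the 32 decimal digits that the reader's "200 bits in, 32 digits out" option produces, each stored as a 5-bit BCD character with an odd parity bit, wrapped in start, separator and end sentinels, and closed by an LRC character. The following is an added example, not Identiv's code, that builds the 200-bit value from the nine numeric fields and parses one back into the 32 digits while checking parity, sentinels and LRC; the UDF names and the sample values are assumptions.

```python
# Added example, not Identiv's code: encode/decode the 200-bit FASC-N built from the PIV UDFs.
from functools import reduce

FASCN_FIELDS = [  # (UDF name, digit count) in FASC-N order; 32 digits in total
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1), ("person_identifier", 10),
    ("organizational_category", 1), ("organizational_identifier", 4), ("association_category", 1)]
SEPARATED = {n for n, _ in FASCN_FIELDS[:5]}  # a field separator follows these five fields
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel
SAMPLE = {"agency_code": "9999", "system_code": "9999", "credential_number": "999999",  # constructed
          "credential_series": "0", "individual_credential_issue": "1", "person_identifier": "0000000000",
          "organizational_category": "3", "organizational_identifier": "0000", "association_category": "1"}

def _char(nibble):
    """One 5-bit BCD character: four data bits LSB first plus an odd parity bit."""
    bits = [(nibble >> i) & 1 for i in range(4)]
    return bits + [1 - sum(bits) % 2]

def encode_fascn(fields):
    """fields: dict UDF name -> digit string. Returns the 200-bit FASC-N as 25 bytes."""
    nibbles = [SS]
    for name, width in FASCN_FIELDS:
        if len(fields[name]) != width or not fields[name].isdigit():
            raise ValueError(f"{name} must be exactly {width} digits")
        nibbles += [int(d) for d in fields[name]]
        if name in SEPARATED:
            nibbles.append(FS)
    nibbles.append(ES)
    nibbles.append(reduce(lambda a, b: a ^ b, nibbles))  # LRC: XOR of every character so far
    bits = "".join(str(b) for n in nibbles for b in _char(n))  # 40 characters x 5 bits = 200
    return int(bits, 2).to_bytes(25, "big")

def decode_fascn(raw):
    """Parse 25 bytes into the 32-digit string, rejecting bad parity, sentinels or LRC."""
    bits = f"{int.from_bytes(raw, 'big'):0200b}"
    nibbles = []
    for i in range(0, 200, 5):
        chunk = [int(b) for b in bits[i:i + 5]]
        if sum(chunk) % 2 == 0:
            raise ValueError(f"parity error in character {i // 5}")
        nibbles.append(sum(bit << k for k, bit in enumerate(chunk[:4])))
    if nibbles[0] != SS or nibbles[-2] != ES or reduce(lambda a, b: a ^ b, nibbles[:-1]) != nibbles[-1]:
        raise ValueError("sentinel or LRC check failed")
    body, digits = nibbles[1:-2], ""
    for name, width in FASCN_FIELDS:
        chunk, body = body[:width], body[width:]
        if any(n > 9 for n in chunk) or (name in SEPARATED and body.pop(0) != FS):
            raise ValueError(f"malformed {name}")
        digits += "".join(map(str, chunk))
    return digits
```

A PIV-I card carries a 128-bit UUID instead, which is why the reader's other option reads "128 bits in, 32 digits out": the 32 hex digits of the UUID, not a FASC-N.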
Setting up the Door Properties
For FICAM, the RS-485/OSDP reader configuration must be completed for each entry reader or exit reader.
FICAM-Related Options on the Setup (or General) Page
The fields and options that appear on this setup page vary somewhat depending on which value is selected for the Reader Interface option. For example, when the RS-485 Interface value is selected for the Reader Interface option, the RS-485/OSDP group of fields and options appears:
Velocity supplies a default reader name, such as Reader 01
From the Disable reader above this level drop-down, select the threat level for the door
Note: Threat level is a numeric value assigned to each card reader for access to be granted. If the card threat level is greater than or equal to both the reader's and the system's threat level, access is granted. If the card threat level is less than either, access is denied. Changing the system's threat level can grant or deny access to all the doors in the facility. The greater the number, the greater the threat level.
Choose the appropriate RS-485 reader model from the Reader Type drop-down
The exact value for this OSDP Address field depends on the reader's manufacturer, and whether the reader is used for entry or exit. For example,
an Identiv reader's address should be set to 0 when it is the door’s entry reader, and set to 1 when it is the door’s optional exit reader
a Veridt reader's address should be set to 1 when it is the door’s entry reader, and set to 2 when it is the door’s optional exit reader
The Update Reader Firmware... button appears only when the RS-485 Interface value is selected for the Reader Interface option and the selected Reader Type is one of the available TS readers by Identiv
FICAM-Related Options on the Card Reader Setup
Select the RS-485 Interface value for the Reader Interface option on the Setup page to display the following version of the Card Reader Setup page.
Select the appropriate Custom Card Codes entry from the drop-down to remap the data. Only those card data maps previously defined for this system appear in this drop-down list.
For FICAM, select the Hex Pass-Through (NP) option in MATCH Algorithm (any bits)
Check Enable Keypad only if the reader includes a keypad for entering PIN codes
For FICAM, select the PIV-I/PIV-C, 32 Hex Digit UUID option in Fixed bit length cards
For FICAM, select either 200 bits in, 32 digits out or 128 bits in, 32 digits out in PIV Card (FASCN handling)
Click OK; the reader configuration is downloaded to the controller
Reopen the Door Properties window
If a secure OSDP reader type is used, go to the Entry Reader > Card Reader Setup tab and click the Initiate Secure OSDP Connection button as shown
The reader restarts and comes back online; click OK
The reader firmware version is available in the General tab.
Importing the PIV Root Certificate
To import the PIV root certificate into the Trusted Root Certification Authorities certificates on a new Velocity System:
Open the Microsoft Management Console (MMC) by clicking Start > Run, typing mmc, and pressing Enter
In the Console window, choose File > Add/Remove Snap-in...
Under Available snap-ins, select Certificates, click Add, then click OK
Select Computer Account and click Next
Click Local computer: (the computer this console is running on) and Finish
In the resulting Console window, select Certificates (Local Computer) > Certificates > More Actions > All Tasks > Import...
In the Certificate Import Wizard window, click Next to continue importing the certificate
Click Browse to select the certificate file, then click Next
After choosing the certificate file, click Next to proceed to the Completing the Certificate Import Wizard window, then click Finish as shown
A dialog reporting that the import was successful appears; click OK to close the wizard
For detailed instructions on how to configure the Windows system to trust the Federal Common Policy CA G2 (FCPCA G2) certificate, refer to How to configure Windows System to trust the FCPCA G2 Certificate.
Setting up PIV Reader for Enrolling and Managing FICAM Credentials
To enroll PIV or PIV-I cards in Velocity, a smart card reader with contacts is required. At the card enrollment station, set up a smart card reader with contacts, such as Identiv's SPR332 v2.0 Secure Class 2 PIN pad reader.
To configure a PIV reader for enrolling PIV cards:
From the Enrollment Manager’s menu bar, choose Tools > Device Configuration…
On the Device Configuration dialog, select the PIV Reader tab
Make sure that the Enable PIV reader(s) option is checked
Make sure that the Default Card Type is set to FIPS 201 Contact
Click the Map UDF Fields… button
On the Map UDF Fields window:
Click the Auto Map button to automatically map between like-named data objects on a PIV card and the corresponding user-defined fields that you created earlier in the User Defined Setup dialog
To manually map fields, click on an entry in the Document Field list, and drag it onto the corresponding entry in the UDF Field list
After you have finished specifying all of the mappings, click the Apply button, and then click the Close button
Back on the Device Configuration dialog, click the OK button
Click the OK button on the message dialog informing you that these changes will not take effect until after the Enrollment Manager has been restarted, then close and reopen the Enrollment Manager
Enrolling a FICAM Credential
Insert a PIV card into the Smart Card Reader
In the Enrollment Manager, click on the Add Person item in the left pane
At the bottom of the Personal Information pane on the right, click the Scan button
On the PIV Reader page of the resulting Verify Scanner Data dialog, verify that the Type is set to FIPS 201 Contact, and then click the Read Card button
On the resulting Card PIN dialog, type the PIN for this card and then click OK
After the card’s data has been read, click the Validate Certificates button
You may optionally click the View buttons to view the security certificates
Click the Accept button to close the Verify Scanner Data dialog
Back in the Enrollment Manager, click the Apply button (in the lower right corner of the Personal Information pane)
Click on the Add New Credential from Template item, choose an appropriate credential template from the resulting Select Credential Template dialog, and click OK
In the resulting credential properties dialog, verify that the FASCN field is populated, and click OK
Download this new credential to your controllers
Remove the PIV card from your enrollment reader, and test the card at an appropriate door reader, to verify that everything is working properly