Novell IDENTITY ASSURANCE SOLUTION ADMINISTRATION GUIDE

Identity Assurance Solution 3.0.2 Administration Guide

Novell Identity Assurance Solution
novdocx (en) 11 December 2007
3.0.2
February 15, 2008
www.novell.com
ADMINISTRATION GUIDE
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 7
1 Overview 9
1.1 System-Wide Roles 9
1.2 Agency-Specific Roles 10
1.3 What’s Next 11
2 Managing System-Wide Roles 13
2.1 System Role Administrator 13
2.1.1 Add a User to a System-Wide Role 13
2.1.2 Remove a User from a System-Wide Role 13
2.2 System Security Officer 14
2.3 Activator 14
2.3.1 No Applicant Match for Shipped Cards 14
2.3.2 Wrong Cards Shipped to Valid Address 14
2.4 Registrar 14
3 Managing Agency-Specific Roles 15
3.1 Agency Sponsor 15
3.1.1 Card Destruction 15
3.1.2 Create a New User 16
3.1.3 Delete a User 16
3.1.4 Display Applicant Information 17
3.1.5 Request Card Reissuance 17
3.1.6 Request Card Reprint 18
3.1.7 Sponsor New Applicant 18
3.1.8 Update Applicant Employment Status 19
3.2 Agency Adjudicator 20
3.2.1 Change To Adjudication Record (Manual) 20
3.3 Agency Security Officer 20
3.3.1 Card Destruction 20
3.3.2 Change PIV Card Status 21
3.3.3 Invalid Address 21
3.3.4 Invalid Source Documents 22
3.3.5 Impersonation Check 22
3.3.6 Request Card Reprint 23
3.4 Agency Role Administrator 23
3.4.1 Add a User to an Agency-Specific Role 23
3.4.2 Remove a User from an Agency-Specific Role 24
4 Troubleshooting 25
4.1 Known Issues 25
4.1.1 Do Not Use Enter Key When Requesting Applicant Card 25
4.1.2 Required Browser for IAS Workflow 25
4.1.3 COULD_NOT_FIND_USER Error While Retrieving User AIMS_NO_SUCH_WALLET 25
A IAS Administration Security 27
A.1 Signed Workflows 27
A.2 Novell Products 27
A.3 Third-Party Products 27
B Documentation Updates 29
B.1 February 8, 2008 29
B.1.1 Upgraded IAS from 3.0.1 to 3.0.2 29
B.1.2 Documentation Updates 29
C Documentation Updates 31
C.1 February 15, 2008 31
C.1.1 Overview 31

About This Guide

This guide provides information on performing basic administration tasks for the Identity Assurance Solution.
Chapter 1, “Overview,” on page 9
Chapter 2, “Managing System-Wide Roles,” on page 13
Chapter 3, “Managing Agency-Specific Roles,” on page 15
Chapter 4, “Troubleshooting,” on page 25
Appendix A, “IAS Administration Security,” on page 27
Audience
This guide is intended for system administrators and system integrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Identity Assurance Solution Administration Guide, visit the Identity Assurance Solution Documentation Web site (http://www.novell.com/documentation/ias301/index.html).
Documentation Conventions
In Novell® documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.

1 Overview

Novell® has partnered with third-party companies to build a solution that offers an integrated logical and physical control system that complies with Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 directs the implementation of a new standardized badging process, which is designed to enhance security, reduce identity fraud, and protect the personal privacy of users who are issued government identification.
Identity Assurance Solution provides a complete system for managing the enrollment, issuance, access control, and retirement of Personal Identification Verification (PIV) cards. This solution is in compliance with the Federal Information Processing Standards Publication 201 (FIPS 201) and provides components such as an Identity Management System (IDMS), a User Enrollment/Biometric Capture system, a Card Management System (CMS), and Logical and Physical Access Control Systems (LACS/PACS).
During the installation of the Identity Assurance Solution, several roles are created. These roles and their associated tasks are based on the General Services Administration (GSA) standards. Those users who are assigned to these roles can perform their tasks by using the User Application for Provisioning through a Web browser.
This document outlines the roles and tasks performed by each role for the Identity Assurance Solution.

1.1 System-Wide Roles

This solution includes the following system-wide roles:
Table 1-1 System-Wide Roles

System Role Administrator
Description: Responsible for adding and removing other users from roles in the system. Can add or remove users from all system-wide roles and from the agency role administrator’s role for each agency. Cannot add or remove users from agency-specific roles.
Tasks: Add a User to a System-Wide Role; Remove a User from a System-Wide Role
For more information, see Section 2.1, “System Role Administrator,” on page 13.

System Security Officer
Description: Responsible for viewing and managing the audit log. Does not have any specific workflow tasks but is responsible for enforcing the rules and policies related to PIV card requests, activations, and issuances.
Tasks: No workflow tasks
For more information, see Section 2.2, “System Security Officer,” on page 14.

Activator
Description: Runs the CMS system. Responsible for activating an applicant's PIV card after it comes back from the card production facility. Verifies the applicant’s identity by using a biometric scan and oversees the personalization of the card by generating keys, loading certificates onto the card, and initializing the card’s PIN. Sends all this information to the Identity Vault and notifies the system that the card has been issued.
Tasks: No Applicant Match for Shipped Cards; Wrong Cards Shipped to Valid Address (see Section 2.3.2, “Wrong Cards Shipped to Valid Address,” on page 14)
For more information, see Section 2.3, “Activator,” on page 14.

Registrar
Description: Runs the biometric enrollment system. The registrar does the identity-proofing and captures the applicant’s identification information and biometric data. This information is forwarded to the Identity Vault.
Tasks: No workflow tasks
For more information, see Section 2.4, “Registrar,” on page 14.

1.2 Agency-Specific Roles

This solution includes the following agency-specific roles:

Table 1-2 Agency-Specific Roles

Agency Sponsor
Description: Responsible for initiating a PIV card request on behalf of an applicant and is the only user that can initiate a PIV card request. Updates an applicant's employment status (terminated, active, or suspended) and modifies information about the applicant in the system (change the applicant's name, job title, etc.).
Tasks: Card Destruction; Create a New User; Delete a User; Display Applicant Information; Request Card Reissuance; Request Card Reprint; Sponsor New Applicant; Update Applicant Employment Status
For more information, see Section 3.1, “Agency Sponsor,” on page 15.

Agency Adjudicator
Description: Responsible for performing background checks on applicants. At the end of the biometric enrollment process, initiates an Automated Fingerprint Identification System (AFIS) check and then manually performs a National Agency Check with Inquiries (NACI) check or FBI check. Based on the results of these checks, determines whether the card request can proceed.
Tasks: Change To Adjudication Record (Manual)
For more information, see Section 3.2, “Agency Adjudicator,” on page 20.