3.7. Using Security Officer Mode
The Smart Card Manager, in conjunction with the latest TPS subsystem, supports a special security officer mode of operation. This mode, presented as an alternative to the standard user-centric mode, allows a supervisory individual (a security officer) to oversee the face-to-face enrollment of regular users in a given organization.
After an individual has been enrolled, they are issued a smart card containing the necessary certificates required to perform company-supported cryptographic operations, such as encrypted email and secure website access.
Security officer mode provides the following functionality:
Enrollment of security officers.
Enrollment of individuals under the supervision of a security officer, including:
The ability to search for an individual within an organization.
An interface that displays a photo and other pertinent information about an individual.
The ability to enroll approved individuals.
Other functions provided by this mode include:
An interface to format or reset a user's card.
An interface to format or reset a security officer's card.
An interface to enroll a temporary card for a user who has misplaced their primary card.
An interface to store TPS server information on a card. This server information, or "Phone Home" information, is used by the Smart Card Manager to contact a given TPS server installation.
Working in the security officer mode falls into two distinct areas:
Creating and managing security officers.
Managing regular users by security officers.
When security officer mode is enabled, the Smart Card Manager uses an external user interface provided by the server. This interface takes control of smart card operations in place of the local XUL code that the Smart Card Manager normally uses.
The external interface maintains control until security officer mode is disabled.
To set up security officer mode:
Open the Smart Card Manager installation directory.
On Microsoft Windows, this is C:/Program Files/Red Hat/ESC/esc.exe.
On Red Hat Enterprise Linux, this is /usr/lib/esc-1.0.1/
Open the defaults/preferences/esc-prefs.js file.
Edit the password prompt parameter in the esc-prefs.js file and set the value to no, meaning that disabling the prompt is turned off and the password prompt is enabled:
pref("esc.disable.password.prompt","no");
Ensure that the Smart Card Manager is running and that its icon is displayed in the system tray (Windows) or in the notification area (Red Hat Enterprise Linux).
Run the esc command with the -secmode option to open the security officer enrollment form. This has the format:
./esc -secmode SECURITY_URL/cgi-bin/so/enroll.cgi
The esc command can be run from any location.
SECURITY_URL is the pre-determined URL of the external TPS security interface. Referencing the enroll.cgi file opens the security officer enrollment page. For example:
./esc -secmode http://test.host.com:7888/cgi-bin/so/enroll.cgi
This opens the security officer enrollment page.
In the Security Officer Enrollment window, enter the LDAP user name and password of the new security officer and a password that will be used with the security officer's smart card.

Click Enroll My Smartcard.
This produces a smart card which contains the certificates needed by a security officer to gain access to the application, so that regular users can be enrolled and managed within the system.
Click Format SO Card. Because the security officer card is already inserted, the following screen displays:

Click Format to begin the operation.
When the card is successfully formatted, the security officer's card values are reset. Another security officer's card must be used to enter security officer mode and perform any further operations.
Click Close to leave security officer mode. The Smart Card Manager now operates normally.
The security officer Station page manages regular users through operations such as enrolling new or temporary cards, formatting cards, and setting the Phone Home URL.
Run the esc command with the -secmode option to open the security officer mode. This has the format:
./esc -secmode SECURITY_URL/cgi-bin/sow/welcome.cgi
The esc command can be run from any location.
SECURITY_URL is the pre-determined URL of the external TPS security interface. Referencing the welcome.cgi file opens the security officer station page. For example:
./esc -secmode http://test.host.com:7888/cgi-bin/sow/welcome.cgi
This opens the security officer welcome page.
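The two procedures above (enabling the password prompt in esc-prefs.js, then launching esc with -secmode against enroll.cgi or welcome.cgi) can be scripted so that the preference file never ends up with two conflicting pref lines and the URL is built consistently. The script below is an added example, not part of the Red Hat documentation or the ESC product; the prefs file path, the ESC_BIN variable and the test.host.com hostname are assumptions.

```shell
#!/bin/sh
# Added example (not ESC's own code): prepare esc-prefs.js for security
# officer mode and build the -secmode URL for the enrollment or station page.

# Set (or append) a string pref in a Mozilla-style prefs file. Any existing
# line for the same pref is dropped first, so the file holds one definition.
set_esc_pref() {
    prefs_file=$1; pref_name=$2; pref_value=$3
    tmp=$(mktemp) || return 1
    # keep every line except an old definition of this pref (file may be empty)
    grep -v "^pref(\"$pref_name\"," "$prefs_file" > "$tmp" 2>/dev/null || true
    printf 'pref("%s","%s");\n' "$pref_name" "$pref_value" >> "$tmp"
    mv "$tmp" "$prefs_file"
}

# Read a pref's current string value back from the file (empty if unset).
get_esc_pref() {
    sed -n "s/^pref(\"$2\",\"\([^\"]*\)\");.*/\1/p" "$1" | tail -n 1
}

# Build the -secmode URL from the TPS security interface base URL and a page:
# "so/enroll.cgi" (officer enrollment) or "sow/welcome.cgi" (officer station).
secmode_url() {
    printf '%s/cgi-bin/%s\n' "${1%/}" "$2"
}

# Launch esc in security officer mode; ESC_BIN (assumed name) defaults to ./esc.
run_secmode() {
    "${ESC_BIN:-./esc}" -secmode "$(secmode_url "$1" "$2")"
}

# Demonstration on a constructed prefs file. The real file lives at
# defaults/preferences/esc-prefs.js under the Smart Card Manager directory.
demo_prefs=$(mktemp)
printf 'pref("esc.disable.password.prompt","yes");\n' > "$demo_prefs"
set_esc_pref "$demo_prefs" esc.disable.password.prompt no
get_esc_pref "$demo_prefs" esc.disable.password.prompt   # prints: no
secmode_url http://test.host.com:7888 so/enroll.cgi
rm -f "$demo_prefs"
```

Point set_esc_pref at the real esc-prefs.js and then call run_secmode with the TPS base URL and the page you need; the Smart Card Manager must already be running, as the procedure states.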
Ensure that there is a valid and enrolled security officer card plugged into the computer. A security officer's credentials are required to access the following pages.
Click Continue to display the security officer Station page. You may be prompted to enter the password for the security officer's card. This is required for SSL client authentication.
Click the Enroll New Card link to display the Security Officer Select User page.
Enter the LDAP name of the user who is to receive a new smart card.
Click Continue. If the user exists, the Security Officer Confirm User page opens.
Compare the photo of the user with the person actually present. Verify any other information presented on the screen.
If all the details are correct, click Continue to display the Security Officer Enroll User page. This page prompts the officer to insert a new smart card into the computer.
If the smart card is properly recognized, enter the new password for this card and click Start Enrollment.
A successful enrollment produces a smart card that a user can use to access the secured network and services for which the smart card was made.
Click Enroll Temporary Card.
Follow the instructions given in Section 3.7.3.2, “Enrolling a New User”.
A successful enrollment produces a smart card which is valid for a limited time. The user can use this card until it expires.
Click Format Card to display the page used to format or reset an existing smart card.
Ensure that a card is inserted into the computer.
Click Format to reset the card.
After successful completion, this card can be used to enroll another user.
Click Set Home URL to display the screen used to write a new home URL onto the card. This "home URL" tells the Smart Card Manager where to locate the TPS servers.
This feature may prove useful if any of the TPS server information has changed since a given card was used.
Ensure that a valid card is inserted into the computer.
Click Format. The result will be a card with the new phone home information stored on the card.