There are two links for managing tokens in the Agent Operations tab: List Tokens and Search Tokens. Both of these options return lists of tokens; a token can be selected from the search results and have further operations performed on it, such as changing the token status, editing the token settings, reviewing the token's certificates, and showing the operations previously performed on the token.
Selecting the List Tokens link in the Agent Operations tab does an automatic search for all tokens configured through the TPS and lists them all in the returned search results.
To search for specific tokens, click on the Search Tokens link in the Agent Operations tab. Then supply either the user ID of the token owner or the token ID.
The token associated with that ID will be listed with information such as the date it was created and last modified, key information, the owner's UID, and the token status.
Selecting a token shows the token's detail page.
Four operations can be performed on the token through this page:
Changing the token status.
Editing the token policy.
Agents can only modify the policy in effect for the token and add a new token. Administrators can also change the user ID of the owner and delete tokens.
Listing the certificates stored on the token.
Showing the operations performed on the token.
Agents can change the status of the token. Token status affects key recovery policies; the status of the token impacts whether a key should be recovered from the DRM or reissued, whether new tokens will be blocked because there are already active existing tokens, and whether to issue or revoke temporary tokens.
The status is changed through the token details page, which is shown by listing or searching for tokens and then selecting a token from the returned list.
There are six possible token statuses:
The token is physically damaged.
For this status, the TPS revokes the user certificates and marks the token lost.
The token has been permanently lost.
For this status, the TPS revokes the user certificates and marks the token lost.
The token is temporarily lost or unavailable.
For this status, the TPS puts the user certificates on hold and marks the token inactive.
The lost token has been found.
For this status, the TPS takes the certificates off hold and marks the token active.
The lost token cannot be found (permanently lost).
For this status, the TPS revokes the certificates and marks the token lost.
This token has been terminated.
For this status, the TPS terminates the token and deems the token useless.
To change the status, select the menu item, and click Go.
Clicking the Edit button opens up a page listing the token owner UID, the token CUID, the token status, and the token policy. Agents can edit one field for a token in this page, setting the policy that is in effect.
The two supported token policies are RE_ENROLL, which allows a user to re-enroll certificates with the same token, and PIN_RESET, which allows the token user to initiate a PIN reset operation. The value for each of these is either YES or NO. Both policies can be set at once by separating them with a semicolon. For example, to allow the user to reset his PIN but to disallow re-enrolling with the same token, the policy would be as follows:
RE_ENROLL=NO;PIN_RESET=YES
If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES, then a PIN reset can be initiated by the user once; after the PIN is reset, the policy value automatically changes back to NO.
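The following is an added example, not code from the TPS itself: a small parser for the policy string format described above, including the default-allowed behaviour of an unset PIN_RESET and the one-shot flip from YES back to NO after a reset. The TokenPolicy class and its method names are assumptions made for illustration; the default for an absent RE_ENROLL is not stated on this page and is treated here as "not allowed".

```python
from dataclasses import dataclass, field

SUPPORTED_POLICIES = {"RE_ENROLL", "PIN_RESET"}
VALUES = {"YES", "NO"}


@dataclass
class TokenPolicy:
    # Only keys explicitly present in the policy string are stored, because an
    # absent PIN_RESET has a different meaning (allowed by default) than NO.
    settings: dict = field(default_factory=dict)

    @classmethod
    def parse(cls, text: str) -> "TokenPolicy":
        # Format: KEY=VALUE items separated by semicolons, e.g.
        # "RE_ENROLL=NO;PIN_RESET=YES". Unknown keys or values are rejected.
        settings = {}
        for item in filter(None, (p.strip() for p in text.split(";"))):
            key, sep, value = item.partition("=")
            key, value = key.strip(), value.strip()
            if not sep or key not in SUPPORTED_POLICIES or value not in VALUES:
                raise ValueError(f"bad policy item: {item!r}")
            if key in settings:
                raise ValueError(f"duplicate policy: {key}")
            settings[key] = value
        return cls(settings)

    def re_enroll_allowed(self) -> bool:
        # Assumption: no documented default, so absent means not allowed.
        return self.settings.get("RE_ENROLL") == "YES"

    def pin_reset_allowed(self) -> bool:
        # An unset PIN_RESET means user-initiated resets are allowed.
        return self.settings.get("PIN_RESET", "YES") == "YES"

    def after_pin_reset(self) -> "TokenPolicy":
        # One-shot semantics: an explicit PIN_RESET=YES reverts to NO once the
        # reset has been performed; an absent setting stays absent (still allowed).
        new = dict(self.settings)
        if "PIN_RESET" in new:
            new["PIN_RESET"] = "NO"
        return TokenPolicy(new)

    def __str__(self) -> str:
        return ";".join(f"{k}={v}" for k, v in sorted(self.settings.items()))
```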
More token information can be modified through the Administrator Operations tab.
Clicking the Show Certificates button in the token details page returns a list of all certificates stored on that token and information such as certificate ID, certificate type, and serial number.
The TPS stores the complete history of certificates' status, so that all changes in status can be reviewed. However, the status shown on the token is the last status of the certificate at the time the token was formatted. The status of the certificates on the token may not immediately reflect the real status of the certificates. It is possible to have multiple tokens with the same certificate information on them; it is then possible for the certificate status on these tokens to become out of sync with the status information in the CA database. When viewing these tokens in the TPS agents page, then, the certificate information can be inconsistent.
For example, Token #1 has two certificates stored on it, an encryption certificate (Encrypt #1) and a signing certificate (Signing #1). If Token #1 is lost, then both of its certificates are revoked, so both Encrypt #1 and Signing #1 are marked as revoked. When the user is issued a new token, Token #2, then Encrypt #1 is recovered, and a new signing certificate, Signing #2, is issued. The status for the three certificates, then, is as follows:
Signing #1 - revoked
Signing #2 - active
Encrypt #1 - active
If Token #1 is found, then the certificates for Token #2 are revoked and the certificates for Token #1 are reactivated. The status for the three certificates, then, is as follows:
Signing #1 - active
Signing #2 - revoked
Encrypt #1 - active
Through the TPS agent's page, however, viewing Token #1 shows Signing #1 is active; viewing Token #2 shows that Signing #1 is revoked. This is because Signing #1 was still revoked when Token #2 was formatted, and that information was not updated when Token #1 was subsequently formatted.
To find the current status of certificates, view an active token, and list the certificates. Active tokens always have the most current certificate status. For information on listing certificates stored on tokens, see Section 8.3.3, “Listing Token Certificates”.
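The following is an added example, not part of the TPS documentation or code: a simplified model of the Token #1 / Token #2 scenario above, in which each token freezes a copy of the certificate statuses when it is formatted while the CA database keeps the authoritative value. The Tps and Token classes, the update/format_token methods, and the choice to deactivate Token #2 when Token #1 is found are assumptions for illustration; the current_status function applies the documented check of reading the certificate from an active token.

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    cuid: str
    active: bool = True
    snapshot: dict = field(default_factory=dict)  # cert -> status when formatted

class Tps:
    def __init__(self, ca_db):
        self.ca_db = dict(ca_db)  # cert -> authoritative status in the CA database
        self.tokens = {}          # cuid -> Token

    def update(self, cert, status):
        # Status changes are recorded in the CA database only; no token is touched.
        self.ca_db[cert] = status

    def format_token(self, cuid):
        # Formatting copies every certificate status as it is at this moment.
        # That copy is what the agent page later shows for the token.
        self.tokens[cuid] = Token(cuid, True, dict(self.ca_db))

    def token_view(self, cuid, cert):
        return self.tokens[cuid].snapshot.get(cert)

    def current_status(self, cert):
        # The documented check: read the certificate from an active token, whose
        # snapshot was taken after the most recent status changes.
        for tok in self.tokens.values():
            if tok.active and cert in tok.snapshot:
                return tok.snapshot[cert]
        return None

def run_scenario():
    tps = Tps({"Signing #1": "active", "Encrypt #1": "active"})  # constructed
    tps.format_token("Token #1")
    # Token #1 is lost: both of its certificates are revoked.
    tps.update("Signing #1", "revoked"); tps.update("Encrypt #1", "revoked")
    tps.tokens["Token #1"].active = False
    # Replacement Token #2: Encrypt #1 is recovered, Signing #2 is newly issued.
    tps.update("Encrypt #1", "active"); tps.update("Signing #2", "active")
    tps.format_token("Token #2")
    # Token #1 is found: Signing #2 is revoked, Signing #1 reactivated, and Token #1
    # is formatted again. Deactivating Token #2 is an assumption of this model.
    tps.update("Signing #2", "revoked"); tps.update("Signing #1", "active")
    tps.tokens["Token #2"].active = False
    tps.format_token("Token #1")
    return tps
```

Comparing token_view against ca_db for each token is the quickest way to spot a stale snapshot.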