1.2 Driver Overviews

The IAS drivers provide a means for the different solution components to communicate and work together. The drivers are a vital part of the IAS solution.

The following sections provide information about each driver:

1.2.1 PIV Life Cycle Driver

The PIV Life Cycle driver acts as a traffic director for the solution. It verifies that all expected attributes are included in each step of the process and either allows the process to continue if all requirements are met, or halts the process if requirements are not met.

1.2.2 PIV Workflow Driver

The PIV Workflow driver provides a means for the various roles to perform tasks related to requesting and provisioning PIV cards for users.

1.2.3 Enrollment Driver

The Enrollment driver for the Honeywell SmartPlus system does the following tasks in the PIV provisioning scenario:

  • Creates application user accounts in the Honeywell SmartPlus Enrollment system.

  • Provisions sponsor-approved applicant information from the Identity Manager system to the Honeywell SmartPlus Enrollment system.

  • Publishes biometric data and vetting confirmation from the Honeywell SmartPlus Enrollment system to the Identity Manager system.

  • Deletes cardholder biometric data from the Honeywell SmartPlus Enrollment system upon termination of the user.

The driver contains policies to detect events that indicate when data should be provisioned to or deprovisioned from the Honeywell SmartPlus Enrollment system. It also contains an event “listener” capability that allows it to receive data transmissions from the Honeywell SmartPlus Enrollment system.

In order to maintain a simple interface with Identity Manager, the driver is configured to only respond to state changes in the fipsBioStatus attribute.

The value of this attribute is modified only by the Enrollment driver or PIV Life Cycle driver. After the initial provisioning information is added by the sponsor to the user through the PIV Workflow, the PIV Life Cycle driver sets the fipsBioStatus attribute to a value of Biometric Enrollment Ready.

This modification event triggers the driver to send the account creation and sponsor enrollment data to the Biometric Enrollment server. If the information is sent and provisioned successfully, the fipsBioStatus attribute is set to Biometric Enrollment in Progress. If the information fails to be sent to the server, fipsBioStatus is set to Biometric Enrollment Failure and the fipsBioStatusReason and fipsBioStatusExplanation attributes contain the reason for the failure.

The PIV Life Cycle driver receives the modify event for the fipsBioStatus attribute and updates the PIV provisioning state attributes. If the information is submitted successfully to the Honeywell SmartPlus Enrollment server, the registrar notifies the applicant to report to the biometric enrollment station, as indicated in Figure 1-2.

Figure 1-2 Enrollment Driver

After the information is entered into the Honeywell SmartPlus Enrollment server, the registrar sends the completed biometric data package to the driver for storage in the Identity Vault. The driver stores the biometric data and updates the fipsBioStatus attribute with a value of either Biometric Enrollment Complete or Biometric Enrollment Failure. The fipsBioStatusReason and fipsBioStatusExplanation attributes can be updated with relevant success or failure information.

The role of the Enrollment driver is finished at this point in the Identity Assurance Solution.

1.2.4 CMS Driver

The CMS driver for ActivIdentity Active ID is used for the following tasks in the PIV provisioning scenario:

  • Creates applicant user accounts in the Card Management System.

  • Sends a Card Production Request (CPR) containing all required data to the Card Management System.

  • Notifies Identity Manager of a Card Issued or a Credential Issued event from the Card Management System.

  • Sends card information (card serial number, FIPS 201 required certificate, CHUID) back to Identity Manager.

  • Sends a Card Termination Request to the Card Management System.

The driver contains policies to detect events that indicate when data should be provisioned to or deprovisioned from the Card Management System.

In order to maintain a simple interface with Identity Manager, the driver is configured to only respond to state changes in the fipsCMSStatus attribute.

The value of this attribute is modified only by the CMS driver or by the PIV Life Cycle driver. After the enrollment process is completed successfully, the PIV Life Cycle driver sets the fipsCMSStatus attribute to a value of PIV Card Production Request Ready and then to CMS User Provisioning Ready. See Figure 1-3.

Figure 1-3 Card Management System Driver

If the sponsor approves the PIV issuance, the CMS driver sends a User Add request to the Card Management System. If the User Add request is successful, the fipsCMSStatus attribute is set to CMS User Provisioning Complete. If the Add request fails, the fipsCMSStatus attribute is set to CMS User Provisioning Failed and the fipsCMSStatusReason and fipsCMSStatusExplanation attributes explain why the process failed.

When the CMS User Provisioning is complete, the PIV Life Cycle driver sets the fipsPIVStatus attribute to CMS User Provisioning Complete and ensures that all attributes for a Card Production Request (CPR) are present for the user. If so, the PIV Life Cycle driver sets the fipsCMSStatus attribute and the fipsPIVStatus attribute to PIV Card Production Request Ready.

The CMS driver gathers all available attributes, builds the Card Production Request, and submits it to the Card Management System. If the sponsor approves the Card Production Request, the PIV Life Cycle driver sets the fipsCMSStatus attribute and the fipsPIVStatus attribute to PIV Card Production Approved. The Card Management System driver then sends a production request to the Card Management System and sets the fipsCMSStatus attribute to PIV Card Issuance Ready.

The CMS driver forwards the results of the card issuance procedure. It sets the fipsCMSStatus attribute to PIV Card Issued and the fipsCMSPhysicalCardSN attribute to the card’s serial number value. It also retrieves and stores the card’s certificates from the Card Management System in Identity Manager.

1.2.5 PACS Integration Driver

The PACS Integration driver for the Honeywell SmartPlus system is used for the following tasks in the PIV provisioning scenario:

  • Creates applicant user accounts in the Physical Access Control system (PACS).

  • Sends information to the Honeywell SmartPlus PACS system, stating what locations the user has access to.

  • Deletes the user from the Honeywell SmartPlus PACS system upon termination.

The driver contains policies to detect events that indicate when data should be provisioned to or deprovisioned from the Honeywell SmartPlus PACS system.

In order to maintain a simple interface with Identity Manager, the driver is configured to only respond to state changes in the fipsPACSStatus attribute.

The value of this attribute is modified only by the PACS Integration driver or by the PIV Life Cycle driver. After the PIV card is issued to the applicant, the PIV Life Cycle driver sets the fipsPACSStatus attribute to a value of PACS Activation Ready. See Figure 1-4.

Figure 1-4 Physical Access Control System Driver

This modification event triggers the driver to send the applicant’s PIV card information to the Honeywell SmartPlus PACS system. If the information is sent and provisioned successfully, the fipsPACSStatus attribute is set to PACS Activation Ready. If the information fails to be sent to the system, the fipsPACSStatus attribute is set to PACS Activation Failed and the fipsPACSStatusReason and fipsPACSStatusExplanation attributes contain the reason for the failure.

The Honeywell SmartPlus PACS system receives the applicant’s information and allows the applicant physical access to the place of employment.
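The Enrollment, CMS and PACS Integration drivers (1.2.3 through 1.2.5) all follow the same pattern: the PIV Life Cycle driver checks that the expected attributes are present and sets the driver's status attribute to a Ready value, the driver reacts only to modify events on that one attribute, and it records the outcome in the status attribute plus the matching Reason and Explanation attributes. The following Python model is an added example, not code from the IAS product; the required-attribute list, the enrollmentServerUp flag and the send_to_enrollment stub are constructed stand-ins for the Honeywell SmartPlus call.

```python
from typing import Callable, Dict, List, Optional

User = Dict[str, str]  # a user object's attributes as a flat dict (constructed)

def missing_attributes(user: User, required: List[str]) -> List[str]:
    """PIV Life Cycle check: the expected attributes that are absent or empty."""
    return [a for a in required if not user.get(a)]

class StatusDriver:
    """An IAS-style driver that responds only to its own status attribute."""

    def __init__(self, attr: str, trigger: str, success: str, failure: str,
                 send: Callable[[User], None]) -> None:
        self.attr, self.trigger = attr, trigger
        self.success, self.failure = success, failure
        self.send = send  # hypothetical call into the external system

    def on_modify(self, user: User, changed_attr: str) -> Optional[str]:
        """Handle one modify event; return the new status, or None if ignored."""
        if changed_attr != self.attr or user.get(self.attr) != self.trigger:
            return None  # not this driver's attribute, or not the Ready value
        try:
            self.send(user)
            user[self.attr] = self.success
            user.pop(self.attr + "Reason", None)
            user.pop(self.attr + "Explanation", None)
        except Exception as exc:  # send or provisioning failed
            user[self.attr] = self.failure
            user[self.attr + "Reason"] = type(exc).__name__
            user[self.attr + "Explanation"] = str(exc)
        return user[self.attr]

def send_to_enrollment(user: User) -> None:
    """Constructed stand-in for the Honeywell SmartPlus Enrollment call."""
    if user.get("enrollmentServerUp") != "yes":
        raise ConnectionError("Enrollment server unreachable")

ENROLLMENT = StatusDriver("fipsBioStatus", "Biometric Enrollment Ready",
                          "Biometric Enrollment in Progress",
                          "Biometric Enrollment Failure", send_to_enrollment)

def run_enrollment(user: User) -> Optional[str]:
    """PIV Life Cycle sets the Ready value, then the Enrollment driver reacts."""
    if missing_attributes(user, ["cn", "fipsSponsor"]):  # assumed required set
        return None  # Life Cycle halts: attributes for this step are incomplete
    user["fipsBioStatus"] = "Biometric Enrollment Ready"
    return ENROLLMENT.on_modify(user, "fipsBioStatus")

if __name__ == "__main__":
    u = {"cn": "jdoe", "fipsSponsor": "asmith", "enrollmentServerUp": "yes"}
    print(run_enrollment(u))  # Biometric Enrollment in Progress
```

The CMS and PACS drivers are the same class with fipsCMSStatus or fipsPACSStatus and their Ready, Complete and Failed values substituted.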