Certificate and Password Management Issues


Intended Audience

Software Suppliers

Date of Change

30 October 2020

Situation

An End User cannot access the UKNI MVS because they do not know the password and/or do not have the certificate, since their Software Supplier (SWS) set up the credentials on their behalf.

Background

The End User has contacted SecurMed in an attempt to resolve their access issues.

There are a number of symptoms an End User may report:

  • The End User is unable to access the UKNI MVS using the Web GUI because they do not have the certificate or the current password
  • The End User cannot obtain the certificate from the SWS because the SWS did not store the certificate when they installed it within the software
  • The End User cannot obtain the current password because the SWS did not record it when they changed it using their software
  • The End User receives an HTTP 403 Forbidden error because the certificate is not installed locally

Recommendations

Software Suppliers should:

  1. Store the Certificate file and the passphrase when downloaded such that they are recoverable
  2. Record the new password when the current password is changed
  3. Communicate any changes to the password or certificate to all parties
  4. Establish a process to enable End Users to manage the password in their software
  5. Establish a process to reset the password using the Web GUI

Important Information

The following information is provided to aid understanding for some of the main issues affecting End Users.

Passwords

  • Password reset is a self-service function available from the NMVS GUI, which requires the certificate to be installed to the local device.
  • SecurMed can set a one-time password if the End User is unable to use the self-service password reset, e.g. when the certificate is not installed to the local device.
    • This new one-time password must be changed on first use in the software.
    • Note: Setting a one-time password is equivalent to resetting the account back to the initial state when the account was first created.
  • When changing or resetting the password, there is no need to download or install the certificate again. The certificate is valid for 2 years, see Certificates below.
  • SecurMed CANNOT inform the End User of their current password
  • The User Password is valid for 365 days from the date it is changed or set.*

* This is longer than may be expected for a user password, but in our situation normal access to the UKNI MVS is system-to-system, so regularly changing passwords would present an unreasonable overhead for end user system administration. This longer cycle is deemed acceptable given that multi-factor authentication is enforced, i.e. the requirement for a certificate.

Certificates

  • The certificate (.p12) file is ONLY available to download from the NMVS PKI Portal for 60 days from the date of certificate creation
  • The certificate is valid for 2 years from the date of certificate creation
  • 60 days prior to the certificate expiring, the End User (System (MVS) Contact) will receive notification and reminders indicating that they need to download and install a new certificate, which will have been created automatically by the UKNI MVS
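As an added illustration of recommendations 1 and 2 above together with the password and certificate lifetimes stated in this notice (this is not SecurMed's code nor any supplier's, and the 30-day password warning lead time, the field names and the message wording are assumptions of this example), a Python record that a supplier's software could keep per End User account. It stores secrets only as references to a vault entry, never the password or passphrase itself, records every password change with its date, and derives the dates on which action is due from the 365-day password validity, the 2-year certificate validity, the 60-day portal download window and the 60-day renewal notice period.

```python
"""Credential lifecycle record for a UKNI MVS client account.

Added example, not SecurMed or UKNI MVS code. Durations are those stated in
the notice; PASSWORD_WARNING_DAYS, field names and messages are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

PASSWORD_VALIDITY_DAYS = 365     # password valid 365 days from set/change
CERT_VALIDITY_YEARS = 2          # certificate valid 2 years from creation
CERT_DOWNLOAD_WINDOW_DAYS = 60   # .p12 downloadable from the PKI portal for 60 days
CERT_RENEWAL_NOTICE_DAYS = 60    # reminders start 60 days before expiry
PASSWORD_WARNING_DAYS = 30       # assumption: our own warning lead time


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class PasswordEntry:
    set_on: date
    secret_ref: str          # vault key for the password, never the password itself
    one_time: bool = False   # set by SecurMed; must be changed on first use


@dataclass
class CredentialRecord:
    account: str
    cert_created: date
    cert_file_ref: Optional[str] = None        # where the .p12 is kept; None = not stored
    cert_passphrase_ref: Optional[str] = None  # vault key for the .p12 passphrase
    passwords: List[PasswordEntry] = field(default_factory=list)

    # Recommendation 1: keep the certificate file and passphrase recoverable.
    def store_certificate(self, file_ref: str, passphrase_ref: str) -> None:
        self.cert_file_ref = file_ref
        self.cert_passphrase_ref = passphrase_ref

    # Recommendation 2: record every password set or change, with its date.
    def record_password(self, set_on: date, secret_ref: str, one_time: bool = False) -> None:
        self.passwords.append(PasswordEntry(set_on, secret_ref, one_time))

    @property
    def current_password(self) -> Optional[PasswordEntry]:
        return max(self.passwords, key=lambda p: p.set_on) if self.passwords else None

    def password_expires(self) -> Optional[date]:
        cur = self.current_password
        return cur.set_on + timedelta(days=PASSWORD_VALIDITY_DAYS) if cur else None

    def cert_expires(self) -> date:
        return add_years(self.cert_created, CERT_VALIDITY_YEARS)

    def cert_download_deadline(self) -> date:
        return self.cert_created + timedelta(days=CERT_DOWNLOAD_WINDOW_DAYS)

    def cert_renewal_notice_starts(self) -> date:
        return self.cert_expires() - timedelta(days=CERT_RENEWAL_NOTICE_DAYS)

    def actions(self, today: date) -> List[str]:
        """Return the things the supplier or End User must do as of `today`."""
        out: List[str] = []
        cur = self.current_password
        if cur is None:
            out.append("no password on record: request a one-time password from SecurMed")
        else:
            if cur.one_time:
                out.append("one-time password on record: it must be changed on first use")
            exp = self.password_expires()
            if today > exp:
                out.append(f"password expired on {exp}: reset it via the Web GUI "
                           f"(certificate required) or request a one-time password")
            elif (exp - today).days <= PASSWORD_WARNING_DAYS:
                out.append(f"password expires on {exp}: reset it via the Web GUI")
        if self.cert_file_ref is None or self.cert_passphrase_ref is None:
            deadline = self.cert_download_deadline()
            if today <= deadline:
                out.append(f"certificate not stored: download the .p12 from the "
                           f"PKI portal and store it before {deadline}")
            else:
                out.append(f"certificate not stored and the portal download window "
                           f"closed on {deadline}")
        exp = self.cert_expires()
        if today > exp:
            out.append(f"certificate expired on {exp}")
        elif today >= self.cert_renewal_notice_starts():
            out.append(f"certificate expires on {exp}: download and install the "
                       f"replacement certificate")
        return out


if __name__ == "__main__":
    # Constructed sample: account created on the date of this notice.
    rec = CredentialRecord("lab-user", cert_created=date(2020, 10, 30))
    rec.record_password(date(2020, 10, 30), "vault:mvs/lab-user/pw/1")
    for day in (date(2020, 11, 15), date(2021, 11, 1), date(2022, 9, 1)):
        print(day, rec.actions(day))
```

Running it shows the same account at three points in time: the certificate download still outstanding during the 60-day window, the password past its 365 days, and the renewal notice period opening 60 days before the certificate's second anniversary.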