Certificate and Password Management Issues
Intended Audience: Software Suppliers
Date of Change: 20 August 2019
Situation: An End User cannot access the UK MVS as they do not know the password and/or do not have the certificate, because their Software Supplier has setup credentials on their behalf.
Background: The End User has contacted SecurMed UK in an attempt to resolve their access issues.
There are a number of symptoms an End User may report:
- The End User is unable to access the UK MVS using the Web GUI because they do not have the certificate or the current password
- The End User cannot obtain the certificate from the SWS because the SWS did not store the certificate when they installed it within the software
- The End User cannot obtain the current password because the SWS did not record it when they changed it using their software
- The End User receives an HTTP 403 Forbidden error because the certificate is not installed locally
Software Providers should:
- Store the Certificate file and the passphrase when downloaded such that they are recoverable
- Record the new password when the current password is changed
- Communicate any changes to the password or certificate to all parties
- Establish a process to enable End Users to manage the password in their software
- Establish a process to reset the password using the Web GUI
The following information is provided to aid understanding for some of the main issues affecting End Users.
- SecurMed UK CANNOT reset the password for the End User. This is a self-service function available from the NMVS GUI, which requires the certificate to be installed to the local device
- SecurMed UK CANNOT change the password for the End User. This can be performed from the NMVS GUI (with the certificate installed) or using the End User software
- When changing or resetting the password, there is no need to download or install the certificate again. The certificate is valid for 2 years, see Certificates below.
- SecurMed UK CANNOT inform the End User of their current password
- The User Password is valid for 365 days from the date it is changed or set.*
* This is longer than may be expected for a user password but in our situation normal access to the UK MVS is system-to-system so regularly changing passwords will present an unreasonable overhead for end user system administration. This longer cycle is deemed acceptable given that multi-factor authentication is enforced, i.e. the requirement for a certificate.
- The certificate (.p12) file is ONLY available to download from the NMVS PKI Portal for 60 days from the date of NMVS account creation **
- The certificate is valid for 2 years from the date of NMVS account creation **
- 60 days prior to the certificate expiring, the End User (System (MVS) Contact) will receive notification and reminders indicating that they need to download and install a new certificate, which will have been created automatically by the UK MVS
** Credentials are usually sent within 24-48 hours after NMVS account creation and should be received with 5-10 days