Enable and Configure Smart Card Profiles

Instant ID as a Service supports printing Smart Cards in both standard and custom formats. For a full list of card formats available, refer to Supported Smart Cards. For a full list of supported Entrust printers, see Supported Smart Card Printers.

Instant ID as a Service supports Field Connections between Smart Card Profiles and External Databases. For more information on connecting fields in Smart Card Profiles, refer to Field Connections and Configure Field Connections. For more information on connecting a Smart Card Profile to an External Database, refer to Enable and Configure an External Database for Enrollments and Connect a Smart Card Profile to an External Database.

Note: Smart cards are only available with the Professional package.

Create a Smart Card Profile for HID Chip Types

  1. Click Main Menu > Smart Card Profiles. The Smart Card Profiles page opens.
  2. Click the Add icon. The Choose a Smart Card Profile dialog box appears.
  3. Select the Chip Type (either HID iClass or HID Prox) of the profile.
  4. Click Next. The Create Smart Card Profile page appears.
  5. (Optional) Take a tour of the page.
    1. Click the browse icon on the right of the Create Smart Card Profile page header.
    2. Select Start Tour from the drop-down menu. An indicator appears beside the Name field.
    3. Click the indicator. The Add Smart Card Tour box appears to describe the field.
    4. Click Next to proceed through descriptions of the profile fields and page buttons.
  6. Enter the Name for the profile.
  7. Select the Card Format. Any selection other than Custom populates the Bits and Parity Bits fields with a default representation of the card values ("X" for Bits and "P" for Parity Bits), sets the supported field formats to Decimal by default (with the option to change to Hexadecimal), and displays the resulting Facility Code and Card Number configurations from the card.
  8. Verify the values in the Bits and Parity Bits fields.
  9. Click Save.
  10. Click Test. The Test Card panel opens.
  11. Select a printer from the drop-down menu.
  12. Click Test Card. The progress bar appears and the page displays the results when the test is complete.
  13. Note: The Test button instructs Instant ID as a Service to read back the Card Number and Facility Code from the Smart Card from the submitted Profile, rather than to print a Smart Card while testing the configuration. To print a Smart Card for an existing enrollment, you must first Configure Field Connections.

  14. Verify that the test results display the correct Card Number and Facility Code.
    1. If there is any problem in the Test Card result:
      1. Click the Save As button to create a copy of the Smart Card profile.
      2. Modify the Parity Bits (represented as "P") and Bits (represented as "X") to adjust the field length.
      3. Save the profile.
      4. Repeat Step 10.

Note: If the test fails to produce the correct Card Number or Facility Code, a dialog box will appear allowing you to navigate to the Printer Queue page for troubleshooting.

Create a Mifare DESFire Smart Card Profile

Instant ID as a Service supports Mifare DESFire EV1 and EV2 smart cards on single-wire, cloud-enabled printers with HID Omnikey or DUALi smart card readers. Smart Card Profiles configured for DESFIRE Chip Types can read and write data on Mifare DESFire smart cards. Multiple Applications, multiple Application Files per Application, and multiple Application Fields per Application File are available, depending on the DESFire card in use. Mifare DESFire EV1 cards support 28 Applications and 32 files per Application. Mifare DESFire EV2 cards support unlimited Applications and 32 files per Application.

Available Key Types include AES, DES, and Triple DES (2k3DES), with sizes of 16 bytes, 8 bytes, and 16 bytes respectively.

All Keys should be entered in Hexadecimal format only. Select UID in Step 8.c.i. below to set Instant ID as a Service to convert data read from a card into another format.

If the EV1/EV2 card is fresh and has not been used for creating an application, the default Master Key will be set as 0's and in DES format. To convert the card to an AES Key Type, select DES as the PICC Master Key Type, select AES as the Overwrite PICC Master Key Type, and enter the desired Overwrite PICC Master Key value.

If the EV1/EV2 card has been reformatted, or if its Master Key or any of its applications have been changed, check with the card provider for the PICC Master Key and Key Type assigned in that card for accessing an existing application, and any existing Application ID and Application Keys before configuring the Smart Card Profile.

Follow the steps below to create a Smart Card Profile for Mifare DESFire smart cards.

  1. Click Main Menu > Smart Card Profiles. The Smart Card Profiles page opens.
  2. Click the Add icon. The Choose a Smart Card Profile dialog box appears.
  3. Select DESFIRE as the Chip Type.
  4. Click Next. The Create Smart Card Profile page appears.
  5. Enter the Name for the profile.
  6. Select the PICC Master Key Type (either AES, DES, or Triple DES (2k3DES)).
  7. Note: AES, DES, and Triple DES (2k3DES) Key Types have sizes of 16 bytes, 8 bytes, and 16 bytes respectively.

  8. Enter the PICC Master Key corresponding to either the AES, DES, or Triple DES (2k3DES) type selected. PICC Master Keys must be 32 bits and entered in Hexadecimal format.
  9. (Optional) Enter the PICC Master Key Settings. Every Card Type has a default PICC Master Key Setting. Enter this value if the PICC Master Key Settings should be overwritten.

    Note: Enter only when Master Key Settings need to be changed in the card. For more information, see Mifare DESFire Key Settings.

    1. Select the Overwrite PICC Master Key type. The PICC Master Key Type can be overwritten from AES to DES and vice versa.
    2. Enter as the Overwrite PICC Master Key the DES or AES values corresponding to the Overwrite PICC Master Key Type selection. Keys must be entered in Hexadecimal format.
    3. Note: The value entered in the Overwrite PICC Master Key field will be the new value. For more information, see Mifare DESFire Key Settings.

    4. (Optional) Enter the Version. The Version must be two characters long, 01 to FF.

    5. Note: The Version field is mandatory if the Overwrite PICC Master Key Type has been set to AES.

    6. (Optional) Select the UID check box when reading UID is required. Instant ID as a Service will create a static UID field for the Smart Card Profile that can be mapped to an Enrollment Design field via Field Connections.
      1. Select the UID Format (Decimal or Hexadecimal).
      2. Note: Instant ID as a Service will convert data read from the card to the chosen data format and apply it to any mapped enrollment fields.

  10. Click the Add icon in the lower-left corner of the browser to add an application to the profile.
  11. Enter the Application ID. The Application ID must be 6 characters long, 000001 to FFFFFF in hexadecimal format (0-9, A-F).
    1. (Optional) Enter the Application Master Key Settings. The Application Master Key Settings must be 2 characters long, 01 to FF.
    2. (Optional) Enter the Application Auxiliary Key Settings. The Application Auxiliary Key Settings must be 2 characters long, 01 to FF.
    3. Note: Selecting an Overwrite PICC Master Key Type will require different Application Auxiliary Key Settings, depending on the number of Application Keys added to the Smart Card Profile. For more information, see Mifare DESFire Key Settings.

  12. (Optional) Click the Add icon below Application Keys. The Add Application Key dialog box appears.
    1. Enter the Key Number. The Key Number must be a decimal value, 0 to 13.
    2. Select the Key Type (AES, DES, or Triple DES (2k3DES)).
    3. Enter the Key. Keys must be entered in Hexadecimal format.
    4. (Optional) Select the Overwrite Key Type (AES, DES, or Triple DES (2k3DES)).

      Note: Application Keys can only be overwritten within the same Key Type; i.e., the selected Key Type and Overwrite Key Type must match. Only the PICC master key can be changed from DES to AES or AES to DES.

      1. Enter the Overwrite Key. Keys must be 8 bytes for DES, or 16 bytes for either AES or TripleDES (2k3DES), in hexadecimal format (0-9, A-F). Ensure the entered value matches the selected Key Type and Overwrite Key Type for the Application Key.
      2. If the Overwrite Key Type has been set to AES, enter the Version.
      3. Note: Version is mandatory when the Overwrite PICC Master Key Type has been set to AES.

    5. Click Add in the dialog box.
  13. Click the Add icon below Application Files.
    1. Enter the File ID. The File ID must be 2 characters long, 01 to FF.
    2. Select the Communication Mode (PLAIN, PLAINMAC, or ENCIPHERED) with which to transmit data to the card. This determines how data is written to and read from the smart card chip, where PLAIN indicates that the data is unencrypted, PLAINMAC indicates that a MAC is added for a data integrity check, and ENCIPHERED indicates that the data is encrypted.
    3. Enter the file's Size (in Bytes) as a decimal value to specify the size which all fields in this file will be written to or read from.
    4. Select the access rights for keys to determine the authentication required for reading data from a file, for writing data, for performing both operations, or for changing access rights.
      1. Select the Read access (Free Access or Deny Access).
      2. Select the Write access (Free Access or Deny Access).
      3. Select the Read & Write access (Free Access or Deny Access).
      4. Select the Change Access Rights access (Free Access or Deny Access).
      5. Note: Access rights provide security for the application created on the EV1/EV2 card. For additional security, Entrust recommends changing the default PICC Master Key and using an application Overwrite Key to protect the card information.

  14. Click the Add icon below Application Fields. The Add Application Field dialog box appears.
  15. Note: All data are mandatory for both Read and Write Operations.

    1. Enter the Field Name.
    2. Enter the Byte Offset. The entered value must be a decimal value that starts with 0.
    3. Note: Refer to Mifare's DESfire documentation to determine the appropriate Byte Offset for the Communication Mode selected in Step 12.b.

    4. Enter the Length. The Length should be within the file size limits entered in Step 12.c. above.
    5. Select the Field Data Format (Decimal, Hexadecimal, or ASCII). The Field Data Format instructs Instant ID as a Service in how to interpret the results of a Read Operation.
    6. Select the Operation (Read or Write). Write Operations allow Instant ID as a Service to create Applications, Application Files, and Application Fields on a DESfire card if they don't already exist, or to update them if they do exist.
    7. Click Add in the dialog box.
  16. Click the upper Add button (within the Application Files pane) to save the file to the profile.
  17. Click the lower Add button (within the Applications pane) to save the application to the profile.
  18. Click the Save button to save the profile to Instant ID as a Service.
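
The constraints in the steps above can be checked before a profile is typed into the page. The following is an added example, not Entrust code: it lints a profile transcribed into a Python dict and flags the settings the security note warns about. The dict layout, its field names and the `2K3DES` label are assumptions of this example, and key lengths follow the byte sizes listed for each Key Type.

```python
import re
# Key sizes in bytes per Key Type, as listed on this page.
KEY_BYTES = {"AES": 16, "DES": 8, "2K3DES": 16}

def hex_ok(value, digits, low=0):
    """True if value is exactly `digits` hex characters and >= low."""
    return bool(re.fullmatch(r"[0-9A-Fa-f]{%d}" % digits, value or "")) and int(value, 16) >= low

def check_key(label, key_type, key, out, warn_zero=True):
    size = KEY_BYTES.get(key_type)
    if size is None:
        out.append(f"ERROR {label}: unknown key type {key_type!r}")
    elif not hex_ok(key, size * 2):
        out.append(f"ERROR {label}: {key_type} key must be {size} bytes of hex")
    elif warn_zero and int(key, 16) == 0:
        out.append(f"WARN {label}: all-zero default key left in place")

def lint_profile(p):
    """Return ERROR/WARN findings for a DESFire profile dict (hypothetical layout)."""
    out = []
    ow_type = p.get("overwrite_picc_key_type")
    # A zero PICC key is expected on a fresh card only if it is being overwritten.
    check_key("PICC master key", p["picc_key_type"], p["picc_key"], out, warn_zero=not ow_type)
    if ow_type:
        check_key("overwrite PICC master key", ow_type, p.get("overwrite_picc_key"), out)
        if ow_type == "AES" and not hex_ok(p.get("version"), 2, low=1):
            out.append("ERROR version: 01-FF is mandatory when overwriting to AES")
    for app in p.get("applications", []):
        aid = app["aid"]
        if not hex_ok(aid, 6, low=1):
            out.append(f"ERROR application {aid}: ID must be 000001-FFFFFF")
        for k in app.get("keys", []):
            label = f"app {aid} key {k['number']}"
            if not 0 <= k["number"] <= 13:
                out.append(f"ERROR {label}: key number must be 0-13")
            check_key(label, k["type"], k["key"], out)
            if k.get("overwrite_type") not in (None, k["type"]):
                out.append(f"ERROR {label}: overwrite type must match key type")
        for f in app.get("files", []):
            label = f"app {aid} file {f['id']}"
            if not hex_ok(f["id"], 2, low=1):
                out.append(f"ERROR {label}: file ID must be 01-FF")
            if f["mode"] == "PLAIN":
                out.append(f"WARN {label}: PLAIN mode is unencrypted with no MAC")
            out += [f"WARN {label}: {r} access is Free Access"
                    for r in ("write", "change") if f["access"].get(r) == "Free Access"]
            for fld in f.get("fields", []):
                if fld["offset"] < 0 or fld["offset"] + fld["length"] > f["size"]:
                    out.append(f"ERROR {label} field {fld['name']}: runs past file size")
    return out

# Constructed sample: fresh card kept on the default key, with one weak file.
SAMPLE = {"picc_key_type": "DES", "picc_key": "00" * 8, "applications": [{"aid": "A1B2C3",
    "keys": [{"number": 1, "type": "AES", "key": "0F" * 16, "overwrite_type": "DES"}],
    "files": [{"id": "01", "mode": "PLAIN", "size": 32,
               "access": {"read": "Free Access", "write": "Free Access", "change": "Deny Access"},
               "fields": [{"name": "badge", "offset": 24, "length": 16}]}]}]}
if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```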

Format a Mifare DESFire Smart Card

Follow the steps below to format Mifare DESFire smart cards in order to remove any existing data on the card using the PICC Master Key associated with the Smart Card Profile being used to format the card. To format a card, the Key Type is required and the PICC Master Key is the only value needed.

Note: Depending on your PICC Master Key Settings, you may not be able to format the smart card.

  1. Click Main Menu > Smart Card Profiles. The Smart Card Profiles page opens.
  2. Select an existing Smart Card Profile or create a new one.
  3. Click the Format button in the bottom-right of the page. The Format Card dialog box appears.
  4. Select the Printer Name for the printer with which to format the card.
  5. Select the Hopper of the printer with which to format the card.
  6. Click the Confirm Format check box.
  7. Click Format in the dialog box.

Create a Mifare Classic Smart Card Profile

Instant ID as a Service supports Mifare Classic smart cards.

Each Mifare Classic chip profile can have multiple fields; the data from these fields is stored in individual bytes on the chip. The operator can choose whether to read information from the card or write information to it. The Data Format specifies the type of data being read from/written to the card. At least one field must be present in order to save the chip profile.

Both Mifare Classic 1k and 4k smart cards allow the operator to specify which bytes will be allocated for user data. Mifare Classic cards are comprised of sectors, blocks, and bytes.

Key configurations are required and provide chip security and authentication to the user data embedded on the chip. At least one key configuration must be provided to read/write to the chip. Multiple key configurations can be provided, but only one key configuration can be tied to a single sector at a time.

Follow the steps below to create a Smart Card Profile for Mifare Classic smart cards.

  1. Click Main Menu > Smart Card Profiles. The Smart Card Profiles page opens.
  2. Click the Add icon. The Choose a Smart Card Profile dialog box appears.
  3. Select Mifare Classic as the Chip Type.
  4. Click Next. The Create Smart Card Profile page appears.
  5. Enter the Name for the profile.
    1. Click the purple icon next to the Name field to begin a guided tour of Mifare Classic cards.
  6. From the Card Size drop-down list, select the size (1k/4k).
  7. Select or unselect the CSN checkbox, as needed. Checking the CSN box will read the Card Serial Number from the card.
  8. From the CSN Format drop-down list, select Hexadecimal or Decimal.
  9. Under Key Configuration, click the Add icon to add a new Key Configuration. The Add Key Configuration window displays. Update the fields as described below.
    1. Name: Add the name of the key (required).

    2. Sectors: Select from the following sectors:

      1. For 1k cards - Sectors 0 - 15.

      2. For 4k cards - Sectors 0 - 39.

    3. Transport Key A: This is prepopulated, but can be edited. This is the default key used for communication between the card and the reader.

      1. Required.

      2. 12 Hexadecimal characters.

      3. Occupies bytes 0 – 5 in the trailing block.

      4. Defaults to FFFFFFFFFFFF.

    4. Transport Key B: Used to add an extra layer of security for use cases that require a second level of encryption.

      1. Optional.

      2. 12 Hexadecimal characters.

      3. Occupies bytes 10 – 15 in trailing block.

    5. New Key A: Any changes must meet the following criteria:

      1. Must be at least 12 characters long.

      2. Can only contain Hex characters.

    6. New Key B: Any changes must meet the following criteria:

      1. Must be at least 12 characters long.

      2. Can only contain Hex characters.

      3. If this key exists, Transport Key B must also exist.

    7. Access Key: Used for authentication and accessing data blocks on the card.

      1. Optional.

      2. 6 Hexadecimal characters.

      3. Occupies bytes 6 – 8 in trailing block, with byte 9 available for user data.

      4. Note: Users can choose which key the data blocks will authenticate with using the Authenticate Using Key B checkbox. Authentication will default to Key A if this box is unchecked. Please refer to the Mifare Classic documentation in order to determine which access conditions are needed for your use case.

    8. Click Add to add the Key Configuration.
    9. Click Cancel to exit without saving.
  10. Under Fields, click the Add icon to add fields to be included on the card. The Add Mifare Classic Field window displays. Update the fields as described below.
    1. Name: Add the name of the field (required).

    2. Data Format: Select from Hexadecimal, Decimal, or ASCII. This specifies the type of data being read from/written to the card and is represented on the enrollment form.

    3. Operation: Select Read or Write.

    4. Sectors: Select from the following sectors:

      1. For 1k cards - Sectors 0 - 15.

      2. For 4k cards - Sectors 0 - 39.

    5. Select Type: Choose from the following options:

      1. Multi Select - Allows for the selection of a range of bytes. Select a start byte and an end byte, and all bytes in between are also selected. In this mode, only individual bytes can be deselected.

      2. Single Select - Allows for selecting/deselecting one byte at a time.

    6. Click Select All to select all bytes in the Byte Configuration grid.

    7. Click Clear All to deselect all bytes in the Byte Configuration grid.

    8. Click Add to add the fields to the card.

    9. Click Cancel to exit without saving.

  11. Click Cancel to exit without saving the profile.

  12. Click Save to save the profile.

  13. Click Save As to save a copy of the current profile as a new profile.
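
The Key Configuration rules above, checked in code before the values are entered. This is an added example, not Entrust code, and the dict field names (`transport_a`, `new_b`, `access` and so on) are assumptions of this example. It also verifies that the Access Key is well formed: bytes 6 to 8 of the trailing block store each access condition twice, once inverted, and the MIFARE Classic data sheet states that the chip checks this format on every access.

```python
import re

SECTORS = {"1k": 16, "4k": 40}   # sectors 0-15 and 0-39, as listed on this page
DEFAULT_KEY = "FFFFFFFFFFFF"      # default Transport Key A, as listed on this page

def is_hex(value, min_len, max_len=""):
    """True if value is hex with min_len..max_len characters (no upper bound if empty)."""
    return bool(re.fullmatch(r"[0-9A-Fa-f]{%s,%s}" % (min_len, max_len), value or ""))

def access_bits_consistent(access_hex):
    """Bytes 6-8 store the condition nibbles C1..C3 twice, once inverted.

    Both copies must agree for the value to be a valid access condition.
    """
    b6, b7, b8 = bytes.fromhex(access_hex)
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return (b6 & 0x0F, b6 >> 4, b7 & 0x0F) == (c1 ^ 0x0F, c2 ^ 0x0F, c3 ^ 0x0F)

def lint_key_configs(card_size, configs):
    """Return ERROR/WARN findings for a list of key configuration dicts."""
    out, owner = [], {}
    for cfg in configs:
        name = cfg["name"]
        for s in cfg["sectors"]:
            if not 0 <= s < SECTORS[card_size]:
                out.append(f"ERROR {name}: sector {s} does not exist on a {card_size} card")
            elif s in owner:   # only one key configuration per sector
                out.append(f"ERROR {name}: sector {s} is already tied to {owner[s]}")
            else:
                owner[s] = name
        if not is_hex(cfg.get("transport_a"), 12, 12):
            out.append(f"ERROR {name}: Transport Key A must be 12 hex characters")
        if cfg.get("transport_b") and not is_hex(cfg["transport_b"], 12, 12):
            out.append(f"ERROR {name}: Transport Key B must be 12 hex characters")
        for field in ("new_a", "new_b"):
            if cfg.get(field) and not is_hex(cfg[field], 12):
                out.append(f"ERROR {name}: {field} must be at least 12 hex characters")
        if cfg.get("new_b") and not cfg.get("transport_b"):
            out.append(f"ERROR {name}: New Key B requires Transport Key B")
        if not cfg.get("new_a") and (cfg.get("transport_a") or "").upper() == DEFAULT_KEY:
            out.append(f"WARN {name}: Key A stays at the default {DEFAULT_KEY}")
        acc = cfg.get("access")
        if acc and not (is_hex(acc, 6, 6) and access_bits_consistent(acc)):
            out.append(f"ERROR {name}: Access Key {acc} is malformed")
    return out

# Constructed sample for a 1k card; key values are made up for illustration.
SAMPLE = [
    {"name": "door", "sectors": [1, 2], "transport_a": "FFFFFFFFFFFF", "access": "FF0780"},
    {"name": "canteen", "sectors": [2, 16], "transport_a": "FFFFFFFFFFFF",
     "new_a": "3C91A7D05E42", "new_b": "9B04E6F1A2C8", "access": "FF0781"},
]

if __name__ == "__main__":
    print("\n".join(lint_key_configs("1k", SAMPLE)))
```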

Configure Field Connections

  1. From the Main Menu, select Enrollment Designs. The Enrollment Designs page opens.
  2. Select Field Connections to edit the field connections for that enrollment design. The Field Connections page opens.
  3. From the Source list, select the name of the Smart Card Profile to connect to the enrollment design. The Connect fields from the source to the Enrollment Design panel displays the fields of the Smart Card Profile.
  4. Connect the fields of the Smart Card Profile to the desired fields of the Enrollment Design.
  5. Click Save.
  6. Enroll a record and click the Save and Print button to print a credential on an existing onboarded Printer with an Omnikey smart card reader.

Once the job has succeeded, the field-connected values will be populated in an enrollment record and the card will be printed with the Card Number and Facility Code generated from the field connections of the Enrollment Design.

Note: For Smart Card Profiles with a DESFire Chip Type or a Mifare Classic Chip Type, Instant ID as a Service currently supports Field Connections via Text fields only.

For more information, refer to Field Connections.

Note: Smart card fields can be stored in the default supported database as well as in an External Database table.

Connect a Smart Card Profile to an External Database

Instant ID as a Service supports Field Connections between Smart Card Profiles and External Databases. To connect a Smart Card Profile to an External Database, follow the steps below.

  1. Click Main Menu > Enrollment Designs. The Enrollment Designs page opens.
  2. Select the Enrollment Design with fields connected to a Smart Card Profile to link with an external database.
  3. Click Settings (Enrollment Design Settings).
  4. Select Use External Database?.
  5. Choose an External Database from the drop-down list. A confirmation dialog box appears.
  6. Click Save.
  7. Select Field Connections to edit the field connections for that enrollment design. The Field Connections page opens.
  8. Verify the source field connections from the Enrollment Design column display the tables from the External Database.
  9. Click the Table drop-down menu to choose a table from the database.
  10. Verify the fields from the chosen table appear in the Table column. The Connect fields from the source to the Enrollment Design panel displays the table's columns.
  11. Connect the Table Columns to the desired fields of the Enrollment Design connected to the Smart Card Profile.
  12. Click Save.
  13. Enroll a record and click the Save and Print button to print a credential on an existing onboarded Printer with an Omnikey smart card reader.

Once the job has succeeded, the field-connected values will be populated in an enrollment record and the card will be printed with the Card Number and Facility Code generated from the field connections of the Enrollment Design. For more information, refer to Enable and Configure an External Database for Enrollments.