CMS 2.4 is now live in CIS

Featured / Nicola Dawes / Martin Fell

Summary of changes

NHS Digital will be making an update to Card Management Services (CMS) within the Care Identity Service (CIS) application. This will significantly improve the speed of smartcard operations, including: issuance, print, renewal, repair, cancel and passcode management.

The changes will also introduce contactless issuance and print options on Magicard printers for Gemalto Series 6 and Oberthur Series 8 smartcards. This further reduces the time taken to issue and print smartcards.

RAM / RAA can see now see two options for connected Magicard printers:

CMS 2.4.0 will also deprecate some smartcard operations for older SR1 and SR5 Oberthur middlewares including issuance, renew, repair and cancel.

Passcode Unlock and Passcode Change operations will continue to function as normal on machines with SR1 and SR5 middleware installed. Authentication will not be affected on any version of identity agent or middleware.

Upgrade to Oberthur Middleware SR8 is recommended. Software and installation guidance can be found here: http://nww.hscic.gov.uk/dir/downloads/

Renewal of Oberthur Series 8 Smartcards

This release introduces support for the renewal of both applets on Series 8 Smartcards, on machines which only have Gemalto Middleware installed. This change will resolve the issue of users performing a self-renewal of their Series 8 Smartcard on a machine with Gemalto Middleware and then being advised they either need to renew their smartcard, or that their certificates have expired, when used on a machine with Oberthur Middleware installed. This update only applies to users who have HSCIC Identity Agent v1 or NHS Digital Identity Agent v2.0 or later installed.

Deprecation of Oberthur Middleware SR1 and SR5 certificate-based operations

This release will stop Oberthur Middleware versions SR1 and SR5 from being able to perform issuance, renew, repair or cancel on Series 8 Smartcards. Any RAs still using either of these versions of middleware are recommended to upgrade to SR8 as soon as possible to continue working normally. Any trusts which have installed either SR1 or SR5 for non-RA users should either upgrade to SR8 or remove Oberthur Middleware completely from their machines.

Oberthur Middleware is not required for normal users in either authentication or the self-renewal of smartcards.

The correct removal method for both SR1 and SR5 is to use the NHSD SR8 installer and upgrade to SR8 - and then remove SR8. Admin rights are required for this activity and the machine will need to be restarted.

The SR8 installer can be downloaded from http://nww.hscic.gov.uk/dir/downloads/

Full list of changes for this release

1. Now renews both applets on Series 8 Smartcards for users with HSCIC IA v1, NHSD IA v2.0 or later.
2. Card Removal Check (broken spring) is now dynamically changed for users of IA v2.2 or later. Users with IA v2.2 or later will no longer be required to restart the identity agent when self-renewing a Series 8 Smartcard.
3. SR1 & SR5 are now blocked from performing issuance, renew, repair and cancel and Series 8 Smartcards. This change affects both end-users and RAs. Authentication is not affected on any version of identity agent or middleware type. Unlock or change passcode will still function regardless of the middleware type installed.
4. Resolves an issue where the RA smartcard and the subject smartcard can get swapped during issuance. This can result in CIS advising you Oberthur Middleware is needed to issue a GEM Smartcard, or alternatively can attempt to issue a Series 8 Smartcard on GEM-only machines.
5. Resolves an issue where the wrong Process ID is captured during self-renewal of Series 8 Smartcards when two user accounts are logged on to the same machine concurrently (fast-user-switching). This could cause self-renewal to fail as CMS does not acknowledge the IA client has been restarted and the user perpetually gets the message advising them to restart identity agent.
6. Allows users of IA v2.2.2.0 to perform CMS operations when they have a mobile SIM reader / card suppressed by the IA. This change blocks CMS detecting the mobile SIM as an additional smartcard during smartcard operations.
7. Updates to the DLLs to
   • make certificate-based CMS activities faster
   • make printing faster
   • enable the contactless Smartcard reader on Magicard printers

Users with a Magicard Printer will now get two printers showing in the selection box when they print a smartcard. This functionality works with Gemalto Series 6 and Oberthur Series 8 Smartcards. Contactless printing is not supported with Gemalto Series 4 or Series 5 Smartcards.

This release is scheduled for go live OOH on 10 April 2019. There are no user changes or software installations required as all the updates will be dynamically loaded the next time a user performs any CMS operation.