# Functional Features of smartCMS

smartCMS is designed according to a **modular functional architecture**, where each subsystem is independent and can be extended or replaced without affecting the rest of the platform. This section describes in full detail all functional modules as defined in the SmartCMS technical documentation.

# 1. Functional Architecture

The system is composed of several interoperable subsystems:

- Organizational and hierarchical modeling
- Role‑based access and operator management
- Personal data management
- Authentication mechanisms
- Device lifecycle and customization
- Secret code generation and assignment
- Certificate lifecycle (issuance, suspension, revocation, renewal)
- Auditing and traceability
- Monitoring
- Batch processing
- API integration

Each module can be independently configured and extended.

# 2. Organizations, Divisions and Officers Management

SmartCMS supports **complex hierarchical organizations** consisting of:

- Organizations
- Divisions
- Registration offices (ROs)
- Operators with specific roles and privileges

### Features

- Unlimited number of organizational levels
- Custom visibility rules
- Delegation of privileges by unit
- Assignment of operators to divisions or offices
- Quick activation/deactivation of offices (e.g., temporary onboarding campaigns)

The system enables **data visibility policies**, ensuring that each operator sees only data relevant to their unit.

# 3. Authentication Module

Access to SmartCMS requires user authentication. Supported mechanisms include:

- Username & password (internal DB or external LDAP/Directory)
- Strong authentication via digital certificate on smart card or USB token
- Bit4id Single Sign‑On (SSO) mechanisms

The authentication module:

- Controls access to all system functionalities
- Applies high‑security standards
- Can be configured depending on deployment requirements
- Works seamlessly with the UKC (Universal KeyChain)

# 4. Users Profile (Roles Overview)

SmartCMS defines several operational profiles with fine‑grained permissions:

### **Registration Officer (RO)**

Handles face‑to‑face identity verification, data entry, and device delivery. RO visibility is limited to the enrollments they personally carried out.

### **Delegated Officer (DO)**

Manages:

- Token personalization
- Certificate download
- Device delivery
- Revocations
- Other RO tasks

They may see all requests within their office (configurable).

### **Bureau Officer (BO)**

Used in centralized issuance flows (Personalization Bureau). Responsible for:

- Receiving signed paper requests
- Data validation
- Device personalization
- Packaging and shipping of personalized devices

### **System Administrator (SA)**

Manages:

- System configuration
- DB connections
- Logging
- Maintenance operations

### **Help Desk (HD)**

Executes lifecycle management operations across all offices:

- Suspension
- Reactivation
- Revocation

### **Audit Officer (AO)**

Accesses the auditing system.

### **Token Holder (TH)**

End user. Access is limited to:

- Self‑service portal
- Certificate renewal
- PIN reset
- Token status operations

# 5. Operators Management

SmartCMS provides a complete management panel for all operators. Supported operations:

- Add new operator
- Remove operator
- Renew or deactivate operator access
- Assign default roles and tasks
- Associate operators with divisions/offices
- Import operators in **batch** (CSV with predefined structure)

This flexibility supports organizations with high turnover or distributed operational models.

# 6. Personal Data Module

One of the most powerful modules in SmartCMS.

### Key Features

- Arbitrary extension of personal data fields
- Custom data types and validation rules
- Integration with external data sources (web services, DB lookups)
- Dynamic recognition of new attributes across:
  - UI pages
  - Search filters
  - Batch processing
  - Reporting templates

This module ensures compliance with identification requirements in regulated environments such as eIDAS or national ID systems.

# 7. Management of Secret Codes (PIN/PUK)

SmartCMS includes a secure subsystem for the complete lifecycle of **secret codes**, such as:

- PIN
- PUK
- Emergency codes
- Device reset codes

### Features

- Generation of secret codes using strong RNG (smart card or HSM)
- Batch creation of scratch cards
- Import/export (CSV, XML, JSON)
- Encrypted storage in DB
- Optional **security envelope printing**
- Luhn algorithm for human‑error minimization
- Barcode support
- Automatic or manual assignment during device production

Operators may also delegate code production to authorized third‑party centers.

# 8. Auditing – Tracking Operations

SmartCMS integrates a complete auditing subsystem:

- Separate auditing database
- Tracks **every modification** to system data
- Captures:
  - Timestamp
  - Operator ID
  - Operation type (Insert, Modify, Delete)
  - Pre/post state snapshot
- Fully navigable from UI
- Export to CSV, JSON, and XML
- Digital signature of exported logs (CAdES, PAdES, XAdES) via HSM

This meets regulatory requirements for forensic traceability.

# 9. Device Customization

SmartCMS supports end‑to‑end customization of devices (smart cards, tokens). Customization includes:

### 9.1 Graphical Customization

- Background images
- Logos
- Personal data printed on device
- Barcode
- User photo
- Preview of print layout in real time

### 9.2 Electronic Customization

- On‑card key pair generation
- Import of certificate objects
- Secure initialization
- Middleware components loaded via browser (no admin privileges required)

### 9.3 Data Customization

- Populate on‑device data files as per profile definition

### 9.4 Codes Customization

- PIN/PUK assignment aligned with scratch‑card batch

Device profiles (templates) are fully configurable.

# 10. Enrolment of Digital Certificates

The enrollment module manages:

- Certificate request creation
- Communication with CA services
- Certificate issuance
- Batch issuance (where CA supports it)
- Suspension
- Reactivation
- Revocation
- Renewal

Supported Italian and international CA interfaces include:

- InfoCert
- PosteCOM
- IT‑Telecom
- Actalis
- Intesa
- ArubaPEC

# 11. Predefined Flows of Provisioning

SmartCMS supports three main provisioning models:

### **1. Interactive Mode**

- Device personalized during an operator session
- Certificate downloaded directly onto the device

### **2. Batch Mode**

- Centralized mass production
- Ideal for large campaigns or bureau workflows

### **3. Self‑Enrolment**

- Device delivered without certificate
- User completes activation via the **Self‑Service Portal**, which also provides:
  - PIN reset
  - Suspension/reactivation
  - Revocation
  - Virtual token requests

# 12. Certificate Renewal

SmartCMS automatically:

- Detects certificates approaching expiration
- Sends renewal notifications to holders
- Provides a dedicated renewal portal
- Allows automatic replacement of certificates on devices
- Supports payment integration (optional)
- Uses the existing certificate to authenticate the renewal request (signing)

The renewal client application:

1. Authenticates the user
2. Optionally verifies payment
3. Generates new keys (if required)
4. Obtains new certificates from the CA
5. Updates the device
6. Provides renewal confirmation

# 13. API Module

SmartCMS exposes its internal functionalities via APIs supporting:

- JSON over HTTP
- REST (HTTP)

API endpoints may include:

- Requests
- Devices
- Certificates lifecycle
- Offices
- Operators
- Self‑service

API keys can be assigned to specific client applications with definable privileges.

# 14. Management and Administration Tools

SmartCMS includes:

### 14.1 Interactive Shell

- Restart services
- Backup/restore DB
- Log inspection
- Static resource optimization
- Script automation via object model

### 14.2 Data Backup and Restore

- DB‑agnostic backup formats
- Cross‑DBMS restoration capability

### 14.3 Fixtures

- Automated or manual import of test data

### 14.4 Automatic Migrations

- Scriptable schema updates
- Forward/backward migrations
- Transactional safety

### 14.5 Environment-Aware Configuration

- Separate profiles for production, staging, testing

### 14.6 Hot‑Swap Updates

- Deploy new versions with **zero downtime**

### 14.7 Advanced Logging System

- Per‑module verbosity
- Custom log formats
- Syslog or DB destinations
- Integration with **Bit4id Smartlog**

# 15. Monitoring

SmartCMS can monitor:

- Internal services
- External CA services
- System health
- Performance metrics

Monitoring is accessible via both UI and administrative shell.

# Summary

This module overview shows that SmartCMS provides:

- Complete PKI lifecycle automation
- Fully configurable workflows
- Advanced personalization options
- Secure auditing and monitoring
- A robust API for integration

smartCMS is a mature, powerful, and flexible solution for any scenario requiring secure credential management.
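The visibility rules stated in section 4 (an RO sees only their own enrollments, a DO sees the whole office when so configured, the Help Desk works across all offices, a Token Holder sees only their own request) can be enforced as a single default-deny filter over enrollment requests. The following is an added Python example, not smartCMS or Bit4id code; the request fields, the `Operator` class and the sample data are assumptions constructed for the illustration.

```python
"""Default-deny visibility filter over enrollment requests (added example)."""
from dataclasses import dataclass
from typing import Dict, List

Request = Dict[str, object]

# Constructed sample requests; the field names are assumptions of this example.
REQUESTS: List[Request] = [
    {"id": 1, "office": "RO-Rome", "operator": "alice", "holder": "h1"},
    {"id": 2, "office": "RO-Rome", "operator": "bob", "holder": "h2"},
    {"id": 3, "office": "RO-Milan", "operator": "carol", "holder": "h3"},
]


@dataclass(frozen=True)
class Operator:
    username: str
    role: str                 # "RO", "DO", "HD", "TH", ... as in the profiles above
    office: str = ""
    holder_id: str = ""       # only meaningful for TH (the end user)
    office_wide: bool = True  # the configurable DO setting: see the whole office


def visible_requests(op: Operator, requests: List[Request]) -> List[Request]:
    """Return only the requests the operator's profile is allowed to see."""
    if op.role == "RO":
        # RO: only the enrollments they personally carried out.
        return [r for r in requests if r["operator"] == op.username]
    if op.role == "DO":
        # DO: all requests within their office when so configured,
        # otherwise the same own-enrollments rule as an RO.
        if op.office_wide:
            return [r for r in requests if r["office"] == op.office]
        return [r for r in requests if r["operator"] == op.username]
    if op.role == "HD":
        # HD: lifecycle operations (suspend/reactivate/revoke) across all offices.
        return list(requests)
    if op.role == "TH":
        # TH: self-service only, so nothing but their own request.
        return [r for r in requests if r["holder"] == op.holder_id]
    # SA, AO, BO and any unknown role: no rule above grants request data,
    # so deny by default rather than fall through to "see everything".
    return []
```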
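The secret-code module in section 7 draws PIN/PUK values from a strong RNG and appends a Luhn check digit so that a mistyped or transposed digit is caught before the code is accepted. The following added Python example (not smartCMS or Bit4id code) shows both halves, generating a batch of distinct Luhn-terminated codes and validating a code typed by an operator; it uses the OS CSPRNG via `secrets` in place of the smart card or HSM, which is an assumption of the example.

```python
"""PIN/PUK generation with a Luhn check digit (added example, not smartCMS code)."""
import secrets
from typing import List


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit that makes `payload + digit` Luhn-valid."""
    total = 0
    # Walk the payload right to left; the digit nearest the check-digit
    # position is doubled, then every second one after it.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(code: str) -> bool:
    """Reject anything that is not all digits or whose check digit is wrong.

    Catches every single mistyped digit and most adjacent transpositions,
    which is the human-error case the check digit exists for.
    """
    if not code.isdigit() or len(code) < 2:
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def generate_secret_code(length: int = 8) -> str:
    """Generate `length` digits: length-1 random digits plus the check digit.

    Assumption: `secrets` (OS CSPRNG) stands in for the smart card / HSM RNG.
    """
    if length < 2:
        raise ValueError("need at least one random digit plus the check digit")
    payload = "".join(str(secrets.randbelow(10)) for _ in range(length - 1))
    return payload + luhn_check_digit(payload)


def generate_batch(count: int, length: int = 8) -> List[str]:
    """Produce `count` distinct codes, e.g. for one scratch-card print run."""
    codes = set()
    while len(codes) < count:
        codes.add(generate_secret_code(length))
    return sorted(codes)
```

The Luhn digit only guards against transcription mistakes; it adds no secrecy, so the generated codes still need the encrypted storage and envelope handling the module describes.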