Certificate & Password Management Issues

< Back

 

Intended Audience: Software Suppliers

Date of Change: 20 August 2019

Situation: An End User cannot access the UK MVS as they do not know the password and/or do not have the certificate, because their Software Supplier has setup credentials on their behalf.

Background: The End User has contacted SecurMed UK in an attempt to resolve their access issues.

There are a number of symptoms an End User may report:

  • The End User is unable to access the UK MVS using the Web GUI because they do not have the certificate or the current password
  • The End User cannot obtain the certificate from the SWS because the SWS did not store the certificate when they installed it within the software
  • The End User cannot obtain the current password because the SWS did not record it when they changed it using their software
  • The End User receives an HTTP 403 Forbidden error because the certificate is not installed locally

Recommendations:

Software Providers should:

    1. Store the Certificate file and the passphrase when downloaded such that they are recoverable
    2. Record the new password when the current password is changed
    3. Communicate any changes to the password or certificate to all parties
    4. Establish a process to enable End Users to manage the password in their software
    5. Establish a process to reset the password using the Web GUI

Important Information:
The following information is provided to aid understanding for some of the main issues affecting End Users.

Passwords

  • SecurMed UK CANNOT reset the password for the End User. This is a self-service function available from the NMVS GUI, which requires the certificate to be installed to the local device
  • SecurMed UK CANNOT change the password for the End User. This can be performed from the NMVS GUI (with the certificate installed) or using the End User software
  • When changing or resetting the password, there is no need to download or install the certificate again. The certificate is valid for 2 years, see Certificates below.
  • SecurMed UK CANNOT inform the End User of their current password
  • The User Password is valid for 365 days from the date it is changed or set.*

* This is longer than may be expected for a user password but in our situation normal access to the UK MVS is system-to-system so regularly changing passwords will present an unreasonable overhead for end user system administration. This longer cycle is deemed acceptable given that multi-factor authentication is enforced, i.e. the requirement for a certificate.

Certificates

  • The certificate (.p12) file is ONLY available to download from the NMVS PKI Portal for 60 days from the date of NMVS account creation **
  • The certificate is valid for 2 years from the date of NMVS account creation **
  • 60 days prior to the certificate expiring, the End User (System (MVS) Contact) will receive notification and reminders indicating that they need to download and install a new certificate, which will have been created automatically by the UK MVS

** Credentials are usually sent within 24-48 hours after NMVS account creation and should be received with 5-10 days

Click to download a printable pdf copy of our Technical Bulletin.