Nexus Documentation

Space shortcuts

Page tree

CURL vulnerability information (CVE-2023-38545)
Nexus awareness advisory on Microsoft's update KB5014754

Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

This article describes how to configure the RCO R-CARD M5 Admin API Service, to enable integration between the Smart ID Physical Access component in Smart ID Identity Manager and RCO R-CARD M5 via an Admin API.

R-CARD M5 is an Access Control System provided by RCO and managed via a Restful API. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in R-CARD M5. 

For details on which data can be imported and exported from RCO R-CARD M5, see About import and export to Physical Access.


Expand/Collapse All

Prerequisites

The following prerequisites apply:

  • Physical Access and RCO R-CARD M5 Admin API Docker container/service are installed. See Deploy Smart ID.
  • RCO R-CARD M5 Admin API 5.48.0 is required, Physical Access tested on it. 
  • The message queue server must be running.
  • If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar). 
  • A working network connection to the connected physical access control systems (PACS) must be in place. 

Configure RCO Service data fields

The RCO data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

To connect to a PACS system:

  1. Log in to Physical Access admin panel as an admin user.
    All configured PACS connector services are listed, as well as Generic configurations to define the messaging queue. 
  2. Click on a system to do updates.
    All database entries are listed. 
  3. To update an entry, click on the icon. Edit as needed and then click Update
  4. To create an entry, click on +Create. Select Group, enter Key, Value and Index, and then click Create

group: messagingqueue

keyData typeRequired or OptionalDescription
serverstringRequired

IP Address of Message Queue Server. If it is installed on the local server then we can use localhost. If we are accessing this server remotely then need to mention IP address.

usernamestringRequired

Username of message queue server.

Default value: “guest”

passwordstringRequired

Password of message queue server.

Default value: “guest”

systemstringRequired

Defines which messaging queue to be used, either "rabbitmq" or "azureservicebus".

Default value: "rabbitmq"

group: general

keyData typeRequired or OptionalDescription
deleteUserOnNoEntitlementstringOptional

Defines if the user shall be deleted if no active entitlement assignment are present for that user.

Valid values: true or false.

Default: true

deleteUserOnNoAccessTokenstringOptional

Defines if the user shall be deleted if no active access tokens are present for that user.

Valid values: true or false.

Default: true 

heartbeatInterval

intOptional

Heartbeat interval is the time difference between two successive heartbeats, and it is used to know if the system is in active (running) or in inactive (stopped) state.

Default value and minimum value: 60 seconds. If it is set less than 60 seconds, it will be considered as 60 seconds to update the status.

group: rco.system

keyData typeRequired or OptionalDescription

systemName

stringOptional

The name of the RCO system.

Default: RCARDSYSTEM

username

stringOptional

The username that will be used when logging in to the RCO system.

Default: rcard

passwordstringOptional

The password that will be used when logging in to the RCO admin service.

Default: 1234

systemIdstringRequired

System ID of RCO system.

Default: 1 

apiTypestringRequired

API Type of RCO admin service.

Default: main 

apiKeystringRequired

API Key provided with RCO M5 License from RCO.

Default: XXXX

group: rco.general

keyData typeRequired or OptionalDescription
apiUrlstringRequired

API URL of RCO admin Restful Service of RCO M5 Admin Service.

Default: https://www.rcotest.com/M5AdminAPI/

recordFetchLimitstringRequired

API data import limit for entitlements from RCO Admin API.

By default it value is -1 and it loads all entitlements available in PACS system.

Default: -1

useDomainNamesboolOptional

Whether to include the domain name in the name of entitlements imported in Physical Access.
Default: true

domainNameSeparatorstringOptional

The string that will separate the domain name and the name of the access group.
Default: " – "

group: rco.export

keyData typeRequired or OptionalDescription
layoutIdentifierType stringRequired

This is a type of identifier which we want to use to refer layout of access token.

group: export

keyData typeRequired or OptionalDescription
userfieldmappings stringOptional

userfieldmappings is used to export additional data of users to RCO R-CARD M5. The value in is a combination of table_name.value_of_type_column, field_id_of_rco. This configuration setting is the mapping between the Physical Access table field and RCO R-CARD M5 field Id.

User column fields can be sent by adding the configuration user.column_name, rco_field_id.

The following table shows sample configurations for userfieldmappings:

system

keyvaluegroupindex
RCOM5userfieldmappingsuser.title,Customfield1export0
RCOM5userfieldmappingsuser.ssn,Customfield2export1
RCOM5userfieldmappingsemail.work,Emailexport2
RCOM5userfieldmappingsaddress.work,Addressexport3
RCOM5userfieldmappingsphone.mobile,Phone3export4
RCOM5userfieldmappingsuseradditionalfield.EmploymentText,EmploymentTextexport5

RCO R-CARD M5 Admin API does not support standard mappings for "Ssn", "Reference" and "Extra" fields, user can map them to Custom-fields and make them visible on RCO R-CARD M5 UI by configuring user data fields(Menu->settings/settings/system/User data fields).

group: rco.card.mapping.default

This group defines how to export card numbers by default, when a card’s layout does not have a specific mapping.

keyData typeRequired or OptionalDescription
layoutstringRequiredThe name of the card layout to match (case insensitive) for this mapping. Each layout may only be mapped once.

cardNumberIdentifier 

stringOptional

The default identifier type to read card numbers.

Default: mifare

format

stringOptional

The format that the card number should be converted into before exporting it to RCO.

Valid values: Linear, LinearReverse, Block, BlockReverse.

Default: Linear

length

intOptional

The length that the card number should be trimmed (leading digits) or padded (with leading zeroes) to after converting it.

Default: 9

group: rco.card.mapping

This group contains compound configuration elements using the config_index column. For each unique config_index value in this group, each key defined below must be defined exactly once. Note that this group is not required as a whole, and should only be used if you have specific requirements for one or more card layouts.

keyData typeRequired or OptionalDescription

layout

stringOptionalThe name of the card layout to match (case insensitive) for this mapping. Each layout may only be mapped once.

cardNumberIdentifier

stringOptionalThis indicates the identifier for card number.

format

stringOptional

The format that the card number should be converted into before exporting it to RCO.

Valid values: Linear, LinearReverse, Block, BlockReverse.

lengthintOptionalThe length that the card number should be trimmed (leading digits) or padded (with leading zeroes) to after converting it.

Example

Example configuration for card mapping settings:

system

keyvaluegroupindex
RCOM5layoutLinearReverse

rco.card.mapping

1
RCOM5cardNumberIdentifiermifare

rco.card.mapping

1
RCOM5length9rco.card.mapping1
RCOM5formatLinearReverserco.card.mapping1
RCOM5layoutskiprco.card.mapping2
RCOM5cardNumberIdentifiermifarerco.card.mapping2
RCOM5length9rco.card.mapping2
RCOM5formatskiprco.card.mapping2

Restart service

  1. Restart the RCO R-CARD M5 Admin API connector service:

    Restart Physical Access RCO R-CARD M5 Admin API connector
    cd <SMARTIDHOME>/compose/physicalaccess
docker-compose restart smartid-pa-rcom5

This article is valid for Smart ID 22.04 and later.

Related information

Copyright 2023 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions