IDENTIKEY Appliance Administrator Guide


Download "IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8"


Disclaimer of Warranties and Limitations of Liabilities

Legal Notices

Copyright VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

Trademarks

VASCO, VACMAN, IDENTIKEY, axsguard, DIGIPASS, CertiID, CRONTO, CRONTOSIGN, MYDIGIPASS.COM, the MYDIGIPASS.COM MD Lock logo, the DP+ logo, the VASCO V logo and the Cronto logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO reserves all rights to the trademarks, service marks and logos of VASCO and its subsidiaries.

Intellectual Property

VASCO Software, documents and related materials ("Materials") made available on the Site contain proprietary and confidential information. All title, rights and interest in VASCO Software and Materials, updates and upgrades thereof, including software rights, copyrights, patent rights, trade secret rights, sui generis database rights, and all other intellectual and industrial property rights, vest exclusively in VASCO or its licensors. No VASCO Software or Materials published in this Site may be downloaded, copied, transferred, disclosed, reproduced, redistributed, or transmitted in any form or by any means, electronic, mechanical or otherwise, for any commercial or production purpose, except as otherwise marked or when expressly permitted by VASCO in writing.

Disclaimer

VASCO accepts no liability for the accuracy, completeness, or timeliness of Site content, or for the reliability of links to and content of external or third party websites. VASCO shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company, or any third party arising from the use or inability to use VASCO Software or Materials, or any third party material available or downloadable from the Site. VASCO will not be liable in relation to any loss/damage caused by modification of these Legal Notices or Site content.

Reservation

VASCO reserves the right to modify these Notices and the content at any time. VASCO likewise reserves the right to withdraw or revoke consent or otherwise prohibit use of the VASCO Software or Materials if such use does not conform to the terms of any written agreement between VASCO and you, or other applicable terms that VASCO publishes from time to time.

Document Version: 15/01/15

Table of Contents

Introduction
Audience and Purpose of this Document
Available Guides
Administration Interfaces for IDENTIKEY Appliance
Administration Interfaces
Access to the Configuration Tool and Administration Web Interface
Log into the IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface
Manual Settings in the Configuration Tool
Overview
Instructions
Enabling Services
IDENTIKEY Appliance Administration Web Interface: Basic Configuration
Client Records
User Records
DIGIPASS Records and Assignment
System Administrator
Disable the default sysadmin User Account
Create Administrator Accounts
Typical DIGIPASS Authentication Module Setup
Create a Client Component
Install the Module on the Corresponding Server
Delete the Temporarily Created Client Component
Policies and Settings
A Typical RADIUS Setup
Overview
RADIUS Client Configuration
Creating a Client Component Using the Administration Web Interface
Optionally Modifying Policies and Settings using the Administration Web Interface
DIGIPASS Authentication for Windows Logon
IDENTIKEY Appliance Configuration
Configuration of Windows Group Check in the Administration Web Interface
Password Randomization
Export Server Certificate (optional)
Client Installation and Configuration
LDAP User Synchronization
Overview
Creating a Synchronization Profile
Microsoft Active Directory Synchronization
Novell eDirectory Synchronization
Other LDAP Server Synchronizations
Back-End Authentication
RADIUS Back-End Authentication
Novell eDirectory Back-End Authentication
Microsoft Active Directory Back-End Authentication
ADAM Back-End Authentication
Tivoli Back-End Authentication
Replication Wizard
Overview
Create a Replication Link
Replication Status
Replication Removal Wizard
Secure Sockets Layer (SSL)
Server Certificate
Client Certificate
How to Set Up Signing and Provisioning
Overview
SOAP Communication Protocol
Enabling Signing and Provisioning Services
Configuring Signature and Provisioning Set Ups
How to set up Virtual DIGIPASS
Importing Virtual DIGIPASS records
Setting up the Message Delivery Component
Editing an IDENTIKEY Appliance Policy
14.4 Test Virtual DIGIPASS
Assigning the Policy to a Client for using Virtual DIGIPASS
Reporting
Other Reporting Tasks
Create Custom Report Definition
Configuring RADIUS setups
Overview
How to Set Up a Stand-Alone IDENTIKEY Appliance in RADIUS Environment
How to Set Up IDENTIKEY Appliance as RADIUS Proxy Target
How to Set Up as Intermediate Server
How To Integrate Wireless Networking with IDENTIKEY Appliance
How to Customize the RADIUS Attributes Dictionary
IDENTIKEY Authentication Server Discovery with Windows Logon
Overview
Register IDENTIKEY Appliance with DNS Server
Server Discovery Section
Test Policy Settings
Test Local Authentication
Test RADIUS Back-End Authentication
Test Management Features
Administration Tasks
Scheduled Task Management
Monitoring
Overview
Disk Use
Logging
Auditing
Trace Files
SNMP Configuration
Downloading VASCO MIBs
Performance Monitoring
Enable Performance Monitoring
22.2 Filters
Plug-In
System Monitoring
System OS events
IDENTIKEY Appliance Configuration Tool Events
IDENTIKEY Authentication Server Events
Configuring an SNMP Trap Handler
Best Practices for SNMP Notification Targets
Troubleshooting
Overview
Information Sources
Specific Problems
LDAP User Synchronization Issues
LDAP Back-End Authentication Setup Issues
Support
If you encounter a problem
Remote Support and other Support Details

Illustration Index

Image 1: IDENTIKEY Appliance Configuration Tool SSL Certificate warning
Image 2: Login Pages: IDENTIKEY Appliance Configuration Tool (left) and IDENTIKEY Authentication Server Administration Web Interface (right)
Image 3: IDENTIKEY Authentication Server Administration Web Interface home page
Image 4: IDENTIKEY Appliance Configuration Tool home page
Image 5: Configuration Tool > Settings
Image 6: Configuration Tool > IDENTIKEY Authentication Server > Scenarios
Image 7: Clients > Register > Client Type
Image 8: Users > Create
Image 9: Import DIGIPASS .dpx file
Image 10: DIGIPASS Assignment
Image 11: Disabling the sysadmin User Account
Image 12: Create User Account
Image 13: Assign Administrator Privileges
Image 14: IDENTIKEY Authentication Server Administration Web Interface register clients
Image 15: IDENTIKEY Authentication Server Administration Web Interface > Create New Client
Image 16: Stand-alone IDENTIKEY Appliance in a RADIUS Environment
Image 17: IDENTIKEY Appliance Administration Web Interface
Image 18: IDENTIKEY Appliance Administration Web Interface > Create New (RADIUS) Client
Image 19: Configuration Tool > Network
Image 20: IDENTIKEY Authentication Server Administration Web Interface
Image 21: Administration Web Interface > Create a New Client
Image 22: Policies
Image 23: DCR tab
Image 24: Restricting Dynamic Component Registration with Windows Group Check
Image 25: Configuring Password Randomization
Image 26: Configuration Tool > IDENTIKEY Authentication Server > SOAP Communicator
Image 27: Configuration Tool > IDENTIKEY Authentication Server > LDAP User Synchronization
Image 28: Configuration Tool > IDENTIKEY Authentication Server > LDAP User Synchronization: Add button
Image 29: Synchronization Profile Settings
Image 30: Example Filter and Attribute Mappings for Microsoft Active Directory 2003/
Image 31: Viewing properties for an example object in a Microsoft Active Directory
Image 32: Example Filter and Attribute Mappings for Novell eDirectory
Image 33: IDENTIKEY Appliance as Intermediate Server for OTP only
Image 34: Authentication Back-Ends
Image 35: Enabling RADIUS Back-End
Image 36: Administration Web Interface > Back-End > Register RADIUS Back-End tab
Image 37: Administration Web Interface > Policies > List > Edit Policy Screen
Image 38: Enabling Novell eDirectory Back-End
Image 39: Administration Web Interface > Back-Ends tab > eDirectory
Image 40: Manual Configuration of the Simple Password
Image 41: Enabling Microsoft Active Directory
Image 42: Configuration Tool > Network
Image 43: Administration Web Interface > Back-Ends > Register Active Directory Back-End
Image 44: Administration Web Interface > Back-Ends
Image 45: Administration Web Interface > Back-Ends > Settings
Image 46: Enabling ADAM Back-End
Image 47: Administration Web Interface > Back-Ends tab > ADAM
Image 48: Enabling IBM Tivoli Back-End
Image 49: Administration Web Interface > Back-Ends tab > Tivoli
Image 50: Replication Wizard Step 1: Welcome Screen
Image 51: Replication Wizard Step 2: Remote IP Address Screen
Image 52: Replication Wizard Step 3: Set Up Replication Screen
Image 53: Replication Wizard Step 4: Setup Processing Screen
Image 54: Replication Setup Processing Screen Feedback
Image 55: Replication Status Screen in the Configuration Tool
Image 56: Replication Servers Screen in the Administration Web Interface
Image 57: Remove Replication Wizard step
Image 58: Remove Replication Wizard step
Image 59: IDENTIKEY Authentication Server menu list
Image 60: Server Certificate Configuration
Image 61: Client Certificate Configuration
Image 62: Configuration Tool > IDENTIKEY Authentication Server > SOAP Communicator
Image 63: Configuration Tool > IDENTIKEY Authentication Server > Scenarios
Image 64: Message Delivery Component Screen
Image 65: System > Settings screen
Image 66: Message Settings
Image 67: Customized report dataflow
Image 68: IDENTIKEY Appliance as RADIUS Proxy Target
Image 69: Wireless setup
Image 70: Roaming Wireless Setup
Image 71: Component Records and Roaming Wireless Setup
Image 72: Uploading a custom dictionary
Image 73: Configuration Tool > IDENTIKEY Authentication Server > Server Discovery:
Image 74: Configuration Tool > IDENTIKEY Authentication Server > Server Discovery
Image 75: Disk Use Overview
Image 76: Configuring Logging
Image 77: Configuring Remote Logging
Image 78: Viewing Logs
Image 79: Simple Log Filter Entry and Result
Image 80: Advanced Filter Icon
Image 81: Advanced Filter Fields
Image 82: Downloading System Log Files
Image 83: IDENTIKEY Authentication Server Audit Settings
Image 84: Viewing the Live Audit Viewer
Image 85: Simple Log Filter Entry and Result
Image 86: Advanced Filter Icon
Image 87: Audit Filter Fields
Image 88: Exporting from the Audit Viewer
Image 89: Exporting Audit Files
Image 90: Downloading Audit Files
Image 91: Configuring IDENTIKEY Authentication Server Tracing
Image 92: Configuring MDC Tracing
Image 93: Configuring LDAP User Synchronization Tracing
Image 94: Downloading IDENTIKEY Authentication Server Trace Files
Image 95: Enabling SNMP version 2c
Image 96: Enabling SNMP version
Image 97: Downloading MIBs
Image 98: Adjust notification settings

Index of Tables

Table 1: Microsoft Active Directory 2003/2008 Filter Settings
Table 2: Novell eDirectory Filter Settings
Table 3: Wireless settings
Table 4: Changes for the Policy
Table 5: Component Record Settings
Table 6: Log Filter Fields
Table 7: Audit Filter Fields
Table 8: Audit Export Fields
Table 9: Processes Monitored Via SNMP Traps

1 Introduction

1.1 Audience and Purpose of this Document

This guide provides in-depth guidance for performing common or complicated tasks on the IDENTIKEY Appliance and the IDENTIKEY Authentication Server. If not stated otherwise, the information in this guide also applies to IDENTIKEY Virtual Appliance.

1.2 Available Guides

Other documents in the set of IDENTIKEY Appliance documentation include:

- The IDENTIKEY Appliance Product Guide, which is intended for technical experts interested in learning about the IDENTIKEY Appliance. This document describes the structure of the product, the concepts underpinning authentication and how the IDENTIKEY Appliance can support authentication within your IT infrastructure.
- The IDENTIKEY Appliance Administrator Reference Guide. This document provides lists of field explanations and other reference data for technical experts using the IDENTIKEY Appliance and is intended for reference only. Information is provided in table format for quick reference.
- The IDENTIKEY Appliance Installation and Maintenance Guide, which explains the steps required to connect the IDENTIKEY Appliance to your network, first-time configuration and maintenance procedures, such as updating and re-licensing.
- The IDENTIKEY Authentication Server SDK Programmer's Guide, which provides in-depth information required for development work using the SDK. This document is only relevant to SOAP Authentication, Electronic Signatures and Provisioning with the IDENTIKEY Appliance.
- A set of DIGIPASS Windows Logon Guides, which provide information on the concepts, installation and configuration, setting up and testing of Windows Logon. Additionally, the DIGIPASS Windows User Guide provides information for end-users.
- Two Password Synchronization Manager Guides, for installation and end users respectively.
- A Guide for each IIS Filter, for installation and end users.

Access to the IDENTIKEY Appliance guides is provided via the IDENTIKEY Appliance Configuration Tool. Manuals for IDENTIKEY Appliance add-ons are provided on the CDROM delivered with the appliance.

2 Administration Interfaces for IDENTIKEY Appliance

2.1 Administration Interfaces

There are three administration interfaces available with the IDENTIKEY Appliance. These are:

- The Rescue Tool, which is used as a rescue tool to manage limited settings (explained in the IDENTIKEY Appliance Installation and Maintenance Guide).
- The IDENTIKEY Appliance Configuration Tool, which is used for installation, licensing and maintenance of the IDENTIKEY Appliance.
- The Administration Web Interface, used for daily administration of the system after licensing of the IDENTIKEY Appliance.

How to access the IDENTIKEY Appliance Configuration Tool and the Administration Web Interface is explained below.

2.2 Access to the Configuration Tool and Administration Web Interface

Caution: Using the default sysadmin User Account for accessing the Configuration Tool is less secure than using a new User Account which requires DIGIPASS One-Time Password authentication. We therefore recommend using the Administrator User Account created via the IDENTIKEY Authentication Server Setup Wizard and disabling the sysadmin account as soon as possible.

The IDENTIKEY Appliance Configuration Tool and Administration Web Interface are accessed using a standard Web browser. Access is secured by SSL (Secure Socket Layer) encryption over the HTTPS protocol.

Note: The URL used to access the administration interfaces for IDENTIKEY Appliance is: <IDENTIKEY Appliance IPaddress>/

This URL points to the IDENTIKEY Appliance Welcome Page. From the Welcome Page you access both the IDENTIKEY Appliance Configuration Tool and the Administration Web Interface.

The IDENTIKEY Appliance Welcome Page offers you two links: one to the IDENTIKEY Appliance Configuration Tool, to further configure the IDENTIKEY Appliance, and one to the IDENTIKEY Authentication Server Administration Web Interface, allowing daily management. Until first-time configuration, licensing, and IDENTIKEY Authentication Server Setup Wizard configuration have been completed (as explained in the IDENTIKEY Appliance Installation and Maintenance Guide), only the link to the IDENTIKEY Appliance Configuration Tool is active. After licensing, the link to the IDENTIKEY Authentication Server Administration Web Interface is also enabled.

For information on how to configure the administration interface access, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

2.3 Log into the IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface

Logging into the administration interfaces requires the following steps:

1. Enter the URL for the interface into the browser. As you are accessing a website secured with a self-signed certificate, the browser presents a warning asking you to accept the certificate to continue.

   Note: The procedure for accepting a certificate varies between browsers. Internet Explorer is used in the example below.

   Image 1: IDENTIKEY Appliance Configuration Tool SSL Certificate warning

   Accept the certificate according to your browser's instructions.

2. After the certificate has been accepted, access the required interface by clicking on the interface title on the Welcome Page. This will open the corresponding login page of the interface you are accessing.

   Image 2: Login Pages: IDENTIKEY Appliance Configuration Tool (left) and IDENTIKEY Authentication Server Administration Web Interface (right)

3. Log on, using administrator login credentials. The default administrative user name and factory default password are:

   User: sysadmin
   Password: sysadmin

   Be aware that the password may have already been changed by a network administrator, and that new administrative user accounts may have been created; also, the default sysadmin user may have been disabled.

   Note: The IDENTIKEY Authentication Server Setup Wizard must be completed (as described in the IDENTIKEY Appliance Installation and Maintenance Guide) before the IDENTIKEY Authentication Server Administration Web Interface can be accessed.

Image 3: IDENTIKEY Authentication Server Administration Web Interface home page

Image 4: IDENTIKEY Appliance Configuration Tool home page

3 Manual Settings in the Configuration Tool

3.1 Overview

After first-time installation has been completed, manual configurations in the IDENTIKEY Appliance Configuration Tool are possible. This allows you to:

- alter settings which were entered during the Configuration Wizard
- configure additional settings, such as for Virtual DIGIPASS (Message Delivery Component).

For more information on manual configuration without the wizard, please refer to the IDENTIKEY Appliance Product Guide, Installation Configurations section, and the IDENTIKEY Appliance Administrator Reference Guide, Configuration Tool Field Listings section.

3.2 Instructions

1. Log in to the Configuration Tool following the instructions provided in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Enter or alter settings as required (see image below).

Image 5: Configuration Tool > Settings

3.3 Enabling Services

IDENTIKEY Appliance services (Authentication, Provisioning and Signatures) are enabled by default. To enable/disable services:

1. Log on to the Configuration Tool (see section 2 Administration Interfaces for IDENTIKEY Appliance).
2. Navigate to Authentication Server > Scenarios (see image below).
3. Enable or disable services by checking the appropriate check box.

Image 6: Configuration Tool > IDENTIKEY Authentication Server > Scenarios

For a detailed explanation of the different services, please refer to the IDENTIKEY Appliance Product Guide. For an explanation of the fields on the tab screen, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

4 IDENTIKEY Appliance Administration Web Interface: Basic Configuration

This section explains how to perform basic configuration tasks in the IDENTIKEY Authentication Server Administration Web Interface. All the instructions described in this section need to be completed in the IDENTIKEY Authentication Server Administration Web Interface. For more information on the concepts introduced in this section and how they operate during an authentication attempt, please refer to the IDENTIKEY Appliance Product Guide, User Authentication Process section.

Three further configurations are essential to support Authentication, Electronic Signatures or Provisioning:

- Client components need to be registered for authentication (or other) services on the IDENTIKEY Appliance
- User records need to be registered on the IDENTIKEY Appliance
- DIGIPASS devices need to be registered on the IDENTIKEY Appliance and assigned to user accounts

In the following sections, we provide instructions for these configurations.

4.1 Client Records

A client component record is required for each service that is to be run on the IDENTIKEY Authentication Server, such as RADIUS or SEAL. Each service in the network (for example, authentication) that needs to access IDENTIKEY Authentication Server services must be registered on the IDENTIKEY Authentication Server as a client component for access to be allowed and policies to be applied.

For further conceptual information, please refer to the following sections of the IDENTIKEY Appliance Product Guide:

- Client Components
- Policies

For a list and explanation of the relevant fields, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

Client records are registered on the IDENTIKEY Authentication Server under the Clients tab of the IDENTIKEY Authentication Server Administration Web Interface. This requires the following steps:

1. Select the Clients tab and the Register option
2. Identify the Client Type
3. Add a Location
4. Enter a Policy ID
5. Identify the Protocol ID
6. Enter optional settings if required, e.g. a RADIUS Shared Secret
7. Click on Create

Image 7: Clients > Register > Client Type
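Step 6 above stores a RADIUS Shared Secret in the client record. The following added example (not part of the VASCO guide or of any VASCO code) shows, following RFC 2865, how a RADIUS client uses that secret to hide the User-Password and to verify the reply, and what a secret mismatch looks like on the client. The user name, one-time password, secret and addresses are constructed values, and `toy_server` is a hypothetical stand-in for the server side so that the example runs offline.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; a wrong secret yields garbage, not an error."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip,
                         authenticator=None) -> bytes:
    """Return a complete Access-Request datagram; the password is never sent in clear."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable for every request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes):
    """Return the reply code if its Response Authenticator is valid, else None."""
    if len(reply) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if not 20 <= length <= len(reply) or identifier != request[1]:
        return None
    reply = reply[:length]  # octets past Length are padding
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def exchange(server_ip: str, request: bytes, port: int = 1812, timeout: float = 3.0) -> bytes:
    """Send the request over UDP and return the raw reply (connect() filters other senders)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server_ip, port))
        sock.send(request)
        return sock.recv(4096)


def toy_server(request: bytes, server_secret: bytes, user: str, otp: str) -> bytes:
    """Hypothetical stand-in for the server side, only so the example runs offline."""
    authenticator, attrs, pos = request[4:20], {}, 20
    while pos + 2 <= len(request) and request[pos + 1] >= 2:
        attrs[request[pos]] = request[pos + 2:pos + request[pos + 1]]
        pos += request[pos + 1]
    hidden = attrs.get(USER_PASSWORD, b"")
    ok = (attrs.get(USER_NAME) == user.encode()
          and reveal_password(hidden, server_secret, authenticator) == otp.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + authenticator + server_secret).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not a real secret
    req = build_access_request(1, "jdoe", "123456", secret, "192.0.2.10")
    for label, srv_secret, otp in (("matching secret", secret, "123456"),
                                   ("wrong OTP", secret, "654321"),
                                   ("secret mismatch", b"other-secret", "123456")):
        print(label, "->", verify_reply(toy_server(req, srv_secret, "jdoe", otp), req, secret))
```

Against a live server, pass the request to `exchange()` instead of `toy_server()`; a reply for which `verify_reply()` returns `None` was not produced with the shared secret the client holds.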

4.2 User Records

There are four methods of registering Users on IDENTIKEY Authentication Server:

1. Creating Users manually when required. User records are registered on the IDENTIKEY Authentication Server under the Users tab of the server's Administration Web Interface.

   Image 8: Users > Create

   To create a User record manually, perform the following steps:

   a. Click on the Users tab and select Create
   b. Add a User ID (mandatory)
   c. Select a Domain (mandatory)
   d. The other fields are optional.
   e. Click on Create

2. Import a User file which contains one or more User records through the User Import screen of the IDENTIKEY Authentication Server Administration Web Interface. The User file should be a comma separated variable (csv) text file, which can be uploaded to import users. See the IDENTIKEY Appliance Administrator Reference Guide, Importing Users with Comma Separated Values Files section for more details. An example .csv file is provided on the CDROM delivered with your IDENTIKEY Appliance.

3. Configure Dynamic User Registration (DUR) as a policy setting in the IDENTIKEY Authentication Server Administration Web Interface (Policies > User tab). DUR allows Users to be registered automatically the first time they log on. For more information on DUR, please refer to the IDENTIKEY Appliance Product Guide, Dynamic User Registration section.

4. Configure LDAP Synchronization with a Directory Server in the Configuration Tool, as explained in section 9 LDAP User Synchronization.

4.3 DIGIPASS Records and Assignment

DIGIPASS records can only be imported into the IDENTIKEY Authentication Server from a .dpx file issued by your supplier for your specific DIGIPASS hardware devices. The file can be uploaded using the DIGIPASS > Import screen of the IDENTIKEY Authentication Server Administration Web Interface.

Image 9: Import DIGIPASS .dpx file

DIGIPASS records can be assigned to User accounts in the IDENTIKEY Authentication Server Administration Web Interface in three ways:

1. View an unassigned DIGIPASS record or User record, click on ASSIGN and complete the ASSIGN wizard. The specific DIGIPASS hardware device for the record must be supplied to the User.
2. Auto-assignment: the User does not have a DIGIPASS device assigned, and the applicable policy permits auto-assignment. An unassigned DIGIPASS record is searched for and automatically allocated to the User on first-time logon. The specific DIGIPASS hardware device for the record must be supplied to the User.
3. Self-assignment: the DIGIPASS device is in the User's possession and the applicable policy permits self-assignment. The User completes a self-assignment process.

For more information, please refer to the IDENTIKEY Appliance Product Guide, DIGIPASS Assignment Options section.

Image 10: DIGIPASS Assignment

5 System Administrator

After running the IDENTIKEY Authentication Server Setup Wizard (see the IDENTIKEY Appliance Installation and Maintenance Guide for details), a new administrator account is created. It is recommended that the built-in sysadmin account be disabled after the new administrator account has been created. The new administrator account can then be used to log in to the IDENTIKEY Appliance Configuration Tool and the Administration Web Interface.

5.1 Disable the default sysadmin User Account

To disable/enable the old default sysadmin User Account:

1. Log onto the Configuration Tool with the new System Administrator User Account.
2. Navigate to Settings > Authentication.
3. Click the Disabled check box to disable the sysadmin User Account. Click the Disabled check box again to enable the sysadmin User Account. When enabling the sysadmin User Account you will have to enter and confirm a new password.

Image 11: Disabling the sysadmin User Account

5.2 Create Administrator Accounts

Further administrator accounts may be required. Typically, administrator accounts are created in the master domain; the administrative privileges of such accounts apply throughout all domains if they also have the Access data in all domains administrative privilege. However, it is also possible to create an administrator account for a specific domain only. The administrative privileges of such accounts will only apply to the domain on which they are created.

To create an Administrator Account:

1. Log into the IDENTIKEY Authentication Server Administration Web Interface.
2. Select Users > Create.
3. Enter a User ID for the administrator.
4. Enter the name of the master domain.
5. Enter Static Password and confirm.
6. Click Create.
7. Click the Click here to manage link.
8. Click Admin Privileges.
9. Click Edit.
10. Assign the necessary user and DIGIPASS admin privileges by selecting the privilege name and clicking the Add button. To access the Configuration Tool, assign the axsguard System Administration privilege. Note that this is the only privilege required to access the Configuration Tool; all other privileges are for IDENTIKEY Authentication Server access.
11. When complete, click Save.

VASCO recommends that you use DIGIPASS authentication for all administrator accounts. For more information about this, refer to section 4.3 DIGIPASS Records and Assignment.

For more information about administrator privileges, refer to the IDENTIKEY Appliance Administration Privileges section of the IDENTIKEY Appliance Administrator Reference.

Image 12: Create User Account

Image 13: Assign Administrator Privileges

6 Typical DIGIPASS Authentication Module Setup

In this section, we explain how to configure a typical DIGIPASS Authentication Module setup (e.g. OWA or Citrix). The following DIGIPASS Authentication Modules are supported:

- DIGIPASS Authentication for IIS Basic
- DIGIPASS Authentication for OWA Basic
- DIGIPASS Authentication for OWA Forms
- DIGIPASS Authentication for Citrix Web Interface
- DIGIPASS Authentication for Remote Desktop Web Access
- DIGIPASS Authentication for Steel-Belted RADIUS Server

Before installing the module with the IDENTIKEY Appliance, you must have:

- An IDENTIKEY Appliance, which has already been installed (see the IDENTIKEY Appliance Installation and Maintenance Guide for instructions).
- Module software on the Citrix, OWA, IIS, or SBR server, which is available on the CD-ROM provided with your IDENTIKEY Appliance.

Installing a DIGIPASS Authentication Module with the IDENTIKEY Appliance requires the following steps:

- Acquire a module license
- Create a Client Component in the IDENTIKEY Authentication Server Administration Web Interface
- Install the module on the Citrix, OWA, IIS or SBR server.

Note: The IDENTIKEY Appliance Authentication service must be enabled before a DIGIPASS Authentication Module setup is configured. Please see section 3.3 Enabling Services for instructions on how to enable the Authentication service/scenario.

6.1 Create a Client Component

An Administration Program Client Component must be created on IDENTIKEY Authentication Server to allow a module client to create a client component on the IDENTIKEY Appliance.

1. Log in to the IDENTIKEY Authentication Server Administration Web Interface.
2. Create a new Client Component, by clicking on Clients > Register.

   Image 14: IDENTIKEY Authentication Server Administration Web Interface register clients

3. Enter the details shown below and click on Create.

   Note: Enter the IP address of the server on which the module is installed in the Location field.

   Image 15: IDENTIKEY Authentication Server Administration Web Interface > Create New Client

Tip: This temporary Administration Program Client Component can be deleted after the IIS module client has created a Client Component on the IDENTIKEY Authentication Server Administration Web Interface.

6.2 Install the Module on the Corresponding Server

For installation instructions please refer to the installation sections of the relevant DIGIPASS Authentication Module Administrator Guide as indicated below. The module software and the relevant guides are provided on the CDROM which was supplied with your IDENTIKEY Appliance:

- OWA 2003 with basic authentication: DIGIPASS Authentication for OWA Basic Administrator Guide
- OWA 2003 with form-based authentication: DIGIPASS Authentication for OWA Forms Administrator Guide
- OWA 2007 with basic authentication: DIGIPASS Authentication for OWA Basic Administrator Guide
- OWA 2007 with form-based authentication: DIGIPASS Authentication for OWA Forms Administrator Guide
- Citrix Server: DIGIPASS Authentication for Citrix Web Interface Administrator Guide
- Generic IIS Server: DIGIPASS Authentication for IIS Basic Administrator Guide
- Remote desktop Web Access: DIGIPASS Authentication for Remote Desktop Web Access Administrator Guide
- Steel-Belted RADIUS: DIGIPASS Authentication for Steel-Belted RADIUS Server Administrator Guide

In the Installation Wizard enter the following values in the relevant fields (Field Name: Value):

- Authentication Server IP Address: IP address of your IDENTIKEY Appliance.
- Port: Keep the default setting.
- Select the option to create the component record Automatically and enter User credentials for an administrative user: Default settings: the administrator user credentials that were provided during processing of the IDENTIKEY Authentication Server Setup Wizard.

Upload the relevant module Client License Key.

6.3 Delete the Temporarily Created Client Component

During installation a valid Client Component is created for module authentication, with a valid policy. Remove the temporarily created Client Component in the IDENTIKEY Authentication Server Administration Web Interface using the following instructions:

1. Click on the Clients tab, and select List.
2. Check the box for the Client Component type Administration Program, with SEAL protocol.
3. Click on Delete.

6.4 Policies and Settings

During installation a new Client Component is created, for which the Policy can be modified. For more information on the possible policy settings, please refer to the Policies section of the IDENTIKEY Appliance Product Guide, available via the Help button in the Configuration Tool.

Caution: Back-end Authentication is always needed because of the nature of module setup. Please see the IDENTIKEY Appliance Product Guide for more information.

7 A Typical RADIUS Setup

7.1 Overview

IDENTIKEY Appliance can be used in a RADIUS environment in a number of ways, depending on your company's requirements. In this section, we explain how to configure a typical RADIUS setup.

Image 16: Stand-alone IDENTIKEY Appliance in a RADIUS Environment

In the illustrated example, a RADIUS Client is configured for DIGIPASS authentication only towards the IDENTIKEY Appliance. RADIUS clients can be one of the following:

- A dial-up NAS (Network Access Server), Firewall or VPN appliance
- Wireless Access Point
- Any other device which uses the RADIUS protocol for user authentication.

Note: The IDENTIKEY Appliance Authentication service must be enabled before a RADIUS setup is configured. Please see section 3.3 Enabling Services for instructions on how to enable the Authentication service/scenario.

7.2 RADIUS Client Configuration

Configure your RADIUS client to send requests to the IDENTIKEY Appliance IP address, using the default RADIUS port:

- for authentication requests, the default RADIUS port is UDP 1812
- for accounting requests, the default RADIUS port is UDP 1813

Tip: The port can be changed on the IDENTIKEY Appliance if necessary: navigate to the IDENTIKEY Authentication Server > RADIUS Communicator tab.

7.3 Creating a Client Component Using the Administration Web Interface

Access the Administration Web Interface as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.

1. Click on Clients -> Register (see image below)

Image 17: IDENTIKEY Appliance Administration Web Interface

2. Enter this data:
   - Client Type: Select RADIUS Client
   - Location: Enter the IP address of the RADIUS client
   - Policy ID: Select the policy you want to use for this RADIUS client
   - Protocol ID: Select RADIUS
   - Shared Secret: Enter the shared secret used by the RADIUS client
3. Click on Create.

Image 18: IDENTIKEY Appliance Administration Web Interface > Create New (RADIUS) Client

7.4 Optionally Modifying Policies and Settings using the Administration Web Interface

The example illustrated above configures DIGIPASS authentication only in the assigned policy. Other authentication settings (e.g. local or back-end authentication) and authentication options (e.g. grace period, assignment methods) can also be configured.

For more information on the possible policy settings, please refer to the Policies section of the IDENTIKEY Appliance Product Guide, available via the Help button in the Configuration Tool. For a list and explanation of the pre-loaded default Policies, please refer to the IDENTIKEY Appliance Reference Guide.

Different policy options are also explained with examples of practical setups using a RADIUS simulator client in section 19 Test Policy Settings.
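The Shared Secret entered for the RADIUS client in section 7.3 must match the one configured on the client device, because it keys both the hiding of the User-Password attribute and the Response Authenticator check defined in RFC 2865. The following is an added example, not taken from this guide or from VASCO software; the user name, one-time password and secret are constructed sample values.

```python
"""Added example: how a RADIUS shared secret is used on the wire (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # packet codes
USER_NAME, USER_PASSWORD = 1, 2        # attribute types


def hide_password(password, secret, authenticator):
    """Hide User-Password as in RFC 2865 section 5.2 (MD5 keystream chained per 16-byte block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, user, password, secret, authenticator=None):
    """Build an Access-Request carrying User-Name and the hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response, request, secret):
    """Client side: accept a reply only if it was computed with the same shared secret."""
    if len(response) < 20 or len(request) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response) or identifier != request[1]:
        return False
    response = response[:length]          # octets beyond Length are padding
    expected = response_authenticator(code, identifier, response[20:],
                                      request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # constructed sample value
    req = build_access_request(7, b"alice", b"123456", secret)
    reply_auth = response_authenticator(ACCESS_ACCEPT, 7, b"", req[4:20], secret)
    reply = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20) + reply_auth
    print("reply verifies with matching secret:", verify_response(reply, req, secret))
    print("reply verifies with other secret:   ", verify_response(reply, req, b"other"))
```

When the two secrets differ, the server recovers a garbled password and the client rejects the reply, so a mistyped Shared Secret shows up as failed or unanswered authentications rather than as an explicit error.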

8 DIGIPASS Authentication for Windows Logon

This section explains how to set up DIGIPASS Authentication for Windows Logon (Windows Logon), which requires the following steps:

- configuration of the IDENTIKEY Appliance: authentication attempts from Windows Logon clients are only allowed if a Client Component exists on the IDENTIKEY Appliance. If the Dynamic Client component feature is used, only one Default Client Component is required for all Windows Logon clients in the network. Windows Group Check, however, can restrict automatic creation of a copy of the default client component to pre-defined groups.
- installation and configuration of the DIGIPASS Authentication for Windows Logon software on the Windows clients.

It is possible to optionally configure an _SRV record in the network's DNS server, thus providing automatic detection of the available IDENTIKEY Appliances and fail-over functionality to the Windows Logon clients in the network. This optional configuration is explained in 18 IDENTIKEY Authentication Server Discovery with Windows Logon.

For an introduction to DIGIPASS Authentication for Windows Logon with the IDENTIKEY Appliance, please refer to the IDENTIKEY Appliance Product Guide. For more detailed information on DIGIPASS Authentication for Windows Logon, please refer to the DIGIPASS Authentication for Windows Logon Guides provided on the CDROM delivered with your IDENTIKEY Appliance.

Note: The IDENTIKEY Appliance Authentication service must be enabled before a Windows Logon setup is configured. Please see section 3.3 Enabling Services for instructions on how to enable the Authentication service/scenario.

8.1 IDENTIKEY Appliance Configuration

DNS setup

Client components for Windows Logon are created with DNS names in the Location field (please refer to the IDENTIKEY Appliance Product Guide, IDENTIKEY Appliance with Windows Logon section for more information).

Since authentication attempts are received from IP addresses, the IDENTIKEY Appliance needs to resolve the IP addresses to DNS names, to identify the correct Client Components. This IP-to-name information needs to be present in the DNS server configured in the IDENTIKEY Appliance Configuration Tool Settings > Network.

Image 19: Configuration Tool > Network

Tip: The required IP-to-name information is already available if a reverse DNS zone is present in the DNS server of an Active Directory setup. In such a setup, therefore, we recommend configuring the IP address of the DNS server as the IDENTIKEY Appliance DNS server.

Please refer to the Microsoft documentation for more information on configuring a DNS server and reverse zones.

Configuration of Microsoft Active Directory Back-End Authentication

An LDAP Active Directory back-end authentication record is required by the IDENTIKEY Appliance for this setup. Refer to the IDENTIKEY Appliance Product Guide for more information.

For instructions on how to activate Active Directory back-end authentication and how to create a back-end server record, please see section 10 Back-End Authentication. Steps for adjusting a policy and creating a client component are not required, however. These aspects are explained in the following sections.

Changing the Default Client Component

To change the Default Client Component:

1. Log in to the IDENTIKEY Authentication Server Administration Web Interface.
2. Select Clients > List.

Image 20: IDENTIKEY Authentication Server Administration Web Interface

3. Check the IDENTIKEY Windows Logon Client check box and click CHANGE POLICY.

4. From the Policy ID drop-down list, select either Windows Logon Online Authentication - LDAP AD Backend or Windows Logon Online and Offline Auth - LDAP AD Back-end policy, depending on whether you need offline authentication.
5. Click OK.

For more information on offline authentication, please refer to the IDENTIKEY Appliance Product Guide.

Image 21: Administration Web Interface > Create a New Client

8.2 Configuration of Windows Group Check in the Administration Web Interface

To restrict Dynamic Component Registration using Windows Group Check in the IDENTIKEY Authentication Server Administration Web Interface:

1. Click on the Policies tab.
2. Scroll down to the related Policy, e.g. Windows Logon Online Authentication - LDAP AD Back-end and select it by clicking on the policy name.

Image 22: Policies

3. Click on the DCR tab and click EDIT.

Image 23: DCR tab

4. Click to Enable Dynamic Component registrations.
5. Select Accept requests for clients listed in groups.
6. Select to Add Windows Groups Available. Available Windows Groups will be listed.

Image 24: Restricting Dynamic Component Registration with Windows Group Check

For more information on the relevant fields, please refer to the IDENTIKEY Appliance Reference Guide or the IDENTIKEY Authentication Server Administration Web Interface online help. For more information on the concept of Windows Group Check, please refer to the IDENTIKEY Appliance Product Guide.

8.3 Password Randomization

Windows Logon can be configured to provide Password Randomization. Password randomization replaces the static password used to authenticate the Windows client to the Windows domain with a random password, thereby always forcing the user to use DIGIPASS OTP authentication.

After a successful authentication towards the IDENTIKEY Appliance, the static password is changed to a randomized password in the Microsoft AD infrastructure. Randomized passwords have strict formatting rules and only the length of the password can be set. For more information on password randomization, please refer to the IDENTIKEY Appliance Product Guide.

To enable and set the length of Randomized passwords for Windows Logon:

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface.
2. Click on the Policies tab.
3. Select the related Policy, e.g. Windows Logon Online Authentication - LDAP AD Back-end.
4. Click on the Password Randomization tab.
5. Enable Password Randomization and set the password length.

Image 25: Configuring Password Randomization

8.4 Export Server Certificate (optional)

If Windows Logon is configured to verify the server certificate, the certificate must be registered in the certificate store on the client workstation. This requires the certificate to be exported from the IDENTIKEY Appliance Configuration Tool, and imported to client workstations.

Tip: A self-signed or purchased certificate can be uploaded (see section 12 Secure Sockets Layer).

To export the server certificate:

1. Log in to the IDENTIKEY Appliance Configuration Tool.
2. Navigate to IDENTIKEY Authentication Server > SOAP Communicator.
3. Click on the Download button to download the certificate.

Image 26: Configuration Tool > IDENTIKEY Authentication Server > SOAP Communicator

The server certificate can be imported in two ways:

- Locally on each client workstation using the Microsoft Management Console (MMC). This is only practical for small installations.
- Using a Group Policy, which is recommended for larger installations.

For more information, please refer to the guides listed in the following section.

8.5 Client Installation and Configuration

For information on installation and configuration of the client software, please refer to the following guides provided on the CDROM delivered with your IDENTIKEY Appliance:

- DIGIPASS Windows Logon Product Guide, which explains concepts related to Windows Logon;
- DIGIPASS Windows Logon Installation Guide, which provides instructions for installation;
- DIGIPASS Windows Logon User Manual, which provides some conceptual information and also client configuration instructions;
- DIGIPASS Windows Logon Getting started, which provides quick guidelines on how to configure the Windows Logon.

9 LDAP User Synchronization

9.1 Overview

This section describes the IDENTIKEY Appliance User Synchronization. LDAP User Synchronization can be configured in the Configuration Tool and supports automatic creation and updating of User Accounts on the IDENTIKEY Appliance from records stored on an LDAP Server. (Other methods of User Account creation using the Administration Web Interface include creating users manually, importing User Records, and Dynamic User Registration: see the section on DIGIPASS User Accounts in the IDENTIKEY Appliance Product Guide for further information.)

LDAP User Synchronization is the process of synchronizing records from an LDAP Server, not the process of authenticating with an LDAP Back-end server. For information on LDAP Back-end Authentication please see section 10 Back-End Authentication.

LDAP User Synchronization is not server-specific and therefore requires configuring specifically for different LDAP Servers. Setting up an LDAP Synchronization requires manual configuration of a Synchronization Profile in the Configuration Tool. Once the appropriate settings and mappings have been configured, synchronization between the LDAP Server and the IDENTIKEY Appliance is automatic.

Accessing and logging onto the IDENTIKEY Appliance Configuration Tool is explained in section 2 Administration Interfaces for IDENTIKEY Appliance.

In the following sections, we explain:

- how to create a Synchronization Profile in the IDENTIKEY Appliance
- how to configure synchronization for Microsoft Active Directory, with:
  - example filter settings
  - example attribute settings, and
  - instructions on how to find LDAP Server Attribute names with Active Directory
- how to configure synchronization for Novell eDirectory, with:
  - example filter settings
  - example attribute settings, and
  - instructions on how to find LDAP Server Attribute names with Novell eDirectory
- how to configure synchronization for other LDAP Servers.

For explanations of the concepts of LDAP Synchronization, please refer to the IDENTIKEY Appliance Product Guide, LDAP Synchronization section.

Notes:

1. User Account settings are called source Attributes in the LDAP Server and destination Properties in the IDENTIKEY Appliance.
2. Authentication with LDAP Server credentials for User Accounts which have been synchronized requires a Back-end Server Record to be configured. Back-end passwords are not usually synchronized due to LDAP Server security restrictions. For further information, please refer to the IDENTIKEY Appliance Product Guide, LDAP Synchronization section. For practical guidance on how to configure a Back-end Server Record, see section 10 Back-End Authentication.

Tip: For help with specific issues which may arise with LDAP User Synchronization, please see section 24.4 LDAP User Synchronization Issues.

9.2 Creating a Synchronization Profile

LDAP User Synchronization is set up in the Configuration Tool and requires the following steps:

1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Authentication Server > LDAP User Synchronization (see image below).

Image 27: Configuration Tool > IDENTIKEY Authentication Server > LDAP User Synchronization

3. Click ADD to open a screen for configuring an LDAP synchronization profile (see image below).

Image 28: Configuration Tool > IDENTIKEY Authentication Server > LDAP User Synchronization: Add button

4. Configure the fields (example settings are also shown in the image below). There are four types of settings:
   - server settings provide details of the source LDAP Server.
   - User management, Search base, and Filter settings define the location, depth and accounts to be synchronized from the source directory.
   - attribute mapping synchronizes specific properties on the IDENTIKEY Appliance to values from LDAP source parameters; destination properties can be defined as a constant or the value of a specified source parameter. If nothing is specified, a default value is used.
   - hierarchy mappings (Create missing OU's, Mirror OU structure, Include LDAP Children, and Return DIGIPASS to Parent OU on Move/Delete) define whether the destination structure mirrors the source structure and whether existing Accounts should be updated (see Example below).
5. Click Save to finish.

For more information on the concepts of LDAP User Synchronization, please refer to the section on LDAP user synchronization in the IDENTIKEY Appliance Product Guide. For more information on LDAP User Synchronization settings, please refer to the Configuration Tool: Field Listings section in the IDENTIKEY Appliance Administrator Reference Guide.

Image 29: Synchronization Profile Settings

Example: These examples match Profiles 1 and 3 in the IDENTIKEY Appliance Product Guide, Managing Source and Destination Hierarchies section.

Example Profile 1: The LDAP Source hierarchy has Users in Organizational Units below the Search Base Domain. The Mirror OU structure and Create missing OU options are not checked, although the option to synchronize all User Accounts at and below the Search Base is configured. Users are all synchronized to the single (flat name) destination address in the IDENTIKEY Appliance hierarchy. No sub-organizational units are created.

Example Profile 3: The LDAP Source hierarchy has Users in Organizational Units below the Search Base Domain. The options to synchronize all User Accounts at and below the Search Base, to mirror the Organizational Unit structure and Create missing Organizational Units are selected. The structure of the LDAP Server is replicated in the IDENTIKEY Appliance.

Tip: The Enable box must be checked for the Synchronization Profile to become operational.

Note:

1. At least one attribute must always be mapped to the IDENTIKEY Appliance User ID property.
2. Some IDENTIKEY Appliance User Properties cannot be retrieved from an LDAP Server, e.g. Local Authentication, Back-end Authentication and Password. These Properties can only be synchronized to a constant value. The Type constant needs to be selected for the Attribute mapping entry and the value inserted in the Source/Attribute Value column. If the values are omitted, default values are used. For possible and default values of these Properties, please refer to the IDENTIKEY Appliance Administrator Reference Guide, User Properties section.
3. Only one mapping can be configured for each IDENTIKEY Appliance User Property.

9.3 Microsoft Active Directory Synchronization

Example Filtering and Mapping

For Microsoft Active Directory (tested with versions 2003 and 2008), the filter entries in the table (and image) below retrieve all Users from the Search Base, without retrieving other objects such as Groups, Contacts or Computers etc.

Table 1: Microsoft Active Directory 2003/2008 Filter Settings

Microsoft Active Directory 2003/2008
Attribute         Value
samaccountname    *
givenname         *
objectclass       person

Example mappings of commonly used Microsoft Active Directory 2003/2008 Attributes to their IDENTIKEY Appliance Properties are shown in the image below.

Image 30: Example Filter and Attribute Mappings for Microsoft Active Directory 2003/

Finding Attribute Names

The previous examples can also be adapted to your organization's needs, for example if a more refined filter is required or if other LDAP Server Attribute values need to be synchronized to a certain IDENTIKEY Appliance User Property.

To add Filter or Mapping entries, you need to know the Attribute name in the Active Directory.

Note: The method for finding Attribute names explained here may not apply to your particular version of Active Directory. If this is the case, please refer to the Help files or documentation for your Active Directory (see also section 9.5 Other LDAP Server Synchronizations).

To view User Account Attributes on your Microsoft Active Directory:

1. Log on to the Microsoft Active Directory.
2. Run the program adsiedit.msc.
3. Navigate to a source User Account.
4. Right click on the User Account in the left window and select Properties (see image below).

Image 31: Viewing properties for an example object in a Microsoft Active Directory

For an alternative method of finding LDAP Server Attribute names, refer to section 9.5 Other LDAP Server Synchronizations.

9.4 Novell eDirectory Synchronization

Example Filtering and Mapping

For Novell eDirectory (tested with version 8.8 SP2), the filter entry in the table (and image) below retrieves all Users from the Search Base.

Table 2: Novell eDirectory Filter Settings

Novell eDirectory
Attribute      Value
objectclass    Person

Example mappings of commonly used Novell eDirectory Attributes to their IDENTIKEY Appliance Properties are shown in the image below.

Image 32: Example Filter and Attribute Mappings for Novell eDirectory

Finding Attribute Names

The previous examples can also be adapted to your organization's needs, for example if a more refined filter is required or if other LDAP Server Attribute values need to be synchronized to a certain IDENTIKEY Appliance User Property.

To add Filter or Mapping entries, you need to know the Attribute name in the Novell eDirectory, which can be found in your eDirectory documentation:

To find information on LDAP Schema and Attributes:

- click on the Help button in Novell iManager
- navigate to: Novell eDirectory Documentation > Developer Documentation > Novell eDirectory Schema Reference > Base Object Class Definition > User.

To find information on configuring LDAP settings:

- click on the Help button in Novell iManager
- navigate to: Novell eDirectory Documentation > Understanding LDAP Services for Novell eDirectory and Configuring LDAP Services for Novell eDirectory.

9.5 Other LDAP Server Synchronizations

To create a Synchronization Profile for your LDAP Server, you will need to know the names of the LDAP Attributes used to identify users. Two methods for finding Attribute names are:

- viewing the Attribute list for a specific User Account using an LDAP search tool or an LDAP browser. An example of an LDAP search tool is ldapsearch from OpenLDAP.org. This method has the disadvantage that some Attributes may not be listed for the specific User Account viewed, if they are not mandatory for all User Accounts.
- viewing the LDAP schema from the LDAP Server. This may be available in the LDAP Server documentation or can be retrieved as explained in the Tip below.

Tip: retrieving an LDAP schema with a command line LDAP search tool

1. Retrieve the location of the schema object in the LDAP Server. For this LDAP request, the search base should be the root DN of your LDAP Server, the scope should be set to 'base', and the requested attribute should be the word 'subschemasubentry'. e.g. using ldapsearch:

   ldapsearch -H ldap://ldapserver -b dc=example,dc=com -s base subschemasubentry

2. Send an LDAP request with the resulting value for 'subschemasubentry' acquired in step 1 as search base, the scope again set to 'base', and the requested attribute to 'objectclasses'. e.g. using ldapsearch:

   ldapsearch -H ldap://ldapserver -b cn=subschema -s base objectclasses

3. In the LDAP schema, look for the attributes of the relevant object class, which is likely to be 'person', 'organizationalperson', 'inetorgperson', or 'user'.
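Step 3 can be done by script once the output of step 2 is saved to a file. The following added example (not part of this guide or of any VASCO tool) parses 'objectclasses' values in the RFC 4512 syntax and lists the mandatory and optional attributes of an object class, including those inherited through SUP; the embedded LDIF is a constructed, abbreviated sample rather than a real server's schema.

```python
"""Added example: list the attributes an object class allows, from the
'objectclasses' values returned by the schema search in step 2."""
import re

# Constructed sample of ldapsearch output. Long LDIF lines are folded: a
# continuation line starts with one space that is not part of the value.
SAMPLE_LDIF = """\
dn: cn=subschema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY
  ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY
  ( title $ ou $ l $ postalAddress ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organization
 alPerson STRUCTURAL MAY ( givenName $ mail $ uid $ displayName ) )
"""

# Tokens: parentheses, the "$" list separator, quoted strings, bare words.
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
FIELDS = {"NAME": "names", "SUP": "sup", "MUST": "must", "MAY": "may"}


def _read_list(tokens, i):
    """Read one value or a parenthesised list at tokens[i]; return (items, next index)."""
    if tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    end = tokens.index(")", i)
    return [t.strip("'") for t in tokens[i + 1:end] if t != "$"], end + 1


def parse_objectclass(definition):
    """Parse one ObjectClassDescription into its names, superiors, MUST and MAY lists."""
    tokens = TOKEN.findall(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not an object class definition: %r" % definition)
    body = tokens[2:-1]                  # drop "(", the numeric OID and the final ")"
    oc = {"names": [], "sup": [], "must": [], "may": []}
    i = 0
    while i < len(body):
        keyword = body[i].upper()
        if keyword in FIELDS:
            oc[FIELDS[keyword]], i = _read_list(body, i + 1)
        else:
            i += 1                       # DESC text, STRUCTURAL, X- extensions and so on
    return oc


def load_schema(ldif_text):
    """Return {lower-cased class name: parsed definition} from ldapsearch LDIF output."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    schema = {}
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "objectclasses":
            continue
        if value.startswith(":"):
            continue                     # base64-encoded value, not handled in this example
        oc = parse_objectclass(value.strip())
        for name in oc["names"]:
            schema[name.lower()] = oc
    return schema


def allowed_attributes(schema, class_name, _seen=None):
    """Return (must, may) attribute sets for a class, following SUP inheritance."""
    seen = _seen if _seen is not None else set()
    key = class_name.lower()
    if key in seen or key not in schema:
        return set(), set()
    seen.add(key)
    oc = schema[key]
    must, may = set(oc["must"]), set(oc["may"])
    for parent in oc["sup"]:
        parent_must, parent_may = allowed_attributes(schema, parent, seen)
        must |= parent_must
        may |= parent_may
    return must, may - must


if __name__ == "__main__":
    must, may = allowed_attributes(load_schema(SAMPLE_LDIF), "inetOrgPerson")
    print("MUST:", sorted(must))
    print("MAY: ", sorted(may))
```

Attributes that appear only under MAY are the ones the guide warns may be missing when a single User Account is inspected, so the schema listing is the more complete source for Filter and Mapping entries.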

10 Back-End Authentication

Back-End Authentication is a term used to describe the process of checking User credentials with another system. In this section, we explain standard IDENTIKEY Appliance Back-End authentication set-ups with:

- RADIUS
- Novell eDirectory
- Microsoft Active Directory
- ADAM
- Tivoli

Note: SSL is available for Active Directory and Tivoli Back-End authentication.

Image 33: IDENTIKEY Appliance as Intermediate Server for OTP only

Configuration requires the following steps:

1. Enable Back-End authentication in the IDENTIKEY Appliance Configuration Tool.
2. Create a Back-End Record in the IDENTIKEY Authentication Server Administration Web Interface.
3. Edit a Policy for Back-End authentication in the IDENTIKEY Authentication Server Administration Web Interface.
4. Create a Client Component and assign the Policy to it in the IDENTIKEY Authentication Server Administration Web Interface.

For more information on Back-End authentication, please refer to the Back-End Authentication section of the IDENTIKEY Appliance Product Guide.

10.1 RADIUS Back-End Authentication

Enable RADIUS Back-End Authentication

To activate RADIUS Back-End server authentication in the IDENTIKEY Appliance Configuration Tool:

1. Navigate to Authentication Server > Authentication Back-Ends.

Image 34: Authentication Back-Ends

2. Scroll down and check the box to enable RADIUS Back-End authentication.

Image 35: Enabling RADIUS Back-End

3. Click on Save.

Add a RADIUS Back-End Server Record

To add a RADIUS Back-End server record in the IDENTIKEY Authentication Server Administration Web Interface:

1. Select IDENTIKEY Authentication Server > RADIUS Communicator.
2. Enable RADIUS by clicking the check box.
3. Complete the necessary fields. Note that:
   - 1812 is the default Authentication Port, but you need to use the appropriate port for your installation.
   - Entries for the Accounting fields are only necessary when accounting is required.
   - 1813 is the default Accounting Port, but you need to use the appropriate port for your installation.
   - For Authentication and Account IP addresses, enter the IP address of the Back-End RADIUS Server.
   - Enter the Shared Secret used by the Back-End RADIUS Server.
   - The Timeout field is mandatory.
   For more information on these settings, please refer to the IDENTIKEY Authentication Server Administration Web Interface.
4. Click on Create to finish.

Image 36: Administration Web Interface > Back-End > Register RADIUS Back-End tab

Adjusting Authentication Policy Settings

1. Access the IDENTIKEY Authentication Server Administration Web Interface as explained in section 2.2 Access to the Configuration Tool and Administration Web Interface.
2. Select Policies > List. All available policies are listed.
3. Select the Policy to be used and click on Edit.
4. For Local Authentication, select DIGIPASS only (local authentication is always used with a DIGIPASS).
5. For Back-End Authentication, select Always (Back-End authentication is always used).
6. For Back-End Protocol, select RADIUS.
7. Click on Save to finish.

Image 37: Administration Web Interface > Policies > List > Edit Policy Screen

The example illustrated above configures DIGIPASS only authentication with RADIUS Back-End authentication in the assigned policy. Other authentication settings and authentication options (e.g. grace period, assignment methods) can also be configured.

For more information on the possible policy settings, please refer to the Policies section of the IDENTIKEY Appliance Product Guide, which is also available via the Help button in the IDENTIKEY Appliance Configuration Tool. For a list and explanation of the pre-loaded default Policies, please refer to the IDENTIKEY Appliance Reference Guide. Different policy options are also explained with examples of practical setups using a RADIUS simulator client in section 19 Test Policy Settings.

Create a Client Record and Assign the Policy

1. To create a Client Record in the IDENTIKEY Authentication Server Administration Web Interface, follow the instructions provided in section 4.1 Client Records.
2. Assign the Policy for which you have adjusted the Back-End authentication settings (as instructed above) in the Policy ID field.

10.2 Novell eDirectory Back-End Authentication

Enabling Novell eDirectory Back-End Authentication

To activate Novell eDirectory Back-End Server authentication in the Configuration Tool:

1. Navigate to IDENTIKEY Authentication Server > Authentication Back-Ends.
2. Scroll down and check the box to enable eDirectory Back-End authentication.
3. Click on Save.

Image 38: Enabling Novell eDirectory Back-End

Add a Novell eDirectory Back-End Server Record

To add an eDirectory Back-End server record in the IDENTIKEY Authentication Server Administration Web Interface:

1. Select the Back-End tab.
2. Select eDirectory for the type of Back-End server to be registered.
3. Complete the necessary fields. Please note that the Timeout field is mandatory. For more information on these settings, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
4. Click on Create to finish.

Image 39: Administration Web Interface > Back-Ends tab > eDirectory

Caution: Within Novell eDirectory, different password verification mechanisms exist for different services requested. The IDENTIKEY Appliance uses SASL Digest-MD5 LDAP authentication, which is only supported using the simple password mechanism. Successful authentication with eDirectory therefore requires one of two options:

1. Configuring the simple password manually for each User account within eDirectory.
2. Enabling Universal Passwords, to automatically synchronize all password mechanisms within eDirectory. For information on how to configure Universal passwords, please refer to your Novell eDirectory documentation.

Image 40: Manual Configuration of the Simple Password

Edit Authentication Policy Settings

Follow the instructions provided under 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using Novell eDirectory instead of RADIUS for the Back-End Protocol field.

Creating a Client Record and Assigning the Policy

Follow the instructions under 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for Novell eDirectory Back-End authentication.

Microsoft Active Directory Back-End Authentication

With Microsoft Active Directory there are two possibilities:

- If only a single domain controller with one domain is in use, the Back-End Server record can be registered on the IDENTIKEY Appliance. This record will be used to retrieve the Back-End Server during User Authentications. Instructions are explained in section Single Domain with Single Domain Controller.
- If multiple domains and/or multiple domain controllers are in use, Back-End Server records can be searched for using the Global Catalog Server. This requires the Global Catalog Server settings to be configured in the IDENTIKEY Appliance, as explained in section Multiple domains: Global Catalog Server Setup.

For conceptual information on both setups, please refer to the IDENTIKEY Appliance Product Guide.

Active Directory Back-End Authentication via LDAP

When the Active Directory back-end is to be authenticated via the LDAP protocol, the LDAP back-end needs to be configured. The following steps are necessary for this configuration:

After setting up SSL on the LDAP back-end, export the CA Certificate accordingly:

1. Launch the Windows Certification Authority application. This is typically launched via Start > Administrative Tools > Certification Authority on most Windows servers.
2. Select a certification authority, right-click it, and select Properties.
3. In the Properties window, click the View Certificate button.
4. In the Certificate window, select the Details tab and click the Copy to File button. Doing so will launch the Certificate Export Wizard.
5. In the Certificate Export Wizard, click Next.
6. Select Base-64 encoded X.509 and click Next.
7. Specify the path and name of the CA Certificate file and click Next.
8. Click Finish to export the certificate.

Enable Microsoft Active Directory Back-End Authentication

After exporting the certificate, you will need to enable Microsoft Active Directory back-end authentication and upload the exported certificate. To do so:

1. Navigate to IDENTIKEY Authentication Server > Authentication Back-Ends.
2. Toggle the Enabled check box in the Microsoft Active Directory section.
3. [Optional: applies if the Active Directory back-end is to be authenticated via the LDAP protocol.] Toggling the check box enables the Upload AD SSL Certificate field. Use the Browse button to navigate to the exported CA Certificate file.
4. Click Save.

Image 41: Enabling Microsoft Active Directory

Single Domain with Single Domain Controller

A single domain controller setup requires the following steps:

- Activate Microsoft Back-End Authentication in the IDENTIKEY Appliance Configuration Tool
- Configure the IDENTIKEY Appliance DNS Server in the IDENTIKEY Appliance Configuration Tool
- Add a Microsoft Active Directory Back-End Server Record in the IDENTIKEY Authentication Server Administration Web Interface
- Adjust Authentication Policy Settings in the IDENTIKEY Authentication Server Administration Web Interface

71 Back-End Authentication Configure a Client Record and assigning the Policy in the IDENTIKEY Authentication Server Administration Web Interface Configuring the IDENTIKEY Appliance DNS Server Caution Although not mandatory, VASCO recommends using the AD domain controller as the DNS server to avoid issues with Microsoft SPN implementation. For more information on aspects requiring attention when configuring this setup, please refer to section 24.5 LDAP Back-End Authentication Setup Issues. Additional configuration is needed when the IDENTIKEY Appliance cannot directly connect to the IP address of the AD domain controller (for example with NAT). For more information, refer to section 24 Troubleshooting. To configure the AD domain controller (with the DNS Server role) as the DNS server for the IDENTIKEY Appliance in the IDENTIKEY Appliance Configuration Tool: Navigate to Settings > Network. Complete the DNS server(s) field. Click on Save. Image 42: Configuration Tool > Network 71

Add a Microsoft Active Directory Back-End Server Record

Caution: Security Principal ID
- If Enable SSL is used, the format for the Security Principal ID is the DN, e.g. cn=administrator, cn=users, dc=vasco, dc=com
- If Enable SSL is not used, the format for the Security Principal ID is the sAMAccountName, e.g. Administrator

To add an Active Directory Back-End server record in the IDENTIKEY Authentication Server Administration Web Interface:

1. Select the Back-End > Register Active Directory Back-End.
2. Complete the necessary fields.
   - Location is the IP address of the Active Directory server
   - Please note that the Timeout field is mandatory
   For more information on these settings, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
3. Click on Create to finish.

Image 43: Administration Web Interface > Back-Ends > Register Active Directory Back-End

Adjust Authentication Policy Settings

Follow the instructions provided under 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using Microsoft Active Directory instead of RADIUS for the Back-End Protocol field.

Create a Client Record and Assigning the Policy

Follow the instructions under 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for Active Directory Back-End authentication.

Multiple domains: Global Catalog Server Setup

In this setup, multiple domain controllers are present. Instead of creating Back-End records for each server, a simpler method is used: the Global Catalog Server settings are configured in the IDENTIKEY Authentication Server Administration Web Interface.

This setup requires you to:

- Activate Microsoft Back-End Authentication in the Configuration Tool
- Configure the IDENTIKEY Appliance DNS Server in the Configuration Tool
- Configure the Global Catalog Server settings
- Configure the Authentication Policy Settings
- Configure a Client Record and assign the Policy

Note: When using the Global Catalog Server, a Back-End Server Record in the IDENTIKEY Authentication Server Administration Web Interface is not necessary. For more information on the Global Catalog Server setup, please refer to the IDENTIKEY Appliance Product Guide, Back-End Authentication section.

Enable Microsoft Active Directory Back-End Authentication

To activate Microsoft Active Directory Back-End server authentication in the IDENTIKEY Appliance Configuration Tool, please follow the instructions under Enable Microsoft Active Directory Back-End Authentication.

Configure the IDENTIKEY Appliance DNS Server

To configure the AD domain controller (with the DNS Server role) as the DNS server for the IDENTIKEY Appliance in the IDENTIKEY Appliance Configuration Tool, please follow the instructions above under Configuring the IDENTIKEY Appliance DNS Server.

Caution
Although not mandatory, VASCO recommends using the AD domain controller as the DNS server to avoid issues with Microsoft SPN implementation. For more information on aspects requiring attention when configuring this setup, please refer to section 24.5 LDAP Back-End Authentication Setup Issues.

Configure Global Catalog Server Settings

The following configuration enables the IDENTIKEY Appliance to use information in the Global Catalog Server to retrieve the correct domain controller whenever LDAP AD Back-End Authentication is required. For further information on setting up a Global Catalog Server, please refer to the Microsoft documentation.

To configure the Global Catalog Server on the IDENTIKEY Appliance:

1. Navigate to Back-End > Settings.

Image 44: Administration Web Interface > Back-Ends

2. Enter the settings as shown in the image below. Please note that:
   - The Global Catalog Location is the IP address or DNS name of the domain controller acting as the Global Catalog Server
   - The Global Catalog Port is 3268 by default, but may need adapting for your setup
   - Principal ID and Principal Password are credentials with read access in the Global Catalog Server
3. Click on Create to finish.

Image 45: Administration Web Interface > Back-Ends > Settings

Adjusting Authentication Policy Settings

Follow the instructions provided under 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using Microsoft Active Directory instead of RADIUS for the Back-End Protocol field.

Creating a Client Record and Assigning the Policy

Follow the instructions under 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for Active Directory Back-End authentication.

10.4 ADAM Back-End Authentication

Enable ADAM Back-End Authentication

To activate ADAM Back-End Server authentication in the IDENTIKEY Appliance Configuration Tool:

1. Access the IDENTIKEY Appliance Configuration Tool as explained in section 2.2 Access to the Configuration Tool and Administration Web Interface.
2. Navigate to IDENTIKEY Authentication Server > Authentication Back-Ends.
3. Scroll down and check the box to enable ADAM Back-End authentication.
4. Click on Save.

Image 46: Enabling ADAM Back-End

Add an ADAM Back-End Server Record

To add an ADAM Back-End server record in the IDENTIKEY Authentication Server Administration Web Interface:

1. Select the Back-End tab.
2. Select ADAM as the type of Back-End server to be registered.
3. Complete the necessary fields. Please note that the Timeout field is mandatory. For more information on these settings, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
4. Click on Create to finish.

Image 47: Administration Web Interface > Back-Ends tab > ADAM

Adjust Authentication Policy Settings

Follow the instructions provided under 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using ADAM instead of RADIUS for the Back-End Protocol field.

Creating a Client Record and Assigning the Policy

Follow the instructions under 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for ADAM Back-End authentication.

10.5 Tivoli Back-End Authentication

Enabling Tivoli Back-End Authentication

To activate Tivoli Back-End Server authentication in the Configuration Tool:

1. Navigate to IDENTIKEY Authentication Server > Authentication Back-Ends.
2. Scroll down and check the box to Enable Tivoli Back-End authentication.
3. If SSL is used, an SSL certificate must be uploaded. The SSL certificate can be acquired from a trusted Certificate Authority, or a self-signed certificate can be created. If a self-signed certificate is created, it must be created as a .der file, with data type Binary DER. Browse to upload the Certificate.
4. Click on Save.

Image 48: Enabling IBM Tivoli Back-End

Add a Tivoli Back-End Server Record

To add a Tivoli Back-End server record in the Administration Web Interface:

1. Select the Back-End tab.
2. Select Tivoli for the type of Back-End server to be registered.
3. Complete the necessary fields. Please note that:
   - Enable SSL must be checked
   - The Timeout field is mandatory
   For more information on these settings, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
4. Click on Create to finish.

Image 49: Administration Web Interface > Back-Ends tab > Tivoli

Adjust Authentication Policy Settings

Follow the instructions provided in 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using Tivoli instead of RADIUS for the Back-End Protocol field.

Create a Client Record and Assign the Policy

Follow the instructions in 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for Tivoli Back-End authentication.

Replication Wizard

Overview

Multiple IDENTIKEY Appliances can be configured to synchronize by exchanging data between them. This process is called replication. In this section, we explain:

- how to set up replication in the Configuration Tool
- how to view the replication status in the Configuration Tool and the Administration Web Interface
- how to remove a replication link in the Configuration Tool

For more information on the concept of replication, please refer to the Replication section of the IDENTIKEY Appliance Product Guide. For more information on the fields available for configuring replication, please see the IDENTIKEY Appliance Administrator Reference Guide.

Create a Replication Link

This section explains how to create a link between multiple IDENTIKEY Appliances. The procedure can be repeated to create further links. All the instructions for creating a replication link need to be completed in the Configuration Tool.

Replication can only be configured between two IDENTIKEY Appliances for which the first-time configuration and licensing wizards have been completed (see the IDENTIKEY Appliance Installation and Maintenance Guide). One IDENTIKEY Appliance is specified as the source, initiating synchronization towards the other, which is called the target. After initial synchronization, replication is performed in both directions and both IDENTIKEY Appliances have equivalent roles.

Cautions:

1. The database on the target IDENTIKEY Appliance is erased during replication, and overwritten by the source IDENTIKEY Appliance database. An IDENTIKEY Appliance already included in a replication setup cannot be configured as a target for a second source IDENTIKEY Appliance. A new IDENTIKEY Appliance being added to a replication setup can only be defined as a target. The wizard auto-detects the existing source IDENTIKEY Appliance.
2. Only Auditing and Administration Web Interface settings are replicated: Configuration Tool settings are not replicated. This allows activation of different services on IDENTIKEY Appliances within a replication setup. However, this also means that some settings, such as enabling LDAP Active Directory back-end authentication (see 10.3 Microsoft Active Directory Back-End Authentication), need to be configured manually on each replication peer.
3. Replication is not possible between different IDENTIKEY Appliance versions.
4. Replication links present on the IDENTIKEY Appliance are removed on upgrading.

NOTE. Items 3 and 4 apply only if the IDENTIKEY data models of two IDENTIKEY Appliances differ from one another, which is almost exclusively the case only when upgrading from one IDENTIKEY Authentication Server version to another IDENTIKEY Authentication Server version (patch upgrades excluded).

Replication setup requires the following steps:

1. Access the Configuration Tool of the target IDENTIKEY Appliance (explained in section 2 Administration Interfaces for IDENTIKEY Appliance).
2. Select Authentication Server > Authentication Server Replication, and click on Add. This initiates the Replication Wizard.
3. Follow the guidelines provided in the Replication Wizard screens as shown below. The Replication Processing screen remains active and listens for connections from the source IDENTIKEY Appliance.

Image 50: Replication Wizard Step 1: Welcome Screen

Image 51: Replication Wizard Step 2: Remote IP Address Screen

Image 52: Replication Wizard Step 3: Set Up Replication Screen

Image 53: Replication Wizard Step 4: Setup Processing Screen

- Access the Configuration Tool of the source IDENTIKEY Appliance (explained in section 2 Administration Interfaces for IDENTIKEY Appliance).
- Select Authentication Server > Authentication Server Replication, and click on Add. This initiates the Replication Wizard.
- Follow the guidelines provided in the Replication Wizard screens as shown above, except for selecting Replication Source instead of Replication Target in step 2. The Replication Processing screens on both the source and target IDENTIKEY Appliances now show the status of the replication process (see example below).
- When the Replication Process has finished, close the wizards on the source and target IDENTIKEY Appliances by clicking on the Finish button. This completes the replication setup.

Image 54: Replication Setup Processing Screen Feedback

Tip: If the source and target IDENTIKEY Appliances are separated by a network firewall, some firewall ports need to be opened. For more information, refer to the IDENTIKEY Appliance Administrator Reference Guide, 'Firewall Ports' section.

11.3 Replication Status

Overview

In the following two sections, we describe the replication status reported in the:

- Configuration Tool
- Administration Web Interface

Configuration Tool

Accessing and logging onto the IDENTIKEY Appliance Configuration Tool is explained in section 2 Administration Interfaces for IDENTIKEY Appliance.

Click on the Replication menu topic in the Configuration Tool to see a list of the active replication links. For each IDENTIKEY Appliance linked to a replication setup, a button is provided to stop the replication link (see image below). Clicking on this button initiates the Replication Removal Wizard (explained below).

Image 55: Replication Status Screen in the Configuration Tool

Administration Web Interface

Accessing and logging onto the IDENTIKEY Appliance Administration Web Interface is explained in section 2 Administration Interfaces for IDENTIKEY Appliance.

Click on the System tab and select Get Replication Status in the Administration Web Interface to show a list of the IDENTIKEY Appliances for which the Replication Wizard has been successfully completed for a replication setup (see image below). For each IDENTIKEY Appliance referenced, the following data is listed:

- the connection status (connected or not)
- the time and date of the last update
- the number of messages queued, i.e. the number of replication entries yet to be sent in this replication setup.

Image 56: Replication Servers Screen in the Administration Web Interface

11.4 Replication Removal Wizard

Removing a replication setup requires removing both the source and target IDENTIKEY Appliances, using the Replication Removal Wizard in the Configuration Tool. This process requires the following steps at both sites of the replication link, i.e. in the Configuration Tools of both IDENTIKEY Appliances:

- Click on Replication, Identifiers, to view the list of IDENTIKEY Appliances currently linked to a replication setup.
- Click to remove the IDENTIKEY Appliance; this initiates the Replication Removal Wizard, which has two steps (shown in the images below).

Image 57: Remove Replication Wizard step 1

Image 58: Remove Replication Wizard step 2

12 Secure Sockets Layer (SSL)

In this section we provide instructions for configuring:

- A Server Certificate for SOAP, SEAL and RADIUS (self-signed or commercial)
- A Client Certificate for SOAP and SEAL
- Cipher Suite Security Levels for SOAP, SEAL and RADIUS

For more information on the concepts of the Server and Client Certificates and Cipher Suite Security Levels, refer to the SSL section in the IDENTIKEY Appliance Product Guide and the IDENTIKEY Appliance Administrator Reference. For an explanation of the relevant configuration fields, please refer to the IDENTIKEY Appliance Administrator Reference.

Server Certificate

This section explains how to upload and download Server Certificates for all protocols, including SOAP, SEAL and RADIUS. Server Certificates can be self-signed or commercial.

To upload a Server Certificate:

1. In the IDENTIKEY Appliance Configuration Tool navigate to Authentication Server > SEAL Communicator, SOAP Communicator, or Radius Communicator, depending on what the certificate is being used for.

Image 59: IDENTIKEY Authentication Server menu list

2. For an explanation of the SSL cipher suite security levels, please refer to the IDENTIKEY Appliance Administrator Reference. To set the security level select Very High, High, Medium, or Low.
3. For the default self-signed Certificate, select Self-signed. For a custom self-signed or commercial Certificate, select Custom. Browse to the certificate to be uploaded. An uploaded certificate should be in the PEM format. The PEM file should contain the certificate and the private key file related to the uploaded certificate. Use of the certificate may be password protected, in which case the password should be entered on this screen.
4. Click on Save to finish.

Image 60: Server Certificate Configuration

Tip: The certificate can be downloaded using the disk icon.

Client Certificate

This section explains how to upload the Certificate Authority (CA) Signing Certificate(s) for the IDENTIKEY Appliance to validate Client Certificates of connecting SOAP and SEAL clients. The Certificate must be in PEM format. Multiple Certificate Authority Signing Certificates can be used for validating client certificates, but must be uploaded in a single PEM formatted file.

To upload a CA Signing Certificate (only possible for SOAP and SEAL) to the IDENTIKEY Appliance Certificate Store:

1. In the IDENTIKEY Appliance Configuration Tool navigate to Authentication Server > SEAL Communicator, SOAP Communicator or Radius Communicator, depending on what the certificate is being used for.
2. Scroll down to the Client Certificate area and set the Require Client Certificate field to Optional, Required or Required-signed address only.
3. Browse to the CA Certificate Store which contains the client certificate.
4. The Re-Verify on Negotiation field should be used sparingly and only if necessary. This check box is clicked to perform the SSL handshake each time you reconnect. If you reconnect each time you send a message you should leave this box unchecked as it will slow performance.
5. For SEAL communicators: click Automatically Trust Certificates to trust server certificates automatically.
6. Click on Save to finish.

Image 61: Client Certificate Configuration
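A pre-upload check for the two PEM uploads described in this section (the Custom Server Certificate file and the single-file CA Certificate Store), given here as an added example that is not part of the VASCO guide. The function names, the rule that a CA bundle should carry no private key, and the sample blocks (constructed placeholders, not real certificates or keys) are assumptions of the example; it does not verify that the private key matches the certificate.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Name: value" headers, base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return (label, encrypted, payload_bytes) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln for ln in lines if ":" not in ln)
        # PKCS#8 marks encryption in the label, legacy keys in a Proc-Type header.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.replace(" ", "").upper() == "PROC-TYPE:4,ENCRYPTED" for h in headers)
        try:
            payload = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a subclass of ValueError
            raise ValueError(f"{label}: body is not valid base64") from exc
        blocks.append((label, encrypted, payload))
    return blocks


def check_upload(data, purpose):
    """Check file bytes against the field they are meant for.

    purpose "server":    Custom Server Certificate (certificate plus its private key).
    purpose "client_ca": CA Certificate Store (one or more CA certificates in one file).
    """
    if purpose not in ("server", "client_ca"):
        raise ValueError("purpose must be 'server' or 'client_ca'")
    report = {"ok": False, "certificates": 0, "needs_password": False, "problems": []}
    problems = report["problems"]
    # A binary DER file starts with the SEQUENCE tag and has no PEM armour.
    if data[:1] == b"\x30" and b"-----BEGIN" not in data:
        problems.append("binary DER file; this field expects PEM")
        return report
    try:
        blocks = parse_pem(data.decode("ascii", errors="replace"))
    except ValueError as exc:
        problems.append(str(exc))
        return report
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    report["certificates"] = len(certs)
    if not certs:
        problems.append("no CERTIFICATE block found")
    for label, encrypted, payload in blocks:
        if not encrypted and payload[:1] != b"\x30":
            problems.append(f"{label}: payload does not start with a DER SEQUENCE")
    if purpose == "server":
        if len(keys) != 1:
            problems.append(f"expected exactly one private key, found {len(keys)}")
        else:
            # An encrypted key means the password must be entered on the upload screen.
            report["needs_password"] = keys[0][1]
    elif keys:
        # Assumption of this example: a CA store holds certificates only.
        problems.append("private key found in CA bundle; remove it before upload")
    report["ok"] = not problems
    return report


def _pem(label, payload, headers=()):
    """Wrap bytes in PEM armour (used only to build the constructed samples)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed placeholders: a SEQUENCE tag plus filler, NOT real certificates or keys.
CERT_A = _pem("CERTIFICATE", b"\x30\x16constructed-cert-A")
CERT_B = _pem("CERTIFICATE", b"\x30\x16constructed-cert-B")
PLAIN_KEY = _pem("PRIVATE KEY", b"\x30\x14constructed-key")
LEGACY_ENC_KEY = _pem("RSA PRIVATE KEY", b"\x9c\x41constructed-ciphertext",
                      headers=("Proc-Type: 4,ENCRYPTED",
                               "DEK-Info: AES-256-CBC,0011223344556677"))

if __name__ == "__main__":
    samples = [
        ("server cert + key", CERT_A + PLAIN_KEY, "server"),
        ("server cert + encrypted key", CERT_A + LEGACY_ENC_KEY, "server"),
        ("server cert only", CERT_A, "server"),
        ("two-CA bundle", CERT_A + CERT_B, "client_ca"),
        ("CA bundle with stray key", CERT_A + PLAIN_KEY, "client_ca"),
    ]
    for name, text, purpose in samples:
        print(name, "->", check_upload(text.encode(), purpose))
```
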

13 How to Set Up Signing and Provisioning

13.1 Overview

In this section we provide information for setting up Signature and Provisioning services with the IDENTIKEY Appliance.

Electronic Signatures are used for transaction authentication and integrity checking. Software DIGIPASS are software versions of DIGIPASS that provide authentication and Electronic Signature functions for Java-enabled mobile devices and web browsers. Provisioning is the process of safely delivering computer files containing JAVA programs (MIDlet) and data (Secrets and Security Applications) to the mobile devices or web browser.

For a detailed explanation of the different services/scenarios, please refer to the IDENTIKEY Appliance Product Guide.

SOAP Communication Protocol

Electronic Signatures and Provisioning are only supported by the SOAP communication protocol. SOAP setups require SSL, and a server certificate is required for the SSL connection.

To download a server certificate from the IDENTIKEY Appliance:

1. Log in to the Configuration Tool.
2. Select IDENTIKEY Authentication Server > SOAP Communicator.
3. Click on the disk icon (see image below) to download the certificate.

Tip: A self-signed or purchased certificate can be uploaded (see section 12 Secure Sockets Layer).

Image 62: Configuration Tool > IDENTIKEY Authentication Server > SOAP Communicator

13.3 Enabling Signing and Provisioning Services

Instructions for enabling IDENTIKEY Appliance services in the Configuration Tool have been presented in section 3.3 Enabling Services. Additionally, certain settings for Provisioning can also be configured in the Configuration Tool (see image below). For more information on the contents of this page, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

Image 63: Configuration Tool > IDENTIKEY Authentication Server > Scenarios

13.4 Configuring Signature and Provisioning Set Ups

Configuration for Electronic Signatures and Provisioning requires the use of the Software Development Kit. Explaining these configurations therefore falls outside the scope of this manual.

For instructions on the practical setup of Signing and Provisioning, please refer to the IDENTIKEY Authentication Server SDK Programmer's Guide.

14 How to set up Virtual DIGIPASS

Setting up the Virtual DIGIPASS requires the following steps:

- Import Virtual DIGIPASS records
- Set up the Message Delivery Component
- Edit the IDENTIKEY Authentication Server Policy
- Test the Virtual DIGIPASS
- Assign the Policy to the appropriate Client

For more information on Virtual DIGIPASS authentication, please refer to the IDENTIKEY Appliance Product Guide, Message Delivery Component section.

14.1 Importing Virtual DIGIPASS records

You will receive Primary Virtual DIGIPASS records in a .dpx file, with a DPX File Key, as you would receive with normal DIGIPASS records (see section 4.3 DIGIPASS Records and Assignment). Import them as you would normal DIGIPASS records.

Backup Virtual DIGIPASS do not have records of their own. Information on Backup Virtual DIGIPASS is contained in the record for the DIGIPASS which is being supplemented by the Backup Virtual DIGIPASS.

14.2 Setting up the Message Delivery Component

All the instructions described in this section need to be completed in the IDENTIKEY Appliance Configuration Tool.

The Message Delivery Component (MDC) is necessary to support Virtual DIGIPASS authentication. The MDC interfaces with a gateway service to send a One Time Password to a User's mobile phone, an e-mail address or via voice message. The MDC acts as a service, accepting messages from the IDENTIKEY Appliance which are then forwarded to an e-mail address or to a text message gateway via the HTTP/HTTPS protocol.

SMS Gateway Configuration

Since every gateway uses different submission parameters, certain settings are required, which can be configured through the IDENTIKEY Appliance Configuration Tool. Depending on the type of gateway server to use, different configurations are possible. The settings required are listed below.

To configure SMS gateway settings with an SMS server, you need to enter the following information in the IDENTIKEY Appliance Configuration Tool:

- Name: display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile
- Profile: actual name of the MDC profile
- Enabled: if selected, this gateway is enabled
- The URL to access the gateway server
- The user name and password for the gateway account
- The required query string
- The query method (GET or POST) required by the gateway

To configure SMS gateway settings with an SMPP server, you need to enter the following information in the IDENTIKEY Appliance Configuration Tool:

- Name: display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile
- Profile: actual name of the MDC profile
- Enabled: if selected, this gateway is enabled
- The URL to access the gateway server
- The port used to connect to the gateway
- The user name and password for the gateway account
- The SMPP system type
- The SMPP source address number and Numbering Plan Indicator (NPI)
- The SMPP destination address NPI

First contact your gateway provider for this information, and if you have any difficulties, please contact your supplier.

MDC for SMS gateway setup requires the following steps:

1. Select Authentication Server > Message Delivery Component in the IDENTIKEY Appliance Configuration Tool.
2. Enable the Message Delivery Component settings.
3. Select the type of server to be used by clicking Add SMS Server or Add SMPP Server.
4. Complete the fields for the selected server with the information gathered above.
5. Click Add to activate the settings.

Image 64: Message Delivery Component Screen

Result options which can be configured for MDC setup allow messages returned from the gateway to be modified. Modifications allow more user-friendly feedback to be forwarded to the auditing system. For information on how to configure result options, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

For more information on Auditing, please see section 21.4 Auditing and also refer to the Auditing section in the IDENTIKEY Appliance Product Guide. For more information on the fields available for MDC setup, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

E-mail Gateway Configuration

To configure e-mail gateway settings, you need to enter the following information in the IDENTIKEY Appliance Configuration Tool:

- Name: display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile
- Profile: actual name of the MDC profile
- Enabled: if selected, this gateway is enabled
- The URL to access the gateway server
- The SMTP relay host, port and connection security (No SSL/TLS, Use SSL or Use TLS). If SSL or TLS is used, a certificate is required, which needs to be retrieved from the Gateway. This needs to be uploaded in PEM format.
- SMTP authentication (optional)
- From address

MDC for e-mail gateway setup requires the following steps in the IDENTIKEY Appliance Configuration Tool:

1. Select Authentication Server > Message Delivery Component in the IDENTIKEY Appliance Configuration Tool.
2. Enable the Message Delivery Component settings.
3. Click the Add SMTP Server button.
4. Complete the fields with the necessary information.
5. Click Add to activate the settings.

Image 65: System > Settings screen

Voice Gateway Configuration

To configure voice gateway settings, you need to enter the following information in the IDENTIKEY Appliance Configuration Tool:

- Name: display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile
- Profile: actual name of the MDC profile
- Enabled: if selected, this gateway is enabled
- The URL to access the gateway server
- The user name and password for the gateway account
- The phone number prefix for the voice settings
- The required query string
- The query method (GET or POST) required by the gateway

MDC for voice gateway setup requires the following steps in the IDENTIKEY Appliance Configuration Tool:

1. Select Authentication Server > Message Delivery Component in the IDENTIKEY Appliance Configuration Tool.
2. Enable the Message Delivery Component settings.
3. Click the Add Voice Server button.
4. Complete the fields with the necessary information.
5. Click Add to activate the settings.

SMS/E-mail Message Configuration

To customize the message sent by the MDC, access the Message Settings screen. To do so, navigate to Authentication Server > Message Settings.

Image 66: Message Settings

To designate where the One Time Password appears in the message, use the variable [OTP].

Importing and Exporting Gateway Definitions

The IDENTIKEY Appliance Configuration Tool allows you to import and export gateway definitions. This allows you to upload a description file and easily apply gateway settings to the Message Delivery Component of different IDENTIKEY Appliance instances or to import gateway settings from IDENTIKEY Authentication Server to IDENTIKEY Appliance (and vice versa). The Import feature also makes it easier to apply gateway settings for supported third-party SMS gateway provider services.

To import a gateway definition:

1. Select Authentication Server > Message Delivery Component in the IDENTIKEY Appliance Configuration Tool.
2. Select the required delivery method.
3. Enable that delivery method by selecting the corresponding check box.
4. Click the Import gateway button.
5. Browse to the gateway description file and click the Import button.
6. Edit the newly imported file and check the imported details from the file.
7. Configure load-balancing, failover, and/or failback by specifying:
   a. the order in which the gateway definition appears on the gateway list; do so by dragging the gateway to the required position in the table in the overview screen.
   b. the Server Type (Primary or Backup) in the details screen of the relevant gateway.
8. Click the Apply button.
9. Click the OK button.

14.3 Editing an IDENTIKEY Appliance Policy

Policies can be edited to use a:

- Primary Virtual DIGIPASS
- Backup Virtual DIGIPASS
- or both

With a Backup Virtual DIGIPASS, restrictions are possible by time or number of uses. For guidance on implementing Virtual DIGIPASS and restrictions, please refer to the IDENTIKEY Appliance Product Guide, Virtual DIGIPASS section. You may need to read the policy information in the Product Guide before following these instructions.

Primary Virtual DIGIPASS

Set Up Policy

1. Open the Administration Web Interface.
2. Click on Policies -> List.
3. Select the policy in which you wish to enable the use of Virtual DIGIPASS.
4. Click on the Virtual DIGIPASS tab.
5. Click Edit.
6. Select a Virtual DIGIPASS Delivery Method: E-mail, SMS or Voice.
7. Select one of the following options as the Request Method:
   - Keyword: user enters the Request Keyword into the password field.
   - Password: user enters their static password only into the password field.
   - KeywordPassword: user enters the Request Keyword, followed by their static password, into the password field.
   - PasswordKeyword: user enters their static password, followed by the Request Keyword, into the password field.
   - KeywordOnly
   - None
8. If you have selected an option which includes the use of a Request Keyword, enter it in the PVDP Request Keyword field.
9. Click on Save.

Backup Virtual DIGIPASS

Permitted, Not Mandatory

- Open the Administration Web Interface.
- Click on Policies -> List.
- Select the Policy in which you wish to enable the use of Virtual DIGIPASS.
- Click Edit.
- Click on the Virtual DIGIPASS tab.
- Select a Virtual DIGIPASS Delivery Method: E-mail, SMS or Voice.
- Select Yes - Permitted from the Enable Backup VDP drop down list.
- If desired, enter a maximum number of uses. This will be calculated for each person using a Backup Virtual DIGIPASS.
- Click on Save.

Permitted, Not Mandatory, Time-Limited

- Open the Administration Web Interface.
- Click on Policies -> List.
- Select the policy in which you wish to enable the use of Virtual DIGIPASS.
- Click Edit.
- Click on the Virtual DIGIPASS tab.
- Select a Virtual DIGIPASS Delivery Method: E-mail, SMS or Voice.
- Select Yes - Time Limited from the Enable Backup VDP drop down list.
- Enter a time limit (in days) into the Time Limit field. At the end of this time period (calculated from their first use) the user will no longer be permitted to use a Backup Virtual DIGIPASS.
- If desired, enter a maximum number of uses. This will be calculated for each person using a Backup Virtual DIGIPASS.

Mandatory

- Open the Administration Web Interface.
- Click on Policies -> List.
- Select the Policy in which you wish to enable the use of Virtual DIGIPASS.
- Click Edit.
- Click on the Virtual DIGIPASS tab.
- Select a Virtual DIGIPASS Delivery Method: E-mail, SMS or Voice.
- Select Yes - Required from the Enable Backup VDP drop down list.
- If desired, enter a maximum number of uses. This will be calculated for each person using a Backup Virtual DIGIPASS.
- Click on Save.

Backup Virtual DIGIPASS may also be enabled for individual users, via each DIGIPASS record. Settings in the user record overrule equivalent policy settings.

Test Virtual DIGIPASS

Primary Virtual DIGIPASS

To test a Primary Virtual DIGIPASS:

1. Open the Administration Web Interface.
2. Click on DIGIPASS -> List.
3. Click on the Virtual DIGIPASS to be tested.
4. From the Application Type tab click on the Test VDP button.
5. Select a Virtual DIGIPASS Delivery Method , SMS or Voice.
6. Enter the Mobile Phone Number or Address to which the OTP should be sent.
7. Click on Generate. The Administration Web Interface will attempt to send an OTP to the Message Delivery Component, which will attempt to forward it to the configured SMS Gateway or mail server. The success or failure of these attempts will be displayed.
8. If the OTP was received by the requested method, enter it into the OTP field and click on Verify. The success or failure of the verification attempt will be displayed.

Backup Virtual DIGIPASS

To test a Backup Virtual DIGIPASS:

1. Open the Administration Web Interface.
2. Click on DIGIPASS -> List.
3. Click on the DIGIPASS belonging to the Backup Virtual DIGIPASS to be tested.
4. From the Application Type tab click on the Test BVDP button.
5. Select a Virtual DIGIPASS Delivery Method , SMS or Voice.
6. Enter the Mobile Phone Number or Address to which the OTP should be sent.
7. Click on Generate. The Administration Web Interface will attempt to send an OTP to the Message Delivery Component, which will attempt to forward it to the configured SMS Gateway, , or voice server. The success or failure of these attempts will be displayed.
8. If the OTP was received by the requested method, enter it into the OTP field and click on Verify. The success or failure of the verification attempt will be displayed.

14.5 Assigning the Policy to a Client for using Virtual DIGIPASS

1. Open the Administration Web Interface.
2. Click on Client -> List.
3. Select the Client for which you wish to enable the use of Virtual DIGIPASS.
4. Click on Edit.
5. Select from the drop down list the Policy for which you have enabled Virtual DIGIPASS.
6. Click on Save.

Tip: See also section 4.1 Client Records on creating a new client component.

15 Reporting

IDENTIKEY Appliance provides a wide range of reporting options, with low-level control of aspects including desired fields, runtime query options, permissions, templates and scheduling. You can use either pre-defined standard reports, which can be edited, or you can create your own customized reports. Reports are managed from the Administration Web Interface.

For more information on reports, see the IDENTIKEY Appliance Product Guide.

15.1 Other Reporting Tasks

You can use the Administration Web Interface to view, edit, define, delete or run existing reports. A Report Definition Wizard simplifies the task of creating new custom reports.

Viewing Reports

To view a list of existing reports, mouse-over the REPORTS tab in the Administration Web Interface and select LIST from the

A full list of available reports is displayed. To view details of a single report, click on the Report Name. The Report Definition page is displayed, with details including: Domain Name, Report Type, Grouping Level, Data Source and Time Frequency. From this page you can Edit, Run or Delete the report by clicking the appropriate button. See below for more detail on these operations.

Additional report details can be viewed by clicking the tabs for Fields, Queries, Permissions and Templates. For more information on these features, see below, Creating Reports with the Report Definition Wizard.

Viewing Finished Reports

If you choose to run a report immediately, you can view the finished PDF or HTML report by clicking the link in the Summary tab window. If you have scheduled a report to run at a later time, you can view the finished report by clicking on the Servers tab and selecting Retrieve Reports.

Note: There is a known issue with downloading PDF reports via https in Microsoft Internet Explorer 7 and 8. For troubleshooting details see PDF Download.

Running Reports

To run an existing report:

1. Start running a report by either of the following methods:

   - Open a report for viewing (as above) and click the Run button.
   - Mouse over the REPORTS tab and click Run report, select the desired report from the displayed list, and click Next.
2. The Report Settings tab is displayed. Choose the Template to use (HTML, PDF or XML) and specify the Time Period for the report. Click Next.
3. The Runtime Queries tab is displayed. Define the query required (if any) and click Next.
4. The Schedule Task tab is displayed. You can run the report immediately, or enter details to run a scheduled report in the background. Only PDF reports can be run from the background. Click Next.
5. The Finish tab displays any confirmation or error messages. If you chose to run the report immediately, you can click Open to view the report. Otherwise click Finish to close.

Changing Report Owners

By default, the report owner is the user who created that report. To assign a report to another owner:

1. Locate the desired report from the list of available reports in the Administration Web Interface, and click on the Report Name.
2. Click on the Permissions tab, then click the Change Owner button.
3. The Change Report Owner window is displayed, with three tabs:
   - In the Search tab, enter available information (e.g. Organizational Unit, Account Status, etc.) and click Search.
   - The Select User tab shows a list of users whose data matched your search criteria. Select the desired user and click Change Owner.
   - The Finish tab verifies the change you wish to make. Click Finish to apply the change.

Creating Reports with the Report Definition Wizard

If standard IDENTIKEY Appliance reports do not meet your requirements, you can either edit an existing report or create a new custom report using the Report Definition Wizard in the Administration Web Interface.

The Report Definition Wizard guides you through the following series of information tabs:

- Describe Report
- Options
- Define Fields
- Define Query
- Query Overview
- Permissions
- Templates
- Finish

At any time, you can click Cancel to cancel all settings and leave the wizard, or click Help for context-sensitive assistance.

To run the Report Definition Wizard:

1. Mouse over the Reports tab, then click Define Report on the drop down menu.
2. The Describe Report tab is displayed.
   - Enter a Report Name. The name must be unique. You can use up to 60 characters.
   - Select the Type of report from the list provided.
   - Enter a Report description. This should explain what the report contains, and what it is to be used for.
   - Click Next to continue.
3. The Options tab is displayed.
   - Select the Grouping Level from the drop down list. This will define the way in which data is grouped on the report.
   - Select the Data Source from the
   - Click Next to continue.
4. If you are creating a Detailed Analysis or List Analysis report, and you selected audit data for the Data Source, then the Define Fields tab is displayed. (If not, the Define Query tab is shown, in which case you can ignore this step.)
   - If you do not want to create a field-level filter, simply click Next. All field data will be included by default.
   - To create a field-level filter, enter a Display Name and select a Field Name from the available
   - Then select the Operation you wish to perform on the chosen field and click the Create button.
   - Repeat the above step to create further field data filters if required. When you are done, click Next.
5. The Define Query tab is displayed.
   - To define a query, enter a Query name, select the required Field, and choose a Condition from the drop down list. Some conditions (e.g. isblank) do not require an entry in the Value field. Any entry in the Value field for these conditions will be ignored. Time values can be expressed in text (e.g. "last six months").
   - When you are done, click the Add New button.
   - Repeat this step to create additional query filters if required. You can only specify one data field per query, so if you want to specify more than one field you must define more than one query.
   - When you are finished, click Next.
6. The Define New Query tab displays a list of queries that were entered on the previous tab. To view details of a query, click on the query name. When you have finished reviewing query details, click Next.
7. The Permissions tab is displayed. Specify who can alter and run the report by selecting the appropriate Usage Permissions and Update Permissions. Note that the owner is the person who created the report (unless re-assigned). Click Next to continue.
8. The Templates tab is displayed. If you do not want to use the default XML or PDF templates (this option is selected by default) then provide a new Template Name and browse to the location of the Template Definition file. Click Save to continue.
9. The Finish tab displays a summary of report information. Any confirmation or error messages are shown on this page. Click Finish to close the Report Definition Wizard.

You should now be able to see your new report when you view the available report list.

Editing Reports

To edit a report:

1. Mouse-over the REPORTS tab in the Administration Web Interface and select LIST from the
2. A full list of available reports is displayed. Click on the desired Report Name.
3. The Report Definition tab is displayed. If you wish to edit the information on this tab, click the Edit button. Fields in the Report Definition tab will become available for editing.
4. Alternatively, if you wish to edit field, query, permissions or template data, click on the appropriate tab and then click Edit.
5. When you have finished editing data in each tab, click Save.

For further information on editable fields, see Creating Reports with the Report Definition Wizard.

Deleting Reports

To delete an existing report:

1. Mouse-over the REPORTS tab in the Administration Web Interface and select LIST from the
2. A full list of available reports is displayed. Either:
   - Select the check box beside the report and click the Delete button at the bottom of the page, or
   - Click on the desired Report Name and then click the Delete button.
3. A confirmation window pops up. Click OK to delete the report.

Customizing PDF and HTML Reports

You can produce customized IDENTIKEY Appliance reports with your own logo, header, and footer design. To do this, you must:

1. Follow the instructions below to create a template in either:
   - XML (for PDF reports) or
   - XSLT (for HTML reports).
2. Use the Administration Web Interface to upload the custom report template and link it to an IDENTIKEY Appliance report.

The custom template will be linked with that report thereafter. It can also be linked with other reports. If you delete a custom template, the associated report(s) will revert to the default IDENTIKEY Appliance template.

The following diagram shows how IDENTIKEY Appliance report data is transformed into a finished report.

Image 67: Customized report dataflow

Custom PDF Report Templates

Custom PDF report templates are defined in XML. To create a custom PDF report template, open a text editor (or code editor) and create a new file, formatted like the example shown below.

    <VASCO>
      <PDFTemplate>
        <content>
          <image src="c:\pictures\blah.jpg"/>
          <header align="left">my left-aligned header</header>
          <footer align="right">my right-aligned footer</footer>
        </content>
        <layout>
          <orientation>portrait</orientation>
          <paper-size>a4</paper-size>
        </layout>
      </PDFTemplate>
    </VASCO>

The src attribute of the image tag specifies the location of a header image, and should be an absolute file path.

The align attribute defines the alignment of the headers and footers. Possible values for this attribute are:

- left
- center
- right

The orientation tag defines the PDF report's orientation, and has two possible values:

- Portrait
- Landscape

The paper-size tag defines the size of the PDF report when printed. The following table lists the different paper sizes per value:

    Value        Paper Size (in pts)
    A0           2380x3368
    A1           1684x2380
    A2           1190x1684
    A3           842x1190
    A4           595x842
    A5           421x595
    A6           297x421
    Letter       612x792
    Broadsheet   1296x1584
    Ledger       1224x792
    Tabloid      792x1224
    Executive    522x756

XSLT Templates for HTML Reports

The structure of an XSLT template is considerably more complex than XML. To view the formatting structure, see the default XSLT files that are installed with IDENTIKEY Appliance. Each default report provided by IDENTIKEY Appliance has a corresponding XSLT script for producing HTML output.

To view the corresponding XSLT script of a report:

1. Click on the REPORTS tab in the Administration Web Interface and select LIST from the
2. Click on the desired report to open it.
3. Click on the Template tab.

4. Click the HTML link. Doing so will open the XSLT template for that report.

Linking a custom template to a report

Once you have created a custom template, you can link it to a report as follows:

1. Click on the REPORTS tab in the Administration Web Interface and select LIST from the
2. Click on the desired report to open it.
3. Click on the Template tab.
4. Click Edit. Doing so will provide new options.
5. Click Choose File and locate the new XML or XSLT template file (as created above).
6. Enter a Template Name and click the Upload button.
7. The new template will be uploaded and associated with that report.

Report Retrieval

Only reports created in PDF format can be retrieved via the Administration Web Interface. To retrieve a PDF report:

1. Click on the System tab and select Report Retrieval from the
2. This page may be used in two ways:
   a. To Delete, Change Ownership or Take Ownership of one or more reports from this page, select the desired report or reports and click on the appropriate button.
   b. Click on the report name to go to the Manage Reportfile page from where you can Delete, Change Ownership, Take Ownership or Download a report.
3. If the Download option is selected, you may either Open the report immediately, or save the report to a specified location.

See the help in the Administration Web Interface for information on how to Change Ownership or Take Ownership of a report.
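A pre-upload check for the custom PDF report templates described under Custom PDF Report Templates, as an added example that is not part of the guide or of IDENTIKEY Appliance. It assumes that values are matched case-insensitively (the guide's sample uses "portrait" and "a4"), that image, header, footer and the align attribute are optional, and it refuses DOCTYPE declarations as hardening of its own.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Paper sizes in points, copied from the guide's table (keys lower-cased).
PAPER_SIZES_PT = {
    "a0": (2380, 3368), "a1": (1684, 2380), "a2": (1190, 1684),
    "a3": (842, 1190), "a4": (595, 842), "a5": (421, 595),
    "a6": (297, 421), "letter": (612, 792), "broadsheet": (1296, 1584),
    "ledger": (1224, 792), "tabloid": (792, 1224), "executive": (522, 756),
}
ALIGN_VALUES = {"left", "center", "right"}
ORIENTATIONS = {"portrait", "landscape"}

# The guide's own sample template.
GUIDE_EXAMPLE = r"""<VASCO><PDFTemplate>
  <content>
    <image src="c:\pictures\blah.jpg"/>
    <header align="left">my left-aligned header</header>
    <footer align="right">my right-aligned footer</footer>
  </content>
  <layout><orientation>portrait</orientation><paper-size>a4</paper-size></layout>
</PDFTemplate></VASCO>"""

# Constructed sample with four deliberate mistakes.
BROKEN_EXAMPLE = """<VASCO><PDFTemplate>
  <content>
    <image src="pictures/logo.jpg"/>
    <header align="middle">header</header>
    <footer align="right">footer</footer>
  </content>
  <layout><orientation>sideways</orientation><paper-size>b5</paper-size></layout>
</PDFTemplate></VASCO>"""


def is_absolute_path(path):
    """True for an absolute Windows or POSIX file path."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def validate_pdf_template(xml_text):
    """Return (errors, page_size_pt); page_size_pt is None when unknown."""
    # Added hardening (assumption): a template needs no DTD, so refuse one
    # before the text ever reaches an XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DOCTYPE and ENTITY declarations are not accepted"], None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], None
    template = root.find("PDFTemplate") if root.tag == "VASCO" else None
    if template is None:
        return ["expected <VASCO><PDFTemplate>...</PDFTemplate></VASCO>"], None

    errors = []
    content = template.find("content")
    if content is None:
        errors.append("missing <content>")
    else:
        image = content.find("image")
        if image is not None and not is_absolute_path(image.get("src", "")):
            errors.append("image src must be an absolute file path")
        for tag in ("header", "footer"):
            for element in content.findall(tag):
                align = element.get("align")
                if align is not None and align.lower() not in ALIGN_VALUES:
                    errors.append(f"{tag} align={align!r} is not left, center or right")

    page_size = None
    layout = template.find("layout")
    if layout is None:
        errors.append("missing <layout>")
    else:
        orientation = (layout.findtext("orientation") or "").strip().lower()
        if orientation not in ORIENTATIONS:
            errors.append(f"orientation {orientation!r} is not portrait or landscape")
        paper = (layout.findtext("paper-size") or "").strip().lower()
        page_size = PAPER_SIZES_PT.get(paper)
        if page_size is None:
            errors.append(f"paper-size {paper!r} is not in the guide's table")
    return errors, page_size


if __name__ == "__main__":
    for label, text in (("guide", GUIDE_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        print(label, validate_pdf_template(text))
```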

16 Create Custom Report Definition

In this section, we explain the steps required to create a custom report definition. Before attempting to create a custom report definition, we recommend that you read the Reporting section of the IDENTIKEY Appliance Product Guide.

1. Open the Administration Web Interface.
2. Click on the Reports tab and select Define report from the drop-down list.
3. Type a name for the report definition.
4. Select the type of report definition required:
   - List Analysis Report: a list of all items that match the criteria specified in the report definition
   - Detailed Analysis Report: detail of selected events
   - Distribution Analysis Report: counts of events and/or objects
   - Trend Analysis Report: trends in event or object numbers over a specified period of time
5. Enter a description for the report definition, something which will help you and/or other administrators know what data will be found in the report.
6. Select a grouping level:
   - Client: connections requested and/or approved by machines with Client Component records. Data from Audit sources only.
   - Domain: DIGIPASS and DIGIPASS User information. Data from data store (e.g. list of DIGIPASS Users by Domain) or Audit sources (e.g. rejected authentication requests).
   - Organizational Unit: DIGIPASS and DIGIPASS User information. Data from data store (e.g. list of DIGIPASS Users by Organizational Unit) or Audit sources (e.g. rejected authentication requests).
   - User: DIGIPASS and DIGIPASS User information. Data from data store (e.g. list of DIGIPASS Users with DIGIPASS assigned) or Audit sources (e.g. rejected authentication requests).
   - DIGIPASS: DIGIPASS information. Data from data store (e.g. list of unassigned DIGIPASS) or Audit sources.
7. Click on Next.
8. Enter a name for the new query.
9. Click on Add New.
10. Select the name of a field, the condition, and the value on which to filter.

    Example: To report on rejected authentication requests, select Audit:Code from the Field drop down list, select Equals from the Condition drop down list, and enter I in the Value field.
11. Click on Next.
12. If desired, add more queries.
13. Click on Next.
14. Select Usage and Update permissions.
    - Usage permissions control which administrators may view a report.
    - Update permissions control which administrators may modify a report definition.
15. Click on Next.
16. To use the standard XML template, select the Use the default XML template only option button. Or, to use a custom template, select the Add new template in addition to default XML template option button and enter the location of the template and a name to use in referring to it.
17. Click on Save.
18. Click on Finish.

17 Configuring RADIUS setups

17.1 Overview

In this section we describe how to configure three example RADIUS setups:

- a stand-alone IDENTIKEY Appliance in a RADIUS environment
- an IDENTIKEY Appliance as a RADIUS Proxy Target
- an IDENTIKEY Appliance as an intermediate Server

For more information on RADIUS setups, please refer to the IDENTIKEY Appliance Product Guide, 'RADIUS Environments' section.

17.2 How to Set Up a Stand-Alone IDENTIKEY Appliance in RADIUS Environment

A typical setup has been explained in section 7 A Typical RADIUS Setup.

17.3 How to Set Up IDENTIKEY Appliance as RADIUS Proxy Target

Image 68: IDENTIKEY Appliance as RADIUS Proxy Target

You may wish to use this topology if:

- The RADIUS server supports the proxying of authentication while returning attributes itself.
- The RADIUS server can forward the authentication request using one of the supported password protocols: PAP, CHAP, MS-CHAPv1, MS-CHAPv2.
- The RADIUS server supports an Access-Challenge response from IDENTIKEY Appliance, if required. The Access-Challenge mechanism is used for Challenge/Response and Virtual DIGIPASS, although it is still possible to use Virtual DIGIPASS without that mechanism.

If the RADIUS server is capable, this scenario allows IDENTIKEY Appliance to operate in an environment that uses certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the user credentials into a simpler protocol before forwarding the request to IDENTIKEY Appliance.

Information required

- IP address of the RADIUS server
- Shared secret used by the RADIUS server

Instructions

Administration Web Interface

The RADIUS Server (see image above) needs to be registered as a RADIUS Client on the IDENTIKEY Authentication Server Administration Web Interface.

1. Click on Clients -> Register.
2. Enter this data:
   - Client Type: Select RADIUS Client
   - Location: Enter the IP address of the RADIUS server
   - Policy ID: Select the policy you want to use
   - Protocol ID: Select RADIUS
   - Shared Secret: Enter the shared secret used by the RADIUS server
3. Click on Create.

Tip: Please see also section 4.1 Client Records.

RADIUS Server Configuration as a RADIUS Client to the IDENTIKEY Appliance

Configure your RADIUS server to send authentication requests to the IDENTIKEY Appliance (the IP/port of the RADIUS communicator can be found in the Configuration Tool > IDENTIKEY Authentication Server > RADIUS Communicator).

17.4 How to Set Up as Intermediate Server

Setting up IDENTIKEY Appliance as an intermediate server follows the same procedure as explained in the previous section, with a RADIUS back-end server for authentication, as explained in Section 10 Back-End Authentication.

17.5 How To Integrate Wireless Networking with IDENTIKEY Appliance

This how-to will guide you through integrating IDENTIKEY Appliance with a wireless network. See the Wireless RADIUS section of the IDENTIKEY Appliance Product Guide for an explanation of the features to be used here.

Image 69: Wireless setup

Configure Wireless Access Point

Configure each Wireless Access Point to use settings as explained in the table below.

Table 3: Wireless settings

    Setting                Value
    Encryption protocol    WPA Enterprise or WPA2 Enterprise
    Encryption algorithm   AES
    RADIUS protocol        One of the supported EAP or PEAP protocols:
                           EAP-TTLSv0/PAP
                           EAP-TTLSv0/CHAP
                           EAP-TTLSv0/MS-CHAP
                           EAP-TTLSv0/MS-CHAPv2
                           EAP-TTLSv0/EAP-MS-CHAPv2
                           EAP-TTLSv0/EAP-GTC
                           PEAPv0/EAP-MS-CHAPv2
                           PEAPv0/EAP-GTC
                           PEAPv1/EAP-MS-CHAPv2
                           PEAPv1/EAP-GTC
    RADIUS server          Enter the IP address and the RADIUS port (default 1812) for the IDENTIKEY Appliance.
    Shared Secret          A passphrase used to authenticate the RADIUS Client and IDENTIKEY Appliance to each other.

Caution: VASCO does not recommend the use of the TKIP encryption algorithm on wireless networks due to inherent security issues.

If your Wireless Access Point does not support wireless session settings from the configured RADIUS server, change the default reauthperiod configuration setting to the required period before a Fast Reconnect should be attempted. One hour is the recommended period.

Configure Supplicant

Where possible, configure the supplicant to request authentication details for every full authentication. If this is not configured, each automatic full reconnection attempt (not fast reconnect) will cause a failed authentication.

Configure IDENTIKEY Appliance

Policy record

Copy the Identikey Local Authentication Policy record, and make the setting changes in the table below in the RADIUS tab for the new Policy.

Table 4: Changes for the Policy

    Setting               Value
    Supported protocols   Secure

Component record

Create a Component record for each Wireless Access Point using the settings in the table below.

Table 5: Component Record Settings

    Setting          Value
    Component Type   RADIUS Client
    Location         <IP address of the Wireless Access Point>
    Protocol         RADIUS
    Shared Secret    <as entered in the Wireless Access Point configuration>
    Policy           If this is the only Wireless Access Point in use, link to the Policy created above.
                     If this will NOT be the only Wireless Access Point in use, see section Multiple Wireless Access Points.

Multiple Wireless Access Points

If multiple Wireless Access Points are in use, you have the option of allowing roaming connections between Wireless Access Points. The ability of a supplicant to perform a Fast Reconnect with IDENTIKEY Appliance, and roam between Wireless Access Points, depends on two factors:

- SSID: If a Wireless Access Point's SSID is identical to that of the Wireless Access Point with which the current Session was created, the supplicant will be able to attempt a Fast Reconnect.
- Policy: If the Component record for the Wireless Access Point passing on a Fast Reconnect request has the same Policy record as the Component record for the Wireless Access Point with which the current Session was created, IDENTIKEY Appliance will process the Fast Reconnect request.

No Roaming Wireless Connections

Having no roaming wireless connections means that a User will be required to perform a full authentication if moving to a new Wireless Access Point. To configure the system this way, set each Wireless Access Point's SSID to a different value.

Allow Roaming Wireless Connections

SSID

Where roaming connections will be in use, assign the same SSID to all Wireless Access Points in each zone.

Image 70: Roaming Wireless Setup

Policy Records

- Roaming connections, one zone: Create one Policy record only.
- Roaming connections, multiple zones: Create a Policy record with the required settings, and copy it to new Policy records until you have the same number of Policies as roaming zones needed.

Component Records

- Roaming connections, one zone: Link all Component records to the Policy created earlier.

- Roaming connections, multiple zones: Assign each Policy to a wireless roaming zone. Component records for each Wireless Access Point in a roaming zone should be assigned to the same Policy.

Image 71: Component Records and Roaming Wireless Setup
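An audit of a planned wireless deployment against the settings in Table 3 and the two Fast Reconnect conditions (same SSID, same Policy) described above; this is an added example, not part of the guide or the appliance. The AccessPoint inventory format, the finding codes and the sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Allowed values, taken from the guide's Table 3 (wireless settings).
ENCRYPTION_PROTOCOLS = {"WPA Enterprise", "WPA2 Enterprise"}
ENCRYPTION_ALGORITHM = "AES"
RADIUS_PROTOCOLS = {
    "EAP-TTLSv0/PAP", "EAP-TTLSv0/CHAP", "EAP-TTLSv0/MS-CHAP",
    "EAP-TTLSv0/MS-CHAPv2", "EAP-TTLSv0/EAP-MS-CHAPv2", "EAP-TTLSv0/EAP-GTC",
    "PEAPv0/EAP-MS-CHAPv2", "PEAPv0/EAP-GTC",
    "PEAPv1/EAP-MS-CHAPv2", "PEAPv1/EAP-GTC",
}


@dataclass(frozen=True)
class AccessPoint:
    name: str                  # hypothetical inventory label
    ssid: str
    policy: str                # Policy linked from the AP's Component record
    encryption_protocol: str
    encryption_algorithm: str
    radius_protocol: str


def can_fast_reconnect(session_ap, new_ap):
    """Both conditions from the guide: identical SSID and identical Policy."""
    return session_ap.ssid == new_ap.ssid and session_ap.policy == new_ap.policy


def roaming_zones(aps):
    """Group APs into the sets between which a Fast Reconnect can succeed."""
    zones = defaultdict(list)
    for ap in aps:
        zones[(ap.ssid, ap.policy)].append(ap.name)
    return dict(zones)


def audit(aps):
    """Return (subject, finding-code) tuples for every deviation found."""
    findings = []
    policies_by_ssid = defaultdict(set)
    for ap in aps:
        policies_by_ssid[ap.ssid].add(ap.policy)
        if ap.encryption_protocol not in ENCRYPTION_PROTOCOLS:
            findings.append((ap.name, "encryption-protocol"))
        if ap.encryption_algorithm != ENCRYPTION_ALGORITHM:
            # Covers TKIP, which the guide's Caution advises against.
            findings.append((ap.name, "encryption-algorithm"))
        if ap.radius_protocol not in RADIUS_PROTOCOLS:
            findings.append((ap.name, "radius-protocol"))
    # One SSID linked to several Policies: supplicants attempt a Fast
    # Reconnect across those APs, but only part of the zone shares a Policy.
    for ssid in sorted(policies_by_ssid):
        if len(policies_by_ssid[ssid]) > 1:
            findings.append((ssid, "ssid-policy-mismatch"))
    return findings


# Constructed sample inventory (names, SSIDs and Policy IDs are made up).
SAMPLE_APS = [
    AccessPoint("ap1", "corp", "Wireless-Zone-A", "WPA2 Enterprise", "AES",
                "PEAPv0/EAP-MS-CHAPv2"),
    AccessPoint("ap2", "corp", "Wireless-Zone-A", "WPA2 Enterprise", "AES",
                "PEAPv0/EAP-MS-CHAPv2"),
    AccessPoint("ap3", "corp", "Wireless-Zone-B", "WPA2 Enterprise", "TKIP",
                "EAP-TTLSv0/PAP"),
    AccessPoint("ap4", "lab", "Wireless-Zone-B", "WPA2 Personal", "AES",
                "EAP-TLS"),
]

if __name__ == "__main__":
    for subject, code in audit(SAMPLE_APS):
        print(f"{subject}: {code}")
    print(roaming_zones(SAMPLE_APS))
```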

17.6 How to Customize the RADIUS Attributes Dictionary

A RADIUS attributes dictionary is available for use with IDENTIKEY Appliance, for assigning RADIUS attributes to Users and groups of Users. A default dictionary is supplied, but this may be replaced with a custom dictionary. Attributes may be added, modified or removed by editing the file.

Uploading a Custom Dictionary

To upload a custom dictionary:

1. In the IDENTIKEY Appliance Configuration Tool navigate to Authentication Server > Radius Communicator and enable the RADIUS Communicator by selecting the corresponding check box.
2. Browse to and upload the custom dictionary.
3. Click on Save to finish.

Image 72: Uploading a custom dictionary

Note: The default dictionary remains available for download even after uploading a custom dictionary.

See the IDENTIKEY Appliance Reference Guide for details of the format for custom dictionaries.

18 IDENTIKEY Authentication Server Discovery with Windows Logon

18.1 Overview

IDENTIKEY Authentication Server Discovery is a feature which allows DIGIPASS Authentication for Windows Logon clients to find an IDENTIKEY Authentication Server by querying a DNS Server. In order for IDENTIKEY Authentication Server Discovery to work, these conditions must exist:

- The DIGIPASS Windows Logon client must have IDENTIKEY Authentication Server Discovery enabled. Information on how to activate this is available in the DIGIPASS Windows Logon Guides, provided on the CDROM delivered with the IDENTIKEY Authentication Server.
- An SRV record for the IDENTIKEY Authentication Server(s) must exist on the DNS Server to be queried. See section 18.2 Register IDENTIKEY Appliance with DNS Server for more information.
- Windows Logon must be enabled both in the IDENTIKEY Authentication Server's License Key and in its Authentication Scenario. For information on licensing, please refer to the IDENTIKEY Appliance Product Guide, Licensing section.

18.2 Register IDENTIKEY Appliance with DNS Server

An SRV record may be created on the DNS Server using the DNS Registration option in the IDENTIKEY Authentication Server Configuration. See 18.3 Server Discovery Section below for instructions.

Note: If an IDENTIKEY Authentication Server will be available to client machines in other trusted Active Directory domains, an SRV record must be manually created on the DNS server(s) that services the client domain.

18.3 Server Discovery Section

This section allows you to register the IDENTIKEY Authentication Server with a DNS server. This allows DIGIPASS Windows Logon clients to discover a local IDENTIKEY Authentication Server. The following two DNS service registration options are available:

Authentication Type set to None

For DNS Service Registration with a DNS server supporting dynamic DNS anonymously, Authentication Type needs to be set to None (see image below). Use this method if your DNS Server(s) do not require authentication or SSL in order to add SRV records.

1. Select the DNS service registration with a DNS server supporting Dynamic DNS option.
2. Enter the name of the DNS domain.
3. Select the priority for connections to the IDENTIKEY Authentication Server: Primary server or Backup server.

Image 73: Configuration Tool > IDENTIKEY Authentication Server > Server Discovery

Authentication Type set to TSIG

For DNS Service Registration with a DNS server supporting dynamic DNS with TSIG authentication, Authentication Type needs to be set to TSIG (see image below). This service registration method utilizes a shared key file which is shared between IDENTIKEY Authentication Server, the DNS, and the application. Transactions are signed using the shared key file.

Use this method if your DNS Server(s) are configured to accept TSIG-authenticated changes only:

1. Select the DNS service registration with a DNS server supporting Dynamic DNS with TSIG authentication option.
2. Enter the full path and file name for the shared key file.
3. Enter the name of the DNS domain.
4. Select the priority for connections to the IDENTIKEY Authentication Server: Primary server or Backup server.

Image 74: Configuration Tool > IDENTIKEY Authentication Server > Server Discovery

Caution: Active Directory DNS Server does not support Dynamic DNS with TSIG authentication: the anonymous option must be used. For instructions on how to configure this, please refer to the Active Directory documentation.

Note: If two or more IDENTIKEY Authentication Servers are registered with the DNS server and given the same priority, the first available SRV record will be the one used by the DIGIPASS Windows Logon Client.

19 Test Policy Settings

In this section we provide instructions to test policy settings using a RADIUS Simulator for:

- Local and Back-End authentication
- DIGIPASS assignment options

To complete these tests, you will need to:

1. Download the RADIUS Simulator from the CDROM delivered with your IDENTIKEY Appliance.
2. Install the RADIUS Simulator on a client machine, which you will use with the IDENTIKEY Appliance to create and configure settings, and test them.

At various points in the process, test logins are recommended to ensure that the previous steps have not caused unexpected problems. This also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred.

The following steps illustrate the basic testing procedure:

1. Test direct logins to IDENTIKEY Appliance.
2. Test Back-End Authentication via IDENTIKEY Appliance.
3. Test management features.

The following configurations are necessary before testing is possible:

- Create a User account, as explained in section 4.2 User Records.
- DEMO DIGIPASS records need to be imported and assigned to the account, as explained in section 4.3 DIGIPASS Records and Assignment. The DEMO DIGIPASS dpx files can be found on the CDROM provided with delivery of your IDENTIKEY Appliance.
- A RADIUS Client Component needs to be registered on the IDENTIKEY Appliance, as explained in section 4.1 Client Records.
- A test Policy needs to be created, as follows:
  1. Open the Administration Web Interface.
  2. Click on Policies -> Create.
  3. Enter the required information:
     a. Policy ID: Test
     b. Inherits from: Policy Local Authentication
  4. Enter a description if desired.
  5. Click on Create.

Modifying the Test Policy

Each scenario will require modification of the Test Policy created following the instructions above. To edit the Test Policy:

1. Open the IDENTIKEY Authentication Server Administration Web Interface.
2. Click on Policies > List.
3. Find and click on the Test Policy.
4. Click on the required tab:
   - Local Authentication and Back-End Authentication settings can be found under the Policy tab.
   - Dynamic User Registration, Password Autolearn and Stored Password Proxy settings can be found under the User tab.
   - Application Type, Assignment Mode, Grace Period, Serial Number Separator and Search Upwards in Org. Unit Hierarchy settings can be found under the DIGIPASS tab.
   - Challenge/Response settings can be found under the Challenge tab.
5. Click on Edit.
6. Make the required changes.
7. Click on Save.

Testing a Login via the RADIUS Client Simulator

In each scenario, you will need to attempt a login, using the RADIUS Client Simulator. Once it is configured correctly, simply follow the directions below to try a login:

1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
2. Enter the User ID for the User account you are using for test logins in the User ID field.
3. Enter the password for the User account and (if required) an OTP from the DIGIPASS in the Password field.
4. Click on the Login button.
5. The Status information field will indicate the success or failure of your login.

19.1 Test Local Authentication

This topic covers testing logins handled by the IDENTIKEY Appliance, with no back-end authentication enabled. Three login methods will be covered:
- Static password (does not require a DIGIPASS)
- Response Only (requires a DIGIPASS with a Response Only application)
- Challenge/Response (requires a DIGIPASS with a Challenge/Response application)

Static Password

Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to DIGIPASS/Password.
- Set Back-End Auth. to None.
- Set Password Autolearn to Yes.

Check Grace Period
Check the record for the DIGIPASS being used for testing. The grace period should be set for a time in the future. If it is not, the static password login will fail.

Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and static stored password.

Response Only

Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Response Only.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.

Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the OTP from your DIGIPASS.

Challenge/Response

Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Challenge/Response.
- Set 2-step Challenge/Response Request Method to Keyword.
- Set Keyword to 2StepCR.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.

Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the keyword (2StepCR). Enter the Challenge provided by the RCS into your DIGIPASS. Enter the same DIGIPASS User ID and the Response provided by your DIGIPASS.

19.2 Test RADIUS Back-End Authentication

In this topic, you will be guided through configuring the IDENTIKEY Appliance to use a RADIUS Back-End Server, and testing Back-End Authentication using that Back-End Server.

Set up Back-End RADIUS Server

There are some steps you will need to follow in order to set up the RADIUS Server to be used for Back-End Authentication.

Requirements
To complete the recommended steps, you will need:
- An installed RADIUS Server.
- An administrator login for the RADIUS server.

Create RADIUS Client records
Create a RADIUS Client record within the RADIUS Server for the machine on which the RADIUS Client Simulator will be running and the machine on which the IDENTIKEY Appliance is installed. Without this RADIUS Client record, requests from the RADIUS Client Simulator will be rejected.
You will also need to create a RADIUS Client record for the machine on which the IDENTIKEY Authentication Server is running. Without this RADIUS Client record, proxied requests from the IDENTIKEY Authentication Server will be rejected.

Create a User account
Create a User account in the RADIUS Server, or identify an existing account that can be used if preferred. Make sure this account has the necessary permissions so that a RADIUS Access-Request from both the RADIUS Client Simulator and from the IDENTIKEY Appliance will be accepted (given the correct password of course). Also make sure this account has some RADIUS reply attributes.

Enable Tracing
Depending on the RADIUS Server product, some facilities will be available for tracing. This may be referred to as logging or debugging instead. If this is enabled, it will help to find out what is happening if the observed behavior is not as expected.

Test Direct Login to RADIUS Server

Once the RADIUS Server has been set up, attempt a direct login using the RADIUS Client Simulator and the User account created for testing.
1. Open the RADIUS Client Simulator.
2. Enter the IP address of the RADIUS Server.
3. Enter Authentication and Accounting port numbers if they vary from the default.
4. Enter the Shared Secret you entered for the RADIUS Client created earlier.
5. Select a protocol to use.
6. Click on any port icon to attempt a login.
7. Enter the User ID and password and click on Login.
8. The reply attributes set up for that User account should be displayed in the RADIUS Client Simulator.

Configure IDENTIKEY Appliance for RADIUS Back-End Authentication

Local and Back-End Authentication
Local and back-end authentication means that both the IDENTIKEY Appliance and the RADIUS Server will authenticate a login. This allows RADIUS reply attributes to be retrieved from the RADIUS Server.
In this scenario, it is normal to use the Password Autolearn and Stored Password Proxy features. With these features enabled, the IDENTIKEY Appliance will learn the user's RADIUS Server password, so that the user does not need to log in with both their password and DIGIPASS One Time Password at each login. However, the first time that the user logs in, they will need to provide their RADIUS Server password so that the IDENTIKEY Appliance can learn it. In subsequent logins, they can just log in with their One Time Password and the IDENTIKEY Appliance will send the stored password to the RADIUS Server.
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to RADIUS.
- Set Password Autolearn to Yes.
- Set Stored Password Proxy to Yes.

Create Back-End Server Record
The IDENTIKEY Appliance needs to be able to locate the RADIUS Server. This requires a Back-End Server record in the data store. To create a new Back-End Server record:
1. Open the Administration Web Interface.
2. Click on Back-End -> Register RADIUS Back-End.
3. Enter a display name for the Back-End Server in the Back-End Server ID field.
4. Enter the Authentication and Accounting IP Address and Port values.
5. Enter the Shared Secret that was configured in the RADIUS Client record in the RADIUS Server for IDENTIKEY Appliance.
6. Enter a suitable Timeout and No. of Retries.
7. Click Create to create the record.

Test Logins with Local and Back-End Authentication

1. Configure the Test Policy for the login method to be tested, e.g. Response-Only, Challenge/Response.
2. Ensure that the RADIUS Client Simulator client record is using the configured Policy.
In the RADIUS Client Simulator:
3. Enter the IP address of the IDENTIKEY Appliance.
4. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
5. Enter the User ID for the User account you are using for test logins in the User ID field.
6. Enter the User account's RADIUS Server password followed by an OTP from the DIGIPASS in the Password field. There should be no spaces between the password and the OTP.
7. Click on the Login button.
8. The Status information field will indicate the success or failure of your logon. Below you should see the RADIUS reply attributes from the RADIUS Server.
9. Enter a new OTP from the DIGIPASS into the Password field, without the RADIUS Server password in front.
10. Click on the Login button.
11. The Status information field will indicate the success or failure of your logon. Below you should see the RADIUS reply attributes from the RADIUS Server.

19.3 Test Management Features

In this topic, you will be guided through the testing of basic management features in IDENTIKEY Appliance.

Auto-Assignment

Initial Setup
1. Open the Administration Web Interface.
2. Click on Clients -> List.
3. Click on the client record for the RADIUS Client Simulator.
4. Ensure that the Test Policy is selected in the Policy drop down list.
5. Click on OK.
6. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Local Auth. to DIGIPASS/Password.
   - Set Back-End Auth. to Always.
   - Set Back-End Protocol to RADIUS.
   - Set Password Autolearn to Yes.
   - Set Stored Password Proxy to Yes.
   - Set Dynamic User Registration to No.
   - Set Assignment Mode to Neither.
   - Set Grace Period (7 days is the standard time period used).
   - Set Search Upwards in Organizational Unit hierarchy to Yes.
   - Set Application Type to No Restriction.
7. Create or use a User account in the RADIUS Server which does not currently have a corresponding DIGIPASS User account.
8. Check that at least one unassigned DIGIPASS is available in the DIGIPASS Container.

Test Auto-Assignment - 1
In the following test, both Dynamic User Registration and Auto-Assignment should fail, meaning that a DIGIPASS User account will not be created, and a DIGIPASS will not be assigned to the User. This shows that the IDENTIKEY Appliance record has been configured successfully.
In the RADIUS Client Simulator:
9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
11. Enter the password for the RADIUS Server User account.
12. Click on the Login button. The Status information field will indicate the success or failure of your logon.

Check Test Results
To check whether a DIGIPASS User account has been created for the User, search for the User account record in the Administration Web Interface. If it does not exist, the test has been successful.

Modify Settings
13. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Dynamic User Registration to Yes.
   - Set Assignment Mode to Auto-Assignment.

Test Auto-Assignment - 2
In the following test, both Dynamic User Registration and Auto-Assignment should succeed, meaning that a DIGIPASS User account will be created, and an available DIGIPASS will be assigned to the User.
In the RADIUS Client Simulator:
14. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
15. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
16. Enter the password for the User account.
17. Click on the Login button. The Status information field will indicate the success or failure of your logon.

Check Test Results
To check whether a DIGIPASS User account has been created for the User, search for the User account record in the Administration Web Interface. To check whether a DIGIPASS has been assigned to the User:
18. Click on Assigned DIGIPASS.
19. If a DIGIPASS is listed, the User has been assigned the listed DIGIPASS.
20. Check the Grace Period End field to see that a Grace Period of the correct length (7 days by default) has been set.

Check Grace Period
Password login
21. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. If the Grace Period is still effective, this should be successful.
OTP login
22. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.

Password login
23. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. As the OTP login from the previous step should have ended the Grace Period for the DIGIPASS, this login should fail.
24. Check the Grace Period End in the User record. It should contain today's date.

Self-Assignment

To complete this test, you will need to have a DIGIPASS physically available, and free to be assigned to a test User account.

Initial Setup
1. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Dynamic User Registration to No.
   - Set Assignment Mode to Neither.
   - Set Search Upwards in Organizational Unit hierarchy to Yes.
   - Set Serial Number Separator to :.
2. Create or use a User account in the RADIUS Server which does not currently have a corresponding DIGIPASS User account.
3. Check that the desired DIGIPASS is in the DIGIPASS Container and unassigned.

Test Self-Assignment - 1
In the following test, both Dynamic User Registration and Self-Assignment should fail, meaning that a DIGIPASS User account will not be created, and the selected DIGIPASS will not be assigned to the User.
In the RADIUS Client Simulator:
1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
2. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
3. Enter the Serial Number for the DIGIPASS, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the DIGIPASS into the Password field, e.g. password (see the Login Permutations topic in the Administrator Reference for more information).
4. Click on the Login button. The Status information field will indicate the success or failure of your logon.

Check Test Results
A successful test should result in a failed login and no new DIGIPASS User account created. To check whether a DIGIPASS User account has been created for the User, search for the User account record in the Administration Web Interface.

Modify Settings
5. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Dynamic User Registration to Yes.
   - Set Assignment Mode to Self-Assignment.

Test Self-Assignment - 2
In the following test, both Dynamic User Registration and Self-Assignment should succeed, meaning that a DIGIPASS User account will be created, and the intended DIGIPASS will be assigned to the User.
In the RADIUS Client Simulator:
6. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
7. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
8. Enter the Serial Number for the DIGIPASS, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the DIGIPASS into the Password field, e.g. password (see the Login Permutations topic in the Administrator Reference for more information).
9. Click on the Login button. The Status information field will indicate the success or failure of your logon.

Check Test Results
To check whether a DIGIPASS User account has been created for the User, search for the User account record in the Administration Web Interface. To check whether the DIGIPASS has been assigned to the User:
10. Click on DIGIPASS Assignment.
11. If the DIGIPASS is listed under this tab, it has been assigned to the DIGIPASS User account.

Check Grace Period
12. Check that a Grace Period has not been set.
Password login
13. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. This should fail, as a Grace Period is not set for a Self-Assignment.
OTP login
14. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.

20 Administration Tasks

20.1 Scheduled Task Management

Certain IDENTIKEY Appliance tasks can be scheduled. Use the following information to manage these scheduled tasks.
To view a list of scheduled tasks, mouse-over the Servers tab in the IDENTIKEY Appliance Administration Web Interface window and select Task Management from the drop-down list. A full list of scheduled tasks is displayed. From this page you can Edit, Run or Delete the Task by clicking the appropriate button. See below for more detail on these operations.

Changing Task Schedules
To edit a Task:
1. Mouse-over the Tasks tab in the IDENTIKEY Appliance Administration Web Interface window and select LIST from the drop-down list.
2. A full list of available Tasks is displayed. Click on the desired Task Name.
3. The Task Definition tab is displayed. If you wish to edit the information on this tab, click the Edit button. Fields in the Task Definition tab will become available for editing.
4. Alternatively, if you wish to edit field, query, permissions or template data, click on the appropriate tab and then click Edit.
5. When you have finished editing data in each tab, click Save.

Deleting Scheduled Tasks
To delete an existing Task:
1. Mouse-over the Servers tab in the IDENTIKEY Appliance Administration Web Interface window and select Task Management from the drop-down list.
2. A full list of available Tasks is displayed. Either:
   - Select the check box beside the Task and click the Delete button at the bottom of the page, or
   - Click on the desired Task Name and then click the Delete button.
3. A confirmation window pops up. Click OK to delete the Task.

21 Monitoring

21.1 Overview

The Log File Management screen in the Configuration Tool provides an overview (explained in section 21.2 Disk Use) of disk use by monitoring information generated and stored on the IDENTIKEY Appliance. There are three sources of information:
- Logging: if you encounter a problem with the IDENTIKEY Appliance Configuration Tool, you need to search the Logging information. Logged events are presented in a live viewer. We explain how to manage and use Log files in section 21.3 Logging.
- Auditing: if you encounter a problem with any actions in the Administration Web Interface, or with IDENTIKEY Authentication Server services such as authentication, you need to search the Audit files. Audit records are presented in a live viewer. We explain how to manage and use Audit files in section 21.4 Auditing.
- Tracing: if you are unable to identify the problem from information provided from Auditing or Logging, you can also use Tracing. Tracing information can be viewed in a text editor, as explained in section 21.5 Trace Files.

For more information on the concepts of logging, auditing and tracing, please refer to the IDENTIKEY Appliance Product Guide.
In addition to monitoring on the IDENTIKEY Appliance, it is also possible to enable the Secure Network Management Protocol (SNMP), which is a protocol used in network management systems to monitor devices on the network which may need attention. SNMP thus allows the IDENTIKEY Appliance to be monitored by a managing application. How to configure SNMP is explained in section 21.6 SNMP Configuration.

21.2 Disk Use

For an overview of the disk space used for the three types of monitoring:
1. Navigate to Monitoring > Logfile Management. The top part of the Log File Management screen shows the disk space used for storage of the three types of data (see image below).
2. To view:
   - the number and sizes of Audit database parts, select the Databases row (see image below).
   - the number and sizes of Trace files, select the Trace Files row.
   - the number and sizes of Log files, select the System Logs row.

Image 75: Disk Use Overview

Note: Disk space used for a data source, and the combined sizes of database parts, log files or trace file sizes do not necessarily match due to additional space being used for disk partition.

21.3 Logging

Overview
Log files contain information generated about events in the IDENTIKEY Appliance Configuration Tool, for instance information about functionalities such as updating, backup and restore. An example log line might be: 'Backup was created successfully'.
Logged events are accumulated in a file to a maximum of 80,000 lines, after which a new file is opened. A certain number of files are archived, but rotation means that the oldest file is replaced by the latest file. Log files are therefore automatically cleaned. Log data can also be sent to a remote syslog-compliant server.
In this section we provide instructions on:
- configuring logging (see section Configuring Logging)
- configuring remote logging (see section Configuring Remote Logging)
- viewing and filtering files in the live log viewer (see section Viewing and Filtering Log Files)
- downloading and deleting log files (see section Downloading and Deleting Log Files)

Configuring Logging

To configure the type of Logging:
1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Settings > Logging (see image below) and click on the arrow to view the drop-down list of Log levels to select from. For an explanation of the different levels of logging, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
3. Click on Save to finish.

Image 76: Configuring Logging

Configuring Remote Logging

To configure Remote Logging:
1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Settings > Logging (see image below) and enter the IP address of the syslog-compliant server for viewing log data remotely. Multiple IP addresses can be entered in a comma separated list.
3. Click on the arrow to view the different levels of logging. For an explanation of these levels, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
4. Click on Save to finish.

Image 77: Configuring Remote Logging

For more information on the relevant fields, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

Viewing and Filtering Log Files

To view and filter Log files using the live Log viewer:
1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Monitoring > System Logs (see image below).

Image 78: Viewing Logs

3. Filtering is possible using the simple or advanced filters.
   To use the simple filter, enter in the Filter field the characters to be searched for in the message part of the log (e.g. start in the image below). Only logs with content matching the filter field entry will be listed (see result in the lower part of the image below). To clear the filter, click on the X icon (see image below).

Image 79: Simple Log Filter Entry and Result

   To use the advanced filter, click on the arrow (highlighted in the image below) to the right of the Filter field to open the Advanced Filter dialog (see second image below). How to search using any of the filter fields is explained in the table below.

Image 80: Advanced Filter Icon

Image 81: Advanced Filter Fields

Table 6: Log Filter Fields
Type: Description
Start Date: Click on the icon to select a date from the calendar. Only records after the date specified are displayed.
End Date: Click on the icon to select a date from the calendar. Records up to and including the entered date are displayed.
Facility is: Click on the drop down menu to select one of the facility types, e.g. kern, user, or mail. Only logs referencing this facility are displayed.
Level at least: Click on the drop down menu to select one of the levels, e.g. error or warning. Only logs referencing this level are displayed. For a list of the log levels, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
Program contains: Enter a search string. Only records with a program matching the search string are displayed.
Process ID: Enter the process ID to use as a filter parameter for your search.
Message contains: Enter a search string. Only records with a message matching the search string are displayed.

Note: It is only possible to access the Advanced Filter when the Simple Filter is clear. To clear the simple filter, click on the X icon by the Filter field.
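When log data is forwarded to a remote syslog-compliant server, the same kind of filtering can be applied there. The following is an added example, not part of the product or its documentation: it parses BSD-style syslog lines and applies the Facility, Level, Program, Process ID and Message fields of Table 6 (the date fields are left out). The line layout, the reading of "Level at least" as "this level or more severe", case-insensitive matching and the sample lines are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syslog facility and level names by numeric code. Codes 12-15 have no single
# agreed keyword; the names used here are one common choice.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
# Code 3 is "err" as a syslog keyword; "error" follows the wording of Table 6.
LEVELS = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]

# Assumed layout: <PRI>Mmm dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)


@dataclass
class LogRecord:
    facility: str
    level: str
    severity: int          # 0 (emerg) .. 7 (debug); lower is more severe
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one syslog line; return None if it does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:          # highest valid value is 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return LogRecord(
        facility=FACILITIES[facility],
        level=LEVELS[severity],
        severity=severity,
        timestamp=m["ts"],
        host=m["host"],
        program=m["program"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["message"],
    )


@dataclass
class LogFilter:
    """Hypothetical off-box equivalent of the Advanced Filter fields."""
    facility: Optional[str] = None
    level_at_least: Optional[str] = None
    program_contains: Optional[str] = None
    process_id: Optional[int] = None
    message_contains: Optional[str] = None

    def matches(self, rec: LogRecord) -> bool:
        if self.facility is not None and rec.facility != self.facility:
            return False
        if (self.level_at_least is not None
                and rec.severity > LEVELS.index(self.level_at_least)):
            return False
        if (self.program_contains is not None
                and self.program_contains.lower() not in rec.program.lower()):
            return False
        if self.process_id is not None and rec.pid != self.process_id:
            return False
        if (self.message_contains is not None
                and self.message_contains.lower() not in rec.message.lower()):
            return False
        return True


def filter_lines(lines: Iterable[str], flt: LogFilter) -> List[LogRecord]:
    """Parse every line, drop unparseable ones, keep those the filter accepts."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None and flt.matches(r)]


# Constructed sample lines (host and program names are made up).
SAMPLE_LINES = [
    "<30>Mar  5 10:15:02 ik-appliance configtool[2211]: Backup was created successfully",
    "<27>Mar  5 10:16:40 ik-appliance configtool[2211]: Update package could not be verified",
    "<4>Mar  5 10:17:01 ik-appliance kernel: eth0: link is down",
    "<86>Mar  5 10:18:12 ik-appliance sshd[3120]: session opened",
    "not a syslog line",
]

if __name__ == "__main__":
    for rec in filter_lines(SAMPLE_LINES, LogFilter(level_at_least="warning")):
        print(rec.timestamp, rec.facility, rec.level, rec.program, rec.message)
```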

Downloading and Deleting Log Files

To download or delete Log files:
1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Monitoring > Log File Management and click on System Logs. Available log files will be listed below.
3. Click on the disk icon to the right of an available log file to download it or the trash can icon to delete it (see image below).

Image 82: Downloading System Log Files

Note: Clicking on the trash can to delete the log file will also delete all older log files.

21.4 Auditing

Overview
Auditing is the information generated about events in the IDENTIKEY Authentication Server component and includes, amongst others, information about administration events, authentication attempts and RADIUS accounting. An example event might be: User successfully authenticated.
Audit files can be viewed and managed in the Configuration Tool. Audit records are accumulated to a database part for one month or to a maximum of 500 MB, whichever limit is reached first. The IDENTIKEY Appliance detects when audit data is using too much hard disk space and automatically cleans the oldest information.
In this section we provide instructions on:
- Overview of IDENTIKEY Authentication Server audit settings
- viewing, filtering and exporting files in the live Audit viewer (see section Viewing and Filtering Audit Files)
- exporting Audit files (see section Exporting Audit Files)
- downloading and deleting Audit files (see section Downloading and Deleting Audit Files)

IDENTIKEY Authentication Server Audit Settings
Via the IDENTIKEY Authentication Server audit settings in the IDENTIKEY Appliance Configuration Tool, you can:
- specify which message type is sent to the Syslog,
- enable the Remote Audit Viewer and configure its associated settings,
- enable SSL connections for the Audit Viewer, including setting the level of the used SSL cipher suite, downloading a server certificate and setting a password for the certificate,
- configure the verification of the client certificate and associated settings.

Image 83: IDENTIKEY Authentication Server Audit Settings

To configure the settings for auditing IDENTIKEY Authentication Server, navigate to Authentication Server > Audit Settings in the IDENTIKEY Appliance Configuration Tool.
The following sections outline the audit settings for IDENTIKEY Authentication Server in the IDENTIKEY Appliance Configuration Tool. For a detailed description of these fields, refer to the section on Configuration Tool field listings in the IDENTIKEY Appliance Administration Reference.

Send Audit Messages to Syslog settings
Here you can select the message types that are to be sent to the Syslog. Available message types are:
- Error
- Warning
- Info
- Success
- Failure
For a detailed description of the audit message types, refer to the IDENTIKEY Appliance Product Guide.

Remote Audit Viewer settings
Here you can enable the remote Audit Viewer and configure the following settings:
- Set the maximum number of Audit Viewer clients connected at the same time,
- Set the maximum period of time in seconds until an authentication times out, and
- Select the types of audit messages to be sent. For a detailed description of the audit message types, refer to the IDENTIKEY Appliance Product Guide.

Audit Viewer SSL settings: enable SSL connections
If you wish to secure the audit connection with SSL you can do so by enabling SSL connections for the Audit Viewer. This means that your browser will use an SSL-secured connection (i.e. via HTTPS).

SSL Cipher Suite Security Level settings
Select the required cipher suite security level for the Audit Viewer here. IDENTIKEY Authentication Server supports SSL cipher suites defined under the security levels Very High, High, Medium, and Low. For more information, refer to the section on SSL Cipher Suites in the IDENTIKEY Appliance Administration Reference.

Server Certificate and Certificate Password settings
You can upload a server certificate that was previously generated and stored, or you can download a new certificate. You can also set a password for the certificate here. For more information on the server certificate, refer to section 12.1 Server Certificate.

Client Certificate Verification settings
You can configure the following here:
- Set IDENTIKEY Authentication Server to require a client certificate whenever a client attempts a connection.
- Download a certificate from the Certificate Authority (CA) Certificate Store.
- Configure IDENTIKEY Authentication Server to perform an SSL handshake each time the Audit Viewer is reconnected to IDENTIKEY Authentication Server. Enabling this option may incur a performance penalty, thus this option should only be enabled if absolutely necessary.
- Set IDENTIKEY Authentication Server to automatically trust certificates; this option guarantees certificate verification by copying the necessary certificate details (during each connection).
For more information on the client certificate, refer to section 12.2 Client Certificate.

Viewing and Filtering Audit Files

To view and filter audit files using the live Audit Viewer:

1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Monitoring > Audit Logs (see image below).

Image 84: Viewing the Live Audit Viewer

3. Filtering is possible using the Simple or Advanced Filters.
   Note: It is only possible to access the Advanced Filter when the Simple Filter is clear. To clear the simple filter, click on the X icon by the Filter field.
   To use the simple filter, enter in the Filter field the characters to be searched for in the message part of the Audit information (e.g. SOAP in the image below). Only lines with content matching the filter field entry will be listed (see result in the lower part of the image below). To clear the filter, click on the X icon (see image below).

Image 85: Simple Log Filter Entry and Result

   To use the advanced filter, click on the arrow (highlighted in the image below) to the right of the Filter field to open the Advanced Filter dialog (see second image below). How to search using any of the filter fields is explained in the table below.

Image 86: Advanced Filter Icon

Image 87: Audit Filter Fields

Table 7: Audit Filter Fields
Type: Description
Start date: Click on the icon to select a date from the calendar. Only records after the date specified are displayed.
End date: Click on the icon to select a date from the calendar. Records up to and including the entered date are displayed.
Type is: Click on the drop down menu to select one of the message types described in the table above. Only records referencing this message type are displayed.
Source contains: Searching on this field is only relevant if you have a Replication Setup (see section 11 Replication Wizard). Enter the name of the relevant IDENTIKEY Authentication Server. Only records generated from this server are displayed.
Category contains: Enter a category type, e.g. Administration or Authentication. Only records with a category matching the category entered in this field are displayed.
Code contains: Enter an error code. Only records with a matching error code are displayed. For a list of possible error codes, please refer to the IDENTIKEY Appliance Administrator Reference Guide.
Host contains: Enter an IP address. Only records with a matching IP address are displayed.
Hostname contains: Enter a host name. Only records with a matching host name are displayed.
Description contains: Enter a string. Only records with a matching string in the Description field are displayed.
Field...contains: Click on the drop down menu to select a field. All possible fields which can be searched on are listed. Select a field, and enter the matching string to be searched for. Only matching records are displayed.

Exporting Audit Files

To export Audit files using the live Audit viewer:
1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Monitoring > Audit Logs (see image below).
3. Click on Export (see highlighted field to right in the image below). A dialog opens (see second image below). Fields are explained in the table below.

Image 88: Exporting from the Audit Viewer

Image 89: Exporting Audit Files

Table 8: Audit Export Fields

Type | Description
Start date | Click on the icon to select a date from the calendar. Only records after the date specified are displayed.
End date | Click on the icon to select a date from the calendar. Records up to and including the entered date are displayed.
Source | Searching on this field is only relevant if you have a Replication Setup (see section 11 Replication Wizard). Enter the name of the relevant IDENTIKEY Authentication Server. Only records generated from this server are displayed.
Category | Enter a category type, e.g. Administration or Authentication. Only records with a category matching the category entered in this field are displayed.
Host | Audit records can be exported for all servers, or only the local host.
Output Format | Export data can be formatted for IDENTIKEY Authentication Server compatibility, which allows the exported data to be imported to an IDENTIKEY Authentication Server acting as a dedicated reporting server in a setup with multiple IDENTIKEY Authentication Server and/or IDENTIKEY Appliance servers, or for Comma Separated Variable (CSV) compatibility, a commonly used format that allows the data to be imported by other auditing systems (see Note below).

Note: The CSV format option for exporting auditing data creates a file in which the separator character is a tab, not a comma, although it is still called CSV format.

Downloading and Deleting Audit Files

To download or delete Audit files:

1. Access the Configuration Tool as explained in section 2 Administration Interfaces for IDENTIKEY Appliance.
2. Navigate to Monitoring > Logfile Management and click on Database (see image below). Available Audit files will be listed below.
3. Click on the disk icon to the right of an available Audit file to download it or the trash can icon to delete it. The arrow next to the trash can icon indicates that multiple logs are available and will be deleted (see image below).

Image 90: Downloading Audit Files

Note:

1. Downloading is the same as the export functionality described above and uses the IDENTIKEY Authentication Server compatible format.
2. Clicking on the trash can to delete the log file will also delete all older log files.

Secure Auditing

How does Secure Auditing work?

Secure Auditing appends a cryptographic signature to each line of the audit output. External auditors can then cryptographically verify each signature and verify that no lines have been deleted from or added to the audit information.

Secure Auditing messages are divided into epochs. An epoch is a period of processing delimited either by time or by the number of audit messages written to the output. The length of processing for each epoch is defined during initial configuration. A new epoch always begins at midnight. A new encryption key is generated for each epoch, based on the more secure master key. A message is written to the output to indicate the beginning and end of an epoch.

If an HSM is being used, Secure Auditing relies on public and private keys on the HSM for encryption. Where an HSM is not being used, Secure Auditing uses a Master Audit Keystore, and public and private keys randomly generated for each epoch.

In IDENTIKEY Appliance, you can only configure secure auditing via the IDENTIKEY Authentication Server Setup Wizard. As such, you will need to perform a factory default to configure it again. For instructions on how to configure secure auditing, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

Secure Auditing Verification Tool

Secure Auditing output can be verified using the Secure Auditing Verification Tool. This tool scans the Secure Auditing output and verifies that all the entries are in order, and that nothing has been removed or added. Processing results are produced, and the process is either passed or failed. You can optionally specify a trace file to which Secure Auditing lines which fail verification will be written. This tool is provided in the CD-ROM delivered with IDENTIKEY Appliance.

How to use the Secure Auditing Verification Tool

The Secure Auditing Verification Tool is a command line tool.

1. On Windows, open the Command Prompt.
2. To start the Secure Auditing Verification Tool, enter

    auditvt -cert <certname> -audit_file <auditfilename> -trace_file <tracefilename>

   where:

   <certname> is the absolute path of the Audit Master Public Keypair, in PEM format.
   If using an HSM, the following will apply:
   - If using Safenet HSM, export the certificate file using the instructions in the Safenet HSM documentation.
   - If using Thales nshield, export the public key using the IDENTIKEY Appliance Configuration Wizard in Maintenance mode.
   If you're not using an HSM, you can use <installation directory>\bin\auditmaster.cer

   <auditfilename> is the absolute path of the Secure Auditing output file that you want to verify.

   <tracefilename> is a file to which Secure Audit file entries that don't pass verification can be written. This parameter is optional.

3. The Secure Auditing Verification Tool will scan the specified file and produce results similar to those shown above. The overall status of the file is shown at the end of the messages. In this case the status is Passed.
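The per-line signing, epoch keys and pass/fail verification with a trace of failing lines described above can be modelled in a few lines. This is an added example, not VASCO's code or audit file format: the `epoch|seq|message|tag` layout, the function names, the key and the sample messages are assumptions, and HMAC-SHA256 stands in for the product's public-key signatures so that it runs with only the Python standard library.

```python
"""Model of a signed, epoch-based audit log (constructed format, not IDENTIKEY's)."""
import hashlib
import hmac

START, END = "EPOCH-START", "EPOCH-END"
MASTER_KEY = b"constructed-demo-master-key"          # constructed sample key
SAMPLE_MESSAGES = [                                   # constructed sample audit lines
    "admin login ok", "user alice auth ok", "user bob auth failed",
    "policy changed", "admin logout",
]


def epoch_key(master_key: bytes, epoch_id: int) -> bytes:
    """Derive the signing key for one epoch from the master key."""
    return hmac.new(master_key, b"epoch:%d" % epoch_id, hashlib.sha256).digest()


def sign(key: bytes, prev_tag: str, text: str) -> str:
    """The tag covers the line and the previous line's tag, chaining the epoch."""
    data = prev_tag.encode() + b"\n" + text.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def write_log(master_key: bytes, messages: list, epoch_size: int) -> list:
    """Emit 'epoch|seq|message|tag' lines, epoch_size messages per epoch."""
    lines = []
    for start in range(0, len(messages), epoch_size):
        epoch_id = start // epoch_size
        key = epoch_key(master_key, epoch_id)
        prev = ""
        for seq, msg in enumerate([START, *messages[start:start + epoch_size], END]):
            text = f"{epoch_id}|{seq}|{msg}"
            prev = sign(key, prev, text)
            lines.append(f"{text}|{prev}")
    return lines


def verify_log(master_key: bytes, lines: list):
    """Return ("Passed" or "Failed", trace); trace holds (line_no, reason)."""
    trace = []
    next_epoch, cur_epoch, next_seq, prev, is_open = 0, None, 0, "", False
    for n, line in enumerate(lines, 1):
        try:
            text, tag = line.rsplit("|", 1)
            epoch_s, seq_s, msg = text.split("|", 2)
            epoch_id, seq = int(epoch_s), int(seq_s)
        except ValueError:
            trace.append((n, "malformed line"))
            continue
        reason = None
        if seq == 0:                                  # an epoch begins here
            if is_open:
                trace.append((n - 1, "epoch not closed"))
            if epoch_id != next_epoch:
                reason = "epoch missing or out of order"
            prev = ""
        elif not is_open or epoch_id != cur_epoch or seq != next_seq:
            reason = "line missing or out of order"
        if reason is None:
            expected = sign(epoch_key(master_key, epoch_id), prev, text)
            if not hmac.compare_digest(expected.encode(), tag.encode()):
                reason = "signature mismatch"
        if reason:
            trace.append((n, reason))
        # Resynchronise on the line just read so one fault is reported once.
        cur_epoch, next_epoch, next_seq, prev = epoch_id, epoch_id + 1, seq + 1, tag
        is_open = msg != END
    if is_open:                                       # output stops inside an epoch
        trace.append((len(lines), "epoch not closed"))
    # Limit of this model: removing whole trailing epochs is not detectable
    # without an external record of the last epoch number.
    return ("Passed" if not trace else "Failed"), trace


if __name__ == "__main__":
    log = write_log(MASTER_KEY, SAMPLE_MESSAGES, epoch_size=2)
    print(verify_log(MASTER_KEY, log))
    del log[5]                                        # simulate a removed audit line
    print(verify_log(MASTER_KEY, log))
```
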


More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

Getting Started with. Ascent Capture Internet Server 5. 10300260-000 Revision A

Getting Started with. Ascent Capture Internet Server 5. 10300260-000 Revision A Ascent Capture Internet Server 5 Getting Started with Ascent Capture Internet Server 5 10300260-000 Revision A Copyright Copyright 2001 Kofax Image Products. All Rights Reserved. Printed in USA. The information

More information

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 1210 Parkview Arlington

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

Identikey Server Administrator Reference 3.1

Identikey Server Administrator Reference 3.1 Identikey Server Administrator Reference 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services 1 HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided

More information

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability May 2015 Cloning the database Cloning the STS host Cloning the proxy host This guide describes how to extend a typical

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

WatchDox Administrator's Guide. Application Version 3.7.5

WatchDox Administrator's Guide. Application Version 3.7.5 Application Version 3.7.5 Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

MicrosoftDynam ics GP 2015. TenantServices Installation and Adm inistration Guide

MicrosoftDynam ics GP 2015. TenantServices Installation and Adm inistration Guide MicrosoftDynam ics GP 2015 TenantServices Installation and Adm inistration Guide Copyright Copyright 2014 Microsoft Corporation. All rights reserved. Limitation of liability This document is provided as-is.

More information

Dell Statistica 13.0. Statistica Enterprise Installation Instructions

Dell Statistica 13.0. Statistica Enterprise Installation Instructions Dell Statistica 13.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or

More information

RSA Authentication Manager 8.1 Help Desk Administrator s Guide

RSA Authentication Manager 8.1 Help Desk Administrator s Guide RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

More information

Strong Authentication for Juniper Networks

Strong Authentication for Juniper Networks Strong Authentication for Juniper Networks SSL VPN SSO and OWA with Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright Copyright

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information