Identikey Server Product Guide

Transcription

1 Identikey Server Product Guide

2 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to you. Copyright Copyright 2009 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. RADIUS Documentation Disclaimer The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the Identikey Server environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS. Trademarks VASCO, Vacman, IDENTIKEY, axs GUARD, DIGIPASS, and are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Document Version: 1.1

3 Table of Contents Table of Contents 1 Overview What is Identikey Server? What is a Digipass? Types of Digipass Structure of Identikey Server Identikey Server in a RADIUS Environment Identikey Server in a Web Environment Administration Components Identikey Server Data Model Integrating Your Systems With Identikey Server SOAP SSL Available Guides User Authentication Process Logging in with a Digipass Authentication Process Overview Identifying the Component Record Digipass User Account Lookup and Checks Local Authentication Back-End Authentication Authorization Profiles/Attributes Host Code Generation Supported RADIUS Password Protocols Unsupported by Identikey Server Signature Validation Process Signing a Transaction How Do I Generate a Signature? Time based signature Event Based Signature Static Signature Signature Verification Process Policy Settings Software Digipass Provisioning Software Digipass Provisioning Overview

4 Table of Contents Provisioning Scenarios DP110 Provisioning Overview What are the steps in registration of a Software Digipass? What are the steps in activation? Reactivation Administration Interfaces Data Administration System Administration What do I need to use? Digipass User Accounts Digipass User Account Creation Changes to Stored Static Password Administration Privileges Digipass Importing Digipass Assigning Digipass to Users Digipass Record Functions Digipass Programming Digipass Record Settings Virtual Digipass Implementation Considerations Client Components Component Types Server Components Server Component Policies Policy Inheritance Pre-Loaded Policies Reporting Reporting Overview Report Definition Standard Reports Custom Reports

5 Table of Contents 11.5 Report Generation Process Report Usage and Change Permissions Making Data Available to Reports Identikey Data Store Active Directory ODBC Database Sensitive Data Encryption Licensing Overview Obtaining and Loading a License Key Auditing and Tracing Audit System Tracing Message Delivery Component What is the Message Delivery Component? Starting the Message Delivery Component User Self Management Web Site What is the User Self Management Web Site? Customizing the User Self Management Web Site

6 Table of Contents Illustration Index Image 1: GO Image 2: GO Image 3: GO Image 4: DP Image 5: DP Image 6: DP Image 7: DP Image 8: DP Image 9: DP Image 10: Structure of Identikey Server...14 Image 11 : SSL handshake process...32 Image 12 : Login Methods...34 Image 13: Authentication Process Overview...35 Image 14: Name Resolution with Active Directory...39 Image 15: Name Resolution with ODBC database...40 Image 16 - Dynamic User Registration Process...44 Image 17: User Account Link...46 Image 18: Virtual Digipass Login...49 Image 19: Multiple Digipass Assignment...51 Image 20: The steps in Back-End Authentication for Novell edirectory and ADAM...59 Image 21: Steps of Signature Verification Process...68 Image 22: Steps of Provisioning...73 Image 23: Digipass for Mobile Scenario 1 process...75 Image 24: Digipass for Web Scenario 1 Process...77 Image 25: Digipass for Web Scenario 2 Process...78 Image 26: Digipass for Web Scenario 3 Process...80 Image 27: DP110 Scenario Image 28: DP110 Scenario Image 29: Steps of Software Digipass Registration...85 Image 30: Steps of Software Digipass Activation...87 Image 31: Self Assignment Process...99 Image 32: Auto Assignment Process Image 33: Manual Assignment Process Image 34: Policy Inheritance

7 Table of Contents Image 35: Reporting Structure Image 36: Report Grouping Image 37: Report Generation Process Image 38: Digipass Record Locations - Digipass Pool Image 39: Digipass Record Locations - Parent Organizational Unit Image 40: Digipass Record Locations - Individual Organizational Units Image 41: Domains and Organizational Units Image 42: Digipass Record Locations Domain Root Image 43: Digipass Record Location Parent Organizational Unit Image 44: Digipass Record Location s Individual Organizational Units Image 45: Additional ODBC databases Image 46: Multiple Identikey Server Using Single Database Image 47: Replication between a Primary and Backup Identikey Server Image 48: Replication between Primary, Backup, and Disaster Recovery in Identikey Server Image 49: Replication between three Identikey Servers Image 50: Complex Identikey Server Replication Scenario Image 51: Audit System Overview Image 52: Audit Viewer Image 53: User Self Management Web Site

8 Overview 1 Overview 1.1 What is Identikey Server? Identikey Server is a server product designed to support the deployment, use and administration of VASCO Digipass technology. It can be easily integrated with existing applications using a Software Developer Kit (SDK). Identikey Server provides support for the following primary functions: Digipass One Time Password Authentication Digipass Signature Validation Software Digipass Provisioning Administration and Reporting Auditing Identikey Server is designed to be easily usable with Web applications and has a Web-based Administration interface. 1.2 What is a Digipass? A Digipass is a device for providing One Time Passwords and Digital Signatures to a User. A Digipass may be provided to each person whom an organization wishes to be able to log into their system using a One Time Password (OTP). The User obtains an OTP from the Digipass to use instead of, or as well as, a static password when logging in. In addition, a Digipass may be provided for the user to sign transaction data. The user enters key details of the transaction into their Digipass and receives a signature. They enter the signature into a transaction confirmation page in order to confirm that they authorize the transaction. Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text message to the User's mobile phone. In this case, a physical Digipass device is not needed. A Software Digipass may be installed onto your computer, or onto a mobile device such as a Blackberry or Javaenabled mobile phone. It can be used to generate an OTP or a Signature in the same way as a physical Digipass device. 8

9 Overview 1.3 Types of Digipass Each Digipass is programmed with at least one Digipass Application and a unique secret. The Digipass Application uses this secret when generating One Time Passwords and Signatures. Each type of Digipass Application generates One Time Passwords or Signatures from different data, and in slightly different ways: Response Only Creates a One Time Password based on the current date and time or on the number of uses (events). Challenge/Response Creates a One Time Password (also referred to as a 'Response') based on a numerical challenge given on a login page. This may be either a challenge custom-created for the specific Digipass, or a randomly created challenge. The One Time Password may also be based on the date and time. Digital Signature Digital Signature Digipass Applications are typically used in online banking. The Digipass generates a unique code - referred to as a 'Digital Signature' - based on a number of transaction data fields entered, plus (optionally) the date and time or number of uses (events). Multi-Mode Multi-mode Digipass are Digipass that are capable of being used in all of the above modes. This setting is used mainly for Digipass for Web. 9

10 Overview Hardware Digipass Hardware Digipass are devices specifically designed for creation of One Time Passwords and Digital Signatures. Depending on the model supplied, they may be used for Response Only, Challenge/Response and Digital Signature methods. The three basic types of hardware Digipass are: Digipass without keypads These are the simplest type of Digipass. They have a triggering mechanism - typically a button or action, such as pulling the Digipass open - which causes a One Time Password to be generated. They have only one Application, which is always Response Only. Image 1: GO 3 Image 2: GO 5 Image 3: GO 6 10

11 Overview Digipass with keypads These are typically capable of supporting more than one Application, and can be programmed so that a PIN must be entered before a One Time Password or Digital Signature may be generated. Image 4: DP 585 Image 5: DP 260 Image 6: DP

12 Overview Smartcard reader Digipass These provide two-factor authentication based on smartcard technology in a similar way to the above two types. The smartcard itself provides the 'secret' that is used to generate OTPs and Digital Signatures. Image 7: DP Image 8: DP 805 Software Digipass Software Digipass may be installed onto a Blackberry, Java-enabled mobile phone or other mobile device. The User then accesses a Digipass application to obtain a One Time Password or Digital Signature. They typically support Response Only, Challenge/Response or Digital Signature Digipass Applications. Distribution of Software Digipass is controlled by Identikey Server using Provisioning scenarios. See 4 Software Digipass Provisioning for more information. Digipass for Web Digipass for Web is a Java applet that runs on your internet browser. Digipass for Web can generate One Time Passwords and Digital Signatures. Digipass for Web supports the Multi-Mode Application type. Digipass for Mobile Digipass for Mobile is a Java applet that will run on your Java enabled mobile phone or Blackberry. Digipass for Mobile can generate One Time Passwords and Digital Signatures Hardware/Software Digipass The Digipass 110 is currently the only Digipass available which combines the security of a hardware Digipass with the portability of a software Digipass. It consists of a secure USB stick used with a Java applet on the User's 12

13 Overview computer. It holds the cryptographic information used in generating One Time Passwords for the User. Distribution of the Java applet used with the DP 110 is handled by Identikey Server in the same way as Software Digipass. See 4 Software Digipass Provisioning for more information. Image 9: DP Virtual Digipass Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism when a User has mislaid their hardware Digipass. Using Virtual Digipass means that a User may receive a One Time Password on their mobile phone via text message. There are two forms of Virtual Digipass available: Primary Virtual Digipass are treated by Identikey Server almost identically to hardware and software Digipass - a record of each Primary Virtual Digipass must be imported into the data store, and may then be assigned to a User automatically or manually. The User will typically log in with their User ID and static password, have a text message sent to their mobile phone, and then enter the One Time Password from the text message in the second stage of their login. The Backup Virtual Digipass feature allows a User to request a One Time Password sent to their mobile phone if they do not have their usual Digipass at hand. It may be limited by number of uses or days of use - eg. a User may be limited to 2 days' usage, after which they will again need to use their usual Digipass to log in. 13

14 Overview 1.4 Structure of Identikey Server The diagram below shows the basic structure of an organization's existing applications integrated with Identikey Server. Image 10: Structure of Identikey Server 14

15 Overview Customer Web Applications Identikey Server provides support for web applications through an SDK based on the standard SOAP protocol. These applications may cover operational tasks such as authentication and signature validation, provisioning of Software Digipass or administration of Identikey Server. SOAP over HTTPS is supported, versions 1.1 and 1.2. 'Document Literal' binding is used. A variety of SOAP client SDKs have been tested Remote Access Clients Identikey Server supports the RADIUS protocol (according to RFC 2865) for remote network access authentication, to the same level as VACMAN Middleware 3.0. Some applications are written using RADIUS as an authentication protocol, and these applications will also be supported. The SEAL protocol is a proprietary VASCO protocol used by the VASCO authentication modules. At the time of writing this includes the Digipass Packs for Citrix Web Interface, Outlook Web Access and IIS Basic Authentication. Identikey Server supports these SEAL client applications to the same level as VACMAN Middleware Identikey Server The Identikey Server is a Service which receives and processes requests from the various client components. It may refer to a Back-End System for a part of the processing tasks. Identikey Server has a modular architecture incorporating the following key concepts: Communicator Modules For each protocol by which requests can be received, a Communicator module is present. Each Communicator can be enabled or disabled as preferred, subject to support in the license. The following Communicators are present: SOAP (requires a license option) RADIUS (requires a license option) SEAL (does not require a license option) Scenario Modules For each major group of functionality in the Identikey Server, a Scenario module is present. Each Scenario can be enabled or disabled as preferred, subject to support in the license. The following Scenarios are present: Authentication (requires a license option) Signature Validation (requires a license option) 15

16 Overview Provisioning (requires a license option) Administration (does not require a license option) Reporting (does not require a license option) Replication (does not require a license option) Administration (does not require a license option) Audit Scenarios (does not requrire a license option) Configuration (does not require a license option) Back-End Systems A Back-End System is used as an authority for user accounts and static passwords, before a user account is created in Identikey Server and the user starts to use a Digipass. In addition, for RADIUS it may be used to provide RADIUS attributes back to the RADIUS client, as Identikey Server does not provide RADIUS attribute support on its own. See 2.6 Back-End Authentication for more information Database Server Identikey Server uses Active Directory or an ODBC-compliant database to store administration and configuration data. An embedded PostreSQL database is included in the installation package. 16

17 Overview 1.5 Identikey Server in a RADIUS Environment Identikey Server can be used in a RADIUS environment in a number of ways, depending on your company's requirements. In the following scenarios, a RADIUS Client may be a dial-up NAS (Network Access Server), firewall/vpn appliance, Wireless Access Point, or another device that uses the RADIUS protocol for user authentication. Some software applications can also use RADIUS for authentication, for example Microsoft Internet Security and Acceleration Server (ISA), and can therefore also act as RADIUS Clients. In the RADIUS protocol, 'attributes' are used for authorization and configuration of the remote access session in many cases. Identikey Server is specialized in providing strong authentication using Digipass, but is not designed to provide authorization. If authorization attributes are required, a RADIUS server product is used in conjunction with Identikey Server Stand-alone: No RADIUS Attributes Required In this scenario, Identikey Server is used on its own, without a RADIUS server. Identikey Server can generally be used without a RADIUS server if: RADIUS attributes are not required One of the supported password protocols is used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 17

18 Overview Proxy Target: RADIUS Server Acts as Proxy In this scenario, a RADIUS server acts as a proxy for authentication, effectively delegating the authentication process to Identikey Server. The RADIUS server provides the authorization attributes after Identikey Server has accepted the user credentials. A RADIUS server can forward authentication to Identikey Server if: The RADIUS server supports the proxying of authentication while returning attributes itself The RADIUS server can forward the authentication request using one of the supported password protocols is used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 The RADIUS server supports an Access-Challenge response from Identikey Server, if required. The AccessChallenge mechanism is used for Challenge/Response and Virtual Digipass, although it is still possible to use Virtual Digipass without that mechanism. If the RADIUS server is capable, this scenario allows Identikey Server to operate in an environment that uses certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the user credentials into a simpler protocol before forwarding the request to Identikey Server. 18

19 Overview Intermediary: RADIUS Server as Back-End Server In this scenario, Identikey Server will forward requests to a RADIUS server in order to retrieve authorization attributes, after validating the One Time Password. It is necessary to provide a static password to the RADIUS server to achieve this. Therefore, there are two methods of implementing this: Log in with OTP Only Using this method, the User only enters their OTP (including a PIN if used). Identikey Server has to learn the static password for the User, so that when the User gives the correct OTP, it can send the static password to the RADIUS server. This method can be used if: One of the supported password protocols is used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 The static passwords can be 'learnt' by Identikey Server If PAP is used, Identikey Server has the ability to learn the static passwords automatically. The User has to perform at least one login with their static password if the RADIUS server accepts the password, Identikey Server can learn it. However, if one of the other password protocols is used, this process is not possible. In that case, there are a few other ways in which the passwords can be learnt, through administrative data entry or using the User SelfManagement Web Site. 19

20 Overview Log in with Password and OTP Using this method, the User enters their static password and OTP at each login. Identikey Server validates the OTP and if correct, forwards the static password to the RADIUS server. This method can be used if: The PAP password protocol is used, because CHAP and MS-CHAP hash the password and OTP together inseparably 20

21 Overview 1.6 Identikey Server in a Web Environment Soap Integration Identikey Server has a SOAP module that can be used to integrate Identikey Server with web applications. The Identikey Server SOAP interface allows the following Identikey Server functions to be integrated into web applications: User Authentication Signature validation Software Digipass Provisioning Administration Reporting IIS Module In an IIS Web environment, Identikey Server can also use a component that plugs into Internet Information Services (IIS) to intercept authentication requests. This component, the IIS Module, verifies the credentials with Identikey Server first. Normally this means verification of the One Time Password (OTP). If the OTP is valid, the static password is given back to IIS as if the user had entered it, and the normal web site authentication process completes the login. To enable verification by Identikey Server it is necessary to provide a static password, typically the Windows password, to IIS. Therefore, there are two methods of implementing this: Log in with OTP only Using this method, the User only enters their OTP (including a PIN if used). Identikey Server has to learn the static password for the User, so that when the User gives the correct OTP, it can give the static password back to IIS. 21

22 Overview Identikey Server has the ability to learn the static passwords automatically if they are Windows passwords. The User has to perform at least one login with their static password if this password is validated by Windows, Identikey Server can learn it. The same process can also be used if the static passwords are held in a RADIUS server however, the Identikey Server license must have RADIUS support activated for this to be enabled. This process is not possible if the static passwords are not Windows or RADIUS passwords. In that case, administrative entry is required for the passwords. 22

23 Overview Log in with Password and OTP Using this method, the User enters their static password and OTP at each login. Identikey Server validates the OTP and if correct, returns just the static password to IIS. This method may be necessary when the static passwords are not Windows passwords, for example they may be Novell passwords. It also may be suitable if you do not want Identikey Server to store your users' Windows passwords (although they are strongly encrypted). 1.7 Administration Components Web Administration A web-based administration application is provided with Identikey Server to enable administrators to carry out the majority of administration functions for the system. The Web Administration package allows administrators to perform tasks such as: Administer User accounts Administer Digipass Define the organizational structure Manage Policies Create and run reports Manage Client components 23

24 Overview Manage and Configure the Identikey Server The Web Administration application uses the Identikey Server's SOAP administration interface to manage data Digipass Extension for Active Directory Users and Computers An extension to Active Directory Users and Computers is available. This extension allows administration of Digipass User accounts and Digipass records where Identikey Server uses Active Directory as its data store The Audit System The Audit System tracks operations carried out by Identikey Server. Each operation generates audit messages that are written to either a text file or a database. Audit information can be used to generate reports, for example, the number of failed authentications over a certain period. Audit information can also be used by Identikey Server system administrators to monitor system performance, or suspicious activity The Audit Viewer System administrators can use the Audit Viewer program to view Audit information. It allows System administrators to filter the audit information to make it easier to view and understand. The Audit Viewer also allows you to view audit information from different sources. Using the Audit Viewer information helps system administrators to troubleshoot effectively, and to keep track of significant events in the system Reporting The Web Administration package contains a reporting module. This module contains the tools required to run a set of standard reports and to create and run custom reports. Reports may be based on User account and Digipass data as well as audit data. Formatting templates can be used to convert the output into the preferred format, using XSLT Digipass TCL Command-Line Administration An extension to TCL is used for command-line administration tasks. The full power of TCL scripting can be used in order to automate bulk or regular administration tasks. A stand-alone TCL interpreter is also provided so that this functionality can be used where there is no TCL environment present already. The TCL extension uses the Identikey Server to manage the data store. It uses the SEAL protocol to communicate with the Identikey Server. 24

25 Overview Identikey Server Configuration The Identikey Server uses a local XML text file to store certain configuration settings. These can be managed using a graphical user interface program. There is also a Configuration Wizard program available to carry out certain maintenance tasks such as changing the IP address of the server. 25

26 Overview 1.8 Identikey Server Data Model Identikey Server can use either an ODBC database (including the embedded PostgreSQL database) or Active Directory as its data store. The data model will vary slightly between ODBC and Active Directory stores. The following kinds of record are stored in the Identikey Server data store: Digipass record A Digipass record must exist in the data store for each Digipass in use. This record contains: Information about the Digipass (eg. serial number and model) The names and programming parameters of Applications in the Digipass The status of various options (eg. Digipass lock) Some of the information in this record is encrypted together in what is called the 'Digipass Blob'. There is one 'Blob' per Application Digipass User account record Each User who will be logging in using Digipass authentication will require a Digipass User account. The Digipass User account record contains information needed by Identikey Server such as authentication settings. A Digipass must be assigned to a Digipass User account before it can be used for authentication. Administrative privileges are assigned to Digipass User accounts and therefore a Digipass User account is needed for each administrator Component record Component records are created to represent: Identikey Servers Authentication, Signature and Provisioning client components Administration client components They are used for the following main purposes: For clients, to indicate that it is permitted to process a request from that client and to specify a Policy (see below) to be used For RADIUS Clients, to hold the Shared Secret To hold a License Key for Identikey Servers and IIS Modules Policy record 26

27 Overview Policies specify various settings that affect the request handling processes. Each request is handled according to a Policy that is identified by the applicable Component record. There are many Policy settings including the following examples: Whether Local and/or Back-End authentication should be used Whether various automatic management features should be used The Digipass Application types required Backup Virtual Digipass settings Back-End Server record A Back-End Server record is required when a RADIUS or LDAP server is to be used by Identikey Server for authentication. It is possible to create more than one Back-End Server record, for fail-over purposes. You can also allocate different Back-End Servers for different user domains Domain record Domains form the basis for the Organizational Structure in an ODBC database. Where Identikey Server uses Active Directory as its data store, the standard Active Directory Domains are used instead. Active Directory Identikey Server operates within the pre-existing Active Directory domain and Organizational Unit structure. Each Digipass User and Digipass must belong to a domain in Active Directory. User IDs must be unique within a domain, but may be repeated between domains. While Digipass User account and Digipass records can belong to any domain, a single domain is identified during installation as the Digipass Configuration Domain. This domain is used to store the Component, Policy and BackEnd Server records. It is also used as a default domain for user lookup, when no domain is specified. ODBC Database Domains perform the following functions: allow different user groups to be separated provide the ability to limit administrator activities to the administrator's own domain (delegated administration) allocate unassigned Digipass records to different Domains, for example to mirror the geographic location of the devices Each Digipass User and Digipass must belong to a domain. One domain is identified as the Master Domain this will be the default domain when none is specified. In addition, administrators in the Master Domain can be given rights to access data in all domains, where other administrators are limited to data in their own domain. User IDs must be unique within a domain, but may be repeated between domains. Digipass serial numbers must 27

28 Overview be unique in the database Organizational Unit record Organizational Units, like Domains, are handled differently depending on whether the Identikey Server uses Active Directory or an ODBC database as its data store. Active Directory Where Identikey Server uses Active Directory as its data store, the standard Active Directory Organizational Units are used instead. Digipass User accounts and Digipass records are normally stored in Organizational Units or the Users container. A special container called Digipass-Pool is created during installation to hold unassigned Digipass, although they can be located in Organizational Units instead. Administration duties may be assigned to administrators per Organizational Unit, in the same way that regular user administration is delegated at that level. ODBC Database Where Identikey Server uses an ODBC database as its data store, Organizational Units allow further compartmentalisation of Digipass User accounts, Digipass records and administration duties. Organizational Units are included to: provide the ability to limit administrator activities to the administrator's own Organizational Unit (delegated administration) allocate unassigned Digipass records to different Organizational Units, for example to mirror the geographic location of the devices Digipass User accounts and Digipass records may belong to an Organizational Unit, but this is not mandatory. 1.9 Integrating Your Systems With Identikey Server SOAP Interfaces SOAP interfaces are provided to support the following functions: User Authentication Signature Validation Software Digipass Provisioning Administration Reporting 28

29 Overview You need to acquire the SDK for SOAP for further information RADIUS RADIUS support is present for authentication (Access-Requests) using PAP, CHAP, MS-CHAP and MS-CHAP2. MPPE keys are generated for MS-CHAP and MS-CHAP2. If you have an existing RADIUS Server, Identikey Server can use it as a Back-End System in order to retrieve RADIUS attributes from it. Alternatively, you can use the RADIUS Server as an authority to permit dynamic creation of user accounts in Identikey Server and verification of static passwords Custom Back-End Integration You can write your own plug-in Engine to attach Identikey Server to your own back end system. This would be used primarily as an authority to permit dynamic creation of user accounts in Identikey Server and for verification of static passwords. Refer to the SDK Overview Guide for further information Back-End Integration There are a number of systems that can be used as Back-Ends to Identikey Server. These back-ends can be used as an authority on authentication data. The following back-ends can be used: Microsoft Active Directory Microsoft ADAM Novell e-directory Refer to 2.6 Back-End Authentication for further information. 29

30 Overview 1.10 SOAP SSL What is SSL? SSL stands for Secure Sockets Layer, which is a cryptographic protocol that provides secure communications over the Internet for , web browsing and, in this case, connection of two web-based applications via SOAP. SSL is the method by which a client can obtain a secure connection to a SSL-enabled server. The SSL-enabled server can identify itself to the client in a trusted manner before any information is passed between the client and the SSL-enabled server Terms Used in SSL Some of the terms used in describing the function of SSL are specific to SSL and cryptography. Listed below are some of the terms used in this chapter, and what they mean: Handshake Procedure - The client machine and the SSL-enabled server establish a trusted and secure connection before any sensitive information is passed between them Certificate - The certificate in this context is an encrypted file attached to a message. Certificate Authority - a trusted third party used to issue the certificates. Each browser will have a list of trusted Certificate Authorities it can use to check against the signature on a certificate. Public Key - A key used to encrypt and decrypt information that is known to the SSL-enabled server and clients that use it. Private Key - A key known only to the SSL-enabled server that is used to decrypt information. Symmetrical Encryption - encryption that uses only one key to encrypt and decrypt information. Asymmetric Encryption - encryption that uses two keys to encrypt and decrypt information How Does SSL work? 1. A client initiates a connection using a handshake procedure. The client connects to an SSL-enabled server (the server), requesting a secure connection. 2. The server sends back an encrypted certificate which usually contains the server name, the Certificate Authority and the server's public key. 3. The client decrypts the certificate using the server's public key. The client checks the Certificate Authority against its browser's list of trusted Certificate Authorities. 4. The client then encrypts a random number using the server's public key and sends this back to the server. This will be the secret that the client and server use to encrypt information passed between them. 5. The server then decrypts the random number using the private key. The nature of the public and private keys is that information encrypted with the public key can only be decrypted by the private key. 30

31 Overview 6. Information encrypted using the generated secret is passed between the client and server. If any part of the handshake procedure fails the whole handshake procedure will fail SSL, SOAP and Identikey Server If you want to write SOAP interfaces for Identikey Server, the server side of SSL is mandatory. The SOAP client must utilize SSL to verify the server when attempting to connect. When setting up the SOAP Communication Protocol on the Identikey Server Configuration application, you can specify whether the client certificate is required: Never - the client certificate is never required. Optional - the client certificate is optional Required - The client certificate is required Required - Signed Address Only - The Server must include its IP address in the certificate. The client will match this IP address against that of the server it is connecting to. If they don't match the handshake will fail. Similarly, the client certificate must include the IP address of the client. The Server will check the IP address from the client certificate against the client it is establishing a connection with, and the handshake will fail if the two IP addresses don't match. The Identikey Server Configuration application provides a test SSL certificate. The test SSL certificate is time limited so it will expire after a period of time. When the test SSL certificate expires you can recreate it from the configuration application. Alternatively purchase an SSL certificate with a longer expiry period. 31

32 Overview Image 11 : SSL handshake process The Identikey Server Configuration application SOAP Communication protocol page also contains a check box labelled Re-Verify on Re-Negotiation. Check this box to force the connection between SOAP and the Identikey Server to be re-verified each time a connection is established. Please note that this may cause problems with performance and so should not be checked unless absolutely necessary Available Guides 32

33 Overview The following Identikey Server guides are available: Product Guide The Product Guide will introduce you to the features and concepts of Identikey Server and the various options you have for using it. Getting Started Guide The Getting Started Guide will lead you through a standard setup and testing of key Identikey Server features. Windows Installation Guide Use this guide when planning and working through an installation of Identikey Server in a Windows environment. Linux Installation Guide Use this guide when planning and working through an installation of Identikey Server in a Linux environment. Administrator Reference In-depth information required for administration of Identikey Server. This includes references such as data attribute lists, backup and recovery and utility commands. Performance and Deployment Guide Contains information on common deployment models and performance statistics. Help Files Context-sensitive help accompanies the Administration Web Interface and Digipass Extension for Active Directory Users and Computers. Identikey Server SDK Programmers Guide In-depth information required to develop using the SDK. 33

34 User Authentication Process 2 User Authentication Process 2.1 Logging in with a Digipass The diagram below shows a typical login process for the three basic login methods supported by Identikey Server. Image 12 : Login Methods 34

35 User Authentication Process 2.2 Authentication Process Overview Identikey Server Authenticates logins in two basic ways: Using information from its data store ('local' authentication) Asking a Back-End system for verification of information ('back-end' authentication) The exact authentication process used by Identikey Server will vary depending on settings in the applicable Policy and Digipass User account. The diagram below shows the basic process followed when authenticating a Digipass User login. Image 13: Authentication Process Overview 35

36 User Authentication Process 2.3 Identifying the Component Record The component making an authentication request will be identified using: Component Type A name provided by the SOAP application, or a fixed name such as RADIUS Client, Citrix Web Interface, Outlook Web Access or Administration Program Location the source IP address of the request The component lookup and verification processes are a little different according to the type of component, as outlined below RADIUS Client Component Check For a RADIUS Client, the following component checks are made: Component Record exists A Component record for the RADIUS Client must exist, otherwise the request is discarded without responding: Type = RADIUS Client Location = the source IP address of the request OR if there is no RADIUS client at the specified location, Location = default Shared Secret is set The Component record must have a Shared Secret value set, otherwise the request is discarded without responding. Any RADIUS Client which does not have an explicit Component record will be handled using the default RADIUS Client Component if it exists IIS Module Component Check For an IIS Module Component the following component checks are made: Component Record exists A Component record for the IIS module must exist, otherwise the request is discarded without responding: Type = IIS module Location = the source IP address of the request 36

37 User Authentication Process 2.4 Digipass User Account Lookup and Checks Identikey Server performs a number of checks before proceeding to local authentication User ID and Domain Resolution In Identikey Server, Digipass User accounts are identified using a User ID and a Domain, not just a User ID. There are a few ways to do this: Windows Name Resolution In Windows environments, there are a few ways to provide these details when logging in: Using NT4-style domain qualification in front of the User ID: DOMAIN\userid Using User-Principal-name (e.g. userid@domain) With separate User ID and Domain fields (this is not possible using RADIUS) When Digipass User accounts correspond to Windows user accounts, the Windows Name Resolution feature can be used to support these three login formats. With ODBC or an embedded database, it is optional whether to user Windows Name Resolution or not. However, if the Windows Name Resolution process is enabled and fails, the login is rejected. Therefore, a login with a User ID that does not correspond to a Windows user account will be rejected. With this feature enabled, Windows is used to resolve the NT4-style and User-Principal-Name User ID formats. Windows Name Resolution is enabled using the Identikey Server Configuration program. Click the Configure Advanced Settings button on the ODBC Connection tab to get the Advanced Settings dialog; check the Use Windows User Name Resolution checkbox Simple Name Resolution When Windows Name Resolution is not used, the following formats are available: Using a similar format to User-Principal-Name: user@domain With separate User ID and Domain fields If the user@domain format is used for the User ID, the Identikey Server will look for a Domain record with the name given after If the Domain is found, part will be stripped from the User ID before the authentication process continues. If it is not found, the User ID will be left as user@domain, and no Domain will be identified. In that case, the Default Domain processing will be used, as described next. 37

38 User Authentication Process Default Domain Using either Windows or Simple Name Resolution, if none of the above formats are used, only the User ID is given, with no Domain qualification. It is still necessary to identify the Domain in order to look up the Digipass User account. The Default Domain can be configured in the following ways: In the Policy record, the Default Domain field can be set. If this is set, it will be used when no Domain has been identified by the Windows or Simple Name Resolution. When the Policy has no Default Domain set, the Master Domain will be used Active Directory User Account When Active Directory is used as the data store, Digipass User accounts are always attached to Active Directory User accounts. Therefore, if an authentication request is received for a User who does not have an account in Active Directory, the request is rejected. This is not mandatory for an ODBC or embedded database. 38

39 User Authentication Process Summary Active Directory The full process of User ID and Domain name resolution is illustrated in the following diagram, for the case where Active Directory is the data store: Image 14: Name Resolution with Active Directory 39

40 User Authentication Process Summary ODBC Database The full process of User ID and Domain name resolution is illustrated in the following diagram. Image 15: Name Resolution with ODBC database 40

41 User Authentication Process Windows Group Check (optional) Specific Windows Groups can be selected for authentication by the Identikey Server when all Users are Windows accounts. This Windows Group Check feature might be used when: Deploying Digipass in stages. Users are not required to log in using a Digipass until they are put into a Windows group. They can be put into the group in manageable stages. Two-factor authentication is needed only for access to sensitive data, which has been granted to certain Users (for example, administrators). Only this group of people will require Digipass, and will be authenticated by the Identikey Server. Other Users will be authenticated by another authentication method. Most Users will have Digipass and be permitted to log in to the system, but some Users should not be authenticated under any circumstances. Authentication is needed for the live Audit Viewer connection to the Identikey Server, when using Active Directory as the data store. The Group Check can be used to limit which users are allowed to connect, for example to the Domain Admins group. When the Group Check is active, Users who are in one of the defined groups go through the full authentication process. However, there are a few Group Check Modes that control the outcome for Users who are not in one of the groups. The Group Check Mode is defined in the Policy. One or more Windows Group names must be defined in a Group List in the Policy. Group membership is checked within the User's own domain only, therefore these Groups must exist in each domain where there are Users who need to be included in a Group. Important Note When the Group Check is used, if the Group Check fails, the login will fail. This will occur for a user who is unknown to Windows. The following Group Check Modes are available: 'Pass Back' Mode The full name in the Policy property sheet for this mode is: Pass requests for users not in listed groups back to host system The Identikey Server does not handle authentication for Users who are not in one of the defined groups. These Users are handled by the host system (eg. IIS). In effect, this means that they do not need to have Digipass User accounts and they do not need to use a Digipass to log on. As soon as the Group Check indicates that the User is not to be handled, authentication processing stops and the 'not handled' result is returned. This mode is suitable for staged deployment of Digipass and for the case where only certain Users need strong (Digipass) authentication. 41

42 User Authentication Process 'Reject' Mode The full name in the Policy property sheet for this mode is: Reject requests for users not in listed groups The Identikey Server rejects authentication immediately for Users who are not in one of the defined groups. This mode is suitable for restricting which Users are permitted to log in 'Back-End' Mode The full name in the Policy property sheet for this mode is: Use only Back-End Authentication for users not in listed groups This mode can be used when Back-End Authentication is set up (see 2.6 Back-End Authentication). The Identikey Server will just use Back-End Authentication for Users who are not in one of the defined groups. For example, if RADIUS Back-End Authentication is used, the job of authenticating Users not in the defined groups is delegated to the RADIUS server. No lookup will be carried out for the Digipass User account, and no further Local Authentication will be carried out. Back-End Authentication will be used for the out-of-group Users even if the Policy setting for Back-End Authentication is set to None. In that case, the in-group Users would be authenticated only by Local Authentication, while the out-of-group Users would be authenticated only by Back-End Authentication. However, it is necessary to define the Back-End Protocol Policy setting. This mode is suitable for staged deployment of Digipass and for the case where only certain Users need strong (Digipass) authentication Digipass User Account Lookup The Identikey Server checks that the User attempting to log in has a Digipass User account in the Identikey Server data store. The User ID and Domain Resolution performed earlier determines the search criteria to look up the Digipass User account. If a Digipass User account is found, the Disabled and Locked indicators are checked. If either is set to Yes, the authentication request is rejected immediately. If no Digipass User account is found, then Policy settings will determine whether the Identikey Server continues processing or rejects the authentication request: If Local Authentication is required, a Digipass User account must exist. It is only possible to proceed if the Dynamic User Registration feature is enabled. This is explained further below. If Local Authentication is not required, authentication processing can proceed without a Digipass User account. If the Local Authentication Policy setting is None, no Local Authentication is required. If it is set to 42

43 User Authentication Process Digipass/Password or Digipass Only, Local Authentication is required Dynamic User Registration Dynamic User Registration (DUR) allows Digipass User accounts to be created automatically when their credentials are validated by Back-End Authentication. The correct static password will be sufficient to permit a Digipass User account to be created. DUR saves the administrative work of manually creating or importing Digipass User accounts. It is typically used in conjunction with: the Digipass Auto-Assignment feature, which will assign the next available Digipass to the new Digipass User account as it is created, or the Digipass Self-Assignment feature, which will allow the new User to assign a Digipass to their account as part of their login process For more details on these Digipass assignment features, see 7 Digipass. In order to control the creation of new accounts, DUR can be used with: the Windows Name Resolution feature (mandatory for Active Directory). This will prevent more than one Digipass User account being created for the same Windows User account, when they use different User ID formats to log in the Windows Group Check feature, so that a staged creation of Digipass User accounts and assignment of Digipass is achieved A typical DUR process using Auto-Assignment and the Windows Group Check is illustrated below. 43

44 User Authentication Process Image 16 - Dynamic User Registration Process 44

45 User Authentication Process 2.5 Local Authentication Local Authentication is a term used to describe the Identikey Server authenticating a User based on information in its data store. Typically the Digipass One Time Password is required, but in other cases a static password may be sufficient. The Local Authentication Policy setting indicates whether to perform Local Authentication, and if so, whether a static password is permitted. This setting is overridden by the same setting in the Digipass User account, unless that has the value Default. However, this setting in the Digipass User account would typically be used only for rare special case Users. Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a User is not in the list of groups, no Local Authentication will be performed. The possible values for the Local Authentication setting are as follows: None No Local Authentication will take place. Digipass/Password A Digipass One Time Password or static password may be verified. As a general rule, until a User starts to use a Digipass, they may continue to authenticate with their static password. Digipass Only A Digipass One Time Password must be verified. Users without Digipass will not be able to log in. However, SelfAssignment is still possible, as an OTP is used as part of the process Digipass Lookup The first step of Local Authentication is to search for Digipass records applicable to the login. Normally, this is a simple search for all Digipass assigned to the Digipass User account. However, there are exceptions: No Digipass User Account If there is no Digipass User account, no search will be done. This can occur if Dynamic User Registration is enabled Policy Restrictions The Policy can specify restrictions on which types of Digipass and/or Digipass Applications may be used. Any combination of the following restrictions can be defined: 45

46 User Authentication Process Application Names - a list of named Applications. Only Digipass that have one or more of the named Applications will be usable. Application Type - either Response Only, Challenge/Response or Multi-Mode. Only Digipass with that Application Type will be usable, except Multi-Mode will match all application types. Digipass Type - a list of models such as DPGO3, DP260. Only Digipass from the listed models will be usable. Therefore, it is possible that a Digipass User account that has a Digipass assigned is not able to use that Digipass to log in, when a certain Policy applies. They will be regarded as a User without a Digipass in that case. In a different kind of login, a different Policy may apply, with no restrictions. Then they would be treated as a User with a Digipass. For example, a company has Go 3 Digipass (DPGO3) and Primary Virtual Digipass (DPVTL). The Outlook Web Access login permits both, so its Policy does not restrict Digipass Types. However the RADIUS VPN login requires the Go 3, so its Policy specifies Digipass Type = DPGO Linked User Accounts If a person has two Digipass User accounts, for example an administrative account and a 'normal user' account, the two accounts can be linked together. This provides the ability for the two accounts to share a Digipass. The Digipass is assigned to one of the accounts, then the other account is linked to it. Digipass record Attached to main User account Digipass User account 1 User Account Link Digipass User account 2 User can log into either account using the same Digipass Image 17: User Account Link When an authenticating Digipass user account is linked to another, the search for Digipass will be done for the other account. In the example above, Digipass User account 2 is linked to Digipass User account 1. The Digipass is assigned to Digipass User account 1. When Digipass User account 1 logs in, the Digipass search is for that account. When Digipass User account 2 logs in however, the Digipass search is for Digipass User account 1. 46

47 User Authentication Process Authentication with Digipass When the Digipass lookup returns at least one Digipass record, authentication processing requires a valid One Time Password to succeed, unless: All Digipass found are within a Grace Period. This feature is described below. The User successfully requests a Challenge for Challenge/Response (see below). The User successfully requests a Virtual Digipass One Time Password (see below) Server PIN A Server PIN may be required in addition to the One Time Password. The Server PIN is entered during login with the OTP - instead of a Digipass PIN, which is entered into the Digipass device. In some cases a new Server PIN may need to be set. This gives the following permutations: OTP - the normal login where a Server PIN is not required. PINOTP - the normal login where a Server PIN is required. PINOTPnewpinnewpin - to change the Server PIN, the new PIN is put twice after the OTP. OTPnewpinnewpin - to set the Server PIN on first use, when no initial PIN was programmed, the new PIN is put twice after the OTP. This is also necessary after an administrative PIN reset Grace Period Each Digipass may be given a Grace Period when it is assigned to a Digipass User account. The Grace Period is there to allow some time before the User receives the Digipass and learns how to use it. The first time that the User logs in successfully with their Digipass, the Grace Period is ended. After that, they have to continue to use the Digipass. The Grace Period is time limited, so that the User is not able to delay too long before they start to use the Digipass. The Grace Period can be set during manual administrative assignment of Digipass as well as during AutoAssignment. However, it is not applicable to Self-Assignment, because the User must use the Digipass to complete the Self-Assignment process. The Grace Period cannot apply when the Local Authentication setting is Digipass Only. During the Grace Period, if OTP validation fails, the static password is checked. If the static password is valid, Local Authentication succeeds (but note that Back-End Authentication, if used, can subsequently still cause the overall login to fail). The password is compared against the Digipass User account's password value. However, if the Digipass User account does not have a password set, the password has to be verified with Back-End Authentication. If there is no Back-End Authentication and no password in the Digipass User account, Grace Period password logins will not work. 47

48 User Authentication Process If the passwords do not match and Back-End Authentication is enabled, the password will be verified with BackEnd Authentication Challenge Generation There are two modes of Challenge generation for Challenge/Response: 2-Step Challenge/Response This mode can be used for Web authentication, where Challenge/Response is supported. In this mode, the authentication process takes place in two steps. First, the User requests a Challenge to be generated for them. The Policy defines how this request should be made, with the Request Method and Request Keyword settings (see below for more details on Request Methods). The Challenge is generated specifically for their Digipass, according to its programming. Assuming that the request for the Challenge is accepted and a Challenge is returned, the User submits a second step login with the Response to the Challenge as their OTP. This second step goes through the whole authentication process again to verify the Response. 1-Step Challenge/Response This mode is also possible for Web authentication, where Challenge/Response is supported. In this mode, the User sees only one logon step. This mode is suitable for time-based Challenge/Response, but is less secure for nontime based Challenge/Response. If an attacker manages to capture some valid Responses, they can repeatedly request new Challenges until one they know comes up again. A random Challenge is requested automatically by the Web Application and presented to the User on the login page. A general-purpose Challenge is generated, without reference to any particular Digipass' programming. The User logs in with their Response to the Challenge as their OTP Virtual Digipass OTP Generation Using Virtual Digipass, the authentication process takes place in two steps. First, the User requests an OTP to be generated and delivered to them. The Policy defines how this request should be made, with the Request Method and Request Keyword settings (see below for more details on Request Methods). The OTP is generated specifically for their Digipass, according to its programming. It is sent to their mobile phone number, as recorded in the Digipass User account. Backup Virtual Digipass has additional restrictions on usage, to keep the cost of text messages down. These are verified before an OTP will be generated. These restrictions are described in 7 Digipass. Assuming that the request for the OTP is accepted and an OTP is generated and delivered successfully, the User submits a second step login with the OTP. This second step goes through the whole authentication process again to verify the OTP. This process is illustrated below: 48

49 User Authentication Process Image 18: Virtual Digipass Login Requesting a Virtual Digipass OTP - User Perspective There are three ways a User might request a One Time Password to be delivered with either a Primary or Backup Virtual Digipass: 2-step Login Two login prompts are used to provide an easy-to-use login interface for Users with Virtual Digipass. The first prompt is used to request an OTP, the second to enter the received OTP. This can be used with applications which support 2-step logins eg. Citrix Web Interface, RADIUS with support for Challenge/Response. Two 1-step Logins The User must attempt two logins, the first of which will fail but will initiate the sending of an OTP to the User s mobile. This is used when the 2-step login process is not supported - eg. RADIUS without support for Challenge/Response, Web HTTP Basic Authentication. 49

50 User Authentication Process OTP Request Site Alternatively - especially if a more user-friendly option than the previous is needed - Users can go to the OTP Request site when they need an OTP sent to their mobile phone, then login normally at the usual login screen Request Method and Keyword For 2-Step Challenge/Response and Virtual Digipass, the method of requesting a Challenge or OTP respectively can be defined in the Policy. The methods for Primary Virtual Digipass and Backup Virtual Digipass are defined separately. The request methods are: Password - the static password. Keyword - a fixed keyword, which can be blank. PasswordKeyword - the static password followed by a fixed keyword, with no whitespace or separating characters inbetween. KeywordPassword - a fixed keyword followed by the static password, with no whitespace or separating characters inbetween. None - no method, the feature is disabled. Note If Password is set for the Request Method, and a User's Digipass is still within the Grace Period, Identikey Server may process the authentication with the password only and not as a 2-Step Challenge/Response or Virtual Digipass login. The static password in the request method is compared against the Digipass User account's password value. However, if the Digipass User account does not have a password set, the password has to be verified with BackEnd Authentication. If there is no Back-End Authentication and no password in the Digipass User account, the request methods that use a password will not work. If the passwords do not match and Back-End Authentication is enabled, the password will be verified with BackEnd Authentication. The methods of requesting these three login processes can be the same. When it recognizes a request, the Identikey Server will verify that there is a Digipass capable of that login process. If there is not, it will ignore the request. For example, say that the request methods for Primary and Backup Virtual Digipass are both defined as keyword otp. A User has a Go 3 with Backup Virtual Digipass enabled. When they login with the keyword otp, the Identikey Server will produce a Backup Virtual Digipass OTP, because the User does not have a Primary Virtual Digipass. 50

51 User Authentication Process Multiple Digipass or Digipass Applications A Digipass User may have multiple Digipass assigned to their User account, and/or multiple Applications enabled for a Digipass. If so, the Identikey Server will need to know which Digipass and Digipass Application will be used for a particular login for the User. Image 19: Multiple Digipass Assignment Once the Policy restrictions on Applications and Digipass Types are taken into account, there may still be more than one Digipass Application that could be used. In that case, the Identikey Server will check the OTP with each one. Any one of them can validate the OTP. A Grace Period may be applied to each Digipass assigned to a Digipass User. Because an applied Policy might restrict which Digipass can be used during a login, the Grace Period on each Digipass is independent of other Digipass. This means that if a User is assigned two Digipass, each with a Grace Period of seven days, the User may log in using one Digipass within the seven-day period (ending the Grace Period for that Digipass) without affecting the Grace Period for the other Digipass. Example The company has set up Policies which require a Response Only login via the local area network, and a Challenge/Response login via the internet limited to certain employees. John has two Digipass assigned to him a DP300 with the Challenge/Response application enabled, and a Go 3 with a Response Only application. The Digipass are both assigned on Tuesday. John receives his Go 3 on Friday, and immediately uses an OTP to login. His grace period for the Go 3 ends at that time in future he must use the Go 3 when logging into the intranet from the LAN. 51

52 User Authentication Process Over the weekend, John needs to access the company intranet from home. Because a Challenge/Response login is required via the internet and he does not yet have his DP300, he uses only his User ID and static password to log in. As he is still within the grace period for the DP300, the login is valid Authentication without Digipass When the Digipass lookup does not return a Digipass record, authentication processing requires a static password check to succeed. In addition, Self-Assignment is possible when the Digipass lookup does not return any Digipass Static Password Verification The password is compared against the Digipass User account's password value. If the static password is valid, Local Authentication succeeds (but note that Back-End Authentication, if used, can subsequently still cause the overall login to fail). However, if the Digipass User account does not have a password set, the password has to be verified with BackEnd Authentication. If there is no Back-End Authentication and no password in the Digipass User account, authentication without Digipass cannot work. Similarly, during Dynamic User Registration, where there is no Digipass User account yet, the password has to be verified with Back-End Authentication. If the passwords do not match and Back-End Authentication is enabled, the password will be verified with BackEnd Authentication. If the Local Authentication setting is Digipass Only, static password verification on its own is not permitted. An OTP must be used during login. This is possible using Self-Assignment Self-Assignment A User is able to assign a Digipass to their Digipass User account using the Self-Assignment mechanism, when permitted by the Policy settings. The Assignment Mode setting must be Self-Assignment. In order for Self-Assignment to succeed, the User needs to provide the following: A static password, validated by Back-End Authentication. The Serial Number of an available Digipass record. A valid OTP for the Digipass. A new Server PIN, if required. The Self-Assignment process is possible during Dynamic User Registration. It is also possible when the Local Authentication setting is Digipass Only. Response Only For a Digipass that supports Response Only, the User needs to enter the following in the password login field, 52

53 User Authentication Process depending on whether a Server PIN is needed or not: SERIALNUMBERpasswordOTP where a Server PIN is not required. SERIALNUMBERpasswordPINOTP where a Server PIN is required. SERIALNUMBERpasswordOTPnewpinnewpin where a Server PIN is required and no initial PIN was set. Challenge/Response For a Digipass that supports only Challenge/Response, this process requires two steps. In the first step, the static password and Serial Number are given. This results in a Challenge being returned. If the correct Response is given to the Challenge, the Self-Assignment is successful. Step 1: SERIALNUMBERpassword Step 2: OTP Serial Number Format The SERIALNUMBER may be entered in one of two formats, depending on the Serial No. Separator Policy setting. No separator specified the full 10 digit Serial Number must be entered, with no dashes (-) or spaces, for example Separator value specified the Serial Number can be entered as written on the back of the Digipass, for example

54 User Authentication Process 2.6 Back-End Authentication Back-End Authentication is a term used to describe the process of checking User credentials with another system. It is used primarily for: Enabling automatic management features such as Dynamic User Registration and Self-Assignment Static password verification for Users who do not have a Digipass and for Virtual Digipass Retrieval of RADIUS attributes from a RADIUS server Password Replacement - allowing the User to log in with just a One Time Password, in an environment where the Windows password is required (eg. Outlook Web Access) Identikey Server supports Back-End Authentication with the following systems: Windows Microsoft Active Directory Microsoft ADAM Novell e-directory RADIUS Custom solution (requires SDK) An Identikey Server can authenticate Windows Users via Windows or LDAP Active Directory Back-End Authentication. Windows Back-End Authentication should be used where the Identikey Server is installed on a Windows machine which is a member server of the Windows domain. LDAP Back-End Authentication may be used where the machine on which it is installed is either not a member server of the Windows domain, or running a Linux operating system. The Back-End Authentication Policy setting indicates whether to perform Back-End Authentication, and if so, when to do it. This setting is overridden by the same setting in the Digipass User account, unless that has the value Default. However, this setting in the Digipass User account would typically be used only for rare special case Users. Using the Windows Group Check in Back-End Mode, this setting can be overridden. If a User is not in the list of groups, Back-End Authentication will be performed whether it is enabled or not. The Back-End Protocol setting indicates which type of Back-End Authentication is to be used. The possible values for the Back-End Authentication setting are as follows: None The Identikey Server will not utilize Back-End Authentication. Always The Identikey Server will use Back-End Authentication for every authentication request. This is necessary if you require RADIUS attributes for each login. 54

55 User Authentication Process If Needed Back-End Authentication will only be used in situations where Local Authentication is not sufficient and to support certain features: Dynamic User Registration Self-Assignment Password Autolearn (see below) Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password Static password authentication, when verifying a Virtual Digipass password-otp combination or during the Grace Period Stored Static Password The Digipass User account has a Stored Static Password field. When Back-End Authentication is used, this field can be used: To store the static password required for Back-End Authentication. This means that the User does not need to type in the static password at each login, they only need enter the OTP. The Identikey Server can retrieve the Stored Static Password from the Digipass User account and use it for Back-End Authentication. To support Password Replacement. Back-End Authentication is used to learn the static password so that it can be replayed to the host system (eg. Outlook Web Access) when a successful OTP is given. Two product features are used to support this usage of the Stored Static Password: Stored Password Proxy and Password Autolearn Stored Password Proxy When the Stored Password Proxy setting is enabled in the Policy, the Identikey Server will retrieve the Stored Static Password from the Digipass User account. If Back-End Authentication is required for a login, the Stored Static Password will be used. If there is a host system (eg. Outlook Web Access), the Stored Static Password will be returned to it, for it to complete its login process. However, if the User enters a static password in front of their OTP, the static password they enter will take precedence over Stored Static Password. In that case, the Stored Static Password will not be used at all for that login. When the Stored Password Proxy setting is not enabled in the Policy, the Stored Static Password will not be used for Back-End Authentication. If Back-End Authentication is required for a login, the User will have to enter the static password. This is done in front of the OTP if an OTP is also used. Similarly, if there is a host system that requires a static password to be returned, the User will have to enter the static password. 55

56 User Authentication Process Password Autolearn When the Password Autolearn feature is enabled in the Policy, the Identikey Server will automatically store the static password when it is verified by Back-End Authentication. This can happen at any time from Dynamic User Registration onwards. If the User's static password has changed in the Back-End Authentication system, they will need to provide the new static password during their next login. This is done in front of the OTP if an OTP is used. When the Identikey Server sees that the User has entered a static password, if it does not match the Stored Static Password already, Back-End Authentication will occur to verify the new password. If it is verified, the Stored Static Password will be updated Back-End Server Records A Back-End Server record is required for RADIUS and LDAP-based Back-End authentications. It contains connection information for the system to be used. Typically, only one Back-End Server record will be required for LDAP Back-End Authentication, whereas RADIUS Back-End Authentication will require a record per RADIUS Server to be used Fail-over Strategy Each Back-End Server record is assigned a Priority. This comes into effect when multiple Back-End Servers are available, and the Identikey Server must decide which to use for a Back-End Authentication request. It will attempt to connect to the Back-End Server with the highest Priority rating. If it is not available after the set No. of Retries, the Identikey Server will attempt to connect to the Back-End Server with the next-highest Priority rating. If the Identikey Server repeatedly fails to get a response from a Back-End Server, it will ignore it for some minutes before trying it again. Therefore, a temporary slow response will not prevent the Identikey Server from using a Back-End Server. But a consistent availability problem will cause it to stop using the Back-End Server for a while, when it has an alternative Domain-Specific Back-End Servers Back-End Server records may be configured for use with a specific Domain. This may be useful when multiple Back-End servers exist with different groups of User records on each. When the Identikey Server has to choose a Back-End Server, it will search for those records in the Domain identified by the User ID and Name Resolution process. If any are found, it will only use those Back-End Servers for that Domain. If none are found, it will use the Back-End Servers that are not assigned to a Domain. 56

57 User Authentication Process RADIUS Back-End Authentication Identikey Server can pass RADIUS return attributes from the Back-End server to the client. Back-End Authentication is supported with the following protocols: PAP CHAP MS-CHAP MS-CHAP2 with MPPE key generation Note Identikey Server does not provide stand-alone RADIUS attribute support Microsoft Active Directory Back-End Authentication using LDAP protocol Note For instructions on setting up a Back-End Server record for an Active Directory server, see the Administration Web Interface online help. When using Microsoft Active Directory with Identikey Server for Back-End Authentication: The Domain Controllers must be Windows Server 2003 or higher. Microsoft Windows 2000 is not supported If the global catalog is set up (via Administration Web Interface -> Back End -> Settings) and no back-end components have been defined, domain discovery via the global catalog will be used to search for the User. If domain discovery via the global catalog is to be used, Users must be set up in the same Domain on Active Directory as they are on Identikey Server The Identikey Server must be configured to use the DNS server containing the DNS records of the Active Directory server or an entry has to be present in the host file that maps the IP of the Active Directory domain controller to the fully qualified domain name of the domain controller. On Linux this has to be configured on both the host OS and chroot level. Note The Active Directory back end may be configured to authenticate Active Directory users via an instance of ADAM that has been installed on the domain controller, with the condition that the user's Identikey Server domain and Active Directory domain have the same name. The ADAM 57

58 User Authentication Process instance will automatically delegate authentication to Active Directory The steps in Back-End Authentication for Active Directory are: 1. Identify the Active Directory Domain Controller using the LDAP Back End Server entries in the data store or the Global Catalog. Supported User Logon Format for Microsoft Active DirectoryUserid Format 2. Source of Userid UserID SAMAccountName attribute of the user MYREALM\userid Fully qualified domain name + SAMAccountName attribute of the user userid@mydomain.com SamAccountName attribute of the user + fully qualified domain name Identikey Server will bind to the directory server that handles the authentication request it will use the UserID and the password specified in the authentication request received by the Identikey Server. If the bind succeeds, the user authentication is deemed to be successful. If the bind fails, the authentication is deemed to have failed. Note Identikey Server only supports SASL.Digest-MD5 binding as the client authentication mechanism for binding with the supported Back-End authentication servers Novell e-directory Back End Authentication using LDAP protocol Note For instructions on setting up a Back-End Server record for an e-directory server, see the Administration Web Interface online help. The version of Novell e-directory used for LDAP Back-End Authentication on Identikey Server must be version 8.7 or higher. The following rules must be followed to set up Novell e-directory for LDAP Back-End Authentication on Identikey Server: If anonymous binding is disabled on the edirectory server the Security Principal DN has to be an edirectory account that has the necessary permissions to search the directory for the user accounts that have to be authenticated. Each userid has to be unique below the search Base Distinguished name in the LDAP structure. 58

59 User Authentication Process Partitioning is not supported, although exactly the same search Base Distinguished name may be used on different servers. Novell e-directory must be enabled with Universal Password. Supported User Logon Format for Novell e-directoryuserid Format Source of Userid UserID Userid of the user MYREALM\userid Fully qualified domain name + Userid of the user userid@mydomain.com Userid attribute of the user + fully qualified domain name The steps in Back-End Authentication for Novell edirectory are: 1. Identify the edirectory server based on the edirectory Back-End entries in Identikey Server. 2. Bind to edirectory using the security principal DN and password defined for the edirectory back-end if principal details specified. 3. Search edirectory for the FQDN of the user that has to be authenticated (starting from the Base Search DN). 4. Try to authenthicate with edirectory using a bind with the FQDN and password of the user to be authenticated Note Identikey Server only supports SASL.Digest-MD5 binding as the client authentication mechanism for binding with the supported Back-End authentication servers. Image 20: The steps in Back-End Authentication for Novell edirectory and ADAM 59

60 User Authentication Process ADAM Back End Authentication using LDAP protocol Note For instructions on setting up a Back-End Server record for an ADAM server, see the Administration Web Interface online help. 60

61 User Authentication Process The following rules must be followed to set up ADAM for LDAP Back-End Authentication on Identikey Server: If anonymous binding is disabled the security Principal DN has to be an ADAM account that belongs to the READERS role Note ADAM back end authentication is not available for users in an instance of ADAM that has been installed on a Domain Controller or on a machine that is a member of the domain. Supported User Logon Format for ADAMUserid Format Source of Userid UserID Common name of the user MYREALM\userid Fully qualified domain name + common name of the user userid@mydomain.com Common name attribute of the user + fully qualified domain name The steps in Back-End Authentication for ADAM are: 1. Identify the ADAM server based on the ADAM Back-End entries in Identikey Server. 2. Bind to ADAM using the security principal DN and password defined for the ADAM back-end if principal details specified. 3. Search ADAM for the FQDN of the user that has to be authenticated (starting from the Base Search DN). 4. Try to authenthicate with ADAM using a bind with the FQDN and password of the user to be authenticated Note Identikey Server only supports SASL.Digest-MD5 binding as the client authentication mechanism for binding with the supported Back-End authentication servers. 61

62 User Authentication Process 2.7 Authorization Profiles/Attributes A Web Application using SOAP may retrieve authorization data from Digipass User Accounts. For example, a lookup key in the web application's database. Some IIS Modules utilise User attributes to allow a web site to retrieve authorization information from local Windows accounts. Individual User attributes may be set for a Digipass User account. The Identikey Server will return these attributes to the Web Application during authentication if requested User Attribute Settings Attribute Group An Attribute Group is specified by the Web Application as a parameter to the authorization request. When multiple IIS Modules are in use, the specified Attribute Group ensures that only attributes required by the specific Web Application are used. Name A name for the attribute as expected by the Web Application. Usage Basic indicates that the attribute is for use by the IIS 6 Module for Basic Authentication. Other options are available for Digipass Plug-In for SBR and are not relevant for Identikey Server. Value The Value set for an attribute will be the required value of the named attribute. 2.8 Host Code Generation If the Web Application requests a Host Code and the Digipass is capable of generating one then Identikey Server will generate a Host Code and the application will display it to the User. The User generates a Host Code on their Digipass and checks that it is the same as the one on the screen. Host Code generation is passed as a parameter in the authentication request. There are two options: Optional - only return a Host Code if the Digipass is Host Code capable Required - Digipass must be Host Code capable or the request will fail. 62

63 User Authentication Process 2.9 Supported RADIUS Password Protocols The following protocols are supported by Identikey Server: PAP CHAP MS-CHAP with MPPE (Microsoft Point-to-Point Encryption) MS-CHAP2 with MPPE Some protocols do not support all authentication features of Identikey Server. See 2.10 Unsupported by Identikey Server and the Login Permutations section of the Administrator Reference for more information. 63

64 User Authentication Process 2.10 Unsupported by Identikey Server Limitations of RADIUS Password Protocols Some features of the Identikey Server are not supported with CHAP or MS-CHAP. These protocols hash login data together, making separation of various entries impossible. The unsupported features are outlined below: Self-Assignment of Digipass cannot be performed. The Server PIN cannot be changed. Challenge/Response is not supported. Windows Back-End Authentication is not supported unless the User ID and Windows password are manually stored, and Stored Password Proxy is enabled. Password Autolearn is not supported, as clear text passwords cannot be identified. The User Self-Management Web Site, when utilized, can circumvent many of these problems by allowing Users to manage their account and Digipass. It uses RADIUS with the PAP password protocol. Users can: Perform Self-Assignment Change their Server PIN Change their own Stored Static Password Unsupported RADIUS Password Protocols MS-CHAP with LM Hash The password change mechanism for MS-CHAP and MS-CHAP2 EAP Limitations of International Character Support A number of Identikey Server components provide international character support, and some limitations apply: Database International character support in the database is dependent on the individual database driver. See the Encoding and Case Sensitivity topic in the Administrator Reference for more information. RADIUS International character support in the Identikey Server using the RADIUS protocol is dependent on the RADIUS Client(s) being used. If a RADIUS Client uses UTF-8 encoding, international characters will be fully supported. If a RADIUS Client uses a localized encoding (eg. ISO ), the same locale setting must be configured on each 64

65 User Authentication Process machine. Web For the Digipass Pack for OWA Basic Authentication and the Digipass Pack for OWA Forms Authentication, international character support is limited to a single configured encoding. See the Guide for the specific Digipass Pack for more information. DPADMINCMD DPADMINCMD supports international characters, but your console window must be able to support the characters or they will not display correctly Limitations of Web Basic Authentication Some features of the Identikey Server are not supported with the HTTP Basic Authentication mechanism. This mechanism does not support a 2-step login process. The unsupported features are outlined below: Challenge/Response is not supported. 65

66 Signature Validation Process 3 Signature Validation Process 3.1 Signing a Transaction Identikey Server will allow you to sign transaction data using a Digipass that is set up to generate digital signatures. A digital signature is based on transaction details entered into the Digipass. The Digipass uses the transaction details and an embedded secret to generate a signature, which is typically entered into a confirmation page to proceed with the transaction. This signature will be validated by the server if it is incorrect the transaction will not be permitted to proceed. 3.2 How Do I Generate a Signature? Signature generation will be an application on your Digipass. 1. Select the Signature application on your Digipass. 2. Enter the required transaction details. Digipass can be programmed to accept up to eight transaction data fields such as: transaction amount transaction ID destination account number The Digipass will generate a signature and display it on its screen. Enter the generated signature into the transaction you are signing and submit the transaction. Real Time Signature Validation Real Time Signature Validation is signature validation that is performed in real-time, such as through an online banking application. A typical scenario is where a User creates a transaction, say, paying a bill on a banking website. The transaction requires a signature so the User enters the relevant details into their Digipass. The Digipass produces a signature and the User enters this into the website and then submits the transaction. The transaction details and signature are verified by Identikey Server and a status message is returned straight to the web page the User is on. The User knows within the time it takes to process a normal transaction whether or not the transaction they submitted has been verified. 66

67 Signature Validation Process Deferred Signature Validation Deferred time Signature Validation is signature validation that is not performed in real time. An example scenario may be that a User submits a transaction online with the signature generated by the Digipass. The transaction will then enter a queue to be verified. The User receives a message that the transaction has gone into a queue. A batch job picks up the transaction and verifies it against the policies and details of the Digipass. The User may not know until minutes or hours later that the transaction has been signed and verified. It is important in this case for the User to keep a record of the time the transaction was submitted, as this may be important if the transaction is challenged. 3.3 Time based signature The signature application may be time based. This means that the Digipass will generate a different signature for the same input data at different times. The signature validation procedure relies on the time on the Digipass and the time on Identikey Server being synchronized to within an acceptable tolerance. Each time a One Time Password or a signature is generated the Identikey Server records the difference in times between the Digipass and itself. The time based signature validation procedure also uses Time Steps to verify signatures. A Time Step is a setting which specifies the number of seconds between generations of a One Time Password on a Digipass. The Identikey Server will use the time step and the known difference in time between itself and the Digipass to verify signatures. Use the STimeWindow policy setting to set the tolerance allowable for signature verification. Time based signatures can be real-time or deferred. If deferred time based signatures are used they may be reverified at a later date by comparing the input details against the signature produced by the Digipass, as long as the time the transaction was performed is known. 3.4 Event Based Signature The signature application may be event based. This means that it contains a numeric counter that increases every time a signature is generated. The signature process relies on an event counter to enable each signature to be unique. The Digipass and Identikey Server need to have synchronized event counters. The tolerance for the difference between the event counters can be set by using the Event Windows policy setting. During Real Time Signature Validation the event counter on Identikey Server is updated with the value used by the Digipass, to keep the two event counter values synchronized. During Deferred Time Signature Validation the event counters for transactions generated on the Digipass may get out of step with the event counter held on Identikey Server. Setting the Event Window policy setting will enable signed transactions to be processed in any order without causing a verification error. 67

68 Signature Validation Process 3.5 Static Signature These signatures are generated using neither time or event counter. They will always produce the same signature for the same input. There is no difference between real-time and deferred time with these signatures. 3.6 Signature Verification Process Digital Signatures are verified by Identikey Server using a number of specific checks. Image 21: Steps of Signature Verification Process Component Checks Identikey Server will try to identify the application from which the request for registration came. There must be a component record on the data store for that application. A client component record must exist for the Signature Verification application and location from which it connects to the server. The component type is set as a parameter by the application; the location is the source IP address of the SOAP address. 68

69 Signature Validation Process Policy Checks Identikey Server identifies the policy to use in the signature authentication from the client component record and checks the validity of the policy User Account Lookup and Checks Identikey Server checks the User Account to : Ensure that the User ID and Domain have been defined Perform the Windows Group Check if necessary Check whether a User Account exists Check whether the User account is disabled or locked if it already exists. Dynamic User Registration is NOT possible. If the User Account does not exist then the check will fail Signature Validation A search is performed for a Digipass that is assigned to the User that fulfils the Signature policy limits. If more than one Digipass is found the list is filtered by using the Serial Number for the Digipass, which will have to be passed into the signature process as a parameter. Allowance should be made when designing the web page that will allow transactions to be signed, to make sure that Users with more than one Digipass can enter a Serial Number to identify which one is being used. When the correct Digipass is identified the Digipass type is checked. The Digipass type must be either 'SG' (Signature) or 'MM' (Multi Mode) to allow signatures. The signature is then verified and a response is produced Finalization The relevant parts of the Data Store are updated after the signature validation has been carried out successfully. A response is produced. The Audit data is updated with the transactions that took place and the result of those transactions. If the Web Application requests a Confirmation Code and the Digipass is capable of generating one then Identikey Server will generate a Confirmation Code and the application will display it to the User. The User generates a Confirmation Code on their Digipass and checks that it is the same as the one on the screen. Confirmation Code generation is passed as a parameter in the authentication request. There are two options: Optional - only return a Confirmation Code if the Digipass is Confirmation Code capable Required - Digipass must be Confirmation Code capable or the request will fail. 69

70 Signature Validation Process 3.7 Policy Settings There are specific Policy settings for signature verification. See the Policy Properties topic in the Field Listings section of the Administration Reference for information on these settings. Event Window - the allowable difference between the Digipass event counter and Identikey Server event counter. OnlineSG specifies how signatures will be verified. STimeWindow - Shows the acceptable difference in time between the time set on the Digipass and the time set on Identikey Server for signatures. The lowest value is 2, the highest is

71 Software Digipass Provisioning 4 Software Digipass Provisioning 4.1 Software Digipass Provisioning Overview What is a Software Digipass? Software Digipass are software versions of Digipass that provide authentication and signature functions for Javaenabled mobile devices and web browsers. They generate a One Time Password or Digital Signature for you in the same way as a hardware Digipass. See 1.3 Types of Digipass for more information. Each Software Digipass requires: Software installed on the client device An applet for Digipass for Mobile An applet for Digipass for Web An applet for DP110 A unique activation code Each Software Digipass will have to be installed on the host device, then activated using an activation code. It can then be used to generate One Time Passwords and Digital Signatures Software Digipass Types The following types are supported by the Provisioning function in Identikey Server: Digipass for Mobile The Digipass for Mobile is a Java applet that runs on any Java enabled mobile phone or BlackBerry. You can use it to generate a One Time Password or Digital Signature on demand. Digipass for Web The Digipass for Web is a Java applet that runs on your internet browser using cookies for data storage. You must therefore have cookies enabled on your internet browser. Digipass for Web will also generate a One Time Password or Digital Signature on demand. DP110 The DP110 is a hybrid Digipass. This means that there is a hardware component, and a software component. A Java applet runs on your internet browser, and a USB stick is plugged in to the same machine. These two components together will generate a One Time Password on demand. 71

72 Software Digipass Provisioning What is Provisioning? The term 'Provisioning' in Identikey Server refers to delivery, registration, and activation of the software. The three steps of provisioning are: 1. Software Delivery You are free to deliver the software in any way you choose. You can either deliver software to Users, or allow them to download the software from a secure site. The code required for activation of the Software Digipass or DP110 - the Activation Code - may be delivered 'online' to the Software Digipass application or DP110 that requires it, or it may be delivered 'offline' Online delivery Online delivery means that the Activation Code is delivered directly to the application that is going to use it. If the Activation Code is delivered in this way the User will never see it. This option is available for Digipass for Web, DP110, and Digipass for Mobile 2.5. Offline Delivery Offline delivery means delivering the Activation Code using a mechanism such as , text message or fax. In Digipass for Web the Activation Code will typically be delivered in an containing a link. The applet reads the Activation Code from the link. 2. User/Digipass Registration The Digipass records must be imported from a DPX file before Registration can occur. Each Software Digipass User requires a Digipass User account on Identikey Server. The User accounts can either be imported into Identikey Server, created individually, or created dynamically during registration if Dynamic User Registration is available. For Software Digipass to work, a Digipass record needs to be allocated to the User account. This can be done in two ways: a. Manually by an Administrator using, for example, the Web Administration interface. b. Automatically. This is where the Digipass is assigned to the User account during the Registration process. This will allocate the first Digipass of the correct type and functional ability that it can to the User. In Identikey Server this functionality is known as Auto Assignment. See the Digipass chapter in the Product Guide for more details. The second step of Registration is to generate an activation code and send it to the User. 3. Activate Software Each Software Digipass needs to be activated before it can be used. This means that Identikey Server is informed that all the components are in place for the Software Digipass and you are ready to use it. There are two stages to activation: 72

73 Software Digipass Provisioning a. Delivering the Activation Code to the software b. Sending the first One Time Password to the server. Image 22: Steps of Provisioning Which Server Components implement Provisioning? There are two main components and one optional component required to implement Provisioning: Web Application - Customer written. The Web Application controls the user interaction during Provisioning. The Web Application uses the SOAP SDK to communicate with Identikey Server. Refer to the SOAP SDK documentation for more information. The Web Application: Can make the Software Digipass software available for download Has to arrange delivery of the Activation Code to the User Sends the first One Time Password to Identikey Server Identikey Server Identikey Server handles Digipass User accounts and Digipass records. It generates Activation Codes, verifies One Time Passwords and stores static passwords. Back-End System The Back-End System can be used by Identikey Server for Dynamic User Registration and/or static password verification. See 2.6 Back-End Authentication for more information. 73

74 Software Digipass Provisioning 4.2 Provisioning Scenarios The following scenarios show how Provisioning will work for different Digipass in different situations. Refer to the table below for the scenario that best fits your requirements: Scenarios User account User knows on Identikey Static Server Password Provisioning Policy Local Auth Back-End Auth Digipass Type Back-End Protocol Dynamic User Registration Digipass for Mobile 1 Y Y None None MOB Digipass for Web 1 Y Y None None WEB Digipass for Web 2 Y Y Digipass Only or None Digipass/ Password WEB Digpass for Web 3 N Y Digipass Only or Always or If Digipass/ Needed Password WEB10 Windows, RADIUS, LDAP, custom Enabled DP110 1 Y Y None DP DP110 2 N Y Always DP110 Windows, RADIUS, LDAP, custom - None Digipass for Mobile Scenario 1 - Activation codes are encrypted with pre-loaded static password Pre-Conditions The User account has been created on Identikey Server The User knows their static password The static password has been imported into Identikey Server The provisioning policy has been defined with the following settings No Local Authentication (Digipass/Password) No Back-End Authentication (None) Digipass type 'MOB25' 74

75 Software Digipass Provisioning Image 23: Digipass for Mobile Scenario 1 process Procedure The User enters their mobile number and their mobile type (Java or BlackBerry) into the Provisioning website. The Provisioning webserver sends an Text Message to the mobile number which contains the URL to be used to download the DP4Moble applet. The User uses the URL to download the Digipass for Mobile applet, and then installs the applet on their mobile phone. The User enters their User ID into the applet, and the applet sends a 75

76 Software Digipass Provisioning registration request to the webserver, which sends a registration request to Identikey Server. Identikey Server assigns the Digipass for Mobile Digipass to the user, generates an encrypted activation code and sends it to the Digipass for Mobile applet. When the User has the serial number and activation code the second part of the activation can take place. The User enters their static password into the Software Digipass to activate it. The One Time Password is then generated and submitted to the Provisioning Server and from this server to Identikey Server to complete the activation procedure. A response will be received on the mobile phone indicating whether the activation has been successful Digipass for Web There are three scenarios that can be employed when activating Digipass for Web. They all have different preconditions. Which scenario is employed will depend on how Identikey Server is implemented. Scenario 1 Activation codes are encrypted with pre-loaded static passwords Pre-conditions. User account has been created on Identikey Server The User knows their static password The static password has been imported into Identikey Server Provisioning policy defined with the following settings: No Local Authentication (None) No Back-end Authentication (None) 76

77 Software Digipass Provisioning Process Image 24: Digipass for Web Scenario 1 Process Procedure The User enters their user ID, address and PIN on the website. If registration is successful the Digipass for Web applet is provided with the serial number of the Digipass that is to be activated and an encrypted activation code. Note that the PIN is not sent to the server but is used locally by the Digipass for Web applet. The User will have to re-enter their User ID, PIN and password to decrypt the Activation Code and complete 77

78 Software Digipass Provisioning activation. The applet decrypts the Activation Code, activates itself and sends a One Time Password to the server. A response will be received indicating whether the activation has been successful. Options To make sure that the User changes their static password, extra fields can be added to the second page in this scenario. Fields can be added to the input page so that the User can enter a new static password, and then enter it again for confirmation. The User needs to do this so that the original password can only be used once, for activation. The new password can be used for re-activation. See Reactivation section below. Scenario 2 Pre-Loaded User Accounts and Static Passwords Pre-conditions. the User account has been created on Identikey Server the User knows their static password The static password has been imported into Identikey Server The provisioning policy has been defined with the following settings: Local Authentication (Digipass Only or Digipass/Password) No Authentication (None) Process Image 25: Digipass for Web Scenario 2 Process Procedure The User enters their user ID, address, static password and PIN on the registration website. If registration is successful the serial number of the Digipass that is to be activated and an activation code are delivered to the Digipass for Web applet. The User re-enters the User ID and PIN. Digipass for Web generates a One Time Password and then submits this with the serial number to the server. Activation then takes place. A response will be received indicating whether the activation has been successful. Options To make sure that the User changes their static password, extra fields can be added to the second page in this scenario. Fields can be added to the input page so that the User can enter a new static password, and then enter it again for confirmation. The User needs to do this so that the original password can only be used once, for activation. The new password can be used for re-activation. See Reactivation section below. 78

79 Software Digipass Provisioning Scenario 3 Dynamic Registration using Back-End System Pre-conditions the User account has not been created on Identikey Server the User knows their static password for their account in the Back-End system The Provisioning policy has been defined with the following settings: 79

80 Software Digipass Provisioning Local Authentication (Digipass Only or Digipass/Password) Back-End Authentication (Always or If Needed) Back-End Protocol (Windows, RADIUS, LDAP Back-End authentication, or Custom name) Dynamic User Registration EnabledProcess Image 26: Digipass for Web Scenario 3 Process 80

81 Software Digipass Provisioning Procedure The procedure very similar to scenario 2; the User will not see a difference. The difference for the Identikey Server is that the Back-End system is used to verify the User Id and Password. If they are OK, and account is created automatically in Identikey Server. Options To make sure that the User changes their static password, extra fields can be added to the second page in this scenario. Fields can be added to the input page so that the User can enter a new static password, and then enter it again for confirmation. The User needs to do this so that the original password can only be used once, for activation. The new password can be used for re-activation. See 4.6 Reactivation section below. 4.3 DP110 Provisioning Overview The DP110 is a hardware/software combination Digipass. It does not require any software to be installed on the client side to enable it to run, but it does require the correct policy settings to be provided, followed by activation. There are two scenarios that can be employed when activating a DP110. They both have different pre-conditions. Which scenario is used will depend on how Identikey Server is implemented Scenario 1 Pre-Conditions User account created User knows historical secret Historical Secret imported in Identikey Server (as static password) Provisioning policy defined with following settings: Local Authentication NO Back-End authentication Digipass type is 'DP110' 81

82 Software Digipass Provisioning Process Image 27: DP110 Scenario 1 Procedure The User opens the browser on his PC, and goes to the registration page of the DP110 provisioning website. The DP110 provisioning website generates a challenge which will be used to encrypt the new server PIN. The User enters their user ID, static password, new server PIN, confirmation of new server PIN, and DP110 serial number on the registration website. The DP110 Applet generates a Challenge Encrypted Static Password (CESPR) using the generated challenge and the new server PIN. 82

83 Software Digipass Provisioning On the server side, the CESPR is verified. If verification is successful the DP110 is assigned to the User, and the initial PIN is set. The Digipass Grace Period is set according to pre-defined parameters. The activation page is returned if the provisioning is successful, or an error message will be returned if the provisioning is not successful Scenario 2 Pre-Conditions User Account NOT created User knows historical secret to allow authentication by a legacy back-end system Provisioning policy defined with the following settings: NO local authentication (None) Back-End authentication (Always) Digipass type DP110 83

84 Software Digipass Provisioning Process Image 28: DP110 Scenario 2 84

85 Software Digipass Provisioning Procedure The User enters their user ID, static password, challenge, CESPR, and DP110 serial number on the registration website. On the server side, the user is authenticated on the Back-End. If the Back-End authentication is successful the User is then registered to Identikey Server using Dynamic User Registration. The DP110 is then assigned to the User, and the initial PIN is set. The Digipass Grace Period is set according to pre-defined parameters. A response will be received indicating whether the activation has been successful. 4.4 What are the steps in registration of a Software Digipass? Image 29: Steps of Software Digipass Registration Identify Component Identikey Server will try to identify the application from which the request for registration came. A client 85

86 Software Digipass Provisioning component record must exist for the Provisioning application and location from which it connects to the server. The component type is set as a parameter by the application; the location is the source IP address of the SOAP request Identify Policy Identikey Server identifies the policy to use in the registration from the client component record and checks the validity of the policy. The following settings on the policy will not be used as they are not relevant to Provisioning. Digipass Assignment Settings Challenge Settings Digipass User Account Lookup and Checks Identikey Server checks the User Account to: Ensure that the User Account and Domain have been defined Perform the Windows Group Check if necessary Check whether a User Account exists Check whether the User account is disabled or locked if it already exists Local Authentication Local Authentication is an optional step in Software Digipass Registration. If Local Authentication is performed a static password MUST be entered. The static password will be verified against the static password held against the User Account. If the static password is not verified or no User Account exists or the User Account exists but has no password recorded against it, the registration will fail if Back-End Authentication is not enabled. If Back-End Authentication is enabled then the Back-End system will verify the password. If the password is verified but there is no User Account in Identikey Server, an account will be created. Dynamic User Registration must be enabled for this to succeed Back-End Authentication The static password will be authenticated by the Back-End system. If the Back-End System does not verify the credentials, Registration will fail Digipass Assignment The Registration process will perform the following steps: Search for an applicable Digipass according to the criteria on the policy associated with the User account that 86

87 Software Digipass Provisioning is capable of activation. If one was not found, Assign the first applicable and available Digipass record to the User Account F Activation Code Generation The reactivation restrictions are checked. If this is a reactivation and reactivation is allowed, then the User Account and the Digipass record already exist in Identikey Server and will be used in the following steps. The Activation Code is generated using the first capable application in the Digipass. The Activation Code may be encrypted with the User's password if the password was not verified by Local and Back-End authentication Finalization In the finalization step the created Users and assignment are confirmed to the Data Store. Records are written to the Audit system to record the actions that have taken place, and the results. A response is sent to the User to confirm registration or to show an error message if activation failed. 4.5 What are the steps in activation? Image 30: Steps of Software Digipass Activation Identify Policy, Component, and Digipass User Account Lookup and Checks 87

88 Software Digipass Provisioning The activation process performs the same Identify Policy and Digipass User Account Lookup and Checks as the registration process, except that the User Account MUST already exist Verify One Time Password The One Time Password is verified against the Digipass record Activation The Digipass is set to ACTIVE in the data store and the grace period will end, if one was set Finalization In the Finalization step the activation is confirmed to the Data Store. Records are written to the Audit system to record the actions that have taken place, and the results. A response is sent to the User to confirm activation or show an error message if activation failed. 4.6 Reactivation From time to time software Digipass will have to be reactivated. This may occur rarely for Digipass for Mobile, such as when the User buys a new mobile phone, or it may occur more often for Digipass for Web, such as when the User clears the cookies in their browser Reactivation is carried out in the same way as the original activation, but the User account will already exist with a capable Digipass assigned. The registration process will use the assigned Digipass to generate the Activation Code. Configuration Settings can be set up to set the following limits: Activation Limit - this will limit the number of activations that can be performed on one Software Digipass. Minimum Interval - This sets the minimum time interval between reactivations. Maximum Locations - This sets the maximum number of locations a Software Digipass can be activated from, such as home, office, laptop. This only applies to Digipass for Web. Note The activation limits apply to all activation attempts. If an activation fails in the second stage this will still count as an activation, and will count against the activation limits. These settings are defined in the Scenarios Section of the Identikey Server Configuration 88

89 Administration Interfaces 5 Administration Interfaces The main user interfaces available for administration of Identikey Server are introduced in this section. 5.1 Data Administration Where Identikey Server uses an ODBC database including the embedded PostgreSQL database as its data store, all data administration can be carried out using the Administration Web Interface. Where Identikey Server uses Active Directory as its data store, Digipass User accounts and Digipass records are administered via the Active Directory Users and Computers Snap-In, rather than the Administration Web Interface. Active Directory Users and Computers Snap-In Administration Web Interface ODBC Database - Digipass Users Digipass Policies Clients Back End Servers Organization Reports System Active Directory Digipass Users Digipass Policies Clients Back End Servers Reports System Administration Web Interface The Administration Web Interface is a web-based administration tool. ODBC Database Data available for administration in the Administration Web Interface Users Digipass Policies Clients Back End Servers Organization Reports System Active Directory Policies Clients Back End Servers Reports System 89

90 Administration Interfaces Note Only Administrators have access to the Administration Web Interface. If you do not have Administrator access you will not be able to use the Administration Web Interface. User Accounts If Identikey Server uses an ODBC database including the embedded PostgreSQL database as its data store, the Administration Web Interface can be used for the following tasks: Import Digipass User accounts singly or in bulk Create Digipass User accounts Edit Digipass User accounts Disable Digipass User accounts Delete Digipass User accounts Search for User Accounts The Administration Web Interface allows you to search for Digipass User account records in a number of ways: Search directly by entering the User ID Search for the User that a specific Digipass belongs to by searching for the Digipass and double clicking on the User on the Digipass details screen You can enter the first few characters of the User ID followed by a wildcard (*). A results list will be provided from which you can select the User required. Digipass Record Administration If Identikey Server uses an ODBC database including the embedded PostgreSQL database as its data store, the Administration Web Interface can be used for the following tasks: Import Digipass either individually or in bulk Create Digipass records Reset Digipass Reset PIN for a Digipass Assign Digipass Unassign Digipass Activate and deactivate applications for Digipass Unlock a Digipass Search for Digipass Records The Administration Web interface allows you to search for Digipass in a number of ways: 90

91 Administration Interfaces You can search directly for the Digipass by entering the Digipass Serial Number You can search for Digipass that belong to a User by searching on the User and then double clicking on the Digipass on the User Details Screen You can enter the first few numbers of the Digipass Serial Number followed by a wildcard (*). This will provide you with a list from which you can select the Digipass you require. You can search based on the description field of a Digipass record. Policy Policy records can be edited, created or deleted using the Administration Web Interface. New Policy records can be created using a wizard. Client Records The Administration Web Interface allow you to create, manage, and delete Client Records. Back End Server records The Administration Web Interface can be used to edit, create or delete Back End Server Records, and configure general Back End authentication settings. Domain and Organizational Unit Records Use the Administration Web Interface to add, maintain, or delete a Domain or an Organizational Unit. Reports The Administration Web Interface allows you to run existing reports and to create new reports. See 11 Reporting for more details System The System tab allows you to administer the system. You can add or remove Identikey Servers, administer the licence, configure the Identikey Server and manage administrative sessions Starting the Administration Web Interface Ensure that the web server service (Windows) or daemon (Linux) is running. Open a browser window and type in the IP address and port number used by the Administration Web Interface. You will need to log in with an Identikey Server administrator account. 91

92 Administration Interfaces Digipass Extension for Active Directory Users & Computers The Digipass Extension for Active Directory Users and Computers allows administration of Digipass User accounts and Digipass records within the Active Directory Users and Computers interface. Note The Digipass Extension for Active Directory Users and Computers is only available where Active Directory is utilized as the data store. The extension adds context menu options, User property sheet tabs and a property sheet for the Digipass records, as outlined below. Connection No logon screen is presented by the extension - an implicit logon to Active Directory will be carried out using your current Windows user context. It will connect to the same Domain Controller as the Active Directory Users and Computers connection. The extension will make its own LDAP connection to Active Directory. Administration does not take place via the Identikey Server. Your administrative permissions will depend on the permissions that your Active Directory user account has within Active Directory. When do new settings take effect? When settings are changed with the extension, the new values may not always take effect immediately. See 2.4 Active Directory Replication Issues in the Administration Reference Guide for more information Context Menu Extensions VASCO context menu options are available on the following containers in the tree pane: The Users container All Organizational Units The Digipass-Pool, Digipass-Reserve and Digipass-Configuration containers Additional context menu options are available when right-clicking on one or more User records in the result pane: User Property Sheet Extensions Additional tabs are available when viewing the property sheet of a User record: The Digipass User Account tab contains extra information about the Digipass User account required by Identikey Server. This includes settings such as authentication policy overrides, and the date and time that a 92

93 Administration Interfaces Digipass User account was created. The Digipass Assignment tab contains information on all Digipass assigned to the Digipass User. These Digipass can be administered from this tab, including unassignment or enabling Backup Virtual Digipass. Digipass may also be assigned to the Digipass User from this tab. The Provisioning tab contains features related to the distribution and special administration of software Digipass and DP Digipass Record Administration Digipass information may be viewed via the property sheet of its assigned User, or by turning on Advanced Features. This allows you dependent on permissions - to see Digipass records wherever they are located in Active Directory (typically in the Digipass-Pool container if unassigned), view properties and use a number of context menu actions. For more details on these actions, see 7 Digipass. The context menu of the Digipass record contains options for bulk management. The property sheet for the Digipass record shows full details of the Digipass and all its Applications and enables all administration tasks for the record. Search for Digipass Records The Digipass Extension for Active Directory Users and Computers allows you to search for specific Digipass records, or Digipass records meeting set criteria. This functionality can be useful when you have Digipass records in various places throughout Active Directory Digipass TCL Command-Line Administration Digipass TCL Command-Line Administration allows interactive command-line and scripted administration of Digipass related data. It has a number of possible uses: Interactive command-line administration Scripted administration Complex bulk administration tasks Reporting on the data in the data store It is an extension of the TCL 8.4 scripting language, and administrators will require a basic competence in TCL in order to use the command-line utility. See the Digipass TCL Command-Line Administration topic in the Administrator Reference for more information. 93

94 Administration Interfaces 5.2 System Administration Identikey Server Configuration The Identikey Server uses a local XML text file for various configuration settings. This can be administered using a graphical user interface referred to as Identikey Server Configuration, or via the Administration Web Interface. To run the Identikey Server Configuration tool, go to the install directory and run Identikey Server Configuration. When settings are changed with this program, the Identikey Server must be restarted before the new values take effect. The program will do this for you when you exit. The following groups of settings are configured using Identikey Server Configuration. For more detail, see the Administrator Reference, Configuration Settings section. Communication Protocols - Set up SOAP, RADIUS, or SEAL protocols Scenarios Plug-ins - define your Back-End Authentication plug-in engines Database Storage - add additional ODBC databases with optional encryption settings Auditing - Enable/Disable audit methods Replication - Specify Replication settings Audit Viewer Use the Audit Viewer to view Audit Messages. Audit messages consist of warnings and errors generated by Identikey Server Admintool.jar The Admintool.jar tool can be used to configure the Administration Web Interface. It allows: Modifications to the list of Identikey Servers which may be administered from the Administration Web Interface Configuration of SSL certificates Configuration Wizard The Configuration Wizard is run initially after installation set-up mode. After installation it can be run in maintenance mode. Use it to change IP addresses and modify other configuration settings. See the Administrator Reference, Configuration Settings section for more information. 94

95 Administration Interfaces 5.3 What do I need to use? The administration interface needed depends on the tasks required, and the data store used by Identikey Server Helpdesk If Identikey Server uses an ODBC database as its data store, you will typically use the Administration Web Interface. If Identikey Server uses Active Directory as its data store, you will typically use the Digipass Extension for Active Directory Users and Computers User/Digipass Administrator The main tools you will use are: Web Administration Interface Digipass Extension for Active Directory Users and Computers (AD only) Digipass TCL Command Line Administration Authentication Server Configuration System Administration The main tools you will use are: Identikey Server Configuration Audit Viewer Configuration Wizard 95

96 Digipass User Accounts 6 Digipass User Accounts 6.1 Digipass User Account Creation A Digipass User account can be created in the following ways: Use the Administration Web Interface to import Users from a file Manually create User records using the Create User function on the Administration Web Interface Dynamically during processing if Dynamic User Registration is enabled Manual Creation A Digipass User Account can be created manually by an administrator using the Administration Web Interface Dynamic User Registration When the Identikey Server receives an authentication request for a User without a Digipass User account, it can check the credentials with the back-end authenticator (eg. Windows). If the authentication is successful with the back-end authenticator, the Identikey Server can create a Digipass User account automatically for the User. This process is called Dynamic User Registration (DUR) and can be enabled via the Administration Web Interface. This feature is commonly used in conjunction with Auto-Assignment, so that the new account is immediately assigned a Digipass. Note ODBC Database (including embedded database): If the data store is case-sensitive and the Identikey Server has not been configured to convert User IDs and Domains to upper or lower case, the potential exists for multiple Digipass User accounts to be created for a single User. For example, if a User logs in with 'jsmith' on one occasion, and JSmith on another, two Digipass User accounts may be created jsmith and JSmith. This can be avoided by: Enabling Windows Name Resolution in the Identikey Server Configuration GUI, if the underlying user accounts are Windows user accounts. See the ODBC Connection and Domains and Organizational Units topics in the Administrator Reference for more information. This is highly recommended. 96

97 Digipass User Accounts Configuring the Identikey Server to convert all User IDs and domains to upper or lower case. See the Encoding and Case-Sensitivity topic in the Administrator Reference for more information. 6.2 Changes to Stored Static Password If Stored Password Proxy is enabled, any changes to a User's password on a back-end system need to be communicated to the Identikey Server. This can be done using Password Autolearn Password Autolearn If Password Autolearn is enabled, a User may directly log in with their new static password in front of their OTP. If it does not match the static password stored by the Identikey Server, it can be verified with the back-end authenticator. If correct, the Identikey Server will store the new static password for future use and authenticate the User. 6.3 Administration Privileges Administration of data in an ODBC database is performed through the Authentication Server to control the administrator's access to data. An administrator may be assigned permissions based on: Type of permission (eg. Read, Create) Type of object (eg. Digipass, Policy) The Domain and Organizational Unit in which the administrator account is located will determine their range of administration access: If the account belongs to an Organizational Unit, the administrator will be able to administer User accounts and Digipass belonging to that Organizational Unit. If the account does not belong to an Organizational Unit, the administrator will be able to administer all Digipass and User accounts in the Domain to which they belong. If the account belongs to the Master Domain, the administrator may be able to administer all Digipass and User accounts in the database. This depends on the 'Acces Data in All Domains' Privilege, which is only available to administrators in the Master Domain. See the Administrator Reference for more information. 97

98 Digipass 7 Digipass 7.1 Importing Digipass Digipass records may be imported into Identikey Server via its Administration Web Interface. Digipass can be imported either one at a time, or many can be imported at one time. The Digipass that are to be imported must be downloaded to a file in the.dpx format. The Digipass Import Wizard guides you through the steps of importing Digipass from the.dpx file. You can specify the applications that will be available with the imported Digipass, and whether the imported Digipass will be set as Active or Inactive on import. You can also specify if existing Digipass will be updated with the data from the.dpx import file. 7.2 Assigning Digipass to Users Digipass may be assigned to Users in a number of ways, depending on the requirements of your company. For example, a company with only a few User accounts may use Manual Assignment. A larger company needing to distribute large numbers of Digipass may find it easier to simply distribute the Digipass and require each User to go through Self-Assignment. Note Digipass records must be imported into the data store before being assigned to Users. 98

99 Digipass Self-Assignment A Digipass may be assigned to a User by their own action. The User must log in and include the serial number, static password and One Time Password. This informs the Identikey Server of the assignment, and provided that the User enters the details correctly, a link will be made between the Digipass record and the User account. A grace period is not used for this method. Image 31: Self Assignment Process 99

100 Digipass Auto-Assignment The Identikey Server can automatically assign an available Digipass when a Digipass User account is created using Dynamic User Registration (DUR). The correct Digipass must then be delivered to the User. A grace period is typically set, which allows a number of days in which the User may still log in using only their static password. Image 32: Auto Assignment Process Manual Assignment A selected Digipass is manually assigned to a specific Digipass User account. The Digipass must then be sent out 100

101 Digipass to the User. A grace period is typically set, during which the User may still log in using only their static password. Image 33: Manual Assignment Process 7.3 Digipass Record Functions A number of functions are available to administer Digipass records. These are typically required for maintenance eg. a User has forgotten their Server PIN, or a Digipass has been locked Reset Application A Digipass Application may need to be reset if the time difference between it and the server needs to be recalculated. This would typically be for time-based Response Only Digipass after a very long period of inactivity. The 'reset' widens the allowable time window for the next login, allowing the User to log in and the Identikey Server 101

102 Digipass to calculate the current time shift Set Event Counter If the event count for an event-based application has become unsynchronised between the Digipass and the server, this function can be used to set the server event count to the event count on the Digipass Reset PIN If a User s Server PIN needs to be changed usually because the User has forgotten it then it can be reset, and the User can create a new Server PIN when they next log in. This may be done when unassigning or re-assigning a Digipass Force PIN Change This function can be used when an administrator wants a User to change their Server PIN on their next login. This may be desirable as a security measure Set PIN A User s Server PIN can be set to a specific value and communicated to the User Unlock Digipass If a User incorrectly enters their Digipass PIN into their Digipass a predetermined number of times, the Digipass will become locked. Once locked, the assistance of an administrator will be required to unlock it. This function allows an administrator to provide the User with an Unlock Code to enter into their Digipass Reset Application Lock If a User has attempted to log in with incorrect details too many times, the Digipass Application used may be locked, depending on Policy settings. This function can be used to set the record for the Digipass Application to the status of unlocked. This differs from User locking, as the User may still log in with a different Digipass Test a Digipass Application Use this function to check that a Digipass Application is working as expected. There is also a function to test the Backup Virtual Digipass functionality. This works for either One Time Password or Signature Reset Activation Use this function to reset the Event Counter, Activation time and Activation location on a Digipass. 102

103 Digipass 7.4 Digipass Programming A Digipass is programmed using a Digipass Programmer and the necessary software. This may be done by your company or by your supplier. Common settings which may affect your administration tasks are explained below Digipass PIN A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the Digipass before obtaining a One Time Password. This means that just possessing the Digipass is not enough to log in to a network the person logging in must also know the Digipass PIN. Digipass PIN settings include: An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the Digipass, typically separate from the Digipass delivery. First Use PIN Modification allows a Digipass to require a PIN change from the User upon first use. PIN Change allows a User to change their PIN as desired. The PIN Length can be set for a Digipass. Digipass Lock sets the number of consecutive faulty PIN entries allowed before the Digipass is locked Time/Event-based Digipass Applications Response Only Response Only Digipass Applications can be either time-based or event-based: Time-based A time-based Application will change the OTP to be displayed based on the current time. The common time step used is 36 seconds and means that the OTP to be displayed will change every 36 seconds, whether or not an OTP has been requested from the Digipass. Event-based An event-based Digipass Application will display a new OTP each time a request for an OTP is made. Challenge/Response Challenge/Response Digipass Applications can be either time-based or non-time-based: Time-based A time-based Challenge/Response Digipass Application will generate an OTP based on the Challenge given and the current time. The common time step used is 9 hours ('slow challenge'). This would mean that if the exact same Challenge were given to a Digipass within a 9 hour period, the Digipass Application will generate the same OTP. 103

104 Digipass However, Challenges are very rarely repeated within such a time period. Non-time-based A non-time-based Challenge/Response Digipass Application will generate an OTP based only on the Challenge given. Signature Time-based The signature application may be time based. This means that the Digipass will generate a different signature for the same input data at different times. Event-based The signature application may be event based. This means that it contains a numeric counter that increases every time a signature is generated. Neither Time- nor Event-based These signatures are generated using neither time or event counter. They will always produce the same signature for the same input. There is no difference between real-time and deferred time with these signatures OTP Length The length of the OTP (excluding check digit) generated by the Digipass for Response Only and Challenge/Response Digipass Applications. Check Digit A check digit may be added to each OTP. This is generated from the response and allows for faster invalidation of incorrect OTPs Challenge Length The length of the Challenge (excluding check digit) which should be expected by the Digipass. This is used by the Challenge/Response Digipass Application. Check Digit A check digit may be expected with each Challenge. This is generated by the server from the Challenge and allows the Digipass to reject most invalid Challenges Signature Length The length of the Signature generated by the Digipass. 104

105 Digipass Signature Data Fields These are the data fields that may be provided when signing a transaction. There may be from 1 to 8 fields, each with a minimum length of 0 and a maximum length of 16. Check Digit A check digit is optional. 7.5 Digipass Record Settings These settings are kept in the record for a Digipass Application, and affect which OTP is expected by the Identikey Server Time/Event-based Settings Time Step Used The time step used by the Digipass Application (see Time/Event-based Digipass Applications for more information). Last Time Shift Time Shift records any misalignments between the time recorded on the Digipass and the time recorded on the server, each time a User logs in. This ensures that if either clock drifts from the correct time, an allowance can be made by the Identikey Server and the User will still be able to log in. If the time drift goes beyond the allowable time window between User logins, the Digipass record will have to be reset (this allows for recalculation of the time drift). Example Time window may be 5 steps in either direction. This means that 11 OTPs would be considered valid the exact OTP for that time, and the OTPs for the 5 time steps either side of the exact time. If the OTP given is for a different time step, the time shift for that Digipass will be recorded. The next time the User logs in, the expected OTP will be calculated based on that time shift. Last Event Value The current number of uses of the Digipass Application, according to the Digipass. This can get out of sync with the number of uses recorded by the Identikey Server when: Login failures occur for other reasons than incorrect OTP The Digipass has been used without a login (eg. children have been playing with it) The Digipass is being used to log in to two separate systems 105

106 Digipass The purpose of this setting is much the same as the Last Time Shift setting it allows the Identikey Server to track any shifts between the event count recorded by itself and the Digipass Server PIN The term 'Server PIN' is used to mean a PIN that the user enters into the login password field in front of the OTP displayed on the Digipass. It is checked by the authenticating server. The 'Digipass PIN' referred to earlier indicates a PIN entered into a keypad on the Digipass. That is checked by the device itself, and is never transmitted to the server. There are a number of Server settings regulating Server PINs: PIN Supported Whether a PIN must be included in a User's login. PIN Change On Is a User allowed to change their Server PIN for this Digipass? Force PIN Change Must the User change their Server PIN the next time they log in? PIN Length The length of the current Server PIN. PIN Minimum Length The minimum PIN length required by the Server Backup Virtual Digipass Policy and Digipass settings Several settings dictate how a User may utilize the Backup Virtual Digipass feature. These settings are: Enable or disable Backup Virtual Digipass and enable method (eg. Required). Time limit/expiry (applies to Time Limited enable only) Maximum number of times a User may make use of the Backup Virtual Digipass. The above settings may be set both at the Policy level and at the Digipass record level. Individual settings override Policy settings for an individual Digipass, but some Policy settings (see below) may be used to automatically set Digipass settings which are blank when the Backup Virtual Digipass is first utilized by the User. 106

107 Digipass Time Limit and Max. Uses/User Policy Setting Time Limit Max. Uses/User Digipass Setting Enabled Until Uses Remaining Table 1: Backup Virtual Digipass Policy/Digipass Settings If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled Until field in the Digipass property sheet is blank on their first use of the Backup Virtual Digipass, their time limit will begin on their first use of the feature. The expiry date (today s date + Time Limit) will then be displayed in the Enabled Until field. If a Max. Uses/User is set for the relevant Policy and a Digipass record's Uses Remaining field in their User property sheet is blank on their first use of the Backup Virtual Digipass, a number (Max Uses/User) will be automatically entered into their Uses Remaining field and immediately decremented by 1. Note If a User has Backup Virtual Digipass enabled with Enabled Until date set and their Uses Remaining has been set (automatically or manually), whichever of these expires first will disable Backup Virtual Digipass for the User. eg. Backup Virtual Digipass is enabled for a User as Time Limited, and the server Time Limit setting is 3 days. The Max. Uses/User Policy setting is 5. When the User first makes use of the Backup Virtual Digipass, their Enabled Until is set to a date 3 days hence and their Uses Remaining to 4. During the next 48 hours, they log in 4 more times. Although the User s time limit does not run out for another 24 hours, their Uses Remaining is now 0 and Backup Virtual Digipass is disabled. 107

108 Digipass 7.6 Virtual Digipass Implementation Considerations Digipass Assignment Options With the introduction of Virtual Digipass, there are several different assignment combinations that can be used. The first option in the table below does not utilize Virtual Digipass. The others include a Virtual Digipass in either a backup or primary mode. Primary Backup Digipass None User must log in using a Digipass. Digipass Backup Virtual Digipass User usually logs in using a Digipass, but may utilize the Backup Virtual Digipass feature where required. Usage of the feature may be limited. Digipass (temporarily disallowed) Backup Virtual Digipass User must log in using the Backup Virtual Digipass feature. This might be used while a User s Digipass is lost, until the Digipass is recovered. Primary Virtual Digipass N/A User is assigned a Virtual Digipass and must log in using it. Table 2: Digipass Options Cost Your company will probably need to pay an amount for each text message sent. In some countries, mobile phone owners might need to pay an amount for each text message received on their mobile phone. This will need to be taken into consideration when deciding how to implement Virtual Digipass functionality Security Hardware Digipass devices provide the highest level of security. Virtual Digipass provides a lower, although still high, level of security. This needs to be weighed against other considerations before deciding whether your company will implement Virtual Digipass, and if so, how it will be implemented Convenience Virtual Digipass is more convenient than a hardware Digipass for many Users. Only one s usual mobile phone is required: there are no extra devices to carry around. Users who do not habitually carry their mobile phone with them, though, are likely to find a GO 3 or GO 1 easier to transport. For Users with the Backup Virtual Digipass enabled, it might be the difference between going to work to pick up a forgotten Digipass and getting important work done at home. 108

109 Digipass Gateway and account Your company will need the use of an text message gateway and an account with the gateway. The Message Delivery Component will need configuration information for the gateway and the Username and password for the account. Your VASCO supplier can assist with this process Limiting Usage of Virtual Digipass Use of Virtual Digipass may be limited by: Using Backup Virtual Digipass only. Minimizing the number of Users assigned a Primary Virtual Digipass. A User s Primary Virtual Digipass use cannot be limited. The Backup Virtual Digipass feature may be enabled as an emergency backup for Users who have left their primary Digipass at home, or for other reasons do not have access to their primary Digipass. Use of this feature can be limited for each Digipass by: Time period Set a time period in which a User may access the Backup Virtual Digipass. After this period has expired, any Virtual Digipass requests from the User will be rejected. If the User is still unable to use their Digipass, the time period must then be extended by an administrator. Once they have started using their Digipass again, the administrator must reset the time period if the User is to be allowed to use Backup Virtual Digipass again. Number of Uses Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass feature. When the User has reached this number of uses, any further OTP requests from the User will be rejected. This must be reset by an administrator if further use of the Backup Virtual Digipass is required for the User. Global and Individual Backup Virtual Digipass settings Backup Virtual Digipass options can be set globally or individually, to allow a standard policy for all Digipass with exceptions made where necessary. Global settings will affect all Digipass whose individual option is set to 'Default'. Global options are defined in the Policy that controls authentication. Therefore, by using multiple Policies, you have some additional flexibility Backup Virtual Digipass Usage Guidelines Some questions which will need to be answered before arriving at a Backup Virtual Digipass usage guidelines are: Will any users have access to Backup Virtual Digipass? If so, will all users have access to Backup Virtual Digipass? 109

110 Digipass Will usage of Backup Virtual Digipass be limited? If so, how? Time-limited? Limited number of uses? Some Possible Guidelines Guideline Pro Con Backup Virtual Digipass disabled for all enabled for individual Users as required. Low text message costs Manual enable for each User and circumstance. Possible heavy administration load. Backup Virtual Digipass enabled for all either time/number of usage limit set. Predictable text message costs Administrator may need to reset limits frequently medium administration load. Backup Virtual Digipass enabled for all no limits set. Lighter administration load Possible high text message costs. Table 3: Backup Virtual Digipass Example Guidelines Resetting Virtual Digipass Restrictions When a User has reached their limit of Virtual Digipass use, an administrator must reset their limit Virtual Digipass Login options A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an OTP to be sent to their mobile when required, but to login using the hardware Digipass at other times. The simplest method for the User is to allow a 2-step login process, where the User enters their User ID and password only, triggering an OTP Request, and are redirected to a second login page to enter the OTP sent to them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system administrator if unsure. Alternatives to the 2-step login are a sequence of two 1-step logins or the use of a specific web page to request an OTP, separate from the login page screen. See the Administrator Reference for information on possible login permutation. 110

111 Client Components 8 Client Components 8.1 Component Types SOAP Client Programs SOAP client programs will not be called 'SOAP clients'. The program itself specifies the type, as a parameter to each request. A client component record must exist for this type at the location (IP address) where the application runs. The policy in the component record will be used for all processing of requests from this client Administration Program Creating a Component record for a VASCO administration program - either the Web Administration Interface or the Audit Viewer - allows a Policy to be set for connections from that program. A Component record MUST exist for each Web Administration Interface or any other administration program using SOAP. For the Identikey Server SEAL interface for TCL and the Audit Viewer, SEAL Require administration client component registration configuration setting determines whether an Administration Program component must be provided or not RADIUS Client A RADIUS Client Component record is required when clients will be sending authentication requests to the Identikey Server using the RADIUS protocol. The Identikey Server will check the Component record to find: The Shared Secret to use in communicating with the RADIUS Client. The Policy to apply to the authentication request. A default RADIUS Client Component record is automatically created during installation of Identikey Server. This can be deleted and specific records created for each location. Note The default RADIUS Client created during installation will be given a Shared Secret of default. 111

112 Client Components IIS Module A Component record is required for any IIS Modules used with Identikey Server. The Component record will be checked whenever the IIS Module sends an authentication request to the Identikey Server. The Identikey Server will check: That the Component record contains a valid License Key for a Client module Which Policy to apply to the authentication request The following client types fall under this category: Citrix Web Interface Outlook Web Interface IIS 6 Module 112

113 Server Components 9 Server Components 9.1 Server Component A Server Component record holds the License Key for a specific Identikey Server. This Component record will be checked when the Identikey Server is started. The Identikey Server will check for: License Key. If the License Key is missing, invalid or expired, all authentication except for administration logons will be refused. The following items need to be supported in the Licence Key: RADIUS SOAP Authentication scenario Signature Validation scenario Provisioning scenario The Policy to use for SEAL administration logins. If an ODBC database (including the embedded PostgreSQL database) is used as the data store, the Policy will be applied to all administration logins (including live audit connections) for which an Administration Program Component record is not found. A Server Component record is automatically created for each Identikey Server as it is installed. 113

114 Policies 10 Policies 10.1 Policy Inheritance Policies may be set up in a hierarchy, where one Policy will inherit most of its attributes from a parent Policy, but with some modifications for a slightly different scenario. Image 34: Policy Inheritance 114

115 Policies In the example above, all attributes are inherited from the parent Policy. The attributes shown in the child policies above are explicitly set, which make the policy different from the parent policy. The explicitly set attributes in the child policies override those of the parent policies Show Effective Settings As the various levels of settings in Policy inheritance can get confusing, functionality is available which allows you to view the settings effective for a selected Policy, taking inherited settings into account. The text below shows the effective settings for the Identikey Server RADIUS Self-Assignment Policy: Effective Policy Settings [Local/Back-End Authentication] Local Authentication : Digipass/Password Back-End Authentication : Always Back-End Protocol : RADIUS User Accounts] Dynamic User Registration : Yes Password Autolearn : Yes Stored Password Proxy : Yes Default Domain: (none) User Lock Threshold : 3 [Windows Group Check] Group Check Option : No Check Group List: (none) [Digipass Assignment] Assignment Mode : Self-Assignment Grace Period (days) : 0 Serial No. Separator : Search up Organizational Unit Hierarchy : Yes [Digipass Settings] Application Names Application Type : No Restriction Digipass Types PIN Changed Allowed : Yes [1-Step Challenge Response] Enabled : No Challenge Length : 0 Challenge Check Digit : No [2-Step Challenge Response] Request Method : Keyword Request Keyword [Primary Virtual Digipass] Request Method : Password Request Keyword [Backup Virtual Digipass] Enabled : No Maximum Days : 0 Maximum Uses : 0 Request Method : KeywordPassword Request Keyword : otp [Digipass Control Parameters] Identification Time Window :

116 Policies Signature Time Window:24 Event Window : 20 Initial Time Window : 6 Identification Threshold : 0 SignatureThreshold : 0 Check Challenge Flag : 1 Level of Online Signature : 0 Allowed Inactive Days : 0 You will note that the settings listed above include those set in Policies from which the Identikey Server RADIUS Self-Assignment Policy inherits. 116

117 Policies 10.2 Pre-Loaded Policies These Policies are created for the Identikey Server on installation of the Identikey Server. They provide an example for setting up Policies in a typical environment. Table 4: Pre-Loaded Policies Policy Name Base Policy Parent Policy - Identikey Administration Base Policy Logon Description Non-Default Settings Globally applicable settings. In general, all other Policies should inherit from this, directly or indirectly. User Lock Threshold=3 PIN Change Allowed=Yes Challenge Request Method=Keyword Primary VDP Request Method=Password Backup VDP Request Method=KeywordPassword Backup VDP Request Keyword=otp Identification Time Window=20 Check Challenge Mode=1 Event Window=20 Sync Window=6 Online Signature Level= 0 Identification Threshold=0 Local Authentication=None Back-End Authentication=None DUR=No Password Autolearn=No Stored Password Proxy=No Group Check Mode=No Check Assignment Mode=Neither Search Up OU Path=No Application Types=No Restriction 1-Step Challenge/Response=No 1-Step Challenge Check Digit=No Backup VDP Enabled=No Settings for an administration logon including Audit Viewer live connection. Separated from the main authentication policies to avoid accidental interference. Locking is off to reduce the chance of a lock-out. Local Authentication=Digipass/Password User Lock Threshold=0 117

118 Policies Policy Name Identikey Local Authentication Parent Policy Base Policy Description Non-Default Settings Settings applicable to all Identikey Local Server authentication Policies, Authentication=Digipass/Password including local authentication. In general, all other Identikey Server Policies using local authentication should inherit from this, directly or indirectly. Identikey Windows Identikey Local Password Replacement Authentication Identikey Server model for password replacement and Dynamic User Registration, using Windows back-end authentication and a Windows group check. Back-End Authentication=Always Back-End Protocol=Windows DUR=Yes Assignment Mode=Neither Group Check Mode=Pass Back Group List=Digipass Users Password Autolearn=Yes Stored Password Proxy=Yes Identikey Microsoft AD Identikey Local Password Replacement Authentication Identikey Server model for password replacement for Microsoft Active Directory Local Auth=Default Backend Auth=Always Backend Protocol=Microsoft AD DUR=Yes Password Autolearn=Yes Stored Password Proxy=Yes Identikey Novell edirectory Password Replacement Identikey Local Authentication Identikey Server model for password replacement for Novell e-directory Local Auth=Default Backend Auth=Always Backend Protocol=Novell e-directory DUR=Yes Password Autolearn=Yes Stored Password Proxy=Yes Identikey Microsoft ADAM Password Replacement Identikey Local Authentication Identiky Server model for password replacement for Microsoft ADAM Local Auth=Default Backend Auth=Always Backend Protocol=Microsoft ADAM Password Autolearn=Yes Stored Password Proxy=Yes Identikey Windows Auto-Assignment Identikey Windows Password Replacement Identikey Server model for AutoAssignment based on the Windows password replacement model. Assignment Mode=Auto-Assignment Search Up OU Path=Yes Grace Period=7 Identikey Microsoft AD Auto Assignment Identikey Local Authentication Identikey Server model for Auto Assignment for Microsoft Active Directory Local Auth=Default Backend Auth=If Needed Backend Protocol=Microsoft AD Assignment Mode=Auto-Assignment Search-Up-OU-Path=Yes 118

119 Policies Policy Name Parent Policy Description Non-Default Settings Identikey Microsoft Identikey Microsoft ADAM Auto Assignment ADAM Password Replacement Identikey Server model for Auto Assignment for Microsoft ADAM Local Auth = Default Backend Auth = If Needed Backend Protocol = Microsoft ADAM Assignment Mode = Auto-Assignment Search-Up-OU-Path = Yes Identikey Windows Self- Identikey Windows Assignment Password Replacement Identikey Server model for SelfAssignment based on the Windows password replacement model. Assignment Mode=Self-Assignment Search Up OU Path=Yes Self Assignment Separator= Identikey Microsoft AD Self Assignment Identikey Server model for SelfAssignment for AD Password Replacement Local Auth = Default Backend Auth = Always Backend Protocol = Microsoft AD Assignment Mode = Self-Assignment Search-Up-OU-Path = Yes Identikey Server model for SelfAssignment for ADAM Password Replacement Local Auth = Default Backend Auth = If Needed Backend Protocol = Microsoft ADAM Assignment Mode = Self-Assignment Search-Up-OU-Path = Yes Identikey Novell e- Identikey Server model for selfdirectory Password assignment for Novell e-directory Replacement Local Auth = Default Backend Auth = Always Backend Protocol = Novell e-directory Assignment Mode = Self-Assignment Search-Up-OU-Path = Yes Identikey Microsoft AD Password Replacement Identikey Microsoft Identikey Microsoft ADAM Self Assignment ADAM Password Replacement Identikey Novell edirectory Self Assignment Identikey RADIUS Identikey Local Password Replacement Authentication Identikey Server model for password replacement and Dynamic User Registration using a RADIUS server for back-end authentication. Identikey RADIUS Auto- Identikey Local Assignment Authentication Identikey Server model for AutoGrace Period=7 Assignment based on the RADIUS Search Up OU Path=Yes password replacement model. Assignment Mode=Self-Assignment Identikey RADIUS SelfAssignment Identikey Local Authentication Identikey Server model for SelfSearch Up OU Path=Yes Assignment based on the RADIUS Assignment Mode=Self-Assignment password replacement model. Self Assignment Separator= Identikey Back-End Authentication Base Policy Identikey Server model for only Backend Protocol=RADIUS Back-End Authentication. Change Backend Authentication=Always the back-end Protocol to the one required. Backend Authentication=Always Backend Protocol=RADIUS Password Autolearn=Yes Stored Password Proxy=Yes 119

120 Policies Policy Name Parent Policy Description Non-Default Settings Identikey DP110 Provisioning 1 Base Policy Identikey Digipass for Web Local Auth = Digipass/Password Provisioning model scenario 1 1-Step Challenge/Response=Yes-Any Activation codes are encrypted challenge with pre-loaded static passwords. Identikey DP110 Provisioning 2 Base Policy Identikey DP110 Provisioning model scenario 2 - Dynamic Registration using Back-End System. Change the Back-End Protocol to the one required. Local Auth = Digipass/Password Back-End Authentication = Always 1-Step Challenge/Response=Yes Any challenge Identikey DP4Mobile Register Base Policy Identikey Digipass for Mobile Register - pre-loaded User accounts and static passwords. Online Signature Level = 1 Multiple Signatures allowed in same Time Step Identikey DP4Web Provisioning 1 Base Policy Identikey Digipass for Web Provisioning model scenario 1 Activation codes are encrypted with pre-loaded static passwords. Identikey DP4Web Provisioning 2 Base Policy Identikey Digipass for Web Provisioning model scenario 2 pre-loaded User accounts and static passwords. Identikey DP4Web Provisioning 3 Base Policy Identikey Digipass for Web Local Auth = Digipass/Password Provisioning model scenario 3 DUR=Yes Dynamic Registration using BackEnd System. Change the Back-End Protocol to the one required. Local Auth = Digipass/Password Identikey Deferred Time Base Policy signature Verfication Deferred time signature verification settings: Time based. Identikey Real-Time signature verfication 1 Base Policy Real-time signature verification Online signature level = 1 - Multiple settings: Time-based, several Signatures allowed in same Time Step signatures are allowed in the same timestep but 2 identical successive signatures will be rejected. Identikey Real-Time signature verfication 2 Base Policy Real-time signature verification settings: Time-based, one signature allowed per timestep. Online signature level = 2 - Only 1 Signature/Time Step allowed Identikey Real-Time signature verfication 3 Base Policy Deferred time signature verification settings: Event based, off-line mode. Signature Time Window = 24 Signature Time Window =

121 Reporting 11 Reporting 11.1 Reporting Overview Image 35: Reporting Structure The Identikey Server Reporting facility allows you to create reports from the Identikey Server database information, and from the Audit information. The main uses for reports are: Troubleshooting User Troubleshooting administrators can generate reports to enable them to troubleshoot authentication failures for specific users. System Troubleshooting system administrators can generate Identikey Server reports to analyse and solve system problems System Audits System administrators can generate reports to carry out audits of Digipass or administrator actions. Security Audits 121

122 Reporting System administrators can generate reports to analyse suspicious activity. Accounting Reports can be generated to count the number of authentication requests per user or organizational unit. A number of standard reports are available, but if the report you require is not among them you can create your own (custom) report Report Definition Reports are made up of the following elements: Report Type Data Store Grouping Level Query Formatting Template These elements combine to produce a report. They are present for standard reports, and you can select properties from each of these elements to create a custom report Report Type There are four report types. All reports are based on these report types. List Analysis Report Detailed Analysis Report Distribution Analysis Report Trend Analysis Report. The List Analysis Report lists all items that match the criteria specified in the report definition. For example, a list of users with no Digipass assigned. The Detailed Analysis Report shows detail of the events specified in the report definition. For example, a detailed list of failed authentications for a User. The Distribution Analysis Report will show counts of events and objects. For example, the number of failed authentications for a domain. The Trend Analysis Report shows a trend over a period of time for a the objects specified in the report definition. For Trend Analysis Reports there is an extra parameter. The period of time for which the data needs to be extracted must be specified. The choice is: Hour Day 122

123 Reporting Month Year Each report, whether standard or custom, will be based on these report types. Each report type retrieves its information from either the audit data, the Data Store, or from both sources Data Source Each report is generated from data existing on Identikey Server. The choices for Data Source are as follows: Users. This will generate the report based on the User information from the Identikey Server Data Store. Users + Audit Data. This will generate the report based on the User information mentioned above, and the Audit Data from Identikey Server. Digipass. This will generate the report based on the Digipass information from the Identikey Server Data Store. Digipass + Audit Data. This will generate the report based on the Digipass information mentioned above, and the Audit Data from Identikey Server. Audit Data only. This will generate the report based on the Audit data only Grouping Level The Grouping Level specifies how the data in the report will be grouped. The Grouping Level choices are: Client Domain Organizational Unit User Digipass If a Detail or List report is set at Grouping Level of User, each user will be represented individually. If a Detail or List report is set at Grouping Level of Organizational Unit, the data for all the Users in that Organizational Unit will be added together and represented only once under the Organizational Unit. In the example below, the Grouping Level has been set to User, because each User has an individual row on the report. 123

124 Reporting Image 36: Report Grouping Query The Query specifies the search criteria that are used when the data is extracted from the Data Store or Audit Data. For example, to generate a report for a specific Audit message, such as 'Authentication' or 'DP4WEB', you can specify in your Query that Audit Message = 'Authentication'. Then you will only receive information on 'Authentication' Audit Messages in your report. It is possible to add further query criteria just for one run of a report. Queries can be simple, as the query above, or they can be a combination of criteria, such as Audit Message = 'Authentication', User Name = 'User5'. 124

125 Reporting Formatting Templates Report data is always generated into XML, then an XSLT transformation is applied to give the output. The XSLT transformation requires a formatting template. Each report definition requires at least one template so that it can be produced in the format required. Each report definition can have more than one Formatting Template. The template to be used can be selected when running the report Standard Reports The Identikey Server reporting package will come with standard reports. Standard reports are provided for the most common administration tasks. The standard reports can be grouped by their use: Reports produced by the Helpdesk to help with troubleshooting functional problems Detailed authentication report User authentication history report Detailed Digipass registration report Detailed activity summary report Detailed Signature Validation report Detailed Provisioning report Signature Validation history report Reports produced by System administrators to help with troubleshooting system problems Failed Operations summary report Succeeded Operations summary report Reports produced by Administrators for Accounting information Authentication activity by user report Authentication activity by client report Provisioning activity by user report Provisioning activity by client report Transaction Signing Activity by User Application report Transaction Signing Activity by Client report Reports produced by Administrators for System auditing information Administration activity summary report Digipass availability by type report Digipass deployment trend report Digipass deployment by type report 125

126 Reporting Authentication trend report Transaction Signing Activity Trend Provisioning activity trend report Account lock trend report Digipass assignment activity summary report 11.4 Custom Reports If there is not a standard report that meets your requirements, you can create a custom report using the Report Definition Wizard on the Identikey Server Web Administration application. A custom report can be created based on one of the available report types. Variables such as the subject of the report, and selection criteria can be specified to create the report you require Report Generation Process Report generation relies on a number of components. An SQL query must be defined to retrieve the data that is required for the report. A report type must be selected from the list available. The result of the SQL query and the report type are then combined into an XML report. The XML report and the report format template are combined to produce the finished report in the required format. Image 37: Report Generation Process 126

127 Reporting 11.6 Report Usage and Change Permissions Each report definition has an owner. The owner is usually the Administrator that created the report, but ownership can be transferred to another Administrator in the same Domain. Permissions are associated with each report that control: Who can run the report. Use can be restricted to the report owner, or it can be granted to other administrators. Who can change the report definitions. The ability to change the report format and details can be restricted to the report owner, or it can be granted to other administrators. Who can view the report Usage permissions There are three types of usage permissions: Private only the owner can view and run the report. Public all administrators in all domains can view and run the report. Domain the report can be run and viewed only by administrators that belong to the domain where the report was defined Change Permissions There are three types of change permissions: Private only the owner can change the report. Public all administrators in all domains can change the report. Domain the report can be changed only by administrators that belong to the domain where the report was defined Permissions for standard reports The standard reports have 'private' permissions relating to changing the reports, and 'public' permissions relating to running and viewing the reports. 127

128 Reporting 11.7 Making Data Available to Reports When you are using data to create reports it makes sense to consider the way in which your data is stored and archived. The reports you can run use the audit data and the Data Store. An issue arises when you have more than one Identikey Server in your system. Audit messages can be stored on a database or in local text files. The database storage option can be local or centralised; text files are local. A report can only be run on one source of audit data, so if there is more than one Identikey Server you have the following options to enable reports to run on all the audit data: Online Centralized Database. Have a centralized Audit database. All Identikey Servers write to this database all the time. All reports can be run against this database all the time. If the centralized database is used it must be configured to be fast enough and big enough to cope with the load of Audit data. Offline Centralized Database Write the Audit data locally but periodically load the local data to a centralized Audit database. Each Identikey Server must be configured to read the Audit data from the centralized database. Reports will only contain data up to the last load to the centralized Audit Database. Offline Centralized Database with Reporting Server Write the Audit data locally but periodically load the local data to a centralized Audit database. Each Identikey Server must be configured to read the Audit data from the local Audit data source. A reporting server can be installed that is configured to read its data from the centralized Audit database. Reports that need to use up to the minute data can be run on the server that retrieves its data locally. An example of this would be a user activity report for troubleshooting. Reports that need to use global data can be run on the reporting server. Reports will only contain data up to the last load to the centralized Audit Database. No Centralized Audit Data Configure each Identikey Server to retrieve Audit report data locally. An option to Upload Audit Data is available in the Configuration Wizard. This will allow you to configure Identikey Server to upload local Audit Data to a centralized Audit Database Archiving Strategy If you are running reports that will require data which is spread out over a long period of time, the reports will take a long time to run as the volume of data gets bigger. The best way of dealing with this growth is to archive the data. It is best to develop a good archiving strategy when your system is being implemented. Consider the kind of data you will want to report on, and the length of time you would like data to be available before being archived. Remember, archived data cannot be reported upon. 128

129 Identikey Data Store 12 Identikey Data Store 12.1 Active Directory What is Stored in Active Directory? The following information is stored in Active Directory: Digipass User accounts Digipass and Digipass Application records Digipass configuration records (Policies, Components, Back-End Servers, Reports and Report Formats) Identikey Server Configuration information Schema Extensions User attributes vasco-userext class Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-userext on the User class. Digipass and Digipass Application records The vasco-dptoken class is used to store Digipass attributes. It is also a container, in which vasco-dpapplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User. Policies, Components and Back-End Servers Policy, Component, Back-End Server, Report and Report Format records are stored in vasco-policy, vascocomponent, vasco-backendserver, vasco-report and vasco-reportformat objects respectively. They are located in a single Digipass-Configuration container in a single Domain Digipass Records Location of Digipass Records When a Digipass is assigned to a User, it is moved to the same location as the Digipass User account it is assigned to. This makes it easier to set up the permissions necessary for delegated administration. 129

130 Identikey Data Store Note A Digipass record will not automatically be moved when the User account to which it is assigned is moved to another location. When moving User accounts within Active Directory, ensure that the records of any assigned Digipass are manually moved to the same location. Unassigned Digipass records may be stored in various places in the data store: Digipass Pool A container called Digipass-Pool is created during installation. This is intended as a general store for unassigned Digipass. Organizational Units If an Organizational Unit structure is used in the data store, Digipass can be loaded or moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units. Users Container When Active Directory is used as the data store, Digipass can be loaded into the Users container so they are available for Users in that container. However, it is not recommended to use the Users container for either User accounts or Digipass. When looking for an available Digipass to assign to a User, the Identikey Server will first look in the same Organizational Unit as the specific User account. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the Identikey Server to search in parent Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches (eg. Auto-Assignment and SelfAssignment) or at the time of the search for manual assignment. Note The Identikey Server will always find or assign the closest available Digipass record to the selected User record(s) Delegated Administration in Active Directory If the assignment is manual (performed by an administrator), it will only find and successfully assign Digipass from locations where the administrator has the correct permissions. The administrator must have read permission for Digipass objects in the location to find a Digipass record, and if it needs to be moved to the User's location, they must have delete permission for Digipass objects to successfully assign the Digipass. If the administrator has sufficient permissions to view a Digipass record but not to assign it, the assignment will fail. 130

131 Identikey Data Store Table 5: Summary of Digipass Record Location Options Record Location Pros Cons Digipass Pool Digipass are available to be assigned to all Users, regardless of the Organizational Unit structure. Only administrators with access to the Digipass Pool may view or modify records for unassigned Digipass. This also means that only those administrators may manually assign Digipass. An extra permission must be assigned to all administrators who should be able to assign Digipass (if they are not Domain Admins). It is not possible to strictly subdivide the unassigned Digipass among the Organizational Units according to quotas. Organizational Unit Digipass may be portioned out to various Organizational Units. This is particularly useful where a company is contracted to provide authentication services to multiple companies, or where various departments have different Digipass quota. If an Organizational Unit runs out of Digipass to assign its Users, more Digipass records must be manually moved to the right location. Users Container Digipass can be assigned to any User in the Users container. Digipass in the Users container are only available to User accounts stored there. 131

132 Identikey Data Store Typical Digipass Location Models Digipass Pool A centralised point of access and importation can be implemented by using the Digipass Pool to hold unassigned Digipass records. This option requires less calculation and high-level administration, as Digipass records are all imported into one area and there is no need to manually move records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. However, permissions will need to be set up to permit delegated administrators access to move the Digipass out of the container upon assignment. The Digipass Pool is treated as the Domain Root by the Identikey Server, as Digipass records may not be saved in the Domain Root. Image 38: Digipass Record Locations - Digipass Pool In the diagram above, the Identikey Server is shown searching upwards through the Organizational Unit structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are found in B1, it searches in B, then in the Digipass Pool. Administrator 1 needs delegated administrator permissions for the Organizational Unit B and its child Organizational Units. They must also have read and delete permissions for Digipass objects in the Digipass Pool container. Note The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly. 132

133 Identikey Data Store Parent Organizational Units Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational Units. This requires a delegated administrator to have permissions not only for the Organizational Unit in which the User accounts are stored, but also read, write and delete permissions for Digipass objects in the Organizational Unit in which the Digipass are stored. Image 39: Digipass Record Locations - Parent Organizational Unit In the diagram above, the Identikey Server can search in the parent Organizational Unit for available Digipass. The delegated administratration permissions can be set up in two basic ways: Administrator 1 has full admin permissions for Organizational Unit B and its child Organizational Units. She does not require any other permissions to assign Digipass from Organizational Unit B to a User in Organizational Unit B1. Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read and delete permissions for Digipass objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a User in Organizational Unit A2. Note The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly. 133

134 Identikey Data Store Individual Organizational Units Digipass can be loaded or moved into each Organizational Unit where and when they are required. It is then easy to set up permissions for delegated administrators to assign them only within their scope of control. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before they can be assigned by a delegated administrator. 134

135 Identikey Data Store Image 40: Digipass Record Locations - Individual Organizational Units In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be assigned. Each delegated administrator only requires permissions within their specific Organizational Unit(s). Note The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model. Combination of models Digipass may be stored in the Digipass Pool as well as some or all Organizational Units. If no unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in Organization Unit hierarchy option is enabled, the Identikey Server will search upwards to the Domain Root and search in the Digipass Pool for an available, unassigned Digipass record Permissions Needed by the Identikey Server The installation process will ensure that the Identikey Server has sufficient permissions. This is achieved by assigning permissions in the domain to the in-built RAS and IAS Servers group. It is necessary to make sure that the Identikey Server is added to that group Administrative Permissions Administrative permissions for Identikey Server administrators are controlled using Active Directory security 135

136 Identikey Data Store properties. See the Permissions Needed by Administrators topic in the Administrator Reference for more information. Domain Administrators may view and edit all Digipass and Digipass User information in their domain, plus Digipass Configuration information if the Digipass Configuration Container is located in their domain. No permissions setup is required for them. Delegated Administrators may view and edit all Digipass and Digipass User information within their administrative scope of control. It is necessary to grant them full control, create and delete permissions over the Digipass and Digipass Application objects within their scope. Reduced Rights Administrators may perform a subset of the administration tasks. 'Property sets' are defined with the directory which can be used to enable or limit them in various Digipass administration tasks (eg. Access to the Digipass blob) Active Directory Command Line Utility This utility has to perform several tasks that are needed at various times during installation and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can be run manually also, for example to troubleshoot why the installation is not succeeding. Table 6: DPADadmin tasks Command Description addschema Extend the Active Directory schema. checkschema Check that the schema extensions are all present. setupdomain Sets up the Digipass Configuration Container in the specified domain. setupaccess Assign permissions to a Windows group including: Full read access to everything in the domain Full control over vasco-dptoken objects Full control over vasco-dpapplication objects Ability to create and delete vasco-dptoken objects Full write access to extension attributes on user objects This command can optionally be used to also add a machine to the group. 136

137 Identikey Data Store Active Directory Replication For more details of Active Directory Replication see Active Directory Replication Issues in the Administration Reference Guide ODBC Database You may use the embedded PostgreSQL database supplied with Identikey Server, or another ODBC-compliant database What is Stored in the Data Store? The following information is stored in the data store: Digipass User accounts Digipass and Digipass Application records Digipass configuration records (Policies, Components, Back-End Servers, Reports and Report Formats) Identikey Server Configuration information Domains and Organizational Units Image 41: Domains and Organizational Units Domains and Organizational Units are included in the ODBC database in a way that mirrors the data structure used by Active Directory. Organizational Units are designed to hold User accounts and Digipass records. They allow grouping of Users according to department, job function, or other criteria. They also allow Digipass to be allocated for Auto- 137

138 Identikey Data Store Assignment to single or multiple groups of Users. Both Domains and Organizational Units can be used to limit administrators to a group of Users and/or Digipass Location of Digipass Records When a Digipass is assigned to a User, it is moved to the same Organizational Unit as the Digipass User account to which it is assigned. Note When a User account is moved to an Organizational Unit, all Digipass records assigned to it will also be moved. A Digipass record assigned to a User cannot be moved - the User account must be moved. Unassigned Digipass records may be allocated to various places in the Organizational Unit structure: Master Domain During installation, a default domain is created. Digipass are imported to the Master Domain, and may then be moved to other domains and Organizational Units. Organizational Units If an Organizational Unit structure is used in the database, Digipass can be moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units. When looking for an available Digipass to assign to a User, the Identikey Server will first look in the same Organizational Unit as the specific User account, if the User account belongs to an Organizational Unit. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the Identikey Server to search in parent Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches (eg. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment. Note The Identikey Server will always find or assign the closest available Digipass record to the selected User record(s). If the User account being assigned a Digipass does not belong to an Organizational Unit, the Identikey Server will look for an available Digipass in the domain which does not belong to an Organizational Unit. 138

139 Identikey Data Store Typical Digipass Location Models Domain Root Digipass records may be stored in the Domain Root while unassigned. This option allows a centralised point of access for assignment of Digipass. It also requires less calculation and high-level administration - Digipass records are all stored in one area and there is no need to manually move records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. Administrators must belong to the Domain only (not an Organizational Unit) to assign Digipass from the Domain Root. Image 42: Digipass Record Locations Domain Root In the diagram above, the Identikey Server searches upwards through the Organizational Unit structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are found in B1, it searches in B, then in the Domain root. The administrator account must be located in the domain root (no Organizational Unit) in order for this model to work successfully. Note The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly. 139

140 Identikey Data Store This option is simplified if an Organizational Unit structure is not used in the database. User accounts and Digipass records may all be stored in the Master Domain. The Search Upwards in Organizational Unit hierarchy option does not need to be enabled in this case. Parent Organizational Units Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational Units. Image 43: Digipass Record Location Parent Organizational Unit In the diagram above, the Identikey Server can search in the parent Organizational Unit for available Digipass. Administrators will need to belong to the parent Organizational Unit. Note The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly. 140

141 Identikey Data Store Individual Organizational Units Digipass can be loaded or moved into each Organizational Unit where and when they are required. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before they can be assigned. Image 44: Digipass Record Location s Individual Organizational Units In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be assigned. Administrator accounts belonging to the Organizational Units A1 and A2 have administration privileges in their own Organizational Unit only. Note The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model. Combination of models Digipass may be stored in the Master Domain as well as some or all Organizational Units. If no unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in Organization Unit hierarchy option is enabled, the Identikey Server will search upwards to the Domain Root and search in the Digipass Pool for an available, unassigned Digipass record Permissions Needed by the Identikey Server Identikey Server will require either: 141

142 Identikey Data Store a database administrator account for the database, ownership of the VASCO tables, or permissions to insert, remove, read and modify rows in VASCO tables. See the Administrator Reference for more information. This is set up automatically in the case of the embedded database option Database Command Line Utility This utility has to perform several tasks that are needed at various times during installation and upgrade, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can be run manually also, for example to troubleshoot why the installation is not succeeding. Command Description addschema Modify the database structure to create the required VASCO tables. checkschema Check that the required database modifications and/or table name remappings have been completed. dropschema Remove all database schema modifications from the database. Table 7: DPDBadmin commands 142

143 Identikey Data Store Additional ODBC Databases A synchronized backup database may be set up for the Identikey Server. This helps to ensure continuous service if the main database fails. The synchronization can be a shadow database, a mirror or a replicated copy. The required synchronization must be set up according to the instructions provided by the database vendor. It is strongly recommended to minimize the synchronization delay. Once the database and any synchronization is set up, create a Data Source Name for the new database and add it to the Identikey Server Configuration GUI. Image 45: Additional ODBC databases See the Database Connection Handling topic in the Administrator Reference Guide for more information. 143

144 Identikey Data Store Multiple Identikey Servers If more than one Identikey Server is installed on the system, some additional setup may be required. Multiple Identikey Servers Using Same Database If more than one Identikey Server is using the one ODBC database, no additional setup steps are required. A backup database should be considered. Image 46: Multiple Identikey Server Using Single Database 144

145 Identikey Data Store Replication When multiple Identikey Servers are in use each with their own database, they can be configured to replicate data changes between them, to keep all database synchronized Common Scenarios Primary and Backup Identikey Servers The most common, and most basic, replication setup is used when a company has two Identikey Servers one primary, to which all authentication requests are customarily sent, and a backup Identikey Server for use when the primary server is busy or unavailable. Replication is usually set to occur very frequently. Image 47: Replication between a Primary and Backup Identikey Server 145

146 Identikey Data Store Primary, Backup and Disaster Recovery Identikey Servers This scenario is often used when a company requires an offsite disaster recovery Identikey Server and database. Image 48: Replication between Primary, Backup, and Disaster Recovery in Identikey Server Other Scenarios Other replication scenarios may also be used. For example, a company may have three Identikey Servers, all replicating to each other. This may keep data up to date better than a simpler replication chain. 146

147 Identikey Data Store Image 49: Replication between three Identikey Servers Or, a company might require two Primary Identikey Servers, each with a backup Identikey Server, and add in an extra replication link to speed up data communications: Image 50: Complex Identikey Server Replication Scenario 147

148 Identikey Data Store 12.3 Sensitive Data Encryption Sensitive data is encrypted by the Identikey Server using an embedded key. If needed, this encryption may be strengthened by including a custom encryption key. See the Administrator Reference Guide for more information. 148

149 Licensing 13 Licensing 13.1 Overview VASCO products are licensed per Component record in the data store. The licensing relies upon a License Key which is checked when the Identikey Server starts. This License Key is tied to the location (IP address) where the Identikey Server is installed, and stored in the Component record for the Identikey Server. The Identikey Server will not authenticate a user without a correct License Key, except to permit administration. SOAP, RADIUS, and the Authorization, Signature Validation and Provisioning scenarios all require a License Key. Client modules such as the IIS 6 Module or Citrix Web Interface also require a License Key to be loaded into their Component record. The Identikey Servers to which they connect will otherwise reject all authentication requests from them. Evaluation License An evaluation license means that you can use its full functionality until the evaluation period runs out. At the end of this period, you will need to either uninstall the product or buy a permanent license. Contact your distributor or the appropriate VASCO Reseller representative to acquire the licences you will need. For your convenience, the evaluation serial number is embedded in the installation program. You will still need to obtain and load a license key. Client module licenses can also be evaluation (time-limited) licenses Obtaining and Loading a License Key The Identikey Server Configuration Wizard will guide you through the process of requesting and loading a License Key. However, if for some reason it is not possible to complete the licensing at installation time, the Web Administration Interface can be used to obtain and load a License Key for a Component. This process must be completed for each Identikey Server, and requires an active internet connection to open the Manage Identikey ServerPage. 149

150 Auditing and Tracing 14 Auditing and Tracing 14.1 Audit System The VASCO Audit System consists of a number of auditing modules which save audit messages to a specific format (eg. text file or database) and an Audit Viewer which can open, display and filter audit messages from various sources. Image 51: Audit System Overview Audit messages are primarily generated by the Identikey Server. They may be recorded by a number of different methods: Windows Event Log (to be viewed in the Event Log Viewer) Syslog (In Linux environments) Text file ODBC-compliant database Audit messages may also be passed directly to an Audit Viewer as a live feed Configure Auditing Output Auditing output from the Identikey Server can be configured using the Identikey Server Configuration. See the Configuration section of the Administrator Reference for more information. 150

151 Auditing and Tracing Audit Viewer Image 52: Audit Viewer The Audit Viewer can retrieve messages from several different sources and display audit messages from each in separate windows. Audit messages may be filtered by message type, date and time, or the contents of specific fields Starting the Audit Viewer Windows Use the Start menu (by default, Programs -> VASCO -> Identikey Server -> Audit Viewer) or go to the Identikey Server installation/bin directory. Linux 1. Navigate to the Identikey Server installation directory (by default, /opt/vasco/identikey). 2. Start the Audit Viewer by entering these commands: vds_chroot <IK install directory> /bin/bash dpauditviewer 151

152 Auditing and Tracing Audit message types Type Description Error The message contains details about a system, configuration, licensing or some internal error. Errors do not include normal processing events such as failed logins. Warning Warning messages contain details about potential problems within the system. This could include details such as a failed connection attempt to a database Information Informational messages provide details about events within the system that need to be recorded but do not indicate errors or potential errors. Success Success messages contain details about processing events that were correctly processed. This may include successful authentications or successful administration commands. Failure Failure messages contain details about processing events that failed. This may include rejected authentications, or administration actions that failed. Table 8: Audit message types Active Directory Auditing Active Directory auditing may be enabled and configured to record access and modifications to Digipass-related data used by the Identikey Server. See the Active Directory Auditing topic in the Administrator Reference for more information Tracing The level of tracing for the Identikey Server can be configured using the Identikey Server Configuration utility. Tracing messages will be recorded to a text file. See the Tracing section in the Administrator Reference for more information, and instructions on configuring tracing for the Identikey Server. 152

153 Message Delivery Component 15 Message Delivery Component 15.1 What is the Message Delivery Component? The Message Delivery Component (MDC) interfaces with a gateway service to send a One Time Password to a User s mobile phone. The MDC acts as a service, accepting messages from the Identikey Server, which are then forwarded to a text message gateway via the HTTP/HTTPS protocol. Since every gateway uses different submission parameters, a set of configuration values is required, which can be administered by the MDC Configuration GUI. See the Configuration section of the Administrator Reference for more information Starting the Message Delivery Component Windows The MDC service can be started and stopped through the Windows Service Manager Console. Linux To start the MDC daemon: 1. Enter the chroot environment: vds_chroot <IK install directory> /bin/bash 2. Navigate to usr/share/vasco/init.d 3. Enter the command:./mdc start 153

154 User Self Management Web Site 16 User Self Management Web Site 16.1 What is the User Self Management Web Site? The User Self Management Web Site allows Users to perform functions which are unavailable during a usual login either because the functionality is disabled within the Identikey Server configuration, or because CHAP or another protocol is in use which does not allow the functionality: User Registration and Auto-Assignment Self-Assignment Password Synchronization PIN Change Login Test The site can also be used to help Users get started with their Digipass while they are still in the office and help is available. Image 53: User Self Management Web Site 154