IDENTIKEY Server Windows Installation Guide 3.1
Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright

Copyright 2010 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VASCO, Vacman, IDENTIKEY, axsguard and DIGIPASS are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Document Version: 2.0
Table of Contents

1 Introduction ... 9
1.1 Software Components ... 9
1.2 System Requirements ... 11
1.3 Available Guides ... 13
2 Pre-installation Tasks ... 15
2.1 IDENTIKEY Server Component ... 15
3 Set Up Data Store for IDENTIKEY Server ... 18
3.1 Active Directory ... 18
3.2 ODBC Database ... 20
3.3 Serial Number and Maintenance ID ... 21
4 Start IDENTIKEY Server Installation ... 22
5 Install IDENTIKEY Server in Basic Mode ODBC ... 24
5.1 Basic Installation Mode ... 24
5.2 Basic Installation ... 25
6 Install IDENTIKEY Server in Advanced mode - ODBC ... 42
6.1 Advanced Installation ... 42
6.2 Set Up a Hardware Security Module ... 68
7 Install IDENTIKEY Server - Active Directory ... 72
7.1 Active Directory Scenario and Decisions ... 72
7.2 Install IDENTIKEY Server for Active Directory ... 73
8 Deploy IDENTIKEY Server Administration Web Interface ... 104
8.1 Deploy Administration Web Interface on the same machine as IDENTIKEY Server ... 104
8.2 Deploy Administration Web Interface on a Dedicated Machine ... 113
8.3 Web Administration Setup Tool ... 114
9 Post-Installation Tasks ... 117
9.1 Licensing ... 117
9.2 Backup Strategy ... 117
9.3 Audit Settings ... 117
9.4 Database Tasks ... 118
9.5 Set Up User Self Management and OTP Request Websites ... 120
9.6 Increase Tomcat Memory Allocation (64-bit Only) ... 121
10 Install Additional IDENTIKEY Server ... 123
10.1 Install IDENTIKEY Server Component ... 123
10.2 Configure Additional IDENTIKEY Servers ... 123
10.3 Replication ... 123
11 Add Components to Installation ... 124
12 Repair Installation ... 125
13 Uninstall IDENTIKEY Server ... 126
13.1 Data Removal ... 126
13.2 Ports ... 126
14 Extend Data Store Schema ... 127
15 Upgrade IDENTIKEY Server ... 130
15.1 Upgrade Paths ... 130
15.2 System Requirements ... 130
15.3 Upgrade IDENTIKEY Server for 32-bit and 64-bit Windows ... 130
15.4 Additional Features for IDENTIKEY Server for 64-bit Windows ... 135
16 Technical Support ... 136
Illustration Index

Image 1: IDENTIKEY Server Installation Welcome Window ... 22
Image 2: IDENTIKEY Server Installation Welcome Window ... 23
Image 3: IDENTIKEY Server Installation - Installation Type Window ... 25
Image 4: IDENTIKEY Server Installation - License Agreement Window ... 26
Image 5: IDENTIKEY Server Installation - Select Installation Path Window ... 27
Image 6: IDENTIKEY Server Installation - Installation Progress Window ... 28
Image 7: IDENTIKEY Server Installation - Installation Progress Window ... 29
Image 8: IDENTIKEY Server Installation - Installation Progress Window - PostgreSQL ... 30
Image 9: IDENTIKEY Server Configuration Wizard - Start Window ... 31
Image 10: IDENTIKEY Server Configuration Wizard - IP Address Window ... 32
Image 11: IDENTIKEY Server Configuration Wizard - First Administrator Window ... 33
Image 12: IDENTIKEY Server Configuration Wizard - License Window ... 34
Image 13: IDENTIKEY Server Configuration Wizard - Server Functionality Window ... 35
Image 14: IDENTIKEY Server Configuration Wizard - Server Certificate Window ... 36
Image 15: IDENTIKEY Server Configuration Wizard - Deploy Administration Web Interface Window ... 36
Image 16: IDENTIKEY Server Configuration Wizard - RADIUS Topology Window ... 37
Image 17: IDENTIKEY Server Configuration Wizard - RADIUS Client Window ... 38
Image 18: IDENTIKEY Server Configuration Wizard - RADIUS Backend Window ... 38
Image 19: IDENTIKEY Server Configuration Wizard - Summary Window ... 39
Image 20: IDENTIKEY Server Configuration Wizard - Completion Window ... 39
Image 21: Import DPX Files Window ... 40
Image 22: IDENTIKEY Server Installation Complete Window ... 41
Image 23: IDENTIKEY Server Select Installation Type Window ... 42
Image 24: IDENTIKEY Server Installation - Data Storage Window ... 43
Image 25: IDENTIKEY Server Installation - Select Components Window ... 44
Image 26: IDENTIKEY Server Installation - License Agreement Window ... 45
Image 27: IDENTIKEY Server Installation - Custom Setup window ... 46
Image 28: IDENTIKEY Server Installation - Ready to Install IDENTIKEY Server window ... 47
Image 29: Installing IDENTIKEY Server progress window ... 48
Image 30: IDENTIKEY Server Setup Wizard Completed window ... 49
Image 31: IDENTIKEY Server Installation - Select Components window ... 50
Image 32: IDENTIKEY Server Configuration Wizard - Start Window ... 51
Image 33: IDENTIKEY Server Configuration Wizard - Hardware Security Module ... 51
Image 34: IDENTIKEY Server Configuration Wizard - Hardware Security Module Storage Key ... 52
Image 35: IDENTIKEY Server Configuration Wizard - Hardware Security Module Data Encryption Key ... 53
Image 36: IDENTIKEY Server Configuration Wizard - Select Database Window ... 53
Image 37: IDENTIKEY Server Configuration Wizard - Database Window ... 54
Image 38: IDENTIKEY Server Configuration Wizard - User ID/Domain conversion Window ... 55
Image 39: IDENTIKEY Server Configuration Wizard - Master Domain Window ... 55
Image 40: IDENTIKEY Server Config IP Address Window ... 56
Image 41: IDENTIKEY Server First Administrator Window ... 57
Image 42: IDENTIKEY Server Sensitive Data Encryption Window ... 57
Image 43: IDENTIKEY Server Custom Data Encryption Window ... 58
Image 44: IDENTIKEY Server Load Data Encryption Window ... 59
Image 45: IDENTIKEY Server Configuration Wizard - License Window ... 59
Image 46: IDENTIKEY Server Configuration Wizard - Server Functionality Window ... 60
Image 47: IDENTIKEY Server Configuration Wizard - Server Certificate Window ... 61
Image 48: IDENTIKEY Server Configuration Wizard - Server Certificate Password Window ... 61
Image 49: IDENTIKEY Server SSL Server Certificate Selection ... 62
Image 50: IDENTIKEY Server Automatic Server Location Support ... 63
Image 51: IDENTIKEY Server Web Admin Client Window ... 64
Image 52: IDENTIKEY Server Sample Web Client Window ... 64
Image 53: IDENTIKEY Server Configuration Wizard - Summary Window ... 65
Image 54: Select Components completed Window ... 66
Image 55: Installation Completed page ... 67
Image 56: IDENTIKEY Server Setup - Installation Type window ... 73
Image 57: IDENTIKEY Server Setup - Data Storage window ... 74
Image 58: IDENTIKEY Server Setup - Digipass Extension for Active Directory Prerequisites window ... 75
Image 59: Microsoft .NET license agreement ... 76
Image 60: IDENTIKEY Server Setup - Digipass Extension for Active Directory Prerequisites window ... 77
Image 61: IDENTIKEY Server Setup - Digipass Extension for Active Directory Prerequisites installation complete window ... 78
Image 62: IDENTIKEY Server Setup - Select Components Window ... 79
Image 63: IDENTIKEY Server Setup Wizard Start Page ... 80
Image 64: IDENTIKEY Server Setup - License Agreement Window ... 81
Image 65: IDENTIKEY Server Setup - Custom Setup window ... 82
Image 66: IDENTIKEY Server Setup - Ready to Install IDENTIKEY Server window ... 83
Image 67: Installing IDENTIKEY Server progress window ... 84
Image 68: IDENTIKEY Server Setup Wizard finish window ... 85
Image 69: IDENTIKEY Server Installed Select Components ... 86
Image 70: IDENTIKEY Server Configuration Wizard - Start Window ... 87
Image 71: IDENTIKEY Server Configuration Wizard - Active Directory Pre-requisites Window ... 87
Image 72: IDENTIKEY Server Configuration Wizard - Digipass Configuration Domain Window ... 88
Image 73: IDENTIKEY Server Configuration Wizard - Active Directory Certificate Authority Window ... 89
Image 74: IDENTIKEY Server Configuration Wizard - IP Address Window ... 89
Image 75: IDENTIKEY Server Configuration Wizard - First Administrator Window ... 90
Image 76: IDENTIKEY Server Configuration Wizard - Sensitive Data Encryption Window ... 90
Image 77: IDENTIKEY Server Configuration Wizard - Custom Data Encryption Window ... 91
Image 78: IDENTIKEY Server Configuration Wizard - Load Data Encryption Window ... 92
Image 79: IDENTIKEY Server Configuration Wizard - License Window ... 92
Image 80: IDENTIKEY Server Configuration Wizard - Server Functionality Window ... 93
Image 81: IDENTIKEY Server Configuration Wizard - SSL Server Certificate Window ... 94
Image 82: IDENTIKEY Server Configuration Wizard - SSL Server Certificate Password Window ... 94
Image 83: IDENTIKEY Server Configuration Wizard - SSL Server Certificate Selection Window ... 95
Image 84: IDENTIKEY Server Configuration Wizard - Automatic Server Location Support ... 95
Image 85: IDENTIKEY Server Configuration Wizard - Web Admin Client Window ... 97
Image 86: IDENTIKEY Server Configuration Wizard - Sample Web Client Window ... 97
Image 87: IDENTIKEY Server Configuration Wizard - Domain Service Account Window ... 98
Image 88: IDENTIKEY Server Configuration Wizard - Summary Window ... 99
Image 89: Deploying IDENTIKEY Server Web Administration Module Window ... 99
Image 90: Deploying IDENTIKEY Server Web Administration Module Wizard Results Window ... 100
Image 91: IDENTIKEY Server Installation Complete Window ... 101
Image 92: IDENTIKEY Server Installation Custom Setup Window ... 102
Image 93: Windows Start Menu showing location of Active Directory Users and Computers ... 103
Image 94: My Computer - Manage ... 105
Image 95: IDENTIKEY Server Computer Management console ... 105
Image 96: Apache Tomcat Introduction page ... 106
Image 97: Apache Tomcat Manager login ... 107
Image 98: Apache Tomcat Manager ... 108
Image 99: Apache Tomcat Manager ... 109
Image 100: Administration Web Interface login ... 110
Image 101: Apache Tomcat memory pool ... 111
Image 102: Location of struts.properties file ... 112
Image 103: IDENTIKEY Server Installation Welcome Window ... 131
Image 104: IDENTIKEY Server Data Storage Window ... 132
Image 105: IDENTIKEY Server 3.1 Update Window ... 133
Image 106: IDENTIKEY Server Setup Upgrade Window ... 134
Image 107: IDENTIKEY Server Database Configuration Wizard Window ... 135
1 Introduction

This Installation Guide is designed to provide you with the information you will need in order to install IDENTIKEY Server. It will guide you through preparation, installation and post-installation tasks which may be required for your system.

1.1 Software Components

IDENTIKEY Server consists of various components, some necessary and some optional.

1.1.1 Required Components

IDENTIKEY Server
The IDENTIKEY Server is a server component that performs authentication, signature validation, administration and provisioning tasks. It runs as a Windows service.

Data Store
The following data stores are supported:
- ODBC: either the embedded PostgreSQL database supplied with IDENTIKEY Server, or your own ODBC-compliant database
- Active Directory

Web Administration Interface
Allows all IDENTIKEY Server data store administration tasks to be carried out over a web interface.

1.1.2 Optional Components

Embedded Database
An embedded PostgreSQL database is available for use with IDENTIKEY Server.
Note: The embedded PostgreSQL database is NOT available for 64-bit Windows.

Embedded Web Application Server
Apache Tomcat may be installed as the embedded web application server for the Web Administration Interface.
Virtual DIGIPASS Message Delivery Component
This is a service that is responsible for delivering One Time Passwords through a text message HTTP gateway to a User's mobile phone.

DIGIPASS TCL Command-Line Administration
Administration may also be carried out using the DIGIPASS TCL Command-Line Administration Utility, which allows interactive command-line and scripted administration of IDENTIKEY Server data.

Audit Viewer
The Audit Viewer is a GUI application that can display and filter audit messages from the IDENTIKEY Server. It can read the data from text files and ODBC databases or receive a live feed from the IDENTIKEY Server.

OTP Request Site
This is a miniature web site that allows a User to request a Virtual DIGIPASS OTP to be sent to their mobile phone.

User Self Management Web Site
This is a miniature web site that allows Users to make appropriate changes to their own DIGIPASS settings, such as PIN changes. This is used in a RADIUS environment, when the normal authentication requests are made using a CHAP-based protocol and therefore PIN changes and other 'self-management' features are not possible.

1.1.3 DIGIPASS Authentication for Windows Logon

DIGIPASS Authentication for Windows Logon is a separate module which integrates VASCO's two-factor authentication into Windows logins. It requires extra licensing to be supported in IDENTIKEY Server. For more information on this module, see the DIGIPASS Authentication for Windows Logon Product Guide.

1.1.4 IDENTIKEY Server SDK

The Software Development Kit allows creation of custom SOAP clients and authentication engines, using the SOAP interface. This is an upgrade add-on to IDENTIKEY Server and will only be available for installation if it has been purchased. It requires a separate installation program.

1.1.5 Data Migration Tool

The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your data from one VASCO product to another. It requires a separate installation.
1.2 System Requirements

1.2.1 Server Component

IDENTIKEY Server requires one of:
- Windows Server 2008 (32-bit or 64-bit) with Service Pack 2 or above
- Windows Server 2008 R2 (64-bit only)
- Windows Vista (32-bit) with Service Pack 2 or above
- Windows XP (32-bit) with Service Pack 3 or above
- Windows Server 2003 (32-bit or 64-bit) with Service Pack 2 or above
- Windows Server 2003 R2 (32-bit or 64-bit) with Service Pack 2 or above
- Windows Small Business Server 2003 with Service Pack 1 or above
- Windows Small Business Server 2008 (64-bit only) with Service Pack 2 or above

1.2.2 Administration Web Interface

The Administration Web Interface can be run on the following operating systems:
- Windows Server 2008 (32-bit or 64-bit) with Service Pack 2 or above
- Windows Server 2008 R2 (64-bit only)
- Windows Vista (32-bit) with Service Pack 2 or above
- Windows XP (32-bit) with Service Pack 2 or above
- Windows 2003 (32-bit or 64-bit) with Service Pack 2 or above
- Windows 2003 R2 (32-bit or 64-bit) with Service Pack 2 or above

The Administration Web Interface can be run on any Java web application server running:
- Java Runtime Environment version 5.0 or above
- Java Server Pages version 2.0 or above
- Java Servlets version 2.4 or above

It has been tested primarily on Apache Tomcat 5.5.

It is compatible with most common browsers, including:
- Internet Explorer 6.0
- Internet Explorer 7.0
- Mozilla Firefox 2.0
- Opera 9.0
- Netscape 8.1 (a few cosmetic issues appear with this browser)

1.2.3 Other Components

The Message Delivery Component, Audit Viewer and DIGIPASS TCL Command-Line Administration require one of:
- Windows Server 2003 (32-bit or 64-bit) with Service Pack 2 or above
- Windows Server 2003 R2 (32-bit or 64-bit) with Service Pack 2 or above
- Windows XP Professional (32-bit) with Service Pack 3 or above
- Windows Vista (32-bit) with Service Pack 1 or above
- Windows 2008 (32-bit or 64-bit) GUI version with Service Pack 2 or above

The Request OTP and User Self Management Websites require any web server capable of running CGI.

1.2.4 Requirements Specific to Active Directory

- DIGIPASS Extension for Active Directory Users and Computers
- Active Directory Users and Computers Snap-In
- Active Directory set up for SSL

In the following cases, SSL must be available for IDENTIKEY Server components to connect to Active Directory:
- IDENTIKEY Server not installed on a Domain Controller.
- Administration Interfaces not installed on a Domain Controller.
- IDENTIKEY Server and/or Administration Interface(s) on a Domain Controller, but accessing data in another domain.

An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows Certificate Services is available as an optional Windows component. However, if you do not wish to install a CA, you can select during installation not to use SSL. Be aware that without SSL the LDAP traffic between the IDENTIKEY Server components and the Domain Controller is not encrypted on the network, which is why this option only makes sense when those components run on the Domain Controller they query.

Prerequisites
1. If Active Directory is installed on a Windows 2003 machine and it is being managed using a Windows XP machine, you will have to download the Admin Pack from the Microsoft website and install it on the XP machine.
2. If Active Directory is installed on a Windows 2008 machine and it is being managed using a Windows Vista machine, Vista SP1 must be downloaded from the Microsoft website and installed on the Vista machine. Then the Remote Server Administration Tools package must be downloaded from the Microsoft website and installed and enabled on the Vista machine.
1.2.5 Requirements Specific to ODBC Database

IDENTIKEY Server will support most modern ODBC-compliant relational, transactional databases. It has been tested on the following databases:
- Oracle 11g
- Microsoft SQL Server 2005 Full Enterprise Edition and Express
- DB2 8.1 (32-bit) and 9.1 (64-bit)
- Sybase Adaptive Server Anywhere 11.0
- PostgreSQL 8.3

Note: When setting up a DB2 database, the page size should be set to at least 8192 bytes (8K). A smaller page size will cause an error when IDENTIKEY Server attempts to connect to the database.

1.2.6 Requirements Specific to HSM

SafeNet ProtectServer is the only Hardware Security Module supported by IDENTIKEY Server. If a Hardware Security Module is to be used with IDENTIKEY Server, the following SafeNet software is required on the machine on which IDENTIKEY Server will be installed:
- Network or PCI Access Provider v4.00
- ProtectToolKit C Runtime Library v4.00

1.2.7 Language

IDENTIKEY Server is designed to function on any language version of Windows. However, the product has only been comprehensively tested on English language versions of Windows.

1.3 Available Guides

The following IDENTIKEY Server guides are available:

Product Guide
The Product Guide will introduce you to the features and concepts of IDENTIKEY Server and the various options you have for using it.
Getting Started Guide
The Getting Started Guide will lead you through a standard setup and testing of key IDENTIKEY Server features.

Windows Installation Guide
Use this guide when planning and working through an installation of IDENTIKEY Server in a Windows environment.

Linux Installation Guide
Use this guide when planning and working through an installation of IDENTIKEY Server in a Linux environment.

Administrator Reference
In-depth information required for administration of IDENTIKEY Server. This includes references such as data attribute lists, backup and recovery and utility commands.

Performance and Deployment Guide
Contains information on common deployment models and performance statistics.

Help Files
Context-sensitive help accompanies the Administration Web Interface and DIGIPASS Extension for Active Directory Users and Computers.

IDENTIKEY Server SDK Programmers Guide
In-depth information required to develop using the SDK.
2 Pre-installation Tasks

This section outlines the preparation that you need to do before installing IDENTIKEY Server.

Please note that to perform pre-installation and installation tasks you must be logged in as Administrator on the system where IDENTIKEY Server is to be installed. The administrator User ID must be the built-in Administrator account, not a normal User ID that has been given administrator privileges.

2.1 IDENTIKEY Server Component

The following tasks must be completed before installing the IDENTIKEY Server on a machine.

2.1.1 Data Store Type

Before starting other pre-install tasks, you must decide on the type of data store to be used.

Microsoft Active Directory
Integrate DIGIPASS-related data with Active Directory and Windows user accounts using the Active Directory Users and Computers Snap-In.

Embedded Database
A PostgreSQL database may be installed with IDENTIKEY Server. This can only be used with 32-bit Windows.
Note: If you will be installing IDENTIKEY Server with the embedded PostgreSQL database, you will need to run the installation on the machine itself, rather than via Remote Desktop or another remote connection.

Other ODBC Database
Include DIGIPASS-related data in a new or existing ODBC database. The database may be located on any machine to which the IDENTIKEY Server can connect.

2.1.2 Master Domain

IDENTIKEY Server has the concept of a Master Domain. This domain has special significance in two ways:
- It is used as the default domain, when no domain is specified.
- Only Administrators in the Master Domain may be assigned the privilege to view data from all domains. Administrators in other domains will only ever be able to view data in their own domain.
The default name for the Master Domain is master. If you prefer to use another name, you will need to enter this name during the Configuration Wizard.

2.1.3 User ID and Domain Name Conversion

The IDENTIKEY Server may be configured to handle User IDs and domain names in a number of ways. It is important that these are set up before data is added to the database. Before installing, decide which settings to use.

Case-sensitivity
The IDENTIKEY Server may be configured to save and retrieve User IDs and domain names in lower case, upper case or with no conversion (data is saved or searched on exactly as entered). The configuration required will depend on your company's requirements and the capabilities of the database used as the data store. See the Encoding and Case-Sensitivity topic in the Administrator Reference for more information.

The case conversion of User IDs and domain names is set using the Configuration Wizard immediately after installation, or by running the IDENTIKEY Server Configuration utility at any time afterwards.

Caution: Changing case conversion after the initial configuration may require modification of all User IDs and domain names in the data store.

Windows name resolution
Enable Windows Name Resolution to allow the IDENTIKEY Server to use Windows functionality to resolve a User ID as entered during a login into a User ID and Domain. This feature is recommended if all User accounts correspond to Windows (Active Directory) User accounts. If they do not correspond, the feature will not be suitable. Windows Name Resolution works well with Dynamic User Registration. See the Product Guide for more information.

2.1.4 System Clock

The IDENTIKEY Server requires that:
- Your server's time is set correctly in relation to GMT, and
- The time zone and daylight savings indicators are set correctly.

All machines hosting the IDENTIKEY Server component must be very closely clock-synchronized.
2.1.5 Domain Name Services

If DIGIPASS Authentication for Windows Logon will be in use with the IDENTIKEY Server, you may need a reverse zone implemented, with a PTR record existing for each client Windows machine. This is required for Dynamic Component Registration.

2.1.6 Embedded PostgreSQL Database

2.1.6.1 Local Users Group Permissions

If the local Users group has restricted permissions on the Program Files directory, the installation of the PostgreSQL database may fail. To avoid this problem, two options are available:
- Set the required permissions for the local Users group
- Create the PostgreSQL service account before installation and set the required permissions for it (it is usually created automatically during installation)

The PostgreSQL service account requires a User ID of dppostgres and a password of p!ss&0rd. Because this credential is published in this guide, treat it as known to anyone who has read the guide: give the account only the permissions listed here and do not reuse it for anything else.

The permissions required for the Program Files directory are:
- Read & Execute
- List Folder Contents
- Read

2.1.7 User Self Management Website

If the Self Management website is to be installed on Windows 2008, please note the following:
1. When adding the IIS role, the 'IIS Backwards Compatibility with IIS6' feature must be installed and enabled.
2. The 'CGI' feature must be selected when installing IIS on Windows 2008 to enable the User Admin web sites to function correctly.
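The script below is an added example, not part of the VASCO guide, showing how the second option in 2.1.6.1 can be carried out and verified from an elevated prompt: it pre-creates the dppostgres account with the user ID and password the guide requires, grants that account and the local Users group the Read & Execute, List Folder Contents and Read permissions on the Program Files directory, and then checks the resulting ACL. It assumes 32-bit Windows Server 2003 SP2, Vista or 2008 with PowerShell 2.0 (icacls is not shipped with Windows XP), that you are logged on as the built-in Administrator, and that the password for this account should not expire; that last step is my addition and is not something the guide states.

```powershell
# Added example (not from the VASCO guide): create the PostgreSQL service
# account the installer expects and grant the Program Files permissions the
# guide lists, so the embedded-database install does not fail when the local
# Users group has been locked down. Run as the built-in Administrator.

$account  = 'dppostgres'      # user ID the installer requires (from the guide)
$password = 'p!ss&0rd'        # password the installer requires (from the guide)
$target   = $env:ProgramFiles # directory whose ACL the guide talks about

# 1. Create the local account only if it does not exist yet.
cmd /c "net user $account >nul 2>&1"
if ($LASTEXITCODE -ne 0) {
    net user $account $password /add /expires:never | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not create local account $account" }
    # Assumption, not in the guide: stop password-expiry policy from
    # disabling the service account later on.
    wmic useraccount where "name='$account'" set PasswordExpires=false | Out-Null
}

# 2. Grant Read & Execute (RX), which includes List Folder Contents and Read,
#    inherited by subfolders (CI) and files (OI), to the service account and
#    to the local Users group.
foreach ($principal in @($account, 'Users')) {
    icacls "$target" /grant "${principal}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $principal on $target" }
}

# 3. Verify: icacls prints entries as MACHINE\name:(OI)(CI)(RX); the account
#    must now appear with exactly that inherited RX entry.
$acl = icacls "$target"
if (-not ($acl -match "\\${account}:\(OI\)\(CI\)\(RX\)")) {
    throw "Expected ACE for $account not found on $target"
}
"ACL on $target is ready for the embedded PostgreSQL installation."
```

Run the script once before starting the installer; if step 3 throws, the installer will most likely fail in the same way, so fix the ACL first rather than retrying the installation.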
3 Set Up Data Store for IDENTIKEY Server

IDENTIKEY Server may use either Microsoft's Active Directory or an ODBC-compliant database as its data store. The data store is selected during installation.

Active Directory
If IDENTIKEY Server will use Active Directory as its data store, the steps in 3.1 Active Directory must be followed before installing IDENTIKEY Server.

ODBC Database
If IDENTIKEY Server will use the embedded PostgreSQL database as its data store, no specific database setup is required before installing IDENTIKEY Server. If IDENTIKEY Server will use another ODBC database as its data store, then follow the steps in 3.2 ODBC Database before installing IDENTIKEY Server.

3.1 Active Directory

3.1.1 Checklist Decisions

The following checklist contains the key decisions to make before you start:

Approve the Schema Extensions
If your company has an approval process to go through for extensions to the Active Directory Schema, then go through this process.

Enterprise Root Certificate Server
If a new Certificate Server is required, and your company requires an approval process to be followed to install one, go through this process.

Identify the DIGIPASS Configuration Domain
Either identify an existing Domain or sub-domain into which the DIGIPASS Configuration Container should be added, or plan to create a new one.

Domain Administrator
Select a Domain Administrator account in the DIGIPASS Configuration Domain to use in installing IDENTIKEY Server.

Installation Location
Decide where to install the IDENTIKEY Server.
If you are installing with the purpose of going through a basic evaluation process, installing onto a Domain Controller is recommended. This will mean that SSL will not need to be set up in order for the IDENTIKEY Server to function.

3.1.2 Active Directory Setup

Run the addschema command to extend the Active Directory schema:
1. Log into the Schema Master as a member of the Schema Administrators group.
2. Copy dpadadmin.exe from the CD-IMAGE\Software\Windows\X86 or amd64\utilities\dpadadmin installation directory on the installation CD onto the Schema Master.
3. Open a command prompt in the location to which it was copied.
4. Type: dpadadmin addschema -v
5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.
6. Wait several minutes for the Schema extensions to replicate to all the domains and for the local Domain Controller to update its internal data caches.

3.1.3 SSL Setup

The IDENTIKEY Server can use SSL when communicating with Active Directory. For this to work correctly, an Enterprise root Certificate Authority must exist in the forest. It may be installed on any server in the forest, provided the server selected is reachable from the Domain Controller(s) used by the IDENTIKEY Server. Alternatively, an option is provided during installation to not use SSL in communications between the IDENTIKEY Server and Active Directory. If LDAP SSL will be disabled, no Certificate Authority is required, but the LDAP traffic between the IDENTIKEY Server and the Domain Controller is then not encrypted on the network.

1. If not already available, install Certificate Services on the selected machine. This is a Windows component; you may need access to the original Windows installation files or CD/DVD.
2. Generate the Enterprise root CA certificate.
3. You may need to wait several minutes to allow the Domain Controllers to enrol for Domain Controller certificates.
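Step 3 above is where an SSL-enabled installation usually goes wrong: the Configuration Wizard will be told to use SSL while the Domain Controller has not yet enrolled for a certificate, or has one from the wrong CA. The check below is an added example, not VASCO's code, that connects to the LDAPS port (636) of a Domain Controller, completes the SSL handshake, and reports whether the presented certificate was issued by the expected enterprise CA, is still valid, and passes Windows' own chain and name validation. The Domain Controller name and the CA common name are placeholders you must replace; the script needs PowerShell 2.0 or later on the machine where IDENTIKEY Server will run.

```powershell
# Added example (not from the VASCO guide): confirm that LDAP over SSL is
# actually offered by the Domain Controller IDENTIKEY Server will use, and
# that its certificate comes from the enterprise CA, before selecting the
# SSL option in the Configuration Wizard.

$dc     = 'dc1.corp.example'     # assumption: FQDN of a DC IDENTIKEY Server will use
$caName = 'corp-Enterprise-CA'   # assumption: common name of the enterprise root CA

function Test-LdapsEndpoint {
    param([string]$Server, [string]$ExpectedIssuer)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, 636)   # LDAPS; nothing listens here until a DC certificate exists
    } catch {
        return @{ Ok = $false; Reason = "TCP 636 on $Server refused: no LDAPS listener (DC certificate not enrolled yet?)" }
    }

    # Accept whatever certificate is presented so we can inspect it; the
    # policy errors Windows computes are recorded and checked below.
    $script:policyErrors = $null
    $callback = { param($sender, $cert, $chain, $errors); $script:policyErrors = $errors; return $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)
    } catch {
        $client.Close()
        return @{ Ok = $false; Reason = "SSL handshake with $Server failed: $($_.Exception.Message)" }
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Close(); $client.Close()

    $problems = @()
    if ($cert.Issuer -notmatch [regex]::Escape($ExpectedIssuer)) { $problems += "issued by '$($cert.Issuer)', not by $ExpectedIssuer" }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }
    if ($script:policyErrors -ne [System.Net.Security.SslPolicyErrors]::None) { $problems += "Windows reports $script:policyErrors" }

    return @{
        Ok      = ($problems.Count -eq 0)
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Expires = $cert.NotAfter
        Reason  = ($problems -join '; ')
    }
}

$result = Test-LdapsEndpoint -Server $dc -ExpectedIssuer $caName
if ($result.Ok) {
    "LDAPS on $dc is usable: $($result.Subject) issued by $($result.Issuer), valid until $($result.Expires)"
} else {
    throw "LDAPS check failed for ${dc}: $($result.Reason)"
}
```

A refused connection on 636 right after installing the CA normally just means the Domain Controller has not auto-enrolled yet (step 3); a handshake that succeeds but reports RemoteCertificateChainErrors means the machine running the check does not trust the enterprise root, which IDENTIKEY Server will not either.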
3.2 ODBC Database

The following steps must only be followed if IDENTIKEY Server will be using an ODBC database other than the embedded PostgreSQL database as its data store. If IDENTIKEY Server will be using the embedded database, setup is automatic during installation and configuration.

3.2.1.1 Checklist Decisions

The following checklist contains the key decisions to make before you start:

Database Location and Setup
A number of decisions may be required for the ODBC database to be used:
- The server on which the database will be located.
- Will the data for the IDENTIKEY Server be stored in a new database, or added to an existing database?
- Will a new schema be used?

New Database
Decide the collation sequence to be used, for example, case-sensitivity.

Database User Accounts
Create or select database user accounts for:
- Modifying the database schema (database administrator account required).
- IDENTIKEY Server (see the Administrator Reference for details on the permissions required).

3.2.1.2 Modify Database Structure

DPDBADMIN Utility
If the embedded ODBC database is not being used, the addschema command must be run to set up the required schema in the database to be used for IDENTIKEY Server.

Run the addschema command:
1. Copy dpdbadmin.exe from the CD-IMAGE\Software\Windows\X86 or amd64\Utilities\dpdbadmin directory on the installation CD or zip file onto the computer from which the database can be accessed.
2. Create an ODBC Data Source for the database on the computer, if one does not currently exist.
3. Open a command prompt in the location to which it was copied.
4. Enter: dpdbadmin addschema -u user_name -p password -d dsn
Ensure that the User ID and password used are those of the database administrator account. For further details on DPDBADMIN, see 14 Extend Data Store Schema.

Note: Due to limitations with Microsoft SQL Server 2005 Express Edition on 64-bit operating systems, DSN entries must be registered as user DSN entries, not system DSN entries.

Permissions
If the database user account used by the IDENTIKEY Server is not the owner of the tables and is not a database administrator account, it must be granted permissions for the tables, or ownership of the tables transferred.

Note: Ensure that it is possible for the account(s) mentioned to reference the tables by name without a schema prefix. If this cannot be done, see the Administrator Reference for advanced setup instructions.

3.3 Serial Number and Maintenance ID

You must have a product Serial Number and a company Maintenance ID unless you are installing an evaluation version of IDENTIKEY Server. If these have not been issued to you, contact your VASCO supplier.
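Steps 2 to 4 of 3.2.1.2, together with the note about user DSNs, can be scripted so that the DSN is created in the form the guide requires and dpdbadmin's result is actually checked. The script below is an added example, not VASCO's code: it registers a user DSN for a SQL Server database directly in the registry (user DSNs live under HKCU, which is what the 64-bit SQL Server 2005 Express note calls for), prompts for the database administrator credentials instead of hard-coding them, runs dpdbadmin addschema and fails loudly on a non-zero exit code. The DSN name, server, database name, DBA login name and the path dpdbadmin.exe was copied to are assumptions to be replaced.

```powershell
# Added example (not from the VASCO guide): register a *user* DSN for the
# IDENTIKEY database in the registry, then run dpdbadmin addschema against it
# and check the exit code. All values below are placeholders.

$dsn       = 'IDENTIKEY'                           # assumption: DSN name
$server    = 'dbhost\SQLEXPRESS'                   # assumption: SQL Server instance
$database  = 'identikey'                           # assumption: target database
$dpdbadmin = 'C:\Install\dpdbadmin\dpdbadmin.exe'  # assumption: where step 1 copied it

# User DSNs under HKCU are visible to both 32-bit and 64-bit programs, and
# the System32 driver path is redirected to SysWOW64 for a 32-bit
# dpdbadmin.exe, so one entry serves either build of the utility.
$ini = 'HKCU:\Software\ODBC\ODBC.INI'
if (-not (Test-Path "$ini\$dsn"))               { New-Item -Path "$ini\$dsn" | Out-Null }
if (-not (Test-Path "$ini\ODBC Data Sources"))  { New-Item -Path "$ini\ODBC Data Sources" | Out-Null }
Set-ItemProperty -Path "$ini\$dsn" -Name Driver   -Value "$env:SystemRoot\System32\SQLSRV32.dll"
Set-ItemProperty -Path "$ini\$dsn" -Name Server   -Value $server
Set-ItemProperty -Path "$ini\$dsn" -Name Database -Value $database
Set-ItemProperty -Path "$ini\$dsn" -Name Trusted_Connection -Value 'No'   # dpdbadmin supplies -u/-p
Set-ItemProperty -Path "$ini\ODBC Data Sources" -Name $dsn -Value 'SQL Server'

# The DSN must be listed under "ODBC Data Sources" or the driver manager
# will not resolve it.
$listed = (Get-ItemProperty -Path "$ini\ODBC Data Sources").$dsn
if ($listed -ne 'SQL Server') { throw "User DSN $dsn was not registered" }

# Prompt for the database administrator account rather than storing it in
# the script. The password still appears in dpdbadmin's command line while
# it runs, so do this from an interactive console, not a logged job host.
$cred  = Get-Credential 'sa'                       # assumption: DBA login name
$plain = $cred.GetNetworkCredential().Password

& $dpdbadmin addschema -u $cred.UserName -p $plain -d $dsn
if ($LASTEXITCODE -ne 0) {
    throw "dpdbadmin addschema returned exit code $LASTEXITCODE; check the DBA account and the DSN"
}
"Schema extended in $database via user DSN $dsn."
```

Because the DSN is created for the current user only, run this as the same account that will run dpdbadmin; the IDENTIKEY Server service itself is configured with its own data source later in the Configuration Wizard.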
4 Start IDENTIKEY Server Installation

The installation program will guide you through installing IDENTIKEY Server and the initial configuration necessary to get it operational. It will launch one or more Windows Installers (MSI) followed by the IDENTIKEY Server Configuration Wizard.

Note: If you are running the installation on Microsoft Windows Vista or Microsoft Windows 2008 core, the windows shown in this guide may look slightly different to those displayed onscreen, but the procedure will be the same.

Image 1: IDENTIKEY Server Installation Welcome Window

1. If autorun is enabled on the installation machine, the installer will start up when the CD is inserted. If it does not start automatically, double-click autorun.exe. The Welcome window will be displayed.
2. Click Install Identikey Server 3.1 to start the installation. The Welcome window will be displayed.
Start IDENTIKEY Server Installation Image 2: IDENTIKEY Server Installation Welcome Window 3. Click Next to continue. The three subsequent chapters cover the three types of installation scenario. Choose the instructions to follow depending on which type of installation you wish to perform: Basic installation, using the embedded PostgreSQL database as data store see 5 Install IDENTIKEY Server in Basic Mode ODBC Advanced installation, using an ODBC-compliant database as data store see 6 Install IDENTIKEY Server in Advanced mode - ODBC Advanced installation, using Active Directory as data store see 7 Install IDENTIKEY Server - Active Directory 23
5 Install IDENTIKEY Server in Basic Mode ODBC

There are two installation modes available: Basic and Advanced. If you do not wish to use default installation and configuration settings, follow the instructions in 6 Install IDENTIKEY Server in Advanced mode - ODBC.

5.1 Basic Installation Mode

Basic Installation will install the following:
- IDENTIKEY Server
- PostgreSQL database
- Administration Web Interface
- Apache Tomcat
- Java JRE
- Message Delivery Component (MDC)
- Audit Viewer

After the IDENTIKEY Server has been installed, the Configuration Wizard will be started in Basic mode, which means that there will be limited configuration choices, with many settings set to default values.

Note: Only the embedded PostgreSQL database is available in Basic Installation mode. Basic Installation is NOT available on 64-bit Windows.

5.2 Basic Installation

1. The Installation Type window will be displayed.

Image 3: IDENTIKEY Server Installation - Installation Type Window

2. Click Perform a basic installation.
3. Click Next. The End-User License Agreement screen will be displayed.

Image 4: IDENTIKEY Server Installation - License Agreement Window

4. Read the agreement carefully.
5. To accept the License Agreement, check the box I accept the terms in the License Agreement and click Next. If you do not accept the License Agreement and click Cancel, the install will terminate. The Select Installation Path window will be displayed.

Image 5: IDENTIKEY Server Installation - Select Installation Path Window

6. If you want to install the IDENTIKEY Server somewhere other than the default location, use the Browse button to indicate where.
7. Click Next to continue. The Installation Progress window will be displayed.
Image 6: IDENTIKEY Server Installation - Installation Progress Window

8. Click Install. The IDENTIKEY Server installation will begin.

Image 7: IDENTIKEY Server Installation - Installation Progress Window

The Installer will install each component in turn, checking each one off on the Installation Progress window as it goes.

Image 8: IDENTIKEY Server Installation - Installation Progress Window - PostgreSQL

When the Installer gets to the Run Configuration Wizard step, the IDENTIKEY Server Configuration Wizard will be started automatically. The Installer runs a contracted version of the wizard, which uses default values for some settings.

Image 9: IDENTIKEY Server Configuration Wizard - Start Window

9. Click Next to continue. The IP Address window will be displayed.

Image 10: IDENTIKEY Server Configuration Wizard - IP Address Window

10. Enter the IP address for the IDENTIKEY Server.
11. Click Next. The First Administrator window will be displayed.
Image 11: IDENTIKEY Server Configuration Wizard - First Administrator Window

12. Enter a User ID and Password. Confirm the password and click Next. The License Key window will be displayed. Use this page to load the license for IDENTIKEY Server, or click Next to continue and apply the license at a later date.

Image 12: IDENTIKEY Server Configuration Wizard - License Window

13. Navigate to a license file using the ... button, or click Request a license from 'vasco.com'. Click Next to continue.

Note: The 'Request a License from vasco.com' button will not be available for Windows 2008 Core, as there is no browser available to load the web site. To obtain a license from vasco.com for Windows 2008 Core you will have to download the license on another machine and copy it across to the Windows 2008 Core machine.

Image 13: IDENTIKEY Server Configuration Wizard - Server Functionality Window

The functionality that is permitted by the license loaded on the previous window is selected by default. If no license was loaded, only restricted functionality will be available.

14. Click to de-select any functions not required.
15. Click Next to continue.

Image 14: IDENTIKEY Server Configuration Wizard - Server Certificate Window

16. Enter a Password for the SSL Server Certificate and confirm it.
17. Click Next to continue. Use the next window to deploy the Administration Web Interface.

Image 15: IDENTIKEY Server Configuration Wizard - Deploy Administration Web Interface Window
There are three choices:
- Deploy Administration Web Interface and connect it to the local IDENTIKEY Server. Click this choice to automatically deploy the Administration Web Interface and associate it with the local IDENTIKEY Server without having to enter further details.
- Deploy Administration Web Interface and connect it to a remote IDENTIKEY Server. Click this choice to deploy the Administration Web Interface and also supply the SOAP URL of the remote server on which the required IDENTIKEY Server resides.
- Do not deploy Administration Web Interface. Click this choice to enable you to deploy the Administration Web Interface later.

Click Next to continue to the RADIUS Topology page.

Image 16: IDENTIKEY Server Configuration Wizard - RADIUS Topology Window

18. Select the format of RADIUS topology required.
19. Click Next to continue. If you selected IDENTIKEY Server as a standalone RADIUS server, fill in the details of the RADIUS Client and click Next to continue. If you selected IDENTIKEY Server in front of RADIUS server, fill in the details of the RADIUS Client and RADIUS Backend and click Next to continue.

Image 17: IDENTIKEY Server Configuration Wizard - RADIUS Client Window

Image 18: IDENTIKEY Server Configuration Wizard - RADIUS Backend Window

The Summary window will be displayed.

Image 19: IDENTIKEY Server Configuration Wizard - Summary Window

20. A summary of the settings will be displayed. Click Proceed to continue.

Image 20: IDENTIKEY Server Configuration Wizard - Completion Window

During the deployment of the Administration Web Interface, the Installer will deploy the Administration Web Interface application to the Apache web server using the IDENTIKEY Server certificate. The IDENTIKEY Server Certificate file will be generated during installation and will be placed in the certificate store file with the default password "ikwebpassword".
- The location of the server certificate files is \<install directory>\bin\ikeycerts.pem and \<install directory>\bin\ikeypvk.pem (public and private certificates respectively).
- The location of the certificate keystore is \<install directory>\webadmin\keystore.jks.

21. Click Finish to complete the configuration. The Import DPX Files window will be displayed.

Image 21: Import DPX Files Window

22. The Import DPX Files step is optional. To bypass this step, click Next to continue. To import a DPX file:
   a. Enter the location of the DPX file, or click Browse to navigate to the file.
   b. Enter the Transport Key, which will be supplied by VASCO to accompany the DPX file.
   c. Enter the User ID, password and Server IP for the IDENTIKEY Server that is being installed.
   d. Click Import to install the DPX file.
   When installation is complete, the Installation Completed window will be displayed.

Image 22: IDENTIKEY Server Installation Complete Window

23. Click Finish when the installation is complete.
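The keystore named above is created with the documented default password "ikwebpassword", which anyone reading this guide knows. The following check, an added example written for this guide and not part of VASCO's product or documentation, reads a JKS file and reports whether it still opens with that default. It relies on the JKS integrity digest Java verifies at load time (SHA-1 over the UTF-16BE password, the fixed string "Mighty Aphrodite" and the file body); the function names and the constructed sample keystore are this example's own.

```python
"""Added example (not VASCO's code): detect a JKS keystore that is still
protected by the default Administration Web Interface password."""
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
DEFAULT_WEBADMIN_PASSWORD = "ikwebpassword"   # default named in the guide


def _integrity_digest(password: str, body: bytes) -> bytes:
    # Java's JavaKeyStore pre-keyed hash:
    # SHA-1(UTF-16BE(password) || "Mighty Aphrodite" || body)
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def opens_with_password(data: bytes, password: str) -> bool:
    """True if the trailing 20-byte integrity digest matches `password`."""
    if len(data) < 12 + 20:
        raise ValueError("file too short to be a JKS keystore")
    magic, version, _count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (bad magic/version)")
    body, stored = data[:-20], data[-20:]
    return hmac.compare_digest(_integrity_digest(password, body), stored)


def uses_default_password(data: bytes) -> bool:
    return opens_with_password(data, DEFAULT_WEBADMIN_PASSWORD)


def make_empty_keystore(password: str) -> bytes:
    """Constructed sample: a JKS version-2 keystore with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _integrity_digest(password, body)


def check_file(path: str) -> int:
    """Exit status 1 if the keystore still uses the default password."""
    with open(path, "rb") as f:
        data = f.read()
    if uses_default_password(data):
        print(f"{path}: still protected by the default password; change it")
        return 1
    print(f"{path}: default password rejected")
    return 0


if __name__ == "__main__":
    # e.g. python check_keystore.py "<install directory>\webadmin\keystore.jks"
    sys.exit(check_file(sys.argv[1]))
```

The password can be rotated with the JDK's keytool -storepasswd; whatever configuration references the keystore must then be updated to match, and the two .pem files under \bin should be readable only by the account the server runs as.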
6 Install IDENTIKEY Server in Advanced mode - ODBC

Advanced Installation allows you to customize your installation and configuration in detail. If you wish to use only default installation and configuration options, see 5 Install IDENTIKEY Server in Basic Mode ODBC.

6.1 Advanced Installation

The first window to be displayed will be the Install Type window.

Image 23: IDENTIKEY Server Select Installation Type Window

1. Select the Advanced Installation option button.
2. Click Next. The Data Storage window will be displayed.

Image 24: IDENTIKEY Server Installation - Data Storage Window

3. Select the ODBC Database option button.
4. Click Next. The Select Components window will be displayed.

Image 25: IDENTIKEY Server Installation Select Components Window

5. Click the IDENTIKEY Server 3.1 button. The IDENTIKEY Server Setup Wizard start window will be displayed.
6. Click Next to continue. The License Agreement screen will be displayed.

Image 26: IDENTIKEY Server Installation License Agreement Window

7. Read the agreement carefully.
8. To accept the License Agreement, check the box I accept the terms in the License Agreement and click Next. If you do not accept the License Agreement and click Cancel, the install will terminate. The next screen to be displayed will be the Custom Setup window.
9. Select the features that you want to be installed by clicking on the icons on the window. Click the Reset button to reset all your choices.
10. Click Next to continue.

Image 27: IDENTIKEY Server Installation Custom Setup window

The Ready to Install IDENTIKEY Server window will be displayed.

11. Click Install to continue. The Installing IDENTIKEY Server progress window will be displayed.
Image 28: IDENTIKEY Server Installation Ready to Install IDENTIKEY Server window

12. Click the Next button to continue when it becomes available.

Image 29: Installing IDENTIKEY Server progress window

13. Click Finish to complete the installation of IDENTIKEY Server. The IDENTIKEY Server Setup Wizard finish window will be displayed.

Image 30: IDENTIKEY Server Setup Wizard Completed window

14. The Installer will install the component for each button that is selected. Each installation after the IDENTIKEY Server install is optional.

Image 31: IDENTIKEY Server Installation - Select Components window

15. When the Installer gets to the Run Configuration Wizard step, click the Run Configuration Wizard button and the IDENTIKEY Server Configuration Wizard will be started.

Image 32: IDENTIKEY Server Configuration Wizard - Start Window

16. Click Next to continue. The Hardware Security Module window will be displayed. For more information about setting up a Hardware Security Module, see 6.2 Set Up a Hardware Security Module.

Image 33: IDENTIKEY Server Configuration Wizard - Hardware Security Module
If a Hardware Security Module is being used, click Use the available Hardware Security Module(s) and navigate to the PKCS11 library. Otherwise, click Do not use a Hardware Security Module. In both cases click Next to continue.

17. If a Hardware Security Module is being used, the HSM Storage Key page will be displayed.

Image 34: IDENTIKEY Server Configuration Wizard - Hardware Security Module Storage Key

18. Enter the Storage key label and Slot ID, and check the Key Access Private box if required. Enter the Token Label and Token PIN if the Key Access Private box has been checked. Click Next to continue.

Image 35: IDENTIKEY Server Configuration Wizard - Hardware Security Module Data Encryption Key

Enter the Sensitive data Key Label, and check Key Access Private if required. Enter the Token Label and Token PIN if the Key Access Private box has been checked. Click Next to continue.

19. Click Next to continue.
20. The Select Database window will be displayed.

Image 36: IDENTIKEY Server Configuration Wizard - Select Database Window

21. Select the type of database that is to be used with this installation of IDENTIKEY Server.
22. Click Next to continue. The Database window will be displayed.

Image 37: IDENTIKEY Server Configuration Wizard - Database Window

   a. Enter the ODBC Data Source name for the database that IDENTIKEY Server will use and, if required, a Username and Password.
   b. Click Next to continue. The User ID/Domain conversion window will be displayed.

Image 38: IDENTIKEY Server Configuration Wizard - User ID/Domain conversion Window

23. Select the Case conversion format that you require.
24. Tick the Use Windows Name Resolution checkbox to enable IDENTIKEY Server to use Windows Name Resolution. This is recommended if Dynamic User Registration is to be enabled.
25. Click Next to continue. The Master Domain window will be displayed.

Image 39: IDENTIKEY Server Configuration Wizard - Master Domain Window

26. Enter the name of the Master Domain where the first administrator account will be created.
27. Click Next to continue. The IP Address window will be displayed.

Image 40: IDENTIKEY Server Configuration Wizard - IP Address Window

28. Select the IP address for the IDENTIKEY Server.
29. Click Next to continue. The First Administrator window will be displayed. The first administrator account can be used to log in to IDENTIKEY Server (e.g. using the webadmin) and will have a full set of administrative privileges.
Image 41: IDENTIKEY Server First Administrator Window

30. The Sensitive Data Encryption window will be displayed. The Sensitive Data Encryption windows are only displayed if the HSM option has not been selected.

Image 42: IDENTIKEY Server Sensitive Data Encryption Window

Note: If you will be using a custom encryption key for sensitive data, this should be set before DIGIPASS are imported to the 'live' version of the IDENTIKEY Server. See the Sensitive Data Encryption topic in the Administrator Reference for more information.

31. Selecting the Custom with embedded and custom key combination option will result in the Custom Data Encryption window being displayed.

Image 43: IDENTIKEY Server Custom Data Encryption Window

If you select the Load From File option, the Load Data Encryption window will be displayed.

Image 44: IDENTIKEY Server Load Data Encryption Window

32. With either of the above screens, click Next. The License window will be displayed.

Image 45: IDENTIKEY Server Configuration Wizard License Window

33. Navigate to a licence file using the ... button, or click Request a licence from 'vasco.com'.

Note: The Request a Licence from 'vasco.com' button will not be available for Windows 2008 Core, as there is no browser available to load the web site. To obtain a licence from vasco.com for Windows 2008 Core you will have to download the licence on another machine and copy it across to the Windows 2008 Core machine.

Image 46: IDENTIKEY Server Configuration Wizard Server Functionality Window

34. The functions that are available on the Server Functionality window will be determined by your license. Click in the check box to either select or de-select an available function. Click Next to continue. The SSL Server Certificate Installation window will be displayed.

Image 47: IDENTIKEY Server Configuration Wizard Server Certificate Window

35. To generate and install a test certificate:
   a. Select Generate and install a new test certificate.
   b. Click Next.

Image 48: IDENTIKEY Server Configuration Wizard Server Certificate Password Window

   c. Enter a password for the new certificate.
   d. Click Next.
36. To install a custom certificate:
   a. Select Install my own SSL certificate.
   b. Click Next.

Image 49: IDENTIKEY Server SSL Server Certificate Selection

   c. Enter the location and filename for a private key file (.pvk), or browse to the file.
   d. Enter the private key password, if required.
   e. Enter the location and filename for the trusted certificates file (.pem), or browse to the file.
   f. Click Next. The Automatic Server Location Support window will be displayed.

37. Select a DNS registration option from the drop-down menu:

Image 50: IDENTIKEY Server Automatic Server Location Support

   To skip automatic DNS registration now, select No DNS Service registration.

   To use DNS service registration with a DNS server supporting Dynamic DNS:
   a. Select the DNS service registration with a DNS server supporting Dynamic DNS option.
   b. Enter the name of the DNS domain.
   c. Enter the IP address of the Target Host machine.
   d. Select the priority for connections to the IDENTIKEY Server: Primary server or Backup server.

   To use DNS service registration with a DNS server supporting TSIG authentication:
   a. Select the DNS service registration with a DNS server supporting Dynamic DNS with TSIG authentication option.
   b. Enter the name of the DNS domain.
   c. Enter the Fully Qualified Domain Name of the Target Host machine.
   d. Select the priority for connections to the IDENTIKEY Server: Primary server or Backup server.
   e. Enter the full path and filename for the shared key file.

   Click Test Settings to test that the DNS server settings are correct. The Configuration Wizard will test the connection and list the result on screen.

38. Click Next. The Web Admin Client window will be displayed.

Image 51: IDENTIKEY Server Web Admin Client Window

39. Click Next to continue. The Sample Web Client window will be displayed.
40. Enter the IP address of the location of the Web Administration Client.

Image 52: IDENTIKEY Server Sample Web Client Window

41. Enter the IP address of a web client to be used by the Sample Web Pages in the SDK. This page is optional and only needs to be used if the SDK is to be installed. Click Next to continue.

Image 53: IDENTIKEY Server Configuration Wizard Summary Window

42. A summary of the settings will be displayed. Click Proceed to continue.
43. Click Finish to complete the configuration.
44. The Select Components window will be displayed, showing which components have been installed.

Image 54: Select Components completed Window

45. Click Next to continue. The Installation Completed window will be displayed.

Image 55: Installation Completed page

Note: The Embedded Database is NOT available with 64-bit Windows.
6.2 Set Up a Hardware Security Module

6.2.1 Hardware Security Module Setup

6.2.1.1 Pre-Requisites

Software
The following software must be installed on the HSM:
- Version 2.07 or higher of the SafeNet ProtectServer firmware

The following software must be installed on the machine on which HSM administration tasks will be carried out:
- Network or PCI Access Provider v4.00
- ProtectToolKit C Software Development Kit v4.00
- Protect Processing Orange Software Development Kit v3.00

Administrator Account
The setup process requires administration privileges in at least one administration token and one user token on the Hardware Security Module.

Firmware Module
The VACMAN Controller Firmware Module file (aal2sdk) should be copied to the machine on which the HSM administration will take place.

6.2.1.2 Configuration

Hardware Security Module
1. Install the Hardware Security Module.

VACMAN Controller Firmware
To install the VACMAN Controller Firmware Module in the Hardware Security Module:

2. Generate an SSL certificate in the user slot:
   a. At a command prompt, enter:

      ctcert c -s<UserSlotID> -k -z<KeySize> -l<CertificateName>

      where <UserSlotID> is the ID of the slot on which the certificate should be generated, <KeySize> is the length of private key required, and <CertificateName> is the name you want to give the certificate. KeySize must be at least 1024.
   b. Enter the requested information.

3. Transfer the certificate to the admin slot:
   a. To do this via the command prompt, enter:

      ctcert x -l<CertificateName> -s<UserSlotID> -f<CertExportFileName>
      ctcert I -f<CertExportFileName> -s<AdminSlotID> -l<CertificateName>

      where <CertificateName> is the name of the certificate that you entered when generating the certificate, <UserSlotID> is the ID of the slot in which the certificate was generated, <CertExportFileName> is the filename of the certificate, and <AdminSlotID> is the ID of the administration slot to which the certificate is being copied.

4. Mark the certificate as trusted:
   a. At a command prompt, enter:

      ctcert t -l<CertificateName> -s<AdminSlotID>

      where <CertificateName> is the name of the certificate that you entered when generating the certificate, and <AdminSlotID> is the ID of the administration slot to which the certificate has been copied.

5. Use the trusted certificate to sign the VACMAN Controller Firmware Module:
   a. At a command prompt, enter:

      mkfm -k"<UserSlotLabel>(<PIN>)/<CertificateName>" -faal2sdk -oaal2sdk.fm

      where <UserSlotLabel> is the label for the user slot on which the certificate was generated, <PIN> is the administrator PIN for the token and <CertificateName> is the name of the certificate that you entered when generating the certificate.

6. Upload the firmware module into the HSM:
   a. At a command prompt, enter:

      ctconf -b<CertificateName> -jaal2sdk.fm

      where <CertificateName> is the name of the certificate that you entered when generating the certificate.

Create Storage Key
7. Using the Key Management Utility, create a secret key to use as IDENTIKEY Server's storage key. This will require an administrator login to the token. Note the token label and key label used. Required key attributes:
   - double or triple DES
   - sensitive
   - wrap and unwrap enabled
   - private: optional
   - exportable: optional if key backup in use
   - All other options disabled

Create Sensitive Data Key
8. Using the Key Management Utility, create a sensitive data key. This will require an administrator login to the token, and can be created in the same or a different slot to the storage key created earlier. Note the token label and key label used. Required attributes:
   - AES 128-bit
   - encrypt enabled
   - decrypt enabled
   - sensitive
   Other attribute settings are optional.

Replicate to required slots
If using multiple Hardware Security Modules with IDENTIKEY Server, the keys created above must be replicated to the other HSMs. The following steps will require attributes specific to your HSM setup. Consult the PTK Administration Manual (typical file name ptk_c_administration_manual_rev-c.pdf) for more information.

9. Generate an identity keypair, using the ctident gen command.
10. Create a trust relationship, using the ctident trust command.
11. Replicate the token, using the ctkmu rt command.

6.2.2 IDENTIKEY Server Setup

6.2.2.1 Pre-requisites
The following software must be installed on the machine on which IDENTIKEY Server will be installed:
- Network or PCI Access Provider v4.00
- ProtectToolKit C Runtime Library v4.00

6.2.2.2 Configuration
1. Ensure that licensing for IDENTIKEY Server includes Hardware Security Module functionality.
2. Install IDENTIKEY Server.
3. Configure HSM encryption and connection details in the IDENTIKEY Server Configuration Wizard:
   a. Select Use the available Hardware Security Module(s) in the Hardware Security Module screen.
   b. Click the Browse button and browse to the HSM connection library file. For Windows installations, this will typically be named cryptoki.dll and located in the PTKC runtime installation directory. For Linux installations, it will typically be named libcryptoki.so and copied automatically to the chroot environment; the location will be provided by default.
   c. Click Next.
   d. Enter the name of the storage key created earlier, and the slot ID in which it was created.
   e. If the key was set as private, enter the token label and PIN.
   f. Click Next.
   g. Enter the name of the sensitive data key created earlier.
   h. If the key was set as private, enter the token label and PIN.
   i. Click Next.
   j. Continue with IDENTIKEY Server configuration.
4. Add environment variables:
   a. ET_HSM_NETCLIENT_READ_TIMEOUT_SECS set to a value of 1
   b. ET_HSM_NETCLIENT_WRITE_TIMEOUT_SECS set to a value of 1
   c. ET_HSM_NETCLIENT_CONNECT_TIMEOUT_SECS set to a value of 1
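Steps 2 to 6 of 6.2.1.2 are a fixed command sequence with several placeholders, and steps 7 and 8 state attribute requirements that are easy to get subtly wrong in the Key Management Utility. The following helper, an added example written for this guide and not VASCO's or SafeNet's code, composes that sequence from one parameter set, enforces the KeySize minimum, keeps the token PIN out of logs, and checks a key's attribute set against the requirements of steps 7 and 8. The command syntax and subcommand letters are taken from the guide as printed; the HsmParams fields, function names and the attribute dictionary layout are this example's own assumptions.

```python
"""Added example (not VASCO's or SafeNet's code): HSM firmware-module
command sequence and key-attribute checks from section 6.2.1.2."""
from dataclasses import dataclass
from typing import Dict, List, Union

Attr = Union[bool, int, str]


@dataclass
class HsmParams:
    user_slot_id: int           # slot in which the SSL certificate is generated
    admin_slot_id: int          # administration slot the certificate is copied to
    user_slot_label: str        # label of the user slot (used by mkfm -k)
    pin: str                    # administrator PIN for the token (never logged)
    cert_name: str              # name given to the certificate
    key_size: int = 2048        # guide: KeySize must be at least 1024
    export_file: str = "ikey_cert.export"   # constructed name for ctcert x / I
    fm_source: str = "aal2sdk"              # firmware module file named in the guide
    fm_signed: str = "aal2sdk.fm"           # signed module name from the guide


def build_firmware_commands(p: HsmParams) -> List[List[str]]:
    """Return the argv lists for steps 2-6, in the order the guide runs them."""
    if p.key_size < 1024:
        raise ValueError("KeySize must be at least 1024")
    if "(" in p.user_slot_label or ")" in p.user_slot_label:
        raise ValueError("slot label would break the mkfm -k 'label(pin)/cert' syntax")
    return [
        # step 2: generate the SSL certificate in the user slot
        ["ctcert", "c", f"-s{p.user_slot_id}", "-k", f"-z{p.key_size}", f"-l{p.cert_name}"],
        # step 3: export from the user slot, import into the admin slot
        ["ctcert", "x", f"-l{p.cert_name}", f"-s{p.user_slot_id}", f"-f{p.export_file}"],
        ["ctcert", "I", f"-f{p.export_file}", f"-s{p.admin_slot_id}", f"-l{p.cert_name}"],
        # step 4: mark the certificate trusted in the admin slot
        ["ctcert", "t", f"-l{p.cert_name}", f"-s{p.admin_slot_id}"],
        # step 5: sign the firmware module with the trusted certificate
        ["mkfm", f"-k{p.user_slot_label}({p.pin})/{p.cert_name}",
         f"-f{p.fm_source}", f"-o{p.fm_signed}"],
        # step 6: upload the signed module into the HSM
        ["ctconf", f"-b{p.cert_name}", f"-j{p.fm_signed}"],
    ]


def redact(cmd: List[str], pin: str) -> str:
    """Printable form of a command with the token PIN masked."""
    return " ".join(a.replace(f"({pin})", "(****)") for a in cmd)


def check_storage_key(attrs: Dict[str, Attr], backup_in_use: bool = False) -> List[str]:
    """Step 7 requirements; returns a list of problems (empty means compliant)."""
    problems = []
    if attrs.get("key_type") not in ("DES2", "DES3"):
        problems.append("storage key must be double or triple DES")
    for flag in ("sensitive", "wrap", "unwrap"):
        if not attrs.get(flag):
            problems.append(f"storage key must have {flag} enabled")
    if attrs.get("exportable") and not backup_in_use:
        problems.append("exportable is only allowed when key backup is in use")
    allowed = {"key_type", "sensitive", "wrap", "unwrap", "private", "exportable"}
    for name, value in attrs.items():          # guide: all other options disabled
        if name not in allowed and isinstance(value, bool) and value:
            problems.append(f"storage key must not have {name} enabled")
    return problems


def check_sensitive_data_key(attrs: Dict[str, Attr]) -> List[str]:
    """Step 8 requirements; other attributes are optional per the guide."""
    problems = []
    if attrs.get("key_type") != "AES" or attrs.get("key_bits") != 128:
        problems.append("sensitive data key must be AES 128-bit")
    for flag in ("encrypt", "decrypt", "sensitive"):
        if not attrs.get(flag):
            problems.append(f"sensitive data key must have {flag} enabled")
    return problems


if __name__ == "__main__":
    # constructed parameters; review the redacted plan before running anything
    params = HsmParams(user_slot_id=1, admin_slot_id=0, user_slot_label="IKEY_USER",
                       pin="1234", cert_name="ikeyfm")
    for cmd in build_firmware_commands(params):
        print(redact(cmd, params.pin))
```

Printing the redacted plan first gives a reviewable record of what will be run against the HSM without ever writing the PIN to a console log or shell history.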
7 Install IDENTIKEY Server - Active Directory

7.1 Active Directory Scenario and Decisions

This 'typical installation' process uses the following decisions and scenario:

Implementation Decisions
The following decisions were taken for the purposes of this installation process:
- The Schema extensions have been approved.
- The DIGIPASS Configuration Domain has been identified as the existing sub-domain, test.dm3.vasco.
- The member server SVR of the sub-domain test.dm3.vasco will be used to install IDENTIKEY Server. This requires an Enterprise Certificate Authority to be installed in the forest, so that SSL is enabled. The instructions will take you through installing Windows Certificate Services onto a Domain Controller in the Forest Root domain.

Note: To perform the actions required to install IDENTIKEY Server you must be logged in as the Domain Administrator.

The scenario
- A Domain dm3.vasco (this is the Forest Root Domain).
- A sub-domain test.dm3.vasco of dm3.vasco. The sub-domain acts as the DIGIPASS Configuration Domain and contains all the configuration data, including Policies and Components.
- A single Server SVR, a member server in the DIGIPASS Configuration Domain.
- A Domain Controller DC-02 acting as the Schema Master on dm3.vasco. Certificate Server will be installed on DC-02.

7.1.2 Extend Schema

Run the addschema command:
1. Log into the machine from which schema changes will be made (DC-02).
2. Copy dpadadmin.exe onto the machine.
3. Open a command prompt in the location to which it was copied.
4. Type:

   dpadadmin addschema

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.
6. Wait several minutes for the Schema extensions to replicate to the sub-domain and for the local Domain Controller to update its internal data caches. To check, use the following command:

   dpadadmin checkschema

7.2 Install IDENTIKEY Server for Active Directory

1. The Installation Type window will be displayed.

Image 56: IDENTIKEY Server Setup - Installation Type window

2. Click the Advanced Installation option button. Click Next to continue. The Data Storage window will be displayed.

Image 57: IDENTIKEY Server Setup - Data Storage window

3. Select the Active Directory option button.
4. Click Next.
5. The Digipass Extension for Active Directory Prerequisites page will be displayed. The functions on this page are optional, and need only be used if DIGIPASS and DIGIPASS User administration is to be performed on this machine.

Image 58: IDENTIKEY Server Setup - Digipass Extension for Active Directory Prerequisites window

6. If you wish to use the Digipass Extension for Active Directory Users and Computers on this machine:
   a. If the .NET 2.0 Framework is to be installed, click the .NET 2.0 Framework button. The Microsoft .NET Framework 3.0 SP1 Setup window will be displayed.
      i. Read the license and click to either accept or not accept the terms.
      ii. Click Install to continue or Cancel to cancel the setup.

Image 59: Microsoft .NET license agreement

   b. If the MMC 3.0 Framework is to be installed, click the MMC 3.0 Framework button.

Image 60: IDENTIKEY Server Setup - Digipass Extension for Active Directory Prerequisites window

      The Software Update Installation Wizard for your operating system will be displayed.
      i. Click Next to continue. The Digipass Extension for Active Directory Prerequisites window will be displayed, showing the results of the installations.
      ii. Click Next to continue.

Image 61: IDENTIKEY Server Setup - Digipass Extension for Active Directory Prerequisites installation complete window

   c. If the IDENTIKEY Server is being installed on Microsoft Windows Vista or Microsoft Windows 2008, a hotfix provided by Microsoft must be installed to enable the Active Directory Users and Computers extension to work. If it is not already installed on the machine, the Active Directory Query Form Hotfix button will be enabled. Click this button to install the hotfix. Please note that the Active Directory Query Form Hotfix button will remain unavailable on any operating system other than Microsoft Windows Vista or Microsoft Windows 2008.

The Select Components window will be displayed.

7. Click IDENTIKEY Server 3.1 to start the installation wizard.
Image 62: IDENTIKEY Server Setup - Select Components Window

8. The IDENTIKEY Server Setup Wizard start window will be displayed. Click Next to continue.

Image 63: IDENTIKEY Server Setup Wizard Start Page

The License Agreement screen will be displayed.

Image 64: IDENTIKEY Server Setup - License Agreement Window

9. Read the agreement carefully.
10. To accept the License Agreement, tick the I accept the terms in the License Agreement checkbox and click Next. If you do not accept the License Agreement and click Cancel, the install will terminate.
11. To select the features that you want to be installed, click on the icons on the window. Click the Reset button to reset all your choices. Click Next to continue.

Image 65: IDENTIKEY Server Setup - Custom Setup window

12. The Ready to Install IDENTIKEY Server window will be displayed. Click Install to continue.

Image 66: IDENTIKEY Server Setup - Ready to Install IDENTIKEY Server window

The Installing IDENTIKEY Server progress window will be displayed.

13. Click the Next button to continue when it becomes available.

Image 67: Installing IDENTIKEY Server progress window

The IDENTIKEY Server Setup Wizard finish window will be displayed.

14. Click Finish to complete the installation of IDENTIKEY Server.
Image 68: IDENTIKEY Server Setup Wizard finish window

15. The Installer will install the component for each button that is selected. Each installation after the IDENTIKEY Server install is optional.

Image 69: IDENTIKEY Server Installed Select Components

16. When the Installer gets to the Run Configuration Wizard step, click the Run Configuration Wizard button. The IDENTIKEY Server Configuration Wizard will be started.

Image 70: IDENTIKEY Server Configuration Wizard Start Window

17. Click Next to continue. The Active Directory pre-requisites window will be displayed.
18. Read the information and make sure all the pre-requisites have been met before clicking Next.

Image 71: IDENTIKEY Server Configuration Wizard - Active Directory Pre-requisites Window

19. If this is not the first IDENTIKEY Server to be installed, tick the This is NOT the first IDENTIKEY Server to be installed check box. Wait for the Active Directory changes made during the installation of the first IDENTIKEY Server to replicate fully. You must be logged into the machine as a Domain Administrator in the machine's Domain.
20. Click Next. The Digipass Configuration Domain window will be displayed.
21. Enter the fully qualified name of the Domain in which IDENTIKEY Server should store its configuration data. This domain must already exist.

Image 72: IDENTIKEY Server Configuration Wizard - Digipass Configuration Domain Window

22. Click Next. The Active Directory Certificate Authority window will be displayed.

Image 73: IDENTIKEY Server Configuration Wizard - Active Directory Certificate Authority Window

23. Click the Disable LDAP SSL option box if you want to disable LDAP SSL. If you do not want LDAP SSL to be disabled, the instructions in 3.1.3 SSL Setup must be followed to ensure that LDAP SSL will work correctly.
24. Click Next to continue. The IP Address window will be displayed.

Image 74: IDENTIKEY Server Configuration Wizard - IP Address Window

25. Enter the IP address for the IDENTIKEY Server.
26. Click Next to continue.

Image 75: IDENTIKEY Server Configuration Wizard - First Administrator Window

27. Enter a User ID and Password for the First Administrator. Confirm the password and click Next. The Sensitive Data Encryption window will be displayed.

Image 76: IDENTIKEY Server Configuration Wizard - Sensitive Data Encryption Window
Note: If you will be using a custom encryption key for sensitive data, this should be set before DIGIPASS are imported to the 'live' version of the IDENTIKEY Server. See the Sensitive Data Encryption topic in the Administrator Reference for more information.

28. To use IDENTIKEY Server's standard encryption settings:
a. Select the Standard with embedded key option button.
b. Click on Next.
To use custom encryption settings, either:

Image 77: IDENTIKEY Server Configuration Wizard Custom Data Encryption Window

a. Select the Custom with embedded and custom key combination option button.
b. Enter the Storage key.
c. Select a cipher.
OR

Image 78: IDENTIKEY Server Configuration Wizard Load Data Encryption Window

29. a. If you have created your own Data Encryption file, select the Load from file option button.
b. Browse to the file in this window.
c. Enter the password.
Click Next. The License window will be displayed.

Image 79: IDENTIKEY Server Configuration Wizard License Window

30. Navigate to a license file using the ... button, or click Request a license from 'vasco.com'.
Note: The Request a License from 'vasco.com' button will not be available for Windows 2008 Core, as there is no browser available to load the web site. To obtain a license from vasco.com for Windows 2008 Core you will have to download the license on another machine and copy it across to the Windows 2008 Core machine.
31. Click Next. The Server Functionality window will be displayed.

Image 80: IDENTIKEY Server Configuration Wizard Server Functionality Window

The functions that are available on this window will be determined by your license. Those shown above are available by default.
32. Click in the check boxes to either select or de-select the required functionality.
33. Click Next to continue. The SSL Server Certificate Installation window will be displayed.

Image 81: IDENTIKEY Server Configuration Wizard SSL Server Certificate Window

34. To use an SSL certificate generated by the Configuration Wizard:
a. Select the Generate and install a new test certificate option button.
b. Click on Next.

Image 82: IDENTIKEY Server Configuration Wizard SSL Server Certificate Password Window

c. Enter a password for the new certificate.
To use a commercial SSL Server Certificate:
a. Select the Install my own SSL certificate option button.
b. Click on Next.

Image 83: IDENTIKEY Server Configuration Wizard SSL Server Certificate Selection Window

c. Browse to the certificate file.
d. Enter the password for the certificate.
e. Click on Next.

Image 84: IDENTIKEY Server Configuration Wizard - Automatic Server Location Support

To skip automatic DNS registration now, select No DNS Service registration.
To use DNS service registration with a DNS server supporting Dynamic DNS:
f. Select the DNS service registration with a DNS server supporting Dynamic DNS option.
g. Enter the name of the DNS domain.
h. Enter the IP address of the Target Host machine.
i. Select the priority for connections to the IDENTIKEY Server - Primary server or Backup server.
To use DNS service registration with a DNS server supporting TSIG authentication:
a. Select the DNS service registration with a DNS server supporting Dynamic DNS with TSIG authentication option.
b. Enter the name of the DNS domain.
c. Enter the Fully Qualified Domain Name of the Target Host machine.
d. Select the priority for connections to the IDENTIKEY Server - Primary server or Backup server.
e. Enter the full path and filename for the shared key file.
To use DNS service registration with a DNS server supporting Secure Dynamic Update:
35. a. Select the DNS service registration with a DNS server supporting Dynamic DNS with Secure Dynamic Update option.
b. Enter the name of the DNS domain.
c. Enter the Fully Qualified Domain Name of the Target Host machine.
d. Select the priority for connections to the IDENTIKEY Server - Primary server or Backup server.
e. Enter the full path and filename for the shared key file.
Click on Test Settings to test that the DNS server settings are correct. The Configuration Wizard will test the connection and list the result on-screen.
36. Click on Next. The Web Admin Client window will be displayed.

Image 85: IDENTIKEY Server Configuration Wizard Web Admin Client Window

37. Enter the IP address of the Web Administration Client. Click Next to continue. The Sample Web Client window will be displayed.

Image 86: IDENTIKEY Server Configuration Wizard Sample Web Client Window

38. Enter the IP address of a web client to be used by the Sample Web Pages in the SDK. This page is optional and only needs to be used if the SDK is to be installed.
39. Click on Next. If Active Directory is installed on the same machine as IDENTIKEY Server, and the machine is on a domain, but as a member server, the Domain Service Account screen will be displayed.

Image 87: IDENTIKEY Server Configuration Wizard Domain Service Account Window

This window allows you to specify a domain account that you want IDENTIKEY Server to run under.
Caution: The User ID specified MUST be a member of the Domain Admins group. Failure to ensure that this is the case can cause security issues.
40. Click Next to continue. A summary of the settings will be displayed.

Image 88: IDENTIKEY Server Configuration Wizard Summary Window

41. Check the settings carefully, then click Proceed to continue.
42. Click Finish to complete the configuration.

Image 89: Deploying IDENTIKEY Server Web Administration Module Window

The Web Administration Module, if installed, will now be deployed.
43. Enter a Key store password and confirm it.
44. Click Deploy. The Web Administration Module will be installed automatically. Click Cancel to stop the Web Administration Module from being installed.

Image 90: Deploying IDENTIKEY Server Web Administration Module Wizard Results Window

45. Check the Result field and click Close to continue or Cancel to exit the Installer. If you clicked Close, the Installation Completed window will be displayed.

Image 91: IDENTIKEY Server Installation Complete Window

46. Click Finish when the installation is complete.
47. Restart your computer.
48. When your computer has restarted, refer to 9 Post-Installation Tasks for further steps that may need to be performed.

7.2.1 Install Active Directory Users and Computers Extension on a Child Domain

To install the Active Directory Users and Computers Extension on a child domain, follow the instructions below.
1. Install IDENTIKEY Server on the machine with the parent domain.
2. Log in to the child domain machine, making sure you have administration authority.
3. On the child domain machine, run the IDENTIKEY Server installation as detailed above until you get to the Custom Setup window. When you get to this window, uncheck every component EXCEPT the Active Directory Users and Computers extension.

Image 92: IDENTIKEY Server Installation Custom Setup Window.

4. Continue with the IDENTIKEY Server Installation instructions from the Custom Setup window as detailed above. After the installation has finished you will see the Active Directory Users and Computers item on the Start Menu under VASCO\Identikey Server.

Image 93: Windows Start Menu showing location of Active Directory Users and Computers.
Deploy IDENTIKEY Server Administration Web Interface

8 Deploy IDENTIKEY Server Administration Web Interface

If the Administration Web Interface and the embedded Tomcat server are installed with IDENTIKEY Server, the Administration Web Interface will be deployed automatically by the Configuration Wizard. However, if the Administration Web Interface was not deployed automatically during installation of IDENTIKEY Server, or you want to install the Administration Web Interface on a different machine, follow the instructions in this chapter.

8.1 Deploy Administration Web Interface on the same machine as IDENTIKEY Server

The Administration Web Interface is provided as a .war (web archive) file, webadmin.war. This web application must be deployed in a Java web application server before it can be used.

8.1.1 Deploy Administration Web Interface in Apache Tomcat Server (32-bit Windows only)

If the Administration Web Interface is not installed at the same time as the Tomcat server, the setup program can still deploy it automatically in an installed Tomcat server. To deploy the Administration Web Interface in an Apache Tomcat server:
1. Run the setup.exe file if it is not still running.
2. Click on 6. Deploy Web Administration in Apache Tomcat.
3. Enter the location of the IDENTIKEY Server certificate if it differs from the default.
4. Enter the location of the Administration Web Interface keystore if it differs from the default.
5. Enter and confirm a new password for the keystore.
6. Click on Deploy.

8.1.2 Deploy Administration Web Interface in Apache Tomcat Server - Manual Instructions

The following instructions may be used where deployment via the setup program has failed:
1. If you have not restarted the machine since installing, the Tomcat service may need to be started manually:
a. Go to the desktop.
b. Right-click on My Computer.

Image 94: My Computer - Manage

c. Click on Manage. The Computer Management console will be displayed.

Image 95: IDENTIKEY Server Computer Management console

d. Expand the Services and Applications heading.
e. Click on Services.
f. Right-click on Apache Tomcat.
g. Select Start.
2. Create a Tomcat administrator.
a. Open <install-dir>\tomcat\tomcat 5.5\conf\tomcat-users.xml.
b. Add the following lines to this file before the final </tomcat-users> and save the changes:
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="" roles="admin,manager"/>
3. Open a browser window.
4. Go to localhost:<port on which the web application server is listening>. Typically the port number will be 8080. The Tomcat introduction page should be displayed.

Image 96: Apache Tomcat Introduction page

5. Click on Tomcat Manager. The Tomcat Manager login window will be displayed.
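Step 2 above creates a Tomcat Manager account whose password attribute is empty. The following Python check is an added example, not part of the VASCO product or this guide: it parses a tomcat-users.xml and reports accounts holding the manager or admin role whose password is blank or shorter than an assumed 12-character minimum, so the entry can be reviewed once the webadmin.war deployment is finished. Both sample files are constructed, and the placeholder passphrase is not a real value.

```python
"""Audit a Tomcat tomcat-users.xml for weak privileged accounts (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Roles that allow deploying or managing web applications through the
# Tomcat Manager; these are the roles the manual deployment step grants.
PRIVILEGED_ROLES = {"manager", "admin"}
# Minimum password length for a privileged account (assumed local policy).
MIN_PASSWORD_LENGTH = 12


@dataclass
class Finding:
    username: str
    severity: str   # "high" or "medium"
    problem: str


def _local_name(tag: str) -> str:
    """Strip an XML namespace, so '{uri}user' and 'user' compare equal."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> List[Finding]:
    """Return one Finding per weak account in the given tomcat-users.xml text."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts either 'username' or 'name' for the account name.
        name = elem.get("username", elem.get("name", ""))
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if password == "":
            # A blank password on a manager/admin account is the worst case;
            # a blank password elsewhere is still reported, at lower severity.
            severity = "high" if privileged else "medium"
            detail = f"; roles: {', '.join(privileged)}" if privileged else ""
            findings.append(Finding(name, severity, "blank password" + detail))
        elif privileged and len(password) < MIN_PASSWORD_LENGTH:
            findings.append(Finding(
                name, "medium",
                f"password shorter than {MIN_PASSWORD_LENGTH} characters"
                f"; roles: {', '.join(privileged)}"))
    return findings


# Constructed sample: the file as it looks after the deployment step above.
SAMPLE_WEAK = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="" roles="admin,manager"/>
</tomcat-users>
"""

# Constructed sample: the same file after hardening (placeholder passphrase,
# and only the role the deployment actually needs).
SAMPLE_HARDENED = """<tomcat-users>
  <role rolename="manager"/>
  <user username="webadmin-deployer"
        password="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"
        roles="manager"/>
</tomcat-users>
"""


def main() -> None:
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = audit_tomcat_users(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.username}: {f.problem}")


if __name__ == "__main__":
    main()
```

To run it against a real installation, read <install-dir>\tomcat\tomcat 5.5\conf\tomcat-users.xml into a string and pass it to audit_tomcat_users.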
Image 97: Apache Tomcat Manager login

6. Log in using admin as your username and a blank password. The Tomcat Web Application Manager will be opened.
7. Scroll down to the WAR file to deploy section.

Image 98: Apache Tomcat Manager

8. Click on the Browse button.
9. Find and select the webadmin.war file, typically in c:\program files\vasco\identikey Server 3.1\webadmin.
10. Click on Open.
11. Click on Deploy.
12. An entry titled /webadmin should appear in the Applications list.

Image 99: Apache Tomcat Manager

13. Restart the Apache Tomcat service:
a. Go to the desktop.
b. Right-click on My Computer.
c. Click on Manage.
d. Expand the Services and Applications heading.
e. Click on Services.
f. Right-click on Apache Tomcat.
g. Select Restart.
14. Go back to the browser window.
15. Click on the new /webadmin entry. The Administration Web Interface login screen should be displayed.

Image 100: Administration Web Interface login

16. Log in using the username and password entered in the Configuration Wizard.

8.1.3 Java Memory Pool

The memory pool for Java has to be large enough to accommodate the largest administration operations you will perform with the Administration Web Interface, e.g. importing DPX and user files. The embedded Tomcat provided by VASCO has a 128 megabyte memory pool; however, another Tomcat version may only have the default 64 megabyte memory pool. You can increase the memory pool if necessary by opening the Apache Tomcat Properties window, selecting the Java tab, and updating the Maximum memory pool field. You must then restart Tomcat.
If an operation fails with an out of memory error, increase the pool size by going to Start > Vasco > Identikey Server > Tomcat Monitor. Click on the Java tab.

Image 101: Apache Tomcat memory pool

8.1.4 Upload Limit

An upload limit of 5 megabytes has been set in the Administration Web Interface for user DPX import files. To change this value, go to the place where Tomcat is installed (usually Program Files\VASCO\Identikey Server\Tomcat). Go to the Tomcat 5.5\webapps\webadmin\WEB-INF\classes directory, double-click the struts.properties file and edit the struts.multipart.maxsize value:
#set max upload size to 5 meg.
struts.multipart.maxsize=52428800

Image 102: Location of struts.properties file.

Save the file, then restart Tomcat.

8.1.5 Using the Administration Web Interface with Internet Explorer

In order for some of the Administration Web Interface pages to work on Microsoft Windows using Internet Explorer 7, active scripting must be enabled and the URL for the Administration Web Interface must be added to the trusted sites.
1. Open Internet Explorer.
2. Go to Tools > Internet Options. Click on the Security tab.
3. Highlight the Internet globe icon and click on the Custom Level... button.
4. Scroll down to the Active Scripting option and click Enable.
5. Click the OK button, and then the OK button again.
To add the URL for the Administration Web Interface to the trusted sites:
6. Stay on the Security tab.
7. Select the green Trusted Sites icon.
8. Click the Sites button.
9. Ensure that the Require server verification (https:) for all sites in this zone check box is NOT selected.
10. Add the URL of the Administration Web Interface.
11. Click the Add button, and then the Close button.
12. Click the OK button.
13. Restart Internet Explorer.

8.2 Deploy Administration Web Interface on a Dedicated Machine

These instructions describe how to install the IDENTIKEY Server Administration Web Interface on a different machine to the IDENTIKEY Server.
1. Use setup.exe to install:
a. IDENTIKEY Server, but only select the Web Administration component.
Note: The Administration Web Interface is set up differently depending on the data store in use by IDENTIKEY Server. Ensure that you select the correct data store - either Active Directory or ODBC Database - during installation.
b. Java
c. Tomcat
2. Copy the ikeycerts.pem file from the IDENTIKEY Server installation. The file is typically located in the c:\program files\vasco\identikey Server 3.1\bin directory on the machine that contains the IDENTIKEY Server. Copy the file to the c:\program files\vasco\identikey Server 3.1\webadmin directory on the machine on which you are installing the Administration Web Interface.
3. Stop the Tomcat service on the machine on which you are installing the Administration Web Interface using the Tomcat monitor (see 8.1.2 Deploy Administration Web Interface in Apache Tomcat Server - Manual Instructions above).
4. Copy the webadmin.war file from c:\program files\vasco\identikey Server 3.1\webadmin to c:\program files\vasco\identikey 3.1\tomcat\Tomcat 5.5\webapps.
5. Run the following command on the machine on which you are installing the Administration Web Interface (see 8.3 Web Administration Setup Tool):
java -jar admintool.jar certificate add <keystore file name> <password> <certificate file>
Where <keystore file name> is the keystore file name, e.g. c:\program files\vasco\identikey Server 3.1\webadmin\keystore.jks
Where <password> is your own password.
Where <certificate file> is the path/name of the file which contains the server certificate as used in Step 2.
This command will create a new keystore for the Web Administration in Tomcat.
6. Run the following command on the machine on which you are installing the Administration Web Interface. This command will add the server entry to the Web Administration Setup tool:
java -jar admintool.jar server add <servername> <server url>
Where <servername> is the name of the server.
Where <server url> is the URL you want to use to access the server.
7. Start the Tomcat service.
8. Log in as previously described. Select the server on the log in screen to correspond with the server on which you have installed the Web Administration.

8.3 Web Administration Setup Tool

8.3.1 Overview

The Web Administration Setup Tool is a Java application that allows the set up and configuration of the Administration Web Interface. The Web Administration Setup Tool is used for managing SSL certificates as well as the IDENTIKEY Servers to which the Administration Web Interface can connect. The Web Administration Setup Tool requires a Java Runtime Environment.
The information created using the Web Administration Setup Tool can be viewed via the Administration Web Interface. Any changes made using the Web Administration Setup Tool will not be reflected in the Web Administration application until the Administration Web Interface is restarted.
The Web Administration Setup Tool stores its information using the Java preferences API. Under Windows it uses the Windows registry.

8.3.2 Running the Application

1. Open a command prompt.
2. Navigate to the directory in which the Java executable is located.
3. Enter the following command:
java -jar admintool.jar

8.3.3 Available Commands

The commands should be in the following format:
java -jar admintool.jar <command> [options]
The following commands are available (Setup Tool Command, followed by its Explanation):

autoadd <name> <url> <certificate archive> <password> <connection limit> <connection timeout>
    Creates a new IDENTIKEY Server connection for the Administration Web Interface. If a certificate archive and password are specified, the IDENTIKEY Server's SSL certificate will be added to it. If no certificate archive is specified, it will be added to the existing keystore. A connection limit (number of concurrent connections to allow) and connection timeout may also be specified.
server list
    List the available IDENTIKEY SOAP servers.
server add <name> <url> <connection_timeout> <connection limit>
    Add a new IDENTIKEY Server connection. A connection limit (number of concurrent connections to allow) and connection timeout may also be specified.
server delete <name>
    Remove an existing IDENTIKEY Server.
server default <name>
    Set the specified IDENTIKEY SOAP server as the default server.
localaddress <name> <local address>
    Specify a local IP address to use when connecting to the provided server name.
certificate list
    Displays the list of certificate aliases which are in the certificate archive in use.
certificate list <certificate archive> <passphrase>
    Displays the list of certificate aliases which are in the specified certificate archive (opened using the specified passphrase).
certificate add <certificate archive> <passphrase> <certificate file> <name>
    Installs the certificate into an existing or new certificate archive using the provided passphrase and aliases the certificate using the provided name.
certificate delete <certificate archive> <passphrase> <name>
    Removes the certificate with the specified alias from the provided certificate archive using the provided password.
certificate delete <certificate archive> <passphrase>
    Removes the certificate with the default alias "IdentikeyServer".
autoadd <name> <url> <certificate archive> <passphrase>
    Combines the functionality of the server add and certificate add commands and automates the retrieval of the certificate from the IDENTIKEY Server.

8.3.4 Command Usage Examples

8.3.4.1 Adding an IDENTIKEY Server

To add an IDENTIKEY Server, navigate to the <install dir>\webadmin directory and then run the command
java -jar admintool.jar autoadd new_server https://10.2.1.1:8888
This command will create a new IDENTIKEY Server record which will be displayed in the Administration Web Interface using the name new_server and will connect to the IDENTIKEY SOAP communicator using http (inherent to SOAP) at address 10.2.1.1 using port 8888 (as configured for the IDENTIKEY Server).
NOTE: Protocol strings must be provided (http, or https for SSL connections).
You can verify that this server has been created by running the following command:
java -jar admintool.jar server list
which will display the current list of servers.
NOTE: The server name and url are considered to be unique. Attempting to add another server with a different name and the same url will fail (adding a server with the same name and a different url will overwrite the existing server's entry).

8.3.4.2 Adding a certificate

To connect to an IDENTIKEY Server which is using an SSL connection we must add the server's certificate to the Web Administration application's certificate archive. The certificate used by the IDENTIKEY Server is usually created with the filename ikeycerts.pem and located in <install dir>\bin.
To add this certificate to the Administration Web Interface's certificate archive, run the following command:
java -jar admintool.jar autoadd new_server webadmin.jks ourpassword \etc\vasco\ikeycerts.pem
where webadmin.jks is the Administration Web Interface's keystore filename and ourpassword is the password we use to make sure that no-one can simply add another certificate to our Administration Web Interface's certificate archive.
Once this certificate has been added we can connect to the IDENTIKEY Server.
NOTE: Make sure that the connection url to the server is updated (https is used as opposed to http).
All other commands provided are extensions of these two basic commands.
Post-Installation Tasks

9 Post-Installation Tasks

9.1 Licensing

Each IDENTIKEY Server will require a license key to be loaded into its Server record, even if you are using an evaluation license. If this is not completed during the install process, it will need to be done before the IDENTIKEY Server can be used for authentication, signature validation or provisioning. Refer to the Licensing section of the Administration Reference for instructions.

9.1.1 Evaluation Serial Number

If you do not obtain a license key file during installation of the IDENTIKEY Server, but wish to use an evaluation license, you will need to use this serial number on the VASCO licensing site: 012E900762.

9.2 Backup Strategy

Consider a backup strategy to be put in place for files which will require backing up. For more information, see the Backup and Recovery section of the Administrator Reference.

9.3 Audit Settings

Configure how and when the IDENTIKEY Server will record audit messages.

Text File
If auditing to a text file, you will need to decide how often a new text file should be created. By default, a new text file is created monthly. To change this frequency, modify the variables used in the file name. For example, if the IDENTIKEY Server is configured to write to a text file set to IdentikeyServer-{year}-{month}.audit, a new text file will be created monthly. If the text file name is set to IdentikeyServer-{year}-{month}-{mday}.audit, a new text file will be created daily. For more information, see the Auditing section of the Administrator Reference.

Event Log
If auditing primarily to the Windows Event Log, ensure that the Event Log is configured to not overwrite old entries automatically. This is the default setting. To check:
1. Open the Event Log.
2. Right-click on the specific log to which the IDENTIKEY Server will be auditing.
3. Select Properties.
4. Select Do not overwrite events (clear log manually) from the When maximum log size is reached option button group.
5. Click on OK.

9.4 Database Tasks

9.4.1 Embedded Database: dppostgres account

When IDENTIKEY Server is installed with the embedded database, a local machine account called dppostgres is created on the installation machine. If installed on a domain controller, this account will be a domain account which has privileges to log on as a service and locally. The privileges to log on locally may be removed manually.
Note: The dppostgres account is not automatically deleted upon uninstallation of IDENTIKEY Server.

Changing the dppostgres account password
If the password for the dppostgres account is modified, it must also be changed for the PostgreSQL Database Server 8.3 service running on the machine. To do this:
1. Open the Computer Management console (right-click on My Computer and select Manage).
2. Expand the Services and Applications node, and click on Services.
3. Scroll down the Services list to PostgreSQL Database Server 8.3. Double-click on the entry.
4. Click on the Log On tab.
5. Enter the new password in the Password and Confirm Password fields.
6. Click on Apply.
Note: If the dppostgres account password is changed, it should be changed back to the default before uninstalling and reinstalling IDENTIKEY Server. If not, the new installation will fail.

9.4.2 Configure Connection Parameters

You may wish to increase the number of connections attempted to the database if:
- The load on the database will be high, and
- Changes to the connection settings will be efficient with the database and database driver in question.
Setting an idle timeout will allow connections which are no longer required to be closed as soon as possible, which may lower the load on the database server. See the Administrator Reference for more information.

9.4.3 Additional Databases

If additional databases are required for backup, failover or load-balancing purposes, configure the IDENTIKEY Server to use them now. See the Additional ODBC Databases topic in the Product Guide and the Database Connection Handling topic in the Administrator Reference for more information.

9.4.4 Permissions for Windows Group Check

If you plan to use the Windows Group Check feature, additional permissions need to be set up. Add LocalSystem (SYSTEM) to either the Administrators or the Account Operators Windows group on the server to allow the IDENTIKEY Server to run a group check:
1. Go to the desktop and right-click on My Computer.
2. Click on Manage.
3. Expand the Local Users and Groups node.
4. Click on Groups.
5. Right-click on Administrators or Account Operators.
6. Click on Add to Group...
7. Click on Add...
8. Click on Locations...
9. Select the local machine and click on OK.
10. Enter SYSTEM in the object name memo.
11. Click on OK.
A new entry will be added to the Members list.

9.5 Set Up User Self Management and OTP Request Websites

To set up the User Self Management and OTP Request Websites you need to deploy the web pages to a web server such as IIS and configure the CGI used by the web site with the location of the IDENTIKEY Server. The web sites consist of HTML pages with JavaScript, CSS and image files and the CGI. Therefore they can be deployed in a wide variety of web servers. The CGI needs to be located in a directory where it can be executed.
For Windows 2003 you are able to automatically deploy the VASCO Self Management websites to the IIS websites during installation. This creates a new web site directory for the VASCO Self-Management Web Sites in the IIS Manager, under which the User Self Management website (dpselfservice) and the OTP Request website (requestotp) are deployed. These web sites should be manually started by right-clicking on the VASCO Self-Management Web Sites and selecting 'Start'.
Alternatively, you may install the User Self Management and OTP Request Websites manually using the following instructions:
1. Open the IIS Window. Ensure that the 'IIS Backwards Compatibility with IIS6' feature is installed and enabled.
2. Go to websites\default web site.
3. Create a virtual directory (right-click on the default VASCO web site, create virtual directory) for the web site you are installing. A wizard will appear:
a. Enter the virtual directory name.
b. Browse to where the websites have been installed, usually Program Files\VASCO\Identikey Server 3.1\websites.
c. Check execute.
d. Click Finish.
4. Highlight the virtual directory and right-click. Select Properties. Check read on the Virtual Directory tab.
5. Run the Configuration GUI for the web site you are setting up. One is installed for each web site. They are usually located under Program Files\VASCO\Identikey Server 3.1\web site name.
When the virtual directory is opened in a browser the following page should be displayed:

9.6 Increase Tomcat Memory Allocation (64-bit Only)

If you are intending to import a large number of Users on a 64-bit machine, we recommend that you use the DIGIPASS TCL Command Line Administration facility to perform the import. See the IDENTIKEY Server Administrator Reference for more details about the TCL.
However, if you cannot use the DIGIPASS TCL Command Line Administration facility, you will have to increase Tomcat's memory allocation. To do this you need to:
1. Open Service Manager.
2. Locate and stop the Apache Tomcat service.
3. Open the Tomcat Monitor located in Start -> Programs -> VASCO -> Identikey Server -> Tomcat Monitor.
4. Select the Java tab.
5. Enter a minimum value (e.g. 256) into the Initial memory pool field.
6. Enter a maximum value (e.g. 512) into the Maximum memory pool field.
7. Click OK.
You will also have to extend Tomcat's timeout limit.
1. Navigate to the C:\Program Files\VASCO\Identikey 3.1\tomcat\Tomcat 5.5\conf directory.
2. Edit the web.xml file.
3. Find the session-timeout tag:
<session-timeout>30</session-timeout>
The value 30 in the above example is 30 minutes.
4. Edit it to increase the timeout value to at least 45.
5. Save and close the file.
6. Start the Apache Tomcat service.
10 Install Additional IDENTIKEY Server

The process for installing additional IDENTIKEY Servers is as follows:

1. Install and configure the IDENTIKEY Server as a stand-alone server.
2. Test that it is working satisfactorily as a stand-alone server.
3. Set up IDENTIKEY Server Replication, if required, with one of the existing IDENTIKEY Servers. This process uses a database from an existing IDENTIKEY Server to overwrite the new IDENTIKEY Server's database. This is not required where Active Directory is used as the data store.
4. See the IDENTIKEY Server Advanced Configuration section of the Administrator Reference for more information on setting up additional IDENTIKEY Servers.

10.1 Install IDENTIKEY Server Component

See 4 Start IDENTIKEY Server Installation for instructions on installing the IDENTIKEY Server on a machine.

10.2 Configure Additional IDENTIKEY Servers

Follow the same process as in the Configure IDENTIKEY Server section in this manual. However, these settings will be overwritten when replication is set up:
   Master Domain
   User ID/Domain name conversion

You will need to request a License Key for each additional IDENTIKEY Server.

10.3 Replication

Replication may be required between IDENTIKEY Servers. See the Replication section of the Administration Reference for instructions on setting up replication.
11 Add Components to Installation

To add components to an existing installation:

1. Go to Control Panel > Add/Remove programs.
2. Highlight IDENTIKEY Server. Click on Change. The welcome window will be displayed. Click Next and click the Change button.
3. Select the components you want to add to the installation and click on Next.
4. Click Change again to begin the installation. The Installation Progress dialog will be displayed, showing the progress of your installation.
5. Click Finish when this process is complete.
12 Repair Installation

The installation of the IDENTIKEY Server may need to be repaired if files have been corrupted, deleted or lost.

1. Go to Control Panel > Add/Remove programs.
2. Highlight IDENTIKEY Server. Click on Repair. The IDENTIKEY Server Setup Wizard welcome window will be displayed. Click Next and click the Repair button.
3. On the Ready to Repair IDENTIKEY Server window click Repair.
4. The Repair Progress dialog will be displayed, showing the progress of your repair.
5. Choose whether to restart your machine now or later.
6. Click Finish when this process is complete.
13 Uninstall IDENTIKEY Server

13.1 Data Removal

When you uninstall IDENTIKEY Server, the database and the data inside it will not be removed. If you wish to delete it, you need to do this manually. The simplest way to remove all data is to remove the schema modifications. This will drop all the tables used by IDENTIKEY Server. If you do not wish to delete the data, it is possible to re-install IDENTIKEY Server without losing this data.

Remove Schema Modifications

The dropschema command in the DPDBADMIN command line utility can be used to remove all schema modifications from the database, deleting all data relating to IDENTIKEY Server. Refer to the DPDBADMIN section of the Administration Reference for instructions.

13.2 Ports

If ports have been opened on the firewall during installation, they must be closed following uninstallation. Refer to the IDENTIKEY Server Administrator Reference guide for Open Port Numbers on the Firewall.
14 Extend Data Store Schema

The addschema command is used to create all required tables in an existing database, if they are not already there. Each table will be checked individually to see if it is already there and, if not, will be added.

This command is intended to be run manually by an administrator before IDENTIKEY Server is installed. It may be necessary to go through an approval process in your company before running this command. You may also need to have a database administrator run the command for you. This depends on your company's structure and rules for control of the database.

This command may also be used to create the tables required for auditing to an ODBC database.

Prerequisite Information

Database Administrator Account
In order to successfully modify the database structure, you will need the username and password of a database administrator account that is able to make changes to the database schema (for example, creating tables). You must pass these credentials to the command in the parameters.

Database Name
You will need the ODBC Data Source Name of the database (as registered with Windows or Linux as an ODBC Data Source).

Master Domain Name
You can specify the name of the Master Domain (see 2.1.2 Master Domain) when you add the database schema. However, if you do not do it at that time, the Configuration Wizard can change it.

UserID/Domain Name Conversion
The Case Conversion option for UserIDs and Domain names may be specified (see the Encoding and Case Sensitivity topic in the Administrator Reference for more information) during the database schema modification. Alternatively, the setting may be modified using the Configuration Wizard. This should, however, be finalised before User data is entered into the data store.

Modify the Database Structure

1. Follow the instructions for the installation that you have:
   a. For Windows, open a command prompt and navigate to the installation's bin directory by typing:
      cd <install dir>\bin
2. Type:
      dpdbadmin addschema -u user_name -p password -d dsn
3. See below for more details regarding the required parameters. The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.

Command Line Syntax

dpdbadmin addschema -d dsn [-u user_name] [-p password] [-domain domain_name] [-case case_conversion] [-vdsuser alternatename] [-vdsuserattr alternatename] [-vdsdomain alternatename] [-vdscontrol alternatename] [-vdsdigipass alternatename] [-vdsdpapplication alternatename] [-vdspolicy alternatename] [-vdsbackend alternatename] [-vdscomponent alternatename] [-vdsorgunit alternatename] [-vdsdpsoftparams alternatename] [-vdsreport alternatename] [-vdsreportformat alternatename] [-audit] [-noserver] [-nouser] [-utf8factor factor] [-q] [-v] [-l file_name]

Table 1: DPDBADMIN addschema Command Line Options

Option              Description
-d                  ODBC Data Source Name (DSN).
-u                  User name of a database administrator (if required).
-p                  Password of the database administrator. This option may be omitted if they have a blank password.
-domain             Specify the Master Domain to be used. If not specified, it will be master. The Domain will be created if it does not already exist.
-case               Specify to convert User IDs and domain names to either upper or lower case. The value must be either upper or lower.
-vdsuser            Alternative name for the DIGIPASS User table to be created.
-vdsuserattr        Alternative name for the DIGIPASS User Attribute table to be created.
-vdsdomain          Alternative name for the Domain table to be created.
-vdscontrol         Alternative name for the Control table to be created.
-vdsdigipass        Alternative name for the DIGIPASS table to be created.
-vdsdpapplication   Alternative name for the DIGIPASS Application table to be created.
-vdspolicy          Alternative name for the Policy table to be created.
-vdsbackend         Alternative name for the Back-end Server table to be created.
-vdscomponent       Alternative name for the Component table to be created.
-vdsorgunit         Alternative name for the Organizational Unit table to be created.
-vdsdpsoftparams    Alternative name for the DPSoft Parameters table to be created.
-vdsreport          Alternative name for the Report Definition table to be created.
-vdsreportformat    Alternative name for the Report Format table to be created.
-vdsconfiguration   Alternative name for the Configuration table to be created.
-vdsofflineauthdata Alternative name for the Offline Authentication Data table to be created.
-audit              Create the Audit tables.
-noserver           Do not create the main tables used by the IDENTIKEY Server. This should only be used with the -audit option, when you only want to create the auditing tables.
-nouser             Do not create the DIGIPASS User table. This option is not currently supported.
-utf8factor         On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not characters, by default. When UTF-8 encoding is used to store data, for full Unicode support, one character may be represented as more than one byte. Normally 2 or 3 bytes are used, depending on the language, but some characters require 4. If your data will include a lot of non-English characters, you can increase the size of certain columns by a factor to allow for the extra bytes. The value of the parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns affected by this are the User Name (not User ID) and various Description fields. On other databases, column sizes are specified in characters, and this parameter is not needed.
-q                  Quiet mode, will not output commentary text.
-v                  Verbose mode.
-l                  Log output to file file_name.

DPDBADMIN addschema Command Sample

dpdbadmin addschema -u DBAdmin -p pwd3498 -d UserDb -domain mydomain -case lower

This command will modify the database structure of the ODBC database with the data source name of UserDb. It uses a database administrator account with the User ID of DBAdmin and password pwd3498. A non-default Master Domain will be used, called mydomain. It specifies to convert domain names and User IDs to lower case.

dpdbadmin addschema -u DBAdmin -p pwd3498 -d AuditDb -audit -noserver

This command will create only the auditing tables in the ODBC database with the data source name of AuditDb. It uses a database administrator account with the User ID of DBAdmin and password pwd3498.
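As an added Python example that is not part of the guide or the VASCO tooling: a helper that picks the -utf8factor from sample User Name and Description values (the per-character byte counts the option table describes) and assembles the dpdbadmin addschema argument list while enforcing the table's constraints (-case is upper or lower, -utf8factor is 2 to 4, -noserver goes with -audit, -p is omitted for a blank password). The sample values are constructed and the helper names are hypothetical.

```python
"""Pick a -utf8factor for dpdbadmin addschema and assemble the command line
(added example, not part of the VASCO tooling; sample values are constructed)."""
from typing import List, Optional

# Constructed sample of User Name / Description values destined for the data store.
SAMPLE_VALUES = [
    "Alice Jones",      # ASCII: 1 byte per character
    "Jörg Müller",      # accented Latin: 2 bytes per character
    "山田 太郎",         # CJK: 3 bytes per character
    "Support Desk 🔑",  # outside the BMP: 4 bytes per character
]


def max_bytes_per_char(value: str) -> int:
    """Largest UTF-8 encoding length of any single character in `value`."""
    return max((len(ch.encode("utf-8")) for ch in value), default=1)


def recommended_utf8factor(values: List[str]) -> Optional[int]:
    """Return the -utf8factor (2, 3 or 4) that lets byte-sized columns (Oracle, DB2)
    hold every sample value, or None when the data is pure ASCII and the option is not needed."""
    worst = max((max_bytes_per_char(v) for v in values), default=1)
    return worst if worst > 1 else None


def addschema_args(dsn: str, user: str, password: Optional[str] = None,
                   domain: Optional[str] = None, case: Optional[str] = None,
                   utf8factor: Optional[int] = None, audit: bool = False,
                   noserver: bool = False) -> List[str]:
    """Build the argument vector for the syntax documented above, enforcing the rules
    the option table states. A list (not a shell string) is what subprocess should get;
    the password is still visible to the local process list while the command runs."""
    if case is not None and case not in ("upper", "lower"):
        raise ValueError("-case must be 'upper' or 'lower'")
    if utf8factor is not None and utf8factor not in (2, 3, 4):
        raise ValueError("-utf8factor must be 2, 3 or 4")
    if noserver and not audit:
        raise ValueError("-noserver is only meant to be combined with -audit")
    args = ["dpdbadmin", "addschema", "-d", dsn, "-u", user]
    if password:  # -p is omitted for an administrator account with a blank password
        args += ["-p", password]
    if domain:
        args += ["-domain", domain]
    if case:
        args += ["-case", case]
    if utf8factor:
        args += ["-utf8factor", str(utf8factor)]
    args += ["-audit"] * audit + ["-noserver"] * noserver
    return args
```

Feed recommended_utf8factor a representative export of the names you intend to import; on databases that size columns in characters the result can be ignored, as the table notes.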
15 Upgrade IDENTIKEY Server

If you already have an installation of IDENTIKEY Server, you can upgrade to a new version.

Caution: Please back up your data store and configuration file before starting the upgrade process.

15.1 Upgrade Paths

15.1.1 32-bit and 64-bit Windows

For 32-bit and 64-bit Windows you can upgrade directly from IDENTIKEY Server 3.1.0 to the latest version. Be aware that when upgrading between IDENTIKEY Server 3.1.0 and IDENTIKEY Server 3.1 SR2 using an ODBC data store, schema changes are required. Ensure that appropriate planning and precautions have taken place before upgrading.

15.2 System Requirements

The system requirements for upgrading to the latest IDENTIKEY Server are defined in the 1.2 System Requirements section in this manual.

15.3 Upgrade IDENTIKEY Server for 32-bit and 64-bit Windows

1. If autorun is enabled on the installation machine the installer will start up when the CD is inserted. If it does not start automatically then double click on autorun.exe. The Welcome window will be displayed.
Image 103: IDENTIKEY Server Installation Welcome Window

2. Click Next to continue. The Data Storage window will be displayed.

Image 104: IDENTIKEY Server Data Storage Window

   Select the data storage type. Click Next to continue.

3. The Identikey Server 3.1 Update window will be displayed. It should indicate that it has found a version of IDENTIKEY Server and intends to update it to the latest version. Click Upgrade Identikey Server 3.1 to continue.

Image 105: IDENTIKEY Server 3.1 Update Window

4. The IDENTIKEY Server Setup Wizard window will be displayed. Click Next to continue.

Image 106: IDENTIKEY Server Setup Upgrade Window

5. The standard installation screens will be displayed. Wait for them to complete, then click Run Configuration Wizard. The Configuration Wizard windows will be displayed as for an advanced installation for the data source selected. See 6.1 Advanced Installation (for ODBC) or 7.2 Install IDENTIKEY Server for Active Directory (for Active Directory) for more information about completing the Configuration Wizard. The only difference between the upgrade and the installation Configuration Wizard is that, if an ODBC data store is used, a message will be displayed regarding schema changes. Click Yes to continue.

Image 107: IDENTIKEY Server Database Configuration Wizard Window

6. If you are upgrading a 64-bit IDENTIKEY Server from 3.1.0 to 3.1 SR2, you have the opportunity to add the Administration Web Interface at this point. See 15.4 Additional Features for IDENTIKEY Server for 64-bit Windows for more details.

15.4 Additional Features for IDENTIKEY Server for 64-bit Windows

These instructions are to add the Administration Web Interface to IDENTIKEY Server 3.1 SR2 which has been upgraded from IDENTIKEY Server 3.1.0.

1. On the Installation CD double click on autorun.exe.
2. Click on Next.
3. Select the installation type (there may not be a choice).
4. Select the Data Store. Click Next.
5. Click Apache Tomcat 5.5 and wait for it to load.
6. Click Run Configuration Wizard and complete the configuration wizard details.
16 Technical Support

If you encounter problems with a VASCO product please do the following:

1. Check whether your problem has already been solved and reported in the Knowledge Base at the following URL: http://www.vasco.com/support.
2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert.