Then I choose the downloaded license file, restart the computer and the installation is complete (Figure). Next, click on the "Gateway Settings" tab, check the "Edit advanced settings" box and fill in the form according to the following parameters (Figure 18 and Figure 19). Please note that you need to enter the connection strings on one line without line breaks! Figure 19 - Configured advanced settings. In the "Gateway results" tab you need to edit the success message rule (Figure). If this pattern agrees with the one in the response message then sending was successful.
In the "Gateway results" tab you can also edit the failure message rule (Figure). If this pattern is also in the response message then sending was unsuccessful. I will use a demo dpx file.
So select "DemoVDP. The key for the demo file is: You will get a confirmation: "The file was imported successfully" (Figure). I will create a user to test Virtual Digipass. The name of my user will be "example john". I also provide a password and a logon name for this user (Figure). If it is done, right click on the created user and select "Properties" (Figure). Click on the "Digipass Assignment" tab and then on the "Assign" menu item in it (Figure). Click on the "RESP" tab, which is named after the type of application.
This option may be omitted if they have a blank password. The Domain will be. The value must be. This should only be used with the -audit. When UTF-8 encoding is used to store data, for full Unicode support, one character may. Normally 2 or 3 characters are used, depending on the.
If your data will include a lot of non-English characters,. The value of the. Typically, 3 is sufficient. The columns affected by this are the User. On other databases, column sizes are specified in characters, and this parameter is not needed.
A non-default. It specifies to convert domain names and User IDs to lower case. Read the Troubleshooting topic in the Administrator Reference for help in discovering the source of your. If you do not find the information you need in the Knowledge Base, please contact the company that sold you.
Click Finish. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party.
Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.
Document Version: 1. It will guide you through preparation, installation and post-installation tasks which may be required for your system. It runs as a Windows service. This is an upgrade add-on to Identikey Server and will only be available for installation if it has been purchased.
It requires a separate installation program. It requires a separate installation. It is compatible with most common browsers, including: Internet Explorer 6.
Administration Interfaces not installed on a Domain Controller. Windows Certificate Services is available as an optional Windows component. Prerequisites 1. If Active Directory is installed on a Windows machine and it is being managed using a Windows XP machine, you will have to download the Admin Pack from the Microsoft website and install it on the XP machine. If Active Directory is installed on a Windows machine, and it is being managed using a Windows Vista machine, Vista SP1 must be downloaded from the Microsoft website and installed on the Vista machine.
Then the Remote Server Administration Tools package must be downloaded from the Microsoft website and installed and enabled on the Vista machine.
A smaller page size will create an error when Identikey Server attempts to connect to the database. Introduction Identikey Server is designed to function on any language version of Windows. However, the product has only been comprehensively tested on English language versions of Windows.
Windows Installation Guide Use this guide when planning and working through an installation of Identikey Server in a Windows environment. Linux Installation Guide Use this guide when planning and working through an installation of Identikey Server in a Linux environment. Administrator Reference In-depth information required for administration of Identikey Server. This includes references such as data attribute lists, backup and recovery and utility commands.
Performance and Deployment Guide Contains information on common deployment models and performance statistics. Pre-installation Tasks Please note that to perform pre-installation and installation tasks you must be logged in as Administrator on the system where Identikey Server is to be installed. Note If you will be installing Identikey Server with the embedded PostgreSQL database, you will need to run the installation on the machine itself, rather than via Remote Desktop or another remote connection.
The database may be located on any machine to which the Identikey Server can connect. This domain has special significance in two ways: It is used as the default domain, when no domain is specified.
Administrators in other domains will only ever be able to view data in their own domain. If you prefer to use another name, you will need to enter this name during the Configuration Wizard. It is important that these are set up before data is added to the database. Case-sensitivity 2.
The configuration required will depend on your company's requirements and the capabilities of the database used as the data store. The case conversion of User IDs and domain names is set using the Configuration Wizard immediately after installation, or by running the Identikey Server Configuration utility at any time afterwards.
Caution Changing case conversion after the initial configuration may require modification of all User IDs and domain names in the data store. This feature is recommended if all User accounts correspond to Windows Active Directory User accounts.
See the Product Guide for more information. To avoid this problem, two options are available: set the required permissions for the local Users group, or create the PostgreSQL service account before installation and set the required permissions for it (it is usually created automatically during installation). The PostgreSQL service account requires a User ID of dppostgres and password of p!
The data store is selected during installation. Enterprise Root Certificate Server If a new Certificate Server is required, and your company requires an approval process to be followed to install one, go through this process. Identify the Digipass Configuration Domain Either identify an existing Domain or sub-domain into which the Digipass Configuration Container should be added, or plan to create a new one.
Installation Location Decide where to install the Identikey Server. Run the addschema command to extend the Active Directory schema: 1.
Log into the Schema Master as a member of the Schema Administrators group. Open a command prompt in the location to which it was copied.
Type: 3. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.
Wait several minutes for the Schema extensions to replicate to all the domains and for the local Domain Controller to update its internal data caches. For this to work correctly, an Enterprise root Certificate Authority must exist in the forest. It may be installed on any server in the forest, if the server selected is available to the Domain Controller(s) used by the Identikey Server. Alternatively, an option is provided during installation to not use SSL in communications between the Identikey Server and Active Directory.
Generate the Enterprise root CA certificate. You may need to wait several minutes to allow the Domain Controllers to enrol for Domain Controller certificates. Will the data for the Identikey Server be stored in a new database, or added to an existing database?
Will a new schema be used? New Database Decide the collation sequence to be used — for example, case-sensitivity. Database User Accounts Create or select database user accounts for: 3. If the embedded ODBC database is not being used, the addschema command must be run to set up the required schema in the database to be used for Identikey Server.
Run the addschema command: 1. If the database user account used by the Identikey Server is not the owner of the tables and is not a database administrator account, it must be granted permissions for the tables, or ownership of the tables transferred. Note Ensure that it is possible for the account(s) mentioned to reference the tables by name without a schema prefix.
If this cannot be done, see the Administrator Reference for advanced setup instructions. Note If you are running the installation on Microsoft Windows Vista or Microsoft Windows core, the windows shown in this guide may look slightly different to those displayed onscreen, but the procedure will be the same. If it does not start automatically then double click on autorun. The Welcome window will be displayed. Start Identikey Server Installation The three subsequent chapters cover the three types of installation scenario.
If you do not wish to use default installation and configuration settings, follow the instructions in 6 Install Identikey Server in Advanced mode - ODBC.
The Installation Type window will be displayed. Click Perform a basic installation. Click Next. The End-User License Agreement screen will be displayed.
Read the agreement carefully. If you do not accept the License Agreement, and click Cancel, the install will terminate. The Select Installation Path window will be displayed. If you want to install the Identikey Server somewhere other than the default location, use the browse button to indicate where. The Installation Progress window will be displayed. Click on Install. The Identikey Server installation will begin. The Installer runs a contracted version of the wizard, which uses default values for some settings.
The IP Address window will be displayed. Enter the IP address for the Identikey Server. Enter a User ID and Password. Note The 'Request a License from vasco. To obtain a license from vasco. Image Identikey Server Configuration Wizard - Server Functionality Window The functionality that is permitted by your current license is selected by default. Click to de-select any functions not required.
Enter a Password for the Server Certificate and confirm it. A summary of the settings will be displayed. Click Proceed to continue. The Identikey Server Certificate file will be generated during installation and will be placed in the certificate store file with the default password "ikwebpassword". Click Finish to complete the configuration. The Import DPX files window will be displayed. To bypass this step, click Next to continue. To import a DPX file: a.
Enter the location of the DPX file, or click Browse to navigate to the file. Click Import to install the DPX file. Click Finish when the installation is complete. Select the Advanced installation option button. The Data Storage window will be displayed.
The Select Components window will be displayed. Click the Identikey Server 3. The License Agreement screen will be displayed. The next screen to be displayed will be the Custom Setup Window. Click the Reset button to reset all your choices. Click the Next button to continue when it becomes available. Each installation after the Identikey Server install is optional.
The Select Database window will be displayed. The Master Domain window will be displayed. Select the Case conversion format that you require. This is recommended if Dynamic User Registration is to be enabled.
The first administrator account can be used to log in to Identikey Server e. The Sensitive Data Encryption window will be displayed. Selecting the Custom with embedded and custom key combination option will result in the Custom Data Encryption window being displayed.
With either of the above screens, click Next. The License window will be displayed. Click in the check box to either select or de-select an available function. This page is optional and only needs to be used if the SDK is to be installed. Enter or browse to the location of the Web Administration key-store.
Enter and confirm the key-store password. Click Deploy to continue. Click Deploy and the Web Administration Module will be installed automatically. Click Cancel to stop the Web Administration Module from being installed. Check the Result field and click Close to continue or Cancel to exit the Installer.
This 'typical installation' process uses the following decisions and scenario: Implementation Decisions The following decisions were taken for the purposes of this installation process: The Schema extensions have been approved. The scenario 7. The sub-domain acts as the Digipass Configuration Domain and contains all the configuration data, including Policies and Components. Certificate Server will be installed on DC Log into the machine from which schema changes will be made DC Type: dpadadmin addschema 5.
Monitoring Frequency Load balancers regularly monitor the health of each server. A load balancer automatically removes an offline or otherwise malfunctioning server from rotation, thereby preventing any authentication requests from reaching that server.
Carefully consider the frequency at which the load balancer should check each server. Persistence An important issue when operating a load-balanced service is how to handle information that must be kept across the multiple requests in a user's session. If this information is stored locally on one back end server, then subsequent requests going to different back end servers would not be able to find it.
This might be cached information that can be recomputed, in which case load-balancing a request to a different back end server just introduces a performance issue. One solution to the session data issue is to send all requests in a user session consistently to the same back end server.
This is known as "persistence" or "stickiness". A large downside to this technique is its lack of automatic failover: if a backend server goes down, its per-session information becomes inaccessible, and sessions depending on it are lost. Deployment Considerations High-availability Each load balancer should be deployed together with a backup load balancer (mode primary-backup) to ensure high availability (no single point of failure).
Advantages No data introspection possible by load-balancer. Disadvantages Not supported by all load balancers. Persistence Only persistence via client IP address is supported. SSL Bridging With this load balancing method, the load balancer acts as end-point or terminator of all connections: SSL tunnel between the client and the load-balancer (SSL tunnel 1 in the following diagram). SSL tunnel 2 in the following diagram. Image 9: SSL Bridging load balancing method Advantages Since the load balancer acts as SSL tunnel end-point, the load-balancer can introspect the client request contents and easily handle persistent sessions.
Disadvantages The load-balancer can introspect all sensitive information communicated by the client, as it will at some point in time be available in the clear on the load balancer. This security risk should be evaluated when this setup is considered.
In case self-signed certificates are used, the certificates should be imported into the load-balancer to establish trust with the back-end servers. Environments that require a rolling upgrade typically support high-availability services, where the authentication service absolutely cannot be taken offline.
Before proceeding with a rolling upgrade, you must first address the different usability and load management issues involved. This domain has special significance in two ways: 1.
It is used as the default domain, when no domain is specified. Only administrators in the Master Domain may be assigned the privilege to view data from all domains. Administrators in other domains can view data in their own domain only. The default name for the Master Domain is master. If you prefer, you can specify another name when you add the database schema.
If the schema has already been added, you can change the Master Domain name during an advanced installation.
Deployment Considerations Note In the basic installation, the default name master is used. To change it, use the Administration Web Interface. Only Administrators in the Master Domain may be assigned the privilege to view data from all domains. Administrators in other domains will only ever be able to view data in their own domain. Domains can be used to divide administration between specific organizational divisions for example, where some administrators should only have access to a single group of users.
These domains may mirror actual domains in the corporate network. They allow grouping of Users according to department, job function, or other criteria. Active Directory Deployment Considerations 4. Intra-site replication is usually quite fast but changes on one Domain Controller may still take several minutes to be replicated to other Domain Controllers.
Inter-site replication may be quite slow — an hour or more between replications is common. Replication occurs when more than one Domain Controller exists in a domain. The connection to the DC fails soon after login, before replication has occurred.
The login succeeds where it should have failed OTP replay. Replication occurs. The later modification will overwrite the earlier when replication occurs. Old Data Used After Attribute Modified are exacerbated when the old information used on the second Domain Controller is updated based on old information. As the updated record on the second Domain Controller now has a later modification date, the end result is that the changed information on the first Domain Controller is overwritten incorrectly.
The problem shown in the aforementioned example may also occur in a Force PIN Change set by an administrator. A newer entry from the cache is always used in preference to an older record from Active Directory.
The cache age should be a little longer than the typical replication interval. The default is 10 minutes seconds. If you calculate that your typical replication interval will be more than ten minutes, the cache age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file i.
Cross-Domain access for administrators is a less likely requirement, however. The following instructions discuss cross-Domain permissions using a combination of Domain Local and Domain Global groups.
It is also possible to use Universal groups in a native mode Domain, but this is not covered in the following subsections. The following instructions illustrate how to do this.
Create a Domain Global group. Create or use an existing Domain Local group. Domain Local groups For each other Domain: 1. Create a Domain Local group. Give the Domain Local group the required permissions.
Listed below are the files supplied with the Identikey Server and the location — relative to the chroot jail — in which. Table 3: List of files and file locations for Identikey Server. Server Linux Installation Guide. Table 4: List of directories and permissions for Identikey Server. Read the How to Troubleshoot topic in the Administrator Reference for help in discovering the source of your.
If you do not find the information you need in the Knowledge Base, please contact the company that sold you. Only after doing these steps, if your needs are still not completely met please contact VASCO support:. Document Version: 1. It will guide you through preparation, installation and post-installation tasks which may be required for your system.
This allows it to be run on almost any Linux distribution. It runs as a daemon. Web Administration Interface Allows all Identikey Server data store administration tasks to be carried out over a web interface. This is an upgrade add-on to Identikey Server and will only be available for installation if it has been purchased.
It requires a separate installation program. It is compatible with most common browsers, including: Internet Explorer 6. It has been tested on the following databases: PostgreSQL 8. Identikey Server is designed to function on any language version of Linux; however, the product has only been comprehensively tested on English language versions.
Windows Installation Guide Use this guide when planning and working through an installation of Identikey Server in a Windows environment. Linux Installation Guide Use this guide when planning and working through an installation of Identikey Server in a Linux environment. Administrator Reference In-depth information required for administration of Identikey Server.
This includes references such as data attribute lists, backup and recovery and utility commands. Performance and Deployment Guide Contains information on common deployment models and performance statistics. Pre-installation Tasks Please note that to perform pre-installation and installation tasks you must be logged in as Administrator on the system where Identikey Server is to be installed.
Note 2. If you choose the basic installation, this will be installed and configured by default. This domain has special significance in two ways: 1. It is used as the default domain, when no domain is specified. Administrators in other domains will only ever be able to view data in their own domain. If you prefer to use another name, you can specify your preferred name when you add the database schema. If the schema has already been added, you can change the Master Domain name during an advanced installation.
Note In the basic installation, the default Master Domain name is used. To modify this, use the Administration Web Interface. It is important that these are set up before data is added to the database.
Therefore before installing, decide which of these options to use. Case-sensitivity The Identikey Server may be configured to save and retrieve User IDs and domain names in lower case, upper case or with no conversion (data is saved or searched on exactly as entered). The configuration required will depend on your company's requirements and the capabilities of the database used as the data store. If the schema has already been added, you can set the case conversion option using the Identikey Server Configuration Wizard, or by running the Identikey Server Configuration utility at any time afterwards.
A basic installation will install and set up a Tomcat web server automatically. If you do not have one, it will need to be set up now. If performed before installation of the product, the License file may be uploaded to the data store during the initial configuration. Installation Packages Overview Manual installation of packages is not required, as installation and configuration are run within a chroot jail.
See 4 Basic Installation or 5 Advanced Installation for installation instructions. All packages are optional, but all packages with dependencies must be installed with their dependencies. Table 1: Packages included in Identikey Server distribution Package Description Dependencies vasco-3rdparty Provides base C runtime libraries to the Identikey Server libc6 vasco-aal3seal Provides SEAL library support libc6 vasco-audit-core Libraries to access Identikey Server auditing data vasco-audit-viewer Allows an auditor to view the auditing data generated by the Identikey Server.
An SMS gateway is required. This installation option is best suited to evaluation, test and low-demand settings. See 5 Advanced Installation for instructions. Open a command line prompt. Run install. Enter basic. Enter yes to agree to the License conditions.
Identikey Server will be installed. Some configuration will be required: 9. In the original command window, enter the location — relative to the installation directory — and filename of the license file. Entering no will disable that specific scenario for that IK. Enter a private key password to be used for the server SSL certificate. A summary of the configuration will be displayed. Enter y to accept the configuration options shown.
Enter y to import Digipass records from a file, or n to skip this step. If you entered y, enter this information: (i) administrator user name; (ii) Domain to import to; (iii) the location and file name of the Digipass import file; (iv) Transport key for demo Digipass, this will be — 32 ones b. Enter y to import Digipass records from another import file, or n to finish import.
Advanced Installation An advanced installation of Identikey Server allows complete control over software components to be installed, and the configuration to be completed. Note If you wish to have a quick, default install and configuration, run the installation in basic mode. See 4 Basic Installation for instructions.
Note 5. Check your database documentation for details on using it with selinux. The following checklist contains the key decisions to make before you start. Type of database to be used Will a new schema be used? New Database Decide the collation sequence to be used — for example, case-sensitivity and data encryption options. Database User Accounts Create or select database user accounts for: Modifying the database schema database administrator account required.
Enter advanced 4. Enter yes to agree to the License conditions 6. If you wish to use another database, enter no.
To install the Administration Web Interface on this machine, enter yes. To install the OTP Request web site on this machine, enter yes.
To install the User Self Management web site on this machine, enter yes. To install the Audit Viewer on this machine, enter yes. Open a new command prompt to complete the database installation and setup. No manual setup is required. Additional steps must be followed to fully set up your database to work with Identikey Server.
For other products, follow the generic instructions below: 5. No environment variables are required.
A compatibility issue may occur if your system has a version of OpenSSL prior to 0. This applies to Sybase Adaptive Server Anywhere That script should be run to set the necessary variables. It is located in the Sybase bin directory, eg. See your Sybase documentation for further information on these variables. As user db2admin, enter the following commands: db2 catalog tcpip node dbnode remote server catalog database at node connect user 5.