IDENTIKEY Appliance

Administrator Guide

3.18
Disclaimer of Warranties and Limitations of Liabilities

Legal Notices
Copyright © 2008–2019 OneSpan North America, Inc. All rights reserved.

Trademarks
OneSpan™, DIGIPASS® and CRONTO® are registered or unregistered trademarks of OneSpan North America Inc.,
OneSpan NV and/or OneSpan International GmbH (collectively "OneSpan") in the U.S. and other countries.

OneSpan reserves all rights to the trademarks, service marks and logos of OneSpan and its subsidiaries.

All other trademarks or trade names are the property of their respective owners.

Intellectual Property
OneSpan Software, documents and related materials (“Materials”) contain proprietary and confidential information.
All title, rights and interest in OneSpan Software and Materials, updates and upgrades thereof, including software
rights, copyrights, patent rights, industrial design rights, trade secret rights, sui generis database rights, and all other
intellectual and industrial property rights, vest exclusively in OneSpan or its licensors. No OneSpan Software or Materials
may be downloaded, copied, transferred, disclosed, reproduced, redistributed, or transmitted in any form or by
any means, electronic, mechanical or otherwise, for any commercial or production purpose, except as otherwise
marked or when expressly permitted by OneSpan in writing.

Disclaimer
OneSpan accepts no liability for the accuracy, completeness, or timeliness of content, or for the reliability of links to
and content of external or third party websites.

OneSpan shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company,
or any third party arising from the use or inability to use OneSpan Software or Materials, or any third party material
made available or downloadable. OneSpan will not be liable in relation to any loss/damage caused by
modification of these Legal Notices or content.

Reservation
OneSpan reserves the right to modify these Notices and the content at any time. OneSpan likewise reserves the right
to withdraw or revoke consent or otherwise prohibit use of the OneSpan Software or Materials if such use does not
conform to the terms of any written agreement between OneSpan and you, or other applicable terms that OneSpan
publishes from time to time.

Contact us
Visit our website: https://www.onespan.com
Resource center: https://www.onespan.com/resource-center
Technical support and knowledge base: https://www.onespan.com/support

If there is no solution in the knowledge base, contact the company that supplied you with the OneSpan product.

Date last modified: 7/24/2019


Table of Contents


1. Introduction 16

1.1. IDENTIKEY Appliance Documentation Set 16

2. Administration Interfaces for IDENTIKEY Appliance 17

2.1. Administration Interfaces 17

2.2. Accessing the Configuration Tool and the Administration Web Interface 17

2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web
Interface 18

3. Manual Settings in the Configuration Tool 22

3.1. Enabling Services 22

4. IDENTIKEY Appliance Administration Web Interface Basic Configuration 24

4.1. Client Component Records 24

4.2. Client Component Types 25

4.3. User Records 28

4.4. DIGIPASS Records and Assignment 29

4.5. DIGIPASS Licensing and Activation 32

5. IDENTIKEY Appliance Administration Web Interface: User Dashboard 36

5.1. Working with the User Dashboard 36

5.2. View Audit Message Page 39

5.3. Generating Reports via the Reports Tab 40

5.4. Configuring the User Dashboard 40

6. System Administrator Accounts 42

6.1. Disabling the Default sysadmin User Account 42

6.2. Creating Additional Administrator Accounts 43

7. Typical DIGIPASS Authentication Module Setup 45

7.1. Create a Client Component 45

IDENTIKEY Appliance 3.18 – Administrator Guide iii



8. Typical RADIUS Setup 49

8.1. RADIUS Client Configuration 49

9. DIGIPASS Authentication for Windows Logon 52

9.1. Configuring IDENTIKEY Appliance 52

9.2. Configuring Password Randomization 54

9.3. Exporting the Server Certificate (Optional) 56

9.4. Installing and Configuring the Client Software 56

10. LDAP User Synchronization 57

10.1. Overview 57

10.2. LDAP Synchronization Profiles 58

10.3. Microsoft Active Directory Synchronization 60

10.4. NetIQ eDirectory Synchronization 62

10.5. Other LDAP Server Synchronizations 63

11. Back-End Authentication 65

11.1. RADIUS Back-End Authentication 66

11.2. NetIQ eDirectory Back-End Authentication 69

11.3. Microsoft Active Directory Back-End Authentication 70

11.4. IBM Security Directory Server Back-End Authentication 75

12. Replication 76

12.1. Replication Wizard 76

12.2. Audit Logs 83

13. Secure Sockets Layer (SSL) 85

13.1. Managing Certificates 85

13.2. Using Server Certificates 87

13.3. Using CA Certificates for Client Verification 89

14. Setting Up Signing and Provisioning 92




14.1. SOAP Communication Protocol 92

14.2. Enabling Signing and Provisioning Services 92

14.3. Configuring Signature and Provisioning Setups 92

15. Setting Up Virtual Mobile Authenticator 93

15.1. Importing Virtual Mobile Authenticator Records 93

15.2. Setting Up Message Delivery Component (MDC) 93

15.3. Setting Up IDENTIKEY Appliance Policies for Virtual Mobile Authenticator 97

15.4. Testing Virtual Mobile Authenticator 99

15.5. Assigning Policies to Clients for Using Virtual Mobile Authenticator 100

16. Reporting 102

16.1. Working With Reports 102

16.2. Creating Reports Using the Report Definition Wizard 105

16.3. PDF and HTML Report Customization 106

16.4. Report Retrieval 109

17. Configuring RADIUS Environments 110

17.1. Stand-Alone IDENTIKEY Appliance in RADIUS Environment 110

17.2. IDENTIKEY Appliance as RADIUS Proxy Target 111

17.3. IDENTIKEY Appliance as Intermediate Server 113

17.4. Wireless RADIUS 115

17.5. Customizing the RADIUS Attributes Dictionary 119

18. IDENTIKEY Authentication Server Discovery 121

18.1. Registering IDENTIKEY Appliance with DNS Server 121

18.2. Server Discovery 121

19. Test Policy Settings 124

19.1. Basic Testing Procedure - Prerequisites and Configurations 124

19.2. Test Local Authentication 126




19.3. Test RADIUS Back-End Authentication 127

19.4. Test Management Features 130

20. Administration Tasks 135

20.1. Scheduled Task Management 135

21. Monitoring 136

21.1. Overview 136

21.2. Disk Use 137

21.3. Logging 137

21.4. Auditing 143

21.5. Tracing 153

21.6. Configuring SNMP 157

21.7. Downloading OneSpan MIB Files 161

22. Performance Monitoring 163

22.1. Filters 163

22.2. Plugins 165

23. System Monitoring 166

23.1. Configuring System Monitoring for System OS Events 166

23.2. Configuring System Monitoring for IDENTIKEY Appliance Configuration Tool Events 168

23.3. Configuring System Monitoring for IDENTIKEY Authentication Server Events 171

23.4. Configuring SNMP Trap Handlers 172

23.5. Best Practices for SNMP Targets 173

24. Troubleshooting 175

24.1. Connection Problems 175

24.2. Dynamic Component Registration Problems 175

24.3. Administration Web Interface Connectivity 176

24.4. DIGIPASS User Account Locking 176




24.5. DIGIPASS Event Counter Out of Sync 178

24.6. Wireless RADIUS Authentication Failures 180

24.7. LDAP User Synchronization Issues 181

24.8. LDAP Back-End Authentication Setup Issues 182

25. Support 184

25.1. Support Procedure 184

25.2. Allowing Remote Support Connections 184




Illustration Index

Image 1: IDENTIKEY Appliance Configuration Tool SSL Certificate Warning 18

Image 2: Login Pages - IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface 19

Image 3: IDENTIKEY Authentication Server Administration Web Interface Home Page 20

Image 4: IDENTIKEY Appliance Configuration Tool Home Page 21

Image 5: Enabling or Disabling Services in IDENTIKEY Appliance Configuration Tool 23

Image 6: Adding a Client Component in IDENTIKEY Authentication Server Administration Web Interface 25

Image 7: Adding a Client Component in IDENTIKEY Authentication Server Administration Web Interface 29

Image 8: Adding a Client Component in IDENTIKEY Authentication Server Administration Web Interface 30

Image 9: DIGIPASS Assignment 31

Image 10: Disabling the User Account sysadmin 42

Image 11: Creating User Account (1) – Completing User Details 44

Image 12: Creating User Account (2) – Editing Administration Privileges 44

Image 13: Registering Clients in the IDENTIKEY Authentication Server Administration Web Interface 46

Image 14: Create a new administration program client in the IDENTIKEY Authentication Server Administration Web Interface 47

Image 15: Stand-Alone IDENTIKEY Appliance in a RADIUS Environment 49

Image 16: Registering Clients in the IDENTIKEY Authentication Server Administration Web Interface 50

Image 17: Create a New RADIUS Client in the IDENTIKEY Authentication Server Administration Web Interface 51

Image 18: Configuration of IP-to-Name Resolving in the IDENTIKEY Appliance Configuration Tool 53

Image 19: Configuring Password Randomization 55

Image 20: Creating LDAP Synchronization Profiles in the Configuration Tool 58

Image 21: Configuring the LDAP Synchronization Profile 59

Image 22: Example Filter and Attribute Mappings for Microsoft Active Directory 2003/2008 61

Image 23: Properties of an Example Object in Microsoft Active Directory 62

Image 24: Example Filter and Attribute Mappings for NetIQ eDirectory 63

Image 25: IDENTIKEY Appliance as Intermediate Server for OTP only 65

Image 26: Authentication Back-Ends 66

Image 27: Editing RADIUS Back-End Policy 68

Image 28: Manual Configuration of the Simple Password 70




Image 29: Configuring Active Directory Domain Controller for IDENTIKEY Appliance 72

Image 30: Global Catalog Server Settings for IDENTIKEY Appliance 74

Image 31: Replication Wizard Step 2 - Setting Up Database Copying from Local to Remote 77

Image 32: Replication Wizard Step 2 - Setting Up Database Copying from Remote to Local 78

Image 33: Replication Setup Processing Screen Feedback 79

Image 34: Replication Wizard Step 2 - Setting Up Database Copying - Databases Synchronized 81

Image 35: Replication Status in the IDENTIKEY Appliance Configuration Tool 82

Image 36: Replication Status in the IDENTIKEY Authentication Server Administration Web Interface 83

Image 37: Server Certificate Configuration (SEAL) 89

Image 38: Client Certificate Configuration (SEAL) 91

Image 39: Customized Report Data Flow 107

Image 40: Stand-Alone IDENTIKEY Appliance in a RADIUS Environment 110

Image 41: IDENTIKEY Appliance as RADIUS Proxy Server 112

Image 42: IDENTIKEY Appliance as Intermediate Server (OTP-Only) 113

Image 43: IDENTIKEY Appliance as Intermediate Server (OTP-Password) 114

Image 44: Wireless RADIUS Components 115

Image 45: Roaming Wireless Connections - Assigning the Same SSID to All Wireless Access Points 118

Image 46: Roaming Wireless Connections - Policy and Component Record Details 119

Image 47: Uploading a Custom RADIUS Dictionary 120

Image 48: Configuration Tool IDENTIKEY Authentication Server Discovery without Authentication Type 122

Image 49: Configuration Tool IDENTIKEY Authentication Server Discovery with TSIG as Authentication Type 123

Image 50: IDENTIKEY Appliance Configuration Tool Disk Use Overview 137

Image 51: Configuring Logging 138

Image 52: Configuring Remote Logging 139

Image 53: Live Log Viewer 140

Image 54: Viewing Logs 140

Image 55: Simple Log Filter Entry and Result 141

Image 56: Using the Advanced Filter 141

Image 57: Advanced Log Filter Fields 142




Image 58: Downloading System Log Files 143

Image 59: Configuring IDENTIKEY Authentication Server Audit Settings in the Configuration Tool 144

Image 60: Live Audit Viewer 146

Image 61: Viewing the Live Audit Viewer 146

Image 62: Simple Audit Filter Entry and Result 147

Image 63: Using the Advanced Filter 147

Image 64: Advanced Audit Filter Fields 148

Image 65: Exporting from the Audit Viewer 149

Image 66: Exporting Audit Files 149

Image 67: Downloading Audit Files 151

Image 68: Configuring Tracing for IDENTIKEY Authentication Server 154

Image 69: Configuring Tracing for Message Delivery Component (MDC) 155

Image 70: Configuring Tracing for LDAP User Synchronization 156

Image 71: Managing Trace Files 157

Image 72: Configuring SNMP v2c 159

Image 73: Configuring SNMP v3 159

Image 74: Downloading VASCO MIB Files 162

Image 75: Adding Filter in Performance Monitoring 164

Image 76: Configuring Notification Settings 169

Image 77: Configuring Support Connections 185

Image 78: Selecting Support Certificate 185




Table Index

Table 1: Dashboard Used Clients - Displayed Fields 37

Table 2: Report Definition Criteria 40

Table 3: Field Values for Installation 48

Table 4: Microsoft Active Directory 2003/2008 Filter Settings 60

Table 5: NetIQ eDirectory Filter Settings 62

Table 6: Certificate Restrictions 88

Table 7: Paper-Size Values (for customized PDF/HTML reports) 108

Table 8: Required Wireless Access Point Settings 116

Table 9: Component Record Settings for Each Wireless Access Point 117

Table 10: Policy and Component Record Details when allowing roaming Wireless Connections 118

Table 11: Log Filter Fields 142

Table 12: Audit Filter Fields 148

Table 13: Audit Export Fields 150

Table 14: Processes Monitored Via SNMP Traps 166




Procedure Index

Procedure 1: Logging on to the administration interfaces 18

Procedure 2: Enabling or disabling services 22

Procedure 3: Registering client records in IDENTIKEY Authentication Server 24

Procedure 4: Creating a user record manually 28

Procedure 5: Inspecting recent user activity 38

Procedure 6: Inspecting recent DIGIPASS activity 39

Procedure 7: Configuring the recent activity settings 41

Procedure 8: Disabling the default sysadmin user account 42

Procedure 9: Creating an administrator account 43

Procedure 10: Creating a Client Component: DIGIPASS Authentication Module 45

Procedure 11: Deleting the temporarily created Client Component 48

Procedure 12: Creating a Client Component: RADIUS client 50

Procedure 13: Restricting Dynamic Component Registration with Windows Group Check 53

Procedure 14: Changing the default Client Component 54

Procedure 15: Enabling randomized passwords for Windows Logon and setting the password length 55

Procedure 16: Creating an LDAP synchronization profile 58

Procedure 17: Viewing user account attributes on your Microsoft Active Directory 61

Procedure 18: Configuring back-end authentication 65

Procedure 19: Enabling RADIUS back-end authentication 66

Procedure 20: Adding a RADIUS back-end server record 66

Procedure 21: Adjusting authentication policy settings 67

Procedure 22: Creating a client record and assign the policy 68

Procedure 23: Enabling NetIQ eDirectory back-end authentication 69

Procedure 24: Adding a NetIQ eDirectory back-end server record 69

Procedure 25: Exporting a CA certificate 71

Procedure 26: Enabling Microsoft Active Directory back-end authentication 71

Procedure 27: Configuring the AD domain controller (with the DNS server role) as the DNS server for IDENTIKEY Appliance 72

Procedure 28: Adding an Active Directory back-end server record in the IDENTIKEY Authentication Server Administration Web Interface 72




Procedure 29: Configuring the global catalog server on IDENTIKEY Appliance 74

Procedure 30: Enabling IBM Security Directory Server back-end authentication 75

Procedure 31: Adding an IBM Security Directory Server back-end server record 75

Procedure 32: Setting up replication between two systems with no replication setup 77

Procedure 33: Setting up replication between replicated and non-replicated systems 79

Procedure 34: Setting up replication between synchronized systems 80

Procedure 35: Removing replications 83

Procedure 36: Editing a server or CA certificate 85

Procedure 37: Downloading a server or CA certificate 86

Procedure 38: Deleting a server or CA certificate 86

Procedure 39: Adding a server certificate 86

Procedure 40: Adding a trusted root certification authority (CA) bundle 87

Procedure 41: Selecting a server certificate for a communicator component 89

Procedure 42: Selecting a CA certificate/bundle for a communicator component 90

Procedure 43: Setting up an SMS gateway for Message Delivery Component (MDC) 94

Procedure 44: Setting up an email gateway for Message Delivery Component (MDC) 95

Procedure 45: Setting up a voice gateway for Message Delivery Component (MDC) 96

Procedure 46: Importing a gateway definition 96

Procedure 47: Setting up a policy for Primary Virtual Mobile Authenticator 97

Procedure 48: Setting up a policy for Backup Virtual Mobile Authenticator (Permitted, Not Mandatory) 98

Procedure 49: Setting up a policy for Backup Virtual Mobile Authenticator (Permitted, Not Mandatory, Time-Limited) 98

Procedure 50: Setting up a policy for Backup Virtual Mobile Authenticator (Mandatory) 99

Procedure 51: Testing Primary Virtual Mobile Authenticator 99

Procedure 52: Testing Backup Virtual Mobile Authenticator 100

Procedure 53: Assigning a policy to a client for using Virtual Mobile Authenticator 100

Procedure 54: Running an existing report 102

Procedure 55: Changing the report owner 104

Procedure 56: Editing a report 104

Procedure 57: Deleting a report 104




Procedure 58: Creating a report 105

Procedure 59: Viewing a report's corresponding XSLT script 109

Procedure 60: Linking a custom template to a report 109

Procedure 61: Deploying Stand-Alone IDENTIKEY Appliance in RADIUS Environment 110

Procedure 62: Deploying IDENTIKEY Appliance as a RADIUS proxy server 112

Procedure 63: Deploying IDENTIKEY Appliance as an intermediate server 114

Procedure 64: Uploading a custom RADIUS dictionary 120

Procedure 65: Registering DNS service without authentication type 122

Procedure 66: Registering DNS service with TSIG as the authentication type 122

Procedure 67: Creating a test policy 124

Procedure 68: Testing directly logging on the RADIUS server 128

Procedure 69: Create new back-end server record 129

Procedure 70: Viewing a scheduled task 135

Procedure 71: Editing a scheduled task 135

Procedure 72: Configuring the type of logging 138

Procedure 73: Configuring remote logging 138

Procedure 74: Viewing and filtering log files 140

Procedure 75: Downloading and deleting log files 142

Procedure 76: Viewing and filtering audit files 146

Procedure 77: Exporting audit files 149

Procedure 78: Downloading and deleting audit files 150

Procedure 79: Using the Secure Auditing Verification Tool 152

Procedure 80: Configuring tracing for IDENTIKEY Authentication Server 153

Procedure 81: Configuring tracing for Message Delivery Component (MDC) 154

Procedure 82: Configuring Tracing for LDAP user synchronization 155

Procedure 83: Managing Trace Files 156

Procedure 84: Configuring SNMP Settings 158

Procedure 85: Downloading OneSpan MIB files 161

Procedure 86: Configuring system monitoring targets for system OS events 167




Procedure 87: Configuring system monitoring targets for IDENTIKEY Appliance Configuration Tool events 169

Procedure 88: Adding a system monitoring filter for IDENTIKEY Appliance Configuration Tool events 170

Procedure 89: Configuring system monitoring targets for IDENTIKEY Authentication Server events 171

Procedure 90: Configuring an SNMP trap handler 172

Procedure 91: Unlocking a locked DIGIPASS user account manually 177

Procedure 92: Resetting the error count manually (ODBC) 178

Procedure 93: Resetting the error count manually (AD) 178

Procedure 94: Re-importing a DIGIPASS authenticator 179

Procedure 95: Allowing remote support connections 184




1. Introduction
IDENTIKEY Appliance Administrator Guide is part of the documentation set for IDENTIKEY Appliance. It provides
in-depth guidance for performing common or complex tasks on IDENTIKEY Appliance and IDENTIKEY Authentication
Server.

If not stated otherwise, the information in this guide also applies to IDENTIKEY Virtual Appliance.

Warning
Components or features described in this document may need to be configured to meet the standards of the General
Data Protection Regulation (GDPR). If your organization is collecting or in any capacity processing data on citizens
of a European Union country, your organization is subject to the GDPR. For more information on this subject
matter, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance Guide.

1.1. IDENTIKEY Appliance Documentation Set

The following IDENTIKEY Appliance guides are available:

- IDENTIKEY Appliance Administrator Guide. Explains the steps needed for administration tasks, including monitoring and troubleshooting.
- IDENTIKEY Appliance Administrator Reference. Provides field explanations and other organized reference material for technical experts using IDENTIKEY Appliance; intended for reference only.
- IDENTIKEY Appliance Installation and Maintenance Guide. Explains the steps required to connect IDENTIKEY Appliance to your network, first-time configuration, and maintenance procedures such as updating and re-licensing.
- IDENTIKEY Appliance Product Guide. Describes the structure of the product, the concepts underpinning authentication, and how IDENTIKEY Appliance can support authentication within an existing infrastructure.
- IDENTIKEY Appliance General Data Protection Regulation Compliance Guide. Provides general information about the EU General Data Protection Regulation (GDPR) and its implications for IDENTIKEY Appliance, and gives instructions for achieving GDPR compliance where additional adaptations or procedures are required.
- IDENTIKEY Authentication Server SDK Programmer Guide. Provides in-depth information required for development work using the SDK. This document is relevant to SOAP authentication, electronic signatures, and provisioning using IDENTIKEY Appliance.
- Documents about DIGIPASS Authentication for Windows Logon. Provide information about the concepts, installation and configuration, setup, and procedures to test DIGIPASS Authentication for Windows Logon.
- Two Password Synchronization Manager guides, covering installation and usage.
- Filter guides for each available filter, covering installation and usage.

Access to the IDENTIKEY Appliance documentation is provided via the IDENTIKEY Appliance Configuration Tool.
Manuals for IDENTIKEY Appliance add-ons are provided on the CD-ROM delivered with the appliance.




2. Administration Interfaces for IDENTIKEY Appliance


2.1. Administration Interfaces

IDENTIKEY Appliance provides three administration interfaces:

- The Rescue Tool, which is used to manage a limited set of settings (for more information, refer to the IDENTIKEY Appliance Installation and Maintenance Guide).
- The IDENTIKEY Appliance Configuration Tool, which is used for installation, licensing, and maintenance of IDENTIKEY Appliance.
- The Administration Web Interface, which is used for daily administration of the system after IDENTIKEY Appliance has been licensed.

2.2. Accessing the Configuration Tool and the Administration Web Interface

Warning
Using the default user account sysadmin to access the Configuration Tool is less secure than using a newly created
user account that requires DIGIPASS one-time password authentication. OneSpan therefore recommends using the
administrator account created via the IDENTIKEY Authentication Server Setup Wizard, and disabling the default
sysadmin account as soon as possible (see 6.1. Disabling the Default sysadmin User Account).

The IDENTIKEY Appliance Configuration Tool and Administration Web Interface are accessed using a standard web
browser. Access is secured by SSL (Secure Sockets Layer) encryption via the HTTPS protocol.

Note
The URL used to access the administration interfaces for IDENTIKEY Appliance is:

https://<appliance_ip_address>/

This URL will point to the IDENTIKEY Appliance Welcome Page – from the Welcome Page you access both the
IDENTIKEY Appliance Configuration Tool and the Administration Web Interface.

The IDENTIKEY Appliance Welcome Page offers two links: one to the IDENTIKEY Appliance Configuration Tool, for
further configuration of IDENTIKEY Appliance, and one to the IDENTIKEY Authentication Server Administration Web
Interface, for daily management. Until first-time configuration, licensing, and the IDENTIKEY Authentication Server
Setup Wizard have been completed, only the link to the IDENTIKEY Appliance Configuration Tool is active. After
licensing, the link to the IDENTIKEY Authentication Server Administration Web Interface is also enabled.

For more information about configuring IDENTIKEY Authentication Server and the administration interface access,
refer to the IDENTIKEY Appliance Installation and Maintenance Guide.




2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server
Administration Web Interface

Launching the administration interfaces consists of several steps:

Procedure 1: Logging on to the administration interfaces

1. Enter the URL for the interface in the browser. Because the appliance ships with a self-signed certificate, the
browser presents a warning asking you to accept the certificate before continuing. Verify the certificate's
fingerprint out of band before accepting it; to remove the warning permanently, install a server certificate
issued by your own CA (see 13.2. Using Server Certificates).

Note
The procedure for accepting a certificate varies between browsers. Internet Explorer is used in the
example below.

Image 1: IDENTIKEY Appliance Configuration Tool SSL Certificate Warning

Accept the certificate according to your browser's instructions.

2. After the certificate has been accepted, access the required interface by clicking on the interface title on
the Welcome Page. This will open the corresponding login page of the interface you are accessing.




Image 2: Login Pages - IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server
Administration Web Interface

3. Log on using administrator credentials. The factory default administrative user name and password are:

- User: sysadmin
- Password: sysadmin

Be aware that the password may already have been changed by a network administrator, that new
administrative user accounts may have been created, and that the default user sysadmin may have been
disabled.

Note
The IDENTIKEY Authentication Server Setup Wizard must be completed (as described in the IDENTIKEY
Appliance Installation and Maintenance Guide) before the IDENTIKEY Authentication Server Administration
Web Interface can be accessed.
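The browser warning in step 1 appears because the appliance's factory certificate is self-signed, so nothing in the browser's trust store vouches for it. The script below is an added example and is not part of the OneSpan guide: it records the SHA-256 fingerprint of the certificate the appliance presents and checks every later connection against that pinned value, so a changed certificate is noticed instead of being accepted again by habit. The host 192.0.2.10, port 443 and the PINNED_FINGERPRINT placeholder are assumptions to replace with your own values; the sample PEM is constructed so the check can run without an appliance.

```python
"""Pin the IDENTIKEY Appliance web certificate by SHA-256 fingerprint.

Added example, not part of the OneSpan guide. Host, port and the pinned
fingerprint are placeholders; the sample PEM is constructed, not a real
certificate.
"""
import base64
import hashlib
import hmac
import ssl
import sys

# Assumed values: replace with your appliance address and the fingerprint
# you verified out of band (for example read off the appliance console).
APPLIANCE_HOST = "192.0.2.10"
APPLIANCE_PORT = 443
PINNED_FINGERPRINT = "replace-with-the-verified-fingerprint"


def fingerprint_from_pem(pem: str) -> str:
    """Return the SHA-256 fingerprint of a PEM certificate as colon-separated
    upper-case hex, the form browsers show in their certificate dialog."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the PEM armour and base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(pem: str, expected: str) -> bool:
    """Compare the certificate's fingerprint with the pinned value.

    Separators and case are ignored so a value copied from a browser dialog,
    from 'openssl x509 -fingerprint -sha256' or from this script compares
    equal; the comparison itself is constant-time."""
    got = fingerprint_from_pem(pem).replace(":", "").lower()
    want = expected.replace(":", "").lower()
    return hmac.compare_digest(got, want)


def fetch_appliance_cert(host: str, port: int) -> str:
    """Retrieve the certificate the appliance presents, as PEM.

    ssl.get_server_certificate() performs no chain validation, which is the
    point here: the certificate is self-signed, so the only check that means
    anything is the fingerprint comparison in pin_matches()."""
    return ssl.get_server_certificate((host, port))


# Constructed sample: PEM armour around base64 of arbitrary bytes. It is not
# a certificate, but the fingerprint arithmetic is identical for a real one.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed sample, not a real certificate").decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # First run: print the fingerprint, verify it out of band, then store it
    # in PINNED_FINGERPRINT. Later runs: fail loudly if it has changed.
    pem = fetch_appliance_cert(APPLIANCE_HOST, APPLIANCE_PORT)
    print("presented:", fingerprint_from_pem(pem))
    if not pin_matches(pem, PINNED_FINGERPRINT):
        print("certificate does not match the pinned fingerprint", file=sys.stderr)
        sys.exit(1)
    print("certificate matches the pinned fingerprint")
```

Run it once against the appliance, compare the printed fingerprint with the one you obtained through a channel the network cannot tamper with, and paste that value into PINNED_FINGERPRINT; from then on a non-zero exit means the certificate changed, which is expected only after you replace it as described in 13.2. Using Server Certificates.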




Image 3: IDENTIKEY Authentication Server Administration Web Interface Home Page




Image 4: IDENTIKEY Appliance Configuration Tool Home Page




3. Manual Settings in the Configuration Tool


After first-time installation has been completed, you can adjust the configuration manually in the IDENTIKEY Appliance
Configuration Tool. This allows you to

- alter settings that were entered during the Configuration Wizard
- configure additional settings, such as those for Virtual Mobile Authenticator (Message Delivery Component)

For more information about manual configuration without the wizard, refer to the section on installation
configurations in the IDENTIKEY Appliance Product Guide, and the section on Configuration Tool field listings in the
IDENTIKEY Appliance Administrator Reference.

To adjust the settings manually, log on to the Configuration Tool (see 2.3. Launching IDENTIKEY Appliance
Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface). Navigate to Configuration Tool
> Settings, select the relevant item from the Settings menu, and enter or adjust the settings as required.

3.1. Enabling Services

IDENTIKEY Appliance includes the following services:

- Authentication
- Provisioning
- Signatures

These services are enabled by default but can be manually disabled or enabled:

Procedure 2: Enabling or disabling services

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see 2.3. Launching IDENTIKEY
Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).




2. Navigate to Authentication Server > Scenarios.

3. Enable or disable services by selecting the corresponding check box. Services your deployment does not use
(for example Signatures or Provisioning) can be left disabled so that the appliance exposes only the interfaces
it actually needs.

Image 5: Enabling or Disabling Services in IDENTIKEY Appliance Configuration Tool

For more information about the different services and screen fields, refer to the IDENTIKEY Appliance Product Guide
and the IDENTIKEY Appliance Administrator Reference.




4. IDENTIKEY Appliance Administration Web Interface Basic Configuration

This section explains how to perform basic configuration tasks in the IDENTIKEY Authentication Server
Administration Web Interface of IDENTIKEY Appliance. All the instructions described in this section need to be
completed in the IDENTIKEY Authentication Server Administration Web Interface.

For more information on the concepts introduced in this section and how they operate during an authentication
attempt, refer to the section on the user authentication process in the IDENTIKEY Appliance Product Guide.

Three further configurations are essential to support authentication, electronic signatures, or provisioning:

- Client Components need to be registered for authentication (or other) services on IDENTIKEY Appliance
- User records need to be registered on IDENTIKEY Appliance
- DIGIPASS authenticators need to be registered on IDENTIKEY Appliance and assigned to user accounts

In the following sections, we provide instructions for these configurations.

4.1. Client Component Records

A Client Component record is required for each service that is to be run on IDENTIKEY Authentication Server, such
as RADIUS, or SEAL.

Each service in the network (for example, an authentication service) that needs to access IDENTIKEY Authentication
Server services must be registered on IDENTIKEY Authentication Server as a Client Component for access to be allowed
and policies to be applied. For further conceptual information, refer to the sections on Client Components and
policies of the IDENTIKEY Appliance Product Guide; for a list and explanation of the relevant fields, refer to the
IDENTIKEY Appliance Administrator Reference.

Client records are registered in IDENTIKEY Authentication Server under the Clients tab of the IDENTIKEY
Authentication Server Administration Web Interface.

Procedure 3: Registering client records in IDENTIKEY Authentication Server

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY
Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Clients > Register.
3. Identify the client type.
4. Enter a policy ID.
5. Identify the protocol ID.
6. Enter optional settings if required, e.g. a RADIUS Shared Secret or Character Encoding.
7. Select the Enabled check box to enable the new client.
8. Click on Create.

Image 6: Adding a Client Component in IDENTIKEY Authentication Server Administration Web Interface

4.2. Client Component Types

4.2.1. SOAP Client Programs

SOAP client programs are not called 'SOAP clients'. The program itself specifies the type as a parameter to each
request. A client component record must exist for this type at the location (IP address) where the application runs.
The policy in the component record will be used for all processing of requests from this client.

4.2.2. Administration Program

Creating a component record for a OneSpan administration program (e.g. Administration Web Interface or Audit
Viewer) allows a policy to be set for connections from that program.

A component record must exist for each Administration Web Interface or any other administration program using
SOAP and SEAL.

4.2.3. IDENTIKEY User Websites

IDENTIKEY User Websites is a pre-defined SOAP-based client component used for OneSpan User Websites clients.
The client component record will be checked whenever the OneSpan User Websites client sends a request to
IDENTIKEY Appliance.

One client component record must exist for each OneSpan User Websites client installed at a different location
(IP address). Each client component record requires a valid license key.

4.2.4. RADIUS Client

A RADIUS client component record is required when clients will be sending authentication requests to IDENTIKEY
Appliance using the RADIUS protocol. The IDENTIKEY Appliance will check the component record to find:

• the shared secret to use for communicating with the RADIUS client
• the policy to apply to the authentication request

A default RADIUS client component record is automatically created during installation of IDENTIKEY Appliance. This
can be deleted and specific records created for each location.

Note
The default RADIUS client created during installation will be given a shared secret by default.

For information about a typical setup of a RADIUS client, see 8. Typical RADIUS Setup.

4.2.5. DIGIPASS Authentication Module

A component record is required for any DIGIPASS Authentication Module used with IDENTIKEY Appliance. The
component record will be checked whenever the DIGIPASS Authentication Module sends an authentication request to
the IDENTIKEY Appliance. The IDENTIKEY Appliance will check:

• that the component record contains a valid license key for a client module
• which policy to apply to the authentication request

The following client types fall into this category:

• Citrix Web Interface (DIGIPASS Authentication for Citrix Web Interface)
• Outlook Web Access (DIGIPASS Authentication for OWA Basic and DIGIPASS Authentication for OWA Forms)
• IIS Module (DIGIPASS Authentication for IIS Basic)
• Windows Remote Desktop Web (DIGIPASS Authentication for Remote Desktop Web Access)
• SBR Plug-In (DIGIPASS Authentication for Steel-Belted RADIUS Server)
• Citrix Storefront (DIGIPASS Authentication for Citrix StoreFront)
• Microsoft ADFS (DIGIPASS Authentication for Microsoft ADFS)
• Epic Hyperspace (DIGIPASS Authentication for Epic Hyperspace)

For information about a typical setup of a DIGIPASS Authentication Module, see 7. Typical DIGIPASS Authentication
Module Setup.

4.2.6. DIGIPASS Authentication for Windows Logon

There are two pre-defined client components for DIGIPASS Authentication for Windows Logon:

• DIGIPASS Authentication for Windows Logon is a pre-defined SOAP-based client component used for
DIGIPASS Authentication for Windows Logon 2.x. Client component records of this type require a valid client
component license.

Client component records of this type are required for all client IP addresses used to log on to Windows via
DIGIPASS Authentication for Windows Logon 2.x. However, unlike DIGIPASS Authentication for Windows
Logon 1.x, you can define client component records to cover IP address ranges instead of individual client
component records for each individual IP address.

• Identikey Windows Logon Client is a pre-defined SEAL-based client component used for DIGIPASS
Authentication for Windows Logon 1.x. Client component records of this type do not require a client
component license.

A client component record of this type is required for each client IP address used to log on to Windows via
DIGIPASS Authentication for Windows Logon 1.x. DIGIPASS Authentication for Windows Logon 1.x uses
Dynamic Component Registration (DCR) to ensure that the correct client component record is available
when required.

Dynamic Component Registration (DCR) must be enabled in the Windows Logon policy.

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that to be GDPR-compliant,
DIGIPASS Authentication for Windows Logon requires the Verify server SSL certificate box to be checked in
the DIGIPASS Authentication for Windows Logon Configuration Center.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

4.2.7. IDENTIKEY Federation Server

An IDENTIKEY Federation Server client component record for IDENTIKEY Authentication Server is required when
IDENTIKEY Federation Server is used for authentication to different Web applications. IDENTIKEY Federation Server
communicates with IDENTIKEY Authentication Server via the SEAL protocol. For more information about the
functionalities of and settings for IDENTIKEY Federation Server, refer to the IDENTIKEY Federation Server Product Guide.

Note
If you register IDENTIKEY Federation Server as a client, IDENTIKEY Authentication Server will require you to upload
a valid IDENTIKEY Federation Server license.
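A constructed model (added here, not OneSpan's code) of how the client component records described in this section gate a request: a record must exist for the client type at the source IP address (an IP range only for the Windows Logon 2.x type), licensed types need a license key, RADIUS records carry the shared secret, and the matching record's policy is what gets applied. The record values, the set of licensed types and the most-specific-match rule are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Client types the text says need a valid license key in their record (modelled as a set; assumption).
LICENSED_TYPES = {
    "IDENTIKEY User Websites",
    "DIGIPASS Authentication Module",
    "DIGIPASS Authentication for Windows Logon",   # the 2.x SOAP-based component
}
# Only the Windows Logon 2.x component may cover an IP address range instead of a single IP.
RANGE_CAPABLE_TYPES = {"DIGIPASS Authentication for Windows Logon"}


class RegistrationError(ValueError):
    """The record violates one of the registration rules."""


class AccessDenied(Exception):
    """No usable client component record exists for this request."""


@dataclass(frozen=True)
class ClientRecord:
    client_type: str
    location: str                       # "192.0.2.10" or "198.51.100.0/24" (constructed values)
    policy_id: str
    protocol_id: str                    # "RADIUS", "SOAP" or "SEAL"
    enabled: bool = True
    shared_secret: Optional[str] = None  # RADIUS clients only
    license_key: Optional[str] = None    # licensed client types only

    @property
    def network(self):
        # A single address becomes a /32 (or /128) network, so one containment test covers both cases.
        return ipaddress.ip_network(self.location, strict=False)


class ClientRegistry:
    """Holds the registered client component records and resolves incoming requests against them."""

    def __init__(self) -> None:
        self._records: List[ClientRecord] = []

    def register(self, rec: ClientRecord) -> None:
        net = rec.network
        if net.num_addresses > 1 and rec.client_type not in RANGE_CAPABLE_TYPES:
            raise RegistrationError(f"{rec.client_type} records must name a single IP address")
        if rec.client_type in LICENSED_TYPES and not rec.license_key:
            raise RegistrationError(f"{rec.client_type} records require a valid license key")
        if rec.protocol_id == "RADIUS" and not rec.shared_secret:
            raise RegistrationError("RADIUS client records need a shared secret")
        self._records.append(rec)

    def resolve(self, client_type: str, source_ip: str) -> ClientRecord:
        """Return the record whose policy applies to a request of this type from this address."""
        ip = ipaddress.ip_address(source_ip)
        matches = [r for r in self._records if r.client_type == client_type and ip in r.network]
        if not matches:
            raise AccessDenied(f"no {client_type} record registered for {source_ip}")
        # Assumption: a record for the exact address takes precedence over a range that contains it.
        best = max(matches, key=lambda r: r.network.prefixlen)
        if not best.enabled:
            raise AccessDenied(f"the {client_type} record for {source_ip} is disabled")
        return best
```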

4.3. User Records

IDENTIKEY Authentication Server offers the following methods of registering users:

• Creating users manually when required. User records are registered on IDENTIKEY Authentication Server
under the Users tab of the server's Administration Web Interface (see Procedure 4: Creating a user record
manually).
• Importing a user file which contains one or more user records through the User Import screen of the
IDENTIKEY Authentication Server Administration Web Interface. The user file should be a comma-separated
variable (csv) text file, which can be uploaded to import users. For more information, refer to the
IDENTIKEY Appliance Administrator Reference, Section "Importing Users". An example .csv file is provided
with the IDENTIKEY Appliance delivery package.
• Configuring Dynamic User Registration (DUR) as a policy setting in the IDENTIKEY Authentication Server
Administration Web Interface, under Policies > User. DUR allows registering users automatically the first time
they log on. For more information about DUR, refer to the IDENTIKEY Appliance Product Guide.
• Configuring LDAP synchronization with a directory server in the Configuration Tool (see 10. LDAP User
Synchronization).

Procedure 4: Creating a user record manually

1. In the IDENTIKEY Authentication Server Administration Web Interface, navigate to Users > Create.
2. Add a user ID (mandatory).
3. Select a domain (mandatory).
4. If required, enter data in the other (optional) fields.
5. Click Create.

Image 7: Adding a Client Component in IDENTIKEY Authentication Server Administration Web Interface

4.4. DIGIPASS Records and Assignment

DIGIPASS records can only be imported into the IDENTIKEY Authentication Server from a .dpx file issued by your
supplier for your specific DIGIPASS authenticator or authenticators. The file can be uploaded in the IDENTIKEY
Authentication Server Administration Web Interface, under DIGIPASS > Import.

Image 8: Adding a Client Component in IDENTIKEY Authentication Server Administration Web Interface

DIGIPASS records can be assigned to user accounts in the IDENTIKEY Authentication Server Administration Web
Interface in three ways:

1. Manual assignment: view an unassigned DIGIPASS or user record, click on ASSIGN and complete the ASSIGN
wizard. The specific DIGIPASS authenticator for the record must be supplied to the user.
2. Auto-assignment: the user does not have a DIGIPASS authenticator assigned, and the applicable policy
permits auto-assignment. An unassigned DIGIPASS record is searched for and automatically allocated to
the user upon logging in for the first time. The specific DIGIPASS authenticator for the record must be
supplied to the user.

Note
When maker-checker authorization is enabled, assigning a DIGIPASS authenticator requires the
approval of a checker administrator. In that case, Auto-Assignment is not available.

3. Self-assignment: the DIGIPASS authenticator is in the user's possession, and the applicable policy permits
self-assignment. The user completes a self-assignment process.

Image 9: DIGIPASS Assignment

For more information, please refer to the IDENTIKEY Appliance Product Guide.

4.5. DIGIPASS Licensing and Activation

4.5.1. Standard Licensing and Activation

The standard licensing model applies to models of the DIGIPASS authenticator that are pre-provisioned ex factory,
and software DIGIPASS using standard one-step activation.

The standard activation process involves generating an activation code and sending it to a software DIGIPASS
separately or as part of the full activation data.

4.5.2. DIGIPASS Multi-Device Licensing and Activation

As of version 3.7, IDENTIKEY Authentication Server supports a new model for licensing and activating a
DIGIPASS authenticator: Multi-Device Licensing and Multi-Device Activation.

This new licensing and activation model applies to the following models of the DIGIPASS authenticator:

• E-signature DIGIPASS: DIGIPASS 760
• Software DIGIPASS: DIGIPASS for Mobile and DIGIPASS for APPS

Note
The new functionalities introduced in the context of Multi-Device Licensing, Multi-Device Activation, and the
Secure Channel feature are aimed at the banking security market only. This implies that certain of these
functionalities will not be available for typical enterprise security deployments.

Warning
The Multi-Device Licensing and Multi-Device Activation functionality using the Secure Channel feature requires a
SOAP provisioning and / or SOAP signature license!

With the Multi-Device Licensing model and its one-to-one relationship between a user account and a DIGIPASS
serial number license, a user account can optionally be bound to several DIGIPASS instances. Multi-Device
Activation, which is an activation process in two steps, guarantees that only the intended end user can perform the
device activation.

4.5.3. Multi-Device Licensing

With the Multi-Device Licensing model, each DIGIPASS serial number corresponds to a unique DIGIPASS license;
consequently, for each DIGIPASS device compliant with the Multi-Device Licensing model, the corresponding .dpx
file contains one DIGIPASS master activation application for each DIGIPASS license. These DIGIPASS instances are
represented in IDENTIKEY Authentication Server as DIGIPASS with a single DIGIPASS master activation application.

One DIGIPASS license allows several DIGIPASS instances to be instantiated, all bound to that same DIGIPASS license.
DIGIPASS instances are not different from DIGIPASS activated in the standard process with regard to the
representation of DIGIPASS applications. IDENTIKEY Authentication Server creates the DIGIPASS instance(s) for a
particular license during the Multi-Device Activation process.

The number of instances that can be activated for each DIGIPASS license is limited to a predefined threshold which
is configured by OneSpan at the time of order. A maximum number of 99 instances can be configured, and each
DIGIPASS instance can have from 1 to 8 DIGIPASS authentication or e-signature application(s). These DIGIPASS
instances are represented in IDENTIKEY Authentication Server as DIGIPASS with the same base serial number as
the bound DIGIPASS license, appended with the instance sequence number.

4.5.4. Multi-Device Activation

In the Multi-Device Activation process, two separate activation messages are used for activating the device(s). This
serves to guarantee that only the intended end user, and not an adversary who has intercepted one of the
messages, can perform the activation. Multi-Device Activation is a different process from the standard software
DIGIPASS activation and requires DIGIPASS devices and .dpx files compliant with the Multi-Device Licensing model.
When a compliant DIGIPASS device is activated, settings and secrets are written into the device.

4.5.4.1. Master activation applications and activation messages


The Multi-Device Activation process uses the master activation application which contains an individual master
activation key for each DIGIPASS license. Every DIGIPASS license must be linked to a single user account. Two
separate activation messages are used in the activation process; the first activation message (Activation Message 1)
allows activating a DIGIPASS license in the device, the second activation message (Activation Message 2) allows
activating a DIGIPASS instance of a license in the device.

Note
Both activation messages should be delivered to the end user via authentic channels. For instance, Activation
Message 1 should be delivered via a secure letter or e-mail and Activation Message 2 should be delivered via the
online banking application.

Activation Message 1 may be used several times to allow activation of multiple DIGIPASS instances (of one
DIGIPASS license) on multiple DIGIPASS devices, if necessary. The validity period for Activation Message 1 is
configurable in your IDENTIKEY Authentication Server policy. On the other hand, Activation Message 2 can be used for
effective activation for one DIGIPASS instance only.

Note
Each DIGIPASS license will be used several times for activation of several DIGIPASS instances (in several DIGIPASS
devices) for one user account; however, only one license will be consumed for the activation of the different
DIGIPASS instances for one user account.

4.5.4.2. DIGIPASS instance sequence number


With each activation of a new DIGIPASS instance, IDENTIKEY Authentication Server will generate new DIGIPASS
applications. A sequence number will be incremented for each new DIGIPASS instance issued from the same
license. The number of instances which can be issued from a license will be limited to a pre-defined threshold
between 1 and 99 (configured by OneSpan at the time of order). The different DIGIPASS instances of one user
share the base serial number (the serial number of the DIGIPASS license), but will be appended with a unique
sequence number for the DIGIPASS instance. The keys of the DIGIPASS instance applications will be different for
each instance.
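A constructed Python model (added here, not OneSpan's implementation) of the licensing and activation rules in 4.5.3 through 4.5.4.2: one license linked to one user account, an instance threshold of 1 to 99 and 1 to 8 applications per instance fixed at order time, a reusable Activation Message 1 with a validity period, a single-use Activation Message 2, a sequence number appended to the base serial number, and distinct keys per instance. The serial-number layout, the message fields and the HMAC-based key derivation are assumptions; only the rules come from the text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_INSTANCES = 99      # highest instance threshold OneSpan can configure per license
MAX_APPLICATIONS = 8    # authentication / e-signature applications per instance


class ActivationError(Exception):
    """Raised when one of the activation rules described in the text is violated."""


@dataclass
class License:
    """One DIGIPASS license: one serial number, one master activation key, one user account."""
    base_serial: str
    threshold: int                      # 1..99, fixed by OneSpan at order time
    applications: int                   # 1..8 applications per instance
    master_activation_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    user_id: Optional[str] = None       # the single user account the license is linked to
    next_sequence: int = 1              # sequence number of the next instance to activate

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= MAX_INSTANCES:
            raise ValueError("instance threshold must be between 1 and 99")
        if not 1 <= self.applications <= MAX_APPLICATIONS:
            raise ValueError("an instance carries between 1 and 8 applications")


@dataclass
class ActivationMessage1:
    """Activates the license in a device; reusable until its validity period ends."""
    base_serial: str
    expires_at: int                     # seconds since epoch (policy-configurable validity)


@dataclass
class ActivationMessage2:
    """Activates exactly one instance; single use."""
    base_serial: str
    token: str
    consumed: bool = False


@dataclass
class Instance:
    serial: str                         # base serial + sequence number (layout assumed here)
    sequence: int
    application_keys: List[bytes]       # differ for every instance


class ActivationServer:
    def __init__(self, am1_validity_seconds: int) -> None:
        self.am1_validity = am1_validity_seconds
        self.licenses: Dict[str, License] = {}
        self.instances: Dict[str, Instance] = {}

    def link_license(self, lic: License, user_id: str) -> None:
        """Every license must be linked to a single user account."""
        if lic.user_id is not None:
            raise ActivationError(f"{lic.base_serial} is already linked to {lic.user_id}")
        lic.user_id = user_id
        self.licenses[lic.base_serial] = lic

    def issue_message_1(self, base_serial: str, now: int) -> ActivationMessage1:
        return ActivationMessage1(base_serial, now + self.am1_validity)

    def issue_message_2(self, base_serial: str) -> ActivationMessage2:
        return ActivationMessage2(base_serial, secrets.token_hex(16))

    def activate(self, am1: ActivationMessage1, am2: ActivationMessage2, now: int) -> Instance:
        """Two-step activation: a still-valid AM1 plus an unused AM2 yields one new instance."""
        if am1.base_serial != am2.base_serial:
            raise ActivationError("activation messages belong to different licenses")
        lic = self.licenses[am1.base_serial]
        if now > am1.expires_at:
            raise ActivationError("Activation Message 1 has expired")
        if am2.consumed:
            raise ActivationError("Activation Message 2 has already been used")
        if lic.next_sequence > lic.threshold:
            raise ActivationError("instance threshold for this license reached")
        seq = lic.next_sequence
        keys = [self._derive_key(lic, seq, app) for app in range(1, lic.applications + 1)]
        inst = Instance(f"{lic.base_serial}-{seq:02d}", seq, keys)
        self.instances[inst.serial] = inst
        am2.consumed = True             # AM2 is consumed by this one activation
        lic.next_sequence += 1          # the license itself is consumed only once, not per instance
        return inst

    @staticmethod
    def _derive_key(lic: License, seq: int, app: int) -> bytes:
        # Illustrative HMAC-SHA256 derivation from the master activation key so that every
        # instance and application gets a different key; not OneSpan's actual scheme.
        label = f"{lic.base_serial}:{seq}:{app}".encode()
        return hmac.new(lic.master_activation_key, label, hashlib.sha256).digest()
```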

4.5.5. Secure Channel Feature

Secure Channel is an optional feature applicable to DIGIPASS devices compliant with the Multi-Device Activation
process (in the context of Multi-Device Licensing). The optional use of the secure channel feature after activation
of a DIGIPASS instance allows protecting the messages that are exchanged between the server- and the client-side.

Note
The secure channel will be usable only if the Secure Channel feature has been ordered from and configured by
OneSpan at the time of order.

The Secure Channel feature applies a new protocol that uses payload keys to protect the confidentiality and
authenticity of the message's payload. A single master payload key is shared among all DIGIPASS instances linked
to a certain DIGIPASS license, enabling the end user to transparently use multiple DIGIPASS devices to answer the
transaction request message.

The Secure Channel feature requires the mandatory provisioning of a payload key represented on the server-side
by a payload key BLOB. In this case, first a payload key will have to be generated once for each DIGIPASS license.
The different DIGIPASS instances activated from one DIGIPASS license must share the same payload key. After the
activation, the payload key will protect the request and deactivation messages for exchange between the server
and the client devices that have been activated using a particular DIGIPASS license (for a particular user account).

The parameters used to generate the request body for Secure Channel messages can be configured via the Secure
Channel tab in the policy properties page of the Administration Web Interface.

If the Secure Channel feature has not been ordered, IDENTIKEY Authentication Server will not generate and
provision any payload key.

4.5.5.1. Secure Channel-Based Authentication Process


For authentication transactions via the Secure Channel feature, IDENTIKEY Authentication Server generates a
request message, based on the transaction details provided via the client application or a custom request body,
and delivers it to the client application. The request message is generated by IDENTIKEY Authentication Server
upon the Get Secure Challenge and Get Signing Request commands, and is bound to the
DIGIPASS authenticator selected for the relevant transaction. The client application then generates either a QR
code or a color QR code, which represents this request message, and delivers it to the end user, who scans this
image, using a DIGIPASS authenticator that is compliant with the Secure Channel feature. The
DIGIPASS authenticator generates a response for this request message which the end user enters into the client
application; IDENTIKEY Authentication Server validates this response and returns the result to the client application
which completes the signature authentication process.

4.5.6. Push Notification via the DIGIPASS App

IDENTIKEY Authentication Server supports authentications via Push Notification - this authentication method uses a
push mode to enable the DIGIPASS App on a mobile device to authenticate the user. For detailed information on
the DIGIPASS App, refer to the DIGIPASS App and DIGIPASS for Mobile product documents; for detailed information
on the Push Notification feature and required components, refer to the Push Notification Getting Started Guide,
which is part of the IDENTIKEY Authentication Server documentation suite. For detailed information how to activate
the DIGIPASS App and the required steps to upgrade the DIGIPASS App to enable Push Notification, refer to the
OneSpan User Websites Administrator Guide.

Online Activation of the DIGIPASS App


After downloading the DIGIPASS App from the relevant market place of the mobile device, the user must
activate the DIGIPASS App via the OneSpan User Websites. To do so, users must enter their user name and
password in the Self-Registration, Auto-Assignment, and Online Activation for DIGIPASS App page. If back-end
authentication is successful, a color QR code containing the required activation data is displayed on the
Self-Registration, Auto-Assignment, and Online Activation for DIGIPASS App page. To complete the activation
process, the user needs to scan the color QR code using their DIGIPASS App.

Upgrading to Push Notification


DIGIPASS App versions prior to 2.1 must be upgraded to support push-notification-based authentications; the
same applies to DIGIPASS App 2.1 if Push Notification has not been configured during the activation process.

To upgrade to Push Notification, users must enter their user name, password, and the DIGIPASS serial number
in the Upgrading to Push Notification page. If back-end authentication is successful, a color QR code con-
taining the required upgrade data is displayed on the page. To complete the upgrade process, the user needs
to scan the color QR code using their DIGIPASS App.

5. IDENTIKEY Appliance Administration Web Interface: User Dashboard

The User Dashboard of the IDENTIKEY Authentication Server Administration Web Interface allows you to easily
manage, monitor, and troubleshoot DIGIPASS user accounts, with the Dashboard tab providing an overview of the most
important user settings in one place. The information shown in this tab includes general user settings, a list of
recent users and DIGIPASS activities, used clients, and assigned DIGIPASS authenticator for a selected user. To edit
these settings or view full details, switch to the corresponding tabs in the Administration Web Interface. For more
information, refer to 5.1. Working with the User Dashboard.

In addition, the User Dashboard facilitates user-specific report creation and provides easy access to audit
messages for a single user or DIGIPASS activity record. For more information, refer to 5.1.7. Generating Reports via
the Dashboard Tab, 5.3. Generating Reports via the Reports Tab, and 5.2. View Audit Message Page.

5.1. Working with the User Dashboard

The Dashboard tab of the User Properties page in the Administration Web Interface provides an overview of the
most important settings for the selected user such as user information, assigned DIGIPASS, used clients, and
recent activity.

5.1.1. Account Overview

This section lists information about the user account:

• Last authentication
• Account status
• Expires
• Static password
• Administration privileges

To view all user account settings or to change settings, switch to the User Account tab of the User Properties page.

5.1.2. Policy Overrides

This section lists the policy override settings for the user:

• Local authentication
• Back-end authentication
• Offline authentication
• Max Days Between Authentications
• Virtual DIGIPASS
• Virtual signature

To change the policy override settings, switch to the Policy Overrides tab of the User Properties page.

5.1.3. User Info

This section contains general user information:

• User name
• Phone
• Mobile
• Email address
• Description

To view all user info settings or to change settings, switch to the User Account tab of the User Properties page.

5.1.4. Assigned DIGIPASS

This section contains information about the five most recently used DIGIPASS authenticators assigned to the selected
user, and includes the following:

• Serial number
• DIGIPASS type
• Status
• Active applications
• Virtual Mobile Authenticator (VDP)

For a complete list of assigned DIGIPASS, switch to the Assigned DIGIPASS tab of the User Properties page.

5.1.5. Recent Activity

This section shows the most recent activity records for the user.

To view all recent activity records, switch to the Recent Activity tab of the User Properties page.

5.1.6. Used Clients

This section lists the five most recently used client components for the selected user, and includes the following:

Table 1: Dashboard Used Clients - Displayed Fields

Field         Contents
Time          The time at which the last activity for the relevant used client was recorded.
Client Type   States which type the used client is. Click the client identifier to go to the Client Properties
              page for this client.
Policy ID     The policy related to the used client. Click the policy ID to go to the Policy Properties page
              for this policy.

To view all recently used clients, switch to the Recent Activity tab of the User Properties page.

5.1.7. Generating Reports via the Dashboard Tab

The QUICK REPORT button in the User Dashboard of the selected user allows an administrator to quickly generate
a user-specific report. By default, IDENTIKEY Authentication Server generates a Detailed Activity Summary report.

Once IDENTIKEY Authentication Server has successfully generated the report, the Administration Web Interface
takes you to the Summary page of the Run Report wizard. Here you can open the generated report, or you can
generate a new report with changed settings. To change the settings, navigate to the corresponding tab in the wizard.

For more information about generating user-specific reports via the Reports tab in the User Properties page, refer
to 5.3. Generating Reports via the Reports Tab.

5.1.8. Inspecting Recent User and DIGIPASS Activity

Depending on the global configuration settings and your administrative privileges, you can use the User Dashboard
to view information about recent user and DIGIPASS activities, including authentication, signature, provisioning,
and administration actions.

The list of recent activities contains detailed information for each record, such as a description of the action, the
category it belongs to, the time it was audited, used client and DIGIPASS (in case of recent user activity), and the
associated policy. Each record has an icon which indicates whether the action was successful, and provides
additional troubleshooting information in case of failure.

To be able to view the list of recent user activities, you need the View Recent User Activity administrative privilege.
For the list of recent DIGIPASS activities, you need the View Recent DIGIPASS Activity administrative privilege.

Procedure 5: Inspecting recent user activity

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY
Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Do either of the following:
   • To view a summary of the most recent user activities, switch to the USERS > Dashboard tab.
   • To view the complete list of recent user activities, switch to the USERS > Recent Activity tab.

   You can click on the DIGIPASS, client, or policy ID entry of each record to view the respective
   DIGIPASS Properties, Client Properties, or Policy Properties page. If you have the View Audit
   Information administrative privilege, you can also click on the audit message code to view
   the respective View Audit Message page (see 5.2. View Audit Message Page).

Procedure 6: Inspecting recent DIGIPASS activity

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY
Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Switch to the DIGIPASS > Recent Activity tab.

   You can click on the client or policy ID entry of each record to view the respective Client Properties or Policy
   Properties page. If you have the View Audit Information administrative privilege, you can also click on the
   audit message code to view the respective View Audit Message page (see 5.2. View Audit Message Page).

For a list of DIGIPASS operations and IDENTIKEY Authentication Server events included in recent user and DIGIPASS
activities, refer to the IDENTIKEY Authentication Server Product Guide, Section "Recent User Activities" and "Recent
DIGIPASS Activities".

For more information about configuring the User Dashboard, see 5.4. Configuring the User Dashboard.

5.2. View Audit Message Page

The View Audit Message page displays the details of a single audit message for the user or DIGIPASS recent activity
on a single page and provides access to all relevant audit message fields. To view this page, the administrator
must have the View Audit Information administration privilege; if this applies, they can access the View Audit
Message page by selecting the relevant audit message code displayed in the Recent Activity page.

The number of displayed audit records for recent user or DIGIPASS activity can be restricted by time and number.
This means that audit records older than a certain time threshold are excluded from the result, and that no more
than a configured total number of records is returned. The number of records displayed is limited at application
level and can be configured via the Administration Web Interface configuration file, in the global server
configuration. This means that the configured limits apply to all IDENTIKEY Authentication Server instances within
a replicated environment.

When an administrator accesses audit records through the recent activity commands, this administration action is
recorded; all enabled auditing methods are used for this.

5.3. Generating Reports via the Reports Tab

The Reports tab of the User Properties page provides a list of reports that can be run via this tab. That list is a
subset of the global list of reports in IDENTIKEY Authentication Server, where the currently viewed user is
automatically preselected in the run-time query definition. For a complete list of reports that are by default
available in this tab, refer to the IDENTIKEY Appliance Administrator Reference, Section "Reporting".

This subset can be retrieved from the global report set by filtering the reports according to different sets of
definition criteria (see Table 2: Report Definition Criteria).

Table 2: Report Definition Criteria


Group Level Possible Report Type Data Source
User
DIGIPASS • List Analysis
• Detailed Analysis
• Distribution Analysis
Organizational Unit Users + audit
Organizational Unit • List Analysis DIGIPASS + audit

Using these criteria to create a customized report allows you to also include this report in the results list.

5.3.1. Running a Report

IDENTIKEY Authentication Server Administration Web Interface offers the following options in the Reports tab for
running selected reports:

• RUN. Starts the Run Report wizard for the selected report and takes you to step 2 of the wizard, Report
  Settings. The default values are pre-filled and the custom query for the currently viewed user is added. By
  default, the time zone of the Administration Web Interface client is used and the reporting period is six
  months. The default reporting period can be configured in the webadmin.properties file.
• RUN WITH DEFAULTS. Generates the selected report immediately for the currently viewed user with the
  default values applied.

5.4. Configuring the User Dashboard

You can configure the User Dashboard by restricting the available views and returned data result sets.

Restricting the available view means that certain tabs of the User Dashboard can be hidden using administrative
privileges. Different help desk administrators may have different privileges, allowing them to view only recent
user activity, only recent DIGIPASS activity, or both.

The number of recent user and DIGIPASS activity records displayed can be restricted by time and number. This
means that activity records older than a certain time threshold are excluded from the result, and no more than the
configured maximum number of records is returned.

Procedure 7: Configuring the recent activity settings

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Switch to SERVERS > Global Configuration tab.
3. Configure the recent activity settings via the Auditing tab.

6. System Administrator Accounts


A new administrator account is created after running the IDENTIKEY Authentication Server Setup Wizard (see
IDENTIKEY Appliance Installation and Maintenance Guide).

6.1. Disabling the Default sysadmin User Account

OneSpan recommends disabling the built-in sysadmin account after the new administrator account has been
created. The new administrator account can then be used to log in to the IDENTIKEY Appliance Configuration Tool
and Administration Web Interface.

Procedure 8: Disabling the default sysadmin user account

1. Log on to the Configuration Tool with the new system administrator user account (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Navigate to Settings > Authentication.

3. To disable the sysadmin user account, clear Enabled.

Select Enabled again to enable the sysadmin user account. When enabling the sysadmin user
account you will be prompted to type and confirm a new password.

Image 10: Disabling the User Account sysadmin

6.2. Creating Additional Administrator Accounts

Further administrator accounts may be required. Typically, administrator accounts are created in the master
domain; the administrative privileges of such accounts apply throughout all domains, provided the accounts also
have domain access configured in their administrative privileges for all relevant domains. It is also possible to
create an administrator account for a specific domain only. The administrative privileges of such accounts apply
only to the domain in which they are created.

Procedure 9: Creating an administrator account

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Navigate to Users > Create.

3. Type a user ID for the administrator.

4. Type the name of the master domain.

5. Type a static password twice to prevent typing errors.

6. Click Create.

7. Select Click here to manage.

8. Switch to the Admin Privileges page.

9. Click Edit.

10. Assign the necessary user and DIGIPASS administrative privileges by selecting the respective privilege
name.

To access the Configuration Tool, assign the Appliance Administration privilege. Note that this is the only
privilege required to access the Configuration Tool; all other privileges are used to configure access to
IDENTIKEY Authentication Server.

11. Click Save.

Image 11: Creating User Account (1) – Completing User Details

Image 12: Creating User Account (2) – Editing Administration Privileges

7. Typical DIGIPASS Authentication Module Setup


In this section, we explain how to configure a typical DIGIPASS Authentication Module (DAM) setup. The following
DAMs are supported:

• Citrix Web Interface (DIGIPASS Authentication for Citrix Web Interface)
• Outlook Web Access (DIGIPASS Authentication for OWA Basic and DIGIPASS Authentication for OWA Forms)
• IIS Module (DIGIPASS Authentication for IIS Basic)
• Windows Remote Desktop Web (DIGIPASS Authentication for Remote Desktop Web Access)
• SBR Plug-In (DIGIPASS Authentication for Steel-Belted RADIUS Server)
• Citrix Storefront (DIGIPASS Authentication for Citrix StoreFront)
• Microsoft ADFS (DIGIPASS Authentication for Microsoft ADFS)
• Epic Hyperspace (DIGIPASS Authentication for Epic Hyperspace)

Before installing the DAM with IDENTIKEY Appliance, you must have:

• An instance of IDENTIKEY Appliance, which has already been installed (refer to the IDENTIKEY Appliance
  Installation and Maintenance Guide).
• Module software on the Citrix, OWA, IIS, or SBR server, which is available in the IDENTIKEY Appliance
  delivery package.

Installing a DAM with IDENTIKEY Appliance requires the following steps:

• Acquire a module license
• Create a Client Component in the IDENTIKEY Authentication Server Administration Web Interface
• Install the module on the Citrix, OWA, IIS, or SBR Server.

Note
The IDENTIKEY Appliance Authentication service must be enabled before a DIGIPASS Authentication Module setup
is configured. For more information about enabling the Authentication service / scenario, see Chapter 3.
Manual Settings in the Configuration Tool.

7.1. Create a Client Component

An Administration Program Client Component must be created in IDENTIKEY Authentication Server to allow a
module client to create a Client Component in IDENTIKEY Appliance.

Procedure 10: Creating a Client Component: DIGIPASS Authentication Module

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Navigate to Clients > Register to create a new Client Component.

Image 13: Registering Clients in the IDENTIKEY Authentication Server Administration Web Interface

3. Enter the required data:
   • Client Type: Select Administration Program
   • Location: Enter the IP address of the server where the module is installed.
   • Policy ID: Select the policy you want to use for this client.
   • Protocol ID: Select SOAP.
   • Shared Secret: Enter the shared secret used by the client.

4. Click CREATE.

Image 14: Create a new administration program client in the IDENTIKEY Authentication Server Administration
Web Interface

Tip
This temporary administration program Client Component can be deleted after the IIS module client has created
a Client Component on the IDENTIKEY Authentication Server Administration Web Interface.

7.1.1. Installing a DIGIPASS Authentication Module

For detailed installation instructions for the DIGIPASS Authentication Module, refer to the installation sections of
the relevant DIGIPASS Authentication Module Administrator Guide. The module software and the relevant guides are
provided in the IDENTIKEY Appliance delivery package.

In the Installation Wizard, enter the values in the relevant fields as specified in Table 3: Field Values for Installation,
and upload the client license key for the relevant module.

Table 3: Field Values for Installation

  Field Name                                         Value
  Authentication Server IP Address                   IP address of your instance of IDENTIKEY Appliance.
  Port                                               Retain the default setting.
  Select the option to create the component record   Default settings: the administrator user credentials that were
  Automatically, and enter user credentials for an   provided during processing of the IDENTIKEY Authentication
  administrative user                                Server Setup Wizard.

During installation a valid Client Component is created for module authentication, with a valid policy. Remove the
temporarily created Client Component in the IDENTIKEY Authentication Server Administration Web Interface.

Procedure 11: Deleting the temporarily created Client Component

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Clients > List.
3. Select the check box for Client Component type Administration Program with the SEAL protocol.
4. Click DELETE.

7.1.2. Policies and Settings

During installation a new Client Component is created, for which the policy can be modified.

For more information on the possible policy settings, refer to the section on policies in the IDENTIKEY Appliance
Product Guide.

Warning
Back-end authentication is always needed because of the nature of module setup. Please see the IDENTIKEY
Appliance Product Guide for more information.

8. Typical RADIUS Setup


IDENTIKEY Appliance can be used in a RADIUS environment in a number of ways; in the following sections, the
configuration of a typical RADIUS setup is explained.

Image 15: Stand-Alone IDENTIKEY Appliance in a RADIUS Environment

In the illustrated example, a RADIUS client is configured for DIGIPASS authentication only towards IDENTIKEY Appli-
ance. A RADIUS client can be one of the following:

• Dial-up Network Access Server (NAS)
• Firewall or VPN appliance
• Wireless Access Point
• Any other device which uses the RADIUS protocol for user authentication.

Note
The IDENTIKEY Appliance Authentication service must be enabled before a RADIUS setup is configured. For more
information about enabling the Authentication service/scenario, see 3. Manual Settings in the Configuration
Tool.

8.1. RADIUS Client Configuration

Configure your RADIUS client to send requests to the IDENTIKEY Appliance IP address, using the default RADIUS
port:

• for authentication requests, the default RADIUS port is UDP 1812
• for accounting requests, the default RADIUS port is UDP 1813

Tip
The port can be changed on IDENTIKEY Appliance, if necessary: navigate to IDENTIKEY Authentication Server >
RADIUS Communicator.

Procedure 12: Creating a Client Component: RADIUS client

1. Log in to the IDENTIKEY Authentication Server Administration Web Interface.

2. Navigate to Clients > Register to create a new Client Component.

Image 16: Registering Clients in the IDENTIKEY Authentication Server Administration Web Interface

3. Enter the required data:
   • Client Type: Select RADIUS Client
   • Location: Enter the IP address of this RADIUS client
   • Policy ID: Select the policy you want to use for this client
   • Protocol ID: Select RADIUS
   • Shared Secret: Enter the shared secret used by this client

4. Click CREATE.

Image 17: Create a New RADIUS Client in the IDENTIKEY Authentication Server Administration Web Interface

8.1.1. Optionally Modifying Policies and Settings using the Administration Web Interface

The example illustrated above configures DIGIPASS authentication only in the assigned policy. Other authentication
settings (e.g. local or back-end authentication) and authentication options (e.g. grace period, assignment
methods) can also be configured. For more information on the possible policy settings, refer to the Policies section
of the IDENTIKEY Appliance Product Guide. For a list and explanation of the pre-loaded default policies, refer to the
IDENTIKEY Appliance Administrator Reference.

Different policy options are also explained with examples of practical setups using a RADIUS simulator client in
Section 19. Test Policy Settings.

9. DIGIPASS Authentication for Windows Logon


Setting up DIGIPASS Authentication for Windows Logon requires the following steps:

• Configuring IDENTIKEY Appliance. Authentication attempts from Windows Logon clients are only allowed if
  a Client Component exists on IDENTIKEY Appliance.
• Installing and configuring the DIGIPASS Authentication for Windows Logon software on the Windows
  clients.

It is possible to optionally configure an _SRV record in the network's DNS server, thus providing automatic
detection of the available instances of IDENTIKEY Appliance and fail-over functionality to the Windows Logon
clients in the network (see 18. IDENTIKEY Authentication Server Discovery).

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that to be
GDPR-compliant, DIGIPASS Authentication for Windows Logon requires the Verify server SSL certificate box to be
checked in the DIGIPASS Authentication for Windows Logon Configuration Center.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

For basic information about using DIGIPASS Authentication for Windows Logon with IDENTIKEY Appliance, refer to
the IDENTIKEY Appliance Product Guide. For more information about DIGIPASS Authentication for Windows Logon,
refer to the DIGIPASS Authentication for Windows Logon Guides provided in the IDENTIKEY Appliance delivery
package.

Note
The IDENTIKEY Appliance Authentication service must be enabled before a Windows Logon setup is configured.
For more information about enabling the authentication service/scenario, see 3. Manual Settings in the
Configuration Tool.

9.1. Configuring IDENTIKEY Appliance

9.1.1. Configuring Dynamic Component Registration (DCR)

Note
Dynamic Component Registration (DCR) is only supported for DIGIPASS Authentication for Windows Logon 1.x.

9.1.1.1. Setting Up DNS for Dynamic Component Registration (DCR)


Client components for Windows Logon are created with DNS names in the Location field (refer to the IDENTIKEY
Appliance Product Guide, Section "DIGIPASS Authentication for Windows Logon"). Since authentication attempts
are received from IP addresses, IDENTIKEY Appliance needs to resolve the IP addresses to DNS names to identify
the correct Client Component instances. This IP-to-name information needs to be present in the DNS server
configured in the IDENTIKEY Appliance Configuration Tool, via Settings > Network.

Image 18: Configuration of IP-to-Name Resolving in the IDENTIKEY Appliance Configuration Tool

Tip
The required IP-to-name information is already available if a reverse DNS zone is present in the DNS server of an
Active Directory setup. In such a setup, OneSpan recommends configuring the IP address of the DNS server as the
IDENTIKEY Appliance DNS server. Refer to the relevant Microsoft documentation for more information about
configuring a DNS server and reverse zones.

9.1.1.2. Configuring Windows Group Check for Dynamic Component Registration (DCR)

Procedure 13: Restricting Dynamic Component Registration with Windows Group Check

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Switch to the POLICIES page and select the respective policy, e.g. Windows Logon Online Authentication -
LDAP AD Back-End.

3. Switch to the DCR tab and click Edit.

4. Select Yes to enable Dynamic Component Registration.

5. Select Accept requests for clients listed in groups.

6. Click ADD NEW to add Windows groups; the available Windows groups are listed.

For more information about the particular fields, refer to the IDENTIKEY Appliance Administrator Reference or the
IDENTIKEY Authentication Server Administration Web Interface Online Help. For more information about Windows
Group Check in general, refer to the IDENTIKEY Appliance Product Guide.

9.1.2. Configuring Microsoft Active Directory Back-End Authentication

An LDAP Active Directory back-end authentication record is required by IDENTIKEY Appliance for this setup. For
more information, refer to the IDENTIKEY Appliance Product Guide.

For more information about activating Active Directory back-end authentication and creating back-end server
records, see 11. Back-End Authentication. Adjusting a policy and creating a client component are not required.

Procedure 14: Changing the default Client Component

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select CLIENTS > List.

3. Select DIGIPASS Authentication for Windows Logon and click CHANGE POLICY.

4. From the Policy ID list menu, select either the Windows Logon Online Authentication - LDAP AD Back-End
or Windows Logon Online and Offline Auth - LDAP AD Back-End policy, as required.

5. Click OK.

For more information about offline authentication, refer to the IDENTIKEY Appliance Product Guide.

9.2. Configuring Password Randomization

Windows Logon can be configured to provide password randomization. Password randomization replaces the
static password used to authenticate the Windows client to the Windows domain with a random password,
thereby always forcing the user to use DIGIPASS OTP authentication.

After a successful authentication towards IDENTIKEY Appliance, the static password is changed to a randomized
password in the Microsoft Active Directory infrastructure. Randomized passwords have strict formatting rules, and
only the length of the password can be set. For more information about password randomization, refer to the
IDENTIKEY Appliance Product Guide.

Procedure 15: Enabling randomized passwords for Windows Logon and setting the password length

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Switch to the POLICIES page and select the relevant policy, e.g. Windows Logon Online Authentication -
LDAP AD Back-end.
3. Open the Password Randomization tab.
4. Select Yes from the Enabled list menu.
5. Enter the value for the password length in the Back-End Password Length field.

Image 19: Configuring Password Randomization

Note
If the Password Randomization feature of IDENTIKEY Authentication Server is used, the policy used in
IDENTIKEY Authentication Server must not apply password proxying for the changeBackendPassword SOAP
command because this would lead to a user with a randomized password being able to change their password.

9.3. Exporting the Server Certificate (Optional)

If Windows Logon is configured to verify the server certificate, the certificate must be registered in the
certificate store on the client workstation. This requires the certificate to be exported using the IDENTIKEY
Appliance Configuration Tool and imported to the client workstations.

For information about exporting server certificates using the IDENTIKEY Appliance Configuration Tool, see
13. Secure Sockets Layer (SSL).

The server certificate can be imported in two ways:

• Locally on each client workstation using the Microsoft Management Console (MMC). This is only
  practical for small installations.
• Using a group policy, which is recommended for larger installations.

9.4. Installing and Configuring the Client Software

For information about installing and configuring the client software, refer to the following documents
provided as part of the delivery package of your IDENTIKEY Appliance:

• DIGIPASS Authentication for Windows Logon Product Guide. Explains concepts related to Windows
  Logon.
• DIGIPASS Authentication for Windows Logon Installation Guide. Provides instructions for
  installation.
• DIGIPASS Authentication for Windows Logon User Manual. Provides conceptual information and
  client configuration instructions.
• DIGIPASS Authentication for Windows Logon Getting Started Guide. Provides quick guidelines
  about configuring DIGIPASS Authentication for Windows Logon.

10. LDAP User Synchronization


10.1. Overview

LDAP user synchronization is the process of synchronizing records from an LDAP Server, not the process of
authenticating with an LDAP back-end server.

Replication is the process of replicating data between separate instances of IDENTIKEY Appliance (see 12.
Replication).

LDAP user synchronization can be configured in the Configuration Tool and supports automatic creation and
updating of user accounts on the IDENTIKEY Appliance from records stored on an LDAP server. Other methods of
creating user accounts using the Administration Web Interface include creating user accounts manually, importing
user accounts, and Dynamic User Registration (refer to the section on DIGIPASS user accounts in the IDENTIKEY
Appliance Product Guide for further information).

For information about LDAP back-end authentication, see 11. Back-End Authentication.

LDAP user synchronization is not tied to a single type of LDAP server, but it must be configured specifically for
each type of LDAP server, e.g. for Microsoft Active Directory 2008 or for NetIQ eDirectory. Setting up LDAP
synchronization requires manual configuration of a synchronization profile in the Configuration Tool. Once the
appropriate settings and mappings have been configured, synchronization between the LDAP server and the
IDENTIKEY Appliance is carried out automatically.

Accessing and logging onto the IDENTIKEY Appliance Configuration Tool is explained in 2. Administration
Interfaces for IDENTIKEY Appliance.

In the following sections, we explain:

• How to create a synchronization profile in IDENTIKEY Appliance
• How to configure synchronization for Microsoft Active Directory, with:
  • Example filter settings
  • Example attribute settings, and
  • Instructions on how to find LDAP server attribute names with Active Directory
• How to configure synchronization for NetIQ eDirectory, with:
  • Example filter settings
  • Example attribute settings, and
  • Instructions on how to find LDAP server attribute names with NetIQ eDirectory
• How to configure synchronization for other LDAP servers.

For more information about the concepts of LDAP synchronization, refer to the IDENTIKEY Appliance Product
Guide, Section "LDAP Synchronization".

Note
1. User account settings are called Source Attributes in the LDAP server and destination properties in the
   IDENTIKEY Appliance.
2. Authentication with LDAP server credentials for user accounts which have been synchronized requires a
   back-end server record to be configured. Back-end passwords are not usually synchronized due to LDAP
   server security restrictions. For further information, refer to the LDAP Synchronization section in the
   IDENTIKEY Appliance Product Guide. For more information about configuring a back-end server record,
   see 11. Back-End Authentication.

Tip
For more information about specific issues which may arise with LDAP user synchronization, see 24.7. LDAP User
Synchronization Issues.

10.2. LDAP Synchronization Profiles

LDAP user synchronization and the synchronization profiles are set up in the Configuration Tool. For more
information about synchronization profiles, refer to the IDENTIKEY Appliance Product Guide.

Procedure 16: Creating an LDAP synchronization profile

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > LDAP User Synchronization.

Image 20: Creating LDAP Synchronization Profiles in the Configuration Tool

3. Click Add to open a screen for configuring an LDAP synchronization profile:

Image 21: Configuring the LDAP Synchronization Profile


4. Configure the fields (example settings are also shown in the image below). There are four types of
   settings:
   • Server settings provide details of the source LDAP server.
   • User management, search base, and filter settings define the location, depth, and accounts to be
     synchronized from the source directory.
   • Attribute mapping synchronizes specific properties in IDENTIKEY Appliance to values from LDAP
     source parameters. Destination properties can be defined as a constant or the value of a
     specified source parameter. If nothing is specified, a default value is used.
   • Hierarchy mappings (Create missing OU's, Mirror OU structure, Include LDAP Children, and Return
     DIGIPASS to Parent OU on Move/Delete) define whether the destination structure mirrors the
     source structure and whether existing accounts should be updated (see Example below).
5. Click Save to finish.

For more information on the concepts of LDAP user synchronization in general, refer to the section on LDAP user
synchronization in the IDENTIKEY Appliance Product Guide; for more information on the LDAP user synchronization
settings, refer to the Configuration Tool: Field Listings section in the IDENTIKEY Appliance Administrator Reference.

Example
These examples match Profiles 1 and 3 in the IDENTIKEY Appliance Product Guide, Managing Source and
Destination Hierarchies section.

Example Profile 1: The LDAP source hierarchy has users in organizational units below the search base domain.
The Mirror OU Structure and Create Missing OU's options are not selected, although the option to synchronize all
user accounts at and below the search base is configured. Users are all synchronized to the single (flat name)
destination address in the IDENTIKEY Appliance hierarchy. No sub-organizational units are created.

Example Profile 3: The LDAP source hierarchy has users in organizational units below the search base domain.
The Mirror OU Structure and Create Missing OU's options to synchronize all user accounts at and below the
search base are selected. The structure of the LDAP server is replicated in IDENTIKEY Appliance.

Tip
The Enable box must be checked for the synchronization profile to become operational.

Note
1. At least one attribute must always be mapped to the IDENTIKEY Appliance user ID property.
2. Some IDENTIKEY Appliance user properties cannot be retrieved from an LDAP server, e.g. local
   authentication, back-end authentication, and password. These properties can only be synchronized to a
   constant value. The Type constant needs to be selected for the attribute mapping entry and the value
   inserted in the Source/Attribute Value column. If the values are omitted, default values are used. For
   possible and default values of these properties, refer to the IDENTIKEY Appliance Administrator Reference,
   User Properties section.
3. Only one mapping can be configured for each IDENTIKEY Appliance user property.

10.3. Microsoft Active Directory Synchronization

For Microsoft Active Directory (tested with versions 2003 and 2008), the filter entries in the table (and image)
below retrieve all users from the search base, without retrieving other objects such as groups, contacts, or
computers.

Table 4: Microsoft Active Directory 2003/2008 Filter Settings

  Microsoft Active Directory 2003/2008 Attribute   Value
  sAMAccountName                                   *
  givenName                                        *
  objectClass                                      person

Example mappings of commonly used Microsoft Active Directory 2003/2008 attributes to their IDENTIKEY Appliance
properties are shown in Image 22: Example Filter and Attribute Mappings for Microsoft Active Directory 2003/2008:

Image 22: Example Filter and Attribute Mappings for Microsoft Active Directory 2003/2008
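
Added example, not from the guide: a small Python check that applies the three Table 4 filter entries (assumed to
be combined with AND, as a single LDAP search filter would be) to constructed sample objects modelled on Active
Directory, and shows what each entry excludes. The objectClass values of the contact and computer objects follow
the Active Directory class hierarchy (both derive from person); all names and DNs are invented.

```python
"""Apply the Table 4 filter entries to constructed directory objects and show
why all three entries are needed to return user accounts only."""

# Table 4 filter entries. Assumption: the Configuration Tool combines the
# entries with AND, i.e. an object must satisfy every row to be synchronized.
TABLE_4_FILTER = [
    ("sAMAccountName", "*"),
    ("givenName", "*"),
    ("objectClass", "person"),
]

# Constructed sample objects modelled on Active Directory (invented values).
# Note that a contact and a computer both carry objectClass person.
SAMPLE_OBJECTS = [
    {"dn": "CN=Alice Adams,OU=Staff,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["aadams"], "givenName": ["Alice"]},
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com",   # user without givenName
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["svc-backup"]},
    {"dn": "CN=Sales,OU=Groups,DC=example,DC=com",         # group, not a person
     "objectClass": ["top", "group"], "sAMAccountName": ["Sales"]},
    {"dn": "CN=Carol Cole,OU=Contacts,DC=example,DC=com",  # no sAMAccountName
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "givenName": ["Carol"]},
    {"dn": "CN=WS01,OU=Workstations,DC=example,DC=com",    # no givenName
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["WS01$"]},
]


def to_ldap_filter(entries):
    """Render the filter rows as the equivalent RFC 4515 search filter string."""
    terms = "".join(f"({attr}={value})" for attr, value in entries)
    return f"(&{terms})" if len(entries) > 1 else terms


def _values(obj, attr):
    """Attribute lookup that is case-insensitive in the attribute name."""
    for key, vals in obj.items():
        if key.lower() == attr.lower():
            return vals
    return []


def matches(obj, entries):
    """True if the object satisfies every (attribute, value) row: '*' is a
    presence test, any other value a case-insensitive equality test against
    any of the attribute's values (LDAP attributes are multi-valued)."""
    for attr, value in entries:
        vals = _values(obj, attr)
        if not vals:
            return False
        if value != "*" and value.lower() not in (v.lower() for v in vals):
            return False
    return True


def select(objects, entries):
    """DNs of the objects the filter would return, in directory order."""
    return [obj["dn"] for obj in objects if matches(obj, entries)]


def without(entries, attr):
    """The same filter with one row removed, to show what that row excludes."""
    return [(a, v) for a, v in entries if a.lower() != attr.lower()]


if __name__ == "__main__":
    print("Filter:", to_ldap_filter(TABLE_4_FILTER))
    for dn in select(SAMPLE_OBJECTS, TABLE_4_FILTER):
        print("  synchronized:", dn)
    baseline = set(select(SAMPLE_OBJECTS, TABLE_4_FILTER))
    for attr in ("givenName", "sAMAccountName"):
        extra = set(select(SAMPLE_OBJECTS, without(TABLE_4_FILTER, attr))) - baseline
        print(f"Dropping ({attr}=*) would also return: {sorted(extra)}")
```

The svc-backup object illustrates the caveat behind the givenName=* row: any user account without a first name
(service accounts are a common case) is excluded from synchronization by this filter.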

10.3.1. Finding Attribute Names

The previous examples can also be adapted to your organization's needs, for example if a more refined filter is
required or if other LDAP server attribute values need to be synchronized to a certain IDENTIKEY Appliance user
property.

To add filter or mapping entries, you need to know the attribute name in Active Directory.

Note
The method for finding Attribute names explained here may not apply to your particular version of Active
Directory. If this is the case, refer to the Help files or product documentation for your Active Directory (see also
section 10.5. Other LDAP Server Synchronizations).

Procedure 17: Viewing user account attributes on your Microsoft Active Directory

1. Log on to Microsoft Active Directory.
2. Run the adsiedit.msc program.
3. Navigate to a source user account.
4. Right-click on the user account in the left window and select Properties.

Image 23: Properties of an Example Object in Microsoft Active Directory

For an alternative method of finding LDAP server attribute names, see 10.5. Other LDAP Server Synchronizations.

10.4. NetIQ eDirectory Synchronization

10.4.1. Example Filtering and Mapping

For NetIQ eDirectory (tested with version 8.8 SP2), the filter entry in the table (and image) below retrieves all users
from the search base.

Table 5: NetIQ eDirectory Filter Settings

  NetIQ eDirectory Attribute   Value
  objectClass                  person

Example mappings of commonly used NetIQ eDirectory attributes to their IDENTIKEY Appliance properties are
shown in the image below.

Image 24: Example Filter and Attribute Mappings for NetIQ eDirectory

10.4.2. Finding Attribute Names

The previous examples can also be adapted to your organization's needs, for example if a more refined filter is
required or if other LDAP server attribute values need to be synchronized to a certain IDENTIKEY Appliance user
property.

To add filter or mapping entries, you need to know the attribute name in NetIQ eDirectory which can be found in
the NetIQ eDirectory product documentation.

10.5. Other LDAP Server Synchronizations

To create a synchronization profile for your LDAP server, you will need to know the names of the LDAP attributes
used to identify users. Two methods for finding attribute names are:

n Viewing the attribute list for a specific user account using an LDAP search tool (e.g. ldapsearch from
OpenLDAP.org) or an LDAP browser. This method has the disadvantage that some attributes may not be
listed for the specific user account viewed, if they are not mandatory for all user accounts.
n Viewing the LDAP schema from the LDAP server. This may be available in the LDAP server documentation
or can be retrieved as explained in the example below.

Example
Retrieving an LDAP schema with a command line LDAP search tool

1. Retrieve the location of the schema object in the LDAP server. For this LDAP request, the search base
should be the root DN of your LDAP server, the scope should be set to base, and the requested attribute
should be the word subschemaSubentry, e.g. using ldapsearch:
ldapsearch -H ldap://ldapserver -b dc=example,dc=com -s base subschemaSubentry

2. Send an LDAP request with the resulting value for subschemaSubentry acquired in Step 1 as search
base, the scope again set to base, and the requested attribute set to objectClasses, e.g. using ldapsearch:
ldapsearch -H ldap://ldapserver -b cn=Subschema -s base objectClasses

3. In the LDAP schema, look for the attributes of the relevant object class, which is likely to be person,
organizationalPerson, inetOrgPerson, or user.
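Step 3 asks you to read the attributes of an object class out of the schema by hand. As an added example (not code from the OneSpan guide), the following Python script parses objectClasses values in the LDIF form that step 2 returns and resolves the MUST and MAY attributes of a class, including those inherited through SUP; the subschema content is a constructed, abridged sample built from the standard class names listed above.

```python
"""Resolve the attributes of an LDAP object class from a subschema entry.

Added example, not code from the IDENTIKEY Appliance guide. It parses the
objectClasses values returned by the ldapsearch step above (RFC 4512
syntax) and walks the SUP chain, so that inetOrgPerson also reports the
attributes it inherits from organizationalPerson, person and top. Any of
these names can then be used in a synchronization filter or mapping.
"""
import re

# Constructed sample: an abridged subschema entry in the LDIF form that
# ldapsearch prints (long values are folded onto lines starting with a space).
SAMPLE_LDIF = """\
dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
  MAY ( title $ x121Address $ ou $ st $ l ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson
  STRUCTURAL MAY ( mail $ uid $ givenName $ displayName $ employeeNumber ) )
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their record line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _names_after(body, keyword, sep):
    """Return the names that follow KEYWORD in a schema definition.

    RFC 4512 allows either a single name (MUST objectClass) or a
    parenthesised list (MUST ( sn $ cn )); NAME lists are space separated,
    MUST/MAY/SUP lists use '$'. Quotes around names are stripped.
    """
    match = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, body)
    if not match:
        return []
    inner = match.group(1) if match.group(1) is not None else match.group(2)
    return [n.strip().strip("'") for n in inner.split(sep) if n.strip()]


def parse_object_classes(ldif_text):
    """Map each object class name to its SUP, MUST and MAY attribute lists."""
    classes = {}
    for line in unfold_ldif(ldif_text):
        if not line.startswith("objectClasses:"):
            continue
        body = line.split(":", 1)[1].strip()
        names = _names_after(body, "NAME", None)  # None = split on whitespace
        if not names:
            continue
        classes[names[0]] = {
            "sup": _names_after(body, "SUP", "$"),
            "must": _names_after(body, "MUST", "$"),
            "may": _names_after(body, "MAY", "$"),
        }
    return classes


def resolve_attributes(classes, name):
    """Return (must, may) for NAME, including everything inherited via SUP."""
    must, may, seen = [], [], set()

    def walk(cls):
        if cls in seen or cls not in classes:
            return  # unknown class or a cycle in SUP: stop here
        seen.add(cls)
        for sup in classes[cls]["sup"]:
            walk(sup)  # superclasses first, so inherited attributes come first
        for attr in classes[cls]["must"]:
            if attr not in must:
                must.append(attr)
        for attr in classes[cls]["may"]:
            if attr not in may:
                may.append(attr)

    walk(name)
    return must, may


if __name__ == "__main__":
    schema = parse_object_classes(SAMPLE_LDIF)
    for cls in ("person", "organizationalPerson", "inetOrgPerson"):
        must, may = resolve_attributes(schema, cls)
        print(f"{cls}:\n  MUST {must}\n  MAY  {may}")
```

To use it against a real server, replace SAMPLE_LDIF with the output of the second ldapsearch command above; attributes that an account lacks in practice may still be listed here because the schema shows what is allowed, not what is populated.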


11. Back-End Authentication


Back-end authentication is a term used to describe the process of checking user credentials with another system.
In this section, we explain standard back-end authentication setups with:

n RADIUS
n NetIQ eDirectory
n Microsoft Active Directory
n IBM Security Directory Server

Note
SSL is available for Active Directory and IBM Security Directory Server back-end authentication.

Image 25: IDENTIKEY Appliance as Intermediate Server for OTP only

Procedure 18: Configuring back-end authentication

1. Enable back-end authentication in the IDENTIKEY Appliance Configuration Tool.
2. Create a back-end record in the IDENTIKEY Authentication Server Administration Web Interface.
3. Edit a policy for back-end authentication in the IDENTIKEY Authentication Server Administration Web Interface.
4. Create a client component and assign the policy to it in the IDENTIKEY Authentication Server Administration
Web Interface.


For more information about back-end authentication, refer to the IDENTIKEY Appliance Product Guide, Section
Back-End Authentication.

11.1. RADIUS Back-End Authentication

Procedure 19: Enabling RADIUS back-end authentication

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Authentication Back-Ends.

Image 26: Authentication Back-Ends

3. Select Enabled for the RADIUS back end.
4. Click SAVE.

Procedure 20: Adding a RADIUS back-end server record

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Open the Back-End tab and select Register RADIUS Back-End.
3. Complete the necessary fields, and note the following points for the relevant fields:
n 1812 is the default Authentication Port, but you need to use the port that was selected for your
installation.


n Entries in the Accounting IP Address and Accounting Port fields are only necessary when accounting
is required.
n 1813 is the default Accounting Port, but you need to use the port that was selected for your
installation.
n Enter the IP address of the back-end RADIUS server in the Authentication IP Address and Accounting
IP Address fields.
n Enter the shared secret used by the back-end RADIUS server in the Shared Secret and Confirm
Shared Secret fields.
n Entering a value in the Timeout (seconds) field is mandatory.
n In the Retries field, enter the number of retries before abandoning attempts to send an
authentication request to the RADIUS server.
n Enter the encoding/locale format required by the RADIUS server in the Character Encoding field.
n Specify whether to include the realm in the userName RADIUS attribute of an authentication
request.
n Specify the realm to be included in the userName RADIUS attribute of an authentication request
in the Custom Realm field.

4. Click CREATE to finish.

Procedure 21: Adjusting authentication policy settings

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Policies > List - here, all available policies are listed.
3. Select the policy to be used and click Edit.
4. For local authentication, select Digipass only (local authentication is always used with a
DIGIPASS authenticator).
5. For back-end authentication, select Always (back-end authentication is always used).


6. For Back-End Protocol select RADIUS.
7. Click SAVE to finish.

Image 27: Editing RADIUS Back-End Policy

The example illustrated above configures DIGIPASS only authentication with RADIUS back-end authentication in the
assigned policy. Other authentication settings and authentication options (e.g. grace period, assignment methods)
can also be configured.

For more information on the possible policy settings, refer to the Policies section of the IDENTIKEY Appliance
Product Guide, which is also available via the Help button in the Configuration Tool. For a list and explanation of
the pre-loaded default policies, refer to the IDENTIKEY Appliance Administrator Reference.

Different policy options are also explained with examples of practical setups using a RADIUS simulator client in
Section 19. Test Policy Settings.

Procedure 22: Creating a client record and assign the policy

1. To create a client record in the IDENTIKEY Authentication Server Administration Web Interface, follow the
instructions provided in 4.1. Client Component Records.
2. Assign the policy for which you have adjusted the back-end authentication settings (as instructed above)
in the Policy ID field.


11.2. NetIQ eDirectory Back-End Authentication

Procedure 23: Enabling NetIQ eDirectory back-end authentication

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
Navigate to Authentication Server > Authentication Back-Ends (see Image 26: Authentication Back-Ends).
2. Select Enabled for the NetIQ eDirectory back end.
3. Click SAVE.

Procedure 24: Adding a NetIQ eDirectory back-end server record

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Open the Back-End tab and select Register eDirectory Back-End.
3. Complete the necessary fields, and note that the Timeout field is mandatory.
4. Click CREATE to finish.

Warning
Within NetIQ eDirectory, different password verification mechanisms exist for different services requested.
IDENTIKEY Appliance uses SASL Digest-MD5 LDAP authentication, which is only supported using the simple
password mechanism. Successful authentication with eDirectory therefore requires one of two options:

1. Configuring the simple password manually for each user account within eDirectory.
2. Enabling Universal Passwords, to automatically synchronize all password mechanisms within eDirectory.
For information on how to configure Universal Passwords, refer to your NetIQ eDirectory product
documentation.


Image 28: Manual Configuration of the Simple Password

To adjust the authentication policy settings, follow the instructions provided under Procedure 21: Adjusting
authentication policy settings for adjusting policy settings to configure back-end authentication, using NetIQ
eDirectory instead of RADIUS for the back-end protocol field.

To create a client record and assign the policy, follow the instructions under Procedure 22: Creating a client record
and assign the policy for creating a client record and assigning a policy for NetIQ eDirectory back-end
authentication.

11.3. Microsoft Active Directory Back-End Authentication

With Microsoft Active Directory you have two different options:

n If only a single domain controller with one domain is in use, the back-end server record can be registered
on IDENTIKEY Appliance. This record will be used to retrieve the back-end server during user
authentications. For more information, see Section 11.3.2. Single Domain with Single Domain Controller.
n If multiple domains and / or multiple domain controllers are in use, back-end server records can be
searched for using the global catalog server. This requires the global catalog server settings to be
configured in IDENTIKEY Appliance. For more information, see 11.3.3. Multiple Domains: Global Catalog
Server Setup.

For more information about the concepts of both setups, refer to the IDENTIKEY Appliance Product Guide.


11.3.1. Enable Microsoft Active Directory Back-End Authentication

When authentication against the Active Directory back end is to use the LDAP protocol, the LDAP back end needs
to be configured. After setting up SSL on the LDAP back end, export a certification authority (CA) certificate:

Procedure 25: Exporting a CA certificate

1. Launch the Windows Certification Authority application. This is typically launched via Start >
Administrative Tools > Certification Authority on most Windows servers.
2. Select a certification authority, right-click it, and select Properties.
3. In the Properties window, click the View Certificate button.
4. In the Certificate window, select the Details tab and click the Copy to File button. Doing so will launch the
Certificate Export Wizard.
5. In the Certificate Export Wizard, click Next.
6. Select Base-64 encoded X.509 and click Next.
7. Specify the path and name of the CA Certificate file and click Next.
8. Click Finish to export the certificate.

After exporting the certificate, you will need to enable Microsoft Active Directory back-end authentication and
upload the exported certificate.

Procedure 26: Enabling Microsoft Active Directory back-end authentication

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Authentication Back-Ends (see Image 26: Authentication Back-Ends).
3. Select Enabled for the Microsoft Active Directory back end.
4. From the AD SSL Certificate list in the Microsoft Active Directory section, select a certificate authority
certificate. This AD SSL Certificate list contains all valid and trusted CA certificates that were imported using
the Certificate Management tab.
5. Click SAVE.

11.3.2. Single Domain with Single Domain Controller

A single domain controller setup requires:

n Activate Microsoft back-end authentication in the Configuration Tool.
n Configure the DNS server in the Configuration Tool.
n Add a Microsoft Active Directory back-end server record in the IDENTIKEY Authentication Server
Administration Web Interface.
n Adjust the authentication policy settings in the IDENTIKEY Authentication Server Administration Web
Interface.
n Configure a client record and assign the policy in the IDENTIKEY Authentication Server Administration Web
Interface.


Warning
Although not mandatory, VASCO recommends using the AD domain controller as the DNS server to avoid issues
with Microsoft SPN implementation. For more information about aspects requiring attention when configuring
this setup, see Section 24.8. LDAP Back-End Authentication Setup Issues.

Additional configuration is needed when IDENTIKEY Appliance cannot directly connect to the IP address of the AD
domain controller (for example with NAT). For more information, see Section 24. Troubleshooting.

Procedure 27: Configuring the AD domain controller (with the DNS server role) as the DNS server for IDENTIKEY
Appliance

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Settings > Network.
3. Complete the DNS server(s) fields.

Image 29: Configuring Active Directory Domain Controller for IDENTIKEY Appliance

4. Click SAVE.

Procedure 28: Adding an Active Directory back-end server record in the IDENTIKEY Authentication Server
Administration Web Interface

Warning
Security Principal ID:

If Enable SSL is used, the format for the security principal ID is the DN, e.g.
cn=Administrator, cn=Users, dc=vasco, dc=com

If Enable SSL is not used, the format for the security principal ID is the sAMAccountName, e.g. Administrator.

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Back-End > Register Active Directory Back-End.
3. Complete the necessary fields, and note the following points for the relevant fields:
n Enter the IP address of the Active Directory server in the Location field.
n Entering a value in the Timeout field is mandatory.

For more information about these settings, refer to the IDENTIKEY Appliance Administrator Reference.

4. Click Create to finish.

To adjust the authentication policy settings, follow the instructions provided under Procedure 21: Adjusting
authentication policy settings for adjusting policy settings to configure back-end authentication, using Microsoft
Active Directory instead of RADIUS for the back-end protocol field.

To create a client record and assign the policy, follow the instructions under Procedure 22: Creating a client record
and assign the policy for creating a client record and assigning a policy for Active Directory back-end
authentication.

11.3.3. Multiple Domains: Global Catalog Server Setup

In this setup, multiple domain controllers are present. Instead of creating back-end records for each server, a
simpler method is used: the global catalog server settings are configured in the IDENTIKEY Authentication Server
Administration Web Interface. This setup requires:

n Activate Microsoft back-end authentication in the Configuration Tool
n Configure the DNS server in the Configuration Tool
n Configure the global catalog server settings
n Configure the authentication policy settings
n Configure a client record and assign the policy

Note
When using the global catalog server, no back-end server record is required in the IDENTIKEY Authentication
Server Administration Web Interface.

For more information about the global catalog server setup, refer to the IDENTIKEY Appliance Product Guide,
Section "Back-End Authentication".

For more information about activating Microsoft Active Directory back-end server authentication in the
Configuration Tool, see 11.3. Microsoft Active Directory Back-End Authentication.


For more information about configuring AD domain controllers (with the DNS server role) as DNS servers for
IDENTIKEY Appliance in the IDENTIKEY Appliance Configuration Tool, see Procedure 27: Configuring the AD domain
controller (with the DNS server role) as the DNS server for IDENTIKEY Appliance.

Warning
Although not mandatory, VASCO recommends using the AD domain controller as the DNS server to avoid issues
with Microsoft SPN implementation. For more information about aspects requiring attention when configuring
this setup, see Section 24.8. LDAP Back-End Authentication Setup Issues.

Procedure 29: Configuring the global catalog server on IDENTIKEY Appliance

The following configuration enables IDENTIKEY Appliance to use information in the global catalog server to retrieve
the correct domain controller whenever LDAP Active Directory back-end authentication is required.

For further information about setting up a global catalog server, refer to the Microsoft product documentation.

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Back-End > Settings.
3. Complete the necessary fields, and note the following points for the corresponding fields:
n The Global Catalog Location is the IP address or DNS name of the domain controller acting as the
global catalog server.
n 3268 is the default Global Catalog Port; this value may need adapting to correspond to your
setup.
n Principal ID and Principal Password are credentials with read access in the global catalog server.

Image 30: Global Catalog Server Settings for IDENTIKEY Appliance

4. Click Create to finish.


To adjust the authentication policy settings, follow the instructions provided under Procedure 21: Adjusting
authentication policy settings for adjusting policy settings to configure back-end authentication, using Microsoft
Active Directory instead of RADIUS for the back-end protocol field.

To create a client record and assign the policy, follow the instructions under Procedure 22: Creating a client record
and assign the policy for creating a client record and assigning a policy for Active Directory back-end
authentication.

11.4. IBM Security Directory Server Back-End Authentication

Procedure 30: Enabling IBM Security Directory Server back-end authentication

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Authentication Back-Ends (see Image 26: Authentication Back-Ends).
3. Select Enabled for the IBM Security Directory Server back end.
4. Click SAVE.

Procedure 31: Adding an IBM Security Directory Server back-end server record

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Open the Back-End tab and select Register IBM Directory Back-End.
3. Complete the necessary fields, and note the following points for the relevant fields:
n Enable SSL must be selected.
n Entering a value in the Timeout field is mandatory.

For more information about these settings, refer to the IDENTIKEY Appliance Administrator Reference.

4. Click CREATE to finish.

To adjust the authentication policy settings, follow the instructions provided under Procedure 21: Adjusting
authentication policy settings for adjusting policy settings to configure back-end authentication, using IBM Security
Directory Server instead of RADIUS for the back-end protocol field.

To create a client record and assign the policy, follow the instructions under Procedure 22: Creating a client record
and assign the policy for creating a client record and assigning a policy for IBM Security Directory Server back-end
authentication.


12. Replication

Two instances of IDENTIKEY Appliance can be configured to synchronize data changes between each other. This
process is called replication, and can be set up using the Replication Wizard. The replication process ensures that
each database is up-to-date with the latest data changes.

This chapter will explain:

n How to set up replication in the Configuration Tool
n How to view the replication status in the Configuration Tool and Administration Web Interface
n How to remove a replication link in the Configuration Tool

For more information on what is being replicated and common replication setups, refer to the "Replication"
section in the IDENTIKEY Appliance Product Guide.

For more information on the fields available for configuring replication, refer to the IDENTIKEY
Appliance Administrator Reference.

12.1. Replication Wizard

12.1.1. Creating a Replication Link

This section provides instructions on creating a replication link between two instances of IDENTIKEY Appliance. All
the steps involved in creating a replication link must be completed in the Configuration Tool.

Replication can only be performed between two instances of IDENTIKEY Appliance where the first-time
configuration and licensing wizards have already been completed (see the IDENTIKEY Appliance Installation and
Maintenance Guide). For the replication setup, the instance of IDENTIKEY Appliance initiating the replication must be
specified as the source, and the instance that the data are copied to must be specified as the target. After
replication has been initiated, the process is performed in both directions, so that both instances of IDENTIKEY
Appliance are synchronized.

Note
1. Only the authentication setup can be replicated. Audit logs can be copied between two systems in a
replication setup.
2. Replication between different major versions of IDENTIKEY Appliance is not possible.
3. During most upgrades, replication links that are present on the instance of IDENTIKEY Appliance are
removed.

12.1.1.1. Replication Scenarios

IDENTIKEY Appliance supports several replication scenarios to help administrators create, maintain, and share
multiple instances of the same database in different locations. The following replication scenarios are available:


n Setup between two systems with no prior replication setup
n Setup between a system with replication established and a non-replicated instance of IDENTIKEY
Appliance
n Setup between two systems with an established replication link

Setup between two non-replicating systems

In this scenario, neither instance of IDENTIKEY Appliance has a replication setup established. A replication
connection must be established between the two instances to synchronize the databases. In this setup scenario, the
content of the source database is copied to the target database.

Warning
During replication, the database of the target IDENTIKEY Appliance is erased, and overwritten by the source
IDENTIKEY Appliance database.

Procedure 32: Setting up replication between two systems with no replication setup

1. On the source instance of IDENTIKEY Appliance, launch the IDENTIKEY Appliance Configuration Tool and
enter your credentials (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY
Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Authentication Server Replication, and click Add. This initiates the
Replication Wizard. Click Next to start the replication setup process.
3. On the Setting up Database Copying page, enter the following information:
n Remote IP Address: Enter the IP address of the target instance of IDENTIKEY Appliance.
n Copy Remote Audit Log: This is optional. Uncheck this field if you don't need a copy of the remote
audit log.
n Database Copying Path: Select Copy local database to remote and click Next.

Image 31: Replication Wizard Step 2 - Setting Up Database Copying from Local to Remote


4. On the Setup Replication page, you need to confirm that the information from the previous page is correct
and click Next. This instance of IDENTIKEY Appliance goes into listening mode, and waits for the remote IP
address to connect.
5. Launch the IDENTIKEY Appliance Configuration Tool on the target instance and enter the respective
credentials, and navigate to Authentication Server > Authentication Server Replication, and click Add to
initiate the Replication Wizard.
6. On the Setting up Database Copying page, enter the following information:
n Remote IP Address: Enter the IP address of the source instance of IDENTIKEY Appliance.
n Copy Remote Audit Log: This is optional. Uncheck this field if you don't need a copy of the remote
audit log.
n Database Copying Path: Select Copy remote database to local and click Next.

Image 32: Replication Wizard Step 2 - Setting Up Database Copying from Remote to Local

7. On the Setup Replication page, you need to confirm that the information from the previous page is correct
and click Next. A connection is now established between the two instances.
8. The Replication Setup Processing page opens and the setup is prepared on both instances.


9. Complete the replication setup process by clicking the Finish button on both instances.

Image 33: Replication Setup Processing Screen Feedback

Tip
If the source and target instances of IDENTIKEY Appliance are separated by a network firewall, some firewall
ports need to be opened. For more information, refer to the IDENTIKEY Appliance Administrator Reference,
Section "Firewall Ports".

Setup connection between a system with replication established and a non-replicated system

In this scenario, you must have one instance of IDENTIKEY Appliance (source) that has already been replicated, and
you want to copy this database to another IDENTIKEY Appliance instance (target).

Note
The database of an instance of IDENTIKEY Appliance in an active replication can not be overwritten.

Note
An instance of IDENTIKEY Appliance that has already been included in a replication setup can not be configured
as a target for a second source IDENTIKEY Appliance. A new instance of IDENTIKEY Appliance that is added to a
replication setup can only be defined as a target.

Procedure 33: Setting up replication between replicated and non-replicated systems

1. On the target instance of IDENTIKEY Appliance, launch the IDENTIKEY Appliance Configuration Tool and
enter your credentials (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY
Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Authentication Server Replication, and click Add. This initiates the
Replication Wizard. Click Next to start the replication setup process.


3. On the Setting up Database Copying page, enter the following information:
n Remote IP Address: Enter the IP address of the source instance of IDENTIKEY Appliance.
n Copy Remote Audit Log: This is optional. Uncheck this field if you don't need a copy of the remote
audit log.
n Database Copying Path: Select Copy remote database to local and click Next.
4. On the Setup Replication page, you need to confirm that the information from the previous page is correct
and click Next. This instance of IDENTIKEY Appliance goes into listening mode, and waits for the remote IP
address to connect.
5. Launch the IDENTIKEY Appliance Configuration Tool on the source instance and enter the respective
credentials, and navigate to Authentication Server > Authentication Server Replication, and click Add to
initiate the Replication Wizard.
6. On the Setting up Database Copying page, enter the following information:
n Remote IP Address: Enter the IP address of the target instance of IDENTIKEY Appliance.
n Copy Remote Audit Log: This is optional. Uncheck this field if you don't need a copy of the remote
audit log.
n Database Copying Path: Select Copy local database to remote and click Next.
7. On the Setup Replication page, you need to confirm that the information from the previous page is correct
and click Next. A connection is now established between the two instances.
8. The Replication Setup Processing page opens and the setup is prepared on both instances.
9. Complete the replication setup process by clicking the Finish button on both instances.

Setup replication between synchronized systems

In this scenario, both instances of IDENTIKEY Appliance have a replication link established.

Note
Both instances of IDENTIKEY Appliance have an indirect replication link, therefore it is not possible to connect to
groups from another replication link.

Procedure 34: Setting up replication between synchronized systems

1. On the target instance of IDENTIKEY Appliance, launch the IDENTIKEY Appliance Configuration Tool and
enter your credentials (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY
Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Authentication Server Replication, and click Add. This initiates the
Replication Wizard. Click Next to start the replication setup process.
3. On the Setting up Database Copying page, enter the following information:
n Remote IP Address: Enter the IP address of the source instance of IDENTIKEY Appliance.
n Copy Remote Audit Log: This is optional. Uncheck this field if you don't need a copy of the remote
audit log.
n Database Copying Path: Select Databases are already synchronized and click Next.


Image 34: Replication Wizard Step 2 - Setting Up Database Copying - Databases Synchronized

4. On the Setup Replication page, you need to confirm that the information from the previous page is correct
and click Next. This instance of IDENTIKEY Appliance goes into listening mode, and waits for the remote IP
address to connect.
5. Launch the IDENTIKEY Appliance Configuration Tool on the source instance and enter the respective
credentials, and navigate to Authentication Server > Authentication Server Replication, and click Add to
initiate the Replication Wizard.
6. On the Setting up Database Copying page, enter the following information:
n Remote IP Address: Enter the IP address of the target instance of IDENTIKEY Appliance.
n Copy Remote Audit Log: This is optional. Uncheck this field if you don't need a copy of the remote
audit log.
n Database Copying Path: Select Databases are already synchronized and click Next.
7. On the Setup Replication page, you need to confirm that the information from the previous page is correct
and click Next. A connection is now established between the two instances.
8. The Replication Setup Processing page opens and the setup is prepared on both instances.
9. Complete the replication setup process by clicking the Finish button on both instances.

12.1.2. Replication Status

Launch the IDENTIKEY Configuration Tool to verify the replication status (see 2.3. Launching IDENTIKEY Appliance
Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface). Click the Authentication
Server menu item, and select Authentication Server Replication in the pop-up of the Configuration Tool to see a list
of active replication links. For each instance of IDENTIKEY Appliance linked to a replication setup, a button is
provided to stop the replication link (see Image 35: Replication Status in the IDENTIKEY Appliance Configuration
Tool). Clicking on this button initiates the Replication Removal Wizard.

Image 35: Replication Status in the IDENTIKEY Appliance Configuration Tool

To verify the replication status via the IDENTIKEY Authentication Server Administration Web Interface, you must log in to the interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface). Click the System tab and select Get Replication Status in the Administration Web Interface to show a list of the instances of IDENTIKEY Appliance for which the Replication Wizard has successfully completed a replication setup (see Image 36: Replication Status in the IDENTIKEY Authentication Server Administration Web Interface). For each instance of IDENTIKEY Appliance referenced, the following data is listed:

• Connection status (connected or not)
• Time and date of the last update
• Number of messages queued, i.e. the number of replication entries yet to be sent in this replication setup.

Image 36: Replication Status in the IDENTIKEY Authentication Server Administration Web Interface

12.1.3. Replication Removal Wizard

To disable replication between two systems, the Replication Removal Wizard needs to be run on each instance to
unlink the replication connection.

Procedure 35: Removing replications

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Click the Authentication Server menu item, and select Authentication Server Replication in the pop-up of the Configuration Tool to see a list of the instances currently linked to a replication setup.
3. Click the icon to initiate the Replication Removal Wizard, which unlinks the two connected instances. To proceed, click Next.
4. On the Removal Processing page, click Finish once all the steps in the replication removal process have completed successfully.

12.2. Audit Logs

Audit messages are copied during replication from the remote audit database, when the Copy Remote Audit Log
checkbox is checked on the Setting up Database Copying page of the Replication Wizard.

After the user has set up a replication connection, an audit management daemon begins to listen for connections from other daemons that have replication links established. A service running in the background checks periodically whether new auditing data has been written on the other systems and, if so, copies the data.

Note
Audit logs are copied, they are not replicated.

Audit messages are copied in batches of 1000 messages, starting with the oldest audit messages.
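To make the copy mechanism described above concrete (a periodic check, batches of 1000, oldest first, and copying rather than replicating), here is an added Python illustration. It is not the appliance's audit daemon and invents its own data structures: the high-water mark (last_copied) that lets an interrupted poll resume without duplicating entries, the origin filter that stops a message the remote itself copied from a third appliance from travelling a second hop, and the sample log of 2500 constructed entries are all assumptions of this example.

```python
from dataclasses import dataclass, field

BATCH_SIZE = 1000   # the guide states batches of 1000 messages, oldest first

@dataclass
class AuditMessage:
    seq: int      # monotonically increasing id assigned by the appliance that wrote it
    origin: str   # which appliance wrote it
    text: str

@dataclass
class AuditStore:
    """Toy audit database: a list kept in seq order (constructed for the example)."""
    messages: list = field(default_factory=list)

    def own_messages_after(self, origin: str, seq: int, limit: int) -> list:
        """Oldest-first, at most `limit` messages written by `origin` with seq > `seq`.
        Filtering on origin is this example's choice: copies the remote itself holds from
        third appliances are never forwarded, so every message travels exactly one hop."""
        return [m for m in self.messages if m.origin == origin and m.seq > seq][:limit]

@dataclass
class CopyLink:
    """Local side of one audit copy link: remembers how far into the remote log it got."""
    remote: AuditStore
    local: AuditStore
    remote_name: str
    last_copied: int = 0   # high-water mark; resuming from it never duplicates a message

    def poll(self, max_batches: int = None) -> int:
        """One periodic check: pull every new remote message in batches; return how many were copied."""
        copied = batches = 0
        while max_batches is None or batches < max_batches:
            batch = self.remote.own_messages_after(self.remote_name, self.last_copied, BATCH_SIZE)
            if not batch:
                break
            self.local.messages.extend(batch)   # append only: the local log is copied to, never merged or rewritten
            self.last_copied = batch[-1].seq
            copied += len(batch)
            batches += 1
        return copied

def demo() -> tuple:
    """Constructed scenario: the remote holds 2500 entries of its own plus one it copied from a third appliance."""
    remote = AuditStore([AuditMessage(i, "appliance-b", f"event {i}") for i in range(1, 2501)])
    remote.messages.append(AuditMessage(7, "appliance-c", "copied into B from C; must not be copied on"))
    link = CopyLink(remote, AuditStore(), "appliance-b")
    first = link.poll(max_batches=1)    # interrupted after a single batch of 1000
    second = link.poll()                # resumes at seq 1000 and fetches the remaining 1500
    third = link.poll()                 # nothing new
    return first, second, third, len(link.local.messages), link.last_copied

if __name__ == "__main__":
    print(demo())   # (1000, 1500, 0, 2500, 2500)
```

The point to take from the run is that stopping after the first batch and polling again yields 2500 local entries, not 3500: the high-water mark, not the size of the remote log, decides what gets copied next.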

13. Secure Sockets Layer (SSL)


This section contains information about:

• Managing certificates used by IDENTIKEY Appliance
• Configuring server certificates for SOAP, SEAL, and RADIUS (self-signed or commercial)
• Configuring client certificates for SOAP and SEAL

For more information about the concepts of server and client certificates and cipher suite security levels, refer to the IDENTIKEY Appliance Product Guide and the IDENTIKEY Appliance Administrator Reference, Section “SSL”.

For more information about the relevant configuration fields, refer to the IDENTIKEY Appliance Administrator Reference.

13.1. Managing Certificates

Using the Certificate Management page in the Configuration Tool you can manage all server and certification
authority (CA) certificates used by all components of IDENTIKEY Appliance.

Server certificates
Server certificates contain public and private keys and are usually used to secure connections to a server or a
component using SSL, e.g. SEAL communicator, SOAP communicator, Configuration Tool, etc.

Trusted Root Certificate Authorities
Trusted certification authority (CA) certificates are typically used to determine which client certificates to trust. Trusted CA certificates often come in bundles containing several different trusted root CAs.

IDENTIKEY Appliance Root CA
IDENTIKEY Appliance contains a built-in certification authority (CA) used to sign all automatically generated default certificates. This list contains the root CA certificate for the IDENTIKEY Appliance CA.

13.1.1. Editing Server or CA Certificates

Procedure 36: Editing a server or CA certificate

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Navigate to Settings > Certificates.

3. Select the certificate in the respective list and click Edit.

The Edit Certificate Dialog appears.

4. Edit the certificate as required and click Update.

If you want to upload the signed certificate for a pending certificate signing request (CSR), you can specify
the certificate file in the Upload Signed Certificate box.

13.1.2. Downloading Server or CA Certificates

Procedure 37: Downloading a server or CA certificate

1. Navigate to Settings > Certificates.

2. Select the certificate in the respective list and click Download certificate.

13.1.3. Deleting Server or CA Certificates

Procedure 38: Deleting a server or CA certificate

1. Navigate to Settings > Certificates.

2. Select the certificate in the respective list and click Delete.

13.1.4. Adding Server Certificates

Procedure 39: Adding a server certificate

1. Navigate to Settings > Certificates.

2. Click Add Certificate in the Server Certificates section.

The Add Certificate Wizard appears.

3. Do one of the following:

n If you want to create a new certificate:

a. In the Certificate Source page, select Create New Certificate.

b. Specify the certification authority to sign the certificate.

Select Appliance Signs The Certificate if you want to use the built-in root CA of the IDENTIKEY Appliance to create a self-signed certificate.

Select Third Party Signs The Certificate if you want a third-party CA to create the certificate.

c. Specify the subject data for the certificate request.

If you chose to use the built-in CA, the certificate is created and added to the Server Certificate list.

If you chose to use a third-party CA, a certificate signing request (CSR) is created, which you can download and submit to the respective CA. When the third-party CA has created your certificate, upload the signed certificate using the Edit Certificate Dialog.

n If you want to upload an existing certificate:

a. In the Certificate Source page, select Upload Certificate.

b. Specify the certificate file to upload.

The certificate must be a Base64-encoded X.509 certificate file (usually a .PEM file), containing the certificate and the respective private key file. Certificate chains can be included with the certificate within one single certificate file using the PEM file format.

If required, type the private key password.

4. Click Finish to close the wizard.

13.1.5. Adding Trusted Root Certification Authority (CA) Bundles

Procedure 40: Adding a trusted root certification authority (CA) bundle

1. Navigate to Settings > Certificates.

2. Click Add Authority in the Trusted Root Certificates Authorities section.

The Add Authority Wizard appears.

3. Specify the certificate or certificate bundle to upload.

The certificate must use the PEM file format. Multiple certificate authority signing certificates can be used
for validating client certificates, but must be uploaded in a single file.

4. Click Next to add the certificate bundle to the Trusted Root Certificate Authorities list.

5. Click Finish to close the wizard.

13.2. Using Server Certificates

Server certificates are typically used to secure connections to a server or a component using SSL.

IDENTIKEY Appliance uses server certificates to secure the following components:

• SEAL Communicator
• SOAP Communicator
• RADIUS Communicator
• Live Audit
• IDENTIKEY Appliance Configuration Tool
• Remote Support
• Secure Auditing

Whenever you need to specify a server certificate for these components, you select the respective certificate from a list containing all valid server certificates created or uploaded using the Certificate Management tab. Whether a certificate is valid and applicable for a particular component depends on the component (see Table 6: Certificate Restrictions).

Table 6: Certificate Restrictions

Component                                 Certificate Restrictions
SEAL Communicator                         Not expired; RSA
SOAP Communicator                         Not expired; RSA
RADIUS Communicator                       Not expired; RSA
Live Audit                                Not expired; RSA
IDENTIKEY Appliance Configuration Tool    Not expired; RSA, DSA, or elliptic curve
Remote Support                            Not expired; signed by OneSpan
Secure Auditing                           Not expired; elliptic curve prime256v1
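Before uploading a PEM file (Procedure 39 in 13.1.4: certificate, optional chain and private key in one Base64 file) or selecting it for a component, it helps to check the file against the rules in Table 6. The following Python script is an added example, not part of this guide or of the appliance: it splits a PEM bundle into its blocks, reads notAfter and the public-key type out of the first certificate with a small hand-written DER walker (standard library only, no third-party modules), and reports which Table 6 rule the certificate would fail for a given component. The certificates it runs on are constructed inside the block (structurally valid X.509, but unsigned, with empty names and a placeholder private key) so that it runs offline; the RESTRICTIONS mapping and the "first certificate in the file is the server certificate" ordering are this example's own assumptions, and the Remote Support row (signed by OneSpan) is an issuer check the script does not perform.

```python
import base64
import re
from datetime import datetime, timezone

def der(tag: int, body: bytes) -> bytes:
    # Encode one DER TLV; the constructed samples below stay under 128 bytes (short-form length).
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    # Decode the TLV at buf[pos] (short or long length form); return (tag, value, next position).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body: bytes) -> list:
    # Split a constructed DER value into its (tag, value) components.
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

# OID contents (the bytes after the 0x06 tag and length) for the key types Table 6 names.
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
DSA_OID = bytes.fromhex("2a8648ce380401")       # id-dsa
EC_OID = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
P256_OID = bytes.fromhex("2a8648ce3d030107")    # prime256v1
OIDS = {RSA_OID: "RSA", DSA_OID: "DSA", EC_OID: "EC", P256_OID: "prime256v1"}

# Table 6 as the key types each component accepts (this example's own encoding). "Remote Support"
# (must be signed by OneSpan) is an issuer check, not a key-type check, so it is left out.
RESTRICTIONS = {
    "SEAL Communicator": {"RSA"}, "SOAP Communicator": {"RSA"},
    "RADIUS Communicator": {"RSA"}, "Live Audit": {"RSA"},
    "IDENTIKEY Appliance Configuration Tool": {"RSA", "DSA", "EC"},
    "Secure Auditing": {"EC/prime256v1"},
}

def parse_cert(cert_der: bytes) -> dict:
    """Extract notAfter and the key type (with EC curve) from an X.509 DER certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    fields = children(children(cert_body)[0][1])         # tbsCertificate
    if fields[0][0] == 0xA0:                              # optional explicit [0] version
        fields = fields[1:]                               # serial, sigAlg, issuer, validity, subject, SPKI
    tag, raw = children(fields[3][1])[1]                  # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    not_after = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    alg = children(children(fields[5][1])[0][1])          # SPKI AlgorithmIdentifier
    key = OIDS.get(alg[0][1], "unknown")
    if key == "EC" and len(alg) > 1 and alg[1][0] == 0x06:    # namedCurve parameter
        key += "/" + OIDS.get(alg[1][1], "unknown-curve")
    return {"not_after": not_after, "key": key}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
def split_pem(text: str) -> list:
    """Return [(label, DER bytes)] for every PEM block in the file, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def check_bundle(pem_text: str, component: str, now: datetime) -> list:
    """Problems that would stop this PEM file being used for `component`; [] means acceptable."""
    blocks = split_pem(pem_text)
    certs = [d for label, d in blocks if label == "CERTIFICATE"]
    keys = [d for label, d in blocks if label.endswith("PRIVATE KEY")]
    if not certs:
        return ["no CERTIFICATE block in file"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    info = parse_cert(certs[0])      # first certificate is the server's; any others are its chain
    if info["not_after"] <= now:
        problems.append(f"expired on {info['not_after']:%Y-%m-%d}")
    allowed = RESTRICTIONS[component]
    if info["key"] not in allowed and info["key"].split("/")[0] not in allowed:
        problems.append(f"key type {info['key']} not allowed for {component}")
    return problems

# CONSTRUCTED sample input: structurally valid X.509 but unsigned, with empty names and a dummy key.
def sample_cert(not_after: str, key_oid: bytes, curve_oid: bytes = b"") -> bytes:
    params = der(0x06, curve_oid) if curve_oid else der(0x05, b"")
    spki = der(0x30, der(0x30, der(0x06, key_oid) + params) + der(0x03, b"\x00" + bytes(8)))
    validity = der(0x30, der(0x17, b"190101000000Z") + der(0x17, not_after.encode()))
    sig_alg, name = der(0x30, der(0x06, RSA_OID) + der(0x05, b"")), der(0x30, b"")  # placeholders
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))

def to_pem(label: str, data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
DUMMY_KEY = to_pem("PRIVATE KEY", b"placeholder, not a real key")
RSA_BUNDLE = (to_pem("CERTIFICATE", sample_cert("301231235959Z", RSA_OID))      # server certificate
              + to_pem("CERTIFICATE", sample_cert("351231235959Z", RSA_OID)) + DUMMY_KEY)  # + chain
P256_BUNDLE = to_pem("CERTIFICATE", sample_cert("301231235959Z", EC_OID, P256_OID)) + DUMMY_KEY
EXPIRED_BUNDLE = to_pem("CERTIFICATE", sample_cert("181231235959Z", RSA_OID)) + DUMMY_KEY
```

Running `check_bundle(RSA_BUNDLE, "SOAP Communicator", NOW)` returns an empty list, while the same RSA file checked against "Secure Auditing" is rejected for its key type and the prime256v1 file is accepted there; a real PEM exported with a standard tool parses the same way, since only the validity and SubjectPublicKeyInfo fields are read. The script deliberately stops at key type and expiry: whether the private key matches the certificate and whether the chain actually verifies are checks the appliance performs on upload and are outside this example.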

By default, some server certificates are created by the built-in CA during installation:

• Certificate for SEAL, SOAP, and RADIUS

This server certificate is used by default by all components using the SEAL, SOAP, and RADIUS protocols: the SEAL communicator, the SOAP communicator, the RADIUS communicator, and Live Audit.

• Configtool SSL certificate

This server certificate is used by the IDENTIKEY Appliance Configuration Tool. A new default certificate is automatically created whenever you change the host name. If you upload and select a custom certificate, that custom certificate remains and no new certificate is created, even if the host name is changed.

The following procedure describes, as an example, how to change the server certificate for the communicator components.

Procedure 41: Selecting a server certificate for a communicator component

1. In the IDENTIKEY Appliance Configuration Tool navigate to Authentication Server > SEAL Communicator, Authentication Server > SOAP Communicator, or Authentication Server > RADIUS Communicator, depending on what the certificate is being used for.

2. If you are using RADIUS, set the security level (Very High, High, Medium, or Low).

For more information about the SSL cipher suite security levels, refer to the IDENTIKEY Appliance Administrator Reference.

3. Select a certificate from the Server Certificate list.

The Server Certificate list contains all valid certificates you have previously created/imported using the Certificate Management tab (see 13.1. Managing Certificates).

Image 37: Server Certificate Configuration (SEAL)


4. Click Save to finish.

13.3. Using CA Certificates for Client Verification

Client certificates are used when connecting to secure remote services to verify and confirm the identity of those remote services (authenticity), typically by verifying the client certificates using trusted root CAs.

IDENTIKEY Appliance uses CA certificates/bundles to verify client certificates of the following components:

• SEAL Communicator
• SOAP Communicator
• IBM Security Directory Server Back-End Servers
• Active Directory (AD) Back-End Servers
• Live Audit
• Message Delivery Component (MDC) SMS Servers
• Message Delivery Component (MDC) SMPP Servers
• Message Delivery Component (MDC) SMTP Servers
• Message Delivery Component (MDC) Voice Servers

Whenever you need to specify a client certificate for one of these components you select the respective certificate
from a list containing all valid and trusted CA certificates imported using the Certificate Management page.

By default, IDENTIKEY Appliance already contains the cURL CA root certificate bundle.

The following procedure describes, as an example, how to change the client certificate for the communicator components.

Procedure 42: Selecting a CA certificate/bundle for a communicator component

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Navigate to Authentication Server > SEAL Communicator or Authentication Server > SOAP Communicator,
depending on the communicator component to configure.

3. Set Require Client Certificate to Optional, Required or Required-signed address only.

4. Select a CA certificate/bundle from the CA Certificate Store list.

The CA Certificate Store list contains all valid and trusted CA certificates you have previously created/imported using the Certificate Management page (see 13.1. Managing Certificates).

5. If required, select Re-Verify on Re-Negotiation.

This option should be used sparingly and only if necessary. It performs the SSL handshake each time you reconnect. If you reconnect each time you send a message, do not select this option, as it will slow performance.

6. If you are using SEAL, select Automatically Trust Certificates to trust server certificates automatically.

7. Click Save to finish.

Image 38: Client Certificate Configuration (SEAL)

14. Setting Up Signing and Provisioning

This section provides information about setting up signature and provisioning services with IDENTIKEY Appliance.

Electronic Signature is used for transaction authentication and integrity checking.

Software DIGIPASS are software versions of the DIGIPASS authenticator that provide authentication and Electronic Signature functions for Java-enabled mobile devices and web browsers. Provisioning is the process of safely delivering computer files containing Java programs (MIDlets) and data (secrets and security applications) to the mobile devices or web browser.

For more information about different services and scenarios, refer to the IDENTIKEY Appliance Product Guide.

14.1. SOAP Communication Protocol

Electronic signatures and provisioning are only supported by the SOAP communication protocol. SOAP setups
require SSL, and a server certificate is required for the SSL connection.

For more information about downloading server certificates using the IDENTIKEY Appliance Configuration Tool, see
13. Secure Sockets Layer (SSL).

14.2. Enabling Signing and Provisioning Services

Signing and provisioning services can be enabled and configured using the Configuration Tool (see 3.1. Enabling
Services).

For more information about scenario settings, refer to the IDENTIKEY Appliance Administrator Reference.

14.3. Configuring Signature and Provisioning Setups

Configuration for electronic signature and provisioning requires the use of the Software Development Kit (SDK) and is beyond the scope of this document. For more information about setting up signing and provisioning, refer to the IDENTIKEY Authentication Server SDK Programmer's Guide.

15. Setting Up Virtual Mobile Authenticator

This section provides information about setting up Virtual Mobile Authenticator.

Setting up Virtual Mobile Authenticator requires the following steps:

• Importing Virtual Mobile Authenticator records
• Setting up Message Delivery Component (MDC)
• Preparing an IDENTIKEY Authentication Server policy
• Testing Virtual Mobile Authenticator
• Assigning the policy to the appropriate client component

For more information about authenticating using Virtual Mobile Authenticator, refer to the IDENTIKEY Appliance
Product Guide, Section "Message Delivery Component (MDC)".

15.1. Importing Virtual Mobile Authenticator Records

You receive Primary Virtual Mobile Authenticator records in a DIGIPASS transport file (.dpx), with a DPX file key, as
you receive with standard DIGIPASS records. Import them like standard DIGIPASS records (see 4.4. DIGIPASS
Records and Assignment).

Backup Virtual Mobile Authenticators do not have records of their own. Information about a Backup Virtual Mobile Authenticator is contained in the record of the DIGIPASS authenticator that it supplements.

15.2. Setting Up Message Delivery Component (MDC)

All instructions in this section need to be completed using the IDENTIKEY Appliance Configuration Tool.

Message Delivery Component (MDC) is necessary to support Virtual Mobile Authenticator authentication. MDC interfaces with a gateway service to send a one-time password (OTP) to a user’s mobile phone, email address, or via voice message. It acts as a service, accepting messages from IDENTIKEY Appliance which are then forwarded to an email address or to a text message gateway via the HTTP/HTTPS protocol.

15.2.1. Configuring an SMS Gateway

Since every gateway uses different submission parameters, certain settings are required, which can be configured using the IDENTIKEY Appliance Configuration Tool. Depending on the type of gateway server used, different configurations are possible.

To configure SMS gateway settings with an SMS server, you need to specify the following information in the
IDENTIKEY Appliance Configuration Tool:

• Name. The display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile.
• Profile. The actual name of the MDC profile.
• Enabled. If selected, the gateway is enabled.
• The URL to access the gateway server.
• The user name and password for the gateway account.
• The required query string.
• The query method (GET or POST) required by the gateway.

To configure SMS gateway settings with an SMPP server, you need to specify the following information in the
IDENTIKEY Appliance Configuration Tool:

• Name. The display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile.
• Profile. The actual name of the MDC profile.
• Enabled. If selected, the gateway is enabled.
• The URL to access the gateway server.
• The port used to connect to the gateway.
• The user name and password for the gateway account.
• The SMPP system type.
• The SMPP source address number and Numbering Plan Indicator (NPI).
• The SMPP destination address NPI.

Contact your gateway provider for this information. If you have any issues, contact your supplier.

Procedure 43: Setting up an SMS gateway for Message Delivery Component (MDC)

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Message Delivery Component.
3. Enable the Message Delivery Component settings.
4. Select the type of server to be used by clicking Add SMS Server or Add SMPP Server.
5. Complete the fields for the selected server with the information gathered before.
6. Click Add to activate the settings.

Result options, which can be configured for the MDC setup, allow messages returned from the gateway to be modified so that more user-friendly feedback is forwarded to the auditing system. For more information about configuring result options, refer to the IDENTIKEY Appliance Administrator Reference.

For more information about auditing, see 21.4. Auditing and refer to the IDENTIKEY Appliance Product Guide, Section "Auditing". For more information about the particular MDC settings, refer to the IDENTIKEY Appliance Administrator Reference.

15.2.2. Configuring an Email Gateway

To configure email gateway settings, you need to specify the following information in the IDENTIKEY Appliance Configuration Tool:

• Name. The display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile.
• Profile. The actual name of the MDC profile.
• Enabled. If selected, the gateway is enabled.
• The URL to access the gateway server.
• The SMTP relay host, port and connection security (No SSL/TLS, Use SSL or Use TLS). If SSL or TLS are used, a certificate is required, which needs to be retrieved from the email gateway. This needs to be uploaded in PEM format.
• SMTP authentication (optional).
• The from address.

Procedure 44: Setting up an email gateway for Message Delivery Component (MDC)

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Message Delivery Component.
3. Enable the Message Delivery Component settings.
4. Click Add SMTP Server.
5. Complete the fields for the selected server with the information gathered before.
6. Click Add to activate the settings.

15.2.3. Configuring a Voice Gateway

To configure voice gateway settings, you need to enter the following information in the IDENTIKEY Appliance Configuration Tool:

• Name. The display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile.
• Profile. The actual name of the MDC profile.
• Enabled. If selected, the gateway is enabled.
• The URL to access the gateway server.
• The user name and password for the gateway account.
• The phone number prefix for the voice settings.
• The required query string.
• The query method (GET or POST) required by the gateway.

Procedure 45: Setting up a voice gateway for Message Delivery Component (MDC)

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Authentication Server > Message Delivery Component.
3. Enable the Message Delivery Component settings.
4. Click Add Voice Server.
5. Complete the fields for the selected server with the information gathered before.
6. Click Add to activate the settings.

15.2.4. Configuring SMS and Email Messages

You can customize the messages sent by MDC using the IDENTIKEY Authentication Server Administration Web Interface (via Servers > Global Configuration). That page contains three tabs, corresponding to the message types sent by MDC. Switch to the corresponding tab to customize the message settings. To designate where the one-time password appears in the message, use the placeholder string [OTP].

For more information, refer to the IDENTIKEY Appliance Administrator Reference.

15.2.5. Importing and Exporting Gateway Definitions

The IDENTIKEY Appliance Configuration Tool allows you to import and export gateway definitions. This allows you
to upload a description file and easily apply gateway settings to Message Delivery Component of different
IDENTIKEY Appliance instances or to import gateway settings from an IDENTIKEY Authentication Server instance to
IDENTIKEY Appliance (and vice versa).

Importing gateway definitions also makes it easier to apply gateway settings for supported third-party SMS gateway provider services.

Procedure 46: Importing a gateway definition

1. Select Authentication Server > Message Delivery Component in the IDENTIKEY Appliance Configuration
Tool.

2. Enable the required delivery method by selecting the corresponding check box.

3. Click Import gateway.

4. Browse to the gateway description file and click Import.

5. Edit the newly imported file and verify the imported details from the file.

6. Configure load-balancing, failover, and/or failback:

a. Specify the order in which the gateway definition appears on the gateway list by dragging the gateway to the required position in the table in the overview screen.
b. Specify the server type (Primary or Backup) in the details screen of the relevant gateway.

7. Click Apply.

8. Click OK.

15.3. Setting Up IDENTIKEY Appliance Policies for Virtual Mobile Authenticator

Policies can be edited to use:

• Primary Virtual Mobile Authenticator
• Backup Virtual Mobile Authenticator
• Both

With Backup Virtual Mobile Authenticator, restrictions are possible by time or number of uses. For more information about implementing Virtual Mobile Authenticator and restrictions, refer to the IDENTIKEY Appliance Product Guide, Section "Virtual Mobile Authenticator".

15.3.1. Setting Up Policies for Primary Virtual Mobile Authenticator

Procedure 47: Setting up a policy for Primary Virtual Mobile Authenticator

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Policies > List.

3. Select the policy in which you wish to enable Virtual Mobile Authenticator.

4. Switch to the Virtual Mobile Authenticator tab.

5. Click Edit.

6. Select a delivery method for Virtual Mobile Authenticator: Email, SMS, or Voice.

7. Select one of the following options as the request method:

• Default. Use the setting of the parent policy.
• None. Do not use Primary Virtual Mobile Authenticator.
• Keyword. Use the request keyword, with or without another item. The user needs to type the request keyword into the password field. This is permitted to be blank.
• Keyword Only. Only the keyword will be accepted.
• Password. Use the static password. The user needs to type the static password into the password field.
• KeywordPassword. Use the request keyword followed by the static password. The user needs to type the request keyword followed by the static password into the password field. No separator characters or white spaces are allowed between them.
• PasswordKeyword. Use the static password followed by the request keyword. The user needs to type the static password followed by the request keyword into the password field. No separator characters or white spaces are allowed between them.

8. If you have selected an option which includes the use of a request keyword, type it in the PVDP Request
Keyword box.

9. Click Save.
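The request methods in step 7 define how the content of the password field is matched to decide whether the user is asking for an OTP. The following Python function is an added example, not the IDENTIKEY Authentication Server's own code: it resolves Default up a chain of parent policies and applies each method as an exact concatenation with no separator, comparing in constant time. Two readings are this example's assumptions: Keyword accepts the keyword on its own or concatenated with the static password on either side (one reading of "with or without another item"), and a policy chain that ends in Default without any parent setting a method is treated as None. The Policy class, the sample policies and the password values are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

REQUEST_METHODS = ("Default", "None", "Keyword", "Keyword Only",
                   "Password", "KeywordPassword", "PasswordKeyword")

@dataclass
class Policy:
    """Constructed stand-in for the Virtual Mobile Authenticator tab of a policy."""
    name: str
    request_method: str          # one of REQUEST_METHODS
    request_keyword: str = ""    # PVDP Request Keyword; the guide allows it to be blank
    parent: Optional["Policy"] = None

def effective_method(policy: Policy) -> tuple:
    """Resolve 'Default' through the parent chain; returns (method, keyword)."""
    p = policy
    while p.request_method == "Default":
        if p.parent is None:
            return "None", ""    # ASSUMPTION: a chain that never sets a method means no request
        p = p.parent
    if p.request_method not in REQUEST_METHODS:
        raise ValueError(f"unknown request method {p.request_method!r}")
    return p.request_method, p.request_keyword

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so the match does not leak how much of the secret was right.
    return hmac.compare_digest(a.encode(), b.encode())

def is_otp_request(entered: str, policy: Policy, static_password: str) -> bool:
    """True if the password-field content requests an OTP under the policy's request method.
    Concatenations are exact: no separator or whitespace between keyword and password."""
    method, keyword = effective_method(policy)
    if method == "None":
        return False
    if method == "Keyword":
        # ASSUMPTION: "with or without another item" read as the keyword alone, or the
        # keyword combined with the static password on either side.
        return (_eq(entered, keyword) or _eq(entered, keyword + static_password)
                or _eq(entered, static_password + keyword))
    if method == "Keyword Only":
        return _eq(entered, keyword)
    if method == "Password":
        return _eq(entered, static_password)
    if method == "KeywordPassword":
        return _eq(entered, keyword + static_password)
    return _eq(entered, static_password + keyword)      # PasswordKeyword

if __name__ == "__main__":
    base = Policy("Base", "KeywordPassword", "otp")
    vpn = Policy("VPN", "Default", parent=base)      # inherits KeywordPassword / "otp"
    print(is_otp_request("otpS3cret!", vpn, "S3cret!"))    # True
    print(is_otp_request("otp S3cret!", vpn, "S3cret!"))   # False: a separator breaks the match
```

The two sample calls show the rule that matters operationally: under KeywordPassword the user must type the keyword and the static password as one string, and a space between them is treated as a wrong password rather than as an OTP request.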

15.3.2. Setting Up Policies for Backup Virtual Mobile Authenticator

Procedure 48: Setting up a policy for Backup Virtual Mobile Authenticator (Permitted, Not Mandatory)

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Select Policies > List.
3. Select the policy in which you wish to enable Virtual Mobile Authenticator.
4. Switch to the Virtual Mobile Authenticator tab.
5. Click Edit.
6. Select a delivery method for Virtual Mobile Authenticator: Email, SMS, or Voice.
7. Select Yes – Permitted from the Enable Backup VDP list.
8. (OPTIONAL) Type the maximum number of uses. This will be calculated for each person using Backup Virtual Mobile Authenticator.
9. Click Save.

Procedure 49: Setting up a policy for Backup Virtual Mobile Authenticator (Permitted, Not Mandatory, Time-Limited)

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Select Policies > List.
3. Select the policy in which you wish to enable Virtual Mobile Authenticator.
4. Switch to the Virtual Mobile Authenticator tab.
5. Click Edit.
6. Select a delivery method for Virtual Mobile Authenticator: Email, SMS, or Voice.
7. Select Yes – Time Limited from the Enable Backup VDP list.
8. Type a time limit (in days) in the Time Limit box. When the time period has passed (calculated from the
first use), a user will no longer be permitted to use Backup Virtual Mobile Authenticator.
9. (OPTIONAL) Type the maximum number of uses. This will be calculated for each person using Backup Virtual Mobile Authenticator.
10. Click Save.

Procedure 50: Setting up a policy for Backup Virtual Mobile Authenticator (Mandatory)

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Select Policies > List.
3. Select the policy in which you wish to enable Virtual Mobile Authenticator.
4. Switch to the Virtual Mobile Authenticator tab.
5. Click Edit.
6. Select a delivery method for Virtual Mobile Authenticator: Email, SMS, or Voice.
7. Select Yes – Required from the Enable Backup VDP list.
8. (OPTIONAL) Type the maximum number of uses. This will be calculated for each person using Backup Virtual Mobile Authenticator.
9. Click Save.

Tip
Backup Virtual Mobile Authenticator may also be enabled for individual users via each DIGIPASS record. Settings
in the user record overrule equivalent policy settings.

15.4. Testing Virtual Mobile Authenticator

15.4.1. Testing Primary Virtual Mobile Authenticator

Procedure 51: Testing Primary Virtual Mobile Authenticator

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select DIGIPASS > List.

3. Select the Virtual Mobile Authenticator to be tested.

4. Switch to the Application Type tab and click Test VDP.

5. Select a delivery method for Virtual Mobile Authenticator: Email, SMS, or Voice.

6. Type the mobile phone number or email address to which the one-time password (OTP) should be sent.

7. Click Generate.

The Administration Web Interface will attempt to send an OTP via Message Delivery Component (MDC),
which will attempt to forward it to the configured SMS gateway, mail, or voice server.

The result of the delivery attempt will be displayed.

8. When the OTP has been delivered using the requested method, type it into the OTP box and click Verify.

9. The result of the verification attempt will be displayed.

15.4.2. Testing Backup Virtual Mobile Authenticator

Procedure 52: Testing Backup Virtual Mobile Authenticator

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select DIGIPASS > List.

3. Select the DIGIPASS record belonging to the Backup Virtual Mobile Authenticator to be tested.

4. Switch to the Application Type tab and click Test BVDP.

5. Select a delivery method for Virtual Mobile Authenticator: Email, SMS, or Voice.

6. Type the mobile phone number or email address to which the one-time password (OTP) should be sent.

7. Click Generate.

The Administration Web Interface will attempt to send an OTP via Message Delivery Component (MDC),
which will attempt to forward it to the configured SMS gateway, mail, or voice server.

The result of the delivery attempt will be displayed.

8. When the OTP has been delivered using the requested method, type into the OTP box and click Verify.

9. The result of the verification attempt will be displayed.

15.5. Assigning Policies to Clients for Using Virtual Mobile Authenticator

Procedure 53: Assigning a policy to a client for using Virtual Mobile Authenticator

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Select Client > List.
3. Select the client for which you wish to enable Virtual Mobile Authenticator.
4. Click Edit.

5. Select the policy in which you want to enable Virtual Mobile Authenticator in the Policy list.
6. Click Save.

For more information about creating new client components, see 4.1. Client Component Records.

16. Reporting
IDENTIKEY Appliance provides a wide range of reporting options, with low-level control of aspects including
required fields, run-time query options, permissions, templates, and scheduling.

You can use either predefined standard reports, which can be edited, or you can create your own customized
reports.

Reports are managed using the IDENTIKEY Authentication Server Administration Web Interface. You can use the
Administration Web Interface to view, edit, define, delete, or run existing reports. A Report Definition wizard
simplifies the task of creating new custom reports.

For more information about reports, refer to the IDENTIKEY Appliance Product Guide.

16.1. Working With Reports

Basic reporting tasks are done using the Report Definition Wizard in the Administration Web Interface.

To view a list of existing reports, select REPORTS > List in the Administration Web Interface. A full list of available
reports appears.

To view details of a single report, click the respective report name. This opens the Report Definition page, with
details including:

• Domain Name
• Report Type
• Grouping Level
• Data Source
• Time Frequency

To view additional report details, select the Fields tab, Queries tab, Permissions tab, and Templates tab. For more
information, see 16.2. Creating Reports Using the Report Definition Wizard.

Viewing Finished Reports


If you choose to run a report immediately, you can view the finished PDF or HTML report via Open Report in
the Summary page. If you have scheduled a report to run at a later time, you can view the finished report by
navigating to SYSTEM > Report Retrieval.

Procedure 54: Running an existing report

1. Select the report to run:

a. Select REPORTS > Run report.

b. Select the report to run from the list.

c. Click NEXT, if you want to configure the report before creating it. Continue with the next step.

-OR-

Click RUN WITH DEFAULTS to run the report automatically with default settings. The subsequent
wizard pages are not displayed and you are redirected directly to the Summary page.

The RUN and RUN WITH DEFAULTS buttons are also available in the User Properties page and
allow the administrator to generate user-specific reports in the context of the User Dashboard of
IDENTIKEY Authentication Server Administration Web Interface (see 5.3. Generating Reports via
the Reports Tab).

-OR-

a. Select REPORTS > List.

b. Click the report name of the respective report in the list.

c. Click RUN.

-OR-

a. Click the Quick Report button in the User Dashboard of the selected user. By default, IDENTIKEY
Authentication Server generates a Detailed Activity Summary report, but the type of report can be
changed and the report settings specified in the Administration Web Interface properties
configuration during the installation of IDENTIKEY Authentication Server.

Note
When you configure a different type of report to be generated by clicking QUICK REPORT, its usage must be
allowed for all administrators in all domains. Adjust the report settings and permissions as follows:

• Report location: Master Domain

• Report usage permission: Public - All administrators in the different domains can update this
report

2. Specify the report settings.

Select the report template via Template to use, either HTML, PDF, or XML.

Specify the time period to include in the report. This option is available only if the query definition for this
report does not contain an Audit:Timestamp condition.

3. (OPTIONAL) Define any run-time query required.

4. Specify at which time to run the report.

• Select Run immediately to run the report at once when you click RUN. The Administration Web
Interface is blocked as long as the report is being created.

• Select Run in background to schedule the report generation. The report is created in the
background and you can continue working with the Administration Web Interface. This option is
available for PDF reports only.

5. Click RUN.

The Finish page appears displaying any confirmation or error messages.

6. If you chose to run the report immediately, you can open it now via OPEN REPORT.

7. Click FINISH to complete the wizard.

Procedure 55: Changing the report owner

1. Select REPORTS > List in the Administration Web Interface. A full list of available reports appears.

2. Locate the desired report in the list and click the report name.

3. Switch to the Permissions tab and click CHANGE OWNER.

The Change Report Owner wizard appears.

4. Enter available information to specify the new owner, e.g. organizational unit, account status, etc. and
click SEARCH.

The Select User page appears showing a list of users whose data matched the search criteria.

5. Select the desired user and click CHANGE OWNER.

Procedure 56: Editing a report

1. Select REPORTS > List in the Administration Web Interface. A full list of available reports appears.

2. Locate the desired report in the list and click the report name.

3. Switch to the appropriate tab and click EDIT to edit the information in the respective tab.

The fields in the respective tab become available for editing.

To add new field or query definitions, use ADD NEW.

4. After editing the report settings as desired, click SAVE.

For more information, see 16.2. Creating Reports Using the Report Definition Wizard.

Procedure 57: Deleting a report

1. Select REPORTS > List in the Administration Web Interface. A full list of available reports appears.

2. Locate the desired report in the list and click the report name.

3. Click DELETE.

A confirmation message appears.

4. Click OK to delete the report.

16.2. Creating Reports Using the Report Definition Wizard

If standard IDENTIKEY Appliance reports do not meet your requirements, you can either edit an existing report or
create a new custom report using the Report Definition Wizard in the Administration Web Interface.

The Report Definition Wizard guides you through the following series of pages:

• Describe Report
• Options
• Define Fields
• Define Query
• Query Overview
• Permissions
• Templates
• Finish

At any time, you can click Cancel to leave the wizard, or click Help on each page for context-sensitive assistance.

Procedure 58: Creating a report

1. In the Administration Web Interface, mouse over the Reports tab, then click Define Report on the drop-
down menu.

Doing so will display the Describe Report page.

2. In the Describe Report page:


a. Enter a Report Name. The name must be unique. You can use up to 60 characters.
b. Select the Type of report from the list provided.
c. Enter a Report description. This should explain what the report contains, and what it is to be used
for.
d. Click Next to continue.

Doing so will display the Options page.

3. In the Options page:


a. Select the Grouping Level from the drop-down list. This will define the way in which data is
grouped on the report.
b. Select the Data Source from the drop-down list.
c. Click Next to continue.
4. If you are creating a Detailed Analysis or List Analysis report, and you selected audit data for the Data
Source, the Define Fields page is displayed. Otherwise, skip this step.
a. If you do not want to create a field-level filter, simply click Next. All field data will be included by
default.
b. To create a field-level filter, enter a Display Name and select a Field Name from the available
drop-down list. Then select the Operation you wish to perform on the chosen field and click the
Create button.

c. Repeat the above step to create further field data filters if required. When you are done, click
Next.
5. The Define Query page is displayed.
a. To define a query, enter a Query name, select the required Field, and choose a Condition from the
drop-down list.
b. Some conditions (e.g. isblank) do not require an entry in the Value field. Any entry in the value
field for these conditions will be ignored. Time values can be expressed in text (e.g. “last six
months”).
c. When you are done, click the Add New button.
d. Repeat this step to create additional query filters if required. You can only specify one data field
per query, so if you want to specify more than one field you must define more than one query.
e. When you are finished, click Next.
6. The Define New Query page now displays a list of queries that were entered previously. To view details of
a query, click on the query name. When you have finished reviewing query details, click Next.

Doing so will display the Permissions page.

7. In the Permissions page, specify who can alter and run the report by selecting the appropriate Usage
Permissions and Update Permissions. Note that the owner is the person who created the report (unless
reassigned). Click Next to continue.

Doing so will display the Templates page.

8. In the Templates page, select which template to use. If you do not want to use the default XML or PDF
templates (this option is selected by default), provide a new Template Name and browse to the location of
the Template Definition file. Click Save to continue.
9. The Finish page displays a summary of report information. Any confirmation or error messages are shown
on this page. Click Finish to close the Report Definition Wizard.

You should now be able to see your new report when you view the available report list.

16.3. PDF and HTML Report Customization

You can produce customized IDENTIKEY Appliance reports with your own logo, header, and footer design. To do
this, you must:

• Create a template in either:
  • XML (for PDF reports) or
  • XSLT (for HTML reports).
• Use the Administration Web Interface to upload the custom report template and link it to an IDENTIKEY
Appliance report.

The custom template will be linked with that report thereafter. It can also be linked with other reports. If you delete
a custom template, the associated report(s) will revert to the default IDENTIKEY Appliance template.

The following diagram shows how IDENTIKEY Appliance report data is transformed into a finished report.

Image 39: Customized Report Data Flow

Custom PDF Report Templates


Custom PDF report templates are defined in XML. To create a custom PDF report template, open a text editor
(or code editor) and create a new file, formatted like the following example.

Example
<VASCO>
  <PDFTemplate>
    <content>
      <image src="C:\pictures\blah.jpg"/>
      <header align="left">My left-aligned header</header>
      <footer align="right">My right-aligned footer</footer>
    </content>
    <layout>
      <orientation>Portrait</orientation>
      <paper-size>A4</paper-size>
    </layout>
  </PDFTemplate>
</VASCO>

The src attribute of the image tag specifies the location of a header image, and should be an absolute file
path.

The align attribute defines the alignment of the headers and footers. Possible values for this attribute are:

• left
• center
• right

The orientation tag defines the PDF report's orientation, and has two possible values:

• Portrait
• Landscape

The paper-size tag defines the size of the PDF report when printed. The following table lists the
different paper sizes per value:

Table 7: Paper-Size Values (for customized PDF/HTML reports)


Value Paper Size (in pts)
A0 2380x3368
A1 1684x2380
A2 1190x1684
A3 842x1190
A4 595x842
A5 421x595
A6 297x421
Letter 612x792
Broadsheet 1296x1584
Ledger 1224x792
Tabloid 792x1224
Executive 522x756
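The following Python script is added here as an illustration; it is not part of IDENTIKEY Appliance or its documentation, and it does not reproduce the appliance's own template validation. It checks a custom PDF template file against the rules described above (root element, absolute image path, align, orientation and paper-size values from Table 7) before you upload it, and returns the resulting page dimensions in points. The example template from this section is embedded as its test input.

```python
import os
import xml.etree.ElementTree as ET

# Paper sizes in points, copied from Table 7 above.
PAPER_SIZES = {
    "A0": (2380, 3368), "A1": (1684, 2380), "A2": (1190, 1684), "A3": (842, 1190),
    "A4": (595, 842), "A5": (421, 595), "A6": (297, 421), "Letter": (612, 792),
    "Broadsheet": (1296, 1584), "Ledger": (1224, 792), "Tabloid": (792, 1224),
    "Executive": (522, 756),
}
ALIGNMENTS = ("left", "center", "right")
ORIENTATIONS = ("Portrait", "Landscape")

# The example template from the guide, embedded here as test input.
GUIDE_EXAMPLE = """<VASCO><PDFTemplate>
<content>
  <image src="C:\\pictures\\blah.jpg"/>
  <header align="left">My left-aligned header</header>
  <footer align="right">My right-aligned footer</footer>
</content>
<layout><orientation>Portrait</orientation><paper-size>A4</paper-size></layout>
</PDFTemplate></VASCO>"""


def is_absolute_path(path):
    """Accept POSIX absolute paths and Windows drive-letter paths, whatever host runs this check."""
    return os.path.isabs(path) or (len(path) > 2 and path[1] == ":" and path[2] in "\\/")


def validate_pdf_template(xml_text):
    """Check a template against the documented rules.

    Returns (width_pts, height_pts, problems); width/height are None when the layout is unusable.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, None, [f"not well-formed XML: {exc}"]
    tpl = root.find("PDFTemplate") if root.tag == "VASCO" else None
    if tpl is None:
        return None, None, ["root must be <VASCO> containing <PDFTemplate>"]
    content, layout = tpl.find("content"), tpl.find("layout")
    if content is None:
        problems.append("<PDFTemplate> has no <content> element")
    else:
        img = content.find("image")
        if img is not None and not is_absolute_path(img.get("src", "")):
            problems.append(f"image src must be an absolute file path: {img.get('src')!r}")
        for tag in ("header", "footer"):
            for el in content.findall(tag):
                if el.get("align") not in ALIGNMENTS:
                    problems.append(f"<{tag}> align must be one of {ALIGNMENTS}, got {el.get('align')!r}")
    width = height = None
    if layout is None:
        problems.append("<PDFTemplate> has no <layout> element")
    else:
        orientation = (layout.findtext("orientation") or "").strip()
        size = (layout.findtext("paper-size") or "").strip()
        if orientation not in ORIENTATIONS:
            problems.append(f"orientation must be one of {ORIENTATIONS}, got {orientation!r}")
        if size not in PAPER_SIZES:
            problems.append(f"paper-size {size!r} is not in Table 7")
        if orientation in ORIENTATIONS and size in PAPER_SIZES:
            width, height = PAPER_SIZES[size]
            if orientation == "Landscape":   # swap the Table 7 portrait dimensions
                width, height = height, width
    return width, height, problems


if __name__ == "__main__":
    print(validate_pdf_template(GUIDE_EXAMPLE))   # (595, 842, [])
```

Run the check on a template file before uploading it with Procedure 60; an empty problems list means the file uses only the values this section documents.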

XSLT Templates for HTML Reports


The structure of an XSLT template is considerably more complex than that of the XML template used for PDF
reports. To view the formatting structure, refer to the default XSLT files that are installed with IDENTIKEY Appliance.

Each default report provided by IDENTIKEY Appliance has a corresponding XSLT script for producing HTML output.
To view the corresponding XSLT script of a report:

Procedure 59: Viewing a report's corresponding XSLT script

1. Select REPORTS > List in the Administration Web Interface. A full list of available reports appears.

2. Locate the desired report in the list and click the report name.

3. Click the Template tab.


4. Click the HTML link. Doing so will open the XSLT template for that report.

Once you have created a custom template, you can link it to a report as follows:

Procedure 60: Linking a custom template to a report

1. Select REPORTS > List in the Administration Web Interface. A full list of available reports appears.

2. Locate the desired report in the list and click the report name.

3. Click the Template tab.


4. Click Edit. Doing so will provide new options.
5. Click Choose File and locate the new XML or XSLT template file.
6. Enter a Template Name and click Upload.

The new template will be uploaded and associated with that report.

16.4. Report Retrieval

Only reports created in PDF format can be retrieved via the Administration Web Interface. To do so, navigate to
System > Report Retrieval in the Administration Web Interface. From there, you can:

• Delete, Change Ownership or Take Ownership of one or more reports: select the desired report or reports and
click the appropriate button.
• Click a report name to go to the Manage Reportfile page, from where you can Delete, Change Ownership, Take
Ownership or Download that report.

If you choose to download the report, you may either Open the report immediately, or save the report to a specified
location. For information on how to take/change report ownership, refer to 16.1. Working With Reports.

17. Configuring RADIUS Environments


This section describes how to configure typical RADIUS environments.

For more information about RADIUS environments, refer to the IDENTIKEY Appliance Product Guide, Section
"RADIUS Environments".

17.1. Stand-Alone IDENTIKEY Appliance in RADIUS Environment

This topology is ideal for services where RADIUS attributes are not required and one of the supported password
protocols will be in use:

• PAP
• CHAP
• MSCHAP
• MSCHAP2

Note
When using CHAP, note that score-based DIGIPASS applications do not support CHAP-based RADIUS
authentications.

This deployment will require:

• IP address of the RADIUS client

• Shared secret used by the RADIUS client - or select a secret to use now if the RADIUS client isn't yet
equipped with a shared secret

Image 40: Stand-Alone IDENTIKEY Appliance in a RADIUS Environment

Procedure 61: Deploying Stand-Alone IDENTIKEY Appliance in RADIUS Environment

This procedure is for manual deployment after installation. The following configuration is also available during a
Basic Install configuration phase.

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Clients > Register.
3. Enter the following data:
• Client Type: select RADIUS Client
• Location: IP address of the RADIUS client
• Policy ID: Policy you want to use for this RADIUS client
• Protocol ID: select RADIUS
• Shared Secret: Shared secret used by the RADIUS client
4. Click on Create.

After configuring IDENTIKEY Appliance (either via these steps or via the Basic Install configuration phase), configure
your RADIUS client to send authentication requests to IDENTIKEY Appliance. Information on the IP/port of the RADIUS
communicator is available in the Configuration Utility (specifically, in the RADIUS tab of the Communicators menu).

17.2. IDENTIKEY Appliance as RADIUS Proxy Target

You may wish to use this topology if:

• The RADIUS server supports the proxying of authentication while returning attributes itself.

• The RADIUS server can forward the authentication request using one of the supported password protocols:
  • PAP
  • CHAP
  • MSCHAP
  • MSCHAP2

• The RADIUS server supports an Access-Challenge response from IDENTIKEY Appliance, if required. The Access-
Challenge mechanism is used for Challenge/Response and Virtual Mobile Authenticator, although it is still possible
to use Virtual Mobile Authenticator without that mechanism.

If the RADIUS server is capable, this scenario allows IDENTIKEY Appliance to operate in an environment that uses
certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server terminates the
TLS tunnel of the EAP method itself and forwards the inner user credentials to IDENTIKEY Appliance using one of
the simpler password protocols listed above. Note that those protocols do not encrypt the forwarded credentials:
PAP only obfuscates the password with the shared secret and the request authenticator, and CHAP/MSCHAP carry a
challenge-response hash. Keep the proxy link between the RADIUS server and IDENTIKEY Appliance on a trusted
network and use a strong, unique shared secret for it.

This deployment will require:

• IP address of the RADIUS server

• Shared secret used by the RADIUS server

Image 41: IDENTIKEY Appliance as RADIUS Proxy Server

Procedure 62: Deploying IDENTIKEY Appliance as a RADIUS proxy server

This procedure is for manual deployment after installation. The following configuration is also available during
a Basic Install configuration phase.

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Clients > Register.
3. Enter the following data:
• Client Type: select RADIUS Client
• Location: IP address of the RADIUS server
• Policy ID: Policy you want to use for this RADIUS server
• Protocol ID: select RADIUS
• Shared Secret: Shared secret used by the RADIUS server
4. Click on Create.

After configuring IDENTIKEY Appliance (either via these steps or via the Basic Install configuration phase), configure
your RADIUS server to send authentication requests to IDENTIKEY Appliance. Information on the IP/port of the
RADIUS communicator is available in the Configuration Utility (specifically, in the RADIUS tab of the Communicators
menu).
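The following Python script is added as an illustration and is not part of IDENTIKEY Appliance. It shows what the RADIUS client registered in 17.1, or the proxying RADIUS server of 17.2, actually exchanges with the appliance: an Access-Request whose PAP User-Password is hidden with the shared secret (RFC 2865), an Access-Challenge carrying a State attribute as used for Challenge/Response and Virtual Mobile Authenticator, and the Response Authenticator check that lets the client reject replies not produced with its shared secret. The user name, static password, OTP and shared secret are constructed values, and the toy server only imitates the challenge flow; it is not the appliance's authentication logic.

```python
import hashlib, os, struct

# Constructed values for this example; the guide does not prescribe any of them.
SHARED_SECRET = b"example-shared-secret"
USER_NAME = b"alice"
STATIC_PASSWORD = b"static-pw"   # first factor typed by the user
OTP = b"483920"                  # constructed OTP, as delivered by SMS, email or voice
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME_ATTR, USER_PASSWORD_ATTR, REPLY_MESSAGE_ATTR, STATE_ATTR = 1, 2, 18, 24

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide. A wrong secret yields garbage rather than an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, secret, username, password, state=None):
    authenticator = os.urandom(16)  # Request Authenticator: fresh and unpredictable per request
    attrs = [(USER_NAME_ATTR, username), (USER_PASSWORD_ATTR, pap_hide(password, secret, authenticator))]
    if state is not None:           # echo the State attribute from an Access-Challenge
        attrs.append((STATE_ATTR, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side: accept only a response computed with our shared secret for our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]

def toy_server(request, secret, users, pending):
    """Stand-in for the authentication server. Correct first factor -> Access-Challenge with a State;
    that State echoed back together with the correct OTP -> Access-Accept; anything else -> Reject."""
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME_ATTR)
    password = pap_reveal(attrs.get(USER_PASSWORD_ATTR, b""), secret, request[4:20])
    static_pw, otp = users.get(user, (None, None))
    if STATE_ATTR not in attrs:
        if password != static_pw:
            return build_response(ACCESS_REJECT, request, secret)
        state = os.urandom(8)
        pending[state] = user
        return build_response(ACCESS_CHALLENGE, request, secret,
                              [(STATE_ATTR, state), (REPLY_MESSAGE_ATTR, b"Enter the OTP you received")])
    if pending.pop(attrs[STATE_ATTR], None) == user and password == otp:
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)

def run_exchange(otp_typed=OTP, client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Drive the two-step exchange. Returns (response codes seen, whether every response verified)."""
    users, pending, codes, verified = {USER_NAME: (STATIC_PASSWORD, OTP)}, {}, [], True
    req = build_access_request(1, client_secret, USER_NAME, STATIC_PASSWORD)
    resp = toy_server(req, server_secret, users, pending)
    codes.append(resp[0])
    verified &= verify_response(resp, req, client_secret)
    if resp[0] == ACCESS_CHALLENGE:
        state = dict(decode_attrs(resp[20:]))[STATE_ATTR]
        req = build_access_request(2, client_secret, USER_NAME, otp_typed, state=state)
        resp = toy_server(req, server_secret, users, pending)
        codes.append(resp[0])
        verified &= verify_response(resp, req, client_secret)
    return codes, verified

if __name__ == "__main__":
    print(run_exchange())  # ([11, 2], True)
```

Two things the script makes visible that the procedures above do not: a mismatched shared secret does not produce a clean error, the server simply sees a garbage password and rejects, while the client's Response Authenticator check fails; and the password hiding is MD5-based obfuscation keyed by the shared secret, which is why the secret must be strong and the client-to-appliance path trusted.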

17.3. IDENTIKEY Appliance as Intermediate Server

When used as an intermediate authentication server, IDENTIKEY Appliance can be set up in two basic modes:

• OTP-only: IDENTIKEY Appliance keeps a record of the user's static password and relays it to the back-end
server; the user enters only an OTP.

Image 42: IDENTIKEY Appliance as Intermediate Server (OTP-Only)

• OTP-Password: the user enters an OTP and their password, which is not stored by IDENTIKEY Appliance but is
relayed to the back-end server for authentication.

Image 43: IDENTIKEY Appliance as Intermediate Server (OTP-Password)

Either mode requires the following information:

• IP address of both RADIUS client and RADIUS server

• Shared secret used by both RADIUS client and RADIUS server

Procedure 63: Deploying IDENTIKEY Appliance as an intermediate server

This procedure is for manual deployment after installation. The following configuration is also available during
a Basic Install configuration phase.

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Clients > Register.
3. Enter the following data:
• Client Type: select RADIUS Client
• Location: IP address of the RADIUS client
• Policy ID: Policy you want to use for this RADIUS client
• Protocol ID: select RADIUS
• Shared Secret: Shared secret used by the RADIUS client
4. Click on Create.
5. After configuring IDENTIKEY Appliance (either via these steps or via the Basic Install configuration phase),
configure your RADIUS client to send authentication requests to IDENTIKEY Appliance. Information on the
IP/port of the RADIUS communicator is available in the Configuration Utility (specifically, in the RADIUS tab
of the Communicators menu).
6. Next, navigate to BACK-END > Register RADIUS Back-End.

7. Enter the following data:

• Back-End Server ID: An identifier for the RADIUS server
• Domain Name: Master if the RADIUS server should process authentication requests from all domains, else a
specific domain
• Priority: Use this if you want to define multiple back-end servers for failover reasons; the one
with the highest priority will be used first
• Authentication IP Address: The IP address that the RADIUS server is using for authentication
requests
• Authentication Port: The port that the RADIUS server is using for authentication requests
• Accounting IP Address: The IP address that the RADIUS server is using for accounting requests
• Accounting Port: The port that the RADIUS server is using for accounting requests
• Shared Secret: The shared secret of the RADIUS server
• Timeout (seconds): Timeout on the connection to the RADIUS server
• Retries: Number of retries before abandoning attempts to send an authentication request to the
RADIUS server
• Character Encoding: Encoding/locale format required by the RADIUS server.
• Include Realm: Specify whether to include the realm in the userName RADIUS attribute of an
authentication request.
• Custom Realm: The realm to be included in the userName RADIUS attribute of an authentication request.
8. Click on Create.

17.4. Wireless RADIUS

IDENTIKEY Appliance supports authentication over a wireless connection via the RADIUS protocol.

Image 44: Wireless RADIUS Components

17.4.1. Wireless RADIUS Terminology Used

An authentication service using wireless RADIUS has the following components:

• Supplicant: The machine from which a wireless access request originates.

• Authenticator: In IEEE 802.1X terminology, the Wireless Access Point, which relays the supplicant's EAP
exchange to the authentication server.

• Authentication server: The machine to which the Wireless Access Point passes authentication requests, in
this case IDENTIKEY Appliance acting as RADIUS server.

17.4.2. Wireless Network Encryption

The Wireless Access Point must be configured to use one of the following wireless protocols:

• WPA Enterprise
• WPA2 Enterprise
Warning
OneSpan does not recommend the use of the TKIP encryption algorithm on wireless networks due to inherent
security issues. Configure your WAP(s) to use the AES algorithm.

17.4.3. Configure Wireless Access Points

Each wireless access point must be configured with the following settings:

Table 8: Required Wireless Access Point Settings


Setting Value

Encryption protocol WPA Enterprise or WPA2 Enterprise

Encryption algorithm AES

RADIUS protocol One of the supported EAP or PEAP protocols:

• EAP-TTLSv0/PAP
• EAP-TTLSv0/CHAP
• EAP-TTLSv0/MSCHAP
• EAP-TTLSv0/MSCHAP2
• EAP-TTLSv0/EAP-MSCHAP2
• EAP-TTLSv0/EAP-GTC
• PEAPv0/EAP-MSCHAP2
• PEAPv0/EAP-GTC
• PEAPv1/EAP-MSCHAP2
• PEAPv1/EAP-GTC

RADIUS server Enter the IP address and the RADIUS port (default 1812) for IDENTIKEY Authentication Server.

Shared Secret A passphrase used to authenticate the RADIUS Client and IDENTIKEY Authentication Server to
each other.

If your Wireless Access Point does not support wireless session settings from the configured RADIUS server,
change the default reAuthPeriod configuration setting to the required period before a Fast Reconnect should be
attempted. One hour is the recommended period.

Tip
Where possible, configure the supplicant to request authentication details for every full authentication. If this is
not configured, each automatic full reconnection attempt (not fast reconnect) will cause a failed authentication.

17.4.4. IDENTIKEY Appliance Configuration for Wireless Networking

When configuring IDENTIKEY Appliance to work with wireless access points, you must first copy the
IDENTIKEY Local Authentication policy record. Then, navigate to the RADIUS tab for the policy and
set Supported protocols to Secure.

Afterwards, create a Component record for each Wireless Access Point with the following details:

Table 9: Component Record Settings for Each Wireless Access Point


Setting Value

Component Type RADIUS Client

Location <IP address of the Wireless Access Point>

Protocol RADIUS

Shared Secret <as entered in the Wireless Access Point configuration>

Policy If this is the only Wireless Access Point in use, link to the policy created above.

If this will NOT be the only Wireless Access Point in use, refer to 17.4.5. Multiple Wireless Access Points for further instructions.

17.4.5. Multiple Wireless Access Points

If multiple Wireless Access Points are in use, you have the option of allowing roaming connections between
Wireless Access Points.

The ability of a supplicant to perform a Fast Reconnect with IDENTIKEY Appliance, and roam between Wireless
Access Points, depends on two factors:

• SSID: If a Wireless Access Point's SSID is identical to that of the Wireless Access Point with which the
current session was created, the supplicant will be able to attempt a Fast Reconnect.
• Policy: If the Component record for the Wireless Access Point passing on a Fast Reconnect request has the
same policy record as the component record for the Wireless Access Point with which the current session
was created, IDENTIKEY Appliance will process the Fast Reconnect request.

No roaming Wireless Connections


Having no roaming wireless connections means that a user will be required to perform a full authentication if
moving to a new Wireless Access Point. To configure the system this way, set each Wireless Access Point's
SSID to a different value.

Allow roaming Wireless Connections


Where roaming connections will be in use, assign the same SSID to all Wireless Access Points in each zone.

Image 45: Roaming Wireless Connections - Assigning the Same SSID to All Wireless Access Points
Table 10: Policy and Component Record Details when allowing roaming Wireless Connections

Scenario                              Record              Details
Roaming connections, one zone         Policy Records      Create one policy record only.
                                      Component Records   Link all component records to the policy created earlier.
Roaming connections, multiple zones   Policy Records      Create a policy record with the required settings, and copy
                                                          it to new policy records until you have the same number of
                                                          policies as roaming zones needed.
                                      Component Records   Assign each policy to a wireless roaming zone. Component
                                                          records for each Wireless Access Point in a roaming zone
                                                          should be assigned to the same policy.

Image 46: Roaming Wireless Connections - Policy and Component Record Details

17.5. Customizing the RADIUS Attributes Dictionary

A RADIUS attributes dictionary is available to use with IDENTIKEY Appliance, to assign RADIUS attributes to users
and groups of users. A default dictionary is supplied, but this may be replaced with a custom dictionary. Attributes
may be added, modified or removed by editing the dictionary file.

Procedure 64: Uploading a custom RADIUS dictionary

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Select Authentication Server > Radius Communicator.
3. Select Enable RADIUS Communicator.
4. In the RADIUS Dictionary File section, click Browse and specify the custom dictionary file.
5. Click Save.

Image 47: Uploading a Custom RADIUS Dictionary

Note
The default dictionary remains available for download even after uploading a custom dictionary.

For more information about the format for custom dictionaries, refer to the IDENTIKEY Appliance Administrator
Reference.

18. IDENTIKEY Authentication Server Discovery


Server Discovery is a feature which allows DIGIPASS Authentication for Windows Logon clients to find an IDENTIKEY
Authentication Server by querying a DNS server.

Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), note that to be GDPR-compliant,
DIGIPASS Authentication for Windows Logon requires the Verify server SSL certificate box to be checked in
the DIGIPASS Authentication for Windows Logon Configuration Center.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

In order for Server Discovery to work, these conditions must exist:

• The DIGIPASS Authentication for Windows Logon client must have Server Discovery enabled. For more
information, refer to the DIGIPASS Authentication for Windows Logon User Guide.

• An SRV record for the IDENTIKEY Appliance instance(s) must exist on the DNS server to be queried (see
18.1. Registering IDENTIKEY Appliance with DNS Server).

• Windows Logon must be enabled both in the IDENTIKEY Authentication Server license key and the
authentication scenario. For more information, refer to the IDENTIKEY Appliance Product Guide, Section
"Licensing".

18.1. Registering IDENTIKEY Appliance with DNS Server

An SRV record may be created on the DNS server using the DNS registration option in the IDENTIKEY Authentication
Server configuration stage (i.e. after installation). For more information, see 18.2. Server Discovery.

Note
If an IDENTIKEY Authentication Server will be available to client machines in other trusted Active Directory
domains, an SRV record must be manually created on the DNS server(s) that service the client domain.

18.2. Server Discovery

Registering IDENTIKEY Authentication Server with a DNS server allows DIGIPASS Authentication for Windows Logon
clients to discover a local instance of IDENTIKEY Authentication Server.

The following two DNS service registration options are available:

• No authentication type
• TSIG as the authentication type

Procedure 65: Registering DNS service without authentication type

For DNS service registration with a DNS server that supports anonymous dynamic DNS, the authentication type
needs to be set to None. Use this method if your DNS server(s) do not require authentication or SSL for adding SRV
records. Note that with this option the DNS server accepts the SRV update from any host that can reach it.

1. Select the DNS service registration with a DNS server supporting dynamic DNS option.
2. Enter the name of the DNS domain.
3. Select the priority for connections to the IDENTIKEY Authentication Server - primary or backup server.

Image 48: Configuration Tool IDENTIKEY Authentication Server Discovery without Authentication Type

Procedure 66: Registering DNS service with TSIG as the authentication type

For DNS service registration with a DNS server that supports dynamic DNS with TSIG authentication, the authentication
type needs to be set to TSIG. This method uses a shared key file whose key is known to both IDENTIKEY Authentication
Server and the DNS server; each dynamic update transaction is signed with that key, so the DNS server accepts SRV
records only from a holder of the key. Protect the key file accordingly. Use this method if your DNS server(s) are
configured to accept TSIG-authenticated changes only:

1. Select the DNS service registration with a DNS server supporting dynamic DNS with TSIG authentication
option.
2. Enter the full path and file name for the shared key file.

3. Enter the name of the DNS domain.


4. Select the priority for connections to the IDENTIKEY Authentication Server - primary or backup server.

Image 49: Configuration Tool IDENTIKEY Authentication Server Discovery with TSIG as Authentication
Type

Warning
Active Directory DNS server does not support dynamic DNS with shared-key TSIG authentication; Active Directory secures
dynamic updates with Kerberos-based GSS-TSIG instead. The anonymous option must therefore be used, which requires the
zone to accept nonsecure dynamic updates. For instructions on how to configure this, refer to the Active Directory
documentation.

Note
If two or more instances of IDENTIKEY Authentication Server are registered with the DNS server and given the
same priority, the first available SRV record will be the one used by the DIGIPASS Authentication for Windows
Logon client.
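As an added example (not part of the OneSpan documentation), the following Python script models the two halves of this chapter: the SRV registration that Procedures 65 and 66 perform, rendered as an nsupdate batch without authentication and with a TSIG key, and the client-side selection that the Note above describes (lowest priority first, first available record among equals). The service label `_identikey._tcp`, the zone, host names, port and TSIG key name are assumptions; the guide does not state the exact SRV record name, so check the record your appliance actually registered (for example with `dig _label._tcp.zone SRV`) before relying on it.

```python
"""DNS-based discovery of IDENTIKEY Authentication Server, modelled in Python.

Added example, not part of the OneSpan documentation. The SRV label
'_identikey._tcp', the zone, host names, port and TSIG key name are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

ZONE = "corp.example"                    # assumed: the DNS domain entered in Procedure 65/66
SRV_NAME = f"_identikey._tcp.{ZONE}."    # assumed service label
PRIMARY, BACKUP = 10, 20                 # SRV priority: the lower value is tried first (RFC 2782)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def nsupdate_batch(record: SrvRecord, dns_server: str, ttl: int = 3600,
                   tsig_key_name: Optional[str] = None,
                   tsig_secret_b64: Optional[str] = None) -> str:
    """Render, as an nsupdate batch, the RFC 2136 dynamic update that registering
    one appliance instance performs.

    Without a key (Procedure 65, authentication type None) the DNS server accepts
    the update from any host that can reach it. With a key (Procedure 66, TSIG)
    every message in the batch is signed, and the key must be the one in the shared
    key file that the DNS server also knows.
    """
    lines = [f"server {dns_server}", f"zone {ZONE}."]
    if tsig_key_name and tsig_secret_b64:
        # nsupdate syntax: key [hmac:]keyname secret (secret is base64)
        lines.append(f"key hmac-sha256:{tsig_key_name} {tsig_secret_b64}")
    lines.append(
        f"update add {SRV_NAME} {ttl} IN SRV "
        f"{record.priority} {record.weight} {record.port} {record.target}"
    )
    lines.append("send")
    return "\n".join(lines) + "\n"


def order_for_discovery(records: Iterable[SrvRecord]) -> List[SrvRecord]:
    """Client-side ordering: lowest priority first. sorted() is stable, so records
    that share a priority stay in the order the DNS server returned them; the first
    of them that answers is used, as the Note in 18.2 describes."""
    return sorted(records, key=lambda r: r.priority)


def discover(records: Iterable[SrvRecord],
             reachable: Callable[[SrvRecord], bool]) -> Optional[SrvRecord]:
    """Return the first reachable server in priority order, or None if none answers.
    `reachable` stands in for the Windows Logon client's connection attempt."""
    for rec in order_for_discovery(records):
        if reachable(rec):
            return rec
    return None


# Constructed answer set: two registered appliance instances, one registered with
# the primary priority and one with the backup priority (Procedure 65/66, last step).
SAMPLE_RECORDS = [
    SrvRecord(BACKUP, 0, 8888, f"ias-backup.{ZONE}."),
    SrvRecord(PRIMARY, 0, 8888, f"ias-primary.{ZONE}."),
]


if __name__ == "__main__":
    print(nsupdate_batch(SAMPLE_RECORDS[1], "ns1.corp.example"))
    print(nsupdate_batch(SAMPLE_RECORDS[1], "ns1.corp.example",
                         tsig_key_name="identikey-ddns",
                         tsig_secret_b64="c2hhcmVkLWtleS1maWxlLWNvbnRlbnRz"))
    # Primary down: the client falls through to the backup record.
    chosen = discover(SAMPLE_RECORDS, reachable=lambda r: "backup" in r.target)
    print("client would use:", chosen.target if chosen else "none")
```

The `reachable` callback is where a real client would open its connection to the appliance and, per the Warning above, verify the server's SSL certificate; the DNS answer alone tells the client where to connect, not whether the host at that address is a legitimate IDENTIKEY Authentication Server.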

19. Test Policy Settings


In this section we provide instructions to test policy settings using a RADIUS Client Simulator for:

n Local and back-end authentication
n DIGIPASS assignment options

To complete these tests, you will need to:

1. Download the RADIUS Client Simulator from the delivery package of IDENTIKEY Appliance.
2. Install the RADIUS Client Simulator on a machine which you will use with IDENTIKEY Appliance to create
and configure settings, and test them.

At various points in the process, test logins are recommended to ensure that the previous steps have not caused
unexpected problems. This also helps in troubleshooting, as it helps to pinpoint at which step of the process a prob-
lem occurred.

19.1. Basic Testing Procedure - Prerequisites and Configurations

The basic testing procedure consists of the following steps:

1. Test direct logins to IDENTIKEY Appliance.
2. Test back-end authentication via IDENTIKEY Appliance.
3. Test management features.

Before testing is possible, a DIGIPASS user account must be created (refer to Section 4.3. User Records for information
on how to create such a user account), for which the following configurations are necessary:

n A corresponding Windows user account.
n A stored static password which is the same as the password for the Windows account.
n A DIGIPASS authenticator or Demo DIGIPASS with Response-Only and Challenge/Response applications,
assigned to the DIGIPASS user account. Demo DIGIPASS records need to be imported and assigned to the
account, as explained in Section 4.4. DIGIPASS Records and Assignment. The .dpx files of the Demo
DIGIPASS are part of the delivery package of IDENTIKEY Appliance.
n A RADIUS Client Component needs to be registered in IDENTIKEY Appliance, as explained in Section 4.1. Client
Component Records.
n A test policy needs to be created as explained in Section 19.1.1. Create a Test Policy.

19.1.1. Create a Test Policy

Complete the following procedure to create the required test policy.

Procedure 67: Creating a test policy

1. Launch the Administration Web Interface.
2. Navigate to Policies > Create.

3. Enter the required information:
a. Policy ID: Test
b. Inherits from: Identikey Local Authentication
4. Enter a description if desired.
5. Click on Create.

19.1.2. Set Up Client Record

Configure the default RADIUS client record to use the test policy created in 19.1.1. Create a Test Policy. The
RADIUS Client Simulator will use this component record.

Note
The shared secret for the default RADIUS client record and for the RADIUS Client Simulator is set to default. This
well-known value is acceptable only in a test setup; on a production system, give every RADIUS client record a long,
unique shared secret.

19.1.3. Modifying the Test Policy

Each scenario will require modification of the test policy created in 19.1.1. Create a Test Policy. Use these instruc-
tions to edit the test policy:

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. Navigate to Policies > List.
3. Find and click the test policy.
4. Click the required tab:
a. Local Authentication and back-end authentication settings can be found under the Policy tab
b. Dynamic User Registration, Password Autolearn, and Stored Password Proxy settings can be
found under the User tab.
c. Application Type, Assignment Mode, Grace Period, Serial No. Separator, and Search Upwards in
Org. Unit Hierarchy settings can be found under the DIGIPASS tab.
d. Challenge/Response settings can be found under the Challenge tab.
5. Click Edit.
6. Make the required changes.
7. Click Save.

19.1.4. Testing a Login via the RADIUS Client Simulator

In each scenario, you will need to attempt a login, using the RADIUS Client Simulator. Once it is configured cor-
rectly, simply follow the directions below to try a login:

1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
2. Enter the ID for the user account you are using for test logins in the user ID field.
3. Enter the password for the user account and (if required) a one-time password from the
DIGIPASS authenticator in the Password field.

4. Click on the Login button.

The Status information field will indicate the success or failure of your login.

19.2. Test Local Authentication

This topic covers testing logins handled by IDENTIKEY Appliance with no back-end authentication enabled. Three
login methods will be covered:

n Static password (does not require a DIGIPASS authenticator)
n Response-Only (requires a DIGIPASS authenticator with a Response-Only application)
n Challenge/Response (requires a DIGIPASS authenticator with a Challenge/Response application)

19.2.1. Static Password

Modify Test Policy

Make these changes to the test policy (see 19.1.3. Modifying the Test Policy for instructions):

n Set Local Authentication to DIGIPASS/Password during Grace Period.
n Set Back-End Authentication to None.
n Set Password Autolearn to Yes.

Check Grace Period

Check the record for the DIGIPASS authenticator being used for testing. The grace period should be set for a time in
the future. If it is not, the static password login will fail.

Test Login
Run a test login using the RADIUS Client Simulator (see 19.1.4. Testing a Login via the RADIUS Client Simulator for
instructions), using the user ID and static stored password.

19.2.2. Response-Only

Modify Test Policy

Make these changes to the test policy (see 19.1.3. Modifying the Test Policy for instructions):

n Set Application Type to Response-Only.
n Set Local Authentication to DIGIPASS/Password during Grace Period.
n Set Back-End Authentication to None.

Test Login
Run a test login using the RADIUS Client Simulator (see 19.1.4. Testing a Login via the RADIUS Client Simulator for
instructions), using the DIGIPASS user ID and the one-time password from your DIGIPASS authenticator.

19.2.3. Challenge/Response

Modify Test Policy

Make these changes to the test policy (see 19.1.3. Modifying the Test Policy for instructions):

n Set Application Type to Challenge/Response.
n Set 2-Step Challenge/Response Request Method to Keyword.
n Set Keyword to 2StepCR.
n Set Local Authentication to DIGIPASS/Password during Grace Period.
n Set Back-End Authentication to None.

Test Login
Run a test login using the OneSpan RADIUS Client Simulator (VRADSIM; see 19.1.4. Testing a Login via the RADIUS
Client Simulator for instructions), using the DIGIPASS user ID and the keyword (2StepCR) as the password. Enter the
challenge returned by VRADSIM into your DIGIPASS authenticator. Then log in again with the same DIGIPASS user ID
and the response produced by your DIGIPASS authenticator.

19.3. Test RADIUS Back-End Authentication

In this topic, you will be guided through configuring the IDENTIKEY Authentication Server to use a RADIUS back-end
server, and testing back-end authentication using that back-end server.

19.3.1. Set up Back-End RADIUS Server

There are some steps you will need to follow in order to set up the RADIUS Server to be used for back-end authen-
tication:

Requirements
To complete the recommended steps, you will need:

n An installed RADIUS server.
n An administrator login for the RADIUS server.

Create RADIUS client records

Create a RADIUS client record within the RADIUS server for the machine on which the RADIUS Client Simulator
will be running. Without this RADIUS client record, the direct test requests from the RADIUS Client Simulator
(see 19.3.2. Test Direct Login to RADIUS Server) will be rejected.

You will also need to create a RADIUS client record for the machine on which IDENTIKEY Authentication Server
is running. Without this RADIUS client record, proxied requests from IDENTIKEY Authentication Server will be
rejected. Use a different shared secret for each client record.

Create a user account

Create a user account in the RADIUS server, or identify an existing account that can be used, if preferred.
Make sure this account has the necessary permissions so that a RADIUS Access-Request from both the
RADIUS Client Simulator and from IDENTIKEY Appliance will be accepted (given the correct password has been
provided). Also, make sure this account has some RADIUS reply attributes, so that in the later tests you can see
that the accept actually came from the back-end server.

Enable Tracing
Depending on the RADIUS server product, some facilities will be available for tracing. This may be referred to
as logging or debugging instead. If this is enabled, it will help to find out what is happening if the observed
behavior is not as expected.
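As an added illustration, not taken from the guide (which leaves the RADIUS server product open), the three preparation steps above map onto FreeRADIUS 3 configuration as follows. The choice of FreeRADIUS, the addresses, the secrets and the test account are assumptions; the point is that two separate client records are needed, one per source address, and that the test user carries at least one reply attribute.

```conf
# clients.conf: one client record per host that will send requests. FreeRADIUS
# matches a request to a client record by its source IP address, so the Simulator
# host and the IDENTIKEY Appliance each need their own record and secret.
client radius-client-simulator {
    ipaddr = 192.0.2.50          # assumed: machine running the RADIUS Client Simulator
    secret = Simulator-Only-Secret-Change-Me
}
client identikey-appliance {
    ipaddr = 192.0.2.10          # assumed: IDENTIKEY Appliance, source of the proxied requests
    secret = Appliance-Only-Secret-Change-Me
}

# mods-config/files/authorize (the "users" file): test account with reply attributes,
# so that an Access-Accept visibly comes from this back-end server.
testuser  Cleartext-Password := "password1234"
          Reply-Message = "Accepted by the back-end RADIUS server",
          Session-Timeout = 3600

# Tracing: run the server in the foreground with full debug output while testing.
#   radiusd -X
```

The debug run prints every incoming request with the client record it matched and the reply attributes it returns, which is the tracing facility the paragraph above refers to for this product.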

19.3.2. Test Direct Login to RADIUS Server

Once the RADIUS server has been set up, attempt a direct login using the RADIUS Client Simulator and the DIGIPASS
user account created for testing.

Procedure 68: Testing directly logging on the RADIUS server

1. Open the RADIUS Client Simulator.
2. Enter the IP address of the RADIUS server.
3. Enter the Authentication and Accounting port numbers if they vary from the default.
4. Enter the Shared Secret that was configured in the RADIUS client record you created in the RADIUS server for
the machine running the RADIUS Client Simulator. The RADIUS server selects the client record by the source
address of the request, so the secret of the IDENTIKEY Appliance record does not apply to this direct login.
5. Select a Protocol to use.
6. Click on any port icon to attempt a login.
7. Enter the user ID and password and click on Login.
8. The reply attributes set up for that user account should be displayed in the RADIUS Client Simulator.

19.3.3. Configure IDENTIKEY Appliance for RADIUS Back-End Authentication

19.3.3.1. Local and Back-End Authentication


Local and back-end authentication means that both IDENTIKEY Appliance and the RADIUS server will authenticate
a login. This allows RADIUS reply attributes to be retrieved from the RADIUS server.

In this scenario, the Password Autolearn and Stored Password Proxy features are used. With these features
enabled, IDENTIKEY Appliance will learn the user's RADIUS server password, so that the user does not need to log
in with both their password and DIGIPASS one-time password (OTP) at each login. However, the first time that the
user logs in, they will need to provide their RADIUS server password so that IDENTIKEY Appliance can learn it. In sub-
sequent logins, the user can just log in with their OTP, and IDENTIKEY Appliance will send the stored password to
the RADIUS server.

Modify Test Policy

Make these changes to the test policy (see 19.1.3. Modifying the Test Policy for instructions):

n Set Local Authentication to DIGIPASS/Password during Grace Period.
n Set Back-End Authentication to Always.
n Set Back-End Protocol to RADIUS.
n Set Password Autolearn to Yes.
n Set Stored Password Proxy to Yes.

19.3.3.2. Create Back-End Server Record


IDENTIKEY Appliance needs to be able to locate the RADIUS server. This requires a back-end server record in the
data store. To create a new back-end server record:

Procedure 69: Create new back-end server record

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. Navigate to BACK-END > Register RADIUS Back-End.

3. Enter the following data:

n Back-End Server ID: An identifier for the RADIUS server
n Domain Name: Master if the RADIUS server should process authentication requests from all domains, otherwise
a specific domain
n Priority: Use this if you want to define multiple back-end servers for failover reasons; the one
with the highest priority will be used first
n Authentication IP Address: The IP address that the RADIUS server is using for authentication
requests
n Authentication Port: The port that the RADIUS server is using for authentication requests
n Accounting IP Address: The IP address that the RADIUS server is using for accounting requests
n Accounting Port: The port that the RADIUS server is using for accounting requests
n Shared Secret: The shared secret of the RADIUS server
n Timeout (seconds): Timeout on the connection to the RADIUS server
n Retries: Number of retries before abandoning attempts to send an authentication request to the
RADIUS server
n Character Encoding: Encoding/locale format required by the RADIUS server.
n Include Realm: Specify whether to include the realm in the User-Name RADIUS attribute of an
authentication request.
n Custom Realm: The realm to be included in the User-Name RADIUS attribute of an authentication
request.
4. Click Create to create the record.

19.3.4. Test Logins with Local and Back-End Authentication

1. Configure the test policy for the login method to be tested – i.e. Response-Only, Challenge/Response.
2. Ensure that the RADIUS Client Simulator client record is using the configured policy.
3. In the RADIUS Client Simulator:
a. Enter the IP address of IDENTIKEY Appliance.
b. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
c. Enter the user ID for the user account you are using for test logins in the User ID field.
d. Enter the user account's RADIUS server password followed by an OTP from the
DIGIPASS authenticator in the Password field. There should be no spaces between the password
and the OTP.
e. Click on the Login button.

The Status information field will indicate the success or failure of your logon. Below that you
should see the RADIUS reply attributes from the RADIUS server.

f. Enter a new OTP from the DIGIPASS authenticator into the Password field, without the RADIUS
server password as the first digits.
g. Click on the Login button.

The Status information field will indicate the success or failure of your logon. Below that you
should see the RADIUS reply attributes from the RADIUS server.
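What the RADIUS Client Simulator sends in 19.1.4 and 19.3.4, and what IDENTIKEY Appliance or the back-end server answers, is an RFC 2865 exchange. The following Python program is an added example, not OneSpan code: it builds an Access-Request with the User-Password attribute encrypted under the shared secret, shows that "password followed by OTP with no spaces" is simply one password field on the wire, and checks the Response Authenticator of the reply the way a careful client must. The secret `default`, the NAS address, the test user and the reply attribute are constructed for illustration.

```python
"""What a RADIUS Client Simulator login looks like on the wire (RFC 2865).

Added example, not OneSpan code. The shared secret 'default', the NAS address,
the test user and the reply attribute are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 (at least 16), then
    XOR each block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt, as the server applies it before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(identifier: int, secret: bytes, user_id: str, password_field: str,
                         nas_ip: str = "192.0.2.50",
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator). `password_field` is whatever goes into
    the simulator's Password field: a static password, an OTP, or in 19.3.4 the RADIUS
    password immediately followed by the OTP. It travels as one User-Password attribute."""
    authenticator = authenticator or os.urandom(16)
    body = (attr(USER_NAME, user_id.encode())
            + attr(USER_PASSWORD, pap_encrypt(password_field.encode(), secret, authenticator))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body, authenticator


def build_response(code: int, identifier: int, secret: bytes, request_auth: bytes, attrs: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side. A reply whose authenticator does not verify was not produced with the
    shared secret for this request and must be discarded, whatever its code says."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_login(secret: bytes, user_id: str, password_field: str,
                   accept: bool) -> Tuple[bool, List[Tuple[int, bytes]]]:
    """Constructed round trip standing in for simulator <-> RADIUS server. The server's
    accept/reject decision is given; returns (verified accept, reply attributes)."""
    request, req_auth = build_access_request(7, secret, user_id, password_field)
    recovered = pap_decrypt(dict(parse_attributes(request[20:]))[USER_PASSWORD], secret, req_auth)
    if recovered != password_field.encode():
        raise RuntimeError("server could not recover the password field")
    reply_attrs = attr(REPLY_MESSAGE, b"Reply attribute from back-end") if accept else b""
    response = build_response(ACCESS_ACCEPT if accept else ACCESS_REJECT, 7, secret, req_auth, reply_attrs)
    ok = verify_response(response, req_auth, secret) and response[0] == ACCESS_ACCEPT
    return ok, parse_attributes(response[20:])


if __name__ == "__main__":
    # Static password followed directly by the OTP, as in 19.3.4 step d (no space between them).
    print(simulate_login(b"default", "testuser", "password1234" + "123456", accept=True))
```

Two things follow for the tests in this chapter: the password and OTP are separated by IDENTIKEY Appliance from one opaque field, which is why the OTP length must be unambiguous; and the shared secret is all that protects the User-Password attribute and authenticates the reply, which is why the default secret from 19.1.2 belongs only in a lab.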

19.4. Test Management Features

In this topic, you will be guided through the testing of basic management features in IDENTIKEY Appliance.

19.4.1. Auto-Assignment

Note
When maker–checker authorization is enabled, assigning a DIGIPASS authenticator requires the approval of a
checker administrator. In that case, Auto-Assignment is not available.

Initial Setup
1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. Navigate to Clients > List.
3. Click on the client record for the RADIUS Client Simulator.
4. Ensure that the Test Policy is selected in the Policy drop down list.
5. Click on OK.
6. Make these changes to the test policy (see 19.1.3. Modifying the Test Policy for instructions):
n Set Local Authentication to DIGIPASS/Password during Grace Period.
n Set Back-End Authentication to Always.
n Set Back-End Protocol to RADIUS.
n Set Password Autolearn to Yes.
n Set Stored Password Proxy to Yes.
n Set Dynamic User Registration to No.
n Set Assignment Mode to Neither.
n Set Grace Period (days) – 7 days is the standard time period used.
n Set Search Upwards in Org. Unit Hierarchy to Yes.
n Set Application Type to No Restriction.
7. Create or use a user account in the RADIUS server which does not currently have a corresponding DIGIPASS
user account.
8. Check that at least one unassigned DIGIPASS authenticator is available in the DIGIPASS Container.

Test Auto-Assignment - 1
In the following test, both Dynamic User Registration and Auto-Assignment should fail, meaning that no DIGIPASS
user account will be created, and no DIGIPASS authenticator will be assigned to the user. This confirms that the
policy settings (Dynamic User Registration set to No, Assignment Mode set to Neither) are being enforced for the
RADIUS Client Simulator's client record.

In the RADIUS Client Simulator:

9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
10. Enter the user ID for the RADIUS server user account you created earlier (refer to Initial Setup) in the User ID
field.
11. Enter the password for the RADIUS server user account.
12. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a DIGIPASS user account has been created, search for the user account record in the
Administration Web Interface. If it does not exist, the test has been successful.

Modify Settings
Make these changes to the test policy (refer to 19.1.3. Modifying the Test Policy for instructions):

13. Set Dynamic User Registration to Yes.
14. Set Assignment Mode to Auto-Assignment.

Test Auto-Assignment - 2
In the following test, both Dynamic User Registration and Auto-Assignment should succeed, meaning that a
DIGIPASS user account will be created, and an available DIGIPASS authenticator will be assigned to the user.

In the RADIUS Client Simulator:

15. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
16. Enter the user ID for the RADIUS server user account you created earlier (refer to Initial Setup) in the User ID
field.
17. Enter the password for the user account.
18. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a DIGIPASS user account has been created, search for the user account record in the
Administration Web Interface.

To check whether a DIGIPASS authenticator has been assigned to the user:

19. Click on Assigned DIGIPASS.
20. If a DIGIPASS authenticator is listed, the user has been assigned the listed authenticator.
21. Check the grace period end field to see that a grace period of the correct length (7 days by default) has
been set.

Check Grace Period

22. Password login: Using the RADIUS Client Simulator, attempt a login using the RADIUS server user's ID and
password only. If the grace period is still effective, this should be successful.
23. OTP login: Using the RADIUS Client Simulator, attempt a login using the RADIUS Server user's ID and one-
time password (OTP). This should be successful.
24. Password login: Using the RADIUS Client Simulator, attempt a login using the RADIUS Server user's ID and
password only. As the OTP login from the previous step should have ended the grace period for the
DIGIPASS authenticator, this login should fail.
25. Check the grace period end in the user record. It should contain today's date.

19.4.2. Self-Assignment

To complete this test, you will need to have a DIGIPASS authenticator physically available, and free to be assigned
to a test user account.

Initial Setup
1. Make these changes to the test policy (see 19.1.3. Modifying the Test Policy for instructions):
n Set Dynamic User Registration to No.
n Set Assignment Mode to Neither.
n Set Search Upwards in Org. Unit Hierarchy to Yes.
n Set Serial No. Separator to : (colon).
2. Create or use a user account in the RADIUS Server which does not currently have a corresponding
DIGIPASS user account.
3. Check that the desired DIGIPASS authenticator is in the DIGIPASS Container and unassigned.

Test Self-Assignment - 1
In the following test, both Dynamic User Registration and Self-Assignment should fail, meaning that a DIGIPASS
user account will not be created, and the selected DIGIPASS authenticator will not be assigned to the user.

In the RADIUS Client Simulator:

4. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
5. Enter the user ID for the RADIUS server user account you created earlier (refer to Initial Setup) in the User ID
field.
6. Enter the serial number for the DIGIPASS authenticator, the separator, the RADIUS server user's password,
a Server PIN (if required) and a one-time password from the authenticator into the Password field, e.g.
98765432:password12340098787 with the : (colon) separator configured in Initial Setup; the separator in the login
must match the policy's Serial No. Separator (see the Login Permutations topic in the IDENTIKEY
Authentication Server Administrator Reference for more information).
7. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

A successful test should result in a failed login and no new DIGIPASS user account created. To check whether a
DIGIPASS user account has been created, search for the user account record in the Administration Web Interface.

Modify Settings
8. Make these changes to the test policy:
n Set Dynamic User Registration to Yes.
n Set Assignment Mode to Self-Assignment.

Test Self-Assignment - 2
In the following test, both Dynamic User Registration and Self-Assignment should succeed, meaning that a
DIGIPASS user account will be created, and the intended DIGIPASS authenticator will be assigned to the user.

In the RADIUS Client Simulator:

9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
10. Enter the user ID for the RADIUS server user account you created earlier (refer to Initial Setup) in the User ID
field.
11. Enter the serial number for the DIGIPASS authenticator, the separator, the RADIUS server user's password,
a Server PIN (if required) and a one-time password from the DIGIPASS authenticator into the Password field, e.g.
98765432:password12340098787 with the : (colon) separator configured in Initial Setup (see the Login Permutations
topic in the IDENTIKEY Authentication Server Administrator Reference for more information).
12. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a DIGIPASS user account has been created, search for the user account record in the
Administration Web Interface.

To check whether the DIGIPASS authenticator has been assigned to the user:

13. Click on DIGIPASS Assignment.
14. If the authenticator is listed under this tab, it has been assigned to the DIGIPASS user account.

Check Grace Period
15. Check that a grace period has not been set.

Password login
16. Using the RADIUS Client Simulator, attempt a login using the RADIUS server user's ID and password only.
This should fail, as a grace period is not set for self-assignment.

OTP login
17. Using the RADIUS Client Simulator, attempt a login using the RADIUS server user's ID and one-time pass-
word. This should be successful.

20. Administration Tasks


20.1. Scheduled Task Management

IDENTIKEY Appliance allows you to schedule selected tasks to run at specific times. Certain tasks can be sched-
uled to run either immediately, or on a specified time and date. You can also schedule recurring tasks for running
reports. These can be scheduled to recur on a daily or monthly basis.

20.1.1. Viewing and Editing Scheduled Tasks

Procedure 70: Viewing a scheduled task

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. In the Administration Web Interface, select Servers > Task Management. A list of scheduled tasks is dis-
played.
3. Click on any scheduled task to view or edit details.

Procedure 71: Editing a scheduled task

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching
IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. In the Administration Web Interface, select Servers > Task Management. A list of scheduled tasks is dis-
played.
3. Click on the scheduled task you wish to edit.
4. Click the appropriate button to perform any of the following functions:
n Cancel
n Delete
n Disable
n Enable
n Edit

The Edit button allows you to change the options and schedule of a task. After editing a task, click Save.

21. Monitoring
Warning
If your organization is impacted by the General Data Protection Regulation (GDPR), you need to ensure that the
monitoring data, which can contain personal data, is handled in a GDPR-compliant way.

When auditing:

n If remote logging is used, the connection to any remote syslog servers should be over a secure network. Standard
syslog forwarding is neither encrypted nor authenticated, so the path to the collector must be a trusted management
network or an encrypted tunnel.
n If log files are downloaded, the administrator must take care to protect them.

If using tracing or diagnostic log files:

n Configure log file rotation, so that diagnostic data is not retained indefinitely.

For more information on GDPR, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance
Guide.

21.1. Overview

The Log File Management screen in the IDENTIKEY Appliance Configuration Tool provides an overview of the disk space
used by the monitoring information generated and stored on IDENTIKEY Appliance (explained in Section 21.2. Disk Use).
Three sources of information are available:

n Logging: if you encounter a problem with the Configuration Tool, you need to search the logging inform-
ation. Logged events are presented in a live viewer. We explain how to manage and use log files in Sec-
tion 21.3. Logging.
n Auditing: if you encounter a problem with any actions in the IDENTIKEY Authentication Server Admin-
istration Web Interface, or with IDENTIKEY Authentication Server services such as authentication, you need
to search the Audit files. Audit records are presented in a live viewer. We explain how to manage and use
Audit files in Section 21.4. Auditing.
n Tracing: if you are unable to identify the problem from information provided from Auditing or Logging, you
can also use Tracing. Tracing information can be viewed in a text editor, as explained in Section 21.5. Tra-
cing.

For more information on the concepts of logging, auditing and tracing, please refer to the IDENTIKEY Appliance
Product Guide.

In addition to monitoring IDENTIKEY Appliance, it is also possible to enable the Simple Network Management Protocol
(SNMP), which is used by network management systems to monitor devices on the network that may need attention. SNMP
thus allows IDENTIKEY Appliance to be monitored by a managing application. How to configure SNMP is explained in
Section 21.6. Configuring SNMP.

21.2. Disk Use

For an overview of the disk space used for the three types of monitoring, navigate to Monitoring > Log File Man-
agement. The top part of the Log File Management screen shows the disk space used for storage of the three
types of data (see image below).

To view

n the number and sizes of audit database parts: select the Databases row (see image below).
n the number and sizes of trace files: select the Trace Files row.
n the number and sizes of log files: select the System Logs row.

Image 50: IDENTIKEY ApplianceConfiguration Tool Disk Use Overview

Note
The disk space used for a data source and the combined sizes of its database parts, log files, or trace files do not
necessarily match, because additional space is used at the disk partition level.

21.3. Logging

Logging uses information generated about events in the IDENTIKEY Appliance Configuration Tool and includes
information about operations such as updating, backup and restore. For example, a log entry might be:
Backup was created successfully.
Logging is based on the syslog utility, which supports local and remote storage and processing of logs. Settings
can be configured in the Configuration Tool manually or using the Configuration Wizard.
Logged events are accumulated in a file up to a maximum of 80,000 lines; after this threshold is reached, a new file is
opened. A fixed number of files are archived, and rotation replaces the oldest file with the latest one, so log files
are cleaned up automatically.

Log data can also be sent to a remote syslog-compliant server.

In this section we provide instructions on:

n Configuring logging (see Procedure 72: Configuring the type of logging)
n Configuring remote logging (see Procedure 73: Configuring remote logging)
n Viewing and filtering files in the live log viewer (see Procedure 74: Viewing and filtering log files)
n Downloading and deleting log files (see Procedure 75: Downloading and deleting log files)

21.3.1. Configuring Logging

Procedure 72: Configuring the type of logging

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launch-
ing IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. Navigate to Settings > Logging.
3. Click on the arrow icon to view the drop-down list of Log levels to select the required level (refer to the
IDENTIKEY Appliance Administrator Reference).
4. Click Save to finish.

Image 51: Configuring Logging

Procedure 73: Configuring remote logging

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launch-
ing IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).
2. Navigate to Settings > Logging (see Image 52: Configuring Remote Logging) and enter the IP address of
the syslog-compliant server for viewing log data remotely. Multiple IP addresses can be entered in a
comma-separated list.
3. Click on the arrow icon to view the different levels of logging. For an explanation of these levels, refer to
the IDENTIKEY Appliance Administrator Reference.


4. Click Save to finish.

Image 52: Configuring Remote Logging

For more information about the relevant fields, refer to the IDENTIKEY Appliance Administrator Reference.

21.3.2. Managing Log Files

A live log viewer in the IDENTIKEY Appliance Configuration Tool allows monitoring of Configuration Tool events. Live log views can be filtered by log level and/or by keyword.


Image 53: Live Log Viewer

Procedure 74: Viewing and filtering log files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Monitoring > System Logs.

Image 54: Viewing Logs


3. Filtering is possible by using simple or advanced filters.

• To use the simple filter, enter in the Filter field the characters to be searched for in the message part of the log (e.g. start in Image 55: Simple Log Filter Entry and Result). Only lines with content matching the filter field entry will be listed (see the result in the lower part of Image 55: Simple Log Filter Entry and Result). To clear the filter, click X.

Image 55: Simple Log Filter Entry and Result

• To use the advanced filter, click on the arrow (highlighted in the image below) to the right of the Filter field to open the Advanced Filter dialog (see Image 57: Advanced Log Filter Fields). Refer to Table 11: Log Filter Fields for an explanation of how to search using any of the filter fields.

Image 56: Using the Advanced Filter


Image 57: Advanced Log Filter Fields


Table 11: Log Filter Fields

Start Date: Click on the icon to select a date from the calendar. Only records after the date specified are displayed.
End Date: Click on the icon to select a date from the calendar. Records up to and including the entered date are displayed.
Facility is: Click on the drop-down menu to select one of the facility types, e.g. kern, user, or mail. Only logs referencing this facility are displayed.
Level at least: Click on the drop-down menu to select one of the levels, e.g. error or warning. Only logs referencing this level are displayed. For a list of the log levels, please refer to the IDENTIKEY Appliance Administrator Reference.
Program contains: Enter a search string. Only records with a program matching the search string are displayed.
Process ID: Enter the process ID to use as a filter parameter for your search.
Message contains: Enter a search string. Only records with a message matching the search string are displayed.

Note
It is only possible to access the Advanced Filter when the Simple Filter is clear. To clear the simple filter, click on
the X icon by the Filter field.

Procedure 75: Downloading and deleting log files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Monitoring > Log File Management and click on System Logs. Available log files will be listed below.

3. Click on the disk icon to the right of an available log file to download it or the trash can icon to delete it (see Image 58: Downloading System Log Files).


Image 58: Downloading System Log Files

Note
Clicking on the trash can to delete the log file will also delete all older log files.

21.4. Auditing

Auditing uses information generated about events in the IDENTIKEY Authentication Server, LDAP Synchronization and Configuration Tool components, as well as system and user actions. Auditing can be managed via the IDENTIKEY Appliance Configuration Tool using the live audit viewer. It happens in real time, allowing administrators to view a limited number of recent events, and includes, amongst others, information about administration events, authentication attempts and RADIUS accounting. For example, an event might be: User successfully authenticated.

Note
Auditing information also includes RADIUS accounting data.

Audit records are accumulated in a database part for one month or up to a maximum of 500 MB, whichever limit is reached first. IDENTIKEY Appliance detects when audit data is using too much hard disk space and automatically cleans the oldest information.

In this section we provide instructions on:

• Overview of IDENTIKEY Authentication Server audit settings
• Viewing, filtering and exporting files in the live Audit Viewer (see Procedure 76: Viewing and filtering audit files)
• Exporting audit files (see Procedure 77: Exporting audit files)
• Downloading and deleting audit files (see Procedure 78: Downloading and deleting audit files)


21.4.1. Audit Settings

To configure the settings for auditing IDENTIKEY Authentication Server, navigate to Authentication Server > Audit
Settings in the IDENTIKEY Appliance Configuration Tool.

Via the IDENTIKEY Authentication Server audit settings, you can:

• Specify which message type is sent to the syslog
• Enable the Remote Audit Viewer and its associated settings
• Enable SSL connections for the Audit Viewer, select the level of the used SSL cipher suite, download a server certificate and set a password for the certificate
• Configure the verification Certificate Authority certificate file for the SSL client certificate and associated settings.

Image 59: Configuring IDENTIKEY Authentication Server Audit Settings in the Configuration Tool

The following sections outline the audit settings for IDENTIKEY Authentication Server in the IDENTIKEY Appliance
Configuration Tool. For a detailed description of these fields, refer to the section on Configuration Tool field listings
in the IDENTIKEY Appliance Administrator Reference.

21.4.1.1. Send Audit Messages to Syslog Settings


Here you can select the message types that are to be sent to the syslog. Available message types are:


• Error
• Warning
• Info
• Success
• Failure

For a detailed description of the audit message types, refer to the IDENTIKEY Appliance Product Guide.

21.4.1.2. Remote Audit Viewer Settings


Here you can enable the remote Audit Viewer and configure the following settings:

• Set the maximum number of Audit Viewer clients connected to IDENTIKEY Authentication Server at the same time
• Set the maximum period of time in seconds until an authentication times out
• Select the types of audit messages to be sent

For a detailed description of the audit message types, refer to the IDENTIKEY Appliance Product Guide.

Note
If you wish to secure the audit connection with SSL you can do so by enabling SSL connections for the Audit
Viewer. This means that your browser will use an SSL-secured connection (i.e. via HTTPS).

21.4.1.3. SSL Cipher Suite Security Level Settings


Select the required cipher suite security level for the Audit Viewer here. IDENTIKEY Authentication Server supports
SSL cipher suites defined under the security levels Very High, High, Medium, and Low. For more information, refer
to the section on SSL Cipher Suites in the IDENTIKEY Appliance Administrator Reference.

21.4.1.4. Server Certificate


Here you can select a valid certificate previously created/imported using the Certificate Management tab (see 13.2. Using Server Certificates).

21.4.1.5. Client Certificate Verification Settings


You can configure the following here:

• Set IDENTIKEY Authentication Server to require a client certificate whenever a client attempts a connection.
• Select the CA certificate used to authenticate the clients from all valid and trusted CA certificates imported using the Certificate Management tab (see 13.3. Using CA Certificates for Client Verification).
• Configure IDENTIKEY Authentication Server to perform an SSL handshake each time the Audit Viewer is reconnected to IDENTIKEY Authentication Server. Enabling this option may incur a performance penalty, so it should only be enabled if absolutely necessary.


21.4.2. Managing Audit Files

Individual audit records can be viewed in the live audit viewer (see Image 60: Live Audit Viewer), filtered, and
exported (see Procedure 77: Exporting audit files) in the IDENTIKEY Appliance Configuration Tool.

Events generated by the IDENTIKEY Authentication Server component for auditing are stored in the internal data-
base and moved to an audit database on a monthly basis or until a maximum audit data size of 500 MB is reached.
When this limit is exceeded, new audit data is stored in a new database part.

Parts of the database can be downloaded and deleted via the IDENTIKEY Appliance Configuration Tool. Downloading is the same as exporting, but uses a format compatible with IDENTIKEY Authentication Server (see Procedure 77: Exporting audit files).

For more information on auditing, refer to the IDENTIKEY Appliance Product Guide.

Image 60: Live Audit Viewer

Procedure 76: Viewing and filtering audit files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Monitoring > Audit Logs.

Image 61: Viewing the Live Audit Viewer


3. Filtering is possible by using simple or advanced filters.

• To use the simple filter, enter in the Filter field the characters to be searched for in the message part of the audit information (e.g. SOAP in Image 62: Simple Audit Filter Entry and Result). Only lines with content matching the filter field entry will be listed (see the result in the lower part of Image 62: Simple Audit Filter Entry and Result). To clear the filter, click X.

Image 62: Simple Audit Filter Entry and Result


• To use the advanced filter, click on the arrow (highlighted in the image below) to the right of the Filter field to open the Advanced Filter dialog (see Image 64: Advanced Audit Filter Fields). For more information about searching using the filter fields, see Table 12: Audit Filter Fields.

Image 63: Using the Advanced Filter


Image 64: Advanced Audit Filter Fields


Table 12: Audit Filter Fields

Start Date: Click on the icon to select a date from the calendar. Only records after the date specified are displayed.
End Date: Click on the icon to select a date from the calendar. Records up to and including the entered date are displayed.
Type is: Click on the drop-down menu to select one of the message types described in Section 21.4.1.1. Send Audit Messages to Syslog Settings. Only records referencing this message type are displayed.
Source contains: Searching on this field is only relevant if you have a replication setup (see section 12.1. Replication Wizard). Enter the name of the relevant instance of IDENTIKEY Authentication Server. Only records generated from this server are displayed.
Category contains: Enter a category type, e.g. Administration or Authentication. Only records with a category matching the category entered in this field are displayed.
Code contains: Enter an error code. Only records with a matching error code are displayed. For a list of possible error codes, refer to the IDENTIKEY Appliance Administrator Reference.
Host contains: Enter an IP address. Only records with a matching IP address are displayed.
Hostname contains: Enter a host name. Only records with a matching host name are displayed.
Description contains: Enter a string. Only records with a matching string in the Description field are displayed.
Field ... contains: Click on the drop-down menu to select a field. All possible fields which can be searched on are listed. Select a field, and enter the matching string to be searched for. Only matching records are displayed.

Note
It is only possible to access the Advanced Filter when the Simple Filter is clear. To clear the simple filter, click on the X icon by the Filter field.

Procedure 77: Exporting audit files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Monitoring > Audit Logs.
3. Click on Export (see highlighted field in Image 65: Exporting from the Audit Viewer); a dialog opens (see
Image 66: Exporting Audit Files). Fields are explained in Table 13: Audit Export Fields.

Image 65: Exporting from the Audit Viewer

Image 66: Exporting Audit Files


Table 13: Audit Export Fields

Start date: Click on the icon to select a date from the calendar. Only records after the date specified are displayed.
End date: Click on the icon to select a date from the calendar. Records up to and including the entered date are displayed.
Source: Searching on this field is only relevant if you have a replication setup (see section 12.1. Replication Wizard). Enter the name of the relevant IDENTIKEY Authentication Server. Only records generated from this server are displayed.
Category: Enter a category type, e.g. Administration or Authentication. Only records with a category matching the category entered in this field are displayed.
Host: Audit records can be exported for all servers, or only the local host.
Output Format: Export data can be formatted:
  • for IDENTIKEY Authentication Server compatibility: this allows the exported data to be imported to an instance of IDENTIKEY Authentication Server acting as a dedicated reporting server in a setup with multiple instances of IDENTIKEY Authentication Servers and/or IDENTIKEY Appliance servers.
  • for Comma-Separated Variable (CSV) compatibility: this commonly used format allows the data to be imported by other auditing systems.

Note
The CSV format option for exporting auditing data creates a file in which the separator character is a tab,
not a comma, although still called CSV format.

Procedure 78: Downloading and deleting audit files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Navigate to Monitoring > Log File Management and click on Databases (see Image 67: Downloading Audit Files). Available audit files will be listed below.
3. Click on the download icon to the right of an available audit file to download it or the trash can icon to delete it. The arrow next to the trash can icon indicates that multiple logs are available and will be deleted (see Image 67: Downloading Audit Files).


Image 67: Downloading Audit Files

Note
• Downloading is the same as the export functionality described above and uses the IDENTIKEY Authentication Server-compatible format.
• Clicking on the trash can to delete the log file will also delete all older log files.

21.4.3. Secure Auditing

An option is available to enable Secure Auditing during the installation of IDENTIKEY Appliance.

Secure Auditing provides the following:

Integrity protection
With Secure Auditing, IDENTIKEY Appliance uses a non-viewable encrypted signature added to each line of an
audit file, or each row of an audit data store. This prevents any operator from making untraceable manual
changes to the audit file.

Independent verification
Each audit file or data store can be verified using the Secure Auditing Verification Tool.

Non-repudiation
Secure Auditing verifies audit data by comparing each signed line or row of audit data with the previous and
subsequent entries in the audit data.

21.4.3.1. How Secure Auditing Works


Secure Auditing adds a cryptographic signature to each audit message written to the output. The signature relates each message entry to the previous and subsequent entries. External auditors can cryptographically verify each signature and confirm that no lines have been manually deleted from or added to the audit information; the relationship between the entries is verifiable using the Secure Auditing Verification Tool.


Each audit message entry belongs to an epoch, which is a period delimited either by time or by number of audit messages. At the end of each epoch the encryption key is changed. A message is written to the audit file to indicate that an epoch has ended, and another message is written to indicate that a new epoch has begun. The length of each epoch is defined during initial configuration, and a new epoch always begins at midnight. Each epoch message contains the information required by the Secure Auditing Verification Tool to decrypt the signatures for that epoch; this information is located at the start of the epoch message.

If a Hardware Security Module (HSM) is used, Secure Auditing relies on public and private keys on the HSM for
encryption. Where no HSM is used, Secure Auditing uses a master audit keystore, and public and private keys ran-
domly generated for each epoch.

On IDENTIKEY Appliance you can only configure Secure Auditing via the IDENTIKEY Authentication Server Setup Wizard; to configure it again later, you must reset the appliance to factory defaults. For more information about configuring Secure Auditing, refer to the IDENTIKEY Appliance Installation and Maintenance Guide.

21.4.3.2. Secure Auditing Verification Tool


Secure Auditing output can be verified using the Secure Auditing Verification Tool. This tool scans the Secure Auditing output and verifies that all the entries are in order and that nothing has been removed or added. Processing results are produced and the verification is reported as either Passed or Failed. You can optionally specify a trace file to which Secure Auditing lines that fail verification will be written.

The Secure Auditing Verification Tool is a command-line utility installed with IDENTIKEY Appliance.

Procedure 79: Using the Secure Auditing Verification Tool

1. Open a command-line prompt.


2. To verify a Secure Auditing audit output file with the Secure Auditing Verification Tool, run the following command:
   /usr/bin/auditvt -cert <certname> -audit_file <auditfilename> -trace_file <tracefilename>
   where:
   • <certname> is the absolute path of the Audit Master Public Keypair, in PEM format.
   • <auditfilename> is the absolute path of the Secure Auditing output file that you want to verify.
   • <tracefilename> is a file to which Secure Auditing file entries that do not pass verification can be written. This parameter is optional.
3. The Secure Auditing Verification Tool will scan the specified file and produce results similar to those shown in the example below. The overall status of the file is shown at the end of the messages. In this case the status is Passed.

Example
The following is sample Secure Auditing Verification Tool output:
===[ Verification Summary ]==============================
Successfully verified epoch headers :0
Successfully verified epoch footers :0
Successfully verified audit messages :0
Non-secure audit messages found :5
Secure audit failures :0
Secure audit warnings :0
Secure audit messages checked :5
=========================================================
Verification: Passed
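The epoch-chained signature scheme outlined in Section 21.4.3.1 and the pass/fail summary produced by the verification tool in Procedure 79, worked through as an added example; this is not OneSpan's code, record format, key handling or the auditvt tool. It assumes JSON-lines records with the hypothetical fields type, epoch, seq, msg and sig, and uses HMAC-SHA256 under a per-epoch key derived from a constructed master secret in place of the public/private key pairs the product uses; the verifier detects deleted, inserted or modified entries and counts unsigned lines as non-secure messages, as the tool's summary does.

```python
"""Toy model of an epoch-chained, signed audit trail (added example, not OneSpan's format)."""
import hashlib
import hmac
import json

MASTER_KEY = b"constructed-master-audit-key-for-demo"  # constructed; not a real key
GENESIS = "0" * 64  # stands in for the "previous signature" of the very first entry
COUNTER_FOR = {"EPOCH_BEGIN": "epoch_headers", "EPOCH_END": "epoch_footers",
               "AUDIT": "audit_messages"}


def epoch_key(master, epoch_id):
    """Derive a fresh key per epoch, so the key changes at every epoch boundary."""
    return hmac.new(master, b"epoch:%d" % epoch_id, hashlib.sha256).digest()


def sign(key, rec_type, epoch_id, seq, prev_sig, msg):
    """HMAC over the entry's own fields plus the previous entry's signature (the chain link)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (rec_type, str(epoch_id), str(seq), prev_sig, msg):
        h.update(part.encode())
        h.update(b"\x00")  # unambiguous field separator
    return h.hexdigest()


def write_secure_audit(messages, epoch_len=3):
    """Emit JSON lines: per epoch an EPOCH_BEGIN header, up to epoch_len AUDIT entries, an EPOCH_END footer."""
    lines, prev, epoch_id = [], GENESIS, 0
    for start in range(0, len(messages), epoch_len):
        epoch_id += 1
        key = epoch_key(MASTER_KEY, epoch_id)
        batch = [("EPOCH_BEGIN", "")]
        batch += [("AUDIT", m) for m in messages[start:start + epoch_len]]
        batch.append(("EPOCH_END", ""))
        for seq, (rec_type, msg) in enumerate(batch):
            rec = {"type": rec_type, "epoch": epoch_id, "seq": seq}
            if rec_type == "AUDIT":
                rec["msg"] = msg
            rec["sig"] = sign(key, rec_type, epoch_id, seq, prev, msg)
            lines.append(json.dumps(rec))
            prev = rec["sig"]  # the next entry is bound to this one
    return lines


def verify_secure_audit(lines, master=MASTER_KEY):
    """Re-walk the chain. Returns (passed, summary counters, [(line_no, reason), ...])."""
    summary = {"epoch_headers": 0, "epoch_footers": 0, "audit_messages": 0,
               "non_secure": 0, "failures": 0, "checked": 0}
    problems = []
    prev, expect_epoch, expect_seq, key = GENESIS, 1, 0, None
    for line_no, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None
        if not isinstance(rec, dict) or "sig" not in rec:
            summary["non_secure"] += 1  # unsigned line: reported, but not part of the chain
            continue
        summary["checked"] += 1
        rec_type, epoch_id, seq = rec.get("type"), rec.get("epoch"), rec.get("seq")
        if rec_type == "EPOCH_BEGIN" and isinstance(epoch_id, int):
            key = epoch_key(master, epoch_id)  # key rotates with each epoch header
        reasons = []
        if epoch_id != expect_epoch or seq != expect_seq:
            reasons.append("gap: expected epoch %d seq %d" % (expect_epoch, expect_seq))
        expected_sig = (sign(key, str(rec_type), epoch_id, seq, prev, str(rec.get("msg", "")))
                        if key else None)
        if expected_sig != rec["sig"]:
            reasons.append("signature mismatch")
        if reasons:
            summary["failures"] += 1
            problems.append((line_no, "; ".join(reasons)))
        elif rec_type in COUNTER_FOR:
            summary[COUNTER_FOR[rec_type]] += 1
        # resynchronise on the entry as written, so one missing entry yields one failure
        prev = str(rec["sig"])
        if rec_type == "EPOCH_END":
            expect_epoch = (epoch_id if isinstance(epoch_id, int) else expect_epoch) + 1
            expect_seq = 0
        elif isinstance(seq, int):
            expect_seq = seq + 1
    return summary["failures"] == 0, summary, problems


if __name__ == "__main__":
    # constructed sample events, in the style of the guide's "User successfully authenticated"
    trail = write_secure_audit(["User alice successfully authenticated",
                                "User bob authentication failed",
                                "Policy updated by admin", "RADIUS accounting start",
                                "User carol successfully authenticated"])
    print(verify_secure_audit(trail))  # passes: 2 headers, 2 footers, 5 messages
    del trail[2]                       # remove one audit line from the first epoch
    print(verify_secure_audit(trail))  # fails and names the line where the chain breaks
```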

21.5. Tracing

IDENTIKEY Appliance trace files contain debugging and troubleshooting information. The content can help
OneSpan support engineers and experienced end-customers to troubleshoot specific issues.

Tracing tasks include:

• Configuring tracing for:
  • IDENTIKEY Authentication Server (see 21.5.1. Configuring Tracing for IDENTIKEY Authentication Server)
  • Message Delivery Component (MDC) (see 21.5.2. Configuring Tracing for Message Delivery Component (MDC))
  • LDAP User Synchronization (see 21.5.3. Configuring Tracing for LDAP User Synchronization)
• Downloading and deleting trace files (see 21.5.4. Managing Trace Files)

Note
Enabling and configuring log rotation configures automatic clean-up for IDENTIKEY Authentication Server and Message Delivery Component (MDC) trace files. LDAP trace files are not automatically purged and therefore need to be deleted manually.

21.5.1. Configuring Tracing for IDENTIKEY Authentication Server

IDENTIKEY Authentication Server trace files provide information about IDENTIKEY Authentication Server trace events
and are available via the IDENTIKEY Appliance Configuration Tool.

Procedure 80: Configuring tracing for IDENTIKEY Authentication Server

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).


2. Select Authentication Server > Tracing Settings.

Image 68: Configuring Tracing for IDENTIKEY Authentication Server

3. Select the trace level required.

None disables tracing. Basic or Full enable tracing with increasing detail levels. Debug must only be used
if instructed to do so by OneSpan customer support.

For more information about the different tracing levels, refer to the IDENTIKEY Appliance Administrator
Reference.

4. (OPTIONAL) Enable log rotation by selecting Enable Log Rotation and configure log rotation settings.

Log rotation specifies if and when new log files are created, based on either the log file age or the log file size. For instance, if you select size and specify 50 MB, trace information will be stored in the file until a size of 50 MB is reached, after which a new file will be created. The number of archived log files specifies how many log files are kept at most; if required, the oldest log file will be overwritten.

5. Click Save.

21.5.2. Configuring Tracing for Message Delivery Component (MDC)

Message Delivery Component (MDC) trace files provide information related to Virtual Mobile Authenticator.

Procedure 81: Configuring tracing for Message Delivery Component (MDC)

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Authentication Server > Message Delivery Component.


Image 69: Configuring Tracing for Message Delivery Component (MDC)

3. Select the trace level required.

None disables tracing. Basic or Full enable tracing with increasing detail levels.

For more information about the different tracing levels, refer to the IDENTIKEY Appliance Administrator
Reference.

4. (OPTIONAL) Enable log rotation by selecting Enable Log Rotation and configure log rotation settings.

Log rotation specifies if and when new log files are created, based on either the log file age or the log file size. For instance, if you select size and specify 50 MB, trace information will be stored in the file until a size of 50 MB is reached, after which a new file will be created. The number of archived log files specifies how many log files are kept at most; if required, the oldest log file will be overwritten.

Select Compress Archived Logs to save disk space.

5. Click Save.

21.5.3. Configuring Tracing for LDAP User Synchronization

IDENTIKEY Authentication Server trace files provide information about LDAP user synchronization trace events and
are available via the IDENTIKEY Appliance Configuration Tool.

Procedure 82: Configuring Tracing for LDAP user synchronization

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Authentication Server > LDAP User Synchronization.


Image 70: Configuring Tracing for LDAP User Synchronization

3. Select the trace level required.

None disables tracing. Basic or Full enable tracing with increasing detail levels.

For more information about the different tracing levels, refer to the IDENTIKEY Appliance Administrator
Reference.

4. Click Save.

Note
LDAP user synchronization trace files cannot be rotated or automatically cleaned up. While tracing is enabled, all
LDAP user synchronization records are stored to a single file on the hard disk.

21.5.4. Managing Trace Files

You can download and delete trace files using the IDENTIKEY Appliance Configuration Tool.

Procedure 83: Managing Trace Files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Monitoring > Logfile Management.


Image 71: Managing Trace Files

3. Click Trace Files to get a list of all available trace files for IDENTIKEY Authentication Server, MDC, and LDAP
user synchronization in the Trace Files pane below.

4. Do one of the following:

• If you want to download a trace file, click the disk icon.
• If you want to delete a trace file, click the trash can icon.

Downloaded trace files can be viewed with a text editor.

21.6. Configuring SNMP

Simple Network Management Protocol (SNMP) is an Internet standard protocol used to manage components on an
IP network. Its main use is to query the system for information and to monitor components in the network for mes-
sages that indicate that components require administrative attention. SNMP can be used to monitor the IDENTIKEY
Appliance system and performance, and can be configured using the IDENTIKEY Appliance Configuration Tool.

Net-SNMP is a software suite for using and deploying SNMP. SNMP typically uses administrative machines, referred to as managers, which monitor a group of components (machines, other devices) on a computer network. An agent, a piece of software, runs at all times on the managed network and reports events back to the applicable manager via SNMP.

Note
IDENTIKEY Authentication Server does not ship with a predefined set of events for which notifications can be sent out via SNMP traps (for more information about SNMP traps, see 23. System Monitoring). Using the IDENTIKEY Authentication Server Configuration Utility or the IDENTIKEY Authentication Server Administration Web Interface, server administrators can define their own set of events for which they want to send out notifications. These events, raised via SNMP traps, are called security alerts. IDENTIKEY Authentication Server uses a OneSpan vendor-specific SNMP trap definition to send out SNMP traps for these security alerts.


21.6.1. Monitoring IDENTIKEY Appliance via a Management Application

It is possible to monitor IDENTIKEY Appliance via a management application and an SNMP server. This feature
allows you to request information from IDENTIKEY Appliance via SNMP.

Additional information can be added to the SNMP server, when IDENTIKEY Appliance performance monitoring is
enabled (see 22. Performance Monitoring).

21.6.2. Configuring SNMP Settings

To monitor IDENTIKEY Appliance events via SNMP, the SNMP settings need to be configured.

Procedure 84: Configuring SNMP Settings

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Settings > SNMP.

3. Select the appropriate version of SNMP and add the related authentication information to be used when
querying the IDENTIKEY Appliance SNMP server:

• For version 2c or earlier: Type the read community password and the source address (Allow Query From) (see Image 72: Configuring SNMP v2c).
• For version 3: Type an authentication user name and select the types and passwords for the kind of authentication and privacy (see Image 73: Configuring SNMP v3).


Image 72: Configuring SNMP v2c

Image 73: Configuring SNMP v3

4. (OPTIONAL) Specify contact and location information for the management application in the Settings sec-
tion.

5. Click Save to finish.


Note
The user name and password with SNMP version 3 for a managing application to authenticate with IDENTIKEY
Appliance can be freely chosen and defined in the monitoring settings. These credentials are not associated with
a user account in the Administration Web Interface.

21.6.3. Additional References

For more information about the SNMP server configuration fields, refer to the IDENTIKEY Appliance Administrator
Reference.

21.6.4. Querying the SNMP Server (Examples)

Here are examples outlining how to query the IDENTIKEY Appliance SNMP server via an SNMP tool.

Ensure that all relevant MIB files are correctly found by the Net-SNMP tool you are using. For more information
about third-party MIB files, refer to the documentation of the respective software tool. For more information about
downloading OneSpan MIB files provided for IDENTIKEY Appliance, see 21.7. Downloading OneSpan MIB Files.

Example
Query system information via SNMP version 2c using the MIB-translated name system:
# snmpwalk -Os -v2c -c mycommunity 192.0.2.1 system
sysDescr.0 = STRING: "IDENTIKEY Appliance 3.6.7.99.5"
sysObjectID.0 = OID: linux
sysUpTimeInstance = Timeticks: (734) 0:00:07.34
sysContact.0 = STRING: "Unknown"
sysName.0 = STRING: "qa-auto-test"
sysLocation.0 = STRING: "Unknown"
sysServices.0 = INTEGER: 76

Example
Query system information using SNMP version 2c and an SNMP OID number:
# snmpwalk -Os -v2c -c mycommunity 192.0.2.1 .1.3.6.1.2.1.1
sysDescr.0 = STRING: "IDENTIKEY Appliance 3.6.7.99.5"
sysObjectID.0 = OID: linux
sysUpTimeInstance = Timeticks: (734) 0:00:07.34
sysContact.0 = STRING: "Unknown"
sysName.0 = STRING: "qa-auto-test"
sysLocation.0 = STRING: "Unknown"
sysServices.0 = INTEGER: 76

Example
Query system information using SNMP version 3 and an SNMP OID number:
# snmpwalk -Os -v 3 -l authPriv -u my_user -a MD5 -A MyAuthPassword1 -x AES -X MyPrivPassword1 192.0.2.1 .1.3.6.1.2.1.1
sysDescr.0 = STRING: "IDENTIKEY Appliance 3.6.7.99.5"
sysObjectID.0 = OID: linux
sysUpTimeInstance = Timeticks: (3505) 0:00:35.05
sysContact.0 = STRING: "Unknown"
sysName.0 = STRING: "qa-auto-test"
sysLocation.0 = STRING: "Unknown"
sysServices.0 = INTEGER: 76

21.7. Downloading OneSpan MIB Files

A number of MIB files are provided for use with SNMP. You can download these MIB files from IDENTIKEY Appliance.

21.7.1. Downloading OneSpan MIB Files

Procedure 85: Downloading OneSpan MIB files

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launch-
ing IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Inter-
face).


2. Select Settings > SNMP.

3. Click Download VASCO MIB files.

Image 74: Downloading VASCO MIB Files

21.7.2. Additional Considerations

Generally, when targets are defined as SNMP traps, a VASCO-AXSGUARD-IDENTIFIER-MIB::vdsIaAuditNotification trap is sent. The MIB file contains the information about the notification and the variables of the MIB file. For more information, refer to the VASCO-AXSGUARD-IDENTIFIER-MIB file. You can download this file in the IDENTIKEY Appliance Configuration Tool under Settings > SNMP. The trap will send the event information directly in the notification. For more information about SNMP notifications, see 23. System Monitoring.


22. Performance Monitoring


Performance Monitoring allows you to monitor specific parts of IDENTIKEY Appliance processing to produce useful
performance statistics.

Performance Monitoring is disabled, enabled, and managed using the IDENTIKEY Appliance Configuration Tool.

IDENTIKEY Appliance uses Filters to define what to monitor; the different supported plugins are used to control how
to deliver that data. Filters are applied to all possible output plugins.

22.1. Filters

The Performance Monitoring tool uses filters to determine which specific parts of IDENTIKEY Appliance processing
should be monitored.

A filter must consist of the name of a performance transaction. You can specify a single performance transaction,
or you can use the asterisk (*) wildcard to identify a group of transactions.


Image 75: Adding Filter in Performance Monitoring

In the IDENTIKEY Authentication Server Configuration Utility, click Add to define a filter. In the Transaction Filter box, a filter can be added by entering a pattern. This pattern must consist of the name of a performance transaction.

The positioning of the asterisk determines which performance transactions will be filtered. For example:

• *administration.logon - by placing the asterisk at the beginning, all performance transactions that end in administration.logon will be monitored
• *administration* - by placing an asterisk at the beginning and at the end, everything related to administration will be monitored
• identikey.scenario.signature* - by placing the asterisk at the end, all performance transactions starting with identikey.scenario.signature will be monitored
• identikey*logon - by placing the asterisk in the middle, all performance transactions starting with identikey and ending with logon will be monitored.

You can find a list of available performance transactions in the IDENTIKEY Appliance Administrator Reference.
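The asterisk rules above, as an added example (my own illustrative code, not part of IDENTIKEY Appliance): a matcher that treats * as "any run of characters" and everything else literally, run against constructed transaction names; only the four patterns come from the guide.

```python
"""Wildcard matching as described for Performance Monitoring transaction filters.

Illustrative code, not part of IDENTIKEY Appliance. The transaction names below
are constructed samples; the four patterns are the ones from the guide.
"""
import re


def filter_to_regex(pattern: str) -> re.Pattern:
    """Turn a transaction filter into a regex: '*' matches any run of characters
    (including none); everything else, dots included, is matched literally.
    The regex is anchored at both ends, so a pattern without '*' is an exact match."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches(pattern: str, transaction: str) -> bool:
    """True if the filter would monitor this performance transaction."""
    return filter_to_regex(pattern).match(transaction) is not None


def select(pattern: str, transactions):
    """Return the transactions a filter would monitor, in input order."""
    rx = filter_to_regex(pattern)
    return [t for t in transactions if rx.match(t)]


# Constructed sample transaction names (assumption: dotted names of this shape;
# the real list is in the IDENTIKEY Appliance Administrator Reference).
SAMPLE_TRANSACTIONS = [
    "identikey.administration.logon",
    "identikey.administration.logoff",
    "identikey.scenario.signature.validate",
    "identikey.scenario.authentication.logon",
    "identikey.scenario.authentication.logoff",
    "mdc.delivery.sms",
]

if __name__ == "__main__":
    for pat in ["*administration.logon", "*administration*",
                "identikey.scenario.signature*", "identikey*logon"]:
        print(pat, "->", select(pat, SAMPLE_TRANSACTIONS))
```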


22.2. Plugins

The Performance Monitoring tool uses several plugins in order to define its output.

CSV Plugin
The CSV Plugin allows you to define a comma-separated values (.csv) file to write the results to. To enable the CSV plugin, click Enable CSV Plugin in the Performance Monitoring Tool.

The data will be written to the file specified in the file field. You can use the default file, or specify your own.

File rotation can be applied to the .csv files. This means that a new file will be created when a trigger point has been reached, but the old file will be retained. The .csv files can be configured to rotate either when a certain time has elapsed, or when a certain file size is reached. The maximum number of retained files is specified when configuring file rotation.

To download a .csv file, navigate to the Trace files section in Monitoring > LogFile management.

For more information about the fields used by the .csv file, refer to the IDENTIKEY Authentication Server Administrator Reference, Section "CSV File Format".

Counter Plugin
To enable the counter plugin, click Enable Counter Plugin in the Performance Monitoring Tool.

The Counter Plugin will generate data relating to the number of times certain transactions have been carried
out, and relevant timing information for those transactions. The SNMP server on which the Counter Plugin
enters the data is the one running on IDENTIKEY Authentication Server.

The counter data can be viewed using SNMP.

Note
For the counter plugin to work, SNMP must be enabled (see 21.6. Configuring SNMP).


23. System Monitoring


The purpose of system monitoring is to alert administrators of certain events. These alerts, or targets, can be sent
as SNMP traps, short messages (SMS), or e-mails.

We recommend monitoring the following types of events:

• System OS events
• IDENTIKEY Appliance Configuration Tool events
• IDENTIKEY Authentication Server events

23.1. Configuring System Monitoring for System OS Events

Critical system events can be monitored by means of SNMP traps as targets for system OS events.

The following critical events and conditions trigger an SNMP trap:

• Disk space status

The system sends an SNMP trap when less than 10 percent of disk space is available. A full disk would prevent the system from writing audit logs. This disk full warning applies to the following disk partitions:

  • System logging: /var/log
  • Database storage: /var/pg
  • IDENTIKEY file system storage, e.g. for trace, log, and report files: /var/identikey

• Memory status

The system sends an SNMP trap when the memory status is low or if the system is out of memory, i.e. when less than 128 MB of memory is available.

• SNMP status

The system sends SNMP traps when the SNMP service starts or stops.

• Processes

Traps are sent when processes are starting and stopping; the following processes are monitored via SNMP traps (see Table 14: Processes Monitored Via SNMP Traps).

Table 14: Processes Monitored Via SNMP Traps

Process                                    Process Name
Message Delivery Component (MDC) daemon    mdcserver
LDAP sync daemon                           ikldapsync
IDENTIKEY Authentication Server daemon     ikeyserver
System logging daemon                      syslog-ng
Timeserver                                 ntpd

Note
IDENTIKEY Appliance system monitoring does not take into account the service restart function usage on the
IDENTIKEY Appliance Configuration Tool Status page.

The traps sent by IDENTIKEY Appliance for system OS events consist of the following information:

• Agent details (address, host name)
• Date
• Enterprise OID
• Trap type and sub-type
• Community / Infosec Context
• Uptime
• Description
• PDU attribute / value pair array. This part of the trap contains the information that is necessary to monitor the event.

For more information about traps, refer to the IDENTIKEY Appliance Administrator Reference.

23.1.1. Targets for System OS Events

To monitor system OS events, the only available notification target type is an SNMP trap. These targets cannot be
customized but only enabled or disabled for the required SNMP trap version; when enabled, all notifications are
sent to the SNMP handler. Only one such SNMP handler can be configured. The system event trap already contains
all relevant event information data which will be sent directly in the notification.

23.1.2. Configuring System Monitoring Targets for System OS Events

To configure the settings for system OS event traps, configure your SNMP trap server, and proceed as follows.

Procedure 86: Configuring system monitoring targets for system OS events

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).
2. Select Settings > SNMP and navigate to the SNMP Traps section.
3. Select the required SNMP trap version (v2, v3, or v3 INFORM) to enable the relevant SNMP trap type for the
notifications.
4. Specify the target host, i.e. the location to which the SNMP targets are sent.

Note
During configuration, processes can be restarted, and a process-down trap can be triggered.


To receive notifications in the form of SNMP traps you need to configure an SNMP trap server (see 23.4. Configuring SNMP Trap Handlers).

23.1.3. Best Practices for SNMP Targets for System OS Events

The following emergency alerts sent by IDENTIKEY Appliance must always be acted on to ensure system functionality:

• The hard disk drive is more than 90 percent full.
• A critical service is not running, e.g. IDENTIKEY Authentication Server, Syslog, Postgres.
• The swap memory is full.

23.2. Configuring System Monitoring for IDENTIKEY Appliance Configuration Tool Events

IDENTIKEY Appliance Configuration Tool event targets serve to monitor critical Configuration Tool events and can
be configured in the IDENTIKEY Appliance Configuration Tool. The source for these targets are audit messages that
are generated by the System Configtool source; in the IDENTIKEY Appliance Configuration Tool navigate
to Monitoring > Audit Logs and check the Source column.

23.2.1. Targets for IDENTIKEY Appliance Configuration Tool Events

The following notification target types can be configured to monitor IDENTIKEY Appliance Configuration Tool
events:

• One or more SNMP traps
• One or more SMS
• One or more e-mails

Generally, when targets are defined as SNMP traps, a MIB file is also available and can be downloaded. MIB files
contain the information about the notification and the variables of the MIB file (see 21.7. Downloading OneSpan
MIB Files).

Note
SNMP traps about IDENTIKEY Appliance Configuration Tool events will only be operational for audit lines which
are generated by the IDENTIKEY Appliance Configuration Tool itself.

23.2.2. Configuring System Monitoring Targets for IDENTIKEY Appliance Configuration Tool Events

To allow sending SMS, e-mail or SNMP trap notifications about IDENTIKEY Appliance Configuration Tool events, the
notification settings need to be configured.


Procedure 87: Configuring system monitoring targets for IDENTIKEY Appliance Configuration Tool events

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Settings > Notifications.

3. Select Enabled to enable notification about IDENTIKEY Appliance Configuration Tool events.

4. Add one or more notification target types for notification using Add target, and specify the settings for
each notification target.

Image 76: Configuring Notification Settings

If SNMP traps are used as targets for IDENTIKEY Appliance Configuration Tool events, the system event trap already contains all relevant event information data which will be sent directly in the notification. Additional information may also be available in the audit messages. To view this information, open the IDENTIKEY Appliance Configuration Tool, select Monitoring > Audit Logs and use the AMID number from the SNMP trap to perform a look-up for additional information.

If you want to configure an SMS notification target, verify if you must use a country code or special characters
when entering a mobile number. For more information, refer to the MDC or SMS provider documentation.

For more information about the different notification target settings, refer to the IDENTIKEY Appliance Administrator
Reference.

Note
To receive notifications as SNMP traps you need to configure an SNMP trap server (see 23.4. Configuring
SNMP Trap Handlers).


23.2.3. Filtering IDENTIKEY Appliance Configuration Tool Events for Notification

You can filter IDENTIKEY Appliance Configuration Tool events you want to be notified about. In defining one or
more filters you describe which audit messages need to be filtered. The definition of an audit filter is similar to the
definition of an audit filter as part of a report definition.

Procedure 88: Adding a system monitoring filter for IDENTIKEY Appliance Configuration Tool events

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Settings > Notifications.

3. Click Add New in the Targets field. Then, select the required type and fill in the appropriate details.

This new notification target will now be available for all filters of the same source but not for other sources or events; for example, targets added via Settings > Notifications will not be available under Authentication Server > System Monitoring Alerts.

4. Click Add filter to add a new notification filter.

5. Configure the filter in the Notification Filter dialog:

a. Select Enabled.

b. Specify a name for the notification filter.

c. Select the notification target to which the filter will be applied.

d. Click Add Filter and fill in the required filter parameters.

Repeat this step until all required filtering rules are added.

e. Click Add.

6. Select Enabled to activate the alert system.

Note
When assigning multiple filters to a notification target, the notification target will only be triggered when the
match criteria of all assigned filters are met.

IDENTIKEY Appliance allows you to use a complex system of multiple filters and targets to be notified via different
targets in case specific audit messages are generated.

Useful filters are:


• System actions

Code equals S-024002. This filters for changes regarding login, logout, reboot, shutdown, system update, administrator password change, license change, support change, etc.

• Configuration change

Code equals S-024001. This filters all changes to IDENTIKEY Appliance Configuration Tool settings.

For more information about system monitoring filters and targets, refer to the IDENTIKEY Appliance Administrator
Reference.

23.3. Configuring System Monitoring for IDENTIKEY Authentication Server Events

IDENTIKEY Authentication Server event targets serve to monitor critical IDENTIKEY Authentication Server events.
These targets can be configured in the IDENTIKEY Appliance Configuration Tool.

The source for these targets are audit messages that are generated by the Identikey Server source; in
the IDENTIKEY Appliance Configuration Tool, select Monitoring > Audit Logs and check the Source column.

23.3.1. Targets for IDENTIKEY Authentication Server Events

The following notification target types can be configured to monitor IDENTIKEY Authentication Server events:

• One or more SNMP traps
• One or more SMS
• One or more e-mails

23.3.2. Configuring System Monitoring Targets for IDENTIKEY Authentication Server Events

Procedure 89: Configuring system monitoring targets for IDENTIKEY Authentication Server events

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Select Authentication Server > System Monitoring Alerts.

3. Select Enabled to enable notification about IDENTIKEY Authentication Server events.

4. Add one or more notification target types for notification using Add Target and specify the settings for each
notification target.


If SNMP traps are used as targets for IDENTIKEY Authentication Server events, the system event trap already contains all relevant event information data which will be sent directly in the notification. Additional information may also be available in the audit messages. To view this information, select Monitoring > Audit Logs and use the AMID number from the SNMP trap to perform a lookup for additional information.

For more information about the different notification target settings, refer to the IDENTIKEY Appliance
Administrator Reference.

Note
To receive notifications as SNMP traps you need to configure an SNMP trap server (see 23.4. Configuring
SNMP Trap Handlers).

23.3.3. Filtering IDENTIKEY Authentication Server Events for Notification

You can filter IDENTIKEY Authentication Server events you want to be notified about as these events occur rather
than having to search through an extensive list of audit logs to locate potentially critical system events. In defining
one or more filters you describe which audit messages need to be filtered.

For more information about filtering events, see 23.2.3. Filtering IDENTIKEY Appliance Configuration Tool Events
for Notification.

Note
SNMP traps about IDENTIKEY Authentication Server events will only be operational for audit lines which are generated by IDENTIKEY Authentication Server itself.

23.4. Configuring SNMP Trap Handlers

To receive notifications as SNMP traps from IDENTIKEY Appliance, you need to configure an SNMP trap handler in your network which uses the same SNMP settings as specified in the definition of the SNMP notification target.

23.4.1. Configuring an SNMP Trap Handler

Procedure 90: Configuring an SNMP trap handler

1. Configure the SNMP trap settings:

• User name
• Authentication settings
• Privacy settings
• Trap type (v2, v3, or v3 INFORM trap)
• Engine ID (only when the trap type is v3; for traps of the v3 INFORM type, the Engine ID is not required).


2. Download and use the file VASCO-AXSGUARD-IDENTIFIER-MIB (see 21.7. Downloading OneSpan MIB Files).

3. (OPTIONAL) Configure the action to be taken upon receiving SNMP traps on the corresponding system
events.

23.4.2. Additional Considerations

23.4.2.1. Engine ID
The engine ID should only be provided when trap type v3 is used. The system automatically detects when a trap of
the INFORM type is used.

The engine ID has to be entered in hexadecimal format in your monitoring software and must adhere to the following parameters:

• The ID must start with 80001F8880 (hardcoded prefix)
• The string must be in hexadecimal format (characters [0-9a-fA-F])
• The string must consist of an even number of characters

Example
80001F88800123456789ABCDEF (valid)

1234567890 (invalid, no prefix)

80001F8880A (invalid, odd number of characters)

The entries in these input fields are validated by the system, preventing the user from making invalid data entries.
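An added validator for the three engine ID rules above (illustrative code, not from IDENTIKEY Appliance; accepting a lowercase prefix and the reason strings are my assumptions); the three sample IDs are the ones from the guide.

```python
"""Engine ID checks for SNMPv3 trap configuration, as listed in the guide.

Illustrative code, not part of IDENTIKEY Appliance. Checks are applied in the
guide's order: prefix, hexadecimal alphabet, even length.
"""
import re

ENGINE_ID_PREFIX = "80001F8880"  # hardcoded prefix required by the guide
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_engine_id(engine_id: str):
    """Return (is_valid, reason) for an engine ID typed into monitoring software."""
    # Assumption: the prefix may be typed in either case, since the alphabet
    # rule allows a-f as well as A-F.
    if not engine_id.upper().startswith(ENGINE_ID_PREFIX):
        return False, "no prefix"
    if not _HEX_RE.match(engine_id):
        return False, "not hexadecimal"
    if len(engine_id) % 2 != 0:
        return False, "odd number of chars"
    return True, "valid"


def engine_id_bytes(engine_id: str) -> bytes:
    """Decode a validated engine ID into the raw octets an SNMPv3 receiver
    compares. bytes.fromhex() needs an even-length string, which is the
    reason behind the even-number-of-characters rule."""
    ok, reason = check_engine_id(engine_id)
    if not ok:
        raise ValueError(f"invalid engine ID: {reason}")
    return bytes.fromhex(engine_id)


if __name__ == "__main__":
    for sample in ["80001F88800123456789ABCDEF", "1234567890", "80001F8880A"]:
        print(sample, check_engine_id(sample))
```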

Note
The engine ID used for type v3 traps sent out by IDENTIKEY Authentication Server event traps will change every
time IDENTIKEY Authentication Server is restarted.

23.4.3. Additional References

The configuration of your SNMP trap server depends on the software used. For more information about configuring
the SNMP trap server, refer to the documentation of your SNMP product.

23.5. Best Practices for SNMP Targets

When using IDENTIKEY Appliance system monitoring, we recommend to define SNMP notifications for the following
events:


• IDENTIKEY Authentication Server errors

For this type of event, we recommend defining an audit filter that extracts all error audit messages.

• Locked DIGIPASS users

For this type of event, a filter should be defined that extracts all audit messages with the audit code W-011003.

• Failed administrative logons

For this type of event, a filter should be defined that extracts all audit messages with the audit code F-004001.

• Replication failures

For this type of event, a filter should be defined that extracts all audit messages with the audit code F-003001 or F-003002.
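The filter model from 23.2.3 (a target fires only when all of its filters match, and targets are scoped to one source) applied to the audit codes recommended above, as an added example that is not IDENTIKEY code: the audit messages, AMIDs and field names are constructed, and treating codes beginning with F- as error messages is an assumption.

```python
"""Notification filters and targets over constructed audit messages.

Illustrative code, not part of IDENTIKEY Appliance. Models two rules from the
guide: a target is triggered only when ALL filters assigned to it match, and a
target belongs to one audit source. The audit codes are the guide's; everything
else (message texts, AMIDs, the F- prefix meaning "error") is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AuditMessage:
    amid: int      # audit message ID, used to look the record up afterwards
    source: str    # "System Configtool" or "Identikey Server" (names from the guide)
    code: str      # e.g. "S-024002"
    text: str


@dataclass
class NotificationTarget:
    name: str
    source: str    # targets are only available for filters of the same source
    filters: List[Callable[[AuditMessage], bool]] = field(default_factory=list)

    def triggered_by(self, msg: AuditMessage) -> bool:
        # Source scoping plus AND semantics across all assigned filters.
        # Assumption: a target with no filters never fires.
        return (msg.source == self.source and bool(self.filters)
                and all(f(msg) for f in self.filters))


def code_equals(code: str):
    return lambda m: m.code == code


def code_in(codes):
    allowed = set(codes)
    return lambda m: m.code in allowed


def code_startswith(prefix: str):
    # Assumption used to approximate "all error audit messages".
    return lambda m: m.code.startswith(prefix)


def dispatch(targets, messages) -> Dict[str, List[int]]:
    """Return, per target name, the AMIDs that would produce a notification."""
    hits = {t.name: [] for t in targets}
    for m in messages:
        for t in targets:
            if t.triggered_by(m):
                hits[t.name].append(m.amid)
    return hits


CONFIGTOOL_TARGETS = [  # filters from 23.2.3
    NotificationTarget("cfg-system-actions", "System Configtool", [code_equals("S-024002")]),
    NotificationTarget("cfg-config-change", "System Configtool", [code_equals("S-024001")]),
]
SERVER_TARGETS = [  # filters from 23.5
    NotificationTarget("ias-errors", "Identikey Server", [code_startswith("F-")]),
    NotificationTarget("ias-locked-users", "Identikey Server", [code_equals("W-011003")]),
    NotificationTarget("ias-admin-logon-fail", "Identikey Server", [code_equals("F-004001")]),
    NotificationTarget("ias-replication", "Identikey Server", [code_in(["F-003001", "F-003002"])]),
]

SAMPLE_AUDIT = [  # constructed sample audit records
    AuditMessage(1001, "System Configtool", "S-024002", "Administrator password changed"),
    AuditMessage(1002, "System Configtool", "S-024001", "SNMP settings updated"),
    AuditMessage(1003, "Identikey Server", "W-011003", "DIGIPASS user account locked"),
    AuditMessage(1004, "Identikey Server", "F-004001", "Administrative logon failed"),
    AuditMessage(1005, "Identikey Server", "F-003002", "Replication failed"),
    AuditMessage(1006, "Identikey Server", "S-024002", "Same code, other source: not a cfg target"),
]

if __name__ == "__main__":
    for name, amids in dispatch(CONFIGTOOL_TARGETS + SERVER_TARGETS, SAMPLE_AUDIT).items():
        print(f"{name}: {amids}")
```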


24. Troubleshooting
This section explains how to resolve:

• Specific problems you may encounter.
• Possible issues with LDAP user synchronization.
• Possible issues with LDAP back-end authentication.

For more information about the information sources for different types of troubleshooting issues, see 21. Monitoring.

24.1. Connection Problems

24.1.1. Description

A program or web site returns an error message that the connection has been refused or similar when attempting
to connect to IDENTIKEY Authentication Server.

24.1.2. Solution

Verify that a Client Component record of the correct type exists in the IDENTIKEY Authentication Server data store for the program or web site trying to access it. For example, the Administration Web Interface will be unable to manage an IDENTIKEY Authentication Server instance until a Client Component record of type Administration Program has been created for it.

24.2. Dynamic Component Registration Problems

24.2.1. Solutions

Client Lookup
Dynamic User Registration will fail if no PTR record exists on the DNS server for the client machine. A reverse
zone must be implemented in order for Dynamic User Registration to function correctly.

ASCII encoding is assumed for the DNS reverse lookup process. If a computer name uses a character set other
than ASCII, Dynamic User Registration may fail for that machine.


Group Check
If Group Check does not seem to be functioning as expected in Dynamic User Registration, check whether the
named groups are part of an Active Directory domain. Group Check works with Active Directory domain
groups only. It will not work with local Windows groups.

24.3. Administration Web Interface Connectivity

24.3.1. Possible Cause

Security settings in your browser or firewall may block access to the Administration Web Interface.

24.3.2. Solution

Add the Administration Web Interface location to the Trusted Sites list or add an exception to an access rule in the
browser and/or firewall security settings.

For example, it is possible to run into a "Certificate Error" or "Certificate Invalid" warning message when accessing
an SSL-secured Administration Web Interface using Windows Internet Explorer. When this occurs, manually import
the Administration Web Interface certificate into the browser's Root Trusted CA first.

24.4. DIGIPASS User Account Locking

A user may be unable to log in via IDENTIKEY Appliance, if:

• the DIGIPASS user account has been locked.
• the DIGIPASS Application has been locked out from usage by the active policy.

The mechanisms to lock a DIGIPASS user account and a DIGIPASS Application are different. Both mechanisms, however, can be used to enhance security by preventing brute-force hacking.

24.4.1. DIGIPASS User Account Locking

Each DIGIPASS user account contains a user lock count. This value is incremented whenever the user performs an unsuccessful authenticator operation, e.g. attempting a login via IDENTIKEY Authentication Server with an incorrect one-time password (OTP) or unsuccessfully attempting to validate a signature. It is reset to zero when the operation is successful, e.g. a correct OTP is used.

Each policy contains a user lock threshold. If a user's lock count equals or exceeds the user lock threshold in the
policy in use, the DIGIPASS user account will be locked.


If a DIGIPASS user account is already locked and user auto-unlock is enabled, the user lock count contains the
number of (unsuccessful) unlock attempts using user auto-unlock.

You can unlock a locked DIGIPASS user account in different ways:

n Manually using the Administration Web Interface or the Active Directory Users and Computers Extension.

You need an administrative account with the Unlock User privilege to manually unlock a locked DIGIPASS
user account.

n Automatically via user auto-unlock.

The user auto-unlock mechanism allows a user to implicitly unlock a locked DIGIPASS user account during
regular authentication or signature validation. It is enabled and configured using policies.

Note that a DIGIPASS user account that has been explicitly locked by an administrator cannot be unlocked
by the user auto-unlock mechanism.

By default, user auto-unlock is disabled. To enable it you need to set Maximum Unlock Tries accordingly
in the applicable policy, that is the maximum number of unlock attempts. Furthermore, you can set the
minimum lock duration before another unlock attempt is allowed and a lock duration multiplier to
increase the lock duration after each unsuccessful unlock attempt. A default policy prepared to support
user auto-unlock is included in the set of pre-loaded policies, i.e. IDENTIKEY Local Authentication with
Auto-Unlock.

For more information about user auto-unlock, refer to the IDENTIKEY Authentication Server Product Guide, Section
"DIGIPASS User Account Auto-Unlock".

Procedure 91: Unlocking a locked DIGIPASS user account manually

1. Open the Administration Web Interface or the Active Directory Users and Computers Extension.
2. Locate and view the respective DIGIPASS user account.
3. Click Unlock.

24.4.2. DIGIPASS Application Locking

Each DIGIPASS Application contains an error count value. This value is incremented when the user enters an incorrect OTP or Electronic Signature and the active policy has the following DIGIPASS Application settings:

• The identification threshold or signature threshold is greater than zero.
• The DIGIPASS Application is the only one available for use for authentication or signature validation. This means that regardless of how many DIGIPASS Applications are available on a user's DIGIPASS authenticator, the policy should force all authentication or signature validation attempts to go through one specific DIGIPASS Application.

Note
As long as the policy forces all authentication or signature attempts to go through one DIGIPASS Application, the error count value will increment with each failed attempt. This is independent from the number of DIGIPASS Applications on any user's DIGIPASS authenticator or what kind of DIGIPASS Application is being forced to perform the operation.

An identification threshold and a signature threshold are set in each policy (under the DP Control Parameters tab in the Administration Web Interface). By default they are set to zero, meaning that the error count will not be checked and the DIGIPASS Application will remain available. If either the identification threshold or the signature threshold is set to a value greater than zero, a DIGIPASS Application with an error count reaching either threshold will be locked out from usage by the policy.

The error count is automatically reset to zero when:

• A correct OTP or Electronic Signature is used.
-AND-
• The error count has not yet reached either the identification threshold or signature threshold.

Procedure 92: Resetting the error count manually (ODBC)

1. Log on to the IDENTIKEY Authentication Server Administration Web Interface (see 2.3. Launching IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Open the DIGIPASS record.

3. Switch to the DIGIPASS Application tab and click Reset Error Count.

In some cases, this function may be available from the Other Actions menu.

Procedure 93: Resetting the error count manually (AD)

1. Launch the Active Directory Users and Computers Extension.
2. Open the DIGIPASS record / properties.
3. Switch to the DIGIPASS Application tab and select Reset Error Count from the Actions menu.
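The user lock count, user auto-unlock and DIGIPASS Application error count rules described in 24.4, as an added state model (illustrative code, not OneSpan's implementation): the lock-duration arithmetic, resetting the lock count to zero on locking so that it can count unlock attempts, and not counting a too-early attempt as an unlock try are assumptions.

```python
"""State model of DIGIPASS user account locking and DIGIPASS Application locking.

Illustrative code, not IDENTIKEY code. It follows the rules the guide states;
time is a caller-supplied clock in seconds so runs are deterministic.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    user_lock_threshold: int = 3
    max_unlock_tries: int = 0          # 0 = user auto-unlock disabled (guide default)
    min_lock_duration: int = 60        # seconds before an unlock attempt is allowed
    lock_duration_multiplier: int = 2  # applied after each unsuccessful unlock attempt
    identification_threshold: int = 0  # 0 = error count not checked (guide default)


@dataclass
class UserAccount:
    lock_count: int = 0
    locked: bool = False
    admin_locked: bool = False         # explicit lock by an administrator
    lock_time: float = 0.0
    lock_duration: int = 0


@dataclass
class DigipassApplication:
    error_count: int = 0


def application_locked(app: DigipassApplication, policy: Policy) -> bool:
    """Locked out by the policy once the error count reaches a non-zero threshold."""
    t = policy.identification_threshold
    return t > 0 and app.error_count >= t


def authenticate(user, app, policy, otp_correct: bool, now: float) -> str:
    """Apply one authentication attempt through the single forced Application."""
    if user.locked:
        return _unlock_attempt(user, policy, otp_correct, now)
    if application_locked(app, policy):
        return "application locked"
    if otp_correct:
        user.lock_count = 0
        # Error count resets only while still below the threshold; a reached
        # threshold was already rejected above, so this matches the guide's AND rule.
        app.error_count = 0
        return "ok"
    user.lock_count += 1
    if policy.identification_threshold > 0:
        app.error_count += 1
    if user.lock_count >= policy.user_lock_threshold:
        user.locked = True
        user.lock_count = 0                # assumption: now counts failed unlock attempts
        user.lock_time, user.lock_duration = now, policy.min_lock_duration
        return "user locked"
    return "wrong otp"


def _unlock_attempt(user, policy, otp_correct, now):
    """User auto-unlock during regular authentication, per the policy settings."""
    if user.admin_locked or policy.max_unlock_tries == 0:
        return "locked (admin unlock required)"
    if user.lock_count >= policy.max_unlock_tries:
        return "locked (unlock tries exhausted)"
    if now - user.lock_time < user.lock_duration:
        return "locked (too early)"      # assumption: does not consume an unlock try
    if otp_correct:
        user.locked, user.lock_count = False, 0
        return "auto-unlocked"
    user.lock_count += 1                  # unsuccessful unlock attempt
    user.lock_time = now
    user.lock_duration *= policy.lock_duration_multiplier
    return "unlock failed"


def admin_unlock(user: UserAccount) -> None:
    """Manual unlock (Administration Web Interface, Unlock User privilege)."""
    user.locked = user.admin_locked = False
    user.lock_count = 0
```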

24.5. DIGIPASS Event Counter Out of Sync

24.5.1. Description

An out-of-sync event counter may repeatedly prevent a user with an event-based DIGIPASS authenticator from logging in using a one-time password (OTP).

24.5.2. Possible Cause

This is typically the case if the user is receiving one of the following errors:

• "The one-time password has already been used."

If the event counter in the DIGIPASS BLOB in IDENTIKEY Authentication Server is set higher than the event count on the DIGIPASS authenticator itself, IDENTIKEY Authentication Server will interpret authentication requests as code replay attempts and refuse the requests.

• "The one-time password was incorrect."

If the event counter in the DIGIPASS BLOB in IDENTIKEY Authentication Server is set lower than the event count on the DIGIPASS authenticator itself (by more than the event window), IDENTIKEY Authentication Server will not recognize the OTPs as valid.

24.5.3. Solutions

Setting the event counter

If an out-of-sync event counter is preventing users from logging in, you can manually reset the event counter. An administrator with the correct privileges may use Set Event Counter in the Administration Web Interface to increase the IDENTIKEY Authentication Server event counter for the DIGIPASS authenticator. This should be done in careful increments until the event counts in the DIGIPASS authenticator and IDENTIKEY Authentication Server are close enough for the DIGIPASS authenticator event count to be within the IDENTIKEY Authentication Server event window.

Note
The event counter may only be increased, not decreased.

Re-importing the DIGIPASS authenticator

This is the only solution available if the event counter in IDENTIKEY Authentication Server is higher than the DIGIPASS event count.

Procedure 94: Re-importing a DIGIPASS authenticator

1. Delete the DIGIPASS record.

2. Re-import the .dpx file, ensuring that the Upgrade existing DIGIPASS with new activation code option is disabled.

3. Re-assign the imported DIGIPASS authenticator to the correct user.
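An added model of the event-counter window behind the two error messages in 24.5 (illustrative code, not the DIGIPASS algorithm): the OTP derivation, the window size and the look-back used to diagnose a replay are constructed assumptions.

```python
"""Event-counter synchronization between an authenticator and the server record.

Illustrative model, not IDENTIKEY code. The server accepts an OTP only when the
device counter lies inside a window above the server's own counter, and the
administrative Set Event Counter may only move the server counter upwards.
The OTP function (HMAC-SHA256 over the counter, constructed key) is a stand-in.
"""
import hashlib
import hmac


def otp_for(key: bytes, counter: int) -> str:
    """Constructed OTP function: six digits derived from the event counter."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class EventServerRecord:
    """Server-side view of one authenticator (the counter in the DIGIPASS BLOB)."""

    def __init__(self, key: bytes, counter: int = 0, window: int = 20):
        self.key, self.counter, self.window = key, counter, window

    def verify(self, otp: str) -> str:
        # Search forward from the server counter over the acceptance window.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(otp_for(self.key, c), otp):
                self.counter = c + 1          # consume counters up to and including c
                return "ok"
        # A counter below the server's value is a replay ("already used"). The OTP
        # alone does not reveal this, so a bounded look-back (assumption) diagnoses it.
        for c in range(max(0, self.counter - self.window), self.counter):
            if hmac.compare_digest(otp_for(self.key, c), otp):
                return "already used"
        return "incorrect"                    # device is beyond the window

    def set_event_counter(self, value: int) -> None:
        """Administrative Set Event Counter: may only increase, never decrease."""
        if value < self.counter:
            raise ValueError("event counter may only be increased, not decreased")
        self.counter = value


class EventDevice:
    """The authenticator: generates the next OTP and advances its own counter."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> str:
        otp = otp_for(self.key, self.counter)
        self.counter += 1
        return otp
```

Re-importing the authenticator corresponds to replacing the EventServerRecord entirely, which is why it is the only option when the server counter is already the higher one.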


24.6. Wireless RADIUS Authentication Failures

24.6.1. Possible Cause

Authentication via wireless RADIUS may fail if a user enters a domain name of more than 15 characters in the
DOMAIN\USER format.

This problem occurs within default Windows supplicant applications.

Example
The user attempts a wireless authentication, and enters OurDomain.OurCompany\MyUserID in the
user ID field, and the one-time password (OTP) in the password field. The authentication fails despite correct
user ID and OTP.

24.6.2. Solutions

Workaround 1
Where a domain field is available in the login window, the user should enter the domain name into that field.

Example
The user attempts a wireless authentication, and enters MyUserID in the user ID field, OurDomain.OurCompany in the domain field and the one-time password (OTP) in the password field. The authentication succeeds as expected.

Workaround 2
Use the User@Domain format for the user ID instead.

Example
The user attempts a wireless authentication, and enters MyUserID@OurDomain.OurCompany in
the user ID field and the one-time password (OTP) in the password field. The authentication succeeds as
expected.


24.7. LDAP User Synchronization Issues

24.7.1. Description

LDAP user synchronization does not work.

24.7.2. Possible Causes

• The bind DN user account is locked.
• The synchronization profile is disabled.
• The user ID is not mapped in the synchronization profile.
• The filter settings are incorrect.
• A network problem occurred.

Tip
To troubleshoot LDAP user synchronization consult the specific tracing files (see 21.5.3. Configuring Tracing for
LDAP User Synchronization). Furthermore, consult the audit records logged (see 21.4. Auditing). Audit records are
helpful to understand why a certain operation failed, e.g. when deleting a user account failed.

24.7.3. Solutions

• The user account is locked.

Verify that the bind DN and bind password are correct in the synchronization profile. If the user account is locked on the LDAP server, synchronization from user accounts on the LDAP server to the IDENTIKEY Appliance is not possible.

• The synchronization profile is disabled.

Verify that the Enable box is selected in the Synchronization Profile. If the synchronization profile is not enabled, synchronization is impossible and a notice is logged.

• User ID is not mapped in the synchronization profile.

At least one attribute must always be mapped to the IDENTIKEY Appliance user ID property. If the user ID property has no mapping entry in the synchronization profile, synchronization is impossible and an error is logged.

• The filter settings are incorrect or conflicting.

IDENTIKEY Appliance 3.18 – Administrator Guide 181


24. Troubleshooting

Correct filter settings result in records for synchronized user accounts. If the filter settings are incorrect or
conflicting, no user accounts are found for synchronization; therefore none will be synchronized and no tra-
cing records will be produced. Missing tracing records for synchronized user accounts indicates that the fil-
ter settings should be verified.

n A network problem occurred.

If there is a network problem, e.g. due to the firewall configuration, synchronization is impossible and a
connection error is logged.

24.7.4. Additional References

For more information about tracing and auditing, refer to the IDENTIKEY Appliance Product Guide and the
IDENTIKEY Appliance Administrator Reference.

24.8. LDAP Back-End Authentication Setup Issues

24.8.1. Description

When Microsoft Active Directory is used for back-end authentication, authentication can fail if the configuration:

• involves network address translation (NAT) between IDENTIKEY Appliance and the domain controller(s).
• does not use the Active Directory DNS server, i.e. an alternative DNS server is configured in the IDENTIKEY
  Appliance Configuration Tool.

24.8.2. Possible Cause

SASL DIGEST-MD5 authentication with SPN verification

These issues relate to the SASL Digest-MD5 LDAP authentication mechanism used by IDENTIKEY Appliance
and a Microsoft security concept called service principal name (SPN). Authentication with SASL Digest-MD5 is
only allowed when the digest-uri parameter contains a host name which is also registered as an SPN on the
Active Directory server.

IDENTIKEY Appliance automatically sets the digest-uri parameter by performing a DNS reverse lookup
of the IP address used to contact the domain controller. With NAT in between, that IP address is the translated
address, for which the Active Directory DNS has no PTR record; with an alternative DNS server, the PTR record
may be missing or return a name that is not registered as an SPN. In both cases the domain controller rejects
the bind.

Example
The back-end server record points to 192.0.2.21.

The DNS server used by IDENTIKEY Appliance contains the following information:

• an 'A' record: dc1.mydomain.com resolves to 192.0.2.21.
• a 'PTR' record: 21.2.0.192.in-addr.arpa resolves to dc1.mydomain.com.

Steps during authentication:

1. IDENTIKEY Appliance retrieves information from the back-end record and opens an LDAP connection to the
   domain controller.
2. IDENTIKEY Appliance performs a reverse DNS lookup for 192.0.2.21 (DNS request for
   21.2.0.192.in-addr.arpa) and receives dc1.mydomain.com.
3. IDENTIKEY Appliance sends digest-uri dc1.mydomain.com along with the other authentication settings to
   the Active Directory server over the open LDAP connection.
4. The domain controller verifies that the digest-uri parameter exists as an SPN; if so, authentication
   proceeds and credentials are verified. If not, the bind is rejected and back-end authentication fails.

24.8.3. Solutions

Both issues can be solved by ensuring that the result returned by a reverse DNS lookup of the IP address that
IDENTIKEY Appliance uses to connect to the domain controller exists as an SPN on the domain controller. This
can be achieved by configuring a 'PTR' record for that IP address (in the NAT case, the translated address) in
the DNS server used by IDENTIKEY Appliance, pointing at the domain controller's fully qualified host name (see
example). For the alternative-DNS case, pointing IDENTIKEY Appliance at the Active Directory DNS server instead
also resolves the issue, since that server already holds the correct records for the domain controllers.

For more information about configuring these settings, refer to the documentation of your DNS server.

Tip
To list the SPNs registered for your domain controller, run setspn.exe on a domain-joined Windows machine:
setspn.exe -L <hostname_of_windows_server>
The digest-uri of an LDAP bind has the form ldap/<host name>, so the name returned by the reverse lookup must
appear in the output as an ldap/ entry, for example ldap/dc1.mydomain.com.
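The following Python block is an added example, not code from the IDENTIKEY Appliance, that models the reverse-lookup, digest-uri and SPN steps of 24.8.2 for the working configuration from the example above and for the two failing configurations of 24.8.1, then applies the PTR fix of 24.8.3 to the NAT case. The DNS zone data, the NAT address 198.51.100.21, the alternative-DNS name dc1-lan.example.net and the setspn output are constructed for the illustration; the real appliance performs a live PTR query and the real domain controller does the SPN comparison.

```python
"""Model the reverse-lookup -> digest-uri -> SPN check described in 24.8.2.

Added example, not code from the IDENTIKEY Appliance. The DNS records, the NAT
address and the setspn output below are constructed for the illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed 'setspn.exe -L DC1' output for the example domain controller.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com:
        ldap/dc1.mydomain.com/mydomain.com
        ldap/dc1.mydomain.com
        ldap/DC1
        HOST/dc1.mydomain.com
        HOST/DC1
"""


def parse_setspn(output: str) -> List[str]:
    """Return the SPNs from setspn -L output (the indented lines)."""
    return [line.strip() for line in output.splitlines()
            if line.startswith((" ", "\t")) and line.strip()]


def reverse_name(ip: str) -> str:
    """192.0.2.21 -> 21.2.0.192.in-addr.arpa (the name the PTR query asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def digest_uri_for(ip: str, ptr_records: Dict[str, str]) -> Optional[str]:
    """What the appliance sends as digest-uri for the LDAP bind.

    RFC 2831 defines digest-uri as serv-type/host; for an LDAP bind the
    serv-type is 'ldap' and the host is the PTR result. No PTR, no digest-uri.
    """
    host = ptr_records.get(reverse_name(ip))
    return f"ldap/{host}" if host else None


def dc_accepts(digest_uri: Optional[str], spns: List[str]) -> bool:
    """The domain controller's side: digest-uri must match a registered SPN.
    SPN comparison in Active Directory is case-insensitive."""
    return digest_uri is not None and digest_uri.lower() in {s.lower() for s in spns}


def simulate_bind(ip: str, ptr_records: Dict[str, str], spns: List[str]) -> Tuple[bool, str]:
    """Run steps 2-4 of 24.8.2 for one connection and explain the outcome."""
    uri = digest_uri_for(ip, ptr_records)
    if uri is None:
        return False, f"no PTR record for {reverse_name(ip)}: digest-uri cannot be set"
    if not dc_accepts(uri, spns):
        return False, f"digest-uri {uri} is not registered as an SPN on the domain controller"
    return True, f"digest-uri {uri} matches an SPN; credentials are verified"


def run_scenarios() -> Dict[str, bool]:
    """Constructed configurations: the working one from the guide, the two
    failing ones from 24.8.1, and the PTR fix from 24.8.3 for the NAT case."""
    spns = parse_setspn(SETSPN_OUTPUT)
    ad_dns = {"21.2.0.192.in-addr.arpa": "dc1.mydomain.com"}
    # Assumed NAT address in front of the DC; the AD DNS knows nothing about it.
    nat_ip = "198.51.100.21"
    # Assumed alternative DNS server whose PTR points at a name that is not an SPN.
    other_dns = {"21.2.0.192.in-addr.arpa": "dc1-lan.example.net"}
    # The fix: a PTR record for the address the appliance actually connects to.
    fixed_dns = {**ad_dns, reverse_name(nat_ip): "dc1.mydomain.com"}
    return {
        "direct, AD DNS": simulate_bind("192.0.2.21", ad_dns, spns)[0],
        "NAT, no PTR for NAT address": simulate_bind(nat_ip, ad_dns, spns)[0],
        "alternative DNS, wrong PTR": simulate_bind("192.0.2.21", other_dns, spns)[0],
        "NAT, PTR added for NAT address": simulate_bind(nat_ip, fixed_dns, spns)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

The two failing scenarios fail for different reasons, and simulate_bind reports which: the NAT case has no PTR record at all for the address the appliance uses, while the alternative-DNS case has a PTR record whose value is not an SPN. Checking the real setspn output for an ldap/ entry matching the reverse-lookup result is the same comparison dc_accepts performs.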


25. Support
25.1. Support Procedure

If you have problems with or questions about a OneSpan product, follow the steps below:

1. Check whether your problem is already covered in the online knowledge base at http://www.vasco.com/support.
2. If the Knowledge Base does not solve your problem, contact the company that sold you the OneSpan product.
3. If your supplier is unable to solve your query, they will contact the appropriate OneSpan expert.
   If necessary, OneSpan experts can access your IDENTIKEY Appliance remotely to solve any problems.
   Remote support and access to your IDENTIKEY Appliance are provided through the VASCO Customer
   Portal.

25.2. Allowing Remote Support Connections

If necessary, OneSpan experts can access your IDENTIKEY Appliance remotely to solve problems. Remote support
requires a connection between the VASCO Customer Portal and your IDENTIKEY Appliance.

25.2.1. Before You Begin

A support certificate must be installed before a connection can be established to the VASCO Customer Portal.

Note
When the Rescue Tool is running on the console, support is always enabled.

25.2.2. Allowing Remote Support Connections

Procedure 95: Allowing remote support connections

1. Launch the IDENTIKEY Appliance Configuration Tool and enter your credentials (see Section 2.3. Launching
   IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server Administration Web Interface).

2. Navigate to System > Support.

3. Select Enable Support.

   This enables OneSpan support to connect to the appliance to perform maintenance operations as requested.


Image 77: Configuring Support Connections

4. Select a support certificate from the Support Certificate list.

   The Support Certificate list contains all support certificates you have previously imported using the
   Certificate Management tab. For more information, see 13.1. Managing Certificates.

Image 78: Selecting Support Certificate

5. Select Enable Remote Support.

6. Click Save.

   Clear Enable Remote Support again and save once the support case is closed, so that the remote connection
   is only possible while it is actually needed.


25.2.3. Additional Considerations

Remote support can also be enabled without installing a support certificate by giving OneSpan support VPN access
to your network, which then allows direct access to the IDENTIKEY Appliance Configuration Tool. Such VPN access is
broader than the certificate-based support connection: restrict it to the appliance's management address and
revoke it once the support case is closed.

Index

A
Administration Web Interface
  troubleshooting connectivity 176
ADUCE 177
Audit Viewer 25, 143-144
Auto-Assignment
  and maker-checker authorization 30, 131
auto-unlock 177
Autolearn
  Password Autolearn 125-126, 129

B
Back-End Authentication
  RADIUS 129
back-end protocol 68, 70, 73, 75, 129, 131
back-end server
  creating a new back-end server record 129

C
CHAP 110, 116
Citrix Web Interface 26, 45
Communicator 49, 88-89, 120
cryptographic signature
  Secure Auditing 151
CSV
  plugin 165
customization
  reporting
    PDF/HTML reports 106

D
DIGIPASS
  auto-assignment and maker-checker authorization 30, 131
  event counter troubleshooting 178
  instance 32
  master activation application 33
  Multi-Device Activation 32
  Multi-Device Licensing 32
  Secure Channel 34
  troubleshooting 176
DIGIPASS App
  online activation 35
  push-notification-based authentication 35
  upgrading to Push Notification 35
DIGIPASS event counter
  troubleshooting 178
DIGIPASS user account
  auto-unlock 177
  unlocking, automatically using user auto-unlock 177
  unlocking, manually 177
dpx file 93
dynamic user registration (DUR)
  troubleshooting 175

E
EAP 111, 116
event-based
  event counter 178
  troubleshooting 178

F
filters
  performance monitoring 163

G
General Data Protection Regulation (GDPR)
  securing RADIUS connections, Caution notice 27, 52, 121, 136
Group Check 53, 176

H
Hardware Security Module (HSM) 152
HTML reports
  XSLT templates 109

I
IIS module 47

K
keystore 152

L
LDAP back-end authentication
  troubleshooting 182
LDAP user synchronization
  configuring tracing 155
  troubleshooting 181
license key 26, 47, 121
licensing 16-17, 32, 34, 76, 121
Login Permutations 133

M
Message Delivery Component (MDC)
  configuring tracing 154
monitoring
  filters 163
  Net-SNMP 157
  performance 163
  Performance Monitoring tool 163, 165
  plugins 165
  system monitoring 166, 168, 171

O
Outlook Web Access 26, 45

P
PAP 110, 116
password
  supported protocols 110
PDF
  report templates 106
PDF Report Templates 107
PEAP 111, 116
performance monitoring 163
plugins
  performance monitoring 165
proxy server 112
Push Notification
  authentication method 35
Push Notification, DIGIPASS App
  upgrade 35

R
RADIUS
  Back-End Authentication 129
  dictionary 120
  securing connections 27, 52, 121, 136
  uploading custom dictionary 120
recent DIGIPASS activity 38
recent user activity 38
remote support 184
Report Definition Wizard
  reporting 102, 105
reporting
  changing report owner 104
  deleting a report 104
  editing a report 104
  retrieving a report 109
  running a report 102

S
Secure Auditing 151
serial number 32, 35, 37, 133
Simple Network Management Protocol (SNMP) 157
  engine ID 173
  MIB files 161
  MIB files, downloading 161
  trap handler, configuring 172

T
templates
  HTML reports
    XSLT 109
  PDF reports, customized 107
tracing
  IDENTIKEY Authentication Server events 153
  LDAP user synchronization, configuring 155
  Message Delivery Components (MDC) events, configuring 154
  trace files, deleting 156
  trace files, downloading 156
troubleshooting
  Administration Web Interface connectivity 176
  connection issues 175
  DIGIPASS authenticator locked 176
  DIGIPASS event counter out-of-sync 178
  DIGIPASS user account locked 176
  dynamic user registration (DUR) 175
  LDAP back-end authentication 182
  LDAP user synchronization 181
  wireless RADIUS authentication 180

U
User Account
  troubleshooting 176
User Dashboard 36

V
Verification Tool
  Secure Auditing 151
  view audit information 39

W
Windows Group Check 53
Wireless Access Points 116-117
  multiple 117
wireless RADIUS 115, 180
wireless RADIUS authentication
  troubleshooting 180

X
XSLT Templates 109
