IDENTIKEY® Appliance Installation and Maintenance Guide 3.17



Disclaimer of Warranties and Limitations of Liabilities

Legal Notices

Copyright © 2008–2019 OneSpan North America, Inc. All rights reserved.

Trademarks

OneSpan™, DIGIPASS® and CRONTO® are registered or unregistered trademarks of OneSpan North America Inc., OneSpan NV and/or OneSpan International GmbH (collectively "OneSpan") in the U.S. and other countries.

OneSpan reserves all rights to the trademarks, service marks and logos of OneSpan and its subsidiaries.

All other trademarks or trade names are the property of their respective owners.

Intellectual Property

OneSpan Software, documents and related materials ("Materials") contain proprietary and confidential information. All title, rights and interest in OneSpan Software and Materials, updates and upgrades thereof, including software rights, copyrights, patent rights, industrial design rights, trade secret rights, sui generis database rights, and all other intellectual and industrial property rights, vest exclusively in OneSpan or its licensors. No OneSpan Software or Materials may be downloaded, copied, transferred, disclosed, reproduced, redistributed, or transmitted in any form or by any means, electronic, mechanical or otherwise, for any commercial or production purpose, except as otherwise marked or when expressly permitted by OneSpan in writing.

Disclaimer

OneSpan accepts no liability for the accuracy, completeness, or timeliness of content, or for the reliability of links to and content of external or third party websites.

OneSpan shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company, or any third party arising from the use or inability to use OneSpan Software or Materials, or any third party material made available or downloadable. OneSpan will not be liable in relation to any loss/damage caused by modification of these Legal Notices or content.

Reservation

OneSpan reserves the right to modify these Notices and the content at any time. OneSpan likewise reserves the right to withdraw or revoke consent or otherwise prohibit use of the OneSpan Software or Materials if such use does not conform to the terms of any written agreement between OneSpan and you, or other applicable terms that OneSpan publishes from time to time.

Contact us

Visit our website: https://www.onespan.com
Resource center: https://www.onespan.com/resource-center
Technical support and knowledge base: https://www.onespan.com/support

If there is no solution in the knowledge base, contact the company that supplied you with the OneSpan product.

Date last modified: 2/22/2019


Table of Contents

1. Introduction 9

1.1. IDENTIKEY Appliance Documentation Set 9

2. Safety and Environmental Information 10

2.1. Overview 10

2.2. Electrical Safety 10

2.3. Personal, Environmental and IDENTIKEY Appliance Safety 10

2.4. Temperature, Power and Humidity 11

2.5. Dimensions 11

2.6. Chassis Rails 11

3. Pre-Installation Tasks and Considerations 12

3.1. Setup Information 12

3.2. Open Source Software 12

3.3. Multi-Device Licensing and Multi-Device Activation Limitations 12

4. Connecting IDENTIKEY Appliance to your Network 14

4.1. Overview 14

4.2. Powering on IDENTIKEY Appliance 14

4.3. Connecting to your Network 15

5. First Time Configuration 17

5.1. Overview 17

5.2. Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool 18

5.3. Configuration Wizard 21

5.4. Licensing Wizard 30

5.5. IDENTIKEY Authentication Server Setup Wizard 35

5.6. Activating a Support Certificate 41

5.7. Migration to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server 43


IDENTIKEY Appliance 3.17 – Installation and Maintenance Guide iii


6. Rescue Tool 45

6.1. Overview 45

6.2. Accessing the Rescue Tool 45

6.3. Adding Authentication for the Rescue Tool 46

6.4. Navigation and Functionality 48

7. System Actions 51

7.1. Overview 51

7.2. Rebooting and Shutting Down 51

7.3. Rescuing Default Administrator Users 52

7.4. Reverting to a Previous Version of IDENTIKEY Appliance 53

8. Re-Licensing IDENTIKEY Appliance 54

8.1. Overview 54

8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance 54

8.3. Current License Screen 55

8.4. Re-Licensing Scenarios 55

9. Updating IDENTIKEY Appliance 58

9.1. Overview 58

9.2. Retrieving Offline Update Packages 58

9.3. Using the Update Wizard 59

9.4. Reverting an Installed Upgrade 61

10. Backing Up and Restoring IDENTIKEY Appliance 63

10.1. Overview 63

10.2. Backing Up IDENTIKEY Appliance 63

10.3. Restoring IDENTIKEY Appliance 63

10.4. Configuring Custom Encryption for Backup Files 64

10.5. Performing Manual Backups 64



10.6. Configuring Automatic Backups 65

10.7. Configuring Scripted Backups 67

10.8. Restoring Backups 69

11. Replacing an IDENTIKEY Appliance 71

11.1. Installing and Licensing a Replacement IDENTIKEY Appliance 71

11.2. Upgrading a Replacement IDENTIKEY Appliance 72

12. RAID 73

12.1. Maintaining RAID 73

13. Hardware Security Module 76

13.1. Supported Hardware Security Modules 76

13.2. SafeNet HSMs 76

13.3. Secure Auditing with a Hardware Security Module (HSM) 80

14. Support 84

14.1. Support Procedure 84

14.2. Allowing Remote Support Connections 84



Illustration Index

Image 1: USB Ports, LAN Ethernet Interfaces and lit LEDs when operational 15

Image 2: AG-3XXX (left) and AG-5XXX Models (right) and lights indicating device operational (bottom right) 15

Image 3: Test TCP/IP Settings 16

Image 4: Certificate Warning Screen 19

Image 5: Configuration Tool Login Page 20

Image 6: Configuration Wizard – Welcome 22

Image 7: Configuration Wizard – End User License Agreement 23

Image 8: Configuration Wizard – Oracle Binary Code license agreement 24

Image 9: Configuration Wizard – Password Change 25

Image 10: Configuration Wizard – Hostname 26

Image 11: Configuration Wizard – Network Settings 27

Image 12: Configuration Wizard – Time Synchronization 28

Image 13: Configuration Wizard – Appliance CA Information 29

Image 14: Configuration Wizard – Activation Confirmation 30

Image 15: Licensing Wizard – Welcome 31

Image 16: Licensing Wizard – System Information 32

Image 17: Licensing Wizard – Upload License 33

Image 18: Licensing Wizard – License Activation 34

Image 19: Licensing Wizard – License Confirmation 35

Image 20: IDENTIKEY Authentication Server Setup Wizard – Settings 36

Image 21: IDENTIKEY Authentication Server Setup Wizard – Secure Auditing 37

Image 22: IDENTIKEY Authentication Server Setup Wizard – Hardware Security Module Configuration 38

Image 23: IDENTIKEY Authentication Server Setup Wizard – Administrative User 39

Image 24: IDENTIKEY Authentication Server Setup Wizard – Ready to Configure 40

Image 25: IDENTIKEY Authentication Server Setup Wizard – Configured 41

Image 26: VASCO Customer Portal 42

Image 27: VASCO Customer Portal – View contract information 42

Image 28: Configuration Tool – Configuring Support Connection 43



Image 29: Rescue Tool Menu 46

Image 30: Authentication Settings - Rescue Users 47

Image 31: Authentication Settings - Add Rescue User 48

Image 32: IDENTIKEY Appliance System Actions 51

Image 33: VASCO Customer Portal 59

Image 34: VASCO Customer Portal Retrieving and Downloading Update Packages 59

Image 35: Revert Upgrade Wizard – Previous Version 62

Image 36: Backup and Restore – Creating Manual Backups 65

Image 37: Backup and Restore - Configuring Automatic Backups (FTP/SFTP Settings) 66

Image 38: Backup and Restore - Configuring Automatic Backups (Schedule Settings) 67

Image 39: Backup and Restore - Configuring Scripted Backups 68

Image 40: Backup and Restore - Restoring and Rebooting 70

Image 41: Launching the RAID Maintenance Wizard 73

Image 42: RAID Maintenance Status and Actions - Replacing Hard Disk 75

Image 43: Secure Auditing with HSM 81

Image 44: Configuring Support Connections 85

Image 45: Selecting Support Certificate 85



Table Index

Table 1: IDENTIKEY Appliance Dimensions 11

Table 2: Settings for Connecting a Computer to IDENTIKEY Appliance 45



1. Introduction

IDENTIKEY Appliance Administrator Guide is part of the documentation set about IDENTIKEY Appliance. It provides in-depth guidance for performing common or complicated tasks on IDENTIKEY Appliance and IDENTIKEY Authentication Server.

If not stated otherwise, the information in this guide also applies to IDENTIKEY Virtual Appliance.

Warning: Components or features described in this document may need to be configured to meet the standards of the General Data Protection Regulation (GDPR). If your organization is collecting or in any capacity processing data on citizens of a European Union country, your organization is subject to the GDPR. For more information on this subject matter, refer to the IDENTIKEY Appliance General Data Protection Regulation Compliance Guide.

1.1. IDENTIKEY Appliance Documentation Set

The following IDENTIKEY Appliance guides are available:

• IDENTIKEY Appliance Administrator Guide. Explains the steps needed for administration tasks, including monitoring and troubleshooting.

• IDENTIKEY Appliance Administrator Reference. Provides field explanations and other organized reference material for technical experts using IDENTIKEY Appliance; intended for reference only.

• IDENTIKEY Appliance Installation and Maintenance Guide. Explains the steps required to connect the IDENTIKEY Appliance to your network, first-time configuration and maintenance procedures, such as updating and re-licensing.

• IDENTIKEY Appliance Product Guide. Describes the structure of the product, the concepts underpinning authentication and how IDENTIKEY Appliance can support authentication within an existing infrastructure.

• IDENTIKEY Appliance General Data Protection Regulation Compliance Guide. Provides general information about the EU General Data Protection Regulation (GDPR) and its implications on IDENTIKEY Appliance, and provides instructions to achieve GDPR compliance where additional adaptations or procedures are required.

• IDENTIKEY Authentication Server SDK Programmer Guide. Provides in-depth information required for development work using the SDK. This document is relevant to SOAP authentication, electronic signatures and provisioning using the IDENTIKEY Appliance.

• Documents about DIGIPASS Authentication for Windows Logon. Provide information about the concepts, installation and configuration, setup, and procedures to test DIGIPASS Authentication for Windows Logon.

• Two Password Synchronization Manager guides for installation and usage information.

• Filter guides for each available filter for installation and usage information.

Access to the IDENTIKEY Appliance documentation is provided via the IDENTIKEY Appliance Configuration Tool. Manuals for IDENTIKEY Appliance add-ons are provided on the CD-ROM delivered with the appliance.


2. Safety and Environmental Information

Note: The information in this section does not apply to IDENTIKEY Virtual Appliance!

2.1. Overview

In this section we provide details important both for the safe use of the IDENTIKEY Appliance and also to help maintain the device in a safe environment to keep it fully operational.

Tip: Please read all of this section before starting to install your IDENTIKEY Appliance.

2.2. Electrical Safety

Use the exact type of power cord required:

• only use a power cord(s) with safety certifications
• only use a power cord(s) which is compliant with the AC voltage requirements in your region

Plug the power cord(s) into a socket which is properly grounded, before turning on the power.

Turn the IDENTIKEY Appliance off before you disconnect the power supply.

Use the exact type of network cable recommended:

• to conform to certification restrictions, only use a network cable with a maximum length of 3.0 meters.

2.3. Personal, Environmental and IDENTIKEY Appliance Safety

To avoid back injuries: when lifting the IDENTIKEY Appliance, avoid injuries to your back by using your leg muscles. Keep your back straight and bend your knees when lifting the device.

Protecting the environment: producing the IDENTIKEY Appliance involves the extraction and use of natural resources. The product may contain substances which are hazardous for human health and the environment. To reduce the risk of any hazardous substances being released into the environment and to reduce the depletion of natural resources, we encourage you to use appropriate recycling systems. Such systems reuse or recycle most end-of-life materials in a safe way. The 'crossed-bin symbol' invites you to use such systems.

Further information on collection, reuse and recycling is available from your local or regional refuse administration center.

For further information on the IDENTIKEY Appliance and the environment, please contact your supplier.


To avoid dropping the IDENTIKEY Appliance: hold the appliance firmly by its main casing. Do not lift the device by the silver colored 'D' shapes at the front of the appliance. These are the chassis handles and are only intended for sliding the IDENTIKEY Appliance in and out of the chassis rails.

2.4. Temperature, Power and Humidity

VASCO recommends installing the IDENTIKEY Appliance in a server room with air conditioning and an Uninterrupted Power Supply (UPS). If the equipment is built into a server cupboard, make sure that there is sufficient ventilation. Environmental requirements are:

• Operating Temperature Range: 10 to 35 degrees Celsius (50 to 95 degrees Fahrenheit)
• Non-Operating Temperature Range: -40 to +70 degrees Celsius (-40 to 158 degrees Fahrenheit)
• Humidity Range: 8% to 90% non-condensing
• Non-Operating Humidity Range: 5% to 95% non-condensing
• Power Supply: Thermal control 260 W AC power supply with PFC [24-pin, 4-pin=12V, (2) 4-pin]
• AC Voltage: 100-240 V, 60-50 Hz, 4 Amp Max
• DC Output: 5V + 3.3V <= 140 W
• +5V: 25.0 Amp
• +5V standby: 2.0 Amp
• +12V: 18.0 Amp
• -12V: 1.0 Amp
• +3.3V: 15.0 Amp

2.5. Dimensions

          AG-3XXX          AG-5XXX          AG-7XXX
Height    1.7'' (43mm)     1.7'' (43mm)     3.5'' (89mm)
Width     16.8'' (426mm)   16.8'' (426mm)   17.2'' (437mm)
Depth     10'' (253mm)     14'' (356mm)     17.7'' (450mm)

Table 1: IDENTIKEY Appliance Dimensions

2.6. Chassis Rails

Chassis rails for storing the IDENTIKEY Appliance on a sliding shelf are available for the AG5XXX models only. These are not included in the VASCO price list. Please consult www.supermicro.com for compatible chassis rails (part number CSE-PT8L).


3. Pre-Installation Tasks and Considerations

3.1. Setup Information

Collecting the following information before you start will help to speed up your installation:

• an unused IP address in your network
• the default gateway setting in your network
• DNS Server IP address(es) for your network
• DNS Suffix(es) (optional)
• Proxy Server settings (optional)
• IDENTIKEY Appliance Maintenance Reference (for a Commercial License only)
• IDENTIKEY Appliance Serial Number (for a Commercial License only)
• an appropriate network cable, no longer than 3.0 meters in length

3.2. Open Source Software

VASCO uses various open source software (OSS) included in IDENTIKEY Appliance and its components.

The list of licences and the list of the open source software used can be found in the IDENTIKEY Authentication Server installation folder on the IDENTIKEY Appliance machine or its respective components.

Note: Part of the open source software is licenced under the General Public License (GPL), and upon the customer's request VASCO can provide source codes for our adaptations to such software in the form of a DVD for a small fee for the medium. These source codes can be freely copied, extended, modified, and redistributed without any restrictions from VASCO or our End User License Agreement.

3.3. Multi-Device Licensing and Multi-Device Activation Limitations

As of version 3.7, IDENTIKEY Authentication Server supports a new model for licensing and activating a DIGIPASS authenticator: Multi-Device Licensing and Multi-Device Activation.

This new licensing and activation model applies to the following models of the DIGIPASS authenticator:

• E-signature DIGIPASS: DIGIPASS 760
• Software DIGIPASS: DIGIPASS for Mobile and DIGIPASS for APPS

Note: The new functionalities introduced in the context of Multi-Device Licensing, Multi-Device Activation, and the Secure Channel feature are aimed at the banking security market only. This implies that certain of these functionalities will not be available for typical enterprise security deployments.


Warning: The Multi-Device Licensing and Multi-Device Activation functionality using the Secure Channel feature requires a SOAP provisioning and/or SOAP signature license!

With the Multi-Device Licensing model and its one-to-one relationship between a user account and a DIGIPASS serial number license, a user account can optionally be bound to several DIGIPASS instances. Multi-Device Activation, which is an activation process in two steps, guarantees that only the intended end user can perform the device activation.


4. Connecting IDENTIKEY Appliance to your Network

Note: The information in this section does not apply to IDENTIKEY Virtual Appliance!

4.1. Overview

In this section we provide instructions for connecting IDENTIKEY Appliance to your network.

Warning: Before you begin, read the safety information in the 2. Safety and Environmental Information section. Check that all the package contents you need have been supplied. They are listed on a separate sheet supplied with your IDENTIKEY Appliance.

Refer to 3. Pre-Installation Tasks and Considerations and check that you have all the information you need for installation.

4.2. Powering on IDENTIKEY Appliance


Image 1: USB Ports, LAN Ethernet Interfaces and lit LEDs when operational

1. IDENTIKEY Appliance is delivered with two LAN Ethernet interfaces (see image above), one of which needs to be connected using an appropriate network cable to the network's hub or switch.

2. Power up IDENTIKEY Appliance by connecting the appliance via the power cable to a supply. (The AG-7XXX models have two power units, each with a separate power cable. These power cables need to be connected to separate power circuits. The second (redundant) supply provides backup in case the fuse for the supplying power circuit fails.)

3. The two lights on the front of IDENTIKEY Appliance indicate that the device is connected and operational (see image below).

Check if the lights are on. If they are not, check the following:

• The network cable is in good working order
• The network cable is correctly plugged into one of the LAN Ethernet interfaces
• The network cable is correctly plugged in to your network hub or switch

Image 2: AG-3XXX (left) and AG-5XXX Models (right) and lights indicating device operational (bottom right)

4.3. Connecting to your Network

There are two ways to change the IDENTIKEY Appliance IP address to an address within your network:

• using the Rescue Tool
• temporarily isolating a client workstation from the network and linking it to IDENTIKEY Appliance. This involves changing a client workstation IP address to within the specified IP address range for IDENTIKEY Appliance, for which we provide instructions here.

IDENTIKEY Appliance is delivered with the following standard configuration on the LAN Ethernet interface:

Network IP address/ Netmask 192.168.0.1/24

To access the system, a workstation needs to be temporarily configured with the same TCP/IP settings as IDENTIKEY Appliance.


1. Configure a workstation with the following settings:

Network IP address 192.168.0.2

Subnet Mask 255.255.255.0

2. Once the TCP/IP settings (listed above) are active on a workstation, use a DOS window or terminal session for the following test:

...> ping 192.168.0.1

Image 3: Test TCP/IP Settings

If a reply is received as shown in the image above, everything is OK.

If a reply is not received, indicated by the messages "time out" or "destination host unreachable":

• Check that the workstation's TCP/IP settings are correct (see points 1 and 2 above).
• Check that the network cable is in good working order and correctly plugged into one of the LAN Ethernet interfaces and your network hub or switch.

Tip: An alternative method for modifying the IDENTIKEY Appliance IP address without needing to modify your workstation IP settings is possible with the Rescue Tool.


5. First Time Configuration

5.1. Overview

Once a workstation has been connected to the IDENTIKEY Appliance, the next step is first-time configuration of the IDENTIKEY Appliance using the Configuration Tool. All the instructions in this section need to be completed in the Configuration Tool. First-time configuration involves:

• completing the Configuration Wizard
• completing the Licensing Wizard
• installing the Support Certificate
• (optionally) completing manual configurations, and
• configuring IDENTIKEY Authentication Server

For information about using the IDENTIKEY Appliance Configuration Utility, refer to Section 5.2. Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool. The Configuration Wizard is launched when a new IDENTIKEY Appliance Configuration Utility is accessed. The wizard guides the system administrator through a minimal number of settings. During the Maintenance Wizard, the IP address of IDENTIKEY Appliance is changed to within your network. You can then reset the IP address of the workstation you used to connect to IDENTIKEY Appliance (unless you used the Rescue Tool). Following completion of the Configuration Wizard, and using the newly configured IP address of the IDENTIKEY Appliance, Licensing is necessary before services become available.

Licensing is the process of identifying an issued IDENTIKEY Appliance to the VASCO Service Center for the issue of a license key to make the appliance fully operational. After installation, and before Licensing, the IDENTIKEY Appliance Configuration Utility is accessible for configuration and management, but the IDENTIKEY Authentication Server Administration Web Interface and other services will not be available. The Licensing procedure is supported by a Licensing Wizard, which is accessible through the IDENTIKEY Appliance Configuration Utility. This wizard guides the system administrator through a minimal number of settings (see 5.4. Licensing Wizard).

For more information about licensing, refer to the IDENTIKEY Appliance Product Guide, Section "Licensing".

The IDENTIKEY Authentication Server Setup will then walk you through the configuration of a master domain, along with an administrator login for this domain. This process will also allow you to easily enable and configure HSM and secure auditing. After completing the IDENTIKEY Authentication Server Setup, the Administration Web Interface and other services will be available.

Manual configuration in the Configuration Tool is only possible after completion of the Configuration Wizard. For more information about manual configuration, refer to the IDENTIKEY Appliance Administrator Guide.

Warning: Licensing requires access to the VASCO Customer Portal (https://cp.onespan.com/). However, it is not necessary for the IDENTIKEY Appliance to have an Internet connection, as the required files can be downloaded to another computer and transferred to the IDENTIKEY Appliance.


Note: If you want to restore an existing instance of IDENTIKEY Appliance, you do not need to undergo all the steps outlined above; instead restore the backup version of IDENTIKEY Appliance. For more information about restoring a backup, refer to 10.8. Restoring Backups.

5.2. Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool

Warning: Using the default sysadmin user account for accessing the Configuration Tool is less secure than using a new user account which requires DIGIPASS one-time password authentication. We therefore recommend creating a new System Administrator account which requires DIGIPASS authentication and disabling the sysadmin account as soon as possible. For more information, refer to the IDENTIKEY Appliance Administrator Guide.

Accessing the IDENTIKEY Appliance Configuration Tool is possible using a standard Web browser, provided it does not have a proxy set up in its browser settings. Access is secured by SSL (Secure Socket Layer) encryption over the HTTPS protocol.

5.2.1. Browsers

IDENTIKEY Appliance was implemented to adhere to common Web standards and is expected to be fully operational in the latest stable releases of all major Web browsers. The IDENTIKEY Appliance Configuration Tool has been tested on the following browsers:

• Google Chrome 41
• Mozilla Firefox ESR 38
• Internet Explorer 10

Note: The following browser settings are mandatory for Internet Explorer:

• JavaScript must be enabled
• Redirect must be enabled
• Administration Web Interface must be added to the Trusted Sites
• Pop-ups must be allowed for this Website

Tip: Until first-time configuration and licensing have been completed, using the URL https://<IDENTIKEY Appliance IP address>/ automatically redirects to the Configuration Tool. After licensing, the URL points to the Administration Web Interface allowing daily management.

On connection to the Configuration Tool, IDENTIKEY Appliance automatically detects that this is a first-time installation and launches the Configuration Wizard.


Logging into the Configuration Tool requires the following steps:

1. Enter the URL for the interface into the browser:

https://<appliance_ip_address>/configtool

As you are accessing a website secured with a self-signed certificate, the browser presents a warning asking you to accept the certificate to continue.

Note: The procedure for accepting a certificate varies between browsers. Internet Explorer is used in the example.

Image 4: Certificate Warning Screen

After the certificate has been accepted, the login page for the Configuration Tool appears.


Image 5: Configuration Tool Login Page

2. Log on using administrator login credentials.

The default administrative user name and password are:

Username: sysadmin

Password: sysadmin

On accessing the Configuration Tool, IDENTIKEY Appliance automatically detects that this is a first-time installation and launches the Configuration Wizard.


5.3. Configuration Wizard

The Configuration Wizard takes you through nine screens, guiding entry of the information needed to configure the IDENTIKEY Appliance on your network:

1. Welcome
2. End User License Agreement
3. Oracle Binary Code License Agreement for Java SE
4. Password Change
5. Hostname
6. Network Settings
7. Time Synchronization
8. Appliance CA Information
9. Activation

Configuration Wizard screens are shown in the following sections and are mostly self-explanatory; additional explanations are provided where appropriate.


5.3.1. Welcome

Image 6: Configuration Wizard – Welcome


5.3.2. End User License Agreement

Image 7: Configuration Wizard – End User License Agreement

Read the license agreement carefully.

To accept the terms, select Accept this End User License Agreement.


5.3.3. Oracle Binary Code license agreement for Java SE

Image 8: Configuration Wizard – Oracle Binary Code license agreement

Read the Oracle Binary Code license agreement carefully.

To accept the terms, select Accept the Oracle Binary Code License for Java SE.

5.3.4. Password Change

Warning: Changing the default system administrator's password is critically important for security. Using the default sysadmin user account for accessing the Configuration Tool is less secure than using a new user account which requires DIGIPASS one-time password (OTP) authentication. We therefore recommend creating a new system administrator account which requires DIGIPASS authentication and disabling the sysadmin account as soon as possible. For more information, refer to the IDENTIKEY Appliance Administrator Guide.

Image 9: Configuration Wizard – Password Change


5.3.5. Hostname

Image 10: Configuration Wizard – Hostname


5.3.6. Network Settings

Image 11: Configuration Wizard – Network Settings

The IP address needs to be entered in CIDR format. For example, 192.0.2.230 with netmask 255.255.255.0 needs to be entered as 192.0.2.230/24. DNS suffixes can be entered as a comma-separated list. DNS servers can be entered as a list with one IP address per line.

The VASCO Customer Portal server handles licensing, updating and remote support for the IDENTIKEY Appliance. For more information, refer to the IDENTIKEY Appliance Product Guide, VASCO Service Center section.

A direct connection to the VASCO Customer Portal requires a default gateway to be configured and access on TCP port 443. For more information, refer to the IDENTIKEY Appliance Administrator Reference, Section "Firewall Ports".

An alternative to configuring a default gateway is to use a proxy server. If a default gateway is not configured, however, services are only available to clients in the same subnet as the IDENTIKEY Appliance. To configure proxy settings, navigate to Settings > Network in the Configuration Tool. This can be done after successful activation (see Section 1.1.8 Activation Successful) if you opt to disable Continue to the license wizard.

5.3.7. Time Synchronization

Image 12: Configuration Wizard – Time Synchronization

Enter an NTP server name, or use ntp.vasco.com.


5.3.8. Appliance CA Information

Image 13: Configuration Wizard – Appliance CA Information

Specify the information to set up the built-in IDENTIKEY Appliance certification authority (CA). The built-in CA is used to sign all automatically generated certificates.

5.3.9. Activation Confirmation

After all data has been entered correctly, IDENTIKEY Appliance can be activated by clicking Finish.

Click Finish to start up the Licensing Wizard, or clear the check box to just complete the activation and perform other configurations manually via the IDENTIKEY Appliance Configuration Tool.


If you changed the IP address during first-time configuration (network settings), then you will need to reflect this change in your browser (i.e. change the IP portion of the address in your browser accordingly). Otherwise, clicking Finish at this point will result in a timeout.

Image 14: Configuration Wizard – Activation Confirmation

5.4. Licensing Wizard

The Licensing Wizard is launched via two methods:

• Immediately after completing the First-time Configuration Wizard (via the Activation Successful page).
• After completing the Configuration Wizard, via a status screen link to initiate the Licensing Wizard.

It takes you through the process for downloading and loading the license for IDENTIKEY Appliance.

Note: After the System Information page in the Licensing Wizard you will need to access the VASCO Customer Portal before continuing.

For more information about when re-licensing is necessary, refer to 8. Re-Licensing IDENTIKEY Appliance.

5.4.1. Welcome

Image 15: Licensing Wizard – Welcome


5.4.2. System Information

Image 16: Licensing Wizard – System Information

The system information file downloaded on this screen contains information specific to your IDENTIKEY Appliance. This information is required during registration on the VASCO Customer Portal, in order to acquire a license file.

5.4.3. Acquiring a VASCO License File

Two types of license file exist:

• A commercial license file, which remains valid indefinitely.
• An evaluation license file, which is only valid for 30 days.

To acquire a VASCO license file for your IDENTIKEY Appliance, you need to upload the system information file to the VASCO Customer Portal. This file identifies your appliance to VASCO, for the issue of a license file.


Open a web browser and go to the VASCO Customer Portal: https://cp.onespan.com/. Follow the instructions on the VASCO Customer Portal to acquire the license file required.

5.4.4. Upload License

When the license file has been downloaded, you must upload it to the IDENTIKEY Appliance. On the Upload License page, browse to the downloaded license file and click Next to upload the file.

Image 17: Licensing Wizard – Upload License

5.4.5. License Activation

The IDENTIKEY Appliance will investigate the uploaded license to establish whether it is a valid license. When the License Activation page is displayed, click Next to activate the license.


Image 18: Licensing Wizard – License Activation

5.4.6. License Activation Confirmation

The License Activation Confirmation page will be displayed to confirm activation. This page indicates that IDENTIKEY Appliance services (such as authentication) are now available.


Image 19: Licensing Wizard – License Confirmation

5.5. IDENTIKEY Authentication Server Setup Wizard

The IDENTIKEY Authentication Server Setup Wizard will walk you through the configuration of several basic IDENTIKEY Authentication Server settings. These settings include the master domain, an administrator login, Hardware Security Modules, and Secure Auditing.


5.5.1. IDENTIKEY Authentication Server Settings

Image 20: IDENTIKEY Authentication Server Setup Wizard – Settings

Enter the name of the master domain to be used, and, optionally, enable Case Sensitive User IDs / Domain Names. At this stage you have the option to enable a Hardware Security Module (HSM) or Secure Auditing. See the IDENTIKEY Appliance Product Guide for more information on these features.

Note: You cannot disable/enable HSM and Secure Auditing settings after completing this wizard. To do so, you will need to perform a factory default.


5.5.2. Secure Auditing

If you selected Secure Auditing on the first screen of the IDENTIKEY Authentication Server Setup Wizard, you will see the Secure Auditing screen:

Image 21: IDENTIKEY Authentication Server Setup Wizard – Secure Auditing

• Epoch Length in Lines: the epoch will end after the specified number of lines has been written to the secure audit data store.

• Epoch Length in Seconds: the epoch will end after the specified time (in seconds) has elapsed.
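The two epoch limits above are easier to reason about when applied to a stream of audit lines. The following is an added example and not IDENTIKEY Appliance code. It assumes that an epoch closes as soon as either limit is reached, and, because the page does not describe what closing an epoch does, it seals each closed epoch with an HMAC-SHA256 over a hash chain of its lines as a generic tamper-evidence construction standing in for the appliance's audit keypair. The audit lines and key are constructed for the example.

```python
"""Added example (not IDENTIKEY Appliance code): epoch limits applied to a
stream of audit lines, with a keyed digest sealing each closed epoch."""
import hashlib
import hmac


def chain_digest(key, epoch, lines):
    """Hash-chain the lines of one epoch and key the result with HMAC-SHA256."""
    h = hashlib.sha256(f"epoch:{epoch}".encode()).digest()
    for line in lines:
        h = hashlib.sha256(h + line.encode()).digest()
    return hmac.new(key, h, hashlib.sha256).hexdigest()


class SecureAuditEpochs:
    """Tracks the open epoch and seals it when either configured limit is hit."""

    def __init__(self, epoch_lines, epoch_seconds, audit_key, start_time):
        if epoch_lines < 1 or epoch_seconds <= 0:
            raise ValueError("epoch limits must be positive")
        self.epoch_lines = epoch_lines
        self.epoch_seconds = epoch_seconds
        self.key = audit_key
        self.epoch = 1
        self.epoch_start = start_time
        self.lines = []      # lines of the currently open epoch
        self.sealed = []     # (epoch, reason, lines, digest) per closed epoch

    def write(self, line, now):
        """Append one audit line at time `now`; returns (epoch, sequence)."""
        # The time limit is checked before the write so that a line written
        # after the interval expired opens a fresh epoch instead of being
        # appended to a stale one. An empty epoch is never sealed by time.
        if self.lines and now - self.epoch_start >= self.epoch_seconds:
            self._seal("seconds", now)
        self.lines.append(line)
        epoch, seq = self.epoch, len(self.lines)
        if len(self.lines) >= self.epoch_lines:
            self._seal("lines", now)
        return epoch, seq

    def _seal(self, reason, now):
        digest = chain_digest(self.key, self.epoch, self.lines)
        self.sealed.append((self.epoch, reason, list(self.lines), digest))
        self.epoch += 1
        self.lines = []
        self.epoch_start = now


def verify_sealed(key, sealed):
    """Return the epoch numbers whose lines no longer match their digest."""
    bad = []
    for epoch, _reason, lines, digest in sealed:
        if not hmac.compare_digest(chain_digest(key, epoch, lines), digest):
            bad.append(epoch)
    return bad


if __name__ == "__main__":
    # constructed sample: 3 lines per epoch or 60 seconds, whichever comes first
    store = SecureAuditEpochs(3, 60, b"constructed-audit-key", start_time=0)
    for t, line in [(0, "auth OK user=alice"), (1, "auth OK user=bob"),
                    (2, "auth FAIL user=carol"), (10, "admin login sysadmin"),
                    (100, "auth OK user=alice")]:
        print(store.write(line, t))
    print([(e, r, len(l)) for e, r, l, _ in store.sealed])
```

Epoch 1 closes on its third line, epoch 2 holds a single line and is closed by the time limit when the write at t=100 arrives, and `verify_sealed` reports any sealed epoch whose stored lines were altered afterwards.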

Secure Auditing setup will be different depending on whether or not you have an HSM enabled. If you have an HSM enabled, encryption settings will be stored on that HSM (see 13.3. Secure Auditing with a Hardware Security Module (HSM)).

If HSM support is not enabled, then you will need to configure a secure auditing keypair. If you choose Install my own keypair, you will need to upload this file in the PEM format to IDENTIKEY Appliance afterwards. You will also be asked to provide this PEM file's matching master audit keystore passphrase.


Note: Secure Auditing for IDENTIKEY Appliance only supports elliptic curve keys that are NIST P-256 compliant and stored in the PKCS #12 format.

5.5.3. HSM Configuration

If you have installed a Hardware Security Module (HSM), you can configure it for use here. For more information regarding HSMs, refer to the IDENTIKEY Appliance Product Guide.

Before starting, ensure that the license for IDENTIKEY Appliance includes Hardware Security Module functionality.

For more information about setting up the information required to populate the fields on this screen, refer to 13. Hardware Security Module. The procedures described in that section must be performed BEFORE attempting this screen!

Image 22: IDENTIKEY Authentication Server Setup Wizard – Hardware Security Module Configuration


5.5.4. IDENTIKEY Authentication Server Admin User

Image 23: IDENTIKEY Authentication Server Setup Wizard – Administrative User

Procedure 1: Creating an IDENTIKEY Authentication Server Admin User

1. Enter a user name to be used as:

a. The first administrator for IDENTIKEY Authentication Server.

b. An administrator login for the Configuration Tool.

2. Enter and confirm a password. The password format must conform to the IDENTIKEY Authentication Server password strength rules. See the IDENTIKEY Appliance Product Guide for more details on the password strength rules.


5.5.5. Completing Configuration

Image 24: IDENTIKEY Authentication Server Setup Wizard – Ready to Configure

Once the details have been provided on the IDENTIKEY Authentication Server Setup Wizard screens, IDENTIKEY Authentication Server will be configured with the minimum details allowed for first-time use.


Image 25: IDENTIKEY Authentication Server Setup Wizard – Configured

5.6. Activating a Support Certificate

Procedure 2: Downloading and activating an IDENTIKEY Appliance support certificate

1. Open a web browser and go to the VASCO Customer Portal: https://cp.onespan.com/. Type the maintenance reference and serial number provided by VASCO for your IDENTIKEY Appliance and click Sign in.


Image 26: VASCO Customer Portal

2. By default, the Customer Portal displays the contract details as the first page after signing in.

Image 27: VASCO Customer Portal – View contract information

3. Scroll down to Contract certificate, select the Download contract certificate hyperlink, and download and save the certificate file.

4. Access the Configuration Tool.

5. Select Settings > Certificates.

6. Click Add Certificate below the Server Certificates list.

The Add Certificate wizard appears.


a. Select Upload Certificate in the Certificate Source page.

b. Specify the support certificate file you have downloaded from the VASCO Customer Portal and type an optional description for the certificate.

The support certificate file is verified.

c. Click Next to upload and add the support certificate to the available certificates.

d. Click Finish to close the Add Certificate wizard.

7. Select System > Support.

8. If required, select Enable Support.

9. Select the support certificate from the Support Certificate list.

Image 28: Configuration Tool – Configuring Support Connection

5.7. Migration to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server

When migrating to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server you can use the Data Migration Tool and the IDENTIKEY Appliance Update Wizard to migrate, for instance, user data or DIGIPASS data. See Chapter 9. Updating IDENTIKEY Appliance for information about the Update Wizard and update procedures.

When migrating from IDENTIKEY Appliance / IDENTIKEY Virtual Appliance, the source IDENTIKEY Appliance / IDENTIKEY Virtual Appliance must be set to Migration Mode. This is done by retrieving the enable-dmt-mode-<version>.bun package from the Downloads section in the VASCO Customer Portal and uploading it to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance as described in Section 9.2. Retrieving Offline Update Packages. Select, verify, and install the package as described in Sections 9.3.1. Select Update and 9.3.3. Verify Update and Install Update to complete data migration.


6. Rescue Tool

6.1. Overview

The Rescue Tool allows administrators to access a limited number of settings through a command line menu. The functionality and use of the Rescue Tool is covered below.

For more information on the concepts behind the functionality of the Rescue Tool, refer to the IDENTIKEY Appliance Product Guide.

6.2. Accessing the Rescue Tool

To access the Rescue Tool, use the logon user name rescue. No password is required when using the default logon options. However, you can specify several user/password combinations and require a minimum number of successful logins before granting access. For example, you can have five possible user/password combinations, and a user will need to supply at least three of these to access the Rescue Tool. For more information, refer to 6.3. Adding Authentication for the Rescue Tool.

You can access the Rescue Tool using one of the following methods:

• If using IDENTIKEY Virtual Appliance, switch to the console view in your hypervisor software and log on.

• Connecting a screen and keyboard directly to the IDENTIKEY Appliance, and logging on in a command-line prompt.

This does not apply to IDENTIKEY Virtual Appliance!

• Connecting a workstation or laptop computer to the IDENTIKEY Appliance using a serial null modem cable plugged into a serial port on both devices. This requires configuration specific to the operating system of the workstation or laptop computer.

This does not apply to IDENTIKEY Virtual Appliance!

Tip: Press ENTER if no logon prompt appears.

Field           Value
Baud rate       115200 bits per second
Parity          None
Data bits       8
Stop bits       1
Terminal type   VT100

Table 2: Settings for Connecting a Computer to IDENTIKEY Appliance


Image 29: Rescue Tool Menu

6.3. Adding Authentication for the Rescue Tool

You can add more secure users with access to the Rescue Tool. These users can be configured to enter other login credentials in addition to the rescue user name.

To define these users, access the IDENTIKEY Appliance Configuration Tool and navigate to Settings > Authentication.


Image 30: Authentication Settings - Rescue Users

This facility allows you to create your own users with associated high-strength passwords who have access to the Rescue Tool.

The Number of Additional Logins field enables you to define how many user IDs and passwords have to log in besides the first user. This adds further security to the Rescue Tool login. This number must always be less than or equal to the number of rescue users created.
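The rule in Sections 6.2 and 6.3 (several rescue users, a configurable number of which must all log in before access is granted) is a threshold check over distinct authenticated users. The following model is an added example, not IDENTIKEY Appliance code: the in-memory user store, the PBKDF2-SHA256 password hashing, and the choice to count the same user only once are assumptions made for illustration. The user names and passwords are constructed.

```python
"""Added example (not IDENTIKEY Appliance code): a model of the Rescue Tool's
'Number of Additional Logins' rule over a set of rescue users."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumption: any slow, salted password hash would do


def make_rescue_user(name, password):
    """Store a rescue user as a random salt plus PBKDF2-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"name": name, "salt": salt, "digest": digest}


def check_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    # constant-time comparison so a wrong guess cannot be distinguished by timing
    return hmac.compare_digest(candidate, user["digest"])


def additional_logins_allowed(number_of_rescue_users, additional_logins):
    """The guide's constraint: the value must not exceed the number of rescue users."""
    return 0 <= additional_logins <= number_of_rescue_users


class RescueAuthPolicy:
    def __init__(self, rescue_users, additional_logins):
        if not additional_logins_allowed(len(rescue_users), additional_logins):
            raise ValueError("Number of Additional Logins must not exceed the number of rescue users")
        self.users = {u["name"]: u for u in rescue_users}
        self.additional_logins = additional_logins

    def required_logins(self):
        # the first rescue user plus the configured number of additional ones
        return 1 + self.additional_logins

    def authorize(self, credentials):
        """credentials: list of (name, password) pairs typed at the console.

        With no rescue users defined the guide's default applies: the 'rescue'
        login without a password is sufficient. Otherwise at least
        required_logins() distinct rescue users must authenticate
        (assumption: the same user entered twice counts once).
        """
        if not self.users:
            return any(name == "rescue" for name, _ in credentials)
        authenticated = set()
        for name, password in credentials:
            user = self.users.get(name)
            if user is not None and check_password(user, password):
                authenticated.add(name)
        return len(authenticated) >= self.required_logins()


if __name__ == "__main__":
    # constructed sample: five rescue users, three of which must log in
    users = [make_rescue_user(n, p) for n, p in [
        ("alice", "A-str0ng!pass"), ("bob", "B-str0ng!pass"), ("carol", "C-str0ng!pass"),
        ("dave", "D-str0ng!pass"), ("erin", "E-str0ng!pass")]]
    policy = RescueAuthPolicy(users, additional_logins=2)
    print(policy.authorize([("alice", "A-str0ng!pass"), ("bob", "B-str0ng!pass"),
                            ("carol", "C-str0ng!pass")]))   # True
    print(policy.authorize([("alice", "A-str0ng!pass")] * 3))  # False: one user, not three
```

With five rescue users and Number of Additional Logins set to 2, three distinct users must each present a valid password; repeating one user's credentials, or one failed password among the three, leaves the threshold unmet.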


Image 31: Authentication Settings - Add Rescue User

User name and password are entered in the dialogue that is displayed. The password must conform to the password strength rules as defined in the password strength section of the IDENTIKEY Appliance Product Guide. One or several users can be created in this way. If no users are defined, the default setting is the unauthenticated rescue user ID.

6.4. Navigation and Functionality

Type in the letter referenced in front of a menu option in the Rescue Tool to select the option.

Pressing Esc returns to the previous menu screen; pressing Esc in the main screen exits the Rescue Tool.

The following functions are supported through the menu:

• Reset to factory default
• Reset the sysadmin user
• Reset the access settings to the Configuration Tool
• Change and view network settings
• Reboot or shut down IDENTIKEY Appliance
• Ping an IP address

6.4.1. Resetting IDENTIKEY Appliance

6.4.1.1. Resetting to Factory Default

Warning: The following configurations and data are reset if you select the Reset to Factory Default option:

• Data, including auditing and logging information, are all erased.
• The configuration is reset to factory default settings.
• The IP address is reset to the factory default, so that IDENTIKEY Appliance will need to be re-connected to your network (see Chapter 4. Connecting IDENTIKEY Appliance to your Network for more information), and the first-time Configuration Wizard will need to be repeated.

It is not necessary to return IDENTIKEY Appliance to factory default if a backup is to be restored to the appliance. In this case, the appliance is automatically returned to factory default before the backup is restored. For more information about restoring backups, see Section 10.8. Restoring Backups.

The Rescue Tool is the only means of resetting IDENTIKEY Appliance to factory default settings, and involves the following steps:


Procedure 3: Resetting IDENTIKEY Appliance to factory default

1. Type r to access the reset options.
2. Type f for system configuration reset.
3. Type y (yes) to confirm the system reset.

Reboot automatically follows system reset confirmation, after which the system is reset to factory default.

6.4.1.2. Resetting the Sysadmin User

To reset the sysadmin user, change the password for this user. For more information on how to change the password, refer to Section 5.3. Configuration Wizard.

The user will be prompted for the new password immediately; a new login to the IDENTIKEY Appliance Configuration Tool is not required to change the password. The sysadmin user will be reset with the same result as described in 7.3. Rescuing Default Administrator Users.

6.4.1.3. Resetting the Access Settings to the Configuration Tool

Procedure 4: Resetting the access settings to the Configuration Tool

1. Type r to access the reset options.
2. Type c to reset the access settings.
3. Type y (yes) to confirm the settings reset.

Any IP addresses specified with the Limit Access to Networks setting are cleared, effectively allowing access to the Configuration Tool from any client computer.

6.4.2. Change IP Address

The Rescue Tool can be used to change the IDENTIKEY Appliance IP address. This is an alternative method to the instructions provided in Section 4. Connecting IDENTIKEY Appliance to your Network for first-time configuration, and also an alternative to the manual configuration via the Configuration Tool, which is explained in the IDENTIKEY Appliance Administrator Guide.

Procedure 5: Resetting IDENTIKEY Appliance

1. Type n for the network menu.
2. Type i to set the system IP address and subnet.
3. Enter the new IP address in CIDR format, i.e. IP/netmask; for example, 192.168.5.230 with netmask 255.255.255.0 needs to be entered as 192.168.5.230/24.
4. Press any key to return to the network menu after notification of the successful modification.

The IP address is now modified.
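Both the Network Settings screen (Section 5.3.6) and the Rescue Tool's network menu above expect the address in CIDR form, which means converting a dotted-decimal netmask to a prefix length and noticing when the mask cannot be expressed that way. The following is an added example, not IDENTIKEY Appliance code, using only the Python standard library; the gateway-in-subnet check and the treatment of the DNS fields as "comma-separated suffixes" and "one server per line" are this example's reading of the wizard's instructions, and all addresses used are constructed documentation values.

```python
"""Added example (not IDENTIKEY Appliance code): normalizing the values typed
into the network settings into the CIDR form the appliance expects."""
import ipaddress


def netmask_to_prefix(netmask):
    """Convert a dotted-decimal netmask to a CIDR prefix length.

    Raises ValueError for masks that are not a run of one-bits followed by
    zero-bits (e.g. 255.0.255.0), which no /prefix can express.
    """
    bits = int(ipaddress.IPv4Address(netmask))
    prefix = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return prefix


def is_valid_netmask(netmask):
    try:
        netmask_to_prefix(netmask)
        return True
    except ValueError:
        return False


def to_cidr(address, netmask):
    """Return 'address/prefix', e.g. 192.0.2.230 + 255.255.255.0 -> 192.0.2.230/24."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask_to_prefix(netmask)}")
    net = iface.network
    # A host address must not be the network or broadcast address (skip the
    # check for /31 and /32, which have no distinct broadcast address).
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {net}")
    return str(iface)


def validate_network_settings(address, netmask, gateway, dns_suffixes, dns_servers):
    """Normalize the screen's inputs; raises ValueError on anything malformed.

    dns_suffixes is the comma-separated form field; dns_servers is the
    multi-line field with one IP address per line. The gateway check is an
    added sanity check: a gateway outside the appliance's own subnet is
    unreachable, so the TCP 443 connection to the Customer Portal could
    never be established.
    """
    iface = ipaddress.IPv4Interface(to_cidr(address, netmask))
    settings = {"cidr": str(iface), "gateway": None, "dns_suffixes": [], "dns_servers": []}
    if gateway:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in iface.network:
            raise ValueError(f"gateway {gw} is not inside {iface.network}")
        settings["gateway"] = str(gw)
    settings["dns_suffixes"] = [s.strip() for s in dns_suffixes.split(",") if s.strip()]
    for line in dns_servers.splitlines():
        line = line.strip()
        if line:
            settings["dns_servers"].append(str(ipaddress.IPv4Address(line)))
    return settings


if __name__ == "__main__":
    # constructed sample input (RFC 5737 documentation addresses)
    print(validate_network_settings(
        "192.0.2.230", "255.255.255.0", "192.0.2.1",
        "example.com, corp.example.com", "192.0.2.53\n198.51.100.53\n"))
```

Running it on the guide's own example yields 192.0.2.230/24; a mask such as 255.0.255.0 is rejected rather than silently rounded to a prefix length, and a gateway that is not in the resulting subnet is reported before the settings are applied.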

Note: The default gateway can also be modified in a similar way through the Rescue Tool.


6.4.3. Ping an IP Address or Host Name

You can ping a system in order to test whether it can connect to IDENTIKEY Appliance.

Procedure 6: Pinging an IP Address

1. Type n for the network menu.
2. Type p to enter the Ping menu.
3. Enter the IP address or hostname of the system you want to ping.

The Rescue Tool will then ping the supplied IP address or hostname.


7. System Actions

7.1. Overview

Four system actions are available in the IDENTIKEY Appliance Configuration Tool. These can be accessed through the System Actions menu.

Image 32: IDENTIKEY Appliance System Actions

7.2. Rebooting and Shutting Down

If IDENTIKEY Appliance is shut down incorrectly it can be corrupted. One of the following methods of powering off or rebooting IDENTIKEY Appliance should be used, in the following order of preference:

1. Use the IDENTIKEY Appliance Configuration Tool, System > Actions.
2. Use the Rescue Tool (as explained in Chapter 6. Rescue Tool).
3. Use the ON/OFF switch or RESET button on the device.

Tip: Reboot and shut down buttons are also provided on the IDENTIKEY Appliance Configuration Tool status screen.

7.3. Rescuing Default Administrator Users

Administrator users for both the IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server can be reset in the IDENTIKEY Appliance Configuration Tool.

Procedure 7: Rescuing the IDENTIKEY Appliance Configuration Tool sysadmin user

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Actions.
2. Click the Rescue Sysadmin User button. This automatically enables the sysadmin user and prompts you to enter a new password for the sysadmin user. A new login to the IDENTIKEY Appliance Configuration Tool is not required to change the password. See also Section 6.4.1. Resetting IDENTIKEY Appliance for more information.

It is also possible to rescue the administrative user of the master domain created with the IDENTIKEY Authentication Server Setup Wizard.

Procedure 8: Rescuing the IDENTIKEY Appliance administrative user

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Actions.
2. Click the Rescue IDENTIKEY Admin User button. The IDENTIKEY Appliance Configuration Tool will then request a user name and password to be used for the reset. There are three possible outcomes of this operation:

a. If the user name provided is identical to the one provided when running the IDENTIKEY Authentication Server Setup Wizard, the administrative user will be reset, and you will be prompted to enter a new password.

b. If the user name does not exist on the master domain, then a new DIGIPASS user account will be created with the provided credentials. This user account will have the same access rights as the one created via the IDENTIKEY Authentication Server Setup Wizard.

c. If the user name already exists in the master domain, then the user account that corresponds to that user name will be upgraded to an administrator account. Its password will also be changed to the one you provided.

In addition to these outcomes, the IDENTIKEY Appliance Configuration Tool will also perform the following tasks on the rescued user account:

a. Unlock the user account, if locked.b. Enable the user account, if disabled.c. Unassign any DIGIPASS records assigned to the user account.d. Reset the Local Authentication policy setting to DIGIPASS/Password during Grace Period or DIGIPASS or

Password. This allows authentication with a static password or one-time password.e. Reset the back-end authentication policy setting to None to prevent the use of back-end authentication.


7.4. Reverting to a Previous Version of IDENTIKEY Appliance

If the current version of IDENTIKEY Appliance has been installed through an update, i.e. not a clean install, you can revert to the previously installed version using Revert to a previous version of IDENTIKEY Appliance.

For more information, refer to 9.4. Reverting an Installed Upgrade.


8. Re-Licensing IDENTIKEY Appliance

8.1. Overview

A license file is required to make IDENTIKEY Appliance fully operational. Licensing is the process of identifying an issued instance of IDENTIKEY Appliance to VASCO for the issue of a license file. For information on first-time licensing of IDENTIKEY Appliance, refer to Section 5.4. Licensing Wizard. Re-licensing IDENTIKEY Appliance is required in the following cases:

• When upgrading from an evaluation license to a commercial license (see 8.4.2. Upgrading an Evaluation License to a Commercial License).

• When a new license option or new license type (other than an upgrade from an evaluation license) is purchased (see 8.4.3. Upgrading a Commercial License to Add New License Options).

• With an upgrade to a higher major version of IDENTIKEY Appliance (see 8.4.4. Upgrading a Major Software Version).

• With a change in IP address (see 8.4.1. Changing the IP Address or Restoring a Backup to an IDENTIKEY Appliance).

• When a backup is restored to a different IDENTIKEY Appliance, for example when replacing an instance of IDENTIKEY Appliance (see 8.4.1. Changing the IP Address or Restoring a Backup to an IDENTIKEY Appliance).

• When IDENTIKEY Appliance has been restored to factory default to remove all data and clean the appliance (see 8.4.5. Restoring to Factory Default).

For more information about license types and re-licensing, and the fields which need to be completed, refer to the IDENTIKEY Appliance Product Guide, Section "Licensing".

Note: The Current License screen (see 8.3. Current License Screen) is only displayed if a license has already been uploaded and is operational. Under certain conditions, time restrictions are imposed on licenses; once the time has elapsed, services are stopped and only administration is possible, for example:

• An evaluation license is valid for a limited time of 45 days.
• A grace period of 30 days is imposed, for example when replacing IDENTIKEY Appliance (see 11.1. Installing and Licensing a Replacement IDENTIKEY Appliance).

8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance

A wizard for re-licensing IDENTIKEY Appliance is available in the Configuration Tool. The system automatically detects if re-licensing is required at all.

Procedure 9: Accessing IDENTIKEY Appliance licensing wizard

1. Access and log on to the IDENTIKEY Appliance Configuration Tool.
2. On the status screen, select the link the system displays to initiate the licensing wizard.


You can also access the re-licensing wizard by navigating to System > License in the Configuration Tool.

8.3. Current License Screen

The re-licensing wizard varies slightly from the wizard for licensing IDENTIKEY Appliance for the first time; it includes an additional screen. This additional screen displays the current licensing information. The structure of the re-licensing wizard is the following:

1. Welcome
2. Current License
3. System Information
4. Upload License
5. License Activation
6. License Confirmation

8.4. Re-Licensing Scenarios

8.4.1. Changing the IP Address or Restoring a Backup to an IDENTIKEY Appliance

Warning: Re-licensing is not possible until you have contacted the supplier of your IDENTIKEY Appliance. For information about handling errors, refer to 14.1. Support Procedure.

Procedure 10: Re-licensing for a change of IP address or a backup restored to a different appliance

1. Contact your IDENTIKEY Appliance supplier to release the appliance from its initial license.

2. Launch the Licensing Wizard (see 8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance).

3. Complete the Licensing Wizard for a commercial license (see 5.4. Licensing Wizard).

For more information about setting up a replacement appliance, refer to 11. Replacing an IDENTIKEY Appliance.

8.4.2. Upgrading an Evaluation License to a Commercial License

Procedure 11: Re-licensing when upgrading from an evaluation license to a commercial license

1. Launch the Licensing Wizard (see 8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance).

2. Complete the Licensing Wizard for a commercial license (see 5.4. Licensing Wizard).


8.4.3. Upgrading a Commercial License to Add New License Options

Re-licensing is required if you want to add a new license option or type other than when upgrading from an evaluation license.

Procedure 12: Re-licensing for a new license option or type

1. Open a web browser and go to the VASCO Customer Portal: https://cp.onespan.com/.

2. Follow the instructions on the VASCO Customer Portal to acquire the license file required.

The license file is made available to you via the VASCO Customer Portal on receipt of your purchase order.

3. Launch the Licensing Wizard (see 8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance).

4. Complete the Licensing Wizard.

a. On the Welcome page, click Next.

b. On the Current License page, click Next.

c. On the System Information page, click Next.

It is not necessary to download a system information file for re-licensing a new license option or type.

d. On the Upload License page, browse to and upload the license file (License.dat), which you downloaded from the VASCO Customer Portal before.

e. On the License Activation page, click Next.

f. On the License Confirmation page, click Finish.

8.4.4. Upgrading a Major Software Version

When performing a major software upgrade of IDENTIKEY Appliance, the Update Wizard will indicate whether re-licensing is necessary.

Re-licensing after a major version upgrade follows the same procedure as re-licensing for a new license option or type (see 8.4.3. Upgrading a Commercial License to Add New License Options).

8.4.5. Restoring to Factory Default

Warning: Re-licensing is not possible until you have contacted the supplier of your IDENTIKEY Appliance. For information about handling errors, refer to 14.1. Support Procedure.

Restoring IDENTIKEY Appliance to factory default cleans the system and changes the configuration key. In this case, the installed license is also removed, although it is still bound to the old configuration key in the VASCO back-office.

Procedure 13: Re-licensing after returning an appliance to factory default (without restoring a backup)

1. Contact your IDENTIKEY Appliance supplier to release the appliance license from the old configuration key.

2. Launch the Licensing Wizard (see 8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance).

3. Complete the Licensing Wizard for a commercial license (see 5.4. Licensing Wizard).

Note: Restoring IDENTIKEY Appliance to factory default is not necessary if a backup is to be restored to the appliance. In this case, the appliance is automatically returned to factory default before the backup is restored. For more information about restoring a backup, refer to 11. Replacing an IDENTIKEY Appliance.


9. Updating IDENTIKEY Appliance

9.1. Overview

IDENTIKEY Appliance can be updated using the Configuration Tool. VASCO distributes updates to the products on a regular basis via the updating process. Updates are included in the software maintenance contracts.

Updating is supported by an Update Wizard in the IDENTIKEY Appliance Configuration Tool and can be:

• Off-line, using an update package from the VASCO Customer Portal (see 9.2. Retrieving Offline Update Packages).

• On-line, through a connection to the VASCO Customer Portal. An available update can be downloaded during the Update Wizard.

On completion of the Update Wizard for an on- or off-line update, IDENTIKEY Appliance automatically reboots. During reboot, services are temporarily unavailable. After reboot, the system administrator needs to log on again to the Configuration Tool. The Status screen displays feedback concerning the update status.

If a power failure or other unforeseen event occurs during the update process, a fail-over system reverts IDENTIKEY Appliance to its operational version from the time before the update process was initiated.

9.2. Retrieving Offline Update Packages

Online retrieval is possible and recommended if your instance of IDENTIKEY Appliance is connected to the VASCO Customer Portal. Retrieving an off-line update package is only necessary if your organization does not permit a connection between your instance of IDENTIKEY Appliance and the VASCO Customer Portal.

Procedure 14: Retrieving an update package for offline updating

1. Open a web browser and go to the VASCO Customer Portal: https://cp.onespan.com/. Enter the maintenance reference and serial number provided by VASCO for your IDENTIKEY Appliance and click Sign in.


Image 33: VASCO Customer Portal

2. In the VASCO Customer Portal, navigate to the Downloads menu, and select the required download package for your product.

Image 34: VASCO Customer Portal Retrieving and Downloading Update Packages

3. Select the required .iso file to download the selected package for your product, and click Save File in the following dialog.

9.3. Using the Update Wizard

The Update Wizard consists of a number of pages where you enter information that is required to update IDENTIKEY Appliance:

1. Welcome
2. Select Update
3. Available Updates (on-line process only)
4. Download Update (on-line process only)
5. Verify Update
6. Install Update

Warning: To cancel the update and leave the wizard at any time before the Install page, click Cancel.

9.3.1. Select Update

If your instance of IDENTIKEY Appliance is connected to the VASCO Customer Portal, select VASCO Customer Portal in the Select Update page to request a list of any available updates. The wizard continues to the Available Updates page (in the on-line process only); see Section 9.3.2. Available Updates (On-Line Process Only) for more information. If your instance of IDENTIKEY Appliance is not connected to the VASCO Customer Portal, you will need to download an update package from the VASCO Customer Portal. Refer to Section 9.2. Retrieving Offline Update Packages for instructions on how to retrieve the necessary package.

If you have already downloaded an update package for off-line updating, which is now stored on your computer, click Saved Update and browse to the update. The wizard takes you directly to the Verify Update page (see 9.3.3. Verify Update and Install Update).

9.3.2. Available Updates (On-Line Process Only)

On this page, the wizard displays the retrieval steps and lists any updates that are available from the VASCO Customer Portal. Select the link of the required update to download it. The wizard displays the Download Update page where the download steps are reported. Click Next to continue.

9.3.3. Verify Update and Install Update

On the Verify Update page, the wizard displays the steps taken to verify the selected update package. Once the package has been successfully verified, a change log for the selected update is displayed. Click Next to initiate the installation of this update and the reboot of IDENTIKEY Appliance.

Note: Services are temporarily unavailable while IDENTIKEY Appliance reboots.

When you cancel the update process, the Update Wizard will be closed.

The Install Update page displays the progress of the installation steps. IDENTIKEY Appliance will be automatically rebooted after installation is completed; log back on to the IDENTIKEY Appliance Configuration Tool after reboot, and view the installation feedback on the Status screen.


9.4. Reverting an Installed Upgrade

If you encounter problems with IDENTIKEY Appliance after upgrading to a new version, you can revert the IDENTIKEY Appliance operating system to the previous version.

9.4.1. Before You Begin

Warning: If you revert to a previous version you will lose all configuration modifications since the upgrade, including:

• IDENTIKEY Authentication Server configuration, e.g. newly created users or DIGIPASS assignments
• System configuration like monitoring settings or LDAP user synchronization

Additionally, depending on the specific upgrade, other data acquired since the upgrade may be removed, including:

• Audit database records
• System statistics

It is recommended to contact VASCO support to address your problem before reverting an upgrade.

9.4.2. Reverting an Installed Upgrade

Procedure 15: Reverting an Installed Upgrade

1. In the IDENTIKEY Appliance Configuration Tool, select System > Actions.

2. Click Revert to a previous version of IDENTIKEY Appliance.

The Revert Upgrade Wizard appears, showing the previously installed operating system and the date and time the current update was installed. The latter is important because all configuration since that moment will be lost.


Image 35: Revert Upgrade Wizard – Previous Version

3. Click Finish to revert to the original version.

The IDENTIKEY Appliance will reboot and revert to the previous version.

9.4.3. Additional Considerations

Reverting to a previous version is only available if the current version has been installed using an upgrade, i.e. not after a clean install.


10. Backing Up and Restoring IDENTIKEY Appliance

10.1. Overview

You can configure the Backup and Restore functionality and the feedback provided in the IDENTIKEY Appliance Configuration Tool.

10.2. Backing Up IDENTIKEY Appliance

The Backup function allows administrators to save a copy of the IDENTIKEY Appliance database configuration settings and data. All backups are encrypted by default, but an additional passphrase can be used (see 10.4. Configuring Custom Encryption for Backup Files).

Backup can be performed:

• Manually. Using a link in the IDENTIKEY Appliance Configuration Tool to create a backup at any time (see 10.5. Performing Manual Backups).

• Automatically. The backup is pushed from IDENTIKEY Appliance and is scheduled for specific times (see 10.6. Configuring Automatic Backups).

• Scripted. Another server pulls the backup from IDENTIKEY Appliance (see 10.7. Configuring Scripted Backups).

Note: When copying, migrating, or backing up encrypted database files, ensure that the encryption key (and/or the optional password key) is also backed up. Otherwise, you will not be able to read the data, as it will be encrypted.

10.3. Restoring IDENTIKEY Appliance

The Restore function is a manual process; it allows administrators to upload configuration settings and data, which have been backed up from another or the same instance of IDENTIKEY Appliance, to the appliance's internal database. If restored to the same appliance, for instance following a configuration error or loss of data, the settings simply overwrite those currently stored in the appliance, without the need for re-licensing IDENTIKEY Appliance.

For more information, refer to the IDENTIKEY Appliance Product Guide, Section "Backup and Restore".


10.4. Configuring Custom Encryption for Backup Files

Manual, automatic, and scripted backups are all encrypted by default. You can configure an additional passphrase for custom encryption.

Warning: If you configure a custom encryption passphrase, you will need to enter the passphrase to upload a backup. Store the passphrase separately from the backup files; without it, the backups cannot be restored.

Procedure 16: Configuring an additional passphrase for custom encryption

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore.
2. Select the Use Custom Encryption Pass Phrase check box.
3. Click Change next to Custom Encryption Pass Phrase.
4. Enter and confirm a passphrase.
5. Click Save.

After configuration, custom encryption will be applied to manual, automatic, and scripted backups of IDENTIKEY Appliance.

10.5. Performing Manual Backups

Procedure 17: Performing a manual backup

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore.

2. Click Create backup.

Usually, the web browser will display a dialog to specify the backup file destination.


Image 36: Backup and Restore – Creating Manual Backups

3. Specify the destination for the backup file.

The backup is created.

10.6. Configuring Automatic Backups

Procedure 18: Configuring an automatic backup

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore.

2. (OPTIONAL) Select Use Custom Encryption Pass Phrase and type a pass phrase twice to prevent typing errors.

3. Select the respective protocol option to use for automatic backups:


• Enable SFTP Backup

When using Secure File Transfer Protocol (SFTP), the SFTP server presents its public host key when the connection is set up; IDENTIKEY Appliance compares the fingerprint (a hash) of that key with the fingerprint configured here to ensure that the SFTP connection is with the correct server. The connection is only established if the fingerprint matches.

a. Specify the fingerprint settings.

• Copy and paste the fingerprint to the SSH Server RSA Fingerprint field; the fingerprint must be that of the server's RSA host key, for example as printed by ssh-keygen -l on the SFTP server itself.

-OR-

• Type the SFTP server, SFTP directory and authentication settings, and click Fetch Fingerprint to automatically retrieve the fingerprint. A fetched fingerprint is trusted on first use, so compare it with the fingerprint obtained directly on the SFTP server before saving; otherwise a host impersonating the server at that moment would be accepted.

b. Click download Public key to retrieve the IDENTIKEY Appliance public key and install it on the SFTP server (for OpenSSH, in the backup user's authorized_keys file).

For more information, refer to the documentation of your SFTP server.

• Enable FTP Backup

Specify the FTP server settings. FTP sends the credentials and the backup file without transport encryption; the backup file itself is encrypted, but the FTP credentials are not, so prefer SFTP where the backup server supports it.

Image 37: Backup and Restore - Configuring Automatic Backups (FTP/SFTP Settings)

For more information about the SFTP and FTP protocol fields, refer to the IDENTIKEY Appliance Administrator Reference.

4. Click Test Settings to test the configuration.


5. Click the Schedule list to specify backup scheduling.

Image 38: Backup and Restore - Configuring Automatic Backups (Schedule Settings)

6. Click Save to apply the configuration.

The backup will be performed according to the configured schedule.
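The host-key check in step 3 is only as strong as the value that ends up in the SSH Server RSA Fingerprint field. On an OpenSSH server the authoritative value comes from ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub (or ssh-keygen -l -f ... for the SHA256 form), run on the server itself rather than over the network. The following Python script is an added example, not part of this guide or of IDENTIKEY Appliance: it parses an OpenSSH public key line such as the contents of that file, computes the fingerprint in both formats ssh-keygen prints, rejects a key that is not RSA, and compares a fingerprint you were given with the key a server actually presents in constant time, so it can be used to cross-check a value returned by Fetch Fingerprint. The key material in the sample is constructed inside the script for illustration and is not a real host key; the guide does not state whether the field expects the MD5 or the SHA256 form, so both are produced.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Assemble an OpenSSH 'ssh-rsa <base64 blob> [comment]' line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_public_key_line(line: str) -> bytes:
    """Return the raw key blob of an OpenSSH public key line.

    The type inside the blob must match the declared type, and only RSA keys are
    accepted because the appliance field takes the fingerprint of the RSA host key.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    declared, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii")
    if inner_type != declared:
        raise ValueError(f"key blob type {inner_type!r} does not match {declared!r}")
    if declared != "ssh-rsa":
        raise ValueError(f"not an RSA host key: {declared}")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format printed by 'ssh-keygen -l -E md5'."""
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Unpadded-base64 SHA256 fingerprint, the default format of 'ssh-keygen -l'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize_fingerprint(text: str) -> str:
    """Accept the fingerprint with or without its 'MD5:'/'SHA256:' label and in any case."""
    text = text.strip()
    upper = text.upper()
    if upper.startswith("SHA256:"):
        return "SHA256:" + text[7:].rstrip("=")
    if upper.startswith("MD5:"):
        text = text[4:]
    return "MD5:" + text.lower()


def fingerprint_matches(expected: str, presented_blob: bytes) -> bool:
    """Compare the configured fingerprint with the key the server actually presented."""
    expected = normalize_fingerprint(expected)
    if expected.startswith("SHA256:"):
        actual = fingerprint_sha256(presented_blob)
    else:
        actual = fingerprint_md5(presented_blob)
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


# Constructed sample key material for this example only: e and n are made up and
# n is not a real RSA modulus.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) + 0x2A3B4C5D6E7F
SAMPLE_RSA_LINE = build_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "root@sftp-backup")
# A non-RSA key line, constructed the same way; the appliance field does not accept it.
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode("ascii")


if __name__ == "__main__":
    blob = parse_public_key_line(SAMPLE_RSA_LINE)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    # The value pasted into the appliance must match what the server presents.
    print(fingerprint_matches(fingerprint_md5(blob), blob))
```

To use it with the real key, run it on the SFTP server with SAMPLE_RSA_LINE replaced by the contents of /etc/ssh/ssh_host_rsa_key.pub, and paste the line it prints into the appliance only if it equals what Fetch Fingerprint returned.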

10.7. Configuring Scripted Backups

You can write your own backup script/tool to request a backup from IDENTIKEY Appliance. The URL to access the IDENTIKEY Appliance backup is:

https://<ip_address>/system/backup/download

Procedure 19: Configuring a scripted backup

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore.

2. Select Scripted Backups > Enabled.

3. Specify the user credentials as specified in the System Backup tab:

a. Username
b. Password
c. Allowed Networks. Required to pull a backup from the IDENTIKEY Appliance using a customized script. Restrict the list to the network of the host that runs the script.

Image 39: Backup and Restore - Configuring Scripted Backups

4. Click Test Settings to test the configuration.

5. Click Save to apply the configuration.

Note: The user name and password for a script to authenticate to IDENTIKEY Appliance and download a backup can be freely chosen and defined in the System Backup tab. These credentials are not associated with a user account in the IDENTIKEY Authentication Server Administration Web Interface. They are static credentials that allow a copy of the appliance configuration and data to be downloaded, so choose a long random password and store it only in the protected configuration of the host that pulls the backups.
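As an added example that is not part of this guide or of the appliance, the following Python script pulls a backup from the URL above the way a scheduled job on a host inside the Allowed Networks would. It assumes that the download URL accepts HTTP Basic authentication with the scripted-backup user name and password (the guide does not state the authentication mechanism), that the CA certificate signing the Configuration Tool's HTTPS certificate has been exported to a file so the TLS connection can be verified instead of disabling verification, and that the password is supplied through an environment variable rather than stored in the script. The file is written with owner-only permissions, never overwrites an existing backup, and a SHA-256 checksum is recorded next to it so that truncation or tampering is detected before a restore is attempted. The appliance address, CA path, destination directory and backup file name are placeholders chosen for the example.

```python
import base64
import hashlib
import os
import ssl
import sys
import time
import urllib.request
from pathlib import Path
from typing import Optional, Tuple

# Placeholders (constructed for this example): appliance address, CA certificate
# exported from the appliance, and the directory that receives the backups. The
# certificate must cover the address used here, or TLS verification fails.
BACKUP_URL = "https://192.0.2.10/system/backup/download"
APPLIANCE_CA = "/etc/pki/identikey-appliance-ca.pem"
BACKUP_DIR = "/var/backups/identikey"


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """GET request carrying the scripted-backup credentials.

    HTTP Basic authentication is an assumption; the guide only says the user name
    and password are freely chosen in the System Backup tab.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    request = urllib.request.Request(url, method="GET")
    request.add_header("Authorization", "Basic " + token)
    return request


def tls_context(ca_path: str) -> ssl.SSLContext:
    """Trust only the appliance CA; never fall back to an unverified connection."""
    context = ssl.create_default_context(cafile=ca_path)
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def store_backup(data: bytes, dest_dir: str, stamp: Optional[str] = None) -> Tuple[Path, str]:
    """Write the backup with owner-only permissions plus a SHA-256 sidecar file.

    Returns the backup path and its hex digest. O_EXCL makes sure an existing
    file is never silently overwritten.
    """
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    path = dest / f"identikey-backup-{stamp}.bak"  # file name chosen for this example
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    digest = hashlib.sha256(data).hexdigest()
    path.with_name(path.name + ".sha256").write_text(f"{digest}  {path.name}\n")
    return path, digest


def verify_backup(path: Path) -> bool:
    """Recompute the digest and compare it with the sidecar written by store_backup."""
    recorded = path.with_name(path.name + ".sha256").read_text().split()[0]
    actual = hashlib.sha256(path.read_bytes()).hexdigest()
    return recorded == actual


def pull_backup(url: str, username: str, password: str, ca_path: str,
                dest_dir: str, timeout: int = 900) -> Tuple[Path, str]:
    """Download one backup and store it; raises on any HTTP or TLS failure."""
    request = build_request(url, username, password)
    with urllib.request.urlopen(request, timeout=timeout, context=tls_context(ca_path)) as response:
        if response.status != 200:
            raise RuntimeError(f"unexpected HTTP status {response.status}")
        data = response.read()
    if not data:
        raise RuntimeError("appliance returned an empty backup")
    return store_backup(data, dest_dir)


if __name__ == "__main__":
    # Credentials come from the environment so they are neither stored in the
    # script nor visible in the process list.
    user = os.environ.get("IDK_BACKUP_USER")
    secret = os.environ.get("IDK_BACKUP_PASSWORD")
    if not user or not secret:
        sys.exit("set IDK_BACKUP_USER and IDK_BACKUP_PASSWORD")
    saved, sha = pull_backup(BACKUP_URL, user, secret, APPLIANCE_CA, BACKUP_DIR)
    print(f"saved {saved} sha256={sha}")
```

Run it from cron on a host in the Allowed Networks and keep the .sha256 sidecar with the backup; a restore should only be attempted with a file for which verify_backup still returns True.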


10.8. Restoring Backups

10.8.1. Before You Begin

Warning:
1. Restoring a backup file overwrites previous configuration settings and data.
2. When restoring a backup from another IDENTIKEY Appliance, re-licensing is required (see 8. Re-Licensing IDENTIKEY Appliance).
3. If you have configured a custom encryption passphrase, you will need to type the passphrase in the Restore Wizard.

10.8.2. Restoring A Backup

Procedure 20: Restoring a backup

1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore.

2. Click Restore a backup.

The Restore Wizard appears.

3. Specify the backup file and, if required, the backup passphrase.

The passphrase is required, if custom encryption has been used for backup.

The backup file is uploaded and validated. If the file is not a valid backup file, a respective message is displayed and the restore is canceled.

4. Verify the backup summary on the Info page.

5. Click Finish to restore the backup.

While the backup is restored, the IDENTIKEY Appliance will be unavailable for approximately 10 minutes.

6. (OPTIONAL) After restore, log on to the IDENTIKEY Appliance Configuration Tool and review the restore status feedback in the Status tab.


Image 40: Backup and Restore - Restoring and Rebooting

10.8.3. Additional Considerations

To restore a backup on a replacement IDENTIKEY Appliance, follow the procedure for a regular replacement (see 11. Replacing an IDENTIKEY Appliance).


11. Replacing an IDENTIKEY Appliance

IDENTIKEY Appliance can be easily replaced in the event of hardware failure, by restoring a backup from an old appliance to a new one.

If the replacement appliance is running an older product version than the version running on the appliance to be replaced, the replacement appliance must be upgraded before a backup can be restored (see 11.2. Upgrading a Replacement IDENTIKEY Appliance).

Warning: The replacement appliance should run the same product version as the appliance being replaced. Upgrade paths for all features may not be supported when restoring a backup to a more recent version. If in doubt, contact the supplier of your IDENTIKEY Appliance.

The RAID option (for IDENTIKEY Appliance AG-7XXX models only) provides (hot swappable) hard disk redundancy,supporting full services even when a hard disk fails (see 12. RAID).

11.1. Installing and Licensing a Replacement IDENTIKEY Appliance

Procedure 21: Installing and licensing a replacement IDENTIKEY Appliance

1. Connect the replacement appliance to your network (see 4. Connecting IDENTIKEY Appliance to your Network).

2. Open the IDENTIKEY Appliance Configuration Tool (see 5.2. Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool).

3. Complete the Configuration Wizard (see 5.3. Configuration Wizard).

The Configuration Wizard offers you a link to restore a backup. This enables you to proceed with the backup without having to complete the wizard.

4. Restore the backup from the IDENTIKEY Appliance to be replaced (see 10.8. Restoring Backups).

The license from your previous IDENTIKEY Appliance remains valid for a grace period of 30 days. You need to re-license the replacement appliance within that grace period (see 8.4.1. Changing the IP Address or Restoring a Backup to an IDENTIKEY Appliance).

Tip: After restoring a backup to a replacement appliance there is a grace period of 30 days during which all services are available. When the grace period expires, the IDENTIKEY Authentication Server Administration Web Interface and the IDENTIKEY Appliance Configuration Tool are still accessible for administration and management purposes, but no services are available.


11.2. Upgrading a Replacement IDENTIKEY Appliance

Procedure 22: Upgrading a replacement IDENTIKEY Appliance

1. Connect the replacement IDENTIKEY Appliance to your network (see 4. Connecting IDENTIKEY Appliance to your Network).

2. Open the IDENTIKEY Appliance Configuration Tool (see 5.2. Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool).

3. Complete the Configuration Wizard (see 5.3. Configuration Wizard).

Completing the License Wizard is not required.

4. Upgrade the IDENTIKEY Appliance (see 9. Updating IDENTIKEY Appliance).


12. RAID

Note: The information in this section does not apply to IDENTIKEY Virtual Appliance!

The RAID option (for IDENTIKEY Appliance AG-7XXX models only) provides redundancy between two (hot swappable) disks, supporting full services even when a disk fails or is being replaced. The two disks are continuously synchronized (also known as RAID mirroring). If one disk fails, all information is still present on the other one. Mirroring protects against disk failure only, not against deleted or corrupted data or a failed upgrade, so it does not replace the backups described in 10. Backing Up and Restoring IDENTIKEY Appliance.

The two disks are housed in two out of three available slots. The RAID is configured using a wizard, available via the IDENTIKEY Appliance Configuration Tool whenever an action is required.

For more information about the RAID option, refer to the IDENTIKEY Appliance Product Guide.

12.1. Maintaining RAID

Procedure 23: Maintaining RAID using the RAID Maintenance Wizard

1. Launch the IDENTIKEY Appliance Configuration Tool.

2. If there is a status message indicating the RAID configuration requires action, click Launch the RAID Maintenance Wizard.

Image 41: Launching the RAID Maintenance Wizard


The RAID Maintenance Wizard appears.

3. Verify the RAID status on the RAID Maintenance Status and Actions page and select the appropriate action in the Possible Actions list.

• Insert. A new disk needs to be physically inserted into an available slot in the IDENTIKEY Appliance AG-7XXX. (Note that inserting is not the same as adding the disk to the RAID configuration for synchronization).

• Add. A new disk already inserted into a slot in the IDENTIKEY Appliance AG-7XXX will be added by the IDENTIKEY Appliance to the RAID configuration for synchronization.

• Replace. The synchronization of a disk to the RAID configuration will be stopped by the IDENTIKEY Appliance. The disk needs to be physically removed from the respective slot in the IDENTIKEY Appliance AG-7XXX and a new disk needs to be physically inserted. Afterwards, the wizard will offer to add the new disk to the RAID configuration for synchronization. A removed disk still holds a copy of all appliance data, so wipe or destroy it before it leaves your control.

• Re-add. This option is only offered for a disk which is physically present and recognized as having been previously synced, but which is not currently added for synchronization and therefore considered as faulty. A present disk which is not synchronized might have been physically removed and reinserted while the system was running to mimic hardware failure and test fail-over. Re-add can then be used to add the disk to the RAID configuration for synchronization again.


Image 42: RAID Maintenance Status and Actions - Replacing Hard Disk

4. Follow the further instructions in the wizard, which vary according to the configuration status and the selected action.

Example: Replacement requires the following steps:

a. Select Replace in the RAID Maintenance Status and Actions page.

b. Replace the hard disk (physically).

The wizard returns to the RAID Maintenance Status and Actions page and offers the Add action.

c. Select Add for the replacement disk to be added to the RAID configuration for synchronization.

After completing the wizard, the RAID configuration will be repaired. The status message and the link to launch the wizard will no longer be displayed in the IDENTIKEY Appliance Configuration Tool.


13. Hardware Security Module

A Hardware Security Module (HSM) may be integrated with IDENTIKEY Appliance to provide an extra layer of security to data storage.

13.1. Supported Hardware Security Modules

IDENTIKEY Appliance supports the following Hardware Security Module models:

• SafeNet ProtectServer External 2

• SafeNet ProtectServer Internal Express

On SUSE Linux Enterprise Server 12, only SafeNet ProtectServer Gold, SafeNet ProtectServer Orange and SafeNet ProtectServer Internal Express are supported.

If you plan to integrate IDENTIKEY Appliance with a supported Hardware Security Module, this HSM must be installed and functioning correctly prior to IDENTIKEY Appliance installation.

13.2. SafeNet HSMs

In order to set up SafeNet HSMs to work with IDENTIKEY Appliance, you need to set up the following components:

Software

The following software must be installed on the HSM:

• Version 2.07 or higher of the SafeNet ProtectServer firmware

Administrator Account

The setup process requires administration privileges in at least one administration token and one user token on the Hardware Security Module.

Functionality Module (FM)

Setting up a SafeNet HSM involves copying the VACMAN Controller functionality module file—aal2sdk—to the machine which will be used for HSM administration. The VACMAN Controller functionality module file may be unsigned or signed, depending on your requirements. VASCO provides both a signed and an unsigned VACMAN Controller functionality module (see 13.2.2. Installing a SafeNet Hardware Security Module).

13.2.1. Limitations in the usage of HSMs

• IDENTIKEY Appliance only supports network Hardware Security Modules.

13.2.2. Installing a SafeNet Hardware Security Module

There are two options for setting up a functionality module:

• Unsigned Functionality Module. Copy the unsigned VACMAN Controller functionality module file—aal2sdk—to the machine on which HSM administration will take place. You will have to generate your own self-signed certificate to sign the module before uploading the signed module into the HSM.

• Signed Functionality Module. Copy the signed VACMAN Controller functionality module file—aal2sdk.signed—to the machine on which HSM administration will take place. The corresponding VASCO code signing certificate (vascosigningcert.crt) is required to upload this signed module.

The functionality modules are located on the IDENTIKEY Appliance product CD in the following folders:

• Add-on software and tools/Software/HSM-SAFNET/PSI-E (used for SafeNet ProtectServer)

• Add-on software and tools/Software/HSM-SAFENET/PSI-E2 (used for SafeNet ProtectServer 2)

Before installing a functionality module, install the Hardware Security Module with the required drivers and libraries and restart the machine.

The following procedure applies only if you want to sign (and install) an unsigned VACMAN Controller functionality module with your own self-signed certificate.

Note: To sign an unsigned VACMAN Controller functionality module with your own self-signed certificate, you need the mkfm tool, which is included in the Protect Processing Orange Software Development Kit v3.00.

Procedure 24: Installing an unsigned VACMAN Controller Functionality Module

1. Open a terminal.

2. Run the following command to generate an SSL certificate in the user slot:

ctcert c -s<UserSlotID> -k -z<KeySize> -l<CertificateName>

where:

• <UserSlotID> is the ID of the slot on which the certificate should be generated.

• <KeySize> is the length of private key required (minimum size is 1024).

• <CertificateName> is the name you want to give the certificate.

3. Enter the requested information.

4. Run the following commands to transfer the certificate to the admin slot:

ctcert x -l<CertificateName> -s<UserSlotID> -f<CertExportFileName>

ctcert i -f<CertExportFileName> -s<AdminSlotID> -l<CertificateName>


where:

• <CertificateName> is the name of the certificate that you entered when generating the certificate.

• <UserSlotID> is the ID of the slot in which the certificate was generated.

• <CertExportFileName> is the file name of the certificate.

• <AdminSlotID> is the ID of the administration slot to which the certificate is being copied.

5. Run the following command to mark the certificate as trusted:

ctcert t -l<CertificateName> -s<AdminSlotID>

6. Run the following command to use the trusted certificate to sign the VACMAN Controller functionality module:

mkfm -k"<UserSlotLabel>(<PIN>) <CertificateName>" -faal2sdk -oaal2sdk.fm

where:

• <UserSlotLabel> is the label for the user slot on which the certificate was generated.

• <PIN> is the administrator PIN for the token.

• <CertificateName> is the name of the certificate that you entered when generating the certificate.

7. Run the following command to upload the functionality module to the HSM:

ctconf -b<CertificateName> -jaal2sdk.fm

Warning: Storage and sensitive data keys cannot be created in the admin slot.

The VACMAN Controller VASCO SafeNet HSM packages will contain a signed version of the VACMAN Controller functionality module.

The following procedure applies only if you want to install a VACMAN Controller functionality module already signed by VASCO.

Procedure 25: Install a signed VACMAN Controller Functionality Module

1. Import the VASCO signing certificate into the admin slot.

ctcert i -f <CertExportFileName> -s <AdminSlotID> -l <CertificateName>

where:

• <CertExportFileName> is the VASCO code signing certificate (vascosigningcert.crt).

• <AdminSlotID> is the ID of the administration slot to which the certificate is being copied.

• <CertificateName> is the display name of the certificate to be imported.

2. Type the SO-PIN.


3. Mark the VASCO signing certificate as trusted in the admin slot:

ctcert t -l <CertificateName> -s <AdminSlotID>

4. Type the SO-PIN.

5. Upload the signed module to the HSM:

ctconf -b <CertificateName> -j aal2sdk.signed

6. Type the admin PIN.

13.2.3. Creating SafeNet Storage Data Keys

After installing a SafeNet Hardware Security Module, you will need to create a secret key to use as the IDENTIKEY Appliance storage data key.

Use the SafeNet Key Management Utility to create a sensitive data key. This requires an administrator login to the token. Note the token label and key label used.

When creating a SafeNet storage key, the following key attributes are required:

• double or triple DES

• sensitive enabled

• exportable optional, if key backup in use

• encrypt enabled

• wrap and unwrap enabled

• private optional

• All other options disabled

13.2.4. Creating SafeNet Sensitive Data Keys

After installing a SafeNet Hardware Security Module and creating a SafeNet storage key, you will need to create a sensitive data key.

Use the SafeNet Key Management Utility to create a sensitive data key. This requires an administrator login to the token, and the key can be created in the same or a different slot to the storage key created earlier. Note the token label and key label used.

This key should have the following attributes:

• AES

• 128-bit

• derive

• sensitive

• encrypt enabled

• decrypt enabled


Other attribute settings are optional.

13.2.5. Replicating to Required Slots

If you are using multiple Hardware Security Modules with IDENTIKEY Appliance, the storage and sensitive data keys created must be replicated to the other HSMs. This process must be performed each time a key change occurs and consistency among HSMs is required.

The exact steps for this procedure will depend on attributes specific to your HSM setup. For more information, refer to the ProtectToolkit C Administration Manual, Section "Trust Management" and Section "Token Replication".

The ProtectToolkit C Administration Manual is included in your SafeNet HSM documentation suite, and is typically named ptk_c_administration_manual_rev-c.pdf.

13.3. Secure Auditing with a Hardware Security Module (HSM)

To enable Secure Auditing for a Hardware Security Module (HSM), a master audit key pair must be created on the HSM. This must be done before configuring IDENTIKEY Appliance to use Secure Auditing.

The public key from the master audit key pair must be exported from the HSM to allow its use in verification.


Image 43: Secure Auditing with HSM

IDENTIKEY Appliance will request a signature from the HSM for each epoch, and this will be used as an epoch ID. An epoch key pair will be generated, consisting of an epoch public key and an epoch private key. Each secure audit entry will contain the epoch public key, the epoch ID and a cryptographic signature which relates it to the previous and subsequent entries.

To verify each secure audit entry, the Secure Auditing Verification Tool uses the following:

• The epoch public key

• The epoch ID (supplied on each secure audit line)

• The master audit public key which has been exported to a .pem file.

The entire file will be verified, with a Yes (verification successful) or No (verification unsuccessful) result provided after verification.
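The chaining described above, modelled in Go as an added example. This is not the appliance's or the verification tool's code: the record layout, the SHA-256 digest over previous signature, epoch public key, epoch ID and message, and the use of ECDSA P-256 for the epoch keys are assumptions made for the example, and a software master key stands in for the HSM-resident master audit key. What it does show is why the verifier needs exactly the three inputs listed: the master public key validates each epoch ID, the epoch public key carried on the line validates the entry, and the chained digest ties every line to its predecessor, so altering or removing any line after the fact breaks verification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// AuditEntry models one secure audit line; this layout is an assumption for the
// example, not the appliance's real record format.
type AuditEntry struct {
	EpochPub  []byte // PKIX/DER encoding of the epoch public key
	EpochID   []byte // master audit key signature over the epoch public key
	Message   string
	Signature []byte // epoch private key signature over entryDigest(prev, e)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// entryDigest binds an entry to its epoch and to the previous entry's signature.
func entryDigest(prevSig []byte, e AuditEntry) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{prevSig, e.EpochPub, e.EpochID, []byte(e.Message)}, nil))
	return sum[:]
}

// NewEpoch generates an epoch key pair, has the master key (stand-in for the HSM
// master audit key) sign it to form the epoch ID, and returns an appender that
// signs entries under the epoch key, chained to the previous line.
func NewEpoch(master *ecdsa.PrivateKey) func(log []AuditEntry, msg string) []AuditEntry {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	check(err)
	sum := sha256.Sum256(pubDER)
	epochID, err := ecdsa.SignASN1(rand.Reader, master, sum[:])
	check(err)
	return func(log []AuditEntry, msg string) []AuditEntry {
		var prev []byte
		if len(log) > 0 {
			prev = log[len(log)-1].Signature
		}
		e := AuditEntry{EpochPub: pubDER, EpochID: epochID, Message: msg}
		e.Signature, err = ecdsa.SignASN1(rand.Reader, priv, entryDigest(prev, e))
		check(err)
		return append(log, e)
	}
}

// VerifyLog mirrors the verification tool: only the exported master public key
// (.pem) plus the epoch key and epoch ID carried on each line are needed.
func VerifyLog(masterPEM []byte, log []AuditEntry) error {
	block, _ := pem.Decode(masterPEM)
	if block == nil {
		return fmt.Errorf("no PEM block in master audit public key file")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	master, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("master audit public key is not a valid EC key")
	}
	var prev []byte
	for i, e := range log {
		sum := sha256.Sum256(e.EpochPub)
		if !ecdsa.VerifyASN1(master, sum[:], e.EpochID) {
			return fmt.Errorf("entry %d: epoch ID not signed by master key", i)
		}
		ek, _ := x509.ParsePKIXPublicKey(e.EpochPub)
		epochPub, ok := ek.(*ecdsa.PublicKey)
		if !ok || !ecdsa.VerifyASN1(epochPub, entryDigest(prev, e), e.Signature) {
			return fmt.Errorf("entry %d: entry signature invalid", i)
		}
		prev = e.Signature
	}
	return nil
}

// Demo builds a two-epoch log from constructed lines, verifies it, then alters
// one line and verifies again; the second verification must fail.
func Demo() (cleanErr, tamperedErr error) {
	master, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	der, err := x509.MarshalPKIXPublicKey(&master.PublicKey)
	check(err)
	masterPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	epoch1, epoch2 := NewEpoch(master), NewEpoch(master)
	log := epoch1(nil, "user alice authenticated") // constructed sample lines
	log = epoch1(log, "user bob authenticated")
	log = epoch2(log, "policy updated")
	cleanErr = VerifyLog(masterPEM, log)
	log[1].Message = "user mallory authenticated" // after-the-fact alteration
	return cleanErr, VerifyLog(masterPEM, log)
}
```

Demo returns nil for the untouched log and a non-nil error naming the altered entry afterwards. Because each line commits to the previous signature, an attacker who deletes or rewrites a line would have to re-sign every later line, which requires the epoch private key, and forging a fresh epoch would require the master audit private key that never leaves the HSM.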

13.3.1. Secure Auditing with SafeNet

The ctcert tool provided with SafeNet software is used to apply the required configuration to the HSM for Secure Auditing. Refer to the ProtectToolkit C Administration Guide supplied with the HSM for more details and further options for ctcert.

To enable Secure Auditing on the HSM, the Master Audit keypair must be created. Use ctcert to create the Master Audit Keypair and then export the public certificate from the device.

A Master Audit keypair requires an attributes file. This file contains details of the issuer, subject, and key usage for this certificate. The minimum key usage required is:

keyusage { digitalSignature, nonRepudiation }

The following is an example of the contents of an attributes file.

Example:

    label { MasterAuditCertificate }
    serialnumber { 1234 }
    issuer {
        CN=MasterAudit,
        OU=Identikey,
        O=VASCO,
        C=US
    }
    subject {
        CN=MasterAudit,
        OU=Identikey,
        O=VASCO,
        C=US
    }
    keyusage {
        digitalSignature,
        nonRepudiation,
        keyCertSign
    }

After configuring an attributes file, perform the following steps in order to create a Master Audit keypair certificate for SafeNet:

Procedure 26: Create the Master Audit Keypair certificate

1. Generate the self-signed certificate using the ctcert tool. A sample of the ctcert command is:

ctcert c -t ec -Csecp256r1 -d1825d -k -lMasterAuditKey -s0 -xattributes.txt

where:

• ec means create an Elliptic Curve key.

• -Csecp256r1 means to create the key using this type of elliptic curve.

• 1825d creates a certificate which has a validity period of 1825 days from the date this command is run.

• MasterAuditKey will be the label of the private key created on the HSM device.

• -s0 means create this keypair/certificate on HSM slot 0.

• attributes.txt is the attributes file previously created.

You will be prompted to enter the user pin for the specified slot (i.e. slot 0 in this case).

2. Extract the public certificate from the device and save it to a .pem file:

ctcert x -lMasterAuditCertificate -s0 -faudit_cert.pem

where:

• MasterAuditCertificate is the name of the certificate created in the previous step, from the label field in the sample attributes.txt file.

• -s0 specifies the slot where the certificate is located.

• audit_cert.pem is the PEM file that will contain the public certificate.

Note: Secure Auditing for IDENTIKEY Appliance only supports elliptic curve keys that are NIST P-256 compliant and stored in pkcs12 format.


14. Support

14.1. Support Procedure

If you have problems with or questions about a VASCO product, follow the steps below:

1. Check if your problem has been resolved in the online knowledge base at http://www.vasco.com/support.

2. If you are unable to solve your problem with the Knowledge Base, please contact the company which sold you the VASCO product.

3. If your supplier is unable to solve your query, they will automatically contact the appropriate VASCO expert.

If necessary, VASCO experts can access your IDENTIKEY Appliance remotely to solve any problems. Remote support and access to your IDENTIKEY Appliance are achieved through the VASCO Customer Portal.

14.2. Allowing Remote Support Connections

If necessary, VASCO experts can access your IDENTIKEY Appliance remotely to solve problems. Remote support requires a connection between the VASCO Customer Portal and your IDENTIKEY Appliance.

14.2.1. Before You Begin

A support certificate must be installed before a connection can be established to the VASCO Customer Portal (see 5.6. Activating a Support Certificate).

Note: When the Rescue Tool is running on the console, support is always enabled.

14.2.2. Allowing Remote Support Connections

Procedure 27: Allowing remote support connections

1. Log on to the IDENTIKEY Appliance Configuration Tool.

2. Navigate to System > Support.

3. Select Enable Support.

This enables VASCO support to connect to the appliance to perform maintenance operations as requested.


Image 44: Configuring Support Connections

4. Select a support certificate from the Support Certificate list.

The Support Certificate list contains all support certificates you have previously imported using the Certificate Management tab. For more information, refer to the IDENTIKEY Appliance Administrator Guide.

Image 45: Selecting Support Certificate

5. Select Enable Remote Support.

6. Click Save.


14.2.3. Additional Considerations

Remote support can be enabled without installing a support certificate by providing VASCO support VPN access to your network. This allows direct access to the IDENTIKEY Appliance Configuration Tool.

Index

A

attributes file 82

B

backup and restore
    configuring a scripted backup 67
    configuring an automatic backup 65
    performing a manual backup 64
    restoring a backup 69
    restoring a backup, Caution notice 69

C

cryptographic signature
    Secure Auditing 81
ctcert 77, 81

D

Data Migration Tool 43
DIGIPASS
    instance 13
    Multi-Device Activation 12
    Multi-Device Licensing 12

E

Evaluation License 55

F

functionality module (FM)
    installing a signed HSM module 78
    installing an unsigned HSM module 77
    SafeNet 76

H

Hardware Security Module (HSM) 35, 76-77, 79-80
    functionality module (FM)
        installing a signed HSM module 78
        installing an unsigned HSM module 77
        SafeNet 76
    Secure Auditing 80
        SafeNet 81
    supported models 76

K

keystore 37

L

License File 32
license key 17
licenses
    upgrading 56
licensing 9, 12, 17-18, 27, 29-31, 54-55, 63, 69, 71

M

Master Audit Keypair 82
Master Audit public key 81

P

proxy server 12, 27

R

RAID 73
remote support 84
replacement IDENTIKEY Appliance
    installing 71
    replacing an IDENTIKEY Appliance 72
    replacing an IDENTIKEY Appliance, Caution notice 71
replicating
    SafeNet
        replicating to required slots 80

S

SafeNet 76
    replicating to required slots 80
    Secure Auditing 81
    Sensitive Data Key 79
    Storage Data Key 79
    Token Replication 80
    Trust Management 80
Secure Auditing
    Hardware Security Module 80
    SafeNet 81
Secure File Transfer Protocol (SFTP) 66
Sensitive Data Key
    SafeNet 79
serial number 12-13, 41, 58
signed HSM
    installation 78
Storage Data Key
    SafeNet 79
support certificate 41
    activating 41
    downloading 41

U

unsigned HSM
    installation 77
upgrading licenses 56

V

Verification Tool
    Secure Auditing 81