IDENTIKEY Server Windows Installation Guide 3.1

Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright

Copyright © 2010 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VASCO®, Vacman®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, and ® are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Table of Contents

1 Introduction... 9

1.1 Software Components... 9

1.2 System Requirements... 11

1.3 Available Guides... 13

2 Pre-installation Tasks... 15

2.1 IDENTIKEY Server Component... 15

3 Set Up Data Store for IDENTIKEY Server... 18

3.1 Active Directory... 18

3.2 ODBC Database... 20

3.3 Serial Number and Maintenance ID... 21

4 Start IDENTIKEY Server Installation... 22

5 Install IDENTIKEY Server in Basic Mode – ODBC... 24

5.1 Basic Installation Mode... 24

5.2 Basic Installation... 25

6 Install IDENTIKEY Server in Advanced mode - ODBC... 42

6.1 Advanced Installation... 42

6.2 Set Up a Hardware Security Module... 68

7 Install IDENTIKEY Server - Active Directory... 72

7.1 Active Directory Scenario and Decisions... 72

7.2 Install IDENTIKEY Server for Active Directory... 73

8 Deploy IDENTIKEY Server Administration Web Interface... 104

8.1 Deploy Administration Web Interface on the same machine as IDENTIKEY Server... 104

8.2 Deploy Administration Web Interface on a Dedicated Machine... 113

8.3 Web Administration Setup Tool... 114

9 Post-Installation Tasks... 117

9.1 Licensing... 117

9.2 Backup Strategy... 117

9.3 Audit Settings... 117

9.4 Database Tasks... 118

9.6 Increase Tomcat Memory Allocation (64-bit Only)... 121

10 Install Additional IDENTIKEY Server... 123

10.1 Install IDENTIKEY Server Component... 123

10.2 Configure Additional IDENTIKEY Servers... 123

10.3 Replication... 123

11 Add Components to Installation... 124

12 Repair Installation... 125

13 Uninstall IDENTIKEY Server... 126

13.1 Data Removal... 126

13.2 Ports... 126

14 Extend Data Store Schema... 127

15 Upgrade IDENTIKEY Server... 130

15.1 Upgrade Paths... 130

15.2 System Requirements... 130

15.3 Upgrade IDENTIKEY Server for 32-bit and 64-bit Windows... 130

15.4 Additional Features for IDENTIKEY Server for 64-bit Windows... 135


Illustration Index

Image 1: IDENTIKEY Server Installation Welcome Window...22

Image 2: IDENTIKEY Server Installation Welcome Window...23

Image 3: IDENTIKEY Server Installation - Installation Type Window...25

Image 4: IDENTIKEY Server Installation -License Agreement Window...26

Image 5: IDENTIKEY Server Installation - Select Installation Path Window...27

Image 6: IDENTIKEY Server Installation - Installation Progress Window ...28

Image 7: IDENTIKEY Server Installation - Installation Progress Window...29

Image 8: IDENTIKEY Server Installation - Installation Progress Window - PostgreSQL...30

Image 9: IDENTIKEY Server Configuration Wizard - Start Window...31

Image 10: IDENTIKEY Server Configuration Wizard - IP Address Window...32

Image 11: IDENTIKEY Server Configuration Wizard - First Administrator Window...33

Image 12: IDENTIKEY Server Configuration Wizard - License Window...34

Image 13: IDENTIKEY Server Configuration Wizard - Server Functionality Window...35

Image 14: IDENTIKEY Server Configuration Wizard - Server Certificate Window...36

Image 15: IDENTIKEY Server Configuration Wizard – Deploy Administration Web Interface Window...36

Image 16: IDENTIKEY Server Configuration Wizard - RADIUS Topology Window...37

Image 17: IDENTIKEY Server Configuration Wizard - RADIUS Client Window...38

Image 18: IDENTIKEY Server Configuration Wizard - RADIUS Backend Window...38

Image 19: IDENTIKEY Server Configuration Wizard Summary Window...39

Image 20: IDENTIKEY Server Configuration Wizard - Completion Window...39

Image 21: Import DPX Files Window...40

Image 22: IDENTIKEY Server Installation Complete Window...41

Image 23: IDENTIKEY Server Select Installation Type Window...42

Image 24: IDENTIKEY Server Installation - Data Storage Window...43

Image 25: IDENTIKEY Server Installation – Select Components Window...44

Image 26: IDENTIKEY Server Installation – License Agreement Window...45

Image 27: IDENTIKEY Server Installation – Custom Setup window...46

Image 28: IDENTIKEY Server Installation – Ready to Install IDENTIKEY Server window...47

Image 29: Installing IDENTIKEY Server progress window...48

Image 30: IDENTIKEY Server Setup Wizard Completed window...49

Image 31: IDENTIKEY Server Installation - Select Components window...50

Image 32: IDENTIKEY Server Configuration Wizard - Start Window...51

Image 33: IDENTIKEY Server Configuration Wizard – Hardware Security Module...51


Image 35: IDENTIKEY Server Configuration Wizard – Hardware Security Module Data Encryption Key...53

Image 36: IDENTIKEY Server Configuration Wizard – Select Database Window...53

Image 37: IDENTIKEY Server Configuration Wizard - Database Window...54

Image 38: IDENTIKEY Server Configuration Wizard - User ID/Domain conversion Window...55

Image 39: IDENTIKEY Server Configuration Wizard - Master Domain Window...55

Image 40: IDENTIKEY Server Config IP Address Window...56

Image 41: IDENTIKEY Server First Administrator Window...57

Image 42: IDENTIKEY Server Sensitive Data Encryption Window...57

Image 43: IDENTIKEY Server Custom Data Encryption Window...58

Image 44: IDENTIKEY Server Load Data Encryption Window...59

Image 45: IDENTIKEY Server Configuration Wizard License Window...59

Image 46: IDENTIKEY Server Configuration Wizard Server Functionality Window...60

Image 47: IDENTIKEY Server Configuration Wizard Server Certificate Window...61

Image 48: IDENTIKEY Server Configuration Wizard Server Certificate Password Window...61

Image 49: IDENTIKEY Server SSL Server Certificate Selection...62

Image 50: IDENTIKEY Server Automatic Server Location Support...63

Image 51: IDENTIKEY Server Web Admin Client Window...64

Image 52: IDENTIKEY Server Sample Web Client Window...64

Image 53: IDENTIKEY Server Configuration Wizard Summary Window...65

Image 54: Select Components completed Window...66

Image 55: Installation Completed page...67

Image 56: IDENTIKEY Server Setup - Installation Type window...73

Image 57: IDENTIKEY Server Setup - Data Storage window...74

Image 58: IDENTIKEY Server Setup – Digipass Extension for Active Directory Prerequisites window...75

Image 59: Microsoft .NET license agreement...76

Image 60: IDENTIKEY Server Setup – Digipass Extension for Active Directory Prerequisites window...77

Image 61: IDENTIKEY Server Setup – Digipass Extension for Active Directory Prerequisites installation complete window... 78

Image 62: IDENTIKEY Server Setup - Select Components Window ...79

Image 63: IDENTIKEY Server Setup Wizard Start Page...80

Image 64: IDENTIKEY Server Setup - License Agreement Window...81

Image 65: IDENTIKEY Server Setup - Custom Setup window...82

Image 66: IDENTIKEY Server Setup - Ready to Install IDENTIKEY Server window...83

Image 67: Installing IDENTIKEY Server progress window...84

Image 68: IDENTIKEY Server Setup Wizard finish window...85

Image 69: IDENTIKEY Server Installed – Select Components...86


Image 71: IDENTIKEY Server Configuration Wizard - Active Directory Pre-requisites Window...87

Image 72: IDENTIKEY Server Configuration Wizard – Digipass Configuration Domain Window...88

Image 73: IDENTIKEY Server Configuration Wizard – Active Directory Certificate Authority Window...89

Image 74: IDENTIKEY Server Configuration Wizard – IP Address Window...89

Image 75: IDENTIKEY Server Configuration Wizard – First Administrator Window...90

Image 76: IDENTIKEY Server Configuration Wizard – Sensitive Data Encryption Window...90

Image 77: IDENTIKEY Server Configuration Wizard – Custom Data Encryption Window...91

Image 78: IDENTIKEY Server Configuration Wizard – Load Data Encryption Window...92

Image 79: IDENTIKEY Server Configuration Wizard – License Window...92

Image 80: IDENTIKEY Server Configuration Wizard – Server Functionality Window...93

Image 81: IDENTIKEY Server Configuration Wizard – SSL Server Certificate Window...94

Image 82: IDENTIKEY Server Configuration Wizard – SSL Server Certificate Password Window...94

Image 83: IDENTIKEY Server Configuration Wizard – SSL Server Certificate Selection Window...95

Image 84: IDENTIKEY Server Configuration Wizard - Automatic Server Location Support...95

Image 85: IDENTIKEY Server Configuration Wizard – Web Admin Client Window...97

Image 86: IDENTIKEY Server Configuration Wizard – Sample Web Client Window...97

Image 87: IDENTIKEY Server Configuration Wizard – Domain Service Account Window...98

Image 88: IDENTIKEY Server Configuration Wizard – Summary Window...99

Image 89: Deploying IDENTIKEY Server Web Administration Module Window...99

Image 90: Deploying IDENTIKEY Server Web Administration Module Wizard Results Window...100

Image 91: IDENTIKEY Server Installation Complete Window...101

Image 92: IDENTIKEY Server Installation Custom Setup Window...102

Image 93: Windows Start Menu showing location of Active Directory Users and Computers...103

Image 94: My Computer - Manage...105

Image 95: IDENTIKEY Server Computer Management console...105

Image 96: Apache Tomcat Introduction page...106

Image 97: Apache Tomcat Manager login...107

Image 98: Apache Tomcat Manager...108

Image 99: Apache Tomcat Manager...109

Image 100: Administration Web Interface login...110

Image 101: Apache Tomcat memory pool...111

Image 102: Location of struts.properties file...112

Image 103: IDENTIKEY Server Installation Welcome Window...131

Image 104: IDENTIKEY Server Data Storage Window...132

Image 105: IDENTIKEY Server 3.1 Update Window...133


1 Introduction

This Installation Guide is designed to provide you with the information you will need in order to install IDENTIKEY Server. It will guide you through preparation, installation and post-installation tasks which may be required for your system.

1.1 Software Components

IDENTIKEY Server consists of various components, some necessary and some optional.

1.1.1 Required Components

IDENTIKEY Server

The IDENTIKEY Server is a server component that performs authentication, signature validation, administration and provisioning tasks. It runs as a Windows service.

Data Store

The following data stores are supported:

ODBC – either the embedded PostgreSQL database supplied with IDENTIKEY Server, or your own ODBC database

Active Directory

Web Administration Interface

Allows all IDENTIKEY Server data store administration tasks to be carried out over a web interface.

1.1.2 Optional Components

Embedded Database

An embedded PostgreSQL database is available for use with IDENTIKEY Server.

Note

The embedded PostgreSQL database is NOT available for 64-bit Windows.

Embedded Web Application Server


Virtual DIGIPASS Message Delivery Component

This is a Service that is responsible for delivering One Time Passwords through a text message HTTP gateway to a User’s mobile phone.

DIGIPASS TCL Command-Line Administration

Administration may also be carried out using DIGIPASS TCL Command-Line Administration Utility, which allows interactive command-line and scripted administration of IDENTIKEY Server data.

Audit Viewer

The Audit Viewer is a GUI application that can display and filter audit messages from the IDENTIKEY Server. It can read the data from text files and ODBC databases or receive a live feed from the IDENTIKEY Server.

OTP Request Site

This is a miniature web site that allows a User to request a Virtual DIGIPASS OTP to be sent to their mobile phone.

User Self Management Web Site

This is a miniature web site that allows Users to make appropriate changes to their own DIGIPASS settings, such as PIN changes. This is used in a RADIUS environment, when the normal authentication requests are made using a CHAP-based protocol and therefore PIN changes and other 'self-management' features are not possible.

1.1.3 DIGIPASS Authentication for Windows Logon

DIGIPASS Authentication for Windows Logon is a separate module which integrates VASCO's two-factor authentication into Windows logins. It requires extra licensing to be supported in IDENTIKEY Server. For more information on this module, see the DIGIPASS Authentication for Windows Logon Product Guide.

1.1.4 IDENTIKEY Server SDK

The Software Development Kit allows creation of custom SOAP clients and authentication engines, using the SOAP interface. This is an upgrade add-on to IDENTIKEY Server and will only be available for installation if it has been purchased. It requires a separate installation program.

1.1.5 Data Migration Tool

The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your data from one VASCO product to another. It requires a separate installation.


1.2 System Requirements

1.2.1 Server Component

IDENTIKEY Server requires:

Windows Server 2008 (32-bit or 64-bit) with Service Pack 2 or above

Windows Server 2008 R2 (64-bit only)

Windows Vista (32-bit) with Service Pack 2 or above

Windows XP (32-bit) with Service Pack 3 or above

Windows Server 2003 (32-bit or 64-bit) with Service Pack 2 or above

Windows Server 2003 R2 (32-bit or 64-bit) with Service Pack 2 or above

Windows Small Business Server 2003 with Service Pack 1 or above

Windows Small Business Server 2008 (64-bit only) with Service Pack 2 or above

1.2.2 Administration Web Interface

The Administration Web Interface can be run on the following operating systems:

Windows Server 2008 (32-bit or 64-bit) with Service Pack 2 or above

Windows Server 2008 R2 (64-bit only)

Windows Vista (32-bit) with Service Pack 2 or above

Windows XP (32-bit) with Service Pack 2 or above

Windows 2003 (32-bit or 64-bit) with Service Pack 2 or above

Windows 2003 R2 (32-bit or 64-bit) with Service Pack 2 or above

The Administration Web Interface can be run on any Java web application server running:

Java Runtime Environment version 5.0 or above

Java Server Pages version 2.0 or above

Java Servlets version 2.4 or above

It has been tested primarily on Apache Tomcat 5.5. It is compatible with most common browsers, including:

Internet Explorer 6.0

Internet Explorer 7.0

Mozilla Firefox 2.0

Opera 9.0

Netscape 8.1 (a few cosmetic issues appear with this browser)

1.2.3 Other Components

The Message Delivery Component, Audit Viewer and DIGIPASS TCL Command-Line Administration require:

Windows Server 2003 (32-bit or 64-bit) with Service Pack 2 or above

Windows Server 2003 R2 (32-bit or 64-bit) with Service Pack 2 or above

Windows XP Professional (32-bit) with Service Pack 3 or above

Windows Vista (32-bit) with Service Pack 1 or above

Windows 2008 (32-bit or 64-bit) GUI version with Service Pack 2 or above

The Request OTP and User Self Management Websites require any web server capable of running CGI.

1.2.4 Requirements Specific to Active Directory

DIGIPASS Extension for Active Directory Users and Computers

Active Directory Users and Computers Snap-In

Active Directory set up for SSL

In the following cases, SSL must be available for IDENTIKEY Server components to connect to Active Directory:

IDENTIKEY Server not installed on a Domain Controller.

Administration Interfaces not installed on a Domain Controller.

IDENTIKEY Server and/or Administration Interface(s) on a Domain Controller, but accessing data in another domain.

An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows Certificate Services is available as an optional Windows component.

However, if you do not wish to install a CA, you can select during installation not to use SSL.

Prerequisites

1. If Active Directory is installed on a Windows 2003 machine and it is being managed using a Windows XP machine, you will have to download the Admin Pack from the Microsoft website and install it on the XP machine.

2. If Active Directory is installed on a Windows 2008 machine, and it is being managed using a Windows Vista machine, Vista SP1 must be downloaded from the Microsoft website and installed on the Vista machine. Then the Remote Server Administration Tools package must be downloaded from the Microsoft website and installed and enabled on the Vista machine.


1.2.5 Requirements Specific to ODBC Database

IDENTIKEY Server will support most modern ODBC-compliant relational, transactional databases. It has been tested on the following databases:

Oracle 11g

Microsoft SQL Server 2005 Full Enterprise Edition and Express

DB2 8.1 (32-bit) and 9.1 (64-bit)

Sybase Adaptive Server Anywhere 11.0

PostgreSQL 8.3

Note

Please note that when setting up a DB2 database the page size should be set to at least 8192k. A smaller page size will create an error when IDENTIKEY Server attempts to connect to the database.

1.2.6 Requirements Specific to HSM

SafeNet ProtectServer is the only Hardware Security Module supported by IDENTIKEY Server.

If a Hardware Security Module is to be used with IDENTIKEY Server, the following SafeNet software is required on the machine on which IDENTIKEY Server will be installed:

Network or PCI Access Provider v4.00

ProtectToolKit C Runtime Library v4.00

1.2.7 Language

IDENTIKEY Server is designed to function on any language version of Windows. However, the product has only been comprehensively tested on English language versions of Windows.

1.3 Available Guides

The following IDENTIKEY Server guides are available:

Product Guide

The Product Guide will introduce you to the features and concepts of IDENTIKEY Server and the various options you have for using it.


Getting Started Guide

The Getting Started Guide will lead you through a standard setup and testing of key IDENTIKEY Server features.

Windows Installation Guide

Use this guide when planning and working through an installation of IDENTIKEY Server in a Windows environment.

Linux Installation Guide

Use this guide when planning and working through an installation of IDENTIKEY Server in a Linux environment.

Administrator Reference

In-depth information required for administration of IDENTIKEY Server. This includes references such as data attribute lists, backup and recovery and utility commands.

Performance and Deployment Guide

Contains information on common deployment models and performance statistics.

Help Files

Context-sensitive help accompanies the Administration Web Interface and DIGIPASS Extension for Active Directory Users and Computers.

IDENTIKEY Server SDK Programmers Guide


2 Pre-installation Tasks

This section outlines the preparation that you need to do before installing IDENTIKEY Server.

Please note that to perform pre-installation and installation tasks you must be logged in as Administrator on the system where IDENTIKEY Server is to be installed. The administrator User ID must be a built-in Administrator, not a normal User ID with administrator privileges.

2.1 IDENTIKEY Server Component

The following tasks must be completed before installing the IDENTIKEY Server on a machine.

2.1.1 Data Store Type

Before starting other pre-install tasks, you must decide on the type of data store to be used.

Microsoft Active Directory

Integrate DIGIPASS-related data with Active Directory and Windows user accounts using the Active Directory Users and Computers Snap-In.

Embedded Database

A PostgreSQL database may be installed with IDENTIKEY Server. This can only be used with 32-bit Windows.

Note

If you will be installing IDENTIKEY Server with the embedded PostgreSQL database, you will need to run the installation on the machine itself, rather than via Remote Desktop or another remote connection.

Other ODBC Database

Include DIGIPASS-related data in a new or existing ODBC database. The database may be located on any machine to which the IDENTIKEY Server can connect.

2.1.2 Master Domain

IDENTIKEY Server has the concept of a Master Domain. This domain has special significance in two ways:

It is used as the default domain, when no domain is specified.

Only Administrators in the Master Domain may be assigned the privilege to view data from all domains. Administrators in other domains will only ever be able to view data in their own domain.


The default name for the Master Domain is master. If you prefer to use another name, you will need to enter this name during the Configuration Wizard.

2.1.3 User ID and Domain Name Conversion

The IDENTIKEY Server may be configured to handle User IDs and domain names in a number of ways. It is important that these are set up before data is added to the database. Before installing, decide which settings to use.

Case-sensitivity

The IDENTIKEY Server may be configured to save and retrieve User IDs and domain names in lower case, upper case or with no conversion (data is saved or searched on exactly as entered). The configuration required will depend on your company's requirements and the capabilities of the database used as the data store. See the Encoding and Case-Sensitivity topic in the Administrator Reference for more information.

The case conversion of User IDs and domain names is set using the Configuration Wizard immediately after installation, or by running the IDENTIKEY Server Configuration utility at any time afterwards.

Caution

Changing case conversion after the initial configuration may require modification of all User IDs and domain names in the data store.

Windows name resolution

Enable Windows Name Resolution to allow the IDENTIKEY Server to use Windows functionality to resolve a User ID – as entered during a login – into a User ID and Domain. This feature is recommended if all User accounts correspond to Windows (Active Directory) User accounts. If they do not correspond, the feature will not be suitable. Windows Name Resolution works well with Dynamic User Registration. See the Product Guide for more information.

2.1.4 System Clock

The IDENTIKEY Server requires that:

Your server’s time is set correctly in relation to GMT, and

The time zone and daylight savings indicators are set correctly.


2.1.5 Domain Name Services

If DIGIPASS Authentication for Windows Logon will be in use with the IDENTIKEY Server, you may need a reverse zone implemented, with a PTR record existing for each client Windows machine. This is required for Dynamic Component Registration.

2.1.6 Embedded PostgreSQL Database

2.1.6.1 Local Users Group Permissions

If the local Users group has restricted permissions on the Program Files directory, the installation of the PostgreSQL database may fail. To avoid this problem, two options are available:

Set the required permissions for the local Users group

Create the PostgreSQL service account before installation and set the required permissions for it (it is usually created automatically during installation)

The PostgreSQL service account requires a User ID of dppostgres and password of p!ss&0rd. The permissions required for the Program Files directory are:

Read & Execute

List Folder Contents

Read
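The following PowerShell function is an added example and is not part of the VASCO guide. It reads the ACL of the Program Files directory and reports whether the dppostgres service account, or the local Users group it belongs to, holds the three rights listed above, so that the check can be run before the installer is launched rather than after a failed PostgreSQL installation. Only the account name and the three rights come from the guide; the function name, its parameters and the choice of BUILTIN\Users as the second principal are this example's own assumptions.

```powershell
# Added example, not code from the VASCO guide. Reports the effective rights that the
# dppostgres account (named in the guide) and the local Users group hold on Program Files.

function Test-PostgresProgramFilesAccess {
    param(
        # Principals whose Allow/Deny entries count towards the effective rights:
        # the service account itself and the local Users group it is a member of.
        [string[]]$Principals = @("$env:COMPUTERNAME\dppostgres", 'BUILTIN\Users'),
        [string]$Path = $env:ProgramFiles
    )

    # The three rights the guide requires. "Read & Execute" already contains "Read" and
    # "List Folder Contents" (ReadData), but combining them mirrors the guide's wording.
    $required = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, ListDirectory, Read'

    $allow = 0
    $deny  = 0

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Inherit-only entries apply to children, not to the folder being checked
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # -notcontains on a string array compares case-insensitively ('builtin\users' matches too)
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }

    # An explicit Deny wins over an Allow for the same bits
    $effective = $allow -band (-bnot $deny)
    $missing   = $required -band (-bnot $effective)

    [pscustomobject]@{
        Path      = $Path
        Effective = [System.Security.AccessControl.FileSystemRights]$effective
        Missing   = if ($missing -eq 0) { 'none' } else { [System.Security.AccessControl.FileSystemRights]$missing }
        Ok        = ($missing -eq 0)
    }
}

# Usage: run before starting the IDENTIKEY Server installer
Test-PostgresProgramFilesAccess | Format-List
```

If the result shows missing rights and you have chosen the second option (creating the service account yourself), the standard way to grant the set the guide asks for is icacls with the RX simple right, applied to the folder and its children: `icacls "$env:ProgramFiles" /grant "dppostgres:(OI)(CI)RX"` from an elevated prompt.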

2.1.7 User Self Management Website

If the Self Management website is to be installed on Windows 2008, please note the following:

1. When adding the IIS role, the 'IIS Backwards Compatibility with IIS6' feature must be installed and enabled.

2. The 'CGI' feature must be selected when installing IIS on Windows 2008 to enable the User Admin web sites to function correctly.


3 Set Up Data Store for IDENTIKEY Server

IDENTIKEY Server may use either Microsoft's Active Directory or an ODBC-compliant database as its data store. The data store is selected during installation.

Active Directory

If IDENTIKEY Server will use Active Directory as its data store, the steps in 3.1 Active Directory must be followed before installing IDENTIKEY Server.

ODBC Database

If IDENTIKEY Server will use the embedded PostgreSQL database as its data store, no specific database setup is required before installing IDENTIKEY Server.

If IDENTIKEY Server will use another ODBC database as its data store, then follow the steps in 3.2 ODBC Database before installing IDENTIKEY Server.

3.1 Active Directory

3.1.1 Checklist – Decisions

The following checklist contains the key decisions to make before you start:

Approve the Schema Extensions

If your company has an approval process to go through for extensions to the Active Directory Schema, then go through this process.

Enterprise Root Certificate Server

If a new Certificate Server is required, and your company requires an approval process to be followed to install one, go through this process.

Identify the DIGIPASS Configuration Domain

Either identify an existing Domain or sub-domain into which the DIGIPASS Configuration Container should be added, or plan to create a new one.

Domain Administrator

Select a Domain Administrator account in the DIGIPASS Configuration Domain to use in installing IDENTIKEY Server.

Installation Location


If you are installing with the purpose of going through a basic evaluation process, installing onto a Domain Controller is recommended. This will mean that SSL will not need to be set up in order for the IDENTIKEY Server to function.

3.1.2 Active Directory Setup

Run the addschema command to extend the Active Directory schema:

1. Log into the Schema Master as a member of the Schema Administrators group.

2. Copy dpadadmin.exe from the CD-IMAGE\Software\Windows\X86 or amd64\Utilities\dpadadmin installation directory on the installation CD onto the Schema Master.

3. Open a command prompt in the location to which it was copied.

4. Type:

dpadadmin addschema -v

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.

6. Wait several minutes for the Schema extensions to replicate to all the domains and for the local Domain Controller to update its internal data caches.

3.1.3 SSL Setup

The IDENTIKEY Server can use SSL when communicating with Active Directory. For this to work correctly, an Enterprise root Certificate Authority must exist in the forest. It may be installed on any server in the forest, if the server selected is available to the Domain Controller(s) used by the IDENTIKEY Server.

Alternatively, an option is provided during installation to not use SSL in communications between the IDENTIKEY Server and Active Directory. If LDAP SSL will be disabled, no Certificate Authority is required.

1. If not already available, install Certificate Services on the selected machine. This is a Windows component - you may need access to the original Windows installation files or CD/DVD.

2. Generate the Enterprise root CA certificate.

3. You may need to wait several minutes to allow the Domain Controllers to enrol for Domain Controller certificates.
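As an added example that is not part of the VASCO guide, the PowerShell function below performs the check an administrator would want after step 3: it opens a TLS connection to port 636 on a Domain Controller and lets the platform validate the presented certificate, so it reports ChainValid only when the Domain Controller has enrolled for a certificate and the issuing Enterprise root CA is trusted by the machine running the test (the situation IDENTIKEY Server needs when it is not installed on a Domain Controller). The function name, the dc01.example.local host name and PowerShell 3.0 or later are assumptions of this example.

```powershell
# Added example, not code from the VASCO guide. Checks that a Domain Controller answers
# LDAP over SSL with a certificate that chains to a CA trusted by this machine.

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,   # use the FQDN: it must match the certificate
        [int]$Port = 636,                                            # LDAP over SSL
        [int]$TimeoutMs = 5000
    )

    $result = [ordered]@{
        Server     = $DomainController
        Reachable  = $false
        ChainValid = $false
        Subject    = $null
        Issuer     = $null
        NotAfter   = $null
        Protocol   = $null
        Error      = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout: a DC that has not enrolled for a certificate does not listen on 636
        $async = $client.BeginConnect($DomainController, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "No response on port $Port within $TimeoutMs ms"
        }
        $client.EndConnect($async)
        $result.Reachable = $true

        # No custom validation callback: the chain must end in a CA this machine trusts, which for a
        # domain member is the Enterprise root CA certificate published to the forest.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($DomainController)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.ChainValid = $true
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.NotAfter   = $cert.NotAfter
        $result.Protocol   = $ssl.SslProtocol
    }
    catch {
        # Socket errors (nothing listening), untrusted or expired certificates and
        # name mismatches all end up here with the underlying message
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }

    [pscustomobject]$result
}

# Usage (dc01.example.local is a placeholder host name):
# Test-LdapsEndpoint -DomainController dc01.example.local | Format-List
```

Run it from the machine that will host IDENTIKEY Server, not from the Domain Controller itself: the point of the check is that the server doing the LDAP connection trusts the issuer, and a Reachable result with ChainValid still false usually means the Enterprise root CA certificate has not yet reached that machine's trust store.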


3.2 ODBC Database

The following steps must only be followed if IDENTIKEY Server will be using an ODBC database other than the embedded PostgreSQL database as its data store.

If IDENTIKEY Server will be using the embedded database, setup is automatic during installation and configuration.

3.2.1.1 Checklist – Decisions

The following checklist contains the key decisions to make before you start:

Database Location and Setup

A number of decisions may be required for the ODBC database to be used:

The server on which the database will be located.

Will the data for the IDENTIKEY Server be stored in a new database, or added to an existing database?

Will a new schema be used?

New Database

Decide the collation sequence to be used – for example, case-sensitivity.

Database User Accounts

Create or select database user accounts for:

Modifying the database schema (database administrator account required).

IDENTIKEY Server (see the Administrator Reference for details on the permissions required).

3.2.1.2 Modify Database Structure

DPDBADMIN Utility

If the embedded ODBC database is not being used, the addschema command must be run to set up the required schema in the database to be used for IDENTIKEY Server.

Run the addschema command:

1. Copy dpdbadmin.exe from the CD-IMAGE\Software\Windows\X86 or amd64\Utilities\dpdbadmin directory on the installation CD or zip file onto the computer from which the database can be accessed.

2. Create an ODBC Data Source for the database on the computer, if one does not currently exist.

3. Open a command prompt in the location to which it was copied.

4. Enter:


Ensure that the User ID and password used are those of the database administrator account. For further details on DPDBADMIN, see 14 Extend Data Store Schema.

Note

Due to limitations with Microsoft SQL Server 2005 Express Edition on 64-bit operating systems, DSN entries must be registered as user DSN entries, not system DSN entries.
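Whether a DSN was registered as a user or a system entry is not obvious from the ODBC Data Source Administrator alone on a 64-bit machine, where two administrators (32-bit and 64-bit) exist. The PowerShell below is an added example, not part of the VASCO guide: it lists every DSN on the machine from the standard ODBC registry locations with its scope and bitness, and checks that the DSN intended for IDENTIKEY Server is registered the way the note above requires. The function names and the DSN name IDENTIKEY in the usage line are assumptions of this example.

```powershell
# Added example, not code from the VASCO guide. Enumerates ODBC DSNs from the registry
# and verifies the scope (User vs System) of the DSN meant for IDENTIKEY Server.

function Get-OdbcDsnRegistry {
    # User DSNs live under HKCU and are visible to both 32-bit and 64-bit applications;
    # system DSNs are split between the native hive and Wow6432Node (32-bit drivers).
    $native = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit' }
    $locations = @(
        @{ Scope = 'User';   Bitness = '32/64-bit'; Key = 'HKCU:\Software\ODBC\ODBC.INI' },
        @{ Scope = 'System'; Bitness = $native;     Key = 'HKLM:\SOFTWARE\ODBC\ODBC.INI' },
        @{ Scope = 'System'; Bitness = '32-bit';    Key = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI' }
    )

    foreach ($loc in $locations) {
        $indexPath = Join-Path $loc.Key 'ODBC Data Sources'
        if (-not (Test-Path $indexPath)) { continue }

        # Each value under "ODBC Data Sources" maps a DSN name to its driver name
        $index = Get-Item -Path $indexPath
        foreach ($name in $index.GetValueNames()) {
            $dsnPath = Join-Path $loc.Key $name
            $detail  = if (Test-Path $dsnPath) { Get-Item -Path $dsnPath } else { $null }

            [pscustomobject]@{
                Name     = $name
                Driver   = $index.GetValue($name)
                Scope    = $loc.Scope
                Bitness  = $loc.Bitness
                Server   = if ($detail) { $detail.GetValue('Server') }   else { $null }
                Database = if ($detail) { $detail.GetValue('Database') } else { $null }
            }
        }
    }
}

function Test-IdentikeyDsn {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Set this for SQL Server 2005 Express on 64-bit Windows, where the guide
        # requires a user DSN rather than a system DSN
        [switch]$RequireUserDsn
    )
    $found = @(Get-OdbcDsnRegistry | Where-Object { $_.Name -eq $Name })
    $scopes = @($found | ForEach-Object { "$($_.Scope)/$($_.Bitness)" })

    $ok = $found.Count -gt 0
    if ($ok -and $RequireUserDsn) {
        # Every registration of that name must be a user DSN
        $ok = @($found | Where-Object { $_.Scope -ne 'User' }).Count -eq 0
    }

    [pscustomobject]@{
        Name    = $Name
        Found   = ($found.Count -gt 0)
        Scopes  = ($scopes -join ', ')
        Driver  = if ($found.Count -gt 0) { $found[0].Driver } else { $null }
        Ok      = $ok
    }
}

# Usage (IDENTIKEY is a placeholder DSN name):
# Get-OdbcDsnRegistry | Format-Table Name, Scope, Bitness, Driver, Server -AutoSize
# Test-IdentikeyDsn -Name IDENTIKEY -RequireUserDsn
```

Because user DSNs are stored per user, run the check as the account that will run DPDBADMIN and the Configuration Wizard; a DSN created under a different login will not appear in that user's HKCU and the tools will report that the data source does not exist.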

Permissions

If the database user account used by the IDENTIKEY Server is not the owner of the tables and is not a database administrator account, it must be granted permissions for the tables, or ownership of the tables transferred.

Note

Ensure that it is possible for the account(s) mentioned to reference the tables by name without a schema prefix. If this cannot be done, see the Administrator Reference for advanced setup instructions.

3.3 Serial Number and Maintenance ID

You must have a product Serial Number and a company Maintenance ID unless you are installing an evaluation version of IDENTIKEY Server. If these have not been issued to you, contact your VASCO supplier.


4 Start IDENTIKEY Server Installation

The installation program will guide you through installing IDENTIKEY Server and the initial configuration necessary to get it operational. It will launch one or more Windows Installers (MSI) followed by the IDENTIKEY Server Configuration Wizard.

Note

If you are running the installation on Microsoft Windows Vista or Microsoft Windows 2008 core, the windows shown in this guide may look slightly different to those displayed onscreen, but the procedure will be the same.

Image 1: IDENTIKEY Server Installation Welcome Window

1. If autorun is enabled on the installation machine, the installer will start when the CD is inserted. If it does not start automatically, double-click autorun.exe.

The Welcome window will be displayed.

2. Click Install Identikey Server 3.1 to start the installation. The installer's own Welcome window will be displayed.


Image 2: IDENTIKEY Server Installation Welcome Window

3. Click Next to continue.

The three subsequent chapters cover the three types of installation scenario. Choose the instructions to follow depending on which type of installation you wish to perform:

Basic installation, using the embedded PostgreSQL database as data store – see 5 Install IDENTIKEY Server in Basic Mode – ODBC

Advanced installation, using an ODBC-compliant database as data store – see 6 Install IDENTIKEY Server in Advanced mode - ODBC

Advanced installation, using Active Directory as data store – see 7 Install IDENTIKEY Server - Active Directory


5 Install IDENTIKEY Server in Basic Mode – ODBC

There are two installation modes available - Basic and Advanced. If you do not wish to use default installation and configuration settings, follow the instructions in 6 Install IDENTIKEY Server in Advanced mode - ODBC .

5.1 Basic Installation Mode

Basic Installation will install the following:

IDENTIKEY Server
PostgreSQL database
Administration Web Interface
Apache Tomcat
Java JRE
Message Delivery Component (MDC)
Audit Viewer

After the IDENTIKEY Server has been installed the Configuration Wizard will be started up in Basic mode, which means that there will be limited configuration choices, with many settings set to default values.

Note

Only the embedded PostgreSQL database is available in Basic Installation mode. Basic Installation is NOT available on 64-bit Windows.


5.2 Basic Installation

1. The Installation Type window will be displayed.

Image 3: IDENTIKEY Server Installation - Installation Type Window

2. Click Perform a basic installation.

3. Click Next.


Image 4: IDENTIKEY Server Installation -License Agreement Window

4. Read the agreement carefully.

5. To accept the License Agreement, check the box I accept the terms in the License Agreement and click Next.

If you do not accept the License Agreement and click Cancel, the install will terminate.

The Select Installation Path window will be displayed.


Image 5: IDENTIKEY Server Installation - Select Installation Path Window

6. If you want to install the IDENTIKEY Server somewhere other than the default location, use the browse button to indicate where.

7. Click Next to continue.


Image 6: IDENTIKEY Server Installation - Installation Progress Window

8. Click on Install.


Image 7: IDENTIKEY Server Installation - Installation Progress Window

The Installer will install each component in turn, checking each one off on the Installation Progress window as it goes.


Image 8: IDENTIKEY Server Installation - Installation Progress Window - PostgreSQL

When the Installer gets to the Run configuration Wizard step, the IDENTIKEY Server Configuration Wizard will be started automatically. The Installer runs a contracted version of the wizard, which uses default values for some settings.


Image 9: IDENTIKEY Server Configuration Wizard - Start Window

9. Click Next to continue.


Image 10: IDENTIKEY Server Configuration Wizard - IP Address Window

10. Enter the IP address for the IDENTIKEY Server.

11. Click Next.


Image 11: IDENTIKEY Server Configuration Wizard - First Administrator Window

12. Enter a User ID and Password for the first administrator account, confirm the password and click Next. This account has a full set of administrative privileges, so choose a strong password and do not share it. The License Key window will be displayed. Use this page to load the license for IDENTIKEY Server, or click Next to continue and apply the license at a later date.


Image 12: IDENTIKEY Server Configuration Wizard - License Window

13. Navigate to a license file using the ... button, or click Request a license from 'vasco.com'. Click Next to continue.

Note

The 'Request a License from vasco.com' button will not be available for Windows 2008 Core, as there is no browser available to load the web site. To obtain a license from vasco.com for Windows 2008 Core you will have to download the license on another machine and copy it across to the Windows 2008 Core machine.


Image 13: IDENTIKEY Server Configuration Wizard - Server Functionality Window

The functionality that is permitted by the license loaded on the previous window is selected by default. If no license was loaded only restricted functionality will be available.

14. Click to de-select any functions not required.

15. Click Next to continue.


Image 14: IDENTIKEY Server Configuration Wizard - Server Certificate Window

16. Enter a Password for the SSL Server Certificate and confirm it.

17. Click Next to continue. The next window is used to choose how the Administration Web Interface is deployed.


There are three choices:

Deploy Administration Web Interface and connect it to the local IDENTIKEY Server. Click this choice to deploy the Administration Web Interface automatically and associate it with the local IDENTIKEY Server without having to enter further details.

Deploy Administration Web Interface and connect it to a remote IDENTIKEY Server. Click this choice to deploy the Administration Web Interface and supply the SOAP URL of the remote server on which the required IDENTIKEY Server resides.

Do not deploy Administration Web Interface. Click this choice if you want to deploy the Administration Web Interface later.

Click Next to continue to the RADIUS Topology page.

Image 16: IDENTIKEY Server Configuration Wizard - RADIUS Topology Window

18. Select the format of RADIUS topology required.

19. Click Next to continue.

If you selected IDENTIKEY Server as a standalone RADIUS server, fill in the details of the RADIUS Client and click Next to continue.

If you selected IDENTIKEY Server in front of RADIUS server, fill in the details of the RADIUS Client and the RADIUS Backend and click Next to continue.


Image 17: IDENTIKEY Server Configuration Wizard - RADIUS Client Window

Image 18: IDENTIKEY Server Configuration Wizard - RADIUS Backend Window

The Summary window will be displayed.


Image 19: IDENTIKEY Server Configuration Wizard Summary Window

20. A summary of the settings will be displayed. Click Proceed to continue.


During the deployment of the Administration Web Interface, the Installer deploys the Administration Web Interface application to the Apache Tomcat web server using the IDENTIKEY Server certificate. The IDENTIKEY Server certificate is generated during installation and placed in the certificate store file, which is protected with the default password "ikwebpassword".

The server certificate files are \<install directory>\bin\ikeycerts.pem (certificate) and \<install directory>\bin\ikeypvk.pem (private key). The certificate keystore is \<install directory>\webadmin\keystore.jks.

Because "ikwebpassword" is a published default, change the keystore password once installation is complete, and restrict file-system access to ikeypvk.pem and keystore.jks to the accounts under which IDENTIKEY Server and Tomcat run.

21. Click Finish to complete the configuration.

The Import DPX files window will be displayed.

Image 21: Import DPX Files Window

22. The Import DPX Files step is optional. To bypass this step, click Next to continue. To import a DPX file:

a. Enter the location of the DPX file, or click Browse to navigate to the file.

b. Enter the Transport Key, which is supplied by VASCO to accompany the DPX file.

c. Enter the User ID, password and Server IP for the IDENTIKEY Server that is being installed.

d. Click Import to install the DPX file.


Image 22: IDENTIKEY Server Installation Complete Window
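Once the basic installation has completed, the keystore the wizard created is still protected by the default password quoted above. The script below is an added example, not VASCO code: it tells you whether a keystore is still on "ikwebpassword" without needing a JDK, by recomputing the integrity digest that a JKS file carries at its end. It assumes that keystore.jks is a Java JKS file (the .jks name and the bundled Tomcat make that the expected format) and constructs a minimal empty JKS in memory to demonstrate itself.

```python
r"""
Added example (not VASCO code). Detects whether a JKS keystore such as
<install directory>\webadmin\keystore.jks is still protected by the
default store password "ikwebpassword".

A JKS file ends in a 20-byte SHA-1 digest computed over
    UTF-16BE(store password) || "Mighty Aphrodite" || every preceding byte
which is exactly what keytool checks when given -storepass. Recomputing
it with a candidate password is therefore a definitive store-password
test. It proves only the store password and does not decrypt the private
key entries.
"""
import hashlib
import hmac
import struct
import sys
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
DIGEST_SALT = b"Mighty Aphrodite"            # fixed string used by the JDK's JavaKeyStore
DEFAULT_KEYSTORE_PASSWORD = "ikwebpassword"  # default quoted in this guide


def _prekeyed_sha1(password: str):
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # Java chars, big-endian, no BOM
    md.update(DIGEST_SALT)
    return md


def jks_store_password_matches(blob: bytes, password: str) -> bool:
    """True if `password` is the integrity (store) password of the JKS `blob`."""
    if len(blob) < 12 + 20:                  # magic + version + count, then the digest
        return False
    magic, version = struct.unpack(">II", blob[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        return False                         # not a JKS file (e.g. PKCS#12)
    body, stored_digest = blob[:-20], blob[-20:]
    md = _prekeyed_sha1(password)
    md.update(body)
    return hmac.compare_digest(md.digest(), stored_digest)


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a valid JKS with zero entries, used for the demo."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    md = _prekeyed_sha1(password)
    md.update(body)
    return body + md.digest()


def keystore_on_default_password(path: str) -> bool:
    """Check a keystore on disk against the published default password."""
    return jks_store_password_matches(Path(path).read_bytes(), DEFAULT_KEYSTORE_PASSWORD)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        state = "STILL on the default password" if keystore_on_default_password(target) \
            else "not on the default password"
        print(f"{target}: {state}")
    else:
        demo = build_empty_jks(DEFAULT_KEYSTORE_PASSWORD)
        print("sample store, default password:", jks_store_password_matches(demo, DEFAULT_KEYSTORE_PASSWORD))
        print("sample store, other password:  ", jks_store_password_matches(demo, "changed"))
```

Run it with the path to keystore.jks as the only argument. If it reports the default password, change it with keytool -storepasswd and update the matching password in the Tomcat connector configuration that references the keystore.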


6 Install IDENTIKEY Server in Advanced mode - ODBC

Advanced Installation allows you to customize your installation and configuration in detail. If you wish to use only default installation and configuration options, see 5 Install IDENTIKEY Server in Basic Mode – ODBC .

6.1 Advanced Installation

The first window to be displayed will be the Install Type window.

Image 23: IDENTIKEY Server Select Installation Type Window

1. Select the Advanced Installation option button.

2. Click Next.


Image 24: IDENTIKEY Server Installation - Data Storage Window

3. Select the ODBC Database option button.

4. Click Next.


Image 25: IDENTIKEY Server Installation – Select Components Window

5. Click the IDENTIKEY Server 3.1 button.

The IDENTIKEY Server Setup Wizard start window will be displayed.

6. Click Next to continue.


Image 26: IDENTIKEY Server Installation – License Agreement Window

7. Read the agreement carefully.

8. To accept the License Agreement, check the box I accept the terms in the License Agreement and click Next.

If you do not accept the License Agreement and click Cancel, the install will terminate.

The next screen to be displayed will be the Custom Setup window.


9. Select the features that you want to be installed by clicking on the icons on the window. Click the Reset button to reset all your choices.

10. Click Next to continue.

Image 27: IDENTIKEY Server Installation – Custom Setup window

The Ready to Install IDENTIKEY Server window will be displayed.

11. Click Install to continue.


Image 28:IDENTIKEY Server Installation – Ready to Install IDENTIKEY Server window


Image 29: Installing IDENTIKEY Server progress window

13. Click Finish to complete the installation of IDENTIKEY Server.


Image 30: IDENTIKEY Server Setup Wizard Completed window

14. The Installer will install the component for each button that is selected. Each installation after the IDENTIKEY Server install is optional.


Image 31: IDENTIKEY Server Installation - Select Components window

15. When the Installer gets to the Run configuration Wizard step, click the Run Configuration Wizard button and the IDENTIKEY Server Configuration Wizard will be started.


Image 32: IDENTIKEY Server Configuration Wizard - Start Window

16. Click Next to continue.

The Hardware Security Module window will be displayed. For more information about setting up a Hardware Security Module see 6.2 Set Up a Hardware Security Module .


If a Hardware Security Module is being used, click Use the available Hardware Security Module(s) and browse to the PKCS#11 library. Otherwise, click Do not use a Hardware Security Module. In both cases click Next to continue.

17. If a Hardware Security Module is being used, the HSM Storage Key page will be displayed.

Image 34: IDENTIKEY Server Configuration Wizard – Hardware Security Module Storage Key

18. Enter the Storage key label and Slot ID, and check the Key Access Private box if required. If Key Access Private is checked, enter the Token Label and Token PIN. Click Next to continue.


Image 35: IDENTIKEY Server Configuration Wizard – Hardware Security Module Data Encryption Key

19. Enter the Sensitive data Key Label, and check Key Access Private if required. If Key Access Private is checked, enter the Token Label and Token PIN. Click Next to continue.

20. The Select Database window will be displayed.


21. Select the type of database that is to be used with this installation of IDENTIKEY Server.

22. Click Next to continue.

The Database window will be displayed.

Image 37: IDENTIKEY Server Configuration Wizard - Database Window

a. Enter the ODBC Data Source name for the database that IDENTIKEY Server will use, and if required, a Username and Password.

b. Click Next to continue.


Image 38: IDENTIKEY Server Configuration Wizard - User ID/Domain conversion Window

23. Select the Case conversion format that you require.

24. Tick the Use Windows Name Resolution checkbox to enable IDENTIKEY Server to use Windows Name Resolution. This is recommended if Dynamic User Registration is to be enabled.

25. Click Next to continue.

The Master Domain window will be displayed.


26. Enter the name of the Master Domain where the first administrator account will be created.

27. Click Next to continue.

The IP Address window will be displayed.

Image 40: IDENTIKEY Server Config IP Address Window

28. Select the IP address for the IDENTIKEY Server.

29. Click Next to continue.

The First Administrator window will be displayed. The first administrator account can be used to login to IDENTIKEY Server (e.g. using the webadmin) and will have a full set of administrative privileges.


Image 41: IDENTIKEY Server First Administrator Window

30. The Sensitive Data Encryption window will be displayed. The Sensitive Data Encryption windows are only displayed if the HSM option has not been selected.


Note

If you will be using a custom encryption key for sensitive data, this should be set before DIGIPASS are imported to the 'live' version of the IDENTIKEY Server. See the Sensitive Data Encryption topic in the Administrator Reference for more information.

31. Selecting the Custom with embedded and custom key combination option will result in the Custom Data Encryption window being displayed.

Image 43: IDENTIKEY Server Custom Data Encryption Window


Image 44: IDENTIKEY Server Load Data Encryption Window

32. With either of the above screens, click Next. The License window will be displayed.

Image 45: IDENTIKEY Server Configuration Wizard License Window


Note

The Request a License from 'vasco.com' button will not be available for Windows 2008 Core, as there is no browser available to load the web site. To obtain a license from vasco.com for Windows 2008 Core you will have to download the license on another machine and copy it across to the Windows 2008 Core machine.

Image 46: IDENTIKEY Server Configuration Wizard Server Functionality Window

34. The functions that are available on the Server Functionality window will be determined by your license. Click in the check box to either select or de-select an available function. Click Next to continue.


Image 47: IDENTIKEY Server Configuration Wizard Server Certificate Window

35. To generate and install a test certificate:

a. Select Generate and install a new test certificate.

b. Click Next.

Image 48: IDENTIKEY Server Configuration Wizard Server Certificate Password Window

c. Enter a password for the new certificate. d.


To install a custom certificate:

a. Select Install my own SSL certificate.

b. Click Next.

Image 49: IDENTIKEY Server SSL Server Certificate Selection

c. Enter the location and filename of the private key file (.pvk), or browse to the file.

d. Enter the private key password, if required.

e. Enter the location and filename of the trusted certificates file (.pem), or browse to the file.

f. Click Next.

36. The Automatic Server Location Support window will be displayed. Select a DNS registration option from the drop-down menu:


Image 50: IDENTIKEY Server Automatic Server Location Support

To skip automatic DNS registration now, select No DNS Service registration.

To use DNS service registration with a DNS server supporting Dynamic DNS:

a. Select the DNS service registration with a DNS server supporting Dynamic DNS option.

b. Enter the name of the DNS domain.

c. Enter the IP address of the Target Host machine.

d. Select the priority for connections to the IDENTIKEY Server - Primary server or Backup server.

To use DNS service registration with a DNS server supporting TSIG authentication:

a. Select the DNS service registration with a DNS server supporting Dynamic DNS with TSIG authentication option.

b. Enter the name of the DNS domain.

c. Enter the Fully Qualified Domain Name of the Target Host machine.

d. Select the priority for connections to the IDENTIKEY Server - Primary server or Backup server.

e. Enter the full path and filename of the shared key file.

37. Click on Test Settings to test that the DNS server settings are correct. The Configuration Wizard will test the connection and list the result on-screen.


38. Click on Next. The Web Admin Client window will be displayed.

Image 51: IDENTIKEY Server Web Admin Client Window

39. Enter the IP address of the location of the Web Administration Client.

40. Click Next to continue. The Sample Web Client window will be displayed.


41. Enter the IP address of a web client to be used by the Sample Web Pages in the SDK. This page is optional and only needs to be used if the SDK is to be installed. Click Next to continue.

Image 53: IDENTIKEY Server Configuration Wizard Summary Window

42. A summary of the settings will be displayed. Click Proceed to continue.

43. Click Finish to complete the configuration.


Image 54:Select Components completed Window


Image 55:Installation Completed page


6.2 Set Up a Hardware Security Module

6.2.1 Hardware Security Module Setup

6.2.1.1 Pre-Requisites

Software

The following software must be installed on the HSM:

Version 2.07 or higher of the SafeNet ProtectServer firmware

The following software must be installed on the machine on which HSM administration tasks will be carried out:

Network or PCI Access Provider v4.00
ProtectToolKit C Software Development Kit v4.00
Protect Processing Orange Software Development Kit v3.00

Administrator Account

The setup process requires administration privileges in at least one administration token and one user token on the Hardware Security Module.

Firmware Module

The VACMAN Controller Firmware Module file – aal2sdk - should be copied to the machine on which the HSM administration will take place.

6.2.1.2 Configuration

Hardware Security Module

1. Install the Hardware Security Module.

VACMAN Controller Firmware

To install the VACMAN Controller Firmware Module in the Hardware Security Module:

2. Generate an SSL certificate in the user slot:

a. At a command prompt, enter:

ctcert c -s<UserSlotID> -k -z<KeySize> -l<CertificateName>

where <UserSlotID> is the ID of the slot on which the certificate should be generated, <KeySize> is the length of private key required, and <CertificateName> is the name you want to give the certificate.


KeySize must be at least 1024; 2048 or larger is recommended, as 1024-bit RSA keys are no longer considered adequate.

b. Enter the requested information.

3. Transfer the certificate to the admin slot:

a. To do this via command prompt, enter:

ctcert x -l<CertificateName> -s<UserSlotID> -f<CertExportFileName>

ctcert I -f<CertExportFileName> -s<AdminSlotID> -l<CertificateName>

where <CertificateName> is the name of the certificate that you entered when generating the certificate, <UserSlotID> is the ID of the slot in which the certificate was generated,

<CertExportFileName> is the filename of the certificate, and <AdminSlotID> is the ID of the administration slot to which the certificate is being copied.

4. Mark the certificate as trusted:

a. At a command prompt, enter:

ctcert t -l<CertificateName> -s<AdminSlotID>

where <CertificateName> is the name of the certificate that you entered when generating the certificate, and <AdminSlotID> is the ID of the administration slot to which the certificate has been copied.

5. Use the trusted certificate to sign the VACMAN Controller Firmware Module:

a. At a command prompt, enter:

mkfm -k"<UserSlotLabel>(<PIN>)/<CertificateName>" -faal2sdk -oaal2sdk.fm

where <UserSlotLabel> is the label for the user slot on which the certificate was generated, <PIN> is the administrator PIN for the token and <CertificateName> is the name of the certificate that you entered when generating the certificate. Note that the PIN is passed on the command line, so it is visible in the shell history and to any process on the machine that can list command lines; run this step on a dedicated administration machine and clear the history afterwards.

6. Upload the firmware module into the HSM:

a. At a command prompt, enter:

ctconf -b<CertificateName> -jaal2sdk.fm

where <CertificateName> is the name of the certificate that you entered when generating the certificate

Create Storage Key

7. Using the Key Management Utility, create a secret key to use as IDENTIKEY Server's storage key. This will require an administrator login to the token. Note the token label and key label used.

Required key attributes:

double or triple DES
sensitive
wrap and unwrap enabled
private optional
all other options disabled

Create Sensitive Data Key

8. Using the Key Management Utility, create a sensitive data key. This will require an administrator login to the token, and can be created in the same or different slot to the storage key created earlier. Note the token label and key label used.

Required attributes:

AES 128-bit
encrypt enabled
decrypt enabled
sensitive

Other attribute settings are optional.
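The checker below is an added example, not VASCO or SafeNet code, for the Create Storage Key and Create Sensitive Data Key steps above. It compares a key's PKCS#11 attributes (the CKA_* values the Key Management Utility exposes) with the attribute lists the guide requires, so a mis-created key is caught before IDENTIKEY Server is pointed at it. The attribute dictionaries are constructed sample input; on a live token read them with C_GetAttributeValue through a PKCS#11 binding and pass the result in. The CKA_EXTRACTABLE warning on the data key is this example's own addition: the guide leaves that attribute optional, but an extractable key can be wrapped out of the token.

```python
"""
Added example (not VASCO or SafeNet code): validate the two HSM keys the
guide asks for against its required PKCS#11 attributes.

Storage key: double or triple DES, sensitive, wrap + unwrap enabled,
private optional, everything else disabled.
Sensitive data key: AES-128, encrypt + decrypt enabled, sensitive;
other attributes optional (this checker still warns on extractable).
"""
from __future__ import annotations

BOOL_ATTRS = (
    "CKA_ENCRYPT", "CKA_DECRYPT", "CKA_WRAP", "CKA_UNWRAP", "CKA_SIGN",
    "CKA_VERIFY", "CKA_DERIVE", "CKA_SENSITIVE", "CKA_EXTRACTABLE",
    "CKA_PRIVATE",
)

STORAGE_KEY = {
    "key_types": {"CKK_DES2", "CKK_DES3"},       # double or triple DES
    "value_len": None,                            # fixed by the key type
    "required": {"CKA_SENSITIVE", "CKA_WRAP", "CKA_UNWRAP"},
    "optional": {"CKA_PRIVATE"},                  # every other flag must be FALSE
}
DATA_KEY = {
    "key_types": {"CKK_AES"},
    "value_len": 16,                              # AES-128 = 16-byte CKA_VALUE_LEN
    "required": {"CKA_SENSITIVE", "CKA_ENCRYPT", "CKA_DECRYPT"},
    "optional": set(BOOL_ATTRS) - {"CKA_SENSITIVE", "CKA_ENCRYPT", "CKA_DECRYPT"},
}
RULES = {"storage": STORAGE_KEY, "data": DATA_KEY}


def check_key(kind: str, attrs: dict) -> list[str]:
    """Return findings for a key of the given kind; empty means it matches the guide."""
    rules = RULES[kind]
    findings: list[str] = []
    if attrs.get("CKA_KEY_TYPE") not in rules["key_types"]:
        findings.append(f"ERROR CKA_KEY_TYPE must be one of {sorted(rules['key_types'])}")
    if rules["value_len"] is not None and attrs.get("CKA_VALUE_LEN") != rules["value_len"]:
        findings.append(f"ERROR CKA_VALUE_LEN must be {rules['value_len']} bytes")
    for attr in BOOL_ATTRS:
        value = bool(attrs.get(attr, False))      # absent attribute treated as FALSE
        if attr in rules["required"] and not value:
            findings.append(f"ERROR {attr} must be TRUE")
        elif attr not in rules["required"] and attr not in rules["optional"] and value:
            findings.append(f"ERROR {attr} must be FALSE")
    if kind == "data" and attrs.get("CKA_EXTRACTABLE"):
        findings.append("WARN CKA_EXTRACTABLE is TRUE: key can be wrapped off the token")
    return findings


# Constructed samples (not read from a real token).
GOOD_STORAGE_KEY = {"CKA_KEY_TYPE": "CKK_DES3", "CKA_SENSITIVE": True,
                    "CKA_WRAP": True, "CKA_UNWRAP": True, "CKA_PRIVATE": True}
BAD_STORAGE_KEY = {"CKA_KEY_TYPE": "CKK_DES3", "CKA_SENSITIVE": True,
                   "CKA_WRAP": True, "CKA_UNWRAP": True,
                   "CKA_EXTRACTABLE": True, "CKA_ENCRYPT": True}
GOOD_DATA_KEY = {"CKA_KEY_TYPE": "CKK_AES", "CKA_VALUE_LEN": 16,
                 "CKA_SENSITIVE": True, "CKA_ENCRYPT": True, "CKA_DECRYPT": True}
WEAK_DATA_KEY = {"CKA_KEY_TYPE": "CKK_AES", "CKA_VALUE_LEN": 32,
                 "CKA_SENSITIVE": False, "CKA_ENCRYPT": True,
                 "CKA_DECRYPT": True, "CKA_EXTRACTABLE": True}

if __name__ == "__main__":
    for label, kind, attrs in (("storage/good", "storage", GOOD_STORAGE_KEY),
                               ("storage/bad", "storage", BAD_STORAGE_KEY),
                               ("data/good", "data", GOOD_DATA_KEY),
                               ("data/weak", "data", WEAK_DATA_KEY)):
        print(label, check_key(kind, attrs) or ["OK"])
```

Run the check on every replica as well once the keys have been copied to the other HSMs, since replication carries the attributes with the key material.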

Replicate to required slots

If using multiple Hardware Security Modules with IDENTIKEY Server, the keys created above must be replicated to the other HSMs.

The following steps will require attributes specific to your HSM setup. Consult the PTK Administration Manual – typical file name ptk_c_administration_manual_rev-c.pdf – for more information.

9. Generate an identity keypair, using the ctident gen command.

10. Create a trust relationship, using the ctident trust command.

11. Replicate the token, using the ctkmu rt command.

6.2.2 IDENTIKEY Server Setup

6.2.2.1 Pre-requisites

The following software must be installed on the machine on which IDENTIKEY Server will be installed:

Network or PCI Access Provider v4.00

ProtectToolKit C Runtime Library v4.00

6.2.2.2 Configuration

1. Ensure that licensing for IDENTIKEY Server includes Hardware Security Module functionality.

2. Install IDENTIKEY Server.


a. Select Use the available Hardware Security Module(s) in the Hardware Security Module screen.

b. Click the Browse button and browse to the HSM connection library file. For Windows installations this will typically be named cryptoki.dll and be located in the PTKC runtime installation directory. For Linux installations it will typically be named libcryptoki.so and is copied automatically to the chroot environment; the location will be provided by default.

c. Click on Next.

d. Enter the name of the storage key created earlier, and the slot ID in which it was created.

e. If the key was set as private, enter the token label and PIN.

f. Click on Next.

g. Enter the name of the sensitive data key created earlier.

h. If the key was set as private, enter the token label and PIN.

i. Click on Next.

j. Continue with IDENTIKEY Server configuration.

4. Add environment variables:

a. ET_HSM_NETCLIENT_READ_TIMEOUT_SECS – set to value of 1

b. ET_HSM_NETCLIENT_WRITE_TIMEOUT_SECS – set to value of 1


7 Install IDENTIKEY Server - Active Directory

7.1 Active Directory Scenario and Decisions

This 'typical installation' process uses the following decisions and scenario:

Implementation Decisions

The following decisions were taken for the purposes of this installation process:

The Schema extensions have been approved.

The DIGIPASS Configuration Domain has been identified as the existing sub-domain, test.dm3.vasco.

The member server SVR of the sub-domain test.dm3.vasco will be used to install IDENTIKEY Server. This requires an Enterprise Certificate Authority to be installed in the forest, so that SSL is enabled. The instructions will take you through installing Windows Certificate Services onto a Domain Controller in the Forest Root domain.

Note

To perform the actions required to install IDENTIKEY Server you must be logged in as the Domain Administrator.

The scenario

A Domain dm3.vasco (this is the Forest Root Domain).

A sub-domain test.dm3.vasco of dm3.vasco. The sub-domain acts as the DIGIPASS Configuration Domain and contains all the configuration data, including Policies and Components.

A single Server SVR, a member server in the DIGIPASS Configuration Domain.

A Domain Controller DC-02 acting as the Schema Master on dm3.vasco. Certificate Server will be installed on DC-02.

7.1.2 Extend Schema

Run the addschema command:

1. Log into the machine from which schema changes will be made (DC-02).

2. Copy dpadadmin.exe onto the machine.

3. Open a command prompt in the location to which it was copied.

4. Enter:

dpadadmin addschema

5. If dpadadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel. Schema extensions apply to the whole forest and cannot be deleted once they have replicated, so confirm the approval recorded under Implementation Decisions before answering y.

6. Wait several minutes for the Schema extensions to replicate to the sub-domain and for the local Domain Controller to update its internal data caches. To check, use the following command:

dpadadmin checkschema

7.2 Install IDENTIKEY Server for Active Directory

1. The Installation Type window will be displayed.

Image 56: IDENTIKEY Server Setup - Installation Type window

2. Click the Advanced Installation option button. Click Next to continue.

The Data Storage window will be displayed.


Image 57: IDENTIKEY Server Setup - Data Storage window

3. Select the Active Directory option button.

4. Click Next.

5. The Digipass Extension for Active Directory Prerequisites page will be displayed. The functions on this page are optional, and need only be used if DIGIPASS and DIGIPASS User administration is to be performed on this machine.


Image 58: IDENTIKEY Server Setup – Digipass Extension for Active Directory Prerequisites window

6. If you wish to use the Digipass Extension for Active Directory Users and Computers on this machine:

a. If the .NET 2.0 Framework is to be installed, click the .NET 2.0 Framework button. The Microsoft .NET Framework 3.0 SP1 Setup window will be displayed.

i. Read the license and click to either accept or not accept the terms.

ii. Click Install to continue or Cancel to cancel the set up.


Image 59: Microsoft .NET license agreement.


Image 60: IDENTIKEY Server Setup – Digipass Extension for Active Directory Prerequisites window.

The Software Update Installation Wizard for your operating system will be displayed.

i. Click Next to continue.

The Digipass Extension for Active Directory Prerequisites window will be displayed, showing the results of the installations.


Image 61: IDENTIKEY Server Setup – Digipass Extension for Active Directory Prerequisites installation complete window.

c. If the IDENTIKEY Server is being installed on Microsoft Windows Vista or Microsoft Windows 2008, a hotfix provided by Microsoft must be installed to enable the Active Directory Users and Computers extension to work. If it is not already installed on the machine, the Active Directory Query Form Hotfix button will be enabled. Click this button to install the hotfix.

Please note that the Active Directory Query Form Hotfix button will remain unavailable on any operating system other than Microsoft Windows Vista or Microsoft Windows 2008.

The Select Components window will be displayed.

7. Click IDENTIKEY Server 3.1 to start the installation wizard.


Image 62: IDENTIKEY Server Setup - Select Components Window


Image 63: IDENTIKEY Server Setup Wizard Start Page.

The License Agreement screen will be displayed.


Image 64: IDENTIKEY Server Setup - License Agreement Window

9. Read the agreement carefully.

10. To accept the License Agreement, tick the I accept the terms in the License Agreement checkbox and click Next.

If you do not accept the License Agreement and click Cancel, the install will terminate.

11. To select the features that you want to be installed, click on the icons on the window.

Click the Reset button to reset all your choices. Click Next to continue.


Image 65: IDENTIKEY Server Setup - Custom Setup window


Image 66: IDENTIKEY Server Setup - Ready to Install IDENTIKEY Server window

The Installing IDENTIKEY Server progress window will be displayed.

13. Click the Next button to continue when it becomes available.


Image 67: Installing IDENTIKEY Server progress window

The IDENTIKEY Server Setup Wizard finish window will be displayed.

14. Click Finish to complete the installation of IDENTIKEY Server.


Image 68: IDENTIKEY Server Setup Wizard finish window

15. The Installer will install the component for each button that is selected. Each installation after the IDENTIKEY Server install is optional.


Image 69: IDENTIKEY Server Installed – Select Components

16. When the Installer gets to the Run Configuration Wizard step, click the Run Configuration Wizard button. The IDENTIKEY Server Configuration Wizard will be started.

References

Related documents