Vasco IDENTIKEY Appliance Installation And Maintenance Manual

IDENTIKEY® Appliance Installation and Maintenance Guide 3.11.12

Summary of Contents for Vasco IDENTIKEY Appliance

  • Page 1: IDENTIKEY® Appliance Installation and Maintenance Guide 3.11.12
  • Page 2: Intellectual Property

    VASCO shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company, or any third party arising from the use or inability to use VASCO Software or Materials, or any third party material available or downloadable from the Site. VASCO will not be liable in relation to any loss/damage caused by modification of these Legal Notices or Site content.
  • Page 3: Table Of Contents

    4.2. Powering on IDENTIKEY Appliance 4.3. Connecting to your Network 5. First Time Configuration 5.1. Overview 5.2. Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool 5.3. Configuration Wizard 5.4. Licensing Wizard 5.5. IDENTIKEY Authentication Server Setup Wizard 5.6. Activating a Support Certificate 5.7.
  • Page 4 7. System Actions 7.1. Overview 7.2. Rebooting and Shutting Down 7.3. Rescuing Default Administrator Users 7.4. Reverting to a Previous Version of IDENTIKEY Appliance 8. Re-Licensing IDENTIKEY Appliance 8.1. Overview 8.2. Accessing the Wizard for Re-Licensing IDENTIKEY Appliance 8.3. Current License Screen 8.4.
  • Page 5 Table of Contents 10.7. Configuring Scripted Backups 10.8. Restoring Backups 11. Replacing an IDENTIKEY Appliance 11.1. Installing and Licensing a Replacement IDENTIKEY Appliance 11.2. Upgrading a Replacement IDENTIKEY Appliance 12. RAID 12.1. Maintaining RAID 13. Hardware Security Module 13.1. Supported Hardware Security Modules 13.2.
  • Page 6 Image 24: IDENTIKEY Authentication Server Setup Wizard – Ready to Configure Image 25: IDENTIKEY Authentication Server Setup Wizard – Configured Image 26: VASCO Customer Portal Image 27: VASCO Customer Portal – View contract information Image 28: Configuration Tool – Configuring Support Connection IDENTIKEY Appliance 3.11.12 - Installation and Maintenance Guide...
  • Page 7 Image 31: Authentication Settings - Add Rescue User Image 32: IDENTIKEY Appliance System Actions Image 33: VASCO Customer Portal Image 34: VASCO Customer Portal Retrieving and Downloading Update Packages Image 35: Revert Upgrade Wizard – Previous Version Image 36: Backup and Restore – Creating Manual Backups...
  • Page 8 Table of Contents Table Index Table 1: IDENTIKEY Appliance Dimensions Table 2: Settings for Connecting a Computer to IDENTIKEY Appliance
  • Page 9: Introduction

    IDENTIKEY Appliance Administrator Guide is part of the documentation set about IDENTIKEY Appliance. It provides in-depth guidance for performing common or complicated tasks on IDENTIKEY Appliance and IDENTIKEY Authentication Server. If not stated otherwise, the information in this guide also applies to IDENTIKEY Virtual Appliance.
  • Page 10: Safety And Environmental Information

    3.0 meters. 2.3. Personal, Environmental and IDENTIKEY Appliance Safety To avoid back injuries: when lifting the IDENTIKEY Appliance, avoid injuries to your back by using your leg muscles. Keep your back straight and bend your knees when lifting the device.
  • Page 11: Temperature, Power And Humidity

    2.    Safety and Environmental Information To avoid dropping the IDENTIKEY Appliance: hold the appliance firmly by its main casing. Do not lift the device by the silver colored 'D' shapes at the front of the appliance. These are the chassis handles and are only intended for sliding the IDENTIKEY Appliance in and out of the chassis rails.
  • Page 12: Pre-Installation Tasks And Considerations

    DNS Server IP address(es) for your network DNS Suffix(es) (optional) Proxy Server settings (optional) IDENTIKEY Appliance Maintenance Reference (for a Commercial License only) IDENTIKEY Appliance Serial Number (for a Commercial License only) an appropriate network cable, no longer than 3.0 meters in length 3.2.
  • Page 13: Connecting Identikey Appliance To Your Network

    Note The information in this section does not apply to IDENTIKEY Virtual Appliance! 4.1. Overview In this section we provide instructions for connecting IDENTIKEY Appliance to your network. Warning Before you begin read the safety information in the 2. Safety and Environmental Information section.
  • Page 14: Connecting To Your Network

    2. Power up IDENTIKEY Appliance by connecting the appliance via the power cable to a supply. (The AG-7XXX models have two power units, each with a separate power cable. These power cables need to be connected to separate power circuits.
  • Page 15: Image 3: Test Tcp/Ip Settings

    Check that the network cable is in good working order and correctly plugged into one of the LAN Ethernet interfaces and your network hub or switch. An alternative method for modifying the IDENTIKEY Appliance IP address without needing to modify your workstation IP settings is possible with the Rescue Tool.
  • Page 16: First Time Configuration

    IP address of the IDENTIKEY Appliance, Licensing is necessary before services become available. Licensing is the process of identifying an issued IDENTIKEY Appliance to the VASCO Service Center for the issue of a license key to make the appliance fully operational. After installation, and before Licensing, the IDENTIKEY Appliance Configuration Utility is accessible for configuration and management, but the IDENTIKEY Authentication Server Administration Web Interface and other services will not be available.
  • Page 17: Accessing And Logging In To The Identikey Appliance Configuration Tool

    5.    First Time Configuration Note If you want to restore an existing instance of IDENTIKEY Appliance, you do not need to undergo all the steps outlined above; instead restore the backup version of IDENTIKEY Appliance. For more information about restoring a backup, refer to 10.8.
  • Page 18: Image 4: Certificate Warning Screen

    The procedure for accepting a certificate varies between browsers. Internet Explorer is used in the example. Image 4: Certificate Warning Screen After the certificate has been accepted, the login page for the Configuration Tool appears.
  • Page 19: Image 5: Configuration Tool Login Page

    2. Log on using administrator login credentials. The default administrative user name and password is: Username: sysadmin Password: sysadmin On accessing the Configuration Tool, IDENTIKEY Appliance automatically detects that this is a first-time installation and launches the Configuration Wizard.
  • Page 20: Configuration Wizard

    5. Hostname 6. Network Settings 7. Time Synchronization 8. Appliance CA Information 9. Activation Configuration Wizard screens are shown in the following sections and are mostly self-explanatory; additional explanations are provided where appropriate.
  • Page 21: Image 6: Configuration Wizard - Welcome

    5.    First Time Configuration 5.3.1. Welcome Image 6: Configuration Wizard – Welcome
  • Page 22: Image 7: Configuration Wizard - End User License Agreement

    5.    First Time Configuration 5.3.2. End User Licence Agreement Image 7: Configuration Wizard – End User License Agreement Read the license agreement carefully. To accept the terms, select Accept this End User License Agreement.
  • Page 23: Image 8: Configuration Wizard - Oracle Binary Code License Agreement

    Configuration Tool is less secure than using a new user account which requires DIGIPASS one-time password (OTP) authentication. We therefore recommend creating a new system administrator account which requires DIGIPASS authentication and disabling the sysadmin account as
  • Page 24: Image 9: Configuration Wizard - Password Change

    5.    First Time Configuration soon as possible. For more information, refer to the IDENTIKEY Appliance Administrator Guide. Image 9: Configuration Wizard – Password Change
  • Page 25: Image 10: Configuration Wizard - Hostname

    5.    First Time Configuration 5.3.5. Hostname Image 10: Configuration Wizard – Hostname
  • Page 26: Image 11: Configuration Wizard - Network Settings

    An alternative to configuring a default gateway is to use a proxy server. If a default gateway is not configured, however, services are only available to clients in the same subnet as the IDENTIKEY Appliance. To configure proxy set-...
  • Page 27: Image 12: Configuration Wizard - Time Synchronization

    Configuration Tool. This can be done after successful activation (see Section 1.1.8 Activation Successful) if you opt to disable Continue to the license wizard. 5.3.7. Time Synchronization Image 12: Configuration Wizard – Time Synchronization Enter an NTP server name, or use ntp.vasco.com.
  • Page 28: Image 13: Configuration Wizard - Appliance Ca Information

    5.3.8. Appliance CA Information Image 13: Configuration Wizard – Appliance CA Information Specify the information to set up the built-in IDENTIKEY Appliance certification authority (CA). The built-in certification authority (CA) is used to sign all automatically generated certificates. 5.3.9. Activation Confirmation After all data has been entered correctly, IDENTIKEY Appliance can be activated by clicking Finish.
  • Page 29: Licensing Wizard

    It takes you through the process for downloading and loading the license for IDENTIKEY Appliance. Note After the System Information page in the Licensing Wizard you will need to access the VASCO Customer Portal
  • Page 30: Image 15: Licensing Wizard - Welcome

    5.    First Time Configuration before continuing. For more information about when re-licensing is necessary, refer to 8. Re-Licensing IDENTIKEY Appliance. 5.4.1. Welcome Image 15: Licensing Wizard – Welcome
  • Page 31: Image 16: Licensing Wizard - System Information

    An evaluation license file, which is only valid for 30 days. To acquire a VASCO license file for your IDENTIKEY Appliance, you need to upload the system information file to the VASCO Customer Portal. This file identifies your appliance to VASCO, for the issue of a license file.
  • Page 32: Image 17: Licensing Wizard - Upload License

    VASCO Customer Portal to acquire the license file required. 5.4.4. Upload License When the license file has been downloaded, you must upload it to the IDENTIKEY Appliance. On the Upload License page browse to the downloaded license file and click Next to upload the file.
  • Page 33: Image 18: Licensing Wizard - License Activation

    Image 18: Licensing Wizard – License Activation 5.4.6. License Activation Confirmation License Activation Confirmation page will be displayed to confirm activation. This page indicates that IDENTIKEY Appliance services (such as authentication) are now available.
  • Page 34: Identikey Authentication Server Setup Wizard

    The IDENTIKEY Authentication Server Setup Wizard will walk you through the configuration of several basic IDENTIKEY Authentication Server settings. These settings include master domain, an administrator login, Hardware Security Modules, and Secure Auditing.
  • Page 35: Image 20: Identikey Authentication Server Setup Wizard - Settings

    IDENTIKEY Appliance Product Guide for more information on these features. Note You cannot disable/enable HSM and Secure Auditing settings after completing this wizard. To do so, you will need to perform a factory default.
  • Page 36: Image 21: Identikey Authentication Server Setup Wizard - Secure Auditing

    If HSM support is not enabled, then you will need to configure a secure auditing keypair. If you choose Install my keypair, you will need to upload this file, in pkcs12 format, to IDENTIKEY Appliance afterwards. You will also be asked to provide this file's matching master audit keystore passphrase.
  • Page 37: Image 22: Identikey Authentication Server Setup Wizard - Hardware Security Module Configuration

    5.    First Time Configuration Note Secure Auditing for IDENTIKEY Appliance only supports elliptic curve keys that are NIST P-256 compliant and stored in the pkcs12 format. 5.5.3. HSM Configuration If you have installed a Hardware Security Module (HSM), you can configure it for use with the here. For more inform-...
  • Page 38: Image 23: Identikey Authentication Server Setup Wizard - Administrative User

    2. Enter and confirm a password. The password format must conform to the IDENTIKEY Authentication Server password strength rules. See the IDENTIKEY Appliance Product Guide for more details on the password strength rules.
  • Page 39: Image 24: Identikey Authentication Server Setup Wizard - Ready To Configure

    Image 24: IDENTIKEY Authentication Server Setup Wizard – Ready to Configure Once the details have been provided on the IDENTIKEY Authentication Server Setup Wizard screens, IDENTIKEY Authentication Server will be configured with the minimum details allowed for first time use.
  • Page 40: Activating A Support Certificate

    5.6. Activating a Support Certificate Procedure 2: Downloading and activating an IDENTIKEY Appliance support certificate 1. Open a web browser and go to the VASCO Customer Portal: https://cp.vasco.com/. Type the maintenance reference and serial number provided by VASCO for your IDENTIKEY Appliance and click Sign...
  • Page 41: Image 26: Vasco Customer Portal

    Download contract certificate hyperlink, and download and save the certificate file. 4. Access the Configuration Tool. 5. Select Settings > Certificates. 6. Click Add Certificate below the Server Certificates list. Add Certificate wizard appears.
  • Page 42: Migration To Identikey Appliance / Identikey Virtual Appliance From Identikey Authentication Server

    When migrating to IDENTIKEY Appliance / IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server you can use the Data Migration Tool and the IDENTIKEY Appliance Update Wizard to migrate for instance user data or DIGIPASS data. See Chapter Updating IDENTIKEY Appliance for information about the Update Wizard and update procedures.
  • Page 43 5.    First Time Configuration verify, and install the package as described in Sections 9.3.1. Select Update 9.3.3. Verify Update and Install Update to complete data migration.
  • Page 44: Rescue Tool

    You can access the Rescue Tool using one of the following methods: If using IDENTIKEY Virtual Appliance, switch to the console view in your hypervisor software and log on. Connecting a screen and keyboard directly to the IDENTIKEY Appliance, and logging on in a command-line prompt.
  • Page 45: Adding Authentication For The Rescue Tool

    You can add more secure users with access to the Rescue Tool. These users can be configured to enter other login credentials in addition to the rescue user name. To define these users, access the IDENTIKEY Appliance Configuration Tool and navigate to Settings >...
  • Page 46: Image 30: Authentication Settings - Rescue Users

    Ids and passwords have to log in besides the first user. This adds further security to the rescue tool login. This number must always be less than or equal to the number of rescue users created.
  • Page 47: Navigation And Functionality

    Configuration Wizard will need to be repeated. It is not necessary to return IDENTIKEY Appliance to factory default if a backup is to be restored to the appliance. In this case, the appliance is automatically returned to Factory Default before the backup is restored. For more information about restoring backups, see Section 10.8.
  • Page 48 Configuration Tool from any client computer. 6.4.2. Change IP Address The Rescue Tool can be used to change the IDENTIKEY Appliance IP address. This is an alternative method to the instructions provided in Section 4. Connecting IDENTIKEY Appliance to your Network...
  • Page 49 6.    Rescue Tool 6.4.3. Ping an IP Address or Host Name You can ping a system in order to test whether it can connect to IDENTIKEY Appliance. Procedure 6: Pinging an IP Address 1. type n for network menu 2. type p to enter the...
  • Page 50: System Actions

    Image 32: IDENTIKEY Appliance System Actions 7.2. Rebooting and Shutting Down If IDENTIKEY Appliance is shut down incorrectly it can be corrupted. One of the following methods of powering off or rebooting IDENTIKEY Appliance should be used, in the following order of preference: 1.
  • Page 51: Rescuing Default Administrator Users

    Rescue Sysadmin User button. This automatically enables the sysadmin user and prompts you to enter a new password for the sysadmin user. A new login to the IDENTIKEY Appliance Configuration Tool is not required to change the password. See also Section 6.4.1.
  • Page 52: Reverting To A Previous Version Of Identikey Appliance

    7.    System Actions 7.4. Reverting to a Previous Version of IDENTIKEY Appliance If the current version of IDENTIKEY Appliance has been installed through an update, i.e. not a clean install, you can revert to the previously installed version using Revert to a previous version of IDENTIKEY Appliance.
  • Page 53: Re-Licensing Identikey Appliance

    A license file is required to make IDENTIKEY Appliance fully operational. Licensing is the process of identifying an issued instance of IDENTIKEY Appliance to VASCO for the issue of a license file. For information on first-time licensing of IDENTIKEY Appliance, refer to Section 5.4.
  • Page 54: Current License Screen

    Configuration Tool. 8.3. Current License Screen The re-licensing wizard varies slightly from the wizard for licensing IDENTIKEY Appliance for the first time; it includes an additional screen. This additional screen displays the current licensing information. The structure of the re-licensing wizard is the following: 1.
  • Page 55 1. Open a web browser and go to the VASCO Customer Portal: https://cp.vasco.com/. 2. Follow the instructions on the VASCO Customer Portal to acquire the license file required. The license file is made available to you via the VASCO Customer Portal on receipt of your purchase order. 3. Launch the Licensing Wizard (see 8.2.
  • Page 56 Wizard). Note Restoring IDENTIKEY Appliance to factory default is not necessary if a backup is to be restored to the appliance. In this case, the appliance is automatically returned to factory default before the backup is restored. For more information about restoring a backup, refer to 11.
  • Page 57: Updating Identikey Appliance

    9. Updating IDENTIKEY Appliance 9.1. Overview IDENTIKEY Appliance can be updated using the Configuration Tool. VASCO distributes updates to the products on a regular basis via the updating process. Updates are included in the software maintenance contracts. Updating is supported by an Update Wizard in the IDENTIKEY Appliance Configuration Tool and can be: Off-line using an update package from the VASCO Customer Portal (see...
  • Page 58: Using The Update Wizard

    9.    Updating IDENTIKEY Appliance Image 33: VASCO Customer Portal 2. In the VASCO Customer Portal, navigate to the Downloads menu, and select the required download package for your product. Image 34: VASCO Customer Portal Retrieving and Downloading Update Packages 3. Select the required .iso...
  • Page 59 9.3.2. Available Updates (On-Line Process Only) for more information. If your instance of IDENTIKEY Appliance is not connected to the VASCO Customer Portal, you will need to download an update package from the VASCO Customer Portal. Refer to Section 9.2. Retrieving Offline Update Packages for instructions on how to retrieve the necessary package.
  • Page 60: Reverting An Installed Upgrade

    9.    Updating IDENTIKEY Appliance 9.4. Reverting an Installed Upgrade If you encounter problems with IDENTIKEY Appliance after upgrading to a new version, you can revert the IDENTIKEY Appliance operating system to the previous version. 9.4.1. Before You Begin Warning If you revert to a previous version you will lose all configuration modifications since the upgrade, including: IDENTIKEY Authentication Server configuration, e.g.
  • Page 61: Image 35: Revert Upgrade Wizard – Previous Version

    Finish to revert to the original version. The IDENTIKEY Appliance will reboot and revert to the previous version. 9.4.3. Additional Considerations Reverting to a previous version is only available if the current version has been installed using an upgrade, i.e. not after a clean install.
  • Page 62: Backing Up And Restoring Identikey Appliance

    Custom Encryption for Backup Files). Backup can be performed: Manually. Using a link in the IDENTIKEY Appliance Configuration Tool to create a backup at any time (see 10.5. Performing Manual Backups). Automatically. The backup is pushed from IDENTIKEY Appliance and is scheduled for specific times (see 10.6.
  • Page 63: Performing Manual Backups

    10.    Backing Up and Restoring IDENTIKEY Appliance Procedure 16: Configuring an additional passphrase for custom encryption 1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore. 2. Select the Use Custom Encryption Pass Phrase check box.
  • Page 64: Configuring Automatic Backups

    3. Specify the destination for the backup file. The backup is created. 10.6. Configuring Automatic Backups Procedure 18: Configuring an automatic backup 1. In the IDENTIKEY Appliance Configuration Tool, navigate to System > Backup & Restore. 2. (OPTIONAL) Select Use Custom Encryption Pass Phrase and type a pass phrase twice to prevent typing errors.
  • Page 65: Image 37: Backup And Restore - Configuring Automatic Backups (Ftp/Sftp Settings)

    When using Secure File Transfer Protocol (SFTP), the SFTP server sends an encrypted fingerprint of its public host key to ensure that the SFTP connection is with the correct server. Connection is only possible if the fingerprint is known to the IDENTIKEY Appliance. a. Specify the fingerprint settings.
  • Page 66: Configuring Scripted Backups

    The backup will be performed according to the configured schedule. 10.7. Configuring Scripted Backups You can write your own backup script/tool to request a backup from IDENTIKEY Appliance. The URL to access the IDENTIKEY Appliance backup is: https://<ip_address>/system/backup/download Procedure 19: Configuring a scripted backup 1.
  • Page 67: Image 39: Backup And Restore - Configuring Scripted Backups

    Note The user name and password for a script to authenticate to IDENTIKEY Appliance and download a backup can be freely chosen and defined in the System Backup tab. These credentials are not associated with a user account in the IDENTIKEY Authentication Server Administration Web Interface.
  • Page 68: Restoring Backups

    While the backup is restored, the IDENTIKEY Appliance will be unavailable for approximately 10 minutes. 6. (OPTIONAL) After restore, log on to the IDENTIKEY Appliance Configuration Tool and review the restore status feedback in the Status tab.
  • Page 69: Image 40: Backup And Restore - Restoring And Rebooting

    10.    Backing Up and Restoring IDENTIKEY Appliance Image 40: Backup and Restore - Restoring and Rebooting 10.8.3. Additional Considerations To restore a backup on a replacement IDENTIKEY Appliance, follow the procedure for a regular replacement (see 11. Replacing an IDENTIKEY Appliance).
  • Page 70: Replacing An Identikey Appliance

    11.    Replacing an IDENTIKEY Appliance 11. Replacing an IDENTIKEY Appliance IDENTIKEY Appliance can be easily replaced in the event of hardware failure, by restoring a backup from an old appliance to a new one. If the replacement appliance is running an older product version than the version running on the appliance to be replaced, the replacement appliance must be upgraded before a backup can be restored (see 11.2.
  • Page 71: Upgrading A Replacement Identikey Appliance

    11.    Replacing an IDENTIKEY Appliance 11.2. Upgrading a Replacement IDENTIKEY Appliance Procedure 22: Upgrading a replacement IDENTIKEY Appliance 1. Connect the replacement IDENTIKEY Appliance to your network (see 4. Connecting IDENTIKEY Appliance to your Network). 2. Open the IDENTIKEY Appliance Configuration Tool (see 5.2.
  • Page 72: Raid

    The information in this section does not apply to IDENTIKEY Virtual Appliance! The RAID option (for IDENTIKEY Appliance AG-7XXX models only) provides redundancy between two (hot swappable) disks, supporting full services even when a disk fails or is being replaced. The two disks are continuously synchronized (also known as RAID mirroring).
  • Page 73 AG-7XXX. (Note that inserting is not the same as adding the disk to the RAID configuration for synchronization). Add. A new disk already inserted into a slot in the IDENTIKEY Appliance AG-7XXX will be added by the IDENTIKEY Appliance to the RAID configuration for synchronization.
  • Page 74: Image 42: Raid Maintenance Status And Actions - Replacing Hard Disk

    Select Add for the replacement disk to be added to the RAID configuration for synchronization. After completing the wizard, the RAID configuration will be repaired. The status message and the link to launch the wizard will no longer be displayed in the IDENTIKEY Appliance Configuration Tool.
  • Page 75: Hardware Security Module

    IDENTIKEY Appliance installation. 13.2. SafeNet HSMs In order to set up SafeNet HSMs to work with IDENTIKEY Appliance, you need to set up the following components: Software The following software must be installed on the HSM: Version 2.07 or higher of the SafeNet ProtectServer firmware...
  • Page 76 Signed Functionality Module: copy the signed VACMAN Controller functionality module file – aal2sdk.signed – to the machine on which HSM administration will take place. The corresponding VASCO code signing certificate is required to upload this signed module (vascosigningcert.crt). The functionality modules are located on the IDENTIKEY Authentication Server product CD in the following folders: Before installing a functionality module, install the Hardware Security Module with the required drivers and libraries and restart the machine.
  • Page 77 Warning Storage and sensitive data keys cannot be created in the admin slot. The VACMAN Controller VASCO SafeNet HSM packages will contain a signed version of the VACMAN Controller functionality module. Procedure 25: Install a signed VACMAN Controller Functionality Module 1.
  • Page 78 Note the token label and key label used. This key should have the following attributes: 128-bit derive sensitive encrypt enabled decrypt enabled Other attribute settings are optional.
  • Page 79: Secure Auditing With Hardware Security Modules

    13.2.5. Replicating to Required Slots If you are using multiple Hardware Security Modules with IDENTIKEY Appliance, the storage and sensitive data keys created must be replicated to the other HSMs. This process must be performed each time a key change occurs and consistency among HSMs is required.
  • Page 80: Image 43: Secure Auditing With Hsm

    Image 43: Secure Auditing with HSM IDENTIKEY Appliance will request a signature from the HSM for each epoch, and this will be used as an epoch ID. An epoch keypair will be generated, consisting of an epoch public key and an epoch private key. Each Secure Audit entry will contain the epoch public key, the epoch ID and a cryptographic signature which relates it to the previous and subsequent entries.
  • Page 81 You will be prompted to enter the user pin for the specified slot (i.e. slot 0 in this case). 2. Extract the public certificate from the device and save it to a .pem file: ctcert x -lMasterAuditCertificate -s0 -faudit_cert.pem where:
  • Page 82 PEM file that will contain the public certificate audit_cert.pem Note Secure Auditing for IDENTIKEY Appliance only supports elliptic curve keys that are NIST P-256 compliant and stored in pkcs12 format.
  • Page 83: Support

    2. If you are unable to solve your problem with the Knowledge Base, please contact the company which sold you the VASCO product. 3. If your supplier is unable to solve your query, they will automatically contact the appropriate VASCO expert. If necessary VASCO experts can access your IDENTIKEY Appliance remotely to solve any problems. Remote support and access to your IDENTIKEY Appliance are achieved through the VASCO Customer Portal.
  • Page 84: Image 44: Configuring Support Connections

    Certificate Management tab. For more information, refer to the IDENTIKEY Appliance Administrator Guide, Section "Certificate Management". Image 45: Selecting Support Certificate 5. Select Enable Remote Support. 6. Click Save.
  • Page 85 14.    Support 14.2.3. Additional Considerations Remote support can be enabled without installing a support certificate by providing VASCO support VPN access to your network. This allows direct access to the IDENTIKEY Appliance Configuration Tool.