Vasco IDENTIKEY AG-3 Series Installation And Maintenance Manual

Appliance / virtual appliance
IDENTIKEY Appliance
Installation and Maintenance Guide
3.6.8
IDENTIKEY Appliance Installation and Maintenance

Summary of Contents for Vasco IDENTIKEY AG-3 Series

  • Page 1 IDENTIKEY Appliance Installation and Maintenance Guide 3.6.8 IDENTIKEY Appliance Installation and Maintenance...
  • Page 2 VASCO shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company, or any third party arising from the use or inability to use VASCO Software or Materials, or any third party material available or downloadable from the Site. VASCO will not be liable in relation to any loss/damage caused by modification of these Legal Notices or Site content.
  • Page 3: Table Of Contents

    Table of Contents: Introduction (9); Audience and Purpose of this Document (9); Available Guides (9); Safety and Environmental Information (10); Overview (10); Electrical Safety (10); Personal, Environmental and IDENTIKEY Appliance Safety (10); Temperature, Power and Humidity (11); Dimensions (11); Chassis Rails (12); Before you Begin (13); Connecting the IDENTIKEY Appliance to your Network (14); Overview (14); Powering on the IDENTIKEY Appliance (15)...
  • Page 4 Table of Contents: Reset the access settings to the Configuration Tool (65); System Actions (66); Overview (66); Reboot and Shut Down (66); Rescue Default Administrator Users (67); Re-licensing (69); Overview (69); Accessing the Wizard for Re-licensing (70); Current License Screen (71); Re-licensing for an Upgrade from an Evaluation License (72); Re-licensing for a New License Option or Type (72); Re-licensing after a major IDENTIKEY Appliance version upgrade (76); Re-licensing for a Change of IP Address or Replacement (77)...
  • Page 5 Table of Contents: 11.2 Upgrading a Replacement Appliance (97); 11.3 Replacement Procedure (98); 12 RAID (99); 12.1 Overview (99); 12.2 Maintenance Wizard (100); 13 Hardware Security Module (102); 13.1 SafeNet HSMs (103); 14 Support (110); 14.1 Overview (110); 14.2 If you encounter a problem (110); 14.3 Remote Support Connection (111); 14.4 Setting up a replacement or new IDENTIKEY Appliance (112); 14.5 Return procedure if you have a hardware failure (112)
  • Page 6 Image 20: Uploading the System Info File (39); Image 21: VASCO's Registration website (40); Image 22: VASCO Registration Product Selection (41); Image 23: VASCO Registration Terms and Conditions (42); Image 24: Product Type Selection (43); Image 25: License Request (44); Image 26: Download License File...
  • Page 7 Table of Contents: Image 53: IDENTIKEY Appliance Off-line upgrade packages (83); Image 54: Example Upgrade package details and download link (84); Image 55: Update Wizard Welcome Screen (85); Image 56: Update Wizard Select Update Screen (86); Image 57: Update Wizard Available Updates Screen (87); Image 58: Update Wizard Download Update Screen...
  • Page 8 Table of Contents, Index of Tables: Table 1: IDENTIKEY Appliance Dimensions (11); Table 2: Settings to connect a workstation or laptop computer to the IDENTIKEY Appliance (61)
  • Page 9: Introduction

    Introduction. Audience and Purpose of this Document: The IDENTIKEY Appliance Installation and Maintenance Guide is part of a set of guides on the IDENTIKEY Appliance. It is intended to support planning for and installation of the IDENTIKEY Appliance. If not stated otherwise, the information in this guide also applies to IDENTIKEY Virtual Appliance. Available Guides: Other documents in the set of IDENTIKEY Appliance documentation include: IDENTIKEY Appliance Product...
  • Page 10: Safety And Environmental Information

    Safety and Environmental Information Safety and Environmental Information Note The information in this section does not apply to IDENTIKEY Virtual Appliance! Overview In this section we provide details important both for the safe use of the IDENTIKEY Appliance and also to help maintain the device in a safe environment to keep it fully operational.
  • Page 11: Temperature, Power And Humidity

    Rails). Temperature, Power and Humidity VASCO recommends installing the IDENTIKEY Appliance in a server room with air conditioning and UPS (Uninterrupted Power Supply). If the equipment is built into a server cupboard, make sure that there is sufficient ventilation. Environmental requirements are:...
  • Page 12: Chassis Rails

    Safety and Environmental Information Chassis Rails Chassis rails for storing the IDENTIKEY Appliance on a sliding shelf are available for the AG5XXX models only. These are not included in the VASCO price list. Please consult www.supermicro.com for compatible chassis rails (part number CSE-PT8L).
  • Page 13: Before You Begin

    Before you Begin. Collect the following information before you start to speed up your installation: an unused IP address in your network; the Default Gateway setting in your network; DNS Server IP address(es) for your network; DNS Suffix(es) (optional); Proxy Server settings (optional); IDENTIKEY Appliance Maintenance Reference (for a Commercial License only); IDENTIKEY Appliance Serial Number (for a Commercial License only)
  • Page 14: Connecting The Identikey Appliance To Your Network

    Connecting the IDENTIKEY Appliance to your Network Connecting the IDENTIKEY Appliance to your Network Note The information in this section does not apply to IDENTIKEY Virtual Appliance! Overview In this section we provide instructions for connecting the IDENTIKEY Appliance to your network. Important: Please first read the safety information in Section 2 Safety and Environmental Information...
  • Page 15: Powering On The Identikey Appliance

    Connecting the IDENTIKEY Appliance to your Network Powering on the IDENTIKEY Appliance Image 1: IDENTIKEY Appliance USB Ports, LAN Ethernet Interfaces and lit LEDS when operational The IDENTIKEY Appliance is delivered with two LAN Ethernet interfaces (see image above), one of which needs to be connected using an appropriate network cable to the network’s hub or switch.
  • Page 16: Connect To Your Network

    Connecting the IDENTIKEY Appliance to your Network Power up the IDENTIKEY Appliance by connecting the appliance via the power cable to a supply. Note The AG-7XXX models have two power units, each with a separate power cable. These power cables need to be connected to separate power circuits. The second (redundant) supply provides backup in case the fuse for the supplying power circuit fails.
  • Page 17 Connecting the IDENTIKEY Appliance to your Network. To access the system, a workstation needs to be temporarily configured with the same TCP/IP settings as the IDENTIKEY Appliance. Configure a workstation with the following settings: Network IP address: 192.168.0.2; Subnet Mask: 255.255.255.0. Once the TCP/IP settings (listed above) are active on a workstation, use a DOS window or terminal session for the following test:...
  • Page 18: First-Time Configuration

    A license key is required to make the appliance fully operational. To obtain a license key, IDENTIKEY Appliance must be identified to the VASCO Service Center, from where a license key can be downloaded. After installation, and before Licensing, the IDENTIKEY Appliance Configuration Tool is accessible for configuration, but the IDENTIKEY Authentication Server Administration Web Interface and other services will not be available.
  • Page 19 VASCO Product Registration website https://sc.vasco.com/register. However, it is not necessary for the IDENTIKEY Appliance to have Internet connection, as the required files can be downloaded to another computer and transferred to the IDENTIKEY Appliance. Note If you want to restore an existing instance of IDENTIKEY Appliance, you do not need to undergo all the steps outlined above;...
  • Page 20: Access And Log On To The Identikey Appliance Configuration Tool

    First-time Configuration Access and Log on to the IDENTIKEY Appliance Configuration Tool Caution After the IDENTIKEY Authentication Server Setup Wizard has been completed a more secure Administrator User ID will be created. Disable the default sysadmin user after completing the IDENTIKEY Authentication Server Setup Wizard, as described in the IDENTIKEY Appliance Administrator Reference...
  • Page 21 First-time Configuration Image 4: Certificate Warning Screen. After the certificate has been accepted, the login page for the Configuration Tool will be displayed. Log on using administrator login credentials. The default administrative user name and password are:
  • Page 22 First-time Configuration Image 5: Configuration Tool Login Screen. User: sysadmin. Password: sysadmin. When the IDENTIKEY Appliance Configuration Tool is accessed for the first time, the IDENTIKEY Appliance automatically detects that this is a first-time installation and launches the Configuration Wizard.
  • Page 23: Configuration Wizard

    First-time Configuration: Configuration Wizard. The Configuration Wizard takes you through nine screens, guiding entry of the information needed to configure the IDENTIKEY Appliance on your network. The following screens are available: Welcome; End User License Agreement; Oracle Binary Code License Agreement for Java SE; Password change; IDENTIKEY Appliance Hostname; Network settings...
  • Page 24 First-time Configuration 5.3.1 Welcome Image 6: Configuration Wizard Step 1: Welcome IDENTIKEY Appliance Installation and Maintenance...
  • Page 25 First-time Configuration 5.3.2 End User License Agreement Image 7: Configuration Wizard Step 2: License Agreement Please read the terms of the End User License Agreement carefully. To accept the terms, click in the check box. 5.3.3 Oracle Binary Code License Agreement for Java SE Please read the terms of the Oracle Binary Code License Agreement carefully.
  • Page 26 First-time Configuration Image 8: Configuration Wizard Step 3: Oracle Binary Code License Agreement To accept the terms, select the check box. IDENTIKEY Appliance Installation and Maintenance...
  • Page 27 First-time Configuration 5.3.4 Password Change Caution After the IDENTIKEY Authentication Server Setup Wizard has been completed a more secure Administrator User ID will be created. Disable the default sysadmin user after completing the IDENTIKEY Authentication Server Setup Wizard, as described in the IDENTIKEY Appliance Administrator Guide.
  • Page 28 First-time Configuration 5.3.5 Hostname Image 10: Configuration Wizard Step 5: Hostname IDENTIKEY Appliance Installation and Maintenance...
  • Page 29 IDENTIKEY Appliance Product Guide. A direct connection to the VASCO Service Center requires a Default Gateway to be configured and access on TCP port 443. For more information, please refer to the Firewall Ports section of the IDENTIKEY Appliance Administrator Reference Guide.
  • Page 30 First-time Configuration 5.3.7 Time Synchronization Image 12: Configuration Wizard Step 7: Time Synchronization The address ntp.vasco.com can be entered for the default time server, or another NTP server can be entered. IDENTIKEY Appliance Installation and Maintenance...
  • Page 31 First-time Configuration 5.3.8 Activation Successful After all data has been entered correctly, IDENTIKEY Appliance can be activated by clicking the Finish button. Click Finish to start up the Licensing Wizard (5.3.10 Licensing Wizard), or uncheck the check box to just complete the activation and perform other configurations manually via the IDENTIKEY Appliance Configuration Tool.
  • Page 32 First-time Configuration 5.3.9 New Certificate When a new hostname is entered in the wizard, a new certificate is generated. Accordingly, upon successful activation, IDENTIKEY Appliance will display a warning that the page must be reloaded with the new certificate. Image 14: Configuration Wizard Step 8: Activation Successful – Reload Page with New Certificate 5.3.10 Licensing Wizard The Licensing Wizard is launched via two methods: Immediately after completing the First-time Configuration Wizard, via the Activation Successful screen (see...
  • Page 33 License Activation License Confirmation Note After the second screen in the Licensing wizard, you will need to access the VASCO Product Registration website before you can continue with the third screen. Tip: The circumstances under which re-licensing is necessary, and instructions for re-licensing are provided in section 8.2 Accessing the Wizard.
  • Page 34 First-time Configuration 5.3.11 Welcome Image 15: Licensing Wizard Step 1: Welcome IDENTIKEY Appliance Installation and Maintenance...
  • Page 35 To acquire a VASCO License file for your IDENTIKEY Appliance, you need to upload the previously mentioned System Info file to the VASCO Product Registration website. This file identifies your appliance to VASCO, for the issue of a License file.
  • Page 36 5.3.13.2 Downloading an Evaluation License File. 5.3.13.1 Downloading a Commercial License File. To identify your IDENTIKEY Appliance to VASCO for a License file to be issued, you need to: Browse or follow the link to VASCO’s Registration website: https://sc.vasco.com/registration.
  • Page 37 First-time Configuration If you have read and agree with VASCO's Terms and Conditions, select the check box and click I AGREE. Image 18: VASCO Terms and Conditions IDENTIKEY Appliance Installation and Maintenance...
  • Page 38 Image 19: Registration Menu Note If VASCO does not have full contact details on file, you may be asked to complete a form providing details, before proceeding with registration. In this case, after completion and submission of the form, an email will be sent to you with a link for validation. You need to click on the link to confirm receipt of the email, before you can proceed with product registration.
  • Page 39 Image 20: Uploading the System Info File 5.3.13.2 Downloading an Evaluation License File To request an evaluation License file to be issued, you need to: Browse to VASCO’s Registration website: https://sc.vasco.com/registration. Select Click here for an evaluation license. IDENTIKEY Appliance Installation and Maintenance...
  • Page 40 First-time Configuration Image 21: VASCO's Registration website
  • Page 41 First-time Configuration Select the IDENTIKEY Authentication Server registration. Image 22: VASCO Registration Product Selection IDENTIKEY Appliance Installation and Maintenance...
  • Page 42 First-time Configuration If you have read and agree with VASCO's Terms and Conditions, tick the check box and click on I AGREE. Image 23: VASCO Registration Terms and Conditions IDENTIKEY Appliance Installation and Maintenance...
  • Page 43 First-time Configuration Select IDENTIKEY Appliance, and click Next. Image 24: Product Type Selection Enter the names of a contact and of your organization. A description may be entered, but is optional. Use the Browse button to browse to the System Info file downloaded in section 5.3.12 System Information.
  • Page 44 First-time Configuration Click on Create Evaluation License. Image 25: License Request IDENTIKEY Appliance Installation and Maintenance...
  • Page 45 First-time Configuration Right click to download and save the evaluation License file. Image 26: Download License File IDENTIKEY Appliance Installation and Maintenance...
  • Page 46: Upload License

    Upload License. Return to the Licensing wizard and enter or browse to the License file which you downloaded from VASCO's Registration website. Click on Next to upload the file. Image 27: Licensing Wizard Step 3: Upload License
  • Page 47 First-time Configuration 5.4.1 License Activation Image 28: Licensing Wizard Step 4: License Activation IDENTIKEY Appliance Installation and Maintenance...
  • Page 48 First-time Configuration 5.4.2 License Activation Confirmation. Image 29: Licensing Wizard Step 5: License Confirmation. Click Finish to start up the IDENTIKEY Authentication Server Setup Wizard (5.5 IDENTIKEY Authentication Server Setup Wizard), or uncheck the check box to just complete the activation and perform manual configuration in the IDENTIKEY Appliance Configuration Tool.
  • Page 49: Identikey Authentication Server Setup Wizard

    First-time Configuration IDENTIKEY Authentication Server Setup Wizard The IDENTIKEY Authentication Server Setup Wizard will walk you through the configuration of several basic IDENTIKEY Authentication Server settings. These settings include Master Domain, an Administrator Login, HSMs, and Secure Auditing. 5.5.1 IDENTIKEY Authentication Server Settings Image 30: IDENTIKEY Authentication Server Setup Wizard 1: Settings Enter the name of the Master Domain to be used, and select the Name Conversion criteria.
  • Page 50 First-time Configuration Keep in mind that you cannot disable/enable Hardware Security Module and Secure Auditing settings after completing this wizard. To do so, you will need to perform a factory default. 5.5.2 Secure Auditing Image 31: IDENTIKEY Authentication Server Setup Wizard: Secure Auditing If you selected Secure Auditing on the first screen of the IDENTIKEY Authentication Server Setup Wizard, you will see the Secure Auditing screen.
  • Page 51 First-time Configuration Note Secure Auditing for IDENTIKEY Appliance only supports elliptic curve keys that are NIST P-256 compliant and stored in the pkcs12 format. 5.5.3 HSM Configuration If you have installed a Hardware Security Module (HSM) you can configure it for use with the IDENTIKEY Appliance here.
  • Page 52: Identikey Authentication Server Admin User

    First-time Configuration IDENTIKEY Authentication Server Admin User Image 33: IDENTIKEY Authentication Server Setup Wizard: Identikey Admin User Enter a Username to be used as: The first administrator for the IDENTIKEY Authentication Server. An administrator login for the Configuration Tool. Enter and confirm a password. The password format must conform to the IDENTIKEY Authentication Server password strength rules.
  • Page 53 First-time Configuration Image 34: IDENTIKEY Authentication Server Setup Wizard: Ready to Configure 5.6.2 Configured IDENTIKEY Appliance Installation and Maintenance...
  • Page 54: Support Certificate Activation

    Support Certificate Activation To download and activate your IDENTIKEY Appliance Support Certificate: Browse to VASCO’s Registration website: https://sc.vasco.com/registration. Enter the Contract ID and Serial Number provided by VASCO for your IDENTIKEY Appliance and click on Login. IDENTIKEY Appliance Installation and Maintenance...
  • Page 55 First-time Configuration Image 36: VASCO's Registration website. If you have read and agreed with VASCO's Terms and Conditions, tick the check box and click on I AGREE.
  • Page 56 First-time Configuration Image 37: VASCO Terms and Conditions IDENTIKEY Appliance Installation and Maintenance...
  • Page 57 First-time Configuration Click on View contract information. Image 38: View installation information link Scroll to below the Installation Details and right click to download the Support Certificate, and save it to your network. Access the IDENTIKEY Appliance Configuration Tool as explained in 5.2 Access .
  • Page 58 First-time Configuration Image 39: Configuration Tool > Support Browse to the Support Certificate you have downloaded from the VASCO Product Registration website, and click Open. The Support Certificate information is displayed. IDENTIKEY Appliance Installation and Maintenance...
  • Page 59: Rescue Tool

    Rescue Tool Rescue Tool Overview The Rescue Tool allows administrators to access a limited number of settings through a command line menu. The functionality and use of the Rescue Tool is covered below. For more information on the concepts of the functionality of the Rescue Tool, please refer to the IDENTIKEY Appliance Product Guide.
  • Page 60 Rescue Tool Tip: Press ENTER if no logon prompt appears. Table 2: Settings to connect a workstation or laptop computer to the IDENTIKEY Appliance (Field: Value). Baudrate: 115200 bits per second; Parity: None; Data Bits; Stop Bit; Terminal Type: VT100. Image 40: Rescue Tool Menu
  • Page 61: Add Authentication For The Rescue Tool

    Rescue Tool Add Authentication for the Rescue Tool A facility exists to add more secure Users with access to the Rescue Tool. These Users can be configured to enter other login credentials in addition to the rescue user name. These Users can be defined using the IDENTIKEY Appliance Configuration Tool Settings >...
  • Page 62: Navigation And Functionality

    Rescue Tool Image 42: Add Rescue Users The User name and Password are entered on a pop-up screen. The password should have the strengths defined in the Password Strength section of the IDENTIKEY Appliance Product Guide. One or many Users can be created in this way.
  • Page 63: Reset To Factory Defaults

    Rescue Tool Reset to Factory Defaults Caution 1. The following Configurations and data are reset if you select the Reset to Factory Default option: – Data, including auditing and logging information, are all erased – The configuration is reset to factory default settings. –...
  • Page 64: Ping An Ip Address Or Hostname

    Rescue Tool Note The Default Gateway can also be modified in a similar way through the Rescue Tool. Ping an IP Address or Hostname You can ping a system in order to test whether it can connect to IDENTIKEY Appliance. To ping an IP Address: Type for network menu.
  • Page 65: System Actions

    System Actions System Actions Overview There are four system actions available in the IDENTIKEY Appliance Configuration Tool, through the System Actions menu topic. Image 43: IDENTIKEY Appliance System Action Buttons Reboot and Shut Down If the IDENTIKEY Appliance is shut down incorrectly it can be corrupted. One of the following methods of powering off or rebooting the IDENTIKEY Appliance should be used, in the following order of preference: Use the IDENTIKEY Appliance Configuration Tool, System >...
  • Page 66: Rescue Default Administrator Users

    System Actions Tip: Reboot and shut down buttons are also provided on the IDENTIKEY Appliance Configuration Tool Status screen. Rescue Default Administrator Users Administrator Users for both the IDENTIKEY Appliance Configuration Tool and IDENTIKEY Authentication Server can be reset in the IDENTIKEY Appliance Configuration Tool. To rescue the IDENTIKEY Appliance Configuration Tool sysadmin User: In the IDENTIKEY Appliance Configuration Tool, navigate to System >...
  • Page 67 System Actions Reset the Local Authentication policy setting to DIGIPASS/Password (this allows authentication with a static password or a DIGIPASS One-Time Password) Reset the Back-end Authentication policy setting to None (to prevent the use of Back-end authentication) IDENTIKEY Appliance Installation and Maintenance...
  • Page 68: Re-Licensing

    Overview A license file is required to make the IDENTIKEY Appliance fully operational. Licensing is the process of identifying an issued IDENTIKEY Appliance to VASCO for the issue of a License file. First-time licensing has been described in 5.3.10 Licensing Wizard.
  • Page 69: Accessing The Wizard For Re-Licensing

    Re-licensing: Accessing the Wizard for Re-licensing. To access the Licensing wizard after first-time licensing: Access and log onto the IDENTIKEY Appliance Configuration Tool. If re-licensing is necessary, a link is provided on the Status screen. Click on the link to initiate the Licensing Wizard.
  • Page 70: Current License Screen

    Re-licensing Image 45: Configuration Tool > System > License Current License Screen The Licensing wizard for re-licensing varies slightly from the first-time wizard. An additional screen after the Welcome screen displays the current licensing information. There are therefore six wizard screens: Welcome Current License (see image below) System Information...
  • Page 71: Re-Licensing For An Upgrade From An Evaluation License

    Re-licensing for a new License option or type (other than when upgrading from an Evaluation License) requires the following steps: Browse to VASCO’s Registration website: https://sc.vasco.com/registration. Enter the Maintenance Reference and Serial Number provided by VASCO for your IDENTIKEY Appliance and click on Login. IDENTIKEY Appliance Installation and Maintenance...
  • Page 72 Re-licensing Image 47: VASCO's Registration website. If you have read and agree with VASCO's Terms and Conditions, tick the checkbox and click on I AGREE.
  • Page 73 Re-licensing Image 48: VASCO Terms and Conditions Click on View installation information. IDENTIKEY Appliance Installation and Maintenance...
  • Page 74: Re-Licensing After A Major Identikey Appliance Version Upgrade

    Right click on the available License.dat file and save it to your network. (This file is made available to you via the VASCO Product Registration website on receipt of your purchase order.) Access the Licensing wizard as described above in 8.2 Accessing the...
  • Page 75: Re-Licensing For A Change Of Ip Address Or Replacement

    Re-licensing Re-licensing for a Change of IP Address or Replacement Caution Re-licensing is not possible until you have contacted the supplier of your IDENTIKEY Appliance. See the information on support in section 14.2 If you encounter a problem. The procedure for re-licensing with a change of IP address or for a backup restored to a different appliance, (e.g. for a replacement) requires: Contact your IDENTIKEY Appliance supplier for release of the appliance from its initial license.
  • Page 76: Re-Licensing For An Appliance Restored To Factory Default

    Restoring an appliance to Factory Default cleans the system and changes the Configuration Key. In this case, the installed License is also removed, although still bound in the VASCO back-office to the old Configuration Key. The procedure for re-licensing after returning an appliance to Factory Default, without restoring a backup requires: Contact your IDENTIKEY Appliance supplier for release of the appliance License from the old Configuration Key.
  • Page 77: Update Identikey Appliance

    In this section we describe how to update the IDENTIKEY Appliance using the IDENTIKEY Appliance Configuration Tool. VASCO is constantly improving its products, to solve problems or to address new needs. These improvements are distributed to the IDENTIKEY Appliance through the updating process. Updates are included in the IDENTIKEY Appliance software maintenance contracts.
  • Page 78: Retrieving Off-Line Update Packages

    Update IDENTIKEY Appliance Retrieving off-line Update Packages On-line retrieval is possible and recommended if your IDENTIKEY Appliance is connected to the VASCO Service Center. Retrieving an off-line Update package is only necessary if your organization does not permit a connection between your IDENTIKEY Appliance and the VASCO Service Center.
  • Page 79 Update IDENTIKEY Appliance. Indicate that you have read and agree to the terms and conditions by checking the check box and clicking the I Agree button. Image 51: VASCO Terms and Conditions
  • Page 80 Update IDENTIKEY Appliance Select the Files (Product upgrades) option. Image 52: Files (Product upgrades) option IDENTIKEY Appliance Installation and Maintenance...
  • Page 81 Update IDENTIKEY Appliance Click on IDENTIKEY Appliance Off-line upgrade packages to expand a list of available update packages. Image 53: IDENTIKEY Appliance Off-line upgrade packages IDENTIKEY Appliance Installation and Maintenance...
  • Page 82: Update Wizard

    Update IDENTIKEY Appliance Click on the required Update file to display its details and download link. Image 54: Example Upgrade package details and download link Click on the link to download the Upgrade package. Update Wizard The Update Wizard takes you through a number of screens, guiding entry of information needed to update the IDENTIKEY Appliance: Welcome Select Update...
  • Page 83: Welcome

    Update IDENTIKEY Appliance Welcome Image 55: Update Wizard Welcome Screen IDENTIKEY Appliance Installation and Maintenance...
  • Page 84: Select Update

    Select Update Image 56: Update Wizard Select Update Screen If your IDENTIKEY Appliance is connected to the VASCO Service Center, select to request a list of any available updates. The Wizard continues to the screen in section 9.6 Available Updates (on-line process only).
  • Page 85: Available Updates (On-Line Process Only)

    Available Updates (on-line process only) Image 57: Update Wizard Available Updates Screen Retrieval steps are reported on the screen. Any updates available from the VASCO Service Center are listed. Click on an update to download it. IDENTIKEY Appliance Installation and Maintenance...
  • Page 86: Download Update (On-Line Process Only)

    Update IDENTIKEY Appliance Download Update (on-line process only) Image 58: Update Wizard Download Update Screen Download steps are reported on the screen. Click on Next to continue. Verify Update Verification steps are reported on the screen. Following successful verification, a change log for the selected update is displayed. Clicking on Next initiates installation of this update and rebooting of the IDENTIKEY Appliance.
  • Page 87: Backup And Restore

    Backup and Restore Backup and Restore 10.1 Overview In this section, we explain how to configure the backup and restore functionality, and the feedback provided, in the IDENTIKEY Appliance Configuration Tool. The Backup facility allows administrators to save a copy of the IDENTIKEY Appliance database configuration settings and data.
  • Page 88: Manual Backup

    Backup and Restore: Enter and confirm a Pass Phrase. Click on Save. After configuration, custom encryption will be applied to manual, automatic and scripted backups. Image 59: Configuring Custom Encryption. 10.3 Manual Backup: Initiating a manual backup requires the following steps: In the IDENTIKEY Appliance Configuration Tool, click on System >...
  • Page 89: Automatic Backup

    Backup and Restore Image 60: Create Backup Manually 10.4 Automatic Backup Configuring automatic backup requires the following steps: In the IDENTIKEY Appliance Configuration Tool, click on System > Backup & Restore. Check the Use Custom Encryption box, if required. You will then need to enter and confirm a pass phrase. Select the relevant check box for the Automatic Backup Protocol to be used on the backup server and...
  • Page 90 Backup and Restore For the SFTP protocol used with Public Key only: click on the Download link to retrieve the IDENTIKEY Appliance public key and install it on the SFTP server. Please refer to the documentation for your SFTP server for further instructions. Use the Test settings link to test the configuration.
  • Page 91: Scripted Backup

    Backup and Restore Image 62: Configuring Frequency of Automatic Backup 10.5 Scripted Backup Customers can write their own backup script/tool to request a backup from the IDENTIKEY Appliance. The URL to access the IDENTIKEY Appliance backup is: https://<ip>/system/backup/download Configuring authentication for scripted backups requires the following steps: In the IDENTIKEY Appliance Configuration Tool, click on System >...
  • Page 92 Backup and Restore Image 63: Configuring and Testing Settings for Scripted Backups Note The User name and password for a script to authenticate with the IDENTIKEY Appliance and download a backup can be freely chosen and defined on the System Backup screen. These credentials are not associated with a User Account in the IDENTIKEY Authentication Server Administration Web Interface.
  • Page 93: Restore

    Backup and Restore 10.6 Restore Caution 1. Restoring a backup file overwrites previous configuration settings and data. 2. After restoring a backup from another IDENTIKEY Appliance, re-licensing is necessary (see section Re-licensing). 3. If you have configured a Custom Encryption Pass Phrase, you will need to enter the Pass Phrase during the Restore Wizard.
  • Page 94 Backup and Restore Image 64: System Backup & Restore Screen (left) and Reboot (right) To restore a backup on a replacement IDENTIKEY Appliance: Restoring a backup on a replacement IDENTIKEY Appliance is accomplished via the same steps as a regular replacement procedure –...
  • Page 95: Replacement

    Upgrade paths for all features may not be supported when restoring a backup to a more recent version. If in doubt, please contact your supplier, who will automatically contact the appropriate VASCO expert, if necessary. The IDENTIKEY Appliance can be easily replaced in the event of hardware failure, by restoring a backup from your old appliance to a new appliance following the series of steps explained in this section.
  • Page 96 Replacement 11.3 Replacement Procedure To install and license a replacement IDENTIKEY Appliance: Connect the replacement IDENTIKEY Appliance to your network as explained in section Connecting. Access the Configuration Tool as explained in sections Access. The Configuration wizard offers you a link to restore a backup. This enables you to proceed with the backup without having to complete the Configuration wizard.
  • Page 97 RAID NOTE The information in this section does not apply to IDENTIKEY Virtual Appliance! 12.1 Overview The RAID option (for IDENTIKEY Appliance AG-7XXX models only) provides (hot swappable) hard disk redundancy between two hard disks, supporting full services even when a hard disk fails. Two hard disks are housed in two out of three available slots.
  • Page 98 RAID 12.2 Maintenance Wizard To access and maintain RAID: Access the IDENTIKEY Appliance Configuration Tool. When there is a status message advising that the RAID configuration requires an action, click on the link provided to launch the maintenance wizard. Image 65: RAID Status and link to Maintenance Wizard A welcome screen is presented.
  • Page 99 RAID Image 66: Example Status and Actions screen in RAID Maintenance Wizard Select the appropriate action and click Next. Follow further instructions in the wizard. Instructions will vary according to the configuration status and the action you have selected. See example below: Example: Replacement, for example, requires the following steps: - The Replace action must first be selected on the 'Possible Actions' screen in the wizard.
  • Page 100 Hardware Security Module In this section we provide instructions on how to set up a Hardware Security Module device. Configuring the HSM must be completed before initiating the IDENTIKEY Authentication Server Setup Wizard (5.5 IDENTIKEY Authentication Server Setup Wizard).
  • Page 101 The signed VACMAN Controller Firmware Module file – aal2sdk.fm – should be copied to the machine on which the HSM administration will take place. The corresponding VASCO code signing certificate is required to upload this signed module (vascosigningcert.crt). 13.1.1 Install Unsigned Hardware Security Module Install the Hardware Security Module, with the required drivers and libraries.
  • Page 102 Hardware Security Module Generate SSL certificate in the user slot: At a terminal, enter: ctcert c -s<UserSlotID> -k -z<KeySize> -l<CertificateName> where <UserSlotID> is the ID of the slot on which the certificate should be generated, <KeySize> the length of private key required (minimum size is 1024), and <CertificateName>...
  • Page 103 ID of the administration slot to which the certificate is being copied, and <CertificateName> is the certificate to be imported. Provide the admin PIN for the import. Mark the VASCO signing certificate as trusted in the admin slot. ctcert t -l <CertificateName> -s <AdminSlotID> where <CertificateName>...
  • Page 104 Hardware Security Module encrypt enabled decrypt enabled sensitive derive Other attribute settings are optional. 13.1.5 Replicate to required slots If using multiple Hardware Security Modules with IDENTIKEY Appliance, the keys created above must be replicated to the other HSMs. This process must be performed each time a key change occurs and consistency among HSMs is required.
  • Page 105 Hardware Security Module 13.1.6 Secure Auditing for HSM Image 67: Secure auditing for HSM To enable Secure Auditing for HSM, a Master Audit Keypair will have to be created on the HSM. This must be performed before configuring IDENTIKEY Appliance for Secure Auditing. The public key from the Master Audit Keypair must be exported from the HSM to allow its use in verification.
  • Page 106 { digitalSignature, nonRepudiation } The following is an example of the contents of an attributes file. label { MasterAuditCertificate } serialnumber { 1234 } issuer { CN=MasterAudit, OU=Identikey, O=VASCO, C=US subject { CN=MasterAudit, OU=Identikey, O=VASCO, C=US keyusage {...
  • Page 107 Hardware Security Module ctcert c -t ec -Csecp256r1 -d1825d -k -lMasterAuditKey -s0 -xattributes.txt Where: -t ec means create an Elliptic Curve key. -Csecp256r1 means to create the key using this type of elliptic curve. 1825d creates a certificate which has a validity period of 1825 days from the date this command is run. MasterAuditKey will be the label of the private key created on the HSM device.
  • Page 108 VASCO product. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert, who will contact you to provide remote support through the VASCO Service Center if necessary (see next section).
  • Page 109 If necessary, VASCO experts can access your IDENTIKEY Appliance remotely to solve any problems. Remote support requires a connection between the VASCO Service Center and your IDENTIKEY Appliance. A Support Certificate must be installed before a connection can be made to the VASCO Service Center. Please see section 5.7 Support Certificate Activation...
  • Page 110 It is also possible to avail of remote support without installing a Support Certificate. However, to do so would involve providing VASCO support staff with VPN access to your network. This will allow one of our representatives to access your IDENTIKEY Appliance Configuration Tool directly.

This manual is also suitable for:

Identikey ag-5 series, Identikey ag-7 series
