Digipass Plug-In for SBR Installation Guide - Vasco

Digipass Plug-In for SBR 

SBR Plug-In 

SBR 

Steel-Belted RADIUS 

Installation G uide

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

Copyright 

© 2006 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2006 VASCO Data Security Inc. 2

Digipass Plug-In for SBR Installation Guide Table of Contents 

Table of Contents 

1 Introduction..........................................................................................................5 

1.1 Available Reference Guides.......................................................................................... 5 

1.2 System Requirements...................................................................................................6 

1.2.1 Requirements Specific to Active Directory.................................................................... 6 

1.2.2 Requirements Specific to ODBC Database.................................................................... 6 

1.3 Components and Options..............................................................................................7 

2 Pre-installation Tasks........................................................................................... 8 

2.1 Data Store.................................................................................................................... 8 

2.2 Active Directory............................................................................................................9 

2.2.1 Checklist – Decisions................................................................................................ 9 

2.2.2 Active Directory Setup.............................................................................................. 9 

2.2.2.1 Schema Extensions............................................................................................................9 

2.2.3 SSL Setup.............................................................................................................. 9 

2.3 ODBC Database...........................................................................................................11 

2.3.1 Checklist – Decisions.............................................................................................. 11 

2.3.2 Modify Database Structure...................................................................................... 11 

2.3.2.1 DPDBadmin Utility........................................................................................................... 11 

2.3.2.2 Permissions.................................................................................................................... 11 

2.3.3 PostgreSQL Database............................................................................................. 12 

2.4 System Clock.............................................................................................................. 12 

2.5 Serial Number and Maintenance ID............................................................................ 12 

2.6 Checklist – Active Directory........................................................................................13 

2.7 Checklist – ODBC Database.........................................................................................13 

3 Installing Digipass Plug-In for SBR.....................................................................14 

3.1 Typical Installation – Active Directory........................................................................ 14 

3.1.1 Scenario & Decisions.............................................................................................. 14 

3.1.2 Extend Schema..................................................................................................... 14 

3.1.3 Run Install............................................................................................................ 15 

3.2 Typical Installation – Embedded Database................................................................. 22 



3.3 Typical Installation – ODBC Database.........................................................................28 


3.3.2 Extend Schema..................................................................................................... 28 


3.4 Multiple Product Installation...................................................................................... 36 

3.5 Upgrading from Digipass Plug-In for Funk 2.0 or 2.1..................................................37 

3.6 Post-Installation Tasks...............................................................................................38 

3.6.1 Licensing.............................................................................................................. 38 

3.6.1.1 Evaluation Serial Number..................................................................................................38 

3.6.1.2 Obtain License Key File.....................................................................................................38 

3.6.1.3 Load License Key.............................................................................................................38 

3.6.2 Encryption Settings................................................................................................ 39 

3.6.3 Backup Strategy.................................................................................................... 39 

3.6.4 Active Directory Tasks............................................................................................ 39 


Digipass Plug-In for SBR Installation Guide Table of Contents 

3.6.4.1 Additional Setup Steps for Multiple Domains........................................................................39 

3.6.4.2 Set up Active Directory SSL.............................................................................................. 39 

3.6.4.3 Active Directory Replication...............................................................................................39 

3.6.4.4 Active Directory Auditing.................................................................................................. 40 

3.6.5 ODBC Tasks.......................................................................................................... 40 

3.6.5.1 Configure User ID and Domain Handling............................................................................. 40 

3.6.5.2 Permissions for Group Check.............................................................................................41 

3.6.5.3 Configure Connection Parameters...................................................................................... 42 

3.6.5.4 Additional Databases........................................................................................................42 

3.6.5.5 Additional Setup Steps for Multiple SBR Plug-Ins..................................................................42 

3.6.6 Configure Steel-Belted RADIUS to Use SBR Plug-In..................................................... 42 

4 Add Components to Installation..........................................................................43 

5 Repair Installation.............................................................................................. 44 

6 Uninstall Digipass Plug-In for SBR...................................................................... 45 

6.1 Manual Uninstall......................................................................................................... 45 

6.2 Active Directory..........................................................................................................45 

6.3 ODBC Database...........................................................................................................45 

7 DPADadmin Utility...............................................................................................46 

7.1 addschema command................................................................................................. 46 

7.2 upgradeprofiles command.......................................................................................... 48 

8 DPDBadmin Utility...............................................................................................49 

8.1 addschema command................................................................................................. 49 

8.1.1.1 Prerequisite Information................................................................................................... 49 

8.1.1.2 Extend the Schema on the SBR Server............................................................................... 49 

8.1.1.3 Command Line Syntax......................................................................................................49 

8.2 upgradeprofiles command.......................................................................................... 51 


Digipass Plug-In for SBR Installation Guide Introduction 

1 Introduction 

1.1 Available Reference Guides 

These Reference Guides are available: 

Product Guide 

The Product Guide will introduce you to the features of this product and the various options 

you have for using it. 

Installation Guide 

Use this guide when planning and working through an installation of the product. 

Getting Started 

To get you up and running quickly with a simple installation and setup of the product. 

Administrator Reference 

In-depth information required for administration of the product. 

Data Migration Tool Guide 

Takes you through a data migration from one VASCO product to another, using the VASCO 

Data Migration Tool. 

Help Files 

Accompany various utilities and the administration interfaces. 



1.2 System Requirements 


Steel-Belted RADIUS 5.0 or greater 

Operating System 

One of the following Windows versions: 

Language 

Windows Server 2003 (32-bit version only) 

Windows XP Professional (32-bit version only) with Service Pack 1 or above 

Windows 2000 with Service Pack 4 or above 

The Digipass Plug-In for SBR is designed to function on any language version of Windows. 

However, the product has only been comprehensively tested on English language versions of 

Windows, with some additional German language testing. 

1.2.1 Requirements Specific to Active Directory 

Digipass Extension for Active Directory Users and Computers 

Active Directory Users and Computers Snap-In 

Active Directory set up for SSL 

In the following cases, SSL must be available for Digipass Plug-In for SBR components to 

connect to Active Directory: 

SBR Plug-In not installed on a Domain Controller. 

Administration Interfaces not installed on a Domain Controller. 

SBR Plug-In and/or Administration Interface(s) on a Domain Controller, but accessing 

data in another domain. 

An Enterprise Certificate Authority must be installed in the forest to enable SSL. 

Windows Certificate Services is available as an optional Windows component. 

1.2.2 Requirements Specific to ODBC Database 

The Digipass Plug-In for SBR will support most modern ODBC-compliant relational, 

transactional databases. It has been tested on the following databases: 

Oracle 9i 

Microsoft SQL Server 2000 

DB2 8.1 

Sybase Adaptive Server Anywhere 9.0 

PostgreSQL 8.1 



1.3 Components and Options 

The following components make up the Digipass Plug-In for SBR. See the Product Guide for 

more information. 


The SBR Plug-In is an Authentication Module for Steel-Belted RADIUS which permits an 

increase in SBR security by adding two-factor authentication. 


Digipass Extension to the Active Directory Users and Computers interface. It allows integrated 

administration of additional User settings and Digipass records. The Extension is used only 

when Active Directory is selected as the data store for the Digipass Plug-In for SBR. 

Administration MMC Interface 

This interface allows easy administration of Digipass-related data. If the data store is Active 

Directory, the Administration MMC Interface will be used only to administer configuration 

settings such as Policies and Components. If the data store is an ODBC database, the interface 

will be used to administer all Digipass-related data. 

User Self Management Web Site 

Allows Users to make appropriate changes to their own Digipass User account, including 

password changes. 

Virtual Digipass Message Delivery Component 

Sends a One Time Password through a text message gateway to a User’s mobile phone. 

Virtual Digipass OTP Request Site 

Allows a User to specifically request an OTP to be sent to their mobile phone. 


Digipass Plug-In for SBR Installation Guide Pre-installation Tasks 

2 Pre-installation Tasks 

This section outlines the preparation that you need to do before installing the Digipass Plug-In 

for SBR. 

2.1 Data Store 

Before starting other pre-install tasks, you must decide on the type of data store to be used. 

There are three options: 

Active Directory 

Integrate Digipass-related data with Active Directory and Windows user accounts. 

ODBC Database 

Include Digipass-related data in a new or existing ODBC database. 

Embedded PostgreSQL Database 

Include an embedded PostgreSQL database in the installation of Digipass Plug-In for SBR, and 

use it as the data store. 



2.2 Active Directory 

2.2.1 Checklist – Decisions 

The following checklist contains the key decisions to make before you start. 

Approve the Schema Extensions 

If your company has an approval process to go through for extensions to the Active 

Directory Schema, go through this process. 

Identify the Digipass Configuration Domain 

Either identify an existing Domain or sub-domain into which the Digipass 

Configuration Container should be added, or plan to create a new one. 

Domain Administrator 

Select a Domain Administrator account in the Digipass Configuration Domain to use 

in installing the Digipass Plug-In for SBR. 

Installation Location 

Decide where to install the Plug-In, if a choice of SBR server location exists. 

If you are installing with the purpose of going through a basic evaluation process, 

installing onto a Domain Controller is recommended. This will mean that SSL will not 

need to be set up in order for the Plug-In to function. 

2.2.2 Active Directory Setup 

2.2.2.1 Schema Extensions 

Run the addschema command: 

1. Log into the Schema Master as a member of the Schema Administrators group. 

2. Copy dpadadmin.exe onto the Schema Master 

3. Open a command prompt in the location to which it was copied. 

4. Type: 

dpadadmin addschema -v 

5. If DPADadmin detects that Schema extensions are not currently permitted, it will 

prompt you whether to enable them or not. Enter y to enable them, or n to cancel 

(see 7.1 addschema command for more information). 

6. Wait several minutes for the Schema extensions to replicate to all the domains and for 

the local Domain Controller to update its internal data caches. 

2.2.3 SSL Setup 

An Enterprise Certificate Authority must exist in the forest so that SSL may be used by the 

SBR Plug-In to connect to Active Directory. If one is not already installed, follow the 

instructions below to install the Certificate Authority included with Windows. 

The Certificate Authority may be installed on any server in the forest, if the server selected is 

available to the Domain Controller(s) used by the SBR Plug-In. 



You may need the Windows CD in order to complete this process. 

1. Open Windows Add or Remove Programs. 

2. Click on the Add/Remove Windows Components button. 

The Windows Components Wizard will be displayed. 

3. Tick the Certificate Services checkbox and click Next. 

4. Select the Enterprise root CA option button and click Next. 

5. Enter the details required and click on Next. 

6. If required, modify the Data Storage Locations. Otherwise, leave these as the default 

values and click on Next. 

Certificate Server has now been installed. Wait several minutes to allow the Domain 

Controllers to enrol for Domain Controller certificates. 



2.3 ODBC Database 

2.3.1 Checklist – Decisions 

The following checklist contains the key decisions to make before you start. 

Database Location and Setup 

A number of decisions are required for the ODBC database to be used: 

The server on which the database will be located. 

Will the data for the Digipass Plug-In for SBR will be stored in a new database, or 

added to an existing database. 

Will a new schema be used? 

Which database account will own the tables created? 

New Database 

Decide the collation sequence to be used – for example, case-sensitivity. 

Database User Accounts 

Create or select database user accounts for: 

Modifying the database schema (database administrator account required). 

SBR Plug-In (see the Administrator Reference for details on the permissions 

required) 

Administration MMC Interface (see the Administrator Reference for details on the 

permissions required) 

2.3.2 Modify Database Structure 

2.3.2.1 DPDBadmin Utility 


1. Copy dpdbadmin.exe from the Windows/Utilities directory on the installation CD or 

zip file onto the computer from which the database can be accessed. 

2. Create an ODBC Data Source for the database on the computer, if one does not 

currently exist. 


4. Type: 

dpdbadmin addschema –u user_name –p password -d dsn 

Ensure that the User ID and password used are that of the database administrator 

account. 

2.3.2.2 Permissions 

If the database user account used by the SBR Plug-In is not the owner of the tables and is not 

a database administrator account, it must be granted permissions for the tables, or ownership 

of the tables transferred. 



The database user account used by the Administration MMC Interface will require the same. 

Note 

Ensure that it is possible for the account(s) mentioned to reference the tables 

by name without a schema prefix. If this cannot be done, see the Administrator 

Reference for advanced setup instructions. 

2.3.3 PostgreSQL Database 

If you will be using a PostgreSQL database other than the embedded database (ie, selecting 

the Plug-In install using an ODBC-compliant database option during installation), ensure 

that the LF CR/LF conversion option is disabled. To do this: 

1. Open the ODBC Data Source Administrator. 

2. Select the data source. 

3. Click on Configure... 

4. Click on Datasource. 

5. Click on Page 2. 

6. Untick the LF CR/LF conversion checkbox. 

7. Click on OK. 

8. Click on Save. 


2.4 System Clock 

The SBR Plug-In requires that your server’s time is set correctly in relation to GMT, and that 

the time zone and daylight savings indicators are set correctly. 

All machines hosting components of the Digipass Plug-In for SBR, if not Domain Controllers, 

should be clock-synchronized with the Domain Controller(s) in the domain. 

2.5 Serial Number and Maintenance ID 

You must have a product Serial Number and a company Maintenance ID unless you are 

installing an evaluation version of the Digipass Plug-In for SBR. If these have not been issued 

to you, contact your VASCO Reseller. 



2.6 Checklist – Active Directory 

Digipass Configuration Domain has been identified. 

Active Directory Schema extensions have been made. 

Active Directory changes have been replicated to all required Domain 

Controllers. 

System clock and time zone settings are accurate. 

Serial Number has been obtained. 

Enterprise Certificate Authority is installed, if SSL is required. 

2.7 Checklist – ODBC Database 

Database schema modifications have been made to a new or existing 

database. 

Database user account(s) for SBR Plug-In and administration have been 

created. Required permissions have been granted to the account(s). 

System clock and time zone settings are accurate. 

Serial Number and Maintenance ID have been obtained. 


Digipass Plug-In for SBR Installation Guide Installing Digipass Plug-In for SBR 

3 Installing Digipass Plug-In for SBR 

3.1 Typical Installation – Active Directory 

3.1.1 Scenario & Decisions 

This 'typical installation' process uses the following decisions and scenario: 

Implementation Decisions 

The following decisions were taken for the purposes of this installation process: 

The Schema extensions have been approved. 

The Digipass Configuration Domain has been identified as the existing sub-domain, 

test.dm3.vasco. 

The member server SVR of the sub-domain test.dm3.vasco will be used to install 

Digipass Plug-In for SBR. This requires an Enterprise Certificate Authority to be installed 

in the forest, so that SSL is enabled. The instructions will take you through installing 

Windows Certificate Services onto a Domain Controller in the Forest Root domain. 

The scenario 

A Domain dm3.vasco (this is the Forest Root Domain). 

A sub-domain test.dm3.vasco of dm3.vasco. The sub-domain acts as the Digipass 

Configuration Domain and contains all the configuration data, including Policies and 

Components. 

A single SBR Server SVR, a member server in the Digipass Configuration Domain. 

A Domain Controller DC-02 acting as the Schema Master on dm3.vasco. 

Certificate Server will be installed on DC-02. 

3.1.2 Extend Schema 


1. Log into the machine from which schema changes will be made (DC-02). 

2. Copy dpadadmin.exe onto the machine. 


4. Type: 

dpadadmin addschema 


prompt you whether to enable them or not. Enter y to enable them, or n to cancel. 

6. Wait several minutes for the Schema extensions to replicate to the sub-domain and 

for the local Domain Controller to update its internal data caches. 



3.1.3 Run Install 

Install the standard installation components on a single machine. 

1. Start the Digipass Plug-In for SBR install process on the SBR server (SVR). 

If you are not using the CD Autorun interface, locate and double-click on the 

Digipass_PlugIn_for_SBR_220_setup.exe file. 

The Digipass Plug-In for SBR splash screen will be displayed, followed by the License 

Agreement dialog. 

2. Read the agreement carefully. 

3. To accept the License Agreement, click I Agree. 

If you do not accept the License Agreement, and click Cancel, the install will 

terminate. 



The Installation Type dialog will be displayed. 

4. Select Plug-In install using Active Directory and click on Next. 

Note 

If you are evaluating or running a test install of the Digipass Plug-In for SBR, you may 

wish to use the embedded PostgreSQL database provided. 

The Select Components dialog will be displayed. 

5. Select the components you want to install. These components are required for the 

running and administration of the Digipass Plug-In for SBR: 



6. Click Next. 




The Customer Information dialog will be displayed. 

7. Enter your user name and company name 

8. If you are installing an evaluation copy of the Digipass Plug-In for SBR, tick the Use 

an evaluation license checkbox. 

If not, enter the serial number for the product in the Serial Number field. 

9. If there are multiple IP addresses registered for the machine, you will be asked which 

IP address the Digipass Plug-In for SBR should use. Select an IP address and click on 

the Next button. 

10. Click on the Next button. 



The Active Directory Pre-Requisites dialog will be displayed. 

11. If this is not the first SBR Plug-In to be installed: 

a. Ensure that Active Directory has had time to replicate changes to the Schema. 

b. Tick the This is not the first SBR Plug-In to be installed checkbox. 

12. If you have run the addschema command, click on Next. If not, run the command 

(see 7.1 addschema command for instructions), wait for the Schema changes to be 

replicated to the sub-domain then click on Next. 

The install program will check the Active Directory Schema. 

The Digipass Configuration Domain dialog will be displayed. 



13. Enter the fully qualified name of the Domain in which Digipass Plug-In for SBR should 

store its data. This domain must currently exist. 

14. Click on Next. 

15. If you have chosen to install the User Self Management Web Site and IIS is installed 

on the machine, a pop-up dialog will ask if you wish to allow the install program to 

create a Virtual Directory on the default IIS web site on this machine, and install the 

User Self Management Web Site files there. Click Yes to allow this or No to set it up 

manually later. 

16. If you have chosen to install the OTP Request Site and IIS is installed on the 

machine, a pop-up dialog will ask if you wish to allow the install program to create a 

Virtual Directory on the default IIS web site on this machine, and install the OTP 

Request Site files there. Click Yes to allow this or No to set it up manually later. 

The Installation Directory dialog will be displayed. 

17. To install to the default location (C:\Program Files\VASCO\Digipass Plug-In for SBR if 

Windows is installed on the C: drive), click on Install. If you wish to install to a 

location other than the default, click on Browse, specify the installation location and 

click on Install. 

The Installation Progress dialog will be displayed, showing the progress of your install. 

Click Next when the install is complete. 



The Activation Options dialog will be displayed. 

18. Select a licensing option: 

Note 

If you are using an evaluation license, you still need to go through the license 

activation process. 

Select the Go to the Activation Web page now option to immediately view the 

licensing page on the VASCO web site. 

Check any details which were automatically filled in, fill in any extra information 

required, and select the method to receive the license key – either email or 

download. 

After the Activation Web Page has been submitted, the license key file will either 

start downloading, or be emailed to the email address you supplied. 

Save the license key file to a directory on the install machine, then go back to 

the installation screen. The screen will allow you to browse to the license key file 

for immediate loading. 

Select the Save a shortcut to the desktop for later option to save a shortcut on 

the desktop to use at a later time. 

If you already have a license file, select the Load the License Key from an 

existing License File option. 

Browse to the file location and select the license key file. 

The install program will load the license key during the installation progress. 

Select Just Continue to do nothing with the license at this time. 



The Restart Required dialog will be displayed. 

19. Click the Yes option button to restart the machine, or No to add the license file or 

perform other tasks before restarting. 

20. Click Finish when this process is complete. 



3.2 Typical Installation – Embedded Database 



The scenario 

The embedded PostgreSQL database will be used. 

A database administrator account will be created automatically, with UserID of digipass 

and password digipassword. 

The installation will be run on the Steel-Belted RADIUS server. 

A Data Source will be automatically created on the Steel-Belted RADIUS server for the 

new database. 











terminate. 




4. Select Plug-In install with an embedded database. 



running and administration of the Digipass Plug-In for SBR: 





Note 

The Active Directory Users and Computers Extension option is unavailable 

when the Standard ODBC installation type is selected. 

Inclusion of this option when the Custom installation type is selected will cause 

Active Directory to be used as the data store. 



7. Enter your user name and company name. 




9. If there are multiple IP addresses registered for the machine, you will asked which IP 

address the Digipass Plug-In for SBR should use. Select an IP address and click on 



















The Installation Progress dialog will be displayed, showing the progress of your 

install. 






Note 

If you are using an evaluation license, you still need to go through the 

license activation process. 





download. 






Select the Save a shortcut to the desktop for later option to save a shortcut 

on the desktop to use at a later time. 














3.3 Typical Installation – ODBC Database 



The scenario 

A new database has been created. 

A new database administrator account has been created and named DBAdmin. This 

account will own all tables and will be used: 

in running the addschema command 

by the SBR Plug-In 

for administration 

The installation will be run on the Steel-Belted RADIUS server. 

A Data Source has been created on the Steel-Belted RADIUS server for the new 

database. The Data Source Name has been set to DBA. 

3.3.2 Extend Schema 


1. Copy dpdbadmin.exe from the Windows/Utilities directory on the installation CD or 

zip file onto the Steel-Belted RADIUS server. 

2. Create an ODBC Data Source for the database on the computer, if one does not 

currently exist. 

3. Open a command prompt in the location to which the executable was copied. 

4. Type: 

dpdbadmin addschema –u DBAdmin –p -d DBA 

Ensure that the User ID and password used are that of the database administrator 

account. 













terminate. 




4. Select Plug-In install using an ODBC-compliant database. 

Note 

If you are evaluating or running a test install of the Digipass Plug-In for SBR, you may 

wish to use the embedded PostgreSQL database provided instead. 





running and administration of the Digipass Plug-In for SBR where an ODBC database 

(including Access) is used as the data store: 

Note 



The Active Directory Users and Computers Extension option is unavailable 

when the Standard ODBC installation type is selected. 

Inclusion of this option when the Custom installation type is selected will cause 

Active Directory to be used as the data store. 



7. Enter your user name and company name. 




9. If there are multiple IP addresses registered for the machine, you will asked which IP 

address the Digipass Plug-In for SBR should use. Select an IP address and click on 





The ODBC Pre-Requisites dialog will be displayed. 

11. If this is not the first SBR Plug-In to be installed, tick the This is not the first SBR 

Plug-In to be installed checkbox. 

12. If you have run the addschema command, click on Next. 

If not, run the command (see 7.1 addschema command for instructions), then click 

on Next. 

The ODBC Connection Details window will be displayed. 

13. Enter the Data Source Name for the database and, if required, a Username and 

password to use in connecting to it. 



The install program will check the database schema. 
















install. 






Note 

If you are using an evaluation license, you still need to go through the 

license activation process. 





download. 






Select the Save a shortcut to the desktop for later option to save a shortcut 

on the desktop to use at a later time. 














3.4 Multiple Product Installation 

If another VASCO product is already installed on the machine, the installation process will run 

in Add Components mode, as most data and many components are shared between products. 

Typically, you will only need to add the SBR Plug-In component, but others may be added if 

not already installed. See the 4 Add Components to Installation section for instructions 

after reading the information below. 

These changes will affect your existing installation: 

Data Store Selection 

You will not be given a choice of data store. All Digipass-related data will be stored in the 

same data store as used by the currently-installed VASCO product. 

Start Menu Changes 

Installing more than one VASCO product on a machine will cause VASCO Start menu options to 

be re-arranged, as components may be shared between products. Links to components and 

documentation specific to the product will be located under VASCO -> (eg. 

VASCO -> Digipass Plug-In for SBR). Links to shared components will be located in 

VASCO -> Common Components. 

Automatic Component Upgrade 

If the second product has a later version of any of the shared components, these components 

will be upgraded as part of the installation. 

Shared Components not Removed during Uninstall 

When uninstalling one of the products on a machine that has more than one, the uninstaller 

will only remove the specific plug-in component - it will leave all the shared components. They 

will only be removed when you uninstall the last product. 

Important Note 

If the second product had later versions of any components, ensure that you 

uninstall the second product last if you want to uninstall both products. The 

uninstaller for the original product may not possess all the necessary 

information to completely remove newer components. 

Repairing Components 

When two products are installed on the same machine and a repair is attempted, the 

installation program will only be able to repair the components that are specific to it or are 

shared. For example, the Digipass Plug-In for IAS installation program will not repair the SBR 

Plug-In. 

If the other product has a later version of one of the shared components, it will not be 

repaired. In that case, the other product's installer is needed to repair that shared component. 

In general, use the latest versioned product to repair shared components. 



3.5 Upgrading from Digipass Plug-In for Funk 2.0 or 2.1 

If the Digipass Plug-In for Funk 2.0 or 2.1 is currently installed, it may be upgraded to version 

2.2 by following these steps: 

1. Ensure that your company has an upgraded license for version 2.2. 

2. Get and load an updated license file (see 3.6.1.2 Obtain License Key File and 

3.6.1.3 Load License Key for instructions). 

3. Check that the Administration MMC Interface and the SBR Administrator programs are 

not running. 




A window will be displayed, asking if you want to upgrade the installation. 

5. Click on Yes. 

The Digipass Plug-In for SBR installation will be updated to the production version. 

6. Reboot if required. 

7. If you were using RADIUS Profiles in the Digipass User accounts in Digipass Plug-In for 

Funk 2.0 or 2.1, run the upgradeprofiles command to convert the old RADIUS Profiles 

information to the new User Attributes format. See 7.2 upgradeprofiles command 

(Active Directory) or 8.2 upgradeprofiles command (ODBC database) for more 

information. 

Note 

The data store used for the Digipass Plug-In for SBR may not be changed 

during an upgrade. If an ODBC database is to be used as the data store, 

version 2.0 or 2.1 of the Digipass Plug-In for Funk must be uninstalled from a 

machine before version 2.2 may be installed. 

If the Digipass Plug-In for IAS is installed on a machine, an ODBC database 

may not be used as the data store for the Digipass Plug-In for SBR. 



3.6 Post-Installation Tasks 

3.6.1 Licensing 

Each SBR Plug-In will require a license key to be loaded into its Component record – even if 

you are using an evaluation license. If this is not completed during the install process, it will 

need to be done before the SBR Plug-In can be used. 

3.6.1.1 Evaluation Serial Number 

If you do not obtain a license key file during installation of the SBR Plug-In, but wish to use an 

evaluation license, you will need to use this serial number on the VASCO licensing site: 

213DFFBDA5. 

3.6.1.2 Obtain License Key File 

Note 

An active internet connection is required to obtain a License Key. 

1. Open the Administration MMC Interface. 

2. Click on the Components node. 

The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 

4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 

5. Click on the Request License Key... button. 

A browser window will be opened, with the VASCO Licensing site loaded. Any 

required information which the SBR Plug-In has will be entered as the site is loaded. 

6. Enter any other required information in the browser window. 

7. Click on the Request License Key button in the browser window. 

A download of your license key file should begin. Keep note of where you save the 

file, and its name. 

3.6.1.3 Load License Key 

1. Open the Administration MMC Interface. 

2. Click on the Components node. 

The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 



4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 

5. Click on the Load License Key... button. 

6. Browse to the download location and select the license key file. 

7. Click on Open. 

A message window will display the success or failure of loading the license key into 

the data store. 

3.6.2 Encryption Settings 

If you will be using a custom encryption key for sensitive data, this should be set before 

Digipass are imported to the 'live' version of the Digipass Plug-In for SBR. See the Sensitive 

Data Encryption topic in the Administrator Reference for more information. 

3.6.3 Backup Strategy 

Consider a backup strategy to be put in place for files which will require backing up. For more 

information, see the Administrator Reference. 

3.6.4 Active Directory Tasks 

3.6.4.1 Additional Setup Steps for Multiple Domains 

When using the SBR Plug-In in multiple domains, extra steps must be followed to ensure that 

the SBR Plug-In has permissions sufficient to access required data in other domains. See the 

Set Up Active Directory Permissions section of the Administrator Reference. The Multiple 

Domains topic in this section contains instructions for cross-domain scenarios, and can be 

used as follows: 

If the SBR Plug-In you have just installed is not in the Digipass Configuration Domain, follow 

the instructions in Scenario 1. 

If the SBR Plug-In you have just installed will be used to authenticate Users in domains other 

than its own, follow the instructions in Scenario 2. 

3.6.4.2 Set up Active Directory SSL 

If you need to set up SSL at this point, see 2.2.3 SSL Setup for instructions. 

3.6.4.3 Active Directory Replication 

Active Directory replication issues can cause problems in some installations of the Digipass 

Plug-In for SBR. See the Active Directory Replication Issues topic in the Administrator 

Reference. 



3.6.4.4 Active Directory Auditing 

Consider whether to include custom object classes and permission property sets in Active 

Directory's auditing. See the Active Directory Auditing topic in the Administrator Reference 

for more information. 

3.6.5 ODBC Tasks 

3.6.5.1 Configure User ID and Domain Handling 

The SBR Plug-In has options to configure how User IDs and domain names are handled. It is 

important that these are set up before data is added to the database. 

Note 

SBR has limited support for extended (non-English) characters in User IDs. The 

SBR Plug-In must work within these limitations. 

Case-sensitivity 

The SBR Plug-In may be configured to save and retrieve User IDs and domain names in lower 

case, upper case or with no conversion – data is saved or searched on exactly as entered. The 

configuration required will depend on your company's requirements and the capabilities of the 

database used as the data store. See the Encoding and Case-Sensitivity topic in the 

Administrator Reference for more information. 

Case-sensitivity configuration must be completed before User accounts and domain records are 

added to the database. However, the Master domain (named 'master') is created during 

installation, and is in lower case. This will not cause any problems if the SBR Plug-In is 

configured not to convert case, or to convert to lower case. If the SBR Plug-In will be 

configured to convert User IDs and domains to upper case, first follow these steps: 

1. Open the Administration MMC Interface and create a new domain. This new domain 

must have its name entirely in upper case (eg. MASTER). 

2. Open the SBR Plug-In Configuration GUI and set the new domain as the Master 

domain. Close the Configuration GUI. 

3. Delete the original 'master' domain. 

Windows name resolution 

Enable Windows Name Resolution to allow the SBR Plug-In to use Windows functionality to 

resolve a UserID – as entered during a login – into a User ID and Domain. This is highly 

recommended if Dynamic User Registration will be enabled. 



3.6.5.2 Permissions for Group Check 

A list of Windows groups can be specified in the configuration GUI of the SBR Plug-In. The 

SBR Plug-In will only authenticate a User’s login if the User belongs to one of these specified 

groups. 

Add LocalSystem (“SYSTEM”) to either Administrators or the Account Operators Windows 

group on the SBR server to allow the SBR Plug-In to run a group check: 

1. Go to the desktop and right-click on My Computer. 

2. Click on Manage. 

3. Expand the Local Users and Groups node. 

4. Click on Groups. 

5. Right-click on Administrators or Account Operators. 

6. Click on Add to Group... 

7. Click on Add... 

8. Click on Locations... 

9. Select the local machine and click on OK. 

10. Enter SYSTEM in the object name memo. 


A new entry will be added to the Members list. 



3.6.5.3 Configure Connection Parameters 

You may wish to increase the number of connections attempted to the database if: 

The load on the database will be high, and 

Changes to the connection settings will be efficient with the database and database 

driver in question. 

Setting an idle timeout will allow connections which are no longer required to be closed as 

soon as possible, which may lower the load on the database server. See the Administrator 

Reference for more information. 

3.6.5.4 Additional Databases 

If additional databases are required for backup, failover or load-balancing purposes, configure 

the SBR Plug-In to use them now. See the Additional ODBC Databases topic in the Product 

Guide and the Database Connection Handling topic in the Administrator Reference for more 

information. 

3.6.5.5 Additional Setup Steps for Multiple SBR Plug-Ins 

If more than one SBR Plug-In are installed on the system, some additional setup may be 

required. See the Multiple SBR Plug-Ins 

topic in the Product Guide for more information. 

3.6.6 Configure Steel-Belted RADIUS to Use SBR Plug-In 

Steel-Belted RADIUS must be configured to use the SBR Plug-In: 

1. Open the SBR Administrator. 

2. Click on Authentication Policies. 

3. Select Digipass Authentication. 

4. Use the arrow buttons to move Digipass Authentication to the top of the list box. 

5. Tick the Active checkbox for Digipass Authentication. 

6. Untick all other Authentication Methods. 

7. Click on Apply. 


Digipass Plug-In for SBR Installation Guide Add Components to Installation 

4 Add Components to Installation 

To add components to the installation: 

1. Start the Digipass Plug-In for SBR install process. 



The Digipass Plug-In for SBR splash screen will be displayed, followed by the 

Maintenance Options dialog. 

2. Select the Add Components option button and click on Next. 


3. Select the components you want to add to the installation and click on Next. 


install. 

When completed, the Activation Options dialog will be displayed, prompting you to 

select a method of obtaining a license file. 

When the installation is complete, the Restart Required dialog will be displayed. 

4. Click the Yes option button to restart the machine, or No to perform other tasks 

before restarting. 

5. Click Close when this process is complete. 


Digipass Plug-In for SBR Installation Guide Repair Installation 

5 Repair Installation 

The installation of the Digipass Plug-In for SBR may need to be repaired if files have been 

corrupted, deleted or lost. 

1. Start the Digipass Plug-In for SBR install process. 



The Digipass Plug-In for SBR splash screen will be displayed, followed by the 

Maintenance Options dialog. 

2. Select the Repair Installation option button and click on Next. 

A confirmation window will be displayed. 

3. Click on Yes. 

4. After installation, the system must be restarted. 

A screen will be displayed, asking whether you want to restart the machine now or 

later. 

Select the Yes, restart the machine now radio button (selected by default). 

Click on the Finish button. 


Digipass Plug-In for SBR Installation Guide Uninstall Digipass Plug-In for SBR 

6 Uninstall Digipass Plug-In for SBR 

6.1 Manual Uninstall 

See the Administrator Reference for a list of files installed for the Digipass Plug-In for SBR. 

6.2 Active Directory 

Additional data removal 

Digipass-specific information is not removed from Active Directory when the Digipass Plug-In 

for SBR is uninstalled from a computer. A custom VB script is available which will strip all 

information related to the SBR Plug-In from a domain. See the Administrator Reference for 

further information and instructions. 

6.3 ODBC Database 

Remove Schema Modifications 

The dropschema command in the DPDBadmin command line utility can be used to remove all 

schema modifications from the database, deleting all data relating to the SBR Plug-In. 


Digipass Plug-In for SBR Installation Guide DPADadmin Utility 

7 DPADadmin Utility 

7.1 addschema command 

The addschema command is used to create all the Active Directory Schema extensions, if 

they are not already there. Each element will be checked individually to see if it is already 

there and if not, will be added. 

This command is intended to be run manually by a domain administrator before the main 

Digipass Plug-In for SBR installation is run, as recommended by Microsoft. 

It may be necessary to go through an approval process in your company before running this 

command, as it involves changes to Active Directory Schema. You may also need to have 

another administrator run the command for you, possibly in another part of your network. This 

depends on your company’s structure and rules for Active Directory control. 

Prerequisite Information 

Schema Master Machine 

This command may technically be run on any Windows 2000, XP or 2003 machine, however it 

needs to contact the Domain Controller which has the Schema Master role. There can be only 

one Domain Controller in the Forest with that role. It may be simplest to run the command 

directly on the Schema Master, to avoid any potential connectivity or permission issues. 

Warning 

Warning: If you are passing the credentials to the command in the 

parameters, and you are not running the command on the Schema Master, 

check that you do not have any shares on the Schema Master open. This will 

cause the command to fail. 

Domain Administrator Account 

In order to successfully update the Schema, you must know the username and password of a 

Domain Administrator account that is able to log into the Schema Master. You must either run 

the command while logged in as that user, or pass the credentials to the command in the 

parameters. The Domain Administrator must have permission to extend the Schema – they 

must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain 

created in the Forest). 

Schema Changes Allowed 

By default, Active Directory does not permit Schema extensions to be made. There is a registry 

setting that must be changed to allow extensions. If this is not already set, DPADadmin will 

ask you whether it should change the setting itself or not. If you click on Yes, it will change 

the setting itself, make the extensions then change it back again. 

If you would prefer to change the setting manually, log into the Schema Master and change 

the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\ 

Parameters\Schema Update Allowed registry key to 1, adding it as a value of type 

DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is 

installed on the machine, this can be used to enable or disable Schema extensions. 



If you have disabled the Schema extensions after removing a previous installation in the 

Forest, reactivate them before using this command. This can be done using the Schema 

Manager MMC snap-in used to deactivate them. 

Extend the Schema on the Schema Master 

1. Log into the Schema Master as a member of the Schema Administrators group. 

2. Copy dpadadmin.exe onto the Schema Master 


4. Type: 

dpadadmin addschema 


prompt you whether to enable them or not. Enter y to enable them, or n to cancel. 

The progress and success/failure of the command will be displayed in the command prompt 

window. If there was a failure, it can be run again after the problem has been rectified. 

Extend the Schema on the SBR Server 

1. Open a command prompt and navigate to the installation’s bin directory by typing: 

cd \bin 

2. Type: 

dpadadmin addschema –master schema_master –u user_name –p password 

3. See 7.1 Command Line Syntax for more details regarding the required parameters. 

4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to 

enable them. Enter y to enable them, or n to cancel. 



Command Line Syntax 

dpadadmin addschema [–master schema_master] [–u user_name [–p password]] [-q] 

Option Description 

-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be 

omitted if the command is run directly on the Schema Master. 

-u User name of a Domain Administrator in the Schema Administrators group. This option may be 

omitted if you are logged into the machine as that Domain Administrator when you run the command. 

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain 

Administrator or if they have a blank password. 

-q Quiet mode, will not output commentary text. 

Table 1: DPADadmin addschema Command Line Options 

DPADadmin addschema Command Sample 

dpadadmin addschema –master dc1.vasco.com –u schema_admin –p sa_password 



7.2 upgradeprofiles command 

The upgradeprofiles command is used to upgrade RADIUS profile information from the 

format used in Digipass Plug-In for Funk 2.0 and 2.1, to the User Attributes format used in 

2.2. It must be run in each domain where User accounts with RADIUS Profile information are 

located. 

Prerequisite Information 

Attribute Group 

You may have a custom Attribute Group name set in the configuration of the new . If so, you 

will need to have the exact name available. Check the Configuration (SBR Settings tab) if you 

are unsure. 

Domain Administrator 

You must run the command as an administrator in that domain with sufficient administration 

rights to: 

Read User information 

Read and write to the vasco-Profile attribute 

Upgrade Profile Information 


2. Type: 

cd \bin 

dpadadmin upgradeprofiles -domain 


window. 


dpadadmin upgradeprofiles [-attrgroup ] [-domain ] [-q] 

[-l] [-v] 

Table 2: DPADadmin upgradeprofiles Command Line Options 


-attrgroup OPTIONAL. Specifies the name of the Attribute Group to which the RADIUS Profile should be added. If 

this is not specified, the default RADIUS will be used. 

-domain OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the Digipass Configuration Domain 

will be used. 


-l Record messages to a log file. 

-v Use verbose logging output. 

DPADadmin upgradeprofiles Command Sample 

dpadadmin upgradeprofiles -attrgroup RADIUS -domain test.vasco.com 


Digipass Plug-In for SBR Installation Guide DPDBadmin Utility 

8 DPDBadmin Utility 

8.1 addschema command 

The addschema command is used to create all required tables in an existing database, if they 

are not already there. The utility will check each table to see if it is already there and if not, 

will add the required table. 

This command is intended to be run manually by an administrator before the main Digipass 

Plug-In for SBR installation is run. 

8.1.1.1 Prerequisite Information 

Database Administrator Account 

In order to successfully modify the database schema, you will need the username and 

password of a database administrator account that is able to make changes to the database 

schema. You must pass these credentials to the command in the parameters. 

ODBC Data Source Name 

You will need the Data Source Name that can be used to connect to the database. If one does 

not exist, create it before continuing. 

8.1.1.2 Extend the Schema on the SBR Server 


cd \bin 

2. Type: 

dpdbadmin addschema –u user_name –p password -d dsn 

3. See 8.1.1.3 Command Line Syntax for more details regarding the required 

parameters. 



Ensure that the database user account(s) to be used by the SBR Plug-In and for administration 

have the required permissions to access, modify, create and delete rows in the tables just 

created. See 2.3.2.2 Permissions for more information. 

8.1.1.3 Command Line Syntax 

dpdbadmin addschema –u user_name [–p password] -d dsn [-nouser] [-domain 

domain_name] [-vdsuser alternatename] [-vdsdomain alternatename] 

[-vdscontrol alternatename] [-vdsdigipass alternatename] 

[-vdsdpapplication alternatename] [-vdspolicy] [-vdsbackend alternatename] 

[-vdscomponent alternatename] [-vdsorgunit alternatename] [-utf8factor] [-q] 


Digipass Plug-In for SBR Installation Guide DPDBadmin Utility 


-u User name of a database administrator. 

-p Password of the database administrator. This option may be omitted if they have a blank 

password. 

-d Database Name (DNS) 

-nouser Do not create Digipass User table. 

This option is not currently supported. 

-domain Specify the name of the master domain to be created. 

vdsuser Alternative name for the Digipass User table 

vdsdomain Alternative name for the Domain table 

vdscontrol Alternative name for the Controller table 

vdsdigipass Alternative name for the Digipass table 

vdsdpapplication Alternative name for the Digipass Application table 

vdspolicy Alternative name for the Policy table 

vdsbackend Alternative name for the Back-end Server table 

vdscomponent Alternative name for the Component table 

vdsorgunit Alternative name for the Organizational Unit table 

-utf8factor On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not 

characters, by default. When UTF-8 encoding is used to store data, for full Unicode support, one 

character may be represented as more than one byte. Normally 2 or 3 characters are used, 

depending on the language, but some characters require 4. If your data will include a lot of non- 

English characters, you can increase the size of certain columns by a factor to allow for the extra 

bytes. The value of the parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns 

affected by this are the User Name (not User ID) and various Description fields. 

On other databases, column sizes are specified in characters, and this parameter is not needed. 


Table 3: DPDBadmin addschema Command Line Options 

DPDBadmin addschema Command Sample 

dpdbadmin addschema –u db_admin –p dba_password -d db_users 


8.2 upgradeprofiles command 

The upgradeprofiles command is used to upgrade RADIUS profile information from the 

format used in Digipass Plug-In for Funk 2.0 and 2.1, to the User Attributes format used in 

2.2. 

Prerequisites 

These conditions must be met before this command can be run successfully: 

Must be run on the machine on which the is installed. 

The configuration file () must be in the default location (\Bin) 

Attribute Group 

You may have a custom Attribute Group name set in the Configuration. If so, you will need to 

have the exact name available. Check the Configuration (SBR Settings tab) if you are unsure. 

Upgrade Profile Information 


2. Type: 

cd \bin 

dpdbadmin upgradeprofiles 


window. 


dpdbadmin upgradeprofiles [-attrgroup ] [-q] [-l] [-v] 

Table 4: DPDBadmin upgradeprofiles Command Line Options 


-attrgroup OPTIONAL. Specifies the name of the Attribute Group to which the RADIUS Profile should be added. If 

this is not specified, the default RADIUS will be used. 


-l Record messages to a log file. 

-v Use verbose logging output. 

DPDBadmin upgradeprofiles Command Sample 

dpdbadmin upgradeprofiles -attrgroup RADIUS -l c:\temp\upgrade.log

Digipass Plug-In for SBR Installation Guide - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?