VACMAN Middleware Administration Reference A4 - Vasco
VACMAN Middleware 3 Administrator Reference
Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.
RADIUS Documentation Disclaimer

The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the VACMAN Middleware environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS.

Copyright

© 2007 VASCO Data Security Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective holders.
© 2007 VASCO Data Security Inc. 2
VACMAN Middleware Administrator Reference

Table of Contents
1 Introduction ... 12
  1.1 Available Guides ... 12
  1.2 System Requirements ... 12
    1.2.1 Requirements Specific to Active Directory ... 12
    1.2.2 Requirements Specific to ODBC Database ... 13
  1.3 Software Components ... 14
    1.3.1 Required Components ... 14
    1.3.2 Optional Components ... 15
    1.3.3 Extra Utilities ... 15
2 Active Directory Schema ... 17
  2.1 Schema Extensions ... 17
    2.1.1 Added Object Classes ... 17
    2.1.2 Added Attributes ... 17
    2.1.3 Added Permission Property Sets ... 20
  2.2 Active Directory Auditing ... 21
  2.3 Custom Search Options ... 22
    2.3.1 Saved Queries ... 22
    2.3.2 Using the Custom Search for Digipass ... 23
    2.3.3 Using the Custom Search for Users ... 24
  2.4 Active Directory Replication Issues ... 26
    2.4.1 Old Data Used After Attribute Modified ... 26
      2.4.1.1 Single Authentication Server using more than one Domain Controller ... 26
      2.4.1.2 Administrator and Authentication Server using different Domain Controllers ... 27
      2.4.1.3 Multiple Authentication Servers Using Different Domain Controllers ... 27
      2.4.1.4 Two Administrators Modifying the Same Attribute ... 27
    2.4.2 Old Data Used Overwrites New Data ... 28
    2.4.3 Factors Affecting Replication Issues ... 28
    2.4.4 Solutions and Mitigations ... 29
      2.4.4.1 Digipass Cache ... 29
  2.5 DPADadmin Utility ... 30
    2.5.1 Extend Active Directory Schema ... 30
    2.5.2 Set Up Digipass Containers in Domain ... 32
      2.5.2.1 Prerequisite Information ... 32
      2.5.2.2 Set Up Digipass Configuration Container ... 32
      2.5.2.3 Command Syntax ... 32
    2.5.3 Assign Digipass Permissions to a Group ... 32
      2.5.3.1 Pre-requisites ... 32
      2.5.3.2 Command Syntax ... 33
    2.5.4 Delete all Digipass-Related Data from Active Directory ... 33
      2.5.4.1 Run Delete Script on a Domain ... 33
3 ODBC Database ... 35
  3.1 Database Support ... 35
    3.1.1 Unicode Support ... 35
  3.2 Embedded Database ... 36
    3.2.1 Service Account ... 36
    3.2.2 Database Administration Account ... 36
    3.2.3 Database Administration ... 37
      3.2.3.1 Changing the Digipass User's Password ... 37
    3.2.4 Connection Limitations ... 37
  3.3 Database Schema ... 38
    3.3.1 vdsControl Table ... 38
    3.3.2 vdsUser Table ... 39
    3.3.3 vdsUserAttr Table ... 39
    3.3.4 vdsDigipass Table ... 40
    3.3.5 vdsDPApplication Table ... 40
    3.3.6 vdsPolicy Table ... 41
    3.3.7 vdsComponent Table ... 42
    3.3.8 vdsBackEnd Table ... 42
    3.3.9 vdsDomain Table ... 43
    3.3.10 vdsOrgUnit Table ... 43
  3.4 Encoding and Case-Sensitivity ... 44
  3.5 Domains and Organizational Units ... 44
    3.5.1 Domains ... 45
      3.5.1.1 Master Domain ... 45
      3.5.1.2 Identifying the Domain for a Login Attempt ... 46
    3.5.2 Organizational Units ... 47
  3.6 Database User Accounts ... 48
    3.6.1 Permissions on the Tables ... 48
    3.6.2 Access to Another Schema ... 49
      3.6.2.1 Modify vdsControl Table ... 49
  3.7 Database Connection Handling ... 50
    3.7.1 Multiple Data Sources ... 50
    3.7.2 Max. Connections ... 50
    3.7.3 Connection Wait Time ... 51
    3.7.4 Idle Timeout ... 51
    3.7.5 Enable Load Sharing ... 51
    3.7.6 Reconnect Intervals ... 51
  3.8 DPDBadmin ... 52
    3.8.1 Modify Database Schema ... 52
    3.8.2 Check Database Modifications ... 54
      3.8.2.1 Prerequisite Information ... 54
      3.8.2.2 Check the Database Structure ... 54
      3.8.2.3 Command Line Syntax ... 54
    3.8.3 Remove Database Modifications ... 55
      3.8.3.1 Prerequisite Information ... 55
      3.8.3.2 Modify Database Structure ... 55
      3.8.3.3 Command Line Syntax ... 55
    3.8.4 Create Emergency Administrator Account ... 56
    3.8.5 Rescue Authentication Server Component ... 57
4 Sensitive Data Encryption ... 59
    4.1.1 Encrypted Data – Active Directory ... 59
    4.1.2 Encrypted Data – ODBC and Embedded Database ... 59
    4.1.3 Which Encryption Algorithms can be used? ... 59
    4.1.4 Exporting Encryption Settings ... 59
5 Set Up Active Directory Permissions ... 61
  5.1 Permissions Needed by the Authentication Server ... 61
    5.1.1 Giving Permissions to the Authentication Server ... 61
  5.2 Permissions Needed by Administrators ... 62
    5.2.1 Domain Administrators ... 62
    5.2.2 Delegated Administrators ... 62
    5.2.3 Reduced-Rights Administrators ... 62
    5.2.4 System Administrators ... 63
  5.3 Assign Administration Permissions to a User ... 63
  5.5 Multiple Domains ... 66
    5.5.1 Scenario 1 – Each Authentication Server Handles One Domain ... 66
    5.5.2 Scenario 2 – One Authentication Server Handles All Domains ... 67
    5.5.3 Scenario 3 – Combination ... 67
6 Backup and Recovery ... 68
  6.1 What Must be Backed Up ... 68
    6.1.1 Configuration files ... 68
    6.1.2 Web Sites ... 69
    6.1.3 Audit Log Data ... 69
      6.1.3.1 Write to Text File ... 69
      6.1.3.2 Write to ODBC Database ... 69
      6.1.3.3 Write to Windows Event Log ... 70
    6.1.4 DPX files ... 70
    6.1.5 Active Directory ... 70
      6.1.5.1 Cold Backup ... 70
    6.1.6 ODBC and Embedded Database ... 71
      6.1.6.1 Data Source Settings ... 71
      6.1.6.2 Backup Strategies ... 71
      6.1.6.3 Backup of Embedded Database ... 71
  6.2 Recovery ... 73
    6.2.1 Active Directory ... 73
    6.2.2 ODBC or Embedded Database ... 74
      6.2.2.1 Rebuild Authentication Server, Database Undamaged ... 74
      6.2.2.2 Restore Database, Authentication Server Undamaged ... 75
      6.2.2.3 Rebuild Authentication Server, Restore Database ... 76
      6.2.2.4 Copy Database from Other Authentication Server ... 78
      6.2.2.5 Rebuild Authentication Server, Copy Database ... 80
7 Field Listings ... 82
  7.1 User Property Sheet ... 82
  7.2 User Authorization Profiles/Attributes Window ... 84
  7.3 Digipass Property Sheet ... 85
  7.4 Digipass Application Tab ... 86
  7.5 Policy Property Sheet ... 87
  7.6 Component Property Sheet ... 94
  7.7 Back-End Server Property Sheet ... 95
  7.8 Domain Property Sheet ... 96
  7.9 Organizational Unit Property Sheet ... 96
  7.10 Data Changes Requiring a Restart ... 97
    7.10.1 Changes to the Data Store ... 97
      7.10.1.1 ODBC or Embedded Database ... 97
      7.10.1.2 Active Directory ... 97
      7.10.1.3 Automatic Re-Loading of Cached Data ... 98
      7.10.1.4 Cached Data List ... 98
    7.10.2 Changes to Configuration Settings ... 98
8 Licensing ... 100
  8.1 How is Licensing Handled? ... 100
  8.2 Licensing Parameters ... 101
    8.2.1 Sample License File ... 101
  8.3 View License Information ... 101
  8.4 Obtain and Load a License Key ... 102
  8.5 Change IP Address ... 103
    8.5.1 IP Address Already Changed ... 104
9 Web Sites ... 107
  9.1 Customizing the Web Sites ... 107
  9.2 CGI Program ... 107
    9.2.1 Configuration Settings ... 107
  9.3 Form Fields ... 109
    9.3.1 User Self Management Web Site ... 109
      9.3.1.1 Registration – Main Pages ... 109
      9.3.1.2 Registration – Challenge Page ... 111
      9.3.1.3 PIN Change ... 112
      9.3.1.4 Login Test – Main Page ... 113
      9.3.1.5 Login Test – Challenge Page ... 114
    9.3.2 OTP Request Site ... 114
      9.3.2.1 Request Page ... 114
  9.4 Query String Variables ... 115
    9.4.1 Failure/Error Handling ... 115
    9.4.2 Query String Variable List ... 116
    9.4.3 Return Code Listing ... 117
      9.4.3.1 API Return Codes ... 117
      9.4.3.2 CGI Errors ... 117
      9.4.3.3 Internal Errors ... 118
10 Login Options ... 119
  10.1 Login Permutations ... 119
    10.1.1 Response Only – PAP ... 120
    10.1.2 Response Only – CHAP/MS-CHAP ... 121
    10.1.3 Challenge/Response ... 122
    10.1.4 Virtual Digipass ... 123
11 Configuration Settings ... 124
  11.1 Authentication Server ... 124
    11.1.1 Set Component Location ... 124
    11.1.2 Administration Connections ... 124
    11.1.3 Library Path and Type ... 124
    11.1.4 RADIUS ... 124
    11.1.5 Turn Tracing On or Off ... 125
    11.1.6 Active Directory Connection ... 126
      11.1.6.1 Configuration Domain ... 126
      11.1.6.2 Domains List ... 126
    11.1.7 ODBC Connection ... 128
      11.1.7.1 Connect to an ODBC Database ... 128
      11.1.7.2 Connection Settings ... 128
      11.1.7.3 User ID and Domain Conversion ... 129
      11.1.7.4 Master Domain ... 130
      11.1.7.5 Domains and Organizational Units ... 131
    11.1.8 Auditing ... 132
    11.1.9 Data Encryption ... 133
    11.1.10 Replication ... 134
      11.1.10.1 Enable Replication ... 134
      11.1.10.2 Set up Replication to Another Authentication Server ... 134
      11.1.10.3 Configure Local Replication Settings ... 134
    11.1.11 Virtual Digipass Text Message ... 135
    11.1.12 Configuration File ... 136
  11.2 MDC ... 140
    11.2.1 Required Information ... 140
    11.2.2 MDC Configuration GUI ... 140
      11.2.2.1 Modify Gateway Account Login Details ... 140
      11.2.2.2 Configure Internet Connection Details ... 140
      11.2.2.3 Configure Tracing ... 141
      11.2.2.4 Import HTTP Gateway settings ... 142
      11.2.2.5 Edit Advanced Settings ... 142
      11.2.2.6 Export HTTP Gateway settings ... 142
      11.2.2.7 Gateway Result Pages ... 143
    11.2.3 MDC Configuration File ... 146
    11.2.4 Configuration Settings ... 147
  11.3 CGI ... 148
11.4 Digipass TCL Command Line Utility.......................................................................... 148<br />
12 Auditing.............................................................................................................149<br />
12.1 Text File.................................................................................................................. 149<br />
12.1.1 Text File Name Variables...................................................................................... 149<br />
12.1.2 Configure Auditing to Text File.............................................................................. 149<br />
12.2 Windows Event Log................................................................................................. 151<br />
12.3 ODBC Audit Message Database................................................................................ 152<br />
12.3.1 Set up ODBC Database........................................................................................ 152<br />
12.3.1.1 Create database............................................................................................................. 152<br />
12.3.1.2 Create database schema..................................................................................................152<br />
12.3.1.3 Create Database Account(s)............................................................................................. 153<br />
12.3.1.4 Create DSN on Authentication Server machine....................................................................153<br />
12.3.1.5 Create DSN on Audit Viewer machine................................................................................ 153<br />
12.3.2 Configure Authentication Server............................................................................ 153<br />
12.3.3 Configure Audit Viewer........................................................................................ 154<br />
12.4 Live Connection - Authentication Server to Audit Viewer......................................... 155<br />
12.4.1 Configure Authentication Server............................................................................ 155<br />
12.4.2 Configure Audit Viewer........................................................................................ 155<br />
13 Tracing.............................................................................................................. 156<br />
13.1 Trace Message Types.............................................................................................. 156<br />
13.2 Trace Message Levels.............................................................................................. 157<br />
13.3 Trace Message Contents.......................................................................................... 157<br />
14 Digipass TCL Command-Line <strong>Administration</strong>......................................................158<br />
14.1 Introduction........................................................................................................... 158<br />
14.1.1 Knowledge Requirements..................................................................................... 158<br />
14.1.2 Data Store Connection......................................................................................... 159<br />
14.2 Using DPADMINCMD – Basics.................................................................................. 160<br />
14.2.1 Using an Interactive TCL Command Prompt............................................................ 160<br />
14.2.2 Running a Script................................................................................................. 161<br />
14.2.3 Help.................................................................................................................. 162<br />
14.2.4 Command Parameters......................................................................................... 162<br />
14.2.5 Result Output..................................................................................................... 162<br />
14.2.6 Error Handling.................................................................................................... 163<br />
14.2.7 International Characters...................................................................................... 163<br />
14.2.8 Syntax Notes..................................................................................................... 163<br />
14.2.9 Sample Scripts................................................................................................... 164<br />
14.3 Configuration File.................................................................................................... 166<br />
14.3.1 Sample Configuration File.................................................................................... 166<br />
15 Replication........................................................................................................ 167<br />
15.1 Concepts................................................................................................................. 167<br />
15.1.1 Replication Queue............................................................................................... 168<br />
15.1.2 Record-level Replication....................................................................................... 168<br />
15.1.3 Replication Process............................................................................................. 168<br />
15.1.4 Connection Handling........................................................................................... 169<br />
15.1.4.1 Component Record..........................................................................................................170<br />
15.1.5 Monitoring Replication......................................................................................... 170<br />
15.1.5.1 Auditing.........................................................................................................................170<br />
15.1.5.2 <strong>Administration</strong> MMC Interface...........................................................................................170<br />
15.1.6 Forwarding Replication Entries.............................................................................. 171<br />
15.2 Configuring Replication .......................................................................................... 172<br />
15.2.1 Active Directory.................................................................................................. 172<br />
15.2.2 ODBC Database.................................................................................................. 173<br />
15.2.2.1 Configure Replication to a Second Authentication Server...................................................... 173<br />
15.2.2.2 Configure Replication to a Third or Subsequent Authentication Server....................................174<br />
15.2.2.3 Add Redundant Replication...............................................................................................175<br />
16 How to troubleshoot..........................................................................................176<br />
16.1 View Audit Information........................................................................................... 176<br />
16.1.1 Windows Event Log............................................................................................. 176<br />
16.1.2 Text file ............................................................................................................ 176<br />
16.1.3 ODBC Database.................................................................................................. 176<br />
16.2 Tracing................................................................................................................... 177<br />
16.2.1 Authentication Server.......................................................................................... 177<br />
16.2.2 Web Sites.......................................................................................................... 177<br />
16.2.2.1 Enable Tracing................................................................................................................177<br />
16.2.2.2 Trace File Permissions..................................................................................................... 177<br />
16.2.3 Message Delivery Component............................................................................... 180<br />
16.2.3.1 Enable Tracing................................................................................................................180<br />
16.3 Open Port Numbers on Firewall............................................................................... 180<br />
16.3.1 Incoming Ports................................................................................................... 180<br />
16.3.2 Outgoing Ports................................................................................................... 181<br />
16.4 Installation Check................................................................................................... 181<br />
16.4.1 Installation Log File............................................................................................. 181<br />
16.4.2 Registry Entries.................................................................................................. 182<br />
16.4.3 Check Permissions.............................................................................................. 183<br />
16.4.4 Authentication Server Registered in Active Directory Domain..................................... 183<br />
16.4.5 Default Policy and Component Created................................................................... 184<br />
17 Audit Messages..................................................................................................185<br />
17.1 Audit Message Listing............................................................................................. 185<br />
17.2 Audit Message Fields............................................................................................... 194<br />
18 Error and Status Codes......................................................................................196<br />
18.1 Error Code Listing................................................................................................... 196<br />
18.2 Status Code Listing................................................................................................. 200<br />
19 Technical Support..............................................................................................204<br />
19.1 Support Contact Information................................................................................... 204<br />
Index of Tables<br />
Table 1: Custom Active Directory Object Classes...............................................................................................17<br />
Table 2: Custom Active Directory Object Attributes............................................................................................17<br />
Table 3: Custom Active Directory Permission Property Sets................................................................................ 20<br />
Table 4: Saved Queries in Active Directory Users and Computers........................................................................ 22<br />
Table 5: Custom Active Directory Search criteria - Digipass................................................................................ 23<br />
Table 6: Custom Active Directory Search criteria - Users.................................................................................... 25<br />
Table 7: DPADadmin addschema Command Line Options................................................................................... 31<br />
Table 8: DPADadmin setupdomain Command Line Options................................................................................. 32<br />
Table 9: DPADadmin setupaccess Command Line Options.................................................................................. 33<br />
Table 10: ODBC Database Tables.................................................................................................................... 38<br />
Table 11: vdsControl Table.............................................................................................................................38<br />
Table 12: vdsUser Table................................................................................................................................ 39<br />
Table 13: vdsUserAttr Table........................................................................................................................... 39<br />
Table 14: vdsDigipass Table........................................................................................................................... 40<br />
Table 15: vdsDPApplication Table....................................................................................................................40<br />
Table 16: vdsPolicy Table...............................................................................................................................41<br />
Table 17: vdsComponent Table.......................................................................................................................42<br />
Table 18: vdsBackEnd Table...........................................................................................................................42<br />
Table 19: vdsDomain Table............................................................................................................................ 43<br />
Table 20: vdsOrgUnit Table............................................................................................................................ 43<br />
Table 21: Table Permissions Required..............................................................................................................48<br />
Table 22: Table Names in vdsControl...............................................................................................................50<br />
Table 23: DPDBadmin addschema Command Line Options..................................................................................53<br />
Table 24: DPDBadmin checkschema Command Line Options...............................................................................54<br />
Table 25: DPDBadmin dropschema Command Line Options................................................................................ 55<br />
Table 26: DPDBadmin rescueadmin Command Line Options................................................................................56<br />
Table 27: DPDBadmin rescueserver Command Line Options................................................................................58<br />
Table 28: Encrypted Data Attributes – Active Directory...................................................................................... 59<br />
Table 29: Encrypted Data Attributes – ODBC and Embedded Database.................................................................59<br />
Table 30: User Fields.....................................................................................................................................82<br />
Table 31: User Attribute Fields........................................................................................................................84<br />
Table 32: Digipass Fields................................................................................................................................85<br />
Table 33: Digipass Application Fields............................................................................................................... 86<br />
Table 34: Policy Fields................................................................................................................................... 87<br />
Table 35: Component Fields........................................................................................................................... 94<br />
Table 36: Back-End Server Fields....................................................................................................................95<br />
Table 37: Domain Fields................................................................................................................................ 96<br />
Table 38: Organizational Unit Fields.................................................................................................................96<br />
Table 39: License Parameters for <strong>VACMAN</strong> <strong>Middleware</strong>.....................................................................................101<br />
Table 40: Configuration Settings for CGI Program............................................................................................108<br />
Table 41: Form Fields for Main Registration Page.............................................................................................109<br />
Table 42: Form Fields for Registration Challenge Page......................................................................................111<br />
Table 43: Form Fields for Server PIN Change Page.......................................................................................... 112<br />
Table 44: Form Fields for Main Login Test Page............................................................................................... 113<br />
Table 45: Form Fields for Login Test Challenge Page........................................................................................ 114<br />
Table 46: Form Fields for OTP Request Page................................................................................................... 114<br />
Table 47: Query String Variable List...............................................................................................................116<br />
Table 48: API Return Codes..........................................................................................................................117<br />
Table 49: CGI Error Return Codes................................................................................................................. 117<br />
Table 50: Internal Error Codes...................................................................................................................... 118<br />
Table 51: Login Permutations - Response Only PAP (1).................................................................................... 120<br />
Table 52: Login Permutations - Response Only PAP (2).................................................................................... 121<br />
Table 53: Login Permutations - Response Only CHAP....................................................................................... 121<br />
Table 54: Login Permutations – Challenge/Response........................................................................................122<br />
Table 55: Login Permutations – Virtual Digipass.............................................................................................. 123<br />
Table 56: MDC Audit Message Variables......................................................................................................... 145<br />
Table 57: Message Delivery Component Configuration Settings......................................................................... 147<br />
Table 58: Audit Text File Name/Path Variables................................................................................................ 149<br />
Table 59: Required Audit Database Tables......................................................................................................152<br />
Table 60: vdsAuditMessage Required Fields.................................................................................................... 152<br />
Table 61: vdsAuditMsgField Required Fields.................................................................................................... 153<br />
Table 62: Tracing Message Types.................................................................................................................. 156<br />
Table 63: Tracing Message Levels..................................................................................................................157<br />
Table 64: Tracing Message Contents..............................................................................................................157<br />
Table 65: DPADMINCMD Help Commands.......................................................................................................162<br />
Table 66: List of Incoming Ports Used by the Authentication Server................................................................... 180<br />
Table 67: List of Outgoing Ports Used by the Authentication Server................................................................... 181<br />
Table 68: Registry Entries............................................................................................................................ 182<br />
Table 69: Permissions Required.....................................................................................................................183<br />
Table 70: Audit Messages List....................................................................................................................... 185<br />
Table 71: Audit Messages Fields....................................................................................................................194<br />
Table 72: Error Code List..............................................................................................................................196<br />
Table 73: Status Code List............................................................................................................................200<br />
1 Introduction<br />
1.1 Available Guides<br />
The following <strong>VACMAN</strong> <strong>Middleware</strong> guides are available:<br />
Product Guide<br />
The Product Guide will introduce you to the features and concepts of <strong>VACMAN</strong> <strong>Middleware</strong> and<br />
the various options you have for using it.<br />
Installation Guide<br />
Use this guide when planning and working through an installation of <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Getting Started<br />
Gets you up and running quickly with a simple installation and setup of <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Administrator <strong>Reference</strong><br />
In-depth information required for administration of <strong>VACMAN</strong> <strong>Middleware</strong>. This includes<br />
references such as data attribute lists, backup and recovery procedures, and utility commands.<br />
Data Migration Tool Guide<br />
Takes you through a data migration from one VASCO product to another, using the VASCO<br />
Data Migration Tool.<br />
Help Files<br />
Context-sensitive help accompanies the administration interfaces.<br />
1.2 System Requirements<br />
Operating System<br />
Windows Server 2003 (32-bit version only) with Service Pack 1 or above, or<br />
Windows XP Professional (32-bit version only) with Service Pack 2 or above, or<br />
Windows 2000 with Service Pack 4 or above<br />
Language<br />
<strong>VACMAN</strong> <strong>Middleware</strong> is designed to function on any language version of Windows.<br />
However, the product has only been comprehensively tested on English language<br />
versions of Windows.<br />
1.2.1 Requirements Specific to Active Directory<br />
Digipass Extension for Active Directory Users and Computers<br />
Active Directory Users and Computers Snap-In<br />
Active Directory set up for SSL<br />
In the following cases, SSL must be available for <strong>VACMAN</strong> <strong>Middleware</strong> components to connect<br />
to Active Directory:<br />
Authentication Server not installed on a Domain Controller.<br />
<strong>Administration</strong> Interfaces not installed on a Domain Controller.<br />
Authentication Server and/or <strong>Administration</strong> Interface(s) on a Domain Controller, but<br />
accessing data in another domain.<br />
An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows<br />
Certificate Services is available as an optional Windows component.<br />
However, if you do not wish to install a CA, you can select during installation not to use SSL.<br />
1.2.2 Requirements Specific to ODBC Database<br />
<strong>VACMAN</strong> <strong>Middleware</strong> will support most modern ODBC-compliant relational, transactional<br />
databases. It has been tested on the following databases:<br />
Oracle 9i<br />
Microsoft SQL Server 2000<br />
Microsoft SQL Server 2005<br />
DB2 8.1<br />
Sybase Adaptive Server Anywhere 9.0<br />
PostgreSQL 8.1.3<br />
1.3 Software Components<br />
<strong>VACMAN</strong> <strong>Middleware</strong> consists of various components, some necessary and some optional.<br />
1.3.1 Required Components<br />
Authentication Server<br />
This is a Service that performs the authentication processing. It can receive authentication<br />
requests using the RADIUS protocol and requests from the IIS Module. If its data store is a<br />
database rather than Active Directory, administration is also carried out through the<br />
Authentication Server. For IIS Module and administration requests, a proprietary, encrypted,<br />
TCP/IP-based protocol is used.<br />
IIS Module (Web authentication only)<br />
For Web authentication, the IIS Module must be installed onto the web server. It is responsible<br />
for intercepting authentication requests and referring them to the Authentication Server.<br />
Data Store<br />
All information required by <strong>VACMAN</strong> <strong>Middleware</strong> is stored in Active Directory or an ODBC-compliant<br />
database. An embedded PostgreSQL database option is provided with <strong>VACMAN</strong><br />
<strong>Middleware</strong>. The data store to be used is selected during installation.<br />
Using Active Directory, administration is carried out by direct connection to the directory.<br />
Using a database, administration is carried out using the Authentication Server.<br />
<strong>Administration</strong> MMC Interface<br />
This interface is used in slightly different ways, depending on the data store used by <strong>VACMAN</strong><br />
<strong>Middleware</strong>.<br />
Active Directory<br />
If Active Directory is used as the data store, the <strong>Administration</strong> MMC Interface will be used for<br />
administration of Policy, Component and Back-End Server records.<br />
ODBC Database (including embedded database)<br />
If an ODBC database is used as the data store, the <strong>Administration</strong> MMC Interface will be used<br />
for administration of all VASCO data.<br />
Digipass Extension for Active Directory Users and Computers<br />
A VASCO Extension to the Active Directory Users and Computers interface allows<br />
administration of additional User settings and Digipass records integrated with standard Active<br />
Directory User administration. This is only available when Active Directory is used as the data<br />
store for <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Audit System<br />
The Authentication Server provides a comprehensive audit trail of significant processing events<br />
such as successful and failed authentication attempts. The audit messages can be written to<br />
text files, the Windows Event Log and/or an ODBC-compliant database.<br />
In addition it is possible to connect directly from an Audit Viewer (see below) to the<br />
Authentication Server, to receive a live feed of audit messages as they are generated.<br />
1.3.2 Optional Components<br />
Audit Viewer<br />
The Audit Viewer is a Windows application that can display and filter audit messages from the<br />
Authentication Server. It can read the data from text files and ODBC databases, or receive a<br />
live feed from the Authentication Server.<br />
Virtual Digipass<br />
The VASCO components used for Virtual Digipass are:<br />
Message Delivery Component<br />
This is a Service that is responsible for delivering One Time Passwords through a text message<br />
HTTP gateway to a User’s mobile phone.<br />
OTP Request Site<br />
This is a miniature web site that allows a User to request a Virtual Digipass OTP to be sent to<br />
their mobile phone.<br />
User Self Management Web Site<br />
This is a miniature web site that allows Users to make appropriate changes to their own<br />
Digipass settings, such as PIN changes. This is used in a RADIUS environment, when the<br />
normal authentication requests are made using a CHAP-based protocol and therefore PIN<br />
changes and other 'self-management' features are not possible.<br />
Digipass TCL Command-Line <strong>Administration</strong><br />
<strong>Administration</strong> may also be carried out using the Digipass TCL Command-Line <strong>Administration</strong><br />
Utility, which allows interactive command-line and scripted administration of <strong>VACMAN</strong><br />
<strong>Middleware</strong> data.<br />
1.3.3 Extra Utilities<br />
These extra utilities may be used with <strong>VACMAN</strong> <strong>Middleware</strong>, but require separate installations.<br />
Data Migration Tool<br />
The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your<br />
data from one VASCO product to another.<br />
For <strong>VACMAN</strong> <strong>Middleware</strong> 3.0, it is also used for other purposes. It is used to upgrade from<br />
version 2.3 to 3.0, as there are significant data model changes between those versions. It is<br />
also used to migrate data from an embedded database to another ODBC-compliant database,<br />
or from a database to Active Directory.<br />
RADIUS Client Simulator<br />
The RADIUS Client Simulator is a program that simulates RADIUS Authentication and<br />
Accounting processing in a similar fashion to 'real' RADIUS clients. The RADIUS Client<br />
Simulator can be used to test Digipass authentication or to estimate performance.<br />
2 Active Directory Schema<br />
2.1 Schema Extensions<br />
The following tables document the changes required by <strong>VACMAN</strong> <strong>Middleware</strong> to the Active<br />
Directory schema when AD is used as the data store.<br />
2.1.1 Added Object Classes<br />
Table 1: Custom Active Directory Object Classes<br />
Attribute | Type | Location | Explanation<br />
vasco-UserExt | Aux. Class | User record | Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-UserExt on the User class.<br />
vasco-DPToken | Class | Unassigned: Optional; Assigned: with User record | The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which vasco-DPApplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.<br />
vasco-DPApplication | Class | Within Digipass record | This class is used to store Digipass Application attributes, such as Server PIN and expected OTP length.<br />
vasco-Policy | Class | Digipass Configuration Container | Policy attributes. Attributes will commonly be shared via inheritance.<br />
vasco-Component | Class | Digipass Configuration Container | Component attributes include the License Key for Authentication Server Components.<br />
vasco-BackEndServer | Class | Digipass Configuration Container | Information required for connection to back-end servers.<br />
2.1.2 Added Attributes<br />
Table 2: Custom Active Directory Object Attributes<br />
Name | Class<br />
vasco-SerialNumber | vasco-DPToken<br />
vasco-TokenType | vasco-DPToken<br />
vasco-ApplicationNames | vasco-DPToken<br />
vasco-ApplicationTypes | vasco-DPToken<br />
vasco-LinkVascoDigipassToUserExt | vasco-DPToken<br />
vasco-TokenAssignedDate | vasco-DPToken<br />
vasco-GracePeriod | vasco-DPToken<br />
vasco-EnableBVDP | vasco-DPToken<br />
vasco-BVDPExpiryDate | vasco-DPToken<br />
vasco-BVDPUsesLeft | vasco-DPToken<br />
vasco-DirectAssignOnly | vasco-DPToken<br />
vasco-AdditionalAttribute | vasco-DPToken<br />
vasco-SerialNumber | vasco-DPApplication<br />
vasco-ApplicationName | vasco-DPApplication<br />
vasco-ApplicationNumber | vasco-DPApplication<br />
vasco-ApplicationType | vasco-DPApplication<br />
vasco-DPBlob | vasco-DPApplication<br />
vasco-Active | vasco-DPApplication<br />
vasco-LinkUserExtToVascoDigipass | vasco-UserExt<br />
vasco-LinkUserExtToUser | vasco-UserExt<br />
vasco-StaticPassword | vasco-UserExt<br />
vasco-LocalAuth | vasco-UserExt<br />
vasco-BackEndServerAuth | vasco-UserExt<br />
vasco-Disable | vasco-UserExt<br />
vasco-Profile | vasco-UserExt<br />
vasco-CreateTime | vasco-UserExt<br />
vasco-ModifyTime | vasco-UserExt<br />
vasco-ID | vasco-BackEndServer<br />
vasco-Protocol | vasco-BackEndServer<br />
vasco-Domain | vasco-BackEndServer<br />
vasco-Priority | vasco-BackEndServer<br />
vasco-Retries | vasco-BackEndServer<br />
vasco-AcctIPAddress | vasco-BackEndServer<br />
vasco-AcctPort | vasco-BackEndServer<br />
vasco-AdditionalAttribute | vasco-BackEndServer<br />
vasco-AuthIPAddress | vasco-BackEndServer<br />
vasco-SharedSecret | vasco-BackEndServer<br />
vasco-Timeout | vasco-BackEndServer<br />
Version-Number | vasco-BackEndServer<br />
vasco-ID | vasco-Component<br />
vasco-Location | vasco-Component<br />
vasco-LinkComponentToPolicy | vasco-Component<br />
vasco-Protocol | vasco-Component<br />
vasco-ComponentType | vasco-Component<br />
vasco-PublicKey | vasco-Component<br />
vasco-AdditionalAttribute | vasco-Component<br />
vasco-SharedSecret | vasco-Component<br />
vasco-TCPPort | vasco-Component<br />
Version-Number | vasco-Component<br />
vasco-AdditionalAttribute | vasco-Policy<br />
vasco-AllowedApplType | vasco-Policy<br />
vasco-AllowedDPTypes | vasco-Policy<br />
vasco-ApplicationNames | vasco-Policy<br />
vasco-AssignmentMode | vasco-Policy<br />
vasco-AssignSearchUpOUPath | vasco-Policy<br />
vasco-Autolearn | vasco-Policy<br />
vasco-BackEndAuth | vasco-Policy<br />
vasco-BackupVDPRequestKeyword | vasco-Policy<br />
vasco-BackupVDPRequestMethod | vasco-Policy<br />
vasco-BVDPMaximumDays | vasco-Policy<br />
vasco-BVDPMaximumUses | vasco-Policy<br />
vasco-ChallengeRequestKeyword | vasco-Policy<br />
vasco-ChallengeRequestMethod | vasco-Policy<br />
vasco-CheckChallenge | vasco-Policy<br />
vasco-ChkInactDays | vasco-Policy<br />
vasco-Description | vasco-Policy<br />
vasco-Domain | vasco-Policy<br />
vasco-DUR | vasco-Policy<br />
vasco-EnableBVDP | vasco-Policy<br />
vasco-EventWindow | vasco-Policy<br />
vasco-GracePeriod | vasco-Policy<br />
vasco-GroupCheckMode | vasco-Policy<br />
vasco-GroupList | vasco-Policy<br />
vasco-ID | vasco-Policy<br />
vasco-IThreshold | vasco-Policy<br />
vasco-ITimeWindow | vasco-Policy<br />
vasco-LinkPolicyToChildPolicy | vasco-Policy<br />
vasco-LinkPolicyToComponent | vasco-Policy<br />
vasco-LinkPolicyToParentPolicy | vasco-Policy<br />
vasco-LocalAuth | vasco-Policy<br />
vasco-OneStepChalCheckDigit | vasco-Policy<br />
vasco-OneStepChalLength | vasco-Policy<br />
vasco-OneStepChalResp | vasco-Policy<br />
vasco-OnLineSG | vasco-Policy<br />
vasco-PINChangeAllowed | vasco-Policy<br />
vasco-PrimaryVDPRequestKeyword | vasco-Policy<br />
vasco-PrimaryVDPRequestMethod | vasco-Policy<br />
vasco-Protocol | vasco-Policy<br />
vasco-SelfAssignSeparator | vasco-Policy<br />
vasco-SThreshold | vasco-Policy<br />
vasco-STimeWindow | vasco-Policy<br />
vasco-StoredPasswordProxy | vasco-Policy<br />
vasco-SyncWindow | vasco-Policy<br />
Version-Number | vasco-Policy<br />
2.1.3 Added Permission Property Sets<br />
Property sets have been created for typical groups of permissions required for administration<br />
tasks.<br />
Table 3: Custom Active Directory Permission Property Sets<br />
Property Set | Applicable Object | Actions Allowed<br />
Digipass Assignment Link | Digipass | Assign and unassign Digipass for Digipass User accounts.<br />
Digipass Application Data | Digipass Application | Digipass record functions.<br />
Digipass User Account Information | User | Modify Digipass User information.<br />
Digipass User Account to User Link | User | Link and unlink Digipass Users. This is also required when assigning Digipass to linked Digipass User records.<br />
Digipass User Account Stored Password | User | Read and modify the stored password for a Digipass User.<br />
2.2 Active Directory Auditing<br />
Active Directory auditing may be configured to record access to, and modification of, the custom<br />
objects used by <strong>VACMAN</strong> <strong>Middleware</strong>. If you currently have default auditing enabled, it<br />
might already include actions on custom objects. See these Microsoft articles for<br />
information on turning on and configuring auditing:<br />
Windows 2000<br />
http://support.microsoft.com/?kbid=314955<br />
Windows 2003<br />
http://support.microsoft.com/?kbid=814595<br />
The basic process you will need to follow is:<br />
1. Select a scope for the auditing (eg. Domain Root).<br />
2. Select a Windows User or Windows Group (eg. Everyone or Domain Administrators)<br />
3. Select the object classes to audit (eg. Digipass objects) – if required<br />
4. Select the permissions which should be audited (eg. Read, Write, Delete, Create)<br />
What Should I Audit?<br />
This will depend on what you need to audit. For example, if you wanted to record all Digipass<br />
assignments in the domain, you might set up auditing in the Domain Root for Everyone, with<br />
the Digipass Assignment Link property set.<br />
See the 2.1 Schema Extensions topic for more information on custom objects and<br />
permission property sets created for the <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
2.3 Custom Search Options<br />
The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in<br />
which allows searching for specific Digipass and Digipass User records throughout a domain, or<br />
within the limits of a delegated administrator's permissions. This functionality is especially<br />
useful where unassigned Digipass have been allocated to various Organizational Units.<br />
2.3.1 Saved Queries<br />
On Windows Server 2003 and Windows XP, the Microsoft Management Console (MMC)<br />
framework supports Saved Queries.<br />
Note<br />
The Saved Queries feature is not supported by the MMC on Windows 2000.<br />
No Saved Queries are provided by the <strong>VACMAN</strong> <strong>Middleware</strong> installation<br />
program on Windows 2000.<br />
On Windows Server 2003 and Windows XP, a number of Saved Queries are installed<br />
automatically into the saved MMC console file that is opened using the Start -> Programs -><br />
VASCO -> <strong>VACMAN</strong> <strong>Middleware</strong> 3 -> Active Directory Users and Computers shortcut.<br />
In addition, several Query Definition Files are installed in the \Queries folder. These can be<br />
imported into your existing Active Directory Users and Computers console by right-clicking on<br />
the Saved Queries folder and selecting Import Query Definition....<br />
The Saved Queries provided by the installation are designed to provide several common<br />
queries that may be useful, as listed below. They can be edited, copied or deleted as required.<br />
If you have made a mistake modifying one and wish to start again, you can reload the query<br />
by deleting it and importing it from the Query Definition File.<br />
Table 4: Saved Queries in Active Directory Users and Computers<br />
Query Name | Description | Query Definition File<br />
Users with Digipass | All Users in the Domain who have one or more Digipass assigned directly. | users-with-dp.xml<br />
Users without Digipass | All Users in the Domain who have no Digipass assigned, directly or via a Linked User. | users-without-dp.xml<br />
Users with a DP User Account | All Users in the Domain who have a Digipass User Account. | users-with-dp-useraccount.xml<br />
Users without a DP User Account | All Users in the Domain who do not have a Digipass User Account. | users-without-dp-useraccount.xml<br />
Assigned Digipass | All Digipass in the Domain that are assigned. | assigned-dp.xml<br />
Unassigned Digipass | All Digipass in the Domain that are currently unassigned, excluding any Reserved Digipass. | unassigned-dp.xml<br />
Locked DP User Accounts | All Users in the Domain whose Digipass User Account is Locked. | locked-dp-user-accounts.xml<br />
2.3.2 Using the Custom Search for Digipass<br />
To perform a search for Digipass:<br />
1. Right-click on the Organizational Unit in which to search, or the domain root.<br />
2. Click on Find...<br />
3. Select the Digipass object type from the Find: drop down list.<br />
4. Use the Digipass tab to specify the search criteria. Almost all the Digipass search<br />
criteria can be set using the form on this tab.<br />
5. If you are searching on any criteria that do not appear on the Digipass tab, use the<br />
Advanced tab:<br />
a. Click on the Advanced tab.<br />
b. Click on Field and select the required attribute from the list.<br />
c. Enter the search Condition and Value, then click Add.<br />
d. Repeat with additional Fields.<br />
6. Click Find Now to execute the search. Multiple criteria are applied using the logical<br />
AND – all criteria must be met for a Digipass to be found.<br />
The available criteria are listed in the following table:<br />
Table 5: Custom Active Directory Search criteria - Digipass<br />
Tab | Field Name | Usage<br />
Digipass | Serial Number | Exact Serial Number (as seen in Digipass properties); Serial Number with wildcard*; First Serial Number in range, when used with To field.<br />
Digipass | (Serial Number) To | Last Serial Number in range.<br />
Digipass | Digipass Type | Digipass Type, eg. DP300. Wildcard* allowed.<br />
Digipass | Application Name | Application Name, eg. GO3DEFAULT. Wildcard* allowed. This will find Digipass that have an Active application of the specified name**.<br />
Digipass | Application Type | Application Type: Response Only, Challenge/Response. This will find Digipass that have an Active application of the specified type**.<br />
Digipass | Digipass Assignment | Assignment status: Assigned, Unassigned.<br />
Digipass | Reserved | Reserved status: Reserved, Not Reserved.<br />
Advanced | Application Name | Conditions: Starts with, Ends with, Is (Exactly), Is Not. Values: Application Name (complete or partial). This will find Digipass that have an Active application of the specified Application Name criteria**.<br />
Advanced | Application Type | Conditions: Is (Exactly), Is Not. Values: RO (Response Only), CR (Challenge/Response), SG (Signature). This will find Digipass that have an Active application of the specified Application Type criteria**.<br />
Advanced | Backup Virtual Digipass Enabled | Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is Not, Not Present. Values: 0 (Default), 1 (No), 2 (Yes - Permitted), 3 (Yes - Required), 4 (Yes - Time Limited). Note that Digipass with 'Default' for this setting may either have 0 for this attribute or may not have the attribute present.<br />
Advanced | Digipass Type | Conditions: Starts with, Ends with, Is (Exactly), Is Not. Values: Digipass Type (complete or partial).<br />
Advanced | Reserved | Conditions: Is (Exactly), Is Not. Values: 0 (No), 1 (Yes). This attribute is always present.<br />
Advanced | Serial Number | Conditions: Starts with, Ends with, Is (Exactly), Is Not. Values: Serial Number, as seen in Digipass properties (complete or partial).<br />
Advanced | User Assignment Link | Conditions: Present, Not Present. Values: N/A. If this attribute is present, the Digipass is assigned; if not present, the Digipass is unassigned.<br />
* For a wildcard, the * character is used.<br />
** Search criteria on Digipass Application attributes ignore Inactive Digipass Applications.<br />
Example<br />
A search for Digipass records run with only the following text entered into the Serial Number<br />
field would return these results:<br />
Serial Number entered | Result<br />
0097 | No records returned<br />
0097* | All Digipass with serial number starting with 0097<br />
0097987654 | Digipass with serial number 0097987654 only<br />
*76 | All Digipass with serial number ending in 76<br />
2.3.3 Using the Custom Search for Users<br />
To perform a search for Users:<br />
1. Right-click on the Organizational Unit in which to search, or the domain root.<br />
2. Click on Find...<br />
3. Select the Users, Contacts, and Groups object type from the Find: drop down list.<br />
4. If you have search criteria that are not related to Digipass, specify them as usual.<br />
5. To specify Digipass related search criteria, use the Advanced tab:<br />
a. Click on the Advanced tab.<br />
b. Click on Field, select the User submenu and select the required attribute from the<br />
list.<br />
c. Enter the search Condition and Value, then click Add.<br />
d. Repeat with additional Fields.<br />
6. Click Find Now to execute the search. Multiple criteria are applied using the logical<br />
AND – all criteria must be met for a User to be found.<br />
The available criteria are listed in the following table:<br />
Table 6: Custom Active Directory Search criteria - Users<br />
Field Name | Usage<br />
Digipass Assignment Link | Conditions: Present, Not Present. Values: N/A. If this attribute is present, a Digipass is assigned to the User; if not present, no Digipass is assigned.<br />
Digipass Back-End Authentication | Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is Not, Not Present. Values: 0 (Default), 1 (None), 2 (If Needed), 3 (Always). Note that Users with 'Default' for this setting may either have 0 for this attribute or may not have the attribute present.<br />
Digipass Local Authentication | Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is Not, Not Present. Values: 0 (Default), 1 (None), 2 (Digipass/Password), 3 (Digipass Only). Note that Users with 'Default' for this setting may either have 0 for this attribute or may not have the attribute present.<br />
Digipass User Account Create Time | Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is Not, Present, Not Present. Values: Number of seconds since 1st Jan 1970 00:00:00 that the Digipass User account was created. If this attribute is present, the User has a Digipass User account; if not present, the User does not.<br />
Digipass User Account Disabled | Conditions: Is (Exactly), Is Not, Not Present. Values: 0 (No), 1 (Yes). If this attribute is not present, the account is not disabled*.<br />
Digipass User Account Lock Count | Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is Not, Not Present. Values: current count of failed logins since last successful login. If this attribute is not present, it is treated as 0.<br />
Digipass User Account Locked | Conditions: Is (Exactly), Is Not, Not Present. Values: 0 (No), 1 (Yes). If this attribute is not present, the account is not locked*.<br />
Digipass User Account Modify Time | Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is Not, Present, Not Present. Values: Number of seconds since 1st Jan 1970 00:00:00 that the Digipass User account was last modified.<br />
Digipass User Account Password | This field does not have practical value as a search field, but is listed by Active Directory anyway.<br />
Digipass User Attributes | This field is not currently used.<br />
Digipass User to User Link | Conditions: Present, Not Present. Values: N/A. If this attribute is present, the Digipass User account is linked to another Digipass User account; if not present, there is no link.<br />
* If you specify Is Not 1, the results will include Users who do not have the attribute set, in<br />
addition to those who have the attribute set to 0.<br />
Example<br />
A search for Digipass User accounts where the Local Authentication setting has a value other<br />
than Default would use the following criteria:<br />
Digipass Local Authentication Greater than or equal to 1<br />
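As an added example (not VASCO's code), the Python below expresses the Advanced-tab conditions from Tables 5 and 6 as LDAP filters and evaluates them against constructed sample records, so that the footnote behaviours (Is Not 1 also matching absent attributes; Default stored as 0 or not present) can be checked; the mapping from Find-dialog field names to the Table 2 attributes is an assumption.

```python
"""Translate the Find dialog's Advanced-tab criteria (Tables 5 and 6) into
LDAP filters and evaluate them against constructed sample records.
Added example, not VASCO code. Attribute names are taken from Table 2; the
display-name-to-attribute mapping and the sample records are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed mapping from Find-dialog field names to the Table 2 attributes.
DISPLAY_TO_ATTR = {
    "Serial Number": "vasco-SerialNumber",
    "Digipass Type": "vasco-TokenType",
    "Digipass Assignment Link": "vasco-LinkUserExtToVascoDigipass",
    "Digipass Local Authentication": "vasco-LocalAuth",
    "Digipass Back-End Authentication": "vasco-BackEndServerAuth",
    "Digipass User Account Disabled": "vasco-Disable",
    "Digipass User Account Create Time": "vasco-CreateTime",
}


def escape_value(value: str) -> str:
    """RFC 4515 escaping: a literal '*', '(' or ')' typed into the Value box
    must not be interpreted as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


@dataclass(frozen=True)
class Criterion:
    field_name: str
    condition: str
    value: Optional[str] = None

    @property
    def attr(self) -> str:
        return DISPLAY_TO_ATTR[self.field_name]

    def ldap(self) -> str:
        a, v = self.attr, escape_value(self.value or "")
        forms = {
            "Is (Exactly)": f"({a}={v})",
            "Is Not": f"(!({a}={v}))",  # also matches records lacking the attribute
            "Starts with": f"({a}={v}*)",
            "Ends with": f"({a}=*{v})",
            "Greater than or equal to": f"({a}>={v})",
            "Less than or equal to": f"({a}<={v})",
            "Present": f"({a}=*)",
            "Not Present": f"(!({a}=*))",
        }
        return forms[self.condition]

    def matches(self, record: Dict[str, str]) -> bool:
        actual, c, v = record.get(self.attr), self.condition, self.value
        if c == "Present":
            return actual is not None
        if c == "Not Present":
            return actual is None
        if c == "Is Not":
            return actual != v  # Table 6 footnote: an absent attribute satisfies Is Not
        if actual is None:
            return False  # every other condition needs a stored value
        if c == "Is (Exactly)":
            return actual == v
        if c == "Starts with":
            return actual.startswith(v)
        if c == "Ends with":
            return actual.endswith(v)
        if c == "Greater than or equal to":
            return int(actual) >= int(v)  # integer-syntax attributes compare numerically
        if c == "Less than or equal to":
            return int(actual) <= int(v)
        raise ValueError(f"unknown condition {c!r}")


def and_filter(criteria: Iterable[Criterion]) -> str:
    """Find Now combines all criteria with logical AND."""
    return "(&" + "".join(c.ldap() for c in criteria) + ")"


def find(records: Dict[str, Dict[str, str]], criteria: List[Criterion]) -> List[str]:
    """Return the DNs of the records satisfying every criterion."""
    return [dn for dn, rec in records.items() if all(c.matches(rec) for c in criteria)]


# Constructed sample User records; an absent key means the attribute is not
# present, which is the 'Default' state the tables describe.
SAMPLE_USERS = {
    "CN=alice": {"vasco-LocalAuth": "3", "vasco-Disable": "0",
                 "vasco-LinkUserExtToVascoDigipass": "CN=0097987654"},
    "CN=bob": {"vasco-LocalAuth": "0", "vasco-Disable": "1"},
    "CN=carol": {},
}

# The example from 2.3.3: Local Authentication set to anything other than Default.
NON_DEFAULT_LOCAL_AUTH = [Criterion("Digipass Local Authentication",
                                    "Greater than or equal to", "1")]
```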
2.4 Active Directory Replication Issues<br />
Active Directory replication is not instantaneous. Intra-site replication is usually quite fast,<br />
especially under Windows Server 2003, but changes on one Domain Controller may still take<br />
several minutes to be replicated to other Domain Controllers. Inter-site replication may be<br />
quite slow – an hour or more between replications is common.<br />
Replication occurs when more than one Domain Controller exists in a domain.<br />
2.4.1 Old Data Used After Attribute Modified<br />
The time period between replications becomes a problem where information is changed on one<br />
Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is<br />
used on another Domain Controller before the changed information has been replicated to it.<br />
There are a few scenarios where this may occur. These are listed below:<br />
2.4.1.1 Single Authentication Server using more than one Domain<br />
Controller<br />
A single Authentication Server may make a change to a record, have to switch to another<br />
Domain Controller, and read the same record – where the change has not yet been applied.<br />
Example<br />
A User logs in with an OTP, and the Authentication Server connects to DC-01 to retrieve and<br />
update the Digipass data. The connection to the DC-01 fails soon after login, before<br />
replication has occurred. The User needs to log in again, and the Authentication Server<br />
connects to DC-02 this time. The User can log in using the same OTP as the last login – the<br />
login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that<br />
the OTP has been previously used.<br />
Time | DC-01 | DC-02<br />
8:32 | Replication occurs between DC-01 and DC-02.<br />
8:34 | User logs in with OTP 10457920. The Authentication Server records the use of the OTP in the Digipass record. |<br />
8:35 | Connection to DC-01 is broken, and the Authentication Server switches to DC-02. |<br />
8:35 | | User retries login using same OTP 10457920. The login succeeds where it should have failed (OTP replay). The Authentication Server records the use of the OTP in the Digipass record.<br />
8:37 | Replication occurs: Digipass record changes are replicated between DC-01 and DC-02.<br />
The example timeline above shows the sequence of events.<br />
2.4.1.2 Administrator and Authentication Server using different Domain<br />
Controllers<br />
The administrator may not be connected to the same Domain Controller (via the<br />
<strong>Administration</strong> Interfaces) as the Authentication Server.<br />
Example<br />
An administrator changes a User's Server PIN through the Active Directory Users and<br />
Computers extension, which is connected to DC-01. The Authentication Server connects to<br />
DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet<br />
aware of the change of Server PIN.<br />
Time | DC-01 | DC-03<br />
9:02 | Replication occurs between DC-01 and DC-03.<br />
9:03 | Administrator changes a User's Server PIN from 1234 to 9876. |<br />
9:04 | | User attempts to log in using new PIN (9876) and the login fails.<br />
9:05 | Replication occurs: Digipass record changes are replicated between DC-01 and DC-03.<br />
The example timeline above shows the sequence of events.<br />
2.4.1.3 Multiple Authentication Servers Using Different Domain Controllers<br />
Multiple Authentication Servers may connect to different Domain Controllers in a domain or<br />
site.<br />
Example<br />
A User changes their own PIN during a login through one Authentication Server which<br />
connects to DC-01. The server on which the Authentication Server is installed becomes<br />
unavailable, and the User attempts another login via the Authentication Server on a backup<br />
server, which connects to DC-02. The login fails because DC-02 is not yet aware of the<br />
change of Server PIN.<br />
Time | DC-01 | DC-02<br />
11:54 | Replication occurs between DC-01 and DC-02.<br />
11:55 | User changes their Server PIN from 1234 to 9876 during login. The Authentication Server records the PIN change in the Digipass record. |<br />
11:57 | | User attempts to log in using new PIN (9876) and the login fails.<br />
11:59 | Replication occurs: Digipass record changes are replicated between DC-01 and DC-02.<br />
The example timeline above shows the sequence of events.<br />
2.4.1.4 Two Administrators Modifying the Same Attribute<br />
Two administrators attempt to modify the same attribute on a single User account or Digipass<br />
record within the same replication interval. The later modification will overwrite the earlier<br />
when replication occurs.<br />
2.4.2 Old Data Used Overwrites New Data<br />
The problems above are exacerbated when the record on the second Domain Controller is<br />
updated based on the old information it still holds. As the updated record on the second<br />
Domain Controller now has a later modification date, the end result is that the changed<br />
information on the first Domain Controller is overwritten incorrectly.<br />
Example<br />
An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User<br />
logs in through the Authentication Server, which connects to DC-02. The User enters the new<br />
Server PIN and his One Time Password. However, the PIN set on DC-01 has not yet been<br />
replicated to DC-02, so because the PIN entered does not match the old PIN still recorded in<br />
the Digipass record on DC-02, the login fails.<br />
Because the Policy setting of Identification Threshold is in use, his login failure is written<br />
back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the<br />
latest modification date – and is copied to DC-01, wiping out the original PIN setting made<br />
by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server<br />
PIN for the Digipass.<br />
Time | DC-01 | DC-02<br />
10:45 | Replication occurs between DC-01 and DC-02.<br />
10:46 | Administrator changes User's PIN from 9876 to 1234. |<br />
10:48 | | User login (with new PIN of 1234) fails. Authentication Server writes failure information to Digipass record.<br />
10:50 | Replication occurs: Active Directory finds the last instance of the Digipass blob having been modified, and overwrites the DC-01 Digipass record with the DC-02 Digipass record.<br />
The example timeline above shows how the problem can occur.<br />
The problem shown in the example above may also occur with a Force PIN Change set by an<br />
administrator.<br />
2.4.3 Factors Affecting Replication Issues<br />
A number of factors determine the likelihood and severity of the Active Directory issues<br />
described:<br />
Redundancy and load-balancing settings for the Authentication Server<br />
There are a number of Authentication Server configuration settings which may affect<br />
replication issues:<br />
Preferred Server<br />
The Authentication Server will attempt to connect to the named Domain Controller,<br />
rather than simply polling the domain for an available Domain Controller.<br />
Preferred Server Only<br />
The Authentication Server may be restricted to connecting only to the Domain Controller<br />
named in the above setting. If this is enabled, the Authentication Server will not switch<br />
to any other Domain Controller, so it will never retrieve data older than its own.<br />
Max. Bind Lifetime<br />
The maximum bind lifetime controls how long the Authentication Server will stay<br />
connected to a Domain Controller before polling the domain for a Domain Controller<br />
connection.<br />
Replication Interval<br />
In Windows 2000, the intra-site replication interval can be configured – the default is 5<br />
minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is<br />
set to approximately 15 seconds, as replication is much more efficient.<br />
Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003.<br />
The longer the replication interval, the greater the likelihood of these problems occurring.<br />
Number of Domain Controllers in the Site<br />
Each Domain Controller regularly requires replication with all other local Domain Controllers.<br />
As this is done sequentially, it will affect the amount of time between replications.<br />
2.4.4 Solutions and Mitigations<br />
2.4.4.1 Digipass Cache<br />
The Digipass cache collects Digipass records as they are modified, and keeps them in memory<br />
for a certain length of time. A newer entry from the cache is always used in preference to an<br />
older record from Active Directory. The cache age should be a little longer than the typical<br />
replication interval. The default is 10 minutes (600 seconds).<br />
This option will help with problems caused by a single Authentication Server accessing more than<br />
one Domain Controller in a domain (see 2.4.1.1 Single Authentication Server using more<br />
than one Domain Controller). However, it will not affect the scenario of an <strong>Administration</strong><br />
Interface being connected to a different Domain Controller from the Authentication Server.<br />
If you calculate that your typical replication interval will be more than ten minutes, the cache<br />
age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file<br />
(\bin\dpauthserver.xml):<br />
<br />
<br />
<br />
<br />
<br />
<br />
A large cache may slow down processing slightly for the Authentication Server, so monitor<br />
performance to check the impact caused after modifying the cache age.<br />
Warning<br />
If the Authentication Server is installed on a Member Server, this server must<br />
be closely time-synchronized with the Domain Controller(s). If the server is<br />
not time-synchronized, the Policy may select an older record when comparing<br />
records in the Digipass cache with those on the Domain Controller.<br />
If the Authentication Server is installed on a Domain Controller, time-synchronization is assumed.<br />
© 2007 VASCO Data Security Inc. 29
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Active Directory Schema<br />
2.5 DPADadmin Utility<br />
2.5.1 Extend Active Directory Schema<br />
The addschema command is used to create all the Active Directory Schema extensions, if<br />
they are not already there. Each element will be checked individually to see if it is already<br />
there and if not, will be added.<br />
This command is intended to be run manually by a domain administrator before the main<br />
<strong>VACMAN</strong> <strong>Middleware</strong> installation is run, as recommended by Microsoft.<br />
It may be necessary to go through an approval process in your company before running this<br />
command, as it involves changes to Active Directory Schema. You may also need to have<br />
another administrator run the command for you, possibly in another part of your network. This<br />
depends on your company’s structure and rules for Active Directory control.<br />
Prerequisite Information<br />
Schema Master Machine<br />
This command may technically be run on any Windows 2000, XP or 2003 machine; however, it<br />
needs to contact the Domain Controller which holds the Schema Master role. There can be only<br />
one Domain Controller in the Forest with that role. It may be simplest to run the command<br />
directly on the Schema Master, to avoid any potential connectivity or permission issues.<br />
Warning<br />
If you are passing the credentials to the command in the parameters, and you are not<br />
running the command on the Schema Master, check that you do not have any shares on the<br />
Schema Master open. This will cause the command to fail.<br />
Domain Administrator Account<br />
In order to successfully update the Schema, you must know the username and password of a<br />
Domain Administrator account that is able to log into the Schema Master. You must either run<br />
the command while logged in as that user, or pass the credentials to the command in the<br />
parameters. The Domain Administrator must have permission to extend the Schema – they<br />
must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain<br />
created in the Forest).<br />
Schema Changes Allowed<br />
By default, Active Directory does not permit Schema extensions to be made. There is a registry<br />
setting that must be changed to allow extensions. If this is not already set, DPADadmin will<br />
ask you whether it should change the setting itself or not. If you click on Yes, it will change<br />
the setting itself, make the extensions then change it back again.<br />
If you would prefer to change the setting manually, log into the Schema Master and change<br />
the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\<br />
Parameters\Schema Update Allowed registry key to 1, adding it as a value of type<br />
DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is<br />
installed on the machine, this can be used to enable or disable Schema extensions.<br />
If you have disabled the Schema extensions after removing a previous installation in the<br />
Forest, reactivate them before using this command. This can be done using the Schema<br />
Manager MMC snap-in used to deactivate them.<br />
Extend the Schema on the Schema Master<br />
1. Log into the Schema Master as a member of the Schema Administrators group.<br />
2. Copy dpadadmin.exe onto the Schema Master<br />
3. Open a command prompt in the location to which it was copied.<br />
4. Type:<br />
dpadadmin addschema<br />
5. If DPADadmin detects that Schema extensions are not currently permitted, it will<br />
prompt you whether to enable them or not. Enter y to enable them, or n to cancel.<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window. If there was a failure, it can be run again after the problem has been rectified.<br />
Extend the Schema on the <strong>VACMAN</strong> <strong>Middleware</strong> Server<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpadadmin addschema -master schema_master -u user_name -p password<br />
3. See 2.5.1 Command Line Syntax for more details regarding the required parameters.<br />
4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to<br />
enable them. Enter y to enable them, or n to cancel.<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window. If there was a failure, it can be run again after the problem has been rectified.<br />
Command Line Syntax<br />
dpadadmin addschema [-master schema_master] [-u user_name [-p password]] [-q]<br />
Table 7: DPADadmin addschema Command Line Options<br />
Option Description<br />
-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be omitted if the command is run directly on the Schema Master.<br />
-u User name of a Domain Administrator in the Schema Administrators group. This option may be omitted if you are logged into the machine as that Domain Administrator when you run the command.<br />
-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain Administrator or if they have a blank password.<br />
-q Quiet mode, will not output commentary text.<br />
DPADadmin addschema Command Sample<br />
dpadadmin addschema -master dc1.vasco.com -u schema_admin -p sa_password<br />
2.5.2 Set Up Digipass Containers in Domain<br />
This command sets up the Digipass-Pool and Digipass-Reserve containers in the specified<br />
domain. It can optionally set up the Digipass-Configuration container also.<br />
2.5.2.1 Prerequisite Information<br />
Domain Administrator<br />
You must be logged into the machine as a Domain Admin in the target domain.<br />
2.5.2.2 Set Up Digipass Configuration Container<br />
1. Log into the machine as a Domain Administrator in that Domain.<br />
2. Copy dpadadmin.exe onto the machine and open a command prompt in the location<br />
to which it was copied.<br />
3. Type:<br />
dpadadmin setupdomain -config<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window.<br />
2.5.2.3 Command Syntax<br />
dpadadmin setupdomain [-config] [-domain ] [-q]<br />
Table 8: DPADadmin setupdomain Command Line Options<br />
Option Description<br />
-config OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration container must be created.<br />
-domain OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current machine belongs will be used.<br />
-q OPTIONAL. Specifies that quiet mode should be used.<br />
DPADadmin setupdomain Command Sample<br />
dpadadmin setupdomain -config -q<br />
2.5.3 Assign Digipass Permissions to a Group<br />
This command assigns Digipass-specific permissions to a Windows group, applicable at the<br />
domain root and downwards. The permissions assigned are:<br />
Full read access to everything in the domain<br />
Full control over vasco-DPToken objects<br />
Full control over vasco-DPApplication objects<br />
Full write access to vasco-UserExt auxiliary objects<br />
2.5.3.1 Pre-requisites<br />
You must be logged into the machine as a Domain Admin in the target domain.<br />
2.5.3.2 Command Syntax<br />
dpadadmin.exe setupaccess -group [-domain ] [-q] [-c]<br />
Table 9: DPADadmin setupaccess Command Line Options<br />
Option Description<br />
-group MANDATORY. Specify the name of the group to assign the permissions. Double-quotes are required if there are any spaces.<br />
-domain OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or user belongs. If omitted, the domain to which the current machine belongs will be used.<br />
-q OPTIONAL. Specify that quiet mode should be used.<br />
-c OPTIONAL. Add the local computer to the group named.<br />
DPADadmin setupaccess Command Sample<br />
dpadadmin.exe setupaccess -group "RAS and IAS Servers" -q<br />
2.5.4 Delete all Digipass-Related Data from Active Directory<br />
Digipass-specific information is not removed from Active Directory when <strong>VACMAN</strong> <strong>Middleware</strong><br />
is uninstalled from a computer.<br />
A custom VB script is available which will strip all information related to the Authentication<br />
Server from a domain. The data removed includes:<br />
Digipass-Configuration container if present<br />
Policy and Component records in container<br />
Digipass-Pool container if present<br />
Digipass records in container<br />
Digipass-Reserve container if present<br />
Digipass records in container<br />
All Digipass in the domain, including all Digipass Applications.<br />
All Digipass User Accounts<br />
Each Digipass User account is deleted by searching for Active Directory Users with the vasco-<br />
CreateTime attribute set (indicating that a Digipass User account has been created for that<br />
User). All vasco-UserExt attributes on the Active Directory User are reset.<br />
Note<br />
The script must be run in each domain from which data is to be removed.<br />
2.5.4.1 Run Delete Script on a Domain<br />
1. Get dpDeleteAll.vbs file from the CD \Windows\Utilities\VBScript directory and copy to<br />
the computer where you will run the command.<br />
2. Open cmd prompt, logged in as domain admin in the domain required.<br />
3. Enter the following:<br />
cscript dpDeleteAll.vbs [] [-v]<br />
4. If the machine does not belong to the target domain, specify the domain name<br />
5. If you want record-by-record progress display, specify -v (verbose mode).<br />
Example<br />
cscript dpDeleteAll.vbs dm3.vasco.com -v<br />
3 ODBC Database<br />
3.1 Database Support<br />
Note<br />
An embedded database option is available in the installation program. This will<br />
install PostgreSQL 8.1 for you on the server. However, <strong>VACMAN</strong> <strong>Middleware</strong><br />
supports other ODBC-compliant databases, should you prefer to use your own<br />
database.<br />
<strong>VACMAN</strong> <strong>Middleware</strong> makes use of a limited set of database features, in order to support as<br />
many RDBMS (Relational Database Management Systems) as possible:<br />
Tables (relations) with the following datatypes:<br />
INTEGER (32-bit)<br />
VARCHAR (with the maximum length up to 1024 characters; on Microsoft SQL<br />
Server this is NVARCHAR for Unicode support)<br />
TIMESTAMP (for some databases, this is DATETIME or DATE – this is not an<br />
automatically generated timestamp, but just a date/time field)<br />
Primary Key constraints<br />
Foreign Key constraints, using the default action (restrict) and cascade delete<br />
ANSI Standard SQL DML (Data Manipulation Language) – select, insert, update, delete,<br />
without any vendor-specific syntax<br />
Transactions with simple COMMIT and ROLLBACK (no 'save points' or equivalents)<br />
In order for a database to be supported, there must be an ODBC level 3 driver that<br />
supports:<br />
Multi-threaded access using multiple concurrent connections<br />
'Wide char' (Unicode) parameters for input and output<br />
The following databases have been specifically tested:<br />
Oracle 10g<br />
Microsoft SQL Server 2000, 2005<br />
IBM DB2 8.2<br />
Sybase Adaptive Server Anywhere 9.0<br />
PostgreSQL 8.1<br />
3.1.1 Unicode Support<br />
At a minimum, the database ODBC driver must allow the 'wide char' parameters to be used, as<br />
mentioned above. However, the underlying database does not necessarily need to be<br />
configured with Unicode support. The database only needs to be able to handle the characters<br />
that are actually used.<br />
If you do want full Unicode support in the database, refer to the database vendor's<br />
instructions. Normally, a database has to be created with Unicode storage from the start.<br />
Depending upon the database type, some of the columns in the database need to be increased<br />
in size, to handle multi-byte UTF-8 encoded data. The database documentation should indicate<br />
whether VARCHAR columns are defined by number of characters or number of bytes.<br />
3.2 Embedded Database<br />
The embedded database option supplied with <strong>VACMAN</strong> <strong>Middleware</strong> uses PostgreSQL 8.1. The<br />
database server is installed as a Service and a single database created. This database has full<br />
Unicode support.<br />
The full PostgreSQL install package is used, so the database administration tools and<br />
documentation are available.<br />
3.2.1 Service Account<br />
A local Windows account called dppostgres is created on the installation machine. This account<br />
is given privileges to log on as a service and locally. If installed on a domain controller, this<br />
account will be a domain account. The privileges to log on locally may be removed manually<br />
after installation if preferred, without preventing PostgreSQL from running.<br />
Note<br />
The dppostgres account is not automatically deleted upon uninstallation of<br />
<strong>VACMAN</strong> <strong>Middleware</strong>.<br />
The default password for dppostgres is p!ss&0rd. This can be changed using the standard<br />
Windows or Active Directory user management interface. If you do this, make sure that the<br />
Windows Service Control Manager is configured with the new password. The PostgreSQL<br />
service is PostgreSQL Database Server 8.1.<br />
If you have changed the password and later uninstall and reinstall the product, either delete<br />
the dppostgres account or change its password back to the default password shown above<br />
before re-installing. Otherwise, the installation will fail.<br />
3.2.2 Database <strong>Administration</strong> Account<br />
A single database administrator account called digipass is created when the embedded<br />
database is installed, with password digipassword. It has full administration and access rights<br />
to the database.<br />
This account is used by the Authentication Server to connect to the database. If you use an<br />
SQL or database administration tool to connect to the database, you can also use this account.<br />
If you want to change the password, you can do this using the pgAdmin III utility. See 3.2.3<br />
Database <strong>Administration</strong> below.<br />
3.2.3 Database <strong>Administration</strong><br />
The full set of PostgreSQL administration tools are installed with the embedded database. For a<br />
full description, refer to the PostgreSQL documentation that is installed.<br />
The main tool to use is pgAdmin III, which is a graphical administration interface. This can<br />
be launched by clicking on the Start Button and selecting Programs -> PostgreSQL 8.1 -><br />
pgAdmin III.<br />
To connect to the database, right-click on the Servers -> PostgreSQL Database Server 8.1<br />
node in the tree pane and select the Connect option. You will be prompted for the password<br />
for the digipass user – the default after installation is digipassword.<br />
After logging in, you can perform a range of database administration tasks. See the online help<br />
for more details on what can be done with the utility.<br />
The 6 Backup and Recovery section includes instructions on the pg_dump, pg_restore and<br />
vacuumdb utilities.<br />
3.2.3.1 Changing the Digipass User's Password<br />
1. Run pgAdmin III and connect as described above.<br />
2. Expand the Login Roles node in the tree pane.<br />
3. Right-click on the digipass node underneath and select Properties.<br />
4. Enter the new Password and confirm it in Password (again).<br />
5. Click on OK.<br />
6. Open the Authentication Server Configuration GUI: click on the Start Button and select<br />
Programs -> VASCO -> <strong>VACMAN</strong> <strong>Middleware</strong> 3 -> Authentication Server<br />
Configuration.<br />
7. Change to the ODBC Connection tab.<br />
8. Click on the Digipass Authentication Server row in the Data Sources list and click the<br />
Edit... button.<br />
9. Modify the Password field with the new password and click OK.<br />
10. Click OK to exit Authentication Server Configuration. When prompted to restart the<br />
Service, click Yes.<br />
3.2.4 Connection Limitations<br />
The embedded database install leaves PostgreSQL with its default configuration, in which<br />
connections to the database may only be made from the same machine. If you need to connect<br />
to the database from another machine, you need to update the configuration.<br />
In order to allow connection from another machine, you need to modify a PostgreSQL<br />
configuration file. Edit the file \PostgreSQL\data\pg_hba.conf with a text<br />
editor. At the bottom of this file, there is a list of rules for authenticating connections to the<br />
database, which by default will be:<br />
# TYPE DATABASE USER CIDR-ADDRESS METHOD<br />
# IPv4 local connections:<br />
host all all 127.0.0.1/32 md5<br />
# IPv6 local connections:<br />
#host all all ::1/128 md5<br />
Refer to the PostgreSQL documentation for more details. As an example, to permit access from<br />
IP address 10.10.1.50 by the digipass user to the postgres database, add the following line<br />
directly below # IPv4 local connections:<br />
host postgres digipass 10.10.1.50/32 md5<br />
3.3 Database Schema<br />
Digipass-related data is stored in a number of tables that are created using the DPDBadmin<br />
command line utility:<br />
Table 10: ODBC Database Tables<br />
Table Name Notes<br />
vdsControl This table is used to control various details about the database schema and connection.<br />
vdsUser Contains Digipass User Account details.<br />
vdsUserAttr Authorization profiles/attributes (not used for all scenarios).<br />
vdsDigipass Information about individual Digipass, including the Digipass User to which they are assigned.<br />
vdsDPApplication Data for Applications belonging to each Digipass, such as Server PIN and expected OTP length.<br />
vdsPolicy Policy attributes. Attributes will commonly be shared via inheritance.<br />
vdsComponent Component attributes include the License Key for Authentication Server Components.<br />
vdsBackEnd Back-End Server attributes. Presently, this table includes RADIUS Servers only.<br />
vdsDomain Domain list.<br />
vdsOrgUnit Organizational Unit structure.<br />
3.3.1 vdsControl Table<br />
Table 11: vdsControl Table<br />
Name Type Required?<br />
vdsName varchar(64) Yes<br />
vdsValue varchar(512)<br />
vdsFlags integer<br />
Primary Key: (vdsName)<br />
Foreign Keys: None<br />
3.3.2 vdsUser Table<br />
Table 12: vdsUser Table<br />
Name Type Required?<br />
vdsDomain varchar(255) Yes<br />
vdsUserId varchar(255) Yes<br />
vdsOrgUnit varchar(255)<br />
vdsUserName varchar(64)<br />
vdsDescription varchar(1024)<br />
vdsPhone varchar(64)<br />
vdsMobile varchar(64)<br />
vdsEmail varchar(64)<br />
vdsStaticPwd varchar(690)*<br />
vdsLinkUserDomain varchar(255)<br />
vdsLinkUserId varchar(255)<br />
vdsLocalAuth integer<br />
vdsBackEndAuth integer<br />
vdsLockCount integer<br />
vdsLocked integer<br />
vdsDisabled integer<br />
vdsProfiles varchar(255)<br />
vdsAdminPrivileges varchar(255)*<br />
vdsCreateTime timestamp Yes<br />
vdsModifyTime timestamp Yes<br />
* This column contains binary data stored in base64-encoded format.<br />
Primary Key: (vdsDomain, vdsUserId)<br />
Foreign Keys:<br />
(vdsDomain) references vdsDomain<br />
(vdsDomain, vdsOrgUnit) references vdsOrgUnit<br />
(vdsLinkUserDomain, vdsLinkUserId) references vdsUser<br />
3.3.3 vdsUserAttr Table<br />
Table 13: vdsUserAttr Table<br />
Name Type Required?<br />
vdsDomain varchar(255) Yes<br />
vdsUserId varchar(255) Yes<br />
vdsAttrGroup varchar(64) Yes<br />
vdsSeqNo integer Yes<br />
vdsName varchar(64) Yes<br />
vdsUsageQual varchar(64)<br />
vdsValue varchar(255)<br />
vdsCreateTime timestamp Yes<br />
vdsModifyTime timestamp Yes<br />
Primary Key: (vdsDomain, vdsUserId, vdsAttrGroup, vdsSeqNo)<br />
Foreign Keys:<br />
(vdsDomain, vdsUserId) references vdsUser (ON DELETE CASCADE)<br />
3.3.4 vdsDigipass Table<br />
Table 14: vdsDigipass Table<br />
Name Type Required?<br />
vdsSerialNo varchar(32) Yes<br />
vdsDomain varchar(255) Yes<br />
vdsOrgUnit varchar(255)<br />
vdsDPType varchar(32)<br />
vdsUserId varchar(255)<br />
vdsAssignDate timestamp<br />
vdsGPExpires timestamp<br />
vdsBVDPEnabled integer<br />
vdsBVDPExpires timestamp<br />
vdsBVDPUsesLeft integer<br />
vdsDirectAssign integer<br />
vdsCreateTime timestamp Yes<br />
vdsModifyTime timestamp Yes<br />
Primary Key: (vdsSerialNo)<br />
Foreign Keys:<br />
(vdsDomain) references vdsDomain<br />
(vdsDomain, vdsOrgUnit) references vdsOrgUnit<br />
(vdsDomain, vdsUserId) references vdsUser<br />
3.3.5 vdsDPApplication Table<br />
Table 15: vdsDPApplication Table<br />
Name Type Required?<br />
vdsSerialNo varchar(32) Yes<br />
vdsApplName varchar(32) Yes<br />
vdsApplNo integer<br />
vdsApplType integer<br />
vdsActive integer<br />
vdsBlob varchar(255)<br />
vdsCreateTime timestamp Yes<br />
vdsModifyTime timestamp Yes<br />
Primary Key: (vdsSerialNo, vdsApplName)<br />
Foreign Keys:<br />
(vdsSerialNo) references vdsDigipass<br />
3.3.6 vdsPolicy Table<br />
Table 16: vdsPolicy Table<br />
Name Type Required?<br />
vdsPolicyId varchar(60) Yes<br />
vdsDescription varchar(255)<br />
vdsParentPolicyId varchar(60)<br />
vdsDUR integer<br />
vdsAutoLearn integer<br />
vdsSPwdProxy integer<br />
vdsAssignMode integer<br />
vdsSearchUpOU integer<br />
vdsApplNames varchar(255)<br />
vdsApplType integer<br />
vdsDPTypes varchar(255)<br />
vdsGracePeriod integer<br />
vdsLocalAuth integer<br />
vdsBackEndAuth integer<br />
vdsBackEndProtocol varchar(32)<br />
vdsDefDomain varchar(255)<br />
vdsGroupList varchar(1024)<br />
vdsGroupMode integer<br />
vdsOSCR integer<br />
vdsOSCLength integer<br />
vdsOSCChkDgt integer<br />
vdsBVDPEnabled integer<br />
vdsBVDPMaxDays integer<br />
vdsBVDPMaxUses integer<br />
vdsChgPinAllowed integer<br />
vdsSelfAssignSep varchar(8)<br />
vdsCRMethod integer<br />
vdsCRKeyword varchar(16)<br />
vdsPVDPRqstMeth integer<br />
vdsPVDPKeyword varchar(16)<br />
vdsBVDPRqstMeth integer<br />
vdsBVDPKeyword varchar(16)<br />
vdsITimeWindow integer<br />
vdsSTimeWindow integer<br />
vdsEventWindow integer<br />
vdsSyncWindow integer<br />
vdsIThreshold integer<br />
vdsSThreshold integer<br />
vdsCheckChal integer<br />
vdsOnlineSG integer<br />
vdsChkInactDays integer<br />
vdsCreateTime timestamp Yes<br />
vdsModifyTime timestamp Yes<br />
vdsLockThreshold integer<br />
Primary Key: (vdsPolicyId)<br />
Foreign Keys:<br />
(vdsParentPolicyId) references vdsPolicy<br />
3.3.7 vdsComponent Table<br />
Table 17: vdsComponent Table<br />
Name Type Required?<br />
vdsComponentType varchar(60) Yes<br />
vdsLocation varchar(255) Yes<br />
vdsPolicyId varchar(80) Yes<br />
vdsProtocolId varchar(32)<br />
vdsTCPPort integer<br />
vdsSharedSecret varchar(690)*<br />
vdsLicenseKey varchar(1024)<br />
vdsPubKey varchar(1024)<br />
vdsCreateTime Timestamp Yes<br />
vdsModifyTime Timestamp Yes<br />
* This column contains binary data stored in base64-encoded format.<br />
Primary Key: (vdsComponentType, vdsLocation)<br />
Foreign Keys:<br />
(vdsPolicyId) references vdsPolicy<br />
3.3.8 vdsBackEnd Table<br />
Table 18: vdsBackEnd Table<br />
Name Type Required?<br />
vdsServerId varchar(80) Yes<br />
vdsProtocolId varchar(32)<br />
vdsDomain varchar(255)<br />
vdsPriority integer<br />
vdsRadAuthAddr varchar(128)<br />
vdsRadAuthPort integer<br />
vdsRadAcctAddr varchar(128)<br />
vdsRadAcctPort integer<br />
vdsRadRetries integer<br />
vdsRadTimeout integer<br />
vdsSharedSecret varchar(690)*<br />
vdsCreateTime Timestamp Yes<br />
vdsModifyTime Timestamp Yes<br />
* This column contains binary data stored in base64-encoded format.<br />
Primary Key: (vdsServerId)<br />
Foreign Keys:<br />
(vdsDomain) references vdsDomain<br />
3.3.9 vdsDomain Table<br />
Table 19: vdsDomain Table<br />
Name Type Required?<br />
vdsDomain varchar(255) Yes<br />
vdsDescription varchar(1024)<br />
vdsCreateTime Timestamp Yes<br />
vdsModifyTime Timestamp Yes<br />
Primary Key: (vdsDomain)<br />
Foreign Keys: None<br />
3.3.10 vdsOrgUnit Table<br />
Table 20: vdsOrgUnit Table<br />
Name Type Required?<br />
vdsDomain varchar(255) Yes<br />
vdsOrgUnit varchar(255) Yes<br />
vdsDescription varchar(1024)<br />
vdsParentOrgUnit varchar(255)<br />
vdsCreateTime Timestamp Yes<br />
vdsModifyTime Timestamp Yes<br />
Primary Key: (vdsDomain, vdsOrgUnit)<br />
Foreign Keys:<br />
(vdsDomain) references vdsDomain<br />
(vdsDomain, vdsParentOrgUnit) references vdsOrgUnit<br />
3.4 Encoding and Case-Sensitivity<br />
When you create the database, depending on the database type, you may have the chance to<br />
select a collation sequence. The collation sequence determines both the sort order and the<br />
case-sensitivity of the database. If you do not have the chance to select the collation<br />
sequence, it is advisable to find out how it is already defined.<br />
The encoding used by the database is important when considering support for non-English<br />
languages. You must ensure that the database will be able to store the data in whatever<br />
languages may be used in your system.<br />
Case-sensitivity is of particular importance when looking up a Digipass User Account. It<br />
determines whether the user must get the correct case for their UserId when logging in. For<br />
example, if your database collation sequence is case-sensitive, user “JSmith” would have to log<br />
in as exactly “JSmith”, not “jsmith”. If you want a case-insensitive User ID and domain lookup,<br />
and your database does not behave this way by default, you have two choices:<br />
Choose a case-insensitive collation sequence for the database.<br />
Use a configuration option in <strong>VACMAN</strong> <strong>Middleware</strong> to convert User ID and domain names<br />
to all upper or all lower case. See 11.1.7.3 User ID and Domain Conversion for more<br />
information.<br />
Caution<br />
Configuration settings for case-sensitivity must be set up in the Configuration<br />
GUI before data is entered into the database.<br />
The Master Domain (named 'master') is an exception, as it is created in the<br />
database when the dpdbadmin addschema command is run. If you will be<br />
configuring the Authentication Server to convert User IDs and domains to<br />
upper case, change the name of the Master Domain before changing the case<br />
settings. See 3.5.1.1 Master Domain for more information.<br />
The embedded database created by the installation program uses UTF-8 encoding. In addition,<br />
as this results in case-sensitive collation, the option to convert User IDs and domain names to<br />
lower case is set by default.<br />
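As an added example (not VASCO's code), the following Python script builds three of the tables from section 3.3 (vdsDomain, vdsUser with its organizational-unit and flag columns left out, and vdsUserAttr) with the primary and foreign keys the tables list, and then exercises the restrict-versus-cascade behaviour and the case-sensitivity problem described above. SQLite, the sample rows and the function names are assumptions for the demonstration; SQLite is not one of the supported databases and is used only because it ships with Python.<br />

```python
# Added example (not VASCO's code): three tables of the section 3.3 schema
# (vdsDomain, vdsUser abbreviated, vdsUserAttr) built in SQLite to show the
# restrict/cascade key behaviour and the section 3.4 case-sensitivity issue.
# SQLite is not a supported VACMAN database; it is used as it ships with Python.
import sqlite3

DDL = """
CREATE TABLE vdsDomain (
    vdsDomain      VARCHAR(255) NOT NULL,
    vdsDescription VARCHAR(1024),
    vdsCreateTime  TIMESTAMP NOT NULL,
    vdsModifyTime  TIMESTAMP NOT NULL,
    PRIMARY KEY (vdsDomain)
);
CREATE TABLE vdsUser (  -- Table 12 without the OU, phone, lock and flag columns
    vdsDomain         VARCHAR(255) NOT NULL,
    vdsUserId         VARCHAR(255) NOT NULL,
    vdsUserName       VARCHAR(64),
    vdsStaticPwd      VARCHAR(690),  -- base64-encoded binary (table note)
    vdsLinkUserDomain VARCHAR(255),
    vdsLinkUserId     VARCHAR(255),
    vdsCreateTime     TIMESTAMP NOT NULL,
    vdsModifyTime     TIMESTAMP NOT NULL,
    PRIMARY KEY (vdsDomain, vdsUserId),
    FOREIGN KEY (vdsDomain) REFERENCES vdsDomain (vdsDomain),
    FOREIGN KEY (vdsLinkUserDomain, vdsLinkUserId) REFERENCES vdsUser (vdsDomain, vdsUserId)
);
CREATE TABLE vdsUserAttr (  -- Table 13
    vdsDomain     VARCHAR(255) NOT NULL,
    vdsUserId     VARCHAR(255) NOT NULL,
    vdsAttrGroup  VARCHAR(64)  NOT NULL,
    vdsSeqNo      INTEGER      NOT NULL,
    vdsName       VARCHAR(64)  NOT NULL,
    vdsUsageQual  VARCHAR(64),
    vdsValue      VARCHAR(255),
    vdsCreateTime TIMESTAMP NOT NULL,
    vdsModifyTime TIMESTAMP NOT NULL,
    PRIMARY KEY (vdsDomain, vdsUserId, vdsAttrGroup, vdsSeqNo),
    FOREIGN KEY (vdsDomain, vdsUserId) REFERENCES vdsUser (vdsDomain, vdsUserId) ON DELETE CASCADE
);
"""

NOW = "2007-01-01 00:00:00"  # constructed timestamp for the sample rows


def open_db(fold_case=False):
    """Build the schema with one constructed user, JSmith in the Master Domain.
    fold_case=True mimics the section 3.4 option that stores User IDs and domain
    names in lower case; per the Caution it must be on before data is entered."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs otherwise
    con.executescript(DDL)
    domain, user = ("master", "jsmith") if fold_case else ("master", "JSmith")
    con.execute("INSERT INTO vdsDomain VALUES (?, 'Master Domain', ?, ?)",
                (domain, NOW, NOW))
    con.execute("INSERT INTO vdsUser (vdsDomain, vdsUserId, vdsCreateTime, "
                "vdsModifyTime) VALUES (?, ?, ?, ?)", (domain, user, NOW, NOW))
    con.execute("INSERT INTO vdsUserAttr VALUES (?, ?, 'RADIUS', 1, "
                "'Framed-IP-Address', NULL, '10.0.0.5', ?, ?)",
                (domain, user, NOW, NOW))
    return con


def lookup_user(con, domain, userid, fold_case=False):
    """Look a user up as a login would. Under a case-sensitive collation (SQLite's
    default, like the UTF-8 embedded database) 'jsmith' never matches 'JSmith'
    unless both the stored and the incoming values were folded to one case."""
    if fold_case:
        domain, userid = domain.lower(), userid.lower()
    row = con.execute("SELECT vdsUserId FROM vdsUser WHERE vdsDomain = ? AND "
                      "vdsUserId = ?", (domain, userid)).fetchone()
    return row[0] if row else None


def count_attrs(con, domain, userid):
    return con.execute("SELECT COUNT(*) FROM vdsUserAttr WHERE vdsDomain = ? "
                       "AND vdsUserId = ?", (domain, userid)).fetchone()[0]


def delete_user(con, domain, userid):
    """Delete a user; ON DELETE CASCADE removes its vdsUserAttr rows as well."""
    con.execute("DELETE FROM vdsUser WHERE vdsDomain = ? AND vdsUserId = ?",
                (domain, userid))
    return count_attrs(con, domain, userid)


def delete_domain(con, domain):
    """Domains use the default (restrict) action: the delete is refused while a
    user still references the domain. Returns True only if it went through."""
    try:
        con.execute("DELETE FROM vdsDomain WHERE vdsDomain = ?", (domain,))
        return True
    except sqlite3.IntegrityError:
        return False
```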
3.5 Domains and Organizational Units<br />
The concepts of Domain and Organizational Unit are present in <strong>VACMAN</strong> <strong>Middleware</strong> for the<br />
purpose of grouping users. They closely match the concepts of the same names in Active<br />
Directory/LDAP, but they are not identical.<br />
3.5.1 Domains<br />
Domains are essentially separate sub-databases of Digipass User Accounts and Digipass. All<br />
Digipass User Accounts and Digipass must belong to a Domain. The Domain is used as a<br />
naming scope for the UserId – it is allowed to have two different Digipass User Accounts with<br />
the same UserId, so long as they are in different Domains.<br />
3.5.1.1 Master Domain<br />
When the <strong>VACMAN</strong> <strong>Middleware</strong> is installed, a single Domain will be created in the database, the<br />
Master Domain. By default, all new Digipass User Accounts and Digipass will be created in<br />
that Domain.<br />
A Domain must be chosen for a Digipass User account when it is created, as the Domain<br />
makes up part of the identification (primary key) for the account. A Digipass User account may<br />
not be moved to a different Domain. It must be deleted and recreated in the required Domain.<br />
Digipass, however, may be moved to the required Domain after importation. The 'primary key'<br />
of the Digipass record consists only of its Serial Number, which cannot be duplicated in<br />
different Domains.<br />
A Digipass that is assigned to a Digipass User Account must belong to the same Domain as the<br />
account. Therefore, you need to ensure that the correct numbers of Digipass are allocated to<br />
the different Domains.<br />
If you do not need to use the concept of Domains in your system, then you can leave all<br />
Digipass User Accounts and Digipass in the Master Domain. You can designate a different<br />
Domain as the Master Domain using the Authentication Server Configuration interface,<br />
Configure Advanced Settings screen.<br />
Administrators belonging to the Master Domain may be assigned administration privileges for<br />
all Domains in the database, or just their own Domain. Administrators belonging to any other<br />
Domain will have the assigned administration privileges for that Domain only.<br />
Modify the Master Domain<br />
You might need to modify the domain used as the Master Domain if:<br />
You want new Digipass User accounts and Digipass records to be created in a different<br />
domain by default<br />
You want to change the name of the Master Domain<br />
The case used in the name of the Master Domain will not be compatible with<br />
Authentication Server configuration settings.<br />
For instructions on changing the domain used as the Master Domain, see 11.1.7.4 Master<br />
Domain.<br />
3.5.1.2 Identifying the Domain for a Login Attempt<br />
As the Domain is part of the naming scope for a Digipass User Account, the Domain must be<br />
identified when a user attempts to log in.<br />
Image 1: Domain Identification Logic<br />
When Windows Back-End Authentication is used, the Domain of a Digipass User Account must<br />
match the Domain of their corresponding Windows user account. In this situation, the Use<br />
Windows User Name Resolution feature would typically be used, in case the same user logs<br />
in with different Windows user name formats (DOMAIN\userid, userid@domain.com, userid).<br />
You can enable this feature using the Authentication Server Configuration interface,<br />
Configure Advanced Settings screen.<br />
Without Windows name resolution, a simple rule is applied to identify the Domain of a user<br />
who is logging in: if the UserId is in the form userid@domain, and there is a Domain with the<br />
given domain name, that Domain will be used. In that case, the UserId will have the @domain<br />
part removed. Otherwise, the whole UserId will remain as userid@domain and no Domain will<br />
be identified.<br />
If through either kind of name resolution, no Domain is identified, the applicable Policy is<br />
checked for a Default Domain. The Default Domain is used if it is specified in the Policy.<br />
Otherwise, the Master Domain is used as a default.<br />
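The rule described above, worked through as an added Python example (not VASCO's code): `identify_domain` applies the simple userid@domain rule, then the Policy's Default Domain, then the Master Domain. The set of Domain names, the `Policy` class and the choice to split at the last `@` are assumptions made for the illustration.<br />

```python
"""Domain identification for a login attempt, as described in 3.5.1.2.

Added illustration for this page, not VASCO's code. It models the simple rule
used when Windows User Name Resolution is off: a 'userid@domain' UserId is
split only if a Domain with that name exists; otherwise the Policy's Default
Domain and then the Master Domain apply. Lower-casing mirrors the default
case-conversion option mentioned for the UTF-8 embedded database.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    # Hypothetical minimal Policy record: only the Default Domain matters here.
    name: str
    default_domain: Optional[str] = None


def normalize(value: str, lower_case: bool) -> str:
    # With a case-sensitive collation, the conversion option makes
    # 'Alice@Sales' and 'alice@sales' resolve to the same account.
    return value.lower() if lower_case else value


def identify_domain(user_id: str, domains: Set[str], policy: Policy,
                    master_domain: str, lower_case: bool = True) -> Tuple[str, str]:
    """Return (domain, user_id) as the Authentication Server would look them up.

    domains: names of the Domain records that exist in the database.
    """
    user_id = normalize(user_id, lower_case)
    known = {normalize(d, lower_case) for d in domains}
    master = normalize(master_domain, lower_case)

    # Step 1: the simple rule. Assumption: only the last '@' is significant,
    # so a UserId such as 'a@b@sales' keeps 'a@b' as the userid part.
    if "@" in user_id:
        head, _, tail = user_id.rpartition("@")
        if tail in known:
            return tail, head
        # No such Domain: the whole string stays the UserId, no Domain yet.

    # Step 2: the Policy's Default Domain, if one is specified.
    if policy.default_domain is not None:
        return normalize(policy.default_domain, lower_case), user_id

    # Step 3: fall back to the Master Domain.
    return master, user_id
```

Note that a UserId like `bob@example.com` is kept whole when no Domain named `example.com` exists, so a user registered as `bob` in the Master Domain would not match it.<br />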
3.5.2 Organizational Units<br />
Within a Domain, Organizational Units can be used to group Digipass User Accounts and<br />
Digipass. They are primarily used in <strong>VACMAN</strong> <strong>Middleware</strong> to allocate unassigned Digipass to<br />
groups of users such as offices or departments. In other VASCO products, they can also be<br />
used to provide delegated administration by user group.<br />
Organizational Units can be created as a hierarchy, in a similar way to Active Directory/LDAP.<br />
It is not permitted to create a circular chain in the hierarchy.<br />
Organizational Units are not used as a naming scope in the same way as Domains. It is<br />
permitted to move Digipass User Accounts and Digipass between Organizational Units<br />
whenever required. However, a Digipass that is assigned to a Digipass User Account must<br />
belong to the same Organizational Unit, as well as the same Domain. Upon assignment, or<br />
upon moving the Digipass User Account, the Digipass is moved automatically. It is not<br />
permitted to move an assigned Digipass – instead, you must move the Digipass User Account,<br />
which may have other Digipass assigned also.<br />
Organizational Units have no effect on the authentication process, with the exception of Auto-<br />
and Self-Assignment – the Digipass to be assigned must be in the same Organizational Unit as<br />
the Digipass User Account. However, if you enable the 'Search up Organizational Unit<br />
Hierarchy' Policy setting, the Digipass may be located higher up the Organizational Unit<br />
structure, provided it is still in the same Domain.<br />
3.6 Database User Accounts<br />
It is important to consider which database user accounts will be utilized when installing,<br />
running and administering <strong>VACMAN</strong> <strong>Middleware</strong>. There are a few main roles that need to be<br />
considered:<br />
Schema creator. A database user account is needed to create the tables used by<br />
<strong>VACMAN</strong> <strong>Middleware</strong>. Typically this would be either a fully privileged DBA account, or the<br />
account that will own the schema.<br />
Schema owner. This may be the same as the schema creator. If not, the schema<br />
creator can transfer ownership of the new tables after they have been created.<br />
Authentication Server account. This may be the same as the schema creator or<br />
owner, but as it does not need extensive permissions on the tables, you may prefer to<br />
use an account with less privileges.<br />
Administrator account. Administrators may be allowed to log directly into the<br />
database in order to administer data. If so, the Administration MMC Interface will require<br />
a database user account with sufficient permissions to modify the data as required. It is<br />
not necessary to create a separate account, but you may prefer to do so, in order to<br />
control the permissions strictly. You may even create multiple administrator accounts<br />
with different permissions.<br />
A few elements need to be taken into account when setting up these various database user<br />
accounts.<br />
3.6.1 Permissions on the Tables<br />
The following permissions are required by the Authentication Server and administrator<br />
accounts:<br />
Table 21: Table Permissions Required<br />
| Table | Authentication Server | Administrator |<br />
|---|---|---|<br />
| vdsControl | SELECT, INSERT*, UPDATE* | SELECT |<br />
| vdsUser | SELECT, INSERT**, UPDATE | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsUserAttr | SELECT | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsDigipass | SELECT, UPDATE | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsDPApplication | SELECT, UPDATE | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsPolicy | SELECT | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsComponent | SELECT | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsBackEnd | SELECT | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsDomain | SELECT | SELECT, INSERT, UPDATE, DELETE*** |<br />
| vdsOrgUnit | SELECT | SELECT, INSERT, UPDATE, DELETE*** |<br />
* The Authentication Server does not need INSERT and UPDATE permission on the vdsControl table itself. However,<br />
when the Authentication Server Configuration GUI is used to Configure Advanced Settings, the same<br />
database user account is used as the Authentication Server, and at this time the INSERT and UPDATE<br />
permissions are needed.<br />
** INSERT permission is only required when Dynamic User Registration is used.<br />
*** In general, SELECT permission is required on all tables, but you can restrict any of INSERT, UPDATE and DELETE<br />
permissions according to the restrictions you need to impose upon your administrators.<br />
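Added example, not a VASCO tool: a check that an account's actual table grants match Table 21, so that an Authentication Server account that was given DBA-style rights shows up as over-privileged. The `granted` dictionary is a constructed input of the kind a DBA would assemble from the database's privilege catalogue; the two flags stand for the footnoted conditions.<br />

```python
"""Least-privilege check for the database accounts of Table 21.

Added example for this page (not a VASCO tool). AUTH_SERVER_REQUIRED encodes the
middle column of Table 21; the two conditional grants from the footnotes are
switched on by the flags of auth_server_required(). Input dicts have the form
{table_name: {'SELECT', 'UPDATE', ...}} and are constructed for the example.
"""
from typing import Dict, Set

ALL = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Permissions the Authentication Server account needs (Table 21, middle column).
AUTH_SERVER_REQUIRED: Dict[str, Set[str]] = {
    "vdsControl": {"SELECT"},         # INSERT/UPDATE only for Configure Advanced Settings (*)
    "vdsUser": {"SELECT", "UPDATE"},  # INSERT only with Dynamic User Registration (**)
    "vdsUserAttr": {"SELECT"},
    "vdsDigipass": {"SELECT", "UPDATE"},
    "vdsDPApplication": {"SELECT", "UPDATE"},
    "vdsPolicy": {"SELECT"},
    "vdsComponent": {"SELECT"},
    "vdsBackEnd": {"SELECT"},
    "vdsDomain": {"SELECT"},
    "vdsOrgUnit": {"SELECT"},
}


def auth_server_required(dynamic_user_registration: bool,
                         uses_config_gui: bool) -> Dict[str, Set[str]]:
    """Table 21 plus the footnoted conditional grants."""
    req = {t: set(p) for t, p in AUTH_SERVER_REQUIRED.items()}
    if dynamic_user_registration:
        req["vdsUser"].add("INSERT")          # footnote **
    if uses_config_gui:
        req["vdsControl"] |= {"INSERT", "UPDATE"}  # footnote *
    return req


def administrator_required() -> Dict[str, Set[str]]:
    """Table 21, right column: vdsControl read-only, full rights elsewhere (***).

    Footnote *** allows INSERT/UPDATE/DELETE to be withheld per administrator;
    treat the result as the upper bound an administrator account may hold.
    """
    return {t: ({"SELECT"} if t == "vdsControl" else set(ALL))
            for t in AUTH_SERVER_REQUIRED}


def audit_grants(granted: Dict[str, Set[str]],
                 required: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Return {table: {'missing': set, 'excess': set}} for every table that deviates.

    'missing' breaks the product; 'excess' is privilege the account should not hold.
    """
    findings = {}
    for table, need in required.items():
        have = granted.get(table, set())
        missing, excess = need - have, have - need
        if missing or excess:
            findings[table] = {"missing": missing, "excess": excess}
    # Any table outside Table 21 that the account can touch is also excess.
    for table in granted.keys() - required.keys():
        findings[table] = {"missing": set(), "excess": set(granted[table])}
    return findings
```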
3.6.2 Access to Another Schema<br />
Depending on the database type, there may be a problem with one database user account<br />
accessing the tables from another schema/user account. <strong>VACMAN</strong> <strong>Middleware</strong> components will<br />
access the tables according to the table names that are defined in the vdsControl table.<br />
If the tables are not accessible to the database user account without qualifying the table name<br />
(e.g. schema.table), there are a few ways to solve the problem:<br />
Set the default schema or database. Some databases allow you to specify which<br />
schema or database a database user account will use by default when they log in. This<br />
may be a setting in the database itself or in the ODBC data source.<br />
Create views. You can create a view for each table in the database user account's own<br />
schema, that provides access to the table. The view names should match the table<br />
names. However, be careful that your database type permits the necessary INSERT,<br />
UPDATE and DELETE operations on the views (see the table above). Some database<br />
types provide only limited support for those operations or disallow them all.<br />
Modify the vdsControl table. Provided that all database user accounts need the<br />
schema qualifier in front of the table names, you can safely modify the vdsControl table<br />
entries to add the schema qualifier (see below).<br />
Another possible solution is to create a vdsControl table in each database user account's<br />
schema, that contains the necessary schema qualifier. However this is not recommended, as it<br />
is complex to set up and there are other settings in the vdsControl table other than the table<br />
names. It would be easy to end up with different settings in each table.<br />
3.6.2.1 Modify vdsControl Table<br />
There are two parts to this solution. Firstly, to make sure that the vdsControl table itself can<br />
be accessed; secondly, to update the remaining table names using the vdsControl table.<br />
The Authentication Server component uses a configuration setting in its configuration file<br />
dpauthserver.xml to identify the vdsControl table name:<br />
VASCO->AAL3->ODBC->Data-Sources->Data-Sourcesnn->Control-Table<br />
where nn is 01 for the first data source, 02 for the next, and so on. Each data source must be<br />
configured separately.<br />
However, the administration interface does not use this configuration file, and if the<br />
administrator database account has a schema qualifier problem for the vdsControl table,<br />
another solution such as a view must be used.<br />
Modification of the vdsControl table entries that define the table names must be performed<br />
using your database's SQL utility. The following entries in vdsControl are used to define the<br />
table names:<br />
Table 22: Table Names in vdsControl<br />
| Table | vdsName |<br />
|---|---|<br />
| vdsUser | user_table |<br />
| vdsUserAttr | user_attr_table |<br />
| vdsDigipass | dp_table |<br />
| vdsDPApplication | dpappl_table |<br />
| vdsPolicy | policy_table |<br />
| vdsComponent | comp_table |<br />
| vdsBackEnd | backend_table |<br />
| vdsDomain | domain_table |<br />
| vdsOrgUnit | org_table |<br />
3.7 Database Connection Handling<br />
The Authentication Server can be configured with a few settings that control the connection to<br />
the database. These settings can be found in the Authentication Server Configuration GUI.<br />
3.7.1 Multiple Data Sources<br />
It is possible to make more than one database available to the Authentication Server by<br />
creating additional databases and corresponding ODBC data sources. The additional<br />
database(s) can be used for redundancy and/or simple load sharing.<br />
If this is done, it is critical that the second and subsequent databases are synchronized with<br />
the first database. You will have to use the methods available to your database type, according<br />
to the database vendor's instructions. Typical methods include mirroring, shadow databases<br />
and instantaneous replication.<br />
Simply by configuring a second data source, if all connections to the main data source fail and<br />
cannot be reopened, the Authentication Server will open connections to the second data<br />
source. Similarly, a third data source can be used when the first and second are both<br />
unavailable.<br />
3.7.2 Max. Connections<br />
There is a configurable limit on the number of connections to the data source that the<br />
Authentication Server will have open at one time. This will prevent too many connections being<br />
opened to the database in case of peak load. However, each authentication request uses a<br />
connection for its duration, so the number of connections effectively limits the number of<br />
authentication requests that can be concurrently executed. It may improve performance to<br />
increase this setting, when there are a lot of concurrent requests – provided that the database<br />
is able to handle the increased load.<br />
The effect of this setting depends on the characteristics of your ODBC driver and database.<br />
Some ODBC drivers may not open a separate connection to the database for each connection<br />
that is made to it; they may set up a 'pool' of connections to the database or they may even<br />
just maintain a single connection.<br />
3.7.3 Connection Wait Time<br />
When the Authentication Server already has the maximum number of connections open and a<br />
new authentication request arrives, it will wait a configurable amount of time for a connection<br />
to become available (unless the Enable Load Sharing option is used, see below). You may<br />
want to reduce this waiting time, to reduce the impact of an overload of requests. Alternatively<br />
you may want to increase the waiting time, to make it less likely that a request will be rejected<br />
due to a temporary 'spike' of requests.<br />
3.7.4 Idle Timeout<br />
After a period of peak load, there may be a large number of connections open to the database.<br />
The Idle Timeout setting can be used to configure how quickly the connections are closed<br />
after being idle for a period of time. It may reduce the load on the database to close these<br />
connections quickly. Alternatively, if the load is very irregular but is often high, you may prefer<br />
to keep idle connections open for longer.<br />
3.7.5 Enable Load Sharing<br />
A simple form of load sharing can be implemented if you make a second database available to<br />
the Authentication Server. In fact, any number of databases can be added to the list of data<br />
sources, and the load can be shared across all of them.<br />
If you have more than one database available and the Enable Load Sharing option is used,<br />
the Authentication Server will open connections to the second database when it would exceed<br />
the maximum number of connections it is allowed to have to the first database. Similarly, it<br />
will open connections to the third database when it has reached the maximum for the second,<br />
and so on. In general, connections to the first database will be used when available, in<br />
preference to connections to any other database.<br />
3.7.6 Reconnect Intervals<br />
After the first data source has become unavailable, the Authentication Server will attempt at<br />
intervals to reconnect, even if it has successfully failed over to a second data source. It will<br />
always use the first data source in preference to the others.<br />
The Min. Reconnect Interval and Max. Reconnect Interval settings control the minimum<br />
and maximum intervals between retries respectively. The interval will start at the minimum<br />
and increase in steps until the maximum is reached. After that, the interval will stay at the<br />
maximum.<br />
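The connection rules of 3.7.1 through 3.7.6 as an added model in Python (an illustration for this page, not VASCO's implementation): `acquire` picks the data source a new request would use under failover and under Enable Load Sharing, and `reconnect_intervals` shows the stepped retry schedule. The step size and the unit of the intervals are assumptions, since the page does not state them.<br />

```python
"""Model of the data-source selection described in 3.7.1 to 3.7.6.

Added illustration for this page, not VASCO's implementation. It reproduces the
stated policy: the first data source is always preferred; without load sharing,
other data sources are used only when the first is unavailable (all connections
failed and could not be reopened); with load sharing, the next data source is
used when the previous one is at Max. Connections. The step by which the
reconnect interval grows is not given on the page, so 'step' is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DataSource:
    name: str
    available: bool = True   # False once all connections failed and could not be reopened
    in_use: int = 0          # connections currently serving authentication requests


@dataclass
class ConnectionPolicy:
    max_connections: int     # 'Max. Connections' per data source
    load_sharing: bool       # 'Enable Load Sharing'
    sources: List[DataSource] = field(default_factory=list)

    def acquire(self) -> Optional[DataSource]:
        """Pick the data source a new request would use, or None if it must wait."""
        for src in self.sources:
            if not src.available:
                continue  # failover: skip to the next data source
            if src.in_use < self.max_connections:
                src.in_use += 1
                return src
            if not self.load_sharing:
                # Pool exhausted and no load sharing: the request waits up to
                # Connection Wait Time and is rejected if nothing frees up.
                return None
            # Load sharing: this source is at its maximum, try the next one.
        return None

    def release(self, src: DataSource) -> None:
        """Return a connection to the pool (Idle Timeout later closes unused ones)."""
        src.in_use -= 1


def reconnect_intervals(min_interval: int, max_interval: int,
                        step: int, retries: int) -> List[int]:
    """Intervals before each of the first `retries` reconnect attempts to the
    first data source: start at the minimum, grow by `step`, cap at the maximum."""
    out, interval = [], min_interval
    for _ in range(retries):
        out.append(interval)
        interval = min(interval + step, max_interval)
    return out
```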
3.8 DPDBadmin<br />
3.8.1 Modify Database Schema<br />
The addschema command is used to create all required tables in an existing database, if they<br />
are not already there. Each table will be checked individually to see if it is already there and if<br />
not, will be added.<br />
This command is intended to be run manually by an administrator before <strong>VACMAN</strong> <strong>Middleware</strong><br />
is installed.<br />
It may be necessary to go through an approval process in your company before running this<br />
command. You may also need to have a database administrator run the command for you.<br />
This depends on your company’s structure and rules for control of the database.<br />
This command may also be used to create the tables required for auditing to an ODBC<br />
database.<br />
Prerequisite Information<br />
Database Administrator Account<br />
In order to successfully modify the database structure, you will need the username and<br />
password of a database administrator account that is able to make changes to the database<br />
schema – for example, creating tables. You must pass these credentials to the command in the<br />
parameters.<br />
Database Name<br />
You will need the ODBC Data Source Name of the database (as registered with Windows as an<br />
ODBC Data Source).<br />
Modify the Database Structure<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpdbadmin addschema -u user_name -p password -d dsn<br />
3. See below for more details regarding the required parameters.<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window. If there was a failure, it can be run again after the problem has been rectified.<br />
Command Line Syntax<br />
dpdbadmin addschema -u user_name [-p password] -d dsn [-nouser] [-domain<br />
domain_name] [-case case_conversion] [-vdsuser alternatename] [-vdsuserattr<br />
alternatename] [-vdsdomain alternatename] [-vdscontrol alternatename] [-vdsdigipass<br />
alternatename] [-vdsdpapplication alternatename] [-vdspolicy alternatename]<br />
[-vdsbackend alternatename] [-vdscomponent alternatename] [-vdsorgunit alternatename]<br />
[-audit] [-noserver] [-utf8factor factor] [-q]<br />
Table 23: DPDBadmin addschema Command Line Options<br />
| Option | Description |<br />
|---|---|<br />
| -u | User name of a database administrator. |<br />
| -p | Password of the database administrator. This option may be omitted if they have a blank password. |<br />
| -d | ODBC Data Source Name (DSN) |<br />
| -nouser | Do not create Digipass User table. This option is not currently supported. |<br />
| -domain | Specify the Master Domain to be used. If not specified, it will be “master”. The Domain will be created if it does not already exist. |<br />
| -case | Specify to convert User IDs and domain names to either upper or lower case. The value must be either “upper” or “lower”. |<br />
| -vdsuser | Alternative name for the Digipass User table to be created. |<br />
| -vdsuserattr | Alternative name for the Digipass User Attribute table to be created. |<br />
| -vdsdomain | Alternative name for the Domain table to be created. |<br />
| -vdscontrol | Alternative name for the Controller table to be created. |<br />
| -vdsdigipass | Alternative name for the Digipass table to be created. |<br />
| -vdsdpapplication | Alternative name for the Digipass Application table to be created. |<br />
| -vdspolicy | Alternative name for the Policy table to be created. |<br />
| -vdsbackend | Alternative name for the Back-end Server table to be created. |<br />
| -vdscomponent | Alternative name for the Component table to be created. |<br />
| -vdsorgunit | Alternative name for the Organizational Unit table to be created. |<br />
| -audit | Create the Audit tables. |<br />
| -noserver | Do not create the main tables used by the Authentication Server. This should only be used with the -audit option, when you only want to create the auditing tables. |<br />
| -utf8factor | On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not characters, by default. When UTF-8 encoding is used to store data, for full Unicode support, one character may be represented as more than one byte. Normally 2 or 3 bytes are used per character, depending on the language, but some characters require 4. If your data will include a lot of non-English characters, you can increase the size of certain columns by a factor to allow for the extra bytes. The value of the parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns affected by this are the User Name (not User ID) and various Description fields. On other databases, column sizes are specified in characters, and this parameter is not needed. |<br />
| -q | Quiet mode, will not output commentary text. |<br />
DPDBadmin addschema Command Sample<br />
dpdbadmin addschema -u DBAdmin -p pwd3498 -d UserDb -domain mydomain<br />
This command will modify the database structure of the ODBC database with the data source<br />
name of UserDb. It uses a database administrator account with the User ID of DBAdmin and<br />
password pwd3498. A non-default Master Domain will be used, called “mydomain”.<br />
dpdbadmin addschema -u DBAdmin -p pwd3498 -d AuditDb -audit -noserver<br />
This command will create only the auditing tables in the ODBC database with the data source<br />
name of AuditDb. It uses a database administrator account with the User ID of DBAdmin and<br />
password pwd3498.<br />
3.8.2 Check Database Modifications<br />
The checkschema command is called from the <strong>VACMAN</strong> <strong>Middleware</strong> installation program to<br />
check that all required database changes have been applied. Each table and field is checked<br />
individually to see if it exists within the database, but it will not be added if it does not exist.<br />
3.8.2.1 Prerequisite Information<br />
Domain Administrator<br />
Ensure that you know the username and password of a database administrator for the<br />
database to be checked.<br />
Database Name<br />
You will need the Data Source Name of the database (as registered with Windows as an ODBC<br />
Data Source).<br />
3.8.2.2 Check the Database Structure<br />
1. Open a command prompt and go to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpdbadmin checkschema -u user_name -p password -d dsn<br />
3. See below for more details regarding the parameters.<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window.<br />
3.8.2.3 Command Line Syntax<br />
dpdbadmin checkschema -u user_name [-p password] -d dsn [-domain domain_name]<br />
[-q]<br />
Table 24: DPDBadmin checkschema Command Line Options<br />
| Option | Description |<br />
|---|---|<br />
| -u | User name of a database administrator. |<br />
| -p | Password of the database administrator. This option may be omitted if they have a blank password. |<br />
| -d | ODBC Data Source Name (DSN) |<br />
| -domain | Specify the Master Domain to be used. If not specified, it will be “master”. The Domain must exist. |<br />
| -q | Quiet mode, will not output commentary text. |<br />
DPDBadmin checkschema Command Sample<br />
dpdbadmin checkschema -u db_admin -p db_password -d db_users<br />
3.8.3 Remove Database Modifications<br />
This command removes from a database the tables added by the addschema command.<br />
It may be necessary to go through an approval process in your company before running this<br />
command. You may also need to have a database administrator run the command for you.<br />
3.8.3.1 Prerequisite Information<br />
Database Administrator Account<br />
In order to successfully modify the database structure, you will need the username and<br />
password of a database administrator account that is able to make changes to the database<br />
structure – for example, creating tables. You must pass these credentials to the utility in the<br />
parameters of the command.<br />
Database Name<br />
You will need the Data Source Name of the database (as registered with Windows as an ODBC<br />
Data Source). This DSN must be registered on the computer from which the command line<br />
utility will be run.<br />
3.8.3.2 Modify Database Structure<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpdbadmin dropschema -u user_name -p password -d dsn<br />
3. See below for more details regarding the required parameters.<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window. If there was a failure, it can be run again after the problem has been rectified.<br />
3.8.3.3 Command Line Syntax<br />
dpdbadmin dropschema -u user_name [-p password] -d dsn [-nouser] [-q]<br />
Table 25: DPDBadmin dropschema Command Line Options<br />
| Option | Description |<br />
|---|---|<br />
| -u | User name of a database administrator. |<br />
| -p | Password of the database administrator. This option may be omitted if they have a blank password. |<br />
| -d | ODBC Data Source Name (DSN) |<br />
| -nouser | Do not delete Digipass User table. This option is not currently supported. |<br />
| -q | Quiet mode, will not output commentary text. |<br />
DPDBadmin dropschema Command Sample<br />
dpdbadmin dropschema -u DBAdmin -p pwd3498 -d UserDb<br />
3.8.4 Create Emergency Administrator Account<br />
If the main administrator accounts have been accidentally deleted, locked out, disabled, or the<br />
password forgotten, it may be necessary to run this command.<br />
The rescueadmin command creates an emergency administrator account in the Master<br />
Domain, with the given User ID and password. These settings will be configured for the<br />
account:<br />
Local Authentication: Digipass/Password<br />
Back-End Authentication: None<br />
Administrative Privileges: (All)<br />
Note<br />
Running this command will cause the Digipass Authentication Server service to<br />
be stopped. The command can restart the service automatically when record<br />
creation is completed.<br />
Prerequisites<br />
These conditions must be met before this command can be run successfully:<br />
Must be run on the machine on which the Authentication Server is installed.<br />
The Authentication Server configuration file (dpauthserver.xml) must be in the default<br />
location (\Bin)<br />
Create Administrator Account<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpdbadmin rescueadmin -userid "" -password ""<br />
3. Enter Y to restart the Digipass Authentication Server service, or N to exit and restart<br />
the service manually.<br />
Command Line Syntax<br />
dpdbadmin rescueadmin -userid "" -password "" -q -l -v<br />
Table 26: DPDBadmin rescueadmin Command Line Options<br />
| Option | Description |<br />
|---|---|<br />
| -userid | User ID for the administrator account to be created. This administrator account must not currently exist in the Authentication Server data store in the Master Domain. |<br />
| -password | Password for the administrator account to be created. May not be blank. |<br />
| -q | Quiet mode, will not output commentary text. |<br />
| -l | Record messages to a log file. |<br />
| -v | Use verbose logging output. |<br />
DPDBadmin rescueadmin Command Sample<br />
dpdbadmin rescueadmin -userid emergency_admin -password password -l<br />
c:\temp\rescue.log<br />
This command will create an administrator account in the database, with User ID of<br />
emergency_admin and password of password. A log file will be created at c:\temp\rescue.log.<br />
3.8.5 Rescue Authentication Server Component<br />
This command may be needed in a number of scenarios:<br />
An Authentication Server Component record has been accidentally deleted.<br />
The IP address of the machine has been changed without first creating a Component<br />
record for the Authentication Server with the new IP address.<br />
The Policy used for administration logins has been modified in such a way that<br />
administrative logins are no longer possible.<br />
In any of these scenarios, administrative logins will no longer be possible via the<br />
Authentication Server affected. If you have another Authentication Server replicating with the<br />
affected one, you can fix most problems from that Authentication Server. Otherwise, you will<br />
need to use this command.<br />
The rescueserver command creates or updates a Component record of the type<br />
Authentication Server in the database, with the given IP address and Policy. It can also create<br />
a Policy with the Policy ID provided, with these settings:<br />
Inherits from Policy: <br />
Local Authentication: Digipass/Password<br />
Back-End Authentication: None<br />
User Lock Threshold: 0<br />
Note<br />
Running this command will cause the Digipass Authentication Server service to<br />
be stopped. The command can restart the service automatically when record<br />
creation is completed.<br />
Prerequisites<br />
These conditions must be met before this command can be run successfully:<br />
Must be run on the machine on which the Authentication Server is installed.<br />
The Authentication Server configuration file (dpauthserver.xml) must be available on the<br />
machine.<br />
Rescue Authentication Server Component<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpdbadmin rescueserver -location "" -policy ""<br />
3. If a Component record of type Authentication Server and the entered IP address does<br />
not already exist, you will be prompted to create the Component record. Enter Y to<br />
create the record, or N to exit.<br />
4. If a Policy with the entered Policy ID does not currently exist, you will be prompted to<br />
create it. Enter Y to create the record, or N to exit.<br />
5. Enter Y to restart the Digipass Authentication Server service, or N to exit and restart<br />
the service manually.<br />
If there was a failure, it can be run again after the problem has been rectified.<br />
Command Line Syntax<br />
dpdbadmin rescueserver -location -policy "" -q -l -v<br />
Table 27: DPDBadmin rescueserver Command Line Options<br />
| Option | Description |<br />
|---|---|<br />
| -location | IP address used by the Authentication Server. |<br />
| -policy | Policy ID for the Policy to be used for the new Component. This may be an existing Policy, or a new one (see above for the settings given to a new Policy by this command). |<br />
| -q | Quiet mode, will not output commentary text. |<br />
| -l | Record messages to a log file. |<br />
| -v | Use verbose logging output. |<br />
DPDBadmin rescueserver Command Sample<br />
dpdbadmin rescueserver -location "10.2.15.7" -policy "VM3 <strong>Administration</strong> Logon"<br />
This command will create a Component record in the database, with type Authentication<br />
Server, IP address 10.2.15.7, and using the pre-existing Policy VM3 <strong>Administration</strong> Logon.<br />
4 Sensitive Data Encryption<br />
Sensitive data is encrypted by <strong>VACMAN</strong> <strong>Middleware</strong> using an embedded key. If needed, this<br />
encryption may be strengthened by adding a custom key in the Configuration GUI. The<br />
embedded and custom keys are subjected to a logical XOR process to produce a new key<br />
derived from both.<br />
Note<br />
Encryption settings must be set before importing Digipass.<br />
4.1.1 Encrypted Data – Active Directory<br />
Table 28: Encrypted Data Attributes – Active Directory<br />
Attribute Class<br />
vasco-StaticPassword vasco-UserExt<br />
vasco-SharedSecret vasco-Component<br />
vasco-SharedSecret vasco-BackEndServer<br />
4.1.2 Encrypted Data – ODBC and Embedded Database<br />
Table 29: Encrypted Data Attributes – ODBC and Embedded Database<br />
Column Table<br />
vdsStaticPwd vdsUser<br />
vdsAdminPrivileges vdsUser<br />
vdsSharedSecret vdsComponent<br />
vdsSharedSecret vdsBackEnd<br />
4.1.3 Which Encryption Algorithms can be used?<br />
AES<br />
blowfish<br />
cast5<br />
3DES<br />
3DES with 3 keys<br />
4.1.4 Exporting Encryption Settings<br />
Encryption settings may be exported to a password-protected text file from the Authentication<br />
Server Configuration GUI. This file must then be loaded to other Authentication Servers – see<br />
11.1.9 Data Encryption for instructions.<br />
The same file must be loaded into the administration interfaces wherever they are installed:<br />
<strong>Administration</strong> MMC Interface<br />
1. Open the <strong>Administration</strong> MMC Interface.<br />
2. Right-click on the Digipass <strong>Administration</strong> node and select the Encryption Settings<br />
option.<br />
3. In the Configure Encryption Settings dialog, click the Import... button.<br />
4. Browse to the encryption settings file.<br />
5. Click on OK.<br />
6. Enter the required password.<br />
7. Click on OK.<br />
Active Directory Users and Computers<br />
The following only applies if you are using Active Directory. In addition, if Active Directory<br />
Users and Computers is on the same machine as the <strong>Administration</strong> MMC Interface, the<br />
following steps will not be necessary, as the two programs share the same encryption<br />
configuration settings.<br />
1. Open Active Directory Users and Computers.<br />
2. Right-click on the Users container and select the Digipass Extension Encryption<br />
Settings option.<br />
3. In the Configure Encryption Settings dialog, click the Import... button.<br />
4. Browse to the encryption settings file.<br />
5. Click on OK.<br />
6. Enter the required password.<br />
7. Click on OK.<br />
Digipass TCL Command-Line <strong>Administration</strong><br />
1. Open the file \Bin\dpadmincmd.xml in a text editor (or XML<br />
editing tool).<br />
2. Open the file \Bin\dpauthserver.xml in a text editor (or XML<br />
editing tool).<br />
3. Copy and paste the whole VASCO -> AAL3 -> Encryption section from<br />
dpauthserver.xml, overwriting the same section in dpadmincmd.xml.<br />
4. Save dpadmincmd.xml and exit the editors.<br />
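Step 3 above is a copy of one XML subtree between two files. The Python below, an added example that is not part of VACMAN Middleware, does that copy with the standard library so the result is checked rather than pasted by hand. Only the element path VASCO -> AAL3 -> Encryption is taken from this manual; the child elements, values and the surrounding sections in the two sample documents are constructed.

```python
"""Copy the VASCO -> AAL3 -> Encryption section of dpauthserver.xml into
dpadmincmd.xml, replacing the section already present in the target.

Added example, not VASCO code. The real files are assumed to use a VASCO root
element containing AAL3/Encryption, as the manual describes; everything else
in the sample documents below is constructed for the demonstration."""
import copy
import xml.etree.ElementTree as ET

# Constructed stand-in for dpauthserver.xml (child elements are made up).
SERVER_XML = """<VASCO>
  <AAL3>
    <Encryption>
      <Algorithm>AES</Algorithm>
      <CustomKey>constructed-custom-key</CustomKey>
    </Encryption>
    <Other>server-only</Other>
  </AAL3>
</VASCO>"""

# Constructed stand-in for dpadmincmd.xml with an out-of-date Encryption section.
ADMIN_XML = """<VASCO>
  <AAL3>
    <Encryption>
      <Algorithm>3DES</Algorithm>
    </Encryption>
  </AAL3>
  <Logging>keep-me</Logging>
</VASCO>"""


def encryption_element(root: ET.Element):
    """Locate VASCO/AAL3/Encryption; fail loudly if the file layout differs."""
    if root.tag != "VASCO":
        raise ValueError(f"root element is {root.tag!r}, expected 'VASCO'")
    aal3 = root.find("AAL3")
    if aal3 is None:
        raise ValueError("no AAL3 element under VASCO")
    encryption = aal3.find("Encryption")
    if encryption is None:
        raise ValueError("no Encryption element under VASCO/AAL3")
    return aal3, encryption


def copy_encryption_section(server_xml: str, admin_xml: str) -> str:
    """Return admin_xml with its Encryption section replaced by the server's.

    Only the Encryption subtree changes; every other element of the admin file
    (here the Logging section) is kept in place."""
    server_root = ET.fromstring(server_xml)
    admin_root = ET.fromstring(admin_xml)
    _, source = encryption_element(server_root)
    aal3, old = encryption_element(admin_root)
    position = list(aal3).index(old)      # keep the section where it was
    aal3.remove(old)
    aal3.insert(position, copy.deepcopy(source))
    # Note: ElementTree drops the XML declaration and comments on output.
    return ET.tostring(admin_root, encoding="unicode")


def encryption_settings(xml_text: str) -> dict:
    """Flatten the Encryption section to {tag: text} for comparison."""
    _, encryption = encryption_element(ET.fromstring(xml_text))
    return {child.tag: (child.text or "").strip() for child in encryption}


def sync_files(server_path: str, admin_path: str) -> str:
    """File-based wrapper: read both files, rewrite admin_path, return its new text."""
    with open(server_path, encoding="utf-8") as handle:
        server_xml = handle.read()
    with open(admin_path, encoding="utf-8") as handle:
        admin_xml = handle.read()
    merged = copy_encryption_section(server_xml, admin_xml)
    with open(admin_path, "w", encoding="utf-8") as handle:
        handle.write(merged)
    return merged


if __name__ == "__main__":
    print(encryption_settings(copy_encryption_section(SERVER_XML, ADMIN_XML)))
```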
5 Set Up Active Directory Permissions<br />
5.1 Permissions Needed by the Authentication Server<br />
The Authentication Server Service runs under the 'Local System' account rather than as a<br />
named user account. Therefore, when connecting to Active Directory, the Authentication<br />
Server connects as the computer account, not a user account. The permissions that it has<br />
within Active Directory are the permissions of the computer account.<br />
An important exception to this occurs if you install the Authentication Server onto a Domain<br />
Controller. Any Service running as 'Local System' on a Domain Controller has all possible<br />
permissions to that Domain. In this case, no additional setup of permissions is required.<br />
Therefore, the rest of this section applies to the case where the Authentication Server is not on<br />
the Domain Controller.<br />
During installation, the computer account is added to the built-in 'RAS and IAS Servers' group<br />
in the Domain, as it will require the permissions assigned by default to this group.<br />
In order to function correctly, the Authentication Server requires the following permissions in<br />
Active Directory, which are not granted to 'RAS and IAS Servers' by default:<br />
Read access to the Digipass Configuration Container<br />
Read access to all User accounts (or at least, all who might need to be authenticated by<br />
the Authentication Server)<br />
Write access to the new attributes that are added to the User class for <strong>VACMAN</strong><br />
<strong>Middleware</strong> (these are in the auxiliary class vasco-UserExt)<br />
Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco-<br />
DPApplication) objects<br />
Create and delete permission for Digipass (vasco-DPToken) objects in Organizational<br />
Units and containers (specifically the Digipass-Pool and Users containers)<br />
5.1.1 Giving Permissions to the Authentication Server<br />
During installation, these additional permissions are granted to the 'RAS and IAS Servers'<br />
group automatically.<br />
There is also a manual way to grant these permissions, by running the 'setupaccess' command<br />
at the command prompt:<br />
dpadadmin.exe setupaccess -group "RAS and IAS Servers"<br />
See 2.5 DPADadmin Utility for more information on the setupaccess command.<br />
As mentioned above, this is not necessary if the Authentication Server is installed onto a<br />
Domain Controller.<br />
5.2 Permissions Needed by Administrators<br />
5.2.1 Domain Administrators<br />
Domain Administrators already have all required permissions within their Domain.<br />
5.2.2 Delegated Administrators<br />
The term 'Delegated Administrators' is used here to refer to administrators who have been<br />
delegated control over an Organizational Unit. Generally speaking, they have administrative<br />
control over the user and computer accounts within their Organizational Unit.<br />
See the Digipass Records topic in the Product Guide for more information on possible<br />
approaches to delegating Digipass administration.<br />
By default, these administrators will be able to view the Digipass User Account data for their<br />
users and the Digipass that are located within their Organizational Unit. However, they will not<br />
be able to modify any of that data or assign Digipass.<br />
If you wish to delegate responsibility for all Digipass-related administration within an<br />
Organizational Unit, the following additional permissions are required by the Delegated<br />
Administrator:<br />
Within the scope of the Organizational Unit, Write permission to the new attributes that<br />
are added to the User class for <strong>VACMAN</strong> <strong>Middleware</strong> (these are in the auxiliary class<br />
vasco-UserExt) – you can add Write permissions for each individual Property Set or if<br />
appropriate, grant 'Write All Properties' permission<br />
Within the scope of the Organizational Unit, Full Control over all Digipass (vasco-<br />
DPToken) and Digipass Application (vasco-DPApplication) objects<br />
Create and Delete permission for Digipass (vasco-DPToken) objects within the<br />
Organizational Unit<br />
If the Delegated Administrator should be allowed to assign Digipass from the Digipass<br />
Pool to their users, they need:<br />
the Delete Digipass objects permission in the Digipass-Pool container<br />
Write All Properties permission on Digipass objects in the Digipass-Pool container<br />
If the Delegated Administrator should be allowed to move unassigned Digipass back to<br />
the Digipass-Pool, they need Create Digipass objects permission in the Digipass-Pool<br />
container<br />
5.2.3 Reduced-Rights Administrators<br />
The term 'Reduced-Rights Administrator' is used here to refer to administrators who are<br />
granted permissions to perform only selected Digipass-related administration tasks. They may<br />
be granted these permissions within the scope of the whole Domain, or only within an<br />
Organizational Unit.<br />
An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but<br />
not to assign/unassign Digipass to/from users.<br />
By default, all users have read access to everything in the Active Directory. The modification<br />
permissions that can be granted to this kind of administrator are:<br />
Write permission for any of three Property Sets on the Digipass User Account fields:<br />
Digipass User Account Information – all attributes except those covered by the other two<br />
Property Sets, including Authorization Profiles/Attributes<br />
Digipass User Account Link – the link attribute used to share a Digipass between two<br />
user accounts<br />
Digipass User Account Stored Password – the Stored Password attribute<br />
Write permission for any individual properties on Digipass objects, except for one<br />
Property Set that is defined to control the Digipass assignment link<br />
Write permission for any individual properties on Digipass Application objects, except for<br />
one Property Set that is defined to include the Digipass 'blob' that is required for any<br />
administrative operation such as Reset PIN, Test, Set Event Counter, etc.<br />
Create and delete permission on Digipass and Digipass Application objects<br />
If the administrator should be allowed to move Digipass, they need:<br />
the Delete Digipass objects and Create Digipass objects permissions in the relevant<br />
Domain and/or Organizational Unit<br />
Write All Properties permission on Digipass objects<br />
Note that this can be necessary for assigning Digipass to users, because a move from<br />
one location to another is controlled by permissions to delete from the source and create<br />
in the destination<br />
5.2.4 System Administrators<br />
The term 'System Administrator' is used here to refer to an administrator who will be<br />
responsible for management of the Component and Policy records, rather than Digipass User<br />
Accounts and Digipass. They need permissions within the Digipass Configuration Container to<br />
create, modify and delete Component (vasco-Component) and Policy (vasco-Policy) objects.<br />
In practice, System Administrators can typically be given full control over the Digipass-<br />
Configuration container. If you wish to grant more limited permissions, this can be handled<br />
with the standard Active Directory permissions on these objects within the scope of the<br />
container.<br />
5.3 Assign <strong>Administration</strong> Permissions to a User<br />
Note<br />
This example assumes that the administrator's User account has read<br />
permissions for all User records already.<br />
To grant permissions to manage Digipass records, you will need to follow these steps:<br />
1. Right-click on the Organizational Unit in which to assign permissions.<br />
2. Select Delegate Control... from the right-click menu.<br />
The Delegate Control Wizard will be displayed.<br />
3. Select the User or Windows Group to assign permissions.<br />
4. Click on OK.<br />
5. Select the Delegate Common Tasks option button.<br />
6. Select Create, Delete and Manage Digipass from the list.<br />
7. Click on Next.<br />
8. Click on Finish.<br />
If you wish to grant permissions to modify Digipass User Account properties, you will need to<br />
follow these steps:<br />
9. Select View -> Advanced Features from the main menu.<br />
10. Right-click on the Organizational Unit in which to assign permissions.<br />
11. Select Properties from the right-click menu.<br />
12. Click on the Security tab.<br />
13. Click on the Advanced button.<br />
The Advanced Security Settings window will be displayed.<br />
14. Click on Add...<br />
15. Type the username of the User to assign the permissions to and click OK.<br />
16. Click on the Properties tab.<br />
17. Select User Objects from the Apply onto drop down list.<br />
18. Select the required permissions from:<br />
Write Digipass User Account Information<br />
Write Digipass User Account Link<br />
Write Digipass User Account Stored Password<br />
19. Click on OK.<br />
20. Click on OK.<br />
21. Click on OK.<br />
If the administrator requires permissions to take Digipass out of the Digipass-Pool for<br />
assignment, you will need to follow these steps:<br />
22. Right-click on the Digipass Pool.<br />
23. Select Properties from the right-click menu.<br />
24. Click on the Security tab.<br />
25. Click on the Advanced button.<br />
The Advanced Security Settings window will be displayed.<br />
26. Click on Add...<br />
27. Select the User account.<br />
28. Click on OK.<br />
29. Click on the Object tab.<br />
30. Select Child objects only from the Apply onto drop down list.<br />
31. Tick the Allow box for:<br />
Delete Digipass Objects<br />
Create Digipass Objects (if you wish to allow the administrator to move Digipass<br />
records into the Digipass Pool)<br />
32. Click on OK.<br />
33. Click on Add...<br />
34. Select the User account.<br />
35. Click on OK.<br />
36. Click on the Object tab.<br />
37. Select Digipass objects from the Apply onto drop down list.<br />
38. Tick the Allow box for Write All Properties.<br />
39. Click on OK.<br />
40. Click on OK.<br />
41. Click on OK.<br />
5.5 Multiple Domains<br />
When using the Authentication Server with multiple domains, extra steps must be followed to<br />
ensure that both the Authentication Server and administrators have permissions sufficient to<br />
access required data. The main issues are:<br />
The Digipass Configuration Container is only in one Domain. All Authentication Servers<br />
need read access to this container, even when they are in a different Domain. Cross-<br />
Domain access for administrators is a less likely requirement however.<br />
If an Authentication Server handles users and Digipass in more than one Domain, it<br />
needs to be granted the necessary permissions in each of those Domains.<br />
In this manual, we will handle cross-Domain permissions using a combination of Domain Local<br />
and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups,<br />
but these are not recommended in Windows 2000 due to replication issues. The replication<br />
efficiency has been improved in Windows Server 2003, however Universal groups are still not<br />
used as commonly as Domain Local/Global groups.<br />
Three possible scenarios for multiple domain setup are outlined below:<br />
5.5.1 Scenario 1 – Each Authentication Server Handles One<br />
Domain<br />
Each Authentication Server handles only the domain in which it is a member.<br />
Install the Authentication Server in each domain (the result will be at least as many<br />
Authentication Servers as domains).<br />
Give each Authentication Server access to the Digipass Configuration Domain:<br />
Domain Global Group(s)<br />
For each domain (apart from the Digipass Configuration Domain) -<br />
1. Create a Domain Global group<br />
2. Add the Authentication Server(s) to the Domain Global group (check which machines<br />
are in the 'RAS and IAS Servers' group to ensure the correct additions)<br />
Domain Local group<br />
In the Digipass Configuration Domain -<br />
3. Create or use an existing Domain Local group.<br />
4. Give the Domain Local group full read access to the Digipass Configuration Container.<br />
5. Add the Domain Global Group from each other domain to the Domain Local group.<br />
5.5.2 Scenario 2 – One Authentication Server Handles All<br />
Domains<br />
Authentication Servers in one domain handle all domains. The Digipass Configuration<br />
Container should be located in the domain to which the Authentication Servers belong.<br />
Give the necessary access to User and Digipass data:<br />
Domain Global group<br />
In the RADIUS server Domain -<br />
1. Create a Domain Global group.<br />
2. Add the Authentication Servers to the Domain Global group (check which machines are<br />
in the 'RAS and IAS Servers' group to ensure the correct additions).<br />
Domain Local groups<br />
For each other Domain -<br />
3. Create a Domain Local group.<br />
4. Give the Domain Local group the required permissions (run the setupaccess command -<br />
See 2.5 DPADadmin Utility for more information).<br />
5. Add the Domain Global group from the Authentication Server Domain to the Domain<br />
Local group.<br />
5.5.3 Scenario 3 - Combination<br />
This scenario represents more complex setups, where a combination of steps from Scenarios 1<br />
and 2 will be required. Use the steps given in the first two scenarios as a guide for what you<br />
will need to do for the combination scenario.<br />
6 Backup and Recovery<br />
This section explores the measures that Administrators can undertake in backing up and<br />
recovering <strong>VACMAN</strong> <strong>Middleware</strong> datafiles in the event of a system failure.<br />
Note<br />
This section does not cover backup of executables and system files. In the<br />
event of a catastrophic failure these can be restored or reinstalled from the<br />
original distribution media (and any subsequent service packs/patches).<br />
Once the Authentication Server is installed and operational, backups should be made of<br />
important files and data.<br />
Any time changes are made to the system, backups may need to be performed again. These<br />
changes include, but are not limited to:<br />
Changing any configuration settings including the IP address of a server<br />
Adding/removing a Component<br />
Modifying a Policy<br />
User and Digipass data should be backed up on a frequent, regular basis.<br />
6.1 What Must be Backed Up<br />
Configuration files for Authentication Server, Message Delivery Component and<br />
Command Line <strong>Administration</strong> Utility.<br />
User Self-Management Web Site pages and graphics (if customized)<br />
Virtual Digipass OTP Request Web Site pages and graphics (if customized)<br />
Audit Log data<br />
Active Directory or ODBC database containing Digipass-specific data<br />
DPX files (except for demo Digipass)<br />
Any command line administration scripts which have been written for use with the<br />
Command Line <strong>Administration</strong> Utility.<br />
Important Note<br />
The <strong>VACMAN</strong> <strong>Middleware</strong> installation includes a DPX directory containing<br />
sample DPX files for demo Digipass. These do not need to be backed up.<br />
However, if you have copied the DPX files for your real Digipass into that<br />
directory, ensure you still have the original files (normally on floppy disk). If<br />
you no longer have the DPX file(s) stored elsewhere, it is very important that<br />
you take a backup.<br />
6.1.1 Configuration files<br />
The configuration files for the Authentication Server, Virtual Digipass Message Delivery<br />
Component and Command Line <strong>Administration</strong> Utility can be copied from the bin directory (by<br />
default C:\Program Files\VASCO\<strong>VACMAN</strong> <strong>Middleware</strong> 3\Bin) to a secure location.<br />
The files to be copied are:<br />
dpauthserver.xml for all Authentication Servers<br />
dpadmincmd.xml<br />
mdcconfig.xml – a backup of one working file is sufficient.<br />
Tip<br />
Save the files above with an extension that describes the server from which the<br />
file(s) were backed up. This makes it easier and quicker to locate the correct file<br />
during recovery.<br />
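The copy-and-suffix routine from 6.1.1 and the Tip above, written out as an added example (not VASCO code) that also records a SHA-256 digest per copy so a backup can be checked for damage before it is used in a recovery. The three file names come from this manual; the bin directory, server name and file contents used in demo() are constructed.

```python
"""Back up the VACMAN Middleware configuration files with a per-server suffix
and keep SHA-256 digests so the copies can be verified before a recovery.

Added example, not part of the product. File names are from the manual;
directories, server name and file contents in demo() are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Configuration files the manual lists for backup (section 6.1.1).
CONFIG_FILES = ("dpauthserver.xml", "dpadmincmd.xml", "mdcconfig.xml")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_config_files(bin_dir: Path, backup_dir: Path, server_name: str) -> dict:
    """Copy each configuration file to backup_dir as <file>.<server_name>.

    Returns a manifest {file name: sha256 or None}. None marks a file that was
    not present in bin_dir (for example mdcconfig.xml on a server without the
    Message Delivery Component) so the operator can decide if that is expected."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in CONFIG_FILES:
        source = bin_dir / name
        if not source.is_file():
            manifest[name] = None
            continue
        target = backup_dir / f"{name}.{server_name}"  # suffix names the server
        shutil.copy2(source, target)                   # copy2 keeps the timestamp
        manifest[name] = sha256_of(target)
    return manifest


def verify_backup(backup_dir: Path, server_name: str, manifest: dict) -> list:
    """Return the names of backed-up files whose copy no longer matches the manifest."""
    problems = []
    for name, expected in manifest.items():
        if expected is None:
            continue
        target = backup_dir / f"{name}.{server_name}"
        if not target.is_file() or sha256_of(target) != expected:
            problems.append(name)
    return problems


def demo() -> dict:
    """Run the backup against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "Bin"
        backup_dir = Path(tmp) / "backup"
        bin_dir.mkdir()
        # Constructed stand-ins for the real configuration files.
        (bin_dir / "dpauthserver.xml").write_text("<VASCO>auth</VASCO>")
        (bin_dir / "dpadmincmd.xml").write_text("<VASCO>admin</VASCO>")
        # mdcconfig.xml is deliberately absent: no Message Delivery Component here.
        manifest = backup_config_files(bin_dir, backup_dir, "authsrv1")
        intact = verify_backup(backup_dir, "authsrv1", manifest)
        # Simulate a damaged or edited backup copy and check that it is detected.
        (backup_dir / "dpauthserver.xml.authsrv1").write_text("<VASCO>changed</VASCO>")
        tampered = verify_backup(backup_dir, "authsrv1", manifest)
        return {
            "copied": sorted(n for n, d in manifest.items() if d is not None),
            "missing": sorted(n for n, d in manifest.items() if d is None),
            "intact_problems": intact,
            "tampered_problems": tampered,
        }


if __name__ == "__main__":
    print(demo())
```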
6.1.2 Web Sites<br />
In some cases, the web pages and graphics provided with <strong>VACMAN</strong> <strong>Middleware</strong> for the User<br />
Self Management Web Site and Virtual Digipass OTP Request Web Site will have been<br />
customized to suit the organization’s colors/languages/themes/etc.<br />
If these web pages and graphics have been modified, it is important to have a backup stored<br />
in a secure location away from the production server. This will allow the web site to be<br />
restored for the look and feel of the organization.<br />
To back up the web site pages and graphics, you can copy the html, js, and gif files to another<br />
location. If the site is highly modified, or the location of the files on disk is not known, contact<br />
your web administrator for further guidance.<br />
Note<br />
Maintaining the directory structure will make restoration of the site, if required,<br />
quicker and easier.<br />
6.1.3 Audit Log Data<br />
If your organization requires that the Audit Log data be archived, the method required will<br />
depend on the audit settings. You may need to archive periodically, to avoid too much disk<br />
space being used or to keep the database from growing too large and slow.<br />
6.1.3.1 Write to Text File<br />
Ensure you make copies of all files contained in the directory into which the audit log files are<br />
written. By default this will be \Log, however it may have been configured to<br />
another location. Check the audit configuration settings if you are unsure.<br />
6.1.3.2 Write to ODBC Database<br />
Back up the database using the database's backup utility.<br />
6.1.3.3 Write to Windows Event Log<br />
By default, Event Log entries are written to the Application log. However, you can configure<br />
the entries to be written to another log. Check the audit configuration if you are unsure.<br />
Important Note<br />
The Event Log may be configured with a maximum size. When this size is<br />
reached, the oldest entries may be overwritten by new ones. To check this,<br />
view the Properties of the log in the Event Viewer. If older entries will be<br />
overwritten, you will need to archive them before that occurs.<br />
To archive an Event Log:<br />
1. Select Start -> Settings -> Control Panel.<br />
2. Double-click on Administrative Tools.<br />
3. Double-click on Event Viewer.<br />
4. Right-click on Application (or the correct log, if not Application).<br />
5. Click on Save log file as...<br />
6. Select a path and enter a filename.<br />
7. Select a file format from the Type drop down list.<br />
8. Click on the Save button.<br />
Note<br />
The Audit Log data is not required for system recovery purposes.<br />
6.1.4 DPX files<br />
The DPX files are normally provided on a floppy disk, which can be stored securely as a<br />
backup. If you prefer another method of archive, copy the files to your preferred location. It is<br />
important to keep the DPX file transport keys secure, and preferably in a separate location from<br />
the DPX files themselves.<br />
6.1.5 Active Directory<br />
6.1.5.1 Cold Backup<br />
In many cases the Authentication Server will belong to an Active Directory domain that<br />
includes several Domain Controllers. Replication should automatically occur between Domain<br />
Controllers, providing simple data backup.<br />
It is highly recommended, however, that you perform a 'cold' backup of the System State<br />
Data, which includes the Active Directory repository. This will allow recovery if data is<br />
corrupted and then replicated. For more information about backing up and restoring System<br />
State Data, refer to Windows Help on your Domain Controller and enter 'backing up data,<br />
System State data' in the index tab. In particular, this should be performed on the Digipass<br />
Configuration Domain and any other Domains containing Digipass User accounts and/or<br />
Digipass records.<br />
6.1.6 ODBC and Embedded Database<br />
6.1.6.1 Data Source Settings<br />
If you have made any adjustments to the ODBC Data Source (DSN) that are important<br />
to keep, make sure that you have a record of the settings.<br />
6.1.6.2 Backup Strategies<br />
Warm Backup<br />
A 'warm' backup of the disk containing the database used by the Authentication Server via a<br />
RAID hardware configuration or server mirroring is a favorable backup method. It is both<br />
entirely up to date and incurs no downtime if a single disk failure occurs.<br />
This method requires either software RAID, or for better performance a hardware RAID<br />
configuration.<br />
Another technique that achieves the same effect is the 'shadow database'.<br />
However, it is still recommended to take a cold backup at intervals, as there is a possibility<br />
that a database corruption could be mirrored/shadowed under some circumstances.<br />
Cold Backup<br />
A 'cold' backup of the database allows administrators to implement a duplicate database as a<br />
safeguard on a regular basis. Generally speaking there are two methods that can be used to<br />
perform a cold backup:<br />
Backup Utility<br />
The first option is to use the vendor-specific backup utility that allows the contents of the<br />
database to be backed up to a file or device while the system is running. Such a utility is provided<br />
with the embedded database PostgreSQL (see below).<br />
Shut Down and Copy the Database File<br />
The second option involves stopping the database server and any connecting server processes<br />
and copying the database files. However, this is only possible where the database vendor<br />
recommends this approach. Normally this is only appropriate if the database is contained in a<br />
single operating system file.<br />
Replicated Copy<br />
If replication has been configured between databases, a replicated copy can be used as a<br />
backup. However, it is still recommended to take a cold backup at intervals.<br />
6.1.6.3 Backup of Embedded Database<br />
The PostgreSQL database available with the Authentication Server installation may be backed<br />
up while operational by completing these steps:<br />
1. Open command prompt in \PostgreSQL\Bin.<br />
2. Enter the following command and hit ENTER:<br />
pg_dump -f "" -Fc -Z9 -U [-v] postgres<br />
where:<br />
is the absolute path and file name of the file to back up the data<br />
to<br />
is the database administrator account name. When installed,<br />
this is set to "digipass".<br />
-v is an optional 'verbose mode' parameter. Use this if you wish to see output as the<br />
backup is run.<br />
3. You will normally be prompted for the password of the database administrator account.<br />
When installed, this is set to "digipassword".<br />
This command may also be run via a batch file in order to automatically take a backup at<br />
regular intervals. In order to remove the interactive prompt for the password, you can add a<br />
line to a PostgreSQL configuration file to allow local logins for a database administrator account<br />
without a password. Edit the file \PostgreSQL\data\pg_hba.conf with a text<br />
editor. At the bottom of this file, there is a list of rules for authenticating connections to the<br />
database, which by default will be:<br />
# TYPE DATABASE USER CIDR-ADDRESS METHOD<br />
# IPv4 local connections:<br />
host all all 127.0.0.1/32 md5<br />
# IPv6 local connections:<br />
#host all all ::1/128 md5<br />
Add the following line directly below # IPv4 local connections:<br />
host postgres digipass 127.0.0.1/32 trust<br />
You may prefer to create a second database administrator account that only has permission to<br />
back up the database. This can be done using the PostgreSQL database administration utility<br />
Programs -> PostgreSQL 8.1 -> pgAdmin III. Refer to the PostgreSQL documentation for<br />
more information.<br />
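The pg_hba.conf edit above widens who can connect without a password, so it is worth making the change mechanically and then listing what it grants. The Python below is an added example (not VASCO or PostgreSQL code): it inserts the rule directly below the IPv4 comment, as the text instructs, and reports every rule using the trust method. The sample file is reconstructed from the default rules quoted above; the parser handles the host and local rule forms only.

```python
"""Insert the passwordless backup rule into pg_hba.conf and audit the result.

Added example, not VASCO or PostgreSQL code. PG_HBA_DEFAULT reconstructs the
default rules quoted in the manual; BACKUP_RULE is the line the manual adds."""

PG_HBA_DEFAULT = """# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
# IPv6 local connections:
#host   all         all         ::1/128               md5
"""

IPV4_MARKER = "# IPv4 local connections:"
# Scope of the rule: only the postgres database, only the digipass account,
# only connections from 127.0.0.1. It must sit above the md5 line because
# PostgreSQL uses the first rule that matches a connection.
BACKUP_RULE = "host    postgres    digipass    127.0.0.1/32          trust"


def parse_rules(text: str) -> list:
    """Parse pg_hba.conf rules (host and local forms) into dicts, skipping comments."""
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "local":          # local rules carry no address column
            if len(fields) < 4:
                raise ValueError(f"line {number}: incomplete local rule")
            rule = {"type": "local", "database": fields[1], "user": fields[2],
                    "address": None, "method": fields[3]}
        else:
            if len(fields) < 5:
                raise ValueError(f"line {number}: incomplete host rule")
            rule = {"type": fields[0], "database": fields[1], "user": fields[2],
                    "address": fields[3], "method": fields[4]}
        rule["line"] = number
        rules.append(rule)
    return rules


def add_backup_rule(text: str, rule: str = BACKUP_RULE,
                    marker: str = IPV4_MARKER) -> str:
    """Return text with rule inserted directly below marker (idempotent)."""
    lines = text.splitlines()
    if any(line.split() == rule.split() for line in lines):
        return text                       # already present, do not duplicate
    for index, line in enumerate(lines):
        if line.strip() == marker:
            lines.insert(index + 1, rule)
            trailer = "\n" if text.endswith("\n") else ""
            return "\n".join(lines) + trailer
    raise ValueError(f"marker line {marker!r} not found in pg_hba.conf")


def trust_rules(text: str) -> list:
    """Every rule that grants access without a password (method 'trust')."""
    return [rule for rule in parse_rules(text) if rule["method"] == "trust"]


def describe_trust(text: str) -> list:
    """Human-readable summary of what each trust rule allows."""
    return [f"line {r['line']}: {r['user']} -> {r['database']} from {r['address']}"
            for r in trust_rules(text)]


if __name__ == "__main__":
    updated = add_backup_rule(PG_HBA_DEFAULT)
    print(updated)
    print("\n".join(describe_trust(updated)))
```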
6.2 Recovery<br />
6.2.1 Active Directory<br />
Assumptions:<br />
Active Directory itself is still valid and operational.<br />
Up-to-date backups of the configuration files for the Authentication Server are available.<br />
Steps:<br />
1. Rebuild the server with your operating system SOE, using the same IP address as<br />
before, in the same Domain as before.<br />
2. Retrieve your backup copy of the dpauthserver.xml file.<br />
3. Reinstall <strong>VACMAN</strong> <strong>Middleware</strong> on the server. The same settings as those chosen in the<br />
previous installation should be selected. Note: on Active Directory or an ODBC<br />
database, the This is not the first Authentication Server to be installed checkbox<br />
on the Prerequisites screen should be ticked.<br />
4. Tick the Use an evaluation license checkbox (the existing Digipass data in the data<br />
store contains all necessary licensing information, which will be retrieved when the<br />
Authentication Server is operational).<br />
5. At the end of the installation, you will be prompted to select a license activation<br />
method. Select Just Continue.<br />
Before you restart the machine, carry out the following:<br />
6. Restore the backup copy of the configuration file dpauthserver.xml to \bin.<br />
7. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites<br />
and 6.1.2 Web Sites for more information).<br />
After restarting the machine:<br />
8. Check that you can view Digipass-specific information in the <strong>Administration</strong> MMC<br />
Interface and the Digipass Extension for Active Directory Users and Computers.<br />
6.2.2 ODBC or Embedded Database<br />
6.2.2.1 Rebuild Authentication Server, Database Undamaged<br />
1. Rebuild the server with your operating system SOE, using the same IP address as<br />
before, in the same Domain as before.<br />
2. Retrieve your backup copy of the dpauthserver.xml file.<br />
3. Reinstall <strong>VACMAN</strong> <strong>Middleware</strong> on the server. The same settings as those chosen in the<br />
previous installation should be selected. Note: on Active Directory or an ODBC<br />
database, the This is not the first Authentication Server to be installed checkbox<br />
on the Prerequisites screen should be ticked.<br />
4. Tick the Use an evaluation license checkbox (the existing Digipass data in the data<br />
store contains all necessary licensing information, which will be retrieved when the<br />
Authentication Server is operational).<br />
5. At the end of the installation, you will be prompted to select a license activation<br />
method. Select Just Continue.<br />
Before you restart the machine, carry out the following:<br />
6. Restore the backup copy of the configuration file dpauthserver.xml into the same<br />
directory.<br />
7. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites<br />
and 6.1.2 Web Sites for more information).<br />
After restarting the machine:<br />
8. Check that you can view Digipass-specific information in the <strong>Administration</strong> MMC<br />
Interface.<br />
6.2.2.2 Restore Database, Authentication Server Undamaged<br />
This procedure should be followed where a database has been damaged and no current, valid<br />
database exists on another server. The database is restored from an earlier backup.<br />
1. Stop Digipass Authentication Server service.<br />
2. Restore database from backup. If you are using the embedded PostgreSQL database:<br />
a. Stop the Digipass Authentication Server service.<br />
b. Open a command prompt in \PostgreSQL\Bin.<br />
c. Enter the following command and hit ENTER:<br />
pg_restore -d postgres -c -U &lt;username&gt; [-v] "&lt;filename&gt;"<br />
where:<br />
&lt;filename&gt; is the absolute path and file name of the file to restore from<br />
&lt;username&gt; is the database administrator account name. The database<br />
administrator account created during installation is "digipass".<br />
-v is an optional 'verbose mode' parameter. Use this if you wish to see output as<br />
the database is restored.<br />
d. Enter the following command and hit ENTER:<br />
vacuumdb -z -d postgres -U &lt;username&gt; [-v]<br />
where:<br />
&lt;username&gt; is the database administrator account name. The database<br />
administrator account created during installation is "digipass".<br />
-v is an optional 'verbose mode' parameter. Use this if you wish to see output as<br />
the statistics are recalculated.<br />
This step forces the database to recalculate optimization statistics, because all the<br />
data has been removed and reloaded.<br />
3. Delete the replication queue files for all destination servers. This can be done by<br />
deleting all files in the \Data directory (Note: if you have reconfigured<br />
replication to store its files in a different directory, delete the files in that<br />
directory instead).<br />
4. Restart Digipass Authentication Server service.<br />
Follow the 6.2.2.4 Copy Database from Other Authentication Server procedure below on<br />
all other Authentication Servers in the system. It is essential to resynchronize all the databases<br />
in the system.<br />
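The restore steps above (stop the service, pg_restore, vacuumdb, clear the replication queue, restart) as an added example that is not VASCO's code or part of the product: a Python runbook that plans and, when dry_run is off, executes the procedure on the Authentication Server host. The service name, install directory and queue directory are assumptions and must be matched to the real installation; pg_restore -c and vacuumdb -z are the flags this section specifies; PGPASSWORD is libpq's standard environment variable, used so the administrator password is supplied by the caller rather than typed at a prompt or placed on the command line. The example goes one step beyond this section: queue_files(display_name=...) also covers step 4 of 6.2.2.4, where only the queue files for one destination server are removed on the surviving server. The sample directory layout is constructed for the example.

```python
"""Runbook for restoring the embedded PostgreSQL database on a single
Authentication Server (steps 1-4 of 6.2.2.2).  Added example, not VASCO's
code; the paths and service name below are assumptions for this example."""
import os
import subprocess
import tempfile
from pathlib import Path

SERVICE_NAME = "Digipass Authentication Server"                    # assumed service name
INSTALL_DIR = Path(r"C:\Program Files\VASCO\VACMAN Middleware")     # assumed install dir
PG_BIN = INSTALL_DIR / "PostgreSQL" / "Bin"                          # ...\PostgreSQL\Bin
QUEUE_DIR = INSTALL_DIR / "Data"                                     # default queue directory


def pg_restore_cmd(backup_file, username="digipass", verbose=False):
    """Step 2c: pg_restore -d postgres -c -U <username> [-v] "<filename>".
    -c drops each object before recreating it, so the damaged copy is replaced."""
    cmd = [str(PG_BIN / "pg_restore"), "-d", "postgres", "-c", "-U", username]
    if verbose:
        cmd.append("-v")
    cmd.append(str(backup_file))
    return cmd


def vacuumdb_cmd(username="digipass", verbose=False):
    """Step 2d: vacuumdb -z -d postgres -U <username> [-v] recomputes planner
    statistics, which are stale after every table was dropped and reloaded."""
    cmd = [str(PG_BIN / "vacuumdb"), "-z", "-d", "postgres", "-U", username]
    if verbose:
        cmd.append("-v")
    return cmd


def queue_files(queue_dir, display_name=None):
    """Replication queue files to delete.  With no display_name every file in
    the directory goes (step 3: this server's queues for all destinations);
    with one, only files whose name starts with that destination server's
    Display Name (6.2.2.4 step 4, run on the surviving server)."""
    files = sorted(p for p in Path(queue_dir).iterdir() if p.is_file())
    if display_name is not None:
        files = [p for p in files if p.name.startswith(display_name)]
    return files


def plan_restore(backup_file, queue_dir=QUEUE_DIR, username="digipass", verbose=False):
    """Ordered (step, payload) pairs.  The backup file is validated before
    anything is stopped, so a mistyped path does not leave the service down."""
    backup_file = Path(backup_file)
    if not backup_file.is_file():
        raise FileNotFoundError(f"backup file not found: {backup_file}")
    return [
        ("stop_service", ["net", "stop", SERVICE_NAME]),
        ("pg_restore", pg_restore_cmd(backup_file, username, verbose)),
        ("vacuumdb", vacuumdb_cmd(username, verbose)),
        ("delete_queue", [str(p) for p in queue_files(queue_dir)]),
        ("start_service", ["net", "start", SERVICE_NAME]),
    ]


def run_restore(backup_file, password, dry_run=True, **kwargs):
    """Execute the plan.  The password reaches pg_restore/vacuumdb through
    PGPASSWORD (libpq's standard variable) instead of the command line."""
    plan = plan_restore(backup_file, **kwargs)
    if dry_run:
        return plan
    env = dict(os.environ, PGPASSWORD=password)
    for step, payload in plan:
        if step == "delete_queue":
            for f in payload:
                os.remove(f)
        else:
            subprocess.run(payload, env=env, check=True)
    return plan


def make_sample_layout():
    """Constructed sample: a temp dir with a backup file and three queue files
    for two destination servers, so the plan can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    backup = root / "vacman_backup.dump"
    backup.write_bytes(b"PGDMP")            # constructed placeholder content
    queue = root / "Data"
    queue.mkdir()
    for name in ("SVR-2.q1", "SVR-2.q2", "SVR-3.q1"):
        (queue / name).write_text("")
    return backup, queue
```

Run with dry_run=True first and review the returned plan; only then call run_restore with dry_run=False. Because the service is stopped before pg_restore and started after vacuumdb, the order of the plan is the order the section prescribes.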
6.2.2.3 Rebuild Authentication Server, Restore Database<br />
This procedure is required where both the Authentication Server and its database have been<br />
lost. Configuration files and the database will be restored from backups.<br />
1. Rebuild the server with your operating system SOE, using the same IP address as<br />
before, in the same Domain as before.<br />
2. Retrieve your backup copy of the dpauthserver.xml file.<br />
3. Reinstall <strong>VACMAN</strong> <strong>Middleware</strong> on the server. The same settings as those chosen in the<br />
previous installation should be selected. Note: on Active Directory or an ODBC<br />
database, the This is not the first Authentication Server to be installed checkbox<br />
on the Prerequisites screen should be ticked.<br />
4. Tick the Use an evaluation license checkbox (the existing Digipass data in the data<br />
store contains all necessary licensing information, which will be retrieved when the<br />
Authentication Server is operational).<br />
5. At the end of the installation, you will be prompted to select a license activation<br />
method. Select Just Continue.<br />
Before you restart the machine, carry out the following:<br />
6. Restore the backup copy of the configuration file dpauthserver.xml into the same<br />
directory.<br />
7. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites<br />
and 6.1.2 Web Sites for more information).<br />
8. Restore database from backup. If you are using the embedded PostgreSQL database:<br />
a. Stop the Digipass Authentication Server service.<br />
b. Open a command prompt in \PostgreSQL\Bin.<br />
c. Enter the following command and hit ENTER:<br />
pg_restore -d postgres -c -U &lt;username&gt; [-v] "&lt;filename&gt;"<br />
where:<br />
&lt;filename&gt; is the absolute path and file name of the file to restore from<br />
&lt;username&gt; is the database administrator account name. The database<br />
administrator account created during installation is "digipass".<br />
-v is an optional 'verbose mode' parameter. Use this if you wish to see output as<br />
the database is restored.<br />
d. You will normally be prompted for the password of the database administrator<br />
account. When installed, this is set to "digipassword".<br />
e. Enter the following command and hit ENTER:<br />
vacuumdb -z -d postgres -U &lt;username&gt; [-v]<br />
where:<br />
&lt;username&gt; is the database administrator account name. The database<br />
administrator account created during installation is "digipass".<br />
-v is an optional 'verbose mode' parameter. Use this if you wish to see output as<br />
the statistics are recalculated.<br />
This step forces the database to recalculate optimization statistics, because all the<br />
data has been removed and reloaded.<br />
f. You will normally be prompted for the password of the database administrator<br />
account. When installed, this is set to "digipassword".<br />
9. Reboot the machine.<br />
10. Check that you can view Digipass-specific information in the <strong>Administration</strong> MMC<br />
Interface.<br />
Follow the 6.2.2.4 Copy Database from Other Authentication Server procedure below on<br />
all other Authentication Servers in the system. It is essential to resynchronize all the databases<br />
in the system.<br />
6.2.2.4 Copy Database from Other Authentication Server<br />
This procedure will be required where multiple Authentication Servers are synchronizing with<br />
each other, where one database has become unsynchronized or unstable. It must be replaced<br />
with a 'safe' database – one containing up-to-date, uncorrupted data. The instructions below<br />
assume a simple two-Authentication Server pair where one Authentication Server (SVR-2) is<br />
using a database that has become unstable, and the other (SVR-1) is using a 'safe' database.<br />
To replace the database:<br />
1. Identify the Authentication Server with the 'safe' database. For these steps, it will be<br />
referred to as SVR-1.<br />
2. Stop the Digipass Authentication Server service on SVR-1 and SVR-2.<br />
3. Take a complete copy of the database used by the Authentication Server on SVR-1. If<br />
you are using the embedded PostgreSQL database, see 6.1.6.3 Backup of<br />
Embedded Database for instructions.<br />
4. Delete the replication queue files for SVR-2 which is on SVR-1:<br />
a. On SVR-1, run the Authentication Server Configuration utility and change to the<br />
Replication tab.<br />
b. Find the Destination Server row that represents SVR-2 and note the Display Name.<br />
c. Check the Queue Settings File Path value. This will normally be \Data, but may have been re-configured.<br />
d. In that directory, delete all files whose filename starts with that Display Name.<br />
5. The Digipass Authentication Server service on SVR-1 may be restarted now if needed –<br />
it will build up a new replication queue until it can connect to SVR-2.<br />
6. Completely overwrite the database used by the Authentication Server on SVR-2 with<br />
the copy from SVR-1. If you are using the embedded PostgreSQL database, see Step 2<br />
of 6.2.2.2 Restore Database, Authentication Server Undamaged.<br />
7. Delete the replication queue file on SVR-2 for all other Authentication Servers. This can<br />
be done by deleting all files in the \Data directory (Note: if you<br />
have re-configured replication to store its files in a different directory, delete the files<br />
in that directory instead).<br />
Warning<br />
If the Authentication Server with the 'bad' database (SVR-2) was<br />
synchronizing with another Authentication Server, you must copy over the<br />
other database as well. Follow the steps above for any Authentication Servers<br />
with which SVR-2 was synchronizing.<br />
8. Restart the Digipass Authentication Server service on SVR-2.<br />
6.2.2.5 Rebuild Authentication Server, Copy Database<br />
This procedure will be required where multiple Authentication Servers are synchronizing with<br />
each other and one Authentication Server, together with its database, is lost. The instructions<br />
below assume one functional Authentication Server (SVR-1) with an up-to-date database, and<br />
a server on which an Authentication Server must be rebuilt (SVR-2) and its database copied<br />
from the other Authentication Server.<br />
1. Rebuild SVR-2 with your operating system SOE, using the same IP address as before,<br />
in the same Domain as before.<br />
2. Retrieve your backup copy of the dpauthserver.xml file.<br />
3. Reinstall <strong>VACMAN</strong> <strong>Middleware</strong> on the server. The same settings as those chosen in the<br />
previous installation should be selected. Note: on Active Directory or an ODBC<br />
database, the This is not the first Authentication Server to be installed checkbox<br />
on the Prerequisites screen should be ticked.<br />
4. Tick the Use an evaluation license checkbox (the existing Digipass data in the data<br />
store contains all necessary licensing information, which will be retrieved when the<br />
Authentication Server is operational).<br />
5. At the end of the installation, you will be prompted to select a license activation<br />
method. Select Just Continue.<br />
Before you restart SVR-2, carry out the following:<br />
6. Restore the backup copy of the configuration file dpauthserver.xml into the same<br />
directory.<br />
7. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites<br />
and 6.1.2 Web Sites for more information).<br />
8. On SVR-1, stop the Digipass Authentication Server service.<br />
9. Take a complete copy of the database used by the Authentication Server on SVR-1. If<br />
you are using the embedded PostgreSQL database, see 6.1.6.3 Backup of<br />
Embedded Database for instructions.<br />
10. Delete the replication queue file for SVR-2 which is on SVR-1.<br />
a. On SVR-1, run the Authentication Server Configuration utility and change to the<br />
Replication tab.<br />
b. Find the Destination Server row that represents SVR-2 and note the Display Name.<br />
c. Check the Queue Settings File Path value. This will normally be \Data, but may have been re-configured.<br />
d. In that directory, delete all files whose filename starts with that Display Name.<br />
11. The Digipass Authentication Server service on SVR-1 may be restarted now if needed<br />
– it will build up a new replication queue until it can connect to SVR-2.<br />
12. Completely overwrite the database used by the Authentication Server on SVR-2 with<br />
the copy from SVR-1. If you are using the embedded PostgreSQL database, see Step 2<br />
of 6.2.2.2 Restore Database, Authentication Server Undamaged.<br />
13. Restart SVR-2.<br />
14. Check that you can view Digipass-specific information in the <strong>Administration</strong> MMC<br />
Interface.<br />
Warning<br />
If the Authentication Server with the 'bad' database (SVR-2) was<br />
synchronizing with another Authentication Server, you must copy over the<br />
other database as well. Follow the steps above for any Authentication Servers<br />
with which SVR-2 was synchronizing.<br />
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Field Listings<br />
7 Field Listings<br />
7.1 User Property Sheet<br />
Table 30: User Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
New Password<br />
Confirm Password<br />
Description<br />
These fields are used to modify the static password that is stored in the Digipass User<br />
account. If they are left blank, no modification is made.<br />
Local Authentication Specifies whether authentication requests for the User account will be handled by the<br />
Authentication Server using Local Authentication (see the Authenticating Users section<br />
in the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
Normally, this field will be Default, meaning that the Policy applicable to the authentication<br />
request determines the setting. This field on the Digipass User account is used to override<br />
the Policy setting for special cases.<br />
When Local Authentication is used, there are two factors that determine whether Digipass<br />
authentication is used – any Policy restrictions on Digipass Types and/or Applications that<br />
can be used and whether the Digipass User account has any assigned Digipass that meet the<br />
restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they<br />
cannot use Digipass authentication under that Policy.<br />
Options:<br />
Default Use the setting of the effective Policy.<br />
None The Authentication Server will not carry out Local Authentication for this<br />
User account. They may be handled using Back-End Authentication, or<br />
not handled at all by the Authentication Server.<br />
Digipass/Password The Authentication Server will always carry out Local Authentication for<br />
this User, using Digipass authentication if possible, otherwise the static<br />
password. Back-End Authentication may also be utilized.<br />
Digipass Only The Authentication Server will always carry out Local Authentication for<br />
this User, using Digipass authentication. If Digipass authentication is not<br />
possible, the user cannot log in. Back-End Authentication may also be<br />
utilized.<br />
Back-End Authentication Specifies whether authentication requests for the User account will be handled by the<br />
Authentication Server using Back-End Authentication (see the Authenticating Users<br />
section in the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
Normally, this field will be Default, meaning that the Policy applicable to the authentication<br />
request determines the setting. This field on the Digipass User account is used to override<br />
the Policy setting for special cases.<br />
Options:<br />
Default Use the setting of the effective Policy.<br />
None Back-End Authentication will not be used.<br />
If Needed The Authentication Server will utilize Back-End Authentication but only in<br />
certain cases:<br />
Dynamic User Registration<br />
Self-Assignment<br />
Password Autolearn<br />
Requesting a Challenge or Virtual Digipass OTP, when the Request<br />
Method includes a Password<br />
Static password authentication, when verifying a Virtual Digipass<br />
password-OTP combination or during the Grace Period<br />
Always The Authentication Server will utilize Back-End Authentication for every<br />
authentication request.<br />
Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication<br />
for the User will be rejected by the Authentication Server.<br />
Active Directory only:<br />
This attribute will be set to disabled and made read-only if the Active Directory User account<br />
is disabled or expired. Otherwise, this attribute will be editable.<br />
Locked Specifies whether a Digipass User account is locked or not. If locked, authentication for the<br />
User will be rejected by the Authentication Server.<br />
The Locked indicator is normally set automatically when the User exceeds a certain number<br />
of failed authentication attempts. The User Lock Threshold is set in the Policy.<br />
Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts<br />
together. This feature is intended for the case where one person, such as an administrator,<br />
has multiple User accounts. If their accounts are linked, there is no need to give more than<br />
one Digipass to that person.<br />
This feature is used by assigning the Digipass to one User account, then linking all the other<br />
User accounts for the person to the one that has the Digipass.<br />
Read-only.<br />
Active Directory only:<br />
If a User is linked to another User, their Linked User Account field will show the Active<br />
Directory format DN (Distinguished Name) of the linked User. The DN shows the full address<br />
within Active Directory of the linked User, for example:<br />
CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=com<br />
In this example, the linked User is called Test User and they are located in an Organizational<br />
Unit Admin, which is inside another Organizational Unit Europe in the vasco.com domain.<br />
ODBC Database only:<br />
If a User is linked to another User, their Linked User Account field will show the UserId and<br />
Domain of the linked User, for example:<br />
testuser [vasco.com]<br />
Created On The date and time that the Digipass User account was created. Read-only.<br />
Last Modified On The date and time that the Digipass User account was last modified. Read-only.<br />
Domain ODBC Database only:<br />
The Domain to which the User belongs.<br />
Read only.<br />
Organizational Unit ODBC Database only:<br />
The Organizational Unit in which the User is located. This is optional as the User does not<br />
have to be located in an Organizational Unit.<br />
Read only. The Move command must be used from the User list menu to change this.<br />
User Name ODBC Database only:<br />
The full name of the User.<br />
Email Address ODBC Database only:<br />
The email address of the User.<br />
Phone No. ODBC Database only:<br />
The telephone number of the User.<br />
Mobile No. ODBC Database only:<br />
The mobile phone number of the User. This will be used for Virtual Digipass logins.<br />
Description ODBC Database only:<br />
Any descriptive text or notes.<br />
Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active<br />
Applications is given with the Application Type indicated in brackets (). For example:<br />
0058384426 RESP_ONLY(RO), CHALLENGE(CR)<br />
In this example line, the Digipass with Serial Number 0058384426 has two active<br />
Applications: one Response Only Application RESP_ONLY and one Challenge/Response<br />
Application CHALLENGE.<br />
If the User does not have any Digipass assigned directly, but is linked to another User to use<br />
their Digipass (see Linked User Account), the linked User's Digipass list is shown with the<br />
Serial Numbers in square brackets (e.g. [0058384426]).<br />
When a Digipass in the list is selected, the remainder of the property sheet tab indicates<br />
values from the corresponding Digipass record.<br />
Read-only.<br />
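The User-level settings in Table 30 (the Local and Back-End Authentication overrides, Disabled, Locked, Linked User Account and the Policy's Digipass Type restriction) decide together how a request for a User is treated. As an added example that is not VASCO's code, the following Python models those rules together with the inheritance rule of 7.5 Policy Property Sheet (a choice list set to Default, a blank text or numeric field, or an empty list takes the parent Policy's value), so the effective outcome for a User under a Policy can be computed. The Policy and User names, the outcome labels and the second serial number are constructed for this example; the DP300 versus DP700 case is the manual's own.

```python
"""Effective authentication settings for a Digipass User account.  Added
example (not VASCO's code): applies the override rules of Table 30, the
Linked User Account and Digipass Type rules of this chapter, and the
inheritance rule of 7.5 Policy Property Sheet to one request."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    # Choice lists: "Default" inherits.  Option names as listed in Table 34.
    local_auth: str = "Default"        # None | Digipass/Password | Digipass Only
    back_end_auth: str = "Default"     # None | If Needed | Always
    # List field: an empty list inherits; a non-empty one restricts Digipass Types.
    digipass_types: List[str] = field(default_factory=list)
    # Numeric field: blank (None) inherits; 0 is a real value and does not.
    user_lock_threshold: Optional[int] = None

    def effective(self, attr: str):
        """Walk up the parent chain while the field says 'inherit'."""
        value = getattr(self, attr)
        inherits = value == "Default" or value is None or value == []
        if inherits and self.parent is not None:
            return self.parent.effective(attr)
        return value


@dataclass
class Digipass:
    serial: str
    dp_type: str                 # e.g. "DP300"
    active_apps: List[str]       # e.g. ["RESP_ONLY(RO)", "CHALLENGE(CR)"]


@dataclass
class User:
    user_id: str
    local_auth: str = "Default"      # per-User override of the Policy setting
    back_end_auth: str = "Default"
    disabled: bool = False
    locked: bool = False
    digipass: List[Digipass] = field(default_factory=list)
    linked_to: Optional["User"] = None


def usable_digipass(user: User, policy: Policy) -> List[Digipass]:
    """Digipass this User may authenticate with: their own, or the linked
    User's if none is assigned directly, and only those whose type meets the
    effective Policy restriction and which have an active Application."""
    owner = user.linked_to if (not user.digipass and user.linked_to) else user
    allowed = policy.effective("digipass_types")
    return [d for d in owner.digipass
            if d.active_apps and (not allowed or d.dp_type in allowed)]


def effective_setting(user_value: str, policy: Policy, attr: str) -> str:
    """A User-level field overrides the Policy unless it is Default."""
    return user_value if user_value != "Default" else policy.effective(attr)


def decide(user: User, policy: Policy) -> dict:
    """How the Authentication Server would treat a request for this User.
    'local' is reject / digipass / static_password / not_handled (labels are
    ours); 'back_end' is the effective Back-End Authentication setting."""
    back_end = effective_setting(user.back_end_auth, policy, "back_end_auth")
    if user.disabled or user.locked:
        return {"local": "reject", "back_end": back_end}
    local = effective_setting(user.local_auth, policy, "local_auth")
    if local == "None":
        return {"local": "not_handled", "back_end": back_end}
    can_use_dp = bool(usable_digipass(user, policy))
    if local == "Digipass Only":
        return {"local": "digipass" if can_use_dp else "reject", "back_end": back_end}
    if local == "Digipass/Password":
        return {"local": "digipass" if can_use_dp else "static_password",
                "back_end": back_end}
    raise ValueError(f"unknown Local Authentication setting {local!r}")


def sample_scenario():
    """Constructed sample data: a base Policy, a child Policy restricted to
    DP300, and four Users that exercise the rules above."""
    base = Policy("Base", local_auth="Digipass/Password",
                  back_end_auth="If Needed", user_lock_threshold=3)
    strict = Policy("DP300 only", parent=base, local_auth="Digipass Only",
                    digipass_types=["DP300"])
    dp300 = Digipass("0058384426", "DP300", ["RESP_ONLY(RO)", "CHALLENGE(CR)"])
    dp700 = Digipass("0058384427", "DP700", ["RESP_ONLY(RO)"])   # constructed serial
    alice = User("alice", digipass=[dp700])
    bob = User("bob", digipass=[dp300])
    carol = User("carol", linked_to=bob)               # shares bob's Digipass
    dave = User("dave", locked=True, digipass=[dp300])
    return {"base": base, "strict": strict,
            "users": {"alice": alice, "bob": bob, "carol": carol, "dave": dave}}
```

Under the strict Policy alice (DP700 only) is rejected because the Policy is Digipass Only and her token does not meet the DP300 restriction, while under the base Policy she authenticates with it; carol, who holds no Digipass of her own, uses bob's through the link. Setting carol's own Local Authentication field to None takes her out of Local Authentication regardless of the Policy.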
7.2 User Authorization Profiles/Attributes Window<br />
Table 31: User Attribute Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
Description<br />
Attribute Group list This list box displays all Attribute Groups, User attributes and RADIUS Profiles currently<br />
configured for a User account.<br />
Note: RADIUS Profiles are not currently in use with <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Attribute Group drop<br />
down list<br />
Contains all Attribute Groups configured so far. A new Attribute Group may be created by<br />
typing a new value into the drop down list.<br />
Attribute Groups contain one or more User attributes and/or RADIUS Profiles. They are used<br />
where multiple IIS Modules are in use, and each IIS Module needs to use different User<br />
attributes for a User.<br />
The name selected in this field should match a name entered in the Configuration for an IIS<br />
Module.<br />
Name drop down list The name of the item being configured. If this is a User attribute, it must match the name of<br />
a user attribute required by an IIS Module. For the IIS 6 Module for Basic Authentication, this<br />
would be either User-Name or Password.<br />
Usage drop down list Specifies the usage required for the User attribute or RADIUS Profile.<br />
Options:<br />
Basic Used by the IIS 6 Module for Basic Authentication<br />
Check Note: Not currently in use with <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Used to ensure that an attribute supplied by RADIUS contains the<br />
expected value.<br />
Profile Note: Not currently in use with <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Indicates that the value entered is the name of a Profile existing in<br />
RADIUS.<br />
Return Note: Not currently in use with <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Passed back to RADIUS when the result of an authentication is returned<br />
by the Authentication Server.<br />
Value field This field should contain the User attribute value needed by the IIS Module. For the IIS 6<br />
Module for Basic Authentication, this would be a User ID or password.<br />
7.3 Digipass Property Sheet<br />
Table 32: Digipass Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
Description<br />
Domain ODBC Database only:<br />
The Domain to which the Digipass belongs.<br />
Read only. The Move command must be used from the Digipass list menu to change this.<br />
Organizational Unit ODBC Database only:<br />
The Organizational Unit in which the Digipass is located. This is optional as the Digipass does<br />
not have to be located in an Organizational Unit.<br />
Read only. The Move command must be used from the Digipass list menu to change this.<br />
Digipass Type The type of Digipass represented by the Digipass record (e.g. DP300).<br />
Reserve for Individual<br />
Assignment<br />
When used, this option prevents the Digipass from being assigned using the Auto-Assignment<br />
feature. It also prevents it from being assigned by an administrator who uses the 'Assign next<br />
available...' option in the assignment dialog.<br />
Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned.<br />
Read-only.<br />
Date Assigned The date and time when the Digipass was assigned to its current User.<br />
Read-only.<br />
Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date<br />
shows today's date or before, the Grace Period has already expired. If it is blank, there is no<br />
Grace Period.<br />
Enable Backup VDP Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass.<br />
Note that in order for the Backup Virtual Digipass feature to function, it must also be activated<br />
in the DPX file for the Digipass.<br />
Normally, this field will be Default, meaning that the Policy applicable to the authentication<br />
request determines the setting. This field on the Digipass record is used to override the Policy<br />
setting for special cases.<br />
Options:<br />
Default Use the setting of the effective Policy.<br />
No Backup Virtual Digipass is not permitted.<br />
Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory.<br />
The Enabled Until date is not applicable when using this<br />
option, but the Uses Remaining count is.<br />
Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory.<br />
Both the Enabled Until date and the Uses Remaining count<br />
will be in effect.<br />
Yes - Required Backup Virtual Digipass is mandatory. This may be useful if the<br />
User may have lost the Digipass, to prevent it from being used<br />
until they have found it again.<br />
The Enabled Until date is not applicable when using this<br />
option, but the Uses Remaining count is.<br />
Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that<br />
the effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise).<br />
If this date is blank, it will be set automatically the first time that the User requests a Backup<br />
Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the Policy.<br />
Once this date has expired, it requires administrator intervention either to extend it or to<br />
reset it to blank for the next time that the User needs to use Backup Virtual Digipass.<br />
Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for this<br />
Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used<br />
with this Digipass, unless the administrator increases it or resets it to blank.<br />
If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in<br />
the Policy, it will be set automatically the first time that the User requests a Backup Virtual<br />
Digipass OTP, based on the Max. Uses/User.<br />
Created On The date and time that the Digipass was created. Read-only.<br />
Last Modified On The date and time that the Digipass was last modified. Read-only.<br />
7.4 Digipass Application Tab<br />
Table 33: Digipass Application Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
Description<br />
Application Type The type of Digipass Application:<br />
RO – Response Only<br />
CR – Challenge/Response<br />
SG – Signature<br />
Active This field can be used to deactivate an Application, so that it cannot be used.<br />
Attribute/Value list This list indicates various internal settings of the Digipass Application.<br />
Created On The date and time that the Digipass Application was created. Read-only.<br />
Last Modified On The date and time that the Digipass Application was last modified. Read-only.<br />
7.5 Policy Property Sheet<br />
Note<br />
Changes to Policy settings will not take effect immediately. They will take effect<br />
when the Authentication Server is restarted, once the Policy change is available<br />
to the Authentication Server in the data store. Alternatively, if there is no<br />
restart, the cache of Policy settings will refresh from the data store after<br />
approximately every 15 minutes.<br />
Table 34: Policy Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
Description<br />
Description This description can be entered to record the purpose of the Policy.<br />
Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the<br />
'parent Policy'. Settings are inherited individually, depending on the value in the Policy field;<br />
they inherit the parent Policy value in the following cases:<br />
Choice lists/radio buttons – if the selected value is Default<br />
Text fields – if the field is blank<br />
Numeric fields – if the field is blank (not 0)<br />
List fields – if the list is empty<br />
The Show Effective Policy Settings... button can be used to display the result of<br />
inheriting settings combined with settings on the current Policy.<br />
Local Authentication Specifies whether authentication requests using the Policy will be handled by the<br />
Authentication Server using Local Authentication (see the Authenticating Users section<br />
in the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
When Local Authentication is used, there are two factors that determine whether Digipass<br />
authentication is used – any Policy restrictions on Digipass Types and/or Applications that<br />
can be used and whether the Digipass User account has any assigned Digipass that meet<br />
the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700,<br />
they cannot use Digipass authentication under that Policy.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None The Authentication Server will not carry out Local Authentication<br />
under this Policy. They may be handled using Back-End<br />
Authentication, or not handled at all by the Authentication Server.<br />
Digipass/Password The Authentication Server will always carry out Local Authentication<br />
under this Policy, using Digipass authentication if possible, otherwise<br />
the static password. Back-End Authentication may also be utilized.<br />
Digipass Only The Authentication Server will always carry out Local Authentication<br />
under this Policy, using Digipass authentication. If Digipass<br />
authentication is not possible, the user cannot log in. Back-End<br />
Authentication may also be utilized.<br />
Back-End Authentication Specifies whether authentication requests using the Policy will be handled by the<br />
Authentication Server using Back-End Authentication (see the Authenticating Users<br />
section in the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Back-End Authentication will not be used.<br />
If Needed The Authentication Server will utilize Back-End Authentication but<br />
© 2007 VASCO Data Security Inc. 87
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Field Listings<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
only in certain cases:<br />
Description<br />
Dynamic User Registration<br />
Self-Assignment<br />
Password Autolearn<br />
Requesting a Challenge or Virtual Digipass OTP, when the<br />
Request Method includes a Password<br />
Static password authentication, when verifying a Virtual<br />
Digipass password-OTP combination or during the Grace Period<br />
Always The Authentication Server will utilize Back-End Authentication for<br />
every authentication request.<br />
Back-End Protocol Specifies the protocol to be used for Back-End Authentication.<br />
Options:<br />
Windows Authentication using the Windows operating system.<br />
RADIUS Authentication using a RADIUS server.<br />
Created On The date and time that the Policy was created. Read-only.<br />
Last Modified On The date and time that the Policy was last modified. Read-only.<br />
Dynamic User<br />
Registration<br />
Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy.<br />
If this feature is used, when the Authentication Server receives an authentication request<br />
for a User for the first time and Back-End Authentication is successful, it will create a<br />
Digipass User account automatically. If DUR is used in conjunction with Auto-Assignment,<br />
a Digipass will be assigned to the new User account immediately.<br />
Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature<br />
enables the Authentication Server to update the password stored in the Digipass User<br />
account when Back-End Authentication is successful.<br />
Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This<br />
feature can be used in conjunction with the Back-End Authentication Always setting and<br />
the Password Autolearn feature, so that even though a Back-End Authentication check is<br />
done every login, it is done using the password stored in the Digipass User account, so the<br />
User does not have to enter it during their login unless it has just changed.<br />
In <strong>VACMAN</strong> <strong>Middleware</strong> it is normally not necessary to perform a Back-End Authentication<br />
check at each login, so this feature is not typically used.<br />
Default Domain The default Domain in which the Authentication Server should look for and create Digipass<br />
User accounts, if a Domain is not specified by the login credentials.<br />
Active Directory only:<br />
If the User logs in with the User-Principal-Name format (e.g. testuser@vasco.com) or the<br />
NT4 style format (e.g. VASCO\testuser), the Default Domain is not used. However, if they<br />
log in with just a UserId (e.g. testuser), the Default Domain will be used if specified.<br />
If no Domain is implied by the login credentials and there is no Default Domain, the<br />
Authentication Server will search in its Configuration Domain.<br />
The Default Domain must be the fully qualified domain name.<br />
ODBC Database only:<br />
Windows User Name Resolution can be used, in which case the User-Principal-Name and<br />
NT4 style formats will determine the Domain. If the Domain is not determined by that<br />
method, a simple UPN-like format (i.e. testuser@vasco.com) will identify the Domain, provided<br />
the Domain exists in the database.<br />
In either case, if no Domain has been identified, the Policy's Default Domain will be used if<br />
it is defined. Finally, if there is no Default Domain, the Master Domain will be used.<br />
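The Domain resolution order above, written out as an added Python example (this is not VACMAN Middleware code; the function names, the case-insensitive Domain lookup, and the rule that an unrecognised user@domain string is kept whole as the UserId in ODBC mode are assumptions made for the illustration):<br />

```python
from typing import FrozenSet, Optional, Tuple

# Added example, not VACMAN Middleware code: models the Default Domain
# resolution order for the Active Directory and ODBC data stores.


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split a login into (userid, domain) for the three formats named on the page:
    NT4 style (VASCO\\testuser), User-Principal-Name (testuser@vasco.com), bare UserId."""
    if "\\" in login:
        domain, userid = login.split("\\", 1)
        return userid, domain
    if "@" in login:
        userid, domain = login.rsplit("@", 1)
        return userid, domain
    return login, None


def resolve_active_directory(login: str, default_domain: Optional[str],
                             configuration_domain: str) -> Tuple[str, str]:
    """Active Directory: UPN or NT4 credentials carry the Domain. A bare UserId uses
    the Policy's Default Domain if set, otherwise the server's Configuration Domain."""
    userid, domain = split_login(login)
    if domain:
        return userid, domain
    return userid, default_domain or configuration_domain


def resolve_odbc(login: str, default_domain: Optional[str], master_domain: str,
                 known_domains: FrozenSet[str],
                 windows_name_resolution: bool) -> Tuple[str, str]:
    """ODBC database: with Windows User Name Resolution the UPN and NT4 formats
    determine the Domain. Otherwise a simple user@domain string identifies the Domain
    only when that Domain exists in the database. Then Default Domain, then Master Domain."""
    userid, domain = split_login(login)
    if domain and windows_name_resolution:
        return userid, domain
    if domain and "@" in login and domain.lower() in {d.lower() for d in known_domains}:
        return userid, domain
    # Assumption: when no Domain can be identified, the whole string is the UserId.
    return login, default_domain or master_domain
```

The two functions deliberately differ in their last fallback (Configuration Domain versus Master Domain), which is the distinction the table draws between the two data stores.<br />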
User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass<br />
User account to become Locked. For example, if the User Lock Threshold is 3, the account<br />
will become Locked on the third failed login attempt. Unlocking the account requires<br />
administrator action.<br />
Note that not all kinds of login failure will result in locking. For example, if the UserId is<br />
incorrect or the account is Disabled, the failure would not count towards the lock threshold.<br />
Locking is used mainly for incorrect OTPs and static passwords.<br />
Windows Group Check<br />
(radio buttons)<br />
Specifies whether and how the Windows Group Check feature is to be used. This feature<br />
is typically used for a staged deployment of Digipass when the Auto-Assignment method<br />
is used. It can also be used when only some Users are required to use Digipass or when<br />
only some Users will be permitted access and they have to use Digipass.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No check Do not use the Windows Group Check feature.<br />
Pass requests for users not in listed groups back to host system<br />
Use the Windows Group Check so that any Users who are not in<br />
one of the listed groups are ignored by the Authentication<br />
Server.<br />
This mode is not supported in <strong>VACMAN</strong> <strong>Middleware</strong> for<br />
RADIUS – users not in the group list will be rejected.<br />
Reject requests for users not in listed group<br />
Use the Windows Group Check so that any Users who are not in<br />
one of the listed groups are rejected by the Authentication<br />
Server.<br />
Use only Back-End Authentication for users not in listed groups<br />
Use Back-End Authentication only for any Users who are not in<br />
one of the listed groups.<br />
Group List This lists the names of the Windows Groups to be checked according to the Windows Group<br />
Check radio button setting. There are some important limitations of this check:<br />
Certain built-in Active Directory groups such as Domain Users and Everyone will not<br />
be checked. The check is intended to be used with a new group created specifically for<br />
this purpose.<br />
Nested group membership will not be detected by the check.<br />
There is no Domain qualifier for a group. The named group must be created in each<br />
Domain where User accounts exist that need to be added to the group.<br />
In the case of an ODBC Database, a local machine group can be used also.<br />
Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, if<br />
any. There are two methods, Auto-Assignment and Self-Assignment.<br />
Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When<br />
DUR occurs, the next available Digipass is assigned to the new Digipass User account. A<br />
Grace Period is set for the Digipass according to the Grace Period setting in the Policy.<br />
Self-Assignment is typically used with DUR also, but if the Digipass User accounts are<br />
created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a<br />
User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP<br />
from the Digipass and their static password. There is no Grace Period associated with Self-<br />
Assignment, because the User has to use the Digipass to perform Self-Assignment.<br />
In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will<br />
not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and<br />
DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy<br />
restrictions, they will not be able to self-assign another Digipass.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
Auto-Assignment Use the Auto-Assignment method.<br />
Self-Assignment Use the Self-Assignment method.<br />
Neither Do not use either method of automated assignment.<br />
Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and<br />
the date they must start using their Digipass to login. Before that time they can still use a<br />
static password (unless the Local Authentication setting is Digipass Only). However, the<br />
first time that an OTP is used to log in, the Grace Period is ended at that point if it has not<br />
already ended.<br />
This setting does not affect manual assignment by an administrator.<br />
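How the Local Authentication, Windows Group Check and Grace Period settings above combine into a single decision, as an added Python example (not VACMAN Middleware code). The data classes, the outcome strings, and the assumption that the Windows Group Check is evaluated before the Local Authentication setting are all constructed for this illustration:<br />

```python
from dataclasses import dataclass, replace
from datetime import date
from enum import Enum
from typing import FrozenSet, Optional, Sequence

# Added example, not VACMAN Middleware code: which credential path a login takes
# under a Policy, given the User's groups and assigned Digipass.


class LocalAuth(Enum):
    NONE = "None"
    DIGIPASS_PASSWORD = "Digipass/Password"
    DIGIPASS_ONLY = "Digipass Only"


class GroupCheck(Enum):
    NO_CHECK = "No check"
    PASS_TO_HOST = "Pass requests for users not in listed groups back to host system"
    REJECT = "Reject requests for users not in listed group"
    BACKEND_ONLY = "Use only Back-End Authentication for users not in listed groups"


@dataclass(frozen=True)
class Digipass:
    serial: str
    dp_type: str                          # e.g. "DP300"
    applications: FrozenSet[str]          # Application Names on this Digipass
    grace_until: Optional[date] = None    # set by Auto-Assignment; None = no Grace Period


@dataclass(frozen=True)
class Policy:
    local_auth: LocalAuth
    group_check: GroupCheck = GroupCheck.NO_CHECK
    group_list: FrozenSet[str] = frozenset()
    digipass_types: FrozenSet[str] = frozenset()       # empty = no restriction
    application_names: FrozenSet[str] = frozenset()    # empty = no restriction
    radius: bool = False   # VACMAN Middleware for RADIUS does not support "pass to host"


def usable_digipass(policy: Policy, assigned: Sequence[Digipass]) -> list:
    """Assigned Digipass that satisfy the Policy's Digipass Type and Application restrictions."""
    return [dp for dp in assigned
            if (not policy.digipass_types or dp.dp_type in policy.digipass_types)
            and (not policy.application_names or dp.applications & policy.application_names)]


def after_successful_otp(dp: Digipass) -> Digipass:
    """The first OTP login ends the Grace Period, if it has not already ended."""
    return replace(dp, grace_until=None)


def login_path(policy: Policy, user_groups: FrozenSet[str],
               assigned: Sequence[Digipass], today: date) -> str:
    """Return the credential path the Authentication Server would take for this login."""
    # 1. Windows Group Check (assumed to run first): Users outside the listed groups
    #    are handled according to the radio button setting.
    if policy.group_check != GroupCheck.NO_CHECK and not (user_groups & policy.group_list):
        if policy.group_check == GroupCheck.REJECT:
            return "reject"
        if policy.group_check == GroupCheck.BACKEND_ONLY:
            return "back-end only"
        # "Pass back to host" is not supported for RADIUS: those users are rejected there.
        return "reject" if policy.radius else "pass to host"
    # 2. Local Authentication setting.
    if policy.local_auth == LocalAuth.NONE:
        return "no local authentication"
    candidates = usable_digipass(policy, assigned)
    if not candidates:
        # No Digipass meets the restrictions: static password, except under Digipass Only.
        return "reject" if policy.local_auth == LocalAuth.DIGIPASS_ONLY else "static password"
    # 3. Grace Period: the static password is still accepted, but not under Digipass Only.
    in_grace = any(dp.grace_until is not None and today < dp.grace_until for dp in candidates)
    if in_grace and policy.local_auth != LocalAuth.DIGIPASS_ONLY:
        return "otp or static password"
    return "otp"
```

The worked case from the table (Policy requires a DP300, User only holds a DP700) falls through to the static password under Digipass/Password and to a rejection under Digipass Only.<br />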
Serial No. Separator The character (or short sequence of characters) that will be included at the end of the<br />
Digipass Serial Number during a Self-Assignment login. It allows the Authentication<br />
Server to easily recognise that a Self-Assignment attempt is being made and extract the<br />
Serial Number from the credentials.<br />
Search Upwards in Org.<br />
Unit hierarchy<br />
This controls the search scope for an available Digipass for Auto-Assignment or for a<br />
specific Digipass for Self-Assignment.<br />
This setting does not affect manual assignment by an administrator.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No The search scope is only the Organizational Unit in which the User<br />
account belongs. If the User does not belong to an Organizational<br />
Unit (ODBC Database only), the search will look for Digipass that<br />
also do not belong to an Organizational Unit.<br />
Yes The search will start in the User account's Organizational Unit, but if<br />
necessary it will then move upwards through the Organizational Unit<br />
hierarchy until it reaches the top. At the top, in the case of Active<br />
Directory, the Digipass-Pool container will be searched instead of the<br />
Domain Root. See the Location of Digipass Records topic in the<br />
Product Guide for more information.<br />
Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is<br />
effective. If the list is empty, there is no restriction. If there are one or more entries, they<br />
will indicate the Application Names that are permitted.<br />
Application Type The Policy can restrict which Digipass Application Type (eg. Response Only,<br />
Challenge/Response) may be used when it is effective.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No Restriction Digipass Application Type is not restricted.<br />
Response Only Only Digipass Applications of Type RO (Response Only) may be<br />
used.<br />
Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) may be<br />
used.<br />
Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is<br />
effective. If the list is empty, there is no restriction. If there are one or more entries, they<br />
will indicate the Digipass Types that are permitted.<br />
Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during logins<br />
to which the current Policy applies. Normally this setting is enabled, but it can be used to<br />
prevent PIN changes if required.<br />
1-Step Challenge/Response – Permitted<br />
Controls whether 1-step Challenge/Response logins will be enabled for the current Policy<br />
and, if so, where the challenge should originate.<br />
Note that 1-step Challenge/Response is not applicable in a RADIUS environment.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No 1-step Challenge/Response may not be used.<br />
Yes – Server Challenge 1-step Challenge/Response may be used provided that the<br />
authentication server that verifies the response generated the<br />
challenge.<br />
Yes – Any Challenge 1-step Challenge/Response may be used with any random challenge.<br />
1-Step Challenge/Response – Challenge Length<br />
Specifies the length of the challenge (excluding a check digit) which should be generated for<br />
1-step Challenge/Response logins.<br />
1-Step Challenge/Response – Add Check Digit<br />
A check digit may be added to the generated challenge. This allows the Digipass to more<br />
quickly identify invalid Challenges.<br />
2-Step Challenge/Response – Request Method<br />
The method by which a User has to request a 2-step Challenge/Response login.<br />
This is the only mode of Challenge/Response available in a RADIUS environment.<br />
The 'request' is made in the password field during login. The request will be ignored if the<br />
User does not have a Challenge/Response-capable Digipass assigned.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Do not use 2-step Challenge/Response.<br />
Keyword Use the Request Keyword. This is permitted to be blank.<br />
Password Use the static password.<br />
KeywordPassword Use the Request Keyword followed by the static password. No<br />
separator characters or whitespace should be between them.<br />
PasswordKeyword Use the static password followed by the Request Keyword. No<br />
separator characters or whitespace should be between them.<br />
2-Step Challenge/Response – Request Keyword<br />
Defines the Keyword that a User must enter to request a 2-step Challenge/Response login,<br />
if a method using a Keyword is selected in the Request Method.<br />
This is permitted to be blank.<br />
Primary Virtual Digipass – Request Method<br />
The method by which a User has to request a Primary Virtual Digipass login.<br />
The 'request' is made in the password field during login. The request will be ignored if the<br />
User does not have a Primary Virtual Digipass assigned.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Do not use Primary Virtual Digipass.<br />
Keyword Use the Request Keyword. This is permitted to be blank.<br />
Password Use the static password.<br />
KeywordPassword Use the Request Keyword followed by the static password. No<br />
separator characters or whitespace should be between them.<br />
PasswordKeyword Use the static password followed by the Request Keyword. No<br />
separator characters or whitespace should be between them.<br />
Primary Virtual Digipass – Request Keyword<br />
Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a<br />
method using a Keyword is selected in the Request Method. This is permitted to be blank.<br />
Backup Virtual Digipass – Enable Backup VDP<br />
Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy<br />
is effective. Note that in order for the Backup Virtual Digipass feature to function, it must<br />
also be activated in the DPX file for the Digipass.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No Backup Virtual Digipass is not permitted.<br />
Yes – Permitted Backup Virtual Digipass is permitted, but not mandatory.<br />
The Time Limit is not applicable when using this option, but the<br />
Max. Uses/User limit is.<br />
Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory.<br />
Both the Time Limit and the Max. Uses/User limit will be in effect.<br />
Yes – Required Backup Virtual Digipass is mandatory.<br />
The Time Limit is not applicable when using this option, but the<br />
Max. Uses/User limit is.<br />
Backup Virtual Digipass – Time Limit<br />
When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting<br />
indicates the number of days for which the Backup Virtual Digipass feature may be used by<br />
a User, once they start using it.<br />
The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set<br />
automatically the first time that the User requests a Backup Virtual Digipass OTP, using the<br />
Time Limit defined in the Policy. Once this date has expired, it requires administrator<br />
intervention either to extend it or to reset it to blank for the next time that the User needs<br />
to use Backup Virtual Digipass.<br />
Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will<br />
have a separate limit for each one.<br />
Backup Virtual Digipass – Max. Uses/User<br />
The maximum number of uses of the Backup Virtual Digipass feature permitted for each<br />
User, if they do not have a specific limit set for them.<br />
If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and<br />
there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set<br />
automatically the first time that the User requests a Backup Virtual Digipass OTP.<br />
Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used<br />
with this Digipass, unless the administrator increases it or resets it to blank.<br />
Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will<br />
have a separate limit for each one.<br />
Backup Virtual Digipass – Request Method<br />
The method by which a User has to request a Backup Virtual Digipass login.<br />
The 'request' is made in the password field during login. The request will be ignored if the<br />
User does not have a Digipass assigned that is activated for the Backup Virtual Digipass<br />
feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Do not use Backup Virtual Digipass.<br />
Keyword Use the Request Keyword. This is permitted to be blank.<br />
Password Use the static password.<br />
KeywordPassword Use the Request Keyword followed by the static password. No<br />
separator characters or whitespace should be between them.<br />
PasswordKeyword Use the static password followed by the Request Keyword. No<br />
separator characters or whitespace should be between them.<br />
Backup Virtual Digipass – Request Keyword<br />
Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a<br />
method using a Keyword is selected in the Request Method. This is permitted to be blank.<br />
Identification Time Window<br />
Controls the maximum number of time steps' variation allowable between a Digipass and<br />
the authentication server during login. This only applies to time-based Response Only and<br />
Challenge/Response Applications.<br />
The Dynamic Time Window option may be used to allow more variation according to the<br />
length of time since the last successful login.<br />
If this setting is not specified at all, there is an inbuilt default value of 20.<br />
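The Request Method and Request Keyword settings (2-step Challenge/Response, Primary Virtual Digipass and Backup Virtual Digipass all use the same five options) and the Serial No. Separator all turn the password field into a request. The following added Python example (not VACMAN Middleware code) shows that recognition step; the layout "serial number, separator, remainder" for a Self-Assignment login and the alphanumeric serial-number check are assumptions, as is comparing against the cleartext static password rather than a stored hash:<br />

```python
import hmac
from enum import Enum
from typing import Optional, Tuple

# Added example, not VACMAN Middleware code: recognising a feature request
# in the password field, and extracting a Serial Number for Self-Assignment.


class RequestMethod(Enum):
    NONE = "None"
    KEYWORD = "Keyword"
    PASSWORD = "Password"
    KEYWORD_PASSWORD = "KeywordPassword"
    PASSWORD_KEYWORD = "PasswordKeyword"


def is_request(password_field: str, method: RequestMethod, keyword: str,
               static_password: str, has_capable_digipass: bool) -> bool:
    """True when the password field is a request for the feature configured with `method`.
    The Keyword may be blank. A request is ignored when the User has no Digipass
    capable of the feature (no C/R Application, no Primary or Backup Virtual Digipass)."""
    if method == RequestMethod.NONE or not has_capable_digipass:
        return False
    expected = {
        RequestMethod.KEYWORD: keyword,
        RequestMethod.PASSWORD: static_password,
        # No separator characters or whitespace between the two parts.
        RequestMethod.KEYWORD_PASSWORD: keyword + static_password,
        RequestMethod.PASSWORD_KEYWORD: static_password + keyword,
    }[method]
    # Constant-time comparison, since the expected value may contain the static password.
    return hmac.compare_digest(password_field.encode(), expected.encode())


def parse_self_assignment(password_field: str, separator: str) -> Optional[Tuple[str, str]]:
    """Recognise a Self-Assignment attempt and extract the Serial Number.
    Assumed layout: <serial number><separator><OTP and static password>.
    Returns (serial_number, remainder), or None when this is not a Self-Assignment."""
    if not separator or separator not in password_field:
        return None
    serial, remainder = password_field.split(separator, 1)
    if not serial.isalnum():     # assumption: Serial Numbers are alphanumeric
        return None
    return serial, remainder
```

Note that with the Keyword method and a blank Keyword, an empty password field is itself the request, which is why the table stresses that the request is ignored for Users without a capable Digipass.<br />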
Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and<br />
the authentication server during Digital Signature verification. This only applies to time-based<br />
Signature Applications.<br />
If this setting is not specified at all, there is an inbuilt default value of 24.<br />
Signature Applications are not currently used in RADIUS environments.<br />
Initial Time Window Controls the maximum time variation allowed between a Digipass and the<br />
authentication server the first time that the Digipass is used. The time is specified in hours.<br />
This Initial Time Window is also used directly after a Reset Application operation, which<br />
can be used if it appears that the internal clock in the Digipass has drifted too much since<br />
the last successful login.<br />
This only applies to time-based Applications.<br />
In either case, after the first successful login, the Initial Time Window is no longer active.<br />
If this setting is not specified at all, there is an inbuilt default value of 6.<br />
Event Window Controls the maximum number of events' variation allowable between a Digipass and the<br />
authentication server during login that uses an event-based Application.<br />
If this setting is not specified at all, there is an inbuilt default value of 20.<br />
Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the<br />
Digipass Application is locked from future authentication attempts.<br />
This locking mechanism is separate from the User Lock Threshold and is normally not<br />
necessary. It only applies when a single Digipass Application can be used for a login, either<br />
because the User only has one Digipass with one Application, or because the Policy<br />
restrictions narrow the list down to one Digipass Application. If Policy restrictions are used<br />
in this way, the Identification Threshold can be used to lock a User out of one kind of login<br />
(eg. a VPN) while still permitting them to use another kind (eg. Wireless).<br />
If this setting is not specified at all, this feature is not used.<br />
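The User Lock Threshold entry earlier in this table and the Identification Threshold just described are two separate counters. The added Python example below (not VACMAN Middleware code) models both; the outcome names, the rule that a static-password failure counts only towards the User lock, and the data classes are assumptions for the illustration:<br />

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not VACMAN Middleware code: the User Lock Threshold (per account)
# and the Identification Threshold (per Digipass Application) as separate counters.


@dataclass
class UserAccount:
    userid: str
    disabled: bool = False
    locked: bool = False
    consecutive_failures: int = 0


@dataclass
class DigipassApplication:
    name: str
    locked: bool = False
    consecutive_failures: int = 0


# Failures that count towards the User Lock Threshold, and those that do not
# (an incorrect UserId or a Disabled account never increments the counter).
COUNTED = {"bad_otp", "bad_password"}
NOT_COUNTED = {"unknown_user", "disabled"}


def record_attempt(account: Optional[UserAccount], app: Optional[DigipassApplication],
                   outcome: str, user_lock_threshold: Optional[int],
                   identification_threshold: Optional[int]) -> str:
    """Update the lock counters after one login attempt and return the resulting state.
    `app` is passed only when exactly one Digipass Application could have served the
    login (one Digipass with one Application, or Policy restrictions narrowing it to one),
    because that is the only case in which the Identification Threshold applies."""
    if account is None or outcome in NOT_COUNTED:
        return "not counted"
    if account.locked:
        return "user locked"           # stays locked until an administrator unlocks it
    if outcome == "success":
        account.consecutive_failures = 0
        if app is not None:
            app.consecutive_failures = 0
        return "success"
    if outcome not in COUNTED:
        raise ValueError(f"unknown outcome {outcome!r}")
    account.consecutive_failures += 1
    if user_lock_threshold and account.consecutive_failures >= user_lock_threshold:
        account.locked = True          # e.g. threshold 3: locked on the third failure
        return "user locked"
    # Identification Threshold: assumed to count OTP failures only, and only when a
    # single Application applies. Locks that Application, not the User account.
    if outcome == "bad_otp" and app is not None and identification_threshold:
        app.consecutive_failures += 1
        if app.consecutive_failures >= identification_threshold:
            app.locked = True
            return "application locked"
    return "failed"
```

Because the Application counter is separate, a Policy that narrows logins to one Application (the VPN example in the table) can lock that Application without locking the account used elsewhere.<br />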
Signature Threshold Specifies the number of consecutive failed Digital Signature authentication attempts allowed<br />
before the Digipass Application is set to be locked from future authentication attempts.<br />
If this setting is not specified at all, this feature is not used.<br />
Signature Applications are not currently used in RADIUS environments.<br />
Max. Days Since Last Use<br />
This setting specifies the maximum number of days for which a Digipass Application can go<br />
unused for authentication. After this limit, authentication will be rejected until an<br />
administrator performs a Reset Application operation.<br />
If this setting is not specified at all, this feature is not used.<br />
Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication.<br />
The value 1 should be used for standard RADIUS challenge/response. This is the inbuilt<br />
default value if the setting is not specified at all.<br />
Options:<br />
0 No check is made. This is necessary for 1-step<br />
Challenge/Response.<br />
1 The challenge presented for verification must be the last one that<br />
was generated specifically for that Digipass. This is the normal mode<br />
of operation in 2-step Challenge/Response.<br />
2 The challenge presented for verification is ignored; the last one that<br />
was generated specifically for that Digipass is used. This is rarely<br />
applicable.<br />
3 Only one verification is permitted per time step. This option only<br />
applies to time-based Challenge/Response. This is a method of<br />
avoiding a potential replay of a captured response if the same<br />
challenge comes up again in the same time step.<br />
4 If the same challenge and response are presented for verification<br />
twice in a row during the same time step, they are rejected. This is<br />
an advanced method of avoiding a potential replay of a captured<br />
challenge/response.<br />
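The Identification Time Window, Initial Time Window and the five Challenge Check Modes all act on the same verification step. The added Python example below (not VACMAN Middleware code, and not the Digipass algorithm) uses an HMAC-SHA1 truncation as a stand-in OTP function so that the window arithmetic and the replay guards of modes 3 and 4 can be exercised; the step length, the secret and the serial numbers are constructed values, and treating each mode as exclusive of the others is an assumption:<br />

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Added example, not VACMAN Middleware code. The OTP function below is a stand-in
# for the proprietary Digipass algorithm; only the window and check-mode logic is
# the subject of the example.


def otp_for_step(secret: bytes, step: int, challenge: str = "", digits: int = 6) -> str:
    """Stand-in OTP: HMAC over the time step (plus the challenge for Challenge/Response)."""
    mac = hmac.new(secret, struct.pack(">Q", step) + challenge.encode(), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def window_steps(identification_window: int, first_use: bool,
                 initial_window_hours: int, step_seconds: int) -> int:
    """Time steps of drift accepted on either side of the server's own time step.
    Before the first successful login (or after Reset Application) the Initial Time
    Window, given in hours, replaces the Identification Time Window (given in steps)."""
    if first_use:
        return initial_window_hours * 3600 // step_seconds
    return identification_window


def verify_time_otp(secret: bytes, candidate: str, server_step: int, window: int,
                    challenge: str = "") -> Optional[int]:
    """Return the time step that produced `candidate`, or None if none within the window."""
    for step in range(server_step - window, server_step + window + 1):
        if hmac.compare_digest(otp_for_step(secret, step, challenge), candidate):
            return step
    return None


class ChallengeCheck:
    """Challenge Check Modes 0-4 as a gate applied before the response is verified."""

    def __init__(self, mode: int):
        self.mode = mode
        self.last_generated: Dict[str, str] = {}              # serial -> last challenge issued
        self.last_step: Dict[str, int] = {}                   # mode 3: serial -> step already used
        self.last_pair: Dict[str, Tuple[str, str, int]] = {}  # mode 4: serial -> (chal, resp, step)

    def generate(self, serial: str, challenge: str) -> None:
        """Record the challenge the server generated for this Digipass."""
        self.last_generated[serial] = challenge

    def gate(self, serial: str, challenge: str, response: str, step: int) -> Tuple[bool, str]:
        """Return (allowed, challenge_to_verify_against)."""
        if self.mode == 0:      # no check; required for 1-step Challenge/Response
            return True, challenge
        if self.mode == 1:      # must be the last challenge generated for this Digipass
            return challenge == self.last_generated.get(serial), challenge
        if self.mode == 2:      # presented challenge ignored; the last generated one is used
            last = self.last_generated.get(serial)
            return last is not None, last or ""
        if self.mode == 3:      # only one verification per time step
            if self.last_step.get(serial) == step:
                return False, challenge
            self.last_step[serial] = step
            return True, challenge
        if self.mode == 4:      # same challenge and response twice in a row, same step
            if self.last_pair.get(serial) == (challenge, response, step):
                return False, challenge
            self.last_pair[serial] = (challenge, response, step)
            return True, challenge
        raise ValueError("unknown Challenge Check Mode")
```

Mode 3 refuses a second verification in the same time step regardless of the values presented, whereas mode 4 refuses only an exact repeat, which is why the table calls mode 3 the simpler of the two replay defences.<br />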
Online Signature Level This setting is for advanced control of Digital Signature authentication, and is not applicable<br />
currently.<br />
Signature Applications are not currently used in RADIUS environments.<br />
7.6 Component Property Sheet<br />
Note<br />
Changes to Component settings will not take effect immediately. They will take<br />
effect when the Authentication Server is restarted, once the Component change<br />
is available to the Authentication Server in the data store. Alternatively, if there<br />
is no restart, the cache of Component settings will refresh from the data store<br />
after approximately every 15 minutes.<br />
Table 35: Component Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
Description<br />
Component Type The type of Component represented by the record.<br />
Options:<br />
Authentication Server<br />
RADIUS Client<br />
Citrix Web Interface<br />
Outlook Web Access<br />
IAS Plug-In<br />
SBR Plug-In<br />
<strong>Administration</strong> Interface<br />
IIS Module 2.x<br />
Location The IP address or name of the machine represented by the record. For a Plug-In, it must be<br />
the licensed IP address; for a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier<br />
value sent in the RADIUS requests.<br />
A RADIUS Client whose Location is default can be used to accept RADIUS requests from all IP<br />
addresses, using the same Shared Secret. However, where a RADIUS Client record with the<br />
exact Location exists, its Shared Secret will be used in preference to the default RADIUS<br />
Client's Shared Secret.<br />
Policy The name of the Policy that should be used for authentication requests from the Component.<br />
Shared Secret The RADIUS Shared Secret for the Component.<br />
Created On The date and time that the Component was created. Read-only.<br />
Last Modified On The date and time that the Component was last modified. Read-only.<br />
7.7 Back-End Server Property Sheet<br />
Note<br />
If Active Directory is used as the data store: Changes to Back-End Server<br />
settings will not take effect immediately. They will take effect when the<br />
Authentication Server is restarted, once the Back-End Server change is<br />
available to the Authentication Server in the data store. Alternatively, if there is<br />
no restart, the cache of Back-End Server settings will refresh from the data<br />
store after approximately every 15 minutes.<br />
Table 36: Back-End Server Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interfaces<br />
Description<br />
Protocol Back-End Authentication Protocol.<br />
Options:<br />
RADIUS<br />
Domain This field provides the ability to assign particular Back-End Servers to a given Domain.<br />
Priority The priority in the case that there are multiple Back-End Servers. The highest priority<br />
server is tried first, then the next highest, etc.<br />
Authentication IP IP Address on which the RADIUS Server receives authentication requests.<br />
Authentication Port UDP Port on which the RADIUS Server receives authentication requests.<br />
Accounting IP IP Address on which the RADIUS Server receives accounting requests.<br />
Accounting Port UDP Port on which the RADIUS Server receives accounting requests.<br />
Shared Secret Shared secret between <strong>VACMAN</strong> <strong>Middleware</strong> and the RADIUS Server.<br />
Confirm Shared Secret Allows confirmation of a new shared secret.<br />
Timeout Number of seconds to wait for a response from the RADIUS Server before either<br />
retrying or trying another RADIUS Server.<br />
No. of Retries Number of times to retry if no response is received from the RADIUS Server.<br />
Created On Date/time of creation.<br />
Last Modified On Date/time of last modification.<br />
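How the Domain, Priority, Timeout and No. of Retries fields combine when more than one Back-End Server is defined, as an added Python example (not VACMAN Middleware code). Assumptions: a Back-End Server with no Domain serves every Domain, a larger Priority number is tried first, and `send` is a stand-in for the RADIUS exchange that returns True for Access-Accept, False for Access-Reject, or None when nothing arrives within the Timeout:<br />

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not VACMAN Middleware code: Back-End Server selection, retry
# and failover order. The RADIUS exchange itself is injected as `send`.


@dataclass(frozen=True)
class BackEndServer:
    authentication_ip: str
    authentication_port: int
    priority: int            # assumption: larger number = higher priority, tried first
    timeout: float           # seconds to wait for a response before retrying or moving on
    retries: int             # additional attempts after the first if no response
    domain: Optional[str] = None   # assumption: None means the server serves all Domains


# Returns True (Access-Accept), False (Access-Reject) or None (no response in time).
Send = Callable[[BackEndServer, float], Optional[bool]]


def servers_for_domain(servers: List[BackEndServer], domain: str) -> List[BackEndServer]:
    """Servers assigned to the User's Domain (or to none), highest Priority first."""
    eligible = [s for s in servers if s.domain is None or s.domain.lower() == domain.lower()]
    return sorted(eligible, key=lambda s: s.priority, reverse=True)


def back_end_authenticate(servers: List[BackEndServer], domain: str,
                          send: Send) -> Tuple[Optional[bool], List[str]]:
    """Try each eligible server in priority order. Only a timeout is retried; an
    Access-Accept or Access-Reject is final. Returns (result, attempt log)."""
    log: List[str] = []
    for server in servers_for_domain(servers, domain):
        for attempt in range(1 + server.retries):
            result = send(server, server.timeout)
            outcome = {True: "accept", False: "reject", None: "timeout"}[result]
            log.append(f"{server.authentication_ip}:{server.authentication_port} "
                       f"attempt {attempt + 1}: {outcome}")
            if result is not None:
                return result, log
    return None, log   # every eligible server timed out
```

With a Timeout of 3 seconds and 2 retries, an unreachable highest-priority server delays every login by 9 seconds before the next server is tried, which is the trade-off the two fields set.<br />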
7.8 Domain Property Sheet<br />
This property sheet is required if the data store used by the Authentication Server is an ODBC<br />
or embedded database.<br />
Note<br />
If you have multiple Domains and use the simple user@domain format to log in<br />
(NOT Windows User Name Resolution), Domain names are cached in the<br />
Authentication Server to avoid repeated database lookups.<br />
Therefore, creation and deletion of Domains will not take effect immediately for<br />
this purpose. They will take effect when the Authentication Server is restarted,<br />
once the Domain change is available to the Authentication Server in the data<br />
store. Alternatively, if there is no restart, the cache of Domain settings will<br />
refresh from the data store after approximately every 15 minutes.<br />
Table 37: Domain Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interface<br />
Description<br />
Description Any descriptive text and notes.<br />
Created On The date and time that the record was created. Read-only.<br />
Last Modified On The date and time that the record was last modified. Read-only.<br />
7.9 Organizational Unit Property Sheet<br />
This property sheet is required if the data store used by the Authentication Server is an ODBC<br />
database.<br />
Table 38: Organizational Unit Fields<br />
Field Name in<br />
<strong>Administration</strong><br />
Interface<br />
Description<br />
Domain The domain to which the Organizational Unit belongs.<br />
Read-only after creation.<br />
Description A short description for the Organizational Unit.<br />
Inherits from<br />
Organizational Unit<br />
The parent Organizational Unit.<br />
This is used to define a hierarchy of Organizational Units.<br />
Read-only after creation.<br />
Created On The date and time that the record was created.<br />
Read-only.<br />
Last Modified On The date and time that the record was last modified.<br />
Read-only.<br />
7.10 Data Changes Requiring a Restart<br />
7.10.1 Changes to the Data Store<br />
7.10.1.1 ODBC or Embedded Database<br />
If the data store used by the Authentication Server is an ODBC or embedded database, no<br />
data changes made in the <strong>Administration</strong> MMC Interface or Digipass TCL Command-Line<br />
<strong>Administration</strong> require a restart of the Authentication Server to take effect straight away. As<br />
this administration is carried out through the Authentication Server, the Authentication Server<br />
can immediately update any cached data.<br />
In addition, when multiple Authentication Servers are replicating database changes to each<br />
other, they update their cached data when changes are replicated.<br />
In the following cases, however, the modifications listed in the Cached Data List topic below<br />
will not take effect until the Authentication Server is restarted, or until the caches re-load<br />
the data automatically:<br />
Multiple Authentication Servers are sharing a database. In this case, only the<br />
Authentication Server with which the data change is made will update its caches.<br />
Direct modifications to the database, for example with an SQL tool or using the VASCO<br />
Data Migration Tool.<br />
Note that direct modifications to the database are not replicated to any other Authentication<br />
Servers – the same modifications must be made to each Authentication Server's database (or<br />
the whole database re-copied).<br />
Where multiple Authentication Servers are in use, with multiple databases, user-configured<br />
synchronization between the databases must be considered. An Authentication Server will not<br />
know about a data change made in another Authentication Server's database until that change<br />
has been copied to its own database.<br />
Example<br />
Authentication Server 1 is using Database 1 (Db1);<br />
Authentication Server 2 is using Database 2 (Db2);<br />
A data change is made on Db1, via the <strong>Administration</strong> MMC Interface.<br />
Authentication Server 1 will see the change as soon as it is restarted;<br />
Authentication Server 2 will see the change at the first restart after database synchronization<br />
has transferred the change to Db2.<br />
7.10.1.2 Active Directory<br />
If the data store is Active Directory, all modifications listed in the Cached Data List topic<br />
below will not take effect until the Authentication Server is restarted, or until the caches reload<br />
the data automatically.<br />
In addition, it is necessary for Active Directory replication to make the modification available to<br />
the Authentication Server, if there is more than one Domain Controller used by the<br />
Authentication Servers. For example:<br />
Example<br />
Authentication Server 1 is connected to Domain Controller 1 (DC1);<br />
Authentication Server 2 is connected to Domain Controller 2 (DC2);<br />
A data change is made on DC1;<br />
Authentication Server 1 will see the change as soon as it is restarted;<br />
Authentication Server 2 will see the change at the first restart after Active Directory<br />
replication has transferred the change to DC2.<br />
You must also remember that when the Authentication Server starts up, it tries to locate an<br />
available Domain Controller, and may not choose the same one again. In the above example, if<br />
both Domain Controllers are local to Authentication Server 2, DC1 may be chosen by<br />
Authentication Server 2 when it is restarted.<br />
Wider issues related to Active Directory replication are explained in 2.4 Active Directory<br />
Replication Issues.<br />
7.10.1.3 Automatic Re-Loading of Cached Data<br />
In the Authentication Server, all cached data is periodically re-loaded from the data store. This<br />
time period, around 15 minutes, is tracked for each entry separately. Therefore, even without<br />
a restart, data changes will typically take effect within a matter of minutes (unless Active<br />
Directory replication slows the process down).<br />
7.10.1.4 Cached Data List<br />
The following data modifications relate to cached data:<br />
Creation, editing and deletion of Policy records<br />
Creation, editing and deletion of Component records<br />
Creation, editing and deletion of Back-End Server records<br />
For ODBC and embedded databases: Creation, editing and deletion of Domain records<br />
For Active Directory: Digipass Application updates resulting from OTP verification, PIN<br />
changes and certain administrative actions such as resetting the PIN – see 2.4.4.1<br />
Digipass Cache for more information on the Digipass Cache.<br />
7.10.2 Changes to Configuration Settings<br />
Configuration settings are modified using the Authentication Server Configuration GUI, or<br />
can be modified directly in the XML file (see 11 Configuration Settings).<br />
All configuration settings require a restart. The Authentication Server Configuration GUI<br />
automatically prompts to restart the Service upon exiting. However, if you modify the file<br />
directly, you will need to restart the Digipass Authentication Server Service using the Windows<br />
Service Control Manager.<br />
Each Authentication Server has separate configuration settings. Changes to settings for one<br />
Authentication Server will not be automatically applied to other Authentication Servers.<br />
Advanced Settings for ODBC and embedded databases<br />
The settings edited using Configure Advanced Settings on the ODBC<br />
Connection tab are not replicated to other Authentication Servers. Normally<br />
these settings should be the same on all Authentication Servers, so you need<br />
to make sure they are applied to each one.<br />
As they are stored in the database itself, if you copy a database from one<br />
Authentication Server to another, these settings will be copied also.<br />
8 Licensing<br />
8.1 How is Licensing Handled?<br />
VASCO products are licensed per Component record in the data store. The licensing relies upon<br />
a License Key which is checked when the Authentication Server starts. This License Key is tied<br />
to the location (IP address) where the Authentication Server is installed, and stored in the<br />
Component record for the Authentication Server.<br />
The Authentication Server will not authenticate a user without a correct License Key, except to<br />
permit administration.<br />
Client modules – such as the IIS 6 Module for Citrix Web Interface – also require a License Key<br />
to be loaded into their Component record. The Authentication Servers to which they connect<br />
will otherwise reject all authentication requests from them.<br />
License Keys may contain a limit to the number of Digipass that may be used. This limit is<br />
controlled by preventing the import of Digipass if it would exceed the limit in the License Key.<br />
In addition, a Digipass-limited License Key will not permit Active Directory to be used as the<br />
Authentication Server data store.<br />
Evaluation Licenses<br />
An evaluation license means that you can use its full functionality until the evaluation period<br />
runs out. At the end of this period, you will need to either uninstall the product or buy a<br />
permanent license. Contact your distributor or the appropriate VASCO Reseller representative<br />
to acquire the licences you will need. For your convenience, the evaluation serial number is<br />
embedded in the installation program. You will still need to obtain and load a license key.<br />
Client module licenses can also be evaluation (time-limited) licenses.<br />
8.2 Licensing Parameters<br />
Table 39: License Parameters for <strong>VACMAN</strong> <strong>Middleware</strong><br />
Parameter Value<br />
Product The name of the VASCO product, eg. <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Component The type of Component licensed, eg. Authentication Server.<br />
Version Current version number of the licensed VASCO product.<br />
Location The IP address for the machine represented by the Component record.<br />
Company The name of your company.<br />
Username Your name.<br />
SerialNo The serial number for the VASCO product.<br />
DPLimit The maximum number of Digipass that may be imported. This parameter may or may not be<br />
present. If this parameter is present, you cannot use Active Directory as a data store.<br />
Generated The date and time that the license file was generated.<br />
Expires Used for evaluation license only – expiry date.<br />
Signature Encrypted combination of the above parameters.<br />
8.2.1 Sample License File<br />
----- VASCO PRODUCT LICENCE -----<br />
Product=VACMAN Middleware<br />
Component=Authentication Server<br />
Version=1.0<br />
Expires=2005/06/19 02:40:32 GMT<br />
Location=test.vasco.com<br />
Company=VASCO Data Security<br />
Username=Mr Demo User<br />
SerialNo=0A2B4C6D8E<br />
Generated=2005/05/20 02:40:32 GMT<br />
----- SIGNATURE -----<br />
3:302C02147A487891E0745D<br />
6866E0Af8DDB7D6AF092BFCD<br />
27021474601702DbFCE5B500<br />
D76354022F0489DB159B62<br />
----- END LICENCE -----<br />
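The following is an added example, not code from VASCO or from this reference: a parser for the licence file layout shown above, followed by the checks that 8.1 and Table 39 describe (mandatory parameters, Location matching the Component record, Expires for evaluation licences, and DPLimit ruling out Active Directory). The signature scheme is not documented on the page, so the signature block is only re-joined from its wrapped lines and is not verified here; the sample file embedded below is the one printed in 8.2.1.

```python
# Added example (not VASCO's code): parse a licence file of the form shown in
# 8.2.1 and run the checks described in 8.1 / Table 39. The signature scheme is
# not documented, so the signature is carried through opaquely, NOT verified.
from datetime import datetime, timezone

# The sample licence file printed in 8.2.1, embedded here as test input.
SAMPLE_LICENCE = """\
----- VASCO PRODUCT LICENCE -----
Product=VACMAN Middleware
Component=Authentication Server
Version=1.0
Expires=2005/06/19 02:40:32 GMT
Location=test.vasco.com
Company=VASCO Data Security
Username=Mr Demo User
SerialNo=0A2B4C6D8E
Generated=2005/05/20 02:40:32 GMT
----- SIGNATURE -----
3:302C02147A487891E0745D
6866E0Af8DDB7D6AF092BFCD
27021474601702DbFCE5B500
D76354022F0489DB159B62
----- END LICENCE -----
"""

HEADER = "----- VASCO PRODUCT LICENCE -----"
SIG_MARKER = "----- SIGNATURE -----"
FOOTER = "----- END LICENCE -----"
# Parameters every licence in Table 39 carries; DPLimit and Expires are optional.
MANDATORY = ("Product", "Component", "Version", "Location", "Company",
             "Username", "SerialNo", "Generated")


def parse_licence(text):
    """Return (parameters dict, signature string) for a licence file.

    Raises ValueError if the delimiter lines are missing or out of order,
    or if a parameter line is not Key=Value.
    """
    params, signature, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == HEADER:
            section = "params"
        elif line == SIG_MARKER:
            if section != "params":
                raise ValueError("signature marker before licence header")
            section = "signature"
        elif line == FOOTER:
            if section != "signature":
                raise ValueError("end marker before signature")
            section = "done"
        elif section == "params":
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed parameter line: {line!r}")
            params[key.strip()] = value.strip()
        elif section == "signature":
            signature.append(line)        # wrapped lines are joined back together
        else:
            raise ValueError(f"unexpected text outside licence: {line!r}")
    if section != "done":
        raise ValueError("licence file is incomplete")
    return params, "".join(signature)


def parse_timestamp(value):
    """Timestamps in the file look like '2005/06/19 02:40:32 GMT'."""
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def check_licence(params, now, expected_location, data_store):
    """Return a list of problems (empty if the licence looks usable).

    expected_location is the Location stored in the Component record;
    data_store is e.g. 'ODBC', 'Embedded' or 'Active Directory'.
    """
    problems = [f"missing parameter {k}" for k in MANDATORY if k not in params]
    if params.get("Location") != expected_location:
        problems.append(f"Location {params.get('Location')!r} does not match "
                        f"Component record {expected_location!r}")
    if "Expires" in params:                       # only evaluation licences expire
        if parse_timestamp(params["Expires"]) <= now:
            problems.append(f"evaluation licence expired on {params['Expires']}")
    if "DPLimit" in params and data_store == "Active Directory":
        problems.append("DPLimit present: a Digipass-limited licence cannot use "
                        "Active Directory as the data store")
    return problems
```

The checker deliberately reports every problem rather than stopping at the first, which is what an operator wants when diagnosing a licence that the Authentication Server rejects at startup.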
8.3 View License Information<br />
To view the license information for a specific Component:<br />
1. Open the <strong>Administration</strong> MMC Interface.<br />
2. Click on the Components node.<br />
The Component List will be displayed in the Result pane.<br />
3. Double-click on the required Component record.<br />
The Component property sheet will be displayed.<br />
4. Click on the License Key Details... button.<br />
The License Key Details window will be displayed.<br />
8.4 Obtain and Load a License Key<br />
Note<br />
An active internet connection is required to obtain a License Key.<br />
1. Open the <strong>Administration</strong> MMC Interface.<br />
2. Click on the Components node.<br />
The Component List will be displayed in the Result pane.<br />
3. Double-click on the required Component record.<br />
The Component property sheet will be displayed.<br />
4. Click on the License Key Details... button.<br />
The License Key Details window will be displayed.<br />
5. Click on the Request License Key... button.<br />
A browser window will be opened, with the VASCO Licensing site loaded. Any required<br />
information which the Authentication Server has will be entered as the site is loaded.<br />
6. Enter any other required information in the browser window.<br />
7. Click on the Request License Key button in the browser window.<br />
A download of your license key file should begin. Keep note of where you save the<br />
file, and its name.<br />
8. Once the download is complete, go back to the <strong>Administration</strong> MMC Interface and the<br />
License Key Details window.<br />
9. Click on the Load License Key... button.<br />
10. Browse to the download location and select the license key file.<br />
11. Click on Open.<br />
A message window will display the success or failure of loading the license key into the<br />
data store.<br />
8.5 Change IP Address<br />
Before you start, find your VASCO product Maintenance ID and Serial Number. Check with<br />
your supplier that your Serial Number will be allowed to license a new IP address.<br />
Note - ODBC Databases<br />
This process assumes that you have not yet changed the IP address of the<br />
machine. The IP address should be changed during the steps below. If you<br />
have already changed the IP address, see 8.5.1 IP Address Already<br />
Changed.<br />
To change the Authentication Server IP address:<br />
1. In the <strong>Administration</strong> MMC Interface, view the list of Component records.<br />
2. Note down the Policy shown for the Authentication Server Component record for the<br />
previous IP address.<br />
3. Create a new Authentication Server Component record, using the new IP address as the<br />
Location. Make sure the same Policy that was noted in the previous step is selected<br />
in the new Component record.<br />
4. Right-click on the new Component record and select the License Key Details... option.<br />
5. Click on the Request License Key button. This will take you to the VASCO licensing<br />
web page. Fill in the required information and download a License Key file.<br />
6. Click on the Load License Key button and load the License Key from the file that was<br />
just downloaded.<br />
7. Exit the <strong>Administration</strong> MMC Interface.<br />
8. Change the IP address of the machine and perform any other administrative actions<br />
required such as restarting the machine and reconfiguring other applications.<br />
9. Open Authentication Server Configuration and modify the Component Location<br />
field on the first tab to the new IP address.<br />
10. Click OK to save the change and exit. You will be prompted to restart the Service –<br />
click Yes.<br />
11. View the startup audit messages to see that there were no problems starting up.<br />
12. The following steps are only necessary for an ODBC or embedded database:<br />
a. In the <strong>Administration</strong> MMC Interface, right-click on the Authentication Server<br />
node in the tree pane for the machine that has changed IP address, and select<br />
Properties.<br />
b. Modify the Server IP Address to the new IP address. If the Connect from IP<br />
Address has the old IP address in it, change that to the new IP address also. Click<br />
OK to save the changes.<br />
c. Exit the <strong>Administration</strong> MMC Interface. If you are prompted whether to save<br />
console settings, make sure that you click Yes.<br />
13. If the Audit Viewer is on the machine:<br />
a. Open the Audit Viewer and expand the Authentication Server node in the tree<br />
pane.<br />
b. Right-click on the Local Server node and select Properties. Modify the Server<br />
Location to the new IP address.<br />
c. Click OK to save the change and exit the Audit Viewer.<br />
14. Reconfigure the authentication clients (RADIUS Clients and/or IIS Modules) to use the<br />
new IP address.<br />
15. Test that authentication works with the new IP address and Component record.<br />
16. Once everything is working, delete the old Component record.<br />
17. For an ODBC or embedded database, if Digipass TCL Command-Line<br />
<strong>Administration</strong> is used on the machine:<br />
a. Edit the configuration file \Bin\dpadmincmd.xml in a text editor.<br />
b. Modify the VASCO -> AAL3 -> SEAL -> Connection-List -> Connection00<br />
->Address entry to the new IP address.<br />
c. If the VASCO -> AAL3 -> SEAL -> Local-Address entry contains the old IP<br />
address, modify it to the new IP address.<br />
d. Save the file and exit the editor.<br />
18. If any other Authentication Servers are set up to replicate data changes to this<br />
Authentication Server, modify their configuration as follows. For each Authentication<br />
Server:<br />
a. Open Authentication Server Configuration and change to the Replication tab.<br />
b. Click on the row in the Destination Servers list that corresponds to the server<br />
that has changed IP address. Click the Edit... button.<br />
c. Modify the Server Location to the new IP address and click OK.<br />
d. Click OK to save the change and exit. You will be prompted to restart the Service –<br />
click Yes.<br />
19. For an ODBC or embedded database, if the <strong>Administration</strong> MMC Interface or<br />
Digipass TCL Command-Line <strong>Administration</strong> on any other machine is configured<br />
to connect to the Authentication Server that has changed IP address, follow the same<br />
process that was carried out on the Authentication Server machine to re-configure the<br />
IP address.<br />
20. If the Audit Viewer on any other machine is configured to connect to the<br />
Authentication Server that has changed IP address, follow the same process that was<br />
carried out on the Authentication Server machine to re-configure the IP address.<br />
8.5.1 IP Address Already Changed<br />
If <strong>VACMAN</strong> <strong>Middleware</strong> is using an ODBC database (including the embedded PostgreSQL<br />
database) and you changed IP before following the procedure above, follow these steps<br />
instead:<br />
Note<br />
See 3.8.5 Rescue Authentication Server Component for more information<br />
on using the dpdbadmin rescueserver command.<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpdbadmin rescueserver -location "" -policy ""<br />
3. If a Component record of type Authentication Server and the entered IP address does<br />
not already exist, you will be prompted to create the Component record. Enter Y to<br />
create the record, or N to exit.<br />
4. If a Policy with the entered Policy ID does not currently exist, you will be prompted to<br />
create it. Enter Y to create the record, or N to exit.<br />
5. Enter N to exit, as restarting the Digipass Authentication Server service now will fail.<br />
6. Open Authentication Server Configuration and modify the Component Location<br />
field on the first tab to the new IP address.<br />
7. Click OK to save the change and exit. You will be prompted to restart the Service –<br />
click Yes.<br />
8. View the startup audit messages to see that there were no problems starting up.<br />
9. Open the <strong>Administration</strong> MMC Interface.<br />
10. In the <strong>Administration</strong> MMC Interface, right-click on the Authentication Server node<br />
in the tree pane for the machine that has changed IP address, and select Properties.<br />
11. Modify the Server IP Address to the new IP address. If the Connect from IP<br />
Address has the old IP address in it, change that to the new IP address also. Click OK<br />
to save the changes.<br />
12. View the list of Component records.<br />
13. If you need to change the Policy for the new Authentication Server Component<br />
created by the rescueserver command:<br />
a. Note down the Policy shown for the old Authentication Server Component record<br />
for the previous IP address.<br />
14. Double-click on the new Authentication Server Component record.<br />
15. If needed, modify the Policy to the one used by the old Authentication Server<br />
Component.<br />
16. Click on the License Key Details... button.<br />
17. Click on the Request License Key button. This will take you to the VASCO licensing<br />
web page. Fill in the required information and download a License Key file.<br />
18. Click on the Load License Key button and load the License Key from the file that was<br />
just downloaded.<br />
19. If you created an emergency administration Policy, it is recommended that you delete<br />
it now.<br />
20. Exit the <strong>Administration</strong> MMC Interface.<br />
21. If the Audit Viewer is on the machine:<br />
a. Open the Audit Viewer and expand the Authentication Server node in the tree<br />
pane.<br />
b. Right-click on the Local Server node and select Properties. Modify the Server<br />
Location to the new IP address.<br />
c. Click OK to save the change and exit the Audit Viewer.<br />
22. Reconfigure the authentication clients (RADIUS Clients and/or IIS Modules) to use the<br />
new IP address.<br />
23. Test that authentication works with the new IP address and Component record.<br />
24. Once everything is working, delete the old Component record.<br />
25. For an ODBC or embedded database, if Digipass TCL Command-Line<br />
<strong>Administration</strong> is used on the machine:<br />
a. Edit the configuration file \Bin\dpadmincmd.xml in a text editor.<br />
b. Modify the VASCO -> AAL3 -> SEAL -> Connection-List -> Connection00<br />
->Address entry to the new IP address.<br />
c. If the VASCO -> AAL3 -> SEAL -> Local-Address entry contains the old IP<br />
address, modify it to the new IP address.<br />
d. Save the file and exit the editor.<br />
26. If any other Authentication Servers are set up to replicate data changes to this<br />
Authentication Server, modify their configuration as follows. For each Authentication<br />
Server:<br />
a. Open Authentication Server Configuration and change to the Replication tab.<br />
b. Click on the row in the Destination Servers list that corresponds to the server<br />
that has changed IP address. Click the Edit... button.<br />
c. Modify the Server Location to the new IP address and click OK.<br />
d. Click OK to save the change and exit. You will be prompted to restart the Service –<br />
click Yes.<br />
27. For an ODBC or embedded database, if the <strong>Administration</strong> MMC Interface or<br />
Digipass TCL Command-Line <strong>Administration</strong> on any other machine is configured<br />
to connect to the Authentication Server that has changed IP address, follow the same<br />
process that was carried out on the Authentication Server machine to re-configure the<br />
IP address.<br />
28. If the Audit Viewer on any other machine is configured to connect to the<br />
Authentication Server that has changed IP address, follow the same process that was<br />
carried out on the Authentication Server machine to re-configure the IP address.<br />
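Steps 17 a–d and 25 a–d above edit the same two entries of dpadmincmd.xml by hand. The following is an added example, not a VASCO tool, that makes the same edit programmatically: it sets Connection00/Address to the new IP and changes Local-Address only if it still holds the old IP. The element path VASCO -> AAL3 -> SEAL -> Connection-List -> Connection00 -> Address and SEAL -> Local-Address follows the steps; that these are plain nested elements rather than attributes is an assumption, and the sample document below is constructed for the example, not copied from an installation.

```python
# Added example (not a VASCO tool): apply steps 17b/c and 25b/c of the IP change
# procedure to dpadmincmd.xml. The nesting assumed here (elements named as in the
# procedure's path) is an assumption; the sample file is constructed for this example.
import xml.etree.ElementTree as ET

SAMPLE_DPADMINCMD_XML = """\
<VASCO>
  <AAL3>
    <SEAL>
      <Local-Address>10.1.1.20</Local-Address>
      <Connection-List>
        <Connection00>
          <Address>10.1.1.20</Address>
        </Connection00>
      </Connection-List>
    </SEAL>
  </AAL3>
</VASCO>
"""

# Paths relative to the <VASCO> root element.
ADDRESS_PATH = "AAL3/SEAL/Connection-List/Connection00/Address"
LOCAL_ADDRESS_PATH = "AAL3/SEAL/Local-Address"


def update_addresses(xml_text, old_ip, new_ip):
    """Return (updated XML text, list of (entry, old value, new value) changes).

    Step b: Connection00/Address is always set to the new IP.
    Step c: Local-Address is changed only if it still contains the old IP; a
    bind address such as 0.0.0.0 or another interface is left alone.
    """
    root = ET.fromstring(xml_text)
    changes = []

    address = root.find(ADDRESS_PATH)
    if address is None:
        raise ValueError(f"{ADDRESS_PATH} not found in configuration")
    if (address.text or "").strip() != new_ip:
        changes.append(("Address", address.text, new_ip))
        address.text = new_ip

    local = root.find(LOCAL_ADDRESS_PATH)
    if local is not None and (local.text or "").strip() == old_ip:
        changes.append(("Local-Address", local.text, new_ip))
        local.text = new_ip

    return ET.tostring(root, encoding="unicode"), changes


def update_file(path, old_ip, new_ip):
    """Step a/d: read the file, apply the edit, write it back; returns the changes."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changes = update_addresses(text, old_ip, new_ip)
    if changes:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changes
```

Running the function a second time with the same arguments reports no changes, so it is safe to re-run on a machine where the edit was already made by hand.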
9 Web Sites<br />
9.1 Customizing the Web Sites<br />
The User Self Management Web Site and OTP Request Site can be customized by modifying<br />
the pages provided with the installation. You may wish to:<br />
change the colors and graphics to match your corporate colors/logos.<br />
integrate the pages into a larger web site.<br />
translate or customize the text<br />
Any cosmetic part of the web pages may be modified. Completely new web pages may be<br />
used, provided that the correct form fields are posted to the CGI program, and query string<br />
variables are interpreted correctly. Server scripting languages such as PHP or ASP, or any<br />
other way of generating HTML, can be used.<br />
This section provides the instructions and reference material that you require to customize the<br />
site. It is assumed that the reader has some web development knowledge.<br />
9.2 CGI Program<br />
A single CGI script is used for both the User Self Management Web Site and the OTP Request<br />
Site. The functionality provided depends on the Site.<br />
For each function, the CGI program carries out the following actions:<br />
Read and validate the input. This input is gathered from:<br />
Configuration settings from the registry<br />
Form variables posted<br />
Send an authentication request to the Authentication Server (provided that there were<br />
no validation errors) and interpret the response. Requests are sent to the Server using<br />
the RADIUS protocol. The component identifier Self-Mgt Site indicates in the Audit<br />
Console which audit messages relate to requests from the User Self-Management Web<br />
Site or OTP Request Site.<br />
(OTP Request Site only) Send a request to the Message Delivery Component to send an<br />
OTP to the User's mobile phone via text message.<br />
Output the HTML to direct the user to the page that will indicate success or failure, or<br />
display a challenge. This is achieved by returning the HTML for a basic ‘please wait’ page<br />
with a ‘meta-refresh’ instruction to go directly to the appropriate page. The meta-refresh<br />
will happen immediately, but on a slow link you may notice the intermediate page.<br />
The CGI program cannot be customized. Its behaviour is controlled by the configuration<br />
settings and the posted form variables. The configuration settings are listed below; the posted<br />
form variables are specified in the Customizing the Web Site section.<br />
9.2.1 Configuration Settings<br />
Various configuration settings are used by the CGI program to locate the server(s) and to<br />
enable tracing. These can be modified using the Start -> Programs -> VASCO -> <strong>VACMAN</strong><br />
<strong>Middleware</strong> 3 -> User CGI Configuration menu option.<br />
The configuration settings are stored in the Windows Registry, at the path:<br />
HKEY_LOCAL_MACHINE\Software\VASCO\User CGI<br />
Table 40: Configuration Settings for CGI Program<br />
Columns: Name; Type; Value; Default.<br />
Trace-Mask (Number, DWORD): Used to enable internal tracing levels. In general, just use these<br />
values: 0 = no tracing, 3FFFFFFF (hexadecimal) = full tracing. Default: 0<br />
Trace-Header (Number, DWORD): Used to configure tracing. In general, leave with the default<br />
value. Default: 47<br />
Trace-File (String): Full path and filename of output file for internal tracing. NB: the file will be<br />
created if it is missing, but not the directory. Default: (blank)<br />
Source-IP-Address (String): Source IP address to bind to when sending API requests, if any (only<br />
required if there are multiple IP addresses on the machine), eg. 10.9.255.7. Default: (blank)<br />
Server1-IP-Address (String): IP address of primary server, eg. 10.2.255.45. Default: 127.0.0.1<br />
Server1-Port (Number, DWORD): API port of primary server (in general, this should not be<br />
changed from the default). Default: 1812<br />
Server1-Shared-Secret (String): Shared Secret for primary server. Default: (blank)<br />
Server2-IP-Address (String): IP address of backup server, or blank if there is no backup.<br />
Default: (blank)<br />
Server2-Port (Number, DWORD): API port of backup server (in general, this should not be<br />
changed from the default). Default: 1812<br />
Server2-Shared-Secret (String): Shared Secret for backup server. Default: (blank)<br />
Timeout (Number, DWORD): Timeout waiting for each server to respond, in seconds. Default: 5<br />
No-Of-Retries (Number, DWORD): Number of times to retry each server when they time out.<br />
Default: 0<br />
Protocol (String): The only protocol supported currently is RADIUS. Default: RADIUS<br />
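The CGI program's second action in 9.2 is a RADIUS request to the Authentication Server, protected only by the shared secret and the UDP timeout/retry settings in Table 40. The following is an added example, not VASCO's CGI code: it builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, parses the attributes back on the server side, and tries Server1 then Server2 using the Timeout and No-Of-Retries semantics of Table 40. Which RADIUS attributes the real CGI sends is not stated on the page, so the attribute set (User-Name and User-Password only) is an assumption; the config dict keys are the Table 40 names, and the transport is injected so the example runs offline.

```python
# Added example (not VASCO's CGI): RFC 2865 Access-Request construction with
# User-Password hiding, attribute parsing, and primary/backup failover driven by
# a config dict whose keys are the Table 40 setting names. The attribute set is
# an assumption; the real CGI may send more.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with an MD5(secret + previous block) keystream."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                       # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                     # chaining: next keystream depends on this ciphertext
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of obfuscate_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user_id, password, secret, authenticator=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable: it keys the password hiding
    attrs = attribute(ATTR_USER_NAME, user_id.encode("utf-8"))
    attrs += attribute(ATTR_USER_PASSWORD,
                       obfuscate_password(password.encode("utf-8"), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for a RADIUS packet, rejecting inconsistent lengths."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("packet Length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def send_with_failover(user_id, password, config, transport, identifier=0):
    """Try Server1, then Server2 if configured, each 1 + No-Of-Retries times.

    transport(ip, port, packet, timeout_seconds) returns reply bytes or None on
    timeout. Each server gets a packet hidden under its own shared secret.
    Returns (server_ip, reply), or (None, None) if every attempt timed out.
    """
    attempts = 1 + int(config.get("No-Of-Retries", 0))
    timeout = int(config.get("Timeout", 5))
    for prefix in ("Server1", "Server2"):
        ip = config.get(f"{prefix}-IP-Address", "")
        if not ip:                       # blank Server2-IP-Address means no backup
            continue
        port = int(config.get(f"{prefix}-Port", 1812))
        secret = config.get(f"{prefix}-Shared-Secret", "").encode("utf-8")
        packet = build_access_request(identifier, user_id, password, secret)
        for _ in range(attempts):        # retransmit the same packet, as RFC 2865 expects
            reply = transport(ip, port, packet, timeout)
            if reply is not None:
                return ip, reply
    return None, None
```

Two points the code makes concrete: the password hiding is keyed by the shared secret and the per-request authenticator only, which is why a blank Server1-Shared-Secret (the Table 40 default) must be replaced before the site goes live; and with No-Of-Retries at its default of 0 a single lost datagram moves the request straight to the backup server, so the backup must hold the same secret configured for it under Server2-Shared-Secret.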
9.3 Form Fields<br />
9.3.1 User Self Management Web Site<br />
9.3.1.1 Registration – Main Pages<br />
User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all<br />
implemented using a single invocation of the CGI program. This permits them to be carried out<br />
either separately or in any combination. You can choose to separate them in your customized<br />
web site or keep them together as you prefer.<br />
If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static<br />
password and Serial Number into the main page without a Digipass Response. They will be<br />
directed to a challenge page, which is specified in the next topic, in which they should enter<br />
either a Response to the challenge or the OTP sent to their mobile phone. The following table<br />
applies only to the main page.<br />
The following posted form fields must be used on the main page, according to the particular<br />
function and other conditions specified below:<br />
Table 41: Form Fields for Main Registration Page<br />
Columns: Form Field Name; Visible Label (Default); Value(s); Required? for User Registration<br />
(UR), Password Synchronization (PS) and Digipass Assignment (DA).<br />
dpcgi_operation: “register” for User Registration, Digipass Assignment or Password<br />
Synchronization. Required: UR Y, PS Y, DA Y.<br />
dpcgi_success_page: Relative or absolute URL of web page to go to if the function is<br />
successful. Required: UR Y, PS Y, DA Y.<br />
dpcgi_fail_page: Relative or absolute URL of web page to go to if the function fails.<br />
Required: UR Y, PS Y, DA Y.<br />
dpcgi_challenge_page: Relative or absolute URL of web page to go to if a challenge is<br />
returned for the user. Required: see note (4) (UR/PS) and note (1) (DA).<br />
dpcgi_userid (label: UserId): UserID in the Authentication Server. Required: UR Y, PS Y, DA Y.<br />
dpcgi_password (label: Password): Static password. Required: UR Y, PS Y, DA Y.<br />
dpcgi_serialno (label: Serial Number): Digipass serial number. Required: DA Y.<br />
dpcgi_response (label: Digipass Response): Digipass response (without static PIN if there is<br />
one). Required: see note (5) (UR/PS) and note (2) (DA).<br />
dpcgi_newpin (label: New PIN): New static PIN (for Go 1/Go 3). Required: see note (3).<br />
dpcgi_confirmpin (label: Confirm New PIN): Confirm the new static PIN. Required: see note (3).<br />
dpcgi_usecombinedpwd: “True” to send the password, serial number, response and PIN to the<br />
Authentication Server in one attribute. “False” to send the contents of the password field<br />
(1) If any users may self-assign a Challenge/Response Digipass, provide this form field.<br />
(2) If any users may self-assign a Response Only Digipass, provide this form field.<br />
(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the<br />
beginning of the response (eg. Go 1/Go 3), and the Digipass are initialized with no initial<br />
static PIN, they have to enter a new PIN the first time they use the Digipass. If they are<br />
self-assigning the Digipass, that means that they have to enter the new PIN and confirm it<br />
during the self-assignment process. They can do this by adding the new PIN twice at the<br />
end of the Digipass Response; however, it may be more user-friendly to provide these two<br />
separate form fields.<br />
(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include<br />
this field.<br />
(5) If any users have a Response Only application, include this field.<br />
9.3.1.2 Registration – Challenge Page<br />
The Registration challenge page will be used for Digipass Challenge/Response or Virtual<br />
Digipass. The user enters their response to the challenge, to complete the registration process.<br />
The following posted form fields must be used on the challenge page:<br />
Table 42: Form Fields for Registration Challenge Page<br />
Columns: Form Field Name; Visible Label (Default); Value(s); Required?<br />
dpcgi_operation: “register” for User Registration, Digipass Assignment or Password<br />
Synchronization. Required: Y<br />
dpcgi_success_page: Relative or absolute URL of web page to go to if the function is<br />
successful. Required: Y<br />
dpcgi_fail_page: Relative or absolute URL of web page to go to if the function fails.<br />
Required: Y<br />
dpcgi_userid (label: UserId): UserID in the Authentication Server. Required: Y<br />
dpcgi_response (label: Digipass Response): Digipass response or Virtual Digipass OTP.<br />
Required: Y<br />
dpcgi_challenge (label: Challenge): Digipass challenge returned to the user. Required: Y<br />
Note<br />
If you make dpcgi_challenge a visible form field, ensure that it is not<br />
modifiable. An alternative is to make it a hidden form field, while also<br />
displaying the challenge in HTML text rather than as a form field.<br />
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Web Sites<br />
9.3.1.3 PIN Change<br />
The PIN Change function is only applicable for Digipass Response Only where the Server PIN is<br />
entered at the start of the response (eg. Go 1/Go 3).<br />
The following posted form fields must be used on the PIN Change page:<br />
Table 43: Form Fields for Server PIN Change Page<br />
Columns: Form Field Name; Visible Label (Default); Value(s); Required?<br />
dpcgi_operation: “changepin” for PIN Change. Required: Y<br />
dpcgi_success_page: Relative or absolute URL of web page to go to if the function is<br />
successful. Required: Y<br />
dpcgi_fail_page: Relative or absolute URL of web page to go to if the function fails.<br />
Required: Y<br />
dpcgi_userid (label: UserId): UserID in the Authentication Server. Required: Y<br />
dpcgi_response (label: Digipass Response): Digipass response (without static PIN if there is<br />
one). Required: Y<br />
dpcgi_currentpin (label: Current PIN): Current static PIN to be changed. Required: see note (6).<br />
dpcgi_newpin (label: New PIN): New static PIN. Required: Y<br />
dpcgi_confirmpin (label: Confirm New PIN): Confirm the new static PIN. Required: Y<br />
(6) If the Digipass has had its Server PIN reset by the administrator, because the user has<br />
forgotten it, there is no current Server PIN to enter here. In all other cases, the current<br />
Server PIN must be provided to permit the PIN change.<br />
9.3.1.4 Login Test – Main Page<br />
If a Challenge/Response application or Primary Virtual Digipass is used, the user will enter just<br />
their UserId (and maybe password) into the main page without a Digipass Response. If using<br />
the Backup Virtual Digipass, they will need to enter the trigger specified in server settings<br />
(password and/or a Keyword) into the password field.<br />
They will be directed to a challenge page, specified in the next topic. The following table<br />
applies only to the main page.<br />
The following posted form fields must be used on the main page:<br />
Table 44: Form Fields for Main Login Test Page<br />
Form Field Name | Visible Label (Default) | Value(s) | Required?<br />
dpcgi_operation | | “testlogin” for Login Test. | Y<br />
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. | Y<br />
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. | Y<br />
dpcgi_challenge_page | | Relative or absolute URL of web page to go to if a challenge is returned for the user. | (7)<br />
dpcgi_userid | UserId | UserID in the Authentication Server. | Y<br />
dpcgi_response | Digipass Response | Digipass response (with static PIN if there is one). | (8)<br />
(7) If any users have a Challenge/Response Digipass, a Primary Digipass or use the Backup Virtual Digipass feature, provide this form field.<br />
(8) If any users have a Response Only Digipass, provide this form field.<br />
9.3.1.5 Login Test – Challenge Page<br />
The user enters their response to the challenge or the OTP sent to their mobile phone to<br />
complete the login test.<br />
The following posted form fields must be used on the challenge page:<br />
Table 45: Form Fields for Login Test Challenge Page<br />
Form Field Name | Visible Label (Default) | Value(s) | Required?<br />
dpcgi_operation | | “testlogin” for Login Test. | Y<br />
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. | Y<br />
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. | Y<br />
dpcgi_userid | UserID | User ID in the Authentication Server. | Y<br />
dpcgi_response | Digipass Response | Digipass response. | Y<br />
dpcgi_challenge | Challenge | Digipass challenge returned to the user. | Y<br />
Note<br />
If you make dpcgi_challenge a visible form field, make sure that it is not modifiable. An alternative is to make it a hidden form field, while also displaying the challenge in HTML text rather than as a form field.<br />
9.3.2 OTP Request Site<br />
9.3.2.1 Request Page<br />
The request page must contain the following fields:<br />
Table 46: Form Fields for OTP Request Page<br />
Name | Type / Value | Visibility<br />
Username | text | Visible<br />
Password | Password | Visible<br />
dpcgi_operation | “VDPrequest” | Hidden<br />
dpcgi_vdp_success_page | Name of “OTP was sent” Page | Hidden<br />
dpcgi_vdp_fail_page | Name of “OTP not sent” Page | Hidden<br />
dpcgi_vdp_wrongtoken_page | Name of “Not a Virtual Digipass” Page | Hidden<br />
9.4 Query String Variables<br />
The query string variables that are passed to the web pages by the CGI program are mainly<br />
concerned with status and error reporting. There is also a variable that is used to pass a<br />
challenge to the pages that display one.<br />
9.4.1 Failure/Error Handling<br />
There are three main groups of failures that can occur, and each should be handled in a different manner. In all cases there is a numeric error code; in some cases there is also an auxiliary code and message, such as the return code and message from the <strong>VACMAN</strong> Controller. The main error codes will be assigned in three separate ranges, so that the web pages can identify which category of error is returned.<br />
API return codes – these are returned by the VASCO API used to make the authentication request to the Server. In some cases there will be an auxiliary code and message.<br />
CGI errors – these errors are detected by the CGI program, mainly when the web pages are not providing or enforcing the posted form fields correctly. These will not generally have an auxiliary code and message, but it is possible.<br />
Internal errors – these are technical errors that ‘should not occur’. In some cases there will be an auxiliary code and message.<br />
The intention of using this code-based scheme is to allow translation and customization of the<br />
messages. The main error code will be translated into a message by the web pages<br />
themselves. The pages can also translate the auxiliary code into a message, for the <strong>VACMAN</strong><br />
Controller codes, but normally, the pages would not know how to translate it into a message,<br />
and should display the auxiliary message as provided.<br />
9.4.2 Query String Variable List<br />
The following table indicates which variables are used for the User Self Management Web Site<br />
and OTP Request Site, and the required conditions:<br />
Table 47: Query String Variable List<br />
Variable | Value | Condition | Used by Site<br />
result | 0 | Successful authentication request | Both<br />
result | | Unsuccessful authentication request | Both<br />
result | | CGI or internal error occurred | Both<br />
challenge | | Challenge returned by API | User Self Management Web Site only<br />
serialNo | | Successful Auto- or Self-Assignment | User Self Management Web Site only<br />
auxcode | | Unsuccessful authentication request due to Controller rejecting password | Both<br />
auxcode | | CGI or internal error occurred, where another error code is relevant | Both<br />
auxmsg | | Unsuccessful authentication request due to Controller rejecting password | Both<br />
auxmsg | | CGI or internal error occurred, where an error message is relevant | Both<br />
Examples:<br />
success: /vmsite/success.html?result=0<br />
invalid Digipass response due to code replay: /vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt<br />
challenge: /vmsite/challenge.html?challenge=738453<br />
9.4.3 Return Code Listing<br />
In the following tables, the Message is the one that is provided by the standard web pages that<br />
we install.<br />
9.4.3.1 API Return Codes<br />
The following codes are the ones that in normal cases might be returned:<br />
Table 48: API Return Codes<br />
Code | Message | Auxiliary Code/Message? | Notes<br />
-1 | Error during request to Server | N | We are unable to distinguish the error from the client side of the API – the administrator would have to look at the Audit Console.<br />
9.4.3.2 CGI Errors<br />
Table 49: CGI Error Return Codes<br />
Code | Message | Auxiliary Code/Message?<br />
-100 | Only the POST method is permitted | N<br />
-101 | No dpcgi_operation was posted | N<br />
-102 | An invalid dpcgi_operation was posted | N<br />
-103 | dpcgi_challenge_page cannot be used for this operation | N<br />
-104 | dpcgi_password cannot be used for this operation | N<br />
-105 | dpcgi_serialno cannot be used for this operation | N<br />
-106 | dpcgi_currentpin cannot be used for this operation | N<br />
-107 | dpcgi_newpin cannot be used for this operation | N<br />
-108 | dpcgi_confirmpin cannot be used for this operation | N<br />
-109 | dpcgi_challenge cannot be used for this operation | N<br />
-110 | dpcgi_success_page must be entered for this operation | N<br />
-111 | dpcgi_fail_page must be entered for this operation | N<br />
-112 | dpcgi_userid must be entered for this operation | N<br />
-113 | dpcgi_password must be entered for this operation | N<br />
-114 | dpcgi_response must be entered for this operation | N<br />
-115 | dpcgi_newpin must be entered for this operation | N<br />
-116 | dpcgi_confirmpin must be entered for this operation | N<br />
-117 | A Digipass Response is required to assign a Digipass | N<br />
-118 | A New PIN can only be set when assigning a Digipass | N<br />
-119 | Enter the new PIN in the New PIN and Confirm New PIN fields | N<br />
-120 | The New PIN and Confirm New PIN fields have different values | N<br />
-121 | A challenge was returned, but there is no dpcgi_challenge_page | N<br />
-122 | Unknown parameter | N<br />
-123 | The Content-Length passed in was invalid | N<br />
-124 | dpcgi_serialno must be entered for this operation | N<br />
-131 | Wrong token page is forbidden | N<br />
9.4.3.3 Internal Errors<br />
Table 50: Internal Error Codes<br />
Code | Message | Auxiliary Code/Message?<br />
-1000 | Cannot read Trace-Mask configuration setting | Y<br />
-1001 | Cannot read Trace-File configuration setting | Y<br />
-1002 | Cannot open Trace-File | Y<br />
-1003 | Cannot read Source-IP-Address configuration setting | Y<br />
-1004 | Cannot read Server1-IP-Address configuration setting | Y<br />
-1005 | Cannot read Server1-Port configuration setting | Y<br />
-1006 | Cannot read Server2-IP-Address configuration setting | Y<br />
-1007 | Cannot read Server2-Port configuration setting | Y<br />
-1008 | Invalid configuration setting Source-IP-Address | Y<br />
-1009 | Invalid configuration setting Server1-IP-Address | Y<br />
-1010 | Invalid configuration setting Server1-Port | Y<br />
-1011 | Invalid configuration setting Server2-IP-Address | Y<br />
-1012 | Invalid configuration setting Server2-Port | Y<br />
-1014 | Cannot read HTTP request data | N<br />
-1015 | Request to Server not completed | Y<br />
-1016 | Cannot read Self-Management Site registry key | Y<br />
-1017 | The specified Source-IP-Address is not on this machine | N<br />
-1018 | Cannot read Trace-Header configuration setting | Y<br />
-1019 | Invalid configuration setting Trace-Header | Y<br />
-1020 | The Trace file name must not contains quotes ' or ". | N<br />
-1021 | No File found in the trace file | N<br />
-1030 | Error reading Server 1 Secret - return code was | N<br />
-1031 | Error reading Server 2 Secret - return code was | N<br />
-1032 | Error reading No of Retries - return code was | N<br />
-1033 | Error reading Timeout - return code was | N<br />
-1034 | Error writing Protocol - return code was | N<br />
-1040 | The Shared Secret and Confirm Shared Secret do not match. | N<br />
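As an added example that is not part of the VASCO documentation or product, the following JavaScript shows how a custom success/fail page can parse the query string variables of Table 47, sort the result code into the three groups of 9.4.1 and translate it with messages taken from Tables 48 to 50. The numeric range boundaries used for the classification and the handling of the auxiliary message (escaped before it is placed in the page, since it arrives in the URL) are my additions.

```javascript
// Added example, not from the VACMAN Middleware documentation or product:
// a custom success/fail page parses the query string variables of Table 47
// and turns the result code into the error groups of 9.4.1. Message texts
// are a subset of Tables 48 to 50; the range boundaries used to classify
// (-100..-199 = CGI error, -1000 and below = internal) are my reading of
// those tables, not a rule the document states.

// Subset of the documented return codes (Tables 48, 49 and 50).
const RETURN_CODE_MESSAGES = {
  "0": "Successful authentication request",
  "-1": "Error during request to Server",
  "-100": "Only the POST method is permitted",
  "-101": "No dpcgi_operation was posted",
  "-102": "An invalid dpcgi_operation was posted",
  "-121": "A challenge was returned, but there is no dpcgi_challenge_page",
  "-1002": "Cannot open Trace-File",
  "-1015": "Request to Server not completed",
};

// Decode one query string component; '+' stands for a space, as in
// auxmsg=Code+Replay+Attempt in the page's example URL.
function decodeComponent(s) {
  return decodeURIComponent(s.replace(/\+/g, " "));
}

// Parse "?result=-102&auxcode=..&auxmsg=.." into an object of decoded values.
// A repeated key keeps the last value; a key without '=' gets an empty string.
function parseQueryString(search) {
  const vars = {};
  const q = search.startsWith("?") ? search.slice(1) : search;
  for (const pair of q.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = decodeComponent(eq < 0 ? pair : pair.slice(0, eq));
    vars[key] = eq < 0 ? "" : decodeComponent(pair.slice(eq + 1));
  }
  return vars;
}

// Map a result code onto the three groups of 9.4.1 (plus success).
function classifyResult(code) {
  if (code === 0) return "success";
  if (code === -1) return "api";
  if (code <= -100 && code >= -199) return "cgi";
  if (code <= -1000) return "internal";
  return "unknown"; // outside every documented range: do not guess a meaning
}

// auxmsg comes straight from the URL; escape it before it reaches the page
// markup so a crafted link cannot inject HTML into the error page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What a success/fail page should display for the given query string.
function describeResult(search) {
  const vars = parseQueryString(search);
  const code = Number.parseInt(vars.result ?? "", 10);
  if (Number.isNaN(code)) {
    const msg = "No result code supplied";
    return { category: "unknown", code: null, auxcode: null, auxmsg: null, message: msg, html: escapeHtml(msg) };
  }
  const category = classifyResult(code);
  let message = RETURN_CODE_MESSAGES[String(code)] ?? `Unrecognized result code ${code}`;
  // The auxiliary code/message are shown as provided (9.4.1), after escaping.
  if (vars.auxmsg !== undefined && vars.auxmsg !== "") {
    message += ` (${vars.auxcode ? vars.auxcode + ": " : ""}${vars.auxmsg})`;
  }
  return {
    category,
    code,
    auxcode: vars.auxcode ?? null,
    auxmsg: vars.auxmsg ?? null,
    message,
    html: escapeHtml(message),
  };
}

// Constructed sample URLs: the page's own two examples plus two made-up ones.
const SAMPLE_URLS = [
  "/vmsite/success.html?result=0",
  "/vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt",
  "/vmsite/fail.html?result=-102",
  "/vmsite/fail.html?result=-1015&auxcode=5&auxmsg=%3Cb%3Etimeout%3C%2Fb%3E",
];

// Describe each sample URL; the query string starts at the first '?'.
function describeAll(urls) {
  return urls.map((u) => describeResult(u.slice(u.indexOf("?"))));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of describeAll(SAMPLE_URLS)) console.log(r.category, r.code, r.html);
}
```

Note that the page's own sample URL carries result=1000 rather than a code from the negative ranges of the tables; the classifier reports it as unknown but still surfaces the auxiliary message, which is safer than guessing a category.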
10 Login Options<br />
10.1 Login Permutations<br />
The information required to be entered during a login will vary according to the configuration<br />
settings of the relevant Policy, the login method, and any actions to be performed during the<br />
login.<br />
Login Methods<br />
The login methods specified are:<br />
Response Only<br />
Challenge/Response<br />
Virtual Digipass - Primary or Backup<br />
Login Actions<br />
A User may be allowed to do these things during a login:<br />
Set their Server PIN – on first use or after a PIN reset.<br />
Change their Server PIN.<br />
Inform the Authentication Server that their static password for the back-end<br />
authenticator (e.g. Windows) has been modified.<br />
Perform a Self-Assignment for a Digipass in their possession.<br />
Login Variables<br />
The variables which a User may need to enter in order to do one of the above functions are<br />
listed below. The code or word used to designate each variable in the following tables is<br />
included in brackets.<br />
One Time Password (OTP)<br />
Password (Password)<br />
Server PIN (PIN)<br />
Serial Number of their Digipass (Serial No)<br />
Serial Number Separator (Sep.)<br />
Request Keyword (Keyword)<br />
Policy Settings<br />
The Policy settings which will affect the variables required in logins are:<br />
Stored Password Proxy<br />
If this attribute is set to Enabled, each User's password must be kept up to date in the<br />
Authentication Server. This is typically achieved by enabling Password Autolearn.<br />
Password Autolearn<br />
If the Authentication Server is informed of a User's password change, the new password<br />
will only be recorded by the Authentication Server if Password Autolearn is enabled in the<br />
relevant Policy.<br />
Serial Number Separator<br />
If a Serial Number Separator is specified, the User may enter their Digipass serial<br />
number exactly as it appears on the back of their Digipass (or in the documentation<br />
provided to the User), including dashes. If a Serial Number Separator is not specified,<br />
the Digipass serial number must be padded to 10 characters, with all non-numerical<br />
characters removed.<br />
Back-End Authentication<br />
In the following login permutations tables, 'Back-End Authentication Required' means<br />
that the Back-End Auth. attribute is set to Always or If Needed.<br />
Note<br />
Back-End Authentication is required for Self-Assignment and Password<br />
Autolearn logins.<br />
10.1.1 Response Only – PAP<br />
Table 51: Login Permutations - Response Only PAP (1)<br />
Login Type | Existing PIN? | Serial Number Separator? | Password Field Contents (Stored Password Proxy On OR No Back-End Authentication) (1)<br />
Server PIN Required:<br />
Normal login | Yes | N/A | PIN+OTP<br />
Set PIN | No | N/A | OTP+NewPIN+NewPIN<br />
Change PIN | Yes | N/A | PIN+OTP+NewPIN+NewPIN<br />
Changed Password | Yes | N/A | Password+PIN+OTP<br />
Set PIN and Changed Password | No | N/A | Password+OTP+NewPIN+NewPIN<br />
Change PIN and Changed Password | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN<br />
Self-Assignment (2) | Yes | Yes | SerialNo+Sep.+Password+PIN+OTP<br />
Self-Assignment (2) | Yes | No | SerialNo+Password+PIN+OTP<br />
Self-Assignment (2) | No | Yes | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN<br />
Self-Assignment (2) | No | No | SerialNo+Password+OTP+NewPIN+NewPIN<br />
No Server PIN Required:<br />
Normal login | N/A | N/A | OTP<br />
Changed Password | N/A | N/A | Password+OTP<br />
Self-Assignment (2) | N/A | Yes | SerialNo+Sep.+Password+OTP<br />
Self-Assignment (2) | N/A | No | SerialNo+Password+OTP<br />
1 Back-End Authentication is required for Self-Assignment and Password Autolearn logins.<br />
2 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.<br />
Table 52: Login Permutations - Response Only PAP (2)<br />
Login Type | Existing PIN? | Serial Number Separator? | Password Field Contents (Stored Password Proxy Off AND Back-End Authentication Required) (3)<br />
Server PIN Required:<br />
Normal login | Yes | N/A | Password+PIN+OTP<br />
Set PIN | No | N/A | Password+OTP+NewPIN+NewPIN<br />
Change PIN | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN<br />
Changed Password | Yes | N/A | Password+PIN+OTP<br />
Set PIN and Changed Password | No | N/A | Password+OTP+NewPIN+NewPIN<br />
Change PIN and Changed Password | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN<br />
Self-Assignment (4) | Yes | Yes | SerialNo+Sep.+Password+PIN+OTP<br />
Self-Assignment (4) | Yes | No | SerialNo+Password+PIN+OTP<br />
Self-Assignment (4) | No | Yes | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN<br />
Self-Assignment (4) | No | No | SerialNo+Password+OTP+NewPIN+NewPIN<br />
No Server PIN Required:<br />
Normal login | N/A | N/A | Password+OTP<br />
Changed Password | N/A | N/A | Password+OTP<br />
Self-Assignment (4) | N/A | Yes | SerialNo+Sep.+Password+OTP<br />
Self-Assignment (4) | N/A | No | SerialNo+Password+OTP<br />
Examples<br />
Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::'.<br />
3-179-0987::pA192ss086382012341234<br />
Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set.<br />
0031790987PA192ss0863820<br />
3 Back-End Authentication is required for Self-Assignment and Password Autolearn logins.<br />
4 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.<br />
10.1.2 Response Only – CHAP/MS-CHAP<br />
The table below assumes that Stored Password Proxy is enabled, or Backend Authentication is not in use.<br />
Table 53: Login Permutations - Response Only CHAP<br />
Login Type | Server PIN Required? | Password Field Contents<br />
Normal login | Yes | PIN+OTP<br />
Normal login | No | OTP<br />
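The following JavaScript is an added example, not code from the VASCO documentation or product: it composes the Password field contents for a Response Only PAP login from the building blocks of Tables 51 and 52, including the serial number rule of footnotes 2 and 4, and reproduces the two worked examples above. Reading those examples as password "pA192ss0", OTP "863820" and new PIN "1234" entered twice, and feeding the GO 3 case the printed serial "3-179-0987", are my assumptions, as are the option names.

```javascript
// Added example, not from the VACMAN Middleware documentation or product:
// compose the Password field contents for a Response Only PAP login from the
// building blocks of Tables 51 and 52, including the serial number rule of
// footnotes 2 and 4. Reading the page's worked examples as password "pA192ss0",
// OTP "863820" and new PIN "1234" (entered twice) is my decomposition, and
// the option names below are mine.

// Normalise the Digipass serial number for the Password field. With a Serial
// Number Separator configured, the serial is entered as printed (dashes
// included) and followed by the separator; without one, all non-numerical
// characters are removed and the digits are left-padded with zeroes to 10.
function formatSerial(serial, separator) {
  if (separator) return serial + separator;
  const digits = serial.replace(/\D/g, "");
  if (digits.length === 0 || digits.length > 10) {
    throw new Error(`serial number must contain 1 to 10 digits: ${serial}`);
  }
  return digits.padStart(10, "0");
}

// Build the field for one login. Options (names are mine):
//   loginType          "normal" | "setpin" | "changepin" | "selfassign"
//   proxyOrNoBackEnd   true  -> Table 51 (Stored Password Proxy On OR no Back-End Authentication)
//                      false -> Table 52 (Stored Password Proxy Off AND Back-End Authentication Required)
//   changedPassword    true for the "Changed Password" variants (Password Autolearn)
//   serverPinRequired  the Digipass uses a Server PIN (e.g. Go 1 / Go 3)
//   existingPin        the Server PIN is already set (false on first use or after a reset)
//   serial, separator, password, pin, otp, newPin
function passwordFieldContents(o) {
  const parts = [];
  if (o.loginType === "selfassign") {
    // Self-Assignment always needs Back-End Authentication, so the static
    // password follows the serial number in every permutation.
    parts.push(formatSerial(o.serial, o.separator), o.password);
  } else if (!o.proxyOrNoBackEnd || o.changedPassword) {
    parts.push(o.password);
  }
  const setsNewPin = Boolean(o.serverPinRequired) &&
    (o.loginType === "setpin" || o.loginType === "changepin" ||
      (o.loginType === "selfassign" && !o.existingPin));
  // An existing Server PIN is entered at the start of the response.
  if (o.serverPinRequired && o.existingPin) parts.push(o.pin);
  parts.push(o.otp);
  // Setting or changing the PIN: the new PIN is typed twice after the OTP.
  if (setsNewPin) parts.push(o.newPin, o.newPin);
  return parts.join("");
}

// The two worked examples from Table 52 as option objects (constructed).
const GO1_SELF_ASSIGNMENT = {
  loginType: "selfassign", proxyOrNoBackEnd: true, serverPinRequired: true,
  existingPin: false, serial: "3-179-0987", separator: "::",
  password: "pA192ss0", otp: "863820", newPin: "1234",
};
const GO3_SELF_ASSIGNMENT = {
  loginType: "selfassign", proxyOrNoBackEnd: true, serverPinRequired: false,
  existingPin: false, serial: "3-179-0987", separator: "",
  password: "PA192ss0", otp: "863820",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(passwordFieldContents(GO1_SELF_ASSIGNMENT)); // 3-179-0987::pA192ss086382012341234
  console.log(passwordFieldContents(GO3_SELF_ASSIGNMENT)); // 0031790987PA192ss0863820
}
```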
10.1.3 Challenge/Response<br />
Challenge/Response is supported with PAP only.<br />
Table 54: Login Permutations – Challenge/Response<br />
Login Type | Serial Number Separator? | Request Method | Stored Password Proxy Off AND Back-End Auth. Required? (5) | 2-Step Challenge/Response: Pre-Challenge | 2-Step Challenge/Response: Response<br />
Normal login | N/A | Keyword | Yes | Keyword | Password+OTP<br />
Normal login | N/A | Keyword | No | Keyword | OTP<br />
Normal login | N/A | Password | N/A | Password | OTP<br />
Normal login | N/A | Keyword-Password | N/A | Keyword+Password | OTP<br />
Normal login | N/A | Password-Keyword | N/A | Password+Keyword | OTP<br />
Changed Password | N/A | Keyword | N/A | Keyword | Password+OTP<br />
Changed Password | N/A | Password | N/A | Password | OTP<br />
Changed Password | N/A | Keyword-Password | N/A | Keyword+Password | OTP<br />
Changed Password | N/A | Password-Keyword | N/A | Password+Keyword | OTP<br />
Self-Assignment (6) | Yes | N/A | N/A | SerialNo+Sep.+Password | OTP<br />
Self-Assignment (6) | No | N/A | N/A | SerialNo+Password | OTP<br />
5 Back-End Authentication is required for Self-Assignment and Password Autolearn logins.<br />
6 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.<br />
10.1.4 Virtual Digipass<br />
The 2-step login is possible when using the RADIUS Access-Challenge mechanism or an IIS<br />
Module in form-based authentication mode. The Password is required in either the first or the<br />
second step, but not both.<br />
However, many RADIUS environments and web 'basic authentication' do not support the 2-step<br />
login process. If the 2-step login process is not possible, two separate 1-step logins are<br />
required. The second login must include the Password as well as the OTP, but it is not<br />
necessary to provide the Password in the first login if only a Keyword is used.<br />
When using the Virtual Digipass OTP Request web site, the 2-step login is not applicable.<br />
Table 55: Login Permutations – Virtual Digipass<br />
Login Type | Request Method | 2-step login (7): Step 1 | 2-step login (7): Step 2 | Two 1-step logins (8): Step 1 | Two 1-step logins (8): Step 2<br />
Normal login | Keyword | Keyword | Password+OTP | Keyword | Password+OTP<br />
Normal login | Password | Password | OTP | Password | Password+OTP<br />
Normal login | Keyword-Password | Keyword+Password | OTP | Keyword+Password | Password+OTP<br />
Normal login | Password-Keyword | Password+Keyword | OTP | Password+Keyword | Password+OTP<br />
Changed Password | Keyword | Keyword | Password+OTP | Keyword | Password+OTP<br />
Changed Password | Password | Password | OTP | Password | Password+OTP<br />
Changed Password | Keyword-Password | Keyword+Password | OTP | Keyword+Password | Password+OTP<br />
Changed Password | Password-Keyword | Password+Keyword | OTP | Password+Keyword | Password+OTP<br />
7 2-step logins are compatible with PAP only.<br />
8 Two 1-step logins may be used with any protocol compatible with <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
11 Configuration Settings<br />
11.1 Authentication Server<br />
A Graphical User Interface (GUI) is available for configuring the Authentication Server.<br />
To open the Authentication Server Configuration GUI, click on the Start Button and select<br />
Programs -> VASCO -> <strong>VACMAN</strong> <strong>Middleware</strong> 3 -> Authentication Server<br />
Configuration.<br />
Note<br />
A restart of the Digipass Authentication Server service is required after any<br />
change to Authentication Server configuration settings. When exiting the<br />
Configuration GUI, you will be prompted to allow an automatic restart of the<br />
service.<br />
11.1.1 Set Component Location<br />
1. Enter the location of the Authentication Server Component which will be generating<br />
audit messages in the Component Location field.<br />
2. Enter the API port on which the Authentication Server will listen for connections.<br />
3. Click on Apply.<br />
11.1.2 <strong>Administration</strong> Connections<br />
The <strong>Administration</strong> MMC Interface connects to the Authentication Server to make changes to<br />
the data store. The Authentication Server can be configured to check that any <strong>Administration</strong><br />
MMC Interface connecting to it has a Component record in the data store.<br />
1. Tick the Require administration client component registration checkbox.<br />
2. Click on <strong>Administration</strong> Session Settings.<br />
3. Enter the maximum number of concurrent administration sessions to allow.<br />
4. Enter the maximum session time to allow (in seconds).<br />
5. Enter an idle timeout limit (in seconds).<br />
6. Click on OK.<br />
7. Click on Apply.<br />
11.1.3 Library Path and Type<br />
The Library Path setting tells the Authentication Server where to find the data access (Active<br />
Directory or ODBC) library. This setting may not be edited in the Configuration GUI.<br />
11.1.4 RADIUS<br />
Enable the Authentication Server to use the RADIUS protocol in authentication requests. This<br />
allows the Authentication Server to pass on RADIUS attributes set by a RADIUS server.<br />
1. Tick the Enable RADIUS checkbox.<br />
2. Enter an Authentication Port. It is possible to listen on more than one port, by providing<br />
a comma-separated list, for example: 1812,1645<br />
3. Enter an Accounting Port. It is possible to listen on more than one port, by providing a<br />
comma-separated list, for example: 1813,1646<br />
11.1.5 Turn Tracing On or Off<br />
1. Select a Tracing option.<br />
2. To send tracing output to a text file, enter a path and filename for the tracing file into<br />
the File Name field. The file path entered must be the full absolute path.<br />
3. Click on the Apply button.<br />
Note<br />
If the File Name field is left blank or the file path does not exist, the<br />
Authentication Server will not output tracing. If the file does exist, tracing will<br />
be appended to the file. If the path is valid but the file does not exist, it will be<br />
created.<br />
11.1.6 Active Directory Connection<br />
To view Active Directory settings, open the configuration GUI and click on the Active<br />
Directory Connection tab. These settings will only be available if Active Directory was<br />
selected as the data store during installation of the <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
11.1.6.1 Configuration Domain<br />
The configuration domain is the main Active Directory domain which the Authentication Server<br />
should use for User authentications, and the domain in which the Digipass Configuration<br />
Container is located. This domain will be set automatically during the <strong>VACMAN</strong> <strong>Middleware</strong><br />
installation.<br />
To set the default domain:<br />
1. Click on the Edit... button next to the Configuration Domain field.<br />
The Domain window will be displayed.<br />
2. Enter the fully qualified domain name for the configuration domain into the Name field.<br />
3. If required, enter the name of the server in the domain to which the Authentication<br />
Server should connect, in the Preferred Server field.<br />
4. Tick the Preferred Server Only checkbox to limit the Authentication Server to<br />
connecting only to that server in the configuration domain.<br />
5. Enter the server port to use in making encrypted connections (SSL) to the configuration<br />
domain into the Encrypted Server Port field.<br />
6. Enter the server port to use in making unencrypted connections to the configuration<br />
domain into the Unencrypted Server Port field.<br />
7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the<br />
Authentication Server to Active Directory, or leave the checkbox unticked to leave the<br />
connection unencrypted. Note that SSL is not used when the Authentication Server is<br />
on a Domain Controller and connects to Active Directory using that.<br />
8. Enter the maximum amount of time (in minutes) that the Authentication Server should<br />
stay connected to a server before re-synching in the Max Bind Lifetime field.<br />
9. Click on OK.<br />
10. Click on Apply.<br />
11.1.6.2 Domains List<br />
The Domains list contains the names of all other domains that the Authentication Server may<br />
need to use in User authentications. Note that this list is only needed if you wish to configure<br />
how the Authentication Server will connect to the other domains – if a domain is not in the list,<br />
it will still try to connect to it.<br />
Add a Domain<br />
To add a domain to the Domains List:<br />
1. Click on the Add... button.<br />
The Domain window will be displayed.<br />
2. Enter the fully qualified domain name for the domain into the Name field.<br />
3. If required, enter the name of the server in the domain to which the Authentication<br />
Server should connect, in the Preferred Server field.<br />
4. Tick the Preferred Server Only checkbox to limit the Authentication Server to<br />
connecting only to that server in the domain.<br />
5. Enter the server port to use in making encrypted connections (SSL) to the domain into<br />
the Encrypted Server Port field.<br />
6. Enter the server port to use in making unencrypted connections to the domain into the<br />
Unencrypted Server Port field.<br />
7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the<br />
Authentication Server to Active Directory, or leave the checkbox unticked to leave the<br />
connection unencrypted.<br />
8. Enter the maximum amount of time (in minutes) that the Authentication Server should<br />
stay connected to a server in the domain before re-synching in the Max Bind<br />
Lifetime field.<br />
9. Click on OK.<br />
10. Click on Apply.<br />
Modify a domain record in the Domains List<br />
To modify information for a domain in the Domains List:<br />
1. Select the domain to be modified from the Domains List.<br />
2. Click on the Edit... button.<br />
3. Modify the required information.<br />
4. Click on OK.<br />
5. Click on Apply.<br />
Delete a domain record from the Domains List<br />
To remove a domain record from the Domains List:<br />
1. Select the domain to be deleted from the Domains List.<br />
2. Click on the Delete button.<br />
3. The record will be deleted.<br />
11.1.7 ODBC Connection<br />
To view ODBC Database connection settings, open the Configuration GUI and click on the<br />
ODBC Connection tab. These settings will only be available if an ODBC database was<br />
selected as the data store during installation of <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
11.1.7.1 Connect to an ODBC Database<br />
The database(s) used to store data required by <strong>VACMAN</strong> <strong>Middleware</strong> are listed in the ODBC<br />
Data Sources list on this tab.<br />
You may wish to add another database to this list if load-balancing or fail-over mechanisms<br />
need to be implemented.<br />
1. Click on the ODBC Connection tab.<br />
2. Click on the Add... button.<br />
3. The Data Source window will be displayed.<br />
4. Enter a display name for the data source (this will be used in data source lists in the<br />
Configuration GUI).<br />
5. Enter the name (DSN) of the ODBC data source.<br />
6. Enter the User ID and password of a database administrator account with permissions<br />
to read, write, create and delete Digipass-related data.<br />
7. Click on the Test Connection button.<br />
If the information has been entered correctly, the test should be successful.<br />
8. Enter the minimum time the Authentication Server should wait to reconnect to this data<br />
source (in seconds).<br />
9. Enter the maximum time the Authentication Server should wait before retrying the<br />
connection.<br />
11.1.7.2 Connection Settings<br />
You may need to fine-tune database connection settings to increase performance of the<br />
database and the database driver in use, or if you are implementing load-balancing between<br />
two or more databases for the Authentication Server.<br />
1. Select a database from the list.<br />
2. Click on the Advanced Settings button.<br />
3. Enter the maximum number of concurrent connections which the Authentication Server<br />
should make to the database in the Max. Connections field.<br />
4. Enter the number of milliseconds for which the Authentication Server should wait while<br />
establishing a connection to the database.<br />
5. Enter the period (in minutes) before unused connections to the database should be<br />
closed by the Authentication Server in the Idle Timeout field.<br />
6. If you have multiple databases and want the Authentication Server to switch to another<br />
database if it has exceeded the connection limit or if the database becomes<br />
unavailable, tick the Enable Load Sharing checkbox.<br />
7. Click on OK.<br />
8. Normally, the same settings should be applied in each database for each Authentication<br />
Server. These settings are not replicated automatically to other databases. However,<br />
you may prefer to keep this configuration different, for example a more powerful<br />
database server can handle more concurrent database connections.<br />
11.1.7.3 User ID and Domain Conversion<br />
User ID and Domain Case<br />
The case in which the Authentication Server will save and retrieve User IDs and domain names<br />
will depend on:<br />
The capabilities and settings of the database used as the data store for the<br />
Authentication Server. Your database may require case sensitivity in queries, or may<br />
store all data in lower or upper case.<br />
Configuration settings for the Authentication Server.<br />
The Authentication Server may be configured to save and retrieve User IDs and domain names<br />
in:<br />
Lower case<br />
Upper case<br />
No conversion – data is saved or searched on exactly as entered.<br />
The default configuration setting for the Authentication Server when using an embedded<br />
database is Convert to Lower. When using another ODBC database, the default is No<br />
Conversion.<br />
Caution<br />
Before changing the configuration setting, you need to make sure that existing<br />
User IDs and Domain names will not be invalidated by the new setting, or that<br />
they are deleted before the setting is changed. For example, if the current<br />
setting is No Conversion and you change to Convert to Lower, a User ID<br />
“TestUser” would become invalid. This Digipass User account must be deleted<br />
before changing the Case Conversion setting.<br />
Typically, this setting should be changed shortly after installation, so you do<br />
not have to deal with a lot of existing Digipass User account and Domain<br />
records.<br />
If you want to move from Convert to Lower to Convert to Upper, or vice versa,<br />
it will be necessary to make the change in two steps, via No Conversion. While<br />
the setting is No Conversion, upper or lower case User IDs and Domains can<br />
be created and deleted as necessary.<br />
This is especially important for the Master Domain name. The default Master<br />
Domain “master” will become invalid if you change to Convert to Upper.<br />
Therefore, you will need to create a new Domain with an upper case name and<br />
make it the Master Domain, while the Case Conversion setting is No<br />
Conversion. See 11.1.7.4 Master Domain for instructions to change the<br />
Master Domain.<br />
To modify the Case Conversion setting for the Authentication Server:<br />
1. Select a database from the list.<br />
2. Click on the Advanced Settings button.<br />
3. If you wish the Authentication Server to convert User IDs and domains to upper or<br />
lower case, select Convert to Upper or Convert to Lower from the Case drop down list.<br />
To leave User IDs and domains as they are entered, select No Conversion.<br />
4. Click on OK.<br />
5. The same setting must be applied in each database for each Authentication Server. This<br />
setting change is not replicated automatically to other databases.<br />
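The caution above can be turned into a pre-check. This is an added, constructed example (not part of the manual or VASCO's software) that applies the stated rules to a list of existing records and reports which User IDs, Domains and the Master Domain would become invalid under a new Case Conversion setting, and whether the change has to go through No Conversion:

```python
"""Pre-check for changing the Authentication Server's Case Conversion setting.

Constructed example, not VASCO code. It models the rules the manual gives:
a User ID or Domain stored under one setting is only found again if it already
has the case the new setting would apply, and a move between Convert to Lower
and Convert to Upper has to pass through No Conversion.
"""
from dataclasses import dataclass

NO_CONVERSION = "No Conversion"
TO_LOWER = "Convert to Lower"
TO_UPPER = "Convert to Upper"


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    domain: str


def normalize(value, setting):
    """Apply a Case Conversion setting to a User ID or Domain name."""
    if setting == TO_LOWER:
        return value.lower()
    if setting == TO_UPPER:
        return value.upper()
    return value  # No Conversion: saved and searched exactly as entered


def invalid_records(records, master_domain, new_setting):
    """List the stored values that would no longer be found under new_setting.

    A stored value becomes invalid when the server, converting the entered value
    before searching, would look for a string different from the one stored.
    The Master Domain is checked as well, because it is resolved the same way.
    """
    problems = {}  # dict preserves first-seen order and drops duplicates
    for rec in records:
        for label, value in (("User ID", rec.user_id), ("Domain", rec.domain)):
            if normalize(value, new_setting) != value:
                problems[(label, value)] = True
    if normalize(master_domain, new_setting) != master_domain:
        problems[("Master Domain", master_domain)] = True
    return list(problems)


def plan_change(current, new_setting, records, master_domain):
    """Return the actions needed before the setting can safely be switched."""
    steps = []
    if {current, new_setting} == {TO_LOWER, TO_UPPER}:
        steps.append(f"switch to {NO_CONVERSION} first; a direct change between "
                     f"{TO_LOWER} and {TO_UPPER} is not possible")
    for label, value in invalid_records(records, master_domain, new_setting):
        target = normalize(value, new_setting)
        if label == "Master Domain":
            steps.append(f"while the setting is {NO_CONVERSION}, create Domain '{target}', "
                         f"make it the Master Domain, then delete '{value}'")
        else:
            steps.append(f"delete {label} '{value}' before changing the setting "
                         f"(recreate it as '{target}' if still needed)")
    return steps


# Constructed sample data: one mixed-case User ID and one mixed-case Domain.
SAMPLE_RECORDS = [
    UserRecord("TestUser", "master"),
    UserRecord("alice", "master"),
    UserRecord("bob", "Sales"),
]

if __name__ == "__main__":
    for step in plan_change(NO_CONVERSION, TO_UPPER, SAMPLE_RECORDS, "master"):
        print("-", step)
```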
Windows User Name Resolution<br />
<strong>VACMAN</strong> <strong>Middleware</strong> can use Windows functions to identify User IDs as Windows User<br />
accounts. This may be required if Windows is used as the back-end authenticator for <strong>VACMAN</strong><br />
<strong>Middleware</strong>.<br />
1. Select a database from the list.<br />
2. Click on the Advanced Settings button.<br />
3. To have the Authentication Server look up a User ID with Windows to find the<br />
Distinguished Name for the account, tick the Use Windows User Name Resolution<br />
checkbox.<br />
4. Click on OK.<br />
5. The same setting must be applied in each database for each Authentication Server. This<br />
setting change is not replicated automatically to other databases.<br />
11.1.7.4 Master Domain<br />
The Master Domain is used as a default Domain as well as having special significance for<br />
administrative access. For more details, see 3.5.1.1 Master Domain.<br />
Note<br />
All User accounts must be deleted from a domain before the domain record can<br />
be deleted.<br />
To modify the domain used as the Master Domain:<br />
1. If the new Master Domain does not already have a Domain record, create the new<br />
Domain using the <strong>Administration</strong> MMC Interface.<br />
2. Make sure there is an administrator account in the new Master Domain that has Set<br />
Administrative Privileges permission.<br />
3. Click on the ODBC Connection tab.<br />
4. Click on Configure Advanced Settings.<br />
5. Modify the name in the Master Domain field.<br />
6. Click on OK.<br />
7. The same setting must be applied in each database for each Authentication Server. This<br />
setting change is not replicated automatically to other databases.<br />
8. Login to the <strong>Administration</strong> MMC Interface as the administrator account identified in<br />
step 2. Give this account any privileges that it requires that are missing. You will need<br />
to log off and on again as this account for the new privileges to take effect.<br />
9. Delete the original 'master' domain if no longer required.<br />
Caution<br />
Ensure that the name of the Master Domain is set to the correct case, as<br />
required by the Case Conversion setting. For example, if the Case Conversion<br />
setting is Convert to Lower, the Master Domain name must be all lower case.<br />
11.1.7.5 Domains and Organizational Units<br />
Other Domains and Organizational Units used in the Authentication Server may be created and<br />
edited using the <strong>Administration</strong> MMC Interface.<br />
11.1.8 Auditing<br />
To configure auditing for the Authentication Server, add at least one auditing plug-in to the<br />
Methods list. To view or edit auditing settings, click on the Auditing tab in the Configuration<br />
GUI. For more information about setting up auditing, see 12 Auditing.<br />
Add an Audit Method<br />
1. Click on the Add... button.<br />
2. Select a Plug-in type from the drop down list.<br />
3. Click on OK.<br />
The Plugin window will be displayed.<br />
4. Enter a name to use for display purposes in the Display Name field.<br />
5. Tick the Enabled checkbox to enable auditing to this plug-in.<br />
6. Tick the Fail on Error checkbox if you want the Authentication Server to return an<br />
error if it fails to record an auditing message.<br />
7. Tick the Unhandled Only checkbox if messages should only be logged by this auditing<br />
plug-in if they have not been previously logged by any other plug-in.<br />
8. Select one or more audit message types to be logged by this plug-in:<br />
Error<br />
Warning<br />
Information<br />
Success<br />
Failure<br />
9. Enter other required information.<br />
10. Click on OK.<br />
11. Click on Apply.<br />
Edit an Audit Method<br />
1. Select an auditing plug-in from the Methods list.<br />
2. Click on the Edit... button.<br />
The Plug-In window will be displayed.<br />
3. Make the required changes.<br />
4. Click on OK.<br />
5. Click on Apply.<br />
Delete an Audit Method<br />
1. Select an auditing plug-in from the Methods list.<br />
2. Click on the Delete button.<br />
The record will be deleted.<br />
11.1.9 Data Encryption<br />
See 4 Sensitive Data Encryption for more information on encryption in the Authentication<br />
Server.<br />
To modify encryption settings for the Authentication Server:<br />
1. Click on the Active Directory Connection or ODBC Connection tab.<br />
2. Click on Configure Encryption Settings.<br />
3. The Configure Encryption Settings window will be displayed.<br />
4. Enter the custom encryption key in the Storage Key field.<br />
5. Select an encryption algorithm from the Cipher Name drop down list.<br />
6. Click on OK.<br />
Export Encryption Settings<br />
1. Click on the Active Directory Connection or ODBC Connection tab.<br />
2. Click on Configure Encryption Settings.<br />
3. The Configure Encryption Settings window will be displayed.<br />
4. Click on Export...<br />
5. Browse to the desired directory.<br />
6. Enter a file name to export the settings to.<br />
7. Click on OK.<br />
8. Enter a password.<br />
9. Click on OK.<br />
Import Encryption Settings<br />
1. Click on the Active Directory Connection or ODBC Connection tab.<br />
2. Click on Configure Encryption Settings.<br />
3. The Configure Encryption Settings window will be displayed.<br />
4. Click on Import...<br />
5. Browse to the encryption settings file.<br />
6. Click on OK.<br />
7. Enter the required password.<br />
8. Click on OK.<br />
11.1.10 Replication<br />
Note<br />
For more information about setting up replication on your system, see 15<br />
Replication.<br />
11.1.10.1 Enable Replication<br />
Configure the current Authentication Server to replicate data to other Authentication Servers:<br />
1. Click on the Replication tab.<br />
2. Tick the Enable Replication checkbox.<br />
3. Add at least one destination server (see 11.1.10.2 Set up Replication to Another<br />
Authentication Server below)<br />
4. Click on Apply.<br />
11.1.10.2 Set up Replication to Another Authentication Server<br />
1. Click on the Replication tab.<br />
2. Click on Add...<br />
3. Enter a display name for the destination Authentication Server.<br />
4. Enter the IP address and port to use in connecting to the Authentication Server.<br />
5. Click on OK.<br />
11.1.10.3 Configure Local Replication Settings<br />
1. Click on the Replication tab.<br />
2. Enter a maximum and minimum reconnect interval.<br />
3. The replication queue file holds data which is yet to be replicated to other<br />
Authentication Servers. If you wish to change the location of the replication queue file,<br />
modify the File Path field. This directory must already exist.<br />
4. Set a maximum size for the file. If the file reaches this size, replication queue entries<br />
will no longer be writable to the file, and the Authentication Server will cease<br />
processing authentication and administration requests that result in a database<br />
update.<br />
5. The maximum number of retries specifies how many times the Authentication Server<br />
should attempt to resend entries in the replication queue that failed at the destination<br />
server. Enter a number in the Max Retries field.<br />
6. The retry interval specifies how long the Authentication Server should wait before<br />
attempting to resend entries in the replication queue that failed at the destination<br />
server. Enter a number of seconds in the Retry Interval field.<br />
7. Click on OK.<br />
11.1.11 Virtual Digipass Text Message<br />
An advanced setting is available to customize the text message used for Virtual Digipass<br />
logins. This is useful if you do not want to use the default message Your One Time Password is<br />
followed by the OTP. This setting is not available in the Configuration GUI but can be added<br />
into the configuration file using a text editor.<br />
Inside the section, the following line should be added:<br />
<br />
where ????? should be replaced by your message.<br />
If the OTP should be at the end of the message, the setting value should be just the fixed part<br />
of the message. The server will add a space before the OTP value if the fixed part does not end<br />
with a whitespace character.<br />
For example, if the OTP is 474747 and the setting is:<br />
<br />
then the text message will be: Password: 474747<br />
If the OTP should be at the start or in the middle of the message, the setting value should<br />
contain a placeholder [OTP] at the position where the OTP is required.<br />
For example, if the OTP is 838383 and the setting is:<br />
<br />
then the text message will be: Use 838383 to logon<br />
After modifying this setting and saving the file, the server requires a restart before the new<br />
setting will take effect. Restart the Digipass Authentication Server Service.<br />
Caution<br />
If your message will include non-English characters, make sure that the file<br />
dpauthserver.xml is stored in UTF-8 encoding. One way to ensure this is to<br />
open the file in Notepad and use the File->Save As... menu option. The Save<br />
As dialog allows you to choose UTF-8 in the Encoding drop-down list.<br />
Limitations<br />
If your message will include non-English characters, the HTTP gateway web site must be<br />
expecting UTF-8 encoded data. There is currently no way to specify a different encoding<br />
to be used according to your HTTP gateway.<br />
The Active Directory Users and Computers Extension does not have access to the<br />
server's configuration file, and will therefore still deliver the default message when using<br />
the Test Virtual Digipass dialog.<br />
11.1.12 Configuration File<br />
The Configuration GUI for the Authentication Server writes to an .xml file named<br />
dpauthserver.xml in the install/bin directory. It is possible to edit this file directly instead of<br />
using the Configuration GUI, but this is not recommended. You will need to restart the Digipass<br />
Authentication Server Service using the Windows Service Control Manager after editing and<br />
saving the file before the changes will take effect.<br />
Note<br />
The file is UTF-8 encoded – do not put any non-UTF-8 characters into the file.<br />
It is also case-sensitive.<br />
Example Configuration File<br />
11.2 MDC<br />
11.2.1 Required Information<br />
To configure gateway settings you will need:<br />
Gateway details:<br />
Protocol to use in connecting to the gateway.<br />
An address string and port to use in connecting to the gateway.<br />
The path and filename of a certificate file, if required.<br />
The required Query String.<br />
The Query Method (GET or POST) required by the gateway.<br />
OR<br />
A customized configuration file ordered from your VASCO supplier. This will need to be<br />
imported using the Configuration GUI.<br />
Username and password for the gateway account.<br />
11.2.2 MDC Configuration GUI<br />
A Graphical User Interface (GUI) is available for use in configuring the MDC. To open the MDC<br />
Configuration GUI, click on the Start Button and select Programs -> VASCO -> <strong>VACMAN</strong><br />
<strong>Middleware</strong> 3 -> Virtual Digipass MDC Configuration.<br />
Note<br />
The MDC must be restarted after any change is made in the Configuration GUI.<br />
11.2.2.1 Modify Gateway Account Login Details<br />
The MDC needs a Username and password for the gateway in order to send text messages<br />
through it.<br />
1. Modify the Username if needed.<br />
2. Change the Password and Confirm Password fields if required.<br />
The Password and Confirm Password fields must contain identical data.<br />
11.2.2.2 Configure Internet Connection Details<br />
Enable or disable the use of an HTTP Proxy and enter details if required.<br />
1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy<br />
checkbox.<br />
2. If required, enter an IP address, port and timeout for the HTTP Proxy.<br />
3. Enter a maximum number of internet connections to allow in the Max. Connections<br />
field.<br />
11.2.2.3 Configure Tracing<br />
The MDC makes use of a trace file to record information about events that occur on the<br />
system, for use in troubleshooting. This could include generic information, changing<br />
conditions, or problems and errors that have been encountered.<br />
The level of tracing that the MDC employs depends on its configuration settings.<br />
Caution<br />
Enabling Full Tracing should only be done for troubleshooting purposes. There<br />
are no limits set on the size of the tracing file, so if the option is left on too<br />
long on a high-load system the file may dramatically slow down or crash<br />
Windows, due to excessive I/O or filling up the hard drive. This is not highly<br />
likely for MDC, but should be considered.<br />
Because there are no size limitations set on the trace file, it is not recommended that you have<br />
tracing permanently enabled. If your system is set up with Basic Tracing always enabled,<br />
ensure that the file size does not cause problems by deleting or archiving it whenever it gets<br />
too large.<br />
Basic tracing includes:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Full tracing includes:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Informational messages [INFOR]<br />
Data tracing messages [DATA]<br />
Debugging messages (useful for support purposes) [DEBUG]<br />
Security messages, messages that may contain security sensitive data [SECUR]<br />
Turn Tracing On or Off<br />
1. Select a Tracing option.<br />
2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the<br />
tracing file into the File Name field.<br />
The file path entered must be the full absolute path.<br />
Note<br />
If the File Name field is left blank or the file path does not exist, the MDC will<br />
not output tracing. If the file does exist, tracing will be appended to the file. If<br />
it does not exist, it will be created.<br />
11.2.2.4 Import HTTP Gateway settings<br />
Import a customized configuration file ordered from your VASCO supplier, containing the<br />
configuration details for your gateway needed by the MDC.<br />
1. Click on the Gateway Settings tab.<br />
2. Enter a name for the gateway.<br />
3. Click on Import Settings.<br />
4. Select a file from the Browse window.<br />
5. Click on OK.<br />
The import progress will be displayed.<br />
6. Click on OK.<br />
11.2.2.5 Edit Advanced Settings<br />
1. Click on the Gateway Settings tab.<br />
2. Ensure that the Edit Advanced Settings checkbox is ticked.<br />
3. Select a protocol to use in connecting to the gateway from the Protocol drop down list<br />
(typically HTTP).<br />
4. Enter an address string to use in connecting to the gateway in the Address field.<br />
5. Enter a port in the Port field (typically 80 for HTTP connections).<br />
6. Enter the path and filename of a certificate file if required.<br />
7. Modify the Query String field if required.<br />
Example Query String:<br />
username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message=[otp_msg]<br />
8. Select a Query Method according to what the gateway requires (typically POST).<br />
11.2.2.6 Export HTTP Gateway settings<br />
Once you have entered the necessary gateway configuration information into the Configuration<br />
GUI, you may wish to export the settings into a file for backup purposes or to transfer to<br />
another server.<br />
1. Click on the Gateway Settings tab.<br />
2. Ensure that the Edit Advanced Settings checkbox is ticked.<br />
3. Click on Export Settings.<br />
4. Select a directory from the Browse window.<br />
5. Enter a filename.<br />
6. Click on OK.<br />
The export progress will be displayed.<br />
11.2.2.7 Gateway Result Pages<br />
A result page is returned by the gateway service when a text message is submitted by the GET<br />
or POST methods. This page would normally be an HTML-formatted page containing specific<br />
error codes and/or additional messages for success/failure.<br />
Result messages are generally categorized into three types:<br />
Information<br />
Success of message delivery (the message has been accepted by the server).<br />
Warning<br />
The submission/delivery failed, but it is most likely a specific error only affecting this User.<br />
The User’s login will fail on the first step. Possible causes are:<br />
Phone number invalid<br />
Temporary gateway failure<br />
Error<br />
Error(s) occurred while attempting delivery. This means that the delivery failed for a particular<br />
User, but the error might be affecting all Users. In this case, the User’s login will fail<br />
immediately. Possible such errors are:<br />
Account data incorrect (Account User or password wrong)<br />
Account credit expired (for a pre-paid gateway account)<br />
Communication error with gateway (network error)<br />
Other permanent gateway errors<br />
Audit Console Logging<br />
A gateway result page can be recognized by key words and phrases, and an alternate message<br />
created for logging to the audit console whenever the result is received. Variables can be<br />
extracted from the result page and used in the log message to provide extra information.<br />
Result Page Rules<br />
The result page rule patterns use the following syntax:<br />
[Var-Name1] [] [Var-Name2] …<br />
Where the template is constructed in the following way:<br />
: a character string which must be matched in the page returned by the<br />
gateway. Note that multiple can appear in a single template, but they<br />
must not be overlapping. Matching is case-sensitive.<br />
[]: Omits a variable part of the result page between two segments, when<br />
matching a template. This can be useful to ignore arbitrary data or time/date data in the<br />
returned web page.<br />
[Var-Namex]: Describes a segment of the result page between two <br />
segments or at the end of the result page, which will be written to a variable. Usually<br />
this will be data that can provide more detailed information why a particular message<br />
submission has failed. The variable name inside the [] brackets can then be used as part<br />
of the audit message template to create a meaningful message.<br />
Example<br />
If the server returns the following result page<br />
“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in<br />
progress.”<br />
for successful transmission, or<br />
“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short”<br />
for an unsuccessful submission, then the following result page rules can be configured:<br />
Message Rule Name: Success<br />
Message Rule Pattern: successful at [DateTime], status: [Status] – [Message]<br />
Variables retrieved: DateTime, Status, Message<br />
Message Rule Name: Warning<br />
Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message]<br />
Variables retrieved: DateTime, Message<br />
Message Rule Name: Error<br />
Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message]<br />
Variables retrieved: DateTime, Status, Message<br />
No Match Available<br />
If no Rule matches a Result page returned, an error will be logged to the Audit Console,<br />
reporting that the result page returned from the gateway could not be matched.<br />
Ordering Rules<br />
The order of the result page templates in the configuration data can be used to match more<br />
specific messages first and finally catch any “other” message which the gateway might send.<br />
Audit message template<br />
Once a result page template is matched, a corresponding audit message is constructed with the<br />
variables retrieved from the result page rule.<br />
The message template will use the following syntax:<br />
[VAR-Name1] [Var-Name2] …<br />
: a character string which will appear literally in the constructed audit<br />
message.<br />
[Var-Namex]: Variable which is derived from the matched variables from the<br />
corresponding result page template.<br />
The following variables are predefined and can be used in the audit message template:<br />
Table 56: MDC Audit Message Variables<br />
[otp_dest] The destination address (a mobile phone number) the OTP was sent to.<br />
[otp_msg] The message that was submitted. This variable will also contain the OTP, so it should not be used<br />
for the construction of audit messages.<br />
[acc_user] Account name for the gateway. Not recommended for use in audit messages.<br />
[acc_pwd] Account password for the gateway. Not recommended for use in audit messages.<br />
[Username] The User ID of the User requesting the OTP.<br />
Examples of variable use:<br />
Insufficient credit on account [acc_user] when sending to [username]<br />
Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]<br />
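The result page rules, the audit message template and the Table 56 variables above, worked through as one added model (constructed example, not VASCO's code; the MDC's real matcher is not published here). Assumptions: a literal segment may match anywhere in the page (substring, case-sensitive), [] skips any text, [Var-Name] captures up to the next literal segment or the end of the page, rules are tried in configured order with the first match winning, template variable names are looked up case-insensitively, and [otp_msg] and [acc_pwd] are redacted rather than merely discouraged, which is an added safeguard:

```python
"""Gateway result page rules and audit message templates, as a worked model.

Constructed example, not VASCO code. See the lead-in for the assumptions made
about matching semantics; the sample rules and pages are built from the
manual's example, with a plain hyphen used consistently as the separator.
"""
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r"\[([^\]]*)\]")   # [] wildcard or [Var-Name] capture

# Table 56: these carry the OTP or the gateway password. This example redacts
# them in audit messages instead of only advising against their use.
SENSITIVE = {"otp_msg", "acc_pwd"}


@dataclass(frozen=True)
class ResultRule:
    name: str       # Description
    level: str      # Audit Message Level: Info, Warning or Error
    pattern: str    # Matching Pattern (result page rule)
    message: str    # Message Text (audit message template)


def compile_rule(pattern):
    """Turn a rule pattern into a regex plus the captured variable names."""
    names, parts, pos, ends_with_var = [], [], 0, False
    for m in TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))   # literal segment
        name = m.group(1)
        if name:
            names.append(name)
            parts.append("(.*?)")        # [Var-Name]: capture, shortest span
        else:
            parts.append("(?:.*?)")      # []: skip arbitrary text
        pos, ends_with_var = m.end(), True
    if pos < len(pattern):
        parts.append(re.escape(pattern[pos:]))
        ends_with_var = False
    # A trailing variable runs to the end of the result page.
    regex = "".join(parts) + ("$" if ends_with_var else "")
    return re.compile(regex, re.DOTALL), names


def match_page(rules, page):
    """Return (rule, captured variables) for the first matching rule, else (None, {})."""
    for rule in rules:
        regex, names = compile_rule(rule.pattern)
        found = regex.search(page)
        if found:
            return rule, dict(zip(names, found.groups()))
    return None, {}


def build_audit_message(template, captured, predefined):
    """Fill [Var-Name] placeholders from captured, then predefined, variables."""
    env = {k.lower(): v for k, v in {**predefined, **captured}.items()}

    def replace(m):
        name = m.group(1).lower()
        if name in SENSITIVE:
            return "[redacted]"
        return env.get(name, m.group(0))   # unknown names are left as typed

    return TOKEN_RE.sub(replace, template)


def audit_result_page(rules, page, predefined):
    """Produce the (level, message) pair that would go to the Audit Console."""
    rule, captured = match_page(rules, page)
    if rule is None:
        return "Error", "Result page returned from the gateway could not be matched"
    return rule.level, build_audit_message(rule.message, captured, predefined)


# Rules built from the manual's example. The failure rules come first: under
# substring matching "successful at" also occurs inside "unsuccessful at", and
# the specific status-47 rule must precede the generic status rule.
RULES = [
    ResultRule("Warning", "Warning",
               "unsuccessful at [DateTime], status: 47 - [Message]",
               'Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]'),
    ResultRule("Error", "Error",
               "unsuccessful at [DateTime], status: [Status] - [Message]",
               "Gateway error [Status] for account [acc_user] at [DateTime]: [Message]"),
    ResultRule("Success", "Info",
               "successful at [DateTime], status: [Status] - [Message]",
               "OTP sent to [otp_dest] for User [Username] at [DateTime]: [Message]"),
]

# Constructed predefined variables (Table 56) for one OTP submission.
PREDEFINED = {
    "otp_dest": "+15555550100",
    "otp_msg": "Your One Time Password is 474747",
    "acc_user": "gwaccount",
    "acc_pwd": "gw-secret",
    "Username": "jsmith",
}

if __name__ == "__main__":
    for page in (
        "Submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.",
        "Submission unsuccessful at 10:05, 11/11/02, status: 47 - number too short",
        "Submission unsuccessful at 10:07, 11/11/02, status: 12 - account credit expired",
        "<html>Service temporarily unavailable</html>",
    ):
        print(audit_result_page(RULES, page, PREDEFINED))
```

Reversing the rule order makes the "Success" rule claim the unsuccessful page, which is the ordering problem the manual's "Ordering Rules" note warns about.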
Modify a Gateway Result Message Rule<br />
Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked.<br />
1. Click on the Gateway Results tab.<br />
2. Select a Rule to modify.<br />
3. Click on Edit.<br />
4. Make any required changes.<br />
5. Click on OK.<br />
Add a Gateway Result Message Rule<br />
1. Click on the Gateway Results tab.<br />
2. Click on Add.<br />
3. Enter a descriptive name for the Rule in the Description field.<br />
4. Enter the full text or a partial match of the text displayed by the gateway in the<br />
Matching Pattern field.<br />
5. Select an Audit Message Level for the Rule.<br />
Each level of message will be displayed with a different color background in the Audit<br />
Console.<br />
Info – normal<br />
Warning – yellow<br />
Error – red<br />
6. Enter the message text you wish the User to see into the Message Text field.<br />
7. Click on OK.<br />
11.2.3 MDC Configuration File<br />
The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install/bin<br />
directory. It is possible to edit this file directly instead of using the MDC Configuration GUI.<br />
Example Configuration File<br />
Caution<br />
The configuration file is UTF-8 encoded. Non-UTF-8 encoded characters should<br />
not be added to the configuration file, or it will not load.<br />
11.2.4 Configuration Settings<br />
The table below lists the options, their default values, and a brief explanation of each.<br />
Table 57: Message Delivery Component Configuration Settings<br />
Option Name | Config. GUI Field | Default Value | Notes<br />
General tab<br />
Server/IP | Server IP Address | | This string is the IP address of the local server. It needs to correspond with the licensing as well as the IP address configured for the server. Data type: String with valid IP4 address or hostname that can be resolved through DNS.<br />
Server/Port | Port | 20003 | This integer is the TCP/IP port on which the local server is listening. Must correspond with the RADIUS server settings. Data type: Integer with valid Port address (1-65535).<br />
Gateway/ProxyIP | Proxy IP | | IP address of the HTTP proxy used by the MDC to contact the HTTP gateway. This can be used when the firewall settings do not allow a direct connection. Empty - no proxy being used. Data type: String with valid IP4 address.<br />
Gateway/ProxyPort | Port | | Port number to contact the HTTP proxy on. Must be supplied if the ProxyIP setting is used. Data type: Integer with valid Port address (1-65535).<br />
Gateway/Timeout | Proxy Timeout | 30 | Time in seconds that the MDC will wait on a response from the HTTP/gateway. Data type: Integer.<br />
Gateway/MaxConnections | Max Connections | 10 | Maximum allowed number of concurrent connections to the HTTP gateway. Data type: Integer (1-100).<br />
Tracing/TraceFile | File Name | | The file that tracing output should be written to. None – no tracing. Data type: String.<br />
Tracing/TraceMask | Tracing | 0 | The tracemask specifies how much tracing is done. 0 – no tracing, 1 – basic tracing, 2 – full tracing. Data type: Integer.<br />
Gateway-Acnt/Username | Username (General tab) | | Sets the account Username for the HTTP gateway. The given value will be used as content for the variable [acc_User] in the query string. Data type: String.<br />
Gateway-Acnt/Password | Password & Confirm Password (General tab) | | Sets the account password for the HTTP gateway. The given value will be used as content for the variable [acc_pwd] in the query string. Data type: String.<br />
Gateway Settings tab<br />
Gateway/Description | Gateway Name | | This is an informational field, naming or describing the HTTP gateway. It can be set to provide a description for a particular service, but is ignored by the MDC. Data type: String.<br />
Gateway/HTTPMethod | Query Method | POST | Designates either the GET or POST method for use in transferring account and message data to the HTTP/HTTPS gateway. Data type: String (“GET” or “POST”).<br />
Gateway/URL | Protocol and Address | | Required parameter. Sets the URL to the HTTP gateway. The address should not contain any variables, but it should contain the protocol identifier. Note: the protocol identifier “https://” can be used to SSL-encrypt the link between the MDC and the HTTP gateway. In this case it is required to specify a filename where the server certificates can be found. Data type: String.<br />
Gateway/ Query String
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Configuration Settings<br />
Option<br />
Name<br />
Config.<br />
GUI Field<br />
Default<br />
Value<br />
Notes<br />
HTTPQuery parameter> the http server, either using POST or GET (as specified by HttpGw-<br />
Method). This string must contain all required variables that are<br />
expected by the HTTP gateway. Contained in the query string must be<br />
the following parameters which will be set by the MDC before submitting<br />
the query:<br />
[acc_user] specifies the account name for the gateway which will be<br />
used to submit the information§<br />
[acc_pwd]password for the gateway account specified by the<br />
[Username] parameters§<br />
[otp_msg]specifies the part of the query string, where the OTP message<br />
will be substituted§<br />
[otp_dest]specifies the part of the query string, where the destination<br />
for the OTP (usually the mobile phone number) will be substituted.The<br />
query string should also incorporate any other parameters which might<br />
be expected by the gateway.Example:Data type: String<br />
Gateway/<br />
CertFile<br />
Certificate<br />
File<br />
Gateway Results tab<br />
Results/<br />
Resultnn/<br />
Name<br />
Results/<br />
Resultnn/<br />
Pagematch<br />
Results/<br />
Resultnn/<br />
MsgType<br />
Results/<br />
Resultnn/<br />
Message<br />
11.3 CGI<br />
.\curl-cabundle.crt<br />
When using the HTTPS protocol, the server certificate file is used to<br />
authenticate the message gateway and to derive the data encryption<br />
keys. It can contain either one or multiple server certificates.The file<br />
needs to be PEM-encoded,X.509 compliant certificate.It can be created<br />
by exporting the required Root CA from any browser (eg. Internet<br />
Explorer) using the base-64 format - equivalent to PEM.Data type:<br />
String<br />
Description Name of this entry, as displayed by the MDC Configuration GUI. This<br />
field has no functional meaning.Data type: String<br />
Matching<br />
Pattern<br />
Audit<br />
Message<br />
Level<br />
Message<br />
Text<br />
<br />
Result Page Template to match the result page returned by the HTTP<br />
service. If this template is matched, the corresponding audit message is<br />
composed and returned to the Authentication Server Audit<br />
message.Data type: String<br />
2 Type of message to appear in the audit log:0 INFO – informational<br />
message (login on)1 WARNING – warning message (login fails)2<br />
ERROR – error message (login fails)Data type: Integer (0-2)<br />
<br />
Audit Message Template for the message to be compiled and sent back<br />
to the Authentication Server. The message is returned as Information,<br />
Warning or Error, depending on the MsgType parameter in the same<br />
section. Includes [variable] options.Data type: String<br />
See 9.2.1 Configuration Settings for VASCO CGI configuration settings and location.<br />
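Returning to the Message Delivery Component settings of Table 57, the following is an added worked example (written for this reference, not VASCO's own MDC code) of how the Gateway/HTTPQuery variables and the Results/Resultnn entries fit together: the [acc_user], [acc_pwd], [otp_msg] and [otp_dest] tokens are substituted into the query string, the request is shaped by Gateway/HTTPMethod, and the gateway's result page is matched against the Pagematch patterns to produce an audit message of the configured MsgType. The gateway host name, account values and result patterns are constructed; treating Pagematch as a regular expression and reporting an unmatched result page as an ERROR are assumptions of this example, since the document does not specify either.

```python
import re
from urllib.parse import quote_plus

# Constructed MDC-style settings mirroring the Gateway/*, GatewayAcnt/* and
# Results/Resultnn/* options of Table 57. Host name and values are made up.
SETTINGS = {
    "Gateway/HTTPMethod": "POST",
    "Gateway/URL": "https://sms-gateway.example.invalid/send",
    "Gateway/HTTPQuery": "user=[acc_user]&pass=[acc_pwd]&to=[otp_dest]&text=[otp_msg]",
    "GatewayAcnt/Username": "mdc-account",
    "GatewayAcnt/Password": "s3cret",
    # Assumption: Pagematch is treated as a regular expression; the document does
    # not specify the template syntax. MsgType: 0 INFO, 1 WARNING, 2 ERROR.
    "Results": [
        {"Name": "Accepted", "Pagematch": r"^OK \d+", "MsgType": 0,
         "Message": "OTP message delivered to [otp_dest]"},
        {"Name": "Bad destination", "Pagematch": r"INVALID_DEST", "MsgType": 1,
         "Message": "Gateway rejected destination [otp_dest]"},
    ],
}

LEVEL_NAMES = {0: "INFO", 1: "WARNING", 2: "ERROR"}
VAR_RE = re.compile(r"\[([A-Za-z_]+)\]")


def substitute(template, values, url_encode):
    """Replace [variable] tokens; names are matched case-insensitively because the
    document writes both [acc_User] and [acc_user]. Unknown tokens are left alone."""
    def repl(match):
        key = match.group(1).lower()
        if key not in values:
            return match.group(0)
        return quote_plus(values[key]) if url_encode else values[key]
    return VAR_RE.sub(repl, template)


def build_request(settings, otp_msg, otp_dest):
    """Return (method, url, body) for one gateway submission."""
    values = {
        "acc_user": settings["GatewayAcnt/Username"],
        "acc_pwd": settings["GatewayAcnt/Password"],
        "otp_msg": otp_msg,
        "otp_dest": otp_dest,
    }
    query = substitute(settings["Gateway/HTTPQuery"], values, url_encode=True)
    method = settings["Gateway/HTTPMethod"].upper()
    url = settings["Gateway/URL"]
    if method == "POST":
        return method, url, query               # account credentials travel in the body
    if method == "GET":
        sep = "&" if "?" in url else "?"
        return method, url + sep + query, None  # credentials become part of the URL
    raise ValueError("Gateway/HTTPMethod must be GET or POST")


def classify_result(settings, page, otp_dest):
    """Match the gateway's result page against the Results entries in order and
    return (MsgType, level name, audit message). Assumption: when nothing matches,
    the outcome is reported as an ERROR so a silent delivery failure is not lost."""
    for entry in settings["Results"]:
        if re.search(entry["Pagematch"], page):
            msg = substitute(entry["Message"], {"otp_dest": otp_dest}, url_encode=False)
            return entry["MsgType"], LEVEL_NAMES[entry["MsgType"]], msg
    return 2, "ERROR", "No result pattern matched gateway response"
```

The GET branch shows why POST is the default worth keeping: with GET the gateway account password and the OTP text are part of the request URL, which web servers and proxies routinely record in their access logs, whereas with POST they sit in the request body. Either way they cross the network in the clear unless Gateway/URL uses the “https://” identifier together with a Gateway/CertFile that lets the MDC authenticate the gateway.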
11.4 Digipass TCL Command Line Utility<br />
See 14.3 Configuration File for Digipass TCL Command Line Utility configuration settings and<br />
file location.<br />
12 Auditing<br />
Setting up auditing in the <strong>VACMAN</strong> <strong>Middleware</strong> requires three basic steps:<br />
1. Set up audit message destination. If this will be a text file or the Windows Event Log,<br />
no configuration is required.<br />
2. Configure auditing in the Authentication Server to send audit messages to the correct<br />
destination.<br />
3. Configure Audit Viewer to retrieve, filter and display audit messages.<br />
12.1 Text File<br />
12.1.1 Text File Name Variables<br />
A number of variables may be included in the name or path of an audit text file. Time/date<br />
variables will influence how often a new text file is created.<br />
Table 58: Audit Text File Name/Path Variables<br />
Variable | Notes<br />
{year} | Current year in format 'YYYY' eg. 2006<br />
{month} | Current month in format 'MM' eg. November becomes 11<br />
{mday} | Current day of the month in format 'DD' eg. 06<br />
{yday} | Current day of the year in format 'DDD' – this will be a number between 1 and 366<br />
{week} | Current week of the year in format 'WW' eg. the 6th week of the year will be 06<br />
{source} | The name of the program from which the audit message was received by the Audit System eg. Authentication Server<br />
Example<br />
Entering the following into the Log File field in the Authentication Server Configuration:<br />
c:\Audit Files\{source}\audit-{year}-{month}-{mday}.audit<br />
would cause:<br />
A directory named <strong>VACMAN</strong> <strong>Middleware</strong> 3 to be created in the Audit Files directory<br />
A new audit text file to be created daily<br />
A file named audit-2006-11-06.audit to be created on the 6th November 2006<br />
12.1.2 Configure Auditing to Text File<br />
1. Open the Authentication Server Configuration GUI.<br />
2. Click on the Auditing tab.<br />
3. Click on the Add... button.<br />
4. Select Text File from the drop down list.<br />
5. Click on OK.<br />
The Plugin window will be displayed.<br />
6. Enter a name to use for display purposes in the Display Name field.<br />
7. Tick the Enabled checkbox to enable auditing to this plug-in.<br />
8. Tick the Fail on Error checkbox if you want the Authentication Server to return an<br />
error if it fails to record an auditing message.<br />
9. Tick the Unhandled Only checkbox if messages should only be logged by this auditing<br />
plug-in if they have not been previously logged by any other plug-in.<br />
10. Select one or more audit message types to be logged by this plug-in:<br />
Error<br />
Warning<br />
Information<br />
Success<br />
Failure<br />
11. Enter the location and a name for the text file. See 12.1.1 Text File Name<br />
Variables for more information.<br />
12. To speed up the auditing process, tick the Always keep file open checkbox. This will<br />
mean that the file is locked while the Authentication Server is running.<br />
13. Tick the Use GMT/UTC checkbox to record dates and times in GMT/UTC. Otherwise,<br />
they will be recorded in local time. The text file will indicate the time zone used.<br />
14. Click on OK.<br />
15. Click on Apply.<br />
12.2 Windows Event Log<br />
1. Open the Authentication Server Configuration GUI.<br />
2. Click on the Auditing tab.<br />
3. Click on the Add... button.<br />
4. Select Event Log from the drop down list.<br />
5. Click on OK.<br />
The Plugin window will be displayed.<br />
6. Enter a name to use for display purposes in the Display Name field.<br />
7. Tick the Enabled checkbox to enable auditing to this plug-in.<br />
8. Tick the Fail on Error checkbox if you want the Authentication Server to return an<br />
error if it fails to record an auditing message.<br />
9. Tick the Unhandled Only checkbox if messages should only be logged by this auditing<br />
plug-in if they have not been previously logged by any other plug-in.<br />
10. Select one or more audit message types to be logged by this plug-in:<br />
Error<br />
Warning<br />
Information<br />
Success<br />
Failure<br />
11. Select a log type or enter a new log type to be created in the Log Type drop down<br />
list.<br />
12. Click on OK.<br />
13. Click on Apply.<br />
12.3 ODBC Audit Message Database<br />
12.3.1 Set up ODBC Database<br />
12.3.1.1 Create database<br />
See 3.1 Database Support for information on the ODBC databases supported by the <strong>VACMAN</strong><br />
<strong>Middleware</strong>.<br />
12.3.1.2 Create database schema<br />
Two tables are required in the database. These can be created by the DPDBadmin utility using<br />
the -audit parameter (see 3.8.1 Modify Database Schema), or manually.<br />
Table 59: Required Audit Database Tables<br />
Table Name | Purpose<br />
vdsAuditMessage | Basic audit message, including mandatory fields<br />
vdsAuditMsgField | Contains extra (non-mandatory) audit message fields which may be included in an audit message<br />
Image 2: Audit Database Table Relationships<br />
vdsAuditMessage Table<br />
This table will contain one record per audit message generated, with non-mandatory<br />
information held in the vdsAuditMsgField table.<br />
Table 60: vdsAuditMessage Required Fields<br />
Column Name | Data Type | Primary Key | Allow NULL | Details<br />
vdsTimeStamp | timestamp* | Yes | No | Date/time of event.<br />
vdsAMID | varchar(32) | Yes | No | 32 hex digit Audit Message ID (without “0x” prefix).<br />
vdsSource | varchar(64) | | No | Source component name.<br />
vdsType | integer | | No | Numeric type.<br />
vdsCode | varchar(8) | | No | Message code eg. “I-010003”.<br />
vdsDesc | varchar(255) | | No | Standard description for audit message.<br />
vdsCategory | varchar(32) | | No | Name of category eg. “Authentication”.<br />
* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an<br />
automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required.<br />
vdsAuditMsgField Table<br />
This table may contain several records for a single audit message.<br />
Table 61: vdsAuditMsgField Required Fields<br />
Column Name | Data Type | Primary Key | Allow NULL | Details<br />
vdsTimeStamp | timestamp* | Yes | No | Date/time of event.<br />
vdsAMID | varchar(32) | Yes | No | 32 hex digit AMID (without “0x” prefix).<br />
vdsFieldID | integer | Yes | No | Integer (dataset) ID of optional field.<br />
vdsFieldValue | varchar(1024) | No | Yes | Value of optional field, represented as string.<br />
* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an<br />
automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required.<br />
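As an added illustration of the two-table layout in Tables 60 and 61 (this is example code written for this reference, not VASCO's DPDBadmin utility or Audit Viewer), the schema below is created in an in-memory SQLite database standing in for the ODBC data store, one message is written together with its optional fields, and the messages are reassembled the way a reader with Read permission on both tables would query them. SQLite has no DATETIME type, so vdsTimeStamp is held as text with millisecond precision; the field IDs 1 and 2, the second message's code and the timestamps are constructed sample values.

```python
import re
import sqlite3

# Schema following Tables 60 and 61. The composite primary keys are the ones the
# tables list; the (vdsTimeStamp, vdsAMID) pair is what links a field row to its message.
SCHEMA = """
CREATE TABLE vdsAuditMessage (
    vdsTimeStamp TEXT         NOT NULL,   -- DATETIME/DATE in the ODBC databases
    vdsAMID      VARCHAR(32)  NOT NULL,
    vdsSource    VARCHAR(64)  NOT NULL,
    vdsType      INTEGER      NOT NULL,
    vdsCode      VARCHAR(8)   NOT NULL,
    vdsDesc      VARCHAR(255) NOT NULL,
    vdsCategory  VARCHAR(32)  NOT NULL,
    PRIMARY KEY (vdsTimeStamp, vdsAMID)
);
CREATE TABLE vdsAuditMsgField (
    vdsTimeStamp  TEXT          NOT NULL,
    vdsAMID       VARCHAR(32)   NOT NULL,
    vdsFieldID    INTEGER       NOT NULL,
    vdsFieldValue VARCHAR(1024),
    PRIMARY KEY (vdsTimeStamp, vdsAMID, vdsFieldID)
);
"""

AMID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def valid_amid(amid):
    """vdsAMID must be exactly 32 hex digits with no '0x' prefix."""
    return bool(AMID_RE.match(amid))


def insert_message(conn, ts, amid, source, mtype, code, desc, category, fields=()):
    """Write one audit message plus its optional fields in a single transaction,
    refusing a malformed AMID before anything reaches the database."""
    if not valid_amid(amid):
        raise ValueError("vdsAMID must be 32 hex digits without 0x prefix: %r" % amid)
    with conn:  # commits on success, rolls back if any statement fails
        conn.execute(
            "INSERT INTO vdsAuditMessage VALUES (?, ?, ?, ?, ?, ?, ?)",
            (ts, amid, source, mtype, code, desc, category))
        conn.executemany(
            "INSERT INTO vdsAuditMsgField VALUES (?, ?, ?, ?)",
            [(ts, amid, fid, val) for fid, val in fields])


def load_messages(conn):
    """Reassemble each message with its optional fields, oldest first."""
    rows = conn.execute(
        "SELECT vdsTimeStamp, vdsAMID, vdsSource, vdsType, vdsCode, vdsDesc, vdsCategory "
        "FROM vdsAuditMessage ORDER BY vdsTimeStamp").fetchall()
    messages = []
    for ts, amid, source, mtype, code, desc, category in rows:
        fields = dict(conn.execute(
            "SELECT vdsFieldID, vdsFieldValue FROM vdsAuditMsgField "
            "WHERE vdsTimeStamp = ? AND vdsAMID = ? ORDER BY vdsFieldID", (ts, amid)))
        messages.append({"vdsTimeStamp": ts, "vdsAMID": amid, "vdsSource": source,
                         "vdsType": mtype, "vdsCode": code, "vdsDesc": desc,
                         "vdsCategory": category, "fields": fields})
    return messages


def open_sample_db():
    """Create the schema and load constructed sample rows. Field IDs 1 and 2 and the
    code W-000001 are made up for the example, not VASCO's real dataset IDs or codes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    insert_message(conn, "2006/11/06 11:05:32.123", "0123456789abcdef0123456789abcdef",
                   "Authentication Server", 0, "I-010003", "Constructed description",
                   "Authentication", fields=[(1, "admin"), (2, "192.0.2.10")])
    insert_message(conn, "2006/11/06 11:05:40.500", "fedcba9876543210fedcba9876543210",
                   "Authentication Server", 1, "W-000001", "Constructed warning text",
                   "Authentication")
    return conn


def duplicate_rejected(conn):
    """The (vdsTimeStamp, vdsAMID) primary key makes a replayed message fail."""
    try:
        insert_message(conn, "2006/11/06 11:05:32.123", "0123456789abcdef0123456789abcdef",
                       "Authentication Server", 0, "I-010003", "dup", "Authentication")
    except sqlite3.IntegrityError:
        return True
    return False
```

The split between the account used by the Authentication Server (Write on all tables) and the one used by the Audit Viewer (Read on all tables), described in 12.3.1.3 below, is what keeps a viewer's credentials from being usable to alter or delete audit history; the duplicate check above shows the primary key doing the same job against a message written twice.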
12.3.1.3 Create Database Account(s)<br />
Create at least one database account. These permissions are required for the Authentication<br />
Server and Audit Viewer:<br />
Program | Table | Permission(s) required<br />
Authentication Server | All | Write<br />
Audit Viewer | All | Read<br />
12.3.1.4 Create DSN on Authentication Server machine<br />
Create a Data Source Name for the database on the machine on which the Authentication<br />
Server is installed.<br />
12.3.1.5 Create DSN on Audit Viewer machine<br />
Create a Data Source Name for the database on the machine on which the Audit Viewer is<br />
installed.<br />
12.3.2 Configure Authentication Server<br />
1. Open the Authentication Server Configuration GUI.<br />
2. Click on the Auditing tab.<br />
3. Click on the Add... button.<br />
4. Select ODBC Database from the drop down list.<br />
5. Click on OK.<br />
The Plugin window will be displayed.<br />
6. Enter a name to use for display purposes in the Display Name field.<br />
7. Tick the Enabled checkbox to enable auditing to this plug-in.<br />
8. Tick the Fail on Error checkbox if you want the Authentication Server to return an<br />
error if it fails to record an auditing message.<br />
9. Tick the Unhandled Only checkbox if messages should only be logged by this auditing<br />
plug-in if they have not been previously logged by any other plug-in.<br />
10. Select one or more audit message types to be logged by this plug-in:<br />
Error<br />
Warning<br />
Information<br />
Success<br />
Failure<br />
11. Enter the DSN for the database.<br />
12. Enter the username and password of the database account to be used by the<br />
Authentication Server (if required).<br />
13. Click on OK.<br />
14. Click on Apply.<br />
12.3.3 Configure Audit Viewer<br />
Note<br />
A Data Source Name must be configured on the Audit Viewer computer for the<br />
database.<br />
1. Select New Audit Source -> ODBC Database from the File menu.<br />
2. Enter a display name to be used for the database within the Audit Viewer.<br />
3. Enter the Data Source Name for the database.<br />
4. Enter the User ID and password of an administrator account for the database.<br />
5. Tick the Store User ID and Password checkbox to save login details in the Audit Viewer.<br />
6. Click on OK.<br />
12.4 Live Connection - Authentication Server to Audit Viewer<br />
12.4.1 Configure Authentication Server<br />
1. Open the Authentication Server Configuration GUI.<br />
2. Click on the Auditing tab.<br />
3. Click on the Add... button.<br />
4. Select Live Connection from the drop down list.<br />
5. Click on OK.<br />
The Plugin window will be displayed.<br />
6. Enter a name to use for display purposes in the Display Name field.<br />
7. Tick the Enabled checkbox to enable auditing to this plug-in.<br />
8. Tick the Fail on Error checkbox if you want the Authentication Server to return an<br />
error if it fails to record an auditing message.<br />
9. Tick the Unhandled Only checkbox if messages should only be logged by this auditing<br />
plug-in if they have not been previously logged by any other plug-in.<br />
10. Select one or more audit message types to be logged by this plug-in:<br />
Error<br />
Warning<br />
Information<br />
Success<br />
Failure<br />
11. Enter the IP address and port number on which the Authentication Server will listen<br />
for auditing connections.<br />
12. Enter the maximum number of concurrent connections to allow.<br />
13. Click on OK.<br />
14. Click on Apply.<br />
12.4.2 Configure Audit Viewer<br />
15. Select New Audit Source -> Authentication Server from the File menu.<br />
16. Enter a display name to be used for the messages within the Audit Viewer.<br />
17. Enter the IP address of the Authentication Server.<br />
18. Enter the port on which the Authentication Server will listen for auditing connections.<br />
19. Click on OK.<br />
13 Tracing<br />
The level of tracing for the Authentication Server can be configured using the <strong>Administration</strong><br />
MMC Interface.<br />
Tracing messages will be recorded to a text file.<br />
13.1 Trace Message Types<br />
Table 62: Tracing Message Types<br />
Message Type Code | Notes | Examples<br />
[CRITC] | Critical error/warning | <br />
[MAJOR] | Major error/warning | [MAJOR] > Failed to execute command. Error <br />
[MINOR] | Minor error/warning | [MINOR]> Cannot get License Key from Component record<br />
[CONFG] | Configuration/initialization | [CONFG] > ODBC Database audit plugin is successfully loaded<br />
    [CONFG] > Component cache configured as:<br />
        max age : 900<br />
        max size : 1000<br />
        clean threshold : 800<br />
        min clean interval : 60<br />
[ALERT] | Alerts | [ALERT] > disconnecting from server.<br />
[INFO] | Informational messages | [INFO ] > Audit: {Info} {Initialization} {I-002002} {The Digipass Authentication library has been initialized successfully.}<br />
    [INFO ] > Creating Digipass object.<br />
[VINFO] | Verbose informational messages | [VINFO] > Event log source is <br />
    [VINFO][ODBCConnection::OpenConnection] > Established connection to ODBC database<br />
[DATA] | Data tracing | [DATA ] > Prepared SQL statement "SELECT vdsDomain, vdsDescription, vdsCreateTime, vdsModifyTime FROM vdsDomain ORDER BY vdsDomain"<br />
[TEMP] | Temporary data values | [TEMP ] > Updated list is <br />
[RESRC] | Resource usage | [RESRC] > Socket Bound to <br />
[DEBUG] | Debugging (useful for support purposes) | [DEBUG] > Registering Binary with Event log for Source <br />
    [DEBUG] > Committed transaction<br />
[SECUR] | Security messages, messages that may contain security sensitive data | <br />
13.2 Trace Message Levels<br />
There are two tracing levels available when configuring tracing from the Configuration GUI –<br />
Basic and Full. This can be customised further if required by directly editing the configuration<br />
file. The message types recorded by each level are shown in the table below.<br />
Table 63: Tracing Message Levels<br />
Basic: CRITC, MAJOR, MINOR, CONFG, ALERT, INFO<br />
Full: CRITC, MAJOR, MINOR, CONFG, ALERT, INFO, VINFO, DATA, TEMP, RESRC, DEBUG, SECUR<br />
13.3 Trace Message Contents<br />
Basic and Full tracing levels output different amounts of information in trace messages.<br />
Table 64: Tracing Message Contents<br />
Trace Level Message Contents<br />
Basic [date_time] [thread ID] [level code] message<br />
Full [date_time] [thread ID] [level code] [internal function name] message<br />
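The following is an added example (written for this reference, not part of the VASCO product) that reads a trace file in the Basic and Full line formats of Table 64, counts the message types of Table 62, infers from Table 63 whether the file was written at Full level, and picks out the [SECUR] records, which the document says may carry security sensitive data and which therefore decide how tightly the trace file itself must be protected. The sample lines are constructed: the document does not give the exact date/time or thread ID formats, so the parser accepts any bracketed text in those two positions, and the SECUR message text is a placeholder.

```python
import re
from collections import Counter

# Message types recorded at each level (Table 63).
BASIC_LEVELS = {"CRITC", "MAJOR", "MINOR", "CONFG", "ALERT", "INFO"}
FULL_LEVELS = BASIC_LEVELS | {"VINFO", "DATA", "TEMP", "RESRC", "DEBUG", "SECUR"}

# Table 64: [date_time] [thread ID] [level code] [internal function name] message
# The function-name field is present only at Full level. Level codes are padded to
# five characters in the file, e.g. "[INFO ]", and the function name may follow the
# level code with no space, as in "[VINFO][ODBCConnection::OpenConnection]".
# Assumption: date/time and thread ID formats are undocumented, so any bracketed
# text is accepted there.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*\[(?P<thread>[^\]]+)\]\s*\[(?P<level>[A-Z]{4,5}) ?\]"
    r"\s*(?:\[(?P<func>[^\]]+)\])?\s*(?P<msg>.*)$"
)

# Constructed sample trace lines; timestamps, thread IDs and the SECUR text are made up.
SAMPLE_TRACE = """\
[2006/11/06 11:05:32.123] [0x0A1C] [CONFG] > ODBC Database audit plugin is successfully loaded
[2006/11/06 11:05:32.125] [0x0A1C] [INFO ] > Creating Digipass object.
[2006/11/06 11:05:33.001] [0x0B20] [VINFO][ODBCConnection::OpenConnection] > Established connection to ODBC database
[2006/11/06 11:05:33.004] [0x0B20] [DATA ][ODBCConnection::Query] > Prepared SQL statement "SELECT vdsDomain FROM vdsDomain"
[2006/11/06 11:05:34.010] [0x0B20] [SECUR][Session::Logon] > (placeholder for a message carrying sensitive data)
[2006/11/06 11:05:35.000] [0x0A1C] [MAJOR] > Failed to execute command.
this line is not a trace record
"""


def parse_trace_line(line):
    """Return a dict with ts, thread, level, func (None at Basic level) and msg,
    or None when the line is not a trace record."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].strip()
    return rec


def summarise_trace(lines):
    """Count message types, infer Basic or Full level from the codes present, and
    collect SECUR records for review of what the file exposes."""
    counts = Counter()
    secur = []
    unparsed = 0
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["level"]] += 1
        if rec["level"] == "SECUR":
            secur.append(rec)
    level = "Full" if any(code not in BASIC_LEVELS for code in counts) else "Basic"
    return {"counts": counts, "level": level, "secur": secur, "unparsed": unparsed}
```

A practical use of the summary is a periodic check that production servers are not left at Full level: the presence of any VINFO, DATA, TEMP, RESRC, DEBUG or SECUR code in the file is enough to tell, and a non-empty SECUR list is the signal that the file's access permissions need the same care as the audit database.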
14 Digipass TCL Command-Line <strong>Administration</strong><br />
14.1 Introduction<br />
Digipass TCL Command-Line <strong>Administration</strong> (DPCLA) allows interactive command-line and<br />
scripted administration of Digipass related data. It has a number of possible uses:<br />
Interactive command-line administration<br />
Scripted administration<br />
Complex bulk administration tasks<br />
Reporting on the data in the data store<br />
The DPCLA consists of the following components:<br />
DPADMINCMD<br />
This is a command-line program that can be used interactively or called from within a batch<br />
file, script or other program. This provides a command shell based on the TCL interpreter.<br />
VASCO TCL Extension Library<br />
The main functionality is provided by the VASCO extensions to TCL. This provides a set of<br />
additional commands in a “vasco” namespace.<br />
The extension library is used by DPADMINCMD, which loads the namespace automatically.<br />
However, if you have your own TCL environment already, you can load the extension library<br />
directly into it, without having to use DPADMINCMD. In that case, you will need to use the<br />
namespace qualifier.<br />
Other scripting environments such as Python, Perl and VBScript also have modules available<br />
that enable them to use TCL, allowing the VASCO extensions to be used in a variety of<br />
environments.<br />
TCL Runtime<br />
The <strong>VACMAN</strong> <strong>Middleware</strong> installation program also installs the TCL 8.4 runtime environment,<br />
which is necessary to run DPADMINCMD.<br />
Caution<br />
Windows command-line functions may be run from within the Digipass TCL<br />
Command-Line <strong>Administration</strong>. A new Windows command-line console may<br />
also be opened.<br />
14.1.1 Knowledge Requirements<br />
Digipass TCL Command-Line <strong>Administration</strong> is an extension of the TCL 8.4 scripting language,<br />
and administrators will require a basic competence in TCL in order to use the command-line<br />
utility. However, for simple usage, no great knowledge of TCL is required.<br />
For an introduction to TCL, see http://www.tcl.tk/about/language.html. Other pages on the<br />
www.tcl.tk web site may also provide useful background on TCL and its capabilities. For a more<br />
comprehensive tutorial, see http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html (but note<br />
that we install version 8.4, so there may be minor differences in 8.5).<br />
14.1.2 Data Store Connection<br />
DPCLA makes a direct connection to Active Directory in a similar way to the <strong>Administration</strong><br />
MMC Interface. Alternatively, if an ODBC or embedded database is used as the data store,<br />
DPCLA makes a connection to the Authentication Server.<br />
This connection requires an administrative login. In the case of Active Directory, an implicit<br />
login can be used based on your Windows login context, or you can specify explicit credentials.<br />
For ODBC, credentials are required exactly the same as the <strong>Administration</strong> MMC Interface.<br />
14.2 Using DPADMINCMD – Basics<br />
You can use TCL interactively with a command prompt or you can use it to run a script.<br />
14.2.1 Using an Interactive TCL Command Prompt<br />
Using DPADMINCMD to open an interactive TCL command prompt can be done as follows:<br />
1. Open a Windows command prompt in the \Bin directory.<br />
2. Enter the following command and press Enter:<br />
dpadmincmd<br />
A command prompt will be opened, at which you can enter TCL commands. DPADMINCMD<br />
automatically loads the VASCO TCL extensions, so that they can be used without needing to<br />
specify the VASCO 'namespace'.<br />
C:\Program Files\VASCO\<strong>VACMAN</strong> <strong>Middleware</strong>\Bin>dpadmincmd.exe<br />
Digipass TCL Command-Line <strong>Administration</strong> Version 3.0.0.12<br />
Copyright (C) VASCO Data Security Inc. 2006<br />
All rights reserved<br />
%<br />
Before any data administration commands will work, you need to perform an administrative<br />
logon, either directly to Active Directory or to the Authentication Server (for ODBC or<br />
embedded database).<br />
The Active Directory logon does not need explicit credentials if you are logged into Windows as<br />
an administrator with the necessary rights:<br />
% logon<br />
1<br />
%<br />
The ODBC or embedded database logon does need explicit credentials. The Active Directory<br />
logon can also be done with explicit credentials if necessary:<br />
% logon {userid admin password password}<br />
1<br />
%<br />
If the logon is successful, the output indicates a session number. Otherwise, an error message<br />
will be displayed.<br />
Once there has been a successful logon, you can enter other commands, for example:<br />
% user query {userid admin}<br />
{domain master userid admin has_dp Unassigned status 0 created {2006/05/11 11:05<br />
:32} modified {2006/05/11 11:05:32}}<br />
%<br />
To log off, use the logoff command; to exit, use the exit command.<br />
14.2.2 Running a Script<br />
Using DPADMINCMD to run a script requires an administration logon to be specified with<br />
command-line parameters, unless the script itself contains a logon command.<br />
For an implicit Active Directory logon, the -i (implicit) parameter is sufficient.<br />
For a logon requiring credentials, the -u (userid) and -p (password) parameters are required.<br />
1. Open a Windows command prompt in the \Bin directory.<br />
2. Enter the following command for an implicit logon and press Enter:<br />
dpadmincmd -i scriptname<br />
3. Or, enter the following command for an explicit logon and press Enter:<br />
dpadmincmd -u userid -p password scriptname<br />
The scriptname parameter can be a file name or path and file name.<br />
If your script requires parameters, enter these after the scriptname.<br />
Example<br />
dpadmincmd -i myscript.tcl param1 param2<br />
The script file must contain a sequence of TCL commands. DPADMINCMD will first perform the<br />
logon, and if successful, will execute each command in the script in sequence. The TCL<br />
language allows you to write simple sequential scripts or add more complex control flow,<br />
functions and so on.<br />
The script does not need to use the logoff or exit commands explicitly. DPADMINCMD will<br />
logoff the session if necessary at exit time.<br />
Character Substitution<br />
When using a non-printing ASCII character substitution (eg. \t for a horizontal tab) in a string,<br />
enclose the string in double quotes. If the string is enclosed in { }, the string will be displayed<br />
exactly as entered.<br />
eg. “Error: \t Component does not exist. \n \t \t Please check the Component name.” will be<br />
displayed as:<br />
Error: Component does not exist.<br />
Please check the Component name.<br />
Whereas {Error: \t Component does not exist. \n \t \t Please check the Component name.}<br />
will be displayed as:<br />
Error: \t Component does not exist. \n \t \t Please check the Component<br />
name.<br />
14.2.3 Help<br />
To access help from the command prompt, use these commands:<br />
Table 65: DPADMINCMD Help Commands<br />
Command | Notes<br />
help | Provides basic information about DPADMINCMD, including a list of all commands available.<br />
help <command> | Provides information about the specific command, including required parameters, optional parameters and available subcommands.<br />
help <command> <subcommand> | Provides information about the specific subcommand, including required and optional parameters.<br />
14.2.4 Command Parameters<br />
Some notes on command parameters in TCL:<br />
Parameters are given in list form: {field1 value1 field2 value2 ...}<br />
Parameter values that include whitespace require double quotes or { }, for example<br />
{field1 “value 1” field2 {value 2} ...}<br />
Commands may be substituted for parameters using square brackets, where the<br />
command will return the type of parameter(s) required. eg.<br />
foreach i [user query {domain master} {domain userid has_dp}] { puts $i }<br />
In this example, a query returns a list of Users with Digipass assigned, which is used in<br />
the foreach command.<br />
14.2.5 Result Output<br />
Results are typically returned in list form, with pairs of field names and values, eg:<br />
{domain master userid user0001 has_dp Assigned}<br />
Some commands do not return field information, only a simple message, eg:<br />
Created Component.<br />
Queries return a list of list results, with only the requested fields displayed. These may be<br />
formatted for better readability by wrapping the query in another command, eg:<br />
foreach i [user query {domain master} {domain userid has_dp}] { puts $i }<br />
The result from the example above will display each user record in the master domain on a<br />
separate line, and only display the requested fields (domain, userid and has_dp), eg:<br />
domain master userid admin has_dp Assigned<br />
domain master userid user0001 has_dp Unassigned<br />
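Section 14.1 notes that environments such as Python can drive the VASCO TCL extensions; whichever way the commands are run, the results come back in the TCL list form shown above. The following is an added example (written for this reference, not VASCO code) of a small Python reader for that form: it splits a TCL list respecting { } and "..." grouping, turns a field/value record into a dict, and handles the list-of-lists shape that queries return. The sample strings follow the output shown in 14.2.1 and 14.2.5 and are constructed; backslash escapes are not handled, which is enough for the output shown on this page.

```python
def tcl_split(text):
    """Split a TCL list into elements: whitespace separates elements, {...}
    groups (with nesting) and "..." groups. Backslash escapes are not handled."""
    items, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch.isspace():
            i += 1
        elif ch == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                if text[j] == "{":
                    depth += 1
                elif text[j] == "}":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unbalanced braces in TCL list")
            items.append(text[i + 1:j - 1])   # contents without the outer braces
            i = j
        elif ch == '"':
            j = text.find('"', i + 1)
            if j < 0:
                raise ValueError("unterminated quote in TCL list")
            items.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            items.append(text[i:j])
            i = j
    return items


def record_to_dict(record):
    """Turn one 'field1 value1 field2 value2 ...' record into a dict."""
    items = tcl_split(record)
    if len(items) % 2:
        raise ValueError("result list is not field/value pairs: %r" % record)
    return dict(zip(items[::2], items[1::2]))


def parse_query_output(output):
    """A query returns a list of records; a 'user get' returns a single braced
    record, which parses as a one-element list."""
    return [record_to_dict(rec) for rec in tcl_split(output)]


# Constructed sample output in the shape shown in 14.2.1 and 14.2.5.
SAMPLE_USER_GET = ("{domain master userid admin has_dp Unassigned status 0 "
                   "created {2006/05/11 11:05:32} modified {2006/05/11 11:05:32}}")
SAMPLE_USER_QUERY = ("{domain master userid admin has_dp Assigned} "
                     "{domain master userid user0001 has_dp Unassigned}")


def users_without_digipass(output):
    """Filter a user query result down to the user IDs whose has_dp is Unassigned."""
    return [r["userid"] for r in parse_query_output(output)
            if r.get("has_dp") == "Unassigned"]
```

Whitespace inside values, including the date/time fields, survives because the braces TCL puts around them (see 14.2.8) are honoured by the splitter; a result with an odd number of elements is rejected rather than silently mis-paired.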
14.2.6 Error Handling<br />
When an error occurs in a VASCO TCL Extension command, information about the error will be<br />
written to the standard TCL error variables. This allows error handling in scripts, and allows a<br />
user to obtain information about the last error received when using an interactive command<br />
line. For example, if this command was entered:<br />
% user get {userid doesnotexist}<br />
and a User with the ID of doesnotexist could not be found, then this error would be returned:<br />
Error code: Error message: <br />
Information about that error could be retrieved from standard TCL error variables using these<br />
commands:<br />
% puts $errorCode<br />
Returns:<br />
-13<br />
And<br />
% puts $errorInfo<br />
Returns:<br />
Error code: Error message: <br />
while executing<br />
"user get {userid doesnotexist}"<br />
14.2.7 International Characters<br />
DPADMINCMD supports international characters, but your console window must be able to<br />
support the characters or they will not display correctly. The Lucida Console font is typically<br />
used.<br />
14.2.8 Syntax Notes<br />
The following points should be remembered for basic interactive and scripted usage:<br />
Result values that include whitespace, including date/time values, are given { } by TCL<br />
Comments in scripts are preceded with a #<br />
A backslash character at the end of a line indicates that the command is continued on<br />
the next line.<br />
14.2.9 Sample Scripts<br />
Below are some sample scripts which perform basic tasks. They range in complexity to provide<br />
an example of what can be done, and the techniques required.<br />
Check if a Component Record exists<br />
This script checks for the existence of a RADIUS Client Component record with a specific IP<br />
address. If a Component record of that type and location does not exist, a message will be<br />
displayed onscreen.<br />
# Check if a specified RADIUS Client Component exists<br />
if [catch {component get {comp_type "RADIUS Client" location 192.168.122.213}} result] {<br />
    puts "Component does not exist: $result"<br />
}<br />
Create a Record if it doesn't exist<br />
This script builds on the previous sample to check for the existence of a RADIUS Client<br />
Component record and, if one does not currently exist, to create one. It requires a location<br />
parameter to be passed to the script when it is run from DPADMINCMD.<br />
# Get IP-address location from command-line argument<br />
set loc [lindex $argv 0]<br />
# Create the component if it does not exist<br />
if [catch "component get {comp_type {RADIUS Client} location $loc}" result] {<br />
    if [catch "component create {comp_type {RADIUS Client} \<br />
                                 location $loc \<br />
                                 policy_id {VM3 Local Authentication} \<br />
                                 shared_secret default \<br />
                                 protocol RADIUS}" result] {<br />
        puts "Error creating component: $result"<br />
    } else {<br />
        puts "Created component"<br />
    }<br />
} else {<br />
    puts "Component already exists"<br />
}<br />
To run this script from DPADMINCMD, you would need to use the following syntax:<br />
dpadmincmd -i scriptname loc<br />
Bulk User <strong>Administration</strong><br />
This script collects all Digipass User records belonging to the domain named Domain1 and<br />
unlocks any which were locked.<br />
# Get all the users of the domain Domain1<br />
if [catch {user query {domain Domain1}} users] {<br />
    puts "Unable to retrieve users: $users"<br />
} else {<br />
    # Loop for each user<br />
    foreach user $users {<br />
        # Get the user information into an array for easier access<br />
        array set userinfo $user<br />
        # Check if the locked information is present as it may not return a<br />
        # value if the user is not locked<br />
        if [info exists userinfo(locked)] {<br />
            # If the user is locked, try to unlock it<br />
            if [string equal $userinfo(locked) yes] {<br />
                if [catch "user update {userid $userinfo(userid) domain Domain1 locked no}" result] {<br />
                    puts "Error unlocking $userinfo(userid): $result"<br />
                } else {<br />
                    puts "Unlocked $userinfo(userid)"<br />
                }<br />
            }<br />
        }<br />
        # Clear-out the current user information before the next user, so that<br />
        # a stale locked value cannot carry over to a user that has none<br />
        # (array set with an empty list does not remove existing elements)<br />
        array unset userinfo<br />
    }<br />
}<br />
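A further sample, added here and not part of the VASCO documentation, that combines the error handling of 14.2.6 with the techniques of the samples above: it reports locked Digipass Users in one or more domains without changing any record, which is the check you would run before a bulk unlock. The domain names are passed as command-line arguments; the user query command and the userid, domain and locked fields are those used in the samples above, and the content of $errorCode after a failed query is assumed to follow 14.2.6.<br />

```tcl
# Report locked Digipass Users for each domain given on the command line,
# without modifying any record (added example, not from the VASCO manual).
# Run as:  dpadmincmd -i reportlocked.tcl Domain1 Domain2
if {[llength $argv] == 0} {
    puts "Usage: dpadmincmd -i reportlocked.tcl domain ..."
    exit 1
}

set checked 0
set locked 0

foreach dom $argv {
    # Query all users of the domain; [list ...] builds the argument list so
    # that a domain name containing spaces is still passed as one value
    if {[catch {user query [list domain $dom]} users]} {
        # On failure the standard TCL error variables describe the error
        # (see 14.2.6); report them and carry on with the next domain
        puts "Unable to retrieve users of $dom: $users (errorCode $errorCode)"
        continue
    }
    foreach user $users {
        # Start from an empty array for every user, so that a locked value
        # from the previous user cannot carry over when this one has none
        array unset userinfo
        array set userinfo $user
        incr checked
        if {[info exists userinfo(locked)] && [string equal $userinfo(locked) yes]} {
            incr locked
            puts "LOCKED  $userinfo(userid) (domain $dom)"
        }
    }
}
puts "$checked user(s) checked, $locked locked"
```

Because the script only reads records, it can be run by an administrator whose DPADMINCMD account has no update rights, and its output can be kept as a record of which accounts were locked before any unlock script is run.<br />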
14.3 Configuration File<br />
The Digipass Command Line Utility uses an XML file to store the configuration settings it needs.<br />
This file can be found at \Bin\dpadmincmd.xml.<br />
14.3.1 Sample Configuration File<br />
15 Replication<br />
15.1 Concepts<br />
Replication can be configured to allow multiple Authentication Servers to keep their data<br />
synchronized.<br />
Active Directory<br />
Where Authentication Servers use Active Directory as their data store, this allows faster<br />
replication of important information required for authentications. See 2.4 Active Directory<br />
Replication Issues for more information.<br />
ODBC Databases<br />
Where multiple Authentication Servers use different ODBC databases as their data stores,<br />
replication ensures that each database is up to date with the latest data changes.<br />
15.1.1 Replication Queue<br />
The replication queue for each Authentication Server which is configured as a replication<br />
destination is written to two files – a data and an index file – in \data. They<br />
are named according to the name given to the Authentication Server when configuring<br />
replication in the current Authentication Server Configuration GUI.<br />
15.1.2 Record-level Replication<br />
The replication method used by <strong>VACMAN</strong> <strong>Middleware</strong> involves replication of entire records,<br />
rather than individual record attributes. This means that data clashes can occur when a single<br />
record is updated at the same time from different sources. If this occurs, the later change will<br />
be the one chosen and written to the database. Superseded changes are ignored.<br />
15.1.3 Replication Process<br />
The writing of a data update to the replication queue (creating a replication entry) and<br />
sending a replication entry to another Authentication Server is handled by two separate<br />
processes.<br />
Write to Replication Queue<br />
The process which writes to the replication queue is run before any data changes are<br />
committed to the database. If the data change cannot be written to the replication queue –<br />
usually because the replication queue file has exceeded the maximum size allowed – the data<br />
change will not be committed to the database.<br />
Send Replication Queue Entry<br />
The other process sends replication entries from a replication queue to the required<br />
Authentication Server. If the destination Authentication Server cannot write the change to its<br />
database, it sends back a failure message. The process will:<br />
1. Leave the entry in the queue.<br />
2. Set a retry time for the entry (this depends on the Retry Interval set in the<br />
Configuration GUI).<br />
3. Attempt replication for the entry according to the number of retries set in the<br />
Configuration GUI. After the Maximum number of retries is reached, the entry is<br />
removed from the queue and its details audited.<br />
Note<br />
This does not include problems in connecting to the other Authentication<br />
Server. Queue retries will be suspended until the connection is re-established.<br />
15.1.4 Connection Handling<br />
When the Digipass Authentication Server service is started, the Authentication Server will<br />
establish a connection to each destination Authentication Server configured for replication. It<br />
will keep this connection open until the service is stopped or the connection is broken. If the<br />
connection is broken, it will attempt to reconnect after the minimum reconnect interval set in<br />
the Configuration GUI has elapsed. If that fails, it will continue to attempt reconnection at<br />
increasing time intervals until it reaches the maximum reconnect interval set in the<br />
Configuration GUI. It will continue to attempt reconnection at the maximum reconnect interval<br />
until it succeeds.<br />
The Authentication Server ceases replication efforts to the destination Authentication Server<br />
until the connection is re-established. This means that entries in the queue will not be lost<br />
because of a broken connection. Replication to other Authentication Servers will not be<br />
affected.<br />
A manual reconnect may be attempted at any time using the <strong>Administration</strong> MMC Interface, if<br />
the data store used by the Authentication Server is an ODBC database.<br />
15.1.4.1 Component Record<br />
It is important to note that an Authentication Server will not accept replication updates from<br />
another machine unless it has a Component record for that machine with the Component Type<br />
set to Authentication Server.<br />
15.1.5 Monitoring Replication<br />
15.1.5.1 Auditing<br />
Audit messages are recorded when:<br />
connections are made or fail<br />
an update send was successful<br />
an update send failed<br />
an update was received and the receiving server sent back a data update success<br />
an update was received and the receiving server sent back a data update failure<br />
15.1.5.2 <strong>Administration</strong> MMC Interface<br />
If the Authentication Server uses an ODBC database as its data store, the <strong>Administration</strong> MMC<br />
Interface will contain a Replication Status dialog. This dialog allows you to check the current<br />
status of replication for an Authentication Server. It also includes the number of entries<br />
currently in the replication queue.<br />
15.1.6 Forwarding Replication Entries<br />
Replication forwarding is required where more than two Authentication Servers are replicating,<br />
either in a simple replication chain or more complicated arrangement. The ID of the originating<br />
Authentication Server and the Authentication Server(s) to which it is sending the information<br />
are added to the replication entry. This allows the receiving Authentication Server to check<br />
which other Authentication Servers have already been sent the replication entry. It will forward<br />
the entry only to those Authentication Servers not listed.<br />
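A small model of this forwarding rule, added here as an illustration and not VACMAN code: each replication entry carries the originating Authentication Server and the list of servers it has already been sent to, and a receiving server forwards it only to those of its own destinations that are not in the list. The topology (a simple three-server chain, named as in 15.2.2.2), the entry layout (a three-element list of origin, sent-to list and record) and the send log are assumptions made for the illustration.<br />

```tcl
# Model of the forwarding rule in 15.1.6 (added illustration, not VACMAN
# code).  An entry is a list {origin sentto record}; sentto holds every
# server the entry has already been sent to, including the origin.

# Replication destinations configured on each Authentication Server: a
# simple chain SVR-1 <-> SVR-2 <-> SVR-3 (assumed topology)
array set destinations {
    SVR-1 {SVR-2}
    SVR-2 {SVR-1 SVR-3}
    SVR-3 {SVR-2}
}

# Every send as "from -> to", in the order it happens
set sendlog {}

# $server has received $entry: forward it only where it has not been yet
proc receive {server entry} {
    global destinations sendlog
    foreach {origin sentto record} $entry break
    # Destinations of this server that are not yet listed in the entry
    set targets {}
    foreach dest $destinations($server) {
        if {[lsearch -exact $sentto $dest] < 0} {
            lappend targets $dest
        }
    }
    if {[llength $targets] == 0} {
        return
    }
    # Add the new recipients before sending, so that each of them sees every
    # server already covered; this is what stops a receiver sending the entry
    # back to the server it came from, and stops loops where redundant links
    # (15.2.2.3) give more than one route between two servers
    set forwarded [list $origin [concat $sentto $targets] $record]
    foreach dest $targets {
        lappend sendlog "$server -> $dest"
        receive $dest $forwarded
    }
}

# A data change made on $server: the entry starts out listing only the
# originating server, which then sends it like any other server
proc originate {server record} {
    global sendlog
    set sendlog {}
    receive $server [list $server [list $server] $record]
    return $sendlog
}

puts [join [originate SVR-1 {userid alice locked no}] "\n"]
```

With the chain above, SVR-2 forwards the entry on to SVR-3 but not back to SVR-1, which is already listed. Adding the redundant link of 15.2.2.3 to the destinations array (SVR-1 and SVR-3 replicating to each other as well) shows the other half of the rule: SVR-1 sends to both neighbours at once, and neither forwards further because every server is then already in the list.<br />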
15.2 Configuring Replication<br />
15.2.1 Active Directory<br />
These instructions assume that you have two Authentication Servers currently installed and<br />
operational, using Active Directory as their data store.<br />
1. Stop the Digipass Authentication Server service on each machine.<br />
2. Configure Authentication Server 1 to replicate to Authentication Server 2.<br />
3. Configure Authentication Server 2 to replicate to Authentication Server 1.<br />
4. Restart the Digipass Authentication Server service on each machine.<br />
15.2.2 ODBC Database<br />
15.2.2.1 Configure Replication to a Second Authentication Server<br />
These instructions assume that you have one Authentication Server installed and operational<br />
(SVR-1), and wish to set up another Authentication Server (SVR-2) and replicate between the<br />
two.<br />
1. Install <strong>VACMAN</strong> <strong>Middleware</strong> on SVR-2.<br />
2. Configure SVR-2 identically (except IP addresses) to SVR-1, using the Configuration<br />
GUI or the configuration file.<br />
3. Ensure that SVR-2 is functioning correctly.<br />
4. On SVR-1, create a Component record for SVR-2. Ensure that the Component Type is<br />
Authentication Server.<br />
5. On SVR-1, load the License Key for SVR-2 into the Component record just created.<br />
6. Stop the Digipass Authentication Server service on SVR-1 and SVR-2.<br />
7. Take a complete copy of the database used by the Authentication Server on SVR-1. If<br />
you are using the embedded PostgreSQL database, see 6.1.6.3 Backup of<br />
Embedded Database for instructions.<br />
8. Configure the Authentication Server on SVR-1 to replicate to SVR-2.<br />
9. The Digipass Authentication Server service on SVR-1 may be restarted now if needed –<br />
it will build up a replication queue until it can connect to SVR-2.<br />
10. Overwrite the database used by the Authentication Server on SVR-2 with the copy<br />
from SVR-1. If you are using the embedded PostgreSQL database, see Step 2 of<br />
6.2.2.2 Restore Database, Authentication Server Undamaged.<br />
11. Configure the Authentication Server on SVR-2 to replicate to SVR-1.<br />
12. Restart the Digipass Authentication Server service on SVR-2. If you did not restart the<br />
service on SVR-1 earlier, restart it now.<br />
15.2.2.2 Configure Replication to a Third or Subsequent Authentication Server<br />
These instructions assume that you have two or more Authentication Servers replicating to<br />
each other, and wish to add another Authentication Server (SVR-3) in a simple replication<br />
chain.<br />
1. Select which Authentication Server (SVR-1 or SVR-2) will be replicating data with<br />
SVR-3. For these instructions, SVR-2 is assumed.<br />
2. Install <strong>VACMAN</strong> <strong>Middleware</strong> on SVR-3.<br />
3. Configure the Authentication Server on SVR-3 identically to that on SVR-2, using the<br />
Configuration GUI or the configuration file.<br />
4. Ensure that SVR-3 is functioning correctly.<br />
5. On SVR-2, create a Component record for SVR-3. Ensure that the Component Type is<br />
Authentication Server.<br />
6. On SVR-2, load the License Key for SVR-3 into the Component record just created.<br />
7. Stop the Digipass Authentication Server service on SVR-2 and SVR-3.<br />
8. Take a complete copy of the database used by the Authentication Server on SVR-2. If<br />
you are using the embedded PostgreSQL database, see 6.1.6.3 Backup of<br />
Embedded Database for instructions.<br />
9. Configure the Authentication Server on SVR-2 to replicate to SVR-3.<br />
10. The Digipass Authentication Server service on SVR-2 may be restarted now if needed<br />
– it will build up a replication queue until it can connect to SVR-3.<br />
11. Overwrite the database used by the Authentication Server on SVR-3 with the copy<br />
from SVR-2. If you are using the embedded PostgreSQL database, see Step 2 of<br />
6.2.2.2 Restore Database, Authentication Server Undamaged.<br />
12. Configure the Authentication Server on SVR-3 to replicate to SVR-2.<br />
13. Restart the Digipass Authentication Server service on SVR-3. If you did not restart the<br />
service on SVR-2 earlier, restart it now.<br />
15.2.2.3 Add Redundant Replication<br />
You may wish to add redundant replication to your system for extra protection in case<br />
of connection problems or data corruption. Redundant replication adds an extra link to a<br />
standard replication chain, so that replication can occur via more than one route.<br />
The instructions below assume a replication chain, with replication being added between a<br />
primary Authentication Server (P-SVR-2) and a backup Authentication Server (B-SVR-1).<br />
1. Configure the Authentication Server on B-SVR-1 to replicate to P-SVR-2.<br />
2. Configure the Authentication Server on P-SVR-2 to replicate to B-SVR-1.<br />
3. Restart the Digipass Authentication Server service on each machine.<br />
16 How to troubleshoot<br />
16.1 View Audit Information<br />
The Authentication Server can be configured to output audit messages to a number of<br />
locations:<br />
Windows Event Log<br />
Text file<br />
ODBC database<br />
Live audit feed<br />
If you are unsure how and where the Authentication Server is recording audit messages, open<br />
the Authentication Server Configuration GUI and click on the Auditing tab.<br />
16.1.1 Windows Event Log<br />
Filter for audit messages from the Authentication Server by:<br />
1. Click on View -> Filter...<br />
2. Select <strong>VACMAN</strong> <strong>Middleware</strong> 3 from the Event Source drop down list.<br />
3. Click on OK.<br />
16.1.2 Text file<br />
To view audit messages written to a text file by the Authentication Server, either open the text<br />
file directly, or use the Audit Viewer.<br />
See 12.1 Text File for information on configuring the Authentication Server to write audit<br />
messages to a text file and viewing audit text files in the Audit Viewer.<br />
16.1.3 ODBC Database<br />
To view audit messages written to an ODBC database by the Authentication Server, open the<br />
Audit Viewer.<br />
See 12.3 ODBC Audit Message Database for information on configuring the Authentication<br />
Server to write audit messages to an ODBC database and viewing audit messages from the<br />
database in the Audit Viewer.<br />
16.2 Tracing<br />
16.2.1 Authentication Server<br />
If you are having problems starting the Authentication Server or logging in via the<br />
Authentication Server, enabling tracing may allow you to track down the cause.<br />
1. Open the Authentication Server Configuration.<br />
2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of<br />
the Product Guide for more information).<br />
3. Enter a path and filename to which tracing information should be written, or use the<br />
default.<br />
4. Click on OK.<br />
5. Attempt a login.<br />
6. Check the trace file for information on the start-up conditions of the Authentication<br />
Server and of the login attempt.<br />
16.2.2 Web Sites<br />
Enabling tracing for the User Self Management Web Site or the OTP Request Site may allow<br />
you to find the cause of problems experienced. It is important that the Web Site not only have<br />
tracing enabled, but that it has sufficient permissions to access and write to the designated<br />
trace file.<br />
16.2.2.1 Enable Tracing<br />
1. Open the Configuration GUI for the Web Site.<br />
2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of<br />
the Product Guide for more information).<br />
3. Enter a path and filename to which tracing information should be written.<br />
4. Click on OK.<br />
16.2.2.2 Trace File Permissions<br />
Permissions need to be set to allow the Web Sites to access and write to the trace file. By<br />
default, the trace file is stored in \log. Follow these steps for the folder the<br />
trace file will be written to.<br />
1. Open Windows Explorer and browse to the directory that the trace file will be written to<br />
(\log by default).<br />
2. Right-click on the relevant directory.<br />
3. Select Properties.<br />
The Properties window will be displayed.<br />
4. Click on the Security tab.<br />
5. Ensure that the IUSR_ account has Read and Write permissions<br />
ticked.<br />
6. If changes need to be made to the permissions, make changes and click on the Apply<br />
button.<br />
Adding IUSR_ account<br />
If the IUSR_ account is not listed for the trace file directory, you will need to<br />
add it manually.<br />
1. Click on the Add… button<br />
The Select Users, Computers, or Groups window will be displayed.<br />
2. Click on the Advanced… button.<br />
3. Enter search criteria (see example below) and click on the Find Now button.<br />
If no search criteria are entered, a list of all users and groups in the selected location<br />
will be returned.<br />
4. Select the IUSR_ account.<br />
5. Click on the OK button.<br />
6. Check that the IUSR_ account is listed.<br />
7. Click on the OK button.<br />
8. The account should now be listed in the Security group and user list.<br />
16.2.3 Message Delivery Component<br />
16.2.3.1 Enable Tracing<br />
1. Open the Configuration GUI for the Message Delivery Component.<br />
2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of<br />
the Product Guide for more information).<br />
3. Enter a path and filename to which tracing information should be written.<br />
4. Click on OK.<br />
16.3 Open Port Numbers on Firewall<br />
The Authentication Server uses several different ports to communicate. If these are blocked by<br />
a firewall, some features will not work correctly. Listed below are the ports used by the<br />
Authentication Server, and the default port number used for each.<br />
16.3.1 Incoming Ports<br />
Table 66: List of Incoming Ports Used by the Authentication Server<br />
Port | Default | Configuration | Source<br />
API Port | 20003 | Authentication Server Configuration – Authentication Server tab (API Port field) | <strong>Administration</strong> MMC Interface (ODBC or embedded database only); Command Line <strong>Administration</strong> (ODBC or embedded database only); Replication from other Authentication Server; IIS Modules (version 3.x)<br />
RADIUS Authentication Port | 1812 | Authentication Server Configuration – Authentication Server tab (Authentication Port field) | RADIUS Clients; RADIUS Back-End Servers<br />
RADIUS Accounting Port | 1813 | Authentication Server Configuration – Authentication Server tab (Accounting Port field) | RADIUS Clients; RADIUS Back-End Servers<br />
VM2 Compatibility Add-on Port | 20004 | Configuration file for Authentication Server | IIS Modules (version 2.x)<br />
Live Audit Port | 20006 | Authentication Server Configuration; Audit Viewer (Audit Source property sheet) | Audit Viewer<br />
16.3.2 Outgoing Ports<br />
Table 67: List of Outgoing Ports Used by the Authentication Server<br />
Port | Default | Configuration | Destination | Notes<br />
API Port | 20003 | Authentication Server Configuration – Replication tab (outgoing | Replication to other Authentication Server | <br />
RADIUS Authentication Port | 1812 | <strong>Administration</strong> MMC Interface – Back-End Server records (Authentication Port field) | RADIUS Server using Authentication IP address from Back-End Server record. | <br />
RADIUS Accounting Port | 1813 | <strong>Administration</strong> MMC Interface – Back-End Server records (Accounting Port field) | RADIUS Server using Accounting IP address from Back-End Server record. | <br />
LDAP Port | 389 | Authentication Server Configuration – Active Directory Connection tab (Unencrypted Port field in Configuration Domain and/or other Domain details) | Active Directory (if 'Encrypt Remote Connections' is disabled in the Domain details) | If Authentication Server is installed on a Domain Controller, an external connection will not be required for that domain.<br />
LDAPS Port | 636 | Authentication Server Configuration – Active Directory Connection tab (Encrypted Port field in Configuration Domain and/or other Domain details) | Active Directory (if 'Encrypt Remote Connections' is enabled in the Domain details) | If Authentication Server is installed on a Domain Controller, an external connection will not be required for that domain.<br />
Database Port | | ODBC Driver | ODBC Database | Not required for embedded database option. Configuration is database-dependent.<br />
16.4 Installation Check<br />
The information in this section will enable you to check that various files have been installed in<br />
the correct locations and registered (where required), and Windows registry entries have been<br />
created and the correct values inserted.<br />
16.4.1 Installation Log File<br />
Check the log file created during the installation of <strong>VACMAN</strong> <strong>Middleware</strong>. The log file should be<br />
found in \install.log.<br />
Example Log Entries<br />
File successfully created<br />
CreateDirectory: "C:\Program Files\VASCO\<strong>VACMAN</strong> <strong>Middleware</strong> 3\Bin" (1)<br />
File: overwriteflag=0, allowskipfilesflag=2, name="aal3ad30.dll"<br />
File: wrote 2416640 to "C:\Program Files\VASCO\<strong>VACMAN</strong> <strong>Middleware</strong> 3\Bin\aal3ad30.dll"<br />
DLL could not be registered<br />
Error registering DLL: Could not load dpmmccom.dll<br />
16.4.2 Registry Entries<br />
Table 68: Registry Entries<br />
General<br />
Registry Path | Key Name | Value | Notes<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\ | InstallDirectory | Typically c:\program files\VASCO\<strong>VACMAN</strong> <strong>Middleware</strong> 3 | <br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstalledProducts\ | <strong>VACMAN</strong> <strong>Middleware</strong> | 1 | 1 = installed, 0 = not installed. If the Pack has been incorrectly installed, the key will typically be missing rather than having a value of 0.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstalledComponents\ | | | Check the recorded version numbers for various components.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\<strong>VACMAN</strong> <strong>Middleware</strong> 3\ | Version | 1.0.0. | Version number for the <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
<strong>Administration</strong> MMC Interface<br />
Registry Path | Key Name | Value | Notes<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ | ApiLibrary | \Bin\aal3ad30.dll | Included only where Active Directory is used as the data store.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ | ApiLibrary | \Bin\aal3seal30.dll | Included only where an ODBC database is used as the data store.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ | DialogLibrary | \Bin\dpwxlib.dll | <br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ | HelpFile | \Doc\Admin_MMC_Interface_AD_Help.chm | Included only where Active Directory is used as the data store.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ | HelpFile | \Doc\Admin_MMC_Interface_ODBC_Help.chm | Included only where an ODBC database is used as the data store.<br />
Digipass Extension for Active Directory Users and Computers<br />
Registry Path | Key Name | Value | Notes<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\ | ApiLibrary | \Bin\aal3ad30.dll | <br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\ | DialogLibrary | \Bin\dpwxlib.dll | <br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\ | HelpFile | \Doc\AD_Extension_Help.chm | <br />
Message Delivery Component<br />
Registry Path | Key Name | Value | Notes<br />
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Virtual Digipass Message Delivery Component\ | EventMessageFile | \Bin\mdcserver.exe | <br />
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Virtual Digipass Message Delivery Component\ | TypesSupported | 1 | 1 = EVENTLOG_ERROR_TYPE<br />
Note<br />
See 9.2.1 Configuration Settings for VASCO CGI configuration settings in the Windows registry.<br />
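An installation check built from Table 68, added here and not part of the VASCO documentation. It uses the registry package shipped with Tcl on Windows to read the General and <strong>Administration</strong> MMC Interface values, and checks the Digipass Extension values only when that key exists, since the extension is present only with an Active Directory data store. It assumes the library and help-file values hold full paths (a relative value is resolved against InstallDirectory); the key and value names are those in the table, and which values are checked is the editor's choice.<br />

```tcl
# Installation check against Table 68 (added example, not VASCO code).
# Windows only: run with tclsh, or with DPADMINCMD, on the machine being
# checked.  Assumes the file values hold full paths; a relative value is
# resolved against InstallDirectory.
package require registry

set base {HKEY_LOCAL_MACHINE\Software\VASCO Data Security}
set problems 0

# Read one registry value into the caller's variable; report and return 0
# when the value or its key is missing
proc regvalue {key valname varname} {
    upvar 1 $varname value
    if {[catch {registry get $key $valname} value]} {
        puts "MISSING $key\\$valname ($value)"
        return 0
    }
    return 1
}

# InstalledProducts\VACMAN Middleware must be 1; after an incorrect
# installation the value is typically missing rather than 0
if {![regvalue "$base\\InstalledProducts" {VACMAN Middleware} installed]} {
    incr problems
} elseif {$installed != 1} {
    puts "InstalledProducts\\VACMAN Middleware = $installed (expected 1)"
    incr problems
}

# InstallDirectory must name an existing directory
if {![regvalue $base InstallDirectory installdir]} {
    incr problems
} elseif {![file isdirectory $installdir]} {
    puts "InstallDirectory $installdir does not exist"
    incr problems
}

# Library and help-file values: always for the Administration MMC
# Interface, and for the AD Users & Computers extension only when its
# key exists (it is installed only with an Active Directory data store)
set checks {
    {MMC Admin Interface} ApiLibrary
    {MMC Admin Interface} DialogLibrary
    {MMC Admin Interface} HelpFile
}
if {![catch {registry keys $base} subkeys] &&
        [lsearch -exact $subkeys {AD U&C Extension}] >= 0} {
    lappend checks {AD U&C Extension} ApiLibrary \
                   {AD U&C Extension} DialogLibrary \
                   {AD U&C Extension} HelpFile
}
foreach {key valname} $checks {
    if {![regvalue "$base\\$key" $valname path]} {
        incr problems
        continue
    }
    if {[file pathtype $path] ne "absolute" && [info exists installdir]} {
        set path [file join $installdir [string trimleft $path "\\/"]]
    }
    if {![file exists $path]} {
        puts "$key\\$valname points to a missing file: $path"
        incr problems
    }
}

puts "$problems problem(s) found"
```

The ApiLibrary value is checked once whichever data store is in use, because the table lists the same value name with an AD-specific or ODBC-specific library; the script only verifies that the library the registry names is present on disk.<br />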
16.4.3 Check Permissions<br />
Table 69: Permissions Required<br />
Directory or File | Permission(s) required | Notes<br />
User Self Management Web Site (IIS)<br />
/dpselfservice/cgi | execute | <br />
\UserSite\CGI\usercgi.exe | execute | This is required on Windows Server 2003 only.<br />
OTP Request Site (IIS)<br />
/requestotp/cgi | execute | <br />
\VDPSite\CGI\vdpcgi.exe | execute | This is required on Windows Server 2003 only.<br />
16.4.4 Authentication Server Registered in Active Directory Domain<br />
If Active Directory is used as the data store, check that the Authentication Server is registered<br />
in the relevant Active Directory domain(s):<br />
1. Open Active Directory Users and Computers.<br />
2. Click on Users.<br />
3. A list of Windows Users and Groups will be displayed in the Result pane.<br />
4. Double-click on the RAS and IAS Servers group.<br />
5. Check that the Authentication Server is listed in the group members.<br />
If the Authentication Server is not registered in the domain, add it to the group.<br />
16.4.5 Default Policy and Component Created<br />
A default Policy and a Component for the Authentication Server should have been created<br />
during the installation. If they have not been created, the Authentication Server will not<br />
process authentication requests.<br />
Note<br />
These steps should only be followed if the Policies and Components have not<br />
been modified since installation.<br />
To check that Policies and Components were created successfully during installation:<br />
1. Open the <strong>Administration</strong> MMC Interface.<br />
2. Click on the Policies node.<br />
A Policy named VM3 <strong>Administration</strong> Logon should be included in the Policies List.<br />
3. Click on the Components node.<br />
4. Check that a Component named Authentication Server is included in the Components<br />
List.<br />
5. Double-click on the Authentication Server Component record.<br />
The Component Properties window will be displayed.<br />
6. VM3 <strong>Administration</strong> Logon should be selected in the Policy drop down list.<br />
17 Audit Messages<br />
To set up auditing in the Authentication Server, see 11.1.8 Auditing.<br />
17.1 Audit Message Listing<br />
Table 70: Audit Messages List<br />
Message Code | Description | Notes<br />
E000001 | A system error has occurred. | This message is used whenever there is a general processing error. It will contain full details of the error.<br />
E001001 | The Digipass Plug-In failed to start up. | The Plug-In encountered a fatal error on startup such as an invalid or missing configuration file.<br />
E001002 | The Digipass Plug-In has been forced into the disabled state. | The Plug-In has started up, but is in a disabled state in which it will not process authentication requests. This is typically due to a license problem (an invalid or missing License Key in the Plug-In's Component record); an invalid Component Location setting in the configuration file; or a missing Component record for the Plug-In.<br />
E001003 | The Authentication Server failed to start up. | The Authentication Server encountered a fatal error on startup. This is typically due to an invalid or missing configuration file or failure to connect to the data store.<br />
E002001 | The Active Directory AAL3 library failed to initialize. | The Active Directory 'AAL3' library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.<br />
E002002 | The Digipass Authentication library failed to initialize. | The 'Authentication' library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.<br />
E002004 | The RADIUS protocol handler failed to initialize. | The protocol handler that receives and processes RADIUS requests did not start up. This may be because of a missing License Key in the Authentication Server Component record, or because the License Key in that Component record does not enable RADIUS support. Look for the line RADIUS=Yes in the License Key details. A common reason for this error, when RADIUS is enabled in the License Key, is that the RADIUS ports are already in use by another process on the machine. Alternatively, the configuration settings may be invalid.<br />
E002006 | The Replication library failed to initialize. | <br />
E002007 | Initialization of a Replication destination server failed. | <br />
E002008 | The Authentication Server protocol handler failed to initialize. | <br />
E002009 | The VM2 Compatibility protocol handler failed to initialize. | <br />
The Replication library encountered a fatal error on<br />
initialization, eg. invalid configuration settings in the<br />
configuration file.<br />
The Replication library found the configuration of a<br />
Destination Server to be invalid. The library will still start<br />
up if its main configuration settings are valid and there is<br />
at least one valid Destination Server. For the invalid<br />
Destination Servers, this audit message is generated.<br />
The protocol handler that receives and processes<br />
administration requests and authentication requests from<br />
the IIS modules failed initialization. This is typically due to<br />
invalid configuration settings or because the API port is<br />
already in use by another process on the machine.<br />
The protocol handler that receives and processes<br />
authentication requests from the <strong>VACMAN</strong> <strong>Middleware</strong><br />
© 2007 VASCO Data Security Inc. 185
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
E009001 An error occurred in the Virtual Digipass<br />
Message Delivery Component.<br />
E012001 The RADIUS Profile was not found in<br />
Steel-Belted RADIUS.<br />
E012002 The RADIUS Attribute was not known by<br />
Steel-Belted RADIUS.<br />
E013001 A connection to an ODBC data source<br />
could not be established.<br />
E013002 A connection to an ODBC data source is<br />
broken.<br />
W004001 A connection attempt to Active<br />
Directory failed.<br />
W004004 A connection attempt to a Replication<br />
destination server failed.<br />
W005001 A connection to Active Directory has<br />
terminated due to an error.<br />
Description Notes<br />
version 2 IIS modules failed initialization. This is typically<br />
due to invalid configuration settings or because the API<br />
port is already in use by another process on the machine.<br />
The MDC encountered an error during the process of<br />
submitting a request to the HTTP gateway and interpreting<br />
the response. This may indicate a configuration problem for<br />
the gateway or connectivity issues. The audit message may<br />
contain further details from the gateway.<br />
When a RADIUS Profile name is in the Digipass User<br />
Account but that name is not found in SBR, the login is<br />
failed with this error.<br />
This can also occur if there is no RADIUS Profile in the<br />
Digipass User Account, but there is a Default RADIUS<br />
Profile configured that was not found in SBR.<br />
When the Digipass User Account has a RADIUS attribute in<br />
its Authorization Profiles/Attributes list, the attribute<br />
must be found in SBR. When such an attribute is not<br />
known to SBR, the login is failed with this error.<br />
The most likely reason for this error to occur is that the<br />
spelling of the attribute Name is different in SBR compared<br />
to the Digipass User account. This may also occur if the<br />
Value of the attribute does not convert to the correct data<br />
type expected by SBR. For example, if an IP address<br />
attribute has a Value which is not a representation of an IP<br />
address.<br />
An attempt to connect to an ODBC data source failed. This<br />
may occur because:<br />
the database is unavailable for some reason such as<br />
rebooting<br />
the database is too busy temporarily to service the<br />
connection<br />
there are networking problems<br />
your credentials used in connecting to the database<br />
are invalid.<br />
An established connection to an ODBC data source has<br />
broken. This may occur because:<br />
the database suddenly becomes unavailable for some<br />
reason such as rebooting<br />
the database becomes too busy temporarily to<br />
service the connection<br />
there are networking problems.<br />
An attempt to connect to an Active Directory Domain<br />
Controller failed. This may occur because: the Domain<br />
Controller is unavailable for some reason such as<br />
rebooting; the Domain Controller is too busy temporarily to<br />
service the connection; or there are DNS or networking<br />
problems.<br />
An attempt by the Replication library to connect to a<br />
Destination Server failed. This may occur because: the<br />
incorrect IP address or port is configured; the Destination<br />
Server is unavailable for some reason such as rebooting; or<br />
there are networking/connectivity problems such as an<br />
intermediate firewall blocking the port.<br />
An established connection to an Active Directory Domain<br />
Controller has broken. This may occur because: the<br />
© 2007 VASCO Data Security Inc. 186
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
W005004 A connection to a Replication<br />
destination server has terminated due<br />
to an error.<br />
W006001 An invalid RADIUS packet has been<br />
received.<br />
W006002 A RADIUS request has been received<br />
from an unknown source.<br />
W006003 A request has been received from a<br />
RADIUS Client with no Shared Secret<br />
defined.<br />
W006004 A RADIUS request forwarded by this<br />
server has been received – there must<br />
be a circular proxy chain.<br />
W006005 An Access-Challenge received from the<br />
RADIUS Server cannot be handled.<br />
Description Notes<br />
Domain Controller suddenly becomes unavailable for some<br />
reason such as rebooting; the Domain Controller becomes<br />
too busy temporarily to service the connection; or there<br />
are DNS or networking problems.<br />
An established connection to a Destination Server has<br />
broken. This may occur because the Destination Server<br />
suddenly becomes unavailable for some reason such as<br />
rebooting, or because of a temporary networking or<br />
connectivity problem.<br />
A RADIUS request received was invalid (did not conform to<br />
the RADIUS protocol). The request is discarded.<br />
This can also occur when a response is received from a<br />
RADIUS Server to which a request was forwarded, if the<br />
response was invalid. The response is discarded.<br />
A RADIUS request was received but there is no RADIUS<br />
Client Component for the source of the request, and there<br />
is no “default” RADIUS Client Component. The request is<br />
discarded.<br />
This audit message will be repeated at intervals when the<br />
same unknown source sends requests, but not for every<br />
request.<br />
A RADIUS request was received where there is a RADIUS<br />
Client Component for the source of the request, but that<br />
Component record does not have a Shared Secret defined.<br />
Therefore, it is not possible to handle the request and it is<br />
discarded.<br />
This will not occur if there is a “default” RADIUS Client<br />
Component that has a Shared Secret.<br />
This audit message will be repeated at intervals when the<br />
same source sends requests, but not for every request.<br />
This can occur when the Authentication Server forwards a<br />
request to a RADIUS Server, and the RADIUS Server<br />
forwards the request back, due to its own proxy rules. It<br />
can also occur indirectly in a longer 'proxy chain'. The<br />
request is discarded, otherwise an infinite loop could be<br />
created.<br />
If this occurs, there must be an error in the proxy<br />
configuration of the RADIUS Server(s).<br />
This can occur when the Authentication Server forwards a<br />
request to a RADIUS Server and the RADIUS Server<br />
responds with an Access-Challenge. An Access-Challenge<br />
can only be handled when the Authentication Server<br />
forwards the password unmodified to the RADIUS Server.<br />
If the Authentication Server verifies an OTP and forwards<br />
the static password to the RADIUS Server, it is not possible<br />
to handle an Access-Challenge from the RADIUS Server.<br />
W006006 A RADIUS Server is not responding. The Authentication Server has not managed to get a<br />
response from the RADIUS Server for some time. This<br />
message indicates that there may be a problem with the<br />
RADIUS Server.<br />
W009001 Virtual Digipass One Time Password<br />
delivery failed.<br />
W010001 A blank password was used for Back-<br />
End Authentication, as Stored Password<br />
The MDC could not successfully deliver a text message via<br />
the HTTP gateway. The audit message should contain<br />
further details from the gateway.<br />
This message only occurs when the Back-End<br />
Authentication setting is Always.<br />
© 2007 VASCO Data Security Inc. 187
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
Description Notes<br />
Proxy is disabled and the user did not<br />
enter a static password.<br />
W011001 A Backup Virtual Digipass quota of uses<br />
has been finished.<br />
W011002 No Digipass was found to assign to a<br />
new Digipass User Account for Auto-<br />
Assignment.<br />
W011003 A Digipass User Account has become<br />
locked.<br />
W012002 A Replication update received has been<br />
ignored, as the local data is more up-todate.<br />
W012003 A Replication queue entry has not been<br />
inserted.<br />
W013001 An invalid request has been received by<br />
the Authentication Server.<br />
W013002 A request has been received by the<br />
Authentication Server from an unknown<br />
source.<br />
When Stored Password Proxy is disabled, the<br />
Authentication Server does not pass on the password<br />
stored in the Digipass User Account to Windows for Back-<br />
End Authentication. If a User does not enter their password<br />
as well as their OTP, the login will fail because their<br />
password has not been provided to Windows.<br />
BVDP Uses Remaining has just been decremented to 0<br />
for a Digipass. The User will not be able to use that<br />
Digipass for Backup Virtual Digipass logins until the Uses<br />
Remaining is increased or cleared.<br />
No available Digipass were found for Auto-Assignment.<br />
This may be because: there were no unassigned Digipass<br />
in the right location; the unassigned Digipass did not<br />
conform to Policy restrictions; the unassigned Digipass<br />
were Reserved for individual assignment.<br />
The location in which the Authentication Server searches<br />
for available Digipass records can be controlled to some<br />
extent using the Search Upwards in Org. Unit<br />
hierarchy setting.<br />
A User just exceeded the User Lock Threshold of failed<br />
logins and their Digipass User Account is now Locked.<br />
Administrator action is required to unlock the account.<br />
The Authentication Server has received a data update from<br />
another Authentication Server via the Replication process,<br />
but its local data is already newer than the data received<br />
via Replication.<br />
It is normal that this can occur, but it can also indicate a<br />
potential synchronization issue.<br />
This can occur when a replication queue has reached its<br />
maximum size. This is most likely to occur when the<br />
destination server is down or cannot be contacted due to a<br />
networking problem.<br />
The Authentication Server has received an invalid<br />
authentication, administration or Replication request.<br />
The Authentication Server has received an authentication,<br />
administration or Replication request from an unknown or<br />
unauthorized source. If the request was from a valid<br />
source, this message indicates that a Component record is<br />
missing (or that a required restart of the Service has not<br />
been made since the creation of the necessary Component<br />
record).<br />
W014001 The License Key is missing or invalid. A valid, unexpired license key is required to process any<br />
kind of authentication request. This message will be<br />
generated periodically when authentication requests are<br />
received by the Authentication Server, when it does not<br />
have a valid License Key.<br />
I001001 The Digipass Plug-In has started up<br />
successfully.<br />
I001002 The Authentication Server has started<br />
up successfully.<br />
I002001 The Active Directory AAL3 library has<br />
been initialized successfully.<br />
Configuration details are given in the audit message.<br />
Configuration details are given in the audit message.<br />
Note that the Authentication Server can start up<br />
successfully even if a component such as the RADIUS<br />
protocol handler does not start up successfully.<br />
The Active Directory 'AAL3' library has completed<br />
initialization. Configuration details are given in the audit<br />
© 2007 VASCO Data Security Inc. 188
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
I002002 The Digipass Authentication library has<br />
been initialized successfully.<br />
I002004 The RADIUS protocol handler has been<br />
initialized successfully.<br />
I002006 The Replication library has been<br />
initialized successfully.<br />
I002007 Initialization of a Replication destination<br />
server succeeded.<br />
Description Notes<br />
I002008 The Authentication Server protocol<br />
handler has been initialized successfully.<br />
I002009 The VM2 Compatibility protocol handler<br />
has been initialized successfully.<br />
I003001 The Digipass Plug-In has shut down.<br />
I003002 The Authentication Server has shut<br />
down.<br />
I004001 A connection attempt to Active<br />
Directory was successful.<br />
I004004 A connection attempt to a Replication<br />
destination server was successful.<br />
I005001 A connection to Active Directory has<br />
been terminated normally.<br />
I005002 A connection to Active Directory has<br />
been timed out for load-balancing.<br />
I005004 A connection to a Replication<br />
destination server has been terminated<br />
normally.<br />
I006001 A RADIUS Access-Request has been<br />
received.<br />
I006002 A RADIUS Accounting-Request has been<br />
received.<br />
I006003 A RADIUS Server has started<br />
responding again.<br />
I007001 A RADIUS Access-Accept has been<br />
issued.<br />
message.<br />
The 'Authentication' library has completed initialization.<br />
Configuration details are given in the audit message.<br />
The protocol handler that receives and processes RADIUS<br />
requests started up. Configuration details are given in the<br />
audit message.<br />
The Replication library was initialized successfully.<br />
Configuration details are given in the audit message.<br />
The Replication library initialized a Destination Server<br />
successfully. Configuration details are given in the audit<br />
message.<br />
The protocol handler that receives and processes<br />
administration requests and authentication requests from<br />
the IIS modules was initialized successfully. Configuration<br />
details are given in the audit message.<br />
The protocol handler that receives and processes<br />
authentication requests from the <strong>VACMAN</strong> <strong>Middleware</strong><br />
version 2 IIS modules was initialized successfully.<br />
Configuration details are given in the audit message.<br />
An established connection to an Active Directory Domain<br />
Controller has ended with a normal disconnection.<br />
An established connection to an Active Directory Domain<br />
Controller has been ended for load-balancing purposes.<br />
Periodically the connections will be dropped and new ones<br />
established, in case there is a less busy Domain Controller<br />
available. The time period is defined by the configuration<br />
setting Max-Bind-LifeTime in the file, in minutes.<br />
An established connection to a Replication Destination<br />
Server has ended with a normal disconnection.<br />
The Authentication Server has received an Access-Request.<br />
The audit message will indicate what action will be taken as<br />
well as key details of the request.<br />
The Authentication Server has received an Accounting-<br />
Request. The audit message will indicate what action will<br />
be taken as well as key details of the request.<br />
After the Authentication Server had not managed to get a<br />
response from the RADIUS Server for some time, this<br />
message indicates that it is responding again.<br />
The Authentication Server has accepted an Access-<br />
Request. Note however that it is still possible that after the<br />
Authentication Server has accepted the request, another<br />
component of the overall process may still decide to reject<br />
the request ultimately.<br />
© 2007 VASCO Data Security Inc. 189
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
I007002 A RADIUS Access-Challenge has been<br />
issued.<br />
I007003 A RADIUS Access-Reject has been<br />
issued.<br />
I007004 A RADIUS Accounting-Response has<br />
been issued.<br />
I008001 A Digipass has been moved for<br />
assignment to a user.<br />
I008002 A user-to-user link has been removed<br />
due to assignment of a Digipass.<br />
I009001 A Virtual Digipass One Time Password<br />
has been delivered.<br />
Description Notes<br />
The Authentication Server has issued a challenge, either<br />
Challenge/Response or Virtual Digipass.<br />
The Authentication Server has rejected an Access-Request.<br />
The Authentication Server has acknowledged an<br />
Accounting-Request. Note however that unless the request<br />
is forwarded to a RADIUS Server, no processing is carried<br />
out by the Authentication Server.<br />
Upon assignment of a Digipass to a User, if the Digipass is<br />
not already in the same location (Organizational Unit) as<br />
the User, it is moved to that location.<br />
If a Digipass User Account is linked to another in order to<br />
share the Digipass, it must not have a Digipass assigned<br />
itself. If a Digipass is assigned, the link will be broken.<br />
The MDC successfully delivered a text message via the<br />
HTTP gateway, as reported by the gateway. The audit<br />
message may contain further details from the gateway.<br />
Note that depending on the gateway, it may still be<br />
possible for delivery to fail after the gateway has reported<br />
success.<br />
I010001 User authentication was not handled. The Authentication Server decided not to handle an<br />
authentication request due to Policy and/or Digipass User<br />
Account settings. The main reasons why this may occur<br />
are: the effective Local Authentication and Back-End<br />
Authentication settings were both None; the User failed<br />
the Windows Group Check, using the Pass requests for<br />
users not in listed groups back to host system option.<br />
Note that the 'effective' settings are the effective settings<br />
of the Policy, unless the Digipass User Account overrides<br />
the Policy.<br />
I010002 A stored password change was<br />
unhandled.<br />
I011001 A Digipass Grace Period has been ended<br />
by the use of a One Time Password.<br />
I011002 A Backup Virtual Digipass expiration<br />
date has been set due to the first<br />
request for a Virtual One Time<br />
Password.<br />
I011003 A Backup Virtual Digipass time limit has<br />
been expired by the use of the normal<br />
One Time Password.<br />
The Authentication Server decided not to handle a<br />
password change request due to Policy and/or Digipass<br />
User Account settings. The main reasons why this may<br />
occur are: the effective Local Authentication and Back-<br />
End Authentication settings were both None; the User<br />
failed the Windows Group Check, using the Pass<br />
requests for users not in listed groups back to host system<br />
option.<br />
Note that the 'effective' settings are the effective settings<br />
of the Policy, unless the Digipass User Account overrides<br />
the Policy.<br />
The first time that an assigned Digipass is used<br />
successfully to log in, if a Grace Period is still active, it is<br />
ended immediately. They must continue to use their<br />
Digipass to log in after that point.<br />
A User has requested a Backup Virtual Digipass OTP for the<br />
first time, when the effective Backup VDP Enabled<br />
setting is Yes – Time Limited and they did not already have<br />
an Enabled Until date set on their Digipass. At this time,<br />
they are given the Time Limit from the Policy by adding it<br />
to the current date.<br />
A User who has been using Backup Virtual Digipass has<br />
used their normal OTP login using the Digipass again.<br />
When the effective Backup VDP Enabled setting is Yes –<br />
Time Limited, using the normal OTP login ends their time<br />
© 2007 VASCO Data Security Inc. 190
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
I011004 A Backup Virtual Digipass quota of uses<br />
has been set due to the first request for<br />
a Virtual One Time Password.<br />
I011005 A Digipass User Account has been<br />
created using Dynamic User<br />
Registration.<br />
I011006 A new static password has been stored<br />
using Password Autolearn.<br />
I011007 A Digipass has been assigned to a new<br />
Digipass User Account using Auto-<br />
Assignment.<br />
I011008 A Digipass has been assigned to a<br />
Digipass User Account using Self-<br />
Assignment.<br />
I011009 A Digipass challenge has been issued<br />
for a Self-Assignment attempt.<br />
Description Notes<br />
limit immediately. This is done by setting the Enabled<br />
Until date on their Digipass to the current date.<br />
An administrator action is required to reset their Enabled<br />
Until date, if the User is to be allowed to use Backup<br />
Virtual Digipass again.<br />
A User has requested a Backup Virtual Digipass OTP for the<br />
first time, when the effective Backup VDP Max.<br />
Uses/User setting is greater than 0 and they did not<br />
already have a Uses Remaining date set on their<br />
Digipass. At this time, they are given the Max. Uses/User<br />
limit from the Policy.<br />
A Digipass User Account has been created automatically<br />
upon successful Back-End Authentication. This occurs<br />
when the Dynamic User Registration feature is enabled.<br />
A new static password has been stored in the Digipass User<br />
Account after successful Back-End Authentication. This<br />
occurs when the Password Autolearn feature is enabled.<br />
Upon creation of a new Digipass User Account through<br />
Dynamic User Registration, an available Digipass has<br />
been assigned to the new account automatically. This<br />
occurs when the Auto-Assignment feature is enabled.<br />
A User has successfully assigned a Digipass to themselves<br />
using the Self-Assignment feature.<br />
A User has obtained a challenge during an attempt to<br />
assign a Digipass to themselves using the Self-<br />
Assignment feature. In order to complete the assignment,<br />
they must provide the correct response to the challenge<br />
from the Digipass.<br />
I011010 A user has changed their Digipass PIN. A User has changed their Server PIN during their login, or<br />
set it up on first use or after a PIN reset.<br />
I013001 A connection to an ODBC data source<br />
has been made successfully.<br />
I013002 A connection to an ODBC data source<br />
has been terminated normally.<br />
S001001 A query for a single [object] record was<br />
successful.<br />
S001002 A query for [object] records was<br />
successful.<br />
S001003 A command of type [object] [command]<br />
was successful.<br />
An established connection to an ODBC data source has<br />
ended with a normal disconnection.<br />
The Authentication Server or an administrator has made a<br />
successful query to the data store for a single record. In<br />
the case of the Authentication Server this may be a search<br />
for its Component record; for an administrator it could be<br />
any single record query. The audit message has details of<br />
the record found.<br />
The Authentication Server or an administrator has made a<br />
successful query to the data store for some records. In the<br />
case of the Authentication Server this may be a search for<br />
a RADIUS Client Component record; for an administrator it<br />
could be any list query. The audit message has details of<br />
the records found but this may be truncated.<br />
An administrator has issued a successful data modification<br />
command such as an update of settings or one of the<br />
Digipass Application operations like Reset PIN. The audit<br />
message has details of the command and results.<br />
S002001 User authentication was successful. The 'Authentication' library has passed authentication for a<br />
request. Note however that the Authentication Server or<br />
© 2007 VASCO Data Security Inc. 191
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
Description Notes<br />
another component of the overall process may still decide<br />
to reject the request ultimately.<br />
S002002 User authentication issued a challenge. The 'Authentication' library has issued a challenge for an<br />
authentication request, either Challenge/Response or<br />
Virtual Digipass.<br />
S002004 A stored password change was<br />
successful.<br />
S003001 A Replication update was sent<br />
successfully.<br />
S003002 A Replication update received has been<br />
processed successfully.<br />
The Authentication Server has successfully processed a<br />
password change request.<br />
This message is audited at the source server, when a<br />
database change is sent to a destination server and<br />
processed successfully.<br />
This message is audited at the destination server, when a<br />
database change is received and processed successfully.<br />
S004001 An administrative logon was successful. An administrative logon to the Authentication Server was<br />
successful.<br />
S004002 A Live Audit connection was successful. A Live Audit connection to the Authentication Server was<br />
successful.<br />
F001001 A query for a single [object] record<br />
failed.<br />
The Authentication Server or an administrator has made an<br />
unsuccessful query to the data store for a single record. In<br />
the case of the Authentication Server this may be a search<br />
for its Component record; for an administrator it could be<br />
any single record query. The audit message has basic<br />
details of the failure, but there should be a preceding<br />
E000001 with more details.<br />
F001002 A query for [object] records failed. The Authentication Server or an administrator has made an<br />
unsuccessful query to the data store for some records. In<br />
the case of the Authentication Server this may be a search<br />
for a RADIUS Client Component record; for an<br />
administrator it could be any list query. The audit message<br />
has basic details of the failure, but there should be a<br />
preceding E000001 with more details.<br />
F001003 A command of type [object] [command]<br />
failed.<br />
An administrator has issued an unsuccessful data<br />
modification command such as an update of settings or one<br />
of the Digipass Application operations like Reset PIN. The<br />
audit message has basic details of the failure, and there<br />
may be a preceding E000001 with more details.<br />
F002001 User authentication failed. The 'Authentication' library has failed authentication for a<br />
request. The audit message has details of the failure (see<br />
18 Error and Status Codes) and there may be a preceding<br />
E000001 with error details.<br />
F002003 A stored password change failed. The Authentication Server has not processed a password<br />
change request. The audit message has details of the<br />
failure (see 18 Error and Status Codes)<br />
and there may<br />
be a preceding E000001 with error details.<br />
F003001 Sending a Replication update was<br />
unsuccessful.<br />
F003002 Processing a Replication update<br />
received was unsuccessful.<br />
This message is audited at the source server, when a<br />
database change is not sent to a destination server<br />
successfully, or it was sent but the processing at the<br />
destination was unsuccessful.<br />
This message is audited at the destination server, when a<br />
database change is received but is not processed<br />
successfully.<br />
F004001 An administrative logon was rejected. The 'Authentication' library has failed an administrative<br />
login request. The audit message has details of the failure<br />
(see 18 Error and Status Codes)<br />
and there may be a<br />
© 2007 VASCO Data Security Inc. 192
<strong>VACMAN</strong> <strong>Middleware</strong> Administrator <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
Description Notes<br />
preceding E000001 with error details.<br />
Note that this may occur even when preceded by a<br />
successful authentication (S002001) message, for example<br />
if the user's credentials were OK but they did not have<br />
Administrative Logon privilege.<br />
F004002 A Live Audit connection was rejected. The 'Authentication' library has failed a Live Audit<br />
connection request. The audit message has details of the<br />
failure (see 18 Error and Status Codes)<br />
and there may<br />
be a preceding E000001 with error details.<br />
Note that this may occur even when preceded by a<br />
successful authentication (S002001) message, for example<br />
if the user's credentials were OK but they did not have<br />
Administrative Logon or Live Audit Connection privilege.<br />
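The W006001, W006002 and W006003 entries in Table 70 describe three checks a RADIUS request must pass before the Authentication Server will do anything with it: the source must match a RADIUS Client Component (or a "default" one), that Component must carry a Shared Secret, and the packet must conform to the RADIUS protocol. The following Python script is an added example, not code from VACMAN Middleware or VASCO, which reproduces those checks against a constructed Access-Request. The client table, the shared secrets, the order of the checks, the BAD_MAC label and the sample packet are assumptions made for the demonstration; packet framing follows RFC 2865 and the Message-Authenticator check follows RFC 2869.

```python
"""Added example, not VACMAN Middleware code: the three acceptance checks
behind the W006001/W006002/W006003 audit messages, run against a constructed
RADIUS Access-Request.  Packet framing follows RFC 2865 and the
Message-Authenticator attribute follows RFC 2869; the client table, shared
secrets, check order and sample packet are assumptions made for this demo."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80
RADIUS_MIN_LEN, RADIUS_MAX_LEN = 20, 4096

# Constructed stand-in for the RADIUS Client Component records: source IP ->
# Shared Secret.  None means a Component record exists but has no Shared
# Secret (the W006003 case).  DEFAULT_SECRET emulates a "default" RADIUS
# Client Component; with it set, neither W006002 nor W006003 can occur.
RADIUS_CLIENTS = {"192.0.2.10": b"s3cret-shared", "192.0.2.11": None}
DEFAULT_SECRET = None


def lookup_client(source_ip):
    """Return ('OK', secret), or (audit code, None) for an unusable source."""
    if RADIUS_CLIENTS.get(source_ip) is not None:
        return "OK", RADIUS_CLIENTS[source_ip]
    if DEFAULT_SECRET is not None:
        return "OK", DEFAULT_SECRET
    return ("W006003" if source_ip in RADIUS_CLIENTS else "W006002"), None


def parse_radius(data):
    """Parse the header and attribute TLVs; ValueError on any framing violation."""
    if len(data) < RADIUS_MIN_LEN:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not RADIUS_MIN_LEN <= length <= min(RADIUS_MAX_LEN, len(data)):
        raise ValueError("Length field %d inconsistent with datagram" % length)
    attrs, pos = [], 20                     # octets beyond Length are padding
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d (type %d)" % (alen, atype))
        attrs.append((atype, pos + 2, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, data[4:20], attrs


def message_authenticator_ok(data, length, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute value zeroed."""
    for atype, off, val in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = data[:off] + b"\x00" * 16 + data[off + 16:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return len(val) == 16 and hmac.compare_digest(expected, val)
    return True                             # attribute absent: nothing to verify


def hide_password(blocks, secret, req_auth, encrypt):
    """RFC 2865 5.2 User-Password hiding; chaining always uses the ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(blocks), 16):
        block = blocks[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if encrypt else block)
    return out


def build_access_request(ident, secret, username, password, req_auth):
    """Constructed client side: User-Name, hidden User-Password, Message-Authenticator."""
    def tlv(atype, value):
        return struct.pack("!BB", atype, len(value) + 2) + value
    padded = password + b"\x00" * (-len(password) % 16)
    body = (tlv(ATTR_USER_NAME, username)
            + tlv(ATTR_USER_PASSWORD, hide_password(padded, secret, req_auth, True))
            + tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # kept last on purpose
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def handle_datagram(source_ip, data):
    """Audit outcome for one datagram: a discard label, or ('ACCEPTED', user, password)."""
    outcome, secret = lookup_client(source_ip)   # no parsing at all for unknown sources
    if outcome != "OK":
        return outcome
    try:
        code, ident, length, req_auth, attrs = parse_radius(data)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is handled in this example")
    except ValueError:
        return "W006001"                    # does not conform to the protocol: discard
    if not message_authenticator_ok(data, length, attrs, secret):
        return "BAD_MAC"   # also discarded; the reference does not say which code this audits
    fields = {atype: val for atype, _, val in attrs}
    password = hide_password(fields.get(ATTR_USER_PASSWORD, b""), secret, req_auth, False)
    return "ACCEPTED", fields.get(ATTR_USER_NAME, b"").decode(), password.rstrip(b"\x00").decode()


def sample_request():
    """Constructed Access-Request from the known client (fixed authenticator for repeatability)."""
    return build_access_request(7, b"s3cret-shared", b"alice", b"1234567890", bytes(range(16)))


if __name__ == "__main__":
    good = sample_request()
    for src, pkt in [("192.0.2.10", good), ("192.0.2.11", good), ("198.51.100.9", good),
                     ("192.0.2.10", good[:19]),
                     ("192.0.2.10", good[:22] + bytes([good[22] ^ 1]) + good[23:])]:
        print(src, handle_datagram(src, pkt))
```

Running the script prints the accepted request followed by the W006003, W006002, W006001 and bad-MAC discards. Two points worth noticing: the W006002/W006003 decisions are made before any parsing, so an unknown source cannot make the server do cryptographic work, and in a PAP Access-Request the Message-Authenticator is the only field that proves knowledge of the Shared Secret, which is why a mismatch has to be a silent discard rather than an Access-Reject.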
17.2 Audit Message Fields<br />
Table 71: Audit Messages Fields<br />
Display Name Description<br />
Area Area of code/functionality in which the audit event occurred. Eg. “Active Directory search”.<br />
Operation Operation being attempted/processed when the audit event occurred.<br />
Error Code Standard error code.<br />
Error Message Fixed error message corresponding to ERROR_CODE.<br />
Error Details Full dump of 'error stack'.<br />
Source Location Location of source of audit message, typically IP address or host name.<br />
Server Location When the server itself is not the source of the audit message, this is the location of the<br />
server (IP/host name).<br />
Client Location When the client itself is not the source of the audit message, this is the location of the client<br />
(IP/host name).<br />
Version Full version string. Eg. “2.5.2.0045”.<br />
Data Source Type of data source. Eg. “File”, “Registry”.<br />
Data Source Location Specific location of data source. Eg. for a File, the path/filename.<br />
Configuration Details Breakdown of configuration settings.<br />
Outcome Outcome of an attempt to do something. Eg. “Success”, “Failure”, “Challenge”.<br />
Reason Generally a short phrase indicating a reason for a failure.<br />
Characteristics Space-separated list of keywords indicating characteristics of interest. Eg. for a connection<br />
attempt, keywords such as “SSL” , “TCP”, “IPv6” may be useful.<br />
User ID UserID. Can be in various formats, unless it refers to a Digipass User Account UserID, when<br />
it must be exact (SAM-Account-Name).<br />
Domain Domain name (FQDN).<br />
Credentials What kind of credential was offered for a connection/login attempt. Eg. “Password”, “None”.<br />
Session ID Session identifier.<br />
Serial No Digipass Serial No.<br />
Application Digipass Application Name.<br />
Request ID Any request identifier(s). Eg. a RADIUS packet ID.<br />
Password Protocol The way in which a password is encoded. Eg. “PAP”, “CHAP”, “MS-CHAP1”, “MS-CHAP2”.<br />
Input Details Breakdown of request parameters/attributes.<br />
Action Intended action to take for a request received. Eg. “Ignore”, “Process”.<br />
Output Details Breakdown of response parameters/attributes.<br />
Policy ID Name of Policy used to handle a request.<br />
Mobile No Mobile phone no. for sending a text message.<br />
From Location from which something is moved. Eg. an Active Directory location.<br />
To Location to which something is moved. Eg. an Active Directory location.<br />
User Link Identification of user to which another user is linked.<br />
Message This is used where something external (eg. the MDC) returns a message for auditing.<br />
Expiration Date Value of an expiry date such as Grace Period.<br />
Quota Value of a quota such as Backup Virtual Digipass Uses Remaining.<br />
Local Authentication Whether Local Authentication was done or not.<br />
Back-End Authentication If Back-End Authentication was done, the Back-End Protocol used, otherwise “None”.<br />
Object Name of data object of query/command.<br />
Command Name of command.<br />
Downtime Length of downtime in minutes.<br />
Fields The list of fields to be returned by the query, or 'All Fields'.<br />
RADIUS Profile Name of RADIUS Profile (eg. for Funk SBR).<br />
Request Type Type of request or response, eg. “Access-Request”, “Access-Accept”, “Access-Reject”.<br />
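Detection logic for the case the F004001 and F004002 notes above describe: a rejected administrative logon<br />
or Live Audit connection that follows a successful authentication (S002001) for the same account from the<br />
same source means the credentials were accepted and only the privilege was missing, which is a different<br />
signal from a failed password. The following is an added example written for this reference, not code from<br />
VASCO or the VACMAN Middleware product. Each audit message is modelled as a dict keyed by the display names<br />
of Table 71 plus an assumed "Message Code" and "Time" entry, and the sample stream is constructed.<br />

```python
"""Correlate audit messages so that an administrative rejection that followed a
successful authentication is told apart from a plain credential failure.

Added example for this reference; it is not VASCO code and not the product's audit
output format. Each audit message is a dict keyed by the display names of Table 71
plus "Message Code" and "Time" (both assumed); the sample stream is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

SUCCESS_CODE = "S002001"                 # successful authentication
ADMIN_REJECT_CODES = {                   # rejections that may follow an S002001
    "F004001": "administrative logon",
    "F004002": "Live Audit connection",
}

# Constructed sample audit stream (not real product output).
SAMPLE_AUDIT = [
    {"Time": "2007-05-01 09:00:00", "Message Code": "S002001", "User ID": "jsmith",
     "Source Location": "10.0.0.5", "Session ID": "7f3a", "Outcome": "Success"},
    {"Time": "2007-05-01 09:00:01", "Message Code": "F004001", "User ID": "jsmith",
     "Source Location": "10.0.0.5", "Session ID": "7f3a", "Outcome": "Failure",
     "Reason": "No Administrative Logon privilege"},
    {"Time": "2007-05-01 09:00:30", "Message Code": "F004002", "User ID": "jsmith",
     "Source Location": "10.0.0.5", "Session ID": "7f3a", "Outcome": "Failure",
     "Reason": "No Live Audit Connection privilege"},
    {"Time": "2007-05-01 09:09:59", "Message Code": "E000001", "User ID": "mallory",
     "Source Location": "10.0.0.77", "Session ID": "", "Outcome": "Failure",
     "Reason": "Invalid credentials"},
    {"Time": "2007-05-01 09:10:00", "Message Code": "F004001", "User ID": "mallory",
     "Source Location": "10.0.0.77", "Session ID": "", "Outcome": "Failure",
     "Reason": "Invalid credentials"},
    {"Time": "2007-05-01 09:20:00", "Message Code": "S002001", "User ID": "admin1",
     "Source Location": "10.0.0.9", "Session ID": "c1d2", "Outcome": "Success"},
]


def _ts(rec):
    return datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")


def correlate_admin_rejections(records, window=timedelta(seconds=60)):
    """Return one finding per F004001/F004002 message.

    preceded_by_success is True when the same User ID from the same Source Location
    produced an S002001 within `window` beforehand: the credentials were accepted
    and only the privilege was missing. That is a valid account probing for
    administrative access, which warrants a different response from a bad password.
    """
    last_success = {}   # (User ID, Source Location) -> time of latest S002001
    findings = []
    for rec in sorted(records, key=_ts):
        key = (rec.get("User ID", ""), rec.get("Source Location", ""))
        code = rec["Message Code"]
        if code == SUCCESS_CODE:
            last_success[key] = _ts(rec)
        elif code in ADMIN_REJECT_CODES:
            seen = last_success.get(key)
            preceded = seen is not None and timedelta(0) <= _ts(rec) - seen <= window
            findings.append({
                "user": key[0], "source": key[1], "code": code,
                "attempt": ADMIN_REJECT_CODES[code],
                "preceded_by_success": preceded,
                "reason": rec.get("Reason", ""),
            })
    return findings


def privilege_probe_counts(findings):
    """Count, per (user, source), rejections that followed an accepted authentication.
    A count above 1 in a short window is worth an alert: the account is real and
    whoever holds its credentials keeps trying for administrative access."""
    return Counter((f["user"], f["source"]) for f in findings if f["preceded_by_success"])


if __name__ == "__main__":
    found = correlate_admin_rejections(SAMPLE_AUDIT)
    for f in found:
        print(f)
    print(privilege_probe_counts(found))
```

Run as a script it prints the three findings and the per-source counts; the (user, source) pairs with a<br />
count above 1 are the ones to look at first, since an accepted credential is being used to probe for<br />
administrative rights, while the mallory entry is an ordinary credential failure with its E000001.<br />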
18 Error and Status Codes<br />
This section lists the standard error and status codes with the associated messages.<br />
18.1 Error Code Listing<br />
Table 72: Error Code List<br />
Error Code Message Notes<br />
0 (No error)<br />
-1 An unspecified error occurred This error code may occur when a more specific error code is<br />
not available or was recorded separately.<br />
-2 The parameters supplied were invalid Parameters supplied to a function or command were invalid.<br />
-3 A memory error occurred Memory allocation failed. This is normally due to the system<br />
running low on memory.<br />
-10 A communications error occurred Inter-process or inter-component communication failed. This<br />
may also occur with communications to Active Directory or a<br />
database. This error is normally accompanied by further details.<br />
-11 A license error has occurred General-purpose license failure when a more specific code is<br />
not available or was recorded separately.<br />
-12 An operating system call failed A system call failed. This may include file handling, Active<br />
Directory Services Interface and other calls. It is normally<br />
accompanied by further details.<br />
-13 The object was not found An attempt was made to perform an operation on an object,<br />
such as an Active Directory object, but the object did not exist.<br />
For example, this may occur when one administrator deletes a<br />
record that another administrator is about to update, when the<br />
update operation is attempted.<br />
-14 The object already exists An attempt was made to create an object, such as an Active<br />
Directory object, but the object already exists. For example,<br />
this may occur when two administrators try to create the same<br />
record at the same time.<br />
-15 The supplied buffer was of the<br />
incorrect size<br />
An internal data buffer was of insufficient length to hold the<br />
data required.<br />
-16 A version error has occurred A version mismatch has occurred. Further details in the error<br />
record will indicate what versions were mismatched.<br />
-17 The supplied data are invalid General-purpose error when input data to an operation is<br />
incorrect. Further details of the error will be recorded.<br />
-18 The object is invalid An attempt was made to perform an operation upon an object<br />
type that was not recognized.<br />
-19 The command is invalid An attempt was made to perform an operation using a<br />
command that was not recognized.<br />
-20 The object is in use An attempt was made to delete an object, such as an Active<br />
Directory object, but that object was in use.<br />
This may occur when you try to delete a Policy, but another<br />
Policy inherits from the one you are deleting, or a Component<br />
uses the Policy.<br />
-21 The operation is not supported General-purpose error when an operation is attempted on an<br />
object that does not support it. For example, an attempt is<br />
made to generate a Virtual Digipass OTP using a Digipass that<br />
is not enabled for Virtual Digipass.<br />
-22 An object error has occurred General-purpose error on an operation on an object. This<br />
should be supplemented with more specific details.<br />
-23 A required field was missing An operation was attempted without specifying one or more<br />
mandatory input fields.<br />
-24 Auditing failed An operation failed because auditing was mandatory, but failed.<br />
-30 The configuration is invalid The configuration data in the configuration file are invalid. The<br />
error record should indicate which specific data were invalid.<br />
-31 A type mismatch has occurred General-purpose error when one datatype is expected but a<br />
different datatype was provided.<br />
-32 One or more objects were not<br />
initialized<br />
Internal initialization error. More specific error details will be<br />
recorded.<br />
-33 The cache is full An attempt was made to add an entry to a cache, but the cache<br />
has reached its configured maximum size.<br />
-34 The cache entry has reached the maximum reference count An attempt was made to retrieve an item from a<br />
cache, but the item was already in use and the configuration indicates a limit on the number of times an<br />
item can be retrieved from the cache at one time.<br />
-35 The system is currently too busy to service the request The system received a new request for<br />
processing, but hit a resource usage limit of some type. This indicates that the system is too loaded to<br />
handle the request. For example, there may be no spare database connection to use, even after waiting a<br />
short time for one to become available.<br />
-80 A timeout has occurred An operation failed because of a timeout.<br />
-140 A Digipass error has occurred General-purpose failure of a Digipass operation such as OTP<br />
verification, Reset PIN, Unlock, etc. This is normally<br />
accompanied by a more specific error code and message from<br />
the <strong>VACMAN</strong> Controller library.<br />
-150 Delivery of the Virtual Digipass One-<br />
Time Password failed<br />
A Virtual Digipass OTP was generated successfully, but delivery<br />
by text message failed. A separate message will give more<br />
details about the failure.<br />
-200 The license has expired The License Key has an expiration date set, and the date has<br />
passed. A permanent License Key must be obtained.<br />
-201 The license data are invalid One of the details embedded into the License Key is invalid for<br />
the Component in which it is being loaded. The Component will<br />
not be able to use the License Key. This may be IP address,<br />
Component Type, or any other detail that can be seen in the<br />
License Key text.<br />
-202 The License Key is corrupted The signature at the bottom of the License Key is invalid. This<br />
would typically occur if the License Key details were modified in<br />
any way.<br />
-250 Decryption has failed - no Storage Key is specified in the Encryption Settings Some encrypted data has<br />
been created or modified using configured, rather than default, encryption settings. This error occurs when<br />
that data is read by a component that does not have configured encryption settings – the component is<br />
therefore unable to decrypt the data.<br />
It is necessary to configure the encryption settings in the component. See 4 Sensitive Data Encryption<br />
for more information on encryption settings.<br />
-251 Decryption has failed - an incorrect Cipher is specified in the Encryption Settings Some encrypted data<br />
has been created or modified using differently configured encryption settings. This error occurs when that<br />
data is read by a component with configured encryption settings that use a different Cipher Name – the<br />
component is therefore unable to decrypt the data.<br />
It is necessary to make sure that the encryption settings in all components are identical. See 4 Sensitive<br />
Data Encryption for more information.<br />
-252 Decryption has failed - an incorrect Storage Key is specified in the Encryption Settings Some encrypted<br />
data has been created or modified using differently configured encryption settings. This error occurs when<br />
that data is read by a component with configured encryption settings that use a different Storage Key – the<br />
component is therefore unable to decrypt the data.<br />
It is necessary to make sure that the encryption settings in all components are identical. See 4 Sensitive<br />
Data Encryption for more information.<br />
-300 A database error occurred General-purpose error on a database operation. This should be<br />
supplemented with more specific details.<br />
-350 The request received was discarded A replication update that was received was found to be<br />
superseded by a later change. In this case, the update is<br />
discarded, as it is no longer relevant.<br />
This may occur when creating a record, after a record has been<br />
deleted then re-created.<br />
It may occur when modifying a record, if a later modification<br />
occurred before replication could apply the first change.<br />
-351 The request received must be retried A replication update that was received could not be applied<br />
immediately. In this case, the update is rejected. The retry<br />
mechanism at the source server will re-send the update,<br />
according to its configuration settings.<br />
This may occur if a record does not exist yet, when trying to<br />
apply a modification or deletion.<br />
It may occur after a record has been deleted and re-created,<br />
when a modification of the record is replicated but the<br />
sequence of deletion and re-creation has not been followed in<br />
the correct order.<br />
-352 A replication queue entry had an<br />
invalid hash value<br />
When an entry was read from the replication queue before<br />
sending, its integrity hash value check failed. This suggests that<br />
the queue entry may have been modified since it was added to<br />
the queue. In this case, the queue entry is not trusted and an<br />
error is reported.<br />
-353 The replication queue is full An operation failed because it needed to update the database,<br />
but the update could not be added to the Replication queue. If<br />
the queue is full, no database updates are allowed, to avoid the<br />
databases getting too far out of synchronization.<br />
Check the Replication Status dialog in the <strong>Administration</strong> MMC<br />
Interface and the Replication audit messages to investigate why<br />
the queue has become full. It is necessary to reduce the queue<br />
size in order for the system to continue to function.<br />
If this error occurs often, without good reason, consider<br />
increasing the maximum queue size. This can be configured in<br />
the Replication tab of the Authentication Server Configuration<br />
GUI.<br />
-500 The Service was already started When trying to start a Service, the Service was already<br />
running.<br />
-501 The Service was already stopped When trying to stop a Service, the Service was not running.<br />
-10051 File name is blank. No file name was specified.<br />
-10052 Failed to open File. The file could not be opened. The file does not exist or the user<br />
attempting to open the file does not have read permission for<br />
the file.<br />
-10057 User ID is longer than 255 characters. The maximum User ID length has been exceeded.<br />
-10059 Password is longer than 255 characters. The maximum Password length has been exceeded.<br />
-10060 User Name is longer than 64 characters. The maximum User Name length has been exceeded.<br />
-10061 Serial Number is longer than 10 characters. The maximum Serial Number length has been exceeded.<br />
Serial Number must be 10 characters, with no dashes (-) and with leading zeros (0) to make it up to 10<br />
characters.<br />
-10062 Serial Number is less than 10 characters long. The minimum Serial Number length has not been<br />
provided. Serial Number must be 10 characters, with no dashes (-) and with leading zeros (0) to make it up<br />
to 10 characters.<br />
-10063 Serial Number contains non-alphanumeric characters. The Serial Number contains non-alphanumeric<br />
characters. Serial Number must be 10 alphanumeric characters, with no dashes (-).<br />
-10064 Organizational Unit is longer than 255 characters. The maximum Organizational Unit length has been<br />
exceeded.<br />
-10065 Domain is longer than 255 characters. The maximum Domain length has been exceeded.<br />
-10066 Distinguished Name is longer than 1024 characters. The maximum LDAP Distinguished Name (DN) length<br />
has been exceeded.<br />
-10067 Mobile Number is longer than 64 characters. The maximum Mobile Phone length has been exceeded.<br />
-10069 A syntax error occurred reading from the file. A syntax error occurred while reading lines from the<br />
import file: double-quotes were missing; there are too many fields in the line; a comma is missing between<br />
fields.<br />
-10070 The file contains characters that are not UTF-8 encoded. The import file must be fully UTF-8 encoded<br />
when extended or Unicode characters are included. This message indicates that non-UTF-8 characters were<br />
found in the file.<br />
-10072 Phone Number is longer than 64 characters. The maximum Phone Number length has been exceeded.<br />
-10073 Email Address is longer than 64 characters. The maximum Email Address length has been exceeded.<br />
-10074 No User ID was given. Either the User ID or, for Active Directory, the Distinguished Name is needed<br />
to import a user. A User ID must be supplied to import a user. The only exception is when using Active<br />
Directory, where it is sufficient to give the Distinguished Name instead of the User ID.<br />
-10075 The Mobile No. is invalid. Only numbers, spaces, dashes (-) and brackets are allowed, with a + at the<br />
start to indicate a country code if needed. The Mobile Number is only allowed to include numeric<br />
characters, spaces, dashes (-) and brackets (){}[]. In addition a + is allowed at the start for the country<br />
code.<br />
-10076 The Phone No. is invalid. Only numbers, spaces, dashes (-) and brackets are allowed, with a + at the<br />
start to indicate a country code if needed. The Phone Number is only allowed to include numeric characters,<br />
spaces, dashes (-) and brackets (){}[]. In addition a + is allowed at the start for the country code.<br />
-10077 The specified email address contains invalid characters and is not in the form user@domain. The<br />
Email Address is only allowed to include alphanumeric characters, @, dots (.), underscores (_) and dashes<br />
(-).<br />
-10078 The Field Header was not found or invalid when reading from the file. The first line of an import<br />
file must be a header line. The header line is a comma-separated list of field names, indicating which<br />
fields are included in every other line of the file. This message indicates that the header line was not<br />
found, that it included unknown field names or that it was not a comma-separated list of field names.<br />
See the Import User Records topic in the online Help for the <strong>Administration</strong> MMC Interface for a<br />
definition of the import file header format.<br />
18.2 Status Code Listing<br />
Table 73: Status Code List<br />
Status Code Message Notes<br />
0 No error<br />
The status codes from -1 downwards match the Error Codes above.<br />
1000 The credentials were invalid General-purpose failure due to invalid username or<br />
password, when a more specific status is unavailable.<br />
1002 The user failed the Windows Group<br />
Check<br />
The Authentication Server rejected an authentication<br />
request due to the Windows Group Check failing. This<br />
can occur when the effective Windows Group Check option<br />
is Authenticate listed groups, reject others.<br />
Note that the 'effective' setting is the effective setting of<br />
the Policy, unless the Digipass User Account overrides the<br />
Policy.<br />
1004 The challenge has expired A response to challenge has been given, but the expiration<br />
time for the challenge has expired. The default expiration<br />
time is one minute, however this can be configured in the<br />
configuration file VASCO/AAL3/Authlib/Challenge-Cache/Max-Age setting (in seconds).<br />
1005 The user does not have permission to<br />
perform the specified action<br />
General-purpose failure of an administration command<br />
when the administrator does not have sufficient privileges<br />
to carry out the command.<br />
1007 The user account is locked The Digipass User Account is Locked. This is normally due<br />
to consecutive login failures, as determined by the Policy<br />
setting User Lock Threshold. Alternatively the<br />
administrator can actively lock the account.<br />
To unlock the User account, an administrator has to<br />
uncheck the Locked checkbox on the User record.<br />
1008 The One Time Password has already<br />
been used<br />
This status code occurs specifically when an OTP is rejected<br />
because it has already been used. It may also occur when<br />
the OTP has not been used but is older than the most<br />
recently used OTP.<br />
This can sometimes happen when an authentication<br />
request is re-sent automatically.<br />
1009 The user account is disabled The Digipass User Account is Disabled. This may be<br />
because the administrator has actively disabled the<br />
account, or because the corresponding Windows User<br />
account has become disabled or expired.<br />
1010 No user account was found An authentication request was rejected because no Digipass User account<br />
was found and Local Authentication is required by the Policy.<br />
1011 The static password was incorrect As part of Local Authentication, verification of the static<br />
password failed.<br />
1012 The One Time Password was incorrect Verification of the OTP failed. More specific details may be<br />
found in the <strong>VACMAN</strong> Controller error code and message.<br />
1013 The challenge was invalid A response to a challenge was given, but the challenge was<br />
not the latest one issued for that Digipass. This is<br />
controlled by the Check Challenge Policy setting.<br />
1014 The Digipass Grace Period has expired A User attempted to log in with their static password, but<br />
their Grace Period had already expired. They have to use a<br />
Digipass to log in.<br />
If they do not have their Digipass yet, the administrator<br />
will have to allow them more time by modifying the Grace<br />
Period End date on their Digipass record.<br />
1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual Digipass<br />
OTP, but they were not permitted. This would normally<br />
occur when either:<br />
The effective Backup VDP Enabled setting is Yes –<br />
Time Limited, and the Digipass Backup VDP<br />
Enabled Until date is the current date or before.<br />
The Digipass Backup VDP Uses Remaining<br />
counter has reached 0.<br />
In both cases, administrator intervention is required to<br />
permit the User to continue to use Backup Virtual Digipass.<br />
The Enabled Until or Uses Remaining limits need to be<br />
increased to permit this.<br />
Note that the 'effective' setting is the effective setting of<br />
the Policy, unless the Digipass record overrides the Policy.<br />
1016 The Digipass is not available A User attempted Self-Assignment, but the Digipass they<br />
requested either could not be found within the search<br />
scope or was already assigned to someone else.<br />
This may occur because of a mistyped Serial Number.<br />
Otherwise, the search scope may be incorrect or the<br />
Digipass may not be in the correct location to be made<br />
available to the User. See the Location of Digipass<br />
Records section in the Product Guide.<br />
1017 The user account has no mobile number<br />
for Virtual Digipass<br />
1018 No password was supplied for a Virtual<br />
Digipass login<br />
A User requested a Primary or Backup Virtual Digipass<br />
OTP, but it could not be delivered because the User<br />
account had no mobile phone number. In Active Directory<br />
this is the first Mobile No. on the record.<br />
A User attempted a Virtual Digipass login, but did not enter<br />
a password in the second stage of the login. See 10.1.4<br />
Virtual Digipass for more information.<br />
1019 The new password confirmation failed In a password change request, the new password was not<br />
confirmed correctly.<br />
1020 Local authentication failed General-purpose failure of Local Authentication when a<br />
more specific status code is not available. Additional<br />
information should provide more specific details.<br />
1021 Back-end authentication reported that<br />
the password has expired<br />
Back-End Authentication (eg. Windows) failed because<br />
the password was correct but it has expired.<br />
1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A specific<br />
error code and message will accompany this record.<br />
1030 The policy was invalid An authentication request was rejected because the applicable Policy had<br />
invalid settings or failed to load. This should not occur, but is possible due to the delay in Active<br />
Directory replication for example. The two main ways in which a Policy can become invalid are:<br />
One or more choice list settings are Default in the Policy, and its parent Policy if it has one.<br />
A circular chain of Policies has been created, for example: Policy A inherits from Policy B; Policy B<br />
inherits from Policy C; Policy C inherits from Policy A.<br />
The Policy must be fixed in order for authentication to be permitted using that Policy.<br />
1031 The policy does not allow a self-assignment attempt A User attempted Self-Assignment, but it is not<br />
permitted under the Policy.<br />
1032 Hashed passwords cannot be verified by Windows An authentication request could not be processed<br />
successfully because Back-End Authentication using Windows was required, but the User's password was<br />
hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based<br />
protocol is used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that<br />
utilize a one-way hash of the password entered by the User.<br />
Note that the effective Back-End Authentication setting is the effective setting of the Policy, unless<br />
the Digipass User Account overrides the Policy.<br />
1033 A Digipass must be used The effective Local Authentication setting is Digipass<br />
Only and the User tried to log in with a static password.<br />
Note that the 'effective' setting is the effective setting of<br />
the Policy, unless the Digipass User Account overrides the<br />
Policy.<br />
1034 Challenge/Response is not supported by CHAP-based protocols Challenge/Response is only supported in<br />
RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol –<br />
this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.<br />
1035 Challenge/Response is not supported by Windows 2000 This status code can only occur in the Digipass<br />
Plug-In for IAS. There is a product limitation on Windows 2000 only that Challenge/Response is not<br />
supported. It will occur if the User attempted to request a challenge.<br />
1036 1-Step Challenge/Response is disabled A request was made to generate a random challenge for 1-step<br />
Challenge/Response, but the applicable Policy does<br />
not have 1-step Challenge/Response enabled or does not<br />
specify the challenge length and check digit indicator.<br />
1037 Password Autolearn is disabled A request was made to update a user's Stored Password,<br />
but Password Autolearn is disabled, so the update is not<br />
permitted. Password Autolearn must be enabled for the<br />
password update request to be processed.<br />
1038 The administration session ID is not known at this location An administration command has been<br />
received, but the internal session ID is not recognised at the location from which the command came. This<br />
can only occur by attempting to reuse a session ID from another location.<br />
1039 The administration session is no longer active An administration command has been received, but the<br />
session has stopped or is unrecognised. This can occur due to an idle timeout, a maximum session length<br />
timeout or a restart of the Authentication Server.<br />
1040 Back-end authentication returned a Challenge that cannot be handled This can occur when the<br />
Authentication Server forwards a request to a RADIUS Server and the RADIUS Server responds with an<br />
Access-Challenge. An Access-Challenge can only be handled when the Authentication Server forwards the<br />
password unmodified to the RADIUS Server. If the Authentication Server verifies an OTP and forwards the<br />
static password to the RADIUS Server, it is not possible to handle an Access-Challenge from the RADIUS<br />
Server.<br />
It can also occur if you use RADIUS Back-End Authentication for an IIS Module. In that case,<br />
Access-Challenge is not supported from the RADIUS Server.<br />
1041 No Digipass was found for the given<br />
Serial Number<br />
During a Self-Assignment attempt, the Serial Number<br />
provided by the User was not found in the data store. This<br />
mainly occurs when the Serial Number is entered<br />
incorrectly. It can also occur because the Digipass record is<br />
not in the User's Domain or Organizational Unit.<br />
3001 A Digipass Challenge was returned This status code is the standard code when a challenge is<br />
issued and does not indicate any kind of error.<br />
3002 No challenge was identified for the authentication A response to a challenge was given, but no<br />
challenge could be found. The most likely reason for this to occur is that the challenge is too old and<br />
has been removed from the challenge cache. It can also occur if no 'challenge key' was supplied with which<br />
to look up the challenge.<br />
3003 Back-end authentication returned a Challenge This occurs when a RADIUS Server responds with an<br />
Access-Challenge, in a case where the Authentication Server can handle it.<br />
5001 The user failed the Windows Group Check The Authentication Server decided not to handle an<br />
authentication request due to the Windows Group Check failing. This can occur when the effective Windows<br />
Group Check option is Pass requests for users not in listed groups back to host system.<br />
Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account<br />
overrides the Policy.<br />
5002 Neither local nor back-end authentication was done due to policy and/or user settings The<br />
Authentication Server decided not to handle an authentication request because the effective Local<br />
Authentication and Back-End Authentication settings were both None.<br />
Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User<br />
Account overrides the Policy.<br />
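The import-file checks described under codes -10051 to -10078 in Table 72 above can be run before an<br />
import, so that a bad file fails locally with the same code the Authentication Server would report rather<br />
than part-way through an import. The following is an added example written for this reference, not code<br />
from VASCO or the VACMAN Middleware product. The header field names in KNOWN_FIELDS are assumed for the<br />
example (the product's real names are defined in the online Help, which this page only references), the<br />
file is taken as bytes so the UTF-8 check can be made, and the sample file is constructed. It also applies<br />
the Active Directory exception to -10074 and the Serial Number normalisation (no dashes, leading zeros)<br />
that the -10061 and -10062 notes call for.<br />

```python
"""Pre-flight validation of a user import file against the import-file rules of
Table 72 (codes -10051 to -10078), reporting the code the import would give.

Added example for this reference, not VASCO code. The header field names in
KNOWN_FIELDS are ASSUMED (the product's real names are in the online Help, which
this page only references); the sample file is constructed.
"""
import csv
import re

# ASSUMED header names for this example; substitute the names from the online Help.
KNOWN_FIELDS = {"User ID", "Password", "User Name", "Serial Number", "Organizational Unit",
                "Domain", "Distinguished Name", "Mobile Number", "Phone Number", "Email Address"}

# Length limits and the code reported when exceeded (Table 72).
MAX_LEN = {
    "User ID": (255, -10057), "Password": (255, -10059), "User Name": (64, -10060),
    "Organizational Unit": (255, -10064), "Domain": (255, -10065),
    "Distinguished Name": (1024, -10066), "Mobile Number": (64, -10067),
    "Phone Number": (64, -10072), "Email Address": (64, -10073),
}
SERIAL_RE = re.compile(r"^[A-Za-z0-9]{10}$")           # 10 alphanumerics, no dashes
PHONE_RE = re.compile(r"^\+?[0-9 \-(){}\[\]]*$")         # optional leading +, digits, spaces, -, brackets
EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$")  # user@domain, permitted charset only

# Constructed sample import file, as the bytes read from disk. Comments give the
# code each line should trigger.
SAMPLE_IMPORT = (
    "User ID,Serial Number,Mobile Number,Email Address\n"
    "jsmith,0012345678,+32 2 609 9770,jsmith@example.com\n"   # clean
    ",0012345678,,nobody@example.com\n"                       # -10074: no User ID
    "bjones,12345678,+1 (508) 366-3400,bjones@example.com\n"  # -10062: serial too short
    "ckaur,0012-34567,,ckaur@example.com\n"                   # -10063: dash in serial
    "dlee,0012345679,555.1234,dlee at example.com\n"          # -10075 and -10077
    "elam,0012345680,,elam@example.com,extra\n"               # -10069: too many fields
    '"Frank"x,0012345681,,frank@example.com\n'                # -10069: bad quoting
).encode("utf-8")


def normalize_serial(serial):
    """Rewrite a Digipass Serial Number as the -10061/-10062 notes require:
    dashes removed, left-padded with zeros to 10 characters."""
    return serial.replace("-", "").zfill(10)


def validate_import(raw, active_directory=False):
    """Return [(line_no, code), ...] for every problem found; [] means the file is clean.
    line_no 0 is the file as a whole, 1 is the header line. active_directory=True
    applies the -10074 exception: a Distinguished Name may stand in for the User ID."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return [(0, -10070)]
    lines = text.splitlines()
    if not lines:
        return [(1, -10078)]
    header = [h.strip() for h in lines[0].split(",")]
    if any(h not in KNOWN_FIELDS for h in header):     # unknown names, or not comma-separated
        return [(1, -10078)]
    findings = []
    for line_no, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        try:   # strict=True makes stray or unbalanced double-quotes a csv.Error
            row = next(csv.reader([line], strict=True))
        except csv.Error:
            findings.append((line_no, -10069))
            continue
        if len(row) != len(header):                      # missing comma or too many fields
            findings.append((line_no, -10069))
            continue
        rec = dict(zip(header, row))
        if not rec.get("User ID") and not (active_directory and rec.get("Distinguished Name")):
            findings.append((line_no, -10074))
        for field, (limit, code) in MAX_LEN.items():
            if len(rec.get(field, "")) > limit:
                findings.append((line_no, code))
        serial = rec.get("Serial Number", "")
        if len(serial) > 10:
            findings.append((line_no, -10061))
        elif 0 < len(serial) < 10:
            findings.append((line_no, -10062))
        elif serial and not SERIAL_RE.match(serial):
            findings.append((line_no, -10063))
        for field, code in (("Mobile Number", -10075), ("Phone Number", -10076)):
            if rec.get(field) and not PHONE_RE.match(rec[field]):
                findings.append((line_no, code))
        if rec.get("Email Address") and not EMAIL_RE.match(rec["Email Address"]):
            findings.append((line_no, -10077))
    return findings


if __name__ == "__main__":
    for line_no, code in validate_import(SAMPLE_IMPORT):
        print(f"line {line_no}: {code}")
```

Run on the sample file it reports one code per defective line (two for the line with both a bad Mobile<br />
Number and a bad Email Address) and nothing for the clean first record; a file that is not UTF-8 or has an<br />
unknown header stops at the file or header check, as the -10070 and -10078 notes describe.<br />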
19 Technical Support<br />
If you encounter problems with a VASCO product please do the following:<br />
1. Read the How to Troubleshoot topic in the Administrator <strong>Reference</strong> for help in<br />
discovering the source of your problem.<br />
2. Check if your problem is resolved in the Knowledge Base located at the following URL:<br />
http://www.vasco.com/support.<br />
3. If you do not find the information you need in the Knowledge Base, please contact the<br />
company that sold you the VASCO product.<br />
Only after doing these steps, if your needs are still not completely met please contact VASCO<br />
support:<br />
19.1 Support Contact Information<br />
E-mail<br />
support@vasco.com<br />
Website<br />
http://www.vasco.com/support/contacts.html<br />
Phone<br />
Australia +61 2 8920 9666 (Sydney)<br />
Belgium +32 2 609 9770 (Brussels)<br />
Singapore +65 6 232 2727<br />
USA +1 508 366 3400 (Boston)<br />