VACMAN Middleware Administration Reference A4 - Vasco

Modify these field values (right-click and select Fields) to change text throughout the 

document: 

NOTE: Diagrams may appear or disappear depending on these field settings – so BE CAREFUL 

adding and removing diagrams, as you may be stuffing up formatting. 

ADDITIONAL NOTE: Be careful adding and removing text, too. Just because you see something 

in the document that looks like it shouldn't be there, doesn't mean removing it is a smart idea. 

Do a print preview to check if it will show up in the final document before you do anything. 

(the field values are currently just (relatively) rubbish values – modified at times to check that 

text conditions are working correctly)Digipass Pack for Citrix Web Interface 

Modify these field values (right-click and select Fields) to change text throughout the 

document: 

NOTE: Diagrams may appear or disappear depending on these field settings – so BE CAREFUL 

adding and removing diagrams, as you may be stuffing up formatting. 

ADDITIONAL NOTE: Be careful adding and removing text, too. Just because you see something 

in the document that looks like it shouldn't be there, doesn't mean removing it is a smart idea. 

Do a print preview to check if it will show up in the final document before you do anything. 

(the field values are currently just (relatively) rubbish values – modified at times to check that 

text conditions are working correctly) 

VACMAN Middleware 

Authentication Server 

Starter 

RADIUS 

RADIUS 

ODBCAD 

Digipass Authentication Server 

dpauthserver.xml 

VACMAN Middleware 3 


VACMAN Middleware 

RADIUS 

RADIUS 

Starter 

ODBCAD 

Digipass Authentication Server 

dpauthserver.xml 

VACMAN Middleware 3 

A dministrator Reference

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

RADIUS Documentation Disclaimer 

The RADIUS documentation featured in this manual is focused on supplying required 

information pertaining to the RADIUS server and its operation in the VACMAN Middleware 

environment. It is recommended that further information be gathered from your NAS/RAS 

vendor for information on the use of RADIUS. 

Copyright 

© 2007 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2007 VASCO Data Security Inc. 2

VACMAN Middleware Administrator Reference Table of Contents 

Table of Contents 

1 Introduction........................................................................................................ 12 

1.1 Available Guides....................................................................................................... 12 

1.2 System Requirements............................................................................................... 12 

1.2.1 Requirements Specific to Active Directory................................................................. 12 

1.2.2 Requirements Specific to ODBC Database................................................................. 13 

1.3 Software Components............................................................................................... 14 

1.3.1 Required Components........................................................................................... 14 

1.3.2 Optional Components............................................................................................ 15 

1.3.3 Extra Utilities....................................................................................................... 15 

2 Active Directory Schema......................................................................................17 

2.1 Schema Extensions................................................................................................... 17 

2.1.1 Added Object Classes............................................................................................ 17 

2.1.2 Added Attributes.................................................................................................. 17 

2.1.3 Added Permission Property Sets.............................................................................. 20 

2.2 Active Directory Auditing.......................................................................................... 21 

2.3 Custom Search Options............................................................................................. 22 

2.3.1 Saved Queries...................................................................................................... 22 

2.3.2 Using the Custom Search for Digipass...................................................................... 23 

2.3.3 Using the Custom Search for Users......................................................................... 24 

2.4 Active Directory Replication Issues........................................................................... 26 

2.4.1 Old Data Used After Attribute Modified..................................................................... 26 

2.4.1.1 Single Authentication Server using more than one Domain Controller...................................... 26 

2.4.1.2 Administrator and Authentication Server using different Domain Controllers............................. 27 

2.4.1.3 Multiple Authentication Servers Using Different Domain Controllers......................................... 27 

2.4.1.4 Two Administrators Modifying the Same Attribute................................................................. 27 

2.4.2 Old Data Used Overwrites New Data........................................................................ 28 

2.4.3 Factors Affecting Replication Issues......................................................................... 28 

2.4.4 Solutions and Mitigations....................................................................................... 29 

2.4.4.1 Digipass Cache.................................................................................................................29 

2.5 DPADadmin Utility.................................................................................................... 30 

2.5.1 Extend Active Directory Schema............................................................................. 30 

2.5.2 Set Up Digipass Containers in Domain..................................................................... 32 

2.5.2.1 Prerequisite Information.................................................................................................... 32 

2.5.2.2 Set Up Digipass Configuration Container.............................................................................. 32 

2.5.2.3 Command Syntax............................................................................................................. 32 

2.5.3 Assign Digipass Permissions to a Group................................................................... 32 

2.5.3.1 Pre-requisites...................................................................................................................32 

2.5.3.2 Command Syntax............................................................................................................. 33 

2.5.4 Delete all Digipass-Related Data from Active Directory............................................... 33 

2.5.4.1 Run Delete Script on a Domain...........................................................................................33 

3 ODBC Database....................................................................................................35 

3.1 Database Support..................................................................................................... 35 

3.1.1 Unicode Support................................................................................................... 35 

3.2 Embedded Database.................................................................................................. 36 

3.2.1 Service Account.................................................................................................... 36 

3.2.2 Database Administration Account............................................................................ 36 

3.2.3 Database Administration........................................................................................ 37 



3.2.3.1 Changing the Digipass User's Password............................................................................... 37 

3.2.4 Connection Limitations.......................................................................................... 37 

3.3 Database Schema...................................................................................................... 38 

3.3.1 vdsControl Table.................................................................................................. 38 

3.3.2 vdsUser Table...................................................................................................... 39 

3.3.3 vdsUserAttr Table................................................................................................. 39 

3.3.4 vdsDigipass Table................................................................................................. 40 

3.3.5 vdsDPApplication Table.......................................................................................... 40 

3.3.6 vdsPolicy Table..................................................................................................... 41 

3.3.7 vdsComponent Table............................................................................................. 42 

3.3.8 vdsBackEnd Table................................................................................................. 42 

3.3.9 vdsDomain Table.................................................................................................. 43 

3.3.10 vdsOrgUnit Table.................................................................................................. 43 

3.4 Encoding and Case-Sensitivity................................................................................... 44 

3.5 Domains and Organizational Units............................................................................. 44 

3.5.1 Domains.............................................................................................................. 45 

3.5.1.1 Master Domain.................................................................................................................45 

3.5.1.2 Identifying the Domain for a Login Attempt..........................................................................46 

3.5.2 Organizational Units.............................................................................................. 47 

3.6 Database User Accounts............................................................................................ 48 

3.6.1 Permissions on the Tables...................................................................................... 48 

3.6.2 Access to Another Schema..................................................................................... 49 

3.6.2.1 Modify vdsControl Table.....................................................................................................49 

3.7 Database Connection Handling.................................................................................. 50 

3.7.1 Multiple Data Sources............................................................................................ 50 

3.7.2 Max. Connections................................................................................................. 50 

3.7.3 Connection Wait Time........................................................................................... 51 

3.7.4 Idle Timeout........................................................................................................ 51 

3.7.5 Enable Load Sharing............................................................................................. 51 

3.7.6 Reconnect Intervals.............................................................................................. 51 

3.8 DPDBadmin............................................................................................................... 52 

3.8.1 Modify Database Schema....................................................................................... 52 

3.8.2 Check Database Modifications................................................................................. 54 


3.8.2.2 Check the Database Structure............................................................................................ 54 

3.8.2.3 Command Line Syntax...................................................................................................... 54 

3.8.3 Remove Database Modifications.............................................................................. 55 


3.8.3.2 Modify Database Structure.................................................................................................55 

3.8.3.3 Command Line Syntax...................................................................................................... 55 

3.8.4 Create Emergency Administrator Account................................................................. 56 

3.8.5 Rescue Authentication Server Component................................................................ 57 

4 Sensitive Data Encryption....................................................................................59 

4.1.1 Encrypted Data – Active Directory........................................................................... 59 

4.1.2 Encrypted Data – ODBC and Embedded Database..................................................... 59 

4.1.3 Which Encryption Algorithms can be used?............................................................... 59 

4.1.4 Exporting Encryption Settings................................................................................. 59 

5 Set Up Active Directory Permissions....................................................................61 

5.1 Permissions Needed by the Authentication Server..................................................... 61 



5.1.1 Giving Permissions to the Authentication Server........................................................ 61 

5.2 Permissions Needed by Administrators..................................................................... 62 

5.2.1 Domain Administrators.......................................................................................... 62 

5.2.2 Delegated Administrators....................................................................................... 62 

5.2.3 Reduced-Rights Administrators............................................................................... 62 

5.2.4 System Administrators.......................................................................................... 63 

5.3 Assign Administration Permissions to a User ............................................................ 63 

5.5 Multiple Domains...................................................................................................... 66 

5.5.1 Scenario 1 – Each Authentication Server Handles One Domain.................................... 66 

5.5.2 Scenario 2 – One Authentication Server Handles All Domains...................................... 67 

5.5.3 Scenario 3 - Combination....................................................................................... 67 

6 Backup and Recovery.......................................................................................... 68 

6.1 What Must be Backed Up........................................................................................... 68 

6.1.1 Configuration files................................................................................................. 68 

6.1.2 Web Sites............................................................................................................ 69 

6.1.3 Audit Log Data..................................................................................................... 69 

6.1.3.1 Write to Text File..............................................................................................................69 

6.1.3.2 Write to ODBC Database....................................................................................................69 

6.1.3.3 Write to Windows Event Log...............................................................................................70 

6.1.4 DPX files............................................................................................................. 70 

6.1.5 Active Directory.................................................................................................... 70 

6.1.5.1 Cold Backup.....................................................................................................................70 

6.1.6 ODBC and Embedded Database.............................................................................. 71 

6.1.6.1 Data Source Settings........................................................................................................ 71 

6.1.6.2 Backup Strategies.............................................................................................................71 

6.1.6.3 Backup of Embedded Database...........................................................................................71 

6.2 Recovery................................................................................................................... 73 

6.2.1 Active Directory.................................................................................................... 73 

6.2.2 ODBC or Embedded Database................................................................................ 74 

6.2.2.1 Rebuild Authentication Server, Database Undamaged............................................................ 74 

6.2.2.2 Restore Database, Authentication Server Undamaged............................................................75 

6.2.2.3 Rebuild Authentication Server, Restore Database.................................................................. 76 

6.2.2.4 Copy Database from Other Authentication Server................................................................. 78 

6.2.2.5 Rebuild Authentication Server, Copy Database......................................................................80 

7 Field Listings....................................................................................................... 82 

7.1 User Property Sheet.................................................................................................. 82 

7.2 User Authorization Profiles/Attributes Window......................................................... 84 

7.3 Digipass Property Sheet............................................................................................ 85 

7.4 Digipass Application Tab........................................................................................... 86 

7.5 Policy Property Sheet................................................................................................ 87 

7.6 Component Property Sheet....................................................................................... 94 

7.7 Back-End Server Property Sheet................................................................................ 95 

7.8 Domain Property Sheet............................................................................................. 96 

7.9 Organizational Unit Property Sheet........................................................................... 96 

7.10 Data Changes Requiring a Restart............................................................................. 97 

7.10.1 Changes to the Data Store..................................................................................... 97 

7.10.1.1 ODBC or Embedded Database............................................................................................ 97 

7.10.1.2 Active Directory................................................................................................................97 

7.10.1.3 Automatic Re-Loading of Cached Data................................................................................. 98 

7.10.1.4 Cached Data List.............................................................................................................. 98 



7.10.2 Changes to Configuration Settings.......................................................................... 98 

8 Licensing........................................................................................................... 100 

8.1 How is Licensing Handled?...................................................................................... 100 

8.2 Licensing Parameters.............................................................................................. 101 

8.2.1 Sample License File............................................................................................. 101 

8.3 View License Information........................................................................................ 101 

8.4 Obtain and Load a License Key................................................................................ 102 

8.5 Change IP Address.................................................................................................. 103 

8.5.1 IP Address Already Changed................................................................................. 104 

9 Web Sites.......................................................................................................... 107 

9.1 Customizing the Web Sites...................................................................................... 107 

9.2 CGI Program........................................................................................................... 107 

9.2.1 Configuration Settings......................................................................................... 107 

9.3 Form Fields............................................................................................................. 109 

9.3.1 User Self Management Web Site........................................................................... 109 

9.3.1.1 Registration – Main Pages................................................................................................ 109 

9.3.1.2 Registration – Challenge Page.......................................................................................... 111 

9.3.1.3 PIN Change....................................................................................................................112 

9.3.1.4 Login Test – Main Page.................................................................................................... 113 

9.3.1.5 Login Test – Challenge Page.............................................................................................114 

9.3.2 OTP Request Site................................................................................................ 114 

9.3.2.1 Request Page................................................................................................................. 114 

9.4 Query String Variables............................................................................................ 115 

9.4.1 Failure/Error Handling......................................................................................... 115 

9.4.2 Query String Variable List.................................................................................... 116 

9.4.3 Return Code Listing............................................................................................. 117 

9.4.3.1 API Return Codes............................................................................................................117 

9.4.3.2 CGI Errors..................................................................................................................... 117 

9.4.3.3 Internal Errors................................................................................................................118 

10 Login Options.................................................................................................... 119 

10.1 Login Permutations................................................................................................. 119 

10.1.1 Response Only – PAP........................................................................................... 120 

10.1.2 Response Only – CHAP/MS-CHAP.......................................................................... 121 

10.1.3 Challenge/Response............................................................................................ 122 

10.1.4 Virtual Digipass.................................................................................................. 123 

11 Configuration Settings.......................................................................................124 

11.1 Authentication Server............................................................................................. 124 

11.1.1 Set Component Location...................................................................................... 124 

11.1.2 Administration Connections.................................................................................. 124 

11.1.3 Library Path and Type.......................................................................................... 124 

11.1.4 RADIUS............................................................................................................. 124 

11.1.5 Turn Tracing On or Off......................................................................................... 125 

11.1.6 Active Directory Connection.................................................................................. 126 

11.1.6.1 Configuration Domain......................................................................................................126 

11.1.6.2 Domains List.................................................................................................................. 126 

11.1.7 ODBC Connection............................................................................................... 128 

11.1.7.1 Connect to an ODBC Database..........................................................................................128 

11.1.7.2 Connection Settings........................................................................................................ 128 



11.1.7.3 User ID and Domain Conversion....................................................................................... 129 

11.1.7.4 Master Domain............................................................................................................... 130 

11.1.7.5 Domains and Organizational Units.....................................................................................131 

11.1.8 Auditing............................................................................................................ 132 

11.1.9 Data Encryption.................................................................................................. 133 

11.1.10 Replication......................................................................................................... 134 

11.1.10.1Enable Replication...........................................................................................................134 

11.1.10.2Set up Replication to Another Authentication Server............................................................ 134 

11.1.10.3Configure Local Replication Settings.................................................................................. 134 

11.1.11 Virtual Digipass Text Message............................................................................... 135 

11.1.12 Configuration File................................................................................................ 136 

11.2 MDC........................................................................................................................ 140 

11.2.1 Required Information.......................................................................................... 140 

11.2.2 MDC Configuration GUI........................................................................................ 140 

11.2.2.1 Modify Gateway Account Login Details............................................................................... 140 

11.2.2.2 Configure Internet Connection Details................................................................................140 

11.2.2.3 Configure Tracing............................................................................................................141 

11.2.2.4 Import HTTP Gateway settings..........................................................................................142 

11.2.2.5 Edit Advanced Settings.................................................................................................... 142 

11.2.2.6 Export HTTP Gateway settings.......................................................................................... 142 

11.2.2.7 Gateway Result Pages..................................................................................................... 143 

11.2.3 MDC Configuration File........................................................................................ 146 

11.2.4 Configuration Settings......................................................................................... 147 

11.3 CGI......................................................................................................................... 148 

11.4 Digipass TCL Command Line Utility.......................................................................... 148 

12 Auditing.............................................................................................................149 

12.1 Text File.................................................................................................................. 149 

12.1.1 Text File Name Variables...................................................................................... 149 

12.1.2 Configure Auditing to Text File.............................................................................. 149 

12.2 Windows Event Log................................................................................................. 151 

12.3 ODBC Audit Message Database................................................................................ 152 

12.3.1 Set up ODBC Database........................................................................................ 152 

12.3.1.1 Create database............................................................................................................. 152 

12.3.1.2 Create database schema..................................................................................................152 

12.3.1.3 Create Database Account(s)............................................................................................. 153 

12.3.1.4 Create DSN on Authentication Server machine....................................................................153 

12.3.1.5 Create DSN on Audit Viewer machine................................................................................ 153 

12.3.2 Configure Authentication Server............................................................................ 153 

12.3.3 Configure Audit Viewer........................................................................................ 154 

12.4 Live Connection - Authentication Server to Audit Viewer......................................... 155 

12.4.1 Configure Authentication Server............................................................................ 155 

12.4.2 Configure Audit Viewer........................................................................................ 155 

13 Tracing.............................................................................................................. 156 

13.1 Trace Message Types.............................................................................................. 156 

13.2 Trace Message Levels.............................................................................................. 157 

13.3 Trace Message Contents.......................................................................................... 157 

14 Digipass TCL Command-Line Administration......................................................158 

14.1 Introduction........................................................................................................... 158 

14.1.1 Knowledge Requirements..................................................................................... 158 

14.1.2 Data Store Connection......................................................................................... 159 



14.2 Using DPADMINCMD – Basics.................................................................................. 160 

14.2.1 Using an Interactive TCL Command Prompt............................................................ 160 

14.2.2 Running a Script................................................................................................. 161 

14.2.3 Help.................................................................................................................. 162 

14.2.4 Command Parameters......................................................................................... 162 

14.2.5 Result Output..................................................................................................... 162 

14.2.6 Error Handling.................................................................................................... 163 

14.2.7 International Characters...................................................................................... 163 

14.2.8 Syntax Notes..................................................................................................... 163 

14.2.9 Sample Scripts................................................................................................... 164 

14.3 Configuration File.................................................................................................... 166 

14.3.1 Sample Configuration File.................................................................................... 166 

15 Replication........................................................................................................ 167 

15.1 Concepts................................................................................................................. 167 

15.1.1 Replication Queue............................................................................................... 168 

15.1.2 Record-level Replication....................................................................................... 168 

15.1.3 Replication Process............................................................................................. 168 

15.1.4 Connection Handling........................................................................................... 169 

15.1.4.1 Component Record..........................................................................................................170 

15.1.5 Monitoring Replication......................................................................................... 170 

15.1.5.1 Auditing.........................................................................................................................170 

15.1.5.2 Administration MMC Interface...........................................................................................170 

15.1.6 Forwarding Replication Entries.............................................................................. 171 

15.2 Configuring Replication .......................................................................................... 172 

15.2.1 Active Directory.................................................................................................. 172 

15.2.2 ODBC Database.................................................................................................. 173 

15.2.2.1 Configure Replication to a Second Authentication Server...................................................... 173 

15.2.2.2 Configure Replication to a Third or Subsequent Authentication Server....................................174 

15.2.2.3 Add Redundant Replication...............................................................................................175 

16 How to troubleshoot..........................................................................................176 

16.1 View Audit Information........................................................................................... 176 

16.1.1 Windows Event Log............................................................................................. 176 

16.1.2 Text file ............................................................................................................ 176 

16.1.3 ODBC Database.................................................................................................. 176 

16.2 Tracing................................................................................................................... 177 

16.2.1 Authentication Server.......................................................................................... 177 

16.2.2 Web Sites.......................................................................................................... 177 

16.2.2.1 Enable Tracing................................................................................................................177 

16.2.2.2 Trace File Permissions..................................................................................................... 177 

16.2.3 Message Delivery Component............................................................................... 180 

16.2.3.1 Enable Tracing................................................................................................................180 

16.3 Open Port Numbers on Firewall............................................................................... 180 

16.3.1 Incoming Ports................................................................................................... 180 

16.3.2 Outgoing Ports................................................................................................... 181 

16.4 Installation Check................................................................................................... 181 

16.4.1 Installation Log File............................................................................................. 181 

16.4.2 Registry Entries.................................................................................................. 182 

16.4.3 Check Permissions.............................................................................................. 183 

16.4.4 Authentication Server Registered in Active Directory Domain..................................... 183 



16.4.5 Default Policy and Component Created................................................................... 184 

17 Audit Messages..................................................................................................185 

17.1 Audit Message Listing............................................................................................. 185 

17.2 Audit Message Fields............................................................................................... 194 

18 Error and Status Codes......................................................................................196 

18.1 Error Code Listing................................................................................................... 196 

18.2 Status Code Listing................................................................................................. 200 

19 Technical Support..............................................................................................204 

19.1 Support Contact Information................................................................................... 204 



Index of Tables 

Table 1: Custom Active Directory Object Classes...............................................................................................17 

Table 2: Custom Active Directory Object Attributes............................................................................................17 

Table 3: Custom Active Directory Permission Property Sets................................................................................ 20 

Table 4: Saved Queries in Active Directory Users and Computers........................................................................ 22 

Table 5: Custom Active Directory Search criteria - Digipass................................................................................ 23 

Table 6: Custom Active Directory Search criteria - Users.................................................................................... 25 

Table 7: DPADadmin addschema Command Line Options................................................................................... 31 

Table 8: DPADadmin setupdomain Command Line Options................................................................................. 32 

Table 9: DPADadmin setupaccess Command Line Options.................................................................................. 33 

Table 10: ODBC Database Tables.................................................................................................................... 38 

Table 11: vdsControl Table.............................................................................................................................38 

Table 12: vdsUser Table................................................................................................................................ 39 

Table 13: vdsUserAttr Table........................................................................................................................... 39 

Table 14: vdsDigipass Table........................................................................................................................... 40 

Table 15: vdsDPApplication Table....................................................................................................................40 

Table 16: vdsPolicy Table...............................................................................................................................41 

Table 17: vdsComponent Table.......................................................................................................................42 

Table 18: vdsBackEnd Table...........................................................................................................................42 

Table 19: vdsDomain Table............................................................................................................................ 43 

Table 20: vdsOrgUnit Table............................................................................................................................ 43 

Table 21: Table Permissions Required..............................................................................................................48 

Table 22: Table Names in vdsControl...............................................................................................................50 

Table 23: DPDBadmin addschema Command Line Options..................................................................................53 

Table 24: DPDBadmin checkschema Command Line Options...............................................................................54 

Table 25: DPDBadmin dropschema Command Line Options................................................................................ 55 

Table 26: DPDBadmin rescueadmin Command Line Options................................................................................56 

Table 27: DPDBadmin rescueserver Command Line Options................................................................................58 

Table 28: Encrypted Data Attributes – Active Directory...................................................................................... 59 

Table 29: Encrypted Data Attributes – ODBC and Embedded Database.................................................................59 

Table 30: User Fields.....................................................................................................................................82 

Table 31: User Attribute Fields........................................................................................................................84 

Table 32: Digipass Fields................................................................................................................................85 

Table 33: Digipass Application Fields............................................................................................................... 86 

Table 34: Policy Fields................................................................................................................................... 87 

Table 35: Component Fields........................................................................................................................... 94 

Table 36: Back-End Server Fields....................................................................................................................95 

Table 37: Domain Fields................................................................................................................................ 96 

Table 38: Organizational Unit Fields.................................................................................................................96 

Table 39: License Parameters for VACMAN Middleware.....................................................................................101 

Table 40: Configuration Settings for CGI Program............................................................................................108 

Table 41: Form Fields for Main Registration Page.............................................................................................109 

Table 42: Form Fields for Registration Challenge Page......................................................................................111 



Table 43: Form Fields for Server PIN Change Page.......................................................................................... 112 

Table 44: Form Fields for Main Login Test Page............................................................................................... 113 

Table 45: Form Fields for Login Test Challenge Page........................................................................................ 114 

Table 46: Form Fields for OTP Request Page................................................................................................... 114 

Table 47: Query String Variable List...............................................................................................................116 

Table 48: API Return Codes..........................................................................................................................117 

Table 49: CGI Error Return Codes................................................................................................................. 117 

Table 50: Internal Error Codes...................................................................................................................... 118 

Table 51: Login Permutations - Response Only PAP (1).................................................................................... 120 

Table 52: Login Permutations - Response Only PAP (2).................................................................................... 121 

Table 53: Login Permutations - Response Only CHAP....................................................................................... 121 

Table 54: Login Permutations – Challenge/Response........................................................................................122 

Table 55: Login Permutations – Virtual Digipass.............................................................................................. 123 

Table 56: MDC Audit Message Variables......................................................................................................... 145 

Table 57: Message Delivery Component Configuration Settings......................................................................... 147 

Table 58: Audit Text File Name/Path Variables................................................................................................ 149 

Table 59: Required Audit Database Tables......................................................................................................152 

Table 60: vdsAuditMessage Required Fields.................................................................................................... 152 

Table 61: vdsAuditMsgField Required Fields.................................................................................................... 153 

Table 62: Tracing Message Types.................................................................................................................. 156 

Table 63: Tracing Message Levels..................................................................................................................157 

Table 64: Tracing Message Contents..............................................................................................................157 

Table 65: DPADMINCMD Help Commands.......................................................................................................162 

Table 66: List of Incoming Ports Used by the Authentication Server................................................................... 180 

Table 67: List of Outgoing Ports Used by the Authentication Server................................................................... 181 

Table 68: Registry Entries............................................................................................................................ 182 

Table 69: Permissions Required.....................................................................................................................183 

Table 70: Audit Messages List....................................................................................................................... 185 

Table 71: Audit Messages Fields....................................................................................................................194 

Table 72: Error Code List..............................................................................................................................196 

Table 73: Status Code List............................................................................................................................200 


VACMAN Middleware Administrator Reference Introduction 

1 Introduction 

1.1 Available Guides 

The following VACMAN Middleware guides are available: 

Product Guide 

The Product Guide will introduce you to the features and concepts of VACMAN Middleware and 

the various options you have for using it. 

Installation Guide 

Use this guide when planning and working through an installation of VACMAN Middleware. 

Getting Started 

To get you up and running quickly with a simple installation and setup of VACMAN Middleware. 

Administrator Reference 

In-depth information required for administration of VACMAN Middleware. This includes 

references such as data attribute lists, backup and recovery and utility commands. 

Data Migration Tool Guide 

Takes you through a data migration from one VASCO product to another, using the VASCO 

Data Migration Tool. 

Help Files 

Context-sensitive help accompanies the administration interfaces. 

1.2 System Requirements 

Operating System 

Windows Server 2003 (32-bit version only) with Service Pack 1 or above, or 

Windows XP Professional (32-bit version only) with Service Pack 2 or above, or 

Windows 2000 with Service Pack 4 or above 

Language 

VACMAN Middleware is designed to function on any language version of Windows. 

However, the product has only been comprehensively tested on English language 

versions of Windows. 

1.2.1 Requirements Specific to Active Directory 

Digipass Extension for Active Directory Users and Computers 

Active Directory Users and Computers Snap-In 



Active Directory set up for SSL 

In the following cases, SSL must be available for VACMAN Middleware components to connect 

to Active Directory: 

Authentication Server not installed on a Domain Controller. 

Administration Interfaces not installed on a Domain Controller. 

Authentication Server and/or Administration Interface(s) on a Domain Controller, but 

accessing data in another domain. 

An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows 

Certificate Services is available as an optional Windows component. 

However, if you do not wish to install a CA, you can select during installation not to use SSL. 

1.2.2 Requirements Specific to ODBC Database 

VACMAN Middleware will support most modern ODBC-compliant relational, transactional 

databases. It has been tested on the following databases: 

Oracle 9i 

Microsoft SQL Server 2000 

Microsoft SQL Server 2005 

DB2 8.1 

Sybase Adaptive Server Anywhere 9.0 

PostgreSQL 8.1.3 



1.3 Software Components 

VACMAN Middleware consists of various components, some necessary and some optional. 

1.3.1 Required Components 


This is a Service that performs the authentication processing. It can receive authentication 

requests using the RADIUS protocol and requests from the IIS Module. If its data store is a 

database rather than Active Directory, administration is also carried out through the 

Authentication Server. For IIS Module and administration requests, a proprietary, encrypted, 

TCP/IP-based protocol is used. 

IIS Module (Web authentication only) 

For Web authentication, the IIS Module must be installed onto the web server. It is responsible 

for intercepting authentication requests and referring them to the Authentication Server. 

Data Store 

All information required by VACMAN Middleware is stored in Active Directory or an ODBCcompliant 

database. An embedded PostgreSQL database option is provided with VACMAN 

Middleware. The data store to be used is selected during installation. 

Using Active Directory, administration is carried out by direct connection to the directory. 

Using a database, administration is carried out using the Authentication Server. 

Administration MMC Interface 

This interface is used in slightly different ways, depending on the data store used by VACMAN 

Middleware. 

Active Directory 

If Active Directory is used as the data store, the Administration MMC Interface will be used for 

administration of Policy, Component and Back-End Server records. 

ODBC Database (including embedded database) 

If an ODBC database is used as the data store, the Administration MMC Interface will be used 

for administration of all VASCO data. 


A VASCO Extension to the Active Directory Users and Computers interface allows 

administration of additional User settings and Digipass records integrated with standard Active 

Directory User administration. This is only available when Active Directory is used as the data 

store for VACMAN Middleware. 

Audit System 

The Authentication Server provides a comprehensive audit trail of significant processing events 

such as successful and failed authentication attempts. The audit messages can be written to 



text files, the Windows Event Log and/or an ODBC-compliant database. 

In addition it is possible to connect directly from an Audit Viewer (see below) to the 

Authentication Server, to receive a live feed of audit messages as they are generated. 

1.3.2 Optional Components 

Audit Viewer 

The Audit Viewer is a Windows application that can display and filter audit messages from the 

Authentication Server. It can read the data from text files and ODBC databases, or receive a 

live feed from the Authentication Server. 

Virtual Digipass 

The VASCO components used for Virtual Digipass are: 

Message Delivery Component 

This is a Service that is responsible for delivering One Time Passwords through a text message 

HTTP gateway to a User’s mobile phone. 

OTP Request Site 

This is a miniature web site that allows a User to request a Virtual Digipass OTP to be sent to 

their mobile phone. 

User Self Management Web Site 

This is a miniature web site that allows Users to make appropriate changes to their own 

Digipass settings, such as PIN changes. This is used in a RADIUS environment, when the 

normal authentication requests are made using a CHAP-based protocol and therefore PIN 

changes and other 'self-management' features are not possible. 

Digipass TCL Command-Line Administration 

Administration may also be carried out using Digipass TCL Command-Line Administration 

Utility, which allows interactive command-line and scripted administration of VACMAN 

Middleware data. 

1.3.3 Extra Utilities 

These extra utilities may be used with VACMAN Middleware, but require separate installations. 

Data Migration Tool 

The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your 

data from one VASCO product to another. 

For VACMAN Middleware 3.0, it is also used for other purposes. It is used to upgrade from 

version 2.3 to 3.0, as there are significant data model changes between those versions. It is 

also used to migrate data from an embedded database to another ODBC-compliant database, 

or from a database to Active Directory. 

RADIUS Client Simulator 

The RADIUS Client Simulator is a program that simulates RADIUS Authentication and 



Accounting processing in a similar fashion to 'real' RADIUS clients. The RADIUS Client 

Simulator can be used to test Digipass authentication or to estimate performance. 


VACMAN Middleware Administrator Reference Active Directory Schema 

2 Active Directory Schema 

2.1 Schema Extensions 

The following tables document the changes required by VACMAN Middleware to the Active 

Directory schema when AD is used as the data store. 

2.1.1 Added Object Classes 

Table 1: Custom Active Directory Object Classes 

Attribute Type Location Explanation 

vasco-UserExt Aux. 

Class 

vasco-DPToken Class Unassigned – Optional 

User record Extra VASCO attributes are added to an Active Directory 

User record via an 'auxiliary class' vasco-UserExt on the 

User class. 

Assigned – with User 

record 

The vasco-DPToken class is used to store Digipass 

attributes. It is also a container, in which vasco- 

DPApplication records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored 

in the same location as the User. 

vasco-DPApplication Class Within Digipass record This class is used to store Digipass Application attributes, 

such as Server PIN and expected OTP length. 

vasco-Policy Class Digipass Configuration 

Container 

vasco-Component Class Digipass Configuration 

Container 

vasco-BackEndServer Class Digipass Configuration 

Container 

2.1.2 Added Attributes 

Table 2: Custom Active Directory Object Attributes 

Name Class 

vasco-SerialNumber vasco-DPToken 

vasco-TokenType vasco-DPToken 

vasco-ApplicationNames vasco-DPToken 

vasco-ApplicationTypes vasco-DPToken 

vasco-LinkVascoDigipassToUserExt vasco-DPToken 

vasco-TokenAssignedDate vasco-DPToken 

vasco-GracePeriod vasco-DPToken 

vasco-EnableBVDP vasco-DPToken 

vasco-BVDPExpiryDate vasco-DPToken 

vasco-BVDPUsesLeft vasco-DPToken 

vasco-DirectAssignOnly vasco-DPToken 

vasco-AdditionalAttribute vasco-DPToken 

vasco-SerialNumber vasco-DPApplication 

vasco-ApplicationName vasco-DPApplication 

vasco-ApplicationNumber vasco-DPApplication 

Policy attributes. Attributes will commonly be shared via 

inheritance. 

Component attributes include the License Key for 

Authentication Server Components. 

Information required for connection to back-end servers. 



Name Class 

vasco-ApplicationType vasco-DPApplication 

vasco-DPBlob vasco-DPApplication 

vasco-Active vasco-DPApplication 

vasco-LinkUserExtToVascoDigipass vasco-UserExt 

vasco-LinkUserExtToUser vasco-UserExt 

vasco-StaticPassword vasco-UserExt 

vasco-LocalAuth vasco-UserExt 

vasco-BackEndServerAuth vasco-UserExt 

vasco-Disable vasco-UserExt 

vasco-Profile Vasco-UserExt 

vasco-CreateTime Vasco-UserExt 

vasco-ModifyTime Vasco-UserExt 

vasco-ID vasco-BackEndServer 

vasco-Protocol vasco-BackEndServer 

vasco-Domain vasco-BackEndServer 

vasco-Priority vasco-BackEndServer 

vasco-Retries vasco-BackEndServer 

vasco-AcctIPAddress vasco-BackEndServer 

vasco-AcctPort vasco-BackEndServer 

vasco-AdditionalAttribute vasco-BackEndServer 

vasco-AuthIPAddress vasco-BackEndServer 

vasco-SharedSecret vasco-BackEndServer 

vasco-Timeout vasco-BackEndServer 

Version-Number vasco-BackEndServer 

vasco-ID vasco-Component 

vasco-Location vasco-Component 

vasco-LinkComponentToPolicy vasco-Component 

vasco-Protocol vasco-Component 

vasco-ComponentType vasco-Component 

vasco-PublicKey vasco-Component 

vasco-AdditionalAttribute vasco-Component 

vasco-SharedSecret vasco-Component 

vasco-TCPPort vasco-Component 

Version-Number vasco-Component 

vasco-AdditionalAttribute vasco-Policy 

vasco-AllowedApplType vasco-Policy 

vasco-AllowedDPTypes vasco-Policy 

vasco-ApplicationNames vasco-Policy 

vasco-AssignmentMode vasco-Policy 

vasco-AssignSearchUpOUPath vasco-Policy 

vasco-Autolearn vasco-Policy 

vasco-BackEndAuth vasco-Policy 



Name Class 

vasco-BackupVDPRequestKeyword vasco-Policy 

vasco-BackupVDPRequestMethod vasco-Policy 

vasco-BVDPMaximumDays vasco-Policy 

vasco-BVDPMaximumUses vasco-Policy 

vasco-ChallengeRequestKeyword vasco-Policy 

vasco-ChallengeRequestMethod vasco-Policy 

vasco-CheckChallenge vasco-Policy 

vasco-ChkInactDays vasco-Policy 

vasco-Description vasco-Policy 

vasco-Domain vasco-Policy 

vasco-DUR vasco-Policy 

vasco-EnableBVDP vasco-Policy 

vasco-EventWindow vasco-Policy 

vasco-GracePeriod vasco-Policy 

vasco-GroupCheckMode vasco-Policy 

vasco-GroupList vasco-Policy 

vasco-ID vasco-Policy 

vasco-IThreshold vasco-Policy 

vasco-ITimeWindow vasco-Policy 

vasco-LinkPolicyToChildPolicy vasco-Policy 

vasco-LinkPolicyToComponent vasco-Policy 

vasco-LinkPolicyToParentPolicy vasco-Policy 

vasco-LocalAuth vasco-Policy 

vasco-OneStepChalCheckDigit vasco-Policy 

vasco-OneStepChalLength vasco-Policy 

vasco-OneStepChalResp vasco-Policy 

vasco-OnLineSG vasco-Policy 

vasco-PINChangeAllowed vasco-Policy 

vasco-PrimaryVDPRequestKeyword vasco-Policy 

vasco-PrimaryVDPRequestMethod vasco-Policy 

vasco-Protocol vasco-Policy 

vasco-SelfAssignSeparator vasco-Policy 

vasco-SThreshold vasco-Policy 

vasco-STimeWindow vasco-Policy 

vasco-StoredPasswordProxy vasco-Policy 

vasco-SyncWindow vasco-Policy 

Version-Number vasco-Policy 



2.1.3 Added Permission Property Sets 

Property sets have been created for typical groups of permissions required for administration 

tasks. 

Table 3: Custom Active Directory Permission Property Sets 

Property Set Applicable 

Object 

Actions Allowed 

Digipass Assignment Link Digipass Assign and unassign Digipass for Digipass User accounts. 

Digipass Application Data Digipass 

Application 

Digipass record functions. 

Digipass User Account Information User Modify Digipass User information. 

Digipass User Account to User Link User Link and unlink Digipass Users. This is also required when 

assigning Digipass to linked Digipass User records. 

Digipass User Account Stored Password User Read and modify the stored password for a Digipass User. 



2.2 Active Directory Auditing 

Active Directory auditing may be configured to record access and modifications to custom 

objects used by the VACMAN Middleware. If you currently have default auditing enabled, it 

might include already include actions on custom objects. See these Microsoft articles for 

information on turning on and configuring auditing: 

Windows 2000 

http://support.microsoft.com/?kbid=314955 

Windows 2003 

http://support.microsoft.com/?kbid=814595 

The basic process you will need to follow is: 

1. Select a scope for the the auditing (eg. Domain Root). 

2. Select a Windows User or Windows Group (eg. Everyone or Domain Administrators) 

3. Select the object classes to audit (eg. Digipass objects) – if required 

4. Select the permissions which should be audited (eg. Read, Write, Delete, Create) 

What Should I Audit? 

This will depend on what you need to audit. For example, if you wanted to record all Digipass 

assignments in the domain, you might set up auditing in the Domain Root for Everyone, with 

the Digipass Assignment Link property set. 

See the 2.1 Schema Extensions topic for more information on custom objects and 

permission property sets created for the VACMAN Middleware. 



2.3 Custom Search Options 

The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in 

which allows searching for specific Digipass and Digipass User records throughout a domain, or 

within the limits of a delegated administrator's permissions. This functionality is especially 

useful where unassigned Digipass have been allocated to various Organizational Units. 

2.3.1 Saved Queries 

On Windows Server 2003 and Windows XP, the Microsoft Management Console (MMC) 

framework supports Saved Queries. 

Note 

The Saved Queries feature is not supported by the MMC on Windows 2000. 

No Saved Queries are provided by the VACMAN Middleware installation 

program on Windows 2000. 

On Windows Server 2003 and Windows XP, a number of Saved Queries are installed 

automatically into the saved MMC console file that is opened using the Start -> Programs -> 

VASCO -> VACMAN Middleware 3 -> Active Directory Users and Computers shortcut. 

In addition, several Query Definition Files are installed in the \Queries folder. These can be imported into your existing Active Directory Users and 

Computers console by right-clicking on the Saved Queries folder and selecting Import 

Query Definition.... 

The Saved Queries provided by the installation are designed to provide several common 

queries that may be useful, as listed below. They can be edited, copied or deleted as required. 

If you have made a mistake modifying one and wish to start again, you can reload the query 

by deleting it and importing it from the Query Definition File. 

Table 4: Saved Queries in Active Directory Users and Computers 

Query Name Description Query Definition File 

Users with Digipass All Users in the Domain who have one or more 

Digipass assigned directly. 

Users without Digipass All Users in the Domain who have no Digipass 

assigned, directly or via a Linked User. 

Users with a DP User 

Account 

Users without a DP User 

Account 

All Users in the Domain who have a Digipass User 

Account. 

All Users in the Domain who do not have a Digipass 

User Account. 

users-with-dp.xml 

users-without-dp.xml 

users-with-dp-useraccount.xml 

users-without-dp-useraccount.xml 

Assigned Digipass All Digipass in the Domain that are assigned. assigned-dp.xml 

Unassigned Digipass All Digipass in the Domain that are currently 

unassigned, excluding any Reserved Digipass. 

Locked DP User Accounts All Users in the Domain whose Digipass User Account 

is Locked. 

unassigned-dp.xml 

locked-dp-user-accounts.xml 



2.3.2 Using the Custom Search for Digipass 

To perform a search for Digipass: 

1. Right-click on the Organizational Unit in which to search, or the domain root. 

2. Click on Find... 

3. Select the Digipass object type from the Find: drop down list. 

4. Use the Digipass tab to specify the search criteria. Almost all the Digipass search 

criteria can be set using the form on this tab. 

5. If you are searching on any criteria that do not appear on the Digipass tab, use the 

Advanced tab: 

a. Click on the Advanced tab. 

b. Click on Field and select the required attribute from the list. 

c. Enter the search Condition and Value, then click Add. 

d. Repeat with additional Fields. 

6. Click Find Now to execute the search. Multiple criteria are applied using the logical 

AND – all criteria must be met for a Digipass to be found. 

The available criteria are listed in the following table: 

Table 5: Custom Active Directory Search criteria - Digipass 

Tab Field Name Usage 

Digipass Serial Number Exact Serial Number (as seen in Digipass properties); 

Serial Number with wildcard*; 

First Serial Number in range, when used with To field. 

(Serial Number) To Last Serial Number in range. 

Digipass Type Digipass Type, eg. DP300. Wildcard* allowed. 

Application Name Application Name, eg. GO3DEFAULT. Wildcard* allowed. 

This will find Digipass that have an Active application of the 

specified name**. 

Application Type Application Type: Response Only, Challenge/Response. 


specified type**. 

Digipass Assignment Assignment status: Assigned, Unassigned. 

Reserved Reserved status: Reserved, Not Reserved. 

Advanced Application Name Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Application Name (complete or partial) 


specified Application Name criteria**. 

Application Type Conditions: Is (Exactly), Is Not. 

Values: RO (Response Only), CR (Challenge/Response), SG 

(Signature). 


specified Application Type criteria**. 

Backup Virtual Digipass Enabled Conditions: Less than or equal to, Greater than or equal to, Is 

(Exactly), Is Not, Not Present. 

Values: 0 (Default), 1 (No), 2 (Yes - Permitted), 3 (Yes - 

Required), 4 (Yes – Time Limited). 

Note that Digipass with 'Default' for this setting may either have 0 



Tab Field Name Usage 

for this attribute or may not have the attribute present. 

Digipass Type Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Digipass Type (complete or partial) 

Reserved Conditions: Is (Exactly), Is Not. 

Values: 0 (No), 1 (Yes). 

This attribute is always present. 

Serial Number Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Serial Number, as seen in Digipass properties (complete or 

partial) 

User Assignment Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, the Digipass is assigned; if not present, 

the Digipass is unassigned. 

* Search criteria on Digipass Application attributes ignore Inactive Digipass Applications. 

** For a wildcard, the * character is used. 

Example 

A search for Digipass records run with only the following text entered into the Serial Number 

field, would return these results: 

0097 No records returned 

0097* All Digipass with serial number starting with 0097 

0097987654 Digipass with serial number 0097987654 only 

*76 All Digipass with serial number ending in 76 

2.3.3 Using the Custom Search for Users 

To perform a search for Users: 

1. Right-click on the Organizational Unit in which to search, or the domain root. 

2. Click on Find... 

3. Select the Users, Contacts, and Groups object type from the Find: drop down list. 

4. If you have search criteria that are not related to Digipass, specify them as usual. 

5. To specify Digipass related search criteria, use the Advanced tab: 

a. Click on the Advanced tab. 

b. Click on Field, select the User submenu and select the required attribute from the 

list. 

c. Enter the search Condition and Value, then click Add. 

d. Repeat with additional Fields. 

6. Click Find Now to execute the search. Multiple criteria are applied using the logical 

AND – all criteria must be met for a User to be found. 

The available criteria are listed in the following table: 



Table 6: Custom Active Directory Search criteria - Users 

Field Name Usage 

Digipass Assignment Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, a Digipass is assigned to the User; if 

not present, no Digipass is assigned. 

Digipass Back-End Authentication Conditions: Less than or equal to, Greater than or equal to, Is 


Values: 0 (Default), 1 (None), 2 (If Needed), 3 (Always). 

Note that Users with 'Default' for this setting may either have 0 for 

this attribute or may not have the attribute present. 

Digipass Local Authentication Conditions: Less than or equal to, Greater than or equal to, Is 


Values: 0 (Default), 1 (None), 2 (Digipass/Password), 3 (Digipass 

Only). 

Note that Users with 'Default' for this setting may either have 0 for 

this attribute or may not have the attribute present. 

Digipass User Account Create Time Conditions: Less than or equal to, Greater than or equal to, Is 

(Exactly), Is Not, Present, Not Present. 

Values: Number of seconds since 1 st Jan 1970 00:00:00 that the 

Digipass User account was created. 

If this attribute is present, the User has a Digipass User account; if 

not present, the User does not. 

Digipass User Account Disabled Conditions: Is (Exactly), Is Not, Not Present. 


If this attribute is not present, the account is not disabled*. 

Digipass User Account Lock Count Conditions: Less than or equal to, Greater than or equal to, Is 


Values: current count of failed logins since last successful login. 

If this attribute is not present, it is treated as 0. 

Digipass User Account Locked Conditions: Is (Exactly), Is Not, Not Present. 


If this attribute is not present, the account is not locked*. 

Digipass User Account Modify Time Conditions: Less than or equal to, Greater than or equal to, Is 

(Exactly), Is Not, Present, Not Present. 

Values: Number of seconds since 1 st Jan 1970 00:00:00 that the 

Digipass User account was last modified. 

Digipass User Account Password This field does not have practical value as a search field, but is 

listed by Active Directory anyway. 

Digipass User Attributes This field is not currently used. 

Digipass User to User Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, The Digipass User account is linked to 

another Digipass User account; if not present, there is no link. 

* If you specify Is Not 1, the results will include Users who do not have the attribute set, in 

addition to those who have the attribute set to 0. 

Example 

A search for Digipass User accounts where the Local Authentication setting has a value other 

than Default would use the following criteria: 

Digipass Local Authentication Greater than or equal to 1 



2.4 Active Directory Replication Issues 

Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, 

especially under Windows Server 2003, but changes on one Domain Controller may still take 

several minutes to be replicated to other Domain Controllers. Inter-site replication may be 

quite slow – an hour or more between replications is common. 

Replication occurs when more than one Domain Controller exists in a domain. 

2.4.1 Old Data Used After Attribute Modified 

The time period between replications becomes a problem where information is changed on one 

Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is 

used on another Domain Controller before the changed information has been replicated to it. 

There are a few scenarios where this may occur. These are listed below: 

2.4.1.1 Single Authentication Server using more than one Domain 

Controller 

A single Authentication Server may make a change to a record, have to switch to another 

Domain Controller, and read the same record – where the change has not yet been applied. 

Example 

A User logs in with an OTP, and the Authentication Server connects to DC-01 to retrieve and 

update the Digipass data. The connection to the DC-01 fails soon after login, before 

replication has occurred. The User needs to log in again, and the Authentication Server 

connects to DC-02 this time. The User can log in using the same OTP as the last login – the 

login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that 

the OTP has been previously used. 

Time DC-01 DC-02 

8:32 Replication occurs 

8:34 User logs in with OTP 10457920. 

The Authentication Server records the use of 

the OTP in the Digipass record. 

8:35 Connection to DC-01 is broken, and the 

Authentication Server switches to DC-02. 

8:35 User retries login using same OTP 

10457920. The login succeeds where it 

should have failed (OTP replay). 

The Authentication Server records the use 

of the OTP in the Digipass record. 


Digipass record changes are replicated between DC-01 and DC-02. 

The example timeline above shows the sequence of events. 



2.4.1.2 Administrator and Authentication Server using different Domain 

Controllers 

The administrator may not be connected to the same Domain Controller (via the 

Administration Interfaces) as the Authentication Server. 

Example 

An administrator changes a User's Server PIN through the Active Directory Users and 

Computers extension, which is connected to DC-01. The Authentication Server connects to 

DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet 

aware of the change of Server PIN. 



9:03 Administrator changes a User's Server PIN 

from 1234 to 9876. 

9:04 User attempts to log in using new PIN 

(9876) and the login fails. 




2.4.1.3 Multiple Authentication Servers Using Different Domain Controllers 

Multiple Authentication Servers may connect to different Domain Controllers in a domain or 

site. 

Example 

A User changes their own PIN during a login through one Authentication Server which 

connects to DC-01. The server on which the Authentication Server is installed becomes 

unavailable, and the User attempts another login via the Authentication Server on a backup 

server, which connects to DC-02. The login fails because DC-02 is not yet aware of the 

change of Server PIN. 



11:55 User changes their Server PIN from 1234 to 

9876 during login. 

The Authentication Server records the PIN 

change in the Digipass record. 

11:57 User attempts to log in using new PIN 

(9876) and the login fails. 




2.4.1.4 Two Administrators Modifying the Same Attribute 

Two administrators attempt to modify the same attribute on a single User account or Digipass 

record within the same replication interval. The later modification will overwrite the earlier 

when replication occurs. 



2.4.2 Old Data Used Overwrites New Data 

The problems above are exacerbated when the old information used on the second Domain 

Controller is updated based on the old information. As the updated record on the second 

Domain Controller now has a later modification date, the end result is that the changed 

information on the first Domain Controller is overwritten incorrectly. 

Example 

An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User 

logs in through the Authentication Server, which connects to DC-02. The User enters the new 

Server PIN and his One Time Password. However, the PIN set on DC-01 has not yet been 

replicated to DC-02, so because the PIN entered does not match the old PIN still recorded in 

the Digipass record on DC-02, the login fails. 

Because the Policy setting of Identification Threshold is in use, his login failure is written 

back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the 

latest modification date – and is copied to DC-01, wiping out the original PIN setting made 

by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server 

PIN for the Digipass. 


10:45 Replication 

10:46 Administrator changes User's PIN from 9876 

to 1234. 

10:48 User login (with new PIN of 1234) fails. 

Authentication Server writes failure 

information to Digipass record. 

10:50 Replication 

Active Directory finds last instance of the Digipass blob having been modified. 

Active Directory overwrites DC-01 Digipass record with DC-02 Digipass record. 

The example timeline above shows how the problem can occur. 

The problem shown in the example above may also occur in a Force PIN Change set by an 

administrator. 

2.4.3 Factors Affecting Replication Issues 

A number of factors determine the likelihood and severity of the Active Directory issues 

described: 

Redundancy and load-balancing settings for the Authentication Server 

There are a number of Authentication Server configuration settings which may affect 

replication issues: 

Preferred Server 

The Authentication Server will attempt to connect to the named Domain Controller, 

rather than simply polling the domain for an available Domain Controller. 

Preferred Server Only 

The Authentication Server may be restricted to connecting only to the Domain Controller 

named in the above setting. If this is enabled, the Authentication Server will not switch 

to any other Domain Controller, so it will never retrieve data older than its own. 

Max. Bind Lifetime 

The maximum bind lifetime controls how long the Authentication Server will stay 



connected to a Domain Controller before polling the domain for a Domain Controller 

connection. 

Replication Interval 

In Windows 2000, the intra-site replication interval can be configured – the default is 5 

minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is 

set to approximately 15 seconds, as replication is much more efficient. 

Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003. 

The longer the replication interval, the more likelihood of these problems occuring. 

Number of Domain Controllers in the Site 

Each Domain Controller regularly requires replication with all other local Domain Controllers. 

As this is done sequentially, it will affect the amount of time between replications. 

2.4.4 Solutions and Mitigations 

2.4.4.1 Digipass Cache 

The Digipass cache collects Digipass records as they are modified, and keeps them in memory 

for a certain length of time. A newer entry from the cache is always used in preference to an 

older record from Active Directory. The cache age should be a little longer than the typical 

replication interval. The default is 10 minutes (600 seconds). 

This option will help in problems caused by a single Authentication Server accessing more than 

one Domain Controller in a domain – see 2.4.1.1 Single Authentication Server using more 

than one Domain Controller). However, it will not affect the scenario of an Administration 

Interface being connected to a different Domain Controller to the Authentication Server. 

If you calculate that your typical replication interval will be more than ten minutes, the cache 

age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file 

(\bin\dpauthserver.xml): 

 

 

 

 

 

 

A large cache may slow down processing slightly for the Authentication Server, so monitor 

performance to check the impact caused after modifying the cache age. 

Warning 

If the Authentication Server is installed on a Member Server, this server must 

be closely time-synchronized with the Domain Controller(s). If the server is 

not time-synchronized, the Policy may select an older record when comparing 

records in the Digipass cache with those on the Domain Controller. 

If the Authentication Server is installed on a Domain Controller, time-synchronization is assumed. 



2.5 DPADadmin Utility 

2.5.1 Extend Active Directory Schema 

The addschema command is used to create all the Active Directory Schema extensions, if 

they are not already there. Each element will be checked individually to see if it is already 

there and if not, will be added. 

This command is intended to be run manually by a domain administrator before the main 

VACMAN Middleware installation is run, as recommended by Microsoft. 

It may be necessary to go through an approval process in your company before running this 

command, as it involves changes to Active Directory Schema. You may also need to have 

another administrator run the command for you, possibly in another part of your network. This 

depends on your company’s structure and rules for Active Directory control. 

Prerequisite Information 

Schema Master Machine 

This command may technically be run on any Windows 2000, XP or 2003 machine, however it 

needs to contact the Domain Controller which has the Schema Master role. There can be only 

one Domain Controller in the Forest with that role. It may be simplest to run the command 

directly on the Schema Master, to avoid any potential connectivity or permission issues. 

Warning 

Warning: If you are passing the credentials to the command in the 

parameters, and you are not running the command on the Schema Master, 

check that you do not have any shares on the Schema Master open. This will 

cause the command to fail. 

Domain Administrator Account 

In order to successfully update the Schema, you must know the username and password of a 

Domain Administrator account that is able to log into the Schema Master. You must either run 

the command while logged in as that user, or pass the credentials to the command in the 

parameters. The Domain Administrator must have permission to extend the Schema – they 

must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain 

created in the Forest). 

Schema Changes Allowed 

By default, Active Directory does not permit Schema extensions to be made. There is a registry 

setting that must be changed to allow extensions. If this is not already set, DPADadmin will 

ask you whether it should change the setting itself or not. If you click on Yes, it will change 

the setting itself, make the extensions then change it back again. 

If you would prefer to change the setting manually, log into the Schema Master and change 

the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\ 

Parameters\Schema Update Allowed registry key to 1, adding it as a value of type 

DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is 



installed on the machine, this can be used to enable or disable Schema extensions. 

If you have disabled the Schema extensions after removing a previous installation in the 

Forest, reactivate them before using this command. This can be done using the Schema 

Manager MMC snap-in used to deactivate them. 

Extend the Schema on the Schema Master 

1. Log into the Schema Master as a member of the Schema Administrators group. 

2. Copy dpadadmin.exe onto the Schema Master 

3. Open a command prompt in the location to which it was copied. 

4. Type: 

dpadadmin addschema 

5. If DPADadmin detects that Schema extensions are not currently permitted, it will 

prompt you whether to enable them or not. Enter y to enable them, or n to cancel. 

The progress and success/failure of the command will be displayed in the command prompt 

window. If there was a failure, it can be run again after the problem has been rectified. 

Extend the Schema on the VACMAN Middleware Server 

1. Open a command prompt and navigate to the installation’s bin directory by typing: 

2. Type: 

cd \bin 

dpadadmin addschema –master schema_master –u user_name –p password 

3. See 2.5.1 Command Line Syntax for more details regarding the required parameters. 

4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to 

enable them. Enter y to enable them, or n to cancel. 



Command Line Syntax 

dpadadmin addschema [–master schema_master] [–u user_name [–p password]] [-q] 

Table 7: DPADadmin addschema Command Line Options 

Option Description 

-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be 

omitted if the command is run directly on the Schema Master. 

-u User name of a Domain Administrator in the Schema Administrators group. This option may be 

omitted if you are logged into the machine as that Domain Administrator when you run the command. 

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain 

Administrator or if they have a blank password. 

-q Quiet mode, will not output commentary text. 

DPADadmin addschema Command Sample 

dpadadmin addschema –master dc1.vasco.com –u schema_admin –p sa_password 



2.5.2 Set Up Digipass Containers in Domain 

This command sets up the Digipass-Pool and Digipass-Reserve containers in the specified 

domain. It can optionally set up the Digipass-Configuration container also. 

2.5.2.1 Prerequisite Information 

Domain Administrator 

You must be logged into the machine as a Domain Admin in the target domain. 

2.5.2.2 Set Up Digipass Configuration Container 

1. Log into the machine as a Domain Administrator in that Domain. 

2. Copy dpadadmin.exe onto the machine and open a command prompt in the location 

to which it was copied. 

3. Type: 

dpadadmin setupdomain -config 


window. 

2.5.2.3 Command Syntax 

dpadadmin setupdomain [-config] [-domain ] [-q] 

Table 8: DPADadmin setupdomain Command Line Options 


-config OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration 

container must be created. 

-domain 

 

OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current 

machine belongs will be used. 

-q OPTIONAL. Specifies that quiet mode should be used. 

DPADadmin setupdomain Command Sample 

dpadadmin setupdomain -config -q 

2.5.3 Assign Digipass Permissions to a Group 

This command assigns Digipass-specific permissions to a Windows group, applicable at the 

domain root and downwards. The permissions assigned are: 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Full write access to vasco-UserExt auxiliary objects 

2.5.3.1 Pre-requisites 

You must be logged into the machine as a Domain Admin in the target domain. 



2.5.3.2 Command Syntax 

dpadadmin.exe setupaccess -group [-domain ] [-q] [-c] 

Table 9: DPADadmin setupaccess Command Line Options 


-group MANDATORY. Specify the name of the group to assign the permissions. Double-quotes are 

required if there are any spaces. 

-domain OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or 

user belongs. If omitted, the domain to which the current machine belongs will be used. 

-q OPTIONAL. Specify that quiet mode should be used. 

-c OPTIONAL. Add the local computer to the group named. 

DPADadmin setupaccess Command Sample 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” -q 

2.5.4 Delete all Digipass-Related Data from Active Directory 

Digipass-specific information is not removed from Active Directory when VACMAN Middleware 

is uninstalled from a computer. 

A custom VB script is available which will strip all information related to the Authentication 

Server from a domain. The data removed includes: 

Digipass-Configuration container if present 

Policy and Component records in container 

Digipass-Pool container if present 

Digipass records in container 

Digipass-Reserve container if present 

Digipass records in container 

All Digipass in the domain, including all Digipass Applications. 

All Digipass User Accounts 

Each Digipass User account is deleted by searching for Active Directory Users with the vasco- 

CreateTime attribute set (indicating that a Digipass User account has been created for that 

User). All vasco-UserExt attributes on the Active Directory User are reset. 

Note 

The script must be run in each domain from which data is to be removed. 

2.5.4.1 Run Delete Script on a Domain 

1. Get dpDeleteAll.vbs file from the CD \Windows\Utilities\VBScript directory and copy to 

the computer where you will run the command. 

2. Open cmd prompt, logged in as domain admin in the domain required. 

3. Enter the following: 



cscript dpDeleteAll.vbs [] [-v] 

4. If the machine does not belong to the target domain, specify the domain name 

5. If you want record-by-record progress display, specify -v (verbose mode). 

Example 

cscript dpDeleteAll.vbs dm3.vasco.com -v 


VACMAN Middleware Administrator Reference ODBC Database 

3 ODBC Database 

3.1 Database Support 

Note 

An embedded database option is available in the installation program. This will 

install PostgreSQL 8.1 for you on the server. However, VACMAN Middleware 

supports other ODBC-compliant databases, should you prefer to use your own 

database. 

VACMAN Middleware makes use of a limited set of database features, in order to support as 

many RDBMS (Relational Database Management Systems) as possible: 

Tables (relations) with the following datatypes: 

INTEGER (32-bit) 

VARCHAR (with the maximum length up to 1024 characters; on Microsoft SQL 

Server this is NVARCHAR for Unicode support) 

TIMESTAMP (for some databases, this is DATETIME or DATE – this is not an 

automatically generated timestamp, but just a date/time field) 

Primary Key constraints 

Foreign Key constraints, using the default action (restrict) and cascade delete 

ANSI Standard SQL DML (Data Manipulation Language) – select, insert, update, delete, 

without any vendor-specific syntax 

Transactions with simple COMMIT and ROLLBACK (no 'save points' or equivalents) 

In order for a database to be supported, there must be an ODBC level 3 driver that 

supports: 

Multi-threaded access using multiple concurrent connections 

'Wide char' (Unicode) parameters for input and output 

The following databases have been specifically tested: 

Oracle 10g 

Microsoft SQL Server 2000, 2005 

IBM DB2 8.2 

Sybase Adaptive Server Anywhere 9.0 

PostgreSQL 8.1 

3.1.1 Unicode Support 

At a minimum, the database ODBC driver must allow the 'wide char' parameters to be used, as 

mentioned above. However, the underlying database does not necessarily need to be 

configured with Unicode support. The database only needs to be able to handle the characters 

that are actually used. 

If you do want full Unicode support in the database, refer to the database vendor's 



instructions. Normally, a database has to be created with Unicode storage from the start. 

Depending upon the database type, some of the columns in the database need to be increased 

in size, to handle multi-byte UTF-8 encoded data. The database documentation should indicate 

whether VARCHAR columns are defined by number of characters or number of bytes. 

3.2 Embedded Database 

The embedded database option supplied with VACMAN Middleware uses PostgreSQL 8.1. The 

database server is installed as a Service and a single database created. This database has full 

Unicode support. 

The full PostgreSQL install package is used, so the database administation tools and 

documentation are available. 

3.2.1 Service Account 

A local Windows account called dppostgres is created on the installation machine. This account 

is given privileges to log on as a service and locally. If installed on a domain controller, this 

account will be a domain account. The privileges to log on locally may be removed manually 

after installation if preferred, without preventing PostgreSQL from running. 

Note 

The dppostgres account is not automatically deleted upon uninstallation of 

VACMAN Middleware. 

The default password for dppostgres is p!ss&0rd. This can be changed using the standard 

Windows or Active Directory user management interface. If you do this, make sure that the 

Windows Service Control Manager is configured with the new password. The PostgreSQL 

service is PostgreSQL Database Server 8.1. 

If you have changed the password when you uninstall and reinstall the product, either delete 

the dppostgres account or change its password back to the default password shown above 

before re-installing. Otherwise, the installation will fail. 

3.2.2 Database Administration Account 

A single database administrator account called digipass is created when the embedded 

database is installed, with password digipassword. It has full administration and access rights 

to the database. 

This account is used by the Authentication Server to connect to the database. If you use an 

SQL or database administation tool to connect to the database, you can also use this account. 

If you want to change the password, you can do this using the pgAdmin III utility. See 3.2.3 

Database Administration below. 



3.2.3 Database Administration 

The full set of PostgreSQL administration tools are installed with the embedded database. For a 

full description, refer to the PostgreSQL documentation that is installed. 

The main tool to use is pgAdmin III, which is a graphical administration interface. This can 

be launched by clicking on the Start Button and selecting Programs -> PostgreSQL 8.1 -> 

pgAdmin III. 

To connect to the database, right-click on the Servers -> PostgreSQL Database Server 8.1 

node in the tree pane and select the Connect option. You will be prompted for the password 

for the digipass user – the default after installation is digipassword. 

After logging in, you can perform a range of database administration tasks. See the online help 

for more details on what can be done with the utility. 

The 6 Backup and Recovery section includes instructions on the pg_dump, pg_restore and 

vacuumdb utilities. 

3.2.3.1 Changing the Digipass User's Password 

After logging in as described above, expand the Login Roles node in the tree pane. Right-click 

on the digipass node underneath and select Properties. Enter the new password, confirm it 

and click OK. 

1. Run pgAdmin III and connect as described above. 

2. Expand the Login Roles node in the tree pane. 

3. Right-click on the digipass node underneath and select Properties. 

4. Enter the new Password and confirm it in Password (again). 

5. Click on OK. 

6. Open the Authentication Server Configuration GUI: click on the Start Button and select 

Programs -> VASCO -> VACMAN Middleware 3 -> Authentication Server 

Configuration. 

7. Change to the ODBC Connection tab. 

8. Click on the Digipass Authentication Server row in the Data Sources list and click the 

Edit... button. 

9. Modify the Password field with the new password and click OK. 

10. Click OK to exit Authentication Server Configuration. When prompted to restart the 

Service, click Yes. 

3.2.4 Connection Limitations 

The embedded database install leaves PostgreSQL with the default configuration, that 

connections to the database may only be made on the same machine. If you need to connect 

from another machine to the database, you need to update the configuration. 

In order to allow connection from another machine, you need to modify a PostgreSQL 

configuration file. Edit the file \PostgreSQL\data\pg_hba.conf with a text 



editor. At the bottom of this file, there is a list of rules for authenticating connections to the 

database, which by default will be: 

# TYPE DATABASE USER CIDR-ADDRESS METHOD 

# IPv4 local connections: 

host all all 127.0.0.1/32 md5 


#host all all ::1/128 md5 

Refer to the PostgreSQL documentation for more details. As an example, to permit access from 

IP address 10.10.1.50 by the digipass user to the postgres database, add the following line 

directly below # Ipv4 local connections: 

host postgres digipass 10.10.1.50/32 md5 

3.3 Database Schema 

Digipass-related data is stored in a number of tables that are created using the DPDBadmin 

command line utility: 

Table 10: ODBC Database Tables 

Table Name Notes 

vdsControl This table is used to control various details about the database 

schema and connection. 

vdsUser Contains Digipass User Account details. 

vdsUserAttr Authorization profiles/attributes (not used for all scenarios). 

vdsDigipass Information about individual Digipass, including the Digipass User 

to which they are assigned. 

vdsDPApplication Data for Applications belonging to each Digipass, such as Server 

PIN and expected OTP length. 

vdsPolicy Policy attributes. Attributes will commonly be shared via 

inheritance. 

vdsComponent Component attributes include the License Key for Authentication 

Server Components. 

vdsBackEnd Back-End Server attributes. Presently, this table includes RADIUS 

Servers only. 

vdsDomain Domain list. 

vdsOrgUnit Organizational Unit structure. 

3.3.1 vdsControl Table 

Table 11: vdsControl Table 

Name Type Required? 

vdsName varchar(64) Yes 

vdsValue varchar(512) 

vdsFlags integer 

Primary Key: (vdsName) 

Foreign Keys: None 



3.3.2 vdsUser Table 

Table 12: vdsUser Table 


vdsDomain varchar(255) Yes 

vdsUserId varchar(255) Yes 

vdsOrgUnit varchar(255) 

vdsUserName varchar(64) 

vdsDescription varchar(1024) 

vdsPhone varchar(64) 

vdsMobile varchar(64) 

vdsEmail varchar(64) 

vdsStaticPwd varchar(690)* 

vdsLinkUserDomain varchar(255) 

vdsLinkUserId varchar(255) 

vdsLocalAuth integer 

vdsBackEndAuth integer 

vdsLockCount integer 

vdsLocked integer 

vdsDisabled integer 

vdsProfiles varchar(255) 

vdsAdminPrivileges varchar(255)* 

vdsCreateTime timestamp Yes 

vdsModifyTime timestamp Yes 

* This column contains binary data stored in base64-encoded format. 

Primary Key: (vdsDomain, vdsUserId) 

Foreign Keys: 

(vdsDomain) references vdsDomain 

(vdsDomain, vdsOrgUnit) references vdsOrgUnit 

(vdsLinkUserDomain, vdsLinkUserId) references vdsUser 

3.3.3 vdsUserAttr Table 

Table 13: vdsUserAttr Table 



vdsUserId varchar(255) Yes 

vdsAttrGroup varchar(64) Yes 

vdsSeqNo integer Yes 

vdsName varchar(64) Yes 

vdsUsageQual varchar(64) 

vdsValue varchar(255) 






Primary Key: (vdsDomain, vdsUserId, vdsAttrGroup, vdsSeqNo) 

Foreign Keys: 

(vdsDomain, vdsUserId) references vdsUser (ON DELETE CASCADE) 

3.3.4 vdsDigipass Table 

Table 14: vdsDigipass Table 


vdsSerialNo varchar(32) Yes 


vdsOrgUnit varchar(255) 

vdsDPType varchar(32) 

vdsUserId varchar(255) 

vdsAssignDate timestamp 

vdsGPExpires timestamp 

vdsBVDPEnabled integer 

vdsBVDPExpires timestamp 

vdsBVDPUsesLeft integer 

vdsDirectAssign integer 



Primary Key: (vdsSerialNo) 

Foreign Keys: 


(vdsDomain, vdsOrgUnit) references vdsOrgUnit 

(vdsDomain, vdsUserId) references vdsUser 

3.3.5 vdsDPApplication Table 

Table 15: vdsDPApplication Table 


vdsSerialNo varchar(32) Yes 

vdsApplName varchar(32) Yes 

vdsApplNo integer 

vdsApplType integer 

vdsActive integer 

vdsBlob varchar(255) 






Primary Key: (vdsSerialNo, vdsApplName) 

Foreign Keys: 

(vdsSerialNo) references vdsDigipass 

3.3.6 vdsPolicy Table 

Table 16: vdsPolicy Table 


vdsPolicyId varchar(60) Yes 


vdsParentPolicyId varchar(60) 

vdsDUR integer 

vdsAutoLearn integer 

vdsSPwdProxy integer 

vdsAssignMode integer 

vdsSearchUpOU integer 

vdsApplNames varchar(255) 

vdsApplType integer 

vdsDPTypes varchar(255) 

vdsGracePeriod integer 

vdsLocalAuth integer 

vdsBackEndAuth integer 

vdsBackEndProtocol varchar(32) 

vdsDefDomain varchar(255) 

vdsGroupList varchar(1024) 

vdsGroupMode integer 

vdsOSCR integer 

vdsOSCLength integer 

vdsOSCChkDgt integer 

vdsBVDPEnabled integer 

vdsBVDPMaxDays integer 

vdsBVDPMaxUses integer 

vdsChgPinAllowed integer 

vdsSelfAssignSep varchar(8) 

vdsCRMethod integer 

vdsCRKeyword varchar(16) 

vdsPVDPRqstMeth integer 

vdsPVDPKeyword varchar(16) 

vdsBVDPRqstMeth integer 

vdsBVDPKeyword varchar(16) 




vdsITimeWindow integer 

vdsSTimeWindow integer 

vdsEventWindow integer 

vdsSyncWindow integer 

vdsIThreshold integer 

vdsSThreshold integer 

vdsCheckChal integer 

vdsOnlineSG integer 

vdsChkInactDays integer 



vdsLockThreshold integer 

Primary Key: (vdsPolicyId) 

Foreign Keys: 

(vdsParentPolicyId) references vdsPolicy 

3.3.7 vdsComponent Table 

Table 17: vdsComponent Table 


vdsComponentType varchar(60) Yes 

vdsLocation varchar(255) Yes 

vdsPolicyId varchar(80) Yes 

vdsProtocolId varchar(32) 

vdsTCPPort integer 

vdsSharedSecret varchar(690)* 

vdsLicenseKey varchar(1024) 

vdsPubKey varchar(1024) 

vdsCreateTime Timestamp Yes 

vdsModifyTime Timestamp Yes 


Primary Key: (vdsComponentType, vdsLocation) 

Foreign Keys: 

(vdsPolicyId) references vdsPolicy 

3.3.8 vdsBackEnd Table 

Table 18: vdsBackEnd Table 


vdsServerId varchar(80) Yes 




vdsProtocolId varchar(32) 

vdsDomain varchar(255) 

vdsPriority integer 

vdsRadAuthAddr varchar(128) 

vdsRadAuthPort integer 

vdsRadAcctAddr varchar(128) 

vdsRadAcctPort integer 

vdsRadRetries integer 

vdsRadTimeout integer 

vdsSharedSecret varchar(690)* 




Primary Key: (vdsServerId) 

Foreign Keys: 


3.3.9 vdsDomain Table 

Table 19: vdsDomain Table 






Primary Key: (vdsDomain) 

Foreign Keys: None 

3.3.10 vdsOrgUnit Table 

Table 20: vdsOrgUnit Table 



vdsOrgUnit varchar(255) Yes 


vdsParentOrgUnit varchar(255) 



Primary Key: (vdsDomain, vdsOrgUnit) 



Foreign Keys: 


(vdsDomain, vdsParentOrgUnit) references vdsOrgUnit 

3.4 Encoding and Case-Sensitivity 

When you create the database, depending on the database type, you may have the chance to 

select a collation sequence. The collation sequence determines both the sort order and the 

case-sensitivity of the database. If you do not have the chance to select the collation 

sequence, it is advisable to find out how it is already defined. 

The encoding used by the database is important when considering support for non-English 

languages. You must ensure that the database will be able to store the data in whatever 

languages may be used in your system. 

Case-sensitivity is of particular importance when looking up a Digipass User Account. It 

determines whether the user must get the correct case for their UserId when logging in. For 

example, if your database collation sequence is case-sensitive, user “JSmith” would have to log 

in as exactly “JSmith”, not “jsmith”. If you want a case-insensitive User ID and domain lookup, 

and your database does not behave this way by default, you have two choices: 

Choose a case-insensitive collation sequence for the database. 

Use a configuration option in VACMAN Middleware to convert User ID and domain names 

to all upper or all lower case. See 11.1.7.3 User ID and Domain Conversion for more 

information. 

Caution 

Configuration settings for case-sensitivity must be set up in the Configuration 

GUI before data is entered into the database. 

The Master Domain (named 'master') is an exception, as it is created in the 

database when the dpdbadmin addschema command is run. If you will be 

configuring the Authentication Server to convert User IDs and domains to 

upper case, change the name of the Master Domain before changing the case 

settings. See 3.5.1.1 Master Domain for more information. 

The embedded database created by the installation program uses UTF-8 encoding. In addition, 

as this results in case-sensitive collation, the option to convert User IDs and domain names to 

lower case is set by default. 

3.5 Domains and Organizational Units 

The concepts of Domain and Organizational Unit are present in VACMAN Middleware for the 

purpose of grouping users. They closely match the concepts of the same names in Active 

Directory/LDAP, but they are not identical. 



3.5.1 Domains 

Domains are essentially separate sub-databases of Digipass User Accounts and Digipass. All 

Digipass User Accounts and Digipass must belong to a Domain. The Domain is used as a 

naming scope for the UserId – it is allowed to have two different Digipass User Accounts with 

the same UserId, so long as they are in different Domains. 

3.5.1.1 Master Domain 

When the VACMAN Middleware is installed, a single Domain will be created in the database, the 

Master Domain. By default, all new Digipass User Accounts and Digipass will be created in 

that Domain. 

A Domain must be chosen for a Digipass User account when it is created, as the Domain 

makes up part of the identification (primary key) for the account. A Digipass User account may 

not be moved to a different Domain. It must be deleted and recreated in the required Domain. 

Digipass, however, may be moved to the required Domain after importation. The 'primary key' 

of the Digipass record consists only of its Serial Number, which cannot be duplicated in 

different Domains. 

A Digipass that is assigned to a Digipass User Account must belong to the same Domain as the 

account. Therefore, you need to ensure that the correct numbers of Digipass are allocated to 

the different Domains. 

If you do not need to use the concept of Domains in your system, then you can leave all 

Digipass User Accounts and Digipass in the Master Domain. You can designate a different 

Domain as the Master Domain using the Authentication Server Configuration interface, 

Configure Advanced Settings screen. 

Administrators belonging to the Master Domain may be assigned administration privileges for 

all Domains in the database, or just their own Domain. Administrators belonging to any other 

Domain will have the assigned administration privileges for that Domain only. 

Modify the Master Domain 

You might need to modify the domain used as the Master Domain if: 

You want new Digipass User accounts and Digipass records to be created in a different 

domain by default 

You want to change the name of the Master Domain 

The case used in the name of the Master Domain will not be compatible with 

Authentication Server configuration settings. 

For instructions on changing the domain used as the Master Domain, see 11.1.7.4 Master 

Domain. 



3.5.1.2 Identifying the Domain for a Login Attempt 

As the Domain is part of the naming scope for a Digipass User Account, the Domain must be 

identified when a user attempts to log in. 

Image 1: Domain Identification Logic 

When Windows Back-End Authentication is used, the Domain of a Digipass User Account must 

match the Domain of their corresponding Windows user account. In this situation, the Use 

Windows User Name Resolution feature would typically be used, in case the same user logs 

in with different Windows user name formats (DOMAIN\userid, userid@domain.com, userid). 

You can enable this feature using the Authentication Server Configuration interface, 

Configure Advanced Settings screen. 

Without Windows name resolution, a simple rule is applied to identify the Domain of a user 

who is logging in: if the UserId is in the form userid@domain, and there is a Domain with the 

given domain name, that Domain will be used. In that case, the UserId will have the @domain 

part removed. Otherwise, the whole UserId will remain as userid@domain and no Domain will 

be identified. 

If through either kind of name resolution, no Domain is identified, the applicable Policy is 



checked for a Default Domain. The Default Domain is used if it is specified in the Policy. 

Otherwise, the Master Domain is used as a default. 

3.5.2 Organizational Units 

Within a Domain, Organizational Units can be used to group Digipass User Accounts and 

Digipass. They are primarily used in VACMAN Middleware to allocate unassigned Digipass to 

groups of users such as offices or departments. In other VASCO products, they can also be 

used to provide delegated administration by user group. 

Organizational Units can be created as a hierarchy, in a similar way to Active Directory/LDAP. 

It is not permitted to create a circular chain in the hierarchy. 

Organizational Units are not used as a naming scope in the same way as Domains. It is 

permitted to move Digipass User Accounts and Digipass between Organizational Units 

whenever required. However, a Digipass that is assigned to a Digipass User Account must 

belong to the same Organizational Unit, as well as the same Domain. Upon assignment, or 

upon moving the Digipass User Account, the Digipass is moved automatically. It is not 

permitted to move an assigned Digipass – instead, you must move the Digipass User Account, 

which may have other Digipass assigned also. 

Organizational Units have no effect on the authentication process, with the exception of Auto- 

and Self-Assignment – the Digipass to be assigned must be in the same Organizational Unit as 

the Digipass User Account. However, if you enable the 'Search up Organizational Unit 

Hierarchy' Policy setting, the Digipass may be located higher up the Organizational Unit 

structure, provided it is still in the same Domain. 



3.6 Database User Accounts 

It is important to consider which database user accounts will be utilized when installing, 

running and administering VACMAN Middleware. There are a few main roles that need to be 

considered: 

Schema creator. A database user account is needed to create the tables used by 

VACMAN Middleware. Typically this would be either a fully privileged DBA account, or the 

account that will own the schema. 

Schema owner. This may be the same as the schema creator. If not, the schema 

creator can transfer ownership of the new tables after they have been created. 

Authentication Server account. This may be the same as the schema creator or 

owner, but as it does not need extensive permissions on the tables, you may prefer to 

use an account with less privileges. 

Administrator account. Administrators may be allowed to log directly into the 

database in order to administer data. If so, the Adminstration MMC Interface will require 

a database user account with sufficient permissions to modify the data as required. It is 

not necessary to create a separate account, but you may prefer to do so, in order to 

control the permissions strictly. You may even create multiple administrator accounts 

with different permissions. 

A few elements need to be taken into account when setting up these various database user 

accounts. 

3.6.1 Permissions on the Tables 

The following permissions are required by the Authentication Server and administrator 

accounts: 

Table 21: Table Permissions Required 

Table Authentication Server Administrator 

vdsControl SELECT, INSERT*, UPDATE* SELECT 

vdsUser SELECT, INSERT**, UPDATE SELECT, INSERT, UPDATE, DELETE*** 

vdsUserAttr SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsDigipass SELECT, UPDATE SELECT, INSERT, UPDATE, DELETE*** 

vdsDPApplication SELECT, UPDATE SELECT, INSERT, UPDATE, DELETE*** 

vdsPolicy SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsComponent SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsBackEnd SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsDomain SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsOrgUnit SELECT SELECT, INSERT, UPDATE, DELETE*** 

* The Authentication Server does not need INSERT and UPDATE permission on the vdsControl table itself. However, 

when the Authentication Server Configuration GUI is used to Configure Advanced Settings, the same 

database user account is used as the Authentication Server, and at this time the INSERT and UPDATE 

permissions are needed. 

** INSERT permission is only required when Dynamic User Registration is used. 

*** In general, SELECT permission is required on all tables, but you can restrict any of INSERT, UPDATE and DELETE 

permissions according to the restrictions you need to impose upon your administrators. 



3.6.2 Access to Another Schema 

Depending on the database type, there may be a problem with one database user account 

accessing the tables from another schema/user account. VACMAN Middleware components will 

access the tables according to the table names that are defined in the vdsControl table. 

If the tables are not accessible to the database user account without qualifying the table name 

(eg. schema.table), there are a few ways to solve the problem: 

Set the default schema or database. Some databases allow you to specify which 

schema or database a database user account will use by default when they log in. This 

may be a setting in the database itself or the ODBC data source 

Create views. You can create a view for each table in the database user account's own 

schema, that provides access to the table. The view names should match the table 

names. However, be careful that your database type permits the necessary INSERT, 

UPDATE and DELETE operations on the views (see the table above). Some database 

types provide only limited support for those operations or disallow them all. 

Modify the vdsControl table. Provided that all database user accounts need the 

schema qualifier in front of the table names, you can safely modify the vdsControl table 

entries to add the schema qualifier (see below). 

Another possible solution is to create a vdsControl table in each database user account's 

schema, that contains the necessary schema qualifier. However this is not recommended, as it 

is complex to set up and there are other settings in the vdsControl table other than the table 

names. It would be easy to end up with different settings in each table. 

3.6.2.1 Modify vdsControl Table 

There are two parts to this solution. Firstly, to make sure that the vdsControl table itself can 

be accessed; secondly, to update the remaining table names using the vdsControl table. 

The Authentication Server component uses a configuration setting in its configuration file 

dpauthserver.xml to identify the vdsControl table name: 

VASCO->AAL3->ODBC->Data-Sources->Data-Sourcesnn->Control-Table 

where nn is 01 for the first data source, 02 for the next, and so on. Each data source must be 

configured separately. 

However, the administration interface does not use this configuration file, and if the 

administrator database account has a schema qualifier problem for the vdsControl table, 

another solution such as a view must be used. 

Modification of the vdsControl table entries that define the table names must be performed 

using your database's SQL utility. The following entries in vdsControl are used to define the 

table names: 



Table 22: Table Names in vdsControl 

Table vdsName 

vdsUser user_table 

vdsUserAttr user_attr_table 

vdsDigipass dp_table 

vdsDPApplication dpappl_table 

vdsPolicy policy_table 

vdsComponent comp_table 

vdsBackEnd backend_table 

vdsDomain domain_table 

vdsOrgUnit org_table 

3.7 Database Connection Handling 

The Authentication Server can be configured with a few settings that control the connection to 

the database. These settings can be found in the Authentication Server Configuration GUI. 

3.7.1 Multiple Data Sources 

It is possible to make more than one database available to the Authentication Server by 

creating additional databases and corresponding ODBC data sources. The additional 

database(s) can be used for redundancy and/or simple load sharing. 

If this is done, it is critical that the second and subsequent databases are synchronized with 

the first database. You will have to use the methods available to your database type, according 

to the database vendor's instructions. Typical methods include mirroring, shadow databases 

and instantaneous replication. 

Simply by configuring a second data source, if all connections to the main data source fail and 

cannot be reopened, the Authentication Server will open connections to the second data 

source. Similarly, a third data source can be used when the first and second are both 

unavailable. 

3.7.2 Max. Connections 

There is a configurable limit on the number of connections to the data source that the 

Authentication Server will have open at one time. This will prevent too many connections being 

opened to the database in case of peak load. However, each authentication request uses a 

connection for its duration, so the number of connections effectively limits the number of 

authentication requests that can be concurrently executed. It may improve performance to 

increase this setting, when there are a lot of concurrent requests – provided that the database 

is able to handle the increased load. 

The effect of this setting depends on the characteristics of your ODBC driver and database. 

Some ODBC drivers may not open a separate connection to the database for each connection 

that is made to it; they may set up a 'pool' of connections to the database or they may even 

just maintain a single connection. 



3.7.3 Connection Wait Time 

When the Authentication Server already has the maximum number of connections open and a 

new authentication request arrives, it will wait a configurable amount of time for a connection 

to become available (unless the Enable Load Sharing option is used, see below). You may 

want to reduce this waiting time, to reduce the impact of an overload of requests. Alternatively 

you may want to increase the waiting time, to make it less likely that a request will be rejected 

due to a temporary 'spike' of requests. 

3.7.4 Idle Timeout 

After a period of peak load, there may be a large number of connections open to the database. 

The Idle Timeout setting can be used to configure how quickly the connections are closed 

after being idle for a period of time. It may reduce the load on the database to close these 

connections quickly. Alternatively, if the load is very irregular but is often high, you may prefer 

to keep idle connections open for longer. 

3.7.5 Enable Load Sharing 

A simple form of load sharing can be implemented if you make a second database available to 

the Authentication Server. In fact, any number of databases can be added to the list of data 

sources, and the load can be shared across all of them. 

If you have more than one database available and the Enable Load Sharing option is used, 

the Authentication Server will open connections to the second database when it would exceed 

the maximum number of connections it is allowed to have to the first database. Similarly, it 

will open connections to the third database when it has reached the maximum for the second, 

and so on. In general, connections to the first database will be used when available, in 

preference to connections to any other database. 

3.7.6 Reconnect Intervals 

After the first data source has become unavailable, the Authentication Server will attempt at 

intervals to reconnect, even if it has successfully failed over to a second data source. It will 

always use the first data source in preference to the others. 

The Min. Reconnect Interval and Max. Reconnect Interval settings control the minimum 

and maximum intervals between retries respectively. The interval will start at the minimum 

and increase in steps until the maximum is reached. After that, the interval will stay at the 

maximum. 



3.8 DPDBadmin 

3.8.1 Modify Database Schema 

The addschema command is used to create all required tables in an existing database, if they 

are not already there. Each table will be checked individually to see if it is already there and if 

not, will be added. 

This command is intended to be run manually by an administrator before VACMAN Middleware 

is installed. 


command. You may also need to have a database administrator run the command for you. 

This depends on your company’s structure and rules for control of the database. 

This command may also be used to create the tables required for auditing to an ODBC 

database. 

Prerequisite Information 

Database Administrator Account 

In order to successfully modify the database structure, you will need the username and 

password of a database administrator account that is able to make changes to the database 

schema – for example, creating tables. You must pass these credentials to the command in the 

parameters. 

Database Name 

You will need the ODBC Data Source Name of the database (as registered with Windows an as 

ODBC Data Source). 

Modify the Database Structure 


2. Type: 

cd \bin 

dpdbadmin addschema –u user_name –p password -d dsn 

3. See below for more details regarding the required parameters. 




dpdbadmin addschema –u user_name [–p password] -d dsn [-nouser] [-domain 

domain_name] [-case case_conversion] [-vdsuser alternatename] [-vdsuserattr 

alternatename] [-vdsdomain alternatename] [-vdscontrol alternatename] [-vdsdigipass 

alternatename] [-vdsdpapplication alternatename] [-vdspolicy alternatename] 

[vdsbackend alternatename] [-vdscomponent alternatename] [-vdsorgunit alternatename] 

[-audit] [-noserver] [-utf8factor factor] [-q] 



Table 23: DPDBadmin addschema Command Line Options 


-u User name of a database administrator. 

-p Password of the database administrator. This option may be omitted if they have a blank 

password. 

-d ODBC Data Source Name (DSN) 

-nouser Do not create Digipass User table. This option is not currently supported. 

-domain Specify the Master Domain to be used. If not specified, it will be “master”. The Domain will be 

created if it does not already exist. 

-case Specify to convert User IDs and domain names to either upper or lower case. The value must be 

either “upper” or “lower”. 

vdsuser Alternative name for the Digipass User table to be created. 

vdsuserattr Alternative name for the Digipass User Attribute table to be created. 

vdsdomain Alternative name for the Domain table to be created. 

vdscontrol Alternative name for the Controller table to be created. 

vdsdigipass Alternative name for the Digipass table to be created. 

vdsdpapplication Alternative name for the Digipass Application table to be created. 

vdspolicy Alternative name for the Policy table to be created. 

vdsbackend Alternative name for the Back-end Server table to be created. 

vdscomponent Alternative name for the Component table to be created. 

vdsorgunit Alternative name for the Organizational Unit table to be created. 

-audit Create the Audit tables. 

-noserver Do not create the main tables used by the Authentication Server. This should only be used with 

the -audit option, when you only want to create the auditing tables. 

-utf8factor On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not 

characters, by default. When UTF-8 encoding is used to store data, for full Unicode support, one 

character may be represented as more than one byte. Normally 2 or 3 characters are used, 

depending on the language, but some characters require 4. If your data will include a lot of non- 

English characters, you can increase the size of certain columns by a factor to allow for the extra 

bytes. The value of the parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns 

affected by this are the User Name (not User ID) and various Description fields. 

On other databases, column sizes are specified in characters, and this parameter is not needed. 


DPDBadmin addschema Command Sample 

dpdbadmin addschema –u DBAdmin –p pwd3498 -d UserDb -domain mydomain 

This command will modify the database structure of the ODBC database with the data source 

name of UserDb. It uses a database administrator account with the User ID of DBAdmin and 

password pwd3498. A non-default Master Domain will be used, called “mydomain”. 

dpdbadmin addschema –u DBAdmin –p pwd3498 -d AuditDb -audit -noserver 

This command will create only the auditing tables in the ODBC database with the data source 

name of AuditDb. It uses a database administrator account with the User ID of DBAdmin and 

password pwd3498. 



3.8.2 Check Database Modifications 

The checkschema command is called from the VACMAN Middleware installation program to 

check that all required database changes have been applied. Each table and field is checked 

individually to see if it exists within the database, but it will not be added if it does not exist. 


Domain Administrator 

Ensure that you know the username and password of a database administrator for the 

database to be checked. 

Database Name 

You will need the Data Source Name of the database (as registered with Windows an as ODBC 

Data Source). 

3.8.2.2 Check the Database Structure 

1. Open a command prompt and go to the installation’s bin directory by typing: 

2. Type 

cd \bin 

dpdbadmin checkschema –u user_name –p password -d dsn 

3. See below for more details regarding the parameters. 


window. 

3.8.2.3 Command Line Syntax 

odbcadmin checkschema –u user_name [–p password] -d dsn [-domain domain_name] 

[-q] 

Table 24: DPDBadmin checkschema Command Line Options 



-p Password of the database administrator. This option may be omitted if they have a blank password. 


-domain Specify the Master Domain to be used. If not specified, it will be “master”. The Domain must exist. 


DPDBadmin checkschema Command Sample 

dpdbadmin checkschema –u db_admin –p db_password -d db_users 



3.8.3 Remove Database Modifications 

This command removes from a database the tables added by the addschema command. 


command. You may also need to have a database administrator run the command for you. 


Database Administrator Account 

In order to successfully modify the database structure, you will need the username and 

password of a database administrator account that is able to make changes to the database 

structure – for example, creating tables. You must pass these credentials to the utility in the 

parameters of the command. 

Database Name 

You will need the Data Source Name of the database (as registered with Windows an as ODBC 

Data Source). This DSN must be registered on the computer from which the command line 

utility wil be run. 

3.8.3.2 Modify Database Structure 


2. Type: 

cd \bin 

dpdbadmin dropschema –u user_name –p password -d dsn 

3. See below for more details regarding the required parameters. 



3.8.3.3 Command Line Syntax 

dpdbadmin dropschema –u user_name [–p password] -d dsn [-nouser] [-q] 

Table 25: DPDBadmin dropschema Command Line Options 



-p Password of the database administrator. This option may be omitted if they have a blank 

password. 


-nouser Do not delete Digipass User table. This option is not currently supported. 


DPDBadmin checkschema Command Sample 

dpdbadmin dropschema –u DBAdmin –p pwd3498 -d UserDb 



3.8.4 Create Emergency Administrator Account 

If the main administrator accounts have been accidentally deleted, locked out, disabled, or the 

password forgotten, it may be necessary to run this command. 

The rescueadmin command creates an emergency administrator account in the Master 

Domain, with the given User ID and password. These settings will be configured for the 

account: 

Local Authentication: Digipass/Password 

Back-End Authentication: None 

Administrative Privileges: (All) 

Note 

Running this command will cause the Digipass Authentication Server service to 

be stopped. The command can restart the service automatically when record 

creation is completed. 

Prerequisites 

These conditions must be met before this command can be run successfully: 

Must be run on the machine on which the Authentication Server is installed. 

The Authentication Server configuration file (dpauthserver.xml) must be in the default 

location (\Bin) 

Create Administrator Account 


2. Type: 

cd \bin 

dpdbadmin rescueadmin -userid "" -password 

"” 

3. Enter Y to restart the Digipass Authentication Server service, or N to exit and restart 

the service manually. 


dpdbadmin rescueadmin -userid "" -password " -q -l -v 

Table 26: DPDBadmin rescueadmin Command Line Options 


-userid User ID for the administrator account to be created. This administrator account must not 

currently exist in the Authentication Server data store in the Master Domain. 

-password Password for the administrator account to be created. May not be blank. 


-l Record messages to a log file. 

-v Use verbose logging output. 



DPDBadmin rescueadmin Command Sample 

dpdbadmin rescueadmin –userid emergency_admin -password password -l 

c:\temp\rescue.log 

This command will create an administrator account in the database, with User ID of 

emergency_admin and password of password. A log file will be created at c:\temp\rescue.log. 

3.8.5 Rescue Authentication Server Component 

This command may be needed in a number of scenarios: 

An Authentication Server Component record has been accidentally deleted. 

The IP address of the machine has been changed without first creating a Component 

record for the Authentication Server with the new IP address. 

The Policy used for administration logins has been modified in such a way that 

administrative logins are no longer possible. 

In any of these scenarios, administrative logins will no longer be possible via the 

Authentication Server affected. If you have another Authentication Server replicating with the 

affected one, you can fix most problems from that Authentication Server. Otherwise, you will 

need to use this command. 

The rescueserver command creates or updates a Component record of the type 

Authentication Server in the database, with the given IP address and Policy. It can also create 

a Policy with the Policy ID provided, with these settings: 

Inherits from Policy: 

Local Authentication: Digipass/Password 

Back-End Authentication: None 

User Lock Threshold: 0 

Note 

Running this command will cause the Digipass Authentication Server service to 

be stopped. The command can restart the service automatically when record 

creation is completed. 

Prerequisites 

These conditions must be met before this command can be run successfully: 

Must be run on the machine on which the Authentication Server is installed. 

The Authentication Server configuration file (dpauthserver.xml) must be available on the 

machine. 

Rescue Authentication Server Component 


2. Type: 

cd \bin 



dpdbadmin rescueserver -location “” -policy "” 

3. If a Component record of type Authentication Server and the entered IP address does 

not already exist, you will be prompted to create the Component record. Enter Y to 

create the record, or N to exit. 

4. If a Policy with the entered Policy ID does not currently exist, you will be prompted to 

create it. Enter Y to create the record, or N to exit. 

5. Enter Y to restart the Digipass Authentication Server service, or N to exit and restart 

the service manually. 

If there was a failure, it can be run again after the problem has been rectified. 


dpdbadmin rescueserver -location -policy "" -q -l -v 

Table 27: DPDBadmin rescueserver Command Line Options 


-location IP address used by the Authentication Server. 

-policy Policy ID for the Policy to be used for the new Component. This may be an existing Policy, or a 

new one (see above for the settings given to a new Policy by this command). 


-l Record messages to a log file. 

-v Use verbose logging output. 

DPDBadmin rescueserver Command Sample 

dpdbadmin rescueserver –location “10.2.15.7” -policy “VM3 Administration Logon” 

This command will create a Component record in the database, with type Authentication 

Server, IP address 10.2.15.7, and using the pre-existing Policy VM3 Administration Logon. 


VACMAN Middleware Administrator Reference Sensitive Data Encryption 

4 Sensitive Data Encryption 

Sensitive data is encrypted by VACMAN Middleware using an embedded key. If needed, this 

encryption may be strengthened by adding a custom key in the Configuration GUI. The 

embedded and custom keys are subjected to a logical XOR process to produce a new key 

derived from both. 

Note 

Encryption settings must be set before importing Digipass. 

4.1.1 Encrypted Data – Active Directory 

Table 28: Encrypted Data Attributes – Active Directory 

Attribute Class 

vasco-StaticPassword vasco-UserExt 

vasco-SharedSecret vasco-Component 

vasco-SharedSecret vasco-BackEndServer 

4.1.2 Encrypted Data – ODBC and Embedded Database 

Table 29: Encrypted Data Attributes – ODBC and Embedded Database 

Column Table 

vdsStaticPwd vdsUser 

vdsAdminPrivileges vdsUser 

vdsSharedSecret vdsComponent 

vdsSharedSecret vdsBackEnd 

4.1.3 Which Encryption Algorithms can be used? 

AES 

blowfish 

cast5 

3DES 

3DES with 3 keys 

4.1.4 Exporting Encryption Settings 

Encryption settings may be exported to a password-protected text file from the Authentication 

Server Configuration GUI. This file must then be loaded to other Authentication Servers – see 

11.1.9 Data Encryption for instructions. 

The same file must be loaded into the administration interfaces wherever they are installed: 


1. Open the Administration MMC Interface. 

2. Right-click on the Digipass Administration node and select the Encryption Settings 

option. 


VACMAN Middleware Administrator Reference Sensitive Data Encryption 

3. In the Configure Encryption Settings dialog, click the Import... button. 

4. Browse to the encryption settings file. 


6. Enter the required password. 


Active Directory Users and Computers 

The following only applies if you are using Active Directory. In addition, if Active Directory 

Users and Computers is on the same machine as the Administration MMC Interface, the 

following steps will not be necessary, as the two programs share the same encryption 

configuration settings. 

1. Open Active Directory Users and Computers. 

2. Right-click on the Users container and select the Digipass Extension Encryption 

Settings option. 

3. In the Configure Encryption Settings dialog, click the Import... button. 





Digipass TCL Command-Line Administration 

1. Open the file \Bin\dpadmincmd.xml in a text editor (or XML 

editing tool). 

2. Open the file \Bin\dpauthserver.xml in a text editor (or XML 

editing tool). 

3. Copy and paste the whole VASCO -> AAL3 -> Encryption section from 

dpauthserver.xml, overwriting the same section in dpadmincmd.xml. 

4. Save dpadmincmd.xml and exit the editors. 


VACMAN Middleware Administrator Reference Set Up Active Directory Permissions 

5 Set Up Active Directory Permissions 

5.1 Permissions Needed by the Authentication Server 

The Authentication Server Service runs under the 'Local System' account rather than as a 

named user account. Therefore, when connecting to Active Directory, the Authentication 

Server connects as the computer account, not a user account. The permissions that it has 

within Active Directory are the permissions of the computer account. 

An important exception to this occurs if you install the Authentication Server onto a Domain 

Controller. Any Service running as 'Local System' on a Domain Controller has all possible 

permissions to that Domain. In this case, no additional setup of permissions is required. 

Therefore, the rest of this section applies to the case where the Authentication Server is not on 

the Domain Controller. 

During installation, the computer account is added to the built-in 'RAS and IAS Servers' group 

in the Domain, as it will require the permissions assigned by default to this group. 

In order to function correctly, the Authentication Server requires the following permissions in 

Active Directory, that are not granted to 'RAS and IAS Servers' by default: 

Read access to the Digipass Configuration Container 

Read access to all User accounts (or at least, all who might need to be authenticated by 

the Authentication Server) 

Write access to the new attributes that are added to the User class for VACMAN 

Middleware (these are in the auxiliary class vasco-UserExt) 

Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco- 

DPApplication) objects 

Create and delete permission for Digipass (vasco-DPToken) objects in Organizational 

Units and containers (specifically the Digipass-Pool and Users containers) 

5.1.1 Giving Permissions to the Authentication Server 

During installation, these additional permissions are granted to the 'RAS and IAS Servers' 

group automatically. 

There is also a manual way to grant these permissions, by running the 'setupaccess' command 

at the command prompt: 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” 

See 2.5 DPADadmin Utility for more information on the setupaccess command. 

As mentioned above, this is not necessary if the Authentication Server is installed onto a 

Domain Controller. 



5.2 Permissions Needed by Administrators 

5.2.1 Domain Administrators 

Domain Administrators already have all required permissions within their Domain. 

5.2.2 Delegated Administrators 

The term 'Delegated Administrators' is used here to refer to administrators who have been 

delegated control over an Organizational Unit. Generally speaking, they have administrative 

control over the user and computer accounts within their Organizational Unit. 

See the Digipass Records topic in the Product Guide for more information on possible 

approaches to delegating Digipass administration. 

By default, these administrators will be able to view the Digipass User Account data for their 

users and the Digipass that are located within their Organizational Unit. However, they will not 

be able to modify any of that data or assign Digipass. 

If you wish to delegate responsibility for all Digipass-related administration within an 

Organizational Unit, the following additional permissions are required by the Delegated 

Administrator: 

Within the scope of the Organizational Unit, Write permission to the new attributes that 

are added to the User class for VACMAN Middleware (these are in the auxiliary class 

vasco-UserExt) – you can add Write permissions for each individual Property Set or if 

appropriate, grant 'Write All Properties' permission 

Within the scope of the Organizational Unit, Full Control over all Digipass (vasco- 

DPToken) and Digipass Application (vasco-DPApplication) objects 

Create and Delete permission for Digipass (vasco-DPToken) objects within the 

Organizational Unit 

If the Delegated Administrator should be allowed to assign Digipass from the Digipass 

Pool to their users, they need: 

the Delete Digipass objects permission in the Digipass-Pool container 

Write All Properties permission on Digipass objects in the Digipass-Pool container 

If the Delegated Administrator should be allowed to move unassigned Digipass back to 

the Digipass-Pool, they need Create Digipass objects permission in the Digipass-Pool 

container 

5.2.3 Reduced-Rights Administrators 

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are 

granted permissions to perform only selected Digipass-related administration tasks. They may 

be granted these permissions within the scope of the whole Domain, or only within an 

Organizational Unit. 

An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but 

not to assign/unassign Digipass to/from users. 



By default, all users have read access to everything in the Active Directory. The modification 

permissions that can be granted to this kind of administrator are: 

Write permission for any of three Property Sets on the Digipass User Account fields: 

Digipass User Account Information – all attributes except those covered by the other two 

Property Sets, including Authorization Profiles/Attributes 

Digipass User Account Link – the link attribute used to share a Digipass between two 

user accounts 

Digipass User Account Stored Password – the Stored Password attribute 

Write permission for any individual properties on Digipass objects, except for one 

Property Set that is defined to control the Digipass assignment link 

Write permission for any individual properties on Digipass Application objects, except for 

one Property Set that is defined to include the Digipass 'blob' that is required for any 

administrative operation such as Reset PIN, Test, Set Event Counter, etc. 

Create and delete permission on Digipass and Digipass Application objects 

If the administrator should be allowed to move Digipass, they need: 

the Delete Digipass objects and Create Digipass objects permissions in the relevant 

Domain and/or Organizational Unit 

Write All Properties permission on Digipass objects 

Note that this can be necessary for assigning Digipass to users, because a move from 

one location to another is controlled by permissions to delete from the source and create 

in the destination 

5.2.4 System Administrators 

The term 'System Administrator' is used here to refer to an administrator who will be 

responsible for management of the Component and Policy records, rather than Digipass User 

Accounts and Digipass. They need permissions within the Digipass Configuration Container to 

create, modify and delete Component (vasco-Component) and Policy (vasco-Policy) objects. 

In practice, System Administrators can typically be given full control over the Digipass- 

Configuration container. If you wish to grant more limited permissions, this can be handled 

with the standard Active Directory permissions on these objects within the scope of the 

container. 

5.3 Assign Administration Permissions to a User 

Note 

This example assumes that the administrator's User account has read 

permissions for all User records already. 

To grant permissions to manage Digipass records, you will need to follow these steps: 

1. Right-click on the Organizational Unit in which to assign permissions. 

2. Select Delegate Control... from the right-click menu. 

The Delegate Control Wizard will be displayed. 



3. Select the User or Windows Group to assign permissions. 


5. Select the Delegate Common Tasks option button. 

6. Select Create, Delete and Manage Digipass from the list. 

7. Click on Next. 

8. Click on Finish. 

If you wish to grant permissions to modify Digipass User Account properties, you will need to 

follow these steps: 

9. Select View -> Advanced Features from the main menu. 

10. Right-click on the Organizational Unit in which to assign permissions. 

11. Select Properties from the right-click menu. 

12. Click on the Security tab. 

13. Click on the Advanced button. 

The Advanced Security Settings window will be displayed. 

14. Click on Add... 

15. Type the username of the User to assign the permissions to and click OK. 

16. Click on the Properties tab. 

17. Select User Objects from the Apply onto drop down list. 

18. Select the required permissions from: 




Write Digipass User Account Information 

Write Digipass User Account Link 

Write Digipass User Account Stored Password 

If the administrator requires permissions to take Digipass out of the Digipass-Pool for 

assignment, you will need to follow these steps: 

22. Right-click on the Digipass Pool. 

23. Select Properties from the right-click menu. 


25. Click on the Advanced button. 

The Advanced Security Settings window will be displayed. 


27. Select the User account. 


29. Click on the Object tab. 

30. Select Child objects only from the Apply onto drop down list. 



31. Tick the Allow box for: 



Delete Digipass Objects 

Create Digipass Objects (if you wish to allow the administrator to move Digipass 

records into the Digipass Pool) 

34. Select the User account. 


36. Click on the Object tab. 

37. Select Digipass objects from the Apply onto drop down list. 

38. Tick the Allow box for Write All Properties. 






5.5 Multiple Domains 

When using the Authentication Server with multiple domains, extra steps must be followed to 

ensure that both the Authentication Server and administrators have permissions sufficient to 

access required data. The main issues are: 

The Digipass Configuration Container is only in one Domain. All Authentication Servers 

need read access to this container, even when they are in a different Domain. Cross- 

Domain access for administrators is a less likely requirement however. 

If a Authentication Server handles users and Digipass in more than one Domain, they 

need to be granted the necessary permissions in all the necessary Domains. 

In this manual, we will handle cross-Domain permissions using a combination of Domain Local 

and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups, 

but these are not recommended in Windows 2000 due to replication issues. The replication 

efficiency has been improved in Windows Server 2003, however Universal groups are still not 

used as commonly as Domain Local/Global groups. 

Three possible scenarios for multiple domain setup are outlined below: 

5.5.1 Scenario 1 – Each Authentication Server Handles One 

Domain 

Each Authentication Server handles only the domain in which it is a member. 

Install the Authentication Server in each domain (the result will be at least as many 

Authentication Servers as domains). 

Give each Authentication Server access to the Digipass Configuration Domain: 

Domain Global Group(s) 

For each domain (apart from the Digipass Configuration Domain) - 

1. Create a Domain Global group 

2. Add the Authentication Server(s) to the Domain Global group (check which machines 

are in the 'RAS and IAS Servers' group to ensure the correct additions) 

Domain Local group 

In the Digipass Configuration Domain - 

3. Create or use an existing Domain Local group. 

4. Give the Domain Local group full read access to the Digipass Configuration Container. 

5. Add the Domain Global Group from each other domain to the Domain Local group. 



5.5.2 Scenario 2 – One Authentication Server Handles All 

Domains 

Authentication Servers in one domain handle all domains. The Digipass Configuration 

Container should be located in the domain to which the Authentication Servers belong. 

Give the necessary access to User and Digipass data: 

Domain Global group 

In the RADIUS server Domain - 

1. Create a Domain Global group. 

2. Add the Authentication Servers to the Domain Global group (check which machines are 

in the 'RAS and IAS Servers' group to ensure the correct additions). 

Domain Local groups 

For each other Domain - 

3. Create a Domain Local group. 

4. Give the Domain Local group the required permissions (run the setupaccess command - 

See 2.5 DPADadmin Utility for more information). 

5. Add the Domain Global group from the Authentication Server Domain to the Domain 

Local group. 

5.5.3 Scenario 3 - Combination 

This scenario represents more complex setups, where a combination of steps from Scenarios 1 

and 2 will be required. Use the steps given in the first two scenarios as a guide for what you 

will need to do for the combination scenario. 


VACMAN Middleware Administrator Reference Backup and Recovery 

6 Backup and Recovery 

This section explores the measures that Administrators can undertake in backing up and 

recovering VACMAN Middleware datafiles in the event of a system failure. 

Note 

This section does not cover backup of executables and system files. In the 

event of a catastrophic failure these can be restored or reinstalled from the 

original distribution media (and any subsequent service packs/patches). 

Once the Authentication Server is installed and operational, backups should be made of 

important files and data. 

Any time changes are made to the system, backups may need to be performed again. These 

changes include, but are not limited to: 

Changing any configuration settings including the IP address of a server 

Adding/removing a Component 

Modifying a Policy 

User and Digipass data should be backed up on a frequent, regular basis. 

6.1 What Must be Backed Up 

Configuration files for Authentication Server, Message Delivery Component and 

Command Line Administration Utility. 

User Self-Management Web Site pages and graphics (if customized) 

Virtual Digipass OTP Request Web Site pages and graphics (if customized) 

Audit Log data 

Active Directory or ODBC database containing Digipass-specific data 

DPX files (except for demo Digipass) 

Any command line administration scripts which have been written for use with the 

Command Line Administration Utility. 

Important Note 

The VACMAN Middleware installation includes a DPX directory containing 

sample DPX files for demo Digipass. These do not need to be backed up. 

However, if you have copied the DPX files for your real Digipass into that 

directory, ensure you still have the original files (normally on floppy disk). If 

you no longer have the DPX file(s) stored elsewhere, it is very important that 

you take a backup. 

6.1.1 Configuration files 

The configuration files for the Authentication Server, Virtual Digipass Message Delivery 



Component and Command Line Administration Utility can be copied from the bin directory (by 

default C:\Program Files\VASCO\VACMAN Middleware 3\Bin) to a secure location. 

The files to be copied are: 

dpauthserver.xml for all Authentication Servers 

dpadmincmd.xml 

mdcconfig.xml – a backup of one working file is sufficient. 

Tip 

Save the files above with an extension that describes the server from which the 

file(s) were backed up. This makes it easier and quicker to locate the correct file 

during recovery. 

6.1.2 Web Sites 

In some cases, the web pages and graphics provided with VACMAN Middleware for the User 

Self Management Web Site and Virtual Digipass OTP Request Web Site will have been 

customized to suit the organization’s colors/languages/themes/etc. 

If these web pages and graphics have been modified, it is important to have a backup stored 

in a secure location away from the production server. This will allow the web site to be 

restored for the look and feel of the organization. 

To back up the web site pages and graphics, you can copy the html, js, and gif files to another 

location. If the site is highly modified, or the location of the files on disk is not known, contact 

your web administrator for further guidance. 

Note 

Maintaining the directory structure will make restoration of the site, if required, 

quicker and easier. 

6.1.3 Audit Log Data 

If your organization requires that the Audit Log data be archived, the method required will 

depend on the audit settings. You may need to archive periodically, to avoid too much disk 

space being used or to keep the database from growing too large and slow. 

6.1.3.1 Write to Text File 

Ensure you make copies of all files contained in the directory into which the audit log files are 

written. By default this will be \Log, however it may have been configured to 

another location. Check the audit configuration settings if you are unsure. 

6.1.3.2 Write to ODBC Database 

Back up the database using the database's backup utility. 



6.1.3.3 Write to Windows Event Log 

By default, Event Log entries are written to the Application log. However, you can configure 

the entries to be written to another log. Check the audit configuration if you are unsure. 

Important Note 

The Event Log may be configured with a maximum size. When this size is 

reached, the oldest entries may be overwritten by new ones. To check this, 

view the Properties of the log in the Event Viewer. If older entries will be 

overwritten, you will need to archive them before that occurs. 

To archive an Event Log: 

1. Select Start -> Settings -> Control Panel. 

2. Double-click on Administrative Tools. 

3. Double-click on Event Viewer. 

4. Right-click on Application (or the correct log, if not Application). 

5. Click on Save log file as... 

6. Select a path and enter a filename. 

7. Select a file format from the Type drop down list. 

8. Click on the Save button. 

Note 

The Audit Log data is not required for system recovery purposes. 

6.1.4 DPX files 

The DPX files are normally provided on a floppy disk, which can be stored securely as a 

backup. If you prefer another method of archive, copy the files to your preferred location. It is 

important to keep the DPX file transport keys secure and preferably in a separate location to 

the DPX files themselves. 

6.1.5 Active Directory 

6.1.5.1 Cold Backup 

In many cases the Authentication Server will belong to an Active Directory domain that 

includes several Domain Controllers. Replication should automatically occur between Domain 

Controllers, providing simple data backup. 

It is highly recommended, however, that you perform a 'cold' backup of the System State 

Data, which includes the Active Directory repository. This will allow recovery if data is 

corrupted and then replicated. For more information about backing up and restoring System 

State Data, refer to Windows Help on your Domain Controller and enter 'backing up data, 

System State data' in the index tab. In particular, this should be performed on the Digipass 

Configuration Domain and any other Domains containing Digipass User accounts and/or 

Digipass records. 



6.1.6 ODBC and Embedded Database 

6.1.6.1 Data Source Settings 

If you have performed some adjustments to the ODBC Data Source (DSN) that are important 

to keep, make sure that you have a readout of the settings. 

6.1.6.2 Backup Strategies 

Warm Backup 

A 'warm' backup of the disk containing the database used by the Authentication Server via a 

RAID hardware configuration or server mirroring is a favorable backup method. It is both 

entirely up to date and incurs no downtime if a single disk failure occurs. 

This method requires either software RAID, or for better performance a hardware RAID 

configuration. 

Another technique that achieves the same effect is the 'shadow database'. 

However, it is still recommended to take a cold backup at intervals, as there is a possibility 

that a database corruption could be mirrored/shadowed under some circumstances. 

Cold Backup 

A 'cold' backup of the database allows administrators to implement a duplicate database as a 

safeguard on a regular basis. Generally speaking there are two methods that can be used to 

perform a cold backup: 

Backup Utility 

The first option is to use the vendor-specific backup utility that allows the contents of the 

database to backed up to a file or device while the system is running. Such a utility is provided 

with the embedded database PostgreSQL (see below). 

Shut Down and Copy the Database File 

The second option involves stopping the database server and any connecting server processes 

and copying the database files. However, this is only possible where the database vendor 

recommends this approach. Normally this is only appropriate if the database is contained in a 

single operating system file. 

Replicated Copy 

If replication has been configured between databases, a replicated copy can be used as a 

backup. However, it is still recommended to take a cold backup at intervals. 

6.1.6.3 Backup of Embedded Database 

The PostgreSQL database available with the Authentication Server installation may be backed 

up while operational by completing these steps: 

1. Open command prompt in \PostgreSQL\Bin. 



2. Enter the following command and hit ENTER: 

pg_dump -f "" -Fc -Z9 -U [-v] postgres 

where: 

is the absolute path and file name of the file to back up the data 

to 

is the database administrator account name. When installed, 

this is set to "digipass". 

-v is an optional 'verbose mode' parameter. Use this if you wish to see output as the 

backup is run. 

3. You will normally be prompted for the password of the database administrator account. 

When installed, this is set to "digipassword". 

This command may also be run via a batch file in order to automatically take a backup at 

regular intervals. In order to remove the interactive prompt for the password, you can add a 

line to a PostgreSQL configuration file to allow local logins for a database administrator account 

without a password. Edit the file \PostgreSQL\data\pg_hba.conf with a text 

editor. At the bottom of this file, there is a list of rules for authenticating connections to the 

database, which by default will be: 

# TYPE DATABASE USER CIDR-ADDRESS METHOD 


host all all 127.0.0.1/32 md5 


#host all all ::1/128 md5 

Add the following line directly below # Ipv4 local connections: 

host postgres digipass 127.0.0.1/32 trust 

You may prefer to create a second database administrator account that only has permission to 

back up the database. This can be done using the PostgreSQL database administration utility 

Programs -> PostgreSQL 8.1 -> pgAdmin III. Refer to the PostgreSQL documentation for 

more information. 



6.2 Recovery 


Assumptions: 

Active Directory itself is still valid and operational. 

Steps: 

Up-to-date backups of the configuration files for the Authentication Server are available. 

1. Rebuild the server with your operating system SOE, using the same IP address as 

before, in the same Domain as before. 

2. Retrieve your backup copy of the dpauthserver.xml file. 

3. Reinstall VACMAN Middleware on the server. The same settings as those chosen in the 

previous installation should be selected. Note: on Active Directory or an ODBC 

database, the This is not the first Authentication Server to be installed checkbox 

on the Prerequisites screen should be ticked. 

4. Tick the Use an evaluation license checkbox (the existing Digipass data in the data 

store contains all necessary licensing information, which will be retrieved when the 

Authentication Server is operational). 

5. At the end of the installation, you will be prompted to select a license activation 

method. Select Just Continue. 

Before you restart the machine, carry out the following: 

6. Restore the backup copy of the configuration file dpauthserver.xml to \bin. 

7. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites 

and 6.1.2 Web Sites for more information). 

After restarting the machine: 

8. Check that you can view Digipass-specific information in the Administration MMC 

Interface and the Digipass Extension for Active Directory Users and Computers. 



6.2.2 ODBC or Embedded Database 

6.2.2.1 Rebuild Authentication Server, Database Undamaged 














6. Restore the backup copy of the configuration file dpauthserver.xml into the same 

directory. 



After restarting the machine: 


Interface. 



6.2.2.2 Restore Database, Authentication Server Undamaged 

This procedure should be followed where a database has been damaged and no current, valid 

database exists on another server. The database is restored from an earlier backup. 

1. Stop Digipass Authentication Server service. 

2. Restore database from backup. If you are using the embedded PostgreSQL database: 

a. Stop the Digipass Authentication Server service. 

b. Open a command prompt in \PostgreSQL\Bin. 

c. Enter the following command and hit ENTER: 

pg_restore -d postgres -c -U [-v] "" 

where: 

is the absolute path and file name of the file to restore from 

is the database administrator account name. The database 

administrator account created during installation is "digipass". 

-v is an optional 'verbose mode' parameter. Use this if you wish to see output as 

the database is restored. 

d. Enter the following command and hit ENTER: 

vacuumdb -z -d postgres -U [-v] 

where: 





This step forces the database to recalculate optimization statistics, because all the 

data has been removed and reloaded. 

3. Delete the replication queue files for all destination servers. This can be done by 

deleting all files in the \Data directory (Note: if you have reconfigured 

replication to store its files in a different directory, delete the files in that 

directory instead). 

4. Restart Digipass Authentication Server service. 

Follow the 6.2.2.4 Copy Database from Other Authentication Server procedure below on 

all other Authentication Servers in the system. It is essential to resynchronize all the databases 

in the system. 



6.2.2.3 Rebuild Authentication Server, Restore Database 

This procedure is required where both the Authentication Server and its database have been 

lost. Configuration files and the database will be restored from backups. 















directory. 



8. Restore database from backup. If you are using the embedded PostgreSQL database: 

a. Stop the Digipass Authentication Server service. 

b. Open a command prompt in \PostgreSQL\Bin. 

c. Enter the following command and hit ENTER: 

pg_restore -d postgres -c -U [-v] "" 

where: 

is the absolute path and file name of the file to restore from 





d. You will normally be prompted for the password of the database administrator 



account. When installed, this is set to "digipassword". 

e. Enter the following command and hit ENTER: 

vacuumdb -z -d postgres -U [-v] 

where: 





This step forces the database to recalculate optimization statistics, because all the 

data has been removed and reloaded. 

f. You will normally be prompted for the password of the database administrator 

account. When installed, this is set to "digipassword". 

9. Reboot the machine. 


Interface. 

Follow the 6.2.2.4 Copy Database from Other Authentication Server procedure below on 

all other Authentication Servers in the system. It is essential to resynchronize all the databases 

in the system. 



6.2.2.4 Copy Database from Other Authentication Server 

This procedure will be required where multiple Authentication Servers are synchronizing with 

each other, where one database has become unsynchronized or unstable. It must be replaced 

with a 'safe' database – one containing up-to-date, uncorrupted data. The instructions below 

assume a simple two-Authentication Server pair where one Authentication Server (SVR-2) is 

using a database that has become unstable, and the other (SVR-1) is using a 'safe' database. 

To replace the database: 

1. Identify the Authentication Server with the 'safe' database. For these steps, it will be 

referred to as SVR-1. 

2. Stop the Digipass Authentication Server service on SVR-1 and SVR-2. 

3. Take a complete copy of the database used by the Authentication Server on SVR-1. If 

you are using the embedded PostgreSQL database, see 6.1.6.3 Backup of 

Embedded Database for instructions. 

4. Delete the replication queue files for SVR-2 which is on SVR-1: 

a. On SVR-1, run the Authentication Server Configuration utility and change to the 

Replication tab. 

b. Find the Destination Server row that represents SVR-2 and note the Display Name. 

c. Check the Queue Settings File Path value. This will normally be \Data, but may have been re-configured. 

d. In that directory, delete all files with filename starting . 

5. The Digipass Authentication Server service on SVR-1 may be restarted now if needed – 

it will build up a new replication queue until it can connect to SVR-2. 

6. Completely overwrite the database used by the Authentication Server on SVR-2 with 

the copy from SVR-1. If you are using the embedded PostgreSQL database, see Step 2 

of 6.2.2.2 Restore Database, Authentication Server Undamaged. 

7. Delete the replication queue file on SVR-2 for all other Authentication Servers. This can 

be done by deleting all files in the \Data directory (Note: if you 

have re-configured replication to store its files in a different directory, delete the files 

in that directory instead). 



Warning 

If the Authentication Server with the 'bad' database (SVR-2) was 

synchronizing with another Authentication Server, you must copy over the 

other database as well. Follow the steps above for any Authentication Servers 

with which SVR-2 was synchronizing. 

8. Restart the Digipass Authentication Server service on SVR-2. 



6.2.2.5 Rebuild Authentication Server, Copy Database 

This procedure will be required where multiple Authentication Servers are synchronizing with 

each other and one Authentication Server, together with its database, is lost. The instructions 

below assume one functional Authentication Server (SVR-1) with an up-to-date database, and 

a server on which an Authentication Server must be rebuilt (SVR-2) and its database copied 

from the other Authentication Server. 

1. Rebuild SVR-2 with your operating system SOE, using the same IP address as before, 

in the same Domain as before. 











Before you restart SVR-2, carry out the following: 


directory. 



8. On SVR-1, stop the Digipass Authentication Server service. 




10. Delete the replication queue file for SVR-2 which is on SVR-1. 

a. On SVR-1, run the Authentication Server Configuration utility and change to the 

Replication tab. 



b. Find the Destination Server row that represents SVR-2 and note the Display Name. 

c. Check the Queue Settings File Path value. This will normally be \Data, but may have been re-configured. 

d. In that directory, delete all files with filename starting . 

11. The Digipass Authentication Server service on SVR-1 may be restarted now if needed 

– it will build up a new replication queue until it can connect to SVR-2. 

12. Completely overwrite the database used by the Authentication Server on SVR-2 with 

the copy from SVR-1. If you are using the embedded PostgreSQL database, see Step 2 

of 6.2.2.2 Restore Database, Authentication Server Undamaged. 

13. Restart SVR-2. 


Interface. 

Warning 

If the Authentication Server with the 'bad' database (SVR-2) was 

synchronizing with another Authentication Server, you must copy over the 

other database as well. Follow the steps above for any Authentication Servers 

with which SVR-2 was synchronizing. 


VACMAN Middleware Administrator Reference Field Listings 

7 Field Listings 

7.1 User Property Sheet 

Table 30: User Fields 

Field Name in 

Administration 

Interfaces 

New Password 

Confirm Password 

Description 

These fields are used to modify the static password that is stored in the Digipass User 

account. If they are left blank, no modification is made. 

Local Authentication Specifies whether authentication requests for the User account will be handled by the 

Authentication Server using Local Authentication (see the Authenticating Users section 

in the Product Guide for more details on Local Authentication and Back-End 

Authentication). 

Normally, this field will be Default, meaning that the Policy applicable to the authentication 

request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet the 

restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they 

cannot use Digipass authentication under that Policy. 

Options: 

Back-End 

Authentication 

Default Use the setting of the effective Policy. 

None The Authentication Server will not carry out Local Authentication for this 

User account. They may be handled using Back-End Authentication, or 

not handled at all by the Authentication Server. 

Digipass/Password The Authentication Server will always carry out Local Authentication for 

this User, using Digipass authentication if possible, otherwise the static 

password. Back-End Authentication may also be utilized. 

Digipass Only The Authentication Server will always carry out Local Authentication for 

this User, using Digipass authentication. If Digipass authentication is not 

possible, the user cannot log in. Back-End Authentication may also be 

utilized. 

Specifies whether authentication requests for the User account will be handled by the 

Authentication Server using Back-End Authentication (see the Authenticating Users 

section in the Product Guide for more details on Local Authentication and Back-End 



request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

Options: 


None Back-End Authentication will not be used. 

If Needed The Authentication Server will utilize Back-End Authentication but only in 

certain cases: 

Dynamic User Registration 

Self-Assignment 

Password Autolearn 

Requesting a Challenge or Virtual Digipass OTP, when the Request 

Method includes a Password 

Static password authentication, when verifying a Virtual Digipass 

password-OTP combination or during the Grace Period 



Field Name in 


Interfaces 

Description 

Always The Authentication Server will utilize Back-End Authentication for every 

authentication request. 

Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication 

for the User will be rejected by the Authentication Server. 

Active Directory only: 

This attribute will be set to disabled and made read-only if the Active Directory User account 

is disabled or expired. Otherwise, this attribute will be editable. 

Locked Specifies whether a Digipass User account is locked or not. If locked, authentication for the 

User will be rejected by the Authentication Server. 

The Locked indicator is normally set automatically when the User exceeds a certain number 

of failed authentication attempts. The User Lock Threshold is set in the Policy. 

Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts 

together. This feature is intended for the case where one person, such as an administrator, 

has multiple User accounts. If their accounts are linked, there is no need to give more than 

one Digipass to that person. 

This feature is used by assigning the Digipass to one User account, then linking all the other 

User accounts for the person to the one that has the Digipass. 

Read-only. 


If a User is linked to another User, their Linked User Account field will show the Active 

Directory format DN (Distinguished Name) of the linked User. The DN shows the full address 

within Active Directory of the linked User, for example: 

CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=com 

In this example, the linked User is called Test User and they are located in an Organizational 

Unit Admin, which is inside another Organizational Unit Europe in the vasco.com domain. 

ODBC Database only: 

If a User is linked to another User, their Linked User Account field will show the UserId and 

Domain of the linked User, for example: 

testuser [vasco.com] 

Created On The date and time that the Digipass User account was created. Read-only. 

Last Modified On The date and time that the Digipass User account was last modified. Read-only. 

Domain ODBC Database only: 

The Domain to which the User belongs. 

Read only. 

Organizational Unit ODBC Database only: 

The Organizational Unit in which the User is located. This is optional as the User does not 

have to be located in an Organizational Unit. 

Read only. The Move command must be used from the User list menu to change this. 

User Name ODBC Database only: 

The full name of the User. 

Email Address ODBC Database only: 

The email address of the User. 

Phone No. ODBC Database only: 

The telephone number of the User. 

Mobile No. ODBC Database only: 

The mobile phone number of the User. This will be used for Virtual Digipass logins. 

Description ODBC Database only: 

Any descriptive text or notes. 

Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active 

Applications is given with the Application Type indicated in brackets(). For example: 

0058384426 RESP_ONLY(RO), CHALLENGE(CR) 

In this example line, the Digipass with Serial Number 0058384426 has two active 



Field Name in 


Interfaces 

Description 

Applications: one Response Only Application RESP_ONLY and one Challenge/Response 

Application CHALLENGE. 

If the User does not have any Digipass assigned directly, but is linked to another User to use 

their Digipass (see Linked User Account), the linked User's Digipass list is shown with the 

Serial Numbers in square brackets (eg. [0058384426]). 

When a Digipass in the list is selected, the remainder of the property sheet tab indicates 

values from the corresponding Digipass record. 

Read-only. 

7.2 User Authorization Profiles/Attributes Window 

Table 31: User Attribute Fields 

Field Name in 


Interfaces 

Description 

Attribute Group list This list box displays all Attribute Groups, User attributes and RADIUS Profiles currently 

configured for a User account. 

Note: RADIUS Profiles are not currently in use with VACMAN Middleware. 

Attribute Group drop 

down list 

Contains all Attribute Groups configured so far. A new Attribute Group may be created by 

typing a new value into the drop down list. 

Attribute Groups contain one or more User attributes and/or RADIUS Profiles. They are used 

where multiple IIS Modules are in use, and each IIS Module needs to use different User 

attributes for a User. 

The name selected in this field should match a name entered in the Configuration for an IIS 

Module. 

Name drop down list The name of the item being configured. If this is a User attribute, it must match the name of 

a user attribute required by an IIS Module. For the IIS 6 Module for Basic Authentication, this 

would be either User-Name or Password. 

Usage drop down list Specifies the usage required for the User attribute or RADIUS Profile. 

Options: 

Basic Used by the IIS 6 Module for Basic Authentication 

Check Note: Not currently in use with VACMAN Middleware. 

Used to ensure that an attribute supplied by RADIUS contains the 

expected value. 

Profile Note: Not currently in use with VACMAN Middleware. 

Indicates that the value entered is the name of a Profile existing in 

RADIUS. 

Return Note: Not currently in use with VACMAN Middleware. 

Passed back to RADIUS when the result of an authentication is returned 

by the Authentication Server. 

Value field This field should contain the User attribute value needed by the IIS Module. For the IIS 6 

Module for Basic Authentication, this would be a User ID or password. 



7.3 Digipass Property Sheet 

Table 32: Digipass Fields 

Field Name in 


Interfaces 

Description 

Domain ODBC Database only: 

The Domain to which the Digipass belongs. 

Read only. The Move command must be used from the Digipass list menu to change this. 

Organizational Unit ODBC Database only: 

The Organizational Unit in which the Digipass is located. This is optional as the Digipass does 

not have to be located in an Organizational Unit. 

Read only. The Move command must be used from the Digipass list menu to change this. 

Digipass Type The type of Digipass represented by the Digipass record (eg. DP300). 

Reserve for Individual 

Assignment 

When used, this option prevents the Digipass from being assigned using the Auto-Assignment 

feature. It also prevents it from being assigned by an administrator who uses the 'Assign next 

available...' option in the assignment dialog. 

Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. 

Read-only. 

Date Assigned The date and time when the Digipass was assigned to its current User. 

Read-only. 

Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date 

shows today's date or before, the Grace Period has already expired. If it is blank, there is no 

Grace Period. 

Enable Backup VDP Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass. 

Note that in order for the Backup Virtual Digipass feature to function, it must also be activated 

in the DPX file for the Digipass. 


request determines the setting. This field on the Digipass record is used to override the Policy 

setting for special cases. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Enabled Until date and the Uses Remaining count 

will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. This may be useful if the 

User may have lost the Digipass, to prevent it from being used 

until they have found it again. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that 

the effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise). 

If this date is blank, it will be set automatically the first time that the User requests a Backup 

Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the Policy. 

Once this date has expired, it requires administrator intervention either to extend it or to 

reset it to blank for the next time that the User needs to use Backup Virtual Digipass. 

Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for this 

Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in 



Field Name in 


Interfaces 

Description 

the Policy, it will be set automatically the first time that the User requests a Backup Virtual 

Digipass OTP, based on the Max. Uses/User. 

Created On The date and time that the Digipass was created. Read-only. 

Last Modified On The date and time that the Digipass was last modified. Read-only. 

7.4 Digipass Application Tab 

Table 33: Digipass Application Fields 

Field Name in 


Interfaces 

Application Type The type of Digipass Application: 

RO – Response Only 

CR – Challenge/Response 

SG – Signature 

Description 

Active This field can be used to deactivate an Application, so that it cannot be used. 

Attribute/Value list This list indicates various internal settings of the Digipass Application. 

Created On The date and time that the Digipass Application was created. Read-only. 

Last Modified On The date and time that the Digipass Application was last modified. Read-only. 



7.5 Policy Property Sheet 

Note 

Changes to Policy settings will not take effect immediately. They will take effect 

when the Authentication Server is restarted, once the Policy change is available 

to the Authentication Server in the data store. Alternatively, if there is no 

restart, the cache of Policy settings will refresh from the data store after 

approximately every 15 minutes. 

Table 34: Policy Fields 

Field Name in 


Interfaces 

Description 

Description This description can be entered to record the purpose of the Policy. 

Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the 

'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; 

they inherit the parent Policy value in the following cases: 

Choice lists/radio buttons – if the selected value is Default 

Text fields – if the field is blank 

Numeric fields – if the field is blank (not 0) 

List fields – if the list is empty 

The Show Effective Policy Settings... button can be used to display the result of 

inheriting settings combined with settings on the current Policy. 

Local Authentication Specifies whether authentication requests using the Policy will be handled by the 

Authentication Server using Local Authentication (see the Authenticating Users section 

in the Product Guide for more details on Local Authentication and Back-End 


When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet 

the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, 

they cannot use Digipass authentication under that Policy. 

Options: 

Back-End 


Default Use the setting of the parent Policy. 

None The Authentication Server will not carry out Local Authentication 

under this Policy. They may be handled using Back-End 

Authentication, or not handled at all by the Authentication Server. 

Digipass/Password The Authentication Server will always carry out Local Authentication 

under this Policy, using Digipass authentication if possible, otherwise 

the static password. Back-End Authentication may also be utilized. 

Digipass Only The Authentication Server will always carry out Local Authentication 

under this Policy, using Digipass authentication. If Digipass 

authentication is not possible, the user cannot log in. Back-End 

Authentication may also be utilized. 

Specifies whether authentication requests using the Policy will be handled by the 

Authentication Serverusing Back-End Authentication (see the Authenticating Users 

section in the Product Guide for more details on Local Authentication and Back-End 


Options: 


None Back-End Authentication will not be used. 

If Needed The Authentication Server will utilize Back-End Authentication but 



Field Name in 


Interfaces 

only in certain cases: 

Description 

Dynamic User Registration 

Self-Assignment 


Requesting a Challenge or Virtual Digipass OTP, when the 

Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the Grace Period 

Always The Authentication Server will utilize Back-End Authentication for 

every authentication request. 

Back-End Protocol Specifies the protocol to be used for Back-End Authentication. 

Options: 

Windows Authentication using the Windows operating system. 

RADIUS Authentication using a RADIUS server. 

Created On The date and time that the Policy was created. Read-only. 

Last Modified On The date and time that the Policy was last modified. Read-only. 

Dynamic User 

Registration 

Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. 

If this feature is used, when the Authentication Server receives an authentication request 

for a User for the first time and Back-End Authentication is successful, it will create a 

Digipass User account automatically. If DUR is used in conjunction with Auto-Assignment, 

a Digipass will be assigned to the new User account immediately. 

Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature 

enables the Authentication Server to update the password stored in the Digipass User 

account when Back-End Authentication is successful. 

Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This 

feature can be used in conjunction with the Back-End Authentication Always setting and 

the Password Autolearn feature, so that even though a Back-End Authentication check is 

done every login, it is done using the password stored in the Digipass User account, so the 

User does not have to enter it during their login unless it has just changed. 

In VACMAN Middleware it is normally not necessary to perform a Back-End Authentication 

check at each login, so this feature is not typically used. 

Default Domain The default Domain in which the Authentication Server should look for and create Digipass 

User accounts, if a Domain is not specified by the login credentials. 


If the User logs in with the User-Principal-Name format (eg. testuser@vasco.com) or the 

NT4 style format (eg. VASCO\testuser), the Default Domain is not used. However, if they 

log in with just a UserId (eg. testuser), the Default Domain will be used if specified. 

In the case that no Domain is implied by the login credentials and there is no Default 

Domain, the Authentication Server will search in its Configuration Domain. 

This must be the fully qualified domain name. 

ODBC Database only: 

Windows User Name Resolution can be used, in which case the User-Principal-Name and 

NT4 style formats will determine the Domain. If the Domain is not determined by that 

method, a simple UPN-like format (ie. testuser@vasco.com) will identify the Domain, when 

the Domain exists in the database. 

In either case, if no Domain has been identified, the Policy's Default Domain will be used if 

it is defined. Finally, if there is no Default Domain, the Master Domain will be used. 

User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass 

User account to become Locked. For example, if the User Lock Threshold is 3, the account 

will become Locked on the third failed login attempt. Unlocking the account requires 

administrator action. 

Note that not all kinds of login failure will result in locking. For example, if the UserId is 



Field Name in 


Interfaces 

Windows Group Check 

(radio buttons) 

Description 

incorrect or the account is Disabled, the failure would not count towards the lock threshold. 

Locking is used mainly for incorrect OTPs and static passwords. 

Specifies whether and how the Windows Group Check feature is to be used. This feature 

is typically used for a staged deployment of Digipass when the Auto-Assignment method 

is used. It can also be used when only some Users are required to use Digipass or when 

only some Users will be permitted access and they have to use Digipass. 

Options: 


No check Do not use the Windows Group Check feature. 

Pass requests for users not 

in listed groups back to 

host system 

Reject requests for users 

not in listed group 

Use only Back-End 

Authentication for users 

not in listed groups 

Use the Windows Group Check so that any Users who are not in 

one of the listed groups are ignored by the Authentication 

Server. 

This mode is not supported in VACMAN Middleware for 

RADIUS – users not in the group list will be rejected. 

Use the Windows Group Check so that any Users who are not in 

one of the listed groups are rejected by the Authentication 

Server. 

Use Back-End Authentication only for any Users who are not in 

one of the listed groups. 

Group List This lists the names of the Windows Groups to be checked according to the Windows Group 

Check radio button setting. There are some important limitations of this check: 

Certain built-in Active Directory groups such as Domain Users and Everyone will not 

be checked. The check is intended to be used with a new group created specifically for 

this purpose. 

Nested group membership will not be detected by the check. 

There is no Domain qualifier for a group. The named group must be created in each 

Domain where User accounts exist that need to be added to the group. 

In the case of an ODBC Database, a local machine group can be used also. 

Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, if 

any. There are two methods, Auto-Assignment and Self-Assignment. 

Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When 

DUR occurs, the next available Digipass is assigned to the new Digipass User account. A 

Grace Period is set for the Digipass according to the Grace Period setting in the Policy. 

Self-Assignment is typically used with DUR also, but if the Digipass User accounts are 

created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a 

User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP 

from the Digipass and their static password. There is no Grace Period associated with Self- 

Assignment, because the User has to use the Digipass to perform Self-Assignment. 

In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will 

not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and 

DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy 

restrictions, they will not be able to self-assign another Digipass. 

Options: 


Auto-Assignment Use the Auto-Assignment method. 

Self-Assignment Use the Self-Assignment method. 

Neither Do not use either method of automated assignment. 

Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and 

the date they must start using their Digipass to login. Before that time they can still use a 

static password (unless the Local Authentication setting is Digipass Only). However, the 

first time that an OTP is used to log in, the Grace Period is ended at that point if it has not 



Field Name in 


Interfaces 

Description 

already ended. 

This setting does not affect manual assignment by an administrator. 

Serial No. Separator The character (or short sequence of characters) that will be included at the end of the 

Digipass Serial Number during a Self-Assignment login. It allows the Authentication 

Server to easily recognise that a Self-Assignment attempt is being made and extract the 

Serial Number from the credentials. 

Search Upwards in Org. 

Unit hierarchy 

This controls the search scope for an available Digipass for Auto-Assignment or for a 

specific Digipass for Self-Assignment. 

This setting does not affect manual assignment by an administrator. 

Options: 


No The search scope is only the Organizational Unit in which the User 

account belongs. If the User does not belong to an Organizational 

Unit (ODBC Database only), the search will look for Digipass that 

also do not belong to an Organizational Unit. 

Yes The search will start in the User account's Organizational Unit, but if 

necessary it will then move upwards through the Organizational Unit 

hierarchy until it reaches the top. At the top, in the case of Active 

Directory, the Digipass-Pool container will be searched instead of the 

Domain Root. See the Location of Digipass Records topic in the 

Product Guide for more information. 

Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Application Names that are permitted. 

Application Type The Policy can restrict which Digipass Application Type (eg. Response Only, 

Challenge/Response) may be used when it is effective. 

Options: 


No Restriction Digipass Application Type is not restricted. 

Response Only Only Digipass Applications of Type RO (Response Only) may be 

used. 

Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) may be 

used. 

Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Digipass Types that are permitted. 

Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during logins 

to which the current Policy applies. Normally this setting is enabled, but it can be used to 

prevent PIN changes if required. 

1-Step 

Challenge/Response – 

Permitted 

Controls whether 1-step Challenge/Response logins will be enabled for the current Policy 

and, if so, where the challenge should originate. 

Note that 1-step Challenge/Response is not applicable in a RADIUS environment. 

Options: 

Default 

No 1-step Challenge/Response may not be used. 

Yes – Server 

Challenge 

1-step Challenge/Response may be used provided that the 

authentication server that verifies the response generated the 

challenge. 

Yes – Any Challenge 1-step Challenge/Response may be used with any random challenge. 

1-Step Specifies the length of the challenge (excluding a check digit) which should be generated for 



Field Name in 


Interfaces 


Challenge Length 

1-Step 


Add Check Digit 

2-Step 


Request Method 

2-Step 


Request Keyword 

Primary Virtual Digipass 

– Request Method 

Primary Virtual Digipass 

– Request Keyword 

Backup Virtual Digipass 

– Enable Backup VDP 

1-step Challenge/Response logins. 

Description 

A check digit may be added to the generated challenge. This allows the Digipass to more 

quickly identify invalid Challenges. 

The method by which a User has to request a 2-step Challenge/Response login. 

This is the only mode of Challenge/Response available in a RADIUS environment. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Challenge/Response-capable Digipass assigned. 

Options: 


None Do not use 2-step Challenge/Response. 

Keyword Use the Request Keyword. This is permitted to be blank. 

Password Use the static password. 

KeywordPassword Use the Request Keyword followed by the static password. No 

separator characters or whitespace should be between them. 

PasswordKeyword Use the static password followed by the Request Keyword. No 


Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, 

if a method using a Keyword is selected in the Request Method. 

This is permitted to be blank. 

The method by which a User has to request a Primary Virtual Digipass login. 


User does not have a Primary Virtual Digipass assigned. 

Options: 


None Do not use Primary Virtual Digipass. 







Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. This is permitted to be blank. 

Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy 

is effective. Note that in order for the Backup Virtual Digipass feature to function, it must 

also be activated in the DPX file for the Digipass. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Time Limit is not applicable when using this option, but the 

Max. Uses/User limit is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Time Limit and the Max. Uses/User limit will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. 

The Time Limit is not applicable when using this option, but the 



Field Name in 


Interfaces 


– Time Limit 


– Max. Uses/User 


– Request Method 


– Request Keyword 

Identification Time 

Window 

Description 

Max. Uses/User limit is. 

When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting 

indicates the number of days for which the Backup Virtual Digipass feature may be used by 

a User, once they start using it. 

The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP, using the 

Time Limit defined in the Policy. Once this date has expired, it requires administrator 

intervention either to extend it or to reset it to blank for the next time that the User needs 

to use Backup Virtual Digipass. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The maximum number of uses of the Backup Virtual Digipass feature permitted for each 

User, if they do not have a specific limit set for them. 

If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and 

there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP. 

Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The method by which a User has to request a Backup Virtual Digipass login. 


User does not have a Digipass assigned that is activated for the Backup Virtual Digipass 

feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use. 

Options: 


None Do not use Backup Virtual Digipass. 







Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. This is permitted to be blank. 

Controls the maximum number of time steps' variation allowable between a Digipass and 

the authentication server during login. This only applies to time-based Response Only and 

Challenge/Response Applications. 

The Dynamic Time Window option may be used to allow more variation according to the 

length of time since the last successful login. 

If this setting is not specified at all, there is an inbuilt default value of 20. 

Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and 

the authentication server during Digital Signature verification. This only applies to timebased 

Signature Applications. 


Signature Applications are not currently used in RADIUS environments. 

Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the 

authentication server, the first time that the Digipass is used. The time is specified in hours. 

This Initial Time Window is also used directly after a Reset Application operation, which 

can be used if it appears that the internal clock in the Digipass has drifted too much since 

the last successful login. 

This only applies to time-based Applications. 



Field Name in 


Interfaces 

Description 

In either case, after the first successful login, the Initial Time Window is no longer active. 


Event Window Controls the maximum number of events' variation allowable between a Digipass and the 

authentication server during login that uses an event-based Application. 


Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the 

Digipass Application is locked from future authentication attempts. 

This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a login, either 

because the User only has one Digipass with one Application, or because the Policy 

restrictions narrow the list down to one Digipass Application. If Policy restrictions are used 

in this way, the Identification Threshold can be used to lock a User out of one kind of login 

(eg. a VPN) while still permitting them to use another kind (eg. Wireless). 

If this setting is not specified at all, this feature is not used. 

Signature Threshold Specifies the number of consecutive failed Digital Signature authentication attempts allowed 

before the Digipass Application is set to be locked from future authentication attempts. 



Max. Days Since Last 

Use 

This setting specifies the maximum number of days for which a Digipass Application can go 

unused for authentication. After this limit, authentication will be rejected until an 

admnistrator performs a Reset Application operation. 


Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication. 

The value 1 should be used for standard RADIUS challenge/response. This is the inbuilt 

default value if the setting is not specified at all. 

0 No check is made. This is necessary for 1-step 

Challenge/Response. 

1 The challenge presented for verification must be the last one that 

was generated specifically for that Digipass. This is the normal mode 

of operation in 2-step Challenge/Response. 

2 The challenge presented for verification is ignored; the last one that 

was generated specifically for that Digipass is used. This is rarely 

applicable. 

3 Only one verification is permitted per time step. This option only 

applies to time-based Challenge/Response. This is a method of 

avoiding a potential replay of a captured response if the same 

challenge comes up again in the same time step. 

4 If the same challenge and response are presented for verification 

twice in a row during the same time step, they are rejected. This is 

an advanced method of avoiding a potential replay of a capture 

challenge/response. 

Online Signature Level This setting is for advanced control of Digital Signature authentication, and is not applicable 

currently. 




7.6 Component Property Sheet 

Note 

Changes to Component settings will not take effect immediately. They will take 

effect when the Authentication Server is restarted, once the Component change 

is available to the Authentication Server in the data store. Alternatively, if there 

is no restart, the cache of Component settings will refresh from the data store 

after approximately every 15 minutes. 

Table 35: Component Fields 

Field Name in 


Interfaces 

Description 

Component Type The type of Component represented by the record. 

Options: 


RADIUS Client 

Citrix Web Interface 

Outlook Web Access 

IAS Plug-In 

SBR Plug-In 

Administration Interface 

IIS Module 2.x 

Location The IP address or name of the machine represented by the record. For a Plug-In, it must be 

the licensed IP address; for a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier 

values sent in the RADIUS requests. 

A RADIUS Client of Location default can be used to accept RADIUS requests from all IP 

addresses, using the same Shared Secret. However, where a RADIUS Client record with the 

exact Location exists, its Shared Secret will be used in preference to the default RADIUS 

Client's Shared Secret. 

Policy The name of the Policy that should be used for authentication requests from the Component. 

Shared Secret The RADIUS Shared Secret for the Component. 

Created On The date and time that the Component was created. Read-only. 

Last Modified On The date and time that the Component was last modified. Read-only. 



7.7 Back-End Server Property Sheet 

Note 

If Active Directory is used as the data store: Changes to Back-End Server 

settings will not take effect immediately. They will take effect when the 

Authentication Server is restarted, once the Back-End Server change is 

available to the Authentication Server in the data store. Alternatively, if there is 

no restart, the cache of Back-End Server settings will refresh from the data 

store after approximately every 15 minutes. 

Table 36: Back-End Server Fields 

Field Name in 


Interfaces 

Protocol Back-End Authentication Protocol. 

Options: 

RADIUS 

Description 

Domain This field provides the ability to assign particular Back-End Servers to a given Domain. 

Priority The priority in the case that there are multiple Back-End Servers. The highest priority 

server is tried first, then the next highest, etc. 

Authentication IP IP Address on which the RADIUS Server receives authentication requests. 

Authentication Port UDP Port on which the RADIUS Server receives authentication requests. 

Accounting IP IP Address on which the RADIUS Server receives accounting requests. 

Accounting Port UDP Port on which the RADIUS Server receives accounting requests. 

Shared Secret Shared secret between VACMAN Middleware and the RADIUS Server. 

Confirm Shared Secret Allows confirmation of a new shared secret. 

Timeout Number of seconds to wait for a response from the RADIUS Server before either 

retrying or trying another RADIUS Server. 

No. of Retries Number of times to retry if no response is received from the RADIUS Server. 

Created On Date/time of creation. 

Last Modified On Date/time of last modification. 



7.8 Domain Property Sheet 

This property sheet is required if the data store used by the Authentication Server is an ODBC 

or embedded database. 

Note 

If you have multiple Domains and use the simple user@domain format to log in 

(NOT Windows User Name Resolution), Domain names are cached in the 

Authentication Server to avoid repeated database lookups. 

Therefore, creation and deletion of Domains will not take effect immediately for 

this purpose. They will take effect when the Authentication Server is restarted, 

once the Domain change is available to the Authentication Server in the data 

store. Alternatively, if there is no restart, the cache of Domain settings will 

refresh from the data store after approximately every 15 minutes. 

Table 37: Domain Fields 

Field Name in 


Interface 

Description Any descriptive text and notes. 

Description 

Created On The date and time that the record was created. Read-only. 

Last Modified On The date and time that the record was last modified. Read-only. 

7.9 Organizational Unit Property Sheet 

This property sheet is required if the data store used by the Authentication Server is an ODBC 

database. 

Table 38: Organizational Unit Fields 

Field Name in 


Interface 

Description 

Domain The domain to which the Organizational Unit belongs. 

Read-only after creation. 

Description A short description for the Organizational Unit. 

Inherits from 

Organizational Unit 

The parent Organizational Unit. 

This is used to define a hierarchy of Organizational Units. 

Read-only after creation. 

Created On The date and time that the record was created. 

Read-only. 

Last Modified On The date and time that the record was last modified. 

Read-only. 



7.10 Data Changes Requiring a Restart 

7.10.1 Changes to the Data Store 

7.10.1.1 ODBC or Embedded Database 

If the data store used by the Authentication Server is an ODBC or embedded database, no 

data changes made in the Administration MMC Interface or Digipass TCL Command-Line 

Administration require a restart of the Authentication Server to take effect straight away. As 

this administration is carried out through the Authentication Server, the Authentication Server 

can immediately update any cached data. 

In addition, when multiple Authentication Servers are replicating database changes to each 

other, they update their cached data when changes are replicated. 

modifications listed in the Cached Data List topic below will not take effect until the 

Authentication Server is restarted, or until the caches re-load the data automatically 

Multiple Authentication Servers are sharing a database. In this case, only the 

Authentication Server with which the data change is made will update its caches. 

Direct modifications to the database, for example with an SQL tool or using the VASCO 

Data Migration Tool. 

Note that direct modifications to the database are not replicated to any other Authentication 

Servers – the same modifications must be made to each Authentication Server's database (or 

the whole database re-copied). 

Where multiple Authentication Servers are in use, with multiple databases, user-configured 

synchronization between the databases must be considered. A Authentication Server will not 

know about a data change made in another Authentication Server's database until that change 

has been copied to its own database. 

Example 

Authentication Server 1 is using Database 1 (Db1); 

Authentication Server 2 is using Database 2 (Db2); 

A data change is made on Db1, via the Administration MMC Interface. 

Authentication Server 1 will see the change as soon as it is restarted; 

Authentication Server 2 will see the change at the first restart after database synchronization 

has transferred the change to Db2. 

7.10.1.2 Active Directory 

If the data store is Active Directory, all modifications listed in the Cached Data List topic 

below will not take effect until the Authentication Server is restarted, or until the caches reload 

the data automatically. 

In addition, it is necessary for Active Directory replication to make the modification available to 

the Authentication Server, if there is more than one Domain Controller used by the 

Authentication Servers. For example: 



Example 

Authentication Server 1 is connected to Domain Controller 1 (DC1); 

Authentication Server 2 is connected to Domain Controller 2 (DC2); 

A data change is made on DC1; 

Authentication Server 1 will see the change as soon as it is restarted; 

Authentication Server 2 will see the change at the first restart after Active Directory 

replication has transferred the change to DC2. 

You must also remember that when the Authentication Server starts up, it tries to locate an 

available Domain Controller, and may not choose the same one again. In the above example, if 

both Domain Controllers are local to Authentication Server 2, DC1 may be chosen by 

Authentication Server 2 when it is restarted. 

Wider issues related to Active Directory replication are explained in 2.4 Active Directory 

Replication Issues. 

7.10.1.3 Automatic Re-Loading of Cached Data 

In the Authentication Server, all cached data is periodically re-loaded from the data store. This 

time period, around 15 minutes, is tracked for each entry separately. Therefore, even without 

a restart, data changes will typically take effect within a matter of minutes (unless Active 

Directory replication slows the process down). 

7.10.1.4 Cached Data List 

The following data modifications relate to cached data: 

Creation, editing and deletion of Policy records 

Creation, editing and deletion of Component records 

Creation, editing and deletion of Back-End Server records 

For ODBC and embedded databases: Creation, editing and deletion of Domain records 

For Active Directory: Digipass Application updates resulting from OTP verification, PIN 

changes and certain administrative actions such as resetting the PIN – see 2.4.4.1 

Digipass Cache for more information on the Digipass Cache. 

7.10.2 Changes to Configuration Settings 

Configuration settings are modified using the Authentication Server Configuration GUI, or 

can be modified directly in the XML file (see 11 Configuration Settings). 

All configuration 

settings require a restart. The Authentication Server Configuration GUI automatically 

prompts to restart the Service upon exiting. However if you modify the file directly, you will 

need to restart the Digipass Authentication Server Service using the Windows Service Control 

Manager. 

Each Authentication Server has separate configuration settings. Changes to settings for one 

Authentication Server will not be automatically applied to other Authentication Servers. 



Advanced Settings for ODBC and embedded databases 

The settings edited using Configure Advanced Settings on the ODBC 

Connection tab are not replicated to other Authentication Servers. Normally 

these settings should be the same on all Authentication Servers, so you need 

to make sure they are applied to each one. 

As they are stored in the database itself, if you copy a database from one 

Authentication Server to another, these settings will be copied also. 


VACMAN Middleware Administrator Reference Licensing 

8 Licensing 

8.1 How is Licensing Handled? 

VASCO products are licensed per Component record in the data store. The licensing relies upon 

a License Key which is checked when the Authentication Server starts. This License Key is tied 

to the location (IP address) where the Authentication Server is installed, and stored in the 

Component record for the Authentication Server. 

The Authentication Server will not authenticate a user without a correct License Key, except to 

permit administration. 

Client modules – such as the IIS 6 Module for Citrix Web Interface – also require a License Key 

to be loaded into their Component record. The Authentication Servers to which they connect 

will otherwise reject all authentication requests from them. 

License Keys may contain a limit to the number of Digipass that may be used. This limit is 

controlled by preventing the import of Digipass if it would exceed the limit in the License Key. 

In addition, a Digipass-limited License Key will not permit Active Directory to be used as the 

Authentication Server data store. 

Evaluation Licenses 

An evaluation license means that you can use its full functionality until the evaluation period 

runs out. At the end of this period, you will need to either uninstall the product or buy a 

permanent license. Contact your distributor or the appropriate VASCO Reseller representative 

to acquire the licences you will need. For your convenience, the evaluation serial number is 

embedded in the installation program. You will still need to obtain and load a license key. 

Client module licenses can also be evaluation (time-limited) licenses. 



8.2 Licensing Parameters 

Table 39: License Parameters for VACMAN Middleware 

Parameter Value 

Product The name of the VASCO product, eg. VACMAN Middleware. 

Component The type of Component licensed, eg. Authentication Server. 

Version Current version number of the licensed VASCO product. 

Location The IP address for the machine represented by the Component record. 

Company The name of your company. 

Username Your name. 

SerialNo The serial number for the VASCO product. 

DPLimit The maximum number of Digipass that may be imported. This parameter may or may not be 

present. If this parameter is present, you cannot use Active Directory as a data store. 

Generated The date and time that the license file was generated. 

Expires Used for evaluation license only – expiry date. 

Signature Encrypted combination of the above parameters. 

8.2.1 Sample License File 

----- VASCO PRODUCT LICENCE ----- 

Product=VACMAN Middleware 

Component=Authentication Server 

Version=1.0 

Expires=2005/06/19 02:40:32 GMT 

Location=test.vasco.com 

Company=VASCO Data Security 

Username=Mr Demo User 

SerialNo=0A2B4C6D8E 

Generated=2005/05/20 02:40:32 GMT 

----- SIGNATURE ----- 

3:302C02147A487891E0745D 

6866E0Af8DDB7D6AF092BFCD 

27021474601702DbFCE5B500 

D76354022F0489DB159B62 

----- END LICENCE ----- 

8.3 View License Information 

To view the license information for a specific Component: 


2. Click on the Components node. 

The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 

4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 



8.4 Obtain and Load a License Key 

Note 

An active internet connection is required to obtain a License Key. 



The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 


The License Key Details window will be displayed. 

5. Click on the Request License Key... button. 

A browser window will be opened, with the VASCO Licensing site loaded. Any required 

information which the Authentication Server has will be entered as the site is loaded. 

6. Enter any other required information in the browser window. 

7. Click on the Request License Key button in the browser window. 

A download of your license key file should begin. Keep note of where you save the 

file, and its name. 

8. Once the download is complete, go back to the Administration MMC Interface and the 

License Key Details window. 

9. Click on the Load License Key... button. 

10. Browse to the download location and select the license key file. 

11. Click on Open. 

A message window will display the success or failure of loading the license key into the 

data store. 



8.5 Change IP Address 

Before you start, find your VASCO product Maintenance ID and Serial Number. Check with 

your supplier that your Serial Number will be allowed to license a new IP address. 

Note - ODBC Databases 

This process assumes that you have not yet changed the IP address of the 

machine. The IP address should be changed during the steps below. If you 

have already changed the IP address, see 8.5.1 IP Address Already 

Changed. 

To change the Authentication Server IP address: 

1. In the Administration MMC Interface, view the list of Component records. 

2. Note down the Policy shown for the Authentication Server Component record for the 

previous IP address. 

3. Create a new Authentication Server Component record, using the new IP address as the 

Location. Make sure the same Policy that was noted in the previous step is selected 

in the new Component record. 

4. Right-click on the new Component record and select the License Key Details... option. 

5. Click on the Request License Key button. This will take you to the VASCO licensing 

web page. Fill in the required information and download a License Key file. 

6. Click on the Load License Key button and load the License Key from the file that was 

just downloaded. 

7. Exit the Administration MMC Interface. 

8. Change the IP address of the machine and perform any other administrative actions 

required such as restarting the machine and reconfiguring other applications. 

9. Open Authentication Server Configuration and modify the Component Location 

field on the first tab to the new IP address. 

10. Click OK to save the change and exit. You will be prompted to restart the Service – 

click Yes. 

11. View the startup audit messages to see that there were no problems starting up. 

12. The following steps are only necessary for an ODBC or embedded database: 

a. In the Administration MMC Interface, right-click on the Authentication Server 

node in the tree pane for the machine that has changed IP address. Right-click on 

the same node and select Properties. 

b. Modify the Server IP Address to the new IP address. If the Connect from IP 

Address has the old IP address in it, change that to the new IP address also. Click 

OK to save the changes. 

c. Exit the Administration MMC Interface. If you are prompted whether to save 

console settings, make sure that you click Yes. 

13. If the Audit Viewer is on the machine: 

a. Open the Audit Viewer and expand the Authentication Server node in the tree 

pane. 



b. Right-click on the Local Server node and select Properties. Modify the Server 

Location to the new IP address. 

c. Click OK to save the change and exit the Audit Viewer. 

14. Reconfigure the authentication clients (RADIUS Clients and/or IIS Modules) to use the 

new IP address. 

15. Test that authentication works with the new IP address and Component record. 

16. Once everything is working, delete the old Component record. 

17. For an ODBC or embedded database, if Digipass TCL Command-Line 

Administration is used on the machine: 

a. Edit the configuration file \Bin\dpadmincmd.xml in a text editor. 

b. Modify the VASCO -> AAL3 -> SEAL -> Connection-List -> Connection00 

->Address entry to the new IP address. 

c. If the VASCO -> AAL3 -> SEAL -> Local-Address entry contains the old IP 

address, modify it to the new IP address. 

d. Save the file and exit the editor. 

18. If any other Authentication Servers are set up to replicate data changes to this 

Authentication Server, modify their configuration as follows. For each Authentication 

Server: 

a. Open Authentication Server Configuration and change to the Replication tab. 

b. Click on the row in the Destination Servers list that corresponds to the server 

that has changed IP address. Click the Edit... button. 

c. Modify the Server Location to the new IP address and click OK. 

d. Click OK to save the change and exit. You will be prompted to restart the Service – 

click Yes. 

19. For an ODBC or embedded database, if the Administration MMC Interface or 

Digipass TCL Command-Line Administration on any other machine is configured 

to connect to the Authentication Server that has changed IP address, follow the same 

process that was carried out on the Authentication Server machine to re-configure the 

IP address. 

20. If the Audit Viewer on any other machine is configured to connect to the 

Authentication Server that has changed IP address, follow the same process that was 

carried out on the Authentication Server machine to re-configure the IP address. 

8.5.1 IP Address Already Changed 

If VACMAN Middleware is using an ODBC database (including the embedded PostgreSQL 

database) and you changed IP before following the procedure above, follow these steps 

instead: 

Note 

See 3.8.5 Rescue Authentication Server Component for more information 

on using the dpdbadmin rescueserver command. 


cd \bin 



2. Type: 

dpdbadmin rescueserver -location “” -policy "” 

3. If a Component record of type Authentication Server and the entered IP address does 

not already exist, you will be prompted to create the Component record. Enter Y to 

create the record, or N to exit. 

4. If a Policy with the entered Policy ID does not currently exist, you will be prompted to 

create it. Enter Y to create the record, or N to exit. 

5. Enter N to exit, as restarting the Digipass Authentication Server service now will fail. 

6. Open Authentication Server Configuration and modify the Component Location 

field on the first tab to the new IP address. 

7. Click OK to save the change and exit. You will be prompted to restart the Service – 

click Yes. 

8. View the startup audit messages to see that there were no problems starting up. 


10. In the Administration MMC Interface, right-click on the Authentication Server node 

in the tree pane for the machine that has changed IP address. Right-click on the same 

node and select Properties. 

11. Modify the Server IP Address to the new IP address. If the Connect from IP 

Address has the old IP address in it, change that to the new IP address also. Click OK 

to save the changes. 

12. View the list of Component records. 

13. If you need to change the Policy for the new Authentication Server Component 

created by the rescueserver command: 

a. Note down the Policy shown for the old Authentication Server Component record 

for the previous IP address. 

14. Double-click on the new Authentication Server Component record. 

15. If needed, modify the Policy to the one used by the old Authentication Server 

Component. 


17. Click on the Request License Key button. This will take you to the VASCO licensing 

web page. Fill in the required information and download a License Key file. 

18. Click on the Load License Key button and load the License Key from the file that was 

just downloaded. 

19. If you created an emergency administration Policy, it is recommended that you delete 

it now. 

20. Exit the Administration MMC Interface. 

21. If the Audit Viewer is on the machine: 

a. Open the Audit Viewer and expand the Authentication Server node in the tree 

pane. 

b. Right-click on the Local Server node and select Properties. Modify the Server 

Location to the new IP address. 

c. Click OK to save the change and exit the Audit Viewer. 

22. Reconfigure the authentication clients (RADIUS Clients and/or IIS Modules) to use the 



new IP address. 

23. Test that authentication works with the new IP address and Component record. 

24. Once everything is working, delete the old Component record. 

25. For an ODBC or embedded database, if Digipass TCL Command-Line 

Administration is used on the machine: 

a. Edit the configuration file \Bin\dpadmincmd.xml in a text editor. 

b. Modify the VASCO -> AAL3 -> SEAL -> Connection-List -> Connection00 

->Address entry to the new IP address. 

c. If the VASCO -> AAL3 -> SEAL -> Local-Address entry contains the old IP 

address, modify it to the new IP address. 

d. Save the file and exit the editor. 

26. If any other Authentication Servers are set up to replicate data changes to this 

Authentication Server, modify their configuration as follows. For each Authentication 

Server: 

a. Open Authentication Server Configuration and change to the Replication tab. 

b. Click on the row in the Destination Servers list that corresponds to the server 

that has changed IP address. Click the Edit... button. 

c. Modify the Server Location to the new IP address and click OK. 

d. Click OK to save the change and exit. You will be prompted to restart the Service – 

click Yes. 

27. For an ODBC or embedded database, if the Administration MMC Interface or 

Digipass TCL Command-Line Administration on any other machine is configured 

to connect to the Authentication Server that has changed IP address, follow the same 

process that was carried out on the Authentication Server machine to re-configure the 

IP address. 

28. If the Audit Viewer on any other machine is configured to connect to the 

Authentication Server that has changed IP address, follow the same process that was 

carried out on the Authentication Server machine to re-configure the IP address. 


VACMAN Middleware Administrator Reference Web Sites 

9 Web Sites 

9.1 Customizing the Web Sites 

The User Self Management Web Site and OTP Request Site can be customized by modifying 

the pages provided with the installation. You may wish to: 

change the colors and graphics to match your corporate colors/logos. 

integrate the pages into a larger web site. 

translate or customize the text 

Any cosmetic part of the web pages may be modified. Completely new web pages may be 

used, provided that the correct form fields are posted to the CGI program, and query string 

variables are interpreted correctly. Server scripting languages such as PHP or ASP, or any 

other way of generating HTML, can be used. 

This section provides the instructions and reference material that you require to customize the 

site. It is assumed that the reader has some web development knowledge. 

9.2 CGI Program 

A single CGI script is used for both the User Self Management Web Site and the OTP Request 

Site. The functionality provided depends on the Site. 

For each function, the CGI program carries out the following actions: 

Read and validate the input. This input is gathered from: 

Configuration settings from the registry 

Form variables posted 

Send an authentication request to the Authentication Server (provided that there were 

no validation errors) and interpret the response. Requests are sent to the Server using 

the RADIUS protocol. A component identifier Self-Mgt Site will indicate in the Audit 

Console which audit messages relate to requests from the User Self-Management Web 

Site or OTP Request Site. 

(OTP Request Site only) Send a request to the Message Delivery Component to send an 

OTP to the User's mobile phone via text message. 

Output the HTML to direct the user to the page that will indicate success or failure, or 

display a challenge. This is achieved by returning the HTML for a basic ‘please wait’ page 

with a ‘meta-refresh’ instruction to go directly to the appropriate page. The meta-refresh 

will happen immediately, but on a slow link you may notice the intermediate page. 

The CGI program cannot be customized. Its behaviour is controlled by the configuration 

settings and the posted form variables. The configuration settings are listed below; the posted 

form variables are specified in the Customizing the Web Site section. 

9.2.1 Configuration Settings 

Various configuration settings are used by the CGI program to locate the server(s) and to 



enable tracing. These can be modified using the Start -> Programs -> VASCO -> VACMAN 

Middleware 3 -> User CGI Configuration menu option. 

The configuration settings are stored in the Windows Registry, at the path: 

HKEY_LOCAL_MACHINE\Software\VASCO\User CGI 

Table 40: Configuration Settings for CGI Program 

Name Type Value Default 

Trace-Mask Number 

(DWORD) 

Trace-Header Number 

(DWORD) 

Used to enable internal tracing levels. In general, just use these values: 0 

= no tracing 3FFFFFFF (hexadecimal) = full tracing 

Used to configure tracing. In general, leave with the default value. 47 

Trace-File String Full path and filename of output file for internal tracing. NB: the file will be 

created if it is missing, but not the directory. 

Source-IP- 

Address 

Server1-IP- 

Address 

Server1-Port Number 

(DWORD) 

Server1- 

Shared-Secret 

Server2-IP- 

Address 

Server2-Port Number 

(DWORD) 

Server2- 

Shared-Secret 

Timeout Number 

(DWORD) 

No-Of-Retries Number 

(DWORD) 

String Source IP address to bind to when sending API requests, if any (only 

required if there are multiple IP addresses on the machine).eg. 10.9.255.7 

0 

 

 

String IP address of primary server. eg. 10.2.255.45 127.0.0.1 

API port of primary server (in general, this should not be changed from the 

default). 

1812 

String Shared Secret for primary server. 

String IP address of backup server, or blank if there is no backup. 

API port of backup server (in general, this should not be changed from the 

default) 

1812 

String Shared Secret for backup server. 

Timeout waiting for each server to respond, in seconds. 5 

Number of times to retry each server when they time out. 0 

Protocol String The only protocol supported currently is RADIUS. RADIUS 



9.3 Form Fields 

9.3.1 User Self Management Web Site 

9.3.1.1 Registration – Main Pages 

User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all 

implemented using a single invocation of the CGI program. This permits them to be carried out 

either separately or in any combination. You can choose to separate them in your customized 

web site or keep them together as you prefer. 

If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static 

password and Serial Number into the main page without a Digipass Response. They will be 

directed to a challenge page, which is specified in the next topic, in which they should enter 

either a Response to the challenge or the OTP sent to their mobile phone. The following table 

applies only to the main page. 

The following posted form fields must be used on the main page, according to the particular 

function and other conditions specified below: 

Table 41: Form Fields for Main Registration Page 

Form Field Name Visible 

Label 

(Default) 

Value(s) Required? 

dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 

dpcgi_success_page Relative or absolute URL of web page to go to if the 

function is successful. 

dpcgi_fail_page Relative or absolute URL of web page to go to if the 

function fails. 

dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 

UR PS DA 

Y Y Y 

Y Y Y 

Y Y Y 

(4) (1) 

dpcgi_userid UserId UserID in the Authentication Server. Y Y Y 

dpcgi_password Password Static password. Y Y Y 

dpcgi_serialno Serial 

Number 

dpcgi_response Digipass 

Response 

Digipass serial number. Y 

Digipass response (without static PIN if there is one). (5) (2) 

dpcgi_newpin New PIN New static PIN (for Go 1/Go 3). (3) 

dpcgi_confirmpin Confirm New 

PIN 

Confirm the new static PIN. (3) 

dpcgi_usecombinedpwd “True” to send the password, serial number, response 

and PIN to the Authentication Server in one attribute. 

“False” to send the contents of the password field 

(1) If any users may self-assign a Challenge/Response Digipass, provide this form field. 

(2) If any users may self-assign a Response Only Digipass, provide this form field. 

(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the 



beginning of the response (eg. Go 1/Go 3), where the Digipass are initialized with no 

initial static PIN, they have to enter a new PIN the first time they use the Digipass. If they 

are self-assigning the Digipass, that means that they have to enter the new PIN and 

confirm it during the self-assignment process. They can do this by adding the new PIN 

twice at the end of the Digipass Response, however it may be more user-friendly to 

provide these two separate form fields. 

(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include 

this field. 

(5) If any users have a Response Only application, include this field. 



9.3.1.2 Registration – Challenge Page 

The Registration challenge page will be used for Digipass Challenge/Response or Virtual 

Digipass. The user enters their response to the challenge, to complete the registration process. 

The following posted form fields must be used on the challenge page: 

Table 42: Form Fields for Registration Challenge Page 

Form Field 

Name 

Visible 

Label 

(Default) 


dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 





dpcgi_userid UserId UserID in the Authentication Server. Y 

dpcgi_response Digipass 

Response 

Digipass response or Virtual Digipass OTP. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Note 

If you make dpcgi_challenge a visible form field, ensure that it is not 

modifiable. An alternative is to make it a hidden form field, while also 

displaying the challenge in HTML text rather than as a form field. 

© 2007 VASCO Data Security Inc. 111 

Y 

Y 

Y


9.3.1.3 PIN Change 

The PIN Change function is only applicable for Digipass Response Only where the Server PIN is 

entered at the start of the response (eg. Go 1/Go 3). 

The following posted form fields must be used on the PIN Change page: 

Table 43: Form Fields for Server PIN Change Page 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “changepin” for PIN Change. Y 






dpcgi_response Digipass Response Digipass response (without static PIN if there is one). Y 

dpcgi_currentpin Current PIN Current static PIN to be changed. (6) 

dpcgi_newpin New PIN New static PIN. Y 

dpcgi_confirmpin Confirm New PIN Confirm the new static PIN. Y 

(6) If the Digipass has had its Server PIN reset by the administrator, because the user has 

forgotten it, there is no current Server PIN to enter here. In all other cases, the current 

Server PIN must be provided to permit the PIN change. 


Y 

Y


9.3.1.4 Login Test – Main Page 

If a Challenge/Response application or Primary Virtual Digipass is used, the user will enter just 

their UserId (and maybe password) into the main page without a Digipass Response. If using 

the Backup Virtual Digipass, they will need to enter the trigger specified in server settings 

(password and/or a Keyword) into the password field. 

They will be directed to a challenge page, specified in the next topic. The following table 

applies only to the main page. 

The following posted form fields must be used on the main page: 

Table 44: Form Fields for Main Login Test Page 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 


dpcgi_response Digipass Response Digipass response (with static PIN if there is one). (8) 

(7) If any users have a Challenge/Response Digipass, a Primary Digipass or use the Backup 

Virtual Digipass feature, provide this form field. 

(8) If any users have a Response Only Digipass, provide this form field. 


Y 

Y 

(7)


9.3.1.5 Login Test – Challenge Page 

The user enters their response to the challenge or the OTP sent to their mobile phone to 

complete the login test. 

The following posted form fields must be used on the challenge page: 

Table 45: Form Fields for Login Test Challenge Page 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_userid UserID User ID in the Authentication Server. Y 

dpcgi_response Digipass Response Digipass response. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Note 

If you make dpcgi_challenge a visible form field, make sure that it is not 

modifiable. An alternative is to make it a hidden form field, while also 

displaying the challenge in HTML text rather than as a form field. 

9.3.2 OTP Request Site 

9.3.2.1 Request Page 

The request page must contain the following fields: 

Table 46: Form Fields for OTP Request Page 

Name Type 

Username text Visible 

Password Password Visible 

dpcgi_operation “VDPrequest” Hidden 

dpcgi_vdp_success_page Name of “OTP was sent” Page Hidden 

dpcgi_vdp_fail_page Name of “OTP not sent” Page Hidden 

dpcgi_vdp_wrongtoken_page Name of “Not a Virtual Digipass” Page Hidden 


Y 

Y


9.4 Query String Variables 

The query string variables that are passed to the web pages by the CGI program are mainly 

concerned with status and error reporting. There is also a variable that is used to pass a 

challenge to the pages that display one. 

9.4.1 Failure/Error Handling 

There are three main groups of failures that can occur, which should be handled in a different 

manner. In all cases there is a numeric error code, however in some cases there is an auxiliary 

code and message such as the return code and message from the VACMAN Controller. The 

main error codes will be assigned in three separate ranges, so that the web pages can identify 

which category of error is returned. 

API return codes – these are returned by the VASCO API used to make the 

authentication request to the Server. In some cases there will be an auxiliary code and 

message. 

CGI errors – these errors are detected by the CGI program, mainly when the web pages 

are not providing or enforcing the posted form fields correctly. These will not generally 

have an auxiliary code and message, but it is possible. 

Internal errors – these are technical errors that ‘should not occur’. In some cases there 

will be an auxiliary code and message. 

The intention of using this code-based scheme is to allow translation and customization of the 

messages. The main error code will be translated into a message by the web pages 

themselves. The pages can also translate the auxiliary code into a message, for the VACMAN 

Controller codes, but normally, the pages would not know how to translate it into a message, 

and should display the auxiliary message as provided. 



9.4.2 Query String Variable List 

The following table indicates which variables are used for the User Self Management Web Site 

and OTP Request Site, and the required conditions: 

Table 47: Query String Variable List 

Variable Value Condition Used by Site 

result 0 Successful authentication request Both 

Unsuccessful authentication request Both 

CGI or internal error occurred Both 

challenge Challenge returned by API User Self 

Management Web 

Site only 

serialNo Successful Auto- or Self-Assignment User Self 

Management Web 

Site only 

auxcode 

 

auxmsg 

 

Examples: 

success: /vmsite/success.html?result=0 

Unsuccessful authentication request due to 

Controller rejecting password 

CGI or internal error occurred, where another 

error code is relevant 

Unsuccessful authentication request due to 

Controller rejecting password 

CGI or internal error occurred, where an error 

message is relevant 

invalid Digipass response due to code replay: 

/vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt 

challenge: /vmsite/challenge.html?challenge=738453 


Both 

Both 

Both 

Both


9.4.3 Return Code Listing 

In the following tables, the Message is the one that is provided by the standard web pages that 

we install. 

9.4.3.1 API Return Codes 

The following codes are the ones that in normal cases might be returned: 

Table 48: API Return Codes 

Code Message Auxiliary 

Code/ 

Message? 

Notes 

-1 Error during request to Server N We are unable to distinguish the error from the 

client side of the API – the administrator would 

have to look at the Audit Console. 

9.4.3.2 CGI Errors 

Table 49: CGI Error Return Codes 


Code/ 

Message? 

-100 Only the POST method is permitted N 

-101 No dpcgi_operation was posted N 

-102 An invalid dpcgi_operation was posted N 

-103 dpcgi_challenge_page cannot be used for this operation N 

-104 dpcgi_password cannot be used for this operation N 

-105 dpcgi_serialno cannot be used for this operation N 

-106 dpcgi_currentpin cannot be used for this operation N 

-107 dpcgi_newpin cannot be used for this operation N 

-108 dpcgi_confirmpin cannot be used for this operation N 

-109 dpcgi_challenge cannot be used for this operation N 

-110 dpcgi_success_page must be entered for this operation N 

-111 dpcgi_fail_page must be entered for this operation N 

-112 dpcgi_userid must be entered for this operation N 

-113 dpcgi_password must be entered for this operation N 

-114 dpcgi_response must be entered for this operation N 

-115 dpcgi_newpin must be entered for this operation N 

-116 dpcgi_confirmpin must be entered for this operation N 

-117 A Digipass Response is required to assign a Digipass N 

-118 A New PIN can only be set when assigning a Digipass N 

-119 Enter the new PIN in the New PIN and Confirm New PIN fields N 

-120 The New PIN and Confirm New PIN fields have different values N 

-121 A challenge was returned, but there is no dpcgi_challenge_page N 

-122 Unknown parameter N 

-123 The Content-Length passed in was invalid N 




Code/ 

Message? 

-124 dpcgi_serialno must be entered for this operation N 

-131 Wrong token page is forbidden N 

9.4.3.3 Internal Errors 

Table 50: Internal Error Codes 


Code/ 

Message? 

-1000 Cannot read Trace-Mask configuration setting Y 

-1001 Cannot read Trace-File configuration setting Y 

-1002 Cannot open Trace-File Y 

-1003 Cannot read Source-IP-Address configuration setting Y 

-1004 Cannot read Server1-IP-Address configuration setting Y 

-1005 Cannot read Server1-Port configuration setting Y 

-1006 Cannot read Server2-IP-Address configuration setting Y 

-1007 Cannot read Server2-Port configuration setting Y 

-1008 Invalid configuration setting Source-IP-Address Y 

-1009 Invalid configuration setting Server1-IP-Address Y 

-1010 Invalid configuration setting Server1-Port Y 

-1011 Invalid configuration setting Server2-IP-Address Y 

-1012 Invalid configuration setting Server2-Port Y 

-1014 Cannot read HTTP request data N 

-1015 Request to Server not completed Y 

-1016 Cannot read Self-Management Site registry key Y 

-1017 The specified Source-IP-Address is not on this machine N 

-1018 Cannot read Trace-Header configuration setting Y 

-1019 Invalid configuration setting Trace-Header Y 

-1020 The Trace file name must not contains quotes ' or ". N 

-1021 No File found in the trace file N 

-1030 Error reading Server 1 Secret - return code was N 

-1031 Error reading Server 2 Secret - return code was N 

-1032 Error reading No of Retries - return code was N 

-1033 Error reading Timeout - return code was N 

-1034 Error writing Protocol - return code was N 

-1040 The Shared Secret and Confirm Shared Secret do not match. N 


VACMAN Middleware Administrator Reference Login Options 

10 Login Options 

10.1 Login Permutations 

The information required to be entered during a login will vary according to the configuration 

settings of the relevant Policy, the login method, and any actions to be performed during the 

login. 

Login Methods 

The login methods specified are: 

Response Only 

Challenge/Response 

Virtual Digipass - Primary or Backup 

Login Actions 

A User may be allowed to do these things during a login: 

Set their Server PIN – on first use or after a PIN reset. 

Change their Server PIN. 

Inform the Authentication Server that their static password for the back-end 

authenticator – eg. Windows - has been modified. 

Perform a Self-Assignment for a Digipass in their possession. 

Login Variables 

The variables which a User may need to enter, in order to do one of the above functions are 

listed below. The code or word used to designate each variable in the following tables is 

included in brackets. 

One Time Password (OTP) 

Password (Password) 

Server PIN (PIN) 

Serial Number of their Digipass (Serial No) 

Serial Number Separator (Sep.) 

Request Keyword (Keyword) 

Policy Settings 

The Policy settings which will affect the variables required in logins are: 

Stored Password Proxy 

If this attribute is set to Enabled, each User's password must be kept up to date in the 

Authentication Server. This is typically achieved by enabling Password Autolearn. 


If the Authentication Server is informed of a User's password change, the new password 

will only be recorded by the Authentication Server if Password Autolearn is enabled in the 



relevant Policy. 

Serial Number Separator 

If a Serial Number Separator is specified, the User may enter their Digipass serial 

number exactly as it appears on the back of their Digipass (or in the documentation 

provided to the User), including dashes. If a Serial Number Separator is not specified, 

the Digipass serial number must be padded to 10 characters, with all non-numerical 

characters removed. 

Back-End Authentication 

In the following login permutations tables, 'Back-End Authentication Required' means 

that the Back-End Auth. attribute is set to Always or If Needed. 

Note 

Back-End Authentication is required for Self-Assignment and Password 

Autolearn logins. 

10.1.1 Response Only – PAP 

Table 51: Login Permutations - Response Only PAP (1) 

Server PIN 

Required 

No Server 

PIN 

Required 

Login Type Existing PIN? 

Serial Number 

Separator? 

Normal login Yes N/A PIN+OTP 

Password Field Contents 

Stored Password Proxy On 

OR 

No Back-End Authentication 1 

Set PIN No N/A OTP+NewPIN+NewPIN 

Change PIN Yes N/A PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 2 

Normal login N/A N/A OTP 

Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP 

Changed Password N/A N/A Password+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

No SerialNo+Password+OTP 

1 Back-End Authentication is required for Self-Assignment and Password Autolearn logins. 

2 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be 

padded to 10 characters with preceding zeroes. 



Table 52: Login Permutations - Response Only PAP (2) 

Server PIN 

Required 

No Server 

PIN 

Required 

Examples 

Login Type Existing PIN? 

Serial Number 

Separator? 

Normal login Yes N/A Password+PIN+OTP 


Stored Password Proxy Off 

AND 

Back-End Authentication Required 3 

Set PIN No N/A Password+OTP+NewPIN+NewPIN 

Change PIN Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 4 

Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP 

Normal login N/A N/A Password+OTP 

Changed Password N/A N/A Password+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

No SerialNo+Password+OTP 

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator 

set to '::'. 

3-179-0987::pA192ss086382012341234 

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number 

Separator set. 

0031790987PA192ss0863820 

10.1.2 Response Only – CHAP/MS-CHAP 

The table below assumes that Stored Password Proxy is enabled, or Backend Authentication is 

not in use. 

Table 53: Login Permutations - Response Only CHAP 

Login Type Server PIN 

Required? 

Normal login Yes PIN+OTP 

No OTP 







10.1.3 Challenge/Response 

Challenge/Response is supported with PAP only. 

Table 54: Login Permutations – Challenge/Response 

Login Type Serial Number 

Separator? 

Request 

Method 

2-Step Challenge/Response 

Stored 

Password 

Proxy Off 

AND 

Back-End 

Auth. 

Required 5 

Pre-Challenge Response 

Normal login N/A Keyword Yes Keyword Password+OTP 

Changed 

Password 

Self- 

Assignment 6 

No Keyword OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

N/A Keyword N/A Keyword Password+OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Yes N/A N/A SerialNo+Sep.+Password OTP 

No N/A N/A SerialNo+Password OTP 






10.1.4 Virtual Digipass 

The 2-step login is possible when using the RADIUS Access-Challenge mechanism or an IIS 

Module in form-based authentication mode. The Password is required in either the first or the 

second step, but not both. 

However, many RADIUS environments and web 'basic authentication' do not support the 2step 

login process. If the 2-step login process is not possible, two separate 1-step logins are 

required. The second login must include the Password as well as the OTP, but it is not 

necessary to provide the Password in the first login, if only a Keyword is used. 

When using the Virtual Digipass OTP Request web site, the 2-step login is not applicable. 

Table 55: Login Permutations – Virtual Digipass 

Login 

Type 

Normal 

login 

Changed 

Password 

Request 

Method 

2-step login 7 

Two 1-step logins 8 

Step 1 Step 2 Step 1 Step 2 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

7 2-step logins are compatible with PAP only 

8 Two 1-step logins may be used with any protocol compatible with VACMAN Middleware. 


VACMAN Middleware Administrator Reference Configuration Settings 

11 Configuration Settings 

11.1 Authentication Server 

A Graphical User Interface (GUI) is available for use in configuring the Authentication Server 

To open the Authentication Server Configuration GUI, click on the Start Button and select 

Programs -> VASCO -> VACMAN Middleware 3 -> Authentication Server 

Configuration. 

Note 

A restart of the Digipass Authentication Server service is required after any 

change to Authentication Server configuration settings. When exiting the 

Configuration GUI, you will be prompted to allow an automatic restart of the 

service. 

11.1.1 Set Component Location 

1. Enter the location of the Authentication Server Component which will be generating 

audit messages in the Component Location field. 

2. Enter the API port on which the Authentication Server will listen for connections. 

3. Click on Apply. 

11.1.2 Administration Connections 

The Administration MMC Interface connects to the Authentication Server to make changes to 

the data store. The Authentication Server can be configured to check that any Administration 

MMC Interface connecting to it has a Component record in the data store. 

1. Tick the Require administration client component registration checkbox. 

2. Click on Administration Session Settings. 

3. Enter the maximum number of concurrent administration settings to allow. 

4. Enter the maximum session time to allow (in seconds). 

5. Enter an idle timeout limit (in seconds). 



11.1.3 Library Path and Type 

The Library Path setting tells the Authentication Server where to find the data access (Active 

Directory or ODBC) library. This setting may not be edited in the Configuration GUI. 

11.1.4 RADIUS 

Enable the Authentication Server to use the RADIUS protocol in authentication requests. This 

allows the Authentication Server to pass on RADIUS attributes set by a RADIUS server. 

1. Tick the Enable RADIUS checkbox. 



2. Enter an Authentication Port. It is possible to listen on more than one port, by providing 

a comma-separated list, for example: 1812,1645 

3. Enter an Accounting Port. It is possible to listen on more than one port, by providing a 

comma-separated list, for example: 1813,1646 

11.1.5 Turn Tracing On or Off 

1. Select a Tracing option. 

2. To send tracing output to a text file, enter a path and filename for the tracing file into 

the File Name field. The file path entered must be the full absolute path. 

3. Click on the Apply button. 

Note 

If the File Name field is left blank or the file path does not exist, the 

Authentication Server will not output tracing. If the file does exist, tracing will 

be appended to the file. If the path is valid but the file does not exist, it will be 

created. 



11.1.6 Active Directory Connection 

To view Active Directory settings, open the configuration GUI and click on the Active 

Directory Connection tab. These settings will only be available if Active Directory was 

selected as the data store during installation of the VACMAN Middleware. 

11.1.6.1 Configuration Domain 

The configuration domain is the main Active Directory domain which the Authentication Server 

should use for User authentications, and the domain in which the Digipass Configuration 

Container is located. This domain will be set automatically during the VACMAN Middleware 

installation. 

To set the default domain: 

1. Click on the Edit... button next to the Configuration Domain field. 

The Domain window will be displayed. 

2. Enter the fully qualified domain name for the configuration domain into the Name field. 

3. If required, enter the name of the server in the domain to which the Authentication 

Server should connect, in the Preferred Server field. 

4. Tick the Preferred Server Only checkbox to limit the Authentication Server to 

connecting only to that server in the configuration domain. 

5. Enter the server port to use in making encrypted connections (SSL) to the configuration 

domain into the Encrypted Server Port field. 

6. Enter the server port to use in making unencrypted connections to the configuration 

domain into the Unencrypted Server Port field. 

7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the 

Authentication Server to Active Directory, or leave the checkbox unticked to leave the 

connection unencrypted. Note that SSL is not used when the Authentication Server is 

on a Domain Controller and connects to Active Directory using that. 

8. Enter the maximum amount of time (in minutes) that the Authentication Server should 

stay connected to a server before re-synching in the Max Bind Lifetime field. 



11.1.6.2 Domains List 

The Domains list contains the names of all other domains that the Authentication Server may 

need to use in User authentications. Note that this list is only needed if you wish to configure 

how the Authentication Server will connect to the other domains – if a domain is not in the list, 

it will still try to connect to it. 

Add a Domain 

To add a domain to the Domains List: 

1. Click on the Add... button. 

The Domain window will be displayed. 

2. Enter the fully qualified domain name for the domain into the Name field. 



3. If required, enter the name of the server in the domain to which the Authentication 

Server should connect, in the Preferred Server field. 

4. Tick the Preferred Server Only checkbox to limit the Authentication Server to 

connecting only to that server in the domain. 

5. Enter the server port to use in making encrypted connections (SSL) to the domain into 

the Encrypted Server Port field. 

6. Enter the server port to use in making unencrypted connections to the domain into the 

Unencrypted Server Port field. 

7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the 

Authentication Server to Active Directory, or leave the checkbox unticked to leave the 

connection unencrypted. 

8. Enter the maximum amount of time (in minutes) that the Authentication Server should 

stay connected to a server in the domain before re-synching in the Max Bind 

Lifetime field. 



Modify a domain record in the Domains List 

To modify information for a domain in the Domains List: 

1. Select the domain to be modified from the Domains List. 

2. Click on the Edit... button. 

3. Modify the required information. 



Delete a domain record from the Domains List 

To remove a domain record from the Domains List: 

1. Select the domain to be deleted from the Domains List. 

2. Click on the Delete button. 

3. The record will be deleted. 



11.1.7 ODBC Connection 

To view ODBC Database connection settings, open the Configuration GUI and click on the 

ODBC Connection tab. These settings will only be available if an ODBC database was 

selected as the data store during installation of VACMAN Middleware. 

11.1.7.1 Connect to an ODBC Database 

The database(s) used to store data required by VACMAN Middleware are listed in the ODBC 

Data Sources list on this tab. 

You may wish to add another database to this list if load-balancing or fail-over mechanisms 

need to be implemented. 

1. Click on the ODBC Connection tab. 


3. The Data Source window will be displayed. 

4. Enter a display name for the data source (this will be used in data source lists in the 

Configuration GUI). 

5. Enter the name (DSN) of the ODBC data source. 

6. Enter the User ID and password of a database administrator account with permissions 

to read, write, create and delete Digipass-related data. 

7. Click on the Test Connection button. 

If the information has been entered correctly, the test should be successful. 

8. Enter the minimum time the Authentication Server should wait to reconnect to this data 

source (in seconds). 

9. Enter the maximum time the Authentication Server should wait before retrying the 

connection. 

11.1.7.2 Connection Settings 

You may need to fine-tune database connection settings to increase performance of the 

database and the database driver in use, or if you are implementing load-balancing between 

two or more databases for the Authentication Server. 

1. Select a database from the list. 

2. Click on the Advanced Settings button. 

3. Enter the maximum number of concurrent connections which the Authentication Server 

should make to the database in the Max. Connections field. 

4. Enter the number of milliseconds for which the Authentication Server should wait while 

establishing a connection to the database. 

5. Enter the period (in minutes) before unused connections to the database should be 

closed by the Authentication Server in the Idle Timeout field. 

6. If you have multiple databases and want the Authentication Server to switch to another 

database if it has exceeded the connection limit or if the database becomes 

unavailable, tick the Enable Load Sharing checkbox. 




8. Normally, the same settings should be applied in each database for each Authentication 

Server. These settings are not replicated automatically to other databases. However, 

you may prefer to keep this configuration different, for example a more powerful 

database server can handle more concurrent database connections. 

11.1.7.3 User ID and Domain Conversion 

User ID and Domain Case 

The case in which the Authentication Server will save and retrieve User IDs and domain names 

will depend on: 

The capabilities and settings of the database used as the data store for the 

Authentication Server. Your database may require case sensitivity in queries, or may 

store all data in lower or upper case. 

Configuration settings for the Authentication Server. 

The Authentication Server may be configured to save and retrieve User IDs and domain names 

in: 

Lower case 

Upper case 

No conversion – data is saved or searched on exactly as entered. 

The default configuration setting for the Authentication Server when using an embedded 

database is Convert to Lower. When using another ODBC database, the default is No 

Conversion. 

Caution 

Before changing the configuration setting, you need to make sure that existing 

User IDs and Domain names will not be invalidated by the new setting, or that 

they are deleted before the setting is changed. For example, if the current 

setting is No Conversion and you change to Convert to Lower, a User ID 

“TestUser” would become invalid. This Digipass User account must be deleted 

before changing the Case Conversion setting. 

Typically, this setting should be changed shortly after installation, so you do 

not have to deal with a lot of existing Digipass User account and Domain 

records. 

If you want to move from Convert to Lower to Convert to Upper, or vice versa, 

it will be necessary to make the change in two steps, via No Conversion. While 

the setting is No Conversion, upper or lower case User IDs and Domains can 

be created and deleted as necessary. 

This is especially important for the Master Domain name. The default Master 

Domain “master” will become invalid if you change to Convert to Upper. 

Therefore, you will need to create a new Domain with an upper case name and 

make it the Master Domain, while the Case Conversion setting is No 

Conversion. See 11.1.7.4 Master Domain for instructions to change the 

Master Domain. 

To modify the Case Conversion setting for the Authentication Server: 





3. If you wish the Authentication Server to convert User IDs and domains to upper or 

lower case, select Convert to Upper or Convert to Lower from the Case drop down list. 

To leave User IDs and domains as they are entered, select No Conversion. 


5. The same setting must be applied in each database for each Authentication Server. This 

setting change is not replicated automatically to other databases. 

Windows User Name Resolution 

VACMAN Middleware can use Windows functions to identify User IDs as Windows User 

accounts. This may be required if Windows is used as the back-end authenticator for VACMAN 




3. To have the Authentication Server look up a User ID with Windows to find the 

Distinguished Name for the account, tick the Use Windows User Name Resolution 

checkbox. 




11.1.7.4 Master Domain 

The Master Domain is used as a default Domain as well as having special significance for 

administrative access. For more details, see 3.5.1.1 Master Domain. 

Note 

All User accounts must be deleted from a domain before the domain record can 

be deleted. 

To modify the domain used as the Master Domain: 

1. If the new Master Domain does not already have a Domain record, create the new 

Domain using the Administration MMC Interface. 

2. Make sure there is an administrator account in the new Master Domain that has Set 

Administrative Privileges permission. 

3. Click on the ODBC Connection tab. 

4. Click on Configure Advanced Settings. 

5. Modify the name in the Master Domain field. 




8. Login to the Administration MMC Interface as the administrator account identified in 



step 2. Give this account any privileges that it requires that are missing. You will need 

to log off and on again as this account for the new privileges to take effect. 

9. Delete the original 'master' domain if no longer required. 

Caution 

Ensure that the name of the Master Domain is set to the correct case, as 

required by the Case Conversion setting. For example, if the Case Conversion 

setting is Convert to Lower, the Master Domain name must be all lower case. 

11.1.7.5 Domains and Organizational Units 

Other Domains and Organizational Units used in the Authentication Server may be created and 

edited using the Administration MMC Interface. 



11.1.8 Auditing 

To configure auditing for the Authentication Server, add at least one auditing plug-in to the 

Methods list. To view or edit auditing settings, click on the Auditing tab in the Configuration 

GUI. For more information about setting up auditing, see 12 Auditing. 

Add an Audit Method 


2. Select a Plug-in type from the drop down list. 


The Plugin window will be displayed. 

4. Enter a name to use for display purposes in the Display Name field. 

5. Tick the Enabled checkbox to enable auditing to this plug-in. 

6. Tick the Fail on Error checkbox if you want the Authentication Server to return an 

error if it fails to record an auditing message. 

7. Tick the Unhandled Only checkbox if messages should only be logged by this auditing 

plug-in if they have not been previously logged by any other plug-in. 

8. Select one or more audit message types to be logged by this plug-in: 

Error 

Warning 

Information 

Success 

Failure 

9. Enter other required information. 



Edit an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Edit... button. 

The Plug-In window will be displayed. 

3. Make the required changes. 



Delete an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Delete button. 

The record will be deleted. 



11.1.9 Data Encryption 

See 4 Sensitive Data Encryption for more information on encryption in the Authentication 

Server. 

To modify encryption settings for the Authentication Server: 

1. Click on the Active Directory Connection or ODBC Connection tab. 

2. Click on Configure Encryption Settings. 

3. The Configure Encryption Settings window will be displayed. 

4. Enter the custom encryption key in the Storage Key field. 

5. Select an encryption algorithm from the Cipher Name drop down list. 


Export Encryption Settings 




4. Click on Export... 

5. Browse to the desired directory. 

6. Enter a file name to export the settings to. 


8. Enter a password. 


Import Encryption Settings 




4. Click on Import... 







11.1.10 Replication 

Note 

For more information about setting up replication on your system, see 15 

Replication. 

11.1.10.1 Enable Replication 

Configure the current Authentication Server to replicate data to other Authentication Servers: 

1. Click on the Replication tab. 

2. Tick the Enable Replication checkbox. 

3. Add at least one destination server (see 11.1.10.2 Set up Replication to Another 

Authentication Server below) 


11.1.10.2 Set up Replication to Another Authentication Server 



3. Enter a display name for the destination Authentication Server. 

4. Enter the IP address and port to use in connecting to the Authentication Server. 


11.1.10.3 Configure Local Replication Settings 


2. Enter a maximum and minimum reconnect interval. 

3. The replication queue file holds data which is yet to be replicated to other 

Authentication Servers. If you wish to change the location of the replication queue file, 

modify the File Path field. This directory must already exist. 

4. Set a maximum size for the file. If the file reaches this size, replication queue entries 

will no longer be writable to the file, and the Authentication Server will cease 

processing authentication and administration requests that result in a database 

update. 

5. The maximum number of retries specifies how many times the Authentication Server 

should attempt to resend entries in the replication queue that failed at the destination 

server. Enter a number in the Max Retries field. 

6. The retry interval specifies how long the Authentication Server should wait before 

attempting to resend entries in the replication queue that failed at the destination 

server. Enter a number of seconds in the Retry Interval field. 




11.1.11 Virtual Digipass Text Message 

An advanced setting is available to customize the text message used for Virtual Digipass 

logins. This is useful if you do not want to use the default message Your One Time Password is 

followed by the OTP. This setting is not available in the Configuration GUI but can be added 

into the configuration file using a text editor. 

Inside the section, the following line should be added: 

 

where ????? should be replaced by your message. 

If the OTP should be at the end of the message, the setting value should be just the fixed part 

of the message. The server will add a space before the OTP value if the fixed part does not end 

with a whitespace character. 

For example, if the OTP is 474747 and the setting is: 

 

then the text message will be: Password: 474747 

If the OTP should be at the start or in the middle of the message, the setting value should 

contain a placeholder [OTP] at the position where the OTP is required. 

For example, if the OTP is 838383 and the setting is: 

 

then the text message will be: Use 838383 to logon 

After modifying this setting and saving the file, the server requires a restart before the new 

setting will take effect. Restart the Digipass Authentication Server Service. 

Caution 

If your message will include non-English characters, make sure that the file 

dpauthserver.xml is stored in UTF-8 encoding. One way to ensure this is to 

open the file in Notepad and use the File->Save As... menu option. The Save 

As dialog allows you to choose UTF-8 in the Encoding drop-down list. 

Limitations 

If your message will include non-English characters, the HTTP gateway web site must be 

expecting UTF-8 encoded data. There is currently no way to specify a different encoding 

to be used according to your HTTP gateway. 

The Active Directory Users and Computers Extension does not have access to the 

server's configuration file, and will therefore still deliver the default message when using 

the Test Virtual Digipass dialog. 



11.1.12 Configuration File 

The Configuration GUI for the Authentication Server writes to an .xml file named 

dpauthserver.xml in the install/bin directory. It is possible to edit this file directly instead of 

using the Configuration GUI, but is not recommended. You will need to restart the Digipass 

Authentication Server Service using the Windows Service Control Manager after editing and 

saving the file, before the changes will take effect. 

Note 

The file is UTF-8 encoded – do not put any non-UTF-8 characters into the file. 

It is also case-sensitive. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



11.2 MDC 

11.2.1 Required Information 

To configure gateway settings you will need: 

Gateway details: 

OR 

Protocol to use in connecting to the gateway. 

An address string and port to use in connecting to the gateway. 

The path and filename of a certificate file, if required. 

The required Query String. 

The Query Method (GET or POST) required by the gateway. 

A customized configuration file ordered from your VASCO supplier. This will need to be 

imported using the Configuration GUI. 

Username and password for the gateway account. 

11.2.2 MDC Configuration GUI 

A Graphical User Interface (GUI) is available for use in configuring the MDC. To open the MDC 

Configuration GUI, click on the Start Button and select Programs -> VASCO -> VACMAN 

Middleware 3 -> Virtual Digipass MDC Configuration. 

Note 

The MDC must be restarted after any change is made in the Configuration GUI. 

11.2.2.1 Modify Gateway Account Login Details 

The MDC needs a Username and password for the gateway in order to send text messages 

through it. 

1. Modify the Username if needed. 

2. Change the Password and Confirm Password fields if required. 

The Password and Confirm Password fields must contain identical data. 

11.2.2.2 Configure Internet Connection Details 

Enable or disable the use of an HTTP Proxy and enter details if required. 

1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy 

checkbox. 

2. If required, enter an IP address, port and timeout for the HTTP Proxy. 

3. Enter a maximum number of internet connections to allow in the Max. Connections 

field. 



11.2.2.3 Configure Tracing 

The MDC makes use of a trace file to record information about events that occur on the 

system, for use in troubleshooting. This could include generic information, changing 

conditions, or problems and errors that have been encountered. 

The level of tracing that the MDC employs depends on its configuration settings. 

Caution 

Enabling Full Tracing should only be done for troubleshooting purposes. There 

are no limits set on the size of the tracing file, so if the option is left on too 

long on a high-load system the file may dramatically slow down or crash 

Windows, due to excessive I/O or filling up the hard drive. This is not highly 

likely for MDC, but should be considered. 

Because there are no size limitations set on the trace file, it is not recommended that you have 

tracing permanently enabled. If your system is set up with Basic Tracing always enabled, 

ensure that the file size does not cause problems by deleting or archiving it whenever it gets 

too large. 

Basic tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Full tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Informational messages [INFOR] 

Data tracing messages [DATA] 

Debugging messages (useful for support purposes) [DEBUG] 

Security messages, messages that may contain security sensitive data [SECUR] 

Turn Tracing On or Off 

1. Select a Tracing option. 

2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the 

tracing file into the File Name field. 

The file path entered must be the full absolute path. 



Note 

If the File Name field is left blank or the file path does not exist, the MDC will 

not output tracing. If the file does exist, tracing will be appended to the file. If 

it does not exist, it will be created. 

11.2.2.4 Import HTTP Gateway settings 

Import a customized configuration file ordered from your VASCO supplier, containing the 

configuration details for your gateway needed by the MDC. 

1. Click on the Gateway Settings tab. 

2. Enter a name for the gateway. 

3. Click on Import Settings. 

4. Select a file from the Browse window. 


The import progress will be displayed. 


11.2.2.5 Edit Advanced Settings 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Select a protocol to use in connecting to the gateway from the Protocol drop down list 

(typically HTTP). 

4. Enter an address string to use in connecting to the gateway in the Address field. 

5. Enter a port in the Port field (typically 80 for HTTP connections). 

6. Enter the path and filename of a certificate file if required. 

7. Modify the Query String field if required. 

Example Query String: 

username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message= 

[otp_msg] 

8. Select a Query Method according to what the gateway requires (typically POST). 

11.2.2.6 Export HTTP Gateway settings 

Once you have entered the necessary gateway configuration information into the Configuration 

GUI, you may wish to export the settings into a file for backup purposes or to transfer to 

another server. 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Click on Export Settings. 

4. Select a directory from the Browse window. 

5. Enter a filename. 




The export progress will be displayed. 

11.2.2.7 Gateway Result Pages 

A result page is returned by the gateway service when a text message is submitted by the GET 

or POST methods. This page would normally be a HTML formatted page containing specific 

error codes and/or additional messages for success/failure. 

Three types of result messages are generally categorized as: 

Information 

Success of message delivery (the message has been accepted by the server) 

Warning 

The submission/delivery failed, but it is most likely a specific error only affecting this User. 

The User’s login will fail on the first step. Possible causes are: 

Error 

Phone number invalid 

Temporary gateway failure 

Error(s) occurred while attempting delivery. This means that the delivery failed for a particular 

User, but the error might be affecting all Users. In this case, the User’s login will fail 

immediately. Possible such errors are: 

Account data incorrect (Account User or password wrong) 

Account credit expired (for a pre-paid gateway account) 

Communication error with gateway (network error) 

Other permanent gateway errors 

Audit Console Logging 

A gateway result page can be recognized by key words and phrases, and an alternate message 

created for logging to the audit console whenever the result is received. Variables can be 

extracted from the result page and used in the log message to provide extra information. 

Result Page Rules 

The result page rule patterns use the following syntax: 

[Var-Name1] [] [Var-Name2] … 

Where the template is constructed in the following way: 

: a character string which must be matched in the page returned by the 

gateway. Note that multiple can appear in a single template, but they 

must not be overlapping. Matching is case-sensitive. 

[]: Omits a variable part of the result page between two segments, when 

matching a template. This can be useful to ignore arbitrary data or time/date data in the 



returned web page. 

[Var-Namex]: Describes a segment of the result page between two 

segments or at the end of the result page, which will be written to a variable. Usually 

this will be data that can provide more detailed information why a particular message 

submission has failed. The variable name inside the [] brackets can then be used as part 

of the audit message template to create a meaningful message. 

Example 

If the server returns the following result page 

“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in 

progress.” 

for successful transmission, or 

“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short” 

for an unsuccessful submission, then the following result page rules can be configured: 

Message Rule Name: Success 

Message Rule Pattern: successful at [DateTime], status: [Status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

Message Rule Name: Warning 

Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message] 

Variables retrieved: DateTimeMessage 

Message Rule Name: Error 

Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

No Match Available If no Rule matches a Result page returned, an error will be logged to the 

Audit Console, reporting that the result page returned from the gateway could not be matched. 

Ordering Rules The order of the result page template in the configuration data can be used to 

match more specific messages first and finally catch any “other” message, which the gateway 

might send. 

Audit message template 

Once a result page template a matched, a corresponding audit message is constructed with the 

variables retrieved from the result page rule. 

The message template will use the following syntax: 

[VAR-Name1] [Var-Name2] … 

: a character string which will appear literally in the constructed audit 

message. 

[Var-Namex]: Variable which is derived from the matched variables from the 

corresponding result page template. 



The following variables are predefined and can be used in the audit message template: 

Table 56: MDC Audit Message Variables 

[otp_dest] The destination address (a mobile phone number) the OTP was sent to. 

[otp_msg] The message that was submitted. This variable will also contain the OTP, so should not be used for the 

construction of audit messages. 

[acc_user] Account name for the gateway.Not recommended for use in audit messages. 

[acc_pwd] Account password for the gateway.Not recommended for use in audit messages. 

[Username] the User ID of the User requesting the OTP 

Examples of variable use: 

Insufficient credit on account [acc_user] when sending to [username] 

Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message] 

Modify a Gateway Result Message Rule 

Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked. 

1. Click on the Gateway Results tab. 

2. Select a Rule to modify. 

3. Click on Edit. 

4. Make any required changes. 


Add a Gateway Result Message Rule 

1. Click on the Gateway Results tab. 

2. Click on Add. 

3. Enter a descriptive name for the Rule in the Description field. 

4. Enter the full text or a partial match of the text displayed by the gateway in the 

Matching Pattern field. 

5. Select an Audit Message Level for the Rule. 

Each level of message will be displayed with a different color background in the Audit 

Console. 

Info – normal 

Warning – yellow 

Error – red 

6. Enter the message text you wish the User to see into the Message Text field. 




11.2.3 MDC Configuration File 

The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install/bin 

directory. It is possible to edit this file directly instead of using the MDC Configuration GUI. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Caution 

The configuration file is UTF8 encoded. Non-UTF8 encoded characters should 

not be added to the configuration file, or it will not load. 



11.2.4 Configuration Settings 

The table below lists the options, their default values, and a brief explanation of each. 

Table 57: Message Delivery Component Configuration Settings 

Option 

Name 

General tab 

Config. 

GUI Field 

Server/ IP Server IP 

Address 

Default 

Value 

 

Notes 

This string is the IP address of the local server. It needs to correspond 

with the licensing as well as the IP address configured for the 

server.Data type: String with valid IP4 address or hostname that can be 

resolved through DNS 

Server/ Port Port 20003 This integer is the TCP/IP port on which the local server is listening. 

Must correspond with the RADIUS server settings.Data type: Integer 

with valid Port address (1-65535) 

Gateway/ 

ProxyIP 

Gateway/ 

ProxyPort 

Gateway/ 

Timeout 

Gateway/ 

MaxConnecti 

ons 

Tracing/ 

TraceFile 

Tracing/ 

TraceMask 

Gateway- 

Acnt/ 

Username 

Gateway- 

Acnt/ 

Password 

Proxy IP IP address of the HTTP proxy used by the MDC to contact the HTTP 

gateway. This can be used when the firewall settings do not allow a 

direct connection.Empty - no proxy being used.Data type: String with 

valid IP4 address 

Port Port number to contact the HTTP proxy on.Must be supplied if the 

ProxyIP setting is used.Data type: Integer with valid Port address (1- 

65535) 

Proxy 

Timeout 

Max 

Connections 

30 Time in seconds that the MDC will wait on a response from the 

HTTP/gateway.Data type: integer 

10 Maximum allowed number of concurrent connections to the HTTP 

gateway.Data type: Integer (1-100) 

File Name The file that tracing output should be written to.None – no tracing.Data 

type: String 

Tracing 0 The tracemask specifies how much tracing is done.0 – no tracing1 – 

basic tracing2 – full tracingData type: Integer 

(General 

tab)Usernam 

e 

(General 

tab)Password 

& Confirm 

Password 

Gateway Settings tab 

Gateway/ 

Description 

Gateway/ 

HTTPMethod 

Gateway/ 

URL 

Gateway 

Name 

Query 

Method 

Protocol and 

Address 

 

 

Sets the account Username the HTTP gateway. The given value will be 

used as content for the variable [acc_User] in the query string.Data 

type: String 

Sets the account password the HTTP gateway. The given value will be 

used as content for the variable [acc_pwd] in the query string.Data 

type: String 

This is an informational field, naming or describing the HTTP gateway. It 

can be set to provide a description for a particular service, but is ignored 

by the MDC.Data type: String 

POST Designates either the GET or POST method for use in transferring 

account and message data to the HTTP/HTTPS gateway.Data type: 

String (“GET” or “POST”) 

 

Required parameter.Sets the URL to the HTTP gateway. The address 

should not contain any variables, but is should contain the protocol 

identifier.Note: the protocol identifier of “https://” can be used to SSLencrypt 

the link between the MDC and the HTTP gateway. In this case it 

is required to specify a filename where the server certificates can be 

found.Data type: String 

Gateway/ Query String


Option 

Name 

Config. 

GUI Field 

Default 

Value 

Notes 

HTTPQuery parameter> the http server, either using POST or GET (as specified by HttpGw- 

Method). This string must contain all required variables that are 

expected by the HTTP gateway. Contained in the query string must be 

the following parameters which will be set by the MDC before submitting 

the query: 

[acc_user] specifies the account name for the gateway which will be 

used to submit the information§ 

[acc_pwd]password for the gateway account specified by the 

[Username] parameters§ 

[otp_msg]specifies the part of the query string, where the OTP message 

will be substituted§ 

[otp_dest]specifies the part of the query string, where the destination 

for the OTP (usually the mobile phone number) will be substituted.The 

query string should also incorporate any other parameters which might 

be expected by the gateway.Example:Data type: String 

Gateway/ 

CertFile 

Certificate 

File 

Gateway Results tab 

Results/ 

Resultnn/ 

Name 

Results/ 

Resultnn/ 

Pagematch 

Results/ 

Resultnn/ 

MsgType 

Results/ 

Resultnn/ 

Message 

11.3 CGI 

.\curl-cabundle.crt 

When using the HTTPS protocol, the server certificate file is used to 

authenticate the message gateway and to derive the data encryption 

keys. It can contain either one or multiple server certificates.The file 

needs to be PEM-encoded,X.509 compliant certificate.It can be created 

by exporting the required Root CA from any browser (eg. Internet 

Explorer) using the base-64 format - equivalent to PEM.Data type: 

String 

Description Name of this entry, as displayed by the MDC Configuration GUI. This 

field has no functional meaning.Data type: String 

Matching 

Pattern 

Audit 

Message 

Level 

Message 

Text 

 

Result Page Template to match the result page returned by the HTTP 

service. If this template is matched, the corresponding audit message is 

composed and returned to the Authentication Server Audit 

message.Data type: String 

2 Type of message to appear in the audit log:0 INFO – informational 

message (login on)1 WARNING – warning message (login fails)2 

ERROR – error message (login fails)Data type: Integer (0-2) 

 

Audit Message Template for the message to be compiled and sent back 

to the Authentication Server. The message is returned as Information, 

Warning or Error, depending on the MsgType parameter in the same 

section. Includes [variable] options.Data type: String 

See 9.2.1 Configuration Settings for VASCO CGI configuration settings and location. 

11.4 Digipass TCL Command Line Utility 

See 14.3 Configuration File for Digipass TCL Command Line Utility configuration settings and 

file location. 


VACMAN Middleware Administrator Reference Auditing 

12 Auditing 

Setting up auditing in the VACMAN Middleware requires three basic steps: 

1. Set up audit message destination. If this will be a text file or the Windows Event Log, 

no configuration is required. 

2. Configure auditing in the Authentication Server to send audit messages to the correct 

destination. 

3. Configure Audit Viewer to retrieve, filter and display audit messages. 

12.1 Text File 

12.1.1 Text File Name Variables 

A number of variables may be included in the name or path of an audit text file.Time/date 

variables will influence how often a new text file is created. 

Table 58: Audit Text File Name/Path Variables 

Variable Notes 

{year} Current year in format 'YYYY' eg. 2006 

{month} Current month in format 'MM' eg. November becomes 11 

{mday} Current day of the month in format 'DD' eg. 06 

{yday} Current day of the year in format 'DDD' – this will be a number between 1 and 366 

{week} Current week of the year in format 'WW' eg. The 6 th week of the year will be 06 

{source} The name of the program from which the audit message was received by the Audit System eg. 


Example 

Entering the following into the Log File field in the Authentication Server Configuration: 

c:\Audit Files\{source}\audit-{year}-{month}-{mday}.audit 

would cause: 

A directory named VACMAN Middleware 3 to be created in the Audit Files directory 

A new audit text file to be created daily 

A file named audit-2006-11-06.audit to be created on the 6 th November 2006 

12.1.2 Configure Auditing to Text File 

1. Open the Authentication Server Configuration GUI. 

2. Click on the Auditing tab. 


4. Select Text File from the drop down list. 












Error 

Warning 

Information 

Success 

Failure 

11. Enter the location and a name for the text file. See 12.1.1 Text File Name 

Variables for more information. 

12. To speed up the auditing process, tick the Always keep file open checkbox. This will 

mean that the file is locked while the Authentication Server is running. 

13. Tick the Use GMT/UTC checkbox to record dates and times in GMT/UTC. Otherwise, 

they will be recorded in local time. The text file will indicate the time zone used. 





12.2 Windows Event Log 




4. Select Event Log from the drop down list. 










Error 

Warning 

Information 

Success 

Failure 

11. Select a log type or enter a new log type to be created in the Log Type drop down 

list. 





12.3 ODBC Audit Message Database 

12.3.1 Set up ODBC Database 

12.3.1.1 Create database 

See 3.1 Database Support for information on the ODBC databases supported by the VACMAN 


12.3.1.2 Create database schema 

Two tables are required in the database. These can be created by the DPDBadmin utility using 

the -audit parameter (see 3.8.1 Modify Database Schema), 

or manually. 

Table 59: Required Audit Database Tables 

Table Name Purpose 

vdsAuditMessage Basic audit message, including mandatory fields 

vdsAuditMsgField Contains extra (non-mandatory) audit message fields which may be included in an audit 

message 

Image 2: Audit Database Table Relationships 

vdsAuditMessage Table 

This table will contain one record per audit message generated, with non-mandatory 

information held in the vdsAuditMsgField table. 

Table 60: vdsAuditMessage Required Fields 

Column Name Data Type Primary 

Key 

Allow 

NULL 

vdsTimeStamp timestamp* Yes No Date/time of event. 

Details 

vdsAMID varchar(32) Yes No 32 hex digit Audit Message ID (without “0x” prefix). 

vdsSource varchar(64) No Source component name. 




Key 

Allow 

NULL 

vdsType integer No Numeric type. 

Details 

vdsCode varchar(8) No Message code eg. “I-010003”. 

vdsDesc varchar(255) No Standard description for audit message. 

vdsCategory varchar(32) No Name of category eg. “Authentication”. 

* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an 

automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required. 

vdsAuditMsgField Table 

This table may contain several records for a single audit message. 

Table 61: vdsAuditMsgField Required Fields 


Key 

Allow 

NULL 

vdsTimeStamp timestamp* Yes No Date/time of event. 

Details 

vdsAMID varchar(32) Yes No 32 hex digit AMID (without “0x” prefix). 

vdsFieldID integer Yes No Integer (dataset) ID of optional field. 

vdsFieldValue varchar(1024) No Yes Value of optional field, represented as string. 

* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an 

automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required. 

12.3.1.3 Create Database Account(s) 

Create at least one database account. These permissions are required for the Authentication 

Server and Audit Viewer: 

Program Table Permission(s) 

required 

Authentication Server All Write 

Audit Viewer All Read 

12.3.1.4 Create DSN on Authentication Server machine 

Create a Data Source Name for the database on the machine on which the Authentication 

Server is installed. 

12.3.1.5 Create DSN on Audit Viewer machine 

Create a Data Source Name for the database on the machine on which the Audit Viewer is 

installed. 

12.3.2 Configure Authentication Server 




4. Select ODBC Database from the drop down list. 












Error 

Warning 

Information 

Success 

Failure 

11. Enter the DSN for the database. 

12. Enter the username and password of the database account to be used by the 

Authentication Server (if required). 



12.3.3 Configure Audit Viewer 

Note 

A Data Source Name must be configured on the Audit Viewer computer for the 

database. 

1. Select New Audit Source -> ODBC Database from the File menu. 

2. Enter a display name to be used for the database within the Audit Viewer. 

3. Enter the Data Source Name for the database. 

4. Enter the User ID and password of an administrator account for the database. 

5. Tick the Store User ID and Password checkbox to save login details in the Audit Viewer. 




12.4 Live Connection - Authentication Server to Audit 

Viewer 

12.4.1 Configure Authentication Server 




4. Select Live Connection from the drop down list. 










Error 

Warning 

Information 

Success 

Failure 

11. Enter the IP address and port number on which the Authentication Server will listen 

for auditing connections. 

12. Enter the maximum number of concurrent connections to allow. 



12.4.2 Configure Audit Viewer 

15. Select New Audit Source -> Authentication Server from the File menu. 

16. Enter a display name to be used for the messages within the Audit Viewer. 

17. Enter the IP address of the Authentication Server. 

18. Enter the port on which the Authentication Server will listen for auditing connections. 



VACMAN Middleware Administrator Reference Tracing 

13 Tracing 

The level of tracing for the Authentication Server can be configured using the Administration 

MMC Interface. 

Tracing messages will be recorded to a text file. 

13.1 Trace Message Types 

Table 62: Tracing Message Types 

Message 

Type Code 

[CRITC] Critical error/warning 

Notes Examples 

[MAJOR] Major error/warning [MAJOR] > Failed to execute command. Error 

[MINOR] Minor error/warning [MINOR]> Cannot get License Key from Component record 

[CONFG] Configuration/initialization [CONFG] > ODBC Database audit plugin is successfully loaded 

[CONFG] > Component cache configured as: 

max age : 900 

max size : 1000 

clean threshold : 800 

min clean interval : 60 

[ALERT] Alerts [ALERT] > disconnecting from server. 

[INFO] Informational messages [INFO ] > Audit: {Info} {Initialization} {I-002002} {The Digipass 

Authentication library has been initialized successfully.} 

[INFO ] > Creating Digipass object. 

[VINFO] Verbose informational messages [VINFO] > Event log source is 

[VINFO][ODBCConnection::OpenConnection] > Established 

connection to ODBC database 

[DATA] Data tracing [DATA ] > Prepared SQL statement "SELECT vdsDomain, 

vdsDescription, vdsCreateTime, vdsModifyTime FROM vdsDomain 

ORDER BY vdsDomain" 

[TEMP] Temporary data values [TEMP ] > Updated list is 

[RESRC] Resource usage [RESRC] > Socket Bound to 

[DEBUG] Debugging (useful for support 

purposes) 

[SECUR] Security messages, messages 

that may contain security 

sensitive data 

[DEBUG] > Registering Binary with Event log for 

Source 

[DEBUG] > Committed transaction 


VACMAN Middleware Administrator Reference Tracing 

13.2 Trace Message Levels 

There are two tracing levels available when configuring tracing from the Configuration GUI – 

Basic and Full. This can be customised further if required by directly editing the configuration 

file. The message types recorded by each level are shown in the table below. 

Table 63: Tracing Message Levels 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

Basic Full 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

VINFO 

DATA 

TEMP 

RESRC 

DEBUG 

SECUR 

13.3 Trace Message Contents 

Basic and Full tracing levels output different amounts of information in trace messages. 

Table 64: Tracing Message Contents 

Trace Level Message Contents 

Basic [date_time] [thread ID] [level code] message 

Full [date_time] [thread ID] [level code] [internal function name] message 


VACMAN Middleware Administrator Reference Digipass TCL Command-Line Administration 

14 Digipass TCL Command-Line Administration 

14.1 Introduction 

Digipass TCL Command-Line Administration (DPCLA) allows interactive command-line and 

scripted administration of Digipass related data. It has a number of possible uses: 

Interactive command-line administration 

Scripted administration 

Complex bulk administration tasks 

Reporting on the data in the data store 

The DPCLA consists of the following components: 

DPADMINCMD 

This is a command-line program that can be used interactively or called from within a batch 

file, script or other program. This provides a command shell based on the TCL interpreter. 

VASCO TCL Extension Library 

The main functionality is provided by the VASCO extensions to TCL. This provides a set of 

additional commands in a “vasco” namespace. 

The extension library is used by DPADMINCMD, which loads the namespace automatically. 

However, if you have your own TCL environment already, you can load the extension library 

directly into it, without having to use DPADMINCMD. In that case, you will need to use the 

namespace qualifier. 

Other scripting environments such as Python, Perl and VBScript also have modules available 

that enable them to use TCL, allowing the VASCO extensions to be used in a variety of 

environments. 

TCL Runtime 

The VACMAN Middleware installation program also installs the TCL 8.4 runtime environment, 

which is necessary to run DPADMINCMD. 

Caution 

Windows command-line functions may be run from within the Digipass TCL 

Command-Line Administration. A new Windows command-line console may 

also be opened. 

14.1.1 Knowledge Requirements 

Digipass TCL Command-Line Administration is an extension of the TCL 8.4 scripting language, 

and administrators will require a basic competence in TCL in order to use the command-line 

utility. However, for simple usage, no great knowledge of TCL is required. 



For an introduction to TCL, see http://www.tcl.tk/about/language.html. Other pages on the 

www.tcl.tk web site may also provide useful background on TCL and its capabilities. For a more 

comprehensive tutorial, see http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html (but note 

that we install version 8.4, so there may be minor differences in 8.5). 

14.1.2 Data Store Connection 

DPCLA makes a direct connection to Active Directory in a similar way to the Administration 

MMC Interface. Alternatively, if an ODBC or embedded database is used as the data store, 

DPCLA makes a connection to the Authentication Server. 

This connection requires an administrative login. In the case of Active Directory, an implicit 

login can be used based on your Windows login context, or you can specify explicit credentials. 

For ODBC, credentials are required exactly the same as the Administration MMC Interface. 



14.2 Using DPADMINCMD – Basics 

You can use TCL interactively with a command prompt or you can use it to run a script. 

14.2.1 Using an Interactive TCL Command Prompt 

Using DPADMINCMD to open an interactive TCL command prompt can be done as follows: 

1. Open a Windows command prompt in the \Bin directory. 

2. Enter the following command and press Enter: 

dpadmincmd 

A command prompt will be opened, at which you can enter TCL commands. DPADMINCMD 

automatically loads the VASCO TCL extensions, so that they can be used without needing to 

specify the VASCO 'namespace'. 

C:\Program Files\VASCO\VACMAN Middleware\Bin>dpadmincmd.exe 

Digipass TCL Command-Line Administration Version 3.0.0.12 

Copyright (C) VASCO Data Security Inc. 2006 

All rights reserved 

% 

Before any data administration commands will work, you need to perform an administrative 

logon, either directly to Active Directory or to the Authentication Server (for ODBC or 

embedded database). 

The Active Directory logon does not need explicit credentials if you are logged into Windows as 

an administrator with the necessary rights: 

% logon 

1 

% 

The ODBC or embedded database logon does need explicit credentials. The Active Directory 

logon can also be done with explicit credentials if necessary: 

% logon {userid admin password password} 

1 

% 

If the logon is successful, the output indicates a session number. Otherwise, an error message 

will be displayed. 

Once there has been a successful logon, you can enter other commands, for example: 

% user query {userid admin} 

{domain master userid admin has_dp Unassigned status 0 created {2006/05/11 11:05 

:32} modified {2006/05/11 11:05:32}} 

% 

To log off, use the logoff command; to exit, use the exit command. 



14.2.2 Running a Script 

Using DPADMINCMD to run a script requires an administration logon to be specified with 

command-line parameters, unless the script itself contains a logon command. 

For an implicit Active Directory logon, the -i (implicit) parameter is sufficient. 

For a logon requiring credentials, the -u (userid) and -p (password) parameters are required. 

1. Open a Windows command prompt in the \Bin directory. 

2. Enter the following command for an implicit logon and press Enter: 

dpadmincmd -i scriptname 

3. Or, enter the following command for an explicit logon and press Enter: 

dpadmincmd -u userid -p password scriptname 

The scriptname parameter can be a file name or path and file name. 

If your script requires parameters, enter these after the scriptname. 

Example 

dpadmincmd -i myscript.tcl param1 param2 

The script file must contain a sequence of TCL commands. DPADMINCMD will first perform the 

logon, and if successful, will execute each command in the script in sequence. The TCL 

language allows you to write simple sequential scripts or add more complex control flow, 

functions and so on. 

The script does not need to use the logoff or exit commands explicitly. DPADMINCMD will 

logoff the session if necessary at exit time. 

Character Substitution 

When using a non-printing ASCII character substitution (eg. \t for a horizontal tab) in a string, 

enclose the string in double quotes. If the string is enclosed in { }, the string will be displayed 

exactly as entered. 

eg. “Error: \t Component does not exist. \n \t \t Please check the Component name.” will be 

displayed as: 

Error: Component does not exist. 

Please check the Component name. 

Whereas {Error: \t Component does not exist. \n \t \t Please check the Component name.} 

will be displayed as: 

Error: \t Component does not exist. \n \t \t Please check the Component 

name. 



14.2.3 Help 

To access help from the command prompt, use these commands: 

Table 65: DPADMINCMD Help Commands 

Command Notes 

help Provides basic information about DPADMINCMD, including a list of all 

commands available. 

help Provides information about the specific command, including required 

parameters, optional parameters and available subcommands. 

help Provides information about the specific subcommand, including required and 

optional parameters. 

14.2.4 Command Parameters 

Some notes on command parameters in TCL: 

Parameters are given in list form: {field1 value1 field2 value2 ...} 

Parameter values that include whitespace require double quotes or { }, for example 

{field1 “value 1” field2 {value 2} ...} 

Commands may be substituted for parameters using square brackets, where the 

command will return the type of parameter(s) required. eg. 

foreach i [user query {domain master} {domain userid has_dp}] { puts 

$i } 

In this example, a query returns a list of Users with Digipass assigned, which is used in 

the foreach command. 

14.2.5 Result Output 

Results are typically returned in list form, with pairs of field names and values, eg: 

{domain master userid user0001 has_dp Assigned} 

Some commands do not return field information, only a simple message, eg: 

Created Component. 

Queries return a list of list results, with only the requested fields displayed. These may be 

formatted for better readability by wrapping the query in another command, eg: 

foreach i [user query {domain master} {domain userid has_dp}] { puts $i } 

The result from the example above will display each user record in the master domain on a 

separate line, and only display the requested fields (domain, userid and has_dp), eg: 

domain master userid admin has_dp Assigned 

domain master userid user0001 has_dp Unassigned 



14.2.6 Error Handling 

When an error occurs in a VASCO TCL Extension command, information about the error will be 

written to the standard TCL error variables. This allows error handling in scripts, and allows a 

user to obtain information about the last error received when using an interactive command 

line. For example, if this command was entered: 

% user get {userid doesnotexist} 

and a User with the ID of doesnotexist could not be found, then this error would be returned: 

Error code: Error message: 

Information about that error could be retrieved from standard TCL error variables using these 

commands: 

% puts $errorCode 

Returns: 

And 

-13 

% puts $errorInfo 

Returns: 

Error code: Error message: 

while executing 

"user get {userid doesnotexist}" 

14.2.7 International Characters 

DPADMINCMD supports international characters, but your console window must be able to 

support the characters or they will not display correctly. The Lucida Console font is typically 

used. 

14.2.8 Syntax Notes 

The following points should be remembered for basic interactive and scripted usage: 

Result values that include whitespace, including date/time values, are given { } by TCL 

Comments in scripts are preceded with a # 

A backslash character at the end of a line indicates that the command is continued on 

the next line. 



14.2.9 Sample Scripts 

Below are some sample scripts which perform basic tasks. They range in complexity to provide 

an example of what can be done, and the techniques required. 

Check if a Component Record exists 

This script checks for the existence of a RADIUS Client Component record with a specific IP 

address. If a Component record of that type and location does not exist, a message will be 

displayed onscreen. 

# Check if a specified RADIUS Client Component exists 

if [catch {component get {comp_type "RADIUS Client" location 

192.168.122.213 }} result] { 

puts "Component does not exist: $result" 

} 

Create a Record if it doesn't exist 

This script builds on the previous sample to check for the existence of a RADIUS Client 

Component record and, if one does not currently exist, to create one. It requires a location 

parameter to be passed to the script when it is run from DPADMINCMD. 

# Get IP-address location from command-line argument 

set loc [lindex $argv 0] 

# Create the component if it does not exist 

if [catch "component get {comp_type {RADIUS Client} location $loc}" result] 

{ 

if [catch "component create {comp_type {RADIUS Client} \ 

location $loc \ 

policy_id {VM3 Local Authentication} \ 

shared_secret default \ 

protocol RADIUS}" result] { 

puts "Error creating component: $result" 

} else { 

puts "Created component" 

} 

} else { 

puts "Component already exists" 

} 

To run this script from DPADMINCMD, you would need to use the following syntax: 

dpadmincmd -i scriptname loc 

Bulk User Administration 

This script collects all Digipass User records belonging to the domain named Domain1 and 

unlocks any which were locked. 

# Get all the users of the domain Domain1 

if [catch {user query {domain Domain1}} users] { 

puts "Unable to retrieve users: $users" 

} else { 

# Loop for each user 

foreach user $users { 

# Get the user information into an array for easier access 



} 

} 

array set userinfo $user 

# Check if the locked information is present as it may not return a 

# value is the user is not locked 

if [info exists userinfo(locked)] { 

# If the user is locked, try to unlock it 

if [string equal $userinfo(locked) yes] { 

if [catch "user update {userid $userinfo(userid) domain 

Domain1 locked no}" result] { 

puts "Error unlocking $userinfo(userid): $result" 

} else { 

puts "Unlocked $userinfo(userid)" 

} 

} 

} 

# Clear-out the current user information 

array set userinfo [list] 



14.3 Configuration File 

The Digipass Command Line Utility uses a xml file to store necessary configuration settings. 

This file can be found at \Bin\dpadmincmd.xml. 

14.3.1 Sample Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


VACMAN Middleware Administrator Reference Replication 

15 Replication 

15.1 Concepts 

Replication can be configured to allow multiple Authentication Servers to keep their data 

synchronized. 

Active Directory 

Where Authentication Servers use Active Directory as their data store, this allows faster 

replication of important information required for authentications. See 2.4 Active Directory 

Replication Issues for more information. 

ODBC Databases 

Where multiple Authentication Servers use different ODBC databases as their data stores, 

replication ensures that each database is up to date with the latest data changes. 



15.1.1 Replication Queue 

The replication queue for each Authentication Server which is configured as a replication 

destination is written to two files – a data and an index file – in \data. They 

are named according to the name given to the Authentication Server when configuring 

replication in the current Authentication Server Configuration GUI. 

15.1.2 Record-level Replication 

The replication method used by VACMAN Middleware involves replication of entire records, 

rather than individual record attributes. This means that data clashes can occur when a single 

record is updated at the same time from different sources. If this occurs, the later change will 

be the one chosen and written to the database. Superseded changes are ignored. 

15.1.3 Replication Process 

The writing of an data update to the replication queue (creating a replication entry) and 

sending a replication entry to another Authentication Server is handled by two separate 

processes. 

Write to Replication Queue 

The process which writes to the replication queue is run before any data changes are 

committed to the database. If the data change cannot be written to the replication queue – 

usually because the replication queue file has exceeded the maximum size allowed – the data 

change will not be committed to the database. 

Send Replication Queue Entry 



The other process sends replication entries from a replication queue to the required 

Authentication Server. If the destination Authentication Server cannot write the change to its 

database, it sends back a failure message. The process will: 

1. Leave the entry in the queue. 

2. Set a retry time for the entry (this depends on the Retry Interval set in the 

Configuration GUI). 

3. Attempt replication for the entry according to the number of retries set in the 

Configuration GUI. After the Maximum number of retries is reached, the entry is 

removed from the queue and its details audited. 

Note 

This does not include problems in connecting to the other Authentication 

Server. Queue retries will be suspended until the connection is re-established. 

15.1.4 Connection Handling 

When the Digipass Authentication Server service is started, the Authentication Server will 

establish a connection to each destination Authentication Server configured for replication. It 

will keep this connection open until the service is stopped or the connection is broken. If the 

connection is broken, it will attempt to reconnect after the minimum reconnect interval set in 

the Configuration GUI has elapsed. If that fails, it will continue to attempt reconnection at 

increasing time intervals until it reaches the maximum reconnect interval set in the 

Configuration GUI. It will continue to attempt reconnection at the maximum reconnect interval 

until it succeeds. 



The Authentication Server ceases replication efforts to the destination Authentication Server 

until the connection is re-established. This means that entries in the queue will not be lost 

because of a broken connection. Replication to other Authentication Servers will not be 

affected. 

A manual reconnect may be attempted at any time using the Administration MMC Interface, if 

the data store used by the Authentication Server is an ODBC database. 

15.1.4.1 Component Record 

It is important to note that a Authentication Server will not accept replication updates from 

another machine unless it has a Component record for that machine with the Component Type 

set to Authentication Server. 

15.1.5 Monitoring Replication 

15.1.5.1 Auditing 

Audit messages are recorded when: 

connections are made or fail 

an update send was successful 

an update send failed 

an update was received and the receiving server sent back a data update success 

an update was received and the receiving server sent back a data update failure 

15.1.5.2 Administration MMC Interface 

If the Authentication Server uses an ODBC database as its data store, the Administration MMC 

Interface will contain a Replication Status dialog. This dialog allows you to check the current 

status of replication for an Authentication Server. It also includes the number of entries 

currently in the replication queue. 



15.1.6 Forwarding Replication Entries 

Replication forwarding is required where more than two Authentication Servers are replicating, 

either in a simple replication chain or more complicated arrangement. The ID of the originating 

Authentication Server and the Authentication Server(s) to which it is sending the information 

are added to the replication entry. This allows the receiving Authentication Server to check 

which other Authentication Servers have already been sent the replication entry. It will forward 

the entry only to those Authentication Servers not listed. 



15.2 Configuring Replication 


These instructions assume that you have two Authentication Servers currently installed and 

operational, using Active Directory as their data store. 

1. Stop the Digipass Authentication Server service on each machine. 

2. Configure Authentication Server 1 to replicate to Authentication Server 2. 

3. Configure Authentication Server 2 to replicate to Authentication Server 1. 

4. Restart the Digipass Authentication Server service on each machine. 



15.2.2 ODBC Database 

15.2.2.1 Configure Replication to a Second Authentication Server 

These instructions assume that you have one Authentication Server installed and operational 

(SVR-1), and wish to set up another Authentication Server (SVR-2) and replicate between the 

two. 

1. Install VACMAN Middleware on SVR-2. 

2. Configure SVR-2 identically – except IP addresses - to SVR-1, using the Configuration 

GUI or the configuration file. 

3. Ensure that SVR-2 is functioning correctly. 

4. On SVR-1, create a Component record for SVR-2. Ensure that the Component Type is 

Authentication Server. 

5. On SVR-1, load the License Key for SVR-2 into the Component record just created. 





8. Configure the Authentication Server on SVR-1 to replicate to SVR-2. 

9. The Digipass Authentication Server service on SVR-1 may be restarted now if needed – 

it will build up a replication queue until it can connect to SVR-2. 

10. Overwrite the database used by the Authentication Server on SVR-2 with the copy 

from SVR-1. If you are using the embedded PostgreSQL database, see Step 2 of 

6.2.2.2 Restore Database, Authentication Server Undamaged. 


12. Restart the Digipass Authentication Server service on SVR-2. If you did not restart the 

service on SVR-1 earlier, restart it now. 



15.2.2.2 Configure Replication to a Third or Subsequent Authentication 

Server 

These instructions assume that you have two or more Authentication Servers replicating to 

each other, and wish to add another Authentication Server (SVR-3) in a simple replication 

chain. 

1. Select which Authentication Server - SVR-1 or SVR-2 – will be replicating data with 

SVR-3. For these instructions, SVR-2 is assumed. 

2. Install VACMAN Middleware on SVR-3. 

3. Configure the Authentication Server on SVR-3 identically to that on SVR-2, using the 

Configuration GUI or the configuration file. 

4. Ensure that SVR-3 is functioning correctly. 

5. On SVR-2, create a Component record for SVR-3. Ensure that the Component Type is 

Authentication Server. 

6. On SVR-2, load the License Key for SVR-3 into the Component record just created. 






10. The Digipass Authentication Server service on SVR-2 may be restarted now if needed 

– it will build up a replication queue until it can connect to SVR-3. 

11. Overwrite the database used by the Authentication Server on SVR-3 with the copy 

from SVR-2. If you are using the embedded PostgreSQL database, see Step 2 of 

6.2.2.2 Restore Database, Authentication Server Undamaged. 


13. Restart the Digipass Authentication Server service on SVR-3. If you did not restart the 

service on SVR-2 earlier, restart it now. 



15.2.2.3 Add Redundant Replication 

You may wish to add redundancy replication into your system to add extra protection in case 

of connection problems or data corruption. Redundant replication adds an extra link to a 

standard replication chain, so that replication can occur via more than one route. 

The instructions below assume a replication chain, with replication being added between a 

primary Authentication Server (P-SVR-2) and a backup Authentication Server (B-SVR-1). 

1. Configure the Authentication Server on B-SVR-1 to replicate to P-SVR-2. 

2. Configure the Authentication Server on P-SVR-2 to replicate to B-SVR-1. 

3. Restart the Digipass Authentication Server service on each machine. 


VACMAN Middleware Administrator Reference How to troubleshoot 

16 How to troubleshoot 

16.1 View Audit Information 

The Authentication Server can be configured to output audit messages to a number of 

locations: 

Windows Event Log 

Text file 

ODBC database 

Live audit feed 

If you are unsure how and where the Authentication Server is recording audit messages, open 

the Authentication Server Configuration GUI and click on the Auditing tab. 

16.1.1 Windows Event Log 

Filter for audit messages from the Authentication Server by: 

1. Click on View -> Filter... 

2. Select VACMAN Middleware 3 from the Event Source drop down list. 


16.1.2 Text file 

To view audit messages written to a text file by the Authentication Server, either open the text 

file direct, or use the Audit Viewer. 

See 12.1 Text File for information on configuring the Authentication Server to write audit 

messages to a text file and viewing audit text files in the Audit Viewer. 

16.1.3 ODBC Database 

To view audit messages written to an ODBC database by the Authentication Server, open the 

Audit Viewer. 

See 12.3 ODBC Audit Message Database for information on configuring the Authentication 

Server to write audit messages to an ODBC database and viewing audit messages from the 

database in the Audit Viewer. 



16.2 Tracing 

16.2.1 Authentication Server 

If you are having problems starting the Authentication Server or logging in via the 

Authentication Server, enabling tracing may allow you to track down the cause. 

1. Open the Authentication Server Configuration. 

2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of 

the Product Guide for more information). 

3. Enter a path and filename to which tracing information should be written, or use the 

default. 


5. Attempt a login. 

6. Check the trace file for information on the start-up conditions of the Authentication 

Server and of the login attempt. 

16.2.2 Web Sites 

Enabling tracing for the User Self Management Web Site or the OTP Request Site may allow 

you to find the cause of problems experienced. It is important that the Web Site not only have 

tracing enabled, but that it has sufficient permissions to access and write to the designated 

trace file. 

16.2.2.1 Enable Tracing 

1. Open the Configuration GUI for the Web Site. 



3. Enter a path and filename to which tracing information should be written. 


16.2.2.2 Trace File Permissions 

Permissions need to be set to allow the Web Sites to access and write to the trace file. By 

default, the trace file is stored in \log. Follow these steps for the folder the 

trace file will be written to. 

1. Open Windows Explorer and browse to the directory that the trace file will be written to 

(\log by default). 

2. Right-click on the relevant directory. 

3. Select Properties. 



The Properties window will be displayed. 


5. Ensure that the IUSR_ account has Read and Write permissions 

ticked. 

6. If changes need to be made to the permissions, make changes and click on the Apply 

button. 



Adding IUSR_ account 

If the IUSR_ account is not listed for the trace file directory, you will need to 

add it manually. 

1. Click on the Add… button 

The Select Users, Computers, or Groups window will be displayed. 

2. Click on the Advanced… button. 

3. Enter search criteria (see example below) and click on the Find Now button. 

If no search criteria are entered, a list of all users and groups in the selected location 

will be returned. 

4. Select the IUSR_ account. 

5. Click on the OK button. 

6. Check that the IUSR_ account is listed. 



7. Click on the OK button. 

8. The account should now be listed in the Security group and user list. 

16.2.3 Message Delivery Component 

16.2.3.1 Enable Tracing 

1. Open the Configuration GUI for the Message Delivery Component. 



3. Enter a path and filename to which tracing information should be written. 


16.3 Open Port Numbers on Firewall 

The Authentication Server uses several different ports to communicate. If these are blocked by 

a firewall, some features will not work correctly. Listed below are the ports used by the 

Authentication Server, and the default port number used for each. 

16.3.1 Incoming Ports 

Table 66: List of Incoming Ports Used by the Authentication Server 

Port Default Configuration Source 

API Port 20003 Authentication Server 

Configuration – Authentication 

Server tab (API Port field) 

RADIUS 

Authenticatio 

n Port 

RADIUS 

Accounting 

Port 

1812 Authentication Server 

Configuration - Authentication 

Server tab (Authentication Port 

field) 


Configuration - Authentication 

Server tab (Accounting Port 

field) 

Administration MMC 

Interface (ODBC or 

embedded database only) 

Command Line 

Administration (ODBC or 

embedded database only) 

Replication from other 


IIS Modules (version 3.x) 

RADIUS Clients 

RADIUS Back-End Servers 

RADIUS Clients 

RADIUS Back-End Servers 



Port Default Configuration Source 

VM2 

Compatibility 

Add-on Port 

Live Audit 

Port 

20004 Configuration file for 



Configuration 

Audit Viewer (Audit Source 

property sheet) 

16.3.2 Outgoing Ports 

IIS Modules (version 2.x) 

Audit Viewer 

Table 67: List of Outgoing Ports Used by the Authentication Server 

Port Default Configuration Destination Notes 

API Port 20003 Authentication Server 

Configuration – Replication tab 

(outgoing 

RADIUS 


Port 

RADIUS 

Accounting 

Port 

1812 Administration MMC Interface – 

Back-End Server records 

(Authentication Port field) 

1813 Administration MMC Interface – 

Back-End Server records 

(Accounting Port field) 

LDAP Port 389 Authentication Server 

Configuration – Active Directory 

Connection tab (Unencrypted 

Port field in Configuration 

Domain and/or other Domain 

details) 

LDAPS Port 636 Authentication Server 

Configuration – Active Directory 

Connection tab (Encrypted Port 

field in Configuration Domain 

and/or other Domain details) 

Replication to other 


RADIUS Server using 

Authentication IP address 

from Back-End Server 

record. 

RADIUS Server using 

Accounting IP address from 

Back-End Server record. 

Active Directory (if 'Encrypt 

Remote Connections' is 

disabled in the Domain 

details) 

Active Directory (if 'Encrypt 

Remote Connections' is 

enabled in the Domain 

details) 

If Authentication Server 

is installed on a Domain 

Controller, an external 

connection will not be 

required for that 

domain. 

If Authentication Server 

is installed on a Domain 

Controller, an external 

connection will not be 

required for that 

domain. 

Database Port ODBC Driver ODBC Database Not required for 

embedded database 

option. 

Configuration is 

database-dependent. 

16.4 Installation Check 

The information in this section will enable you to check that various files have been installed in 

the correct locations and registered (where required), and Windows registry entries have been 

created and the correct values inserted. 

16.4.1 Installation Log File 

Check the log file created during the installation of VACMAN Middleware. The log file should be 

found in \install.log. 



Example Log Entries 

File successfully created 

CreateDirectory: "C:\Program Files\VASCO\VACMAN Middleware 3\Bin" (1) 

File: overwriteflag=0, allowskipfilesflag=2, name="aal3ad30.dll" 

File: wrote 2416640 to "C:\Program Files\VASCO\VACMAN Middleware 3\Bin\aal3ad30.dll" 

DLL could not be registered 

Error registering DLL: Could not load dpmmccom.dll 

16.4.2 Registry Entries 

Table 68: Registry Entries 

General 

Registry Path Key Name Value Notes 

HKEY_LOCAL_MACHINE\ 

Software\VASCO Data Security\ 



InstalledProducts\ 



InstalledComponents\ 

HKEY_LOCAL_MACHINE\Softwar 

e\VASCO Data 

Security\VACMAN Middleware 3\ 



e\VASCO Data Security\MMC 

Admin Interface\ 













InstallDirectory Typically c:\program 

files\VASCO\VACMAN Middleware 3 

VACMAN 

Middleware 

1 1 = installed 

0 = not installed 

If the Pack has been incorrectly 

installed, the key will typically be 

missing rather than having a value 

of 0. 

Check the recorded version numbers 

for various components. 

Version 1.0.0. Version number for the VACMAN 


ApiLibrary \Bin\ 

aal3ad30.dll 


aal3seal30.dll 

DialogLibrary \Bin\ 

dpwxlib.dll 

HelpFile \Doc\ 

Admin_MMC_Interface_A 

D_Help.chm 

HelpFile \Doc\ 

Admin_MMC_Interface_ 

ODBC_Help.chm 




AD U&C Extension\ 





aal3ad30.dll 

DialogLibrary \Bin\ 

dpwxlib.dll 

Included only where Active Directory 

is used as the data store. 

Included only where an ODBC 

database is used as the data store. 

Included only where Active Directory 

is used as the data store. 

Included only where an ODBC 

database is used as the data store. 



Registry Path Key Name Value Notes 




Message Delivery Component 


System\CurrentControlSet\ 

Services\EventLog\Application\ 

Virtual Digipass Message 

Delivery Component\ 


System\CurrentControlSet\ 

Services\EventLog\Application\ 

Virtual Digipass Message 

Delivery Component\ 

Note 

HelpFile \ Doc\ 

AD_Extension_Help.chm 

EventMessageFile \Bin\ 

mdcserver.exe 

TypesSupported 1 1 = EVENTLOG_ERROR_TYPE 

See 9.2.1 Configuration Settings for VASCO CGI configuration settings in 

the Windows registry. 

16.4.3 Check Permissions 

Table 69: Permissions Required 

Directory or File Permission(s) required Notes 

User Self Management Web Site (IIS) 

/dpselfservice/cgi execute 

\UserSite\CGI\usercgi.exe 

OTP Request Site (IIS) 

/requestotp/cgi execute 

execute This is required on Windows Server 

2003 only. 

\VDPSite\CGI\vdpcgi.exe execute This is required on Windows Server 

2003 only. 

16.4.4 Authentication Server Registered in Active Directory 

Domain 

If Active Directory is used as the data store, check that the Authentication Server is registered 

in the relevant Active Directory domain(s): 

1. Open Active Directory Users and Computers. 

2. Click on Users. 

3. A list of Windows Users and Groups will be displayed in the Result pane. 

4. Double-click on the RAS and IAS Servers group. 

5. Check that the Authentication Server is listed in the group members. 

If the Authentication Server is not registered in the domain, add it to the group. 



16.4.5 Default Policy and Component Created 

A default Policy and a Component for the Authentication Server should have been created 

during the installation. If they have not been created, the Authentication Server will not 

process authentication requests. 

Note 

These steps should only be followed if the Policies and Components have not 

been modified since installation. 

To check that Policies and Components were created successfully during installation: 


2. Click on the Policies node. 

A Policy named VM3 Administration Logon should be included in the Policies List. 


4. Check that a Component named Authentication Server is included in the Components 

List. 

5. Double-click on the Authentication Server Component record. 

The Component Properties window will be displayed. 

6. VM3 Administration Logon should be selected in the Policy drop down list. 


VACMAN Middleware Administrator Reference Audit Messages 

17 Audit Messages 

To set up auditing in the Authentication Server, see 11.1.8 

17.1 Audit Message Listing 

Table 70: Audit Messages List 

Message 

Code 

Auditing. 

Description Notes 

E000001 A system error has occurred. This message is used whenever there is a general 

processing error. It will contain full details of the error. 

E001001 The Digipass Plug-In failed to start up. The Plug-In encountered a fatal error on startup such as an 

invalid or missing configuration file. 

E001002 The Digipass Plug-In has been forced 

into the disabled state. 

E001003 The Authentication Server failed to start 

up 

E002001 The Active Directory AAL3 library failed 

to initialize. 

E002002 The Digipass Authentication library 

failed to initialize. 

E002004 The RADIUS protocol handler failed to 

initialize. 

E002006 The Replication library failed to 

initialize. 

E002007 Initialization of a Replication destination 

server failed. 

E002008 The Authentication Server protocol 

handler failed to initialize. 

E002009 The VM2 Compatibility protocol handler 

failed to initialize. 

The Plug-In has started up, but is in a disabled state in 

which it will not process authentication requests. This is 

typically due to a license problem (an invalid or missing 

License Key in the Plug-In's Component record); an invalid 

Component Location setting in the configuration file; or a 

missing Component record for the Plug-In. 

The Authentication Server encountered a fatal error on 

startup. This is typically due to an invalid or missing 

configuration file or failure to connect to the data store. 

The Active Directory 'AAL3' library encountered a fatal 

error on initialization, eg. invalid configuration settings in 

the configuration file. 

The 'Authentication' library encountered a fatal error on 

initialization, eg. invalid configuration settings in the 

configuration file. 

The protocol handler that receives and processes RADIUS 

requests did not start up. This may be because of a 

missing License Key in the Authentication Server 

Component record, or because the License Key in that 

Component record does not enable RADIUS support. Look 

for the line RADIUS=Yes in the License Key details. 

A common reason for this error, when RADIUS is enabled 

in the License Key, is that the RADIUS ports are already in 

use by another process on the machine. 

Alternatively, the configuration settings may be invalid. 

The Replication library encountered a fatal error on 

initialization, eg. invalid configuration settings in the 

configuration file. 

The Replication library found the configuration of a 

Destination Server to be invalid. The library will still start 

up if its main configuration settings are valid and there is 

at least one valid Destination Server. For the invalid 

Destination Servers, this audit message is generated. 

The protocol handler that receives and processes 

administration requests and authentication requests from 

the IIS modules failed initialization. This is typically due to 

invalid configuration settings or because the API port is 

already in use by another process on the machine. 


authentication requests from the VACMAN Middleware 



Message 

Code 

E009001 An error occurred in the Virtual Digipass 

Message Delivery Component. 

E012001 The RADIUS Profile was not found in 

Steel-Belted RADIUS. 

E012002 The RADIUS Attribute was not known by 

Steel-Belted RADIUS. 

E013001 A connection to an ODBC data source 

could not be established. 

E013002 A connection to an ODBC data source is 

broken. 

W004001 A connection attempt to Active 

Directory failed. 

W004004 A connection attempt to a Replication 

destination server failed. 

W005001 A connection to Active Directory has 

terminated due to an error. 


version 2 IIS modules failed initialization. This is typically 

due to invalid configuration settings or because the API 

port is already in use by another process on the machine. 

The MDC encountered an error during the process of 

submitting a request to the HTTP gateway and interpreting 

the response. This may indicate a configuration problem for 

the gateway or connectivity issues. The audit message may 

contain further details from the gateway. 

When a RADIUS Profile name is in the Digipass User 

Account but that name is not found in SBR, the login is 

failed with this error. 

This can also occur if there is no RADIUS Profile in the 

Digipass User Account, but there is a Default RADIUS 

Profile configured that was not found in SBR. 

When the Digipass User Account has a RADIUS attribute in 

its Authorization Profiles/Attributes list, the attribute 

must be found in SBR. When such an attribute is not 

known to SBR, the login is failed with this error. 

The most likely reason for this error to occur is that the 

spelling of the attribute Name is different in SBR compared 

to the Digipass User account. This may also occur if the 

Value of the attribute does not convert to the correct data 

type expected by SBR. For example, if an IP address 

attribute has a Value which is not a representation of an IP 

address. 

An attempt to connect to an ODBC data source failed. This 

may occur because: 

the database is unavailable for some reason such as 

rebooting 

the database is too busy temporarily to service the 

connection 

there are networking problems 

your credentials used in connecting to the database 

are invalid. 

An established connection to an ODBC data source has 

broken. This may occur because: 

the database suddenly becomes unavailable for some 

reason such as rebooting 

the database becomes too busy temporarily to 

service the connection 

there are networking problems. 

An attempt to connect to an Active Directory Domain 

Controller failed. This may occur because: the Domain 

Controller is unavailable for some reason such as 

rebooting; the Domain Controller is too busy temporarily to 

service the connection; or there are DNS or networking 

problems. 

An attempt by the Replication library to connect to a 

Destination Server failed. This may occur because: the 

incorrect IP address or port is configured; the Destination 

Server is unavailable for some reason such as rebooting; or 

there are networking/connectivity problems such as an 

intermediate firewall blocking the port. 

An established connection to an Active Directory Domain 

Controller has broken. This may occur because: the 



Message 

Code 

W005004 A connection to a Replication 

destination server has terminated due 

to an error. 

W006001 An invalid RADIUS packet has been 

received. 

W006002 A RADIUS request has been received 

from an unknown source. 

W006003 A request has been received from a 

RADIUS Client with no Shared Secret 

defined. 

W006004 A RADIUS request forwarded by this 

server has been received – there must 

be a circular proxy chain. 

W006005 An Access-Challenge received from the 

RADIUS Server cannot be handled. 


Domain Controller suddenly becomes unavailable for some 

reason such as rebooting; the Domain Controller becomes 

too busy temporarily to service the connection; or there 

are DNS or networking problems. 

An established connection to a Destination Server has 

broken. This may occur because the Destination Server 

suddenly becomes unavailable for some reason such as 

rebooting, or because of a temporary networking or 

connectivity problem. 

A RADIUS request received was invalid (did not conform to 

the RADIUS protocol). The request is discarded. 

This can also occur when a response is received from a 

RADIUS Server to which a request was forwarded, if the 

response was invalid. The response is discarded. 

A RADIUS request was received but there is no RADIUS 

Client Component for the source of the request, and there 

is no “default” RADIUS Client Component. The request is 

discarded. 

This audit message will be repeated at intervals when the 

same unknown source sends requests, but not for every 

request. 

A RADIUS request was received where there is a RADIUS 

Client Component for the source of the request, but that 

Component record does not have a Shared Secret defined. 

Therefore, it is not possible to handle the request and it is 

discarded. 

This will not occur if there is a “default” RADIUS Client 

Component that has a Shared Secret. 

This audit message will be repeated at intervals when the 

same source sends requests, but not for every request. 

This can occur when the Authentication Server forwards a 

request to a RADIUS Server, and the RADIUS Server 

forwards the request back, due to its own proxy rules. It 

can also occur indirectly in a longer 'proxy chain'. The 

request is discarded, otherwise an infinite loop could be 

created. 

If this occurs, there must be an error in the proxy 

configuration of the RADIUS Server(s). 

This can occur when the Authentication Server forwards a 

request to a RADIUS Server and the RADIUS Server 

responds with an Access-Challenge. An Access-Challenge 

can only be handled when the Authentication Server 

forwards the password unmodified to the RADIUS Server. 

If the Authentication Server verifies an OTP and forwards 

the static password to the RADIUS Server, it is not possible 

to handle an Access-Challenge from the RADIUS Server. 

W006006 A RADIUS Server is not responding. The Authentication Server has not managed to get a 

response from the RADIUS Server for some time. This 

message indicates that there may be a problem with the 

RADIUS Server. 

W009001 Virtual Digipass One Time Password 

delivery failed. 

W010001 A blank password was used for Back- 

End Authentication, as Stored Password 

The MDC could not successfully deliver a text message via 

the HTTP gateway. The audit message should contain 

further details from the gateway. 

This message only occurs when the Back-End 

Authentication setting is Always. 



Message 

Code 


Proxy is disabled and the user did not 

enter a static password. 

W011001 A Backup Virtual Digipass quota of uses 

has been finished. 

W011002 No Digipass was found to assign to a 

new Digipass User Account for Auto- 

Assignment. 

W011003 A Digipass User Account has become 

locked. 

W012002 A Replication update received has been 

ignored, as the local data is more up-todate. 

W012003 A Replication queue entry has not been 

inserted. 

W013001 An invalid request has been received by 

the Authentication Server. 

W013002 A request has been received by the 

Authentication Server from an unknown 

source. 

When Stored Password Proxy is disabled, the 

Authentication Server does not pass on the password 

stored in the Digipass User Account to Windows for Back- 

End Authentication. If a User does not enter their password 

as well as their OTP, the login will fail because their 

password has not been provided to Windows. 

BVDP Uses Remaining has just been decremented to 0 

for a Digipass. The User will not be able to use that 

Digipass for Backup Virtual Digipass logins until the Uses 

Remaining is increased or cleared. 

No available Digipass were found for Auto-Assignment. 

This may be because: there were no unassigned Digipass 

in the right location; the unassigned Digipass did not 

conform to Policy restrictions; the unassigned Digipass 

were Reserved for individual assignment. 

The location in which the Authentication Server searches 

for available Digipass records can be controlled to some 

extent using the Search Upwards in Org. Unit 

hierarchy setting. 

A User just exceeded the User Lock Threshold of failed 

logins and their Digipass User Account is now Locked. 

Administrator action is required to unlock the account. 

The Authentication Server has received a data update from 

another Authentication Server via the Replication process, 

but its local data is already newer than the data received 

via Replication. 

It is normal that this can occur, but it can also indicate a 

potential synchronization issue. 

This can occur when a replication queue has reached its 

maximum size. This is most likely to occur when the 

destination server is down or cannot be contacted due to a 

networking problem. 

The Authentication Server has received an invalid 

authentication, administration or Replication request. 

The Authentication Server has received an authentication, 

administration or Replication request from an unknown or 

unauthorized source. If the request was from a valid 

source, this message indicates that a Component record is 

missing (or that a required restart of the Service has not 

been made since the creation of the necessary Component 

record). 

W014001 The License Key is missing or invalid. A valid, unexpired license key is required to process any 

kind of authentication request. This message will be 

generated periodically when authentication requests are 

received by the Authentication Server, when it does not 

have a valid License Key. 

I001001 The Digipass Plug-In has started up 

successfully. 

I001002 The Authentication Server has started 

up successfully. 

I002001 The Active Directory AAL3 library has 

been initialized successfully. 

Configuration details are given in the audit message. 


Note that the Authentication Server can start up 

successfully even if a component such as the RADIUS 

protocol handler does not start up successfully. 

The Active Directory 'AAL3' library has completed 

initialization. Configuration details are given in the audit 



Message 

Code 

I002002 The Digipass Authentication library has 

been initialized successfully. 

I002004 The RADIUS protocol handler has been 

initialized successfully. 

I002006 The Replication library has been 

initialized successfully. 

I002007 Initialization of a Replication destination 

server succeeded. 


I002008 The Authentication Server protocol 

handler has been initialized successfully. 

I002009 The VM2 Compatibility protocol handler 

has been initialized successfully. 

I003001 The Digipass Plug-In has shut down. 

I003002 The Authentication Server has shut 

down. 

I004001 A connection attempt to Active 

Directory was successful. 

I004004 A connection attempt to a Replication 

destination server was successful. 

I005001 A connection to Active Directory has 

been terminated normally. 

I005002 A connection to Active Directory has 

been timed out for load-balancing. 

I005004 A connection to a Replication 

destination server has been terminated 

normally. 

I006001 A RADIUS Access-Request has been 

received. 

I006002 A RADIUS Accounting-Request has been 

received. 

I006003 A RADIUS Server has started 

responding again. 

I007001 A RADIUS Access-Accept has been 

issued. 

message. 

The 'Authentication' library has completed initialization. 


The protocol handler that receives and processes RADIUS 

requests started up. Configuration details are given in the 

audit message. 

The Replication library was initialized successfully. 


The Replication library initialized a Destination Server 

successfully. Configuration details are given in the audit 

message. 


administration requests and authentication requests from 

the IIS modules was initialized successfully. Configuration 

details are given in the audit message. 


authentication requests from the VACMAN Middleware 

version 2 IIS modules was initialized successfully. 



Controller has ended with a normal disconnection. 


Controller has been ended for load-balancing purposes. 

Periodically the connections will be dropped and new ones 

established, in case there is a less busy Domain Controller 

available. The time period is defined by the configuration 

setting Max-Bind-LifeTime in the file, in minutes. 

An established connection to a Replication Destination 

Server has ended with a normal disconnection. 

The Authentication Server has received an Access-Request. 

The audit message will indicate what action will be taken as 

well as key details of the request. 

The Authentication Server has received an Accounting- 

Request. The audit message will indicate what action will 

be taken as well as key details of the request. 

After the Authentication Server had not managed to get a 

response from the RADIUS Server for some time, this 

message indicates that it is responding again. 

The Authentication Server has accepted an Access- 

Request. Note however that it is still possible that after the 

Authentication Server has accepted the request, another 

component of the overall process may still decide to reject 

the request ultimately. 



Message 

Code 

I007002 A RADIUS Access-Challenge has been 

issued. 

I007003 A RADIUS Access-Reject has been 

issued. 

I007004 A RADIUS Accounting-Response has 

been issued. 

I008001 A Digipass has been moved for 

assignment to a user. 

I008002 A user-to-user link has been removed 

due to assignment of a Digipass. 

I009001 A Virtual Digipass One Time Password 

has been delivered. 


The Authentication Server has issued a challenge, either 

Challenge/Response or Virtual Digipass. 

The Authentication Server has rejected an Access-Request. 

The Authentication Server has acknowledged an 

Accounting-Request. Note however that unless the request 

is forwarded to a RADIUS Server, no processing is carried 

out by the Authentication Server. 

Upon assignment of a Digipass to a User, if the Digipass is 

not already in the same location (Organizational Unit) as 

the User, it is moved to that location. 

If a Digipass User Account is linked to another in order to 

share the Digipass, it must not have a Digipass assigned 

itself. If a Digipass is assigned, the link will be broken. 

The MDC successfully delivered a text message via the 

HTTP gateway, as reported by the gateway. The audit 

message may contain further details from the gateway. 

Note that depending on the gateway, it may still be 

possible for delivery to fail after the gateway has reported 

success. 

I010001 User authentication was not handled. The Authentication Server decided not to handle an 

authentication request due to Policy and/or Digipass User 

Account settings. The main reasons why this may occur 

are: the effective Local Authentication and Back-End 

Authentication settings were both None; the User failed 

the Windows Group Check, using the Pass requests for 

users not in listed groups back to host system option. 

Note that the 'effective' settings are the effective settings 

of the Policy, unless the Digipass User Account overrides 

the Policy. 

I010002 A stored password change was 

unhandled. 

I011001 A Digipass Grace Period has been ended 

by the use of a One Time Password. 

I011002 A Backup Virtual Digipass expiration 

date has been set due to the first 

request for a Virtual One Time 

Password. 

I011003 A Backup Virtual Digipass time limit has 

been expired by the use of the normal 

One Time Password. 

The Authentication Server decided not to handle a 

password change request due to Policy and/or Digipass 

User Account settings. The main reasons why this may 

occur are: the effective Local Authentication and Back- 

End Authentication settings were both None; the User 

failed the Windows Group Check, using the Pass 

requests for users not in listed groups back to host system 

option. 



the Policy. 

The first time that an assigned Digipass is used 

successfully to log in, if a Grace Period is still active, it is 

ended immediately. They must continue to use their 

Digipass to log in after that point. 

A User has requested a Backup Virtual Digipass OTP for the 

first time, when the effective Backup VDP Enabled 

setting is Yes – Time Limited and they did not already have 

an Enabled Until date set on their Digipass. At this time, 

they are given the Time Limit from the Policy by adding it 

to the current date. 

A User who has been using Backup Virtual Digipass has 

used their normal OTP login using the Digipass again. 

When the effective Backup VDP Enabled setting is Yes – 

Time Limited, using the normal OTP login ends their time 



Message 

Code 

I011004 A Backup Virtual Digipass quota of uses 

has been set due to the first request for 

a Virtual One Time Password. 

I011005 A Digipass User Account has been 

created using Dynamic User 

Registration. 

I011006 A new static password has been stored 

using Password Autolearn. 

I011007 A Digipass has been assigned to a new 

Digipass User Account using Auto- 

Assignment. 

I011008 A Digipass has been assigned to a 

Digipass User Account using Self- 

Assignment. 

I011009 A Digipass challenge has been issued 

for a Self-Assignment attempt. 


limit immediately. This is done by setting the Enabled 

Until date on their Digipass to the current date. 

An administrator action is required to reset their Enabled 

Until date, if the User is to be allowed to use Backup 

Virtual Digipass again. 

A User has requested a Backup Virtual Digipass OTP for the 

first time, when the effective Backup VDP Max. 

Uses/User setting is greater than 0 and they did not 

already have a Uses Remaining date set on their 

Digipass. At this time, they are given the Max. Uses/User 

limit from the Policy. 

A Digipass User Account has been created automatically 

upon successful Back-End Authentication. This occurs 

when the Dynamic User Registration feature is enabled. 

A new static password has been stored in the Digipass User 

Account after successful Back-End Authentication. This 

occurs when the Password Autolearn feature is enabled. 

Upon creation of a new Digipass User Account through 

Dynamic User Registration, an available Digipass has 

been assigned to the new account automatically. This 

occurs when the Auto-Assignment feature is enabled. 

A User has successfully assigned a Digipass to themselves 

using the Self-Assignment feature. 

A User has obtained a challenge during an attempt to 

assign a Digipass to themselves using the Self- 

Assignment feature. In order to complete the assignment, 

they must provide the correct response to the challenge 

from the Digipass. 

I011010 A user has changed their Digipass PIN. A User has changed their Server PIN during their login, or 

set it up on first use or after a PIN reset. 

I013001 A connection to an ODBC data source 

has been made successfully. 

I013002 A connection to an ODBC data source 

has been terminated normally. 

S001001 A query for a single [object] record was 

successful. 

S001002 A query for [object] records was 

successful. 

S001003 A command of type [object] [command] 

was successful. 

An established connection to an ODBC data source has 

ended with a normal disconnection. 

The Authentication Server or an administrator has made a 

successful query to the data store for a single record. In 

the case of the Authentication Server this may be a search 

for its Component record; for an administrator it could be 

any single record query. The audit message has details of 

the record found. 

The Authentication Server or an administrator has made a 

successful query to the data store for some records. In the 

case of the Authentication Server this may be a search for 

a RADIUS Client Component record; for an administrator it 

could be any list query. The audit message has details of 

the records found but this may be truncated. 

An administrator has issued a successful data modification 

command such as an update of settings or one of the 

Digipass Application operations like Reset PIN. The audit 

message has details of the command and results. 

S002001 User authentication was successful. The 'Authentication' library has passed authentication for a 

request. Note however that the Authentication Server or 



Message 

Code 


another component of the overall process may still decide 

to reject the request ultimately. 

S002002 User authentication issued a challenge. The 'Authentication' library has issued a challenge for an 

authentication request, either Challenge/Response or 

Virtual Digipass. 

S002004 A stored password change was 

successful. 

S003001 A Replication update was sent 

successfully. 

S003002 A Replication update received has been 

processed successfully. 

The Authentication Server has successfully processed a 

password change request. 

This message is audited at the source server, when a 

database change is sent to a destination server and 

processed successfully. 

This message is audited at the destination server, when a 

database change is received and processed successfully. 

S004001 An administrative logon was successful. An administrative logon to the Authentication Server was 

successful. 

S004002 A Live Audit connection was successful. A Live Audit connection to the Authentication Server was 

successful. 

F001001 A query for a single [object] record 

failed. 

The Authentication Server or an administrator has made an 

unsuccessful query to the data store for a single record. In 


for its Component record; for an administrator it could be 

any single record query. The audit message has basic 

details of the failure, but there should be a preceding 

E000001 with more details. 

F001002 A query for [object] records failed. The Authentication Server or an administrator has made an 

unsuccessful query to the data store for some records. In 


for a RADIUS Client Component record; for an 

administrator it could be any list query. The audit message 

has basic details of the failure, but there should be a 

preceding E000001 with more details. 

F001003 A command of type [object] [command] 

failed. 

An administrator has issued an unsuccessful data 

modification command such as an update of settings or one 

of the Digipass Application operations like Reset PIN. The 

audit message has basic details of the failure, and there 

may be a preceding E000001 with more details. 

F002001 User authentication failed. The 'Authentication' library has failed authentication for a 

request. The audit message has details of the failure (see 

18 Error and Status Codes) and there may be a preceding 

E000001 with error details. 

F002003 A stored password change failed. The Authentication Server has not processed a password 

change request. The audit message has details of the 

failure (see 18 Error and Status Codes) 

and there may 

be a preceding E000001 with error details. 

F003001 Sending a Replication update was 

unsuccessful. 

F003002 Processing a Replication update 

received was unsuccessful. 

This message is audited at the source server, when a 

database change is not sent to a destination server 

successfully, or it was sent but the processing at the 

destination was unsuccessful. 

This message is audited at the destination server, when a 

database change is received but is not processed 

successfully. 

F004001 An administrative logon was rejected. The 'Authentication' library has failed an administrative 

login request. The audit message has details of the failure 

(see 18 Error and Status Codes) 

and there may be a 



Message 

Code 


preceding E000001 with error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for example 

if the user's credentials were OK but they did not have 

Administrative Logon privilege. 

F004002 A Live Audit connection was rejected. The 'Authentication' library has failed a Live Audit 

connection request. The audit message has details of the 

failure (see 18 Error and Status Codes) 

and there may 

be a preceding E000001 with error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for example 

if the user's credentials were OK but they did not have 

Administrative Logon or Live Audit Connection privilege. 



17.2 Audit Message Fields 

Table 71: Audit Messages Fields 

Display Name Description 

Area Area of code/functionality in which the audit event occurred. Eg. “Active Directory search”. 

Operation Operation being attempted/processed when the audit event occurred. 

Error Code Standard error code. 

Error Message Fixed error message corresponding to ERROR_CODE. 

Error Details Full dump of 'error stack'. 

Source Location Location of source of audit message, typically IP address or host name. 

Server Location When the server itself is not the source of the audit message, this is the location of the 

server (IP/host name). 

Client Location When the client itself is not the source of the audit message, this is the location of the client 

(IP/host name). 

Version Full version string. Eg. “2.5.2.0045”. 

Data Source Type of data source. Eg. “File”, “Registry”. 

Data Source Location Specific location of data source. Eg. for a File, the path/filename. 

Configuration Details Breakdown of configuration settings. 

Outcome Outcome of an attempt to do something. Eg. “Success”, “Failure”, “Challenge”. 

Reason Generally a short phrase indicating a reason for a failure. 

Characteristics Space-separated list of keywords indicating characteristics of interest. Eg. for a connection 

attempt, keywords such as “SSL” , “TCP”, “IPv6” may be useful. 

User ID UserID. Can be in various formats, unless it refers to a Digipass User Account UserID, when 

it must be exact (SAM-Account-Name). 

Domain Domain name (FQDN). 

Credentials What kind of credential was offered for a connection/login attempt. Eg. “Password”, “None”. 

Session ID Session identifier. 

Serial No Digipass Serial No. 

Application Digipass Application Name. 

Request ID Any request identifier(s). Eg. a RADIUS packet ID. 

Password Protocol The way in which a password is encoded. Eg. “PAP”, “CHAP”, “MS-CHAP1”, “MS-CHAP2”. 

Input Details Breakdown of request parameters/attributes. 

Action Intended action to take for a request received. Eg. “Ignore”, “Process”. 

Output Details Breakdown of response parameters/attributes. 

Policy ID Name of Policy used to handle a request. 

Mobile No Mobile phone no. for sending a text message. 

From Location from which something is moved. Eg. an Active Directory location. 

To Location to which something is moved. Eg. an Active Directory location. 

User Link Identification of user to which another user is linked. 

Message This is used where something external (eg. the MDC) returns a message for auditing. 

Expiration Date Value of an expiry date such as Grace Period. 

Quota Value of a quota such as Backup Virtual Digipass Uses Remaining. 

Local Authentication Whether Local Authentication was done or not. 

Back-End 


If Back-End Authentication was done, the Back-End Protocol used, otherwise “None”. 



Display Name Description 

Object Name of data object of query/command. 

Command Name of command. 

Downtime Length of downtime in minutes. 

Fields The list of fields to be returned by the query, or 'All Fields'. 

RADIUS Profile Name of RADIUS Profile (eg. for Funk SBR). 

Request Type Type of request or response, eg. “Access-Request”, “Access-Accept”, “Access-Reject”. 


VACMAN Middleware Administrator Reference Error and Status Codes 

18 Error and Status Codes 

This section lists the standard error and status codes with the associated messages. 

18.1 Error Code Listing 

Table 72: Error Code List 

Error 

Code 

0 (No error) 

Message Notes 

-1 An unspecified error occurred This error code may occur when a more specific error code is 

not available or was recorded separately. 

-2 The parameters supplied were invalid Parameters supplied to a function or command were invalid. 

-3 A memory error occurred Memory allocation failed. This is normally due to the system 

running low on memory. 

-10 A communications error occurred Inter-process or inter-component communication failed. This 

may also occur with communications to Active Directory or a 

database. This error is normally accompanied by further details. 

-11 A license error has occurred General-purpose license failure when a more specific code is 

not available or was recorded separately. 

-12 An operating system call failed A system call failed. This may include file handling, Active 

Directory Services Interface and other calls. It is normally 

accompanied by further details. 

-13 The object was not found An attempt was made to perform an operation on an object, 

such as an Active Directory object, but the object did not exist. 

For example, this may occur when one administrator deletes a 

record that another administrator is about to update, when the 

update operation is attempted. 

-14 The object already exists An attempt was made to create an object, such as an Active 

Directory object, but the object already exists. For example, 

this may occur when two administrators try to create the same 

record at the same time. 

-15 The supplied buffer was of the 

incorrect size 

An internal data buffer was of insufficient length to hold the 

data required. 

-16 A version error has occurred A version mismatch has occurred. Further details in the error 

record will indicate what versions were mismatched. 

-17 The supplied data are invalid General-purpose error when input data to an operation is 

incorrect. Further details of the error will be recorded. 

-18 The object is invalid An attempt was made to perform an operation upon an object 

type that was not recognized. 

-19 The command is invalid An attempt was made to perform an operation using a 

command that was not recognized. 

-20 The object is in use An attempt was made to delete an object, such as an Active 

Directory object, but that object was in use. 

This may occur when you try to delete a Policy, but another 

Policy inherits from the one you are deleting, or a Component 

uses the Policy. 

-21 The operation is not supported General-purpose error when an operation is attempted on an 

object that does not support it. For example, an attempt is 

made to generate a Virtual Digipass OTP using a Digipass that 

is not enabled for Virtual Digipass. 



Error 

Code 

Message Notes 

-22 An object error has occurred General-purpose error on an operation on an object. This 

should be supplemented with more specific details. 

-23 A required field was missing An operation was attempted without specifying one or more 

mandatory input fields. 

-24 Auditing failed An operation failed because auditing was mandatory, but failed. 

-30 The configuration is invalid The configuration data in the configuration file are invalid. The 

error record should indicate which specific data were invalid. 

-31 A type mismatch has occurred General-purpose error when one datatype is expected but a 

different datatype was provided. 

-32 One or more objects were not 

initialized 

Internal initialization error. More specific error details will be 

recorded. 

-33 The cache is full An attempt was made to add an entry to a cache, but the cache 

has reached its configured maximum size. 

-34 The cache entry has reached the 

maximum reference count 

-35 The system is currently too busy to 

service the request 

An attempt was made to retrieve an item from a cache, but the 

item was already in use and the configuration indicates a limit 

on the number of times an item can be retrieved from the 

cache at one time. 

The system received a new request for processing, but hit a 

resource usage limit of some type. This indicates that the 

system is too loaded to handle the request. For example, there 

may be no spare database connection to use, even after 

waiting a short time for one to become available. 

-80 A timeout has occurred An operation failed because of a timeout. 

-140 A Digipass error has occurred General-purpose failure of a Digipass operation such as OTP 

verification, Reset PIN, Unlock, etc. This is normally 

accompanied by a more specific error code and message from 

the VACMAN Controller library. 

-150 Delivery of the Virtual Digipass One- 

Time Password failed 

A Virtual Digipass OTP was generated successfully, but delivery 

by text message failed. A separate message will give more 

details about the failure. 

-200 The license has expired The License Key has an expiration date set, and the date has 

passed. A permanent License Key must be obtained. 

-201 The license data are invalid One of the details embedded into the License Key is invalid for 

the Component in which it is being loaded. The Component will 

not be able to use the License Key. This may be IP address, 

Component Type, or any other detail that can be seen in the 

License Key text. 

-202 The License Key is corrupted The signature at the bottom of the License Key is invalid. This 

would typically occur if the License Key details were modified in 

any way. 

-250 Decryption has failed - no Storage Key 

is specified in the Encryption Settings 

-251 Decryption has failed - an incorrect 

Cipher is specified in the Encryption 

Settings 

Some encrypted data has been created or modified using 

configured, rather than default, encryption settings. This error 

occurs when that data is read by a component that does not 

have configured encryption settings – the component is 

therefore unable to decrypt the data. 

It is necessary to configure the encryption settings in the 

component. See 4 Sensitive Data Encryption for more 

information on encryption settings. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Cipher Name – the 



Error 

Code 

-252 Decryption has failed - an incorrect 

Storage Key is specified in the 

Encryption Settings 

Message Notes 

component is therefore unable to decrypt the data. 

It is necessary to make sure that the encryption settings in all 

components are identical. See 4 Sensitive Data Encryption 

for more information. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Storage Key – the 

component is therefore unable to decrypt the data. 

It is necessary to make sure that the encryption settings in all 

components are identical. See 4 Sensitive Data Encryption 

for more information. 

-300 A database error occurred General-purpose error on a database operation. This should be 

supplemented with more specific details. 

-350 The request received was discarded A replication update that was received was found to be 

superseded by a later change. In this case, the update is 

discarded, as it is no longer relevant. 

This may occur when creating a record, after a record has been 

deleted then re-created. 

It may occur when modifying a record, if a later modification 

occurred before replication could apply the first change. 

-351 The request received must be retried A replication update that was received could not be applied 

immediately. In this case, the update is rejected. The retry 

mechanism at the source server will re-send the update, 

according to its configuration settings. 

This may occur if a record does not exist yet, when trying to 

apply a modification or deletion. 

It may occur after a record has been deleted and re-created, 

when a modification of the record is replicated but the 

sequence of deletion and re-creation has not been followed in 

the correct order. 

-352 A replication queue entry had an 

invalid hash value 

When an entry was read from the replication queue before 

sending, its integrity hash value check failed. This suggests that 

the queue entry may have been modified since it was added to 

the queue. In this case, the queue entry is not trusted and an 

error is reported. 

-353 The replication queue is full An operation failed because it needed to update the database, 

but the update could not be added to the Replication queue. If 

the queue is full, no database updates are allowed, to avoid the 

databases getting too far out of synchronization. 

Check the Replication Status dialog in the Administration MMC 

Interface and the Replication audit messages to investigate why 

the queue has become full. It is necessary to reduce the queue 

size in order for the system to continue to function. 

If this error occurs often, without good reason, consider 

increasing the maximum queue size. This can be configured in 

the Replication tab of the Authentication Server Configuration 

GUI. 

-500 The Service was already started When trying to start a Service, the Service was already 

running. 

-501 The Service was already stopped When trying to stop a Service, the Service was not running. 

-10051 File name is blank. No file name was specified. 

-10052 Failed to open File. The file could not be opened. The file does not exist or the user 

attempting to open the file does not have read permission for 

the file. 



Error 

Code 

Message Notes 

-10057 User ID is longer than 255 characters. The maximum User ID length has been exceeded. 

-10059 Password is longer than 255 

characters. 

-10060 User Name is longer than 64 

characters. 

-10061 Serial Number is longer than 10 

characters. 

-10062 Serial Number is less than 10 

characters long. 

-10063 Serial Number contains nonalphanumeric 

characters. 

-10064 Organizational Unit is longer than 255 

characters. 

The maximum Password length has been exceeded. 

The maximum User Name length has been exceeded. 

The maximum Serial Number length has been exceeded. Serial 

Number must be 10 characters, with no dashes (-) and with 

leading zeros (0) to make it up to 10 characters. 

The minimum Serial Number length has not been provided. 

Serial Number must be 10 characters, with no dashes (-) and 

with leading zeros (0) to make it up to 10 characters. 

The Serial Number contains non-alphanumeric characters. 

Serial Number must be 10 alphanumeric characters, with no 

dashes (-). 

The maximum Organizational Unit length has been exceeded. 

-10065 Domain is longer than 255 characters. The maximum Domain length has been exceeded. 

-10066 Distinguished Name is longer than 

1024 characters. 

-10067 Mobile Number is longer than 64 

characters. 

-10069 A syntax error occurred reading from 

the file. 

-10070 The file contains characters that are 

not UTF-8 encoded. 

-10072 Phone Number is longer than 64 

characters. 

-10073 Email Address is longer than 64 

characters. 

-10074 No User ID was given. Either the User 

ID or, for Active Directory, the 

Dishinguished Name is needed to 

import a user. 

-10075 The Mobile No. is invalid. Only 

numbers, spaces, dashes (-) and 

brackets are allowed with a + at the 

start to indicate a country code if 

needed. 

-10076 The Phone No. is invalid. Only 

numbers, spaces, dashes (-) and 

brackets are allowed with a + at the 

start to indicate a country code if 

needed. 

-10077 The specified email address contains 

invalid characters and is not in the 

form user@domain. 

-10078 The Field Header was not found or 

invalid when reading from the file. 

The maximum LDAP Distinguished Name (DN) length has been 

exceeded. 

The maximum Mobile Phone length has been exceeded. 

A syntax error occurred while reading lines from the import file: 

double-quotes were missing; there are too many fields in the 

line; a comma is missing between fields. 

The import file must be fully UTF-8 encoded when extended or 

Unicode characters are included. This message indicates that 

non-UTF-8 characters were found in the file. 

The maximum Phone Number length has been exceeded. 

The maximum Email Address length has been exceeded. 

A User ID must be supplied to import a user. The only 

exception is when using Active Directory, it is sufficient to give 

the Distinguished Name instead of the User ID. 

The Mobile Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In addition a 

+ is allowed at the start for the country code. 

The Phone Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In addition a 

+ is allowed at the start for the country code. 

The Email Address is only allowed to include alphanumeric 

characters, @, dots (.), underscores (_) and dashes (-). 

The first line of an import file must be a header line. The 

header line is a comma-separated list of field names, indicating 



Error 

Code 

18.2 Status Code Listing 

Table 73: Status Code List 

Status 

Code 

0 No error 

 

Message Notes 

which fields are included in every other line of the file. 

This message indicates that the header line was not found, that 

it included unknown field names or that it was not a commaseparated 

list of field names. 

See the Import User Records topic in the online Help for the 

Administration MMC Interface for a definition of the import file 

header format. 

Message Notes 

The status codes from -1 downwards match the Error 

Codes above. 

1000 The credentials were invalid General-purpose failure due to invalid username or 

password, when a more specific status is unavailable. 

1002 The user failed the Windows Group 

Check 

The Authentication Server rejected an authentication 

request due to the Windows Group Check failing. This 

can occur when the effective Windows Group Check option 

is Authenticate listed groups, reject others. 

Note that the 'effective' setting is the effective setting of 

the Policy, unless the Digipass User Account overrides the 

Policy. 

1004 The challenge has expired A response to challenge has been given, but the expiration 

time for the challenge has expired. The default expiration 

time is one minute, however this can be configured in the 

configuration file VASCO/AAL3/Authlib/Challenge- 

Cache/Max-Age setting (in seconds). 

1005 The user does not have permission to 

perform the specified action 

General-purpose failure of an administration command 

when the administrator does not have sufficient privileges 

to carry out the command. 

1007 The user account is locked The Digipass User Account is Locked. This is normally due 

to consecutive login failures, as determined by the Policy 

setting User Lock Threshold. Alternatively the 

administrator can actively lock the account. 

To unlock the User account, an administrator has to 

uncheck the Locked checkbox on the User record. 

1008 The One Time Password has already 

been used 

This status code occurs specifically when an OTP is rejected 

because it has already been used. It may also occur when 

the OTP has not been used but is older than the most 

recently used OTP. 

This can sometimes happen when an authentication 

request is re-sent automatically. 

1009 The user account is disabled The Digipass User Account is Disabled. This may be 

because the administrator has actively disabled the 

account, or because the corresponding Windows User 

account has become disabled or expired. 

1010 No user account was found An authentication request was rejected because no 



Status 

Code 

Message Notes 

Digipass User account was found and Local 

Authentication is required by the Policy. 

1011 The static password was incorrect As part of Local Authentication, verification of the static 

password failed. 

1012 The One Time Password was incorrect Verification of the OTP failed. More specific details may be 

found in the VACMAN Controller error code and message. 

1013 The challenge was invalid A response to a challenge was given, but the challenge was 

not the latest one issued for that Digipass. This is 

controlled by the Check Challenge Policy setting. 

1014 The Digipass Grace Period has expired A User attempted to log in with their static password, but 

their Grace Period had already expired. They have to use a 

Digipass to log in. 

If they do not have their Digipass yet, the administrator 

will have to allow them more time by modifying the Grace 

Period End date on their Digipass record. 

1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual Digipass 

OTP, but they were not permitted. This would normally 

occur when either: 

The effective Backup VDP Enabled setting is Yes – 

Time Limited, and the Digipass Backup VDP 

Enabled Until date is the current date or before. 

The Digipass Backup VDP Uses Remaining 

counter has reached 0. 

In both cases, administrator intervention is required to 

permit the User to continue to use Backup Virtual Digipass. 

The Enabled Until or Uses Remaining limits need to be 

increased to permit this. 


the Policy, unless the Digipass record overrides the Policy. 

1016 The Digipass is not available A User attempted Self-Assignment, but the Digipass they 

requested either could not be found within the search 

scope or was already assigned to someone else. 

This may occur because of a mistyped Serial Number. 

Otherwise, the search scope may be incorrect or the 

Digipass may not be in the correct location to be made 

available to the User. See the Location of Digipass 

Records section in the Product Guide. 

1017 The user account has no mobile number 

for Virtual Digipass 

1018 No password was supplied for a Virtual 

Digipass login 

A User requested a Primary or Backup Virtual Digipass 

OTP, but it could not be delivered because the User 

account had no mobile phone number. In Active Directory 

this is the first Mobile No. on the record. 

A User attempted a Virtual Digipass login, but did not enter 

a password in the second stage of the login. See 10.1.4 

Virtual Digipass for more information. 

1019 The new password confirmation failed In a password change request, the new password was not 

confirmed correctly. 

1020 Local authentication failed General-purpose failure of Local Authentication when a 

more specific status code is not available. Additional 

information should provide more specific details. 

1021 Back-end authentication reported that 

the password has expired 

Back-End Authentication (eg. Windows) failed because 

the password was correct but it has expired. 

1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A specific 

error code and message will accompany this record. 

1030 The policy was invalid An authentication request was rejected because the 



Status 

Code 

1031 The policy does not allow a selfassignment 

attempt 

1032 Hashed passwords cannot be verified by 

Windows 

Message Notes 

applicable Policy had invalid settings or failed to load. This 

should not occur, but is possible due to the delay in Active 

Directory replication for example. The two main ways in 

which a Policy can become invalid are: 

One or more choice list settings are Default in the 

Policy, and its parent Policy if it has one. 

A circular chain of Policies has been created, for 

example: Policy A inherits from Policy B; Policy B 

inherits from Policy C; Policy C inherits from Policy A. 

The Policy must be fixed in order for authentication to be 

permitted using that Policy. 

A User attempted Self-Assignment, but it is not 

permitted under the Policy. 

An authentication request could not be processed 

successfully because Back-End Authentication using 

Windows was required, but the User's password was 

hashed. It is not possible to verify hashed passwords with 

Windows. This can occur when a CHAP-based protocol is 

used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 

and other more complex protocols that utilize a one-way 

hash of the password entered by the User. 

Note that the effective Back-End Authentication setting 

is the effective setting of the Policy, unless the Digipass 

User Account overrides the Policy. 

1033 A Digipass must be used The effective Local Authentication setting is Digipass 

Only and the User tried to log in with a static password. 



Policy. 

1034 Challenge/Response is not supported by 

CHAP-based protocols 

1035 Challenge/Response is not supported by 

Windows 2000 

Challenge/Response is only supported in RADIUS using the 

PAP protocol. An attempt was made to generate a 

challenge using a CHAP-based protocol – this includes 

CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more 

complex protocols. 

This status code can only occur in the Digipass Plug-In for 

IAS. There is a product limitation on Windows 2000 only 

that Challenge/Response is not supported. It will occur if 

the User attempted to request a challenge. 

1036 1-Step Challenge/Response is disabled A request was made to generate a random challenge for 1step 

Challenge/Response, but the applicable Policy does 

not have 1-step Challenge/Response enabled or does not 

specify the challenge length and check digit indicator. 

1037 Password Autolearn is disabled A request was made to update a user's Stored Password, 

but Password Autolearn is disabled, so the update is not 

permitted. Password Autolearn must be enabled for the 

password update request to be processed. 

1038 The administration session ID is not 

known at this location 

1039 The administration session is no longer 

active 

An administration command has been received, but the 

internal session ID is not recognised at the location from 

which the command came. This can only occur by 

attempting to reuse a session ID from another location. 

An administration command has been received, but the 

session has stopped or is unrecognised. This can occur due 

to an idle timeout, a maximum session length timeout or a 

restart of the Authentication Server. 

1040 Back-end authentication returned a This can occur when the Authentication Server forwards a 



Status 

Code 

Message Notes 

Challenge that cannot be handled request to a RADIUS Server and the RADIUS Server 

responds with an Access-Challenge. An Access-Challenge 

can only be handled when the Authentication Server 

forwards the password unmodified to the RADIUS Server. 

If the Authentication Server verifies an OTP and forwards 

the static password to the RADIUS Server, it is not possible 

to handle an Access-Challenge from the RADIUS Server. 

It can also occur if you use RADIUS Back-End 

Authentication for an IIS Module. In that case, Access- 

Challenge is not supported from the RADIUS Server. 

1041 No Digipass was found for the given 

Serial Number 

During a Self-Assignment attempt, the Serial Number 

provided by the User was not found in the data store. This 

mainly occurs when the Serial Number is entered 

incorrectly. It can also occur because the Digipass record is 

not in the User's Domain or Organizational Unit. 

3001 A Digipass Challenge was returned This status code is the standard code when a challenge is 

issued and does not indicate any kind of error. 

3002 No challenge was identified for the 

authentication 

3003 Back-end authentication returned a 

Challenge 

5001 The user failed the Windows Group 

Check 

5002 Neither local nor back-end 

authentication was done due to policy 

and/or user settings 

A response to a challenge was given, but no challenge 

could be found. The most likely reason for this to occur is 

that the challenge is too old and has been removed from 

the challenge cache. It can also occur if no 'challenge key' 

was supplied with which to look up the challenge. 

This occurs when a RADIUS Server responds with an 

Access-Challenge, in a case where the Authentication 

Server can handle it. 

The Authentication Server decided not to handle an 

authentication request due to the Windows Group Check 

failing. This can occur when the effective Windows Group 

Check option is Pass requests for users not in listed groups 

back to host system. 



Policy. 

The Authentication Server decided not to handle an 

authentication request because the effective Local 

Authentication and Back-End Authentication settings 

were both None. 



the Policy. 


VACMAN Middleware Administrator Reference Technical Support 

19 Technical Support 

If you encounter problems with a VASCO product please do the following: 

1. Read the How to Troubleshoot topic in the Administrator Reference for help in 

discovering the source of your problem. 

2. Check if your problem is resolved in the Knowledge Base located at the following URL: 

http://www.vasco.com/support. 

3. If you do not find the information you need in the Knowledge Base, please contact the 

company that sold you the VASCO product. 

Only after doing these steps, if your needs are still not completely met please contact VASCO 

support: 

19.1 Support Contact Information 

E-mail 

support@vasco.com 

Website 

http://www.vasco.com/support/contacts.html 

Phone 

Australia +61 2 8920 9666 (Sydney) 

Belgium +32 2 609 9770 (Brussels) 

Singapore +65 6 232 2727 

USA +1 508 366 3400 (Boston)

VACMAN Middleware Administration Reference A4 - Vasco

Create successful ePaper yourself

Delete template?

Save as template?