Identikey Server Administrator Reference - Vasco

Identikey Server 

Administrator Reference 

3.1

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, 

including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, 

or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and 

performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to 

you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, 

including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, 

even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third 

party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount 

paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default 

is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the 

exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to 

you. 

Copyright 

Copyright © 2009 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any 

means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of 

VASCO Data Security Inc. 

RADIUS Documentation Disclaimer 

The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the 

RADIUS server and its operation in the Identikey Server environment. It is recommended that further information be 

gathered from your NAS/RAS vendor for information on the use of RADIUS. 

Trademarks 

VASCO®, Vacman®, IDENTIKEY®, aXs GUARD, DIGIPASS®, and ® are registered or unregistered 

trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other 

countries. 

Document Version: 1.3

Table of Contents 


1 Introduction.................................................................................................................................................. 16 

1.1 Available Guides................................................................................................................................................ 16 

2 Active Directory Schema............................................................................................................................... 17 

2.1 Schema Extensions........................................................................................................................................... 17 

2.1.1 Added Object Classes................................................................................................................................... 17 

2.1.2 Added Attributes........................................................................................................................................... 18 

2.1.3 Added Permission Property Sets................................................................................................................... 22 

2.2 Active Directory Auditing.................................................................................................................................... 23 

2.2.1 Auditing Inside the Active Directory Users and Computers Extension.............................................................23 

2.3 Custom Search Options..................................................................................................................................... 24 

2.3.1 Saved Queries.............................................................................................................................................. 24 

2.3.2 Using the Custom Search for Digipass.......................................................................................................... 26 

2.3.3 Using the Custom Search for Users...............................................................................................................27 

2.4 Active Directory Replication Issues..................................................................................................................... 30 

2.4.1 Old Data Used After Attribute Modified.......................................................................................................... 30 

2.4.1.1 Single Identikey Server using more than one Domain Controller................................................................................ 30 

2.4.1.2 Administrator and Identikey Server using different Domain Controllers.......................................................................31 

2.4.1.3 Multiple Identikey Servers Using Different Domain Controllers................................................................................... 31 

2.4.1.4 Two Administrators Modifying the Same Attribute.....................................................................................................32 

2.4.2 Old Data Used Overwrites New Data............................................................................................................. 32 

2.4.3 Factors Affecting Replication Issues..............................................................................................................32 

2.4.4 Solutions and Mitigations............................................................................................................................. 33 

2.4.4.1 Digipass Cache......................................................................................................................................................33 

2.5 DPADadmin Utility.............................................................................................................................................. 35 

2.5.1 Extend Active Directory Schema................................................................................................................... 35 

2.5.2 Check Schema Extensions............................................................................................................................ 37 

2.5.2.1 Check the Database Structure.................................................................................................................................37 

2.5.2.2 Command Line Syntax............................................................................................................................................37 

2.5.3 Set Up Digipass Containers in Domain.......................................................................................................... 38 

2.5.3.1 Prerequisite Information..........................................................................................................................................38 

2.5.3.2 Set Up Digipass Containers.....................................................................................................................................38 

2.5.3.3 Command Syntax...................................................................................................................................................38 

2.5.4 Assign Digipass Permissions to a Group....................................................................................................... 39 

2.5.4.1 Pre-requisites........................................................................................................................................................ 39 

2.5.4.2 Command Syntax...................................................................................................................................................39 

2.5.5 Delete all Digipass-Related Data from Active Directory................................................................................. 40 

2.5.5.1 Run Delete Script on a Domain............................................................................................................................... 41 

Identikey Server Administrator Reference 3


3 ODBC Database............................................................................................................................................ 42 

3.1 Database Support.............................................................................................................................................. 42 

3.1.1 Unicode Support........................................................................................................................................... 43 

3.2 Embedded Database.......................................................................................................................................... 43 

3.2.1 Service Account........................................................................................................................................... 43 

3.2.2 Database Administration Account................................................................................................................. 44 

3.2.3 Database Administration...............................................................................................................................44 

3.2.3.2 Changing the Digipass User's Password.................................................................................................................. 44 

3.2.4 Connection Limitations................................................................................................................................. 45 

3.3 Database Schema.............................................................................................................................................. 46 

3.3.1 vdsControl Table.......................................................................................................................................... 46 

3.3.2 vdsUser Table.............................................................................................................................................. 47 

3.3.3 vdsUserAttr Table......................................................................................................................................... 48 

3.3.4 vdsDigipass Table........................................................................................................................................ 48 

3.3.5 vdsDPApplication Table................................................................................................................................ 49 

3.3.6 vdsDPSoftParams Table............................................................................................................................... 49 

3.3.7 vdsPolicy Table............................................................................................................................................ 50 

3.3.8 vdsComponent Table.................................................................................................................................... 51 

3.3.9 vdsBackEnd Table........................................................................................................................................ 52 

3.3.10 vdsDomain Table.......................................................................................................................................... 53 

3.3.11 vdsOrgUnit Table.......................................................................................................................................... 53 

3.3.12 vdsReport Table........................................................................................................................................... 54 

3.3.13 vdsReportFormat Table................................................................................................................................ 54 

3.3.14 vdsConfiguration Table................................................................................................................................. 55 

3.3.15 vdsOfflineAuthData Table............................................................................................................................. 55 

3.4 Encoding and Case-Sensitivity........................................................................................................................... 56 

3.5 Domains and Organizational Units...................................................................................................................... 56 

3.5.1 Domains....................................................................................................................................................... 57 

3.5.1.1 Master Domain...................................................................................................................................................... 57 

3.5.1.2 Identifying the Domain for a Login Attempt...............................................................................................................58 

3.5.2 Organizational Units..................................................................................................................................... 59 

3.6 Database User Accounts.................................................................................................................................... 60 

3.6.1 Permissions on the Tables............................................................................................................................ 60 

3.6.2 Access to Another Schema........................................................................................................................... 60 

3.6.2.1 Modify vdsControl Table......................................................................................................................................... 61 

3.7 Database Connection Handling.......................................................................................................................... 62 

3.7.1 Multiple Data Sources.................................................................................................................................. 62 

3.7.2 Max. Connections......................................................................................................................................... 62 

3.7.3 Connection Wait Time...................................................................................................................................62 

3.7.4 Idle Timeout................................................................................................................................................. 63 



3.7.5 Enable Load Sharing..................................................................................................................................... 63 

3.7.6 Reconnect Intervals...................................................................................................................................... 63 

3.8 DPDBADMIN...................................................................................................................................................... 64 

3.8.1 Modify Database Schema............................................................................................................................. 64 

3.8.2 Check Database Modifications...................................................................................................................... 66 


3.8.2.2 Check the Database Structure.................................................................................................................................67 


3.8.3 Remove Database Modifications................................................................................................................... 68 


3.8.3.2 Modify Database Structure......................................................................................................................................68 


4 Sensitive Data Encryption............................................................................................................................. 70 

4.1.1 Encrypted Data............................................................................................................................................. 70 

4.1.2 Which Encryption Algorithms can be used?.................................................................................................. 70 

4.1.3 Exporting Encryption Settings....................................................................................................................... 71 

4.1.4 Digipass TCL Command-Line Administration................................................................................................ 71 

5 Set Up Active Directory Permissions.............................................................................................................. 72 

5.1 Permissions Needed by the Identikey Server...................................................................................................... 72 

5.1.1 Giving Permissions to the Identikey Server....................................................................................................72 

5.2 Permissions Needed by Administrators.............................................................................................................. 73 

5.2.1 Domain Administrators................................................................................................................................. 73 

5.2.2 Delegated Administrators............................................................................................................................. 73 

5.2.3 Reduced-Rights Administrators.................................................................................................................... 73 

5.2.4 System Administrators................................................................................................................................. 74 

5.3 Assign Administration Permissions to a User ..................................................................................................... 75 

5.4 Multiple Domains............................................................................................................................................... 77 

5.4.1 Scenario 1 – Each Identikey Server Handles One Domain............................................................................. 77 

5.4.2 Scenario 2 – One Identikey Server Handles All Domains............................................................................... 78 

5.4.3 Scenario 3 - Combination............................................................................................................................. 78 

6 Backup and Recovery................................................................................................................................... 79 

6.1 What Must be Backed Up................................................................................................................................... 79 

6.1.1 Configuration Files........................................................................................................................................80 

6.1.2 SSL Certificates............................................................................................................................................ 80 

6.1.3 Audit Log Data.............................................................................................................................................. 80 

6.1.3.1 Write to Text File....................................................................................................................................................80 

6.1.3.2 Write to ODBC Database.........................................................................................................................................80 

6.1.3.3 Write to Windows Event Log................................................................................................................................... 81 

6.1.4 Write to Syslog............................................................................................................................................. 81 



6.1.5 DPX files...................................................................................................................................................... 81 

6.1.6 Data Store.................................................................................................................................................... 82 

6.1.6.1 Data Source Settings..............................................................................................................................................82 

6.1.6.2 Backup Strategies.................................................................................................................................................. 82 

6.1.6.3 Backup of PostgreSQL Embedded Database............................................................................................................ 83 

6.2 Recovery........................................................................................................................................................... 84 

6.2.1 Active Directory............................................................................................................................................ 84 

6.2.2 ODBC Database............................................................................................................................................ 85 

6.2.2.1 Rebuild Identikey Server, Database Undamaged.......................................................................................................85 

6.2.2.2 Restore Database, Identikey Server Undamaged.......................................................................................................86 

6.2.2.3 Rebuild Identikey Server, Restore Database............................................................................................................. 89 

6.2.2.4 Copy Database from Other Identikey Server............................................................................................................. 92 

6.2.2.5 Rebuild Identikey Server, Copy Database................................................................................................................. 94 

7 Field Listings................................................................................................................................................ 96 

7.1 User Properties.................................................................................................................................................. 96 

7.2 User Attributes................................................................................................................................................... 98 

7.3 Digipass Properties.......................................................................................................................................... 100 

7.4 Digipass Application Tab.................................................................................................................................. 102 

7.5 Policy Properties.............................................................................................................................................. 103 

7.6 Client Properties.............................................................................................................................................. 113 

7.7 Back-End Server Properties............................................................................................................................. 115 

7.8 Reports Properties........................................................................................................................................... 116 

7.9 Identikey Server Properties.............................................................................................................................. 118 

7.10 Data Changes Requiring a Restart of Identikey Server...................................................................................... 119 

7.10.1 Changes to the Data Store.......................................................................................................................... 119 

7.10.1.1 Automatic Re-Loading of Cached Data.................................................................................................................. 119 

7.10.1.2 Cached Data List..................................................................................................................................................119 

7.10.2 Changes to Configuration Settings.............................................................................................................. 120 

8 Licensing.................................................................................................................................................... 121 

8.1 How is Licensing Handled?.............................................................................................................................. 121 

8.2 Licensing Parameters...................................................................................................................................... 121 

8.2.1 Sample License File................................................................................................................................... 122 

8.3 View License Information................................................................................................................................. 122 

8.4 Obtain and Load a License Key........................................................................................................................ 123 

8.5 Re-Licensing................................................................................................................................................... 124 

9 Web Sites................................................................................................................................................... 125 

9.1 Customizing the Web Sites.............................................................................................................................. 125 

9.2 CGI Program.................................................................................................................................................... 125 



9.2.1 Configuration Settings................................................................................................................................ 126 

9.3 Form Fields..................................................................................................................................................... 127 

9.3.1 Registration – Main Pages.......................................................................................................................... 127 

9.3.1.1 Registration – Challenge Page.............................................................................................................................. 128 

9.3.1.2 PIN Change......................................................................................................................................................... 129 

9.3.1.3 Login Test – Main Page........................................................................................................................................130 

9.3.1.4 Login Test – Challenge Page................................................................................................................................ 131 

9.3.2 OTP Request Site........................................................................................................................................132 

9.3.2.1 Request Page...................................................................................................................................................... 132 

9.4 Query String Variables..................................................................................................................................... 133 

9.4.1 Failure/Error Handling................................................................................................................................. 133 

9.4.2 Query String Variable List........................................................................................................................... 134 

9.4.3 Return Code Listing.................................................................................................................................... 135 

9.4.3.1 API Return Codes.................................................................................................................................................135 

9.4.3.2 CGI Errors............................................................................................................................................................135 

9.4.3.3 Internal Errors...................................................................................................................................................... 136 

10 Login Options............................................................................................................................................. 138 

10.1 Login Permutations.......................................................................................................................................... 138 

10.1.1 Login Methods........................................................................................................................................... 138 

10.1.2 Login Actions............................................................................................................................................. 138 

10.1.3 Login Variables........................................................................................................................................... 138 

10.1.4 Password Format....................................................................................................................................... 139 

10.1.5 Policy Settings............................................................................................................................................ 139 

10.1.6 Response Only – Cleartext Combined Password Format..............................................................................140 

10.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2............................................................................................. 142 

10.1.8 2-Step Challenge/Response – Cleartext Combined Password Format..........................................................142 

10.1.9 Virtual Digipass.......................................................................................................................................... 144 

11 Identikey Server Configuration Settings....................................................................................................... 145 

11.1 Identikey Server Configuration Wizard.............................................................................................................. 145 

11.2 Redeploy Administration Web Interface............................................................................................................ 145 

11.3 Identikey Server Configuration......................................................................................................................... 147 

11.3.1 Starting the Configuration GUI.....................................................................................................................147 

11.3.2 General Section.......................................................................................................................................... 147 

11.3.2.1 Server Location....................................................................................................................................................148 

11.3.2.2 Administration Session Settings............................................................................................................................ 148 

11.3.2.3 Tracing................................................................................................................................................................148 

11.3.3 Communicators Section..............................................................................................................................148 

11.3.3.1 SOAP.................................................................................................................................................................. 148 

11.3.3.2 RADIUS............................................................................................................................................................... 149 

11.3.3.3 SEAL................................................................................................................................................................... 149 



11.3.4 Scenarios Section....................................................................................................................................... 150 

11.3.4.1 Authentication Scenario........................................................................................................................................150 

11.3.4.2 Signature Validation Scenario................................................................................................................................150 

11.3.4.3 Provisioning Scenario........................................................................................................................................... 150 

11.3.4.4 Administration Scenario........................................................................................................................................151 

11.3.4.5 Reporting Scenario...............................................................................................................................................151 

11.3.4.6 Audit Scenario..................................................................................................................................................... 151 

11.3.4.7 Replication Scenario.............................................................................................................................................151 

11.3.4.8 Configuration Scenario......................................................................................................................................... 152 

11.3.5 Engines Section.......................................................................................................................................... 152 

11.3.6 Storage Section.......................................................................................................................................... 152 

11.3.6.1 ODBC Data Sources............................................................................................................................................. 152 

11.3.6.2 LDAP Data Sources..............................................................................................................................................154 

11.3.6.3 Encryption........................................................................................................................................................... 154 

11.3.6.4 Advanced Configuration Settings...........................................................................................................................155 

11.3.7 Auditing..................................................................................................................................................... 158 

11.3.8 Replication Section..................................................................................................................................... 159 

11.3.8.1 Enable Replication................................................................................................................................................160 

11.3.8.2 Source Server...................................................................................................................................................... 160 

11.3.8.3 Destination Server................................................................................................................................................160 

11.3.8.4 Queue................................................................................................................................................................. 160 

11.3.9 Configuration File....................................................................................................................................... 161 

11.3.9.1 Windows - Example Configuration File...................................................................................................................161 

11.3.9.2 Linux Example Configuration File...........................................................................................................................168 

11.4 Command Line Options.................................................................................................................................... 176 

11.4.1 Windows Service Control Manager............................................................................................................. 176 

11.4.2 Linux Runtime Configuration....................................................................................................................... 176 

11.4.3 Running Identikey Server with Command Line Options............................................................................... 176 

11.4.3.1 Command Line Option flags..................................................................................................................................176 

11.4.3.2 Windows............................................................................................................................................................. 177 

11.4.3.3 Linux...................................................................................................................................................................177 

11.5 Identikey Server Web Administration Configuration.......................................................................................... 177 

11.5.1 List............................................................................................................................................................. 177 

11.5.1.1 Location.............................................................................................................................................................. 177 

11.5.1.2 Identikey Server Name........................................................................................................................................178 

11.5.2 Add Identikey Server ................................................................................................................................ 178 

11.5.3 Server Status............................................................................................................................................. 178 

11.5.3.1 Replication ..........................................................................................................................................................178 

11.5.3.2 Admin Session.....................................................................................................................................................178 

11.5.4 Server Configuration................................................................................................................................... 178 

11.6 Web Administration Setup Tool........................................................................................................................ 180 

11.6.1 Overview.................................................................................................................................................... 180 

11.6.2 Running the Application.............................................................................................................................. 180 

11.6.3 Available Commands.................................................................................................................................. 181 



11.6.4 Command Usage Examples........................................................................................................................ 182 

11.6.4.1 Adding an Identikey Server and SSL Certificate...................................................................................................... 182 

11.6.4.2 Adding an Identikey Server................................................................................................................................... 183 

11.6.4.3 Adding an SSL Certificate..................................................................................................................................... 183 

11.7 Message Delivery Component Configuration.................................................................................................... 185 

11.7.1 Required Information.................................................................................................................................. 185 

11.7.2 MDC Configuration GUI............................................................................................................................... 185 

11.7.2.1 Modify Gateway Account Login Details.................................................................................................................. 185 

11.7.2.2 Configure Internet Connection Details....................................................................................................................186 

11.7.2.3 Configure Tracing.................................................................................................................................................186 

11.7.2.4 Import HTTP Gateway settings.............................................................................................................................. 187 

11.7.2.5 Edit Advanced Settings.........................................................................................................................................187 

11.7.2.6 Export HTTP Gateway settings...............................................................................................................................188 

11.7.2.7 Gateway Result Pages.......................................................................................................................................... 188 

11.7.3 MDC Configuration File............................................................................................................................... 192 

11.7.4 Configuration Settings................................................................................................................................ 194 

11.8 Digipass TCL Command Line Utility.................................................................................................................. 197 

11.8.1 Sample Configuration File........................................................................................................................... 197 

12 Identikey Server Advanced Setup................................................................................................................ 199 

12.1 Create Organizational Structure....................................................................................................................... 199 

12.1.1 Domains..................................................................................................................................................... 199 

12.1.1.2 Create a New Domain...........................................................................................................................................199 

12.1.2 Organizational Units................................................................................................................................... 200 

12.1.2.1 Create an Organizational Unit................................................................................................................................200 

12.1.3 Administrators............................................................................................................................................ 200 

12.1.3.1 Create a Delegated Administrator..........................................................................................................................200 

12.1.3.2 Create a Global Administrator............................................................................................................................... 201 

12.2 How To Set Up Virtual Digipass........................................................................................................................ 202 

12.2.1 Pre-requisites............................................................................................................................................. 202 

12.2.2 Import Virtual Digipass records................................................................................................................... 202 

12.2.3 Set Up SMS Gateway.................................................................................................................................. 202 

12.2.4 Set Up Message Delivery Component......................................................................................................... 202 

12.2.5 Configure Identikey Server .........................................................................................................................203 

12.2.6 Edit Identikey Server Policy.........................................................................................................................203 

12.2.6.1 Primary Virtual Digipass........................................................................................................................................203 

12.2.6.2 Backup Virtual Digipass........................................................................................................................................ 204 

12.2.7 Test Virtual Digipass................................................................................................................................... 205 

12.3 Connect the Administration Web Interface to a New Identikey Server............................................................... 206 

12.3.1 Windows.................................................................................................................................................... 206 

12.3.2 Linux.......................................................................................................................................................... 206 

12.4 Create Custom Report Definition...................................................................................................................... 207 

12.4.1 Query Filters............................................................................................................................................... 208 



12.5 Install a Commercial SSL Certificate.................................................................................................................212 

12.5.1 Windows.................................................................................................................................................... 212 

12.5.2 Linux.......................................................................................................................................................... 213 

12.6 How to Set Up a Stand-Alone Identikey Server in RADIUS Environment.............................................................214 

12.6.1 Information required................................................................................................................................... 214 

12.6.2 Instructions................................................................................................................................................ 214 

12.7 How to Set Up Identikey Server as RADIUS Proxy Target...................................................................................215 


12.7.2 Instructions................................................................................................................................................ 215 

12.8 How to Set Up Identikey Server as Intermediate Server.................................................................................... 217 


12.8.3 Instructions................................................................................................................................................ 218 

12.9 Add a New Domain to Identikey Server............................................................................................................ 220 

12.9.1 Solution 1: Install an Extra Identikey Server in the New Domain.................................................................. 220 

12.9.2 Solution 2: Configure New Domain for Existing Identikey Server..................................................................220 

13 Reporting................................................................................................................................................... 221 

13.1 Reporting Overview......................................................................................................................................... 221 

13.1.1 What fields can be included in reports?...................................................................................................... 221 

13.1.2 How can these fields be grouped?.............................................................................................................. 221 

13.1.3 How to define a Query................................................................................................................................ 221 

13.1.3.1 Fields Available to Report Query Definition............................................................................................................. 222 

13.1.4 Report Permissions.................................................................................................................................... 225 

13.2 Types of Report .............................................................................................................................................. 225 

13.2.1 Standard Reports....................................................................................................................................... 226 

13.2.2 Custom Reports.......................................................................................................................................... 227 

13.2.3 Formatting Templates................................................................................................................................ 227 

13.3 Archiving Strategy........................................................................................................................................... 227 

14 Auditing...................................................................................................................................................... 228 

14.1 Text File.......................................................................................................................................................... 228 

14.1.1 Text File Name Variables............................................................................................................................ 228 

14.1.2 Configure Auditing to Text File.................................................................................................................... 229 

14.2 Windows Event Log......................................................................................................................................... 230 

14.3 ODBC Audit Message Database........................................................................................................................231 

14.3.1 Set up ODBC Database............................................................................................................................... 231 

14.3.1.1 Create database...................................................................................................................................................231 

14.3.1.2 Create database schema...................................................................................................................................... 231 

14.3.1.3 Create Database Account(s)..................................................................................................................................232 

14.3.1.4 Create DSN on Identikey Server machine...............................................................................................................233 

14.3.1.5 Create DSN on Audit Viewer machine....................................................................................................................233 



14.3.2 Configure Identikey Server..........................................................................................................................233 

14.3.3 Configure Audit Viewer............................................................................................................................... 234 

14.4 Linux Syslog.................................................................................................................................................... 234 

14.4.1 Configure the System Log.......................................................................................................................... 235 

14.4.2 Modify Configuration File............................................................................................................................ 235 

14.4.3 Configure Identikey Server to Write Audit Messages to the Syslog...............................................................236 

14.5 Live Connection - Identikey Server to Audit Viewer........................................................................................... 237 

14.5.1 Configure Identikey Server..........................................................................................................................237 

14.5.2 Configure Audit Viewer............................................................................................................................... 237 

15 Tracing....................................................................................................................................................... 238 

15.1 Trace Message Types...................................................................................................................................... 238 

15.2 Trace Message Levels..................................................................................................................................... 239 

15.3 Trace Message Contents..................................................................................................................................239 

16 Digipass TCL Command-Line Administration............................................................................................... 240 

16.1 Introduction..................................................................................................................................................... 240 

16.1.2 Knowledge Requirements........................................................................................................................... 241 

16.1.3 Data Store Connection................................................................................................................................ 241 

16.1.4 Configuration File....................................................................................................................................... 241 

16.2 Using DPADMINCMD – Basics.......................................................................................................................... 242 

16.2.1 Using an Interactive TCL Command Prompt................................................................................................ 242 

16.2.2 Running a Script......................................................................................................................................... 243 

16.2.3 Help........................................................................................................................................................... 244 

16.2.4 Command Parameters................................................................................................................................ 244 

16.2.5 Result Output............................................................................................................................................. 244 

16.2.6 Error Handling............................................................................................................................................ 245 

16.2.7 International Characters............................................................................................................................. 245 

16.2.8 Syntax Notes.............................................................................................................................................. 245 

16.2.9 Sample Scripts........................................................................................................................................... 246 

17 Replication................................................................................................................................................. 248 

17.1 Concepts......................................................................................................................................................... 248 

17.1.1 Replication Queue...................................................................................................................................... 249 

17.1.2 Record-level Replication............................................................................................................................. 249 

17.1.3 Replication Process.................................................................................................................................... 250 

17.1.4 Connection Handling.................................................................................................................................. 252 

17.1.4.1 Component Record.............................................................................................................................................. 252 

17.1.5 Monitoring Replication................................................................................................................................ 252 

17.1.5.1 Auditing...............................................................................................................................................................252 



17.1.5.2 Administration Web Interface................................................................................................................................ 252 

17.1.6 Forwarding Replication Entries................................................................................................................... 253 

17.2 Configuring Replication ................................................................................................................................... 254 

17.2.1 Active Directory.......................................................................................................................................... 254 

17.2.2 ODBC Database.......................................................................................................................................... 255 

17.2.2.1 Configure Replication to a Second Identikey Server................................................................................................ 255 

17.2.2.2 Configure Replication to a Third or Subsequent Identikey Server .............................................................................257 

17.2.2.3 Add Redundant Replication...................................................................................................................................259 

18 Troubleshooting.......................................................................................................................................... 260 

18.1 Troubleshooting Tools...................................................................................................................................... 260 

18.1.1 View Audit Information............................................................................................................................... 260 

18.1.1.1 Windows Event Viewer......................................................................................................................................... 260 

18.1.1.2 Syslog................................................................................................................................................................. 260 

18.1.1.3 Text file .............................................................................................................................................................. 260 

18.1.1.4 ODBC Database................................................................................................................................................... 261 

18.1.2 Tracing....................................................................................................................................................... 261 

18.2 How To Troubleshoot....................................................................................................................................... 262 

18.2.1 Connection Problems.................................................................................................................................. 262 

18.2.2 Installation Check....................................................................................................................................... 262 

18.2.2.1 Windows Registry Entries......................................................................................................................................262 

18.2.2.2 Check Permissions...............................................................................................................................................263 

18.2.2.3 Default Policy and Component Created..................................................................................................................263 

18.2.3 Administration Web Interface Connection....................................................................................................264 

18.2.4 Message Delivery Component.................................................................................................................... 264 

18.2.4.1 Enable Tracing.....................................................................................................................................................264 

18.2.5 Open Port Numbers on Firewall.................................................................................................................. 264 

18.2.5.1 Incoming Ports.....................................................................................................................................................265 

18.2.5.2 Outgoing Ports.....................................................................................................................................................265 

18.2.6 SOAP/SSL Certificates................................................................................................................................ 265 

19 Audit Messages.......................................................................................................................................... 266 

19.1 Audit Message Listing...................................................................................................................................... 266 

20 Error and Status Codes............................................................................................................................... 279 

20.1 Error Code Listing............................................................................................................................................ 279 

20.2 Status Code Listing.......................................................................................................................................... 285 

21 Technical Support....................................................................................................................................... 292 

21.1 Support Contact Information............................................................................................................................ 292 


Index of Tables 


Table 1: Custom Active Directory Object Classes...................................................................................................................................... 17 

Table 2: Custom Active Directory Object Attributes................................................................................................................................... 18 

Table 3: Custom Active Directory Permission Property Sets...................................................................................................................... 22 

Table 4: Saved Queries in Active Directory Users and Computers............................................................................................................. 25 

Table 5: Custom Active Directory Search criteria - Digipass......................................................................................................................26 

Table 6: Custom Active Directory Search criteria - Users.......................................................................................................................... 28 

Table 7: DPADadmin addschema Command Line Options.........................................................................................................................37 

Table 8: DPADadmin checkschema Command Line Options..................................................................................................................... 37 

Table 9: DPADadmin setupdomain Command Line Options.......................................................................................................................39 

Table 10: DPADadmin setupaccess Command Line Options..................................................................................................................... 39 

Table 11: ODBC Database Tables............................................................................................................................................................. 46 

Table 12: vdsControl Table.......................................................................................................................................................................46 

Table 13: vdsUser Table........................................................................................................................................................................... 47 

Table 14: vdsUserAttr Table......................................................................................................................................................................48 

Table 15: vdsDigipass Table.....................................................................................................................................................................48 

Table 16: vdsDPApplication Table.............................................................................................................................................................49 

Table 17: vdsDPSoftParams Table............................................................................................................................................................49 

Table 18: vdsPolicy Table.........................................................................................................................................................................50 

Table 19: vdsComponent Table................................................................................................................................................................ 51 

Table 20: vdsBackEnd Table.....................................................................................................................................................................52 

Table 21: vdsDomain Table...................................................................................................................................................................... 53 

Table 22: vdsOrgUnit Table...................................................................................................................................................................... 53 

Table 23: vdsReport Table........................................................................................................................................................................54 

Table 24: vdsReportFormat Table.............................................................................................................................................................54 

Table 25: vdsConfiguration Table............................................................................................................................................................. 55 

Table 26: vdsOfflineAuthData Table..........................................................................................................................................................55 

Table 27: Table Permissions Required......................................................................................................................................................60 

Table 28: Table Names in vdsControl........................................................................................................................................................61 

Table 29: DPDBADMIN addschema Command Line Options......................................................................................................................65 

Table 30: DPDBADMIN checkschema Command Line Options.................................................................................................................. 67 

Table 31: DPDBADMIN dropschema Command Line Options.................................................................................................................... 68 

Table 32: Encrypted Data Attributes - ODBC Database.............................................................................................................................70 

Table 33: Encrypted Data Attributes - Active Directory.............................................................................................................................70 

Table 34: User Fields................................................................................................................................................................................96 



Table 35: User Attribute Fields..................................................................................................................................................................98 

Table 36: Digipass Fields........................................................................................................................................................................100 

Table 37: Digipass Application Fields......................................................................................................................................................102 

Table 38: Policy Fields............................................................................................................................................................................103 

Table 39: Client Fields............................................................................................................................................................................113 

Table 40: Back-End Server Fields...........................................................................................................................................................115 

Table 41: Report fields........................................................................................................................................................................... 116 

Table 42: Identikey Server Fields............................................................................................................................................................118 

Table 43: License Parameters for Identikey Server................................................................................................................................. 121 

Table 44: Configuration Settings for CGI Program................................................................................................................................... 126 

Table 45: Form Fields for Main Registration Page...................................................................................................................................127 

Table 46: Form Fields for Registration Challenge Page........................................................................................................................... 128 

Table 47: Form Fields for Server PIN Change Page................................................................................................................................. 129 

Table 48: Form Fields for Main Login Test Page..................................................................................................................................... 130 

Table 49: Form Fields for Login Test Challenge Page..............................................................................................................................131 

Table 50: Form Fields for OTP Request Page.......................................................................................................................................... 132 

Table 51: Query String Variable List........................................................................................................................................................134 

Table 52: API Return Codes.................................................................................................................................................................... 135 

Table 53: CGI Error Return Codes........................................................................................................................................................... 135 

Table 54: Internal Error Codes................................................................................................................................................................ 136 

Table 55: Login Permutations - Response Only Cleartext Combined (1)...................................................................................................140 

Table 56: Login Permutations - Response Only Cleartext Combined (2)...................................................................................................141 

Table 57: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2...........................................................................................142 

Table 58: Login Permutations – 2-Step Challenge/Response Cleartext Combined...................................................................................143 

Table 59: Login Permutations – Virtual Digipass.....................................................................................................................................144 

Table 60: MDC Audit Message Variables.................................................................................................................................................190 

Table 61: Message Delivery Component Configuration Settings..............................................................................................................194 

Table 62: Audit Text File Name/Path Variables........................................................................................................................................228 

Table 63: Required Audit Database Tables..............................................................................................................................................231 

Table 64: vdsAuditMessage Required Fields...........................................................................................................................................232 

Table 65: vdsAuditMsgField Required Fields...........................................................................................................................................232 

Table 66: Required Account Permissions................................................................................................................................................233 

Table 67: Audit Message Types and Syslog Priority................................................................................................................................ 234 

Table 68: Tracing Message Types.......................................................................................................................................................... 238 

Table 69: Tracing Message Levels..........................................................................................................................................................239 

Table 70: Tracing Message Contents......................................................................................................................................................239 



Table 71: DPADMINCMD Help Commands.............................................................................................................................................. 244 

Table 72: Registry Entries.......................................................................................................................................................................262 

Table 73: Permissions Required............................................................................................................................................................. 263 

Table 74: List of Incoming Ports Used by the Identikey Server................................................................................................................ 265 

Table 75: List of Outgoing Ports Used by the Identikey Server.................................................................................................................265 

Table 76: Audit Messages List................................................................................................................................................................266 

Table 77: Error Code List........................................................................................................................................................................279 

Table 78: Status Code List......................................................................................................................................................................285 


1 Introduction 

1.1 Available Guides 

The following Identikey Server guides are available: 

Product Guide 

Introduction 

The Product Guide will introduce you to the features and concepts of Identikey Server and the various options you 

have for using it. 

Getting Started Guide 

The Getting Started Guide will lead you through a standard setup and testing of key Identikey Server features. 

Windows Installation Guide 

Use this guide when planning and working through an installation of Identikey Server in a Windows environment. 

Linux Installation Guide 

Use this guide when planning and working through an installation of Identikey Server in a Linux environment. 

Administrator Reference 

In-depth information required for administration of Identikey Server. This includes references such as data attribute 

lists, backup and recovery and utility commands. 

Performance and Deployment Guide 

Contains information on common deployment models and performance statistics. 

Help Files 

Context-sensitive help accompanies the Administration Web Interface and Digipass Extension for Active Directory 

Users and Computers. 

Identikey Server SDK Programmers Guide 

In-depth information required to develop using the SDK. 


2 Active Directory Schema 

2.1 Schema Extensions 

Active Directory Schema 

The following tables document the changes required by Identikey Server to the Active Directory (AD) schema when 

AD is used as the data store. 

2.1.1 Added Object Classes 

Table 1: Custom Active Directory Object Classes 

Attribute Type Location Explanation 

vasco-UserExt Aux. Class User record Extra VASCO attributes are added to an Active Directory 

User record via an 'auxiliary class' vasco-UserExt on the 

User class. 

vasco-DPToken Class Unassigned – Optional 

vasco- 

DPApplication 

Assigned – with User record 

The vasco-DPToken class is used to store Digipass 

attributes. It is also a container, in which vasco- 

DPApplication records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored 

in the same location as the User. 

Class Within Digipass record This class is used to store Digipass Application 

attributes, such as Server PIN and expected OTP length. 

vasco-Policy Class Digipass Configuration 

Container 

vasco-Component Class Digipass Configuration 

Container 

vasco- 

BackEndServer 

Class Digipass Configuration 

Container 

vasco-Report Class Digipass Configuration 

Container 

vasco- 

ReportFormat 

vasco- 

Configuration 


Container 


Container 

vdsOfflineAuthData Class Digipass Configuration 

Container 

Policy attributes. Attributes will commonly be shared via 

inheritance. 

Component attributes include the License Key for 

Identikey Server Components. 

Information required for connection to back-end servers. 

Support reporting functionality. Use this class to control 

the report scope. 

Support reporting functionality. This class contains the 

report format definition information. 

Configuration settings for the Identikey Server. 

Offline authentication data. This is included for future 

releases of Identikey Server. 


2.1.2 Added Attributes 

Table 2: Custom Active Directory Object Attributes 

Name Class 

vasco-SerialNumber vasco-DPToken 

vasco-TokenType vasco-DPToken 

vasco-ApplicationNames vasco-DPToken 

vasco-ApplicationTypes vasco-DPToken 

vasco-LinkVascoDigipassToUserExt vasco-DPToken 

vasco-TokenAssignedDate vasco-DPToken 

vasco-GracePeriod vasco-DPToken 

vasco-EnableBVDP vasco-DPToken 

vasco-BVDPExpiryDate vasco-DPToken 

vasco-BVDPUsesLeft vasco-DPToken 

vasco-DirectAssignOnly vasco-DPToken 

vasco-AdditionalAttribute vasco-DPToken 

vasco-ActivationLocations vasco-DPToken 

vasco-ActivationCount vasco-DPToken 

vasco-LastActivationTime vasco-DPToken 

vasco-DPSoftStaticVector vasco-DPToken 

vasco-DPDescription vasco-DPToken 

vasco-SerialNumber vasco-DPApplication 

vasco-ApplicationName vasco-DPApplication 

vasco-ApplicationNumber vasco-DPApplication 

vasco-ApplicationType vasco-DPApplication 

vasco-DPBlob vasco-DPApplication 

vasco-Active vasco-DPApplication 

vasco-LinkUserExtToVascoDigipass vasco-UserExt 

vasco-LinkUserExtToUser vasco-UserExt 

vasco-StaticPassword vasco-UserExt 

vasco-LocalAuth vasco-UserExt 

vasco-BackEndServerAuth vasco-UserExt 

vasco-Disable vasco-UserExt 

vasco-Profile vasco-UserExt 

vasco-AdminPrivileges vasco-UserExt 



Name Class 

vasco-ObjectScope vasco-UserExt 

vasco-OfflineAuthEnabledOverride vasco-UserExt 

vasco-OfflineData vasco-UserExt 

vasco-CreateTime Vasco-UserExt 

vasco-ModifyTime Vasco-UserExt 

vasco-ID vasco-BackEndServer 

vasco-Protocol vasco-BackEndServer 

vasco-Domain vasco-BackEndServer 

vasco-Priority vasco-BackEndServer 

vasco-Retries vasco-BackEndServer 

vasco-AcctIPAddress vasco-BackEndServer 

vasco-AcctPort vasco-BackEndServer 

vasco-AdditionalAttribute vasco-BackEndServer 

vasco-AuthIPAddress vasco-BackEndServer 

vasco-SharedSecret vasco-BackEndServer 

vasco-Timeout vasco-BackEndServer 

Version-Number vasco-BackEndServer 

vasco-ID vasco-Component 

vasco-Location vasco-Component 

vasco-LinkComponentToPolicy vasco-Component 

vasco-Protocol vasco-Component 

vasco-ComponentType vasco-Component 

vasco-PublicKey vasco-Component 

vasco-AdditionalAttribute vasco-Component 

vasco-SharedSecret vasco-Component 

vasco-TCPPort vasco-Component 

Version-Number vasco-Component 

vasco-AdditionalAttribute vasco-Policy 

vasco-AllowedApplType vasco-Policy 

vasco-AllowedDPTypes vasco-Policy 

vasco-ApplicationNames vasco-Policy 

vasco-AssignmentMode vasco-Policy 

vasco-AssignSearchUpOUPath vasco-Policy 

vasco-Autolearn vasco-Policy 

vasco-BackEndAuth vasco-Policy 



Name Class 

vasco-BackupVDPRequestKeyword vasco-Policy 

vasco-BackupVDPRequestMethod vasco-Policy 

vasco-BVDPMaximumDays vasco-Policy 

vasco-BVDPMaximumUses vasco-Policy 

vasco-ChallengeRequestKeyword vasco-Policy 

vasco-ChallengeRequestMethod vasco-Policy 

vasco-CheckChallenge vasco-Policy 

vasco-ChgWinPwdEnabled vasco-Policy 

vasco-ChgWinPwdLength vasco-Policy 

vasco-ChkInactDays vasco-Policy 

vasco-ClientGroupList vasco-Policy 

vasco-ClientGroupMode vasco-Policy 

vasco-DCR vasco-Policy 

vasco-Description vasco-Policy 

vasco-Domain vasco-Policy 

vasco-DUR vasco-Policy 

vasco-EnableBVDP vasco-Policy 

vasco-EventWindow vasco-Policy 

vasco-GracePeriod vasco-Policy 

vasco-GroupCheckMode vasco-Policy 

vasco-GroupList vasco-Policy 

vasco-ID vasco-Policy 

vasco-IThreshold vasco-Policy 

vasco-ITimeWindow vasco-Policy 

vasco-LinkPolicyToChildPolicy vasco-Policy 

vasco-LinkPolicyToComponent vasco-Policy 

vasco-LinkPolicyToParentPolicy vasco-Policy 

vasco-LocalAuth vasco-Policy 

vasco-OfflineAuthEnabled vasco-Policy 

vasco-OfflineTimeIntervals vasco-Policy 

vasco-OfflineMaxEvents vasco-Policy 

vasco-OneStepChalCheckDigit vasco-Policy 

vasco-OneStepChalLength vasco-Policy 

vasco-OneStepChalResp vasco-Policy 

vasco-OnLineSG vasco-Policy 



Name Class 

vasco-PINChangeAllowed vasco-Policy 

vasco-PrimaryVDPRequestKeyword vasco-Policy 

vasco-PrimaryVDPRequestMethod vasco-Policy 

vasco-Protocol vasco-Policy 

vasco-SelfAssignSeparator vasco-Policy 

vasco-SThreshold vasco-Policy 

vasco-STimeWindow vasco-Policy 

vasco-StoredPasswordProxy vasco-Policy 

vasco-SyncWindow vasco-Policy 

vasco-2OTPSyncEnabled vasco-Policy 

Version-Number vasco-Policy 

vasco-ID vasco-Report 

vasco-ReportName vasco-Report 

vasco-Description vasco-Report 

vasco-DataSource vasco-Report 

vasco-GroupLevel vasco-Report 

vasco-ReportType vasco-Report 

vasco-RunPerms vasco-Report 

vasco-ChangePerms vasco-Report 

vasco-TimeFreq vasco-Report 

vasco-QueryDef vasco-Report 

vasco-UserID vasco-Report 

Version-Number vasco-Report 

vasco-ID vasco-ReportFormat 

vasco-FormatName vasco-ReportFormat 

vasco-FormatDef vasco-ReportFormat 

Version-Number vasco-ReportFormat 

vasco-Name vasco-Configuration 

vasco-Value vasco-Configuration 

Version-Number vasco-Configuration 



2.1.3 Added Permission Property Sets 

Property sets have been created for typical groups of permissions required for administration tasks. 

Table 3: Custom Active Directory Permission Property Sets 

Property Set Applicable Object Actions Allowed 


Digipass Assignment Link Digipass Assign and unassign Digipass for Digipass User 

accounts. 

Digipass Application Data Digipass Application Digipass record functions. 

Digipass User Account Information User Modify Digipass User information. 

Digipass User Account to User Link User Link and unlink Digipass Users. This is also required 

when assigning Digipass to linked Digipass User 

records. 

Digipass User Account Stored Password User Read and modify the stored password for a Digipass 

User. 


2.2 Active Directory Auditing 


Active Directory auditing may be configured to record access and modifications to custom objects used by the 

Identikey Server. If you currently have default auditing enabled, it might already include actions on custom objects. 

See these Microsoft articles for information on turning on and configuring auditing: 

Windows 2003 - http://support.microsoft.com/?kbid=814595 

Windows Vista & 2008 – http://technet.microsoft.com/en-us/library/cc731607.aspx 

What Should I Audit? 

This will depend on what you need to audit. For example, if you wanted to record all Digipass assignments in the 

domain, you might set up auditing in the Domain Root for Everyone, with the Digipass Assignment Link property 

set. 

Please note that this type of auditing is specific to Active Directory. Any audit information generated by this 

method cannot be imported into the Identikey Server auditing system, and cannot be used to generate Identikey 

Server reports. 

See the 2.1 Schema Extensions topic for more information on custom objects and permission property sets created 

for the Identikey Server. 

2.2.1 Auditing Inside the Active Directory Users and Computers Extension 

If you wish to produce audit files that can be imported into Identikey Server and can be used to generate Identikey 

Server reports, you can set up auditing from inside the Active Directory Users and Computers Extension (ADUCE). 

All message types are audited - Error, Warning, Information, Success, Failure. 

To enable Auditing in the ADUCE: 

1. On the Digipass Extension Auditing window click on the Auditing option button. 

2. Browse to the location you want the audit file to be written to. The name of the file will be in the format 

ikey_aduce.audit, where is the current year and is the current month. 

3. Click OK. 


2.3 Custom Search Options 


The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in which allows 

searching for specific Digipass and Digipass User records throughout a domain, or within the limits of a delegated 

administrator's permissions. This functionality is especially useful where unassigned Digipass have been allocated 

to various Organizational Units. 

Note 

2.3.1 Saved Queries 

To see the digipass-pool, digipass-reserve, and digipass configuration containers under the 

domain in the Active Directory Users and Computers snap-in the Advanced Features setting 

needs to be enabled. Go to View => Advanced Features and click on Advanced Features to 

toggle the setting on. 

On Windows Server 2003, Windows 2008, and Windows XP, the Microsoft Management Console (MMC) 

framework supports Saved Queries. 

On Windows Server 2003 and Windows XP, a number of Saved Queries are installed automatically into the saved 

MMC console file that is opened using the Start -> Programs -> VASCO -> Identikey Server -> Active Directory 

Users and Computers shortcut. 

In addition, several Query Definition Files are installed in the \Queries folder. These can be 

imported into your existing Active Directory Users and Computers console by right-clicking on the Saved Queries 

folder and selecting Import Query Definition.... 

The Saved Queries provided by the installation are designed to provide several common queries that may be 

useful, as listed below. They can be edited, copied or deleted as required. If you have made a mistake modifying 

one and wish to start again, you can reload the query by deleting it and importing it from the Query Definition File. 


Table 4: Saved Queries in Active Directory Users and Computers 


Query Name Description Query Definition File 

Users with Digipass All Users in the Domain who have one or more 

Digipass assigned directly. 

Users without Digipass All Users in the Domain who have no Digipass 

assigned, directly or via a Linked User. 

Users with a DP User Account All Users in the Domain who have a Digipass User 

Account. 

Users without a DP User 

Account 

All Users in the Domain who do not have a Digipass 

User Account. 

users-with-dp.xml 

users-without-dp.xml 

users-with-dp-user-account.xml 

Assigned Digipass All Digipass in the Domain that are assigned. assigned-dp.xml 

Unassigned Digipass All Digipass in the Domain that are currently 

unassigned, excluding any Reserved Digipass. 

Locked DP User Accounts All Users in the Domain whose Digipass User 

Account is Locked. 

users-without-dp-user-account.xml 

unassigned-dp.xml 

locked-dp-user-accounts.xml 


2.3.2 Using the Custom Search for Digipass 

To perform a search for Digipass: 

1. Right-click on the Organizational Unit in which to search, or the domain root. 

2. Click on Find... 

3. Select the Digipass object type from the Find: drop down list. 


4. Use the Digipass tab to specify the search criteria. Almost all the Digipass search criteria can be set using 

the form on this tab. 

5. If you are searching on any criteria that do not appear on the Digipass tab, use the Advanced tab: 

a. Click on the Advanced tab. 

b. Click on Field and select the required attribute from the list. 

c. Enter the search Condition and Value, then click Add. 

d. Repeat with additional Fields. 

6. Click Find Now to execute the search. Multiple criteria are applied using the logical AND – all criteria must 

be met for a Digipass to be found. 

The available criteria are listed in the following table: 

Table 5: Custom Active Directory Search criteria - Digipass 

Tab Field Name Usage 

Digipass Serial Number Exact Serial Number (as seen in Digipass properties); 

Serial Number with wildcard*; 

First Serial Number in range, when used with To field. 

(Serial Number) To Last Serial Number in range. 

Digipass Type Digipass Type, eg. DP300. Wildcard* allowed. 

Application Name Application Name, eg. GO3DEFAULT. Wildcard* allowed. 

This will find Digipass that have an Active application of the specified 

name**. 

Application Type Application Type: Response Only, Challenge/Response. 


type**. 

Digipass Assignment Assignment status: Assigned, Unassigned. 

Reserved Reserved status: Reserved, Not Reserved. 

Description Free text. 

Use this field to find Digipass records with the same text string within their 

Description field. 


Tab Field Name Usage 


Advanced Application Name Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Application Name (complete or partial) 


Application Name criteria**. 

Application Type Conditions: Is (Exactly), Is Not. 

Values: RO (Response Only), CR (Challenge/Response), SG (Signature). 


Application Type criteria**. 

Backup Virtual Digipass 

Enabled 

Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), Is 

Not, Not Present. 

Values: 0 (Default), 1 (No), 2 (Yes - Permitted), 3 (Yes - Required), 4 (Yes – 

Time Limited). 

Note that Digipass with 'Default' for this setting may either have 0 for this 

attribute or may not have the attribute present. 

Digipass Type Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Digipass Type (complete or partial) 

Reserved Conditions: Is (Exactly), Is Not. 

Values: 0 (No), 1 (Yes). 

This attribute is always present. 

Serial Number Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Serial Number, as seen in Digipass properties (complete or partial) 

User Assignment Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, the Digipass is assigned; if not present, the 

Digipass is unassigned. 

* Search criteria on Digipass Application attributes ignore Inactive Digipass Applications. 

** For a wildcard, the * character is used. 

Example 

A search for Digipass records run with only the following text entered into the Serial Number field, would return these results: 

0097 No records returned 

0097* All Digipass with serial number starting with 0097 

0097987654 Digipass with serial number 0097987654 only 

*76 All Digipass with serial number ending in 76 

2.3.3 Using the Custom Search for Users 

To perform a search for Users: 

1. Right-click on the Organizational Unit in which to search, or the domain root. 


2. Click on Find... 

3. Select the Users, Contacts, and Groups object type from the Find: drop down list. 

4. If you have search criteria that are not related to Digipass, specify them as usual. 

5. To specify Digipass related search criteria, use the Advanced tab: 

a. Click on the Advanced tab. 

b. Click on Field, select the User submenu and select the required attribute from the list. 

c. Enter the search Condition and Value, then click Add. 

d. Repeat with additional Fields. 


6. Click Find Now to execute the search. Multiple criteria are applied using the logical AND – all criteria must 

be met for a User to be found. 

The available criteria are listed in the following table: 

Table 6: Custom Active Directory Search criteria - Users 

Field Name Usage 

Digipass Assignment Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, a Digipass is assigned to the User; if not 

present, no Digipass is assigned. 

Digipass Back-End Authentication Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), 

Is Not, Not Present. 

Values: 0 (Default), 1 (None), 2 (If Needed), 3 (Always). 

Note that Users with 'Default' for this setting may either have 0 for this 


Digipass Local Authentication Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), 


Values: 0 (Default), 1 (None), 2 (Digipass/Password), 3 (Digipass Only). 

Note that Users with 'Default' for this setting may either have 0 for this 


Digipass User Account Create Time Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), 

Is Not, Present, Not Present. 

Values: Number of seconds since 1 st Jan 1970 00:00:00 that the 

Digipass User account was created. 

If this attribute is present, the User has a Digipass User account; if not 

present, the User does not. 

Digipass User Account Disabled Conditions: Is (Exactly), Is Not, Not Present. 


If this attribute is not present, the account is not disabled*. 

Digipass User Account Lock Count Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), 


Values: current count of failed logins since last successful login. 

If this attribute is not present, it is treated as 0. 


Field Name Usage 


Digipass User Account Locked Conditions: Is (Exactly), Is Not, Not Present. 


If this attribute is not present, the account is not locked*. 

Digipass User Account Modify Time Conditions: Less than or equal to, Greater than or equal to, Is (Exactly), 

Is Not, Present, Not Present. 

Values: Number of seconds since 1 st Jan 1970 00:00:00 that the 

Digipass User account was last modified. 

Digipass User Account Password This field does not have practical value as a search field, but is listed 

by Active Directory anyway. 

Digipass User Attributes This field is not currently used. 

Digipass User to User Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, The Digipass User account is linked to 

another Digipass User account; if not present, there is no link. 

* If you specify Is Not 1, the results will include Users who do not have the attribute set, in addition to those who 

have the attribute set to 0. 

Example 

A search for Digipass User accounts where the Local Authentication setting has a value other than Default would use the following 

criteria: 

Digipass Local Authentication Greater than or equal to 1 


2.4 Active Directory Replication Issues 


Active Directory replication is not instantaneous. Intra-site replication is usually quite fast but changes on one 

Domain Controller may still take several minutes to be replicated to other Domain Controllers. Inter-site replication 

may be quite slow – an hour or more between replications is common. 

Replication occurs when more than one Domain Controller exists in a domain. 

2.4.1 Old Data Used After Attribute Modified 

The time period between replications becomes a problem where information is changed on one Domain Controller 

(for example, a Digipass User's Server PIN is reset), but old information is used on another Domain Controller 

before the changed information has been replicated to it. 

There are a few scenarios where this may occur. These are listed below: 

2.4.1.1 Single Identikey Server using more than one Domain Controller 

A single Identikey Server may make a change to a record, have to switch to another Domain Controller, and read 

the same record – where the change has not yet been applied. 

Example 

A User logs in with an OTP, and the Identikey Server connects to DC-01 to retrieve and update the Digipass data. The connection to 

the DC-01 fails soon after login, before replication has occurred. The User needs to log in again, and the Identikey Server connects 

to DC-02 this time. The User can log in using the same OTP as the last login – the login should fail (OTP replay) but instead 

succeeds, because DC-02 does not yet know that the OTP has been previously used. 

Time DC-01 DC-02 

8:32 Replication occurs 

8:34 User logs in with OTP 10457920. 

The Identikey Server records the use of the OTP in the 

Digipass record. 

8:35 Connection to DC-01 is broken, and the Identikey 

Server switches to DC-02. 

8:35 User retries login using same OTP 

10457920. The login succeeds where it 

should have failed (OTP replay). 

The Identikey Server records the use of the 

OTP in the Digipass record. 


Digipass record changes are replicated between DC-01 and DC-02. 

The example timeline above shows the sequence of events. 


2.4.1.2 Administrator and Identikey Server using different Domain Controllers 


The administrator may not be connected to the same Domain Controller (via the Administration Interfaces) as the 

Identikey Server. 

Example 

An administrator changes a User's Server PIN through the Active Directory Users and Computers extension, which is connected to 

DC-01. The Identikey Server connects to DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet 

aware of the change of Server PIN. 



9:03 Administrator changes a User's Server PIN 

from 1234 to 9876. 

9:04 User attempts to log in using new PIN (9876) and the 

login fails. 




2.4.1.3 Multiple Identikey Servers Using Different Domain Controllers 

Multiple Identikey Servers may connect to different Domain Controllers in a domain or site. 

Example 

A User changes their own PIN during a login through one Identikey Server which connects to DC-01. The server on which the 

Identikey Server is installed becomes unavailable, and the User attempts another login via the Identikey Server on a backup server, 

which connects to DC-02. The login fails because DC-02 is not yet aware of the change of Server PIN. 



11:55 User changes their Server PIN from 1234 

to 9876 during login. 

The Identikey Server records the PIN 

change in the Digipass record. 

11:57 User attempts to log in using new PIN (9876) and the 

login fails. 






2.4.1.4 Two Administrators Modifying the Same Attribute 

Two administrators attempt to modify the same attribute on a single User account or Digipass record within the 

same replication interval. The later modification will overwrite the earlier when replication occurs. 

2.4.2 Old Data Used Overwrites New Data 

The problems above are exacerbated when the old information used on the second Domain Controller is updated 

based on the old information. As the updated record on the second Domain Controller now has a later modification 

date, the end result is that the changed information on the first Domain Controller is overwritten incorrectly. 

Example 

An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User logs in through the Identikey Server, 

which connects to DC-02. The User enters the new Server PIN and his One Time Password. However, the PIN set on DC-01 has not 

yet been replicated to DC-02, so because the PIN entered does not match the old PIN still recorded in the Digipass record on DC- 

02, the login fails. 

Because the Policy setting of Identification Threshold is in use, his login failure is written back to the Digipass record. When 

replication occurs, the Digipass record on DC-02 has the latest modification date – and is copied to DC-01, wiping out the original 

PIN setting made by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server PIN for the Digipass. 


10:45 Replication 

10:46 Administrator changes User's PIN from 

9876 to 1234. 

10:48 User login (with new PIN of 1234) fails. 

Identikey Server writes failure information to Digipass 

record. 

10:50 Replication 

Active Directory finds last instance of the Digipass blob having been modified. 

Active Directory overwrites DC-01 Digipass record with DC-02 Digipass record. 

The example timeline above shows how the problem can occur. 

The problem shown in the example above may also occur in a Force PIN Change set by an administrator. 

2.4.3 Factors Affecting Replication Issues 

A number of factors determine the likelihood and severity of the Active Directory issues described: 

Redundancy and load-balancing settings for the Identikey Server 

There are a number of Identikey Server configuration settings which may affect replication issues: 

Preferred Server 

The Identikey Server will attempt to connect to the named Domain Controller, rather than simply polling the 

domain for an available Domain Controller. 



Preferred Server Only 

The Identikey Server may be restricted to connecting only to the Domain Controller named in the above setting. 

If this is enabled, the Identikey Server will not switch to any other Domain Controller, so it will never retrieve 

data older than its own. 

Max. Bind Lifetime 

The maximum bind lifetime controls how long the Identikey Server will stay connected to a Domain Controller 

before polling the domain for a Domain Controller connection. 

Replication Interval 

On Windows Server 2003 and Windows 2008, the intra-site replication interval is not configurable, but is set to 

approximately 15 seconds, as replication is much more efficient. 

Inter-site replication is fully configurable on Windows Server 2003 and Windows 2008. 

The longer the replication interval, the more likelihood of these problems occurring. 

Number of Domain Controllers in the Site 

Each Domain Controller regularly requires replication with all other local Domain Controllers. As this is done 

sequentially, it will affect the amount of time between replications. 

2.4.4 Solutions and Mitigations 

2.4.4.1 Digipass Cache 

The Digipass cache collects Digipass records as they are modified, and keeps them in memory for a certain length 

of time. A newer entry from the cache is always used in preference to an older record from Active Directory. The 

cache age should be a little longer than the typical replication interval. The default is 10 minutes (600 seconds). 

This option will help in problems caused by a single Identikey Server accessing more than one Domain Controller in 

a domain – see 2.4.1.1 Single Identikey Server using more than one Domain Controller. 

It will also assist in 

problems caused by having multiple Authentication Servers accessing more than one Domain Controller in a 

domain, if Identikey Server replication is enabled between the servers. However, it will not affect the scenario of an 

Administration Interface being connected to a different Domain Controller to the Identikey Server. 

If you calculate that your typical replication interval will be more than ten minutes, the cache age may be increased 

by modifying the Blob-Cache Max-Age setting in the configuration file (\bin\identikeyconfig.xml): 

 

 

 

 

 

 

A large cache may slow down processing slightly for the Identikey Server, so monitor performance to check the 

impact caused after modifying the cache age. 



Warning 

If the Identikey Server is installed on a Member Server, this server must be closely timesynchronized 

with the Domain Controller(s). If the server is not time-synchronized, the Policy 

may select an older record when comparing records in the Digipass cache with those on the 

Domain Controller. 

If the Identikey Server is installed on a Domain Controller, time-synchronization is assumed. 


2.5 DPADadmin Utility 

2.5.1 Extend Active Directory Schema 


The addschema command is used to create all the Active Directory Schema extensions, if they are not already 

there. Each element will be checked individually to see if it is already there and if not, will be added. 

This command is intended to be run manually by a domain administrator before the main Identikey Server 

installation is run, as recommended by Microsoft. 

It may be necessary to go through an approval process in your company before running this command, as it 

involves changes to Active Directory Schema. You may also need to have another administrator run the command 

for you, possibly in another part of your network. This depends on your company’s structure and rules for Active 

Directory control. 

Prerequisite Information 

Schema Master Machine 

This command may technically be run on any Windows XP, 2003, Vista or 2008 machine. However it needs to 

contact the Domain Controller which has the Schema Master role. There can be only one Domain Controller in the 

Forest with that role. It may be simplest to run the command directly on the Schema Master, to avoid any potential 

connectivity or permission issues. 

Warning 

Warning: If you are passing the credentials to the command in the parameters, and you are not 

running the command on the Schema Master, check that you do not have any shares on the 

Schema Master open. This will cause the command to fail. 

Domain Administrator Account 

In order to successfully update the Schema, you must know the username and password of a Domain 

Administrator account that is able to log into the Schema Master. You must either run the command while logged 

in as that user, or pass the credentials to the command in the parameters. The Domain Administrator must have 

permission to extend the Schema – they must be a member of the Schema Admins group in the Forest-Root- 

Domain (the first Domain created in the Forest). 

Schema Changes Allowed 

By default, Active Directory does not permit Schema extensions to be made. There is a registry setting that must 

be changed to allow extensions. If this is not already set, DPADadmin will ask you whether it should change the 

setting itself or not. If you click on Yes, it will change the setting itself, make the extensions then change it back 

again. 



If you would prefer to change the setting manually, log into the Schema Master and change the value of the 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\ Parameters\Schema Update Allowed 

registry key to 1, adding it as a value of type DWORD if it does not already exist. Alternatively, if the Schema 

Manager MMC snap-in is installed on the machine, this can be used to enable or disable Schema extensions. 

If you have disabled the Schema extensions after removing a previous installation in the Forest, reactivate them 

before using this command. This can be done using the Schema Manager MMC snap-in used to deactivate them. 

Extend the Schema on the Schema Master 

1. Log into the Schema Master as a member of the Schema Administrators group. 

2. Copy dpadadmin.exe onto the Schema Master 

3. Open a command prompt in the location to which it was copied. 

4. Type: 

dpadadmin addschema 

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to 

enable them or not. Enter y to enable them, or n to cancel. 

The progress and success/failure of the command will be displayed in the command prompt window. If there was 

a failure, it can be run again after the problem has been rectified. 

Extend the Schema on the Identikey Server 

1. Open a command prompt and navigate to the installation’s bin directory by typing: 

2. Type: 

cd \bin 

dpadadmin addschema –master schema_master –u user_name –p password 

3. See Command Line Syntax for more details regarding the required parameters. 

4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to enable them. Enter y to 

enable them, or n to cancel. 



Active Directory Replication Interval 

If Active Directory is running replication between multiple domain controllers, allow time for the schema changes to 

be replicated across the system. The DPADadmin checkschema command may be used to check this – see 2.5.2 

Check Schema Extensions for more information. 

Command Line Syntax 

dpadadmin addschema [–master schema_master] [–u user_name [–p password]] 

[-q] 


Table 7: DPADadmin addschema Command Line Options 

Option Description 


-master Fully qualified name of the Domain Controller with the Schema Master role. This option may 

be omitted if the command is run directly on the Schema Master. 

-u User name of a Domain Administrator in the Schema Administrators group. This option may be 

omitted if you are logged into the machine as that Domain Administrator when you run the 

command. 

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that 

Domain Administrator or if they have a blank password. 

-q Quiet mode, will not output commentary text. 

DPADadmin addschema Command Sample 

2.5.2 Check Schema Extensions 

dpadadmin addschema –master dc1.vasco.com –u schema_admin –p sa_password 

The checkschema command can be used to check that the Active Directory schema has been extended to include 

VASCO objects and attributes. 

2.5.2.1 Check the Database Structure 

1. Open a command prompt and go to the installation’s bin directory by typing: 

2. Type 

a. Open a command prompt and navigate to the installation’s bin directory by typing: 

cd \bin 

dpadadmin checkschema –u user_name –p password 

3. See below for more details regarding the parameters. 

The progress and success/failure of the command will be displayed in the command prompt window. 

2.5.2.2 Command Line Syntax 

dpadadmin checkschema [–u user_name [–p password]] [-m] [-d] [-q] [-v] [-l 

file_name] 

Table 8: DPADadmin checkschema Command Line Options 


-u User name of a Domain Administrator in the Schema Administrators group. This option may be 

omitted if you are logged into the machine as that Domain Administrator when you run the 



command. 


-p Password of the Domain Administrator. This option may be omitted if you are logged in as that 

Domain Administrator or if they have a blank password. 

-m Fully qualified name of the Domain Controller with the Schema Master role. This option may 

be omitted if the command is run directly on the Schema Master. 

-d Specify the domain in which the schema check should be run. 


-v Verbose mode. 

-l Log output to file file_name. 

DPADadmin checkschema Command Sample 

dpadadmin checkschema –u schema_admin –p sa_password 

2.5.3 Set Up Digipass Containers in Domain 

This command sets up the Digipass-Pool and Digipass-Reserve containers in the specified domain. It can 

optionally set up the Digipass-Configuration container also. 

2.5.3.1 Prerequisite Information 

Domain Administrator 

You must be logged into the machine as a Domain Admin in the target domain. 

2.5.3.2 Set Up Digipass Containers 

1. Log into the machine as a Domain Administrator in that Domain. 

2. Copy dpadadmin.exe onto the machine and open a command prompt in the location to which it was copied. 

3. Type: 

dpadadmin setupdomain 


2.5.3.3 Command Syntax 

dpadadmin setupdomain [-config] [-domain ] [-q] 


Table 9: DPADadmin setupdomain Command Line Options 



-config OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration 

container must be created. 

-domain OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current 

machine belongs will be used. 

-q OPTIONAL. Specifies that quiet mode should be used. 

DPADadmin setupdomain Command Sample 

dpadadmin setupdomain -config -q 

2.5.4 Assign Digipass Permissions to a Group 

This command assigns Digipass-specific permissions to a Windows group, applicable at the domain root and 

downwards. The permissions assigned are: 

2.5.4.1 Pre-requisites 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Full write access to vasco-UserExt auxiliary objects 

You must be logged into the machine as a Domain Admin in the target domain. 

2.5.4.2 Command Syntax 

dpadadmin.exe setupaccess -group [-domain ] [-q] [-c] 

Table 10: DPADadmin setupaccess Command Line Options 


-group MANDATORY. Specify the name of the group to assign the permissions. Double-quotes 

are required if there are any spaces. 

-domain OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or 

user belongs. If omitted, the domain to which the current machine belongs will be used. 

-q OPTIONAL. Specify that quiet mode should be used. 

-c OPTIONAL. Add the local computer to the group named. 


DPADadmin setupaccess Command Sample 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” -q 

2.5.5 Delete all Digipass-Related Data from Active Directory 


Digipass-specific information is not removed from Active Directory when Identikey Server is uninstalled from a 

computer. 

A custom VB script is available which will strip all information related to the Identikey Server from a domain. The 

data removed includes: 

Digipass-Configuration container if present 

VASCO Records in container: 

Policy 

Component 

BackendServer 

Report 

Reportformat 

Configuration 

Offline authentication data 

Digipass-Pool container if present 

Digipass records in container 

Digipass-Reserve container if present 

Digipass records in container 

All Digipass in the domain, including all Digipass Applications. 

All Digipass User Accounts 

Each Digipass User account is deleted by searching for Active Directory Users with the vasco-CreateTime attribute 

set (indicating that a Digipass User account has been created for that User). All vasco-UserExt attributes on the 

Active Directory User are reset. 

Note 

The script must be run in each domain from which data is to be removed. 


2.5.5.1 Run Delete Script on a Domain 


1. Get dpDeleteAll.vbs file from the CD – \Windows\Utilities\DpDeleteAll directory. Copy to the computer where 

you will run the command. 

2. Open cmd prompt, logged in as domain admin in the domain required. 

3. Enter the following: 

cscript dpDeleteAll.vbs [] [-v] 

4. If the machine does not belong to the target domain, specify the domain name 

5. If you want record-by-record progress display, specify -v (verbose mode). 

Example 

cscript dpDeleteAll.vbs dm3.vasco.com -v 


3 ODBC Database 

3.1 Database Support 

Note 

ODBC Database 

An embedded database option is available in the Windows Basic installation program. This will 

install PostgreSQL 8.2 for you on the server. 

However, Identikey Server supports other ODBC-compliant databases, should you prefer to use 

your own database. 

Identikey Server makes use of a limited set of database features, in order to support as many RDBMS (Relational 

Database Management Systems) as possible: 

Tables (relations) with the following datatypes: 

INTEGER (32-bit) 

VARCHAR (up to 1024 characters; on Microsoft SQL Server this is NVARCHAR for Unicode support) 

LONGVARCHAR or TEXT (depending on the database type) is used for columns over 1024 characters if 

required by the database 

TIMESTAMP (for some databases, this is DATETIME or DATE – this is not an automatically generated 

timestamp, but just a date/time field) 

Primary Key constraints 

Foreign Key constraints, using the default action (restrict) and cascade delete 

ANSI Standard SQL DML (Data Manipulation Language) – select, insert, update, delete, without any vendorspecific 

syntax 

Transactions with simple COMMIT and ROLLBACK (no 'save points' or equivalents) 

In order for a database to be supported, there must be an ODBC level 3 driver that supports: 

Multi-threaded access using multiple concurrent connections 

'Wide char' (Unicode) parameters for input and output 

The following databases have been specifically tested: 

Oracle 10g and Oracle 11g 

Microsoft SQL Server 2005 Full Enterprise Edition or Express 

IBM DB2 8.1 (on 32-bit platforms) and 9.1 (on 64-bit platforms) 

Sybase Adaptive Server Anywhere 10.0 


PostgreSQL 8.2.5 

3.1.1 Unicode Support 

ODBC Database 

At a minimum, the database ODBC driver must allow the 'wide char' parameters to be used, as mentioned above. 

However, the underlying database does not necessarily need to be configured with Unicode support. The database 

only needs to be able to handle the characters that are actually used. 

If you do want full Unicode support in the database, refer to the database vendor's instructions. Normally, a 

database has to be created with Unicode storage from the start. Depending upon the database type, some of the 

columns in the database need to be increased in size, to handle multi-byte UTF-8 encoded data. The database 

documentation should indicate whether VARCHAR columns are defined by number of characters or number of 

bytes. 

3.2 Embedded Database 

The embedded database option supplied with Identikey Server for Windows uses PostgreSQL 8.2. The database 

server is installed as a Service and a single database created. This database has full Unicode support. 

The full PostgreSQL install package is used, so the database administation tools and documentation are available. 

The package is installed under the Identikey Server installation directory. 

3.2.1 Service Account 

Windows 

A local Windows account called dppostgres is created on the installation machine. This account is given privileges 

to log on as a service and locally. If installed on a domain controller, this account will be a domain account. The 

privileges to log on locally may be removed manually after installation if preferred, without preventing PostgreSQL 

from running. 

Note 

The dppostgres account is not automatically deleted upon uninstallation of PostgreSQL. 

The default password for dppostgres is p!ss&0rd. This can be changed using the standard Windows or Active 

Directory user management interface. If you do this, make sure that the Windows Service Control Manager is 

configured with the new password. The PostgreSQL service is PostgreSQL Database Server 8.2. 

If you have changed the password when you uninstall and reinstall the product, either delete the dppostgres 

account or change its password back to the default password shown above before re-installing. Otherwise, reinstallation 

of PostgreSQL will fail. 


Linux 

ODBC Database 

During Linux Simple Installation a postgres daemon user account is created, which is assigned the correct 

permissions to run the PostgreSQL server. The PostgreSQL server is registered as a Linux daemon which runs 

under the postgres account. 

3.2.2 Database Administration Account 

A single database administrator account called digipass is created when the embedded database is installed, with 

password digipassword. It has full administration and access rights to the database. 

This account is used by the Identikey Server to connect to the database. If you use an SQL or database 

administration tool to connect to the database, you can also use this account. 

If you want to change the password, you can do this using the pgAdmin III utility. See 3.2.3 Database 

Administration below. 

3.2.3 Database Administration 

Windows 

The full set of PostgreSQL administration tools are installed with the embedded database. For a full description, 

refer to the PostgreSQL documentation that is installed with the product. 

The main tool to use is pgAdmin III, which is a graphical administration interface. This can be launched by clicking 

on the Start Button and selecting Programs -> PostgreSQL 8.2 -> pgAdmin III. 

To connect to the database, right-click on the Servers -> PostgreSQL Database Server 8.2 node in the tree pane 

and select the Connect option. You will be prompted for the password for the digipass user – the default after 

installation is digipassword. 

After logging in, you can perform a range of database administration tasks. See the online help for more details on 

what can be done with the utility. 

The 6 Backup and Recovery section includes instructions on the pg_dump, pg_restore and vacuumdb utilities. 

Linux 

For Linux the PostgreSQL command line utilities are installed. For a full description of the command line utilities 

refer to the PostgreSQL documentation installed with the product. 

3.2.3.2 Changing the Digipass User's Password 

After logging in as described above, expand the Login Roles node in the tree pane. Right-click on the digipass 

node underneath and select Properties. Enter the new password, confirm it and click OK. 


1. Run pgAdmin III and connect as described above. 

2. Expand the Login Roles node in the tree pane. 

3. Right-click on the digipass node underneath and select Properties. 

4. Enter the new Password and confirm it in Password (again). 

5. Click on OK. 

ODBC Database 

6. Open the Identikey Server Configuration utility: click on the Start Button and select Programs -> VASCO -> 

Identikey Server -> Identikey Server Configuration. 

7. Click on the Storage section. 

8. Click on the Identikey Server row in the ODBC Data Sources list and click the Edit... button. 

9. Modify the Password field with the new password and click Test Connection. Identikey Server 

Configuration will test that it can connect to the database using the new password and inform you of the 

result. 

10. If connection failed, make sure you have entered the password correctly and try again. If it still fails, cancel 

out of Identikey Server Configuration and try repeating the whole procedure from step 1. 

11. Click OK. 

12. Click OK to exit Identikey Server Configuration. When prompted to restart the Service, click Yes. 

3.2.4 Connection Limitations 

The embedded database install leaves PostgreSQL with the default configuration, that connections to the database 

may only be made on the same machine. If you need to connect from another machine to the database, you need 

to update the configuration. 

In order to allow connection from another machine, you need to modify a PostgreSQL configuration file. Edit the 

configuration file with a text editor. This file can be found at: 

\PostgreSQL\data\pg_hba.conf (Windows) 

/opt/vasco/identikey/usr/local/pgsql/data/pg_hba.conf (Linux) 

At the bottom of this file, there is a list of rules for authenticating connections to the database, which by default will 

be: 

# TYPE DATABASE USER CIDR-ADDRESS METHOD 

# IPv4 local connections: 

host all all 127.0.0.1/32 md5 


#host all all ::1/128 md5 

Refer to the PostgreSQL documentation for more details. As an example, to permit access from IP address 

10.10.1.50 by the digipass user to the postgres database, add the following line directly below # Ipv4 local 

connections: 

host postgres digipass 10.10.1.50/32 md5 


3.3 Database Schema 

ODBC Database 

Digipass-related data is stored in a number of tables that are created using the DPDBADMIN command line utility: 

Table 11: ODBC Database Tables 

Table Name Notes 

vdsControl This table is used to control various details about the database schema and 

connection. 

vdsUser Contains Digipass User Account details. 

vdsUserAttr Authorization profiles/attributes (not used for all scenarios). 

vdsDigipass Information about individual Digipass, including the Digipass User to which they 

are assigned. 

vdsDPApplication Data for Applications belonging to each Digipass, such as Server PIN and 

expected OTP length. 

vdsDPSoftParams Data required for Software Digipass Provisioning (the 'Static Vector' used to 

generate Activation Codes). 

vdsPolicy Policy attributes. Attributes will commonly be shared via inheritance. 

vdsComponent Component attributes include the License Key for Identikey Servers. 

vdsBackEnd Back-End Server attributes. This includes RADIUS and LDAP server information. 

vdsDomain Domain list. 

vdsOrgUnit Organizational Unit structure. 

vdsReport Report definitions. 

vdsReportFormat Formatting templates for reports. 

vdsConfiguration Configuration settings for the Identikey Server. 

vdsOfflineAuthData Offline authentication data. This is included for future releases of Identikey 

Server. 

3.3.1 vdsControl Table 

Table 12: vdsControl Table 

Name Type Required? 

vdsName varchar(64) Yes 

vdsValue varchar(512) 

vdsFlags integer 

Primary Key: (vdsName) 

Foreign Keys: None 


3.3.2 vdsUser Table 

Table 13: vdsUser Table 


vdsDomain varchar(255) Yes 

vdsUserId varchar(255) Yes 

vdsOrgUnit varchar(255) 

vdsUserName varchar(64) 

vdsDescription varchar(1024) 

vdsPhone varchar(64) 

vdsMobile varchar(64) 

vdsEmail varchar(64) 

vdsStaticPwd varchar(690)* 

vdsLinkUserDomain varchar(255) 

vdsLinkUserId varchar(255) 

vdsLocalAuth integer 

vdsBackEndAuth integer 

vdsLockCount integer 

vdsLocked integer 

vdsDisabled integer 

vdsProfiles** varchar(255) 

vdsAdminPrivileges varchar(255)* 

vdsOfflineAuthEnabled integer 

vdsCreateTime timestamp Yes 

vdsModifyTime timestamp Yes 

* This column contains binary data stored in base64-encoded format. 

** This column is obsolete (replaced by the separate vdsUserAttr table). 

Primary Key: (vdsDomain, vdsUserId) 

Foreign Keys: 

(vdsDomain) references vdsDomain 

(vdsDomain, vdsOrgUnit) references vdsOrgUnit 

(vdsLinkUserDomain, vdsLinkUserId) references vdsUser 

ODBC Database 


3.3.3 vdsUserAttr Table 

Table 14: vdsUserAttr Table 



vdsUserId varchar(255) Yes 

vdsAttrGroup varchar(64) Yes 

vdsSeqNo integer Yes 

vdsName varchar(64) Yes 

vdsUsageQual varchar(64) 




Primary Key: (vdsDomain, vdsUserId, vdsAttrGroup, vdsSeqNo) 

Foreign Keys: 

3.3.4 vdsDigipass Table 

(vdsDomain, vdsUserId) references vdsUser (ON DELETE CASCADE) 

Table 15: vdsDigipass Table 


vdsSerialNo varchar(32) Yes 


vdsOrgUnit varchar(255) 

vdsDPType varchar(32) 

vdsUserId varchar(255) 

vdsAssignDate timestamp 

vdsGPExpires timestamp 

vdsBVDPEnabled integer 

vdsBVDPExpires timestamp 

vdsBVDPUsesLeft integer 

vdsDirectAssign integer 

vdsDPSoftParamsID varchar(64) 

vdsActivLocs varchar(1024) 

vdsActivCount integer 

ODBC Database 



vdsLastActivTime timestamp 

vdsDPDescription varchar(255) 



Primary Key: (vdsSerialNo) 

Foreign Keys: 


(vdsDomain, vdsOrgUnit) references vdsOrgUnit 

(vdsDomain, vdsUserId) references vdsUser 

(vdsDPSoftParamsID) references vdsDPSoftParams 

3.3.5 vdsDPApplication Table 

Table 16: vdsDPApplication Table 


vdsSerialNo varchar(32) Yes 

vdsApplName varchar(32) Yes 

vdsApplNo integer 

vdsApplType integer 

vdsActive integer 

vdsBlob varchar(255) 



Primary Key: (vdsSerialNo, vdsApplName) 

Foreign Keys: 

(vdsSerialNo) references vdsDigipass 

3.3.6 vdsDPSoftParams Table 

Table 17: vdsDPSoftParams Table 


vdsDPSoftParamsID varchar(64) Yes 

ODBC Database 



vdsStaticVector varchar(1024) Yes 



Primary Key: (vdsDPSoftParamsID) 


3.3.7 vdsPolicy Table 

Table 18: vdsPolicy Table 


vdsPolicyId varchar(60) Yes 


vdsParentPolicyId varchar(60) 

vdsDUR integer 

vdsAutoLearn integer 

vdsSPwdProxy integer 

vdsAssignMode integer 

vdsSearchUpOU integer 

vdsApplNames varchar(255) 

vdsApplType integer 

vdsDPTypes varchar(255) 

vdsGracePeriod integer 

vdsLocalAuth integer 

vdsBackEndAuth integer 

vdsBackEndProtocol varchar(32) 

vdsDefDomain varchar(255) 

vdsGroupList varchar(1024) 

vdsGroupMode integer 

vdsOSCR integer 

vdsOSCLength integer 

vdsOSCChkDgt integer 

vdsBVDPEnabled integer 

vdsBVDPMaxDays integer 

vdsBVDPMaxUses integer 

ODBC Database 



vdsChgPinAllowed integer 

vdsSelfAssignSep varchar(8) 

vdsCRMethod integer 

vdsCRKeyword varchar(16) 

vdsPVDPRqstMeth integer 

vdsPVDPKeyword varchar(16) 

vdsBVDPRqstMeth integer 

vdsBVDPKeyword varchar(16) 

vdsITimeWindow integer 

vdsSTimeWindow integer 

vdsEventWindow integer 

vdsSyncWindow integer 

vdsIThreshold integer 

vdsSThreshold integer 

vdsCheckChal integer 

vdsOnlineSG integer 

vdsChkInactDays integer 

vdsOTPSyncEnabled integer 

vdsDCR integer 

vdsChgWinPwdEnabled integer 

vdsChangeWinPwdLength integer 

vdsClientGroupMode integer 



vdsLockThreshold integer 

Primary Key: (vdsPolicyId) 

Foreign Keys: 

(vdsParentPolicyId) references vdsPolicy 

3.3.8 vdsComponent Table 

Table 19: vdsComponent Table 


vdsComponentType varchar(60) Yes 

ODBC Database 



vdsLocation varchar(255) Yes 

vdsPolicyId varchar(80) Yes 

vdsProtocolId varchar(32) 

vdsTCPPort integer 

vdsSharedSecret varchar(690)* 

vdsLicenseKey varchar(1024) 

vdsPubKey varchar(1024) 

vdsCreateTime Timestamp Yes 

vdsModifyTime Timestamp Yes 


Primary Key: (vdsComponentType, vdsLocation) 

Foreign Keys: 

(vdsPolicyId) references vdsPolicy 

3.3.9 vdsBackEnd Table 

Table 20: vdsBackEnd Table 


vdsServerId varchar(80) Yes 

vdsProtocolId varchar(32) 

vdsDomain varchar(255) 

vdsPriority integer 

vdsAuthAddr varchar(128) 

vdsAuthPort integer 

vdsRadAcctAddr varchar(128) 

vdsRadAcctPort integer 

vdsRetries integer 

vdsTimeout integer 

vdsRadSharedSecret varchar(690)* 

vdsDirBaseDN varchar(512) 

vdsSecPrincplDN varchar(512) 

vdsSecPrincplPwd varchar(32) 

vdsDirAuth varchar(32) 

ODBC Database 






Primary Key: (vdsServerId) 


3.3.10 vdsDomain Table 

Table 21: vdsDomain Table 






Primary Key: (vdsDomain) 


3.3.11 vdsOrgUnit Table 

Table 22: vdsOrgUnit Table 



vdsOrgUnit varchar(255) Yes 


vdsParentOrgUnit varchar(255) 



Primary Key: (vdsDomain, vdsOrgUnit) 

Foreign Keys: 


(vdsDomain, vdsParentOrgUnit) references vdsOrgUnit 

ODBC Database 


3.3.12 vdsReport Table 

Table 23: vdsReport Table 



vdsReportID varchar(64) Yes 

vdsReportName varchar(64) Yes 

vdsReportDesc varchar(255) Yes 

vdsDataSource integer Yes 

vdsGroupLevel integer Yes 

vdsReportType integer Yes 

vdsRunPerms integer Yes 

vdsChangePerms integer Yes 

vdsTimeFreq integer Yes 

vdsQueryDef varchar(1024) Yes 

vdsUserID varchar(255) 



Primary Key: (vdsDomain, vdsReportID) 

Foreign Keys: 


(vdsDomain, vdsUserID) references vdsUser 

3.3.13 vdsReportFormat Table 

Table 24: vdsReportFormat Table 



vdsReportID varchar(64) Yes 

vdsFmtName varchar(64) Yes 

vdsFmtDef varchar(32768)* Yes 




ODBC Database 


Primary Key: (vdsDomain, vdsReportID, vdsFmtName) 

Foreign Keys: 

(vdsDomain, vdsReportID) references vdsReport 

3.3.14 vdsConfiguration Table 

Table 25: vdsConfiguration Table 


vdsName varchar(512) yes 


vdsCreateTime timestamp yes 

vdsModifyTime timestamp yes 

Primary Key: vdsName 


3.3.15 vdsOfflineAuthData Table 

Table 26: vdsOfflineAuthData Table 


vdsComponentType varchar(60) yes 

vdsLocation varchar(255) yes 

vdsDomain varchar(255) yes 

vdsUserId varchar(255) yes 

vdsEventWindow integer 

vdsEventCounter integer 

vdsStartTime timestamp 

vdsEndTime timestamp 

vdsReGenRequired integer 

vdsCreateTime timestamp yes 

vdsModifyTime timestamp yes 

Primary Key: vdsComponentType, vdsLocation, vdsDomain, vdsUserid 

Foreign Keys: vdsComponentType, vdsLocation, vdsDomain, vdsUserid 

ODBC Database 


3.4 Encoding and Case-Sensitivity 

ODBC Database 

When you create the database, depending on the database type, you may have the chance to select a collation 

sequence. The collation sequence determines both the sort order and the case-sensitivity of the database. If you 

do not have the chance to select the collation sequence, it is advisable to find out how it is already defined. 

The encoding used by the database is important when considering support for non-English languages. You must 

ensure that the database will be able to store the data in whatever languages may be used in your system. 

Case-sensitivity is of particular importance when looking up a Digipass User account. It determines whether the 

user must get the correct case for their UserId when logging in. For example, if your database collation sequence is 

case-sensitive, user “JSmith” would have to log in as exactly “JSmith”, not “jsmith”. If you want a case-insensitive 

User ID and domain lookup, and your database does not behave this way by default, you have two choices: 

Choose a case-insensitive collation sequence for the database. 

Use a configuration option in Identikey Server to convert User ID and Domain names to all upper or all lower 

case. 

Caution 

The configuration setting for case-sensitivity can be set up in the Identikey Server Configuration 

Wizard before data is entered into the database. This setting can be changed later using the 

Identikey Server Configuration utility. However, since the new setting value may invalidate 

existing Digipass User accounts and Domain records, additional work may be required. 

For example, if you have a User ID in upper or mixed case and you change the setting to convert 

to lower case, the Digipass User account with this User ID will need to be deleted and recreated. 

This setting is especially important for the Master Domain. If you plan to configure the Identikey 

Server to convert User IDs and Domains to upper case, change the name of the Master Domain 

before changing the case setting. See 3.5.1.1 Master Domain for more information. 

The embedded database created by the installation program uses UTF-8 encoding. In addition, as this results in 

case-sensitive collation, the option to convert User IDs and domain names to lower case is set by default. 

3.5 Domains and Organizational Units 

The concepts of Domain and Organizational Unit are present in Identikey Server for the purpose of grouping 

users. They closely match the concepts of the same names in Active Directory/LDAP, but they are not identical. 


3.5.1 Domains 

ODBC Database 

Domains are essentially separate sub-databases of Digipass User accounts and Digipass. All Digipass User 

accounts and Digipass must belong to a Domain. The Domain is used as a naming scope for the UserId – it is 

allowed to have two different Digipass User accounts with the same UserId, so long as they are in different 

Domains. 

3.5.1.1 Master Domain 

When Identikey Server is installed, a single Domain will be created in the database, the Master Domain. By 

default, all new Digipass User accounts and Digipass will be created in that Domain. 

A Domain must be chosen for a Digipass User account when it is created, as the Domain makes up part of the 

identification (primary key) for the account. A Digipass User account may not be moved to a different Domain. It 

must be deleted and recreated in the required Domain. 

Digipass, however, may be moved to the required Domain after import. The 'primary key' of the Digipass record 

consists only of its Serial Number, which cannot be duplicated in different Domains. 

A Digipass that is assigned to a Digipass User account must belong to the same Domain as the account. 

Therefore, you need to ensure that the correct numbers of Digipass are allocated to the different Domains. 

Administrators belonging to the Master Domain may be assigned administration privileges for all Domains in the 

database, or just their own Domain. Administrators belonging to any other Domain will have the assigned 

administration privileges for that Domain only. 

If you do not need to use the concept of Domains in your system, then you can leave all Digipass User accounts 

and Digipass in the Master Domain. 

You can designate a different Domain as the Master Domain using the Identikey Server Configuration Wizard. You 

can change it later using the Identikey Server Configuration utility, Storage section, Advanced Settings tab. 

Modify the Master Domain 

You might need to modify the domain used as the Master Domain if: 

You want new Digipass User accounts and Digipass records to be created in a different domain by default 

You want to change the name of the Master Domain 

The case used in the name of the Master Domain will not be compatible with Identikey Server configuration 

settings 

For instructions on changing the domain used as the Master Domain, see Master Domain in 11.3.6.4 Advanced 

Configuration Settings. 


3.5.1.2 Identifying the Domain for a Login Attempt 

ODBC Database 

As the Domain is part of the naming scope for a Digipass User account, the Domain must be identified when a 

user attempts to log in. 

Image 1: Domain Identification Logic 

When Windows Back-End Authentication is used, the Domain of a Digipass User account must match the Domain 

of their corresponding Windows (Active Directory) user account. In this situation, the Use Windows User Name 

Resolution feature would typically be used, in case the same user logs in with different Windows user name 

formats (DOMAIN\userid, userid@domain.com, userid). You can enable this feature using the Identikey Server 

Configuration interface, Configure Advanced Settings screen. 

Without Windows name resolution, a simple rule is applied to identify the Domain of a user who is logging in: if the 

UserId is in the form userid@domain, and there is a Domain with the given domain name, that Domain will be 

used. In that case, the UserId will have the @domain part removed. Otherwise, the whole UserId will remain as 

userid@domain and no Domain will be identified. 


ODBC Database 

If a Domain cannot be identified via name resolution, the applicable Policy will be checked. If a Default Domain is 

specified in the Policy, it will be used for the login. If no Default Domain is specified in the Policy, the Master 

Domain will be used. The Master Domain is a configuration setting. 

3.5.2 Organizational Units 

Within a Domain, Organizational Units can be used to group Digipass User accounts and Digipass. They are 

primarily used in Identikey Server to allocate unassigned Digipass to groups of users such as offices or 

departments and to provide delegated administration by user group. 

Organizational Units can be created as a hierarchy, in a similar way to Active Directory/LDAP. It is not permitted to 

create a circular chain in the hierarchy. 

Digipass User accounts and Digipass do not have to belong to an Organizational Unit. If you do not need to use the 

Organizational Unit feature, you can ignore it. 

Organizational Units are not used as a naming scope in the same way as Domains. It is permitted to move Digipass 

User accounts and Digipass between Organizational Units whenever required. However, a Digipass that is assigned 

to a Digipass User Account must belong to the same Organizational Unit, as well as the same Domain. Upon 

assignment, or upon moving the Digipass User Account, the Digipass is moved automatically. It is not permitted to 

move an assigned Digipass – instead, you must move the Digipass User Account, which may have other Digipass 

assigned also. 

Organizational Units have no effect on the authentication process, with the exception of Auto- and Self-Assignment 

– the Digipass to be assigned must be in the same Organizational Unit as the Digipass User Account. However, if 

you enable the 'Search up Organizational Unit Hierarchy' Policy setting, the Digipass may be located higher up the 

Organizational Unit structure, provided it is still in the same Domain. 


3.6 Database User Accounts 

ODBC Database 

It is important to consider which database user accounts will be utilized when installing, running and administering 

Identikey Server. There are a few main roles that need to be considered: 

Schema creator. A database user account is needed to create the tables used by Identikey Server. Typically 

this would be either a fully privileged DBA account, or the account that will own the schema. 

Schema owner. This may be the same as the schema creator. If not, the schema creator can transfer 

ownership of the new tables after they have been created. 

Identikey Server account. This may be the same as the schema creator or owner, but you may prefer to use 

an account with less privileges. 

A few elements need to be taken into account when setting up these database user accounts. 

3.6.1 Permissions on the Tables 

The following permissions are required by the Identikey Server account: 

Table 27: Table Permissions Required 

Table Permissions Required 

vdsControl SELECT, INSERT*, UPDATE * 

All other tables SELECT, INSERT, UPDATE, DELETE 

3.6.2 Access to Another Schema 

Depending on the database type, there may be a problem with the Identikey Server database user account 

accessing the tables from another schema/user account. Identikey Server will access the tables according to the 

table names that are defined in the vdsControl table. 

If the tables are not accessible to the Identikey Server account without qualifying the table name (eg. 

schema.table), there are a few ways to solve the problem: 

Set the default schema or database. Some databases allow you to specify which schema or database a 

database user account will use by default when they log in. This may be a setting in the database itself or the 

ODBC data source 

Create views. You can create a view in the Identikey Server account's own schema for each table, that 

provides access to the table. The view names should match the table names. However, be careful that your 

database type permits the necessary INSERT, UPDATE and DELETE operations on the views (see the table 

above). Some database types provide only limited support for those operations or disallow them all. 

* The Identikey Server does not need INSERT and UPDATE permission on the vdsControl table itself. However, when the 

Identikey Server Configuration Wizard and the Identikey Server Configuration utility are used to configure Storage Advanced 

Settings, the same database user account is used as the Identikey Server, and at this time the INSERT and UPDATE 

permissions are needed. 


ODBC Database 

Modify the vdsControl table. Provided that all applicable database user accounts need the schema qualifier in 

front of the table names, you can safely modify the vdsControl table entries to add the schema qualifier (see 

below). If you have just one Identikey Server account, this will be safe. 

Another possible solution is to create a vdsControl table in each applicable database user account's schema, that 

contains the necessary schema qualifier. However this is not recommended, as it is complex to set up and there 

are other settings in the vdsControl table other than the table names. It would be easy to end up with different 

settings in each table. 

3.6.2.1 Modify vdsControl Table 

There are two parts to this solution. Firstly, to make sure that the vdsControl table itself can be accessed; secondly, 

to update the remaining table names using the vdsControl table. 

The Identikey Server component uses a configuration setting in its configuration file identikeyconfig.xml to identify 

the vdsControl table name: 

VASCO->Storage->ODBC->Data-Sources->Data-Sourcesnn->Control-Table 

where nn is 01 for the first data source, 02 for the next, and so on. Each data source must be configured 

separately. 

Modification of the vdsControl table entries that define the table names must be performed using your database's 

SQL utility. The following entries in vdsControl are used to define the table names: 

Table 28: Table Names in vdsControl 

Table vdsName 

vdsUser user_table 

vdsUserAttr user_attr_table 

vdsDigipass dp_table 

vdsDPApplication dpappl_table 

vdsDPSoftParams dpsoft_params_table 

vdsPolicy policy_table 

vdsComponent comp_table 

vdsBackEnd backend_table 

vdsDomain domain_table 

vdsOrgUnit org_table 

vdsReport report_table 

vdsReportFormat report_format_table 

vdsConfiguration configuration_table 

VdsOfflineAuthData offlineauthdata_table 


3.7 Database Connection Handling 

ODBC Database 

The Identikey Server can be configured with a few settings that control the connection to the database. These 

settings can be found in the Identikey Server Configuration utility. 

3.7.1 Multiple Data Sources 

It is possible to make more than one database available to the Identikey Server by creating additional databases 

and corresponding ODBC data sources. The additional database(s) can be used for redundancy and/or simple load 

sharing. 

If this is done, it is critical that the second and subsequent databases are synchronized with the first database. You 

will have to use the methods available to your database type, according to the database vendor's instructions. 

Typical methods include mirroring, shadow databases and instantaneous replication. 

Simply by configuring a second data source, if all connections to the main data source fail and cannot be 

reopened, the Identikey Server will open connections to the second data source. Similarly, a third data source can 

be used when the first and second are both unavailable. 

3.7.2 Max. Connections 

There is a configurable limit on the number of connections to the data source that the Identikey Server will have 

open at one time. This will prevent too many connections being opened to the database in case of peak load. 

However, each request uses a connection for its duration, so the number of connections effectively limits the 

number of requests that can be concurrently executed. It may improve performance to increase this setting, when 

there are a lot of concurrent requests – provided that the database is able to handle the increased load. 

The effect of this setting depends on the characteristics of your ODBC driver and database. Some ODBC drivers 

may not open a separate connection to the database for each connection that is made to it; they may set up a 

'pool' of connections to the database or they may even just maintain a single connection. 

3.7.3 Connection Wait Time 

When the Identikey Server already has the maximum number of connections open and a new request arrives, it will 

wait a configurable amount of time for a connection to become available (unless the Enable Load Sharing option is 

used, see below). You may want to reduce this waiting time, to reduce the impact of an overload of requests. 

Alternatively you may want to increase the waiting time, to make it less likely that a request will be rejected due to 

a temporary 'spike' of requests. 


3.7.4 Idle Timeout 

ODBC Database 

After a period of peak load, there may be a large number of connections open to the database. The Idle Timeout 

setting can be used to configure how quickly the connections are closed after being idle for a period of time. It may 

reduce the load on the database to close these connections quickly. Alternatively, if the load is very irregular but is 

often high, you may prefer to keep idle connections open for longer. 

3.7.5 Enable Load Sharing 

A simple form of load sharing can be implemented if you make a second database available to the Identikey 

Server. In fact, any number of databases can be added to the list of data sources, and the load can be shared 

across all of them. 

If you have more than one database available and the Enable Load Sharing option is used, the Identikey Server will 

open connections to the second database when it would exceed the maximum number of connections it is allowed 

to have to the first database. Similarly, it will open connections to the third database when it has reached the 

maximum for the second, and so on. In general, connections to the first database will be used when available, in 

preference to connections to any other database. 

3.7.6 Reconnect Intervals 

After the first data source has become unavailable, the Identikey Server will attempt at intervals to reconnect, even 

if it has successfully failed over to a second data source. It will always use the first data source in preference to the 

others. 

The Min. Reconnect Interval and Max. Reconnect Interval settings control the minimum and maximum intervals 

between retries respectively. The interval will start at the minimum and increase in steps until the maximum is 

reached. After that, the interval will stay at the maximum. 


3.8 DPDBADMIN 

3.8.1 Modify Database Schema 

ODBC Database 

The addschema command is used to create all required tables in an existing database, if they are not already 

there. Each table will be checked individually to see if it is already there and if not, will be added. 

This command is intended to be run manually by an administrator before Identikey Server is installed. 

It may be necessary to go through an approval process in your company before running this command. You may 

also need to have a database administrator run the command for you. This depends on your company’s structure 

and rules for control of the database. 

This command may also be used to create the tables required for auditing to an ODBC database. 

Prerequisite Information 

Database Administrator Account 

In order to successfully modify the database structure, you will need the username and password of a database 

administrator account that is able to make changes to the database schema – for example, creating tables. You 

must pass these credentials to the command in the parameters. 

Database Name 

You will need the ODBC Data Source Name of the database (as registered with Windows or Linux as an ODBC Data 

Source). 

Master Domain Name 

You can specify the name of the Master Domain (see 3.5.1.1 Master Domain) 

when you add the database schema. 

However if you do not do it at that time, the Configuration Wizard can change it. 

UserID/Domain Name Conversion 

The Case Conversion option for UserIDs and Domain names may be specified (see 3.4 Encoding and Case- 

Sensitivity for more information) during the database schema modification. Alternatively, the setting may be 

modified using the Configuration Wizard. This should, however, be finalised before User data is entered into the 

data store. 

Modify the Database Structure 

1. Follow the instructions for the installation that you have: 

2. Type: 

a. For Windows, open a command prompt and navigate to the installation’s bin directory by typing: 

cd \bin 

dpdbadmin addschema –u user_name –p password -d dsn 


3. See below for more details regarding the required parameters. 

ODBC Database 



Command Line Syntax 

dpdbadmin addschema -d dsn [–u user_name] [–p password] [-domain 

domain_name] [-case case_conversion] [-vdsuser alternatename] [-vdsuserattr 

alternatename] [-vdsdomain alternatename] [-vdscontrol alternatename] 

[-vdsdigipass alternatename] [-vdsdpapplication alternatename] [-vdspolicy 

alternatename] [vdsbackend alternatename] [-vdscomponent alternatename] 

[-vdsorgunit alternatename] [-vdsdpsoftparams alternatename] [-vdsreport 

alternatename] [-vdsreportformat alternatename] [-audit] [-noserver] 

[-nouser] [-utf8factor factor] [-q] [-v] [-l file_name] 

Table 29: DPDBADMIN addschema Command Line Options 


-d ODBC Data Source Name (DSN) 

-u User name of a database administrator (if required). 

-p Password of the database administrator. This option may be omitted if they have a blank password. 

-domain Specify the Master Domain to be used. If not specified, it will be “master”. The Domain will be 

created if it does not already exist. 

-case Specify to convert User IDs and domain names to either upper or lower case. The value must be 

either “upper” or “lower”. 

vdsuser Alternative name for the Digipass User table to be created. 

vdsuserattr Alternative name for the Digipass User Attribute table to be created. 

vdsdomain Alternative name for the Domain table to be created. 

vdscontrol Alternative name for the Control table to be created. 

vdsdigipass Alternative name for the Digipass table to be created. 

vdsdpapplication Alternative name for the Digipass Application table to be created. 

vdspolicy Alternative name for the Policy table to be created. 

vdsbackend Alternative name for the Back-end Server table to be created. 

vdscomponent Alternative name for the Component table to be created. 

vdsorgunit Alternative name for the Organizational Unit table to be created. 

vdsdpsoftparams Alternative name for the DPSoft Parameters table to be created. 

vdsreport Alternative name for the Report Definition table to be created. 

vdsreportformat Alternative name for the Report Format table to be created. 

vdsconfiguration Alternative name for the Configuration table to be created. 

vdsofflineauthdata Alternative name for the Offline Authentication Data table to be created. 

-audit Create the Audit tables. 

-noserver Do not create the main tables used by the Identikey Server. This should only be used with the -audit 



option, when you only want to create the auditing tables. 

-nouser Do not create Digipass User table. This option is not currently supported. 

ODBC Database 

-utf8factor On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not characters, 

by default. When UTF-8 encoding is used to store data, for full Unicode support, one character may 

be represented as more than one byte. Normally 2 or 3 characters are used, depending on the 

language, but some characters require 4. If your data will include a lot of non-English characters, 

you can increase the size of certain columns by a factor to allow for the extra bytes. The value of the 

parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns affected by this are the User 

Name (not User ID) and various Description fields. 

On other databases, column sizes are specified in characters, and this parameter is not needed. 




DPDBADMIN addschema Command Sample 

dpdbadmin addschema –u DBAdmin –p pwd3498 -d UserDb -domain mydomain -case 

lower 

This command will modify the database structure of the ODBC database with the data source name of UserDb. It 

uses a database administrator account with the User ID of DBAdmin and password pwd3498. A non-default 

Master Domain will be used, called “mydomain”. It specifies to convert domain names and User IDs to lower case. 

dpdbadmin addschema –u DBAdmin –p pwd3498 -d AuditDb -audit -noserver 

This command will create only the auditing tables in the ODBC database with the data source name of AuditDb. It 

uses a database administrator account with the User ID of DBAdmin and password pwd3498. 

3.8.2 Check Database Modifications 

The checkschema command is called from the Identikey Server Configuration Wizard to check that all required 

database changes have been applied. Each table and field is checked individually to see if it exists within the 

database, but it will not be added if it does not exist. 


Database User Account 

Ensure that you know the username and password of a database user account for the database to be checked. It is 

suggested to use the Identikey Server database user account, as the database tables are required by that account, 

Database Name 

You will need the Data Source Name of the database (as registered with Windows or Linux as an ODBC Data 

Source). 


3.8.2.2 Check the Database Structure 

1. Open a command prompt and go to the installation’s bin directory by typing: 

2. Type 

ODBC Database 


cd \bin 

b. For Linux go to the location in which the ODBC data source was created. 

dpdbadmin checkschema –u user_name –p password -d dsn 

3. See below for more details regarding the parameters. 



dpdbadmin checkschema -d dsn [–u user_name] [–p password] [-audit] 

[-noserver] [-vdscontrol alternatename] [-q] [-v] [-l file_name] 

Table 30: DPDBADMIN checkschema Command Line Options 



-u User name of a database user account (if required). 

-p Password of the database account. This option may be omitted if they have a blank password. 

-audit Check the Audit tables. 

-noserver Do not check the main tables used by the Identikey Server. This should only be used with the -audit option, 

when you only want to check the auditing tables. 

vdscontrol Alternative name for the Control table. 




DPDBADMIN checkschema Command Sample 

dpdbadmin checkschema –u DBAdmin –p pwd3498 -d UserDb 

3.8.3 Remove Database Modifications 

This command removes from a database the tables added by the addschema command. 

It may be necessary to go through an approval process in your company before running this command. You may 

also need to have a database administrator run the command for you. 



Database Administrator Account 

ODBC Database 

In order to successfully modify the database structure, you will need the username and password of a database 

administrator account that is able to make changes to the database structure – for example, dropping tables. You 

must pass these credentials to the utility in the parameters of the command. 

Database Name 

You will need the Data Source Name of the database (as registered with Windows or Linux as an ODBC Data 

Source). This DSN must be registered on the computer from which the command line utility wil be run. 

3.8.3.2 Modify Database Structure 

1. Open a command prompt and navigate to the installation’s bin directory by typing: 

2. Type: 


cd \bin 

b. For Linux go to the location in which the ODBC data source was created. 

dpdbadmin dropschema –u user_name –p password -d dsn 

3. See below for more details regarding the required parameters. 




dpdbadmin dropschema -d dsn [–u user_name] [–p password] [-audit] 

[-noserver] [-nouser] [-vdscontrol alternatename] [-q] [-v] [-l file_name] 

Table 31: DPDBADMIN dropschema Command Line Options 



-u User name of a database administrator. 

-p Password of the database administrator. This option may be omitted if they have a blank password. 

-audit Drop the Audit tables. 

-noserver Do not drop the main tables used by the Identikey Server. This should only be used with the -audit 

option, when you only want to drop the auditing tables. 

-nouser Do not delete Digipass User table. This option is not currently supported. 






DPDBADMIN checkschema Command Sample 

dpdbadmin dropschema –u DBAdmin –p pwd3498 -d UserDb 

ODBC Database 


4 Sensitive Data Encryption 

Sensitive Data Encryption 

Sensitive data is encrypted by Identikey Server using an embedded key. If needed, this encryption may be 

strengthened by adding a custom key using the Identikey Server Configuration utility. The embedded and custom 

keys are subjected to a logical XOR process to produce a new key derived from both. 

You may also choose a different encryption algorithm (Cipher) if you prefer. 

All Identikey Servers MUST share the same encryption settings. 

Note 

4.1.1 Encrypted Data 

Encryption settings must be set before importing any Digipass. If you change the settings at a 

later date, all Digipass records will become invalidated, and require deleting and re-importing. 

Table 32: Encrypted Data Attributes - ODBC Database 

Column Table 

vdsStaticPwd vdsUser 

vdsAdminPrivileges vdsUser 

vdsSharedSecret vdsComponent 

vdsSharedSecret vdsBackEnd 

Table 33: Encrypted Data Attributes - Active Directory 

Column Table 

vasco-StaticPassword vasco-UserExt 

vasco-AdminPrivileges vasco-UserExt 

vasco-SharedSecret vasco-Component 

vasco-SharedSecret vasco-BackEndServer 

4.1.2 Which Encryption Algorithms can be used? 

3DES (default) 

3DES with 3 keys 

AES 


4.1.3 Exporting Encryption Settings 

Sensitive Data Encryption 

Encryption settings may be exported to a password-protected text file from the Identikey Server Configuration 

utility. This file must then be loaded to other Identikey Servers – see 11.3.6.3 Encryption for instructions. 

If using Active Directory as the data store for Identikey Server, the Digipass Extension for Active Directory Users and 

Computers snap-in may be used to export the settings: 

1. Open Active Directory Users and Computers. 

2. Right-click on the Users container and select the Digipass Extension Encryption Settings option. 

3. In the Configure Encryption Settings dialog, click the Import... button. 

4. Browse to the encryption settings file. 


6. Enter the required password. 


4.1.4 Digipass TCL Command-Line Administration 

If using Active Directory as the data store for Identikey Server, the customized encryption settings must be loaded 

into Digipass TCL Command-Line Administration if you use it to import Digipass. 

1. Open the file \Bin\dpadmincmd.xml in a text editor (or XML editing tool). 

2. Open the file \Bin\identikeyconfig.xml in a text editor (or XML editing tool). 

3. Copy and paste the whole VASCO -> Encryption section from Identikey Server, overwriting the same section 

in dpadmincmd.xml. 

4. Save dpadmincmd.xml and exit the editors. 


5 Set Up Active Directory Permissions 

5.1 Permissions Needed by the Identikey Server 

Set Up Active Directory Permissions 

The Identikey Server Service runs under the 'Local System' account rather than as a named user account. 

Therefore, when connecting to Active Directory, the Identikey Server connects as the computer account, not a user 

account. The permissions that it has within Active Directory are the permissions of the computer account. 

An important exception to this occurs if you install the Identikey Server onto a Domain Controller. Any Service 

running as 'Local System' on a Domain Controller has all possible permissions to that Domain. In this case, no 

additional setup of permissions is required. Therefore, the rest of this section applies to the case where the 

Identikey Server is not on the Domain Controller. 

During installation, the computer account is added to the built-in 'RAS and IAS Servers' group in the Domain, as it 

will require the permissions assigned by default to this group. 

In order to function correctly, the Identikey Server requires the following permissions in Active Directory, that are 

not granted to 'RAS and IAS Servers' by default: 

Read access to the Digipass Configuration Container 

Read access to all User accounts (or at least, all who might need to be authenticated by the Identikey Server) 

Write access to the new attributes that are added to the User class for Identikey Server (these are in the 

auxiliary class vasco-UserExt) 

Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco-DPApplication) objects 

Create and delete permission for Digipass (vasco-DPToken) objects in Organizational Units and containers 

(specifically the Digipass-Pool and Users containers) 

5.1.1 Giving Permissions to the Identikey Server 

During installation, these additional permissions are granted to the 'RAS and IAS Servers' group automatically. 

There is also a manual way to grant these permissions, by running the 'setupaccess' command at the command 

prompt: 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” 

See 2.5 DPADadmin Utility for more information on the setupaccess command. 

As mentioned above, this is not necessary if the Identikey Server is installed onto a Domain Controller. 


5.2 Permissions Needed by Administrators 

5.2.1 Domain Administrators 

Domain Administrators already have all required permissions within their Domain. 

5.2.2 Delegated Administrators 


The term 'Delegated Administrators' is used here to refer to administrators who have been delegated control over 

an Organizational Unit. Generally speaking, they have administrative control over the user and computer accounts 

within their Organizational Unit. 

See the Digipass Records topic in the Product Guide for more information on possible approaches to delegating 

Digipass administration. 

By default, these administrators will be able to view the Digipass User Account data for their users and the 

Digipass that are located within their Organizational Unit. However, they will not be able to modify any of that data 

or assign Digipass. 

If you wish to delegate responsibility for all Digipass-related administration within an Organizational Unit, the 

following additional permissions are required by the Delegated Administrator: 

Within the scope of the Organizational Unit, Write permission to the new attributes that are added to the User 

class for Identikey Server (these are in the auxiliary class vasco-UserExt) – you can add Write permissions for 

each individual Property Set or if appropriate, grant 'Write All Properties' permission 

Within the scope of the Organizational Unit, Full Control over all Digipass (vasco-DPToken) and Digipass 

Application (vasco-DPApplication) objects 

Create and Delete permission for Digipass (vasco-DPToken) objects within the Organizational Unit 

If the Delegated Administrator should be allowed to assign Digipass from the Digipass Pool to their users, they 

need: 

the Delete Digipass objects permission in the Digipass-Pool container 

Write All Properties permission on Digipass objects in the Digipass-Pool container 

If the Delegated Administrator should be allowed to move unassigned Digipass back to the Digipass-Pool, they 

need Create Digipass objects permission in the Digipass-Pool container 

5.2.3 Reduced-Rights Administrators 

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are granted permissions to 

perform only selected Digipass-related administration tasks. They may be granted these permissions within the 

scope of the whole Domain, or only within an Organizational Unit. 



An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but not to 

assign/unassign Digipass to/from users. 

By default, all users have read access to everything in the Active Directory. The modification permissions that can 

be granted to this kind of administrator are: 

Write permission for any of three Property Sets on the Digipass User Account fields: 

Digipass User Account Information – all attributes except those covered by the other two Property Sets, 

including Authorization Profiles/Attributes 

Digipass User Account Link – the link attribute used to share a Digipass between two user accounts 

Digipass User Account Stored Password – the Stored Password attribute 

Write permission for any individual properties on Digipass objects, except for one Property Set that is defined to 

control the Digipass assignment link 

Write permission for any individual properties on Digipass Application objects, except for one Property Set that 

is defined to include the Digipass 'blob' that is required for any administrative operation such as Reset PIN, 

Test, Set Event Counter, etc. 

Create and delete permission on Digipass and Digipass Application objects 

If the administrator should be allowed to move Digipass, they need: 

the Delete Digipass objects and Create Digipass objects permissions in the relevant Domain and/or 

Organizational Unit 

Write All Properties permission on Digipass objects 

Note 

5.2.4 System Administrators 

This can be necessary for assigning Digipass to users, because a move from one location to 

another is controlled by permissions to delete from the source and create in the destination 

The term 'System Administrator' is used here to refer to an administrator who will be responsible for management 

of records which affect the configuration and running of the Identikey Server, rather than Digipass User Accounts 

and Digipass. They need permissions within the Digipass Configuration Container to create, modify and delete 

these objects: 

Component (vasco-Component) 

Policy (vasco-Policy) 

Report (vasco-Report) 

Report Format (vasco-ReportFormat) 

Back-End Server (vasco-BackEndServer) 


Server Configuration (vasco-Configuration) 


In practice, System Administrators can typically be given full control over the Digipass-Configuration container. If 

you wish to grant more limited permissions, this can be handled with the standard Active Directory permissions on 

these objects within the scope of the container. 

5.3 Assign Administration Permissions to a User 

Note 

This example assumes that the administrator's User account has read permissions for all User 

records already. 

To grant permissions to manage Digipass records, you will need to follow these steps: 

1. Right-click on the Organizational Unit in which to assign permissions. in the Active Directory Users and 

Computers extension. 

2. Select Delegate Control... from the right-click menu. 

The Delegate Control Wizard will be displayed. 

3. Select the User or Windows Group to assign permissions. 


5. Select the Delegate Common Tasks option button. 

6. Select Create, Delete and Manage Digipass from the list. 

7. Click on Next. 

8. Click on Finish. 

If you wish to grant permissions to modify Digipass User Account properties, you will need to follow these steps: 

9. Select View -> Advanced Features from the main menu. 

10. Right-click on the Organizational Unit in which to assign permissions. 

11. Select Properties from the right-click menu. 

12. Click on the Security tab. 

13. Click on the Advanced button. 

The Advanced Security Settings window will be displayed. 

14. Click on Add... 

15. Type the username of the User to assign the permissions to and click OK. 

16. Click on the Properties tab. 

17. Select User Objects from the Apply onto drop down list. 


18. Select the required permissions from: 

Write Digipass User Account Information 

Write Digipass User Account Link 

Write Digipass User Account Stored Password 





If the administrator requires permissions to take Digipass out of the Digipass-Pool for assignment, you will need to 

follow these steps: 

22. Right-click on the Digipass Pool. 

23. Select Properties from the right-click menu. 

24. Click on the Security tab. 

25. Click on the Advanced button. 

The Advanced Security Settings window will be displayed. 


27. Select the User account. 


29. Click on the Object tab. 

30. Select Child objects only from the Apply onto drop down list. 

31. Tick the Allow box for: 

Delete Digipass Objects 

Create Digipass Objects (if you wish to allow the administrator to move Digipass records into the Digipass Pool) 



34. Select the User account. 


36. Click on the Object tab. 

37. Select Digipass objects from the Apply onto drop down list. 

38. Tick the Allow box for Write All Properties. 





5.4 Multiple Domains 


When using the Identikey Server with multiple domains, extra steps must be followed to ensure that both the 

Identikey Server and administrators have permissions sufficient to access required data. The main issues are: 

The Digipass Configuration Container is only in one Domain. All Identikey Servers need read access to this 

container, even when they are in a different Domain. Cross-Domain access for administrators is a less likely 

requirement however. 

If a Identikey Server handles users and Digipass in more than one Domain, they need to be granted the 

necessary permissions in all the necessary Domains. 

In this manual, we will handle cross-Domain permissions using a combination of Domain Local and Domain Global 

groups. It is also possible in a 'native' mode Domain to use Universal groups, but this is not covered in the 

instructions below. 

Three possible scenarios for multiple domain setup are outlined below: 

5.4.1 Scenario 1 – Each Identikey Server Handles One Domain 

Each Identikey Server handles only the domain in which it is a member. 

Install the Identikey Server in each domain (the result will be at least as many Identikey Servers as domains). 

Give each Identikey Server access to the Digipass Configuration Domain: 

Domain Global Group(s) 

For each domain (apart from the Digipass Configuration Domain) - 

1. Create a Domain Global group 

2. Add the Identikey Server(s) to the Domain Global group (check which machines are in the 'RAS and IAS 

Servers' group to ensure the correct additions) 

Domain Local group 

In the Digipass Configuration Domain - 

3. Create or use an existing Domain Local group. 

4. Give the Domain Local group full read access to the Digipass Configuration Container. 

5. Add the Domain Global Group from each other domain to the Domain Local group. 


5.4.2 Scenario 2 – One Identikey Server Handles All Domains 


Identikey Servers in one domain handle all domains. The Digipass Configuration Container should be located in the 

domain to which the Identikey Servers belong. 

Give the necessary access to User and Digipass data: 

Domain Global group 

In the RADIUS server Domain - 

1. Create a Domain Global group. 

2. Add the Identikey Servers to the Domain Global group (check which machines are in the 'RAS and IAS 

Servers' group to ensure the correct additions). 

Domain Local groups 

For each other Domain - 

3. Create a Domain Local group. 

4. Give the Domain Local group the required permissions (run the setupaccess command - See 2.5 DPADadmin 

Utility for more information). 

5. Add the Domain Global group from the Identikey Server Domain to the Domain Local group. 

5.4.3 Scenario 3 - Combination 

This scenario represents more complex setups, where a combination of steps from Scenarios 1 and 2 will be 

required. Use the steps given in the first two scenarios as a guide for what you will need to do for the combination 

scenario. 


6 Backup and Recovery 

Backup and Recovery 

This section explores the measures that Administrators can undertake in backing up and recovering Identikey 

Server datafiles in the event of a system failure. 

Note 

This section does not cover backup of executables and system files. In the event of a 

catastrophic failure these can be restored or reinstalled from the original distribution media (and 

any subsequent service packs/patches). 

Once the Identikey Server is installed and operational, backups should be made of important files and data. 

Any time changes are made to the system configuration, backups may need to be performed again. 

User and Digipass data should be backed up on a frequent, regular basis. 

6.1 What Must be Backed Up 

Configuration files for Identikey Server, Virtual Digipass Message Delivery Component and Digipass TCL 

Command Line Administration. 

SSL certificate(s) 

Audit Log data 

Data store 

DPX files (except for demo Digipass) 

Any scripts that have been written for Digipass TCL Command Line Administration, if they may be needed in 

the future. 

Important Note 

The Identikey Server installation includes a DPX directory containing sample DPX files for demo 

Digipass. These do not need to be backed up. However, if Identikey Server uses an ODBC 

database and you have copied the DPX files for your real Digipass into that directory, ensure you 

still have the original files. If you no longer have the DPX file(s) stored elsewhere, it is very 

important that you take a backup. 


6.1.1 Configuration Files 


The configuration files for the Identikey Server, Virtual Digipass Message Delivery Component and Digipass TCL 

Command Line Administration can be copied from: 

the Bin directory in Windows (by default in Windows C:\Program Files\VASCO\Identikey Server\Bin) to a secure 

location. 

/etc/vasco/ in Linux 

The files to be copied are: 

identikeyconfig.xml for all Identikey Servers 

mdcconfig.xml – a backup of one working file is sufficient. 

dpadmincmd.xml 

Tip 

6.1.2 SSL Certificates 

Save the files above with an extension that describes the server from which the file(s) were backed 

up. This makes it easier and quicker to locate the correct file during recovery. 

Any SSL certificates used with the Identikey Server should be backed up. If you are using a certificate generated by 

Identikey Server's Configuration Wizard, this will be named either ikeycerts.pem or ikeypvk.pem. 

6.1.3 Audit Log Data 

If your organization requires that the Audit Log data be archived, the method required will depend on the audit 

settings. You may need to archive periodically, to avoid too much disk space being used or to keep the database 

from growing too large and slow. 

6.1.3.1 Write to Text File 

Ensure you make copies of all files contained in the directory into which the audit log files are written. By default 

this will be \Log (Windows) or /var/vasco (Linux), however it may have been configured to 

another location. Check the audit configuration settings if you are unsure. 

6.1.3.2 Write to ODBC Database 

Back up the database using the database's backup utility. If you are using the audit tables in the embedded 

database, they will be included in the backup of the data store and will not require a separate backup. 


6.1.3.3 Write to Windows Event Log 


By default, Event Log entries are written to the Application log. However, you can configure the entries to be written 

to another log. Check the audit configuration if you are unsure. 

Important Note 

The Event Log may be configured with a maximum size. When this size is reached, the oldest 

entries may be overwritten by new ones. To check this, view the Properties of the log in the 

Event Viewer. If older entries will be overwritten, you will need to archive them before that 

occurs. 

To archive an Event Log: 

1. Select Start -> Programs -> Control Panel. 

2. Double-click on Administrative Tools. 

3. Double-click on Event Viewer. 

4. Right-click on Application (or the correct log, if not Application). 

5. Click on Save log file as... 

6. Select a path and enter a filename. 

7. Select a file format from the Type drop down list. 

8. Click on the Save button. 

Note 

6.1.4 Write to Syslog 

6.1.5 DPX files 

The Audit Log data is not required for system recovery purposes. 

In Linux, audit data can be written to the Syslog. See 14.4 Linux Syslog for information on configuring Linux and 

Identikey Server correctly. 

The DPX files are normally provided on secure media, which can be stored securely as a backup. If you prefer 

another method of archive, copy the files to your preferred location. It is important to keep the DPX file transport 

keys secure and preferably in a separate location to the DPX files themselves. 


6.1.6 Data Store 

6.1.6.1 Data Source Settings 


If you have performed some adjustments to the ODBC Data Source (DSN) that are important to keep, make sure 

that you have a readout of the settings. 

6.1.6.2 Backup Strategies 

Warm Backup 

A 'warm' backup of the disk containing the database used by the Identikey Server via a RAID hardware 

configuration or server mirroring is a favorable backup method. It is both entirely up to date and incurs no 

downtime if a single disk failure occurs. 

This method requires either software RAID, or for better performance a hardware RAID configuration. 

Another technique that achieves the same effect is the 'shadow database'. 

However, it is still recommended to take a cold backup at intervals, as there is a possibility that a database 

corruption could be mirrored/shadowed under some circumstances. 

Cold Backup 

A 'cold' backup of the database allows administrators to implement a duplicate database as a safeguard on a 

regular basis. Generally speaking there are two methods that can be used to perform a cold backup: 

Backup Utility 

The first option is to use the vendor-specific backup utility that allows the contents of the database to backed up to 

a file or device while the system is running. Such a utility is provided with the embedded database PostgreSQL (see 

below). 

Shut Down and Copy the Database File 

The second option involves stopping the database server and any connecting server processes and copying the 

database files. However, this is only possible where the database vendor recommends this approach. Normally this 

is only appropriate if the database is contained in a single operating system file. 

Replicated Copy 

If replication has been configured between databases, a replicated copy can be used as a backup. However, it is 

still recommended to take a cold backup at intervals. 


6.1.6.3 Backup of PostgreSQL Embedded Database 


The PostgreSQL database available with the Identikey Server installation may be backed up while operational by 

completing these steps: 

1. Open command prompt in \PostgreSQL\Bin (Windows) or /usr/local/pgsql/bin 

(Linux). 

2. If using Windows, enter the following command: 

pg_dump -f "" -Fc -Z9 -U [-v] postgres 

If using a Linux distribution, enter the following command: 

vds_chroot pg_dump -f "" -Fc -Z9 -U [-v] postgres 

where: 

is the Identikey Server installation directory – by default, this will be /opt/vasco/identikey 

is the absolute path and file name of the file to which data will be backed up. 

is the database administrator account name. When installed, this is set to digipass. 

-v is an optional 'verbose mode' parameter. Use this if you wish to see output as the backup is run. 

3. You will normally be prompted for the password of the database administrator account. When installed, this 

is set to digipassword. 

This command may also be run via a batch file in order to automatically take a backup at regular intervals. In order 

to remove the interactive prompt for the password, you can add a line to a PostgreSQL configuration file to allow 

local logins for a database administrator account without a password. Edit the file \PostgreSQL\data\pg_hba.conf (Windows) or /usr/local/pgsql/data/pg_hba.conf (Linux) with 

a text editor. At the bottom of this file, there is a list of rules for authenticating connections to the database, which 

by default will be: 

# TYPE DATABASE USER CIDR-ADDRESS METHOD 


host all all 127.0.0.1/32 md5 


#host all all ::1/128 md5 

Add the following line directly below # Ipv4 local connections: 

host postgres digipass 127.0.0.1/32 trust 

Backup Administrator Account 

You may prefer to create a second database administrator account that only has permission to back up the 

database. 


6.2 Recovery 

6.2.1 Active Directory 

Assumptions: 

Steps: 

Active Directory itself is still valid and operational. 

Up-to-date backups of the configuration files for the Identikey Server are available. 


1. Rebuild the server with your operating system SOE, using the same IP address as before, in the same 

Domain as before. 

2. Retrieve your backup copy of the identikeyconfig.xml file. 

3. Reinstall Identikey Server on the server. The same settings as those chosen in the previous installation 

should be selected. 

Before you restart the machine, carry out the following: 

4. Restore the backup copy of the configuration file identikeyconfig.xml to \bin. 

5. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites for more information). 

After restarting the machine: 

6. Check that you can view Digipass-specific information in the Administration Web Interface and the Digipass 

Extension for Active Directory Users and Computers. 


6.2.2 ODBC Database 

6.2.2.1 Rebuild Identikey Server, Database Undamaged 




2. Retrieve your backup copies of the file and any other files from the Bin directory that were backed up. 


should be selected. Do not run the Configuration Wizard. 

4. Restore the backup copy of the configuration file identikeyconfig.xml into the \Bin 

directory. Restore the backup copies of any other files that were backed up from the Bin directory at the 

same time. 

5. Start up the Identikey Server Service. 


6.2.2.2 Restore Database, Identikey Server Undamaged 


This procedure should be followed where a database has been damaged and no current, valid database exists on 

another server. The database is restored from an earlier backup. 

Windows 

1. Stop the Identikey Server Service. 

2. Restore database from backup. If you are using the embedded PostgreSQL database: 

a. Open a command prompt in \PostgreSQL\Bin. 

b. Enter the following command and hit ENTER: 

pg_restore -d postgres -c -U [-v] "" 

where: 

is the absolute path and file name of the file to restore from 

is the database administrator account name. The database administrator account 

created during installation is digipass. 

-v is an optional 'verbose mode' parameter. Use this if you wish to see output as the database is 

restored. 

c. You will normally be prompted for the password of the database administrator account. When installed, 

this is set to digipassword. 

d. Enter the following command and hit ENTER: 

vacuumdb -z -d postgres -U [-v] 

where: 

is the database administrator account name. The database administrator 

account created during installation is "digipass". 


restored. 

e. You will normally be prompted for the password of the database administrator account. 

This step forces the database to recalculate optimization statistics, because all the data has been 

removed and reloaded. 



3. Delete the replication queue files for all destination servers. This can be done by deleting all files in the 

\ReplData directory (Note: if you have re-configured replication to store its files in a 

different directory, delete the files in that directory instead). 

4. Restart the Identikey Server Service. 

Follow the 6.2.2.4 Copy Database from Other Identikey Server procedure below on all other Identikey Servers in 

the system. It is essential to resynchronize all the databases in the system. 

Linux 

1. Stop the Identikey Server Daemon. 


a. Enter the following command: 

vds_chroot 

/opt/vasco/identikey/usr/local/pgsql/bin/pg_restore -d postgres -c -U [-v] "" 

where: 

is the directory in which Identikey Server is installed 





restored. 

b. You will normally be prompted for the password of the database administrator account. When installed, 


c. Enter the following command: 

vds_chroot /opt/vasco/identikey/usr/local/pgsql/bin/vacuumdb 

-z -d postgres -U [-v] 

where: 



created during installation is "digipass". 


restored. 

d. You will normally be prompted for the password of the database administrator account. 



3. Delete the replication queue files for all destination servers. This can be done by deleting all files in the 

\ReplData directory (Note: if you have re-configured replication to store its files in a 


4. Restart the Identikey Server Daemon. 



Follow the 6.2.2.4 Copy Database from Other Identikey Server procedure below on all other Identikey Servers in 

the system. It is essential to resynchronize all the databases in the system. 


6.2.2.3 Rebuild Identikey Server, Restore Database 


This procedure is required where both the Identikey Server and its database have been lost. Configuration files and 

the database will be restored from backups. 

Windows 



2. Retrieve your backup copies of the identikeyconfig.xml file and any other files from the Bin directory that were 

backed up. 





same time. 

5. Stop the Identikey Server Service. 


a. Open a command prompt in \PostgreSQL\Bin. 

b. Enter the following command and hit ENTER: 

pg_restore -d postgres -c -U [-v] "" 

where: 



account created during installation is digipass. 


restored. 

c. You will normally be prompted for the password of the database administrator account. When installed, 


d. Enter the following command and hit ENTER: 


vacuumdb -z -d postgres -U [-v] 

where: 



account created during installation is digipass. 


restored. 



e. You will normally be prompted for the password of the database administrator account. When installed, 


7. Start the Identikey Server Service. 

8. Follow the 6.2.2.4 Copy Database from Other Identikey Server procedure below on all other Identikey Servers 

in the system. It is essential to resynchronize all the databases in the system. 

Linux 




backed up. 



4. Restore the backup copy of the configuration file identikeyconfig.xml into the /Bin 


same time. 

5. Stop the Identikey Server Daemon. 


a. Enter the following command: 

vds_chroot 

/opt/vasco/identikey/usr/local/pgsql/bin/pg_restore -d postgres -c -U [-v] "" 

where: 






restored. 

b. You will normally be prompted for the password of the database administrator account. When installed, 


c. Enter the following command: 



vds_chroot /opt/vasco/identikey/usr/local/pgsql/bin/vacuumdb 

-z -d postgres -U [-v] 

where: 



created during installation is "digipass". 


restored. 



d. You will normally be prompted for the password of the database administrator account. When installed, 


7. Start the Identikey Server Daemon. 

8. Follow the 6.2.2.4 Copy Database from Other Identikey Server procedure below on all other Identikey Servers 

in the system. It is essential to resynchronize all the databases in the system. 


6.2.2.4 Copy Database from Other Identikey Server 


This procedure will be required where multiple Identikey Servers are synchronizing with each other, where one 

database has become unsynchronized or unstable. It must be replaced with a 'safe' database – one containing upto-date, 

uncorrupted data. The instructions below assume a simple two-Identikey Server pair where one Identikey 

Server (SVR-2) is using a database that has become unstable, and the other (SVR-1) is using a 'safe' database. 

To replace the database: 

1. Identify the Identikey Server with the 'safe' database. For these steps, it will be referred to as SVR-1. 

2. Stop the Identikey Server Service on SVR-1 and SVR-2. 

3. Take a complete copy of the database used by the Identikey Server on SVR-1. If you are using the embedded 

PostgreSQL database, see 6.1.6.3 Backup of PostgreSQL Embedded Database for instructions. 

4. Delete the replication queue files for SVR-2 which is on SVR-1: 

a. On SVR-1, run the Identikey Server Configuration utility and change to the Destination Servers tab of 

the Replication section. 

b. Find the Destination Server row that represents SVR-2 and note the Display Name. 

c. Change to the Queue tab and check the File Path value. This will normally be \ReplData, but may have been re-configured. 

d. In that directory, delete all files with filename starting . 

5. The Identikey Server Service on SVR-1 may be restarted now if needed – it will build up a new replication 

queue until it can connect to SVR-2. 

6. Completely overwrite the database used by the Identikey Server on SVR-2 with the copy from SVR-1. If you 

are using the embedded PostgreSQL database, see Step 2 of 6.2.2.2 Restore Database, Identikey Server 

Undamaged. 



7. Delete the replication queue file on SVR-2 for all other Identikey Servers. This can be done by deleting all files 

in the \ReplData directory (Note: if you have re-configured replication to store its files in a 


8. Restart the Identikey Server Service on SVR-2. 

Warning 

If the Identikey Server with the 'bad' database (SVR-2) was synchronizing with another Identikey 

Server, you must copy over the other database as well. Follow the steps above for any Identikey 

Servers with which SVR-2 was synchronizing. 


6.2.2.5 Rebuild Identikey Server, Copy Database 


This procedure will be required where multiple Identikey Servers are synchronizing with each other and one 

Identikey Server, together with its database, is lost. The instructions below assume one functional Identikey Server 

(SVR-1) with an up-to-date database, and a server on which an Identikey Server must be rebuilt (SVR-2) and its 

database copied from the other Identikey Server. 




backed up. 





same time. 

5. On SVR-1, stop the Identikey Server service. 



7. Delete the replication queue file for SVR-2 which is on SVR-1. 

a. On SVR-1, run the Identikey Server Configuration utility and change to the Destination Servers tab of 

the Replication section. 

b. Find the Destination Server row that represents SVR-2 and note the Display Name. 

c. Change to the Queue tab and check the File Path value. This will normally be \ReplData, but may have been re-configured. 


d. In that directory, delete all files with filename starting . 


8. The Identikey Server Service on SVR-1 may be restarted now if needed – it will build up a new replication 

queue until it can connect to SVR-2. 

9. Completely overwrite the database used by the Identikey Server on SVR-2 with the copy from SVR-1. If you 

are using the embedded PostgreSQL database, see Step 2 of 6.2.2.2 Restore Database, Identikey Server 

Undamaged. 

10. Delete the replication queue file on SVR-2 for all other Identikey Servers. This can be done by deleting all 

files in the \ReplData directory (Note: if you have re-configured replication to store its files 

in a different directory, delete the files in that directory instead). 

11. Restart the Identikey Server Service on SVR-2. 

Warning 

If the Identikey Server with the 'bad' database (SVR-2) was synchronizing with another Identikey 

Server, you must copy over the other database as well. Follow the steps above for any Identikey 

Servers with which SVR-2 was synchronizing. 


7 Field Listings 

7.1 User Properties 

Table 34: User Fields 

Field Name Description 

Field Listings 

Static Password The static password. This may be used for static password checking by the Identikey Server or 

may be a record of a password in a Back-End System. 

In view mode, the system will only show whether a password is set or not. 

The Set Password and Reset Password commands are used to change this, although it can 

also be entered when creating the Digipass User account. 

Local Authentication Specifies whether authentication requests for the User account will be handled by the Identikey 

Server using Local Authentication (see the Authenticating Users section in the Product Guide 

for more details on Local Authentication and Back-End Authentication). 

Normally, this field will be Default, meaning that the Policy applicable to the authentication 

request determines the setting. This field on the Digipass User account is used to override the 

Policy setting for special cases. 

When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that can 

be used and whether the Digipass User account has any assigned Digipass that meet the 

restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they 

cannot use Digipass authentication under that Policy. 

This setting also affects the Provisioning Registration process (see the Software Digipass 

Provisioning section in the Product Guide). 

Options: 

Default Use the setting of the effective Policy. 

None The Identikey Server will not carry out Local Authentication for this 

User account. They may be handled using Back-End Authentication, or 

not handled at all by the Identikey Server. 

Digipass/Password The Identikey Server will always carry out Local Authentication for this 

User, using Digipass authentication if possible, otherwise the static 

password. Back-End Authentication may also be utilized. 

Digipass Only The Identikey Server will always carry out Local Authentication for this 

User, using Digipass authentication. If Digipass authentication is not 

possible, the user cannot log in. Back-End Authentication may also be 

utilized. 

Back-End Authentication Specifies whether authentication requests for the User account will be handled by the Identikey 

Server using Back-End Authentication (see the Authenticating Users section in the Product 

Guide for more details on Local Authentication and Back-End Authentication). 


request determines the setting. This field on the Digipass User account is used to override the 

Policy setting for special cases. 






Options: 


None Back-End Authentication will not be used. 

If Needed The Identikey Server will utilize Back-End Authentication but only in 

certain cases: 

Dynamic User Registration 

Self-Assignment 

Password Autolearn 

Requesting a Challenge or Virtual Digipass OTP, when the 

Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the Grace Period 

Provisioning Registration 

Always The Identikey Server will utilize Back-End Authentication for every 

authentication and Provisioning Registration request. 

Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, all requests for 

the User will be rejected by the Identikey Server. 

The Disable and Enable commands are used to change this, although it can also be changed 

when creating or editing the Digipass User account. 

Locked Specifies whether a Digipass User account is locked or not. If locked, all requests for the User 

will be rejected by the Identikey Server. 

The Locked indicator is normally set automatically when the User exceeds a certain number of 

failed authentication attempts. The User Lock Threshold is set in the Policy. 

The Unlock command is used to change this, although it can also be changed when editing the 

Digipass User account. 

Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts 

together. This feature is intended for the case where one person, such as an administrator, has 

multiple User accounts. If their accounts are linked, there is no need to give more than one 

Digipass to that person. 

This feature is used by assigning the Digipass to one User account, then linking all the other 

User accounts for the person to the one that has the Digipass. 

Read only. The Link and Unlink commands must be used to change this. 

If a User is linked to another User, their Linked User Account field will show the UserId and 

Domain of the linked User, for example: 

testuser [vasco.com] 

Created On The date and time that the Digipass User account was created. Read-only. 

Last Modified On The date and time that the Digipass User account was last modified. Read-only. 

Domain The Domain to which the User belongs. 

Read only. This cannot be changed. 

Organizational Unit The Organizational Unit in which the User is located. This is optional as the User does not have 

to be located in an Organizational Unit. 



User Name The full name of the User. 

Read only. The Move command must be used to change this. 

Email Address The email address of the User. 

Phone No. The telephone number of the User. 

Mobile No. The mobile phone number of the User. This will be used for Virtual Digipass logins. 

Description Any descriptive text or notes. 


Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active 

Applications is given with the Application Type indicated in brackets(). For example: 

0058384426 RESP_ONLY(RO), CHALLENGE(CR) 

In this example line, the Digipass with Serial Number 0058384426 has two active Applications: 

one Response Only Application RESP_ONLY and one Challenge/Response Application 

CHALLENGE. 

Other Digipass properties are shown in this list – for more information, see the Digipass 

Properties table. 

If the User does not have any Digipass assigned directly, but is linked to another User to use 

their Digipass (see Linked User Account), the linked User's Digipass list is shown with the Serial 

Numbers in square brackets (eg. [0058384426]). 

Read-only. The Assign Digipass and Unassign Digipass commands much be used to change 

this. 

Administrative Privileges This lists all the administrative privileges for which the User has permission. 

7.2 User Attributes 

Table 35: User Attribute Fields 


Attribute Group Attribute Groups provide a way to add different attributes to the User account for different client 

components. 

A SOAP client application may request a certain Attribute Group – it will only be given the 

user's attributes for the matching Attribute Group. A different application may request the same 

Attribute Group or a different one. 

An IIS Module (for example, in Digipass Pack for IIS Basic Authentication) may also request 

an Attribute Group. The Attribute Group entered in the Configuration GUI for the IIS Module will 

be requested. 

If the Identikey Server Data Store is shared with Digipass Plug-In for SBR, the SBR Plug-In 

may retrieve other Attribute Groups. 

Name The name of the attribute. This must match the name of an attribute expected by the client 

component. For the Digipass Pack for IIS Basic Authentication, this would be either User- 

Name or Password. 

Usage Specifies the usage of the User attribute. This is an optional setting. 



Options: 


Basic Designates an attribute used by the Digipass Pack for IIS Basic 

Authentication. 

Check Note: Not currently in use with Identikey Server. 

Used to specify a RADIUS check attribute. 

Profile Note: Not currently in use with Identikey Server. 

Used to specify the name of a RADIUS Profile. 

Return Note: Not currently in use with Identikey Server. 

Used to specify a RADIUS return attribute. 

Value This value of the attribute. For the Digipass Pack for IIS Basic Authentication, this would be a 

User ID or password. 


7.3 Digipass Properties 

Table 36: Digipass Fields 


Domain The Domain to which the Digipass belongs. 



Organizational Unit The Organizational Unit in which the Digipass is located. This is optional as the Digipass does 

not have to be located in an Organizational Unit. 


Digipass Type The type of Digipass represented by the Digipass record (eg. DP300). 

Description A custom text description of the Digipass. This can be used to search for specific attributes of a 

Digipass, eg. color, company logo. 

Reserve for Individual 

Assignment 

When used, this option prevents the Digipass from being assigned using the Auto-Assignment 

feature or by Provisioning Registration. It also prevents it from being assigned by an 

administrator who uses the 'Assign next available...' option in the assignment wizard. 

Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. This User 

account must be in the same Domain as the Digipass. 

Read-only. The Assign command must be used to change this. 

Date Assigned The date and time when the Digipass was assigned to its current User. 

Read-only. 

Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date shows 

today's date or before, the Grace Period has already expired. If it is blank, there is no Grace 

Period. 

BVDP Mode Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass. 

Note that in order for the Backup Virtual Digipass feature to function, it must also be 

activated in the DPX file for the Digipass. 


request determines the setting. This field on the Digipass record is used to override the Policy 

setting for special cases. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Enabled Until date and the Uses Remaining count 

will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. This may be useful if 

the User may have lost the Digipass, to prevent it from 

being used until they have found it again. 

The Enabled Until date is not applicable when using this 



option, but the Uses Remaining count is. 


Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that the 

effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise). 

If this date is blank, it will be set automatically the first time that the User requests a 

Backup Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the 

Policy. 

Once this date has expired, it requires administrator intervention either to extend it or to reset it 

to blank for the next time that the User needs to use Backup Virtual Digipass. 

Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for this 

Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in the 

Policy, it will be set automatically the first time that the User requests a Backup Virtual Digipass 

OTP, based on the Max. Uses/User. 

Static Vector ID The presence of a value here indicates that a Digipass is a Software Digipass capable of 

Provisioning. Its specific value is not of use to an administrator normally. It represents a lookup 

key of a database record used in the Provisioning process (DPSoft Parameters) that stores the 

Static Vector value. 

Last Activation The date and time at which the last Provisioning Registration operation took place using this 

Digipass, when an Activation Code was generated for it. 

There is a configurable minimum interval of time between Registration operations for a 

Digipass. See the Software Digipass Provisioning section in the Product Guide for more details. 

This value is reset to blank by the Reset Activation command. 

Activation Locations This is typically only used for Digipass for Web, to keep track of the number of different 

locations at which a particular User has activated it. The value is a comma-separated list of 

hash values, where each hash value represents one location. 

There is a configurable maximum number of activation locations for a Digipass. See the 

Software Digipass Provisioning section in the Product Guide for more details. 

This value is reset to blank by the Reset Activation command. 

Activation Count The total number of Provisioning Registration operations that have taken place using this 

Digipass, when an Activation Code was generated for it. This includes Registration operations 

for which the corresponding Activate operation was not completed successfully. 

There is a configurable maximum number of activation attempts for a Digipass. See the 

Software Digipass Provisioning section in the Product Guide for more details. 

This value is reset to 0 by the Reset Activation command. 

Created On The date and time that the Digipass was created. Read-only. 

Last Modified On The date and time that the Digipass was last modified. Read-only. 


7.4 Digipass Application Tab 

Table 37: Digipass Application Fields 



Application Name A name for the Digipass Application. This is taken from the DPX file (always upper case). Readonly. 

Application Type The type of Digipass Application: 

RO – Response Only 

CR – Challenge/Response 

SG – Signature 

MM – Multi-Mode 

Read-only. 

Status This field indicates whether the Application is active or not. If it is not active, it cannot be used 

for authentication, provisioning or signature validation. 

Read-only. The Activate Application and Deactivate Application commands much be used to 

change this. 

Application Info This list indicates various internal settings of the Digipass Application. They are not edited 

directly but some are updated as side-effects of Digipass operations such as verification of One 

Time Passwords. Others represent programming parameters and never change. 

Created On The date and time that the Digipass Application was created. Read-only. 

Last Modified On The date and time that the Digipass Application was last modified. Read-only. 


7.5 Policy Properties 

Note 

Changes to Policy settings will not take effect immediately on all Identikey Servers unless 

Replication is used to synchronize the Identikey Servers. Where Replication is not used, changes 

to Policy settings will take effect when each Identikey Server is restarted, once the Policy change 

is available to it in its data store. Alternatively, if there is no restart, the cache of Policy settings 

will refresh from the data store after approximately every 15 minutes. 

Table 38: Policy Fields 


Description This description can be entered to record the purpose of the Policy. 


Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the 

'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; 

they inherit the parent Policy value in the following cases: 

Choice lists/radio buttons – if the selected value is Default 

Text fields – if the field is blank 

Numeric fields – if the field is blank (not 0) 

List fields – if the list is empty 

The Show Effective Policy Settings... button can be used to display the result of inheriting 

settings combined with settings on the current Policy. 

Local Authentication Specifies whether authentication requests using the Policy will be handled by the Identikey 

Server using Local Authentication (see the Authenticating Users section in the Product Guide 

for more details on Local Authentication and Back-End Authentication). 

When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet the 

restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they 

cannot use Digipass authentication under that Policy. 



Options: 

Default Use the setting of the parent Policy. 

None The Identikey Server will not carry out Local Authentication under 

this Policy. They may be handled using Back-End Authentication, 

or not handled at all by the Identikey Server. 

Digipass/Password The Identikey Server will always carry out Local Authentication 

under this Policy, using Digipass authentication if possible, 

otherwise the static password. Back-End Authentication may also 

be utilized. 

Digipass Only The Identikey Server will always carry out Local Authentication 




under this Policy, using Digipass authentication. If Digipass 

authentication is not possible, the user cannot log in. Back-End 

Authentication may also be utilized. 

Back-End Authentication Specifies whether authentication requests using the Policy will be handled by the Identikey 

Server using Back-End Authentication (see the Authenticating Users section in the Product 

Guide for more details on Local Authentication and Back-End Authentication). 



Options: 


None Back-End Authentication will not be used. 

If Needed The Identikey Server will utilize Back-End Authentication but only 

in certain cases: 

Dynamic User Registration 

Self-Assignment 


Requesting a Challenge or Virtual Digipass OTP, when the 

Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the Grace 

Period 

Provisioning Registration 

Always The Identikey Server will utilize Back-End Authentication for every 

authentication and Provisioning Registration request. 

Back-End Protocol Specifies the protocol to be used for Back-End Authentication. 

If you have your own Back-End Authentication Engines, they will have Protocol names to 

identify them. The name for the required Engine must be defined in the Back-End Protocol for 

the Policy. 

The following standard options are available: 

Windows Authentication using the Windows operating system (this is only 

available when the Identikey Server runs on Windows). 

RADIUS Authentication using a RADIUS server. 

e-Directory Authentication using Novell's e-Directory. 

ADAM Authentication using a Microsoft ADAM server. 

Active Directory Authentication using Microsoft's Active Directory. 

Created On The date and time that the Policy was created. Read-only. 

Last Modified On The date and time that the Policy was last modified. Read-only. 

Dynamic User Registration Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. If 

this feature is used, when the Identikey Server receives an authentication request for a User 

for the first time and Back-End Authentication is successful, it will create a Digipass User 

account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass will 

be assigned to the new User account immediately. 




This setting also determines whether the Provisioning Registration process is allowed to 

perform DUR or not. 

Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature 

enables the Identikey Server to update the password stored in the Digipass User account 

when Back-End Authentication is successful. 

This setting also determines whether the Provisioning Registration process will update the 

password after successful Back-End Authentication or not. 

Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This feature 

can be used in conjunction with the Back-End Authentication Always setting and the 

Password Autolearn feature. With this combination, even though a Back-End Authentication 

check is done every login, it is done using the password stored in the Digipass User account. 

Therefore the User does not have to enter it during their login, unless it has changed in the 

Back-End System. This mode of operation is referred to as Password Replacement. 

Default Domain The default Domain in which the Identikey Server should look for and create Digipass User 

accounts, if a Domain is not specified by the user credentials. The process of resolving the 

User ID and Domain name is described in the User ID and Domain Resolution section in the 

Product Guide and in 3.5.1.2 Identifying the Domain for a Login Attempt of this document. 

User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass User 

account to become Locked. For example, if the User Lock Threshold is 3, the account will 

become Locked on the third failed login attempt. Unlocking the account requires 

administrator action. 

Note that not all kinds of login failure will result in locking. For example, if the UserId is 

incorrect or the account is Disabled, the failure would not count towards the lock threshold. 

Locking is used mainly for incorrect OTPs and static passwords. 

The locking mechanism is also used for Provisioning and Signature Validation. 

Windows Group Check Specifies whether and how the Windows Group Check feature is to be used. This feature is 

typically used for a staged deployment of Digipass when the Auto-Assignment method is 

used. It can also be used when only some Users are required to use Digipass or when only 

some Users will be permitted access and they have to use Digipass. 

Options: 


No check Do not use the Windows Group Check feature. 

Pass requests for users not in 

listed groups back to host 

system 

Reject requests for users not in 

listed group 

Use only Back-End 

Authentication for users not in 

listed groups 

Use the Windows Group Check so that any Users who are 

not in one of the listed groups are ignored by the Identikey 


Use of this setting for Provisioning or Signature Validation 

will have the same effect as the Reject... setting. 

Use the Windows Group Check so that any Users who are 

not in one of the listed groups are rejected by the Identikey 


Use Back-End Authentication only for any Users who are 

not in one of the listed groups. 

Use of this setting for Provisioning or Signature Validation 



will have the same effect as the Reject... setting. 


Group List This lists the names of the Windows Groups to be checked according to the Windows Group 

Check radio button setting. There are some important limitations of this check: 

Certain built-in Active Directory groups such as Domain Users and Everyone will not be 

checked. The check is intended to be used with a new group created specifically for this 

purpose. 

Nested group membership will not be detected by the check. 

There is no Domain qualifier for a group. The named group must be created in each Domain 

where User accounts exist that need to be added to the group. 

A local machine group can be used also. 

Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, if 

any. There are two methods, Auto-Assignment and Self-Assignment. 

Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When DUR 

occurs, the next available Digipass is assigned to the new Digipass User account. A Grace 

Period is set for the Digipass according to the Grace Period setting in the Policy. 

Self-Assignment is typically used with DUR also, but if the Digipass User accounts are 

created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a User 

is able to assign themselves a Digipass by entering the Serial Number, a valid OTP from the 

Digipass and their static password. There is no Grace Period associated with Self- 

Assignment, because the User has to use the Digipass to perform Self-Assignment. 

In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will not 

be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and 

DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy 

restrictions, they will not be able to self-assign another Digipass. 

This setting is not applicable to Provisioning or Signature Validation. 

Options: 


Auto-Assignment Use the Auto-Assignment method. 

Self-Assignment Use the Self-Assignment method. 

Neither Do not use either method of automated assignment. 

Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and the 

date they must start using their Digipass to login. Before that time they can still use a static 

password (unless the Local Authentication setting is Digipass Only). However, the first time 

that an OTP is used to log in, the Grace Period is ended at that point if it has not already 

ended. 

This setting does not affect manual assignment by an administrator or Provisioning. 

Serial No. Separator The character (or short sequence of characters) that will be included at the end of the 

Digipass Serial Number during a Self-Assignment login. It allows the Identikey Server to 

easily recognize that a Self-Assignment attempt is being made and extract the Serial Number 

from the credentials. 

Search Upwards in Org. Unit 

hierarchy 

This controls the search scope for an available Digipass for Auto-Assignment or Provisioning 

Registration, or for a specific Digipass for Self-Assignment. 

This setting does not affect manual assignment by an administrator. 



Options: 



No The search scope is only the Organizational Unit in which the 

User account belongs. If the User does not belong to an 

Organizational Unit, the search will look for Digipass that also do 

not belong to an Organizational Unit. 

Yes The search will start in the User account's Organizational Unit, 

but if necessary it will then move upwards through the 

Organizational Unit hierarchy until it reaches the top. See the 

Location of Digipass Records topic in the Product Guide for more 

information. 

Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they will 

indicate the Application Names that are permitted. 

Application Type The Policy can restrict which Digipass Application Type (eg. Response Only, 

Challenge/Response) may be used when it is effective. 

Options: 


No Restriction Digipass Application Type is not restricted. 

Response Only Only Digipass Applications of Type RO (Response Only) or MM 

(Multi-Mode) may be used. 

Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) or 

MM (Multi-Mode) may be used. 

Signature Only Digipass Applications of Type SG (Signature) or MM (Multi- 

Mode) may be used. 

Multi-Mode Only Digipass Applications of Type or MM (Multi-Mode) may be 

used. 

Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is effective. 

If the list is empty, there is no restriction. If there are one or more entries, they will indicate 

the Digipass Types that are permitted. 

Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during 

authentication requests to which the current Policy applies. Normally this setting is enabled, 

but it can be used to prevent PIN changes if required. 

1-Step Challenge/Response 

– Permitted 

Controls whether 1-step Challenge/Response logins will be enabled for the current Policy 

and, if so, where the challenge should originate. 

In order to enable 1-step Challenge/Response, you also need to set the Challenge Check 

Mode (see below). 

Note that 1-step Challenge/Response is not applicable in a RADIUS environment. 

Options: 

Default 

No 1-step Challenge/Response may not be used. 




– Challenge Length 


– Add Check Digit 


– Request Method 


– Request Keyword 

Primary Virtual Digipass – 

Request Method 

Primary Virtual Digipass – 

Request Keyword 


Yes – Server Challenge 1-step Challenge/Response may be used provided that the 

Identikey Server that verifies the response generated the 

challenge. 

Yes – Any Challenge 1-step Challenge/Response may be used with any random 

challenge. 

Specifies the length of the challenge (excluding a check digit) which should be generated for 

1-step Challenge/Response logins. 

A check digit may be added to the generated challenge. This allows the Digipass to identify 

invalid Challenges more quickly. 

The method by which a User has to request a 2-step Challenge/Response login. 

This is the only mode of Challenge/Response available in a RADIUS environment. 

The 'request' is made in the password field during login. The request will fail if the User does 

not have a Challenge/Response-capable Digipass assigned. This includes Digipass 

Applications of Type CR, SG and MM. 

Options: 


None Do not use 2-step Challenge/Response. 

Keyword Use the Request Keyword. This is permitted to be blank. 

Password Use the static password. 

KeywordPassword Use the Request Keyword followed by the static password. No 

separator characters or whitespace should be between them. 

PasswordKeyword Use the static password followed by the Request Keyword. No 


Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, if 

a method using a Keyword is selected in the Request Method. 

This is permitted to be blank. 

The method by which a User has to request a Primary Virtual Digipass login. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Primary Virtual Digipass assigned. 

Options: 


None Do not use Primary Virtual Digipass. 







Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. This is permitted to be blank. 



Backup Virtual Digipass – 

Enable Backup VDP 


Time Limit 


Max. Uses/User 




Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy 

is effective. Note that in order for the Backup Virtual Digipass feature to function, it must also 

be activated in the DPX file for the Digipass. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Time Limit is not applicable when using this option, but the 

Max. Uses/User limit is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Time Limit and the Max. Uses/User limit will be in 

effect. 

Yes - Required Backup Virtual Digipass is mandatory. 

The Time Limit is not applicable when using this option, but the 

Max. Uses/User limit is. 

When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting indicates 

the number of days for which the Backup Virtual Digipass feature may be used by a User, 

once they start using it. 

The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP, using the 

Time Limit defined in the Policy. Once this date has expired, it requires administrator 

intervention either to extend it or to reset it to blank for the next time that the User needs to 

use Backup Virtual Digipass. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The maximum number of uses of the Backup Virtual Digipass feature permitted for each 

User, if they do not have a specific limit set for them. 

If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there is 

a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set automatically the 

first time that the User requests a Backup Virtual Digipass OTP. 

Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The method by which a User has to request a Backup Virtual Digipass login. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Digipass assigned that is activated for the Backup Virtual Digipass 

feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use. 

Options: 


None Do not use Backup Virtual Digipass. 





Request Keyword 







Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. This is permitted to be blank. 

Identification Time Window Controls the maximum number of time steps' variation allowable between a Digipass and the 

Identikey Server during login. This only applies to time-based Digipass Applications when 

verifying a One Time Password. 

The Dynamic Time Window option may be used to allow more variation according to the 

length of time since the last successful login. 

If this setting is not specified at all, there is an inbuilt default value of 20. 

Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and the 

Identikey Server during Digital Signature verification. This only applies to time-based Digipass 

Applications when validating a signature, but even then it may be used or not according to 

the Online Signature Level setting. 


Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the Identikey 

Server, the first time that the Digipass is used. The time is specified in hours. This Initial Time 

Window is also used directly after a Reset Application operation, which can be used if it 

appears that the internal clock in the Digipass has drifted too much since the last successful 

login. 

This only applies to time-based Digipass Applications when verifying a One Time Password. 

In either case, after the first successful login, the Initial Time Window is no longer active. 


Event Window Controls the maximum number of events' variation allowable between a Digipass and the 

Identikey Server during login. This only applies to event-based Digipass Applications. It 

always applies when verifying a One Time Password but for Signature validation, it depends 

on the Online Signature Level setting whether the Event Window is used or not. 


Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the 

Digipass Application is locked from future authentication attempts. Once the Digipass 

Application is locked, the Reset Appl Lock command is required to unlock it for further 

authentication. 

This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a login, either 

because the User only has one Digipass with one Application, or because the Policy 

restrictions narrow the list down to one Digipass Application. If Policy restrictions are used in 

this way, the Identification Threshold can be used to lock a User out of one kind of login (eg. 

a VPN) while still permitting them to use another kind (eg. a web application). 

If this setting is not specified at all, this feature is not used. 

Signature Threshold Specifies the number of consecutive failed Signature validation attempts allowed before the 




Digipass Application is set to be locked from future signature validation attempts. Once the 

Digipass Application is locked, the Reset Appl Lock command is required to unlock it for 

further signature validation. 

This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a signature 

validation, either because the User only has one Digipass with one signature-capable 

Application, or because the Policy restrictions narrow the list down to one Digipass 

Application. If Policy restrictions are used in this way, the Signature Threshold can be used to 

lock a User out of one kind of signature validation while still permitting them to use another 

kind. 


Max. Days Since Last Use This setting specifies the maximum number of days for which a Digipass Application can go 

unused for authentication or signature validation. After this limit, authentication and signature 

validation will be rejected until an admnistrator performs a Reset Application operation. 


Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication. 

The value 1 should be used for standard RADIUS Challenge/Response. This is the inbuilt 

default value if the setting is not specified at all. 

0 No check is made. This is necessary for 1-step 

Challenge/Response. 

1 The challenge presented for verification must be the last one that 

was generated specifically for that Digipass. This is the normal 

mode of operation in 2-step Challenge/Response. 

2 The challenge presented for verification is ignored; the last one 

that was generated specifically for that Digipass is used. 

3 Only one verification is permitted per time step. This option only 

applies to time-based Challenge/Response. This is a method of 

avoiding a potential replay of a captured response if the same 

challenge comes up again in the same time step. 

4 If the same challenge and response are presented for verification 

twice in a row during the same time step, they are rejected. This 

is an advanced method of avoiding a potential replay of a capture 

challenge/response. 

Online Signature Level This setting is for advanced control of Signature validation. 

The value 0 can be used for Digipass Applications that are neither time- nor event-based. 

This is the inbuilt default value if the setting is not specified at all. 

0 The signature is validated in offline mode. This is useful when the 

signatures may not be validated in the same sequence as they 

were generated by the user. It is also useful when there may be 

some delay after the signature is generated by the user, before 

the signature is validated. 

For time-based Digipass Applications: 

This mode is typically used with a large time step. 

When this mode is used, no clock synchronization occurs 




between the Digipass and the Identikey Server. The Identikey 

Server will not reject an older signature than the most recently 

validated signature, provided it is still within the Signature Time 

Window. 

For event-based Digipass Applications: 

When this mode is used, the Identikey Server will not reject an 

older signature than the most recently validated signature, 

provided it is still within the Event Window. 

1 The signature is validated in online mode. This is useful when the 

signatures are expected or required to be validated immediately 

after they are generated. 

For time-based Digipass Applications: 

This mode is typically used with a small time step. 

When this mode is used, clock synchronization occurs between 

the Digipass and the Identikey Server. The Identikey Server will 

reject an older signature than the most recently validated 

signature. A newer signature must be within the Signature Time 

Window. 

This mode will allow more than one signature to be validated in 

the same time step, provided that the same exact signature is 

not repeated twice in a row. 

For event-based Digipass Applications: 

When this mode is used, the Identikey Server will reject an older 

signature than the most recently validated signature. A newer 

signature must be within the Event Window. 

2 The signature is validated in strict online mode. This is useful for 

time-based signatures when you want to prevent more than one 

signature from the same time step from being validated. 

Otherwise, this mode is the same as online mode. 

3 The signature is validated using the Deferred Event Count. This 

mode only applies to event-based signatures. For each signature 

validation request, the Deferred Event Count must be supplied as 

a parameter. 


7.6 Client Properties 

Note 

Changes to Client records (add, change, delete) will not take effect immediately on all Identikey 

Servers unless Replication is used to synchronize the Identikey Servers. Where Replication is not 

used, changes to Client records will take effect when each Identikey Server is restarted, once the 

Client change is available to it in its data store. Alternatively, if there is no restart, the cache of 

Client records will refresh from the data store after approximately every 15 minutes. 

Table 39: Client Fields 



Client Type The type of Client component represented by the record. For SOAP clients, the type needs to match 

the Component Type parameter passed in the SOAP requests. Each application can identify itself as 

a different type of Client. 

In addition there are some standard 0ptions: 

Administration Program 

RADIUS Client 

Citrix Web Interface 

Outlook Web Access 

IIS6 Module 

Location The IP address or name of the machine represented by the record. For all Client types except 

RADIUS Clients, this must be the source IP address of requests originating from that Client. 

For a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier values sent in the RADIUS 

requests. 

A RADIUS Client of Location default can be used to accept RADIUS requests from all IP addresses, 

using the same Shared Secret. However, where a RADIUS Client record with the exact Location 

exists, its Shared Secret will be used in preference to the default RADIUS Client's Shared Secret. 

Protocol The protocol by which requests will be received from the Client. 

SOAP The standard SOAP protocol over HTTPS. This is used by programs 

using the SOAP interface from the Identikey Server SDK and the 

Web Administration Interface. 

RADIUS The standard RADIUS protocol. This is used by various remote 

network access hardware and software systems. It can also be used 

as a simple authentication programming interface. 

SEAL A proprietary TCP/IP based protocol used by Identikey Server and 

VACMAN Middleware 3.x. It is used by the IIS6 Module, Digipass 

TCL Command-Line Administration and for Replication between 

Identikey Servers. 

Policy The name of the Policy that should be used for authentication, Provisioning and signature validation 

requests from the Component. 

Shared Secret The RADIUS Shared Secret between the Identikey Server and the RADIUS Client. 



Confirm Shared Secret Allows confirmation of a new shared secret. 

Created On The date and time that the Client was created. Read-only. 

Last Modified On The date and time that the Client was last modified. Read-only. 


License Key For each SEAL authentication Clients (IIS Modules), a License Key is required. This consists of a set 

of parameters followed by a signature. See 8 Licensing for more information. 


7.7 Back-End Server Properties 

Note 

Changes to Back-End Server records (add, change, delete) will not take effect immediately on all 

Identikey Servers unless Replication is used to synchronize the Identikey Servers. Where 

Replication is not used, changes to Back-End Server records will take effect when each Identikey 

Server is restarted, once the Back-End Server change is available to it in its data store. 

Alternatively, if there is no restart, the cache of Back-End Server records will refresh from the 

data store after approximately every 15 minutes. 

Table 40: Back-End Server Fields 



Protocol Back-End Authentication Protocol. RADIUS, Active Directory, ADAM and e-Directory are 

currently supported. 

Domain This field provides the ability to assign particular Back-End Servers to a given Domain. 

This is optional. 

Priority The priority in the case that there are multiple Back-End Servers. The highest priority 

server is tried first, then the next highest, etc. 

Authentication IP IP Address on which the RADIUS Server receives authentication requests. 

Authentication Port UDP Port on which the RADIUS Server receives authentication requests. 

Accounting IP IP Address on which the RADIUS Server receives accounting requests. 

Accounting Port UDP Port on which the RADIUS Server receives accounting requests. 

Shared Secret Shared secret between the Identikey Server and the RADIUS Server. 

Confirm Shared Secret Allows confirmation of a new shared secret. 

Timeout Number of seconds to wait for a response from the RADIUS Server before either retrying 

or trying another RADIUS Server. 

No. of Retries Number of times to retry if no response is received from the RADIUS Server. 

Base Search DN The DN where the search for user accounts starts. 

Security Principle DN The DN of the security principle used to access the directory. 

Security Principle Password the password of the security principle. 

Created On Date/time of creation. 

Last Modified On Date/time of last modification. 


7.8 Reports Properties 

Table 41: Report fields 


Report Name The name the report was given when it was created. 

Domain Name The domain the report was created in. 

Report Type The report Type. 


List Analysis Report List analysis reports list items that match the 

predefined criteria 

Detailed Analysis Report The Detailed Analysis Report shows detail of 

the events specified in the report definition 

Distribution Analysis Report Distribution analysis reports break down the 

values of certain items over other items. 

Trend Analysis Report Trend analysis reports express a 

trend/evolution over a requested period of time 

for a set of reported items. The system 

therefore makes sub counts at a regular 

interval of the amount of times an item has 

occurred 

Description The description of the report that was entered when the report was created. 

Data Source Where the data in the report comes from. The sources can be: 

Users The User data will be used to generate the 

report 

Users + Audit The User data and audit data will be used to 

generate the report 

Digipass 

Digipass + Audit 

Audit 

Digipass data will be used to generate the 

report 

Digipass data and audit data will be used to 

generate the report. 

Only Audit data will be used to generate the 

report. 

Grouping Level The grouping level will be used to group the information on the report into the format you 

require. The grouping levels are: 

Client The report information will be grouped for 

each client 

Domain The report information will be grouped for 

each Domain 

Organizational Unit The report information will be grouped for 

each Organizational Unit 


User 

Digipass 


The report information will be grouped for 

each client 

The report information will be grouped for 

each Digipass 

Time Frequency For Trend Analysis reports. This type of report shows trends over a time period, taking sub 

counts at certain time periods. Use this field to specify the sub-count time frequency 

Created On Date the report was created 

Updated On Date the report definition was last modified 


7.9 Identikey Server Properties 

Note 

Changes to Identikey Server records (add, change, delete) will not take effect immediately on all 

Identikey Servers unless Replication is used to synchronize the Identikey Servers. Where 

Replication is not used, changes to Identikey Server records will take effect when each Identikey 

Server is restarted, once the Identikey Server change is available to it in its data store. 

Alternatively, if there is no restart, the cache of Identikey Server records will refresh from the 

data store after approximately every 15 minutes. 

Table 42: Identikey Server Fields 


Location The IP address of the Identikey Server represented by the record. 


Policy The name of the Policy that should be used for administration logon requests from the Component, 

including live connections from the Audit Viewer. This Policy is used if there is no specific 

Administration Program Client record for the location of the administration logon. 

Created On The date and time that the Client was created. Read-only. 

Last Modified On The date and time that the Client was last modified. Read-only. 

License Key For each Identikey Server, a License Key is required. This consists of a set of parameters followed by 

a signature. See 8 Licensing for more information. 


7.10 Data Changes Requiring a Restart of Identikey Server 

7.10.1 Changes to the Data Store 


No data changes made in the Web Administration Interface, Digipass TCL Command-Line Administration or a 

SOAP administration client require a restart of the Identikey Server to take effect straight away. As this 

administration is carried out through the Identikey Server, the Identikey Server can immediately update any cached 

data. 

In addition, when multiple Identikey Servers are replicating database changes to each other, they update their 

cached data as changes are replicated. 

However, modifications listed in the Cached Data List topic below will not take effect until the Identikey Server is 

restarted, or until the caches re-load the data automatically, in the following cases: 

Multiple Identikey Servers are sharing a database. In this case, only the Identikey Server with which the data 

change is made will update its caches. 

Multiple Identikey Servers with their own database each are used, but they are not synchronized using 

Identikey Server Replication. 

Direct modifications are made to the database, for example with an SQL tool or using the VASCO Data 

Migration Tool. 

Note that direct modifications to the database are not replicated to any other Identikey Servers – the same 

modifications must be made to each Identikey Server's database (or the whole database re-copied). 

Where multiple Identikey Servers are in use, with multiple databases, user-configured synchronization between the 

databases must be considered. A Identikey Server will not know about a data change made in another Identikey 

Server's database until that change has been copied to its own database. 

7.10.1.1 Automatic Re-Loading of Cached Data 

In the Identikey Server, all cached data is periodically re-loaded from the data store. This time period, around 15 

minutes, is tracked for each entry separately. Therefore, even without a restart, data changes will typically take 

effect within a matter of minutes (unless synchronization between databases is slower). 

7.10.1.2 Cached Data List 

The following data modifications relate to cached data: 

Creation, editing and deletion of Policy records 

Creation, editing and deletion of Client records 

Creation, editing and deletion of Back-End Server records 


Creation, editing and deletion of Identikey Server records 

Creation, editing and deletion of Domain records 

7.10.2 Changes to Configuration Settings 


Configuration settings are modified using the Identikey Server Configuration utility, the Web Administration, SOAP 

commands, TCL commands. or can be modified directly in the XML file. Configuration changes done using the 

Identikey Server Configuration utility or directly in the XML file require a restart. The Identikey Server Configuration 

utility automatically prompts to restart the Service upon exiting. However if you modify the file directly, you will 

need to restart the Identikey Server Service using the Windows Service Control Manager. Configuration changes 

done using Web Administration, or the SOAP or TCL commands do not require a restart. 

Each Identikey Server has separate configuration settings. Changes to settings for one Identikey Server will not be 

automatically applied to other Identikey Servers. 

Storage Advanced Settings 

The settings edited using Advanced Settings tab in the Storage section are not replicated to 

other Identikey Servers. Normally these settings should be the same on all Identikey Servers, so 

you need to make sure they are applied to each one. 

As they are stored in the database itself, if you copy a database from one Identikey Server to 

another, these settings will be copied also. 


8 Licensing 

8.1 How is Licensing Handled? 

Licensing 

Identikey Server requires a License Key for each Identikey Server component. The License Key is stored in the 

Identikey Server record in the data store. It is tied to the location (IP address) where the Identikey Server is installed 

– the Identikey Server will 'listen' on this IP address for SOAP and RADIUS requests. 

A License Key must be obtained from https://sc.vasco.com/registration/identikey/. This will generate a License Key 

and allow you to download it in a text file. The License Key can then be loaded from the file into the data store. 

This process normally occurs in the Identikey Server Configuration Wizard, but may also be carried out later using 

the Web Administration Interface. 

The Identikey Server will not authenticate a user without a valid License Key, except to permit administration and 

reporting. Signature Validation and Provisioning will not be carried out without a valid License Key. 

Certain Client modules – such as the IIS 6 Module for Citrix Web Interface – also require a License Key to be 

loaded into their Client component record. The Identikey Servers to which they connect will otherwise reject all 

authentication requests from them. 

SOAP and RADIUS clients do not require a License Key in their Client component record. However, the Identikey 

Server License Key requires parameters to enable the use of SOAP and RADIUS. 

Certain types of request processing need to be enabled by parameters in the Identikey Server License Key: 

Authentication, Signature Validation and Provisioning. 

If you acquire new functionality, you will need to obtain new License Keys for all your Identikey Servers. This can be 

done using the Web Administration Interface. 

Evaluation Licenses 

An evaluation license allows you to utilize full functionality until the evaluation period runs out. At the end of this 

period, you will need to either uninstall the product or buy a permanent license. Contact your VASCO supplier's 

representative to acquire the licences you will need. For your convenience, the evaluation serial number is provided 

for you in the evaluation license activation web page. However, you still need to obtain and load a License Key. 

Client module licenses can also be evaluation (time-limited) licenses. 

8.2 Licensing Parameters 

Table 43: License Parameters for Identikey Server 

Parameter Value 

Product The name of the VASCO product, eg. Identikey Server. 


Parameter Value 

Component The type of Component licensed, eg. Identikey Server. 

Version Current version number of the licensed VASCO product. 

Location The IP address for the machine represented by the Component record. 

Company The name of your company. 

Username Your name. 

SerialNo The serial number for the VASCO product. 

Generated The date and time that the license file was generated. 

Expires Used for evaluation license only – expiry date. 

SOAP Enable SOAP request processing. 

RADIUS Enable RADIUS request processing. 

Authentication Enable Authentication request processing. 

Signature Enable Signature Validation request processing. 

Provisioning Enable Provisioning request processing. 

8.2.1 Sample License File 

----- VASCO PRODUCT LICENCE ----- 

Product=Identikey Server 

Component=Identikey Server 

Version=3.1 

Expires=2009/06/19 02:40:32 GMT 

Location=test.vasco.com 

Company=VASCO Data Security 

Username=Mr Demo User 

SerialNo=0A2B4C6D8E 

Generated=2009/05/20 02:40:32 GMT 

SOAP=Yes 

Authentication=Yes 

Signature=Yes 

----- SIGNATURE ----- 

3:302C02147A487891E0745D 

6866E0Af8DDB7D6AF092BFCD 

27021474601702DbFCE5B500 

D76354022F0489DB159B62 

----- END LICENCE ----- 

8.3 View License Information 

To view the license information for a specific component: 

Licensing 


1. Log into the Web Administration Interface. 

2. For a Client component, click on the Clients tab. 

The Client List will be displayed. 

3. For an Identikey Server component, click on the System tab. 

The Identikey Server List will be displayed. 

4. Click on the required component record's link to view its property pages. 

5. Click on the License tab. 

8.4 Obtain and Load a License Key 

Note 

An active internet connection is required to obtain a License Key. 

1. Follow the steps in 8.3 View License Information to view the License property tab for the required 

component. 

2. Click on the Get License Key button. 

A browser window will be opened, with the VASCO license activation page loaded. Some details of the 

component will be entered automatically for you. 

3. Enter any other required information into the web page. 

Licensing 

4. When the License Key has been generated, right-click on the link where it says 'Right-click and save the file 

to disk'. Select the option to save the link – save it with a .dat extension, for example as license.dat. 

The license file will also be emailed to you. 

5. A download of your License Key file should begin. Keep note of where you save the file, and its name. 

6. Once the download is complete, go back to the Web Administration Interface and the License property tab. 

7. Click on the Load License Key button. 

8. Browse to the download location and select the License Key file. 

9. Click on Upload to load the License Key from the file into the component record. 

10. If you have new functionality enabled in the license, you will need to restart the Identikey Server in order for 

the new functionality to become available. 

In addition, the new functionality may need to be enabled in other Identikey Servers in your system. If so, you 

will need to follow this procedure for each one. 


8.5 Re-Licensing 

Licensing 

You will need to obtain and load new License Keys for your Identikey Server components in the following situations: 

You need to change from an evaluation license to a permanent license. 

You need to enable new functionality. 

The Identikey Server's IP address is going to change or has changed. 

You are performing an Identikey Server upgrade where the minor or major versions are increasing (for 

example, from 3.0 to 3.1 or 4.0). 

See 8.4 Obtain and Load a License Key above for instructions on obtaining a new License Key in the first two 

cases. 


9 Web Sites 

9.1 Customizing the Web Sites 

Web Sites 

The User Self Management Web Site and OTP Request Site can be customized by modifying the pages provided 

with the installation. You may wish to: 

change the colors and graphics to match your corporate colors/logos 

integrate the pages into a larger web site 

translate or customize the text 

Any cosmetic part of the web pages may be modified. Completely new web pages may be used, provided that the 

correct form fields are posted to the CGI program, and query string variables are interpreted correctly. Server 

scripting languages such as PHP or ASP, or any other way of generating HTML, can be used. 

This section provides the instructions and reference material that you require to customize the site. It is assumed 

that the reader has some web development knowledge. 

9.2 CGI Program 

A CGI script is used for the User Self Management Web Site and OTP Request Site. 

The CGI program carries out the following actions: 

Read and validate the input. This input is gathered from: 

Configuration settings from the registry 

Form variables posted 

Send an authorisation request to the RADIUS Server (if used, and provided that there were no validation errors) 

and interpret the response. Requests are sent to the Server using the RADIUS protocol. A component identifier 

Self-Mgt Site will indicate in the Audit Console which audit messages relate to requests from the User Self- 

Management Web Site. 

(OTP Request Site only) Send a request to the Message Delivery Component to send an OTP to the User's 

mobile phone via text message. 

Output the HTML to direct the user to the page that will indicate success or failure, or display a challenge. This 

is achieved by returning the HTML for a basic ‘please wait’ page with a ‘meta-refresh’ instruction to go directly 

to the appropriate page. The meta-refresh will happen immediately, but on a slow link you may notice the 

intermediate page. 

The CGI program cannot be customized. Its behaviour is controlled by the configuration settings and the posted 

form variables. The configuration settings are listed below; the posted form variables are specified in the 

Customizing the Web Site section. 


9.2.1 Configuration Settings 

Web Sites 

Various configuration settings are used by the CGI program to locate the RADIUS server(s) and to enable tracing. 

These can be modified using the Start->Programs menu option “User CGI Configuration”. 

The configuration settings are stored in the Windows Registry, at the path: 

HKEY_LOCAL_MACHINE\Software\VASCO\User CGI 

Table 44: Configuration Settings for CGI Program 

Name Type Value Default 

Trace-Mask Number 

(DWORD) 

Used to enable internal tracing levels. In general, just 

use these values: 

0 = no tracing 

FFFFFFFF (hexadecimal) = full tracing 

Trace-File String Full path and filename of output file for internal tracing. 

NB: the file will be created if it is missing, but not the 

directory. 

Source-IP-Address String Source IP address to bind to when sending API requests, 

if any (only required if there are multiple IP addresses on 

the machine).eg. 10.9.255.7 

0 

 

 

Server1-IP-Address String IP address of primary RADIUS Server. eg. 10.2.255.45 127.0.0.1 

Server1-Port Number 

(DWORD) 

API port of primary RAIUS Server (in general, this should 

not be changed from the default). 

Server2-IP-Address String IP address of backup RADIUS Server, or blank if there is 

no backup. 

Server2-Port Number 

(DWORD) 

API port of backup RAIUS Server (in general, this should 

not be changed from the default) 

20003 

 

Identikey Server Administrator Reference 126 

20003

9.3 Form Fields 

9.3.1 Registration – Main Pages 

Web Sites 

User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all implemented using a 

single invocation of the CGI program. This permits them to be carried out either separately or in any combination. 

You can choose to separate them in your customized web site or keep them together as you prefer. 

If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static password and Serial 

Number into the main page without a Digipass Response. They will be directed to a challenge page, which is 

specified in the next topic, in which they should enter either a Response to the challenge or the OTP sent to their 

mobile phone. The following table applies only to the main page. 

The following posted form fields must be used on the main page, according to the particular function and other 

conditions specified below: 

Table 45: Form Fields for Main Registration Page 

Form Field Name Visible Label 

(Default) 

dpcgi_operation “register” for User Registration, Digipass 

Assignment or Password Synchronization. 

Value(s) Required? 

dpcgi_success_page Relative or absolute URL of web page to go to if 

the function is successful. 

dpcgi_fail_page Relative or absolute URL of web page to go to if 

the function fails. 

dpcgi_challenge_page Relative or absolute URL of web page to go to if 

a challenge is returned for the user. 

UR PS DA 

Y Y Y 

Y Y Y 

Y Y Y 

(4) (1) 

dpcgi_userid UserId UserID in the Identikey Server. Y Y Y 

dpcgi_password Password Static password. Y Y Y 

dpcgi_serialno Serial Number Digipass serial number. Y 

dpcgi_response Digipass Response Digipass response (without static PIN if there is 

one). 

(5) (2) 

dpcgi_newpin New PIN New static PIN (for Go 1/Go 3). (3) 

dpcgi_confirmpin Confirm New PIN Confirm the new static PIN. (3) 

dpcgi_usecombinedpwd “True” to send the password, serial number, 

response and PIN to the Identikey Server in one 

attribute. 

“False” to send the contents of the password 

field 

(1) If any users may self-assign a Challenge/Response Digipass, provide this form field. 


(2) If any users may self-assign a Response Only Digipass, provide this form field. 

Web Sites 

(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the beginning of the 

response (eg. Go 1/Go 3), where the Digipass are initialized with no initial static PIN, they have to enter a 

new PIN the first time they use the Digipass. If they are self-assigning the Digipass, that means that they 

have to enter the new PIN and confirm it during the self-assignment process. They can do this by adding 

the new PIN twice at the end of the Digipass Response, however it may be more user-friendly to provide 

these two separate form fields. 

(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include this field. 

(5) If any users have a Response Only application, include this field. 

9.3.1.1 Registration – Challenge Page 

The Registration challenge page will be used for Digipass Challenge/Response or Virtual Digipass. The user enters 

their response to the challenge, to complete the registration process. 

The following posted form fields must be used on the challenge page: 

Table 46: Form Fields for Registration Challenge Page 


(Default) 


dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 

dpcgi_success_page Relative or absolute URL of web page to go to if the 

function is successful. 

dpcgi_fail_page Relative or absolute URL of web page to go to if the 

function fails. 

dpcgi_userid UserId UserID in the Identikey Server. Y 

dpcgi_response Digipass Response Digipass response or Virtual Digipass OTP. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Note 

If you make dpcgi_challenge a visible form field, ensure that it is not modifiable. An alternative is 

to make it a hidden form field, while also displaying the challenge in HTML text rather than as a 

form field. 


Y 

Y 

Y

9.3.1.2 PIN Change 

Web Sites 

The PIN Change function is only applicable for Digipass Response Only where the Server PIN is entered at the start 

of the response (eg. Go 1/Go 3). 

The following posted form fields must be used on the PIN Change page: 

Table 47: Form Fields for Server PIN Change Page 


(Default) 


dpcgi_operation “changepin” for PIN Change. Y 

dpcgi_success_page Relative or absolute URL of web page to go to if the 

function is successful. 

dpcgi_fail_page Relative or absolute URL of web page to go to if the 

function fails. 


dpcgi_response Digipass Response Digipass response (without static PIN if there is one). Y 

dpcgi_currentpin Current PIN Current static PIN to be changed. (6) 

dpcgi_newpin New PIN New static PIN. Y 

dpcgi_confirmpin Confirm New PIN Confirm the new static PIN. Y 

(6) If the Digipass has had its Server PIN reset by the administrator because the user has forgotten it, there is 

no current Server PIN to enter here. In all other cases, the current Server PIN must be provided to permit 

the PIN change. 


Y 

Y

9.3.1.3 Login Test – Main Page 

Web Sites 

If a Challenge/Response application or Primary Virtual Digipass is used, the user will enter just their UserId (and 

maybe password) into the main page without a Digipass Response. If using the Backup Virtual Digipass, they will 

need to enter the trigger specified in server settings (password and/or a Keyword) into the password field. 

They will be directed to a challenge page, specified in the next topic. The following table applies only to the main 

page. 

The following posted form fields must be used on the main page: 

Table 48: Form Fields for Main Login Test Page 


(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 


dpcgi_response Digipass 

Response 

Digipass response (with static PIN if there is one). (8) 

(7) If any users have a Challenge/Response Digipass, a Primary Digipass or use the Backup Virtual Digipass 

feature, provide this form field. 

(8) If any users have a Response Only Digipass, provide this form field. 


Y 

Y 

(7)

9.3.1.4 Login Test – Challenge Page 

Web Sites 

The user enters their response to the challenge or the OTP sent to their mobile phone to complete the login test. 

The following posted form fields must be used on the challenge page: 

Table 49: Form Fields for Login Test Challenge Page 

Form Field Name Visible Label (Default) Value(s) Required? 

dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_userid UserID User ID in the Identikey Server. Y 

dpcgi_response Digipass Response Digipass response. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Note 

If you make dpcgi_challenge a visible form field, make sure that it is not modifiable. An 

alternative is to make it a hidden form field, while also displaying the challenge in HTML text 

rather than as a form field. 


Y 

Y

9.3.2 OTP Request Site 

9.3.2.1 Request Page 

The request page must contain the following fields: 

Table 50: Form Fields for OTP Request Page 

Name Type 

Username text Visible 

Password Password Visible 

dpcgi_operation “VDPrequest” Hidden 

dpcgi_vdp_success_page Name of “OTP was sent” Page Hidden 

dpcgi_vdp_fail_page Name of “OTP not sent” Page Hidden 

dpcgi_vdp_wrongtoken_page Name of “Not a Virtual Digipass” Page Hidden 

Web Sites 


9.4 Query String Variables 

Web Sites 

The query string variables that are passed to the web pages by the CGI program are mainly concerned with status 

and error reporting. There is also a variable that is used to pass a challenge to the pages that display one. 

9.4.1 Failure/Error Handling 

There are three main groups of failures that can occur, which should be handled in a different manner. In all cases 

there is a numeric error code, however in some cases there is an auxiliary code and message such as the return 

code and message from the Identikey Server. The main error codes will be assigned in three separate ranges, so 

that the web pages can identify which category of error is returned. 

API return codes – these are returned by the VASCO API used to make the authentication request to the 

Server. In some cases there will be an auxiliary code and message. 

CGI errors – these errors are detected by the CGI program, mainly when the web pages are not providing or 

enforcing the posted form fields correctly. These will not generally have an auxiliary code and message, but it 

is possible. 

Internal errors – these are technical errors that ‘should not occur’. In some cases there will be an auxiliary 

code and message. 

The intention of using this code-based scheme is to allow translation and customization of the messages. The 

main error code will be translated into a message by the web pages themselves. The pages can also translate the 

auxiliary code into a message, for the Identikey Server codes, but normally, the pages would not know how to 

translate it into a message, and should display the auxiliary message as provided. 


9.4.2 Query String Variable List 

Web Sites 

The following table indicates which variables are used for the User Self Management Web Site and the required 

conditions: 

Table 51: Query String Variable List 

Variable Value Condition Used by Site 

result 0 Successful authentication request Both 

Unsuccessful authentication request Both 

CGI or internal error occurred Both 

challenge 

serialNo 

auxcode 

 

auxmsg 

Examples: 

success: /vmsite/success.html?result=0 

 

Challenge returned by API User Self 

Management Web 

Site only 

Successful Auto- or Self- 

Assignment 

Unsuccessful authentication request 

due to Controller rejecting password 

CGI or internal error occurred, 

where another error code is relevant 

Unsuccessful authentication request 

due to Controller rejecting password 

CGI or internal error occurred, 

where an error message is relevant 

User Self 

Management Web 

Site only 

invalid Digipass response due to code replay: /vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt 

challenge: /vmsite/challenge.html?challenge=738453 


Both 

Both 

Both 

Both

9.4.3 Return Code Listing 

In the following tables, the Message is the one that is provided by the standard web pages that we install. 

9.4.3.1 API Return Codes 

9.4.3.2 CGI Errors 

The following codes are the ones that in normal cases might be returned: 

Table 52: API Return Codes 

Code Message Auxiliary Code/ 

Message? 

Notes 

Web Sites 

-1 Error during request to Server N We are unable to distinguish the error 

from the client side of the API – the 

administrator would have to look at the 

Audit Console. 

Table 53: CGI Error Return Codes 

Code Message Auxiliary 

Code/ 

Message? 

-100 Only the POST method is permitted N 

-101 No dpcgi_operation was posted N 

-102 An invalid dpcgi_operation was posted N 

-103 dpcgi_challenge_page cannot be used for this operation N 

-104 dpcgi_password cannot be used for this operation N 

-105 dpcgi_serialno cannot be used for this operation N 

-106 dpcgi_currentpin cannot be used for this operation N 

-107 dpcgi_newpin cannot be used for this operation N 

-108 dpcgi_confirmpin cannot be used for this operation N 

-109 dpcgi_challenge cannot be used for this operation N 

-110 dpcgi_success_page must be entered for this operation N 

-111 dpcgi_fail_page must be entered for this operation N 

-112 dpcgi_userid must be entered for this operation N 

-113 dpcgi_password must be entered for this operation N 

-114 dpcgi_response must be entered for this operation N 

-115 dpcgi_newpin must be entered for this operation N 


9.4.3.3 Internal Errors 

Web Sites 


Code/ 

Message? 

-116 dpcgi_confirmpin must be entered for this operation N 

-117 A Digipass Response is required to assign a Digipass N 

-118 A New PIN can only be set when assigning a Digipass N 

-119 Enter the new PIN in the New PIN and Confirm New PIN fields N 

-120 The New PIN and Confirm New PIN fields have different values N 

-121 A challenge was returned, but there is no dpcgi_challenge_page N 

-122 Unknown parameter N 

-123 The Content-Length passed in was invalid N 

-124 dpcgi_serialno must be entered for this operation N 

-131 Wrong token page is forbidden N 

Table 54: Internal Error Codes 


Code/ 

Message? 

-1000 Cannot read Trace-Mask configuration setting Y 

-1001 Cannot read Trace-File configuration setting Y 

-1002 Cannot open Trace-File Y 

-1003 Cannot read Source-IP-Address configuration setting Y 

-1004 Cannot read Server1-IP-Address configuration setting Y 

-1005 Cannot read Server1-Port configuration setting Y 

-1006 Cannot read Server2-IP-Address configuration setting Y 

-1007 Cannot read Server2-Port configuration setting Y 

-1008 Invalid configuration setting Source-IP-Address Y 

-1009 Invalid configuration setting Server1-IP-Address Y 

-1010 Invalid configuration setting Server1-Port Y 

-1011 Invalid configuration setting Server2-IP-Address Y 

-1012 Invalid configuration setting Server2-Port Y 

-1014 Cannot read HTTP request data N 

-1015 Request to Server not completed Y 

-1016 Cannot read Self-Management Site registry key Y 


Web Sites 


Code/ 

Message? 

-1017 The specified Source-IP-Address is not on this machine N 

-1018 Cannot read Trace-Header configuration setting Y 

-1019 Invalid configuration setting Trace-Header Y 

-1020 The Trace file name must not contains quotes ' or ". N 

-1021 No File found in the trace file N 

-1030 Error reading Server 1 Secret - return code was N 

-1031 Error reading Server 2 Secret - return code was N 

-1032 Error reading No of Retries - return code was N 

-1033 Error reading Timeout - return code was N 

-1034 Error writing Protocol - return code was N 

-1040 The Shared Secret and Confirm Shared Secret do not match. N 


10 Login Options 

10.1 Login Permutations 

Login Options 

The information required to be entered during a login will vary according to the configuration settings of the 

relevant Policy, the login method, and any actions to be performed during the login. 

This section refers to authentication processing only, not Signature Validation or Provisioning. 

10.1.1 Login Methods 

The login methods specified are: 

Response Only 

Challenge/Response: 

10.1.2 Login Actions 

1-Step Challenge/Response: a random challenge is presented on the login page before the User ID is known. 

This is supported for SOAP clients and form-based IIS Modules. 

2-Step Challenge/Response: a challenge is generated after the user submits their User ID with a request to 

be given a challenge. The user then logs in with the response to the challenge in a second step. This is 

supported for all kinds of authentication client. 

Virtual Digipass - Primary or Backup 

A User may be allowed to do these things during a login: 

Set their Server PIN – on first use or after a PIN reset. 

Change their Server PIN. 

10.1.3 Login Variables 

Inform the Identikey Server that their static password for the Back-End System – eg. Windows - has been 

modified. 

Perform a Self-Assignment for a Digipass in their possession. 

The variables which a User may need to enter, in order to do one of the above functions are listed below. The 

code or word used to designate each variable in the following tables is included in brackets. 

One Time Password (OTP) 

Password (Password) 


Server PIN (PIN) 

Serial Number of their Digipass (Serial No) 

Serial Number Separator (Sep.) 

Request Keyword (Keyword) 

10.1.4 Password Format 

In a SOAP authentication request, there are two Password Formats that can be used: 

Cleartext Combined 

Login Options 

Using this format, all the login variables listed above must be entered into a single password field. This format 

applies when the login screen or web page cannot be extended with additional entry fields. 

Cleartext Separate 

Using this format, the login variables are entered in separate fields. 

In RADIUS authentication requests, the PAP password protocol corresponds to the Cleartext Combined password 

format. The CHAP, MS-CHAP and MS-CHAP2 password protocols are handled as different password formats (as 

the password is hashed in various ways according to the protocol). In general, these hash-based password formats 

are not capable of combining different login variables, unless all the variables are already known to the Identikey 


In administrative logons and IIS Module authentication requests, the Cleartext Combined password format is always 

used. 

10.1.5 Policy Settings 

The Policy settings which will affect the variables required in logins are: 

Stored Password Proxy 

If this attribute is set to Enabled, each User's password must be kept up to date in the Identikey Server. This is 

typically achieved by enabling Password Autolearn. 


If the Identikey Server is informed of a User's password change, the new password will only be recorded by the 

Identikey Server if Password Autolearn is enabled in the relevant Policy 

Serial Number Separator 

If a Serial Number Separator is specified, the User may enter their Digipass serial number exactly as it appears 

on the back of their Digipass (or in the documentation provided to the User), including dashes. If a Serial 

Number Separator is not specified, the Digipass serial number must be padded to 10 characters, with all nonnumerical 

characters removed. 

Back-End Authentication 


Login Options 

In the following login permutations tables, 'Back-End Authentication Required' means that the Back-End 

Authentication setting is set to Always or If Needed. 

Note 

Back-End Authentication is required for Self-Assignment and Password Autolearn logins. 

10.1.6 Response Only – Cleartext Combined Password Format 

The following two tables apply to the following cases: 

SOAP using Cleartext Combined password format 

Administration logins 

RADIUS using PAP 

IIS Modules 

The first table applies in these cases when: 

EITHER the Stored Password Proxy feature is enabled 

OR Back-End Authentication is not enabled 

Table 55: Login Permutations - Response Only Cleartext Combined (1) 

Server PIN 

Required 

Login Type Existing PIN? 

Separator? 

Normal login Yes N/A PIN+OTP 

Password Field Contents 

Set PIN No N/A OTP+NewPIN+NewPIN 

Change PIN Yes N/A PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 1 Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No Server Normal login N/A N/A OTP 

No SerialNo+Password+PIN+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

1 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 

10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self-Assignment. 


PIN 

Required 


Separator? 


Changed Password N/A N/A Password+OTP 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

The second table applies in these cases when: 

The Stored Password Proxy feature is not enabled 

AND Back-End Authentication is enabled 

Table 56: Login Permutations - Response Only Cleartext Combined (2) 

Server PIN 

Required 

No Server 

PIN 

Required 


No SerialNo+Password+OTP 

Separator? 

Normal login Yes N/A Password+PIN+OTP 


Set PIN No N/A Password+OTP+NewPIN+NewPIN 

Change PIN Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 2 Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP 

Normal login N/A N/A Password+OTP 

Changed Password N/A N/A Password+OTP 

Login Options 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

No SerialNo+Password+OTP 

Examples 

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::'. 

3-179-0987::pA192ss086382012341234 

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set. 

0031790987PA192ss0863820 


10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self-Assignment. 


10.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2 

The following table applies to the following case only: 

RADIUS using CHAP, MS-CHAP or MS-CHAP2 

EITHER the Stored Password Proxy feature is enabled 

OR Back-End Authentication is not enabled 

Table 57: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2 

Login Type Server PIN 

Required? 

Normal login Yes PIN+OTP 

No OTP 


10.1.8 2-Step Challenge/Response – Cleartext Combined Password Format 

The following table applies to the following cases: 

SOAP using Cleartext Combined password format 

Administration logins 

RADIUS using PAP 

IIS Modules 

Challenge/Response in RADIUS is only supported for PAP. 

The column Stored Password Proxy Off AND Back-End Auth. Required contains Yes when: 

The Stored Password Proxy feature is not enabled 

AND Back-End Authentication is enabled 

In most cases, this does not affect 2-Step Challenge/Response; just when a Keyword only is used. 

Login Options 


Table 58: Login Permutations – 2-Step Challenge/Response Cleartext Combined 

Login Type Serial Number Separator? 



Stored 

Password 

Proxy Off 

AND Back- 

End Auth. 

Required 3 

Login Options 

Pre-Challenge Response 

Normal login N/A Keyword Yes Keyword Password+OTP 

No Keyword OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Changed Password N/A Keyword N/A Keyword Password+OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Self-Assignment 4 Yes N/A N/A SerialNo+Sep.+Password OTP 

No N/A N/A SerialNo+Password OTP 

3 Back-End Authentication is required for Self-Assignment and Password Autolearn logins. 


10 characters with preceding zeroes. 


10.1.9 Virtual Digipass 

Login Options 

The 2-step Virtual Digipass login is possible when using a SOAP client, the RADIUS Access-Challenge mechanism 

or an IIS Module in form-based authentication mode. The static password is required in either the first or the 

second step, but not both. 

However, many RADIUS environments and IIS Module 'basic authentication' do not support the 2-step login 

process. If the 2-step login process is not possible, two separate 1-step logins are required. The second login must 

include the Password as well as the OTP, but it is not necessary to provide the Password in the first login, if only a 

Keyword is used. 

Using the Cleartext Combined password format, all inputs in the table below are entered into the Password field. 

Using the Cleartext Separate password format, the Keyword and/or Password are always entered into the Static 

Password field, while the OTP is entered into the OTP field. 

Table 59: Login Permutations – Virtual Digipass 

Login 

Type 

Normal 

login 

Changed 

Password 

Request Method 2-step login Two 1-step logins 

Step 1 Step 2 Step 1 Step 2 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 


11 Identikey Server Configuration Settings 

11.1 Identikey Server Configuration Wizard 

The Identikey Server Configuration Wizard runs in two different modes: 

First Time Mode 

Identikey Server Configuration Settings 

After the Identikey Server is installed, the Configuration Wizard needs to be run in First Time mode. This ensures 

that all necessary configuration to get the Identikey Server operational is accomplished as easily as possible. This 

mode creates the Identikey Server configuration file and initializes the data store with default data and the first 

administrator account. 

Afterwards, configuration settings can be managed using the Identikey Server Configuration utility. The data store 

can be managed using the Web Administration Interface and Digipass TCL Command-Line Administration. 

The Configuration Wizard starts up in First Time mode if the Identikey Server configuration file is not present. 

Maintenance Mode 

If the Identikey Server configuration file is present, the Configuration Wizard will start up in Maintenance mode. 

In Maintenance mode, an operations menu is available to carry out certain maintenance tasks that cannot be 

carried out with the day-to-day administration tools. These tasks are: 

Re-run Installation Wizard 

Change Server location 

Back Up Audit Messages - Back up Audit Message files or databases 

Rescue administrator - create a new administrator account 

Rescue Administration Client - create or modify an Administration Program client 

Install SSL server certificate 

Restore Default Policies and Reports 

11.2 Redeploy Administration Web Interface 

After running the Configuration Wizard or making changes to SSL certificate settings, the Administration Web 

Interface must be redeployed: 

1. Open a command line window. 

2. Navigate to the \webadmin directory. 

3. Delete the existing certificate from the keystore using the following command: 



java -jar admintool.jar certificate delete 

where is the location and file name of the keystore and is the 

password on the keystore. 

For example: 

java -jar admintool.jar certificate delete c:\Program Files\VASCO\Identikey 

3.1\webadmin\keystore.jks password1 

4. Add the new certificate that has been generated: 

java -jar admintool.jar certificate add 

where is the location and file name of the keystore, is the 

password on the keystore and is the certificate that was generated after re-running the 

configuration wizard. 

For example: 

java -jar admintool.jar certificate add c:\Program Files\VASCO\Identikey 

3.1\webadmin\ keystore.jks password1 c:\Program Files\VASCO\Identikey 

3.1\bin\ikeycerts.pem 

5. Restart the web server application. 


11.3 Identikey Server Configuration 


A Graphical User Interface (GUI) is available for use in configuring the Identikey Server. There are several sections 

in Identikey Server Configuration, which can be reached by clicking on the corresponding image on the left hand 

side. 

When settings are changed, click on the Apply or OK button to write them to the configuration file. Clicking OK also 

closes Identikey Server Configuration. 

Note 

A restart of the Identikey Server service or daemon is required after any change to Identikey 

Server configuration settings. When exiting the Configuration Wizard, you will be prompted to 

allow an automatic restart of the service. 

The Administration Web Interface must also be redeployed if any changes are made to the SSL 

certificate settings. This includes running the Configuration Wizard. See 11.2 Redeploy 

Administration Web Interface for instructions. 

11.3.1 Starting the Configuration GUI 

Windows 

To start the Identikey Server Configuration, click on the Start Button and select Programs -> VASCO ->Identikey 

Server -> Identikey Server Configuration. 

Linux 

To start the Identikey Server Configuration in graphical interface mode, open a command prompt and enter: 

vds_chroot /usr/sbin/ikconfigwizardgui 

To start the Identikey Server Configuration GUI in console mode, open a command prompt and enter: 

11.3.2 General Section 

vds_chroot /usr/sbin/ikconfigwizardconsole 

This section contains a few general settings 


11.3.2.1 Server Location 


The Server Location setting contains the licensed IP address for the Identikey Server. The Identikey Server uses 

this IP address to listen for SOAP and RADIUS requests. There must be a Identikey Server component record with 

this Location, containing a valid License Key. The setting is carried forward to the Communication Protocols 

pages. 

11.3.2.2 Administration Session Settings 

11.3.2.3 Tracing 

The following settings control the number and lifetime of administration sessions for this Identikey Server: 

Max Concurrent Sessions: the maximum number of concurrent administration sessions permitted. If this is set 

to 0, concurrent sessions will be unlimited. 

Max Session Time (seconds): the maximum allowed length of an administration session. There is no way to 

extend a session beyond this limit. 

Idle Timeout (seconds): the maximum length of time of inactivity allowed during a session, before the session 

it automatically terminated by the Identikey Server. 

To enable or disable tracing by Identikey Server: 

1. Select a Tracing option. 

2. Enter a path and filename for the tracing file into the File field. The file path entered must be the full absolute 

path. 

Note 

11.3.3 Communicators Section 

11.3.3.1 SOAP 

If the File field is left blank or the path does not exist, the Identikey Server will not output tracing. 

If the file does exist, tracing will be appended to the file. If the path is valid but the file does not 

exist, it will be created. 

This section contains settings for the Communicator modules (see the Structure of Identikey Server section in the 

Product Guide). 

The SOAP Communicator settings are: 


11.3.3.2 RADIUS 

11.3.3.3 SEAL 


Enable SOAP: whether to listen for and process SOAP requests or not. Note that the Identikey Server's License 

Key must enable SOAP for it to be enabled. 

IP Address: the IP address on which to listen for SOAP requests. This is read-only, as it must be the same as 

the licensed IP address for the Identikey Server. It can be changed in the General section using the Server 

Location setting (see 11.3.2.1 Server Location). 

Port: the port number on which to listen for SOAP requests. 

DPX File Upload Location: the directory in which DPX files uploaded using the SOAP administration interface 

will be stored by the Identikey Server. This is used by the Web Administration Interface. 

Server Certificate: the details for the SSL server certificate. The Certificate File address must be the address 

of a .pem file. 

Client Certificate: the details for the SSL client certificate. 

CA certificate store is the absolute address to the file that contains the approved CA list. See the SOAP 

SSL section in the Product Guide. 

Require Client Certificate indicates whether the client certificate is required to during SSL processing. See 

the SOAP SSL section in the Product Guide for further information. The valid values are: 

Never 

Optional 

Required 

Required - Signed Address Only 

Re-Verify on re-negotiation - see the SOAP SSL section in the Product Guide for more details. 

The RADIUS Communicator settings are: 

Enable RADIUS: whether to listen for and process RADIUS requests or not. Note that the Identikey Server's 

License Key must enable RADIUS for it to be enabled. 

IP Address: the IP address on which to listen for RADIUS requests. This is read-only, as it must be the same as 

the licensed IP address for the Identikey Server. It can be changed in the General section using the Server 

Location setting (see 11.3.2.1 Server Location). 

Authentication Port: the port number on which to listen for RADIUS Access-Requests. You may specify more 

than one port, using a comma-separated list. 

Accounting Port: the port number on which to listen for RADIUS Accounting-Requests. You may specify more 

than one port, using a comma-separated list. 

The SEAL Communicator settings are: 



Enable SEAL: whether to listen for and process SEAL requests or not. Note that SEAL does not need to be 

enabled in the Identikey Server's License Key. 

Caution 

Replication updates from other Identikey Servers are received by the SEAL Communicator. If you 

disable it, this Identikey Server will not be able to receive Replication updates. 

11.3.4 Scenarios Section 

Digipass TCL Command-Line Administration also uses SEAL to connect to the Identikey Server. 

IP Address: the IP address on which to listen for SEAL requests. This does not have to be the same as the 

licensed IP address for the Identikey Server. 

Port: the port number on which to listen for SEAL requests. 

DPX File Upload Location: the directory in which DPX files uploaded using the SEAL administration interface 

will be stored by the Identikey Server. This is used by the Web Administration Interface. 

Require administration client component registration: whether to use strict client component checking for 

SEAL administration logons or not. If this option is enabled, there must be an Administration Program client 

component record for every Location at which Digipass TCL Command-Line Administration runs and for every 

Location at which an Audit Viewer sets up a Live Connection to an Identikey Server. 

This section contains settings for the Scenario modules (see the Structure of Identikey Server section in the 

Product Guide). Some Scenario modules do not have specific settings except to enable or disable them, while 

others do have further settings. 

11.3.4.1 Authentication Scenario 

The only setting for this Scenario is to enable or disable it. Note that the Identikey Server's License Key must 

enable Authentication for it to be enabled. 

11.3.4.2 Signature Validation Scenario 

The only setting for this Scenario is to enable or disable it. Note that the Identikey Server's License Key must 

enable Signature for it to be enabled. 

11.3.4.3 Provisioning Scenario 

This Scenario has the following settings: 

Enable Provisioning: whether to process Provisioning requests or not. Note that the Identikey Server's License 

Key must enable Provisioning for it to be enabled. 



Min Intervals: the minimum length of time in minutes between activation attempts for a particular Digipass. 

Max Attempts: the total number of activation attempts (successful or unsuccessful) per Digipass. 

Max Locations: the maximum number of different locations at which a particular Digipass can be activated. 

This only applies where the location is specified as part of Provisioning (Digipass for Web). 

11.3.4.4 Administration Scenario 

The only setting for this Scenario is to enable or disable it. Note that no License Key is required for administration 

to be enabled. 

11.3.4.5 Reporting Scenario 

11.3.4.6 Audit Scenario 

This Scenario has the following settings: 

Enable Reporting: whether to process Reporting requests or not. Note that no License Key is required for 

reporting to be enabled. 

Source: the type of audit data source to use for report generation. UTF8 File and ODBC Database are the 

supported options. 

If UTF8 File is selected, the following settings are required: 

File Path: the full absolute path to the directory in which the audit text files can be found. Note that the 

search for audit files is not recursive - all files must be in this exact directory. 

Extension: the file extension that identifies which files in the File Path are audit files to be read. For 

example, .audit. 

If ODBC Database is selected, the following settings are required: 

DSN: the ODBC Data Source Name for the audit database. 

Username: the username with which to log into the audit database, if required. 

Password: the password to log into the audit database, if required. 

The only setting for this Scenario is to enable or disable it. Note that no License Key is required for the Audit 

Scenario to be enabled. 

When this Scenario is disabled, live connections from the Audit Viewer are not possible to this Identikey Server. 

11.3.4.7 Replication Scenario 

The only setting for this Scenario is to enable or disable it. Note that no License Key is required for administration 

to be enabled. 



When this Scenario is disabled, Replication updates sent to this Identikey Server will not be processed. 

11.3.4.8 Configuration Scenario 

This scenario allows configuration settings to be edited from the Administration Web Interface. 

The scenario may be enabled or disabled. No other settings are required. 

11.3.5 Engines Section 

This section allows you to set up custom Back-End Authentication Engine plug-in modules (see the Structure of 

Identikey Server section in the Product Guide and the Identikey Server SDK Guide). 

Click on the Add... button if you wish to add a new plug-in engine. The Add Plugin Engine window will be 

displayed. Select an engine and click on Edit... to change the settings for that engine. The Edit Plugin Window 

will be displayed. Both windows contain the same information. Add or edit the details as follows: 

1. Enter a Display Name for the engine (this will just be used in the Engines list). 

2. Enter a Library Path, indicating where the engine is kept. 

3. Enter a Protocol to be used when the engine is connecting to Identikey Server. 

4. Enter Custom Fields - the Name and Value of fields used to pass parameters into the back-end engine. 

They are entirely user-defined and the name and value are passed into the back-end engine as a string. 

To test the connection to the plug-in engine, select an engine and click Test. Enter the domain name, User Id and 

Password and click Authenticate. 

11.3.6 Storage Section 

This section contains settings to configure the Identikey Server data store. 

11.3.6.1 ODBC Data Sources 

The database(s) used to store data required by Identikey Server are listed in this tab. 

You may wish to add another database to this list if load-balancing or fail-over mechanisms need to be 

implemented. 

1. Click on the Add... button if you wish to add a new database or Edit... if you wish to modify the settings for 

an existing database. 

2. The Add New ODBC Data Source window will be displayed. 

3. Enter a Display Name for the data source (this will just be used in data source list). 

4. Enter the name (DSN) of the ODBC data source. 



5. Enter the Username and Password of a database administrator account with permissions to read, update, 

create and delete data used by Identikey Server (see 3.6 Database User Accounts). 

6. Click on the Test Connection button. 

If the information has been entered correctly, the test should be successful. 

7. Enter the minimum time the Identikey Server should wait before trying to reconnect to this data source (in 

seconds), after the connection has broken, into the Min Reconnect Interval (s). 

8. Enter the maximum time the Identikey Server should wait before retrying the connection to this data source 

into the Max Reconnect Interval (s). 

9. Click on the OK button to close the window. 


11.3.6.2 LDAP Data Sources 

11.3.6.3 Encryption 

Active Directory domains to which the Identikey Server can connect are listed in this tab. 


1. Click on the Add... button if you wish to add a new domain or Edit... if you wish to modify the settings for an 

existing domain. 

2. The Add LDAP Domain window will be displayed. 

3. Enter the Fully Qualified Domain Name for the domain. 

4. If required, enter the name of a server in the domain in the Preferred Server field. 

If a Preferred Server is specified, the Identikey Server will attempt to connect to it rather than the first 

available server in the domain. 

5. If the Identikey Server should only connect to the Preferred Server, tick the Preferred Server Only checkbox. 

6. To use an encrypted connection, tick the Encrypt Remote Connections checkbox. 

7. Enter a port number to use for unencrypted connections in the Unencrypted Port field. 

8. If the Encrypt Remote Connections checkbox is ticked, enter a port number to use for encrypted 

connections in the Encrypted Port field. 

9. Enter an integer in the Max. Bind Lifetime field. 

10. Click on the OK button to close the window. 

See 4 Sensitive Data Encryption for more information on encryption in the Identikey Server data store. All Identikey 

Servers must share the same encryption settings. 

To modify encryption settings for the first Identikey Server: 

1. If required, enter a custom encryption key in the Storage Key field. This must consist of 32 hex digits. The 

Storage Key is used to derive a unique encryption key for your installation. 

Caution 

If you change from having no Storage Key to having a Storage Key specified, all Digipass records 

already in the data store will be invalidated. They will need to be deleted and re-imported. 

However, Passwords and Shared Secrets in the data store will still be valid (they will be 

converted to the new Storage Key when they are next updated). 

If you change from one Storage Key to a different Storage Key, all Digipass records, Passwords 

and Shared Secrets in the data store will be invalidated, and will have to be re-entered. 

2. If required, select an encryption algorithm from the Cipher Name drop down list. The available algorithms are 

aes256 (AES), des_ede (Triple DES) and des_ede3 (Triple DES with 3 keys). 



If you have any other Identikey Servers, you need to export the new encryption settings and import them into 

the other Identikey Servers. 

3. Click on Export... 

4. Browse to a directory in which to create an encryption settings file. 

5. Enter a file name to export the settings to. 


7. Enter a password to protect the Storage Key. 


For each other Identikey Server, launch the Identikey Server Configuration utility and open the Encryption 

tab: 

9. Click on Import... 

10. Browse to the encryption settings file. 


12. Enter the required password. 


11.3.6.4 Advanced Configuration Settings 

This tab contains settings related to database connection management, as well as User ID and Domain handling. 

While the top two settings are stored in the Identikey Server configuration file, the other settings are stored inside 

the database itself, in the Control table. Each database has its own Control table, so those settings may need to be 

modified in more than one database. 

See 3.7 Database Connection Handling for more details about the connection management settings. 

Data Source-Independent Connection Settings 

The following settings are not specific to a data source, but relate to the handling of connections to all data 

sources: 

Connection Wait Time (ms): the time in milliseconds to wait for a database connection to become available 

when processing a command, before giving up and failing the request. 

Enable Load Sharing: whether to use the extra data sources (after the first one) when the first one is busy 

(enabled), or only when it cannot be contacted (disabled). 

Data Source-Specific Connection Settings 

The following settings are specific to each data source and can be configured differently in each if required. Use 

the Data Source Connection drop-down to view and edit the settings for each data source. 

Max Connections: the maximum number of connections to establish to this data source. 

Idle Timeout (seconds): the maximum time for which a connection can be idle before it is closed. 


User ID and Domain Settings 


The following settings are stored in the Control table and are therefore configured in each data source separately. 

However, they should normally be the same in each data source. You will have to make sure that they are 

configured in each data source, as there is no automatic replication of these settings. 

User ID Conversion / Case 

Use Windows User Name Resolution 

Master Domain 

They are explained in more detail below: 

User ID Conversion 

The case in which the Identikey Server will save and retrieve User IDs will depend on: 

The capabilities and settings of the database used as the data store for the Identikey Server. Your database 

may require case sensitivity in queries, or may store all data in lower or upper case. 

Configuration settings for the Identikey Server. 

The Identikey Server may be configured to save and retrieve User IDs and domain names in: 

Lower case 

Upper case 

No conversion – data is saved or searched on exactly as entered. 

The default configuration setting for the Identikey Server when using an embedded database is Convert to Lower. 

When using another ODBC database, the default is No Conversion. 

Caution 

Before changing the configuration setting, you need to make sure that existing User IDs and 

Domain names will not be invalidated by the new setting, or that they are deleted before the 

setting is changed. For example, if the current setting is No Conversion and you change to 

Convert to Lower, a User ID “TestUser” would become invalid. This Digipass User account must 

be deleted before changing the Case Conversion setting. 

Typically, this setting should be changed shortly after installation, so you do not have to deal 

with a lot of existing Digipass User account and Domain records. 

If you want to move from Convert to Lower to Convert to Upper, or vice versa, it will be necessary 

to make the change in two steps, via No Conversion. While the setting is No Conversion, upper or 

lower case User IDs and Domains can be created and deleted as necessary. 

This is especially important for the Master Domain name. The default Master Domain “master” 

will become invalid if you change to Convert to Upper. Therefore, you will need to create a new 

Domain with an upper case name and make it the Master Domain, while the Case Conversion 



setting is No Conversion. See Master Domain below for instructions to change the Master 

Domain. 

To modify the Case Conversion setting for the Identikey Server: 

1. Select a data source from the list. 

2. If you wish the Identikey Server to convert User IDs to upper or lower case, select Convert to Upper or 

Convert to Lower from the Case drop down list. 

To leave User IDs and domains as they are entered, select No Conversion. 


4. The same setting must be applied in each database for each Identikey Server. This setting change is not 

replicated automatically to other databases. 

Windows User Name Resolution 

Identikey Server can use Windows functions to identify User IDs as Windows User accounts. This may be required 

if Windows is used as the back-end authenticator for Identikey Server. 

1. Select a data source from the list. 

2. To have the Identikey Server look up a User ID with Windows to find the SAM-Account-Name for the account 

and Fully Qualified Domain Name, tick the Use Windows User Name Resolution checkbox. 




Master Domain 

The Master Domain is used as a default Domain as well as having special significance for administrative access. 

For more details, see 3.5.1.1 Master Domain. 

To modify the domain used as the Master Domain: 

1. If the new Master Domain does not already have a Domain record, create the new Domain using the Web 

Administration Interface. 

2. Make sure there is an administrator account in the new Master Domain that has Set Administrative 

Privileges permission. 

3. In the Advanced Settings tab of the Storage section in Identikey Server Configuration, select a data source 

from the list. 

4. Modify the name in the Master Domain field. 


11.3.7 Auditing 


Caution 

Ensure that the name of the Master Domain is set to the correct case, as required by the Case 

Conversion setting. For example, if the Case Conversion setting is Convert to Lower, the Master 

Domain name must be all lower case. 




7. Click Apply or OK to make sure all changes are committed. 

8. Login to the Web Administration Interface as the administrator account identified in step 2. Give this account 

any privileges that it requires that are missing. You will need to log off and on again as this account for the 

new privileges to take effect. 

9. Delete the original 'master' domain if no longer required. 

Note 

All User accounts must be deleted from a domain before the domain record can be deleted. 

To view or edit auditing settings, use the Auditing section. For more information about setting up auditing, see 14 

Auditing. 

Enable or Disable an Audit Method 

Use the checkbox next to the Display Name of the required Audit Method in the list. 

Add an Audit Method 

1. Click on the Add... button. 

2. Select a Plug-in type from the drop down list. 


The Plugin window will be displayed. 

4. Enter a name to use for display purposes in the Display Name field. 

5. Tick the Reject audit message if this method fails checkbox if you want the Identikey Server to return an 

error if it fails to record an auditing message. 

6. Tick the Record audit message if no other audit method has recorded it checkbox if messages should only 

be logged by this auditing plug-in if they have not been previously logged by any other plug-in. 


7. Select one or more audit message types to be logged by this plug-in: 

Error 

Warning 

Information 

Success 

Failure 

8. Enter the Text file settings. 

Enter the address of the log file 

Check the Always keep file open checkbox if required. 

Check the Use GMT/UTC checkbox if required. 


Check the Allow multiple lines in file checkbox if multiple lines of messages are required, instead of one 

long line of concatenated messages. 


Edit an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Edit... button. 

The Plug-In window will be displayed. 

3. Make the required changes. 


5. Click on Apply. 

Delete an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Delete button. 

The record will be deleted. 

11.3.8 Replication Section 

This section contains settings related to the sending of Replication updates to other Identikey Servers. 

Note 

For more information about setting up replication on your system, see 17 

Replication. 


11.3.8.1 Enable Replication 

To configure the current Identikey Server to replicate data to other Identikey Servers: 

1. Click on Edit. 

11.3.8.2 Source Server 

2. Tick the Enable Replication checkbox. 

Define a source server to be replicated: 

1. Enter the IP address of the source server. 


2. Enter the minimum number of seconds the system should wait before trying to reconnect to this server. 

3. Enter the maximum number of seconds the system should wait before trying to reconnect to this server. 

11.3.8.3 Destination Server 

11.3.8.4 Queue 

1. Click on the Create button under the Destination Servers heading. 

2. Enter a display name for the destination Identikey Server. 

3. Enter the IP address and port to use in connecting to the Identikey Server. This must normally correspond to 

the IP Address and Port settings in the SEAL Communicator section of the destination Identikey Server's 

configuration. However, if Network Address Translation is active between the two Identikey Servers, be 

careful to select the correct IP address and port that will reach the Identikey Server. 


The replication queue files hold data that is yet to be replicated on to other Identikey Servers. 

1. If you wish to change the location of the replication queue files, modify the File Path field. This directory 

must already exist. 

2. Set a Max File Size (Mb) for each queue file (there is one per Destination Server). If the file reaches this size, 

replication queue entries will no longer be writeable to the file, and the Identikey Server will cease processing 

requests that result in a database update. 

3. The maximum number of retries specifies how many times the Identikey Server should attempt to resend 

entries in the replication queue that failed at the destination server. Enter a number in the Max Retries field. 

4. The retry interval specifies how long the Identikey Server should wait before attempting to resend entries in 

the replication queue that failed at the destination server. Enter a number of seconds in the Retry Interval 

field. 


11.3.9 Configuration File 


Identikey Server Configuration writes to an XML file named identikeyconfig.xml in the install/bin directory for 

Windows, or the chroot envrionment in Linux. It is possible to edit this file directly instead of using Identikey Server 

Configuration, but is not recommended. 

For Windows you will need to restart the Identikey Server Service using the Windows Service Control Manager after 

editing and saving the file, before the changes will take effect. 

To enter the chroot environment in Linux enter: 

vds_chroot /bin/bash 

is /opt/vasco/identikey by default. 

Note 

The configuration file is UTF-8 encoded – do not put any non-UTF-8 characters into the file. 

The XML tag names in the configuration file are case-sensitive. 

11.3.9.1 Windows - Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 




 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

11.3.9.2 Linux Example Configuration File 

 

- 

- 


 

 

- 

 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

 

 

- 

- 

 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

- 

 

 

 




 

 

 

 

 

- 

 

 

 

 

 

 

 

- 

- 

 

 

 

- 

- 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

- 


 

 

- 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

- 

- 

 

 

 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

- 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 



11.4 Command Line Options 


The Identikey Server is started via a single executable file named ikeyserver.exe (Windows) or ikeyserver (Linux). 

This command is rarely executed by the Administrator as it is automatically executed when the server on which 

Identikey Server has been installed is started up. The Identikey Server is started via an operating system specific 

framework used to start and stop services (Windows) or daemons (Linux). 

Command line options can be used to override the Identikey Server configuration file and run Identikey Server with 

a custom configuration file. 

11.4.1 Windows Service Control Manager 

Under Windows the Identikey Server is started using the Windows Service Control Manager (SCM). The SCM 

allows services to be started, stopped, and paused. The SCM also allows the passing of command line 

parameters. The SCM is accessed via the Services icon on the control panel. Command line parameters may be 

passed to the Identikey Server service by double-clicking on the Identikey Server service in the services window 

and then entering the parameters in the Start Parameters field under the General tab. 

11.4.2 Linux Runtime Configuration 

Under Linux the Identikey Server is started as a Daemon by the invocation of a Linux shell script that is run 

automatically as part of the Linux runtime configuration framework. All runtime configuration scripts allow 

daemons to be started, stopped and paused. Command line parameters may be specified by modifying the 

runtime confugration script for the intended daemon. 

11.4.3 Running Identikey Server with Command Line Options 

11.4.3.1 Command Line Option flags 

Issuing the command 'ikeyserver –help' either in a Windows command line instance or under a Linux shell prompt 

will display the following: 

Flags: 

-d, --debug Run Identikey Server in debug mode 

-h, --help Display this help message 

-c, --config=CONFIG_FILENAME Optional argument used to override the configuration file which is used by the 



11.4.3.2 Windows 

11.4.3.3 Linux 

Note 


The Configuration GUI will only modify the default configuration file. If the Identikey Server has 

been started using an alternate configuration file, its configuration settings can only be altered by 

editing the file in a text editor. 

To run Identikey Server with command line options Identikey Server will have to be run in debug mode. This allows 

the Identikey Server executable to be run from the Windows command line. To run Identikey Server in debug 

mode, follow the instructions above in 11.4.1 Windows Service Control Manager pass the command line 

parameter -d to the Windows service. 

Under Linux it is not mandatory that the Identikey Server is run under the debug mode when it is invoked from the 

command line. 

11.5 Identikey Server Web Administration Configuration 

11.5.1 List 

11.5.1.1 Location 

Configuration may be performed via the Identikey Server Web Administration. Click on the System tab for a drop 

down menu. Use the Web Administration Online Help for detailed on each page. 

Select the List menu item to display a list of Identikey Servers. 

The Location setting contains the licensed IP address for the Identikey Server. The Identikey Server uses this IP 

address to listen for SOAP and RADIUS requests. There must be an Identikey Server component record with this 

Location, containing a valid License Key. The component location is carried forward to the Communication 

Protocols pages. 

Click the Location to change the IP address for the Identikey Server and the base policy. 

Click Edit on the Summary tab to change the policy ID. Click the License tab to change the license details. 


11.5.1.2 Identikey Server Name 

Clicking on the Identikey Server Name will allow changes to the following settings: 

Policy 

User 

Digipass 

Challenge 

Virtual Digipass 

Digipass Control Parameters 

11.5.2 Add Identikey Server 

11.5.3 Server Status 

11.5.3.1 Replication 

11.5.3.2 Admin Session 

Use this tab to add another Identikey Server. 

Use this tab to get the Replication Status of nominated Identikey Servers. 

Use this tab to manage Administration sessions. 

11.5.4 Server Configuration 


The tabs shown when you click on Server Configuration correspond to the headings in . 11.3.2 General Section 

The tabs comprise: 

General 

Audit 

Amend the Audit Settings. 

Storage 

Communicators 

Replication 


Scenarios 



11.6 Web Administration Setup Tool 

11.6.1 Overview 


The Web Administration Setup Tool is a Java application that allows the management of Identikey Server 

connections and SSL certificate usage in the Administration Web Interface. Java Runtime Environment is required 

in order to run this tool. 

The Web Administration Setup Tool stores its information using the Java preferences API. On Windows, it uses the 

Windows registry. On Linux, it uses the running user's file system, and is stored in the java/.userPrefs directory. 

User Account 

The user that runs the web server application should be the same user running the Web Administration Setup Tool 

under Linux, otherwise changes will not be reconciled in the Administration Web Interface. 

Note 

11.6.2 Running the Application 

Windows 

Any changes made with the Web Administration Setup Tool will not take effect until the 

Administration Web Interface and the web server application have been restarted. 

1. Open a command prompt. 

2. Navigate to the directory in which the Java executable is located. 

3. Enter the following command: 

Linux 

java -jar admintool.jar 

1. Open a command prompt. 

2. Enter the following commands: 


java -jar admintool.jar 


Note 


The vds_chroot command will enter you into the chroot environment. This is necessary for all 

Setup Tool commands. 

To exit the chroot environment, enter: 

exit 

11.6.3 Available Commands 

The commands should be in the following format: 

java -jar admintool.jar [options] 

The following commands are available: 

Setup Tool Command Explanation 

autoadd 

 

Creates a new Identikey Server connection for the Administration Web 

Interface. 

If a certificate archive and password is specified, the Identikey Server's SSL 

certificate will be added to it. If no certificate archive is specified, it will be 

added to the existing keystore. 

A connection limit (number of concurrent connections to allow) and 

connection timeout may also be specified. 

server list List the available Identikey SOAP servers 

server add 

 

Add a new Identikey Server connection. 

A connection limit (number of concurrent connections to allow) and 

connection timeout may also be specified. 

server delete Remove an existing Identikey Server 

server default Set the specified Identikey SOAP server as the default 

server localaddress 

Specify a local IP address to specify when connecting to the provided server 

name. 

certificate list Displays the list of certificate alias which are in the used certificate archive 

certificate list 

 

certificate add 

 

certificate delete 

 

certificate delete 

 

Displays the list of certificate alias which are in the specifiedcertificate 

archive (opened using the specified passphrase) 

Installs the certificate into an existing or new certificate archive using the 

provided passphrase and alias the certificate using the provided name. 

Removes the certificate with the specified alias from the provided 

Removes the certificate with the default alias "IdentikeyServer" certificate 

archive using the provided password. 


Setup Tool Command Explanation 

autoadd 

11.6.4 Command Usage Examples 

11.6.4.1 Adding an Identikey Server and SSL Certificate 


Combines the functionality of the server add and certificate add commands 

and automates the retrieval of the certificate from the Identikey Server. 

The following command will add an Identikey Server and add the Identikey Server's certificate to the keystore: 

java -jar admintool.jar autoadd 

where is the display name of the Identikey Server, is the address and port number of the Identikey 

Server, is the location and file name of the keystore and is the 

password on the keystore. 

Example 

java -jar admintool.jar autoadd IKServer1 https://192.168.1.1:8888 

etc/vasco/keystore.jks password1 

will create a new Identikey Server record which will be displayed in the Web Administration application using the 

name “IKServer1” and will connect to the Identikey SOAP communicator using http – using SSL - at address 

192.168.1.1 and port 8888. It will add the Identikey Server's SSL certificate to the keystore specified. 

NOTE 

Protocol strings must be provided (http or https for SSL connections). 

Server creation can be verified by running the following command: 

java -jar admintool.jar server list 

which will display the current list of servers. 

NOTE 

The server name and url must both be unique. Attempting to add another server with a different 

name and the same url will fail. Adding a server with the same name and different url will 

overwrite the existing entry for the Identikey Server of that name. 


11.6.4.2 Adding an Identikey Server 


The following command will add an Identikey Server only, without adding a certificate to the keystore: 

java -jar admintool.jar server add 

where is the display name of the Identikey Server and is the address and port number of the 


Example 

java -jar admintool.jar server add IKServer1 http://192.168.1.1:8888 

will create a new Identikey Server record which will be displayed in the Web Administration application using the 

name “IKServer1” and will connect to the Identikey SOAP communicator using http at address 192.168.1.1 and 

port 8888. 

11.6.4.3 Adding an SSL Certificate 

To connect to an Identikey Server which is using an SSL connection, the server's certificate must be added to the 

Web Administration application's certificate archive. If this is not done while adding an Identikey Server using the 

autoadd command, it can be done by executing the 

The certificate used by the Identikey Server is usually created with the filename “ikeycerts.pem” and located in : 

Windows - \vasco\Identikey Server\bin 

Linux - /etc/vasco 

To add this certificate to the Web Administration application's certificate archive, run the following command: 

java -jar admintool.jar certificate add 

 

where is the file path and name of the certificate archive, is the certificate 

archive password and is the file path and name of the SSL certificate to add to the 

certificate archive. 

Example 

or 

java -jar admintool.jar certificate add /etc/vasco/keystore.jks password1 

/etc/vasco/ikeycerts.pem 

java -jar admintool.jar certificate add \vasco\Identikey 

Server\bin\keystore.jks password1 \vasco\Identikey 

Server\bin\ikeycerts.pem 

will add the ikeycerts.pem certificate to the specified certificate archive keystore.jks, using the certificate archive 

password password1. 


NOTE 


Ensure that the connection url to the server is updated - https should be used rather than http. 


11.7 Message Delivery Component Configuration 

11.7.1 Required Information 

To configure gateway settings you will need: 

Gateway details: 

OR 

Protocol to use in connecting to the gateway. 

An address string and port to use in connecting to the gateway. 

The path and filename of a certificate file, if required. 

The required Query String. 

The Query Method (GET or POST) required by the gateway. 


A customized configuration file ordered from your VASCO supplier. This will need to be imported using the 

Configuration GUI. 

Username and password for the gateway account. 

11.7.2 MDC Configuration GUI 

A Graphical User Interface (GUI) is available for use in configuring the MDC in Windows installations. To open the 

MDC Configuration GUI, click on the Start Button and select Programs -> VASCO -> Identikey Server -> Virtual 

Digipass MDC Configuration. 

Note 

The MDC must be restarted after any change is made in the Configuration GUI or configuration 

file. 

If using the MDC on a Linux system, the configuration file can be found in etc/vasco/mdcconfig.xml. 

11.7.2.1 Modify Gateway Account Login Details 

The MDC needs a Username and password for the gateway in order to send text messages through it. Modify the 

Username if needed and change the Password and Confirm Password fields if required. The Password and Confirm 

Password fields must contain identical data. 


11.7.2.2 Configure Internet Connection Details 

Enable or disable the use of an HTTP Proxy and enter details if required. 


1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy checkbox. 

2. If required, enter an IP address, port and timeout for the HTTP Proxy. 

3. Enter a maximum number of internet connections to allow in the Max. Connections field. 

11.7.2.3 Configure Tracing 

The MDC makes use of a trace file to record information about events that occur on the system, for use in 

troubleshooting. This could include generic information, changing conditions, or problems and errors that have 

been encountered. 

The level of tracing that the MDC employs depends on its configuration settings. 

Caution 

Enabling Full Tracing should only be done for troubleshooting purposes. There are no limits set 

on the size of the tracing file, so if the option is left on too long on a high-load system the file 

may dramatically slow down or crash Windows, due to excessive I/O or filling up the hard drive. 

This is not highly likely for MDC, but should be considered. 

Because there are no size limitations set on the trace file, it is not recommended that you have tracing permanently 

enabled. If your system is set up with Basic Tracing always enabled, ensure that the file size does not cause 

problems by deleting or archiving it whenever it gets too large. 

Basic tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Full tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Informational messages [INFOR] 

Data tracing messages [DATA] 


Debugging messages (useful for support purposes) [DEBUG] 

Security messages, messages that may contain security sensitive data [SECUR] 

Turn Tracing On or Off 

1. Select a Tracing option. 


2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the tracing file into the File 

Name field. 

The file path entered must be the full absolute path. 

Note 

If the File Name field is left blank or the file path does not exist, the MDC will not output tracing. 

If the file does exist, tracing will be appended to the file. If it does not exist, it will be created. 

11.7.2.4 Import HTTP Gateway settings 

Import a customized configuration file ordered from your VASCO supplier, containing the configuration details for 

your gateway needed by the MDC. 

1. Click on the Gateway Settings tab. 

2. Enter a name for the gateway. 

3. Click on Import Settings. 

4. Select a file from the Browse window. 


The import progress will be displayed. 


11.7.2.5 Edit Advanced Settings 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Select a protocol to use in connecting to the gateway from the Protocol drop down list (typically HTTP). 

4. Enter an address string to use in connecting to the gateway in the Address field. 

5. Enter a port in the Port field (typically 80 for HTTP connections). 

6. Enter the path and filename of a certificate file if required. 

7. Modify the Query String field if required. 


Example Query String: 

username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message=[otp_msg] 

8. Select a Query Method according to what the gateway requires (typically POST). 

11.7.2.6 Export HTTP Gateway settings 


Once you have entered the necessary gateway configuration information into the Configuration GUI, you may wish 

to export the settings into a file for backup purposes or to transfer to another server. 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Click on Export Settings. 

4. Select a directory from the Browse window. 

5. Enter a filename. 


The export progress will be displayed. 

11.7.2.7 Gateway Result Pages 

A result page is returned by the gateway service when a text message is submitted by the GET or POST methods. 

This page would normally be a HTML formatted page containing specific error codes and/or additional messages 

for success/failure. 

Three types of result messages are generally categorized as: 

Information 

Success of message delivery (the message has been accepted by the server) 

Warning 

The submission/delivery failed, but it is most likely a specific error only affecting this User. The User’s login will fail 

on the first step. Possible causes are: 

Error 

Phone number invalid 

Temporary gateway failure 

Error(s) occurred while attempting delivery. This means that the delivery failed for a particular User, but the error 

might be affecting all Users. In this case, the User’s login will fail immediately. Possible such errors are: 

Account data incorrect (Account User or password wrong) 


Account credit expired (for a pre-paid gateway account) 

Communication error with gateway (network error) 

Other permanent gateway errors 

Audit Console Logging 


A gateway result page can be recognized by key words and phrases, and an alternate message created for logging 

to the audit console whenever the result is received. Variables can be extracted from the result page and used in 

the log message to provide extra information. 

Result Page Rules 

The result page rule patterns use the following syntax: 

[Var-Name1] [] [Var-Name2] … 

Where the template is constructed in the following way: 

: a character string which must be matched in the page returned by the gateway. Note that 

multiple can appear in a single template, but they must not be overlapping. Matching is casesensitive. 

[]: Omits a variable part of the result page between two segments, when matching a template. 

This can be useful to ignore arbitrary data or time/date data in the returned web page. 

[Var-Namex]: Describes a segment of the result page between two segments or at the end of the 

result page, which will be written to a variable. Usually this will be data that can provide more detailed 

information why a particular message submission has failed. The variable name inside the [] brackets can then 

be used as part of the audit message template to create a meaningful message. 

Example 

If the server returns the following result page 

“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.” 

for successful transmission, or 

“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short” 

for an unsuccessful submission, then the following result page rules can be configured: 

Message Rule Name: Success 

Message Rule Pattern: successful at [DateTime], status: [Status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

Message Rule Name: Warning 

Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message] 

Variables retrieved: DateTimeMessage 

Message Rule Name: Error 

Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message] 


Variables retrieved: DateTimeStatusMessage 


No Match Available If no Rule matches a Result page returned, an error will be logged to the Audit Console, 

reporting that the result page returned from the gateway could not be matched. 

Ordering Rules The order of the result page template in the configuration data can be used to match more specific 

messages first and finally catch any “other” message, which the gateway might send. 

Audit message template 

Once a result page template a matched, a corresponding audit message is constructed with the variables retrieved 

from the result page rule. 

The message template will use the following syntax: 

[VAR-Name1] [Var-Name2] … 

: a character string which will appear literally in the constructed audit message. 

[Var-Namex]: Variable which is derived from the matched variables from the corresponding result page 

template. 

The following variables are predefined and can be used in the audit message template: 

Table 60: MDC Audit Message Variables 

[otp_dest] The destination address (a mobile phone number) the OTP was sent to. 

[otp_msg] The message that was submitted. This variable will also contain the OTP, so should not be used for the 

construction of audit messages. 

[acc_user] Account name for the gateway.Not recommended for use in audit messages. 

[acc_pwd] Account password for the gateway.Not recommended for use in audit messages. 

[Username] the User ID of the User requesting the OTP 

Examples of variable use: 

Insufficient credit on account [acc_user] when sending to [username] 

Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message] 

Modify a Gateway Result Message Rule 

Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked. 

1. Click on the Gateway Results tab. 

2. Select a Rule to modify. 


4. Make any required changes. 



Add a Gateway Result Message Rule 

1. Click on the Gateway Results tab. 

2. Click on Add. 

3. Enter a descriptive name for the Rule in the Description field. 


4. Enter the full text or a partial match of the text displayed by the gateway in the Matching Pattern field. 

5. Select an Audit Message Level for the Rule. 

Each level of message will be displayed with a different color background in the Audit Console. 

Info – normal 

Warning – yellow 

Error – red 

6. Enter the message text you wish the User to see into the Message Text field. 



11.7.3 MDC Configuration File 


The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install\bin (Windows) or etc/vasco 

(Linux) directory. It is possible to edit this file directly instead of using the MDC Configuration GUI. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

Caution 

The configuration file is UTF8 encoded. Non-UTF8 encoded characters should not be added to 

the configuration file, or it will not load. 


11.7.4 Configuration Settings 

The table below lists the options, their default values, and a brief explanation of each. 

Table 61: Message Delivery Component Configuration Settings 

Option Name Config. GUI 

Field 

General tab 

Gateway/ 

ProxyIP 

Gateway/ 

ProxyPort 

Gateway/ 

Timeout 

Gateway/ 

MaxConnections 

Tracing/ 

TraceFile 

Tracing/ 

TraceMask 

Gateway-Acnt/ 

Username 

Gateway-Acnt/ 

Password 

Gateway Settings tab 

Gateway/ 

Description 

Gateway/ 

HTTPMethod 

Default Value Notes 


Proxy IP IP address of the HTTP proxy used by the MDC to contact the HTTP 

gateway. This can be used when the firewall settings do not allow a 

direct connection.Empty - no proxy being used. Data type: String with 

valid IP4 address 

Port Port number to contact the HTTP proxy on.Must be supplied if the 

ProxyIP setting is used. Data type: Integer with valid Port address (1- 

65535) 

Proxy Timeout 30 Time in seconds that the MDC will wait on a response from the 

HTTP/gateway. Data type: integer 

Max 

Connections 

10 Maximum allowed number of concurrent connections to the HTTP 

gateway. Data type: Integer (1-100) 

File Name The file that tracing output should be written to using the absolute 

path and file name. Data type: String 

Tracing 0 The tracemask specifies how much tracing is done. 

0 – no tracing 

1 – basic tracing 

2 – full tracing 

Data type: Integer 

(General 

tab)Username 

(General 

tab)Password & 

Confirm 

Password 

Gateway/ URL Protocol and 

Address 

 

 

Sets the account Username the HTTP gateway. The given value will be 

used as content for the variable [acc_User] in the query string. Data 

type: String 

Sets the account password the HTTP gateway. The given value will be 

used as content for the variable [acc_pwd] in the query string. Data 

type: String 

Gateway Name This is an informational field, naming or describing the HTTP gateway. 

It can be set to provide a description for a particular service, but is 

ignored by the MDC. Data type: String 

Query Method POST Designates either the GET or POST method for use in transferring 

account and message data to the HTTP/HTTPS gateway. Data type: 

String (“GET” or “POST”) 

 

Required parameter.Sets the URL to the HTTP gateway. The address 

should not contain any variables, but is should contain the protocol 



Field 

Gateway/ 

HTTPQuery 

Gateway/ 

CertFile 

Gateway Results tab 

Results/ 

Resultnn/ Name 

Results/ 

Resultnn/ 

Pagematch 

Results/ 

Resultnn/ 

MsgType 

Query String 

Certificate File .\curl-cabundle.crt 



identifier. Note: the protocol identifier of “https://” can be used to 

SSL-encrypt the link between the MDC and the HTTP gateway. In this 

case it is required to specify a filename where the server certificates 

can be found. Data type: String 

Required parameter.Defines the query string which will be submitted 

to the http server, either using POST or GET (as specified by HttpGw- 

Method). This string must contain all required variables that are 

expected by the HTTP gateway. Contained in the query string must be 

the following parameters which will be set by the MDC before 

submitting the query: 

[acc_user] specifies the account name for the gateway which will be 

used to submit the information§ 

[acc_pwd]password for the gateway account specified by the 

[Username] parameters§ 

[otp_msg]specifies the part of the query string, where the OTP 

message will be substituted§ 

[otp_dest]specifies the part of the query string, where the destination 

for the OTP (usually the mobile phone number) will be substituted.The 

query string should also incorporate any other parameters which 

might be expected by the gateway. 

Example: 

Data type: String 

When using the HTTPS protocol, the server certificate file is used to 

authenticate the message gateway and to derive the data encryption 

keys. It can contain either one or multiple server certificates.The file 

needs to be PEM-encoded,X.509 compliant certificate.It can be 

created by exporting the required Root CA from any browser (eg. 

Internet Explorer) using the base-64 format - equivalent to PEM. Data 

type: String 

Description Name of this entry, as displayed by the MDC Configuration GUI. This 

field has no functional meaning. Data type: String 

Matching 

Pattern 

Audit Message 

Level 

 

Result Page Template to match the result page returned by the HTTP 

service. If this template is matched, the corresponding audit message 

is composed and returned to the Identikey Server Audit message. 

Data type: String 

2 Type of message to appear in the audit log: 

0 INFO – informational message (login on) 

1 WARNING – warning message (login fails) 

2 ERROR – error message (login fails) 

Data type: Integer (0-2) 



Field 

Results/ 

Resultnn/ 

Message 

Message Text 



Audit Message Template for the message to be compiled and sent 

back to the Identikey Server. The message is returned as Information, 

Warning or Error, depending on the MsgType parameter in the same 

section. Includes [variable] options. Data type: String 


11.8 Digipass TCL Command Line Utility 


The Digipass Command Line Utility uses an xml file to store necessary configuration settings. This file can be found 

at \Bin\dpadmincmd.xml (Windows) or /etc/vasco/dpadmincmd.xml (Linux). 

If the TCL Command Line Utility is being used on the server machine, the xml file will be created by the wizard. If 

the TCL Command Line Utility is not being used on the server machine, you will have to create the XML file using 

the template provided at \Bin\dpadmincmd.tmpl (Windows) or /etc/vasco/dpadmincmd.tmpl 

(Linux), and replace: 

the trace file 

the local address 

connection 00 - the IP address of the remote server 

11.8.1 Sample Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Port type="unsigned" data="20003" /> 

 

 


 

 

 

 



12 Identikey Server Advanced Setup 

12.1 Create Organizational Structure 

12.1.1 Domains 

Identikey Server Advanced Setup 

The creation of the organizational structure is only applicable where Identikey Server uses an ODBC database as its 

data store. If it uses Active Directory, it will utilise the existing Active Directory organizational structure. 

Domains can be used to divide administration between specific organizational divisions, where some 

administrators should only have access to a single group of users rather than all. They may mirror actual domains 

in the corporate network. 

Master Domain 

Identikey Server installation creates a master domain – named Master by default – in the data store. This domain 

can be used to allow global administration and store unallocated Digipass records. Any administrators whose 

Digipass User record is in the Master Domain may act as global administrators. 

12.1.1.2 Create a New Domain 

Pre-requisites 

The global administrator account used for this process must have at least these privileges: 

Admin Logon 

Access Data in all domains 

Create domain 

View domain 

Instructions 

1. Log on to the Administration Web Interface with a global administrator account. 

2. Click on Organization-> Add domain 

3. Enter a Domain name. 

4. If desired, enter a description for the domain. 

5. Click on Create. 


12.1.2 Organizational Units 

12.1.2.1 Create an Organizational Unit 

Org units in IK3.1 are mainly used to organize users and Digipass. 

To create an org unit in a domain: 

1. Open the Administration Web Interface. 

2. Click on Organization->List 

3. Locate the domain in which to place the organizational unit. 

4. View details of the selected domain 

5. Click on Add Org. Unit 

6. Enter a name for the organizational unit. 


7. Select a parent organizational unit, if applicable. This will locate the new organizational unit as a child of the 

selected one. 

8. If desired, enter a description for the new organizational unit. 


12.1.3 Administrators 

There are two basic types of administrators. 

Global administrators 

Global administrators are not restricted by domain, and can read and/or write data regardless of the domain to 

which it belongs. 

Delegated administrators 

This type of administrator is restricted to administration of data in the domain in which the account is located. 

12.1.3.1 Create a Delegated Administrator 

This task implies defining and assigning for each of the newly added domains an admin user who will perform user 

and Digipass administration. In case of delegated administration, administration will be performed by a domain 

specific administrator. A domain specific admin user will be part of his domain. 

For each domain, an administrator has to be created and administrative rights assigned. 

To create an admin user: 



2. Go to Users -> Create 


3. Enter a User ID and domain for the administrator. They will be restricted to User and Digipass administration 

in this domain. 


5. Click on the Click here to manage link. 

6. Click on Admin Privileges. 


8. Assign the necessary user and Digipass admin privileges by selecting the privilege name and clicking the > 

button. 

9. When complete, click on Save. 

12.1.3.2 Create a Global Administrator 

Global administrator accounts are created in the master domain, and the administrative privileges assigned them 

apply throughout all domains. To create a global administrator: 


2. Click on Users -> Create 

3. Enter a User ID for the administrator. 

4. Enter the name of the master domain (default master domain is Master). 


6. Click on the Click here to manage link. 

7. Click on Admin Privileges. 


9. Assign the necessary user and Digipass admin privileges by selecting the privilege name and clicking the > 

button. 

10. When complete, click on Save. 


12.2 How To Set Up Virtual Digipass 

12.2.1 Pre-requisites 

Reading 

It is recommended that you read the following topics before starting this process: 

Types of Digipass topic in the Introduction section of the Product Guide 


Virtual Digipass Implementation Considerations topic in the Digipass section of the Product Guide 

Select Virtual Digipass Options 

There are three basic options available when implementing Virtual Digipass with Identikey Server: 

Primary Virtual Digipass only 

Backup Virtual Digipass, in conjunction with hardware or software Digipass 

Combination of Primary and Backup Virtual Digipass 

12.2.2 Import Virtual Digipass records 

You will receive Primary Virtual Digipass records in a .dpx file, with a DPX File Key, as you would receive with 

normal Digipass records. Import them as you would normal Digipass records. 

Backup Virtual Digipass do not have records of their own. Information on Backup Virtual Digipass is contained in 

the record for the Digipass which is being supplemented by the Backup Virtual Digipass. 

12.2.3 Set Up SMS Gateway 

MDC Access 

If required, configure an ID and password for the Message Delivery Component to use when passing text 

messages to the SMS Gateway. 

12.2.4 Set Up Message Delivery Component 

Installation 

See the relevant Installation Guide (Windows or Linux) for instructions on installing the Message Delivery 

Component. 


MDC Configuration 


For instructions on configuring the Message Delivery Component to work with Identikey Server and the SMS 

Gateway, see 11.7 Message Delivery Component Configuration. 

12.2.5 Configure Identikey Server 

If the Message Delivery Component is installed on a different machine to the Identikey Server, the Identikey Server 

must be configured with the connection details. To do this, open the configuration file - identikeyconfig.xml - and 

find the VDPClient details. Edit the MDC-IPAddress and MDC-Port settings. 

12.2.6 Edit Identikey Server Policy 

You may need to read the Policy information in the Product Guide before following these instructions. 

12.2.6.1 Primary Virtual Digipass 

Set Up Policy 


2. Click on Policy -> List. 

3. Select the Policy in which you wish to enable the use of Virtual Digipass. 

4. Click on the Virtual Digipass tab. 

5. Click Edit. 

6. Find the Primary Virtual Digipass section. 

7. Select one of the following options as the Request Method:: 

Keyword – User enters the Request Keyword into the password field. 

Password - User enters their static password only into the password field. 

KeywordPassword – User enters the Request Keyword, followed by their static password, into the 

password field. 

PasswordKeyword - User enters their static password, followed by the Request Keyword, into the 

password field. 

8. If you have selected an option which includes the use of a Request Keyword, enter it in the PVDP Request 

Keyword field. 

9. Click on Save. 


12.2.6.2 Backup Virtual Digipass 

Permitted, Not Mandatory 






6. Find the Backup Virtual Digipass section. 

7. Select Yes – Permitted from the Enable Backup VDP drop down list. 


8. If desired, enter a maximum number of uses. This will be calculated for each person using a Backup Virtual 

Digipass. 


Permitted, Not Mandatory, Time-Limited 







7. Select Yes – Time Limited from the Enable Backup VDP drop down list. 

8. Enter a time limit (in days) into the Time Limit field. At the end of this time period – calculated from their first 

use - the User will no longer be permitted to use a Backup Virtual Digipass. 


Digipass. 

Mandatory 







7. Select Yes – Required from the Enable Backup VDP drop down list. 




Digipass. 


Backup Virtual Digipass may also be enabled for individual Users, via each Digipass record. This over 

12.2.7 Test Virtual Digipass 

Primary Virtual Digipass 

To test a Primary Virtual Digipass: 


2. Click on Digipass -> List. 

3. Click on the Virtual Digipass to be tested. 

4. From the Application Type tab click on the Test VDP button. 

5. Enter the mobile phone number to which the VDP should be sent. 

6. Click on Generate. 

The Administration Web Interface will attempt to send an OTP to the Message Delivery Component, which 

will attempt to forward it to the SMS Gateway. The success or failure of these attempts will be displayed. 

7. If the OTP was received by your mobile phone, enter it into the OTP field and click on Verify. 

The success or failure of the verification attempt will be displayed. 

Backup Virtual Digipass 

To test a Backup Virtual Digipass: 


2. Click on Digipass -> List. 

3. Click on the Digipass belonging to the Backup Virtual Digipass to be tested. 

4. From the Application Type tab click on the Test BVDP button. 

5. Enter the mobile phone number to which the OTP should be sent. 

6. Click on Generate. 

The Administration Web Interface will attempt to send an OTP to the Message Delivery Component, which 

will attempt to forward it to the SMS Gateway. The success or failure of these attempts will be displayed. 

7. If the OTP was received by your mobile phone, enter it into the OTP field and click on Verify. 

The success or failure of the verification attempt will be displayed. 



12.3 Connect the Administration Web Interface to a New Identikey Server 

12.3.1 Windows 

12.3.2 Linux 

Note 

The Identikey Server to which the Administration Web Interface will be connecting needs to have 

a Client Component record of type Administration Program in its data store for the machine on 

which the Administration Web Interface is running. 



3. If you are using the default keystore and keystore password, enter the following command: 


where is the display name for the server and is its location. 

For example: 

java -jar admintool.jar autoadd Belgium https://198.162.1.1:8888 

4. If you have moved the keystore from its default location, or entered a custom keystore password during 

installation, enter the following command: 


where is the display name for the server, is the server location, is the 

path and filename for the keystore, and is the password set for the keystore. 

1. Enter the chroot environment: 


2. Navigate to /webadmin on the machine where the webadmin is running. 

3. If you are using the default keystore and keystore password, enter the following command: 


where is the display name for the server and is its location. 

For example: 

java -jar admintool.jar autoadd Belgium https://198.162.1.1:8888 



4. If you have moved the keystore from its default location, or entered a custom keystore password during 

installation, enter the following command: 


where is the display name for the server, is the server location, is the 

path and filename for the keystore, and is the password set for the keystore. 

12.4 Create Custom Report Definition 

Before attempting to create a custom report definition, it is recommended that you read the Reporting section of 

the Product Guide. 


2. Click on the Reports tab and select Define report from the drop-down list. 

3. Type a name for the report definition. 

4. Select the type of report definition required: 

List Analysis Report – a list of all items that match the criteria specified in the report definition 

Detailed Analysis Report - detail of selected events 

Distribution Analysis Report - counts of events and/or objects 

Trend Analysis Report – trends in event or object numbers over a specified period of time 

5. Enter a description for the report definition – something which will help you and/or other administrators know 

what data will be found in the report. 

6. Select a grouping level: 

Client – connections requested and/or approved by machines with Client Component records 

7. Click on Next 

Data from Audit sources only 

Domain – Digipass and Digipass User information 

Data from data store (eg. list of Digipass Users by Domain) or Audit sources (eg. rejected authentication 

requests) 

Organizational Unit – Digipass and Digipass User information 

Data from data store (eg. list of Digipass Users by Organizational Unit) or Audit sources (eg. rejected 

authentication requests) 

User – Digipass and Digipass User information 

Data from data store (eg. list of Digipass Users with Digipass assigned) or Audit sources (eg. rejected 

authentication requests) 

Digipass – Digipass information 

Data from data store (eg. list of unassigned Digipass) or Audit sources 


8. Enter a name for the new query. 

9. Click on Add New. 

10. Select the name of a field, the condition, and the value on which to filter. 


Example – To report on rejected authentication requests, select Audit:Code from the Field drop down list, 

select Equals from the Condition drop down list, and enter I007003 in the Value field. 


12. If desired, add more queries. 


14. Select Usage and Update permissions. Usage permissions control which administrators may view a report – 

Update permissions control which administrators may modify a report definition. 


16. To use the standard XML template, Select the Use the default XML template only option button. Or to use a 

custom template, select the Add new template in addition to default XML template option button and enter 

the location of the template and a name to use in referring to it. 


18. Click on Finish. 

12.4.1 Query Filters 

The tables below list the fields on which a report query may be filtered, and the data type required for each. 

User field list 

Display name Type Value(s) required 

User:User ID String 

User:Domain String 

User:Organizational Unit String 

User:User Name String 

User:Email String 

User:Phone String 

User:Mobile String 

User:Description String 

User:Has Digipass Number 

User:Local Authentication Number 

User:Backend Authentication Number 

User:Disabled Checkbox 0 or 1 

User:Lock Count Number 


User:Locked Checkbox 0 or 1 

User:Status String 

User:Profiles String 

User:Link String 

Domain Link String 

User:Created time Date 

User:Modified time Date 

The fields specified in the user field list can be referred to in the XSLT templates. 

Digipass field list 

Display name Type 

Digipass:Serial Number String 

Digipass:Domain String 

Digipass:Digipass Type String 

Digipass:Application Names String 

Digipass:Application Types String 

Digipass:Status String 

Digipass:User ID String 

Digipass:Assigned Date 

Digipass:Grace Period End Date 

Digipass:Backup VDP Enabled CheckBox 

Digipass:Backup VDP Expires Date 

Digipass:Backup VDP Uses Left Number 

Digipass:Created time Date 

Digipass:Modified time Date 

The fields specified in this Digipass field list can be referred to in the XSLT templates. 

Audit field list 

DisplayName Type 

Audit:Source String 

Audit:Type code Number 

Audit:Type String 

Audit:Code String See Audit Messages for a list 

of possible codes and 

messages used by the Audit 

System. 

Audit:Description String See Audit Messages for a list 




Audit:Category String 

Audit:TimeStamp Date 

Audit:AMID String 

Audit:Reason String 

Audit:Area String 

Audit:Operation String 

Audit:Error Code Number 

Audit:Error Message String 

Audit:Error Details String 

Audit:Source Location String 

Audit:Server Location String 

Audit:Client Location String 

Audit:Version String 

Audit:Data Source String 

Audit:Data Source Location String 

Audit:Configuration Details String 

Audit:Outcome String 

Audit:Reason String 

Audit:Characteristics String 

Audit:Credentials String 

Audit:Session ID String 

Audit:Application String 

Audit:Request ID String 

Audit:Password Protocol String 

Audit:Input Details String 

Audit:Action String 

Audit:Output Details String 

Audit:Policy ID String 

Audit:From String 

Audit:To String 


System. 

Audit:Message String See Audit Messages for a list 



System. 

Audit:Quota Number 



Audit:Object String 

Audit:Command String 

Audit:Downtime Number 

Audit:Fields String 

Audit:Request Type String 



12.5 Install a Commercial SSL Certificate 

12.5.1 Windows 

Before installing a commercial SSL certificate, you will need to: 

obtain the .pem files required for the certificate 

note the location of the certificate files 

know the password for the keystore 

Install Certificate 

1. Run the Identikey Server Configuration Wizard. 

2. Select Install SSL Certificate and click on Next. 

3. Select Install my own SSL Certificate and click on Next. 

4. Browse to the certificate file and click on Open. 

5. Enter the password for the SSL certificate. 

6. Browse to the trusted certificates file and click on Open. 


8. Click on Proceed. 

Configure Administration Web Interface to Use Certificate 






where is the display name of the Identikey Server, is the address and port number of the 

Identikey Server, is the location and file name of the keystore and 

is the password on the keystore. 

For example: 


c:\Program Files\VASCO\Identikey 3.1\webadmin\keystore.jks password1 


12.5.2 Linux 

Install Certificate 

1. Run the Identikey Server Configuration Wizard. 

2. Select Install SSL Certificate and click on Next. 

3. Select Install my own SSL Certificate and click on Next. 

4. Browse to the certificate file and click on Open. 

5. Enter the password for the SSL certificate. 

6. Browse to the trusted certificates file and click on Open. 


8. Click on Proceed. 

Configure Administration Web Interface to Use Certificate 

1. Navigate to the usr/share/vasco directory. 




where is the display name of the Identikey Server, is the address and port number of the 

Identikey Server, is the location and file name of the keystore and 

is the password on the keystore. 

For example: 


etc/vasco/keystore.jks password1 



12.6 How to Set Up a Stand-Alone Identikey Server in RADIUS Environment 

You may wish to use this topology if: 

RADIUS attributes are not required 

One of the supported password protocols will be in use: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2 

12.6.1 Information required 

12.6.2 Instructions 

IP address of the RADIUS client 

Shared secret used by the RADIUS client - or select a secret to use now if the RADIUS client isn't yet equipped 

with a shared secret 

Administration Web Interface 

1. Click on Clients -> Register 

2. Enter this data: 

Client Type: Select RADIUS Client 

Location: Enter the IP address of the RADIUS client 

Policy ID: Select the policy you want to use for this RADIUS client 

Protocol ID: Select RADIUS 

Shared Secret: Enter the shared secret used by the RADIUS client 


RADIUS Client Configuration 

4. Configure your RADIUS client to send authentication request to the Identikey server (the IP/port of the RADIUS 

communicator can be found in the Identikey Server Configuration utility). 


12.7 How to Set Up Identikey Server as RADIUS Proxy Target 

You may wish to use this topology if: 

The RADIUS server supports the proxying of authentication while returning attributes itself 


The RADIUS server can forward the authentication request using one of the supported password protocols is 

used: PAP, CHAP, MS-CHAPv1, MS-CHAPv2 

The RADIUS server supports an Access-Challenge response from Identikey Server, if required. The Access- 

Challenge mechanism is used for Challenge/Response and Virtual Digipass, although it is still possible to use 

Virtual Digipass without that mechanism. 

If the RADIUS server is capable, this scenario allows Identikey Server to operate in an environment that uses 

certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the 

user credentials into a simpler protocol before forwarding the request to Identikey Server. 



IP address of the RADIUS server 

Shared secret used by the RADIUS server 











RADIUS Client Configuration 


4. Configure your RADIUS client to send authentication request to the Identikey server (the IP/port of the RADIUS 

communicator can be found in the Identikey Server Configuration utility). 


12.8 How to Set Up Identikey Server as Intermediate Server 


When used as an intermediate authentication server, Identikey Server can be set up in two basic modes – OTPonly, 

where Identikey Server keeps a record of a User's static password and relays it to the Back-End Server, and 

OTP-Password, where the User enters an OTP and their password, which is not stored by Identikey Server but is 

relayed to the Back-End Server for authentication. 

OTP Only 

OTP and Password 




IP address of the RADIUS client 

Shared secret used by the RADIUS client 

IP address of the RADIUS server 

Shared secret used by the RADIUS server 










4. Configure the RADIUS client to send authentication requests to the Identikey Server 


The IP/port of the RADIUS communicator can be found using the Identikey Server Configuration utility. 

5. Go to Back-end->Register RADIUS Back-End 

Backend server ID: an identifier for the RADIUS server 

Domain name: master if the RADIUS Server should process auth request from all domains, else a specific 

domain 

Priority: use this if you want to define multiple back-end servers for failover reasons - the one with the 

highest priority will be used first 

Authentication IP Address: The IP address that the RADIUS Server is using for authentication requests 

Authentication port: The Port that the RADIUS Server is using for authentication requests 

Accounting IP Address: The IP address that the RADIUS Server is using for accounting requests 

Accounting port: The Port that the RADIUS Server is using for accounting requests 

Shared Secret: the shared secret of the RADIUS Server 

Timeout: timeout on the connection to the RADIUS Server 

Retries: Number of retries before abandoning attempts to send an authentication request to the RADIUS 

Server 


6. Click on Create 



12.9 Add a New Domain to Identikey Server 


These topic will lead you through the processes required to set up Identikey Server authentication in a new domain, 

where Identikey Server is already set up in another domain. 

12.9.1 Solution 1: Install an Extra Identikey Server in the New Domain. 

Follow the regular installation process to install an Identikey Server on the new domain. 

Note 

Ensure that your license covers the new Identikey Server. 

12.9.2 Solution 2: Configure New Domain for Existing Identikey Server 

1. Check that the schema in the new domain contains the schema extensions required by Identikey Server. See 

2.5.2 Check Schema Extensions for more information. 

2. Set up the Digipass-Pool and Digipass-Reserve containers in the new domain. See 2.5.3 Set Up Digipass 

Containers in Domain for detailed information. 

3. Ensure that trusts are configured correctly between the domains to allow Identikey Server access to data in 

the new domain. 

4. Read 5 Set Up Active Directory Permissions for information on the Active Directory permissions that might 

need to be set in order to administer the Digipass Users and Digipass in that domain. 

5. Add the domain to Identikey Server's configuration settings. See 11.3.6.2 LDAP Data Sources for more 

information. 

6. Optionally, install the Digipass Extension for Active Directory Users & Computers on a machine in the new 

domain which has the Active Directory Users & Computers tool installed. 


13 Reporting 

13.1 Reporting Overview 

13.1.1 What fields can be included in reports? 

Fields from the following sources can be used in a report: 

Users 

Digipass 

Audit Data 

Users + Audit 

Digipass + Audit 

13.1.2 How can these fields be grouped? 

These fields can be grouped based on the following based on the following fields: 

Client 

Domain 

Organizational Unit 

User 

Digipass 

The information on the report will be grouped based on the field defined above. 

13.1.3 How to define a Query 

Queries consist of: 

a Datafield, which is a field from the database, 

an Operator, which is the operation to be performed on the datafield, 

Reporting 

a Value, which is the value the datafield will be compared against. A value is not necessary with all operators. 

To define a query you must select a datafield and an operator. Operators can be selected from the following: 

ISBLANK 

NOTBLANK 


EQUALS 

NOTEQUALS 

STARTS 

INCLUDES 

ENDS 

NOTSTARTS 

NOTENDS 

NOTINCLUDES 

> 

>= 

< 

Name Type Description 

Email String User Email 

Phone String User Phone No 

Mobile Number User Mobile No 

Desc String User Description 

Has_dp Number User Has Digipass 

Digipass String User Digipass serial number 

Local_auth Number User Local Authentication 

Backend_auth Number User Back-End Authentication 

Disabled Y/N User Disabled 

Lock_count Number User Lock Count 

Locked Y/N User Locked 

Status String User Status 

Profiles String User Profiles 

Link_userid String User Link 

Link_domain String Domain Link 

Created 

Modified 

Digipass Fields 


Serial_no String DP Serial No 

Domain String DP Domain 

Org_unit String DP Organisational Unit 

Dp_type String DP Type 

Appl_names String DP Application Names 

Apply_types String DP Application Types 

Status String DP Status 

Userid String DP User ID 

Assigned Date DP Assign Date 

Grace_period_end Date DP Grace Period End Date 

Bvdp_enabled Y/N Backup Virtual DP Enabled 

Bvdp_expires Date BVDP Expiration Date 

Bvdp_uses_left Number BVDP Uses Left 

Reporting 



Reserve Number DP Reserved 

Description String Digipass Description 

Created Date DP Creation Date 

Modified Date DP Modification Date 

Audit Fields 


Source String Audit Source 

Msg_type Number Audit Message Type 

Type_name String Audit Type Name 

Code String Audit Code 

Desc String Audit Description 

Category String Audit Category 

Timestamp Date Audit TimeStamp 

Amid String Audit Amid 

Reason String Audit Reason 

Area String Area 

Operation String Operation 

Error_Code Number Error Code 

Error_Message String Error Message 

Error_Stack String Error Details 

Audit_Location String Source Location 

Server_Location String Server Location 

Client_Location String Client Location 

Version String Version 

Data_Source_Type String Data Source 

Data_Source_Location String Data Source Location 

Configuration_Details String Configuration Details 

Outcome String Outcome 

Reason String Reason 

Characteristics String Characteristics 

Credential_Type String Credentials 

Session_ID String Session ID 

Reporting 



Application_Name String Application Name 

Request_ID String Request ID 

Password_Protocol String Password Protocol 

Input_Details String Input Details 

Action String Action 

Output_Details String Output Details 

Policy_ID String Policy ID 

From_Location String From 

To_Location String To 

Info_Message String Message 

Quota Number Quota 

Object String Object 

Command String Command 

Downtime Number Downtime 

Field_Details String Fields 

Packet_Type String Request Type 

Note 

13.1.4 Report Permissions 

Two or more values after the operator will be interpreted as if the word 'and' was between them. 

Reporting 

You can define Usage Permissions and Update Permissions for reports. Usage Permissions defines who is allowed 

to use the report. Update Permissions defines who is allowed to change the report definition. Both Usage and 

Update permissions can have the following values: 

13.2 Types of Report 

Private - only the owner can run this report 

Domain - all administrators in this domain can run this report 

Public - all administrators in all the domains can run this report. 

There are four report types. All report templates are based on these report types: 


List Analysis Report 

Detailed Analysis Report 

Distribution Analysis Report 

Trend Analysis Report. 

13.2.1 Standard Reports. 

Reporting 

The Identikey Server reporting package will come with standard reports. Standard reports are provided for the most 

common administration tasks. 

The standard reports can be grouped by their use: 

Reports produced by the Helpdesk to help with troubleshooting functional problems 

Detailed authentication report 

User authentication history report 

Detailed Digipass registration report 

Detailed activity summary report 

Detailed Signature Validation report 

Detailed Provisioning report 

Signature Validation history report 

Reports produced by System administrators to help with troubleshooting system problems 

Failed Operations summary report 

Succeeded Operations summary report 

Reports produced by Administrators for Accounting information 

Authentication activity by user report 

Authentication activity by client report 

Provisioning activity by user report 

Provisioning activity by client report 

Transaction Signing Activity by User Application report 

Transaction Signing Activity by Client report 

Reports produced by Administrators for System auditing information 

Administration activity summary report 

Digipass availability by type report 

Digipass deployment trend report 

Digipass deployment by type report 


13.2.2 Custom Reports 

Authentication trend report 

Transaction Signing Activity Trend 

Provisioning activity trend report 

Account lock trend report 

Digipass assignment activity summary report 

Reporting 

Custom reports can be defined to fulfil requirements not met by the standard reports. Custom reports are based 

on the standard report types with a report query defined to suit your organization's requirements. 

13.2.3 Formatting Templates 

Report data is always generated into XML, then an XSLT transformation is applied to give the output. The XSLT 

transformation requires a formatting template. Each report definition requires at least one template so that it can 

be produced in the format required. Each report definition can have more than one Formatting Template. The 

template to be used can be selected when running the report. 

13.3 Archiving Strategy 

Large amounts of data means that reports take a long time to run. Have an archiving strategy in place that moves 

out data over a certain age. Make a decision about what data you will require in your reports, and for how long you 

need to keep it live on the Data Source. 

Archived data cannot be reported upon. 


14 Auditing 

14.1 Text File 

Setting up auditing in the Identikey Server requires three basic steps: 

1. Set up audit message destination. If this will be a text file or the Windows Event Log, no configuration is 

required. 

2. Configure auditing in the Identikey Server to send audit messages to the correct destination. 

3. Configure Audit Viewer to retrieve, filter and display audit messages. 

14.1.1 Text File Name Variables 

Auditing 

A number of variables may be included in the name or path of an audit text file.Time/date variables will influence 

how often a new text file is created. 

Table 62: Audit Text File Name/Path Variables 

Variable Notes 

{year} Current year in format 'YYYY' eg. 2006 

{month} Current month in format 'MM' eg. November becomes 11 

{mday} Current day of the month in format 'DD' eg. 06 

{yday} Current day of the year in format 'DDD' – this will be a number between 1 and 366 

{week} Current week of the year in format 'WW' eg. The 6 th week of the year will be 06 

{source} The name of the program from which the audit message was received by the Audit System eg. 

Authentication Server 

Example 

Entering the following into the Log File field in the Identikey Server Configuration: 

c:\Audit Files\{source}\audit-{year}-{month}-{mday}.audit 

would cause: 

A directory named Identikey Server to be created in the Audit Files directory 

A new audit text file to be created daily 

A file named audit-2006-11-06.audit to be created on the 6 th November 2006 


14.1.2 Configure Auditing to Text File 

1. Open the Identikey Server Configuration utility. 

2. Click on the Auditing icon. 


4. Select Text File from the list box. 


The Add Text File Method window will be displayed. 


Auditing 

7. If this audit method must succeed, tick the Reject audit message if this method fails checkbox. An error will 

be returned by the Identikey Server if an audit message cannot be written with this method. 

8. Tick the Record audit message if no other audit method has recorded it checkbox if required. 


Error 

Warning 

Information 

Success 

Failure 

10. Enter the location and a name for the text file. See 14.1.1 Text File Name Variables for more information. 

11. To speed up the auditing process, tick the Always keep file open checkbox. This will mean that the file is 

locked while the Identikey Server is running. 

12. Tick the Use GMT/UTC checkbox to record dates and times in GMT/UTC. Otherwise, they will be recorded in 

local time. The text file will indicate the time zone used. 




14.2 Windows Event Log 




4. Select Event Log from the list box. 


The Add Event Log Method window will be displayed. 


Auditing 





Error 

Warning 

Information 

Success 

Failure 

10. Select a log type or enter a new log type to be created in the Log Type drop down list. 




14.3 ODBC Audit Message Database 

14.3.1 Set up ODBC Database 

14.3.1.1 Create database 

See 3.1 Database Support for information on the ODBC databases supported by Identikey Server. 

14.3.1.2 Create database schema 

Auditing 

Two tables are required in the database. These can be created by the DPDBadmin utility using the -audit 

parameter (see 3.8.1 Modify Database Schema), 

or manually. 

Table 63: Required Audit Database Tables 

Table Name Purpose 

vdsAuditMessage Basic audit message, including mandatory fields 

vdsAuditMsgField Contains extra (non-mandatory) audit message fields which may be included in an audit 

message 

Image 2: Audit Database Table Relationships 


vdsAuditMessage Table 

Auditing 

This table will contain one record per audit message generated, with non-mandatory information held in the 

vdsAuditMsgField table. 

Table 64: vdsAuditMessage Required Fields 

Column Name Data Type Primary 

Key 

Allow NULL Details 

vdsTimeStamp timestamp* Yes No Date/time of event. 

vdsAMID varchar(32) Yes No 32 hex digit Audit Message ID (without “0x” 

prefix). 

vdsSource varchar(64) No Source component name. 

vdsType integer No Numeric type. 

vdsCode varchar(8) No Message code eg. “I-010003”. 

vdsDesc varchar(255) No Standard description for audit message. 

vdsCategory varchar(32) No Name of category eg. “Authentication”. 

* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an 

automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required. 

vdsAuditMsgField Table 

This table may contain several records for a single audit message. 

Table 65: vdsAuditMsgField Required Fields 

Column Name Data Type Primary 

Key 

Allow NULL Details 

vdsTimeStamp timestamp* Yes No Date/time of event. 

vdsAMID varchar(32) Yes No 32 hex digit AMID (without “0x” prefix). 

vdsFieldID integer Yes No Integer (dataset) ID of optional field. 

vdsFieldValue varchar(1024) No Yes Value of optional field, represented as string. 

* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an 

automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required. 

14.3.1.3 Create Database Account(s) 

Create at least one database account. These permissions are required for the Identikey Server and Audit Viewer: 


Table 66: Required Account Permissions 

Program Table Permission(s) required 

Identikey Server All Write 

Audit Viewer All Read 

14.3.1.4 Create DSN on Identikey Server machine 

Create a Data Source Name for the database on the machine on which the Identikey Server is installed. 

14.3.1.5 Create DSN on Audit Viewer machine 

Create a Data Source Name for the database on the machine on which the Audit Viewer is installed. 





4. Select ODBC Database from the list box. 


The Add ODBC Audit Method window will be displayed. 


Auditing 





Error 

Warning 

Information 

Success 

Failure 

10. Enter the DSN for the database. 

11. Enter the username and password of the database account to be used by the Identikey Server (if required). 




14.3.3 Configure Audit Viewer 

Note 

A Data Source Name must be configured on the Audit Viewer computer for the database. 

1. Select New Audit Source -> ODBC Database from the File menu. 

2. Enter a display name to be used for the database within the Audit Viewer. 

3. Enter the Data Source Name for the database. 

4. Enter the User ID and password of an administrator account for the database. 

5. Tick the Store User ID and Password checkbox to save login details in the Audit Viewer. 


14.4 Linux Syslog 

For Linux systems, auditing data will be written to the Syslog. 

The Syslog requires the Audit Messages to have the following attributes : 

Priority 

Facility 

Timestamp 

Source Hostname 

Source Application name 

Event payload 

Auditing 

The values in the attributes on the Audit Message determine where the message gets written to, and whether it 

appears on the Syslog or not. 

Audit Message type to Syslog Priority Mapping 

The table below defines the mapping of Audit Message Type to Syslog Priority. You can use the Syslog Priority to 

direct the Audit Message Types to any log file, pipe, or remote syslog service. 

Table 67: Audit Message Types and Syslog Priority 

Message Type Syslog Priority 

Success LOG_NOTICE 

Fail LOG_NOTICE 

Info LOG_INFO 


Warning LOG_WARNING 

Error LOG_ERR 

14.4.1 Configure the System Log 

Auditing 

The host's syslog daemon needs to be configured to additionally point to the chroot location in order to pick up the 

identikey syslog audit events. This configuration will depend on the environment and how it is set up. 

Ubuntu 8.0.4 

1. Edit /etc/default/syslogd, adding option -a /opt/vasco/identikey/dev/log to the SYSLOGD parameter. 

RedHat 5 

1. Edit /etc/sysconfig/syslog, adding option -a /opt/vasco/identikey/dev/log to the SYSLOGD_OPTIONS 

parameter. 

2. For standard SELinux environments, the Syslog daemon may not have the correct permissions necessary to 

create the additional socket within the chroot. To resolve this, run the following command: 

SuSE 

cat /etc/selinux/targeted/contexts/files/file_contexts && 

restorecon -F /opt/vasco/identikey/dev 

/opt/vasco/identikey/dev -d system_u:object_r:device_t:s0 

/opt/vasco/identikey/dev/log -s system_u:object_r:devlog_t:s0 

EOF 

1. Run the following command: 

14.4.2 Modify Configuration File 

echo SYSLOGD_ADDITIONAL_SOCKET=\"/opt/vasco/identikey/dev/log\" >> 

/etc/sysconfig/syslog && SuSEconfig && /etc/init.d/syslog restart 

You may need to amend the syslog configuration file, to define the location to which specific audit logs should be 

written. 

For example, if the Identikey Server Syslog configuration has the audit Log Type set to local0, the syslog 

configuration file will need to define where to write this type of log message to. Check the ownership and 

permissions of the log file so that Syslog has permissions to write to it. 

Having changed the syslog configuration files, you will need to restart the host's syslog daemon. 


14.4.3 Configure Identikey Server to Write Audit Messages to the Syslog 




4. Select System Log from the list box. 


The Add System Log Audit Method window will be displayed. 


Auditing 





Error 

Warning 

Information 

Success 

Failure 

10. Select a log type or enter a new log type to be created in the Log Type drop down list. 




14.5 Live Connection - Identikey Server to Audit Viewer 


1. Open the Identikey Server Configuration GUI. 



4. Select Live Connection from the list box. 


The Add Live Connection Method window will be displayed. 


Auditing 



8. Tick the Only record message if no previous method has recorded it checkbox if required. 


Error 

Warning 

Information 

Success 

Failure 

10. Enter the IP address and port number on which the Identikey Server will listen for auditing connections. 

11. Enter the maximum number of concurrent connections to allow. 



14.5.2 Configure Audit Viewer 

1. Select New Audit Source -> Server from the File menu. 

2. Enter a display name to be used for the messages within the Audit Viewer. 

3. Enter the IP address of the Identikey Server. 

4. Enter the port on which the Identikey Server will listen for auditing connections. 



15 Tracing 

The level of tracing for the Identikey Server can be configured using the Identikey Server Configuration GUI. 

Tracing messages will be recorded to a text file. 

15.1 Trace Message Types 

Table 68: Tracing Message Types 

Message Type 

Code 

[CRITC] Critical error/warning 

Notes Examples 

[MAJOR] Major error/warning [MAJOR] > Failed to execute command. Error 

[MINOR] Minor error/warning [MINOR]> Cannot get License Key from Component record 

[CONFG] Configuration/initialization [CONFG] > ODBC Database audit plugin is successfully 

loaded 

[CONFG] > Component cache configured as: 

max age : 900 

max size : 1000 

clean threshold : 800 

min clean interval : 60 

[ALERT] Alerts [ALERT] > disconnecting from server. 

[INFO] Informational messages [INFO ] > Audit: {Info} {Initialization} {I-002002} {The 

Digipass Authentication library has been initialized 

successfully.} 

[INFO ] > Creating Digipass object. 

[VINFO] Verbose informational messages [VINFO] > Event log source is 

[VINFO][ODBCConnection::OpenConnection] > Established 

connection to ODBC database 

[DATA] Data tracing [DATA ] > Prepared SQL statement "SELECT vdsDomain, 

vdsDescription, vdsCreateTime, vdsModifyTime FROM 

vdsDomain ORDER BY vdsDomain" 

[TEMP] Temporary data values [TEMP ] > Updated list is 

[RESRC] Resource usage [RESRC] > Socket Bound to 

[DEBUG] Debugging (useful for support 

purposes) 

[DEBUG] > Registering Binary with Event 

log for Source < Identikey Server 3 

{Application}> 

[DEBUG] > Committed transaction 

Tracing 


Message Type 

Code 

[SECUR] Security messages, messages that 

may contain security sensitive data 

15.2 Trace Message Levels 

Notes Examples 

Tracing 

There are two tracing levels available when configuring tracing from the Identikey Server Configuration GUI – Basic 

and Full. This can be customised further if required by directly editing the configuration file. The message types 

recorded by each level are shown in the table below. 

Table 69: Tracing Message Levels 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

Basic Full 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

VINFO 

DATA 

TEMP 

RESRC 

DEBUG 

SECUR 

15.3 Trace Message Contents 

Basic and Full tracing levels output different amounts of information in trace messages. 

Table 70: Tracing Message Contents 

Trace Level Message Contents 

Basic [date_time] [thread ID] [level code] message 

Full [date_time] [thread ID] [level code] [internal function name] message 


16 Digipass TCL Command-Line Administration 

16.1 Introduction 

Digipass TCL Command-Line Administration 

Digipass TCL Command-Line Administration (DPCLA) allows interactive command-line and scripted administration 

of Digipass related data. It has a number of possible uses: 

Interactive command-line administration 

Scripted administration 

Complex bulk administration tasks 

Reporting on the data in the data store 

The DPCLA consists of the following components: 

DPADMINCMD 

This is a command-line program that can be used interactively or called from within a batch file, script or other 

program. This provides a command shell based on the TCL interpreter. 

VASCO TCL Extension Library 

The main functionality is provided by the VASCO extensions to TCL. This provides a set of additional commands in 

a “vasco” namespace. 

The extension library is used by DPADMINCMD, which loads the namespace automatically. However, if you have 

your own TCL environment already, you can load the extension library directly into it, without having to use 

DPADMINCMD. In that case, you will need to use the namespace qualifier. 

Other scripting environments such as Python, Perl and VBScript also have modules available that enable them to 

use TCL, allowing the VASCO extensions to be used in a variety of environments. 

TCL Runtime 

The Identikey Server installation program also installs the TCL 8.4 runtime environment, which is necessary to run 

DPADMINCMD. 

Caution 

Windows command-line functions may be run from within the Digipass TCL Command-Line 

Administration. A new Windows command-line console may also be opened. 


16.1.2 Knowledge Requirements 


Digipass TCL Command-Line Administration is an extension of the TCL 8.4 scripting language, and administrators 

will require a basic competence in TCL in order to use the command-line utility. However, for simple usage, no 

great knowledge of TCL is required. 

For an introduction to TCL, see http://www.tcl.tk/about/language.html. Other pages on the www.tcl.tk web site 

may also provide useful background on TCL and its capabilities. For a more comprehensive tutorial, see 

http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html (but note that we install version 8.4, so there may be minor 

differences in 8.5). 

16.1.3 Data Store Connection 

DPCLA makes a connection to the data store in a similar way to the Administration Web Interface. This connection 

requires an administrative login. 

16.1.4 Configuration File. 

Digipass TCL Command-Line Administration requires a configuration file (dpacmincmd.xml file) to be present 

before it can run correctly. This file can be created by the Digipass TCL Command-Line Administration installation 

wizard, or created using a template. See 11.8Digipass 

TCL Command Line Utility for more details. 


16.2 Using DPADMINCMD – Basics 

You can use TCL interactively with a command prompt or you can use it to run a script. 

16.2.1 Using an Interactive TCL Command Prompt 


Using DPADMINCMD to open an interactive TCL command prompt can be done as follows: 

Windows 

1. Open a Windows command prompt in the \Bin directory. 


Linux 

dpadmincmd 

1. Enter the chroot environment: 



dpadmincmd 

A command prompt will be opened, at which you can enter TCL commands. DPADMINCMD automatically loads the 

VASCO TCL extensions, so that they can be used without needing to specify the VASCO 'namespace'. 

Digipass TCL Command-Line Administration Version 3.0.0.12 

Copyright (C) VASCO Data Security Inc. 2006 

All rights reserved 

% 

Before any data administration commands will work, you need to perform an administrative logon to the Identikey 


% logon {userid admin password password} 

1 

% 

If the logon is successful, the output indicates a session number. Otherwise, an error message will be displayed. 

Once there has been a successful logon, you can enter other commands, for example: 

% user query {userid admin} 

{domain master userid admin has_dp Unassigned status 0 created 

{2006/05/11 11:05:32} modified {2006/05/11 11:05:32}} 

% 

To log off, use the logoff command; to exit, use the exit command. 


16.2.2 Running a Script 


Using DPADMINCMD to run a script requires an administration logon to be specified with command-line 

parameters, unless the script itself contains a logon command. 

For a logon requiring credentials, the -u (userid) and -p (password) parameters are required. 

1. If using Windows, open a command prompt in the \Bin directory. 

If using Linux, enter the chroot environment: 


2. Enter the following command for an implicit logon and press Enter: 

dpadmincmd -i scriptname 

3. Or, enter the following command for an explicit logon and press Enter: 

dpadmincmd -u userid -p password scriptname 

The scriptname parameter can be a file name or path and file name. 

If your script requires parameters, enter these after the scriptname. 

Example 

dpadmincmd -i myscript.tcl param1 param2 

The script file must contain a sequence of TCL commands. DPADMINCMD will first perform the logon, and if 

successful, will execute each command in the script in sequence. The TCL language allows you to write simple 

sequential scripts or add more complex control flow, functions and so on. 

The script does not need to use the logoff or exit commands explicitly. DPADMINCMD will logoff the session if 

necessary at exit time. 

Character Substitution 

When using a non-printing ASCII character substitution (eg. \t for a horizontal tab) in a string, enclose the string in 

double quotes. If the string is enclosed in { }, the string will be displayed exactly as entered. 

eg. “Error: \t Component does not exist. \n \t \t Please check the Component name.” will be displayed as: 

Error: Component does not exist. 

Please check the Component name. 

Whereas {Error: \t Component does not exist. \n \t \t Please check the Component name.} will be displayed as: 

Error: \t Component does not exist. \n \t \t Please check the Component name. 


16.2.3 Help 

To access help from the command prompt, use these commands: 

Table 71: DPADMINCMD Help Commands 

Command Notes 


help Provides basic information about DPADMINCMD, including a list of all 

commands available. 

help Provides information about the specific command, including required 

parameters, optional parameters and available subcommands. 

help Provides information about the specific subcommand, including required and 

optional parameters. 

16.2.4 Command Parameters 

16.2.5 Result Output 

Some notes on command parameters in TCL: 

Parameters are given in list form: {field1 value1 field2 value2 ...} 

Parameter values that include whitespace require double quotes or { }, for example {field1 “value 1” field2 

{value 2} ...} 

Commands may be substituted for parameters using square brackets, where the command will return the type 

of parameter(s) required. eg. 

foreach i [user query {domain master} {domain userid has_dp}] { puts $i } 

In this example, a query returns a list of Users with Digipass assigned, which is used in the foreach command. 

Results are typically returned in list form, with pairs of field names and values, eg: 

{domain master userid user0001 has_dp Assigned} 

Some commands do not return field information, only a simple message, eg: 

Created Component. 

Queries return a list of list results, with only the requested fields displayed. These may be formatted for better 

readability by wrapping the query in another command, eg: 

foreach i [user query {domain master} {domain userid has_dp}] { puts $i } 

The result from the example above will display each user record in the master domain on a separate line, and only 

display the requested fields (domain, userid and has_dp), eg: 

domain master userid admin has_dp Assigned 

domain master userid user0001 has_dp Unassigned 


16.2.6 Error Handling 


When an error occurs in a VASCO TCL Extension command, information about the error will be written to the 

standard TCL error variables. This allows error handling in scripts, and allows a user to obtain information about 

the last error received when using an interactive command line. For example, if this command was entered: 

% user get {userid doesnotexist} 

and a User with the ID of doesnotexist could not be found, then this error would be returned: 

Error code: Error message: 

Information about that error could be retrieved from standard TCL error variables using these commands: 

Returns: 

And 

-13 

Returns: 

% puts $errorCode 

% puts $errorInfo 

Error code: Error message: 

while executing 

"user get {userid doesnotexist} 

16.2.7 International Characters 

DPADMINCMD supports international characters, but your console window must be able to support the characters 

or they will not display correctly. The Lucida Console font is typically used. 

16.2.8 Syntax Notes 

The following points should be remembered for basic interactive and scripted usage: 

Result values that include whitespace, including date/time values, are given { } by TCL 

Comments in scripts are preceded with a # 

A backslash character at the end of a line indicates that the command is continued on the next line. 


16.2.9 Sample Scripts 


Below are some sample scripts which perform basic tasks. They range in complexity to provide an example of what 

can be done, and the techniques required. 

Check if a Component Record exists 

This script checks for the existence of a RADIUS Client Component record with a specific IP address. If a 

Component record of that type and location does not exist, a message will be displayed onscreen. 

# Check if a specified RADIUS Client Component exists 

if [catch {component get {comp_type "RADIUS Client" location 192.168.122.213 }} result] { 

puts "Component does not exist: $result" 

} 

Create a Record if it doesn't exist 

This script builds on the previous sample to check for the existence of a RADIUS Client Component record and, if 

one does not currently exist, to create one. It requires a location parameter to be passed to the script when it is run 

from DPADMINCMD. 

# Get IP-address location from command-line argument 

set loc [lindex $argv 0] 

# Create the component if it does not exist 

if [catch "component get {comp_type {RADIUS Client} location $loc}" result] { 

if [catch "component create {comp_type {RADIUS Client} \ 

location $loc \ 

policy_id {Identikey Server 3 

Local Authentication} \ 

shared_secret default \ 

protocol RADIUS}" result] { 

puts "Error creating component: $result" 

} else { 

puts "Created component" 

} 

} else { 

puts "Component already exists" 

} 

To run this script from DPADMINCMD, you would need to use the following syntax: 

dpadmincmd -i scriptname loc 

Bulk User Administration 

This script collects all Digipass User records belonging to the domain named Domain1 and unlocks any which were 

locked. 

# Get all the users of the domain Domain1 

if [catch {user query {domain Domain1}} users] { 


puts "Unable to retrieve users: $users" 

} else { 

# Loop for each user 

foreach user $users { 

# Get the user information into an array for easier 

access 

array set userinfo $user 

} 

} 


# Check if the locked information is present as it may not return a 

# value is the user is not locked 

if [info exists userinfo(locked)] { 

# If the user is locked, try to unlock it 

if [string equal $userinfo(locked) yes] { 

if [catch "user update {userid $userinfo(userid) domain Domain1 locked no}" result] { 

puts "Error unlocking $userinfo(userid): $result" 

} else { 

puts "Unlocked $userinfo(userid)" 

} 

} 

} 

# Clear-out the current user information 

array set userinfo [list] 


17 Replication 

17.1 Concepts 

Replication can be configured to allow multiple Identikey Servers to keep their data synchronized. 

Active Directory 

Replication 

Active Directory has its own replication, which will replicate data between Domain Controllers. In some 

circumstances, however, Active Directory replication can be slow enough to cause problems in Identikey Server 

authentications. Due to these problems, each Identikey Server using Active Directory as its data store has a 

Digipass Cache. Digipass records used in recent authentication requests are kept in the cache for a set amount of 

time, and checked against Active Directory records. See 2.4 Active Directory Replication Issues for more 

information on the Digipass Cache. 

Where Identikey Servers use Active Directory as their data store, this Digipass Cache can be replicated between 

Identikey Servers. This ensures that authentication data is as up-to-date as possible. 


ODBC Databases 

Replication 

Where multiple Identikey Servers use different ODBC databases as their data stores, replication ensures that each 

database is up to date with the latest data changes. 

17.1.1 Replication Queue 

The replication queue for each Identikey Server which is configured as a replication destination is written to two 

files – a data and an index file – in \ReplData. The files are named using the destination 

Identikey Server name. Check the Identikey Server Configuration for the destination server to check the configured 

name. 

17.1.2 Record-level Replication 

The replication method used by Identikey Server involves replication of entire records, rather than individual record 

attributes. This means that data clashes can occur when a single record is updated at the same time from different 

sources. If this occurs, the later change will be the one chosen and written to the database. Superseded changes 

are ignored. 


17.1.3 Replication Process 

Replication 

The writing of an data update to the replication queue (creating a replication entry) and sending a replication entry 

to another Identikey Server is handled by two separate processes. 

Write to Replication Queue 

The process which writes to the replication queue is run before any data changes are committed to the database. If 

the data change cannot be written to the replication queue – usually because the replication queue file has 

exceeded the maximum size allowed – the data change will not be committed to the database. 


Send Replication Queue Entry 

Replication 

The other process sends replication entries from a replication queue to the required Identikey Server. If the 

destination Identikey Server cannot write the change to its database, it sends back a failure message. The process 

will: 

1. Leave the entry in the queue. 

2. Set a retry time for the entry (this depends on the Retry Interval set in the Identikey Server Configuration 

utility). 

3. Attempt replication for the entry according to the number of retries set in the Identikey Server Configuration 

utility. After the Maximum number of retries is reached, the entry is removed from the queue and its details 

audited. 

Note 

This does not include problems in connecting to the other Identikey Server. Queue retries will be 

suspended until the connection is re-established. 


17.1.4 Connection Handling 

Replication 

When the Identikey Server service is started, the Identikey Server will establish a connection to each destination 

Identikey Server configured for replication. It will keep this connection open until the service is stopped or the 

connection is broken. If the connection is broken, it will attempt to reconnect after the minimum reconnect interval 

set in the Identikey Server Configuration has elapsed. If that fails, it will continue to attempt reconnection at 

increasing time intervals until it reaches the maximum reconnect interval set in the Configuration GUI. It will 

continue to attempt reconnection at the maximum reconnect interval until it succeeds. 

The Identikey Server ceases replication efforts to the destination Identikey Server until the connection is reestablished. 

This means that entries in the queue will not be lost because of a broken connection. Replication to 

other Identikey Servers will not be affected. 

A manual reconnect may be attempted at any time using the Administration Web Interface, if the data store used 

by the Identikey Server is an ODBC database. 

17.1.4.1 Component Record 

It is important to note that a Identikey Server will not accept replication updates from another machine unless it has 

a Component record for that machine with the Component Type set to Identikey Server. 

17.1.5 Monitoring Replication 

17.1.5.1 Auditing 

Audit messages are recorded when: 

connections are made or fail 

an update send was successful 

an update send failed 

an update was received and the receiving server sent back a data update success 

an update was received and the receiving server sent back a data update failure 

17.1.5.2 Administration Web Interface 

The Web Administration Interface will contain a Replication Status dialog. This dialog allows you to check the 

current status of replication for an Identikey Server. It also includes the number of entries currently in the 

replication queue. 


17.1.6 Forwarding Replication Entries 

Replication 

Replication forwarding is required where more than two Identikey Servers are replicating, either in a simple 

replication chain or more complicated arrangement. The ID of the originating Identikey Server and the Identikey 

Server(s) to which it is sending the information are added to the replication entry. This allows the receiving 

Identikey Server to check which other Identikey Servers have already been sent the replication entry. It will forward 

the entry only to those Identikey Servers not listed. 


17.2 Configuring Replication 

Replication 

This topic provides high-level instructions for configuring replication between Identikey Servers in various 

situations. For more detailed instructions, see the online help for the Administration Web Interface. 

17.2.1 Active Directory 

These instructions assume that you have two Identikey Servers currently installed and operational, using Active 

Directory as their data store. 

1. Stop the Identikey Server service on each machine. 

2. Configure Identikey Server 1 to replicate to Identikey Server 2. 

3. Configure Identikey Server 2 to replicate to Identikey Server 1. 

4. Restart the Identikey Server service or daemon on each machine. 


17.2.2 ODBC Database 

17.2.2.1 Configure Replication to a Second Identikey Server 

Replication 

These instructions assume that you have one Identikey Server installed and operational (SVR-1), and wish to set up 

another Identikey Server(SVR-2) and replicate between the two. 

1. Install Identikey Server on SVR-2. 

2. Configure SVR-2 identically – except IP addresses - to SVR-1, using the Identikey Server Configuration GUI or 

the configuration file. 

3. Ensure that SVR-2 is functioning correctly. 

4. On SVR-1, create an Identikey Server record for SVR-2. 

5. On SVR-1, load the License Key for SVR-2 into the Identikey Server record just created. 

6. On SVR-1, create a Client record of type Administration Program for the SVR-2's Administration Web 

Interface. 

This will ensure that the Administration Web Interface for SVR-2 can connect to SVR-2 once the database is 

replaced. 

7. Stop the Identikey Server service or daemon on SVR-1 and SVR-2. 



9. Configure the Identikey Server on SVR-1 to replicate to SVR-2. Ensure that the encryption settings are 

replicated. Use the import/export encryption settings facility. 

10. The Identikey Server service on SVR-1 may be restarted now if needed – it will build up a replication queue 

until it can connect to SVR-2. 


Replication 

11. Overwrite the database used by the Identikey Server on SVR-2 with the copy from SVR-1. If you are using 

the embedded PostgreSQL database, see Step 2 of 6.2.2.2 Restore Database, Identikey Server Undamaged. 

12. Configure the Identikey Server on SVR-2 to replicate to SVR-1. 

13. Restart the Identikey Server service or daemon on SVR-2. If you did not restart the service on SVR-1 earlier, restart 

it now. 


17.2.2.2 Configure Replication to a Third or Subsequent Identikey Server 

Replication 

These instructions assume that you have two or more Identikey Servers replicating to each other, and wish to add 

another Identikey Server (SVR-3) in a simple replication chain. 

1. Select which Identikey Server - SVR-1 or SVR-2 – will be replicating data with SVR-3. For these instructions, 

SVR-2 is assumed. 

2. Install Identikey Server on SVR-3. 

3. Configure the Identikey Server on SVR-3 identically to that on SVR-2, using the Identikey Server Configuration 

GUI or the configuration file. 

4. Ensure that SVR-3 is functioning correctly. 

5. On SVR-2, create an Identikey Server record for SVR-3. 

6. On SVR-2, create a Client record of type Administration Program for the SVR-3's Administration Web 

Interface. 

This will ensure that the Administration Web Interface for SVR-3 can connect to SVR-3 once the database is 

replaced. 

7. On SVR-2, load the License Key for SVR-3 into the Identikey Server record just created. 

8. Stop the Identikey Server service or daemon on SVR-2 and SVR-3. 



10. Configure the Identikey Server on SVR-2 to replicate to SVR-3. Ensure that the encryption settings are 


11. The Identikey Server service on SVR-2 may be restarted now if needed – it will build up a replication queue 

until it can connect to SVR-3. 

12. Overwrite the database used by the Identikey Server on SVR-3 with the copy from SVR-2. If you are using 

the embedded PostgreSQL database, see Step 2 of 6.2.2.2 Restore Database, Identikey Server Undamaged. 

13. Configure the Identikey Server on SVR-3 to replicate to SVR-2. 


Replication 

14. Restart the Identikey Server service or daemon on SVR-3. If you did not restart the service on SVR-2 earlier, 

restart it now. 


17.2.2.3 Add Redundant Replication 

Replication 

You may wish to add redundancy replication into your system to add extra protection in case of connection 

problems or data corruption. Redundant replication adds an extra link to a standard replication chain, so that 

replication can occur via more than one route. 

The instructions below assume a replication chain, with replication being added between a primary Identikey 

Server (P-SVR-2) and a backup Identikey Server (B-SVR-1). 

1. Configure the Identikey Server on B-SVR-1 to replicate to P-SVR-2. Ensure that the encryption settings are 


2. Configure the Identikey Server on P-SVR-2 to replicate to B-SVR-1. Ensure that the encryption settings are 


3. Restart the Identikey Server service or daemon on each machine. 


18 Troubleshooting 

18.1 Troubleshooting Tools 

This section describes some tools and strategies available to you in troubleshooting problems. 

18.1.1 View Audit Information 

The Identikey Server can be configured to output audit messages to a number of locations: 

Windows Event Log 

Syslog 

Text file 

ODBC database 

Live Audit Viewer connection 

Troubleshooting 

If you are unsure how and where the Identikey Server is recording audit messages, open the Identikey Server 

Configuration utility and open the Auditing section. 

18.1.1.1 Windows Event Viewer 

18.1.1.2 Syslog 

18.1.1.3 Text file 

Filter for audit messages from the Identikey Server by: 

1. Click on View -> Filter... 

2. SelectIdentikey Server from the Event Source drop down list. 


Audit information may be written to the Syslog under Linux. See the Identikey Server Installation Guide for Linux for 

details on how to enable audit information to be written to the Syslog. 

To view audit messages written to a text file by the Identikey Server, either open the text file using a text editor, or 

use the Audit Viewer. 



See 14.1 Text File for information on configuring the Identikey Server to write audit messages to a text file and 

viewing audit text files in the Audit Viewer. 

18.1.1.4 ODBC Database 

18.1.2 Tracing 

To view audit messages written to an ODBC database by the Identikey Server, open the Audit Viewer. 

See 14.3 ODBC Audit Message Database for information on configuring the Identikey Server to write audit 

messages to an ODBC database and viewing audit messages from the database in the Audit Viewer. 

If you are having problems starting the Identikey Server or logging in via the Identikey Server, enabling tracing may 

allow you to track down the cause. 


2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of the Product Guide for 

more information). 

3. Enter a path and filename to which tracing information should be written, or use the default. 


5. Attempt a login. 

6. Check the trace file for information on the start-up conditions of the Identikey Server and of the login attempt. 


18.2 How To Troubleshoot 

This section gives you step-by-step guidelines for trouble shooting the components of Identikey Server. 

18.2.1 Connection Problems 


If a program or web site is returning an error message of 'connection refused' or similar when attempting a 

connection to an Identikey Server, check that a Client record of the correct type exists in the Identikey Server's data 

store for that program or web site. For example, an Administration Web Interface will be unable to administer data 

for an Identikey Server until a Client record of type Administration Program has been created for it. 

18.2.2 Installation Check 

The information in this section will enable you to check that various files have been installed in the correct locations 

and registered (where required), and Windows registry entries have been created and the correct values inserted. 

18.2.2.1 Windows Registry Entries 

Table 72: Registry Entries 

General 

Registry Path Key Name Value Notes 

HKEY_LOCAL_MACHINE\ 

Software\VASCO Data Security\ 



InstalledProducts\ 



InstalledComponents\ 

HKEY_LOCAL_MACHINE\Software\VAS 

CO Data Security\Identikey Server\ 

Digipass Extension for Active Directory Users and Computers 


Software\VASCO Data Security\ AD 

U&C Extension\ 

InstallDirectory Typically c:\program 

files\VASCO\Identikey Server 

Identikey Server 1 1 = installed 

0 = not installed 

If the Pack has been incorrectly 

installed, the key will typically be 

missing rather than having a value 

of 0. 

Check the recorded version 

numbers for various components. 

Version 1.0.0. Version number for the Identikey 


ApiLibrary \Bin\ 

aal3ad30.dll 

HKEY_LOCAL_MACHINE\ DialogLibrary \Bin\ 


Registry Path Key Name Value Notes 






Message Delivery Component 


System\CurrentControlSet\ 

Services\EventLog\Application\ Virtual 

Digipass Message Delivery Component\ 


System\CurrentControlSet\ 

Services\EventLog\Application\ Virtual 

Digipass Message Delivery Component\ 

Note 

18.2.2.2 Check Permissions 

dpwxlib.dll 

HelpFile \ Doc\ 

AD_Extension_Help.chm 

EventMessageFil 

e 

\Bin\ 

mdcserver.exe 


TypesSupported 1 1 = EVENTLOG_ERROR_TYPE 

See 9.2.1 Configuration Settings for VASCO CGI configuration settings in the Windows registry. 

Directory or File Permission(s) required Notes 

User Self Management Web Site (IIS) 

/dpselfservice/cgi execute 

\UserSite\CGI\usercgi.exe execute This is required on Windows 

Server 2003 only. 

OTP Request Site (IIS) 

/requestotp/cgi execute 

\VDPSite\CGI\vdpcgi.exe execute This is required on Windows 

Server 2003 only. 

Table 73: Permissions Required 

18.2.2.3 Default Policy and Component Created 

A default Policy and a Component for the Identikey Server should have been created during the installation. If they 

have not been created, the Identikey Server will not process authentication requests. 


Note 


These steps should only be followed if the Policies and Components have not been modified 

since installation. 

To check that Policies and Components were created successfully during installation: 


2. Click on Policies -> List. 

A Policy named Identikey Server Administration Logon should be included in the Policies List. 

3. Click on Components -> List. 

4. Check that a Component named Identikey Server is included in the Components List. 

5. Click on the Identikey Server Component record. 

6. Identikey Server Administration Logon should be selected in the Policy drop down list. 

18.2.3 Administration Web Interface Connection 

Security settings in your browser or firewall may block access to the Administration Web Interface. If this occurs, 

you will need to add it to the Trusted Sites list or add an exception to an access rule in the browser and/or firewall 

security settings. 

18.2.4 Message Delivery Component 

18.2.4.1 Enable Tracing 

1. Open the Configuration utility for the Message Delivery Component. 

2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of the Product Guide for 

more information). 

3. Enter a path and filename to which tracing information should be written. 


18.2.5 Open Port Numbers on Firewall 

The Identikey Server uses several different ports to communicate. If these are blocked by a firewall, some features 

will not work correctly. Listed below are the ports used by the Identikey Server, and the default port number used 

for each. If not otherwise specified, the settings are in Configuration. 


18.2.5.1 Incoming Ports 

Table 74: List of Incoming Ports Used by the Identikey Server 

Port Default Configuration Source 

SOAP Port 8080 Communicators section, SOAP tab, 

Port field. 

RADIUS 

Authentication Port 

RADIUS Accounting 

Port 

18.2.5.2 Outgoing Ports 

1812 Communicators section, RADIUS 

tab, Authentication Port field. 

1813 Communicators section, RADIUS 

tab, Accounting Port field. 

SEAL Port 20003 Communicators section, SEAL tab, 

Port field. 

Live Audit Port 20006 Auditing section, Live Audit Viewer 

method properties, Port field 

Table 75: List of Outgoing Ports Used by the Identikey Server 

Web Administration Interface 

SOAP Clients 

RADIUS Clients 

RADIUS Back-End Servers 

RADIUS Clients 


Digipass TCL Command-Line 

Administration 

IIS Modules 

Replication from other Identikey 

Servers 

Audit Viewer 

Port Default Configuration Destination 

RADIUS 

Authentication Port 

RADIUS Accounting 

Port 

1812 Back-End Server records 

(Authentication Port field) 

1813 Back-End Server records 

(Accounting Port field) 

SEAL Port 20003 Replication section, Destination 

Servers tab, destination server 

properties, Port field 



Replication to other Identikey 

Server 

Database Port N/A ODBC Driver ODBC Database, when located on a 

separate machine 

LDAP Port 389 Back-End Server records Novell e-Directory, Active Directory 

or ADAM Back-End Servers 

18.2.6 SOAP/SSL Certificates 


Please note that the test SSL certificate generated by the Configuration Wizard has a limited life. It may be 

necessary to renew it periodically. To avoid having to renew the test SSL certificate periodically you may purchase 

an SSL certificate. 


19 Audit Messages 

To set up auditing in the Identikey Server, see 11.3.7 

19.1 Audit Message Listing 

Table 76: Audit Messages List 

Message 

Code 

Auditing. 

Description Notes 

Audit Messages 

E000001 A system error has occurred. This message is used whenever there is a general 

processing error. It will contain full details of the error. 

E001001 The Digipass Plug-In failed to start up. The Plug-In encountered a fatal error on startup such 

as an invalid or missing configuration file. 

E001002 The Digipass Plug-In has been forced into the 

disabled state. 

The Plug-In has started up, but is in a disabled state 

in which it will not process authentication requests. 

This is typically due to a license problem (an invalid or 

missing License Key in the Plug-In's Component 

record); an invalid Component Location setting in the 

configuration file; or a missing Component record for 

the Plug-In. 

E001003 The Authentication Server failed to start up The Authentication Server encountered a fatal error on 

startup. This is typically due to an invalid or missing 

configuration file or failure to connect to the data 

store. 

E002001 The Active Directory AAL3 library failed to 

initialize. 

E002002 The Digipass Authentication library failed to 

initialize. 

The Active Directory 'AAL3' library encountered a fatal 

error on initialization, eg. invalid configuration settings 

in the configuration file. 

The 'Authentication' library encountered a fatal error 

on initialization, eg. invalid configuration settings in 

the configuration file. 

E002004 The RADIUS protocol handler failed to initialize. The protocol handler that receives and processes 

RADIUS requests did not start up. This may be 

because of a missing License Key in the 

Authentication Server Component record, or because 

the License Key in that Component record does not 

enable RADIUS support. Look for the line RADIUS=Yes 

in the License Key details. 

A common reason for this error, when RADIUS is 

enabled in the License Key, is that the RADIUS ports 

are already in use by another process on the machine. 

Alternatively, the configuration settings may be invalid. 

E002006 The Replication library failed to initialize. The Replication library encountered a fatal error on 


Message 

Code 

E002007 Initialization of a Replication destination server 

failed. 

E002008 The Authentication Server protocol handler failed 

to initialize. 

E002009 The VM2 Compatibility protocol handler failed to 

initialize. 

E009001 An error occurred in the Virtual Digipass 

Message Delivery Component. 

E012001 The RADIUS Profile was not found in Steel-Belted 

RADIUS. 

E012002 The RADIUS Attribute was not known by Steel- 

Belted RADIUS. 



initialization, eg. invalid configuration settings in the 

configuration file. 

The Replication library found the configuration of a 

Destination Server to be invalid. The library will still 

start up if its main configuration settings are valid and 

there is at least one valid Destination Server. For the 

invalid Destination Servers, this audit message is 

generated. 

The protocol handler that receives and processes 

administration requests and authentication requests 

from the IIS modules failed initialization. This is 

typically due to invalid configuration settings or 

because the API port is already in use by another 

process on the machine. 


authentication requests from the VACMAN Middleware 

version 2 IIS modules failed initialization. This is 

typically due to invalid configuration settings or 

because the API port is already in use by another 

process on the machine. 

The MDC encountered an error during the process of 

submitting a request to the HTTP gateway and 

interpreting the response. This may indicate a 

configuration problem for the gateway or connectivity 

issues. The audit message may contain further details 

from the gateway. 

When a RADIUS Profile name is in the Digipass User 

Account but that name is not found in SBR, the login 

is failed with this error. 

This can also occur if there is no RADIUS Profile in the 

Digipass User Account, but there is a Default RADIUS 

Profile configured that was not found in SBR. 

When the Digipass User Account has a RADIUS 

attribute in its Authorization Profiles/Attributes list, 

the attribute must be found in SBR. When such an 

attribute is not known to SBR, the login is failed with 

this error. 

The most likely reason for this error to occur is that 

the spelling of the attribute Name is different in SBR 

compared to the Digipass User account. This may also 

occur if the Value of the attribute does not convert to 

the correct data type expected by SBR. For example, if 

an IP address attribute has a Value which is not a 

representation of an IP address. 


Message 

Code 

E013001 A connection to an ODBC data source could not 

be established. 



An attempt to connect to an ODBC data source failed. 

This may occur because: 

the database is unavailable for some reason such as 

rebooting 

the database is too busy temporarily to service the 

connection 

there are networking problems 

your credentials used in connecting to the database 

are invalid. 

E013002 A connection to an ODBC data source is broken. An established connection to an ODBC data source 

has broken. This may occur because: 

the database suddenly becomes unavailable for some 

reason such as rebooting 

the database becomes too busy temporarily to service 

the connection 

there are networking problems. 

W004001 A connection attempt to Active Directory failed. An attempt to connect to an Active Directory Domain 

Controller failed. This may occur because: the Domain 

Controller is unavailable for some reason such as 

rebooting; the Domain Controller is too busy 

temporarily to service the connection; or there are 

DNS or networking problems. 

W004004 A connection attempt to a Replication destination 

server failed. 

W005001 A connection to Active Directory has terminated 

due to an error. 

W005004 A connection to a Replication destination server 

has terminated due to an error. 

An attempt by the Replication library to connect to a 

Destination Server failed. This may occur because: the 

incorrect IP address or port is configured; the 

Destination Server is unavailable for some reason 

such as rebooting; or there are 

networking/connectivity problems such as an 

intermediate firewall blocking the port. 

An established connection to an Active Directory 

Domain Controller has broken. This may occur 

because: the Domain Controller suddenly becomes 

unavailable for some reason such as rebooting; the 

Domain Controller becomes too busy temporarily to 

service the connection; or there are DNS or 

networking problems. 

An established connection to a Destination Server has 

broken. This may occur because the Destination 

Server suddenly becomes unavailable for some reason 

such as rebooting, or because of a temporary 

networking or connectivity problem. 

W006001 An invalid RADIUS packet has been received. A RADIUS request received was invalid (did not 

conform to the RADIUS protocol). The request is 

discarded. 


Message 

Code 

W006002 A RADIUS request has been received from an 

unknown source. 

W006003 A request has been received from a RADIUS 

Client with no Shared Secret defined. 

W006004 A RADIUS request forwarded by this server has 

been received – there must be a circular proxy 

chain. 

W006005 An Access-Challenge received from the RADIUS 

Server cannot be handled. 



This can also occur when a response is received from 

a RADIUS Server to which a request was forwarded, if 

the response was invalid. The response is discarded. 

A RADIUS request was received but there is no 

RADIUS Client Component for the source of the 

request, and there is no “default” RADIUS Client 

Component. The request is discarded. 

This audit message will be repeated at intervals when 

the same unknown source sends requests, but not for 

every request. 

A RADIUS request was received where there is a 

RADIUS Client Component for the source of the 

request, but that Component record does not have a 

Shared Secret defined. Therefore, it is not possible to 

handle the request and it is discarded. 

This will not occur if there is a “default” RADIUS Client 

Component that has a Shared Secret. 

This audit message will be repeated at intervals when 

the same source sends requests, but not for every 

request. 

This can occur when the Identikey Server forwards a 

request to a RADIUS Server, and the RADIUS Server 

forwards the request back, due to its own proxy rules. 

It can also occur indirectly in a longer 'proxy chain'. 

The request is discarded, otherwise an infinite loop 

could be created. 

If this occurs, there must be an error in the proxy 

configuration of the RADIUS Server(s). 


request to a RADIUS Server and the RADIUS Server 

responds with an Access-Challenge. An Access- 

Challenge can only be handled when the Identikey 

Server forwards the password unmodified to the 

RADIUS Server. If the Identikey Server verifies an OTP 

and forwards the static password to the RADIUS 

Server, it is not possible to handle an Access- 

Challenge from the RADIUS Server. 

W006006 A RADIUS Server is not responding. The Identikey Server has not managed to get a 

response from the RADIUS Server for some time. This 

message indicates that there may be a problem with 

the RADIUS Server. 

W009001 Virtual Digipass One Time Password delivery 

failed. 

The MDC could not successfully deliver a text 

message via the HTTP gateway. The audit message 

should contain further details from the gateway. 


Message 

Code 

W010001 A blank password was used for Back-End 

Authentication, as Stored Password Proxy is 

disabled and the user did not enter a static 

password. 

W011001 A Backup Virtual Digipass quota of uses has 

been finished. 

W011002 No Digipass was found to assign to a new 

Digipass User Account for Auto-Assignment. 



This message only occurs when the Back-End 

Authentication setting is Always. 

When Stored Password Proxy is disabled, the 

Identikey Server does not pass on the password 

stored in the Digipass User Account to Windows for 

Back-End Authentication. If a User does not enter their 

password as well as their OTP, the login will fail 

because their password has not been provided to 

Windows. 

BVDP Uses Remaining has just been decremented to 

0 for a Digipass. The User will not be able to use that 

Digipass for Backup Virtual Digipass logins until the 

Uses Remaining is increased or cleared. 

No available Digipass were found for Auto- 

Assignment. This may be because: there were no 

unassigned Digipass in the right location; the 

unassigned Digipass did not conform to Policy 

restrictions; the unassigned Digipass were Reserved 

for individual assignment. 

The location in which the Identikey Server searches for 

available Digipass records can be controlled to some 

extent using the Search Upwards in Org. Unit 

hierarchy setting. 

W011003 A Digipass User Account has become locked. A User just exceeded the User Lock Threshold of 

failed logins and their Digipass User Account is now 

Locked. Administrator action is required to unlock the 

account. 

W012002 A Replication update received has been ignored, 

as the local data is more up-to-date. 

The Authentication Server has received a data update 

from another Authentication Server via the Replication 

process, but its local data is already newer than the 

data received via Replication. 

It is normal that this can occur, but it can also indicate 

a potential synchronization issue. 

W012003 A Replication queue entry has not been inserted. This can occur when a replication queue has reached 

its maximum size. This is most likely to occur when 

the destination server is down or cannot be contacted 

due to a networking problem. 

W013001 An invalid request has been received by the 

Authentication Server. 

W013002 A request has been received by the 

Authentication Server from an unknown source. 

The Authentication Server has received an invalid 

authentication, administration or Replication request. 

The Authentication Server has received an 

authentication, administration or Replication request 

from an unknown or unauthorized source. If the 

request was from a valid source, this message 


Message 

Code 



indicates that a Component record is missing (or that 

a required restart of the Service has not been made 

since the creation of the necessary Component 

record). 

W014001 The License Key is missing or invalid. A valid, unexpired license key is required to process 

any kind of authentication request. This message will 

be generated periodically when authentication 

requests are received by the Authentication Server, 

when it does not have a valid License Key. 

I001001 The Digipass Plug-In has started up successfully. Configuration details are given in the audit message. 

I001002 The Authentication Server has started up 

successfully. 

I002001 The Active Directory AAL3 library has been 

initialized successfully. 

I002002 The Digipass Authentication library has been 


I002004 The RADIUS protocol handler has been initialized 

successfully. 

I002006 The Replication library has been initialized 

successfully. 

I002007 Initialization of a Replication destination server 

succeeded. 

I002008 The Authentication Server protocol handler has 

been initialized successfully. 

I002009 The VM2 Compatibility protocol handler has been 


I003001 The Digipass Plug-In has shut down. 

I003002 The Authentication Server has shut down. 

I004001 A connection attempt to Active Directory was 

successful. 

I004004 A connection attempt to a Replication destination 

Configuration details are given in the audit message. 

Note that the Authentication Server can start up 

successfully even if a component such as the RADIUS 

protocol handler does not start up successfully. 

The Active Directory 'AAL3' library has completed 

initialization. Configuration details are given in the 

audit message. 

The 'Authentication' library has completed 

initialization. Configuration details are given in the 



RADIUS requests started up. Configuration details are 

given in the audit message. 

The Replication library was initialized successfully. 


The Replication library initialized a Destination Server 

successfully. Configuration details are given in the 



administration requests and authentication requests 

from the IIS modules was initialized successfully. 



authentication requests from the VACMAN Middleware 

version 2 IIS modules was initialized successfully. 



Message 

Code 

server was successful. 

I005001 A connection to Active Directory has been 

terminated normally. 

I005002 A connection to Active Directory has been timed 

out for load-balancing. 

I005004 A connection to a Replication destination server 

has been terminated normally. 




Domain Controller has ended with a normal 

disconnection. 


Domain Controller has been ended for load-balancing 

purposes. Periodically the connections will be dropped 

and new ones established, in case there is a less busy 

Domain Controller available. The time period is 

defined by the configuration setting Max-Bind- 

LifeTime in the file, in minutes. 

An established connection to a Replication Destination 

Server has ended with a normal disconnection. 

I006001 A RADIUS Access-Request has been received. The Identikey Server has received an Access-Request. 

The audit message will indicate what action will be 

taken as well as key details of the request. 

I006002 A RADIUS Accounting-Request has been 

received. 

The Identikey Server has received an Accounting- 

Request. The audit message will indicate what action 

will be taken as well as key details of the request. 

I006003 A RADIUS Server has started responding again. After the Identikey Server had not managed to get a 

response from the RADIUS Server for some time, this 

message indicates that it is responding again. 

I007001 A RADIUS Access-Accept has been issued. The Identikey Server has accepted an Access- 

Request. Note however that it is still possible that after 

the Identikey Server has accepted the request, 

another component of the overall process may still 

decide to reject the request ultimately. 

I007002 A RADIUS Access-Challenge has been issued. The Identikey Server has issued a challenge, either 

Challenge/Response or Virtual Digipass. 

I007003 A RADIUS Access-Reject has been issued. The Identikey Server has rejected an Access-Request. 

I007004 A RADIUS Accounting-Response has been 

issued. 

I008001 A Digipass has been moved for assignment to a 

user. 

I008002 A user-to-user link has been removed due to 

assignment of a Digipass. 

The Identikey Server has acknowledged an 

Accounting-Request. Note however that unless the 

request is forwarded to a RADIUS Server, no 

processing is carried out by the Identikey Server. 

Upon assignment of a Digipass to a User, if the 

Digipass is not already in the same location 

(Organizational Unit) as the User, it is moved to that 

location. 

If a Digipass User Account is linked to another in order 

to share the Digipass, it must not have a Digipass 

assigned itself. If a Digipass is assigned, the link will 


Message 

Code 

I009001 A Virtual Digipass One Time Password has been 

delivered. 


be broken. 


The MDC successfully delivered a text message via 

the HTTP gateway, as reported by the gateway. The 

audit message may contain further details from the 

gateway. 

Note that depending on the gateway, it may still be 

possible for delivery to fail after the gateway has 

reported success. 

I010001 User authentication was not handled. The Identikey Server decided not to handle an 

authentication request due to Policy and/or Digipass 

User Account settings. The main reasons why this 

may occur are: the effective Local Authentication and 

Back-End Authentication settings were both None; 

the User failed the Windows Group Check, using the 

Pass requests for users not in listed groups back to 

host system option. 

Note that the 'effective' settings are the effective 

settings of the Policy, unless the Digipass User 

Account overrides the Policy. 

I010002 A stored password change was unhandled. The Identikey Server decided not to handle a 

password change request due to Policy and/or 

Digipass User Account settings. The main reasons 

why this may occur are: the effective Local 

Authentication and Back-End Authentication settings 

were both None; the User failed the Windows Group 

Check, using the Pass requests for users not in listed 

groups back to host system option. 




I011001 A Digipass Grace Period has been ended by the 

use of a One Time Password. 

I011002 A Backup Virtual Digipass expiration date has 

been set due to the first request for a Virtual One 

Time Password. 

I011003 A Backup Virtual Digipass time limit has been 

expired by the use of the normal One Time 

Password. 

The first time that an assigned Digipass is used 

successfully to log in, if a Grace Period is still active, it 

is ended immediately. They must continue to use their 

Digipass to log in after that point. 

A User has requested a Backup Virtual Digipass OTP 

for the first time, when the effective Backup VDP 

Enabled setting is Yes – Time Limited and they did 

not already have an Enabled Until date set on their 

Digipass. At this time, they are given the Time Limit 

from the Policy by adding it to the current date. 

A User who has been using Backup Virtual Digipass 

has used their normal OTP login using the Digipass 

again. When the effective Backup VDP Enabled 


Message 

Code 

I011004 A Backup Virtual Digipass quota of uses has 

been set due to the first request for a Virtual One 

Time Password. 

I011005 A Digipass User Account has been created using 

Dynamic User Registration. 

I011006 A new static password has been stored using 

Password Autolearn. 

I011007 A Digipass has been assigned to a new Digipass 

User Account using Auto-Assignment. 

I011008 A Digipass has been assigned to a Digipass User 

Account using Self-Assignment. 

I011009 A Digipass challenge has been issued for a Self- 

Assignment attempt. 



setting is Yes – Time Limited, using the normal OTP 

login ends their time limit immediately. This is done by 

setting the Enabled Until date on their Digipass to the 

current date. 

An administrator action is required to reset their 

Enabled Until date, if the User is to be allowed to use 

Backup Virtual Digipass again. 

A User has requested a Backup Virtual Digipass OTP 

for the first time, when the effective Backup VDP 

Max. Uses/User setting is greater than 0 and they did 

not already have a Uses Remaining date set on their 

Digipass. At this time, they are given the Max. 

Uses/User limit from the Policy. 

A Digipass User Account has been created 

automatically upon successful Back-End 

Authentication. This occurs when the Dynamic User 

Registration feature is enabled. 

A new static password has been stored in the 

Digipass User Account after successful Back-End 

Authentication. This occurs when the Password 

Autolearn feature is enabled. 

Upon creation of a new Digipass User Account 

through Dynamic User Registration, an available 

Digipass has been assigned to the new account 

automatically. This occurs when the Auto-Assignment 

feature is enabled. 

A User has successfully assigned a Digipass to 

themselves using the Self-Assignment feature. 

A User has obtained a challenge during an attempt to 

assign a Digipass to themselves using the Self- 

Assignment feature. In order to complete the 

assignment, they must provide the correct response to 

the challenge from the Digipass. 

I011010 A user has changed their Digipass PIN. A User has changed their Server PIN during their 

login, or set it up on first use or after a PIN reset. 

I011011 Successfully assigned Digipass The Digipass has been successfully assigned during 

Software Digipass Provisioning. 

I011012 Added new Digipass for Web activation location A new Digipass has been added for a Web activation 

location during Software Digipass Provisioning. 

I011013 Static Password Update Successful The static password for the User has been 

successfully changed. 

I013001 A connection to an ODBC data source has been 


Message 

Code 

made successfully. 

I013002 A connection to an ODBC data source has been 

terminated normally. 

S001001 A query for a single [object] record was 

successful. 



An established connection to an ODBC data source 

has ended with a normal disconnection. 

The Identikey Server or an administrator has made a 

successful query to the data store for a single record. 

In the case of the Identikey Server this may be a 

search for its Component record; for an administrator 

it could be any single record query. The audit 

message has details of the record found. 

S001002 A query for [object] records was successful. The Identikey Server or an administrator has made a 

successful query to the data store for some records. 

In the case of the Identikey Server this may be a 

search for a RADIUS Client Component record; for an 

administrator it could be any list query. The audit 

message has details of the records found but this may 

be truncated. 

S001003 A command of type [object] [command] was 

successful. 

An administrator has issued a successful data 

modification command such as an update of settings 

or one of the Digipass Application operations like 

Reset PIN. The audit message has details of the 

command and results. 

S002001 User authentication was successful. The 'Authentication' library has passed authentication 

for a request. Note however that the Identikey Server 

or another component of the overall process may still 

decide to reject the request ultimately. 

S002002 User authentication issued a challenge. The 'Authentication' library has issued a challenge for 

an authentication request, either Challenge/Response 

or Virtual Digipass. 

S002004 A stored password change was successful. The Authentication Server has successfully processed 

a password change request. 

S003001 A Replication update was sent successfully. This message is audited at the source server, when a 

database change is sent to a destination server and 

processed successfully. 

S003002 A Replication update received has been 


This message is audited at the destination server, 

when a database change is received and processed 

successfully. 

S004001 An administrative logon was successful. An administrative logon to the Authentication Server 

was successful. 

S004002 A Live Audit connection was successful. A Live Audit connection to the Authentication Server 

was successful. 

S005001 Registration Successful The registration of a Software Digipass during 


Message 

Code 


Provisioning was successful. 


S005002 Activation Successful The activation of a software Digipass during Software 

Digipass Provisioning was successful. 

S006001 Signature Validation Successful. When signing a transaction using the Signature 

Verification function, the signature validation was 

successful. 

F001001 A query for a single [object] record failed. The Identikey Server or an administrator has made an 

unsuccessful query to the data store for a single 

record. In the case of the Identikey Server this may be 

a search for its Component record; for an 

administrator it could be any single record query. The 

audit message has basic details of the failure, but 

there should be a preceding E000001 with more 

details. 

F001002 A query for [object] records failed. The Identikey Server or an administrator has made an 

unsuccessful query to the data store for some 

records. In the case of the Identikey Server this may 

be a search for a RADIUS Client Component record; 

for an administrator it could be any list query. The 

audit message has basic details of the failure, but 

there should be a preceding E000001 with more 

details. 

F001003 A command of type [object] [command] failed. An administrator has issued an unsuccessful data 

modification command such as an update of settings 

or one of the Digipass Application operations like 

Reset PIN. The audit message has basic details of the 

failure, and there may be a preceding E000001 with 

more details. 

F002001 User authentication failed. The 'Authentication' library has failed authentication 

for a request. The audit message has details of the 

failure (see 20 Error and Status Codes) and there may 

be a preceding E000001 with error details. 

F002003 A stored password change failed. The Authentication Server has not processed a 

password change request. The audit message has 

details of the failure (see 20 Error and Status 

Codes) and there may be a preceding E000001 with 

error details. 

F003001 Sending a Replication update was unsuccessful. This message is audited at the source server, when a 

database change is not sent to a destination server 

successfully, or it was sent but the processing at the 

destination was unsuccessful. 

F003002 Processing a Replication update received was This message is audited at the destination server, 


Message 

Code 



unsuccessful. when a database change is received but is not 


F004001 An administrative logon was rejected. The 'Authentication' library has failed an 

administrative login request. The audit message has 

details of the failure (see 20 Error and Status 

Codes) and there may be a preceding E000001 with 

error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for 

example if the user's credentials were OK but they did 

not have Administrative Logon privilege. 

F004002 A Live Audit connection was rejected. The 'Authentication' library has failed a Live Audit 

connection request. The audit message has details of 

the failure (see 20 Error and Status Codes) 

and 

there may be a preceding E000001 with error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for 

example if the user's credentials were OK but they did 

not have Administrative Logon or Live Audit 

Connection privilege. 

F005001 Static Password verification failed During Software Digipass Provisioning the static 

password for the User was not verified. 

F005001 Backend Authentication failed During Software Digipass Provisioning, the back-end 

authentication for the User failed. 

F005001 Digipass assignment failed Assignment of the digipass failed during Software 

Digipass Provisioning. 

F005001 Reactivation not allowed. The specified Software Digipass may not be 

reactivated. The number of reactivations for Software 

Digipass is limited. The limit may have been 

exceeded. 

F005002 Multiple Digipass found where a single Digipass 

was required 

During Software Digipass Provisioning more than one 

Digipass was found that fulfilled the criteria specified. 

F005002 OTP verification Failed The One Time Password generated from the Digipass 

used in the Provisioning process has not passed 

validation. 

F006001 Signature Verification failed. When attempting to sign a transaction using an 

electronic Signature, the signature did not pass the 

verification phase. The transaction will not be signed. 

F006001 Multiple Digipass found where a single Digipass 

was required. 

When using the Signature function, Identikey Server 

found more than one Digipass record assigned to the 

user. 

F006001 Required request input fields missing The Signature function requires up to eight input 


Message 

Code 



fields. The input fields are defined when the 

Signature function is set up. One or more of those 

input fields was missing in this transation. 


20 Error and Status Codes 

This section lists the standard error and status codes with the associated messages. 

20.1 Error Code Listing 

Table 77: Error Code List 

Error Code Message Notes 

0 (No error) 

Error and Status Codes 

-1 An unspecified error occurred This error code may occur when a more specific error code 

is not available or was recorded separately. 

-2 The parameters supplied were invalid Parameters supplied to a function or command were 

invalid. 

-3 A memory error occurred Memory allocation failed. This is normally due to the system 

running low on memory. 

-10 A communications error occurred Inter-process or inter-component communication failed. 

This may also occur with communications to Active 

Directory or a database. This error is normally accompanied 

by further details. 

-11 A license error has occurred General-purpose license failure when a more specific code 

is not available or was recorded separately. 

-12 An operating system call failed A system call failed. This may include file handling, Active 

Directory Services Interface and other calls. It is normally 

accompanied by further details. 

-13 The object was not found An attempt was made to perform an operation on an object, 

such as an Active Directory object, but the object did not 

exist. For example, this may occur when one administrator 

deletes a record that another administrator is about to 

update, when the update operation is attempted. 

-14 The object already exists An attempt was made to create an object, such as an 

Active Directory object, but the object already exists. For 

example, this may occur when two administrators try to 

create the same record at the same time. 

-15 The supplied buffer was of the incorrect size An internal data buffer was of insufficient length to hold the 

data required. 

-16 A version error has occurred A version mismatch has occurred. Further details in the 

error record will indicate what versions were mismatched. 

-17 The supplied data are invalid General-purpose error when input data to an operation is 

incorrect. Further details of the error will be recorded. 

-18 The object is invalid An attempt was made to perform an operation upon an 



object type that was not recognized. 


-19 The command is invalid An attempt was made to perform an operation using a 

command that was not recognized. 

-20 The object is in use An attempt was made to delete an object, such as an 

Active Directory object, but that object was in use. 

This may occur when you try to delete a Policy, but another 

Policy inherits from the one you are deleting, or a 

Component uses the Policy. 

-21 The operation is not supported General-purpose error when an operation is attempted on 

an object that does not support it. For example, an attempt 

is made to generate a Virtual Digipass OTP using a Digipass 

that is not enabled for Virtual Digipass. 

-22 An object error has occurred General-purpose error on an operation on an object. This 

should be supplemented with more specific details. 

-23 A required field was missing An operation was attempted without specifying one or more 

mandatory input fields. 

-24 Auditing failed An operation failed because auditing was mandatory, but 

failed. 

-30 The configuration is invalid The configuration data in the configuration file are invalid. 

The error record should indicate which specific data were 

invalid. 

-31 A type mismatch has occurred General-purpose error when one datatype is expected but a 

different datatype was provided. 

-32 One or more objects were not initialized Internal initialization error. More specific error details will be 

recorded. 

-33 The cache is full An attempt was made to add an entry to a cache, but the 

cache has reached its configured maximum size. 

-34 The cache entry has reached the maximum 

reference count 

-35 The system is currently too busy to service the 

request 

An attempt was made to retrieve an item from a cache, but 

the item was already in use and the configuration indicates 

a limit on the number of times an item can be retrieved 

from the cache at one time. 

The system received a new request for processing, but hit a 

resource usage limit of some type. This indicates that the 

system is too loaded to handle the request. For example, 

there may be no spare database connection to use, even 

after waiting a short time for one to become available. 

-80 A timeout has occurred An operation failed because of a timeout. 

-100 An invalid plugin was supplied Audit configuration specifies a plugin method that is 

unknown or that could not be successfully loaded. 

-101 There is no space left to write the message While auditing to text file, the server was unable to write. 

This would normally occur if disk space has run out. 




-140 A Digipass error has occurred General-purpose failure of a Digipass operation such as 

OTP verification, Reset PIN, Unlock, etc. This is normally 

accompanied by a more specific error code and message 

from the VACMAN Controller library. 

-150 Delivery of the Virtual Digipass One-Time 

Password failed 

A Virtual Digipass OTP was generated successfully, but 

delivery by text message failed. A separate message will 

give more details about the failure. 

-200 The license has expired The License Key has an expiration date set, and the date 

has passed. A permanent License Key must be obtained. 

-201 The license data are invalid One of the details embedded into the License Key is invalid 

for the Component in which it is being loaded. The 

Component will not be able to use the License Key. This 

may be IP address, Component Type, or any other detail 

that can be seen in the License Key text. 

-202 The License Key is corrupted The signature at the bottom of the License Key is invalid. 

This would typically occur if the License Key details were 

modified in any way. 

-250 Decryption has failed - no Storage Key is 

specified in the Encryption Settings 

-251 Decryption has failed - an incorrect Cipher is 

specified in the Encryption Settings 

-252 Decryption has failed - an incorrect Storage 

Key is specified in the Encryption Settings 

Some encrypted data has been created or modified using 

configured, rather than default, encryption settings. This 

error occurs when that data is read by a component that 

does not have configured encryption settings – the 

component is therefore unable to decrypt the data. 

It is necessary to configure the encryption settings in the 

component. See 4 Sensitive Data Encryption for more 

information on encryption settings. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Cipher Name – the 


It is necessary to make sure that the encryption settings in 

all components are identical. See 4 Sensitive Data 

Encryption for more information. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Storage Key – the 


It is necessary to make sure that the encryption settings in 

all components are identical. See 4 Sensitive Data 

Encryption for more information. 

-300 A database error occurred General-purpose error on a database operation. This should 

be supplemented with more specific details. 




-350 The request received was discarded A replication update that was received was found to be 

superseded by a later change. In this case, the update is 

discarded, as it is no longer relevant. 

This may occur when creating a record, after a record has 

been deleted then re-created. 

It may occur when modifying a record, if a later 

modification occurred before replication could apply the first 

change. 

-351 The request received must be retried A replication update that was received could not be applied 

immediately. In this case, the update is rejected. The retry 

mechanism at the source server will re-send the update, 

according to its configuration settings. 

This may occur if a record does not exist yet, when trying to 

apply a modification or deletion. 

It may occur after a record has been deleted and recreated, 

when a modification of the record is replicated but 

the sequence of deletion and re-creation has not been 

followed in the correct order. 

-352 A replication queue entry had an invalid hash 

value 

When an entry was read from the replication queue before 

sending, its integrity hash value check failed. This suggests 

that the queue entry may have been modified since it was 

added to the queue. In this case, the queue entry is not 

trusted and an error is reported. 

-353 The replication queue is full An operation failed because it needed to update the 

database, but the update could not be added to the 

Replication queue. If the queue is full, no database updates 

are allowed, to avoid the databases getting too far out of 

synchronization. 

Check the Replication Status dialog in the Administration 

MMC Interface and the Replication audit messages to 

investigate why the queue has become full. It is necessary 

to reduce the queue size in order for the system to continue 

to function. 

If this error occurs often, without good reason, consider 

increasing the maximum queue size. This can be 

configured in the Replication tab of the Authentication 

Server Configuration GUI. 

-500 The Service was already started When trying to start a Service, the Service was already 

running. 

-501 The Service was already stopped When trying to stop a Service, the Service was not running. 

-10051 File name is blank. No file name was specified. 

-10052 Failed to open File. The file could not be opened. The file does not exist or the 

user attempting to open the file does not have read 

permission for the file. 




-10057 User ID is longer than 255 characters. The maximum User ID length has been exceeded. 

-10059 Password is longer than 255 characters. The maximum Password length has been exceeded. 

-10060 User Name is longer than 64 characters. The maximum User Name length has been exceeded. 

-10061 Serial Number is longer than 10 characters. The maximum Serial Number length has been exceeded. 

Serial Number must be 10 characters, with no dashes (-) 

and with leading zeros (0) to make it up to 10 characters. 

-10062 Serial Number is less than 10 characters long. The minimum Serial Number length has not been provided. 

Serial Number must be 10 characters, with no dashes (-) 

and with leading zeros (0) to make it up to 10 characters. 

-10063 Serial Number contains non-alphanumeric 

characters. 

-10064 Organizational Unit is longer than 255 

characters. 

The Serial Number contains non-alphanumeric characters. 

Serial Number must be 10 alphanumeric characters, with 

no dashes (-). 

The maximum Organizational Unit length has been 

exceeded. 

-10065 Domain is longer than 255 characters. The maximum Domain length has been exceeded. 

-10066 Distinguished Name is longer than 1024 

characters. 

The maximum LDAP Distinguished Name (DN) length has 

been exceeded. 

-10067 Mobile Number is longer than 64 characters. The maximum Mobile Phone length has been exceeded. 

-10069 A syntax error occurred reading from the file. A syntax error occurred while reading lines from the import 

file: double-quotes were missing; there are too many fields 

in the line; a comma is missing between fields. 

-10070 The file contains characters that are not UTF-8 

encoded. 

The import file must be fully UTF-8 encoded when extended 

or Unicode characters are included. This message indicates 

that non-UTF-8 characters were found in the file. 

-10072 Phone Number is longer than 64 characters. The maximum Phone Number length has been exceeded. 

-10073 Email Address is longer than 64 characters. The maximum Email Address length has been exceeded. 

-10074 No User ID was given. Either the User ID or, for 

Active Directory, the Dishinguished Name is 

needed to import a user. 

-10075 The Mobile No. is invalid. Only numbers, 

spaces, dashes (-) and brackets are allowed 

with a + at the start to indicate a country code 

if needed. 

-10076 The Phone No. is invalid. Only numbers, 

spaces, dashes (-) and brackets are allowed 

with a + at the start to indicate a country code 

if needed. 

-10077 The specified email address contains invalid 

characters and is not in the form 

user@domain. 

A User ID must be supplied to import a user. The only 

exception is when using Active Directory, it is sufficient to 

give the Distinguished Name instead of the User ID. 

The Mobile Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In addition 

a + is allowed at the start for the country code. 

The Phone Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In addition 

a + is allowed at the start for the country code. 

The Email Address is only allowed to include alphanumeric 

characters, @, dots (.), underscores (_) and dashes (-). 



-10078 The Field Header was not found or invalid 

when reading from the file. 


The first line of an import file must be a header line. The 

header line is a comma-separated list of field names, 

indicating which fields are included in every other line of the 

file. 

This message indicates that the header line was not found, 

that it included unknown field names or that it was not a 

comma-separated list of field names. 

See the Import User Records topic in the online Help for 

the Administration MMC Interface for a definition of the 

import file header format. 

-400 There was no comms descriptor available The comms descriptor map has not been loaded. (support) 

-401 The supplied address could not be resolved name resolution, i.e. DNS, netbios etc 

-402 A socket error occurred. Descriptor should be 

closed 

(communication protocol mismatch 

-403 Descriptor was in the wrong state e.g. trying to bind the socket twice 

-404 The maximum number of open descriptors has 

been reached 

-405 The connection has been closed by the remote 

end 

-406 The command would block, use 'select' should not be seen as a runtime error 

-407 The command is in progress, use 'select' should not be seen as a runtime error 

-408 The comms descriptor is not valid e.g. the socket has not been created 

-450 The key received was invalid The encryption key is somehow invalid 

-550 The config file/registry data could not be read This error may be returned when a corrupt config file is 

used 

-600 One of the RADIUS attributes was invalid RADIUS attribute field layout is invalid 

-601 The action will result in a size limitation being 

exceeded 

A buffer overflow would occur, this is only used within the 

RADIUS library 

-602 An invalid dictionary file was used this does not appear to be returned anywhere 

-650 Initialisation of lock failed 

-700 Failed to open handle Normally occurs when a file cannot be opened 

-800 An invalid length was supplied looks like this error is currently only used in the case where 

a programming error has occurred, resulting in an incorrect 

length parameter being passed to the mschap function 

"CreateVSAttribute" 

-801 Memory allocation failed This appears to only be used by the "demotoken" code 

-802 Password was blank Can occur when attempting to verify a MSCHAP/MSCHAP2 

password when the subsequently hashed password 

provided by the used is equivlent to hashing a blank string, 

i.e. the provided password is blank 




-803 Password was invalid Occurs within MSCHAP/MSCHAP2 password verification 

when the provided password is incorrect and it is not a 

blank string 

-1001 The packet is from an unknown source A client component does not exist for the client who sent 

the packet 

-1002 The shared secret of the packet's source is 

unknown 

There is no shared secret within the client component for 

the peer which sent this packet 

-1003 Incorrect response authenticator The response packet returned from the RADIUS server 

bears an incorrect authenticator 

-1004 The Message-Authenticator attribute was not 

correct 

The message-authenticator appears to only be checked in a 

response 

-1005 The packet is not from the address sent to The response from the backend does not match the source 

address to which the request was sent 

20.2 Status Code Listing 

Table 78: Status Code List 

Status Code Message Notes 

0 No error 

 

The status codes from -1 downwards match the Error 

Codes above. 

1000 The credentials were invalid General-purpose failure due to invalid username or 

password, when a more specific status is unavailable. 

1002 The user failed the Windows Group Check The Identikey Server rejected an authentication 

request due to the Windows Group Check failing. 

This can occur when the effective Windows Group 

Check option is Authenticate listed groups, reject 

others. 

Note that the 'effective' setting is the effective setting 

of the Policy, unless the Digipass User Account 

overrides the Policy. 

1004 The challenge has expired A response to challenge has been given, but the 

expiration time for the challenge has expired. The 

default expiration time is one minute, however this 

can be configured in the configuration file 

VASCO/AAL3/Authlib/Challenge-Cache/Max-Age 

setting (in seconds). 

1005 The user does not have permission to perform General-purpose failure of an administration 




the specified action command when the administrator does not have 

sufficient privileges to carry out the command. 

1007 The user account is locked The Digipass User Account is Locked. This is normally 

due to consecutive login failures, as determined by 

the Policy setting User Lock Threshold. Alternatively 

the administrator can actively lock the account. 

To unlock the User account, an administrator has to 

uncheck the Locked checkbox on the User record. 

1008 The One Time Password has already been used This status code occurs specifically when an OTP is 

rejected because it has already been used. It may also 

occur when the OTP has not been used but is older 

than the most recently used OTP. 

This can sometimes happen when an authentication 

request is re-sent automatically. 

1009 The user account is disabled The Digipass User Account is Disabled. This may be 

because the administrator has actively disabled the 

account, or because the corresponding Windows User 

account has become disabled or expired. 

1010 No user account was found An authentication request was rejected because no 

Digipass User account was found and Local 

Authentication is required by the Policy. 

1011 The static password was incorrect As part of Local Authentication, verification of the 

static password failed. 

1012 The One Time Password was incorrect Verification of the OTP failed. More specific details 

may be found in the VACMAN Controller error code 

and message. 

1013 The challenge was invalid A response to a challenge was given, but the 

challenge was not the latest one issued for that 

Digipass. This is controlled by the Check Challenge 

Policy setting. 

1014 The Digipass Grace Period has expired A User attempted to log in with their static password, 

but their Grace Period had already expired. They have 

to use a Digipass to log in. 

If they do not have their Digipass yet, the 

administrator will have to allow them more time by 

modifying the Grace Period End date on their 

Digipass record. 

1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual Digipass 

OTP, but they were not permitted. This would normally 

occur when either: 

The effective Backup VDP Enabled setting is Yes – 

Time Limited, and the Digipass Backup VDP Enabled 

Until date is the current date or before. 




The Digipass Backup VDP Uses Remaining counter 

has reached 0. 

In both cases, administrator intervention is required to 

permit the User to continue to use Backup Virtual 

Digipass. The Enabled Until or Uses Remaining limits 

need to be increased to permit this. 


of the Policy, unless the Digipass record overrides the 

Policy. 

1016 The Digipass is not available A User attempted Self-Assignment, but the Digipass 

they requested either could not be found within the 

search scope or was already assigned to someone 

else. 

This may occur because of a mistyped Serial Number. 

Otherwise, the search scope may be incorrect or the 

Digipass may not be in the correct location to be 

made available to the User. See the Location of 

Digipass Records section in the Product Guide. 

1017 The user account has no mobile number for 

Virtual Digipass 

1018 No password was supplied for a Virtual Digipass 

login 

A User requested a Primary or Backup Virtual Digipass 

OTP, but it could not be delivered because the User 

account had no mobile phone number. In Active 

Directory this is the first Mobile No. on the record. 

A User attempted a Virtual Digipass login, but did not 

enter a password in the second stage of the login. See 

10.1.9 Virtual Digipass for more information. 

1019 The new password confirmation failed In a password change request, the new password was 

not confirmed correctly. 

1020 Local authentication failed General-purpose failure of Local Authentication when 

a more specific status code is not available. Additional 

information should provide more specific details. 

1021 Back-end authentication reported that the 

password has expired 

Back-End Authentication (eg. Windows) failed 

because the password was correct but it has expired. 

1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A 

specific error code and message will accompany this 

record. 

1030 The policy was invalid An authentication request was rejected because the 

applicable Policy had invalid settings or failed to load. 

This should not occur, but is possible due to the delay 

in Active Directory replication for example. The two 

main ways in which a Policy can become invalid are: 

One or more choice list settings are Default in the 

Policy, and its parent Policy if it has one. 

A circular chain of Policies has been created, for 

example: Policy A inherits from Policy B; Policy B 



1031 The policy does not allow a self-assignment 

attempt 

1032 Hashed passwords cannot be verified by 

Windows 


inherits from Policy C; Policy C inherits from Policy A. 

The Policy must be fixed in order for authentication to 

be permitted using that Policy. 

A User attempted Self-Assignment, but it is not 

permitted under the Policy. 

An authentication request could not be processed 

successfully because Back-End Authentication using 

Windows was required, but the User's password was 

hashed. It is not possible to verify hashed passwords 

with Windows. This can occur when a CHAP-based 

protocol is used – this includes CHAP, MS-CHAP, MS- 

CHAP2, EAP-MD5 and other more complex protocols 

that utilize a one-way hash of the password entered 

by the User. 

Note that the effective Back-End Authentication 

setting is the effective setting of the Policy, unless the 

Digipass User Account overrides the Policy. 

1033 A Digipass must be used The effective Local Authentication setting is Digipass 

Only and the User tried to log in with a static 

password. 




1034 Challenge/Response is not supported by CHAPbased 

protocols 

1035 Challenge/Response is not supported by 

Windows 2000 

Challenge/Response is only supported in RADIUS 

using the PAP protocol. An attempt was made to 

generate a challenge using a CHAP-based protocol – 

this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 

and other more complex protocols. 

This status code can only occur in the Digipass Plug- 

In for IAS. There is a product limitation on Windows 

2000 only that Challenge/Response is not supported. 

It will occur if the User attempted to request a 

challenge. 

1036 1-Step Challenge/Response is disabled A request was made to generate a random challenge 

for 1-step Challenge/Response, but the applicable 

Policy does not have 1-step Challenge/Response 

enabled or does not specify the challenge length and 

check digit indicator. 

1037 Password Autolearn is disabled A request was made to update a user's Stored 

Password, but Password Autolearn is disabled, so the 

update is not permitted. Password Autolearn must be 

enabled for the password update request to be 

processed. 

1038 The administration session ID is not known at An administration command has been received, but 




this location the internal session ID is not recognised at the 

location from which the command came. This can 

only occur by attempting to reuse a session ID from 

another location. 

1039 The administration session is no longer active An administration command has been received, but 

the session has stopped or is unrecognised. This can 

occur due to an idle timeout, a maximum session 

length timeout or a restart of the Identikey Server. 

1040 Back-end authentication returned a Challenge 

that cannot be handled 

1041 No Digipass was found for the given Serial 

Number 

1042 Self-Assignment was attempted but Back-End 

Authentication did not occur to authenticate the 

static password 


request to a RADIUS Server and the RADIUS Server 

responds with an Access-Challenge. An Access- 

Challenge can only be handled when the Identikey 

Server forwards the password unmodified to the 

RADIUS Server. If the Identikey Server verifies an OTP 

and forwards the static password to the RADIUS 

Server, it is not possible to handle an Access- 

Challenge from the RADIUS Server. 

It can also occur if you use RADIUS Back-End 

Authentication for an IIS Module. In that case, Access- 

Challenge is not supported from the RADIUS Server. 

During a Self-Assignment attempt, the Serial Number 

provided by the User was not found in the data store. 

This mainly occurs when the Serial Number is entered 

incorrectly. It can also occur because the Digipass 

record is not in the User's Domain or Organizational 

Unit. 

Self-Assignment is not allowed without Back-End 

Authentication. This is required to validate the static 

password. 

1050 Reactivation is not allowed A reactivation attempt was refused for one of the 

following reasons: 

The Digipass has already been activated from 

the maximum number of allowed locations. This 

limit is controlled by the Provisioning Scenario 

configuration setting Max Locations. 

The maximum number of allowed activation 

attempts has already been reached. This limit is 

controlled by the Provisioning Scenario 

configuration setting Max Attempts. 

The minimum time interval required between 

activation attempts has not yet been reached 

since the last activation attempt. This limit is 

controlled by the Provisioning Scenario 

configuration setting Min Interval. 

1051 Multiple Digipass found where a single Digipass An activation attempt was made where the user had 




was required two or more Digipass that could be used. The 

activation request did not specify which Digipass 

should be used to handle the request. 

1052 The user account has no static password to 

encrypt the activation code 

If no Local Authentication or Back-End Authentication 

is done during an activation request, a static password 

is required from the Digipass User account. The 

password is used to encrypt the activation code. 

1053 No Digipass was available for assignment No available Digipass was found for the Provisioning 

Register request. The Digipass must be capable of 

activation and meet the Digipass restrictions in the 

Policy settings if any. 

1054 Error generating activation code Generation of an activation code for Provisioning 

failed. More specific details may be found in the 

VACMAN Controller error code and message. 

1060 The Signature failed validation Verification of the signature failed. More specific 

details may be found in the VACMAN Controller error 

code and message. 

1061 The Signature has already been used This status code occurs specifically when a signature 

is rejected because it has already been used. It may 

also occur when the signature has not been used but 

is older than the most recently used signature. 

This behaviour depends on the effective Online 

Signature Level Policy setting. 

1062 A Host/Confirmation Code is required but the 

Digipass Application is not able to generate it 

For an authentication request, a Host Code was 

required to be returned. The Digipass Application for 

which the OTP was validated was not capable of 

generating a Host Code. 

For a signature validation request, a Confirmation 

Code was required to be returned. The Digipass 

Application for which the signature was validated was 

not capable of generating a Confirmation Code. 

The DPX file that was used to import the Digipass 

Application controls whether the Host or Confirmation 

Code can be generated. 

3001 A Digipass Challenge was returned This status code is the standard code when a 

challenge is issued and does not indicate any kind of 

error. 

3002 No challenge was identified for the authentication A response to a challenge was given, but no challenge 

could be found. The most likely reason for this to 

occur is that the challenge is too old and has been 

removed from the challenge cache. It can also occur if 

no 'challenge key' was supplied with which to look up 

the challenge. 

3003 Back-end authentication returned a Challenge This occurs when a RADIUS Server responds with an 




Access-Challenge, in a case where the Identikey 

Server can handle it. 

5001 The user failed the Windows Group Check The Identikey Server decided not to handle an 

authentication request due to the Windows Group 

Check failing. This can occur when the effective 

Windows Group Check option is Pass requests for 

users not in listed groups back to host system. 




5002 Neither local nor back-end authentication was 

done due to policy and/or user settings 

The Identikey Server decided not to handle an 

authentication request because the effective Local 

Authentication and Back-End Authentication settings 

were both None. 





21 Technical Support 

If you encounter problems with a VASCO product please do the following: 

Technical Support 

1. Read the Troubleshooting topic in the Administrator Reference for help in discovering the source of your 

problem. 

2. Check if your problem is resolved in the Knowledge Base located at the following URL: 

http://www.vasco.com/support. 

3. If you do not find the information you need in the Knowledge Base, please contact the company that sold you 

the VASCO product. 

Only after doing these steps, if your problem is not yet solved, please contact VASCO support: 

21.1 Support Contact Information 

E-mail 

support@vasco.com 

Website 

http://www.vasco.com/support/contacts.html 

Phone 

Australia +61 2 8061 3700 (Sydney) 

Belgium +32 2 609 9770 (Brussels) 

Singapore +65 6 232 2727 

USA +1 508 366 3400 (Boston)

Identikey Server Administrator Reference - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?