Vasco IDENTIKEY Appliance Installation And Maintenance Manual Download Page 80 | Manualshive

Page: 80 / 87

background image

Image 43: Secure Auditing with HSM

IDENTIKEY Appliance will request a signature from the HSM for each epoch, and this will be used as an epoch ID.
An epoch keypair will be generated, consisting of an epoch public key and an epoch private key. Each Secure Audit
entry will contain the epoch public key, the epoch ID and an cryptographic signature which relates it to the previous
and subsequent entries.

To verify each Secure Audit entry, the Secure Auditing Verification Tool uses the following:

n

The epoch public key

n

The epoch ID (supplied on each secure audit line)

n

The master audit public key which has been exported to a

.pem

file.

The entire file will be verified with a

Yes

(verification successful) or

No

(verification unsuccessful) result provided

after verification.

13.3.1. Secure Auditing with SafeNet

The ctcert tool provided with SafeNet software is used to apply the required configuration to the HSM for Secure
Auditing. Refer to the

ProtectToolkit C Administration Guide

supplied with the HSM for more details and further

options for ctcert.

To enable Secure Auditing on the HSM, the Master Audit keypair must be created. Use ctcert to create the Master
Audit Keypair and then export the public certificate from the device.

A Master Audit keypair requires an attributes file. This file contains details of the issuer, subject, and key usage for
this certificate. The minimum key usage required is:

keyusage { digitalSignature, nonRepudiation }

The following is an example of the contents of an attributes file.

Example

label { MasterAuditCertificate }

serialnumber { 1234 }

issuer {

CN=MasterAudit,

OU=Identikey,

O=VASCO,

C=US

13. Hardware Security Module

IDENTIKEY Appliance 3.11.12 - Installation and Maintenance Guide

80

«
...
78
79
80
81
82
...
»

Summary of Contents for IDENTIKEY Appliance

Page 1: ...IDENTIKEY Appliance Installation and Maintenance Guide 3 11 12...

Page 2: ...es for any loss damage or expense incurred by you your company or any third party arising from the use or inability to use VASCO Software or Mater ials or any third party material available or downloa...

Page 3: ...imitations 12 4 Connecting IDENTIKEY Appliance to your Network 13 4 1 Overview 13 4 2 Powering on IDENTIKEY Appliance 13 4 3 Connecting to your Network 14 5 First Time Configuration 16 5 1 Overview 16...

Page 4: ...sing IDENTIKEY Appliance 53 8 3 Current License Screen 54 8 4 Re Licensing Scenarios 54 9 Updating IDENTIKEY Appliance 57 9 1 Overview 57 9 2 Retrieving Offline Update Packages 57 9 3 Using the Update...

Page 5: ...Replacement IDENTIKEY Appliance 71 12 RAID 72 12 1 Maintaining RAID 72 13 Hardware Security Module 75 13 1 Supported Hardware Security Modules 75 13 2 SafeNet HSMs 75 13 3 Secure Auditing With Hardwar...

Page 6: ...rd Activation Confirmation 29 Image15 Licensing Wizard Welcome 30 Image16 Licensing Wizard System Information 31 Image17 Licensing Wizard Upload License 32 Image18 Licensing Wizard LicenseActivation 3...

Page 7: ...ge37 Backup and Restore Configuring Automatic Backups FTP SFTP Settings 65 Image38 Backup and Restore Configuring Automatic Backups ScheduleSettings 66 Image39 Backup and Restore Configuring Scripted...

Page 8: ...able Index Table1 IDENTIKEY ApplianceDimensions 11 Table2 Settings for Connecting aComputer toIDENTIKEY Appliance 44 Table of Contents IDENTIKEY Appliance3 11 12 Installation and MaintenanceGuide viii...

Page 9: ...ocedures such as updating and re licensing n IDENTIKEY Appliance Product Guide Describes the structure of the product the concepts underpinning authentication and how IDENTIKEY Appliance can support a...

Page 10: ...length of 3 0 meters 2 3 Personal Environmental and IDENTIKEY Appliance Safety To avoid back injuries when lifting the IDENTIKEY Appliance avoid injuries to your back by using your leg muscles Keep y...

Page 11: ...Celsius 40 to 158 degrees Fahrenheit n Humidity Range 8 to 90 non condensing n Non Operating Humidity Range 5 to 95 non condensing n Power Supply Thermal control 260 W AC power supply with PFC 24 pin...

Page 12: ...g models of the DIGIPASS authenticator n E signature DIGIPASS DIGIPASS 760 n Software DIGIPASS DIGIPASS for Mobile and DIGIPASS for APPS Note The new functionalities introduced in the context of Multi...

Page 13: ...information in the 2 Safety and Environmental Information section Check that all the package contents you need have been supplied They are listed on a separate sheet supplied with your IDENTIKEY Appli...

Page 14: ...able is correctly plugged into one of the LAN Ethernet interfaces n The network cable is correctly plugged in to your network hub or switch Image 2 AG 3XXX left and AG 5XXX Models right and lights ind...

Page 15: ...d indicated by the messages time out or destination host unreachable n Check that the workstation s TCP IP settings are correct see points 1 and 2 above n Check that the network cable is in good worki...

Page 16: ...e of a license key to make the appliance fully operational After installation and before Licensing the IDENTIKEY Appli ance Configuration Utility is accessible for configuration and management but the...

Page 17: ...SL Secure Socket Layer encryption over the HTTPS protocol 5 2 1 Browsers IDENTIKEY Appliance was implemented to adhere to common Web standards and is expected to be fully oper ational in the latest st...

Page 18: ...ificate the browser presents a warning ask ing you to accept the certificate to continue Note The procedure for accepting a certificate varies between browsers Internet Explorer is used in the example...

Page 19: ...e user name and password is Username sysadmin Password sysadmin On accessing the Configuration Tool IDENTIKEY Appliance automatically detects that this is a first time installation and launches the Co...

Page 20: ...t 3 Oracle Binary Code license agreement for Java SE 4 Password Change 5 Hostname 6 Network Settings 7 Time Synchronization 8 Appliance CA Information 9 Activation Configuration Wizard screens are sho...

Page 21: ...5 3 1 Welcome Image 6 Configuration Wizard Welcome 5 First Time Configuration IDENTIKEY Appliance3 11 12 Installation and MaintenanceGuide 21...

Page 22: ...Configuration Wizard End User License Agreement Read the license agreement carefully To accept the terms select Accept this End User License Agreement 5 First Time Configuration IDENTIKEY Appliance3 1...

Page 23: ...e default system administrator s password is critically important for security Using the default sysadmin user account for accessing the Configuration Tool is less secure than using a new user account...

Page 24: ...ble For more information refer to the IDENTIKEY Appliance Administrator Guide Image 9 Configuration Wizard Password Change 5 First Time Configuration IDENTIKEY Appliance3 11 12 Installation and Mainte...

Page 25: ...5 3 5 Hostname Image 10 Configuration Wizard Hostname 5 First Time Configuration IDENTIKEY Appliance3 11 12 Installation and MaintenanceGuide 25...

Page 26: ...EY Appliance For more information refer to the IDENTIKEY Appliance Product Guide VASCO Service Center section A direct connection to the VASCO Customer Portal requires a default gateway to be configur...

Page 27: ...ee Section 1 1 8 Activation Successful if you opt to disable Continue to the license wizard 5 3 7 Time Synchronization Image 12 Configuration Wizard Time Synchronization Enter an NTP server name or us...

Page 28: ...tomatically generated certificates 5 3 9 Activation Confirmation After all data has been entered correctly IDENTIKEY Appliance can be activated by clicking Finish Click Finish to start up the Licensin...

Page 29: ...Licensing Wizard is launched via two methods n Immediately after completing the First time Configuration Wizard via the Activation Successful page n After completing the Configuration Wizard via a sta...

Page 30: ...formation about when re licensing is necessary refer to 8 Re Licensing IDENTIKEY Appliance 5 4 1 Welcome Image 15 Licensing Wizard Welcome 5 First Time Configuration IDENTIKEY Appliance3 11 12 Install...

Page 31: ...5 4 3 Acquiring a VASCO License File Two types of license file exist n A commercial license file which remains valid indefinitely n An evaluation license file which is only valid for 30 days To acquir...

Page 32: ...TIKEY Appliance On the Upload License page browse to the downloaded license file and click Nextto upload the file Image 17 Licensing Wizard Upload License 5 4 5 License Activation The IDENTIKEY Applia...

Page 33: ...rmation The License Activation Confirmation page will be displayed to confirm activation This page indicates that IDENTIKEY Appliance services such as authentication are now available 5 First Time Con...

Page 34: ...tion Server Setup Wizard will walk you through the configuration of several basic IDENTIKEY Authentication Server settings These settings include master domain an administrator login Hardware Security...

Page 35: ...es At this stage you have the option to enable a Hardware Security Module HSM or Secure Auditing See the IDENTIKEY Appliance Product Guide for more information on these features Note You cannot disabl...

Page 36: ...seconds has elapsed Secure Auditing setup will be different depending on whether or not you have any HSM enabled If you have an HSM enabled encryption settings will be stored on that HSM see 13 3 Secu...

Page 37: ...oduct Guide Before starting ensure that the license for IDENTIKEY Appliance includes Hardware Security Module functionality For more information about setting up information required to populate the f...

Page 38: ...s a The first administrator for IDENTIKEY Authentication Server b An administrator login for the Configuration Tool 2 Enter and confirm a password The password format must conform to the IDENTIKEY Aut...

Page 39: ...figure Once the details have been provided on the IDENTIKEY Authentication Server Setup Wizard screens IDENTIKEY Authentication Server will be configured with the minimum details allowed for first tim...

Page 40: ...tivating a IDENTIKEY Appliance support certificate 1 Open a web browser and go to the VASCO Customer Portal https cp vasco com Type the maintenance reference and serial number provided by VASCO for yo...

Page 41: ...on 3 Scroll down to Contract certificate select the Download contract certificate hyperlink and download and save the certificate file 4 Access the Configuration Tool 5 Select Settings Certificates 6...

Page 42: ...ion Server When migrating to IDENTIKEY Appliance IDENTIKEY Virtual Appliance from IDENTIKEY Authentication Server you can use the Data Migration Tool and the IDENTIKEY Appliance Update Wizard to migra...

Page 43: ...the package as described in Sections 9 3 1 Select Update and 9 3 3 Verify Update and Install Update to complete data migration 5 First Time Configuration IDENTIKEY Appliance3 11 12 Installation and M...

Page 44: ...fer to 6 3 Adding Authentication for the Rescue Tool You can access the Rescue Tool using one of the following methods n If using IDENTIKEY Virtual Appliance switch to the console view in your hypervi...

Page 45: ...he Rescue Tool These users can be configured to enter other login credentials in addition to the rescue user name To define these users can be defined access the IDENTIKEY Appliance Configuration Tool...

Page 46: ...e Rescue Tool The Number of Additional Logins field enables you to define how many user Ids and passwords have to log in besides the first user This adds further security to the rescue tool login This...

Page 47: ...ess 6 4 1 Resetting IDENTIKEY Appliance 6 4 1 1 Resetting to Factory Default Warning The following Configurations and data are reset if you select the Reset to Factory Default option n Data including...

Page 48: ...yes to confirm settings reset Any IP addresses specified with the Limit Access to Networks setting are cleared effectively allowing access to the Configuration Tool from any client computer 6 4 2 Chan...

Page 49: ...Appliance Procedure 6 Pinging an IP Address 1 type n for network menu 2 type p to enter the Ping menu 3 Enter the IP address or hostname of the system you want to ping The Rescue Tool will then ping t...

Page 50: ...and Shutting Down If IDENTIKEY Appliance is shut down incorrectly it can be corrupted One of the following methods of powering off or rebooting IDENTIKEY Appliance should be used in the following ord...

Page 51: ...st a user name and password to be used for the reset There are three possible outcomes of this operation a If the user name provided is identical to the one provided when running the IDENTIKEY Authent...

Page 52: ...een installed through an update i e not a clean install you can revert to the previously installed version using Revert to a previous version of IDENTIKEY Appliance For more information refer to 9 4 R...

Page 53: ...When IDENTIKEY Appliance has been restored to factory default to remove all data and clean the appli ance see 8 4 5 Restoring to Factory Default For more information about license types and re licensi...

Page 54: ...rors refer to 14 1 Support Procedure Procedure 10 Re licensing for a change of IP address or a backup restored to a different appliance 1 Contact your IDENTIKEY Appliance supplier tor release the appl...

Page 55: ...click Next It is not necessary to download a system information file for re licensing a new license option or type d On the Upload License page browse to and upload the license file License dat which...

Page 56: ...he appliance license from the old configuration key 2 Launch the Licensing Wizard see 8 2 Accessing the Wizard for Re Licensing IDENTIKEY Appliance 3 Complete the Licensing Wizard for a commercial lic...

Page 57: ...gain to the Configuration Tool The Status screen displays feedback concerning the update status If a power failure or other unforeseen event occurs during the update process a fail over system reverts...

Page 58: ...date Packages 3 Select the required iso file to download the selected package for your product and click Save File in the following dialog 9 3 Using the Update Wizard The Update Wizard consists of a n...

Page 59: ...he Verify Update page see 9 3 3 Verify Update and Install Update 9 3 2 Available Updates On Line Process Only On this page the wizard displays the retrieval steps and lists any updates that are availa...

Page 60: ...ecific upgrade other data acquired since the upgrade may be removed includ ing n Audit database records n System statistics It is recommended to contact VASCO support to address your problem before re...

Page 61: ...nce will reboot and revert to the previous version 9 4 3 Additional Considerations Reverting to a previous version is only available if the current version has been installed using an upgrade i e not...

Page 62: ...EY Appliance see 10 7 Configuring Scripted Backups 10 3 Restoring IDENTIKEY Appliance The Restore function is a manual process it allows administrators to upload configuration settings and data which...

Page 63: ...lick Save After configuration custom encryption will be applied to manual automatic and scripted backups of IDENTIKEY Appliance 10 5 Performing Manual Backups Procedure 17 Performing a manual backup 1...

Page 64: ...utomatic backup 1 In the IDENTIKEY Appliance Configuration Tool navigate to System Backup Restore 2 OPTIONAL Select Use Custom Encryption Pass Phrase and type a pass phrase twice to prevent typing err...

Page 65: ...tory and authentication settings and click Fetch Fingerprint to automatically retrieve the fingerprint b Click download Public key to retrieve the IDENTIKEY Appliance public key and install it on the...

Page 66: ...backup script tool to request a backup from IDENTIKEY Appliance The URL to access the IDENTIKEY Appliance backup is https ip_address system backup download Procedure 19 Configuring a scripted backup 1...

Page 67: ...Save to apply the configuration Note The user name and password for a script to authenticate to IDENTIKEY Appliance and download a backup can be freely chosen and defined in the System Backup tab The...

Page 68: ...he Restore Wizard appears 3 Specify the backup file and if required the backup passphrase The passphrase is required if custom encryption has been used for backup The backup file is uploaded and valid...

Page 69: ...Considerations To restore a backup on a replacement IDENTIKEY Appliance follow the procedure for a regular replacement see 11 Replacing an IDENTIKEY Appliance 10 Backing Up and Restoring IDENTIKEY App...

Page 70: ...e to your network see 4 Connecting IDENTIKEY Appliance to your Net work 2 Open the IDENTIKEY Appliance Configuration Tool see 5 2 Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool...

Page 71: ...twork 2 Open the IDENTIKEY Appliance Configuration Tool see 5 2 Accessing and Logging in to the IDENTIKEY Appliance Configuration Tool 3 Complete the Configuration Wizard see 5 3 Configuration Wizard...

Page 72: ...sed in two out of three available slots The RAID is configured using a wizard available via the IDENTIKEY Appliance Configuration Tool whenever an action is required For more information about the RAI...

Page 73: ...e stopped by the IDENTIKEY Appliance The disk needs to be physically removed from the respective slot in the IDENTIKEY Appliance AG 7XXX and a new disk needs to be physically inserted Afterwards the w...

Page 74: ...ge b Replace the hard disk physically The wizard returns to the RAID Maintenance Status and Actions page and offers the Add action c Select Add for the replacement disk to be added to the RAID configu...

Page 75: ...eNet HSMs In order to set up SafeNet HSMs to work with IDENTIKEY Appliance you need to set up the following components Software The following software must be installed on the HSM n Version 2 07 or hi...

Page 76: ...ign an unsigned VACMAN Controller functionality module with your own self signed certificate you need the mkfm tool which is included in the Protect Processing Orange Software Development Kit v3 00 Pr...

Page 77: ...CertificateName jaal2sdk fm Warning Storage and sensitive data keys cannot be created in the admin slot The VACMAN Controller VASCO SafeNet HSM packages will contain a signed version of the VACMAN Co...

Page 78: ...use n encrypt enabled n wrap and unwrap enabled n private optional n All other options disabled 13 2 4 Creating SafeNet Sensitive Data Keys After installing a SafeNet Hardware Security Module and crea...

Page 79: ...n Manual Section Trust Management and Section Token Replication The ProtectToolkit C Administration Manual is included in your SafeNet HSM documentation suite and is typically named ptk_c_administrati...

Page 80: ...ter verification 13 3 1 Secure Auditing with SafeNet The ctcert tool provided with SafeNet software is used to apply the required configuration to the HSM for Secure Auditing Refer to the ProtectToolk...

Page 81: ...key n Csecp256r1 means to create the key using this type of elliptic curve n 1825d creates a certificate which has a validity period of 1825 days from the date this com mand is run n MasterAuditKey w...

Page 82: ...fies the slot where the certificate is located n audit_cert pem is the PEM file that will contain the public certificate Note Secure Auditing for IDENTIKEY Appliance only supports elliptic curve keys...

Page 83: ...Allowing Remote Support Connections If necessary VASCO experts can access your IDENTIKEY Appliance remotely to solve problems Remote support requires a connection between the VASCO Customer Portal an...

Page 84: ...pport certificates you have previously imported using the Cer tificate Management tab For more information refer to the IDENTIKEY Appliance Administrator Guide Sec tion Certificate Management Image 45...

Page 85: ...be enabled without installing a support certificate by providing VASCO support VPN access to your network This allows direct access to the IDENTIKEY Appliance Configuration Tool 14 Support IDENTIKEY A...

Page 86: ...nsigned HSM module 76 SafeNet 75 Secure Auditing 79 SafeNet 80 supported models 75 K keystore 36 L License File 31 licenses upgrading 55 Licensing 12 16 28 30 53 54 70 M Master Audit Keypair 79 80 Mas...

Page 87: ...installation 77 Storage Data Key SafeNet 78 support certificate 40 activating 40 downloading 40 U unsigned HSM installation 76 upgrading licenses 55 IDENTIKEY Appliance3 11 12 Installation and Mainte...

Reviews:

No comments

Related manuals for IDENTIKEY Appliance

Express5800/180Ra-7

Brand: NEC Pages: 2

Express5800/120Rh-2

Brand: NEC Pages: 2

Express5800/120Rh-2

Brand: NEC Pages: 2

Express5800/120Rg-1

Brand: NEC Pages: 2

Express5800/120Rf-1

Brand: NEC Pages: 21

Express5800/120Ra-1

Brand: NEC Pages: 6

Express5800/120Mc2 series

Brand: NEC Pages: 2

EXPRESS5800/120Le

Brand: NEC Pages: 56

Express5800 320La

Brand: NEC Pages: 8

Express5800 120Li

Brand: NEC Pages: 2

Express5800 120Ed

Brand: NEC Pages: 29

Active Upgrade Express5800/320Fc

Brand: NEC Pages: 4

Brand: NEC Pages: 10

Express5800/120Rj-2

Brand: NEC Pages: 18

Express5800/120Rh-1

Brand: NEC Pages: 20

Bull NovaScale R620 Series

Brand: NEC Pages: 346

Express5800 320La

Brand: NEC Pages: 206

Express5800/R110j-1

Brand: NEC Pages: 30

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands