VACMAN Middleware Installation Guide


Upload: builien

Post on 26-Mar-2018



Installation Guide


Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages so the above limitation may not apply to you.

RADIUS Documentation Disclaimer

The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the VACMAN Middleware environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS.

Copyright

© 2007 VASCO Data Security Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.

Microsoft and Windows are registered trademarks of Microsoft Corporation.

All other trademarks are the property of their respective holders.


Table of Contents

1 Introduction
  1.1 Available Guides
  1.2 System Requirements
    1.2.1 Requirements Specific to Active Directory
    1.2.2 Requirements Specific to ODBC Database
  1.3 Software Components
    1.3.1 Required Components
    1.3.2 Optional Components
    1.3.3 Extra Utilities

2 Pre-installation Tasks
  2.1 Data Store
  2.2 Active Directory
    2.2.1 Checklist – Decisions
    2.2.2 Active Directory Setup
      2.2.2.1 Schema Extensions
    2.2.3 SSL Setup
  2.3 ODBC Database
    2.3.1 Checklist – Decisions
    2.3.2 Modify Database Structure
      2.3.2.1 DPDBadmin Utility
      2.3.2.2 Permissions
  2.4 Embedded PostgreSQL Database
    2.4.1 Local Users Group Permissions
  2.5 System Clock
  2.6 Serial Number and Maintenance ID
  2.7 Checklist – Active Directory
  2.8 Checklist – ODBC Database

3 Installing VACMAN Middleware
  3.1 Typical Installation – Active Directory
    3.1.1 Scenario & Decisions
    3.1.2 Extend Schema
    3.1.3 Run Install
  3.2 Typical Installation – Embedded Database
    3.2.1 Scenario
    3.2.2 Run Install
  3.3 Typical Installation – ODBC Database
    3.3.1 Scenario & Decisions
    3.3.2 Extend Schema
    3.3.3 Run Install
  3.4 Multiple Product Installation
  3.5 Post-Installation Tasks
    3.5.1 Licensing
      3.5.1.1 Obtain and Load License Key
      3.5.1.2 Evaluation Serial Number
    3.5.2 Encryption Settings
    3.5.3 Backup Strategy
    3.5.4 Audit Settings
    3.5.5 Active Directory Tasks
      3.5.5.1 Additional Setup Steps for Multiple Domains
      3.5.5.2 Set up Active Directory SSL
      3.5.5.3 Active Directory Replication
      3.5.5.4 Active Directory Auditing
    3.5.6 ODBC Database Tasks
      3.5.6.1 Dppostgres Local Machine Account Created
      3.5.6.2 Configure User ID and Domain Handling
      3.5.6.3 Permissions for Group Check
      3.5.6.4 Configure Connection Parameters
      3.5.6.5 Additional Databases
      3.5.6.6 Additional Setup Steps for Multiple Authentication Servers

4 Add Components to Installation

5 Repair Installation

6 Uninstall VACMAN Middleware
  6.1 Data Removal
    6.1.1 ODBC Database
    6.1.2 Active Directory

7 Extend Data Store Schema
  7.1 Active Directory
  7.2 ODBC Database

8 Technical Support
  8.1 Support Contact Information


1 Introduction

This Installation Guide is designed to provide you with the information you will need in order to install VACMAN Middleware. It will guide you through preparation, installation and post-installation tasks which may be required for your system.

1.1 Available Guides

The following VACMAN Middleware guides are available:

Product Guide

The Product Guide will introduce you to the features and concepts of VACMAN Middleware and the various options you have for using it.

Installation Guide

Use this guide when planning and working through an installation of VACMAN Middleware.

Getting Started

To get you up and running quickly with a simple installation and setup of VACMAN Middleware.

Administrator Reference

In-depth information required for administration of VACMAN Middleware. This includes references such as data attribute lists, backup and recovery and utility commands.

Data Migration Tool Guide

Takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.

Help Files

Context-sensitive help accompanies the administration interfaces.

1.2 System Requirements

Operating System

Windows Server 2003 (32-bit version only) with Service Pack 1 or above, or

Windows XP Professional (32-bit version only) with Service Pack 2 or above, or

Windows 2000 with Service Pack 4 or above

Language

VACMAN Middleware is designed to function on any language version of Windows. However, the product has only been comprehensively tested on English language versions of Windows.


1.2.1 Requirements Specific to Active Directory

Digipass Extension for Active Directory Users and Computers

Active Directory Users and Computers Snap-In

Active Directory set up for SSL

In the following cases, SSL must be available for VACMAN Middleware components to connect to Active Directory:

Authentication Server not installed on a Domain Controller.

Administration Interfaces not installed on a Domain Controller.

Authentication Server and/or Administration Interface(s) on a Domain Controller, but accessing data in another domain.

An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows Certificate Services is available as an optional Windows component.

However, if you do not wish to install a CA, you can select during installation not to use SSL.

1.2.2 Requirements Specific to ODBC Database

VACMAN Middleware will support most modern ODBC-compliant relational, transactional databases. It has been tested on the following databases:

Oracle 9i

Microsoft SQL Server 2000

Microsoft SQL Server 2005

DB2 8.1

Sybase Adaptive Server Anywhere 9.0

PostgreSQL 8.1.3


1.3 Software Components

VACMAN Middleware consists of various components, some necessary and some optional.

1.3.1 Required Components

Authentication Server

This is a Service that performs the authentication processing. It can receive authentication requests using the RADIUS protocol and requests from the IIS Module. If its data store is a database rather than Active Directory, administration is also carried out through the Authentication Server. For IIS Module and administration requests, a proprietary, encrypted, TCP/IP-based protocol is used.

IIS Module (Web authentication only)

For Web authentication, the IIS Module must be installed onto the web server. It is responsible for intercepting authentication requests and referring them to the Authentication Server.

Data Store

All information required by VACMAN Middleware is stored in Active Directory or an ODBC-compliant database. An embedded PostgreSQL database option is provided with VACMAN Middleware. The data store to be used is selected during installation.

Using Active Directory, administration is carried out by direct connection to the directory. Using a database, administration is carried out using the Authentication Server.

Administration MMC Interface

This interface is used in slightly different ways, depending on the data store used by VACMAN Middleware.

Active Directory

If Active Directory is used as the data store, the Administration MMC Interface will be used for administration of Policy, Component and Back-End Server records.

ODBC Database (including embedded database)

If an ODBC database is used as the data store, the Administration MMC Interface will be used for administration of all VASCO data.

Digipass Extension for Active Directory Users and Computers

A VASCO Extension to the Active Directory Users and Computers interface allows administration of additional User settings and Digipass records integrated with standard Active Directory User administration. This is only available when Active Directory is used as the data store for VACMAN Middleware.

Audit System

The Authentication Server provides a comprehensive audit trail of significant processing events such as successful and failed authentication attempts. The audit messages can be written to text files, the Windows Event Log and/or an ODBC-compliant database.

In addition it is possible to connect directly from an Audit Viewer (see below) to the Authentication Server, to receive a live feed of audit messages as they are generated.

1.3.2 Optional Components

Audit Viewer

The Audit Viewer is a Windows application that can display and filter audit messages from the Authentication Server. It can read the data from text files and ODBC databases, or receive a live feed from the Authentication Server.

Virtual Digipass

The VASCO components used for Virtual Digipass are:

Message Delivery Component

This is a Service that is responsible for delivering One Time Passwords through a text message HTTP gateway to a User’s mobile phone.

OTP Request Site

This is a miniature web site that allows a User to request a Virtual Digipass OTP to be sent to their mobile phone.

User Self Management Web Site

This is a miniature web site that allows Users to make appropriate changes to their own Digipass settings, such as PIN changes. This is used in a RADIUS environment, when the normal authentication requests are made using a CHAP-based protocol and therefore PIN changes and other 'self-management' features are not possible.

Digipass TCL Command-Line Administration

Administration may also be carried out using the Digipass TCL Command-Line Administration Utility, which allows interactive command-line and scripted administration of VACMAN Middleware data.

1.3.3 Extra Utilities

These extra utilities may be used with VACMAN Middleware, but require separate installations.

Data Migration Tool

The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your data from one VASCO product to another.

For VACMAN Middleware 3.0, it is also used for other purposes. It is used to upgrade from version 2.3 to 3.0, as there are significant data model changes between those versions. It is also used to migrate data from an embedded database to another ODBC-compliant database, or from a database to Active Directory.

RADIUS Client Simulator

The RADIUS Client Simulator is a program that simulates RADIUS Authentication and Accounting processing in a similar fashion to 'real' RADIUS clients. The RADIUS Client Simulator can be used to test Digipass authentication or to estimate performance.


2 Pre-installation Tasks

This section outlines the preparation that you need to do before installing VACMAN Middleware.

2.1 Data Store

Before starting other pre-install tasks, you must decide on the type of data store to be used. There are two options:

Active Directory

Integrate Digipass-related data with Active Directory and Windows user accounts.

Note

If your license is limited by a number of Digipass, the Active Directory option will not be supported by your license.

ODBC Database

Include Digipass-related data in a new or existing ODBC database. You may wish to use the embedded PostgreSQL database available with VACMAN Middleware.

Note

If you will be installing VACMAN Middleware with the embedded PostgreSQL database, you will need to run the installation on the machine itself, rather than via Terminal Server or another remote connection.


2.2 Active Directory

2.2.1 Checklist – Decisions

The following checklist contains the key decisions to make before you start.

Approve the Schema Extensions

If your company has an approval process to go through for extensions to the Active Directory Schema, go through this process.

Enterprise Root Certificate Server

If a new Certificate Server is required, and your company requires an approval process to be followed to install one, go through this process.

Identify the Digipass Configuration Domain

Either identify an existing Domain or sub-domain into which the Digipass Configuration Container should be added, or plan to create a new one.

Domain Administrator

Select a Domain Administrator account in the Digipass Configuration Domain to use in installing VACMAN Middleware.

Installation Location

Decide where to install the Authentication Server.

If you are installing with the purpose of going through a basic evaluation process, installing onto a Domain Controller is recommended. This will mean that SSL will not need to be set up in order for the Authentication Server to function.

2.2.2 Active Directory Setup

2.2.2.1 Schema Extensions

Run the addschema command:

1. Log into the Schema Master as a member of the Schema Administrators group.

2. Copy dpadadmin.exe onto the Schema Master.

3. Open a command prompt in the location to which it was copied.

4. Type:

dpadadmin addschema -v

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.

6. Wait several minutes for the Schema extensions to replicate to all the domains and for the local Domain Controller to update its internal data caches.

2.2.3 SSL Setup

An Enterprise Certificate Authority must exist in the forest so that SSL may be used by VACMAN Middleware to connect to Active Directory. If one is not already installed, follow the instructions below to install the Certificate Authority included with Windows.


Alternatively, you can select during installation not to use SSL. If so, no Certificate Authority is required.

The Certificate Authority may be installed on any server in the forest, if the server selected is available to the Domain Controller(s) used by the Authentication Server.

You may need the Windows CD in order to complete this process.

1. Open Windows Add or Remove Programs.

2. Click on the Add/Remove Windows Components button.

The Windows Components Wizard will be displayed.

3. Tick the Certificate Services checkbox and click Next.

4. Select the Enterprise root CA option button and click Next.

5. Enter the details required and click on Next.

6. If required, modify the Data Storage Locations. Otherwise, leave these as the default values and click on Next.

The Certificate Server has now been installed. Wait several minutes to allow the Domain Controllers to enrol for Domain Controller certificates.


2.3 ODBC Database

This section does not apply to the embedded database option, where this setup is carried out for you by the installation program. It applies if you provide your own ODBC database.

2.3.1 Checklist – Decisions

The following checklist contains the key decisions to make before you start.

Database Location and Setup

A number of decisions may be required for the ODBC database to be used:

The server on which the database will be located.

Will the data for the Authentication Server be stored in a new database, or added to an existing database?

If installing a Digipass Pack (e.g. Digipass Pack for RADIUS) with basic licensing options, you will need to use the embedded PostgreSQL database.

Will a new schema be used?

New Database

Decide the collation sequence to be used – for example, case-sensitivity.

Database User Accounts

Create or select database user accounts for:

Modifying the database schema (database administrator account required).

Authentication Server (see the Administrator Reference for details on the permissions required).

Administration MMC Interface if it will be connecting directly to the database (see the Administrator Reference for details on the permissions required).

2.3.2 Modify Database Structure

2.3.2.1 DPDBadmin Utility

Note

This is not required if you will be using the embedded PostgreSQL database.

The addschema command must be run to set up the required schema in the database to be used for VACMAN Middleware.

Run the addschema command:

1. Copy dpdbadmin.exe from the Windows/Utilities directory on the installation CD or zip file onto the computer from which the database can be accessed.

2. Create an ODBC Data Source for the database on the computer, if one does not currently exist.


3. Open a command prompt in the location to which it was copied.

4. Type:

dpdbadmin addschema -u user_name -p password -d dsn

Ensure that the User ID and password used are that of the database administrator account.

For further details on the DPDBADMIN utility, see 7.2 ODBC Database.

2.3.2.2 Permissions

If the database user account used by the Authentication Server is not the owner of the tables and is not a database administrator account, it must be granted permissions for the tables, or ownership of the tables transferred.

The database user account used by the Administration MMC Interface will require the same.

Note

Ensure that it is possible for the account(s) mentioned to reference the tables by name without a schema prefix. If this cannot be done, see the Administrator Reference for advanced setup instructions.


2.4 Embedded PostgreSQL Database

2.4.1 Local Users Group Permissions

If the local Users group has restricted permissions on the Program Files directory, the installation of the PostgreSQL database may fail. To avoid this problem, two options are available:

Set the required permissions for the local Users group

Create the PostgreSQL service account (it is usually created automatically during installation) and set the required permissions for it, before installation

The PostgreSQL service account requires a User ID of dppostgres and password of p!ss&0rd.

The permissions required for the Program Files directory are:

Read & Execute

List Folder Contents
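The pre-installation check described above can be scripted. The following PowerShell is an added example, not part of the VASCO guide or its tooling; the helper names Resolve-Sid and Test-ReadExecute are hypothetical, and the script inspects only access entries granted directly to the named group or account on the Program Files directory itself (it does not compute access gained through other group memberships).

```powershell
# Added example: verify the section 2.4.1 precondition before running setup.
# "Read & Execute" and "List Folder Contents" both map to the ReadAndExecute
# right on the directory object itself.
$required = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Resolve-Sid {
    param([string]$Account)
    # Returns the SID of an account or group, or $null when the name does not resolve.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null
    }
}

function Test-ReadExecute {
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = 0
    $deny  = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid.Value) { continue }
        # Inherit-only entries apply to child objects, not to this directory.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }
    # A Deny entry overrides any Allow entry for the same right.
    $granted = $allow -band (-bnot $deny)
    return (($granted -band $required) -eq $required)
}

$programFiles = $env:ProgramFiles
$usersSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)

# Option 1 from the guide: the local Users group has the permissions.
$usersOk = Test-ReadExecute -Path $programFiles -Sid $usersSid

# Option 2 from the guide: the dppostgres service account was created in
# advance and has the permissions itself.
$svcSid = Resolve-Sid "$env:COMPUTERNAME\dppostgres"

if ($usersOk) {
    Write-Output "OK: local Users group has Read & Execute on $programFiles"
} elseif ($svcSid -and (Test-ReadExecute -Path $programFiles -Sid $svcSid)) {
    Write-Output "OK: dppostgres exists and has Read & Execute on $programFiles"
} elseif ($svcSid) {
    Write-Output "FAIL: dppostgres exists but lacks Read & Execute on $programFiles"
} else {
    Write-Output "FAIL: Users group lacks Read & Execute and dppostgres does not exist yet"
}
```

Run it on the machine where setup will be executed; a FAIL line means one of the two options listed above still has to be completed before installing the embedded database.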

2.5 System Clock

The Authentication Server requires that:

Your server’s time is set correctly in relation to GMT, and

The time zone and daylight savings indicators are set correctly.

All machines hosting components of VACMAN Middleware, if not Domain Controllers, should be clock-synchronized with the Domain Controller(s) in the domain.

2.6 Serial Number and Maintenance ID

You must have a product Serial Number and a company Maintenance ID unless you are installing an evaluation version of VACMAN Middleware. If these have not been issued to you, contact your VASCO Reseller.


2.7 Checklist – Active Directory

Digipass Configuration Domain has been identified.

Active Directory Schema extensions have been made.

Active Directory changes have been replicated to all required Domain Controllers.

A Certificate Server is available, or not required (SSL will not be in use).

System clock and time zone settings are accurate.

Serial Number and Maintenance ID have been obtained.

Enterprise Certificate Authority is installed, if SSL is required.

2.8 Checklist – ODBC Database

Database schema modifications have been made to a new or existing database.

Database user account for Authentication Server has been created. Required permissions have been granted to the account(s).

System clock and time zone settings are accurate.

Serial Number and Maintenance ID have been obtained.


VACMAN Middleware Installation Guide Installing VACMAN Middleware

3 Installing VACMAN Middleware

3.1 Typical Installation – Active Directory

Note

If your license is limited by a number of Digipass, the Active Directory option will not be supported by your license.

3.1.1 Scenario & Decisions

This 'typical installation' process uses the following decisions and scenario:

Implementation Decisions

The following decisions were taken for the purposes of this installation process:

The Schema extensions have been approved.

The Digipass Configuration Domain has been identified as the existing sub-domain, test.dm3.vasco.

The member server SVR of the sub-domain test.dm3.vasco will be used to install VACMAN Middleware. This requires an Enterprise Certificate Authority to be installed in the forest, so that SSL is enabled. The instructions will take you through installing Windows Certificate Services onto a Domain Controller in the Forest Root domain.

The scenario

A Domain dm3.vasco (this is the Forest Root Domain).

A sub-domain test.dm3.vasco of dm3.vasco. The sub-domain acts as the Digipass Configuration Domain and contains all the configuration data, including Policies and Components.

A single RADIUS Server SVR, a member server in the Digipass Configuration Domain.

A Domain Controller DC-02 acting as the Schema Master on dm3.vasco.

Certificate Server will be installed on DC-02.

3.1.2 Extend Schema

Run the addschema command:

1. Log into the machine from which schema changes will be made (DC-02).

2. Copy dpadadmin.exe onto the machine.

3. Open a command prompt in the location to which it was copied.

4. Type:

dpadadmin addschema

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.

6. Wait several minutes for the Schema extensions to replicate to the sub-domain and for the local Domain Controller to update its internal data caches.


3.1.3 Run Install

Install the standard installation components on a single machine.

1. Start the VACMAN Middleware install process on the server (SVR).

If you are not using the CD Autorun interface, locate and double-click on the VACMAN_Middleware_3014_setup.exe file.

The VACMAN Middleware splash screen will be displayed, followed by the License Agreement dialog.

2. Read the agreement carefully.

3. To accept the License Agreement, click I Agree.

If you do not accept the License Agreement, and click Cancel, the install will terminate.


The Installation Type dialog will be displayed.

4. Select Server install using Active Directory and click on Next.

The Select Components dialog will be displayed.

5. Select the components you want to install. These components are required for the running and administration of the VACMAN Middleware:

Authentication Server

Digipass Extension for Active Directory Users and Computers

Administration MMC Interface


6. Click Next.

The Customer Information dialog will be displayed.

7. Enter your user name and company name.

8. If you are installing an evaluation copy of the VACMAN Middleware, tick the Use an evaluation license checkbox.

If not, enter the serial number for the product in the Serial Number field.

9. If there are multiple IP addresses registered for the machine, you will be asked which IP address the VACMAN Middleware should use. Select an IP address and click on the Next button.

10. Click on the Next button.


The Active Directory Pre-Requisites dialog will be displayed.

11. If this is not the first Authentication Server to be installed:

a. Ensure that Active Directory has had time to replicate changes to the Schema.

b. Tick the This is not the first Authentication Server to be installed checkbox.

12. If you have run the addschema command, click on Next.

If not, run the command (see 7 Extend Data Store Schema for instructions), wait for the Schema changes to be replicated to the sub-domain, then click on Next.

The install program will check the Active Directory Schema.


The Digipass Configuration Domain dialog will be displayed.

13. Enter the fully qualified name of the Domain in which VACMAN Middleware should store its data. This domain must currently exist.

14. Click on Next.

The Active Directory Certificate Authority dialog will be displayed.

15. If you wish to disable LDAP SSL in VACMAN Middleware, tick the checkbox and click on Next.


16. If you have chosen to install the User Self Management Web Site and IIS is installed on the machine, a pop-up dialog will ask if you wish to allow the install program to create a Virtual Directory on the default IIS web site on this machine, and install the User Self Management Web Site files there. Click Yes to allow this or No to set it up manually later.

17. If you have chosen to install the OTP Request Site and IIS is installed on the machine, a pop-up dialog will ask if you wish to allow the install program to create a Virtual Directory on the default IIS web site on this machine, and install the OTP Request Site files there. Click Yes to allow this or No to set it up manually later.

The Installation Directory dialog will be displayed.

18. To install to the default location (C:\Program Files\VASCO\VACMAN Middleware 3 if Windows is installed on the C: drive), click on Install. If you wish to install to a location other than the default, click on Browse, specify the installation location and click on Install.

The Installation Progress dialog will be displayed, showing the progress of your install.

Click Next when the install is complete.


The Activation Options dialog will be displayed.

19. Select a licensing option:

Note

If you are using an evaluation license, you still need to go through the license activation process.

Select the Go to the Activation Web page now option to immediately view the licensing page on the VASCO web site.

Check any details which were automatically filled in, fill in any extra information required, and select the method to receive the license key – either email or download.

After the Activation Web Page has been submitted, the license key file will either start downloading, or be emailed to the email address you supplied.

Save the license key file to a directory on the install machine (ensure that it is saved as a .dat file, not a .htm or .html file), then go back to the installation screen. The screen will allow you to browse to the license key file for immediate loading.

Select the Save a shortcut to the desktop for later option to save a shortcut on the desktop to use at a later time.

If you already have a license file, select the Load the License Key from an existing License File option.

Browse to the file location and select the license key file.

The install program will load the license key during the installation progress.

Select Just Continue to do nothing with the license at this time.


The Restart Required dialog will be displayed.

20. Click the Yes option button to restart the machine, or No to add the license file or perform other tasks before restarting.

21. Click Finish when this process is complete.


3.2 Typical Installation – Embedded Database

3.2.1 Scenario

This 'typical installation' process uses the following scenario:

A new database will be created during installation.

The machine on which VACMAN Middleware will be installed has been selected.

Note

If you will be installing VACMAN Middleware with the embedded PostgreSQL database, you will need to run the installation on the machine itself, rather than via Terminal Server or another remote connection.

3.2.2 Run Install

Install the standard installation components on a single machine.

1. Start the VACMAN Middleware install process on the machine (SVR).

If you are not using the CD Autorun interface, locate and double-click on the VACMAN_Middleware_3014_setup.exe file.

The VACMAN Middleware splash screen will be displayed, followed by the License Agreement dialog.

2. Read the agreement carefully.

3. To accept the License Agreement, click I Agree.

If you do not accept the License Agreement, and click Cancel, the install will terminate.


The Installation Type dialog will be displayed.

4. Select Server install with an embedded database (PostgreSQL).

5. Click Next.

The Select Components dialog will be displayed.

6. Select the components you want to install. These components are required for the running and administration of VACMAN Middleware where the embedded PostgreSQL database is used as the data store:

Authentication Server

Administration MMC Interface


Note

The Active Directory Users and Computers Extension option is unavailable when the Embedded Database installation type is selected.

Inclusion of this option when the Custom installation type is selected will cause Active Directory to be used as the data store.

7. Click Next.

The Customer Information dialog will be displayed.

8. Enter your user name and company name.

9. If you are installing an evaluation copy of the VACMAN Middleware, tick the Use an evaluation license checkbox.

If not, enter the serial number for the product in the Serial Number field.

10. If there are multiple IP addresses registered for the machine, you will be asked which IP address the VACMAN Middleware should use. Select an IP address and click on the Next button.

11. Click on the Next button.


The Initial Administrator Account dialog will be displayed.

12. Enter the User ID and password for an administrator account. The installation program will create a Digipass User account with all administration privileges which can be used for initial administration tasks.

13. If you have chosen to install the User Self Management Web Site and IIS is installed on the machine, a pop-up dialog will ask if you wish to allow the install program to create a Virtual Directory on the default IIS web site on this machine, and install the User Self Management Web Site files there. Click Yes to allow this or No to set it up manually later.

14. If you have chosen to install the OTP Request Site and IIS is installed on the machine, a pop-up dialog will ask if you wish to allow the install program to create a Virtual Directory on the default IIS web site on this machine, and install the OTP Request Site files there. Click Yes to allow this or No to set it up manually later.


The Installation Directory dialog will be displayed.

15. To install to the default location (C:\Program Files\VASCO\VACMAN Middleware 3 if Windows is installed on the C: drive), click on Install. If you wish to install to a location other than the default, click on Browse, specify the installation location and click on Install.

The Installation Progress dialog will be displayed, showing the progress of your install.

Click Next when the install is complete.


The Activation Options dialog will be displayed.

16. Select a licensing option:

Note

If you are using an evaluation license, you still need to go through the license activation process.

Select the Go to the Activation Web page now option to immediately view the licensing page on the VASCO web site.

Check any details which were automatically filled in, fill in any extra information required, and select the method to receive the license key – either email or download.

After the Activation Web Page has been submitted, the license key file will either start downloading, or be emailed to the email address you supplied.

Save the license key file to a directory on the install machine (ensure that it is saved as a .dat file, not a .htm or .html file), then go back to the installation screen. The screen will allow you to browse to the license key file for immediate loading.

Select the Save a shortcut to the desktop for later option to save a shortcut on the desktop to use at a later time.

If you already have a license file, select the Load the License Key from an existing License File option.

Browse to the file location and select the license key file.

The install program will load the license key during the installation progress.

Select Just Continue to do nothing with the license at this time.


The Restart Required dialog will be displayed.

17. Click the Yes option button to restart the machine, or No to add the license file or perform other tasks before restarting.

18. Click Finish when this process is complete.


3.3 Typical Installation – ODBC Database

3.3.1 Scenario & Decisions

This 'typical installation' process uses the following decisions and scenario for a Standard ODBC installation type, where you provide your own ODBC database. If you wish to use the embedded database option, see 3.2 Typical Installation – Embedded Database.

The scenario

A new database has been created.

A new database administrator account has been created. This account will own all tables and will be used:

in running the addschema command

by the Authentication Server

The machine on which the VACMAN Middleware will be installed has been selected.

A Data Source has been created on the server for the new database.

3.3.2 Extend Schema

Run the addschema command:

1. Copy dpdbadmin.exe from the Windows/Utilities directory on the installation CD or zip file onto the installation machine.

2. Create an ODBC Data Source for the database on the computer, if one does not currently exist.

3. Open a command prompt in the location to which the executable was copied.

4. Type:

dpdbadmin addschema -u user_name -p password -d dsn

Ensure that the username and password used are that of the database administrator account and that the dsn is the name of the ODBC Data Source.

For further details on the DPDBADMIN utility, see 7.2 ODBC Database.


3.3.3 Run Install

Install the standard installation components on a single machine.

1. Start the VACMAN Middleware install process on the machine.

If you are not using the CD Autorun interface, locate and double-click on the VACMAN_Middleware_3014_setup.exe file.

The VACMAN Middleware splash screen will be displayed, followed by the License Agreement dialog.

2. Read the agreement carefully.

3. To accept the License Agreement, click I Agree.

If you do not accept the License Agreement, and click Cancel, the install will terminate.


The Installation Type dialog will be displayed.

4. Select Server install using an ODBC-compliant database.

Note

If you are just evaluating or running a test install of the Authentication Server, you may wish to use the PostgreSQL database provided instead of providing your own database (see 3.2 Typical Installation – Embedded Database).


The Select Components dialog will be displayed.

5. Select the components you want to install. These components are required for the running and administration of the VACMAN Middleware where an ODBC or embedded database is used as the data store:

Authentication Server

Administration MMC Interface

Note

The Active Directory Users and Computers Extension option is unavailable for the Standard ODBC or Embedded database installation type.

Inclusion of this option when the Custom installation type is selected will cause Active Directory to be used as the data store.

6. Click Next.


The Customer Information dialog will be displayed.

7. Enter your user name and company name.

8. If you are installing an evaluation copy of the VACMAN Middleware, tick the Use an evaluation license checkbox.

If not, enter the serial number for the product in the Serial Number field.

9. If there are multiple IP addresses registered for the machine, you will be asked which IP address the VACMAN Middleware should use. Select an IP address and click on the Next button.

10. Click on the Next button.


The ODBC Pre-Requisites dialog will be displayed.

11. If this is not the first Authentication Server to be installed, tick the This is not the first Authentication Server to be installed checkbox.

12. If you have run the addschema command, click on Next.

If not, run the command (see 7.2 ODBC Database for instructions), then click on Next.

The install program will check the database schema.


The ODBC Connection Details dialog will be displayed.

13. Enter the ODBC Data Source Name and the Username and Password of your database administrator account, then click on Next. The install program will check that it can connect using these details to the database.

The Initial Administrator Account dialog will be displayed.


14. Enter the User ID and password for an administrator account. The installation program will create a Digipass User account with all administration privileges which can be used for initial administration tasks.

Click on Next.

15. If you have chosen to install the User Self Management Web Site and IIS is installed on the machine, a pop-up dialog will be displayed. This will ask if you wish to allow the install program to create a Virtual Directory on the default IIS web site on this machine, and install the User Self Management Web Site files there. Click Yes to allow this or No to set it up manually later.

16. If you have chosen to install the OTP Request Site and IIS is installed on the machine, a pop-up dialog will be displayed. This will ask if you wish to allow the install program to create a Virtual Directory on the default IIS web site on this machine, and install the OTP Request Site files there. Click Yes to allow this or No to set it up manually later.

The Installation Directory dialog will be displayed.

17. To install to the default location (C:\Program Files\VASCO\VACMAN Middleware 3 if Windows is installed on the C: drive), click on Install. If you wish to install to a location other than the default, click on Browse, specify the installation location and click on Install.

The Installation Progress dialog will be displayed, showing the progress of your install.

Click Next when the install is complete.


The Activation Options dialog will be displayed.

18. Select a licensing option:

Note

If you are using an evaluation license, you still need to go through the license activation process.

Select the Go to the Activation Web page now option to immediately view the licensing page on the VASCO web site.

Check any details which were automatically filled in, fill in any extra information required, and select the method to receive the license key – either email or download.

After the Activation Web Page has been submitted, the license key file will either start downloading, or be emailed to the email address you supplied.

Save the license key file to a directory on the install machine, then go back to the installation screen. The screen will allow you to browse to the license key file for immediate loading.

Select the Save a shortcut to the desktop for later option to save a shortcut on the desktop to use at a later time.

If you already have a license file, select the Load the License Key from an existing License File option.

Browse to the file location and select the license key file.

The install program will load the license key during the installation progress.

Select Just Continue to do nothing with the license at this time.


The Restart Required dialog will be displayed.

19. Click the Yes option button to restart the machine, or No to add the license file or perform other tasks before restarting.

20. Click Finish when this process is complete.


3.4 Multiple Product Installation

VASCO products share many components (e.g. the Administration MMC Interface), as well as data. The installation process is designed to detect other VASCO products on a machine. If another VASCO product is already installed on the machine, the installation process will run in Add Components mode.

Typically, you will only need to add the Authentication Server component, but others may be added if not already installed. See the 4 Add Components to Installation section for instructions after reading the information below.

These changes will affect your existing installation:

Data Store Selection

You will not be given a choice of data store. All Digipass-related data will be stored in the same data store as used by the currently-installed VASCO product.

Start Menu Changes

Installing more than one VASCO product on a machine will cause VASCO Start menu options to be re-arranged, as components may be shared between products. Links to components and documentation specific to the product will be located under VASCO -> <Product Name> (e.g. VASCO -> VACMAN Middleware). Links to shared components will be located in VASCO -> Common Components.

Automatic Component Upgrade

If the second product has a later version of any of the shared components, these components will be upgraded as part of the installation.

Shared Components not Removed during Uninstall

When uninstalling one of the products on a machine that has more than one, the uninstaller will only remove the specific component - it will leave all the shared components. They will only be removed when you uninstall the last product.

Important Note

If the second product had later versions of any components, ensure that you uninstall the second product last if you want to uninstall both products. The uninstaller for the original product may not possess all the necessary information to completely remove newer components.

Repairing Components

When two products are installed on the same machine and a repair is attempted, the installation program will only be able to repair the components that are specific to it or are shared. For example, the VACMAN Middleware installation program will not repair the Funk SBR Plug-In.

If the other product has a later version of one of the shared components, it will not be repaired. In that case, the other product's installer is needed to repair that shared component. In general, use the latest versioned product to repair shared components.


3.5 Post-Installation Tasks

3.5.1 Licensing

Each Authentication Server will require a license key to be loaded into its Component record – even if you are using an evaluation license. If this is not completed during the install process, it will need to be done before the Authentication Server can be used.

3.5.1.1 Obtain and Load License Key

Note

An active internet connection is required to obtain a License Key.

1. Open the Administration MMC Interface.

2. Click on the Components node.

The Component List will be displayed in the Result pane.

3. Double-click on the required Component record.

The Component property sheet will be displayed.

4. Click on the License Key Details... button.

The License Key Details window will be displayed.

5. Click on the Request License Key... button.

A browser window will be opened, with the VASCO Licensing site loaded. Any required information which the Authentication Server has will be entered as the site is loaded.

6. Enter any other required information in the browser window.

7. Click on the Request License Key button in the browser window.

A download of your license key file should begin. Keep note of where you save the file, and its name.

8. Once the download is complete, go back to the Administration MMC Interface and the License Key Details window.

9. Click on the Load License Key... button.

10. Browse to the download location and select the license key file.

11. Click on Open.

A message window will display the success or failure of loading the license key into the data store.

3.5.1.2 Evaluation Serial Number

If you do not obtain a license key file during installation of the Authentication Server, but wish to use an evaluation license, you will need to use this serial number on the VASCO licensing site: 012E900762.

3.5.2 Encryption Settings

If you will be using a custom encryption key for sensitive data, this should be set before Digipass are imported to the 'live' version of the VACMAN Middleware. See the Sensitive Data Encryption topic in the Administrator Reference for more information.

3.5.3 Backup Strategy

Put a backup strategy in place for the files which will require backing up. For more information, see the Administrator Reference.

3.5.4 Audit Settings

Configure how and when the Authentication Server will record audit messages.

Text File

If auditing to a text file, you will need to decide how often a new text file should be created. By default, a new text file is created monthly. To change this frequency, modify the variables used in the file name. For example, if the Authentication Server is configured to write to a text file set to AuthServer-{year}-{month}.audit, a new text file will be created monthly. If the text file name is set to AuthServer-{year}-{month}-{mday}.audit, a new text file will be created daily.

For more information, see the Auditing section of the Administrator Reference.

Event Log

If auditing primarily to the Windows Event Log, ensure that the Event Log is configured to not overwrite old entries automatically. This is the default setting. To check:

1. Open the Event Log.

2. Right-click on the specific log to which the Authentication Server will be auditing.

3. Select Properties.

4. Select Do not overwrite events (clear log manually) from the When maximum log size is reached option button group.

5. Click on OK.
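A scripted form of the check above, as an added example that is not part of the VASCO guide. It assumes PowerShell 3.0 or later on Windows Server 2008 or later, and uses Application as an assumed log name (pass the log the Authentication Server actually audits to); the function name is hypothetical. It also reports how full the log is, because a log set to Do not overwrite stops recording new events once it reaches its maximum size.

```powershell
# Added example; not part of the VACMAN Middleware tooling.
function Test-AuditLogRetention {
    param(
        [string]$LogName = 'Application',            # assumed target log
        [ValidateRange(1, 100)][int]$WarnPercent = 80,
        [switch]$Fix                                  # switch the log to "do not overwrite"
    )

    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # LogMode 'Retain' corresponds to the GUI option
    # "Do not overwrite events (clear log manually)".
    if ($Fix -and $log.LogMode -ne 'Retain') {
        $log.LogMode = [System.Diagnostics.Eventing.Reader.EventLogMode]::Retain
        $log.SaveChanges()                            # needs an elevated session
        $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    }

    # Fill level of the log file relative to its configured maximum size.
    $usedPercent = 0
    if ($log.MaximumSizeInBytes -gt 0 -and $log.FileSize -gt 0) {
        $usedPercent = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    }

    [pscustomobject]@{
        LogName     = $log.LogName
        LogMode     = $log.LogMode
        NoOverwrite = ($log.LogMode -eq 'Retain')
        MaxSizeKB   = [long]($log.MaximumSizeInBytes / 1KB)
        UsedPercent = $usedPercent
        IsLogFull   = [bool]$log.IsLogFull
        # Flag the log when it may overwrite entries or is close to dropping new ones.
        NeedsAction = ($log.LogMode -ne 'Retain') -or ($usedPercent -ge $WarnPercent)
    }
}

# Report only; add -Fix to change the retention setting.
Test-AuditLogRetention -LogName 'Application'
```

Run it on a schedule and archive, then clear, the log whenever NeedsAction is reported for a log that is already in Retain mode.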

3.5.5 Active Directory Tasks

3.5.5.1 Additional Setup Steps for Multiple Domains

When using the Authentication Server in multiple domains, extra steps must be followed to ensure that the Authentication Server has permissions sufficient to access required data in other domains. See the Set Up Active Directory Permissions section of the Administrator Reference. The Multiple Domains topic in that section contains instructions for cross-domain scenarios, and can be used as follows:

If the Authentication Server you have just installed is not in the Digipass Configuration Domain, follow the instructions in Scenario 1.

If the Authentication Server you have just installed will be used to authenticate Users in domains other than its own, follow the instructions in Scenario 2.

3.5.5.2 Set up Active Directory SSL

If you need to set up SSL at this point, see 2.2.3 SSL Setup for instructions.

3.5.5.3 Active Directory Replication

Active Directory replication issues need to be considered in some installations of the VACMAN Middleware. See the Active Directory Replication Issues topic in the Administrator Reference. In particular, consider configuring replication of the Digipass cache between Authentication Servers.

3.5.5.4 Active Directory Auditing

Consider whether to include custom object classes and permission property sets in Active Directory's auditing. See the Active Directory Auditing topic in the Administrator Reference for more information.

3.5.6 ODBC Database Tasks

3.5.6.1 Dppostgres Local Machine Account Created

When VACMAN Middleware is installed with the embedded database, a local machine account called dppostgres is created on the installation machine. If installed on a domain controller, this account will be a domain account which has privileges to log on as a service and locally. The privileges to log on locally may be removed manually.

Note

The dppostgres account is not automatically deleted upon uninstallation of VACMAN Middleware.

Changing the dppostgres Account Password

If the password for the dppostgres account is modified, it must also be changed for the PostgreSQL Database Server 8.1 service running on the machine. To do this:

1. Open the Computer Management console (right-click on My Computer and select Manage)

2. Expand the Services and Applications node, and click on Services.

3. Scroll down the Services list to PostgreSQL Database Server 8.1. Double-click on the entry.

4. Click on the Log On tab.

5. Enter the new password in the Password and Confirm Password fields.

6. Click on Apply.

Note

If the dppostgres account password is changed, it should be changed back to the default before uninstalling and reinstalling VACMAN Middleware. If not, the installation will fail.

3.5.6.2 Configure User ID and Domain Handling

The Authentication Server has options to configure how User IDs and domain names are handled. It is important that these are set up before data is added to the database.

Case-sensitivity

The Authentication Server may be configured to save and retrieve User IDs and domain names in lower case, upper case or with no conversion – data is saved or searched on exactly as entered. The configuration required will depend on your company's requirements and the capabilities of the database used as the data store. See the Encoding and Case-Sensitivity topic in the Administrator Reference for more information.

Using the Embedded database option, the case-sensitivity setting is automatically set to convert User IDs and domain names to lower case, as the PostgreSQL database is case-sensitive.

Case-sensitivity configuration must be completed before User accounts and domain records are added to the database. However, the Master domain (named 'master') is created during installation, and is in lower case. This will not cause any problems if the Authentication Server is configured not to convert case, or to convert to lower case. If the Authentication Server will be configured to convert User IDs and domains to upper case, first follow these steps:

1. Open the Administration MMC Interface and create a new domain. This new domain must have its name entirely in upper case (e.g. MASTER).

2. Open the Authentication Server Configuration GUI and set the new domain as the Master domain. Close the Configuration GUI.

3. Delete the original 'master' domain.

Windows name resolution

Enable Windows Name Resolution to allow the Authentication Server to use Windows functionality to resolve a UserID – as entered during a login – into a User ID and Domain. This is highly recommended if Dynamic User Registration will be enabled.

3.5.6.3 Permissions for Group Check

A list of Windows groups can be specified in the Policy used by the Authentication Server. The Authentication Server will only authenticate a User’s login if the User belongs to one of these specified groups.

Add LocalSystem (“SYSTEM”) to either Administrators or the Account Operators Windows group on the server to allow the Authentication Server to run a group check:

1. Go to the desktop and right-click on My Computer.

2. Click on Manage.

3. Expand the Local Users and Groups node.

4. Click on Groups.

5. Right-click on Administrators or Account Operators.

6. Click on Add to Group...

7. Click on Add...

8. Click on Locations...

9. Select the local machine and click on OK.

10. Enter SYSTEM in the object name memo.

11. Click on OK.

A new entry will be added to the Members list.

3.5.6.4 Configure Connection Parameters

You may wish to increase the number of connections attempted to the database if:

The load on the database will be high, and

Changes to the connection settings will be efficient with the database and database driver in question.

Setting an idle timeout will allow connections which are no longer required to be closed as soon as possible, which may lower the load on the database server. See the Administrator Reference for more information.

3.5.6.5 Additional Databases

If additional databases are required for backup, failover or load-balancing purposes, configure the Authentication Server to use them now.

See the Additional ODBC Databases topic in the Product Guide and the Database Connection Handling topic in the Administrator Reference for more information.

3.5.6.6 Additional Setup Steps for Multiple Authentication Servers

If more than one Authentication Server is installed on the system, some additional setup may be required. In particular, replication should be set up between Authentication Servers or between databases.

See the Multiple Authentication Servers topic in the Product Guide and the Replication section in the Administrator Reference for more information.

4 Add Components to Installation

To add components to an existing installation:

1. Start the VACMAN Middleware install process.

If you are not using the CD Autorun interface, locate and double-click on the VACMAN_Middleware_3014_setup.exe file.

The VACMAN Middleware splash screen will be displayed, followed by the Maintenance Options dialog.

2. Select the Add Components option button and click on Next.

The Select Components dialog will be displayed.

3. Select the components you want to add to the installation and click on Next.

The Installation Progress dialog will be displayed, showing the progress of your install.

When completed, the Activation Options dialog will be displayed, prompting you to select a method of obtaining a license file.

When the installation is complete, the Restart Required dialog will be displayed.

4. Click the Yes option button to restart the machine, or No to perform other tasks before restarting.

5. Click Close when this process is complete.

5 Repair Installation

The installation of the VACMAN Middleware may need to be repaired if files have been corrupted, deleted or lost.

1. Start the VACMAN Middleware install process.

If you are not using the CD Autorun interface, locate and double-click on the VACMAN_Middleware_3014_setup.exe file.

The VACMAN Middleware splash screen will be displayed, followed by the Maintenance Options dialog.

2. Select the Repair Installation option button and click on Next.

A confirmation window will be displayed.

3. Click on Yes.

4. After installation, the system must be restarted.

A screen will be displayed, asking whether you want to restart the machine now or later.

Select the Yes, restart the machine now radio button (selected by default).

Click on the Finish button.

6 Uninstall VACMAN Middleware

To uninstall VACMAN Middleware, run the VACMAN_Middleware_3014_setup.exe file available in the VACMAN Middleware installation directory. Alternatively, use the Add or Remove Programs option in the Windows Control Panel.

6.1 Data Removal

6.1.1 ODBC Database

Remove Schema Modifications

The dropschema command in the DPDBadmin command line utility can be used to remove all schema modifications from the database, deleting all data relating to the Authentication Server.

6.1.2 Active Directory

Additional data removal

Digipass-specific information is not removed from Active Directory when the VACMAN Middleware is uninstalled from a computer. A custom VB script is available which will strip all information related to the Authentication Server from a domain. See the Administrator Reference for further information and instructions.

7 Extend Data Store Schema

7.1 Active Directory

The addschema command is used to create all the Active Directory Schema extensions, if they are not already there. Each element will be checked individually to see if it is already there and if not, will be added.

This command is intended to be run manually by a domain administrator before the main VACMAN Middleware installation is run, as recommended by Microsoft.

It may be necessary to go through an approval process in your company before running this command, as it involves changes to Active Directory Schema. You may also need to have another administrator run the command for you, possibly in another part of your network. This depends on your company’s structure and rules for Active Directory control.

Prerequisite Information

Schema Master Machine

This command may technically be run on any Windows 2000, XP or 2003 machine, however it needs to contact the Domain Controller which has the Schema Master role. There can be only one Domain Controller in the Forest with that role. It may be simplest to run the command directly on the Schema Master, to avoid any potential connectivity or permission issues.

Warning

If you are passing the credentials to the command in the parameters, and you are not running the command on the Schema Master, check that you do not have any shares on the Schema Master open. This will cause the command to fail.

Domain Administrator Account

In order to successfully update the Schema, you must know the username and password of a Domain Administrator account that is able to log into the Schema Master. You must either run the command while logged in as that user, or pass the credentials to the command in the parameters. The Domain Administrator must have permission to extend the Schema – they must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain created in the Forest).

Schema Changes Allowed

By default, Active Directory does not permit Schema extensions to be made. There is a registry setting that must be changed to allow extensions. If this is not already set, DPADadmin will ask you whether it should change the setting itself or not. If you click on Yes, it will change the setting itself, make the extensions then change it back again.

If you would prefer to change the setting manually, log into the Schema Master and change the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed registry key to 1, adding it as a value of type DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is installed on the machine, this can be used to enable or disable Schema extensions.

If you have disabled the Schema extensions after removing a previous installation in the Forest, reactivate them before using this command. This can be done using the Schema Manager MMC snap-in used to deactivate them.
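The manual registry change described above, scripted so that the setting is returned to its previous state afterwards. This is an added example, not VASCO's own tooling: the registry path and value name are the ones given in this guide, the function names are hypothetical, and it assumes an elevated PowerShell session on the Schema Master, started in the directory that holds dpadadmin.exe.

```powershell
# Added example; not part of the VACMAN Middleware tooling.
# Registry location and value name as given in this guide.
$ntdsParams = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Schema Update Allowed'

function Get-SchemaUpdateAllowed {
    # Returns the current DWORD, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Set-SchemaUpdateAllowed {
    param([Parameter(Mandatory = $true)][int]$Value)
    if ($null -eq (Get-SchemaUpdateAllowed)) {
        # Value is absent: add it as a DWORD, as the guide describes.
        New-ItemProperty -Path $ntdsParams -Name $valueName `
            -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $ntdsParams -Name $valueName -Value $Value
    }
}

# Remember the state found on entry so it can be restored exactly.
$before = Get-SchemaUpdateAllowed

try {
    if ($before -ne 1) {
        Set-SchemaUpdateAllowed -Value 1
        Write-Host 'Schema extensions enabled for this run.'
    }

    # Progress and success/failure are printed by the tool itself.
    & .\dpadadmin.exe addschema
}
finally {
    # Do not leave schema writes enabled longer than the extension needs.
    if ($null -eq $before) {
        Remove-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    } elseif ($before -ne 1) {
        Set-SchemaUpdateAllowed -Value $before
    }
    Write-Host ("Schema Update Allowed restored; current value: {0}" -f (Get-SchemaUpdateAllowed))
}
```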

Extend the Schema on the Schema Master

1. Log into the Schema Master as a member of the Schema Administrators group.

2. Copy dpadadmin.exe onto the Schema Master.

3. Open a command prompt in the location to which it was copied.

4. Type:

dpadadmin addschema

5. If DPADadmin detects that Schema extensions are not currently permitted, it will prompt you whether to enable them or not. Enter y to enable them, or n to cancel.

The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.

Extend the Schema on the VACMAN Middleware Server

1. Open a command prompt and navigate to the installation’s bin directory by typing:

cd <install dir>\bin

2. Type:

dpadadmin addschema -master schema_master -u user_name -p password

3. See 7.1 Command Line Syntax for more details regarding the required parameters.

4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to enable them. Enter y to enable them, or n to cancel.

The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.

Command Line Syntax

dpadadmin addschema [-master schema_master] [-u user_name [-p password]] [-q]

Table 1: DPADadmin addschema Command Line Options

Option Description

-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be omitted if the command is run directly on the Schema Master.

-u User name of a Domain Administrator in the Schema Administrators group. This option may be omitted if you are logged into the machine as that Domain Administrator when you run the command.

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain Administrator or if they have a blank password.

-q Quiet mode, will not output commentary text.

DPADadmin addschema Command Sample

dpadadmin addschema -master dc1.vasco.com -u schema_admin -p sa_password

7.2 ODBC Database

The addschema command is used to create all required tables in an existing database, if they are not already there. Each table will be checked individually to see if it is already there and if not, will be added.

This command is intended to be run manually by an administrator before VACMAN Middleware is installed.

It may be necessary to go through an approval process in your company before running this command. You may also need to have a database administrator run the command for you. This depends on your company’s structure and rules for control of the database.

This command may also be used to create the tables required for auditing to an ODBC database.

Prerequisite Information

Database Administrator Account

In order to successfully modify the database structure, you will need the username and password of a database administrator account that is able to make changes to the database schema – for example, creating tables. You must pass these credentials to the command in the parameters.

Database Name

You will need the ODBC Data Source Name of the database (as registered with Windows as an ODBC Data Source).

Modify the Database Structure

1. Open a command prompt and navigate to the installation’s bin directory by typing:

cd <install dir>\bin

2. Type:

dpdbadmin addschema -u user_name -p password -d dsn

3. See below for more details regarding the required parameters.

The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.

Command Line Syntax

dpdbadmin addschema -u user_name [-p password] -d dsn [-nouser] [-domain domain_name] [-case case_conversion] [-vdsuser alternatename] [-vdsuserattr alternatename] [-vdsdomain alternatename] [-vdscontrol alternatename] [-vdsdigipass alternatename] [-vdsdpapplication alternatename] [-vdspolicy alternatename] [-vdsbackend alternatename] [-vdscomponent alternatename] [-vdsorgunit alternatename] [-audit] [-noserver] [-utf8factor factor] [-q]

Table 2: DPDBadmin addschema Command Line Options

Option Description

-u User name of a database administrator.

-p Password of the database administrator. This option may be omitted if they have a blank password.

-d ODBC Data Source Name (DSN)

-nouser Do not create Digipass User table. This option is not currently supported.

-domain Specify the Master Domain to be used. If not specified, it will be “master”. The Domain will be created if it does not already exist.

-case Specify to convert User IDs and domain names to either upper or lower case. The value must be either “upper” or “lower”.

-vdsuser Alternative name for the Digipass User table to be created.

-vdsuserattr Alternative name for the Digipass User Attribute table to be created.

-vdsdomain Alternative name for the Domain table to be created.

-vdscontrol Alternative name for the Controller table to be created.

-vdsdigipass Alternative name for the Digipass table to be created.

-vdsdpapplication Alternative name for the Digipass Application table to be created.

-vdspolicy Alternative name for the Policy table to be created.

-vdsbackend Alternative name for the Back-end Server table to be created.

-vdscomponent Alternative name for the Component table to be created.

-vdsorgunit Alternative name for the Organizational Unit table to be created.

-audit Create the Audit tables.

-noserver Do not create the main tables used by the Authentication Server. This should only be used with the -audit option, when you only want to create the auditing tables.

-utf8factor On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not characters, by default. When UTF-8 encoding is used to store data, for full Unicode support, one character may be represented as more than one byte. Normally 2 or 3 bytes are used, depending on the language, but some characters require 4. If your data will include a lot of non-English characters, you can increase the size of certain columns by a factor to allow for the extra bytes. The value of the parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns affected by this are the User Name (not User ID) and various Description fields. On other databases, column sizes are specified in characters, and this parameter is not needed.

-q Quiet mode, will not output commentary text.
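One way to choose a -utf8factor value from representative data, as an added example that is not part of the VASCO tooling. The function name and the sample names are constructed for illustration; the function returns the largest number of UTF-8 bytes any single character in the sample needs, which is the conservative multiplier for a byte-sized column.

```powershell
# Added example; not part of the VACMAN Middleware tooling.
function Get-Utf8Factor {
    param([Parameter(Mandatory = $true)][string[]]$Sample)

    $utf8     = [System.Text.Encoding]::UTF8
    $maxBytes = 1

    foreach ($text in $Sample) {
        $i = 0
        while ($i -lt $text.Length) {
            # A character outside the Basic Multilingual Plane occupies two
            # UTF-16 code units (a surrogate pair) and 4 bytes in UTF-8.
            $len = 1
            if ([char]::IsHighSurrogate($text, $i) -and
                ($i + 1) -lt $text.Length -and
                [char]::IsLowSurrogate($text, $i + 1)) {
                $len = 2
            }

            $bytes = $utf8.GetByteCount($text.Substring($i, $len))
            if ($bytes -gt $maxBytes) { $maxBytes = $bytes }
            $i += $len
        }
    }
    return $maxBytes
}

# Constructed sample User Names, built from code points so that the
# encoding of the script file itself does not affect the result.
$sample = @(
    'Alice Smith',
    ('Zo' + [char]0x00EB + ' M' + [char]0x00FC + 'ller'),
    ([string][char]0x5C71 + [char]0x7530)
)

$factor = Get-Utf8Factor -Sample $sample

if ($factor -ge 2) {
    "Suggested option: -utf8factor $factor"
} else {
    'All sample characters are single-byte in UTF-8; -utf8factor is not needed.'
}
```

Feed it real User Name and Description values exported from the directory or HR source that will populate the database, since a single unrepresented script can raise the required factor.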

DPDBadmin addschema Command Sample

dpdbadmin addschema -u DBAdmin -p pwd3498 -d UserDb -domain mydomain

This command will modify the database structure of the ODBC database with the data source name of UserDb. It uses a database administrator account with the User ID of DBAdmin and password pwd3498. A non-default Master Domain will be used, called “mydomain”.

dpdbadmin addschema -u DBAdmin -p pwd3498 -d AuditDb -audit -noserver

This command will create only the auditing tables in the ODBC database with the data source name of AuditDb. It uses a database administrator account with the User ID of DBAdmin and password pwd3498.

8 Technical Support

If you encounter problems with a VASCO product please do the following:

1. Read the How to Troubleshoot topic in the Administrator Reference for help in discovering the source of your problem.

2. Check if your problem is resolved in the Knowledge Base located at the following URL: http://www.vasco.com/support.

3. If you do not find the information you need in the Knowledge Base, please contact the company that sold you the VASCO product.

Only after doing these steps, if your needs are still not completely met please contact VASCO support:

8.1 Support Contact Information

E-mail

[email protected]

Website

http://www.vasco.com/support/contacts.html

Phone

Australia +61 2 8061 3700 (Sydney)

Belgium +32 2 609 9770 (Brussels)

Singapore +65 6 232 2727

USA +1 508 366 3400 (Boston)
