
Manual - KeyTalk


Figure 4: IP configuration on a Windows 7 64-bit PC. The screenshot shows the Windows "Local Area Connection Properties" and "Internet Protocol Version 4 (TCP/IPv4) Properties" dialogs; the recoverable settings are "Use the following IP address" and Subnet mask 255.255.255.0.

5.3 Step 3: Connecting to the appliance
Figure 2: Back panel (KeyTalk).

Connector port for the power cable.
USB port 1: It is possible to perform functional upgrades via a USB key using this USB port.
USB port 2: It is possible to perform functional upgrades via a USB key using this USB port.
RS232 port: Manufacturer troubleshooting connector.
Network Interface Connector: For connection to other KeyTalk appliances in high availability mode (including DevID). The default IP for this connector is 172.16.1.1.
Network Interface Connector: For connection to the local management device.
Network Interface Connector: For connection to the external network. The default (text cut off in the scan)

Do not replace any components, as this will void your KeyTalk warranty. Note: replacing hardware components will result in malfunctioning of the system.

4 Top Panel Components

On the top panel of the appliance, between the front bezel and the appliance top cover, you will find a blue label.

Figure 3: Blue label with the appliance's tamper-evident serial number.

This security label displays the unique appliance tamper-evident serial number and should not be removed. It is used for identification purposes in case support is requested. Removing or otherwise manipulating this label will cause the label to permanently change. KeyTalk advises you to check this label on a regular basis to make sure it is undamaged. Should the label be damaged, please contact your KeyT
Generate tab (screenshot): the certificate tree to be generated lists Server-Server (CN localhost.reseptdemo.com, Key Size 2048 bits), Client-Server (CN demo.reseptdemo.com), WebUI (CN reseptadmin.reseptdemo.com, Key Size 2048 bits), DevId (CN devid.reseptdemo.com, Key Size 2048 bits) and DevId WebUI (CN devidadmin.reseptdemo.com, Key Size 2048 bits), plus an "Include Root CA" checkbox.

Click Generate Tree to generate a certificate tree using the configuration specified on this page. When done, you will be prompted to install the generated certificates to the appliance.

Figure 109: Edit specific criteria for all hosted certificates.

Click on CHANGE to edit a specific set of certificate fields. Click OK to accept the alterations.

Figure 110: Edit specific Client-Server certificate fields. The screenshot shows the "Edit Client Server certificate fields" form: Common Name demo.reseptdemo.com, RSA Key Size (bits) 2048, Country, City/Locality, Organization, Organizational Unit, Email, Time To Live (sec) 315360000, Time For Correction (sec) 3600.

Once you have finished editing the necessary certificate fields, you are ready to generate the newly configured certificate tree.
Group attribute. Note: Adding a separator symbol after the variable can be used to support multiple Groups per user. For example: Admin (rest of example cut off in the scan)

Filter: The LDAP filter used to specify the record against which the criteria are matched. The filter may also contain the following placeholders, which will be substituted with the actual credentials provided by the KeyTalk Client: service, domain, userid, password, hwsig, pincode. The same filter description applies to the HwSig, Pincode and Group rows.

19.2.2.3 Configuring LDAP module Bind & LDAPS for a service

One or multiple LDAP servers can be bound to the KeyTalk appliance. When a timeout occurs on the 1st LDAP server, the KeyTalk appliance will try the 2nd, etc. To configure your LDAP module bind for your selected service, tick the LDAP server configuration entry and select CHANGE, or select ADD.

Screenshot: "Configure LDAP Server connection for Service ES Test" with URL ldap://localhost:389, Bind DN uid=<userid placeholder>,ou=Users,dc=example,dc=com, Bind Password (masked, with a "show" option) and Base DN ou=people,dc=example,dc=com.

Invalid LDAP bind attempts are treated as if invalid credentials were supplied by the RESEPT user, provided the LDAP server is physically accessible. It is recommended to verify the configured Bind DN and password for each
By default the HwSig verification is set to Off.

Figure 79: Hardware Signature verification setting (HwSig Verification: Off, CHANGE).

Select CHANGE to change the HwSig setting. Two other options are available for the HwSig verification:

- DevId: Obtain the user's HwId from our DevId product solution.
- Exit: Obtain the user's HwId using the settings of the authentication module.

For the option Exit, in the case of the Sqlite Module the HwSig is obtained from the user's Hardware Signature field. When the DevId option has been chosen, make sure that the DevId Host & Port are properly set.

Figure 80: Editing Hardware signature settings for a specific service. The screenshot shows "Edit hardware signature settings for Service DEMO_SERVICE" with DevID Host 192.168.1.10, DevID Port, DevID Group Name Test and DevID Group Password (masked).

19.3.2.2 RADIUS Server connectivity settings

Figure 81: RADIUS server connectivity settings. The screenshot shows the columns RADIUS Server, Port (0 to detect), Max Tries and Timeout (sec), with Server 1 set to localhost.

Multiple RADIUS servers can be configured by selecting the server and clicking on ADD. When Server 1 times out, the KeyTalk appliance will send its request to the next in line. To change the RADIUS Server connectivity settings, select the server configuration you wish to change and click on CHANGE.

The IP number of the RADIUS server: Any valid IP number. Por
WebUI tab: WebUI certificate and key are used to secure access to the RESEPT server UI via browser.

Certificate Info: Subject C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=reseptadmin.reseptdemo.com, emailAddress=demo@reseptdemo.com. Issuer C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=Resept Demo CCA, emailAddress=demo@reseptdemo.com. Valid From 22-03-2011 13:34 GMT. Valid To 17-05-2027 13:34 GMT. Signature Algorithm sha1WithRSAEncryption. Public Key RSA 2048 bits. SHA1 Fingerprint 24339f015e2cf046a7ba95ef0cidf5fe7af9045a (as printed in the scan).

Key Info: Type RSA 2048 bits.

Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password.

Download Certificate and Key: Click Download to download certificate and key as a single PEM file.

Figure 105: WebUI certificate information and key upload functionality.

This screen allows you to download the current certificate and key and upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.
2 Front Panel Components

Figure 1: Front panel (KeyTalk); the color of the front bezel may vary.

Display navigation buttons (four): Control the navigational controls for the LCD information.
Power button: Press to start the device when switched off. Press and hold for several seconds to switch off the appliance.
RESET button: Press using a paperclip and hold for several seconds to stop the device. The RESET button only needs to be used when normal switch-off using the Power button is not working.
G Power indicator: Lights up when the power is switched on.
Disk indicator: Data is stored on the Solid State Disk. When this indicator flashes, the Solid State Disk is active.
Information indicator: Lights up when important messages require your attention.
LCD Display: Displays the state the device is in and displays menu items for local administration.

Do not replace any components, as this will void your KeyTalk warranty. Note: replacing hardware components will result in malfunctioning of the system.

3 Back Panel Components
When installed, it may serve as a root for the certificate tree generated on the appliance.

Root CA tab: Root CA is optional. When installed, it may serve as a root for the certificate tree generated on the appliance.

Certificate Info: No Certificate Found. Key Info: No Valid Key Found.

Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain certificate or key only.

Figure 99: Root CA information and key upload functionality.

A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.

22.2 Primary CA

The Primary CA is a private key and is normally the root of the certificate tree, unless the Root CA is installed and is an issuer for the Primary CA. After generation this key is kept offline and is usually stored on portable media in your safe. Depending on your security requirements it can be distribu
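The upload rules stated on the Root CA tab (and repeated on the other certificate tabs) are easy to check before a file is sent to the appliance: the PEM may carry a certificate and a key, or either one alone, and the key must not be password protected. The following is an added example, not KeyTalk's own code, that scans a PEM file for those conditions using only the Python standard library. It recognises an encrypted key either by the PKCS#8 "ENCRYPTED PRIVATE KEY" label or by the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header inside a traditional key block; the sample PEM bodies are constructed placeholders, since only the block labels and headers are inspected.

```python
import re

# One PEM block: BEGIN label, body, END with the same label (backreference).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}


def inspect_pem(text):
    """Count certificate and key blocks and collect problems that would make
    the file unsuitable for the appliance's upload form."""
    certs = keys = 0
    problems = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label in CERT_LABELS:
            certs += 1
        elif label in ENCRYPTED_KEY_LABELS:
            keys += 1
            problems.append("key is password protected (ENCRYPTED PRIVATE KEY)")
        elif label in KEY_LABELS:
            keys += 1
            # Legacy OpenSSL encryption is signalled by a header inside the block.
            if "Proc-Type: 4,ENCRYPTED" in body:
                problems.append(f"{label} is password protected (Proc-Type: 4,ENCRYPTED)")
        else:
            problems.append(f"unexpected PEM block: {label}")
    if certs == 0 and keys == 0:
        problems.append("no certificate or key found")
    if keys > 1:
        problems.append("more than one private key in the file")
    return {"certificates": certs, "keys": keys, "problems": problems}


def acceptable_for_upload(text, require_key=True):
    """True when the PEM satisfies the manual's rules. Tabs that accept a
    certificate alone (e.g. Root CA) can pass require_key=False."""
    summary = inspect_pem(text)
    if summary["problems"]:
        return False
    if require_key and summary["keys"] == 0:
        return False
    return True


# Constructed sample inputs (bodies are placeholders, not real key material).
SAMPLE_CERT_AND_KEY = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertificateBody==\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKeyBody==\n-----END PRIVATE KEY-----\n"
)
SAMPLE_CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertificateBody==\n-----END CERTIFICATE-----\n"
)
SAMPLE_ENCRYPTED_LEGACY_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "placeholderEncryptedBody==\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_ENCRYPTED_PKCS8 = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholderBody==\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in [("cert+key", SAMPLE_CERT_AND_KEY), ("cert only", SAMPLE_CERT_ONLY),
                      ("legacy encrypted", SAMPLE_ENCRYPTED_LEGACY_KEY),
                      ("pkcs8 encrypted", SAMPLE_ENCRYPTED_PKCS8)]:
        print(name, inspect_pem(pem), acceptable_for_upload(pem))
```

Run this against a file before uploading it; a rejected file with a "password protected" problem needs its key re-exported without a passphrase first, which the manual's upload form will not do for you.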
name used for storing the Group of the user. Default value: memberOf.

Attribute match mode (HwSig):
none: HwSig will not be checked.
exact: HwSig needs to match exactly.
nocaseexact: HwSig must match exactly, but not case sensitive.
subst: HwSig must be a substring of the attribute value.
nocasesubst: HwSig must be a substring of the attribute value, but not case sensitive.

Attribute match mode (Pincode):
none: Pincode will not be checked.
exact: Pincode needs to match exactly.
nocaseexact: Pincode must match exactly, but not case sensitive.
subst: Pincode must be a substring of the attribute value.
nocasesubst: Pincode must be a substring of the attribute value, but not case sensitive.

Attribute match mode (Group):
none: Group will not be checked.
exact: Group needs to match exactly.
nocaseexact: Group must match exactly, but not case sensitive.
subst: Group must be a substring of the attribute value.
nocasesubst: Group must be a substring of the attribute value, but not case sensitive.

Attribute value (HwSig): The variable for the HwSig attribute. Placeholders can be used for attribute values, which will be substituted with the actual credentials provided by the KeyTalk Client. Supported placeholders are: service, domain, userid, password, hwsig, pincode.

Attribute value (Pincode): The variable for the Pincode attribute. Note: Adding a separator symbol after the variable can be used to support multiple Pincodes per user. For example: PinCode (rest of example cut off in the scan)

Attribute value (Group): The variable for the
or DevID.

19.2.2.2 LDAP Attribute Match Settings

To configure the LDAP attribute match settings, choose CHANGE.

Figure 70: LDAP attribute match settings. The screenshot shows a table with the columns Attribute name, Attribute match mode, Attribute value and Filter, and the rows HWSIG / NONE / hwsig / sAMAccountName=userid; HWSIG / NONE / pincode / sAMAccountName=userid; memberOf / NONE / (empty) / sAMAccountName=userid. Supported placeholders: service, domain, userid, password, hwsig, pincode; double the placeholder symbol for a verbatim representation of the placeholder.

The following menu will open:

Figure 71: Configuring the LDAP attribute match settings. The screenshot shows "Edit LDAP Match Settings for Service ES Test" with the same columns and rows as Figure 70. Supported placeholders: service, domain, userid, password, hwsig, pincode. Users with an expired password are denied access regardless of the match settings.

This overview explains the different fields and values:

Attribute name (HwSig): The LDAP attribute name used for storing the Hardware Signature of the user. Default value: HWID.
Attribute name (Pincode): The LDAP attribute name used for storing the Pincode of the user. Default value: HWID.
Attribute name (Group): The LDAP attribute
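The match settings table above (attribute name, match mode, attribute value, filter) and the mode definitions for none, exact, nocaseexact, subst and nocasesubst are the whole of the decision an LDAP-backed service makes after the bind succeeds. The following is an added example, not KeyTalk's own code, that models that decision in Python so an administrator can predict how a given setting will treat a user's LDAP entry. The LDAP entry, attribute names other than HWID and memberOf, and the separator handling for multiple Pincodes are constructed assumptions; the function names are hypothetical.

```python
MATCH_MODES = ("none", "exact", "nocaseexact", "subst", "nocasesubst")


def attribute_matches(mode, credential, attribute_values):
    """Apply one match mode to a client-supplied credential (HwSig, Pincode
    or Group) against all values of an LDAP attribute. Multi-valued
    attributes such as memberOf are normal, so any value may satisfy it."""
    if mode == "none":
        return True                     # attribute is not checked at all
    if credential is None:
        return False                    # mode demands a value the client did not send
    for value in attribute_values:
        if mode == "exact":
            ok = value == credential
        elif mode == "nocaseexact":
            ok = value.lower() == credential.lower()
        elif mode == "subst":
            ok = credential in value
        elif mode == "nocasesubst":
            ok = credential.lower() in value.lower()
        else:
            raise ValueError(f"unknown match mode: {mode}")
        if ok:
            return True
    return False


def evaluate_match_settings(entry, settings, credentials):
    """entry: LDAP attribute -> list of values (one search result).
    settings: (credential name, attribute name, mode, separator or None).
    credentials: credential name -> value supplied by the client.
    A separator splits a single attribute value into several candidates,
    which is how the manual describes supporting multiple Pincodes per user
    (assumption: split on that symbol). Returns (allowed, failed names)."""
    failed = []
    for cred_name, attr, mode, sep in settings:
        values = entry.get(attr, [])
        if sep:
            values = [part for v in values for part in v.split(sep) if part]
        if not attribute_matches(mode, credentials.get(cred_name), values):
            failed.append(cred_name)
    return (not failed, failed)


# Constructed LDAP entry for one user (not real directory data).
ENTRY = {
    "sAMAccountName": ["jdoe"],
    "HWID": ["ABCD-1234-EF56"],
    "keytalkPin": ["1111;2222"],        # constructed attribute holding two pincodes
    "memberOf": [
        "CN=KeyTalkUsers,OU=Groups,DC=example,DC=com",
        "CN=Staff,OU=Groups,DC=example,DC=com",
    ],
}

# Constructed settings: HwSig exact, Pincode exact with ';' separator,
# Group as a case-insensitive substring of memberOf.
SETTINGS = [
    ("hwsig", "HWID", "exact", None),
    ("pincode", "keytalkPin", "exact", ";"),
    ("group", "memberOf", "nocasesubst", None),
]

SETTINGS_HWSIG_OFF = [("hwsig", "HWID", "none", None)] + SETTINGS[1:]


def decide(settings, hwsig, pincode, group):
    return evaluate_match_settings(
        ENTRY, settings, {"hwsig": hwsig, "pincode": pincode, "group": group})


if __name__ == "__main__":
    print(decide(SETTINGS, "ABCD-1234-EF56", "2222", "keytalkusers"))
    print(decide(SETTINGS, "abcd-1234-ef56", "3333", "KeyTalkUsers"))
    print(decide(SETTINGS_HWSIG_OFF, None, "1111", "cn=staff"))
```

The third call shows the practical effect of the NONE mode in the screenshot: with HwSig set to none a client that sends no hardware signature at all is still accepted, so a service meant to be device-bound needs exact or nocaseexact on its HwSig row, not the default.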
Figure 20: Configure your IP. The screenshot shows the Windows "Local Area Connection Properties" and "Internet Protocol Version 4 (TCP/IPv4) Properties" dialogs with "Use the following IP address" selected and Subnet mask 255.255.255.0.

8 KeyTalk Admin GUI

The KeyTalk appliance Graphic Admin Interface can be accessed with a br
Download Certificate and Key: Click Download to download certificate and key as a single PEM file.

Figure 104: Client-server certificate information and key upload functionality.

This screen allows you to download and remove the current certificate and key and upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.

22.7 WebUI Certificate & Key

This tab allows you to view the information of the KeyTalk Admin Graphical User Interface certificate. It is used to secure the communication between the KeyTalk appliance and the computer of the organization's administrator (single SSL). You should choose to purchase this certificate and key from a 3rd-party certificate provider. For more information, please refer to section 8.1 Replacing Admin GUI SSL certificate. A separate WebUI key and certificate are required for each KeyTalk and DevID appliance, since each appliance will run under its own unique FQDN in the network.
Extended Key Usage: Refer to OpenSSL.
Subject Alternative Name: The value of the alternative username. Refer to OpenSSL.

19.2.2.5 User LockOut

The User LockOut mechanism allows users to be locked out from the system when they enter the wrong authentication credentials.

Figure 74: Enable/disable user lockout (User Lockout: "Automatically lock user on failed login").

Automatic lockout can be selected or not. Click OK to save the settings. When Automatic lockout is selected, the KeyTalk appliance will add (lock) and release users automatically based on an incremental time penalty. The Admin can always manually release users before the time penalty expires, and can manually add or remove users in the LockOut table. When Automatic lockout is not selected, the system runs in a manual mode allowing the Admin to add any usernames for a permanent lock, which can only be manually released. Adding users manually is done using a free text field: no check is performed by the system to see if the user actually exists in the database used by the service's authentication module.

Figure 75: Manually adding a user to be locked out for a specific service (Lock user for Service DEMO_SERVICE: UserID).

19.3 RADIUS Module
Management corresponds to NIC P (see Section 3 Back Panel Components). To configure a specific interface, select the appropriate box and click on CHANGE.

Figure 35: Changing the Internal Interface type. The screenshot shows the interface table: Loopback 127.0.0.1 / 255.0.0.0 / n/a; Internal 172.16.1.1 / 255.255.0.0; External 192.168.1.1 / 255.255.255.0; Management 10.1.1.1 / 255.0.0.0.

Figure 36: Edit Network interface settings. The screenshot shows "Edit Network Interface Settings": Interface Type Internal; IPv4 Configuration manual; IPv4 Address 172.16.1.1; IPv4 Subnet Mask (not legible in the scan); IPv6 Configuration Manual; IPv6 Address (not legible in the scan); IPv6 Prefix Length 64. Warning on the form: "Changing the internal interface settings will cause all running RESEPT daemons bound to the internal interface to restart."

Configure the items you wish to change and select OK to save these changes. To change the KeyTalk appliance default gateway, select NETWORK from the main menu, select Configure Interfaces and select CHANGE.

Screenshot: NETWORK tab with the sub-items Configure Interfaces, Configure DNS, Configure HA Interface, Configure RESEPT Client Listen Port and Configure NTP; the interface table has the columns Interface Type, IPv4 Address, IPv4 Subnet Mask, IPv4 Configuration, IPv6 Address, IPv6 Prefix Length and IPv6 Configuration, starting with Loopback 127.0.0.1 255.0.0.0 Automatic
after the installation completes.

Figure 112: Install the generated certificate tree.

After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate tree. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.

23 Errors and error reporting

KeyTalk 4.x provides error messages. These messages are: Resolved IP invalid; Digest Invalid; Time out of sync; Server error (remaining entries not legible in the scan). When an error cannot be resolved, the Admin should run the Report Problem function.

Figure 113: Generate a problem activity report. The screenshot shows DEVICE > Report Problem: "Encountered a problem? Please help us solve it by following the steps below. Step 1: Click Save to generate the recent device activity report and save it to a file. Step 2: Send the saved report file along with the problem description to your RESEPT support contact."

Save the resulting file and send it to your KeyTalk supplier or partner with a written description of the problem, preferably substantiated with screenshots, repro steps and log files.

24 LCD information display

Front
and key as a single file, or you can upload the key and the certificate as separate files in PEM format. There is no need to rename the files, as KeyTalk will do this for you.

Client-Server tab: Client-server certificate and key are used to secure communication between RESEPT client and server. The RESEPT server requires both certificate and key; the RESEPT client only requires the certificate, which is included in the RCCD file.

Certificate Info: Subject C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=demo.reseptdemo.com, emailAddress=demo@reseptdemo.com. Issuer C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=Resept Demo CCA, emailAddress=demo@reseptdemo.com. Valid From 22-03-2011 13:30 GMT. Valid To 17-05-2027 13:30 GMT. Signature Algorithm sha1WithRSAEncryption. Public Key RSA 2048 bits. SHA1 Fingerprint e3aci292355c2ef bd6cfa0e9025619d7749da (as printed in the scan).

Key Info: Type RSA 2048 bits.

Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain certificate or key only.

Download Certificate and Key: Click
clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.

22.5 Server-Server Communication Key

This tab allows you to view the information of the Server-Server Communication Key and certificate. This certificate and key are required to encrypt the information exchange between KeyTalk servers in High Availability mode, and to encrypt the information exchange between KeyTalk and the DevID additional module. You can upload the combined certificate and key as a single file, or you can upload the key and the certificate as separate files in PEM format. There is no need to rename the files, as KeyTalk will do this for you.

Server-Server tab: Server-server certificate and key are used to secure communication between RESEPT servers in a High Availability setup.

Certificate Info: Subject C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=localhost.reseptdemo.com, emailAddress=demo@reseptdemo.com. Issuer C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=Resept Demo CCA, emailAddress=demo@reseptd
for each DevID appliance, since each one will run under its own unique FQDN in the network.

DevId WebUI tab: DevId WebUI certificate and key are used to secure access to the DEVID server UI via browser. Certificate Info: No Certificate Found. Key Info: No Valid Key Found. Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password.

Figure 107: DevID WebUI certificate information and key upload functionality.

A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.

22.10 Backup & Restore

This tab allows you to make a full backup of your current certificates and keys, as well as granting the ability to restore your backup if required.
In order to change the Graphical Administrator Interface password, do the following: In the upper menu select the DEVICE tab and select Admin Password.

Figure 10: Changing the Graphical Administrator Interface password. The screenshot shows the DEVICE tab (Time, Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down, Report Problem) with two forms: "Change Device Web Access Password" (Account reseptadmin, Current Password, New Password, Repeat New Password, OK) and "Change Device Admin Password" (Account reseptadmin, Current Password, New Password, Repeat New Password).

Enter both the current and new password and confirm the new password in the Change Device Web Access Password fields. Press OK to activate the new password. Note: It is important to remember this password.

The KeyTalk appliance also has a more powerful user, the device admin, for low-level administrator maintenance. This user is not enabled by default. If required, contact your KeyTalk supplier or partner.

5.8 Step 8: DNS & NTP (date/time) customization

To set your applicable DNS, select the NETWORK tab in the upper menu and select Configure DNS. It is possible to ping the IP in order to check if the IP maps to a live machine. Note: The firewall might block the ping (ICMP echo request/reply). Enter the IP a
service. Go to the tab AUTHENTICATION MODULES, select Sqlite modules, select the service you would like to set the authentication for and click on CHANGE.

Figure 54: Configuring a Sqlite Authentication module (Configure Sqlite Authentication Modules: Service DEMO_SERVICE).

The following screen will open:

Figure 55: Configuring the Sqlite Authentication module for a specific service. The screenshot shows "Configure Sqlite Authentication Module For Service DEMO_SERVICE": HwSig Verification Off (CHANGE); a Hardware Signature list containing DemoUser; User Lockout with "Automatically lock user on failed login", Lock Expiration, Lock Reason and ADD.

By default the HwSig verification is set to Off. Two other options are available for the HwSig verification:

- DevId: Obtain the user's HwId from the DevId product solution.
- Exit: Obtain the user's HwId using the settings of the authentication module.

For the option Exit, in the case of the Sqlite Module the HwSig is obtained from the user's Hardware Signature field. When the DevId option has been chosen, make sure that the DevId Host & Port a
system configuration equals the saved configuration (saved 10-07-2012 14:05).

Reset Configuration To Factory Defaults: Click Reset to reset the current system configuration to the factory defaults. The device will automatically reboot when the configuration is reset.

Figure 22: Saving the system configuration.

REBOOT: In the main menu select the DEVICE tab and select Shut Down. Select REBOOT to reboot the system.

Figure 23: Rebooting the system. The screenshot shows the DEVICE tab with Shut Down selected and the buttons REBOOT and SHUTDOWN.

9 SSH

SSH is disabled by default on the KeyTalk appliance. Should there be a need to activate it, please contact your KeyTalk supplier for an updated KeyTalk license with activated SSH.

10 Changing KeyTalk passwords

The Graphical Administrator Interface can be used when required for administrator maintenance. The Admin authentication credentials are by default set to: Graphical Administrator Interface (Admin GUI): User reseptadmin, Password change.

In order to change the Graphical Administrator Interface password, do the following: In the upper menu select the DEVICE tab and select Admin Password.
the Remote Host and corresponding Port, and whether or not TLS should be used to secure the communication.

Figure 90: For TLS a server communication key signer CA certificate is needed (Back End Server Verification CA: No Certificate Found; UPLOAD).

Additionally, when using SSL/TLS you will need to upload the Server Communication Key Signer CA certificate in PEM format. This does NOT need to be a certificate created under your Certificate Authority tree, but can also be that of a 3rd party such as VeriSign or Microsoft.

19.5.3 Remote exit basics

When you wish to create your own authentication module (exit), you should always run it from a separate server. The details of what needs to be configured are covered in a separate Remote Exit document, which is available through your KeyTalk supplier or partner.

19.6 Synchronize User Lockout List

Screenshot: AUTHENTICATION MODULES > Synchronize User Lockout List ("Manually Synchronize User Lockout List Across Chains").

The User Lockout list is automatically copied to the rest of the configured chains each time it is altered via the WebUI or by the RESEPT Client. However, sometimes you may need to force manual synchronization, e.g. during the initial setup of server chains. Click Copy to copy the user lockout list from this chain to the rest of the config
to bind a service to a pre-configured internal database running on the KeyTalk appliance. Typically this module is used for testing purposes or small user communities. Though more user entries are possible, the maximum number of users in the Sqlite should not exceed 100, if only to reduce administrative effort. By default the KeyTalk appliance will have the DEMO_SERVICE service enabled for testing purposes. The DEMO KeyTalk client comes pre-configured with this service and the default username DemoUser. This database should be removed prior to taking the KeyTalk appliance into production.

19.1.1 Adding a Sqlite Module to a service

To add a Sqlite Module to a service, make certain the service exists (i.e. create it) and is not bound to another module. Choose ADD and select one of the available services.

Figure 52: Adding a Sqlite Authentication Module (Add Sqlite Authentication Module: Service DEMO_SERVICE).

19.1.2 Changing Sqlite Module settings for a service

Go to the tab AUTHENTICATION MODULES, select Sqlite modules, select the service you would like to change and click on CHANGE.

Figure 53: Configuring a Sqlite Authentication module.

19.1.2.1 HwSig Verification settings

HwSig (see section 18.2 Hardware Signature verification settings) allows for the optional configuration of HwSig verification for the specified
users. An existing user message can be changed or removed by selecting the user message and clicking on CHANGE or REMOVE.

Figure 94: Changing or removing a user message (list entry 26-07-2012 13:58, "Test", with CHANGE and REMOVE buttons).

20.2 Logged in Users

You can check if your license is still valid. Additionally, your license to serve a number of users can also be checked per service on the MAIN tab of KeyTalk.

Figure 95: License validity and number of users logged in (License Status: ShortTermCerts VALID).

It is possible that some users have left your company but are still counted as logged-in users. To correct the user counter field, the RESET button on the USERS tab can be clicked, deleting the 10% of users that did not log in recently (oldest first).

Figure 96: Resetting the oldest 10% of counted users. The screenshot shows USERS > Logged In Users: "Currently registered 1 logged in user(s) of max 10"; Service DEMO_SERVICE, User DemoUser, Last Login 10-07-2012 14:03, Client Version RESEPT Regular Client 4.2.0; Page 1 of 1, Users per page 50.

Deleting this 10% of oldest counted users can also be done via the LCD menu. See section 24 LCD information display for more information.

21 KeyTalk Appliance License

The KeyTalk Ap
25. 2.1.1 Version: display the current KeyTalk appliance firmware version
2.1.2 Counted users: display counted users for license purposes
2.2 IP Address: go to the IP information sub menu
2.2.1 External: display the current external IP number
2.2.2 Internal: display the current internal IP number
2.2.3 Management: display the current management IP number

25 Release notes
25.1 KeyTalk Appliance firmware
Release date June 1st 2011: initial release.
Significant efficiency improvement; upgraded OS; upload firmware option added; DevID module support updated.
January 23rd 2012: HAD functionality; download and remove functions on daemon certificates and keys; total unique users per service reporting; LCD based oldest unique user cleaning (max 10%).
Update documentation to KeyTalk 4.2. In 4.2 it is possible to generate the CA tree on the appliance.

26 Manufacturer information
KeyTalk BV, Nijverheidsweg Noord 78, 3812 PM Amersfoort, The Netherlands
Telephone: +31 64 672 67 94
Fax: +31 84 875 43 37
Email: info@keytalk.com
Web: www.keytalk.com
Chamber of Commerce: 57420858
VAT Number: NL852572955B01
Bank: Rabobank, IBAN NL14 RABO 0132 1619 15, BIC RABONL2U
RESEPT, TrustAlert and KeyTalk are brands of KeyTalk BV.

Index
Getting Started
26. 10.1.1.1:3000. You should replace this SSL certificate with your own. A certificate can be obtained from a well-known party such as VeriSign, GoDaddy, GlobalSign and Cybertrust. In the main menu select CERTIFICATES AND KEYS and select WebUI. Upload your own SSL certificate by clicking on Browse, selecting the SSL certificate and clicking on UPLOAD.

(Screenshot: CERTIFICATES AND KEYS > WebUI. "WebUI certificate and key are used to secure access to the RESEPT server UI via browser." The demo certificate shown has Subject C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=reseptadmin.reseptdemo.com, emailAddress=demo@reseptdemo.com; Issuer CN=Resept Demo CCA of the same organisation; Valid From 22-03-2011 13:34 GMT; Valid To 17-05-2027 13:34 GMT; Signature Algorithm sha1WithRSAEncryption; Public Key RSA 2048 bits; Key Info: Type RSA 2048 bits.)

Upload Certificate and Key: click Upload to upload a PEM containing certificate and key. The key should not be protected with a password.
Download Certificate and Key: click Download to down
27. 22.8 Server DevID Certificate & Key
The Server DevID certificate and key are used to secure communication between the KeyTalk Server and the DevID appliance.

Figure 106: Server DevID certificate information and key upload functionality (CERTIFICATES AND KEYS > Server DevID: "Server DevId certificate and key are used to secure communication between RESEPT and DEVID server." Certificate Info: No Certificate Found. Key Info: No Valid Key Found. Upload Certificate and Key: click Upload to upload a PEM containing certificate and key; the key should not be protected with a password; it is also possible for the PEM file to contain certificate or key only. Browse, UPLOAD.)

A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot.

22.9 DevID WebUI Certificate & Key
The DevID WebUI certificate and key are used to secure access to the DevID server UI via a browser. A separate DevID WebUI key and certificate are required
28. (Network interface overview table: Internal 172.16.1.1 / 255.255.0.0, manual IPv4, manual IPv6 /64; External 192.168.1.1 / 255.255.255.0, manual IPv4, manual IPv6 /64; Management 10.1.1.1 / 255.0.0.0, manual IPv4, manual IPv6 /64; Default IPv4 Gateway; Default IPv6 Gateway; no custom network routes defined.)
Figure 37: Changing default Gateway

On the screen that opens, configure the default gateway IP and select OK.
Figure 38: Changing the default gateway (Change Default Gateway: Default IPv4 Gateway, Default IPv6 Gateway. Setting the default gateway has effect only when all non-loopback interfaces use manual, i.e. non-DHCP, configuration.)

Note: Optionally you can set a gateway for each NIC separately.

16.2 Configure DNS
To set your applicable DNS, from the upper menu select NETWORK and select Configure DNS.
Figure 39: Configuring your DNS (Configure DNS Settings: Name Server 1, Name Server 2, Name Server 3. The DHCP client will overwrite the Name Server settings above.)

Enter the IP addresses of your DNS servers and select OK.
Note: Do not enter your host name but your IP addresses.

16.3 Configure High Availability Virtua
29. 19.3.2 Changing a RADIUS Module configuration 67
19.4 Execute Modules 70
19.5 Relay Modules, connecting other authentication solutions 71
19.5.1 Adding a Relay Module 71
19.5.2 Changing the Relay Module service configuration 71
19.5.3 Remote exit basics 73
19.6 Synchronize User Lockout List 73
20 User messages / Logged in users 74
20.1 User messages 74
20.2 Logged in Users 75
21 License
22 Certificates and keys configurations 77
22.1 Certificate Authority
22.2 Requirements
22.3 Signing Key 79
22.4 Server-server Communication Key 80
22.5 Client-Server Communication Key 81
22.6 WebUI Certificate & Key 82
22.7 KeyTalk License file
23 Errors and error reporting 84
24 LCD information display 89
25 Release notes 90
25.1 KeyTalk Appliance firmware 90
26 Contact information 91

1 Introduction
Thanks for choosing KeyTalk, formerly known as RESEPT. This device has been designed to make safe communication, the next generation of security, a reality. On top of that, KeyTalk has many additional benefits. With our patented KeyTalk technology you can easily pro
30. Figure 83: Manually adding a user to be locked out for a specific service (User ID field)

19.4 Execute Modules
Figure 84: Executable Authentication Modules (AUTHENTICATION MODULES > Execute Modules: Configure Execute Authentication Modules, with Service, Executable and MD5 columns)

Execute Modules are tailor-made modules officially released by KeyTalk BV as NON-STANDARD. These modules are not part of the formal firmware release. Though it is not the policy to release modules outside of the officially supported firmware releases, this feature makes it possible when an exception to that policy is made. Licensing restrictions may apply. Consult your KeyTalk supplier or partner for more information.

19.5 Relay Modules, connecting other authentication solutions
Figure 85: Relay Authentication Modules (AUTHENTICATION MODULES > Relay Modules: Configure Relay Authentication Modules)

Relay Modules allow you to make use of the REMAP API (REMAP: KeyTalk Exit Module Authentication Protocol) to connect to authentication solutions which are not supported by KeyTalk by default. Customers and partners of KeyTalk
31. (CERTIFICATES AND KEYS > Generate form: Primary CA, CN RESEPT Demo PCA, Key Size 4096 bits; Signing CA, CN RESEPT Demo Signing CA, Key Size 4096 bits; Communication CA, CN RESEPT Demo CCA, Key Size 4096 bits; Server, CN demo.reseptdemo.com; WebUI, CN reseptadmin.reseptdemo.com, Key Size 2048 bits; DevID WebUI, CN devidadmin.reseptdemo.com; Include Root CA checkbox.)
Figure 111: Generate the newly configured tree

Click Generate Tree to generate a certificate tree using the configuration specified on this page. When done, you will be prompted to install the generated certificates to the appliance.

(Screenshot: "The certificate tree has been successfully generated. Click Install to install the generated certificates and keys to the appliance.") The device management interface will automatically restart
32. HAD Settings, Status.
Figure 42: Configuring daemons

In the next sub-sections it is described how these two daemons can be configured.

17.1 Certificate Authority daemon (CAD) settings
To configure the Certificate Authority daemon, select CAD Settings in the DAEMONS tab.
Figure 43: Configuring the CAD Settings (Configure CAD Settings: Save Signing Key Password checkbox, Signing Key Password field)

The CAD is responsible for the creation of the user certificates and keys. When a password is present on your CAD Signing Key, you may wish to store it for REBOOT purposes. The default password on the KeyTalk DEMO is blank. Select OK to save.

17.2 High Availability daemon settings
To configure the High Availability daemon, select HAD Settings in the DAEMONS tab.
Figure 44: Configuring the HAD Settings (Configure HAD Settings: HAD Sync Service, Binding Interface Type Loopback, Binding Port 7001)

The HAD is responsible for discovery and synchronization between the other physical KeyTalk appliances. Select the Binding Interface Type:
• Loopback: see Section 16.1 Configure interfaces for the description of this interface type.
• Internal: see Section 16.1 Configure interfaces for the description of this inte
33. KeyTalk Firmware 4.2 Administrator Appliance Manual
Installation and settings
KeyTalk Documentation

This document is property of KeyTalk BV. This is a controlled document: it may not be copied and nothing in it may be changed without the knowledge and consent of KeyTalk BV.

Copyright KeyTalk BV. All rights reserved. The information in this document is subject to change without notice. No part of this document may be reproduced, stored or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of KeyTalk BV. KeyTalk BV assumes no liability for any damages incurred directly or indirectly from any errors, omissions or discrepancies between the software and the information contained in this document. KeyTalk is a registered trademark and the KeyTalk logo is a trademark of KeyTalk BV.

Document name: KeyTalk Client 4.2 Appliance Manual
Version: 4.202
Date: 26 Jul 13

Document control (Revision, Date, Summary of Changes)
4.002, 22Jun11: Initial release
4.003, 13Jul11: Added chapter on LCD display; updated Remote Exit chapter
4.004, 25Jul11: Additional information added on HAD chain; updated chapters 5, 12.2, 13, 15, 17, 19, 21.3, 21.4, 21.5, 22.1, 22.2, 23.1.2.2, 23.1.2.3, 23.2.2.2, 27
4.005, 16Aug11: Added chapters 2.1; updated screenshots; TrustAlert brand replaced with Elephant Security
4.101, 23Jan12: upda
34. LDAP attributes to the certificate fields. To map the LDAP attributes to the certificate fields, select CHANGE under Certificate to LDAP attribute mappings.

Field (description; allowed values):
Filter: the LDAP filter used to specify the record against which the criteria are matched; any valid value.
Country: the value of the country code as it should occur in the user certificate; ISO 3166 standard value.
City / Locality: the value of the city / locality as it should occur in the user certificate; any value except blank.
Organization: the value of the organization as it should occur in the user certificate; any value except blank.
Common Name: the value of the user's name as it should occur in the user certificate; any value except blank.
Email: the value of the email address as it should occur in the user certificate; any value except blank.
Time To Live: the amount of time that a certificate is valid from the time it was issued; any positive value expressed in seconds, except blank. Can be 0.
Time for Correction: the default time correction factor, expressed in seconds, to correct problems when the Client system time is slightly off, for example -1800; any negative value expressed in seconds, except blank. Can be 0.
Basic Constraints: CA:FALSE, the generated certificate is a user certificate; CA:TRUE, the generated certificate is a CA certificate and is allowed to issue certificates.
Key Usage: certificate Key Usage; values should be comma separated: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement.
Extended Key Usage: Certificate
35. LDAP server by using the Check button.
Figure 72: Configuring LDAP Server connection

URL: the LDAP location and appropriate port number; for Global Catalog use port 3268.
Bind DN: the Bind DN setting; appropriate parameters are described in the next sub-chapter.
Bind Pwd: either a bind is done using the user's credentials or, when using anonymous, a static password can be provided.

To make a secure connection possible between your LDAP / AD and KeyTalk, the LDAPS protocol is supported. Upload the appropriate certificate using the LDAPS CA Certificate interface.
Figure 73: Uploading an LDAPS CA Certificate (LDAPS CA Certificate, required for LDAPS only: No Certificate Found; Browse, UPLOAD)

NOTE: The BIND DN is dependent upon the specific LDAP integration. Example: when using userPrincipalName, the userid placeholder would suffice.

19.2.2.4 Certificate to LDAP attribute mappings
The X.509 standard defines several fields in a certificate which must be filled in order to be RFC compliant. By default these certificate fields are filled with the default values as set in the service. When using the default settings, your users will be provided with X.509 user certificates which are all unique based on the date/time of issuing, the serial number and of course the username. However, it might be prudent to have more unique user credentials in the certificate. When this is required, you can map your
36. Panel component J provides information to those accessing the physical KeyTalk appliance. Using buttons A, B, C and D allows you to navigate the different information screens on the LCD display.

(Button layout: Direct code mode, buttons A, B, C, D; Normal mode, buttons A, B, C, D, each with a position.)

To activate the LCD information display menu, touch any of the buttons A, B, C or D. After it has been activated you can press D to activate the Direct Code mode. Press buttons A to C to go to the Normal mode. Selecting and confirming any of the three-figure menu items will make the LCD go to its default display.

LCD menu:
Direct code: activate direct code
1 Device: go to the device sub menu
1.1 Power: go to the power sub menu
1.1.1 Reboot: reboot the appliance. This will make the active configurations persistent.
1.2 IP reset: go to the IP reset sub menu
1.2.1 Reset the external IP to default (perform 1.3.1 manually)
1.2.2 Reset the internal IP to default (perform 1.3.1 manually)
1.2.3 Reset the management IP to default (perform 1.3.1 manually)
1.3 Maintenance: go to the KeyTalk maintenance sub menu
1.3.1 Reset users: reset the oldest 10% of the user license count
1.3.2 Save Settings: save changed settings
1.3.3 Reset settings: reset all settings to factory default and
1.3.4 Upgrade: activate the FW upgrade
2 Info: go to the information sub menu
2.1 KeyTalk: go to the KeyTalk information sub menu
37. (DEVICE tab sub-menu: Time, Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down, Report Problem. Change Device Web Access Password, Account reseptadmin: Current Password, New Password, Repeat New Password, OK. Change Device Admin Password, Account reseptadmin: Current Password, New Password, Repeat New Password.)
Figure 24: Changing Graphical Administrator Interface password

Enter both the current and the new password and confirm the new password in the Change Device Web Access Password fields. Press OK to activate the new password.
Note: It is important to remember this password.

The KeyTalk appliance also has a more powerful user, the device admin, for low-level administrator maintenance. This user is not enabled by default. If required, contact your KeyTalk supplier or partner.

11 Backup and Restore
To make a full backup of your current system configuration to your computer, select DEVICE from the main menu, select Backup & Restore Configuration and select BACKUP.
(Screenshot: DEVICE > Backup & Restore Configuration. Backup Configuration: click Backup to save the current system configuration to your compute
38. administrator interface
The KeyTalk appliance Graphical Admin Interface can be accessed by browser over the following URL: https://10.1.1.1:3000
Note: Pay attention to the S in HTTPS and port 3000.

Because the appliance is configured with a self-signed SSL certificate by default, you will likely get a warning that the security certificate was not issued by a trusted certificate authority. In this case ignore the warning and continue to the website. This is a workaround: a trusted certificate should be obtained from a known certificate authority such as VeriSign, GoDaddy and Cybertrust, or from the KeyTalk Certificate Authority, before going into production. When that certificate is installed no warning should occur.

Figure 5: Sample warning (browser message: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website." Options: "Click here to close this webpage", "Continue to this website (not recommended)", "More information".)

You will then go to the login page for KeyTalk.

5.4 Step 4: Authenticating to the administrator interface
T
39. alk appliance.
Note: Before upgrading your firmware make sure the Daemons are stopped. See section 17 Configuring daemons in case you update a live system.

Upgrading the KeyTalk firmware can be done in two different ways:
1. For remote upgrading you can upload the upgrade file via the administrator graphical interface (Admin GUI). Within the KeyTalk Admin GUI go to DEVICE, select Firmware Upgrade, click on Browse to select the upgrade file and click on UPLOAD to start the upgrade process.
Figure 28: Firmware upgrade, remote (DEVICE > Firmware Upgrade: Current Firmware Version 4.2.0. "To install upgrade please do ONE of the following: either upload RESEPT image to the server, or start upgrade daemon and insert USB stick with resept.img. Your configuration will be automatically saved during upgrade. The device will automatically reboot when the upgrade is complete.")
2. If you have physical access to the appliance you can use a USB stick for the upgrade. Within the KeyTalk Admin GUI go to DEVICE, select Firmware Upgrade, and insert the USB stick with the upgrade files on it into one of the USB ports (L or M); the LCD menu will be activated. Click
40. alk supplier, who can provide you with a new label. In case the label is damaged without your knowledge, be warned that your KeyTalk may have been opened and tampered with. Please report such an incident to your KeyTalk administrator and/or security officer.

When the device needs to be sent to the manufacturer for repair, open the device by breaking the label and remove the hard disk. This hard disk contains your company data and should not be sent to the manufacturer. When the device has been repaired you will receive it back with a new hard disk and label. This hard disk will be in the initial state. Your settings and company data can be restored from a backup. Please refer to the Backup and Restore section for more information on how to do this.

Quick Start Guide
Assumptions:
• The KeyTalk appliance is by default delivered in DEMO configuration and should work immediately after applying the configurations described below.
• For this quick start configuration the default KeyTalk Client should be used together with the DEMO RCCD file (RCCD: the Remote Configuration Client Data).
• For security reasons the DEMO key and certificate material must always be replaced with production material before taking the solution into a production environment.
• When using production key and certificate material, a corresponding production KeyTalk client RCCD file must be used, otherwise communication will fail. An RCCD
41. consists of several RESEPT servers accessible for RESEPT clients via a single IP provided by a virtual interface called the High Availability (HA) interface. If any server from the group stops working, e.g. because of planned maintenance or a fail-stopped daemon, another server automatically takes over the communication, transparently for all RESEPT clients.
Figure 40: Configuring the High Availability Virtual Interface (Virtual Interface Status: down; Redundancy Group Id; IPv4 Configuration Manual, IPv4 Address, IPv4 Subnet Mask; IPv6 Configuration Manual, IPv6 Address, IPv6 Prefix Length)

Make the appropriate configuration changes and select OK.

16.4 Configure KeyTalk client listening port
It is very unlikely that you will have to change the port number on which the KeyTalk appliance listens to the KeyTalk Client, as the default port 80 will pass most firewalls. If you would like to change the port, select NETWORK from the main menu and select Configure RESEPT Client Listen Port.
Figure 41: Configuring the KeyTalk client listening port (Configure RESEPT Client Listen Port: Interface Type External, IPv4 Address 192.168.1.1, IPv6 Address, port)

Chang
42. Execute Modules, Relay Modules.
Figure 76: RADIUS Authentication Module (Configure RADIUS Authentication Modules: DEMO_SERVICE)

When a RADIUS server is used for authentication purposes, for example when using security tokens, this module can be used to bind the RADIUS based authentication to a KeyTalk service.

19.3.1 Adding a RADIUS Module
To add a RADIUS Module to a service, the service must exist and not be connected to another Authentication Module. Select ADD and select the service you wish to connect.
Figure 77: Adding a RADIUS Authentication Module (Service: DEMO_SERVICE)

19.3.2 Changing a RADIUS Module configuration
To change the RADIUS Module configuration of a service, select the appropriate service from the RADIUS Configuration Module list and select CHANGE.
Figure 78: Configuring the RADIUS Authentication Module for a specified service (Configure RADIUS Authentication Module For Service DEMO_SERVICE: HwSig Verification Off; RADIUS Server list with Server, Port (0 to detect), Max Tries and Timeout (sec) columns, Server 1 localhost; User Lockout: Automatically lock user on failed login, with User ID, Lock Expiration and Lock Reason columns)

19.3.2.1 HwSig Verification settings
HwSig (see section 18.2 Hardware Signature) verification settings allow for the optional configuration of HwSig verification for the specified service
43. ddresses of your DNS servers and select OK.
Figure 11: Setting the applicable DNS (Configure DNS Settings: Name Server 1, Name Server 2, Name Server 3. Activating the DHCP client will overwrite the Name Server settings above.)

To set the applicable date/time, go to the tab DEVICE and select Time. Enter the current date and time in UTC and select SET.
Figure 12: Setting the applicable date/time (Configure Device Time: System Time 2012-07-26 10:17:45; Offset from UTC 00:00; Use NTP checkbox; NTP Server 1 to NTP Server 8. It is strongly recommended to reboot the device after changing the time.)

Note: The Netherlands is UTC+1 (during summertime UTC+2); CST is UTC-6 (during summertime UTC-5); EST is UTC-5 (during summertime UTC-4).

Preferably set your applicable NTP server(s). When using NTP server(s), also check the Use NTP box. Confirm by selecting OK.

(DEVICE tab sub-menu: Time, Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configurat
44. dule configuration of a service, select the appropriate service from the LDAP Configuration Module list and select CHANGE. This brings up a large overview menu with several different LDAP Module configuration options.

Figure 67: Configuring LDAP Authentication module for a specific service (Configure LDAP Authentication Module For Service, with a Test button. HwSig Verification Off, with an attribute table of Attribute name, Attribute match mode, Attribute value and Filter: rows HWSIG / NONE / hwsig, HWSIG / NONE / pincode and memberOf / NONE, each filtered on sAMAccountName = userid. Supported placeholders: service, domain, userid, password, hwsig, pincode; double the placeholder marker for a verbatim representation. LDAP Server list with Server, Bind DN and Server CA Certificate Exists columns: Server 1 ldap://localhost:389 with a Bind DN under ou=Users,dc=example,dc=com. Certificate to LDAP attribute mappings: Filter sAMAccountName = userid; Certificate attribute, LDAP attribute. User Lockout: Automatically lock user on failed login; User ID, Lock Expiration, Lock Reason.)

19.2.2.1 HwSig Verification settings
HwSig (see section 18.2 Hardware Signature) ve
45. e the port number and select OK to save the change. Additionally, you must change the KeyTalk client RCCD file to contain the corresponding port number for the INI file(s).

17 Configuring daemons
"In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user." (source: Wikipedia.org)

The following daemons are important for proper functioning of the KeyTalk appliances:
• AUTHD (Authentication daemon): responsible for the user authentication process. It will connect to the applicable authentication database.
• CAD (Certificate Authority daemon): the actual creator of the certificate. It will be invoked after successful authentication.
• HAD (High Availability daemon): responsible for the high availability functionality of the KeyTalk solution.
• RDD (RESEPT Distribution daemon): user traffic connects to the RDD. This daemon will sanitize the user input, perform some checks and, when correct, will take responsibility for the distribution of the workflow to the other daemons.

Next to the above mentioned daemons there is also an Admin GUI daemon running on the KeyTalk appliance. Two daemons, CAD and HAD, can be configured in the tab DAEMONS.
(DAEMONS tab sub-menu: CAD Settings,
46. ecting the appliance to the internal network 25
8 KeyTalk Admin GUI 26
8.1 Replacing Admin GUI SSL certificate 26
8.2 Saving changes & reboot 27
9 SSH 29
10 Changing KeyTalk passwords 30
11 Backup and Restore 31
12 Factory Reset 32
13 Firmware upgrade 33
14 Date/time & NTP settings 35
15 Log files 37
15.1 Daemon logging settings 38
16 Network settings 39
16.1 Configure interfaces 39
16.2 Configure DNS 41
16.3 Configure High Availability Virtual Interface 41
16.4 Configure KeyTalk client listening port 42
17 Configuring daemons 43
17.1 Certificate Authority daemon (CAD) settings 43
17.2 High Availability daemon settings 44
17.3 Stop/start daemons & status 46
18 Services 47
18.1 Creating/modifying a service 47
18.2 Hardware Signature 51
19 Authentication modules 53
19.1 Internal Sqlite database module 53
19.1.1 Adding a Sqlite Module to a service 54
19.1.2 Changing Sqlite Module settings for a service 54
19.2 LDAP Module (includes AD) 59
19.2.1 Adding an LDAP Module 59
19.2.2 Changing an LDAP Module configuration 60
19.3 RADIUS Module 67
19.3.1 Adding a RADIUS Module 67
19.3.2 Changing a RA
47. efault value of the city/locality as it should occur in the user certificate.
13 City / Locality: the default value of the city / locality as it should occur in the user certificate.
14 Organization: the default value of the organization as it should occur in the user certificate.
15 Organizational Unit: the default value of the organizational unit as it should occur in the user certificate.
16 Email: the default value (email address) of the organization as it occurs in the user certificate.
17 Time To Live (sec): the default amount of time, expressed in seconds, that a certificate is valid from the time it was issued.
18 Time For Correction (sec): the default time correction factor, expressed in seconds, to correct problems when the Client system time is slightly off.
19 Basic Constraints: CA:FALSE, the generated certificate is a user certificate; CA:TRUE, the generated certificate is a CA certificate and is allowed to issue certificates (for advanced use only).
20 Key Usage: digitalSignature allows for digital signing; nonRepudiation qualifies a digital signature for non-repudiation; keyEncipherment allows for encryption of keys; dataEncipherment allows for encryption of data; keyAgreement allows for SSL key handshaking.
21 Extended Key Usage: used for 802.1x EAP-TLS user certificate based authentication. Additional OIDs, comma separated; refer to http://www.openssl.org/docs/apps/x509v3_config.html (Extended Key Usage) for more information.
22 Alternative subject name: the default value of the alternative subject name. For more
48. (Network interface overview table with columns Interface, IPv4 Address, IPv4 Subnet Mask, IPv4 Configuration, IPv6 Address, IPv6 Prefix Length, IPv6 Configuration: Loopback 127.0.0.1 / 255.0.0.0, Automatic, IPv6 /64 Automatic; Internal 172.16.1.1 / 255.255.0.0, Manual, IPv6 /64 Manual; External 192.168.1.1 / 255.255.255.0, Manual, IPv6 /64 Manual; Management 10.1.1.1 / 255.0.0.0, Manual, IPv6 /64 Manual. Default IPv4 Gateway; Default IPv6 Gateway; no custom network routes defined.)
Figure 8: Setting network configuration

5.6 Step 6: Edit network interface settings
Configure IP Address, Subnet Mask and the Default Gateway to match your own network topology and click OK to save these settings.
Figure 9: Network Interface Settings (Edit Network Interface Settings: Interface Type External; IPv4 Configuration Manual, IPv4 Address 192.168.1.1, IPv4 Subnet Mask 255.255.255.0; IPv6 Configuration Manual, IPv6 Address, IPv6 Prefix Length 64; OK, Cancel)

Note: Optionally you can set a gateway for each NIC separately.

5.7 Step 7: Change administrator password
To guarantee the best security possible, it is important to change all user passwords before step 10, Connecting the appliance to the external network. The Graphical Administrator Interface can be used when required for maintenance.

The Admin authentication credentials are by default set to:
Graphical Administrator Interface (Admin GUI): User reseptadmin, Password change
In
49. emo.com; Valid From: 22-03-2011 13:32 GMT; Valid To: 17-05-2027 13:32 GMT; Signature Algorithm: sha1WithRSAEncryption; Public Key: RSA 2048 bits; SHA1 Fingerprint: e2155ebbd9e18792af8icbeSaafic804F765007c; Key Info: Type RSA 2048 bits.
Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain the certificate or key only. (Browse, UPLOAD)
Download Certificate and Key: Click Download to download the certificate and key as a single PEM file.
Figure 103: Server-Server certificate information and key upload functionality
This screen allows you to download and remove the current certificate and key, and to upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent please refer to section 8.2, Saving changes & reboot.

22.6 Client-Server Communication Key
This tab allows you to view the information of the KeyTalk Client-Server key and certificate. This certificate and key are required to establish a secure connection between the KeyTalk client and the KeyTalk server. You can upload the combined certificate
50. equals the saved configuration (saved 10-07-2012 14:05). (Remainder of Figure 14: DEVICE tab items Time, Admin Password, SSH Access, Save & Reset Configuration. Save System Configuration. Reset Configuration To Factory Defaults: Click Reset to reset the current system configuration to the factory defaults. The device will automatically reboot when the configuration is reset.)
Figure 14: Saving current system configuration

In case a system reboot is necessary, the standard configuration will be used unless the changes have been saved. See section 8, KeyTalk Admin GUI, for details about making changes in the KeyTalk Admin GUI and saving them.

5.10 Step 10: Connecting the appliance to the external network
The KeyTalk appliance has 3 active Network Interface Connectors (NIC). These are O, P and Q (see section 3, Back Panel Components). NIC Q is by default assigned to 192.168.1.1 and is to be connected to the external network. This NIC should be used for regular KeyTalk client-server communication.

5.11 Step 11: Testing the KeyTalk solution
Now that the installation is complete, the KeyTalk solution can be tested using the provided demo KeyTalk Client in combination with the DEMO RCCD file. To update the KeyTalk client configuration, start the RESEPT Configuration Manager from the Windows START menu. (Start menu listing: Microsoft Silverlight, Microsoft Visual Studio 2010, Microsoft Visua
51. accessed from the tab LOGS in the upper menu:
- AUTHD Logs: Authentication daemon logs
- CAD Logs: Certificate Authority daemon logs
- HAD Logs: High Availability daemon logs
- RDD Logs: RESEPT Distribution daemon logs
- WebUI Logs: Web interface logs
For example, from the main menu select the LOGS tab and select AUTHD Logs.
Figure 32: Authentication daemon logs (LOGS tab: AUTHD Logs, CAD Logs, HAD Logs, RDD Logs, WebUI Logs. Auth Daemon Logging Settings: Log Location local; Logging Host; Log Severity debug. Auth Daemon log, last 500 entries.)

15.1 Daemon logging settings
Each Daemon and the Web UI have their own log file, which can be configured individually.
Figure 33: Daemon logging settings, e.g. for the authentication daemon log (Auth Daemon Logging Settings: Log Location local; Logging Host; Log Severity debug)
Log Location allows the Admin to choose between local logging (default) and remote logging. When local logging is chosen, the appropriate Daemon's log file is stored on the local KeyTalk appliance until it reaches a size of 250k. After that the local log file rotates to a fresh log file. Choosing remote logging requires setting a host. Remote logging allows for a continuous log file on your syslog server. Log Severity allows
52. specific user. Setting or changing the optional password of a user requires selecting the password paper-and-pen (edit) icon.
Figure 59: Setting/changing a password for a user (Edit User for Service DEMO_SERVICE: User ID DemoUser; Hardware Signature; Password (masked); Pincode (masked))
Figure 60: Edit user password (Edit User password for Service DEMO_SERVICE: User ID DemoUser; Enter new password; Re-enter new password)
Setting or changing the optional Pincode of a user requires selecting the Pincode paper-and-pen icon.
Figure 61: Setting/changing the pincode for a user (Edit User for Service DEMO_SERVICE: User ID DemoUser; Hardware Signature; Password; Pincode)
Figure 62: Edit user pincode (Edit User pincode for Service DEMO_SERVICE: User ID DemoUser; Enter new pincode; Re-enter new pincode)

19.1.2.3 LockOut
The User LockOut mechanism allows users to be locked out of the system when they enter the wrong authentication credentials.
Figure 63: Enable/disable user lockout (User Lockout: Automatically lock user on failed login)
Automatic lockout can be selected or not. Click OK to save the settings. When Automatic lockout is selected, the KeyTalk appliance will automatically add, lock and release users based on an incremental time penalty. The Admin can always manually release users before the time penalty expire
53. file can be generated by your organization itself. This functionality is described in Chapter 5 of the Client Administrator Manual.
- DNS, NTP, HTTP, HTTPS, SysLog, port 3000 and optionally icmp ping (0/8) are assumed to be available for connection purposes.

5.1 Step 1: Powering the appliance
a. Remove the appliance from its box.
b. Plug the black power cord into the appliance back power port (K).
c. Plug the power cable into a power socket connector.
d. Press the power-on button (E).

5.2 Step 2: Connecting the appliance to the internal network
The KeyTalk appliance has 3 active Network Interface Connectors (NIC): O, P and Q in Figure 2, Back panel KeyTalk. NIC P is 10.1.1.1 and is assigned to the KeyTalk management interface. This NIC should only be accessible to the system administrator.
e. Connect the administrator PC/laptop by UTP cable.
f. Configure the administrator PC/laptop for the 10.1.1.x network so that you can connect to 10.1.1.1. Pick for example the address 10.1.1.50 for the administrator PC (the address must be 10.1.1.x with x > 4) and use network mask 255.255.255.0.
NOTE: By default the pre-configuration is based on IPv4; however, IPv6 is fully supported. The focus of the manuals and training is on IPv4, and they do not go into detail on IPv6 configuration.
Sample screenshots on a Windows 7 64-bit PC showing how to configure your IP
54. for you. (CERTIFICATES AND KEYS tab: Overview, Root CA, Primary CA, Signing CA, Communication CA, Server-Server, Client-Server, WebUI Server, DevId, DevId WebUI, Backup & Restore, Generate.)
The Signing CA is used by CAD to sign generated certificates. The RESEPT server requires both certificate and key; the RESEPT client only requires the certificate (UCA), which is included in the RCCD file.
Certificate Info:
Subject: C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=Resept Demo Signing CA, emailAddress=demo@reseptdemo.com
Issuer: C=NL, ST=Utrecht, L=Soesterberg, O=Resept Demo, OU=Demo Only, CN=Resept Demo PCA, emailAddress=demo@reseptdemo.com
Valid From: 22-03-2011 13:25 GMT; Valid To: 17-05-2027 13:25 GMT
Signature Algorithm: sha1WithRSAEncryption
Public Key: RSA 4096 bits
SHA1 Fingerprint: 1ab4f90ifaedd76f9f10a9cd5ced9744af218420
Key Info: Type RSA 4096 bits
Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain the certificate or key only. (Browse, UPLOAD)
Download Certificate and Key: Click Download to download the certificate and key as a single PEM file.
Figure 101: Signing CA information and key upload functionality
This screen allows you to do
55. from minimal logging using emerg (emergency), via the standard log level err (error), up to the most comprehensive log file under the setting

16 Network settings
16.1 Configure interfaces
To configure the network, network administration knowledge is required. The KeyTalk appliance makes use of four interfaces. These can be configured by selecting NETWORK from the main menu, followed by Configure Interfaces.
Figure 34: Configuring interfaces (NETWORK tab: Configure Interfaces, Configure DNS, Configure HA Interface, Configure RESEPT Client Listen Port, Configure NTP). The interface table shown:
Interface Type | IPv4 Address | IPv4 Subnet Mask | IPv4 Configuration | IPv6 Address | IPv6 Prefix Length | IPv6 Configuration
Loopback | 127.0.0.1 | 255.0.0.0 | Automatic | ::1 | 64 | Automatic
Internal | 172.16.1.1 | 255.255.0.0 | Manual | fd7c ac10 101 | 64 | Manual
External | 192.168.1.1 | 255.255.255.0 | Manual | fd7c c0a8 101 | 64 | Manual
Management | 10.1.1.1 | 255.0.0.0 | Manual | fd7c a01 101 | 64 | Manual
Default IPv4 Gateway; Default IPv6 Gateway; no custom network routes defined.
Interface Types: Loopback cannot be configured from the Admin GUI. Internal corresponds to NIC O (see Section 3, Back Panel Components). External corresponds to NIC Q (see Section 3, Back Panel Components).
56. have made available some unsupported API implementations, which can be requested through your KeyTalk supplier or partner.

19.5.1 Adding a Relay Module
To add a Relay Module to a service, the service must already exist and must not be connected to another Authentication Module. Select ADD and select the service you wish to connect.
Figure 86: Adding a Relay Authentication Module (Add Relay Authentication Module: Service DEMO_SERVICE)

19.5.2 Changing the Relay Module service configuration
To change the configuration settings, select the Relay Module service for which you wish to change the configuration and select CHANGE.
Figure 87: Configuring the Relay Authentication Module for a specified service (Configure Relay Authentication Modules: Service DEMO_SERVICE)
You will now see the current configuration, which can be changed by selecting CHANGE.
Figure 88: Current configuration (Configure Relay Authentication Module For Service DEMO_SERVICE: Remote Host backauth.reseptdemo.com; Remote Port 9001; Use TLS Y; Server Communication Key Signer CA: Exists)
Figure 89: Editing the configuration (Edit Relay Authentication Module for Service DEMO_SERVICE: Remote Host backauth.reseptdemo.com; Remote Port 3001; Use TLS)
Since the Relay module effectively makes use of a host running remotely, only a connection to the Remote Host needs to be defined. Configure
57. The default authentication credentials to access the KeyTalk administrator interface role are: User reseptadmin, Password change.
Figure 6: Login to the KeyTalk administration page after ignoring the certificate warning (Windows Security: The server 10.1.1.1 at RESEPT ADMIN requires a username and password; reseptadmin; Remember my credentials)
This user has full access to all the options on the KeyTalk device. The homepage of KeyTalk will open.
Figure 7: Homepage KeyTalk (menu: MAIN, SERVICES, DAEMONS, AUTHENTICATION MODULES, USERS, LICENSE, CERTIFICATES AND KEYS, NETWORK, DEVICE, HIGH AVAILABILITY, LOGS; Status: ALL DAEMONS ARE RUNNING)

5.5 Step 5: Set network configuration
For configuring the network, network administration knowledge is required. To set the network configuration, select the NETWORK tab in the upper menu, select Configure Interfaces, enable the External checkbox and select CHANGE.
(NETWORK tab: Configure Interfaces, Configure DNS, Configure HA Interface, Configure RESEPT Client Listen Port, Configure NTP. Interface table columns: Interface Type, IPv4 Address, IPv4 Subnet Mask, IPv4 Configuration, IPv6 Address, IPv6 Pr
58. Configuration, Firmware Upgrade, Shut Down, Report Problem (remainder of the DEVICE tab bar). Configure Device Time: System Time 2012-07-26 10:17:45; Offset from UTC 00:00; NTP Server 1 to NTP Server 8. It is strongly recommended to reboot the device after changing the time.
Figure 13: Setting your applicable NTP server(s)
Possible problems: Please make sure the firewall rules allow connections to NTP services (UDP 123). Also keep in mind that NTP will only slowly correct the time settings. This is standard NTP behavior; to avoid a delay, manually set the time before enabling NTP. Manually setting the time cannot be done after enabling NTP. Also see section 14, Date/time & NTP settings.
There are two menu items to configure the time, but both function identically. One menu item is located in the Network configuration, the other in the Device configuration. Both direct you to the same function.

5.9 Step 9: Save the current configuration
In the main menu select the DEVICE tab and select Save & Reset Configuration. Select SAVE to save the System Configuration.
(DEVICE tab: Backup & Restore Configuration, Firmware Upgrade, Shut Down.) Click Save to save the current system configuration to the non-volatile RAM (NVRAM) of the device. Your current system configuration
59. Virtual Interface
When running multiple KeyTalk chains (i.e. split daemons on multiple KeyTalk appliances) you may wish to set up a redundancy group. For more info on KeyTalk chains refer to section 17.2.1, In-depth HA chain.
One logical KeyTalk server consists of one or more physical KeyTalk appliances (servers) grouped by the same redundancy group ID. From the KeyTalk Client perspective it behaves as one server with one IP address. This IP address is provided by a virtual interface called the High Availability (HA) interface. On one appliance the daemons are configured in chains. If the chain breaks, the master appliance will communicate this to the other appliances within the same redundancy group in order to elect a new master.
High Availability is not a substitute for load balancing. The current limitation of High Availability for the KeyTalk appliance is that it is bound to one network IP range.
To configure High Availability, from the main menu select NETWORK, then select Configure HA Interface.
(HA Configuration: disabled. NETWORK tab: Configure Interfaces, Configure DNS, Configure HA Interface, Configure RESEPT Client Listen Port, Configure NTP. Configure High Availability Virtual Interface: When running multiple RESEPT servers you may wish to set up a redundancy group. A redundancy group
60. (Start menu listing continues:) Visual Studio 2012, NVIDIA Corporation, Renesas Electronics, RESEPT 4.2 (RESEPT 4.2, RESEPT Configuration Manager, RESEPT Problem Report Generator, Uninstall RESEPT), SharePoint, Back.
Figure 15: KeyTalk Configuration Manager
Figure 16: RESEPT Configuration Manager (tabs: General, Installed Settings, User Settings, Master Settings)
Load the RCCD file to test the KeyTalk appliance by clicking Load.
Figure 17: Selecting the setting to load an RCCD file (Load Settings: From URL, From File)
Browse to the location where the RCCD is saved, either via your browser or on your local system. Click Load to upload the selected RCCD file. After a successful upload the following message will appear on screen.
Figure 18: RCCD file was successfully uploaded and applied
If the screen above does not appear, the RCCD file you tried to upload may be corrupt. Please recreate the RCCD file and upload it again. After clicking OK the screen below will open.
Select the Provider Settings tab and enter the appropriate KeyTalk Appliance server, which can be specified by IP address or DNS name. When done, select OK.
Figure 19: Sample provider settings (Provider: ElephantSecurity; Settings Server: keymaster.com)
For testing purposes
61. Select the DEVICE tab from the main menu and select Save & Reset Configuration. Select RESET to restore the default factory configuration settings.
Figure 27: Resetting the Factory Defaults (DEVICE tab: Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down, Report Problem, Time, Admin Password, SSH Access. Save System Configuration: Click Save to save the current system configuration to the non-volatile RAM (NVRAM) of the device. Your current system configuration equals the saved configuration (saved 10-07-2012 14:05). Reset Configuration To Factory Defaults: Click Reset to reset the current system configuration to the factory defaults. The device will automatically reboot when the configuration is reset.)
Note: Resetting to the default factory configuration settings will also affect your configured IP addresses. In case your KeyTalk device is off-premise, remote communication with the device will be impossible after a factory reset.

13 Firmware upgrade
KeyTalk BV periodically releases new firmware for the KeyTalk appliance. New firmware can fix bugs as well as add new functionality. Upgrading requires you to go from one version to the next in full sequential order. Skipping a firmware version in between may result in the malfunctioning of the KeyT
62. appliance. As a result you can use your existing infrastructure without adding a new database. Of course, for testing purposes or when you only have a small community, an onboard username/password database is available as well.
For example, companies with multiple branches that manage their own authentication solution(s), such as RADIUS or LDAP/AD, can make use of a centrally available KeyTalk to turn their heterogeneous authentication environment into a funneled, homogeneous authentication environment. As a result each company may have its own preferred authentication type, but the network only needs to be configured for one X.509 certificate based solution, making the administration consistent and efficient.
By default KeyTalk has 3 authentication modules onboard. Each module can be used multiple times, each instance with its own specific configuration:
- Internal Sqlite based database
- LDAP/AD module
- RADIUS
Companies who wish to bind another type of authentication solution to KeyTalk can make use of an API allowing easy integration of solutions such as an Oracle Database.

19.1 Internal Sqlite database module
Figure 51: Configuring the Sqlite authentication modules (AUTHENTICATION MODULES tab: Sqlite Modules, LDAP Modules, RADIUS Modules, Execute Modules, Relay Modules. Configure Sqlite Authentication Modules: DEMO_SERVICE)
The Sqlite Modules section allows you
63. Figure 50: Edit a service (Edit Service form for DEMO_SERVICE, with numbered callouts 0 to 16: Service Name DEMO_SERVICE; Required Credentials PASSWD, USERID; Key Size (bits) 1024; URI https://onpremise.elephantsecurity.com; File URI Digest Check; URI Execute Synchronously; HWSIG Formula; Split Domain and Userid; Add 3 Random Characters to CN; Country NL; State Utrecht; City/Locality Utrecht; Organization Elephant Security Test; Organizational Unit Test Only; Email webmaster keymastenest com; Time To Live (sec) 2600; Time For Correction (sec) 3600; Basic Constraints CA:FALSE; Key Usage digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement; Extended Key Usage clientAuth, Additional OIDs (comma separated); Subject Alternative Name; nsBaseUrl contains service name; Comment DEMO_SERVICE; OK, CANCEL)
Service Name: The name assigned to the Service.
Required Credentials: Select what authentication process and credentials are required. UserID and HwSig (Hardware signature) are always on and will be sent from the client to the server. PASSWD (password), PIN and Challenge/RESPONSE are all optional.
Key Size (bits): Use the dropd
64. load the certificate and key as a single PEM file. The device management interface may automatically restart after the certificate/key file is uploaded. (Browse)
Figure 21: Replacing the SSL certificate
Make sure that the SSL certificate you wish to use also contains the private key and is in PEM file format. Select the file by pressing BROWSE and press UPLOAD to replace the existing SSL certificate. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new SSL certificate. To make the changes permanent please refer to section 8.2, Saving changes & reboot.

8.2 Saving changes & reboot
Changes made in the Admin GUI remain effective as long as the KeyTalk appliance does not lose electric power. In order to make changes permanent, the changes must be saved by the administrator.
SAVING: In the main menu select the DEVICE tab and select Save & Reset Configuration. Select SAVE to save the System Configuration.
(DEVICE tab: Time, Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down, Report Problem. Save System Configuration: Click Save to save the current system configuration to the non-volatile RAM (NVRAM) of the device. Your current
65. including an empty URI, no verification is performed.
URI Execute Synchronously: When the URI is an executable, this option allows you to set the client to run synchronously (the KeyTalk client will run until the executable finishes) when selected, or asynchronously when not selected.
HwSig Formula: The HwSig formula results in a hash calculated over the chosen components. This hash is optionally used, provided the feature is activated in the Required Credentials of the Service. The formula is comma separated and can contain the HwSig component number references in any order and as often as you like. Do note that order and repetition of component numbers matter. For example: 0,1,2,3,4,5 or 0,0,0,6,7,3,3,8,9,14,11. For more information on the HwSig please refer to Section 18.2, Hardware Signature.
Split Domain and Userid: Indicates whether an authentication module should split a fully qualified userid, supplied as domain userid, into two separate credentials. Currently only the LDAP authentication module supports domain credentials.
Add 3 Random Characters to CN: When selected, three random characters are added to the Common Name of the generated user certificate. This option is only needed for backward compatibility.
Country (11): The default value of the country code (ISO 3166 standard) as it should occur in the user certificate.
State (12): The default value of the state, county or province as it should occur in the user certificate.
The d
66. on START to upgrade. The system will HALT after an upgrade, requiring an additional reboot.
Figure 29: Firmware upgrade on premise (DEVICE tab: Time, Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down, Report Problem. Current Firmware Version: 4.2.0. To install an upgrade please do ONE of the following: either upload the RESEPT image to the server (Browse, UPLOAD), or start the upgrade daemon and insert a USB stick with resept.img (START). Your configuration will be automatically saved during the upgrade. The device will automatically reboot when the upgrade is complete.)
As a result the upgrade will start. The progress of the upgrade will be shown in the Admin GUI. On successful upgrade the appliance will automatically REBOOT to apply the new firmware.

14 Date/time & NTP settings
To set the applicable date/time, go to the tab DEVICE and select Time. Enter the current date and time in UTC and select SET. The KeyTalk appliance will do all required time zone calculations.
(Configure Device Time: System Time 2012-07-26 10:17:45; Offset from UTC 00:00; Use NTP; NTP Server 1 to NTP Server 8.) It is st
67. dropdown list to select the preferred RSA key length: 512, 1024, 2048 or 4096 bits. Note that the key size should not exceed the chosen key length of the CAD daemon signing certificate. If in doubt about the correct key size, consult your KeyTalk supplier or partner.
URI: This is the URI pushed from the KeyTalk appliance to the KeyTalk Client using the specific service. Leave it empty when nothing needs to be invoked. When using a URL, it can be used to trigger the KeyTalk client when an appropriately supported browser goes to the specific base URL, for example https://webdemo.reseptdemo.com. Alternatively, when the KeyTalk client has obtained the certificate, the client will start the specified URI. Instead of a URL the URI can also contain a reference to a local file or program, for example file://yourfilelocation/yourfilename. Note: environment variables are respected. Starting a program (filename) can also be done with parameters. Note that quotation marks (") must be used when spaces are included in a path or when using space separated parameters. Note: Be careful not to use http addresses, as these are not secure.
File URI Digest Check: Optional field containing the SHA-256 of the file URI, to force a verification of the URI. When a URL is used, the IP needs to match on both server and client side. When an executable is started, the SHA-256 will be calculated and verified. For all the other URI schemes, inc
68. browser using the following URL: https://10.1.1.1:3000. Note: Pay attention to the S in HTTPS and to port 3000. User: reseptadmin. The default password was change, but this was changed under section 10, Changing KeyTalk passwords. Please remember to use your new password.
Because the appliance is configured by default to use a self-signed SSL certificate, you will likely get a warning that the security certificate was not issued by a trusted certificate authority. In this case ignore the warning and continue to the website. Sample warning:
"There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended). More information."
To avoid this warning you must install a certificate from a trusted party such as VeriSign, GoDaddy, GlobalSign, Cybertrust, or from your own KeyTalk Certificate Authority. See the following section for details.

8.1 Replacing Admin GUI SSL certificate
By default a self-signed SSL certificate is used to access the appliance over https
69. appliance. The License file contains the general terms & conditions text in a text file format. Your contract details override or amend these T&C. It is personalized to your company and contains all the information required to make the appliance work. Your license details can be viewed under the License tab.
Figure 97: View license info or upload a new license (License Info: Function ShortTermCerts; Allowed yes; Expires 2014-01-01; Max Users 10. Upload License: Browse, UPLOAD)
A new license can be uploaded by selecting the license via Browse and clicking UPLOAD. The text file is signed by KeyTalk, ensuring that tampered text files cannot be uploaded as a valid license. The maximum amount of users refers to the maximum number of unique usernames used to obtain a certificate in a given timeframe.

22 Certificates and keys
On the CERTIFICATES AND KEYS tab the Certificate Authority keys for the KeyTalk appliance can be managed.
(CERTIFICATES AND KEYS tab: Overview, Root CA, Primary CA, Signing CA, Communication CA, Server-Server, Client-Server, WebUI Server, DevId, DevId WebUI, Backup & Restore, Generate. Root CA: Certificate not installed, Key not installed, Manage. Primary CA: Ce
70. Restore Configuration: Click Restore to restore the system configuration from the previously made backup. The device will automatically reboot when the configuration is restored. (Browse)
Figure 25: Making a backup of the system configuration
Save the backup file (resept config_dat) in a location of your choice. To restore your backup of the system configuration, select DEVICE from the main menu, select Backup & Restore Configuration and select Browse under Restore Configuration. Select your resept config_dat backup file and select RESTORE. The KeyTalk appliance will reboot afterwards to effectuate the changes.
Figure 26: Restoring the system configuration backup file (DEVICE tab: Time, Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down, Report Problem. Backup Configuration: Click Backup to save the current system configuration to your computer (BACKUP). Restore Configuration: Click Restore to restore the system configuration from the previously made backup. The device will automatically reboot when the configuration is restored.)

12 Factory Reset
Should you ever want to reset the KeyTalk appliance to its original factory settings, the steps described below must be followed. Se
71. are properly set.
Figure 56: Hardware signature set to DevId (Edit hardware signature settings for Service DEMO_SERVICE: HwSig Verification DevId; DevID Host 192.168.1.2; DevID Port 8001; DevID Group Name DEMO GROUP; DevID Group Password (masked))
NOTE: The HwSig verification will FAIL, so the user is not issued a certificate, when:
- the selected SERVICE is NOT configured to send the HwSig and the module's HwSig Verification is set to either Exit or DevID.

19.1.2.2 Add/Change/Remove user
A user can be added, changed or removed:
- Add: Click on ADD
- Modify: Select the appropriate user and click on CHANGE
- Delete: Select the appropriate user(s) and click on REMOVE
Figure 57: Adding/Changing/Removing a user (AUTHENTICATION MODULES tab: Sqlite Modules, LDAP Modules, RADIUS Modules, Execute Modules, Relay Modules. Configure Sqlite Authentication Module For Service DEMO_SERVICE: HwSig Verification Off; user list with Hardware Signature column, entry DemoUser; ADD, CHANGE, REMOVE. User Lockout: Automatically lock user on failed login; Lock Expiration; Lock Reason)
Adding or changing a user allows for entering the basic details of a user.
(Edit User for Service DEMO_SERVICE: UserID DemoUser; Hardware Signature; Password (masked); Pincode (masked))
Figure 58: Edit user for a speci
72. interface type. Select OK to save the new settings.
Note: High Availability daemons from other KeyTalk chains will need to be made known to the KeyTalk in order for HAD to work properly.
Figure 45: HADs from other KeyTalk servers need to be made known (HADs From Other RESEPT servers: HadSyncService Host, HadSyncService Port)
Select ADD to add a new KeyTalk appliance.
Figure 46: Add new HAD connection (Add New HAD Connection: HadSyncService Host, HadSyncService Port)
Enter the HadSyncService Host and Port. Select OK to save the settings.

17.2.1 In-depth HA chain
The KeyTalk High Availability chain allows for a complete set of KeyTalk daemons to be made available in case of redundancy requirements. Each chain is a self-supporting chain running on a single KeyTalk appliance. When one component of the chain fails, the HAD will assume the entire chain to be invalid.
On initial power-up all appliances boot up in slave status. If there is no master in the group, one is elected automatically: one KeyTalk appliance will become the master. If the master dies, the election is done again as described earlier.
Note: High Availability functionality is not a replacement for load balancing functionality.
An example of an HA implementation could be:
Figure 47: Example HA implementation (Active Network Component; HA Chain 1; HA Chain 2)
Each chain mu
73. rification settings allow for the optional configuration of HwSig verification for the specified service. By default the HwSig verification is set to Off.

[Figure 68: Hardware Signature verification setting. Screenshot "Configure LDAP Authentication Module For Service ES_Test": HwSig Verification = Off.]

Select CHANGE to change the HwSig setting. Two other options are available for the HwSig verification:
- DevId: obtain the user's HwId from our DevId product solution.
- Exit: obtain the user's HwId using the settings of the authentication module. For the option Exit, in the case of the Sqlite Module the HwSig is obtained from the user's Hardware Signature field.

When the DevId option has been chosen, make sure that the DevId Host & Port as well as the Group Name and Group Password are properly set.

[Figure 69: Editing Hardware signature settings for a specific service. Screenshot of AUTHENTICATION MODULES > LDAP Modules, "Edit hardware signature settings for Service ES_Test": HwSig Verification = Off, DevID Host, DevID Port, DevID Group Name, DevID Group Password.]

NOTE: The HwSig verification is considered a failed login, and thus the user is not issued a certificate, when:
- the selected SERVICE is NOT configured to send the HwSig and the module's HwSig Verification is set to either Exit
74. rongly recommended to reboot the device after changing the time.

[Figure 30: Setting the applicable date/time.]

Note: The Netherlands is UTC+1 (during summertime UTC+2); CST is UTC-6 (during summertime UTC-5); EST is UTC-5 (during summertime UTC-4).

It is highly recommended to set your applicable NTP server(s). When using NTP server(s), also check the "Use NTP" box. Confirm by selecting OK.

[Figure 31: Set your applicable NTP server(s). Screenshot of DEVICE > Time, "Configure Device Time": System Time 2012-07-26 10:17:45, Offset from UTC 00:00, Use NTP, NTP Server 2 through NTP Server 8, and the note "It is strongly recommended to reboot the device after changing the time". The DEVICE menu also lists Admin Password, SSH Access, Save & Reset Configuration, Backup & Restore Configuration, Firmware Upgrade, Shut Down and Report.]

See section 5.8 "Step 8: DNS & NTP / Date/Time customization" for details on setting the time for DNS and NTP. There are two menu items to configure the time, but both function identically: one menu item is located in the Network configuration, the other in the Device configuration. Both direct you to the same function.

15 Log files

The log files of the four main Daemons and the Web UI can be acc
75. rtificate not installed / Key not installed / Manage
- Signing CA: Certificate installed, Key installed, Manage
- Communication CA: Certificate not installed, Key not installed, Manage
- Server: Server Certificate installed, Key installed, Manage
- Client Server: Certificate installed, Key installed, Manage
- WebUI: Certificate installed, Key installed, Manage
- Server DevId: Certificate not installed, Key not installed, Manage
- DevId WebUI: Certificate not installed, Key not installed, Manage

[Figure 98: Overview of the KeyTalk Certificate Authority Keys.]

By default your KeyTalk appliance comes pre-configured with test key and certificate material. This material is NOT unique but is provided with every system. It is therefore necessary to replace it with your own material when going into production.

KeyTalk requires the certificates to be imported or generated in PEM file format and requires that they carry the .pem file extension.

Please note that the KeyTalk solution does not mandatorily require you to take into account any specific protocols and procedures as to the security level of key creation, key management, etc. Instead it is your company that decides what is and what is not acceptable.

22.1 Root CA

The Root CA is an optional public certificate. It is only applicable when your company already has an existing certificate authority in place
76. s AND can manually add or remove users to the LockOut table.

When Automatic lockout is not selected, the system runs in a manual mode allowing the Admin to add any usernames for a permanent lock, which can only be manually released. Adding users manually is done using the user ID. No actual check is performed by the system to see if the user actually exists in the database used by the service's authentication module.

[Figure 64: Manually adding a user to be locked out for a specific service. Screenshot "Lock user for Service DEMO_SERVICE" with a UserID field.]

19.2 LDAP Module (includes AD)

The LDAP module allows for Active Directories (AD) and LDAPs alike to be easily connected to KeyTalk.

[Figure 65: LDAP Authentication Modules. Screenshot of AUTHENTICATION MODULES > LDAP Modules, "Configure LDAP Authentication Modules", listing ES_Test.]

19.2.1 Adding an LDAP Module

Before adding an LDAP authentication module, a new service must be defined. This service may not be connected to another Authentication Module. Select ADD and select the service you wish to connect.

[Figure 66: Adding an LDAP Authentication Module. Screenshot "Add LDAP Authentication Module", Service = ES_Test.]

Click OK to save.

19.2.2 Changing an LDAP Module configuration

To change an LDAP Mo
77. s primary NIC is the NIC listed first in the Network Connections folder > Advanced menu > Advanced settings list.
3. HDDs' Device Instance IDs. Only HDDs attached to IDE and SCSI are considered, to avoid pluggable disks (e.g. USB, PCI). Note: SATA and eSATA or PCMCIA will be used when available.
4. NICs' Device Instance IDs. Only NICs attached to PCI are considered, to avoid pluggable NICs (e.g. USB).
5. IDE/ATA/ATAPI controllers' Device Instance IDs, excluding hot-pluggable ones such as PCMCIA.
6. USB Root Hubs' Device Instance IDs.
7. Display Adapters' Device Instance IDs.
8. Amount of physical memory.
9. CPUs' device instance IDs.
10. Interrupt controller device instance ID.
11. System timer device instance ID.
12. DMA controller device instance ID.
13. System speaker device instance ID.
14. OS Product ID.
15. OS registered owner.
16. User Security Identifier.

Some components may or may not be preferred for your setup. Choose those you need or can use. Especially in environments where users, for example, change local access rights or make use of dongles, you may or may not want to enforce one or more of the above-mentioned components. In some environments it is desirable to prohibit the user from inserting anything into the USB socket, as this will change the HW signature of that component.

19 Authentication modules

One or more authentication solutions can be connected to the KeyTalk app
78. st be configured with the static information. All dynamic information (certificate serials, users, etc.) is automatically synchronized as soon as the chains have been configured to be aware of each other. To ease configuration it is a good starting point to always configure one single KeyTalk appliance and make a backup of its configuration. Note: A configured copy might cause conflicting IPs, so configure with care.

17.3 Stop/start daemons & status

The main daemons can be stopped/started from the status panel.

[Figure 48: Stop/start daemons & status. Screenshot of DAEMONS > Status (next to CAD Settings and HAD Settings) with columns Daemon, Effective Listen Interface Type, Status, Signing Key Password and Action; rows show authd running and had (HadSyncService on Loopback, IPv4 127.0.0.1 / IPv6 ::1) running.]

When the CAD is started, the Signing Key password may need to be entered if a password has been implemented. To alleviate work for the Admin, it is possible to store the password. This can have security implications, but it has been made available to fit the company's security policy. How to store the CAD signing key password is described in section 17.1 "Certificate Authority daemon (CAD) settings".

18 Services

A service is a group of users that follow the same authentication method and certificate time-to-live. Usually
79. t 0 to detect
- Port: The communication port number. Any valid port number; use 0 to have the port number automatically detected.
- Secret: The Radius shared secret. Any valid Radius shared secret.
- Tries: Amount of connection attempts. Any valid positive amount, up to 999999999.
- Timeout (sec): Amount of time assumed for a timeout period before retrying, expressed in seconds. Any valid positive amount, up to 99999999.

19.3.2.3 User LockOut

The User LockOut mechanism allows for users to be locked out from the system when they enter the wrong authentication credentials.

[Figure 82: Enable/disable user lockout. Screenshot: User Lockout, "Automatically lock user on failed login".]

Automatic lockout can be selected or not. Click OK to save the settings.

When Automatic lockout is selected, the KeyTalk appliance will add (lock) and release users automatically based on an incremental time penalty. The Admin can always manually release users before the time penalty expires AND can manually add or remove users to the LockOut table.

When Automatic lockout is not selected, the system runs in a manual mode allowing the Admin to add any usernames for a permanent lock, which can only be manually released. Adding users manually is done using a free text field. No actual check is performed by the system to see if the user actually exists in the database used by the service's authentication module.

[Screenshot: Lock user for Service DEMO_SERVIC
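The lockout behaviour described in 19.3.2.3 (automatic locks with an incremental time penalty, Admin release before the penalty expires, and manual permanent locks added by user ID without any check that the user exists) as an added Python model. This is an added example, not KeyTalk's code: the class and method names, the doubling penalty schedule, the 30-second base penalty and the one-hour cap are all assumptions; the manual does not state how the appliance's penalty grows.

```python
"""Added example (not KeyTalk code): a per-service user lockout table with an
incremental time penalty, an Admin release, and manual permanent locks.
Penalty schedule and names are assumptions, not the appliance's actual values."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockEntry:
    """One row of the lockout table (field names mirror the Figure 57 columns, assumed)."""
    failed_attempts: int = 0
    lock_expiration: Optional[float] = 0.0   # Unix time; 0.0 = not locked; None = permanent
    lock_reason: str = ""


class LockoutTable:
    """Lockout table for one service, with Automatic lockout switched on or off."""

    def __init__(self, automatic: bool = True,
                 base_penalty_sec: int = 30, max_penalty_sec: int = 3600):
        self.automatic = automatic              # the "Automatically lock user on failed login" box
        self.base_penalty_sec = base_penalty_sec  # assumed first penalty
        self.max_penalty_sec = max_penalty_sec    # assumed cap on the penalty
        self.entries: Dict[str, LockEntry] = {}

    def is_locked(self, user_id: str, now: float) -> bool:
        entry = self.entries.get(user_id)
        if entry is None:
            return False
        if entry.lock_expiration is None:       # manual, permanent lock
            return True
        return now < entry.lock_expiration

    def record_failed_login(self, user_id: str, now: float) -> float:
        """Count the failure and, in automatic mode, apply the incremental penalty.
        Returns the lock duration in seconds (0.0 in manual mode or for a permanent lock)."""
        entry = self.entries.setdefault(user_id, LockEntry())
        if entry.lock_expiration is None:
            return 0.0                          # already permanently locked
        entry.failed_attempts += 1
        if not self.automatic:
            return 0.0                          # manual mode: only the Admin adds locks
        # assumed schedule: the penalty doubles with every consecutive failure, capped
        penalty = min(self.base_penalty_sec * 2 ** (entry.failed_attempts - 1),
                      self.max_penalty_sec)
        entry.lock_expiration = now + penalty
        entry.lock_reason = f"{entry.failed_attempts} failed login(s)"
        return float(penalty)

    def record_successful_login(self, user_id: str, now: float) -> bool:
        """A correct credential while still locked does not count; otherwise reset the counter."""
        if self.is_locked(user_id, now):
            return False
        self.entries.pop(user_id, None)
        return True

    def lock_manually(self, user_id: str, reason: str = "Locked by Admin") -> None:
        """Manual permanent lock; as the manual says, no check that the user exists."""
        self.entries[user_id] = LockEntry(lock_expiration=None, lock_reason=reason)

    def release(self, user_id: str) -> bool:
        """Admin release, allowed before an automatic penalty has expired."""
        return self.entries.pop(user_id, None) is not None


if __name__ == "__main__":
    table = LockoutTable()
    for t in (1000.0, 1040.0, 1050.0):          # three failed logins for DemoUser
        print("penalty seconds:", table.record_failed_login("DemoUser", now=t))
    print("locked at t=1060:", table.is_locked("DemoUser", now=1060.0))
    table.release("DemoUser")
    print("locked after Admin release:", table.is_locked("DemoUser", now=1060.0))
```

In manual mode (`automatic=False`) failed logins are counted but never lock anyone; only `lock_manually` adds entries, and only `release` removes them, matching the "permanent lock which can only be manually released" wording.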
80. t
- SAP
- Microsoft
- Oracle
- Novell

KeyTalk is a product which seamlessly fits into your existing network infrastructure. In a highly secure manner it automatically creates, distributes and de-installs short-living X.509v3 user certificates on the user's device for the purpose of user credentialing and secure access control.

X.509 has been the industry standard since the 80s and is supported by all major network components and enterprise application solutions; it is now made available for short-living certificates, making it the perfect unified access control solution.

Managing X.509v3 certificates has thus far been one of the greatest cost factors in high-security environments. Cost is now minimized as a direct result of short-living certificates, making administrative efforts on Certificate Revocation Lists obsolete.

By re-using your existing authentication environment, optionally leveraging it with trusted corporate hardware recognition, reducing the lifecycle of the certificate and ultimately automating the certificate requests, creation, distribution and de-installation, certificate management has become easy as pie with our KeyTalk product.

In short: KeyTalk protects your data in motion by providing secure access for machine-to-machine communication and data transmissions between devices, corporate networks and cloud applications. It prevents common attacks such as man-in-the-middle. KeyTalk generates, distributes and ins
81. talls short-living client certificates on the client device in a fully automated manner, leveraging your existing authentication methodology. Optionally it uses the device hardware characteristics to strengthen the authentication process.

This document describes how to use the KeyTalk Appliance. This document is part of the documentation that comes standard with KeyTalk products:
- User manual
- Installation manual
- Prerequisites and Technical requirements
- Quick Reference Guide
- Release notes

1.1 Getting started

In the following subsections the KeyTalk product is described.

1.2 Installation

All our products are delivered with an Installation manual. This manual provides instructions for installing and de-installing the KeyTalk software and gives an overview of the system requirements necessary to run the software. More detailed technical requirements can be found in the Prerequisites and Technical requirements documents.

1.2.1 Using the software

How to use KeyTalk products, and an explanation of the terminology and icons used in the software, are described in detail in the User manual. Next to describing the hardware, the functionalities of the software are also described in full detail. In case of product upgrades, an overview of the new functionalities is incorporated in the User manual as well as listed in the product's Release Notes. For new users of our products a full training is available for both f
82. ted chapters 17, 21, 23, 25, 27
4.102 | 17Feb12 | Updated chapters 25.2 to 25.6. Update to KeyTalk Firmware version 4.2
4.2 | 19Jun12 | Replaced the product name KeyTalk with KeyTalk. This change in name has not yet been realized in the software
4.201 | Aug 2012 | Language edited, updated screenshots added, rewrote chapter 22
4.202 | 12July13 | Updated brand to KeyTalk

Table of contents
Introduction ... 7
1.1 Getting started ... 9
1.2 Installation ... 9
1.2.1 Using the software ... 9
1.2.2 Support ... 9
1.3 System configurations ... 10
1.3.1 Optional configurations ... 10
Front Panel Components ... 11
Back Panel Components ... 12
Top Panel Components ... 13
Quick Start Guide ... 14
5.1 Step 1: Powering the appliance ... 14
5.2 Step 2: Connecting the appliance to the internal network ... 14
5.3 Step 3: Connecting to the appliance administrator interface ... 15
5.4 Step 4: Authenticating to the administrator interface ... 16
5.5 Step 5: Set network configuration ... 17
5.6 Step 6: Edit network interface settings ... 17
5.7 Step 7: Change administrator password ... 17
5.8 Step 8: DNS & NTP / Date/Time customization ... 18
5.9 Step 9: Save the current configuration ... 20
5.10 Step 10: Connecting the appliance to the external network ... 21
5.11 Step 11: Testing the KeyTalk solution ... 21
IPv4 and IPv6 ... 24
Setting up the appliance ... 25
7.1 Powering the appliance ... 25
7.2 Conn
83. ted in parts for safe keeping among several custodians. This file also contains the Primary CA Certificate in PEM format.

[Figure 100: Primary CA information and key upload functionality. Screenshot of CERTIFICATES AND KEYS > Primary CA (tabs: Overview, Root CA, Primary CA, Signing CA, Communication CA, Server, Server Client, Server WebUI, Server DevId, DevId WebUI, Backup & Restore, Generate). Text on the page: "Primary CA is normally a root of the certificate tree unless Root CA is installed and is an issuer for the Primary CA." Certificate Info: No Certificate Found. Key Info: No Valid Key Found. Upload Certificate and Key: "Click Upload to upload PEM containing certificate and key. The key should not be protected with password. It is also possible for the PEM file to contain certificate or key only." (Browse / UPLOAD).]

A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD.

After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 "Saving changes & reboot".

22.3 Signing CA

This tab allows you to upload your own signing certificate and key, used to issue user certificates and keys. When you have a separate key and certificate, you can upload these individually and KeyTalk will combine them
84. the KeyTalk internal user database is already configured with a DemoUser. Additional users can be easily added using the Admin GUI; see section 19 "Authentication modules" for more information.

6 IPv4 and IPv6

The KeyTalk appliance fully supports IPv4 and IPv6. Out of the box, demo configurations are based on IPv4. Admins who wish to make use of IPv6 will need to configure the appropriate IPv6 settings.

7 Setting up the appliance

7.1 Powering the appliance
1. Remove the appliance from its box.
2. Plug the black power cord into the appliance back power port (K).
3. Plug the power cable into a power socket connector.
4. Press the power-on button (E).

7.2 Connecting the appliance to the internal network

The KeyTalk appliance has 3 active Network Interface Connectors (NIC): O, P and Q. The address of P is by default 10.1.1.1 and is assigned to the KeyTalk administrator interface. Follow these steps to connect the appliance to the internal network:
- Connect the administrator PC/Laptop by UTP cable.
- Configure the administrator PC/Laptop to the 10.1.1.0 network so that you are able to connect to 10.1.1.1.
- Sample screenshots on a Windows 7 64-bit PC on how to configure your IP from Local Area Connection Properties:

[Screenshot: Local Area Connection Properties / Internet Protocol Version 4 (TCP/IPv4) Properties.]
85. this group of users belongs to the same department/organization. Services define default values you wish to make available in the client X.509v3 certificates created, distributed and installed by KeyTalk. An example value for the organization attribute is "O=Example.com". Additionally, attributes in the certificate can be mapped to AD fields. Multiple services can be configured, allowing you to set up a multitude of services on a single KeyTalk instance.

18.1 Creating/modifying a service

To manage services, select SERVICES from the main menu. An overview of the existing services is displayed. In this overview you will find a summary of the services' settings and applicable comments. The following options are available for Services:
- Add: click on ADD.
- Modify: select the existing service and click on CHANGE.
- Delete: select the existing service and click on REMOVE.

[Figure 49: Adding/modifying/deleting a service. Screenshot of the SERVICES overview with columns including HWSIG Formula, Split Domain and Add CN, Random Userid Chars and Execute Synchronously; one row for DEMO_SERVICE (values shown include 1024, https://www.google.nl and the component list 1 2 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16).]

The following pages describe all the fields of the service.
86. unctional and technical aspects of the solution. Please consult your KeyTalk supplier or KeyTalk partner for more information.

1.2.2 Support

In case you encounter issues when using our products, please contact your KeyTalk supplier. Contact details have been made available to you directly by our partner.

KeyTalk also has a service desk reachable 24/7, but they only provide 3rd-line support. They can be contacted by e-mail or telephone.

Contact details KeyTalk Service desk (3rd line only):
E-mail: support@keytalk.com
Tel: +31 64 672 67 94

1.3 System configurations

You can have one or more KeyTalk devices configured in high availability mode.

1.3.1 Optional configurations

KeyTalk can be used in combination with KeyTalk's DevID appliance. Within an organization, DevID allows the binding of up to 10 different hardware signatures of a user's devices to a single unique user. All is done according to the offered authentication service. DevID can be set to automatically learn up to the maximum number of hardware signatures that is allowed per user setting.

Moreover, DevID is multi-tenant, allowing multiple user groups to be defined per specific KeyTalk authentication service. Each user group can be separately managed by one or more service operators, allowing one to deploy and manage DevID in a very flexible manner. This way your Admin does not have to do all the work by themselves.
87. ured chains.

Note: Before copying, please make sure the DbService connection address points to the chain's HAD.

[Figure 91: Synchronize user lockout list.]

This functionality is only applicable when running KeyTalk in a high availability configuration. This feature allows you to manually initiate a synchronization of all your User Lockout Lists from all your Authentication Modules for all services on the KeyTalk appliance. HA will automatically synchronize, but the manual feature is meant for synchronization after adding a new system to your High Availability setup.

20 User messages / Logged in users

20.1 User messages

User messages allow the Organization's administrator to send a custom message to the user when their KeyTalk client starts. A common usage would be to inform users of network downtime announcements, for example.

To create a user message, select USERS from the main menu and click on ADD.

[Figure 92: Adding a user message. Screenshot of USERS > User Messages (tabs: Logged In Users, User Messages) with columns Last Updated and Message.]

Type the message that needs to be sent to all users with a KeyTalk Client and click OK to make the message available to your user community.

[Figure 93: Adding a user message and making it available to the KeyTalk Client. Screenshot "Add User Message" with a User Message field.]
88. [Index, page 92] I: Installation; Introduction. S: Support; System configurations. U: Using the software.
89. values. Subject Alternative Name: refer to http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name for more information.
- nsBaseURL: Optional Netscape Base URL extension; see the MSDN topic http://msdn.microsoft.com/en-us/library/aa378149%28v=vs.85%29.aspx for more information.
- 24. Comment: Free text allowing for comments for Admin/support purposes. This field will not be added to the certificate.

Note: Key Usage fields should only be manipulated when you are familiar with their exact functionality and the impact they might have on application server functionality. For more information refer to RSA Labs (http://www.rsa.com/rsalabs) and RFC 5280 (http://tools.ietf.org/html/rfc5280).

Note: If not familiar with the exact functionality, it is advised to use the KeyTalk default values for the certificate attributes.

18.2 Hardware Signature

KeyTalk can optionally determine the state of the hardware of a user's device by calculating a hash over several components of the user's computer hardware. The components can be chosen from the list below and are applied in the HwSig formula as described in section 18.1 "Creating/modifying a service". The following component IDs are supported:
0. Predefined value.
1. Primary HDD serial. On Windows the primary HDD is defined by the minimal i for which PhysicalDrive<i> or Scsi<i> is accessible.
2. Primary NIC MAC address. On Window
90. ver, Server Client, Server WebUI, Server DevId, DevId WebUI, Backup & Restore, Generate (tabs).

[Figure 108: Backup and restore functionality. Screenshot of CERTIFICATES AND KEYS > Backup & Restore. "Backup All Certificates And Keys: Click Backup to save all currently installed certificates and keys to your computer" (BACKUP). "Restore All Certificates And Keys: Click Restore to restore all certificates and keys from the previously made backup" (Browse). "ALL currently installed certificates/keys will be removed during restoration. The device management interface may automatically restart after the certificates/keys package is restored."]

Click Backup to save all currently installed certificates and keys to your computer. Click Restore to restore all certificates and keys from the previously made backup. The KeyTalk appliance will reboot afterwards to effectuate the changes.

22.11 Generate

This tab allows you to edit specific criteria for the certificates that are generated on the appliance.

[Screenshot of CERTIFICATES AND KEYS > Generate: Primary CA CN = RESEPT Demo PCA, Key Size 4096 bits; Signing CA CN = RESEPT Demo Signing CA, Key Size 4096 bits; Communication CA CN = RESEPT Demo CCA, Key Size 4096 bits
91. vide your entire user community, whether internal or external, with on-demand short-life X.509v3 certificates. All built upon your existing infrastructure, so there is no need to change backup procedures or to teach your community of users new authentication methods. The KeyTalk appliance simply makes it happen.

[Diagram labels: Desktops, laptops, cell phones, PDA's; RESEPT server; User directory.]

KeyTalk provides you with advanced features which make your life as a user easier and more secure when making use of your company's or partner's online environment. Common usages:
- Single Sign-On to web-based environments
- Digital signing of internal documents
- Highly secure connections to web-based environments
- Protection of your authentication credentials against Man-in-the-Middle attacks
- Optionally binding the computer/device(s) to the user or company

X.509v3 user certificates have been the standard since 1988 and are commonly accepted by all Operating Systems. As a result, not only do these user certificates give you the highest level of safe, encrypted communication, they also offer many more features with the same ease of management, such as:
- Single Sign-On
- Federated Identity
- 802.1x EAP-TLS

Certificates issued by the KeyTalk appliance work natively with all major and minor network and client brands such as, but not limited to:
- CISCO
- Juniper
- F5
- Fortinet
- Checkpoin
92. wnload and remove the current certificate and key, and upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 "Saving changes & reboot".

22.4 Communication CA

This tab is used to secure communications between different parts of the system. The Communication CA corresponds to the SCA (Server CA) on the client side.

[Figure 102: Communication CA information and key upload functionality. Screenshot of CERTIFICATES AND KEYS > Communication CA (tabs: Overview, Root CA, Primary CA, Signing CA, Communication CA, Server, Server Client, Server WebUI, Server DevId, DevId WebUI, Backup & Restore, Generate). Text on the page: "Communication CA is used to secure communications between different parts of the system. Communication CA corresponds to SCA (Server CA) on the client side." Certificate Info: No Certificate Found. Key Info: No Valid Key Found. Upload Certificate and Key: "Click Upload to upload PEM containing certificate and key. The key should not be protected with password. It is also possible for the PEM file to contain certificate or key only." (Browse / UPLOAD).]

A new certificate can be uploaded by selecting it via Browse and
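The Primary CA and Communication CA upload dialogs (figures 100 and 102) state the same three rules for a file: it is PEM, it may hold a certificate and a key or only one of the two, and the key must not be password-protected. The following added Python example (not KeyTalk's code, and not how the appliance itself validates an upload) pre-checks a file against exactly those stated rules before an Admin uploads it, so that a rejected upload and the management restart that follows a successful one are not triggered by a file that cannot work. Assumptions: the function name, the constructed sample blocks (placeholder bytes, not key material), and the two encryption markers it looks for, the PKCS#8 "ENCRYPTED PRIVATE KEY" label and the legacy "Proc-Type: 4,ENCRYPTED" header, which is how such keys are commonly marked, not something the manual specifies.

```python
"""Added example (not KeyTalk code): pre-check a PEM file against the upload rules stated
in the Primary CA / Communication CA dialogs. Uses only the standard library."""
import base64
import binascii
import re
from typing import Dict, List

# One PEM block: BEGIN line, optional "Key: value" header lines, base64 body, matching END line.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def inspect_pem(text: str) -> Dict[str, object]:
    """Report which blocks a PEM upload contains and whether it meets the stated rules:
    certificate and/or key present, key not password-protected, every body decodable."""
    labels: List[str] = []
    problems: List[str] = []
    key_encrypted = False
    for match in PEM_BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        labels.append(label)
        body_lines = body.splitlines()
        headers = [line for line in body_lines if ":" in line]     # legacy encapsulated headers
        base64_text = "".join(line.strip() for line in body_lines if ":" not in line)
        # Assumed markers: PKCS#8 encrypted keys carry their own label; legacy keys announce
        # encryption in a "Proc-Type: 4,ENCRYPTED" header.
        if label == "ENCRYPTED PRIVATE KEY" or any(
                h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
            key_encrypted = True
            problems.append(f"{label}: key is password-protected; upload an unprotected key")
        try:
            base64.b64decode(base64_text, validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
    has_certificate = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if not (has_certificate or has_key):
        problems.append("no CERTIFICATE or PRIVATE KEY block found")
    return {
        "labels": labels,
        "has_certificate": has_certificate,
        "has_key": has_key,
        "key_encrypted": key_encrypted,
        "problems": problems,
        "acceptable": not problems,          # certificate only or key only is fine
    }


def _constructed_block(label: str, payload: bytes, headers=()) -> str:
    """Wrap constructed placeholder bytes in a syntactically valid PEM block (for the samples)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN {label}-----", *headers,
             *(b64[i:i + 64] for i in range(0, len(b64), 64)), f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


# Constructed sample uploads: placeholder bytes, not real certificate or key material.
SAMPLE_CERT_AND_KEY = (_constructed_block("CERTIFICATE", b"constructed certificate bytes")
                       + _constructed_block("PRIVATE KEY", b"constructed PKCS#8 key bytes"))
SAMPLE_CERT_ONLY = _constructed_block("CERTIFICATE", b"constructed certificate bytes")
SAMPLE_LEGACY_ENCRYPTED_KEY = _constructed_block(
    "RSA PRIVATE KEY", b"constructed encrypted key bytes",
    headers=["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF", ""])
SAMPLE_PKCS8_ENCRYPTED_KEY = _constructed_block("ENCRYPTED PRIVATE KEY",
                                                b"constructed encrypted key bytes")

if __name__ == "__main__":
    for name, sample in [("cert+key", SAMPLE_CERT_AND_KEY), ("cert only", SAMPLE_CERT_ONLY),
                         ("legacy encrypted key", SAMPLE_LEGACY_ENCRYPTED_KEY),
                         ("pkcs8 encrypted key", SAMPLE_PKCS8_ENCRYPTED_KEY)]:
        result = inspect_pem(sample)
        print(f"{name}: acceptable={result['acceptable']} problems={result['problems']}")
```

The check deliberately stops at the stated rules: it does not parse the certificate or verify that the key matches it, since the manual says nothing about how the appliance pairs them beyond "KeyTalk will combine them".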
