DIGIPASS CertiID User Manual
Contents
1. © 2008-2009 VASCO Data Security. All rights reserved. Unauthorized duplication or distribution is prohibited.

Managing Authentication Objects (page 94)

8. Specify whether you want a PIN and/or a PUK letter to be printed on the selected printer.

Change Object Security - Print a PIN letter: If you prepare this card on behalf of another user, you can print a PIN letter containing the PIN information to provide to your user. Options shown: Print a PIN letter; Include PUK; Print a PUK letter; Select printer (Printer: Microsoft Office Document Image Writer).
Figure 65: Changing Object Security - Printing PIN/PUK Letter

9. Click Finish.

5.6.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If a particular option is not available, you may not have the privileges to use it.
- Assigning a different PIN to a data object is not the same as changing a PIN. If you assign a different PIN, you replace the current PIN object with another PIN object. If you change a PIN, you change the value of that PIN object.
- The previous PIN remains on the token after assigning another PIN to a data object, even if the previous PIN no longer protects any data objects.
- It is not recommended to use PINs other than the default PIN with PKCS#11, since some PKCS#11 applications do not support context-specific authentication, including Mozilla Thunderbi
2. Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an "as is" basis, without any other warranties or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the Product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable, or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright © 2008-2009 VASCO Data Security. All rights reserved.
3. Index (excerpt):
- Create new PUKs to unblock option, 131
- Cryptographic Message Syntax Standard (PKCS#7), 155
- changing security, 87
- deleting, enabling option, 130
- default value profile, 26, 35
- Delete certificates option, 130
- Delete containers option, 130
- Delete data objects option, 130
- Delete OTP key objects option, 130
- Delete secret key objects option, 130
- DER Encoded Binary X.509, 155
- DIGIPASS 860, generating one-time passwords (OTP), 112, 143
- DIGIPASS CertiID, configuring using DP CertiID Configuration Center, 121
- DIGIPASS CertiID, configuring using Group Policy, 115
- DIGIPASS CertiID, settings precedence note, 115
- document conventions, 15
- DP CertiID Configuration Center, setting Automatic Registering of Certificates options
4. - You can verify whether an OTP key object can be used to generate OTPs by inspecting its object properties in DP CertiID Management Application. If Key Usage includes "Event-based OTP generation", the OTP key object can be used to generate OTPs.

9.1.4 Additional references
- Using the DP CertiID Tray Agent
- Configuring DIGIPASS CertiID
- Importing OTP Key Objects

Appendix: Using DP CertiID with One-Time Passwords (OTP) (page 145)

9.2 Generating One-Time Passwords (OTP) from Challenges
VACMAN Controller-based servers, such as VACMAN Middleware and IDENTIKEY Server, can require clients to authenticate by dynamically calculating one-time passwords (OTP) based on a numerical challenge issued by the server. You can use OTP key objects on your token to generate such OTPs from challenges.

9.2.1 Before you begin
To generate one-time passwords (OTP) from challenges you need:
- DP CertiID Management Application or DP CertiID Tray Agent
- a token containing an OTP key object valid to generate OTPs from challenges

9.2.2 Generating responses using one-time passwords (OTPs)
> To generate a response usin
5. [Figure 75: Configuring DIGIPASS CertiID via Group Policy (1) - Active Directory Users and Computers. The dialog lists the Group Policy Object Links of the domain (sample entries TestADM 02 to TestADM 06 and Users, obtained from myDomain.local); Group Policy Objects higher in the list have the highest priority. Buttons: New, Add, Edit, Up, Options, Delete, Properties, Down; check box "Block Policy inheritance".]

5. Do one of the following:
- If you want to create a new Group Policy object, click New and type a name for the new Group Policy object.
- If you want to edit an existing Group Policy object, select the respective Group Policy object in the list.
6. Click Edit. The Group Policy Object Editor appears.

Configuring DIGIPASS CertiID (page 118)

[Figure: Group Policy Object Editor for the selected Group Policy object. The tree shows Computer Configuration > Software Settings, Windows Settings, Administrative Templates > Windows Components with the DIGIPASS CertiID categories PUK Policy, Authentication & Security, User Access Rights and Display and User experience, and User Configuration > Software Settings, Windows Settings, Administrative Templates. Policy settings visible in the list include "PIN minimum length override" and "Enable P" (cut off).]
6. Index (excerpt):
- token security mode, Secure Signature Mode, 29
- token security mode, VASCO Default Mode, 29
- token template, 24, 26
- Unblock PINs option, 130
- Unregister certificates of the following categories option, 127
- Use keypad hardware capabilities when possible option, 122, 160
- VACMAN Middleware, 146
7. Index (excerpt):
- Show status changes option, 132
- Show support contact information in Unblock PIN Dialog option, 132
- SO PIN, see Security Officer PIN (SO PIN)
- SO PIN, status, 111
- support contact information, displaying, enabling option, 132
- Test key pairs option, 130
- token, authentication object, see authentication object, 29, 40
- token, initializing, confirming authentication codes, 35
- token, initializing, enabling option, 129
- token, initializing, using default value profiles, 26
- token, personalizing, 37
- token, personalizing, confirming authentication codes, 42, 51
- token, personalizing, enabling option, 129
- token, pre-initializing, 24, 37
- token, renaming, enabling option, 129
- token, reset, enabling option, 129
- token, resetting, 44
- token, resetting personalization, 47
- token, resetting token personalization, 47
- token, resetting, Caution notice
8. 1. Insert your token.
2. Select the data object currently protected in the token explorer tree.
3. Select Change object security from the shortcut menu, OR select Tasks > Change object security from the menu bar. The Change Object Security Wizard appears.
4. Select Remove current PIN and click Next.
5. Click Finish to confirm removing the PIN protection.

Managing Authentication Objects (page 97-98)

5.7.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If the remove PIN protection option is unavailable, you may not have the privileges to use it.
- Removing the PIN protection is not the same as removing the PIN object. The PIN object remains on the token.
- Removing the PIN protection of one data object does not affect the PIN protection of other data objects.
- You can only remove the link between a PIN object and a data object. You cannot remove a PIN object itself from the token.

5.7.4 Additional references
- Changing the Security of Objects
- Access Configuration
- Understanding Authentication Objects

5.8 Replacing a PUK with an Administrator Key
Yo
9. 2. Select the token in the token explorer tree.
3. Select Personalize from the shortcut menu, OR select Tasks > Personalize from the menu bar. The Personalize Token Wizard appears.

Managing Tokens (page 37-38)

Personalize Token - Personalize token: This wizard helps you to complete initializing your token with personal settings. During personalization, individual token settings are applied, including the token label, cardholder data and the settings for the default PIN, the default PUK and the default administrator key. Click Next to continue.
Figure 18: Personalizing Token (1)

4. Specify a cardholder name. The cardholder is the person who has the actual right to possess and use the token. (Sample value in the screenshot: Cardholder name "Jane Doe".)
Figure 19: Personalizing Token (2) - Specifying Cardholder Name

5. Specify a label for the token. The token label is the name used to refer to this token; it helps you to distinguish between different tokens.
10. A token template contains basic token configuration information. Click Next to continue.
Figure 5: Initializing Token (1)

Managing Tokens (page 25)

4. Select the token template in the list. A token template contains the default token configuration settings, such as which default authentication mode is used.
You can select a default value profile to set the standard values for initialization.
- If you do not enable Edit default values, the values defined in the default value profile are loaded and used for initialization automatically. The subsequent wizard pages are not displayed and you are redirected directly to the Ready to Initialize page.
- If you enable Edit default values, the values defined in the default value profile are loaded and filled in the respective fields in the subsequent wizard pages.
- If the standard values defined in the default value profile do not comply with the effective PIN and PUK policy, the values defined in the default value profile are loaded and used for initialization; however, you are redirected to the particular wizard pages to correct the invalid values.

Initialize Token - Select token template: A token template contains basic token configuration information. A default value profile contains all settings you can specify using this wizard, such as PIN and PUK va
11. - manage authentication objects using DP CertiID Management Application
- manage tokens using DP CertiID Management Application
- use DP CertiID to generate one-time passwords (OTPs)
- use DP CertiID Tray Agent
- configure DP CertiID applications using DP CertiID Configuration Center
- troubleshoot and diagnose issues using DP CertiID Troubleshooting and Diagnostics

This manual does not provide:
- detailed instructions about preparing and installing DP CertiID; refer to the DIGIPASS CertiID Installation Guide
- detailed instructions about using DP CertiID with common third-party applications; refer to the DIGIPASS CertiID Getting Started Manual

Introduction (page 14)

1.1 About this manual

1.1.1 How to use this manual
You can use this manual in different ways, depending on your skill and knowledge level. You can read it from the beginning to the end (highly recommended for novice users), you can browse through the chapter abstracts and read specifically the chapters relevant to your needs, or you can search by keywords in the index if you need to find certain references quickly.

If you need to:
- use DP CertiID Management Application to manage digital certificates on your tokens: Chapter 2, Using DP CertiID Management Application, AND Chapter 4, Managing Certificates
- get a better understanding o
12. ...session to perform one or more cryptographic operations. "Non-silent" means that PIN authentication is handled by VASCO CertiID Smart Card Crypto Provider directly; "silent" means that the respective third-party application handles PIN authentication itself. The PIN cache is cleared when the application releases the cryptographic context, but no later than a certain timeout if enabled using PIN cache timeout. If Cache PINs during cryptographic sessions is disabled, PIN authentication is required for each operation. This option affects VASCO CertiID Smart Card Crypto Provider only.
NOTE: Whether a cryptographic operation is silent or non-silent, and whether a new cryptographic context is created for each operation or not, depends on the respective third-party application.

Clear PIN cache after a certain time: Select this option to clear the PIN cache after a certain time. The PIN is kept no longer than the time span given by PIN cache timeout, unless the respective cryptographic context is released by the application earlier, in which case the PIN is cleared immediately. This option is available only when you select the Cache PINs during cryptographic sessions check box.

Configuring DIGIPASS CertiID (page 122)

PIN cache timeout: Type the time span for which a PIN is kept by VASCO CertiID Smart Card Crypt
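A model of these three options as an added example, not VASCO code and not the provider's implementation: the same application behaviour (one long-lived cryptographic context, four private-key operations over about twelve minutes, then a new context) is run under no caching, caching without a timeout, and caching with a 600-second timeout, counting how often the user has to authenticate. The timings, the context handles and the PIN are constructed; the point is that without a timeout the PIN stays usable silently for as long as the application keeps its context open.

```python
"""Model of the 'Cache PINs during cryptographic sessions' / 'Clear PIN cache
after a certain time' / 'PIN cache timeout' options, with a simulated clock.
Added example: reproduces the documented behaviour, not the provider's code."""
from typing import Dict, Optional, Tuple


class PinCacheModel:
    def __init__(self, cache_pins: bool, timeout: Optional[float]):
        # cache_pins=False: PIN authentication for every operation.
        # timeout=None: 'Clear PIN cache after a certain time' is off, so a
        # cached PIN lives as long as the application keeps its context open.
        self.cache_pins = cache_pins
        self.timeout = timeout
        self.now = 0.0
        # context handle -> (cached PIN, time cached), or None while nothing is cached
        self._contexts: Dict[int, Optional[Tuple[str, float]]] = {}
        self.prompts = 0  # how often the user had to authenticate

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def acquire_context(self, ctx: int) -> None:
        self._contexts[ctx] = None

    def release_context(self, ctx: int) -> None:
        # Releasing the context clears its cached PIN immediately.
        del self._contexts[ctx]

    def cached_pin(self, ctx: int) -> Optional[str]:
        entry = self._contexts[ctx]
        if entry is None:
            return None
        pin, cached_at = entry
        if self.timeout is not None and self.now - cached_at >= self.timeout:
            self._contexts[ctx] = None  # timeout reached: drop the PIN
            return None
        return pin

    def sign(self, ctx: int, pin_from_user: str) -> str:
        """One private-key operation; returns 'cached' or 'prompted'."""
        if ctx not in self._contexts:
            raise KeyError("no cryptographic context %d" % ctx)
        if self.cache_pins and self.cached_pin(ctx) is not None:
            return "cached"
        self.prompts += 1  # PIN authentication required for this operation
        if self.cache_pins:
            self._contexts[ctx] = (pin_from_user, self.now)
        return "prompted"


def compare_settings() -> Dict[str, int]:
    """Same application behaviour under three settings: one long-lived context,
    signatures at t = 0 s, 10 s, 700 s and 710 s, then a release and one more
    signature in a fresh context. Returns the number of PIN prompts per setting."""
    results = {}
    for name, model in (
        ("no_cache", PinCacheModel(cache_pins=False, timeout=None)),
        ("cache_no_timeout", PinCacheModel(cache_pins=True, timeout=None)),
        ("cache_600s", PinCacheModel(cache_pins=True, timeout=600.0)),
    ):
        model.acquire_context(1)
        for gap in (0.0, 10.0, 690.0, 10.0):   # constructed timing
            model.advance(gap)
            model.sign(1, "1234")              # constructed PIN
        model.release_context(1)
        model.acquire_context(2)
        model.sign(2, "1234")
        results[name] = model.prompts
    return results
```

With caching but no timeout the user is asked once and the PIN then serves every operation in that context, however long it stays open; the 600-second timeout forces a second authentication at t = 700 s, and releasing the context always clears the cache.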
13. Specifying Default PUK (step 11, continued)
- Select Set PUK now and type a value for the PUK twice to prevent typing errors. Next remains disabled until the new PUK complies with the effective PUK policy. TIP: Click View Details to show the effective PUK policy and see why the specified PUK does not comply with it.

Managing Tokens (page 39)

- Select Generate PUK to have a PUK automatically generated for you. The generated PUK value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN and/or PUK letter if you request to print one (see Step 13).
- Select Set PUK on first use if you don't want to set the default PUK now. This option is only available if the Set PIN on first use option was selected (see Step 9). The default PUK is not set now, i.e. the token is pre-initialized. The next time the token is inserted, the user is asked to complete the initialization via the Personalize Token Wizard.
The Number of retries before block box defines how often an incorrect value for the PUK can be consecutively typed before it is blocked.

12. If required, specify an administrator key. This option is only available if the token template configuration includes an administrator key.
Initialize Token - Specify the administrator key: The administrator key is a hexadeci
14. Troubleshooting
2. Click Start. The program examines your system. When finished, the Troubleshooting Report dialog appears.

Troubleshooting and Diagnostics (page 134-135)

[Figure 79: Troubleshooting Report. The report lists the checks performed (Verifying installation; Checking required system services; Verifying attached slot devices; Validating tokens and certificate data; Testing middleware modules) with a result icon for each; in the sample run, "Token not found - No token is inserted on the system" is reported, with a "How can I solve this problem?" link and Save as / Close buttons.]

3. OPTIONAL: Click Save as to save the troubleshooting report to disk. You can save the troubleshooting report for archiving purposes or to send it to your support contact if required.
4. Click Close. If you did not save the troubleshooting report, it is discarded.

8.1.2 Additional considerations
- Troubleshooting reports can be saved as a plain text file. If you do not save a report, it is discarded when you close the Troubleshooting Report dialog.
- If the troubleshooting report does not identify any issues and you still think a problem exists, you may perform a diagnostics run.

8.1.3 Additional references
- Using Diagnostics
15. ...> Register from the menu bar.
NOTE: If you install a CA certificate, you confirm that you explicitly trust this CA and any certificate issued by it. Due to the impact and security risks of this, Microsoft Windows may display a security warning when DP CertiID Tray Agent tries to register a certificate for a CA. Microsoft Windows registers the CA certificate only if you confirm that you trust the respective CA.

> To unregister a certificate
1. Insert your token.
2. Select the certificate to unregister in the token explorer tree.
3. Select Unregister from the shortcut menu, OR select Tasks > Unregister from the menu bar.

Managing Certificates and Containers (page 63-64)

4.4.3 Additional considerations
- Registering only adds the certificate and the associated public key to the certificate store. The associated private key is never read from the token.
- The certificate will remain on the token after unregistering. If you want to remove it from the token, you must delete it.
- The certificate remains registered when you remove the token, unless DP CertiID Tray Agent is running and configured to automatically unregister certificates. If you want to remove it from the certificate store, you need to explicitly unregister it.
- You can use DP CertiID Tray Agent to automatically
16. List of Figures (excerpt):
- Figure 72: Generating One-Time Password (OTP), 113
- Figure 73: Configuring DIGIPASS CertiID via Group Policy (1) - Group Policy Management, 116
- Figure 74: Configuring DIGIPASS CertiID via Group Policy (2) - Group Policy Object Editor (Server 2008), 117
- Figure 75: Configuring DIGIPASS CertiID via Group Policy (1) - Active Directory Users and Computers, 118
- Figure 76: Configuring DIGIPASS CertiID via Group Policy (2) - Group Policy Object Editor (Server 2003), 119
- Figure 79: Troubleshooting Report, 135
- Figure 81: Setting Diagnostics Options, 137
- Figure 82: Diagnostics Log Result, 138
- Figure 83: Error Report, 140
- Figure 84: Generating One-Time Password (OTP), 144
- Figure 85: Generating One-Time Password (OTP) from Challenge, 147
17. Table of Contents (excerpt):
4.1.3 Additional considerations, 57
4.1.4 Additional references, 57
4.2.1 Before you begin, 58
4.2.3 Additional considerations, 60
4.2.4 Additional references, 60
4.3 Deleting Objects, 61
4.3.1 Before you begin, 61
4.3.2 Deleting an object, 61
4.3.3 Additional considerations, 61
4.3.4 Additional references, 62
4.4 Registering and Unregistering Certificates, 63
4.4.1 Before you begin, 63
4.4.2 Registering and unregistering a certificate, 63
4.4.3 Additional considerations, 64
4.4.4 Add
18. Table of Contents (excerpt):
3.2.4 Additional references, 43
3.3 Resetting Tokens, 44
3.3.1 Before you begin, 44
3.3.2 Resetting a token, 44
3.3.3 Additional considerations, 45
3.3.4 Additional references, 46
3.4 Resetting Token Personalization, 47
3.4.1 Before you begin, 47
3.4.2 Resetting token personalization, 47
3.4.3 Additional considerations, 51
3.4.4 Additional references, 52
4 Managing Certificates and Containers, 53
4.1.1 Before you begin, 54
19. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks
VASCO, VACMAN, IDENTIKEY, aXsGUARD, DIGIPASS and the Vasco "V" logo are either registered or unregistered trademarks of VASCO Data Security Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Version 2009-06-22

Table of Contents (excerpt):
1 Introduction, 14
1.1 About this manual, 15
1.1.1 How to use this manual, 15
1.1.2 Document conventions, 15
2 Using DP CertiID Management Application, 17
2.1 Getting to Know DP CertiID Management Application, 18
2.1.2 Token explorer, 19
2.1.4 Common tasks
20. ...The Number of retries before block box defines how often an incorrect value for the administrator key can be consecutively typed before it is blocked.
- If an administrator key already exists on the token, it is assigned to unblock the particular PIN. In this case you cannot specify a value for the administrator key.
6. Click Replace. If no administrator key exists on the token, it is created and assigned to unblock the particular PIN.

5.8.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If the replace PUK option is not available, you may not have the privileges to use it.
- The previous PUK object remains on the token after replacing it with an administrator key.
- If you replace the PUK protection of a PIN, the protection is only changed for that particular PIN. It does not affect any other PIN objects unblocked by the same PUK.
- You can replace a PUK with an administrator key, but not vice versa.
- You cannot remove a PUK object itself from the token. Neither can you remove the administrator key itself from the token.
- You can generate master administrator keys to derive secret administrator keys.

5.8.4 Additional references
- Changing the Security of Objects
- Generating Master Administrator Keys
- Access Configuration
- Understanding Authentication Objects
21. ...PFX files. NOTE: If you try to import a PFX file containing more than one certificate, only the first certificate will be imported.

10.4.2 Cryptographic Message Syntax Standard (PKCS#7)
The Cryptographic Message Syntax Standard or PKCS#7 format is used to transfer a certificate together with all certificates in its certification path; such certificate files usually have a .P7B file suffix. CertiID supports import of and export to P7B files.

10.4.3 DER Encoded Binary X.509
The Distinguished Encoding Rules (DER) Encoded Binary format encodes data objects such as X.509 certificates; such certificate files usually have a .CER file suffix. CertiID supports export to CER files.

Appendix: PKI and Certificate Basics (page 155-156)

10.4.4 Base-64 Encoded Binary X.509
The Base-64 Encoded Binary format was developed as a content transfer encoding for Multipurpose Internet Mail Extensions (MIME), a popular standard method to transfer binary attachments over the internet; such certificate files usually have a .CER file suffix. CertiID supports export to CER files.

10.4.5 Additional resources
- Importing Certificates
- Exporting Certificates
22. [Figure 17: Initializing Token (13) - Confirming Authentication Codes. The page shows the generated authentication codes (in the screenshot, PUK 4711), warns that a blocked PUK cannot be unblocked, and requires the "I acknowledge this information" check box to be selected.]

Managing Tokens (page 35)

3.1.3 Additional considerations
- The token template specifies the default authentication mechanism. You can change the authentication mechanism of an initialized token by adding individual PINs, by removing PIN protection and by migrating PUKs to administrator keys.
- The system or token administrator may restrict access to certain program features. If a particular option is not available, you may not have the privileges to use it.
- After applying a token template, you cannot switch to another token template. If you want to apply a different token template, you need to reset the token first.
- You can re-issue a token to another user by resetting the personalization data. This way you do not have to reset and re-initialize the token completely.
- You can save your settings to a default values profile without actually initializing a token: specify your settings, save them to a default values profile in the Ready to Initialize page, and then click Cancel.
- The Set on first use options for PIN, PUK and administrator key apply to the values only. The retry counter is set as specified in the respective pages.
- You can adapt th
23. ...PUK object that is used by default to unblock the default PIN and other PIN objects. The default PUK is a regular PUK object with the label "PUK". If you enter an incorrect PUK several times in a row, it is blocked and can no longer be used to unblock the associated PINs. A blocked PUK cannot be unblocked.

5.1.3.3 Administrator Key
An unblock response is calculated via external authentication. The basic principle is that the token creates a so-called challenge. Using that challenge together with the administrator key, a response is calculated; this is often done by the system or token administrator. The response is then typed and verified by the token. If it is correct, the PIN is unblocked.
Depending on the token capabilities, the administrator key is usually either 16 or 24 bytes long. An administrator key can be used to unblock one or more PINs on a token. A token can contain one administrator key.
TIP: The advantage of administrator keys is that the token user does not need to know the administrator key to unblock a PIN, but only the response created with it. This allows scenarios where the PIN is known only by the user while the administrator key is known only by the system or token administrator, which is not possible with a PUK. Since the token generates a different challenge each time, the respective response is valid only once and cannot be reused by an unauthorized person who gains knowledge of it.
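The challenge/response unblock described in 5.1.3.3, together with the master-key derivation mentioned in 5.8.3, as an added example in Python that is not part of the manual or of VASCO's software: the token issues a fresh random challenge, the administrator (who alone holds the key) answers it, and the token verifies the answer, so a replayed response fails and wrong answers count against the retry counter until the administrator key itself is blocked. The MAC (truncated HMAC-SHA256), the derivation function, the challenge and response lengths, the retry limit and the sample master key and serial are all assumptions; the manual does not specify the algorithms, and real tokens with 16- or 24-byte keys typically use a block-cipher based scheme.

```python
"""Challenge/response PIN unblock with a (master-key derived) administrator key.
Added example: models the exchange in 5.1.3.3 and the derivation in 5.8.3;
algorithms, lengths and retry limit are assumptions, not VASCO's."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

KEY_LEN = 16          # administrator key length; the manual allows 16 or 24 bytes
CHALLENGE_LEN = 8     # length of the token-generated challenge (assumption)
RESPONSE_LEN = 8      # length of the response the administrator types (assumption)
MAX_RETRIES = 3       # 'Number of retries before block' for the administrator key (assumed)


def derive_admin_key(master_key: bytes, token_serial: bytes) -> bytes:
    """Per-token administrator key from a master administrator key (assumed KDF)."""
    return hmac.new(master_key, token_serial, hashlib.sha256).digest()[:KEY_LEN]


def compute_response(admin_key: bytes, challenge: bytes) -> bytes:
    """Administrator side: response = MAC(admin_key, challenge) (assumed MAC)."""
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


@dataclass
class Token:
    serial: bytes
    admin_key: bytes                    # held inside the token, never exported
    pin_blocked: bool = True            # start with a PIN blocked by too many wrong entries
    retries_left: int = MAX_RETRIES
    admin_key_blocked: bool = False
    _pending: Optional[bytes] = field(default=None, repr=False)

    def get_challenge(self) -> bytes:
        """Token side: a fresh random challenge for every unblock attempt."""
        if self.admin_key_blocked:
            raise RuntimeError("administrator key is blocked")
        self._pending = os.urandom(CHALLENGE_LEN)
        return self._pending

    def unblock_pin(self, response: bytes) -> bool:
        """Verify the typed response; unblock on success, count a retry on failure."""
        if self.admin_key_blocked or self._pending is None:
            return False
        expected = compute_response(self.admin_key, self._pending)
        self._pending = None            # one attempt consumes the challenge: no replay
        if hmac.compare_digest(expected, response):
            self.pin_blocked = False
            self.retries_left = MAX_RETRIES
            return True
        self.retries_left -= 1
        if self.retries_left == 0:
            self.admin_key_blocked = True
        return False


def run_scenario() -> dict:
    """Constructed walk-through: unblock, replay attempt, retry-counter exhaustion."""
    master_key = hashlib.sha256(b"constructed master administrator key").digest()[:KEY_LEN]
    serial = b"TOKEN-0001"                                # constructed token serial
    token = Token(serial=serial, admin_key=derive_admin_key(master_key, serial))

    # 1. The administrator derives the same key from the master key and the serial
    #    and answers the challenge the user reads off the unblock dialog.
    challenge = token.get_challenge()
    response = compute_response(derive_admin_key(master_key, serial), challenge)
    first_ok = token.unblock_pin(response)

    # 2. The PIN gets blocked again; someone who saw the first response replays it.
    token.pin_blocked = True
    token.get_challenge()
    replay_ok = token.unblock_pin(response)

    # 3. Wrong responses exhaust the retry counter and block the administrator key.
    while not token.admin_key_blocked:
        token.get_challenge()
        token.unblock_pin(b"\x00" * RESPONSE_LEN)
    return {"first_ok": first_ok, "replay_ok": replay_ok,
            "admin_key_blocked": token.admin_key_blocked, "pin_blocked": token.pin_blocked}
```

Only the derived key for one serial ever leaves the administrator's system, and only as a response to one challenge, which is why the manual's statement that the user need not know the administrator key holds; note that, as with a PUK, exhausting the administrator key's retry counter leaves no further unblock path on that token.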
24. ...all non-personal certificates.
- Certification Authority (CA): such certificates are also not meant for personal use by you and do not contain an associated private key. Such certificates are usually trusted root certificates from certification authorities.
NOTE: The certificate storage on the token does not necessarily correspond one-to-one with the local certificate stores on the machine.

10.3.1 Additional references
- Registering and Unregistering Certificates
- Using the DP CertiID Tray Agent

Appendix: PKI and Certificate Basics (page 154)

10.4 Certificate File Formats
Certificates can be stored using various file formats, each based on different security and compatibility concerns. DIGIPASS CertiID supports the following certificate file formats:
- Personal Information Exchange (PKCS#12)
- Cryptographic Message Syntax Standard (PKCS#7)
- DER Encoded Binary X.509
- Base-64 Encoded Binary X.509

10.4.1 Personal Information Exchange (PKCS#12)
The Personal Information Exchange (PFX) or PKCS#12 format is used to exchange public and private objects in a single file, e.g. a certificate and its corresponding private key; such certificate files usually have a .PFX or .P12 file suffix. Since private keys cannot be retrieved from a token, CertiID supports only import of
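The file formats of section 10.4, as an added example that is not part of the manual or of CertiID: a Python sniffer that tells Base-64 (PEM), DER X.509, P7B and PFX files apart from their structure and counts the certificates a P7B or PEM file carries, which is the check to make before importing a file that may hold more than one certificate. The minimal DER reader, the `identify` result shape and the constructed sample files are the example's own; the PKCS#12 version number (3) and the PKCS#7 id-signedData / id-data object identifiers are the standard values.

```python
"""Sniff the certificate file formats of section 10.4 and count the certificates they carry.
Added example, not VASCO/CertiID code. Sample inputs are constructed stand-ins
with the right outer ASN.1 structure, not real certificates."""
import base64
import re
from typing import Dict, Iterator, List, Tuple

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 id-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1 id-data
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def pem_blocks(data: bytes) -> List[Tuple[str, bytes]]:
    """(label, DER bytes) for every PEM block in the file (Base-64 encoded X.509)."""
    return [(m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split())))
            for m in PEM_RE.finditer(data)]


def sniff_der(der: bytes) -> str:
    """Classify a DER blob by the first element inside its outer SEQUENCE."""
    tag, value, _ = der_tlv(der)
    if tag != 0x30:
        return "unknown"
    first_tag, first_val = next(der_children(value))
    if first_tag == 0x30:                                   # Certificate: tbsCertificate SEQUENCE
        return "x509-der"
    if first_tag == 0x02 and first_val == b"\x03":          # PFX: version INTEGER 3
        return "pkcs12"
    if first_tag == 0x06 and first_val == OID_SIGNED_DATA:  # ContentInfo: id-signedData
        return "pkcs7"
    return "unknown"


def count_p7b_certificates(der: bytes) -> int:
    """Number of certificates in the 'certificates [0]' set of a PKCS#7 SignedData."""
    _, content_info, _ = der_tlv(der)
    _, explicit0 = list(der_children(content_info))[1]      # content [0] EXPLICIT
    _, signed_data = next(der_children(explicit0))          # SignedData SEQUENCE
    for tag, value in der_children(signed_data):
        if tag == 0xA0:                                     # certificates [0] IMPLICIT SET OF
            return sum(1 for t, _ in der_children(value) if t == 0x30)
    return 0


def identify(data: bytes) -> Dict[str, object]:
    """Format and certificate count for the raw bytes of a file."""
    blocks = pem_blocks(data)
    if blocks:
        return {"format": "pem",
                "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE")}
    kind = sniff_der(data)
    if kind == "pkcs7":
        return {"format": kind, "certificates": count_p7b_certificates(data)}
    # A PFX keeps its certificates in SafeContents that are usually encrypted,
    # so the count cannot be read without the password: reported as None.
    return {"format": kind, "certificates": 1 if kind == "x509-der" else None}


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one element (short or long length form), used to build samples."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed samples: structurally correct outer layers only.
FAKE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x02")) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
FAKE_P7B = _tlv(0x30, _tlv(0x06, OID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30,
    _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, _tlv(0x06, OID_DATA))
    + _tlv(0xA0, FAKE_CERT + FAKE_CERT))))
FAKE_PFX = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, _tlv(0x06, OID_DATA)))
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_CERT)
            + b"-----END CERTIFICATE-----\n")
```

A PFX cannot be counted this way because its certificates sit inside SafeContents that are normally encrypted; `openssl pkcs12 -in file.pfx -nokeys` lists them once the password is supplied, which is how to check for the 10.4.1 caveat that only the first certificate of a multi-certificate PFX is imported.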
between different tokens.

Figure 20: Personalizing Token (3): Specifying Token Label (Token label: Jane Doe's Token)

6. If required, specify a default PIN. This option is only available if the token template configuration includes a default PIN and the Set PIN on first use option was selected during initialization.

Figure 21: Personalizing Token (4): Specifying Default PIN (Personalize Token dialog: Specify the value for the default PIN. Enter the PIN two times to prevent typing errors, or select Generate PIN to have a PIN value generated automatically. Options: Set PIN now (PIN, Confirm PIN), Generate PIN, Skip PIN personalization.)

• Select Set PIN now and type a value for the PIN twice to prevent typing errors. Next remains disabled until the new PIN complies with the effective PIN policy.
  TIP: Click View Details to show the effective PIN policy and see why the specified PIN does not comply with it.
• Select Generate PIN to have a PIN automatically generated for you. The generated PIN value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN letter if you request to print one (see Step 9).
• Select Skip PIN personalization if you d
but have the user change it the first time the token is used.
• Select Unblock default PIN on first use if you want the user to unblock it the first time the token is used. This option is only available if an administrator key exists on the token. The default PIN is blocked; the next time the token is inserted, the user is asked to unblock the PIN via challenge-response before the token can be used.

7. If required, specify the new default PIN. This option is only available if the Change default PIN on first use option was selected (see Step 6).

Figure 30: Reset Token Personalization (5): Specifying Default PIN (Reset Token Personalization dialog: Specify the value for the default PIN. Enter the PIN two times to prevent typing errors, or select Generate PIN to have a PIN value generated automatically. Options: Set PIN now (PIN, Confirm PIN), Generate PIN.)

• Select Set PIN now and type a value for the default PIN twice to prevent typing errors. Next remains disabled until the new PIN complies with the effective PIN policy.
  TIP: Click View Details to show the effective PIN policy and see why the specified PIN does not comply with it.
• Select Generate PIN to have a PIN automatically generated for you.
during initialization, such as specifying the default PIN and the default PUK. In this case the token is said to be pre-initialized. Before it can be used, initialization needs to be completed by personalizing the token, meaning that the individual settings omitted during initialization are applied.

Before you begin

You can only initialize empty tokens. To re-initialize a token, you need to reset the token first (see Section Resetting Tokens).

You need to consider which token template you want to use. A token template contains the default token configuration settings, such as which default authentication mode is used. Currently the following token templates are available:
• Standard PIN/PUK template: This token template provides authentication using a default PIN protected by a default PUK. Their values and retry counters may be set during the initialization process. This is the default token template and may be used for all supported CAs.
• Standard PIN/Adminkey template: This token template provides authentication using a default PIN protected by external authentication using an administrator key. Their values and retry counters may be set during the initialization process. This token template is highly recommended if you want to use VASCO Card Module under Microsoft Windows Vista.
• Entrust-optimized PIN/PUK template: This token template provides the same authentication mechanisms as the Standard PIN/PUK template. It is o
• PIN Policy Rules
• Changing the Security of Objects
• Understanding Authentication Objects

5.3 Changing PUKs

Similar to your PINs, you can change your PUKs.

NOTE: You should change your PUK immediately if you suspect that it has been compromised, guessed, or revealed by someone else.

5.3.1 Before you begin

To change a PUK you need:
• DP CertiID Management Application
• the current PUK
• to choose a strong PUK that can't be easily guessed but can still be easily remembered by you.

CAUTION: If you need to record your PUK, either in writing or electronically, store it in a secure place. Do not disclose it to anyone, including supervisors or co-workers.

CAUTION: If you consecutively enter an incorrect PUK too many times, it is blocked. You cannot unblock a blocked PUK, thus losing the possibility to unblock the assigned PINs.

5.3.2 Changing a PUK

To change a PUK:
1. Insert your token.
2. Select the PUK to be changed in the token explorer tree.
3. Select Change from the shortcut menu, OR select Tasks > Change from the menu bar. The Change PUK Dialog appears.
• The application displays its own authentication interface. Depending on whether the application is aware of the connected keypad hardware, it requires the user to type the PIN either on the keyboard or on the keypad. For instance, when authenticating to Microsoft Windows you are required to type the PIN using the keyboard at the Windows Logon Screen, because the underlying process (winlogon.exe) is not aware of keypad hardware.
• The application depends on the middleware to authenticate the user. In this case you can determine the behaviour using the Use keypad hardware capabilities when possible option, set via DP CertiID Configuration Center. If this option is selected, keypad hardware is used whenever possible. If this option is not selected, the PIN must be typed on the keyboard. This option requires the particular tokens to be initialized with keypad support enabled.

12.1.1.2 DP CertiID PKCS #11 Library

Applications that use PKCS #11 for cryptographic operations always use their own authentication interface. Depending on whether the application is aware of the connected keypad hardware, it requires the user to type the PIN either on the keyboard or on the keypad.

12.1.1.3 VASCO Card Module

VASCO Card Module does currently not provi
[illegible index entry] ... 127
setting Automatic Unregistering of Certificates ... 127
setting Certificate Expiry Date Reminder options ... 128
setting Certificate Import options ... 128
setting Display and User Experience Options ... 132
setting General PIN Options ... 122
setting Initialize Token Options ... 123
setting One Time Password Options ... 132
setting PIN Policy Rules ... 124
setting program feature access ... 129
setting PUK Policy Rules ... 125
[illegible index entry] ... 121
DP CertiID Diagnostics and Troubleshooting
  performing a diagnostics run ... 136
  searching for issues ... 134
  system diagnostics ... 136
  [illegible index entry] ... 136
  using application error reports ... 140
  using Diagnostics ... 136
  using Troubleshooting ... 134
DP CertiID Management Application
  common tasks sidebar ... 19
  object pane ... 19
  [illegible index entry] ... 18
  [illegible index entry] ... 20
  token explorer sidebar ... 19
  token selection ... 19
  [illegible index entry] ... 19
  [illegible index entry] ... 17
DP C
each character is equal for all characters: 1234, 1357, abcd. The following PUKs are non-successive character sequences because the distance between each character is not equal for all characters: 3856, 12341234, 1 2qwertz.

PUKs must contain at least this many digits: Enter the minimum number of digits a PUK must contain to be valid. This option is available only when you select the Enable PUK complexity rules check box.

PUKs must contain at least this many uppercase characters: Enter the minimum number of uppercase characters (e.g. A, B, C) a PUK must contain to be valid. This option is available only when you select the Enable PUK complexity rules check box.

PUKs must contain at least this many lowercase characters: Enter the minimum number of lowercase characters (e.g. a, b, c) a PUK must contain to be valid. This option is available only when you select the Enable PUK complexity rules check box.

Allow the following characters for PUKs: This option specifies which characters a PUK can contain to be valid.
• Numeric characters only: select this option to allow only numeric characters.
• Alpha characters only: select this option to allow only alphabetic characters.
• Alphanumeric characters: select this option to allow numeric and alphabetic characters.
• Unicode characters: select this option to allow any valid Unicode (UTF-8) character.
explorer tree.
3. Select Reset personalization from the shortcut menu, OR select Tasks > Reset personalization from the menu bar. The Reset Token Personalization Wizard appears.

Figure 26: Reset Token Personalization (1) (Reset personalization on Jane Doe's Token: This wizard helps you to reset the personalization state of this token. When resetting the token personalization you can reset the token label, the cardholder data and the default PIN, and define how the default PIN is initialized when this token is used again. Click Next to continue.)

4. Specify a new cardholder name or click Next to keep the current one.

Figure 27: Reset Token Personalization (2): Specifying Cardholder Name (Specify the cardholder name. The cardholder is the person who has the actual right to possess and use the token. To keep the current cardholder data, click Next. Cardholder name: Jane Doe)

5. Specify a new token label or click Next to keep the current one.

Reset Token Personalization: Spe
is blocked and needs to be unblocked.

4. Specify a label for the new PIN. The PIN label is the name used to refer to this PIN, helping to distinguish between different PINs.

Figure 61: Changing Object Security: Specifying PIN Label (Specify the label for the new PIN. The PIN label is the name used to refer to this PIN. It helps you to distinguish between different PINs. PIN label: Jane's PIN. Note: You can't use PIN, PUK, ADMINKEY or SO PIN for the PIN label.)

NOTE: The PIN label can't be set to PIN, PUK, ADMINKEY or SO PIN, as these labels are reserved for the default PIN, the default PUK and the administrator key respectively. PKCS #11 refers to the PUK as SO PIN.

5. Select how to unblock the PIN.

Change Object Security dialog: Specify unblock mechanism for the new PIN. If you consecutively enter a wrong PIN too often, it is blocked and the data it protects cannot be accessed. You can define how to unblock the PIN. Settings marked by a lock are disabled by your system administrator. Other settings may not be applicable at this
new PUKs to unblock: select this option to allow users to create and assign new PUKs to unblock newly created PINs. It effectively disables the Generate new PUK option in the Change Object Security Wizard. This option is available only when you select the Create new PINs check box.

Remove PIN protection: select this option to allow users to remove the PIN protection from data objects. It effectively disables the Remove current PIN option in the Change Object Security Wizard. This option is available only when you select the Change object security check box.

Rename PINs: select this option to allow users to change PIN labels.

Rename PUKs: select this option to allow users to change PUK labels.

Other

Display and User Experience

Show support contact information in Unblock PIN Dialog: select this option to display support contact information in the Unblock PIN Dialog, so users can find out whom to contact if their PIN is blocked.

Support contact information: Type the support contact information to display in the Unblock PIN Dialog. This option is available only when you select the Show support contact information in Unblock PIN Dialog check box.

Show icon in notification area: select this option to enable the icon in the notification area. If you cle
objects: select this option to allow users to delete data objects from a token.

Delete secret key objects: select this option to allow users to delete secret key and master administrator key objects from a token.

Import OTP key objects: select this option to allow users to import OTP key objects to a token.

Delete OTP key objects: select this option to allow users to delete OTP key objects from a token.

7.6.6 Security Settings

Unblock PINs: select this option to allow users to unblock PINs.

Change administrator authenticators: select this option to allow users to change the value of PUKs and administrator keys.

Replace PUKs with administrator key: select this option to allow users to replace PUKs with an administrator key.

Generate master administrator keys: select this option to allow users to generate master administrator keys.

Change object security: select this option to allow users to change the protection of data objects. It effectively disables the Change Object Security Wizard.

Create new PINs: select this option to allow users to create and assign new PINs to a data object. It effectively disables the Generate new PIN option in the Change Object Security Wizard. This option is available only when you select the Change object security check box.

Create
access a certificate, more precisely the private key associated with the certificate (e.g. to use it for a signing operation), you are required to provide the respective PIN. Only after you have typed the correct PIN can the data object be used for the desired operation.

A token may contain more than one PIN protecting different data objects. It may also contain a default PIN, i.e. a PIN object that is used by default to protect newly created data objects. The default PIN is a regular PIN object with the label PIN. For example, if you enrol a certificate with a private key on the token, access to it is automatically protected by the default PIN, but this can be changed afterwards.

If you enter an incorrect PIN several times in a row, it is blocked and the data it protects can no longer be accessed. A blocked PIN must be unblocked in order to access the protected data again.

5.1.3.2 Personal Unblocking Key (PUK)

To unblock a blocked PIN you need to provide an unblock code. The unblock code is either a personal unblocking key (PUK) or an unblock response. A PUK, similar to a PIN, is a secret numeric, alphanumeric or Unicode password. When data protected by a blocked PIN is accessed, the PUK is requested to unblock and reset the PIN first. A PUK can be used to unblock one or more PINs on a token. A token can contain more than one PUK. It may also contain a default PUK, i.e. a
requires a response calculated from a challenge issued by the token.

NOTE: You should change your administrator key immediately if you suspect that it has been compromised, guessed, or revealed by someone else.

5.4.1 Before you begin

To change an administrator key you need:
• DP CertiID Management Application
• the current administrator key OR the master administrator key. If you do not know your administrator key or don't possess the master administrator key, you should contact your token administrator.

CAUTION: If you need to record your administrator key, either in writing or electronically, store it in a secure place. Do not disclose it to anyone, including supervisors or co-workers.

CAUTION: If you consecutively enter an incorrect administrator key too many times, it is blocked. You cannot unblock a blocked administrator key, thus losing the possibility to unblock the assigned PINs via external authentication.

5.4.2 Changing an administrator key

To change an administrator key:
1. Insert your token.
2. Select the administrator key to be changed in the token explorer tree.
3. Select Change from the shortcut menu, OR select Tasks > Change from the menu bar. The Change Administrator Key Dialog appears.

Cha
response to unblock a PIN is determined by the type of authentication object assigned to unblock the PIN.

5.5.1 Before you begin

To unblock a PIN you need:
• DP CertiID Management Application
• the respective unblock code. If you do not know your unblock code, contact your token administrator.

CAUTION: Do not record your PIN, either in writing or electronically, and do not disclose it to anyone, including supervisors or co-workers.

CAUTION: If you consecutively enter an incorrect PUK or an incorrect administrator key to unblock a PIN too many times, the PUK or the administrator key is blocked as well. You cannot unblock a blocked PUK or a blocked administrator key, thus losing the possibility to unblock the assigned PIN.

5.5.2 Unblocking a PIN with a PUK

To unblock a PIN with a PUK:
1. Insert your token.
2. Select the PIN to be unblocked in the token explorer tree.
3. Select Unblock from the shortcut menu, OR select Tasks > Unblock PIN from the menu bar. The Unblock PIN Dialog appears, requiring you to enter a PUK.

Unblock PIN dialog: Enter PUK and new PIN. Your PIN has been blocked. To unblock it and access the data protected by it again, enter the PUK. To unblock PIN: PIN. On token: Jane Doe's Token. Fields: PUK, New PIN
test below to verify the certificate for correct signing operability. If the verification is successful, the signing key works correctly.

Figure 43: Testing Key Pair for Signing (dialog fields: Hash Algorithm: MD5; Plaintext: foobar; Signature: 4D 57 F9 D3 AC B9 F2 E4 24 C2 22 4D D2)

a. Type some arbitrary text in Plaintext.
b. Select a hash algorithm in the Hash Algorithm list and click Test. The key pair is used to create a signature for the plaintext based on the selected hash algorithm. The signature is then verified for validity. A green checkmark indicates the test completed successfully; otherwise you will receive an error message.
c. When you have finished testing, click Next.

6. Verify the test results and click Close.

4.5.3 Additional considerations
• If you try to test a single key instead of a key pair (e.g. because only one key was created during an unsuccessful enrollment), you will get an appropriate error message.

4.5.4 Additional references
• Appendix PKI and Certificate Basics
the certificate store.

Other: select this option to have certificates of other people (certificates for non-personal use with no associated key pair) automatically unregistered by DP CertiID Tray Agent when a token is removed. This option is available only when you select the Other check box under Register certificates of the following categories.

7.5.3 Certificate Expiry Date Reminder

Remind me if a certificate is about to expire: select this option to get a warning each time you insert a token containing a certificate that is about to expire. This option affects DP CertiID Management Application and DP CertiID Tray Agent only; other applications will not display a warning.

Days before certificate expires: Enter the number of days a certificate should at least still be valid before an expiration warning is displayed. This option is available only when you select the Remind me if a certificate is about to expire check box.

7.5.4 Certificate Import

Automatically write certificate chain to token when a certificate is imported: If you select this option, each time a certificate is imported via VASCO CertiID Smart Card Crypto Provider or VASCO Card Module (e.g. during a rollout), the middleware will attempt to retrieve the complete certificate chain for the certificate being imported, i.e. all intermediate CA certificates up to and including the root CA certificate, from the current user and local machine certificate stores. If all certifica
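The chain-retrieval step described above is a walk from the imported certificate to a self-signed root, looking up each issuer in the configured stores in turn; the interesting cases are the ones where the walk cannot finish. The following is an added example of that algorithm (not the middleware's code): certificates are reduced to constructed subject/issuer name pairs, stores are plain lists searched in order (current user first, then local machine), and matching is by name only, a simplification of real chain building, which also uses key identifiers.

```python
"""Walk a certificate chain from an imported end-entity certificate up to a self-signed root by
looking up each issuer in the configured stores, in order. Added illustration of the
chain-retrieval step; not the middleware's code. Matching is by subject/issuer name only."""
from dataclasses import dataclass
from typing import List, Sequence


class ChainError(Exception):
    """The chain cannot be completed from the available stores."""


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, stores: Sequence[Sequence[Cert]], max_depth: int = 10) -> List[Cert]:
    """Return [leaf, intermediate..., root]. Raises ChainError when an issuer is missing from
    every store, when the issuer names form a loop, or when the chain exceeds max_depth."""
    chain, seen = [leaf], {leaf.subject}
    current = leaf
    while not current.self_signed:
        if len(chain) >= max_depth:
            raise ChainError(f"chain longer than {max_depth} without reaching a root")
        # Stores are consulted in the order given (here: current user, then local machine).
        issuer = next((c for store in stores for c in store if c.subject == current.issuer), None)
        if issuer is None:
            raise ChainError(f"issuer not found in any store: {current.issuer}")
        if issuer.subject in seen:
            raise ChainError(f"issuer loop detected at {issuer.subject}")
        chain.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return chain


# Constructed sample data: a user certificate, its issuing CA and the corporate root.
LEAF = Cert("CN=Jane Doe", "CN=Corp Issuing CA")
ISSUING = Cert("CN=Corp Issuing CA", "CN=Corp Root CA")
ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA")
CURRENT_USER_STORE = [ISSUING]   # constructed: intermediate lives in the user's store
LOCAL_MACHINE_STORE = [ROOT]     # constructed: root lives in the machine store
```

An import tool built on this would write the whole returned list to the token only when `build_chain` succeeds, and report the missing issuer name from the `ChainError` otherwise, so that the rollout operator knows which CA certificate to install in the stores first.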
the following:
• If you know the respective administrator key:
  a. Click Generate response. The Enter Administrator Key Dialog appears.
  Figure 55: Entering Administrator Key (Enter Administrator Key dialog: To generate a response, enter the administrator key. Options: Enter administrator key (Administrator key); Use master administrator key (Master key, PIN).)
  b. Type the administrator key and click OK to return to the Unblock PIN Dialog. The response is calculated using the provided administrator key and automatically entered into the Response box.
• If you possess the master administrator key:
  a. Click Generate response. The Enter Administrator Key Dialog appears.
  b. Insert the administrator token.
  c. Select Use master administrator key.
  d. Select the master administrator key in the Master key list.
  e. Type the PIN for the master administrator key and click OK to return to the Change Administrator Key Dialog. The response is calculated using the provided administrator key and automatically entered into the Response box.
• If you do not know the administrator key, contact your token administrator and read the chal
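The unblock procedure above, together with the descriptions of PIN retry counters, PUKs and the administrator-key challenge-response in Section 5.1.3, follows one model: every authentication object has its own retry counter, a blocked PIN is reset by whoever holds the PUK, and the administrator-key path lets the user type only a one-time response without ever seeing the key. The following is an added example of that model (not VASCO's code and not the token's real algorithm): the response computation is a stand-in (HMAC-SHA256 over the challenge, an assumption, since the manual does not state the algorithm), while the 16- or 24-byte key length, the one-time challenge and the blocking rules follow the manual.

```python
"""Model of a token's authentication objects: a PIN with a retry counter, a PUK that unblocks it,
and an administrator key that unblocks it via challenge-response.

Added illustration. The response algorithm used by real tokens is not stated in the manual, so
HMAC-SHA256 over the challenge stands in for it (an assumption). Key lengths of 16 or 24 bytes
and the retry/blocking behaviour follow the manual's description."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class AuthError(Exception):
    """Raised when an authentication object is blocked or no challenge is pending."""


@dataclass
class RetryCounter:
    limit: int
    left: int = field(init=False)

    def __post_init__(self) -> None:
        self.left = self.limit

    @property
    def blocked(self) -> bool:
        return self.left <= 0

    def fail(self) -> None:
        self.left = max(0, self.left - 1)

    def reset(self) -> None:
        self.left = self.limit


def compute_response(admin_key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the external-authentication algorithm (assumption: HMAC-SHA256 truncated to
    8 bytes). The administrator computes this; the user only types the result."""
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8]


class Token:
    def __init__(self, pin: str, puk: str, admin_key: bytes,
                 pin_retries: int = 3, puk_retries: int = 3, admin_retries: int = 3) -> None:
        if len(admin_key) not in (16, 24):
            raise ValueError("administrator key must be 16 or 24 bytes")
        self._pin, self._puk, self._admin_key = pin, puk, admin_key
        self.pin_counter = RetryCounter(pin_retries)
        self.puk_counter = RetryCounter(puk_retries)
        self.admin_counter = RetryCounter(admin_retries)
        self._challenge: Optional[bytes] = None

    def verify_pin(self, candidate: str) -> bool:
        if self.pin_counter.blocked:
            raise AuthError("PIN is blocked; unblock it with the PUK or an unblock response")
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.pin_counter.reset()
            return True
        self.pin_counter.fail()
        return False

    def unblock_with_puk(self, puk: str, new_pin: str) -> bool:
        """PUK path: the caller must know the secret itself. A blocked PUK stays blocked."""
        if self.puk_counter.blocked:
            raise AuthError("PUK is blocked and cannot be unblocked")
        if not hmac.compare_digest(puk.encode(), self._puk.encode()):
            self.puk_counter.fail()
            return False
        self.puk_counter.reset()
        self._set_new_pin(new_pin)
        return True

    def get_challenge(self) -> bytes:
        """The token issues a fresh random challenge; only the matching response is accepted."""
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def unblock_with_response(self, response: bytes, new_pin: str) -> bool:
        """Administrator-key path: the user never learns the key, only a one-time response."""
        if self.admin_counter.blocked:
            raise AuthError("administrator key is blocked and cannot be unblocked")
        if self._challenge is None:
            raise AuthError("no pending challenge: request one with get_challenge() first")
        expected = compute_response(self._admin_key, self._challenge)
        self._challenge = None          # consumed: a replayed response cannot succeed
        if not hmac.compare_digest(expected, response):
            self.admin_counter.fail()
            return False
        self.admin_counter.reset()
        self._set_new_pin(new_pin)
        return True

    def _set_new_pin(self, new_pin: str) -> None:
        self._pin = new_pin
        self.pin_counter.reset()
```

The point the TIP in Section 5.1.3.3 makes shows up directly: a response captured from one unblock cannot be reused, because the token discards the challenge as soon as a response is checked and will not accept another attempt until a new challenge is issued, and every wrong response still costs an administrator-key retry.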
time. (Why can't I select some settings?) Options: Use default PUK (recommended), Generate new PUK (advanced), Use administrator key.

Figure 62: Changing Object Security: Specifying Unblock Mechanism

• Select Use default PUK to use the default PUK to unblock the PIN if it is blocked. This option is only available if a default PUK exists on the token. Continue with Step 8.
• Select Generate new PUK if you want to create a new PUK object to unblock the new PIN.
• Select Use administrator key to use external authentication with the administrator key to unblock the new PIN. This option is only available if an administrator key exists on the token. Continue with Step 8.

6. Specify the value and retry counter for the new PUK.

Figure 63: Changing Object Security: Specifying New PUK (Change Object Security dialog: Specify the value for the new PUK. If you consecutively enter a wrong PIN too often, it is blocked and the data it protects cannot be accessed. You can define a PUK to unblock the PIN. Options: Set PUK now (PUK, Confirm PUK), Generate PUK; Number of retries before block.)

• Select Set PUK now and type a value for the PUK twice to prevent typing err
token reset protection. You can set a reset code that is required to reset the token. If you do not specify a reset code, anyone can reset the token without authentication, destroying all data on it.

Figure 9: Initializing Token (5): Specifying Reset Code (dialog options: Require reset code to reset token (recommended): Reset Code, Confirm Reset Code, Number of retries before block: 10. Do not require reset code to reset token: This option allows anyone to reset the token, destroying all data on it. It is not recommended to use this option. Do not allow to reset this token: If you use this option you will never be able to reset this token.)

• Select Require reset code to reset token if you want to protect the token with a reset code. The token can be reset only with the correct reset code. Type a value for the reset code twice to prevent typing errors. The Number of retries before block box defines how often an incorrect value for the reset code can be consecutively typed before it is blocked.
• Select Do not require reset code to reset token if you want to allow resetting the token without a reset code. If you do not require a reset code, anyone, including unauthorized persons, can reset the token without any prior authentication.
• Select Do not allow to reset this token to prevent resetting this token at all.
  CAUTION: If you use this option you will never be able to r
when a token is inserted. Certificates of this type are added to the Other People store.

7.5.2 Automatic Unregistering of Certificates

Unregister certificates of the following categories: These options specify which certificate categories are automatically unregistered by DP CertiID Tray Agent when a token is removed.

Personal: select this option to have personal certificates (certificates for personal use with associated key pair) automatically unregistered by DP CertiID Tray Agent when a token is removed. This option is available only when you select the Personal check box under Register certificates of the following categories.

Certificate Authorities (CA): select this option to have certificates of certificate authorities (CA certificates with no associated key pair) automatically unregistered by DP CertiID Tray Agent when a token is removed. This option is available only when you select the Certificate Authorities (CA) check box under Register certificates of the following categories.

NOTE: Due to the impact and security risks of removing a CA certificate, Microsoft Windows may display a security warning when DP CertiID Tray Agent tries to unregister a certificate for a CA. Microsoft Windows unregisters the CA certificate only if you confirm to delete it from
8.1.2 Additional considerations ... 135
8.1.3 Additional references ... 135
8.2 Using Diagnostics ... 136
8.2.1 Performing a diagnostics run ... 136
8.2.2 Additional considerations ... 139
8.2.3 Additional references ... 139
8.3 Using Application Error Reports ... 140
8.3.1 [illegible entry] ... 140
8.3.2 Additional considerations ... 141
9 Appendix: Using DP CertiID with One Time Passwords (OTP) ... 142
9.1 Generating One Time Passwords (OTP) ... 143
9.1.1 Before you begin ... 143
9.1.2 Generating one time passwords (OTP) ... 143
9.1.3 Additional considerations ... 144
9.1.4 Additional references
... 105
[illegible entry] ... 105
[illegible entry] ... 105
5.10.3 Additional considerations ... 107
5.10.4 Additional references ... 107
6 Using the DP CertiID Tray Agent ... 108
6.1 [illegible entry] ... 109
6.1.1 Registering and unregistering certificates ... 109
6.2 Getting to Know the DP CertiID Tray Agent Icon ... 110
6.2.1 Using the status hover pane ... 111
6.2.2 Showing and hiding the DP CertiID Tray Agent Icon ... 112
6.2.3 Generating one time passwords (OTP) ... 112
6.2.4 [illegible entry] ... 113
7 Configuring DIGIPASS CertiID ... 114
7.1 Using Group Policy to configure DIGIPASS CertiID ... 115
7.1.1 Before you begin ... 115
7.1
7.1.2 Configuring DIGIPASS CertiID using Group Policy ... 115
7.1.3 Additional considerations ... 120
7.2 Using DP CertiID Configuration Center to configure DIGIPASS CertiID ... 121
7.2.1 Before you begin ... 121
7.2.2 Starting DP CertiID Configuration Center ... 121
7.3 PIN Handling ... 122
7.3.1 [illegible entry] ... 122
7.3.2 Cryptographic Service Provider (CSP) PIN Caching Options ... 122
7.3.3 [illegible entry] ... 123
7.4 [illegible entry] ... 124
7.4.1 PIN Policy Rules ... 124
7.4.2 PUK Policy Rules ... 125
7.5 Certificate Handling ... 127
7.5.1 Automatic Registering of Certificates ... 127
7.5.2 Automatic Unregistering of Certificates ... 12
7.5.3 Certificate Expiry Date Reminder ... 128
7.5.4 C
48. 2009 VASCO Data Security. All rights reserved. Unauthorized duplication or distribution is prohibited.
DIGIPASS CertiID User Manual: Configuring DIGIPASS CertiID (page 124)
PINs must contain at least this many digits: Enter the minimum number of digits a PIN must contain to be valid. This option is available only when the Enable PIN complexity rules check box is selected.
PINs must contain at least this many uppercase characters: Enter the minimum number of uppercase characters (e.g. ABC) a PIN must contain to be valid. This option is available only when the Enable PIN complexity rules check box is selected.
PINs must contain at least this many lowercase characters: Enter the minimum number of lowercase characters (e.g. abc) a PIN must contain to be valid. This option is available only when the Enable PIN complexity rules check box is selected.
Allow the following characters for PINs: This option specifies which characters a PIN may contain to be valid.
- Numeric characters only: select this option to allow only numeric characters.
- Alpha characters only: select this option to allow only alphabetic characters.
- Alphanumeric characters: select this option to allow numeric and alphabetic characters.
- Unicode characters: select this option to allow any valid Unicode (UTF-8) character.
7.4.2 PUK Policy Rules
Override token hardware capabilities: Select these options if you want to explicitly set the minimum and maximum PUK length respective
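The rules above are easy to misconfigure (a numeric-only character policy combined with a required uppercase count can never be satisfied), so it helps to have them as executable checks. The following is an added example, not VASCO code and not the product's own policy engine: it models the documented options (Enable PIN complexity rules, the minimum digit/uppercase/lowercase counts, Allow the following characters for PINs, and the Force non-successive character sequences rule shown in the Group Policy dialog of Figure 76). The minimum and maximum length and the run length that counts as "successive" are assumptions, not values from the manual.

```python
"""Checker for the DIGIPASS CertiID PIN policy rules described above.

Added example, not VASCO code. Documented options are modelled as written; the
min/max length and the length of a "successive" run are assumptions.
"""
from dataclasses import dataclass

NUMERIC, ALPHA, ALPHANUMERIC, UNICODE = "numeric", "alpha", "alphanumeric", "unicode"


@dataclass(frozen=True)
class PinPolicy:
    enable_complexity_rules: bool = True
    force_non_successive: bool = True   # e.g. reject 1234 or abcd
    min_digits: int = 0
    min_uppercase: int = 0
    min_lowercase: int = 0
    allowed_characters: str = NUMERIC   # one of NUMERIC, ALPHA, ALPHANUMERIC, UNICODE
    min_length: int = 4                 # assumption: mirrors the PUK min/max length override
    max_length: int = 16                # assumption
    successive_run: int = 3             # assumption: 3 adjacent +1/-1 code points form a sequence


def _char_allowed(c: str, charset: str) -> bool:
    if charset == NUMERIC:
        return c.isascii() and c.isdigit()
    if charset == ALPHA:
        return c.isascii() and c.isalpha()
    if charset == ALPHANUMERIC:
        return c.isascii() and c.isalnum()
    if charset == UNICODE:
        try:                      # "any valid Unicode (UTF-8) character": reject lone surrogates
            c.encode("utf-8")
            return True
        except UnicodeEncodeError:
            return False
    raise ValueError(f"unknown character policy {charset!r}")


def has_successive_run(pin: str, run: int) -> bool:
    """True if `run` adjacent characters ascend (1234, abcd) or descend (4321) by
    one code point each. The manual only shows ascending examples; treating
    descending runs the same way is an assumption."""
    codes = [ord(c) for c in pin]
    for i in range(len(codes) - run + 1):
        steps = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_pin(pin: str, policy: PinPolicy) -> list:
    """Return the list of violated rules; an empty list means the PIN is acceptable."""
    violations = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        violations.append(f"length must be between {policy.min_length} and {policy.max_length}")
    rejected = sorted({c for c in pin if not _char_allowed(c, policy.allowed_characters)})
    if rejected:
        violations.append(f"characters not allowed by the {policy.allowed_characters} policy: {rejected}")
    if policy.enable_complexity_rules:      # the three counts only apply when complexity rules are on
        if sum(c.isdigit() for c in pin) < policy.min_digits:
            violations.append(f"needs at least {policy.min_digits} digits")
        if sum(c.isupper() for c in pin) < policy.min_uppercase:
            violations.append(f"needs at least {policy.min_uppercase} uppercase characters")
        if sum(c.islower() for c in pin) < policy.min_lowercase:
            violations.append(f"needs at least {policy.min_lowercase} lowercase characters")
        if policy.force_non_successive and has_successive_run(pin, policy.successive_run):
            violations.append("contains a successive character sequence such as 1234 or abcd")
    return violations
```

A default `PinPolicy()` reproduces a classic numeric PIN; `PinPolicy(allowed_characters=ALPHANUMERIC, min_digits=2, min_uppercase=1, min_lowercase=1, min_length=8)` is a mixed-case policy. Running `check_pin` against a policy before rolling it out via Group Policy shows immediately whether the combination of options can be satisfied at all.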
49. Managing Authentication Objects
The Replace PUK with Administrator Key dialog appears. The dialog states that to replace your PUK with an administrator key you need to enter the PUK and specify a value for the administrator key; it shows the PUK label and the token label, a Current PUK box, the Enter administrator key / Administrator key fields, the Use master administrator key option and the Number of retries before block box.
Figure 66: Replacing PUK with Administrator Key
4. Type the PUK in the Current PUK box.
5. Do one of the following:
If you want to specify the administrator key:
a. Select Enter administrator key.
b. Type the administrator key.
c. Specify the retry counter. The Number of retries before block box defines how often an incorrect value for the administrator key can be consecutively typed before it is blocked.
If you want to use a master administrator key:
a. Insert the administrator token.
b. Select Use master administrator key.
c. Select the master administrator key in the Master key list.
d. Type the PIN for the master administrator key.
e. Specify the retry counter.
DIGIPASS CertiID User Manual: Managing Authentication (page 100)
50. Click Start to activate diagnostics. Diagnostics is now activated and records the respective data until it is deactivated again.
> To disable system or user diagnostics in progress
1. Switch to the Diagnostics tab.
2. Click Deactivate for the respective diagnostics type.
Diagnostics is now deactivated and the Diagnostics Report dialog appears.
Figure 82: Diagnostics Log Result. The report lists each issue found with its process, module, error code and message (in the screenshot five issues for the management application process and its ProcCore32.dll module, as read from the image: "File ErrorResources.xml not found", "Internal error information", "File StringResources.xml not found" and "Unhandled exception"); the detail pane shows the full process and module paths under the DIGIPASS CertiID program folder and the detail "Cannot load default error resource file". An Include system information in report check box sits below the list.
3. OPTIONAL: Click Save as to save the diagnostics report. You can save the diagnostics report fo
51. 12.1.2 ... 161
12.2 ... 162
13 Appendix: Customizing PIN/PUK Letters ... 163
13.1 Customizing PIN/PUK Letter Templates ... 164
13.1.1 Example ... 164
Illustration Index
Figure 1 DP CertiID Management Application Main Window
Figure 2 DP CertiID Management Application Toolbar
Figure 3 Exploring Token
Figure 4 Inspecting Token to Initialize
Figure 5 Initializing Token 1
Figure 6 Initializing Token 2: Selecting Token Template
Figure 7 Initializing Token 3: Specifying Cardholder Name
Figure 8 Initializing Token 4: Specifying the Token Label
Figure 9 Initializing Token 5: Specifying Reset Code
Figure 10 Initializing Token 6: Selecting Token Security Mode
Figure 11 Initializing Token 7: Specifying Keypad Hardware Support
52. Figure 86 ... 148
Figure 87 ... 149
Figure 88 Inspecting Imported OTP Object ... 150
Figure 89 Entering PIN on keypad hardware ... 160
Index of Tables
Table 1 Authentication Codes Overview
Table 2 Tray Agent Icon States Overview ... 110
Table 3 Card Operating Systems Limitations Overview ... 158
1 Introduction
Welcome to the DIGIPASS CertiID (DP CertiID) User Manual. This document provides the information you need to use and configure the DP CertiID applications. This manual provides information about how to manage certificates using DP CertiID Management Application
53. Figure 76: Configuring DIGIPASS CertiID via Group Policy 2 (Group Policy Object Editor, Server 2003). The screenshot shows the settings Enable PIN complexity rules, PIN maximum length override and Allow the following characters for PINs (all Not configured) and the Enable PIN complexity rules Properties dialog with Enabled/Disabled, Force non-successive character sequences (e.g. not 1234 or abcd), PINs must contain at least this many digits / uppercase characters / lowercase characters, and "Supported on: At least Windows 2000".
7. Select Computer Configuration > Administrative Templates > VASCO > DIGIPASS CertiID in the Group Policy Object tree and use the right pane to configure the software settings.
If the VASCO > DIGIPASS CertiID branch does not exist in the Group Policy Object tree, you can add it manually:
a. Select Administrative Templates in the Group Policy Object tree.
b. Select Add/Remove Templates from the shortcut menu. The Add/Remove Templates dialog appears.
c. Select VascoDPCertiID in the list. If this item is not listed, click Add and browse for the respective Group Policy Administrative Template file (VascoDPCertiID.adm).
d. Click Close to return to the Group Policy Object Editor.
8. Close Group Policy Object Editor when you have f
54. 10.3 ... 154
10.4 Certificate File Formats ... 155
10.4.1 Personal Information Exchange (PKCS #12) ... 155
10.4.2 Cryptographic Message Syntax Standard (PKCS #7) ... 155
10.4.3 DER Encoded Binary X.509 ... 155
10.4.4 Base 64 Encoded Binary X.509 ... 156
10.4.5 Additional resources ... 156
11 Appendix: Card Operating System Limitations ... 157
11.1 ... 158
12 Appendix: Using DIGIPASS CertiID with Keypad Hardware ... 159
12.1 Overview ... 160
12.1.1 Differences using Keypad Hardware with Middleware Modules ... 160
12.1.1.1 VASCO CertiID Smart Card Crypto Provider ... 160
55. Figure 83: Error Report List (Include system information in report check box, Save report, Discard and Close buttons; reports are listed per session, e.g. Session 0).
DIGIPASS CertiID User Manual: Troubleshooting and Diagnostics (page 140)
> To save an error report to disk
1. Select the respective error report in the Error Report list.
2. Click Save report.
You can save the error report for archiving purposes or to send it to your support contact if required. If you enable Include system information in report, Diagnostics also collects information about the system configuration that may help in identifying issues.
NOTE: Error reports contain a small portion of the contents of your machine's memory and some system information necessary to examine potential issues. Data in error reports is encrypted and does not contain sensitive data such as PINs. VASCO will not track error reports back to you personally and treats this information as confidential. Only individuals actively working on fixing problems have access to the information. Error report data is used to find and fix problems in the software you use; it is not used for marketing purposes.
> To discard an error report
1. Select the respective error report in the Error Report list.
2. Click Discard.
8.3.2 Additional considerations
- Error reports remain in
56. Letter Templates
PIN letters are based on XHTML templates located in the 1033\Templates folder in the DIGIPASS CertiID program folder. The following templates are available:
- AdminkeyLetter.xhtml: used when printing an administrator key letter.
- PINLetter.xhtml: used when printing a PIN letter containing the PIN only.
- PINLetterWithAdminkey.xhtml: used when printing a PIN letter containing PIN and administrator key.
- PINLetterWithPUK.xhtml: used when printing a PIN letter containing PIN and PUK.
- PUKLetter.xhtml: used when printing a PUK letter.
The templates use HTML for text layout and placeholders enclosed in curly braces to insert specific information into the printed letter at runtime:
- {TOKENSERIAL}: replaced with the token serial number; evaluated in all templates.
- {CARDHOLDER}: replaced with the cardholder name of the token; evaluated in all templates.
- {PIN}: replaced with the PIN value; evaluated in all templates containing PIN information.
- {PUK}: replaced with the PUK value; evaluated in all templates containing PUK information.
- {ADMINISTRATORKEY}: replaced with the administrator key value; evaluated in all templates containing administrator key information.
13.1.1 Example
<blockquote><strong>Toke
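Because the cardholder name is inserted into markup that is then rendered and printed, a renderer for these templates has to escape every substituted value, otherwise a name containing `<` or `&` breaks the XHTML or injects markup into the letter. The following is an added example, not VASCO code: the manual documents the template files and the placeholder names but not the engine that fills them in. The renderer assumes that exactly the five documented placeholders are substituted, that every placeholder present in a template must receive a value, and that values are XHTML-escaped; the sample template is constructed here in the style of PINLetterWithPUK.xhtml and is not the shipped file.

```python
"""Renderer for the PIN/PUK letter templates described in Appendix 13.

Added example, not VASCO code. Assumptions: only the five documented
{PLACEHOLDER}s are substituted, every placeholder used by a template needs a
value, and values are XHTML-escaped before insertion.
"""
import re
from html import escape

PLACEHOLDERS = ("TOKENSERIAL", "CARDHOLDER", "PIN", "PUK", "ADMINISTRATORKEY")
_PLACEHOLDER_RE = re.compile(r"\{(" + "|".join(PLACEHOLDERS) + r")\}")

# Constructed sample in the style of PINLetterWithPUK.xhtml; the shipped file
# under <program folder>\1033\Templates will differ.
SAMPLE_PIN_PUK_LETTER = """<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<blockquote><strong>Token serial:</strong> {TOKENSERIAL}</blockquote>
<p>Dear {CARDHOLDER},</p>
<p>Your PIN is <strong>{PIN}</strong>. Your PUK is <strong>{PUK}</strong>.</p>
<p>Keep this letter in a safe place and destroy it once you have changed your PIN.</p>
</body>
</html>
"""


def placeholders_in(template: str) -> set:
    """The documented placeholders that a template actually uses."""
    return set(_PLACEHOLDER_RE.findall(template))


def render_letter(template: str, values: dict) -> str:
    """Fill the placeholders of `template` from `values` (keys are placeholder names)."""
    missing = placeholders_in(template) - set(values)
    if missing:
        raise KeyError(f"template requires values for {sorted(missing)}")
    # Every inserted value is escaped: '&', '<', '>', '"' and "'" become entities,
    # so the letter stays well-formed XHTML whatever the cardholder name contains.
    return _PLACEHOLDER_RE.sub(lambda m: escape(str(values[m.group(1)])), template)


def unused_values(template: str, values: dict) -> set:
    """Secrets passed in but not printed by this template (e.g. a PUK handed to
    PINLetter.xhtml); lets you confirm a PIN-only letter really omits the PUK."""
    return set(values) - placeholders_in(template)
```

`unused_values` is the check worth running when you edit a template: a PIN-only letter must not pick up {PUK} or {ADMINISTRATORKEY} by accident, since whoever receives the printed page then holds two of the token's authentication codes.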
57. Managing Tokens
The default PIN is not set now, i.e. the token is pre-initialized. The next time the token is inserted, the user is asked to complete the initialization via the Personalize Token Wizard. This option is useful if you want to prepare a token with a personalized default PUK or default administrator key but want the user to set the default PIN.
- Select Unblock PIN on first use to create a blocked default PIN that needs to be unblocked first. This option is only available if the token template configuration includes an administrator key. The default PIN is created but blocked. The next time the token is inserted, the user is asked to unblock the PIN via challenge/response before the token can be used.
The Number of retries before block box defines how often an incorrect value for the PIN can be consecutively typed before it is blocked and needs to be unblocked.
11. If required, specify a default PUK. This option is only available if the token template configuration includes a default PUK.
Figure 13: Initializing Token 9 (specifying the value for the default PUK). The wizard page explains that if you consecutively enter a wrong PIN too often it is blocked and the data it protects cannot be accessed, and that you can define a PUK to unblock the PIN; it offers Set PUK now (PUK / Confirm PUK), Generate PUK, Set PUK on first use and Number of retries before block (5 in the screenshot).
58. Managing Certificates and Containers
4.2 Exporting Certificates
You can export a certificate from a token to disk to store a copy in a secure location or to import it on another computer or token.
NOTE: If you export a personal certificate with an associated key pair, only the certificate is exported to disk: the private key cannot be extracted from a token.
4.2.1 Before you begin
To export a certificate you need:
- DP CertiID Management Application
4.2.2 Exporting a certificate
> To export a certificate to disk
1. Insert your token.
2. Select the certificate you want in the token explorer tree.
Figure 37: Inspecting Certificate to Export (token explorer: My Computer > Eutron Digipass 660 0 > Jane Doe's Token, with the Authentication Objects, Secret Key Objects, Data Objects, OTP Key Objects, CA Certificates and Other Certificates folders and the container "Certificate of Jane Doe" holding the certificate, the private key and the public key).
3. Select Export from the shortcut menu, OR select Tasks > Export in the menu bar.
DIGIPASS CertiID User Manual (page 58)
The Export Certificate Wizard appears. Its first page explains that the wizard helps you copy certificates from your token to your disk, and that a certificate which is issued by a certification authority is a confirmation of your ide
59. Configuring DIGIPASS CertiID
7.3 PIN Handling
7.3.1 General PIN Options
Cache PINs during sessions: Select this option to enable PIN caching for DP CertiID Management Application. When you access a protected data object for the first time you are prompted for the PIN. If you enter the correct PIN, it is cached. If you subsequently access the same object again, or any other data object protected by the same PIN object, you are not prompted for the PIN again. The PIN is kept until you remove the token or exit DP CertiID Management Application.
Use keypad hardware capabilities when possible: Select this option to allow VASCO CertiID Smart Card Crypto Provider to use keypad hardware whenever possible, unless specified otherwise by the calling client application. This option requires the tokens in question to be initialized with keypad support enabled, and it affects VASCO CertiID Smart Card Crypto Provider only.
NOTE: When authenticating to Microsoft Windows this flag has no effect, because the underlying process (winlogon.exe) always requires the PIN to be typed in its own dialog.
7.3.2 Cryptographic Service Provider (CSP) PIN Caching Options
Cache PINs during cryptographic sessions: Select this option to enable PIN caching for VASCO CertiID Smart Card Crypto Provider. If enabled, the PIN is cached after a valid PIN authentication when a third-party application opens a non-silent cryptographic context
60. 5.7.3 Additional considerations ... 98
5.7.4 Additional references ... 98
5.8 Replacing a PUK with an Administrator Key ... 99
5.8.1 Before you begin ... 99
5.8.2 Replacing a PUK with an administrator key ... 99
5.8.3 Additional considerations ... 101
5.8.4 Additional references ... 101
5.9 Generating Master Administrator Keys ... 102
5.9.1 Before you begin ... 102
5.9.2 Generating a master administrator key ... 102
5.9.3 Additional considerations ... 103
5.9.4 Additional references ... 104
5.10 Using the Response Calculator
61. Managing Authentication Objects (page 71)
If you enter an incorrect administrator key several times in a row, it is blocked and can no longer be used to unblock the associated PINs. A blocked administrator key cannot be unblocked.
5.1.3.4 Reset Code
If desired, a reset code may be set when initializing a token. The reset code protects a token from unauthorized deletion. The reset code is optional. If you want to reset a protected token, you are required to type the reset code. If you enter an incorrect reset code several times in a row, it is blocked and can no longer be used to reset the token. A blocked reset code cannot be unblocked, so a token with a blocked reset code can no longer be reset.

Table 1: Authentication Codes Overview
                          PIN                   PUK                Administrator key                     Reset code
Purpose                   Protect data objects  Unblock PINs       Unblock PINs via challenge/response   Reset token
Retry counter             Yes                   Yes                Yes                                   Yes
Maximum number per token  n                     n                  1                                     1
Length                    Policy dependent      Policy dependent   16 or 24 bytes                        up to 16 characters

5.1.4 Master Administrator Key
A master administrator key is a secret key used to derive an actual administrator key. It is used to implement the concept of administrator tokens: instead of typing the administrator key directly when needed, the token holding the respective master administrator key is required. After successful auth
62. PUK: see Personal Unblocking Key (PUK)
PUKs must contain at least this many digits option 126
PUKs must contain at least this many lowercase characters option 126
PUKs must contain at least this many uppercase characters option 126
R
Register certificates of the following categories option 127
Remind me if a certificate is about to expire option 128
Remove PIN protection option 131
Rename PINs option 131
Rename PUKs option 131
Rename tokens option 129
Replace PUKs with administrator key option 130
Require authentication before generating an OTP option 132
reset code 71
  blocking, Caution notice 44
Reset tokens option 129
response calculator 81, 86, 105
S
secret key
  deleting, enabling option 130
secret key object 22
Security Officer PIN (SO PIN) 91, 94
Show icon in notification area option
63. creating new PUK 92
  removing PIN protection 97
One Time Password (OTP) 142
  display timeout 132
  generating 112, 143
  generating from challenges 146
  requiring authentication for generating 132
One Time Password (OTP) key object 22
  deleting, enabling option 130
  importing, enabling option 130
OTP: see One Time Password (OTP)
OTP display timeout option 132
Override token hardware capabilities (PIN) option 124
Override token hardware capabilities (PUK) option 125
P
Personal Identification Number (PIN) 69
  caching during DP CertiID Management Application sessions 122
  changing 74
  changing, Caution notice 74
  creating new PIN 89
  creating new PIN, enabling option 131
  customizing PIN letter
64. ...characters option 125
PKCS: see Public Key Cryptography Standards (PKCS)
PKI: see Public Key Infrastructure (PKI)
private key 22, 150, 152
program feature
  configuring access 129
program options
  Allow the following characters for PINs 125
  Allow the following characters for PUKs 126
  Always require to acknowledge authentication codes after initializing/personalizing tokens 123
  Automatically enable all program features for administrative users 129
  Automatically personalize token on token insert 123
  Automatically write certificate chain to token when a certificate is imported 128
  Cache PINs during cryptographic sessions 122
  Cache PINs during sessions 122
  Change administrator authenticators 130
  Change object security 131
  Clear PIN cache after a certain time 122
  Create new PINs 131
  Create new PUKs to unblock 131
  Delete certificates 130
  Delete containers
65. Figure 12 Initializing Token 8: Specifying Default PIN
Figure 13 Initializing Token 9: Specifying Default PUK
Figure 14 Initializing Token 10: Specifying Administrator Key
Figure 15 Initializing Token 11: Printing PIN/PUK Letter
Figure 16 Initializing Token 12: Ready to Initialize
Figure 17 Initializing Token 13: Confirming Authentication Codes
Figure 18 Personalizing Token 1
Figure 19 Personalizing Token 2: Specifying Cardholder Name
Figure 20 Personalizing Token 3: Specifying Token Label
Figure 21 Personalizing Token 4: Specifying Default PIN
Figure 22 Personalizing Token 5: Specifying Default PUK
Figure 23 Personalizing Token 6: Specifying Administrator Key ... 44
Figure 24 Inspecting Token to Reset ... 45
Figure 25 Entering Reset Code ... 45
Figure 26 Reset Token Personalization 1 ... 48
Figure 27 Reset Token Personalization 2: Specifying Cardholder Name ... 48
Figure 28 Reset Token Pe
66. ...all authentication objects on the token, i.e. all PINs, PUKs and the administrator key (if present). In most cases you will see at least a default PIN (a PIN object with the label PIN) and a default PUK (a PUK object with the label PUK).
2.2.2 CA certificates
This folder contains all CA certificates that are not associated with a key pair.
Using DP CertiID Management Application (page 21)
2.2.3 Other certificates
This folder contains all other third-party certificates (other people's certificates).
2.2.4 Data objects
This folder contains any generic data objects that are not authentication objects, certificates or key objects.
2.2.5 OTP key objects
This folder contains OTP key objects. An OTP key object in this context is an abstract representation of an OTP-generating mechanism. This can be an OTP hardware token (e.g. DP860) or a secret key object on the token that is used to calculate OTPs.
2.2.6 Secret key objects
This folder contains all secret key objects on the token, including master administrator keys. A secret key is a key used for cryptographic operations where the same key is used for both encryption and decryption (symmetric cryptography).
2.2.7 Key and certificate container
A key container contains a key pair used for cryptographic operations where different keys are used for en
67. ...If you clear this option, the icon is disabled for all users. If you select this option, the icon is initially shown but can be hidden by the user by selecting Hide Tray Icon in the DP CertiID Tray Agent shortcut menu. This option requires DP CertiID Tray Agent.
Show status changes: Select this option to display the hover pane automatically when the token status changes, e.g. when a token is inserted or removed. If you clear this option, the status hover pane is disabled for all users. If you select it, the user can overrule it by clearing the View Status Changes option in the DP CertiID Tray Agent shortcut menu. This option requires DP CertiID Tray Agent.
7.7.2 One Time Password Options
OTP display timeout: Type the time span, in seconds, for which a one-time password (OTP) is displayed in the OTP field of the Generate OTP dialog before it is shown as expired.
Require authentication before generating an OTP: Select this option to always require authentication before generating an OTP using a hardware token. This option affects hardware tokens only; software OTP key objects always require authentication on access.
Troubleshooting and Diagnostics (page 132)
8 Troubleshooting and Diagnostics
This chapter gives an overview of how to diagnose and troubleshoot issue
68. ...ate and Export certificate.
2.1.5 Object view
The object view displays the objects that are logically associated with the object currently selected in the token explorer sidebar.
2.1.6 Status bar
The status bar at the bottom of the window displays information about the current state, background tasks and other contextual information.
2.2 Exploring your Token
The token explorer sidebar allows you to quickly browse and explore your tokens. It displays all connected smart card readers and tokens, grouped hierarchically. An initialized token usually contains the following folders:
- Authentication Objects
- CA Certificates
- Data Objects
- Other Certificates
- OTP Key Objects
- Secret Key Objects
Additionally, it may contain one or more key and certificate containers.
Figure 3: Exploring Token (Token Explorer: My Computer > Eutron Digipass 360 0 > Jane Doe's Token, with the folders Authentication Objects, Secret Key Objects, Data Objects, OTP Key Objects, CA Certificates and Other Certificates).
2.2.1 Authentication objects
This folder contains
69. Figure 39 ... 59
Figure 40 Exporting Certificate 3: Specifying File ... 60
Figure 41 Selecting Private Key ... 65
Figure 42 Testing Key Pair for Encryption ... 66
Figure 43 Testing Key Pair for Signing ... 66
Figure 44 Two Data Objects protected by a PIN that is unblocked by a PUK (Example) ... 72
Figure 45 Two Data Objects protected by two different PINs that are unblocked by one PUK (Example) ... 72
Figure 46 Two Data Objects protected by two different PINs that are each unblocked by two different PUKs (Example) ... 73
Figure 47 Two Data Objects protected by two different PINs that are unblocked via external authentication (Example) ... 73
Figure 48 Changing PIN ... 75
Figure 49 Changing PUK
Figure 50 Changing Administrator Key 1 ... 79
Figure 51 Entering Administrator Key
70. Managing Authentication Objects (page 80)
- Changing an administrator key does not affect the PIN that is unblocked using that administrator key.
If you are the token administrator:
- You can use the response calculator (available via Tools > Response Calculator in the DP CertiID Management Application menu bar) to calculate a response for a challenge requested by a user.
- You can generate master administrator keys to derive secret administrator keys.
5.4.4 Additional references
- Unblocking PINs
- Changing PUKs
- Changing the Security of Objects
- Generating Master Administrator Keys
- Understanding Authentication Objects
- Using the Response Calculator
5.5 Unblocking PINs
If you consecutively enter a wrong PIN too many times, the PIN is blocked to prevent an unauthorized person from checking all possible PIN combinations by trial and error. To access the data objects protected by the PIN again, you first need to unblock the PIN by entering an unblock code. The unblock code may be a personal unblocking key (PUK) or an unblock response calculated via external authentication. Whether you need a PUK or an unblock
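The interaction between the retry counters of the PIN, the PUK and the administrator key (Table 1 in section 5.1) is what decides whether a locked-out user can be recovered or whether the token is lost for good, and it is easiest to reason about as a small state model. The following is an added example, not VASCO code: the token's real command set is not on the page. It assumes that one correct entry resets a counter (only consecutive failures count), that unblocking a PIN with a PUK or with an unblock response sets a new PIN value and restores its counter, and that a blocked administrator key is never reset (as the manual states). The unblock response is computed as a truncated HMAC-SHA256 over a random challenge, which stands in for the product's response calculator and is not its algorithm.

```python
"""State model of the retry counters and blocking rules for PINs, PUKs and
administrator keys (Table 1 and section 5.5 Unblocking PINs).

Added example, not VASCO code. Counter semantics, the new-PIN-on-unblock step
and the HMAC-based challenge/response are assumptions standing in for the
product's undocumented internals.
"""
import hashlib
import hmac
import secrets


class Blocked(Exception):
    """Raised when an authentication object with an exhausted retry counter is used."""


class AuthObject:
    def __init__(self, value: str, retries: int):
        self.value = value
        self.max_retries = retries
        self.tries_left = retries

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, candidate: str, expected: str = None) -> bool:
        """Compare in constant time; count consecutive failures; refuse when blocked."""
        if self.blocked:
            raise Blocked("authentication object is blocked")
        target = self.value if expected is None else expected
        if hmac.compare_digest(candidate.encode("utf-8"), target.encode("utf-8")):
            self.tries_left = self.max_retries   # a correct entry clears earlier misses
            return True
        self.tries_left -= 1
        return False

    def set_value(self, new_value: str) -> None:
        self.value = new_value
        self.tries_left = self.max_retries


def compute_response(admin_key: str, challenge: str) -> str:
    """Stand-in for the response calculator (Tools > Response Calculator)."""
    return hmac.new(admin_key.encode(), challenge.encode(), hashlib.sha256).hexdigest()[:16]


class Token:
    """A PIN can be unblocked by PUK or by challenge/response; a blocked
    administrator key (like a blocked reset code) cannot be unblocked, so it is
    never reset by this model."""

    def __init__(self, pin: str, puk: str, admin_key: str,
                 pin_retries: int = 3, puk_retries: int = 5, admin_retries: int = 3):
        self.pin = AuthObject(pin, pin_retries)
        self.puk = AuthObject(puk, puk_retries)
        self.admin_key = AuthObject(admin_key, admin_retries)
        self._challenge = None

    def use_pin(self, candidate: str) -> bool:
        return self.pin.verify(candidate)

    def unblock_pin_with_puk(self, puk: str, new_pin: str) -> bool:
        if not self.puk.verify(puk):      # wrong PUKs burn the PUK's own counter
            return False
        self.pin.set_value(new_pin)
        return True

    def challenge(self) -> str:
        """Value the user reads to the administrator (external authentication)."""
        self._challenge = secrets.token_hex(8)
        return self._challenge

    def unblock_pin_with_response(self, response: str, new_pin: str) -> bool:
        if self._challenge is None:
            raise ValueError("request a challenge first")
        expected = compute_response(self.admin_key.value, self._challenge)
        self._challenge = None            # one challenge, one attempt
        if not self.admin_key.verify(response, expected=expected):
            return False
        self.pin.set_value(new_pin)
        return True
```

Two things the model makes visible: every wrong PUK or wrong response spends the counter of the object used for unblocking, not the PIN's, and once the administrator key's counter reaches zero there is no recovery path left on the token, which is why the retry value chosen in the Replace PUK with Administrator Key dialog matters.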
71. 5.1.5 ... 72
5.1.6 Additional references ... 73
5.2 Changing PINs ... 74
5.2.1 Before you begin ... 74
5.2.2 Changing a PIN ... 74
5.2.3 Additional considerations ... 75
5.2.4 Additional references ... 75
5.3 Changing PUKs ... 76
5.3.1 Before you begin ... 76
5.3.2 Changing a PUK ... 76
5.3.3 Additional considerations ... 77
5.3.4 Additional references ... 77
5.4 Changing Administrator Keys ... 78
5.4.1 Before you begin ... 78
5.4.2 Changing an Administrator Key ... 78
5.4.3 Additional considerations
72. … (Table of Contents, continued)

2.2 Exploring your Token ... 21
2.2.1 Authentication objects ... 21
2.2.2 Certificates ... 21
2.2.6 Secret keys ... 22
2.2.7 Key and certificate container ... 22
3 Managing Tokens ... 23
3.1 Initializing Tokens ... 24
3.1.1 Before you begin ... 24
3.1.2 Initializing a token
3.1.3 Additional considerations ... 36
3.1.4 Additional references ... 36
3.2 Personalizing Tokens ... 37
3.2.1 Before you begin
3.2.2 Personalizing a token
3.2.3 …
73. …cify the token label. The token label is the name used to refer to this token. It helps you to distinguish between different tokens. To keep the current token label, click Next.

[Figure 28: Reset Token Personalization (3): Specifying Token Label. Token label shown: "Jane Doe's Token"]

6. Specify how to initialize the default PIN.

[Figure 29: Reset Token Personalization (4): Specifying Default PIN Initialization. Dialog text: "Specify how the default PIN is initialized the first time the token is used. Some settings may not be applicable at this time. The default PIN must be initialized before the token can be used. Change default PIN on first use: the default PIN is set now but must be changed the first time the token is used; the default PUK or default administrator key are not affected. Unblock default PIN on first use: the default PIN must be unblocked before the token can be used; this option requires an administrator key."]

• Select Set default PIN on first use if you don't want to set a new value for the default PIN now.
• Select Change default PIN on first use if you want to set a new value for the default PIN now.
74. … (Table of Contents, continued)

5.4.3 Additional considerations ... 80
5.4.4 Additional references ... 81
5.5 Unblocking PINs ... 82
5.5.1 Before you begin ... 82
5.5.2 Unblocking a PIN with a PUK ... 82
5.5.3 Unblocking a PIN with external authentication ... 83
5.5.4 Additional considerations ... 86
5.5.5 Additional references ... 86
5.6 Changing the Security of Objects ... 87
5.6.1 Before you begin ... 87
5.6.3 Additional considerations ... 95
5.6.4 Additional references ... 96
5.7 Removing the PIN Protection ... 97
5.7.1 Before you begin ... 97
5.7.3 Additional considerations …
75. …cryption and decryption, also known as asymmetric cryptography. A key pair consists of a public key and a private key. The private key is kept secret and used to decrypt data that has been encrypted with the corresponding public key, or to sign data. The public key is widely distributed and used to verify data that has been signed with the corresponding private key, or to encrypt data.

A certificate container is a key container with an associated certificate.

You can see which authentication objects are used to protect a particular data or key object in the token explorer sidebar.

3 Managing Tokens

This chapter gives an overview of how to manage tokens using DP CertiID Management Application. It covers the following topics:

• Initializing Tokens
• Personalizing Tokens
• Resetting Tokens
• Resetting Token Personalization

3.1 Initializing Tokens

To use an empty token with DIGIPASS CertiID, you need to initialize the token first. During initialization a so-called token template is applied to the token, which contains important token configuration data such as default PIN/PUK protection. You can skip some settings …
76. …ctively assigned to protect a certain certificate is shown below the private key of the respective certificate.

If you are the token administrator:

• You can use the response calculator, available via Tools > Response Calculator in the menu bar, to create a response for a challenge requested by a user.
• You can generate master administrator keys to derive secret administrator keys.
• You can specify support contact information that is displayed in the Unblock PIN Dialog via DP CertiID Configuration Center, so users may discover who to contact if their PIN is blocked.

5.5.5 Additional references

• Changing PUKs
• Changing Administrator Keys
• Replacing a PUK with an Administrator Key
• Understanding Authentication Objects
• Using the Response Calculator
• Configuring DIGIPASS CertiID

5.6 Changing the Security of Objects

You can have more than one PIN object on a token, each protecting different data objects. If you enroll a certificate to a token, its private key is automatically protected by the default PIN, if the token contains a default PIN. If desired, you may assign a different PIN to the private key.

Using different PINs for different data objects potentially increases security. However, consider that you:

• need to keep track of and remember several PINs
• choo…
77. …

8.2 Using Diagnostics

Diagnostics is used if you encounter problems, such as application crashes and unexpected system behaviour, which you think may be caused by a CertiID middleware component, and a troubleshooting scan did not identify any issues. Diagnostics tries to identify issues by recording all user actions and operations executed in the CertiID middleware.

There are two different types of diagnostics:

• System diagnostics records all actions and events of the system and all users in all sessions on a machine. It can only be activated and deactivated by a user with administrative privileges.
• User diagnostics records all actions and events by the user. It does not record system events, including system logon. It can be activated and deactivated by every user.

8.2.1 Performing a diagnostics run

> To enable system or user diagnostics

1. Switch to the Diagnostics tab.

[Figure 80: Diagnostics. DP CertiID Troubleshooting and Diagnostics window, Diagnostics tab: "Diagnostics runs in the background and records all user actions and application events to find software issues. System diagnostics is deactivated. User diagnostics is deactivated."]

2. Click Activate fo…
78. …de keypad hardware support.

12.2 Limitations

DIGIPASS CertiID keypad hardware support currently has the following limitations:

• Only user authentication is supported, i.e. enter PIN.
• PIN and PUK management is not supported, e.g. change or unblock.
• Only VASCO CertiID Smart Card Crypto Provider and DP CertiID PKCS #11 Library support keypad hardware.
• You cannot manage tokens on keypad hardware, i.e. initialize or reset tokens.

13 Appendix: Customizing PIN/PUK Letters

When you initialize a token, you can decide whether to print information regarding the authentication codes, i.e. PIN, PUK and/or administrator key. This information can be handed over to the user along with the token (PIN letter).

This chapter gives an overview of how to customize PIN and PUK letter templates used to print authentication code information when initializing tokens.

13.1 Customizing PIN/PUK …
79. …e text and style of PIN/PUK letters by changing the respective template files.

3.1.4 Additional references

• Personalizing Tokens
• Resetting Tokens
• Resetting Token Personalization
• Generating Master Administrator Keys
• Access Configuration
• Changing the Security of Objects
• Understanding Authentication Objects
• Configuring DIGIPASS CertiID
• Appendix: Customizing PIN/PUK Letters

3.2 Personalizing Tokens

You can skip some settings during initialization, such as specifying the default PIN and the default PUK. In this case the token is said to be pre-initialized. Before it can be used, initialization needs to be completed by personalizing the token. Personalizing a token means applying the personal or individual settings that were omitted during initialization. Personalization includes:

• setting the token label
• specifying cardholder data
• setting the default PIN
• setting the default PUK or default administrator key

3.2.1 Before you begin

To personalize a token, you need:

• DP CertiID Management Application or DP CertiID Tray Agent
• a pre-initialized token

3.2.2 Personalizing a token

> To personalize a token

1. Insert your token …
80. …e tokens or tokens with OTP key objects.

> To generate and view a one-time password (OTP)

1. Plug in your OTP token, e.g. DP860.

2. Select Generate One-Time Password (OTP) from the shortcut menu. OR: If you have more than one OTP token connected, select <TOKEN> > Generate One-Time Password (OTP), where <TOKEN> is the respective token. The Generate OTP Dialog appears.

[Figure 72: Generating One-Time Password (OTP). Generate OTP dialog: "This is the one-time password (OTP) currently generated by your token. It is valid only a certain time. OTP: 852509"]

3. If required, type the PIN and click OK.

4. Click Generate to generate a new OTP. The OTP box displays the current valid OTP. After a certain time span (default: 30 seconds) the field changes to Expired.

5. Click Copy to copy the current OTP to the clipboard.

TIP: You can select <TOKEN> > Generate One-Time Password (OTP) to Clipboard to generate and copy a one-time password directly to the clipboard without opening the Generate OTP Dialog.

6.2.4 Additional references

• Using DP CertiID Management Application
• Access Configuration
• Appendix: Us…
81. … (Index, continued)

  PINs must contain at least this many uppercase characters ... 125
  PUKs must contain at least this many digits ... 126
  PUKs must contain at least this many lowercase characters ... 126
  PUKs must contain at least this many uppercase characters ... 126
  Register certificates of the following categories ... 127
  Remind me if a certificate is about to expire ... 128
  Remove PIN protection ... 131
  Rename PINs ... 131
  Rename PUKs ... 131
  Rename tokens ... 129
  Replace PUKs with administrator key ... 130
  Require authentication before generating an OTP ... 132
  Reset tokens ... 129
  Show icon in notification area ... 132
  Show status changes ... 132
  Show support contact information in Unblock PIN Dialog ... 132
  Unblock PINs ... 130
  Unregister certificates of the following categories ... 127
  Use keypad hardware capabilities when possible ... 122, 160
Public Key Cryptography Standards (PKCS #11) ... 91, 94, 95, 161
Public Key Infrastructure (PKI) ... 152
  understanding the ... 152
PUK …
82. …

[Figure 74: Configuring DIGIPASS CertiID via Group Policy (2): Group Policy Object Editor (Server 2008). The DIGIPASS CertiID branch shows the folders Certificate Handling, Display and User experience, PIN Policy, PUK Policy and User Access Rights; setting states: Not Configured / Enabled / Disabled; "Supported on: At least Windows 2000".]

7. Select Computer Configuration > Policies > Administrative Templates > VASCO > DIGIPASS CertiID in the Group Policy Object tree and use the right pane to configure the software settings.

If the VASCO > DIGIPASS CertiID branch does not exist in the Group Policy Object tree, verify whether the Group Policy Administrative Templates files VascoDPCertiID.admx and VascoDPCertiID.adml are in the correct directory.

8. Close Group Policy Object Editor when you have finished configuring the Group Policy Object.

> To configure DIGIPASS CertiID using Group Policy (Windows Server 2003)

1. Start Active Directory Users and Computers via Start > Control Panel > Administrative Tools > Active Directory Users and Computers.

2. Select the domain or organizational unit for which you want to set a group policy in the console tree.

3. Select Properties from the context m…
83. … (Index, continued)

  ... 34
  setting on first use ... 34, 42
  setting on token initialization ... 33
  specifying administrator key ... 33, 41
administrator token ... 71, 103
Allow the following characters for PINs option ... 125
Allow the following characters for PUKs option ... 126
Always require to acknowledge authentication codes after initializing/personalizing tokens option ... 123
asymmetric cryptography ... 152
authentication code ... 71
authentication object ... 21, 69
  understanding the concept ... 69
Automatically enable all program features for administrative users option ... 129
Automatically personalize token on token insert option ... 123
Automatically write certificate chain to token when a certificate is imported option ... 128

B
Base-64 Encoded Binary X.509 ... 156

C
CA, see Certification Authority (CA)
Cache PINs during cryptographic sessions option ... 122
Cache PINs during sessions option ... 122
certificate ... 152
Certificate Authority (CA) certificate ... 21
certificate categories ... 154
certificate chains ... 153
certif…
84. … (Index, continued)

  ... 76
  personalizing, enabling option ... 129
  printing PUK letter ... 34, 42, 95
  PUK letter, customizing template ... 163
  renaming, enabling option ... 131
  replacing with administrator key ... 99
  replacing with administrator key, enabling option ... 130
  retry counter, specifying ... 33
  setting allowed characters ... 126
  setting maximum length ... 125
  setting minimum digits ... 126
  setting minimum length ... 125
  setting minimum lowercase characters ... 126
  setting minimum uppercase characters ... 126
  setting policy rules ... 125
  specifying default PUK ... 32, 41
Personalize administrator authenticators option ... 129
Personalize tokens option ... 129
PFX, see Personal inFormation eXchange (PFX)
PIN, see Personal Identification Number (PIN)
PIN cache timeout option ... 123
PINs must contain at least this many digits option ... 125
PINs must contain at least this many lowercase characters option ... 125
PINs must contain at least this many uppercase char…
85. …en selection
3 Token explorer sidebar
4 Common tasks sidebar
5 Object view
6 Status bar

TIP: You can show, hide and move most of the sidebars as you like. To reset the main window view to its default layout, select View > Reset view in the menu bar.

2.1.1 Toolbar

[Figure 2: DP CertiID Management Application Toolbar. Buttons: Go back to previous object, Go forward to next object, Go up one level, Display Common Tasks, Open Help]

The toolbar provides quick navigation commands and allows quick showing or hiding of the sidebars.

2.1.2 Token selection

The token selection list contains all connected readers and tokens. Readers and tokens are enumerated and listed by name or device type, respectively, for better distinction.

2.1.3 Token explorer sidebar

The token explorer sidebar displays the connected smart card readers and tokens, as well as the various kinds of data objects they may contain, in a hierarchical list.

2.1.4 Common tasks sidebar

The common tasks sidebar shows the most relevant properties of the selected object and provides quick access to the most common tasks applicable to it. For example, if the selected object is a certificate, a set of certificate-related tasks is shown, such as View certific…
86. …encrypt data.

A digital certificate is the digital equivalent of an ID card. It specifies the name of an individual, company or other entity and certifies that the public key included in the certificate belongs to that entity. Digital certificates are issued by certification authorities that attest that the public key contained in a certificate really belongs to the person or organization noted in the certificate. Certification authorities are usually hierarchically grouped, i.e. a root CA on top issuing certificates to other CAs below that hierarchy to confirm and certify the identities of these CAs, and so on (chain of trust).

Certificates are usually valid only for a certain period of time, specified within the certificate itself.

10.2 Certificate Details

Certificate details include different fields, extensions and properties:

Version: This is the X.509 version of the certificate.
Serial number: This is the unique serial number of the certificate.
Issuer: This is the certification authority that issued the certificate.
Valid from: This field gives the date from which on the certificate can be used.
Valid to: This field gives the date until which the certificate can be used.
Subject: This is the name of the person, machine, device or certification authori…
87. …entication with the PIN, the master administrator key is used to derive the administrator key. This introduces an additional level of security, as the actual administrator key is unknown. Furthermore, to use an administrator key an additional physical device is required, i.e. the administrator token.

A master administrator key itself may be protected with a PIN. One master administrator key is used to derive exactly one administrator key. Since a master administrator key is basically a secret key object, a token can contain several master administrator keys.

5.1.5 Examples

[Figure 44: Two Data Objects protected by a PIN that is unblocked by a PUK (Example). Diagram: PIN (1234) protects access to Data Object A and Data Object B; PUK (4711) unblocks the PIN.]

[Figure 45: Two Data Objects protected by two different PINs that are unblocked by one PUK (Example). Diagram: PIN 1 (1234) protects access to Data Object A; PIN 2 (0815) protects access to Data Object B; PUK (4711) unblocks both PINs.]

[Figure residue: PIN 1 (1234) protects access to Data Object A; unblocks Da…]
88. …enu.

4. Switch to the Group Policy tab.

[Screenshot: Active Directory Users and Computers, "myDomain.local Properties" dialog, Group Policy tab ("Current Group Policy Object Links for myDomain.local"; note: "To improve Group Policy management, upgrade to the Group Policy Management Console (GPMC)"). The console tree shows Saved Queries and the domain containers Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, NTDS Quotas, Program Data, System and Users; the domain context menu lists Delegate Control, Find, Connect to Domain, Connect to Domain Controller, Raise Domain Functional Level, Operations Masters, New, All Tasks, View, New Window From Here, Refresh, Export List and Properties.]
89. … (Index, continued)

  ...ers ... 125
  setting policy rules ... 124
  specifying default PIN ... 30, 40
  unblocking ... 82
  unblocking via external authentication ... 83
  unblocking with administrator key ... 83
  unblocking with PUK ... 82
  unblocking, enabling option ... 130
Personal inFormation eXchange (PFX) ... 155
Personal Unblocking Key (PUK) ... 70
  assigning default PUK ... 92
  blocking, Caution notice ... 82
  changing ... 76
  changing, Caution notice ... 76
  changing, enabling option ... 130
  creating new PUK ... 92
  creating new PUK, enabling option ... 131
  customizing PUK letter ... 163
  default PUK ... 70
  default PUK, generating on first use ... 33, 41
  default PUK, setting on first use ... 33, 41
  default PUK, setting on token initialization ... 32
  ... 24
  enabling complexity rules ... 126
  forcing non-successive character sequences ... 126
  keeping secret, Caution notice …
90. … (Index, continued)

…ertiID Tray Agent
  displaying icon in notification area, enabling option ... 132
  hiding icon permanently ... 112
  hiding icon temporarily ... 112
  icons ... 110
  showing status changes, enabling option ... 132
  ... 110

E
Enable PIN complexity rules option ... 124
Enable PUK complexity rules option ... 126
Export certificates option ... 130
external authentication ... 70

F
Force non-successive character sequences (PIN) option ... 124
Force non-successive character sequences (PUK) option ... 126

G
Generate administrator keys option ... 131
Group Policy
  Administrative Template ... 115
  configuring DIGIPASS CertiID ... 115

I
Identikey Server ... 146
Import certificates option ... 130
Import OTP key objects option ... 130
Initialize tokens option ... 129

K
key container ... 22
  deleting, Caution notice ... 61
  deleting, enabli…
91. … (Table of Contents, continued)

…ertificate Import ... 128
7.6 Access Configuration ... 129
7.6.1 Administrator Override ... 129
7.6.2 Token Management ... 129
7.6.3 ... 129
7.6.4 Certificates and ... 130
7.6.5 ... 130
7.6.6 ... 130
7.7 ... 132
7.7.1 Display and User Experience ... 132
7.7.2 One-Time Password Options ... 132
8 Troubleshooting and Diagnostics ... 133
8.1 Using Troubleshooting ... 134
8.1.1 Searching for Issues ... 134
8…
92. …

12.1 Overview

Smart card reader hardware with keypad function, such as the DP855, introduces additional security, since the PIN is typed and verified directly on the device, excluding any possibility of PIN eavesdropping.

DIGIPASS CertiID supports keypad hardware for authentication. Instead of the Enter PIN Dialog requiring you to type the PIN on the computer keyboard, you are required to follow the instructions and type the PIN on the keypad hardware.

[Figure 89: Entering PIN on keypad hardware. Enter PIN dialog: "Enter PIN on your keypad. An access operation requires you to enter the PIN. To access: PIN. On token: Jane Doe's Token. PIN: Use your keypad to type PIN."]

NOTE: Since the PIN is typed directly on the keypad device, no PIN caching is applied. In some cases you may be required to type the PIN more than once, e.g. when enrolling a certificate from a certification authority (CA).

12.1.1 Differences using Keypad Hardware with Middleware Modules

The keypad hardware support behaves differently depending on which middleware module the application uses for cryptographic operations.

12.1.1.1 VASCO CertiID Smart Card Crypto Provider

Applications that use CSP for cryptographic operations have two options to request authentication …
93. …eset the token again.

8. Specify a token security mode. The token security mode defines your default rights on the objects on the token.

[Figure 10: Initializing Token (6): Selecting Token Security Mode. Dialog text: "The security mode of a token specifies your default rights to the objects on that token. VASCO Default Mode: This security mode is the standard option. You can create and read objects on the token. You can delete objects from the token except for authentication objects (PINs, PUKs, administrator keys). Secure Signature Mode: This security mode is more restrictive. You can create and read objects on the token, but you can't delete key objects and certificates from the token."]

• The VASCO Default Mode allows you to create and use all objects on the token. You can also delete all objects from the token, except for authentication objects.
• The Secure Signature Mode is more restrictive. You can delete data objects, but are not allowed to delete authentication objects, key objects or certificates.

9. Specify keypad hardware support. If you enable Keypad support, PINs on the token can be entered using keypad hardware, if available. If no keypad hard…
94. … (List of Figures, continued)

... 19
Figure 52: Changing Administrator Key (2) ... 80
Figure 53: Unblocking PIN with a PUK ... 83
Figure 54: Unblocking PIN with an Administrator Key (1) ... 84
Figure 55: Entering Administrator Key ... 84
Figure 56: Unblocking PIN with an Administrator Key (2) ... 85
Figure 57: Changing Object Security: Using Existing PIN (1) ... 88
Figure 58: Changing Object Security: Using Existing PIN (2) ... 88
Figure 59: Changing Object Security: Generating New PIN ... 89
Figure 60: Changing Object Security: Specifying New PIN ... 90
Figure 61: Changing Object Security: Specifying PIN Label ... 91
Figure 62: Changing Object Security: Specify…
95. … (table, continued: task | where to look)

…f different data and authentication [...] | Section 5.1 Understanding Authentication [...]
Use DP CertiID Management Application to manage [...] tokens | Chapter 5 Managing Authentication Objects
Use DP CertiID Tray Agent to automatically register/unregister certificates and to verify the status of DIGIPASS CertiID middleware | Chapter 6 Using the DP CertiID Tray Agent
Use Group Policy or DP CertiID Configuration Center to [...] | Chapter 7 Configuring DIGIPASS CertiID
Use DP CertiID Troubleshooting and Diagnostics to diagnose [...] | Chapter 8 Troubleshooting and Diagnostics
Use DP CertiID to generate one-time passwords (OTPs) | Chapter 9 Appendix: Using DP CertiID with One-Time Passwords (OTP)
[...] | Chapter 10 Appendix: PKI and Certificate Basics

1.1.2 Document conventions

The following typographic style conventions are used throughout this document:

Typography | Meaning
Boldface | Names of user interface widgets, e.g. the OK button
Blue | Values for options, placeholders for information or parameters that you provide, e.g. select Server name in the list box
Monospace | Windows Registry keys; commands you are supposed to type in or that are displayed in a command prompt/shell, including directories and filenames; API functions and source code examples

Typog…
96. ...generating a one-time password (OTP).
1. Insert your OTP token.
2. Select the OTP key object in the explorer tree.
3. Select Generate OTP from challenge from the shortcut menu, OR select Tasks > Generate OTP from challenge from the menu bar. The Generate OTP from Challenge Dialog appears.
[Figure 85: Generating One-Time Password (OTP) from Challenge. The dialog contains an OTP key object box, a Challenge box, a Generated OTP box and a View Details link.] A one-time password (OTP) can be generated based on a numerical challenge given on a login page. The OTP may also be referred to as the response.
4. Type the challenge issued by your VACMAN Controller-based server in the Challenge box.
5. Click Generate. The Response box displays the calculated response.
6. If required, type your PIN.
7. OPTIONAL: Click Copy to copy the response to the clipboard.
9.2.3 Additional considerations
- You can also use DP CertiID Tray Agent to generate OTPs from challenges.
- You can verify whether an OTP key object can be used to generate OTPs from challenges by inspect
97. ...[Figure 12: Initializing Token (8) – Specifying Default PIN. The wizard page offers Set PIN now, Generate PIN now, User must change PIN on first use, Set PIN on first use (the default PIN must be initialized before the token can be used) and Unblock PIN on first use (the default PIN must be unblocked before the token can be used; this option requires an administrator key), plus a Number of retries before block setting (3).]
- Select Set PIN now and type a value for the PIN twice to prevent typing errors. If you select the User must change PIN on first use check box, the user is asked to change the PIN before the token can be used. Next remains disabled until the new PIN complies with the effective PIN policy. TIP: Click View Details to show the effective PIN policy and to see why the specified PIN does not comply with it.
- Select Generate PIN to have a PIN automatically generated for you. The generated PIN value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN letter if you request to print one (see Step 13). If you select the User must change PIN on first use check box, the user is asked to change the PIN before the token can be used.
- Select Set PIN on first use if you don't want to set the default PIN now.
98. ...
4.3 Deleting Objects
You can delete objects from your token, such as certificates, containers, data objects or secret key objects.
4.3.1 Before you begin
CAUTION: Ensure that you really won't need the object for later use before you delete it. If you delete a key container, the key pair it contains is deleted and cannot be recovered. You can't decrypt data encrypted using that key pair anymore.
To delete an object, you need:
- DP CertiID Management Application
4.3.2 Deleting an object
To delete an object from a token:
1. Insert your token.
2. Select the object you want to delete in the token explorer tree.
3. Select Delete from the shortcut menu, OR select Tasks > Delete from the menu bar.
4. Click Yes to confirm deleting the object.
4.3.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If a particular option is not available, you may not have the privileges to use it.
- The types of objects you can delete depend on the security mode set when initializing the token. If a particular object can't be deleted, you may not be allowed to do so.
- If a certificate to be deleted has a corresponding key pair, the key pair is not deleted and will remain on the token. If you want to remove it as well, you must explic
99. ...administrator keys. See Section Replacing a PUK with an Administrator Key.
To reset a token, you need:
- DP CertiID Management Application
- the reset code for the token, if it is protected by one
3.3.2 Resetting a token
To reset a token:
1. Insert your token.
2. Select the token to reset in the token explorer tree.
[Figure 24: Inspecting Token to Reset. The token explorer shows My Computer > Eutron Digipass 360 0 > Jane Doe's Token with the folders Authentication Objects (PIN), Secret Key Objects, Data Objects, OTP Key Objects, CA Certificates and Other Certificates.]
3. Select Reset from the shortcut menu, OR select Tasks > Reset from the menu bar.
4. Click Yes to confirm resetting the token. If the token is protected with a reset code, the Reset Token Dialog appears.
[Figure 25: Entering Reset Code. The dialog reads: The token is protected. To reset it, enter the reset code. It shows the token to reset and a Reset code box.]
5. If required, type the reset code and click OK.
3.3.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If the reset token option is not available, you may not have the privileges to use it.
- Du
100. ...the respective challenge, OR the master administrator key.
5.10.2 Using the response calculator
To calculate a response with the response calculator:
1. Select Tools > Response Calculator in the menu bar. The Response Calculator Dialog appears.
[Figure 68: Using Response Calculator. The dialog reads: To generate a response, enter the challenge provided in the Unblock PIN Dialog and the respective administrator key and click Calculate. It contains a Challenge box, an Enter administrator key option with Key type and Key value fields, a Use master administrator key option with a PIN field, a Response box, and Calculate, Copy to clipboard and Close buttons.]
2. Type the challenge given in the Unblock PIN Dialog in the Challenge box.
3. Do one of the following:
- If you know the current administrator key: a. Select Enter administrator key. b. Select the administrator key type in the Key Type list. c. Type the administrator key for the respective token in the Administrator key box.
- If you possess the master administrator key: a. Insert the administrator token. b. Select Use mas
101. ...[Figure 36: Inspecting Imported Certificate. The token explorer shows the folders Authentication Objects, Secret Key Objects, Data Objects, OTP Key Objects, CA Certificates and Other Certificates.]
4.1.3 Additional considerations
- Importing a certificate is not the same as enrolling a certificate. If you import a certificate, you put an existing, already enrolled certificate from disk on the token. If you enroll a certificate, you request a new certificate to be created and issued by a certification authority.
- The imported certificate file is not deleted and will remain on the disk after the import.
- If you import a certificate for which a corresponding key pair exists on the token, it is added to the particular key container. This does not remove any existing certificate already assigned to the key pair.
- If you import a certificate that is already on the token, it is not imported a second time. The certificate already stored on the token is not replaced by the imported certificate file.
NOTE: VASCO CertiID Smart Card Crypto Provider and VASCO Card Module always use the first certificate assigned to a key pair, since the Microsoft cryptographic architecture assumes that key pairs have only one assigned certificate.
4.1.4 Additional references
- Certificate File Formats
- Certificate Category
- Exporting Certificates
102. ...show the status hover pane:
- Select View Hover Pane in the shortcut menu. The status hover pane appears and remains visible until you either click Close ...
The hover pane can also appear automatically if the token status changes, for instance when a token is inserted or removed.
To prevent the status hover pane from appearing automatically:
- Clear View Status Changes in the shortcut menu. The status hover pane will no longer appear automatically when inserting or removing a token or card reader.
6.2.2 Showing and hiding the DP CertiID Tray Agent icon
To hide the DP CertiID Tray Agent icon permanently:
- Select Hide Tray Icon in the shortcut menu. The DP CertiID Tray Agent icon disappears and remains hidden even after a system reboot. However, certificates will still be automatically registered and unregistered. You can show the DP CertiID Tray Agent icon again by launching Start > Programs > VASCO > DIGIPASS CertiID > Tray Agent.
To hide the DP CertiID Tray Agent icon temporarily:
- Select Exit in the shortcut menu. The DP CertiID Tray Agent icon disappears and the DP CertiID Tray Agent is shut down. If configured, certificates are still automatically registered or unregistered. However, the DP CertiID Tray Agent is restarted after a system reboot.
6.2.3 Generating one-time passwords (OTP)
You can use DP CertiID Tray Agent to quickly generate and view one-time passwords (OTP) using OTP-capable hardwar
103. ...[Figure 86: OTP Key Objects Folder. The token explorer shows the Other Certificates folder containing Certificate of Jane Doe.]
3. Select Import OTP key object from the shortcut menu, OR select Tasks > Import OTP key object from the menu bar. The Import OTP Key Object Dialog appears.
[Figure 87: Import OTP Dialog. The dialog reads: To import a one-time password (OTP) key object, select the activation mechanism and type the activation data specified by your OTP service provider. It contains a To token box, a Use online activation option with Activation data and Activation password fields, a Use offline activation option with Serial number and Activation code fields, an OTP object label box and a Service identifier box.]
4. Do one of the following:
- If you are using offline activation: a. Select Use online activation. b. Type the activation data and activation password information as provided by your OTP service provider.
- If you are using online activation: a. Select Use offline activation. b. Type the serial number and activation code infor
105. ...Using DP CertiID with One-Time Passwords (OTP)
7 Configuring DIGIPASS CertiID
This chapter gives an overview of how to configure CertiID and describes what options can be set using DP CertiID Configuration Center. It covers the following topics:
- Using Group Policy to configure DIGIPASS CertiID
- Using DP CertiID Configuration Center to configure DIGIPASS CertiID
- PIN Handling
- PIN Policy
- Certificate Handling
- Access Configuration
7.1 Using Group Policy to configure DIGIPASS CertiID
DIGIPASS CertiID includes Administrative Templates that provide policy information to configure the DIGIPASS CertiID software, affecting all or only a group of computers and users in a domain. This section gives a brief overview of how to use Administrative Templates and how to use them to manage registry-based policy. For more information, refer to the Windows Server Group Policy documentation on Microsoft TechNet (technet.microsoft.com).
7.1.1 Before you begin
To complete the following procedure, you need to be logged on with a user account with administrator privileges or an account that has Edit setting permis
107. ...ing its object properties in DP CertiID Management Application. If Key Usage includes Challenge/Response, the OTP key object can be used to generate OTPs from challenges.
9.2.4 Additional references
- Using the DP CertiID Tray Agent
- Configuring DIGIPASS CertiID
- Importing OTP Key Objects
9.3 Importing OTP Key Objects
The OTP key objects DP CertiID uses to generate one-time passwords (OTP) or calculate OTP responses are abstract representations of any OTP-generating mechanism provided by that token. This can be an OTP hardware token, e.g. DP860. You can also import an OTP key object, i.e. create a secret key object that can be used to calculate OTPs.
9.3.1 Before you begin
To import OTP key objects, you need:
- DP CertiID Management Application
- depending on the OTP deployment mechanism, either activation data and activation password, or serial number and activation code information provided by your OTP service provider
9.3.2 Importing OTP key objects
To import an OTP key object:
1. Insert your token.
2. Select the OTP Key Objects folder in the token explorer tree.
[Token explorer: My Computer > Eutron Digipass 860 0 > Jane Doe's Token with the folders Authentication Objects, Secret Key Objects, Data Objects, OTP Key Objects, CA Certificates ...]
108. ...finished configuring the Group Policy Object.
9. Click Close to apply the new Group Policy.
7.1.3 Additional considerations
- If you want to use domain Group Policy but don't want to install DIGIPASS CertiID on the domain controller, you can just copy the Administrative Templates to the respective directories. The plain Administrative Templates are on the DIGIPASS CertiID product CD in the Install\Group Policy folder. For Windows Server 2008, copy VascoDPCertiID.admx and en-US\VascoDPCertiID.adml to <WindowsFolder>\PolicyDefinitions, respectively, where <WindowsFolder> is the full path to your Windows folder, e.g. C:\Windows. For Windows Server 2003, copy VascoDPCertiID.adm to <SystemFolder>\GroupPolicy\Adm, where <SystemFolder> is the full path to your system folder, e.g. C:\Windows\System32.
- If you use DIGIPASS CertiID in an environment without a domain controller, you can use Local Group Policy Editor to configure DIGIPASS CertiID via Group Policy. To start Local Group Policy Editor, open a command prompt and type gpedit.msc.
7.2 Using DP CertiID Configuration Cen
110. ...itly delete the remaining key container.
- You may export a certificate before you delete it from the token, for backup purposes.
- A PIN that may be assigned to protect the private key in a container remains on the token after deleting the container.
4.3.4 Additional references
- Exporting Certificates
- Initializing Tokens
4.4 Registering and Unregistering Certificates
Registering a certificate means adding it to the appropriate certificate store on the machine. A certificate store is the system area where certificates are stored locally by the operating system and made accessible to applications using cryptographic services, e.g. e-mail applications. Unregistering a certificate means removing it from the certificate store.
4.4.1 Before you begin
To register or unregister a certificate, you need:
- DP CertiID Management Application
4.4.2 Registering and unregistering a certificate
To register a certificate:
1. Insert your token.
2. Select the certificate to register in the token explorer tree.
3. Select Register from the shortcut menu, OR select Tasks
111. ...ity of Objects
- Configuring DIGIPASS CertiID
10 Appendix: PKI and Certificate Basics
This chapter gives an overview of how to manage digital certificates and key pairs on a token using DP CertiID Management Application. It covers the following topics:
- Understanding PKI and Certificates
- Certificate Details
- Certificate Category
- Certificate File Formats
10.1 Understanding PKI and Certificates
Public Key Infrastructure (PKI) can be defined as the software and/or hardware components necessary to manage and enable the effective use of public key encryption technology. It binds public keys to their respective user identities by means of certification authorities (CA). Public key encryption technology is in principle asymmetric cryptography using pairs of cryptographic keys. A key pair consists of a public key and a private key. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key, or to sign data. The public key is widely distributed and is used to verify data that has been signed with the corresponding private key, or to
112. ...Appendix: Card Operating System Limitations
11 Appendix: Card Operating System Limitations
This chapter gives an overview of the limitations of the different card operating systems (COS) supported by DIGIPASS CertiID.
11.1 Overview
[Table 3: Card Operating Systems Limitations Overview. Columns: Feature, CardOS 4.3b, CardOS 4.01A, STARCOS 3 1 10 One1 0 (column labels as extracted). Rows: Administrator key (Key type: DES3; Key size (byte): 24 / 16; Key form: T1, T2, T3 / T1, T2 / T1); PIN (Minimum length); PUK; Reset protection (No protection / Reset code / No reset); Miscellaneous (Returns retry counter; Uses extended APDU). The per-column cell values could not be recovered from the extracted text.]
Table notes:
- Cannot execute cryptographic functions with RSA keys > 2032 on DP 905 v0.0.0.
- Cannot execute cryptographic functions with RSA keys > 2032 on DP 905 v0.0.0.
- Extended APDUs may cause problems on various smart card readers when using RSA keys > 2032.
12 Appendix: Using DIGIPASS CertiID with Keypad Hardware
This chapter gives an overview of how to use DIGIPASS CertiID with keypad hardware, including pitfalls and limitations.
113. ...
5 Managing Authentication Objects
This chapter gives an overview of authentication objects and how to manage them on a token using DP CertiID Management Application. It covers the following topics:
- Understanding Authentication Objects
- Changing PINs
- Changing PUKs
- Changing Administrator Keys
- Unblocking PINs
- Changing the Security of Objects
- Removing the PIN Protection
- Replacing a PUK with an Administrator Key
- Generating Master Administrator Keys
- Using the Response Calculator
5.1 Understanding Authentication Objects
This section provides an overview of the different types of authentication mechanisms, which will help you to gain a better understanding of the software. It further introduces some definitions of terms that are frequently used in DIGIPASS CertiID, both in the software and in the user documentation. If you are new to PKI software, it is recommended that you read this section carefully.
5.1.1 Data objects
Data on a token is organized similarly to data on a computer disk. Some objects (or files, in the analogy) contain user data. Such an object is called a data object and can be, for example, a certificate.
5.1.2 Key objects
Key ob
114. ...jects are special data objects used for cryptographic operations. For instance, public key encryption uses pairs of cryptographic keys consisting of a public key and a private key.
5.1.3 Authentication objects
Access to certain objects may be protected, or is supposed to be protected; for example, the private key of a key pair should not be publicly accessible. Access to such data objects worth protecting is protected by so-called authentication objects or authentication codes. CertiID distinguishes between four different types of authentication objects:
- Personal identification numbers (PIN)
- Personal unblocking keys (PUK)
- External authentication objects (administrator keys)
- Reset codes
As a security measure, an authentication object is blocked after a certain number of incorrect authentication attempts. For instance, if you enter an incorrect PIN three times in a row, it is blocked and no longer valid, meaning the data it protects cannot be accessed at all. The number of allowed retries is called the retry counter. All authentication objects have a separate retry counter.
5.1.3.1 Personal Identification Number (PIN)
The most basic authentication object is the personal identification number (PIN). A PIN is a secret numeric, alphanumeric or Unicode password, ideally known only to the legitimate user and the token. Before you can
115. ...challenge information shown in the Challenge box in the Unblock PIN Dialog to receive the response.
5. Type a new PIN twice to prevent typing errors.
[Figure 56: Unblocking PIN with an Administrator Key (2). The Unblock PIN dialog reads: Your PIN has been blocked. To unblock it, call your token administrator and read the challenge information below to receive the response. It shows the token, a Challenge box, a Response box, New PIN and Confirm New PIN boxes, and a View Details link.]
6. Click Unblock. Unblock remains disabled until the new PIN complies with the effective PIN policy. TIP: Click View Details to show the effective PIN policy and to see why the specified PIN does not comply with it.
5.5.4 Additional considerations
- The Unblock PIN Dialog appears automatically if you try to access a data object protected by a blocked PIN.
- The retry counter of the PIN is automatically reset to its initial value after a successful unblock.
- The system or token administrator may enact a PIN policy to encourage and enforce strong PINs.
- The Authentication Objects folder in the token explorer tree contains all PINs on a particular token. The PIN effe
116. ...following settings.
[Figure 16: Initializing Token (12) – Ready to Initialize. The summary page lists the selected token template, selected default value profile, cardholder name, token label, token reset setting, selected security mode, keypad support, default PIN initialization and retry counter, default PUK initialization and retry counter, the Print PIN letter / Include PUK in PIN letter / Print PUK letter options and the selected printer, with the values chosen in the previous steps. A Save as default value profile option with a Profile name box lets you select a default value profile at the beginning of this wizard to apply the saved settings the next time you initialize a token.]
15. If required, select acknowledge this information and click OK to confirm the effective PIN, PUK and/or administrator key that were automatically generated when initializing the token.
[Figure: Initialize Token – Confirm your authentication codes. The dialog reads: The following authentication codes have been automatically created for you. Keep this information secret and do not share it with anyone else. The default PIN protects your sensitive data from unauthorized use. The default PUK allows you to unblock a blocked default PIN. A blocked ...]
117. ...values
[Figure 6: Initializing Token (2) – Selecting Token Template. The page offers a Token template list (Standard PIN/PUK template), a Use default value profile list (<New Profile>), an Edit default values check box to fill in values set in the default value profile, and the template description: Standard template with PIN protected by PUK.]
5. Specify a cardholder name. The cardholder is the person who has the actual right to possess and use the token.
[Figure 7: Initializing Token (3) – Specifying Cardholder Name]
6. Specify a label for the token. The token label is the name used to refer to this token, helping to distinguish between different tokens.
[Figure 8: Initializing Token (4) – Specifying the Token Label]
7. Specify the token reset protection.
[Figure: Initialize Token – Specify ...]
118. ...ly, and to have them emulated if the used token hardware does not support the specified values. If you clear these check boxes, the minimum and/or maximum PUK lengths are determined by what the particular token hardware supports.
Minimum PUK length: Enter the number of characters a PUK must have at least to be valid. A value of MAX (if you increase the value via the spin control) specifies that the minimum PUK length is equal to the maximum value allowed by the token hardware. This value can't be greater than the value specified by Maximum PUK length.
Maximum PUK length: Enter the number of characters a PUK can have at most to be valid. A value of MAX (if you increase the value via the spin control) specifies that the maximum PUK length is equal to the maximum value allowed by the token hardware. This value can't be less than the value specified by Minimum PUK length.
Enable PUK complexity rules: Select this option to enable certain complexity rules to enforce strong PUKs.
Force non-successive character sequences: Select this option to disallow PUKs that contain only a successive character sequence. This option is available only when you select the Enable PUK complexity rules check box. EXAMPLE: The following PUKs are successive character sequences, i.e. the distance between
119. ...mal number used for external authentication. Help desk staff need it to calculate an unblock phrase if the default PIN is blocked.
[Figure 14: Initializing Token (10) – Specifying Administrator Key. Options: Set administrator key now (with an Administrator key field), Generate administrator key, Set administrator key on first use, Use master administrator key (insert a master administrator token), and Number of retries before block (5).]
- Select Set administrator key now and type a value for the administrator key.
- Select Generate administrator key to have an administrator key automatically generated for you. The generated administrator key value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN and/or administrator key letter if you request to print one (see Step 13).
- Select Set administrator key on first use if you don't want to set the default administrator key now. This option is only available if the Set PIN on first use option was selected (see Step 9). The default administrator key is not set now, i.e. the token is pre-initialized. The next time the token is inserted, the user is asked to complete the initialization
120. mation as provided by your OTP service provider. 5. Type a label for the OTP key object in the OTP object label box. 6. Type the name of your OTP service provider in the Service identifier box. 7. Click Import. [Figure 88: Inspecting Imported OTP Object; token explorer showing Jane Doe's OTP Key under OTP Key Objects] 9.3.3 Additional considerations • The system or token administrator may restrict access to certain program features. If a particular option is not available, you may not have the privileges to use it. • The imported OTP key object is protected by the default PIN if one is available on the token. You can change this via DP CertiID Management Application. • The OTP Key Objects folder in the token explorer tree contains all OTP key objects on a token, i.e. abstract representations of any OTP-generating mechanism provided by that token (e.g. OTP hardware or an imported OTP key object). 9.3.4 Additional references • Generating One-Time Passwords (OTP) • Generating One-Time Passwords (OTP) from Challenges • Changing the Secur
121. membered by you. CAUTION: Do not record your PIN, either in writing or electronically, and do not disclose it to anyone, including supervisors or co-workers. 5.2.2 Changing a PIN > To change a PIN: 1. Insert your token. 2. Select the PIN to be changed in the token explorer tree. 3. Select Change from the shortcut menu, OR select Tasks > Change from the menu bar. The Change PIN Dialog appears. [Figure 48: Changing PIN; dialog text: To change your PIN you need to enter the current PIN and a new PIN two times to prevent typing errors] 4. Type the current PIN and a new PIN two times to prevent typing errors. 5. Click Change. Change remains disabled until the new PIN complies with the effective PIN policy. 5.2.3 Additional considerations • The system or token administrator may enact a PIN policy to encourage and enforce strong PINs. • The Authentication Objects folder in the token explorer tree contains all PINs on a particular token. The PIN effectively assigned to protect a certain private key is shown below the private key of the respective certificate. 5.2.4 Additional references • Unblocking PINs • Changing PUKs
122. ministrator key. c. Select the master administrator key in the Master key list. d. Type the PIN for the master administrator key and click OK to return to the Change Administrator Key Dialog. The response is calculated using the provided administrator key and automatically entered into the Response box. • If you do not know the administrator key, contact your token administrator and read the challenge information shown in the Challenge box in the Change Administrator Key Dialog to receive the response. 5. Type a new administrator key in the New administrator key box. [Figure 52: Changing Administrator Key (2); dialog text: To change your administrator key, enter the correct response to the challenge given below and specify a new administrator key; fields: On token, Challenge, Response, New administrator key] 6. Click Change. Change is disabled if either the Response box or the New administrator key box is empty. 5.4.3 Additional considerations • The Authentication Objects folder in the token explorer tree contains all authentication objects on the token, including the administrator key. If the administrator key is assigned to protect a PIN, it is shown along with the PIN below the private key of the respective certifi
123. n Serial Number</strong> TOKENSERIAL<br><strong>Assigned Cardholder</strong> CARDHOLDER<br><strong>PIN</strong> PIN<br></blockquote> Index: A: ACCESS feature 129; administrator key 70; administrator key letter, customizing template 163; assigning 92; blocking (Caution notice) 82; changing 78; changing (Caution notice) 78; changing, enabling option 130; customizing administrator key letter 163; [unreadable entry] 24; generating on first use 42; generating on token initialization 33; generating with master administrator key 34, 42; keeping secret (Caution notice) 78, 99; personalizing, enabling option 129; printing administrator key letter 34, 42, 95; [unreadable entry] 99; retry counter, specifying
124. nerate a master administrator key on token. The more complex the passphrase, the more secure the master administrator key. [Figure 67: Generating Master Administrator Key; fields: On token, Key label, Passphrase] 4. Type a key label. The key label is the name used to refer to the key, to distinguish between different master administrator keys. 5. Type a passphrase. The passphrase is used to calculate the master administrator key. The more random and complex the passphrase, the more random and secure the master administrator key. 6. Click Generate. 5.9.3 Additional considerations • The system or token administrator may restrict access to certain program features. If the generate master administrator key option is not available, you may not have the privileges to use it. • The passphrase is used only once to generate the master administrator key. You do not need it to use or access the master administrator key once it has been generated. • One particular passphrase generates exactly one particular master administrator key value. If the token with a master administrator key is damaged, you can re-create the master administrator key using the original passphrase. You can also create multiple cards with the same master administrator key using one passphrase, e.g. for different help desk members. • Basically, a master administrat
125. ng option 130; [unreadable entry] 69; key pair 22, 152; testing 65; testing, enabling option 130; keypad hardware 159; enabling support 29; keypad hardware limitations 162; M: master administrator key 71, 80, 81, 84, 86, 101, 106; generating 102; generating, enabling option 131; Maximum PIN length option 124; Maximum PUK length option 125; Minimum PIN length option 124; Minimum PUK length option 125; Mozilla Thunderbird 95; N: notification area icon: hiding icon permanently 112; hiding icon temporarily 112; [unreadable entry] 110; O: object security: assigning administrator key 92; assigning default PUK 92; assigning existing PIN 88; changing, enabling option 131; [unreadable entry]
126. nge Administrator Key dialog. [Figure 50: Changing Administrator Key (1); dialog text: To change your administrator key, enter the correct response to the challenge given below and specify a new administrator key; fields: On token, Challenge, Response, New administrator key] 4. Do one of the following: • If you know the current administrator key: a. Click Generate response. The Enter Administrator Key Dialog appears. [Figure 51: Entering Administrator Key; dialog text: To generate a response, enter the administrator key; fields: Administrator key, Use master administrator key, Master key, PIN] b. Type the administrator key and click OK to return to the Change Administrator Key Dialog. The response is calculated using the provided administrator key and automatically entered into the Response box. • If you possess the master administrator key: a. Insert the administrator token. b. Select Use master ad
127. ntication. [Figure 59: Changing Object Security, Generating New PIN] 3. Specify the value and retry counter for the new PIN. [Figure 60: Changing Object Security, Specifying New PIN; dialog text: Enter the PIN two times to prevent typing errors, or select Generate PIN to have a PIN value generated automatically; fields: Set PIN now, PIN, Confirm PIN, Generate PIN, Number of retries before block] • Select Set PIN now and type a value for the PIN twice to prevent typing errors. Next remains disabled until the new PIN complies with the effective PIN policy. TIP: Click View Details to show the effective PIN policy, to see why the specified PIN does not comply with it. • Select Generate PIN to have a PIN automatically generated for you. The generated PIN value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN letter if you request to print one (see Step 8). The Number of retries before block box defines how often an incorrect value for the PIN can be consecutively typed before it
128. ntity and contains information used to protect data or to establish secure network connections. Click Next to continue. [Figure 38: Exporting Certificate (1)] 4. Click Next to begin. 5. Specify the file format for the certificate file. [Figure 39: Exporting Certificate (2), Specifying File Format; formats offered: DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), Cryptographic Message Syntax Standard PKCS #7 Certificate (.P7B)] 6. Specify the path and the name for the file that will contain the exported certificate. [Figure 40: Exporting Certificate (3), Specifying File; example path shown: C:\Documents and Settings\jane doe\Desktop\jane doe.cer] 7. Click Finish. 4.2.3 Additional considerations • The certificate will remain on the token after the export. If you want to remove it from the token, you must delete it. 4.2.4 Additional references • Certificate File Formats • Importing Certificates • Deleting Objects
129. [...] 145; 9.2 Generating One-Time Passwords (OTP) from Challenges 146; 9.2.1 Before you begin 146; 9.2.2 Generating Responses using one-time passwords (OTPs) 146; 9.2.3 Additional considerations 147; 9.2.4 Additional references 147; 9.3 Importing OTP Key Objects 148; 9.3.1 Before you begin 148; 9.3.2 Importing OTP Key Objects 148; 9.3.3 Additional considerations 150; 9.3.4 Additional references 150; 10 Appendix: PKI and Certificate Basics 151; 10.1 Understanding PKI and Certificates 152; 10.2 Certificate [unreadable] 153; 10.3 Certificate [unreadable] 154
130. o Provider before it is cleared. If the application releases the respective cryptographic context, the PIN cache is cleared immediately, even if the timeout has not elapsed. The value is given in seconds. This option is available only when you select the Clear PIN cache after a certain time check box. 7.3.3 Initialize Token Options: Always require to acknowledge authentication codes after initializing/personalizing tokens: select this option to always display the Confirm Authentication Dialog when a token has been initialized. If you clear this check box, the Confirm Authentication Dialog appears only if at least one of the effective authentication codes (that is, default PIN, default PUK and/or default administrator key) is selected to be generated automatically but no respective PIN/PUK/administrator key letter is printed. Automatically personalize token on token insert: select this option to launch the Personalize Token Wizard automatically when a pre-initialized token is inserted. This option requires DP CertiID Tray Agent. 7.4 PIN Policy 7.4.1 PIN Policy Rules: Override token hardware capabilities: select these options if you want to explicitly set the minimum and maximum PIN length, respectively, and to have them emulated if the used token hardware does no
131. on't want to personalize the default PIN now. This option is only available if neither the default PUK nor the default administrator key has been personalized so far. The default PIN is not set now but is asked for again the next time the Personalize Token Wizard appears for this token. This option is useful if you want to prepare a token with a personalized default PUK or default administrator key but want the user to set the default PIN. 7. If required, specify a default PUK. This option is only available if the token template configuration includes a default PUK and the Set PUK on first use option was selected during initialization. [Figure 22: Personalizing Token (5), Specifying Default PUK; dialog text: If you consecutively enter a wrong PIN too often, it is blocked and the data it protects cannot be accessed. You can define a PUK to unblock the PIN; fields: Set PUK now, PUK, Confirm PUK, Generate PUK] • Select Set PUK now and type a value for the PUK twice to prevent typing errors. Next remains disabled until the new PUK complies with the effective PUK policy. TIP: Click View Details to show the effective PUK policy, to see why the s
132. [Figure 53: Unblocking PIN with a PUK; fields: PUK, New PIN, Confirm New PIN] 4. Type the required PUK and a new PIN two times to prevent typing errors. 5. Click Unblock. Unblock remains disabled until the new PIN complies with the effective PIN policy. TIP: Click View Details to show the effective PIN policy, to see why the specified PIN does not comply with it. 5.5.3 Unblocking a PIN with external authentication > To unblock a PIN using an unblock response: 1. Insert your token. 2. Select the PIN to be unblocked in the token explorer tree. 3. Select Unblock from the shortcut menu, OR select Tasks > Unblock PIN from the menu bar. The Unblock PIN Dialog appears, requiring you to enter a response (unblock code). [Figure 54: Unblocking PIN with an Administrator Key (1); dialog text: Your PIN has been blocked. To unblock it, call your token administrator and read the challenge information below to receive the response; fields: On token, Challenge, Response, New PIN, Confirm New PIN] 4. Do one of
133. or key is a secret key. The Secret Key Objects folder in the token explorer tree contains all secret keys and all master administrator keys. • Administrator token is a theoretical term. Any token containing master administrator keys is an administrator token, but it can be used normally like any other token. However, it is highly recommended to use a designated token solely for the purpose of storing master administrator keys. 5.9.4 Additional references • Access Configuration • Understanding Authentication Objects 5.10 Using the Response Calculator The response calculator is a tool allowing you to calculate a response for a given challenge using an administrator key. It is primarily intended for token administrators or help desk staff who need to remotely help users to unblock PINs protected by administrator keys. The response calculator is available via Tools > Response Calculator in the DP CertiID Management Application menu bar. 5.10.1 Before you begin To use the response calculator you need: • DP CertiID Management Application • the administrator key of the token that issued t
134. ors. Next remains disabled until the new PUK complies with the effective PUK policy. TIP: Click View Details to show the effective PUK policy, to see why the specified PUK does not comply with it. • Select Generate PUK to have a PUK automatically generated for you. The generated PUK value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN and/or PUK letter if you request to print one (see Step 8). The Number of retries before block box defines how often an incorrect value for the PUK can be consecutively typed before it is blocked. 7. Specify a label for the new PUK. The PUK label is the name used to refer to this PUK, helping to distinguish between different PUKs. [Figure 64: Changing Object Security, Specifying PUK Label; dialog text: The PUK label is the name used to refer to this PUK. It helps you to distinguish between different PUKs; field: PUK label (example: Jane's PUK); Note: You can't use PIN, PUK, ADMINKEY or SO PIN for the PUK label] NOTE: The PUK label can't be set to PIN, PUK, ADMINKEY or SO PIN, as these labels are reserved for the default PIN, the default PUK and the administrator key respectively. PKCS #11 refers to the PUK as SO PIN.
135. ostics is activated. • Diagnostics reports can be saved to disk. If you do not save a report, it is discarded when you close the Diagnostics Report Dialog. 8.2.3 Additional references • Using Troubleshooting 8.3 Using Application Error Reports DIGIPASS CertiID provides a built-in error handler that automatically creates a memory dump when a middleware or application module terminates unexpectedly. You can check at any time whether application errors occurred and pending error reports are available via the Error Report tab. 8.3.1 Inspecting application error reports > To inspect error reports: 1. Switch to the Error Report tab. 2. If error reports are available, click View. The Error Report List Dialog appears. You can decide what to do with them: • Create error reports and save them to disk • Discard error reports [Error Report List dialog; dialog text: The following error reports have been created. You can help us to improve the quality of the products you are using by submitting error reports to VASCO. Error reports are treated confidentially and do not contain personal information; table columns: Time, Process (the scanned entries are garbled)]
136. [Figure 57: Changing Object Security, Using Existing PIN (1); options: Generate new PIN (recommended), Use an existing PIN, Remove current PIN (not recommended: avoid using this option, it removes the current PIN, allowing the certificate to be used without any authentication)] 3. Select an existing PIN in the PIN box and click Next. [Figure 58: Changing Object Security, Using Existing PIN (2); dialog text: Select existing PIN to assign to Private Key] 4. Click Finish. From now on, the selected PIN is requested to access the data object. > To create and assign a new PIN: 1. Invoke the Change Object Security Wizard (see above). 2. Select Create new PIN and click Next. [Change Object Security dialog, Change protection for Private Key; dialog text: By default, certificates are protected by the default PIN. You can change this by choosing or creating a different PIN or by removing the PIN protection for a particular certificate at all; options: Generate new PIN (recommended), Use an existing PIN, Remove current PIN (not recommended: avoid using this option, it removes the current PIN, allowing the certificate to be used without any authentication)]
137. party certificate (other people or certification authorities), the certificate is added either to the CA Certificates or the Other Certificates folder on the token, or to an existing key container which may already contain a certificate. 4.1.1 Before you begin To import a certificate you need: • Access to the file containing the respective certificate • DP CertiID Management Application 4.1.2 Importing a certificate > To import a certificate to a token: 1. Insert your token. 2. Select the token in the reader explorer tree. 3. Select Import from the shortcut menu, OR select Tasks > Import in the menu bar. The Import Certificate Wizard appears. [Figure 32: Importing Certificate (1); dialog text: This wizard helps you to copy certificates from your disk to your token. A certificate which is issued by a certification authority is a confirmation of your identity and contains information used to protect data or to establish secure network connections. Click Next to continue] 4. Click Next to begin. 5. Select the file name. [Import Certificate dialog: Specify the file you want to import; example path shown: C:\Documents and Settings\jane doe\Desktop\john doe.cer; Note: More than one certificate can be stored in a single file in the following forma
138. pecified PUK does not comply with it. • Select Generate PUK to have a PUK automatically generated for you. The generated PUK value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN and/or PUK letter if you request to print one (see Step 9). 8. If required, specify an administrator key. This option is only available if the token template configuration includes an administrator key and the Set administrator key on first use option was selected during initialization. [Figure 23: Personalizing Token (6), Specifying Administrator Key; dialog text: The administrator key is a hexadecimal number used for external authentication. Help desk staff need it to calculate an unblock phrase if the default PIN is blocked; options: Set administrator key now, Generate administrator key, Use master administrator key] • Select Set administrator key now and type a value for the administrator key. • Select Generate administrator key to have an administrator key automatically generated for you. The generated administrator key value is displayed after the wizard has performed the
139. ptimized for use with Entrust Certification Authorities (CA), but you can use it with any other CAs as well. Although it is recommended to use this token template with Entrust CAs, you may also use the other token templates. • Entrust optimized PIN Adminkey template: This token template provides the same authentication mechanisms as the Standard PIN Adminkey template. It is optimized for use with Entrust Certification Authorities (CA), but you can use it with any other CAs as well. Although it is recommended to use this token template with Entrust CAs, you may also use the other token templates. NOTE: Your system or token administrator may remove some token templates, so not all of these token templates may be available to you. 3.1.2 Initializing a token > To initialize a token: 1. Insert your token. 2. Select the token in the token explorer tree. [Figure 4: Inspecting Token to Initialize; token explorer showing an Eutron Digipass reader with an empty token] 3. Select Initialize from the shortcut menu, OR select Tasks > Initialize from the menu bar. The Initialize Token Wizard appears. [Initialize Token dialog text: This wizard helps you to initialize tokens to use with the DP CertiID middleware based on token templates
140. 4. To test for encryption and decryption operation, do the following: [Figure 42: Testing Key Pair for Encryption; dialog text: Enter a plaintext and click Test below to verify the certificate for correct encryption operability. If Decrypted Text matches Plaintext, the decryption key works correctly; fields: Plaintext (example: foobar), Ciphertext (hex bytes), Decrypted Text (example: foobar)] a. Type some arbitrary text in Plaintext and click Test. The key pair is used to encrypt the plaintext. The encrypted text is then decrypted again. If Decrypted Text matches Plaintext, the key pair works correctly for encryption/decryption. A green checkmark indicates the test completed successfully; otherwise you will receive an error message. b. When you have finished testing for encryption, click Next. 5. To test for signing and verifying operation, do the following: [Test Key Pair dialog: Test key pair for signing; dialog text: Enter a plaintext, choose a hash algorithm and click Test below to verify the
141. r archiving purposes or to send it to your support contact if required. If you enable Include system information in report, Diagnostics collects information about system configuration that may help identifying issues. 4. Click Close. If you did not save the diagnostics report, it is discarded. NOTE: The diagnostics report does contain a small portion of the contents of your machine's memory and some system information data necessary to examine potential issues. All collected data in diagnostics reports is encrypted. VASCO will not track the diagnostics report back to you personally and treats this information confidentially. Only individuals actively working on fixing problems have access to the information. Diagnostics report data is used to find and fix problems in the software you use. It is not used for marketing purposes. 8.2.2 Additional considerations • Diagnostics is deactivated by default and must be explicitly enabled. It remains activated until it is explicitly deactivated. • Since diagnostics may considerably decrease system performance, you should enable it only when necessary. • If no application layer is included, only error messages and warnings will be recorded. • You can continue work while diagn
142. r the respective diagnostics type. The Set Diagnostics Options Dialog appears. [Figure 81: Setting Diagnostics Options; dialog fields: Limit log to (MB); Include these events in log file: Application (user events, CertiID modules), Middleware (CSP, PKCS #11, card module: Cryptographic Service Provider (CSP), PKCS #11 library, Card Module), Base Components (token drivers), Hardware (PC/SC hardware drivers); Include sensitive data (PINs, PUKs) in log file (for security reasons, sensitive data will be encrypted)] 3. OPTIONAL: Type a limit for the log file size and select which application layers should add log entries to the file. The log file will contain the latest records up to the specified file size. Once the specified file size is reached, logging continues and the oldest log entries will be overwritten. If you suspect a specific module to cause a problem, e.g. a specific hardware driver, you can include the respective application layer only and exclude everything else. If you select Include sensitive data, PINs and PUKs are included in the log file, as this information may help analysing some issues. NOTE: Sensitive data in diagnostics reports is always encrypted. 4.
143. raphy | Meaning: blue underlined = Internet links. The following visual hint colour schemes are used throughout this document: TIP: Tips contain supplementary information that is not essential to the completion of the task at hand, including explanations of possible results or alternative methods. NOTE: Notes contain important supplementary information. CAUTION: Cautions contain warnings about possible data loss, breaches of security or other more serious problems. 1.1.3 Providing feedback Every effort has been made to ensure the accuracy and usefulness of this manual. However, as the reader of this documentation, you are our most important critic and commentator. We appreciate your judgment and would like you to write us your opinions, suggestions, criticisms, questions and ideas. Please send your commentary to documentation@vasco.com. To identify the particular document you are referring to, please include the following information in your subject header: DPC UM 3 1 0en 22062009. Please note that product support is not offered through the above mail address. 2 Using DP CertiID Management Application DP CertiID Management Application is an administration tool allowing you to manage your tokens and digital certificates. Thi
144. rd
- Assigning a different PIN to a data object does not affect the protection of other data objects.
- The system or token administrator may enact a PIN/PUK policy to encourage and enforce strong PINs and PUKs.
5.6.4 Additional references
- Removing the PIN Protection
- Understanding Authentication Objects
- Access Configuration
5.7 Removing the PIN Protection
You can remove the PIN protection of a particular data object. If you remove the PIN protection from a data object, it becomes accessible to anyone without any authentication.
CAUTION: It is recommended not to use this option. It removes the PIN protection from a data object, allowing anyone, including unauthorized persons, to use the data without any prior authentication.
5.7.1 Before you begin
Due to its potential security risk, this option is unavailable by default and must be enabled in the program access conditions. To remove the PIN protection from a data object you need:
- DP CertiID Management Application
- the current PIN
5.7.2 Removing a PIN
> To remove the PIN protection from a data object
145. register and unregister your certificates upon inserting and removing the token.
4.4.4 Additional references
- Using the DP CertiID Tray Agent
- Deleting Objects
4.5 Testing Key Pairs
You can test key pairs to validate whether encryption/decryption and signing/verifying operations work correctly. The key pair to test may have an associated certificate.
4.5.1 Before you begin
To test a key pair you need:
- DP CertiID Management Application
- the PIN that protects the private key of the respective key pair
4.5.2 Testing a key pair
> To test a key pair
1. Insert your token.
2. Select the private key of the key pair to test in the token explorer tree.
(Figure 41: Selecting Private Key. The token explorer tree shows My Computer > Eutron Digipass > Jane Doe's Token with the folders Authentication Objects, Secret Key Objects, Data Objects, OTP Key Objects, CA Certificates and Other Certificates, and the Certificate of Jane Doe with its private key and public key.)
3. Select Test key pair from the shortcut menu, OR select Tasks > Test key pair from the menu bar. The Test Key Pair Wizard appears.
146. requested actions. It will also be shown in the PIN and/or administrator key letter if you request to print one (see Step 9).
- Select Use master administrator key if you want to use a master administrator key to derive the administrator key for this token:
  a. Insert the administrator token.
  b. Select the master administrator key in the Master key list.
  c. Type the PIN for the master administrator key.
9. Specify whether to print a PIN/PUK/administrator key letter and select a printing device to print.
10. Click Finish to personalize the token.
11. If required, select acknowledge this information and click OK to confirm the effective PIN, PUK and/or administrator key that were automatically generated when initializing the token.
3.2.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If a particular option is not available, you may not have the privileges to use it.
- You can set up DP CertiID Tray Agent to automatically invoke the Personalize Token Wizard upon inserting tokens.
- If you specify to use a master administrator key, the generated administrator key is neither displayed for confirmation nor printed.
- You can re-issue a token to another user by resetting the personalization data. This way you do no
147. ring initialization, tokens can be configured to be not reset at all. If you try to reset a token which can't be reset, you will get an appropriate error message.
- After a successful reset the token is empty. To use it with the middleware you need to initialize it again.
- If the reset code is blocked, you will not be able to reset the token ever again. However, you can continue using it normally.
3.3.4 Additional references
- Initializing Tokens
- Replacing a PUK with an Administrator Key
- Access Configuration
- Understanding Authentication Objects
3.4 Resetting Token Personalization
You can reset the personalization data on a token to reset it to a pre-personalized state. By resetting the token personalization you can re-issue the token to another user without having the token completely reset and re-initialized.
3.4.1 Before you begin
To reset the personalization of a token you need:
- DP CertiID Management Application
- the default PUK or administrator key
3.4.2 Resetting token personalization
> To reset the personalization of a token
1. Insert your token.
2. Select the token in the token
148. rsonalization 3: Specifying Token Label 49
Figure 29 Reset Token Personalization 4: Specifying Default PIN Initialization 49
Figure 30 Reset Token Personalization 5: Specifying Default PIN 50
Figure 31 Reset Token Personalization 6: Ready to Reset Token Personalization 51
Figure 32 Importing Certificate 1: ... 55
Figure 33 Importing Certificate 2: Specifying File 55
Figure 34 Importing Certificate 3: Entering Password 56
Figure 35 Importing Certificate 4: Selecting Certificate Category 56
Figure 36 Inspecting Imported Certificate 57
Figure 37 Inspecting Certificate to Export 58
Figure 38 Exporting Certificate 1: ... 59
Figure 39 Exporting Certificate 2: Specifying File Format
149. s chapter gives an overview of the tool and how to use it. It covers the following topics:
- Getting to Know DP CertiID Management Application
- Exploring your Token
2.1 Getting to Know DP CertiID Management Application
> To start DP CertiID Management Application
- Select Start > Programs > VASCO > DIGIPASS CertiID > Management Application, OR select Management Application in the DP CertiID Tray Agent menu.
(Figure 1: DP CertiID Management Application Main Window (Administration Mode), showing the menu bar and toolbar (File, Tasks, View, Tools, Help), the Token Selection list, the Token Explorer tree under My Computer, the Object Info / Details pane (Label, Slot state, Vendor, Model, Version; a slot is a physical device that can host a token, such as a smart card reader) and the Common Tasks pane with a See also / Getting Help link.)
The DP CertiID Management Application main window consists of the following:
1. Menu bar and toolbar
Tok
150. s using DP CertiID Troubleshooting and Diagnostics. It covers the following topics:
- Using Troubleshooting
- Using Diagnostics
- Using Application Error Reports
8.1 Using Troubleshooting
Troubleshooting helps you to find and identify issues. It verifies the current state of the system, looks for running services, connected card readers and inserted tokens, and performs a basic middleware self-check. This tool serves as a first-level support assistant and is used if a program error or crash occurred, or if you think that CertiID middleware is not working correctly.
8.1.1 Searching for issues
> To search for issues using troubleshooting
1. Switch to the Troubleshooting tab.
(Figure 78: DP CertiID Troubleshooting and Diagnostics, Searching for Issues. The Troubleshooting tab shows Last scan and Result, and the scan steps Verifying installation, Checking required system services, Verifying attached slot devices, Validating tokens and certificate data, and Testing middleware modules, with a Tell me more about troubleshooting link.)
151. se strong PINs that can't be easily guessed but still can easily be remembered by you.
5.6.1 Before you begin
To assign a different PIN you need:
- DP CertiID Management Application
- the current PIN
- to choose a strong PIN that can't be easily guessed but still can easily be remembered by you
CAUTION: Do not record your PIN, either in writing or electronically, and do not disclose it to anyone, including supervisors or co-workers.
5.6.2 Assigning a PIN
You assign a different PIN via the Change Object Security Wizard.
> To invoke the Change Object Security Wizard
1. Select the data object to which you want to assign a PIN in the token explorer tree.
2. Select Change object security from the shortcut menu, OR select Tasks > Change object security from the menu bar.
With the Change Object Security Wizard you can either
- assign an existing PIN to the data object, or
- create a new PIN and assign it to the data object.
> To assign an existing PIN
1. Invoke the Change Object Security Wizard (see above).
2. Select Use an existing PIN and click Next.
(Change Object Security wizard, Change protection for Private Key: By default, certificates are protected by the default PIN. You can change this by choosing or creating a different PIN or by rem
152. select the respective OTP key object in the token explorer tree.
3. Select Generate One Time Password (OTP) from the shortcut menu, OR select Tasks > Generate One Time Password (OTP) from the menu bar. The Generate OTP Dialog appears.
(Figure 84: Generating One Time Password (OTP). The dialog shows the one-time password currently generated by your token in the OTP box, which is valid only for a certain time, with a Tell me more about generating one time passwords (OTPs) link and a View Details option.)
4. If required, type the PIN and click OK.
5. Click Generate to generate a new OTP. The OTP box displays the currently valid OTP. After a certain time span (default: 30 seconds) the field changes to Expired.
6. OPTIONAL: Click Copy to copy the current OTP to the clipboard.
TIP: You can select Generate One Time Password (OTP) to Clipboard to generate and copy a one-time password directly to the clipboard without opening the Generate OTP Dialog.
9.1.3 Additional considerations
- Pressing the button on the DP860 token does not have any effect on the Generate OTP Dialog.
- You can set the OTP time span via DP CertiID Configuration Center.
- You can also use DP CertiID Tray Agent to generate and view OTPs.
153. The generated PIN value is displayed after the wizard has performed the requested actions. It will also be shown in the PIN letter if you request to print one (see Step 8).
8. If required, specify whether to print a PIN letter and select the printing device to print. This option is only available if the Change default PIN on first use option was selected (see Step 6).
9. Click Finish to reset the token personalization.
(Figure 31: Reset Token Personalization 6, Ready to Reset Token Personalization. The token personalization will be reset after you click Finish; you may need to type your PUK or your administrator key to allow the following operations. The Summary tab lists the specified settings, e.g. Default PIN initialization: Set value on first use.)
10. If required, type the default PUK or administrator key and click OK.
11. If required, select acknowledge this information and click OK to confirm the effective PIN, PUK and/or administrator key that were automatically generated when initializing the token.
3.4.3 Additional considerations
- The system or token administrator may restrict access to certain program features. If the reset token personalization option is not available, you may not have the privileges to use it.
- Resetting the personalization data affects cardholder information, token label and
154. sion to edit a Group Policy Object (GPO).
NOTE: Settings configured via Group Policy take precedence over settings configured via DP CertiID Configuration Center.
7.1.2 Configuring DIGIPASS CertiID using Group Policy
> To configure DIGIPASS CertiID using Group Policy (Windows Server 2008)
1. Start Group Policy Management via the command prompt by typing gpmc.msc.
2. Select the domain or organizational unit for which you want to set a group policy in the group policy management tree.
3. Select Create a GPO in this domain, and Link it here from the context menu.
(Group Policy Management console: Forest: myDomain.local > Domains > myDomain.local, with the existing GPOs Default Domain Controllers Policy and Default Domain Policy and the context menu entries Create a GPO in this domain, and Link it here..., Link an Existing GPO..., Block Inheritance, Group Policy Modeling Wizard..., New Organizational Unit, Search..., Change Domain Controller..., Remove and Active Directory Users and Computers...)
155. ss 130
Delete data objects 130
Delete OTP key objects 130
Delete secret key objects 130
Enable PIN complexity rules 124
Enable PUK complexity rules 126
Export certificates 130
Force non-successive character sequences (PIN) 124
Force non-successive character sequences (PUK) 126
Generate master administrator keys 131
Import certificates 130
Import OTP key objects 130
Initialize tokens 129
Maximum PIN length 124
Maximum PUK length 125
Minimum PIN length 124
Minimum PUK length 125
OTP display timeout 132
Override token hardware capabilities (PIN) 124
Override token hardware capabilities (PUK) 125
Personalize administrator authenticators 129
Personalize tokens 129
PIN cache timeout 123
PINs must contain at least this many digits 125
PINs must contain at least this many lowercase characters
156. ss 163
deiou PIN aoras TE 70, 150
default PIN, changing on first use 31
default PIN, generating on first use 40
default PIN, generating on token initialization 31
default PIN, setting on first use 31, 40
default PIN, setting on token initialization 31
default PIN, unblocking on first use 32
derult yaC ssor Ep n E E 24
enabling complexity rules 124
forcing non-successive character sequences 124
keeping secret (Caution notice) 82, 87
PIN letter, customizing template 163
printing PIN letter 34, 42, 95
removing PIN protection 97
removing protection (Caution notice) 97
removing protection, enabling option 131
renaming, enabling option 131
resetting default PIN 49
TREE S E ANE E A E A E 86
retry counter, specifying 32
setting allowed characters 125
setting maximum length 124
setting minimum digits 125
setting minimum length 124
setting minimum lowercase characters 125
setting minimum uppercase charact
157. t Icon
6.1 Introduction
The DP CertiID Tray Agent is an application that adds itself to the notification area. Its functionality can be extended via plug-ins. Depending on the installed plug-ins, DP CertiID Tray Agent performs the following tasks:
- Registering/unregistering certificates
- Generating/viewing one-time passwords (OTP) using OTP-capable hardware tokens
- Displaying the smart card reader and token status via a notification area icon
6.1.1 Registering and unregistering certificates
Registering a certificate means adding it to the appropriate certificate store on the machine. A certificate store is the system area where certificates are stored locally by the operating system and made accessible for applications using cryptographic services, e.g. e-mail applications.
NOTE: If you install a CA certificate, you confirm that you explicitly trust this CA and any certificate issued by it. Due to the impact and security risks of this, Microsoft Windows may display a security warning when DP CertiID Tray Agent tries to register a certificate for a CA. Microsoft Windows registers the CA certificate only if you confirm that you trust the respective CA.
Unregistering a certificate means removing it from the certificate store. DP CertiID Tray Agen
158. t can be configured to automatically unregister all previously registered certificates of a token first when the respective token is inserted. Then it automatically registers the certificates which are configured to be automatically registered. When the token is removed, all certificates previously registered are automatically unregistered.
NOTE: The DP CertiID Tray Agent unregisters all smart card certificates, including those registered manually using the DP CertiID Management Application.
6.2 Getting to Know the DP CertiID Tray Agent Icon
The DP CertiID Tray Agent automatically adds an icon to the notification area displaying the overall status of the CertiID middleware.
(Figure 69: DP CertiID Tray Agent Notification Area)
Tray Agent Icon | Meaning
- ... connected token is empty
- Status Unknown: unknown token, i.e. at least one token is not supported
- Status Error: At least one token is invalid or not responding
Table 2: Tray Agent Icon States Overview
TIP: If the DP CertiID Tray Agent icon is not present, it may be hidden. To show it again, launch Start > Programs > VASCO > DIGIPASS CertiID > Tray Agent.
If you right-click the DP CertiID Tray Agent icon, the shortcut menu opens.
159. t have to reset and re-initialize the token completely.
- You can adapt the text and style of PIN/PUK letters by changing the respective template files.
3.2.4 Additional references
- Initializing Tokens
- Resetting Token Personalization
- Generating Master Administrator Keys
- Access Configuration
- Understanding Authentication Objects
- Configuring DIGIPASS CertiID
- Using the DP CertiID Tray Agent
- Appendix: Customizing PIN/PUK Letters
3.3 Resetting Tokens
You can reset a token to an empty state to apply another token template to it, i.e. to re-initialize it.
CAUTION: Resetting a token deletes all data on it, including your digital certificates and key pairs. Ensure that you really won't need the data on the token for later use before you reset the token.
CAUTION: If your token is protected by a reset code and you consecutively enter an incorrect reset code too many times, the reset code is blocked. You cannot unblock a blocked reset code, thus losing the possibility to reset the token in the future.
3.3.1 Before you begin
Usually a token reset is only necessary if you have blocked your PUK or the administrator key. You do not have to reset the token if you want to use an administrator key instead of a PUK to unblock PINs, as you can replace PUKs wit
160. t support the specified values. If you clear these check boxes, the minimum and/or maximum PIN lengths are determined by what the particular token hardware supports.
Minimum PIN length: Enter the number of characters a PIN must have at least to be valid. A value of MAX (shown if you increase the value via the spin control) specifies that the minimum PIN length is equal to the maximum value allowed by the token hardware. This value can't be greater than the value specified by Maximum PIN length.
Maximum PIN length: Enter the number of characters a PIN can have at most to be valid. A value of MAX (shown if you increase the value via the spin control) specifies that the maximum PIN length is equal to the maximum value allowed by the token hardware. This value can't be less than the value specified by Minimum PIN length.
Enable PIN complexity rules: Select this option to enable certain complexity rules to enforce strong PINs.
Force non-successive character sequences: Select this option to disallow PINs that contain only a successive character sequence. This option is available only when you select the Enable PIN complexity rules check box.
EXAMPLE: The following PINs are successive character sequences, i.e. the distance between each character is equal for all characters: 1234, 1357, abcd. The following PINs are non-successive character sequences, because the distance between each character is not equal for all characters: 3856, 12341234, 12qwertz.
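The length and successive-sequence rules described above, implemented as an added example that is not part of the manual or of VASCO's software; PinPolicy, is_successive_sequence and check_pin are assumed names, and the default policy values are constructed for illustration:

```python
"""Added example (not VASCO's code): a PIN policy check modelled on the
Minimum/Maximum PIN length and Force non-successive character sequences
options. Names and default values are assumptions for illustration."""
from dataclasses import dataclass


def is_successive_sequence(pin: str) -> bool:
    """True when the distance between every pair of neighbouring characters
    is the same, which is the manual's definition of a successive character
    sequence: 1234, 1357, abcd (and, by the same rule, 4321 or 1111, whose
    distances are -1 and 0 throughout).
    Assumption: a PIN with fewer than two characters has no variation and is
    treated as successive; the length rules reject it anyway."""
    if len(pin) < 2:
        return True
    steps = [ord(b) - ord(a) for a, b in zip(pin, pin[1:])]
    return all(step == steps[0] for step in steps)


@dataclass(frozen=True)
class PinPolicy:
    """Mirrors the PIN policy options discussed above (values constructed)."""
    min_length: int = 4
    max_length: int = 8
    complexity_rules: bool = False        # Enable PIN complexity rules
    force_non_successive: bool = False    # effective only with complexity_rules


def check_pin(pin: str, policy: PinPolicy) -> list:
    """Return the rule violations; an empty list means the PIN is acceptable."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(pin) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    # The non-successive rule is only available when complexity rules are on.
    if (policy.complexity_rules and policy.force_non_successive
            and is_successive_sequence(pin)):
        problems.append("successive character sequence")
    return problems


if __name__ == "__main__":
    strict = PinPolicy(complexity_rules=True, force_non_successive=True)
    # The manual's own examples: the first three are rejected, the rest pass.
    for candidate in ("1234", "1357", "abcd", "3856", "12341234", "12qwertz"):
        print(candidate, check_pin(candidate, strict) or "ok")
```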
161. t this option to allow users to reset tokens. If a token is protected by a reset code, it is still required to reset the token, whether this option is selected or not.
Initialize tokens: Select this option to allow users to initialize tokens.
7.6.3 Personalization
Personalize tokens: Select this option to allow users to personalize pre-initialized tokens.
Personalize administrator authenticators: Select this option to allow users to personalize the default PUK or default administrator key of pre-initialized tokens.
Reset token personalization: Select this option to allow users to reset the personalization data of initialized tokens and set them to the pre-initialized state.
7.6.4 Certificates and Containers
Import certificates: Select this option to allow users to import certificates from disk to a token.
Export certificates: Select this option to allow users to export certificates from a token to disk.
Test key pairs: Select this option to allow users to test key pairs for correct encryption/decryption and signing/verifying operations.
7.6.5 Object Management
Delete certificates: Select this option to allow users to delete certificates from a token.
Delete containers: Select this option to allow users to delete key containers from a token.
Delete data
162. ta Object B
(Figure 46: Two Data Objects protected by two different PINs that are each unblocked by two different PUKs (example): Data Object B is protected by PIN 2 (0815); PUK 1 (4711) and PUK 2 (foobar) unblock the respective PINs.)
(Figure 47: Two Data Objects protected by two different PINs that are unblocked via external authentication (example): PIN 1 (1234) protects Data Object A and PIN 2 (0815) protects Data Object B; the token presents a challenge, e.g. F9B8 7806 0C2E A1C1, the administrator key is used to calculate the response, e.g. 4A6D 82AF 3F5F 9DEB, and the response unblocks the PINs.)
5.1.6 Additional references
- Changing the Security of Objects
- Initializing Tokens
5.2 Changing PINs
A personal identification number (PIN) protects certain data objects, such as certificates, from unauthorized access. By changing your PINs regularly you can keep the data on your token more secure.
NOTE: You should change your PIN immediately if you suspect that it has been compromised, guessed or revealed by someone else.
5.2.1 Before you begin
To change a PIN you need:
- DP CertiID Management Application
- the current PIN
- to choose a strong PIN that can't be easily guessed but still easily re
163. ter administrator key.
  c. Select the master administrator key in the Master key list.
  d. Type the PIN for the master administrator key.
4. Click Calculate. The response is calculated and returned in the Response box. If you are the token administrator, you may read the response to the user on the phone, or click Copy to clipboard to copy and paste the response code into another application and provide it to the user, e.g. via e-mail.
5.10.3 Additional considerations
- You don't need a token connected to use the response calculator, except for the administrator token, if required.
- Since tokens generate a different challenge each time, the respective response is valid only once and cannot be misused by an unauthorized person gaining knowledge of it.
5.10.4 Additional references
- Unblocking PINs
- Changing Administrator Keys
- Understanding Authentication Objects
6 Using the DP CertiID Tray Agent
This chapter gives an overview of DP CertiID Tray Agent and how to use it. It covers the following topics:
- Introduction
- Getting to Know the DP CertiID Tray Agen
164. ter to configure DIGIPASS CertiID. The DP CertiID Configuration Center is a configuration application allowing you to configure system-wide options for all middleware components.
7.2.1 Before you begin
To start and use DP CertiID Configuration Center, you need to be logged on with a user account with local administrator privileges.
7.2.2 Starting DP CertiID Configuration Center
> To start DP CertiID Configuration Center
- Select Start > Programs > VASCO > DIGIPASS CertiID > Configuration Center, OR select Tools > Configuration Center in the DP CertiID Management Application menu bar.
(Figure 77: Configuration Center. The PIN Handling page (Change how PINs and PUKs are handled) shows the General PIN Options: Cache PINs during sessions (affects DP CertiID Management Application only) and Use PINpad hardware capabilities when possible (affects VASCO CertiID Smart Card Crypto Provider only), and the Initialize Token Options: Always require to acknowledge authentication codes after initializing/personalizing tokens, and Automatically personalize token on token insert (affects DP Tray Agent only). The other pages are PIN Policy, Certificate Handling, Access Configuration and Other.)
165. tes of the chain can be retrieved, they will also be written to the token. This option affects VASCO CertiID Smart Card Crypto Provider and VASCO Card Module only; it is not effective if you import certificates using DP CertiID Management Application.
TIP: This option is useful when working with IdenTrust, since signing data using an IdenTrust identity certificate requires the whole certificate chain to be present on the machine.
7.6 Access Configuration
These options allow you to restrict access to particular program options for users with non-administrative privileges. If you are running on a user account with restricted privileges and some program options are not available to you, the system administrator may have disabled the program options in question.
7.6.1 Administrator Override
Automatically enable all program features for administrative users: Select this option to ignore the specified access configuration and automatically enable all program features if the user has administrative privileges. This option affects DP CertiID Management Application only; other applications will adhere to the access configuration settings.
7.6.2 Token Management
Rename tokens: Select this option to allow users to change token labels.
Reset tokens: Selec
166. the default PIN, and sets the token to a pre-personalized state. All other objects are not affected and remain on the token, including certificates and key pairs.
- You can adapt the text and style of PIN/PUK letters by changing the respective template files.
3.4.4 Additional references
- Initializing Tokens
- Personalizing Tokens
- Resetting Tokens
- Appendix: Customizing PIN/PUK Letters
4 Managing Certificates and Containers
This chapter gives an overview of how to manage digital certificates and key containers on a token using DP CertiID Management Application. It covers the following topics:
- Importing Certificates
- Exporting Certificates
- Deleting Objects
- Registering and Unregistering Certificates
- Testing Key Pairs
4.1 Importing Certificates
You can import a certificate from disk to a data container on your token. Depending on whether the certificate is intended for you or if it is a third
167. the list until you explicitly discard them.
9 Appendix: Using DP CertiID with One Time Passwords (OTP)
This chapter gives an overview of how to use DP CertiID to generate one-time passwords (OTP) using OTP-capable hardware tokens. It covers the following topics:
- Generating One Time Passwords (OTP)
- Generating One Time Passwords (OTP) from Challenges
- Importing OTP Key Objects
9.1 Generating One Time Passwords (OTP)
DP CertiID allows you to generate one-time passwords (OTP) using OTP key objects. The OTPs generated by the token are displayed via the OTP software and can be copied to the clipboard for use in other software applications requiring OTP authentication.
9.1.1 Before you begin
To generate and view one-time passwords (OTP) you need:
- DP CertiID Management Application or DP CertiID Tray Agent
- a DP860 token, OR a token containing an OTP key object valid to generate OTPs
9.1.2 Generating one-time passwords (OTP)
> To generate and view a one-time password (OTP)
1. Plug in your OTP token, e.g. DP860.
2.
tication Objects

Figure 49: Changing PUK. Dialog text: Change PUK. To change your PUK, you need to enter the current PUK and the new PUK two times to prevent typing errors. On token: Jane Doe's Token. Tell me more about changing PUKs.

4. Type the current PUK and a new PUK two times to prevent typing errors.
5. Click Change. Change remains disabled until the new PUK complies with the effective PUK policy.

5.3.3 Additional considerations
• The system or token administrator may enact a PUK policy to encourage and enforce strong PUKs.
• The Authentication Objects folder in the token explorer tree contains all PUKs on a particular token. The PUK effectively assigned to unblock a certain PIN is shown along with the respective PIN below the private key of the respective certificate.
• Changing a PUK does not affect the PIN that is unblocked with the PUK.

5.3.4 Additional references
• Unblocking PINs
• Changing PINs
• Changing Administrator Keys
• PUK Policy Rules
• Changing the Security of Objects
• Understanding Authentication Objects

5.4 Changing Administrator Keys
Similar to your PINs and PUKs, you can change your administrator key. However, due to their nature, changing an administrator key
5.9 Generating Master Administrator Keys
A master administrator key is a secret key used to derive an actual administrator key. Instead of typing the administrator key directly when needed, the token with the respective master administrator key is required. After successful authentication with the PIN, the master administrator key is used to derive the administrator key.

5.9.1 Before you begin
To generate a master administrator key, you need:
• DP CertiID Management Application

TIP: Although you can put master administrator keys on any token you like, it is highly recommended to use a designated token solely for the purpose of storing master administrator keys.

5.9.2 Generating a master administrator key
> To generate a master administrator key:
1. Insert your administrator token.
2. Select the Secret Key Objects folder in the token explorer tree.
3. Select Generate master administrator key from the shortcut menu, OR select Tasks > Generate master administrator key from the menu bar. The Generate Master Administrator Key dialog appears.

Dialog text: Generate Master Administrator Key. Enter label and passphrase for master administrator key. The passphrase is used to ge
ts

Figure 33: Importing Certificate (2): Specifying File. File types offered: Personal Information Exchange, PKCS #12 (.PFX, .P12); Cryptographic Message Syntax Standard, PKCS #7 Certificates (.P7B).

6. If you are importing a PKCS #12 file: type the passphrase used to encrypt the private key.

Figure 34: Importing Certificate (3): Entering Password. Dialog text: Import Certificate. Enter the password for the private key. To maintain security, the private key was protected with a password.

7. Select the certificate category.

Figure 35: Importing Certificate (4): Selecting Certificate Category. Dialog text: Import Certificate. Select the certificate category. The certificate category is determined by certain certificate attributes and purposes. It determines how the certificate is stored on the token and how applications will access it. Options: Personal (with private key only); Other People; Certification authority (CA). Tell me more about certificate categories.

8. Click Finish.

Figure (token explorer tree): My Computer > Jane Doe's Token > Aut
Figure 70: DP CertiID Tray Agent Shortcut Menu. Menu entries: Jane Doe's Token (Initialized); Generate OTP From Jane Doe's OTP Key; Generate OTP From Jane Doe's OTP Key to clipboard; Configuration Center; Troubleshooting and Diagnostics; Certificate Management; Management Application; View Status; Change View; Hover Pane; Hide Tray Icon; About; Exit.

The shortcut menu contains:
• A list of all connected tokens and smart card readers
• Quick launch options to start important DP CertiID applications and tools
• Some options to show and hide the icon and the status hover pane, and to exit DP CertiID Tray Agent

6.2.1 Using the status hover pane
The status hover pane displays all connected tokens and smart card readers, including their current status, and provides quick access to common commands for the particular smart card readers and tokens. It further indicates if system and/or user diagnostics is active.

Figure 71: Status Hover Pane. Entries shown: Jane Doe's Token (Eutron Digipass 860 0), Initialized; Smart card reader (Eutron Digipass 660 0), Slot Empty.

> To s
ty to whom the certificate has been issued.
Public key: This field gives information about the type and key length of the associated public key.
Thumbprint algorithm: This is the algorithm used to calculate the thumbprint.
Thumbprint: This is the thumbprint (digest) of the certificate data.
Friendly name: The common name for the name given in the Subject field.
Enhanced key usage: This field specifies the purposes for which the certificate may be used.

10.3 Certificate Category
The certificate category is determined by certain certificate attributes and purposes. It determines how the certificate is stored on the token and how applications will access it. DIGIPASS CertiID distinguishes three different certificate categories:
• Personal: Certificates of this category contain an associated private key on your token and hence can be used for signing and encrypting. Such certificates are usually issued to you. They are displayed separately in a certificate container with a certificate and a key pair.
• Other People: Certificates of other people are not meant for personal use by you and do not contain an associated private key. Such certificates are usually issued to people and end entities implicitly trusted in applications. They are displayed together with
u can change the way a PIN is unblocked by replacing the assigned PUK with an administrator key. If the PIN is blocked afterwards, it must be unblocked via external authentication using the administrator key instead of the PUK.

5.8.1 Before you begin
Using external authentication instead of a PUK potentially increases security and allows the help desk to unblock PINs for user tokens remotely without disclosing the unblock secret, i.e. the administrator key. However, consider that you:
• need to keep the administrator key in a secure place
• choose a strong administrator key that can't be guessed
• can't switch back from administrator key protection to PUK protection

To replace a PUK with an administrator key, you need:
• DP CertiID Management Application
• the current PUK

CAUTION: If you need to record your administrator key, either in writing or electronically, store it in a secure place. Do not disclose it to anyone, including supervisors or co-workers.

5.8.2 Replacing a PUK with an administrator key
> To replace a PUK with an administrator key:
1. Insert your token.
2. Select the PUK you want to replace with an administrator key in the token explorer tree.
3. Select Replace with administrator key from the shortcut menu, OR select Tasks > Replace with administrator key from the menu bar.
7.5 Certificate Handling

7.5.1 Automatic Registering of Certificates
Register certificates of the following categories: These options specify which certificate categories are automatically registered by DP CertiID Tray Agent when a token is inserted.
• Personal: Select this option to have personal certificates (certificates for personal use with an associated key pair) automatically registered by DP CertiID Tray Agent when a token is inserted. Certificates of this type are added to the Personal store.
• Certificate Authorities (CA): Select this option to have certificates of certificate authorities (CA certificates with no associated key pair) automatically registered by DP CertiID Tray Agent when a token is inserted. Certificates of this type are added to the respective certification authority's store.
NOTE: If you install a CA certificate, you confirm that you explicitly trust this CA and any certificate issued by it. Due to the impact and security risks of this, Microsoft Windows may display a security warning when DP CertiID Tray Agent tries to register a certificate for a CA. Microsoft Windows registers the CA certificate only if you confirm that you trust the respective CA.
• Other: Select this option to have certificates of other people (certificates for non-personal use with no associated key pair) automatically registered by DP CertiID Tray Agent
via the Personalize Token Wizard.
• Select Use master administrator key if you want to use a master administrator key to derive the administrator key for this token:
  a. Insert the administrator token.
  b. Select the master administrator key in the Master key list.
  c. Type the PIN for the master administrator key.
The Number of retries before block box defines how often an incorrect value for the administrator key can be consecutively typed before it is blocked.
13. Specify whether to print a PIN/PUK/administrator key letter, and select a printing device to print.

Figure 15: Initializing Token (11): Printing PIN/PUK Letter. Dialog text: Initialize Token. Print a PIN letter. If you prepare this card on behalf of another user, you can print a PIN letter containing the PIN information to provide to your user. Options: Print a PIN letter; Include PUK; Print a PUK letter; Select printer: Microsoft Office Document Image Writer.

14. Click Finish to initialize the token. You may save your settings to a default values profile, which you can select the next time you initialize a token. Type a profile name in the Profile name box and click Save.

Dialog text: Initialize Token. Ready to initialize the token. The token will be initialized after you click Finish. You have specified the fol
Figure 73: Configuring DIGIPASS CertiID via Group Policy (1): Group Policy Management. Screenshot residue: context menu entries (New Window from Here, Refresh, Properties, Help); tree entries (WMI Filters, Starter GPOs, Sites, Group Policy Modeling, Group Policy Results); Source Starter GPO: (none); Cancel.

4. Type a name for the new Group Policy object.
5. Select the Group Policy Object in the tree.
6. Select Edit from the context menu. The Group Policy Object Editor appears.

Figure: Group Policy Management Editor. Tree: myGroupPolicy [myDomain.local] Policy > Computer Configuration > Policies > Software Settings, Windows Settings, Administrative Templates: Policy definitions (ADMX files) > Control Panel, Network, Printers, System, VASCO > DIGIPASS CertiID > Authentication and S
Settings listed (Setting / State / Comment): Cache PINs during sessions / Not configured / No; Use keypad hardware capabilities when possible / Not configured / No; Require authentication before generating an OTP / Not configured / No. Properties dialog for Cache PINs during sessions with tabs Setting, Explain, Comment.
ware is found, PINs are entered using PIN dialogs on the screen. If you don't enable keypad support, PINs on the token are always entered using PIN dialogs on the screen.

Figure 11: Initializing Token (7): Specifying Keypad Hardware Support. Dialog text: Initialize Token. Specify keypad hardware support. Configure if you want to use this token with keypad reader hardware. Enable keypad support: If you set this option, PINs on this token can be typed using keypad readers, if available. If no keypad reader is found, PINs are typed using PIN dialogs on screen. Disable keypad support: If you set this option, PINs on this token can't be typed using keypad readers (even if available) but only via PIN dialogs on screen. Tell me more about using PINs on keypads.

10. If required, specify a default PIN. This option is only available if the token template configuration includes a default PIN.

Dialog text: Initialize Token. Specify how to initialize the default PIN. You can specify the default PIN now or when the token is used the first time. Set PIN now: PIN; Confirm PIN. User must chan