Figure 94: Changing or removing a user message

20.2 Logged-in users

You can check whether your license is still valid. In addition, the number of users your license entitles you to serve can be checked per service on the MAIN tab under KeyTalk License Status.

Figure 95: License validity and number of users logged in

It is possible that some users have left your company but are still counted as logged-in users. To correct the user counter, click the RESET button on the USERS tab. This deletes the 10% of counted users that did not log in most recently, oldest first.

Figure 96: Resetting the oldest 10% of counted users

Deleting this oldest 10% of counted users can also be done via the LCD menu of the physical appliance. See section 24, LCD information display, for more information.

21 KeyTalk Appliance License

The KeyTalk Appliance License file contains your company name in text file format; your contract details apply. It is personalized to your company and contains all the information required to make the virtual appliance work. Your license details
Authentication modules, for more information.

NOTE: At the time of writing of this manual only the Windows client has the option to change the KeyTalk server address. For the mobile clients you need to ensure the RCCD contains the appropriate KeyTalk server address when creating it in the signing portal.

Should you be a free trial user and wish to test also with, for example, the iOS client, kindly drop us a line by e-mail at support@keytalk.com, request an updated RCCD file for the demo KeyTalk server and inform us of your preferred KeyTalk server address.

6 IPv4, IPv6 and virtual NICs

The KeyTalk appliance fully supports IPv4 and IPv6. Out of the box, demo configurations are based on IPv4. Admins who wish to make use of IPv6 will need to configure the appropriate IPv6 settings using the graphical user interface of KeyTalk on https://10.1.1.1:3000.

6.1 VMware prompt-based IP address changes

In some cases you may be deploying the Virtual Appliance OVF directly to your subnet, in which case the default Admin user interface on https://10.1.1.1:3000 might not be available. You can update the Admin interface IP address by following these steps:

a. Open /etc/hostname.em2 using the command vi /etc/hostname.em2.
b. Change the default IP and subnet address to what you want to use and save using the vi write command (:w).
c. Make the new configuration persistent using the com
password, hwsig, pincode.

Attribute value (Pincode): The variable for the Pincode attribute. Note: adding a separator symbol after the variable can be used to support multiple Pincodes per user. For example: PinCode

Attribute value (Group): The variable for the Group attribute. Note: adding a separator symbol after the variable can be used to support multiple Groups per user. For example: Admin

Filter (for HwSig, Pincode and Group alike): The LDAP filter used to specify the record against which the criteria are matched. The filter may also contain the following placeholders, which will be substituted with the actual credentials provided by the KeyTalk client: service, domain, userid, password, hwsig, pincode.

Nested groups

Some companies create groups within groups, so-called nested groups. In accordance with http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx, KeyTalk allows for the use of nested groups using the matching-rule syntax memberOf:1.2.840.113556.1.4.1941:=

Security groups

It is very common for companies to assign security group memberships to their users. So when creating a specific BIND you can exclude certain users or devices from obtaining a client certificate when they are not a member of a specific security group. As an example: A use
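The placeholder substitution and the nested-group filter described above, as an added example (not KeyTalk's own code). It renders a filter template with the client-supplied credentials, escaping them per RFC 4515 so a crafted userid cannot rewrite the filter, and appends the transitive memberOf test for nested groups. The placeholder syntax $(name) and the attribute names sAMAccountName and memberOf in the sample filters are assumptions; the manual only lists the placeholder names.

```python
# Added example, not KeyTalk's own code: render a KeyTalk-style LDAP filter with
# client-supplied credential placeholders, escaping them per RFC 4515, and build
# the nested-group (LDAP_MATCHING_RULE_IN_CHAIN) filter from the section above.
# Assumed, not from the manual: the "$(name)" placeholder syntax and the
# sAMAccountName/memberOf attribute names used in the sample filters.
import re

PLACEHOLDER_NAMES = ("service", "domain", "userid", "password", "hwsig", "pincode")
_PLACEHOLDER = re.compile(r"\$\((" + "|".join(PLACEHOLDER_NAMES) + r")\)")

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory matching rule OID for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value that is inserted into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, credentials: dict) -> str:
    """Substitute $(name) placeholders in `template` with escaped credential values.

    Raises KeyError for a placeholder the client did not supply, so a half-built
    filter is never sent to the directory.
    """
    def substitute(match):
        name = match.group(1)
        if name not in credentials:
            raise KeyError(f"no value for placeholder $({name})")
        return escape_filter_value(str(credentials[name]))
    return _PLACEHOLDER.sub(substitute, template)


def nested_group_filter(user_filter: str, group_dn: str) -> str:
    """AND an already rendered user filter with a nested-group membership test."""
    member_clause = (
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
    )
    return f"(&{user_filter}{member_clause})"


if __name__ == "__main__":
    # Constructed sample input: a benign userid and one attempting filter injection.
    template = "(&(objectClass=user)(sAMAccountName=$(userid)))"
    print(render_filter(template, {"userid": "alice"}))
    print(render_filter(template, {"userid": "*)(objectClass=*"}))
    print(nested_group_filter(render_filter(template, {"userid": "alice"}),
                              "CN=KeyTalk Users,OU=Groups,DC=example,DC=com"))
```

Without the escaping step, a userid of `*)(objectClass=*` would turn the filter into one that matches every user object; with it, the same input only matches a literal account of that name.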
(Settings table fragment, values column: for User LockOut, "Any value expressed in seconds, except blank; can be 0. For example 1800"; "CA:FALSE" / "CA:TRUE"; key usage "digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement"; "Refer to OpenSSL".)

The User LockOut mechanism allows users to be locked out of the system when they enter wrong authentication credentials.

Figure 74: Enable/disable user lockout

Automatic lockout can be selected or not. Click OK to save the settings. When Automatic lockout is selected, the KeyTalk appliance will add, lock and release users automatically based on an incremental time penalty. The Admin can always manually release users before the time penalty expires, and can manually add or remove users in the LockOut table. When Automatic lockout is not selected, the system runs in manual mode, allowing the Admin to add any usernames for a permanent lock which can only be released manually. Adding users manually is done using free text: no check is performed by the system to see whether the user actually exists in the database used by the service's authentication module.

Figure 75: Manually adding a user to be locked out for a specific service

19.3 RADIUS Module
15 OS registered owner
16 User Security Identifier
17 BIOS serial number

iOS client codes:

101 Device name as set by user, e.g. KeyTalk
102 Operating system name, e.g. iPhone OS
103 Model of the device, e.g. iPad
104 Model of the device as a localized string
105 Software-defined UDID (the real hardware UDID is deprecated by Apple), example e510de852117a695d04048e8e42
106 Unique application ID, e.g. com.keytalk.client
107 Platform identification string, e.g. iPad5,1
108 Specific hardware model description, e.g. J1AP
109 Platform friendly name derived from platform, e.g. iPad 5C
110 CPU frequency, for example 1000000000
111 Bus frequency, for example 250000000
112 Total memory in bytes available on the device, e.g. 1055976704
113 MAC address of the primary interface (the MAC is different for WiFi and 3G)
114 Gyro sensor availability, e.g. Gyro or NoGyro
115 Magnetometer sensor availability, e.g. Magnetometer or NoMagnetometer
116 Accelerometer sensor availability, e.g. Accelerometer or NoAccelerometer
117 DeviceMotion sensor availability, e.g. Devicemotion or NoDevicemotion

Android client codes:

201 Serial number (required for tablets; exists on some phones)
202 Android device ID, example 9774d56d682e549c (on devices after API 9 it changes on factory reset and on rooted phones)
203 WiFi MAC address (unique, but exists only if WiFi is turned on)
204 Unique devi
HwSig: The LDAP attribute name used for storing the Hardware Signature of the user. Default value: HWID.
Pincode: The LDAP attribute name used for storing the Pincode of the user. Default value: HWID.
Group: The LDAP attribute name used for storing the Group of the user. Default value: memberOf.

Attribute match mode (available for HwSig, Pincode and Group alike): none, exact, nocaseexact, subst, nocasesubst.

• none: the HwSig, Pincode or Group will not be checked.
• exact: the value needs to match exactly.
• nocaseexact: the value must match exactly, but not case-sensitively.
• subst: the value must be a substring of the attribute value.
• nocasesubst: the value must be a substring of the attribute value, but not case-sensitively.

Attribute value (HwSig): The variable for the HwSig attribute. Placeholders can be used for attribute values; they will be substituted with the actual credentials provided by the KeyTalk client. Supported placeholders are: service, domain, userid,
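The five match modes above, as an added example (not KeyTalk's own code), applied to the values an LDAP attribute holds, including the separator convention for attributes that carry several Pincodes or Groups. The separator character "," and the refusal to match an empty client value are this example's own choices, not statements from the manual.

```python
# Added example, not KeyTalk's own code: the attribute match modes none, exact,
# nocaseexact, subst and nocasesubst from the LDAP match settings table, plus
# the separator convention for multi-valued Pincode/Group attributes.
# Assumed here: "," as separator and that an empty client value never matches.

MATCH_MODES = ("none", "exact", "nocaseexact", "subst", "nocasesubst")


def split_attribute_values(raw_values, separator=","):
    """Expand multi-valued attributes: LDAP may return several values, and each
    value may itself hold several entries joined by `separator`."""
    out = []
    for raw in raw_values:
        out.extend(part.strip() for part in str(raw).split(separator) if part.strip())
    return out


def attribute_matches(mode, client_value, attribute_values, separator=","):
    """Return True when `client_value` (the HwSig, Pincode or Group the client
    sent) satisfies `mode` against the directory's attribute values."""
    if mode not in MATCH_MODES:
        raise ValueError(f"unknown match mode {mode!r}")
    if mode == "none":
        return True                 # attribute is not checked at all
    if not client_value:
        return False                # "" would be a substring of every value under subst
    candidates = split_attribute_values(attribute_values, separator)
    case_insensitive = mode.startswith("nocase")
    want = client_value.casefold() if case_insensitive else client_value
    for have in candidates:
        have_cmp = have.casefold() if case_insensitive else have
        if mode.endswith("exact"):
            if want == have_cmp:
                return True
        elif want in have_cmp:      # subst / nocasesubst
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a pincode attribute holding two pincodes and a memberOf DN.
    print(attribute_matches("exact", "1234", ["9999,1234"]))
    print(attribute_matches("nocasesubst", "admin", ["CN=Admins,OU=Groups,DC=example,DC=com"]))
```

Note the difference between subst and exact for Group: with subst, a client-supplied Group of "Admin" also matches a DN such as CN=Admins,..., so use exact when the attribute is meant to gate certificate issuance.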
19.5.2 Changing the Relay Module service configuration
19.5.3 Remote exit basics
19.6 Synchronize User Lockout List
20 User messages and User accounting
20.1 User messages
20.2 Logged-in Users
21 KeyTalk Appliance License
22 Certificates and keys
22.1 Root CA
22.2 Primary CA
22.3 Signing CA
22.4 Communication CA
22.5 Server-Server Communication Key
22.6 Client-Server Communication Key
22.7 WebUI Certificate & Key
22.8 Server DevID Certificate & Key
22.9 DevID WebUI Certificate & Key
22.10 Backup & Restore
22.11 Create for RCCD
22.12 Generate
23 Errors and error reporting
24 LCD information display
25 Release notes
25.1 KeyTalk Appliance firmware
26 Manufacturer information

1 Introduction

Thanks for choosing KeyTalk. This product has been designed to make safe communication a reality. On top of that, KeyTalk has many additional benefits. With our patented KeyTalk technology you can easily provide your entire user comm
Figure 67: Configuring the LDAP Authentication module for a specific service

19.2.2.1 HwSig verification settings

HwSig (see section 18.2, Hardware Signature) verification settings allow for the optional configuration of HwSig verification for the specified service. By default the HwSig verification is set to Off.

Figure 68: Hardware Signature verification setting; select CHANGE to change the HwSig setting

Two other options are available for the HwSig verification:

• DevID: obtain the user's HwID from our DevID product solution.
• Exit: obtain the user's HwID using the settings of the authentication module. For the option Exit, in the case of the LDAP module the HwSig is obtained from the user's Hardware Signature field attribute.

When the DevID option has been chosen, make sure that the DevID Host & Port as well as the Group Name and Group Password are properly set.

Edit hardware signature settings for Service ES Test: HwSig Verification: Off; DevID Host; DevID Port; DevID
19.6 Synchronize user lockout list

This functionality is only applicable when running KeyTalk in a high availability configuration. It allows you to manually initiate a synchronization of all your User Lockout Lists, from all your Authentication Modules, for all services on the KeyTalk appliance. HA synchronizes automatically; the manual feature is meant for synchronization after adding a new system to your High Availability setup.

20 User messages and User accounting

20.1 User messages

User messages allow the organization's administrator to send a custom message to the user when their KeyTalk client authenticates. A common usage would be to inform users of network downtime announcements, for example. To create a user message, select USERS from the main menu and click on ADD.

Figure 92: Adding a user message

Type the message that needs to be sent to all users with a KeyTalk client and click OK to make the message available to your user community.

Figure 93: Adding a user message and making it available to the KeyTalk client users

An existing user message can be changed or removed by selecting the user message and clicking on CHANGE or REMOVE.
User ID: DemoUser; Enter new pincode; Re-enter new pincode.

Figure 62: Edit user pincode

19.1.2.3 LockOut

The User LockOut mechanism allows users to be temporarily suspended from subsequent logins when they enter wrong authentication credentials.

Figure 63: Enable/disable user lockout

Automatic lockout can be selected or not. Click OK to save the settings. When Automatic lockout is selected, the KeyTalk appliance will add, lock and release users automatically based on an incremental time penalty. The Admin can always manually release users before the time penalty expires, and can manually add or remove users in the LockOut table. When Automatic lockout is not selected, the system runs in manual mode, allowing the Admin to add any usernames for a permanent lock which can only be released manually. Adding users manually is done using the user ID: no check is performed by the system to see whether the user actually exists in the database used by the service's authentication module.

Figure 64: Manually adding a user to be locked out for a specific service

19.2 LDAP Module (includes Active Directory)

The LDAP module allows Active Directory (AD) and LDAP directories alike to be easily connected to KeyTalk.
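The lockout behaviour described for the Sqlite module here and, in identical terms, for the RADIUS module (section 19.3), as an added example (not KeyTalk's own code): automatic locking with an incremental time penalty on failed logins, permanent manual locks keyed by free-text user ID that only an admin can release, and admin release before a penalty expires. The penalty schedule (60 s, doubling per failure, capped at one hour) is this example's assumption; the manual says the penalty is incremental but gives no numbers.

```python
# Added example, not KeyTalk's own code: a per-service user lockout table with
# automatic (incremental penalty) and manual (permanent, admin-released) locks,
# as described for the Sqlite and RADIUS authentication modules.
# Assumed: penalty schedule base 60 s, doubling per failure, capped at 3600 s.
import time


class LockoutTable:
    """Lockout entries keyed by (service, user_id); until=None marks a permanent manual lock."""

    def __init__(self, automatic=True, base_penalty=60, max_penalty=3600, clock=time.time):
        self.automatic = automatic
        self.base_penalty = base_penalty
        self.max_penalty = max_penalty
        self.clock = clock          # injectable for testing
        self._locks = {}

    def is_locked(self, service, user_id):
        entry = self._locks.get((service, user_id))
        if entry is None:
            return False
        if entry["until"] is None:  # manual lock: only release() clears it
            return True
        return self.clock() < entry["until"]

    def record_failure(self, service, user_id):
        """Register a wrong credential. Returns the penalty applied in seconds,
        or None when automatic lockout is off (the admin must lock by hand)."""
        if not self.automatic:
            return None
        key = (service, user_id)
        entry = self._locks.setdefault(key, {"failures": 0, "until": 0.0, "reason": "auto"})
        if entry["until"] is None:
            return None             # already permanently locked
        entry["failures"] += 1
        # Incremental penalty: doubles with every failure, capped (assumed schedule).
        penalty = min(self.base_penalty * 2 ** (entry["failures"] - 1), self.max_penalty)
        entry["until"] = self.clock() + penalty
        return penalty

    def record_success(self, service, user_id):
        """A correct login after the penalty expired resets the failure counter."""
        entry = self._locks.get((service, user_id))
        if entry is not None and entry["until"] is not None:
            del self._locks[(service, user_id)]

    def manual_lock(self, service, user_id, reason="locked by admin"):
        """Permanent lock. user_id is free text: it is not checked against the user database."""
        self._locks[(service, user_id)] = {"failures": 0, "until": None, "reason": reason}

    def release(self, service, user_id):
        """Admin release, before the penalty expires or of a permanent lock."""
        return self._locks.pop((service, user_id), None) is not None

    def locked_users(self, service):
        """Users currently locked for one service, as the USERS tab would list them."""
        now = self.clock()
        return sorted(
            user for (svc, user), e in self._locks.items()
            if svc == service and (e["until"] is None or now < e["until"])
        )


if __name__ == "__main__":
    table = LockoutTable()
    for _ in range(3):
        print("penalty:", table.record_failure("DEMO_SERVICE", "DemoUser"))
    table.manual_lock("DEMO_SERVICE", "departed.employee")
    print("locked:", table.locked_users("DEMO_SERVICE"))
```

Two points the example makes explicit: the caller must consult is_locked() before attempting authentication at all (a locked user's password is never checked, so failures while locked do not leak whether the credential was right), and because a manual lock is keyed on free text, a typo in the user ID silently locks nobody.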
3 Back panel components

• Connector port for the power cable.
• USB port 1: it is possible to perform functional upgrades via a USB memory key using this USB port.
• USB port 2: it is possible to perform functional upgrades via a USB memory key using this USB port.
• RS232 port: manufacturer troubleshooting connector.
• Network Interface Connector (NIC, internal): for connection to other KeyTalk appliances in high availability mode, including DevID. The default IP for this connector is 172.16.1.1.
• Network Interface Connector (NIC, management): for connection to the local management device. The default IP for this connector is 10.1.1.1.
• Network Interface Connector (NIC, external): for connection to the external network. The default IP for this connector is 192.168.1.1.

Do not replace any components, as this will void your KeyTalk warranty. Note: replacing hardware components will result in malfunctioning of the system.

4 Top panel components

This section does not apply to the virtual version of the KeyTalk appliance. On the top panel of the appliance, between the front bezel and the appliance top cover, you will find a blue label.

Figure 3: Blue label with the appliance's tamper-evident serial number

This security label displays the unique appliance tamper-evident serial number and should not be removed. It is used for identification purposes in case support is requested. Removing or otherwise manipulating this label will cause the label to permanently
DevID Group Name; DevID Group Password.

Figure 69: Editing Hardware Signature settings for a specific service

19.2.2.2 LDAP attribute match settings

To configure the LDAP attribute match settings, choose CHANGE.

Figure 70: LDAP attribute match settings

The following menu will open:

Figure 71: Configuring the LDAP attribute match settings (Edit LDAP Match Settings for Service ES Test)

Using LDAP attribute match settings you can set a matching attribute, for example to allow a Hardware Signature to come from your LDAP attribute instead of from KeyTalk's DevID module. More likely, you will use these match settings for nested groups, or to allow only specific members of a security group to obtain a client certificate. Some examples can be found on the following pages. This overview explains the different fields and values: Attribute, Attribute match mode, Attribute value, Filter name
Form fields: HwSig Verification: Off; Hardware Signature; User: DemoUser; User Lockout: Automatically lock user on failed login; Lock Expiration; Lock Reason; ADD.

Figure 55: Configuring the Sqlite Authentication module for a specific service

By default the HwSig verification is set to Off. Two other options are available for the HwSig verification:

• DevID: obtain the user's HwID from the DevID product solution.
• Exit: obtain the user's HwID using the settings of the authentication module. For the option Exit, in the case of the Sqlite module the HwSig is obtained from the user's Hardware Signature field.

When the DevID option has been chosen, ensure that the DevID Host & Port and the additional password are properly set.

Edit hardware signature settings for Service DEMO SERVICE: HwSig Verification: DevID; DevID Host: 192.168.1.2; DevID Port: 5001; DevID Group Name: DEMO GROUP; DevID Group Password: (hidden).

Figure 56: Hardware Signature verification set to DevID

19.1.2.2 Add, change or remove a user

A user can be added, changed or removed:

• Add: click on ADD.
• Modify: select the appropriate user and click on CHANGE.
• Delete: select the appropriate user(s) and click on REMOVE.

Configure Sqlite Authentication
Figure 65: LDAP Authentication Modules

19.2.1 Adding an LDAP module

Before adding an LDAP authentication module a new service must be defined. This service may not be connected to another Authentication Module. Select ADD and select the service you wish to connect.

Figure 66: Adding an LDAP Authentication Module for a new service named ES Test

Click OK to save.

19.2.2 Changing an LDAP module configuration

To change the LDAP module configuration of a service, select the appropriate service from the LDAP Configuration Module list and select CHANGE. This brings up a large overview menu with several different LDAP module configuration options (Configure LDAP Authentication Module for Service ES Test).
Figure 76: RADIUS Authentication Module

When a RADIUS server is used for authentication purposes, for example when using security tokens, this module can be used to bind the RADIUS-based authentication to a KeyTalk service.

19.3.1 Adding a RADIUS module

To add a RADIUS module to a service, the service must exist and not be connected to another Authentication Module. Select ADD and select the service you wish to connect.

Figure 77: Adding a RADIUS Authentication Module for service DEMO_MY_RADIUS

19.3.2 Changing a RADIUS module configuration

To change the RADIUS module configuration of a service, select the appropriate service from the RADIUS Configuration Module list and select CHANGE.

Figure 78: Configuring the RADIUS Authentication Module for a specified service

19.3.2.1 HwSig verification settings

HwSig (see section 18.2, Hardware Signature) verification settings allow for the optional configuration of HwSig verification for the specified service. By default the HwSig verification is set to Off.

Figure 79: Hardware Signature verifica
efficient. By default KeyTalk has three authentication modules on board. Each module can be used multiple times, each instance with its own specific configuration:

• Internal Sqlite-based database
• LDAP/AD module
• RADIUS

Companies who wish to bind another type of authentication solution to KeyTalk can make use of our BackEnd API, allowing an easy integration of solutions such as an Oracle or SQL database.

19.1 Internal Sqlite database module

Figure 51: Configuring the Sqlite authentication modules

The Sqlite Modules section allows you to bind a service to a pre-configured internal database running on the KeyTalk appliance. Typically this module is used for testing purposes or small user communities. Though more user entries are possible, the number of users in the Sqlite database should not exceed 100, primarily to limit administrative effort.

By default the KeyTalk appliance has the DEMO SERVICE service enabled for testing purposes. The DEMO KeyTalk client RCCD comes pre-configured with this service and the default username DemoUser. This database should be removed before taking the KeyTalk appliance into production.

19.1.1 Adding a Sqlite module to a service

To add a Sqlite module to a service, make certain the serv
ent side.

Certificate Info; Key Info; Upload Certificate and Key: click Upload to upload a PEM file containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain the certificate or the key only.

Figure 102: Communication CA information and key upload functionality

A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2, Saving changes & reboot.

22.5 Server-Server Communication Key

This tab allows you to view the information of the Server-Server Communication Key and certificate. This certificate and key are required to encrypt the information exchange between KeyTalk servers in High Availability mode. For KeyTalk's DevID appliance there is a separate menu item, Server DevID. You can upload the combined certificate and key as a single file, or you can upload the key and the certificate as separate files in PEM format. There is no need to rename the files, as KeyTalk will do this for you.

Server-Server certificate and key are used to secure communication between RESE
have their own log destination that can be configured individually.

Auth Daemon Logging Settings: Log Location: local; Logging Host; Log Severity: debug.

Figure 33: Daemon logging settings, e.g. for the authentication daemon log

Log Location allows the Admin to choose between local logging (default) and remote logging. When local logging is chosen, the appropriate daemon's log file is stored on the local KeyTalk appliance until it reaches a size of 250k; after that the local log file rotates to a fresh log file. Choosing remote logging requires setting a host. Remote logging allows for a continuous log file on your syslog server. Log Severity ranges from minimal logging at the emerg (emergency) level, via the standard level of warning, up to the most comprehensive log file under the debug setting.

16 Network settings

16.1 Configure interfaces

To configure the network, network administration knowledge is required. The KeyTalk appliance makes use of four interfaces. These can be configured by selecting NETWORK from the main menu, followed by Configure Interfaces.
installed, it may serve as a root for the certificate tree generated on the appliance.

Certificate Info: no certificate found; Key Info: no key found. Upload Certificate and Key: click Upload to upload a PEM file containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain the certificate or the key only.

Figure 99: Root CA information and key upload functionality

A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2, Saving changes & reboot.

22.2 Primary CA

The Primary CA is a private key and is normally the root of the certificate tree, unless the Root CA is installed and is the issuer of the Primary CA. After generation this key is kept offline and is usually stored on portable media in your safe. Depending on your security requirements it can be distributed in parts for safekeeping among several custodians. This file also contains the Primary CA Certificate in PEM format.
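A pre-upload check for the PEM rules stated on the Root CA tab above and, in the same words, on the Communication CA tab (section 22.4): the file may hold certificate and key together or either alone, and the key must not be password-protected. This is an added example, not KeyTalk's own code. It recognises the two ways a PEM private key is encrypted, the PKCS#8 "ENCRYPTED PRIVATE KEY" label and the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header; the PEM bodies in the sample constants are constructed placeholders, not real key material.

```python
# Added example, not KeyTalk's own code: check a PEM file against the upload
# rules on the Root CA / Communication CA tabs before sending it to the appliance
# (certificate and/or key present; private key must not be password-protected).
# The sample PEM bodies below are constructed placeholders, not valid DER.
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def inspect_pem(text):
    """Return counts of certificate and key blocks and whether any key is encrypted."""
    certificates = keys = 0
    encrypted = False
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group("label"), match.group("body")
        if label == "CERTIFICATE":
            certificates += 1
        elif label == "ENCRYPTED PRIVATE KEY":     # PKCS#8, always encrypted
            keys += 1
            encrypted = True
        elif label.endswith("PRIVATE KEY"):        # "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"
            keys += 1
            if "Proc-Type: 4,ENCRYPTED" in body:   # legacy OpenSSL encryption header
                encrypted = True
    return {"certificates": certificates, "keys": keys, "encrypted_key": encrypted}


def upload_problems(text):
    """List the reasons the appliance's upload rules would reject this PEM text."""
    info = inspect_pem(text)
    problems = []
    if info["certificates"] == 0 and info["keys"] == 0:
        problems.append("no PEM certificate or key block found")
    if info["encrypted_key"]:
        problems.append("private key is password-protected; export it unencrypted")
    return problems


# Constructed samples (base64 bodies are placeholders).
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIBsz...\n-----END CERTIFICATE-----\n"
CERT_AND_KEY = CERT_ONLY + "-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nMIIEow...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHD...\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in [("cert only", CERT_ONLY), ("cert+key", CERT_AND_KEY),
                      ("legacy encrypted", LEGACY_ENCRYPTED), ("pkcs8 encrypted", PKCS8_ENCRYPTED)]:
        print(name, inspect_pem(pem), upload_problems(pem) or "ok")
```

The unencrypted-key requirement means the file is sensitive the moment it is exported: decrypt it only on the machine you upload from and delete it once the upload has succeeded and the change has been saved (section 8.2).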
Figure 34: Configuring interfaces

Interface types:

• Loopback: cannot be configured from the Admin GUI.
• Internal: corresponds to the internal NIC, see section 3, Back panel components.
• External: corresponds to the external NIC, see section 3, Back panel components.
• Management: corresponds to the management NIC, see section 3, Back panel components.

To configure a specific interface, select the appropriate box and click on CHANGE.

Interface Type / IPv4 Address / IPv4 Subnet Mask
Loopback / 127.0.0.1 / 255.0.0.0
Internal / 172.16.1.1 / 255.255.0.0
External / 192.168.1.1 / 255.255.255.0
Management / 10.1.1.1 / 255.0.0.0

Figure 35: Changing the Internal interface type

Edit Network Interface Settings: Interface Type: Internal; IPv4 Configuration: manual; IPv4 Address: 172.16.1.1; IPv4 Subnet Mask: 255.255.0.0; IPv6 Configuration: manual; IPv6 Address: fd7c:ac10:101 (as shown); IPv6 Prefix Length: 64. Changing the internal interface settings will cause all running RESEPT daemons bound to the internal interface to restart.

Figure 36: Edit Network Interface settings

Configure the items you wish to change and select OK to save these changes. To change the KeyTalk appliance default
please refer to section 8.2, Saving changes & reboot.

22.10 Backup & Restore

This tab allows you to make a full backup of your current certificates and keys, as well as to restore that backup if required.

Figure 108: Backup and restore functionality

Click Backup to save all currently installed certificates and keys to your computer. Click Restore to restore all certificates and keys from the previously made backup. The KeyTalk appliance will reboot afterwards to effectuate the changes.

22.11 Create for RCCD

This tab allows you to download all PUBLIC material required to create your own RCCD files for your organization within the KeyTalk signing portal. To access the KeyTalk signing portal you are required to either be a KeyTalk partner serving at least one active customer, or be an active customer. Potential customers who are trying out the free trial software under the demo license may contact KeyTalk support or a relevant KeyTalk partner to enter into an agreement, free of charge, to
use KeyTalk with unique key material for Proof of Concept purposes for an agreed amount of time.

Create for RCCD: click Create to save a package with public key material for RCCD creation to your computer.

22.12 Generate

This tab allows you to edit specific criteria for the certificates that are generated on the appliance. Always ensure your parent certificate has the same or higher values than its child with respect to the signature algorithm, the lifetime and the key size. The Signing CA signs the client certificates that get issued: when you choose SHA256, your client certificates will also make use of SHA256 hashing.

Figure 109: Edit specific criteria for all hosted certificates (Primary CA: CN keytalk Demo PCA, Key Size 4096 bits, Include Root CA; "Generate Tree" generates a certificate tree using the configuration specified on the page; when done you will be prompted to install the generated certificates)

Click on CHANGE to e
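The parent-versus-child rule stated above for the Generate tab, as an added example (not KeyTalk's own code): walk the tree from root to leaf and report every place where a parent has a weaker signature hash, a smaller key or a shorter lifetime than its child. The hash strength ranking and the sample tree values are this example's own assumptions.

```python
# Added example, not KeyTalk's own code: verify that every parent certificate in
# the generated tree has the same or higher signature hash, key size and lifetime
# than its child, the rule given for the Generate tab.
# Assumed here: the hash strength ranking and the constructed sample tree values.

_HASH_RANK = {"sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}


def tree_violations(tree):
    """tree: list of dicts ordered root to leaf, each with name, hash, key_bits,
    lifetime_days. Returns a list of violations; empty means the tree is consistent."""
    problems = []
    for parent, child in zip(tree, tree[1:]):
        if _HASH_RANK[parent["hash"]] < _HASH_RANK[child["hash"]]:
            problems.append(
                f'{parent["name"]} signs with {parent["hash"]} but {child["name"]} uses {child["hash"]}')
        if parent["key_bits"] < child["key_bits"]:
            problems.append(
                f'{parent["name"]} key ({parent["key_bits"]} bits) is smaller than '
                f'{child["name"]} key ({child["key_bits"]} bits)')
        if parent["lifetime_days"] < child["lifetime_days"]:
            problems.append(
                f'{parent["name"]} lifetime ({parent["lifetime_days"]} days) is shorter than '
                f'{child["name"]} lifetime ({child["lifetime_days"]} days)')
    return problems


# Constructed sample trees (Primary CA -> Signing CA -> client certificate).
SAMPLE_TREE = [
    {"name": "Primary CA", "hash": "sha256", "key_bits": 4096, "lifetime_days": 7300},
    {"name": "Signing CA", "hash": "sha256", "key_bits": 4096, "lifetime_days": 3650},
    {"name": "client certificate", "hash": "sha256", "key_bits": 2048, "lifetime_days": 1},
]

BROKEN_TREE = [
    {"name": "Primary CA", "hash": "sha1", "key_bits": 2048, "lifetime_days": 365},
    {"name": "Signing CA", "hash": "sha256", "key_bits": 4096, "lifetime_days": 3650},
]

if __name__ == "__main__":
    print(tree_violations(SAMPLE_TREE) or "sample tree ok")
    for problem in tree_violations(BROKEN_TREE):
        print("violation:", problem)
```

Lifetime here is the configured validity period; when an existing Primary CA is reused, also check that the Signing CA's notAfter date falls before the Primary CA's, since a longer lifetime setting on a child generated later can still exceed the parent's expiry.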
User: admin. The default password is "change", but this could have been changed under section 10, Changing KeyTalk passwords. Please remember to use your new password.

Because the appliance is configured to use a self-signed SSL certificate by default, you will likely get a warning that the security certificate was not issued by a trusted certificate authority. In this case ignore the warning and continue to the website.

(Sample browser warning)

To avoid this warning you must install a certificate from a trusted party, such as VeriSign, GoDaddy, GlobalSign or Cybertrust, or from your own KeyTalk Certificate Authority. See the following section for details.

8.1 Replacing the Admin GUI SSL certificate

By default a self-signed SSL certificate is used to access the appliance over https://10.1.1.1:3000. You should replace this SSL certificate with your own. A certificate can also be obtained from a well-known party such as VeriSign, GoDaddy, GlobalSign or Cybertrust. In the main menu select CERTIFICATES AND KEYS and select WebUI. Upload your own SSL certificate by clicking on Browse, selecting the SSL certificate and clicking on UPLOAD.

WebUI certificate and key are used to secure access to the KeyTalk server via web browser. Certificate Info; Key Info; Upload Certificate and Key.
10.1.1.0 network, so that you are able to connect to 10.1.1.1.

Sample screenshots on a Windows 7 64-bit PC of how to configure your IP from Local Area Connection Properties (Internet Protocol Version 4 (TCP/IPv4) Properties).

Figure 20: Configure your IP

8 KeyTalk Admin GUI

The KeyTalk appliance Graphical Admin Interface can be accessed with a browser using the following URL: https://10.1.1.1:3000. Note: pay attention to the S in HTTPS and port 3000.
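A sanity check for the interface assignments in section 16.1 (Figure 35) and for the management PC address this step asks for, as an added example (not KeyTalk's own code). It derives each NIC's subnet from the address and netmask, reports NIC pairs whose subnets overlap, and tells whether an admin PC address lies in the Management NIC's subnet. The interface values are the appliance defaults from the figure; the overlap rule itself is this example's own check.

```python
# Added example, not KeyTalk's own code: check the appliance's NIC assignments
# for overlapping subnets and verify an admin PC can reach the Management NIC.
# Interface values are the defaults shown in the manual's interface table.
import ipaddress

DEFAULT_INTERFACES = {
    "Loopback":   ("127.0.0.1", "255.0.0.0"),
    "Internal":   ("172.16.1.1", "255.255.0.0"),
    "External":   ("192.168.1.1", "255.255.255.0"),
    "Management": ("10.1.1.1", "255.0.0.0"),
}


def interface_networks(interfaces):
    """Map interface name -> IPv4Network for a {name: (address, netmask)} dict."""
    return {
        name: ipaddress.IPv4Interface(f"{addr}/{mask}").network
        for name, (addr, mask) in interfaces.items()
    }


def overlapping_interfaces(interfaces):
    """Return sorted pairs of interface names whose subnets overlap (Loopback excluded).
    Two NICs in overlapping subnets leave the appliance with ambiguous routes."""
    nets = {n: net for n, net in interface_networks(interfaces).items() if n != "Loopback"}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def can_reach_management(pc_address, interfaces):
    """True when the admin PC's address lies in the Management NIC's subnet."""
    return ipaddress.IPv4Address(pc_address) in interface_networks(interfaces)["Management"]


if __name__ == "__main__":
    print(overlapping_interfaces(DEFAULT_INTERFACES) or "no overlapping subnets")
    # Constructed mistake: moving the External NIC into 10.2.0.0/16 collides with
    # the Management NIC's default 10.0.0.0/8.
    mistaken = dict(DEFAULT_INTERFACES, External=("10.2.0.1", "255.255.0.0"))
    print(overlapping_interfaces(mistaken))
    print(can_reach_management("10.1.1.50", DEFAULT_INTERFACES))
```

The default Management netmask 255.0.0.0 makes the whole of 10.0.0.0/8 "the management subnet"; when the appliance is moved to a corporate 10.x network, narrow that mask before connecting the external NIC (step 10), or the overlap check above will fire for any 10.x external address.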
25. 5.6 Step 6 Edit network interface settings
Configure the IP Address, Subnet Mask and Default Gateway to match your own network topology and click OK to save these settings.
Figure 9 Network Interface Settings (Edit Network Interface Settings form: Interface Type External; IPv4 Configuration manual; IPv4 Address; IPv4 Subnet Mask; IPv6 Configuration manual; IPv6 Address; IPv6 Prefix Length 64)
Note: Optionally you can set a gateway for each NIC separately.

5.7 Step 7 Change administrator password
To guarantee the best security possible it is important to change all user passwords before step 10, Connecting the appliance to the external network. The Graphical Administrator Interface can be used when required for maintenance. The Admin authentication credentials are by default set to:
Graphical Administrator Interface (Admin GUI): User admin, Password change
In order to change the Graphical Administrator Interface password do the following: in the upper menu select the DEVICE tab and select Admin Password.
Figure 10 Changing Graphical Administrator Interface password (DEVICE menu: Change Device Web Access Password, Change Device Admin Username, Change Device Admin Password)
Enter both the current and the new password and confirm the new password in the Change Device Web Access...
26. ...CANCEL
Figure 81 RADIUS server connectivity settings
The fields of the RADIUS server connectivity settings are:
Server IP: The IP number of the RADIUS server. Any valid IP number.
Port: The communication port number. Any valid port number; use 0 to have the port detected automatically.
Secret: The RADIUS shared secret.
Timeout (sec): Amount of time assumed for a timeout period before retrying.
OTP Time Offset RADIUS Attribute Code: Code of the RADIUS attribute holding the value of the time difference between the KeyTalk client and the KeyTalk server. This attribute is communicated to the RADIUS server and is used during One Time Password (OTP) authentication.
Use EAP: Whether the Extensible Authentication Protocol (EAP) shall be used to communicate with the RADIUS server.
EAP Authentication Method: Available when Use EAP is selected. The following EAP methods are supported by the KeyTalk server (acting as authenticator):
- Auto password: When the RADIUS server is configured with one of the password-based EAP methods (EAP-MD5, LEAP, EAP-MSCHAPv2, EAP-GTC, EAP-TLS, PEAP, EAP-TTLS) the exact method to be used is automatically negotiated between the KeyTalk server and the RADIUS server.
- PEAP: Use PEAP password-based authentication. For PEAP authentication the RADIUS CA certificate is required to verify the RADIUS server identity.
- EAP-TTLS: Use EAP-TTLS password-based authentication. For EAP-TTLS authentication the RADIUS CA certificate is required to verify the RADIUS server identity.
- AKA/SIM: Use EAP-AKA or EAP-SIM challenge-response authentication. The exact method is automa...
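What the shared secret configured above actually protects on the wire, as an added example that is not KeyTalk code and is not taken from this manual: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python. The client side (the KeyTalk server in its authenticator role) hides the User-Password under the shared secret, the RADIUS server proves it holds the same secret through the Response Authenticator, and the client drops any reply whose authenticator does not verify instead of treating it as a reject. EAP, the OTP time-offset attribute and the socket/timeout retry loop are left out. The secret, user name, password and the in-memory user database are constructed values.

```python
import hashlib
import os
import struct
from typing import Dict, List, Tuple

# Added example (not KeyTalk code): the RFC 2865 mechanics that the RADIUS
# shared secret protects. Attributes are encoded as Type/Length/Value TLVs.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def _parse_attrs(data: bytes) -> Dict[int, bytes]:
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[i + 2:i + ln]
        i += ln
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    req_auth = os.urandom(16)   # Request Authenticator: unpredictable per request
    body = _attrs([(USER_NAME, user),
                   (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_handle(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Constructed RADIUS server: recover the password, decide, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    user = attrs.get(USER_NAME)
    code = ACCESS_ACCEPT if user in users and users[user] == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)   # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def client_verify_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """Return 'accept', 'reject' or 'forged'. Only a party holding the same
    secret can produce a Response Authenticator that verifies; a reply with a
    bad identifier or authenticator must be dropped, never treated as a reject."""
    req_ident, req_auth = request[1], request[4:20]
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != req_ident:
        return "forged"
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return "forged"
    return "accept" if code == ACCESS_ACCEPT else "reject"


SECRET = b"constructed-shared-secret"                # constructed, not a deployment value
USERS = {b"DemoUser": b"correct horse battery"}      # constructed user database


def demo() -> Dict[str, str]:
    good_req = build_access_request(7, b"DemoUser", b"correct horse battery", SECRET)
    bad_req = build_access_request(8, b"DemoUser", b"wrong", SECRET)
    return {
        "accept": client_verify_reply(good_req, server_handle(good_req, SECRET, USERS), SECRET),
        "reject": client_verify_reply(bad_req, server_handle(bad_req, SECRET, USERS), SECRET),
        # A server configured with a different secret can neither recover the
        # password nor sign a reply that the client will accept.
        "wrong_secret": client_verify_reply(good_req, server_handle(good_req, b"other", USERS), SECRET),
    }
```

The Timeout field in the table above governs how long the client waits for a reply before retransmitting the same request; because the Request Authenticator is random per request, a retransmission must reuse the original packet (same identifier and authenticator) or the server cannot correlate it.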
27. - Add: Click on ADD
- Modify: Select the existing service and click on CHANGE
- Delete: Select the existing service and click on REMOVE
Figure 49 Adding, modifying, deleting a service (SERVICES tab overview)
The following pages describe all the fields of the service.
Figure 50 Edit Service form for DEMO_SERVICE (the demo service bound to the internal SQLite authentication module, for DEMO purposes, not for production): Service Name; Required Credentials; Key Size (bits) 2048; URI; File URI Digest; Check URI; Execute Synchronously; HWSIG Formula; Split Domain and Userid; Add 3 Random Characters to CN; Country NL; State Utrecht; City/Locality Amersfoort; Organization; Organizational Unit; Email; Time To Live (sec) 3600; Time From Correction (sec) 3600; Basic Constraints CA:FALSE; Key Usage (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment)
28. Figure 5 Sample warning
You will then go to the admin login page for KeyTalk.
NOTE: When running the virtual appliance it may not be possible for you to reach the 10.1.1.1:3000 address because of the subnet you use. In this case kindly refer to chapter 6.1.

5.4 Step 4 Authenticating to the administrator interface
The default authentication credentials to access the KeyTalk administrator interface role are: User admin, Password change
Figure 6 Login to KeyTalk administration page after ignoring the certificate warning (browser Authentication Required dialog for https://10.1.1.1:3000; User Name admin)
This user has full access to all the options on the KeyTalk device. The homepage of KeyTalk will open.
Figure 7 Homepage KeyTalk

5.5 Step 5 Set network configuration
For configuring the network, network administration knowledge is required. To set the network configuration select the NETWORK tab in the upper menu, select Configuration Interface, enable the External checkbox and select CHANGE.
Figure 8 Setting network configuration
5.6 Step...
29. ...LICENSE, CERTIFICATES AND KEYS, NETWORK, DEVICE, HIGH AVAILABILITY, LOGS
Figure 85 Relay Authentication Modules (AUTHENTICATION MODULES tab: SQLite Modules, LDAP Modules, RADIUS Modules, Relay Modules)
Relay Modules allow you to make use of the REMAP API (REMAP: KeyTalk Exit Module Authentication Protocol) to connect to authentication solutions which are not supported by KeyTalk by default. Customers and partners of KeyTalk have made available some unsupported API implementations, which can be requested through your KeyTalk supplier or partner.

19.5.1 Adding a Relay Module
To add a Relay Module to a service, the service must already exist and must not be connected to another Authentication Module. Select ADD and select the service you wish to connect.
Figure 86 Adding a Relay Authentication Module (Add Relay Authentication Module: Service DEMO_SERVICE, OK)

19.5.2 Changing the Relay Module service configuration
To change the configuration settings, select the Relay Module service for which you wish to change the configuration and select CHANGE.
Figure 87 Configuring the Relay Authentication Module for a specified service (Configure Relay Authentication Modules: Service DEMO_SERVICE)
You will now see the current configuration, which can be changed by selecting CHANGE.
Configure Relay Authentication Module for Service DEMO_SERVICE: Remote Host; Remote Port 9001; Use TLS Server Communications; Key Signer CA; ...
30. ...Jun 12 | Replaced the product name RESEPT with KeyTalk. This change in name has not yet been realized in the software.

Table of contents
1 Introduction 7
1.1 Getting started 9
1.2 Installation 9
1.2.1 Using the RIO 9
1.2.2 ... 9
1.3 System configurations 10
1.3.1 Optional configurations 10
2 Front Panel Components 11
3 Back Panel Components 12
4 Top Panel Components 13
5 Quick Start Guide 14
5.1 Step 1 Powering the physical appliance 14
5.2 Step 2 Connecting the appliance to the internal network 14
5.3 Step 3 Connecting to the appliance administrator interface 15
5.4 Step 4 Authenticating to the administrator interface 16
5.5 Step 5 Set network configuration 17
5.6 Step 6 Edit network interface settings 17
5.7 Step 7 Change administrator password 17
5.8 Step 8 DNS & NTP Date/Time customization 18
5.9 Step 9 Save the current configuration 20
5.10 Step 10 Connecting the appliance to the external network 21
5.11 Step 11 Testing the KeyTalk solution 21
6 IPv4, IPv6 and virtual NICs 24
6.1 VMware prompt-based IP address changes 24
6.2 VMware prompt-based changing network interfaces 24
7 Setting up the appliance 25
7.1 Powering the physical appliance 25
7.2 Connecting the appliance to the internal network 25
8 KeyTalk Admin GUI 26
8.1 R...
31. ...KEYS, NETWORK, DEVICE, HIGH AVAILABILITY, LOGS
Figure 42 Configuring daemons
The next sub-sections describe how these two daemons can be configured.

17.1 Certificate Authority daemon (CAD) settings
To configure the Certificate Authority daemon, select CAD Settings in the DAEMONS tab.
Figure 43 Configuring the CAD Settings (Configure CAD Settings: Save Signing Key Password checkbox, Signing Key Password)
The CAD is responsible for the creation of the user certificates and keys. When a password is present on your CAD Signing Key, you may wish to store it so that the CAD can start after a REBOOT without an operator entering it; note that a stored password means the signing key is then protected only by access control to the appliance itself (see section 17.3 for the security implications). The default password on the KeyTalk DEMO is blank. Select OK to save.

17.2 High Availability daemon settings
To configure the High Availability daemon, select HAD Settings in the DAEMONS tab.
Figure 44 Configuring the HAD Settings (Configure HAD Settings: HadSyncService; Binding Interface Type Loopback; Binding Port 7001)
The HAD is responsible for discovery and synchronization between the other physical KeyTalk appliances. Select the Binding Interface Type:
- Loopback: See section 16.1 Configure interfaces for the description of this interface type.
- Internal: See section 16.1 Configure interfaces for the description of...
32. KeyTalk Firmware 4.3.3 Administrator Appliance Manual: Installation and settings
This document is the property of KeyTalk BV. This is a controlled document: it may be copied and distributed through other channels, but nothing in it may be changed without the knowledge and consent of KeyTalk BV or its operational branch KeyTalk 1 BV. Copyright KeyTalk BV. All rights reserved. The information in this document is subject to change without notice. KeyTalk BV assumes no liability for any damages incurred directly or indirectly from any errors, omissions or discrepancies between the software and the information contained in this document. KeyTalk is a registered trademark and the KeyTalk logo is a trademark of KeyTalk BV.
Document name: KeyTalk Administrator manual
Version: 4.3.03
Date: 27 Oct 14

Document control
Document information
Revision | Date | Summary of Changes
4.002 | 22 Jun 11 | Initial release
4.003 | 13 Jul 11 | Added chapter on LCD display; updated Remote Exit chapter
4.004 | 25 Jul 11 | Additional information added on HAD chain. Updated chapters 5, 12.2, 13, 15, 17, 19, 21.3, 21.4, 21.5, 22.1, 22.2, 23.1.2.2, 23.1.2.3, 23.2.2.2, 27. Added chapter 2.1. Updated screenshots
4.005 | 16 Aug 11 | TrustAlert brand replaced with Elephant Security; updated chapters 17, 21, 23, 25, 27
4.101 | 23 Jan 12 | Update to KeyTalk Firmware version 4.2
4.102 | 17 Feb 12 | Updated chapters 25.2 to 25.6
4 2 19
33. ...Module for Service DEMO_SERVICE (HwSig Verification Off; Hardware Signature; user DemoUser; ADD, CHANGE, REMOVE; User Lockout: Automatically lock user on failed login, Lock Expiration, Lock Reason)
Figure 57 Adding, changing, removing a user
Adding or changing a user allows for entering the basic details of a user.
Figure 58 Edit user for a specific user belonging to a specific service (Edit User for Service DEMO_SERVICE: User ID DemoUser; Hardware Signature; Password; Pincode)
The password and pincode will only be verified when they are configured as required credentials on the service page. Setting or changing the optional password of a user requires selecting the password paper-and-pen icon.
Figure 59 Setting/changing a password for a user
Figure 60 Edit user password (Edit User password for Service DEMO_SERVICE: User ID DemoUser; Enter new password; Re-enter new password)
Setting or changing the optional pincode of a user requires selecting the Pincode paper-and-pen icon.
Figure 61 Setting/changing the pincode for a user
Edit User pincode for Service DEMO_SERVICE...
34. ...servers in a High Availability setup.
Figure 103 Server-Server certificate information and key upload functionality (Certificate Info; Key Info: RSA 2048 bits; Upload Certificate and Key: click Upload to upload a PEM containing certificate and key, the key should not be protected with a password, it is also possible for the PEM file to contain certificate or key only; Download Certificate and Key: click Download to download certificate and key as a single PEM file)
This screen allows you to download and remove the current certificate and key and to upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent please refer to section 8.2 Saving changes & reboot. Note that the downloaded PEM contains the unencrypted private key: treat it as you would the appliance's own key material and delete the copy once it is no longer needed.

22.6 Client-Server Communication Key
This tab allows you to view the information of the KeyTalk Client-Server key and certificate. This certificate and key are required to establish a secure co...
35. ...CERTIFICATES AND KEYS, NETWORK, DEVICE, HIGH AVAILABILITY, LOGS
Figure: CERTIFICATES AND KEYS, Primary CA tab (the Primary CA is normally the root of the certificate tree, unless a Root CA is installed and is an issuer for the Primary CA; Certificate Info; Key Info; Upload Certificate and Key: click Upload to upload a PEM containing certificate and key, the key should not be protected with a password, it is also possible for the PEM file to contain certificate or key only)
A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent please refer to section 8.2 Saving changes & reboot.

22.3 Signing CA
This tab allows you to upload your own signing certificate and key, used to issue user certificates and keys. When you have a separate key and certificate you can upload these individually and KeyTalk will combine them for you.
Figure: CERTIFICATES AND KEYS, Signing CA tab (the Signing CA is used by CAD to sign generated certificates; the RESEPT server requires both certificate and key, the RESEPT client only requires the certificate (UCA), which is included in the RCCD file; Certificate Info...)
36. ...By default the pre-configuration is based on IPv4; however, IPv6 is fully supported. The focus of the manuals and training is on IPv4, and they will not go into detail on IPv6 configuration. Sample screenshots on a Windows 7 64-bit PC show how to configure your IP.
Figure 4 IP configuration on a Windows 7 64-bit PC (Local Area Connection Properties, Internet Protocol Version 4 (TCP/IPv4) Properties)

5.3 Step 3 Connecting to the appliance administrator interface
The KeyTalk appliance Graphical Admin Interface can be accessed by browser over the following URL: https://10.1.1.1:3000
Note: Pay attention to the S in HTTPS and port 3000.
Because the appliance is configured with a self-signed SSL certificate by default, you will likely get a warning that the security certificate was not issued by a trusted certificate authority. In this case ignore the warning and continue to the website. This is a workaround for the initial setup only: a trusted certificate should be obtained from a known certificate authority such as VeriSign, GoDaddy or Cybertrust, or from the KeyTalk Certificate Authority, before going into production. When that certificate is installed no warning should occur, and any warning that does appear afterwards should be treated as a sign of a misconfiguration or an interception attempt rather than ignored.
37. ...HIGH AVAILABILITY, LOGS
Figure 48 Stop/start daemons & status
When the CAD is started, the Signing Key password may need to be entered if a password has been set on the key. To reduce the work for the Admin it is possible to store the password. This has security implications, because the stored password removes the need for an operator to unlock the signing key at boot and the protection of the key then rests entirely on access control to the appliance; the option is available so that you can fit it to your company's security policy. How to store the CAD signing key password is described in section 17.1 Certificate Authority daemon (CAD) settings.

18 Services
A service is a group of users that follow the same authentication method and default certificate time-to-live. Usually this group of users belongs to the same department, organization or company, or uses the same type of device. Services define the default values you wish to make available in the client X.509v3 certificates created, distributed and installed by KeyTalk. An example value for the organization attribute is O=Example.com. Additionally, attributes in the certificate can be mapped to Active Directory attribute fields. Multiple services can be configured, allowing you to set up a multitude of services on a single KeyTalk instance.

18.1 Creating/modifying a service
To manage services, select SERVICES from the main menu. An overview of the existing services is displayed. In this overview you will find a summary of the service settings and applicable comments. The following options are available for Services:
38. ...Key Usage (keyAgreement); Extended Key Usage (clientAuth); Subject Alternative Name (nsBaseUrl contains service name DEMO_SERVICE); Comment
Figure 50 Edit a service
Service Name: The name assigned to the Service.
Required Credentials: Select which authentication process and credentials are required. These credentials will be requested from the KeyTalk Client configured with the given service. UserID and HwSig (Hardware Signature) are always on and will be sent from the client to the server. PASSWD (password), PIN and Challenge/RESPONSE are all optional.
Key Size (bits): Use the dropdown list to select the preferred RSA key length: 512, 1024, 2048 or 4096 bits. Note that the key size should not exceed the key length of the CAD daemon signing certificate. If in doubt about the correct key size, consult your KeyTalk supplier or partner.
URI: This is the URI pushed from the KeyTalk appliance to the KeyTalk Client using the specific service. Leave it empty when nothing needs to be invoked. When a URL is used, it can be used to trigger the KeyTalk client when an appropriately supported browser goes to the specific base URL, for example https://webdemo.reseptdemo.com. Alternatively, when the KeyTalk client has obtained the certificate, the client will start the specified URI. Instead of a URL the URI can also contain a reference to a local file or program, for example file://yourfilelocation/yourfilename. Note: environment variables are respected. Starting a program (filename) can also be done with parameters. Note that double quotes (") must be used when spaces are included in a path or when using space-separated parameters. Note: be careful not to use http:// addresses, as these are not secure.
File URI Digest: Optional field containing the SHA-256 of the file URI.
Check URI: Tick to force a verification of the URI. When a URL is used, the IP needs to match on both server and client side. When an executable is started, its SHA-256 will be calculated and verified. For all other URI schemes, including an empty URI, no verification is performed.
Execute Synchronously: When the URI is an executable, this option allows you to set the client to run synchronously: the KeyTalk client will run until the executable finishes when selected, or asynchronously when not selected.
HWSIG Formula: The HwSig formula specifies the list of hardware components on the user's device used for calculation of the Hardware Signature (HwSig). The formula is comma-separated and can contain the HwSig component number references in any order and as often as you like. Do note that the order and repetition of component numbers matter. For example 0,1,2,5,4,5 or 0,0,0,6,7,3,3,8,9,14,11. For more information on the HwSig please refer to section 18.2 Hardware Signature.
Split Domain and Userid: Indicates whether an authentication module should split a fully qua...
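The File URI Digest and Check URI behaviour described above, as an added example that is not the KeyTalk client's code and is not taken from this manual: a Python function that applies the stated rules (a file:// URI is hashed with SHA-256 and compared to the configured digest, a plain http:// URI is refused as insecure, other schemes and an empty URI are not verified). The function names, the constructed sample executable written to a temporary directory, and the decision that a ticked Check URI with no digest configured is a rejection are assumptions; the manual only says the digest is calculated and verified.

```python
import hashlib
import os
import tempfile
from typing import Tuple
from urllib.parse import urlparse
from urllib.request import url2pathname

# Added example (not KeyTalk code): client-side evaluation of a service's
# URI, File URI Digest and Check URI settings as the manual describes them.


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_uri(uri: str, file_uri_digest: str, check_uri: bool) -> Tuple[str, str]:
    """Return (verdict, detail), where verdict is one of:
      "skip"   - no verification performed (empty URI, or a non-file scheme)
      "ok"     - file:// URI whose SHA-256 matches the configured digest
      "reject" - plain http://, or Check URI is on and the digest is missing/mismatched
    """
    if not uri:
        return "skip", "empty URI, nothing to invoke"
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()

    # The manual warns against http:// addresses: refuse them outright.
    if scheme == "http":
        return "reject", "plain http:// URI is not secure"

    if scheme != "file":
        # https:// and other schemes: no digest check applies here (for URLs the
        # manual only requires the IP to match on server and client side).
        return "skip", "no digest verification for scheme '%s'" % scheme

    path = url2pathname(parsed.path)   # assumes a POSIX-style file:///path URI
    if not os.path.isfile(path):
        return "reject", "file not found: %s" % path

    actual = sha256_file(path)
    if not check_uri:
        # Check URI unticked: the digest is informational only.
        return "ok", "check disabled, sha256=%s" % actual

    expected = (file_uri_digest or "").strip().lower()
    if not expected:
        return "reject", "Check URI is on but no File URI Digest is configured"
    if actual != expected:
        return "reject", "digest mismatch: expected %s, got %s" % (expected, actual)
    return "ok", "digest verified"


def demo() -> dict:
    """Run check_uri over a constructed sample executable; returns the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "helper.bin")
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample\n")   # constructed file
        good = sha256_file(exe)
        file_uri = "file://" + exe
        return {
            "good": check_uri(file_uri, good, True)[0],
            "tampered": check_uri(file_uri, "0" * 64, True)[0],
            "unconfigured": check_uri(file_uri, "", True)[0],
            "unchecked": check_uri(file_uri, "", False)[0],
            "http": check_uri("http://webdemo.reseptdemo.com", "", True)[0],
            "https": check_uri("https://webdemo.reseptdemo.com", "", True)[0],
            "empty": check_uri("", "", True)[0],
        }
```

The "unconfigured" case is the one to watch operationally: ticking Check URI for an executable without filling in File URI Digest gives the client nothing to compare against, so the safe interpretation is to refuse to run the program rather than to skip the check.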
40. ...bility Virtual Interface
When running multiple KeyTalk servers you may wish to combine them in a redundancy group. One logical KeyTalk server maps onto one or more physical KeyTalk appliances (servers) sharing the same redundancy group ID. From the KeyTalk Client perspective it behaves as one server with one IP address. This IP address is provided by a virtual interface called the High Availability (HA) interface. When any server from the group stops working, another server from the same group automatically takes over the communication, transparently for all KeyTalk clients. High Availability is not a substitute for load balancing. The current limitation of High Availability for the KeyTalk appliance is that it is bound to one network IP range. To configure High Availability, from the main menu select NETWORK, then select Configure HA Interface.
Figure 40 Configuring the High Availability Virtual Interface
Make the appropriate configuration changes and select OK.

16.4 Configure KeyTalk client listening port
It is very unlikely that you will have to change the port number on which the KeyTalk appliance listens for the KeyTalk Client, as the default port 80 will pass most firewalls. If you would like to change the port, select NETWORK from the main menu and select Configure RESEPT Client Listen Port.
41. ...can be viewed under the LICENSE tab.
Figure 97 View license info or upload a new license (License Info: Subject Short Term Certs, Expires 2013-01-01, Max Users; License Verification CA: Subject C=NL, ST=Utrecht, L=Soesterberg, O=RESEPT Production Licensing and Customisation, CN=RESEPT License CA, issued by CN=RESEPT Production Validation CA; Valid From/Valid To (until 2027); Signature Algorithm sha1WithRSAEncryption; Public Key RSA 4096 bits; Fingerprint; Upload License)
A new license can be uploaded by selecting the license via Browse and clicking UPLOAD. The text file is signed by KeyTalk, so a tampered text file cannot be uploaded as a valid license. The maximum number of users refers to the maximum number of unique usernames used to obtain a certificate in a given timeframe.

22 Certificates and keys
On the CERTIFICATES AND KEYS tab the Certificate Authority keys for the KeyTalk appliance can be managed.
42. ...When the 1st LDAP server cannot be contacted, the KeyTalk appliance will try the 2nd, and so on. To verify that the KeyTalk appliance can connect to your LDAP/AD server you can optionally use the ping function under DNS settings. To configure your LDAP module bind for your selected service, tick the LDAP server configuration entry and select CHANGE, or select ADD.
Figure 72 Configuring LDAP Server connection (URL ldap://localhost:389; Bind DN; Bind Password; Allow empty password; Base DN; Service User; Service Password)
Invalid LDAP bind attempts are treated as if invalid credentials were supplied by the KeyTalk user, provided the LDAP server is physically accessible; only an unreachable server causes the next server in the list to be tried. It is recommended to verify the configured Bind DN and password for each LDAP server by using the check button.
URL: The LDAP location and appropriate port number; for Global Catalog use port 3268.
Bind DN: The Bind DN. Setting the appropriate parameters is described in the next sub-chapter.
Bind Password: Either a bind is done using the user's credentials, or, when using anonymous bind, a static password can be provided.
Base DN: The Base DN, usually the same as the Bind DN but without the userid reference.
Service User / Service Password: The Service User and Service Password values are used to change the expired password of a user authenticated by Active Directory. When Service User is left empty it wil...
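The failover and error-handling rules above (move to the next server only when one cannot be contacted; a rejected bind is an invalid credential and not a reason to try the next server) together with the Allow empty password switch, as an added example that is not KeyTalk code and is not taken from this manual: a Python function that walks an ordered list of LDAP servers with exactly those semantics. The bind operation is a constructed stand-in (a callable that connects, rejects, or raises a connection error) so that the logic runs offline; with a real directory an LDAP client library would take its place. Server URLs, the DN, the password and the in-memory directory are constructed values.

```python
from typing import Callable, Dict, List, Set, Tuple

# Added example (not KeyTalk code): ordered LDAP failover with the manual's
# semantics: an unreachable server is skipped, a rejected bind ends the attempt.


class LdapUnreachable(Exception):
    """Raised by the bind callable when the server cannot be contacted."""


class LdapInvalidCredentials(Exception):
    """Raised by the bind callable when the server is up but rejects the bind."""


# bind(url, bind_dn, password) -> None on success; raises one of the above.
BindFn = Callable[[str, str, str], None]


def authenticate(servers: List[str], bind_dn: str, password: str,
                 bind: BindFn, allow_empty_password: bool = False) -> Tuple[str, str]:
    """Try each server in order. Returns (result, detail) where result is
    'ok', 'invalid_credentials' or 'unreachable'."""
    if password == "" and not allow_empty_password:
        # Guard against the LDAP "unauthenticated bind": many servers accept a
        # DN with an empty password as an anonymous bind, which a naive caller
        # would read as a successful login. Reject locally unless allowed.
        return "invalid_credentials", "empty password not allowed"
    for url in servers:
        try:
            bind(url, bind_dn, password)
            return "ok", url
        except LdapUnreachable:
            continue   # server down: try the next one in the configured order
        except LdapInvalidCredentials:
            # Reachable server said no: do NOT fall through to the next server,
            # that would turn one bad password into one attempt per server.
            return "invalid_credentials", url
    return "unreachable", "no LDAP server could be contacted"


# --- constructed simulation of directory servers (not a real LDAP client) ---
_DIRECTORY: Dict[str, str] = {"cn=DemoUser,ou=users,dc=example,dc=com": "correct horse"}


def make_bind(down: Set[str]) -> BindFn:
    """Build a bind callable in which the servers in `down` are unreachable."""
    def bind(url: str, bind_dn: str, password: str) -> None:
        if url in down:
            raise LdapUnreachable(url)
        if _DIRECTORY.get(bind_dn) != password:
            raise LdapInvalidCredentials(bind_dn)
    return bind


SERVERS = ["ldap://dc1.example.com:389", "ldap://dc2.example.com:389"]
DN = "cn=DemoUser,ou=users,dc=example,dc=com"


def demo() -> dict:
    return {
        "primary_ok": authenticate(SERVERS, DN, "correct horse", make_bind(set()))[0],
        "failover": authenticate(SERVERS, DN, "correct horse", make_bind({SERVERS[0]})),
        "bad_password": authenticate(SERVERS, DN, "wrong", make_bind({SERVERS[0]})),
        "all_down": authenticate(SERVERS, DN, "correct horse", make_bind(set(SERVERS)))[0],
        "empty_pw": authenticate(SERVERS, DN, "", make_bind(set()))[0],
        "empty_pw_allowed": authenticate(SERVERS, DN, "", make_bind(set()), True)[0],
    }
```

In the "bad_password" case the first server is down and the second rejects the bind: the result is invalid credentials from the second server, and no further server is consulted, which is what keeps a single wrong password from counting as one failed login on every directory server in the list.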
43. ...Unique device ID: For example IMEI for GSM and MEID or ESN for CDMA phones. May not exist on some devices.
205 Simcard number: Exists only on devices with a SIM card.
206 Subscriber id: For example IMSI for GSM. May not exist on some devices.
207 SIM operator name: For example KPN or Vodafone.
208 Board name: For example goldfish.
209 Device manufacturer: For example HTC or Motorola.
210 Device model: For example Nexus One.
211 API version: For example 10. Changes after a system upgrade.
212 Screen width and height in pixels: For example 240x680.
BlackBerry client codes
301 Serial number: Required for tablets and exists on some phones.
302 BB device ID: Example 9774d56d682e549c. On devices after API 9 it changes on factory reset and on rooted phones.
303 WiFi MAC address: Unique, but exists only if WiFi is turned on.
304 Unique device ID: For example IMEI for GSM and MEID or ESN for CDMA phones. May not exist on some devices.
305 Simcard number: Exists only on devices with a SIM card.
306 Subscriber id: For example IMSI for GSM. May not exist on some devices.
307 SIM operator name: For example KPN or Vodafone.
308 Board name: For example goldfish.
309 Device manufacturer: For example BlackBerry.
310 Device model: For example Q30.
311 API version: For example 10. Changes after a system upgrade.
312 Screen width and height in pixels: For example 240x680.
Windows Phone clien...
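How an HWSIG Formula (section 18.1) combines the component values listed in the tables above, as an added illustration that is not the KeyTalk client's algorithm: the manual does not describe the real hashing, so the SHA-256-over-length-prefixed-values construction, the component table, the code numbers assigned to the sample phone and the handling of absent components are all assumptions. It demonstrates the two properties the manual states (order and repetition both change the result) and the two operational caveats from the tables (a component that "may not exist on some devices" must be handled deterministically, and a component that "changes after system upgrade" breaks the signature).

```python
import hashlib
from typing import Dict, List, Optional

# Added example (not KeyTalk's algorithm): a hardware signature computed from a
# comma-separated formula of component codes, as in the manual's "0,1,2,5,4,5".
# Component values below are constructed; codes in the 2xx range follow the
# manual's Android client numbering where the table shows them.


def parse_formula(formula: str) -> List[int]:
    """'0, 1,2,5,4,5' -> [0, 1, 2, 5, 4, 5]; rejects junk instead of guessing."""
    codes = []
    for token in formula.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError("bad component reference: %r" % token)
        codes.append(int(token))
    if not codes:
        raise ValueError("empty formula")
    return codes


def hwsig(formula: str, components: Dict[int, Optional[str]],
          missing: str = "") -> str:
    """Deterministic signature over the components named by the formula.

    Each referenced value is prefixed with its code and length before hashing
    so that ("ab","c") and ("a","bc") cannot collide; a component that does
    not exist on the device contributes the fixed `missing` marker rather than
    being silently dropped, so the formula itself stays part of the signature.
    """
    h = hashlib.sha256()
    for code in parse_formula(formula):
        value = components.get(code)
        value = missing if value is None else value
        data = value.encode("utf-8")
        h.update(("%d:%d:" % (code, len(data))).encode("ascii"))
        h.update(data)
    return h.hexdigest()


# Constructed sample device; 205/206 deliberately absent (no SIM card).
PHONE: Dict[int, Optional[str]] = {
    202: "9774d56d682e549c",       # assumed: Android device ID
    203: "00:11:22:33:44:55",      # assumed: WiFi MAC address
    204: "356938035643809",        # unique device ID (IMEI)
    207: "KPN",                    # SIM operator name
    209: "HTC",                    # device manufacturer
    210: "Nexus One",              # device model
    211: "10",                     # API version, changes after system upgrade
}


def demo() -> dict:
    base = hwsig("202,203,204", PHONE)
    upgraded = dict(PHONE)
    upgraded[211] = "11"
    return {
        "base": base,
        "same_formula_same_device": hwsig("202,203,204", PHONE) == base,
        "order_matters": hwsig("204,203,202", PHONE) != base,
        "repetition_matters": hwsig("202,202,203,204", PHONE) != base,
        # A formula naming a component this device lacks still yields a stable
        # value, and differs from the formula without it.
        "missing_is_stable": hwsig("202,205", PHONE) == hwsig("202,205", PHONE),
        "missing_changes_sig": hwsig("202,205", PHONE) != hwsig("202", PHONE),
        # Including the API version (211) means an OS upgrade breaks enrolment.
        "api_upgrade_breaks": hwsig("202,211", PHONE) != hwsig("202,211", upgraded),
    }
```

When choosing a formula, prefer components the tables mark as stable and present on the whole fleet; every volatile or optional component you include is a future re-enrolment for some users.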
44. ...change. KeyTalk advises you to check this label on a regular basis to make sure it is undamaged. Should the label be damaged, please contact your KeyTalk supplier, who can provide you with a new label. If the label is damaged without your knowledge, be warned that your KeyTalk appliance may have been opened and tampered with. Please report such an incident to your KeyTalk administrator and/or security officer. When the device needs to be sent to the manufacturer for repair, open the device by breaking the label and remove the hard disk. This hard disk contains your company data and should not be sent to the KeyTalk partner or the KeyTalk manufacturer. When the device has been repaired you will receive it back with a new hard disk and label. This hard disk will be in the initial state; your settings and company data can be restored from a backup. Please refer to the Backup and Restore section for more information on how to do this. The replacement hard disk or the repair can result in additionally invoiced cost.

5 Quick Start Guide
Assumptions:
- The KeyTalk appliance is by default delivered in DEMO configuration and should work immediately after applying the configurations described below.
- For this quick start configuration the default Windows KeyTalk Client should be used together with the DEMO RCCD file (RCCD: Readable Client Configuration Data).
- For security reasons the DEMO key and certificate material must always be re...
45. ...protected with a password. Download Certificate and Key: click Download to download certificate and key as a single PEM file.
Figure 105 WebUI certificate information and key upload functionality
This screen allows you to download the current certificate and key and to upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent please refer to section 8.2 Saving changes & reboot.

22.8 Server DevID Certificate & Key
The Server DevID certificate and key are used to secure communication between the KeyTalk server and the DevID appliance.
Figure 106 Server DevID certificate information and key upload functionality (Server DevID certificate and key are used to secure communication between the RESEPT and DevID servers; Certificate Info; Key Info; Upload Certificate and Key: click Upload to upload a PEM containing certificate and key, the key should not be protected with a password, it is also possible for the PEM file to contain certificate or key only)
A new certi...
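The upload rules repeated on the Server-Server, Primary CA, Signing CA,  WebUI and Server DevID tabs (one PEM file holding certificate and key, or only one of the two, with the key not password-protected) as an added pre-upload check that is not KeyTalk code and is not taken from this manual: a Python function that inspects the PEM framing of a file and reports what it contains and whether the key is encrypted, so a rejected upload can be diagnosed before the device management subsystem restarts. It parses PEM framing only and does not check that key and certificate belong together. The sample files are constructed around a minimal DER stub, not real certificates or keys.

```python
import base64
import binascii
import re
from typing import Dict, List

# Added example (not KeyTalk code): sanity-check a PEM file before uploading it
# on a CERTIFICATES AND KEYS tab. Checks PEM framing only.

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem(text: str) -> Dict[str, object]:
    """Return a report: counts of certificates and keys, whether any key is
    password-protected, and a list of problems (empty = upload looks
    acceptable under the manual's rules)."""
    certs = 0
    keys = 0
    encrypted = False
    problems: List[str] = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        header_lines: List[str] = []
        b64_lines: List[str] = []
        for line in body.splitlines():
            # RFC 1421-style headers such as "Proc-Type: 4,ENCRYPTED" carry a
            # colon; base64 never does.
            (header_lines if ":" in line else b64_lines).append(line.strip())
        try:
            der = base64.b64decode("".join(b64_lines), validate=True)
        except (binascii.Error, ValueError):
            problems.append("%s: body is not valid base64" % label)
            continue
        if not der.startswith(b"\x30"):
            # Every X.509 certificate and PKCS#1/PKCS#8 key is a DER SEQUENCE.
            problems.append("%s: decoded data is not a DER SEQUENCE" % label)
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            if label == "ENCRYPTED PRIVATE KEY" or any(
                    h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in header_lines):
                encrypted = True
        else:
            problems.append("unexpected PEM block type %s" % label)
    if certs == 0 and keys == 0:
        problems.append("no CERTIFICATE or PRIVATE KEY block found")
    if keys > 1:
        problems.append("%d private keys found, expected at most one" % keys)
    if encrypted:
        problems.append("private key is password-protected; the appliance requires an unencrypted key")
    return {"certificates": certs, "keys": keys, "encrypted_key": encrypted, "problems": problems}


def _pem(label: str, der: bytes, headers: str = "") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)


_DER_STUB = b"\x30\x03\x02\x01\x01"   # constructed minimal DER SEQUENCE, not a real cert/key

SAMPLES = {   # constructed inputs
    "cert_and_key": _pem("CERTIFICATE", _DER_STUB) + _pem("RSA PRIVATE KEY", _DER_STUB),
    "cert_only": _pem("CERTIFICATE", _DER_STUB),
    "encrypted_pkcs8": _pem("CERTIFICATE", _DER_STUB) + _pem("ENCRYPTED PRIVATE KEY", _DER_STUB),
    "encrypted_legacy": _pem("RSA PRIVATE KEY", _DER_STUB,
                             "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"),
    "garbage": "not a pem file at all",
}


def demo() -> Dict[str, bool]:
    """True where the file would be accepted under the manual's rules."""
    return {name: not inspect_pem(text)["problems"] for name, text in SAMPLES.items()}
```

Both encrypted forms matter in practice: a PKCS#8 key exported by most tooling is labelled ENCRYPTED PRIVATE KEY, while older OpenSSL output keeps the RSA PRIVATE KEY label and signals encryption only through the Proc-Type header, which is easy to overlook when eyeballing the file.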
46. ...edit a specific set of certificate fields. Click OK to accept the alterations.
Edit Client-Server certificate fields: Common Name demo.keytalkdemo.com; Signature Algorithm sha256WithRSAEncryption; RSA Key Size (bits); Country; City/Locality; Organization; Organizational Unit; Email; Time To Live (sec) 315360000; Time For Correction (sec)
Once you have finished editing the necessary certificate fields you are ready to generate the newly configured certificate tree.
Figure: CERTIFICATES AND KEYS, Generate tab (Primary CA: CN KeyTalk Demo PCA, key size 4096 bits; Signing CA: CN KeyTalk Demo Signing CA, 4096 bits; Communication CA: CN KeyTalk Demo CCA, 4096 bits; Server-Server: CN localhost.keytalkdemo.com, 2048 bits; Client-Server: CN demo.keytalkdemo.com, 2048 bits; WebUI: 2048 bits; Server DevID: CN devid.keytalkdemo.com, 2048 bits; DevID WebUI: 2048 bits; Include Root CA checkbox. Click Generate Tree to generate a certificate tree using the configuration specified on this page; when done you will be prompted to install the generated certificates to the appliance.)
47. ...Administrator Interface password, do the following: in the upper menu select the DEVICE tab and select Admin Password.
Figure 24 Changing Graphical Administrator Interface password (DEVICE menu: Change Device Web Access Password, Change Device Admin Username, Change Device Admin Password)
Enter both the current and the new password and confirm the new password in the Change Device Web Access Password fields. Press OK to activate the new password.
Note: It is important to remember this password.
The KeyTalk appliance also has a more powerful user, the device admin, for low-level administrator maintenance. This user is not enabled by default. If required, contact your KeyTalk supplier or partner.

11 Backup and Restore
To make a full backup of your current system configuration to your computer, select DEVICE from the main menu, select Backup & Restore Configuration and select BACKUP.
Figure 25 Making a backup of the system configuration (Backup Configuration: click Backup to save the current system configuration to your computer; Restore Configuration: click Restore to restore the system configuration from a previously made backup file)
Save the backup file...
48. ...Configure KeyTalk Client Listen Port
Figure 41 Configuring the KeyTalk client listening port
Change the port number and select OK to save the change. Additionally you must use the KeyTalk Configuration Tool to change the port number on your KeyTalk client, but preferably update it in the RCCD file by creating and signing a new one using KeyTalk's signing portal.

17 Configuring daemons
"In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user" (source: Wikipedia.org). The following daemons are important for the proper functioning of the KeyTalk appliances:
- AUTHD, Authentication daemon: Responsible for the user authentication process. It connects to the applicable authentication database.
- CAD, Certificate Authority daemon: The actual creator of the certificate. It is invoked after successful authentication.
- HAD, High Availability daemon: Responsible for the high availability functionality of the KeyTalk solution.
- RDD, RESEPT Distribution daemon: All KeyTalk client traffic goes through RDD. This daemon validates user input and is responsible for distributing the workflow to the other daemons.
Two daemons, CAD and HAD, can be configured in the DAEMONS tab.
49. system configuration equals the saved configuration (saved 10-07-2012 14:05). SAVE. Reset Configuration To Factory Defaults: click Reset to reset the current system configuration to the factory defaults. Figure 27: Resetting to the factory defaults. Note: resetting to the default factory configuration settings also affects your configured IP addresses; in case your KeyTalk device is off premise, remote communication with the device will be impossible after a factory reset. 13 Firmware upgrade. KeyTalk BV periodically releases new firmware for the KeyTalk appliance. New firmware can fix bugs as well as add new functionality. Upgrading requires you to go from one version to the next, i.e. 4.2 to 4.2.1 or to 4.3, in full sequential order. Skipping a firmware version in between will be detected by KeyTalk and results in an aborted upgrade, with KeyTalk going back to its last persistent state. Upgrading the KeyTalk firmware can be done in two different ways. 1. For remote upgrading you can upload the upgrade file via the administrator graphical interface (Admin GUI). Within the KeyTalk Admin GUI go to DEVICE, select Firmware Upgrade, click on Browse to select the upgrade file and click on UPLOAD to start the upgrade process.
50. Replacing Admin GUI SSL certificate 26; 8.2 Saving changes & reboot 27; 9 SSH 29; 10 Changing KeyTalk passwords 30; 11 Backup and Restore 31; 12 Factory Reset 32; 13 Firmware upgrade 33; 14 Date, time & NTP settings 35; 15 Log files 37; 15.1 Daemon logging settings 38; 16 Network settings 39; 16.1 Configure interfaces 39; 16.2 Configure DNS 41; 16.3 Configure High Availability Virtual Interface 41; 16.4 Configure KeyTalk client listening port 42; 17 Configuring daemons 43; 17.1 Certificate Authority daemon (CAD) settings 43; 17.2 High Availability daemon settings 44; 17.2.1 High Availability in depth; 17.3 Stop/start daemons & status; 18 Services; 18.1 Creating/modifying a service; 18.2 Hardware Signature; 19 Authentication modules; 19.1 Internal Sqlite database module; 19.1.1 Adding a Sqlite Module to a service; 19.1.2 Changing Sqlite Module settings for a service; 19.2 LDAP Module (includes Active Directory); 19.2.1 Adding an LDAP Module; 19.2.2 Changing an LDAP Module configuration; 19.3 RADIUS Module; 19.3.1 Adding a RADIUS Module; 19.3.2 Changing a RADIUS Module configuration; 19.4 Execute Modules; 19.5 Relay Modules (connecting other authentication solutions); 19.5.1 Adding a Relay Module
51. certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent please refer to section 8.2 Saving changes & reboot. 22.9 DevID WebUI Certificate & Key. The DevID WebUI certificate and key are used to secure access to the DevID server UI via a browser. A separate DevID WebUI key and certificate are required for each DevID appliance, since each one will run under its own unique FQDN in the network. Figure 107: DevID WebUI certificate information and key upload functionality. The screen shows Certificate Info and Key Info (No Certificate Found while nothing has been uploaded yet) and an Upload Certificate and Key control: click Upload to upload a PEM file containing the certificate and key; the key should not be password protected. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent
52. ft, Juniper, Adobe, F5, SAP, Fortinet, IBM, CheckPoint, Oracle, Palo Alto, Novell, HP, Google, Huawei, OpenVPN. KeyTalk is a product which seamlessly fits into your existing network infrastructure. In a highly secure manner it automatically creates, distributes and de-installs short-lived X.509v3 user certificates on the user's device, for the primary purpose of user credentialing and secure access control. X.509 has been the industry standard since the 80s, is supported by all major network components and enterprise application solutions, and is now made available for short-lived certificates, making it the perfect unified access control solution. Managing X.509v3 certificates has thus far been one of the greatest cost factors in high-security environments. Cost is now minimized as a direct result of short-lived certificates, making administrative efforts on Certificate Revocation Lists obsolete. By re-using your existing authentication environment, optionally leveraging it with trusted corporate hardware recognition, reducing the lifecycle of the certificate and ultimately automating the certificate requests, creation, distribution and de-installation, certificate management has become easy as pie with our KeyTalk product. To summarize: KeyTalk protects your data in motion by providing secure access for machine-to-machine communication and data transmissions between devices, corporate networks and cloud applica
53. gateway, select from the main menu NETWORK, select Configure Interfaces and select CHANGE. Figure 37: Changing the default gateway. On the screen that opens, configure the default gateway IP and select OK. The Change Default Gateway screen has fields for the Default IPv4 Gateway and the Default IPv6 Gateway; setting the default gateway has effect only when all non-loopback interfaces use manual (i.e. non-DHCP) configuration. Figure 38: Changing the default gateway. Note: optionally you can set a gateway for each NIC separately. 16.2 Configure DNS. To set your applicable DNS, from the upper menu select NETWORK and select Configure DNS. Figure 39: Configuring DNS. Enter the IP addresses of your DNS servers and select OK. Note: do not enter host names but IP addresses. 16.3 Configure High Availa
54. Figure 28: Firmware upgrade (remote). 2. If you have physical access to the appliance you can use a USB stick for the upgrade. Within the KeyTalk Admin GUI go to DEVICE, select Firmware Upgrade, insert the USB stick with the upgrade files on it into one of the USB ports (L or M); the LCD menu will be activated. Click on START to upgrade. The system will HALT after an upgrade, requiring an additional reboot. Figure 29: Firmware upgrade (on premise). As a result the upgrade will start. The progress of the upgrade is shown in the Admin GUI. On successful upgrade the appliance will automatically REBOOT to apply the new firmware while preserving the latest persistent configuration. 14 Date, time & NTP settings. To set the applicable date and time, go to the tab DEVICE and select Time. Enter the current date and time in UTC and select SET. Figure 30: Setting the applicable date and time. Note: the Netherlands is UTC+1 (UTC+2 during summertime); CST is UTC-6 (UTC-5 during summertime); EST is UTC-5 (UTC-4 during summertime). It is highly recommended to set your app
55. service exists (i.e. create it) and is not bound to another module. Choose ADD and select one of the available services. The Add Sqlite Authentication Module screen shows the Service field (DEMO_SERVICE). Figure 52: Adding a Sqlite Authentication Module. 19.1.2 Changing Sqlite Module settings for a service. Go to the tab AUTHENTICATION MODULES, select Sqlite Modules, select the service you would like to change and click on CHANGE. Figure 53: Configuring a Sqlite Authentication module. 19.1.2.1 HwSig Verification settings. HwSig (see section 18.2 Hardware Signature) verification settings allow for the optional configuration of HwSig verification for the specified service. Go to the tab AUTHENTICATION MODULES, select Sqlite Modules, select the service you would like to set the authentication for and click on CHANGE. Figure 54: Configuring a Sqlite Authentication module (Configure Sqlite Authentication Modules, Service DEMO_SERVICE). The following screen will open: Configure Sqlite Authentication Module For Service DEMO_SERVICE.
56. 12 Go to the IP reset sub menu; 121 External: reset the external IP to default (perform 131 manually); 122 Internal: reset the internal IP to default (perform 131 manually); 123 Management: reset the management IP to default (perform 131 manually); 13 Maintenance: go to the KeyTalk maintenance sub menu; Reset the oldest 10% of the user license count; Reset Settings: reset appliance settings to factory default; 134 Upgrade: activate the FWUPGRADE. 2 Go to the information sub menu; 21 KeyTalk: go to the KeyTalk information sub menu; 211 Version: display the current KeyTalk appliance firmware version; 212 Counted users: display counted users for license purposes; 22 IP Address: go to the IP information sub menu; 221 External: display the current external IP number; 222 Internal: display the current internal IP number; 223 Management: display the current management IP number. 25 Release notes. 25.1 KeyTalk Appliance firmware. Release date July 2012: significant efficiency improvement; upgraded OS; upload firmware option added; DevID module support; updated HAD functionality; download & remove functions on daemon certificates & keys; total unique users per service reporting; LCD based oldest unique user cleaning (max 10%); documentation updated to KeyTalk 4.2. In 4.2 it is possible to generate the CA
57. Figure 88: Current configuration. Edit Relay Authentication Module for Service DEMO_SERVICE: Remote Host backauth.reseptdemo.com, Remote Port 9001, Use TLS. Figure 89: Editing the configuration. Since the Relay module effectively makes use of a host running remotely, only a connection needs to be defined for the Remote Host. Configure the Remote Host and corresponding Port, and whether or not TLS should be used to secure the communication. Back End Server Verification CA: No Certificate Found, UPLOAD. Figure 90: For TLS a server communication key signer CA certificate is needed. Additionally, when using SSL/TLS you will need to upload the Server Communication Key Signer CA certificate in PEM format. This does NOT need to be a certificate created under your Certificate Authority tree, but can also be that of a 3rd party such as VeriSign or Microsoft. 19.5.3 Remote exit basics. When you wish to create your own authentication module (exit), you should always run it from a separate server. The details of what needs to be configured are covered in a separate Remote Exit document, which is available through your KeyTalk supplier or partner. 19.6 Synchronize User Lockout List. Manually Synchronize User Lockout List Across Chains. Figure 91
58. directly by our partner. KeyTalk also has a service desk reachable 24/7. They primarily provide 3rd-line support, i.e. bug fixes. They can be contacted by e-mail or telephone. Contact details: KeyTalk Service desk (3rd line only), e-mail support@keytalk.com, more at http://www.keytalk.com/pages/contact.php. 1.3 System configurations. You can have one or more KeyTalk virtual appliances configured in high availability mode. 1.3.1 Optional configurations. KeyTalk can be used in combination with KeyTalk's DevID virtual appliance. Within an organization, DevID allows the binding of up to 10 different hardware signatures of a user's devices to a single unique user. All is done according to the offered authentication service. DevID can be set to automatically learn up to the maximum number of hardware signatures that is allowed per user setting. Moreover, DevID is multi-tenant, allowing multiple user groups to be defined per specific KeyTalk authentication service. Each user group can be separately managed by one or more service operators, each with its own authorization, allowing one to deploy and manage DevID in a very flexible manner. This way your Admins do not have to do all the work by themselves. 2 Front Panel Components. This section does not apply to the virtual version of KeyTalk. Figure 1: Front panel KeyTalk (color of front bezel may vary; components labelled A to J). A Displa
59. will not be possible to change expired Active Directory passwords; expiring passwords can still be changed. Example: BIND DN userid, BASE DN dc=mydomain,dc=local, user authenticates with username; domain.local: BASE DN userid@domain.local, BIND DN dc=mydomain,dc=local, user authenticates with username. To make a secure connection possible between your LDAP/AD and KeyTalk, the LDAPS protocol is supported. Upload the appropriate CA tree under which the LDAPS certificate on your AD/LDAP was issued. LDAPS CA Certificate (required for LDAPS only): No Certificate Found, UPLOAD. Figure 73: Uploading an LDAPS CA Certificate. NOTE 1: The BIND DN and BASE DN are dependent upon the specific LDAP integration. NOTE 2: When your LDAP certificate is its own Root, LDAPS connections will not work. 19.2.2.4 Certificate to LDAP attribute mappings. The X.509 standard defines several fields in a certificate which must be filled in order to be RFC compliant. By default these certificate fields are filled with the default values as set in the service. When using the default settings your users will be provided with X.509 user certificates which are all unique, based on the date and time of issuing, the serial number and of course the username. However, it might be prudent to have more unique user credentials in the certificate. When this is required you can map your LDAP attributes to the certificate fie
60. fields. To map the LDAP attributes to the certificate fields, select CHANGE under Certificate to LDAP attribute mappings. The fields are (field: meaning; allowed value): Filter: the LDAP filter used to specify the record against which the criteria are matched; any valid value. Country: the value of the country code as it should occur in the user certificate; ISO 3166 standard value. City/Locality: the value of the city/locality as it should occur in the user certificate; any value except blank. Organization: the value of the organization as it should occur in the user certificate; any value except blank. Common Name: the value of the user's name as it should occur in the user certificate; any value except blank. Email: the value of the email address as it should occur in the user certificate; any value except blank. The amount of time that a certificate is valid from the time it was issued; any positive value expressed. Time for Correction: the default time correction factor, expressed in seconds, to correct problems when the Client system time is slightly off. Basic Constraints: the generated certificate is a user certificate, or the generated certificate is a CA certificate and is allowed to issue certificates. Key Usage: certificate Key Usage; values should be comma separated. Extended Key Usage: certificate Extended Key Usage. Subject Alternative Name: the value of the alternative username. 19.2.2.5
61. applicable NTP server(s). When using NTP server(s) also check the Use NTP box. Confirm by selecting OK. Figure 31: Set your applicable NTP server(s); see section 5.8 Step 8 DNS & NTP Date/Time customization for details on setting the time for DNS and NTP. There are two menu items to configure the time, but both function identically: one menu item is located in the Network configuration, the other in the Device configuration. Both direct you to the same function. 15 Log files. The log files of the four main daemons and the Web UI can be accessed from the tab LOGS in the upper menu: AUTHD Logs (Authentication daemon logs), CAD Logs (Certificate Authority daemon logs), HAD Logs (High Availability daemon logs), RDD Logs (RESEPT Dispatcher daemon logs; KeyTalk's previous name was RESEPT) and WebUI Logs (Web interface logs). For example, from the main menu select the LOGS tab and select AUTHD Logs. The screen shows the Auth Daemon Logging Settings and the Auth Daemon log (last 300 lines). Figure 32: Authentication daemon logs. 15.1 Daemon logging settings. Each daemon and the Web UI
62. lified userid supplied as domain userid on two separate (Domain and Userid) credentials. Currently only the LDAP authentication module supports domain credentials. The service settings are: Add 3 Random Characters to Name: when selected, three random characters are added to the Common Name of the generated user certificate; this option is only needed for backward compatibility. The default value of the country code (ISO 3166 standard) as it should occur in the user certificate. The default value of the state, county or province as it should occur in the user certificate. City/Locality: the default value of the city/locality as it should occur in the user certificate. Organization: the default value of the organization as it should occur in the user certificate. Organizational Unit: the default value of the organizational unit as it should occur in the user certificate. The default value of the email address of the organization as it occurs in the user certificate. Time To Live (sec): the default amount of time, expressed in seconds, that a certificate is valid from the time it was issued. Time For Correction (sec): the default time correction factor, expressed in seconds, to correct problems when the Client system time is slightly off. Basic Constraints: CA FALSE, the generated certificate is a user certificate; CA TRUE, the generated certificate is a CA certificate and is allowed to issue certificates. digitalSignature: allows for digital signing. nonrepudiation: qualifies a digital
63. command /etc/RESEPT/saveconfig.sh. d. Now reboot the virtual appliance. 6.2 VMWare prompt-based changing of network interfaces. The KeyTalk appliance by default makes use of 3 virtual network interfaces. Each interface segregates specific network traffic using its own built-in firewall to prevent bridging of traffic. In some rare cases you may wish to merge these interfaces. To do so, follow these steps: I. Edit the appropriate config file: vi /etc/RESEPT/resept_net.conf. II. Map the interface you wish to map, taking into account em0 = external, em1 = internal, em2 = management, and save using the command :wq. III. Make the new configuration persistent using the command /etc/RESEPT/saveconfig.sh. IV. Now reboot the virtual appliance. 7 Setting up the appliance. 7.1 Powering the physical appliance. 1. Remove the appliance from its box. 2. Plug the black power cord into the appliance back power port (K). 3. Plug the power cable into a power socket connector. 4. Press the power-on button (E). 7.2 Connecting the appliance to the internal network. The KeyTalk appliance has 3 active Network Interface Connectors (NICs): O, P and Q. The address of P is by default 10.1.1.1 and is assigned to the KeyTalk administrator interface. Follow these steps to connect the appliance to the internal network: connect the administrator PC/laptop by UTP cable; configure the administrator PC/laptop to the 1
64. Manager in Windows 8. Figure 16: RESEPT Configuration Manager. Load the RCCD file to connect to the KeyTalk appliance by clicking on Load. Figure 17: Selecting the setting to load an RCCD file. Browse to the location where the RCCD is saved, either via your browser or from your local system. Click on Load to upload the selected RCCD file. After successful upload the following message will appear on screen: Customization settings have been successfully imported. Figure 18: RCCD file was successfully uploaded and applied. If the screen above does not appear, the RCCD file you tried to upload may be corrupt or hasn't been signed by KeyTalk's signing portal. Please recreate the RCCD file and upload it again. Select the Provider Settings tab and enter the appropriate KeyTalk Appliance server, which can be specified by IP address or DNS name. When done, select OK. Figure 19: Sample provider settings. For testing purposes the KeyTalk internal user database is already configured with a DemoUser. Additional users can be easily added using the Admin GUI; see section 19
65. connection between the KeyTalk client and the KeyTalk server. You can upload the combined certificate and key as a single file, or you can upload the key and the certificate as separate files in PEM format. There is no need to rename the files, as KeyTalk will do this for you. Figure 104: Client-server certificate information and key upload functionality. The screen shows Certificate Info and Key Info, an Upload Certificate and Key control (upload a PEM containing certificate and key; the key should not be password protected) and a Download Certificate and Key control (download certificate and key as a single PEM file). This screen allows you to download and remove the current certificate and key and upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent please refer to section 8.2 Saving changes & reboot. 22.7 WebUI Certificate & Key. This tab allows you to view the information
66. of the KeyTalk Admin Graphical User Interface. It is used to secure the communication between the KeyTalk appliance and the computer of the organization's administrator (single SSL). You should choose to purchase this certificate and key from a 3rd party certificate provider. For more information please refer to section 8.1 Replacing Admin GUI SSL certificate. A separate WebUI key and certificate are required for each KeyTalk and DevID appliance, since each appliance will run under its own unique FQDN in the network. The WebUI certificate and key are used to secure access to the RESEPT server UI via a browser; the screen shows the current certificate's subject, issuer, validity period, key type and size, signature algorithm and fingerprint, and an Upload Certificate and Key control: click Upload to upload a PEM containing certificate and key. The key should not be prote
67. onfig.dat in a location of your choice. To restore your backup of your system configuration, select DEVICE from the main menu, select Backup & Restore Configuration, select Browse under Restore Configuration, select your keytalk_config.dat backup file and select RESTORE. The KeyTalk appliance will reboot afterwards to effectuate the changes. Figure 26: Restoring the system configuration backup file. 12 Factory Reset. Should you ever want to reset the KeyTalk appliance to its original factory settings, the steps described below must be followed: select from the main menu the DEVICE tab and select Save & Reset Configuration. Select RESET to restore the default factory configuration settings. The Save System Configuration control (click Save) saves the current system configuration to the non-volatile RAM (NVRAM) of the device. Your current syst
68. placed with production material before taking the solution into a production state and environment. When using production keys and certificate material, a corresponding production KeyTalk client RCCD file must be used, otherwise communication will fail. An RCCD file can be generated by your organization; this functionality is described in Chapter 5 of the Client Administrator Manual. DNS, NTP, HTTP, HTTPS, SysLog, port 3000 and optionally ICMP ping (types 0 and 8) are assumed to be available for connection purposes. 5.1 Step 1: Powering the physical appliance. Remove the appliance from its box; plug the black power cord into the appliance back power port (K); plug the power cable into a power socket connector; press the power-on button (E). 5.2 Step 2: Connecting the appliance to the internal network. The KeyTalk appliance has 3 active Network Interface Connectors (NICs): O, P and Q in Figure 2 (Back panel KeyTalk). The NIC P is 10.1.1.1 and is assigned to the KeyTalk management interface. This NIC should only be accessible to the system administrator. Connect the administrator PC/laptop by UTP cable. Configure the administrator PC/laptop to the 10.1.1.x network so that you may be able to connect to 10.1.1.1. Pick for example the 10.1.1.50 address (the address must be 10.1.1.x with x > 4) for the administrator PC, and use network mask 255.255.255.0. NO
69. upload a PEM containing certificate and key; the key should not be protected with a password. Download Certificate and Key: click Download to download the certificate and key as a single PEM file. Figure 21: Replacing the SSL certificate. Make sure that the SSL certificate you wish to make use of also contains the private key and is in PEM file format. Select the file by pressing BROWSE and press UPLOAD to replace the existing SSL certificate. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new SSL certificate. To make the changes permanent please refer to section 8.2 Saving changes & reboot. 8.2 Saving changes & reboot. Changes made in the Admin GUI remain effective only as long as the KeyTalk appliance does not lose its electric power. In order to make changes permanent, the changes must be saved by the administrator. SAVING: in the main menu select the DEVICE tab and select Save & Reset Configuration. Select SAVE to save the System Configuration. The Save System Configuration control (click Save) saves the current system configuration to the non-volatile RAM (NVRAM) of the device. Your current system configuration equals the saved configu
70. r is part of the security group TestGroup. We can look up a user's details as follows. a. Let AD display object attributes: in the AD snap-in, go to menu View > check Advanced Features. b. Let AD display the value of the memberOf attribute: go to TestUser > Properties > Attribute Editor > Filter > select backlinks. c. Copy the memberOf value of the TestUser (the group's distinguished name, CN=TestGroup,CN=Users,...) into the KeyTalk WebUI and click CHANGE. 19.2.2.3 Configuring LDAP module Bind & LDAPS for a service. One or multiple LDAP servers can be bound to the KeyTalk applian
71. re. Figure 111: Generate the newly configured tree. Click Generate Tree to generate a certificate tree using the configuration specified on this page. When done you will be prompted to install the generated certificates to the appliance: The certificate tree has been successfully generated. Click Install to install the generated certificates and keys to the appliance. The device management interface will automatically restart after the installation completes. Figure 112: Install the generated certificate tree. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate tree; if for whatever reason it doesn't, please do so manually. To make the changes permanent please refer to section 8.2 Saving changes & reboot. 23 Errors and error reporting. When the KeyTalk server encounters an error, the KeyTalk Client displays an appropriate error message. The most typical server-side errors are: Resolved IP invalid; Digest Invalid; Time out of sync. When a server error cannot be resolved, the Admin should run the Report Problem function. Report Problem: Encountered a problem? Please help us solve it by following the steps below to generate the
72. recent device activity report and save it. Step 2: send the saved report file along with the problem description to your RESEPT support contact. Figure 113: Generate a problem activity report. Save the resulting file and send it to your KeyTalk supplier or partner with a written description of the problem, preferably substantiated with screenshots, repro steps and log files. Please make sure to always have a generated problem report before contacting support, to assist fast troubleshooting. 24 LCD information display. Does not apply to the virtual appliance. Front Panel component J provides information to those accessing the physical KeyTalk appliance. Using buttons A, B, C and D allows you to navigate the different information screens on the LED display (the buttons have a Position in Direct code mode and in Normal mode). To activate the LCD information display menu, touch any of the buttons A, B, C or D. After it has been activated you can press D to activate the Direct Code mode; press buttons A to C to go to the Normal mode. Selecting and confirming any of the three-digit menu items will make the LCD go to its default display. The menu (menu item, description, effect, code): Activate direct code; 1 Go to the device sub menu; 11 Go to the power sub menu; 111 Reboot: reboot the appliance, this will make the active configurations persistent; 2
73. ...ring summertime UTC+2. CST: UTC-6, during summertime UTC-5. EST: UTC-5, during summertime UTC-4. Preferably set your applicable NTP server(s). When using NTP server(s), also check the Use NTP box. Confirm by selecting OK. Figure 13: Setting your applicable NTP server(s) (Configure Device Time dialog). Possible problems: Please make sure the firewall rules allow connection of NTP services (UDP 123). Also keep in mind that NTP will only slowly correct the time settings. This is standard NTP behavior; to avoid a delay, manually set the time before enabling NTP. Manually setting the time cannot be done after enabling NTP. Also see section 14 Date, time & NTP settings. There are two menu items to configure the time, but both function identically: one menu item is located in the Network configuration, the other in Device configuration. Both direct you to the same function. 5.9 Step 9: Save the current configuration. In the main menu select the DEVICE tab and select Save & Reset Configuration; select SAVE to save the System Configuration.
74. ...(Figure 22: Saving System configuration; dialog text: "...ration saved 10-07-2012. Reset Configuration To Factory Defaults: Click Reset to reset the current system configuration to the factory defaults. After RESET the device will automatically reboot when the configuration is reset.") REBOOT: In the main menu select the DEVICE tab and select Shut Down. Select REBOOT to reboot the system. Figure 23: Rebooting the system. 9 SSH. SSH is by default disabled on the KeyTalk appliance. Should there be a need to activate it, please contact your KeyTalk supplier for an updated KeyTalk license with activated SSH. Those running VMware can access the device through their VMware software using the default User: admin, Pwd: change. These may have been changed if the KeyTalk Admin has followed the guidelines under section 10 of this manual. 10 Changing KeyTalk passwords. The Graphical Administrator Interface can be used when required for administrator maintenance. The Admin authentication credentials are by default set to: Graphical Administrator Interface (Admin GUI): User admin, Password change. In order to change the Graphical A...
75. ...(Figure 14: Saving current system configuration; dialog text: "Save System Configuration: Click Save to save the current system configuration to non-volatile RAM (NVRAM) of the device. Your current system config equals the saved configuration. Reset Configuration To Factory Defaults: Click Reset to reset the current system configuration to the factory defaults. The device will automatically reboot when the configuration is reset.") In case a system reboot is necessary, the standard configuration will be used unless the changes have been saved. See section 8 KeyTalk Admin GUI for details about making changes to the KeyTalk Admin GUI and saving the changes. 5.10 Step 10: Connecting the appliance to the external network. The KeyTalk appliance has 5 active Network Interface Connectors (NIC). These are O, P and Q, see section 5 Back Panel Components. NIC Q is by default assigned to 192.168.1.1 and is to be connected to the external network. This NIC should be used for regular KeyTalk client-server communication. 5.11 Step 11: Testing the KeyTalk solution. Now that the installation is complete, the KeyTalk solution can be tested using the provided demo KeyTalk Client in combination with the DEMO RCCD file. Update the KeyTalk client configuration: start the KeyTalk Configuration Manager from the Windows START menu. Figure 15: KeyTalk Configuration Ma...
76. ...rtual interface called the High Availability (HA) interface. If any server from the group stops working, e.g. because of planned maintenance or a fail-stopped daemon, another server automatically takes over the communication, transparently for all KeyTalk clients. Only one server from a group can route traffic from KeyTalk clients. This server is called master and the rest of the servers are called slaves. Master/slave election occurs automatically and is transparent for KeyTalk clients. Note: High Availability functionality is not a replacement for load balancing functionality. An example of a HA implementation could be: Figure 47: Example HA implementation (Active Network Component, HA Server 1, HA Server 2). Each server in an HA redundant group must be configured with the static information, i.e. IP numbers. All dynamic information (certificate serials, users etc.) is automatically synchronized as soon as the chains have been configured to be aware of each other. To ease configuration, it is a good starting point to always configure one single KeyTalk appliance and make a backup of its configuration. Note: A configured copy might cause conflicting IPs, so configure with care. 17.3 Stop/start daemons & status. The main daemons can be stopped/started from the status panel.
77. ...s Password fields. Press OK to activate the new password. Note: It is important to remember this password. The KeyTalk appliance also has a more powerful user, the device SSH admin, for low-level administrator maintenance. This user is not enabled by default. If required, contact your KeyTalk supplier or partner to activate SSH using an updated license file. 5.8 Step 8: DNS & NTP (Date/Time) customization. To set your applicable DNS, select the NETWORK tab in the upper menu and select Configure DNS. It is possible to ping the IP in order to check if the IP maps to a live machine. Note: The firewall might block the ping (ICMP echo request/reply). Enter the IP addresses of your DNS and select OK. Figure 11: Setting the applicable DNS (Configure DNS settings dialog with PING). To set the applicable date/time, go to the tab DEVICE and select Time. Enter the current date and time in UTC and select SET. Figure 12: Setting the applicable date/time (Configure Device Time dialog). Note: The Netherlands is UTC+1, du...
78. ...signature for non-repudiation. keyEncipherment: Allows for encryption of keys. dataEncipherment: Allows for encryption of data. keyAgreement: Allows for SSL key handshaking. ...allowed to issue certificates (for advanced use only). Used for 802.1x EAP-TLS user certificate-based authentication. Extended Key Usage: Additional OIDs, comma separated. Refer to http://www.openssl.org/docs/apps/x509v3_config.html#Extended_Key_Usage for more information. Subject Alternative Name: The default value of the alternative subject name. For more values refer to http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name for more information. nsBaseURL: Optional Netscape Base URL extension, contains the service name; see the MSDN topic http://msdn.microsoft.com/en-us/library/aa378149(v=vs.85).aspx for more information. Comment: Free text allowing for comments for Admin/support purposes. This field will not be added to the certificate. Note: Key Usage fields should only be manipulated when you are familiar with their exact functionality and the impact they might have on application server functionality. For more information refer to RSA Labs (http://www.rsa.com/rsalabs) and RFC 5280 (http://tools.ietf.org/html/rfc5280). Note: If not familiar with the exact functionality, it is advised to use the KeyTalk default values for the certifica...
79. ...t codes 401-499 reserved for future use. Mac OS X client codes 501-599 reserved for future use. Linux client codes 601-699 reserved for future use. Some components may or may not be preferred for your setup. Choose those you need or can use. Especially in environments where users for example change local access rights or make use of dongles/tethering, you may or may not want to enforce one or more of the above-mentioned components, such as MAC address. In some environments it is desirable to prohibit the user from inserting anything in the USB socket, as this will change the HW signature of that component. 19 Authentication modules. One or more authentication solutions can be connected to the KeyTalk appliance. As a result you can use your existing infrastructure without adding a new database. Of course, for testing purposes or when you only have a small community, an onboard username/password database is available as well. For example, companies with multiple branches that manage their own authentication solution(s), such as RADIUS or LDAP/AD, can make use of a centrally available KeyTalk to turn their heterogeneous authentication environment into a funneled, homogeneous authentication environment. As a result each company may have their own preferred authentication type, but the network only needs to be configured for one X.509 certificate-based solution, making the administration consistent and...
80. ...te attributes. 18.2 Hardware Signature. KeyTalk can optionally determine the state of the hardware of a user's device by calculating a hash over several components of the user's computer hardware. The components can be chosen from the list below and are applied in the HwSig formula as described in section 18.1 Creating/modifying a service. The following component IDs are supported on Windows devices: 0 Predefined value; 1 Primary HDD Serial (on Windows, the primary HDD is defined by the minimal i for which PhysicalDrive<i> or Scsi<i> is accessible); 2 Primary NIC MAC address (on Windows, the primary NIC is the NIC listed first in the Network Connections folder > Advanced menu > Advanced settings list); 3 HDDs Device Instance IDs (only HDDs attached to IDE and SCSI are considered, to avoid pluggable disks, e.g. USB, PCI. Note: SATA and eSATA or PCMCIA will be used when available); 4 NICs Device Instance IDs (only NICs attached to PCI are considered, to avoid pluggable NICs, e.g. USB); 5 IDE ATA/ATAPI controllers Device Instance IDs (excluding hot-pluggable ones like e.g. PCMCIA); 6 USB Root Hubs Device Instance IDs; 7 Display Adapters Device Instance IDs; 8 Amount of physical memory; 9 CPUs device instance IDs; 10 Interrupt controller device instance ID; 11 System timer device instance ID; 12 DMA controller device instance ID; 13 System speaker device instance ID; 14 OS Product ID...
81. ...this interface type. Select OK to save the new settings. Note: High Availability daemons from other KeyTalk chains will need to be made known to the KeyTalk in order for HAD to work properly, and loopback will need to be changed to internal when you wish to activate the HA. Figure 45: HADs from other KeyTalk servers need to be made known (dialog text: "Synchronization Between Redundant KeyTalk Servers. You can set up the KeyTalk server to act as a part of a redundancy group to synchronize data between group members. Redundant KeyTalk Servers: Please specify which KeyTalk servers besides this one should be included in the redundancy group. <No redundant servers defined>"). Select ADD to add a new KeyTalk appliance. Figure 46: Add new HAD connection (dialog text: "Add New Redundant KeyTalk Server Connection: HA Synchronization Service Host, HA Synchronization Service Port; OK / CANCEL"). Enter the HadSyncService Host and Port. Select OK to save the settings. 17.2.1 High Availability in depth. The KeyTalk High Availability allows for multiple physical KeyTalk servers to be made available in case of redundancy requirements. A redundancy group consists of several KeyTalk servers accessible for KeyTalk clients via a single IP provided by a vi...
82. ...tically selected based on card type (UMTS or GSM) supplied by the user. (Table values from the RADIUS settings: port number automatically detected; any valid RADIUS shared secret; any valid positive amount expressed in seconds; RADIUS attribute code value from 1 to 255; checkbox indicating whether EAP shall be used; one of Auto, Password, PEAP, EAP-TTLS or AKA/SIM selected from the drop-down box.) Until smartcard support is implemented for the KeyTalk client, smartcard information should be encapsulated in the username and encoded as CARD_TYPE_MNC_LENGTH_IMSI. For example: Username GSM_2_354162120787078 indicates that the user provides a GSM card with MNC length 2 and IMSI 354162120787078; the EAP-SIM method will be selected to authenticate the user. Username UMTS_3_354162120787078 indicates that the user provides a UMTS card with MNC length 3 and IMSI 354162120787078; the EAP-AKA method will be selected to authenticate the user. 19.3.2.3 User LockOut. The User LockOut mechanism allows for users to be locked out from the system when they enter the wrong authentication credentials. Figure 82: enable/disable user lockout (dialog text: "User Lockout: Automatically lock user on failed login"). Automatic lockout can be selected or not. Click OK to save the settings. When Automatic lockout is selected, the KeyTalk appliance will add, lock and release users automatically based on an incremental time penalty. The Admin can alwa...
83. ...tion setting. Select CHANGE to change the HwSig setting. Two other options are available for the HwSig verification: DevId: Obtain the user's HwId from our DevId product solution; Exit: Obtain the user's HwId using the settings of the authentication module. For the option Exit, in the case of the Sqlite Module the HwSig is obtained from the user's Hardware Signature field. When the DevId option has been chosen, make sure that the DevId Host & Port are properly set. Figure 80: Editing Hardware signature settings for a specific service (dialog text: "Edit hardware signature settings for Service DEMO_SERVICE. HwSig Verification: DevId; DevID Host: 192.168.1.10; DevID Port: 8001; DevID Group Name: Test; DevID Group Password: (masked); OK / CANCEL"). 19.3.2.2 RADIUS Server connectivity settings. Multiple RADIUS servers can be configured by selecting the server and clicking on ADD. When the first server cannot be contacted, the KeyTalk appliance will send its request to the next in line, and so forth. To change the RADIUS Server connectivity settings, select the server configuration you wish to change and click on CHANGE. (Figure: "Configure RADIUS Server connection for Service DEMO_MY_RADIUS": Host, Port (auto-detect), Secret, Timeout (sec) 5, OTP Time Offset RADIUS Attribute Code, Use EAP on C...)
84. ...tions. It prevents common intrusions such as Man-in-the-Middle. KeyTalk generates, distributes and installs short-lived client certificates on the client device in a fully automated manner, leveraging your existing authentication methodology. Optionally, it uses the device hardware characteristics to strengthen the authentication process. 1.1 Getting started. In the following subsections the KeyTalk product is described. 1.2 Installation. All our products are delivered with an Installation manual. This manual provides instructions for installing and de-installing the KeyTalk software and gives an overview of the system requirements necessary to run the software. More detailed technical requirements can be found in the Prerequisites and Technical requirement documents. 1.2.1 Using the software. How to use KeyTalk products and an explanation of the terminology and icons used in the software are described in detail in the User manual. Next to describing the hardware, the functionalities of the software are also described in full detail. In case of product upgrades, an overview of the new functionalities is incorporated in the User manual as well as listed in the product's Release Notes. Please consult your KeyTalk supplier or partner for more information. 1.2.2 Support. In case you encounter issues when using our products, please contact your KeyTalk supplier or partner. Contact details have been made available to you d...
85. ...tree on the appliance. January 23rd 2012: ADDED full RADIUS authentication; ADDED RADIUS field name change option on authentication type for client purposes; ADDED Active Directory Service Account for password change after password expired from client; ADDED Windows BIOS DevID option; ADDED RCCD certificate files download button. October 2013: Updated core engine; Added SHA256 to CA tree generation; Improved LDAP BIND options; Allow for no empty password for LDAP/AD; Improved RADIUS to support RSA SecurID. For the minor details please visit our website: http://www.keytalk.com/downloads/KeyTalkApplianceReleaseNotes.txt. Manufacturer information: KeyTalk 1 BV, Nijverheidsweg Noord 78, 3812 PM Amersfoort, The Netherlands. Telephone: +31 (0)88 KEYTALK. Email: info@keytalk.com. Web: www.keytalk.com. Chamber of Commerce: 59072555. VAT Number: NL853305766B01. Bank: Rabobank, NL78 RABO 0133 2932 38, BIC RABONL2U.
86. ...(Figure 98: Overview of the KeyTalk Certificate Authority; table: Primary CA certificate installed, key installed, Manage; Signing CA certificate installed, key installed, Manage; Communication CA certificate installed, key installed, Manage; Server certificate installed, key installed; Client-Server certificate installed, key installed, Manage; WebUI certificate installed, key installed, Manage; Server DevId certificate not installed, key not installed, Manage; DevId WebUI certificate not installed, key not installed, Manage.) By default your KeyTalk appliance comes pre-configured with demo key and certificate material. This material is NOT unique but provided with every system. It is therefore necessary to replace it with your own material when going into production. The demo material can be used for testing or KeyTalk's free trial. KeyTalk requires the certificates to be imported or generated in PEM file format and requires that they carry the .pem file extension. Please note that the KeyTalk solution does not mandatorily require you to take into account any specific protocols and procedures as to the security level of key creation, key management etc. Instead it is your company who decides what is and what is not acceptable. 22.1 Root CA. The Root CA is an optional public certificate. It is only applicable when your company already has an existing certificate authority in place. When...
87. ...unity, whether internal or external, with on-demand short-lived X.509 certificates. All built upon your existing infrastructure, so there is no need to change backup procedures or to teach your community of users new authentication methods. The KeyTalk appliance simply makes it happen. KeyTalk provides you with advanced features which make your life as a user easier and more secure when making use of your company's or partner's online environment. Common usages: Single Sign-On to web-based environments; Digital signing of internal documents; Highly secure connections to network-based environments; Protection of your authentication credentials and data in motion against Man-in-the-Middle intrusions; Optionally binding the trusted computer device(s) to the user or company community, allowing for Multi-Factor Authentication. X.509 user certificates have been the standard since 1988 and are commonly accepted by all Operating Systems. As a result, not only do these user certificates give you the highest level of safe encrypted communication, they also offer many more features with the same ease of management, such as Single Sign-On for certificate-aware applications, Federated Identity, 802.1x EAP-TLS. Certificates issued by the KeyTalk appliance work natively with all major network and client brands such as, but not limited to, CISCO, Microso...
88. ...(Figure 101: Signing CA information and key upload functionality; screen text: certificate subject and issuer fields, Key Info; "Upload Certificate and Key: Click Upload to upload a PEM containing certificate and key. The key should not be protected with a password. It is also possible for the PEM file to contain certificate and key." "Download Certificate and Key: Click to download certificate and key as a single PEM file.") This screen allows you to download and remove the current certificate and key and upload a new version. A new certificate can be uploaded by selecting it via Browse and clicking UPLOAD. After a successful UPLOAD the device management subsystem will automatically restart to effectuate the new certificate. To make the changes permanent, please refer to section 8.2 Saving changes & reboot. 22.4 Communication CA. This tab is used to secure communications between different parts of the system. The Communication CA corresponds to the SCA (Server CA) on the client side. (Figure: Communication CA tab; screen text: "Communication CA used to secure communication between different parts of the system. Communication CA corresponds to SCA (Server CA) on the c...")
89. ...y navigation button: Controls the navigational controls for the LCD information menu, see section 24 LCD information display. C Display navigation button: Controls the navigational controls for the LCD information menu, see section 24 LCD information display. Display navigation button: Controls the navigational controls for the LCD information menu, see section 24 LCD information display. Power button: Press to start the device when switched off. Press and hold for several seconds to switch off the appliance. F RESET button: Press using a paperclip and hold for several seconds to stop the device. The RESET button only needs to be used when normal switch-off using the Power button is not working. Lights up when the power is switched on. H Disk indicator: Data is stored on the Solid State Disk. When this indicator flashes, the Solid State Disk is active. Information indicator: Lights up when important messages require your attention. Display: Displays the state the device is in and displays menu items for local administration. Do not replace any components, as this will void your KeyTalk warranty. Note: replacing hardware components will result in malfunctioning of the system. 9 Back Panel Components. This section does not apply to the virtual version of KeyTalk. Figure 2...
90. ...ys manually release users before the time penalty expires AND can manually add or remove users in the LockOut table. When Automatic lockout is not selected, the system runs in a manual mode, allowing the Admin to add any usernames for a permanent lock, which can only be manually released. Adding Users manually is done using free text. No actual check is performed by the system to see if the User actually exists in the database used by the service's authentication module. Figure 83: Manually adding a user to be locked out for a specific service (dialog text: "Lock user for Service DEMO_SERVICE: User ID"). 19.4 Execute Modules. Figure 84: Executable Authentication Modules (Configure Execute Authentication Modules screen). Execute Modules are tailor-made modules officially released by KeyTalk BV as NON-STANDARD. These modules are not part of the formal firmware release but will likely become part of future releases for maintenance purposes. Though it is not the policy to release modules outside of the officially supported firmware releases, this feature allows for it to be made possible when executing beyond policy. Licensing restrictions may apply. Consult your KeyTalk supplier or partner for more information. 19.5 Relay Modules: connecting other authentication solutions.