This document is written in English only
The Configuration Application is a standalone application that provides a GUI for editing the configuration XML files. It is located in the same directory as the installed LRA Client; the executable is named ConfigurationApplication.exe.
From v3.4 the default setup folder has changed to Buypass Access Manager, so it has changed from:
Windows x32 – Program Files\Buypass\Lra Client
Windows x64 – Program Files (x86)\Buypass\Lra Client
to:
Windows x32 – Program Files\Buypass\Buypass Access Manager
Windows x64 – Program Files (x86)\Buypass\Buypass Access Manager
A shortcut to ConfigurationApplication.exe is also placed in the Start menu (Windows 7).
Start page
Use Open to open the existing configuration files (LOCAL and MASTER), or New to register a new configuration.
- The LOCAL file must always be available on the BAM client PC. The LOCAL configuration includes mappings and connections to drivers for readers, scanners, signpads and pinpads, and local values that apply to this BAM client only.
- The MASTER file can be available on the BAM client PC, but can also be shared by several or all clients and therefore located on a common file server. The MASTER configuration includes mappings and connections to CA, AD, Buypass and the issuing process, and values that apply to the organization regardless of the number of BAM clients.
Start page of the BAM Configuration Application Tool, v3.0 - 3.5.
Start page of the BAM Configuration Application Tool from v3.6 (new start page).
Navigation
Use the TAB key to navigate between tabs, fields and buttons. To get to the menu, use the ALT key. Use the arrow keys to navigate between options in menus and tabs. Most controls have tooltips with an additional description: move the mouse pointer over a parameter to read its field description.
Id | Description | Comments |
---|---|---|
#1 | Application menu | Available functions: |
#2 | Configuration file tabs | Lists open configuration files |
#3 | Configuration file path | Absolute URI of configuration file |
#4 | Tab control | Tabs list of parameters subgroups |
#5 | List of parameters | - |
#6 | Tool tip | Help tooltip with additional info about pointed parameter |
#7 | Revert button | Reverts all changes on all tabs with parameters of edited file |
#8 | Save button | Save all changes in file |
#9 | Save as button | Save file with last changes in another file |
TEST-button
The TEST-button in the different GUIs of the LOCAL and MASTER configuration tests the parameter values currently entered in the fields, whether or not they have been saved.
Remember to save before exiting the application if any of the fields are red and you want to keep the new values.
What each test actually covers is described below under the corresponding GUI tab.
Trace
All changes made in the Configuration Application Tool are stored in a separate log file, {ApplicationFolder}\Logs\configuration.trace.log.
A new file is created every time the Configuration client is started; the date and timestamp are part of the filename to distinguish the files.
Local Configuration
Local configuration file contains parameters that may be specific to each LRA client station. This file is stored locally.
Local_Common
Id | Description | Comments |
---|---|---|
#1 | Master configuration | Path to the master configuration file. Contains two functions: |
#2 | Language | Language used in GUI for labels and guidelines. |
#3 | Place | Place or address of the organization; written in all generated PDF documents. |
Smartcard
Id | Description | Comments |
---|---|---|
#1 | Refresh list of available readers | Gets list of readers connected to LRA station |
#2 | Combo boxes for assigning readers | – |
#3 | Test selected readers button | Checks names and access to readers (and secure features if needed). It includes PinPad hardware and service check for ACR88/89. |
Scanner
Id | Description | Comments |
---|---|---|
#1 | Scanner device ID | Gui format |
#2 | Choose scanner button* | Shows the native dialog for selecting a scanner among those available on this machine |
#3 | Test scanner button | Tries to acquire an image from the scanner |
* Windows Image Acquisition (WIA) service must be started on client PC.
Logs
Id | Description | Comments |
---|---|---|
#1 | Severity | Desired severity for the default log (trace.log file in the app directory) |
SignPad
Id | Description | Comments |
---|---|---|
#1 | Test SignPad button | Ensures SignPad is accessible. |
Test all tabs for local config
Id | Description | Comments |
---|---|---|
#1 | Test all button | Tests all devices with the current settings and shows aggregated results. The user card reader communication check includes a PinPad hardware and service check for ACR88/89. The scanner runs a get-image check. The SignPad runs a communication check. |
#2 | Test result area | - |
Master Configuration
Master configuration file contains parameters that are common to all LRA stations within one organization. This file is usually stored in a shared area.
Common
Id | Description | Comments |
---|---|---|
#1 | LRA mode | Different configurations of the LRA client: Local issues local certificates only, Buypass issues qualified certificates only, and Mixed issues both local and qualified certificates. Mixed mode is the default value. Tabs not needed for the chosen mode are disabled in the left panel. |
#2 | Company name | Name of the organization; written in all generated PDF documents. If the organization has several LRA clients in different locations, the name can indicate the department. |
Smartcard
Id | Description | Comments |
---|---|---|
#1 | Local certificates key length | Defines the key length of the certificate generated on the smartcard. Valid values: the value chosen must comply with the key length in the certificate template. |
Active directory - common
Id | Description | Comments |
---|---|---|
#1 | Domain | Defines the name of the domain controller. Example: testdc:389. The Default button lists the available ADs so you can choose the correct one. |
#2 | SearchBase | Defines the search path for looking up Users in AD. Different OUs (directories) in AD can be defined and included. See more details below under Search Base. |
#3 | Use nested groups | Tick this check box if Users are members of AD user groups which in turn are linked to the certificate groups, rather than each User being linked directly to one or more certificate groups. |
#4 | User search mapping | Options - see more details below under User search mapping. |
#5 | Add | Create new AD configuration. Will be created and available on the left tabs list. |
#6 | Copy | Copy current AD configuration into new tab, which then can be modified. |
#7 | Delete | Delete currently selected AD configuration. |
#8 | Test AD button | Ensures AD is accessible. Checks the configured domain name, search bases, employee mappings and groups. |
Search Base
Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The object class of choice for building these hierarchies is the class organizationalUnit, a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.
To define the path to a SearchBase OU, construct the entire distinguished name by following the references up to the root. Append (*) when a recursive search (the OU and all its subunits) is needed. Several SearchBases are supported, separated by semicolons.
For example, given the following Active Directory structure:
- To search only in testOU_1, not including subunits: SearchBase: ou=testOU_1, ou=TestUsers, ou=Infopulse;
- To search in TestUsers and all its subunits, use the recursive search marker “(*)”: SearchBase: ou=TestUsers, ou=Infopulse(*);
- To search in testOU_1_1 and all its subunits, and also in testOU_2 without subunits: SearchBase: ou=testOU_1_1, ou=testOU_1, ou=TestUsers, ou=Infopulse(*); ou=testOU_2, ou=TestUsers, ou=Infopulse;
Note: Organizational units must be listed from bottom (the OU searched) to top (the root).
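The SearchBase syntax above is easy to get wrong (a forgotten (*), a stray separator, OUs listed top-to-bottom), and a wrong base silently narrows or widens which users the LRA can find. The following is an added example, not Buypass code: it parses a SearchBase string into one scope per entry using the documented rules (semicolon between bases, trailing (*) for recursive search), and checks each DN against a constructed OU tree so that a DN written in the wrong order is rejected. The tree contents and the `dc=corp,dc=example` domain suffix are constructed sample values.

```python
import re
from dataclasses import dataclass

# Suffix that marks a search base as recursive (base OU and all subunits),
# as described in the SearchBase section.
RECURSIVE_MARK = "(*)"
# One RDN of the form attribute=value; the value may not contain an
# unescaped ',' or ';' because those separate RDNs and search bases.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,;]+$")


@dataclass(frozen=True)
class SearchScope:
    base_dn: str   # DN in LDAP order: leaf OU first, root last
    subtree: bool  # True: search base and all subunits; False: base only


def parse_search_base(text: str, domain_dn: str = "") -> list:
    """Split a SearchBase string into one SearchScope per semicolon-separated
    entry. domain_dn (e.g. the constructed 'dc=corp,dc=example') is appended
    so the result is a complete DN; pass '' to keep the OU-only form."""
    scopes = []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing ';' as in the documented examples
        subtree = entry.endswith(RECURSIVE_MARK)
        if subtree:
            entry = entry[: -len(RECURSIVE_MARK)].rstrip()
        rdns = [rdn.strip() for rdn in entry.split(",")]
        for rdn in rdns:
            if not _RDN_RE.match(rdn):
                raise ValueError(f"malformed RDN {rdn!r} in search base {raw!r}")
        dn = ",".join(rdns)
        if domain_dn:
            dn = f"{dn},{domain_dn}"
        scopes.append(SearchScope(dn, subtree))
    if not scopes:
        raise ValueError("SearchBase is empty")
    return scopes


# Constructed sample OU tree matching the documented example: parent -> children.
SAMPLE_TREE = {
    "ou=Infopulse": ["ou=TestUsers"],
    "ou=TestUsers": ["ou=testOU_1", "ou=testOU_2"],
    "ou=testOU_1": ["ou=testOU_1_1"],
    "ou=testOU_1_1": [],
    "ou=testOU_2": [],
}


def dn_exists(dn: str, tree: dict, root: str = "ou=Infopulse") -> bool:
    """Check that the OU part of a DN names a real path in the tree, walking
    from the root (last RDN) down to the leaf (first RDN). A DN written
    top-to-bottom, against the note above, fails this check."""
    lowered = {k.lower(): [c.lower() for c in v] for k, v in tree.items()}
    rdns = [r.strip().lower() for r in dn.split(",")]
    # ignore domain components so a full DN can be checked as well
    path = [r for r in reversed(rdns) if not r.startswith("dc=")]
    if not path or path[0] != root.lower():
        return False
    for parent, child in zip(path, path[1:]):
        if child not in lowered.get(parent, []):
            return False
    return True
```

In a real check the tree would come from an LDAP query of the organizationalUnit objects under the domain; the parser itself is independent of where the tree comes from.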
User search mapping: lookup in AD when a user card is present
- UpnPrefix - maps the UPN prefix from the certificate's Subject Alternative Name to the samAccountName field in AD (samAccountName=value). This was the only implementation until v3.4 and is the default value.
- UpnFull - maps the full UPN from the certificate's Subject Alternative Name to the UPN field in AD (userPrincipalName=value).
- SubjectCN - maps the value of the certificate's Subject.CN field to the samAccountName field in AD (samAccountName=value). Requires that the value in Subject.CN equals samAccountName.
- DistinguishedName - maps the certificate's Subject field to the DistinguishedName field in AD (distinguishedName=value). The DistinguishedName from the certificate is the user's "absolute path" in AD at the time of certificate issuance.
- Certificate - if the chosen search (one of the above) does not return a User, the LRA automatically performs another search, matching the whole certificate against the userCertificate field in AD (userCertificate=\30\82\...).
The search used by remote functions is unchanged: Buypass Access uses the UserName stored on the card as part of the remote filename, and this value is used as the search criterion, mapped to samAccountName in AD.
The search used by reports also changed in v3.4. From this version onward it uses the configuration, to be consistent. Searches in reports can use one of the first four options (a-d). If option e), whole certificate, is set up in the configuration, the report search automatically switches to option a), UPN prefix = samAccountName, as in the current implementation. A CA report entry includes certificate metadata (SubjectName, NotBefore, NotAfter, UPN, DistinguishedName, etc.) but not the certificate itself. Searching with certificates in reports is possible as well, but the search time would increase significantly: an LDAP filter over a list of certificates is huge, and the AD search becomes much slower even for a moderate number of CA report entries.
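Every mapping option above ends up as an LDAP filter whose value comes from a field of the presented certificate, so the value has to be escaped before it is placed in the filter; otherwise a certificate field containing `*`, `(` or `)` would change which AD entries the filter matches. The following is an added example, not Buypass code. It builds the filter for each documented option with RFC 4515 escaping, applies the documented fallback to the whole-certificate search, and runs against a small in-memory stand-in for AD so it works offline. The attribute names are the ones the documentation names; the certificate fields, DER bytes and directory entries are constructed samples.

```python
import re

# Attribute names are those named in the documentation; the directory content
# and certificate values below are constructed samples.


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a string value inside an LDAP filter: '*', '(',
    ')', '\\' and NUL become \\XX hex escapes, so a value copied from a
    certificate field cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_filter_bytes(data: bytes) -> str:
    """Binary values (the DER certificate) are written entirely as \\XX
    escapes, giving the userCertificate=\\30\\82... form shown above."""
    return "".join("\\%02x" % b for b in data)


def build_user_filter(mapping: str, cert: dict) -> str:
    """cert holds the certificate fields the mappings use:
    'upn', 'subject_cn', 'subject_dn' (strings) and 'der' (bytes)."""
    if mapping == "UpnPrefix":            # part of the UPN before '@'
        prefix = cert["upn"].split("@", 1)[0]
        return f"(samAccountName={escape_filter_value(prefix)})"
    if mapping == "UpnFull":
        return f"(userPrincipalName={escape_filter_value(cert['upn'])})"
    if mapping == "SubjectCN":
        return f"(samAccountName={escape_filter_value(cert['subject_cn'])})"
    if mapping == "DistinguishedName":
        return f"(distinguishedName={escape_filter_value(cert['subject_dn'])})"
    if mapping == "Certificate":
        return f"(userCertificate={escape_filter_bytes(cert['der'])})"
    raise ValueError(f"unknown user search mapping {mapping!r}")


def lookup_user(mapping: str, cert: dict, search) -> list:
    """Documented fallback: if the configured mapping finds nobody, retry with
    the whole certificate. 'search' maps an LDAP filter to a list of DNs; in
    production it would wrap the real AD query."""
    hits = search(build_user_filter(mapping, cert))
    if not hits and mapping != "Certificate":
        hits = search(build_user_filter("Certificate", cert))
    return hits


# --- In-memory stand-in for AD so the example runs offline -------------------
_SIMPLE_FILTER = re.compile(r"^\(([A-Za-z]+)=(.*)\)$")


def _unescape(value: str) -> bytes:
    """Reverse the \\XX escaping (only needed by the stand-in directory)."""
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode("ascii")),
                  value.encode("utf-8"))


def make_memory_search(entries: list):
    """Return a search function over entries (dicts with lower-case attribute
    names) that understands the single (attr=value) filters built above."""
    def search(ldap_filter: str) -> list:
        m = _SIMPLE_FILTER.match(ldap_filter)
        if not m:
            raise ValueError("stand-in directory only supports (attr=value)")
        attr, wanted = m.group(1).lower(), _unescape(m.group(2))
        found = []
        for entry in entries:
            stored = entry.get(attr)
            if isinstance(stored, bytes):
                if stored == wanted:
                    found.append(entry["dn"])
            elif isinstance(stored, str):
                if stored.lower() == wanted.decode("utf-8", "replace").lower():
                    found.append(entry["dn"])
        return found
    return search


SAMPLE_CERT = {                        # constructed certificate fields
    "upn": "jdoe@corp.example",
    "subject_cn": "jdoe",
    "subject_dn": "CN=jdoe,OU=TestUsers,DC=corp,DC=example",
    "der": bytes.fromhex("308201a2"),  # first bytes of a constructed DER blob
}
SAMPLE_DIRECTORY = [                   # constructed AD content
    {
        "dn": "CN=jdoe,OU=TestUsers,DC=corp,DC=example",
        "samaccountname": "jdoe",
        "userprincipalname": "jdoe@corp.example",
        "distinguishedname": "CN=jdoe,OU=TestUsers,DC=corp,DC=example",
        "usercertificate": bytes.fromhex("308201a2"),
    },
]
```

A certificate whose Subject.CN is `*` produces the filter `(samAccountName=\2a)` and matches nobody, which is the behaviour you want: the lookup must only ever match the one account the certificate was issued to, and the fallback to userCertificate then decides.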
Active directory - employee mappings
Id | Description | Comments |
---|---|---|
#1 | Update button | Gets list of available mapping fields from AD |
#2 | First name | First name should consist of the first and middle name |
#3 | Last name | Last name should consist of last name only |
#4 | Official email of User in the organization | |
#5 | SSN in AD mapping** | 11-digit number consisting of the date of birth (6 digits in the format ddmmyy) and the social security number (5 digits). Available forms: Note: the date format is case sensitive. Additional information about date and time formats can be found on Microsoft's pages. |
#6 | Issuer Key mapping** | AD field to be used as IssuerKey. Should be unique per organization. UserName will be transferred to Buypass if MixedMode and used as lookup on search. Must not be changed without notifying Buypass. |
** For any AD mapping field you can use any AD attribute listed in the AD Attributes List. Use the selected attribute's «LDAP-Display-Name».
On search, the client reads the configuration and searches AD based on it. If the fields in AD do not correspond to the configuration, the Operator may see strange information in the GUI, or the User may not be found at all.
Example: if AD has the SSN registered in one field but the configuration maps it to two fields, the SSN will show the content of field 1 twice: 21036912345 in the AD field becomes 2103691234521036912345 in the GUI.
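The doubled-SSN case above is cheap to catch before an operator ever sees it, because the documented format (11 digits, ddmmyy followed by 5 digits) gives a concrete check to run on the composed value. The following is an added example, not Buypass code: it composes the SSN from the configured AD attributes the way the text describes (concatenation in configuration order) and reports the configuration problems that produce a bad value. The AD record and the `employeeNumber` attribute name are constructed; the check treats the first six digits as a plain ddmmyy date, exactly as the table describes it.

```python
from datetime import datetime


def compose_ssn(record: dict, mapped_fields: list) -> str:
    """Concatenate the mapped AD attributes in configuration order, which is
    how the documented example produces a doubled value."""
    return "".join(str(record.get(field) or "") for field in mapped_fields)


def check_ssn(value: str) -> list:
    """Return a list of problems with an SSN value; empty means it looks valid."""
    problems = []
    if not value.isdigit():
        problems.append("SSN contains non-digit characters")
    if len(value) != 11:
        problems.append(f"SSN has {len(value)} digits, expected 11")
    if len(value) >= 6 and value[:6].isdigit():
        try:
            datetime.strptime(value[:6], "%d%m%y")  # date of birth, ddmmyy
        except ValueError:
            problems.append(f"first six digits {value[:6]!r} are not a ddmmyy date")
    return problems


def check_ssn_mapping(record: dict, mapped_fields: list) -> tuple:
    """Compose the SSN as the client would and report configuration problems:
    the same attribute mapped twice, an empty attribute, or a result that is
    not a valid SSN. Returns (composed_value, problems)."""
    problems = []
    if len({f.lower() for f in mapped_fields}) != len(mapped_fields):
        problems.append("the same AD attribute is mapped more than once")
    missing = [f for f in mapped_fields if not record.get(f)]
    if missing:
        problems.append(f"mapped attribute(s) empty in AD: {', '.join(missing)}")
    composed = compose_ssn(record, mapped_fields)
    return composed, problems + check_ssn(composed)


# Constructed AD record; 'employeeNumber' is an assumed attribute name.
SAMPLE_USER = {"employeeNumber": "21036912345", "cn": "jdoe"}
```

Run against the constructed record, mapping `employeeNumber` once gives the 11-digit value with no problems; mapping it twice gives the 22-digit value from the documented example together with the "mapped more than once" finding.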
Active directory - group mappings
Id | Description | Comments |
---|---|---|
#1 | Update button | Gets list of available groups from AD |
#2 | Local certificate group | Users belonging to the Local certificate group will have a local certificate issued (LC). |
#3 | Operator group | Users belonging to the Operator group will have an enrollment agent certificate issued (EA). |
#4 | Administrator group | Users belonging to the Administrator group will have an enrollment agent certificate issued (EA). |
#5 | Qualified certificate group | Users belonging to the Qualified certificate group will have a pair of qualified certificates issued (QC). |
Certificate Authority - CA
Id | Description | Comments |
---|---|---|
#1 | Server name | Defines the common name of the CA configuration. The Select button obtains the CA name automatically. Example: ca.testlab.local\Testlab CA |
#2 | Update button | Gets certificate templates |
#3 | Logon template | Name of the template; if an OID is shown instead, as in the example, the template is unknown |
#4 | Temporary template | Name of the template; if an OID is shown instead, as in the example, the template is unknown |
#5 | Enrollment agent template | Name of the template; if an OID is shown instead, as in the example, the template is unknown |
#6 | Test CA button | Ensures the CA is accessible and the template fields are not empty |
A check implemented in v3.6 makes it no longer possible to search for CA templates without a corresponding OID.
Reports
Id | Description | Comments |
---|---|---|
#1 | Path to reports output directory | File area for storage of reports. |
#2 | Test button | Pressing the TEST button generates a file in the area, stores it and then deletes it. |
Document Registry
Id | Description | Comments |
---|---|---|
#1 | Local document registry path | File area for storage of the PDF documents generated when LRA functions are run. |
#2 | Test button | Pressing the TEST button generates a file in the area, stores it and then deletes it. |
Remote functions
Id | Description | Comments |
---|---|---|
#1 | Remote functions enabling checkbox | Tick this checkbox if the organization uses remote functions for Users at remote locations. It gives access to the Remote functions menu: when checked, the Remote functions menu appears in the LRA. |
#2 | Auto check request count | Tick this checkbox if the number of remote certificate requests should be counted and shown in the Main menu. |
#3 | Path to requests | File area for storage of remote certificate requests. |
#4 | Path to responses | File area for storage of the generated certificates, which act as responses to remote requests. |
#5 | Requests polling interval | Defines the polling interval in milliseconds. Default value is 2000. |
#6 | Max number of attempts | Defines the maximum number of times the LRA client retries accessing the remote area. Default value is 30. |
#7 | Test button | Pressing the TEST button generates a file in the area, stores it and then deletes it. |
Buypass mapping
Id | Description | Comments |
---|---|---|
#1 | Merchant ID | Merchant ID connected to the organization. Provided by Buypass. |
#2 | Timeout | Maximum time to wait for a response from LTS (the Buypass interface) |
#3 | Endpoint address | Address for PROD: https://www.buypass.no/weblts/p1 Address for TEST: https://www.test4.buypass.no/weblts/p1 |
#4 | Merchant certificate serial number | Serial number of the merchant certificate installed in the certificate store. The SELECT button obtains the certificate serial number automatically. The certificate should be installed as described in the LRA Client readme. |
#5 | Use SSN as IssuerKey | Possibility to register a UserName other than SSN in BUYPASS MODE: |
#6 | Test LTS connection button | Signs a request and sends it to LTS, expecting an OK response |
Issue process
Id | Description | Comments |
---|---|---|
#1 | Agreement sign required | Tick this checkbox if the User should accept an agreement on first-time issuance of local certificates. |
#2 | User scan and document scan required | Tick this checkbox if the User should sign and have his ID document scanned on first-time issuance of local certificates. |
#3 | Allow more Local certificates | Enables the possibility to issue additional local certificates in the ID card scenario. |
#4 | Allow Operator identification | Enables the possibility for the Operator to state that the User is known and no extra identification is needed. In smaller organizations where "everyone knows everyone" this makes the issuance process easier, but the Operator still has the responsibility to identify the User. |
#4 | Document scan required on replace | Tick this checkbox if the User should have his ID document scanned on issuance of a replacement for both local and qualified certificates. |
#4 | Third party identification enabled | Tick this checkbox if the organization allows third-party identification in cases where the User has forgotten his own ID document. |
#5 | Timeout | Third party card waiting timeout |
Test all tabs for master config
Id | Description | Comments |
---|---|---|
#1 | Test all button | Tests all backends/devices with current settings and shows aggregated results. |
#2 | Test result area | - |