Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

 

 (lightbulb) This document is written in English only

 

Unable to render {include} The included page could not be found.

Tip!
This documentation applies only to .net-version of Buypass Access Manager. It provides a description for the LRA responsible in the organization of how to set up and configure the LRA

 

Configuration Application is a standalone application to provide GUI for configuration XML file. Configuration Application located in the same directory with installed LRA Client. Name of executable is ConfigurationApplication.exe.

Default setup folder has from v3.4 changed to Buypass Access Manager, so it has changed from:

Windows x32 – Program Files\Buypass\Lra Client

Windows x64 – Program Files (x86)\Buypass\Lra Client

To:

Windows x32 – Program Files\Buypass\Buypass Access Manager

Windows x64 – Program Files (x86)\Buypass\ Buypass Access Manager

 

Also link to ConfigurationApplication.exe is placed in Start menu (Windows 7).

 

 

 

 

 

 

Logs

 

Id

Description

Comments

#1

Severity

Desired severity for default log (trace.log file in the app directory)

  1. Verbose - debugging trace
  2. Information - non critical problem
  3. Warning - Informational message
  4. Error - Recoverable error
  5. Critical - Fatal error or application crash

 

SignPad

Id

Description

Comments

#1

Test SignPad button

Ensures SignPad is accessible.

 

Test all tabs for local config

Id

Description

Comments

#1

Test all button

 Tests all devices with current settings and shows aggregated results. User cardreader communication check includes PinPad hardware and service check for ACR88/89. Scanner runs a get image check. SignPad runs a communication check.

#2

Test result area

-

 

 

Master Configuration

Master configuration file contains parameters that are common to all LRA stations within one organization. This file is usually stored in a shared area.

Common

 

Id

Description

Comments

#1

LRA mode

Different configurations of LRA-client; Local issues local certificates only, Buypass issues qualified certificates only and Mixed issues both local and qualified certificates.

Mixed mode is default value.

Unnecessary tabs will be disabled at left panel.

#2

Company name

Name of organization will be written in all PDF documents generated. If organization has more LRA-clients situated in different locations - name can show department.

 

 

Smartcard

Id

Description

Comments

#1

Local certificates key length

Defines the certificate size generated on the smartcard.

Valid values:

  1. 0x80 : 1024 bits = 128 bytes
  2. 0xC0: 1536 bits = 192 bytes – default
  3. 0xE2 : 1808 bits = 226 bytes
  4. 0xFE : 2032 bits = 254 bytes

Value chosen must be in compliance with key length in template.

 

Active directory - common

 

Id

Description

Comments

#1

Domain

Defines the name of the domain controller. Example: testdc:389. Default-button gets available ADs and you will be able to choose the correct one.

#2

SearchBase

Defines the search path for searching for Users in AD. Different OU's (directories) in AD can be defined and included. See more details below under Search Base.

#3

Use nested groups

If Users are connected to usergroups in AD, which in turn are linked to the certification groups rather than linking one and User to one or more certificate groups this check box must be ticked off.

#4User search mapping

Options - see more details below under User search mapping.

  1. UpnPrefix
  2. UpnFull
  3. SubjectCn
  4. DistinguishedName
  5. Certificate
#5AddCreate new AD configuration. Will be created and available on the left tabs list.
#6CopyCopy current AD configuration into new tab, which then can be modified.
#7DeleteDelete currently selected AD configuration.

#8

Test AD button

Ensures AD is accessible. Checks configured domain name, searchbases, employee mappings and groups.

 

Search Base

Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The object class of choice for building these hierarchies is the class organizationalUnit, a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.

To define path to SearchBase OU-s you need to construct the entire distinguished name by following references to the root. You can use (*) in case of recursive search needed. Several SearchBases supported separated by semicolon.

For example: we have this Active Directory structure:

  1. If you need to search only in testOU_1 and not include subunits: SearchBase: ou=testOU_1, ou=TestUsers, ou=Infopulse;
  2. If you need to search in TestUsers and all subunits, you need to use sign of recursive search – “(*)”. SearchBase: ou=TestUsers, ou=Infopulse(*);
  3. If you need to search in OU-s testOU_1_1 and all subunits, and also search in testOU_2 without subunits: SearchBase: ou=testOU_1_1, ou=testOU_1, ou=TestUsers, ou=Infopulse(*); ou=testOU_2, ou=TestUsers, ou=Infopulse;

Note: Order of organization units must be specified from bottom to top.


User Search mapping with lookup in AD when Usercard present

  1. UpnPrefix - maps prefix UPN from Subject Alternative Name in certificate to samAccountName field in AD (samAccountName =value). This has been the only possible implementation until v3.4 and is default value
  2. UpnFull - maps full UPN from Subject Alternative Name in certificate to UPN field in AD (userPrincipalName =value)
  3. SubjectCN - maps value from Subject.CN field from certificate to samAccountName field in AD (samAccountName =value) Requires that value in Subject.CN = samAccountName
  4. DistinguishedName - maps value from Subject field from certificate to DistinguishedName field in AD (distinguishedName =value) DistinguishedName from certificate is used as user’s “absolute path” in AD at the time of certificate issuance
  5. Certificate - If chosen search (one of the above) does not return User the LRA will automatically do another search mapping whole certificate itself to userCertificate field in AD (userCertificate=\30\82\...)

Search connected to remote functions is not changed. Buypass Access uses UserName stored in the card as part of remote filename and this will be used as search criteria and mapped to AD as samAccountName.

Search connected to reports is also changed in v3.4. From this version and onward it is using the configuration in order to be consistent. Searches in reports can use one of the four first options (a-d). If option e) whole certificate, is set up in configuration the search will automatically switch to use option a) upn prefix = samAccountName, as in current implementation. CA report entry includes certificate metadata (SubjectName, NotBefore, NotAfter, UPN, DistinguishedName, etc.), but not certificate itself. It is possible to search with certificate in reports as well, but then the time of searching will significantly increase. LDAP filter for search using list of certificates will be huge and search in AD much slower even for moderate number of CA report entries.

Active directory - employee mappings

 

Id

Description

Comments

#1

Update button

Gets list of available mapping fields from AD

#2

First name

First name should consist of first and middel name

#3

Last name

Last name should consist of last name only

#4

Email

Official email of User in the organization

#5

Issuer Key mapping**

AD field to be used as IssuerKey. Should be unique per organization.

UserName will be transferred to Buypass if MixedMode and used as lookup on search. Must not be changed without notifying Buypass.

#5

SSN in AD mapping**

11 digits number which consist of date of birth (6 digits on format ddmmyy) and social security number (5 digits).

Available forms:

  1. Direct mapping of full SSN: “AdField”
  2. Full SSN in two fields: “AdBirthdate{ddMMyyyy};Ssn2Field”
  3. Partly. Only birthdate: “AdBirthdate{ddMMyyyy}”
  4. None

Note: Date format is case sensitive. Additional information about date and time formats can be found here on Microsofts pages.

#6

Issuer Key mapping**

AD field to be used as IssuerKey. Should be unique per organization.

UserName will be transferred to Buypass if MixedMode and used as lookup on search. Must not be changed without notifying Buypass.

** For any AD mapping fields you can use any AD attribute listed in AD Attributes List. For selected AD attribute «LDAP-Display-Name» should be used.

 

(warning)  On search the client is reading the configuration and searches AD based on this. If the fields in AD does not correspond to configuration the Operator may have strange information in GUI OR User will perhapes not be found. 

Excample: If AD has SSN registered in 1 field, but in the configuration this is mapped to 2 fields, then SSN will show the content from field 1 twice. 21036912345 in AD-field will be 2103691234521036912345 in GUI.

 

Active directory - group mappings

 

Id

Description

Comments

#1

Update button

Gets list of available groups from AD

#2

Local certificate group

Users belonging to Local certificate group will have local certificate issued (LC).

#3

Operator group

Users belonging to Operator group will have enrollment agent certificate issued (EA).

#4

Administrator group

Users belonging to Administrator group will have enrollment agent certificate issued (EA).

#5

Qualified certificate group

Users belonging to Qualified certificate group will have a par of qualified certificates issued (QC).

 

Certificate Authority - CA

 

Id

Description

Comments

#1

Server name

Defines the common name of the CA configuration. Button Select allows to obtain CA name automatically.

Example: ca.testlab.local\Testlab CA

#2

Update button

Gets certificate templates

#3

Logon template

Name of template - if you get OID as in the example the template is unknown

#4

Temporary template

Name of template - if you get OID as in the example the template is unknown

#5

Enrollment agent template

Name of template - if you get OID as in the example the template is unknown

#6

Test CA button

Ensures CA is accessible and template fields are not empty

 

(warning) Implemented a check in v3.6 so there are no longer possible to search for CA templates without a corresponding OID.

 

Reports

 

Id

Description

Comments

#1

Path to reports output directory

Filearea for storage of reports.

#2

Test button

When pushing a TEST button we generate a file then store it and delete.

 

Document Registry

 

Id

Description

Comments

#1

Local document registry path

Filearea for storage of PDF documents generated when LRA functions are run.

#2

Test button

When pushing a TEST button we generate a file then store it and delete.

 

Remote functions

Id

Description

Comments

#1

Remote functions enabling checkbox

If organization is using remote functions having Users at remote locations this checkbox must be ticked off. Give access to Remote function menu.

If checked remote functions menu appears in LRA

#2

Auto check request count

If number of remote certificate request should be counted and shown in Main menu this checkbox must be ticked off.

#3

Path to requests

Filearea for storage of remote certificate requests.

#4

Path to responses

Filearea for storage of certificates generated which act as responses of remote requests.

#5

Requests pooling interval

Defines the polling interval in milliseconds. Default value is 2000.

#6

Max number of attempts

Defines the maximum retry times the LRA client tries to acces the remote area. Default value is 30.

#7

Test button

When pushing a TEST button we generate a file then store it and delete.

 

Buypass mapping

 

Id

Description

Comments

#1

Merchant ID

Merchant ID connected to organization. Will be provided by Buypass

#2

Timeout

Max time of waiting response from LTS - the Buypass interface

#3

Endpoint address

Address for PROD: https://www.buypass.no/weblts/p1

Address for TEST: https://www.test4.buypass.no/weblts/p1

#4

Merchant certificate serial number

Serial number of merchant certificate installed in certstore. By using button SELECT you can obtain certificate serial key automatically 

Certificate should be installed as described in LRA Client readme

#5

Use SSN as IssuerKey

Possibility to register a UserName other than SSN in BUYPASS MODE:

  • If IssuersKey=SSN=TRUE the field of UserName will be disabled in Preregistration-gui.
    Filling in SSN should not as today duplicate the UserName-field.
    The UserName-field should be kept disabled, because duplicating will confuse more than make sense.
  • If IssuersKey=SSN=FALSE then UserName-field must be enabled and Operator must enter whatever value in this field additionally in SSN.

#6

Test LTS connection button

Signing a request and send it to LTS to get a response OK

 

Issue process

Id

Description

Comments

#1

Agreement sign required

If User should accept agreement on first time issuance of local certificates this ceckbox must be ticked off.
NOTE: For first time issuance of qualified certificates the User must always accept the agreement.

#2

User scan and document scan required

If User should sign and get his ID document scanned on first time issuance of local certificates this ceckbox must be ticked off.
NOTE: For first time issuance of qualified certificates the User must allways sign and get his ID document scanned.

#3Allow more Local certificatesEnables possibility to issue additional local certificates in ID card scenario.
#4Allow Operator identificationEnables possibility for the Operator to say that User is known and there are no need of extra identification. In smaller organizations where "everyone knows everyone" this will make the issuance process easier, .... but the Operator still have the responsibility to identify the user.

#4

Document scan required on replace

If User should get his ID document scanned on issuance of replacement of both local and qualified certificates this ceckbox must be ticked off.

#4

Third party identification enabled

If organization allow 3.party identification in cases where User has forgotten his own ID document this checkbox must be ticked off.
3.party identification means another colleague in organization is using his smartcard to verify the Users identity.

#5

Timeout

Third party card waiting timeout

 

Test all tabs for master config

Id

Description

Comments

#1

Test all button

Tests all backends/devices with current settings and shows aggregated results.

#2

Test result area

-

 

 

Content this page  

Unable to render {include} The included page could not be found.

Unable to render {include} The included page could not be found.

 

Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
 
Unable to render {include} The included page could not be found.
 

 

  • No labels