This document is written in English only
Configuration Application is a standalone application to provide GUI for configuration XML file. Configuration Application located in the same directory with installed LRA Client. Name of executable is ConfigurationApplication.exe.
Default setup folder has from v3.4 changed to Buypass Access Manager, so it has changed from:
Windows x32 – Program Files\Buypass\Lra Client
Windows x64 – Program Files (x86)\Buypass\Lra Client
To:
Windows x32 – Program Files\Buypass\Buypass Access Manager
Windows x64 – Program Files (x86)\Buypass\ Buypass Access Manager
Also link to ConfigurationApplication.exe is placed in Start menu (Windows 7).
Logs
Id | Description | Comments |
---|---|---|
#1 | Severity | Desired severity for default log (trace.log file in the app directory)
|
SignPad
Id | Description | Comments |
---|---|---|
#1 | Test SignPad button | Ensures SignPad is accessible. |
Test all tabs for local config
Id | Description | Comments |
---|---|---|
#1 | Test all button | Tests all devices with current settings and shows aggregated results. User cardreader communication check includes PinPad hardware and service check for ACR88/89. Scanner runs a get image check. SignPad runs a communication check. |
#2 | Test result area | - |
Master Configuration
Master configuration file contains parameters that are common to all LRA stations within one organization. This file is usually stored in a shared area.
Common
Id | Description | Comments |
---|---|---|
#1 | LRA mode | Different configurations of LRA-client; Local issues local certificates only, Buypass issues qualified certificates only and Mixed issues both local and qualified certificates. Mixed mode is default value. Unnecessary tabs will be disabled at left panel. |
#2 | Company name | Name of organization will be written in all PDF documents generated. If organization has more LRA-clients situated in different locations - name can show department. |
Smartcard
Id | Description | Comments |
---|---|---|
#1 | Local certificates key length | Defines the certificate size generated on the smartcard. Valid values:
Value chosen must be in compliance with key length in template. |
Active directory - common
Id | Description | Comments |
---|---|---|
#1 | Domain | Defines the name of the domain controller. Example: testdc:389. Default-button gets available ADs and you will be able to choose the correct one. |
#2 | SearchBase | Defines the search path for searching for Users in AD. Different OU's (directories) in AD can be defined and included. See more details below under Search Base. |
#3 | Use nested groups | If Users are connected to usergroups in AD, which in turn are linked to the certification groups rather than linking one and User to one or more certificate groups this check box must be ticked off. |
#4 | User search mapping | Options - see more details below under User search mapping.
|
#5 | Add | Create new AD configuration. Will be created and available on the left tabs list. |
#6 | Copy | Copy current AD configuration into new tab, which then can be modified. |
#7 | Delete | Delete currently selected AD configuration. |
#8 | Test AD button | Ensures AD is accessible. Checks configured domain name, searchbases, employee mappings and groups. |
Search Base
Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The object class of choice for building these hierarchies is the class organizationalUnit, a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.
To define path to SearchBase OU-s you need to construct the entire distinguished name by following references to the root. You can use (*) in case of recursive search needed. Several SearchBases supported separated by semicolon.
For example: we have this Active Directory structure:
- If you need to search only in testOU_1 and not include subunits: SearchBase: ou=testOU_1, ou=TestUsers, ou=Infopulse;
- If you need to search in TestUsers and all subunits, you need to use sign of recursive search – “(*)”. SearchBase: ou=TestUsers, ou=Infopulse(*);
- If you need to search in OU-s testOU_1_1 and all subunits, and also search in testOU_2 without subunits: SearchBase: ou=testOU_1_1, ou=testOU_1, ou=TestUsers, ou=Infopulse(*); ou=testOU_2, ou=TestUsers, ou=Infopulse;
Note: Order of organization units must be specified from bottom to top.
User Search mapping with lookup in AD when Usercard present
- UpnPrefix - maps prefix UPN from Subject Alternative Name in certificate to samAccountName field in AD (samAccountName =value). This has been the only possible implementation until v3.4 and is default value
- UpnFull - maps full UPN from Subject Alternative Name in certificate to UPN field in AD (userPrincipalName =value)
- SubjectCN - maps value from Subject.CN field from certificate to samAccountName field in AD (samAccountName =value) Requires that value in Subject.CN = samAccountName
- DistinguishedName - maps value from Subject field from certificate to DistinguishedName field in AD (distinguishedName =value) DistinguishedName from certificate is used as user’s “absolute path” in AD at the time of certificate issuance
- Certificate - If chosen search (one of the above) does not return User the LRA will automatically do another search mapping whole certificate itself to userCertificate field in AD (userCertificate=\30\82\...)
Search connected to remote functions is not changed. Buypass Access uses UserName stored in the card as part of remote filename and this will be used as search criteria and mapped to AD as samAccountName.
Search connected to reports is also changed in v3.4. From this version and onward it is using the configuration in order to be consistent. Searches in reports can use one of the four first options (a-d). If option e) whole certificate, is set up in configuration the search will automatically switch to use option a) upn prefix = samAccountName, as in current implementation. CA report entry includes certificate metadata (SubjectName, NotBefore, NotAfter, UPN, DistinguishedName, etc.), but not certificate itself. It is possible to search with certificate in reports as well, but then the time of searching will significantly increase. LDAP filter for search using list of certificates will be huge and search in AD much slower even for moderate number of CA report entries.
Active directory - employee mappings
Id | Description | Comments |
---|---|---|
#1 | Update button | Gets list of available mapping fields from AD |
#2 | First name | First name should consist of first and middel name |
#3 | Last name | Last name should consist of last name only |
#4 | Official email of User in the organization | |
#5 | Issuer Key mapping** | AD field to be used as IssuerKey. Should be unique per organization. UserName will be transferred to Buypass if MixedMode and used as lookup on search. Must not be changed without notifying Buypass. |
#5 | SSN in AD mapping** | 11 digits number which consist of date of birth (6 digits on format ddmmyy) and social security number (5 digits). Available forms:
Note: Date format is case sensitive. Additional information about date and time formats can be found here on Microsofts pages. |
#6 | Issuer Key mapping** | AD field to be used as IssuerKey. Should be unique per organization. UserName will be transferred to Buypass if MixedMode and used as lookup on search. Must not be changed without notifying Buypass. |
** For any AD mapping fields you can use any AD attribute listed in AD Attributes List. For selected AD attribute «LDAP-Display-Name» should be used.
On search the client is reading the configuration and searches AD based on this. If the fields in AD does not correspond to configuration the Operator may have strange information in GUI OR User will perhapes not be found.
Excample: If AD has SSN registered in 1 field, but in the configuration this is mapped to 2 fields, then SSN will show the content from field 1 twice. 21036912345 in AD-field will be 2103691234521036912345 in GUI.
Active directory - group mappings
Id | Description | Comments |
---|---|---|
#1 | Update button | Gets list of available groups from AD |
#2 | Local certificate group | Users belonging to Local certificate group will have local certificate issued (LC). |
#3 | Operator group | Users belonging to Operator group will have enrollment agent certificate issued (EA). |
#4 | Administrator group | Users belonging to Administrator group will have enrollment agent certificate issued (EA). |
#5 | Qualified certificate group | Users belonging to Qualified certificate group will have a par of qualified certificates issued (QC). |
Certificate Authority - CA
Id | Description | Comments |
---|---|---|
#1 | Server name | Defines the common name of the CA configuration. Button Select allows to obtain CA name automatically. Example: ca.testlab.local\Testlab CA |
#2 | Update button | Gets certificate templates |
#3 | Logon template | Name of template - if you get OID as in the example the template is unknown |
#4 | Temporary template | Name of template - if you get OID as in the example the template is unknown |
#5 | Enrollment agent template | Name of template - if you get OID as in the example the template is unknown |
#6 | Test CA button | Ensures CA is accessible and template fields are not empty |
Implemented a check in v3.6 so there are no longer possible to search for CA templates without a corresponding OID.
Reports
Id | Description | Comments |
---|---|---|
#1 | Path to reports output directory | Filearea for storage of reports. |
#2 | Test button | When pushing a TEST button we generate a file then store it and delete. |
Document Registry
Id | Description | Comments |
---|---|---|
#1 | Local document registry path | Filearea for storage of PDF documents generated when LRA functions are run. |
#2 | Test button | When pushing a TEST button we generate a file then store it and delete. |
Remote functions
Id | Description | Comments |
---|---|---|
#1 | Remote functions enabling checkbox | If organization is using remote functions having Users at remote locations this checkbox must be ticked off. Give access to Remote function menu. If checked remote functions menu appears in LRA |
#2 | Auto check request count | If number of remote certificate request should be counted and shown in Main menu this checkbox must be ticked off. |
#3 | Path to requests | Filearea for storage of remote certificate requests. |
#4 | Path to responses | Filearea for storage of certificates generated which act as responses of remote requests. |
#5 | Requests pooling interval | Defines the polling interval in milliseconds. Default value is 2000. |
#6 | Max number of attempts | Defines the maximum retry times the LRA client tries to acces the remote area. Default value is 30. |
#7 | Test button | When pushing a TEST button we generate a file then store it and delete. |
Buypass mapping
Id | Description | Comments |
#1 | Merchant ID | Merchant ID connected to organization. Will be provided by Buypass |
#2 | Timeout | Max time of waiting response from LTS - the Buypass interface |
#3 | Endpoint address | Address for PROD: https://www.buypass.no/weblts/p1 Address for TEST: https://www.test4.buypass.no/weblts/p1 |
#4 | Merchant certificate serial number | Serial number of merchant certificate installed in certstore. By using button SELECT you can obtain certificate serial key automatically Certificate should be installed as described in LRA Client readme |
#5 | Use SSN as IssuerKey | Possibility to register a UserName other than SSN in BUYPASS MODE:
|
#6 | Test LTS connection button | Signing a request and send it to LTS to get a response OK |
Issue process
Id | Description | Comments |
---|---|---|
#1 | Agreement sign required | If User should accept agreement on first time issuance of local certificates this ceckbox must be ticked off. |
#2 | User scan and document scan required | If User should sign and get his ID document scanned on first time issuance of local certificates this ceckbox must be ticked off. |
#3 | Allow more Local certificates | Enables possibility to issue additional local certificates in ID card scenario. |
#4 | Allow Operator identification | Enables possibility for the Operator to say that User is known and there are no need of extra identification. In smaller organizations where "everyone knows everyone" this will make the issuance process easier, .... but the Operator still have the responsibility to identify the user. |
#4 | Document scan required on replace | If User should get his ID document scanned on issuance of replacement of both local and qualified certificates this ceckbox must be ticked off. |
#4 | Third party identification enabled | If organization allow 3.party identification in cases where User has forgotten his own ID document this checkbox must be ticked off. |
#5 | Timeout | Third party card waiting timeout |
Test all tabs for master config
Id | Description | Comments |
---|---|---|
#1 | Test all button | Tests all backends/devices with current settings and shows aggregated results. |
#2 | Test result area | - |