DIGIPASS Authentication for Epic Hyperspace
Administrator Guide
3.6
Disclaimer of Warranties and Limitations of Liabilities
Legal Notices
Copyright © 2015 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.
Trademarks
VASCO®, VACMAN®, IDENTIKEY®, aXsGuard®, DIGIPASS®, CertiID®, CRONTO™, CRONTOSIGN™,
MYDIGIPASS.COM™, the MYDIGIPASS.COM MD Lock logo, the DP+ logo, the VASCO ‘V’ logo and the Cronto
logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security
International GmbH in the U.S. and other countries.
VASCO reserves all rights to the trademarks, service marks and logos of VASCO and its subsidiaries.
Intellectual Property
VASCO Software, documents and related materials (“Materials”) made available on the Site contain proprietary
and confidential information. All title, rights and interest in VASCO Software and Materials, updates and
upgrades thereof, including software rights, copyrights, patent rights, trade secret rights, sui generis database
rights, and all other intellectual and industrial property rights, vest exclusively in VASCO or its licensors. No
VASCO Software or Materials published in this Site may be downloaded, copied, transferred, disclosed,
reproduced, redistributed, or transmitted in any form or by any means, electronic, mechanical or otherwise, for
any commercial or production purpose, except as otherwise marked or when expressly permitted by VASCO in
writing.
Disclaimer
VASCO accepts no liability for the accuracy, completeness, or timeliness of Site content, or for the reliability of
links to and content of external or third party websites.
VASCO shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your
company, or any third party arising from the use or inability to use VASCO Software or Materials, or any third
party material available or downloadable from the Site. VASCO will not be liable in relation to any loss/damage
caused by modification of these Legal Notices or Site content.
Reservation
VASCO reserves the right to modify these Notices and the content at any time. VASCO likewise reserves the
right to withdraw or revoke consent or otherwise prohibit use of the VASCO Software or Materials if such use
does not conform to the terms of any written agreement between VASCO and you, or other applicable terms
that VASCO publishes from time to time.
Date: 2015-08-21
Table of Contents
1 Introduction
  1.1 About This Administrator Guide
    1.1.1 How to Use This Manual
    1.1.2 Document Conventions
    1.1.3 Providing Feedback
2 DIGIPASS Authentication for Epic Hyperspace Overview
  2.1 General Overview
    2.1.1 Overview of DIGIPASS Authentication for Epic Hyperspace
  2.2 DIGIPASS Authentication Module Terminology
  2.3 Authentication Methods
  2.4 Server Connection Management
    2.4.1 Connection Profiles
    2.4.2 Connection Options
    2.4.3 Standard Server Setup
  2.5 Tracing
3 Installing DIGIPASS Authentication for Epic Hyperspace
  3.1 System Requirements
    3.1.1 Software Requirements
  3.2 Pre-Installation Tasks
    3.2.1 Installing the Authentication Server
    3.2.2 Epic Hyperspace
    3.2.3 Information Needed
  3.3 Installing DIGIPASS Authentication for Epic Hyperspace
  3.4 Using the DIGIPASS Authentication for Epic Hyperspace Configuration Wizard
    3.4.1 Configuring DIGIPASS Authentication for Epic Hyperspace
4 Configuring DIGIPASS Authentication Module
  4.1 Using the DIGIPASS Authentication for Epic Hyperspace Configuration Center
    4.1.1 Starting DIGIPASS Authentication Module Configuration Center
    4.1.2 Configuring Servers and Connections
    4.1.3 Configuring Authentication
    4.1.4 Configuring Tracing
    4.1.5 Viewing Product Information
  4.2 Editing the Configuration File
    4.2.1 Example Configuration File
    4.2.2 Configuration Settings
      4.2.2.1 Servers and Connections
      4.2.2.2 Tracing
    4.2.3 Authentication XML Settings
  4.3 Configuring the Authentication Server
    4.3.1 Client Record
    4.3.2 Configuring for Windows User Accounts
      4.3.2.1 Windows user name resolution
      4.3.2.2 Case sensitivity
      4.3.2.3 Default domain
    4.3.3 Policy
      4.3.3.1 DIGIPASS users log in with OTP only (Windows user accounts)
      4.3.3.2 DIGIPASS users log in with password and OTP (Windows user accounts)
      4.3.3.3 Local authentication only
      4.3.3.4 1-Step Challenge/Response
      4.3.3.5 2-Step Challenge/Response
      4.3.3.6 Virtual DIGIPASS
5 Post-Installation Tasks
  5.1 Enabling the Response-Only Login or 2-Step Challenge/Response Login
  5.2 Enabling the 1-Step Challenge/Response Login Page
6 Troubleshooting
  6.1 DIGIPASS Authentication Module Installation Problems
    6.1.1 Checking File Placement
    6.1.2 Trace file location
  6.2 Other Troubleshooting Options
    6.2.1 No Trace File
    6.2.2 Information from Trace File
    6.2.3 Authentication Server
    6.2.4 DIGIPASS Authentication Module could not load
  6.3 Repairing the Installation
7 Uninstalling DIGIPASS Authentication for Epic Hyperspace
  7.1 Uninstalling DIGIPASS Authentication for Epic Hyperspace
8 Technical Support
Illustration Index
Figure 1: DIGIPASS Authentication Module Overview
Figure 2: Standard Server Connection Configuration
Figure 3: Installing DIGIPASS Authentication Module (1)
Figure 4: Installing DIGIPASS Authentication Module (2)
Figure 5: Installing DIGIPASS Authentication Module (3)
Figure 6: Installing DIGIPASS Authentication Module (4)
Figure 7: Using the Configuration Wizard (1)
Figure 9: Using the Configuration Wizard (2)
Figure 10: Using the Configuration Wizard (3)
Figure 11: Using the Configuration Wizard (4)
Figure 12: Using the Configuration Wizard (5)
Figure 13: Configuring Servers and Connections (1)
Figure 14: Configuring Servers and Connections (2)
Figure 15: Configuring Authentication
Figure 16: Configuring Tracing Options
Figure 17: Viewing Version Page
Figure 18: Enabling Response-Only and 2-Step Challenge/Response
Figure 19: Enabling 1-Step Challenge/Response
Index of Tables
Table 1: Installation Structure of DIGIPASS Authentication for Epic Hyperspace
1 Introduction
Welcome to the DIGIPASS Authentication for Epic Hyperspace Administrator Guide.
This guide provides information about:
• the DIGIPASS Authentication for Epic Hyperspace features and functionalities
• how to install DIGIPASS Authentication for Epic Hyperspace
• how to configure DIGIPASS Authentication for Epic Hyperspace
• how to troubleshoot possible issues that may occur when working with DIGIPASS Authentication for Epic
Hyperspace
• how to uninstall DIGIPASS Authentication for Epic Hyperspace
This guide does not provide:
• Detailed information about IDENTIKEY Authentication Server or IDENTIKEY Appliance / IDENTIKEY Virtual
Appliance (refer to the respective product documentation)
1.1 About This Administrator Guide
1.1.1 How to Use This Manual
You can use this manual in different ways, depending on your skill and knowledge level. You can read it from
the beginning to the end (highly recommended for novice users), you can browse through the chapter
abstracts and read specifically the chapters relevant to your needs, or you can search by key words in the
index, if you need to find certain references quickly.
If you need to... | Refer to
...get an overview of the DIGIPASS Authentication for Epic Hyperspace architecture and features | 2 DIGIPASS Authentication for Epic Hyperspace Overview
...get instructions to install DIGIPASS Authentication for Epic Hyperspace | 3 Installing DIGIPASS Authentication for Epic Hyperspace -AND- 5 Post-Installation Tasks
...configure DIGIPASS Authentication for Epic Hyperspace | 4 Configuring DIGIPASS Authentication Module
...troubleshoot your DIGIPASS Authentication for Epic Hyperspace installation | 6 Troubleshooting
1.1.2 Document Conventions
The following typographic style conventions are used throughout this document.
Typography | Meaning
Boldface | Names of user interface widgets, e.g. the OK button
Blue | Values for options; placeholders for information or parameters that you provide, e.g. select Server name in the list box.
UPPERCASE | Keyboard keys, e.g. CTRL for the Control key
Monospace | Commands you are supposed to type in or are displayed in a command prompt shell, including directories and filenames; API functions and source code examples
blue, underlined | Internet links
The following visual hint colour schemes are used throughout this document.
TIP
Tips contain supplementary information that is not essential to the completion of the task at hand,
including explanations of possible results or alternative methods.
NOTE
Notes contain important supplementary information.
CAUTION
Cautions contain warnings about possible data loss, breaches of security, or other more serious
problems.
1.1.3 Providing Feedback
Every effort has been made to ensure the accuracy and usefulness of this manual. However, as the reader of
this documentation, you are our most important critic and commentator. We appreciate your judgement and
would like you to write us your opinions, suggestions, criticisms, questions, and ideas. Please send your
commentary to: [email protected].
To recognize the particular document you are referring to, please include the following information in your
subject header: DPAuth4EHS-AG-3.6.0en-21082015
Please note that product support is not offered through the above mail address.
2 DIGIPASS Authentication for Epic Hyperspace Overview
This chapter gives an overview of the DIGIPASS Authentication for Epic Hyperspace features and
functionalities. It provides a list of terms you should be familiar with when working with DIGIPASS
Authentication for Epic Hyperspace and outlines various authorization scenarios.
This chapter covers the following topics:
• General Overview
• DIGIPASS Authentication Module Terminology
• Authentication Methods
• Server Connection Management
• Tracing
2.1 General Overview
2.1.1 Overview of DIGIPASS Authentication for Epic Hyperspace
DIGIPASS Authentication for Epic Hyperspace (also referred to as DPAuth4EHS) provides strong
authentication for Epic Hyperspace using DIGIPASS technology.
DPAuth4EHS is a client-side .NET module that integrates with Epic Hyperspace to add support for two-factor
authentication using a DIGIPASS authenticator. It must be installed on each client computer that requires two-factor authentication. It supports 1-step and 2-step challenge/response and response-only authentication. It
requires IDENTIKEY Authentication Server as authentication back-end to validate credentials provided by the
end user. The one-time passwords (OTP) are validated using IDENTIKEY Authentication Server or IDENTIKEY
Appliance / IDENTIKEY Virtual Appliance.
Figure 1: DIGIPASS Authentication Module Overview
2.2 DIGIPASS Authentication Module Terminology
The following definitions describe how these items are used in this document.
Authentication server
The term authentication server refers to the component to which the DIGIPASS Authentication Module sends
authentication requests. This component is:
• for IDENTIKEY Authentication Server: the IDENTIKEY Authentication Server service or daemon
• for IDENTIKEY Appliance / IDENTIKEY Virtual Appliance: the IDENTIKEY Authentication Server daemon
Client record
The client record is the record defined in the authentication server’s data store, to represent an installed
instance of the DIGIPASS Authentication Module.
It is used for the following main purposes:
• To indicate that the authentication server is permitted to process a request from that client
• To specify a policy to be used to process the request
DIGIPASS Authentication Module
This is the generic term for DIGIPASS Authentication for Epic Hyperspace. It provides multi-factor
authentication for additional security to those who access applications across networks.
DIGIPASS Authentication Module Configuration Wizard
The DIGIPASS Authentication Module Configuration Wizard serves to define the basic settings for using
DIGIPASS Authentication for Epic Hyperspace.
DIGIPASS Authentication Module Configuration Center
The DIGIPASS Authentication Module Configuration Center serves to configure DIGIPASS Authentication for
Epic Hyperspace.
2.3 Authentication Methods
Refer to the Product Guide for your authentication server product for detailed information about login methods
and options.
Response-only login
Response-only login takes place when a user wants to access a resource protected by Epic Hyperspace. The
Citrix StoreFront system requires the user to authenticate, i.e. the user needs to log on to the Epic Hyperspace
system using a DIGIPASS authenticator that supports response-only authentication, for instance a single
button device like DIGIPASS GO6. When using response-only, a user logs in via the current login page with the
user name and a one-time password (OTP).
For information about enabling this login procedure, see 5.1 Enabling the Response-Only Login or 2-Step
Challenge/Response Login.
1-Step Challenge/Response login
In a 1-step challenge/response login process the user wants to access a resource protected by Epic
Hyperspace. The Epic Hyperspace system requires the user to authenticate using challenge/response
authentication. A random challenge sent by IDENTIKEY Authentication Server – of a length configured for all
users in the authentication server’s policy – is displayed on the login page. The user logs in with the user
name and DIGIPASS response to the displayed challenge. In a 1-step challenge/response login process the
DIGIPASS Authentication Module receives the authentication credentials of the end user, and sends an
authentication request with these credentials to IDENTIKEY Authentication Server.
For more information about enabling this login procedure, see 5.2 Enabling the 1-Step Challenge/Response
Login Page.
2-Step Challenge/Response login
In a 2-step challenge/response login process a user wants to access a resource protected by Epic
Hyperspace. The Epic Hyperspace system requires the user to authenticate using 2-step challenge/response.
A first authentication request (first step) is used to request a challenge. The second authentication request
(second step) is used to validate the response to that challenge.
For information about enabling this login procedure, see 5.1 Enabling the Response-Only Login or 2-Step
Challenge/Response Login.
Virtual DIGIPASS login
Virtual DIGIPASS login is used when the users do not have access to their DIGIPASS authenticator and need to
log on to the Citrix StoreFront using a Virtual DIGIPASS. The user requests IDENTIKEY Authentication Server
(by means of an authentication request through Epic Hyperspace) to generate a one-time password (OTP) and
deliver that OTP via SMS or email. This process will typically start when the user clicks Forgot DIGIPASS? in
the RO, 1-step C/R or 2-step C/R logon interface (indicating that the user has forgotten the DIGIPASS
authenticator).
Users logging in with Virtual DIGIPASS use a process similar to the 2-step challenge/response login. If the user
has a primary Virtual DIGIPASS assigned or requests using the backup Virtual DIGIPASS feature during the first
step to generate an OTP, this OTP can be delivered via SMS or email. The user is then redirected by the
DIGIPASS Authentication Module to a new screen to enter the OTP.
2.4 Server Connection Management
The DIGIPASS Authentication Module provides flexibility in managing connections to multiple primary
and/or backup authentication servers. This allows redundancy and load sharing over multiple servers.
2.4.1 Connection Profiles
The two connection profiles available are:
Primary
The server(s) between which the DIGIPASS Authentication Module balances the authentication load.
Backup
The server(s) that replace the primary servers during outage.
2.4.2 Connection Options
Maximum Connections
The maximum number of connections that the DIGIPASS Authentication Module may have open to the
authentication server at one time.
Timeout
The time that the DIGIPASS Authentication Module should wait for a reply from the authentication server.
Reconnect Interval
If the DIGIPASS Authentication Module cannot connect to an authentication server, it will make another
connection attempt to this server only after a time period defined by the reconnect interval. If other servers are
configured, connection attempts to these servers are made in the meantime.
2.4.3 Standard Server Setup
Figure 2: Standard Server Connection Configuration
This setup uses one main authentication server to handle requests from the DIGIPASS Authentication Module,
with a backup authentication server for use when the main server is busy or unavailable.
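The profile and reconnect-interval rules from sections 2.4.1 to 2.4.3, modelled as an added Python example (not VASCO code and not part of the original guide). The server names, the least-used balancing rule and the fail-closed error when no server answers are assumptions; Maximum Connections is not modelled.

```python
"""Model of the server selection rules in section 2.4 (illustration only)."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str               # hypothetical server name
    profile: str            # "primary" or "backup" (section 2.4.1)
    retry_at: float = 0.0   # earliest time a new connection attempt is allowed
    handled: int = 0        # requests answered, used for balancing


class NoServerAvailable(ConnectionError):
    """Raised when every eligible server failed; the login must be refused."""

    def __init__(self, tried):
        super().__init__("no authentication server reachable")
        self.tried = tried


class ConnectionManager:
    def __init__(self, servers, reconnect_interval, clock):
        self.servers = list(servers)
        self.reconnect_interval = reconnect_interval  # seconds
        self.clock = clock                            # callable returning "now"

    def candidates(self):
        """Servers to try, in order, for the next request."""
        now = self.clock()
        # A server that failed recently is skipped until its reconnect
        # interval has passed; the other servers are used in the meantime.
        ready = [s for s in self.servers if s.retry_at <= now]
        # Assumption: "balancing" is modelled as least-used primary first.
        primaries = sorted((s for s in ready if s.profile == "primary"),
                           key=lambda s: s.handled)
        backups = [s for s in ready if s.profile == "backup"]
        return primaries + backups

    def authenticate(self, request, send):
        """Send request to the first server that answers.

        Returns (server name, reply, names tried in order).
        """
        tried = []
        for server in self.candidates():
            tried.append(server.name)
            try:
                reply = send(server.name, request)
            except (ConnectionError, TimeoutError):
                # No reply within the Timeout, or the connection failed.
                server.retry_at = self.clock() + self.reconnect_interval
                continue
            server.handled += 1
            return server.name, reply, tried
        raise NoServerAvailable(tried)


def simulate():
    """Run a constructed outage scenario; return [(time, server or None, tried)]."""
    now = {"t": 0.0}
    down = set()

    def send(name, request):
        if name in down:
            raise TimeoutError(name + ": no reply within the timeout")
        return "accepted"

    manager = ConnectionManager(
        [Server("primary-1", "primary"), Server("primary-2", "primary"),
         Server("backup-1", "backup")],
        reconnect_interval=30.0, clock=lambda: now["t"])

    # Constructed timeline: (time in seconds, servers that are down).
    timeline = [
        (0.0, set()),
        (1.0, set()),
        (2.0, {"primary-1", "primary-2"}),
        (10.0, set()),   # primaries are back, but the interval is not over
        (40.0, set()),   # interval over, primaries are tried again
        (50.0, {"primary-1", "primary-2", "backup-1"}),
    ]
    results = []
    for t, outage in timeline:
        now["t"] = t
        down.clear()
        down.update(outage)
        try:
            name, _reply, tried = manager.authenticate({"user": "jdoe"}, send)
        except NoServerAvailable as exc:
            name, tried = None, exc.tried
        results.append((t, name, tried))
    return results


if __name__ == "__main__":
    for t, name, tried in simulate():
        print(f"t={t:>4}s served_by={name} tried={tried}")
```

At t=10 the primaries are reachable again but the backup still answers, because the reconnect interval set at t=2 has not yet passed.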
2.5 Tracing
The DIGIPASS Authentication Module allows use of a trace file to record module activity, e.g. for
troubleshooting. This will include errors that have been encountered, warnings, and general information about
performed authentication requests.
The level of tracing that the DIGIPASS Authentication Module employs depends on its configuration settings.
CAUTION
Enabling full tracing should only be done for troubleshooting purposes. There are no limits set on
the size of the tracing file, so if the option is left on too long on a high-load system the file may
dramatically slow down or crash Windows, due to excessive I/O or filling up the hard drive.
Because there are no size limitations set on the trace file, it is not recommended that you have
tracing permanently enabled. If your system is set up with tracing always enabled, ensure that the
file does not cause problems by deleting or archiving it whenever it gets too large.
Basic tracing includes:
• Error messages
• Warnings
• High-level information from module activity
Full tracing includes:
• Error messages
• Warnings
• High-level information from module activity
• Detailed information from module activity
NOTE
The DIGIPASS Authentication Module will require permissions for the directory in which the tracing
file is kept. For more information, see 6.1.2 Trace file location.
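The archiving step recommended in the caution above, as an added Python example (not part of the original guide or of the product). The paths and thresholds are supplied by the caller and are assumptions, and it is meant to run while Epic Hyperspace is closed so that nothing is written to the trace file between the copy and the truncation.

```python
"""Trace file size guard for the caution in section 2.5 (illustration only)."""
import gzip
import os
import shutil
import sys
import time


def check_trace(trace_path, archive_dir, max_bytes, min_free_bytes):
    """Archive and empty the trace file once it exceeds max_bytes.

    Returns a dict with the trace size found, the archive written (or None)
    and whether free space on the trace volume is below min_free_bytes.
    """
    report = {"size": 0, "archived": None, "low_disk": False}

    # The failure mode named in the guide is a full disk, so report free
    # space on the volume that holds the trace file even if no trace exists.
    folder = os.path.dirname(os.path.abspath(trace_path))
    if os.path.isdir(folder):
        report["low_disk"] = shutil.disk_usage(folder).free < min_free_bytes

    if not os.path.isfile(trace_path):
        return report  # tracing is disabled or nothing has been traced yet

    report["size"] = os.path.getsize(trace_path)
    if report["size"] <= max_bytes:
        return report

    # The trace records information about authentication requests, so
    # archive_dir should be readable by administrators only.
    os.makedirs(archive_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    archive = os.path.join(
        archive_dir, "%s.%s.gz" % (os.path.basename(trace_path), stamp))

    # Copy, then truncate in place, so the trace file keeps its name and
    # permissions. Mode "xb" refuses to overwrite an existing archive; if the
    # copy fails, the truncation below is never reached.
    with open(trace_path, "r+b") as src:
        with gzip.open(archive, "xb") as dst:
            shutil.copyfileobj(src, dst)
        src.truncate(0)

    report["archived"] = archive
    return report


if __name__ == "__main__":
    # Usage: python trace_guard.py <trace file> <archive folder>
    # Thresholds are constructed values: 50 MB trace size, 1 GB free space.
    print(check_trace(sys.argv[1], sys.argv[2], 50 * 2**20, 2**30))
```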
3 Installing DIGIPASS Authentication for Epic Hyperspace
This chapter contains instructions for installing DIGIPASS Authentication for Epic Hyperspace. It lists system and
other requirements, as well as pre-installation settings and tasks. Be sure to check that all system
requirements and pre-installation tasks have been met before installing the DIGIPASS Authentication
Module. This will help ensure a smooth, trouble-free installation and integration process.
This chapter covers the following topics:
• System Requirements
• Pre-Installation Tasks
• Installing DIGIPASS Authentication for Epic Hyperspace
• Using the DIGIPASS Authentication for Epic Hyperspace Configuration Wizard
3.1 System Requirements
3.1.1 Software Requirements
To install DIGIPASS Authentication for Epic Hyperspace, the following components/servers are required:
• An authentication server pre-installed and running on another machine. This should be one of the
following:
  - IDENTIKEY Authentication Server 3.8.1 and higher
  - IDENTIKEY Appliance / IDENTIKEY Virtual Appliance 3.8.9.1
• Citrix StoreFront 2012 pre-installed on the target (installation) machine running on one of the following:
  - Windows Server 2012 R2 (64-bit)
  - Windows Server 2012 (64-bit)
  - Windows 7 (64-bit)
• The user must have administration rights on the target (installation) machine.
3.2 Pre-Installation Tasks
Before installing the DIGIPASS Authentication Module, there are several tasks which need to be
completed. Performing these tasks (where applicable) will assist in a quick, smooth installation process.
3.2.1 Installing the Authentication Server
An authentication server should be installed on the network before the DIGIPASS Authentication Module is
installed. For more information about recommended configurations, see 3.1 System Requirements and 4.3
Configuring the Authentication Server.
CAUTION
If the users are Active Directory users on a Windows platform, it is recommended that the Use
Windows user name resolution feature on the authentication server is enabled. This uses
Windows functions to identify user IDs as Windows user accounts, including the domain to which
the account belongs.
If the Use Windows user name resolution feature is disabled, it is essential that users always
use the same login name. If they try to log in using a different form of their Windows account
name, their login name will be rejected, unless a second DIGIPASS user account has been created.
3.2.2 Epic Hyperspace
Ensure that the Epic Hyperspace environment is installed and working correctly. The DIGIPASS Authentication
Module needs to be installed on the computer where Epic Hyperspace is running.
The DIGIPASS Authentication Module ProgID "DPAuth4EHS.DPAuthEpicDevice" should be associated with the
Epic Hyperspace environment.
3.2.3 Information Needed
Before you begin installation of the DIGIPASS Authentication Module, ensure that you have the following
information easily accessible, as you will need to enter this during installation.
• Location (IP address) and port number of the authentication server. To check this, open the authentication
server configuration and check the Component location and SEAL Communicator port fields.
• Source IP address of the local machine to use when connecting to the Authentication Server (if multiple IP
addresses are configured for this machine).
3.3 Installing DIGIPASS Authentication for Epic Hyperspace

To install DIGIPASS Authentication for Epic Hyperspace
1. Locate dp-auth-for-ehs_<version>_x64.msi and start the installation process.
Figure 3: Installing DIGIPASS Authentication Module (1)
2. Read the license agreement text, select I accept the terms in the license agreement, and click
Next.
Figure 4: Installing DIGIPASS Authentication Module (2)
3. Specify the destination folder for DIGIPASS Authentication for Epic Hyperspace and click Next.
The default destination folder (referred to as <installation_folder> in this document) is: C:\Program
Files\VASCO\DIGIPASS Authentication for Epic Hyperspace.
Figure 5: Installing DIGIPASS Authentication Module (3)
4. Click Install to start the installation.
Figure 6: Installing DIGIPASS Authentication Module (4)
5. After successful installation, click Finish to exit the setup program.
The DIGIPASS Authentication for Epic Hyperspace Configuration Wizard is started.
3.4 Using the DIGIPASS Authentication for Epic Hyperspace Configuration Wizard
After you have finished the installation wizard, the DIGIPASS Authentication for Epic Hyperspace configuration
wizard is started automatically. Go through the wizard to define the basic settings for using the DIGIPASS
Authentication Module. Once the wizard is complete, the DIGIPASS Authentication Module configuration file
Settings.xml is filled with the IAS Server configuration values for Epic Hyperspace, and the DIGIPASS
Authentication Module is ready for use.
For further configuration options and to change your initial settings, use the DIGIPASS Authentication
Module Configuration Center.
For more information, see 4.1 Using the DIGIPASS Authentication for Epic Hyperspace Configuration Center
and 4.2 Editing the Configuration File.
3.4.1 Configuring DIGIPASS Authentication for Epic Hyperspace

To configure DIGIPASS Authentication for Epic Hyperspace
1. When the DIGIPASS Authentication Module Configuration Wizard is started, click Next.
The DIGIPASS Authentication Module Configuration Wizard is started automatically after you have
completed the installation wizard. Afterward, if you want to modify your settings using the wizard, select
Start > All Programs > DIGIPASS Authentication Modules > DPAuth4EHS Config Wizard.
Figure 7: Using the Configuration Wizard (1)
2. Specify the IP address and SEAL port of the authentication server.
Figure 8: Using the Configuration Wizard (2)
Select an IP address from the list, which contains IP addresses assigned to the current machine. The
DIGIPASS Authentication Module will use the selected IP address exclusively.
Figure 9: Using the Configuration Wizard (3)
3. Specify whether to create an IDENTIKEY Authentication Server client record.
Figure 10: Using the Configuration Wizard (4)
• Select Create client record automatically if you want to specify an administrator login for the
authentication server so that the DIGIPASS Authentication Module is registered as a client in the
authentication server database.
Provide the user name and password to allow administrative access to the authentication server.
• Select Don’t create client record if the client record for the DIGIPASS Authentication Module already
exists in the authentication server database, or you prefer to create it manually.
4. Review the settings you have specified and click Finish.
Figure 11: Using the Configuration Wizard (5)
4 Configuring DIGIPASS Authentication Module
This chapter describes how to configure the DIGIPASS Authentication Module. Configuration settings can
be modified in two ways. The easiest method is via the DIGIPASS Authentication Module Configuration
Center – a graphical user interface that allows you to make changes with a few mouse clicks. Advanced
users may prefer to edit the configuration file directly.
This chapter covers the following topics:
• Using the DIGIPASS Authentication for Epic Hyperspace Configuration Center
• Editing the Configuration File
• Configuring the Authentication Server
4.1 Using the DIGIPASS Authentication for Epic Hyperspace Configuration Center
A graphical user interface (GUI) called DIGIPASS Authentication for Epic Hyperspace Configuration
Center is available to configure the DIGIPASS Authentication Module. This provides a simple, intuitive way to
set up the DIGIPASS Authentication Module to work with your current system.
If this is the first time you have opened the DIGIPASS Authentication for Epic Hyperspace Configuration
Center and the configuration file has not been edited, the values you will see are those entered when the
wizard was last run.
4.1.1 Starting DIGIPASS Authentication Module Configuration Center

To start the DIGIPASS Authentication Module Configuration Center
Do one of the following:
• Select Start > All Programs > VASCO > DIGIPASS Authentication Modules >
DPAuth4EHS Config Center.
-OR-
• Open Windows Explorer and launch <installation_folder>\VASCO DIGIPASS Authentication for Epic
Hyperspace Configuration Center.exe.
4.1.2 Configuring Servers and Connections

To add and configure authentication servers
1. Start the DIGIPASS Authentication for Epic Hyperspace Configuration Center and select Servers
and Connections.
Figure 12: Configuring Servers and Connections (1)
2. Do one of the following:
• Click Add if you want to add a new authentication server.
-OR-
• To modify the settings of an authentication server, select the server from the Authentication
servers list.
Move servers up and down as needed. With multiple authentication servers, DIGIPASS Authentication for
Epic Hyperspace will connect to the topmost server. If this server is not available, the DIGIPASS
Authentication for Epic Hyperspace will attempt to connect to the next server in the list.
The Configuration for <authentication_server> section appears.
Figure 13: Configuring Servers and Connections (2)
3. Select an IP address in Connect from IP address from which to connect to the authentication server.
For more information, see 2.4.1 Connection Profiles.
4. Specify the server details:
• Display name: Type a name for the authentication server in this field. This name is then used to
distinguish the authentication server in the Authentication servers list, but has no effect on the
behaviour of the DIGIPASS Authentication Module.
• IP address: Type the IP address of the authentication server.
• SEAL port: Type the port for the authentication server. The default port is 20003 for standard, and
20004 for SSL connections.
• Use SSL: Select this if you want to use SSL when connecting to the authentication server.
• Server type: Select the server type. For more information, see 2.4.1 Connection Profiles.
5. (OPTIONAL) Click Test to test if a connection to the authentication server can be established. A message
will appear indicating if the test was successful.
6. Specify the connection parameters.
• Timeout (in sec): Specify a timeout period in seconds.
• Maximum Connections: Specify the maximum number of concurrent connections to be made
from the DIGIPASS Authentication Module to the authentication server.
• Minimum Connections: Specify the minimum number of concurrent connections to be made from
the DIGIPASS Authentication Module to the authentication server.
• Maximum reconnect interval (in sec): Specify the maximum amount of time that the DIGIPASS
Authentication Module should wait before attempting to reconnect to the authentication server.
7. Specify secure connection settings.
• Select Use Windows built-in CA certificate repository if you want to trust the certificate
authorities in the Windows CA certificate repository.
• Select Load CA certificate repository if you want to use your own CA certificate list. Browse to
the certificate file and click Open.
8. Click Apply for your changes to take effect.
4.1.3 Configuring Authentication
The Authentication page lets you configure the authentication-related settings of DIGIPASS Authentication
for Epic Hyperspace.
The Authentication page consists of two major sections:
• General
• Authentication
The General section allows you to enable or disable DIGIPASS Authentication for Epic Hyperspace. The
Authentication section defines which authentication methods are available when DIGIPASS Authentication
for Epic Hyperspace is enabled.
Figure 14: Configuring Authentication
General
Select Enable Epic Hyperspace authentication to allow the DIGIPASS Authentication Module to intercept
authentication requests using the authentication server.
Authentication
Select Response-Only and 2-step Challenge/Response login or 1-step Challenge/Response
login to allow the respective authentication modes (see 2.3 Authentication Methods).
If you are required to allow backup authentication, select Enable Virtual DIGIPASS login.
4.1.4 Configuring Tracing

To configure settings for tracing
1. Start DIGIPASS Authentication for Epic Hyperspace Configuration Center and select Tracing.
2. Specify the tracing level (see 2.5 Tracing).
Figure 15: Configuring Tracing Options
3. If you have selected basic or full tracing, the path and filename for the tracing file appears in the Trace
File box. This box is read-only. All trace logging is written to %LocalAppData%\Vasco\DIGIPASS
Authentication for Epic Hyperspace\Log, where %LocalAppData% is the AppData/Local directory for the
current user. This location cannot be modified.
4. Click Apply for your changes to take effect.
4.1.5 Viewing Product Information
The Product Version page allows reviewing the version information of the application and its dependencies
(e.g. libraries). It also enables the customer to copy the detailed version information to the clipboard and paste
it into an email message to customer support.
Figure 16: Viewing Version Page
4.2 Editing the Configuration File
The DIGIPASS Authentication for Epic Hyperspace Configuration Wizard and the DIGIPASS
Authentication for Epic Hyperspace Configuration Center write to an XML file named Settings.xml in the
installation directory. It is possible to edit this file directly instead of using the applications.
NOTE
This option is recommended only for advanced users. The DIGIPASS Authentication for Epic
Hyperspace Configuration Center prevents common configuration mistakes, but there are no such
checks when edits are made directly to the configuration file. Incorrect changes to the
configuration file may cause the DIGIPASS Authentication Module to stop working.
If Settings.xml is damaged, uses incorrect XML syntax, or is otherwise invalid, the DIGIPASS
Authentication Module may not initialize.
4.2.1 Example Configuration File
<?xml version="1.0" encoding="UTF-8"?>
<Profile>
  <Key Name="Servers and Connections">
    <Value Name="LocalIPAddress" Type="STRING"></Value>
    <Key Name="ConnectionList">
      <Key Name="Connection0">
        <Value Name="Name" Type="STRING">Main Server</Value>
        <Value Name="ServerIPAddress" Type="STRING">1.1.1.1</Value>
        <Value Name="ServerPort" Type="INT">20004</Value>
        <Value Name="IsBackup" Type="BOOL">FALSE</Value>
        <Value Name="MaxConcurrentConnections" Type="INT">10</Value>
        <Value Name="ConnectionTimeoutSeconds" Type="INT">30</Value>
        <Value Name="MinReconnectIntervalSeconds" Type="INT">10</Value>
        <Value Name="MaxReconnectIntervalSeconds" Type="INT">10</Value>
        <Key Name="SSL">
          <Value Name="EnableSSL" Type="BOOL">TRUE</Value>
          <Value Name="EnableCustomCertificateArchiveFile" Type="BOOL">FALSE</Value>
          <Value Name="CustomCertificateArchiveFilePath" Type="STRING"></Value>
        </Key>
      </Key>
    </Key>
  </Key>
  <Key Name="Tracing">
    <Value Name="TraceFilePath" Type="STRING">%LocalAppData%\VASCO\DIGIPASS Authentication for Epic Hyperspace\Log\DPAuth4EHS.trace</Value>
    <Value Name="TraceFileEnable" Type="BOOL">FALSE</Value>
    <Value Name="TraceCodeInfo" Type="BOOL">FALSE</Value>
    <Value Name="TraceProcessInfo" Type="BOOL">FALSE</Value>
    <Value Name="TraceLevel" Type="INT">100</Value>
  </Key>
  <Key Name="EpicHyperspace">
    <Value Name="Enabled" Type="BOOL">True</Value>
    <Value Name="Authenticationmode" Type="INT">0</Value>
    <Value Name="VIRTUALDIGIPASS" Type="BOOL">FALSE</Value>
  </Key>
</Profile>
4.2.2 Configuration Settings
This section lists configuration settings and their default values. After installation, Settings.xml contains only a
few basic settings. After the configuration has been completed, the file is filled with the default configuration
for Epic Hyperspace.
4.2.2.1 Servers and Connections
“Servers and Connections” > “LocalIPAddress”
The address from which to connect to the authentication server. The default value is the IP address
automatically detected by the install program. If more than one IP address was detected, this value will be the
IP address selected during installation.
“Servers and Connections” > “ConnectionList” > “Connection0” > “Name”
The server name that will be displayed in the Authentication servers list in the DIGIPASS Authentication
for Epic Hyperspace Configuration Center.
The default value is Main Server.
“Servers and Connections” > “ConnectionList” > “Connection0” > “ServerIPAddress”
The authentication server’s IP address.
“Servers and Connections” > “ConnectionList” > “Connection0” > “ServerPort”
The authentication server’s port.
The default value is 20003.
“Servers and Connections” > “ConnectionList” > “Connection0” > “ServerType”
Either primary or backup authentication server.
The default value is Primary.
“Servers and Connections” > “ConnectionList” > “Connection0” > “MaxConcurrentConnections”
The maximum number of concurrent connections which the DIGIPASS Authentication Module may hold open
to the authentication server.
The default value is 10.
“Servers and Connections” > “ConnectionList” > “Connection0” > “ConnectionTimeoutSeconds”
Session idle timeout in minutes.
The default value is 10.
“Servers and Connections” > “ConnectionList” > “Connection0” > “MinReconnectIntervalSeconds”
The minimum amount of time in seconds that the DIGIPASS Authentication Module will leave between
attempts to reconnect to an authentication server after an unsuccessful connect attempt (e.g. server busy).
The default value is 10.
“Servers and Connections” > “ConnectionList” > “Connection0” > “MaxReconnectIntervalSeconds”
The maximum amount of time in seconds that the DIGIPASS Authentication Module will leave between
attempts to reconnect to an authentication server after an unsuccessful connect attempt (e.g. server busy).
The default value is 10.
“Servers and Connections” > “ConnectionList” > “Connection0” > “SSL” > “EnableSSL”
Enable/disable the use of SSL when connecting to this authentication server.
The default value is FALSE.
“Servers and Connections” > “ConnectionList” > “Connection0” > “SSL” > “EnableCustomCertificateArchiveFile”
Enable/disable certificate archive file for use instead of the Windows certificate store.
The default value is FALSE.
“Servers and Connections” > “ConnectionList” > “Connection0” > “SSL” > “CustomCertificateArchiveFilePath”
The file location and name of the custom certificate store.
4.2.2.2 Tracing
“Tracing” > “TraceFilePath”
The absolute path and file name of the file to which internal state tracing will be written.
The default value is %LocalAppData%\Vasco\DIGIPASS Authentication for Epic
Hyperspace\Log\DPAuth4EHS.trace.
NOTE
This option is ignored by DIGIPASS Authentication for Epic Hyperspace. Trace logging is always
written to the LocalAppData directory for the current user.
“Tracing” > “TraceFileEnable”
Enable/disable tracing.
The default value is FALSE.
“Tracing” > “TraceCodeInfo”
Defines if source code information is traced. Use this for troubleshooting in collaboration with VASCO support.
The default value is FALSE.
“Tracing” > “TraceProcessInfo”
Defines if source code information is dumped at start and end of tracing session.
The default value is FALSE.
“Tracing” > “TraceLevel”
Basic or full tracing.
The possible values are:
• 100 – Basic tracing
• 50 – Full tracing
• 0 – No tracing
The default value is 100.
4.2.3 Authentication XML Settings
“Epic Hyperspace” > “Enabled”
If false, DIGIPASS authentication will not be available for this Epic Hyperspace instance.
“Epic Hyperspace” > “AuthenticationMode”
The operational authentication mode supported by this authentication module instance.
• 0 – Response-only and 2-step challenge/response
• 1 – 1-step challenge/response
“Epic Hyperspace” > “VirtualDIGIPASS”
Specifies whether Virtual DIGIPASS can be requested when the primary DIGIPASS authenticator is forgotten or
lost.
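A read-only check for a hand-edited Settings.xml, added here as an example and not VASCO's code: it parses the Key/Value layout shown in 4.2.1 and flags values that contradict the defaults and allowed values listed in 4.2.2 and 4.2.3. The function names, the constructed sample file, and the case- and space-insensitive name matching are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the guide's Key/Value layout; the IP is a documentation placeholder.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile>
  <Key Name="Servers and Connections">
    <Key Name="ConnectionList">
      <Key Name="Connection0">
        <Value Name="ServerIPAddress" Type="STRING">192.0.2.20</Value>
        <Value Name="ServerPort" Type="INT">20003</Value>
        <Value Name="MinReconnectIntervalSeconds" Type="INT">30</Value>
        <Value Name="MaxReconnectIntervalSeconds" Type="INT">10</Value>
        <Key Name="SSL">
          <Value Name="EnableSSL" Type="BOOL">FALSE</Value>
          <Value Name="EnableCustomCertificateArchiveFile" Type="BOOL">TRUE</Value>
          <Value Name="CustomCertificateArchiveFilePath" Type="STRING"></Value>
        </Key>
      </Key>
    </Key>
  </Key>
  <Key Name="Tracing">
    <Value Name="TraceLevel" Type="INT">75</Value>
  </Key>
  <Key Name="EpicHyperspace">
    <Value Name="Enabled" Type="BOOL">True</Value>
    <Value Name="Authenticationmode" Type="INT">0</Value>
  </Key>
</Profile>"""


def norm(name):
    # Assumption: names match ignoring case and spaces, since the guide writes
    # both "EpicHyperspace" / "Epic Hyperspace" and "Authenticationmode" / "AuthenticationMode".
    return "".join(name.split()).lower()


def load_settings(xml_text):
    """Flatten the Key/Value tree into ({path tuple: typed value}, type errors)."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    flat, problems = {}, []

    def walk(node, path):
        for child in node:
            here = path + (norm(child.get("Name", "")),)
            if child.tag == "Key":
                walk(child, here)
            elif child.tag == "Value":
                raw, kind = (child.text or "").strip(), child.get("Type", "STRING")
                try:
                    if kind == "BOOL":
                        flat[here] = {"TRUE": True, "FALSE": False}[raw.upper()]
                    elif kind == "INT":
                        flat[here] = int(raw)
                    else:
                        flat[here] = raw
                except (KeyError, ValueError):
                    problems.append("%s: %r is not a valid %s" % ("/".join(here), raw, kind))

    walk(root, ())
    return flat, problems


def audit(xml_text):
    """Return a list of findings; an empty list means no check fired."""
    try:
        flat, findings = load_settings(xml_text)
    except ET.ParseError as exc:
        return ["invalid XML, the module may not initialize: %s" % exc]
    prefix = ("serversandconnections", "connectionlist")
    for conn in sorted({p[2] for p in flat if len(p) > 3 and p[:2] == prefix}):
        base = prefix + (conn,)
        ssl = flat.get(base + ("ssl", "enablessl"), False)   # guide default: FALSE
        port = flat.get(base + ("serverport",), 20003)       # guide default: 20003
        if not ssl:
            findings.append(conn + ": EnableSSL is FALSE, SSL is not used for this server")
        if ssl and port == 20003:
            findings.append(conn + ": SSL enabled on 20003, the default non-SSL SEAL port")
        if not ssl and port == 20004:
            findings.append(conn + ": SSL disabled on 20004, the default SSL SEAL port")
        custom = flat.get(base + ("ssl", "enablecustomcertificatearchivefile"), False)
        if custom and not flat.get(base + ("ssl", "customcertificatearchivefilepath")):
            findings.append(conn + ": custom CA file enabled but no file path is set")
        low = flat.get(base + ("minreconnectintervalseconds",), 10)   # guide default: 10
        high = flat.get(base + ("maxreconnectintervalseconds",), 10)  # guide default: 10
        if isinstance(low, int) and isinstance(high, int) and low > high:
            findings.append(conn + ": MinReconnectIntervalSeconds exceeds the maximum")
    level = flat.get(("tracing", "tracelevel"), 100)         # guide default: 100
    if level not in (0, 50, 100):
        findings.append("TraceLevel %r is not one of 0, 50, 100" % (level,))
    mode = flat.get(("epichyperspace", "authenticationmode"))
    if mode is not None and mode not in (0, 1):
        findings.append("AuthenticationMode %r is not 0 or 1" % (mode,))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run it against a copy of Settings.xml before restarting Epic Hyperspace; it never writes to the file.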
4.3 Configuring the Authentication Server
4.3.1 Client Record
A client record must be configured in the authentication server for the DIGIPASS Authentication Module. The
configuration wizard can create the required record if a connection to the authentication server and an
administrator account with sufficient privileges are available. If the configuration wizard does not create a
client record, this must be done manually.
• Component type should be set to Epic Hyperspace.
• Location should be set to the same IP address as in the Connect from IP address setting in the
DIGIPASS Authentication for Epic Hyperspace Configuration Center.
• Select a policy for the authentication server to use when processing authentication requests from the
DIGIPASS Authentication Module.
4.3.2 Configuring for Windows User Accounts
4.3.2.1 Windows user name resolution
If the authentication server is installed on a Windows platform and is using an ODBC database (including the
embedded database) as its data store, it is recommended that you enable Windows user name resolution. This
allows the authentication server to use Windows functionality to resolve a user ID – as entered during a login
in the format username@domain or domain\username – into a user ID and domain. It is highly recommended
if Dynamic User Registration (DUR) will be enabled.
This setting is not required where the authentication server is using Active Directory as its data store – name
resolution will occur automatically.
This setting is not available on IDENTIKEY Authentication Server on Linux or IDENTIKEY Appliance / IDENTIKEY
Virtual Appliance.
If the Use Windows user name resolution feature is disabled or unavailable, it is essential that users
always use the same login name. If they try to log in using a different form of their Windows account name,
their login will be rejected, unless a second DIGIPASS user account has been created in the master domain.
4.3.2.2 Case sensitivity
Windows user names are not case-sensitive. If the ODBC database used by the authentication server is case-sensitive, ensure that the user ID case is converted to lower case. Upper case may also be used, but will
involve extra configuration steps. The embedded PostgreSQL database is set to convert to lower case by
default. For more information, refer to the IDENTIKEY Authentication Server Administrator Guide, Section
“Encoding and Case Sensitivity”.
4.3.2.3 Default domain
Where users log in without entering a domain name or UPN, the authentication server will need to be
configured to use the correct domain. There are two basic scenarios that might apply:
Change master domain
If users will only ever be logging in to one domain via the authentication server, the simplest solution is to set
the master domain name to the fully qualified domain name of the required domain.
This option is not available for IDENTIKEY Appliance / IDENTIKEY Virtual Appliance.
Set default domain in policy
This strategy should be used if
• You wish to keep the master domain strictly for administration accounts and separate from user accounts.
• The authentication server may be required to handle a different default domain for different DIGIPASS
Authentication Modules or other clients.
Each policy may be configured with a default domain, to be used if a user does not enter a domain on login.
Typically, you will need to modify the policy used by each DIGIPASS Authentication Module.
4.3.3 Policy
The client record created during installation of DIGIPASS Authentication for Epic Hyperspace uses the default
password replacement policy for the package. It will be named:
• Identikey Windows Password Replacement (IDENTIKEY Authentication Server)
• Identikey Microsoft AD Password Replacement (IDENTIKEY Appliance / IDENTIKEY Virtual Appliance)
This policy is configured with the following settings:
• Back-end authentication is set to Always (used for Windows Password Replacement, Dynamic User
Registration, Password Autolearn etc. Not all logins).
• Windows is used as the back-end authenticator in the IDENTIKEY Windows Password Replacement policy.
• Dynamic User Registration and Password Autolearn are enabled.
• Group check mode is set to Pass Back and DIGIPASS Users is placed in the group list. This means that any
logins by users not in the DIGIPASS users group will be ignored – not rejected – by the authentication
server in the Identikey Windows Password Replacement policy.
If you need different settings, either select a different policy (e.g. Self-Assignment or Auto-Assignment) for the
DIGIPASS Authentication Module component or copy the password replacement policy to a new record, modify
the new policy as required, and use the new policy for the DIGIPASS Authentication Module component.
4.3.3.1 DIGIPASS users log in with OTP only (Windows user accounts)
The following settings are recommended for this scenario:
Back-end authentication
• Back-end authentication: If needed
• Back-end protocol: Windows (IDENTIKEY Authentication Server) or Microsoft AD (IDENTIKEY Appliance /
IDENTIKEY Virtual Appliance).
These settings allow the authentication server to check user login details with Active Directory in case of
Dynamic User Registration (DUR), Password Autolearn and Self-Assignment logins through the
DIGIPASS Authentication Module.
DIGIPASS User Account handling
• Dynamic User Registration: Enabled
• Password Autolearn: Enabled
• Stored Password Proxy: Enabled
These settings allow the authentication server to create an account for an unrecognized user based on a
successful Windows or Active Directory authentication. The authentication server can then store the user’s
Active Directory password and replay it to the DIGIPASS Authentication Module in place of the one-time
password entered by the user on future logins.
DIGIPASS Authentication Module
Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual
assignment may also be used.
Local Authentication
The typical setting for local authentication would be Digipass/Password, meaning that users usually need to use
an OTP when logging in, but are not required to in some circumstances (e.g. in grace period).
4.3.3.2 DIGIPASS users log in with password and OTP (Windows user accounts)
The following settings are recommended for this scenario:
Back-end authentication
• Back-end authentication: If needed
• Back-end protocol: Windows (IDENTIKEY Authentication Server) or Microsoft AD (IDENTIKEY Appliance /
IDENTIKEY Virtual Appliance).
These settings allow the authentication server to check user login details with Windows or Active Directory in
case of Dynamic User Registration (DUR) and Self-Assignment logins through the DIGIPASS
Authentication Module.
DIGIPASS User Account handling
• Dynamic User Registration: Enabled
• Password Autolearn: Enabled
• Stored Password Proxy: Enabled
These settings allow the authentication server to create an account for an unrecognized user based on a
successful Windows or Active Directory authentication. The authentication server will not store or replay a
user’s Active Directory password.
DIGIPASS Assignment Mode
Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual
assignment may also be used.
Local Authentication
The typical setting for local authentication would be Digipass/Password, meaning that the users usually need
to use an OTP when logging in, but are not required to in some circumstances (e.g. in grace period).
4.3.3.3 Local authentication only
These settings are typically used where:
• The authentication server does not check authentication details against Windows accounts.
Back-end authentication
• Back-end authentication: None
DIGIPASS User Account handling
• Dynamic user registration: Disabled
• Password Autolearn: Disabled
• Stored Password Proxy: Disabled
New DIGIPASS user accounts must be created manually (no DUR). An Active Directory password is not stored,
because back-end authentication is disabled.
DIGIPASS Assignment Mode
Manual assignment would be used in this scenario.
Local DIGIPASS Authentication
The typical setting for local authentication would be Digipass Only, requiring users to log in with an OTP.
4.3.3.4 1-Step Challenge/Response
If you use 1-step challenge/response, you will need these policy settings:
• 1-Step Challenge/Response
    • Permitted: Yes – Server Challenge
    • Challenge Length: 4
    • Add Check Digit as required
    • Challenge check mode: 0
For more information, refer to IDENTIKEY Authentication Server Product Guide, Section “Policies”.
4.3.3.5 2-Step Challenge/Response
If you use 2-step challenge/response, you will need these policy settings:
• Request method: as required
• Request keyword: as required
For more information, refer to the IDENTIKEY Authentication Server Product Guide, Section “Policies”.
4.3.3.6 Virtual DIGIPASS
If you use Virtual DIGIPASS login, you will need these policy settings:
• Delivery Method: as required
• Primary/backup Virtual DIGIPASS: as required
• Request Method: as required
• Request Keyword: as required
• BVDP Mode: as required
• Time Limit (days): as required
• Max. Uses/User: as required
For more information, refer to the IDENTIKEY Authentication Server Product Guide, Section “Policies”.
5 Post-Installation Tasks
This chapter lists and describes tasks you need to complete after installing the DIGIPASS Authentication
Module.
This chapter covers the following topics:
• Enabling the Response-Only Login or 2-Step Challenge/Response Login
• Enabling the 1-Step Challenge/Response Login Page
5.1 Enabling the Response-Only Login or 2-Step Challenge/Response Login
The General section allows the administrator to enable or disable DIGIPASS Authentication for Epic
Hyperspace; the Authentication section defines which authentication methods are available when DIGIPASS
Authentication for Epic Hyperspace is enabled.
To enable response-only and 2-step challenge/response authentication, select Response-Only and 2-Step
Challenge/Response login (see Figure 17).
NOTE
If you would like end users to use Virtual DIGIPASS, select Enable Virtual DIGIPASS login.
Figure 17: Enabling Response-Only and 2-Step Challenge/Response
5.2 Enabling the 1-Step Challenge/Response Login Page
To enable 1-step challenge/response authentication, select 1-step Challenge/Response login (see Figure
18).
NOTE
If you would like end users to use Virtual DIGIPASS, select Enable Virtual DIGIPASS login.
Figure 18: Enabling 1-Step Challenge/Response
6 Troubleshooting
This chapter provides information about possible issues that may occur when working with DIGIPASS
Authentication for Epic Hyperspace. Read this chapter carefully as it may help you find and identify issues.
This chapter covers the following topics:
• DIGIPASS Authentication Module Installation Problems
• Other Troubleshooting Options
• Repairing the Installation
6.1 DIGIPASS Authentication Module Installation Problems
The installation program for the DIGIPASS Authentication Module will usually complete the following tasks
automatically. However, if it fails in these tasks for some reason, an error message will be displayed during
installation. These steps can then be followed to complete the installation manually.
If you have trouble running the authentication server and the DIGIPASS Authentication Module for the first
time, following these steps may help you track down the problem and fix it manually.
6.1.1 Checking File Placement
The following files must be placed in the directory they are listed under. If they have been moved to another
directory, or incorrectly copied, the DIGIPASS Authentication Module will not function correctly.
Table 1: Installation Structure of DIGIPASS Authentication for Epic Hyperspace
| Folders and Files | Description |
|---|---|
| <programs_folder>\VASCO\DIGIPASS Authentication for Epic Hyperspace | |
| DIGIPASS Authentication Module Configuration Center.exe | DIGIPASS Authentication for Epic Hyperspace Configuration Center |
| DIGIPASS Authentication Module Configuration Wizard.exe | DIGIPASS Authentication for Epic Hyperspace Configuration Wizard |
| DPAuth4EHS.dll | DIGIPASS Authentication for Epic Hyperspace Module |
| AAL3CSWrapper.dll | |
| Epic.Core.Authentication.dll | |
| GUI64.dll | |
| Iconv.dll | |
| ikaal3seal.dll | |
| Libeay32.dll | |
| Libxml2.dll | |
| msvcr110.dll | |
| msvcr120.dll | |
| PPDIGIPASSPlugin_Common64.dll | |
| PPDIGIPASSPlugin_EPIC64.dll | |
| ProcCore64.dll | |
| regCA.ibd | |
| Ssleay32.dll | |
| StdGUI64.dll | |
| Vdsconfig.dll | |
| Vdscore.dll | |
| Vdscrypto.dll | |
| Vdsdata.dll | |
| Vdsdatamodel.dll | |
| Vdsnetwork.dll | |
| Vdsprocess.dll | |
| Vdsseal.dll | |
| Zlib1.dll | |
| Config.sxml | Configuration file of DIGIPASS Authentication for Epic Hyperspace Configuration Center and the DIGIPASS Authentication for Epic Hyperspace Configuration Wizard. NOTE: Do not edit this file. |
| Settings.xml | Configuration file containing settings for servers and connections, tracing, and authentication. This file is written by the DIGIPASS Authentication for Epic Hyperspace Configuration Wizard. For more information about how to work with the file, see 4.2 Editing the Configuration File. |
| <programs_folder>\VASCO\DIGIPASS Authentication for Epic Hyperspace\1033 | |
| String.xml | Resource Files |
| Config.xrs | |
| DIGIPASSPlugin_ConfigWizard.xrs | |
| GUIFx.xrs | |
| PPDIGIPASSPlugin_Common.xrs | |
| StdGui.xrs | |
6.1.2 Trace file location
The trace file is stored in %LocalAppData%\Vasco\DIGIPASS Authentication for Epic Hyperspace\Log, where
%LocalAppData% refers to the local application data folder for the current user (e.g.
C:\Users\<username>\AppData\Local).
6.2 Other Troubleshooting Options
If you still have problems after checking that all installation and configuration settings for the DIGIPASS
Authentication Module are correct, follow these steps to check for other possible problems.
6.2.1 No Trace File
If there is no trace file, or no new entries are written to the file, check the Windows events for any warnings or
errors generated by a failure to load the DIGIPASS Authentication Module into Citrix StoreFront.
6.2.2 Information from Trace File
To view trace file information:
1. Set the DIGIPASS Authentication Module to tracing.
2. Attempt to log in.
3. Check the trace for information on start-up conditions of the DIGIPASS Authentication Module and of the login attempt.
6.2.3 Authentication Server
If the DIGIPASS Authentication Module appears to load and update but you are unable to achieve a successful
login, check the authentication server. Open the Audit Viewer to:
• Check available audit messages in the audit files or database.
• Configure a live audit connection from the authentication server and retry a login.
For more information, refer to the Authentication Server Administration Reference or Administrator Guide.
6.2.4 DIGIPASS Authentication Module could not load
• Verify that Settings.xml is available or exists in the default installation folder (referred to as <installation_folder> in this document), i.e. C:\Program Files\VASCO\DIGIPASS Authentication for Epic Hyperspace.
• Verify that the Layout value in the Config node is correctly configured in Settings.xml.
• Verify that DPAuth4EHS.dll in the installation folder is a 64-bit component and running on a 64-bit operating system with Epic Hyperspace 2012 (64-bit) installed.
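The file placement check in 6.1.1 and the Settings.xml and 64-bit checks in 6.2.4 can be scripted. The following PowerShell is an added example, not part of the VASCO product or of this guide as published; it assumes the default installation folder named in 6.2.4, and the function name Get-PEMachine is hypothetical.

```powershell
# Added example. Default folder and file names are taken from 6.2.4 and Table 1.
$InstallDir = 'C:\Program Files\VASCO\DIGIPASS Authentication for Epic Hyperspace'
$required = @(
    'DIGIPASS Authentication Module Configuration Center.exe',
    'DIGIPASS Authentication Module Configuration Wizard.exe',
    'DPAuth4EHS.dll', 'AAL3CSWrapper.dll', 'Epic.Core.Authentication.dll', 'GUI64.dll',
    'Iconv.dll', 'ikaal3seal.dll', 'Libeay32.dll', 'Libxml2.dll', 'msvcr110.dll',
    'msvcr120.dll', 'PPDIGIPASSPlugin_Common64.dll', 'PPDIGIPASSPlugin_EPIC64.dll',
    'ProcCore64.dll', 'regCA.ibd', 'Ssleay32.dll', 'StdGUI64.dll', 'Vdsconfig.dll',
    'Vdscore.dll', 'Vdscrypto.dll', 'Vdsdata.dll', 'Vdsdatamodel.dll', 'Vdsnetwork.dll',
    'Vdsprocess.dll', 'Vdsseal.dll', 'Zlib1.dll', 'Config.sxml', 'Settings.xml',
    '1033\String.xml', '1033\Config.xrs', '1033\DIGIPASSPlugin_ConfigWizard.xrs',
    '1033\GUIFx.xrs', '1033\PPDIGIPASSPlugin_Common.xrs', '1033\StdGui.xrs'
)

function Get-PEMachine([string]$Path) {
    # e_lfanew (offset 0x3C) locates the "PE\0\0" signature; the 2-byte COFF
    # Machine field follows it and tells 64-bit (0x8664) from 32-bit (0x014C) images.
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'not a PE file' }
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0 -or ($pe + 6) -gt $b.Length) { return 'truncated PE header' }
    if ([System.BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { return 'bad PE signature' }
    switch ([System.BitConverter]::ToUInt16($b, $pe + 4)) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'other (0x{0:X4})' -f $_ }
    }
}

# 6.1.1: every file from Table 1 must be in the folder it is listed under.
$missing = $required | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $InstallDir $_) -PathType Leaf) }
if ($missing) { $missing | ForEach-Object { Write-Warning "Missing: $_" } }
else { 'All listed files are present.' }

# 6.2.4: the module must be a 64-bit component on a 64-bit operating system.
$dll = Join-Path $InstallDir 'DPAuth4EHS.dll'
if (Test-Path -LiteralPath $dll) { "DPAuth4EHS.dll machine type: $(Get-PEMachine $dll)" }
"64-bit operating system: $([Environment]::Is64BitOperatingSystem)"

# 6.2.4: Settings.xml must exist; parsing it also catches a truncated or damaged copy.
$settings = Join-Path $InstallDir 'Settings.xml'
if (Test-Path -LiteralPath $settings) {
    try { [xml](Get-Content -LiteralPath $settings -Raw) | Out-Null; 'Settings.xml parses as XML.' }
    catch { Write-Warning "Settings.xml does not parse: $($_.Exception.Message)" }
}
```

Save it as a .ps1 file and run it on the machine where the module is installed. The Layout value in the Config node is not inspected and still has to be reviewed by hand.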
6.3 Repairing the Installation
The installation of the DIGIPASS Authentication Module may need to be repaired if files have been corrupted,
deleted, or lost.

To repair the DIGIPASS Authentication Module:
1. Locate and double-click dp-auth_for-ehs_<version>_x<bitness>.msi.
2. Click Next.
3. Select Repair to enter the repair function and click Next.
4. Click Install to confirm the repair.
5. Click Finish to exit the setup program.
If you have deleted or moved the configuration file, or changed the IP address of the machine, you will need to
run the DIGIPASS Authentication for Epic Hyperspace Configuration Wizard after the installation repair.
7 Uninstalling DIGIPASS Authentication for Epic Hyperspace
This chapter provides instructions for removing an existing DIGIPASS Authentication for Epic Hyperspace
installation.
This chapter covers the following topics:
• Uninstalling DIGIPASS Authentication for Epic Hyperspace
7.1 Uninstalling DIGIPASS Authentication for Epic Hyperspace

To uninstall DIGIPASS Authentication for Epic Hyperspace:
1. Locate and double-click dp-auth_for-ehs_<version>_x<bitness>.msi.
2. Click Next.
3. Select Remove.
4. Select Keep trace files if you want to preserve existing trace files.
5. Click Next.
6. Click Remove to confirm the remove function.
7. Click Finish to exit the setup program.
8. After uninstalling the module, restart the system.
8 Technical Support
If you encounter problems with a VASCO product, please do the following:
1. Check whether your problem has already been solved and reported in the Knowledge Base at the
following URL: http://www.vasco.com/support.
2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the
VASCO product.
If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO
expert.