driver keycontroller · design, configuration and use guide c/ acceso ademuz, nº 12-1º-pta 1 -...

DRIVER KEYCONTROLLER

DESIGN, CONFIGURATION AND USE GUIDE

C/ Acceso Ademuz, Nº 12-1º-Pta 1 - 46980 Paterna (Valencia)

www.ivnosys.com - Tel. 960 031 203

COPYRIGHT© The material contained in this document is the property of Ivnosys Soluciones.

No part of this site may be reproduced in any form or by any means, nor may it be used with other organisations for other purposes without our prior written

permission.

1

KEYCONTROLLER DRIVER FOR IVSIGN

PRODUCT: IVSIGN

VERSION:

V9 – V1

www.ivnosys.com 96 003 12 03

[email protected]

Madrid · Barcelona · Valencia

Ivnosys Soluciones, S.L.U. | CIF: B-98333362 | C/ Acceso de Ademuz, 12. 1st floor, Office. 1, Paterna, Valencia (C.P.: 46980)

Registered in the Mercantile Registry of Valencia, Volume: 9306, Book: 6588, Sheet: 60, Section: 8, Page: V143049, Inscription: 1

TABLE OF CONTENTS

TABLE OF CONTENTS __________________________________________________________________________ 1

1. KEYCONTROLLER DRIVER FOR IVSIGN ____________________________________________________ 2

2. STANDARD INSTALLATION AND CONFIGURATION _____________________________________ 3

MANUAL OR STANDARD INSTALLATION _________________________________________________ 3

MANUAL OR STANDARD CONFIGURATION ______________________________________________ 8

3. UNATTENDED INSTALLATION AND CONFIGURATION ________________________________ 11

UNATTENDED INSTALLATION ___________________________________________________________ 11

UNATTENDED CONFIGURATION _________________________________________________________ 13

OPTION 01: CONFIGURATION USING COMMAND LINE PARAMETERS ___________________________ 13

OPTION 02: CONFIGURATION USING THE WINDOWS REGISTRY _________________________________ 15

4. DRIVER INSTALLATION USING GPO _____________________________________________________ 17

STEPS TO FOLLOW ________________________________________________________________________ 17

5. CONFIGURATION ON PKCS#11 ENVIRONMENTS _______________________________________ 25

6. VERSION UPDATE PROCEDURE __________________________________________________________ 29

7. MANAGEMENT AND USE OF KEYCONTROLLER _________________________________________ 30

NOTIFICATION SYSTEM __________________________________________________________________ 30

CONTROL PANEL __________________________________________________________________________ 32

ENABLING/DISABLING CERTIFICATES ___________________________________________________ 33

2


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




1. KEYCONTROLLER DRIVER FOR IVSIGN

IvSign is the solution for safe e-signatures.

With IvSign it is not necessary to install a certificate on a certain device, as it allows the centralisation of all certificates on the platform.

IvSign allows to store digital certificates safely, and its use can be authorised on different devices, users, processes and websites in a centralised way, with traceability of operations.

It is the only mean to guarantee legally and technically the identity of an individual on the internet, a document’s e-signature and any encrypted communication or content.

For that, the installation and configuration of the KeyController driver.

3


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




2. STANDARD INSTALLATION AND CONFIGURATION

MANUAL OR STANDARD INSTALLATION

In order to use a certificate with Windows applications -in the same way it is done with a cer-

tificate in SmartCard or Software-, it is necessary to acquire the KeyController Driver. It is pos-

sible to setup the driver following these simple steps.

Firstly, it is necessary to access the following URL: https://ivsdriver.com/. The license agree-

ment must be read and accepted before proceeding to the download by clicking on the option

“I have read and accept the License agreement for this product.”

When downloading the driver, two options are available:

✓ Clicking on KeyController Installer: it detects the appropriate architecture according

to the computer’s characteristics and it downloads and installs the latest version availa-

ble.

✓ Clicking on the appropriate version, according to the computer processor’s architecture:

• KeyController 64 bits: for computers with a 64-bit processor.

• KeyController 32 bits: for computers with a 32-bit processor.

After clicking on the corresponding link, run the downloaded file.

Note: Administrator permissions are required in order to install the driver.

https://ivsdriver.com/

4


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




A window will open for the installation. It is possible to choose which version to install.

Click on the box “I accept the terms in the license agreement”, and the “Next” button will be

activated, which allows you to start the installation.

The following screen allows the user to select the KeyController Driver components to be in-

cluded in the installation process.

5


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




However, it is recommended to keep the default values and install all the components.

After clicking on each component, a shortcut menu will open showing every option available

for each one.

By default, the components are set to the option “This feature will be installed on your local

hard drive”.

If any component is not to be installed, then click on the option “The complete feature will

not be available”.

After clicking on Next, confirmation will be required in order to start the installation process,

based on the previously selected parameters.

6


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




When clicking on the Install button, a window will be displayed. It will show the status of the

installation through a progress bar.

Once the installation is finished, click on the Finish button to close the wizard.

7


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Lastly, a dialog box will open, requesting that the computer be restarted.

IMPORTANT NOTE: Restarting the system is required in order to ensure correct

system operation. If restarting is not allowed or it is omitted, the driver may not

run correctly, or it may be unstable.

In case immediately restarting the system is not possible, it is necessary to ensure

it is done afterwards, before the final users start working with the driver.

The icon for the KeyController Driver will be displayed on the bottom right-hand side of the

Windows Task Bar, on the Notifications area.

8


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




MANUAL OR STANDARD CONFIGURATION

The application needs to be configured following the steps below, so as to be able to use cen-

tralised certificates on IvSign.

When clicking with the right mouse button on the KeyController Driver icon located on the

Windows task bar, the following menu will appear:

Click on the Settings option and fill out the following fields:

✓ Server: Enter the value corresponding to the URL of the platform (for example,

ivsign.net).

• Authentication: Select Integrated authentication, Federated Authentication or

Username and Password, as appropriate.

• Integrated authentication: With this option, the data of the active session of

Windows is obtained, thus verifying that the user exists in the Active Directory

of the organization. The Active Directory of the organization must be on the

same network as the IvSign server.

• Federated Authentication: In the same way as with the Integrated Authentica-

tion, this type of authentication will work with the information of the active ses-

sion of Windows. However, users will authenticate against a repository that is

not on the same network as the IvSign server, with which a trust relationship is

established thanks to a federation code.

✓ Username and password: Enter the details from the “Welcome to IvSign” e-mail to

access the platform. The information will be verified on IvSign’s own database.

✓ Organisation ID: Indicate the organization's identifier. If you do not have this identifier,

please contact your project manager.

Note: If the password has been changed, enter the new one and not the one on the wel-

come e-mail.

It is possible to click on Test to check if the credentials are correct.

9


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Whether the credentials are correct or incorrect, the appropriate message will be displayed on

the bottom section of the window.

Once the configuration is verified, click on Accept.

The certificates that are centralised on IvSign can be viewed from a browser and from applica-

tions that use standard Windows storage protocols.

If certificates are not displayed automatically, it is advisable to restart the system.

NOTE: Centralised certificates can neither be manually removed from the system nor can their

private key be exported, as they are never stored on the computer where they are setup.

10


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




3. UNATTENDED INSTALLATION AND CONFIGURATION

UNATTENDED INSTALLATION

Since version 5, the KeyController setup incorporates new components and additional installa-

tion options. For instance, the system requires for the computer to be restarted after finishing

the installation process. This requirement aims to ensure correct system operation.

If the installation is unattended, this requirement can be omitted or customised based on the

installation options chosen.

The available options are listed on the following table:

Options Description

Components To exclude all additional components from the installation process, in-

clude the following parameters:

“ADDLOCAL=ALL REMOVE=PluginChrome,PluginIE,Pkcs11”

It is also possible to disable specific components. It can be done in two

different ways; either using the previous command (specifying only one

component) or through the option DISABLE and the name of the com-

ponent, as shown below:

• “DISABLE_PluginChrome=1”

• “DISABLE_PluginIE=1”

• “DISABLE_Pkcs11=1”

Restart /norestart: It prevents the computer from being restarted once the

installation process is finished.

NOTE: If this parameter is not included, the computer will automati-

cally be restarted after the installation. The user will not be able to can-

cel it.

11


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Some examples below:

EXAMPLE: Installation of KeyController excluding all components and preventing the system

from being restarted:

msiexec /q /norestart /i KeyController64_9.0.msi ADDLOCAL=ALL REMOVE=Plugin-

Chrome,PluginIE,Pkcs11

EXAMPLE: Installation of KeyController excluding only the Google Chrome component (first

method) and forcing the system to be restarted:

msiexec /q /i KeyController64_9.0.msi ADDLOCAL=ALL REMOVE=PluginChrome

EXAMPLE: Installation of KeyController excluding only the Google Chrome component (second

method) and forcing the system to be restarted:

msiexec /q /i KeyController64_9.0.msi DISABLE_PluginChrome=1

IMPORTANT NOTE: Restarting the system is required in order to ensure correct

system operation. If restarting is not allowed or it is omitted, the driver may not

run correctly, or it may be unstable.

In case immediately restarting the system is not possible, it is necessary to ensure

it is done afterwards, before the final users start working with the driver.

12


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




UNATTENDED CONFIGURATION

Option 01: configuration using command line parameters.

The MSI installer allows the driver to be setup with default values at the moment of the instal-

lation.

The allowed parameters are the following:

Parameter Description

Server Sets the default server configuration for new users.

Serverfix Sets a fixed server configuration for all users (users will not be able to

change this).

Auth Sets the default authentication method (Values: pass / win)

✓ pass > Basic authentication

✓ win > Integrated authentication

✓ federated > Federated authentication

Authfix Sets a fixed authentication method (users will not be able to change

this).

Orga Sets IvSign’s organisation code.

Orgafix Sets a fixed organisation code (users will not be able to change this).

Noupdates Disables update checks (using value 1).

Nocertdisable Allows to remove the possibility of enabling/disabling certificates from

the menu (using value 1).

Fedcode Federation code. It is required for the use of federated authentication.

Accesopanel Allows to enable the “Control panel” option on KeyController’s shortcut

menu (using value 1).

13


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




SSOPanel Specifies whether autologin on CertManager is allowed, through the

option on “Control Panel” or from a notification (using value 1).

If the user is required to enter their password, the value 0 must be set.

Autoregister Establishes whether KeyController must create the user reference on

IvSign when the user logs in on the computer (using value 1).

This option is only enabled in systems with integrated and federated

authentication.

IMPORTANT NOTE: It is important to take into account that in order to perform the unat-

tended installation with the parameter /q, the console must run in the administrator mode.

Some examples below:

EXAMPLE: Basic example of the installation, in which the user is allowed to edit the form fields

and update checks are disabled.

msiexec /q /i KeyController64_9.0.msi server=ivsign.net auth=win orga=XXXX noupdates=1

nocertdisable=1

EXAMPLE: Below is the same example, only the user cannot edit the form fields.

msiexec /q /i KeyController64_9.0.msi serverfix= ivsign.net authfix=win orgafix=XXXX

noupdates=1 nocertdisable=1

EXAMPLE: Below there is another example, only using federated authentication:

msiexec /q /i KeyController64_9.0.msi serverfix= ivsign.net authfix=federated orgafix=XXXX

fedcode=YYYY noupdates=1

http://ivsign.net/

http://ivsign.net/

http://ivsign.net/

14


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Option 02: Configuration using the Windows registry

It is possible to modify the default and mandatory configuration of the server and the driver’s

authentication method through some changes in the registry.

The available registry entries are:

Registry entries Description

[HKEY_CURRENT_USER\Soft-

ware\Ivnosys\KeyController]

Sets a specific configuration for a user

[HKEY_LOCAL_MACHINE\SOFTWARE\Cli-

ent\KeyController\fixed]

Sets mandatory values for all users, with no possibility

of modification.

[HKEY_LOCAL_MACHINE\SOFTWARE\Cli-

ent\KeyController\default]

Contains the default configuration values.

KeyController uses these values if it cannot find con-

figuration data on the two paths mentioned above.

EXAMPLE: This is an example of configuration in which ivsign.net and integrated authentication

are forcibly used. The reg file to be used is the following:

------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\KeyController\fixed]

"server"=" ivsign.net"

"auth"="win"

------------------------------------------------------------

EXAMPLE: This is an additional example using federated authentication in a predetermined

way.

------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\KeyController\default]

"server"=" ivsign.net"

"auth"="federated"

"fedcode"="XXXXXXXXXXX"

------------------------------------------------------------

http://ivsign.net/

http://ivsign.net/

15


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




4. DRIVER INSTALLATION USING GPO

In order to use the KeyController driver on all the necessary computers, it is necessary to per-

form an installation using the policies of the domain.

The first step is to locate the installation files (both for 32-bit and 64-bit architectures) on a

shared resource, accessible by all positions, with permissions for all users.

NOTE: It is important for the installer to be MSI.

STEPS TO FOLLOW

To generate the guideline that carries out the unintended installation, it is necessary to access

the Group Policy Administrator. In order to access this panel from the domain controller, the

command “gpmc” needs to be executed.

Once on this panel, unfold the domain in use and create a new one from the Group Policy

Objects.

Edit the new policy.

16


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Once on the new window, follow the route: System configuration > Guidelines > Software

configuration > Software installation. On this last section, a new data packet will be created

for each MSI.

Once the 32 and 64-bit packets have been created, the next step is to configure the variables

of the driver in order to access the following route:

System configuration > Preferences > Windows configuration > Registry

17


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




The new variables are configured by clicking on the right button on the Registry window > New

> Registry Element

NOTE: The variables depend on the configuration. For more information, consult with your

project manager.

On the KeyController setting options there are certain fields that can be locked so the user

cannot modify them.

Check the section Configuration with command line parameters to see how to do it.

Check the following images to see an example of fixed or editable variables:

1. Fixed field -users cannot modify it- (fixed).

18


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




2. Users can modify the field (default).

NOTE: It is important for the field “Action” to be set on “Replace” to avoid configuration prob-

lems.

Below there are several recommended configurations (depending on the authentication

method) for definitive installations on the client’s work station (in production).

19


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




1. BASIC AUTHENTICATION

The following table indicates the recommended configuration with basic authentication, in

which the fields noupdates and nocertdisable are locked.

*server: Contains IvSign’s URL.

**orga: Sets IvSign’s organisation code.

[If this information is not available to you, request it from your Project Manager]

As a result of the previous configuration, the driver will be configured as follows:

Parameter Config (editable o locked) Value

server fixed *

auth fixed pass

orga fixed **

noupdates default 1

nocertdisable default 1

20


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




2. FEDERATED AUTHENTICATION

This configuration sets the recommended configuration with federated authentication, in which

the fields noupdates and nocertdisable are locked.

*server: Contains IvSign’s URL.

**fedcode: Federation code. It is required for the use of federated authentication and it is pro-

vided at the beginning of the project.

***orga: Sets IvSign’s organisation code

[If this information is not available to you, request it from your Project Manager]

As a result of the previous configuration, the driver will be configured as follows:

Parameter Config (editable o locked) Value

server fixed *

auth fixed federated

fedcode fixed **

orga fixed ***

noupdates default 1

nocertdisable default 1

21


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Lastly, on the Group Policy Administrator, select the organisational unit that contains the com-

puters where the driver installation will take place. The configured GPO (following the previous

steps) will be applied by selecting “Associate with existing GPO”.

22


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




For the installation to be successful, it is possible to either wait for the computers to be restarted

or to force the update of the group policies by using the command “gpupdate /force” (this

command needs to be used on each client computer).

23


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




5. CONFIGURATION ON PKCS#11 ENVIRONMENTS

On browsers such as Firefox or other systems that need standard PKCS#11, it will be necessary

to set KeyController Driver as a specific encryption key provider, as if it were a SmartCard. The

procedure is as follows:

1. Open the Settings menu

24


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




2. On the Privacy and Security sections, search for Certificates

3. Then, click on Safety Devices

The following screen will appear:

4. Click on Load and select the module PKCS#11:

25


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




The default driver path is:

C:/Program Files/Ivnosys/KeyController/pkcs11

Depending on the browser, it will be the x86 or x64 folder.

It will most likely be the x86 folder.

If everything is operating correctly, the configuration should look as follows:

If the path is not correct or if the driver version does not correspond to the browser’s build

version, the following error message will be displayed and the driver will not be configured

correctly:

26


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Subsequently, certificates will appear on Firefox just like any certificates imported from a .p12

file or SmartCard:

27


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




6. VERSION UPDATE PROCEDURE

KeyController Driver will periodically inform the user about the latest version available through

a message on the Windows task bar.

Click on the pop-up message to download the file. Then, run the file to apply the updates.

Note: It is essential to have administrator permissions on the computer in order for the

file to run correctly.

In case of wanting to check whether there is a new version without waiting for the message to

appear, right-click on the icon located on the task bar, then click on the option Check for up-

dates.

28


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




7. KEYCONTROLLER MANAGEMENT AND USE

NOTIFICATION SYSTEM

Informative messages regarding the platform’s management are sent to users from IvSign.

In order to read those notifications, it is necessary to access IvSign.

KeyController Driver lets the user know there are unread notifications by displaying the fol-

lowing message:

The option Notifications becomes available on the KeyController Driver when it detects un-

read notifications. By clicking on the Notifications menu, the browser will open a window to the

IvSign platform so the user can read them.

29


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




CONTROL PANEL

The option Control Panel on the menu is a direct access from the KeyController Driver to the

IvSign platform.

Click on this menu to open the IvSign platform through the web browser, in order to log in and

access all of the platform’s options.

30


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




ENABLING/DISABLING CERTIFICATES

In case of having many certificates, the option of enabling or disabling certificates is available,

so as to prevent all the certificates from being displayed all at once when there is a need of

performing an action with them (e-signing, accessing a URL…).

Right-click on the KeyController Driver icon located on the taskbar.

This option allows to work only with the certificates that are enabled on IvSign.

Certificates that show the icon on the Settings column will be displayed.

31


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




Certificates that are disabled on IvSign for any reason (having forgotten the PIN several times,

having been manually disabled…) will not become available on the driver. Certificates that show

the icon on the Settings column will not be displayed.

The enable/disable options will only affect the computer being used in that moment. That

is, if there is a certificate delegated to another user, the enable/disable changes will only work

on the computer that is making the changes. The person to which the certificate is delegated

will need to enable or disable the certificate on their own computer.

To show a hidden certificate, click on the HIDDEN box of that certificate.

32


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




To hide a visible certificate click on the VISIBLE box of the certificate.

In both cases, visibility will automatically change.

33


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




These actions can be carried out individually or all at once by clicking on Select all or Unselect

all.

Certificates can be filtered by the content of any column (visibility, name, common name, issuer

or expiration date) by entering the text on the Search box and clicking on Search or by pressing

Enter. All coincidences will be listed.

34


PRODUCT: IVSIGN

VERSION:

V9 – V1


[email protected]




To show all the certificates again and filter them once more, click on Show all.

driver keycontroller · design, configuration and use guide c/ acceso ademuz, nº 12-1º-pta 1 -...

Documents