KB_150164: How to verify if IDENTIKEY Authentication Server with Active Directory Data Store is using Legacy encryption or not.
5/23/2017 4:24:07 PM
The encryption settings of the data stored in the database have changed since IAS 3.3. If you have an AD integrated installation that has been upgraded from a pre-IAS 3.3 installation, the old encryption (Legacy) settings are still used.
When you are using Legacy encryption, and you want to add a new IAS server to AD, you need to import the Legacy key during installation of IAS to be able to decrypt the existing data in the AD datastore.
This KB explains how to verify if Legacy encryption is used or not.
Encryption settings of IAS are defined in the configuration wizard during installation. If the encryption is not configured correctly, IAS will not be able to decrypt existing data in the database.
The encryption settings are only visible during initial installation. When running the configuration wizard afterwards, these options are not shown anymore. Therefore it is important to know if Legacy encryption is used before installing IAS.
Open ADUC (Active Directory Users and Computers) and make sure that “Advanced Features” is enabled in the “View” menu.
Open the “Digipass configuration” container and look for objects whose name starts with KEY:
- When you are using Legacy encryption, you will see “Legacy Sensitive Key” in the name, like in the screenshot below:
In that case you need to import the old encryption (Legacy) settings during installation.
- When you are not using Legacy encryption, you will see a different naming for the KEY: objects, like in the screenshot below:
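The same check can be scripted instead of browsing ADUC. The following PowerShell script is an added example, not part of this KB or of the IAS product; it assumes the ActiveDirectory RSAT module is installed and that the placeholder $ConfigContainerDN is replaced with the real distinguished name of the “Digipass configuration” container in your forest.

```powershell
# Added example (not from the KB): list the KEY: objects under the
# "Digipass configuration" container and report whether the
# "Legacy Sensitive Key" object is present.
# $ConfigContainerDN is an assumption: replace the placeholder with the
# actual DN of the Digipass configuration container in your forest.
param(
    [string]$ConfigContainerDN = 'CN=Digipass configuration,DC=example,DC=com'  # placeholder
)

Import-Module ActiveDirectory

# Find every object under the container whose name starts with "KEY:"
$keyObjects = Get-ADObject -SearchBase $ConfigContainerDN -SearchScope Subtree `
    -LDAPFilter '(name=KEY:*)' -Properties name

if (-not $keyObjects) {
    Write-Warning "No KEY: objects found under $ConfigContainerDN; verify the DN."
    return
}

Write-Output 'KEY: objects found:'
$keyObjects | ForEach-Object { Write-Output ('  ' + $_.Name) }

# The KB's indicator: a KEY: object containing "Legacy Sensitive Key" in its name
$legacy = $keyObjects | Where-Object { $_.Name -like '*Legacy Sensitive Key*' }

if ($legacy) {
    Write-Output 'Legacy encryption IS in use: import the Legacy key when installing an additional IAS server and in the ADUC extension.'
} else {
    Write-Output 'Legacy encryption is NOT in use: no Legacy key import is needed.'
}
```

Run it on a domain-joined machine with an account that can read the container; the object names are printed so the result can be compared with what ADUC shows.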
As of IAS 3.10, the IAS server will automatically detect if Legacy encryption is used or not. Therefore, IAS installations where Legacy encryption settings have not been imported in the configuration wizard will work, but the ADUC extension may not work correctly.
If the ADUC extension is not using the correct encryption:
- You will see the following error when opening the properties of a DIGIPASS:
- When you enable the Full Trace file of the ADUC extension and check the trace file while trying to open the properties of a DIGIPASS, you will see the following error:
][0x00000008][vasco::DigipassBlobEngine::unpackBlobData] > The blob is in legacy format.
][0x00000008][CryptoKeyLoader::getLegacyKeyData] > Could not find legacy key in the cache
Caught Vasco::Exception: class vasco::Exception: Error -23 in function
"CryptoKeyLoader::getLegacyKeyData (legacy mode is missing in the attributeset.)": A required field
[2017/05/09|09:37:06.487873UTC][INFO ][0x00000008][TransactionHelper::Rollback] >
Transaction Rollback Succeeded.
In that case you have to load the Legacy encryption in the ADUC extension:
If you are using a custom encryption key, you should have stored this key in a safe place, and you will have to import it during installation of an additional IAS server and/or in the ADUC extension.
When you import a DPX file, the encryption settings of the ADUC extension are used. Make sure that the encryption settings are correct before performing a DPX import. If you fail to follow these guidelines, you will end up with a mixed environment: part of the DIGIPASS data will be encrypted with Legacy encryption and part with the new encryption methods. In the ADUC extension you will not be able to administer both. In that case it is advised to use the encryption that best serves your needs, delete the DIGIPASS objects that have the other encryption setting and re-import them.
Applies to: IDENTIKEY Authentication Server
© 2016 VASCO Data Security. All rights reserved.