Entrust®

Entrust Identity Enterprise 13.0

Installation Guide

Document issue: 12.0

Date of Issue: November 2024


Copyright © 2024 Entrust Corporation. All rights reserved.

Entrust and the hexagon design are trademarks, registered trademarks and/or service marks of Entrust Corporation in Canada and the United States and in other countries. All Entrust product names and logos are trademarks, registered trademarks and/or service marks of Entrust Corporation. All other company and product names and logos are trademarks, registered trademarks and/or service marks of their respective owners in certain countries.

This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

2 Entrust Identity Enterprise 13.0 Installation Guide


TOC

About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9


New name! New look! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Revision information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Documentation conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Note and Attention text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Related documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Obtaining documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Documentation feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Obtaining technical assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Preparing to install Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . . . . . . .21


Worksheets for deploying Entrust Identity Enterprise . . . . . . . . . . . . . . . . . 22
Worksheet for preparing to deploy Entrust Identity Enterprise . . . . . 22
Worksheet for deploying a primary Entrust Identity Enterprise Server 24
Worksheet for deploying a replica Entrust Identity Enterprise Servers 25
Worksheet for configuring an Entrust Identity Enterprise deployment 25
Synchronizing clocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Creating a Linux group and user account to own Entrust Identity Enterprise . . . 28
Downloading Entrust Identity Enterprise software . . . . . . . . . . . . . . . . . . . 30
Preparing your repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Using a hardware security module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Collecting your configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Installing Entrust Identity Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39


Installing Entrust Identity Enterprise Server on Windows . . . . . . . . . . . . . . 41
Installing Entrust Identity Enterprise Server on Linux . . . . . . . . . . . . . . . . . 48

Configuring Entrust Identity Enterprise as a primary server . . . . . . . . . . . . . .53


Configuring Entrust Identity Enterprise as a primary server on Windows . . 54
Configuring Entrust Identity Enterprise as a primary server on Linux . . . . . 73

Configuring Entrust Identity Enterprise as a replica server . . . . . . . . . . . . . . .89


Replica server overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring Entrust Identity Enterprise as a replica server on Windows . . . 92
Configuring Entrust Identity Enterprise as a replica server on Linux . . . . . 103
Replicating master keys on HSMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Initializing Entrust Identity Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111


Initializing a primary Entrust Identity Enterprise Server . . . . . . . . . . . . . . . 112
Initializing a primary Entrust Identity Enterprise Server on Windows 112
Initializing a primary Entrust Identity Enterprise Server on Linux . . . 126
Initializing a replica Entrust Identity Enterprise Server or server restored from a backup . . . 140
Initializing a replica Entrust Identity Enterprise Server or server restored from a backup on Windows . . . 141
Initializing a replica Entrust Identity Enterprise Server or server restored from a backup on Linux . . . 145
Troubleshooting initialization failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Creating the first administrator manually . . . . . . . . . . . . . . . . . . . . . . . . . 148

Testing Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151


Testing Entrust Identity Enterprise on Windows . . . . . . . . . . . . . . . . . . . . 152
Testing Entrust Identity Enterprise on Linux . . . . . . . . . . . . . . . . . . . . . . . 158
Troubleshooting your installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Customizing Entrust Identity Enterprise Server . . . . . . . . . . . . . . . . . . . . . . .163


Disabling the Authentication service non-SSL port on Tomcat . . . . . . . . . 164
Enabling the Administration service non-SSL port on Tomcat . . . . . . . . . . 166
Disabling the Administration service SSL port on Tomcat . . . . . . . . . . . . . 168
Configuring Tomcat to use a proxy server . . . . . . . . . . . . . . . . . . . . . . . . 170

Managing the SSL certificate on Entrust Identity Enterprise Server . . . . . . 171
Managing certificates using the Key Store Management interface . 171
Managing certificates using keytool . . . . . . . . . . . . . . . . . . . . . . . . 171

Starting and stopping Entrust Identity Enterprise services . . . . . . . . . . . . . . 187


Managing Entrust Identity Enterprise services . . . . . . . . . . . . . . . . . . . . . 188
Managing Entrust Identity Enterprise services on Linux . . . . . . . . . 188
Managing Entrust Identity Enterprise services on Windows . . . . . . 194

Backing up and restoring Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . 201


Backup and restore overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Planning a backup strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Entrust Identity Enterprise backup files . . . . . . . . . . . . . . . . . . . . . . 203
Backing up file-based repositories . . . . . . . . . . . . . . . . . . . . . . . . . 205
Backup best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Backing up your configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Restoring Entrust Identity Enterprise from a backup . . . . . . . . . . . . . . . . 213

Migrating Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225


Migrating Entrust Identity Enterprise to another platform . . . . . . . . . . . . 226
Shutting down the old server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Migrating Entrust Identity Enterprise from a staging to a production environment . . . 228
Migrating policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Migrating roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Migrating tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Recreating soft tokens in the production system . . . . . . . . . . . . . . 232
Migrating grid cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Migrating properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Upgrading Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Upgrade overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Supported upgrade paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Upgrade preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Upgrading the operating system and Entrust Identity Enterprise . . . 238
Upgrade worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Multi-server considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
High-availability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Web service and API considerations . . . . . . . . . . . . . . . . . . . . . . . . 242
Logging an upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Upgrading Entrust Identity Enterprise on Windows . . . . . . . . . . . . . . . . . 243
Upgrading Entrust Identity Enterprise on Linux . . . . . . . . . . . . . . . . . . . . 251

Adding a patch to Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . . . . . . .257


Patching overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Multi-server considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Maintaining high-availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Compatibility with Self-Service Module . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Check master key binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Basic patching procedure for the Entrust Identity Enterprise server . . . . . . 262

Using the sample application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265


Sample application overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
About error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
About changing information in the sample application . . . . . . . . . . 267
About the sample policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
About the sample role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Installing the sample application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Enabling or disabling the sample application . . . . . . . . . . . . . . . . . . . . . . 276

Preparing to use the sample application . . . . . . . . . . . . . . . . . . . . . . . . . 280
Browser requirements for the sample application . . . . . . . . . . . . . . 280
Configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Changing the sample application logging levels . . . . . . . . . . . . . . . 283
Ensuring mutual authentication works . . . . . . . . . . . . . . . . . . . . . . 284
Configuring the sample application for certificate-based authentication (Optional) . . . 286
Accessing the sample application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Using two-step authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Enrolling a user for two-step authentication . . . . . . . . . . . . . . . . . . 292
Registering a second-factor method for two-step authentication . . 297
Performing two-step authentication . . . . . . . . . . . . . . . . . . . . . . . 308
Using step-up authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Enrolling a user for step-up authentication . . . . . . . . . . . . . . . . . . . 313
Performing step-up authentication . . . . . . . . . . . . . . . . . . . . . . . . 324
Changing the browser information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Answering second-factor authentication challenges . . . . . . . . . . . . . . . . 333
Performing a wire transfer using transaction authentication . . . . . . . . . . 340

Uninstalling Entrust Identity Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343


Uninstalling Entrust Identity Enterprise on Linux . . . . . . . . . . . . . . . . . . . 344
Uninstalling Entrust Identity Enterprise Windows . . . . . . . . . . . . . . . . . . . 346

Glossary of Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359


About this guide


The Entrust Identity Enterprise Installation Guide provides detailed information for
administrators to plan, install, configure, upgrade, uninstall, use the sample Web
application, and troubleshoot the Entrust Identity Enterprise Server installation.
Topics in this chapter include:
• “Revision information” on page 10
• “Documentation conventions” on page 14
• “Related documentation” on page 16
• “Obtaining documentation” on page 18
• “Obtaining technical assistance” on page 19

New name! New look!


Entrust IdentityGuard is now known as Entrust Identity Enterprise, part of the Entrust
Identity family of products which includes Entrust Identity as a Service (formerly
Entrust Datacard IntelliTrust), Entrust Identity Enterprise, and Entrust Identity
Essentials (formerly SMS Passcode).
The user interfaces of the Entrust Identity Enterprise products have been refreshed to
reflect the new Entrust brand. Updates to images in the documentation are ongoing.
The contents of the user interface pages described in the documentation have not
changed, so procedures still reflect what you see on screen even though the logo,
icons, colors, and fonts might look different. Thank you for your patience as we
continue to update the documentation.
To maintain backward compatibility, the product and component names have not
changed in underlying parts of the software including APIs and file names.

Revision information
Table 1: Revisions in this document

Columns: Document issue and date | Section | Description

Issue 12.0, November 2024
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Updated the “Compatibility with Self-Service Module” table for Patch 623364.

Issue 11.0, October 2024
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Updated the “Compatibility with Self-Service Module” table for Patch 623359.

Issue 10.0, May 2024
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Updated the “Compatibility with Self-Service Module” table.

  Section: “Using a hardware security module” on page 33
  Description: Updated Step 2 of “To prepare the HSM” to add “or later”.

  Section: “Configuring Entrust Identity Enterprise as a primary server on Windows” on page 54
  Description: Updated Step 17.a. to add an example URL in the JDBC driver-specific format for SQL Server.

  Section: “Initializing a primary Entrust Identity Enterprise Server on Windows” on page 112
  Description:
  • Updated the image in Step 6.a. of “To initialize a primary Entrust Identity Enterprise Server on Windows using the Configuration Wizard”.
  • Added Step 6.e. in “To initialize a primary Entrust Identity Enterprise Server on Windows using the Configuration Wizard”.
  • Updated the -createAdmin attribute and description in Table 10.
  • Added Step 11.d. in “To initialize a primary Entrust Identity Enterprise Server on Windows using the master user shell”.

  Section: “Initializing a primary Entrust Identity Enterprise Server on Linux” on page 126
  Description:
  • Added Step 9.d. in “To initialize a primary Entrust Identity Enterprise Server on Linux using the configuration script”.
  • Updated the init command in Step 3 of “To initialize a primary Entrust Identity Enterprise Server on Linux using the master user shell”.
  • Updated the -createAdmin attribute and description in Table 11.
  • Added Step 11.d. in “To initialize a primary Entrust Identity Enterprise Server on Linux using the master user shell”.

  Section: “Installing Entrust Identity Enterprise” on page 39
  Description: Added a Note on removing biometric data before patching to Entrust Identity Enterprise Patch 572543 or later.

Issue 9.0, September 2023
  Section: “Switching to a CA-signed certificate using keytool” on page 171
  Description: Correction to Step 5, “Importing the certificates to your Entrust Identity Enterprise clients” (IDG-15096).

  Section: “Compatibility with Self-Service Module” on page 259
  Description: Update to table of compatible Server and Self-Service Module patches.

Issue 8.0, June 2023
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Update to table of compatible Server and Self-Service Module patches.

  Section: “Using a hardware security module” on page 33; “Upgrade overview” on page 236
  Description: Included configuration and upgrade information regarding the nCipher HSM.

Issue 7.0, January 2023
  Section: “Check master key binding” on page 261
  Description: New requirement prior to installing a patch on the Entrust Identity Enterprise Server (IDG-19323).

Issue 6.0, October 2022
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Update to table of compatible Server and Self-Service Module patches. Update to Self-Service Module patch requirements to match Server installation patch level (IDG-17677).

  Section: “Using a hardware security module” on page 33
  Description: Updates to required setup for Luna SA hardware security module.

  Section: Related documentation
  Description: Updates to list of related documentation.

Issue 5.0, September 2022
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Update to table of compatible server and Self-Service Module patches.

Issue 4.0, April 2022
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Update to table of compatible server and Self-Service Module patches.

  Section: “Initializing a replica Entrust Identity Enterprise Server or server restored from a backup” on page 140
  Description: New paragraph advising to read HSM vendor documentation for advice on replicating HSM keys.

  Section: “Initializing Entrust Identity Enterprise” starting on page 111
  Description: Removed notes that said the same HSM serial number must be used on primary and replica servers.

Issue 3.0, December 2021
  Section: “Compatibility with Self-Service Module” on page 259
  Description: Update to table of compatible server and Self-Service Module patches.

  Section: “Using the sample application” on page 265
  Description: Additional message warning not to use the sample application for production.

Issue 2.0, April 2021
  Section: “Basic patching procedure for the Entrust Identity Enterprise server” on page 262
  Description: Shut down Master User Shell before patching or upgrading.

  Section: “Installing Entrust Identity Enterprise Server on Linux” on page 48
  Description: See Prerequisite concerning installation of fonts.

  Section: “Upgrading Entrust Identity Enterprise on Windows” on page 243
  Description: Updated Windows upgrade screenshots.

Issue 1.0, December 2020
  Section: All sections
  Description: First release of this guide for Release 13.0.
  Note: All content related to use of IBM WebSphere and Oracle WebLogic has been removed from this guide. Use of these application servers is not supported in Entrust Identity Enterprise 13.0.
  Note: All content related to use of Unix operating systems (Solaris and AIX) has been removed from this guide. Use of the Solaris and AIX operating systems is not supported in Entrust Identity Enterprise 13.0.

Report any errors or omissions
Documentation conventions
Following are documentation conventions that appear in this guide:

Table 2: Typographic conventions

Columns: Convention | Purpose | Example

Convention: Bold text (other than headings)
  Purpose: Indicates graphical user interface elements and wizards
  Example: Click Next.

Convention: Italicized text
  Purpose: Used for book or document titles
  Example: Entrust Identity Enterprise Server Administration Guide

Convention: Blue text
  Purpose: Used for hyperlinks to other sections in the document
  Example: Entrust TruePass supports the use of many types of digital ID.

Convention: Underlined blue text
  Purpose: Used for Web links
  Example: For more information, visit our Web site at www.entrust.com.

Convention: Courier type
  Purpose: Indicates installation paths, file names, Windows registry keys, commands, and text you must enter
  Example: Use the entrust-configuration.xml file to change certain options for Verification Server.

Convention: Angle brackets <>
  Purpose: Indicates variables (text you must replace with your organization’s correct values)
  Example: By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini.

Convention: Square brackets [courier type]
  Purpose: Indicates optional parameters
  Example: dsa passwd [-ldap]

Note and Attention text


Throughout this guide, there are paragraphs set off by ruled lines above and below
the text. These paragraphs provide key information with two levels of importance, as
shown below.

Note:
Information to help you maximize the benefits of your Entrust product.

Attention:
Issues that, if ignored, may seriously affect performance, security, or the
operation of your Entrust product.

Related documentation
This section describes related reading material that may be used in conjunction with
this guide.
• Entrust Identity Enterprise Server Administration Guide provides instructions
about administering Entrust Identity Enterprise users and groups.
• Entrust Identity Enterprise Smart Credentials Guide provides instructions for
configuring and administering physical and mobile smart credentials.
• Entrust Identity Enterprise Print Module User Guide provides instructions
about issuing (printing and encoding) smart credentials through the Print
Module.
• Entrust Identity Enterprise Master User Shell Reference provides a full list and
descriptions of the Entrust Identity Enterprise master user shell commands.
• Entrust Identity Enterprise Directory Configuration Guide provides
information about configuring Entrust Identity Enterprise to work with a
supported LDAP repository.
• Entrust Identity Enterprise Database Configuration Guide provides
information about configuring Entrust Identity Enterprise to work with a
supported JDBC database.
• Entrust Identity Enterprise Error Messages provides information about
Entrust Identity Enterprise error messages.
• Entrust Identity Enterprise Release Notes provides information about new
features, limitations, and known issues in the latest release.
• Self-Service Module documentation includes:
– Entrust Identity Enterprise Self-Service Module Installation and
Configuration Guide
– Entrust Identity Enterprise Self-Service Module Customization Guide
– Entrust Identity Enterprise Self-Service Module User Guide
• Entrust Identity Enterprise Programming Guide (either Java Platform or
.NET) provides information about integrating the authentication and
administration processes of your applications with Entrust Identity Enterprise.
• If you developed custom applications with Entrust IdentityGuard 12.0, use
the guidance in the Entrust Identity Enterprise 13.0 Java CXF Migration
Guide to update them.

Note:
If you are using a programming environment other than .NET or Java, you can
still connect applications to Entrust Identity Enterprise. Entrust Identity Enterprise
exposes a standard Web-services interface for authentication and administration.
The server install ships the WSDL for these services in the
<IG_HOME>/client/doc directory. You can translate example code in the .NET
and Java guides into other languages.

Obtaining documentation
Entrust product documentation, white papers, technical notes, and a comprehensive
Knowledge Base are available through Entrust TrustedCare Online. If you are
registered for our support programs, you can use our web-based Entrust TrustedCare
online support services at:
https://trustedcare.entrust.com

Documentation feedback
You can rate and provide feedback about Entrust product documentation by
completing the online feedback form. You can access this form in one of the following
ways:
• Click the Report any errors or omissions link located in the footer of Entrust
PDF documents (see bottom of this page).
• Follow this link: http://go.entrust.com/documentation-feedback
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrust.com

Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support
resources. The following subsections provide details about the technical support and
professional services available to you.

Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://trustedcare.entrust.com
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
• Your contact information
• Product name, version, and operating system information
• Your deployment scenario
• Description of the problem
• Copy of log files containing error messages
• Description of conditions under which the error occurred
• Description of troubleshooting activities you have already performed

Telephone numbers
For support assistance by telephone call one of the numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America

Email address
The email address for Customer Support is:
support@entrust.com

Professional Services
The Entrust team assists e-businesses around the world to deploy and maintain secure
transactions and communications with their partners, customers, suppliers and
employees. We offer a full range of professional services to deploy our e-business
solutions successfully for wired and wireless networks, including planning and design,
installation, system integration, deployment support, and custom software
development.
Whether you choose to operate your Entrust solution in-house or subscribe to hosted
services, Entrust Professional Services will design and implement the right solution for
your e-business needs. For more information about Entrust Professional Services
please visit our Web site at:
http://www.entrust.com/services

Training
Through a variety of hands-on courses, Entrust delivers effective training for
deploying, operating, administering, extending, customizing and supporting any
variety of Entrust digital identity and information security solutions. Delivered by
training professionals, Entrust professional training services help to equip you with the
knowledge you need to speed the deployment of your security platforms and
solutions. Please visit our training website at:
http://www.entrust.com/training

1 Preparing to install Entrust Identity Enterprise

Complete the steps in this chapter before you install Entrust Identity Enterprise Server.
It contains important preinstallation steps for installers and repository (directory or
database) administrators.
This chapter contains the following topics:
• “Worksheets for deploying Entrust Identity Enterprise” on page 22
• “Synchronizing clocks” on page 27
• “Creating a Linux group and user account to own Entrust Identity
Enterprise” on page 28
• “Downloading Entrust Identity Enterprise software” on page 30
• “Preparing your repository” on page 32
• “Using a hardware security module” on page 33
• “Collecting your configuration data” on page 35

Worksheets for deploying Entrust Identity Enterprise
Use the following worksheets as a checklist to set up Entrust Identity Enterprise for
your system.
This section contains the following topics:
• “Worksheet for preparing to deploy Entrust Identity Enterprise” on page 22
• “Worksheet for deploying a primary Entrust Identity Enterprise Server” on
page 24
• “Worksheet for deploying a replica Entrust Identity Enterprise Servers” on
page 25
• “Worksheet for configuring an Entrust Identity Enterprise deployment” on
page 25

Worksheet for preparing to deploy Entrust Identity Enterprise


Use the following worksheet as a checklist to prepare your Entrust Identity Enterprise
system.

Table 3: Deployment worksheet for preparing to deploy Entrust Identity Enterprise

Task | Details | Completed

1  Create a deployment scenario for your system.
   Completed: [ ]

2  Synchronize all clocks on required servers.
   Details: See “Synchronizing clocks” on page 27.
   Completed: [ ]

3  For Linux servers, create a group and user account that will own Entrust Identity Enterprise.
   Details: See “Creating a Linux group and user account to own Entrust Identity Enterprise” on page 28.
   Completed: [ ]

4  Download the Entrust Identity Enterprise software from Entrust TrustedCare.
   Details: See “Downloading Entrust Identity Enterprise software” on page 30.
   Completed: [ ]

5  Set up your database or directory by loading the Entrust Identity Enterprise schema. Schema files are included in the installation package.
   Details: See “Preparing your repository” on page 32. See the Entrust Identity Enterprise Database Configuration Guide or the Entrust Identity Enterprise Directory Configuration Guide for instructions.
   Completed: [ ]

6  (Directory repository only.) Create a user account in the directory to be the first Entrust Identity Enterprise administrator. You must create at least one administrator before you can use the Entrust Identity Enterprise Administration interface.
   Details: The first administrator account must exist in the same searchbase as the Entrust Identity Enterprise policy user. (The policy user was created when the LDAP repository was initially configured.) You can create a new user account in the directory, or use an existing user account in the directory.
   Completed: [ ]

7  (Optional. Directory repository only.) Create a user account in the directory to run the Entrust Identity Enterprise sample application. This step is optional. You only need to create a user account in the directory if you will use the Entrust Identity Enterprise sample application.
   Details: The sample Web application demonstrates how Entrust Identity Enterprise registers users and authenticates them. An Entrust Identity Enterprise user with administrative permissions is required to run the sample application. The user account must exist in the same searchbase as the Entrust Identity Enterprise policy user. (The policy user was created when the LDAP repository was initially configured.) You can create a new user account in the directory, or use an existing user account in the directory.
   Completed: [ ]

8  Prepare a hardware security module (HSM), if you want to store the Entrust Identity Enterprise master keys on an HSM.
   Details: See “Using a hardware security module” on page 33. Entrust Identity Enterprise has two master keys that are used to encrypt and sign sensitive information in the Entrust Identity Enterprise repository. You can store the Entrust Identity Enterprise master keys on an HSM to improve the security of your Entrust Identity Enterprise system. You must prepare the HSM before you initialize Entrust Identity Enterprise. You can only store the master keys on an HSM when you initialize Entrust Identity Enterprise. You cannot move the master keys to an HSM after you initialize Entrust Identity Enterprise.
   Completed: [ ]

9  Collect and record the data required to install and configure Entrust Identity Enterprise.
   Details: See “Collecting your configuration data” on page 35.
   Completed: [ ]

Worksheet for deploying a primary Entrust Identity Enterprise Server
Use the following worksheet as a checklist for deploying a primary Entrust Identity
Enterprise Server. You can have only one primary Entrust Identity Enterprise Server.

Table 4: Deployment worksheet for a primary Entrust Identity Enterprise Server

Task | Details | Completed

1  Install Entrust Identity Enterprise.
   Details: See “Installing Entrust Identity Enterprise” on page 39.
   Completed: [ ]

2  Configure Entrust Identity Enterprise as a primary server.
   Details: See “Configuring Entrust Identity Enterprise as a primary server” on page 53.
   Completed: [ ]

3  Initialize Entrust Identity Enterprise.
   Details: See “Initializing a primary Entrust Identity Enterprise Server” on page 112.
   Completed: [ ]

4  Create the first administrator.
   Details: See “Creating the first administrator manually” on page 148. You will need to manually create the first administrator if you did not create it when you initialized Entrust Identity Enterprise.
   Completed: [ ]

5  (Optional.) Install the Entrust Identity Enterprise sample application.
   Details: See “Installing the sample application” on page 269.
   Completed: [ ]

Worksheet for deploying a replica Entrust Identity Enterprise Server
Use the following worksheet as a checklist for deploying a replica Entrust Identity
Enterprise Server. You can have more than one replica Entrust Identity Enterprise
Server.

Table 5: Deployment worksheet for a replica Entrust Identity Enterprise Server

Task | Details | Completed

1  Take a partial backup of Entrust Identity Enterprise.
   Details: See “Backing up your configuration” on page 207. Partial backups contain just enough information to configure a replica system. You can take the backup from the primary Entrust Identity Enterprise Server or any replica Entrust Identity Enterprise Server. Transfer the backup file to the server that will host the replica Entrust Identity Enterprise server.
   Completed: [ ]

2  Install Entrust Identity Enterprise.
   Details: See “Installing Entrust Identity Enterprise” on page 39.
   Completed: [ ]

3  Configure Entrust Identity Enterprise as a replica server.
   Details: See “Configuring Entrust Identity Enterprise as a replica server” on page 89.
   Completed: [ ]

4  Initialize Entrust Identity Enterprise.
   Details: See “Initializing a replica Entrust Identity Enterprise Server or server restored from a backup” on page 140.
   Completed: [ ]

Worksheet for configuring an Entrust Identity Enterprise deployment
After deploying the primary Entrust Identity Enterprise Server and all replica Entrust
Identity Enterprise Servers, use the following worksheet as a checklist for customizing
your Entrust Identity Enterprise deployment.

Table 6: Deployment worksheet for configuring Entrust Identity Enterprise

Task | Details | Completed

1  Set up the policies required by your organization.
   Details: See the Entrust Identity Enterprise Server Administration Guide.
   Completed: [ ]

2  Set up the user groups required by your organization.
   Details: See the Entrust Identity Enterprise Server Administration Guide.
   Completed: [ ]

3  Create roles for your administrators.
   Details: See the Entrust Identity Enterprise Server Administration Guide.
   Completed: [ ]

4  Create administrators to manage users in your organization.
   Details: See the Entrust Identity Enterprise Server Administration Guide.
   Completed: [ ]

5  Configure Entrust Identity Enterprise to use the authentication methods you require.
   Details: See the Entrust Identity Enterprise Server Administration Guide. For smart credentials, see the Entrust Identity Enterprise Smart Credentials Guide.
   Completed: [ ]

6  Create your client applications using the available API and Web service interfaces.
   Details: See the Entrust Identity Enterprise Programming Guide that applies to your development platform (either Java Platform or Microsoft .NET).
   Completed: [ ]

7  Create Entrust Identity Enterprise users.
   Details: See the Entrust Identity Enterprise Server Administration Guide.
   Completed: [ ]

8  Test and deploy your system.
   Details: See this guide and the Entrust Identity Enterprise Server Administration Guide.
   Completed: [ ]

Synchronizing clocks
You may be required to synchronize clocks on certain servers.
• If you plan to use Kerberos authentication as your first-factor authentication
method, synchronize the clocks on your Kerberos server (for example, Active
Directory) and your Entrust Identity Enterprise server.
• If you plan to use time-based tokens (for example, Entrust OT or AT tokens)
for second-factor authentication, synchronize the Entrust Identity Enterprise
server to a standard time server.
If the clocks are out of sync, authentication fails.

Creating a Linux group and user account to own Entrust Identity Enterprise
Entrust Identity Enterprise Server requires a non-root user account to own the Entrust
Identity Enterprise Server installation. The Entrust Identity Enterprise Server installer
prompts you for the user login name and group of the user account that will own the
Entrust Identity Enterprise Server installation. You can use an existing user account or
create a new user account.

Note:
Use lower case names when you create groups and users. For example, use
iggroup and iguser, instead of IGgroup and IGuser.

To create a new Linux group and user for Entrust Identity Enterprise Server
1 Log in as root to the Linux server that will host Entrust Identity Enterprise.
2 To create a new group, enter the following command:
groupadd <group_name>
Where <group_name> is the name of your group. For example:
groupadd iggroup
3 To create a new user, enter the following command:
useradd -g <group_name> -s /bin/bash <user>
Where:
• <group_name> is the name of your Linux group. This is the group you
created in the previous step.
• <user> is the name of your Linux user.
For example:
useradd -g iggroup -s /bin/bash iguser
4 To enter a new password for the user, enter the following command:
passwd <user>
Where <user> is the user login name of the user account you just created. For
example:
passwd iguser
5 Enter and confirm the password when prompted.

A strong password contains at least eight characters, and includes at least one
uppercase character, one lowercase character, one number, and one
non-alphanumeric character.
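As an added example (not part of the Entrust guide), the following POSIX shell script wraps the groupadd, useradd and passwd steps above: it rejects owner names that are not lowercase or that are root, creates the group and user only when they do not already exist, and checks a candidate password against the strength rule just stated. The IG_OWNER_APPLY, IG_GROUP and IG_USER variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Entrust guide: prepare the non-root Linux
# group/user that will own Entrust Identity Enterprise.  iggroup/iguser are
# the guide's example names; variable and function names are assumed.

# Accept only names made of lowercase letters, digits, '_' and '-' that start
# with a lowercase letter, and refuse root (the installer rejects it as owner).
ig_name_ok() {
    name="$1"
    case "$name" in
        '' | *[!a-z0-9_-]*) return 1 ;;   # empty, uppercase or odd characters
        root) return 1 ;;                  # root cannot own the installation
        [!a-z]*) return 1 ;;               # must start with a lowercase letter
    esac
    return 0
}

# Strength rule from the guide: at least eight characters, with at least one
# uppercase, one lowercase, one digit and one non-alphanumeric character.
ig_password_strong() {
    pw="$1"
    [ "${#pw}" -ge 8 ] || return 1
    case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# Create the group and user only if missing, so the script can be re-run.
# groupadd/useradd/passwd require root, exactly as in the guide's procedure.
create_ig_owner() {
    group="$1"
    user="$2"
    ig_name_ok "$group" || { echo "unacceptable group name: $group" >&2; return 1; }
    ig_name_ok "$user"  || { echo "unacceptable user name: $user" >&2; return 1; }
    if ! getent group "$group" >/dev/null; then
        groupadd "$group"
    fi
    if ! getent passwd "$user" >/dev/null; then
        useradd -g "$group" -s /bin/bash "$user"
        passwd "$user"      # prompts for and confirms the new password
    fi
}

# Only change the system when explicitly asked, so the file can be sourced
# (for example to reuse the checks) without side effects.
if [ "${IG_OWNER_APPLY:-0}" = "1" ]; then
    create_ig_owner "${IG_GROUP:-iggroup}" "${IG_USER:-iguser}"
fi
```

Run as root with IG_OWNER_APPLY=1 to create the owner; without it the script only defines the checks.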

Downloading Entrust Identity Enterprise software
Download the Entrust Identity Enterprise software package from Entrust TrustedCare,
which includes necessary schema files to set up your repository.
You should have an email message from Entrust that includes:
• your user name and password for accessing the downloads page
• instructions for accessing the downloads page
• activation and installation keys required for the installer

To download Entrust Identity Enterprise software


1 Browse to the Entrust Identity Enterprise downloads page on Entrust TrustedCare
https://trustedcare.entrust.com.
2 Click the Download link to download one of the following files (depending on
the operating system and application server you are using):

Installer file | Description

IG_130_Linux.tar
   Installs Entrust Identity Enterprise Server with embedded Tomcat on Linux.

IG_130_Windows.zip
   Installs Entrust Identity Enterprise Server with or without embedded Tomcat on Windows. When you start the installer, you are prompted to select a complete or custom installation:
   • Choose complete for the embedded Tomcat installation.

Save the file to any directory on the computer you want to use to run Entrust
Identity Enterprise.
3 Extract the files to a temporary directory.
• On Linux, enter the command:
tar -xvf <installer_file>
Where <installer_file> is the file you have downloaded for your
specific installation. For example, IG_130_Linux.tar.
• On Microsoft Windows, locate the IG_130_Windows.zip and extract the
files.

Extracting the file creates a subdirectory called IG_130 that contains all the
Entrust Identity Enterprise files and subdirectories.

Preparing your repository
Configure your repository to work with Entrust Identity Enterprise before you begin
the Entrust Identity Enterprise Server installation. Entrust Identity Enterprise supports
the use of an LDAP-compliant directory, such as Active Directory, or a database as the
data repository.
Whether you are upgrading Entrust Identity Enterprise Server, or installing it for the
first time, you must apply the Entrust Identity Enterprise schema changes by running
the LDIF or SQL files. Follow the instructions in the Entrust Identity Enterprise
Directory Configuration Guide or Entrust Identity Enterprise Database Configuration
Guide. These guides also contain detailed information on configuring your repository.

Note:
You do not need to stop running Entrust Identity Enterprise when you upgrade a
repository. Entrust Identity Enterprise continues to use the old repository
definitions until you upgrade it.

Using a hardware security module
Entrust Identity Enterprise has two master keys that are used to encrypt and sign
sensitive information in the Entrust Identity Enterprise repository. Because these keys
are so important, you might want to store them on a hardware security module
(HSM).
An HSM is a separate piece of hardware that is responsible for generating and storing
keys, and performing all cryptographic operations involving those keys. By isolating
keys and cryptographic operations to the HSM, the overall security of your system is
improved.
Although other keys are used in the Entrust Identity Enterprise system—to secure SSL
communications, for example—the HSM feature is used primarily for master keys,
and profiles for XAP administrators and PIV Content Signers.

Attention:
You must decide whether you want to use an HSM before you initialize Entrust
Identity Enterprise Server because the HSM can be specified only during
initialization. You cannot add an HSM after initialization.

If you use an HSM, the HSM must be available at all times, or Entrust Identity
Enterprise will stop working.

You cannot have some servers in a replicated system with HSMs and others
without. Either all Entrust Identity Enterprise servers use HSMs, or none of them
do.

A networked HSM that holds the master keys must be co-located with the
Entrust Identity Enterprise host server. The HSM should be on the same subnet
as the Entrust Identity Enterprise host server.

Complete the following procedure to prepare your HSM for use with Entrust Identity
Enterprise.

To prepare the HSM


1 Determine the supported HSM vendors. This information is in the Entrust Identity
Enterprise Release Notes.
2 Install a 64-bit version of the HSM driver onto all your Entrust Identity Enterprise
servers. The HSM driver must implement the PKCS#11 v2.1 standard or later.
3 Configure your HSM so it is accessible over your network. See your HSM
documentation for details.

4 Initialize the HSM with a password. You are asked for this password during the
Entrust Identity Enterprise initialization.

Note:
If you are using Entrust Authority Security Manager as your certification authority
(CA) for smart credentials or digital IDs, ensure that the password you set meets
all of the Security Manager password criteria.

5 Determine which slot number corresponds to which HSM serial number. With the
Luna SA HSM, for example, run vtl verify to get a list of slot-to-serial
number mappings. Perform this step on primary and replica Entrust Identity
Enterprise Servers.
For some HSMs, such as the nCipher HSM, there is no one-to-one mapping of
slot numbers to serial numbers. To check the available card label on an nCipher
HSM, use the command $ncipher_home/bin/ckcheckinst.

Note:
If you are using the Thales nShield Connect HSM, you plan to use smart
credential authentication, and you want to store the required administrator
accounts in the HSM instead of in Entrust profiles (EPF), you might need to create
virtual slots in the HSM. For more information, see "Using an HSM to store
administrator credentials" in the Entrust Identity Enterprise Smart Credentials
Guide.

6 The Luna SA HSM installation includes a configuration file
<LunaSA_install>/crystoki.ini (Windows) or /etc/Chrystoki.conf
(Linux). If your implementation uses a Luna SA 7.x client for p11 operations, you
must add the following values to the configuration file:
ToolsDir=C:\Program Files\SafeNet\LunaClient\
PE1746Enabled=1
PartitionPolicyTemplatePath=C:\Program Files\SafeNet\LunaClient\data\partition_policy_templates
ProtectedAuthenticationPathFlagStatus=1
RSAKeyGenMechRemap=1
If these values are not present, Entrust Identity Enterprise cannot be initialized or
p11 operations do not work.
For more information, see the Entrust Identity Enterprise 13.0 Master User Shell
Command Reference.
You have now prepared your HSM for use with Entrust Identity Enterprise.

Collecting your configuration data
Ensure you have the following information before installing and configuring Entrust
Identity Enterprise.

Attention:
If you choose to record passwords on this worksheet, store this worksheet in a
secure place to keep your passwords secure.

Table 7: Entrust Identity Enterprise Installation worksheet

Required information | Value

Entrust Identity Enterprise Server installation type
   • with embedded Tomcat application server on Linux
   • with embedded Tomcat application server on Microsoft Windows

Entrust Identity Enterprise Server host name (for example, domain.example.com)
   Value:

Linux user and group that owns Entrust Identity Enterprise (for Linux installations with embedded Tomcat)
   Name:
   Group:
   Password:

Application server user and group that owns the application server (for Linux installations with an existing application server)
   Complete “Creating a Linux group and user account to own Entrust Identity Enterprise” on page 28 (for installation on Linux).

Entrust Identity Enterprise installation directory
   Value:
   Defaults:
   • Linux: /opt/entrust
   • Windows Server: C:\Program Files\Entrust\Entrust Identity Enterprise

Database, Active Directory, AD LDS, or other LDAP-compliant directory?
   DB, AD, AD LDS, or LDAP
   Complete “Database information” on page 37 or “Directory information” on page 38.

Entrust Identity Enterprise Authentication Web service port number (default 8080)
   Value:
   Note: Port 8080 is the default port for embedded Tomcat. If you are using an existing application server, use the ports configured when the application server was first deployed.

Entrust Identity Enterprise Authentication Web Service secure SSL port number (default 8443)
   Value:
   Note: Port 8443 is the default port for embedded Tomcat. If you are using an existing application server, use the ports configured when the application server was first deployed.

Entrust Identity Enterprise Administration Web service port number (default 8444)
   Value:
   Note: Port 8444 is the default for embedded Tomcat. If you are using an existing application server, use the ports configured when the application server was first deployed.

Entrust Identity Enterprise Sample Application Authentication Web Service client-authenticated SSL port number (default 8447, optional)
   Value:
   Note: Port 8447 is the default for embedded Tomcat. If you are using an existing application server, use the ports configured when the application server was first deployed.
   See “Configuring the sample application for certificate-based authentication (Optional)” on page 286 for more information.

Installation key
   Value:

Activation key
   Value:

Master1 password
   Value:

Master2 password
   Value:

Master3 password
   Value:

Sample application administrator
   Name:
   Password:
   Note: If you are using a directory as your repository, you must create this user in the directory before installing the sample application.

First administrator (You can create the first administrative user during installation with the predefined superuser role.)
   Name:
   Password:
   Note: If you are using a directory as your repository, you must create this user in the directory before adding the first administrator.

HSM settings
   HSM PKCS#11 driver library file name and location:
   HSM password:

For details related to your database type, see the Entrust Identity Enterprise Database
Configuration Guide.

Table 8: Database information

Database required information | Value

Location of database driver JAR file(s)
   (Ensure the JAR files are copied to the server that will host Entrust Identity Enterprise.)
   Value:

Database driver class name
   Value:

Database URL
   Value:

Database administrative user
   Name:
   Password:

Schema name
   Value:

For a list of applicable JAR files for your database, the JDBC class name, and related
details, see the Entrust Identity Enterprise Database Configuration Guide.

For details related to your directory type, see the Entrust Identity Enterprise Directory
Configuration Guide.

Table 9: Directory information

Directory required information | Value

Using the LDAP or LDAPS protocol?
   LDAP or LDAPS
   If using LDAPS:
   • Ensure that the subject or subjectAltName includes a host name (not an IP address). A host name is required for successful host name validation.
   • Copy the CA certificate to the Entrust Identity Enterprise computer.

LDAP host name
   Value:

LDAP port number
   Value:

LDAP base DN
   Value:

LDAP user DN
   DN:
   Password:

LDAP policy RDN
   Value:

LDAP user ID attribute
   Value:
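As an added check that is not part of the Entrust guide, the following POSIX shell function verifies the LDAPS requirement in Table 9 before you record the LDAP host name: that the directory server certificate names the configured host (in a subjectAltName DNS entry or the subject CN) and that what you are checking is a host name, not an IP address. It assumes the openssl command-line tool is installed; the function names and the fetch helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Entrust guide: check that an LDAPS server
# certificate carries the directory host name required for host name
# validation.  Assumes the openssl CLI is installed.

# Return 0 if the PEM certificate in $1 names host $2 either as a
# subjectAltName DNS entry or as the subject CN.  Return 1 if it does not,
# or if $2 is an IPv4 literal (an IP address does not satisfy validation).
# Return 2 if the certificate cannot be parsed.
ldaps_cert_names_host() {
    cert="$1"
    host="$2"
    # Reject dotted-decimal IP literals: only digits and dots.
    case "$host" in
        *[!0-9.]*) ;;          # contains a letter or other char: a host name
        *) return 1 ;;         # only digits and dots: an IPv4 address
    esac
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # SAN entries print as "DNS:name, DNS:name, ..."; split on commas and
    # compare each DNS name exactly (no pattern matching on dots).
    names=$(printf '%s\n' "$text" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p')
    for n in $names; do
        if [ "$n" = "$host" ]; then
            return 0
        fi
    done
    # Fall back to the subject CN, printed in RFC 2253 form (CN=...).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] && return 0
    return 1
}

# Save the certificate presented by a live LDAPS endpoint to file $3, so it
# can be passed to ldaps_cert_names_host.  Port defaults to 636.
fetch_ldaps_cert() {
    host="$1"
    port="${2:-636}"
    out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -out "$out"
}
```

Typical use: fetch_ldaps_cert ldap.example.com 636 /tmp/ldap.pem && ldaps_cert_names_host /tmp/ldap.pem ldap.example.com, with ldap.example.com being the exact host name you will record in Table 9.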

2 Installing Entrust Identity Enterprise


This chapter provides all the necessary steps for installing Entrust Identity Enterprise
Server on supported operating systems. Complete the instructions in this chapter to
install Entrust Identity Enterprise Server.

Note:
Support for use of Unix operating systems (Solaris and AIX were previously
supported) has been discontinued in Entrust Identity Enterprise 13.0.

Note:
Support for use of the IBM WebSphere and Oracle WebLogic application servers
has been discontinued in Entrust Identity Enterprise 13.0.

Note:
When you install Entrust Identity Enterprise Patch 572543 or later, biometric data
is not automatically deleted. Entrust Identity Enterprise recognizes when an entry
in the biometrics table is not a passkey and issues the following warning log and
ignores the biometric entry:

“Ignoring biometric that was found. Existing biometrics should be deleted using
a version of Entrust Identity Enterprise before Release 13, Patch 572543.”

Once you install Entrust Identity Enterprise Release 13.0 Patch 572543 or later,
you cannot delete the biometric entries and the system issues the warning log
mentioned above each time you search for passkeys.

If you currently have Entrust Identity Enterprise Release 13.0 Patch 552330 or
earlier installed and you currently have biometric data, find all biometrics in the
system using the Biometric search criteria in the Entrust Identity Enterprise
Administration interface and delete each biometric entry one by one.

This chapter contains the following information:


• “Installing Entrust Identity Enterprise Server on Windows” on page 41
• “Installing Entrust Identity Enterprise Server on Linux” on page 48

Installing Entrust Identity Enterprise Server on Windows
Install Entrust Identity Enterprise Server on a dedicated Windows server. Other
software products on the same machine can interfere with the operation of Entrust
Identity Enterprise.

Note:
If your Entrust Identity Enterprise uses a database as its repository and you are
installing an initial/primary instance, copy the JDBC driver JAR file (or files) for
your database type to the $IGHOME/lib/db folder. The installation wizard
provides a reminder about this step.

To install Entrust Identity Enterprise Server


1 Before installing Entrust Identity Enterprise, ensure that you have completed the
tasks in “Preparing to install Entrust Identity Enterprise” on page 21.
2 Log in to the Windows server that will host Entrust Identity Enterprise.
3 Exit all Windows programs before running the Entrust Identity Enterprise
Installation wizard to prevent any conflicts in resources.
4 Navigate to the folder where you extracted the Entrust Identity Enterprise Server
for Windows installation package.
5 Double-click the IG_130_Windows.msi installer.

The Entrust Identity Enterprise Server Setup Wizard opens.

6 Click Next to begin installation.

Note:
If you are not prepared to install, click Cancel at any time to exit. Click Back to
return to a previous panel to change information.

The End-User License Agreement page appears.

7 Read the license agreement for the Entrust Identity Enterprise software carefully.
If you accept all the terms of the license agreement, select I accept the terms in
the license agreement.
You cannot install Entrust Identity Enterprise if you do not accept the license
agreement.
8 Click Next to continue.

The Destination Folder page appears.

a To change the default installation folder, click Browse and then select a new
folder.
b Click Next to continue.
The Ready to Install Entrust Identity Enterprise Server 13.0 page appears.

9 Click Next to install Entrust Identity Enterprise.
The Completed the Entrust Identity Enterprise Server 13.0 Setup Wizard page
appears.

10 If your Entrust Identity Enterprise installation uses a database as its repository and
you are installing an initial/primary instance, the following message appears on
the last page of the installation wizard.

If you have not already done so, copy the JDBC driver JAR file (or files) for your
database type to the $IGHOME/lib/db folder, then click OK to close the
message.
11 Click Finish to exit the installation.
The Entrust Identity Enterprise Configuration Panel appears.

If you are performing a new installation of a primary Entrust Identity Enterprise Server,
proceed to “Configuring Entrust Identity Enterprise as a primary server” on page 53.
If you are performing a new installation of a replica Entrust Identity Enterprise Server,
proceed to “Configuring Entrust Identity Enterprise as a replica server” on page 89.
If you are performing this installation as part of restoring Entrust Identity Enterprise
from a backup, proceed to “Restoring Entrust Identity Enterprise from a backup” on
page 213.

Installing Entrust Identity Enterprise Server on Linux
Install Entrust Identity Enterprise Server on a dedicated Linux server. Other software
products on the same machine can interfere with the operation of Entrust Identity
Enterprise.
To install and configure Entrust Identity Enterprise, you must have an understanding
of Linux administration.

Prerequisite
On Linux, missing fonts or a missing font configuration file in AdoptOpenJDK results
in java.lang.* errors when performing operations with smart credentials or generating
reports.
Actions with dependencies on font calculations can produce exceptions because the
fonts are not present in some Linux installations. The fonts cannot be distributed with
Entrust Identity Enterprise, but they are freely available.

To avoid font-related issues on Red Hat Linux


1 In a command shell, run the following command as root to install the RHEL
package fontconfig.
yum install fontconfig
2 Restart the Entrust Identity Enterprise (formerly Entrust IdentityGuard) service.

To install Entrust Identity Enterprise on Linux


1 Before installing Entrust Identity Enterprise, ensure that you have completed the
tasks in “Preparing to install Entrust Identity Enterprise” on page 21.
2 Log in to the Linux server that will host Entrust Identity Enterprise.

Note:
It is recommended that you log in to the server as root. If you are logged in as a
non-root account:
— You will not be prompted to provide the name of the user account that will
own Entrust Identity Enterprise. Instead, the current user will be used.
— The installer will not be able to configure the system to start Entrust Identity
Enterprise automatically after a system restart. The installer will not have
sufficient permissions to install the service scripts into /etc/init.d.

3 Navigate to the IG_130 directory. This directory was created when you extracted
the download package.
4 Enter the following command to run the install script:
./install.sh

Note:
You can cancel out of the script at any time by pressing Ctrl + C.

The Entrust Identity Enterprise Server license agreement appears.


5 Press Enter to begin reading the license agreement. Keep pressing Enter to read
the license line by line, or press the space bar to skip to the next page. To skip to
the end of the license agreement, enter q.
After reading the license agreement, the installer prompts you to accept the
terms of the license agreement:
Do you agree to the above license terms? [yes or no]
6 If you agree to the license terms, enter yes to continue. If you disagree with the
license terms, enter no to terminate the installation. You cannot install Entrust
Identity Enterprise if you do not accept the license agreement.
7 If you are logged in as root, the installer prompts you for the name of the user
account that will own the Entrust Identity Enterprise installation:

Note:
The installer shows UNIX, but Linux is the supported operating system.

Enter the UNIX user name that will own the installation:
Enter the user name of the Linux user you created to own the Entrust Identity
Enterprise installation.
You cannot specify root as the owner.
8 The installer prompts you for the group that will own the Entrust Identity
Enterprise installation:
Enter the UNIX group name that will own the installation:
Enter the name of the Linux group you created to own the Entrust Identity
Enterprise installation.
9 The installer prompts you to enter an installation directory for Entrust Identity
Enterprise:
Enter the install directory (default /opt/entrust):

To accept the default installation directory (/opt/entrust), press Enter. To
select a different installation directory, type the directory path and then press
Enter.
If you are logged on as a non-root user, the user must own the directory you
enter, or have permissions to create the directory.
If you are using the embedded Tomcat application server, proceed to Step 10 on
page 50.
10 The installer extracts the contents of the identityguard.zip file from the
IG_130 directory into $IG_HOME/identityguard130 (where $IG_HOME is
typically /opt/entrust).
The installer also creates env_setting.sh or env_settings.csh in the
$IG_HOME/identityguard130 directory. This file sets the environment variables
needed to run Entrust Identity Enterprise.
11 If you are logged in as root:
a The installer creates the Entrust Identity Enterprise service and enables the
service to start automatically after a system restart:
Creating identityguard service...
b The installer creates the Entrust Identity Enterprise Radius proxy service. The
installer asks if you want the Entrust Identity Enterprise Radius proxy to start
automatically when Entrust Identity Enterprise starts:
Creating igradius service...
Do you want the Entrust Identity Enterprise Radius proxy to
start automatically when the host starts after reboot? [yes or
no]
To have the Entrust Identity Enterprise Radius proxy start automatically, enter
yes. To start it manually, enter no. If you enter no, you can enable automatic
startup later.
c If you did not enable the Entrust Identity Enterprise Radius proxy to
automatically start, the installer displays a message stating that you must run
igsvcconfig.sh as root to enable automatic startup:
If you wish to enable automatic startup in the future, run the
command "igsvcconfig.sh igradius enable" when logged on as
root.
See the Entrust Identity Enterprise Server Administration Guide for further
details.
12 If you are logged in as a non-root user:
a The installer does not create the Entrust Identity Enterprise service. The
installer displays a message stating that you must run igsvcconfig.sh as
root at a later time to manually install the Entrust Identity Enterprise service:

50 Entrust Identity Enterprise 13.0 Installation Guide Document issue: 12


To enable automatic startup of the Entrust Identity Enterprise
service after reboot, run the command "igsvcconfig.sh
identityguard install" when logged on as root.
b The installer does not create the Entrust Identity Enterprise Radius proxy
service. The installer displays a message stating that you must run
igsvcconfig.sh as root at a later time to manually install the Entrust
Identity Enterprise Radius service:
To enable automatic startup of the Entrust Identity Enterprise
Radius proxy after reboot, run the command "igsvcconfig.sh
igradius install" when logged on as root.
See the Entrust Identity Enterprise Server Administration Guide for further
details.
13 The installer displays a message stating that the installation is complete, and asks
if you want to configure Entrust Identity Enterprise:
Installation complete.
Do you wish to configure the application now? [yes or no]
To configure Entrust Identity Enterprise immediately, enter yes. To exit the install
and configure Entrust Identity Enterprise later, enter no.
If you are performing a new installation of a primary Entrust Identity Enterprise Server,
proceed to “Configuring Entrust Identity Enterprise as a primary server” on page 53.
If you are performing a new installation of a replica Entrust Identity Enterprise Server,
proceed to “Configuring Entrust Identity Enterprise as a replica server” on page 89.
If you are performing this installation as part of restoring Entrust Identity Enterprise
from a backup, proceed to “Restoring Entrust Identity Enterprise from a backup” on
page 213.

3 Configuring Entrust Identity Enterprise as a primary server
This chapter provides all the necessary steps for configuring Entrust Identity
Enterprise Server as a primary server on supported operating systems. You can
configure Entrust Identity Enterprise immediately after you install it. You must
configure Entrust Identity Enterprise before you can initialize it. (Initializing Entrust
Identity Enterprise allows you to use Entrust Identity Enterprise).
When you configure Entrust Identity Enterprise as a primary server, you provide the
data that allows Entrust Identity Enterprise to connect to your directory or database
repository, and you choose the ports used for the Entrust Identity Enterprise services.

Attention:
You can have only one primary Entrust Identity Enterprise Server. If you are
configuring another Entrust Identity Enterprise Server as a replica, see
“Configuring Entrust Identity Enterprise as a replica server” on page 89.

This chapter contains the following sections:
• “Configuring Entrust Identity Enterprise as a primary server on Windows” on
page 54
• “Configuring Entrust Identity Enterprise as a primary server on Linux” on
page 73
Configuring Entrust Identity Enterprise as a primary server on Windows
Complete the following procedure to configure Entrust Identity Enterprise as a
primary server on supported Windows operating systems. You should have already
collected the required configuration data in “Collecting your configuration data” on
page 35.

To configure Entrust Identity Enterprise as a primary server on Windows
1 Log in to the Windows server where you installed Entrust Identity Enterprise.
2 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
expand Entrust Identity Enterprise in the list of applications, then click
Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Entrust Identity Enterprise Configuration Panel opens.

3 Under Configuration, click Configure Entrust Identity Enterprise.

The Entrust Identity Enterprise System Type dialog box appears.

4 Click Primary to configure Entrust Identity Enterprise as a primary server.


5 If you have previously configured Entrust Identity Enterprise, the following
warning appears:

Click Yes to overwrite the previously-configured Entrust Identity Enterprise.

6 The Entrust Identity Enterprise Configuration Wizard appears.

Click Next to begin configuring Entrust Identity Enterprise.

Note:
To re-enter information on a previous page, click Back to return to the previous
page. No information you already entered will be lost if you return to a previous
page.
To cancel the configuration or exit the Entrust Identity Enterprise Configuration
Wizard, click Cancel or close the wizard. If you cancel the configuration process
or close the wizard, all configuration information will be lost.

7 The Repository Settings page appears.

a Select the type of repository you configured for Entrust Identity Enterprise:
– If you configured Microsoft Active Directory or Active Directory
Lightweight Directory Services (AD LDS), select Microsoft Active Directory
or ADAM or AD LDS.
AD LDS was formerly known as Active Directory Application Mode
(ADAM).
– If you configured a supported LDAP-compliant directory, select LDAP.
– If you configured a supported database, select Database.
You should have already configured the repository before you installed
Entrust Identity Enterprise as described in the Entrust Identity Enterprise
Directory Configuration Guide or the Entrust Identity Enterprise Database
Configuration Guide.

Note:
If your Entrust Identity Enterprise repository is a database, you must copy the
JDBC driver JAR file (or files) for your database type to the $IGHOME/lib/db
folder before proceeding. When the JAR file is in place, click OK.

b Click Next to continue.


If you are using Microsoft Active Directory or AD LDS, proceed to the next step.
If you are using a supported LDAP-compliant directory, proceed to Step 12 on
page 62.

If you are using a supported database, proceed to Step 16 on page 66.
8 If the Entrust Identity Enterprise repository is Microsoft Active Directory or AD
LDS, the Repository Settings (Microsoft Active Directory) - Page 1 of 4 page
appears.

a For Microsoft Active Directory Server SSL Configuration:
– If you want Entrust Identity Enterprise to communicate with Active
Directory using secure communications over SSL—secure LDAP (LDAPS)—
select Yes.
– If you want Entrust Identity Enterprise to communicate with Active
Directory over LDAP, select No.
With plain LDAP, the bind credentials entered later in this wizard and all
directory traffic cross the network unencrypted; select No only if the
directory is reachable solely over a trusted network.
b If you selected Yes:
– Click Browse to select the Active Directory SSL certificate or the CA
certificate that issued the SSL certificate. Importing the issuing CA
certificate rather than the server certificate keeps the connection working
when the server certificate is renewed by the same CA.
The Entrust Identity Enterprise truststore contains several public root CA
certificates. If your Active Directory SSL certificate was issued by a public
root CA certificate, you do not need to import a certificate.

Note:
If the certificate cannot be trusted, Entrust Identity Enterprise cannot connect to
the directory.

c Click Next to continue.
9 The LDAP Vendor Type (Page 2 of 4) page appears.

a Select the type of directory Entrust Identity Enterprise will use as the
repository: Microsoft Active Directory or Microsoft ADAM/AD LDS.
b Click Next to continue.
10 The Repository Settings (Microsoft Active Directory) - Page 3 of 4 page appears.

a In the Microsoft Active Directory server host name field, enter the fully
qualified domain name (FQDN) or IP address of the server hosting the
directory.
b In the Microsoft Active Directory server port field, enter the directory server
port number. By default, the LDAP port is 389. For LDAPS (secure LDAP),
the default port is 636.
c In the Microsoft Active Directory user DN field, enter the distinguished
name (DN) of an administrative user account that Entrust Identity Enterprise
will use to connect to the directory.
The account must have sufficient privileges to make changes to the user and
policy objects in the directory. You should have created this user account
when you configured the directory for Entrust Identity Enterprise.
d In the Microsoft Active Directory password and Confirm password fields,
enter and confirm the password of the administrative user account.
e To test the connection to the directory, click Test Connection. The wizard
attempts to connect to the directory using the information you provided.
A dialog box will appear, informing you if the connection attempt was
successful or if the connection attempt failed. If the connection attempt
failed, verify that the information you entered is correct and that the
directory or firewall allows connections from the Entrust Identity Enterprise
server.

Note:
If the connection attempt fails, you can still proceed with the configuration.
However, all fields must be filled and the passwords must match.

f Click Next to continue.
The wizard will check the host name or IP address of the directory. If the host
name or IP address cannot be validated, a dialog box appears warning you
that the host name cannot be validated. You may continue with the
configuration, or cancel to go back and change the host name or IP address.

11 The Repository Settings (Microsoft Active Directory) - Page 4 of 4 page appears.

a In the Microsoft Active Directory base DN field, enter the DN of the
directory entry under which all Entrust Identity Enterprise entries are located.
For example, dc=mycorpIG,dc=com.
b In the Policy RDN field, enter the relative distinguished name (RDN) of the
directory entry used to store the Entrust Identity Enterprise policy
information.
The RDN must be relative to the base DN. For example, if all the users exist
under the base DN dc=mycorpIG,dc=com and the DN of the policy entry
is cn=IGpolicy,dc=mycorpIG,dc=com, then enter cn=IGpolicy as the
policy RDN.
c Click Verify policy RDN to verify that the policy user exists. The wizard
attempts to connect to the policy user entry in the directory using the
information you provided.
A dialog box will appear, informing you whether the connection attempt was
successful or failed. If the connection attempt failed, verify that the
information you entered is correct and that the directory or firewall allows
connections from the Entrust Identity Enterprise server.
d In the Microsoft Active Directory userid attribute field, enter the directory
attribute that will uniquely identify Entrust Identity Enterprise users in the
directory.

By default, the attribute is set to sAMAccountName.
The sAMAccountName attribute is commonly used for Active Directory. The
CN (common name) attribute is commonly used for AD LDS.
e Click Next to continue. All fields must be filled to continue configuring
Entrust Identity Enterprise.
Proceed to Step 18 on page 69.
12 If the Entrust Identity Enterprise repository is an LDAP-compliant directory, the
Repository Settings (LDAP) - Page 1 of 4 page appears.

a For LDAP Server SSL Configuration:
– If you want Entrust Identity Enterprise to communicate with the directory
using secure communications over SSL—secure LDAP (LDAPS)—select
Yes.
– If you want Entrust Identity Enterprise to communicate with the directory
over LDAP, select No.
b If you selected Yes:
– For Entrust Identity Enterprise with the embedded Tomcat application
server, click Browse to select the directory server SSL certificate or the CA
certificate that issued the SSL certificate.
The Entrust Identity Enterprise truststore contains several public root CA
certificates. If your directory server SSL certificate was issued by a public
root CA certificate, you do not need to import a certificate.

Note:
If the certificate cannot be trusted, Entrust Identity Enterprise cannot connect to
the directory.

c Click Next to continue.


13 The LDAP Vendor Type (Page 2 of 4) page appears.

a Select the type of directory Entrust Identity Enterprise will use as the
repository.

Note:
Select Other only if instructed by Entrust Customer Support.

b Click Next to continue.

14 The Repository Settings (LDAP) - Page 3 of 4 page appears.

a In the LDAP server host name field, enter the fully qualified domain name
(FQDN) or IP address of the server hosting the directory.
b In the LDAP server port field, enter the directory server port number. By
default, the LDAP port is 389. For LDAPS (secure LDAP), the default port is
636.
c In the LDAP user DN field, enter the distinguished name (DN) of an
administrative user account that Entrust Identity Enterprise will use to
connect to the directory.
The account must have sufficient privileges to make changes to the user and
policy objects in the directory. You should have created this user account
when you configured the directory for Entrust Identity Enterprise.
d In the LDAP password and Confirm password fields, enter and confirm the
password of the administrative user account.
e To test the connection to the directory, click Test Connection. The wizard
attempts to connect to the directory using the information you provided.
A dialog box will appear, informing you if the connection attempt was
successful or if the connection attempt failed. If the connection attempt
failed, verify that the information you entered is correct and that the
directory or firewall allows connections from the Entrust Identity Enterprise
server.

Note:
If the connection attempt fails, you can still proceed with the configuration.
However, all fields must be filled and the passwords must match.

f Click Next to continue.
The wizard will check the host name or IP address of the directory. If the host
name or IP address cannot be validated, a dialog box appears warning you
that the host name cannot be validated. You may continue with the
configuration, or cancel to go back and change the host name or IP address.
15 The Repository Settings (LDAP) - Page 4 of 4 page appears.

a In the LDAP base DN field, enter the DN of the directory entry under which
all Entrust Identity Enterprise entries are located.
For example, dc=Remote,dc=CompanyOne,dc=com.
b In the Policy RDN field, enter the relative distinguished name (RDN) of the
directory entry used to store the Entrust Identity Enterprise policy
information.
The RDN must be relative to the base DN. For example, if all the users exist
under the base DN dc=Remote,dc=CompanyOne,dc=com and the DN of
the policy entry is cn=IG Policy,dc=Remote,dc=CompanyOne,dc=com,
then enter cn=IG Policy as the policy RDN.
c Click Verify policy RDN to verify that the policy user exists. The wizard
attempts to connect to the policy user entry in the directory using the
information you provided.
A dialog box will appear, informing you whether the connection attempt was
successful or failed. If the connection attempt failed, verify that the
information you entered is correct and that the directory or firewall allows
connections from the Entrust Identity Enterprise server.
d In the LDAP userid attribute field, enter the directory attribute that will
uniquely identify Entrust Identity Enterprise users in the directory.
By default, the attribute is set to uid.
The uid or cn (common name) attributes are commonly used attributes in
LDAP directories to identify user entries.
e Click Next to continue. All fields must be filled to continue configuring
Entrust Identity Enterprise.
Proceed to Step 18 on page 69.
16 If the Entrust Identity Enterprise repository is a database, the Repository Settings
(Database) - Page 1 of 2 page appears.

a From the Please select the database type drop-down list, select your
database type. Options include:
– Oracle
– DB2
– SQL Server
– MySQL
– PostgreSQL
– Other

Note:
Select Other only if instructed by Entrust Customer Support.

b For JDBC driver JAR file, click Browse to locate and import the required
JDBC driver JAR file for the database.
For example, C:\mssql-jdbc-8.2.2.jre11.jar for SQL Server
Database.
c In the JDBC driver class name field, enter the JDBC driver class name.
For example, com.microsoft.sqlserver.jdbc.SQLServerDriver for
SQL Server Database.
d For Additional JDBC JAR (if required) files:
– To add any additional JAR files required by the JDBC driver, click Add
to locate and add each JAR file.
– To remove a JAR file that you added by accident, select it in the list and
click Remove.
If your JDBC driver does not require additional JAR files, leave this field blank.
e Click Next to continue.

17 The Repository Settings (Database) - Page 2 of 2 page appears.

a In the Database URL in driver-specific format field, enter the URL that
Entrust Identity Enterprise will use to connect to the database. Enter the URL
in the JDBC driver-specific format. For example:
for PostgreSQL:
jdbc:postgresql://postgresql.example.com:5432/identityguard
for SQL Server:
jdbc:sqlserver://<dbhost>:<dbport>;databaseName=<dbname>;selectMethod=cursor;encrypt=true;trustServerCertificate=true;
In the SQL Server example, encrypt=true enables TLS, but
trustServerCertificate=true makes the driver accept any server certificate
without validating it. For production, set trustServerCertificate=false and
make the CA certificate that issued the database server certificate available
in the truststore the driver uses.
b In the Database user name field, enter the name of the database user that
Entrust Identity Enterprise will use to connect to the database and administer
data.
c In the Database password and Confirm database password fields, enter the
password of the database user.
d In the Database schema name field, enter the name of the database schema.
In some databases (for example, Oracle Database), the schema is
automatically named with the user name associated with it. For these
databases, enter the database administrator user name.
e To test the connection to the database, click Test Connection. The wizard
attempts to connect to the database using the information you provided.

A message informs you if the connection attempt was successful or if it
failed. If the connection attempt failed, verify that the information you
entered is correct and that the database or firewall allows connections from
the Entrust Identity Enterprise server.

Note:
If the connection attempt fails, you can still proceed with the configuration.
However, all fields must be filled and the passwords must match.

f Click Next to continue.
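The SQL Server URL format shown in Step 17 turns encryption on but also sets trustServerCertificate=true, which disables validation of the database server's certificate. The following Python is an added example, not Entrust code and not part of this guide: it parses both URL forms from Step 17 (PostgreSQL and SQL Server), reports whether the connection is encrypted and whether the database server's identity is verified, and rewrites the SQL Server URL into the hardened form. The host names, database name and truststore path are constructed for the example; trustStore and trustStorePassword are the Microsoft JDBC driver's documented connection properties, and sslmode and sslrootcert are the PostgreSQL JDBC driver's.

```python
"""Transport-security check for the JDBC URL entered in the Database URL field.

Added example, not Entrust code. Parses the two URL shapes shown in this guide
(PostgreSQL and SQL Server) and reports whether the connection is encrypted and
whether the database server's certificate is actually validated.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

SQLSERVER_PREFIX = "jdbc:sqlserver://"
POSTGRES_PREFIX = "jdbc:postgresql://"

# Constructed sample URLs in the guide's format (host names and paths are made up).
SAMPLE_SQLSERVER_URL = (
    "jdbc:sqlserver://db.example.com:1433;databaseName=identityguard;"
    "selectMethod=cursor;encrypt=true;trustServerCertificate=true;"
)
SAMPLE_POSTGRES_URL = "jdbc:postgresql://postgresql.example.com:5432/identityguard"


def _sqlserver_parts(url: str) -> tuple[str, list[tuple[str, str]]]:
    """Split 'jdbc:sqlserver://host:port;k=v;...' into host:port and (key, value) pairs."""
    host, _, rest = url[len(SQLSERVER_PREFIX):].partition(";")
    pairs: list[tuple[str, str]] = []
    for item in rest.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return host, pairs


def assess_jdbc_url(url: str) -> dict:
    """Return driver, encrypted, server_verified and a list of findings for url."""
    findings: list[str] = []
    if url.startswith(SQLSERVER_PREFIX):
        # Microsoft JDBC driver: encrypt=true turns TLS on, while
        # trustServerCertificate=true accepts any certificate without chain or
        # host-name validation (property names are compared case-insensitively here).
        props = {k.lower(): v for k, v in _sqlserver_parts(url)[1]}
        encrypted = props.get("encrypt", "").lower() == "true"
        trust_any = props.get("trustservercertificate", "").lower() == "true"
        if not encrypted:
            findings.append("encrypt=true is not set; set it explicitly rather than relying "
                            "on the driver default, which differs between driver versions")
        elif trust_any:
            findings.append("trustServerCertificate=true: the channel is encrypted but any "
                            "certificate is accepted, so a host impersonating the database "
                            "is not detected; set it to false and supply a trustStore")
        return {"driver": "sqlserver", "encrypted": encrypted,
                "server_verified": encrypted and not trust_any, "findings": findings}
    if url.startswith(POSTGRES_PREFIX):
        # PostgreSQL JDBC driver: require/verify-ca/verify-full all encrypt, but only
        # verify-full validates both the CA chain and the host name.
        query = parse_qs(urlsplit(url[len("jdbc:"):]).query)
        mode = query.get("sslmode", [""])[-1].lower()
        encrypted = mode in {"require", "verify-ca", "verify-full"}
        if not encrypted:
            findings.append("sslmode does not require TLS; use sslmode=verify-full with "
                            "sslrootcert=<CA certificate file>")
        elif mode != "verify-full":
            findings.append(f"sslmode={mode} encrypts but does not fully verify the server "
                            "identity; use sslmode=verify-full")
        return {"driver": "postgresql", "encrypted": encrypted,
                "server_verified": mode == "verify-full", "findings": findings}
    raise ValueError(f"unsupported JDBC URL: {url!r}")


def harden_sqlserver_url(url: str, trust_store: str) -> str:
    """Rewrite a SQL Server URL so the server certificate is validated.

    Sets encrypt=true and trustServerCertificate=false and points the driver's
    documented trustStore property at a keystore holding the issuing CA (its
    password goes in the separate trustStorePassword property, not shown here).
    Existing properties such as databaseName and selectMethod are preserved.
    """
    host, pairs = _sqlserver_parts(url)
    wanted = {"encrypt": "true", "trustservercertificate": "false", "truststore": trust_store}
    spelling = {"encrypt": "encrypt", "trustservercertificate": "trustServerCertificate",
                "truststore": "trustStore"}
    rebuilt: list[tuple[str, str]] = []
    for key, value in pairs:
        rebuilt.append((key, wanted.pop(key.lower(), value)))
    for key, value in wanted.items():          # properties the URL did not have yet
        rebuilt.append((spelling[key], value))
    return SQLSERVER_PREFIX + host + ";" + ";".join(f"{k}={v}" for k, v in rebuilt) + ";"


if __name__ == "__main__":
    for sample in (SAMPLE_SQLSERVER_URL, SAMPLE_POSTGRES_URL,
                   harden_sqlserver_url(SAMPLE_SQLSERVER_URL, "/opt/entrust/db-ca.p12")):
        print(sample)
        print("  ", assess_jdbc_url(sample))
```

Run it before pasting a URL into the wizard: a result with server_verified False means the Test Connection button can succeed against any host that answers on the port, including one impersonating the database.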


18 The Service Settings page appears.

Ensure that the ports for each Entrust Identity Enterprise service are unique for
that computer.
a In the Authentication Service HTTP port number field, enter the HTTP
(non-secure) port number to use for the Authentication Service (default
8080).
(Optional) You can disable the HTTP port later to enhance security. See
“Disabling the Authentication service non-SSL port on Tomcat” on page 164
for instructions after configuring Entrust Identity Enterprise.
b In the Authentication Service HTTPS port number field, enter the HTTPS port
number to use for the Authentication Service (default 8443).

c In the Authentication Service client-authenticated HTTPS port number field,
enter the client-authenticated HTTPS port number to use for the
Authentication Service (default 8447).
d In the Administration Service HTTPS port number field, enter the HTTPS
port number to use for the Administration Service (default 8444).
e Click Next to continue.
19 The System host name page appears.
• The System host name page for an embedded Tomcat application server:

– In the Enter the host name used by the self-signed certificate and service
URLs field, enter the host name that will be used to access the Entrust
Identity Enterprise services.
The wizard will create a self-signed SSL certificate. This certificate will be
used to secure communications on the HTTPS ports. The host name you
enter will be used as the subject DN in the self-signed certificate. You can
switch the self-signed certificate to a CA-signed certificate later as
described in “Switching to a CA-signed certificate using keytool” on
page 171.
– In the Self-signed SSL certificate lifetime (in days) field, enter the lifetime,
in days, of the self-signed SSL certificate. The default lifetime is 365 days.
20 Click Next to continue.
The wizard attempts to resolve the host name. If the wizard cannot resolve the
host name, a dialog box appears, informing you that the host name could not be
resolved. Verify that the host name you enter is correct. You can go back and
change the host name, or continue with the configuration.

21 The Configuration Summary page appears.

This page contains a list of all information you entered into the Entrust Identity
Enterprise Configuration wizard.
a Review the configuration summary.
– If you need to change any settings, click Back to return to a previous page
and make your changes.
– (Optional.) If you need to keep a record of the configuration summary,
select and copy the configuration summary, then paste it into a text file.
b To accept the configuration, click Confirm and Save.

22 After the wizard saves the configuration changes, the Finish page appears.

a Select one of the following options:
– To initialize Entrust Identity Enterprise later, select Do not initialize the
Entrust Identity Enterprise System now.
Select this option if you are using an HSM. With an HSM, you cannot
initialize Entrust Identity Enterprise using the wizard; you must initialize
Entrust Identity Enterprise using the master user shell.
– To initialize Entrust Identity Enterprise immediately, select Initialize the
Entrust Identity Enterprise System now.
b Click Finish.
You have configured Entrust Identity Enterprise as a primary server. You must initialize
Entrust Identity Enterprise before you can begin using Entrust Identity Enterprise. An
uninitialized Entrust Identity Enterprise does not function. To begin initializing Entrust
Identity Enterprise, proceed to “Initializing a primary Entrust Identity Enterprise
Server” on page 112.

Configuring Entrust Identity Enterprise as a primary server on Linux
Complete the following procedure to configure Entrust Identity Enterprise as a
primary server on supported Linux operating systems. You should have already
collected the required configuration data in “Collecting your configuration data” on
page 35.

To configure Entrust Identity Enterprise as a primary server on Linux
1 If the configuration script is not running:
a Switch to the Linux user account that owns Entrust Identity Enterprise Server.
b Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
c Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
d Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
e Enter the following command to run the Entrust Identity Enterprise
configuration script:
./configure.sh
f If you have previously configured Entrust Identity Enterprise, the following
message appears:
An identityguard.properties file exists. If you continue, this
file will be overwritten.
Do you want to continue? [yes or no]
Enter yes to overwrite the previously-configured Entrust Identity Enterprise.

Note:
You can cancel out of the script at any time by pressing Ctrl + C.

2 The configuration script asks if you are configuring a primary or replica server, or
restoring the configuration from a backup:
Are you configuring an Entrust Identity Enterprise primary or
replica server, or are you restoring the configuration from a
backup file? (PRIMARY, REPLICA or RESTORE):

Enter PRIMARY to configure Entrust Identity Enterprise Server as a primary server.
3 The configuration script asks you for the type of repository used to store the
Entrust Identity Enterprise information:
What type of repository will you use to store Entrust Identity
Enterprise information?
AD - Microsoft(R) Active Directory or Microsoft Active Directory
in Application Mode or Lightweight Directory Services
LDAP - LDAP-compliant Directory
DB - Database
(AD, LDAP or DB):
• If the repository is Microsoft Active Directory or Active Directory Lightweight
Directory Services (AD LDS), enter AD. Proceed to the next step.
• If the repository is an LDAP-compliant directory, enter LDAP. Proceed to
Step 5 on page 78.
• If the repository is a database, enter DB. Proceed to Step 6 on page 82.
You should have already configured the repository before you installed Entrust
Identity Enterprise as described in the Entrust Identity Enterprise Directory
Configuration Guide or the Entrust Identity Enterprise Database Configuration
Guide.
4 If the repository is Microsoft Active Directory or AD LDS, the configuration script
prompts you for the directory configuration information:
Microsoft Active Directory CONFIGURATION
a The configuration script asks you if the repository is Active Directory or AD
LDS:
Are you using Active Directory or ADAM/AD LDS? (AD, ADAM):
– If the repository is Active Directory, enter AD.
– If the repository is AD LDS, enter ADAM. AD LDS was formerly called Active
Directory Application Mode (ADAM).
b The configuration script asks if you want Entrust Identity Enterprise to
connect to the directory using SSL:
Do you wish to use SSL to connect to the Microsoft Active
Directory server? [yes or no]
– If you want Entrust Identity Enterprise to connect to the directory using
secure LDAP (LDAPS), enter yes.
– If you want Entrust Identity Enterprise to connect to the directory using
LDAP, enter no.
c If you entered yes to use SSL to connect to the directory, the configuration
script asks if you want to import the directory server SSL certificate:
In order to verify the SSL connection to the Microsoft Active
Directory server, Entrust Identity Enterprise requires that the
Microsoft Active Directory server's SSL certificate or the
certificate of the CA that issued it be imported into its trust
store. The Entrust Identity Enterprise trust store already
contains several public root CA certificates. If the server's
certificate was not issued by a public root you must import the
certificate. If Entrust Identity Enterprise cannot trust the
server's certificate, it will be unable to connect to the
Microsoft Active Directory server causing operations including
initialization to fail.
Do you wish to import the Microsoft Active Directory server's
SSL certificate? [yes or no]
You must import the directory server SSL certificate, or the CA certificate that
issued the SSL certificate, into the application server’s truststore.
The Entrust Identity Enterprise truststore contains several public root CA
certificates. If your directory server SSL certificate was issued by a public root
CA certificate, you do not need to import a certificate.

Note:
If the certificate cannot be trusted, Entrust Identity Enterprise cannot connect to
the directory.

– To import the directory server SSL certificate or the CA certificate into the
truststore, enter yes.
– To not import a certificate, enter no.
If you enter no, a message appears telling you that the SSL certificate will
need to be imported manually.
d If you entered yes to import a certificate, the configuration script prompts
you to enter the file name of the certificate:
Enter the filename of the certificate:
Enter the full path and file name of the certificate. If you specify an invalid
file, you will be prompted to enter a different file.
e If you imported a certificate, the configuration script displays the certificate
details and then asks if you want to trust the certificate:
Trust this certificate? [no]:
Before answering, compare the details shown with the certificate your directory
administrator provided; a certificate trusted here is accepted for every later
connection to the directory.
– To trust the certificate and import it into the keystore, enter yes.
A success message will appear, stating that the certificate was added to the
keystore.
– To reject the certificate, enter no.
You will be prompted to enter a different file.

f The configuration script prompts you to provide the host name of the
directory server:
Enter the Microsoft Active Directory host
(ex: identityguard.anycorp.com):
Enter the fully qualified domain name (FQDN) or IP address of the server
hosting the directory.
g The configuration script prompts you to provide the port number of the
directory:
Enter the Microsoft Active Directory port number (default is
389):
Enter the directory server port number. By default, the LDAP port is 389. For
LDAPS (secure LDAP), the default port is 636.
h The configuration script prompts you to provide the base DN of the
directory:
The Microsoft Active Directory base DN is the DN under which
all Entrust Identity Enterprise entries are found.
Enter the Microsoft Active Directory base DN
(ex: dc=anycorp,dc=com):

Note:
Entrust Identity Enterprise configuration automatically converts spaces in any
DNs or RDNs you enter to %20. If you edit any DN or RDN after installation in
the identityguard.properties file, you must replace all spaces in DNs and
RDNs with %20.

The base DN is the distinguished name (DN) of the directory entry under
which all Entrust Identity Enterprise entries are found.
Enter the base DN of the directory. For example:
dc=anycorp,dc=com
i The configuration script prompts you to provide the directory user DN:
The Microsoft Active Directory user DN and password define the
credentials used by Entrust Identity Enterprise to connect to
the repository.
Enter the Microsoft Active Directory user DN
(ex: cn=Administrator,cn=Users,dc=anycorp,dc=com):
The directory user DN is the distinguished name (DN) of an administrative
user account that Entrust Identity Enterprise will use to connect to the
directory.

The account must have sufficient privileges to make changes to the user and
policy objects in the directory. You should have created this user account
when you configured the directory for Entrust Identity Enterprise.
Enter the DN of the directory user Entrust Identity Enterprise will use to
connect to the directory. For example:
cn=Administrator,cn=Users,dc=anycorp,dc=com
j The configuration script prompts you to provide the password of the
directory user account:
Enter the Microsoft Active Directory password:
Enter the password of the administrative user account.
k The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password. If the passwords you
entered do not match, the configuration script will prompt you to provide
and confirm the password again.
l The configuration script prompts you to provide the policy RDN:
The policy RDN defines the entry in the Microsoft Active
Directory repository used to store Entrust Identity Enterprise
policy information. The entry must already exist.
Enter the Microsoft Active Directory policy RDN
(ex: cn=igpolicy,cn=Users):
The policy RDN is the relative distinguished name of the directory entry used
to store the Entrust Identity Enterprise policy information.
The RDN must be relative to the base DN. For example, if all the users exist
under the base DN dc=anycorp,dc=com and the DN of the policy entry is
cn=igpolicy,cn=Users,dc=anycorp,dc=com, then enter
cn=igpolicy,cn=Users as the policy RDN.
Enter the policy RDN.
m The configuration script prompts you to provide the directory user name
attribute:
The Microsoft Active Directory user name attribute is the
attribute that uniquely identifies Entrust Identity Enterprise
users. Entrust Identity Enterprise uses this attribute to find
entries in the repository.
Enter the Microsoft Active Directory user name attribute
(ex: sAMAccountName):
Enter the directory attribute that will uniquely identify Entrust Identity
Enterprise users in the directory.

The sAMAccountName attribute is commonly used for Active Directory. The
CN (common name) attribute is commonly used for AD LDS.
Proceed to Step 7 on page 84.
5 If the repository is an LDAP directory, the configuration script prompts you for
the directory configuration information:
LDAP CONFIGURATION
a The configuration script asks you what type of directory you are using:
What type of directory are you using?
eDirectory - Novell(R) eDirectory(TM)
IBM - IBM Tivoli Directory
OID - Oracle Internet Directory
OPENLDAP - OpenLDAP
RedHat - Red Hat
SunONE - Oracle Enterprise Directory
UnboundID - UnboundID Data Store
CA - CA Directory
Other
(EDIRECTORY, IBM, OID, OPENLDAP, REDHAT, SUNONE, UNBOUNDID, CA,
or OTHER):
Enter the type of directory you are using as the directory repository:
– If the directory is Novell eDirectory, enter eDirectory.
– If the directory is IBM Tivoli Directory, enter IBM.
– If the directory is Oracle Internet Directory, enter OID.
– If the directory is OpenLDAP, enter OPENLDAP.
– If the directory is Red Hat Directory Server, enter RedHat.
– If the directory is Oracle Directory Server Enterprise Edition, enter SunONE.
Oracle Directory Server Enterprise Edition was formerly known as Sun Java
System Directory Server and SunONE Directory Server.
– If the directory is UnboundID Directory Server, enter UnboundID.
– If the directory is CA Directory, enter CA.
– If the directory is another supported directory server that is not listed, enter
Other.

Note:
Enter Other only if instructed by Entrust Customer Support.

b The configuration script asks if you want Entrust Identity Enterprise to
connect to the directory using SSL:
Do you wish to use SSL to connect to the LDAP server? [yes or
no]
– If you want Entrust Identity Enterprise to connect to the directory using
secure LDAP (LDAPS), enter yes.
– If you want Entrust Identity Enterprise to connect to the directory using
LDAP, enter no.
c If you entered yes to use SSL to connect to the directory, the configuration
script asks if you want to import the directory server SSL certificate:
In order to verify the SSL connection to the LDAP server,
Entrust Identity Enterprise requires that the LDAP server's SSL
certificate or the certificate of the CA that issued it be
imported into its trust store. The Entrust Identity Enterprise
trust store already contains several public root CA
certificates. If the server's certificate was not issued by a
public root you must import the certificate. If Entrust
Identity Enterprise cannot trust the server's certificate, it
will be unable to connect to the LDAP server causing operations
including initialization to fail.
Do you wish to import the LDAP server's SSL certificate? [yes
or no]
You must import the directory server SSL certificate, or the Certification
Authority (CA) certificate that issued the SSL certificate, into the application
server’s truststore.
The Entrust Identity Enterprise truststore contains several public root CA
certificates. If your directory server SSL certificate was issued by a public root
CA certificate, you do not need to import a certificate.

Note:
If the certificate cannot be trusted, Entrust Identity Enterprise cannot connect to
the directory.

– To import the directory server SSL certificate or the CA certificate into the
truststore, enter yes.
– To not import a certificate, enter no.
If you enter no, a message appears telling you that the SSL certificate will
need to be imported manually.
d If you entered yes to import a certificate, the configuration script prompts
you to enter the file name of the certificate:
Enter the filename of the certificate:

Enter the full path and file name of the certificate. If you specify an invalid
file, you will be prompted to enter a different file.
e If you imported a certificate, the configuration script displays the certificate
details and then asks if you want to trust the certificate:
Trust this certificate? [no]:
– To trust the certificate and import it into the keystore, enter yes.
A success message will appear, stating that the certificate was added to the
keystore.
– To reject the certificate, enter no.
You will be prompted to enter a different file.
f The configuration script prompts you to provide the host name of the
directory server:
Enter the LDAP host
(ex: identityguard.anycorp.com):
Enter the fully qualified domain name (FQDN) or IP address of the server
hosting the directory.
g The configuration script prompts you to provide the port number of the
directory:
Enter the LDAP port number (default is 389):
Enter the directory server port number. By default, the LDAP port is 389. For
LDAPS (secure LDAP), the default port is 636.
h The configuration script prompts you to provide the base DN of the
directory:
The LDAP base DN is the DN under which all Entrust Identity
Enterprise entries are found.
Enter the LDAP base DN
(ex: dc=anycorp,dc=com):

Note:
Entrust Identity Enterprise configuration automatically converts spaces in any
DNs or RDNs you enter to %20. If you edit any DN or RDN after installation in
the identityguard.properties file, you must replace all spaces in DNs and
RDNs with %20.

The base DN is the distinguished name (DN) of the directory entry under
which all Entrust Identity Enterprise entries are found.
Enter the base DN of the directory. For example:
dc=anycorp,dc=com

i The configuration script prompts you to provide the directory user DN:
The LDAP user DN and password define the credentials used by
Entrust Identity Enterprise to connect to the repository.
Enter the LDAP user DN
(ex: ex: cn=Directory Manager):
The directory user DN is the distinguished name (DN) of an administrative
user account that Entrust Identity Enterprise will use to connect to the
directory.
The account must have sufficient privileges to make changes to the user and
policy objects in the directory. You should have created this user account
when you configured the directory for Entrust Identity Enterprise.
Enter the DN of the directory user Entrust Identity Enterprise will use to
connect to the directory. For example:
cn=Directory Manager
j The configuration script prompts you to provide the password of the
directory user account:
Enter the LDAP password:
Enter the password of the administrative user account.
k The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password. If the passwords you
entered do not match, the configuration script will prompt you to provide
and confirm the password again.
l The configuration script prompts you to provide the policy RDN:
The policy RDN defines the entry in the LDAP repository used to
store Entrust Identity Enterprise policy information. The
entry must already exist.
Enter the LDAP policy RDN
(ex: uid=policy):
The policy RDN is the relative distinguished name of the directory entry used
to store the Entrust Identity Enterprise policy information.
The RDN must be relative to the base DN. For example, if all the users exist
under the base DN dc=anycorp,dc=com and the DN of the policy entry is
uid=policy,dc=anycorp,dc=com, then enter uid=policy as the policy
RDN.
Enter the policy RDN.
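The base DN, policy RDN and %20 rules in this step (and the identical Active Directory prompts in Step 4, including the Note about spaces in DNs and RDNs) can be checked before you run the configuration script. The following Python helpers are an added example for this guide, not part of Entrust Identity Enterprise or its configuration script: they derive the policy RDN from a full policy DN and a base DN, reject a policy entry that is not under the base DN, and apply the space-to-%20 encoding that identityguard.properties requires. The function names are this example's own; the sample DNs are the ones quoted in the prompts above plus one constructed case with mixed case and extra spacing.

```python
"""DN/RDN helpers for preparing Entrust Identity Enterprise configuration input.

Added example for this guide; not product code. It implements the rules stated
in the procedure: the policy RDN is the policy entry's DN with the base DN
removed, and spaces in any DN or RDN stored in identityguard.properties must be
written as %20.
"""
from __future__ import annotations


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN components on unescaped commas.

    Only the RFC 4514 backslash escape is handled, which is enough for the DNs
    shown in the procedure (e.g. "cn=Directory Manager").
    """
    parts: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def _normalize_rdn(rdn: str) -> str:
    """Normalise one RDN for comparison only: fold case, trim spaces around '='.

    LDAP matching for the attribute types found in base DNs (dc, o, ou, cn) is
    case-insensitive, so 'DC=AnyCorp' and 'dc=anycorp' must compare equal.
    """
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def policy_rdn_from_dn(policy_dn: str, base_dn: str) -> str:
    """Return the policy RDN relative to the base DN.

    Example from the guide: policy DN cn=igpolicy,cn=Users,dc=anycorp,dc=com
    under base DN dc=anycorp,dc=com gives cn=igpolicy,cn=Users.
    Raises ValueError if the policy entry is not strictly below the base DN,
    because the configuration script requires an RDN relative to the base DN.
    """
    policy_parts = split_dn(policy_dn)
    base_parts = split_dn(base_dn)
    if len(base_parts) >= len(policy_parts):
        raise ValueError("policy entry must be strictly below the base DN")
    cut = len(policy_parts) - len(base_parts)
    tail = policy_parts[cut:]
    if [_normalize_rdn(p) for p in tail] != [_normalize_rdn(p) for p in base_parts]:
        raise ValueError(f"{policy_dn!r} is not under base DN {base_dn!r}")
    return ",".join(policy_parts[:cut])


def encode_for_properties(dn_or_rdn: str) -> str:
    """Encode a DN or RDN as identityguard.properties expects: spaces become %20.

    The guide documents only the space rule, so nothing else is altered.
    """
    return dn_or_rdn.replace(" ", "%20")


def decode_from_properties(value: str) -> str:
    """Inverse of encode_for_properties, for reading a stored DN back out."""
    return value.replace("%20", " ")


if __name__ == "__main__":
    print(policy_rdn_from_dn("cn=igpolicy,cn=Users,dc=anycorp,dc=com", "dc=anycorp,dc=com"))
    print(policy_rdn_from_dn("uid=policy,dc=anycorp,dc=com", "dc=anycorp,dc=com"))
    print(encode_for_properties("cn=Directory Manager"))
```

The comparison is deliberately case-insensitive only in `_normalize_rdn`; the returned RDN keeps the exact spelling you will type at the prompt, so what goes into the script is what the directory actually contains.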
m The configuration script prompts you to provide the directory user name
attribute:

The LDAP user name attribute is the attribute that uniquely
identifies Entrust Identity Enterprise users. Entrust Identity
Enterprise uses this attribute to find entries in the
repository.
Enter the LDAP user name attribute
(ex: uid):
Enter the directory attribute that will uniquely identify Entrust Identity
Enterprise users in the directory.
The uid or cn (common name) attributes are commonly used attributes in
LDAP directories to identify user entries.
Proceed to Step 7 on page 84.
6 If the repository is a database, the configuration script prompts you for the
database configuration information:
DATABASE CONFIGURATION
a The configuration script asks you what type of database you are using:
Enter the database type (Oracle, DB2, MySQL, SQLServer,
PostgreSQL, Other):
Enter the type of database you are using as the database repository:
– If the database is Oracle Database, enter Oracle.
– If the database is IBM DB2, enter DB2.
– If the database is MySQL, enter MySQL.
– If the database is Microsoft SQL Server, enter SQLServer.
– If the database is PostgreSQL, enter PostgreSQL.
– If the database is another supported database that is not listed, enter
Other.

Note:
Enter Other only if instructed by Entrust Customer Support.

b The configuration script prompts you to provide the JDBC driver JAR file
name:
Enter the JDBC driver JAR file name:
Enter the full path and file name of the JDBC driver JAR file (for example,
/tmp/ojdbc14.jar for Oracle Database). Ensure the file permissions on
this file allow the Entrust Identity Enterprise owner to both read and execute
the file.

Note:
Some databases require multiple JAR files. You can add other files in a later step.

c The configuration script prompts you to provide the JDBC driver class name:
Enter the JDBC driver class name:
Enter the JDBC driver class name. For example,
oracle.jdbc.driver.OracleDriver for Oracle Database.
d The configuration script asks if Entrust Identity Enterprise requires additional
JDBC driver JAR files to connect to the database:
Are there any other JDBC JAR files to be installed? [yes or no]
– If only one JDBC driver JAR file is required to connect to the database—the
JDBC JAR file you specified earlier—enter no.
– If more than one JDBC driver JAR file is required to connect to the
database, enter yes.
e If you entered yes to specify additional JDBC driver JAR files, the
configuration script prompts you to provide a JDBC driver JAR file name:
Enter the JDBC JAR file name:
Enter the full path and file name of the JDBC driver JAR file (for example,
/tmp/ojdbc7.jar). Ensure the file permissions on this file allow the Entrust
Identity Enterprise owner to both read and execute the file.
The configuration script will ask you again if any other JDBC driver JAR files
need to be installed:
Are there any other JDBC JAR files to be installed? [yes or no]
If Entrust Identity Enterprise requires additional JDBC driver JAR files to
connect to the database, enter yes, and then enter the full path and file
name of the JAR file. When no more JDBC driver JAR files are required to
connect to the database, enter no.
f The configuration script prompts you to provide the database URL that
Entrust Identity Enterprise will use to connect to the database:
The DB URL provides information required to connect to the
database server.
Each JDBC driver defines its own syntax for the URL. Consult
the driver documentation for details. For example, if you are
using the Oracle thin driver the URL will look like
jdbc:oracle:thin:@dbhost:dbport:SID where dbhost is the
database server host name, dbport is the database server port
number and SID is the Oracle SID.
Enter the DB URL:

Enter the database URL that Entrust Identity Enterprise will use to connect to
the database server. Enter the URL in the JDBC driver-specific format.
For example, for PostgreSQL:
jdbc:postgresql://postgresql.example.com:5432/identityguard
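Because each driver defines its own URL syntax and a malformed URL only surfaces when the connection fails, it is worth checking the URL before entering it. The following Python parser is an added example for this guide, not part of the product or its configuration script: it handles the two forms quoted above, the Oracle thin SID form jdbc:oracle:thin:@dbhost:dbport:SID and the host/port/database form used by PostgreSQL (and by other drivers, such as MySQL, that follow jdbc:subprotocol://host:port/database), validates the port, and flags a URL that carries a user name or password, since the script prompts for the DB userid and password separately. The JdbcUrl class and function names are this example's own; the Oracle sample URL, with port 1521 and SID ORCL, is constructed.

```python
"""Validate JDBC URLs of the kinds shown in the configuration procedure.

Added example for this guide; not product code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Oracle thin-driver SID form quoted by the configuration script:
#   jdbc:oracle:thin:@dbhost:dbport:SID
_ORACLE_THIN_SID = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[^:/@]+):(?P<port>\d+):(?P<sid>[^:/]+)$"
)


@dataclass
class JdbcUrl:
    """Parsed URL. For the Oracle thin SID form, 'database' holds the SID."""
    subprotocol: str
    host: str
    port: int
    database: str
    warnings: list[str] = field(default_factory=list)


def _check_port(port: int | None) -> int:
    """Reject a missing or out-of-range port instead of letting the connection fail later."""
    if port is None:
        raise ValueError("JDBC URL must include a port number")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return port


def parse_jdbc_url(url: str) -> JdbcUrl:
    """Parse a JDBC URL in the Oracle thin SID form or the host:port/database form."""
    if not url.startswith("jdbc:"):
        raise ValueError("JDBC URL must start with 'jdbc:'")

    m = _ORACLE_THIN_SID.match(url)
    if m:
        return JdbcUrl("oracle", m.group("host"),
                       _check_port(int(m.group("port"))), m.group("sid"))

    # Generic form, e.g. jdbc:postgresql://host:5432/identityguard[?params].
    # Dropping the "jdbc:" prefix makes the subprotocol the URL scheme.
    parts = urlsplit(url[len("jdbc:"):])
    if not parts.netloc:
        raise ValueError(f"unrecognised JDBC URL form: {url!r}")
    try:
        port = parts.port  # None if absent; ValueError if not numeric or out of range
    except ValueError as exc:
        raise ValueError(f"invalid port in {url!r}: {exc}") from exc
    database = parts.path.lstrip("/")
    if not parts.hostname or not database:
        raise ValueError("JDBC URL must name both a host and a database")

    result = JdbcUrl(parts.scheme.lower(), parts.hostname, _check_port(port), database)

    # The script asks for the DB userid and password at separate prompts;
    # credentials embedded in the URL would be stored in plain text with it.
    query_keys = {k.lower() for k in parse_qs(parts.query)}
    if parts.username or parts.password or query_keys & {"user", "password"}:
        result.warnings.append(
            "credentials embedded in URL; supply them at the DB userid/password prompts instead"
        )
    return result


if __name__ == "__main__":
    for sample in (
        "jdbc:postgresql://postgresql.example.com:5432/identityguard",  # from the guide
        "jdbc:oracle:thin:@dbhost:1521:ORCL",  # constructed sample values
    ):
        print(parse_jdbc_url(sample))
```

Only the SID form of the Oracle thin URL is recognised, because that is the form the script's help text describes; other driver-specific variants would need their own pattern.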
g The configuration script prompts you to provide the database user that
Entrust Identity Enterprise will use to connect to the database and administer
data:
Enter the DB userid:
Enter the name of the database user that Entrust Identity Enterprise will use
to connect to the database and administer data.
h The configuration script prompts you to provide the password of the
database user:
Enter the DB password:
Enter the password of the database user.
i The configuration script prompts you to confirm the password of the
database user:
Confirm:
Enter the password of the database user again to confirm the password.
j The configuration script prompts you to provide the database schema name:
Enter the DB schema name:
Enter the schema name for your database.
In some databases (for example, Oracle Database), the schema is
automatically named with the user name associated with it. For these
databases, enter the database administrator user name.
7 The configuration script prompts you to provide the ports the application will use
for the Entrust Identity Enterprise services.
Ensure that the ports for each Entrust Identity Enterprise service are unique for
that computer.
a The configuration script prompts you to provide the port number to use for
the Authentication Service HTTP port:
Enter the Authentication Service HTTP port number
(default is 8080):
Enter the HTTP (non-secure) port number to use for the Authentication
Service, or press Enter to accept the default port of 8080.
You can disable the HTTP port later to enhance security. See “Disabling the
Authentication service non-SSL port on Tomcat” on page 164 for
instructions after configuring Entrust Identity Enterprise.

b The configuration script prompts you to provide the port number to use for
the Authentication Service HTTPS port:
Enter the Authentication Service HTTPS port number
(default is 8443):
Enter the HTTPS port number to use for the Authentication Service, or press
Enter to accept the default port of 8443.
c The configuration script prompts you to provide the port number to use for
the Authentication Service client-authenticated HTTPS port:
Enter the Authentication Service Client-Authenticated HTTPS
port number
(default is 8447):
Enter the client-authenticated HTTPS port number to use for the
Authentication Service, or press Enter to accept the default port of 8447.

Note:
If you are using the client-authenticated HTTPS port, you must import each CA
certificate that signed the client certificate being used for client-authenticated
SSL (or the client certificate itself) into the Entrust Identity Enterprise keystore.
See “Step 3: Obtain and import the root and all chain certificates using keytool”
on page 176, which describes how to import the root CA certificate. You can
extrapolate from these instructions how to import other, intermediate CA
certificates. Note that the referred-to instructions are part of a larger procedure
that you can otherwise ignore.

d The configuration script prompts you to provide the port number to use for
the Administration Services HTTPS port:
Enter the Administration Service HTTPS port number
(default is 8444):
Enter the HTTPS port number to use for the Administration Service, or press
Enter to accept the default port of 8444.
8 For the embedded Tomcat application server, the configuration script will create
a self-signed certificate. This certificate will be used to secure communications on
the HTTPS ports:
Entrust Identity Enterprise will create a self-signed certificate
for SSL communication.
You can switch the self-signed certificate to a CA-signed certificate later as
described in “Switching to a CA-signed certificate using keytool” on page 171.

a The configuration script displays the host name of the server, and asks if you
want to use that host name for the Entrust Identity Enterprise service URLs
and the self-signed SSL certificate:
The hostname to be used in the service URLs and the SSL
certificate is domain.example.com.
Do you want to use this hostname? [yes or no]
To use the displayed host name for the Entrust Identity Enterprise service
URLs and as the subject DN in the self-signed SSL certificate, enter yes. To
use a different host name, enter no.
b If you entered no to change the host name, the configuration script prompts
you to provide the host name to use:
Enter the hostname to use:
Enter the host name to use for the service URLs and self-signed SSL
certificate.
c The configuration script prompts you to set the lifetime of the self-signed
certificate:
Enter the lifetime in days of the certificate (default is 365):
Enter a lifetime (in days) for the self-signed certificate, or press Enter to
accept the default lifetime of 365 days.
d Entrust Identity Enterprise automatically exports a copy of the self-signed
certificate to a file. The configuration script displays the full path and file
name of the certificate file:
Certificate stored in file
</opt/entrust/identityguard130/etc/identityguard.cer>
Within the keystore, the self-signed certificate and private key are stored
under the alias tomcat.
9 You are prompted to configure Entrust Identity Enterprise logs:
LOG CONFIGURATION
a The configuration script asks if you want Entrust Identity Enterprise to log
messages to files or syslog:
Should Entrust Identity Enterprise log to files or syslog (FILE
or SYSLOG):
– To log messages to files, enter FILE.
Entrust Identity Enterprise displays the location of the files. For example:
Logs will be stored in
/opt/entrust/identityguard130/logs.
– To log messages to syslog, enter SYSLOG.
b If you chose to log messages to syslog, Entrust Identity Enterprise prompts
you for the syslog host name:

Enter the syslog host name (default is localhost):
Enter the host name of the syslog server, or press Enter if the syslog host is
the local host (the server hosting Entrust Identity Enterprise).
c If you chose to log messages to syslog, Entrust Identity Enterprise displays a
message, telling you to ensure that syslog on the specified host is configured
to accept Entrust Identity Enterprise logs:
Ensure that syslog on localhost is configured to accept Entrust
Identity Enterprise logs.
Ensure that syslog on the specified server is configured to accept logs from
Entrust Identity Enterprise.
See the Entrust Identity Enterprise Server Administration Guide for more
information about logging.
10 The configuration script finishes configuring Entrust Identity Enterprise and asks
if you want to initialize Entrust Identity Enterprise:
Configuration complete.

Do you wish to initialize the primary system? [yes or no]


• To initialize Entrust Identity Enterprise later using the master user shell, enter
no.
• To initialize Entrust Identity Enterprise immediately using the configuration
script, enter yes.
You have configured Entrust Identity Enterprise as a primary server. You must initialize
Entrust Identity Enterprise before you can begin using Entrust Identity Enterprise. An
uninitialized Entrust Identity Enterprise does not function. To begin initializing Entrust
Identity Enterprise, proceed to “Initializing a primary Entrust Identity Enterprise
Server” on page 112.

4
Configuring Entrust Identity Enterprise as a replica server
Replica Entrust Identity Enterprise Servers help decrease the load on the primary
Entrust Identity Enterprise Server. While you can only use one primary server, you can
add an unlimited number of replica servers. Add replica servers to set up a
load-balanced or failover environment when you are administering very large
numbers of users.

Note:
See the Entrust Identity Enterprise Server Administration Guide for information
about configuring the repository for failover and high-availability.

You must have an existing primary Entrust Identity Enterprise Server running before
attempting to create a replica system.
This chapter provides all the necessary steps for configuring Entrust Identity
Enterprise Server as a replica server on supported operating systems. This chapter
includes the following sections:
• “Replica server overview” on page 90
• “Configuring Entrust Identity Enterprise as a replica server on Windows” on
page 92
• “Configuring Entrust Identity Enterprise as a replica server on Linux” on
page 103
• “Replicating master keys on HSMs” on page 109

Replica server overview
Replica Entrust Identity Enterprise Servers help decrease the load on the primary
Entrust Identity Enterprise Server. While you can only use one primary server, you can
add an unlimited number of replica servers. Add replica servers to set up a
load-balanced or failover environment when you are administering very large
numbers of users.

Note:
See the Entrust Identity Enterprise Server Administration Guide for information
about configuring the repository for failover and high-availability.

You must have an existing primary Entrust Identity Enterprise Server before
attempting to create a replica system.
When adding a replica server, consider the following:
• If you are using an LDAP directory, Entrust Identity Enterprise uses file-based
repositories.
File-based repositories reside on the primary server, and they contain
unassigned cards, tokens, and smart credentials. If you are using a file-based
repository, ensure that administrators and master users log in to the primary
Entrust Identity Enterprise Server when assigning tokens, cards, or smart
credentials to users. Entrust Identity Enterprise does not install a file-based
repository on a replica server.
• The repository is not copied when you add a replica.
The replica uses the same repository that the primary Entrust Identity
Enterprise Server uses.
• A new self-signed certificate with the proper host name is created during the
replica configuration.
If you create a new SSL certificate for the replica server, ensure the host name
in the SSL certificate is the same as the host name used by the server.
For details about creating an SSL certificate, after completing this procedure,
see “Managing the SSL certificate on Entrust Identity Enterprise Server” on
page 171.
• If you make any configuration changes to the primary Entrust Identity
Enterprise Server, you must manually propagate the changes to any replicas.

For example, if you update the certificates or change the
identityguard.properties file, you must also update the replicas.
• To make changes to the identityguard.properties file on a replica, use
the Properties Editor that runs on that replica. You cannot copy the
identityguard.properties file from the primary server to the replica.
• If you have added a patch to the primary server, you must update the replica
server to the same patch level.

Note:
All files added to the replica server should be readable and writable by the user
and group selected during installation.

• Do not enable challenge caching in a replicated or load-balanced environment
where you cannot guarantee a user's authentication requests will always be
directed to the same Entrust Identity Enterprise server.
If you are running a replica on the repository with the administration service enabled,
there is no real difference between the primary and a replica, which means:
• If the primary node fails, it is not necessary to assign a new primary. All nodes
are essentially equivalent.
• When doing an upgrade, you can run the primary upgrade on any node, but
it must be run first, then apply the replica upgrade to the rest of the nodes.

Configuring Entrust Identity Enterprise as a
replica server on Windows
Complete the following procedure to configure Entrust Identity Enterprise as a replica
server on supported Windows operating systems.

To configure Entrust Identity Enterprise as a replica server on Windows


1 From the primary Entrust Identity Enterprise Server or any replica Entrust Identity
Enterprise Server, take a partial backup of Entrust Identity Enterprise. See
“Backing up your configuration” on page 207 for instructions.
Partial backups contain just enough information to configure a replica system.
2 Copy the backup ZIP file to the server that will host the new replica Entrust
Identity Enterprise Server.
3 Log in to the Windows server where you installed Entrust Identity Enterprise.
4 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Entrust Identity Enterprise Configuration Panel dialog box appears.

5 Under Configuration, click Configure Entrust Identity Enterprise.
The Entrust Identity Enterprise System Type dialog box appears.

6 Click Replica to configure Entrust Identity Enterprise as a replica server.
7 If you have previously configured Entrust Identity Enterprise, the following
warning appears:

Click Yes to overwrite the previously-configured Entrust Identity Enterprise.

8 The Entrust Identity Enterprise Configuration Wizard appears.

Click Next to begin configuring Entrust Identity Enterprise.

Note:
To re-enter information on a previous page, click Back to return to the previous
page. No information you already entered will be lost if you return to a previous
page.

To cancel the configuration or exit the Entrust Identity Enterprise Configuration
Wizard, click Cancel or close the wizard. If you cancel the configuration process
or close the wizard, all configuration information will be lost.

9 The System Backup File page appears.

a In the text field, enter the full path and file name of the backup ZIP you
transferred to the server earlier, or click Browse to select the file.
b Click Next to continue.

10 The Service Settings page appears.

When installing Entrust Identity Enterprise, ensure that the ports for each Entrust
Identity Enterprise service are unique for that computer.
a In the Authentication Service HTTP port number field, enter the HTTP
(non-secure) port number to use for the Authentication Service (default
8080).
You can disable the HTTP port later to enhance security. See “Disabling the
Authentication service non-SSL port on Tomcat” on page 164 for
instructions after configuring Entrust Identity Enterprise.
b In the Authentication Service HTTPS port number field, enter the HTTPS port
number to use for the Authentication Service (default 8443).
c In the Authentication Service client-authenticated HTTPS port number field,
enter the client-authenticated HTTPS port number to use for the
Authentication Service (default 8447).
d In the Administration Service HTTPS port number field, enter the HTTPS
port number to use for the Administration Service (default 8444).
e Click Next to continue.

11 The System host name page appears.
• The System host name page for an embedded Tomcat application server:

– In the Enter the host name used by the self-signed certificate and service
URLs field, enter the host name that will be used to access the Entrust
Identity Enterprise services.
The wizard will create a self-signed SSL certificate. This certificate will be
used to secure communications on the HTTPS ports. The host name you
enter will be used as the subject DN in the self-signed certificate. You can
switch the self-signed certificate to a CA-signed certificate later as
described in “Switching to a CA-signed certificate using keytool” on
page 171.
– In the Self-signed SSL certificate lifetime (in days) field, enter the lifetime,
in days, of the self-signed SSL certificate. The default lifetime is 365 days.
12 Click Next to continue.
The Administration Controls screen appears.

13 Select the administration state:
• Enabled. This option enables both the Administration service and interface
controls on the replica system.
Do not select Enabled if you are using multiple Entrust Identity Enterprise
servers with replicated repositories or if you are using file-based repositories.
If you are using an LDAP directory, Entrust Identity Enterprise uses file-based
repositories.
It is recommended that the administration service only be enabled on the
primary Entrust Identity Enterprise Server, since delays in replication between
repositories can cause problems. If you are using a single repository,
replication is not an issue, and you can enable or disable the administration
service as you see fit.

If you select Enabled, be sure that administrators use the Administration
interface on the primary server to assign or unassign cards, tokens, or smart
credentials.
• Disabled. This option disables both the Administration service and interface
controls on the replica system.
• Primary. This option disables the Administration service on the replica system
and forwards all Administration interface requests to the primary system. The
Administration interface remains enabled on the replica and can still be
accessed using the replica’s host name.
In this mode, the SSL certificate of the primary must be installed in the local
keystore. This is done automatically.

Note:
If you select Primary, the identityguard.webadmin.directConnection
(Direct Connection to Admin API) property is set to false so that the
Administration service on the replica server cannot directly connect to the
repository. Instead, it connects to the Administration service on the primary
Entrust Identity Enterprise Server. The property is added to the
identityguard.properties file if it does not already exist.

14 Select Next to continue.


The wizard attempts to resolve the host name. If the wizard cannot resolve the
host name, a dialog box appears, informing you that the host name could not be
resolved. Verify that the host name you enter is correct. You can go back and
change the host name, or continue with the configuration.

15 The Configuration Summary page appears.

This page contains a list of all information you entered into the Entrust Identity
Enterprise Configuration wizard.
a Review the configuration summary.
– If you need to change any settings, click Back to return to a previous page
and make your changes.
– (Optional.) If you need to keep a record of the configuration summary,
select and copy the configuration summary, then paste it into a text file.
b To accept the configuration, click Confirm and Save.

16 After the wizard saves the configuration changes, the Finish page appears.

a Select one of the following options:


– To initialize Entrust Identity Enterprise later, select Do not initialize the
Entrust Identity Enterprise System now.
Select this option if you are using an HSM. You cannot initialize Entrust
Identity Enterprise using the wizard; you must initialize Entrust Identity
Enterprise using the master user shell.
– To initialize Entrust Identity Enterprise immediately, select Initialize the
Entrust Identity Enterprise System now.
b Click Finish.
You have configured Entrust Identity Enterprise as a replica server. You must initialize
Entrust Identity Enterprise before you can begin using Entrust Identity Enterprise. An
uninitialized Entrust Identity Enterprise does not function. To begin initializing Entrust
Identity Enterprise, proceed to “Initializing a replica Entrust Identity Enterprise Server
or server restored from a backup” on page 140.

Configuring Entrust Identity Enterprise as a
replica server on Linux
Complete the following procedure to configure Entrust Identity Enterprise as a replica
server on supported Linux operating systems.

To configure Entrust Identity Enterprise as a replica server on Linux


1 From the primary Entrust Identity Enterprise Server or any replica Entrust Identity
Enterprise Server, take a partial backup of Entrust Identity Enterprise. See
“Backing up your configuration” on page 207 for instructions.
Partial backups contain just enough information to configure a replica system.
2 Copy the backup ZIP file to the server that will host the new replica Entrust
Identity Enterprise Server.
3 Log in to the Linux server where you installed Entrust Identity Enterprise.
4 If the configuration script is not running:
a Switch to the Linux user account that owns Entrust Identity Enterprise Server.
b Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
c Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
d Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
e Enter the following command to run the Entrust Identity Enterprise
configuration script:
./configure.sh
f If you have previously configured Entrust Identity Enterprise, the following
message appears:
An identityguard.properties file exists. If you continue, this
file will be overwritten.
Do you want to continue? [yes or no]
Enter yes to overwrite the previously-configured Entrust Identity Enterprise.

Note:
You can cancel out of the script at any time by pressing Ctrl + C.

5 The configuration script asks if you are configuring a primary or replica server, or
restoring the configuration from a backup:
Are you configuring an Entrust Identity Enterprise primary or
replica server, or are you restoring the configuration from a
backup file? (PRIMARY, REPLICA or RESTORE):
Enter REPLICA to configure Entrust Identity Enterprise Server as a replica server.
6 The configuration script prompts you to provide the configuration backup file:
Enter the name of the configuration backup file:
Enter the full path and file name of the configuration backup file (.zip file) that
you transferred to the server earlier. For example:
/tmp/igpartialbackup_20060224150045.zip
7 The configuration script prompts you to select the mode of the Administration
service:
How should the administration services be setup? (ENABLED,
DISABLED, or PRIMARY)?
Enter one of the following values:
• ENABLED to enable both the Administration service and interface controls on
the replica server.
Do not select ENABLED if you are using multiple Entrust Identity Enterprise
servers with replicated repositories or if you are using file-based repositories.
If you are using an LDAP directory, Entrust Identity Enterprise uses file-based
repositories.
It is recommended that the administration service only be enabled on the
primary Entrust Identity Enterprise Server, since delays in replication between
repositories can cause problems. If you are using a single repository,
replication is not an issue, and you can enable or disable the administration
service as you see fit.
If you select ENABLED, be sure that administrators use the Administration
interface on the primary server to assign or unassign cards, tokens, or smart
credentials.
• DISABLED to disable both the Administration service and interface controls
on the replica server.
• PRIMARY to disable the Administration service on the replica server and
forward all Administration interface requests to the primary server. The
Administration interface remains enabled on the replica and can still be
accessed using the replica’s host name.
In this mode, the SSL certificate of the primary must be installed in the local
keystore. This is done automatically.
8 The configuration script prompts you to provide the ports the application will use
for the Entrust Identity Enterprise services.
Ensure that the ports for each Entrust Identity Enterprise service are unique for
that computer.
a The configuration script prompts you to provide the port number to use for
the Authentication Service HTTP port:
Enter the Authentication Service HTTP port number
(default is 8080):
Enter the HTTP (non-secure) port number to use for the Authentication
Service, or press Enter to accept the default port of 8080.
You can disable the HTTP port later to enhance security. See “Disabling the
Authentication service non-SSL port on Tomcat” on page 164 for
instructions after configuring Entrust Identity Enterprise.
b The configuration script prompts you to provide the port number to use for
the Authentication Service HTTPS port:
Enter the Authentication Service HTTPS port number
(default is 8443):
Enter the HTTPS port number to use for the Authentication Service, or press
Enter to accept the default port of 8443.
c The configuration script prompts you to provide the port number to use for
the Authentication Service client-authenticated HTTPS port:
Enter the Authentication Service Client-Authenticated HTTPS
port number
(default is 8447):
Enter the client-authenticated HTTPS port number to use for the
Authentication Service, or press Enter to accept the default port of 8447.

Note:
If you are using the client-authenticated HTTPS port, you must import each CA
certificate that signed the client certificate being used for client-authenticated
SSL (or the client certificate itself) into the Entrust Identity Enterprise keystore.
See “Step 3: Obtain and import the root and all chain certificates using keytool”
on page 176, which describes how to import the root CA certificate. You can
extrapolate from these instructions how to import other, intermediate CA
certificates. Note that the referred-to instructions are part of a larger
procedure; you can ignore the rest of that procedure.

d The configuration script prompts you to provide the port number to use for
the Administration Services HTTPS port:
Enter the Administration Service HTTPS port number
(default is 8444):
Enter the HTTPS port number to use for the Administration Service, or press
Enter to accept the default port of 8444.
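Step 8 requires the four service ports to be unique on the host, and the corresponding Windows wizard fields carry the same requirement. The following Python script is an added example and is not part of this guide or of the Entrust software: given a planned port assignment, it reports any port given to more than one service and probes each port with a short-lived bind to detect ports already owned by another process (for instance a Tomcat that is still running). The default values are the ones shown in the configure.sh prompts; the service labels are the page's own names for the services.

```python
import socket
from typing import Dict, List

# Planned port assignment. The defaults are the values shown in the configure.sh
# prompts on this page; the labels are the page's own names for the services.
DEFAULT_PORTS: Dict[str, int] = {
    "Authentication Service HTTP": 8080,
    "Authentication Service HTTPS": 8443,
    "Authentication Service client-authenticated HTTPS": 8447,
    "Administration Service HTTPS": 8444,
}


def find_duplicate_ports(ports: Dict[str, int]) -> Dict[int, List[str]]:
    """Map each port that is assigned to more than one service to those services."""
    by_port: Dict[int, List[str]] = {}
    for service, port in ports.items():
        by_port.setdefault(port, []).append(service)
    return {port: names for port, names in by_port.items() if len(names) > 1}


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if a TCP listener can be bound to host:port right now.

    A failed bind means another process already owns the port. The probe socket
    is closed as soon as the check is done, so nothing is left listening.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return False
    return True


def check_service_ports(ports: Dict[str, int], host: str = "0.0.0.0") -> List[str]:
    """Return human-readable problems with the planned assignment; empty means safe."""
    problems: List[str] = []
    for port, services in sorted(find_duplicate_ports(ports).items()):
        problems.append(
            f"port {port} is assigned to more than one service: {', '.join(services)}"
        )
    for service, port in ports.items():
        # Range check first: bind() raises OverflowError, not OSError, for bad ports.
        if not 1 <= port <= 65535:
            problems.append(f"{service}: {port} is not a valid TCP port")
        elif not port_is_free(port, host):
            problems.append(f"{service}: port {port} is already in use on this host")
    return problems


if __name__ == "__main__":
    issues = check_service_ports(DEFAULT_PORTS)
    print("\n".join(issues) if issues else "All service ports are unique and free.")
```

Run it on the replica host before answering the port prompts; a port reported as in use usually means the previous Entrust Identity Enterprise instance or another web server is still listening and must be stopped or given a different port.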
9 For the embedded Tomcat application server, the configuration script will create
a self-signed certificate. This certificate will be used to secure communications on
the HTTPS ports:
Entrust Identity Enterprise will create a self-signed certificate
for SSL communication.
You can switch the self-signed certificate to a CA-signed certificate later as
described in “Switching to a CA-signed certificate using keytool” on page 171.
a The configuration script displays the host name of the server, and asks if you
want to use that host name for the Entrust Identity Enterprise service URLs
and the self-signed SSL certificate:
The hostname to be used in the service URLs and the SSL
certificate is domain.example.com.
Do you want to use this hostname? [yes or no]
To use the host name for the Entrust Identity Enterprise service URLs and as
the subject DN in the self-signed SSL certificate, enter yes. To use a different
host name, enter no.
b If you entered no to change the host name, the configuration script prompts
you to provide the host name to use:
Enter the hostname to use:
Enter the host name to use for the service URLs and self-signed SSL
certificate.

c The configuration script prompts you to set the lifetime of the self-signed
certificate:
Enter the lifetime in days of the certificate (default is 365):
Enter a lifetime (in days) for the self-signed certificate, or press Enter to
accept the default lifetime of 365 days.
d Entrust Identity Enterprise automatically exports a copy of the self-signed
certificate to a file. The configuration script displays the full path and file
name of the certificate file:
Certificate stored in file
</opt/entrust/identityguard130/etc/identityguard.cer>
Within the keystore, the self-signed certificate and private key are stored
under the alias tomcat.
10 You are prompted to configure Entrust Identity Enterprise logs:
LOG CONFIGURATION
a The configuration script asks if you want Entrust Identity Enterprise to log
messages to files or syslog:
Should Entrust Identity Enterprise log to files or syslog (FILE
or SYSLOG):
– To log messages to files, enter FILE.
Entrust Identity Enterprise displays the location of the files. For example:
Logs will be stored in
/opt/entrust/identityguard130/logs.
– To log messages to syslog, enter SYSLOG.
b If you chose to log messages to syslog, Entrust Identity Enterprise prompts
you for the syslog host name:
Enter the syslog host name (default is localhost):
Enter the host name of the syslog server, or press Enter if the syslog host is
the local host (the server hosting Entrust Identity Enterprise).
c If you chose to log messages to syslog, Entrust Identity Enterprise displays a
message, telling you to ensure that syslog on the specified host is configured
to accept Entrust Identity Enterprise logs:
Ensure that syslog on localhost is configured to accept Entrust
Identity Enterprise logs.
Ensure that syslog on the specified server is configured to accept logs from
Entrust Identity Enterprise.
See the Entrust Identity Enterprise Server Administration Guide for more
information about logging.
11 The configuration script finishes configuring Entrust Identity Enterprise and asks
if you want to initialize Entrust Identity Enterprise:

Configuration complete.

Do you wish to initialize the primary system? [yes or no]


• To initialize Entrust Identity Enterprise later using the master user shell, enter
no.
• To initialize Entrust Identity Enterprise immediately using the configuration
script, enter yes.
You have configured Entrust Identity Enterprise as a replica server. You must initialize
Entrust Identity Enterprise before you can begin using Entrust Identity Enterprise. An
uninitialized Entrust Identity Enterprise does not function. To begin initializing Entrust
Identity Enterprise, proceed to “Initializing a replica Entrust Identity Enterprise Server
or server restored from a backup” on page 140.

Replicating master keys on HSMs
If you are using HSMs with your replica servers, you must replicate the Entrust
Identity Enterprise master keys stored on the primary server’s HSM to all replica
HSMs. HSMs usually offer dedicated tools to perform this key replication. Consult
your HSM vendor’s documentation for details.

5
Initializing Entrust Identity Enterprise
After you configure Entrust Identity Enterprise, you must initialize it. You must
initialize Entrust Identity Enterprise before you can begin using Entrust Identity
Enterprise. An uninitialized Entrust Identity Enterprise does not function.

Attention:
If you are reinitializing Entrust Identity Enterprise, you will lose access to all stored
information in the repository (such as user accounts, cards, and groups), and all
settings will be reset to their default values.

This chapter contains the following sections:


• “Initializing a primary Entrust Identity Enterprise Server” on page 112
• “Initializing a replica Entrust Identity Enterprise Server or server restored from
a backup” on page 140
• “Troubleshooting initialization failures” on page 147
• “Creating the first administrator manually” on page 148

Initializing a primary Entrust Identity
Enterprise Server
Initializing a primary Entrust Identity Enterprise Server creates master keys, a default
group and policy, and the various default roles. The identityguard.properties
file specifies two files that are used to store the keys that protect the repository and
the master users. The files that store this information are:
• masterkeys.enc
This Entrust Identity Enterprise master keys file contains the encryption keys
that protect the repository.
When using an HSM, this file still exists, but instead it contains all the data
required to validate the master user passwords and get access to the keys
stored on the HSM.
• masterkeys.kpf
This Entrust Identity Enterprise key protection file contains an obfuscation
key, which is used to encrypt the three master user passwords that are stored
in the file.
The contents of the master keys file can be unlocked by a master user. The contents
of the key protection file provide access to the master user passwords. This access can
then be used to unlock the master keys file.
This section contains the following topics:
• “Initializing a primary Entrust Identity Enterprise Server on Windows” on
page 112
• “Initializing a primary Entrust Identity Enterprise Server on Linux” on
page 126

Initializing a primary Entrust Identity Enterprise Server on Windows
After you configure Entrust Identity Enterprise, you must initialize it. You must
initialize Entrust Identity Enterprise before you can begin using Entrust Identity
Enterprise. An uninitialized Entrust Identity Enterprise does not function.
To initialize Entrust Identity Enterprise as a primary server, all three Master Users must
choose and enter their own unique and private passwords.
Initializing Entrust Identity Enterprise as a primary server requires an installation
key and an activation key. You should have already received the installation key and
activation key from Entrust.
You can initialize Entrust Identity Enterprise using the Configuration Wizard or the
master user shell. You can initialize Entrust Identity Enterprise using the Configuration

Wizard only if you selected Initialize the Entrust Identity Enterprise System now at
the end of the configuration.

Note:
Do not immediately initialize Entrust Identity Enterprise using the Configuration
Wizard if you are using an HSM. You cannot initialize Entrust Identity Enterprise
using the wizard; you must initialize Entrust Identity Enterprise using the master
user shell.

This topic contains the following procedures:


• “To initialize a primary Entrust Identity Enterprise Server on Windows using
the Configuration Wizard” on page 113
• “To initialize a primary Entrust Identity Enterprise Server on Windows using
the master user shell” on page 118

To initialize a primary Entrust Identity Enterprise Server on Windows using
the Configuration Wizard
1 When configuring Entrust Identity Enterprise as a primary server (see
“Configuring Entrust Identity Enterprise as a primary server on Windows” on
page 54):
a On the Finish page, select Initialize the Entrust Identity Enterprise System
now.
b Click Finish.
2 If you have previously initialized Entrust Identity Enterprise, the following
warning appears:

If you are reinitializing Entrust Identity Enterprise, you will lose access to all stored
information in the repository (such as user accounts, cards, and groups), and all
settings will be reset to their default values.
Click Yes to overwrite the previously-initialized Entrust Identity Enterprise.
3 The Entrust Identity Enterprise Primary System Initialization dialog box appears.

Note:
To cancel initialization, click Cancel. If you cancel initialization, all information
you have entered will be lost.

a In the Entrust Identity Enterprise installation key field, enter your Entrust
Identity Enterprise installation key.
b In the Entrust Identity Enterprise activation key field, enter your Entrust
Identity Enterprise activation key.
c Click Validate to validate the license information.

Note:
If the Validate button does not work, consult the Entrust knowledge base at
https://trustedcare.entrust.com for troubleshooting tips.

If the Entrust Identity Enterprise license information is validated, the master
user password fields become enabled. A warning message appears if the
license information does not validate.
d Under Master User Information, enter and confirm a password for each of
the three master users (Master1, Master2, and Master3).
Each password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.

Attention:
Master passwords are very important. Without them, it is impossible to upgrade
Entrust Identity Enterprise, migrate between platforms, restore from backup, or
create replica servers. Therefore, record your master passwords and keep them in
a safe place.

e Click Initialize.
4 A confirmation dialog box appears.

Note:
If an error message appears informing you that initialization failed, see
“Troubleshooting initialization failures” on page 147.

Click OK.
5 The First Administrator Creation dialog box appears:

To access the Entrust Identity Enterprise Administration interface or Entrust
Identity Enterprise Properties Editor, administrators require an Entrust Identity
Enterprise user name and password. By default, no users exist in Entrust Identity
Enterprise.
You can create the first administrative user during initialization. The first
administrator is assigned the predefined superuser role. The Configuration
Wizard will prompt you to provide a user ID and password for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
• To create the first administrator now, click Yes.
• To create the first administrator later, click No.
6 If you clicked Yes to create the first administrator:

a The Entrust Identity Enterprise First Administrator Creation dialog box
appears:

b In the Enter the administrator ID field, enter a user ID for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
c In the Enter password for the first administrator field, enter a password for
the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.
d In the Confirm password for the first administrator field, enter the password
again to confirm the password.
e (Optional) Deselect Change Is Required On First Usage if you do not want
the first administrator to change their password when they first log in to the
Entrust Identity Enterprise.
f Click Create.
g If the administrator is successfully created, a success message appears.

Click OK.

7 The Entrust Identity Enterprise Service Manager dialog box appears.

• To start the Entrust Identity Enterprise service later, enter No.


• To start the Entrust Identity Enterprise service immediately, enter Yes.
If the service was started successfully, a success message appears.

You have now initialized Entrust Identity Enterprise Server as a primary server on
Windows.
If you want to use the Entrust Identity Enterprise sample application, proceed to
“Using the sample application” on page 265.
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

To initialize a primary Entrust Identity Enterprise Server on Windows using
the master user shell
1 If you are reinitializing an Entrust Identity Enterprise system:
• If you are using an LDAP repository, you must manually remove the
<IG_HOME>/etc/fpcr folder, typically:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/fpcr
• If you are using an LDAP repository, you must manually remove the
<IG_HOME>/etc/ftkr folder, typically:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/ftkr
• Replace any encrypted values in the identityguard.properties file
(such as the repository user’s password) with clear text values, because
Entrust Identity Enterprise cannot decrypt the old values after it is
reinitialized.
In the identityguard.properties file, properties preceded with an
ampersand (&) have values that are encrypted or will be encrypted.
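Step 1 says that properties preceded with an ampersand hold values that are encrypted (or will be encrypted) and that those values must be replaced with clear text before reinitialization, because the reinitialized system can no longer decrypt them. The following Python script is an added example and is not part of this guide or of the Entrust software: it parses a file in Java .properties syntax (comments, = or : separators, backslash line continuations) and lists the &-marked properties so they can be reviewed before the master user shell is run. The embedded sample is constructed; apart from identityguard.webadmin.directConnection, which the page names, its property names and values are placeholders.

```python
import re
import sys
from typing import Dict, Iterator, List

# Constructed sample. Only identityguard.webadmin.directConnection is a property
# named on this page; the other names and values are placeholders.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real identityguard.properties file
identityguard.webadmin.directConnection=false
&example.repository.password=ENCRYPTED-PLACEHOLDER-1
&example.ldap.bindPassword=ENCRYPTED-\\
    PLACEHOLDER-2
example.log.target=FILE
"""

# key, optional '=' or ':' separator, value (anything up to end of line)
_KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield lines with Java-style trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.lstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]  # drop the continuation marker and keep reading
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: '#'/'!' comments, '=' or ':' separators.

    Keys are returned exactly as written, so the leading '&' that marks an
    encrypted value stays attached for the caller to inspect.
    """
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        if not line or line[0] in "#!":
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def encrypted_properties(text: str) -> List[str]:
    """Names (without the '&' marker) of properties whose values are, or will be, encrypted."""
    return sorted(key[1:] for key in parse_properties(text) if key.startswith("&"))


if __name__ == "__main__":
    # Pass the path to identityguard.properties to check a real file; with no
    # argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_PROPERTIES
    for name in encrypted_properties(text):
        print(f"replace with clear text before reinitializing: &{name}")
```

The script only reports; it does not edit the file, since the clear-text replacement values (such as the repository user's password) have to come from the administrator. Once reinitialization completes, the &-marked properties are encrypted again by Entrust Identity Enterprise, as the page describes.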
2 Open the Master User Shell:
• On Microsoft Windows Server 2019 or 2016, click the Windows button, expand
Entrust Identity Enterprise in the list of applications, then click Master User
Shell.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Master User Shell.
When viewing by name or category, Master User Shell is listed under Entrust
Identity Enterprise.
3 Enter the following command:
init [(-sernum <num> [-installKey <key> -actKey <key>])] [-force] [-overwrite]
[-createAdmin [-skip|(<userid> [<password> [<adminPasswordChangeRequired>]])]]
[-useCryptoHardware [true|false]]
Attributes in square brackets are optional attributes. Attributes separated by a
vertical bar are mutually exclusive attributes. The following table describes the
init command attributes.

Table 10: init command attributes

-sernum <num>
Starts the card serial numbers at a specific number, where <num> is the
number. If not specified, it defaults to 1.

-installKey <key>
Specifies the installation key, where <key> is the installation key. If this
attribute is not specified, the master user shell prompts you to enter the
installation key.

-actKey <key>
Specifies the activation key, where <key> is the activation key. If this
attribute is not specified, the master user shell prompts you to enter the
activation key.

-force
Suppresses prompts asking you to confirm an operation. For example, if you
want to force an overwrite:
init -force -overwrite
The master user shell will not ask you to confirm that you want to overwrite
the Entrust Identity Enterprise system.

-overwrite
Overwrites the key protection file (masterkeys.kpf) if a key protection file
exists. A key protection file will not exist if the Entrust Identity Enterprise
Server has never been initialized. If you are re-initializing an Entrust
Identity Enterprise Server, a key protection file will exist.
Attention: If you specify this attribute, your entire system will be
overwritten, the data in the repository will be overwritten, and you will no
longer be able to access the system. Only specify this attribute when you want
to overwrite an existing system. Never use this command on any system (primary
or replica) you do not want to overwrite.
If this attribute is not specified and a key protection file exists, the key
protection file will not be overwritten and initialization will fail.

-createAdmin [-skip|(<userid> [<password> [<adminPasswordChangeRequired>]])]
Specifies whether to create an administrator with the superuser role. Where:
• <userid> is a unique user ID for the administrator. If not specified, the
master user shell prompts you to provide a user ID.
• <password> is a password for the administrator. If not specified, the master
user shell prompts you to provide a password.
• <adminPasswordChangeRequired> controls whether the first administrator must
change their password when they first log in to Entrust Identity Enterprise. If
you set <adminPasswordChangeRequired> to true or TRUE, the first administrator
must change their password when they first log in. If you set it to false or
FALSE, the first administrator does not need to change their password when they
first log in.
If you choose to create an administrator and the repository is a directory
(Active Directory, AD LDS, or LDAP directory), the administrator must already
exist in the directory, and must exist in the same search base as the Entrust
Identity Enterprise policy user.
If this attribute is not specified, the master user shell asks if you want to
create an administrator.

-useCryptoHardware [true|false]
Specifies whether to store the Entrust Identity Enterprise master keys on a
Hardware Security Module (true) or encrypted on the local file system (false).
If this attribute is not specified, the master user shell asks if you want to
use cryptographic hardware to store the master keys. If you specify this
attribute but not true or false, it defaults to true (the master keys will be
stored on an HSM).

4 If you specified the -overwrite attribute, but not the -force attribute, and an
existing system was detected, the master user shell asks if you want to confirm
that you want to overwrite the system:
An existing system has been detected. Overwriting an existing
system will mean the existing data can no longer be accessed.
Are you sure you want to overwrite the existing system? (y/n) [n]:

If you are reinitializing Entrust Identity Enterprise, you will lose access to all stored
information in the repository (such as user accounts, cards, and groups), and all
settings will be reset to their default values.
Enter y to confirm that you want to overwrite the existing system and initialize a
new system.
5 If you did not specify the -installKey <key> attribute, the master user shell
prompts you to provide the installation key.
Enter install key:
Enter the installation key provided to you by Entrust.
6 If you did not specify the -actKey <key> attribute, the master user shell
prompts you to provide the activation key.
Enter activation key:
Enter the activation key provided to you by Entrust.
Entrust Identity Enterprise will attempt to validate the installation key and
activation key. If the keys are successfully validated, initialization can continue. If
the keys do not validate, you are prompted to provide the installation key and
activation key again. Initialization will fail if you enter incorrect keys three times
in a row.
7 If you did not specify the -useCryptoHardware attribute, the master user shell
asks you if you want to store the Entrust Identity Enterprise master keys on a
Hardware Security Module (HSM):
Do you want to store the master keys on a hardware security
module? (y/n) [n]:
• To store the master keys on an HSM, enter y.
• To store the master keys encrypted on the local file system, enter n.
8 If you are storing the master keys on an HSM:
a The master user shell prompts you to provide the path to the PKCS #11
library file:
Enter path to PKCS #11 library:
Enter the full path and file name of the PKCS #11 driver library file for your
HSM. Typically, the driver is bundled in the software package that comes
with your HSM.
If you ever need to change the library file after specifying it here, you must
exit the master user shell and begin the initialization process again with the
new library. This applies to both primary and replica system initialization.
b The master user shell displays one of the following prompts:

122 Entrust Identity Enterprise 13.0 Installation Guide Document issue: 12


Report any errors or omissions
– If more than one slot is on the HSM, the master user shell lists the slots and
asks you to select which slot to use to store the master keys:
Which slot will be used to store the master keys?
Enter the number associated with the slot you want to use to store the
master keys.
– If the HSM has only one slot, the master user shell lists the slot and asks you
if you want to use the slot to store the master keys:
Would you like to use this slot to store the master keys?
(y/n)
To accept the slot, enter y.
c The master user shell asks you to provide the HSM password that you
created when you initialized the HSM. Enter the password.
9 The master user shell prompts you to enter and confirm a password for each of
the three master users (Master1, Master2, and Master3).
Each password must contain at least eight characters, and must include at least
one uppercase character, one lowercase character, and one number.

Attention:
Master passwords are very important. Without them, it is impossible to upgrade
Entrust Identity Enterprise, migrate between platforms, restore from backup, or
create replica servers. Therefore, record your master passwords and keep them in
a safe place.

a The master user shell prompts you to provide a password for Master 1:
Enter a new password for Master1.
Password:
Enter a password for Master1.
b The master user shell prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
c The master user shell prompts you to provide a password for Master 2:
Enter a new password for Master2.
Password:
Enter a password for Master2.
d The master user shell prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.

e The master user shell prompts you to provide a password for Master 3:
Enter a new password for Master3.
Password:
Enter a password for Master3.
f The master user shell prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
10 If you did not specify the -createAdmin attribute, the master user shell asks if
you want to create the first administrator:
Do you want to create the first administrator? (y/n) [y]:
To access the Entrust Identity Enterprise Administration interface or Entrust
Identity Enterprise Properties Editor, administrators require an Entrust Identity
Enterprise user name and password. By default, no users exist in Entrust Identity
Enterprise.
You can create the first administrative user during initialization. The first
administrator is assigned the predefined superuser role. The master user shell will
prompt you to provide a user ID and password for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
• To create the first administrator now, enter y.
• To create the first administrator later, enter n.
11 If you chose to create an administrator:
a If you did not specify the <userid> attribute, the master user shell prompts
you to provide the unique user ID of the administrator:
Enter administrator ID:
Enter a user ID for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
b If you did not specify the <password> attribute, the master user shell
prompts you to provide a password for the administrator:
Password:
Enter a password for the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.
c If you did not specify the <password> attribute, the master user shell
prompts you to confirm the password:

Confirm:
Enter the password again to confirm the password.
d The master user shell asks if you want to change the administrator password
on first usage:
Do you want to change the administrator password on first usage
(y/n) [y]:
Enter y or n based on your requirements.
y: The first administrator must change their password the first time they log
in to Entrust Identity Enterprise through the Identity Enterprise Administration
interface.
n: The first administrator does not need to change their password the first
time they log in to Entrust Identity Enterprise through the Identity Enterprise
Administration interface.
The default is y, if you press Enter directly and do not enter a value.
12 If the system initializes successfully, the following prompt appears:
System initialized.
If you are using an HSM, the master keys have been generated and stored in the
HSM. All cryptographic operations using these keys are now performed within
the HSM.

Attention:
If the master keys are stored on an HSM, the HSM must be available at all times
or Entrust Identity Enterprise will stop working.

13 Back up the masterkeys.enc file (the master keys file). If this file is lost, the
system cannot be recovered.
Do not back up the key protection file (masterkeys.kpf) because this file is
unique to each server.
You have now initialized Entrust Identity Enterprise Server as a primary server on
Windows.
If you want to use the Entrust Identity Enterprise sample application, proceed to
“Using the sample application” on page 265.
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

Initializing a primary Entrust Identity Enterprise Server on
Linux
After you configure Entrust Identity Enterprise, you must initialize it before you
can begin using it. To initialize Entrust Identity Enterprise, all three Master Users
must each choose and enter their own unique and private passwords.
Initializing Entrust Identity Enterprise Server as a primary server requires an
installation key and an activation key. You should have already received the
installation key and activation key from Entrust.
You can initialize Entrust Identity Enterprise using the configuration script or the
master user shell. You can initialize Entrust Identity Enterprise using the configuration
script only if you entered yes to the prompt Do you wish to initialize the
primary system? at the end of the configuration.
This topic contains the following procedures:
• “To initialize a primary Entrust Identity Enterprise Server on Linux using the
configuration script” on page 126
• “To initialize a primary Entrust Identity Enterprise Server on Linux using the
master user shell” on page 133

To initialize a primary Entrust Identity Enterprise Server on Linux using the
configuration script
1 When configuring Entrust Identity Enterprise as a primary server (see
“Configuring Entrust Identity Enterprise as a primary server on Linux” on
page 73):
a When prompted:
Do you wish to initialize the primary system? [yes or no]
Enter yes to initialize Entrust Identity Enterprise immediately using the
configuration script.
b The configuration script begins the initialization process:
PRIMARY SYSTEM INITIALIZATION
2 If an existing system was detected, the master user shell asks you to confirm that
you want to overwrite the system:
An existing system has been detected. Overwriting an existing
system will mean the existing data can no longer be accessed.
Are you sure you want to overwrite the existing system? (y/n) [n]:
If you are reinitializing Entrust Identity Enterprise, you will lose access to all stored
information in the repository (such as user accounts, cards, and groups), and all
settings will be reset to their default values.

Enter y to confirm that you want to overwrite the existing system and initialize a
new system.
3 The configuration script prompts you to provide the installation key:
Enter install key:
Enter the installation key provided to you by Entrust.
4 The configuration script prompts you to provide the activation key:
Enter activation key:
Enter the activation key provided to you by Entrust.
Entrust Identity Enterprise will attempt to validate the installation key and
activation key. If the keys are successfully validated, initialization can continue. If
the keys do not validate, you are prompted to provide the installation key and
activation key again. Initialization will fail if you enter incorrect keys three times
in a row.
5 The configuration script asks you if you want to store the Entrust Identity
Enterprise master keys on a Hardware Security Module (HSM):
Do you want to store the master keys on a hardware security
module? (y/n) [n]:
• To store the master keys on an HSM, enter y.
• To store the master keys encrypted on the local file system, enter n.
6 If you are storing the master keys on an HSM:
a The configuration script prompts you to provide the path to the PKCS #11
library file:
Enter path to PKCS #11 library:
Enter the full path and file name of the PKCS #11 driver library file for your
HSM. Typically, the driver is bundled in the software package that comes
with your HSM.
If you ever need to change the library file after specifying it here, you must
exit the master user shell and begin the initialization process again with the
new library. This applies to both primary and replica system initialization.
b The configuration script displays one of the following prompts:
– If more than one slot is on the HSM, the configuration script lists the slots
and asks you to select which slot to use to store the master keys:
Which slot will be used to store the master keys?
Enter the number associated with the slot you want to use to store the
master keys.

– If the HSM has only one slot, the configuration script lists the slot and asks
you if you want to use the slot to store the master keys:
Would you like to use this slot to store the master keys?
(y/n)
To accept the slot, enter y.
c The configuration script asks you to provide the HSM password that you
created when you initialized the HSM.
Enter the HSM password.
7 The configuration script prompts you to enter and confirm a password for each
of the three master users (Master1, Master2, and Master3).
Each password must contain at least eight characters, and must include at least
one uppercase character, one lowercase character, and one number.

Attention:
Master passwords are very important. Without them, it is impossible to upgrade
Entrust Identity Enterprise, migrate between platforms, restore from backup, or
create replica servers. Therefore, record your master passwords and keep them in
a safe place.

a The configuration script prompts you to provide a password for Master 1:
Enter a new password for Master1.
Password:
Enter a password for Master1.
b The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
c The configuration script prompts you to provide a password for Master 2:
Enter a new password for Master2.
Password:
Enter a password for Master2.
d The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
e The configuration script prompts you to provide a password for Master 3:
Enter a new password for Master3.
Password:

Enter a password for Master3.
f The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
8 The configuration script asks if you want to create the first administrator:
Do you want to create the first administrator? (y/n) [y]:
To access the Entrust Identity Enterprise Administration interface or Entrust
Identity Enterprise Properties Editor, administrators require an Entrust Identity
Enterprise user name and password. By default, no users exist in Entrust Identity
Enterprise.
You can create the first administrative user during initialization. The first
administrator is assigned the predefined superuser role. The master user shell will
prompt you to provide a user ID and password for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
• To create the first administrator now, enter y.
• To create the first administrator later, enter n.
9 If you chose to create an administrator:
a The configuration script prompts you to provide the unique user ID of the
administrator:
Enter administrator ID:
Enter a user ID for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
b The configuration script prompts you to provide a password for the
administrator:
Password:
Enter a password for the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.
c The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
d The configuration script asks if you want to change the administrator
password on first usage:

Do you want to change the administrator password on first usage
(y/n) [y]:
Enter y or n based on your requirements.
y: The first administrator must change their password the first time they log
in to Entrust Identity Enterprise through the Identity Enterprise Administration
interface.
n: The first administrator does not need to change their password the first
time they log in to Entrust Identity Enterprise through the Identity Enterprise
Administration interface.
The default is y, if you press Enter directly and do not enter a value.
10 If the system initializes successfully, the following prompt appears:
System initialized.
If you are using an HSM, the master keys have been generated and stored in the
HSM. All cryptographic operations using these keys are now performed within
the HSM.

Attention:
If the master keys are stored on an HSM, the HSM must be available at all times
or Entrust Identity Enterprise will stop working.

11 The configuration script asks you if you want to set up the sample application:
Do you wish to setup the sample application? [yes or no]
The Entrust Identity Enterprise sample application is a Web application designed
to demonstrate the various features of Entrust Identity Enterprise.
The sample application is intended for test environments or proof-of-concept
environments. You should never install the sample application in a production
environment.
The sample application runs using an Entrust Identity Enterprise user account.
The configuration script will prompt you for a user ID and password for the user
account. The configuration script will create a role named samplerole, a policy
named samplepolicy, and a group named samplegroup for the user.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the sample application user account must already exist in the
directory, and must exist in the same search base as the Entrust Identity
Enterprise policy user.
• To set up the sample application, enter yes.
• To not set up the sample application, enter no.
12 If you chose to set up the sample application using the configuration script:

a If the configuration script detects that the sample application was set up
previously, it asks if you want to continue:
/opt/entrust/identityguard130/etc/igsample.properties file already exists.
Do you wish to continue? [yes or no]
Enter yes to continue.
b The configuration script displays information about the Entrust Identity
Enterprise user account that will run the sample application, and prompts you
to provide a user ID for the user account:
Setting up Entrust Identity Enterprise Sample
The Entrust Identity Enterprise Sample requires an
administrator. A role called samplerole, a policy called
samplepolicy and a group called samplegroup will be created.
The administrator will be created in the samplegroup and have
access to the samplegroup. If you are using an LDAP
repository, an entry must already exist for the administrator.
WARNING: The password for the sample administrator will be
stored in cleartext in the file
$IDENTITYGUARD_HOME/etc/igsample.properties until the Entrust
Identity Enterprise Sample is started. When the Sample is first
started it will encrypt the password.
Enter the adminid for Sample administrator:
Enter a user ID for the sample administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
c The configuration script prompts you to provide a password for the sample
administrator:
Enter the password for Sample administrator:
Enter a password for the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.
d The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
e A master user must log in to complete the setup. The configuration script
prompts you to provide a master user name:
A master user must login to complete the setup.
You must login to perform this command.
Userid:

Enter the name of a master user (Master1, Master2, Master3).
f The configuration script prompts you to provide the password for the master
user:
Password:
Enter the password of the master user.
g If the setup was successful, the configuration script displays a success message:
Setup of Entrust Identity Enterprise Sample was successful.
h The configuration script asks if you want to enable the sample service:
Do you want to enable the sample service? [yes or no]
You must enable the sample application before you can use it.
– To enable the sample application, enter yes.
– To leave the sample application disabled for now, enter no. You can manually
enable the sample application later.
13 The configuration script asks if you want to start the Entrust Identity Enterprise
services:
Do you wish to start the Entrust Identity Enterprise services?
[yes or no]
• To start the Entrust Identity Enterprise services later, enter no.
The configuration script displays a message stating that you can start the
services later by running the identityguard.sh script:
You can start the services later by running "identityguard.sh
start"
• To start the Entrust Identity Enterprise services immediately, enter yes.
14 Back up the masterkeys.enc file (the master keys file). If this file is lost, the
system cannot be recovered.
Do not back up the key protection file (masterkeys.kpf) because this file is
unique to each server.
You have now initialized Entrust Identity Enterprise Server as a primary server on
Linux.
If you want to use the Entrust Identity Enterprise sample application, proceed to
“Using the sample application” on page 265.
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

To initialize a primary Entrust Identity Enterprise Server on Linux using the
master user shell
1 If you are reinitializing an Entrust Identity Enterprise system:
• If you are using an LDAP repository, you must manually remove the
$IG_HOME/etc/fpcr and $IG_HOME/etc/ftkr folders, typically:
/opt/entrust/identityguard130/etc/fpcr
/opt/entrust/identityguard130/etc/ftkr
• Replace any encrypted values in the identityguard.properties file
(such as the repository user’s password) with clear text values, because
Entrust Identity Enterprise cannot decrypt the old values after it is
reinitialized.
In the identityguard.properties file, properties preceded with an
ampersand (&) have values that are encrypted or will be encrypted.
2 Open the master user shell:
a Switch to the Linux user account that owns the Entrust Identity Enterprise
Server installation.
b Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
c Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
d Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
e Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust Identity Enterprise version number
appear, followed by a command prompt.
3 Enter the following command:
init [(-sernum <num> [-installKey <key> -actKey <key>])] [-force]
[-overwrite] [-createAdmin [-skip|(<userid> [<password>
[<adminPasswordChangeRequired>]])]] [-useCryptoHardware
[true|false]]

Attributes in square brackets are optional attributes. Attributes separated by a
vertical bar are mutually exclusive attributes. The following table describes the
init command attributes.

Table 11: init command attributes

-sernum <num>
Starts the card serial numbers at a specific number, where <num> is the
number. If not specified, it defaults to 1.

-installKey <key>
Specifies the installation key, where <key> is the installation key. If this
attribute is not specified, the master user shell prompts you to enter the
installation key.

-actKey <key>
Specifies the activation key, where <key> is the activation key. If this
attribute is not specified, the master user shell prompts you to enter the
activation key.

-force
Suppresses prompts asking you to confirm an operation. For example, if you
want to force an overwrite:
init -force -overwrite
The master user shell will not ask you to confirm that you want to overwrite
the Entrust Identity Enterprise system.

-overwrite
Overwrites the key protection file (masterkeys.kpf) if a key protection file
exists. A key protection file will not exist if the Entrust Identity Enterprise
Server has never been initialized. If you are re-initializing an Entrust
Identity Enterprise Server, a key protection file will exist.
Attention: If you specify this attribute, your entire system will be
overwritten, the data in the repository will be overwritten, and you will no
longer be able to access the existing data. Only specify this attribute when
you want to overwrite an existing system. Never use this attribute on any
system (primary or replica) you do not want to overwrite.
If this attribute is not specified and a key protection file exists, the key
protection file will not be overwritten and initialization will fail.

-createAdmin [-skip|(<userid> [<password> [<adminPasswordChangeRequired>]])]
Specifies whether to create an administrator with the superuser role
(-createAdmin [-skip|(<userid> [<password> [<adminPasswordChangeRequired>]])]),
or to skip creating an administrator (-createAdmin -skip).
Where:
• <userid> is a unique user ID for the administrator. If not specified, the
master user shell prompts you to provide a user ID.
• <password> is a password for the administrator. If not specified, the
master user shell prompts you to provide a password.
• <adminPasswordChangeRequired> controls whether the first administrator
must change their password when they first log in to Entrust Identity
Enterprise. Set it to true or TRUE to require the change on first login, or
to false or FALSE so that the first administrator does not need to change
their password when they first log in.
If you choose to create an administrator and the repository is a directory
(Active Directory, AD LDS, or LDAP directory), the administrator must already
exist in the directory, and must exist in the same search base as the Entrust
Identity Enterprise policy user.
If this attribute is not specified, the master user shell asks if you want to
create an administrator.

-useCryptoHardware [true|false]
Specifies whether to store the Entrust Identity Enterprise master keys on a
Hardware Security Module (true) or encrypted on the local file system (false).
If this attribute is not specified, the master user shell asks if you want to
use cryptographic hardware to store the master keys. If you specify this
attribute but not true or false, it defaults to true (the master keys will be
stored on an HSM).

4 If you specified the -overwrite attribute, but not the -force attribute, and an
existing system was detected, the master user shell asks you to confirm that you
want to overwrite the system:
An existing system has been detected. Overwriting an existing
system will mean the existing data can no longer be accessed.
Are you sure you want to overwrite the existing system? (y/n) [n]:

If you are reinitializing Entrust Identity Enterprise, you will lose access to all stored
information in the repository (such as user accounts, cards, and groups), and all
settings will be reset to their default values.
Enter y to confirm that you want to overwrite the existing system and initialize a
new system.
5 If you did not specify the -installKey <key> attribute, the master user shell
prompts you to provide the installation key:
Enter install key:
Enter the installation key provided to you by Entrust.
6 If you did not specify the -actKey <key> attribute, the master user shell
prompts you to provide the activation key:
Enter activation key:
Enter the activation key provided to you by Entrust.
Entrust Identity Enterprise will attempt to validate the installation key and
activation key. If the keys are successfully validated, initialization can continue. If
the keys do not validate, you are prompted to provide the installation key and
activation key again. Initialization will fail if you enter incorrect keys three times
in a row.
7 If you did not specify the -useCryptoHardware attribute, the master user shell
asks you if you want to store the Entrust Identity Enterprise master keys on a
Hardware Security Module (HSM):
Do you want to store the master keys on a hardware security
module? (y/n) [n]:
• To store the master keys on an HSM, enter y.
• To store the master keys encrypted on the local file system, enter n.
8 If you are storing the master keys on an HSM:
a The master user shell prompts you to provide the path to the PKCS #11
library file:
Enter path to PKCS #11 library:
Enter the full path and file name of the PKCS #11 driver library file for your
HSM. Typically, the driver is bundled in the software package that comes
with your HSM.
If you ever need to change the library file after specifying it here, you must
exit the master user shell and begin the initialization process again with the
new library. This applies to both primary and replica system initialization.
b The master user shell displays one of the following prompts:

– If more than one slot is on the HSM, the master user shell lists the slots and
asks you to select which slot to use to store the master keys:
Which slot will be used to store the master keys?
Enter the number associated with the slot you want to use to store the
master keys.
– If the HSM has only one slot, the master user shell lists the slot and asks you
if you want to use the slot to store the master keys:
Would you like to use this slot to store the master keys?
(y/n)
To accept the slot, enter y.
c The master user shell asks you to provide the HSM password that you
created when you initialized the HSM.
Enter the HSM password.
9 The master user shell prompts you to enter and confirm a password for each of
the three master users (Master1, Master2, and Master3).
Each password must contain at least eight characters, and must include at least
one uppercase character, one lowercase character, and one number.

Attention:
Master passwords are very important. Without them, it is impossible to upgrade
Entrust Identity Enterprise, migrate between platforms, restore from backup, or
create replica servers. Therefore, record your master passwords and keep them in
a safe place.

a The master user shell prompts you to provide a password for Master 1:
Enter a new password for Master1.
Password:
Enter a password for Master1.
b The master user shell prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
c The master user shell prompts you to provide a password for Master 2:
Enter a new password for Master2.
Password:
Enter a password for Master2.
d The master user shell prompts you to confirm the password:
Confirm:

Enter the password again to confirm the password.
e The master user shell prompts you to provide a password for Master 3:
Enter a new password for Master3.
Password:
Enter a password for Master3.
f The master user shell prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
10 If you did not specify the -createAdmin attribute, the master user shell asks if
you want to create the first administrator:
Do you want to create the first administrator? (y/n) [y]:
To access the Entrust Identity Enterprise Administration interface or Entrust
Identity Enterprise Properties Editor, administrators require an Entrust Identity
Enterprise user name and password. By default, no users exist in Entrust Identity
Enterprise.
You can create the first administrative user during initialization. The first
administrator is assigned the predefined superuser role. The master user shell will
prompt you to provide a user ID and password for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
• To create the first administrator now, enter y.
• To create the first administrator later, enter n.
11 If you chose to create an administrator:
a If you did not specify the <userid> attribute, the master user shell prompts
you to provide the unique user ID of the administrator:
Enter administrator ID:
Enter a user ID for the administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
b If you did not specify the <password> attribute, the master user shell
prompts you to provide a password for the administrator:
Password:
Enter a password for the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.

138 Entrust Identity Enterprise 13.0 Installation Guide Document issue: 12
c If you did not specify the <password> attribute, the master user shell
prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
d The master user shell asks if you want to change the administrator password
on first usage:
Do you want to change the administrator password on first usage
(y/n) [y]:
Enter y or n based on your requirements.
y: The first administrator must change their password when logging in to
Entrust Identity Enterprise through the Identity Enterprise Administration
interface for the first time.
n: The first administrator does not need to change their password when
logging in to Entrust Identity Enterprise through the Identity Enterprise
Administration interface for the first time.
If you press Enter without entering a value, the default (y) is used.
12 If the system initializes successfully, the following prompt appears:
System initialized.
If you are using an HSM, the master keys have been generated and stored in the
HSM. All cryptographic operations using these keys are now performed within
the HSM.

Attention:
If the master keys are stored on an HSM, the HSM must be available at all times
or Entrust Identity Enterprise will stop working.

13 Back up the masterkeys.enc file (the master keys file). If this file is lost, the
system cannot be recovered.
Do not back up the key protection file (masterkeys.kpf) because this file is
unique to each server.
You have now initialized Entrust Identity Enterprise Server as a primary server on
Windows.
If you want to use the Entrust Identity Enterprise sample application, proceed to
“Using the sample application” on page 265
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

Initializing a replica Entrust Identity Enterprise
Server or server restored from a backup
The identityguard.properties file specifies two files that are used to store the
keys that protect the repository and the master users. The files that store this
information are:
• masterkeys.enc
This Entrust Identity Enterprise master keys file contains the encryption keys
that protect the repository.
When using an HSM, this file still exists, but instead it contains all the data
required to validate the master user passwords and get access to the keys
stored on the HSM.
• masterkeys.kpf
This Entrust Identity Enterprise key protection file contains an obfuscation
key, which is used to encrypt the three master user passwords that are stored
in the file.
The contents of the master keys file can be unlocked by a master user. The contents
of the key protection file provide access to the master user passwords. This access can
then be used to unlock the master keys file.
When you initialize a replica Entrust Identity Enterprise Server or an Entrust Identity
Enterprise configuration restored from a backup, an Entrust Identity Enterprise key
protection file (masterkeys.kpf) is created. The Entrust Identity Enterprise master
keys file (masterkeys.enc) was included in the backup file used to configure the
replica server or restore the Entrust Identity Enterprise configuration.
The primary and any replicas must use the same master keys. When a single HSM is
used, this can be achieved by having the primary and any replicas access the same
slot on that HSM. If different slots are to be used, or different HSMs are to be used,
then the keys must be exported from the HSM slot used by the primary and imported
into the HSM slot used by each replica. HSM vendors typically offer dedicated tools
to perform this key cloning or replication process. Consult the documentation for
your HSM.
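The backup step earlier in this chapter (back up masterkeys.enc, never masterkeys.kpf) and the two-file description above are easy to get wrong in a scripted backup job. As an added example (not part of the Entrust guide and not an Entrust tool), the following POSIX shell script performs that backup: it copies masterkeys.enc together with a SHA-256 checksum, refuses to carry the per-server masterkeys.kpf along, and can later verify that the copy is intact. The source and destination directories are assumed arguments; on a real server the master keys file lives wherever identityguard.properties points, and the demonstration at the end runs on constructed files, not real key material.

```shell
#!/bin/sh
# Added example: back up and verify the Entrust Identity Enterprise master keys file.
# Not part of the product. Directory arguments are assumptions; on a real server the
# source directory is the location configured in identityguard.properties.

# Print the SHA-256 digest of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_master_keys SRC_DIR DEST_DIR
# Copies SRC_DIR/masterkeys.enc to DEST_DIR and records its checksum. masterkeys.kpf
# is deliberately never copied: the key protection file is unique to each server.
backup_master_keys() {
    src_dir="$1"; dest_dir="$2"
    if [ ! -f "$src_dir/masterkeys.enc" ]; then
        echo "backup_master_keys: $src_dir/masterkeys.enc not found" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    cp "$src_dir/masterkeys.enc" "$dest_dir/masterkeys.enc" || return 1
    chmod 600 "$dest_dir/masterkeys.enc"
    # "<digest>  <name>" form, so the file stays usable with "sha256sum -c".
    printf '%s  masterkeys.enc\n' "$(sha256_of "$dest_dir/masterkeys.enc")" \
        > "$dest_dir/masterkeys.enc.sha256"
    if [ -e "$dest_dir/masterkeys.kpf" ]; then
        echo "backup_master_keys: warning, $dest_dir contains masterkeys.kpf; remove it" >&2
    fi
    return 0
}

# verify_master_keys_backup DEST_DIR
# Returns 0 when the backup holds an intact masterkeys.enc and no masterkeys.kpf.
verify_master_keys_backup() {
    dest_dir="$1"
    [ -f "$dest_dir/masterkeys.enc" ] || { echo "verify: masterkeys.enc missing" >&2; return 1; }
    [ -f "$dest_dir/masterkeys.enc.sha256" ] || { echo "verify: checksum file missing" >&2; return 1; }
    if [ -e "$dest_dir/masterkeys.kpf" ]; then
        echo "verify: backup must not contain masterkeys.kpf" >&2
        return 1
    fi
    expected=$(cut -d' ' -f1 "$dest_dir/masterkeys.enc.sha256")
    actual=$(sha256_of "$dest_dir/masterkeys.enc")
    if [ "$expected" != "$actual" ]; then
        echo "verify: masterkeys.enc checksum mismatch" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed files (not real key material).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
printf 'constructed, not real key material\n' > "$demo_root/etc/masterkeys.enc"
printf 'constructed, per-server file\n'       > "$demo_root/etc/masterkeys.kpf"
backup_master_keys "$demo_root/etc" "$demo_root/backup" \
    && verify_master_keys_backup "$demo_root/backup" \
    && echo "backup verified; contents: $(ls "$demo_root/backup" | tr '\n' ' ')"
rm -rf "$demo_root"
```

Run the verify step again before you rely on the copy during a restore; a backup whose checksum no longer matches, or that contains a masterkeys.kpf from another server, should be treated as unusable.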
This section contains the following topics:
• “Initializing a replica Entrust Identity Enterprise Server or server restored from
a backup on Windows” on page 141
• “Initializing a replica Entrust Identity Enterprise Server or server restored from
a backup on Linux” on page 145

Initializing a replica Entrust Identity Enterprise Server or server
restored from a backup on Windows
After you configure Entrust Identity Enterprise, you must initialize it before you can
begin using Entrust Identity Enterprise. An uninitialized Entrust Identity Enterprise
does not function.
To initialize Entrust Identity Enterprise as a replica server, or initialize an Entrust
Identity Enterprise Server restored from a backup, all three Master Users must enter
their passwords.
On Windows, you can initialize Entrust Identity Enterprise using the Configuration
Wizard or the master user shell. You can initialize Entrust Identity Enterprise using the
Configuration Wizard only if you selected Initialize the Entrust Identity Enterprise
System now at the end of the configuration.

Note:
If you are using an HSM, do not initialize Entrust Identity Enterprise using the
Configuration Wizard. With an HSM you must initialize Entrust Identity Enterprise
using the master user shell.

This topic contains the following procedures:


• “To initialize a replica Entrust Identity Enterprise Server on Windows using
the Configuration Wizard” on page 141
• “To initialize a replica Entrust Identity Enterprise Server on Windows using
the master user shell” on page 143

To initialize a replica Entrust Identity Enterprise Server on Windows using the
Configuration Wizard

1 When configuring Entrust Identity Enterprise as a replica server, or restoring an
Entrust Identity Enterprise Server from a backup:
a On the Finish page, select Initialize the Entrust Identity Enterprise System
now.
b Click Finish.

2 The Entrust Identity Enterprise Replica System Initialization dialog box appears.

Note:
To cancel initialization, click Cancel. If you cancel initialization, all information
you have entered will be lost.

a In the Password for Master1 field, enter the password of the master user
Master1.
b In the Password for Master2 field, enter the password of the master user
Master2.
c In the Password for Master3 field, enter the password of the master user
Master3.
d Click Initialize.
The configuration file is extracted from the backup file and updated with the
changes made in the Entrust Identity Enterprise Configuration wizard. File-based
repositories are disabled, and the Administration service and interface are
disabled if you selected that option. A new application server SSL certificate is
generated, and the primary server’s public key (SSL certificate) and the LDAP SSL
certificate (if it exists) are imported into the new keystore. The system is
initialized.

3 A confirmation dialog box appears.

Note:
If an error message appears informing you that initialization failed, see
“Troubleshooting initialization failures” on page 147.

Click OK.
You have now initialized Entrust Identity Enterprise Server on Windows.
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

To initialize a replica Entrust Identity Enterprise Server on Windows using the
master user shell

1 Open the master user shell:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
expand Entrust Identity Enterprise in the list of applications, then click Master
User Shell.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Master User Shell.
When viewing by name or category, Master User Shell is listed under Entrust
Identity Enterprise.
2 Enter the following command:
init -replica
3 If the primary Entrust Identity Enterprise server was initialized on a hardware
security module (HSM):
a The master user shell prompts you to confirm the full path to the PKCS #11
library driver. The default path is the library that you specified when you
initialized the primary server.
– If the path is correct, enter y.
– If the path is not correct, enter n and then specify the appropriate path
when prompted.
Typically, the PKCS #11 driver library is bundled in the software package that
comes with your HSM.
If you ever need to change the library file after specifying it here, you must
exit the Master user shell and begin the initialization process over again with
the new library. This applies to both primary and replica system initialization.
b The master user shell prompts you to confirm the HSM slot ID. The default
is the slot that you chose when you initialized the primary server.
– If the replica HSM uses the same slot ID, enter y.
– If the replica HSM uses a different slot ID, enter n and then specify the
correct slot when prompted.
c The master user shell asks you if the password required to access the HSM
on the replica server is the same password used on the primary server.
– If the password used to access the replica server’s HSM is the same
password used to access the primary server’s HSM, enter y.
– If the password used to access the replica server’s HSM is different from the
password used to access the primary server’s HSM, enter n and then enter the
correct password when prompted.
4 The master user shell prompts you to enter the password for each of the three
master users (Master1, Master2, and Master3).
a The master user shell prompts you to provide the password for Master 1:
Enter a new password for Master1.
Password:
Enter the password for Master1.
b The master user shell prompts you to provide the password for Master 2:
Enter a new password for Master2.
Password:
Enter the password for Master2.
c The master user shell prompts you to provide the password for Master 3:
Enter a new password for Master3.
Password:
Enter the password for Master3.
You have now initialized Entrust Identity Enterprise Server as a replica server on
Windows.
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

Initializing a replica Entrust Identity Enterprise Server or server
restored from a backup on Linux
After you configure Entrust Identity Enterprise, you must initialize it before you can
begin using Entrust Identity Enterprise. An uninitialized Entrust Identity Enterprise
does not function.
To initialize Entrust Identity Enterprise as a replica server, or initialize an Entrust
Identity Enterprise Server restored from a backup, all three Master Users must enter
their passwords.

To initialize a replica Entrust Identity Enterprise Server on Linux


1 If you did not choose to initialize Entrust Identity Enterprise immediately using
the configuration script:
a Switch to the Linux user account that owns Entrust Identity Enterprise Server.
b Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
c Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
d Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
e Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust Identity Enterprise version number
appear, followed by a command prompt.
f Enter the following command:
init -replica
2 If the primary Entrust Identity Enterprise server was initialized on a hardware
security module (HSM):
a The master user shell prompts you to confirm the full path to the PKCS #11
library driver. The default path is the library that you specified when you
initialized the primary server.
– If the path is correct, enter y.
– If the path is not correct, enter n and then specify the appropriate path
when prompted.
Typically, the PKCS #11 driver library is bundled in the software package that
comes with your HSM.
If you ever need to change the library file after specifying it here, you must
exit the Master user shell and begin the initialization process over again with
the new library. This applies to both primary and replica system initialization.
b The master user shell prompts you to confirm the HSM slot ID. The default
is the slot that you chose when you initialized the primary server.
– If the replica HSM uses the same slot ID, enter y.
– If the replica HSM uses a different slot ID, enter n and then specify the
correct slot when prompted.
c The master user shell asks you if the password required to access the HSM
on the replica server is the same password used on the primary server.
– If the password used to access the replica server’s HSM is the same
password used to access the primary server’s HSM, enter y.
– If the password used to access the replica server’s HSM is different from the
password used to access the primary server’s HSM, enter n and then enter the
correct password when prompted.
3 The master user shell prompts you to enter the password for each of the three
master users (Master1, Master2, and Master3).
a The master user shell prompts you to provide the password for Master 1:
Enter a new password for Master1.
Password:
Enter the password for Master1.
b The master user shell prompts you to provide the password for Master 2:
Enter a new password for Master2.
Password:
Enter the password for Master2.
c The master user shell prompts you to provide the password for Master 3:
Enter a new password for Master3.
Password:
Enter the password for Master3.
You have now initialized Entrust Identity Enterprise Server on Linux.
If you want to test Entrust Identity Enterprise, proceed to “Testing Entrust Identity
Enterprise” on page 151.

Troubleshooting initialization failures
Review the Entrust Identity Enterprise log files to identify the cause of the failure. By
default, you can find the log files in the following location:
• On Windows:
C:\Program Files\Entrust\IdentityGuard\identityguard130\logs
• On Linux:
/opt/entrust/identityguard130/logs
The most likely causes of an initialization failure:
• The Entrust Identity Enterprise properties file
(identityguard.properties) contains invalid values.
• Your repository is not configured correctly to work with Entrust Identity
Enterprise.
• The repository is not running.
For more information about Entrust Identity Enterprise error messages, see Entrust
Identity Enterprise Error Messages included with your documentation package.

Creating the first administrator manually
To access the Entrust Identity Enterprise Administration interface or Entrust Identity
Enterprise Properties Editor, administrators require an Entrust Identity Enterprise user
name and password.
When you initialized Entrust Identity Enterprise as a primary server, you had the
option to create the first administrator. If you did not create the first administrator
when you initialized Entrust Identity Enterprise, you must manually create the first
administrator using the master user shell.
If you are using a directory repository (Active Directory, AD LDS, or LDAP directory),
the administrator must already exist in the directory, and must exist in the same
search base as the Entrust Identity Enterprise policy user.
This section contains the following procedures:
• “To create a first administrator manually on Windows” on page 148
• “To create a first administrator manually on Linux” on page 149

To create a first administrator manually on Windows


1 If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
2 Open the master user shell:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
expand Entrust Identity Enterprise in the list of applications, then click Master
User Shell.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Master User Shell.
When viewing by name or category, Master User Shell is listed under Entrust
Identity Enterprise.
3 Log in as a master user:
a Enter the following command:
login
b You are prompted for the user ID of a master user:
Userid:
Enter the name of a master user (Master1, Master2, Master3).
c You are prompted to provide the password of the master user:
Password:
Enter the password of the master user.
4 Enter the following command to create the first administrator:
user create <userid> -role superuser
Where <userid> is the unique user name of the administrator in
<group>/<username> format. For example:
user create default/Administrator -role superuser
If you do not specify a group, the administrator is created in the default group.
For the first administrator, it is recommended that you create the administrator in
the default group.
The superuser role gives the first administrator all administrative permissions.
This allows the administrator to access all Entrust Identity Enterprise functionality
and to create other administrators with more restrictive roles or permissions.
5 Enter the following command to give the administrator a password:
user password create <userid> -password <password>
Where:
• <userid> is the user ID of the administrator in <group>/<username>
format. If you do not specify a group, the default group is used.
• <password> is a password for the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.

To create a first administrator manually on Linux


1 If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
2 Open the master user shell:
a Switch to the Linux user account that owns Entrust Identity Enterprise Server.
b Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
c Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
d Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
e Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust Identity Enterprise version number
appear, followed by a command prompt.
3 Log in as a master user:
a Enter the following command:
login
b You are prompted for the user ID of a master user:
Userid:
Enter the name of a master user (Master1, Master2, Master3).
c You are prompted to provide the password of the master user:
Password:
Enter the password of the master user.
4 Enter the following command to create the first administrator:
user create <userid> -role superuser
Where <userid> is the unique user name of the administrator in
<group>/<username> format. For example:
user create default/Administrator -role superuser
If you do not specify a group, the administrator is created in the default group.
For the first administrator, it is recommended that you create the administrator in
the default group.
The superuser role gives the first administrator all administrative permissions.
This allows the administrator to access all Entrust Identity Enterprise functionality
and to create other administrators with more restrictive roles or permissions.
5 Enter the following command to give the administrator a password:
user password create <userid> -password <password>
Where:
• <userid> is the user ID of the administrator in <group>/<username>
format. If you do not specify a group, the default group is used.
• <password> is a password for the administrator.
The password must contain at least eight characters, and must include at
least one uppercase character, one lowercase character, and one number.

6 Testing Entrust Identity Enterprise

This chapter provides testing steps that determine whether your installation is
working properly. It assumes you have completed the installation, configuration, and
initialization tasks.
This chapter contains the following sections:
• “Testing Entrust Identity Enterprise on Windows” on page 152
• “Testing Entrust Identity Enterprise on Linux” on page 158
• “Troubleshooting your installation” on page 162

Testing Entrust Identity Enterprise on Windows
Complete the following procedure to test that Entrust Identity Enterprise Server is
running properly on Windows.

To test Entrust Identity Enterprise on Windows


1 Check the Entrust Identity Enterprise log files for errors. Typically, the log files are
located in the following folder:
C:\Program Files\Entrust\IdentityGuard\identityguard130\logs
2 Start the Entrust Identity Enterprise Server. For instructions, see “Starting and
stopping Entrust Identity Enterprise services” on page 187.
3 Check the status of all services in Entrust Identity Enterprise Web interface and
Application Manager, accessible through the Entrust Identity Enterprise
Configuration Panel:
a Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
– On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Configuration Panel.
– On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Configuration Panel appears.

b Select Launch Web Service and Application Manager.
The Web Service and Application Manager dialog box appears.
c Under the Status tab, check the status of each service:
– Administration Service
– Authentication Service HTTP
– Authentication Service HTTPS
– Authentication (client-authenticated) Service HTTPS
– Properties Editor Service
– Administration Interface
– Sample Application
If the status of any of these services is Offline, see “Troubleshooting your
installation” on page 162.
If the status of any of these is Error, ensure that the URLs correspond to valid
services or applications in the identityguard.properties file. By
default, you can find the identityguard.properties file in the
following folder:
C:\Program Files\Entrust\IdentityGuard\identityguard130\etc\
4 Ensure that you can log in to the Administration Web interface.
a Open a Web browser.
b Browse to the following URL:
https://<hostname>:<port>/IdentityGuardAdmin
Where:
– <hostname> is the server host name you selected during configuration.
– <port> is the administration port you selected during configuration
(default 8444).

Note:
If you cannot access the Entrust Identity Enterprise services (Administration or
Authentication), verify that firewall rules are not blocking the HTTPS ports (by
default 8443 and 8444).

Alternatively, you can access the Administration interface from the Start
menu:
– On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Administration Interface.
– On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Administration Interface.
When viewing by name or category, Administration Interface is listed
under Entrust Identity Enterprise.
The Entrust Identity Enterprise Administration Log In page appears.

c In the Administrator Name field, enter the user ID of an Entrust Identity
Enterprise administrator.
For the initial login, enter the user ID of the first administrator you created
either during initialization or manually after initialization.
d In the Password field, enter the password of the administrator.
e (Optional.) If your administrator belongs to a group, enter the group name
in the Group field.
You must specify the group if more than one user shares the same user name
in Entrust Identity Enterprise.
f Click Log In.
g If you are logging in for the first time, you may be prompted to change your
password.
The Entrust Identity Enterprise Administration interface appears.

5 (Optional) Test the sample application. See “Using the sample application” on
page 265 for more information.

Testing Entrust Identity Enterprise on Linux
Complete the following procedure to test that Entrust Identity Enterprise Server is
running properly on Linux.

To test Entrust Identity Enterprise on Linux


1 Check the Entrust Identity Enterprise log files for errors. Typically, the log files are
located in the following folder:
/opt/entrust/identityguard130/logs
2 Switch to the Linux user account that owns Entrust Identity Enterprise.
3 Start the Entrust Identity Enterprise Server. For instructions, see “Starting and
stopping Entrust Identity Enterprise services” on page 187.
4 Check whether all Entrust Identity Enterprise services are running as expected:
a Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
b Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
c Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
d Enter the following command:
igservice.sh all status
The following is an example of the status report when all services are running:
Entrust Identity Enterprise (pid 2822) is running...
Authentication HTTP V11 service is available at
http://identityguard.example.com:8080/IdentityGuardAuthServi
ce/services/AuthenticationServiceV11
Authentication HTTP V9 service is available at
http://identityguard.example.com:8080/IdentityGuardAuthServi
ce/services/AuthenticationServiceV9
Authentication HTTP V10 service is available at
http://identityguard.example.com:8080/IdentityGuardAuthServi
ce/services/AuthenticationServiceV10
Authentication HTTPS V11 service is available at
https://identityguard.example.com:8443/IdentityGuardAuthServ
ice/services/AuthenticationServiceV11
Authentication HTTPS V9 service is available at
https://identityguard.example.com:8443/IdentityGuardAuthServ
ice/services/AuthenticationServiceV9
Authentication HTTPS V10 service is available at
https://identityguard.example.com:8443/IdentityGuardAuthServ
ice/services/AuthenticationServiceV10
Authentication Client HTTPS V11 service is configured at
https://identityguard.example.com:8447/IdentityGuardAuthServ
ice/services/AuthenticationServiceV11
Authentication Client HTTPS V9 service is configured at
https://identityguard.example.com:8447/IdentityGuardAuthServ
ice/services/AuthenticationServiceV9
Authentication Client HTTPS V10 service is configured at
https://identityguard.example.com:8447/IdentityGuardAuthServ
ice/services/AuthenticationServiceV10
Sample application is disabled.
Administration V11 service is available at
https://identityguard.example.com:8444/IdentityGuardAdminSer
vice/services/AdminServiceV11
Administration V9 service is available at
https://identityguard.example.com:8444/IdentityGuardAdminSer
vice/services/AdminServiceV9
Administration V10 service is available at
https://identityguard.example.com:8444/IdentityGuardAdminSer
vice/services/AdminServiceV10
Administration interface is available at
https://identityguard.example.com:8444/IdentityGuardAdmin
Properties editor is available at
https://identityguard.example.com:8444/IdentityGuardProperti
esEditor
Entrust Identity Enterprise Radius (pid 15858) is running...
5 Ensure that you can log in to the Administration Web interface.
a Open a Web browser.
b Browse to the following URL:
https://<hostname>:<port>/IdentityGuardAdmin
Where:
– <hostname> is the server host name you selected during configuration.
– <port> is the administration port you selected during configuration
(default 8444).

Note:
If you cannot access the Entrust Identity Enterprise services (Administration or
Authentication), verify that firewall rules are not blocking the HTTPS ports (by
default 8443 and 8444).

For example:
https://www.example.com:8444/IdentityGuardAdmin
The Entrust Identity Enterprise Administration Log In page appears.

c In the Administrator Name field, enter the user ID of an Entrust Identity
Enterprise administrator.
For the initial login, enter the user ID of the first administrator you created
either during initialization or manually after initialization.
d In the Password field, enter the password of the administrator.
e (Optional.) If your administrator belongs to a group, enter the group name
in the Group field.
You must specify the group if more than one user shares the same user name
in Entrust Identity Enterprise.
f Click Log In.
g If you are logging in for the first time, you may be prompted to change your
password.
The Entrust Identity Enterprise Administration interface appears.

6 (Optional) Test the sample application. See “Using the sample application” on
page 265 for more information.
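The status report that igservice.sh all status prints in step 4 is written for a person to read. As an added example (not part of Entrust Identity Enterprise), the following POSIX shell functions read that report from standard input and classify each line, so the same check can run unattended after a restart or from a monitoring job. The healthy wordings (is running..., is available at, is configured at) and the informational is disabled. are taken from the sample report above; any other "is ..." state is treated as a failure, and the failing line used in the demonstration ("is not running") is an assumed wording, not output copied from the product.

```shell
#!/bin/sh
# Added example: unattended check of an "igservice.sh all status" report.
# Not part of Entrust Identity Enterprise. Healthy wordings come from the sample
# report in the guide; the failure wording "is not running" is an assumption.

# Classify one report line: OK, INFO (intentionally disabled), FAIL, or SKIP.
classify_status_line() {
    case "$1" in
        *" is running..."*|*" is available at "*|*" is configured at "*) echo OK ;;
        *" is disabled."*) echo INFO ;;
        *" is "*) echo FAIL ;;
        *) echo SKIP ;;
    esac
}

# check_ig_status < report
# Prints every failing line and returns the number of failures (0 = healthy).
check_ig_status() {
    fails=0
    while IFS= read -r line; do
        if [ "$(classify_status_line "$line")" = FAIL ]; then
            printf 'FAIL: %s\n' "$line"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# required_services_present REPORT_TEXT
# The test procedure in this chapter needs the Administration interface and the
# HTTPS authentication service; returns the number of those that are not listed
# as available.
required_services_present() {
    report="$1"; missing=0
    for svc in "Administration interface is available" \
               "Authentication HTTPS V11 service is available"; do
        case "$report" in
            *"$svc"*) ;;
            *) printf 'MISSING: %s\n' "$svc"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Constructed report: healthy lines in the shape of the guide's sample, plus one
# assumed failure line for the RADIUS service.
SAMPLE_REPORT='Entrust Identity Enterprise (pid 2822) is running...
Authentication HTTP V11 service is available at http://identityguard.example.com:8080/IdentityGuardAuthService/services/AuthenticationServiceV11
Authentication HTTPS V11 service is available at https://identityguard.example.com:8443/IdentityGuardAuthService/services/AuthenticationServiceV11
Authentication Client HTTPS V11 service is configured at https://identityguard.example.com:8447/IdentityGuardAuthService/services/AuthenticationServiceV11
Sample application is disabled.
Administration V11 service is available at https://identityguard.example.com:8444/IdentityGuardAdminService/services/AdminServiceV11
Administration interface is available at https://identityguard.example.com:8444/IdentityGuardAdmin
Properties editor is available at https://identityguard.example.com:8444/IdentityGuardPropertiesEditor
Entrust Identity Enterprise Radius is not running'

printf '%s\n' "$SAMPLE_REPORT" | check_ig_status || echo "problems found: $?"
required_services_present "$SAMPLE_REPORT" && echo "required services present"
```

On a server, pipe the real report in with igservice.sh all status | check_ig_status and act on a non-zero exit code; the "Sample application is disabled." line is reported as informational only, because disabling it is a deliberate configuration choice rather than a fault.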

Troubleshooting your installation
When you reinstall Entrust Identity Enterprise, the services may need to be restarted.
If one or more services is marked as Offline, restart the services. See “Starting and
stopping Entrust Identity Enterprise services” on page 187 for instructions about
restarting the Entrust Identity Enterprise services.
If the Administration interface does not appear, but you know the services are
running, check if it is disabled. See “Enabling and disabling individual Entrust Identity
Enterprise services” on page 195 for instructions about managing the Entrust Identity
Enterprise services.

7 Customizing Entrust Identity Enterprise Server

Use this chapter to configure or reconfigure Entrust Identity Enterprise Server after
installation.

Attention:
This chapter has instructions that include making changes to the web.xml file.
When you upgrade or install a patch, these changes are lost.

Back up your web.xml file before upgrading or installing a patch.

Topics in this chapter:


• “Disabling the Authentication service non-SSL port on Tomcat” on page 164
• “Enabling the Administration service non-SSL port on Tomcat” on page 166
• “Disabling the Administration service SSL port on Tomcat” on page 168
• “Configuring Tomcat to use a proxy server” on page 170
• “Managing the SSL certificate on Entrust Identity Enterprise Server” on page 171

Disabling the Authentication service non-SSL port on Tomcat
By default, the Entrust Identity Enterprise Authentication service uses the following
ports for communication between the Entrust Identity Enterprise Server and the
Authentication Web service:
• non-SSL (default: 8080)
• SSL (default: 8443)
• client-authenticated SSL (default: 8447)
To further secure your Entrust Identity Enterprise Server, disable the non-SSL (HTTP)
port.

To disable the Authentication service non-SSL port on Tomcat


1 If Entrust Identity Enterprise is currently running, stop the services. See “Starting
and stopping Entrust Identity Enterprise services” on page 187 for instructions.
2 Open the Apache Tomcat server.xml file in a text editor. You can find the file
in the following location:
• On Linux:
$CATALINA_HOME/conf
Where $CATALINA_HOME is the install directory for Tomcat. For example:
/opt/entrust/apache-tomcat-<version>
• On Microsoft Windows:
$IG_HOME/apache-tomcat-<version>/conf
Where $IG_HOME is the install directory for Entrust Identity Enterprise. The
default location is C:/Program Files/Entrust/IdentityGuard.
3 Identify and comment out the following section, using <!-- before the section
and --> after the section:
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443"
acceptCount="100" debug="0" connectionTimeout="20000"
URIEncoding="UTF-8" disableUploadTimeout="true" />
For example:
<!--
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443"
acceptCount="100" debug="0" connectionTimeout="20000"
URIEncoding="UTF-8" disableUploadTimeout="true" />
-->
4 Save the file.
5 Use the Properties editor to disable the non-SSL port for the Authentication
service. See the Entrust Identity Enterprise Server Administration Guide.
6 Restart the Entrust Identity Enterprise Server.
7 Update Entrust Identity Enterprise clients to use the SSL port for communication
with the Authentication service. If clients attempt to access the Entrust Identity
Enterprise Authentication service at the non-SSL port, they receive a
Connection Refused error.
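As an added check (example code, not part of the Entrust Identity Enterprise installer and not a step of the procedure above), the following Python script reads a Tomcat server.xml, reports which connectors are still live and whether each one is TLS, and comments out a self-closing <Connector> by port number. SAMPLE_SERVER_XML is a constructed, cut-down file that mirrors the connector layout this chapter describes (Authentication service on 8080, 8443 and 8447; Administration service on 8444); the real file contains more. Run plaintext_ports against your own $CATALINA_HOME/conf/server.xml after the edit to confirm that no non-SSL connector remains. Because disable_connector takes any port, it also applies when you later disable the Administration service port 8444. The function names are this example's own.

```python
"""Audit and edit Tomcat server.xml connectors (added example, not Entrust code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the connector layout described in this chapter.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" redirectPort="8443"
      acceptCount="100" debug="0" connectionTimeout="20000"
      URIEncoding="UTF-8" disableUploadTimeout="true" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" />
    <Connector port="8447" SSLEnabled="true" scheme="https" secure="true"
      clientAuth="true" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
  <Service name="Admin">
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" />
    <Engine name="Admin" defaultHost="localhost">
      <Host name="localhost" appBase="admin"/>
    </Engine>
  </Service>
</Server>
"""


def enabled_connectors(server_xml: str) -> list[tuple[str, int, bool]]:
    """Return (service name, port, tls) for every connector that is live.

    ElementTree discards XML comments while parsing, so a connector that has
    been wrapped in <!-- ... --> does not appear here; that is the state the
    procedure above aims for.
    """
    root = ET.fromstring(server_xml)
    result = []
    for service in root.findall("Service"):
        for conn in service.findall("Connector"):
            tls = (conn.get("SSLEnabled", "false").lower() == "true"
                   or conn.get("scheme", "http").lower() == "https")
            result.append((service.get("name", ""), int(conn.get("port")), tls))
    return result


def plaintext_ports(server_xml: str) -> list[int]:
    """Ports that would still accept unencrypted HTTP (the ones to close)."""
    return [port for _, port, tls in enabled_connectors(server_xml) if not tls]


def disable_connector(server_xml: str, port: int) -> str:
    """Wrap the self-closing <Connector port="..."/> element in an XML comment.

    Only a self-closing element is handled; a connector with nested children
    (for example an <SSLHostConfig>) must be commented out by hand. The first
    textual match is assumed to be the live element.
    """
    if port not in [p for _, p, _ in enabled_connectors(server_xml)]:
        raise ValueError(f"port {port} is not an enabled connector")
    # Stay inside one tag: attribute values may contain anything but a quote,
    # and outside quotes a '>' ends the tag.
    pattern = re.compile(
        r'<Connector\b(?:[^>"]|"[^"]*")*?\bport="%d"(?:[^>"]|"[^"]*")*?/>' % port)
    return pattern.sub(lambda m: "<!--\n" + m.group(0) + "\n-->", server_xml, count=1)


if __name__ == "__main__":
    hardened = disable_connector(SAMPLE_SERVER_XML, 8080)
    print("plaintext ports before:", plaintext_ports(SAMPLE_SERVER_XML))
    print("plaintext ports after: ", plaintext_ports(hardened))
    print(hardened)
```

The audit deliberately re-parses the edited text rather than trusting the regex: if the comment wrapper were malformed, ET.fromstring would fail, and if the wrong element were wrapped, port 8080 would still be reported as live.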

Enabling the Administration service non-SSL port on Tomcat
By default, the Entrust Identity Enterprise Administration service runs on HTTPS (port
8444) to take advantage of better security. If necessary, complete the following steps
to allow the Administration service to run on a non-SSL port.

Attention:
Using the non-SSL port on the Administration service can seriously compromise
the security of your system.

To enable the Administration service non-SSL port on Tomcat


1 Open the Apache Tomcat server.xml file in a text editor. You can find the file
in the following location:
• On Linux:
$CATALINA_HOME/conf
Where $CATALINA_HOME is the install directory for Tomcat. For example:
/opt/entrust/apache-tomcat-<version>
• On Microsoft Windows:
$IG_HOME/apache-tomcat-<version>/conf
Where $IG_HOME is the install directory for Entrust Identity Enterprise. The
default location is C:/Program Files/Entrust/IdentityGuard.
2 Add a new <Connector> element to the second <Service> element (which
defines the Administration service).
The new <Connector> element should be the same as the first <Connector>
element in the first <Service> element, except you must pick a new port. Do
not use the default ports: 8080, 8443, 8444, or 8447, or any other ports you may
be using.
The connector's redirect port should point to the Administration service at port
8444, not the Authentication service at port 8443. The port number must be
greater than 1024.
3 Open the web.xml file in a text editor. You can find the file in the following
location:
$IG_HOME/services/admin/IdentityGuardAdminService/WEB-INF/

Where $IG_HOME is the install directory for Entrust Identity Enterprise. For
example:
• On Linux:
/opt/entrust/identityguard130/services/admin/IdentityGuardAdminService/WEB-INF/web.xml
• On Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/services/admin/IdentityGuardAdminService/WEB-INF/web.xml
4 Remove the <security-constraint> element.
5 Save and close the web.xml.
This change must be re-applied any time an Entrust Identity Enterprise patch is
installed.

Disabling the Administration service SSL port on Tomcat
If you have disabled the Administration service and the Administration interface,
complete the following steps to disable the default HTTPS port (8444) on the
Administration service.
After you have disabled this port, if you wish to enable either the Administration
service, the Administration interface, or the Properties editor, you must enable the
SSL port on the Administration service.
If you have enabled a non-SSL port for the Administration service, you can use the
same port to access the Administration service and the Administration interface.

To disable the SSL port on Linux


1 If Entrust Identity Enterprise is currently running, stop the service. See
“Managing Entrust Identity Enterprise services on Linux” on page 188.
2 Run the command to disable the Administration interface, if it is still running:
identityguard.sh disable admininterface
3 Run the command to disable the Administration service, if it is still running:
identityguard.sh disable adminservice
4 Locate and make a backup copy of the Apache Tomcat server.xml file, located
in the following folder:
$CATALINA_HOME/conf/server.xml
Where $CATALINA_HOME is the install directory for Tomcat. For example:
/opt/entrust/apache-tomcat-<version>/conf/server.xml
5 Identify and comment out the code between <Service ..> and </Service>
that contains <Connector port="8444">.
6 Save the file.
7 Restart the Entrust Identity Enterprise Server.

To disable the SSL port on Microsoft Windows


1 If Entrust Identity Enterprise is currently running, shut it down. See “Managing
Entrust Identity Enterprise services on Windows” on page 194.
2 Locate and make a backup copy of the Apache Tomcat server.xml file, located
in the following folder:
$IG_HOME/apache-tomcat-<version>/conf/server.xml
Where $IG_HOME is the install directory for Entrust Identity Enterprise. The
default location is C:/Program Files/Entrust/IdentityGuard.

3 Identify and comment out the code between <Service ..> and </Service>
that contains <Connector port="8444">.
4 Save the file.
5 Restart the Entrust Identity Enterprise Server.

Configuring Tomcat to use a proxy server
If you want to route traffic to the Entrust Identity Enterprise server through a proxy
server, follow the instructions below.

To configure Tomcat to use a proxy server


1 Open the Apache Tomcat catalina.properties file in a text editor. You can
find the file in the following location:
• On Linux:
$CATALINA_HOME/conf
Where $CATALINA_HOME is the install directory for Tomcat. For example:
/opt/entrust/apache-tomcat-<version>
• On Microsoft Windows:
$IG_HOME/apache-tomcat-<version>/conf
Where $IG_HOME is the install directory for Entrust Identity Enterprise. The
default location is C:/Program Files/Entrust/IdentityGuard.
2 Scroll to the bottom and add the following lines:
http<s>.proxyPort=<port>
http<s>.proxyHost=<proxy.domain.com>
Where:
• http<s> is either http or https. Use http if you want the Entrust Identity
Enterprise server to connect to the proxy server over http, and https if you
want to connect using SSL.
• <port> is the http or https port number, by default, 80 and 443,
respectively.
• <proxy.domain.com> is the host name of the proxy server.
Examples:
http.proxyPort=80
http.proxyHost=myproxy.myorg.com
https.proxyPort=443
https.proxyHost=mydomain.com
3 Save the file.
4 Restart the Entrust Identity Enterprise service. See “Starting and stopping Entrust
Identity Enterprise services” on page 187.

Managing the SSL certificate on Entrust Identity Enterprise Server
When installing Entrust Identity Enterprise, a self-signed certificate is created. This
certificate enables a secure SSL connection between the Entrust Identity Enterprise
server and its clients, such as users’ browsers and the Self-Service Module.

Managing certificates using the Key Store Management interface


The Key Store Management capability in the Entrust Identity Enterprise
Administration interface makes it easy to manage your SSL certificate and other
trusted certificates. For instructions about using this interface, see the Entrust Identity
Enterprise Server Administration Guide.
In addition to guiding you through the process of obtaining and trusting a CA-signed
certificate for your Entrust Identity Enterprise server, the interface warns you when
certificates are nearing expiry and makes it easy to import certificates used for other
purposes in your installation.

Managing certificates using keytool


If you prefer, you can use the procedures in the remainder of this chapter to manage
the tomcat certificate using the command-line keytool utility.
Topics in this section:
• “Switching to a CA-signed certificate using keytool” on page 171
• “Updating the Entrust Identity Enterprise server certificate before expiry using keytool” on page 180
• “Exporting the Entrust Identity Enterprise server certificate using keytool” on page 184

Switching to a CA-signed certificate using keytool


During the Entrust Identity Enterprise installation, a self-signed certificate is created.
This certificate enables a secure SSL connection between the Entrust Identity
Enterprise server and its clients, such as users’ browsers and the Self-Service Module.
Because the certificate is self-signed, browsers do not implicitly trust it and warnings
are displayed when users access the Entrust Identity Enterprise Web interfaces (see
Figure 1).

Figure 1: Internet Explorer security warning

To eliminate these warnings, you can switch the self-signed certificate for one that is
signed by a Certification Authority (CA). A CA-signed certificate from Entrust is
secure and is implicitly trusted by the majority of browsers. You can also use signed
certificates from other CAs.

Note:
The fully qualified domain name (FQDN) of the Entrust Identity Enterprise server
must be the first element in the distinguished name (DN). For example,
cn=ig.example.com,o=Organization,c=US. If the FQDN is not the first
element, such as emailaddress=ig@example.com,cn=ig.example.com,o=Organization,c=US,
then the Entrust Identity Enterprise Radius proxy and clients such as the
Entrust Identity Enterprise Self-Service Module will fail to connect to
Entrust Identity Enterprise.

Follow these instructions to obtain a CA-signed certificate and get it working in the
Entrust Identity Enterprise server:
• “Step 1: Preliminary tasks” on page 173
• “Step 2: Obtain a CA-signed certificate” on page 176
• “Step 3: Obtain and import the root and all chain certificates using keytool” on page 176
• “Step 4: Import the CA-signed certificate using keytool” on page 178
• “Step 5: Importing the certificates to your Entrust Identity Enterprise clients” on page 179

Step 1: Preliminary tasks

Note:
The following procedure uses the Java keytool utility. For details on the keytool
commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.

1 Log in to the server hosting Entrust Identity Enterprise.


2 Open a command prompt.
3 Change to the folder containing the Java keytool utility. By default:
• Linux:
/opt/entrust/jdk11.0.8_10/jre/bin
• Windows:
C:/Program Files/Entrust/IdentityGuard/jdk11.0.8_10/jre/bin
4 Delete the existing private key corresponding to the self-signed certificate that
the Entrust Identity Enterprise server is currently using:
keytool -delete -alias <unique_key_pair> -keystore <path_to_keystore> -storepass entrust
Where:
• <unique_key_pair> is the unique name associated with the Entrust
Identity Enterprise server key pair. This alias should be set to tomcat if you
have been following this documentation.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore
– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
For example:
keytool -delete -alias tomcat -keystore "C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -storepass entrust

5 Generate a public/private key pair. To generate the key pair, enter:
keytool -genkeypair -alias <IG_cert> -dname <required DN> -keyalg RSA -keysize <keysize> -sigalg sha256WithRSA -keystore <path_to_keystore> -keypass <key_PW> -storepass <keystore_PW>
Where:
• <IG_cert> is a short name you want to associate with your Entrust Identity
Enterprise server’s CA-signed certificate. It is recommended that you use
tomcat as your alias, because it was used for the self-signed certificate. You
may be asked for this alias when you perform management functions against
the certificate using the keytool utility.
• <required DN> is one of the following:
– If you will obtain your certificate from Entrust Certificate Services
(http://www.entrust.net), "cn=<FQDN>,o=<organization>,c=<country_code>".
Where <FQDN> is the fully qualified domain name of the Entrust Identity
Enterprise server, <organization> is the name of your organization, and
<country_code> is the ISO 3166-1 ALPHA-2 country code of your
country. For example:
"cn=ig.example.com,o=Organization,c=US"
You must include o=<organization> and c=<country_code> to
complete an order from Entrust Certificate Services.
– If you are using your own Entrust CA with Entrust Authority Enrollment
Server for Web to generate the certificate, "cn=<refnum>".
Where <refnum> is the reference number generated by your CA. For
example:
"cn=12349876"
– If you are using a certificate from another CA, consult the CA’s
documentation for details of the DN syntax.
• -keyalg RSA is the algorithm for the private/public key pair. Specify RSA
to avoid unintended substitution of the default.
• <keysize> is the key size in bits. Ensure the key size you specify is secure.
For example, 2048.
• -sigalg sha256WithRSA is the signing algorithm. Specify
sha256WithRSA to avoid unintended substitution of the default.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore

– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
• <key_PW> is the password for the private key that will be generated. For
simplicity, it is recommended you use entrust as the private key password.
If <key_PW> is not specified, you will be prompted for it. If you press Enter
at the prompt, the password is set to the keystore password.
• <keystore_PW> is the password for the keystore that contains the
certificate that will be generated. For simplicity, if you are using an Entrust
certificate, it is recommended you use entrust as the keystore password.
For example:
keytool -genkeypair -alias tomcat -dname "cn=ig.example.com,o=Organization,c=US" -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -keystore "c:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -keypass entrust -storepass entrust
6 Create a Certificate Signing Request (CSR) by entering the following command:
keytool -certreq -alias <alias> -file <file> -keystore <path_to_keystore> -storepass entrust
Where:
• <alias> is the short name you specified earlier. For example, tomcat.
• <file> is the path and name of the file in which to store the CSR, for
example, c:/igCSR.txt.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore
– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
For example:
keytool -certreq -alias tomcat -file c:/igCSR.txt -keystore "c:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -storepass entrust
You now have a CSR file that you can give to Entrust or another vendor, or use
with Enrollment Services for Web (if you are using your own in-house Entrust
Authority Security Manager CA).
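The Note at the start of this section warns that the server FQDN must be the first RDN of the DN, and Step 1 insists on spelling out -keyalg RSA and -sigalg sha256WithRSA rather than relying on keytool defaults. The following Python helper is an added example, not Entrust's code and not something the installer ships: parse_dn, check_server_dn and genkeypair_command are this example's own names. It validates a proposed -dname value against those rules and builds the argv for keytool -genkeypair with the algorithms pinned, so the command can be reviewed before a key pair is generated. The DN syntax handled is the comma-separated form keytool accepts, with backslash escapes for literal commas.

```python
"""Check a -dname value and build the keytool -genkeypair command line.

Added example; not part of Entrust Identity Enterprise.
"""
import shlex


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split "cn=ig.example.com,o=Organization,c=US" into (attribute, value)
    pairs. A backslash escapes the next character, so "o=Acme\\, Inc" is one RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True          # keep the following character literally
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_server_dn(dn: str, fqdn: str, entrust_order: bool = False) -> list[str]:
    """Return the problems found; an empty list means the DN is acceptable.

    entrust_order=True additionally requires o= and c=, which Entrust
    Certificate Services needs to complete an order.
    """
    problems = []
    rdns = parse_dn(dn)
    attr, value = rdns[0]
    if attr != "cn":
        problems.append(f"first RDN is '{attr}', must be 'cn' (the Radius proxy and "
                        "Self-Service Module will fail to connect)")
    elif value.lower() != fqdn.lower():
        problems.append(f"cn is '{value}', expected the server FQDN '{fqdn}'")
    if entrust_order:
        present = {a for a, _ in rdns}
        for required in ("o", "c"):
            if required not in present:
                problems.append(f"'{required}=' is required to order from "
                                "Entrust Certificate Services")
    return problems


def genkeypair_command(alias: str, dn: str, keystore: str, key_pw: str,
                       store_pw: str, keysize: int = 2048) -> list[str]:
    """Build the argv for keytool -genkeypair with -keyalg and -sigalg spelled
    out, so keytool's defaults are never silently substituted."""
    if keysize < 2048:
        raise ValueError("RSA keys shorter than 2048 bits are not acceptable")
    return ["keytool", "-genkeypair", "-alias", alias, "-dname", dn,
            "-keyalg", "RSA", "-keysize", str(keysize),
            "-sigalg", "sha256WithRSA", "-keystore", keystore,
            "-keypass", key_pw, "-storepass", store_pw]


if __name__ == "__main__":
    dn = "cn=ig.example.com,o=Organization,c=US"   # example values from this guide
    print("problems:", check_server_dn(dn, "ig.example.com", entrust_order=True))
    print(shlex.join(genkeypair_command(
        "tomcat", dn, "/opt/entrust/identityguard130/etc/keystore", "entrust", "entrust")))
```

check_server_dn rejects the emailaddress-first DN from the Note because the first RDN is not cn, and flags a cn that does not match the host name the clients connect to; genkeypair_command refuses key sizes below 2048 bits.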

Step 2: Obtain a CA-signed certificate
1 Send the CSR file to one of the following certificate sources, as outlined in the
following table:

Table 12: Certificate sources

Certificate source: Entrust Certificate Services
Instructions: If you choose to use an Entrust certificate, see the following
documents for information about the types of certificates available and
detailed steps through the process for obtaining them.
• Entrust Certificate Services Multi-Domain SSL Enrollment Guide (listed as
Entrust EV Multi-Domain SSL)
• Entrust Certificate Services Standard and Advantage SSL Enrollment Guide
(listed as SSL Certificates)
The documents are available at
https://www.entrust.com/get-support/ssl-certificate-support/enrollment-guides/.
When your certificate is ready, Entrust will send you an email message that
includes a link to a Web page where you can pick it up. It can take three to
seven business days for Entrust to verify your request. See the enrollment
guides for information about the verification process.
To create the .cer file for an Entrust certificate:
1 Click the link in the email message you received from Entrust.
2 Cut-and-paste the certificate displayed on the Web site into a file with a
.cer extension, for example:
ig.cer
Ensure that you copy the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE---
lines. Do not include leading or trailing spaces or carriage returns.
3 Save the file.

Certificate source: Another vendor
Instructions: Follow your vendor’s process to obtain a certificate.

Certificate source: Entrust Authority Enrollment Server for Web CA
Instructions: Generate the certificate using Entrust Authority Enrollment Server
for Web. Consult the Enrollment Server for Web documentation for details.

You now have a file with a .cer extension that is required for the next step.

Step 3: Obtain and import the root and all chain certificates using keytool
1 Obtain your root CA certificate as follows:

a On a Windows computer, double-click the Entrust Identity Enterprise
certificate ig.cer.
b Click Certification Path.
c Click the top-most certificate in the chain. This is the root CA certificate. It is
typically named after the certificate vendor, for example, Entrust. This CA
signed the CA certificate under it, which in turn signed the certificate under
it, and so on, until you reach the Entrust Identity Enterprise server certificate
at the bottom. This sequence of certificates is called a “certificate chain”.
d With the root CA certificate selected, click View Certificate.
e Click Details.
f Click Copy to File. A wizard appears.
g Click Next through the wizard, selecting DER encoded binary X.509 (.CER),
and selecting a name and location for the file, for example,
c:/igrootCA.cer. Click Finish.
You now have the root CA certificate that chains to the Entrust Identity
Enterprise server certificate.
2 Obtain intermediate CA certificates the same way you obtained the root CA
certificate, giving them their own names.
You should now have a set of files, each one corresponding to a different CA
certificate in the chain. For example:
igrootCA.cer
igintermediateCA1.cer
igintermediateCA2.cer
3 Copy the CA certificates (igrootCA.cer, igintermediateCA1.cer,
igintermediateCA2.cer, and so on) to the computer that hosts the Entrust
Identity Enterprise server.
The CA certificates are now ready for import into the Java keystore.
4 Import each CA certificate to the Java keystore as follows:

Note:
The following procedure uses the Java keytool utility. For details on the keytool
commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.

a Change to the folder containing the Java keytool utility. By default:


– Linux:
/opt/entrust/jdk11.0.8_10/jre/bin

– Windows:
C:/Program Files/Entrust/IdentityGuard/jdk11.0.8_10/jre/bin
b Import the root CA certificate as follows:
keytool -importcert -alias <alias> -trustcacerts -file <CA_certificate> -keystore <IG_keystore> -storepass entrust
Where:
– <alias> is a short name you want to associate with the CA certificate.
Each CA certificate needs its own alias, for example:
igroot
igintermediate1
igintermediate2
You may be asked for this alias when you perform management functions
against this certificate using the keytool utility.
– <CA_certificate> is the full path and file name of the CA certificate.
– <IG_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder.
By default on Linux:
/opt/entrust/identityguard130/etc/keystore
By default on Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
For example:
keytool -importcert -alias igroot -trustcacerts -file c:/igrootCA.cer -keystore "c:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -storepass entrust
You have now imported all the CA certificates in the chain to the Java keystore.

Step 4: Import the CA-signed certificate using keytool

Note:
The following procedure uses the Java keytool utility. For details on the keytool
commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.

1 Copy the CA-signed certificate (ig.cer) to the Entrust Identity Enterprise server
if it is not already there.

2 Change to the folder containing the Java keytool utility. By default:
• Linux:
/opt/entrust/jdk11.0.8_10/jre/bin
• Windows:
C:/Program Files/Entrust/IdentityGuard/jdk11.0.8_10/jre/bin
3 Import the CA-signed certificate as follows:
keytool -importcert -alias <IG_cert> -file <cert_file> -keystore <path_to_keystore> -storepass entrust
Where:
• <IG_cert> is the short name you specified in “Step 1: Preliminary tasks” on
page 173. For example, tomcat.
• <cert_file> is the full path and file name of the CA-signed certificate that
you obtained in “Step 2: Obtain a CA-signed certificate” on page 176.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore
– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
For example:
keytool -importcert -alias tomcat -file c:/ig.cer -keystore "c:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -storepass entrust
You have now imported the CA-signed certificate.
Warnings should no longer appear in users’ browsers when they access the
Entrust Identity Enterprise Properties editor and Administration interface.

Step 5: Importing the certificates to your Entrust Identity Enterprise clients


1 Copy the Entrust Identity Enterprise server certificate chain (igrootCA.cer,
igintermediateCA1.cer, igintermediateCA2.cer, and so on),
including the server certificate itself, to all of your Entrust Identity Enterprise
client applications such as the Self-Service Module.
2 Import all of the certificates into the client applications following their
documentation.
SSL is now enabled between your Entrust Identity Enterprise clients and the
Entrust Identity Enterprise server.

Updating the Entrust Identity Enterprise server certificate before expiry using keytool
Whether you are using a self-signed certificate or a CA-signed certificate, the
certificate will eventually expire. You must update the Entrust Identity Enterprise
server’s keystore with the new certificate before expiry. You must also import the new
certificate into your Entrust Identity Enterprise clients (such as the Self-Service
Module).
The Key Store Management capability in the Entrust Identity Enterprise
Administration interface warns you when a certificate is approaching expiry. In
addition, you can use it to extend the lifetime of the self-signed server SSL certificate.
For more information about the System > Key Store Management tab, see
"Managing SSL certificates" in the Entrust Identity Enterprise Server Administration
Guide.
In addition to impending expiry, there are other reasons why you might want to
replace your current certificate. For example, you may need:
• to modify the lifetime or key size
The default key size is 2048 bits.

Note:
This is the only size that the Key Store Management tab supports. We
recommend this key size.

• a different DN in the certificate


The default self-signed certificate has a DN of cn=<hostname>, where
<hostname> is the fully-qualified host name of the Entrust Identity
Enterprise server. If the client applications connecting to the Entrust Identity
Enterprise services are not using this host name, you need a new certificate.
• additional security, if for example, you are using extended validation SSL
certificates.
See http://www.entrust.net/ssl-certificates/extended-validation.htm for
more information.
If you choose not to use the Key Store Management interface to update the
server certificate, complete one of the following procedures to update the Entrust
Identity Enterprise server certificate and import it to your Entrust Identity
Enterprise clients.
• “To update a self-signed certificate using keytool” on page 181
• “To update a CA-signed certificate” on page 183

To update a self-signed certificate using keytool

Note:
The following procedure uses the Java keytool utility. For details on the keytool
commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.

1 Log in to the server hosting Entrust Identity Enterprise.


2 Open a command prompt.
3 Change to the folder containing the Java keytool utility. By default:
• Linux:
/opt/entrust/jdk11.0.8_10/jre/bin
• Windows:
C:/Program Files/Entrust/IdentityGuard/jdk11.0.8_10/jre/bin
4 (Optional) Delete the previous self-signed certificate.
If you attempt to generate a new self-signed certificate with the same alias as
another certificate in the keystore, the operation will fail with an error similar to
the following:
keytool error: java.lang.Exception: Key pair not generated, alias tomcat already exists
To avoid this error, you must either use a different alias when generating a new
self-signed certificate, or delete the certificate with the alias that you want to use
for the new self-signed certificate.
To delete a self-signed certificate, enter (on one line) the following command:
keytool -delete -alias <IG_cert> -keystore <path_to_keystore> -storepass <keystore_PW> -keypass <key_PW>
Where:
• <IG_cert> is the unique name associated with the Entrust Identity
Enterprise certificate. If you followed the instructions in this guide, the alias
is tomcat.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore

– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
• <keystore_PW> is the password for the keystore that contains the
certificate. If you followed the instructions in this guide, the password is
entrust.
• <key_PW> is the password for the certificate's private key. If you followed
the instructions in this guide, the password is entrust. If <key_PW> is not
specified, you will be prompted for it. If you press Enter at the prompt, the
password is set to the keystore password.
For example:
keytool -delete -alias tomcat -keystore "C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -storepass entrust -keypass entrust
5 Enter (on one line) the following command to generate a new self-signed
certificate:
keytool -genkeypair -alias <IG_cert> -validity <number_of_days> -keystore <path_to_keystore> -dname <DN> -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -keypass <key_PW> -storepass <keystore_PW>
Where:
• <IG_cert> is a unique name you want to associate with the Entrust Identity
Enterprise certificate. For simplicity, it is recommended you use tomcat as
the alias.
If you attempt to generate a new self-signed certificate with the same alias
as another certificate in the keystore, the operation will fail with an error
similar to the following:
keytool error: java.lang.Exception: Key pair not generated, alias tomcat already exists
To avoid this error, you must either delete the other certificate (see Step 4 on
page 181) or use a different alias (such as tomcat1 or tomcat2).
• <number_of_days> is the number of days the certificate should remain
valid.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore

– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
• <DN> is "cn=<FQDN>" where <FQDN> is the fully qualified domain name of the
Entrust Identity Enterprise server.
• -keyalg RSA is the algorithm for the private/public key pair. Specify RSA
to avoid unintended substitution of the default.
• -keysize 2048 is the key size in bits. Ensure the key size you specify is
secure; 2048 is the recommended value.
• -sigalg sha256WithRSA is the signing algorithm. Specify
sha256WithRSA to avoid unintended substitution of the default.
• <key_PW> is the password for the private key that will be generated. For
simplicity, it is recommended you use entrust as the private key password.
If <key_PW> is not specified, you will be prompted for it. If you press Enter
at the prompt, the password is set to the keystore password.
• <keystore_PW> is the password for the keystore that contains the
certificate that will be generated. For simplicity, it is recommended you use
entrust as the keystore password.
For example:
keytool -genkeypair -alias tomcat -validity 365 -keystore "c:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore" -dname "cn=ig.example.com" -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -keypass entrust -storepass entrust
A new self-signed certificate is generated.
6 Export the certificate to a file following the instructions in “Exporting the Entrust
Identity Enterprise server certificate using keytool” on page 184. At the end of
the process you will have a file called something like ig.cer.
7 Copy ig.cer to any Entrust Identity Enterprise clients that use the certificate to
establish a secure SSL connection with the Entrust Identity Enterprise server. The
Self-Service Module is an example of an Entrust Identity Enterprise client.
8 Import the certificate onto the client following its documentation.

To update a CA-signed certificate
1 If you are updating a CA-signed certificate, follow the instructions in “Switching
to a CA-signed certificate using keytool” on page 171 to obtain a new CA-signed
certificate and import it to the Entrust Identity Enterprise server’s keystore.
2 Copy ig.cer to any Entrust Identity Enterprise clients that use the certificate to
establish a secure SSL connection with the Entrust Identity Enterprise server. The
Self-Service Module is an example of an Entrust Identity Enterprise client.
3 Import the certificate onto the client following its documentation.

Exporting the Entrust Identity Enterprise server certificate using keytool
Exporting a certificate means gathering together all the relevant Entrust Identity
Enterprise server certificate information such as the public key and DN, and placing it
together in a single, self-contained CER or CRT file. This file can then be copied and
imported into Entrust Identity Enterprise clients such as the Self-Service Module to
enable SSL.
Generally speaking, there is no need to export the Entrust Identity Enterprise server
certificate because it is already available as a CER or CRT file somewhere on the
Entrust Identity Enterprise server. However, if you misplace this file, or you are unsure
which CER or CRT file corresponds to your Entrust Identity Enterprise server
deployment, you can obtain the correct certificate by exporting it from the Entrust
Identity Enterprise server’s Java keystore. Follow the instructions below.

To export the Entrust Identity Enterprise server certificate using keytool

Note:
The following procedure uses the Java keytool utility. For details on the keytool
commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.

1 Log in to the server hosting Entrust Identity Enterprise.
2 Open a command prompt.
3 Change to the folder containing the Java keytool utility. By default:
• Linux:
/opt/entrust/jdk11.0.8_10/jre/bin
• Windows:
C:/Program Files/Entrust/IdentityGuard/jdk11.0.8_10/jre/bin
4 Enter the following command (on one line):
keytool -exportcert -alias <IG_cert> -file <path_to_file.cer>
-keystore <path_to_keystore> -storepass <keystore_PW>

where:
• <IG_cert> is a unique name that you associated with the Entrust Identity
Enterprise certificate. This alias should have been set to tomcat if you have
been following this documentation.
• <path_to_file.cer> is the full path and name of the Entrust Identity
Enterprise server certificate that you want to export.
• <path_to_keystore> is:
$IG_HOME/etc/keystore
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
– Linux:
/opt/entrust/identityguard130/etc/keystore
– Microsoft Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore
• <keystore_PW> is the password of the keystore containing the Entrust
Identity Enterprise certificate. This password should have been set to
entrust if you have been following this documentation.
For example:
keytool -exportcert -alias tomcat -file c:/ig.cer -keystore
"c:/Program Files/Entrust/IdentityGuard/identityguard130/etc/keystore"
-storepass entrust
You have now exported the Entrust Identity Enterprise certificate to a file. This file can
now be copied to clients such as the Self-Service Module. Once copied over, the
certificate can be imported into the client to enable SSL. See the client’s
documentation for details.

8 Starting and stopping Entrust Identity Enterprise services
This chapter explains how to start and stop Entrust Identity Enterprise Server and
services after installation.
This chapter contains the following sections:
• “Managing Entrust Identity Enterprise services” on page 188

Managing Entrust Identity Enterprise services
Complete the following steps to start, stop, check the status, or restart the Entrust
Identity Enterprise services on supported operating systems.
Topics in this section:
• “Managing Entrust Identity Enterprise services on Linux” on page 188
• “Managing Entrust Identity Enterprise services on Windows” on page 194

Managing Entrust Identity Enterprise services on Linux
There are several commands you can use to manage the services (Administration
interface, Administration service, Properties editor, and the sample application) on
Linux. You have the option of using either the identityguard.sh command, or the
Linux service command.
This section includes the following topics:
• “Starting and stopping Entrust Identity Enterprise using identityguard.sh” on
page 188
• “Starting and stopping Entrust Identity Enterprise with the Linux
commands” on page 190
• “Enabling and disabling individual Entrust Identity Enterprise services” on
page 191
• “Enabling and disabling auto-restart of Tomcat on reboot” on page 193
• “Querying the status of Entrust Identity Enterprise on Linux” on page 193

Starting and stopping Entrust Identity Enterprise using identityguard.sh
The identityguard.sh script enables you to start, stop, restart, and query the
status of the Entrust Identity Enterprise service.

Note:
If you are root, you cannot start Entrust Identity Enterprise using
identityguard.sh start, igradius.sh start, or the igservice.sh
start commands.
To stop the Entrust Identity Enterprise service, you must be the user who started
the service.

To start and stop Entrust Identity Enterprise using identityguard.sh
1 Switch to the Linux user account that owns Entrust Identity Enterprise Server.
2 Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
3 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 To start, stop, restart, or query the status of the Entrust Identity Enterprise service,
enter:
identityguard.sh <command>
Where <command> is one of the options in the following table.

Table 13: Starting and stopping Entrust Identity Enterprise

Command   Description
start     Starts the Entrust Identity Enterprise service. You can also start the
          service by entering:
              igservice.sh identityguard start
          Entrust Identity Enterprise generates audits that indicate if the
          services have started successfully or failed to start. You will not
          see an error message if the service fails to start.
stop      Stops the Entrust Identity Enterprise service. You can also stop the
          service by entering:
              igservice.sh identityguard stop
status    Tells you if the Entrust Identity Enterprise service is running. If the
          service is running, the process ID number appears.
restart   Stops and restarts the Entrust Identity Enterprise service. When you
          change some settings in the identityguard.properties file, you must
          restart the service so that the server recognizes the new settings.

Starting and stopping Entrust Identity Enterprise with the Linux commands
On Linux, you can also start and stop the Entrust Identity Enterprise services using the
Linux service command or the Linux systemctl command. If these commands
are run as root, they start the service as the Linux user ID that installed Entrust Identity
Enterprise.

To start and stop Entrust Identity Enterprise with the Linux service command
1 To start, stop, restart, or query the status of the Entrust Identity Enterprise service,
enter:
service identityguard <command>
where <command> is one of the options shown in Table 14:

Table 14: Linux service command

Command   Description
start     Starts the Entrust Identity Enterprise service. Entrust Identity
          Enterprise generates audits that indicate if the services have started
          successfully or failed to start. You will not see an error message if
          the service fails to start.
stop      Stops the Entrust Identity Enterprise service.
status    Tells you if the Entrust Identity Enterprise service is running. If the
          service is running, the process ID number appears.
restart   Stops and restarts the Entrust Identity Enterprise service. Changes to
          some settings in identityguard.properties require a restart so that
          the server recognizes the new settings.

To start and stop Entrust Identity Enterprise with the Linux systemctl command
1 To start, stop, restart, or query the status of the Entrust Identity Enterprise service,
enter:
systemctl <command> identityguard
where <command> is one of the options shown in Table 15:

Table 15: Linux systemctl command

Command   Description
start     Starts the Entrust Identity Enterprise service. Entrust Identity
          Enterprise generates audits that indicate if the services have started
          successfully or failed to start. You will not see an error message if
          the service fails to start.
stop      Stops the Entrust Identity Enterprise service.
status    Tells you if the Entrust Identity Enterprise service is running. If the
          service is running, the process ID number appears.
restart   Stops and restarts the Entrust Identity Enterprise service. Changes to
          some settings in identityguard.properties require a restart so that
          the server recognizes the new settings.

Enabling and disabling individual Entrust Identity Enterprise services
Use the manual command identityguard.sh to enable and disable the following
Entrust Identity Enterprise individual services within Tomcat:
• Administration interface (admininterface)
• Administration service (adminservice)
• Properties editor (preditor)
• sample application (sample)

To enable the Entrust Identity Enterprise services using identityguard.sh
1 Switch to the Linux user account that owns Entrust Identity Enterprise Server.
2 Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130

3 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Enter one of the following commands:
• To enable the Administration interface:
identityguard.sh enable admininterface
• To enable the Administration service:
identityguard.sh enable adminservice
• To enable the Properties editor:
identityguard.sh enable preditor
• To enable the sample application:
identityguard.sh enable sample
For example, to enable the Properties editor:
identityguard.sh enable preditor
You can also use the Entrust Identity Enterprise igsvcconfig.sh command to
enable Entrust Identity Enterprise.

To disable the Entrust Identity Enterprise services using identityguard.sh
1 Switch to the Linux user account that owns Entrust Identity Enterprise Server.
2 Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
3 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Enter one of the following commands:
• To disable the Administration interface:
identityguard.sh disable admininterface
• To disable the Administration service:
identityguard.sh disable adminservice
• To disable the Properties editor:
identityguard.sh disable preditor
• To disable the sample application:
identityguard.sh disable sample
For example, to disable the Properties editor:
identityguard.sh disable preditor
You can also use the Entrust Identity Enterprise igsvcconfig.sh command to
disable Entrust Identity Enterprise.

Enabling and disabling auto-restart of Tomcat on reboot
Use the manual command igsvcconfig.sh to enable and disable automatic restart
of Tomcat when your system reboots.

To enable auto-restart of Tomcat using igsvcconfig.sh
1 Switch to the root user.
2 Navigate to the Entrust Identity Enterprise $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
3 Enter the following command:
./igsvcconfig.sh identityguard enable

To disable auto-restart of Tomcat using igsvcconfig.sh
1 Switch to the root user.
2 Navigate to the Entrust Identity Enterprise $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
3 Enter the following command:
./igsvcconfig.sh identityguard disable

Querying the status of Entrust Identity Enterprise on Linux
The following command allows you to query the status of the Entrust Identity
Enterprise service.

To query the status of Entrust Identity Enterprise
1 Switch to the Linux user account that owns Entrust Identity Enterprise Server.
2 Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
3 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 To query the status of the Entrust Identity Enterprise service, enter:
identityguard.sh status

Managing Entrust Identity Enterprise services on Windows
The following procedures describe how to manage the services (Administration
interface, Administration service, Properties editor, and the sample application) on
Windows.
This section includes the following topics:
• “Starting and stopping Entrust Identity Enterprise on Windows” on
page 194
• “Enabling and disabling individual Entrust Identity Enterprise services” on
page 195
• “Querying the status of Entrust Identity Enterprise on Windows” on
page 198

Starting and stopping Entrust Identity Enterprise on Windows
Complete the following steps to start, stop, check the status, or restart the Entrust
Identity Enterprise service.
Starting and stopping events are logged in the Event Viewer.

Note:
By default, Entrust Identity Enterprise starts automatically whenever you reboot
the computer.

The following commands allow you to start, stop, restart, and query the status of the
Entrust Identity Enterprise Server.
Changes to Entrust Identity Enterprise properties require a restart so that the server
recognizes the new settings.

To start, stop, and restart Entrust Identity Enterprise on Windows
1 Log in to the server where you installed Entrust Identity Enterprise.
2 Open Windows Services.
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
select Windows Administrative Tools, and then select Services.
• On Windows Server 2012 or 2012 R2, select Start, then click the down arrow
to access Apps, then click Services.
When listed by name or category, Services is listed under Administrative
Tools.

The Services window appears.

3 To stop, start, or restart the Entrust Identity Enterprise Server (including the
sample application), right-click Entrust Identity Enterprise Server and select the
appropriate command.
4 To start, stop, or restart the Entrust Identity Enterprise Radius proxy, right-click
Entrust Identity Enterprise Radius Proxy and select the appropriate command.

Enabling and disabling individual Entrust Identity Enterprise services
Use the Web Service and Application Manager to complete the following steps to
enable and disable the services.

To enable and disable individual Entrust Identity Enterprise services on Windows
1 Log in to the server where you installed Entrust Identity Enterprise.

2 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Entrust Identity Enterprise Configuration Panel dialog box appears.

3 Click Launch Web Service and Application Manager.
The Web Service and Application Manager dialog box appears.

4 Click the Controls tab.
The options under the Controls tab appear.
5 Under Administration Service:
• To enable the Administration Service, select Enabled.
• To disable the Administration Service, select Disabled.
6 Under Properties Editor Service:
• To enable the Properties editor, select Enabled.
• To disable the Properties editor, select Disabled.
7 Under Administration Interface:
• To enable the Administration interface, select Enabled.
• To disable the Administration interface, select Disabled.

8 Under Sample Application:
• To enable the sample application, select Enabled.
• To disable the sample application, select Disabled.
9 When you have made your selections, click Apply Changes.

Querying the status of Entrust Identity Enterprise on Windows
Complete the following procedure to check if Entrust Identity Enterprise is running.

To check the status of Entrust Identity Enterprise
1 Log in to the server where you installed Entrust Identity Enterprise.
2 Open Windows Services.
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
select Windows Administrative Tools, and then select Services.
• On Windows Server 2012 or 2012 R2, select Start, then click the down arrow
to access Apps, then click Services.
When listed by name or category, Services is listed under Administrative
Tools.

The Services window appears.

3 Locate Entrust Identity Enterprise Server and check the status column to view the
status.
The status tells you if the Entrust Identity Enterprise Server is running.
4 Locate Entrust Identity Enterprise Radius Proxy and check the status column to
view the status.
The status tells you if the Entrust Identity Enterprise Radius Proxy is running.

9 Backing up and restoring Entrust Identity Enterprise
This chapter is intended for installers and administrators who are responsible for the
backup and recovery of Entrust Identity Enterprise. It provides guidelines for planning
a backup strategy and steps for restoring Entrust Identity Enterprise from a backup.
This chapter contains the following sections:
• “Backup and restore overview” on page 202
• “Backing up your configuration” on page 207
• “Restoring Entrust Identity Enterprise from a backup” on page 213

Backup and restore overview
Through the Entrust Identity Enterprise Configuration Panel (Windows) or the backup
and restore scripts (Linux), you can create full or partial backups of primary and
replica servers, and you can restore those servers. You can also use the backup and
restore features to move your Entrust Identity Enterprise configuration to a different
platform—such as Linux to Windows, or Windows to Linux.

Note:
The version of Entrust Identity Enterprise that is restored must be the same as the
version that was backed up.

This section contains the following topics:
• “Planning a backup strategy” on page 202
• “Entrust Identity Enterprise backup files” on page 203
• “Backing up file-based repositories” on page 205
• “Backup best practices” on page 205

Planning a backup strategy
It is strongly recommended that you have a backup strategy in place before you install
or upgrade Entrust Identity Enterprise. You should also back up your servers each time
you configure, restore, or migrate Entrust Identity Enterprise.
Having regular backups ensures that if something unexpected happens to the servers
hosting Entrust Identity Enterprise and your repository—such as a hardware failure—
you can recover your system quickly. You should use a separate server or separate
physical disk to host the backup files in case of a hard disk failure.
Use the following points to help develop a backup strategy for Entrust Identity
Enterprise Server and your repository:
• Entrust Identity Enterprise includes the Entrust Identity Enterprise master
keys file (masterkeys.enc) in the backup, but you cannot recover this file
after a system failure. Back up this file any time it is changed.
• Entrust Identity Enterprise does not back up your data repository so you must
ensure that you back up your repositories on a regular basis, and before
installing or upgrading Entrust Identity Enterprise.
If the data is split over multiple repositories, back up and restore all
repositories together.

Note:
Before upgrading Entrust Identity Enterprise, you should back up your user
repositories. At a minimum, you should back up all user records that are
associated with Entrust object classes.

• A partial or full backup does not back up IP data files. If you want to use the
IP/Geolocation feature, and you install Entrust Identity Enterprise from a
backup, you must also install the latest IP data files. See the Entrust Identity
Enterprise Server Administration Guide for instructions.
• The Entrust Identity Enterprise full backup option does include a copy of the
log files, but you should back up your logs on a regular basis in case of system
failure.
If you selected file logging when you installed Entrust Identity Enterprise, the
logs are stored in $IG_HOME/logs, by default:
– Linux:
/opt/entrust/identityguard130/logs
– Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130
/logs
• Decide on an Entrust Identity Enterprise backup type from the following two
options:
– Full
Full backups contain all information required to restore the configuration
and logs, and file-based repositories.
– Partial
Partial backups contain just enough information to configure a replica
system.

Entrust Identity Enterprise backup files
Table 16 lists the files in both the full backup ZIP file and the partial backup ZIP file.
Mandatory files in the table are always included in a backup file, and optional files are
only included if they exist.

Table 16: Entrust Identity Enterprise backup files

                                                                           Full   Partial
Mandatory
  masterkeys.enc                                                           yes    yes
  identityguard.properties                                                 yes    yes
Optional
  $IG_HOME/lib/db/*.jar files                                              yes    yes
  igsample.properties                                                      yes    yes
  igkrb5.conf                                                              yes    yes
  qamap.txt                                                                yes    yes
  disallowedpasswords.txt                                                  yes    yes
  Token vendor configuration files                                         yes    yes
  OOB (out-of-band) JavaMail template files                                yes    yes
  OOB (out-of-band) Authentify template files                              yes    yes
  OOB (out-of-band) SMS message template files                             yes    yes
  identityguard.properties.* files                                         yes    -
  Logs directory                                                           yes    -
  Export directory                                                         yes    -
  File-based repository directory for preproduced cards (fpcr)             yes    -
  File-based repository directory for unassigned tokens (ftkr)             yes    -
  File-based repository directory for unassigned smart credentials (fscr)  yes    -
  jasperreports.properties file                                            yes    -
  Reporting template files                                                 yes    -
Optional
  identityguard.cer                                                        yes    yes
  LDAP SSL certificate                                                     yes    yes
  server.xml                                                               yes    -
  Keystore                                                                 yes    -

Backing up file-based repositories
Entrust Identity Enterprise may store preproduced cards, unassigned tokens, and
unassigned smart credentials in file-based repositories. This is the default storage
method when your user repository is an LDAP directory. These files will not exist if
your user repository is a database or if, where users are stored in an LDAP directory,
you chose to use a database instead of a file to store preproduced cards, unassigned
tokens, and unassigned smart credentials.
The directory fpcr stores preproduced cards, the directory ftkr stores unassigned
tokens, and the directory fscr stores unassigned smart credentials. Entrust Identity
Enterprise includes the contents of these directories in a full backup.
You can back up these file-based repositories separately, using any backup
mechanism, as a way to have up-to-date copies in case of a system failure.

To back up a file-based repository
1 For preproduced cards, back up the files that start with fpcr.pcr located in the
following folder:
$IG_HOME/etc/fpcr
Where $IG_HOME is the Entrust Identity Enterprise installation folder.
2 For unassigned tokens, back up the files that start with ftkr.pcr located in the
following folder:
$IG_HOME/etc/ftkr
Where $IG_HOME is the Entrust Identity Enterprise installation folder.
3 For unassigned smart credentials, back up the files that start with fscr.pcr
located in the following folder:
$IG_HOME/etc/fscr
Where $IG_HOME is the Entrust Identity Enterprise installation folder.
4 Ensure that the files are owned (and are readable and writable) by the user
account that owns Entrust Identity Enterprise.
The default names and locations used above may have been changed in the
Properties editor. See the Entrust Identity Enterprise Server Administration Guide for
more information on the Properties editor.

Backup best practices
Follow these best practices for backups:
• Ensure that you synchronize the backups of your LDAP directory or database
repositories. Remember that any time you restore Entrust Identity Enterprise
from a backup, both the LDAP and database repositories should also be
restored.
• When backing up your user repository, you should back up—at minimum—
all user records that are associated with Entrust object classes before
beginning the upgrade.
• Store your backup files securely. Backup files contain sensitive information,
such as the masterkeys.enc file and export files. The
igsample.properties file contains a clear text administrator password.

Backing up your configuration
Back up your Entrust Identity Enterprise configuration as a precaution in case your
system fails, or when you are creating a replica server.
This section contains the following procedures:
• “To back up your configuration on Linux” on page 207
• “To back up your configuration on Microsoft Windows using Entrust Identity
Enterprise Configuration Panel” on page 208
• “To back up your configuration on Microsoft Windows from the command
line” on page 211

To back up your configuration on Linux
1 Log in to the server hosting Entrust Identity Enterprise.
2 Switch to the Linux user account that owns Entrust Identity Enterprise.
3 Change to the $IG_HOME directory, typically:
/opt/entrust/identityguard130/
4 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
5 Enter the following command to back up Entrust Identity Enterprise:
./igbackup.sh [-partial|-full] [-file <file name>]
Parameters in square brackets are optional parameters. Parameters separated by
a vertical bar are mutually exclusive parameters. Where:
• -partial creates a partial backup.
Partial backups contain just enough information to configure a replica
system.
• -full creates a full backup.
Full backups contain all information required to restore the configuration and
logs, and file-based repositories.

Note:
If you do not specify either -partial or -full, a full backup is created.

• -file allows you to specify a file name for the backup file, and <file
name> is the file name of the backup file. Enter a file name that ends with a
.zip extension. The default location is relative to your current working
directory.
If you do not specify -file <file name>, the command creates a backup
ZIP file and puts it in the default backup location at $IG_HOME/backups/.
The default name includes the type of backup (partial or full), and the current
date and time. For example, if you create a partial backup file created on
February 24, 2020 at 15:00:45, the file name is
igpartialbackup_20200224150045.zip.
For example:
./igbackup.sh -partial -file example_backup.zip

To back up your configuration on Microsoft Windows using Entrust Identity
Enterprise Configuration Panel
1 Log in to the server hosting Entrust Identity Enterprise.
2 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Entrust Identity Enterprise Configuration Panel dialog box appears.

3 Under Configuration Backup, click Backup Entrust Identity Enterprise
Configuration.
The Entrust Identity Enterprise Configuration Backup dialog box appears.

4 Under Backup Type, select the backup type:
• Full
Full backups contain all information required to restore the configuration and
logs, and file-based repositories.
• Partial
Partial backups contain just enough information to configure a replica
system.
5 In the Backup File Location field, enter the full path and file name of the backup
file, or click Browse to select a location and file name. The file name must have
a .zip extension.
If you click Browse, the default file name is igfullbackup_<date-time>.zip
(for a full backup) or igpartialbackup_<date-time>.zip (for a partial
backup), where <date-time> is the date and time of the backup. The file is
stored in the Entrust Identity Enterprise $IG_HOME/backups folder by default,
typically:
C:/Program Files/Entrust/IdentityGuard/identityguard130/backups

Note:
If you enter your own file name, ensure that you can recognize which backup is
the most recent file, as over time, more than one backup file may exist.

6 Click Save.
The Save Successful dialog box appears.

7 Click OK.
8 Click Close to close the Entrust Identity Enterprise Configuration Backup dialog
box.
An Exit Warning dialog box appears.
9 Click OK.

To back up your configuration on Microsoft Windows from the command line


1 Log in to the server hosting Entrust Identity Enterprise.
2 Open a command line.
3 Navigate to the $IG_HOME/bin directory, typically:
C:/Program Files/Entrust/IdentityGuard/identityguard130/bin
4 Enter the following command to back up Entrust Identity Enterprise:
igbackup [-partial|-full] [-file <file name>]
Parameters in square brackets are optional; parameters separated by a vertical bar are
mutually exclusive. Where:
• -partial creates a partial backup.
Partial backups contain just enough information to configure a replica
system.
• -full creates a full backup.
Full backups contain all information required to restore the configuration and
logs, and file-based repositories.

Note:
If you do not specify either -partial or -full, a full backup is created.

• -file allows you to specify a file name for the backup file, and <file
name> is the file name of the backup file. Enter a file name that ends with a
.zip extension. The default location is relative to your current working
directory.
If you do not specify -file <file name>, the command creates a backup
ZIP file and puts it in the default backup location at $IG_HOME/backups.
The default name includes the type of backup (partial or full) and the current
date and time. For example, if you create a partial backup on
February 24, 2020 at 15:00:45, the file name is
igpartialbackup_20200224150045.zip.
For example:
igbackup -partial -file example_backup.zip

Restoring Entrust Identity Enterprise from a backup
The restore feature is available to restore a system that has been damaged or to
migrate to a new platform.
Backups between versions of Entrust Identity Enterprise may not be compatible. If
you are not sure, open the manifest.txt file in a text editor and ensure that your
backup ZIP file contains the correct version of the files.
To restore Entrust Identity Enterprise from a backup, the backup file must be a full
backup, not a partial backup. If the backup file you use during restoration is from a
replica server, you restore a replica server. If the backup is from a primary server, you
restore a primary server.
If you create a replica server using the backup and restore features, the restoration
includes the log files and any grid card export files that were part of the replica’s
backup file. By comparison, if you configure a new replica server, it will not include
log and export files.
At the end of the restoration process, a full backup file is generated in the backups
directory; it contains the pre-restoration backup of the system configuration. A new
directory called restoredlogs is also created under the Entrust Identity Enterprise
home directory. It contains a subdirectory named after the backup date, which holds
the logs that were restored from the backup file.
After you restore your LDAP or database repository from a backup, you may need to
reconfigure the next generated grid card serial number. This prevents duplication of
serial numbers for cards that were created and manufactured between the backup
and the time the repository was restored. (See the Entrust Identity Enterprise Server
Administration Guide for information about reconfiguring the next generated grid
card serial number.)

Attention:
All preproduced grid card and token files contained in the backup are restored
and overwrite the existing preproduced grid card and token files. When you
restore Entrust Identity Enterprise, if you do not restore your repository as well,
the repository may become out-of-sync with the preproduced grid card and
token files. If your backup does not include the masterkeys.enc file, then you
cannot restore your system.

The following procedures describe how to restore Entrust Identity Enterprise from a
backup. The instructions assume that you have already restored your repository and
installed Entrust Identity Enterprise.
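The checks described above (a full rather than partial backup, a manifest.txt to inspect, and a masterkeys.enc that must be present) can be scripted before you start the restore. The following is an added example, not Entrust's code; it assumes the default igfullbackup_/igpartialbackup_ file names described under "Backing up your configuration", and that manifest.txt and masterkeys.enc are plain entries inside the ZIP (their exact location in the archive is not stated in the guide).

```python
"""Pre-restore sanity check for an Entrust Identity Enterprise backup ZIP.

Added example, not part of the Entrust product. It checks what the restore
section requires: a full (not partial) backup, and the presence of
manifest.txt and masterkeys.enc inside the archive.
"""
import io
import re
import zipfile
from datetime import datetime

# Default backup name pattern from the guide; the 14-digit timestamp layout is
# read from its example igpartialbackup_20200224150045.zip (yyyyMMddHHmmss).
NAME_RE = re.compile(r"^ig(full|partial)backup_(\d{14})\.zip$")

# Entries the restore section says must be present. Their path inside the
# archive is an assumption: the root or any subdirectory is accepted here.
REQUIRED = ("manifest.txt", "masterkeys.enc")


def parse_backup_name(name):
    """Return (backup_type, timestamp) for a default-named backup, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%Y%m%d%H%M%S")


def newest_full_backup(names):
    """Pick the most recent full backup among several default-named files.

    Useful when more than one backup has accumulated in $IG_HOME/backups and
    you need to be sure which one is the latest full backup.
    """
    candidates = []
    for n in names:
        parsed = parse_backup_name(n)
        if parsed and parsed[0] == "full":
            candidates.append((parsed[1], n))
    return max(candidates)[1] if candidates else None


def check_restore_candidate(name, data):
    """Return a list of problems for a backup; an empty list means it looks restorable."""
    problems = []
    parsed = parse_backup_name(name)
    if parsed is None:
        problems.append(f"{name}: not a default backup name, verify its type manually")
    elif parsed[0] == "partial":
        problems.append(f"{name}: partial backup, restore requires a full backup")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.namelist()
    except zipfile.BadZipFile:
        return problems + [f"{name}: not a valid ZIP file"]
    for req in REQUIRED:
        if not any(e == req or e.endswith("/" + req) for e in entries):
            problems.append(f"{name}: missing {req}")
    return problems


def check_backup_file(path):
    """Convenience wrapper: run check_restore_candidate on a file on disk."""
    with open(path, "rb") as fh:
        return check_restore_candidate(path.replace("\\", "/").rsplit("/", 1)[-1], fh.read())


def make_zip(entries):
    """Build an in-memory ZIP from {path: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archive; the manifest text is a placeholder, not the real format.
    sample = make_zip({"manifest.txt": "version=PLACEHOLDER\n",
                       "masterkeys.enc": b"\x00\x01", "logs/ig.log": "constructed"})
    print(check_restore_candidate("igfullbackup_20200224150045.zip", sample))
```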

This section contains the following procedures:
• “To restore Entrust Identity Enterprise from a backup on Linux” on page 214
• “To restore Entrust Identity Enterprise from a backup on Windows” on
page 216

To restore Entrust Identity Enterprise from a backup on Linux


1 Copy the full backup ZIP file from your Entrust Identity Enterprise Server to the
server where you will restore Entrust Identity Enterprise.
The default location for the file is $IG_HOME/backups.

Note:
All files listed here should be readable and writable by the user and group that
own Entrust Identity Enterprise.

2 Log in to the server where you will restore Entrust Identity Enterprise.
3 Prepare the server for Entrust Identity Enterprise. See “Preparing to install Entrust
Identity Enterprise” on page 21 for details.
4 Install Entrust Identity Enterprise on the server. See “Installing Entrust Identity
Enterprise” on page 39 for instructions.
5 If the configuration script is not running:
a Switch to the Linux user account that owns Entrust Identity Enterprise Server.
b Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
c Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
d Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
e Enter the following command to run the Entrust Identity Enterprise
configuration script:
./configure.sh
6 The configuration script asks if you are configuring a primary or replica server, or
restoring the configuration from a backup:

Are you configuring an Entrust Identity Enterprise primary or
replica server, or are you restoring the configuration from a
backup file? (PRIMARY, REPLICA or RESTORE):
Enter RESTORE to restore Entrust Identity Enterprise Server from a backup.
7 The configuration script prompts you to provide the configuration backup file:
Enter the name of the configuration backup file:
Enter the full path and file name of the backup ZIP file.
8 The configuration script displays the host name of the server, and asks if you
want to use that host name for the Entrust Identity Enterprise service URLs:
The hostname to be used in the service URLs and the SSL
certificate is domain.example.com.
Do you want to use this hostname? [yes or no]
a To use the host name for the service URLs, enter yes. To use a different host
name, enter no.
b If you entered no to change the host name, the configuration script prompts
you to provide the host name to use for the service URLs:
Enter the hostname to use:
Enter the host name to use for the Entrust Identity Enterprise service URLs.
9 With the embedded Tomcat application server:
a If an SSL certificate exists in the backup file, the configuration script asks if
you want to use the certificate:
An SSL certificate exists in the backup file.
If its hostname is different than domain.example.com, or if the
certificate expires, then Entrust Identity Enterprise will not
function correctly.
Would you like to use this certificate? [yes or no]
If the host name (subject name) of the certificate is different from the host
name of the server, or if the certificate has expired, Entrust Identity Enterprise will
not function correctly.
– To use the SSL certificate in the backup file, enter yes.
– To create a new SSL certificate, enter no.
b If you chose to create a new SSL certificate, the configuration script prompts
you to set the lifetime of the self-signed certificate:
Enter the lifetime in days of the certificate (default is 365):
Enter a lifetime (in days) for the self-signed certificate, or press Enter to
accept the default lifetime of 365 days.
You can switch the self-signed certificate to a CA-signed certificate later as
described in “Switching to a CA-signed certificate using keytool” on
page 171.

10 The configuration script displays the configuration summary information. For
example:
The following configuration options were chosen:
------------------------------------------------
Backup file: /tmp/full-backup-linux.zip
------------------------------------------------
System host name: domain.example.com
------------------------------------------------
Use existing certificate: false
SSL certificate lifetime: 365
------------------------------------------------
Do you want to proceed with restoring the configuration? [yes or
no]
Enter yes to restore Entrust Identity Enterprise from the backup.
11 The configuration script finishes configuring Entrust Identity Enterprise and asks
if you want to initialize Entrust Identity Enterprise:
Configuration complete.

Do you wish to initialize the primary system? [yes or no]


• To initialize Entrust Identity Enterprise later using the master user shell, enter
no.
• To initialize Entrust Identity Enterprise immediately using the configuration
script, enter yes.
You have restored the Entrust Identity Enterprise configuration from a backup. You
must initialize Entrust Identity Enterprise before you can begin using Entrust Identity
Enterprise. An uninitialized Entrust Identity Enterprise does not function. To begin
initializing Entrust Identity Enterprise, proceed to “Initializing a replica Entrust Identity
Enterprise Server or server restored from a backup” on page 140.

To restore Entrust Identity Enterprise from a backup on Windows


1 Copy the full backup ZIP file from your Entrust Identity Enterprise Server to the
server where you will restore Entrust Identity Enterprise.
The default location for the file is $IG_HOME/backups.
2 Log in to the server where you will restore Entrust Identity Enterprise.
3 Prepare the server for Entrust Identity Enterprise. See “Preparing to install Entrust
Identity Enterprise” on page 21 for details.
4 Install Entrust Identity Enterprise on the server. See “Installing Entrust Identity
Enterprise” on page 39 for instructions.

5 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust IdentityGuard > Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Entrust Identity Enterprise Configuration Panel dialog box appears.

6 Under Configuration, click Configure Entrust Identity Enterprise.

The Entrust Identity Enterprise System Type dialog box appears.

7 Click Restore.
The following warning appears:

8 Click Yes to overwrite the previously-configured Entrust Identity Enterprise.


The Entrust Identity Enterprise Configuration Wizard appears.

9 Click Next to continue.
The System Backup File page appears.

10 In the text field, enter the full path and file name of the configuration backup ZIP
file, or click Browse to locate and select the file.
11 Click Next to continue.
The System Host Name page appears.

12 In the text field, enter the host name that will be used to access the Entrust
Identity Enterprise services.
13 Click Next.

14 If Entrust Identity Enterprise uses the embedded Tomcat application server and an
SSL certificate exists in the backup file, the SSL Certificate page appears.

The page displays the host name (subject name) and expiry date of the SSL
certificate.
If the host name (subject name) of the certificate is different from the host name
of the server, or if the certificate has expired, Entrust Identity Enterprise will not
function correctly.
a Select one of the following options:
– To use the SSL self-signed certificate in the backup file, select Yes.
– To create a new SSL certificate, select No.
You can switch the self-signed certificate to a CA-signed certificate later as
described in “Switching to a CA-signed certificate using keytool” on
page 171.
b If you selected No to create a new SSL certificate, enter a lifetime (in days)
for the certificate in the Self-signed SSL certificate lifetime (in days) field.
The default lifetime is 365 days.
c Click Next to continue.

15 The Configuration Summary page appears.

This page contains a list of all information you entered into the Entrust Identity
Enterprise Configuration wizard.
a Review the configuration summary.
– If you need to change any settings, click Back to return to a previous page
and make your changes.
– (Optional.) If you need to keep a record of the configuration summary,
select and copy the configuration summary, then paste it into a text file.
b To accept the configuration, click Confirm and Save.

16 After the wizard saves the configuration changes, the Finish page appears.

a Select one of the following options:


– To initialize Entrust Identity Enterprise later, select Do not initialize the
Entrust Identity Enterprise System now.
Select this option if you are using an HSM: with an HSM, you cannot initialize
Entrust Identity Enterprise using the wizard; you must initialize Entrust Identity
Enterprise using the master user shell.
– To initialize Entrust Identity Enterprise immediately, select Initialize the
Entrust Identity Enterprise System now.
b Click Finish.

Note:
The backup file contains the URLs for Entrust Identity Enterprise services.
However, unless you are restoring from an embedded Tomcat server installation
to another embedded Tomcat server installation, the enabled/disabled setting is
not restored. After restoration, check that the Administration service,
Administration interface and the sample application are enabled or disabled, as
applicable.

You have restored the Entrust Identity Enterprise configuration from a backup. You
must initialize Entrust Identity Enterprise before you can begin using Entrust Identity
Enterprise. An uninitialized Entrust Identity Enterprise does not function. To begin
initializing Entrust Identity Enterprise, proceed to “Initializing a replica Entrust Identity
Enterprise Server or server restored from a backup” on page 140.

10 Migrating Entrust Identity Enterprise

This chapter explains how to migrate Entrust Identity Enterprise from one system to
another.
This chapter contains the following sections:
• “Migrating Entrust Identity Enterprise to another platform” on page 226
• “Migrating Entrust Identity Enterprise from a staging to a production
environment” on page 228

Migrating Entrust Identity Enterprise to another platform
You can move an existing Entrust Identity Enterprise configuration from one platform
to another—from Linux to Windows for example—using the backup and restore
features described in “Backing up and restoring Entrust Identity Enterprise” on
page 201.
Entrust Identity Enterprise does not restore or move your data repository but does
move the file-based repositories used for unassigned tokens and preproduced cards,
if they exist.
There is no need to migrate your data repositories because the restored Entrust
Identity Enterprise configuration continues to use the same URL to connect to your
repository. If you do move your data repositories, do so before installing Entrust
Identity Enterprise on the new platform. Also, ensure that you restore from a backup
taken after this migration because the settings in the identityguard.properties
file may change as a result of the move.
If you have moved or renamed any Entrust Identity Enterprise files, such as
disallowedpasswords.txt and qamap.txt, they may end up in default
directories after migration. When moving between platforms, it is highly unlikely that
directory or folder hierarchies will be the same, and some directories or folders may
not exist. In this case, Entrust Identity Enterprise restores moved files to the default
Entrust Identity Enterprise directories and folders.
If you are migrating from an earlier release of Entrust IdentityGuard that supported
an existing application server (WebLogic or WebSphere) to a Release 13.0 or later
installation that supports only the embedded Tomcat application server, ensure that
there are two separate SSL ports for the Authentication and Administration services.
Follow these high-level steps to migrate from a source platform to a target platform
with a different operating system.

To migrate to another platform


1 On the target platform, install Entrust Identity Enterprise. See “Installing Entrust
Identity Enterprise” on page 39 for instructions.
2 Stop the Entrust Identity Enterprise services on the source platform. This should
be part of a scheduled shutdown that is communicated to your users. See
“Shutting down the old server” on page 227.
3 On the source platform, use the Entrust Identity Enterprise backup feature to
create a full backup of the primary or replica server you want to migrate. (See
“Backing up your configuration” on page 207 for details.)
4 Copy the backup ZIP file from the source platform to a directory under the
Entrust Identity Enterprise home directory on the target platform.

5 Use the Entrust Identity Enterprise restore feature to restore the configuration
from the backup files. (See “Restoring Entrust Identity Enterprise from a backup”
on page 213 for details.)
6 Update your client applications to use the new URLs for the Entrust Identity
Enterprise services.
7 Start the Entrust Identity Enterprise services on the target platform.
8 Test your applications to see if they perform as expected.
9 Uninstall Entrust Identity Enterprise on the old platform.

Shutting down the old server


Before you migrate Entrust Identity Enterprise to a new platform, you must shut
down Entrust Identity Enterprise Server on the old platform. You need to complete
the migration and testing before you give users access to the installation on the new
server.
You do not want to have two installations of Entrust Identity Enterprise running
simultaneously because it may put the following out of sync:
• log files
• file-based grid card, token, and smart credential repositories, if used
• IP and country blacklists
• the disallowedpasswords.txt and qamap.txt files
These files will quickly become different if users on both installations can
authenticate, or administrators on both systems can assign cards and tokens, and
update files used for authentication. Also, so that these files stay synchronized, ensure
that your old system is shut down before taking the backup file to use for migration.

Migrating Entrust Identity Enterprise from a staging to a production environment
Typically, Entrust Identity Enterprise is tested in a staging environment before it is
moved over to a production environment. A staging environment allows you to plan
your configuration, including policy settings, property values, administrative roles,
and user data in a safe setting.
The following describes how to migrate Entrust Identity Enterprise from the staging
system to the production system. You may need only a subset of these steps if you
are making changes to an existing production system.
To migrate from a staging system to a production system, follow these steps:
1 Migrate policies (see “Migrating policies” on page 228)
2 Migrate roles (see “Migrating roles” on page 229)
3 Migrate tokens (see “Migrating tokens” on page 230)
4 Migrate soft tokens (see “Recreating soft tokens in the production system” on
page 232)
5 Migrate grid cards (see “Migrating grid cards” on page 233)
6 Migrate properties (see “Migrating properties” on page 234)

Note:
User data migration is not supported. This means that things like contact
information, shared secrets, questions and answers, mutual authentication
images, full name, expected IP addresses, IP location history, and so on, cannot
be preserved when you move to the production system.

Migrating policies
Migrate policies by exporting them from the staging system and importing them into
the production system. Follow the instructions below.

To migrate policies
1 On the staging system, log in to the master user shell. For instructions, see the
Entrust Identity Enterprise Master User Shell Command Reference.
2 Enter the following command:
policy get <policy_name> -export <filename>

Where:
• <policy_name> is the name of the policy to export, as defined in the
Entrust Identity Enterprise Administration interface.
• <filename> is the location and name of the export file to be created.
For example:
policy get default_policy -export c:/policies/default_policy.txt
3 Repeat Step 2 for each policy on your staging system. (There is no way to export
all policies at once.)
4 Copy all policy files to the production system and import each using the following
master user shell command:
policy create <policy_name> -import <filename>
Where:
• <policy_name> is the name of the policy to be created on the production
system. You can use the name that was used on the staging system, or you
can choose a new name.
• <filename> is the path and name of the file containing the policy.
For example:
policy create default_policy -import c:/policies/default_policy.txt
You have now imported your policies to the production system.

Migrating roles
Migrate roles by exporting them from the staging system and importing them into
the production system. Follow the instructions below.

To migrate roles
1 On the staging system, log in to the master user shell. For instructions, see the
Entrust Identity Enterprise Master User Shell Command Reference.
2 Enter the following command:
role get <role_name> -export <filename>
Where:
• <role_name> is the name of the role to export, as defined in the Entrust
Identity Enterprise Administration interface.
• <filename> is the location and name of the export file to be created.
For example:
role get user_role -export c:/roles/user_role.txt

3 Repeat Step 2 for each role on your staging system. (There is no way to export
all roles at once.)
4 Copy all role files to the production system and import each using the following
master user shell command:
role create <role_name> -import <filename>
Where:
• <role_name> is the name of the role to be created on the production
system. You can use the name that was used on the staging system, or you
can choose a new name.
• <filename> is the path and name of the file containing the role.
For example:
role create user_role -import c:/roles/user_role.txt
You have now imported your roles to the production system.

Migrating tokens
It is impossible to migrate assigned hardware tokens. To achieve the same result, you
must unassign the tokens, export all users on the staging system who had tokens,
import them into the production system, and then reassign their tokens in the
production system. Instructions follow.
To migrate unassigned tokens, all you need to do is load the token data file into the
production system. You can do this using the Administration interface or master user
shell. For details, see the Entrust Identity Enterprise Server Administration Guide or
the Entrust Identity Enterprise Master User Shell Reference.

To reassign hardware tokens in the production system


1 On the staging system, log in to the Administration interface and generate a
report of token users and their assigned token serial numbers. To generate the
report, complete the following steps:
a In the top menu, click Reports.
b In the Report Name list, click Token Search CSV Report, and then click Next.
c Enter a report description, and then click Generate Report.
d In the Report List, click the name of the report you generated.
e On the Report Details page, click Download CSV Report.
f On the File Download dialog box, click Save, then specify a file name and
location for the report and click Save again.
g Locate the report file and open it in a spreadsheet editor like Microsoft Excel.
h Delete the top row of the report.

i Delete all columns except User Name, Token Vendor, and Serial #.
j Replace the text in the column header row with userid, tokenVendor, and
serialNumber. Your CSV file should look something like the following
example:

k Save the file. Ensure it is saved in CSV format.


2 On the staging system, log in to the master user shell and generate a list of users
who have assigned hardware tokens. Run this command:
user list -tokenvendor <vendor> -export <path>/tokenusers.xml
Where:
• <vendor> is the token vendor. To get a list of token vendors, run the token
vendor list command.
• <path> is a path where you want the tokenusers.xml file to go.
The generated tokenusers.xml file contains a list of all the users who have
been assigned tokens from the specified vendor.
3 To unassign tokens from users in the staging system, run this command:
user token unassign -import <path>/tokenusers.xml -all -force
Where:
• <path> is a path to the tokenusers.xml file you created in the previous
step.
The tokens are unassigned from the users in the list.
4 Copy the tokenusers.xml file to the production system.
5 To create the users on the production system, run the following master user shell
command:
user create -import <path>/tokenusers.xml
Where <path> is the path to the tokenusers.xml file on the production
system.
6 On the production system, load the token data file. You can use the
Administration interface or the master user shell. For details, see the Entrust
Identity Enterprise Server Administration Guide or the Entrust Identity Enterprise
Master User Shell Command Reference.

7 To assign new tokens to each of the imported users, in the master user shell, run
the following command:
user token assign -bulk <path>/<file>.csv
Where <path> is the path to the CSV file you created in Step 1.
You have now created users on the production system and have reassigned the
tokens they had assigned in the staging system.
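Steps 1g to 1k above (drop the top row, keep only User Name, Token Vendor and Serial #, rename the headers to userid, tokenVendor and serialNumber, save as CSV) are easy to get wrong by hand when the report is large. The following is an added example, not Entrust's code, that performs the same conversion on the downloaded report; the sample report embedded in it is constructed, and any column names other than the three the guide names are assumptions about the report layout.

```python
"""Convert a Token Search CSV Report into the bulk-assignment CSV for
`user token assign -bulk` (added example, not part of the Entrust product)."""
import csv
import io

# Report header names and the names the guide says to replace them with (step 1j).
COLUMN_MAP = {
    "User Name": "userid",
    "Token Vendor": "tokenVendor",
    "Serial #": "serialNumber",
}


def convert_token_report(report_text, skip_top_rows=1):
    """Return the bulk-assign CSV built from the downloaded report text.

    The guide says to delete the top row before the column header row; the
    number of such leading rows is a parameter in case a report carries more.
    Rows with an empty user name, vendor or serial number are dropped: they
    describe nothing that `user token assign -bulk` could reassign (assumption).
    """
    lines = report_text.splitlines()
    if len(lines) <= skip_top_rows:
        raise ValueError("report has no header row after the rows to skip")
    reader = csv.DictReader(lines[skip_top_rows:])
    missing = [c for c in COLUMN_MAP if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"report is missing expected columns: {missing}")

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(list(COLUMN_MAP.values()))
    kept = 0
    for row in reader:
        values = [(row.get(c) or "").strip() for c in COLUMN_MAP]
        if not all(values):
            continue
        writer.writerow(values)
        kept += 1
    return out.getvalue(), kept


def convert_token_report_file(report_path, out_path, skip_top_rows=1):
    """File-based wrapper: read the saved report, write the CSV for step 7."""
    with open(report_path, newline="", encoding="utf-8") as fh:
        text, kept = convert_token_report(fh.read(), skip_top_rows)
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        fh.write(text)
    return kept


# Constructed sample report: a title row, then the header row with extra
# columns that must be dropped. "examplevendor" and the extra column names
# are placeholders, not real report content.
SAMPLE_REPORT = """Token Search CSV Report,constructed sample
User Name,Group,Token Vendor,Serial #,Token State
alice,users,examplevendor,1234567,Active
bob,users,examplevendor,2345678,Active
,users,examplevendor,3456789,Unassigned
"""

if __name__ == "__main__":
    text, kept = convert_token_report(SAMPLE_REPORT)
    print(f"{kept} users to reassign")
    print(text, end="")
```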

Recreating soft tokens in the production system


It is impossible to migrate existing soft tokens. To achieve the same result, you must
export all users on the staging system who had soft tokens, import them into the
production system, and then create new soft tokens for them. Users must then
activate their new soft tokens. Instructions follow.

To migrate soft tokens


1 On the production system, ensure you have the required Soft Tokens licenses. For
details, see the Entrust Identity Enterprise Server Administration Guide.
2 On the staging system, log in to the master user shell.
3 Run this command:
user list -tokenvendor <vendor> -export <path>/softtokenusers.xml
Where:
• <vendor> is the soft token vendor, typically softtoken. To get a list of
token vendors, run the token vendor list command.
• <path> is a path where you want the softtokenusers.xml file to go.
The generated softtokenusers.xml file contains a list of all the users who
have been assigned tokens from the specified vendor.
4 Copy softtokenusers.xml file to the production system.
5 Add users on the production system using the following master user shell
command:
user create -import <path>/softtokenusers.xml
Where <path> is the path to the softtokenusers.xml file on the production
system.
6 Have users create new soft tokens using self-service, or create new soft tokens
for each of the imported users with the following command:
user token create -import <path>/softtokenusers.xml
You have now created users on the production system and have created soft
tokens for them.

7 If you created soft tokens for the users, have the users activate their soft tokens.
For details on ways to activate soft tokens, see the Entrust Identity Enterprise
Server Administration Guide.

Migrating grid cards


It is impossible to migrate assigned cards. The best you can do is: export all users on
the staging system who had cards, import them into the production system, and then
assign them new cards. Instructions follow.
Migrating unassigned cards is possible, and would typically only be done if you had
already printed the cards. If you have not yet printed cards, creating new unassigned
cards in the production system is easier than migrating them. Instructions on
migrating unassigned cards are provided below.

To migrate assigned grid cards


1 On the staging system, log in to the master user shell.
2 Run this command:
user list -cardState pending hold_pending current canceled hold -export <path>/cardusers.xml
Where <path> is a path where you want the cardusers.xml file to go.
The generated cardusers.xml file contains a list of all the users who have cards
in any state.
3 Copy cardusers.xml file to the production system.
4 Add users on the production system using the following master user shell
command:
user create -import <path>/cardusers.xml
Where <path> is the path to the cardusers.xml file on the production system.
5 Assign new cards for each of the imported users:
user card create -import <path>/cardusers.xml
You have now created users on the production system and assigned them new
cards.

To migrate unassigned grid cards


1 On the staging system, log in to the master user shell.
2 Run this command:
card list -export <filename>
Where <filename> is the location and name of the export file to be created.
For example:

card list -export c:/cards/unassigned_cards.xml
3 Copy the unassigned cards file to the production system and import it using the
following master user shell command:
card create -import <filename>
Where <filename> is the path and name of the unassigned cards file.
For example:
card create -import c:/cards/unassigned_cards.xml
You have now imported your unassigned grid cards to the production system.

Migrating properties
Migrate over reusable sections of the identityguard.properties file from the
staging system to the production system.
The production system service and repository properties are set when you installed
and initialized Entrust Identity Enterprise on the production server.
You may, however, be able to copy some sections of the properties file used on the
staging server directly to your production server properties file. Some possible
examples include:
• VPN configurations
• Out-of-band delivery configurations
• search base configurations
If you copy any properties sections containing encrypted properties, you must
re-enter those properties as clear text using the Properties editor; the encrypted
value from the staging system cannot be used on the production system. Encrypted
properties are prefixed with an ampersand ‘&’, for example:
&identityguard.igradius.radius.secret=MIAEFNLO8Yl8gJ4iZsama/HyXVkyPV
When you restart Entrust Identity Enterprise, your plaintext entries become
encrypted.
If you are copying multiple repository definitions from the test system, you may have
to update the group/repository mappings on the production version of Entrust
Identity Enterprise.

Attention:
You must take care when copying repository settings between systems to avoid
overwriting existing data.
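The merge described above can be scripted so that nothing the production file already defines is overwritten and every encrypted property is listed for manual re-entry instead of being copied. The following Python is an added example, not Entrust code or a tool shipped with the product. It assumes the Java properties syntax shown above (key=value, with ‘&’ marking an encrypted value); the constructed sample files use the property names quoted in this guide (identityguard.igradius.radius.secret, identityguard.ldap.url, identityguard.ldap.vendor) plus two assumed names (identityguard.igradius.radius.port, identityguard.ldap.searchbase) that may not exist in a real deployment.

```python
"""Carry reusable sections of a staging identityguard.properties into the
production file without overwriting anything production already defines,
and list the encrypted (&-prefixed) properties whose plaintext must be
re-entered in the Properties editor.  Added example, not Entrust code.
Property names other than the ones quoted in the guide are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style properties: key=value or key:value, '#'/'!' comments,
    backslash line continuations.  Keys keep a leading '&' if present."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)   # join continued lines
    props: Dict[str, str] = {}
    for line in joined.splitlines():
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)[ \t]*[=:][ \t]*(.*)$", s)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def render_properties(props: Dict[str, str]) -> str:
    return "".join(f"{k}={v}\n" for k, v in props.items())


@dataclass
class MergeReport:
    merged: Dict[str, str]
    copied: List[str] = field(default_factory=list)        # taken from staging
    kept_existing: List[str] = field(default_factory=list)  # production wins
    reenter: List[str] = field(default_factory=list)        # type plaintext in editor


def merge_sections(staging: Dict[str, str], production: Dict[str, str],
                   prefixes: Iterable[str]) -> MergeReport:
    """Copy staging keys under the given prefixes into production.
    - a key production already defines is left untouched (never clobber);
    - an '&'-prefixed key holds ciphertext produced on the staging server,
      so it is reported for manual re-entry instead of being copied."""
    merged = dict(production)
    report = MergeReport(merged=merged)
    for key, value in staging.items():
        plain = key[1:] if key.startswith("&") else key
        if not any(plain.startswith(p) for p in prefixes):
            continue
        if plain in merged or "&" + plain in merged:
            report.kept_existing.append(plain)
            continue
        if key.startswith("&"):
            report.reenter.append(plain)
            continue
        merged[plain] = value
        report.copied.append(plain)
    return report


def ldap_vendor_missing(props: Dict[str, str]) -> bool:
    """The upgrade warns when identityguard.ldap.url is set but
    identityguard.ldap.vendor is not; detect that before you start."""
    return "identityguard.ldap.url" in props and "identityguard.ldap.vendor" not in props


# Constructed sample files (not from a real deployment).
STAGING = """\
# RADIUS proxy section on the staging server
identityguard.igradius.radius.port=1812
&identityguard.igradius.radius.secret=MIAEFNLO8Yl8gJ4iZsama/HyXVkyPV
identityguard.ldap.url=ldap://staging-dir.example.test:389
identityguard.ldap.searchbase=ou=people,dc=example,dc=test
"""
PRODUCTION = """\
identityguard.ldap.url=ldaps://prod-dir.example.test:636
"""


def demo() -> MergeReport:
    return merge_sections(parse_properties(STAGING), parse_properties(PRODUCTION),
                          prefixes=("identityguard.igradius.", "identityguard.ldap."))


if __name__ == "__main__":
    r = demo()
    print(render_properties(r.merged))
    print("copied:", r.copied)
    print("kept production value for:", r.kept_existing)
    print("re-enter as plaintext in the Properties editor:", r.reenter)
```

Run it against copies of both files, write the merged output to the production properties file, then enter the plaintext for each key in the re-enter list with the Properties editor and restart the server so the values are encrypted in place. The production value always wins on a collision, which is the safeguard the Attention note above asks for.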

11 Upgrading Entrust Identity Enterprise


This chapter is intended for installers and administrators who are responsible for
upgrading Entrust Identity Enterprise. It provides an overview, steps for upgrading
Entrust Identity Enterprise, and differences from previous releases.

Attention:
Before you proceed with an upgrade, back up your configuration. See “Backing
up and restoring Entrust Identity Enterprise” on page 201 for instructions.

This chapter contains the following sections:


• “Upgrade overview” on page 236
• “Upgrading Entrust Identity Enterprise on Windows” on page 243
• “Upgrading Entrust Identity Enterprise on Linux” on page 251

Upgrade overview
Use the procedures in this section to ensure your upgrade process runs smoothly.
Topics in this section:
• “Supported upgrade paths” on page 236
• “Upgrade preparation” on page 237
• “Upgrading the operating system and Entrust Identity Enterprise” on
page 238
• “Upgrade worksheet” on page 239
• “Multi-server considerations” on page 240
• “High-availability considerations” on page 240
• “Web service and API considerations” on page 242
• “Logging an upgrade” on page 242

Supported upgrade paths


The following upgrade paths are supported for Entrust Identity Enterprise
installations.

Table 17: Supported upgrade paths

Upgrade from this release               To this release
Entrust IdentityGuard Server 10.2       12.0, then 13.0
Entrust IdentityGuard Server 10.2 FP1   12.0, then 13.0
Entrust IdentityGuard Server 11.0       12.0, then 13.0
Entrust IdentityGuard Server 12.0       13.0

In cases where an upgrade to release 12.0 is required, the subsequent upgrade to
release 13.0 can be applied immediately after the first. There is no need to run release
12.0 in the production environment before upgrading to release 13.0. For instructions
on upgrading to release 12.0, see the Entrust IdentityGuard Server 12.0 Installation
Guide.

Note:
Support for Unix operating systems (Solaris was previously supported) has
been discontinued in Entrust Identity Enterprise 13.0.

Note:
Support for the IBM WebSphere and Oracle WebLogic application servers has
been discontinued in Entrust Identity Enterprise 13.0.

Upgrade preparation
Follow the advice in this section to ensure you are ready to upgrade.
• Backup: Back up your Entrust IdentityGuard installation and your repository.
If using a virtual machine, take a snapshot so you can roll back to it, if
necessary. See “Upgrade worksheet” on page 239 and “Backing up your
configuration” on page 207.
• Disk space: Ensure that you have sufficient disk space available prior to
beginning the upgrade.
• Permissions: On Microsoft Windows servers, run the upgrade with
administrator permissions and, if possible, use the same administrator
account used to install the previous version of Entrust IdentityGuard (now
Entrust Identity Enterprise).
• Time zone: If you have made time zone definition updates to the Java
Runtime Environment, those updates are lost when you upgrade Entrust
Identity Enterprise.
• During the upgrade, the JRE and WAR files are replaced. Entrust Identity
Enterprise 13.0 includes AdoptOpenJDK JRE version 11.0.8_10. For more
information, see https://adoptopenjdk.net/.
• If the upgrade fails before completion, you must restore the system from a
repository backup. See “Restoring Entrust Identity Enterprise from a backup”
on page 213.
• Any changes you made to the web.xml file or other files inside the WAR
files, such as images, are lost each time you install a patch or upgrade to a
new version of Entrust Identity Enterprise. You should back them up so that
you can replace them after upgrade.
• If you are using a Novell eDirectory repository, and your Entrust Identity
Enterprise installation includes many roles (more than about 30), your
upgrade may fail. If you run into this problem, please contact Entrust
customer support for assistance.
• If you used an HSM setup with the 32-bit version of the Luna SA client with
Entrust IdentityGuard release 11.0 or earlier, when you upgrade to Entrust
Identity Enterprise 13.0, you must manually update the location of the Luna
SA library. The default location of the 64-bit Luna SA library is:
– on Linux: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
– on Windows: C:\Program Files\Safenet\Lunaclient\cryptoki.dll
• If you used an HSM setup with the 32-bit version of the nCipher client with
Entrust IdentityGuard release 11.0 or earlier, when you upgrade to Entrust
Identity Enterprise 13.0, you may have to manually update the location of
the nCipher library. The default location of the 64-bit nCipher library is
expected to be in the same location as it is in the 32-bit version of the
nCipher client, but it is recommended that you double-check this and
manually update the location if necessary before proceeding.
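Because Entrust Identity Enterprise 13.0 is 64-bit only, a 32-bit Luna SA or nCipher client library left over from release 11.0 or earlier cannot be loaded, and it is better to confirm the library's bitness before the upgrade than to discover a failed HSM load afterwards. The following Python check is an added example, not Entrust code: it reads the ELF (.so) or PE (.dll) header of the library you point it at and reports whether the module is 32- or 64-bit. It does not know where your deployment stores the library path, so pass it explicitly; the header images used for testing are constructed and are not loadable libraries.

```python
"""Pre-upgrade check: is the HSM PKCS#11 library a 64-bit module?
Added example, not Entrust code.  Pass the configured library path on the
command line; the fake_* builders produce constructed header images for
testing only."""
import struct
from pathlib import Path
from typing import Optional, Tuple


def library_bitness(data: bytes) -> Optional[int]:
    """Return 32 or 64 for an ELF or PE image, None if it is neither."""
    if data[:4] == b"\x7fELF" and len(data) > 4:
        return {1: 32, 2: 64}.get(data[4])                # e_ident[EI_CLASS]
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        # IMAGE_FILE_HEADER is 20 bytes; the optional header's Magic follows it
        magic = struct.unpack_from("<H", data, pe_off + 24)[0]
        return {0x10B: 32, 0x20B: 64}.get(magic)          # PE32 / PE32+
    return None


def check_hsm_library_image(name: str, data: bytes) -> Tuple[bool, str]:
    """Verdict for an in-memory image; True only for a 64-bit module."""
    bits = library_bitness(data)
    if bits == 64:
        return True, f"{name}: 64-bit module, OK"
    if bits == 32:
        return False, f"{name}: 32-bit module; point the server at the 64-bit client library"
    return False, f"{name}: not recognised as an ELF or PE module"


def check_hsm_library(path: str) -> Tuple[bool, str]:
    """Verdict for the library at path (only the header is read)."""
    p = Path(path)
    if not p.is_file():
        return False, f"{path}: not found; update the library location before upgrading"
    return check_hsm_library_image(path, p.read_bytes()[:4096])


def fake_elf(bits: int) -> bytes:
    """Constructed minimal ELF header for testing; not a loadable library."""
    return b"\x7fELF" + bytes([2 if bits == 64 else 1]) + bytes(59)


def fake_pe(bits: int) -> bytes:
    """Constructed minimal PE header: MZ stub, PE signature, optional-header Magic."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew -> 0x40
    hdr += b"PE\0\0" + bytes(20) + struct.pack("<H", 0x20B if bits == 64 else 0x10B)
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    ok, msg = check_hsm_library(sys.argv[1])
    print(msg)
    sys.exit(0 if ok else 1)
```

Run it with the library path your configuration names, for example the Luna SA default quoted above, on each server before stopping the services; a non-zero exit means the path or the client installation needs attention first.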

Upgrading the operating system and Entrust Identity Enterprise


If you are also upgrading to a new major release of the operating system (OS),
for example Windows 2012 to 2019 or RHEL 7.x to 8.x, you must perform the OS
upgrade and the Entrust Identity Enterprise upgrade as separate steps.
The order in which you perform the upgrades depends on which versions of the
OS are supported by the old and new versions of Entrust Identity Enterprise.
The following scenarios outline the order of upgrade tasks.

To upgrade the operating system first


1 Back up Entrust Identity Enterprise on the system running the old operating
system (OS).
2 Install the old version of Entrust Identity Enterprise on the new OS. For
instructions, see the corresponding version of the Entrust Identity Enterprise
Server Installation Guide.
3 Restore the Entrust Identity Enterprise configuration from the backup.
4 Upgrade Entrust Identity Enterprise on the new system. Follow the upgrade
instructions in this guide.

To upgrade Entrust Identity Enterprise first


1 Upgrade Entrust Identity Enterprise on the system running the old operating
system (OS). Follow the upgrade instructions in this guide.
2 Back up Entrust Identity Enterprise on the system running the old OS.
3 Install the new version of Entrust Identity Enterprise on the new OS.
4 Restore the Entrust Identity Enterprise configuration from the backup.

Upgrade worksheet
Use the worksheet in Table 18 as a checklist to upgrade Entrust Identity Enterprise.

Table 18: Upgrade worksheet

Check supported platforms
    Some older versions of Entrust and third-party software and
    third-party hardware might continue to work with this release;
    however, only those listed as supported in the release notes are
    fully supported.

Check disk space
    Ensure that you have sufficient disk space available prior to
    beginning the upgrade.

Check permissions
    On Microsoft Windows servers, run the upgrade with administrator
    permissions and, if possible, use the same administrator account
    used to install the previous version of Entrust IdentityGuard (now
    Entrust Identity Enterprise).

Back up installation and repositories
    To back up the Entrust Identity Enterprise server, see “Backing up
    your configuration” on page 207.
    You should also back up your user repositories. At minimum, back up
    all user records that are associated with Entrust object classes.
    If using a virtual machine, take a snapshot so you can roll back to
    it, if necessary.

Save custom Tomcat settings (Windows platforms only)
    Save customized Tomcat settings to re-apply after the upgrade. The
    previous version of the Tomcat application server is removed and
    reinstalled as part of the upgrade, so any custom service settings
    you configured for Tomcat (startup type, log-on account) are removed.
    For example, when using a Microsoft CA, the service has a Startup
    Type of Automatic (the default) or Manual. If you had configured the
    service for Manual startup, after the upgrade the setting reverts to
    the default. Similarly, if you had configured the Entrust
    IdentityGuard (now Entrust Identity Enterprise) Server service to log
    on with a specific account, that setting reverts to the default. You
    must reapply your custom settings after the upgrade.

Stop related services
    If you are running other Entrust Identity Enterprise products
    (Federation Module or Self-Service Module) on the same computer as
    an Entrust Identity Enterprise server, stop the services for those
    products before upgrading. Not doing so can result in the issue
    described in the Entrust Identity Enterprise Release Notes (known
    issue IDG-11538).

Upgrade Entrust Identity Enterprise
    Complete the procedure for your operating system:
    • “Upgrading Entrust Identity Enterprise on Windows” on page 243
    • “Upgrading Entrust Identity Enterprise on Linux” on page 251
    Note: You must use one of the Master User passwords to complete the
    upgrade procedure.
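The preparation list above warns that customizations inside the WAR archives (web.xml, images) are lost on every upgrade or patch, and the worksheet asks you to save anything the upgrade reverts so you can re-apply it. The following Python is an added example, not Entrust code: before the upgrade it records a hash of each customized WAR member and copies the members out, and afterwards it reports which members the new WAR reverted, so you re-apply exactly what changed. The member names, the sample web.xml contents and the in-memory WARs are constructed assumptions; the real WAR file names under IG_HOME are not given here and must be supplied by you.

```python
"""Record and verify customised WAR members across an upgrade or patch.
Added example, not Entrust code.  CUSTOMISED and the sample archives are
constructed assumptions; supply your own WAR paths and member names."""
import hashlib
import io
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List

# Members you have customised (assumed); web.xml and images are the usual ones.
CUSTOMISED = ("WEB-INF/web.xml", "images/logo.png")


def war_snapshot(war_bytes: bytes, members: Iterable[str] = CUSTOMISED) -> Dict[str, str]:
    """Map each customised member present in the archive to its SHA-256."""
    snap: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        names = set(zf.namelist())
        for m in members:
            if m in names:
                snap[m] = hashlib.sha256(zf.read(m)).hexdigest()
    return snap


def save_customised(war_bytes: bytes, dest: Path,
                    members: Iterable[str] = CUSTOMISED) -> List[str]:
    """Copy the customised members out to dest/<member> for later re-application."""
    saved: List[str] = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        names = set(zf.namelist())
        for m in members:
            if m in names:
                target = dest / m
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(m))
                saved.append(m)
    return saved


def reverted_after_upgrade(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Members whose content differs from, or is missing in, the post-upgrade WAR."""
    return sorted(m for m, digest in before.items() if after.get(m) != digest)


def build_war(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory WAR (a zip) from {member: content}; for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a customised web.xml before the upgrade, stock web.xml after,
# and an image the upgrade left alone.
CUSTOM_WEB_XML = b"<web-app><session-config><session-timeout>10</session-timeout></session-config></web-app>"
STOCK_WEB_XML = b"<web-app><session-config><session-timeout>30</session-timeout></session-config></web-app>"
BEFORE_WAR = build_war({"WEB-INF/web.xml": CUSTOM_WEB_XML, "images/logo.png": b"PNG-custom"})
AFTER_WAR = build_war({"WEB-INF/web.xml": STOCK_WEB_XML, "images/logo.png": b"PNG-custom"})


def demo() -> List[str]:
    """Which customised members did the (constructed) upgrade revert?"""
    return reverted_after_upgrade(war_snapshot(BEFORE_WAR), war_snapshot(AFTER_WAR))


if __name__ == "__main__":
    print("reverted by upgrade:", demo())
```

In a real run, call war_snapshot and save_customised on each WAR before stopping the services, keep the snapshot dictionary with your configuration backup, and run reverted_after_upgrade against the new WAR once the upgrade completes; the members it lists are the ones to restore from the saved copies, after you have checked that the new web.xml has not added settings the old one lacks.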

Multi-server considerations
If you have multiple Entrust Identity Enterprise servers configured, upgrade them
following the procedure below.

Note:
The following upgrade procedure assumes you can take your servers offline for
a brief period. If you would rather maintain high-availability throughout the
upgrade, see instead “High-availability considerations” on page 240 for a
different procedure.

To upgrade in a multi-server environment


1 Back up all Entrust Identity Enterprise servers so that you can restore a working
configuration if needed. Back up the repository as well, because the upgrade
changes the repository data.
2 Take all servers offline.
3 Upgrade all Entrust Identity Enterprise servers, as well as database or LDAP
servers. For detailed instructions, see:
• “Upgrading Entrust Identity Enterprise on Windows” on page 243
• “Upgrading Entrust Identity Enterprise on Linux” on page 251
4 Bring all servers online again.

High-availability considerations
An Entrust Identity Enterprise upgrade normally requires a short service outage while
you apply changes to the repository schema and run the upgrade script. If you cannot
take your system offline, even for a short time, then follow the procedure below to
provide continuous service.

Note:
For clarity, the following procedure uses Entrust Identity Enterprise 12.0 (with the
latest patch) as the version to be upgraded. Although 12.0 is assumed, the
instructions apply to any supported starting version of Entrust Identity Enterprise.

To upgrade while maintaining availability


1 Have your existing Entrust Identity Enterprise system running against your
chosen database or LDAP directory. This system continues authenticating users
until the 13.0 cut-over.
2 Configure a replica database or LDAP server that mirrors your current primary
Entrust Identity Enterprise database or LDAP server.
3 Install a new Entrust Identity Enterprise 12.0 server, pointing at the replica
database or LDAP server, and restoring settings from the existing 12.0 system.
4 Shortly before starting the upgrade:
• Tell Entrust Identity Enterprise administrators to stop making changes to
users and policies on the old system. (At this point, the old system continues
to authenticate users.)
• Stop replication between the old and new database or LDAP servers. (Make
sure replication is complete before the stoppage.)
5 Start the upgrade:
• Apply the 13.0 schema change to the replica database or LDAP server.
• Upgrade the new Entrust Identity Enterprise 12.0 server to 13.0.
• Initialize the new system.
For detailed instructions, see:
• “Upgrading Entrust Identity Enterprise on Windows” on page 243
• “Upgrading Entrust Identity Enterprise on Linux” on page 251
6 After completing the upgrade, cut over authentications to the new Entrust
Identity Enterprise 13.0 server, and decommission the old Entrust Identity
Enterprise server, as well as the database or LDAP server.

During the cut-over, some non-critical data will be lost. This data includes:
• time of last authentication
• card states
• grid usage counts
• temporary PIN remaining uses
• OTPs used/not used
• token event counts
• user lockout counts
This data is non-critical, and does not affect the system. Still, if data loss is a concern,
Entrust suggests that you perform the cut-over at a low-traffic time of day.

Web service and API considerations


When you upgrade to Entrust Identity Enterprise 13.0, you will have access to the
new V11 versions of the Web services and APIs. The V11 versions are the latest for
Entrust Identity Enterprise and include the new features available in Entrust Identity
Enterprise 13.0.
There are several points to consider:
• V9 and V10 services are still available in Entrust Identity Enterprise 13.0 and
are named the same way.
• Applications using V9 and V10 services still work after you upgrade to
Entrust Identity Enterprise 13.0.
• New Entrust Identity Enterprise functionality is only available through the
V11 services.
• Some application changes are required to take advantage of the V11 services
(See the Entrust Identity Enterprise Programming Guides).
• There are no significant behavior changes if you are running V9 and V10
applications with Entrust Identity Enterprise 13.0.
For more information about the Entrust Identity Enterprise APIs, see the Entrust
Identity Enterprise Programming Guides.

Logging an upgrade
During an upgrade, messages are written to a log file in the $IG_HOME/logs
directory. The log file names are:
• On Linux, upgrade.log
• On Windows, configpanel.log
See the Entrust Identity Enterprise Server Administration Guide for more details on
configuring logging and auditing.

Upgrading Entrust Identity Enterprise on
Windows
You can upgrade Entrust Identity Enterprise Server on Windows directly from a
previous installation of Entrust IdentityGuard 12.0. Installations of 10.2, 10.2 FP1,
or 11.0 must first be upgraded to 12.0. See “Supported upgrade paths” on page 236.

To upgrade Entrust Identity Enterprise Server


1 Download and extract the Entrust Identity Enterprise 13.0 software. See
“Downloading Entrust Identity Enterprise software” on page 30 for instructions.
2 Install the appropriate Entrust Identity Enterprise upgrade schema for your
repository.
Refer to the specific schema configuration instructions for your directory or
database in either the Entrust Identity Enterprise Directory Configuration Guide
or the Entrust Identity Enterprise Database Configuration Guide.
3 If you used an HSM setup with the 32-bit version of the Luna SA client for a
previous release of Entrust Identity Enterprise Server, when you upgrade to
Entrust Identity Enterprise Server 13.0, you must manually update the location of
the Luna SA library to a 64-bit version. Entrust Identity Enterprise Server 13.0 is
64-bit only.
The default location of the 64-bit Luna SA library is:
C:\Program Files\LunaSA\cryptoki.dll
Confirm the path against your installed Luna client before proceeding.
No such manual update is generally required for the nCipher library (if using an
nCipher HSM), as the default location is expected to be unchanged.
4 Stop the Entrust Identity Enterprise and Entrust Identity Enterprise Radius Proxy
services:
a Open Windows Services (select Start > Administrative Tools > Services).
The Services dialog box appears.
b Select Entrust Identity Enterprise Server, then click Stop.
c Select Entrust Identity Enterprise Radius Proxy, then click Stop.
d Close the Services dialog box.
You must close the Windows Services panel before upgrading Entrust Identity
Enterprise. If you leave it open, the upgrade will remove the Entrust Identity
Enterprise service permanently, and the only way to get it back is to re-install it
by running the following command:
<IG_HOME>\bin\service.exe install
Where <IG_HOME> is the Entrust Identity Enterprise installation directory,
typically:

C:\Program Files\Entrust\IdentityGuard\identityguard130
5 Change to the directory where you extracted the Entrust Identity Enterprise
Server software.
6 Double-click the IG_130_Windows.msi installer.
The Entrust Identity Enterprise Server Setup Wizard opens.

7 Click Next to begin the upgrade.

Note:
If you are not prepared to install, click Cancel at any time to exit. Click Back to
return to a previous panel to change information.

The End-User License Agreement page appears.

8 Read the license agreement for the Entrust Identity Enterprise software carefully.
If you accept all the terms of the license agreement, select I accept the license
agreement.
You cannot install Entrust Identity Enterprise if you do not accept the license
agreement.
9 Click Next to continue.

The Destination Folder page appears.

10 Click Next to continue.

The Ready to install Entrust Identity Enterprise Server 13.0 page appears.

11 Click Install to begin the installation.


The Installing Entrust Identity Enterprise Server 13.0 page appears while the
installer updates the Entrust Identity Enterprise files. The progress bar displays the
progress of the Entrust Identity Enterprise install.

If the installation was successful, the Completed the Entrust Identity Enterprise
Server 13.0 Setup Wizard page appears.

12 Click Finish.
A System Upgrade dialog box prompts you to confirm whether you are
upgrading an Entrust Identity Enterprise replica. Complete one of the following
actions:

• If you are upgrading a replica Entrust Identity Enterprise Server, click Yes.
• If you are upgrading a primary Entrust Identity Enterprise Server, click No.

Note:
If your current properties contain the identityguard.ldap.url property, but
not the identityguard.ldap.vendor property, a message appears indicating
that these properties should be modified in the Properties Editor. Open the
Entrust Identity Enterprise Properties Editor and make the changes that are
detailed in the pop-up message.

13 Another System Upgrade dialog box appears, informing you that a Master User
must log in to complete the upgrade. Click OK.
The Master User Information page appears.

14 Log in as a Master user (Master1, Master2, or Master3), and then click Upgrade.

Note:
If the upgrade fails, check that your repository schema was upgraded. After you
upgrade the repository schema, you can continue with the Entrust Identity
Enterprise upgrade by running the master user shell command system
upgrade.

If the upgrade was successful, a System Upgrade Completed Successfully screen
appears.

15 Click OK.
The Entrust Identity Enterprise Service Manager dialog box appears.

16 To start service now, click Yes. To start the service later, click No. See “Starting
and stopping Entrust Identity Enterprise services” on page 187 for information
about starting the service manually.
17 If you chose to start the service and the service started successfully, a success
message appears.

Click OK.

Upgrading Entrust Identity Enterprise on Linux
You can upgrade Entrust Identity Enterprise Server on Linux directly from a
previous installation of Entrust IdentityGuard 12.0. Installations of 10.2, 10.2 FP1,
or 11.0 must first be upgraded to 12.0. See “Supported upgrade paths” on page 236.

To upgrade Entrust Identity Enterprise Server on Linux


1 Download and extract the Entrust Identity Enterprise 13.0 software. For
instructions, see “Downloading Entrust Identity Enterprise software” on
page 30.
2 Install the appropriate Entrust Identity Enterprise upgrade schema for your
repository.
Refer to the specific schema configuration instructions for your directory or
database in either the Entrust Identity Enterprise Directory Configuration Guide
or the Entrust Identity Enterprise Database Configuration Guide.
3 If you used an HSM setup with the 32-bit version of the Luna SA client for a
previous release of Entrust Identity Enterprise Server, when you upgrade to
Entrust Identity Enterprise Server 13.0, you must manually update the location of
the Luna SA library to a 64-bit version. Entrust Identity Enterprise Server 13.0 is
64-bit only.
The default location of the 64-bit Luna SA library is:
/usr/lunasa/lib/libCryptoki2_64.so
Confirm the path against your installed Luna client before proceeding.
No such manual update is generally required for the nCipher library (if using an
nCipher HSM), as the default location is expected to be unchanged.
4 Log in to the Linux server that will host Entrust Identity Enterprise.

Note:
It is recommended that you log in to the server as root. If you are logged in as a
non-root account:
— You will not be prompted to provide the name of the user account that will
own Entrust Identity Enterprise. Instead, the current user will be used.
— The installer will not be able to configure the system to start Entrust Identity
Enterprise automatically after a system restart. The installer will not have
sufficient permissions to install the service scripts into /etc/init.d.

5 Navigate to the IG_130 directory. This directory was created when you extracted
the download package.
6 Enter the following command to run the install script:
./install.sh

Note:
You can cancel out of the script at any time by pressing Ctrl + C.

The Entrust Identity Enterprise Server license agreement appears.


7 Press Enter to begin reading the license agreement. Keep pressing Enter to read
the license line by line, or press the space bar to skip to the next page. To skip to
the end of the license agreement, enter q.
After reading the license agreement, the installer prompts you to accept the
terms of the license agreement:
Do you agree to the above license terms? [yes or no]
8 If you agree to the license terms, enter yes to continue. If you disagree with the
license terms, enter no to terminate the installation. You cannot install Entrust
Identity Enterprise if you do not accept the license agreement.
9 If you are logged in as root, the installer prompts you for the name of the user
account that will own the Entrust Identity Enterprise installation:

Note:
The installer shows UNIX, but Linux is the supported operating system.

Enter the UNIX user name that will own the installation:
Enter the user name of the Linux user you created to own the Entrust Identity
Enterprise installation.
You cannot specify root as the owner.
10 The installer prompts you for the group that will own the Entrust Identity
Enterprise installation:
Enter the UNIX group name that will own the installation:
Enter the name of the Linux group that will own the Entrust Identity Enterprise
installation.
11 The installer prompts you to enter an installation directory for Entrust Identity
Enterprise:
Enter the install directory (default /opt/entrust):
To accept the default installation directory (/opt/entrust), press Enter. To
select a different installation directory, type the directory path and then press
Enter.

If you are logged on as a non-root user, the user must own the directory you
enter, or have permissions to create the directory.
12 The installer detects that a previous version of Entrust Identity Enterprise is
installed and asks if you want to upgrade. For example:
Entrust Identity Enterprise 12.0 is installed.
Do you wish to install Entrust Identity Enterprise 13.0 and
upgrade the 12.0 data? [yes or no]
Enter yes to upgrade the Entrust Identity Enterprise data.
13 The install script backs up the existing Entrust Identity Enterprise data, then
upgrades Entrust Identity Enterprise.
14 If you are logged in as root:
a The installer creates the Entrust Identity Enterprise service and enables the
service to start automatically after a system restart:
Creating identityguard service...
b The installer creates the Entrust Identity Enterprise Radius service. The
installer asks if you want the Entrust Identity Enterprise Radius proxy to start
automatically when Entrust Identity Enterprise starts:
Creating igradius service...
Do you want the Entrust Identity Enterprise Radius proxy to
start automatically when the host starts after reboot? [yes or
no]
To have the Radius proxy start automatically, enter yes. To start it manually,
enter no. If you enter no, you can enable automatic startup later.
c If you did not enable the Entrust Identity Enterprise Radius proxy to
automatically start, the installer displays a message stating that you must run
igsvcconfig.sh as root to enable automatic startup:
If you wish to enable automatic startup in the future, run the
command "igsvcconfig.sh igradius enable" when logged on as
root.
See the Entrust Identity Enterprise Server Administration Guide for further
details.
15 If you are logged in as a non-root user:
a The installer does not create the Entrust Identity Enterprise service. The
installer displays a message stating that you must run igsvcconfig.sh as
root at a later time to manually install the Entrust Identity Enterprise service:
To enable automatic startup of the Entrust Identity Enterprise
service after reboot, run the command "igsvcconfig.sh
identityguard install" when logged on as root.
b The installer does not create the Entrust Identity Enterprise Radius service.
The installer displays a message stating that you must run igsvcconfig.sh

as root at a later time to manually install the Entrust Identity Enterprise
Radius service:
To enable automatic startup of the Entrust Identity Enterprise
Radius proxy after reboot, run the command "igsvcconfig.sh
igradius install" when logged on as root.
See the Entrust Identity Enterprise Server Administration Guide for further
details.
16 When the installation is complete, the following message appears, prompting
you to restore your configuration data.
Installation complete.

Configuration data from the existing installation has been backed
up. If you wish, you can configure a new server or restore the
existing configuration data and upgrade it to 13.0. If you don’t
restore the existing configuration data, all existing data will be
removed.
Do you wish to restore the existing configuration data? [yes or
no]
17 Select one of the following options:
• To configure a new server, enter no.
When you enter no, all of your previous configuration data is removed. You
must complete the configuration and initialization procedures:
– “Configuring Entrust Identity Enterprise as a primary server” on page 53
or “Configuring Entrust Identity Enterprise as a replica server” on page 89
– “Initializing Entrust Identity Enterprise” on page 111
• To retain your Entrust Identity Enterprise data, enter yes.
The installation script restores the configuration parameters:
Configuration parameters restored.
Complete the rest of the steps in this procedure.
18 If you entered yes to retain your Entrust Identity Enterprise data:

Note:
If your current properties contain the identityguard.ldap.url property, but
not the identityguard.ldap.vendor property, a message appears indicating
that these properties should be modified in the Properties Editor. Open the
Entrust Identity Enterprise Properties Editor and make the changes that are
detailed in the message.

a The following message is displayed:
PERFORMING UPGRADE
Are you upgrading an Entrust Identity Enterprise primary or
replica? (PRIMARY or REPLICA):
– If you are upgrading the primary Entrust Identity Enterprise Server (the first
instance of the Entrust Identity Enterprise Server), enter PRIMARY.
– If you are upgrading a replica Entrust Identity Enterprise Server, enter
REPLICA.
b You are prompted to log in with a master user name and password to
complete the upgrade:
A master user must login to complete the upgrade.
Userid:
Enter a master user name (Master1, Master2 or Master3).
c You are prompted to enter the master password:
Password:
Enter the password of the master user.
d If the upgrade was successful, a success message appears. For example:
Upgrade completed successfully.
Upgrade was from version Entrust Identity Enterprise 11.0.
Additional system role upgrade messages inform you if the content of
existing roles has been updated.

Note:
If you are upgrading from an Entrust Identity Enterprise release prior to 11.0 and
the upgrade fails, check that your repository schema was upgraded. (There is no
LDAP schema update required between Entrust Identity Enterprise 12.0 and
13.0.) After you upgrade the repository schema, you can continue with the
Entrust Identity Enterprise upgrade by running the master user shell command
system upgrade. For details about using this command, see the Entrust Identity
Enterprise Master User Shell Command Reference.

e If you have not set up the sample application, the installer prompts you to
set up the sample application:
Do you wish to setup the sample application? [yes or no]
– To configure the sample application, enter yes. Proceed to “Installing the
sample application” on page 269.

– To configure the sample application manually later, enter no. For
information about configuring the sample application manually, see
“Installing the sample application” on page 269.
f The installer prompts you to start the Entrust Identity Enterprise services:
Do you wish to start the Entrust Identity Enterprise services?
[yes or no]
– To start the services now, enter yes.
– To start the services later, enter no.
A message appears, informing you how you can start the services later:
You can start the services later by running
"identityguard.sh start"
g You are prompted to keep a backup copy of the configuration data:
Do you wish to keep the backup copy of configuration data?
[yes or no]
– To keep a backup copy of the configuration data, enter yes.
Entrust Identity Enterprise displays the location and the file name of the
saved configuration data. For example:
Configuration data stored in directory
/opt/entrust/config.10029
– To not back up configuration data, enter no.
You can create a backup file anytime after installation. See “Backing up
your configuration” on page 207 for instructions.
The upgrade is now complete.

12

Adding a patch to Entrust Identity Enterprise
This chapter is intended for administrators who are responsible for installing and
maintaining Entrust Identity Enterprise, including adding periodic patches to the
installation. It provides an overview, basic steps for applying a patch, and other
information you need when patching.
This chapter contains the following sections:
• “Patching overview” on page 258
• “Compatibility with Self-Service Module” on page 259
• “Basic patching procedure for the Entrust Identity Enterprise server” on
page 262

Patching overview
The changes in Entrust Identity Enterprise patches are cumulative, so if you install the
latest patch, you get all the updates since the initial base installation. You can install
any patch to the base installation; however, if you have already installed a patch, you
can only install newer patches to the patched system. Entrust Identity Enterprise
patches cannot be uninstalled.
All instances of Entrust Identity Enterprise server in your implementation must be at
the same patch level.

Multi-server considerations
If you have multiple Entrust Identity Enterprise servers configured, patch them
following the procedure below.

Note:
The following patching procedure assumes you can take your servers offline for
a brief period. If you would rather maintain high-availability throughout the
patch application, see instead “High-availability considerations” on page 240 for
a different procedure.

To apply a patch in a multi-server environment


1 Back up all Entrust Identity Enterprise servers so that you can restore a working
configuration if needed.
2 Take all servers offline.
3 Apply the patch to each of the Entrust Identity Enterprise servers.
4 Bring all servers online again.

Maintaining high-availability
An Entrust Identity Enterprise patch installation normally requires a short service
outage. If you cannot take your system offline, even for a short time, see the
guidance in “High-availability considerations” on page 240.

Compatibility with Self-Service Module
If you also use the Entrust Identity Enterprise Self-Service Module, when you apply a
patch to Entrust Identity Enterprise server, you must also apply a compatible patch to
the Self-Service Module installation, if one exists. The following table lists compatible
server and Self-Service Module patches.
As with the Entrust Identity Enterprise server, all instances of Self-Service Module in
your implementation must be at the same patch level.

Server                       | Self-Service Module
-----------------------------|------------------------------------------------------------------------------------------------------
Release 13.0 December 2020   | Release 13.0 December 2020
Patch 315066 October 2021    | Patch 315067 October 2021
Patch 417303 December 2021   | Patch 417304 December 2021
Patch 430599 April 2022      | Any one of the following patches: Patch 430600 April 2022, Patch 430605 June 2022, Patch 430606 August 2022
Patch 430604 August 2022     | Any one of the following patches: Patch 430600 April 2022, Patch 430605 June 2022, Patch 430606 August 2022
Patch 452872 October 2022    | Patch 452874 October 2022
Patch 452873 January 2023    | Patch 452875 January 2023
Patch 452877 March 2023      | Patch 452879 March 2023
Patch 452882 June 2023       | Patch 452884 June 2023
Patch 552330 September 2023  | Patch 552331 September 2023
Patch 552330 September 2023  | Patch 552336 February 2024
Patch 572543 May 2024        | Patch 573340 May 2024
Patch 623359 October 2024    | Patch 623360 October 2024
Patch 623364 November 2024   | Patch 623360 November 2024

Attention:
Error logs are generated if Identity Enterprise Server and Identity Enterprise Self
Service Module are at different patch levels.

Due to an enhanced communication protocol introduced in Identity Enterprise
Server Patch 315066 and Identity Enterprise Self Service Module Patch 315067,
Entrust Identity Enterprise Self Service Module will not function at all if it is not
at a compatible patch level with Entrust Identity Enterprise server.

Note:
If your organization has an existing Release 13.0 Entrust Identity Enterprise server
installation that already has a patch applied and want to install a new Release
13.0 Self-Service Module (SSM), you must patch SSM to bring it up to a
compatible server patch level before you start Self-Service Module.

On Windows, at the end of the installation wizard, deselect the Start Entrust
IdentityGuard Self-Service Module upon successful installation checkbox.

On Linux, when the install process tries to verify the password associated with
the administrative account used for the Self-Service component or the
Transaction component, Entrust Identity Enterprise displays an error message and
associated stack trace that begins with ‘Exception in thread “main” AxisFault’.
When prompted to enter new values, choose No. Then, at the end of the
installation process, answer No to the question about starting Self-Service
Module.

Install the required patch and start Self-Service Module. For more information,
see the installation procedures in the Entrust Identity Enterprise Self-Service
Module Installation and Configuration Guide.

Check master key binding
Prior to installing the patch, check whether the master keys for your Entrust Identity
Enterprise installation are properly bound.

To check the master key binding:


1 Log in to the Master User Shell (supersh) as a master user.
2 Run the following script:
system bindcheck
The Master User Shell runs a bind check and shows the binding status.
3 If the binding status states “The master keys are bound, but you should update
the binding”, run the following system bind command in Master User Shell
before applying the patch:
system bind
OR
If the binding status states “The master keys are bound to the computer”, no
further action is required.

Basic patching procedure for the Entrust Identity Enterprise server
The following procedure describes how to install an Entrust Identity Enterprise patch.
Refer to the README file bundled with the patch software for details specific to the
patch.

To install an Entrust Identity Enterprise patch


1 Before you proceed with a patch installation, back up your configuration. See
“Backing up and restoring Entrust Identity Enterprise” on page 201 for
instructions.
2 Shut down the Entrust Identity Enterprise services and any running Entrust
Identity Enterprise Web applications (for example, the Administration interface),
the Master User Shell, and any other Entrust Identity Enterprise components (for
example, Self-Service Module, Federation Module, or Print Module). If the
services are still running, the patch installer displays an error and exits.

Note:
If you are doing a new Entrust Identity Enterprise installation (on Windows and
using a database as a repository) and intend to immediately bring the installation
up to the latest patch level, Entrust recommends that you use the Entrust Identity
Enterprise Configuration Panel after installation to initialize the Entrust Identity
Enterprise server before installing the patch. If you do not, the Configuration
Panel could become unresponsive. To avoid the issue, ensure that the jar file (or
files) required for the JDBC driver you are using are first copied into the folder
<IG_HOME>/lib/db/

Note that the recommended method of initializing Entrust Identity Enterprise is
still to install the base commercial release, then initialize it, and then install the
latest patch.

3 Install the patch on your primary Entrust Identity Enterprise server.


• To install the patch on Linux against an existing 13.0 installation, run the
patch install.sh script.
• To install this patch on Microsoft Windows, run the Windows patch installer
IG_130_<patch_number>.msp.
4 Restart the Entrust Identity Enterprise services on your primary Entrust Identity
Enterprise server.

5 Repeat the patch installation procedure for each replica server in your Entrust
Identity Enterprise implementation.
6 If using the Entrust Identity Enterprise Self-Service Module, apply a compatible
Self-Service Module patch to each Self-Service Module installation. For
information about installing the Self-Service Module, see the Entrust Identity
Enterprise Self-Service Module Installation and Configuration Guide.

13

Using the sample application


This appendix provides administrators with information for using the sample
application. The sample application is a Web application designed to demonstrate the
various features of Entrust Identity Enterprise. The sample application allows you to
assume the role of an end user, registering and logging in to the Any Bank Web site
using the various authentication methods supported by Entrust Identity Enterprise.

Attention:
The sample application is designed to simulate a Web site with Entrust Identity
Enterprise installed. The sample application is not intended to perform as a fully
featured application.

The sample application should not be used in a production environment nor
should it be used as the basis for writing your own application.

This appendix contains the following sections:


• “Sample application overview” on page 266
• “Installing the sample application” on page 269
• “Enabling or disabling the sample application” on page 276
• “Preparing to use the sample application” on page 280
• “Accessing the sample application” on page 290
• “Using two-step authentication” on page 292
• “Using step-up authentication” on page 312
• “Changing the browser information” on page 330
• “Answering second-factor authentication challenges” on page 333
• “Performing a wire transfer using transaction authentication” on page 340

Sample application overview
The sample application is a Web application designed to demonstrate the various
features of Entrust Identity Enterprise. The sample application allows you to assume
the role of an end user, registering and logging in to the AnyBank Web site using the
various authentication methods supported by Entrust Identity Enterprise.
You can use the sample application as a way to familiarize yourself with the various
features of Entrust Identity Enterprise. The sample application is not intended to
perform as a fully featured application, but it demonstrates how an actual application
can use the various features of Entrust Identity Enterprise.
When enrolling a user with the sample application, the user can choose one or more
second-factor authentication methods. While a typical deployment would not allow
the user to choose their own second-factor authentication method, the sample
application provides this ability as a way to demonstrate the various second-factor
authenticators supported by Entrust Identity Enterprise.
To demonstrate how Entrust Identity Enterprise can provide strong multifactor
authentication, the sample application provides two authentication scenarios:
• two-step authentication (see “Using two-step authentication” on page 292)
• step-up authentication (see “Using step-up authentication” on page 312)
This section contains the following topics:
• “About error messages” on page 266
• “About changing information in the sample application” on page 267
• “About the sample policy” on page 267
• “About the sample role” on page 268

About error messages


As you use the sample application, if you attempt an operation that returns an Entrust
Identity Enterprise error message, the sample application displays the error message
(in red letters) in your browser.
For example, if you attempt to login with a user that does not exist, the sample
application displays the following error message:

The sample application displays the actual Entrust Identity Enterprise error message
only as a learning tool for you to understand Entrust Identity Enterprise’s behavior
under various scenarios. In an actual Entrust Identity Enterprise deployment, it is
recommended that your application convert the Entrust Identity Enterprise error
codes into display messages that adhere to your organization’s security policies.

About changing information in the sample application
When enrolling a user or performing a login, the sample application presents you with
several pages where you can input information (such as a password registration page
and a grid registration page). If you use your browser’s back button and attempt to
change any information you have previously entered, the changes are not registered
and the sample application returns you to the last active page (the page you were on
before you started using the browser’s back button).
To change any information associated with the user, you must use the Administration
interface or master user shell.

Note:
You can change the user’s password and contact information with the sample
application, but only after you enroll or login to the Any Bank Web site. For more
information on changing a user’s information, see the Entrust Identity Enterprise
Server Administration Guide.

If you return to the Welcome page (without clicking either the Exit Session link or
Logoff link) and attempt to enroll again or perform another login, you are returned
to the last active page. However, if you return to the Welcome page you can change
your browser information (see “Changing the browser information” on page 330).

About the sample policy


When you install the sample application, Entrust Identity Enterprise creates a sample
policy. The sample policy determines how the Entrust Identity Enterprise features are
defined and applied to the Entrust Identity Enterprise users and operations used by
the sample application.
The sample policy is based on the built-in default policy with the changes shown in
Table 19:

Table 19: Different policy settings in the sample policy

Policy category               | Policy                                               | Value
------------------------------|------------------------------------------------------|----------------
Administration                | Idle Timeout                                         | 1440
Mutual Authentication         | Return Mutual Authentication Secrets With Challenge  | Yes (selected)
One-time password             | OTP Delivery Enabled                                 | Yes (selected)
One-time password             | OTP Lifetime                                         | 3600
Personal Verification Number  | Change Required on Administrator Reset               | No (deselected)
Authentication Types          | Machine Authentication Types                         | Q&A

For more information about policies, see the Entrust Identity Enterprise Server
Administration Guide.

About the sample role


When you install the sample application, Entrust Identity Enterprise creates a sample
administrator and assigns that administrator a sample role. Entrust Identity Enterprise
also creates a sample group and assigns the administrator to that sample group.
The sample application uses the sample administrator to manage the users in the
sample group. The sample role determines what operations the sample administrator
can perform on the users in the sample group.
The sample role is based on the built-in useradmin system role and includes the
following additional permissions:
• groupGet
• userMachineSecretCreate
• ipListGet
• userSetLocationHistory
For more information on roles, see the Entrust Identity Enterprise Server
Administration Guide.

Installing the sample application
You must install the sample application before you can access it. On Linux, you may
have already installed the sample application if you initialized Entrust Identity
Enterprise as a primary server using the configuration script.
If you have upgraded Entrust Identity Enterprise from a previous version and have
already configured and deployed the previous version’s sample application, you do
not need to configure the sample application again.

Note:
The sample application is intended for test environments or proof-of-concept
environments. You should never install the sample application in a production
environment.

When you install the sample application, Entrust Identity Enterprise will create the
following:
• a role called samplerole
• a policy called samplepolicy
• a group called samplegroup
• an administrator in samplegroup (the administrator has access to
samplegroup)
• an igsample.properties file
This section contains the following procedures:
• “To install the sample application on Windows” on page 269
• “To install the sample application on Linux” on page 273

To install the sample application on Windows


1 If you have previously configured the sample application, delete each of the
following individually to reconfigure the sample application:
• sample administrator
• sample group (samplegroup)
• sample role (samplerole)
• sample policy (samplepolicy)
2 The sample application runs using an Entrust Identity Enterprise user account. If
you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the user account must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.

You can use an existing entry in the directory for the sample application
administrator, or you can create a new entry in the directory.
3 Log in to the server hosting the primary Entrust Identity Enterprise Server.
You can install the sample application only on a primary server. You cannot install
the sample application on a replica server.
4 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Configuration Panel appears.

5 Under Sample Application Setup, click Set Up the Sample Application.
The Master User Login dialog box appears. A master user must log in to
complete the setup.

6 In the Master user name field, enter the name of a master user (Master1,
Master2, Master3).
7 In the Master password field, enter the password of the master user.
8 Click OK.
The Entrust Identity Enterprise Sample Web Application Setup page appears.

9 In the Administrator user name field, enter a user ID for the sample administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
10 In the Administrator password and Confirm password fields, enter and confirm
a password for the sample administrator.
The password must contain at least eight characters, and must include at least
one uppercase character, one lowercase character, and one number.

Note:
The sample administrator password is stored in clear text in the file
igsample.properties until the sample application is started. When the
sample application is first started, it will encrypt the password.

11 Click Save to configure the sample application.
The sample application is configured and, by default, enabled.
A confirmation dialog box appears.

12 Click OK.

To install the sample application on Linux


1 If you have previously configured the sample application, delete each of the
following individually to reconfigure the sample application:
• sample administrator
• sample group (samplegroup)
• sample role (samplerole)
• sample policy (samplepolicy)
2 The sample application runs using an Entrust Identity Enterprise user account. If
you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the user account must already exist in the directory, and must exist in
the same search base as the Entrust Identity Enterprise policy user.
You can use an existing entry in the directory for the sample application
administrator, or you can create a new entry in the directory.
3 Log in to the server hosting the primary Entrust Identity Enterprise Server.

You can install the sample application only on a primary server. You cannot install
the sample application on a replica server.
4 Switch to the user account that owns Entrust Identity Enterprise Server.
5 Navigate to the Entrust Identity Enterprise installation directory ($IG_HOME),
typically:
/opt/entrust/identityguard130
6 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
7 Change to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
8 Enter the following command to run the sample application configuration script:
./configsample.sh
9 The configuration script displays information about the Entrust Identity Enterprise
user account that will run the sample application, and prompts you to provide a
user ID for the user account:
Setting up Entrust Identity Enterprise Sample
The Entrust Identity Enterprise Sample requires an administrator.
A role called samplerole, a policy called samplepolicy and a group
called samplegroup will be created. The administrator will be
created in the samplegroup and have access to the samplegroup. If
you are using an LDAP repository, an entry must already exist for
the administrator.
WARNING: The password for the sample administrator will be stored
in cleartext in the file
$IDENTITYGUARD_HOME/etc/igsample.properties until the Entrust
Identity Enterprise Sample is started. When the Sample is first
started it will encrypt the password.
Enter the adminid for Sample administrator:
Enter a user ID for the sample administrator.
If you are using a directory repository (Active Directory, AD LDS, or LDAP
directory), the administrator must already exist in the directory.
10 The configuration script prompts you to provide a password for the sample
administrator:
Enter the password for Sample administrator:
Enter a password for the administrator.
The password must contain at least eight characters, and must include at least
one uppercase character, one lowercase character, and one number.

Note:
The sample administrator password is stored in clear text in the file
igsample.properties until the sample application is started. When the
sample application is first started, it will encrypt the password.

11 The configuration script prompts you to confirm the password:
Confirm:
Enter the password again to confirm the password.
12 A master user must log in to complete the setup. The configuration script
prompts you to provide a master user name:
A master user must login to complete the setup.
You must login to perform this command.
Userid:
Enter the name of a master user (Master1, Master2, Master3).
13 The configuration script prompts you to provide the password for the master
user:
Password:
Enter the password of the master user.
14 If the setup was successful, the configuration script displays a success message:
Setup of Entrust Identity Enterprise Sample was successful.
15 The configuration script asks if you want to enable the sample service:
Do you want to enable the sample service? [yes or no]
You must enable the sample application before you can use it.
• To enable the sample application, enter yes.
• To disable the sample application, enter no. You can manually enable the
sample application later.

Enabling or disabling the sample application
To use the sample application, it must be enabled. When you installed the sample
application on Linux, you had the option to enable the sample application
immediately or manually enable it later.

Note:
The sample administrator password is stored encrypted in the
igsample.properties file. For security reasons, disable the sample application
when you are not using it.

This section contains the following procedures:


• “To enable or disable the sample application manually on Windows” on
page 276
• “To enable or disable the sample application manually on Linux” on
page 278

To enable or disable the sample application manually on Windows


1 Launch the Entrust Identity Enterprise Configuration Panel, if it is not open:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
expand Entrust Identity Enterprise in the list of applications, then click
Configuration Panel.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Configuration Panel.
When viewing by name or category, Configuration Panel is listed under
Entrust Identity Enterprise.
The Configuration Panel appears.

2 Under Web Service and Application Manager, click Launch Web Service and
Application Manager.
The Web Service and Application Manager dialog box appears.

3 Click the Controls tab.
4 Under Sample Application:
• To enable the sample application, select Enabled.
• To disable the sample application, select Disabled.
5 Click Apply Changes.

To enable or disable the sample application manually on Linux


1 Switch to the Linux user account that owns Entrust Identity Enterprise Server.
2 Navigate to the Entrust Identity Enterprise installation directory, typically:
/opt/entrust/identityguard130
3 Enter the following command to source the environment settings:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Change to the $IG_HOME/bin directory, typically:

/opt/entrust/identityguard130/bin
5 Enter one of the following commands:
• To enable the sample application, enter the following command:
identityguard.sh enable sample
• To disable the sample application, enter the following command:
identityguard.sh disable sample

Preparing to use the sample application
Before you can use the sample application, you must configure it.
This section contains the following topics:
• “Browser requirements for the sample application” on page 280
• “Configuration considerations” on page 281
• “Changing the sample application logging levels” on page 283
• “Ensuring mutual authentication works” on page 284
• “Configuring the sample application for certificate-based authentication
(Optional)” on page 286

Browser requirements for the sample application


You can use Mozilla Firefox, Google Chrome, Microsoft Edge, or Safari Web browsers
to run the sample application, and you must have JavaScript installed. For more detail,
see the Entrust Identity Enterprise Server 13.0 release notes (the supported Web
browsers are the same as for Entrust Identity Enterprise Server services such as Entrust
Identity Enterprise Properties Editor).
If you are enabling the machine nonce policy in Entrust Identity Enterprise, you must
also have cookies enabled.

Note:
As of Entrust Identity Enterprise Device Fingerprint SDK 2.1, storing machine
nonces in Flash objects is no longer supported. If upgrading to Entrust Identity
Enterprise Device Fingerprint SDK 2.1 from an earlier version configured to store
machine nonces in Flash objects, no code changes are required. The Entrust
Identity Enterprise system recognizes that Flash is no longer supported and
automatically stores the machine nonces in cookies and HTML5 local storage
instead.

Configuration considerations
Review the information in Table 20 before and after configuring the sample
application.

Table 20: Configuration considerations for the sample application

Changing the sample • The sample application logs describe events that occur while the
application logging levels sample application is running.
• You can change the logging level to write more logs, fewer logs,
or disable logging entirely.
For information on changing the sample application logging
levels, see “Changing the sample application logging levels” on
page 283.
Creating sample users • If you are using a directory as your default Entrust Identity
Enterprise repository, you must create user entries in the directory
before you can create the Entrust Identity Enterprise users with
the sample application.
• All users created using the sample application are assigned to the
sample group (samplegroup). The sample group was created
when you installed the sample application.
Configuring the word • When you install Entrust Identity Enterprise, a word map file is
map file included.
• The word map file allows for common typing mistakes when
users are answering knowledge-based questions, such as
interchanging common abbreviations (Dr instead of Doctor)
and misspellings (adn instead of and).
• By default, the sample policy allows users to enter inexact
answers for knowledge-based authentication. This means that
Entrust Identity Enterprise uses the word map file.
• Configure the word map file to test Entrust Identity Enterprise’s
ability to allow for inexact matches to answers.
For more information on the word map file and inexact answers,
see the Entrust Identity Enterprise Server Administration Guide.
Note: The word map file applies to all users in your Entrust Identity
Enterprise system, not just the users in the sample user group.

Using the sample application 281


Report any errors or omissions
Table 20: Configuration considerations for the sample application (continued)

Creating out-of-band delivery methods
• When using the sample application, you can create contact information for a user and assign an out-of-band delivery method. The sample application uses the out-of-band delivery method to send a one-time password to the user.
• An out-of-band delivery method is a mechanism that can send a one-time password to the user by an out-of-band method (for example, email). You must define all delivery methods outside of the sample application.
For more information on configuring out-of-band delivery methods, see the Entrust Identity Enterprise Server Administration Guide.
Note: By default, at least one valid out-of-band delivery method must be configured so a user can authenticate with a one-time password. To allow a user to authenticate with a one-time password without configuring a valid out-of-band delivery method, you must modify the sample policy or the user account to disable the delivery of one-time passwords by an out-of-band delivery method. For more information, see the Entrust Identity Enterprise Server Administration Guide.
Configuring the IP blacklist
• The sample application provides a step-up authentication scenario. This scenario includes risk-based authentication. Part of risk-based authentication is the IP blacklist.
For more information on the step-up authentication scenario, see “Using step-up authentication” on page 312.
• Using the Administration interface, you can configure the IP blacklist for risk-based authentication.
For more information on configuring the IP blacklist for risk-based authentication, see the Entrust Identity Enterprise Server Administration Guide.
Note: The IP blacklist applies to all users in your Entrust Identity Enterprise system, not just the users in the sample user group.
Configuring the sample group and sample policy
• When using the sample application, you may want to modify the sample user group and sample policy used by the sample application. For example, you may want to add another repository to the group or change the risk-based authentication policies.
For more information about configuring groups and policies, see the Entrust Identity Enterprise Server Administration Guide.
(Optional) Configuring certificate authentication
• See “Configuring the sample application for certificate-based authentication (Optional)” on page 286.
282 Entrust Identity Enterprise 13.0 Installation Guide Document issue: 12
Loading token data
• Load all token data before attempting any token-related operations. For information about loading token data, see the Entrust Identity Enterprise Server Administration Guide.
Loading the soft token license
• Load the soft token license before attempting any soft token-related operations. For information on loading the soft token license, see the Entrust Identity Enterprise Server Administration Guide.
Installing and configuring the Self-Service Module
• Install and configure the Self-Service Module and enable transaction authentication before attempting the wire transfer action available on the Account Summary page of the sample. (The wire transfer action demonstrates the transaction authentication feature.)
For a complete list of tasks required to enable transaction authentication, see the Entrust Identity Enterprise Self-Service Module Installation and Configuration Guide.
Creating preproduced cards
• When using the sample application, you can assign a user a preproduced grid card. Create all preproduced cards before using the sample application. For more information, see the Entrust Identity Enterprise Server Administration Guide.
• You do not need to create preproduced cards to use grid authentication in the sample application. The sample application allows you to create cards directly for users.
Administering user accounts
• The sample application only allows you to create users and perform some basic operations on the user account, such as changing the user’s password and contact information.
• To modify or delete user accounts, you must use the Administration interface or the master user shell. For more information, see the Entrust Identity Enterprise Server Administration Guide.
Changing the sample application logging levels
The sample application logs describe events that occur while the sample application
is running. Each log message includes the message level (either ERROR or DEBUG)
and the action performed by the sample application or the error that occurred. You
can change the logging level to write more logs, fewer logs, or disable logging
entirely.
The sample application logs to the application server’s standard output:
• On Windows:
$IG_HOME/apache-tomcat-<version>/logs/stdout.log
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For example:
C:/Program Files/apache-tomcat-<version>/logs/stdout.log
• On Linux:
$CATALINA_HOME/logs/catalina.out
Where $CATALINA_HOME is the Apache Tomcat installation folder. For
example:
/opt/entrust/apache-tomcat-<version>/logs/catalina.out
For more information about logging, see the Entrust Identity Enterprise Server Administration Guide.
To change the sample application logging levels
1 In a text editor, open the igsample.properties file. You can find the file in
the following folder:
$IG_HOME/etc/
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For
example:
• On Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/igsample.properties
• On Linux:
/opt/entrust/identityguard130/etc/igsample.properties
2 Add the following line (or edit it, if it is already present):
identityguard.samplewebapp.loglevel=<level>
Where <level> is one of OFF, ERROR, or DEBUG.
• OFF disables log messages about the sample application.
• ERROR writes only ERROR log messages.
• DEBUG writes DEBUG and ERROR log messages.
If you do not specify a logging level, only ERROR messages are logged.
3 Save your changes and close the file.
4 Restart the Entrust Identity Enterprise service.
Ensuring mutual authentication works
If you are using Entrust Identity Enterprise with the Self-Service Module, and you
want to test the mutual authentication feature using the Entrust Identity Enterprise
sample application, follow the instructions below to ensure mutual authentication
works.
To ensure mutual authentication works
1 Log in to the Self-Service Module’s Configuration interface. For details, see the
Entrust Identity Enterprise Self-Service Module Installation and Configuration
Guide.
2 Click Registration.
3 Click Personal Information.
4 Scroll down to the question that asks Do you want to require users to provide
mutual authentication secrets as part of self-registration?
5 Write down the key names for the mutual authentication phrase and image shown for that question. The default key names are SECRET_PHRASE and SECRET_IMAGE.
6 In a text editor, open the igsample.properties file. You can find the file in the following folder:
$IG_HOME/etc/
Where $IG_HOME is the Entrust Identity Enterprise installation folder. For example:
• On Windows:
C:/Program Files/Entrust/IdentityGuard/identityguard130/etc/igsample.properties
• On Linux:
/opt/entrust/identityguard130/etc/igsample.properties
7 Look for these lines (which may or may not be present):
identityguard.samplewebapp.appSecretImageName=SECRET_IMAGE
identityguard.samplewebapp.appSecretPhraseName=SECRET_PHRASE
• If the lines are present, ensure that the names are the same as those defined
in the Self-Service Module.
• If the lines are not present, the names default to SECRET_PHRASE and
SECRET_IMAGE. If these defaults are not the ones defined in the Self-Service
Module, add the lines and appropriate key names to the file.
For example, if in Self-Service the key names are MY_GRAPHIC and MY_WORD
add the following lines to the file:
identityguard.samplewebapp.appSecretImageName=MY_GRAPHIC
identityguard.samplewebapp.appSecretPhraseName=MY_WORD
8 Save the file.
9 Restart the Entrust Identity Enterprise service if you made any changes.
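Both of the preceding procedures (setting the logging level, and aligning the mutual authentication key names with the Self-Service Module) come down to editing lines in igsample.properties without leaving duplicate keys behind. The following POSIX shell helpers are an added example and are not part of the Entrust guide or product; the property names are the ones documented above, while the file path in the usage comment is the guide’s Linux default and is an assumption for your own system.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): edit igsample.properties
# idempotently. Values must not contain '|' or '&' (sed delimiter/metachar).

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line or append one.
set_prop() {
    file=$1; key=$2; value=$3
    # escape the dots in the key so grep/sed match them literally
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^${pat}=" "$file" 2>/dev/null; then
        sed "s|^${pat}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY DEFAULT: print the value, or DEFAULT when the key is absent
# (mirrors the sample application, which falls back to defaults for missing keys).
get_prop() {
    file=$1; key=$2; default=$3
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    val=$(sed -n "s|^${pat}=||p" "$file" 2>/dev/null | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# set_loglevel FILE LEVEL: only OFF, ERROR and DEBUG are meaningful to the sample.
set_loglevel() {
    case $2 in
        OFF|ERROR|DEBUG) set_prop "$1" identityguard.samplewebapp.loglevel "$2" ;;
        *) echo "invalid level '$2': use OFF, ERROR or DEBUG" >&2; return 1 ;;
    esac
}

# set_mutual_auth_keys FILE IMAGE_KEY PHRASE_KEY: make the sample's key names
# match the ones configured in the Self-Service Module.
set_mutual_auth_keys() {
    set_prop "$1" identityguard.samplewebapp.appSecretImageName "$2"
    set_prop "$1" identityguard.samplewebapp.appSecretPhraseName "$3"
}

# Example session (assumed path; restart the Entrust Identity Enterprise
# service afterwards so the sample application re-reads the file):
#   IG_PROPS=/opt/entrust/identityguard130/etc/igsample.properties
#   set_loglevel "$IG_PROPS" DEBUG
#   set_mutual_auth_keys "$IG_PROPS" MY_GRAPHIC MY_WORD
```

Running set_loglevel twice leaves a single loglevel line in the file, and get_prop reports the same defaults (ERROR, SECRET_IMAGE, SECRET_PHRASE) the sample application uses when a key is missing, which makes it easy to confirm what the sample will actually read before restarting the service.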

Configuring the sample application for certificate-based authentication (Optional)
Configuring the sample application to use certificate-based authentication is optional; you do not need to set up the sample application for certificate authentication unless you wish to demonstrate this method of authentication.
To use certificate authentication in the Entrust Identity Enterprise sample application, you require a client-authenticated SSL connection (TLS in which the browser presents a client certificate) between your browser and the sample application servlet. You must configure the application server on which you deploy the sample application to require client-authenticated SSL.
The installation already provides a listening port that requires client-authenticated SSL (the default is 8447), so no additional application server steps are required. Both procedures below use the embedded Tomcat keystore with its default password (entrust); change that password on any installation that is not a disposable test system.
This topic contains the following procedures:
• “To configure the sample application for certificate-based authentication on
Windows” on page 286
• “To configure the sample application for certificate-based authentication on
Linux” on page 287
To configure the sample application for certificate-based authentication on Windows
1 Use your Certification Authority (CA) to issue Web credentials.
2 Log in to the server hosting the primary Entrust Identity Enterprise Server.
3 Export your CA certificate to a file and transfer it to a folder on the Entrust
Identity Enterprise server.
4 Open a command line.
5 Navigate to the directory containing the keytool utility (keytool.exe).
• For the embedded Tomcat application server, the keytool utility is located in
the following folder:
<IG_HOME>\jdk<version>\bin
Where <IG_HOME> is the Entrust Identity Enterprise installation directory,
and <version> is the Java version. For example:
C:\Program Files\Entrust\IdentityGuard\jdk<version>\bin
6 Enter the following command to install the CA certificate into the Entrust Identity
Enterprise keystore:
keytool -importcert -alias <certalias> -trustcacerts -file
<ca_certfile> -keystore <path_to_keystore> -storepass <password>
Where:
• <certalias> is a unique alias name for the CA certificate.
• <ca_certfile> is the full path and file name of the CA certificate file.
• <path_to_keystore> is the full path to the keystore file (not to the folder that contains it). For embedded Tomcat, the path is <IG_HOME>\etc\keystore.
• <password> is the password of the keystore. For embedded Tomcat, the default password is entrust.
For example:
keytool -importcert -alias Example_CA -trustcacerts -file "C:\ca_certificate.der" -keystore "C:\Program Files\Entrust\IdentityGuard\identityguard130\etc\keystore" -storepass entrust
For details on the keytool commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.
7 Restart the Entrust Identity Enterprise services.
8 Import the CA certificate into the Entrust Identity Enterprise server using the
Administration interface or the master user shell.
9 Access the sample application using the new client-authenticated SSL port.
Ensure that the user’s certificate is present in the browser’s certificate store. See
“Accessing the sample application” on page 290.
10 When prompted, select the user’s certificate from the dialog box. The browser only offers certificates issued by a CA that the server names in its TLS client-certificate request, so if the user’s certificate is not listed in the dialog box, the CA certificate was not imported into the Entrust Identity Enterprise keystore (or the services were not restarted after the import).
11 In the sample application, select Enroll a User for Step-Up Authentication, and
enroll the user for Step-Up Authentication.
12 Log in to the sample application. (You will not see the assigned certificate until
you have logged in.)
When registering the user, and when logging in, select Remember Me.
To configure the sample application for certificate-based authentication on Linux
1 Use your Certification Authority (CA) to issue Web credentials.
2 Log in to the server hosting the primary Entrust Identity Enterprise Server.
3 Export your CA certificate to a file and transfer it to a folder on the Entrust
Identity Enterprise server.
4 Open a command line.
5 Change to the directory containing the keytool utility.
• For the embedded Tomcat application server, the keytool utility is located in
the following folder:
$IG_HOME/jdk<version>/bin
Where $IG_HOME is the Entrust Identity Enterprise installation directory, and
<version> is the Java version. For example:
/opt/entrust/jdk<version>/bin
6 Enter the following command to install the CA certificate into the Entrust Identity
Enterprise keystore:
./keytool -importcert -alias <certalias> -trustcacerts -file
<ca_certfile> -keystore <path_to_keystore> -storepass <password>
Where:
• <certalias> is a unique alias name for the CA certificate.
• <ca_certfile> is the full path and file name of the CA certificate file.
• <path_to_keystore> is the path to the keystore. For embedded Tomcat,
the path is $IG_HOME/identityguard130/etc/keystore.
• <password> is the password of the keystore. For embedded Tomcat, the
default password is entrust.
For example:
./keytool -importcert -alias Example_CA -trustcacerts -file /tmp/ca_certificate.der -keystore /opt/entrust/identityguard130/etc/keystore -storepass entrust
For details on the keytool commands and options, see
https://docs.oracle.com/en/java/javase/11/tools/keytool.html.
7 Restart the Entrust Identity Enterprise services.
8 Import the CA certificate into the Entrust Identity Enterprise server using the
Administration interface or the master user shell.
9 Access the sample application using the new client-authenticated SSL port.
Ensure that the user’s certificate is present in the browser’s certificate store. See
“Accessing the sample application” on page 290.
10 When prompted, select the user’s certificate from the dialog box. The browser only offers certificates issued by a CA that the server names in its TLS client-certificate request, so if the user’s certificate is not listed in the dialog box, the CA certificate was not imported into the Entrust Identity Enterprise keystore (or the services were not restarted after the import).
11 In the sample application, select Enroll a User for Step-Up Authentication, and
enroll the user for Step-Up Authentication.
12 Log in to the sample application. (You will not see the assigned certificate until
you have logged in.)
When registering the user, and when logging in, select Remember Me.
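Step 10 of both the Windows and Linux procedures above tells you, after the fact, that an empty certificate dialog in the browser means the CA was not imported. The following shell script, an added example that is not part of the Entrust guide or product, lets you check that before opening a browser: it refuses a -keystore argument that points at the etc folder instead of the keystore file (the mistake that makes keytool fail or write a new keystore in the wrong place), wraps the guide’s keytool import, and parses saved openssl s_client output to list the CA names the client-authenticated port actually advertises. It assumes keytool and openssl are on PATH when run against a live server; the host name and the sample s_client output used in the usage comment are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): verify a CA import for the
# client-authenticated SSL port of the embedded Tomcat.

# check_keystore_path PATH: the -keystore argument must be the keystore file,
# not its parent folder (<IG_HOME>/etc instead of <IG_HOME>/etc/keystore).
check_keystore_path() {
    if [ -d "$1" ]; then
        echo "keystore path is a directory, expected a file such as $1/keystore" >&2
        return 1
    fi
    [ -f "$1" ] || { echo "keystore not found: $1" >&2; return 1; }
}

# import_ca KEYSTORE ALIAS CAFILE STOREPASS: the guide's keytool command, then
# a keytool -list of the alias to confirm the entry really landed in the file.
import_ca() {
    ks=$1; alias=$2; cafile=$3; storepass=$4
    check_keystore_path "$ks" || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cafile" -keystore "$ks" -storepass "$storepass" \
    && keytool -list -alias "$alias" -keystore "$ks" -storepass "$storepass" >/dev/null
}

# acceptable_cas FILE: print the CA subject names the server lists in its TLS
# CertificateRequest, taken from saved `openssl s_client` output (one DN per
# line). Prints nothing when the server sent no CA names, which is exactly
# the situation in which the browser shows an empty certificate dialog.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { on=1; next }
        on && /^(No client certificate CA names|---|Client Certificate Types|Requested Signature|Shared Requested|Peer signing|Server Temp Key|Signature type|SSL handshake)/ { on=0 }
        on { print }
    ' "$1"
}

# server_trusts_ca FILE DN_SUBSTRING: succeed when the CA (matched by a
# substring of its DN, e.g. the CN) is among the advertised names.
server_trusts_ca() {
    acceptable_cas "$1" | grep -q -- "$2"
}

# live_check HOST PORT DN_SUBSTRING: capture one handshake and check it.
# Port 8447 is the guide's default client-authenticated SSL port.
live_check() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:$2" </dev/null >"$tmp" 2>/dev/null || true
    server_trusts_ca "$tmp" "$3"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Example session (assumed host name and paths):
#   import_ca /opt/entrust/identityguard130/etc/keystore Example_CA /tmp/ca_certificate.der entrust
#   (restart the Entrust Identity Enterprise services)
#   live_check igserver.example.com 8447 "Example_CA" && echo "CA advertised to clients"
```

Run live_check after restarting the services: the keystore is read at startup, so a CA that keytool -list shows in the file but that does not appear in the handshake almost always means the restart was skipped or a different keystore file was edited.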

Accessing the sample application
After you configure and deploy the sample application, you can then access it from a
Web browser. For an Entrust Identity Enterprise Server installed on a Windows Server,
you can also access the application from the Windows start menu.
To access the sample Web application from the Windows start menu
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Entrust Identity Enterprise > Sample Application.
• On Microsoft Windows Server 2012 or 2012 R2, select Start, then click the
down arrow to access Apps, then click Sample Application.
When viewing by name or category, Sample Application is listed under
Entrust Identity Enterprise.
The sample application opens in your default browser.
To access the sample Web application from a URL
1 Open a Web browser.
2 Enter one of the following URLs:
https://<hostname>:<https port>/IdentityGuardSampleApp
http://<hostname>:<http port>/IdentityGuardSampleApp
https://<hostname>:<client auth SSL port>/IdentityGuardSampleApp
Where:
• <hostname> is the fully qualified domain name for the Entrust Identity Enterprise host.
• <https port> is the Authentication Service HTTPS port (default 8443).
• <http port> is the Authentication Service HTTP port (default 8080). Passwords, grid responses and one-time passwords sent over this port are not encrypted; use it only for testing on a trusted network.
• <client auth SSL port> is the Authentication Service client-authenticated HTTPS port (default 8447). Use this port for the certificate-based authentication scenario.
For example:
https://igserver.mycompany.com:8443/IdentityGuardSampleApp
http://igserver.mycompany.com:8080/IdentityGuardSampleApp
https://igserver.mycompany.com:8447/IdentityGuardSampleApp
The sample application appears.
Using two-step authentication
To demonstrate how Entrust Identity Enterprise can provide strong multifactor
authentication, the sample application provides two authentication scenarios:
two-step authentication and step-up authentication.
In two-step authentication, a user authenticates to your organization in two steps. In
the first step, the user performs first-factor authentication (user name and password).
In the second step, the user performs second-factor authentication (such as grid
authentication).
For the two-step authentication scenario, the sample application demonstrates how
a user might enroll and perform two-step authentication.
For more information on any of the authentication methods supported by Entrust
Identity Enterprise, see the Entrust Identity Enterprise Server Administration Guide.
This section contains the following topics:
• “Enrolling a user for two-step authentication” on page 292
• “Registering a second-factor method for two-step authentication” on
page 297
• “Performing two-step authentication” on page 308
Enrolling a user for two-step authentication
For the two-step authentication scenario, the sample application demonstrates how
a user might enroll for two-step authentication. When enrolling for two-step
authentication, a user first enters a user name and password, and then registers a
second-factor authentication method (such as a grid or token).
While a typical deployment would not allow the user to choose a second-factor
authentication method, the sample application provides this ability to allow you to
test two-step authentication with the different authentication methods that are
supported by Entrust Identity Enterprise.
For more information about any of the authentication methods supported by Entrust
Identity Enterprise, see the Entrust Identity Enterprise Server Administration Guide.
To enroll a user for two-step authentication
1 Open the sample application. (See “Accessing the sample application” on
page 290.)
2 Click Enroll a User for Two-Step Login.
The Enrollment for Two-Step Login page appears.
3 In the User ID field, enter the user name of the user.
4 In the Full Name field, enter the user’s full name.
5 In the Second Factor drop-down menu, select a second-factor authentication method.
6 Click Enroll.
The Create Password page appears.
7 In the Password and Confirm Password fields, enter a password for the user.
8 Click Next.
A registration page appears.
Note:
Even if you chose machine authentication as your second-factor authentication
method, you must register another second-factor authentication method before
you can register your computer. By default, you must register knowledge-based
questions and answers. You can change the default authentication method by
modifying the sample policy. For more information on modifying policies, see the
Entrust Identity Enterprise Server Administration Guide.
9 Register your second-factor authentication method. For more information, see “Registering a second-factor method for two-step authentication” on page 297.
If you chose machine authentication, the Identify Your Machine page appears.
10 (Machine authentication only) Enter a descriptive label for the computer in the Machine Label field and click Next.
The Enrollment Confirmation page appears.
11 Click Next.
The Accounts Summary page appears.
12 From this page, you can do the following:
• To simulate a user transferring money between accounts, click Transfer
Money.
• To simulate how transaction authentication works using a mobile device,
click Wire Transfer. See “Performing a wire transfer using transaction
authentication” on page 340.
• To simulate a user paying a bill, click Pay Bills.
• To simulate a user adding bill payee, click Add Bill Payee.
• To change the user’s password, click Change Password.
For information on changing the password, see “To change a user’s
password” on page 296.
• To change the user’s contact information, click Update Profile.
For information on changing the contact information, see “To change a
user’s contact information” on page 296.
• To log out and return to the Welcome page, click Logoff.
To change a user’s password
1 In the Current Password field, enter the user’s current password.
2 In the New Password and Confirm Password fields, enter the new password for
the user.
The new password must conform to the password rules in the sample policy. To
view the password rules, select click here.
3 Click Update to accept the change and return to the Account Summary page.
• If you changed a user’s password as part of the two-step authentication
scenario, see Step 12 on page 295.
• If you changed a user’s password as part of the step-up authentication
scenario, see Step 13 on page 321.
To change a user’s contact information
1 For each contact information entry (for example, the Email entry), you can change the information as follows:
a To change the value of the contact information (for example, to change the
email address), enter a new value in the Value text field.
b To change the out-of-band delivery method, select a different out-of-band
delivery method in the Delivery Method drop-down list.
An out-of-band delivery method is a mechanism that can send a one-time
password to the user by an out-of-band method (for example, email). You
must define all delivery methods outside of the sample application. For more
information, see the Entrust Identity Enterprise Server Administration Guide.
c If you want this contact information entry to be the default entry, click the
Default option.
2 Click Update to accept the changes and return to the Account Summary page.
• If you changed a user’s contact information as part of the two-step
authentication scenario, see Step 12 on page 295.
• If you changed a user’s contact information as part of the step-up
authentication scenario, see Step 13 on page 321.
Registering a second-factor method for two-step authentication
When enrolling a user for two-step authentication (see “Enrolling a user for two-step
authentication” on page 292), you must register a second-factor authentication
method. For two-step authentication with a one-time password, you must register
contact information.
This topic contains the following procedures:
• “To register a grid for two-step authentication” on page 298
• “To register knowledge-based questions and answers for two-step
authentication” on page 301
• “To register contact information for two-step authentication” on page 302
• “To register a challenge-response token for two-step authentication” on
page 303
• “To register a response-only token for two-step authentication” on
page 306
Note:
Registering an Entrust Identity Enterprise Mobile soft token is not possible through the sample. You must use Entrust Identity Enterprise Administration or the Self-Service Module.
To register a grid for two-step authentication
1 Register a grid for the user in one of two ways.
• To register a preproduced grid for the user, enter the serial number of the grid
in the text field and then click Activate.
• To create a new grid for the user, select click here.
The Optional PVN Registration page appears.
2 If you want to give the user a personal verification number (PVN), do the
following.
a Select Create a Personal Verification Number (PVN) and then click Next.
The Create Personal Verification Number (PVN) page appears.
b In the PVN and Confirm PVN fields, enter the personal verification number.
c Click Next.
3 If you do not want to give the user a PVN, click Next.
The Grid Challenge page appears.
4 To answer the challenge with the grid card, do the following:
Note:
If you do not have the grid in front of you, you can use the Administration
interface to view the grid. For more information, see the Entrust Identity
Enterprise Server Administration Guide.
a In the grid coordinate fields (for example, [F5], [H5], and [I2]), enter the
values for those coordinates as they appear on the user’s grid card.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a PVN, enter the PVN in the PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
b Click Next.
5 To answer the challenge with a temporary PIN, do the following:
Note:
You can assign the user a temporary PIN in the Administration interface. For more information, see the Entrust Identity Enterprise Server Administration Guide.
a Click Temporary PIN.
The Temporary PIN Challenge page appears.
b In the Temporary PIN field, enter the user’s temporary PIN.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a PVN, enter the PVN in the PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
6 Click Next.
7 See Step 10 on page 294.
To register knowledge-based questions and answers for two-step authentication
1 Select as many questions as required by policy (the default is three). If desired, you can also select additional questions.
Note:
The list of questions offered by the sample application is much longer than the example shown in this guide.
2 For each question you selected, enter the answer in the text field or select the
answer from the drop-down list.
3 Click Next to continue.
4 See Step 10 on page 294.
To register contact information for two-step authentication
1 For the Email contact information entry, enter the user’s email contact
information.
a In the Value field, enter the user’s email address.
b In the Delivery Method drop-down list, select an out-of-band delivery
method.
An out-of-band delivery method is a mechanism that can send a one-time
password to the user by an out-of-band method (for example, email). You
must define all delivery methods outside of the sample application. For more
information, see the Entrust Identity Enterprise Server Administration Guide.
c If you want this contact information entry to be the default entry, click the
Default option.
2 For the Phone contact information entry, enter the user’s phone contact
information
a In the Value field, enter the user’s phone number.
b In the Delivery Method drop-down list, select an out-of-band delivery
method.
An out-of-band delivery method is a mechanism that can send a one-time
password to the user by an out-of-band method (for example, voice mail).
You must define all delivery methods outside of the sample application. For
more information, see the Entrust Identity Enterprise Server Administration
Guide.
c If you want this contact information entry to be the default entry, click the
Default option.
3 Click Next.
The Optional PVN Registration page appears.
4 If you want to give the user a personal verification number (PVN), do the
following.
a Select Create a Personal Verification Number (PVN) and then click Next.
The Create Personal Verification Number (PVN) page appears.
b In the PVN and Confirm PVN fields, enter the personal verification number.
c Click Next.
5 See Step 10 on page 294.
To register a challenge-response token for two-step authentication
1 In the Select the Token Vendor drop-down list, select a token vendor.
2 In the text field, enter the serial number of the token.
3 Click Activate.
The Optional PVN Registration page appears.
4 If you want to give the user a personal verification number, do the following.
a Select Create a Personal Verification Number (PVN) and then click Next.
The Create Personal Verification Number (PVN) page appears.
b In the PVN and Confirm PVN fields, enter a personal verification number.
c Click Next.
The Token Challenge page appears.
5 To answer the challenge with the token, do the following:
a The Token Challenge page displays a challenge string in red numbers (for example 23419279). Enter this challenge string into your challenge-response token, and then press the button on the token to generate a dynamic password.
b In the Token Response field, enter the dynamic password generated by the
token.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a PVN, enter the PVN in the PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
6 To answer the challenge with a temporary PIN, do the following:
Note:
You can assign the user a temporary PIN in the Administration interface. For more information, see the Entrust Identity Enterprise Server Administration Guide.
a Click Temporary PIN.
The Temporary PIN Challenge page appears.
b In the Temporary PIN field, enter the user’s temporary PIN.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a PVN, enter the PVN in the PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
7 See Step 10 on page 294.
To register a response-only token for two-step authentication
1 In the Select the Token Vendor drop-down list, select a token vendor.
2 In the text field, enter the serial number of the token.
3 Click Activate.
The Optional PVN Registration page appears.
4 If you want to give the user a personal verification number (PVN), do the
following:
a Select Create a Personal Verification Number (PVN) and then click Next.
The Create Personal Verification Number (PVN) page appears.
b In the PVN and Confirm PVN fields, enter the personal verification number.
c Click Next.
The Token Challenge page appears.
5 To answer the challenge with the token, do the following:
a Press the button on the token to generate a dynamic password.
b In the Token Response field, enter the dynamic password generated by the
token.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a PVN, enter the PVN in the PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
6 To answer the challenge with a temporary PIN, do the following:
Note:
You can assign the user a temporary PIN in the Administration interface. For more information, see the Entrust Identity Enterprise Server Administration Guide.
a Click Temporary PIN.
The Temporary PIN Challenge page appears.
b In the Temporary PIN field, enter the user’s temporary PIN.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a PVN, enter the PVN in the PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
7 See Step 10 on page 294.

Performing two-step authentication


For the two-step authentication scenario, the sample application demonstrates how
a user might perform two-step authentication. When performing two-step
authentication, the user first enters a user name and password, and then answers a
second-factor authentication challenge (such as a grid challenge).
For more information on any of the authentication methods supported by Entrust
Identity Enterprise, see the Entrust Identity Enterprise Server Administration Guide.

Note:
The sample application provides a way to clear the cookies containing the
machine secrets (see “Changing the browser information” on page 330). If you
are testing machine authentication, do not clear the machine cookies before
performing two-step authentication or you will be presented with a
second-factor authentication challenge.

To perform two-step authentication
1 Open the sample application. (See “Accessing the sample application” on
page 290.)
2 Click Perform a Two-Step Login.
The Two-Step Login page appears.

3 In the User ID field, enter the user name of the user.

Note:
If the user registered through the Self-Service Module, ensure that they belong
to the Entrust Identity Enterprise group called samplegroup. Only users from
samplegroup are allowed to log in to the sample application. If the user
registered through the sample application, this person was added to the
samplegroup upon registration, and no further configuration is required.

4 In the Password field, enter the user’s password.


5 To enable machine authentication, select Remember Me.
6 Click Login.

If the user’s password needs to be changed (for example, it has expired), the
Update Your Password page appears.

7 To update the user’s password, do the following:


a Enter a new password in the New Password and Confirm Password fields.
The new password must conform to the password rules in the sample policy.
To view the password rules, select click here.
b Click Next.
If you did not enable machine authentication, or if machine authentication failed,
a second-factor challenge page appears.
8 (If applicable) Answer the second-factor authentication challenge. For more
information, see “Answering second-factor authentication challenges” on
page 333.

The Accounts Summary page appears.

9 From this page, you can do the following:


• To simulate a user transferring money between accounts, click Transfer
Money.
• To simulate transaction authentication using a mobile device, click Wire
Transfer. See “Performing a wire transfer using transaction authentication”
on page 340.
• To simulate a user paying a bill, click Pay Bills.
• To simulate a user adding a bill payee, click Add Bill Payee.
• To change the user’s password, click Change Password. For information on
changing the password, see “To change a user’s password” on page 296.
• To change the user’s contact information, click Update Profile. For
information on changing the contact information, see “To change a user’s
contact information” on page 296.
• To log out and return to the Welcome page, click Logoff.

Using step-up authentication
To demonstrate how Entrust Identity Enterprise can provide strong multifactor
authentication, the sample application provides two authentication scenarios:
two-step authentication and step-up authentication.
In step-up authentication, a user only performs second-factor authentication
depending on the level of risk involved. For example, a user may only require
second-factor authentication for certain operations, or if the user is deemed to be a
potential security risk.
Risk-based authentication is only performed if you select Remember Me. Risk-based
authentication always includes IP checking and machine authentication. If you have
accessed the sample application through a client-authenticated SSL port, certificate
authentication is also included.
The sample application demonstrates how step-up authentication can be applied in
the following ways:
• When a user logs in, Entrust Identity Enterprise performs risk-based
authentication on the user at the normal security level.
If the user fails the risk-based authentication, the user may be rejected from
authenticating or may be presented with a second-factor authentication
challenge.
• After logging in and attempting to perform a certain operation, the user is
presented with a second-factor authentication challenge.
• After logging in and attempting to perform a sensitive operation, Entrust
Identity Enterprise performs risk-based authentication on the user at an
enhanced security level.
– If the user fails the risk-based authentication, the user may be rejected from
authenticating or may be presented with a second-factor challenge.
– The default enhanced security level specifies that even if the user passes
the risk-based authentication, the user must answer a second-factor
authentication challenge.
For the step-up authentication scenario, the sample application demonstrates how a
user might enroll and perform step-up authentication.
For more information on any of the authentication methods supported by Entrust
Identity Enterprise, see the Entrust Identity Enterprise Server Administration Guide.
This section contains the following topics:
• “Enrolling a user for step-up authentication” on page 313
• “Performing step-up authentication” on page 324

Enrolling a user for step-up authentication
For the step-up authentication scenario, the sample application demonstrates how a
user might enroll for step-up authentication. When enrolling, a user first enters a user
name and password, and then registers one or more second-factor authentication
methods (such as a grid and token).
While a typical deployment would not allow the user to choose more than one
second-factor authentication method, the sample application provides this ability to
allow you to test step-up authentication with the different authentication methods
that are supported by Entrust Identity Enterprise.
After enrolling, the sample application demonstrates how step-up authentication can
be applied in the following ways:
• If the user attempts to perform a certain operation, the user is presented with
a second-factor authentication challenge.
• If the user attempts to perform a sensitive operation, Entrust Identity
Enterprise performs risk-based authentication on the user at an enhanced
security level.
– If the user fails the risk-based authentication, the user may be rejected from
authenticating or may be presented with a second-factor challenge.
– By default, even if the user passes the risk-based authentication, the user
must answer a second-factor authentication challenge.
For more information on any of the authentication methods supported by Entrust
Identity Enterprise, see the Entrust Identity Enterprise Server Administration Guide.

To enroll a user for step-up authentication


1 Open the sample application. (See “Accessing the sample application” on
page 290.)
2 Click Enroll a User for Step-Up Authentication.

The Enrollment for Step-Up Authentication page appears.

3 On the Enrollment for Step-Up Authentication page, do the following:


a In the User ID field, enter the user name of the user.
b In the Full Name field, enter the user’s full name.
c To register the computer for machine authentication, select Remember Me.
d Click Enroll to continue.
The Create Password page appears.

4 On the Create Password page, do the following:


a In the Password and Confirm Password fields, enter a password for the user.
The password must conform to the password rules in the sample policy. To
view the password rules, select click here.
b Click Next.

The Enter Contact Information page appears.

5 On the Enter Contact Information page, do the following:


a For the Email contact information entry, enter the user’s email contact
information.
– In the Value text field, enter the user’s email address.
– In the Delivery Method drop-down list, select an out-of-band delivery
method.
An out-of-band delivery method is a mechanism that can send a one-time
password to the user by an out-of-band method (for example, email). You
must define all delivery methods outside of the sample application. For
more information, see the Entrust Identity Enterprise Server Administration
Guide.
– If you want this contact information entry to be the default entry, click the
Default option.
b For the Phone contact information entry, enter the user’s phone contact
information.
– In the Value text field, enter the user’s phone number.
– In the Delivery Method drop-down list, select an out-of-band delivery
method.
An out-of-band delivery method is a mechanism that can send a one-time
password to the user by an out-of-band method (for example, voice mail).
You must define all delivery methods outside of the sample application. For
more information, see the Entrust Identity Enterprise Server Administration
Guide.
– If you want this contact information entry to be the default entry, click the
Default option.
c Click Next. If you do not wish to register for OTP authentication, click Skip.

The Mutual Authentication Registration page appears.

6 On the Mutual Authentication Registration page, do the following:


a (Optional) To select a new image, click Change Image.
A page of images appears.

– Click back and more to view more images.


– To select an image, click the image.
After selecting an image, the main Mutual Authentication Registration page
reappears.
b In the Caption field, enter a caption for the image.
c Click Next to continue.

The Knowledge-Based Q&A Registration page appears.

7 On the Knowledge-Based Q&A Registration page, do the following:


a Select as many questions as are required by policy (the default is three). If
desired, you can also select additional questions.

Note:
The images above and below are examples; there are many more questions
available than shown in the graphics.

b For each question you selected, enter the answer in the text field or select
the answer from the drop-down list.

c Click Next to continue.

The Optional Grid Registration page appears.

8 To register a grid for the user, do the following:


a Select Create a Grid.
b Click Next to continue.
The Grid Registration page appears.

c To activate a preproduced (unassigned) grid card, enter the serial number of
the grid card in the text field and click Activate.
d To create a grid card for the user, select click here.
The Optional Token Registration page appears.

9 To register a token for the user, do the following:

a Select Register for a Token.
b Click Next to continue.
If you chose to register a token, the Token Registration page appears.

c Select a token vendor from the drop-down list.


d In the text field, enter the serial number of the token. Or, click Skip.
e Click Activate.
The Optional PVN Registration page appears.

10 To create a personal verification number (PVN), do the following:


a Select Create a Personal Verification Number (PVN).
b Click Next.
If you chose to create a PVN, the Create Personal Verification Number
(PVN) page appears.

c In the PVN and Confirm PVN fields, enter a personal verification number for
the user.
d Click Next.
If you chose to register your computer for machine authentication, the Identify
Your Machine page appears.

11 On the Identify Your Machine page, do the following:


a In the Machine Label field, enter a label for the machine secret.
b Click Next to continue.
The Enrollment Confirmation page appears.

12 Click Next.

The Accounts Summary page appears.

13 From this page, you can do the following:


• To simulate a user transferring money between accounts, click Transfer
Money. For information on transferring money, see “To transfer money with
step-up authentication” on page 322.
For transfers of $10,000 or more, Entrust Identity Enterprise performs
risk-based authentication at an enhanced security level. If required, the user
must answer a one-time password challenge.
• To simulate transaction authentication using a mobile device, click Wire
Transfer. For information on performing a wire transfer, see “Performing a
wire transfer using transaction authentication” on page 340. This procedure
requires an Entrust Identity Enterprise Mobile soft token.
• To simulate a user paying a bill, click Pay Bills. For information on paying a
bill, see “To pay a bill with step-up authentication” on page 323. This
procedure requires a grid or temporary PIN.
• To simulate a user adding a bill payee, click Add Bill Payee. For information on
adding a bill payee, see “To add a bill payee with step-up authentication” on
page 324. This procedure requires a token or temporary PIN.
• To change the user’s password, click Change Password. For information on
changing the password, see “To change a user’s password” on page 296.
• To change the user’s contact information, click Update Profile. For
information on changing the contact information, see “To change a user’s
contact information” on page 296.
• To log out and return to the Welcome page, click Logoff.

To transfer money with step-up authentication

1 In the Amount field, enter a monetary amount.


2 (Optional) In the From Account and To Account drop-down lists, select different
accounts.
3 Click Confirm.
The Transaction Confirmation page appears.

4 To continue with the transaction, click Confirm.


For amounts of $10,000 or greater, Entrust Identity Enterprise performs
risk-based authentication at the enhanced security level. By default, if the
risk-based authentication does not reject the user from continuing, a one-time
password challenge appears. For more information on answering a one-time
password challenge, see “To answer a one-time password challenge” on
page 335.
The Transaction Result page appears.

5 Click Next to return to the Account Summary page (see Step 13 on page 321).

To pay a bill with step-up authentication

1 In the Amount field, enter a monetary amount.


2 (Optional) In the From Account and To Account drop-down lists, select different
accounts.
3 Click Confirm.
The Transaction Confirmation page appears.

4 To continue with the transaction, click Confirm.


A grid challenge appears. For more information about answering a grid
challenge, see “To answer a grid challenge” on page 333.
The Transaction Result page appears.

5 Click Next to return to the Account Summary page (see Step 13 on page 321).

To add a bill payee with step-up authentication

1 (Optional) In the Payee drop-down list, select a bill payee.


2 Click Confirm.
The Transaction Confirmation page appears.

3 To continue with the transaction, click Confirm.


A token challenge appears. For more information about answering a token
challenge with a challenge-response token, see “To answer a challenge-response
token challenge” on page 336. For more information about answering a token
challenge with a response-only token, see “To answer a response-only token or
soft token challenge” on page 338.
The Transaction Result page appears.

4 Click Next to return to the Account Summary page (see Step 13 on page 321).

Performing step-up authentication


For the step-up authentication scenario, the sample application demonstrates how a
user might perform step-up authentication.
When a user logs in, Entrust Identity Enterprise performs risk-based authentication on
the user at the normal security level. If the user fails the risk-based authentication, the
sample application either presents the user with a second-factor authentication
challenge or rejects the user from authenticating.

After logging in, the sample application also demonstrates how step-up
authentication can be applied in the following ways:
• After logging in and attempting to perform a certain operation, the user is
presented with a second-factor authentication challenge.
• After logging in and attempting to perform a sensitive operation, Entrust
Identity Enterprise performs risk-based authentication on the user at an
enhanced security level.
– If the user fails the risk-based authentication, the user may be rejected from
authenticating or may be presented with a second-factor challenge.
– By default, even if the user passes the risk-based authentication, the user
must answer a second-factor authentication challenge.
For more information on any of the authentication methods supported by Entrust
Identity Enterprise, see the Entrust Identity Enterprise Server Administration Guide.

Note:
The sample application provides a way to change the browser information (IP
address and cookies containing the machine secrets). Change the browser
information to test Entrust Identity Enterprise’s risk-based authentication
features. For more information, see “Changing the browser information” on
page 330.

To log in to the Accounts Summary page for step-up authentication


1 Open the sample application. (See “Accessing the sample application” on
page 290.)
2 Click Perform a Login.

The Step-Up Login page appears.

3 In the User ID field, enter the user name of the user.

Note:
If the user registered through the Self-Service Module, ensure that they belong
to the Entrust Identity Enterprise group called samplegroup. Only users from
samplegroup are allowed to log in to the sample application.

If the user registered through the sample application (not the Self-Service
Module), this person was added to the samplegroup upon registration, and no
further configuration is required.

4 To enable machine authentication, click Remember Me.


5 Click Login to continue.
If you fail the risk-based authentication at the normal security level but are not
rejected from authenticating, a second-factor challenge appears.
6 (If applicable) Answer the second-factor authentication challenge. For more
information, see “Answering second-factor authentication challenges” on
page 333.
If you passed the risk-based authentication at the normal security level, or if you
successfully answered a second-factor challenge, the Mutual Authentication
Confirmation page appears.

7 If the image and caption are the same image and caption you registered during
enrollment, then enter the user’s password in the Password field and then click
Next.
If the user’s password needs to be changed (for example, it has expired), the
Update Your Password page appears.

8 To update the user’s password, do the following:


a Enter a new password in the New Password and Confirm Password fields.
The new password must conform to the password rules in the sample policy.
To view the password rules, select click here.
b Click Next.

The Accounts Summary page appears.

9 From this page, you can do the following:


• To simulate a user transferring money between accounts, click Transfer
Money. For information on transferring money, see “To transfer money with
step-up authentication” on page 322.
For transfers of $10,000 or more, Entrust Identity Enterprise performs
risk-based authentication at an enhanced security level. If required, the user
must answer a one-time password challenge.
• To simulate transaction authentication using a mobile device, click Wire
Transfer. For information on performing a wire transfer, see “Performing a
wire transfer using transaction authentication” on page 340. This procedure
requires an Entrust Identity Enterprise Mobile soft token.
• To simulate a user paying a bill, click Pay Bills.
For information on paying a bill, see “To pay a bill with step-up
authentication” on page 323. This procedure requires a grid or temporary
PIN.
• To simulate a user adding a bill payee, click Add Bill Payee.
For information on adding a bill payee, see “To add a bill payee with step-up
authentication” on page 324. This procedure requires a token or temporary
PIN.
• To change the user’s password, click Change Password.
For information on changing the password, see “To change a user’s
password” on page 296.
• To change the user’s contact information, click Update Profile.

For information on changing the contact information, see “To change a
user’s contact information” on page 296.
• To log out and return to the Welcome page, click Logoff.

Changing the browser information
When performing step-up authentication (see “Performing step-up authentication”
on page 324), Entrust Identity Enterprise performs risk-based authentication on the
user. Risk-based authentication consists of checking the user’s IP/Geolocation data
and machine secrets before rejecting the user from authenticating, issuing a
second-factor challenge to the user, or authenticating the user without a
second-factor challenge.
For you to test the risk-based authentication policies, the sample application provides
a way for you to simulate an authentication attempt from another IP address, or
remove the cookies containing the machine secrets.
In the sample application, you can simulate a change in the IP address when you want
to test the risk-based authentication policies related to IP geolocation. For example,
you can change the IP address so it fails the IP blacklist test.

Note:
The sample application does not actually change your browser’s IP address. The
IP address remains the same, but the sample application uses the different IP
address when you attempt to authenticate through the sample application.

Additionally, you can delete the cookies containing the machine secrets to test the
machine authentication policies for both the two-step and step-up authentication
scenarios.
You can change the browser information at any time during the step-up
authentication scenario. For example, you can change the IP address before you log in
to the Any Bank Web site or before performing a sensitive operation.
For more information on risk-based authentication, see the Entrust Identity Enterprise
Server Administration Guide.
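The decisions described here and in “Using step-up authentication” (normal level at login, enhanced level for sensitive operations, the three possible outcomes, and the effect of a blacklisted IP or cleared machine cookies) as a small model. This is an added illustration, not Entrust Identity Enterprise code: the blacklist, user and browser records are constructed, and the rules (a blacklisted IP is rejected outright, transfers below $10,000 need no step-up, the challenge method per operation) are assumptions that follow the guide’s description of the sample policy.

```python
"""Model of the step-up / risk-based authentication decisions the sample
application demonstrates. Added illustration only; not product code. The
thresholds, blacklist and outcome rules are assumptions taken from the guide."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


class Level(Enum):
    NORMAL = "normal"        # applied when the user logs in
    ENHANCED = "enhanced"    # applied to sensitive operations


class Outcome(Enum):
    ALLOW = "allow"          # authenticated with no second-factor challenge
    CHALLENGE = "challenge"  # user must answer a second-factor challenge
    REJECT = "reject"        # user is rejected from authenticating


class Operation(Enum):
    TRANSFER = "transfer"    # sensitive: risk-based check at the enhanced level
    PAY_BILL = "pay_bill"    # sample policy: always a grid challenge
    ADD_PAYEE = "add_payee"  # sample policy: always a token challenge


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    challenge: Optional[str] = None  # "grid", "token", "otp", or "policy" (policy-chosen method)


@dataclass
class Browser:
    """What the sample application lets you vary: the IP address used for the
    attempt and the machine-secret cookie (None once the cookies are cleared)."""
    ip: str
    machine_secret: Optional[str]
    client_cert_subject: Optional[str] = None  # only on a client-authenticated SSL port


@dataclass
class User:
    name: str
    machine_secrets: frozenset  # secrets issued when Remember Me was selected at enrollment
    cert_subject: Optional[str] = None


# Constructed sample data: a documentation-range network stands in for the IP blacklist.
IP_BLACKLIST = (ip_network("203.0.113.0/24"),)
ENHANCED_AMOUNT = 10_000  # transfers at or above this amount use the enhanced level


def risk_checks(user: User, browser: Browser) -> Tuple[bool, bool]:
    """Return (ip_ok, identity_ok): the IP check, and machine authentication
    combined with certificate authentication when a client certificate is in scope."""
    ip_ok = not any(ip_address(browser.ip) in net for net in IP_BLACKLIST)
    machine_ok = browser.machine_secret is not None and browser.machine_secret in user.machine_secrets
    cert_ok = True
    if browser.client_cert_subject is not None:
        cert_ok = browser.client_cert_subject == user.cert_subject
    return ip_ok, machine_ok and cert_ok


def evaluate(user: User, browser: Browser, level: Level, remember_me: bool = True) -> Decision:
    """Risk-based authentication at the given level: allow, challenge or reject."""
    if not remember_me:
        # Risk-based authentication runs only when Remember Me is selected;
        # otherwise the user always answers a second-factor challenge.
        return Decision(Outcome.CHALLENGE, "policy")
    ip_ok, identity_ok = risk_checks(user, browser)
    if not ip_ok:
        return Decision(Outcome.REJECT)               # assumption: blacklisted IP is rejected
    if not identity_ok:
        return Decision(Outcome.CHALLENGE, "policy")  # unknown machine or cert: step up
    if level is Level.ENHANCED:
        return Decision(Outcome.CHALLENGE, "policy")  # enhanced level challenges even on a pass
    return Decision(Outcome.ALLOW)


def login(user: User, browser: Browser, remember_me: bool) -> Decision:
    return evaluate(user, browser, Level.NORMAL, remember_me)


def perform(user: User, browser: Browser, op: Operation, amount: int = 0) -> Decision:
    """Decision for an operation chosen on the Accounts Summary page after login."""
    if op is Operation.PAY_BILL:
        return Decision(Outcome.CHALLENGE, "grid")
    if op is Operation.ADD_PAYEE:
        return Decision(Outcome.CHALLENGE, "token")
    if amount < ENHANCED_AMOUNT:
        return Decision(Outcome.ALLOW)  # assumption: smaller transfers need no step-up
    decision = evaluate(user, browser, Level.ENHANCED)
    if decision.outcome is Outcome.CHALLENGE:
        return Decision(Outcome.CHALLENGE, "otp")  # sample policy asks for a one-time password
    return decision


if __name__ == "__main__":
    alice = User("alice", frozenset({"secret-1"}))  # constructed user
    print(login(alice, Browser("198.51.100.7", "secret-1"), remember_me=True))   # allow
    print(login(alice, Browser("198.51.100.7", None), remember_me=True))         # cookies cleared
    print(login(alice, Browser("203.0.113.9", "secret-1"), remember_me=True))    # blacklisted IP
    print(perform(alice, Browser("198.51.100.7", "secret-1"), Operation.TRANSFER, 10_000))
```

Run the three login calls in turn to see the allow, challenge and reject paths that the Set Your Browser’s IP Address and Clear Machine Cookies controls let you exercise in the sample application.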

To change the browser information


1 Open the sample application. (See “Accessing the sample application” on
page 290.)
2 Click Set Your Browser’s IP Address.

The Set the IP Address for this Browser Session page appears.

3 To change the IP address to a specific IP address, enter the IP address in the text
fields and then click Change IP.
4 To select an IP address from a list of IP addresses, do the following:
a In the Country List drop-down list, select a country. (Select IP Blacklist to use
an IP address from your IP blacklist).
b In the IP Range drop-down list, select a range of IP addresses.
The first IP address in that range appears in the IP address text fields.
c (Optional) Change the IP address in the text fields as desired.
d Click Change IP.
5 To view all the cookies that contain Entrust Identity Enterprise machine secrets,
click View Cookies.

A dialog box appears.

Click OK to close the dialog box.


6 To clear the machine cookies, click Clear Machine Cookies.
Once you have changed the browser information, click Return to Previous Page to
return to the previous page.
The IP address change remains in effect until you click either the Logoff link or Exit
Session link.

Answering second-factor authentication challenges
As you use the sample application, you will authenticate with most or all of the
second-factor authentication methods supported by Entrust Identity Enterprise.
This section contains the following procedures:
• “To answer a grid challenge” on page 333
• “To answer a knowledge-based question and answer challenge” on
page 335
• “To answer a one-time password challenge” on page 335
• “To answer a challenge-response token challenge” on page 336
• “To answer a response-only token or soft token challenge” on page 338

To answer a grid challenge

1 To answer the challenge with the grid card, do the following:

Note:
If you do not have the grid in front of you, you can use the Administration
interface to view the grid. For more information, see the Entrust Identity
Enterprise Server Administration Guide.

a In the grid coordinate fields (for example, [F5], [H5], and [I2]), enter the
values for those coordinates as they appear on the grid card.
Depending on the sample policy and the user’s account settings, additional
fields may appear.

– If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
b Click Next.
2 To answer the challenge with a temporary PIN, do the following:

Note:
You can assign the user a temporary PIN in the Administration interface. For more
information, see the Entrust Identity Enterprise Server Administration Guide.

a Click Temporary PIN.


The Temporary PIN Challenge appears.

b In the Temporary PIN field, enter the user’s temporary PIN.


Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN, and the user does not have a PVN, enter
a new PVN in the New PVN and Confirm PVN fields.
c Click Next.
– If you answered a grid challenge as part of the two-step authentication
scenario, see Step 9 on page 311.
– If you answered a grid challenge while paying a bill as part of the step-up
authentication scenario, see Step 5 on page 323.

– If you answered a grid challenge while performing a login in the step-up
authentication scenario, see Step 7 on page 327.

To answer a knowledge-based question and answer challenge

1 For each question, enter the response in the text field, or select the response from
the drop-down list.
2 Click Next.
• If you answered a knowledge-based challenge as part of the two-step
authentication scenario, see Step 9 on page 311.
• If you answered a knowledge-based challenge while performing a login in
the step-up authentication scenario, see Step 7 on page 327.

To answer a one-time password challenge

1 Retrieve the user’s one-time password in one of two ways:


• If you configured a valid out-of-band delivery method, retrieve the one-time
password through that method (for example, the user’s email account).
• Use the Administration interface to view the one-time password.
2 In the OTP Response field, enter the user’s one-time password.

Depending on the sample policy and the user’s account settings, additional fields
may appear.
• If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
• If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
• If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
3 Click Next.
• If you answered a one-time password challenge as part of the two-step
authentication scenario, see Step 9 on page 311.
• If you answered a one-time password challenge while transferring money as
part of the step-up authentication scenario, see Step 5 on page 322.
• If you answered a one-time password challenge while performing a login in
the step-up authentication scenario, see Step 7 on page 327.

To answer a challenge-response token challenge

1 To answer the challenge with the token, do the following:


a The Token Challenge page displays a challenge string in red numbers (for
example 23419279).
Enter this challenge string into your challenge-response token and then press
the button on the token to generate a dynamic password.
b In the Token Response field, enter the dynamic password generated by the
token.
Depending on the sample policy and the user’s account settings, additional
fields may appear.

– If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
2 To answer the challenge with a temporary PIN, do the following:

Note:
You can assign the user a temporary PIN in the Administration interface. For more
information, see the Entrust Identity Enterprise Server Administration Guide.

a Click Temporary PIN.


The Temporary PIN Challenge page appears.

b In the Temporary PIN field, enter the user’s temporary PIN.


Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
– If you answered a token challenge as part of the two-step authentication
scenario, see Step 9 on page 311.
– If you answered a token challenge while adding a bill payee as part of the
step-up authentication scenario, see Step 4 on page 324.

– If you answered a token challenge while performing a login in the step-up
authentication scenario, see Step 7 on page 327.

To answer a response-only token or soft token challenge

1 To answer the challenge with the token, do the following:


a Press the button on the token to generate a dynamic password. If you are
using a soft token, open the Entrust Identity Enterprise Mobile application.
The application displays a Security Code.
b In the Token Response field, enter the dynamic password or security code.
Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
2 To answer the challenge with a temporary PIN, do the following:

Note:
You can assign the user a temporary PIN in the Administration interface. For more
information, see the Entrust Identity Enterprise Server Administration Guide.

a Click Temporary PIN.
The Temporary PIN Challenge page appears.

b In the Temporary PIN field, enter the user’s temporary PIN.


Depending on the sample policy and the user’s account settings, additional
fields may appear.
– If the user has a personal verification number (PVN), enter the PVN in the
PVN field.
– If the user must update the PVN, then enter the new PVN in the New PVN
and Confirm PVN fields.
– If the challenge requires a PVN and the user does not have a PVN, enter a
new PVN in the New PVN and Confirm PVN fields.
c Click Next.
– If you answered a token challenge as part of the two-step authentication
scenario, see Step 9 on page 311.
– If you answered a token challenge while adding a bill payee as part of the
step-up authentication scenario, see Step 4 on page 324.
– If you answered a token challenge while performing a login in the step-up
authentication scenario, see Step 7 on page 327.

Performing a wire transfer using transaction authentication
Transaction authentication is an optional feature available for use with Entrust
Identity Enterprise Mobile and the Self-Service Module. A demonstration of
transaction authentication is available through the Wire Transfer option on the
Accounts Summary page (Figure 2).

Figure 2: Account Summary page

To prepare for the wire transfer


1 Ensure you have installed and configured the Self-Service Module and Entrust
Identity Enterprise server for transaction authentication. For a complete list of
tasks, see the Entrust Identity Enterprise Self-Service Module Installation and
Configuration Guide.
2 Ensure a user has installed Entrust Identity Enterprise Mobile on their mobile
device and has activated the soft token within it.

To perform a wire transfer


1 Open the sample and click Perform a login. When presented with the Token
Response field, enter the security code displayed by Entrust Identity Enterprise
Mobile.
2 On the Accounts Summary page, click Wire Transfer.
3 On the Transfer Funds page, in the Amount field, enter 10000 and click Confirm.
4 Click Confirm again when prompted.
Clicking Confirm triggers a notification to be sent to your mobile device. You are
made aware of the notification with a vibration or ring tone.
The notification appears on your mobile device as a pop-up.
5 On your mobile device:
a Click View.
The transaction details appear including the accounts involved and the
amount being transferred.
b Select OK if the details match what you expect. Select Cancel if you want to
terminate the transaction. Select Concern if the details do not match what
you expect and you suspect fraud.
6 If you selected OK, a confirmation code appears on your mobile device. Enter it
in the sample application and click Next.

The wire transfer is completed. You have performed a wire transfer using
transaction authentication.

14 Uninstalling Entrust Identity Enterprise
This chapter provides instructions for uninstalling Entrust Identity Enterprise Server
from your system.
Topics in this section:
• “Uninstalling Entrust Identity Enterprise on Linux” on page 344
• “Uninstalling Entrust Identity Enterprise on Windows” on page 346

Uninstalling Entrust Identity Enterprise on Linux
Entrust Identity Enterprise Server does not include an uninstall script. You must
perform the following procedure to uninstall Entrust Identity Enterprise.
Uninstalling the server also uninstalls the Radius proxy component, if configured.

To uninstall Entrust Identity Enterprise on Linux


1 (Optional.) Create a backup file for your configuration, in case you want to
restore your system later. Complete the steps in “Backing up your configuration”
on page 207.
2 Stop the Entrust Identity Enterprise service. For instructions see “Managing
Entrust Identity Enterprise services” on page 188.
3 As root:
a Navigate to the $IG_HOME/bin directory, typically:
/opt/entrust/identityguard130/bin
b Enter the following command to uninstall the Radius proxy service:
./igsvcconfig.sh igradius uninstall
c Enter the following command to uninstall the Entrust Identity Enterprise
service:
./igsvcconfig.sh identityguard uninstall
d Remove the Entrust Identity Enterprise directories.
For example:
rm -f -r /opt/entrust/identityguard130
rm -f -r /opt/entrust/jre11.0.8_10
rm -f -r /opt/entrust/apache-tomcat-<version>
4 (Optional) Remove the Entrust Identity Enterprise data from the repository on
the repository server.
• For database repositories, Entrust Identity Enterprise provides the following
SQL files to remove all Entrust Identity Enterprise tables. You can find the files
in $IG_HOME/etc/sql. The files are also available in the Entrust Identity
Enterprise Server for Linux installation package.

Table 21: Database drop files

Database type   Name of drop files
DB2             drop_db2_v130_schema.sql
MySQL           drop_mysql_v130_schema.sql
Oracle          drop_oracle_v130_schema.sql
PostgreSQL      drop_postgresql_v130_schema.sql
SQL Server      drop_sqlserver_v130_schema.sql

• For directory repositories, you must remove this data manually.


5 To remove generated files such as logs, manually delete the Entrust Identity
Enterprise installation directory.
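The Linux procedure above, wrapped in a script, as an added example that is not part of the Entrust guide. It assumes the service has already been stopped (step 2), that IG_HOME is /opt/entrust/identityguard130 unless the environment overrides it, and that the Radius proxy service may or may not be configured. Two things are additions of this example rather than documented product behaviour: it refuses to run unless a configuration backup file (step 1) is present, and it resolves the jre* and apache-tomcat-* directories by glob instead of hard-coding the version names shown in the guide. By default it only prints the plan; export DRY_RUN=0 to execute it as root.

```shell
#!/bin/sh
# Added example, not Entrust's own tooling. Scripts the manual Linux uninstall
# steps from the guide with a backup safeguard and a dry-run default.

IG_HOME="${IG_HOME:-/opt/entrust/identityguard130}"   # assumed default

# Print the ordered commands the guide prescribes, one per line, without
# executing anything, so the plan can be reviewed before it is run.
ig_uninstall_plan() {
    ig_home="$1"
    root="$(dirname "$ig_home")"
    # 3b/3c: remove the Radius proxy service, then the server service
    printf '%s\n' "cd $ig_home/bin && ./igsvcconfig.sh igradius uninstall"
    printf '%s\n' "cd $ig_home/bin && ./igsvcconfig.sh identityguard uninstall"
    # 3d: remove the product directory
    printf '%s\n' "rm -f -r $ig_home"
    # 3d: the guide lists jre11.0.8_10 and apache-tomcat-<version>; resolve
    # whichever versions actually exist under the same parent directory
    for d in "$root"/jre* "$root"/apache-tomcat-*; do
        [ -d "$d" ] && printf '%s\n' "rm -f -r $d"
    done
    return 0
}

# Preflight: a readable backup file from step 1 must exist before anything
# destructive happens (safeguard added by this example).
ig_preflight() {
    backup="$1"
    [ -n "$backup" ] && [ -f "$backup" ]
}

# Run the plan. Returns 1 and removes nothing if the preflight fails.
# DRY_RUN defaults to 1 (print only); set DRY_RUN=0 to execute.
ig_uninstall() {
    ig_home="$1"
    backup="$2"
    if ! ig_preflight "$backup"; then
        echo "refusing to uninstall: no backup file at '$backup'" >&2
        return 1
    fi
    plan="$(ig_uninstall_plan "$ig_home")"
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done <<EOF
$plan
EOF
}

# Entry point when invoked directly: ig-uninstall.sh <backup-file>
if [ -n "${1:-}" ]; then
    ig_uninstall "$IG_HOME" "$1"
fi
```

Repository data (step 4) is deliberately left out of the script: dropping the tables with the SQL files in $IG_HOME/etc/sql, or deleting directory entries, affects every server that shares the repository, so it belongs to a separate, reviewed step rather than an automated uninstall of one host.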

Uninstalling Entrust Identity Enterprise on Windows
Complete the following procedure to uninstall the Entrust Identity Enterprise Server
on Microsoft Windows.
Uninstalling the server also uninstalls the Radius proxy component, if configured.

To uninstall Entrust Identity Enterprise Server on Microsoft Windows


1 (Optional.) Create a backup file for your configuration, in case you want to
restore your system later. Complete the steps in “Backing up your configuration”
on page 207.
2 Open the Windows Control Panel:
• On Microsoft Windows Server 2019 or 2016, click the Windows button,
then select Control Panel.
• On Windows Server 2012 or 2012 R2, select Start, then click the down arrow
to access Apps, then click Control Panel.
3 In the Control Panel, click Programs and Features.
4 Right-click Entrust Identity Enterprise Server 13.0, and then select Uninstall.
A dialog box prompts you to confirm that you want to uninstall Entrust Identity
Enterprise.
5 Click Yes.
Entrust Identity Enterprise is uninstalled.
6 (Optional.) Remove the Entrust Identity Enterprise data from the repository on
the repository server.
• For database repositories, Entrust Identity Enterprise provides the following
SQL files to remove all Entrust Identity Enterprise tables. You can find the files
in <IG_HOME>/etc/sql. The files are also available in the Entrust Identity
Enterprise Server for Windows installation package.

Table 22: Database drop files

Database type   Name of drop files
DB2             drop_db2_v130_schema.sql
MySQL           drop_mysql_v130_schema.sql
Oracle          drop_oracle_v130_schema.sql
PostgreSQL      drop_postgresql_v130_schema.sql
SQL Server      drop_sqlserver_v130_schema.sql

• For directory repositories, you must remove this data manually.


7 To remove generated files such as logs, manually delete the Entrust Identity
Enterprise installation directory.

Glossary of Terms
active grid card or token The card or token that the end user is presently using for
authentication.
Administration API The Java Platform or .NET (C#) API that applications can
use to integrate with the Administration service.
Administration interface The Web interface used by administrators to manage end
users (see end user).
Administration service The Entrust Identity Enterprise Web service responsible for
managing administrators, users, cards, tokens, PINs, and
so on.
Administration WSDL The WSDL definition for the Administration service.
administrator The Entrust Identity Enterprise user who manages the
day-to-day activity of end users using the Administration
service (see also end user).
alias An additional unique name for an end user.
See also user name.
anonymous authentication See one-step authentication.
auditor role A predefined role that has read access to operations
available through the Administration service.
authentication The process of proving your identity, and/or determining
the validity of a set of credentials presented to the system.
Authentication API The Java Platform or .NET (C#) API that applications can
use to integrate with the Authentication service.
authentication secret The secrets shared between the organization and the user
when organization authentication is configured.

Authentication service The Entrust Identity Enterprise Web service used for
retrieving challenge requests and authenticating user
responses.
Also see Authentication API.
Authentication WSDL The WSDL definition for the Authentication service.
card A physical grid card that is printed and distributed to
users.
cardspec attributes See card specification attributes.
card specification attributes The policy attributes that determine the characteristics of
a grid for grid authentication. For example, the characters
to use in a grid, its expiry based on duration or use, the
number of rows and columns, and so on.
cell A row and column coordinate in a grid.
challenge generation algorithm An algorithm used to produce the challenge when using
grid authentication. Entrust Identity Enterprise has two
challenge generation algorithms:
• least-used cell challenge generation algorithm
• random challenge generation algorithm
client application Any application that uses the Authentication API and/or
the Administration API to access Entrust Identity
Enterprise’s administration and multifactor authentication
capabilities on behalf of the end user.
client authentication The authentication process whereby users prove their
identity to an application, using, for example, Entrust
Identity Enterprise Server.
Consumer deployment An Entrust Identity Enterprise deployment where the end
users are external to the organization (for example, they
are customers or partners), and are authenticating to a
Web-based application.
credentials A set of data (for example, a user name and password,
grid, or dynamic password) that defines a user to the
system.
default role A predefined role that has access to most operations
available through the Administration service.
Entrust Identity Enterprise does not install with a
predefined role named default.
dynamic password The random number displayed by a token that changes
automatically at regular intervals.

end user A user who authenticates to Entrust Identity Enterprise
using one of the available multifactor authentication
methods.
Enterprise deployment A deployment of Entrust Identity Enterprise where the
end users are internal to the organization (for example,
employees) and are authenticating to internal services.
Entrust Identity Enterprise Server An Entrust product that provides multifactor
authentication to increase the security of an online
identity.
Entrust Identity Enterprise Desktop for Microsoft Windows An Entrust Identity
Enterprise client that adds second-factor authentication capabilities to the
first-factor authentication performed by Microsoft Windows Winlogin and the
RAS/IAS servers.
See also Entrust Identity Enterprise Remote Access Plug-in for Microsoft Windows
Servers.
Entrust Identity Enterprise Remote Access Plug-in for Microsoft Windows Servers An
Entrust Identity Enterprise client that installs on the RAS and IAS servers to
enable Entrust Identity Enterprise second-factor authentication for remote
Microsoft Windows users.
Entrust Identity Enterprise Mobile An application that is installed on users’ mobile devices
and contains a soft token (or multiple soft tokens).
external authentication The first-factor authentication provided by Entrust
Identity Enterprise in a deployment where remote users
connect through a VPN and no external Radius server
exists.
file-based repository A file containing preproduced cards, unassigned token, or
unassigned smart credential information that is located on
the primary Entrust Identity Enterprise Server. Used only
when your repository is an LDAP Directory.
first-factor authentication The first authentication challenge presented to the user.
Usually user name and password authentication.
first-factor authentication application The application which performs
first-factor authentication and to which Entrust Identity Enterprise is added as
the second factor of authentication.
grid An assortment or table of characters listed in row and
column format.
See also card.
grid authentication A second-factor authentication method that challenges a
user for a set of grid coordinates or cells.

grid location replay authentication A type of organization authentication used with grid
authentication that requires the organization to display
the contents of certain coordinates in the grid once the
user has authenticated.
group A means to organize end users, administrators, tokens,
and cards to delegate administrative tasks and assign
policy behavior (such as allowed authentication
methods).
identityguard.properties file The Java properties file containing all the configuration
settings for a particular Entrust Identity Enterprise Server.
image replay authentication See message or image replay authentication.
initialization A one-time process completed while setting up Entrust
Identity Enterprise that provides the system with the
license keys and creates the master users, and the master
key.
If repeated, re-initialization replaces the master key,
overwrites policy data already stored in the repository,
and renders existing user, preproduced grid card and
unassigned token information unusable.
See master key.
knowledge-based authentication A second-factor authentication method that challenges a
user for correct responses to a series of questions.
layered authentication An authentication process in which additional
authentication challenges are presented for particular
transactions that require stronger authentication than the
user presently has.
least-used cell challenge generation algorithm A challenge generation algorithm
that uses a configured number of least-used coordinates (cells) when creating
the challenge.
machine authentication An authentication process in which a user is associated
with a particular computer through the use of a machine
secret. After association, second-factor authentication is
transparent for the user on that computer.
machine authentication type list A list of machine authentication methods assigned to a
user, based on their policy.
machine secret One or more nonces and optional application-provided
data that uniquely identify a particular computer.
master key The key that Entrust Identity Enterprise uses to encrypt
information stored in the repository.

master key protection file The file containing the obfuscation key used to access the
master key.
master user The Entrust Identity Enterprise user that configures how
Entrust Identity Enterprise will work in your system.
Entrust Identity Enterprise has three master users.
See master user shell.
master user shell A command line used by master users to configure Entrust
Identity Enterprise.
See master user.
message or image replay authentication A type of organization authentication in
which the organization displays a predefined message or image either before or
after the user has authenticated.
multifactor authentication An authentication process in which two or more
authentication methods are used consecutively to verify a
user and often an organization.
mutual authentication An authentication process in which both the user and the
organization verify themselves as legitimate.
See also organization authentication and user
authentication.
nonce A random value generated for security purposes.
one-step authentication An authentication process in which first-factor and
second-factor authentication challenges are presented to
the end user at the same time. Also referred to as
“anonymous authentication” as the system does not
know the identity of the user.
Available only when using grid authentication.
See also two-step authentication.
one-time password A set of characters provided to a user out-of-band that
can only be used once for authentication.
See also out-of-band authentication.
organization authentication An authentication process in which the organization
verifies itself as authentic to the end user. Entrust Identity
Enterprise supports the following types:
• grid location replay authentication
• message or image replay authentication
• serial number replay authentication
OTP See one-time password.

out-of-band authentication A second-factor authentication method that challenges a
user for a one-time password that is sent (for example) to
their mobile phone when the challenge occurs.
password attributes The policy attributes that determine the password rules.
For example, the password length, expiry date, and so on.
personal verification number An additional authentication feature that can be added to
a grid, token, temporary PIN, or one-time password.
pinspec attributes See temporary PIN attributes.
policy A set of attributes that determines the characteristics for
each member in a group.
primary Entrust Identity Enterprise Server In a replicated system, this is the
Entrust Identity Enterprise Server on which the file-based repository is stored.
Therefore, it usually also is the Entrust Identity Enterprise Server hosting the
Administration service to which all instances of the Administration interface
connect.
property An attribute that defines how the Entrust Identity
Enterprise system works. Properties are defined in the
identityguard.properties file. You can edit properties using
the Properties editor.
Properties editor The Web interface used by administrators to manage the
identityguard.properties file.
PVN See personal verification number.
question and answer authentication See knowledge-based authentication.
Radius See Remote Authentication Dial-In User Service (Radius).
Radius proxy An Entrust Identity Enterprise client that adds
authentication capabilities to a deployment where remote
users connect through a VPN.
random challenge generation algorithm A challenge generation algorithm that
picks coordinates in a grid randomly when creating a challenge.
registration The process of adding new users to Entrust Identity
Enterprise by obtaining their information and setting
required attributes such as group association and
authentication method.

Remote Authentication Dial-In User Service (Radius) An industry standard
authentication protocol used to authenticate users with Radius clients.
A Radius client passes information about a user to a designated Radius server
and then acts on the response that the Radius server returns. Transactions
between the Radius client and the Radius server are authenticated through a
server secret, which is never sent over the network.
repository The Entrust Identity Enterprise information associated
with users and administrators stored in a database or
directory. A repository contains information such as:
• group association
• available authentication methods
• username and aliases
• authentication information such as grids, token data,
questions and answers, temporary PINs, one-time
passwords, and so on
• preproduced cards and unassigned token data
replica Entrust Identity Enterprise Server In a system with more than one
Entrust Identity Enterprise Server, any Entrust Identity Enterprise Server that
does not function as the primary Entrust Identity Enterprise Server.
Replicas are usually identical to each other.
role Defines, for administrators (see administrator), what
operations they can perform using the Administration
service.
Entrust Identity Enterprise installs with three roles:
• auditor role
• useradmin role
• superuser role
sample application The client Web application installed with the Entrust
Identity Enterprise Server that demonstrates the various
capabilities and authentication methods of Entrust
Identity Enterprise.
second-factor authentication The second authentication method in a system that uses
two independent mechanisms of authentication. It
ensures strong authentication. See strong authentication.

serial number replay authentication A type of organization authentication used with grid
authentication that requires the organization to display
the grid card’s unique serial number to the user.
shared secret A name and value pair associated with an end user and
used by a client application only (not Entrust Identity
Enterprise).
Simple Object Access Protocol (SOAP) An XML protocol that governs the exchange
of information in a distributed environment. SOAP provides a way for programs
running in two different operating systems (such as Windows and Linux) or
written in different programming languages (such as Java Platform and C#) to
exchange information, using HTTP and XML. Refer to
http://www.w3.org/2000/xp/Group/.
single-factor authentication An authentication system in which the user is verified
using only one authentication method (usually a user
name and password).
See also second-factor authentication.
single-stage authentication See one-step authentication.
SOAP See Simple Object Access Protocol (SOAP).
soft token A soft token is a piece of software that is typically installed
on a mobile device. Its purpose is to generate a dynamic
password that changes periodically (for example, every
minute). Users enter this password onto your Web site to
authenticate. Entrust Identity Enterprise Mobile is an
example of an application that contains one or more soft
tokens.
A soft token can be thought of as a token, without the
hardware casing.
strong authentication A form of client authentication in which users prove their
identity by logging in with credentials other than just user
name and password (for example, a grid or token).
super shell See master user shell.
superuser role A predefined role that has access to all operations
available through the Administration service.
supersh See master user shell.
temporary PIN A character string assigned to a user for a brief period of
time or usage duration to substitute for a temporarily
unavailable grid card or token.

temporary PIN attributes The policy attributes that determine the characteristics of
the temporary PIN. For example, the number of
characters in the PIN, its expiry date, and so on.
token A battery-operated hardware device that provides a user
with a dynamic password that changes periodically (for
example, every minute).
token authentication A second-factor authentication method that challenges a
user for a token-generated string. The response can
include a PVN.
token PIN A numeric value that associates a user with their token.
When a user receives a token challenge, they must prefix
their response with the static token PIN, thereby
enhancing the strength of the authentication.
Do not confuse with temporary PIN or dynamic password.
two-step authentication An authentication process in which first-factor and
second-factor authentication challenges are presented to
the end user consecutively. The end user is authenticated
and verified using the first-factor authentication method
before being challenged with second-factor
authentication.
See also one-step authentication.
two-stage authentication See two-step authentication.
useradmin role A predefined role that allows administration of an end
user through the Administration service.
user authentication An authentication process in which the end user is verified
as authentic by the organization. Entrust Identity
Enterprise supports the following types:
• grid authentication
• token authentication
• knowledge-based authentication
• out-of-band authentication
user name The name of the Entrust Identity Enterprise user in their
first-factor authentication system.
A user name must be unique within its group.
userspec attributes See user specification attributes.

user ID The globally unique name of an end user or administrator.
It includes both the Entrust Identity Enterprise group
name and the user name of the user in the first-factor
authentication system, written as group/username.
user specification attributes The policy attributes that determine the rules for an end
user’s interaction with Entrust Identity Enterprise. For
example, the number of aliases a user can have, their
authentication methods, and so on.
Web service A program that runs within an application server that
communicates to other requesting components, often
using the Simple Object Access Protocol (SOAP). Web
services have two advantages:
• The SOAP protocol provides a standard way for the
Web service and its clients to encode and decode (or
"parse") the program data so that programmers don't
have to write their own. The standard also means that
programs written by different companies can
communicate with the Web service.
• SOAP envelopes are typically sent within HTTP
requests so you do not have to open additional ports
in your firewall for clients to communicate with the
Web service.
Entrust Identity Enterprise has two Web services:
Administration service and Authentication service.
WSDL Web Services Definition Language. An XML format for
describing network services as a set of endpoints
operating on messages. WSDL service definitions provide
the technical details for describing a Web service that
would be required for someone to actually invoke the
service (for example, input parameters, output format,
and so on).

Index
IndexIndex
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
A restoring IdentityGuard 213

active card
definition 349 C
active token
card
definition 349 definition 350
Administration API
preproduced 283
definition 349
card specification attributes
Administration interface definition 350
definition 349
cardspec. See card specification attributes
Administration service
cell
definition 349 definition 350
Administration WSDL
certificate
definition 349
updating 180
administrator challenge
creating first administrator manually 148
grid 333
definition 349
knowledge-based 335
alias one-time password 335
definition 349
token 336, 338
anonymous authentication. See one-step authentication
challenge generation algorithm
auditor role definition 350
definition 349
challenges
authentication
answering 333
definition 349 client application
strong
definition 350
definition 356
client authentication
Authentication API definition 350
definition 349
clock synchronization 27
authentication secret
configuring
definition 349 considerations for sample application 281
Authentication service
considerations
definition 350
sample application 281
Authentication WSDL
Consumer deployment
definition 350 definition 350
credentials
B definition 350
Customer support 19
backup and restoring
overview 202
backup files 203 D
backups
default role
backup strategy 202

359
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
definition 350 G
delivery
out-of-band authentication 282 Getting help
delivery method 282 Technical Support 19
deployment grid
worksheets 22 definition 351
deployment, Consumer grid authentication
definition 350 challenge 333
deployment, Enterprise definition 351
definition 351 grid location replay authentication
disabling services 192 definition 352
downloading Entrust IdentityGuard 30 group
dynamic password definition 352
definition 350
I
E IdentityGuard
enabling services 191, 195 disabling 192, 193, 195
end user enabling 191, 193, 195
definition 351 failed initialization 147
enroll installing a replica server 89
user 313 querying status 189, 190, 191
user for two-step 292 restarting 189, 190, 191
Enterprise deployment starting 189, 190, 191
definition 351 starting and stopping on Windows 194
Entrust IdentityGuard Mobile 351 stopping 189, 190, 191
Entrust IdentityGuard Remote Access Plug-in for Microsoft uninstalling on Windows with embedded Tomcat 346
Windows Servers identityguard.properties file
definition 351 definition 352
error messages identityguard.sh 190
sample application 266 image replay authentication
exit session 267 definition 352, 353
external authentication initialization
definition 351 definition 352
initializing IdentityGuard
reasons for failure 147
F installation on Windows
troubleshooting 162
file-based repositories
IP blacklist 282
backing up 205
file-based repository
definition 351 K
first-factor authentication
definition 351 knowledge-based authentication
first-factor authentication application challenge 335
definition 351 definition 352

360 Entrust Identity Enterprise 13.0 Installation Guide Document issue: 12


- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
L

layered authentication
    definition 352
least-used cell challenge generation algorithm
    definition 352
loadbalancing 90
loading tokens 283
logging 281
    changing sample application logging 284
    configuring 86, 107
    sample application 283
    to Syslog 86, 107
logoff 267

M

machine authentication
    definition 352
machine authentication type list
    definition 352
machine secret
    definition 352
master key
    definition 352
master key protection file
    definition 353
master user
    definition 353
master user shell
    definition 353
message replay authentication
    definition 353
migrating IdentityGuard 226
multifactor authentication
    definition 353
mutual authentication 353

N

nonce
    definition 353
non-SSL ports 164

O

one-step authentication
    definition 353
one-time password
    challenge 335
    definition 353
organization authentication 353
OTP. See one-time password
out-of-band authentication 282
    definition 354
overview
    sample application 266

P

password attributes
    definition 354
pinspec attributes. See temporary PIN attributes
policy
    definition 354
preproduced cards 283
Professional Services 20
Properties editor
    definition 354
property
    definition 354
PVN. See personal verification number

Q

question and answer authentication. See knowledge-based authentication

R

Radius
    definition 355
Radius proxy
    automatic restart 50, 253
random challenge generation algorithm
    definition 354
registering
    second-factor method 297
    two-step authentication 297
registration
    definition 354
replica server
    configuring 89
    initializing 89
    installing 89

    new SSL certificate 90
repository
    configuration guides 32
    definition 355
    preparing 32
restoring IdentityGuard from backup 213
role
    definition 355

S

sample administrator 268
sample application
    accessing 290
    answering challenges 333
    changing browser information 330
    changing information 267
    changing logging levels 284
    configuration considerations 281
    definition 355
    error messages 266
    logging 281, 283
    overview 266
    sample administrator 268
    sample policy 267
    sample role 268
    sample users 281
    step-up authentication 312
    two-step authentication 292
    using 265
sample policy 267
sample role 268
sample users 281
sample Web application. See sample application
second-factor authentication
    challenges 333
    definition 355
serial number replay authentication
    definition 356
services
    starting and stopping 187
shared secret
    definition 356
single-factor authentication
    definition 356
single-page authentication. See one-step authentication
SOAP
    definition 356
soft token 356
SSL
    ports 164
starting services 187
step-up authentication 324
    enrolling 313
    using 312
stopping services 187
strong authentication
    definition 356
super shell. See master user shell
supersh. See master user shell
superuser role
    definition 356
Syslog
    logging to 86, 107

T

Technical Support 19
temporary PIN
    definition 356
temporary PIN attributes
    definition 357
time synchronization, time server 27
token
    challenge 336, 338
    definition 357
token authentication
    definition 357
token PIN. See static PIN
tokens
    loading 283
two-stage authentication. See two-step authentication
two-step
    registering 297
two-step authentication 308
    definition 357
    enrolling 292
    using 292
typographic conventions 14

U

uninstalling IdentityGuard
    on Windows with embedded Tomcat 346
upgrade
    logging 242

    overview 236
    preparation 237
    worksheet 239
user
    definition 351
    enroll 313
user authentication
    definition 357
user ID
    definition 358
user name
    definition 357
user specification attributes
    definition 358
useradmin role
    definition 357
users
    administering 283
userspec attributes. See user specification attributes

W

Web service
    definition 358
word map file 281
worksheet
    installation 35
    upgrade 239
worksheets
    deployment 22
WSDL
    definition 358
