
Configuration - from end of installation

Configuration - ActiveAccess

The purpose of this section is to provide an overview of the steps required in order to configure the system for testing purposes. This requires you to set up at least one issuer, create test cards and upload the authentication and enrolment pages.

Creating a New Issuer

  • Log in to the Administration server using an account with system admin access (such as administrator).

  • Use the Issuer Management section and create an issuer. The system creates an issuer and displays a 19-digit Issuer ID. Make a note of the Issuer ID for future use.

Note

At this stage the new issuer is not registered.

  • Send the Issuer ID and Issuer Name to GPayments and request an ActiveAccess license key. Once you receive the license key for the issuer, copy the contents of the license key into the Issuer Details page. Apply the changes and make sure that the message License key is valid is displayed.

The Administration server creates a set of cryptographic keys for the issuer in the HSM local to the administration server. If ActiveAccess is installed on a separate server, and as such uses its own hardware security module, these keys need to be transferred to that server's HSM.

  • Export the following keys to the ActiveAccess HSM:

    RSAVbV< Issuer_ID >_pub

    RSAVbV< Issuer_ID >_pri

    RSAMSC< Issuer_ID >_pub

    RSAMSC< Issuer_ID >_pri

    RSAJCB< Issuer_ID >_pub

    RSAJCB< Issuer_ID >_pri

    RSASK< Issuer_ID >_pub

    RSASK< Issuer_ID >_pri

    RSADC< Issuer_ID >_pub

    RSADC< Issuer_ID >_pri

    RSADEVICE< Issuer_ID >_pub

    RSADEVICE< Issuer_ID >_pri

    SPA< Issuer_ID >

    VbVA< Issuer_ID >

    VbVB< Issuer_ID >

    JCBA< Issuer_ID >

    JCBB< Issuer_ID >

    MSCA< Issuer_ID >

    MSCB< Issuer_ID >

    SKA< Issuer_ID >

    SKB< Issuer_ID >

    DCA< Issuer_ID >

    DCB< Issuer_ID >

    Card< Issuer_ID >

    Where < Issuer_ID > is the actual Issuer ID provided in the previous steps.

Info

For further information on key export and import, please see section 0 - Key Transfer.

Note

If you have enabled the Use parent keys option, the only key generated for the issuer is Card< Issuer_ID >

  • If the enrolment server or registration servers have been set up on a different machine from the administration server, these keys need to be transferred to their server HSM.

  • Export the following keys to the enrolment or registration server HSM:

    Card< Issuer_ID >

Where < Issuer_ID > is the actual Issuer ID provided in the previous steps.

Info

For further information on key export and import, please see section 0 - Key Transfer.

  • Use the Certificates Details section to create a certificate request for the issuer.

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

  • Send the certificate request to the appropriate Mastercard, Visa, JCB, American Express or Diners Club International certificate authority for signing.

  • Import the signed certificate back to the system using the Certificates Details section (the certificate must be in p7b format and include all the certificates in the certification path)

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

  • Upload the issuer public key certificate using the Public & Encryption Key Management function in the administration server.

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

  • Upload the authentication and enrolment pages (if applicable) for the issuer using the Custom Pages function in the administration server.

Creating a New Issuer Group

  • Log in to the Administration server using an account with system admin access (such as administrator).

  • Use the Group Management section to create an issuer group.

    The Administration server creates a set of cryptographic keys for the issuer group in the HSM local to the administration server. If ActiveAccess is installed on a separate server, and as such uses its own hardware security module, these keys need to be transferred to that server's HSM.

  • Export the following keys to the ActiveAccess HSM:

    RSAVbV< Group_ID >_pub

    RSAVbV< Group_ID >_pri

    RSAMSC< Group_ID >_pub

    RSAMSC< Group_ID >_pri

    RSAJCB< Group_ID >_pub

    RSAJCB< Group_ID >_pri

    RSASK< Group_ID >_pub

    RSASK< Group_ID >_pri

    RSADC< Group_ID >_pub

    RSADC< Group_ID >_pri

    RSADEVICE< Group_ID >_pub

    RSADEVICE< Group_ID >_pri

    SPA< Group_ID >

    VbVA< Group_ID >

    VbVB< Group_ID >

    JCBA< Group_ID >

    JCBB< Group_ID >

    MSCA< Group_ID >

    MSCB< Group_ID >

    SKA< Group_ID >

    SKB< Group_ID >

    DCA< Group_ID >

    DCB< Group_ID >

    Where < Group_ID > is the group's unique identifier as displayed in the issuer group details page.

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

Info

For further information on key export and import, please see section 0 - Key Transfer.

  • Use the Certificate Details section to create a certificate request for the group.

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

  • Send the certificate request to the appropriate Mastercard, Visa, JCB, American Express, or Diners Club International certificate authority for signing.

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

  • Import the signed certificate back to the system using the Certificate Details section (the certificate must be in p7b format and include all the certificates in the certification path)

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.

  • Upload the group public key certificate using the Public & Encryption Key Management function in the administration server.

Note

Skip this step if you have enabled the Use parent certificate, public and encryption keys option.
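
The issuer and issuer group key export lists above can be checked mechanically after a transfer. The following is an added example, not part of the ActiveAccess product or its documentation: it rebuilds the expected key labels from the lists on this page and compares them with a listing of labels taken from the target HSM. The function names, the one-label-per-line listing and the sample Issuer ID are assumptions made for the example.

```python
import re

# Label stems copied from the export lists above; "Card" applies to issuers only.
RSA_STEMS = ("VbV", "MSC", "JCB", "SK", "DC", "DEVICE")   # RSA<stem><ID>_pub / _pri
AB_STEMS = ("VbV", "JCB", "MSC", "SK", "DC")              # <stem>A<ID> / <stem>B<ID>


def expected_labels(entity_id, kind="issuer", card_only=False):
    """Key labels the page lists for an issuer or issuer group.

    card_only=True covers the two cases where only Card<Issuer_ID> applies:
    the Use parent keys option, or an enrolment/registration server HSM.
    """
    if kind not in ("issuer", "group"):
        raise ValueError("kind must be 'issuer' or 'group'")
    if kind == "issuer" and not re.fullmatch(r"\d{19}", entity_id):
        raise ValueError("Issuer ID must be exactly 19 digits")
    if card_only:
        if kind == "group":
            raise ValueError("the group list has no Card key")
        return {f"Card{entity_id}"}
    labels = {f"RSA{s}{entity_id}_{half}" for s in RSA_STEMS for half in ("pub", "pri")}
    labels |= {f"{s}{ab}{entity_id}" for s in AB_STEMS for ab in "AB"}
    labels.add(f"SPA{entity_id}")
    if kind == "issuer":
        labels.add(f"Card{entity_id}")
    return labels


def audit_transfer(entity_id, hsm_labels, kind="issuer", card_only=False):
    """Compare labels found on the target HSM with the expected set."""
    expected = expected_labels(entity_id, kind, card_only)
    present = {line.strip() for line in hsm_labels if line.strip()}
    missing = sorted(expected - present)
    # Labels that carry this ID but are not on the page's list, e.g. a mistyped label.
    unexpected = sorted(l for l in present - expected if entity_id in l)
    return {"complete": not missing, "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    issuer_id = "1234567890123456789"            # constructed sample, not a real Issuer ID
    listing = sorted(expected_labels(issuer_id) - {f"RSADEVICE{issuer_id}_pri"})
    listing.append(f"SKBB{issuer_id}")           # constructed mistyped label
    print(audit_transfer(issuer_id, listing))
```

Run with card_only=True against an enrolment or registration server HSM listing, the unexpected field also shows any other keys for that issuer that were transferred there beyond Card< Issuer_ID >.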

Configuring an Issuer for ActiveDevice

To activate device authentication for an issuer:

  • Log in to the Administration server using an account with system admin access (such as administrator).

  • Use System Management > Issuer Management to find the issuer's account and access the issuer details.

  • Install a license key with ActiveDevice functionality enabled. If an appropriate license key is installed, the license status shows Device authentication enabled.

Note

Contact GPayments if you don't have a license key with the ActiveDevice option enabled.

  • Create and install an issuer signing certificate for ActiveDevice. Make sure that the CA is in ActiveDevice's trusted CA list (in ActiveAccess).

  • Click on the ActiveDevice settings link. Select the appropriate token type for the issuer (e.g. VASCO) and apply the changes.

  • Upload two-factor authentication pages customised for this issuer. Use Issuer > Custom Pages > Upload File to locate and upload the two-factor custom pages. If testing, you can use the sample two-factor pages, which can be found in the /pkg/Custom Pages/Samples/ directory.