
UVa Rainbow iKey Hardware Token
Software Installation, Testing, and JointVPN Use


The JointVPN service is only available on the Windows platform at this time. We will work to support Macintosh computers as soon as Apple and Cisco deliver the necessary prerequisites.

All iKey Hardware Token users must complete Steps 1, 2, 3, and 4. If you will be using your Hardware Token with the ITC-HS/CS JointVPN service, you will also need to complete Steps 5 and 6. The instructions in the sections below appear long and somewhat complicated. This is due to the large number of screen images that were used to avoid any potential confusion. The installation procedures are actually relatively quick to complete and you will find the system easy to use.




Step 1: Installing the UVa High Assurance CA Root Certificate
Procedure to install the High Assurance root certificate
Item Installation Procedure
A
  • Perform this task using Internet Explorer

  • Perform this task while logged in as the person who will use the VPN service

  • Click HERE to start the installation process and then click on the buttons as shown by the mouse pointer in Steps B-G below. The critical items are Steps B and C where you first select the Open button on the download screen and then use the Install button to start the certificate installation process. A common mistake is to select the OK button instead of the Install button in Step C below.
B
C
D
E
F
G
H NEW: Click HERE to install the Intermediate CA certificate. Follow the same process as above, noting especially Steps B and C. There will be fewer pop-up boxes to complete when installing this second certificate.

 
 


 
 
Step 2: Installing the Rainbow iKey Hardware Token Software
Rainbow iKey Hardware Token Software Installation Procedure
Item Installation Procedure
A
  • IMPORTANT: do not insert your Rainbow iKey into a USB port at this time. The software installation program will prompt you at the proper time to insert your iKey token.

  • First make sure that you are logged into Windows as Administrator or logged in with an account that has Administrator privileges.

  • Exit from any running programs.

  • Browse to the folder containing the UVa ITC customized Rainbow iKey software package and double-click on the setup icon shown immediately below.
B After a few moments you should see the screen shown immediately below. Click Next to begin the software installation process.
C You must accept the software license to continue. Click the Yes button to continue with the software installation.
D Please DO NOT change the default software installation location. Simply click the Next button to continue. If you install this software in an alternate location it will be nearly impossible for ITC to assist with any problems that you might encounter.
E Click the Next button to start the software installation process.
F You will see the pop-up message below towards the end of the software installation process. At this time insert your iKey token into a USB slot on your PC. It is important that you do not insert your token before being prompted to do so.
G You will see the pop-up window below when the initial phase of the installation is completed. Click Finish to restart your computer.
  • Remove your iKey hardware token while your system is restarting.

  • IMPORTANT: the software installation process will continue and complete after your system restarts. Since the software installation will finish when you login, be sure to login after this first restart as Administrator or using an account with Administrator privileges. Once the installation completes you can log back into your normal user account.

H IMPORTANT: ITC recommends that you allow Windows Update to install a new version of the Rainbow iKey driver. This is especially true if you are experiencing any problems with a particular computer. Run Windows Update and select the Custom Install option. Under Select Optional Hardware Updates you will find a new Rainbow iKey driver. You should have Windows Update download and install this new driver. The newer driver has cleared up problems for some users on some machines, and we have never heard any reports of it causing problems. ITC recommends that you install the updated driver from Windows Update as soon as you have a chance and if you encounter any problems using your iKey Hardware Token.

 
 


 
 
Step 3: Setting your Rainbow iKey passphrase (password)
Rainbow iKey Hardware Passphrase Change Procedure
Item Procedure
A

REQUIREMENT: You must have the default password for your iKey Hardware Token. This password was provided to you along with your iKey.

Insert your iKey Hardware Token into the USB reader device and wait a few seconds.

B Open the iKey PassPhrase Utility: From the Windows Start menu select Programs, Rainbow Technologies, iKey 2000 Series Software, PassPhrase Utility.

C

The Password Utility will open. Click the "Update Password" button.

D The Update Token Password dialog will appear. Enter the default password you were given with your iKey as the old password, then enter (and reenter) a new password for your hardware token. Click OK.
WARNING: If you enter the old password incorrectly ten times the token will permanently shut down. If you exceed this number of attempts, you will have to return your token to ITC and have it reprogrammed with new credentials.

E

Click OK and close the Password Utility window. You may repeat this procedure to change your iKey password in the future.

 
 

 
 
Step 4: Testing the Rainbow iKey Software and Token
Rainbow iKey Hardware Token Test Procedure
Item Procedure
A
  • This test must be run using Microsoft Internet Explorer

  • Insert your iKey Hardware Token into the USB reader device and wait a few seconds.

  • Click here to start the test.

  • Note: if you rerun the test using the same instance of your web browser within ten minutes of your initial test, you will not be prompted again for the pass phrase to your iKey Hardware Token (Item C below) the second time.
B The first thing that you will see is a pop-up window like the one shown below. The window will show your name as it is stored in the Hardware Token. Press the OK button to continue.
C The system will next prompt you for the pass phrase (password) that you set on your hardware token. Enter your pass phrase to continue.
WARNING: you can only enter your pass phrase incorrectly ten times before the token will permanently shut down. If you exceed the number of attempts, you will have to return your token to ITC and have it reprogrammed with new credentials.
D You should next see a screen similar to the one below containing the information from your certificate.
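
The state that Steps 1 through 4 set up can also be checked from PowerShell. The following is an added example, not part of the original ITC instructions; it assumes that both CA certificates have "High Assurance" in their subject and that the token software registers the token's certificate in the current user's Personal store.

```powershell
# Added example; not part of the original ITC instructions.
# ASSUMPTION: the subject of both CA certificates contains "High Assurance".
# Replace the pattern with the subject shown in your own certificate dialogs.
$CaPattern = '*High Assurance*'

function Find-CaCertificate {
    param([string]$StoreName, [string]$Pattern)
    # A CA certificate may sit in the per-user or the per-machine store.
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem -Path "Cert:\$location\$StoreName" -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $Pattern }
    }
}

function Test-TokenCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation servers may be unreachable before the VPN is up, so skip that check.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    # The last chain element is the top of the chain (the root when the chain is complete).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject      = $Certificate.Subject   # the iKey certificate has no number after the name
        NotAfter     = $Certificate.NotAfter
        ChainTrusted = $trusted
        ChainEndsAt  = $top.Subject
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Step 1 check: root CA in "Trusted Root", intermediate CA in "Intermediate" store.
$rootCa = @(Find-CaCertificate -StoreName 'Root' -Pattern $CaPattern)
$intermediateCa = @(Find-CaCertificate -StoreName 'CA' -Pattern $CaPattern)
"Root CA certificates found:         $($rootCa.Count)"
"Intermediate CA certificates found: $($intermediateCa.Count)"

# Step 4 check, run with the token inserted: list Personal-store certificates
# that have a private key and were issued by the matching CA, with chain status.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like $CaPattern } |
    ForEach-Object { Test-TokenCertificate -Certificate $_ } |
    Format-List
```

A `ChainTrusted` value of `False` together with a `ChainEndsAt` subject that is not the root CA usually points to a missing root or intermediate certificate from Step 1.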

 
 


 
 
Step 5: Installing the VPN Client software
Installing the Cisco VPN Client Software
Item Procedure
A
  • Go to the main ITC VPN Client site by clicking here
  • Follow the instructions on the main VPN site to download and install the VPN client on your computer.
  • After the VPN client installer completes, return to this web site and follow the instructions below to configure the client for use on the JointVPN.
B Return to this web site and proceed to Step 6 below to complete the process of configuring the VPN client for use on the JointVPN.

 
 


 
 
Step 6: Using the JointVPN Client Software and iKey Hardware Token
Using the ITC-HS/CS Joint VPN Service
Item Procedure
A
  • Insert your iKey Hardware Token into the USB reader device and wait a few seconds.
    The few seconds of delay allows Windows to register the digital certificate stored on your hardware token with the operating system. This registration must take place before you start the VPN client software.
  • You must always insert your hardware token a few seconds before you start the VPN client. This is true every time that you use the system, not just the first time.
 
  • Items B through E must be completed one time only. These steps are performed immediately after you have first installed the iKey Hardware Token and VPN client software and before you attempt to start your first JointVPN session.

  • Once Items B through E are completed, your normal daily use of the system is Items A and F only. Remember to always first insert your hardware token into a USB port a few seconds before you start the Cisco VPN client software.
B Using your mouse, single-click on the JointVPN profile as shown in the image below. This action will highlight and select the profile as shown in the image below.
C Click on the Modify button as shown in the image below.
D
  • The new window shown in the image immediately below should now be visible.
  • Using your mouse, select the certificate on your iKey Hardware Token as shown below. If your only certificate is the one on your iKey Hardware Token, then the proper certificate will already be displayed. If you have other Digital Certificates on your computer, these will also be displayed. The certificate on your iKey will not have a number after your name. All other certificates issued by the university will display a number after your name. You must select the certificate without a number after your name.
  • Note that the word (Microsoft) in parentheses should be displayed immediately after your name in the certificate field.
E Click on the Save button as shown below to complete the initial one-time configuration step.
F In order to establish a JointVPN session, first highlight the JointVPN profile using your mouse. Then click on the Connect button as shown in the image below.

The VPN system will start to establish your session. You will be prompted for the password to your iKey Hardware Token during the VPN session start-up process. You enter your password into the same pop-up window as you saw in Item C of Step 4 (iKey Hardware Token Testing Procedure) above.

The Cisco VPN client window will automatically close once the VPN session has been established. A small lock icon will appear in the notifications area in the Task Bar at the bottom right edge of your computer's screen. The closed lock indicates that a secure VPN connection has been established.

G
Special Use JointVPN Profile
  • Some users will need to log into Windows Domain services that are located either on the Clinical Subnet or on the JointVPN network itself.
  • Your department or your LSP will typically notify you if you are one of the people who needs to log into a Windows Domain that is protected by the JointVPN.
  • If you need to log into a Windows Domain, use the JointVPN-SpecialRelogin VPN profile instead of the standard JointVPN profile as shown in the image below.
  • NOTE: before you can use the JointVPN-SpecialRelogin profile, you must first do Items B through E above on the JointVPN-SpecialRelogin profile. You do these steps the same way that you did for the JointVPN profile but on the JointVPN-SpecialRelogin profile instead.
  • Once the JointVPN-SpecialRelogin profile has been Saved (as in Item E above) you can connect using this profile as documented in Item F above and below the next image.

  • To use the JointVPN-SpecialRelogin profile, select the profile with your mouse and then click on the Connect button.
    • You will be prompted for your iKey Hardware Token password in the usual way as in Item C of the iKey Hardware Token test procedure above.
    • Once the VPN session is established, you will see the pop-up window below for five seconds. At the end of the five second interval, you will be automatically logged out of and then back into Windows. At the Windows login prompt, enter your normal Windows password. Once you have logged back into Windows, you will be fully logged into your Windows Domain and ready to work.

    • Technical professionals will note that your first Windows login used cached credentials since no access to the Domain Controller existed before the VPN tunnel was established. Once the user logged into the local workstation using their cached credentials, the VPN session was started using the iKey Hardware Token. As soon as the VPN tunnel was established, the VPN client software forced a Windows logoff and relogin. Since the VPN session was maintained throughout the logoff and relogin process and a connection to the domain controller was thus possible, the second Windows login was a full domain login using all of the normal login processing scripts. This technique enables the use of all Windows Domain capabilities even when the domain resides completely on a protected network segment and the user's workstation is located outside of the firewall and uses a VPN for its connection.

© 2008 by the Rector and Visitors of the University of Virginia.
