This document may not be reproduced, disseminated or republished in any form without the prior
written permission of HID Global Corporation.
Trademarks
HID GLOBAL, HID, the HID Brick Logo, ICLASS SE, and FARGO are the trademarks or registered
trademarks of HID Global Corporation, or its licensors, in the U.S. and other countries.
Lumidigm is a registered trademark of Lumidigm, Inc.
MIFARE, MIFARE DESFire, MIFARE Classic, and MIFARE DESFire EV1 are registered trademarks of NXP
B.V. and are used under license.
Contacts
For additional offices around the world, see www.hidglobal.com/contact/corporate-offices.
Americas and Corporate
611 Center Ridge Drive
Austin, TX 78753
USA
Phone: 866 607 7339
Fax: 949 732 2120

Asia Pacific
19/F 625 King’s Road
North Point, Island East
Hong Kong
Phone: 852 3160 9833
Fax: 852 3160 4809

Europe, Middle East and Africa (EMEA)
Haverhill Business Park Phoenix Road
Haverhill, Suffolk CB9 7AE
England
Phone: 44 (0) 1440 711 822
Fax: 44 (0) 1440 714 840

Brazil
Condomínio Business Center
Av. Ermano Marchetti, 1435
Galpão A2 - CEP 05038-001
Lapa - São Paulo / SP
Brazil
Phone: +55 11 5514-7100
HID Global Technical Support: www.hidglobal.com/support
Chapter 1: Overview
The Asure ID iCLASS SE Encoder is a smart card provisioning product that consolidates most of HID Global’s existing encoding products, including the CP400 iCLASS Programmer, CP600 DESFire Encoder, iCL-ELITE programmer, and 1050 ProxProgrammer.
The following features are included:
• Encode HID Access Control Application with Standard, Elite, and Custom Security on to iCLASS and MIFARE® Classic credentials
• Encode HID Secure Identity Objects (SIO) with Elite Security on iCLASS, MIFARE Classic, MIFARE DESFire EV1®, and Seos
• Encode HID Access Control Application on to HID Prox cards and fobs
• Encode Custom Data Objects on iCLASS, MIFARE Classic, MIFARE DESFire EV1, and Seos
• Roll keys on existing card populations from a revoked key set to a new active key set
• Migrate existing iCLASS and MIFARE Classic Standard Security (applications) card populations to SE Security
• Configure encoders for various Security models and Custom Data model interpreters
Other Features and Use Cases:
• Create and manage custom media and application keys
• Export and Import custom keys
• Import keys from HID Secure Key Management Platform
• Manage all credential and reader transactions through work orders scripted from instruction sets
• In-line personalization of credentials
Note: From this point, the iCLASS SE CP1000 Encoder is now referred to as the iCLASS SE Encoder.
PLT-01067, Version: A.7, July 2017
1.1 Main Concepts
To get the most out of the iCLASS SE Encoder, there are several concepts that should be understood.
1.1.1 Key Management
The iCLASS SE Encoder is an HID Global product that provides a solution for encoding user credentials and reader configuration data. To provide a high level of security, the encoder device uses a smart card chip (an ISO 7816 compliant device) to perform the key management as well as to run the encoding applications. This component of the encoder device is called the Secure Access Module (SAM).
A typical encoding operation requires knowledge of the default/transport keys of the credential, your credential or reader configuration data, and the new keys to be used to protect the credential. The keys involved in an encoding operation can be ones managed by HID Global or ones created by the customer and provisioned in the SAM.
For secure key management, we follow state-of-the-art security practices and use cryptographic algorithms and practices that have been validated by our industry to provide secure solutions for our customers. The rest of the document describes the different types of keys and their management.
1.1.2 Administration Keys
Simple Network Management Protocol (SNMP) version 3 messages are used to load, update, and delete the configuration data and keys used during encoding operations. SNMP is an Internet-standard protocol for managing devices on IP networks, defined by RFC 3411 to RFC 3418. Though the protocol is intended for IP devices, HID makes use of it over other transport and application protocols, such as ISO 7816-3 (APDU) for PC/SC readers.
A typical SNMP message is encrypted and signed using 16-byte keys and also contains metadata about the cryptographic mechanism used to protect the message. The message defines its actions using verbs such as GET and SET. The keys used for encryption are called the SNMP encryption or SNMP privacy keys, and the keys used for signing are called the SNMP signing or SNMP authentication keys.
A device or a software application implementing the SNMP standard is called an SNMP endpoint or
engine and is identified using one or more engineId/username pairs.
The encoder SAM is an SNMP endpoint that has two identities: the HID Admin and the OEM Admin.
Each identity is recognized using an engineId and username pair as described in the SNMP
standard. Each identity includes two associated keys: SNMP encryption and signing.
The purpose of HID Admin identity is to manage the keys and configuration data that originate from
HID. The OEM Admin identity can be used to create custom keys and perform operations that do
not require high levels of security.
When a customer receives an encoder, its OEM Admin SNMP keys are set to default/public values. When the host application is started for the first time, it prompts you to change these keys. The host application then stores the changed OEM Admin keys in its local database, encrypted using your application password.
1.1.3 Media Keys
The keys that are used to authenticate a credential to perform read/write operations are called
media keys. For example, the debit and credit keys for a page in iCLASS credentials are the media
keys. In the case of MIFARE Classic, the Key A and Key B of a sector are the media keys and for
DESFire EV1 the application keys as well as the PICC master key are examples of media keys.
The lengths of these keys, as well as the cryptographic algorithms (such as the authentication algorithm) that make use of them, depend on the credential/media technology.
A typical encoding operation uses the default/known media key to first authenticate to the blank credential, create the application, write the credential, and change the value of the key to the one specified by the user. Note that the new value can be a diversified key, to reduce the attack surface: in other words, all credentials/media have different values for their media keys. For the newer and more secure credentials (for example, Secure Objects) we make use of the NIST 108 key diversification algorithm, whereas the older/legacy credentials make use of proprietary key diversification algorithms invented by HID Global and/or chip vendors such as NXP.
For all credentials/media, the keys fall into one of these categories:
• HID Managed Standard Media Keys: These keys are managed securely by HID and are intended for the general customer base.
• HID Managed Elite Media Keys: These keys are managed securely by HID and are specific to customers who participate in the Elite program. For example, an Elite customer identified by ICE0000 has a different set of media keys than the one identified by ICE0133.
• Customer Generated and Managed Keys: These keys are either generated using the encoder solution and/or entered by the customer. The keys reside in the encoder SAM and can be exported in encrypted form to be archived. Once created, knowledge of the plain text key is the responsibility of the administrator. Custom Keys are not archived by HID.
All HID managed keys are delivered in the form of static SNMP messages targeted to the encoder for which they were requested. Typically, the customer reads the engineId of the encoder device using the host application and orders the appropriate key set from HID Global (for example: standard, ICEXXX, etc.). The keys are delivered in the form of a file that contains the static messages, and the host application provides the necessary user interface to load them into the encoder SAM.
Custom keys can be exported from the encoder device. The export format is again an SNMP message that is protected using the OEM Admin keys.
1.1.4 Secure Object Keys
The newer and more secure credentials used by HID Global readers are based on Secure Object (SO) technology. While it is outside the scope of this document to describe SO technology in detail, in simple words an SO is a structured credential that is based on state-of-the-art industry standards, to ensure the extensibility of the credential structure, and uses industry validated and approved security algorithms and mechanisms. The most important aspect of an SO is that it provides additional security for the credential, so we do not rely only on the security mechanisms of the chip/media silicon vendor.
Very much like an SNMP message, an SO also has a notion of encryption and signature. To reduce the size of a secure object credential we make use of an Authenticated Encryption with Associated Data (AEAD) algorithm called EAX’ (read as EAX prime). In simple words, with EAX’ one key can be used to perform both encryption and signing of the SO credential. This key is called the SO encryption key.
Note: It is called an encryption key but it also performs signature verification.
The SO encryption key can be managed by HID as a standard key and/or an Elite key, similar to the management of media keys described earlier. We also provide support for creating a customer managed SO encryption key; however, an SO credential protected using such a key is not managed via HID and also carries an additional signature using HID Global’s license key.
Additional information about secure objects can be requested from HID Global.
1.1.5 Secure Channel Key
The messages that are exchanged between a host application and the encoder device are transferred over a mandatory secure channel (HID Secure Channel version 0.87). The secure channel ensures the confidentiality and authenticity of the messages between the host application and the encoder device.
The encoder comes with a default value for the secure channel key, and very much like the OEM
Admin keys, the host application prompts you to provide a new value for the secure channel key.
This secure channel key is stored on a per user basis.
The secure channel mechanism is based on a slightly modified GlobalPlatform SCP secure channel protocol. You can request more information about the secure channel from HID Global.
1.1.6 Credential Credit Management
All transactions with credentials are enabled by credential credits. These are discrete tokens that are
consumed with each transaction until none remain or until additional credits are ordered and
applied to the encoder.
The term Credential Credit refers to the tokens purchased from HID that enable all credential write transactions. The iCLASS SE Encoder is enabled until the authorized credits have been exhausted; then you must request additional credits from HID Global.
The management of credits can be understood as a type of counter. When a customer orders “X” credits, the counter is increased by “X” and the encoder is enabled until the counter is decremented to 0, or until more credits are ordered.
The following attributes are the building blocks that define a transaction enabled by a Credential Credit Token.
Technology | Application | Security | Media
iCLASS | HID | Standard | Genuine HID
MIFARE Classic | SIO | Elite | Third Party
MIFARE DESFire EV1 | Custom | Custom | Third Party
Prox | HID | Standard | Genuine HID
Seos | SIO | Elite | Genuine HID
SIO: Secure Identity Objects; request information from HID Global.
For example: To encode iCLASS with HID Access Control application and Standard keys, this
transaction would require a different credential credit token than the same transaction using Elite
keys.
Things to know about credential credits:
• Each credit token type is managed by its respective credit counter.
• Credit top up messages are delivered in a secure SNMP message that is targeted for a specific device by diversifying the keys with the device Engine ID.
• Credit top up messages can be loaded only once.
• A cap (10,000 credits) is placed on the number of credits that can be ordered at a time. This is to limit the monetary value that can be loaded into a single encoder device, which can be lost or destroyed.
1.1.7 Formats
The iCLASS SE Encoder includes a format interpreter capable of parsing all open and custom
formats developed and maintained by HID Global.
Format fields are presented to you in the desktop UI for the purpose of assigning data to each field.
Formats must be ordered from Customer Service. Most formats are custom to a specific OEM or
end user, and are not freely distributed.
The H10301 (SIA Wiegand 26-bit) is the default format delivered with the desktop application.
1.1.8 Plugin Architecture
The iCLASS SE Encoder includes a plugin architecture which makes it highly configurable with minimal maintenance and few releases. There are two types of plugins:
• Technology
• Configuration
Technology plugins are a packaged bundle that includes an applet which is loaded to the encoder
device and a UI plugin for the desktop application that is customized for the associated applet.
Applets are small C# applications designed to run on the .NET framework that is native to the
encoder device. These applets manage the interface to the credential and provide an API to the
desktop application. Applets can be tailored for a specific use case.
The UI plugin manages the interface to the encoder device and provides you with inputs and
information specific to the applet loaded on the device. For example, each technology applet
comes with a unique set of wizard pages gathering user input for work order creation.
Configuration plugins expose a UI for gathering inputs and creating reader configuration cards.
Reader configuration plugins are released as groups that organize parameters.
Things to know about plugins:
• Each applet is digitally signed by a key managed by HID Global and known by all encoder devices (global key). This identifies the applet as Genuine HID. Only Genuine HID plugins are recognized by the encoder device.
• Initially, one applet/plugin is created for each of the four supported technologies (iCLASS, MIFARE Classic, MIFARE DESFire EV1, HID Prox, and Seos).
• Custom plugins can be created on a Custom Product Opportunity (CPO) basis.
1.1.9 Work Orders
All credential encoding activity is managed through Work Orders. Each Work Order includes a set
of Work Instructions to be executed on every credential presented to the encoder.
• Work Orders execute a work flow that you design
• Work Orders are technology independent
• Work Orders can be limited in scope or open-ended
1.1.10 Work Instructions
Each Work Instruction represents one step of an overall work flow that is executed on every
credential presented to the encoder.
• Work Instructions are analogous to scripts
• Work Instructions are technology specific
• Work Instructions are wholly independent operations
1.1.11 Custom Applications
Custom Applications can be written to credentials. The iCLASS SE Encoder supports two types of custom applications: Custom Media and Data Mapper.
1.1.12 Custom Media Applications
• Manage keys for custom media applications.
• Read and Write custom data to and from custom media applications.
• Examples: custom vending applications or HF migration media (not the Config cards).
1.1.13 Data Mapper Applications (HF Migration)
• Reader accesses custom credential application data autonomously and reports data on communications ports.
• Reader is configured with necessary authentication and encryption keys to access the raw credential data.
• Reader is configured with instructions for manipulating the raw data into a format that can be
Chapter 2: Encoder Application Navigation
The iCLASS SE Encoder Desktop application has the following structure: Application Modules, each with a subset of tabs.
• Work Order Manager (File tab, Home tab)
• Key Management (File tab, Home tab)
• Reader Configuration (File tab, Home tab)
• User Config (File tab, Home tab & View tab)
With the selection of an application module the window will display the specific module’s toolbar,
information and configuration panes, etc. The following is an overview of these windows.
2.1 Work Order Manager Module
The Work Order Manager module allows the user to define and save an encoding profile for a credential deployment. Each Work Order defines the number of data fields encoded, as well as the data type and field size. These data fields are concatenated into a single data stream and encoded into an application, and are defined by the selected format.
A Work Order is comprised of one or many Work Instructions. A Work Instruction is a single command issued during work order execution. A single work instruction can either read or write to a specific memory location.
2.2 Key Management Module
The Key Management module of the CP1000 Desktop Encoder allows the user to view and manage
the HID and Custom Keys.
2.3 Reader Configuration Module
The Reader Configuration window is used to create the Reader Data configuration cards (for both keys and reader limited settings). The application allows the user to change the keys or behavior of a Reader.
2.4 User Config Module
The User Config module allows the administrator to create users for Asure ID and to set the functions
each user can access in the application. The Administrator can Add User, Remove User, Save Users
and Change Passwords.
2.5 Home Tab
The Home tab allows configuration and implementation of the iCLASS SE Desktop Encoder. See the
Work Order Manager, Key Management, Reader Configuration, and User Configuration chapters for
information on each of these Home tabs.
2.6 File Tab
The File tab contains specific options depending on which Application Module is selected. See the
Work Order Manager, Key Management, Reader Configuration, and User Configuration chapters for
information on each of these File tabs.
2.7 Options Window
The Options window is available on every File tab, and allows you to manage the iCLASS SE Encoder
Formats, Plugins, Database, Options and User Options.
2.8 Language Options
Asure ID allows you to set the default language of the application. Available languages are: Arabic, Chinese, Czech, English, French, German, Indonesian, Italian, Japanese, Korean, Portuguese, Russian, Spanish, Thai, and Turkish.
To set the default language of the application:
1. From the Language option, select a language from the list.
2. Click OK.
3. An Information window is displayed with a message that the language change occurs after
Asure ID is restarted. Click OK.
4. Restart the application.
2.9 Skins Options
Asure ID allows you to customize the look of the Asure ID application by selecting a predefined skin.
1. From the Skins options, select a Skin from the list.
Note: The change is immediately visible.
2. Click OK.
2.10 Resources Options
Asure ID allows you to access resource information for the application.
Field | Description
About | Displays the current applets loaded and their version.
Native Data Source Connection String | This is the connection string used to connect to the native Data Source. It contains location and connection information.
Check for software updates | This option directs the software to check for updates when launched.
Check for updates now | This button checks for software updates immediately. If changes are required, follow the instructions in the installation wizard. If changes are not required, a message indicating that the software is up to date is displayed.
2.11 Licensing Options
Asure ID allows you to view, modify and activate the licensing information of the Asure ID application.
To activate the License Key, enter the information listed below and click an activation button.
Field | Description
Activate License
First Name | Enter the first name as it appears in the HID license.
Last Name | Enter the last name as it appears in the HID license.
Email | Enter a valid email address that can receive messages about licenses and accounts.
Company Name | Enter the Company Name.
State/Province | Enter the State or Province where the Company is located.
Country | Enter the name of the Country where the Company is located.
Printer Make/Model | Enter the printer (or Encoder) make and model.
License Key | Enter the License Key for Asure ID received from HID Global.
Subscribe to product newsletter | Select the check box to subscribe to Asure ID product newsletters.
Subscribe to anonymous surveys | Select the check box to subscribe to surveys.
Phone Activation | This option displays an Activate Offline window that provides HID Global contact information to activate the software. This window displays an Offline Request Key that you submit to the HID Global contact. An Offline Response Key is given to you to enter and Submit in the window.
Activate Online | This option requires an Internet connection and completely activates the license on this device.
Asure ID
System License | Displays the License Key activated for the information listed above.
License Level | Displays the license level for the activated license key.
Additional Licenses | Additional license keys are viewable if HID Global support has directed you to install additional license keys.
2.12 iCLASS SE Encoder Options
This option allows you to modify iCLASS SE Encoder options on the Asure ID application.
Note: This option has multiple tabs for configuration. See the following sections for details.
2.12.1 iCLASS SE Encoder Formats Tab
The iCLASS SE Encoder includes a format interpreter capable of interpreting all open and custom
formats developed and maintained by HID Global. Formats must be ordered from Customer Service,
as formats are custom to a specific OEM or end user, and not freely distributed.
The Formats tab (see graphic above) lists the formats Installed on an Encoder. The default format,
delivered with Asure ID is H10301. Contact a HID Global representative for assistance if additional
formats are required.
Field | Description
Installed Formats | Select the Install Format icon to select and install an .EFI format file provided by HID Global.
Remove Selected Format(s) | This option removes the selected Format from the list of available formats.
Restore Default Formats | This option allows you to restore a default Format that may have been removed from the list.
2.12.2 iCLASS SE Encoder Plugins Tab
Each plugin used by the iCLASS SE Encoder is digitally signed by a key managed by HID and known by all encoders. Only Genuine HID plugins are recognized by the encoder. Initially, one plugin is created for each supported card type (iCLASS, MIFARE Classic, MIFARE DESFire EV1, Prox and Seos).
Plugins automatically install or refresh when Asure ID is started. Although additional plugins can be installed, you cannot delete the plugins installed by default. These plugins can only be Disabled or Enabled.
Note: Disabling unused plugins may increase the overall performance of the Work Order Manager
and Reader Configurations within Asure ID.
The Plugins tab lists the plugins currently installed, the version number, the Applet version, and
whether the Applet is enabled or disabled.
In addition to viewing the installed plugins, you can perform the following tasks:
Field | Description
Install Plugin | Browses for a plugin from HID Global and installs the file.
Delete Applet | Clears all applet .dll files from the SAM. Note: These applets are uploaded automatically on an as-needed basis when required for an encoding operation.
Refresh Plugin View |
Custom Key Store Plugins | Active Plugin: Allows you to develop a module for encrypting custom keys and for how custom keys are imported and exported.
2.12.3 iCLASS SE Encoder Database Tab
The Database tab displays information stored in the Asure ID database for the iCLASS SE Encoder.
The Database window allows a user to view and manage records and keys.
Field | Description
Secure Encoder/User Records | Displays the number of iCLASS SE Encoder/User Records. Clear Encoders: Removes all Encoders (and admin keys) from the database. IMPORTANT: Admin Keys must be re-entered to retain access to credentials and credits on the encoder.
Known HID Keys | Displays the number of known HID Keys loaded in the database. Clear HID Keys: Deletes all HID Keys from the database. Keys require reloading in Key Management. Note: These keys are not deleted from the currently active encoder.
Custom Keys | Lists the number of custom keys in the database. Clear Custom Keys: Deletes all Custom Keys from the database. Note: These keys are not deleted from the currently active encoder.
Key Set Items | Lists the number of Key Sets. Clear Key Set Items: Deletes all Key Sets.
Import secured encoder Admin keys from iCLASS SE desktop application | The iCLASS SE Encoder is secured on a per user basis with Admin Keys. This option allows these Secure Admin Keys to be imported so that the specific credentials, keys, etc. can be moved from the original iCLASS SE Encoder Desktop application (version 2.3.6.8 or 2.4.0.10) into Asure ID. Note: The importer uses the current Asure ID user name and password to decrypt the Admin Keys. If the passwords are different, you are prompted to enter the old password from the iCLASS SE Encoder Desktop software.
Import Work Orders from iCLASS SE desktop application | HID Work Orders can be imported from the original iCLASS SE desktop application (version 2.3.6.8 or 2.4.0.10). Asure ID automates the importing of these (non-encrypted) items.
Import Keys and Key Sets from iCLASS SE desktop application | Custom Keys and Key Sets can be imported from the original iCLASS SE desktop application (version 2.3.6.8 or 2.4.0.10).
Import Reader Configuration Profiles from iCLASS SE Encoder desktop application | Import saved profiles created in the Reader Configuration application of the original iCLASS SE Encoder desktop application.
2.12.4 iCLASS SE Encoder Options Tab
The Options tab contains basic configuration options, along with the option of checking the SAM
Firmware compatibility.
Field | Description
Options | You can set several basic configuration options; select all that are needed:
• Load work order from last session at startup
• Automatically focus next row in grid after executing a work order
• Automatically add a new row after executing the last row in a work order
• Prompt user between each credential that is encoded during batch encoding
• Do not show firmware upgrade required dialog on startup
• Dynamically store and load keys and credential counters for encoders not present when .ise or .xml configuration file is loaded
Custom Key Access Code | You must enter the 4-9 digit code to securely access the Custom Keys from a workstation. This code should be the same across all workstations where custom keys are automatically synchronized. Note: The SNMP encoder Admin keys must also match on all workstations where custom keys are automatically synchronized.