Page 1
ASURE ID ICLASS SE
CP1000 DESKTOP ENCODER
USER GUIDE
PLT-01067
Version: A.7
July 2017
hidglobal.com
Page 2
Copyright
© 2014 - 2017 HID Global Corporation/ASSA ABLOY AB. All rights reserved.
This document may not be reproduced, disseminated or republished in any form without the prior
written permission of HID Global Corporation.
Trademarks
HID GLOBAL, HID, the HID Brick Logo, ICLASS SE, and FARGO are the trademarks or registered
trademarks of HID Global Corporation, or its licensors, in the U.S. and other countries.
Lumidigm is a registered trademark of Lumidigm, Inc.
MIFARE, MIFARE DESFire, MIFARE Classic, and MIFARE DESFire EV1 are registered trademarks of NXP
B.V. and are used under license.
Contacts
For additional offices around the world, see www.hidglobal.com/contact/corporate-offices.
Americas and Corporate Asia Pacific
611 Center Ridge Drive
Austin, TX 78753
USA
Phone: 866 607 7339
Fax: 949 732 2120
19/F 625 King’s Road
North Point, Island East
Hong Kong
Phone: 852 3160 9833
Fax: 852 3160 4809
Europe, Middle East and Africa (EMEA) Brazil
Haverhill Business Park Phoenix Road
Haverhill, Suffolk CB9 7AE
England
Phone: 44 (0) 1440 711 822
Fax: 44 (0) 1440 714 840
Condomínio Business Center
Av. Ermano Marchetti, 1435
Galpão A2 - CEP 05038-001
Lapa - São Paulo / SP
Brazil
Phone: +55 11 5514-7100
HID Global Technical Support: www.hidglobal.com/support
PLT-01067, Version: A.7 July 2017
Page 3
Contents
Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
1.1 Main Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.1.1 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2
1.1.2 Administration Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2
1.1.3 Media Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
1.1.4 Secure Object Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
1.1.5 Secure Channel Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
1.1.6 Credential Credit Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
1.1.7 Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
1.1.8 Plugin Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
1.1.9 Work Orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
1.1.10 Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
1.1.11 Custom Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
1.1.12 Custom Media Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
1.1.13 Data Mapper Applications (HF Migration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Chapter 2: Encoder Application Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
2.1 Work Order Manager Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
2.2 Key Management Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
2.3 Reader Configuration Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
2.4 User Config Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
2.5 Home Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
2.6 File Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
2.7 Options Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
2.8 Language Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
2.9 Skins Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
2.10 Resources Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
2.11 Licensing Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
2.12 iCLASS SE Encoder Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
2.12.1 iCLASS SE Encoder Formats Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
2.12.2 iCLASS SE Encoder Plugins Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
2.12.3 iCLASS SE Encoder Database Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
2.12.4 iCLASS SE Encoder Options Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
2.12.5 iCLASS SE Encoder About Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Chapter 3: Setup and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
3.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
3.2 Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
3.3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
3.4 Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
3.5 Change Default Admin Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
3.6 Add System Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
July 2017 PLT-01067, Version: A.7
Page 4
Page iv
Chapter 4: Initial Configuration (Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
4.1 Plugin Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
4.2 Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
4.3 Upload Encoder Configuration Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
4.4 Custom Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Chapter 5: Work Order Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
5.1 Work Order Manager Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
5.1.1 Work Order Manager Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.1.2 Work Order Manager Configuration Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
5.2 Work Order Manager File Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
5.3 Open a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
5.4 Close a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
5.5 Create a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
5.6 Rename a Work Order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
5.7 Delete a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
5.8 Print a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
5.9 File Save As a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
5.10 Export Work Order Data to a CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
5.11 Export Work Order Data to a PDF File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
5.12 Add a Work Instruction to a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
5.13 Edit a Work Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
5.14 Remove a Work Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
5.15 Work Order Execution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.15.1 Add a Credential Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.15.2 To Add a Batch of Credential Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23
5.15.3 Remove Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
5.15.4 Execute Work Order on Selected Credential Records . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
5.15.5 Execute a Work Order on All Credential Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
5.15.6 Read Back . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-30
Chapter 6: Work Instruction Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
6.1 iCLASS Work Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
6.1.1 iCLASS: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
6.1.2 iCLASS: Custom Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
6.2 MIFARE Classic Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
6.2.1 MIFARE Classic: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
6.2.2 MIFARE Classic: Custom Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
6.2.3 MIFARE CLASSIC: Move Genuine SO Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
6.3 MIFARE DESFire EV1 Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
6.3.1 MIFARE DESFire EV1: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
6.3.2 MIFARE DESFire EV1: Custom Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
6.4 Prox Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
6.4.1 Prox: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
6.5 Seos Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
6.5.1 Seos: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
6.5.2 Seos: Custom Encoding (Basic Mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-30
6.5.3 Seos: Custom Encoding (Standard Mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-34
6.5.4 Seos: Custom Encoding (Update Existing Data Object) . . . . . . . . . . . . . . . . . . . . . . .6-40
PLT-01067, Version: A.7 July 2017
Page 5
Page v
6.5.5 Seos: Custom Encoding (Rolling Custom Seos Keys) . . . . . . . . . . . . . . . . . . . . . . . . . 6-44
6.5.6 Seos: Reading a Seos Data Object from a Custom ADF . . . . . . . . . . . . . . . . . . . . . . . 6-48
6.5.7 Seos: Deleting a Custom ADF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51
6.5.8 Work Instruction: Roll Card Authentication Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-52
6.6 Multi-Technology Card Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58
Chapter 7: Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
7.1 Key Management Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
7.1.1 Key Management Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
7.1.2 Encoder Info Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
7.2 Key Manager File Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
7.3 Create Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
7.4 Remove Selected Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
7.5 Import Keys and Key Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
7.6 Export Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
7.7 Load HID Key(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
7.8 Remove HID Key(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20
7.9 Revoke HID Key(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22
7.10 Refresh HID Key List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
7.11 Add Key Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24
7.12 Edit Key Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26
7.13 Delete Key Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
7.14 Sync Encoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30
7.15 Change Encoder Admin Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-32
Chapter 8: Reader Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
8.1 Reader Configuration Home Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
8.1.1 Reader Configuration Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
8.1.2 Encoder Info Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
8.2 Reader Configuration File Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
8.3 Data Mapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
8.4 Data Mapper Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
8.5 Elite Prep Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14
8.6 Reader Options Config Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
8.7 iCLASS Legacy Config Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
8.8 Load HID Application Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Chapter 9: User Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
9.1 User Config Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
9.1.1 User Config Home Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2 User Config File Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.3 User Config View Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
9.4 Add a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
9.5 Remove a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.6 Edit a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
9.7 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
9.7.0.1 Manage Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
9.7.0.2 Assign a Template to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Chapter 10: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1
10.1 Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
July 2017 PLT-01067, Version: A.7
Page 6
Page vi
Glossary
10.2 Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
10.3 Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
10.3.1 Supported Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
10.3.2 Synchronize Database to Encoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
10.4 Exceptions and Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
PLT-01067, Version: A.7 July 2017
Page 7
Overview
The Asure ID iCLASS SE Encoder is a smart card provisioning product that consolidates most of HID
Global’s existing encoding products including the CP400 iCLASS Programmer, CP600 DESFire
Encoder, iCL-ELITE programmer, and 1050 ProxProgrammer.
The following features are included:
Encode HID Access Control Application with Standard, Elite, and Custom Security on to iCLASS
and MIFARE® Classic credentials
Encode HID Secure Identity Objects (SIO) with Elite Security on iCLASS, MIFARE Classic, MIFARE
DESFire EV1®, and Seos
Encode HID Access Control Application on to HID Prox cards and fobs
Encode Custom Data Objects on iCLASS, MIFARE Classic, MIFARE DESFire EV1, and Seos
Roll keys on existing card populations from a revoked key set to a new active key set
Migrate existing iCLASS and MIFARE Classic Standard Security (applications) card populations to
SE Security
Configure encoders for various Security models and Custom Data model interpreters
Chapter
®
1
®
Other Features and Use Cases:
Create and manage custom media and application keys
Export and Import custom keys
Import keys from HID Secure Key Management Platform
Manage all credential and reader transactions through work orders scripted from instruction sets
In-line personalization of credentials
Note: From this point, the iCLASS SE CP1000 Encoder is now referred to as the iCLASS SE Encoder.
July 2017 PLT-01067, Version: A.7
Page 8
Page 1-2 Overview
1.1 Main Concepts
To get the most out of the iCLASS SE Encoder, there are several concepts that should be understood.
1.1.1 Key Management
iCLASS SE Encoder is an HID Global product that provides solution to encode user credentials and
reader configuration data. To provide a high level of security, the encoder device uses a smart card
chip (an ISO 7816 compliant device) to perform the key management as well run the encoding
applications. This component of the encoder device is called Secure Access Module (SAM).
A typical encoding operation requires knowledge of default/transport keys of the credential, your
credential or reader configuration data and the new keys to be used to protect the credential. The
keys that are involved in encoding operation could be ones that are managed by HID Global or ones
created by the customer and provisioned in SAM.
To do secure key management, we follow state of the art security practices and use cryptographic
algorithms and practices that have been validated by our industry to provide secure solutions for
our customers. The rest of the document describes different types of keys and their management.
1.1.2 Administration Keys
To load, update, and delete configuration data and keys used during encoding operations Simple
Network Management Protocol (SNMP) version 3 messages are used. SNMP is an Internet-standard
protocol for managing devices on IP networks and defined by RFC 3411-RFC 3418. Though the
protocol is intended for IP devices HID makes use of it over other transport and application
protocols such as ISO 7816-3 (APDU) for PC/SC readers.
A typical SNMP message is encrypted and signed using 16-byte keys and also contains metadata
about the cryptographic mechanism used to protect the message. The message defines its actions
using verbs, such as GET, SET etc. The keys that are used for encryption are called SNMP encryption
and SNMP privacy keys and the keys used for signing are called the SNMP signing and SNMP
authentication keys.
A device or a software application implementing the SNMP standard is called an SNMP endpoint or
engine and is identified using one or more engineId/username pairs.
The encoder SAM is an SNMP endpoint that has two identities: the HID Admin and the OEM Admin.
Each identity is recognized using an engineId and username pair as described in the SNMP
standard. Each identity includes two associated keys: SNMP encryption and signing.
The purpose of HID Admin identity is to manage the keys and configuration data that originate from
HID. The OEM Admin identity can be used to create custom keys and perform operations that do
not require high levels of security.
When a customer receives an encoder, it has OEM Admin SNMP keys that are set to default/public
values. When the host application is started for the first time, it prompts you to change the keys to
be managed. The host application then stores the changed OEM Admin keys in the local database
and the keys are encrypted using your password of the application.
PLT-01067, Version: A.7 July 2017
Page 9
1.1.3 Media Keys
The keys that are used to authenticate a credential to perform read/write operations are called
media keys. For example, the debit and credit keys for a page in iCLASS credentials are the media
keys. In the case of MIFARE Classic, the Key A and Key B of a sector are the media keys and for
DESFire EV1 the application keys as well as the PICC master key are examples of media keys.
The lengths of these types of keys as well as the cryptographic algorithms, such as authentication
algorithm, that makes use of these keys are dependent upon the credential/media technology.
A typical encoding operation uses the default/known media key to first authenticate to the blank
credential, create the application, write the credential, and change the value of the key to the one
specified by the user. It is important to make a note that the new value can be a diversified key to
reduce the surface area of attack. In other words, all the credentials/media have different values for
the media keys. For the newer and more secure credentials (for example: Secure Objects) we make
use of NIST 108 key diversification algorithm whereas the older/legacy credentials make use of
proprietary key diversification algorithms invented by HID Global and/or chip vendors such as NXP.
For all the credential/media, the keys could fall in one of these categories:
HID Managed Standard Media Keys: These keys are managed securely by HID and are intended
for general customer base.
HID Managed Elite Media Keys: These keys are managed securely by HID and are specific to
customers who participate in the Elite program. For example an Elite customer identified using
an ICE0000 have a different set of media keys than the one identified using ICE0133.
Customer Generated and Managed Keys: These keys are either generated using the encoder
solution and/or entered by the customer. The keys reside in the encoder SAM, and can be
exported in encrypted form to be archived. Once created, knowledge of the plain text key is the
responsibility of the administrator. Custom Keys are not archived by HID.
Overview Page 1-3
All the HID managed keys are delivered in the form of static SNMP messages targeted to the
encoder, for which they were requested. Typically, the customer reads the engineId of the encoder
device using the host application and orders from HID Global the appropriate key set (for example:
standard, ICEXXX etc.). The keys are delivered in the form of a file that contains the static messages,
and the host application provides necessary user interface to load them in the encoder SAM.
Custom keys can be exported from the encoder device. The export format is again an SNMP
message that is protected using OEM Admin keys.
1.1.4 Secure Object Keys
The newer and more secure credentials used by HID Global readers are based on the Secure Object
(SO) technology. While it is outside the scope of this document to describe SO technology in detail,
in simple words, a SO is a structured credential that is based on state of the art industry standards
to ensure extensibility of credential structure and use industry validated and approved security
algorithms and mechanisms. The most important aspect of a SO is that it provides an additional
security for the credential and therefore we do not only rely on the security mechanisms of the
chip/media silicon vendor.
Very much like an SNMP message a SO also has a notion of encryption and signature. To reduce the
size of a secure object credential we make use of an Authenticated Encryption with Associated
Data (AEAD) algorithm called EAX’ (read as EAX prime). In simple words, EAX’ one key can be used
July 2017 PLT-01067, Version: A.7
Page 10
Page 1-4 Overview
to perform both encryption and signing of the SO credential. This key is called the SO encryption
key.
Note: It is called an encryption key but it also performs signature verification.
The SO encryption key could be managed by HID as a standard key and/or an Elite key, which is
similar to the management of Media keys described earlier. We also provide the support to create a
customer managed SO encryption key, however a SO credential that is protected using such a key is
not managed via HID and also has an additional signature using HID Global’s license key.
Additional information about secure objects can be requested from HID Global.
1.1.5 Secure Channel Key
The messages that are exchanged between a host application and the encoder device are
transferred over a mandatory secure channel
authenticity of the messages between the host application and the encoder device.
The encoder comes with a default value for the secure channel key, and very much like the OEM
Admin keys, the host application prompts you to provide a new value for the secure channel key.
This secure channel key is stored on a per user basis.
The secure channel mechanism is based on a slightly modified Global platform SCP secure channel
protocol. You can request more information about the secure channel from HID Global.
1.1.6 Credential Credit Management
All transactions with credentials are enabled by credential credits. These are discrete tokens that are
consumed with each transaction until none remain or until additional credits are ordered and
applied to the encoder.
The term Credential Credit, refers to the tokens purchased from HID that enable all credential write
transactions. The iCLASS SE Encoder is enabled until the authorized credits have been exhausted,
then you must request additional credits from HID Global.
The management of credits can be understood as a type of counter. When a customer orders “X”
credits, the counter is increased by “X” and the encoder is enabled until the counter is decremented
to 0, or until more credits are ordered.
The following attributes, are the building blocks to define a transaction which is enabled by a
Credential Credit Token.
5
. The secure channel ensures the confidentiality and
Technology Application Security Media
iCLASS HID Standard Genuine HID
MIFARE Classic SIO Elite Third Party
MIFARE DESFire EV1 Custom Custom Third Party
Prox HID Standard Genuine HID
Seos SIO Elite Genuine HID
For example: To encode iCLASS with HID Access Control application and Standard keys, this
transaction would require a different credential credit token than the same transaction using Elite
keys.
PLT-01067, Version: A.7 July 2017
Page 11
Things to know about credential credits:
Each credit token type is managed by its respective credit counter.
Credit top up messages are delivered in a secure SNMP message that is targeted for a specific
device by diversifying the keys with the device Engine ID.
Credit top up messages can be loaded only once.
A cap (10,000 credits) is placed on the number of credits that can be ordered at a time. This is
to limit the monetary value that can be loaded into a single encoder device which can be lost or
destroyed.
1.1.7 Formats
The iCLASS SE Encoder includes a format interpreter capable of parsing all open and custom
formats developed and maintained by HID Global.
Format fields are presented to you in the desktop UI for the purpose of assigning data to each field.
Formats must be ordered from Customer Service. Most formats are custom to a specific OEM or
end user, and are not freely distributed.
The H10301 (SIA Wiegand 26-bit) is the default format delivered with the desktop application.
Overview Page 1-5
1.1.8 Plugin Architecture
The iCLASS SE Encoder includes a plugin architecture which makes it highly configurable with
minimal maintenance and few releases. There are two types of plugins:
Technology
Configuration
Technology plugins are a packaged bundle that includes an applet which is loaded to the encoder
device and a UI plugin for the desktop application that is customized for the associated applet.
Applets are small C# applications designed to run on the .NET framework that is native to the
encoder device. These applets manage the interface to the credential and provide an API to the
desktop application. Applets can be tailored for a specific use case.
The UI plugin manages the interface to the encoder device and provides you with inputs and
information specific to the applet loaded on the device. For example, each technology applet
comes with a unique set of wizard pages gathering user input for work order creation.
Configuration plugins expose a UI for gathering inputs and creating reader configuration cards.
Reader configuration plugins are released as groups that organize parameters.
Things to know about plugins:
Each applet is digitally signed by a key managed by HID Global and known by all encoder
devices (global key). This identifies the applet as Genuine HID. Only Genuine HID plugins are
recognized by the encoder device.
Initially, one applet/plugin is created for each of the four supported technologies (iCLASS,
MIFARE Classic, MIFARE DESFire EV1, HID Prox, and Seos).
Custom plugins can be created on a Custom Product Opportunity (CPO) basis.
July 2017 PLT-01067, Version: A.7
Page 12
Page 1-6 Overview
1.1.9 Work Orders
All credential encoding activity is managed through Work Orders. Each Work Order includes a set
of Work Instructions to be executed on every credential presented to the encoder.
Work orders execute a work flow that you design
Work Orders are technology independent
Work Orders can be limited in scope or open-ended
1.1.10 Work Instructions
Each Work Instruction represents one step of an overall work flow that is executed on every
credential presented to the encoder.
Work Instructions are analogous to scripts
Work Instructions are technology specific
Work Instructions are wholly independent operations
1.1.11 Custom Applications
Custom Applications can be written to credentials. The iCLASS SE Encoder supports two types of
custom applications; Custom Media and Data Mapper.
1.1.12 Custom Media Applications
Manage keys for custom media applications.
Read and Write custom data to and from custom media applications.
Examples: custom vending applications or HF migration media (not the Config cards).
1.1.13 Data Mapper Applications (HF Migration)
Reader accesses custom credential application data autonomously and reports data on
communications ports.
Reader is configured with necessary authentication and encryption keys to access the raw
credential data.
Reader is configured with instructions for manipulating the raw data into a format that can be
managed by the host or access control system.
References
1
ISO/IEC 7816: http://en.wikipedia.org/wiki/ISO/IEC_7816
2
SAM: http://en.wikipedia.org/wiki/Secure_access_module
3
SNMP: http://tools.ietf.org/html/rfc3411
4
SIO: Secure Identity Objects; request information from HID Global
5
HID Secure Channel version 0.87
PLT-01067, Version: A.7 July 2017
Page 13
Chapter
Encoder Application Navigation
The iCLASS SE Encoder Desktop application has the following structure:
Application Modules, each with a subset of tabs.
Work Order Manager (File tab, Home tab)
Key Management (File tab, Home tab)
Reader Configuration (File tab, Home tab)
User Config (File tab, Home tab & View tab)
With the selection of an application module the window will display the specific module’s toolbar,
information and configuration panes, etc. The following is an overview of these windows.
2
July 2017 PLT-01067, Version: A.7
Page 14
Page 2-2 Encoder Application Navigation
2.1 Work Order Manager Module
The Work Order Manager module allows the user to define and save an encoding profile for a
credential deployment. Each Work Order defines the number of data fields encoded, as well as the
data type and field size. These data fields are concatenated into a single data stream and encoded
into an application, and are defined by the selected format.
A Work Order is comprised of one or many Work Instructions. A Work Instructions is a single
command issued during work order execution. The single work instruction can either read or write
to a specific memory location.
PLT-01067, Version: A.7 July 2017
Page 15
Encoder Application Navigation Page 2-3
2.2 Key Management Module
The Key Management module of the CP1000 Desktop Encoder allows the user to view and manage
the HID and Custom Keys.
July 2017 PLT-01067, Version: A.7
Page 16
Page 2-4 Encoder Application Navigation
2.3 Reader Configuration Module
The Reader Configuration window is used to create the Reader Data configuration cards (for both
keys and reader limited settings) The application allows the user to change the keys or behavior of a
Reader.
PLT-01067, Version: A.7 July 2017
Page 17
Encoder Application Navigation Page 2-5
2.4 User Config Module
The User Config module allows the administrator to create users for Asure ID and to set the functions
each user can access in the application. The Administrator can Add User, Remove User, Save Users
and Change Passwords.
July 2017 PLT-01067, Version: A.7
Page 18
Page 2-6 Encoder Application Navigation
2.5 Home Tab
The Home tab allows configuration and implementation of the iCLASS SE Desktop Encoder. See the
Work Order Manager, Key Management, Reader Configuration, and User Configuration chapters for
information on each of these Home tabs.
PLT-01067, Version: A.7 July 2017
Page 19
2.6 File Tab
The File tab contains specific options depending on which Application Module is selected. See the
Work Order Manager, Key Management, Reader Configuration, and User Configuration chapters for
information on each of these File tabs.
Encoder Application Navigation Page 2-7
July 2017 PLT-01067, Version: A.7
Page 20
Page 2-8 Encoder Application Navigation
2.7 Options Window
The Options window is available on every File tab, and allows you to manage the iCLASS SE Encoder
Formats, Plugins, Database, Options and User Options.
PLT-01067, Version: A.7 July 2017
Page 21
Encoder Application Navigation Page 2-9
2.8 Language Options
Asure ID allows you to set the default language of the application. Available languages are:
English Indonesian Spanish
Arabic Italian Thai
Chinese Japanese Turkish
Czech Korean
French Portuguese
German Russian
To set the default language of the application:
1. From the Language option, select a language from the list.
2. Click OK.
3. An Information window is displayed with a message that the language change occurs after
Asure ID is restarted. Click OK.
4. Restart the application.
July 2017 PLT-01067, Version: A.7
Page 22
Page 2-10 Encoder Application Navigation
2.9 Skins Options
Asure ID allows you to customize the look of the Asure ID application by selecting a predefined skin.
1. From the Skins options, select a Skin from the list.
Note: The change is immediately visible.
2. Click OK.
PLT-01067, Version: A.7 July 2017
Page 23
Encoder Application Navigation Page 2-11
2.10 Resources Options
Asure ID allows you to access resource information for the application.
Field Description
About Displays the current applets loaded and their version.
Native Data Source
Connection String
Check for software updates This option directs the software to check for updates when launched.
Check for updates now
This is the connection string used to connect to the native Data Source. It
contains location and connection information.
This button checks for software updates immediately.
• If changes are required, follow the instructions on the installation wizard.
• If changes are not required, a message indicating that the software is up
to date is displayed.
July 2017 PLT-01067, Version: A.7
Page 24
Page 2-12 Encoder Application Navigation
2.11 Licensing Options
Asure ID allows you to view, modify and activate the licensing information of the Asure ID application.
To activate the License Key, enter the information listed below and click an activation button.
Field Description
Activate License
First Name Enter the first name as it appears in the HID license.
Last Name Enter the Last Name as it appears in the HID license
Email Enter a valid email address that can obtain messages about licenses and accounts.
Company Name Enter the Company Name.
State/Province Enter the State or Province where the Company is located.
Country Enter the name of the Country where the Company is location.
Printer Make/Model Enter the printer (or Encoder) make and model.
License Key Enter the License Key for Asure ID received from HID Global.
Subscribe to product
newsletter
PLT-01067, Version: A.7 July 2017
Select the check box to subscribe to Asure ID product newsletters.
Page 25
Encoder Application Navigation Page 2-13
Field Description
Subscribe to
anonymous surveys
Phone Activation
Activate Online
Select the check box to subscribe to surveys.
This option displays an Activate Offline window that provides HID Global contact
information to activate the software. This window displays an Offline Request Key
that you submit to the HID Global contact. An Offline Response Key is given to you
to enter and Submit in the window.
This option requires an Internet connection and completely activates the license on
this device.
Asure ID
System License Displays the License Key activated for your information listed above.
License Level Displays the license level for the activated license key.
Additional Licenses
Additional license keys can be viewable if HID Global support has directed you to
install additional license keys.
July 2017 PLT-01067, Version: A.7
Page 26
Page 2-14 Encoder Application Navigation
2.12 iCLASS SE Encoder Options
This option allows you to modify iCLASS SE Encoder options on the Asure ID application.
Note: This option has multiple tabs for configuration. See the following sections for details.
2.12.1 iCLASS SE Encoder Formats Tab
The iCLASS SE Encoder includes a format interpreter capable of interpreting all open and custom
formats developed and maintained by HID Global. Formats must be ordered from Customer Service,
as formats are custom to a specific OEM or end user, and not freely distributed.
The Formats tab (see graphic above) lists the formats Installed on an Encoder. The default format,
delivered with Asure ID is H10301. Contact a HID Global representative for assistance if additional
formats are required.
Field Description
Installed Formats
Select the Install Format icon, to select and install an .EFI format file provided by
HID Global.
Remove Selected
Format(s)
Restore Default
Formats
This option removes the selected Format from the list of available formats.
This option allows you to restore a default Format that may have been removed
from the list.
PLT-01067, Version: A.7 July 2017
Page 27
Encoder Application Navigation Page 2-15
2.12.2 iCLASS SE Encoder Plugins Tab
Each plugin used by the iCLASS SE Encoder is digitally signed by a key managed by HID and known
by all encoders. Only Genuine HID plugins are recognized by the encoder. Initially, one plugin is
created for each supported card type (iCLASS, MIFARE Classic, MIFARE DESFire EVI, Prox and
Seos.
Plugins automatically install or refresh when Asure ID is started. Although additional plugins can be
installed, you can not delete the plugins installed by default. These plugins can only be Disabled or
Enabled.
Note: Disabling unused plugins may increase the overall performance of the Work Order Manager
and Reader Configurations within Asure ID.
The Plugins tab lists the plugins currently installed, the version number, the Applet version, and
whether the Applet is enabled or disabled.
Field Description
In addition to viewing the installed plugins, you can perform the following tasks:
Install Plugin. Browses for a plugin from HID Global and installs the file.
Delete Applet.
Note: Clears all applet .dll files from the SAM.
These applets are uploaded automatically on an as-needed basis when required for an
encoding operation.
July 2017 PLT-01067, Version: A.7
Page 28
Page 2-16 Encoder Application Navigation
Field Description
Refresh Plugin View.
Custom Key
Store Plugins
Active Plugin: Allows you to develop a module for encrypting custom keys and how
custom keys are imported and exported.
2.12.3 iCLASS SE Encoder Database Tab
The Database tab displays information stored in the Asure ID database for the iCLASS SE Encoder.
The Database window allows a user to view and manage records and keys.
Field Description
Displays the number of iCLASS SE Encoder/User Records.
Clear Encoders: Removes all Encoders (and admin keys) from the
Secure Encoder/User Records
Known HID Keys
PLT-01067, Version: A.7 July 2017
database.
IMPORTANT: Admin Keys must be re-entered to retain access to
credentials and credits on the encoder.
Displays the number of known HID Keys loaded on the database.
Clear HID Keys: Deletes all HID Keys from the database. Keys require
reloading in Key Management.
Note: These keys are not deleted from the currently active encoder.
Page 29
Encoder Application Navigation Page 2-17
Field Description
Lists the number of custom keys that are on the database.
Custom Keys
Clear Custom Keys: Deletes all Customer Keys from the database.
Note: These keys are not deleted from the currently active encoder.
Key Set Items
Import secured encoder Admin
keys from iCLASS SE desktop
application
Import Work Orders from
iCLASS SE desktop application
Import Keys and Key Sets from
iCLASS SE desktop application
Import Reader Configuration
Profiles from iCLASS SE
Encoder desktop application
Lists the number of Key sets.
Clear Key Set Items: Deletes all Key Sets.
The iCLASS SE Encoder is secured on a per user basis with Admin Keys.
This option allows these Secure Admin Keys to be imported to allow the
specific credential, keys, etc. to be moved from the original iCLASS SE
Encoder Desktop application (version 2.3.6.8 or 2.4.0.10) into Asure ID.
Note: The importer uses the current Asure ID user name and password to
decrypt the admin Keys. If the passwords are different, you are prompted
to enter the old password from the iCLASS SE Encoder Desktop software.
HID Work Orders can be imported from the original iCLASS SE desktop
application (version 2.3.6.8 or 2.4.0.10). Asure ID automates the importing
of these (non-encrypted) items.
Custom Keys and Key Sets can be imported from the original iCLASS SE
desktop application (version 2.3.6.8 or 2.4.0.10).
Import saved profiles created in the original iCLASS SE Encoder desktop
application Reader Configuration application.
July 2017 PLT-01067, Version: A.7
Page 30
Page 2-18 Encoder Application Navigation
2.12.4 iCLASS SE Encoder Options Tab
The Options tab contains basic configuration options, along with the option of checking the SAM
Firmware compatibility.
Field Description
You can set several basic configuration options, select all that are needed:
• Load work order from last session at startup
• Automatically focus next row in grid after executing a work order
Options
Custom Key
Access Code
PLT-01067, Version: A.7 July 2017
• Automatically add a new row after executing the last row in a work order
• Prompt user between each credential that is encoded during batch encoding
• Do not show firmware upgrade required dialog on startup
• Dynamically store and load keys and credential counters for encoders not present
when .ise or .xml configuration file is loaded.
You must enter the 4-9 digit code to securely access the Custom Keys from a workstation.
This code should be the same across all workstations where custom keys are
automatically synchronized.
Note: The SNMP encoder Admin keys must also match on all workstations where custom
keys are automatically synchronized.
Page 31
Encoder Application Navigation Page 2-19
Field Description
Low Credential
Credit Warning
Threshold
Actions
Sets the minimum threshold for consumed printing/encoding credits. A warning is issued
when the threshold is reached after an encoding operation is performed in the Work
Order Manager. The default minimum threshold is 25.
Check SAM Firmware Compatibility: Allows you to check and upgrade the SAM firmware
version.
When the desktop application is launched, it checks for the current SDK version of the
encoder device. If the SDK detected on the encoder is too old, the desktop application
boot loads the version of the SDK that is built into the assembly file to ensure
compatibility.
A message is displayed if the firmware is up to date.
Note: If the detected version is too new, you are directed to the HID support site to
download the latest version of the software. It cannot downgrade an encoder.
Load new Core Firmware to encoder: Allows you to upgrade the core firmware (.fw file)
on an iCLASS SE Encoder.
2.12.5 iCLASS SE Encoder About Tab
The About tab is displayed with the current application information.
July 2017 PLT-01067, Version: A.7
Page 32
Page 2-20 Encoder Application Navigation
This page intentionally left blank.
PLT-01067, Version: A.7 July 2017
Page 33
Setup and Configuration
The following setup and configuration instructions are for the iCLASS SE Encoder Desktop
application.
3.1 System Requirements
Microsoft Windows 10 (32-bit and 64-bit)
Type
Microsoft Windows 8.1 (32-bit and 64-bit)
Microsoft Windows 8 (32-bit and 64-bit)
Microsoft Windows 7 (32-bit and 64-bit)
Chapter
3
Computer/Processor
Memory
Hard Disk
Display
Software Environment
User Permissions
1 GHz or higher Pentium-compatible CPU
USB Ports
64-bit systems: 2 GB of RAM
32-bit systems: 1 GB of RAM or higher
1 GB free space
VGA or higher resolution monitor
Latest Operating System service pack
Local machine administrative rights for iCLASS installation and secure
database administration
Internet access for license activation or phone for phone activation
3.2 Administrative Privileges
You must have Administrator privileges to complete the Installation and Startup procedures. To verify
you are an Administrator on your computer:
1. Go to Control Panel > User Accounts > Manage User Accounts.
2. Under Users for the computer, locate your User Name and verify the associated Group column
displays Administrators.
July 2017 PLT-01067, Version: A.7
Page 34
Page 3-2 Setup and Configuration
3.3 Getting Started
Administrative Privileges
You must have Administrator privileges to complete the Installation and Startup procedures. To verify
you are an Administrator on the system:
1. Go to Control Panel > User Accounts > Manage User Accounts.
2. Under Users for this computer, locate your User Name and verify the associated Group column
displays Administrators.
Initial Setup
1. Plug in the CP1000 Desktop Encoder to a USB port on your PC.
2. Plug in the HID USB Flash Drive to a 2nd USB port on your PC.
3. From the USB flash drive, install the Asure_ID_Setup application file located in the Install
folder. Follow the Installation Wizard to install the application. If prompted, allow the
application to make changes to the computer.
4. Launch the Asure ID application and perform the configuration tasks.
Note: Log on credentials: Username: admin Password: admin.
Note: A Windows error may appear indicating that not all of the all drivers were installed
correctly. This is expected as the encoder has a chip that appears as a smart card and if Smart
Card PnP is enabled, Windows will try to locate a driver for this chip which cannot be located.
PLT-01067, Version: A.7 July 2017
Page 35
Setup and Configuration Page 3-3
3.4 Initial Configuration
Change Default Administrative Keys
It is important to change the default Administrative Keys during initial setup for security reasons.
1. During the initial installation, the Unsecured Encoder! window will appear, click Yes to change
the keys.
2. The Provide New Admin Keys for Encoder window is displayed. This window gives three
different options for changing the default Admin Keys:
Manual Entry – this option allows you to move information from a previous encoder, or
enter customer created keys. Manually enter your Admin Keys in the Auth Key, Privacy Key,
and Secure Channel Key fields and click OK to confirm.
Note: Admin Keys must contain 32 characters.
Randomly Generated Keys – this option will generate random keys. Click Generate
Random Keys to have the software randomly generate keys. Click OK to confirm.
Passphrase Generated Keys – this option allows you to enter a memorable passphrase
(minimum of five characters). The software will then generate keys based on the
July 2017 PLT-01067, Version: A.7
Page 36
Page 3-4 Setup and Configuration
passphrase. Enter your passphrase in the Passphrase field and click Generate Keys From
Passphrase. Click OK to confirm.
3. A message is displayed prompting you to make a backup copy of your new Admin Keys. Click
Yes to copy the new Admin Keys to the clipboard.
IMPORTANT: Safely store the value of the admin keys for future reference as HID is unable to
recover these keys if lost. If the admin keys are lost, the encoder will need to be sent to HID to be
reset.
PLT-01067, Version: A.7 July 2017
Page 37
Setup and Configuration Page 3-5
Enter the Asure ID CP1000 Edition License Key
The Asure ID CP1000 Edition License Key is AV352-YNRV6E6G. The Admin password should be
modified from the default values for security reasons.
1. Select Work Order Manager > File tab > Options.
2. Select the Licensing option.
3. Enter the License Key AV352-YNRV6E6G and click your activation option.
4. When the License Key is activated, the CP1000 Edition will display as shown below.
July 2017 PLT-01067, Version: A.7
Page 38
Page 3-6 Setup and Configuration
Change Default Admin Password
The Admin password should be modified from the default values for security reasons.
1. Select User Config > Home tab > Change Password.
2. Enter new and confirm password. Click OK.
PLT-01067, Version: A.7 July 2017
Page 39
Setup and Configuration Page 3-7
Upload Encoder Configuration Package
The following steps will load the required files (on the USB flash drive) on the CP1000 Desktop
Encoder.
1. Go to Work Order Manager > File tab > Upload Encoder Configuration Package.
2. Locate the Credits and Keys folder, on the USB Flash drive. Load the .ise file included on the
USB Flash drive.
July 2017 PLT-01067, Version: A.7
Page 40
Page 3-8 Setup and Configuration
3.5 Change Default Admin Password
The Admin password must be modified from the default values immediately (Username: admin,
Password: admin). For security reasons, this access should not be left on the application.
Warning: When creating, a new Admin user, or changing an Admin password, it is important that
this password is saved in a secure location. At this time there is no password reset feature in place.
See Section 9.7: Change Password for detailed information on modifying the default Admin password.
3.6 Add System Users
See Section 9.4: Add a User for detailed information on User Management and adding users.
Warning: When creating, a new Admin user, or changing an Admin password, it is important that
this password is saved in a secure location. At this time there is no password reset feature in place.
PLT-01067, Version: A.7 July 2017
Page 41
Initial Configuration (Startup)
This User Guide is specific to the iCLASS SE CP 1000 Desktop Encoder. The following sections cover
the initial configuration of the iCLASS SE Desktop Encoder.
4.1 Plugin Package
A plugin package configures both the iCLASS SE desktop software and the encoder for the type of
technology being used (for example iCLASS). This installation package contains all the counters,
configuration, format and key files necessary to execute work orders for various technologies.
Plugins initially provided include:
iCLASS MIFARE Classic
Data Mapper MIFARE DESFire EV1
Elite Prep Card Prox
Chapter
4
Load HID Application Keys Seos
iCLASS Legacy Config Card
During initial installation, all required plugins are installed. By default, the iCLASS SE Encoder Kit ships
with standard keys and a small number of credits to get started. See Section 2.12.2: iCLASS SE
Encoder Plugins Tab for more information on plugins.
July 2017 PLT-01067, Version: A.7
Page 42
Page 4-2 Initial Configuration (Startup)
4.2 Formats
HID programs thousands of formats used in the Security business. Every format has a name and a
number. A format describes how a credential is to be constructed and deciphered (for example: the
number of data fields, size, legal value ranges, and how they are constructed when written to a card).
The application is provided with a default format of H10301. If an additional/different format is
required, contact an HIDGlobal representative for assistance. To install a format file, follow the steps
listed in see Section 2.12.1: iCLASS SE Encoder Formats Tab.
4.3 Upload Encoder Configuration Package
The Credential Credits and Keys are delivered on the USB Flash drive in the Credits and Keys folder.
However, when additional credits are required they are ordered from HID Global.
Note: Credential Credits and/or Keys can be received as a single .ise from HID Global. See Section 7.7:
Load HID Key(s) for information on loading these files.
PLT-01067, Version: A.7 July 2017
Page 43
Initial Configuration (Startup) Page 4-3
1. Select Work Order Manager > File tab > Upload Encoder Configuration Package.
2. Browse to the iCLASS SE Encoder File (.ise file) provided by HID Global.
3. Double-click the file to be loaded or select the file and click Open.
4. The software updates the keys and key sets. A progress bar displays as the keys and credits are
loaded.
July 2017 PLT-01067, Version: A.7
Page 44
Page 4-4 Initial Configuration (Startup)
5. When successfully loaded, the message Package has been successfully installed appears at
the bottom of the window.
PLT-01067, Version: A.7 July 2017
Page 45
Initial Configuration (Startup) Page 4-5
After the upload is complete, the installed package contents are displayed on the Key
Management > Keys tab pane.
July 2017 PLT-01067, Version: A.7
Page 46
Page 4-6 Initial Configuration (Startup)
4.4 Custom Keys
The initial package provided to the customer includes a limited number of credentials to get the user
started. Custom Keys are crated from the Key Management application.
For information on Creating Custom Keys, see see Section 7.1.1: Key Management Toolbar.
PLT-01067, Version: A.7 July 2017
Page 47
Work Order Manager
The Work Order Manager module allows the user to create, manage and execute Work Orders.
5.1 Work Order Manager Home Tab
The Work Order Manager Home window contains the following areas.
Chapter
5
July 2017 PLT-01067, Version: A.7
Page 48
Page 5-2 Work Order Manager
5.1.1 Work Order Manager Toolbar
Toolbar Function Description
Open Opens an existing Work Order. See Section 5.3: Open a Work Order.
Close Closes the current Work Order. See Section 5.4: Close a Work Order.
New
Rename
Delete
Print Select Print to print the open Work Order. See Section 5.8: Print a Work Order.
Save As
Export to CSV
Export to PDF
Add Work
Instruction
Edit
Remove
If you select New, any currently opened Work Order closes and the Work Instruction
Wizard opens to create a Work Order. See Section 5.5: Create a Work Order.
Select Rename to rename an existing Work Order. The Manage Work Orders window
appears. Select the correct work order and click Rename Work Order. See Section
5.6: Rename a Work Order.
Select Delete to delete an existing Work Order. See Section 5.7: Delete a Work
Order.
Select Save As to save the open Work Order with a new name. See Section 5.9: File
Save As a Work Order.
Select Export to CSV to export the work order to a comma separated file. See
Section 5.10: Export Work Order Data to a CSV File.
Select Export to PDF to export the work order to a Adobe PDF file. See Section 5.11:
Export Work Order Data to a PDF File.
Select Add Work Instruction and the Work Instruction Wizard will walk you through
the creation of a Work Instruction. See Section 5.12: Add a Work Instruction to a
Work Order.
With a Work Order open, select the Edit option. Select a Work Instruction from the
list, and modify in the Work Instruction Wizard as needed. See Section 5.13: Edit a
Work Instruction .
With a Work Order open, select the Remove option. Select a Work Instruction from
the list to remove. See Section 5.14: Remove a Work Instruction .
Add a single record to the Work Order database. Each record added is a credential
Add Record
Add Batch Records
Remove Records
PLT-01067, Version: A.7 July 2017
to be encoded with the Work Order. See Section 5.11: Export Work Order Data to a
PDF File. See Section 5.15.1: Add a Credential Record.
Add a batch of records to be encoded with the Work Order database. See Section
5.15.2: To Add a Batch of Credential Records.
Delete Work Order records one or more records at a time. Shift + Click to select all
records or Ctrl + Click to select individual records for removal. See Section 5.15.3:
Remove Records.
Page 49
Work Order Manager Page 5-3
Toolbar Function Description
Execute Work Order on selected record. This allows the user to select a record, and
encode the work instruction(s). As each card is completed, the display for the
credential record is grayed out and the serial number of the card displays in the
Execute Selected
Execute All
Read Back
Card Info
column. With each encoding, the associated Credential Credits decreases by one.
See Section 5.15.4: Execute Work Order on Selected Credential Records.
Note: If there are not enough encoding credits for the process a message displays.
You need to contact HID Global and order more encoding credits.
Execute on all records in Work Order. The system selects all records and encode. The
process continues until all the credential records have been encoded. See Section
5.15.5: Execute a Work Order on All Credential Records.
Reads back the card currently on the encoder and attempts to read a card and
locate its corresponding record in the data of the current Work Order. An error
message displays if the card information does not match that in the Work Order. See
Section 5.15.1: Add a Credential Record.See Section 5.15.6: Read Back
Reads the UID and memory configuration of the presented card.
Place a card on the iCLASS SE Encoder, select the card technology type, then select
this option.
Note: Not all cards display the same information. In general the information is:
CSN - Card Serial Number
Card Type (for example, SO Only)
July 2017 PLT-01067, Version: A.7
Page 50
Page 5-4 Work Order Manager
5.1.2 Work Order Manager Configuration Pane
Field Description
Selected Encoder
Selected Technology Displays all card technologies loaded on the encoder.
Current Status Displays the status of the encoder.
SAM Version Displays the current SAM firmware version.
Credential Credits Displays all the credits loaded on the encoder.
Work Order Description Displays each work instruction on the open Work Order.
All available encoders are listed in the drop-down list. Click the Refresh to refresh
the type of encoder.
PLT-01067, Version: A.7 July 2017
Page 51
Work Order Manager Page 5-5
5.2 Work Order Manager File Tab
The Work Order Manager File tab contains specific options for this module.
Option Function Description
Install Plugin
Package
Install Formats
Upload Encoder
Configuration
Package
Upload Credential
Credits
Import Work Order
From File
Export Work Order
to File
Open Log File
Recent Items
Options See Chapter 2: Options Window for detailed information.
Exit Asure ID
The Install Plugin Package is a bundle of files that will install all the necessary
plugins for the encoder. See Section 4.3: Upload Encoder Configuration Package.
The Install Format imports an encrypted file determining how a PACS credential is
formatted. See Section 4.2: Formats.
The Upload Encoder Configuration Package uploads credential credits and HID
Keys on to the encoder. See Section 4.3: Upload Encoder Configuration Package.
The Upload Credential Credits allows the upload of Credential Credits (.xml)
provided by HID Global.
The Import Work Order From File allows you to upload a Work Order Export file
(.xml) to Asure ID CP1000 Edition application.
The Export Work Order to File allows you to save a Work Order for backup and to
upload the file at a later time.
The Open Log File allows you to view the log file of events for the Asure ID CP1000
Edition application.
The Recent Items displays the Recent Work Orders, for quick reference. Work
Orders can quickly be opened by double-clicking a Work Order on the list
The Exit Asure ID on the File menu, will log the current user out and exit the
application
July 2017 PLT-01067, Version: A.7
Page 52
Page 5-6 Work Order Manager
5.3 Open a Work Order
1. To Open an existing Work Order, select Work Order Manager.
2. Select Open from the toolbar.
3. Select a Work Order from the list, and click OK.
4. The Work Order information populates the Work Order Manager window.
PLT-01067, Version: A.7 July 2017
Page 53
Work Order Manager Page 5-7
5.4 Close a Work Order
1. When a Work Order is Open, select Close from the toolbar. See Section 5.3: Open a Work
Order.
2. The Work Order is closed.
July 2017 PLT-01067, Version: A.7
Page 54
Page 5-8 Work Order Manager
5.5 Create a Work Order
A Work Order is comprised of one or many Work Instructions. A Work Instruction is a single command
issued during Work Order execution. The single Work Instruction can either read or write to a specific
memory location.
1. Select Work Order Manager module. Select New from the toolbar
2. Select the required technology, and click OK.
3. See Chapter 6: Work Instruction Wizard, for details on each technology wizard. When you have
completed the wizard, return to the following step.
PLT-01067, Version: A.7 July 2017
Page 55
Work Order Manager Page 5-9
4. Select Yes to save the Work Order.
5. Enter a descriptive name for the Work Order, and click OK
6. The Work Order information is now displayed on the Work Order Manager window, with the
Work Order name displayed across the top of the window.
July 2017 PLT-01067, Version: A.7
Page 56
Page 5-10 Work Order Manager
5.6 Rename a Work Order
1. While in the Work Order Manager module, select Rename from the toolbar.
2. Select a Work Order from the Manage Work Order window, and click Rename Work Order.
3. Enter a new name of the Work Order on the New Work Order Name window, and click OK.
4. The Work Order name is updated on the list. Click OK.
PLT-01067, Version: A.7 July 2017
Page 57
Work Order Manager Page 5-11
5.7 Delete a Work Order
1. While in the Work Order Manager module, select Delete from the toolbar.
2. Select a Work Order from the Manage Work Order window, and click Delete Work Order.
3. The file is removed from the list.
4. Click OK.
July 2017 PLT-01067, Version: A.7
Page 58
Page 5-12 Work Order Manager
5.8 Print a Work Order
Work Orders can be simply printed to a local printer.
1. Open the Work Order Manager module.
2. Open a Work Order. See Section 5.3: Open a Work Order.
3. Click Print from the toolbar.
4. Select your normal printer options from the Print manager.
5. Click Print.
PLT-01067, Version: A.7 July 2017
Page 59
Work Order Manager Page 5-13
5.9 File Save As a Work Order
This process makes a copy of the Work Instruction to a new Work Order, where it can then be
modified, as needed. Note: The database is cleared for the new Work Order.
1. Open the Work Order Manager module.
2. Open a Work Order. See Section 5.3: Open a Work Order.
3. Click Save As from the toolbar.
4. Enter a new Template Name for the Work Order, and click OK.
5. The new Work Order is saved and opened with the new name ready to edit, if needed.
6. If the Work Order with this Template Name already exists, a Warning window appears.
To continue, click Yes to overwrite the current Work Order.
July 2017 PLT-01067, Version: A.7
Page 60
Page 5-14 Work Order Manager
5.10 Export Work Order Data to a CSV File
Work Order Data can be exported to a Comma Separated Values file (CSV) file.
1. On the Work Order Manager toolbar click Export to CSV.
2. Browse to a location to save the file, and click Save.
3. Below is an example of the CSV file.
PLT-01067, Version: A.7 July 2017
Page 61
Work Order Manager Page 5-15
5.11 Export Work Order Data to a PDF File
Work Order data can be exported to a Portable Document Format (PDF) file.
1. Work Order Manager module click Export to PDF.
2. Browse to a location to save the file, and click Save.
3. Below is an example of the PDF file:
July 2017 PLT-01067, Version: A.7
Page 62
Page 5-16 Work Order Manager
5.12 Add a Work Instruction to a Work Order
A Work Instruction is a single routine issued during Work Order execution. The single Work Instruction
can either read or write to a specific memory location.
Note: This example is of a Custom Configuration.
1. Open a Work Order.
2. Double-click a Work Order from the list to open.
PLT-01067, Version: A.7 July 2017
Page 63
Work Order Manager Page 5-17
3. The Work Order information is displayed on the Work Order Manager window.
Select Add Work Instruction.
4. Select the technology type from the list and click OK.
5. See Chapter 6: Work Instruction Wizard, for details on each technology wizard. When you have
completed the wizard, return to the following step.
July 2017 PLT-01067, Version: A.7
Page 64
Page 5-18 Work Order Manager
6. Select Yes to save the Work Order.
7. The new Work Instruction is now listed on the Work Order Description.
PLT-01067, Version: A.7 July 2017
Page 65
Work Order Manager Page 5-19
5.13 Edit a Work Instruction
The following describes the simple process of editing an existing Work Instruction.
1. Open a Work Order.
2. Click Edit in the Work Instructions section of the toolbar.
3. Double-click a Work Instruction from the list to edit.
4. The Work Order Instruction wizard is opened. See Chapter 6: Work Instruction Wizard, for
details on each technology wizard.
5. When complete, the Work Instruction selected is modified.
July 2017 PLT-01067, Version: A.7
Page 66
Page 5-20 Work Order Manager
5.14 Remove a Work Instruction
The following describes the simple process of removing an existing Work Instruction.
1. Open a Work Order.
2. The Work Instruction is now displayed on the Work Order Manager page.
3. Click Remove in the Work Instructions section of the toolbar.
4. Double-click the Work Instruction from the list to remove.
5. When complete, the Work Instruction is removed.
PLT-01067, Version: A.7 July 2017
Page 67
Work Order Manager Page 5-21
5.15 Work Order Execution
After the Work Instruction and Work Orders are created, you execute a work order. This section gives
an overview of the process to write SIO credentials to an iCLASS card(s), but is applicable to other
Use Cases.
5.15.1 Add a Credential Record
This section covers how to add a single credential record.
1. Open a Work Order.
2. From Work Order Manager click Add Record.
July 2017 PLT-01067, Version: A.7
Page 68
Page 5-22 Work Order Manager
3. A single credential record is added.
PLT-01067, Version: A.7 July 2017
Page 69
Work Order Manager Page 5-23
5.15.2 To Add a Batch of Credential Records
This section covers how to add a batch of credential records.
Note: A single credential record or a batch of credential records can be added by following these
steps.
1. Open a Work Order.
2. From Work Order Manager click Add Batch Records.
3. Enter the number of credential records to add. Click OK.l
July 2017 PLT-01067, Version: A.7
Page 70
Page 5-24 Work Order Manager
4. The credential records are added to the list.
PLT-01067, Version: A.7 July 2017
Page 71
Work Order Manager Page 5-25
5.15.3 Remove Records
1. Open a Work Order.
2. Select one record, or a range of records.
3. Click Remove Records.
4. Click Yes to verify the deletion.
July 2017 PLT-01067, Version: A.7
Page 72
Page 5-26 Work Order Manager
5. The credential records are removed.
PLT-01067, Version: A.7 July 2017
Page 73
Work Order Manager Page 5-27
5.15.4 Execute Work Order on Selected Credential Records
This section covers how to execute a Work Order on a credential record.
1. Open a Work Order.
2. Place the correct card type on the CP1000 Desktop Encoder.
3. Select the records to encode (Ctrl+Click or Shift+Click) to select a range of records.
4. From Work Order Manager click Execute Selected.
5. A progress window displays.
6. When the first card is complete, and if more than one credential was selected, a notice displays,
asking to place the next card on the encoder.
7. If prompted to do so, place the next card to be encoded on the reader.
July 2017 PLT-01067, Version: A.7
Page 74
Page 5-28 Work Order Manager
8. If encoding multiple cards, as each card is complete, the display for the credential record is
grayed out and the serial number of the card is read into the column. Note that the associated
Credential Credits decrements by 1 with each execution. Counter will be updated only after all
selected records have been encoded if encoding multiple records.
Note: If there are not enough encoding credits for the process you are executing, a message
appears with a similar message as shown below. You need to contact HID Global and order more
Encoding Credits.
PLT-01067, Version: A.7 July 2017
Page 75
Work Order Manager Page 5-29
5.15.5 Execute a Work Order on All Credential Records
This is the same process, as Section 5.15.4: Execute Work Order on Selected Credential Records
above. However, you do not need to select any credential records, and the process continues until
all the credential records have been executed.
July 2017 PLT-01067, Version: A.7
Page 76
Page 5-30 Work Order Manager
5.15.6 Read Back
The Read Back functionality attempts to read a card and decipher/locate its corresponding record
in the data.
1. To read a card, open a Work Order with the correct technology type and format.
2. Place the card on the reader.
3. From Work Order Manager click Read Back.
4. If successful, the Credential Record information on the card appears in the Card Info window if
a match is found.
PLT-01067, Version: A.7 July 2017
Page 77
Work Instruction Wizard
The Work Instruction Wizard appears any time you:
Create a New Work Order
Add a Work Instruction to a Work Order
Edit a Work Instruction
There are currently five (5) technology types available, with a corresponding Work Instruction wizard.
iCLASS
MIFARE Classic
MIFARE DESFire EV1
Prox
Seos
Chapter
6
See the following sections for detailed information on each work instruction wizard.
July 2017 PLT-01067, Version: A.7
Page 78
Page 6-2 Work Instruction Wizard
6.1 iCLASS Work Instructions
6.1.1 iCLASS: HID Access Application
This section covers the Work Instruction wizard for iCLASS, with the HID Access Application
encoding.
1. Select the iCLASS technology type, and click OK.
2. The Work Instruction Wizard opens to allows you to configure the Work Instruction for iCLASS.
Click Next.
PLT-01067, Version: A.7 July 2017
Page 79
Work Instruction Wizard Page 6-3
3. Select Data Format: You can make selections from the following. When complete click Next.
Field Description
Instruction Type Read, Write, or Roll Card Authentication Key
Data Type HID Access Application, or Custom
Overwrite Existing Credential: Allows the iCLASS SE Encoder to write over
Options
Credential Type
an application that has already been recorded in the Work Order database.
Enable User PIN Entry (available with SR (HID Access Application and SO
only)
SE (SO only), SR (HID Access Application and SO), or HID Access
Application.
Format: Select a Format from the list.
Note: For this example a Write/HID Application/SE (SO only) configuration is selected.
July 2017 PLT-01067, Version: A.7
Page 80
Page 6-4 Work Instruction Wizard
4. Define Format Parameters: You select, then customize each parameter defined for the selected
format. Select the line to modify. Each parameter is editable with text or from a drop-down
menu.
Field Description
Name
Parameter Type
Enforce Unique
Numbers
Default Value The default Static value is used when auto-creating a new Credential record.
Increment Step The step value used to increment Auto Number sequences.
Auto Numbers
The name is read from the Format file. It is recommended to not change this
name unless necessary.
This can be Auto Increment, Static, or Manual User Entry.
Note: Type is typically determined by the Format file.
Check this box for a runtime check of manual value entered by user to
guarantee uniqueness, prior to executing the Work Order.
This field sets the Auto Number Sequences for the Work Instruction. The ranges
are set by selecting the ellipses (…) and entering the ranges (see following
graphic).
Auto Number Sequences window
Select Add Range and set the range in the editable fields. Click OK.
5. Click Next to continue with the Wizard.
PLT-01067, Version: A.7 July 2017
Page 81
Work Instruction Wizard Page 6-5
6. Memory Map Selection: Select card configuration and location where the data is written.
Click Next.
Field Description
Expected Card Type Configured or Unconfigured.
Note: If Unconfigured is selected, the Card Configuration field below must be
set.
Note: Unconfigured card are not supported on CP1000 encoders.
Card Configuration Select the memory configuration from the drop-down list. Options are:
2K (default), 16k2, 16k16, 16k2+16k1, 16k16+16k1, 2K (SO Only), 16k2 (SO Only),
16k16 (SO Only), 16k2+16k1 (SO Only), 16k16+16k1 (SO Only).
Note: Memory Map is grayed out with the Data Type set to HID Access Application, as the HID
Access Application is always encoded in the same place. However, if the Data Type is set to
Custom, the Memory Map is active.
Expected Card Type: Configured
Note: This is the default and recommended setting. All iCLASS cards shipped from the HID
factory are configured, unless specifically requested.
July 2017 PLT-01067, Version: A.7
Page 82
Page 6-6 Work Instruction Wizard
Expected Card Type: Unconfigured
Note: Not available on CP1000 encoders.
7. Key Selection: Select a key to lock the AppArea after the data is written, and click Next.
Field Description
Card Authentication Keys Custom or HID defined Key Sets may be selected.
SO Encryption Key Custom or HID defined SO Encryption Key Sets may be selected.
8. You have completed the wizard. Click Finish.
9. Return to Section 5.5: Create a Work Order, step 5 to save the Work Order.
PLT-01067, Version: A.7 July 2017
Page 83
Work Instruction Wizard Page 6-7
6.1.2 iCLASS: Custom Encoding
This section covers the Work Instruction wizard for iCLASS, with Custom Encoding.
1. Select the iCLASS technology type, and click OK.
2. The Work Instruction Wizard opens to allow you to configure the Work Instruction for iCLASS.
Click Next.
3. Select Data Format: You can make selections from the following. When complete click Next.
Field Description
Instruction Type Read, Write, or Roll Card Authentication Key
Data Type For this example Custom must be selected.
Options Not available with Custom
Custom Data Plugin Type: ASCII Text, Hexadecimal Data, Unicode Text, and Integer.
Name: Modify the Name, if needed. Note: Name field constitutes column in Work
Order data view.
Note: For this example Write/Custom/ASCII Text/Custom_Field configuration is selected.
July 2017 PLT-01067, Version: A.7
Page 84
Page 6-8 Work Instruction Wizard
4. Memory Map Selection: Select card configuration and location where the data is written.
Click Next.
Field Description
Expected Card Type Configured or Unconfigured.
Card Configuration Select the memory configuration from the drop-down list.
Options are: 2K, 16k2, 16k16, 16k2+16k1, 16k16+16k1, 2K (SO Only), 16k2 (SO Only),
16k16 (SO Only), 16k2+16k1 (SO Only), 16k16+16k1 (SO Only)
Default is 2K.
Memory Map Define (select) the AppArea/Block.
Note: This is a scrollable field.
PLT-01067, Version: A.7 July 2017
Page 85
Work Instruction Wizard Page 6-9
5. Key Selection: Select a key to lock the AppArea after the data is written, and click Next.
Field Description
Keys Card Authentication Key: Custom or HID defined Key Sets may be selected. Select
the key used to authenticate to the key currently securing the AppArea to encode.
SO Encryption Key: Custom or Standard Key Sets may be selected.
New Card Authentication Key: None or Custom Key Sets may be selected. Select a
new key here only to change the key that is used to secure this AppArea.
Encryption Encryption Type: None, or 3DES
Encryption Key: This field appears with the 3DES selection above. Select the
Encryption Keys loaded. This encrypts the data on the card. Data must be decrypted
accordingly, when read by 3rd-party applications.
6. You have completed the wizard. Click Finish.
7. Return to see Section 5.5: Create a Work Order, step 5 to save the Work Order.
July 2017 PLT-01067, Version: A.7
Page 86
Page 6-10 Work Instruction Wizard
6.2 MIFARE Classic Work Instructions
6.2.1 MIFARE Classic: HID Access Application
This section covers the Work Instruction for MIFARE Classic, with HID Access Application encoding.
1. Select the MIFARE Classic technology type, and click OK.
2. The Work Instruction Wizard opens to allow you to configure the Work Instruction for MIFARE
Classic. Click Next.
3. Select Data Format: You can make selections from the following. When complete click Next.
Field Description
Instruction Type Read, Write, Roll Card Authentication Key, or Move Genuine SO Sector
Data Type HID Access Application, or Custom
Options Overwrite Existing Credential: Allows the iCLASS SE Encoder to write over an
application that has already been recorded in the Work Order database.
Enable User PIN Entry (available with SR (HID Access Application and SO only)
Credential Type SE (SO only), SR (HID Access Application and SO), or HID Access Application.
Format: Select a Format from the list.
Note: For this example, a Write/HID Application/SE configuration is selected.
PLT-01067, Version: A.7 July 2017
Page 87
Work Instruction Wizard Page 6-11
4. Define Format Parameters: Select, to define each parameter for the selected format. Select the
line to modify, each parameter is editable with text or from a drop-down menu.
Field Description
Name The name is read from the Format file. It is recommended to not change this
name unless necessary.
Parameter Type This can be Auto Increment, Static, or Manual User Entry.
Enforce Unique
Numbers
Default Value The default Static value for Static and Manual parameters.
Increment Step The step value used to increment Auto Number sequences.
Auto Numbers This field sets the Auto Number Sequences for the Work Instruction. The ranges
Check this box for a runtime check of manual value entered by user to
guarantee uniqueness, prior to executing the Work Order.
are set by selecting the ellipses (…) and entering the ranges. See following
graphic.
Auto Number Sequences window
Select Add Range and set the range in the editable fields. Click OK.
5. Click Next to continue with the Wizard.
July 2017 PLT-01067, Version: A.7
Page 88
Page 6-12 Work Instruction Wizard
6. Key Selection: Select a key to lock the AppArea after the data is written, and click Next.
Field Description
Key Set: Standard, Custom or HID defined Key Sets may be selected.
Authentication Keys are the keys currently used to protect the Sector.
Select Default if working with a blank card or Sector.
Keys
Authentication Key A: Select an option from the drop-down menu.
Authentication Key B: Select an option from the drop-down menu.
SO Encryption Key: Select an option from the drop-down menu.
Note: Only available when writing SE or SR cards.
MAD Write Key B: Select an option from the drop-down menu.
7. The wizard is complete. Click Finish.
8. Return to Section 5.5: Create a Work Order, step 5 to save the Work Order.
PLT-01067, Version: A.7 July 2017
Page 89
Work Instruction Wizard Page 6-13
6.2.2 MIFARE Classic: Custom Encoding
This section covers the Work Instruction wizard for MIFARE Classic, with Custom Encoding.
1. Select the MIFARE Classic technology type. Click OK.
2. The Work Instruction Wizard opens to allow you to configure the Work Instruction for MIFARE
Classic. Click Next.
3. Select Data Format: You can make selections from the following. When complete, click Next.
Field Description
Instruction Type Read, Write, Roll Card Authentication Key, or Roll Card Authentication Key.
Data Type For this example Custom must be selected.
Options Not available with Custom.
Custom Data Plugin Type: ASCII Text, Hexadecimal Data, Unicode Text, or Integer.
Name: Modify the Name, if needed. Note: Name field constitutes column in
Work Order data view.
Note: For this example a Write/Custom/ASCII Text/Custom_Field configuration s selected.
July 2017 PLT-01067, Version: A.7
Page 90
Page 6-14 Work Instruction Wizard
4. Memory Map Selection: Select card configuration and location where the data is written.
Click Next.
Field Description
Configuration Card Type: 1K, or 4K
Sector Trailer Authentication Key: Key A, or Key B
Update MAD Select the check box to update the MIFARE Application Directory (MAD).
Note: This is an optional parameter (sector 0 is always reserved for this
purpose).
Application ID: Enter the Application ID your company has registered with NXP
to update.
Change access
conditions
Memory Map Define (select) the MIFARE Sector/Block (scrollable field).
Select the check box to Change access conditions
Sector Trailer Access: Select an option from the drop-down menu.
Note: See the NXP Datasheet for more detail on Sector Trailer.
Block Access: Select an option from the drop-down menu.
Note: The legacy HID application can be encoded on Sector 1. This is a fixed
location. The HID SIO application can be encoded in Sector 4 generally, but can
be moved.
PLT-01067, Version: A.7 July 2017
Page 91
Work Instruction Wizard Page 6-15
5. Key Selection: Select a key to lock the AppArea after the data is written. Click Next.
Field Description
Keys Key Set: Not an option.
Authentication Keys are the keys currently used to protect the Sector.
Select Default if working with a blank card or Sector.
Authentication Key A: Select an option from the drop-down menu.
Authentication Key B: Select an option from the drop-down menu.
SO Encryption Key: Not available with the Custom option.
MAD Write Key B: Select an option from the drop-down menu.
6. The wizard is complete. Click Finish.
7. Return to Section 5.5: Create a Work Order, step 5 to save the Work Order.
July 2017 PLT-01067, Version: A.7
Page 92
Page 6-16 Work Instruction Wizard
6.2.3 MIFARE CLASSIC: Move Genuine SO Sector
This section covers the Work Instruction wizard for Move Genuine SO Sector process.
1. Select the MIFARE Classic technology type. Click OK.
2. The Work Instruction Wizard opens to allow you to configure the Work Instruction for Prox.
Click Next.
3. Select Data Format: Select the following. When complete click Next.
Field Description
Instruction Type Move Genuine SO Sector
PLT-01067, Version: A.7 July 2017
Page 93
Work Instruction Wizard Page 6-17
4. Configure the HID Genuine SO to a new sector. Click Next.
Field Description
MIFARE Card Type Options are: 1K or 4K
SO Sector Number Auto Detect
New Sector Number Select new sector number from the drop-down menu. Range is 1-15
New Sector Auth Key Type Options are: Key A or Key B.
New Sector Auth Key Options are Default Transport Key, or defined Authentication key.
5. When the wizard is complete, click Finish.
6. Return to Section 5.5: Create a Work Order, step 5 to save the Work Order.
July 2017 PLT-01067, Version: A.7
Page 94
Page 6-18 Work Instruction Wizard
6.3 MIFARE DESFire EV1 Work Instructions
6.3.1 MIFARE DESFire EV1: HID Access Application
This section covers the Work Instruction for MIFARE DESFire EV1, with HID Access Application
encoding.
1. Select the MIFARE DESFire EV1 technology type. Click OK.
2. The Work Instruction Wizard opens to allow you to configure the Work Instruction for MIFARE
DESFire EV1. Click Next.
3. Select Data Format: You can make selections from the following. When complete click Next.
Field Description
Instruction Type Read, Write, or Roll Card Authentication Key
Data Type HID Access Application, or Custom
Options Overwrite Existing Credential: Allows the iCLASS SE Encoder to write over an
application that has already been recorded in the Work Order database.
Enable User PIN Entry (available with SR (HID Access Application and SO only)
Credential Type SE (SO only), SR (HID Access Application and SO), or HID Access Application.
Format: Select a Format from the list.
Note: For this example, a Write/HID Access Application configuration is selected.
PLT-01067, Version: A.7 July 2017
Page 95
Work Instruction Wizard Page 6-19
4. Define Format Parameters: Select to define each parameter for the chosen format. Select the
line to modify. Each parameter is editable with text or from a drop-down menu.
Field Description
Name The name is read from the Format file. It is recommended to not change this
name unless necessary.
Parameter Type This can be Auto Increment, Static, or Manual User Entry.
Enforce Unique
Numbers
Default Value The default Static value for Static and Manual parameters.
Increment Step The step value used to increment Auto Number sequences.
Auto Numbers This field sets the Auto Number Sequences for the Work Instruction. The ranges
Check this box for a runtime check of manual value entered by user to
guarantee uniqueness, prior to executing the Work Order.
are set by selecting the ellipses (…) and entering the ranges. See following
graphic.
Auto Number Sequences window
Select Add Range and set the range in the editable fields. Click OK.
5. Click Next to continue with the Wizard.
July 2017 PLT-01067, Version: A.7
Page 96
Page 6-20 Work Instruction Wizard
6. Key Selection: Select a key to lock the AppArea after the data is written, and click Next.
Field Description
Key Set Key Set: Custom or HID defined key sets may be selected
Change Key Set: Standard (No option).
SO Encryption Key: Key set used to encrypt the SO credential. Standard,
Custom, or HID defined key sets may be selected.
Override default PICC Master Key: Allows you to override the HID
Standard or Elite PICC Master key on a DESFIRE card.
Application Keys
Key Type Displays the Key type.
Crypto Method Triple DES, AES, or 3 Key Triple DES (24 byte keys)
Key Diversifier Algorithm None, NIST SENC HMAC, NXP AV1 1 Key Triple DES, or NXP AV1 2 Key
Triple DES
Auth Key None, NXP Default Transport Key, or HID SO PICC Master Key. Also
custom Auth Key is listed.
7. The wizard is complete. Click Finish.
8. Return to Section 5.5: Create a Work Order, step 5 to save the Work Order.
PLT-01067, Version: A.7 July 2017
Page 97
Work Instruction Wizard Page 6-21
6.3.2 MIFARE DESFire EV1: Custom Encoding
This section covers the Work Instruction wizard for MIFARE DESFire EV1, with Custom Encoding.
1. Select the MIFARE DESFire EV1 technology type. Click OK.
2. The Work Instruction Wizard opens to allow you to configure the Work Instruction for MIFARE
DESFire EV1. Click Next.
3. Select Data Format: You can make selections from the following. When complete click Next.
Field Description
Instruction Type Read, Write, Roll Card Authentication Key, or Move Genuine SO Sector
Data Type For this example Custom must be selected.
Options Not available with Custom.
Custom Data Plugin Type: ASCII Text, Hexadecimal Data, Unicode Text
Name: Modify the Name, if needed. Note: Name field constitutes column in
Work Order data view.
Note: For this example, a Write/Custom/ASCII Text/Custom_Field configuration is selected.
July 2017 PLT-01067, Version: A.7
Page 98
Page 6-22 Work Instruction Wizard
4. Memory Map Selection: Select the card configuration and location where the data is to be
written. Click Next.
Field Description
Application ID Enter the 3-byte Application ID your company has registered with NXP, in
hexadecimal form.
File Number Select the file number (Range 0-31).
File Type Standard Data File is the only supported option.
File Size (bytes) Select the file size in bytes. Default is 16 bytes.
File Communication
Settings
Key Change Mode To change a key, requires authentication with the following: Master Key, Key 1-13,
PICC Master Key
Properties
Application Master
Key Properties
Select Ciphered or Plain for this example.
Authenticate with key to be changed, or Do not allow keys to be changed
Select the PICC Master Properties from the list.
Note: These options can only be managed when working with a blank card.
Select the Application Properties from the list.
PLT-01067, Version: A.7 July 2017
Page 99
Work Instruction Wizard Page 6-23
5. Key Selection: Set the Application Key options in accordance with the NXP datasheets, and
click Next. All options can be set from the associated drop-down menu.
Note: Selections must abide by the rules you set up for the card.
Field Description
Application Keys
Key Type Displays the Key type.
Crypto Method Triple DES, AES, or 3 Key Triple DES (24 byte keys)
Key Diversifier
Algorithm
Auth Key
Change Key
File Keys Note: Keys selected in the following must be configured in the Application Keys section
above
Read Key
Write Key
Read/Write Key
None, NXP AV1 1 Key Triple DES, or NXP AV1 2 Key Triple DES
The key used to authenticate to the key specified by Key Type.
None: To signify the key is not used. None is only valid for optional Keys 1-13.
NXP Default Transport Key: For blank cards, typically NXP Default Transport key
is used.
Custom Keys: Custom Keys will be listed, if they are 16 bytes or larger and have
been loaded to the currently selected encoder using the Key Manager.
If the card contains non-default keys (either loaded at the factory or by 3rd party),
than the proper custom key must be selected that can authenticate for the
specified Key Type.
The Change Key is used only if the user desires that the current key be changed
during the encoding operation.
None: To signify the key will not be changed.
NXP Default Transport Key: For blank cards, typically NXP Default Transport key
is used.
Custom Keys: Custom Keys will be listed, if they are 16 bytes or larger and have
been loaded to the currently selected encoder using the Key Manager.
Select Read Key number (Range 0-13). Default is 0.
Note: 0 indicates that the Application's Master Key will be used to provide access
to the file.
Select Write Key number (Range 0-13). Default is 0.
Note: 0 indicates that the Application's Master Key will be used to provide access
to the file.
Select Read/Write Key number (Range 0-13). Default is 0.
Note: 0 indicates that the Application's Master Key will be used to provide access
to the file.
July 2017 PLT-01067, Version: A.7
Page 100
Page 6-24 Work Instruction Wizard
6. When wizard is complete, click Finish.
7. Return to Section 5.5: Create a Work Order, step 5 to save the Work Order.
PLT-01067, Version: A.7 July 2017
Loading...