SafeWord includes easy-to-use tokens and integrates seamlessly with your existing Microsoft Windows
management tools. In the Risco Access Control system, SafeWord OTP Server is used to deploy OTP devices
assigned to operators, installers and users for authentication.
1.1 SafeWord OTP Server Environment
This section describes the software and hardware environments required to run the SafeWord OTP
Server.
1.1.1 Software Environment
The following table lists the basic software requirements for installing SafeWord OTP Server:
Table 2: Software Environment
Operating System: Server: 32 or 64-bit Windows Server 2003 or 2008; Desktop: 32 or 64-bit Windows XP (SP2), Vista
Database: Not Applicable
Server Software: Not Applicable
Other Software: Not Applicable
1.1.2 Hardware Environment
The following table lists the basic hardware requirements for installing SafeWord OTP Server:
Table 3: Hardware Environment
Servers: CPU: Pentium IV or AMD @ 1.8 GHz (minimum), 2 GHz (recommended)
Disk Space: 3-5 GB (min) 10 GB (recommended) on NTFS-formatted drive
RAM
Other Hardware
7. Read the License Agreement completely before installing the application and click Next. The
Change Destination Location dialog box appears. The default path where the installed files will
be saved appears.
Figure 6: Change Destination
8. Click Browse to change the path as per your requirement. Click Next. The Select Components
dialog box appears.
14. Click the I will manage users in Active Directory option button if you need to use Microsoft's
Active Directory to manage user details for SafeWord.
Or
15. Click I will manage users in SafeWord, with ESP option button if SafeWord Management
Console is intended to manage user details.
16. Click Next. The Server Components dialog box appears. The default port numbers already exist
in the dialog box. Change as per your requirement.
After the installation is complete, ensure that the following six services are installed and running on the
local machine:
• SafeWord Administration Server
• SafeWord Authentication Engine
• SafeWord Database Server
• SafeWord RADIUS Accounting Server
• SafeWord RADIUS Server
• SafeWord User Center
1.3 Starting the Services
If the services do not start automatically, use the following steps to start them:
1. On your computer, click Start, then right-click My Computer and select Manage. The Computer
Management window appears.
2. Click Services and all the services installed on your local machine are displayed.
3. Select a service and click the Start link available on the left side of the window. The service starts
running.
4. Repeat the steps to run the rest of the services.
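The post-installation check and the manual start procedure above can also be done from an elevated PowerShell prompt. The following is an added example, not part of the original guide or the vendor's tooling; it uses only the six service display names listed above and the standard Get-Service and Start-Service cmdlets.

```powershell
# Added example: verify the six SafeWord services and start any that are stopped.
# Display names come from the list in this guide; run from an elevated prompt.
$expected = @(
    'SafeWord Administration Server',
    'SafeWord Authentication Engine',
    'SafeWord Database Server',
    'SafeWord RADIUS Accounting Server',
    'SafeWord RADIUS Server',
    'SafeWord User Center'
)

function Test-SafeWordServices {
    param([string[]]$DisplayNames, [switch]$StartStopped)

    foreach ($name in $DisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Service is missing entirely: the installation is incomplete.
            New-Object PSObject -Property @{ Service = $name; State = 'NotInstalled' }
            continue
        }
        if ($svc.Status -ne 'Running' -and $StartStopped) {
            try {
                Start-Service -InputObject $svc -ErrorAction Stop
                # Wait up to 30 seconds; throws a timeout exception if it never starts.
                $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            } catch {
                Write-Warning "Could not start '$name': $($_.Exception.Message)"
            }
            $svc.Refresh()
        }
        New-Object PSObject -Property @{ Service = $name; State = $svc.Status.ToString() }
    }
}

$report = @(Test-SafeWordServices -DisplayNames $expected -StartStopped)
$report | Select-Object Service, State | Format-Table -AutoSize

$notRunning = @($report | Where-Object { $_.State -ne 'Running' })
if ($notRunning.Count -gt 0) {
    Write-Warning "$($notRunning.Count) SafeWord service(s) are not running."
}
```

Omit -StartStopped to report the service states without changing anything.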
1.4 Activating SafeWord Token Authenticators
To use a SafeWord Server, activation is required. The Activation Certificate that came with your software
contains the SafeWord 2008 Serial number and Token Group ID and allows you to download the
activation key and token data records.
The following sections describe the activation process.
1.4.1 Registering on the Portal
After installing the SafeWord OTP Server and running the SafeWord services, you will now activate the
SafeWord Tokens. To activate the tokens:
1. To activate the product, visit the website https://ssl.aladdin.com/PartnerLogin.aspx
2. Enter the credentials in the User Name and Password fields and follow instructions provided on
the Website.
3. After the product is registered, you will have to download the activation files including an HTML
page named with the product key, for example, NSJ0-2E1U-1WQ9-CR92.html
IMPORTANT: Save the activation files as these files can be downloaded only once.
1.4.2 Activation using ADUC
To activate the product from ADUC:
1. In ADUC, right-click the SafeWord folder.
2. The first time you right-click on the SafeWord folder, you will be prompted to enter and re-enter
(to verify) an Administrator password.
3. Click OK.
4. Right-click on the SafeWord folder and select Activate Product.
5. Log in to the portal using the credentials received when you registered.
Note: Token Group IDs that have not been activated may be entered at this time. All upgraded
Token records have already been activated.
6. Complete the activation form and click Submit. The SafeWord Activation window appears
showing the license activation and token import progress. Upon completion, the activation file
key.html is downloaded to <Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to
activate your software and your token data records.
Figure 13: SafeWord Activation
Note: You should back up these files in case you need to reactivate the product or re-import
token records later.
The Administration Server and Authentication Engine services will restart.
7. To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation.
8. The successfully processed license file is renamed key.activated.html.
9. Re-launch ADUC.
1.4.3 Activation using the Website
To activate using the website, you need to create an RCR.txt file. You can either create it using SafeWord
Management Console or ADUC. In case you are using SafeWord Management Console, follow the steps
given below. There are separate steps given for using ADUC.
Using SafeWord Management Console
To manually activate SafeWord 2008, do either of the following:
1. Create an RCR.txt file manually by doing the following:
• Right-click the SafeWord folder in the left directory tree and select Support.
• Click Save to automatically save the RCR.txt file to a temporary directory.
After creating an RCR.txt file, perform the following steps:
2. Browse to www.aladdin.com/sw08-activation and log in using the username and password that
were sent to you when you registered.
3. Enter your SafeWord Software serial number in the appropriate field. (The serial number format is
NSXX-XXXX-XXXX-XXXX.)
4. Click Continue. The SafeWord Activation page appears.
Note: Token Group IDs that have not been activated may be entered at this time. All upgraded
Token records have already been activated.
5. Import the required support data (RCR.txt) that you created in step 1.
6. Complete the activation form, then click Submit. You can now download the files that contain
the key to activate your software and your token data records. You should back up these files in
case you need to reactivate the product or re-import token records later.
7. Copy key.html into the following subdirectory on the SafeWord system:
<Install_Dir>\SERVERS\AdminServer\activation.
Note: Ensure the file name is key.html. Using any variation (key.htm or key.html.html, for
instance) will cause the activation to fail.
8. Restart the SafeWord Administration Server and Authentication Engine by browsing to Start >
Programs > Administrative Tools > Services, right-click on SafeWord Administration Server
and select Restart (repeat for the Authentication Engine).
9. To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. The
successfully processed license file is renamed key.activated.html.
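The file-name rule in step 7 and the verification in step 9 can be checked together with a short script. This is an added example, not part of the original guide; the value of $InstallDir is a placeholder for <Install_Dir> and must be set to your actual installation path.

```powershell
# Added example: report the activation state from the contents of the activation directory.
# $InstallDir is a placeholder for <Install_Dir>; replace it with your real install path.
$InstallDir = 'C:\REPLACE_WITH_Install_Dir'

function Get-SafeWordActivationState {
    param([string]$ActivationDir)

    if (-not (Test-Path -LiteralPath $ActivationDir -PathType Container)) {
        return "Activation directory not found: $ActivationDir"
    }
    $names = @(Get-ChildItem -LiteralPath $ActivationDir | ForEach-Object { $_.Name })

    # Step 9: a processed license file is renamed key.activated.html.
    if ($names -contains 'key.activated.html') {
        return 'Activated: key.activated.html is present.'
    }
    # Step 7 done, step 8 (service restart) still pending or not yet processed.
    if ($names -contains 'key.html') {
        return 'Pending: key.html is present but not processed. Restart the Administration Server and Authentication Engine.'
    }
    # Variations such as key.htm or key.html.html cause activation to fail.
    $misnamed = @($names | Where-Object { $_ -like 'key*.htm*' })
    if ($misnamed.Count -gt 0) {
        return "Misnamed key file(s): $($misnamed -join ', '). The name must be exactly key.html."
    }
    return 'No key file found. Copy key.html into this directory.'
}

$activationDir = Join-Path $InstallDir 'SERVERS\AdminServer\activation'
Get-SafeWordActivationState -ActivationDir $activationDir
```

Windows Explorer hides known file extensions by default, which is how a file ends up named key.html.html; the script reads the full names, so such a file is reported as misnamed.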
If you already have an existing Active Directory (AD) database of users, the SafeWord Management
Snap-in allows you to use the familiar Active Directory Users and Computers (ADUC) console to assign
SafeWord tokens and SoftPINs to your existing users.
1.5.1 Assigning Tokens to Users
To assign tokens to already created users in AD:
1. Launch ADUC.
2. On the left side of the window, select the Users folder.
Note: You can choose to have users in a container other than the default Users folder. This
container is sometimes referred to as an “organizational unit” and is special because of its
security boundary. You can delegate administration of this organizational unit, whereas
administration of the default Users folder cannot be delegated. The default Users folder is
a regular container and is named Users.
3. Locate the user to whom you will be assigning a token, right-click the user’s name and select
Properties, then in the user’s Properties window click the SafeWord tab.
Figure 14: User Properties
Note: If some of your users will share a token, assign the same token serial number to each user
who will share it.
4. In the Token serial number field (found in the SafeWord tab), enter the token’s serial number,
and an optional four-digit PIN.
5. Click Apply to activate the lower portion of the window, allowing you to test the token (refer to
section 2.4.2 Testing Tokens).
Once a token has been assigned it should be tested. A token test option is located on a user’s SafeWord
tab in ADUC. To test a token, do the following:
1. Open the user’s Properties window and click the SafeWord tab.
2. Confirm that the Token serial number field is populated with the serial number of the token you
are testing.
3. Generate a one time passcode using the token and enter it in the Passcode field under Token
Test.
Note: You do not need to append a PIN to the end of the Passcode in the Management Console,
even if the user requires a PIN to log in.
4. Click Test.
5. Click OK in the window indicating a successful test.
1.6 Managing Users in SafeWord Management Console
SafeWord Management Console handles users (stored in the SafeWord database) and authenticator
management, security policy administration, group management, viewing logs, and generating reports.
To manage users in the SafeWord Management Console:
1. On your computer, click Start All Programs Aladdin SafeWord.
Note: To change the password, select the Change Password check box.
7. Click OK. The following figure appears.
Figure 18: SafeWord 2008 Management Console
8. To use OTP tokens, you need to import the authenticators into the SafeWord database.
9. To import, click File Import Software/Hardware Authenticators.
Figure 19: Locate Authenticator Import File
10. Click Browse. Select the ImportAlpine.dat file that is downloaded with the activation files and click
Next. The Select Admin Group dialog box appears. There are two types of admin groups:
RESERVED and USERS. RESERVED group users have default administrator privileges and USERS
group users have restricted rights.
11. By default, the RESERVED group name appears. Change the admin group as per your
requirement, where you want to import the tokens. After the tokens are imported, you can now
use the OTP Token Devices.
1.7 Adding Users in SafeWord
You may add a new user in the default admin groups. To add a new user:
1. Go to SafeWord Management Console. Apart from the default ‘ADMINISTRATOR’ user, there are
other users such as BAD_USER_ID and ENROLL_SYS_ADMIN.
11. Click Re-sync to re-synchronize the OTP device before first use. The Re-synchronize
Authenticator dialog box appears.
Figure 27: Re-synchronize Authenticator
12. Press a button on the OTP device and enter the password generated from the device in the First
Passcode field.
13. Press and generate another password on the OTP device and enter the password generated from
the device in the Second Passcode field. The Re-sync button is enabled.
14. Click Re-sync. The OTP Device is now synchronized with the user name and ready to be used.
1.8 Configuring RADIUS Server
The Remote Authentication Dial In User Service (RADIUS) is a protocol used for remote user
authentication and accounting. The RAC system sends the authentication request to the RADIUS server. The
RADIUS server communicates with the SafeWord Authentication Server to validate the request.
To configure RADIUS Server:
1. Go to Start All Programs Aladdin SafeWord Configuration RADIUS Server
Configuration. The SafeWord RADIUS Server Configuration Web page appears.
Figure 28: SafeWord RADIUS Server Configuration
2. Click Authentication Engine to provide details of the SafeWord Authentication Servers. The
Authentication Settings window appears.
3. In the Host name/IP address field, enter the host name/IP address of the machine where the
SafeWord Authentication Servers are installed and will be used for authenticating requests.
4. Enter the port number in the Port Number field.
5. Click Apply to save and apply the settings. You are returned to the home page.
RISCO Group and its subsidiaries and affiliates warrants its products to be free from defects in materials
and workmanship under normal use for 24 months from the date of production. Because Seller does not
install or connect the product and because the product may be used in conjunction with products not
manufactured by the Seller, Seller cannot guarantee the performance of the security system which uses
this product. Seller's obligation and liability under this warranty is expressly limited to repairing and
replacing, at Seller's option, within a reasonable time after the date of delivery, any product not meeting
the specifications. Seller makes no other warranty, expressed or implied, and makes no warranty of
merchantability or of fitness for any particular purpose.
In no case shall seller be liable for any consequential or incidental damages for breach of this or any
other warranty, expressed or implied, or upon any other basis of liability whatsoever.
Seller's obligation under this warranty shall not include any transportation charges or costs of
installation or any liability for direct, indirect, or consequential damages or delay.
Seller does not represent that its product may not be compromised or circumvented; that the product
will prevent any personal injury or property loss by burglary, robbery, fire or otherwise; or that the
product will in all cases provide adequate warning or protection.
Seller, in no event shall be liable for any direct or indirect damages or any other losses occurred due to
any type of tampering, whether intentional or unintentional such as masking, painting or spraying on
the lenses, mirrors or any other part of the detector.
Buyer understands that a properly installed and maintained alarm may only reduce the risk of burglary,
robbery or fire without warning, but is not insurance or a guaranty that such event will not occur or that
there will be no personal injury or property loss as a result thereof.
Consequently seller shall have no liability for any personal injury, property damage or loss based on a
claim that the product fails to give warning. However, if seller is held liable, whether directly or
indirectly, for any loss or damage arising under this limited warranty or otherwise, regardless of cause or
origin, seller's maximum liability shall not exceed the purchase price of the product, which shall be
complete and exclusive remedy against seller.
No employee or representative of Seller is authorized to change this warranty in any way or grant any
other warranty.
WARNING: This product should be tested at least once a week.