iO Identity Agent
The high performance Identity Agent that enables roaming efficiency, whether on virtual Windows desktops or any mobile tablet device – Windows, iPad/iPhone and Android
Pre-requisites
The iO Identity Agent itself requires:
- an N3 network connection with access to the Spine
- a working smartcard reader
- an NHS smart card, containing a valid NHS Spine Session certificate
- Java (JRE), additionally required for certain National Applications such as the NHS Portal and SCR
It is important to ensure that the environment is clean before installing iO and that various other
components are installed in the correct order. Failure to do so will result in problems, either with iO
operating incorrectly or applications failing to authenticate.
Installation
To ensure a clean environment, follow these steps in order:
1. Exit and remove any previously installed NHS/HSCIC IA software
2. Uninstall Java
3. Remove any instances of TicketApiDll.dll and GATicket.jar files (including any with .io extensions)
4. Restart the machine
5. Install Java (JRE)
6. Install Gemalto Classic Client (required by Impax, SystmOne, etc.)
7. Install any PACS software
8. Finally, install Isosec iO Identity Agent (always install iO last, after all other software has been installed)
The iO installer will make a number of changes to the environment:
- Install the latest NHS Root and Sub CA Certificates (if not already present)
- Append the Internet Options trusted sites for the NHS Portal and NHS Terms and Conditions sites
- Fix any problems with other software (hence why it must be installed last)
© Isosec Ltd 2017
www.isosec.co.uk
Registration Authorities
Registration Authorities will need to ensure that the Oberthur Middleware is installed on the
Registration Machine. AWP is required in order to facilitate the production of a new or updated card.
This software can be downloaded from:
www.isosec.co.uk/GSL/AWP_5.2.0_RC3_NHS_Admin_64-bit.msi
www.isosec.co.uk/GSL/AWP_5.2.0_RC3_NHS_Admin.msi
Firewall
To comply with the iO software licence and auditing, the following firewall rule must be created. Failure to do this will result in an audit failure message, which will prevent the user from authenticating.
- Allow *isosec.co.uk for ports 80 and 443
Configuration for Dell integrated smartcard reader keyboards
A Dell keyboard with an integrated smartcard reader must be reconfigured to use the Microsoft driver instead of the Dell one.
The Microsoft driver is included in any machine running Windows 7 or higher. To switch to it, follow these instructions:
1. Open Device Manager and open the drop down menu on keyboards/smartcard reader keyboard
2. Right click on your keyboard and select the Update Driver Software option
3. Select Browse my computer for driver software
4. Select Let me pick from a list of device drivers on my computer
5. Tick the Show compatible hardware box, then select the Microsoft Usbccid Smartcard Reader (WUDF) driver listed and select Next
6. The driver will install
7. Restart the machine
Configuration
There are a number of settings that control the behaviour of iO – these are stored in ISOSEC.properties
(Program Files\Isosec\iO Identity Agent). This file also contains the licence information. iO must be
restarted for any changes in the ISOSEC.properties file to take effect.
Following are the optional properties (stored in the product name section), with example values and
meaning:
CMD_Browser
    Example value: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Meaning: Location of browser executable, used for LaunchURI and Auth State URLs
CMDList_ProcessOnCardPresence
    Example value: C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
    Meaning: Semi-colon separated list of executable locations to launch on Card Presence
CMDList_ProcessOnCardRemoval
    Example value: tsdiscon.exe
    Meaning: Semi-colon separated list of executable locations to launch on Card Removal
CMDList_ProcessOnPostAuthentication
    Example value: C:\Program Files\Internet Explorer (x86)\iexplore.exe https://portal.national.ncrs.nhs.uk
    Meaning: Semi-colon separated list of executable locations to launch on Authentication
CMDList_ProcessOnReconnect
    Example value: C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
    Meaning: Semi-colon separated list of executable locations to launch on Reconnect
CMDList_ProcessOnStart
    Example value: C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
    Meaning: Semi-colon separated list of executable locations to launch on Start
CMDList_ProcessKillOnCardRemoval
    Example value: iexplore.exe;RegTool.exe
    Meaning: Semi-colon separated list of process names to kill on Card Removal
CMDList_ProcessKillOnDisconnect
    Example value: RegTool.exe
    Meaning: Semi-colon separated list of process names to kill on Disconnect
CMDList_ProcessKillOnExit
    Example value: notepad.exe;calc.exe;cmd.exe
    Meaning: Semi-colon separated list of process names to kill on Exit
CMDList_ProcessKillOnPostDeauth
    Example value: iexplore.exe
    Meaning: Semi-colon separated list of process names to kill on Deauthentication
STR_Cert_Issuer_Pattern
    Example value: NHS Level 1A;SubCA02;TSPINE_SubCA;NIS4_SubCA
    Meaning: Semi-colon separated list of Certificate Issuer Patterns that match the certificate issuer present on user smart cards
STR_Cert_Issuer_Removal_Pattern
    Example value: NHS Level 1A;NHS Level 1B;SubCA02;NIS1_SUBCACC;TSPINE_SubCA;TSPINE_SubCACC;NIS4_SubCA;NIS4_SubCACC
    Meaning: Semi-colon separated list of Certificate Issuer Patterns that match the certificate issuer present in the user's personal cert store to be removed on authentication, so that only the current user's smart card certificates are present
URL_SpineActivateRequest
    Example value: https://gas.national.ncrs.nhs.uk/login/authactivate;https://gas.nis1.national.ncrs.nhs.uk/login/authactivate;https://gas.tsp.national.ncrs.nhs.uk/login/authactivate;https://gas.vn1.national.ncrs.nhs.uk/login/authactivate
    Meaning: Semi-colon separated list of URLs for Spine Authentication activation requests (matching STR_Cert_Issuer_Pattern semicolon order)
URL_SpineRoleSelection
    Example value: https://sbapi.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp;https://sbapi.nis1.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp;https://sbapi.tsp.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp;https://sbapi.vn1.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp
    Meaning: Semi-colon separated list of URLs for Role Selection (matching STR_Cert_Issuer_Pattern semicolon order)
FLAG_BlankScreenIgnoreAuthState (introduced version 4.1)
    Example value: 1
    Meaning: Blank Screen on reconnect, regardless of auth state.
FLAG_BlankScreenOnCardRemoval
    Example value: 1
    Meaning: Blank Screen on card removal, to cover user's workspace/desktop
FLAG_DisableBlankScreenOnReconnect
    Example value: 1
    Meaning: Disable Blank Screen on reconnect, to cover user's workspace/desktop during authenticated card verification
FLAG_DisableLaunchURIonAuthSuccess
    Example value: 1
    Meaning: Disable Launch URI returned as part of the Role Selection response. Generally used for new users to accept Spine/Portal terms and conditions
FLAG_DisableMenuItemCancelLA
    Example value: 1
    Meaning: Disable 'Cancel LA' menu item entry
FLAG_DisableMenuItemLA_Switch
    Example value: 1
    Meaning: Disable user switching of Options menu 'Local Auth' menu item entry
FLAG_DisableMenuItemLockScreen
    Example value: 1
    Meaning: Disable 'Lock Screen' menu item entry
FLAG_DisablePinReAuth (Callisto Only)
    Example value: 1
    Meaning: Disable PIN entry during authenticated user verification. Handy for allowing users to continue with their work, unprompted, if the smart card is always going to be present
FLAG_DisableRoleSelection
    Example value: 1
    Meaning: For some Spine authentications there is no response from the Role Selection URL. In such cases disabling the Role Selection is useful (e.g. in 'Choose & Book' environments)
FLAG_DisableSlotNotificationIcon
    Example value: 1
    Meaning: Disable system tray icon for active Card Reader status (card presence)
FLAG_DisableSpineSessionPersistence (Callisto Only)
    Example value: 1
    Meaning: Disable Spine Session Persistence, do not retain spine session when smart card is removed
FLAG_DisconnectOnCardRemoval
    Example value: 1
    Meaning: Disconnect on card removal
FLAG_LargeDialogSize
    Example value: 1
    Meaning: Use large dialog size; if set then all dialogs are double the normal size, which is handy for tablets
FLAG_LaunchURIandProcessPostAuth
    Example value: 0
    Meaning: If FLAG_DisableLaunchURIonAuthSuccess is not set, and a Role Selection response URI is launched, continue with CMDList_ProcessOnPostAuthentication
FLAG_LocalAuth (LA Only)
    Example value: 1
    Meaning: Launch iO in Local Auth mode
FLAG_LockScreenOnCardRemoval
    Example value: 1
    Meaning: Lock Screen on card removal, to cover user's workspace/desktop, requiring authenticated card verification to resume
FLAG_NoAuth
    Example value: 1
    Meaning: Don't perform an authentication
FLAG_NoAuthCloseSlotSelectionDlg
    Example value: 1
    Meaning: When FLAG_NoAuth is set, close Slot Selection dialog
FLAG_ReverseRoles
    Example value: 1
    Meaning: Reverse the order of the roles in the Role Selection dialog
FLAG_SeparatePinFailDlg
    Example value: 1
    Meaning: Display a separate Pin Fail dialog after an incorrect/invalid pin has been entered
STR_DefaultRoleID
    Meaning: Default role to select, by ID number. Useful for automating testing
STR_Passcode
    Example value: Password
    Meaning: Change the word Passcode in dialogs to the string present here
STR_ProxyUserPass
    Meaning: username:password colon separated pairing for proxy user validation, for auditing
TIMEOUT_Authentication
    Example value: 600
    Meaning: Timeout, in minutes, before the ticket is destroyed (automatic logout is performed)
TIMEOUT_Challenge
    Example value: 20
    Meaning: Timeout, in seconds, before a fresh challenge is requested
TIMEOUT_MediumInactivity
    Example value: 60
    Meaning: Timeout, in seconds, before the display is blanked. Useful for privacy on tablets
TIMEOUT_LongInactivity
    Example value: 180
    Meaning: Timeout, in seconds, after TIMEOUT_MediumInactivity before validation is required to return from a blanked display. Useful for privacy/security on tablets
TIMEOUT_LogoutInactivity
    Example value: 600
    Meaning: Timeout, in seconds, after TIMEOUT_MediumInactivity and TIMEOUT_LongInactivity before the user is automatically logged out. Useful for security on tablets
TIMEOUT_ReconnectPrompt
    Example value: 60
    Meaning: Timeout, in seconds, before the verification dialog that appears on reconnect is automatically cancelled. The timeout refreshes on user input
TIMEOUT_Card_Status_Change
    Example value: 0
    Meaning: Timeout, in seconds, before iO checks for a change in card behaviour
Following are the permanent Licence section properties, with meaning:
FLAG_Audit
    Meaning: Non-optional. iO sends the unique user ID to Isosec audit servers, upon each successful authentication, to check against licence guidelines. iO will never be disabled or stop working if user numbers are abnormally high; instead a friendly e-mail will be sent (some trusts find this handy to get an idea of how many unique users they have). No other information, other than that contained in the [Licence] section of the ISOSEC.properties file, is sent to the audit servers. This information is sent encrypted, over port 80, so cannot be intercepted.
FLAG_Callisto
    Meaning: Available as an optional extra, enables the following optional entries to be used:
    - FLAG_DisablePinReAuth
    - FLAG_DisableSpineSessionPersistence
FLAG_Eval
    Meaning: Set for evaluation versions of iO. There is absolutely no difference, software wise, between the evaluation and release versions of iO. It purely comes down to the ISOSEC.properties file used
FLAG_LA
    Meaning: Available as an optional extra, enables the following optional entries to be used:
    - FLAG_LocalAuth
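The optional properties and the Licence section above carry rules a deployment can get wrong: the URL_SpineActivateRequest and URL_SpineRoleSelection lists must line up entry-for-entry with STR_Cert_Issuer_Pattern, the Callisto and LA entries need their licence flag, and the three inactivity timeouts run one after another. The following Python checker is an added example, not Isosec's own code; it assumes ISOSEC.properties is INI-style with the optional properties in a section named "iO Identity Agent" (an assumption) and a [Licence] section, and the sample file is constructed.

```python
"""Sanity checks for an iO ISOSEC.properties file (added example, not Isosec's own code). Assumes an
INI-style file: optional properties in a product section (name "iO Identity Agent" assumed) plus [Licence]."""
import configparser

# Constructed sample with two deliberate problems: a short URL_SpineRoleSelection list and
# FLAG_DisablePinReAuth set without the FLAG_Callisto licence entry it depends on.
SAMPLE = """[iO Identity Agent]
STR_Cert_Issuer_Pattern=NHS Level 1A;SubCA02;TSPINE_SubCA
URL_SpineActivateRequest=https://gas.national.ncrs.nhs.uk/login/authactivate;https://gas.nis1.national.ncrs.nhs.uk/login/authactivate;https://gas.tsp.national.ncrs.nhs.uk/login/authactivate
URL_SpineRoleSelection=https://sbapi.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp;https://sbapi.nis1.national.ncrs.nhs.uk/saml/RoleSelectionGP.jsp
TIMEOUT_MediumInactivity=60
TIMEOUT_LongInactivity=180
TIMEOUT_LogoutInactivity=600
FLAG_DisablePinReAuth=1
[Licence]
FLAG_Audit=1
"""
# Optional entries that the guide says need a licence flag before they can be used.
LICENCE_DEPENDENCIES = {"FLAG_DisablePinReAuth": "FLAG_Callisto", "FLAG_DisableSpineSessionPersistence": "FLAG_Callisto",
                        "FLAG_LocalAuth": "FLAG_LA"}
INACTIVITY = ("TIMEOUT_MediumInactivity", "TIMEOUT_LongInactivity", "TIMEOUT_LogoutInactivity")

def split_list(value):
    """Split a semi-colon separated property value, dropping empty entries."""
    return [v.strip() for v in value.split(";") if v.strip()]

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep property names case-sensitive
    cp.read_string(text)
    return cp

def seconds_to_auto_logout(text, section="iO Identity Agent"):
    """The three inactivity timeouts run one after another, so the total is their sum."""
    return sum(int(load(text)[section].get(k, "0")) for k in INACTIVITY)

def check_properties(text, section="iO Identity Agent"):
    cp = load(text)
    sec, lic = cp[section], cp["Licence"]
    findings = []
    issuers = split_list(sec.get("STR_Cert_Issuer_Pattern", ""))
    for key in ("URL_SpineActivateRequest", "URL_SpineRoleSelection"):
        urls = split_list(sec.get(key, ""))
        if len(urls) != len(issuers):  # entries are matched to issuers by position
            findings.append(f"{key} has {len(urls)} entries, STR_Cert_Issuer_Pattern has {len(issuers)}")
    for flag, needs in LICENCE_DEPENDENCIES.items():
        if sec.get(flag) == "1" and lic.get(needs) != "1":
            findings.append(f"{flag} set but [Licence] lacks {needs}")
    if lic.get("FLAG_Audit") != "1":
        findings.append("FLAG_Audit missing from [Licence]; users will fail the audit check")
    return findings
```

Run it against a real file with check_properties(open(path).read()); an empty list means the three rules hold.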