The ID Server installation and setup is a simple and straight forward process. If this is your first time installing your On-Premise ID Server, please read the tutorial below and use the Installer, which will help you with the configuration and deployment.
Let us know if you have any questions or if you need assistance with a custom integration or feature.
Why bother? We offer a complete installation and configuration package and a ready-to-use turnkey solution.
The highest protection for your company data, total control with your own server. An On-Premise installation of the SecSign ID two-factor authentication server offers the flexibility to connect with your preferred servers, services, and devices. You can customize the SecSign ID with your own organization’s branding and protect your data on-site.
We offer Turnkey VM, JAVA Server, Windows or Linux.
Depending on your infrastructure, the ID Server can run on a physical system or as a virtualization in the cloud, for example AWS. Just make sure, that the system complies with the following minimum hardware requirements:
There are no specific requirements for the SecSign ID Server operating system, however it needs to be deployed on an environment capable of running the Java Runtime Environment. We recommend the newest stable Ubuntu Linux or a Windows Server.
3Network and Connectivity
Production Environment: The SecSign ID Server should be publicly accessible on port 443 (SSL), for the requests from web browsers and mobile devices. You need to get a domain for this interface and SSL certificates. The ID Server can be set up to obtain SSL certificates automatically via the Let’s Encrypt authority.
Testing Environment: One publicly accessible IP address is enough for testing the ID Server. If all clients and the ID Server reside in the same network, the IP does not need to be public. Please refer to the following steps to set up the environment.
All following commands and requirements are documented for Linux Ubuntu LTS and Windows Server 2016. Other OS versions or Linux flavors are very similar to set up.
1System & OS
We recommend the newest stable Ubuntu Linux. You can also use any other Linux flavor capable of running Java applications, the newest Apple OSX or a Windows Server. The Server can run on a physical system, as a local virtualization or in the cloud, for example AWS:
Depending on your needs and infrastructure, there is a vast amount of operating systems available, which are capable of running the Java Runtime Environment. Refer to the compatibility list if you are unsure.
For testing purposes, you can most likely just use your alredy running local Windows, Linux or OSX setup.
After setting up the OS, the Java Runtime Environment (JRE) needs to be installed. You can download the install packages for free at oracle.
We recommend creating a dedicated user ‘secsignid’, who gets all the rights to start and stop the server
Any of the following databases may be used: Apache Derby, IBM DB/2, Microsoft SQL Server, MySQL (with InnoDB Storage Engine), Oracle, PostgreSQL, Sybase/SAP. Default is Apache Derby and will be installed and configured automatically.
The SecSign ID Server interface handles the authentication requests from web services and the users smartphones to accept or decline the authentication.
To ensure easy and secure encrypted communication, you need to assign a domain to your server IP and create a valid SSL certificate:
The SecSign ID Server should be accessible on port 443. Since ports below 1024 are reserved for root, you have two options:
Option 1) We recommend port redirection at the firewall/router configuration or using iptables to redirect external port 443 to another internal port. This way, the SecSignID Server can run using any ports, for instance 25100 for SecSignID app requests and the web interface. The internal interface port will be redirected, so it is available on external port 443.
Option 2) The SecSignID Server may be started directly listening on port 443 with root privileges. If ‘secsign’ is not root, you can use
authbind: Use authbind to grant one-time access, with finer user/group/port control. Install authbind using your favorite package manager and configure it to grant access to the relevant ports, e.g. to allow 443 from all users and groups:
sudo apt-get update
sudo apt-get install authbind
sudo touch /etc/authbind/byport/443
sudo chown secsign /etc/authbind/byport/443
sudo chmod 755 /etc/authbind/byport/443
authbind --deep /path/to/binary
setcap on the Java binary would allow any Java Application to also bind to 443, which might be a security risk.
When the interface is set up, you need to point your domain name to your IP addresses. Your DNS (or the DNS of your domain name registrar) needs to be informed by creating an A Record (or ‘address record’). It specifies if your users need to add the custom port number or can just enter the HTTPS address:
|Interface Name||IP Address||Port||URL|
|SecSign ID Server interface||126.96.36.199||443||https://idserver1.secsign.com|
|SecSign ID Server interface||188.8.131.52||25100||https://idserver1.secsign.com:25100|
You can use your own SSL certificates (in *.der or *.pem format) or use the Let’s encrypt service, which will generate valid SSL certificates during the server installation automatically.
1. Only for testing purposes, one local IP address may be sufficient. Ports below 1024 are reserved for root, however the SecSignID Server can run using any ports (for instance 25100 for SecSignID app and web requests). You can configure the port later with the Installer.
2. To ensure secure encrypted communication between the ID Server, mobile phones and web services, you need valid certificates. The ID Server can generate valid certificates via Let’s Encrypt automatically. Since you might test the SecSign ID Server on a local machine, without a publicly static IP or domain, you need a dynamic dns service, which is easy to set up. Just choose a domain name and insert your IP address after registration. With this service, you’ll have a web address which routes to your machine.
3. You can generate your own self-signed SSL certificates or use the Let’s encrypt service, which will generate valid SSL certificates during the server installation automatically.
Expand the distribution zip in a location of your choice, f.i. under
/opt/, creating a directory
/opt/SecSign-ID-Server. If you choose another working directory, you have to edit the start files and change the server path later. Change ownership of this directory to the user that will be running this process
unzip SecSign-ID-Server-version-N.zip -d /opt
chown -R secsignid /opt/SecSign-ID-Server
If your working directory is not under
/opt/SecSign-ID-Server/ you have to adjust the starting script
SecSign-ID-Server.sh (Linux) or
SecSign-ID-Server.bat (Windows) to point to the desired directories.
There are four Parameters to be edited in the starting scripts:
# the username (unix user) the server is running under when started
# where the server lives
# where to find the "java" executable
### Add JDBC library - uncomment one of the lines below
### [and edit to point to the correct JDBC library]
Adjust the JAVA parameter according to the version of Oracle Java installed.
If you choose to use another database (alternative to the Apache Derby Database included by default) adjust the CLASSPATH parameter according to the database chosen.
After you have copied your files to the server directory and created the user ‘secsignid’ (like described above), it is time to start the SecSignID Server:
chmod 755 SecSign-ID-Server.sh
If you have Problems starting the server, check out 11. Troubleshooting. All logs and debug files are located in your working directory. Usually
After the first server start, the Installer will be activated, the output of the console displays the address & port. Don’t worry, that the Server is not listening on 25100 (last line of output). We’ll change that with the installer.
Usually, the Installer binds to all available interfaces on port 28080. Use a web browser and open the Installer, for example https://ubuntu:28080 on your local machine or http://192.168.202.223:28080 on another machine inside the network if available. To find your server ip address, type ‘ifconfig’ (‘ipconfig’ for Windows) into the terminal.
In install mode, you’ll be able to tweek the settings to get your ID Server going in most standard scenarios. The Installer can create cetrificates and a Derby database automatically. The SecsignID Server will be bound to all interfaces on port 25100. This can be usefull for testing the server, fast deployment or for external/internal port mapping.
If you are looking for custom settings, just click on ‘Show Advanced Settings’ to display more possibilities to configure your ID Server
When everything is set up, it’s time to deploy the SecSignID Server. Just click on the last option “Deploy after Server Restart”, this will deactivate the Installer.
Restart the Server with
The console or terminal should now tell you, that it is listening on the mobile port (default is 25100). If it is not listening, scroll down to 11. Troubleshooting
If your server is up and running (not in install mode), you can create your first SecSignID on your mobile app. This ID will get admin rights automatically. Following IDs don’t get any rights except locking and unlocking their ID and a profile page. To set up your admin account, do the following:
The following settings are based on our public available SecSignID Apps. If you ordered a custom app, the ID setup may be different and easier. Depending on customizations, the server URL may be preconfigured, or you have to login with your LDAP credentials to create a SecSignID. The UI might be brand specific.
Use an internet browser and open the Admin URL, you specified earlier, for example admin.your-domain.com.
You don’t have to choose a long and complicated name, a simple easy to remember SecSignID is sufficient. After entering the ID, the login page will display a QR code.
Note: If you prefer a specific naming pattern for your users, our custom apps offer easy onboarding and custom user enrollment. Besides a company specific design or integration, there are several easy ways to set up your user accounts. For example, automatically use their Active Directory name, email address or lastname.companyX. Set up all accounts as the administrator or send user specific activation links or let your users choose a name with set prefix or suffix
This will open the camera app to scan the QR code.
Your PIN will never be transmitted or stored. It will be used only to secure your private key on your mobile device.
For iPhone users the touch authentication is set on default. To use the PIN for authentication simply change the ID settings. For Android users the fingerprint authentication can be setup in the corresponding settings.
This is your SecSignID for the first admin, which is bound to your mobile device. The Server will initiate a 2FA right after creating your new ID in order to log into the dashboard. You will receive a notification (if you activated and configured) – otherwise, just open the SecSignID app and tap on your user ID. After you provide your PIN or finger print, you’ll see the access symbols. Tap the matching access symbol.This provides final confirmation that you initiated the login and completes the authentication process.
The admin area also contains your ID Server management, where you can change user details and ID status, manage user groups, PIN accounts, certificates, data processes, workflows, SSO settings, LDAP directories and see usage statistics.
It is a useful tool to handle user accounts and manage ID Server related settings.
Easy self-enrollment for users with your specifications or you want your users to use their company ID? It’s your decision. There is no need to transfer any user data to our server. You are in control, always. You have specific requirements? Contact us for customized solutions.
Give your users the option of inline self-enrollment or bulk self-enrollment, no need for administrative guidance.
Simply let the users generate their own ID with their next login. You have no control of what SecSignID names your users choose. This is the default setting.
Send activation links to your users. With this link, they activate their account on their smartphones and are ready to go. This is a custom function, which depends on your preferences and Identity System. This function needs to be inquired separately, contact us to learn more.
Automatic Enrollment enables you to control the ID creation process via your already setup user management system.
LINK YOUR USER MANAGEMENT SYSTEM
Your users enter their user management data and they automatically get an ID assigned. No hassle for you and your users, as easy as on-boarding gets. Perfect for predefined user names or naming patterns. A custom ID app can facilitate AD/Ldap Login and automatic SecSignID creation based on user accounts.
This function needs to be inquired separately. Get in touch to learn more about custom ID Apps.
ASSINGING AN ID
We offer several Plugins and APIs, which can handle user self enrollment. Let your users register with just their SecSignID to create a new account. Or they can login with their old username & password and additional SecSignID, to bind the ID to the user account. Alternatively, your users can go to their profile pages to set up their SecSignID.
The administrator is always able to change, update or block SecSignIDs.
To ensure the health of your SecSignID Server and minimize outages, we recommend the following maintainance operations:
If you decide to purchase the Support Plan for Managed On-Premise, our specialists will handle initial system integration, user enrollment, updates and backups of your authentication system. A dedicated technician will take care of every step involved, to have all the benefits of an On-Premise Server without the additional overhead of integration, maintenance and troubleshooting.
We offer a vast amount of additional features, so you can integrate your On-Premise SecSignID Server into your existing infrastructure and make secure authentication worry free – for your users and administrators. Click on the Add-Ons to discover how easy it is to enhance your infrastructure:
Give your users the possibility to log in with their SecSignID only ONCE to securely access all of their corporate apps and services. No risk for access to 3rd-party sites, no passwords or lost/stolen user credentials, all logins are under your control. This greatly increases productivity while keeping data secure.
With this additional feature, your users log into the admin area of your ID Server and have (beside their profile information etc.) a summary with all services, they are allowed to use. They can use an app or service with just one click. Easy integration policies ensure an effortless user and service management.Read more
Provide your users with uncompromising security and simplify the workflow. Add two-factor authentication to your local user management (Active Directory) and provide your users with easy authentication for numerous services. The SecSign ID server can readily be integrated with your active directory, LDAP or your individual user management system by using our convenient interfaces and plugins.
Control the SecSign ID naming, for example use of the company’s Email address. The information can be integrated directly from your user management system and privacy policies are enforced based on your requirements. The registration is even easier and you don’t need to worry about compliance.Read more
OAuth is an authentication protocol that allows for the interaction between two applications without revealing the login credentials. Most websites and applications offer the possibility to connect accounts with existing accounts with the standard OAuth2.0 protocol (RFC 6749).
An OAuth provider login can be secured with the SecSignID two-factor authentication and your On-Premise ID Server can also act as the provider itself.Read more
Use SecSign ID to enable two factor authentication on your Windows Server with an easy and highly secure user login using iOS or Android mobile devices.
Or deploy a Cisco ASA firewall device, which offers a coordinated combination of hardware, hardened operation system and firewall software. It implements an encrypted remote access to company applications and shared resources via for example SSL or IPsec. SecSign ID can be integrated in the existing system and offers secure two-factor authentication for your VPN service.
Use your local Active Directory for authentication at cloud services and secure access with our SecSign ID on-premise Two-Factor Authentication server.
The authentication is redirected via the Active Directory, secured with your on-premise SecSignID server. The authentication takes place on the local ID server. That way all user can be managed and controlled local in the Active Directory. No sensitive data is ever transmitted to the cloud service.
Enforce mandatory company-specific regulations and standards for every login and monitor access rights. Secure two-factor Authentication for ALL logins. Self-enrollment, Automatic Enrollment or Administrative Enrollment makes it easy to integrate.Read more
For reliability and fail-safe operation it is possible to run more than one instance of the SecSign-ID-Server parallel, either with redundant servers behind a single hostname or with replicated server.
A Load Balancer can distribute traffic and control the individual server workload. Critical services with high peak requests can utilize a dynamic cluster of virtual machines to adjust to changing server and network requirements
Besides the available PIN code and fingerprint authentication, we offer a variety of custom second factors to fit your company’s needs. Utilize SMS messages, security cards or tokens, face recognition, vein or iris scanners and so on.
Get in touch to find out, if we can deploy and integrate your custom 2nd factor.Contact us
Maximize user compliance and reduce expenses with customized onboarding and self enrollment with your on-premise SecSign ID server. We develop your Two-Factor Authentication app in your corporate design based on your vision – Maximum brand recognition for your customers.
SecSignID can also be integrated into existing iOS / Android / OSX / Windows Apps. We offer a SDK to easily integrate your on-premise authentication service.
You have special requirements for your authentication service? We will be by your side, to utilize other authentication factors or integrate the SecSignID into custom environments and systems. Get in touch, to discuss your specific requirements.Contact us
The highest protection for your company data, total control with your own server. Exchange of large files and messages, digital signatures and more – always encrypted and protected with Two-Factor Authentication. It’s like Email, just better: Encryption on all levels, truly secure user authentication, no spam, unlimited sized files, cloud sharing and collaboration. Your individualized portal with your logo, your URL and company branding. With the SecSign Portal you can collaborate with other users, sign and share legal documents.
Compliance with international and national regulations, legally binding signatures and applications for both companies and private users. Implement advanced or qualified (QES) signatures and design your workflows to comply various regulations (eIDAS, FDA, …).
For reliability and fail-safe operation it is possible to run more then one instance of the SecSign-ID-Server parallel, either with redundant servers behind a single hostname (sharing the same database) or with replicated server. Both methods can also be combined.
After successful configuration and operation start of the first instance, simply start another or several copies of the first SecSign-ID-Server instance, all accessing the same database (completely duplicating the configuration of the first instance, optionally changing ports or hostnames as required). It is also possible to use a load balancing router behind the single public-hostname to distribute requests across the multiple SecSign-ID-Server instances. For optional additional database fail safe operation you may also use a database cluster (adjusting the secpkidb.URLProtocol property accordingly, as required for the specific database).
Both the first and the remote (fallback) sites may use local redundancy with multiple SecSign-ID-Server instances and load balancing router or also cluster database instances.
As protection against complete failure of the computer center or its internet access, you may choose to install a ‘fallback’ replicated SecSign-ID-Server at a remote site. This will use its own independent database and will be automatically found by the mobile devices if the host names follow the naming rule described below. This will allow the use of the safe encrypted replication provided by the SecSign-ID-Server over the public internet.
1 – After successful configuration and start of the first instance, install a copy of the first instance at a second remote site accessible through a second public hostname and using another database instance.
2 – At the remote site, start the installer, go to manual installation and adjust the database settings (or edit it in SecSign-ID-Server.properties). Deploy & restart.
3 – Start the installer at the first instance, go to manual installation and adjust the fallback server settings in the tab “6. Advanced” to something like
Alternately, you can edit the parameters seccommerce.secappserver.0 and seccommerce.secappserverport.0 in SecSign-ID-Server.properties. Additional fallback SecSign-ID-Server instances can be installed at further remote sites and configured using “seccommerce.secappserver.1” and so on.
In order for the mobile devices to automatically find the fallback server (in case the access to the first instance fails), the public domain name should be defined according to a simple naming rule as in the example:
id1.public-domain-here.com (main SecSign ID Server)
id2.public-domain-here.com (fallback Server)
id3.public-domain-here.com (second fallback Server)
At the mobile device SecSign-ID-App the user only needs to configure the first hostname, the App will determine alternative name when the access to the first instance fails and automatically try to access the other hostname.
Sure, we can assist you set up everything or perform the whole installation and configuration. Just let us know while ordering or contact support.
Yes, we offer ready to use turnkey solutions, configured by our experts. You do not need to do anything. The default configuration is the latest Ubuntu Linux, the fully configured SecSignServer with a Derby Database. We also offer custom configurations and advanced system integration. You can find the option on our ordering page or contact support.
/opt/SecSign-ID-Server/SecSign-ID-Server.properties (or your custom server directory) and change the first property to:
Restart the server with
And open the Installer URL with an internet browser.
The Installer is just a little tool, which helps you to set all parameters in
/opt/SecSign-ID-Server/SecSign-ID-Server.properties (or inside your custom server directory). It is intended to be a helper for first time installations. You need to stop the server operation in order to start the Installer.
However, you can just edit all parameters during operation in
/opt/SecSign-ID-Server/SecSign-ID-Server.properties (or inside your custom server directory). The changes will be active after server restart.
If the Installer port is already in use, it cannot bind and fails to start. The default port is 28080. You can either stop the blocking service or change the installer port.
To change the installer port, open
/opt/SecSign-ID-Server/SecSign-ID-Server.properties (or inside your custom server directory), search “secwebserver.port” and change it to your preferred port.
If there was no error during the server start, and you did not click on “deploy server” so far, you need to find the IP address and port. The Installer will try to bind to all available IP addresses and interfaces on port 28080.
To find the available IP addresses, type
ifconfig in a Linux terminal or
ipconfig in a Windows power shell. Open an internet Browser like Firefox and type for example: http://192.168.202.155:28080
You can switch between the Installer modes without problem (just don’t forget to save). Just use the button “BACK TO MAIN MENU” and choose another Install mode.
If you already deployed the server, open
/opt/SecSign-ID-Server/SecSign-ID-Server.properties (or inside your custom server directory) and change the first property to:
Restart the server with
And open the Installer URL with an internet browser.
If you get an error, that this website cannot be displayed or a timeout, you are most likely trying to open the wrong address (see “I can’t find the Installer URL”).
If you reload the page and still have trouble, contact us and we’ll help you setting up your ID Server.
Server Start Errors
Here is a list of what can go wrong during server start. All Error Messages will be displayed at the terminal or console and saved in the logs:
You try to start the server from a different directory. Move to the working directory (default:
/opt/SecSign-ID-Server/) and try again:
This is a common error, when another service uses the port, so the SecSignID Server cannot use it. In this case, stop the other service or activate the Installer again and change the port.
It also occurs when the same instance of the SecSignID Server is started twice on the same ports.
Your license was issued for a previous Version of the ID Server. Please contact support to get a new license.
If the Server is not able to locate the license file, you’ll get an error like the following:
ERROR: Cannot load licence file ./secPKIWrongLicenceIDServer.pkcs7: java.io.FileNotFoundException: ./secPKIDemoLicenceIDServerr.pkcs7 (No such file or directory)
We usually provide the license file and all license related settings, when you get the server files. Make sure, that there is a license file (*.pkcs7) in your server working directory and copy the filename. Fire up the Installer and open the Manual Installation. You can check the license file an location in the first tab. It should be something like “./SecSign-ID-CompanyName-Licence.pkcs7”.
If you license file is missing, contact us to get a new license file or if you are a new customer purchase a the ID Server incl. license.
In the default setting, your SecSignID Server sends emails to the administrator, if an error occurs. This can be changed in the “Manual Installation” mode under the tab emails. Your ID Server was not able to send an email via any of the configured mail servers. Please open the Installer again and change your SMTP settings in the “Quick Installation” or “Manual Installation” mode. If the error persits, make sure that the machine with the ID Server is able to connect to the mail server – check firewalls and so on.
ID App Errors
Here is a list of what can go wrong setting up your (first) SecSignID. All Error Messages will be displayed in the iOS/OSX/Android/Windows App:
The app cannot reach the SecSignID Server. This can happen for several reasons:
You can check if the server actually listens on the mobile port by typing for example: (Ubuntu)
netstat -tulnp | grep 4434
The app is just able to connect to the ID Server with a valid SSL certificate. The Installer lets you choose between automatic certificate creation via “Let’s Encrypt” and manual certificate files. In both cases, make sure that your server has valid certificates for your domains. If you just want to test the ID Server with an internal IP address, you have to create your own certificates, with an intermediate certificate (see “Manual certificate creation” settings in the Installer)
Keywords: two-factor authentication, 2fa, SecSign ID, Cisco, ASA, VPN, ASDM, ESXi
We provide an ever growing list of APIs and plugins to easily integrate the SecSign ID Two-Factor Authentication in any project. An overview is available at Plugin and APIs.
We do not only offer APIs in different programming languages but also plugins for CMS, Server and VPN environments, oAuth2 and many more. These plugins use our APIs and offer additional functionalities, for example user management, easy and native installation, logging or integration in firewalls or Active Directory.
The JIRA plugin for example uses the JAVA-API. The PHP-Api and JS-API is used by WordPress, Joomla, Drupal, Typo3 and many more. The ASP.net/C#-API is used for the Windows and Cisco VPN and the C-API is used for protecting Unix SSH services. The Objective-C API is used by our AppleTV and iPhone/iPad apps.
You can experience the SecSign ID two-factor authentication and the two-factor login by simply integrating the plugin into your website or test environment. Or you can try out the login process on our website without having to register first. You already have a SecSign ID or you want one? Login now and use the portal or use our hassle free registration.
See for yourself how fast and convenient the login process using challenge-response authentication with 2048-bit key pairs is. There is no need for passwords, and no passwords or other confidential information are ever transmitted. It is easy to integrate and simple to use.
For more information about the patented SafeKey procedure and it's unique security can be found here.
If you are missing an API for the programming language you are working with, feel free to contact us and we’ll find a solution with you. If you need help with the integration into an existing system or you can’t find the plugin for your content management system you are working with, don’t hesitate to contact our support team.
Choose between our SecSign ID Cloud or operate your own on-premise Two-Factor Authentication server.
Operate your own YourBrand ID app - Two-Factor Authentication customized to your needs.
Integrate SecSign ID Two-Factor Authentication in existing apps with our ready-to-use SDK.
Use the Two-Factor Authentication Server to secure your company Active Directory/LDAP. Your own Identity and Access Management System, for example for mandatory updates and additional security features.
Integration in any login environment: web, local, VPN, remote desktop, mobile logins and many more.
No need for complex integration: we have plugins for almost all environments.
Want to learn more about SecSign’s innovative and highly secure
solutions for protecting your user accounts and sensitive data?
Use our contact form to submit your information, and a SecSign sales representative will contact you within one business day.
If you need assistance with an existing SecSign account or product
installation, please see the FAQs for more information on the most common questions. You don’t find the solution to your problem? Don’t hesitate to contact the
I am Interested in