Hid Cp1000 User manual

hidglobal.com

ASURE ID ICLASS SE

CP1000 DESKTOP ENCODER

USER GUIDE

PLT-01067

Version: A.7

July 2017

PLT-01067, Version: A.7 July 2017

This document may not be reproduced, disseminated or republished in any form without the prior

written permission of HID Global Corporation.

Trademarks

HID GLOBAL, HID, the HID Brick Logo, ICLASS SE, and FARGO are the trademarks or registered

trademarks of HID Global Corporation, or its licensors, in the U.S. and other countries.

Lumidigm is a registered trademark of Lumidigm, Inc.

MIFARE, MIFARE DESFire, MIFARE Classic, and MIFARE DESFire EV1 are registered trademarks of NXP

B.V. and are used under license.

Contacts

For additional offices around the world, see www.hidglobal.com/contact/corporate-offices.

Americas and Corporate Asia Pacific

611 Center Ridge Drive

Austin, TX 78753

USA

Phone: 866 607 7339

Fax: 949 732 2120

19/F 625 King’s Road

North Point, Island East

Hong Kong

Phone: 852 3160 9833

Fax: 852 3160 4809

Europe, Middle East and Africa (EMEA) Brazil

Haverhill Business Park Phoenix Road

Haverhill, Suffolk CB9 7AE

England

Phone: 44 (0) 1440 711 822

Fax: 44 (0) 1440 714 840

Condomínio Business Center

Av. Ermano Marchetti, 1435

Galpão A2 - CEP 05038-001

Lapa - São Paulo / SP

Brazil

Phone: +55 11 5514-7100

HID Global Technical Support: www.hidglobal.com/support

Contents

July 2017 PLT-01067, Version: A.7

Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

1.1 Main Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

1.1.1 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2

1.1.2 Administration Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2

1.1.3 Media Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3

1.1.4 Secure Object Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3

1.1.5 Secure Channel Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4

1.1.6 Credential Credit Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4

1.1.7 Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5

1.1.8 Plugin Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5

1.1.9 Work Orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6

1.1.10 Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6

1.1.11 Custom Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6

1.1.12 Custom Media Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6

1.1.13 Data Mapper Applications (HF Migration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6

Chapter 2: Encoder Application Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

2.1 Work Order Manager Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

2.2 Key Management Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

2.3 Reader Configuration Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

2.4 User Config Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

2.5 Home Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

2.6 File Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

2.7 Options Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

2.8 Language Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

2.9 Skins Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

2.10 Resources Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

2.11 Licensing Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

2.12 iCLASS SE Encoder Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

2.12.1 iCLASS SE Encoder Formats Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

2.12.2 iCLASS SE Encoder Plugins Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15

2.12.3 iCLASS SE Encoder Database Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

2.12.4 iCLASS SE Encoder Options Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18

2.12.5 iCLASS SE Encoder About Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19

Chapter 3: Setup and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

3.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

3.2 Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

3.3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

3.4 Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

3.5 Change Default Admin Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8

3.6 Add System Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8

Page iv

PLT-01067, Version: A.7 July 2017

Chapter 4: Initial Configuration (Startup) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

4.1 Plugin Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

4.2 Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

4.3 Upload Encoder Configuration Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

4.4 Custom Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Chapter 5: Work Order Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

5.1 Work Order Manager Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

5.1.1 Work Order Manager Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

5.1.2 Work Order Manager Configuration Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

5.2 Work Order Manager File Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

5.3 Open a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

5.4 Close a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

5.5 Create a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

5.6 Rename a Work Order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10

5.7 Delete a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11

5.8 Print a Work Order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12

5.9 File Save As a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

5.10 Export Work Order Data to a CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14

5.11 Export Work Order Data to a PDF File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15

5.12 Add a Work Instruction to a Work Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16

5.13 Edit a Work Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

5.14 Remove a Work Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20

5.15 Work Order Execution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

5.15.1 Add a Credential Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

5.15.2 To Add a Batch of Credential Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23

5.15.3 Remove Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

5.15.4 Execute Work Order on Selected Credential Records . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

5.15.5 Execute a Work Order on All Credential Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

5.15.6 Read Back . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30

Chapter 6: Work Instruction Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

6.1 iCLASS Work Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

6.1.1 iCLASS: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

6.1.2 iCLASS: Custom Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7

6.2 MIFARE Classic Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10

6.2.1 MIFARE Classic: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10

6.2.2 MIFARE Classic: Custom Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13

6.2.3 MIFARE CLASSIC: Move Genuine SO Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

6.3 MIFARE DESFire EV1 Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

6.3.1 MIFARE DESFire EV1: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

6.3.2 MIFARE DESFire EV1: Custom Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21

6.4 Prox Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

6.4.1 Prox: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

6.5 Seos Work Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

6.5.1 Seos: HID Access Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

6.5.2 Seos: Custom Encoding (Basic Mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-30

6.5.3 Seos: Custom Encoding (Standard Mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34

6.5.4 Seos: Custom Encoding (Update Existing Data Object) . . . . . . . . . . . . . . . . . . . . . . .6-40

July 2017 PLT-01067, Version: A.7

Page v

6.5.5 Seos: Custom Encoding (Rolling Custom Seos Keys) . . . . . . . . . . . . . . . . . . . . . . . . .6-44

6.5.6 Seos: Reading a Seos Data Object from a Custom ADF . . . . . . . . . . . . . . . . . . . . . . . 6-48

6.5.7 Seos: Deleting a Custom ADF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51

6.5.8 Work Instruction: Roll Card Authentication Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-52

6.6 Multi-Technology Card Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58

Chapter 7: Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

7.1 Key Management Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

7.1.1 Key Management Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

7.1.2 Encoder Info Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

7.2 Key Manager File Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

7.3 Create Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

7.4 Remove Selected Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

7.5 Import Keys and Key Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

7.6 Export Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14

7.7 Load HID Key(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

7.8 Remove HID Key(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20

7.9 Revoke HID Key(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22

7.10 Refresh HID Key List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

7.11 Add Key Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24

7.12 Edit Key Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26

7.13 Delete Key Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28

7.14 Sync Encoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30

7.15 Change Encoder Admin Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-32

Chapter 8: Reader Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

8.1 Reader Configuration Home Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

8.1.1 Reader Configuration Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

8.1.2 Encoder Info Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

8.2 Reader Configuration File Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4

8.3 Data Mapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

8.4 Data Mapper Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

8.5 Elite Prep Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14

8.6 Reader Options Config Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16

8.7 iCLASS Legacy Config Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17

8.8 Load HID Application Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20

Chapter 9: User Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

9.1 User Config Home Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

9.1.1 User Config Home Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

9.2 User Config File Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

9.3 User Config View Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

9.4 Add a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

9.5 Remove a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6

9.6 Edit a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7

9.7 Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8

9.7.0.1 Manage Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9

9.7.0.2 Assign a Template to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11

Chapter 10: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1

10.1 Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Page vi

PLT-01067, Version: A.7 July 2017

10.2 Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

10.3 Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

10.3.1 Supported Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

10.3.2 Synchronize Database to Encoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

10.4 Exceptions and Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

Glossary

Chapter

July 2017 PLT-01067, Version: A.7

Overview

The Asure ID iCLASS SE Encoder is a smart card provisioning product that consolidates most of HID

Global’s existing encoding products including the CP400 iCLASS Programmer, CP600 DESFire

Encoder, iCL-ELITE programmer, and 1050 ProxProgrammer.

The following features are included:

Encode HID Access Control Application with Standard, Elite, and Custom Security on to iCLASS®

and MIFARE®Classic credentials

Encode HID Secure Identity Objects (SIO) with Elite Security on iCLASS, MIFARE Classic, MIFARE

DESFire EV1®, and Seos®

Encode HID Access Control Application on to HID Prox cards and fobs

Encode Custom Data Objects on iCLASS, MIFARE Classic, MIFARE DESFire EV1, and Seos

Roll keys on existing card populations from a revoked key set to a new active key set

Migrate existing iCLASS and MIFARE Classic Standard Security (applications) card populations to

SE Security

Configure encoders for various Security models and Custom Data model interpreters

Other Features and Use Cases:

Create and manage custom media and application keys

Export and Import custom keys

Import keys from HID Secure Key Management Platform

Manage all credential and reader transactions through work orders scripted from instruction sets

In-line personalization of credentials

Note: From this point, the iCLASS SE CP1000 Encoder is now referred to as the iCLASS SE Encoder.

Page 1-2 Overview

PLT-01067, Version: A.7 July 2017

1.1 Main Concepts

To get the most out of the iCLASS SE Encoder, there are several concepts that should be understood.

1.1.1 Key Management

iCLASS SE Encoder is an HID Global product that provides solution to encode user credentials and

reader configuration data. To provide a high level of security, the encoder device uses a smart card

chip (an ISO 7816 compliant device) to perform the key management as well run the encoding

applications. This component of the encoder device is called Secure Access Module (SAM).

A typical encoding operation requires knowledge of default/transport keys of the credential, your

credential or reader configuration data and the new keys to be used to protect the credential. The

keys that are involved in encoding operation could be ones that are managed by HID Global or ones

created by the customer and provisioned in SAM.

To do secure key management, we follow state of the art security practices and use cryptographic

algorithms and practices that have been validated by our industry to provide secure solutions for

our customers. The rest of the document describes different types of keys and their management.

1.1.2 Administration Keys

To load, update, and delete configuration data and keys used during encoding operations Simple

Network Management Protocol (SNMP) version 3 messages are used. SNMP is an Internet-standard

protocol for managing devices on IP networks and defined by RFC 3411-RFC 3418. Though the

protocol is intended for IP devices HID makes use of it over other transport and application

protocols such as ISO 7816-3 (APDU) for PC/SC readers.

A typical SNMP message is encrypted and signed using 16-byte keys and also contains metadata

about the cryptographic mechanism used to protect the message. The message defines its actions

using verbs, such as GET, SET etc. The keys that are used for encryption are called SNMP encryption

and SNMP privacy keys and the keys used for signing are called the SNMP signing and SNMP

authentication keys.

A device or a software application implementing the SNMP standard is called an SNMP endpoint or

engine and is identified using one or more engineId/username pairs.

The encoder SAM is an SNMP endpoint that has two identities: the HID Admin and the OEM Admin.

Each identity is recognized using an engineId and username pair as described in the SNMP

standard. Each identity includes two associated keys: SNMP encryption and signing.

The purpose of HID Admin identity is to manage the keys and configuration data that originate from

HID. The OEM Admin identity can be used to create custom keys and perform operations that do

not require high levels of security.

When a customer receives an encoder, it has OEM Admin SNMP keys that are set to default/public

values. When the host application is started for the first time, it prompts you to change the keys to

be managed. The host application then stores the changed OEM Admin keys in the local database

and the keys are encrypted using your password of the application.

July 2017 PLT-01067, Version: A.7

Overview Page 1-3

1.1.3 Media Keys

The keys that are used to authenticate a credential to perform read/write operations are called

media keys. For example, the debit and credit keys for a page in iCLASS credentials are the media

keys. In the case of MIFARE Classic, the Key A and Key B of a sector are the media keys and for

DESFire EV1 the application keys as well as the PICC master key are examples of media keys.

The lengths of these types of keys as well as the cryptographic algorithms, such as authentication

algorithm, that makes use of these keys are dependent upon the credential/media technology.

A typical encoding operation uses the default/known media key to first authenticate to the blank

credential, create the application, write the credential, and change the value of the key to the one

specified by the user. It is important to make a note that the new value can be a diversified key to

reduce the surface area of attack. In other words, all the credentials/media have different values for

the media keys. For the newer and more secure credentials (for example: Secure Objects) we make

use of NIST 108 key diversification algorithm whereas the older/legacy credentials make use of

proprietary key diversification algorithms invented by HID Global and/or chip vendors such as NXP.

For all the credential/media, the keys could fall in one of these categories:

HID Managed Standard Media Keys: These keys are managed securely by HID and are intended

for general customer base.

HID Managed Elite Media Keys: These keys are managed securely by HID and are specific to

customers who participate in the Elite program. For example an Elite customer identified using

an ICE0000 have a different set of media keys than the one identified using ICE0133.

Customer Generated and Managed Keys: These keys are either generated using the encoder

solution and/or entered by the customer. The keys reside in the encoder SAM, and can be

exported in encrypted form to be archived. Once created, knowledge of the plain text key is the

responsibility of the administrator. Custom Keys are not archived by HID.

All the HID managed keys are delivered in the form of static SNMP messages targeted to the

encoder, for which they were requested. Typically, the customer reads the engineId of the encoder

device using the host application and orders from HID Global the appropriate key set (for example:

standard, ICEXXX etc.). The keys are delivered in the form of a file that contains the static messages,

and the host application provides necessary user interface to load them in the encoder SAM.

Custom keys can be exported from the encoder device. The export format is again an SNMP

message that is protected using OEM Admin keys.

1.1.4 Secure Object Keys

The newer and more secure credentials used by HID Global readers are based on the Secure Object

(SO) technology. While it is outside the scope of this document to describe SO technology in detail,

in simple words, a SO is a structured credential that is based on state of the art industry standards

to ensure extensibility of credential structure and use industry validated and approved security

algorithms and mechanisms. The most important aspect of a SO is that it provides an additional

security for the credential and therefore we do not only rely on the security mechanisms of the

chip/media silicon vendor.

Very much like an SNMP message a SO also has a notion of encryption and signature. To reduce the

size of a secure object credential we make use of an Authenticated Encryption with Associated

Data (AEAD) algorithm called EAX’ (read as EAX prime). In simple words, EAX’ one key can be used

Page 1-4 Overview

PLT-01067, Version: A.7 July 2017

to perform both encryption and signing of the SO credential. This key is called the SO encryption

key.

Note: It is called an encryption key but it also performs signature verification.

The SO encryption key could be managed by HID as a standard key and/or an Elite key, which is

similar to the management of Media keys described earlier. We also provide the support to create a

customer managed SO encryption key, however a SO credential that is protected using such a key is

not managed via HID and also has an additional signature using HID Global’s license key.

Additional information about secure objects can be requested from HID Global.

1.1.5 Secure Channel Key

The messages that are exchanged between a host application and the encoder device are

transferred over a mandatory secure channel5. The secure channel ensures the confidentiality and

authenticity of the messages between the host application and the encoder device.

The encoder comes with a default value for the secure channel key, and very much like the OEM

Admin keys, the host application prompts you to provide a new value for the secure channel key.

This secure channel key is stored on a per user basis.

The secure channel mechanism is based on a slightly modified Global platform SCP secure channel

protocol. You can request more information about the secure channel from HID Global.

1.1.6 Credential Credit Management

All transactions with credentials are enabled by credential credits. These are discrete tokens that are

consumed with each transaction until none remain or until additional credits are ordered and

applied to the encoder.

The term Credential Credit, refers to the tokens purchased from HID that enable all credential write

transactions. The iCLASS SE Encoder is enabled until the authorized credits have been exhausted,

then you must request additional credits from HID Global.

The management of credits can be understood as a type of counter. When a customer orders “X”

credits, the counter is increased by “X” and the encoder is enabled until the counter is decremented

to 0, or until more credits are ordered.

The following attributes, are the building blocks to define a transaction which is enabled by a

Credential Credit Token.

For example: To encode iCLASS with HID Access Control application and Standard keys, this

transaction would require a different credential credit token than the same transaction using Elite

keys.

Technology Application Security Media

iCLASS HID Standard Genuine HID

MIFARE Classic SIO Elite Third Party

MIFARE DESFire EV1 Custom Custom Third Party

Prox HID Standard Genuine HID

Seos SIO Elite Genuine HID

July 2017 PLT-01067, Version: A.7

Overview Page 1-5

Things to know about credential credits:

Each credit token type is managed by its respective credit counter.

Credit top up messages are delivered in a secure SNMP message that is targeted for a specific

device by diversifying the keys with the device Engine ID.

Credit top up messages can be loaded only once.

A cap (10,000 credits) is placed on the number of credits that can be ordered at a time. This is

to limit the monetary value that can be loaded into a single encoder device which can be lost or

destroyed.

1.1.7 Formats

The iCLASS SE Encoder includes a format interpreter capable of parsing all open and custom

formats developed and maintained by HID Global.

Format fields are presented to you in the desktop UI for the purpose of assigning data to each field.

Formats must be ordered from Customer Service. Most formats are custom to a specific OEM or

end user, and are not freely distributed.

The H10301 (SIA Wiegand 26-bit) is the default format delivered with the desktop application.

1.1.8 Plugin Architecture

The iCLASS SE Encoder includes a plugin architecture which makes it highly configurable with

minimal maintenance and few releases. There are two types of plugins:

Technology

Configuration

Technology plugins are a packaged bundle that includes an applet which is loaded to the encoder

device and a UI plugin for the desktop application that is customized for the associated applet.

Applets are small C# applications designed to run on the .NET framework that is native to the

encoder device. These applets manage the interface to the credential and provide an API to the

desktop application. Applets can be tailored for a specific use case.

The UI plugin manages the interface to the encoder device and provides you with inputs and

information specific to the applet loaded on the device. For example, each technology applet

comes with a unique set of wizard pages gathering user input for work order creation.

Configuration plugins expose a UI for gathering inputs and creating reader configuration cards.

Reader configuration plugins are released as groups that organize parameters.

Things to know about plugins:

Each applet is digitally signed by a key managed by HID Global and known by all encoder

devices (global key). This identifies the applet as Genuine HID. Only Genuine HID plugins are

recognized by the encoder device.

Initially, one applet/plugin is created for each of the four supported technologies (iCLASS,

MIFARE Classic, MIFARE DESFire EV1, HID Prox, and Seos).

Custom plugins can be created on a Custom Product Opportunity (CPO) basis.

Page 1-6 Overview

PLT-01067, Version: A.7 July 2017

1.1.9 Work Orders

All credential encoding activity is managed through Work Orders. Each Work Order includes a set

of Work Instructions to be executed on every credential presented to the encoder.

Work orders execute a work flow that you design

Work Orders are technology independent

Work Orders can be limited in scope or open-ended

1.1.10 Work Instructions

Each Work Instruction represents one step of an overall work flow that is executed on every

credential presented to the encoder.

Work Instructions are analogous to scripts

Work Instructions are technology specific

Work Instructions are wholly independent operations

1.1.11 Custom Applications

Custom Applications can be written to credentials. The iCLASS SE Encoder supports two types of

custom applications; Custom Media and Data Mapper.

1.1.12 Custom Media Applications

Manage keys for custom media applications.

Read and Write custom data to and from custom media applications.

Examples: custom vending applications or HF migration media (not the Config cards).

1.1.13 Data Mapper Applications (HF Migration)

Reader accesses custom credential application data autonomously and reports data on

communications ports.

Reader is configured with necessary authentication and encryption keys to access the raw

credential data.

Reader is configured with instructions for manipulating the raw data into a format that can be

managed by the host or access control system.

References

1ISO/IEC 7816: http://en.wikipedia.org/wiki/ISO/IEC_7816

2SAM: http://en.wikipedia.org/wiki/Secure_access_module

3SNMP: http://tools.ietf.org/html/rfc3411

4SIO: Secure Identity Objects; request information from HID Global

5HID Secure Channel version 0.87

Chapter

July 2017 PLT-01067, Version: A.7

Encoder Application Navigation

The iCLASS SE Encoder Desktop application has the following structure:

Application Modules, each with a subset of tabs.

Work Order Manager (File tab, Home tab)

Key Management (File tab, Home tab)

Reader Configuration (File tab, Home tab)

User Config (File tab, Home tab & View tab)

With the selection of an application module the window will display the specific module’s toolbar,

information and configuration panes, etc. The following is an overview of these windows.

Page 2-2 Encoder Application Navigation

PLT-01067, Version: A.7 July 2017

2.1 Work Order Manager Module

The Work Order Manager module allows the user to define and save an encoding profile for a

credential deployment. Each Work Order defines the number of data fields encoded, as well as the

data type and field size. These data fields are concatenated into a single data stream and encoded

into an application, and are defined by the selected format.

A Work Order is comprised of one or many Work Instructions. A Work Instructions is a single

command issued during work order execution. The single work instruction can either read or write

to a specific memory location.

July 2017 PLT-01067, Version: A.7

Encoder Application Navigation Page 2-3

2.2 Key Management Module

The Key Management module of the CP1000 Desktop Encoder allows the user to view and manage

the HID and Custom Keys.

Page 2-4 Encoder Application Navigation

PLT-01067, Version: A.7 July 2017

2.3 Reader Configuration Module

The Reader Configuration window is used to create the Reader Data configuration cards (for both

keys and reader limited settings) The application allows the user to change the keys or behavior of a

Reader.

July 2017 PLT-01067, Version: A.7

Encoder Application Navigation Page 2-5

2.4 User Config Module

The User Config module allows the administrator to create users for Asure ID and to set the functions

each user can access in the application. The Administrator can Add User, Remove User, Save Users

and Change Passwords.

Page 2-6 Encoder Application Navigation

PLT-01067, Version: A.7 July 2017

2.5 Home Tab

The Home tab allows configuration and implementation of the iCLASS SE Desktop Encoder. See the

Work Order Manager, Key Management, Reader Configuration, and User Configuration chapters for

information on each of these Home tabs.

July 2017 PLT-01067, Version: A.7

Encoder Application Navigation Page 2-7

2.6 File Tab

The File tab contains specific options depending on which Application Module is selected. See the

Work Order Manager, Key Management, Reader Configuration, and User Configuration chapters for

information on each of these File tabs.

Page 2-8 Encoder Application Navigation

PLT-01067, Version: A.7 July 2017

2.7 Options Window

The Options window is available on every File tab, and allows you to manage the iCLASS SE Encoder

Formats, Plugins, Database, Options and User Options.

Table of contents

Other HID Media Converter manuals

HID

HID iCLASS SE CP1000 User manual

HID

HID OMNIKEY 5121 User manual

HID

HID iCLASS SE CP1000 User manual

Popular Media Converter manuals by other brands

EtherWAN

EtherWAN EL900 Series quick start guide

Gefen

Gefen GTV-HTS-PRO user manual

Ayra

Ayra OSO 8DIS user manual

Perle

Perle C-1110-XXXXX installation guide

AJA

AJA Hi5 user manual

IMC Networks

IMC Networks iMcV-DS3 Operation manual

Milestone pro

Milestone pro MP-DA28UHD user manual

Cypress

Cypress CCR-2SRGB Operation manual

Ikegami

Ikegami IEN-T01P instruction manual

BGS technic

BGS technic 1812 instruction manual

Apantac

Apantac OG-HDTV-SDI-II user manual

Lenz

Lenz Digital plus LS100 manual

Anedio

Anedio D2 DAC operating manual

Icy Box

Icy Box IB-SPL1029AC manual

Fagor

Fagor SV2AM installation manual

B&B Electronics

B&B Electronics IE-MiniMc Operation manual

Advantech

Advantech B+B SmartWorx IMcV-10G user manual

Avenview

Avenview C-HDSDI-HDMI user guide

HID CP1000 User manual

Popular Media Converter manuals by other brands