Sentry Base: Installation and Configuration v2.0

Version 32


    Introduction

    The Pharos Sentry Base software provides an endpoint to which all Pharos Sentry clients connect. Typically, Sentry Base is installed on each Blueprint Collector server or Uniprint Print Server in a Pharos Secure Release environment. Each Sentry client is then configured to point to Sentry Base for operations. Sentry clients do not require manual configuration. All configuration is handled automatically by Sentry Base. This significantly decreases the time and work involved in rolling out devices, especially in large-scale enterprise installations.

     

    Pre-requisites

    Blueprint Enterprise

    • Blueprint 5.1 (latest Service Pack applied) or greater

    Pharos Uniprint

    • Uniprint 8.4 or greater
    • A working Uniprint system must be present before installing Sentry (e.g. Printers to be controlled by Sentry and Pharos Bank for authentication and charging are already set up).
    • Add a Network Terminal entry in Pharos Administrator. See Adding a Network Terminal Entry in Uniprint for information on how to create a corresponding Network Terminal for a Sentry SR25 client.
    • Card IDs are pre-populated in Pharos Database.

     

    Server Requirements

    The server requirements for Sentry Base are the same as for any Blueprint Collector or Uniprint Print Server. The following Windows operating systems are supported:

    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016

     

    Limitations

    • IPv4 is required; it will not operate on an IPv6-only network.
    • Automatic terminal creation and user card registration are not supported on Uniprint.

    Installing Pharos Sentry Base

    While Pharos Sentry Base is typically installed on a Blueprint Collector or a Uniprint Print server, it can be installed on any compatible server. It can also be installed in demo mode.

     

    Note: The MSI must be installed using an account with administrator rights.

    1. Log on to the server using an account with administrator rights
    2. In the Sentry distribution package, locate and run the file Base/Installation/PharosSystems-SentryBase.msi. Follow the on-screen instructions.
    3. If you are installing Sentry Base on a Blueprint Collector, the option Restart Blueprint Server is selected by default. This will automatically restart all the Collector Services.

     

    Connect Sentry Base to Pharos Servers

    You access the Base Administrator by going to https://localhost:9072/ in your web browser. You can also launch the Base Administrator from the Start menu of the server where you installed the Sentry Base. You will be prompted to enter the administrator password (the default password is pharos). The Sentry Base administrator console will appear. In the navigation bar, click Base Settings to access the configuration parameters.

     

    Blueprint

    BaseSettingsBlueprint.png

    Uniprint

    BaseSettingUniprint.png

    To configure a setting, click the selector to the left of an entry and then click the Update button. A dialog box opens which allows you to change the value. Unless you’re using demo mode, you will need the following server configuration settings:

     

    Pharos Analyst Hostname and Port: This is the Server Host Name/Address of the Pharos Analyst, as defined in the Blueprint Server Configuration utility on the Analyst server. If the Analyst and Collector are running on the same machine, these will be the same. Typically, this will be the Fully Qualified Domain Name (FQDN) of the Pharos Analyst server.

    This setting is available for Blueprint installations only.

     

    Pharos EDI Server Hostname and Port:

      • For Blueprint, the Server Host Name/Address of the Pharos Collector, as defined in the Blueprint Server Configuration utility on the Collector server. Typically, this will be the FQDN of the Pharos Collector server.
      • For Uniprint, this corresponds to the server host name/address of where the Pharos EDI Server is installed. Typically, the Pharos EDI server is installed with Uniprint Print Services.

     

    Pharos EDI Server Site Code:

      • This is the EDI password for the Pharos server (the default password is pharos for Blueprint).
      • For Uniprint, the EDI password is set when you installed the EDI Server. The EDI password can be viewed at System > System Settings > Security context of Pharos Administrator.

     

    Test Server Connection

    When all settings have been applied, click the Test server connection button to validate that Sentry Base can successfully communicate with Pharos Servers.

     

    Create the Configuration File on a USB Flash Drive

    Once you have entered the appropriate information to configure Sentry Base and connect to Blueprint Enterprise or Uniprint, you need to create a USB flash drive to configure each Sentry SR25 client to point to Sentry Base. To create a Sentry SR25 configuration drive:

     

    1. In Sentry Base, click SR25 Firmware and then click Download Configuration.
    2. Save the SR25.ZIP file to a preferred location or your browser’s default Download folder.
    3. Copy the SR25.ZIP file to the root folder of your USB drive.

     

    The SR25.ZIP file contains all of the information the Sentry SR25 client needs to configure itself to talk to the Sentry Base server. The ZIP file must be copied and not modified. If the ZIP file is modified, the Sentry SR25 will not recognize it and configuration will fail.

     

    Once you have successfully configured Sentry Base to connect to Pharos Server, and you have downloaded the Sentry SR25 configuration file, you're ready to use the USB flash drive to configure each Sentry SR25.

     

    NOTE: After performing the configuration using the USB flash drive, check the Sentry Base status to verify that the SR25 is connected and recognized by Sentry Base.

     

    Deploy SR25 Hardware

    After you have installed and configured Sentry Base, and you have created the USB configuration flash drive, you’re ready to start installing SR25s. Proceed to the Sentry SR25 Deployment Guide for instructions on how to deploy SR25.

     

    Updating Pharos Sentry Base

    To upgrade the Sentry Base to the latest version, run the PharosSystems-SentryBase.msi. This will uninstall the old version of Sentry Base and install the new version (2.0.6). After updating your Sentry Base, we recommend updating the SR25 clients to the latest firmware.

     

    Updating SSL certificate

    When the certificate on the Sentry Base changes, the communication between the Base and the SR25 will break.  The following instructions show how to update Sentry to use a new certificate.

    1. Update your Sentry Base to version 2.0.6. See instructions above.
    2. On your updated Sentry Base server, navigate to C:\Program Files (x86)\PharosSystems\SentryBase\Bin and run the PharosSystems.BaseService config file as an administrator.
    3. Locate <add key="SentryAntiReplayTimeMinutes" value="5"/>. Change the value from 5 to 1500 (from 5 minutes to 25 hours). This gives all the SR25 clients enough time to talk to the new Base.
    4. Upload the new SR25 firmware to the Sentry Base.
      1. Log in to the Sentry Base Web Administrator. Click on SR25 Firmware and then click Upload Firmware.
      2. Browse to the location of the new SR25 firmware and then click Upload.
      3. Wait overnight for old SR25 clients to be upgraded  to the new SR25 firmware.
    5. Reset the SentryAntiReplayTimeMinutes back to 5 minutes.
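
A check for step 5, as an added example that is not part of the Pharos documentation: it reads the config file and reports whether SentryAntiReplayTimeMinutes is back at 5, since leaving it at 1500 keeps the anti-replay window at 25 hours. The function name and the sample file are constructed here; the page does not give the config file's full name or its surrounding XML, so the path is a parameter and the appSettings wrapper in the sample is an assumption.

```powershell
# Added example, not Pharos code. Test-SentryAntiReplayWindow is a hypothetical helper.
function Test-SentryAntiReplayWindow {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,  # Base service config file (path supplied by you)
        [int] $ExpectedMinutes = 5                     # value the procedure restores in step 5
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Config file not found: $ConfigPath" }

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $ConfigPath).ProviderPath)

    # Find the <add key="SentryAntiReplayTimeMinutes" .../> element wherever it sits.
    $node = $xml.SelectSingleNode("//add[@key='SentryAntiReplayTimeMinutes']")
    $raw  = if ($null -ne $node) { $node.GetAttribute('value') } else { $null }

    # A missing or non-numeric value is reported, not silently treated as 0.
    $minutes = 0
    $parsed  = $raw -and [int]::TryParse($raw, [ref]$minutes)

    if ($null -eq $node)                   { $note = 'key not found' }
    elseif (-not $parsed)                  { $note = "value '$raw' is not a whole number" }
    elseif ($minutes -gt $ExpectedMinutes) { $note = 'anti-replay window still widened' }
    elseif ($minutes -lt $ExpectedMinutes) { $note = 'window is below the expected value' }
    else                                   { $note = 'ok' }

    [pscustomobject]@{
        Path      = $ConfigPath
        Minutes   = if ($parsed) { $minutes } else { $null }
        Compliant = ($note -eq 'ok')
        Note      = $note
    }
}

# Constructed sample standing in for the real file, with the window still at 1500.
# The <configuration>/<appSettings> wrapper is an assumption about the file layout.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sentry-base-sample.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="SentryAntiReplayTimeMinutes" value="1500"/>
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Test-SentryAntiReplayWindow -ConfigPath $sample
Remove-Item -LiteralPath $sample
```

Run it against each Base server's real config file the morning after the firmware upload; any row with Compliant set to False needs step 5 completed.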

     

    After the Sentry Base and the SR25 clients have been updated, you can now update the certificate on your Base server.

    1. Run the Sentry Base Configurator (in C:\Program Files (x86)\PharosSystems\SentryBase\Bin, double-click the BaseServiceConfigurator file).
    2. Select the new SSL Certificate. You can also select an additional CA for future use.
    3. For Blueprint installations, click Start Configuring Base. If you are installing Sentry Base on a Blueprint Collector, the option Configure and restart Blueprint is selected by default. This will automatically restart the Collector Services. This feature is not available on Pharos Uniprint.
    4. Create the configuration file on a USB Flash drive.
    5. Deploy SR25. Proceed to the Sentry SR25 Deployment Guide for more information.

     

    Working with Sentry Base

    Log on to the Base administrator by going to https://localhost:9072/ in your web browser. You can also launch the Base Administrator from the Start menu. After you enter the administrator password (the default password is pharos) you will see all Sentry clients that are currently active in the system. Each Sentry client that contacts the Base is recorded and shown in this view. (Initially, no Sentry clients will be shown.)

     

    Any time a Sentry client connects with Sentry Base, it will appear in this view. To see a Sentry client in the list, power on a Sentry client (SR25) that is pointed to the Sentry Base and then press the Refresh button.

     

    Sentries.PNG

    Sentry Base with no connected Sentry clients

     

     

    updateSelectedRows.PNG

     

    All Sentry clients that have contacted the Base will appear in this view. You can click the column headers to sort the Sentry list (ascending or descending). You can also use the Search box to filter the items that are displayed in the list. As you type characters in the Search box, the list will show only those items that match the search string. For example, with the MAC address column selected, typing 0011 in the Search box would update the display to show only those Sentry clients with a MAC address that starts with 0011.

     

    For detailed information on an individual Sentry client, click the selector to the left of the Sentry client entry and then click the Update button to open the Update selected row(s) dialog box, shown here.

     

    If a Sentry client is removed from the system (e.g. a printer is retired) it will not be automatically removed from this list. To remove a Sentry client from the list, click the Delete button in the Update selected row(s) dialog box. The Sentry client will be removed from the list and will only be re-listed upon the next successful connection to Sentry Base.

     

     

     

     

     

     

     

     

     

    Status Log

    Click Status Log to view recent activity from the Sentry clients as they communicate with the Sentry Base. The default view shows the messages in order of time received. You can click a column header to sort using a different parameter. Again, you can use the Search box to display only those Sentry clients that match your search string.

    StatusLog.PNG

    Card Swipe Log

    Click Card Swipe Log to view the result of all card swipe events at a Sentry client. The Hostname column shows the hostname of the Sentry client reporting the card swipe event.

     

    • The IP column is the IP address of the Sentry client.
    • The Printer IP column is the IP address of the printer being managed (for Sentry Embedded clients, this will be the same as the IP address).
    • The Card ID column shows the value read from the user’s card.
    • The Card reader ID is the unique USB ID of the card reader connected to the Sentry client (click the Card Readers tab to view more information).
    • The Result column shows the action taken by Sentry Base as a result of the card swipe, including any error message reporting.

    CardSwipeLog.PNG

    Card Readers

    Click Card Readers to view all card readers that have been registered with the system. When a card swipe event is received by the Sentry Base, it will be ignored if the reader ID is not in the list of registered readers. This is a security precaution that prevents a non-standard reader (or USB keyboard) from being plugged into a Sentry client and being used to initiate a swipe event.

     

    When a Sentry client is powered on or a card reader is installed, a message is sent to the Sentry Base to register the card reader. Sentry Base will add it to the list unless it’s already present. When the system is in production and all new reader IDs have been discovered, the system can be locked down to ignore these card reader registration messages. At this point, the system is protected against any unapproved USB devices creating swipe events.
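
An allowlist check for the period before lock-down, as an added example that is not Pharos code: because Sentry Base registers any reader it has not seen before, the script compares the Card reader ID of each swipe against your own approved inventory and lists the Sentry clients where some other device produced swipes. It assumes the Card Swipe Log rows are available as CSV with the column names used on this page (the page does not describe an export); the function name, reader IDs and rows are constructed.

```powershell
# Added example, not Pharos code. Find-UnapprovedReaderSwipe is a hypothetical helper.
function Find-UnapprovedReaderSwipe {
    param(
        [Parameter(Mandatory)] [object[]] $Swipes,          # rows with the Card Swipe Log columns
        [Parameter(Mandatory)] [string[]] $ApprovedReaders  # reader IDs from your own inventory
    )
    # Case-insensitive allowlist of approved reader IDs.
    $allowed = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($id in $ApprovedReaders) { [void]$allowed.Add($id.Trim()) }

    # Keep swipes whose reader is not approved, then summarise per client and reader.
    $Swipes |
        Where-Object { -not $allowed.Contains(([string]$_.'Card reader ID').Trim()) } |
        Group-Object Hostname, 'Card reader ID' |
        ForEach-Object {
            [pscustomobject]@{
                Hostname = $_.Group[0].Hostname
                IP       = $_.Group[0].IP
                ReaderId = $_.Group[0].'Card reader ID'
                Swipes   = $_.Count
            }
        }
}

# Constructed sample rows; every value below is made up for the example.
$swipes = @'
Hostname,IP,Printer IP,Card ID,Card reader ID,Result
sr25-lobby,192.0.2.10,192.0.2.110,1001,READER-0001,constructed result
sr25-lobby,192.0.2.10,192.0.2.110,1001,DEVICE-9999,constructed result
sr25-lobby,192.0.2.10,192.0.2.110,1003,DEVICE-9999,constructed result
sr25-lab,192.0.2.11,192.0.2.111,1002,READER-0002,constructed result
'@ | ConvertFrom-Csv

Find-UnapprovedReaderSwipe -Swipes $swipes -ApprovedReaders 'READER-0001', 'READER-0002'
```

Any reader the script reports should be investigated, and removed from the registered list if it is not yours, before registration messages are locked down.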

    CardReaders.PNG

    Base Settings

    All Sentry Base configuration options are set using the Base Settings page shown below. Simply click the selector to the left of the desired parameter and then click the Update button. You can click the Download log button to collect logging information from Sentry Base.

     

    Blueprint Base Settings | Uniprint Base Settings

     

     

    BaseSettingBlueprint2.png

     

     

    BaseSettingsUniprint2.png

     

    Pharos Analyst Hostname and Port

    This is the Server Host Name/Address of the Pharos Analyst, as defined in the Blueprint Server Configuration utility on the Analyst server. If the Analyst and Collector are running on the same machine, these will be the same. Typically, this will be the Fully Qualified Domain Name (FQDN) of the Pharos Analyst server.

    This setting is available for Blueprint installations only.

     

    Pharos EDI Server Hostname

      • For Blueprint, the Server Host Name/Address of the Pharos Collector, as defined in the Blueprint Server Configuration utility on the Collector server. Typically, this will be the FQDN of the Pharos Collector server.
      • For Uniprint, this corresponds to the server host name/address of where the Pharos EDI Server is installed. Typically, the Pharos EDI server is installed with Uniprint Print Services.

     

    Pharos EDI Server Site Code

      • This is the EDI password for the Pharos server (the default password is pharos for Blueprint).
      • For Uniprint, the EDI password was set when you installed the EDI Server. The EDI password can be viewed at System > System Settings > Security context of Pharos Administrator.

     

    Printer Text: Card Reader Not Recognized

    This is the default message that will be displayed on the LCD panel of an SR25-controlled printer if a card read event is initiated with a card reader that is not registered with Sentry Base. To change the message, select the item and click the Update button. Then change the value and click Update.

     

    Printer Text: Error Try Again

    This is the default message that will be displayed on the LCD panel of an SR25-controlled printer if an error occurred as the result of a swipe event. To change the message, select the item and click the Update button. Then change the value and click Update.

     

    Printer Text: No Print Jobs

    This is the default message that will be displayed on the LCD panel of an SR25-controlled printer if the user associated with the card does not have any print jobs in the Secure Release Here queue. To change the message, select the item and click the Update button. Then change the value and click Update.

     

    Printer Text: Swipe Your Card

    This is the default message that will be displayed on the LCD panel of an SR25-controlled printer when a user first walks up to the device and has not yet taken any action. To change the message, select the item and click the Update button. Then change the value and click Update.

     

    Printer Text: Unknown Card

    This is the default message that will be displayed on the LCD panel of an SR25-controlled printer when the card swiped at the reader cannot be found in the backend Pharos server. To change the message, select the item and click the Update button. Then change the value and click Update.

     

    Show Message on Printer Screen

    Some older printers may not allow messages to be displayed on the LCD panel. This control allows this functionality to be turned off in the unlikely event that an older printer reacts unfavorably to this functionality.

     

    Demo Mode

    When this parameter is set to True, Sentry Base will not connect to the Pharos server. Instead it operates in demo mode which can be useful for product demonstrations and during staging.  When the system is in demo mode, all card swipes are accepted and a sample print job is delivered to the target printer. The location of the demo print file is
    C:\Program Files (x86)\PharosSystems\SentryBASE\Data\DemoPrintFile.pdf.

     

    With demo mode, you can deploy Sentry Base before you install the Pharos server. Sentry clients can be configured and tested (print jobs will be delivered). When all Sentry clients are connected and ready, you can point Sentry Base to a Pharos server and then take Sentry Base out of demo mode. At this point, the Secure Release system should be available for all registered users.

     

    Smart Card Configuration

    This parameter is used only with the CAC-PIV extension to the Sentry product family.  If a CAC-PIV card is not being used, this setting is ignored. This can be set to one of three values: CAC, PIV or PIV_PIN. These represent the three different smart card authentication scenarios for the CAC-PIV card.

     

    Debugging Log Level

    You can use this option to add logging detail to the log file during troubleshooting. The default value is 0 which means that minimum logging is recorded. Setting this value to 4 (the maximum value) saves a lot of data; this option should only be enabled during troubleshooting operations.

     

    Testing Card IDs

    This option assists in the testing phase during deployment. As you install each device you need to test it by swiping a card and releasing a print job. Any card ID that is entered in this field will have a dummy print job in the queue for testing purposes. Simply add the card ID of any user that will be testing devices during the installation process. This makes the testing process much easier and more efficient, as the tester does not have to repeatedly submit jobs to verify successful operations.

     

    Use One Key for All Base Servers

    A unique encryption key is generated for every Sentry Base installation. This key is used for secure communication between each Base server and its associated SR25 clients. The key is included in the SR25 USB configuration file (SR25.ZIP).

     

    This option is set to “false” by default. This means that all base servers and the SR25 clients use the key generated during base server installation.

    When this option is set to “true”, a new encryption key is generated based on your site code (alphanumeric code assigned by Pharos, which uniquely identifies your site). It will also set all the base servers and SR25 clients to use a single key (instead of using the unique keys generated for each base server).

     

    Note: Make sure to update your SR25 clients with the new configuration file whenever you switch between options or your system will stop working.

     

    Allow Firmware Downgrade

    When this option is set to True, it allows downgrading the firmware on your SR25 clients. By default, this option is set to "false" to disallow downgrades to earlier firmware versions.

    Note: Allowing firmware downgrade should be used cautiously because it is possible to run into a scenario where your SR25 firmware will not be compatible with your existing Sentry Base.

     

    Base Server IP Address

    This is the Server Host Name/Address of the Sentry Base server as defined in the Blueprint Server Configuration utility. Again, this is usually the FQDN of the Sentry Base server. This setting will be used as the registration server in the SR25 USB configuration file (SR25.ZIP).

     

    NOTE: If Sentry Base has multiple IP addresses available, the IP address used to access the Base should be entered here. Otherwise, the Base configuration could select an unintended IP setting if multiple options are available to it.

     

    Log Server Hostname

    This is the Host Name/Address of the server that the SR25 clients can send log messages to.

     

    Web Admin Idle Timeout

    This is the amount of time (in minutes) the Sentry Base Web Admin can sit idle during a session before the user is automatically logged off.