CLIQ Remote - System description and requirements
1. Introduction CLIQ Remote - Access at a distance CLIQ Remote is an electromechanical lock system with an additional level of security and flexibility, a natural choice for those looking for a modern security solution. CLIQ Remote combines a modern mechanical basic platform with an advanced electronic function. A major advantage of CLIQ Remote is the distance function. This locking system can change access and permission at a distance. For example, you can sit in Stockholm and, through the CLIQ Web Manager software give access to your keys via the programming terminal. A contractor in the North of Sweden may get access to a facility, maybe an antenna or a mast, by programming his/her key in wall readers at the facility. CLIQ Remote features: 1. A key with CLIQ has built-in clock and memory. 2. Validation of keys increases security in case of loss. 3. Audit trails and logs provides security for all users and managers. 4. Update permissions remotely minimizes work and saves time. 5. The combination of electronic and mechanical locking gives a unique level of security 2
2. Main features of CLIQ Remote List of functions in the CLIQ Remote locking system: Easy to install - CLIQ is a cost efficient offline systems that do not require electrical wiring or batteries in the lock cylinders. Event Logs - CLIQ provides easy access to accurate verified log data from each cylinder lock and key in the lock system. Individual keys - Protected by strong digital encryption, each key can be designated for use by a single individual. The key can then be given access to all the areas that the individual should move in. If the key is lost and blocked, a new key can be generated in its place. Time-based access - CLIQ enables the definition of a time-based schedule in which the days and times of access is permitted. Digital Key Management - CLIQ Web Manager keeps track of which keys that belong to different key holders. The keys can be issued completely digitally without the interference of paper. It s smart administration and good for the environment. Electronic keying - keys can be updated without the presence of physical key of the administrator. Validation of keys - Adds safety to the locking system by forcing key holders to validate the key with updates in an adjacent programming station. It also ensures that the event logs are transmitted to the server and is available for system administrators. Grouping Features - Simplifies administration. CLIQ Web Manager makes it possible to provide access to groups of cylinders and groups of people based on e.g. geographical location or role in the organization. Domains - Just like grouping permissions and users the administrator's role can also be controlled to see only their part of the locking system with the domain function. 3
3. Documentation about CLIQ Remote List of information that is available on the CLIQ Remote system: Brochure - CLIQ Remote Access at a distance Product sheet - CLIQ Remote Cylinder Product sheet - CLIQ Remote Key Product sheet - Wall PD Product sheet - Vandal-resistant Wall PD Product sheet - Mobile PD Product sheet - CLIQ Web Manager / System requirements CLIQ Remote IT-Compliance CLIQ Certifications and classifications CLIQ Remote FAQ SSL-certificates An introduction Manual CLIQ Web Manager The above information is available through your ASSA Retailer and on: http://export.assa.se/en/site/assaexport/ Design of a CLIQ Remote locking system should be made in cooperation between the property / security manager and installer, to gain insight in how the business can benefit from the features and thus build a system that meets the customer's needs. At the planning stage it should be taken into account how the expansion of the system can be done in an efficient manner. It is also important to the company's IT department is involved at an early stage so that the necessary rights to PCs and networks is approved. ASSA manages servers, backup and IT operation when the agreement of the SaaS service contract has been signed. Check the following: Fire Regulations for the door environment Fire Standards Evacuation routes Emergency exits Safety regulations Mechanical requirements for perimeter protection Safety requirements for special areas such as server rooms / technical rooms Local requirements from the insurance company IT security with firewalls, administrator rights, etc. 4
4. Important Information The following information is required before you begin the installation of a CLIQ Remote system. This information is also needed to if you contact the ASSA technical support. 4.1 Agreement The agreement for SaaS services and certificate is signed between ASSA and the client company at the time of approval of the license agreement made via the e-mail address specified in advance. The customer undertakes to register a new email address in the e-mail system. This is to ensure that the communication regarding licenses and certificates is not specified to a certain employee. This address is then connected to the system operator for the system. The locking system should be treated as a business function. The name of this account should be: "cliqremote" Selected address: Ex: cliqremote@customer.com System manager A person shall be appointed to the transmission system and be responsible for software and contact the dealer or installer. The system operator has been appointed:. The E-mail address registered will receive the Certificate Files from ASSA. 5
4.2 Checklist for system setup The following manuals should be at the IT department of the client company before beginning the installation and the infrastructure to be prepared for the new locking system. Make sure that these requirements are met: (mark with an X)) Manual CLIQ Web Manager [ ] CLIQ Remote - FAQ [ ] E-mail Address is created [ ] Drivers for Terminal PD are installed [ ] on the client computers The recommended version of Java installed [ ] on the client computers Places of wall-mounted PD s are assigned [ ] and network connectivity is available Communication on port 443 is allowed [ ] Outgoing traffic Communication on port 8443 is allowed [ ] Outgoing traffic This document is signed by both parties [ ] 4.3 Support Support of the software is handled by a retailer selected by the customer. If the customer and the dealer opts support directly between the customer and ASSA this is concluded in a separate agreement. What type of Support Agreement has been selected: The retailer provides support [ ] Support agreement CLIQ Remote [ ] (For direct support between the customer and ASSA) 6
5. System Overview The diagram describes the functions of the CLIQ Web Manager environment. 5.1 SSL Client-certificate Encryption protects data during transmission The CLIQ Remote Web server and the browser uses Certificates of Secure Sockets Layer (SSL) protocol to assist users to protect data during transmission. A unique, encrypted channel for private communications are created on the otherwise public Internet. Each SSL Certificate consists of a pair of keys, as well as verified identification data. When a CLIQ Remote (or client) points to a secure website, the server shares the public key with the client in order to create an encryption method and a unique session key. CLIQ Web Manager confirms that it recognizes and trusts the issuer of the SSL certificate. This process is called the "SSL handshake" and it initiates a secure session that protects message privacy and message integrity. 7
6. The CLIQ Remote server All CLIQ Remote servers are managed by ASSA AB and made available to the client company through a Service Agreement (SaaS). System functionality: The ability to manage the locking system. Adding up the staff. Hand out keys. Change the permissions on the keys. Being able to tag (label) all the objects to facilitate the search. - An average key update is about 20-30kB. To update daily CLIQ keys by Wall PD units. Being able to block the lost keys. Primarily from being updated in Wall PD, but also to block the key in the cylinders. Being able to read the logs out of the cylinders and keys. 6.1 Schematic overview Figure 1: 8
7. Administrator PC Requirements to run the CLIQ Web Manager software 7.1 Client computer hardware Hardware CPU RAM Hard Disk Minimum requirement Capable of running Windows Vista/7/8/10 Capable of running Windows Vista/7/8/10 20 Mb available 7.2 Client tablets Hardware Microsoft Surface Pro* Minimum requirement Windows 7 Pro/Ent/Ult (32 or 64bit) Windows 8 (32 or 64bit) *All tablets capable of running Microsoft based operating systems 7.3 Software Software Operating System ASSA CLIQ Connect Web browser PDF-reader Required product Windows Vista/7/8/10 Linux capable of running Mozilla Firefox OSX capable of running Mozilla Firefox ASSA ABLOY CLIQ Connect (latest version by ASSA) Internet Explorer 8/9/10/11 (32 or 64-bit) Firefox 16.0.2 or later (32 or 64-bit) All standard readers *The browser security setting Do not save encrypted pages to disk must be disabled. 9
8. Login to the web software ASSA provides the end customer with the information and files required to sign in and manage the CLIQ Remote locking system. Via our Admin Page for CLIQ Web Manager at assa.se the following is offered: Download center - Driver files Knowledge - ASSA Smart Guides for user Operating information - the latest news about new versions and features of the software Ability to create new SSL certificates - When administrators need to renew their credentials 10
9. Updating devices (PD) To change permissions for keys the system uses programming units called PD s. The Local PD is used by the administrator to log into the CLIQ Web Manager software. The Remote PDs (Wall PDs and Mobile PD s) access the CLIQ Remote server by mutual authentication to create an https session. Also the CLIQ Web Manager server uses an https session to communicate with the CLIQ Remote server. The mutual authentication requires a client certificate for CLIQ Web Manager and a server certificate for the CLIQ Remote web application. Each Remote PD is also prepared with a client certificate and a CA certificate to establish an https session with the CLIQ Remote application. Web services require their own client certificate. - An average key update is about 20-30kB. For sending e-mail notifications to the users an SMTP server is used. This server is covered by a service contract and is provided by ASSA. Figure 2: Local PD Figure 3: Mobile PD with smart phone Figure 4: Wall PD Figure 5: Vandal-resistant wall PD 11
10. Wall PD setup information This information must be available before the installation of a CLIQ Remote systems can begin. Also remember to draw the network cables to the places where Wall PD units are to be installed before the installation starts. A Wall PD is used in a CLIQ Remote system to allow the user to update their key authorizations without having to seek out the administrator. 1. How many key updating devices should be installed?: (write number) Wall mounted [ ] Mobile [ ] 2. What type of IP address will the Wall PD units use: (mark with an X) Static IP [ ] Dynamic DHCP [ ] 3. If static IP address is used which addresses can be used: Which Subnet Mask should be used: Which default gateway should be used: Eventual DNS server adress: Name for the Wall PD in the network:..... 4. What power source will the Wall PD units use: Power over Ethernet PoE [ ] 12v 24v separate supply [ ] 5. To deploy a Wall PD a USB memory less than 2Gb is needed. A certificate is generated in the web software CLIQ Web Manager and then transferred to the Wall PD device with a mini USB cable. For more information see CLIQ Web Manager Manual USB memory is available Yes [ ] No [ ] 12
11. Maintenance An overview of the planed maintenance and its impact on the system. Downtime matrix Info Dynamic keys Normal keys Remote PDs Administration SOE Environment Service windows Patch OS Reserved for Every 3 rd weekend in month. 17-21 saturday SOE DB changes upgrades Reserved for Every 3 rd weekend in month. 17-21 saturday Can do offline revalidate Cannot be reprogrammed PD can do an offline revalidation Not functional VM restoration Exchange server changes mail SOE Network /infrastructure/ storage changes Can do offline revalidate Cannot be reprogrammed PD can do an offline revalidation Upgrades of CWM (with DB changes) Can do offline revalidate PD can do an offline revalidation Not functional Cannot be reprogrammed Upgrades of CWM (no DB changes) 2 times a year Office hours 2hours Migration of CWM environment Can do offline revalidate Cannot be reprogrammed PD can do an offline revalidation Not functional Extensions Customer locks the system, update DB, customer unlocks system Not functional Renew Server cert The acronym CWM is used for CLIQ Web Manager. *CWM - CLIQ Web Manager. * Offline PD is a backup feature that allows key validation if the network is not be available, please contact your sales representative for more information on configuration. 13
By signing this agreement the customer assures that the IT Compliance requirements set by ASSA are met. This Agreement is signed in two (2) copies, of which each party has received one. Place and date Place and date Signature Signature Name Customer name 14
Feedback on this document can be sent to: erik.johnsson@assaabloy.com 15
16