PROTEC2 CLIQ™

Technical brochure
 Overview

PROTEC2 CLIQ™ SYSTEM

PROTEC² CLIQ™ is an easy to use access control system based on detainer disc cylinders and electronic identification.
Thanks to our double technology, the access is double secured. ABLOY PROTEC² which is based on the patented
rotating disc cylinder mechanism, takes care of the mechanical security at your site, while electronic CLIQ™ technology
allows flexible control of keys, access rights and audit trails. PROTEC² CLIQ™ combines both technologies into one
effective solution.

PROTEC² CLIQ™ keys are also available as Connect keys that can be wirelessly programmed using CLIQ™ Connect
smartphone application in addition to Remote programming devices (RemotePDs) and local programming devices
(LocalPDs). This enables the users to update their keys while in the field.

AN INTELLIGENT COMBINATION OF ELECTRONICS

AND MECHANICS AND ONLINE OPENING WITH
SMARTPHONE APPLICATION
Mechanical ABLOY PROTEC2
• Durable design without springs and pins
• Disc Blocking System – patented feature
that stops attempts to manipulate the discs
Electronic CLIQ™ technology • Bump proof and virtually pick proof
• The key and cylinder features are
• CLIQ™ technology which is especially patented until 2031
designed for locking industry provides • 1,97 billion different key combinations
unique identification for every opening • The symmetrical key can be inserted both ways
through encrypted communication • Only one key needed for each user
• Battery inside the key provides wireless • Reliable function in severe environments
function of time and calendar with
complete audit trail
• Calendar and time-based access rights are
easy to change remotely
• Mechanical system is easily and cost-
efficiently expandable with
CLIQ™ properties
CLIQ™ Connect technology

• CLIQ™ Connect keys can be updated

with a smartphone application
• Enables keys to be updated by the
keyholders while working in the field
• For keys with the Online opening feature
the key's access rights are checked in real
time when the key is entered to a cylinder
• Key audit trail is transferred to CLIQ™
Web Manager when the key is updated with the
smartphone application
• PIN validation allows keyholders to activate
the key in offline environments, and ties the
responsibility of a key closer to the keyholder
 Overview

How system works?

Browser-based CLIQ™ Web Manager allows to change access rights whenever and wherever required.

Manage the system remotely Access rights are updated in the After updating the rights,
with CLIQ™ Web Manager WallPD or MobilePD or using keyholders have access
software the CLIQ™ Connect smartphone everywhere they need,
– define validity and application on locations all using a single key.
access rights of keys. around the world.

Applications

PROTEC² CLIQ™ is used among Professional End Users such as utilities, telecom, petroleum,
transportation, hospitals, governmental institutions, banks and museums and railways.

Telemedia Transportation/Logistics Healthcare Power industry Water industry Designed for you
PROTEC² CLIQ™ products

KEYS
The PROTEC² CLIQ™ key has a metal shaft and a watertight plastic bow which holds the
electronics and battery. All PROTEC² CLIQ™ keys are equipped with a realtime clock and
a memory to allow time-based functions and collection of audit trails.

The PROTEC² CLIQ™ keys are also available as CLIQ™ Connect keys. CLIQ™ Connect
keys can be updated via bluetooth using CLIQ™ Connect smartphone application.

PROTEC² CLIQ™ user key specifications:

• Battery lifetime up to 10 years of operation and battery easy to change by opening

a plastic cover.
• For bluetooth operated CLIQ™ Connect keys, battery lifetime is 1 year.
• Battery type is CR2450N
• Buzzer indication and bicolor LED on both sides of the key
• Additional RFID cover available for use with transponders for access control readers.
Available also with a Mifare 1K Tag installed to the cover.
• Additional color covers available
• IP57 certified
• Operating temperature is -20 -+50
• Time functionalities available in all user keys (Validity settings, schedules,
time stamps in audit trails)
 PROTEC² CLIQ™ products

Normal user key

Normal user key is intended for cases where access rights are stable (e.g.
grand master key) or changes are very rare. Changing the access rights for
normal user key is done by changing electronical openings
inside CLIQ™ locks via programming key, since there is no list of
authorised locks on the key. Electrical openings in locks are defined in
the locking planning software when the system is ordered and
preprogrammed to the locks at the factory.

Dynamic key

Dynamic key is intended for cases when access rights often change
as it is easy to program changed access rights directly to user keys.
Authorised cylinder and/or cylinder groups needs to be programmed
to dynamic keys via customer software (locally or remotely).

Programming key

Programming key is used as a credential to access the CLIQ™ Web

Manager software. Administrator can create programming tasks in
CLIQ™ Web Manager and the tasks are distributed to programming
keys with localPD or Remote programming devices (eg. WallPD or
CLIQ™ Connect app) in the field. Also cylinders´ audit trails can be
retrieved with a programming key.

CLIQ™ Connect key

All keys are also available as bluetooth versions

which enables them to be updated wirelessly.
 PROTEC² CLIQ™ products

CLIQ™ keys

COMPATIBLE WITH
DEFINED VALIDITY

OR LOCK GROUPS

ONLINE OPENING

REALTIME AUDIT

PIN VALIDATION
WEEKLY SCHED-
FOREIGN AUDIT

LIST OF LOCKS

CONNECT APP
BATTERY LIFE

AUDIT TRAIL
CUSTOMER

TRAIL

TRAIL
ULES
2.4.2015
2.4.2015
2.4.2015
2.4.2015
ToToTo
ensure
ensure
To
please
ensure
please
proper
proper
ensure
please
note
note
pleasenote
properfunction
properfunction
following
note
function
following
ofofof
function
following
your
your
ofyour
precautions:
following
ABLOY
ABLOY
your
precautions:
precautions:
precautions:
ABLOY
PROTEC
PROTEC
ABLOYPROTEC
CLIQ
CLIQ
PROTEC key,
CLIQkey,
CLIQ key,
key, ABLOY
ABLOY
ABLOY
ABLOY CLIQ
CLIQ
®®®®
CLIQ
CLIQ-AVAIMEN
-AVAIMEN
-AVAIMEN
-AVAIMEN
Käyttöohje
Käyttöohje
Käyttöohje
Käyttöohje

Rev.A
Rev.A
Rev.A
Rev.A
PROTEC² CLIQ™

9311271
9311271
9311271
9311271
Normal user key TQ406/TQG406 Up to 10y x 2000 20 50
ABLOY
ABLOY
ABLOY
ABLOY CLIQ
CLIQ
®®®®
CLIQ
CLIQKEY
KEY
KEY
KEY
Dynamic key TQ406/TQG407 Up to 10y x 2000 20 3500 50 Instructions
Instructions
Instructions
for
for
Instructionsforuse
use
foruse
use
Programming
Avoid
Avoid
Avoid
dropping
dropping
Avoid key
dropping
the
the
dropping the TQ403/TQG403
the Keep
Keep
Keep
the
the
Keep the
key
key
thekey
awayaway Up to
away
keyaway Do10y
DoDo
not
not
Donot
use
use
not xexcess
use excess10 000
excess
excess
use
key.
key.
key.
key. from
from
from
dirt
dirt
from dirt
and
and
and
dirt and force
force
force
on
onon
forcethe
the
on the
key
key
thekey
totopull
key topull
topullpull
moisture.
moisture.
moisture.
moisture. doors
doors
doors
open
open
doors open
with
with
open with
it.it.it.it.
with

MAX
MAX
MAX
MAXMAX
MAX
MAX
MAX
+50°C
+50°C
+50°C
-20°C
-20°C
+50°C -20°C
-20°C

CLIQ™
Avoid
Avoid
Avoid
Avoid Connect
exposing
exposing
exposing
the
exposingkeys
the
the
the Changing
Changing
Changingthe
Changing the
the
battery
battery
thebattery
battery Incorrect
Incorrect
Incorrect
lubrication
lubrication
Incorrect lubrication isisisis
lubrication
key
key
key
totoexcessive
key toexcessive
toexcessive
heat
heat
excessiveheat
heat only
only
only
by
byby
onlyprofessional
professional
by professional
professional harmful
harmful
harmful
for
forfor
harmful cylinder
cylinder
for cylinder
cylinder
orNormal
orcoldness.
orcoldness.
orcoldness.
coldness.
user key ABLOY
ABLOY
ABLOYdealers
ABLOYdealers
dealersor
dealers
TQB406/TQGB406 ororor electronics.
electronics.
electronics.
Use
Use
electronics.
1ABLOY
yABLOY Use
only
only
Use only
only
locksmiths.
locksmiths.
locksmiths.
locksmiths. ABLOY
ABLOY
oil.
oil.oil. x
oil. 2000 20 50 x x

Dynamic key TQB407/TQGB407 1y x 2000 20 800 50AnAnAn

ASSA
ASSA
An
x
ASSA
ABLOY
ABLOY
ASSAABLOY
Group
Group
ABLOYGroup
brand
brand
Groupbrand
brand
x

Programming key TQB403/TQGB403 1y x 8000 x x

Online opening key TQC407/TQGC407 1y x 2000 20 800 50 x x x x

All new PROTEC2 CLIQ™ Remote and CLIQ™ Connect keys are compatible with Remote programming devices.

OPERATION INSTRUCTIONS
Use the cylinders with the key in a normal way, like using mechanical cylinders.
After inserting the key into the cylinder´s keyway wait for the sound signal before starting to turn the key. Signals are:

11beep
1beep
1beep
and
and
beepand
green
green
andgreen
LED
LED
greenLED
LED 33beeps
3beeps
3beeps
and
and
beepsand
red
red
andred
LED
LED
redLED
LED 33long
3long
3long
beep
beep
longbeep
and
and
beepand
green
green
andgreen
LED
LED
greenLED
LED No
No
No
beep
beep
Nobeep
beep
9311271 Rev.A 2.4.2015

9311271 Rev.A 2.4.2015

Key
Key
Key
accepted,
accepted,
Keyaccepted,
the
accepted,the
the
lock
lock
thelock
can
can
lockcan
be
bebe
can be The
The
The
key
key
The key
isisdenied,
key isdenied,
isdenied,
ititisitisitisis
denied, ToThe
The ensure
The
battery
battery
The proper
battery
maybe
maybe
battery maybefunction
weak
maybeweak
weak orof
ororcold
weak coldyour ABLOY
orcold
cold PROTEC
InInthat
In
that
Inthat
case
case
thatcaseCLIQ
the
the
casethe
lock
lock
the key,
lock
cannot
cannot
lockcannot
be
bebe
cannot
opened
opened
openedafter
after
after
the
the
the
beep.
beep.
beep. unauthorized
unauthorized
unauthorized by
byby
either
either
either code
code
code
orororor please
(try
(tryTo
(try note
ensure
warming
warming
warmingfollowing
theproper
the
the
key
key
key precautions:
ininfunction
your
in
your of your ABLOY PROTEC CLIQ key, be
opened after the beep. unauthorized by either code (try warming
please note the key
following inyour
hand).
yourhand).
hand).
hand).
precautions: opened
opened
openedand
openedand
and
the
the
andthe
battery
battery
thebattery
must
must
battery must
be
bebe
must be
time.
time.
time.
time. replaced.
replaced.
replaced.
replaced.

To ensure proper function of your PROTEC² CLIQ™ key,Avoid

please note
dropping the following
Keep theprecautions:
key away Do not use excess
9311271 Rev.A 2.4.2015

key. Avoid dropping the fromKeep

dirt and
the key away forceDo
onnot
theuse
keyexcess
to pull
To ensure proper function of your ABLOY PROTEC CLIQ key,
please note following precautions:
key. from dirt and®
moisture.
moisture.
ABLOY CLIQ -AVAIMEN
doors open
force onwith
the it.
key to pull
doors open with it.
Käyttöohje
MAX MAX
+50°CMAX
-20°CMAX ABLOY ® CLIQ KEY
+50°C -10°C
Instructions for use
Avoid exposing the Changing the battery Incorrect lubrication is
Avoid dropping the Keep the key away Do not use excess key to excessive
Avoid heatthe only Remove
exposing by professional
the battery harmful for cylinder
Incorrect lubrication is
key. from dirt and force on the key to pull or coldness.
key to excessive heat ABLOY dealers or insert electronics.
harmfulUse only
for cylinder
moisture. doors open with it. cover and then
or coldness. locksmiths. ABLOY oil.
a new battery to the key. ABLOY oil. Use only
electronics.

MAX MAX
+50°C -20°C
 PROTEC² CLIQ™ products

PROGRAMMING DEVICES
PROTEC² CLIQ™ keys can be updated locally via the local programming device and also
remotely with the remote programming devices. Remote features allow collection of audit
trails, updating key’s access rights, schedules and enables the use of key revalidation.

WallPD PDA100
WallPD is an indoor remote programming device which is
used for updating keys. The communication between CLIQ™
Remote server, WallPD and the PROTEC² CLIQ™ key is
encrypted for maximum security.

• Wall mounted remote programming unit

• Locking system specific
• No data storage
• IP42 rated
• LAN connection
• Power through 12-24 voltage adapter or PoE
(Power over Ethernet)
• Support for proxy server
• Plug&play capability*
• Offline update capability

MobilePD PDA200

MobilePD is a portable and personal programming device

which is an optimal choice for a keyholder when PROTEC²
CLIQ™ key needs to be updated in various locations. MobilePD
acts the same way as the WallPD regarding key update, but
gets power from AAA-batteries and connection to Internet via
a mobile phone (Bluetooth) or laptop (USB).

• Powered by standard 4x AAA batteries

• PDA200 Bluetooth & USB (for mobile phone and PC)
• Support for proxy server
• Plug&play capability*
• Offline update

*RemotePD plug&play requirements:

- CLIQ™ Web Manager with DCS integration
- DHCP in use
- No proxies set up for RemotePD
PROTEC² CLIQ™ products

Outdoor WallPD PDA120

Outdoor WallPD is a remote programming device

which can be installed outdoors and in hostile
locations. Like the WallPD, outdoor WallPD connects
to remote server via Ethernet and supports PoE.

• IP57 Water & dust protection

• IK9 Attack resistance

CLIQ™ reader TQ124

The CLIQ™ reader is a relay-controlled device which sends

a signal to other devices or systems such as electric locks or
alarm systems. CLIQ™ reader can be installed outdoors as it
fulfills IP53 rating. It has a PROTEC2 CLIQ™ cylinder inside
thus it accepts only a key with correct access rights.

The escutcheon of the CLIQ™ reader is installed outdoors next

to the entrance. It is wired with the relay box which can be
installed indoors.
Relay operation is performed only when a key has correct
access. Also the reader can be programmed with a programming
key as any other CLIQ™ lock.

• Power input 12-24 VDC -10 / +15%

• Power consumption 60mA
• Relay load max. 0,8A 30V AC/DC resist 20W
• Max. 2 meter length of the wire between escutcheon and electronics.
• Note to cut the cable to proper length, do not extend the cable.

WallPD with reader PDA110

The WallPD with reader consists of 2 parts. It is a
WallPD with a external escutcheon. The WallPD
is installed indoors while the escutcheon, which
has IP53 rating, is installed outdoors next to the
entrance door. The escutcheon is connected to the
Wall PD with a 2 meter cable.

• Maximum wire length 2 meters

• Inside unit specs same as PDA100
• Keys can be updated in both devices
• Does not contain a relay box
 PROTEC² CLIQ™ products

Local programming device PDA500

LocalPD is a PROTEC² CLIQ™ key programming device which is connected to a

PC. LocalPD is used to authenticate administrators to CLIQ™ Web Manager system
with the programming key and to program PROTEC2 CLIQ™ keys locally.

• USB connection to PC
• Requires drivers (plug-and-play installation)
• USB powered
• Is used with CLIQ™ CONNECT PC App

CLIQ™ Connect

PROTEC² CLIQ™ user keys and programming keys are also available as
CLIQ™ Connect keys that can be programmed using the CLIQ™ Connect
smartphone application in addition to the RemotePDs and the localPD.
This enables the keyholders and administrators to update their keys while in
the field. Also the audit trail is transferred to CLIQ™ Web Manager when
the key is updated.

Keys with Online opening feature use the CLIQ™ Connect application
to check access rights in real time when the key is inserted to a
cylinder. This enables real time access control for locations without
landline internet connection.

CLIQ™ CONNECT also enables using and additional PIN-code to activate

the keys. This enables key activation even in circumstanses where there is
no network connection available. As the PIN is something only the keyholder
knows, the system efficiently prevents internal threats as well.

CLIQ™ Connect keys use Bluetooth Low Energy technology to communicate with the
application. The CLIQ™ Connect application then uses the smartphone’s internet connection
to connect to the CLIQ™ Remote application server in order to update the key’s access rights
and validity.

CLIQ™ Connect smartphone application is compatible with iOS version 9.0 or later and Android
version 5 or later. The application is available at Apple App Store and Google Play Store.

It is possible to keep multiple CLIQ Connect keys paired in the application at a time. The
maximum number of simultaneously paired CLIQ Connect keys depends on the device and
circumstances.

End-to-end HTTPS connections (TCP port 443) must to be allowed to CLIQ™ Remote server.
 PROTEC² CLIQ™ products

CLIQ™ Devices

REMOTE
OFFLINE OPERATES CONNECTION PIN
UPDATE OF POWER
UPDATE RELAY TYPE VALIDATION
CLIQ KEYS

WallPD 12/24VDC
a a LAN
or POE 3W

MobilePD USB/
Bluetooth Bluetooth to 4 x AAA
a a smartphone,
USB to PC
battery /
USB

LocalPD

(a) 1 USB to PC USB

WallPD with reader

12/24VDC
a a LAN
or POE 3W

Outdoor WallPD
12/24VDC
a a LAN
or POE 3W

Connect APP
Bluetooth to
Smartphone,
a CLIQ™ Connect
Key
IOS/Android a
CLIQ™ reader
12/24VDC
TQ124
1,5W
a

CYLINDER FUNCTION
PROTEC² CLIQ™ cylinder contains mechanical cylinder structure of unique PROTEC² structure with nine discs. In
addition the cylinder contains PROTEC² CLIQ™ cylinder electronics which controls the electronic blocking system.
This electronically controlled cylinder blocking is realized by using a small electric motor to guide the turning of
one detainer disc. The cylinder itself has no electric power source. This means no need of wires or battery change
to the cylinders.
PROTEC2 CLIQ™ key structure allows it to operate not only the PROTEC2 CLIQ™ electronic cylinders but also
mechanical PROTEC2 cylinders with eleven discs. PROTEC2 CLIQ™ key bow contains key electronics and battery to
power the functions of the cylinder and the key itself in a watertight package. Electronic communication between
the key and the cylinder happens via bipolar galvinc contacts. The key shaft itself functions as one pole the other
one being an insulated metal strip on the side of the key shaft. Also the power to carry out the cylinder´s functions,
is supplied via these contacts.
 PROTEC² CLIQ™ products

When a key is inserted into a cylinder, the electronic communication is activated between the key and
the cylinder. If the key is authorised to open the cylinder, the battery in the key powers the opening and
closing function of the electronic blocking of the cylinder. Both cylinder audit trail and key audit trail are
stored simultaneously.

CYLINDER MEMORY
Cylinder memory capacity

Authorized key groups / programming 1800

keys (max. 65535 keys in each group)
A list of unauthorized keys 3000
Audit trail 2000
Foreign audit trail 20

ADVANCED CYLINDER FEATURES

Sequence lock

CLIQ™ cylinders are also available with the Sequence lock feature that can be programmed to the cylinder
memory in the factory.

This lock type will require two valid keys to be inserted to the cylinder before the lock can be opened.
When the first valid key is inserted, the lock does not indicate or open. If a second valid key is entered
within 1 minute, the lock will open. The sequence starts from the beginning after one minute has passed.

PRODUCT RANGE

Wide product range - one key fits all

Robust and IP68 classified Suitable lock cylinders Cabinet locks and Key deposits for
padlocks with CLIQ™ for every door. cam locks with or storing route keys
functionality for the Available also inbuilt without CLIQ™. securely.
harshest conditions. with dust protection.
 Software

CLIQ™ Web Manager

CLIQ™ Web Manager (CWM) is a Web-based software that enables the management and control of PROTEC² CLIQ™,
an electromechanical locking system enabling full control over access authorizations and key holder activities. The
CLIQ™ system presents a solution that ensures the reliability of mechanical keys and cylinders as well as the security
and flexibility inherent in electronic locks. The CLIQ™ Web Manager user interface is currently available in 23 different
languages.

BASIC FEATURES
1. Secure login to management software
a. Triple authentication login requires local programming device, programming key with
PIN code and a valid programming key certificate for the web browser.
2. Users and products
a. Creating, importing and editing user information
b. Handing out and handing in keys to users
c. Managing lost keys
d. Managing broken keys and cylinders and also product replacements
e. Changing cylinder status and location information
f. Handling cylinders in different time zones
g. Managing remote programming devices
h. Searching, viewing and exporting information on users and components
3. Access rights
a. Defining, restricting and changing access rights
b. Time based access rights are available for all user keys. It is possible to set validity
settings (inactive, active between a time period or always active), weekly schedules and an
additional revalidation for all user keys.
4. Audit trails
a. Collecting, viewing and exporting key and cylinder audit trails. Audit trail events can be
automatically collected from user keys during remote programming.
5. Receipts and reports
a. Printing key hand out and hand in receipts
b. Viewing, exporting and printing reports of system like keys, cylinders, persons and audit trails.

ADVANCED FEATURES
1. Administration roles
a. are used for defining the functions a locking system administrator is allowed to perform.
The functions visible in software depend on the role assigned to the programming key
used by the administrator who is logged in. Administrators only have access to functions they
need in their work. For example, an administrator responsible for key management may only
have access to the hand out/hand in and the key lost/broken procedures.
 Software

2. Domains
a. are an administrative grouping feature which allows control over the specific parts of a
locking system where administrators have access to. A domain consists of a set of cylinders/
cylinder groups, user keys and persons typically associated with a geographic or administrative
region. Programming keys associated with a domain are only given administration rights for the
included cylinders.
3. Remote programming
a. is a feature for writing information to user keys and programming keys via remote programming
devices. For user keys it is possible to change cylinder authorizations (only for dynamic keys),
validity settings and weekly schedules via remote updates. The latest audit trails can be also
automatically downloaded from the key to the software during remote update. For programming
keys it is possible to assign cylinder programming tasks via remote updates.
b. CLIQ™ system can also include CLIQ™ Connect keys which support remote programming via
CLIQ™ Connect smartphone application.
4. Online opening
a. is a feature that can be set on CLIQ™ Connect keys. Once a key is entered to a cylinder, it will
request access rights from the CLIQ™ Web Manager software via smartphone app in real time. If
access rights are approved in the software the key can open the lock. Key will always request
online opening for every cylinder it can access.
5. Key revalidation
a. is a feature ensuring that keys are updated at certain time intervals. With key revalidation, keys
must be inserted in a RemotePD ("revalidated") at specified time intervals to stay active. Once
revalidated, the key stays active for the number of days, hours, and minutes specified as the
revalidation interval, counting from the time it was revalidated. If a key is not revalidated within
the specified interval, it becomes inactive until it is revalidated again.
6. Cylinder groups
a. is a set of cylinders which is used to simplify the administration in locking systems with many
cylinders. Access can be given to a cylinder group in the same way as to a single cylinder.
Combinations of cylinder groups and single cylinders can be used to create higher flexibility.
Cylinder groups are optional feature and can be defined during planning of the system.
b. Note! All CLIQ™ locks needs to be mechanically keyed alike in cylinder group systems.
7. Access profiles
a. are used to give people who have specific roles the required accesses without having to configure
each key individually. Keys and users can be associated to access profiles. The access profile
then determines where the associated users and keys have access to. Access profiles can be freely
defined in the software for example per user group office workers, cleaners, maintenance, etc.
Access profiles work dynamically. If changes are made on access profile, system will generate
remote programming tasks for each associated key automatically.
8. Flexible revalidation
a. is a feature that makes it possible to set the key revalidation interval per access profile and per
cylinder group. This feature is useful when the security level of cylinders or access profiles in
the system varies. For example access to server room is considered to be more sensitive
than access to a meeting room or more frequent revalidation might be required for subcontractors
as compared to company’s own employees.
 Software

9. Temporary access groups

a. are used to temporarily expand the access of keys by associating them with a selection of access
profiles, cylinder groups and individual cylinders. The access of a temporary access
group is the combined access of the included access rights during a time period that is defined with
a start and an end date. Start date defines the time when temporary access rights are available
from remote programming devices and end date defines the time when access right removal tasks
are downloadable. This feature should be used together with key revalidation to ensure keys are
frequently updated. This feature is useful for example in a case where one or more maintenance
technicians are on call and need temporary access for multiple sites during their shift.
10. Offline update
a. is a function that enables keys to be revalidated through a RemotePD even if the device has
temporarily lost its network connection. This is useful in situations when it is critical that a key
can get its validity extended even if the network connection is unstable. Updates of accesses
cannot be made in offline mode. Offline Update is configurable per RemotePD.
11. Integrations
a. with a third party systems (like HR system, or an access control software) are possible through
SOAP Web Services interface.

ADDITIONAL SERVICES PROVIDED BY ASSA ABLOY

ASSA ABLOY provides additional services to CLIQ™ Web Manager Installations. Below is the list of services that can
be integrated with installations. All services are hosted by ASSA ABLOY.

Digital Content server

Digital Content Server (DCS) manages and delivers digital content, such as certificates, locking system data,
firmware and software licenses to the CLIQ™ Web Manager installations in a secure manner. DCS is integrated
automatically in all Abloy hosted CLIQ™ Web Manager environments. DCS can be integrated with customers own
in-house installations as well. If an installation is not integrated with DCS, the digital content like certificates,
locking data and software licenses can be downloaded from DCS using external admin accounts. Abloy will create
DCS external admin accounts for all customers with own in-house installations.

Directory service

Directory service is an addition to DCS. It provides the correct CLIQ™ Remote server URLs as a service for remote
programming devices and CLIQ™ Connect applications. This service enables plug and play functionality for remote
programming devices, use of CLIQ™ Connect smartphone application to program CLIQ™ Connect keys and as well
as use of CLIQ™ Connect PC application to program remote programming tasks for CLIQ™ keys.

CLIQ™ Connect update service

CLIQ™ Connect update service provides CLIQ™ Connect PC application software to CLIQ™ Web Manager client PCs.

Software as a Service (SaaS)

 Software

INSTALLATION OPTIONS
Customer has two options in ordering CLIQ™ Web Manager software. Customer can either choose software as a
services (SaaS) or own in-house installation option.

Software as a Service means that installation and maintenance of CLIQ™ Web Manager environment is provided
as a service by Abloy Oy. Software upgrades, backups of databases and importing extensions to locking system
are done automatically. Customer only needs to setup network connections to CLIQ™ Web Manager and CLIQ™
Remote services and deploy client PC(s) for CLIQ™ Web Manager software usage.
Abloy hosted CLIQ™ Web Manager Environments:
• Service availability: 24/7, High-availability environment (SLA 99.0%, excluding planned maintenance)
• All CLIQ™ services are monitored 24/7
• Professional support available 24/7

Below picture presents the overview of software as a service setup. Customer’s network and devices are found
on the left side of the picture and hosting provider’s environment is depicted in the right side. Please notice the
required network connections and the direction of arrows pointing out where connections are initiated from the
picture.

Service Example URL

CLIQ Web Manager https://cwm00.abloy.com:443/CLIQWebM
CLIQ Remote https://remote00.abloy.com:443/CLIQRe
Certificate enrollment https://remote00.abloy.com:8443/CLIQW
CLIQ Connect PC update server http://cliqconnect.assaabloy.com

Service Service Example URL Example URL Abbreviation Explanation

CLIQ Web Manager https://cwm00.abloy.com:443/CLIQWebManager
CLIQ Remote
CLIQ Web Manager https://cwm00.abloy.com:443/CLIQWebManager
https://remote00.abloy.com:443/CLIQRemote
HTTP Hyper Text Transfer Protocol
HTTPS Hyper Text Transfer Protocol Secure
CLIQ Remote https://remote00.abloy.com:8443/CLIQWebManagerEnrolment
Certificate enrollment https://remote00.abloy.com:443/CLIQRemote
CRL Certificate Revocation List
CLIQ Connect PC update server http://cliqconnect.assaabloy.com
Certificate enrollment https://remote00.abloy.com:8443/CLIQWebManagerEnrolment
URL Uniform Resource Locator

Abbreviation CLIQ Connect PC update server

Explanation http://cliqconnect.assaabloy.com
HTTP Hyper Text Transfer Protocol
HTTPS Hyper Text Transfer Protocol Secure
Abbreviation Explanation

!
CRL Certificate Revocation List
URL Note: It is possible
Uniform Resource Locator to setup
a proxy server between remote programming devices and
HTTP Hyper Text Transfer Protocol
CLIQ™ RemoteHyper
HTTPS server.Text
Proxy settings
Transfer are setSecure
Protocol up in CLIQ™ Web Manager user interface
and
CRL configured to remote programming
Certificate Revocation List devices during deployment phase.
URL Uniform Resource Locator
 Software

Customer’s own in-house installation

CLIQ™ Web Manager system can be installed to customer’s own environment. Customer is then responsible of setting
up, installing and maintaining the environment for CLIQ™ system, installing the software, taking regular backups of
databases and other maintenance tasks such as software version updates and importing extensions.
Abloy will provide software installation packages including CLIQ™ certificates to customers. Certificates includes
locking system specific certificates for each remote programming device and programming key and also certificates
for installation. The certificate file for installation is called serverbundle.ccb. CLIQ™ Remote server’s hostname (e.g.
CLIQ™remote.mycompany.com) is embedded to serverbundle file to make CLIQ™ installation more secure and use
standard security methods. Therefore customer needs inform CLIQ™ Remote server’s hostname to Abloy before
serverbundle file can be created and delivered to customer.

TLS certificates for CLIQ™ Web Manager

Customer needs to purchase or create third-party TLS certificates for CLIQ™ Web Manager application and CLIQ™
Web Manager Enrolment application. Both applications are accessed using web browsers from client PCs. TLS
certificates needs to be issued by a certificate authority (CA) that is trusted by these web browsers; otherwise web
browsers cannot authenticate the server. The users will by informed by a security warning that the server cannot be
trusted. Enrolment application is used for fetching new certificates for programming keys and CLIQ™ Web Manager
application is the management software. Enrolment application is installed if DCS integration is in use and is available
from CLIQ™ Remote server.
It is highly recommended to get certificates issued by a CA that is trusted by default by the supported web browsers
to avoid configuration at each client. Examples of such CAs are VeriSign, Comodo and RapidSSL and the product
name for this type of certificate is usually “TLS certificate” or “SSL certificate”.
As the certificate must be issued to the correct server host name (Fully Qualified Domain Name, FQDN), e.g.
“CLIQ™webmanager.mycompany.com”, it is only possible to order certificates from a CA if you are the legitimate
owner of the domain used, in this example “mycompany.com”.
Address the CA of your choice for instructions on how to purchase TLS server certificates. TLS server certificates
are required when installing and configuring CLIQ™ application on servers. Customer will need one certificate for
CLIQ™ Web Manager application and one for enrolment application. In the ordering phase, it is required to mention
FQDNs for both servers (e.g. CLIQ™webmanager.mycompany.com and CLIQ™remote.mycompany.com). Alternatively
a wildcard / multidomain certificate can be used (e.g. *.mycompany.com) on both servers.

Below is the list of requirements for certificates

• Maximum length of FQDN is 81 characters
• Minimum RSA key length is 2048 bits
• Minimum signature hash algorithm is SHA-2/SHA256
• Supported formats are PKCS#1, Base64 and PEM (in cleartext, no encryption).
• Two files needed per server: TLS server certificate file and TLS private key file

System setup

The recommended setup contains four dedicated servers: CLIQ™ Web Manager application server, CLIQ™ Web
Manager database server, CLIQ™ Remote application server and CLIQ™ Remote database server. Servers can be
either physical or virtual servers. The main reasons for having four dedicated servers are security, performance and
reliability. Usually MobilePDs and CLIQ™ Connect applications will connect to CLIQ™ Remote service from Internet
side, therefore CLIQ™ Remote service needs to be available from there. The suggested setup is to place CLIQ™
 Software

Remote environment (application + database) to DMZ while locating CLIQ™ Web Manager part to more secured
Intranet (LAN). No CLIQ™ sensitive information is stored on the CLIQ™ Remote side.

!Note!
• It is not supported to install databases to same server as the CLIQ™ Web Manager or CLIQ™ Remote
application.
• CLIQ™ Web Manager and CLIQ™ Remote applications cannot be installed in the same server.
• Minimum setup is three dedicated servers, where both databases are installed in one database server.
For large systems (>1000 system elements) there may appear performance issues, therefore this setup is
not recommended.
• Both databases can be located in existing SQL cluster solution if available.
• Time synchronization of servers is important. All servers need to use the same system time and therefore
shall be synchronized to a NTP (Network Time Protocol) server.
For security reasons it is recommended to use servers physically separated by firewalls to minimize the
exposure of each node to unauthorized network traffic. An overview of the system is depicted in below
picture. Please notice that direction of arrows shows where connections are initiated and that firewalls
are discarded from picture.

Service Example URL Abbreviation Explanation

CLIQ™ Web Manager https://cwm.customer.domain.com:443/CLIQWebManager HTTP Hyper Text Transfer Protocol

CLIQ™ Remote https://remote.customer.domain.com:443/CLIQRemote HTTPS Hyper Text Transfer Protocol Secure

Enrolment https://remote.customer.domain.com:8443/CLIQWebManagerEnrolment CRL Certificate Revocation List

CLIQ™ Connect Update server http://cliqconnect.assaabloy.com URL Uniform Resource Locator

TDS Tabular Data Stream

SMTP Simple Mail Transfer Protocol

 Software

Below is the list of system elements with explanations

1. CLIQ™ Web Manager User Client PC is used by administrators of CLIQ™ locking systems to access the
CLIQ™ Web Manager software. CLIQ™ Web Manager software is accessed by using a web browser and
CLIQ™ Connect PC application.
2. Local programming device (localPD) is connected to client PCs enabling access to CLIQ™ Web Manager
software. The left key port of localPD is intended for programming keys and right port is for user keys.
3. CLIQ™ Web Manager software can be integrated with customers’ own IT systems through SOAP Web
Services interface.
4. Wall mounted programming device is used for programming CLIQ Connect keys. These
devices are connected to CLIQ™ Remote server.
5. Mobile programming device is similar to wall mounted programming device, except it is a handheld
device and utilizes the data connection of the mobile phone by using Bluetooth technology.
6. Smart phone with CLIQ™ Connect application is used to program access right for CLIQ™ Connect keys.
7. CLIQ™ Web Manager application server is the key part of the system, where CLIQ™ Web Manager
application is running. Two services are installed to this server via installer: CLIQ Web Manager Tomcat
service and Apache service. CLIQ Web Manager graphical user interface is available from this server.
8. CLIQ™ Web Manager database server contains the database for CLIQ™ Web Manager application.
9. Admin PC is intended for creating and managing CLIQ Web Manager and CLIQ Remote databases via
SQL Management studio. CLIQ Web Manager database schema is populated and updated by a software
called Service Tool. Admin PC is not mandatory, Service Tool and SQL management studio can be run
from any other PC or server which have connection to database server.
10. Email server is required for sending email messages for key holders for example on pending key updates.
11. CLIQ Remote server application server handles key update tasks. Update tasks are created in CLIQ Web
Manager and send to CLIQ Remote side until executed or cancelled. Two services are installed to this
server via installer: CLIQ Remote tomcat service and apache service. There will be following applications
available from this server, CLIQ Remote application and CLIQ Web Manager Enrolment application.
Enrolment applications is only installed if CLIQ Web Manager system is integrated with DCS server.
Enrolment application is used for fetching new certificates for programming keys.
12. CLIQ™ Remote database server contains the database for CLIQ™ Remote application.
13. CLIQ™ Connect update server is used for downloading the latest CLIQ™ Connect PC application to
CLIQ™ Web Manager Client PCs.
14. Digital Content Server is managing and delivering digital content to CLIQ™ Web Manager installations.
DCS is an ASSA ABLOY service, which is available from Internet.
15. Directory service is a background service from ASSA ABLOY for searching the correct service URL for
CLIQ Remote server. WallPDs, MobilePDs and CLIQ Connect applications will use Directory Service
automatically.

It is possible to setup Proxy servers between the following system elements:

• Between CLIQ™ Web Manager server and Digital Content Server. This proxy is set up during CLIQ™
Web Manager installation on server via installer. Installation parameters can be changed afterwards.
• Between CLIQ™ Remote server and remote programming devices. Proxy settings are assigned
in CLIQ™ Web Manager user interface and configured to remote programming devices during remotePD
deployment phase.
• Between CLIQ Connect PC application and CLIQ Web Manager/CLIQ Remote server. Proxy settings are
configured in CLIQ Connect PC application.

Below is the summary of all network connections needed by CLIQ™ Web Manager installation. Note that all
connections are initiated by end point 1. SSL/TLS requires mutual authentication using client certificates. All
connections must be end-to-end connections which cannot be terminated between.
 Software

NETWORK CONNECTIONS

END POINT 1 PROTOCOL / END POINT 2 PURPOSE

TCP PORT
User client PC HTTPS / 443 CWM server CWM user interface

Downloading latest CLIQ

User client PC HTTP / 80 Connect update server
Connect PC application

Enroll programming key

User client PC HTTPS / 8443 CLIQ Remote server
certificate

CLIQ Connect PC and

User client PC HTTPS / 443 CLIQ Remote server
programming tasks

Searching correct URL for

User client PC HTTPS / 443 Directory service
CLIQ Remote service

Remote PDs HTTPS / 443 CLIQ Remote server Programming tasks

Searching correct URL for

Remote PDs HTTPS / 443 Directory service
CLIQ Remote service

Smartphone with CLIQ Connect

HTTPS / 443 CLIQ Remote server Programming tasks
application

Smartphone with CLIQ Connect Searching correct URL for

HTTPS / 443 Directory service
smartphone CLIQ Remote service

CWM server TDS / 1433 CWM database server Database connection

Establish remote
CWM server HTTPS / 443 CLIQ Remote server
functionalities

CWM server SMTP / 25 Email server Email functionalities

Deliver digital content to

CWM server HTTPS / 7443 DCS
installation

Download certificate
CWM server HTTP / 80 DCS
revocation list

CLIQ Remote server TDS / 1433 CLIQ Remote database server Database connection

Download certificate
CLIQ Remote server HTTP / 80 DCS
revocation list

Admin PC TDS / 1433 Database servers Manage CLIQ databases

Web Service client HTTPS / 443 CWM server Web Service calls
 Software

Monitoring

CLIQ™ Web Manager and CLIQ™ Remote services can be monitored from the applications log files, which can be
found from servers.
• CLIQ™ Web Manager server
o CLIQ WebManager.log from [installation folder]\tomcat\logs
• CLIQ™ Remote server
o CLIQ Remote.log from [installation folder]\tomcat\logs
The following applications needs to be monitored from server side:
• CLIQ™ Web Manager server
o Apache and CLIQ Web Manager
• CLIQ™ Remote server
o Apache and CLIQ Remote

High-Availability setup

To achieve highest possible service availability, it is possible to setup a high-availability (HA) environment for
CLIQ™ Web Manager. HA environment contains the following.
• Two pairs of application servers, where one is active and another is passive at a time.
o One pair consists of CLIQ™ Web Manager and CLIQ™ Remote servers.
• Database servers for both CLIQ™ Web Manager and CLIQ™ Remote. Databases can be installed to
an SQL cluster.
It is important that applications in both servers pairs are not running at the same time, because applications in
different server pairs are configured to use same databases (e.g. CLIQ™ Web Manager in server pair #1 is using the
same database than CLIQ™ Web Manager in server pair #2.)

It is recommended that these server pairs should be located in different datacenters. At least to the level that if
one datacenter goes down the other pair in other datacenter will continue to function.
Both CLIQ™ Web Manager and CLIQ™ Remote services require external IPs and FQDNs (fully qualified domain
names) for customers to reach the services. It is needed to setup a routing policy that network traffic is routed
always to the active server pair. In an active server there are Apache and CLIQ™ Web Manager (or CLIQ™ Remote)
services running and in a passive server those services are stopped.
Service failover between an active and passive server pair needs to be done manually, CLIQ™ Web Manager
software will not do this automatically. At first, shutdown services from an active server pair and then start
services from passive pair. This is important in order to avoid database conflicts.
Please contact Abloy software services if you need more information on setting up a high-availability environment
for a customer.
 Software

Maintenance

Abloy will release approximately two major versions of CLIQ™ Web Manager per year. Minor patch releases are
published when needed. Abloy will support the current and one earlier major version..
It is highly recommended to update operating system patches offered by Microsoft regularly to the servers.

Security

PROTEC² CLIQ™ security is based on mechanical key system combined with CLIQ™ electronic access rights. A
CLIQ™ system can be mechanically keyed alike or masterkeyed, but all systems are still always mechanically
different. On top of this, TLS certificates are used to authenticate elements of the system. All data between keys,
cylinders, remote programming devices and CLIQ™ Web Manager is encrypted.
CLIQ™ elements are produced at the high security factory premises. All sensitive CLIQ™ data exported by the
factory is encrypted, imported and stored centralized in the CLIQ™ Web Manager database. All business logic for
handling CLIQ™ security is kept centralized in CLIQ™ Web Manager server. No CLIQ™ sensitive data is stored on
the CLIQ™ Remote application server and therefore CLIQ™ Remote server can be used in the demilitarized zone
(DMZ) recommended for external access.
The security of CLIQ™ Web Manager system is based on Public Key Infrastructure (PKI). It is used for the following
reasons.
1. Confidentiality: Encryption of data in transit and in rest
a. CWM needs to prevent an attacker from reading data sent over any network used including the
Internet so that an attacker for example cannot give himself or someone else access to cylinders
he should not be authorized to use.
b. CWM needs to prevent an attacker from reading stored data used by CWM so that an attacker for
example cannot give himself or someone else access to cylinders he should not be authorized to
use. To do this CWM uses various encryption techniques and ciphers.
2. Privacy: Encryption of private information
a. CWM needs to prevent an attacker from reading sensitive data such as employee
information sent over any network used including the Internet so that an attacker for
example cannot map employees to specific keys and work positions and so that personal
integrity of employees isn’t compromized.
3. Integrity: Message tampering and corruption protection
a. CWM needs to be able to verify the integrity of data sent over any network used including
the Internet so that CWM can be certain the data is authentic and not edited by an attacker or
corrupted during transfer. This is required even though the data is encrypted since an attacker
can still edit encrypted data and data can still be corrupted during transit.
4. Authorization: Who can access
a. CWM needs to be in control of who can access, what can be accessed and at what time.
5. Authenticity: Identification of sender
a. CWM needs to know the identity for all clients it communicates with so that CWM can use
that data to verify that the client is authorized, for traceability in logs, installation
separation and branding of CWM.
CLIQ™ Web Manager is using HTTPS/SSL/TLS protocols for encrypting the network traffic. Please see the network
connections and used protocols from the previous section. Data between the CLIQ™ key and CLIQ™ lock and
between CLIQ™ key and CLIQ™ Web Manager client are encrypted in AES.
 Software

Classifications and standards

IP classification, EN 60079-0 and EN 1303:2005 and SFS 5970/7020

IP68 designation EN 60079-11 EN 15684:2012 class 1 and class 3
APEX approval Grade 6

IP codes indicate how well The ATEX approval indicates Durability (number of cycles Manipulation and physical
an item is protected against that the products can be 100 000) and key related attack
dust and water ingress. used in areas which contain security (100 000
any types of gases, vapours, combinations)
The IP68, the highest ignitable dust or air*
designation indicates a
hermetic seal.

*the ingination temperature of the

hazardous subtances must not
be below 135 ˚C

!
Please check the latest system
Note! requirements and product features with
your local PROTEC² CLIQ™ dealer.
Telemedia Transportation/Logistics Designed for you

DOUBLE SECURED
MECHANICAL ELECTRONIC
LOCKING ACCESS CONTROL

Healthcare Power industry Water industry

 Award winning

Abloy Oy develops continuously the products and solutions offered. Therefore, the information contained in the marketing materials is subject to change without notice.
Double secured access
control technology
PROTEC2 CLIQ™
system by Abloy Oy

2000 pcs Punamusta Oy, Joensuu

PEFC/02-31-151

ABLOY secures people, property, and MANUFACTURER:

business operations on land, at sea,
and in the air – in all circumstances.
Abloy Oy
Wahlforssinkatu 20
ASSA ABLOY is the global leader in door P.O. Box 108
opening solutions, dedicated to satisfying FI-80101 Joensuu | Finland
end-user needs for security, safety and Tel. +358 20 599 2501
8807193  8/2018

convenience. WWW.ABLOY.COM

An ASSA ABLOY Group brand