IBM® Security Access Manager for Enterprise Single Sign-On Version 8.2 Configuration Guide GC23-9692-01 IBM® Security Access Manager for Enterprise Single Sign-On Version 8.2 Configuration Guide GC23-9692-01 Note Before using this information and the product it supports, read the information in “Notices” on page 123. Edition notice Note: This edition applies to version 8.2 of IBM Security Access Manager for Enterprise Single Sign-On, (product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright IBM Corporation 2002, 2012. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this publication ........v Changing the AccessAgent interface .....52 Intended audience ............v Disabling the ESSO GINA or ESSO Credential What this publication contains ........v Provider ..............52 Publications ..............vi Configuring the AccessAgent functionality features 53 IBM Security Access Manager for Enterprise Changing the Ctrl+Alt+Delete support in Single Sign-On library ..........vi Windows 7 .............53 Accessing terminology online .......viii Configuring the transparent screen lock settings 53 Accessing publications online .......viii Enabling single sign-on for Java applications . 55 Ordering publications .........viii Configuring AccessAgent to use EnWinNetUse 56 Accessibility ..............ix Enabling the Observer Help ........57 Tivoli technical training ..........ix Configuring event reporting in the Windows Tivoli user groups ............ix Event log ..............58 Support information ...........ix Configuring the system modal message box . 58 Conventions used in this publication ......ix Enabling emergency hot key for private desktops 58 Typeface conventions ..........x Configuring the AccessAgent accessibility features 59 Operating system-dependent variables and paths x Enabling animation effect for AccessAgent . 59 AccessAgent keyboard shortcuts ......59 Chapter 1. Configuring the IMS Server . 1 Accessing the IMS Configuration Utility .....1 Chapter 4. Configuring Citrix and Provisioning IMS Server Administrators .....1 Terminal Servers ..........61 Basic settings ..............2 Configuring a Citrix deployment .......61 Adding an authentication service ......2 Configuring a Terminal Server deployment ....61 Configuring the IMS Server to use directory Changing the Server AccessAgent mode .....61 servers ...............3 Customizing AccessAgent on the Citrix or Terminal Enabling biometric support ........10 Server ................62 Configuring ActiveCode deployment .....10 Configuring the time threshold for synchronization Advanced settings ............14 timestamp ...............63 Setting AccessAdmin ..........14 Setting the IMS Server ..........21 Chapter 5. Configuring a strong Setting the data source .........25 authentication setup .........65 Setting message connectors ........28 Setting up RFID authentication ........65 Setting the IMS bridge..........32 Setting up ARFID authentication .......66 Configuring user authentication ......34 Installing an ARFID reader in a computer Utilities................39 without AccessAgent ..........66 Uploading system data .........39 Installing an ARFID reader in a computer with Exporting the IMS Server configuration with the AccessAgent .............66 IMS Configuration Utility ........40 Setting up fingerprint authentication ......67 Importing the IMS Server configuration with the Installing the Native Library Invoker resource IMS Configuration Utility ........41 adapter ...............67 Translating event and result codes ......43 Integrating a BIO-key fingerprint reader ....68 Configuring HTTP compression .......43 Integrating a DigitalPersona fingerprint reader . 69 Integrating a UPEK fingerprint reader ....70 Chapter 2. Backing up and recovering Setting up smart card authentication ......70 the IMS Server, WebSphere Application Enabling two-way SSL..........71 Server profiles, and database .....45 Importing smart card CA certificates .....71 Backing up WebSphere Application Server profiles 45 Enabling smart card authentication .....72 Restoring the WebSphere Application Server profiles 46 Configuring hybrid smart cards ......75 Backing up the database in DB2 .......46 Using the smart card self-certification tool . 75 Restoring the database in DB2 ........47 Configuring DNIe smart cards .......76 Unregistering the DNIe certificate store ....77 Chapter 3. Configuring AccessAgent 49 Adding a registry key for the DNIe smart card middleware .............77 Configuring the AccessAgent user interface....49 Setting up OTP and MAC authentication ....78 Launching applications from ESSO GINA . 49 Configuring OTP (OATH) ........78 Changing the AccessAgent banner......52 Configuring OTP (VASCO) ........79 © Copyright IBM Corp. 2002, 2012 iii Configuring MAC ...........81 Appendix F. Planning worksheet . 101 Configuring MAC-only registration of users . 82 About RADIUS authentication .......82 Appendix G. Command-line interface Configuring OTP token policy settings ....83 reference .............113 Advanced settings for OATH-based OTPs . 84 cleanImsConfig command .........113 Chapter 6. Configuring a secure deployIsamessoIms command ........114 deployIsamessoImsConfig command .....115 deployment.............87 exportImsConfig command .........115 Removing sample WebSphere Application Server managePolPriority command ........116 servlets and applications ..........87 setupCmdLine command .........116 Securing access to configuration data ......87 upgradeSymCrypto command ........116 Setting a limit on logon attempts .......88 uploadDpx command ..........117 Restricting HTTP connections ........88 uploadOath command ..........118 Disabling directory browsing ........89 uploadSync command ..........118 vrfyLogs command ...........119 Appendix A. Logging on to Scripts for Virtual Appliance ........119 AccessAdmin ............91 collectLogs command..........119 configureTcrforIms command .......120 Appendix B. Setting up policy installTcr command ..........120 resetImsVa command..........121 templates .............93 Notices ..............123 Appendix C. Automatically assigning User Policy Templates to new users . 95 Glossary .............127 Appendix D. Excluding machine Index ...............135 attributes..............97 Appendix E. Configuring JMX support 99 iv IBM® Security Access Manager for Enterprise Single Sign-On: Configuration Guide About this publication The IBM® Security Access Manager for Enterprise Single Sign-On provides sign-on and sign-off automation, authentication management, and user tracking to provide a seamless path to a strong digital identity. The IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide provides information about configuring the different components of the product. Intended audience This publication is for Administrators who set up the main components of IBM Security Access Manager for Enterprise Single Sign-On after completing the necessary installations. Administrators configure the following components: v IMS Server v AccessAgent v Authentication factors such as: – Passwords – Secrets – ARFID – RFID – Fingerprint readers (BIO-key, DigitalPersona, UPEK) – Smart cards What this publication contains This publication contains the following sections: v Chapter 1, “Configuring the IMS Server,” on page 1 Covers the different configurable settings and utilities in the IMS Configuration Utility. You can provision an IMS Server administrator, register an authentication service, configure the enterprise directory, data source, and user authentication. v Chapter 2, “Backing up and recovering the IMS Server, WebSphere Application Server profiles, and database,” on page 45 Provides information on how to back up the database for recovery when data loss occurs. v Chapter 3, “Configuring AccessAgent,” on page 49 Provides instructions for configuring AccessAgent user interface and behavior. You can choose not to enable the ESSO GINA and change the AccessAgent banner. v Chapter 4, “Configuring Citrix and Terminal Servers,” on page 61 Provides instructions for configuring the Citrix and Terminal Server and how to implement the AccessAgent lightweight mode. v Chapter 5, “Configuring a strong authentication setup,” on page 65 Provides instructions for installing and configuring ARFID and biometric readers, as well as configuring smart card middleware support. v Chapter 6, “Configuring a secure deployment,” on page 87 © Copyright IBM Corp. 2002, 2012 v Provides instructions for protecting your deployment against potential security risks. v Appendix A, “Logging on to AccessAdmin,” on page 91 Describes how to access and log on to AccessAdmin. v Appendix B, “Setting up policy templates,” on page 93 Provides instructions on how you can automatically set up policy templates, depending on the needs of your organization. v Appendix C, “Automatically assigning User Policy Templates to new users,” on page 95 Provides instructions on how you can configure user attributes and map them to user policy templates in AccessAdmin. v Appendix D, “Excluding machine attributes,” on page 97 Provides steps on how you can manage machine attributes with the IMS Server. v Appendix E, “Configuring JMX support,” on page 99 Describes how you can use Java Management Extensions to monitor the IMS server beans. v Appendix F, “Planning worksheet,” on page 101 Provides the default and sample values for the installation