eToken TMS 2.0 SP3 Connectors Guide
eToken Token Management System (TMS)
Version 2.0 SP3
Connectors Guide
April 2008
Contact
USA
1-866-202-3417
00800-22523346
+972-3-9781299
You can submit a question to the Aladdin eToken technical support team at
the following web page:
https://portal.aladdin.com/akscrmocp/gatepage.asp
Website
http://www.aladdin.com/eToken
Additional Documentation
We recommend reading the following Aladdin eToken publications:
Text Conventions
The following conventions are followed throughout this manual.
Convention    Explanation
Boldface
Italicized
Note
Caution
Table of Contents
Chapter 1 Introduction (page 1)
Chapter 2 The TMS Microsoft CA Connector (page 3)
Introduction (page 4)
Prerequisites (page 4)
Configuring the CA (page 5)
Setting CA Security Properties (page 9)
Defining TPO Rules (page 10)
Environment (page 52)
Defining TPO Rules (page 53)
Chapter 1
Introduction
eToken TMS is a robust full life-cycle management system for your entire
eToken enterprise authentication solution.
TMS provides a unique answer to one of the main challenges in managing
security in an enterprise: connecting the users, their security devices, and the
organizational policies to the associated security applications. TMS links them
all into a single automated and fully configurable system, removing the
barriers to the implementation of enterprise-wide security services - in
particular those that rely on PKI technology.
For more information, please see Aladdin's eToken TMS 2.0 SP3 Installation
and Configuration Guide.
Aladdin TMS is based on an open standards architecture, with configurable
connectors. This supports integration with a wide range of security
applications including network logon, VPN, web access, one-time password
authentication, secure e-mail and data encryption.
Chapter 2
The TMS Microsoft CA Connector
The TMS Microsoft CA (MSCA) Connector enables the user to generate
certificates using the Microsoft Certification Authority (CA) services.
This chapter includes the following:
Introduction
Prerequisites
Configuring the CA
Setting CA Security Properties
Defining TPO Rules
Introduction
Two types of certification authorities (CAs) are provided by Windows 2000
and Windows Server 2003 Certificate Services:
Prerequisites
User stores supported
User Store        Supported
AD                Yes
MS SQL Server
OpenLDAP
Required DLLs
DLL: xenroll
Purpose: Token side
TPO / TPS / TMS Self Service Center / Management Center: No / Yes / Yes
DLL: scrdenrl
Purpose: CA and Token
TPO / TPS / TMS Self Service Center / Management Center: No / Yes / No
DLL: Certadmin
Purpose: CA side configuration and enrollment
TPO / TPS / TMS Self Service Center / Management Center: Yes / No / No
DLL: Certcli
Purpose: CA side configuration and enrollment
TPO / TPS / TMS Self Service Center / Management Center: Yes / No / No
The required DLL files are supplied with the supported operating systems and
service packs.
In Windows XP, AdminPack must be installed for the required DLLs.
Configuring the CA
The CA must be configured before it is connected to TMS. This involves
adding the appropriate templates, and setting the security properties.
3. Right-click the template of the required certificate, and from the submenu select Properties.
The Properties dialog box opens.
4. Select the Security tab.
The Security tab opens.
3. For each request, enter the appropriate information in the relevant fields,
and click OK.
Create New Request Dialog Box Fields
Field name            Requirements    Description
Request Name          Required
Type                  Required
Windows Version       Required
Certificate Usage     Required
Templates             Required
For each request, the information entered in the Create New Request dialog
box is displayed. Enter additional information in the relevant fields.
Microsoft CA New Request Policies
Field name                                                     Requirements
Certificate backup                                             Not required
eToken Virtual support                                         Not required
Key is required after revocation                               Not required
Certificate revocation list (CRL)                              Not required
Import the certificate to the local machine certificate store  Not required
Override certificate department                                Not required
Certificate department                                         Not required
Automatic certificate renewal                                  Not required
Reuse keys when certificate is renewed                         Not required
Random user password                                           Not required
Force smartcard usage for logon                                Not required
Chapter 3
The TMS Network Logon Connector
The TMS Network Logon Connector ensures strong network protection,
combined with convenience and portability. The TMS Network Logon
Connector authenticates the user through a user name and password.
This chapter includes the following:
Introduction
Environment
Defining TPO Rules
Introduction
Windows operating systems enable you to use a different access mechanism
in place of the default authentication method.
The identification and authentication aspects of the Windows logon are
implemented as a replaceable DLL called GINA (Graphical Identification and
Authentication). A new GINA DLL can replace the standard msgina.dll when
the system needs to use another method of authentication in place of the
Windows default user name/password mechanism. Thus, Windows and
eToken together provide the ideal solution for corporate network security.
Depending on your organization's policies, it is possible for the users
themselves to create Windows logon profiles, which are stored on their tokens.
The TMS Network Logon Connector, also referred to as the GINA Connector,
supports and provides easy deployment of user profiles for the Aladdin
eToken Network Logon product.
The TMS Network Logon Connector enables you to initialize each token with
a list of login profiles. Each login profile contains a user ID name, a domain
that the user belongs to, a password, and a set of options.
The TMS Network Logon Connector is installed automatically when installing
TMS. To start working with tokens, configure the connector by setting the
connector parameters.
Environment
User stores supported
User Store        Supported
AD                Yes
MS SQL Server     No
OpenLDAP          No
To display the policies associated with the TMS Network Logon Connector,
click the default profile in the Connector Policy Object Editor window.
The policies associated with the TMS Network Logon Connector are listed in
the following table.
TMS Network Logon Connector Policies
Policy                     Required?       Description
Domain netbios name        Required
Support eToken Virtual     Not required
Logon factor               Not required
Password type              Not required
Random password length
Chapter 4
The TMS P12 Certificate Import
Connector
This chapter contains the following sections:
Introduction
Environment
Defining TPO Rules
Introduction
The TMS P12 Certificate Import Connector enables the user to import onto
their smartcards and tokens:
PFX (P12) files: files that contain a certificate and a private key in
P12 format
CER files: files that contain only the certificate, without the private
key
Root CA certificate files
Use the TMS P12 Certificate Import Connector in the following situations:
You already have PFX files, and you want to import them onto the
token.
For example, you use a third-party service to generate certificates for
your employees, and you receive the certificates from that service as
a group of PFX files.
You want to import CA certificates as Root CA certificates on the
token, and then copy those to the PC store upon token insertion.
Environment
User stores supported
User Store        Supported
AD                Yes
MS SQL Server     Yes
OpenLDAP          Yes
The TMS P12 Certificate Import Connector is used to put two types of
certificates onto a token:
User Certificates
CA Certificates
User Certificates
A user certificate is unique to each user. It includes a private key for
encryption, signing and other PKI usage.
The fields for each user certificate to be added are displayed in the User
Certificates Properties dialog box:
User
Certificate
Password Known
Enroll to eToken Virtual
Each line of an index file must contain three parameters separated by semicolons:
CA Certificates
A CA certificate is common to all users in the domain. It contains only the
certificate without a private key.
The fields for each CA certificate are:
Certificate
Enroll to eToken Virtual
To add a CA certificate:
1. Click Add.
The Add new CA certificate dialog box opens.
2. Do the following:
Chapter 5
The TMS Flash Management
Connector
This chapter contains the following sections:
Introduction
Environment
Defining TPO Rules
Introduction
With the TMS Flash Management Connector, you can create a CD-ROM
partition on an eToken NG-Flash device. This allows you to include
applications and data on the CD-ROM partition of the device to share with all
the users in the domain.
You can also include an autorun file on the CD-ROM partition of the device.
This initiates automated application execution whenever the device is
inserted into a computer's USB port.
The files to be uploaded to the token for the TMS Flash Management
Connector are in one of the following:
An FTP folder
A File System Upload folder
Note: During re-enrollment, if the name of the folder containing the files to
upload has not changed, the CD-ROM partition is not recreated, even if the
contents of the folder have changed. To force re-enrollment, change the name
of the folder containing the files.
Environment
User stores supported
User Store        Supported
AD                Yes
MS SQL Server     Yes
OpenLDAP          Yes
The policies associated with the TMS Flash Management Connector are listed
in the following table.
TMS Flash Management Connector Policies
Field name                  Requirements                                                Description
CD-ROM Partition Size       Not required
File System Upload Folder   Required when an FTP folder is not used
FTP Server                  Required when a File System Upload folder is not used       No default
FTP Folder                  Required when a File System Upload folder is not used
FTP Username                Not required                                                The FTP logon username. Default is anonymous
FTP Password                Not required                                                No default
Chapter 6
The TMS Check Point Internal CA
Connector
The TMS Check Point Internal CA Connector is a software component that
provides TMS users with the ability to log in to Check Point's security
applications using Aladdin's eToken device as the user authentication
method.
The TMS Check Point Internal CA Connector supports Check Point Firewall
versions NG (R55) or NGX (R60) and later.
This chapter contains the following sections:
Overview
Internal CA vs. External CA
Requirements
Configuring the CP Firewall Management
Defining TPO Rules
Overview
Check Point Software Technologies Ltd (CP) is a leading provider of security
applications. Check Points main products are VPN and Firewall. At this time,
Check Point provides a unified security solution called NGX which includes
both VPN and Firewall.
Check Point security applications provide a secured environment, allowing
only authorized, authenticated users to log in. CP applications support
specific types of user authentication, including digital certificate-based
authentication (PKI).
With the TMS Check Point Internal CA Connector, the administrator enables
a simple and secure VPN connection to the network using the Check Point
Internal CA and a token.
The connector creates certificates for users using the Check Point Internal CA,
and loads the certificates automatically onto the users' tokens. The connector
can also add new users to the Firewall Management.
Requirements
User stores supported
User Store        Supported
AD                Yes
MS SQL Server     Yes
OpenLDAP          Yes
4. Click Communication.
The Communication dialog box opens.
5. Enter and confirm an Activation Key. Record the Activation Key for use
in the Defining TPO Rules section.
7. Click OK.
5. Enter a Name for the profile, and select the Permissions tab.
The Permissions tab opens.
8. Click OK.
The procedures to set the policies are described in the following sections:
In the Firewall Display Name field, type any name. This name
will appear in the Firewall Server list.
In the Firewall IP Address or Name field, type the IP address or
name of the firewall.
Select Import Certificate to import the Check Point OPSEC
certificate to TMS for authentication against the Check Point
Firewall.
The Opsec Activation Key dialog box opens.
6. Type the activation key of the certificate created in the Configuring the CP
Firewall Management section, and click OK.
The New Firewall Configuration dialog box is displayed.
7. If the certificate was successfully imported, the message "A valid Opsec
certificate exists" is displayed below the Firewall IP Address or Name field.
If an error message is displayed, correct the error.
8. To test the connection between TMS and the Check Point Firewall, click
Test Connection.
2. Select Define this policy setting and from the drop-down box, select a
template for initializing all the attribute fields of a new firewall user.
3. To view a list of templates available on the firewall, click Retrieve
templates from firewall.
4. Click OK.
Note: Check Point does not support concurrent write access to the internal
users database. To prevent enrollment failure, the Check Point
SmartDashboard application must not be open during an automatic new user
enrollment.
Do not synchronize
Always synchronize
Synchronize only on admin enrollment
Synchronize only on self enrollment
All Gateways
Selected Gateways: To retrieve the names of gateways, click
Retrieve names from firewall, and select gateways from the
Policy installation targets box.
5. Click OK.
Chapter 7
The TMS OTP Authentication
Connector
This chapter contains the following sections:
Introduction
Environment
Defining TPO Rules
Introduction
The One-Time-Password (OTP) concept was developed to provide a high level
of security. OTP technology allows for a password to be used only once
(hence: One-Time Password), and a new password is generated each time a
password is required.
eToken implements OTP technology in its NG-OTP and PASS tokens, and
implements smart card technology for use with PKI/digital certificates.
The TPO rules dictate which password(s) must be provided by the user for
authentication:
OTP Only The user must enter the number displayed on the
eToken NG-OTP or eToken PASS
OTP PIN and OTP The user must enter the secret OTP PIN, as
well as the number displayed on the eToken NG-OTP or eToken
PASS
Windows password and OTP The user must enter the Windows
password, as well as the number displayed on the eToken NG-OTP
or eToken PASS
Environment
User stores supported
User Store
AD
Yes
MS SQL Server
Yes
OpenLDAP
Yes
eToken NG-OTP and eToken PASS are the only token hardware that can be
used for OTP authentication. They must be formatted with the HMAC SHA1
Support Module.
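As an added example (not Aladdin's code or the TMS implementation), the following Python models the server side of the three authentication methods listed above and of the HMAC-SHA1 OTP scheme, assuming the tokens produce OATH HOTP values (RFC 4226) from HMAC-SHA1 over a moving counter; the method names, the look-ahead window, the PIN/password values and the sample secret are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Assumption: the token computes OATH HOTP (RFC 4226) with HMAC-SHA1 over a
# counter. The constants below are illustrative, not TMS defaults.
DIGITS = 6
LOOK_AHEAD = 10  # how far past the expected counter the server will search


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Per-user server state: shared secret, next expected counter, and the
    TPO authentication method that decides what precedes the OTP digits."""

    METHODS = ("otp_only", "pin_and_otp", "password_and_otp")

    def __init__(self, secret: bytes, method: str,
                 otp_pin: str = "", windows_password: str = ""):
        if method not in self.METHODS:
            raise ValueError("unknown authentication method")
        self.secret = secret
        self.method = method
        self.otp_pin = otp_pin
        self.windows_password = windows_password
        self.counter = 0  # next counter value the server expects

    def _expected_prefix(self) -> str:
        # "OTP Only" has no prefix; the other methods put a secret before the OTP.
        return {"otp_only": "",
                "pin_and_otp": self.otp_pin,
                "password_and_otp": self.windows_password}[self.method]

    def verify(self, submitted: str) -> bool:
        """Split <prefix><OTP>, check the prefix in constant time, then search
        the look-ahead window. On success the counter moves past the used
        value so the same OTP cannot be replayed (used only once)."""
        if len(submitted) < DIGITS:
            return False
        prefix, otp = submitted[:-DIGITS], submitted[-DIGITS:]
        if not hmac.compare_digest(prefix, self._expected_prefix()):
            return False
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False
```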
Field name                                Requirements                                              Description
Authentication Method                     Not required                                              Select from: OTP Only, OTP PIN and OTP, Windows password and OTP
                                          Not required; permission ignored in non-AD environments; no default
                                          Not required                                              Select from:
Length                                    Not required
Allow OTP enrollment to eToken Virtual    Not required
Chapter 8
Glossary
Term (Abbreviation): Description
Active Directory (AD): A Microsoft implementation of LDAP directory services
to store information and settings relating to an organization in a central,
organized, accessible database. Allows administrators to assign policies,
deploy software, and apply critical updates to an entire organization.
ASP
Authentication Server: Authentication, usually of OTP tokens.
Backend Service
Block Policy Inheritance Flag: Used in policy calculation to determine if
settings in TPOs higher than the current one are ignored (on) or applied (off).
CardOS 4.2
Certification Authority (CA)
Check Point Management Interface (CPMI)
Check Point Software Technologies Ltd. (CP)
Connectors
Cryptographic API (CAPI): Microsoft's application programming interface that
isolates programmers from the code used to encrypt the data.
Cryptographic Service Provider (CSP)
Disable Flag
Domain Controller (DC) (AD)
Domain Name System (DNS): Provides a keyword-based redirection service for
the Internet. Stores and associates many types of information with domain
names. Translates domain names (computer hostnames) to IP addresses. Lists
mail exchange servers accepting e-mail for each domain.
eToken Token Management System (TMS)
Federal Information Processing Standards (FIPS)
Graphical Identification and Authentication Library (GINA)
Group Policy Object (GPO)
Hash Message Authentication Code (HMAC): A type of message authentication
code (MAC) calculated using a cryptographic hash function in combination
with a secret key. May be used to simultaneously verify both the data
integrity and the authenticity of a message. Any iterative cryptographic hash
function, such as MD5 or SHA-1, may be used in the calculation of an HMAC;
the resulting algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly. The
cryptographic strength of the HMAC depends upon the cryptographic strength
of the underlying hash function, on the size and quality of the key, and on
the size of the hash output length in bits.
Lightweight Directory Access Protocol (LDAP)
Logical access control: A collection of policies, procedures, organizational
structure, and electronic access control.
Microsoft Active Directory Application Mode (ADAM)
Microsoft Management Console (MMC): A component of modern Microsoft Windows
operating systems.
Flag
One-Time Password (OTP): An authentication method that uses a password
generator to create a different password each time a password is required.
The password is constantly altered, making it more difficult for an
unauthorized intruder to gain unauthorized access to restricted resources.
Open Platform for Security (OPSEC)
Organizational Unit (OU)
PFX Files
Proximity Card: Contactless smartcard; contactless integrated circuit device.
Public Key Cryptography Standards (PKCS)
Public Key Cryptography Standards #11 (PKCS#11)
Public Key Infrastructure (PKI)
Radio Frequency Identification (RFID)
Root Certificate: A self-signed certificate of a CA, and part of a public key
infrastructure scheme.
RSA (RSA)
Runtime Environment (RTE)
Secure Hash Algorithm (SHA-1): A cryptographic hash function designed by the
National Security Agency to compute a fixed-length digital representation
(known as a message digest) that is, to a high degree of probability, unique
for a given input data sequence (the message).
Security Assertion Markup Language (SAML)
Shadow Domain
Single Sign-On (SSO): A software authentication method that enables a user to
authenticate once to gain access to the resources of multiple software systems.
SSL
Software Development Kit (SDK)
TPO
Virtual Private Network (VPN): A private communications network often used by
companies or organizations to communicate confidentially over a public
network. VPN traffic can be carried over a public networking infrastructure
(e.g. the Internet) on top of standard protocols, or over a service
provider's private network with a defined Service Level Agreement between the
VPN customer and the VPN service provider.
Appendix 1
NOTICE
All attempts have been made to make the information in this document
complete and accurate. Aladdin is not responsible for any direct or indirect
damages or loss of business resulting from inaccuracies or omissions. The
specifications in this document are subject to change without notice.
Appendix 2
FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B
digital device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation.
This equipment generates, uses and can radiate radio frequency energy and, if
not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that
interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one of the following
measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which
the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.
FCC Warning
Modifications not expressly approved by the manufacturer could void the user's
authority to operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
FCC authorities have determined that the rest of the eToken product line does
not contain a Class B Computing Device Peripheral and therefore does not
require FCC regulation.
CE Compliance
The eToken product line complies with the CE EMC Directive and related
standards*. eToken products are marked with the CE logo, and an eToken CE
conformity card is included in every shipment or upon demand.
UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability
of Plastic Materials for Parts in Devices and Appliances. eToken products
comply with UL 1950 Safety of Information Technology Equipment
regulations.
Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of
Compliance to any software developer who wishes to demonstrate that the
eToken product line conforms to the specifications stated. Software
developers can distribute this certificate to the end user along with their
programs.