
Token Management System (TMS)
Version 2.0 SP3
Connectors Guide
April 2008

Contacting Aladdin eToken

If you have any questions about Aladdin eToken, contact your local reseller or
the Aladdin eToken technical support team:

Region: USA
Contact: 1-866-202-3417, [email protected]

Region: Austria, Belgium, France, Germany, Italy, Netherlands, Spain,
Switzerland, UK, Ireland
Contact: 00800-22523346

Region: Rest of the World
Contact: +972-3-9781299

You can submit a question to the Aladdin eToken technical support team at
the following web page:
https://portal.aladdin.com/akscrmocp/gatepage.asp

Website
http://www.aladdin.com/eToken

Additional Documentation
We recommend reading the following Aladdin eToken publications:

eToken TMS 2.0 SP3 Installation and Configuration Guide
eToken TMS 2.0 Reference Guide
eToken TMS 2.0 ReadMe
eToken TMS 2.0 SDK Reference Guide
eToken OTP Authentication 2.0 Administrator's Guide
eToken TMS - Entrust Connector 2.0 SP2 Administrator's Guide

About This Manual

Intended Audience
This manual should be read by eToken customers and system
administrators/integrators who wish to install and configure eToken
TMS 2.0.

Text Conventions
The following conventions are followed throughout this manual.

Boldface: Used to indicate text that you click, type, or execute.
Example: Click Enter or Save or Delete.

Italicized: Used to highlight objects in the application.
Example: The Production Domain window opens.

Note: Indicates additional information related to the task being discussed.

Caution: Identifies potential problems that the user should look out for when
completing a task, or problems to be addressed before completing a task.

>: Used as a shortcut to indicate the path to be followed.
Example: Programs > eToken > TMS indicates: From the Programs menu, choose
the eToken submenu. In eToken, choose the TMS option.

Sidebar: Provides ancillary information on the topic being discussed. Read the
sidebars to learn additional information about the topic.

Table of Contents
Chapter 1 Introduction ... 1
Chapter 2 The TMS Microsoft CA Connector ... 3
    Introduction ... 4
    Prerequisites ... 4
    Configuring the CA ... 5
    Setting CA Security Properties ... 9
    Defining TPO Rules ... 10
Chapter 3 The TMS Network Logon Connector ... 17
    Introduction ... 18
    Environment ... 18
    Defining TPO Rules ... 18
Chapter 4 The TMS P12 Certificate Import Connector ... 21
    Introduction ... 22
    Environment ... 22
    Defining TPO Rules ... 23
Chapter 5 The TMS Flash Management Connector ... 29
    Introduction ... 30
    Environment ... 30
    Defining TPO Rules ... 31
Chapter 6 The TMS Check Point Internal CA Connector ... 33
    Overview ... 34
    Internal CA vs. External CA ... 34
    Requirements ... 34
    Configuring the CP Firewall Management ... 35
    Defining TPO Rules ... 43
Chapter 7 The TMS OTP Authentication Connector ... 51
    Introduction ... 52
    Environment ... 52
    Defining TPO Rules ... 53
Chapter 8 Glossary ... 55
Appendix 1 Copyrights and Trademarks ... 65
    NOTICE ... 65
Appendix 2 FCC Compliance ... 67
    FCC Warning ... 67
    CE Compliance ... 67
    UL Certification ... 68
    ISO 9002 Certification ... 68
    Certificate of Compliance ... 68

Chapter 1
Introduction
eToken TMS is a robust full life-cycle management system for your entire
eToken enterprise authentication solution.
TMS provides a unique answer to one of the main challenges in managing
security in an enterprise: connecting the users, their security devices, and the
organizational policies to the associated security applications. TMS links them
all into a single automated and fully configurable system, removing the
barriers to the implementation of enterprise-wide security services - in
particular those that rely on PKI technology.
For more information, please see Aladdin's eToken TMS 2.0 SP3 Installation
and Configuration Guide.
Aladdin TMS is based on an open standards architecture, with configurable
connectors. This supports integration with a wide range of security
applications including network logon, VPN, web access, one-time password
authentication, secure e-mail and data encryption.

Chapter 2
The TMS Microsoft CA Connector
The TMS Microsoft CA (MSCA) Connector enables the user to generate
certificates using the Microsoft Certification Authority (CA) services.
This chapter includes the following:

Introduction
Prerequisites
Configuring the CA
Setting CA Security Properties
Defining TPO Rules

Introduction
Two types of certification authorities (CAs) are provided by Windows 2000
and Windows Server 2003 Certificate Services:

Standalone: permits the generation of certificates for anyone
Enterprise: permits the generation of certificates for authenticated
users only, and requires Active Directory to be installed

The TMS Microsoft CA Connector interacts with both types of CAs, enabling
certificates to be generated for these CAs.
For more information on certificates and CAs, refer to Microsoft
documentation.

Prerequisites
User stores supported

User Store: AD
Supported by this Connector: Yes

User Store: MS SQL Server
Supported by this Connector: Only for offline requests where the subject name
is provided manually. Supported only for a standalone CA.

User Store: OpenLDAP
Supported by this Connector: Only for offline requests where the subject name
is provided manually. Supported only for a standalone CA.

Microsoft DLL files required for MSCA

DLL: xenroll
Purpose: Token side
TPO Management Center: No
TPS: Yes
TMS Self Service Center: Yes

DLL: scrdenrl
Purpose: CA and Token
TPO Management Center: No
TPS: Yes
TMS Self Service Center: No

DLL: Certadmin
Purpose: CA side configuration and enrollment
TPO Management Center: Yes
TPS: No
TMS Self Service Center: No

DLL: Certcli
Purpose: CA side configuration and enrollment
TPO Management Center: Yes
TPS: No
TMS Self Service Center: No

The required DLL files are supplied with the supported operating systems and
service packs.
In Windows XP, AdminPack must be installed for the required DLLs.

Configuring the CA
The CA must be configured before it is connected to TMS. This involves
adding the appropriate templates, and setting the security properties.

Adding a Template to the CA

To add a template to the CA:
1. From the Windows Start menu, go to Programs > Administrative Tools
> Certification Authority.
The Certification Authority window opens.
2. In the navigation pane, expand the entry under Certification Authority
(Local), and select Certificate Templates.
In this example, tms.ca is the entry under the client environment's
Certification Authority (Local).
Templates that are in the database and in the CA are displayed in the right
pane.
3. Right-click the required certificate template, and from the sub-menu
select New > Certificate Template to Issue.
The Enable Certificate Templates dialog box opens.
4. Select the appropriate certificate template, and click OK.

Setting Template Security Properties

Set the template's security properties to define which privileges are given to
each organizational group. Authorize those users who need to enroll
certificates in the CA to request certificates.

Setting Properties in Windows Server 2003

To set template security properties in Windows Server 2003:
1. From the Windows Start menu, go to Programs > Administrative Tools
> Certification Templates.
The Certification Templates window opens.
2. In the navigation pane, right-click Certificate Authority, and from the
sub-menu select Manage.
The templates are displayed in the right pane.
3. Right-click the template of the required certificate, and from the
sub-menu select Properties.
The Properties dialog box opens.
4. Select the Security tab.
The Security tab opens.
5. Select the required permissions for all relevant organizational groups.

Setting Properties in Windows 2000 Server

To set template security properties in Windows 2000 Server:
1. From the Windows Start menu, go to Programs > Administrative Tools
> Active Directory Sites and Services.
The Active Directory window opens.
2. On the View menu, select Show Properties Node.
3. In the navigation pane, select Certificate Templates.
The templates are displayed in the right pane.
4. In the right pane, right-click the required template, and from the
sub-menu, select Properties.
The Properties dialog box opens.
5. Select the Security tab.
The Security tab opens.
6. Select the required permissions for all relevant organizational groups.

Setting CA Security Properties


Set the CA's security properties to define which permissions are given to each
organizational group.
To set CA security properties:
1. From the Start menu go to Programs > Administrative Tools > Active
Directory Sites and Services.
The Active Directory window opens.
2. In the navigation pane, right-click Certificate Authority and from the
sub-menu select Properties.
The Properties dialog box opens.
3. Select the Security tab.
The Security tab opens.
4. Set the required permissions for each organizational group.

Defining TPO Rules

To create a new request:
1. In the TPO Editor, right-click Microsoft CA Connector, or on the menu
bar, click Action.
2. Select Create new request.
The Create New Request dialog box opens.
3. For each request, enter the appropriate information in the relevant fields,
and click OK.

Create New Request Dialog Box Fields

Request Name (Required): May be any name. If a request with the same
Request Name exists in a different TPO definition, the new parameters are
merged with that request's parameters during enrollment. If the Request Name
does not exist in a TPO relevant to the enrolled user, the request is added.
The default name for a new request is followed by the next sequential number.

CA Name (Required): CA from the list of CAs installed in the AD tree. The
default is the first CA in the drop-down list.
No default

Type (Required): Standalone: permits the generation of certificates for
anyone. Enterprise: permits the generation of certificates only for
authenticated users. Depends on Active Directory being present. For more
information on Active Directory, please refer to Microsoft documentation.
No default

Windows Version (Required): OS version of the CA machine: Server 2000 or
Server 2003.
No default

Certificate Usage (Required): Type of templates to be enrolled: Smartcard
Logon, Encryption, Signature, VPN, or Other. Used as a filter to narrow the
selection in the Templates drop-down list.
No default

Templates (Required): A certificate template from one or both of the template
lists appropriate for the Certificate Usage selected:
Administrator generated certificate template: used when enrollment is
performed by the administrator.
User generated certificate template: used during self-service enrollment.
No default

Once a request is created, these fields cannot be modified. If a change is
required in the fields, the request must be deleted and a new request created.

The policies of a request associated with the Microsoft CA Connector are
displayed on the Connector Policy Object Editor window.

For each request, the information entered in the Create New Request dialog
box is displayed. Enter additional information in the relevant fields.

Microsoft CA New Request Policies

Certificate backup (Not required): Provides a backup for the private keys in
the TMS database.

eToken Virtual support (Not required): Certificate is stored on an eToken
Virtual for backup.

Key is required after revocation (Not required): When a certificate is revoked
on the CA:
It is not removed from the token
It may be restored for token recovery
It may be imported to another token for token replacement

Publish the certificate revocation list (CRL) (Not required): The CA publishes
a new CRL whenever a certificate is revoked.

Import the certificate to the local machine store (Not required): Certificates
are posted on the local computer certificate store. Used during self-service
enrollment for off-line certificates.
Note 1: This is applicable only for certificates generated by users' requests,
and not for enrollments done by an administrator.
Note 2: Only an administrator can generate or use a key in this store.

Override certificate department (Not required): The department in an off-line
certificate is overridden.

Certificate department (Not required): The department that overrides another
department in an off-line certificate when Override certificate department is
enabled.

Automatic certificate renewal (Not required): An expired certificate is
automatically renewed upon next enrollment.

Reuse keys when certificate is renewed (Not required): Previous keys are reused
if a new certificate is generated when Automatic certificate renewal is
enabled.

Random user password (Not required): Sets a random user password unknown to
the user, forcing the user to log on with a smartcard logon.

Force smartcard usage for logon (Not required): Sets the Account option in the
AD user properties to Smart card is required for interactive logon, forcing
the user to log on with a smartcard logon.

Chapter 3
The TMS Network Logon Connector
The TMS Network Logon Connector ensures strong network protection,
combined with convenience and portability. The TMS Network Logon
Connector authenticates the user through a user name and password.
This chapter includes the following:

Introduction
Environment
Defining TPO Rules

Introduction
Windows operating systems enable you to use a different access mechanism
in place of the default authentication method.
The identification and authentication aspects of the Windows logon are
implemented as a replaceable DLL called GINA (Graphical Identification and
Authentication). A new GINA DLL can replace the standard msgina.dll when
the system needs to use another method of authentication in place of the
Windows default user name/password mechanism. Thus, Windows and
eToken together provide the ideal solution for corporate network security.
Depending on your organization's policies, it is possible for the users
themselves to create Windows logon profiles which are stored on their tokens.
The TMS Network Logon Connector, also referred to as the GINA Connector,
supports and provides easy deployment of user profiles for the Aladdin
eToken Network Logon product.
The TMS Network Logon Connector enables you to initialize each token with
a list of login profiles. Each login profile contains a user ID name, a domain
that the user belongs to, a password, and a set of options.
The TMS Network Logon Connector is installed automatically when installing
TMS. To start working with tokens, configure the connector by setting the
connector parameters.

Environment
User stores supported

User Store: AD
Supported by this Connector: Yes

User Store: MS SQL Server
Supported by this Connector: No

User Store: OpenLDAP
Supported by this Connector: No

Defining TPO Rules

When the TMS Network Logon Connector is defined in the TPO, a default
profile is created for the domain in which TMS is installed.
To display the policies associated with the TMS Network Logon Connector,
click the default profile in the Connector Policy Object Editor window.
The policies associated with the TMS Network Logon Connector are listed in
the following table.

TMS Network Logon Connector Policies

Domain netbios name (Required): The netbios name of the domain in the Active
Directory that the user enters upon logon.
No default

Support eToken Virtual (Not required): The eToken Network Logon profile is
stored on an eToken Virtual for backup.
No default

Logon factor (Not required): One-factor: requires only the token's presence
to log on. Two-factor: requires the token's presence and a password to log
on.
The default value is: Two-factor

Password type (Not required): Manual: requires the system administrator to
provide the user password during enrollment. Random: causes the connector to
generate a new random user password during enrollment, to reset the user
password in the domain, and to write this new password to the token.
The default value is: Manual

Random password length: The random password length is determined by the
administrator.
The default value is: 14 characters

Chapter 4
The TMS P12 Certificate Import
Connector
This chapter contains the following sections:

Introduction
Environment
Defining TPO Rules

Introduction
The TMS P12 Certificate Import Connector enables the user to import onto
their smartcards and tokens:

PFX (P12) files: files that contain a certificate and a private key in a
P12 format
CER files: files that contain only the certificate without the private
key
Root CA certificate files

Use the TMS P12 Certificate Import Connector in the following situations:

You already have PFX files, and you want to import them onto the
token. For example, you use a third-party service to generate certificates for
your employees, and you receive the certificates from that service as
a group of PFX files.
You want to import CA certificates into Root CA certificates on the
token, and then copy those to the PC store upon token insertion.

Environment
User stores supported

User Store: AD
Supported by this Connector: Yes

User Store: MS SQL Server
Supported by this Connector: Yes

User Store: OpenLDAP
Supported by this Connector: Yes

Defining TPO Rules

The policies associated with the TMS P12 Certificate Import Connector are
displayed on the Connector Policy Object Editor screen.
The TMS P12 Certificate Import Connector is used to put two types of
certificates onto a token:

User Certificates
CA Certificates

User Certificates
A user certificate is unique to each user. It includes a private key for
encryption, signing and other PKI usage.
The fields for each user certificate to be added are displayed in the User
Certificates Properties dialog box.
The fields are:

User
Certificate
Password Known
Enroll to eToken Virtual

Adding Individual User Certificates

To add a user certificate:
1. In the User Certificates Properties dialog box, click Add.
The Add new user certificate dialog box opens.
2. Click the User Browse button.
The Select User dialog box opens.
3. Enter user details, and click OK.
4. Click the Certificate Browse button.
The Open dialog box opens.
5. Select the certificate file, and click OK.
6. In the Add new user certificate dialog box, select Password unknown if
the user must enter the password during enrollment,
OR
type the Password if the password of the PFX file is known.
7. Select Enroll to eToken Virtual to import this certificate to the eToken
Virtual for backup.
8. Click Add.
The user certificate is saved. You can add another certificate if required.

Adding from an Index File

User certificates may be added by importing an index file linking PFX
certificate files with users.
Note: The index file must be in UTF8 format if it includes non-ASCII
characters.
Each line of an index file must contain three parameters separated by
semicolons:

AD user account name
Full path to the PFX certificate file
Password of the PFX certificate file

Sample Index File (figure not reproduced)

For each certificate, a separate index entry is required. If a user is linked to
more than one certificate, each certificate should appear on a different line.
To import an index file, click Add from file on the User Certificates
Properties dialog box.
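The index file format described above, as an added validator example that is not part of the guide or of Aladdin's software: it checks only what the guide states (three semicolon-separated fields per line, a full path to a PFX/P12 file, UTF-8 encoding) and reports each bad line instead of importing it. The sample index content, user names and paths are constructed.

```python
"""Validate a TMS P12 Certificate Import index file (added example).

Format, as the guide describes it: one entry per line, three fields
separated by semicolons:

    <AD user account name>;<full path to the PFX file>;<PFX password>

A user with several certificates appears on several lines, and the file
must be UTF-8 when it contains non-ASCII characters.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IndexEntry:
    user: str       # AD user account name
    pfx_path: str   # full path to the PFX (P12) file
    password: str   # password of the PFX file (held in clear text in the index)


@dataclass
class IndexReport:
    entries: List[IndexEntry] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)       # "line N: problem"
    certs_per_user: Dict[str, int] = field(default_factory=dict)


def parse_index_text(text: str) -> IndexReport:
    """Parse index-file text; bad lines are reported, not imported."""
    report = IndexReport()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        fields = line.split(";")
        # A password containing ';' cannot be told apart from a malformed
        # line, so anything but exactly three fields is rejected.
        if len(fields) != 3:
            report.errors.append(
                f"line {lineno}: expected 3 semicolon-separated fields, found {len(fields)}")
            continue
        user, pfx_path, password = fields[0].strip(), fields[1].strip(), fields[2]
        problems = []
        if not user:
            problems.append("empty AD user account name")
        if not pfx_path:
            problems.append("empty certificate path")
        elif not ntpath.isabs(pfx_path):          # the guide requires the full path
            problems.append(f"not a full path: {pfx_path!r}")
        elif not pfx_path.lower().endswith((".pfx", ".p12")):
            problems.append(f"not a PFX/P12 file: {pfx_path!r}")
        if problems:
            report.errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        report.entries.append(IndexEntry(user, pfx_path, password))
        report.certs_per_user[user] = report.certs_per_user.get(user, 0) + 1
    return report


def load_index_file(path: str) -> IndexReport:
    """Read an index file from disk. utf-8-sig also accepts the BOM that
    Notepad prepends when saving as UTF-8. The file holds PFX passwords in
    clear text, so keep it on an access-restricted share and remove it once
    the import is done."""
    with open(path, encoding="utf-8-sig") as fh:
        return parse_index_text(fh.read())


# Constructed sample: two certificates for jdoe, one for a non-ASCII user name,
# then a relative path and a malformed line that the validator must reject.
SAMPLE_INDEX = (
    "jdoe;C:\\certs\\jdoe-sign.pfx;Pa55word\n"
    "jdoe;C:\\certs\\jdoe-enc.pfx;Pa55word\n"
    "müller;\\\\fileserver\\certs\\mueller.p12;geheim\n"
    "asmith;certs\\asmith.pfx;secret\n"
    "this line has no semicolons\n"
)

if __name__ == "__main__":
    rep = parse_index_text(SAMPLE_INDEX)
    for e in rep.entries:
        print(f"OK   {e.user:<8} {e.pfx_path}")
    for err in rep.errors:
        print("FAIL", err)
```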

CA Certificates
A CA certificate is common to all users in the domain. It contains only the
certificate without a private key.
The fields for each CA certificate to be added are displayed on the CA
Certificates Properties dialog box.
The fields are:

Certificate
Enroll to eToken Virtual

To add a CA certificate:
1. Click Add.
The Add new CA certificate dialog box opens.
2. Do the following:
Click Browse to browse for the CA certificate.
Select Enroll to eToken Virtual to import this certificate to the
eToken Virtual for backup.
Click Add.

Chapter 5
The TMS Flash Management
Connector
This chapter contains the following sections:

Introduction
Environment
Defining TPO Rules

Introduction
With the TMS Flash Management Connector, you can create a CD-ROM
partition on an eToken NG-Flash device. This allows you to include
applications and data on the CD-ROM partition of the device to share with all
the users in the domain.
You can also include an autorun file on the CD-ROM partition of the device.
This initiates an automated application execution whenever the device is
inserted into a computer's USB port.
The files to be uploaded to the token for the TMS Flash Management
Connector are in one of the following:

An FTP folder
A File System Upload folder

Note: During re-enrollment, if the name of the folder containing the files to
upload has not changed, the CD-ROM partition is not recreated, even if the
contents of the folder have changed. To force re-enrollment, change the name
of the folder containing the files.
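The re-enrollment caveat above, as an added example that is not part of the guide or of TMS itself: the upload folder is named after a digest of its files, so the folder name (and with it the CD-ROM partition) changes exactly when the contents change. The sample file trees, the staging layout and the "cdrom_image" base name are constructed.

```python
"""Name the Flash Management upload folder after its contents (added example).

TMS recreates the CD-ROM partition only when the NAME of the upload folder
changes; editing the files inside a folder whose name is unchanged leaves
re-enrolled tokens with the old image. Deriving the folder name from a digest
of the files turns every content change into a name change automatically.
"""
import hashlib
import os
import shutil
from typing import Dict


def fingerprint(files: Dict[str, bytes]) -> str:
    """Digest of a {relative path: content} tree, independent of dict order
    and of the path separator used by the OS that produced the tree."""
    h = hashlib.sha256()
    for rel in sorted(files):
        data = files[rel]
        norm = rel.replace("\\", "/").encode("utf-8")
        # Length-prefix name and data so that (name, data) pairs cannot be
        # re-split into a different tree that yields the same digest.
        h.update(len(norm).to_bytes(4, "big") + norm)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()[:16]


def versioned_folder_name(base: str, files: Dict[str, bytes]) -> str:
    """Folder name that changes whenever any file name or content changes."""
    return f"{base}-{fingerprint(files)}"


def read_tree(root: str) -> Dict[str, bytes]:
    """Load every file under root, keyed by its path relative to root."""
    tree = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root)] = fh.read()
    return tree


def stage_upload_folder(source_dir: str, staging_parent: str,
                        base: str = "cdrom_image") -> str:
    """Copy source_dir to <staging_parent>/<base>-<digest> unless that folder
    already exists, and return the path to set as the File System Upload
    Folder policy. Unchanged content yields the existing folder name, so TMS
    does not rebuild the partition needlessly."""
    target = os.path.join(staging_parent,
                          versioned_folder_name(base, read_tree(source_dir)))
    if not os.path.isdir(target):
        shutil.copytree(source_dir, target)
    return target


# Constructed sample trees: the second differs from the first only in the
# content of one file, the third only in one file name.
TREE_V1 = {
    "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    "setup.exe": b"MZ-placeholder-build-1",
    "docs\\readme.txt": b"Welcome\r\n",
}
TREE_V2 = dict(TREE_V1, **{"setup.exe": b"MZ-placeholder-build-2"})
TREE_V3 = {("docs\\manual.txt" if k == "docs\\readme.txt" else k): v
           for k, v in TREE_V1.items()}

if __name__ == "__main__":
    for label, tree in (("v1", TREE_V1), ("v2", TREE_V2), ("v3", TREE_V3)):
        print(label, versioned_folder_name("cdrom_image", tree))
```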

Environment
User stores supported

User Store: AD
Supported by this Connector: Yes

User Store: MS SQL Server
Supported by this Connector: Yes

User Store: OpenLDAP
Supported by this Connector: Yes

Defining TPO Rules

The policies associated with the TMS Flash Management Connector are
displayed on the Connector Policy Object Editor screen.
The policies associated with the TMS Flash Management Connector are listed
in the following table.

TMS Flash Management Connector Policies

CD-ROM Partition Size (Not required): The size of the region reserved on the
token for the CD-ROM partition.
The default size is calculated automatically

File System Upload Folder (Required when files are not in an FTP folder): The
name of the File System Upload folder containing the files to be uploaded to
the CD-ROM partition of the token. This directory must be accessible to every
client machine used for enrollment.
No default

FTP Server (Required when files are not in a File System Upload folder): The
name or IP address of the FTP server of the files to be uploaded to the
CD-ROM partition of the token.
No default

FTP Folder (Required when files are not in a File System Upload folder): The
name of the FTP folder containing the files to be uploaded to the CD-ROM
partition of the token.
No default

FTP Username (Not required): The FTP logon username.
Default is anonymous

FTP Password (Not required): The FTP logon password.
No default

Chapter 6
The TMS Check Point Internal CA
Connector
The TMS Check Point Internal CA Connector is a software component that
provides TMS users with the ability to log in to Check Point's security
applications using Aladdin's eToken device as the user authentication
method.
The TMS Check Point Internal CA Connector supports Check Point Firewall
versions NG (R55) or NGX (R60) and later.
This chapter contains the following sections:

Overview
Internal CA vs. External CA
Requirements
Configuring the CP Firewall Management
Defining TPO Rules

Overview
Check Point Software Technologies Ltd (CP) is a leading provider of security
applications. Check Point's main products are VPN and Firewall. At this time,
Check Point provides a unified security solution called NGX which includes
both VPN and Firewall.
Check Point security applications provide a secured environment, allowing
only authorized, authenticated users to log in. CP applications support
specific types of user authentication, including digital certificate-based
authentication (PKI).
With the TMS Check Point Internal CA Connector, the administrator enables
a simple and secure VPN connection to the network using the Check Point
Internal CA and a token.
The connector creates certificates for users using the Check Point Internal CA,
and loads the certificates automatically onto the users' tokens. The connector
can also add new users to the Firewall Management.

Internal CA vs. External CA

Certificate-based authentication requires the user to provide a digital
certificate valid for logging in to a CP secured environment.
Digital certificates are issued by a Certification Authority (CA). CP software
supports two types of CAs:

An internal CA, included in CP products. This type of configuration is the
most common.
An external CA, for example, Microsoft CA. This configuration is less common
and is not supported by the TMS Check Point Internal CA Connector.

Requirements
User stores supported

User Store: AD
Supported by this Connector: Yes

User Store: MS SQL Server
Supported by this Connector: Yes

User Store: OpenLDAP
Supported by this Connector: Yes

The TMS Check Point Internal CA Connector requires the following:

Administrator rights are required for configuration, rights, and access
to the CP SmartDashboard from the computer.
For TMS token users to issue login certificates from the CP internal
CA, they must exist in the CP internal users database.
Check Point's Firewall users must be stored in the CP internal users
database.

Configuring the CP Firewall Management

The TMS Check Point Internal CA Connector must be configured to work with
the Check Point Firewall Management as an external application. This
involves the following procedures:

Defining the OPSEC Properties
Defining the Permissions Profile
Installing the Policies

Defining the OPSEC Properties

To create an OPSEC application:
1. Open the CP SmartDashboard.
In the left pane, go to Servers and OPSEC Applications > OPSEC
Applications > OPSEC Application.
2. Right-click OPSEC Application, and select New OPSEC Application.
The OPSEC Application Properties dialog box opens.
3. Insert the required information in the following fields:
Name: Enter TmsOpsec
Host: Enter the computer name where the Firewall Management is located
Client Entities: Select CPMI
4. Click Communication.
The Communication dialog box opens.
5. Enter and confirm an Activation Key. Record the Activation Key for use
in the Defining TPO Rules section.
6. Click Initialize, and then Close.
Note: At this point in the procedure, the Trust state is: Initialized but trust
not established. Trust will be established later in the configuration.
In the OPSEC Application Properties dialog box, the Communication
information is displayed in the DN field.
7. Click OK.

TMS 2.0 SP3 Connectors Guide

Defining the Permissions Profile


To define a permissions profile for the application:
1. On the CP SmartDashboard left pane, right-click the new OPSEC
application, TmsOpsec.

2. From the sub-menu, select Edit.

38

The TMS Check Point Internal CA Connector

The OPSEC Application Properties dialog box opens.

3. In the OPSEC Application Properties dialog box, select the CPMI


Permissions tab.

39

TMS 2.0 SP3 Connectors Guide

4. Select Permissions Profile, and click New.


The Permissions Profile Properties dialog box opens.

5. Enter a Name for the profile, and select the Permissions tab.
The Permissions tab opens.

6. Select the appropriate permissions.

40

The TMS Check Point Internal CA Connector

Ensure that Check Point Users Database is selected and defined as


Read/Write.
7. Click OK.
In the OPSEC Application Properties dialog box, the new permissions
profile is selected in the Permissions Profile drop-down box.

8. Click OK.

Installing the Policies


To install the policies:
1. Open the Install Policy tool from the CP SmartDashboard.

41

TMS 2.0 SP3 Connectors Guide

The Install Policy dialog box opens.

2. Select the Installation Target, and click OK.


The Installation Process dialog box opens.

3. When the process completes, click Close.

Defining TPO Rules


After the TMS Check Point Internal CA Connector is added to TMS, the
policies associated with it have to be defined. These policies are displayed on
the Connector Policy Object Editor screen.

The procedures to set the policies are described in the following sections:

  - Defining the Check Point Server Policy
  - Defining the Enable Firewall User Creation Policy
  - Defining the Firewall Username Template Policy
  - Defining the Firewall User Template Policy
  - Defining the Auto Install Policies Policy
  - Defining the eToken Virtual Support Policy

Defining the Check Point Server Policy


To define the Check Point Firewall:
1. Select Check Point Server in the right pane of the Connector Policy
Object Editor screen.

The Check Point Server Properties dialog box opens.

2. Select Define this policy setting.

3. To add a new firewall, select Add Firewall.
The New Firewall Configuration dialog box opens.
4. To change an existing firewall's settings, select a firewall server from the
Firewall Server drop-down list, and select Edit Firewall Settings.
The Firewall Settings dialog box opens.
5. In the New Firewall Configuration dialog box or the Firewall Settings
dialog box, do the following:

  - In the Firewall Display Name field, type any name. This name
    will appear in the Firewall Server list.
  - In the Firewall IP Address or Name field, type the IP address or
    name of the firewall.
  - Select Import Certificate to import the Check Point OPSEC
    certificate to TMS for authentication against the Check Point
    Firewall.
    The Opsec Activation Key dialog box opens.
6. Type the activation key of the certificate created in the Configuring the CP
Firewall Management section, and click OK.
The New Firewall Configuration dialog box is displayed.
7. If the certificate was successfully imported, the message "A valid Opsec
certificate exists" is displayed below the Firewall IP Address or Name field.
If an error message is displayed, correct the error.
8. To test the connection between TMS and the Check Point Firewall, click
Test Connection.

If the connection is successful, the TMS Check Point Internal CA
Connector message "The connection to the firewall was tested successfully"
is displayed.
9. Click OK.
10. When a TMS user is mapped to a user on the Check Point Firewall user
database, the TMS user attributes are copied when the user is added to the
firewall user database.
To override the default mapping of existing users in the Check Point
Firewall, select the Users Map tab in the Firewall Settings dialog box. To
see all the users defined on the firewall user database, select Get all
firewall users.
Note: Only a TMS user defined in the Microsoft AD can be mapped to a
user on the Check Point Firewall user database.


The list of usernames is displayed in the Firewall Username table.

11. To locate a TMS Username to be mapped to a specific Firewall Username,
double-click the TMS Username blank column on the row of the Firewall
Username.
The Select User dialog box opens.
12. Select the TMS user to be mapped, and click OK.

The updated list of mapped Firewall Usernames opens.

13. Click OK to save the firewall settings.

Defining the Enable Firewall User Creation Policy


To create a new firewall user during enrollment, Define this policy setting
must be enabled. If it is not, enrollment of a user not on the firewall will fail.
To set the Enable Firewall User Creation policy setting:
1. Select Enable Firewall User Creation in the right pane of the Connector
Policy Object Editor screen.
The Enable Firewall User Creation Properties dialog box opens.
2. Select Define this policy setting and Enabled, and click OK.

Defining the Firewall Username Template Policy


Defining a Firewall Username Template policy creates a matching
relationship between the firewall username and its TMS user attributes. This
relationship is used to assign new firewall usernames, and to search for
existing firewall users.
To set the Firewall Username Template policy setting:
1. Select Firewall Username Template in the right pane of the
Connector Policy Object Editor screen.
The Firewall Username Template Properties dialog box opens.
2. Select Define this policy setting.

3. Select a template for firewall usernames by selecting one or more TMS
user attributes that ensure a unique username for each user, and click
OK.
When a new firewall user is created, the values of its selected user attributes
are retrieved from the directory service (AD, LDAP, or SQL Server). These
values are strung together to form a firewall username to which the Check
Point certificate is issued.

Defining the Firewall User Template Policy


Defining a Firewall User Template policy enables the definition of new
firewall users.
To set the Firewall User Template policy setting:
1. Select Firewall User Template in the right pane of the Connector
Policy Object Editor screen.
The Firewall User Template Properties dialog box opens.

2. Select Define this policy setting and from the drop-down box, select a
template for initializing all the attribute fields of a new firewall user.
3. To view a list of templates available on the firewall, click Retrieve
templates from firewall.
4. Click OK.
Note: Check Point does not support concurrent write access to the internal
users database. To prevent enrollment failure, the Check Point
SmartDashboard application must not be open during an automatic new user
enrollment.

Defining the Auto Install Policies Policy


Gateway synchronization occurs automatically or via the Check Point
SmartDashboard management application.
To install a gateway policy:
1. Select Auto Install Policies in the right pane of the Connector Policy
Object Editor screen.

The Auto Install Policies Properties dialog box opens.

2. Select Define this policy setting.

3. From the Synchronize on drop-down list, select from:

  - Do not synchronize
  - Always synchronize
  - Synchronize only on admin enrollment
  - Synchronize only on self enrollment

4. From the Install policies to drop-down list, select from:

  - All Gateways
  - Selected Gateways: To retrieve the names of gateways, click
    Retrieve names from firewall, and select gateways from the
    Policy installation targets box.
5. Click OK.

Defining the eToken Virtual Support Policy


To import the Check Point certificate to an eToken Virtual for backup, define
an eToken Virtual Support policy.
To set the eToken Virtual Support policy setting:
1. Select eToken Virtual Support in the right pane of the Connector
Policy Object Editor screen.
2. Select Define this policy setting and Enabled, and click OK.

Chapter 7
The TMS OTP Authentication
Connector
This chapter contains the following sections:

  - Introduction
  - Environment
  - Defining TPO Rules

Introduction
The One-Time-Password (OTP) concept was developed to provide a high level
of security. OTP technology allows for a password to be used only once
(hence: One-Time Password), and a new password is generated each time a
password is required.
eToken implements OTP technology in its NG-OTP and PASS tokens, and
implements smart card technology for use with PKI/digital certificates.
The TPO rules dictate which password(s) must be provided by the user for
authentication:

  - OTP Only: The user must enter the number displayed on the
    eToken NG-OTP or eToken PASS
  - OTP PIN and OTP: The user must enter the secret OTP PIN, as
    well as the number displayed on the eToken NG-OTP or eToken
    PASS
  - Windows password and OTP: The user must enter the Windows
    password, as well as the number displayed on the eToken NG-OTP
    or eToken PASS

Environment

User stores supported:

User Store        Supported by this Connector
AD                Yes
MS SQL Server     Yes
OpenLDAP          Yes

eToken NG-OTP and eToken PASS are the only token hardware that can be
used for OTP authentication. They must be formatted with the HMAC SHA1
Support Module.
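As an added illustration (not code from this guide or from the eToken product), the following Python shows how an authentication server verifies the HMAC-SHA1 one-time passwords described above, in both the OTP Only and the OTP PIN and OTP methods, including the resync window and replay rejection that make the "use only once" property hold. It assumes an OATH HOTP (RFC 4226) event-based token, which the guide does not state; the 6-digit length, secret, PIN and window size are constructed sample values.

```python
# HOTP (RFC 4226) verification as an OTP authentication server performs it.
# Added example for this guide; not eToken or TMS code. Assumes an OATH HOTP
# event-based token using HMAC-SHA1; secrets, PINs and window are constructed.
import hashlib
import hmac
import struct

DIGITS = 6          # 6-digit OTP display (assumed)
LOOKAHEAD = 10      # how far ahead the server searches for a pressed-but-unused OTP


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One HOTP value: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled token."""

    def __init__(self, secret: bytes, otp_pin: str, counter: int = 0):
        self.secret = secret
        self.otp_pin = otp_pin
        self.counter = counter      # next counter value the server is willing to accept


def _match_counter(rec: TokenRecord, otp: str, window: int = LOOKAHEAD) -> int:
    """Counter in [rec.counter, rec.counter + window) producing otp, or -1.
    The whole window is always scanned with constant-time compares, so timing
    does not reveal which (if any) counter matched."""
    found = -1
    for c in range(rec.counter, rec.counter + window):
        if hmac.compare_digest(hotp(rec.secret, c), otp) and found < 0:
            found = c
    return found


def verify_otp(rec: TokenRecord, otp: str) -> bool:
    """'OTP Only' method. On success the counter moves past the used value,
    so the same OTP is rejected if replayed and older OTPs are never accepted."""
    c = _match_counter(rec, otp)
    if c < 0:
        return False
    rec.counter = c + 1
    return True


def verify_pin_and_otp(rec: TokenRecord, submitted: str) -> bool:
    """'OTP PIN and OTP' method: the user types the secret PIN followed by the OTP.
    Both checks run before either result is used, and the counter only advances
    when both pass, so a correct OTP with a wrong PIN neither authenticates nor
    burns the token's counter."""
    if len(submitted) <= DIGITS:
        return False
    pin, otp = submitted[:-DIGITS], submitted[-DIGITS:]
    pin_ok = hmac.compare_digest(pin.encode(), rec.otp_pin.encode())
    c = _match_counter(rec, otp)
    if not (pin_ok and c >= 0):
        return False
    rec.counter = c + 1
    return True


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; constructed demo data, not a real token key.
    rec = TokenRecord(b"12345678901234567890", otp_pin="2468")
    print(verify_pin_and_otp(rec, "2468" + hotp(rec.secret, 2)))   # True: counter 2 is in the window
    print(verify_pin_and_otp(rec, "2468" + hotp(rec.secret, 2)))   # False: replay, counter advanced
```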

Defining TPO Rules


The policies associated with the TMS OTP Authentication Connector are
displayed on the Connector Policy Object Editor screen.

The different policies are described in the following table. Each entry gives
the field name, its requirements, and a description.

Authentication Method
  Requirements: Not required
  Description: Select from:
    - OTP Only
    - OTP PIN and OTP
    - Windows password and OTP
  The default is OTP PIN and OTP.

Allow dial-in permission
  Requirements: Not required; ignored in non-AD environments
  Description: With dial-in permission enabled, the dial-in permission
  fields are changed during enrollment to allow access.
  No default.

OTP PIN Type
  Requirements: Not required
  Description: Select from:
    - Manual: The user chooses a PIN.
    - Random: During admin enrollment, the connector creates a random
      PIN. This is not relevant for user enrollment.
  The default setting is Manual.

Minimum OTP PIN Length
  Requirements: Not required
  Description: The minimum length of an OTP PIN that a user may choose.
  The default is 4 characters.
  Note: An OTP PIN length should not exceed 10 characters.

Allow self OTP PIN reset by the user
  Requirements: Not required
  Description: This parameter determines behavior during OTP re-enrollment.
  The first time the user enrolls the OTP in the TMS Self Service Center,
  the OTP PIN must be entered. On subsequent occasions when the user
  performs OTP enrollment in the TMS Self Service Center, they are not
  required to enter the OTP PIN if this key is enabled.
  No default.

Allow OTP enrollment to eToken Virtual
  Requirements: Not required
  Description: The OTP profile is stored in the eToken Virtual for backup.

Chapter 8
Glossary
Entries are listed as Term (Abbreviation): Description.

Active Directory (AD): A Microsoft implementation of LDAP directory services
to store information and settings relating to an organization in a central,
organized, accessible database. Allows administrators to assign policies,
deploy software, and apply critical updates to an entire organization.

Active Server Pages (ASP): Microsoft technology for creating web applications.

Authentication Server: A server responsible for authentication, usually of
OTP tokens.

Backend Service: Service running on the TMS server, responsible for TMS
maintenance operations.

Block Policy Inheritance Flag: A TPO flag used during policy calculation to
determine if settings in TPOs higher than the current one are ignored (on) or
applied (off).

CardOS 4.2: Card operating system.

Certification Authority (CA): A network that issues and manages security
credentials and public keys for message encryption and decryption. As part of
a public key infrastructure (PKI), a CA checks with a registration authority
(RA) to verify information provided by the requestor of a digital certificate.
If the RA verifies the requestor's information, the CA can issue a certificate.

Check Point Management Interface (CPMI): The programmatic interface used to
contact and manage the Check Point Firewall.

Check Point Software Technologies Ltd. (CP): Software company that markets the
VPN-1 firewall and other security solutions.

Connectors: Application extensions which allow TMS to handle different
security applications.

Cryptographic API (CAPI): Microsoft's application programming interface that
isolates programmers from the code used to encrypt the data.

Cryptographic Service Provider (CSP): A software library that provides
encoding and decoding functions for application programs when implementing
CAPI.

Disable Flag: A TPO flag used during policy calculation to determine if this
TPO is ignored (on) or applied (off).

Domain Controller (DC) (AD): One or more computers that control an AD domain.
Each AD domain must have one. The domain controller's responsibilities include
managing Active Directory data, and handling users' logins. Although Active
Directory data may be changed from any client machine, the schema may be
changed only by a single domain controller at a time.

Domain Name System (DNS): Provides a keyword-based redirection service for the
Internet. Stores and associates many types of information with domain names.
Translates domain names (computer hostnames) to IP addresses. Lists mail
exchange servers accepting e-mail for each domain.

eToken Token Management System (TMS): A robust full life-cycle management
system that connects the users, their security devices, and the organizational
policies to the associated security applications.

Federal Information Processing Standards (FIPS): Standards developed by the
United States federal government for use by all non-military government
agencies and by government contractors. Many FIPS standards are modified
versions of standards used in the wider community, ANSI, IEEE, ISO.

Graphical Identification and Authentication Library (GINA): Microsoft's
network logon mechanism.

Group Policy Object (GPO): A collection of settings that define how a system
will behave for a defined group of users. Associated with AD containers.

Hash Message Authentication Code (HMAC): A type of message authentication code
(MAC) calculated using a cryptographic hash function in combination with a
secret key. May be used to simultaneously verify both the data integrity and
the authenticity of a message. Any iterative cryptographic hash function, such
as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting
algorithm is termed HMAC MD5 or HMAC SHA-1 accordingly. The cryptographic
strength of the HMAC depends upon the cryptographic strength of the underlying
hash function, on the size and quality of the key and the size of the hash
output length in bits.

Lightweight Directory Access Protocol (LDAP): Network protocol for querying
and modifying directory services.

Logical access control: A collection of policies, procedures, organizational
structure, and electronic access control.

Microsoft Active Directory Application Mode (ADAM): A directory service that
runs as a user service and not as a system.

Microsoft Management Console (MMC): A component of modern Microsoft Windows
operating systems that provides system administrators and advanced users with
a flexible interface through which they may configure and monitor the system.

No Override Flag: A TPO flag used during policy calculation to determine if
settings in TPOs lower than the current one are ignored (on) or applied (off).

One-Time Password (OTP): An authentication method that uses a password
generator to create a different password each time a password is required.
The password is constantly altered, making it more difficult for an
unauthorized intruder to gain unauthorized access to restricted resources.

Open Platform for Security (OPSEC): A Check Point standard for managing
security.

Organizational Unit (OU): The smallest unit within a domain. Used to subdivide
the various administrative divisions.

PFX Files: Files stored and transported in a portable binary PKCS#12 format.
Used for user or server private keys, public keys, and certificates.

Proximity Card: Contactless smartcard; contactless integrated circuit device.

Public Key Certificate: An identity certificate that uses a digital signature
to combine a public key with identity information such as the name of a person
or an organization and their address. The certificate is used to verify that a
public key belongs to an individual.

Public Key Cryptography Standards (PKCS): Set of public key related standards
published by RSA Data Security Inc.

Public Key Cryptography Standards #11 (PKCS#11): Inter-platform standard for
cryptographic devices.

Public Key Infrastructure (PKI): Method for securing web and network access,
consisting of protocols, services, and standards, supporting associated
software.

Radio Frequency Identification (RFID): Technology using devices attached to
objects that transmit data to an RFID receiver. Advantages include data
capacity, read/write capability, and no line-of-sight requirements.

Root Certificate: A self-signed certificate of a CA, and part of a public key
infrastructure scheme.

RSA (RSA): The first algorithm known to be suitable for signing as well as for
public-key encryption. Believed to be secure given sufficiently long keys and
the use of up-to-date implementations.

RSA 1024bit, 2048bit: Different key sizes for the RSA public key algorithm.

Runtime Environment (RTE): A generic term; or an earlier version of eToken PKI
Client, called eToken RTE.

Secure Hash Algorithm (SHA-1): A cryptographic hash function designed by the
National Security Agency to compute a fixed-length digital representation
(known as a message digest) that is, to a high degree of probability, unique
for a given input data sequence (the message).

Security Assertion Markup Language (SAML): An XML standard for exchanging
authentication and authorization data between security domains.

Shadow Domain: A domain, other than the Active Directory domain, used to store
TMS data.

Single Sign-On (SSO): A software authentication that enables a user to
authenticate once to gain access to the resources of multiple software
systems.

Secure Sockets Layer (SSL): Protocol for managing the security of a message
transmission over the Internet; starts with HTTPS.

Software Development Kit (SDK): A set of development tools used to create
applications for a certain platform.

TMS Public Key: A key used by the TMS Client when sending data to TMS.

TMS Security Keys: Keys used to encrypt TMS data in the Active Directory.

Token Policy Object (TPO): An object which may be connected to an OU or a
domain, and contains the full set of TMS settings.

Virtual Private Network (VPN): A private communications network often used by
companies or organizations to communicate confidentially over a public
network. VPN traffic can be carried over a public networking infrastructure
(e.g. the Internet) on top of standard protocols, or over a service provider's
private network with a defined Service Level Agreement between the VPN
customer and the VPN service provider.

Appendix 1

Copyrights and Trademarks


The eToken system and its documentation are copyrighted 1985 to
present, by Aladdin Knowledge Systems Ltd.
All rights reserved.
eToken is a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD is a
registered trademark of Aladdin Knowledge Systems Ltd.
All other trademarks, brands, and product names used in this Manual are
trademarks of their respective owners.
This manual and the information contained herein are confidential and
proprietary to Aladdin Knowledge Systems Ltd. (hereinafter Aladdin). All
intellectual property rights (including, without limitation, copyrights, trade
secrets, trademarks, etc.) evidenced by or embodied in and/or
attached/connected/related to this manual, information contained herein and
the Product, are and shall be owned solely by Aladdin. Aladdin does not
convey to you an interest in or to this manual, information contained herein
and the Product, but only a limited right of use. Any unauthorized use,
disclosure or reproduction is a violation of the licenses and/or Aladdin's
proprietary rights and will be prosecuted to the full extent of the Law.

NOTICE
All attempts have been made to make the information in this document
complete and accurate. Aladdin is not responsible for any direct or indirect
damages or loss of business resulting from inaccuracies or omissions. The
specifications in this document are subject to change without notice.

Appendix 2

FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B
digital device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation.
This equipment generates, uses and can radiate radio frequency energy and, if
not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that
interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one of the following
measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which
the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.

FCC Warning
Modifications not expressly approved by the manufacturer could void the user's
authority to operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
FCC authorities have determined that the rest of the eToken product line does
not contain a Class B Computing Device Peripheral and therefore does not
require FCC regulation.

CE Compliance
The eToken product line complies with the CE EMC Directive and related
standards*. eToken products are marked with the CE logo and an eToken CE
conformity card is included in every shipment or upon demand.

*EMC directive 89/336/EEC and related standards EN 55022, EN 50082-1.

UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability
of Plastic Materials for Parts in Devices and Appliances. eToken products
comply with UL 1950 Safety of Information Technology Equipment
regulations.

ISO 9002 Certification


The eToken product line is designed and manufactured by Aladdin
Knowledge Systems, an ISO 9002-certified company. Aladdin's quality
assurance system is approved by the International Organization for
Standardization (ISO), ensuring that Aladdin products and customer service
standards consistently meet specifications in order to provide outstanding
customer satisfaction.

Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of
Compliance to any software developer who wishes to demonstrate that the
eToken product line conforms to the specifications stated. Software
developers can distribute this certificate to the end user along with their
programs.
