eToken TMS 2.0 SP3 Installation and Configuration Guide
Token Management System (TMS), Version 2.0 SP3
Contact
USA: 1-212-329-6658, 1-866-202-3494
Email: [email protected]
International: 00800-22523346, 0011800-22523346, +972-3-9781299
You can submit a question to the Aladdin eToken technical support team at the following web page:
http://www.aladdin.com/forms/etoken_question/form.asp
Website
http://www.aladdin.com/eToken
Additional Documentation
We recommend reading the following Aladdin eToken publications:
Text Conventions
The following conventions are followed throughout this manual: Boldface, Italicized, Note, Caution, and the > symbol (used in menu paths such as Start > Programs > eToken).
Table of Contents
Chapter 1 Introduction ..... 1
    Overview ..... 2
    Main Features ..... 3
Prerequisites ..... 26
NameSpaces ..... 32
Performance ..... 33
Chapter 6 Installation ..... 34
    Installation Components ..... 35
The Microsoft Active Directory Users and Computers Snap-in ..... 115
Configuring IAS for use with MS SQL Server or OpenLDAP ..... 201
Chapter 1
Introduction
This chapter describes the main features in the Aladdin Token Management
System.
This chapter includes the following:
Overview
Main Features
Overview
eToken TMS is a robust full life-cycle management system for your entire
eToken enterprise authentication solution.
TMS provides a unique answer to one of the main challenges in managing security in an enterprise: connecting the users, their security devices, and the organizational policies to the associated security applications. TMS links them all into a single automated and fully configurable system, removing the barriers to the implementation of enterprise-wide security services, in particular those that rely on PKI technology.
TMS provides powerful tools so that you can cost-effectively and conveniently
handle all aspects of token life cycle management. TMS capabilities include
token deployment and revocation; web-based user self-service token
enrollment and password reset; automatic backup and restore of user
credentials; handling of lost and damaged tokens; and much more. In
addition, TMS provides comprehensive auditing and reporting capabilities to
help you comply with industry regulations such as Sarbanes Oxley, HIPAA,
Basel II, and more.
TMS's open, standards-based architecture, together with its seamless integration with Microsoft Active Directory, gives you the flexibility and modularity you need to manage the authentication solution that best fits your current and evolving business environment.
Main Features
The main features of TMS are:
Solution for employees who lost or forgot their tokens while on the road
New design
New Design
The new design of TMS allows:
Support for all eToken devices, including the eToken Pass (OTP-only device)
Multilingual support
Support for MS SQL Server and OpenLDAP as user stores: TMS 2.0 SP3 supports MS SQL Server and OpenLDAP as user stores. This enables the deployment of TMS in environments where Microsoft Active Directory is not deployed or does not serve as the directory for the users to be managed by TMS.
Chapter 2
System Requirements
This chapter describes the system requirements for Aladdin eToken TMS.
TMS comprises the following components: Server, Management Tools and
Client.
This chapter includes the following:
Windows Installer 3.0
  Description: Installer is an application
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914a956122e08e8&displaylang=en
.NET Framework Version 2.0 Redistributable
  Description: The .NET Framework version 2.0 (x86) redistributable package installs the .NET Framework runtime and associated files required to run the .NET Framework v2.0.
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDDAAB15C5E04F5&displaylang=en
Microsoft SQL Server 2005 Express Edition SP2 or Microsoft SQL Server 2005
  Description: Required if the attendance report feature is to be used.
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=31711d5d-725c-4afa-9d65e4465cdff1e7&displaylang=en
TMS User Store: Active Directory or ADAM
TMS Configuration Store: Active Directory or ADAM
Aladdin RTE 3.65 or Aladdin PKI Client 4.0 or higher
MSXML (Microsoft XML Core Services)
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=3144b72bb4f2-46da-b4b6c5d7485f2b42&displaylang=en
2000 (component name partly lost in the source)
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=7edde11fbcea-4773-a29284525f23baf7&displaylang=en
Manager Runtime (component name partly lost in the source)
Security Update for Windows 2000 (KB890859)
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=992C1BF9A2C0-49D2-9059A1DAD6703213&displaylang=en
5. Run:
C:\Windows\Microsoft.Net\Framework\v2.0.50727\aspnet_regiis.exe -i
6. If IIS is installed on a different computer, grant the IWAM and ASPNET accounts Read permission (Read only, nothing more) on:
HKEY_LOCAL_MACHINE\software\aladdin\etoken\tms\server\admin
7. Restart the computer.
Windows XP SP2
Windows Installer 3.0
  Description: Installer is an application
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914a956122e08e8&displaylang=en
.NET Framework Version 2.0 Redistributable
  Description: The .NET Framework version 2.0 (x86) redistributable package installs the .NET Framework runtime and associated files required to run the .NET Framework v2.0.
  Web Reference: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDDAAB15C5E04F5&displaylang=en
Windows Vista
Note: If you install the TMS Client on Windows Vista, the TMS Management Center and TMS Self Service Center must be set as trusted sites.
Chapter 3
TMS Deployment Strategies
This chapter describes the different options for deploying TMS and Microsoft
Active Directory (AD).
Note: TMS 2.0 SP3 also supports MS SQL Server and OpenLDAP as the user store. See Deployment of TMS with MS SQL Server on page 25 or Deployment of TMS with OpenLDAP on page 31.
The Windows forms client is used only for the Token Policy Object (TPO)
editor. Other management or self service capabilities are available from a
web browser.
TMS Architecture
users, devices, and resources. You can group objects for ease of management and for applying security and group policy.
AD enables you to manage information, security, and single sign-on for user access to network resources. Tight integration with security eliminates the need to track accounts for authentication and authorization between systems. Tokens and security applications are managed in the same way as other resources.
Forest: a forest consists of one or more trees. The forest is the security boundary for AD. All domain controllers in a forest host a copy of the forest Configuration and Schema containers in addition to a domain database.
Schema
The AD schema defines the objects that are available to the directory service. You can add your own classes or attributes to an existing object type. The schema operates at the forest level: all domains in all trees in one forest share the same schema.
Note: Installing TMS extends the existing schema. Schema extensions are forest-wide and cannot be removed once applied, so if you do not want to modify the production forest, use the shadow domain model: TMS data is then stored in the shadow domain (or ADAM instance), and that is where the schema is extended instead.
Replication
Objects in the directory are distributed among the domain controllers in a forest, and all domain controllers can be updated directly. The AD replication process ensures that changes made on one domain controller are automatically synchronized with the other domain controllers.
install the latest service packs and hot fixes (see page 229).
TMS Data Storage  Domain Environment  Directory Service
Production        Single              AD
Production        Multi               AD
Shadow            Single              AD
Shadow            Single              ADAM
Shadow            Multi               AD
Shadow            Multi               ADAM
Install and configure ADAM on a computer in your domain (see page 243)
Chapter 4
Deployment of TMS with MS SQL
Server
TMS 2.0 SP3 supports MS SQL Server as a user store, with ADAM as the TMS
Configuration Store.
For information about installing MS SQL server, refer to the following
document:
Installation flow TMS 2.0 SP3 with SQL Database
This chapter includes the following:
Prerequisites
Indexed Fields
Prerequisites
You must perform the following tasks before implementing MS SQL Server as a user store:
Prepare the data views so that TMS can connect to the database.
Prepare the authentication .dll that will enable users to log on to the TMS Centers.
AksTMSUsers
Represents your users table.
Field                      Type     Required
UserID                     String   Yes
AccountName                String   Yes
PolicyObjectID             String
LogonName                  String   No
AccountEnabled             Boolean  No
AccountLocked              Boolean  No
FirstName                  String   No
LastName                   String   No
Initials                   String   No
MiddleName                 String   No
Street                     String   No
POBox                      String   No
City                       String   No
State                      String   No
ZipCode                    String   No
CountryCode                String   No
HomePostalAdress           String   No
(field name lost in source) String  No
MobilePhone                String   No
HomePhone                  String   No
OrganizationName           String   No
Company                    String   No
EmployeeNumber             String   No
DepartmentNumber           String   No
Office                     String   No
DisplayName                String   No
AksTMSGroups
Represents your groups table.
Field        Type    Required
GroupID      String
GroupName    String
DisplayName  String  No
AksTMSUserOfGroup
Represents membership of users in the groups.
Field    Type    Required
GroupID  String
UserID   String
AksTMSGroupOfGroup
Represents the group hierarchy.
Field          Type    Required
GroupID        String
MemberGroupID  String
AksTMSPolicyObjects
Represents the hierarchy of the organization (equivalent to OUs).
Field           Type     Required
PolicyID        String   Yes (value required)
PolicyName      String   Yes (value required)
Root            Boolean  Yes (value required)
ParentPolicyID  String   No
DisplayName     String
Indexed Fields
To ensure optimum performance, all required fields in the SQL database should be indexed:
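The following is an added example, not code from the TMS guide or from Aladdin. It builds the five AksTMS* relations described above in an in-memory SQLite database, indexes the required fields as recommended, resolves a user's effective group membership through the AksTMSGroupOfGroup hierarchy, and runs the consistency checks an administrator would want before pointing TMS at the views. Table and column names come from the guide; the NOT NULL choice for PolicyObjectID, the index names, the SQL and the sample rows are assumptions made for illustration.

```python
"""Added example, not part of the TMS guide: the AksTMS* user-store relations in
SQLite, with the required fields indexed and nested group membership resolved.
Table/column names follow the guide; everything else is an illustrative assumption."""
import sqlite3

SCHEMA = """
CREATE TABLE AksTMSUsers (
    UserID TEXT NOT NULL PRIMARY KEY, AccountName TEXT NOT NULL,   -- required fields
    PolicyObjectID TEXT NOT NULL,        -- assumed required: the user's policy object (OU)
    LogonName TEXT, AccountEnabled INTEGER, AccountLocked INTEGER, DisplayName TEXT
);                                       -- the other optional columns are omitted here
CREATE TABLE AksTMSGroups (GroupID TEXT NOT NULL PRIMARY KEY, GroupName TEXT NOT NULL,
    DisplayName TEXT);
CREATE TABLE AksTMSUserOfGroup (GroupID TEXT NOT NULL, UserID TEXT NOT NULL,
    PRIMARY KEY (GroupID, UserID));
CREATE TABLE AksTMSGroupOfGroup (GroupID TEXT NOT NULL, MemberGroupID TEXT NOT NULL,
    PRIMARY KEY (GroupID, MemberGroupID));      -- GroupID contains MemberGroupID
CREATE TABLE AksTMSPolicyObjects (PolicyID TEXT NOT NULL PRIMARY KEY,
    PolicyName TEXT NOT NULL, Root INTEGER NOT NULL, ParentPolicyID TEXT, DisplayName TEXT);
-- Primary keys are indexed already; index the remaining required/lookup columns.
CREATE INDEX ix_users_account ON AksTMSUsers(AccountName);
CREATE INDEX ix_users_policy  ON AksTMSUsers(PolicyObjectID);
CREATE INDEX ix_groups_name   ON AksTMSGroups(GroupName);
CREATE INDEX ix_uog_user      ON AksTMSUserOfGroup(UserID);
CREATE INDEX ix_gog_member    ON AksTMSGroupOfGroup(MemberGroupID);
CREATE INDEX ix_policy_parent ON AksTMSPolicyObjects(ParentPolicyID);
"""


def build_store():
    """Create the schema and load constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO AksTMSPolicyObjects VALUES (?,?,?,?,?)", [
        ("corp", "Corp", 1, None, "Example Corp"),
        ("sales", "Sales", 0, "corp", "Sales department"),
    ])
    conn.executemany("INSERT INTO AksTMSUsers VALUES (?,?,?,?,?,?,?)", [
        ("u1", "alice", "sales", "alice", 1, 0, "Alice Example"),
        ("u2", "bob", "corp", "bob", 1, 0, "Bob Example"),
    ])
    conn.executemany("INSERT INTO AksTMSGroups VALUES (?,?,?)", [
        ("g-all", "all-staff", None), ("g-sales", "sales", None),
        ("g-sales-eu", "sales-eu", None),
    ])
    # alice is a direct member of sales-eu only; sales-eu is nested in sales, sales in all-staff
    conn.executemany("INSERT INTO AksTMSUserOfGroup VALUES (?,?)",
                     [("g-sales-eu", "u1"), ("g-all", "u2")])
    conn.executemany("INSERT INTO AksTMSGroupOfGroup VALUES (?,?)",
                     [("g-all", "g-sales"), ("g-sales", "g-sales-eu")])
    conn.commit()
    return conn


def effective_groups(conn, user_id):
    """Group names the user belongs to directly or through nested groups.
    UNION (not UNION ALL) de-duplicates rows, so a cyclic hierarchy still terminates."""
    rows = conn.execute("""
        WITH RECURSIVE membership(GroupID) AS (
            SELECT GroupID FROM AksTMSUserOfGroup WHERE UserID = ?
            UNION
            SELECT gog.GroupID FROM AksTMSGroupOfGroup gog
            JOIN membership m ON m.GroupID = gog.MemberGroupID)
        SELECT g.GroupName FROM membership m
        JOIN AksTMSGroups g ON g.GroupID = m.GroupID ORDER BY g.GroupName""",
        (user_id,)).fetchall()
    return [name for (name,) in rows]


def policy_path(conn, user_id):
    """The user's policy-object chain from the root down, e.g. ['Corp', 'Sales']."""
    rows = conn.execute("""
        WITH RECURSIVE chain(PolicyID, ParentPolicyID, PolicyName, depth) AS (
            SELECT p.PolicyID, p.ParentPolicyID, p.PolicyName, 0
            FROM AksTMSPolicyObjects p JOIN AksTMSUsers u ON u.PolicyObjectID = p.PolicyID
            WHERE u.UserID = ?
            UNION ALL
            SELECT p.PolicyID, p.ParentPolicyID, p.PolicyName, c.depth + 1
            FROM AksTMSPolicyObjects p JOIN chain c ON p.PolicyID = c.ParentPolicyID)
        SELECT PolicyName FROM chain ORDER BY depth DESC""", (user_id,)).fetchall()
    return [name for (name,) in rows]


def validate_store(conn):
    """Checks worth running before pointing TMS at the views: exactly one root
    policy object, and every user's PolicyObjectID resolves. Returns problem strings."""
    problems = []
    (roots,) = conn.execute(
        "SELECT COUNT(*) FROM AksTMSPolicyObjects WHERE Root = 1").fetchone()
    if roots != 1:
        problems.append(f"expected exactly one root policy object, found {roots}")
    for (uid,) in conn.execute("""
            SELECT UserID FROM AksTMSUsers u WHERE NOT EXISTS
            (SELECT 1 FROM AksTMSPolicyObjects p WHERE p.PolicyID = u.PolicyObjectID)"""):
        problems.append(f"user {uid}: PolicyObjectID does not exist")
    return problems
```

The recursive membership query is the shape of query TMS needs whenever it evaluates group-based rules, and the MemberGroupID and PolicyObjectID indexes are what keep it cheap on a large directory; run the validation before the first connector run, since a user whose policy object does not resolve has no place in the OU hierarchy that TPOs are linked to.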
Chapter 5
Deployment of TMS with OpenLDAP
TMS 2.0 SP3 supports OpenLDAP as a user store, with ADAM as the TMS
Configuration Store.
OpenLDAP Software is an open source implementation of the Lightweight
Directory Access Protocol.
For more information about OpenLDAP, see http://www.openldap.org/
This chapter includes the following:
NameSpaces
Indexed Fields
Performance
Prerequisites
You must perform the following tasks before implementing OpenLDAP as a user store:
Prepare the data views so that TMS can connect to the directory.
Prepare the authentication .dll that will enable users to log on to the TMS Centers.
NameSpaces
The default namespace contains the following object classes:
organizationalPerson (User)
groupOfNames (Group)
However, if different object classes and attributes are required, create an XML file named LDAPSchema.xml and place it in the installation directory (under BIN).
Performance
For optimum performance, the following attributes should be indexed (slapd.conf index directives):
index member,ou pres,eq
index cn pres,eq,sub
index (attribute name lost in source) eq
Chapter 6
Installation
This chapter describes the installation of TMS.
This chapter includes the following:
Installation Components
Installation Components
Install the following eToken TMS components:
Server
Management Tools
Client
Component            File                          Comments
Server
Management Tools     TMS_managementTools_2.0.msi
Client               TMS_client_2.0.msi
Schema Modification  ..._2.0.msi (file name partly lost in source)
Scripts
Note: If you install the TMS Client on Windows Vista, the TMS Management Center and TMS Self Service Center must be set as trusted sites.
To install TMS on the client:
1. Double-click TMS_client_2.0.msi.
The installation wizard opens.
2. Click Next.
The License Agreement window opens.
If you select the Custom installation, the Select Features window opens with the following features:
DesktopAgent
WebClient
6. Click Next.
The Ready to Install the Application window opens.
7. Click Next.
When installation is complete, the "TMS 2.0 Client has been successfully installed" window opens.
2. Click Next.
The Production Domain window opens.
4. Select the TMS V1.5 data storage location and click Next.
If you selected Shadow Domain in the TMS V1.5 Data Storage window, the Shadow Domain window opens.
5. Click Next.
7. Enter the TMS 2.0 ADAM server and the ADAM service port number and click Next.
8. Select any combination of the objects to be migrated from TMS 1.5 to TMS 2.0 and click Next:
Migrate policies
Note: Security properties of the TPO or GPO are not migrated. Only the authenticated users rule is migrated. Re-create any security filtering on the migrated TPOs afterwards; until you do, they apply to all authenticated users.
10. Select one of the following override policies for the TMS 1.5 to TMS 2.0 migration and click Next:
11. When the database migration processes are completed, click Next.
Chapter 7
TMS Configuration
The TMS Configuration Wizard opens immediately after the installation process is complete. You can also configure TMS later.
This chapter contains:
Opening the TMS Configuration Settings Wizard
You can configure TMS at a later time, but we recommend doing so immediately.
To open the TMS Configuration Settings Wizard:
Select Start > Programs > eToken > TMS 2.0 > TMS Configuration Tool.
The TMS Configuration Settings Wizard opens.
2. Select the domain where the users are to be managed and click Next.
The TMS Data Storage window opens with the following options:
Production (AD)
Shadow (AD)
Shadow (ADAM)
5. Enter the TMS service account password, confirm it and click Next.
XML File: enter the file system path to the XML file (this is the only option available if the domain functional level is not 2003).
Note: Active Directory storage does not modify the schema. It is available only with the Windows 2003 functional level. We recommend using this option if more than one TMS server is to be installed, to ease database sharing.
8. Click Next.
The TMS Service window opens.
In the TMS Service window, you can set the frequency of the service (see The TMS Backend Service on page 175).
I will use this feature and would like to connect to the following database server: enter the URL of the database server.
17. Start editing TMS Roles by clicking Launch Roles Editor, then click Next.
20. Select a policy in the Token Policy Object Links field and click Edit.
The Token Policy Object Editor opens.
The OpenLDAP Directory window has the following fields:
Server
Port
Naming Context
Anonymous User
Following User
Where the directory permits it, binding as a specific directory user with read-only rights is preferable to anonymous access.
Fill in the appropriate fields.
5. Click OK.
You are returned to the OpenLDAP Directory window.
7. Click Next.
The Authentication Plug-in window opens.
9. In the ADAM server field, enter the name of the server where ADAM is located.
10. In the ADAM service port number field, enter the ADAM port number.
11. Click Next.
The TMS Services Account window opens.
12. In the Use this account field, enter the account to be used for TMS operations.
13. Enter the password and confirm it.
Note: The account does not have to be an administrator account, but it must have enough privileges to run the connectors (for information on User Permissions see page 253).
15. Enter the user in the Default authorized user field or click the Browse button.
If you clicked the Browse button, the Select User or Group window opens.
16. Enter a user name in the Enter the object name to select field and click Check Names.
If more than one match is found for the entered name, a list of matching names is displayed.
21. In the Store the XML file in the following directory field, enter the path to the XML role management file and click Next.
Tip: This XML file contains the mapping between TMS users, groups and
Because this file defines who may administer TMS, restrict write access to it with file system permissions.
If you are evaluating TMS, select I will use the 90 days evaluation license.
If you have a license, select I will use the following license provided by Aladdin and paste the license string into the field.
You can connect to the SQL Server by selecting the SQL Server name or, alternatively, through an ODBC connection.
Tip: For information about creating an ODBC connection, refer to the Microsoft documentation.
3. To connect to the SQL Server, select SQL Server and click Browse.
4. To connect through ODBC, go to step 8.
5. In the Select server name field, select the required server from the list.
6. Select one of the following:
password)
7. In the Selected database field, select the required database from the list and click OK.
You are returned to the Relational Database window. Go to step 10.
8. To connect through 
ODBC, select ODBC and click Browse.
The Select ODBC Data Source window opens.
9. Select the required ODBC data source and click OK.
You are returned to the Relational Database window.
10. In the Relational Database window, click Validate.
The system validates the connection and returns the instance name.
Chapter 8
Post-Installation Configuration
After installation, Aladdin eToken TMS needs to be configured according to the requirements of your organization.
We recommend completing the full configuration of TMS immediately after installation using the Configuration Wizard (see page 49). However, the configuration can also be performed later, and you can edit and modify the settings created during the first run of the wizard.
This chapter includes the following:
Configuring TMS Policy Settings for Active Directory
2. Right-click production.com in the tree node of the navigation pane and select Properties from the dropdown menu.
2. Right-click the TMS Policy Manager node and select Connect to Domain.
The Connect to <domain name> instance window opens.
The TMS Configuration Tool manages the following areas:
Security Keys
Connectors
Roles
Backend Service
From the Windows Start menu, go to Programs > eToken > TMS 2.0 > TMS Configuration Tool.
Export Key
Import Key
4. Enter the file path to export to, or browse to the required file, and click Next.
The Export Password window opens.
From the Windows Start menu, go to Programs > eToken > TMS 2.0 > TMS Configuration Tool.
4. Enter the path to the source file or browse for the required file and click Next.
The Import Password window opens.
5. Enter the password that was set when this file was created and click Next.
From the Windows Start menu, go to Programs > eToken > TMS 2.0 > TMS Configuration Tool.
Configuring Connectors
To configure the connectors:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 > TMS Configuration Tool.
2. From the Action menu, select Connectors.
TMS Assignments
TMS Helpdesk: allowed to perform all TMS tasks except modifying TPOs.
TMS End User: allowed to use all self-service options on the eToken Remote Help Center web site and the eToken Administration Center.
Defining Roles
Use the TMS Authorization Manager to:
3. Select eToken Management Center, and click New Scope on the Action menu.
4. Select one of the following containers to which the role will be applied:
Domain
2. Enter the Name and Description of the new role definition and click Add.
The TMS Administrator Definition Properties window opens.
2. Enter the Name and Description of the new role definition and click Add.
To change the Role Store:
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 > TMS Configuration Tool.
2. On the Action menu, select Roles, and then click Change Role Store.
3. Select where you want to create the store and click OK.
2. On the Action menu, select Backend Service, and then click Change Schedules.
Weekly: specify the day of the week and the time at which the service is to run.
Viewing License
The administrator can view the license details in the License Details window.
1. From the Windows Start menu, go to Programs > eToken > TMS 2.0 > TMS Configuration Tool.
2. On the Action menu, select License > View.
The License Details window opens with the details of the current license.
Upgrading License
If the administrator needs to upgrade the license, this is done in the Upgrade License window.
3. Enter the new license string provided by Aladdin, click Set License and click Close to exit the window.
3. Browse to the account, enter the password, confirm the password and click OK.
Chapter 9
Defining Token Policies
After installing TMS, you should define the user profiles as required by your organization.
TMS extends the Microsoft Active Directory Users and Computers snap-in by installing several snap-in extensions.
This chapter includes the following:
Understanding TPOs
TPO Settings
Understanding TPOs
When defining resources for users in the organization, Aladdin eToken TMS follows the Microsoft concept of policy objects. In Microsoft terminology these are Group Policy Objects (GPOs); in TMS they are called Token Policy Objects (TPOs).
For more information on GPOs and Organizational Units (OUs), refer to the Microsoft Active Directory documentation.
This document assumes you are familiar with the general Active Directory (AD) concepts such as Organizational Units (OUs), GPOs, Active Directory users, domains, AD groups, and AD security lists.
TPO Overview
A TPO (Token Policy Object) is an Active Directory object that contains TMS connector rule definitions. It operates in exactly the same way as a GPO.
In TMS, a TPO tab is added to the container's Properties window.
TPOs contain the same type of connector rules and may be attached to zero or more OUs or domains, in exactly the same way as a GPO is attached to them.
Note: When working in Shadow mode, it is possible to work only with TPOs.
From the Start menu, select Programs > Administrative Tools > Active Directory Users and Computers.
The Active Directory Users and Computers snap-in opens.
Note: To use the TPO editor, you must have the necessary permissions to the
Note: If you want to assign the TPO to all the users in the domain, you
If there is a conflict between policies, the system follows the policy definition of the upper object in the list. To change the order of the Token Policy Objects, select an object and move it using the Up and Down buttons.
4. Click Edit.
The GPO Editor opens.
6. Click Add and navigate to the folder in which the TMS files are placed.
For example: C:\Program Files\Aladdin\eToken\Adm\Tms.adm.
7. In the GPO Editor, select Computer Configuration > Administrative Templates > Token Management System.
8. The Token Management System Settings window opens.
The right pane of the TMS Settings window displays all the server settings, as shown in the following table.
9. To change a setting, right-click the setting icon, select Properties and make the required changes, described as follows:
TMS Servers
Setting               Description
Default TMS server    The URL of the server running the TPO editor web service. Use this setting only if it differs from the default TMS server.
Desktop Agent server  The URL of the server running the Desktop Agent web service. Use this setting only if it differs from the default TMS server.
HelpDesk server       The URL of the server running the TMS Management web site. Use this setting only if it differs from the default TMS server.
Proxy server
Proxy user
Proxy Password
Note: Values set through this administrative template are written to the registry policy keys of every computer the GPO applies to, and the GPO's files in SYSVOL are readable by all Authenticated Users in the domain, so the Proxy Password setting is not a secret. Use a proxy account with no rights beyond outbound web access.
Note: The settings are updated at the next group policy update. To run a
A New Token Policy Object is added to the Token Policy Object Links.
2. Enter a name for the new Token Policy Object, and click OK to exit the window.
To add a policy object:
1. In the Token Policy Object editor, click Add.
The Add a Token Object Link dialog box opens.
2. Enter a name for the added policy object and click OK to exit the dialog box.
To remove a TPO link, select one of the following:
Remove the link from the list: deletes the link from the specific OU only.
Remove the link and delete the Token Policy Object permanently.
3. Click Add.
The Select User or Group dialog box opens.
4. Enter:
6. Click Properties to open the Policy Properties dialog box, and select the Security tab.
7. In the Group or user name box, select a group or user and, in the Permissions for Administrator box, clear the Allow value for the Apply Token Policy permission.
8. Click Add to add the users to the security list to which you want the amended TPO to apply.
The Select Users, Computers, or Groups dialog box opens.
No Override
No Override is a flag defined by Microsoft that relates to a single link between an OU and a TPO. The flag can be set in the Options dialog box, opened from the Token Policy tab of the OU Properties by selecting Options. When this flag is set, child OUs of the current OU cannot override any TPO definitions of the OU. The No Override flag has a higher priority than the Block Policy Inheritance flag.
The TMS enrollment process supports this flag. For more information about the flag, refer to the Microsoft documentation.
TMS defines this flag with the same name as it has for GPOs; it can be viewed and set in the TPO Options dialog box.
TPO Disable
The TPO Disable flag enables an administrator to temporarily disable a link between an OU and a specific TPO. The flag can be set in the Options dialog box, opened from the Token Policy tab of the OU Properties by selecting Options.
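The following is an added example, not code from the TMS guide or from Aladdin. It models the precedence rules described in this chapter (link order within a container, a child container's links beating inherited ones, Block Policy Inheritance, No Override winning over blocking, and TPO Disable) using the Group Policy semantics the guide says TPOs mirror, and resolves the effective settings for a user in a given OU. Container names, TPO names and setting values are constructed for illustration; the ordering of No Override links (the one nearest the domain applied last) is taken from the GPO rules and is an assumption about TMS.

```python
"""Added example, not part of the TMS guide: TPO link precedence resolved the
way the guide describes (GPO semantics). All names and values are constructed."""
from dataclasses import dataclass, field


@dataclass
class TPO:
    name: str
    settings: dict  # policy name -> value, only the settings this TPO defines


@dataclass
class Link:
    tpo: TPO
    no_override: bool = False   # the "No Override" flag on this OU-to-TPO link
    disabled: bool = False      # the "TPO Disable" flag on this link


@dataclass
class Container:
    """A domain or OU. `links` is the Token Policy Object Links list, top entry first."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False
    parent: "Container | None" = None


def applied_links(target):
    """Links that apply to `target`, ordered lowest precedence first."""
    chain = []
    node = target
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                                  # domain first, target last
    ordinary, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            ordinary = []                            # inherited links dropped; No Override ones kept
        for link in reversed(container.links):       # bottom of the list first, so the top wins
            if link.disabled:
                continue
            (enforced if link.no_override else ordinary).append(link)
    # No Override links apply after all ordinary ones; the one nearest the domain applies last
    return ordinary + list(reversed(enforced))


def effective_settings(target):
    """Merge the applied TPOs; a later (higher precedence) value overrides an earlier one."""
    result = {}
    for link in applied_links(target):
        result.update(link.tpo.settings)
    return result


def build_example(corp_no_override=False, disable_eng_top=False):
    """Constructed domain corp.example with OUs Sales (blocks inheritance) and Eng."""
    corp = TPO("Corp", {"min_pw_len": 6, "max_usage_days": 90})
    domain = Container("corp.example", [Link(corp, no_override=corp_no_override)])
    sales = Container("Sales", [Link(TPO("SalesLax", {"min_pw_len": 4, "max_usage_days": 30}))],
                      block_inheritance=True, parent=domain)
    eng = Container("Eng", [Link(TPO("EngTop", {"min_pw_len": 8}), disabled=disable_eng_top),
                            Link(TPO("EngBottom", {"min_pw_len": 5, "history": 15}))],
                    parent=domain)
    return {"Sales": sales, "Eng": eng}
```

With the sample hierarchy, Sales escapes the domain's Corp TPO because it blocks inheritance, and gets it back as soon as the Corp link is marked No Override; in Eng, the link at the top of the list (EngTop) wins the conflict over EngBottom, and disabling that link makes EngBottom effective without deleting anything. Checking a user's OU through a function like effective_settings is the quickest way to confirm which TPO actually set a value before changing link order or flags.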
TPO Settings
TPO Settings determine how TMS controls and executes policies. A number of default settings are in effect once TMS is installed. The administrator must determine whether these defaults are suitable according to organizational policy.
TPOs are divided into sections, each dealing with a specific set of parameters. Each policy can be edited individually. Each section below has a picture of the TPO Editor and a table detailing the policy name, a description of the policy and the default setting. The sections are:
General Settings
Connectors Settings
eToken Settings
Enrollment Settings
Recovery Settings
Audit Settings
2. Select the appropriate section and the policies for that section (for example, Mail Server), as shown in the right pane.
3. Double-click the required policy (or select Properties from the right-click menu).
The Policy Properties dialog box shows the policy name, the policy icon and the default setting.
6. If this is the only policy to edit, click Apply and OK to return to the Token Policy Object Editor, or click Next to move to the next Policy Properties dialog box.
7. Continue this process for all policies, or return to the Token Policy Editor to select specific policies to edit.
TMS Policy Object
Node               Policy/DN  Description
TMS Policy Object             All TMS policy settings are placed here
General Settings
General Settings defines the general settings under its node. Currently the Mail Server is the only node under General Settings.
Mail Settings
Node: Mail Server
Policy: Mail server
  Description: Server through which the notification messages are sent.
  Default: localhost
Policy: Mail sender
  Description: Sender address of the notification messages.
Policy: Logon account name
  Description: Account name used to log on to the mail server.
Policy: Logon account password
  Description: Password of the logon account (description truncated in the source: "This setting is not ...").
Connector Settings
Connector Settings control the behavior of the applications on the eToken.
eToken Settings
eToken Settings control how TMS sets the eToken properties.
Note: Additional settings can be set only in eToken PKI.
137
eToken Settings
Node
Policy/DN
Description
Default
eToken
Settings
Token name
for
name before it is
not be changed
unassigned
assigned
tokens
138
Token name
for assigned
assigned name
not be changed
tokens
template
Node
Policy/DN
Description
Default
eToken
Initialization
Token
Defines eToken
Token will be
backward
backward
backward
compatibility
compatibility
compatible with
RTE versions 3.65
and lower
Passwords
One factor
Configuration
Token requires a
requires a user
user password
password to log on
Default user
User password is
password
eToken user
1234567890
password
Password
Policy
Proxy mode
Defines whether
proxy mode
parameters are
read from the host
(proxy mode)
Minimum
Defines the
Minimum password
password
minimum length of
length is 4
length
the eToken
password
Password
Defines if the
Password
must meet
password has to
complexity
complexity
meet MS Windows
requirements must
requirements
style complexity
be met
requirements
Maximum
Defines the
Maximum usage
usage period
maximum usage
period is 90 days
period of eToken
password
139
Node
Policy/DN
Description
Default
Minimum
Defines the
usage period
minimum number
Token has no
minimum usage
period
warned before
password expires
password actually
expires
should be warned
Passwords
History size is 15
history size
old passwords
passwords
saved on the
eToken are not
allowed to be
repeated
First logon
Password change
password
user has to
is not required.
change
after
password on first
enrollment
logon after
enrollment
Note: Before
using the policy
you must initialize
the token in TMS
or you must
enable the policy
Initialize token
during the
enrollment.
This policy is not
supported by
eToken Virtual.
140
Node
Policy/DN
Description
Default
eToken
Properties
Maximum
Defines the
Maximum user
number of
maximum user
logon failed
user logon
logon failures
attempts is 15
failures
allowed
times
Maximum
Defines the
Maximum
number of
maximum
administrator logon
administrator
administrator logon
failed attempts is
logon failures
failures allowed
15 times
Reserve
No space is
RSA keys is
keys
reserved
keys
Number of
No space is
RSA keys
of space reserved
reserved
keys
FIPS
Determines if the
compliant
eToken will be
compliant
initialized FIPS
compliant
Initialize the
Determines if
PKCS#11
eToken is initialized
is initialized
user PIN
Load 2048-bit
Determines if the
RSA keys
keys support
support
support module is
module is not
modules
loaded on the
loaded
eToken
Load HMAC
Determines if the
SHA1 support
HMAC SHA1
support module is
module
support module is
not loaded
loaded on the
eToken
141
Node: Initialization Key
Use default initialization key
  Description: Defines whether the default initialization key is ...
  Default setting: The default initialization key is ...
  Usually, the default keys are those supplied by Aladdin, so this policy remains with its default setting.
Current initialization key
  Description: Specifies the current initialization key
  Default setting: The default initialization key is ...; ... initialization key is not used.
  This is required if you have configured the Use default initialization key policy not to use the default keys as supplied by Aladdin.
Create a new initialization key
  Description: Defines whether a new initialization key is created.
  Default setting: New initialization key ...
  This setting is enabled if you wish to create an initialization key that can be used only by TMS.
New initialization key
  Description: ... initialization key.
  Default setting: New initialization key ...
  The Create a new initialization key policy must be enabled if you want to define a new initialization key. The new key can be used only by TMS.
  Select Define this Policy Setting, then select one of the following:
  Default: Remain with default initialization key
  Random: Creates a randomly generated initialization key. If you lose the key, the token will be unusable.
  Value/Confirm: Creates a static initialization key.
Node: Advanced Settings
Private data caching mode
  Description: Defines when private data is cached
  Default setting: Always
RSA keys secondary authentication mode
  Description: ... RSA keys secondary authentication is used
  Default setting: Never
Enrollment Settings
Enrollment Settings control the eToken enrollment process.
General Properties
Notification
The Notification settings define the behavior of the Notification Letter.
See also Configuring Enrollment Notification Letters page 155.
Note: The General Properties and Notification Settings are applied only to
Node: General Properties
Maximum number of non-active tokens per user
Initialize token during enrollment
  Description: Determines if the eToken is initialized during enrollment
  Default setting: ... initialized during enrollment
Set a random token user password
  Description: Determines if a ... password is set during enrollment
  Default setting: Random token ...
Random token user password length
  Default setting: eToken user password length is 12 characters
Random token user password content
  Default setting: eToken user password ... digits only
User notification
  Description: ... notified on a new eToken enrollment.
  Default setting: ... notified ... enabled
Notification template file
  Description: ... for notification
  Default setting: None
Save notification letter
  Description: Determines whether to save the notification letter to the hard drive
  Default setting: ... is not saved
Notification letter storage location
  Description: Sets enrollment notification letter storage location
  Default setting: No location required
Send notification
  Description: Determines whether to send a notification
  Default setting: Email notification is not sent
Notification email subject
  Default setting: No subject
... notification letter
  Description: Determines whether to print the notification letter
  Default setting: Notification letter is not printed
Use an external program
  Description: Determines if an external program is used
  Default setting: No external program is used
Select external program
  Description: Defines which external program to use
  Default setting: No external program is used
Recovery Settings
Recovery Settings set options for lost eTokens or lost eToken passwords.
Node: Recovery Settings
Allow token unlock
  Description: Enables creation of ... Administrator ...
  Default setting: Tokens can be ...; Random administrator ...
... eToken Virtual
  Description: Defines which ... allowed to have a replacement eToken Virtual
  Default setting: ... enabled
Maximum ... replacement eToken Virtual
eToken Virtual download method
  Description: ... eToken Virtual is downloaded to user machine
  Default setting: eToken Virtual is downloaded manually
User authentication questions
  Default setting: No questions (users cannot authenticate)
Number of random questions
  Description: ... random questions to ... used ... authentication
  Default setting: No random questions used
Maximum number of authentication retries
  Default setting: 3 logon attempts
... authentication
  Description: Sets if user authentication is required
  Default setting: User authentication is not required
Maximum login usage period
  Description: ... usage period a temporary password ...
  Default setting: ... password ... is 3 days
Audit Settings
Audit Settings detail where audit information is logged.
Node: Audit Settings
Audit log server
Audit log name
  Description: ... to use
  Default setting: Application
Audit source name
  Description: ... name to use
  Default setting: TmsAudit
Administrator Audit Notification
  Description: Defines if the administrator is notified about audit events
  Default setting: No notification is used
Administrator notification configuration
  Description: Details the administrator notification configuration
  Default setting: Administrator is not notified
User notification
  Description: ... notified
  Default setting: ... enabled
User notification configuration
  Description: ... notification configuration
Node: TMS Backend Service Settings
Disable temporary password logon
  Description: Determines if temporary password logon is automatically disabled
  Default setting: Temporary password logon is disabled automatically
Revoke open eToken Virtual
  Description: Determines if open eToken Virtual is revoked automatically
  Default setting: ... revoked automatically
Automatically revoke token with missing user
  Description: Determines if the user is automatically revoked
  Default setting: ... is automatically revoked
Automatically revoke token with disabled user
  Description: Determines if the user is not automatically revoked
  Default setting: ... automatically revoked
Automatically synchronize users data
  Description: Automatically keep TMS database integrity by synchronizing users data
  Default setting: Users data is automatically synchronized
Node: Desktop Agent Settings
Enable token update alerts
  Description: Defines whether to ...
  Default setting: ... are enabled
... period start
  Description: ... expires ... expiry date
Alert message
  Description: ... of an eToken update alert
  Default setting: ... requires update
Alert title
  Default setting: eToken Notification
Alert message click action
  Description: ... balloon
  Default setting: No action
Detailed message
  Description: The message ...
  Default setting: Empty
Action website URL
  Default setting: Not defined
Minimum alert interval
  Description: ... interval in days
  Default setting: ... is 4 days
Alert check interval
  Description: ... whenever an eToken is inserted or when the specified number of days has passed since the last alert check (even if an eToken was not inserted)
  Default setting: 14 days
Enable token insertion/removal auditing
  Description: Defines whether to enable auditing of ... removal events
  Default setting: Token insertion/removal auditing is enabled
Chapter 10
Configuring Enrollment Notification Letters
When the administrator makes a change affecting a user, TMS can generate a
notification letter and perform one or more of the following actions: email it
to the user, save it as a file, print a hard copy.
The notification can include any required text, and details such as passwords
and serial numbers, which are derived from TMS through the use of keywords.
This chapter includes the following:
Main Steps
Keywords
Main Steps
To set up and configure enrollment or audit notification letters you must
perform the following steps:
Note: For details about changing the settings in TPO, see Enrollment
Keyword: Description
$Office
$User_Email
$User_First_Name
$User_Last_Name
Address
$City: City
$Country_Region: Country or region
$State_Province: State or province
$Street: Street name
$PO_Box
$Zip_Postal_Code: Zip code
Organization
$Company: Name of company
$Department: Name of department
Account
$User_Logon_Name
$User_Account_Name
Token
$etoken_admin_password
$Token_Password: eToken password. Note: The password is retrieved only if set to random.
$Token_Serial
Enrollment
$Enrollment_Date
$Enrollment_Time
OTP Connector
$otp_pin
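The following is an added example, not code from the TMS guide or from Aladdin, of how a letter built from the $Keyword placeholders listed above is rendered. The letter template, the sample user record and that record's field names are constructed for the example; TMS's own template format beyond the $Keyword syntax is not shown. It also enforces the note on $Token_Password: the password is filled in only when enrollment set a random one.

```python
"""Added example (not from the TMS guide): render an enrollment notification
letter by substituting the $Keyword placeholders documented in this chapter."""
import re
from string import Template

# Constructed letter using keywords from the Address, Organization, Account,
# Token and Enrollment keyword tables.
LETTER_TEMPLATE = """Dear $User_First_Name $User_Last_Name,

Your eToken (serial $Token_Serial) was enrolled on $Enrollment_Date at
$Enrollment_Time for account $User_Logon_Name ($Department, $Company).
Initial token password: $Token_Password
"""

# Constructed sample record; the key names are this example's own, not TMS's.
SAMPLE_RECORD = {
    "first_name": "Dana", "last_name": "Levi", "logon_name": "dlevi",
    "department": "Sales", "company": "Example Corp",
    "token_serial": "0123456789ab", "token_password": "7Hq2kLp9vX4m",
    "enrollment_date": "2008-03-04", "enrollment_time": "10:15",
}


def keyword_values(record, password_set_to_random):
    """Map the record onto letter keywords.

    $Token_Password is filled only when the enrollment policy set a random
    password (the guide's note on this keyword); a password chosen by the
    user is never copied into a letter.
    """
    return {
        "User_First_Name": record["first_name"],
        "User_Last_Name": record["last_name"],
        "User_Logon_Name": record["logon_name"],
        "Department": record["department"],
        "Company": record["company"],
        "Token_Serial": record["token_serial"],
        "Enrollment_Date": record["enrollment_date"],
        "Enrollment_Time": record["enrollment_time"],
        "Token_Password": record["token_password"] if password_set_to_random else "",
    }


def render_letter(template, record, password_set_to_random):
    """Substitute keywords. Unknown $Keywords are left in place rather than
    raising, so they can be reported by unresolved_keywords() before any
    letter is emailed, saved or printed."""
    values = keyword_values(record, password_set_to_random)
    return Template(template).safe_substitute(values)


def unresolved_keywords(rendered):
    """List $Keywords that survived substitution (misspelt or unsupported)."""
    return re.findall(r"\$[A-Za-z_]\w*", rendered)


if __name__ == "__main__":
    letter = render_letter(LETTER_TEMPLATE, SAMPLE_RECORD, password_set_to_random=True)
    print(letter)
    print("unresolved:", unresolved_keywords(letter))
```

Checking unresolved_keywords() on the rendered text is the practical safeguard: a mistyped keyword in a template otherwise reaches the user as literal text.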
Chapter 11
Auditing TMS Events
The administrator can use the Event Viewer to see the details of TMS
administration events, and can configure TMS to send email notifications to
end users and administrators.
This chapter contains the following sections:
3. Double click the policy, Audit log server, in the right pane (or right-click
and select Properties).
The Audit log server Properties dialog box opens.
6. To change the default setting, check Define this policy setting, enter
the log name and click OK.
The policy, Audit log name is defined.
7. Double click the policy, Audit source name, in the right pane (or right-click and select Properties).
The Audit source name Properties dialog box opens.
14. Click OK.
The policy, Administration notification configuration is defined.
To configure the User Notification:
1. Open the TPO Editor (see Configuring TPO Objects, page 115).
The keys of events as they appear in the Event Viewer can also be used in the
Audit Notification Letter.
Note: In addition to the following audit keywords, the keywords for the
Enrollment Letter can also be used in the Audit Notification Letter. See
Enrollment Notification Letter Keywords, page 157.
Audit
Keyword: Description
$Audit_Category
$Audit_Date_Time
$Audit_Event
$Audit_Message
$Audit_Type
2. Choose the required event. The event will be stored in TMSAudit in the
Source column of the table in the right pane.
Chapter 12
The TMS Backend Service
The Backend Service is used to control the TMS. This chapter describes the
different functions of the Backend Service.
This chapter includes the following:
Overview
Overview
The Backend Service generally works in the background, performing different
services as configured by the Administrator.
The different services controlled by the Backend Service Center are:
Start Process
Stop Service
Pause Service
Continue Service
Start Service
Weekly: specify the day of the week and the time at which scheduling
is to occur
1. Right-click on the taskbar.
Managing Revocation
Automatic revocation is required when the user is deleted from the AD (for
example, the user left the company) or when the user is disabled in the AD
(for example, the user is absent for a long time).
Chapter 13
The TMS Desktop Agent
The Desktop Agent can be used for sending expiry alerts to the Administrator
as well as the user, to audit the removal and insertion of the eToken, and for
downloading the eToken Virtual automatically from the web site to the user's
computer.
Note: The TMS Desktop Agent works only when Active Directory (AD) or
Expiry Alert
Overview
The Desktop Agent is an application used to perform a number of operations
as set by the Administrator. It can be installed on the desktops of all users (see
Installing the TMS Client Component, page 37). Every eToken inserted into
a computer on the network is logged on to the TMS, so the Administrator can
keep records of the number of users logged on at a given time, date, week and
so on.
Expiry Alert
The Desktop Agent alerts users when their eTokens are about to expire. The
Administrator can also keep records of when eTokens are expected to expire.
Thus the users and administrators can take timely action.
To configure the Expiry Alert:
1. Open the TPO Editor as described in Configuring TPO Objects on page
115.
2. Select Desktop Agent Settings from the navigation tree in the left pane.
The Policies associated with Desktop Agent Settings are displayed in the
right pane.
3. Double click the property, Enable eToken update alerts (or right-click
and select Properties).
The Enable eToken update alerts Properties dialog box opens.
The default setting is: Expiry alert starts 30 days before eToken expires.
6. Check Define this policy setting, enter the number of days before
expiry you want to receive the alert and click OK.
You will receive an alert on the requested day as a pop-up balloon.
7. Double click the property, Alert message, in the right pane (or right-click and select Properties).
You will receive an alert, with the selected action, on the requested day as
a pop-up balloon.
13. Double click the property, Detailed message, in the right pane (or right-click and select Properties).
The Detailed message Properties dialog box opens.
15. Double click the property, Action website URL, in the right pane (or
right-click and select Properties).
The Action website URL Properties dialog box opens.
19. Double click the property, Alert check interval, in the right pane, (or
right-click and select Properties).
The Alert check interval Properties dialog box opens.
20. Check Define this policy setting, enter the number of days you want
between two consecutive alert checks and click OK.
Your alerts will be checked whenever the eToken is inserted or after the
set number of days, even if the eToken is not inserted.
Alert Interval
The Alert interval (the time between two alerts) can be set using two criteria:
Minimum alert interval
This is for users who need to insert the eToken in their computers a
number of times per day. It is not necessary to inform these users about
the token expiry date every time they insert the token in their computers.
Hence a minimum time period is set, say seven days, so these users are
reminded every seven days that their tokens are about to expire.
Set time interval
Some users need to insert their tokens in their computers only once a
week or month. These users need to be reminded that their tokens are
about to expire without having to insert their tokens in their
computers. The Set time interval sets the time between two alerts such
that the reminder appears on their computers even without inserting their
tokens in their computers.
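As an added illustration (not code from the TMS guide or the Desktop Agent itself), the two criteria above can be written out as a small scheduler so their combined effect is visible. The defaults follow the guide (expiry alert starts 30 days before the eToken expires, minimum alert interval 4 days, alert check interval 14 days); the function names, parameter names and the June scenario are this example's own assumptions.

```python
"""Added example (not from the TMS guide): expiry-alert timing rules of the
Desktop Agent as described in this chapter, simulated over a month."""
from datetime import date, timedelta


def check_due(today, last_check, token_inserted, check_interval_days=14):
    """A check runs when the token is inserted, or when the alert check
    interval has elapsed since the last check (even without the token)."""
    if token_inserted or last_check is None:
        return True
    return (today - last_check).days >= check_interval_days


def alert_due(today, expiry, last_alert, alert_start_days=30,
              min_alert_interval_days=4):
    """Alert only inside the expiry window, and never more often than the
    minimum alert interval (this is what spares users who insert the token
    several times a day)."""
    if today < expiry - timedelta(days=alert_start_days):
        return False
    if last_alert is not None and (today - last_alert).days < min_alert_interval_days:
        return False
    return True


def simulate(start, end, expiry, insertion_days, alert_start_days=30,
             min_alert_interval_days=4, check_interval_days=14):
    """Return the dates on which a balloon alert would appear between start
    and end (inclusive) for a user who inserts the token on insertion_days."""
    alerts, last_check, last_alert = [], None, None
    day = start
    while day <= end:
        inserted = day in insertion_days
        if check_due(day, last_check, inserted, check_interval_days):
            last_check = day
            if alert_due(day, expiry, last_alert, alert_start_days,
                         min_alert_interval_days):
                alerts.append(day)
                last_alert = day
        day += timedelta(days=1)
    return alerts


def june_demo(expiry=(2024, 6, 30)):
    """Constructed scenario: June 2024 simulated for a token expiring on the
    given date. Returns (alert days for a daily user, alert days for a user
    who never inserts the token) as days of the month."""
    expiry_date = date(*expiry)
    june = [date(2024, 6, d) for d in range(1, 31)]
    daily = simulate(june[0], june[-1], expiry_date, set(june))
    absent = simulate(june[0], june[-1], expiry_date, set())
    return [d.day for d in daily], [d.day for d in absent]


if __name__ == "__main__":
    daily, absent = june_demo()
    print("daily user alerted on:", daily)    # every 4 days
    print("absent user alerted on:", absent)  # every 14 days, token never inserted
```

With the defaults, a user who inserts the token every day is reminded every four days, while a user who never inserts it is still reminded at each 14-day check; a token whose expiry lies more than 30 days out produces no alert in either case.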
2. Select Recovery Settings from the navigation tree in the left pane.
The Policies associated with Recovery Settings are displayed in the right
pane.
5. Click OK.
The policy, eToken Virtual download method is configured.
The time interval for messages arriving from the token, used to determine
if the token is inserted.
The configurations are set in the web.config file, typically located at:
C:\Program Files\Aladdin\eToken\Tms20\Web\TmsAgent
The configuration settings are added to the <appSettings> section in the
Web.config file using the syntax shown in the following example:
<add key="SoftTokenTempFolder" value="C:\Documents and Settings\Administrator\Local Settings\Temp" />
TMS Desktop Agent Web Services Settings
Key: SoftTokenTempFolder
  Value type: Path
  Description: ... is saved temporarily
  Default: System Temp directory
Key: DeleteSoftTokenTempFile
  Value type: Boolean
  Default: True
Key: ...
  Value type: Integer
Chapter 14
OTP Configuration
The behavior of One Time Password (OTP) can be configured in the web
services located on the TMS server, and in the OTP plug-in on the IAS
(RADIUS) server.
For more details see OTP Authentication for MS IAS Administrators Guide
Version 2.0 SP3.
This chapter contains the following sections:
OTP Configuration
The configurations are set in the web.config file, typically located at:
C:\Program Files\Aladdin\eToken\Tms20\Web\OTPAuthentication
The configuration settings are added to the <appSettings> section in the
web.config file using the syntax shown in the following example:
<add key="BlankPresses" value="30" />
Note: These settings can also be configured in the Internet Information
Key: BlankPresses
  Value type: Numeric
  Default: 30
Key: ...
  Value type: Numeric
  Description: ... authentications allowed before the OTP is locked.
Key: AuditCondition
  Value type: String
  Description: Defines which authentication events to include in the audit. OnFailure: when authentication fails. Always: when authentication fails or succeeds.
  Default: OnFailure
Key: <exclude group account name>
  Default: None
  For example: Add key: ExcludeGroupName1, Value: SalesGroup aladdin.org
Key: <connection string name>
  Description: ... for OTP.
Key: ExcludeGroupCheck
  Value type: String
  Description: Determines the ...
    1 W2003: works via security token (only for 2003 server)
    2 Preload: preload exclude group members (see also PreloadGroupsRefresh property)
    3 Token: to use this option the token in the DB should be updated consistently via TMS Backend Service (cannot be used with other values)
    4 Default: default (1 in Windows 2003, 5 in Windows 2000)
  Default: Default(4)
Key: MaxDelayedDBUpdates
  Value type: Numeric
  Description: To save system ...
  Default: 100
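Both web.config files in this guide (the TMS Desktop Agent file under Web\TmsAgent and the OTP Authentication file under Web\OTPAuthentication) take their settings as <add key="..." value="..." /> elements in <appSettings>. The following is an added example, not code from the TMS guide or from Aladdin, that reads and edits those elements through an XML parser and checks the OTP values against the ranges the tables above document. The sample web.config text, the helper names and the OTP_KEY_RULES table are this example's own assumptions.

```python
"""Added example (not from the TMS guide): manage <appSettings> keys in a
TMS web.config and validate documented OTP Authentication values."""
import xml.etree.ElementTree as ET

# Constructed minimal web.config in the shape the guide's examples use.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="BlankPresses" value="30" />
    <add key="AuditCondition" value="OnFailure" />
  </appSettings>
</configuration>
"""

# Documented OTP Authentication keys: (value type, allowed values or None).
# ExcludeGroupCheck accepts the four options listed in the table above.
OTP_KEY_RULES = {
    "BlankPresses": ("numeric", None),
    "AuditCondition": ("string", {"OnFailure", "Always"}),
    "ExcludeGroupCheck": ("numeric", {"1", "2", "3", "4"}),
    "MaxDelayedDBUpdates": ("numeric", None),
}


def get_app_settings(config_xml):
    """Return {key: value} for every <add> element under <appSettings>."""
    root = ET.fromstring(config_xml)
    app = root.find("appSettings")
    if app is None:
        return {}
    return {a.get("key"): a.get("value") for a in app.findall("add")}


def set_app_setting(config_xml, key, value):
    """Add or update one <add key="..." value="..." /> and return the new XML.
    Editing through the parser (rather than string replacement) keeps the
    element well-formed and escapes quotes or '&' inside the value."""
    root = ET.fromstring(config_xml)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    for add in app.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            break
    else:
        ET.SubElement(app, "add", key=key, value=value)
    return ET.tostring(root, encoding="unicode")


def validate_otp_settings(settings):
    """Return a list of problems for the documented OTP keys present in settings."""
    problems = []
    for key, (kind, allowed) in OTP_KEY_RULES.items():
        if key not in settings:
            continue  # an absent key falls back to the documented default
        value = settings[key]
        if kind == "numeric" and not value.isdigit():
            problems.append(f"{key}: expected a number, got {value!r}")
        elif allowed is not None and value not in allowed:
            problems.append(f"{key}: {value!r} is not one of {sorted(allowed)}")
    # Every ExcludeGroupName<n> key needs a group name; an empty value would
    # silently exclude nothing.
    for key, value in settings.items():
        if key.startswith("ExcludeGroupName") and not (value or "").strip():
            problems.append(f"{key}: empty group name")
    return problems


if __name__ == "__main__":
    cfg = set_app_setting(SAMPLE_WEB_CONFIG, "ExcludeGroupName1", "SalesGroup aladdin.org")
    cfg = set_app_setting(cfg, "AuditCondition", "Always")
    print(cfg)
    print("problems:", validate_otp_settings(get_app_settings(cfg)))
```

Run the validation before restarting the web service: a non-numeric BlankPresses or an AuditCondition outside OnFailure/Always is caught here rather than discovered as failed or unaudited OTP logons.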
OTP plug-in settings on the IAS (RADIUS) server
Key: enable_otp_authentication
  Value type: Boolean
  Description: This parameter determines whether OTP authentication or standard authentication is used. Values: True: authentication requests are validated with OTP. False: authentication requests are validated with standard authentication.
Key: otp_web_service_url
  Value type: String
  Description: URL of eToken Authentication Web Service
Key: return_pap_cred
  Value type: Boolean
  Description: Determines if the RADIUS server returns the password as an attribute of the RADIUS response
Key: return_pap_cred_attribute_number
  Value type: Numeric
Key: web_service_request_timeout
  Value type: Time in seconds
  Description: Specifies the time-out when calling OTP Web Services from the IAS plug-in
Key: web_service_comm_error_behavior
  Value type: Enumerator
  Description: Determines how to ...
Chapter 15
Exporting TMS Data
TMS Management Center allows the administrator to configure some predefined reports. However, to create custom reports using an external
application, TMS data must be exported in a supported format. To do this, the
administrator can use the TMS Export Tool to export TMS data to an MDB
file using SQL Server.
This chapter contains the following section:
Chapter 16
eToken Pass
The administrator can add eToken Pass devices to TMS, using the import file
option.
After receiving an eToken Pass, the administrator can enroll the eToken Pass
or the user can enroll the token from the TMS Self Service Center.
This chapter includes the following:
Importing the eToken Pass XML File
Pass XML more than once, the eToken Pass devices in TMS would lose
synchronization, causing serious dysfunction.
In TMS 2.0 SP2 and higher, the eToken Pass devices that are already in the
system will not be affected by a re-import of the XML file. You may want to
re-import the file to ensure that the complete list of eToken Pass devices has
been successfully entered into TMS.
eToken Pass devices are shipped from the factory with an accompanying XML
file. This file is required to activate the eToken Pass devices in TMS in your
enterprise. It contains specific information about the eToken Pass devices in
your enterprise, and ensures that only devices registered for your enterprise
can be used to gain access to your system.
The eToken Pass XML file can be imported with the TMS Management Center
or through the Windows command line.
Reference Guide.
To import the eToken Pass XML file through the TMS Management
Center:
1. To open the TMS Management Center, in your internet browser, enter the
URL of the TMS Management Center (for example:
http://localhost/tmsmanage)
6. Click Run.
7. To see the error message, click on the link Click here to see a detailed
error description.
The Action Log screen opens.
The eToken Pass is enrolled in the TMS Self Service Center (can be performed by the
end user).
Reference Guide.
To Enroll eToken Pass in TMS Self Service Center
1. To open the TMS Self Service Center, in your internet browser, enter the
URL of the TMS Self Service Center (for example:
http://localhost/tmsservice)
eToken Pass Serial No: enter the serial number as printed on the
eToken Pass cover. It is also displayed when the token button is
pressed continuously for a few seconds.
OTP PIN: if required by the OTP policy, enter the new OTP PIN.
First OTP value: enter the first OTP value generated by the device
(that is, the value generated after pressing the button the first time).
Second OTP value: enter the second OTP value generated by the
device (that is, the value generated after pressing the button for a
second time).
4. Click Submit.
eToken Pass is enrolled in TMS.
When the user has carried out the enrollment steps, TMS performs the
following actions:
Synchronizes with the OTP server using the two OTP numbers provided
PASS. If not, to display the eToken PASS serial number, press and hold
the button on the token.
The eToken was enrolled successfully message appears at the bottom of
the window.
Chapter 17
Configuring eToken SSO Backup in
TMS
Most SSO profiles are created by the end user after enrollment. The profiles
are saved on the user's token, and a backup file can be created. However, if
the token is broken or lost and the backup is not available or is not updated,
the profiles will be lost.
TMS can create backups for all profiles on the user's token, which can be
retrieved with the eToken replacement feature in the TMS Self Service Center
or TMS Management Center.
The SSO profiles on the user's token are synchronized with the TMS Server
through the TMS Desktop Agent. Every action performed on the user's token
is backed up to TMS.
This chapter includes the following:
Prerequisites
Prerequisites
The following are required:
2. Select the Organization Unit (OU) to which you want to configure SSO
Backup.
(To assign the configuration to all the users in the domain, select the
domain).
5. Click Open.
9. Select Define this policy setting, select Enable and click Definitions.
The Connector Policy Object Editor opens.
tokens.
eToken Virtual.
backed-up profiles.
13. Click OK.
Chapter 18 Glossary
Term (Abbreviation): Description
Shadow Domain: Using a different Active Directory domain to store TMS data.
Proximity Card: Contactless Smartcard. Contactless integrated circuit device.
CardOS 4.2
Logical access control: Collection of policies, procedures, organizational structure and electronic access control.
Authentication server
Root certificate
Backend Service
Block Policy Inheritance flag: A TPO flag used during ...
Connectors: Application extensions to TMS allow TMS to handle different security applications.
Domain Controller (AD)
Intermediate certificate: A subordinate certificate ...
Public key certificate: In cryptography, a public key certificate (or identity certificate) is a certificate that uses a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
TPO No Override flag
Active Directory (AD): Active Directory is an implementation of LDAP directory services by ...
Active Directory Application Mode (ADAM): Is a directory service ...
ASP
Certification Authority (CA): An authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.
Cryptographic API (CAPI)
Check Point (CP): Software company, responsible for the VPN1 firewall.
Check Point Management Interface (CPMI)
Cryptographic Service Provider (CSP): In Microsoft Windows, a Cryptographic Service Provider (CSP) is a software library that implements the Cryptographic Application Programming Interface (CAPI). CSPs implement encoding and decoding functions, which computer application programs may use for, e.g., strong authentication of the user or for secure email.
Domain Controller (DC): On Windows Server ... security authentication requests (logging in, checking permissions, etc.) within the Windows Server ... domain.
Data Encryption Standard (DES): Standard cryptographic algorithm developed by the US National Bureau of Standards. Now replaced by AES.
Domain Name System (DNS): ... importantly, it translates domain names (computer hostnames) to IP addresses.
Federal Information Processing Standards (FIPS): Federal Information Processing Standards ... announced standards ... ISO, etc.)
Graphical identification and authentication (GINA): MS network logon mechanism library.
Group Policy Object (GPO)
Hash message authentication code (HMAC): A keyed-hash message authentication code, or HMAC, is a type of message ... may be used to simultaneously verify both the data integrity and the authenticity of a message.
LDAP
Microsoft Management Console (MMC): The Microsoft Management Console (MMC) is a component of modern Microsoft Windows ... provides system administrators and advanced users with a flexible interface through which they may configure and monitor the system.
Open Platform for Security (OPSEC)
One Time Password (OTP): An authentication method based on a password generator which creates a different password each time a password is required. The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditionally static ...
Organizational Units (OU)
PFX
Public Key Cryptography Standards (PKCS)
Public Key Cryptography Standards #11 (PKCS#11)
Public Key Infrastructure (PKI)
Radio Frequency Identification (RFID)
RSA: In cryptology, RSA is an ...
... Environment (RTE)
Security Assertion Markup Language (SAML)
Software Development Kit
Secure Hash Algorithm (SHA1)
Single Socket Layer (SSL)
Single Sign On (SSO)
Token Management System (TMS)
TPO
Virtual Private Network (VPN): ... (VPN) is a private communications network ...
Appendix 1
2. Enter the folder name to which you wish to extract the file, or click
Browse to select a folder.
3. Click Unzip.
The WinZip Self-Extractor prompts a notice that the unzipping process
was completed successfully. Click Close to exit the extractor.
4. Browse to the folder where you extracted the file, extract the ADAMretailX86.exe file and
run adamsetup.exe.
5. Click Next.
The License Agreement dialog box opens.
9. Enter the Instance name or maintain the default value and click
Next. The Ports dialog box opens.
10. Enter the port numbers (we recommend using ports in the range of 1025-65535) and click Next.
12. Enter a folder to store information associated with ADAM or browse for a
folder. Click Next.
14. Specify the user or group that will have administrative privileges and
click Next.
15. Select Import the selected LDIF files. Choose the MsInetOrgPerson.LDF file, and click Add.
16. Click Next.
The Ready to Install dialog box opens.
17. Click Next.
18. Click Finish to exit the Active Directory Application Mode Setup Wizard.
To configure ADAM
1. Run ADAM ADSI edit from the Start menu, under programs\ADAM.
Server name: Enter the server name as defined during the ADAM
installation (usually the local host or local machine name).
Port: Enter the port as defined during the ADAM installation (LDAP
port).
4. Click OK. In ADAM adsiedit, select the CN=Partition directory. Right-click DC=TMS and select New Connection to Naming Context.
The DC=TMS container now appears.
Appendix 2
User Permissions
The Administrator can configure the users' privileges and edit them as
required.
The TMS should allow help desk personnel the option of performing most of
the TMS operations (for example: enroll tokens, delete tokens and so on).
The minimum permissions the help desk user should have in order to perform
basic TMS operations are specified in this appendix.
Different operations require different permissions; the following are the
required permissions to perform the different operations with the TMS.
The user should be a member of the Schema Administrator group and the
Domain Administrator group
To manage TMS:
The user should have the permission to change other domain users'
passwords.
3. Right-click on the user's name, and select Properties (in this example the
user's name is Aladdin).
4. Select the Security tab and click Add.
The Aladdin properties dialog box opens.
5. Enter the name of the help desk user (in this example the user name is
Helpdesk) and click OK.
6. Click Advanced.
7. Select the help desk user from the list and click Edit.
9. Select Allow for the following attributes: Read msNPAllowDialin and Write
msNPAllowDialin
To manage MS-CA Connector:
The user needs read and enroll permissions for the templates that will be
used (enrollment agent, smartcard logon etc.):
1. Open the CA snap-in. Right-click Certificate Templates and choose
Manage.
2. From the certificate list, double click the certificate the TMS should enroll.
3. In the security tab give the help desk user the permissions to Read and
Enroll.
4. In the CA snap-in, right-click the CA name, and choose Properties.
5. In the security tab give the help desk user the permission to Issue and
Manage Certificates.
To manage P12 Connector:
Read permissions to the libraries where the pfx files and the password
9. On the summary page, review the proposed settings, and then click
Finish.
To manage TMS web site:
The help desk user needs to have read permissions to the TMS web site
directory on the IIS server.
Appendix 3
NOTICE
All attempts have been made to make the information in this document
complete and accurate. Aladdin is not responsible for any direct or indirect
damages or loss of business resulting from inaccuracies or omissions. The
specifications in this document are subject to change without notice.
Appendix 4
FCC Compliance
eToken USB has been tested and found to comply with the limits for a Class B
digital device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation.
This equipment generates, uses and can radiate radio frequency energy and, if
not installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that
interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one of the following
measures:
a. Reorient or relocate the receiving antenna.
b. Increase the separation between the equipment and receiver.
c. Connect the equipment to an outlet on a circuit different from that to which
the receiver is connected.
d. Consult the dealer or an experienced radio/TV technician.
FCC Warning
Modifications not expressly approved by the manufacturer could void the user's
authority to operate the equipment under FCC rules.
All of the above applies also to the eToken USB.
FCC authorities have determined that the rest of the eToken product line does
not contain a Class B Computing Device Peripheral and therefore does not
require FCC regulation.
CE Compliance
The eToken product line complies with the CE EMC Directive and related
standards*. eToken products are marked with the CE logo and an eToken CE
conformity card is included in every shipment or upon demand.
UL Certification
The eToken product line successfully completed UL 94 Tests for Flammability
of Plastic Materials for Parts in Devices and Appliances. eToken products
comply with UL 1950 Safety of Information Technology Equipment
regulations.
Certificate of Compliance
Upon request, Aladdin Knowledge Systems will supply a Certificate of
Compliance to any software developer who wishes to demonstrate that the
eToken product line conforms to the specifications stated. Software
developers can distribute this certificate to the end user along with their
programs.
Index
Organizational Unit, 15
Aladdin Website, II
Architecture, 13, 14
Authorization Manager, 99
CE Compliance, 259
Certificate of Compliance, 260
Configuring, 81, 83, 87
  Backend Service, 105
  Connectors, 97
  Security Keys, 91
  TMS Public Key, 96
  TMS service account, 110
  TMS Settings, 81, 83, 87
  Token Policy, 109
  TPO Objects, 113
Contacting Aladdin eToken, II
  Austria, II
  Belgium, II
  France, II
  Germany, II
  Ireland, II
  Italy, II
  Netherlands, II
  Rest of the world, II
  Spain, II
  Switzerland, II
  UK, II
  USA, II
Copyrights and Trademarks, 257
Defining, 56, 99
Defining Token Policies, 111
Deployment Strategies, 13
Domain, 15
Domain Controller Roles, 16
  Microsoft Active Directory Application Mode, 16
  Replication, 16
Edit TMS Settings, 91
Editing, 81, 91
  TMS, 108
  TMS Settings, 91
Export Keys, 92
FCC Compliance, 259
FCC Warning, 259
Flags
  Block Policy Inheritance, 129
  No Override, 129
  TPO Disable, 130
Forest, 15
Glossary, 227
Import Keys, 94
Installation Components, 33
Installing, 18
  AD Shadow Domain, 18
  ADAM Shadow Domain, 19
  TMS Client Component, 35
  TMS Management Station Component, 35
  TMS Server Component, 34
Installing and Configuring ADAM, 241
Installing TMS, 19
  AD Multi Domain Shadow Environment, 20
  AD Single Domain Production Environment, 19
  AD Single Domain Shadow Environment, 19
  ADAM Multi Domain Shadow Environment, 21
  ADAM Single Domain Shadow Environment, 20
ISO 9002 Certification, 260
Microsoft Active Directory, 13, 14
Migrating from TMS 1.5 to TMS 2.0, 38
Operations, 98
Overview, 2
  Enhanced User Experience, 4
  Main Features, 3
  New and Enhanced Functionality, 4
  New Design, 3
  New in TMS, 3, 4
Post-Installation Configuration, 81
Production Domain, 17
Removing TMS 1.5, 45
Role Store, 104
Roles, 98
  Defining, 56, 99
  New Roles, 101
  Predefined, 99
Schema, 16
Shadow Domain, 17
System Requirements, 5
  Client Component, 5
Tasks, 98
Text Conventions, III
The Microsoft Active Directory Users and Computers Snap-in, 113
The TMS Backend Service, 173
The TMS Desktop Agent, 179
TMS Architecture, 14
TMS Assignments, 98
TMS Configuration, 47
TMS Deployment Options, 17, 18
  Production and Shadow Domains, 17
TMS Settings
  Audit, 147
  Backend Service, 149
  Desktop Agent, 150
  Enrollment, 142
  eToken, 135
  Recovery, 145
TMS System Objects, 112
Token Policy Object, 85
Token Policy Object Editor, 86
TPO Scope
  Specifying, 126
  Using the Security tab to control TPO scope, 126
TPO Settings, 130
  Connectors, 135
  Mail, 134
Tree, 15
UL Certification, 260
Understanding TPOs, 112
User Permissions, 251