Date posted: 27-Dec-2015
SafeNet Authentication Manager (SAM) Version 8.0 Revision A
Administrator's Guide
Copyright © 2010 SafeNet, Inc. All rights reserved.
All attempts have been made to make the information in this document complete and accurate.
SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.
SafeNet and SafeNet Authentication Manager are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.
SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.
Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.
Date of publication: September 2010
Last update: Tuesday, September 21, 2010 3:24 pm
Support
We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact us directly at:
Telephone
You can call our help-desk 24 hours a day, seven days a week:
USA: 1-800-545-6608
International: +1-410-931-7520
Email
You can send a question to the technical support team at the following email address: [email protected]
Website
You can submit a question through the SafeNet Support portal: http://c3.safenet-inc.com/secure.asp
Additional Documentation
The following SafeNet publications are available:
SafeNet Authentication Manager 8.0 User's Guide
SafeNet Authentication Manager 8.0 ReadMe
Table of Contents
Part I Overview of SafeNet Authentication Manager
1. Introduction .... 3
  Overview of SafeNet Authentication Manager .... 4
    SafeNet Authentication Manager 8.0 Core Benefits .... 4
  New and Enhanced Features in SafeNet Authentication Manager 8.0 .... 5
    Cloud support and integration with SaaS providers, Google Apps and Salesforce.com .... 5
    Enhanced MobilePASS Software Authentication Solution .... 6
    Integration with SafeNet HSMs for secure key storage .... 6
    Token History Management .... 6
    Token Policy Object (TPO) Export and Import .... 7
    Additional Platform .... 7
  Supported Authenticators .... 7
2. System Requirements .... 9
  SAM Server System Requirements .... 10
  SAM Management Tools System Requirements .... 13
  SAM Client System Requirements .... 14
  SAM External Web Portals .... 15
Part II Installation and Configuration
3. User Store Deployment .... 19
  Supported User Stores .... 20
    Remote Active Directory .... 21
  Configuring a Microsoft SQL Server User Store .... 21
    Preparing Microsoft SQL Server Views .... 22
    Indexed Fields .... 25
    Preparing an MS SQL Server Authentication dll .... 25
  Configuring an LDAP User Store .... 29
    Preparing LDAP Authentication Dll .... 29
    Supported Authentication Types .... 30
4. Installation and Configuration Checklist .... 37
  Step 1: Perform Pre-Installation Tasks .... 38
  Step 2: Install SafeNet Authentication Manager .... 38
    SafeNet Authentication Client Configuration .... 38
    OTP Configuration .... 39
  Step 3: Configure SafeNet Authentication Manager .... 40
5. Installation .... 43
  Installation Components .... 44
    Silently Installed Component .... 45
  Installation Steps in an AD Environment .... 46
    Installing in a Single Domain Environment .... 46
    Installing in a Multi Domain Environment .... 47
    Installing SAM in a Multi Forest Environment .... 47
    Installing and Running Schema Modification Scripts .... 48
  Installing the SafeNet Authentication Manager Server .... 52
  Installing the SAM Management Tools .... 57
  Installing SAM Client Using the Installation Wizard .... 60
  Installing SAM Client Using the Command Line .... 63
  Un-installation .... 64
    Removing SAM Server from the Computer .... 64
    Removing SAM from the Domain .... 65
  Propagating the SAM Server Name .... 66
  Duplicating a SAM Server .... 70
    Licensing a Duplicate Server .... 71
6. Upgrade and Migration .... 73
  Upgrading to SAM 8.0 Server .... 74
  Upgrading to SAM 8.0 Client .... 75
  Upgrading to SAM 8.0 Management Tools .... 75
  Migrating from TMS 2.0 in an OpenLDAP Environment .... 76
  Migrating from TMS 2.0 with a Shadow Domain .... 76
  Migrating from SafeWord to SafeNet Authentication Manager 8.0 .... 77
    Exporting Data from the SafeWord Database .... 77
    Importing SafeWord Data into SAM .... 80
7. Basic Configuration .... 85
  Configuring for Active Directory .... 86
  Configuring for Standalone User Store .... 94
  Configuring for OpenLDAP, Novell eDirectory or Remote AD .... 102
  Configuring for MS SQL Server .... 115
8. Token Policy Object Links .... 121
  Accessing Token Policy Object Links .... 122
    Accessing TPO Links in an AD Environment .... 122
    Accessing TPO Links in a Non-AD Environment .... 125
    Accessing TPO Links in a Standalone User Store Environment .... 127
  Creating a New TPO Link .... 130
  Adding a TPO Link .... 132
  Deleting a TPO Link .... 133
  Specifying the Scope of a TPO Link .... 133
    TPO Inheritance Behavior .... 134
    Setting No Override and Disabled Options .... 136
    Blocking Policy Inheritance .... 137
    Applying TPO Links to Limited Users and Groups .... 138
  Importing and Exporting Token Policy Objects .... 140
    Exporting Token Policy Objects .... 140
    Importing Token Policy Objects .... 142
9. Token Policy Object Settings .... 145
  Using the Token Policy Object Editor to Edit TPOs .... 146
  General Settings .... 150
    Mail Configuration .... 150
    SMS Provider Configuration .... 151
  Connector Settings .... 152
  Token Settings .... 152
    Token Initialization .... 152
    Token Password .... 153
    Password Quality .... 153
    Manual Complexity .... 155
    Initialization Parameters .... 157
    Initialization Key .... 158
    Advanced Settings .... 161
  Enrollment Settings .... 162
    General Properties .... 162
    SafeNet eToken Virtual Enrollment .... 165
    Enrollment Notification .... 165
  Recovery Settings .... 166
  Audit Settings .... 170
  MobilePASS Settings .... 170
  Backend Service Settings .... 171
  Legacy TMS Desktop Agent Settings .... 173
  Badging Settings .... 174
    Photo Storage .... 175
    Printing Parameters .... 175
10. SAM Configuration Manager .... 179
  Launching the SAM Configuration Manager .... 180
  Selecting the SAM Instance .... 180
  Importing and Exporting the SAM Settings File .... 181
    Exporting the SAM Settings File .... 181
    Importing the SAM Settings File .... 183
  Adding SAM Connectors .... 183
  Configuring Roles .... 185
  Scheduling the SAM Backend Service .... 185
  Configuring the License .... 187
  Configuring IIS and Web Services .... 187
    Configuring OTP Web Services .... 187
    Configuring Features of the SAM Management Center .... 187
    Configuring Features of the SAM Self Service Center .... 188
    Configuring Features of the SAM Rescue Service Center .... 190
    Configuring Features of SAM Web Service API .... 190
    Configuring Desktop Agent .... 192
    Configuring Server Synchronization .... 192
  Selecting the Authentication Plug-In .... 193
  Defining a Failover Configuration .... 194
  Exporting and Importing the Signing Certificate .... 196
    Exporting a Signing Certificate .... 196
    Importing a Signing Certificate .... 197
  Changing the SAM Service Account .... 198
11. Connector Configuration .... 201
  Connector for Microsoft CA .... 202
    Supported User Stores .... 202
    Microsoft DLL Files Required for MSCA .... 203
    Configuring the Microsoft CA .... 204
  Connector for OTP Authentication .... 217
    Supported User Stores .... 217
    Defining TPO Rules .... 217
  Connector for Flash Management .... 221
    Supported User Stores .... 221
    Defining TPO Rules .... 222
  Connector for P12 Certificate Import .... 224
    Supported User Stores .... 225
    Defining TPO Rules .... 225
  Connector for SafeNet Network Logon .... 232
    Supported User Stores .... 233
    Defining TPO Rules .... 233
  Connector for eToken Anywhere .... 237
    CA Requirements .... 237
    Supported User Stores .... 238
    Defining TPO Rules .... 238
  Connector for Check Point Internal CA .... 243
    Internal CA vs. External CA .... 243
    Supported User Stores .... 244
    Configuring the CP Firewall Management .... 244
    Defining TPO Rules .... 254
  Connector for Entrust .... 264
    Entrust Authority Security Manager .... 264
    SafeNet Authentication Manager - Entrust Integration .... 265
    Main Features .... 266
    Architecture .... 266
    Deployment Recommendations .... 267
    System Requirements .... 268
    Prerequisites .... 269
    Connector for Entrust Configuration .... 272
    Opening the Connector Policy Object Editor .... 272
    Defining the CA Policy .... 274
    Defining the Add User to Security Manager Policy .... 277
    Defining the Security Manager and SAM on Different Domains Policy .... 278
    Defining the Domain Username Policy .... 279
    Defining the Domain User Password Policy .... 280
    Defining the User Path Policy .... 281
    Defining the Username Template Policy .... 282
    Mapping Attributes .... 283
    Defining the Add User to Security Manager Directory Policy .... 284
    Defining the User Role Policy .... 285
    Defining the Certificate Type Policy .... 286
    Defining the Last Security Manager Update Policy .... 286
    Defining the SafeNet eToken Rescue Support Policy .... 287
    Entrust Security Manager Administration Configuration .... 288
    Using SAM with Entrust .... 290
    Behavior and Limitations .... 292
12. Licensing .... 293
  Licensing Overview .... 294
  Evaluation License .... 294
  Upgrading Licenses from Earlier Versions .... 295
  Viewing Licenses .... 295
  Applying a License .... 296
  Multi-Domain Licenses .... 298
13. Authorization Manager .... 299
  Authorization Management Overview .... 300
  Predefined Roles .... 301
  Defining a New Scope .... 301
  Defining Roles .... 303
  Defining Tasks .... 306
14. User Permissions .... 309
  Permissions for Basic Administration .... 310
    SAM Service Account Permissions .... 310
    User Permissions for Installing SAM .... 310
  Granting Dial-In Permission to the User Account .... 311
  Granting Permissions for Microsoft CA Templates .... 314
  Delegating Password Reset Control .... 315
15. Audit Messages and Enrollment Notifications .... 321
  Audit Messages .... 322
    Configuring Audit Settings for Viewing in Windows Event Viewer .... 322
    Viewing SAM Events in the Event Viewer .... 323
    Configuring Audit Settings for Sending Notification Messages .... 325
  Enrollment Notification .... 332
    Configuring Enrollment Notification Messages .... 332
  Configuring Audit, Enrollment and MobilePASS Activation Notification Templates .... 335
    Notification Letter Keywords .... 336
  Configuring SMS Notification Template .... 338
16. OTP Configuration .... 339
  OTP Web Service Settings .... 340
    Blank Presses .... 340
    Blank Presses Resync .... 340
    Time Sync .... 341
    Time Resync .... 341
  OTP Web Service Configuration .... 342
  Configuring SAM IAS Plug-In .... 345
  Configuring IAS for a Non-AD User Store .... 348
17. Backend Service .... 353
  Overview of Backend Services .... 354
  Controlling SAM Backend Services .... 355
Part III Post-Installation Configuration
18. User Management in an ADAM Environment .... 359
  ADAM Environment User Store Overview .... 360
  Opening SafeNet Authentication Manager - Policy Manager .... 360
  Adding a User .... 362
  Viewing and Editing User Properties .... 364
  Adding a Group or OU .... 365
  Viewing and Editing Group Properties .... 367
19. Desktop Agent .... 371
  Overview of the Desktop Agent .... 372
  Adding the Desktop Agent Template to the GPO Editor .... 372
  Editing the Desktop Agent Settings in the GPO Editor .... 377
  Desktop Agent Settings .... 379
  Configuring Automatic Download of SafeNet eToken Rescue .... 385
  Configuring Attendance Reports .... 386
    Opening the Desktop Agent Settings Window .... 386
    Creating an Attendance Reports MS SQL Server Database .... 387
    Adding a Renamed MDF file to MS SQL Server .... 389
    Connecting to an Existing MS SQL Server Database through an ODBC Connection .... 391
    Saving Data for Attendance Reports .... 396
    Clearing the Token Connection Data History .... 398
    Displaying an Error Message Following Server Error .... 399
  Configuring the Legacy Desktop Agent .... 400
    SAM Desktop Agent Web Services Settings .... 401
  Troubleshooting .... 401
20. External Portals .... 403
  Overview of SAM External Portals .... 404
  Deliverables .... 404
  Prerequisites .... 404
  Installing the SAM External Portals .... 405
  Configuring SAM Portals .... 409
    Configuring Roles for SAM Portals .... 409
    Adding a Portal Connection .... 410
    Configuring Cloud Logon .... 412
    Setting the Logon Credentials in Google Apps .... 416
    Setting the Logon Credentials in Force.com .... 417
    Configuring the Username Attributes .... 418
21. Customizing SAM Websites .... 421
  Customizing Text .... 422
    Editing the Text in the Resource Files .... 422
    Implementing Text Changes with the SAM Branding Tool .... 423
  Customizing Graphic Files .... 424
Part IV SAM Management
22. SAM Management Center Main Features .... 429
  Client Requirements .... 430
    Browser Settings .... 430
  OTP Tokens .... 430
    Temp OTP .... 431
    MobilePASS Tokens .... 431
  SafeNet eToken Virtual Products .... 432
    SafeNet eToken Virtual .... 433
    SafeNet eToken Virtual Temp .... 433
    SafeNet eToken Rescue .... 434
    SafeNet eToken Rescue Use Case .... 434
  eToken Network Logon .... 435
    eToken Network Logon Device Options .... 436
    eToken Network Logon Use Case .... 436
23. Helpdesk .... 437
  Helpdesk Page Overview .... 438
Accessing the Helpdesk Page...............................................................................439Unlocking a User....................................................................................................447Enabling a Temp Logon.........................................................................................449Enabling User Access to a SafeNet eToken Rescue............................................452Resetting the Default User Password ...................................................................455Revoking a User's Token .......................................................................................455Unassigning a User's Token ..................................................................................457Unlocking a User's Token ......................................................................................459Temporarily Disabling a Token...............................................................................462Enabling a Token ...................................................................................................464Replacing a User's Token ......................................................................................465OTP Options ..........................................................................................................470
Extending an OTP .............................................................................................471Replacing a Temp OTP with an OTP Token .....................................................473Replacing an OTP Token with a Temp OTP .....................................................474Resetting an OTP PIN.......................................................................................477Validating an OTP Token...................................................................................478Locking an OTP.................................................................................................480Unlocking an OTP .............................................................................................482
Certificate Recovery Workflow Options.................................................................483Requesting a Certificate Recovery Workflow....................................................484Approving a Certificate Recovery Workflow......................................................486Cancelling a Certificate Recovery Workflow .....................................................488Rejecting a Certificate Recovery Workflow.......................................................491Recovering Certificates .....................................................................................493
24. Deployment ............................................................................................497Deployment Page Overview .............................................................................498Accessing the Deployment Page...........................................................................499Assigning a Token..................................................................................................503Enrolling a Smartcard or USB Token.....................................................................505Enrolling an OTP Token.........................................................................................509MobilePASS Token Enrollment.............................................................................. 511
Preparing the MobilePASS Token Notification Procedure ................................512Enrolling a MobilePASS Token..........................................................................512Sending a MobilePASS Token to the User........................................................515Using a MobilePASS Token to Generate an OTP.............................................515
xv
25. Inventory.................................................................................................517Inventory Page Overview..................................................................................518Accessing the Inventory Page............................................................................... 519Initializing a Token ................................................................................................. 523Adding Tokens to the SAM Inventory.................................................................... 526
Adding a File of Tokens to the SAM Inventory.................................................. 526Adding a Token to the SAM Inventory .............................................................. 528
Removing a Token from the SAM Inventory ......................................................... 53026. Reports ...................................................................................................533
SAM Reports Page Overview ...........................................................................534Accessing the Reports Page................................................................................. 534Generating a Token Inventory Report ................................................................... 536Generating a Token History Report....................................................................... 541Generating a Token Expiration Report.................................................................. 546Generating a Token Audit Report.......................................................................... 550Generating an OTP Usage Report........................................................................ 553Generating a Token Connections Report.............................................................. 555Generating an Hourly Distribution Chart ............................................................... 559
27. Downloads .............................................................................................563SAM Downloads Page Overview ......................................................................564Accessing the SAM Downloads Page................................................................... 564Downloading SAM Web Client .............................................................................. 565Downloading MobilePASS Applications................................................................ 569
Part V AppendixesA. AD Schema Enhancement...................................................................573
Prefixes Registered with Microsoft....................................................................574Naming Conventions ............................................................................................. 574Schema Attributes and Classes Tables ................................................................ 574
Attributes ........................................................................................................... 575Classes.............................................................................................................. 588Schema extensions for TMS 5.0 and Later ...................................................... 590Schema Extensions for SAM 8.0 and Later...................................................... 592
xvi
Part I Overview of SafeNet Authentication Manager
This section provides an overview of SAM, including the new features in this version.
In this section:
Chapter 1: Introduction (page 3)
Chapter 2: System Requirements (page 9)
Chapter 1
Introduction

SafeNet Authentication Manager (SAM) enables management of the complete user authentication life cycle. SafeNet Authentication Manager links tokens with users, organizational rules, and security applications to allow streamlined handling of users' needs throughout the various stages of their authenticator lifecycle.
In this section:
Overview of SafeNet Authentication Manager
New and Enhanced Features in SafeNet Authentication Manager 8.0
Supported Authenticators
4 SafeNet Authentication Manager Administrator’s Guide
Overview of SafeNet Authentication Manager

SafeNet Authentication Manager 8.0 (formerly known as eToken TMS) provides your organization with a comprehensive platform to manage all of your authentication requirements, across the enterprise and the cloud, in a single, integrated system. Enabling strong authentication for cloud applications using identity federation technology and offering support for SafeNet's portfolio of OTP and certificate‐based authenticators, SafeNet Authentication Manager (SAM) is designed to evolve with your changing needs so you can:
Maintain strong on‐premise authentication for cloud‐based SaaS applications such as Google Apps and SalesForce.com
Seamlessly enhance your authentication infrastructure from OTP‐only environments to more flexible ones that support both OTP and certificate‐based (PKI) solutions and applications
Deploy a range of software authentication solutions
SafeNet Authentication Managerʹs capabilities include central, delegated, and self‐service interfaces that allow different levels of service to different communities of users and administrators.
SafeNet Authentication Manager 8.0 Core Benefits

Extend your current enterprise authentication infrastructure to the cloud seamlessly
Complete support for your entire authentication solution (OTP, CBA, security applications) in a single system
Extensible, open platform with self‐service and remote support for Linux, Mac and Windows
Flexibility to evolve your authentication infrastructure to include OTP and CBA solutions as well as advanced security applications
Reduce the workload of your IT staff with an integrated IT infrastructure, automated processes and intuitive user self‐service tools
Control of your authenticator inventory and usage
Enhanced user productivity and remote access from wherever they are without compromising security
Comprehensive auditing and reporting features enable compliance with privacy regulations
New and Enhanced Features in SafeNet Authentication Manager 8.0
The following features have been included in SafeNet Authentication Manager 8.0.
Cloud support and integration with SaaS providers, Google Apps and Salesforce.com
Description: SAM provides a seamless strong authentication experience for enterprise users who want to access SaaS applications such as Google Apps and Salesforce.com (SFDC). This is achieved by federating their enterprise identity to the cloud, in short, enabling a Single Credential experience in which the user logs into the SAM portal using their access credentials and is then automatically redirected to the specific cloud application.

How it works: User authentication first happens in the enterprise (the user logging into SAM), and only after users are successfully authenticated are they redirected to the cloud service through the use of identity federation protocols such as Security Assertion Markup Language (SAML), an XML‐based standard for exchanging authentication and authorization data. SafeNet Authentication Manager acts as the trusted identity provider, giving authenticated users permission to access the application. The SaaS application is configured to allow access only to those users authenticated by SafeNet Authentication Manager. The enterprise maintains control of user access, as every use of the cloud resource is first validated on premise.

Benefits: Enables enterprise users to access SaaS applications securely via two‐factor authentication from anywhere. Existing SafeNet TMS/SAM customers can leverage their current on‐premise authentication deployment to seamlessly and cost‐effectively extend the same strong authentication solution to their cloud applications. There is no additional hardware or software to deploy; users can leverage their current authenticators. Comprehensive management of all authentication operations for both on‐premise and cloud can be performed within a single platform.
Enhanced MobilePASS Software Authentication Solution
Over‐the‐air deployment, which can be achieved in two ways:
  Direct download link sent to the user via email; using their mobile device, the user then clicks on the link and is prompted to install the application on their device
  Software distribution push via BlackBerry Enterprise Server (BES)
Simple Remote Self‐Enrollment and Activation portal for end users
Broad range of mobile device support: BlackBerry (4.2 and above), iPhone (3.0 and above), J2ME, Android
Integration with SafeNet HSMs for secure key storage

Description: SafeNet Authentication Manager security keys are stored in the HSM; encryption and decryption of SAM data is executed on the HSM.
Benefits: Storing the SAM security keys in the HSM rather than locally in the file system enhances the security and the protection of stored secrets such as OTP seeds and archived private keys from unauthorized copy or leakage; this is an increasing requirement among both financial and government customers.
Supported HSM models: Luna SA 4.4 and PCI 7000
Token History Management

Stores historical data of tokens that have been unassigned or removed. When a user leaves the company, their tokens are initialized and all data removed. However, if the token was used to access encrypted company data, for example, it might be necessary later to retrieve the encryption key. SAM now enables such a process by keeping a history of unassigned tokens, enabling certificate export for historic certificates.
Token Policy Object (TPO) Export and Import

TPO settings can be exported to, and imported from, a password protected file
Enables the duplication of the same TPO settings in multiple SAM installations
Assists the SafeNet support team when providing assistance to customers
Additional Platform

Windows Server 2008 R2 is now supported
Supported Authenticators

The following authenticators are supported in SafeNet Authentication Manager 8.0:

SafeNet eToken PRO
SafeNet eToken NG Flash
SafeNet eToken NG OTP
SafeNet eToken Smart Card
SafeNet eToken Anywhere
SafeNet eToken Virtual
SafeNet eToken Virtual Temp
SafeNet eToken Rescue
eToken Anywhere
MobilePASS
MobilePASS Messaging
Alpine
Gold 3000
Platinum
Silver
Chapter 2
System Requirements

Before installing SAM, ensure that your system meets the requirements for each of the components. See Installation Components on page 44.
In this chapter:
SAM Server System Requirements
SAM Management Tools System Requirements
SAM Client System Requirements
SAM External Web Portals
Windows Password
SAM Server System Requirements
Component: Operating System
  Requirement: One of the following:
    Windows Server 2003 SP2 (32-bit, 64-bit)
    Windows Server 2003 R2 (32-bit and 64-bit)
    Windows Server 2008 SP2 (32-bit, 64-bit)
    Windows Server 2008 R2 (64-bit)

Component: Additional Software
  Requirement: Windows Installer 3.0 or later
  Comment: The Microsoft® Windows® Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2-x86.exe is the redistributable package for installing or upgrading Windows Installer.
    http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en

  Requirement:
    32-bit: Microsoft .NET Framework Version 2.0 SP1 (x86) redistributable package or later
    64-bit: Microsoft .NET Framework version 2.0 (x64) redistributable package or later
  Comment: The Microsoft .NET Framework version 2.0 redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework 2.0.
    32-bit: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
    64-bit: http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00&displaylang=en

  Requirement: One of the following:
    Microsoft SQL Server 2005
    Microsoft SQL Server 2008
  Comment: Required for producing Attendance Reports only

  Requirement: Java Runtime Environment 1.5 or later
  Comment: Required for MobilePASS tokens only

Component: SAM Configuration Store
  Requirement: Active Directory (if Active Directory is to be used as the configuration store).
  Comment: See SAM Configuration Store on page 23.
  Note: If ADAM is to be used as the configuration store, it does not need to be installed separately, as it is installed during the SAM installation.

Component: SAM User Store
  Requirement: One of the following, if an external user store is used:
    Active Directory (Windows 2003, 2003R2, 2008, or 2008R2)
    MS SQL Server 2005 or 2008
    OpenLDAP 2.3.38 or later
    Novell eDirectory 8.7.3 or later
  Comment: See User Store on page 21.
  Note: If the integrated configuration of a Standalone user store is used, ADAM is installed during the SAM installation, and a pre-installed user store is not required.

Component: PKI Client/SafeNet Authentication Client
  Requirement: The following versions are supported:
    eToken PKI Client version 4.55
    eToken PKI Client version 5.1 SP1
    SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
  Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SafeNet Authentication Manager system.
  Note: Not required for OTP-only implementations.
SAM Management Tools System Requirements

Component: Operating System
  Requirement: One of the following:
    Windows Server 2003 SP2 (32-bit, 64-bit)
    Windows Server 2003 R2 (32-bit, 64-bit)
    Windows Server 2008 SP2 (32-bit, 64-bit)
    Windows Server 2008 R2 (64-bit)
    Windows XP SP3 (32-bit, 64-bit)
    Windows Vista SP2 (32-bit, 64-bit)
    Windows 7 (32-bit, 64-bit)
  Comment: Use Windows Vista and Windows 7 for non-AD environments only.

Component: Additional Software
  Requirement: Windows Installer 3.0 or later
  Comment: See the Windows Installer comment on page 11.

  Requirement: Microsoft .NET Framework Version 2.0 SP1 Redistributable or later
  Comment: See the Microsoft .NET Framework comment on page 11.

Component: eToken PKI Client or SafeNet Authentication Client
  Requirement: The following versions are supported:
    eToken PKI Client version 4.55
    eToken PKI Client version 5.1 SP1
    SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
  Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SAM system.
  Note: Not required for OTP-only implementations.

Component: Browser
  Requirement: Internet Explorer 6.0, 7.0, or 8.0

Component: Trusted Sites
  Requirement: SAM Management Center
  Comment: Must be set as a trusted site.
SAM Client System Requirements

Component: Operating System
  Requirement: One of the following:
    Windows Server 2003 SP2 (32-bit, 64-bit)
    Windows Server 2003 R2 (32-bit, 64-bit)
    Windows Server 2008 SP2 (32-bit, 64-bit)
    Windows Server 2008 R2 (64-bit)
    Windows XP SP3 (32-bit, 64-bit)
    Windows Vista SP2 (32-bit, 64-bit)
    Windows 7 (32-bit, 64-bit)

Component: eToken PKI Client or SafeNet Authentication Client
  Requirement: The following versions are supported:
    eToken PKI Client version 4.55
    eToken PKI Client version 5.1 SP1
    SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
  Note: eToken PKI Client 5.1 SP1 or later is required for a Windows 7 environment.
  Comment: Required to work with tokens and with connector configurations.
  Note: Not required for OTP-only implementations.

Component: Browser
  Requirement:
    Internet Explorer 6.0, 7.0, or 8.0
    Firefox 3.6 (OTP operations only)
    Safari 5 (OTP operations only)

Component: Trusted Sites
  Requirement: SAM Self Service Center
  Comment: Must be set as a trusted site.
SAM External Web Portals

Component: Browser
  Requirement:
    Internet Explorer 6.0, 7.0, or 8.0
    Firefox 3.6
    Chrome 5
    Safari 5 (Mac)
Part II Installation and Configuration

The following chapters describe how to install and configure SAM.

In this section:

Chapter 3: User Store Deployment (page 19)
Chapter 4: Installation and Configuration Checklist (page 37)
Chapter 5: Installation (page 43)
Chapter 6: Upgrade and Migration (page 73)
Chapter 7: Basic Configuration (page 85)
Chapter 8: Token Policy Object Links (page 121)
Chapter 9: Token Policy Object Settings (page 145)
Chapter 10: SAM Configuration Manager (page 179)
Chapter 11: Connector Configuration (page 201)
Chapter 12: Licensing (page 293)
Chapter 13: Authorization Manager (page 299)
Chapter 15: Audit Messages and Enrollment Notifications (page 321)
Chapter 16: OTP Configuration (page 339)
Chapter 17: Backend Service (page 353)
Chapter 3
User Store Deployment

Typically, Microsoft Active Directory is deployed as part of the Windows operating system, and is available when installing SafeNet Authentication Manager. To use a different user store (MS SQL Server, OpenLDAP, or Novell eDirectory) that is not already installed, you must deploy it before installing SAM. Alternatively, you can install a Standalone user store, which is an integrated configuration store and user store based on ADAM. In this case, ADAM is installed as part of the SAM installation. See User and Configuration Stores on page 21.
In this section:
Supported User Stores
Remote Active Directory
Configuring a Microsoft SQL Server User Store
Configuring an LDAP User Store
Supported User Stores

SafeNet Authentication Manager can work with any of the following user stores:

Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)

Note: You cannot work with Active Directory and a different store (MS SQL Server, OpenLDAP, Novell, or Remote AD). However, when working with AD you can use several domains. When working with MS SQL Server, OpenLDAP, Novell, or Remote AD, you can use several of them together, but not with AD.

ADAM (with Standalone user store, an integrated configuration and user store)
Remote Active Directory
Microsoft SQL Server 2005/2008
OpenLDAP
Novell eDirectory

Note: For a fully featured SafeNet Authentication Manager solution including SAM Desktop Agent, Microsoft Active Directory must be used. In non‐AD environments, SafeNet Authentication Manager supports the following connectors:

Connector for OTP Authentication
Connector for eToken Anywhere
Connector for Check Point Internal CA
Connector for Microsoft CA, with offline CA
Connector for Flash Management
Connector for P12 Certificate Import
Remote Active Directory

A remote Active Directory can be used as a user store when working in a multi‐forest environment. This avoids the necessity of installing a SafeNet Authentication Manager server in each forest. A typical use for this would be when deploying OTP in a multi‐forest environment. To enable connection to the remote Active Directory, during configuration SafeNet Authentication Manager must be supplied with the user name and password that will enable access to the domain.
Configuring a Microsoft SQL Server User Store

Perform the following tasks before implementing MS SQL Server as a user store:

Prepare the data views so that SafeNet Authentication Manager can connect to the database.
Prepare the authentication dll file that will enable users to log on to the SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.
Preparing Microsoft SQL Server Views

The required views must be created in MS SQL Server. This set of views must be prepared as described to enable SafeNet Authentication Manager to connect to the database.

AksTMSUsers

AksTMSUsers represents the user table.

Field | Type | Description | Required
UserID | String | The unique user ID | Yes
AccountName | String | The unique user account name | Yes
PolicyObjectID | String | The direct organization unit | Yes (can be null)
LogonName | String | The unique user logon name | No
AccountEnabled | Boolean | Used by OTP authentication | No
AccountLocked | Boolean | Used by OTP authentication | No
FirstName | String | The user’s first name | No
LastName | String | The user’s last name | No
Initials | String | The user’s initials | No
MiddleName | String | The user’s middle name | No
Street | String | The user’s address street | No
POBox | String | The user’s address PO Box number | No
City | String | The user’s address city | No
State | String | The user’s address state | No
ZipCode | String | The user’s address zip code | No
CountryCode | String | The user’s address country code | No
HomePostalAdress | String | The user’s home postal address | No
Email | String | The user’s email | No
MobilePhone | String | The user’s mobile phone | No
HomePhone | String | The user’s home phone | No
OrganizationName | String | The user’s organization name | No
Company | String | The user’s company | No
EmployeeNumber | String | The user’s employee number | No
DepartmentNumber | String | The user’s department number | No
Office | String | The user’s office | No
DisplayName | String | The user’s full display name | No

AksTMSGroups

AksTMSGroups represents the group table.

Field | Type | Description | Required
GroupID | String | The unique group ID | Yes (value required)
GroupName | String | The unique group name | Yes (value required)
DisplayName | String | The group full display name | No

AksTMSUserOfGroup

AksTMSUserOfGroup represents membership of users in the groups.

Field | Type | Description | Required
GroupID | String | The unique group ID | Yes (value required)
UserID | String | The user that belongs to the group | Yes (value required)

AksTMSGroupOfGroup

AksTMSGroupOfGroup represents the group hierarchy.

Field | Type | Description | Required
GroupID | String | The unique group ID | Yes (value required)
MemberGroupID | String | The subgroup that belongs to the group | Yes (value required)

AksTMSPolicyObjects

AksTMSPolicyObjects represents the hierarchy of the organization (equivalent to OU).

Field | Type | Description | Required
PolicyID | String | The unique policy object ID | Yes (value required)
PolicyName | String | The unique policy object name | Yes (value required)
Root | Boolean | Policy object is root | Yes (value required)
ParentPolicyID | String | The ID of the parent policy object | Yes (value not required)
DisplayName | String | The policy’s full display name | No

Indexed Fields

To ensure optimum performance, all required fields in the SQL database should be indexed:

AksTMSUsers: UserID, AccountName, PolicyObjectID
AksTMSGroups: GroupID, GroupName
AksTMSUserOfGroup: GroupID, UserID
AksTMSPolicyObjects: PolicyID, PolicyName, Root, ParentPolicyID

Preparing an MS SQL Server Authentication dll

This section describes how to configure MS SQL Server authentication in SAM.

SQL Authentication Overview

When SafeNet Authentication Manager is configured to work with a user store based on an SQL database, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a user store based on an SQL database, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.
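Before the authentication dll is configured, the five views and the indexed fields described earlier in this chapter have to exist in the database. The following T-SQL is a constructed example, not from the SafeNet guide: the hr.Employees, hr.Teams, hr.TeamMembers, hr.TeamParents and hr.OrgUnits base tables and their columns are hypothetical, while the view names and view column names are the ones the guide requires. It exposes the required columns plus a few optional ones, puts the indexes on the base-table columns behind each required field (a plain view carries no indexes of its own), and ends with consistency checks worth running before SAM is pointed at the database.

```sql
-- Constructed example (not from the SafeNet guide). The hr.* tables and their
-- columns are hypothetical; the view names and view column names are the ones
-- SAM expects. Target: Microsoft SQL Server 2005/2008 (T-SQL), run with sqlcmd
-- or SQL Server Management Studio. GO separates batches because CREATE VIEW
-- must be the first statement in its batch.

-- AksTMSUsers: the user table. UserID and AccountName are required and unique;
-- PolicyObjectID is a required column whose value may be NULL. Boolean fields
-- are exposed as bit. The remaining optional columns are added the same way.
CREATE VIEW dbo.AksTMSUsers AS
SELECT
    CAST(e.EmployeeId AS nvarchar(64))  AS UserID,
    e.SamAccount                        AS AccountName,
    CAST(e.OrgUnitId AS nvarchar(64))   AS PolicyObjectID,
    e.Upn                               AS LogonName,
    CAST(CASE WHEN e.Status = N'active' THEN 1 ELSE 0 END AS bit) AS AccountEnabled,
    CAST(e.IsLocked AS bit)             AS AccountLocked,
    e.GivenName                         AS FirstName,
    e.Surname                           AS LastName,
    e.WorkEmail                         AS Email,
    e.Mobile                            AS MobilePhone,
    CAST(e.EmployeeId AS nvarchar(64))  AS EmployeeNumber,
    e.GivenName + N' ' + e.Surname      AS DisplayName
FROM hr.Employees AS e;
GO

-- AksTMSGroups: the group table.
CREATE VIEW dbo.AksTMSGroups AS
SELECT
    CAST(t.TeamId AS nvarchar(64))      AS GroupID,
    t.TeamCode                          AS GroupName,
    t.TeamName                          AS DisplayName
FROM hr.Teams AS t;
GO

-- AksTMSUserOfGroup: membership of users in groups, one row per (group, user).
CREATE VIEW dbo.AksTMSUserOfGroup AS
SELECT
    CAST(m.TeamId AS nvarchar(64))      AS GroupID,
    CAST(m.EmployeeId AS nvarchar(64))  AS UserID
FROM hr.TeamMembers AS m;
GO

-- AksTMSGroupOfGroup: the group hierarchy (MemberGroupID is a subgroup of GroupID).
CREATE VIEW dbo.AksTMSGroupOfGroup AS
SELECT
    CAST(p.ParentTeamId AS nvarchar(64)) AS GroupID,
    CAST(p.ChildTeamId AS nvarchar(64))  AS MemberGroupID
FROM hr.TeamParents AS p;
GO

-- AksTMSPolicyObjects: the organization hierarchy (OU equivalent). Root is a
-- required Boolean; ParentPolicyID is NULL only for the root policy object.
CREATE VIEW dbo.AksTMSPolicyObjects AS
SELECT
    CAST(o.OrgUnitId AS nvarchar(64))       AS PolicyID,
    o.OrgUnitCode                           AS PolicyName,
    CAST(CASE WHEN o.ParentOrgUnitId IS NULL THEN 1 ELSE 0 END AS bit) AS Root,
    CAST(o.ParentOrgUnitId AS nvarchar(64)) AS ParentPolicyID,
    o.OrgUnitName                           AS DisplayName
FROM hr.OrgUnits AS o;
GO

-- Indexed Fields: a plain view has no indexes, so index the base columns behind
-- each required view column. EmployeeId, TeamId and OrgUnitId are assumed to be
-- primary keys (already indexed); Root is derived from ParentOrgUnitId, so the
-- index on that column serves both Root and ParentPolicyID lookups.
CREATE UNIQUE INDEX IX_Employees_SamAccount ON hr.Employees (SamAccount);
CREATE INDEX        IX_Employees_OrgUnitId  ON hr.Employees (OrgUnitId);
CREATE UNIQUE INDEX IX_Teams_TeamCode       ON hr.Teams (TeamCode);
CREATE INDEX        IX_TeamMembers_TeamId   ON hr.TeamMembers (TeamId);
CREATE INDEX        IX_TeamMembers_EmpId    ON hr.TeamMembers (EmployeeId);
CREATE UNIQUE INDEX IX_OrgUnits_Code        ON hr.OrgUnits (OrgUnitCode);
CREATE INDEX        IX_OrgUnits_Parent      ON hr.OrgUnits (ParentOrgUnitId);
GO

-- Consistency checks to run before pointing SAM at the database. The first
-- three queries should return no rows; the last should return exactly one row.
SELECT AccountName FROM dbo.AksTMSUsers
GROUP BY AccountName HAVING COUNT(*) > 1;                   -- duplicate account names
SELECT ug.UserID FROM dbo.AksTMSUserOfGroup AS ug
LEFT JOIN dbo.AksTMSUsers AS u ON u.UserID = ug.UserID
WHERE u.UserID IS NULL;                                     -- memberships with no user
SELECT u.UserID FROM dbo.AksTMSUsers AS u
LEFT JOIN dbo.AksTMSPolicyObjects AS po ON po.PolicyID = u.PolicyObjectID
WHERE u.PolicyObjectID IS NOT NULL AND po.PolicyID IS NULL; -- users in an unknown OU
SELECT PolicyID FROM dbo.AksTMSPolicyObjects WHERE Root = 1; -- the single root
```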
SQLAuthentication.dll Authentication File

A default SQL authentication dll is provided with SAM: SQLAuthentication.dll. This dll file reads a specific configuration at runtime when the associated application is loaded.

SQLAuthentication.dll is typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

SQLAuthentication.dll.config Configuration File

The configuration file must be named SQLAuthentication.dll.config, and must be located in the same directory as SQLAuthentication.dll.

The SQLAuthentication.dll.config file is an XML file.

Note: After updating the SQLAuthentication.dll.config configuration file, reset the IIS server to update SAM.

Supported Authentication Types

SQL User is the only authentication type supported. This authentication type takes advantage of the SQL Server built‐in authentication service. When a SafeNet Authentication Manager user authentication request arrives, an appropriate SQL connection string is built at runtime and is then used by an SQL connection object to connect to the server. If a connection is established successfully, the authentication request is accepted. If the connection fails, the authentication request is rejected.
Since there may be several user store databases in an organization, each user store may be configured to transfer a userʹs authentication request to a different SQL database as explained in the following <Instance> xml node.
Tip: We recommend referring to the sample SQLAuthentication.dll.config file when reading this section.

Typically, SQLAuthentication.dll.config is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin\

<Instance>

Allows mapping a user's authentication request by the unique name of the user store to which the user belongs. For example, in the above configuration file example, each user belonging to “organization‐usa” will be authenticated using the connection string pointing to SQLSRV‐USA‐MACHINE, while each user belonging to “organization‐europe” will be authenticated using the connection string pointing to SQLSRV‐EUR‐MACHINE. If there is only one user store, only one <Instance> section should be used (adding the default=”true” attribute).

<TMSUserIdentifier>

Indicates which user property should be used as the SQL Server user name. The value at runtime is inserted into the {0} at the ConnectionString XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber, and Name.

<Provider>

This value holds the provider retrieving data from the database. Use the following value: System.Data.SqlClient
<ConnectionString>

Note: The <ConnectionString> template described here must be formatted according to the selected provider. Each provider defines the connection string format.

Contains a template for the database connection string. The template should be formatted according to the provider type, as described in the previous section.

The {0} is replaced at runtime with the value of the TMSUser property indicated in TMSUserIdentifier
The {1} is replaced at runtime with the value of the authentication request password

The following sample shows a connection string for connecting to Microsoft SQL Server:
<ConnectionString>Data Source=SQLSRV-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
Configuring an LDAP User Store

SafeNet Authentication Manager supports OpenLDAP and Novell eDirectory as user stores. Perform the following tasks before implementing an LDAP directory as a user store:

Prepare the authentication dll file that will enable users to log on to SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.
If you require an LDAP schema different from the default, you must make the changes in the SAM Configuration Manager. See Changing the Schema Configuration on page 199.

Notes: In contrast to AD, OpenLDAP does not use a specific schema definition for users, groups, etc. It uses a basic definition that is extended on each installation. Novell eDirectory has a default schema that is similar to AD.

Preparing LDAP Authentication Dll

This section describes how to configure LDAP authentication in SafeNet Authentication Manager.

LDAP Authentication Overview

When SafeNet Authentication Manager is configured to work with a user store that is not Microsoft Active Directory, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center, and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a non‐Active Directory user store, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.
LDAPAuthentication.dll Authentication FileA default LDAP authentication dll file is provided with SafeNet Authentication Manager: LDAPAuthentication.dllThis dll file reads the specific configuration at runtime when the associated application is loaded.LDAPAuthentication.dll is typically located at:C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
LDAPAuthentication.dll.config Configuration FileThe configuration file must be named LDAPAuthentication.dll.config,and must be located in the same directory asLDAPAuthentication.dll
The LDAPAuthentication.dll.config file is an XML file.
Supported Authentication TypesThere are two supported LDAP authentication types:
Fast Bind ConfigurationSlow Bind Configuration
Both authentication types take advantage of the LDAP Directory server built‐in authentication service.
Tip:Use fast bind authentication when the users are stored in LDAP
directory and you wish to authenticate them with the same directory.Use slow bind authentication when the users are stored in one
database and you wish to authenticate them with a different database (which is an LDAP directory).
User Store Deployment 31
Fast Bind Configuration

The most common configuration is the fast bind authentication. It is a one-phase authentication where the user DN and user password are passed to the LDAP directory, which in return accepts or rejects the authentication request.
In this configuration, both users and passwords are placed in the same store. This store is always an LDAP directory where each user in the directory must be authorized to perform authentication.
The XML file should be as follows:
<Configuration>
<AuthenticationType>FastBind</AuthenticationType>
</Configuration>
The file will always be the same regardless of the LDAP directory manufacturer or any other criteria.

Slow Bind Configuration

Slow bind authentication is two-phase authentication:
First phase is searching and retrieving the user's LDAP path (User DN) from a pre-configured LDAP directory.
Second phase is authenticating that user (as in fast bind).
In this configuration, the user store is usually located in one database (of any type) and the passwords are located in another database which must be an LDAP directory. For example, the user store is an SQL database and the passwords are in an OpenLDAP or eDirectory database.
As in fast bind authentication, each user in the LDAP directory must be authorized to perform authentication.
The XML file should be as follows:
<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<AuthenticationType>SlowBind</AuthenticationType>
<SlowBind>
<Instance name="InstanceName1">
<TMSUserIdentifier>AccountName</TMSUserIdentifier>
<Server>Server1.com:389</Server>
<BaseDN>dc=MyCompany1,dc=com</BaseDN>
<FilterTemplate>(&(cn={0})(objectClass=Person))</FilterTemplate>
<UserDN>cn=Admin,dc=MyCompany1,dc=com</UserDN>
<Password></Password>
</Instance>
<Instance default="true">
<TMSUserIdentifier>AccountName</TMSUserIdentifier>
<Server>Server1.com:389</Server>
<BaseDN>dc=MyCompany1,dc=com</BaseDN>
<FilterTemplate>(&(cn={0})(objectClass=Person))</FilterTemplate>
<UserDN>cn=Admin,dc=MyCompany1,dc=com</UserDN>
<Password></Password>
</Instance>
</SlowBind>
</Configuration>
If there are multiple user store databases in an organization, there may be several matching LDAP directories containing the passwords.
The configuration file allows the binding of each user store to a specific LDAP directory.

<Instance>
Allows mapping a user store to an LDAP directory. If there is only one LDAP directory, only one <Instance> section should be used (adding the default="true" attribute).
If there are several LDAP directories, the "name" attribute should be used to map the user store to an LDAP directory, providing the user store's unique instance name.

<TMSUserIdentifier>
Holds the user property that is used to locate the user in the LDAP directory. The value at runtime is inserted into the {0} in the FilterTemplate XML node.
User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber and Name.

<Server>
IP or DNS of the LDAP directory

<BaseDN>
The root LDAP path for user searching

<FilterTemplate>
This LDAP query template is used to build an LDAP search string at runtime in order to find the user requesting authentication in the LDAP directory.
The {0} is replaced at runtime with the value of the user property indicated in TMSUserIdentifier.

<UserDN>
The User LDAP path used to perform the searches in the LDAP directory. This entry must have permissions to search and read LDAP entries in the LDAP directory.

<Password>
The password of UserDN
Note:
The password must be encrypted using the Encrypt Password Tool (EncryptPassword.exe) and placed in the configuration file. See Using the Encrypt Password Tool (EncryptPassword.exe) on page 34.
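The following Python script is an added example, not SafeNet code. It reads a slow-bind LDAPAuthentication.dll.config of the layout documented above, selects an <Instance> by name or by default="true", substitutes {0} into FilterTemplate, and walks the two phases (bind as UserDN and search, then bind as the located user) against a constructed in-memory directory that understands only &, | and equality or presence filters. It also shows why the {0} value should be escaped per RFC 4515 before substitution: an identifier such as * otherwise matches every entry, and the resolver should refuse any search that does not return exactly one DN. Whether the real DLL performs this escaping is not stated in this guide. The FilterTemplate is written as &amp; here because a bare & is not well-formed XML; the server names, DNs, users and passwords are constructed sample values, with passwords in clear only so the simulation can check them.

```python
"""Slow-bind resolution for an LDAPAuthentication.dll.config (added example, not
SafeNet code). Assumes only the XML layout documented above; directory entries,
users and the service account below are constructed sample data."""
import re
import xml.etree.ElementTree as ET

CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>ldap.example.test:389</Server>
      <BaseDN>dc=example,dc=test</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=Person))</FilterTemplate>
      <UserDN>cn=svc-sam,dc=example,dc=test</UserDN>
      <Password>ENCRYPTED-BLOB-PLACEHOLDER</Password>
    </Instance>
  </SlowBind>
</Configuration>"""
FIELDS = ("TMSUserIdentifier", "Server", "BaseDN", "FilterTemplate", "UserDN", "Password")

def load_config(xml_text):
    """Return (AuthenticationType, [instance dicts]); every field is required."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    instances = []
    for inst in root.findall("./SlowBind/Instance"):
        data = {"name": inst.get("name"), "default": inst.get("default") == "true"}
        for field in FIELDS:
            node = inst.find(field)
            if node is None:
                raise ValueError(f"<Instance> is missing <{field}>")
            data[field] = (node.text or "").strip()
        instances.append(data)
    return root.findtext("AuthenticationType"), instances

def select_instance(instances, store_name=None):
    """The <Instance> named after the user store, else the default one."""
    named = [i for i in instances if store_name and i["name"] == store_name]
    default = [i for i in instances if i["default"]]
    if not (named or default):
        raise LookupError("no <Instance> matches and none is default")
    return (named or default)[0]

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(inst, identifier, escape=True):
    """Fill {0} of FilterTemplate with the TMSUserIdentifier value."""
    value = escape_filter_value(identifier) if escape else identifier
    return inst["FilterTemplate"].replace("{0}", value)

# Constructed in-memory directory; filters limited to &, |, equality and presence.
DIRECTORY = [
    {"dn": "cn=alice,dc=example,dc=test", "cn": ["alice"], "objectClass": ["Person"], "userPassword": "alice-pw"},
    {"dn": "cn=bob,dc=example,dc=test", "cn": ["bob"], "objectClass": ["Person"], "userPassword": "bob-pw"},
    {"dn": "cn=svc-sam,dc=example,dc=test", "cn": ["svc-sam"], "objectClass": ["Person"], "userPassword": "svc-pw"},
]

def _parse(f, i):
    """Recursive-descent parse of the filter starting at f[i] == '('."""
    i += 1
    if f[i] in "&|":
        op, i, subs = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1
    end = f.index(")", i)          # an escaped value never contains ')'
    attr, _, val = f[i:end].partition("=")
    return ("=", attr, val), end + 1

def _match(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_match(s, entry) for s in node[1])
    _, attr, val = node
    if val == "*":                 # presence test: matches any entry with the attribute
        return attr in entry
    want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return any(v.lower() == want.lower() for v in entry.get(attr, []))

def search(directory, base_dn, filter_str):
    node, _ = _parse(filter_str, 0)
    return [e for e in directory if e["dn"].endswith(base_dn) and _match(node, e)]

def bind(directory, dn, password):
    """Simple bind: the DN must exist and the password must match."""
    return any(e["dn"] == dn and e["userPassword"] == password for e in directory)

def slow_bind_authenticate(directory, inst, identifier, password, service_password, escape=True):
    """Phase 1: bind as UserDN and locate exactly one user; phase 2: bind as that user."""
    if not bind(directory, inst["UserDN"], service_password):
        return False, "service account bind failed"
    hits = search(directory, inst["BaseDN"], build_filter(inst, identifier, escape))
    if len(hits) != 1:
        return False, f"search returned {len(hits)} entries"
    return bind(directory, hits[0]["dn"], password), hits[0]["dn"]
```

Fast bind is just the second phase on its own: the caller already holds the user DN and calls bind with it. The single-result check matters as much as the escaping; a search that returns two DNs means the identifier is ambiguous in that directory, and binding as "whichever came first" would authenticate the wrong account.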
Using the Encrypt Password Tool (EncryptPassword.exe)

Use the Encrypt Password Tool only when LDAP Authentication is configured for slow bind authentication.
The tool generates an encrypted password from a plaintext password. The encrypted password must be placed inside the <Password> XML node of the configuration file.
The tool must be run from the computer where the SafeNet Authentication Manager Server is installed.
By default, the Encrypt Password Tool (EncryptPassword.exe) is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Authentication
Configuration Example - Slow Bind Authentication

In this scenario, we assume a company works with an LDAP directory that is currently not supported by SafeNet Authentication Manager.
To export users to a database supported by SAM:
1. Export the users from the LDAP directory into a Microsoft SQL Server database, which is supported by SafeNet Authentication Manager. After this process there are two installed databases:
Microsoft SQL Server containing only users
LDAP directory containing both users and passwords
2. Install SAM 8.0 Server or later.
3. Select SQL Server from the list of user databases.
4. Select the LDAPAuthentication.dll in the authentication window.
5. Complete the installation.
Configuring LDAPAuthentication.dll.config

Configure LDAPAuthentication.dll before running any SAM management application.
To configure LDAPAuthentication.dll:
1. Open the LDAPAuthentication.dll.config file, located in the SAM installation folder.
2. Create a configuration, as in the following example of a slow bind configuration:
<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<AuthenticationType>SlowBind</AuthenticationType>
<SlowBind>
<Instance default="true">
<TMSUserIdentifier>AccountName</TMSUserIdentifier>
<Server>10.0.0.99:389</Server>
<BaseDN>dc=organization,dc=com</BaseDN>
<FilterTemplate>(&(cn={0})(objectClass=organizationalPerson))</FilterTemplate>
<UserDN>cn=Administrator,dc=organization,dc=com</UserDN>
<Password> AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafmdDMgQAAAAIAAAAVABNAFMA AAADZgAAqAAAABAAAABAt5/hxHf7tgrMsMX+l+glAAAAAASAAACgAAAAEAAAAP1sMRXQv93p Tj2fj82oTfcQAAAAq06pe9IwfKx4rSVIZiTbaxQAAACms9JMPxfv1/XNsngjP+PQsC/t1w==
</Password>
</Instance>
</SlowBind>
</Configuration>
This configuration file assumes the following:
The LDAP directory is located at 10.0.0.99 port 389
The baseDN is dc=organization,dc=com
The user object in the LDAP directory has the organizationalPerson value in the objectClass attribute
The user object is uniquely identified by the cn attribute
The user that has read permissions in the LDAP directory is cn=Administrator,dc=organization,dc=com
The password of cn=Administrator,dc=organization,dc=com should be retrieved as follows:
Run EncryptPassword.exe
Enter the password in the Plaintext->Password textbox (for example, Pas$word)
Click Encrypt (you should see the encrypted password in the cipher textbox)
Click Copy in order to copy the encrypted password to the clipboard
Paste the encrypted password into the <Password> XML node

Running an LDAP Management Tool

Run any LDAP management tool in order to use the new configuration. Run iisreset before running the management tool.
Chapter 4

Installation and Configuration Checklist

This section provides a checklist of the main tasks required to install, configure, and deploy SafeNet Authentication Manager.
In this chapter:
Step 1: Perform Pre-Installation Tasks
Step 2: Install SafeNet Authentication Manager
Step 3: Configure SafeNet Authentication Manager
Step 1: Perform Pre-Installation Tasks

Perform the following tasks before installing SafeNet Authentication Manager.
1. Check system requirements. Install any prerequisite applications. (See Chapter 2: System Requirements, on page 9.)
2. Deploy user store. (See Chapter 3: User Store Deployment, on page 19.)
Note: If you are using a Standalone user store, this is not required. See Configuring for Standalone User Store on page 94.

Step 2: Install SafeNet Authentication Manager

Perform the following tasks to install SafeNet Authentication Manager.

SafeNet Authentication Client Configuration

Perform the following tasks to install SafeNet Authentication Manager in a SafeNet Authentication Client configuration.
1. Install SafeNet Authentication Client. (See the SafeNet Authentication Client Administrator's Guide.)
2. Install the SafeNet Authentication Manager server component. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure the SafeNet Authentication Manager Server and required connectors. (See Chapter 7: Basic Configuration, on page 85.)
4. Install the SafeNet Authentication Manager Management Tools component. (See Installing the SAM Management Tools on page 57.)
5. Install the SafeNet Authentication Manager Client component. (See Installing SAM Client Using the Installation Wizard on page 60.)

OTP Configuration

Perform the following tasks to install SafeNet Authentication Manager in an OTP configuration.
1. Install the SafeNet Authentication Manager server component, selecting the OTP installation option. (See Installing the SafeNet Authentication Manager Server on page 52.)
2. Configure the SafeNet Authentication Manager Server. (See Chapter 7: Basic Configuration, on page 85.)
3. Install and configure the required OTP plug-ins. (See the eToken OTP Authentication Administrator's Guide.)
4. Configure the RADIUS server. (See Configuring SAM IAS Plug-In on page 345.)
5. Install the SafeNet Authentication Manager Management Tools component. (See Installing the SAM Management Tools on page 57.)
Step 3: Configure SafeNet Authentication Manager

After the SafeNet Authentication Manager server is installed, it must be configured.
1. Run the SafeNet Authentication Manager Configuration Settings Wizard to set the basic configuration. (See Chapter 7: Basic Configuration, on page 85.)
2. Use the SafeNet Authentication Manager Configuration Manager to configure the following (not necessarily in this order): Connectors, Roles and Tasks, Backend Services, License, Web Services, Display, Failover, Schema, Service account, Server Synchronization, HSM support. (See Chapter 10: SAM Configuration Manager, on page 179.)
3. Use the GPO Editor to propagate the SafeNet Authentication Manager Server name. (See Propagating the SAM Server Name on page 66.)
4. Use the TPO Editor to configure the following settings: General, Connectors, Enrollment, Certificate, Recovery, Workflow, Audit, SAM Backend Service, SAM Desktop Agent, MobilePASS, Badging. (See Chapter 9: Token Policy Object Settings, on page 145.)
Chapter 5

Installation

This chapter describes the installation of SafeNet Authentication Manager.
Note:
See Upgrade and Migration on page 73 if SafeNet Authentication Manager or TMS is already installed on the computer.
If a message to restart your computer is displayed, either before or after the installation of SafeNet Authentication Manager, you must restart your computer.
In this chapter:
Installation Components
Installation Steps in an AD Environment
Installing the SafeNet Authentication Manager Server
Installing the SAM Management Tools
Installing SAM Client Using the Installation Wizard
Installing SAM Client Using the Command Line
Un-installation
Propagating the SAM Server Name
Duplicating a SAM Server
Installation Components

Component: SAM Server
File: SAMServer-x32-8.0.msi or SAMServer-x64-8.0.msi
Description: Install SafeNet Authentication Manager on the required server. This must be a member server running IIS on which the SafeNet Authentication Manager web application will be installed. One or more such servers may be installed in the organization.
Note: We recommend running a dedicated SafeNet Authentication Manager (IIS) server.

Component: SAM Management Tools
File: SAMManagement-x32-8.0.msi or SAMManagement-x64-8.0.msi
Description: Install on every workstation from where the administrator will access the TPO editor.

Component: SAM Client
File: SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi
Description: Install on every workstation where the Self Service Center or Management Center are to be used, or on any client where the SafeNet Desktop Agent is to be used.

Component: SAM Schema Modification Scripts
File: SAMSchema-x32-8.0.msi
Description: If the user installing the SafeNet Authentication Manager Server does not have the permissions required for modifying the AD schema, the schema modification scripts must be installed before SafeNet Authentication Manager is configured. The scripts implement changes to the Active Directory (AD) schema required by SafeNet Authentication Manager.

Component: SAM Portals
File: SAMPORTALS-x32-8.0.msi or SAMPORTALS-x64-8.0.msi
Description: The SAM Portals installation files are supplied separately.

Note:
We recommend configuring SafeNet Authentication Manager websites using SSL. See Microsoft documentation for creating an SSL-protected virtual directory in IIS.

Silently Installed Component

ASP.NET AJAX is installed together with SafeNet Authentication Manager. ASP.NET AJAX is a set of technologies to add AJAX (Asynchronous JavaScript And XML) support to ASP.NET. AJAX is a group of interrelated web development techniques used for creating interactive web applications or rich internet applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing webpage.
ADAM is installed when a Standalone user store (an integrated configuration store and user store) is installed, or when an external user store, such as Microsoft SQL Server, OpenLDAP or Novell eDirectory, is used.
Installation Steps in an AD Environment

SafeNet Authentication Manager can be installed in a single or multi domain environment.
Installing in a Single Domain Environment
To install in a single domain environment:
1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
2. Install the SafeNet Authentication Manager server on a member server in your domain. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure the SafeNet Authentication Manager Server. (See Basic Configuration on page 85.)
4. Install Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)
Installing in a Multi Domain Environment
To install in a multi domain environment:
1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the SafeNet Authentication Manager installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
2. Install the SafeNet Authentication Manager server on one member server in one of your domains. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure SafeNet Authentication Manager for every domain in the forest where you want SAM to be used.
4. Install SAM Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)
Installing SAM in a Multi Forest Environment

To install SAM in a multi forest environment:
1. Install the SafeNet Authentication Manager server on one member server in one of your domains in one of the forests. (See Installing the SafeNet Authentication Manager Server on page 52.)
2. Configure SafeNet Authentication Manager (using Remote AD) for every domain in every forest where you want SafeNet Authentication Manager to be used (except the domain where the SafeNet Authentication Manager server is installed).
3. Install SafeNet Authentication Manager Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
4. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)
Installing and Running Schema Modification Scripts

Active Directory (AD) must be modified before it can be used as the SafeNet Authentication Manager Configuration Store.
If the user who installs SafeNet Authentication Manager has AD schema modification permissions, then AD is modified automatically during SafeNet Authentication Manager configuration.
If the user who installs SafeNet Authentication Manager does not have these permissions, the Schema Modification Scripts must be installed and run prior to setting the configuration.
Tip:
Install the schema modification scripts only if the user installing SafeNet Authentication Manager does not have permissions to modify the AD schema.
The scripts are installed using the SafeNet Authentication Manager - Schema Modification Scripts Installation Wizard.

Installing the Schema Modification Scripts

Install the SafeNet Authentication Manager Schema Modification Scripts in the root domain before SafeNet Authentication Manager is configured.
To install the Schema Modification Scripts:
1. Run SAMSchema-x32-8.0.msi. The Welcome to the SafeNet Authentication Manager - Schema Modification Scripts Installation Wizard window opens.
2. Click Next. The License Agreement window opens.
3. Accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
Note:
The default folder is one of the following:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
C:\Program Files\SafeNet\Authentication\SAM\x64\Bin
5. Click Next. The SafeNet Authentication Manager Schema Modification Scripts installation begins. When the installation process is complete, the SafeNet Authentication Manager - Schema Modification Scripts has been successfully installed window opens.
6. Click Finish to exit the installation wizard. The installation process creates the VB script file:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin\schemaInstall.vbs

Running the Schema Modification Scripts

Following the installation of the schema modification script, the script must be run.
Note:
To run the schema modification script, the permissions must allow changes to be made to the schema.
To run the schema modification script:
Run the following command:
Cscript.exe schemaInstall.vbs [domain name] /AD
For example:
Cscript.exe schemaInstall.vbs production.com /AD
Installing the SafeNet Authentication Manager Server

The SafeNet Authentication Manager server must be installed before the other components.
Note:
SafeNet Authentication Client should be installed on the computer where the SafeNet Authentication Manager server is installed. This is not required if SafeNet Authentication Manager is used only for OTP authentication. See SAM Management Tools System Requirements on page 13.
The SafeNet Authentication Manager - Server Installation Wizard and SafeNet Authentication Manager - Configuration Settings Wizard enable you to install SafeNet Authentication Manager Server and create a basic configuration. When the SafeNet Authentication Manager - Server Installation Wizard completes the installation process, it launches the SafeNet Authentication Manager - Configuration Settings Wizard.
To install and configure the SafeNet Authentication Manager Server:
1. Double-click SAMServer-x32-8.0.msi (32-bit) or SAMServer-x64-8.0.msi (64-bit). The SafeNet Authentication Manager Server Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next. The installation process starts. On completion of the installation process, the successfully installed window opens.
6. Click Finish.
Note:
If you ran the installation from the command line, the SafeNet Authentication Manager - Configuration Settings Wizard does not open automatically.
The SafeNet Authentication Manager - Configuration Settings Wizard window opens.
The SAM Configuration Settings Wizard enables you to set up a basic configuration that can be fine-tuned later using the SafeNet Authentication Manager Configuration Manager.
Tip:
We recommend completing the SafeNet Authentication Manager configuration at this time so that you can start working with the application. However, the configuration can be performed later using the SafeNet Authentication Manager Configuration Manager.
7. To continue with the SafeNet Authentication Manager - Configuration Settings Wizard, click Next, or to exit, click Cancel. For a description of the SafeNet Authentication Manager - Configuration Settings Wizard, see the following:
Configuring for Active Directory on page 86
Configuring for Standalone User Store on page 94
Configuring for OpenLDAP, Novell eDirectory or Remote AD on page 102
Configuring for MS SQL Server on page 115
Installing the SAM Management Tools

Install the SAM Management Tools on every workstation where the administrator will need to use the TPO Editor.
To install SAM Management Tools:
1. Double-click SAMManagement-x32-8.0.msi (32-bit) or SAMManagement-x64-8.0.msi (64-bit). The SAM Management Tools Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next. The installation process starts. On completion of the installation process, the successfully installed window opens.
6. Click Finish. SAM Management Tools has been installed.
The SAM Management Tools must be connected to the SAM server. See Propagating the SAM Server Name on page 66.
Installing SAM Client Using the Installation Wizard

Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SAM.
Note:
SafeNet Authentication Manager Server 8.0 supports TMS Client 2.0 and later. However, when the SafeNet Authentication Manager server is updated, we recommend updating SafeNet Authentication Manager Client to the same version to avoid compatibility issues.
To install SafeNet Authentication Manager Client:
1. Double-click SAMClient-x32-8.0.msi (32-bit) or SAMClient-x64-8.0.msi (64-bit). The SafeNet Authentication Manager Client Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next. The Select Installation Type window opens.
6. Select one of the following installation types:
Typical - Includes the SAM Desktop Agent
Complete - Includes the SAM Desktop Agent and the legacy TMS Desktop Agent
Note:
The legacy TMS Desktop Agent is required for installations where previous TMS Client installations are still supported.
7. Click Next. The installation proceeds. On completion of the installation process, the successfully installed window opens.
8. Click Finish. SafeNet Authentication Manager Client has been installed.
Installing SAM Client Using the Command Line

To install, remove or repair SafeNet Authentication Manager Client using the command line, copy the msi file (SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi) to any location on the client computer and use the standard Windows Installer msiexec syntax, as in the following example:
msiexec /i C:\SAMClient-x32-8.0.msi /qn
where:
SAMClient-x32-8.0.msi is the 32-bit SafeNet Authentication Manager Client installation file. For 64-bit, use SAMClient-x64-8.0.msi.
Parameters:
/i = install
/x = remove
/f = repair
/qn = displays no user interface ("silent")
/qb = displays a basic user interface (progress bar)
Un-installation

Perform the following steps to delete SafeNet Authentication Manager from Active Directory and from the server computer.
WARNING!If you want to keep using the SafeNet Authentication Manager Configuration Store, for example, after upgrading or replacing the SafeNet Authentication Manager server, you must back up your SafeNet Authentication Manager Settings file before uninstalling.
Removing SAM Server from the Computer
To remove the SafeNet Authentication Manager server from the computer:
1. Uninstall SafeNet Authentication Manager using the Windows Add/Remove Programs feature.
2. If the SafeNet Authentication Manager Authorization Management store was in the format of an XML file, delete the roles.xml file.
Note:The actual file name is based on the actual domain name.
3. Delete the SAM folder from the SafeNet Authentication Manager installation folder. For example: C:\Program Files\SafeNet\Authentication\
4. In the registry, browse to HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAM and delete the SAM key.
Installation 65
Removing SAM from the Domain

1. Open Active Directory Users & Computers, and select View>Advanced Features.
2. Expand the domain, and delete the SAM_DB container. The SafeNet Authentication Manager database is deleted.
3. Delete SAM. The SAM Authorization Management store is deleted (if the SAM Authorization Management store was located in AD).
4. Delete the following two files:
schema.demo.xml
domain.xml
The files are located in:
C:\Documents and Settings\All Users\Application Data\SafeNet\Authentication
5. In a multi-domain environment, perform step 2, step 3, and step 4 for each domain that is managed by SafeNet Authentication Manager.
Note:
Schema changes are one-way and cannot be deleted. This is determined by the AD architecture.
Propagating the SAM Server Name

The SafeNet Authentication Manager Server name should be known to all domain users. This can be done using the Administrative Templates (ADM) file. This file allows the users to handle the registry keys of the entire domain.
SafeNet Authentication Manager provides the ADM file to propagate the SAM Server name to all the domain users.
To propagate the SafeNet Authentication Manager Server name:
1. In the Windows Control Panel, select Administrative Tools>Active Directory Users and Computers. The Active Directory Users and Computers window opens.
2. In the navigation pane, right-click the domain and select Properties from the drop-down menu. The Properties window opens.
3. Select the Group Policy tab.
4. Click Edit. The GPO Editor opens.
5. Right-click Administrative Templates in the navigation pane and click Add/Remove Templates... The Add/Remove Templates window opens.
6. Click Add and navigate to the folder in which the SafeNet Authentication Manager (adm) files are stored. For example: C:\Program Files\SafeNet\Authentication\SAM\x32\Adm\SAM.adm.
7. Click Open. You are returned to the Add/Remove Templates window.
8. Click Close. The SafeNet Authentication Manager Settings folder appears in the Administrative Templates folder.
9. In the GPO Editor, select Computer Configuration>Administrative Templates>Token Management System Settings. The Token Management System Settings window opens. The right pane of the SAM Settings window displays all the server settings.
10. To change a setting, right-click the setting icon, select Properties, and make the required changes as follows:
Settings Description
Default SAM server The URL of the default server in the organization. The URL uses the following syntax: http://computername where computername is the computer where IIS and SAM Server are located.
TPO server The URL of the server running the TPO editor web service. Use this setting only if it differs from the default SAM server.
Desktop Agent server The URL of the server running the SAM Desktop Agent web service. Use this setting only if it differs from the default SAM server.
HelpDesk server The URL of the server running the SAM Management Center. Use this setting only if it differs from the default SAM server.
70 SafeNet Authentication Manager Administrator’s Guide
Note:The settings are updated during the next group policy update. To run a group policy update immediately, run the following command: gpupdate /force
Duplicating a SAM Server
To duplicate a SafeNet Authentication Manager Server:
1. Install a new SafeNet Authentication Manager Server.2. Export the SafeNet Authentication Manager Settings File from the
original SafeNet Authentication Manager Server to the duplicate SAM Server.
Notes:The SAM Service Account must have the same password on all computers.We recommend restarting IIS to ensure that un‐required cached data is removed.After completing the configuration, it might be necessary to wait a short time before logging on to the SAM Management Center or SAM Policy Management.
Proxy server The address/port of the proxy server in the format proxy: port. If port is omitted, the default port will be used (80). If empty, no proxy, ignore all other parameters. If set to <CURRENT_USER>, the settings will be taken from Internet Explorer.
Proxy user Proxy username if required
Proxy Password Proxy password if required
Settings (Continued) Description (Continued)
Installation 71
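The following PowerShell script is an added example for the server settings table in Propagating the SAM Server Name above; it is not part of the SafeNet guide or product. It checks the values an administrator is about to enter in the SAM.adm settings, applying the rules from the table: the server entries must be absolute URLs of the form http://computername, the proxy entry is proxy:port with port 80 as the default, an empty proxy entry disables the proxy, and <CURRENT_USER> takes the proxy from the current user's Internet Explorer settings. The function names, the loopback check and the sample values are this example's own assumptions.

```powershell
# Added example (not from the SAM guide or product). Checks the values to be
# entered in the SAM.adm group policy settings against the rules in the
# settings table. Function names, the loopback check and the sample values
# are assumptions of this example.

function Resolve-SamProxySetting {
    # Rules from the Proxy server row: empty = no proxy (other proxy settings
    # ignored); <CURRENT_USER> = take the proxy from Internet Explorer;
    # otherwise proxy:port, with port 80 when the port is omitted.
    param([AllowEmptyString()][string]$Value = '')

    $v = $Value.Trim()
    if ($v -eq '') {
        return [pscustomobject]@{ Mode = 'None'; Host = $null; Port = $null }
    }
    if ($v -eq '<CURRENT_USER>') {
        # Standard per-user registry location of the Internet Explorer proxy settings.
        $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
        if (-not $ie -or $ie.ProxyEnable -ne 1 -or -not $ie.ProxyServer) {
            return [pscustomobject]@{ Mode = 'None'; Host = $null; Port = $null }
        }
        $server = [string]$ie.ProxyServer
        # IE may store per-protocol entries ("http=proxy:8080;https=..."): use the http one.
        if ($server -match '(?:^|;)http=([^;]+)') { $server = $Matches[1] }
        return Resolve-SamProxySetting -Value $server
    }
    $hostPart, $portPart = $v -split ':', 2
    if ($hostPart -eq '') { throw "proxy setting '$Value' has no host" }
    $port = 80
    if ($portPart) {
        if ($portPart -notmatch '^\d{1,5}$' -or [int]$portPart -lt 1 -or [int]$portPart -gt 65535) {
            throw "proxy setting '$Value' has an invalid port"
        }
        $port = [int]$portPart
    }
    return [pscustomobject]@{ Mode = 'Explicit'; Host = $hostPart; Port = $port }
}

function Test-SamServerUrl {
    # Syntax from the table: http://computername, where computername runs IIS
    # and SAM Server. Returns one result row.
    param([Parameter(Mandatory)][string]$Name, [AllowEmptyString()][string]$Value = '')

    $row = [ordered]@{ Setting = $Name; Value = $Value; Status = 'OK'; Message = '' }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) {
        $row.Status = 'Error'; $row.Message = 'not an absolute URL'
    } elseif ($uri.Scheme -ne 'http') {
        $row.Status = 'Warning'; $row.Message = "scheme '$($uri.Scheme)' is not the documented http://computername form"
    } elseif ($uri.AbsolutePath -ne '/') {
        $row.Status = 'Error'; $row.Message = 'the URL must name only the server, without a path'
    } elseif ($uri.Host -in 'localhost', '127.0.0.1', '[::1]') {
        # The policy reaches every client, so a loopback name points each client at itself.
        $row.Status = 'Error'; $row.Message = 'loopback host is wrong for a domain-wide setting'
    } else {
        $row.Message = "server $($uri.Host)"
    }
    return [pscustomobject]$row
}

function Test-SamPolicySettings {
    # Checks a hashtable keyed by the setting names in the table. The TPO, Desktop
    # Agent and HelpDesk entries are optional overrides of the default server.
    param([Parameter(Mandatory)][hashtable]$Settings)

    $rows = @()
    $rows += Test-SamServerUrl -Name 'Default SAM server' -Value ([string]$Settings['Default SAM server'])
    foreach ($name in 'TPO server', 'Desktop Agent server', 'HelpDesk server') {
        $value = [string]$Settings[$name]
        if ($value.Trim() -ne '') { $rows += Test-SamServerUrl -Name $name -Value $value }
    }
    $proxyValue = [string]$Settings['Proxy server']
    try {
        $proxy = Resolve-SamProxySetting -Value $proxyValue
        $message = if ($proxy.Mode -eq 'None') { 'no proxy; proxy user and password are ignored' } else { "proxy $($proxy.Host):$($proxy.Port)" }
        $rows += [pscustomobject]@{ Setting = 'Proxy server'; Value = $proxyValue; Status = 'OK'; Message = $message }
    } catch {
        $rows += [pscustomobject]@{ Setting = 'Proxy server'; Value = $proxyValue; Status = 'Error'; Message = $_.Exception.Message }
    }
    return $rows
}

# Constructed sample values (not from the guide): the entries planned for the GPO.
$planned = @{
    'Default SAM server'   = 'http://sam01'
    'TPO server'           = ''
    'Desktop Agent server' = 'http://localhost'
    'HelpDesk server'      = 'http://sam02/SAMManagementCenter'
    'Proxy server'         = 'proxy.corp.example'
    'Proxy user'           = 'sam-proxy'
}
Test-SamPolicySettings -Settings $planned | Format-Table -AutoSize
```

Run it on the administrative workstation before editing the GPO; once the policy has been edited, clients pick up the values at the next group policy refresh or after gpupdate /force, as the Note above says. The proxy user and password fields are distributed by Group Policy like the other settings, so a dedicated, low-privilege proxy account is preferable to a personal one.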
Licensing a Duplicate Server
The original SafeNet Authentication Manager Server functions as the licensing server. Each additional server uses the same licensing pool. See Licensing on page 293.
Chapter 6
Upgrade and Migration
WARNING!We strongly recommend that you perform a backup of all SAM data before upgrading to SafeNet Authentication Manager 8.0.
In this section:
Upgrading to SAM 8.0 Server
Upgrading to SAM 8.0 Client
Upgrading to SAM 8.0 Management Tools
Migrating from TMS 2.0 in an OpenLDAP Environment
Migrating from TMS 2.0 with a Shadow Domain
Migrating from SafeWord to SafeNet Authentication Manager 8.0
Upgrading to SAM 8.0 Server
SafeNet Authentication Manager 8.0 supports upgrade from TMS 2.0 SP4 Server. SafeNet Authentication Manager 8.0 Server must be installed on a different computer from the TMS version being upgraded, or alternatively, the previous version must be uninstalled first (TMS data is not removed when TMS 2.0 is uninstalled). After SafeNet Authentication Manager 8.0 Server is installed, run the configuration wizard and connect to the existing TMS User Store and Configuration Store.
WARNING!We strongly recommend that you perform a backup of all TMS data before upgrading to SafeNet Authentication Manager 8.0.
We strongly recommend installing SafeNet Authentication Manager 8.0 on a different computer to the existing installation of TMS.
To upgrade from TMS to SafeNet Authentication Manager 8.0:
1. Do one of the following:
If the roles are stored in an XML file, copy the XML file to a shared folder on the network or to the computer where SafeNet Authentication Manager 8.0 is to be installed.
If ADAM is used as the configuration store, replicate it on the new SafeNet Authentication Manager 8.0 Server computer.
2. Install SafeNet Authentication Manager 8.0 on a different computer to the existing installation of TMS 2.0.
3. Configure SafeNet Authentication Manager 8.0 to connect it to the same configuration and user stores used by TMS 2.0.
Note:When running the SAM Configuration Settings Wizard for the first time after installing SafeNet Authentication Manager 8.0, you will be prompted to import the TMS Settings File if it is not present on the SafeNet Authentication Manager 8.0 computer. See Importing the SAM Settings File on page 183.
4. To obtain all required SafeNet Authentication Manager 8.0 features, re‐configure SafeNet Authentication Manager 8.0 as required, and if relevant, re‐configure the OTP plug‐ins. (See eToken OTP Authentication Administrator’s Guide.)
Note: You may need to upgrade your SafeNet Authentication Manager license to support all features in SafeNet Authentication Manager 8.0. To ensure that your license is valid, see Viewing Licenses on page 295. To add a license, see Applying a License on page 296.
Upgrading to SAM 8.0 Client
To upgrade TMS Client 2.0 or 5.0 to SAM 8.0 Client:
Install SafeNet Authentication Manager 8.0 Client on the client computer. See Installing SAM Client Using the Installation Wizard on page 60 or Installing SAM Client Using the Command Line on page 63. TMS Client version 2.0 or 5.0 is upgraded automatically.
Upgrading to SAM 8.0 Management Tools
To upgrade TMS Management Tools version 2.0 or 5.0 to SAM 8.0 Management Tools:
Install SAM 8.0 Management Tools. See Installing the SAM Management Tools on page 57. TMS Management Tools version 2.0 or 5.0 is upgraded automatically.
Migrating from TMS 2.0 in an OpenLDAP Environment
When migrating from TMS 2.0 to SafeNet Authentication Manager 8.0 in an OpenLDAP environment, do not reuse the original instance name. The instance name must be taken from the SafeNet Authentication Manager database, for example dc_my‐domain_dc_com.
Migrating from TMS 2.0 with a Shadow Domain
If your installation of TMS 2.0 uses a shadow domain, it must be migrated to AD or ADAM in SafeNet Authentication Manager 8.0.
Tip:We recommend contacting SafeNet Support before performing this procedure. For contact information, see Support on page iii.
Migrating from SafeWord to SafeNet Authentication Manager 8.0
Migration of data from SafeWord to SAM is performed in two stages:
1. Export a file of encrypted data from the SafeWord database.
2. Import the SafeWord data file into SAM.
Notes: Before starting the migration process, ensure that the order for entering the OTP and the PIN is the same for both SAM and SafeWord. This setting is determined in SAM by configuring the following TPO: OTP and OTP PIN / Windows password order. (See TMS OTP Authentication Connector on page 286.)
During the migration from SafeWord, all lower‐case letters in user passwords are converted to upper‐case letters. Instruct your users to enter letters in their password in upper‐case only.
Exporting Data from the SafeWord Database
When the SafeWord database is Active Directory, the exported data includes only token data. When the SafeWord database is not Active Directory (for example, MySQL), the exported data includes both user and token data. Use the Export SafeWord Database Tool (ExportSafewordDatabase.exe) to export data from SafeWord. The tool is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
To run the Export SafeWord Database Tool, the following must be installed:
JRE 1.5 or later
MySQL
To export data from the SafeWord database:
1. Copy the ExportSafewordDatabase.exe file to SafeWord/JRE/BIN, and run the application. The Export SafeWord Database window opens.
2. Enter the fields as follows:
Field Description
Server name The name of the SafeWord server
Port number The port number of the SafeWord server
User name SafeWord Administrator username
User Password SafeWord Administrator password
File encrypted password Enter a password for the encrypted file
Confirm password Confirm the password for the encrypted file
3. Click Export Database. The export process proceeds.
When the process is complete, the SafeWord database exported successfully window opens.
4. Click OK. The location of the exported file is displayed in the Export database status field.
5. Click Close to complete the process.
Importing SafeWord Data into SAM
The file containing the data exported from SafeWord (ExportedEncDB.ldif) must now be imported into SAM using the SAM SafeWord Migration Tool (SAMSafewordMigrationWizard.exe). The tool is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
To import SafeWord data into SafeNet Authentication Manager:
1. Place the exported SafeWord data file (ExportedEncDB.ldif) on the computer running the SAM Server, and run SAMSafewordMigrationWizard.exe. The SAM SafeWord Migration Tool opens.
2. Click Next.
The Migration Sources window opens.
3. Select Full Migration and browse to the exported SafeWord database file (ExportedEncDB.ldif).
4. In the File encrypted password field, enter the password of the SafeWord database file.
Note:The partial migration option is used when some of the tokens did not export from SafeWord. In this case, a SafeWord‐SAM Migration Report is created. To perform a partial migration, select Partial Migration and browse to the report file.
5. Click Next.
If the SafeWord data includes added attributes (relevant only in a non‐AD environment) the SafeWord Personalization Data window opens, displaying the added SafeWord attributes.
6. In the drop‐down box next to each SafeWord attribute, select the equivalent SAM attribute.
7. Click Next. The Override Flags window opens.
8. Determine the required override policy by selecting one of the following options:
Never override the existing object
Always override the existing object
Override the existing object with a newer one
9. Click Next.
The Report File window opens.
10. Browse to the appropriate location for saving the report file. The report file stores the SafeWord data that was not migrated successfully. It can later be used to migrate that data by selecting Partial Migration in the Migration Sources window (see the note following step 4 on page 81).
11. Click Next. The Begin Migration window opens.
12. Click Next. The migration proceeds. When the migration is complete, the Migration Completed window opens.
If the migration fails, an appropriate message is displayed in the Migration Completed window.
13. Click Finish to exit the migration wizard.
Chapter 7
Basic Configuration
The SafeNet Authentication Manager Configuration Settings Wizard enables you to create the basic SafeNet Authentication Manager configuration. The configuration steps vary according to the user store being used. After using the wizard to set up the basic configuration, you can make additional changes using the SAM Configuration Manager (page 179) and SAM Policy Management (page 121).
In this section:
Configuring for Active Directory
Configuring for Standalone User Store
Configuring for OpenLDAP, Novell eDirectory or Remote AD
Configuring for MS SQL Server
Configuring for Active Directory
To configure SafeNet Authentication Manager for AD:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager opens.
b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration...
The SafeNet Authentication Manager ‐ Configuration Settings Wizard window opens.
2. Click Next to start the configuration. The SAM User Store Configuration window opens.
3. Select External user store.
The User Store window opens.
4. Select Microsoft Active Directory. The user store is the Microsoft Active Directory of the production domain. The Microsoft Active Directory Domain window opens.
5. Enter the domain where the tokens will be managed, and click Next.
The Data Storage window opens.
6. Select one of the following as the SafeNet Authentication Manager Configuration Store, and click Next:
Microsoft Active DirectoryADAM
The Service Account window opens.
7. In the Username field, enter the Windows user account to be used for managing SAM operations.
Note:It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors.See User Permissions on page 309.
8. In the Password and Confirm Password fields, enter the password for the account, and click Next. The Configuration Store Security window opens.
As in the standalone and OpenLDAP procedures later in this chapter, select Generate and store security keys in the SafeNet HSM to store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Module (HSM), or leave it cleared to store the keys on the server, and click Next. The Configuration Type window opens.
9. Select one of the following and click Next:
Complete configuration - Select to continue with the basic setup.
Simplified OTP-only configuration - Select to create a typical configuration for managing OTP tokens only.
The Configuration Details window opens.
Simplified OTP-Only Installation
If you selected Simplified OTP-only configuration, SafeNet Authentication Manager is automatically configured with a typical OTP configuration that provides a working SafeNet Authentication Manager OTP solution. The simplified OTP-only configuration is as follows:
Connectors - The SAM OTP Authentication Connector is installed.
SAM Backend Service - Activated on this server, scheduled to run every 24 hours.
Attendance reports - Not used (not relevant for OTP tokens).
In addition, the SAM default policy is set as follows:
Load OTP support (required for OTP) is selected in the token initialization settings.
The SAM OTP Authentication Connector is set by default to enable enrolment of OTP tokens without requiring changes to the TPO settings.
10. To confirm the configuration details, click Next. The installation proceeds.
11. When the installation has finished, click Next. The Configuration Completed window opens.
12. To configure additional SAM settings, open SAM Policy Management. See Token Policy Object Links on page 121.
Configuring for Standalone User Store
When configuring SafeNet Authentication Manager for an internal store, an ADAM directory is used for both the user store and the configuration store. If ADAM is not installed on the computer, it is installed during the configuration process.
To configure SafeNet Authentication Manager for Standalone user store:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager opens.
b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration...
The SAM Configuration Settings Wizard window opens.
2. To start the configuration, click Next. The User Store Configuration window opens.
3. Select Standalone user store.
The Instance Type window opens.
4. Select one of the following:
Create a new database instance on this server
Create a replica of an existing database instance - Select this when installing secondary SAM Servers. To use this option you must previously have created an XML file of import settings using the SAM Configuration Management Tool.
5. If you selected Create a new database instance on this server, go to step 7. If you selected Create a replica of an existing database instance, the Settings File window opens.
6. Click Browse to select the file containing the import settings (typically SAMSettingsExport.xml), enter the password in the File Password field, and click Next. The Service Account window opens.
7. In the Username field, enter the Windows user account to be used for managing SafeNet Authentication Manager operations.
Note:It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors. See User Permissions on page 309.
8. In the Password and Confirm Password fields enter the password for the account and click Next.
Note:SafeNet Authentication Manager does not support a password length of zero, even if the computer’s local policy is configured to accept a minimum password length of zero.
The Authorization Manager Account window opens.
9. In the Username field, enter a name for the user account.
10. In the Password and Confirm Password fields, enter the password for the account and click Next. The Configuration Store Security window opens.
11. Do one of the following:
To store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Module (HSM), select Generate and store security keys in the SafeNet HSM and click Next.
To store the SafeNet Authentication Manager security keys on the server, click Next without selecting Generate and store security keys in the SafeNet HSM.
The Configuration Type window opens.
12. Select one of the following and click Next:
Complete configuration - Select to continue with the basic setup of Connectors, Role Management, SAM Backend Service scheduling and Attendance Reports.
Simplified OTP-only configuration - Select to create a typical configuration for OTP. See Simplified OTP-Only Installation on page 91.
The Configuration Details window opens.
13. To confirm the configuration details, click Next. The installation proceeds.
14. When the installation has finished, click Next. The Configuration Completed window opens.
Configuring for OpenLDAP, Novell eDirectory or Remote AD
To configure SafeNet Authentication Manager for OpenLDAP, Novell eDirectory or Remote AD:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager window opens.
b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration.
The SAM Configuration Settings Wizard window opens.
2. To start the configuration, click Next. The User Store Configuration window opens.
3. Select External user store and click Next.
The User Store window opens.
4. Select OpenLDAP Production Domain, Novell eDirectory or Microsoft Remote Active Directory Domain. The OpenLDAP Directory, Novell eDirectory or Microsoft Remote Active Directory window opens. (The windows are identical except for the title.)
5. Click Browse next to the Select Directory field. The Select OpenLDAP, Novell eDirectory or Remote AD Server window opens. (The windows are identical except for the title.)
6. Enter the fields as follows:
Field Description
Server Enter the IP address of the directory server.
Port Enter the directory server port. This is determined when the directory is configured.
Naming Context Click Browse and select the required naming context.
Simple Binding, using an anonymous user Select this option to connect to the directory server without a user and password. This is possible only if anonymous binding is enabled on the directory server.
Simple Binding, using the following user Select this option to connect to the directory server using a User DN and Password. Enter the User DN and Password in the appropriate fields.
Use a secure connection If the directory server is configured to run in a secure mode, select this option to encrypt the data transferred.
7. Click OK. You are returned to the OpenLDAP Directory/Novell eDirectory/Microsoft Remote Active Directory window.
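Before entering these values in the wizard, the bind can be tried from the SAM server with the following PowerShell function. This is an added example, not code from the SafeNet guide or product, and the function name, parameter names and sample values are this example's own. It reproduces the choices in the table above: an anonymous simple bind, or a simple bind with a User DN and Password, optionally over an SSL connection, and then reads the server's naming contexts, which are the values the Naming Context browser will offer. A simple bind sends the DN and password in clear text unless the connection is secured, so the function warns in that case.

```powershell
# Added example (not from the SAM guide or product). Tries the bind the SAM
# Configuration Settings Wizard will perform for an OpenLDAP, eDirectory or
# remote AD user store and lists the naming contexts the server offers.
# Function name, parameter names and the sample values are assumptions of
# this example.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SamDirectoryBind {
    param(
        [Parameter(Mandatory)][string]$Server,   # "Server" field: IP address or name
        [int]$Port = 389,                        # "Port" field
        [string]$UserDn = '',                    # empty = Simple Binding, using an anonymous user
        [string]$Password = '',
        [switch]$SecureConnection                # "Use a secure connection" (LDAP over SSL)
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3

    if ($SecureConnection) {
        $conn.SessionOptions.SecureSocketLayer = $true
    } elseif ($UserDn -ne '') {
        # A simple bind carries the DN and password in clear text on the wire.
        Write-Warning 'Simple bind without a secure connection sends the password in clear text'
    }

    $result = [ordered]@{
        Server = "${Server}:$Port"; Mechanism = $null; Bound = $false
        NamingContexts = @(); Error = $null
    }
    try {
        if ($UserDn -ne '') {
            $result.Mechanism = "simple bind as $UserDn"
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $credential = New-Object System.Net.NetworkCredential($UserDn, $Password)
            $conn.Bind($credential)
        } else {
            $result.Mechanism = 'anonymous simple bind'
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
            $conn.Bind()
        }
        $result.Bound = $true

        # RootDSE query: empty base DN, base scope, only the namingContexts attribute.
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('namingContexts'))
        $response = $conn.SendRequest($request)
        if ($response.Entries.Count -gt 0 -and $response.Entries[0].Attributes.Contains('namingContexts')) {
            $result.NamingContexts = [string[]]$response.Entries[0].Attributes['namingContexts'].GetValues([string])
        }
    } catch {
        # LdapException carries the server's result code; other exceptions (for
        # example a rejected server certificate) are reported with their message only.
        $result.Error = $_.Exception.Message
        if ($_.Exception -is [System.DirectoryServices.Protocols.LdapException]) {
            $result.Error += " (LDAP error code $($_.Exception.ErrorCode))"
        }
    } finally {
        $conn.Dispose()
    }
    return [pscustomobject]$result
}

# Constructed sample values (not from the guide): what you intend to type into the
# Select OpenLDAP, Novell eDirectory or Remote AD Server window. The password is
# read at the prompt rather than placed in the script.
Test-SamDirectoryBind -Server '10.0.0.25' -Port 636 -SecureConnection `
    -UserDn 'cn=sam-service,dc=my-domain,dc=com' -Password (Read-Host 'Bind password')
```

When Use a secure connection is selected, enter the directory's LDAP-over-SSL port (commonly 636) rather than the plain LDAP port, and expect the bind to fail if the server certificate is not trusted by the SAM server; fixing that before running the wizard saves a failed Validate step later. The naming contexts returned are the candidates for the Naming Context field.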
8. In the Instance name field, enter an instance name and click Validate. Define an instance name that is unique for each SafeNet Authentication Manager configuration on the same SAM server. The connection to the directory is validated.
9. You can change the schema configuration if the default attributes are not suitable for your requirements. To make changes to the default schema, click Edit Default Schema. The Edit User Repository Schema window opens.
WARNING!Changing the schema can cause SafeNet Authentication Manager to behave unpredictably. We recommend against changing the default schema configuration unless it is absolutely necessary.
10. Make the required changes to the schema and click Close.
11. Click Next.
The Authentication Plug‐In window opens.
Note:The Authentication plug‐in file is required to enable the user to log on to the SAM Management Center, the SAM Self‐Service Center and TPO. This is because Active Directory is not available to provide the mechanism for authenticating user name and password.See Preparing LDAP Authentication Dll on page 29.
12. Click Browse and navigate to the authentication dll file (LDAPAuthentication.dll) and click Open.
Notes: Remote AD uses the same authentication dll as OpenLDAP. The authentication dll file is typically located at: C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin
You are returned to the Authentication Plug-In window.
13. Click Next.
The ADAM Instance window opens.
14. To create a new ADAM instance, select SafeNet Authentication Manager creates a new ADAM instance on the local computer.
15. To use an existing ADAM instance, select SafeNet Authentication Manager uses an existing ADAM instance, enter the name of the server where ADAM is located in the ADAM server field, and enter the ADAM port number in the ADAM service port number field.
16. Click Next. The SAM Services Account window opens.
17. In the Username field, enter the Windows user account to be used for managing SafeNet Authentication Manager operations.
Note:It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors.
18. In the Password and Confirm Password fields, enter the password for the account and click Next. The Authorization Manager Account window opens.
19. In the Username field, enter a user who is authorized to manage SafeNet Authentication Manager, and click Next.
If you click the Browse button next to the Username field, the Select User or Group window opens. In that case:
a. Enter a user name in the Enter the object name to select field and click Check Names.
b. If more than one match is found for the entered name, a list of matching names is displayed. Select the required name and click OK. The selected user is displayed in the Enter the object name to select field.
c. Click OK. The selected user is displayed in the Username field of the Authorization Manager Account window.
d. Click Next.
The Configuration Store Security window opens.
20. Do one of the following:
To store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Module (HSM), select Generate and store security keys in the SafeNet HSM and click Next.
To store the SafeNet Authentication Manager security keys on the server, click Next without selecting Generate and store security keys in the SafeNet HSM.
The Configuration Type window opens.
21. Select one of the following and click Next:
Complete configuration - Select to continue with the basic setup of Connectors, Role Management, SAM Backend Service scheduling and Attendance Reports.
Simplified OTP-only configuration - Select to create a typical configuration for OTP. See Simplified OTP-Only Installation on page 91.
22. Click Next. The Configuration Details window opens.
23. To confirm the configuration details, click Next. The installation proceeds.
24. When the installation has finished, click Next. The Configuration Completed window opens.
Configuring for MS SQL Server
To configure SafeNet Authentication Manager for MS SQL Server:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager window opens.
b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration.
The SafeNet Authentication Manager ‐ Configuration Settings Wizard window opens.
2. To start the configuration, click Next. The User Store Configuration window opens.
3. Select External user store and click Next.
The Production Type window opens.
4. Select Microsoft SQL and click Next. The Microsoft SQL window opens. You can connect to the SQL Server by selecting the SQL Server name or, alternatively, through an ODBC connection.
Tip:For information about creating an ODBC connection, refer to Microsoft documentation.
5. To connect to the SQL Server, select SQL Server and click Browse.The SQL Server window opens.
6. In the Select server name field, select the required server from the list.
7. Select one of the following:
Use Windows Authentication
Use SQL Server Authentication (if selected, enter the user name and password)
8. In the Select a database name field, select the required database from the list and click OK. You are returned to the Microsoft SQL window.
9. In the Microsoft SQL window, click Validate. The system validates the connection and returns the instance name.
10. Click Next. The Authentication Plug-in window opens.
To connect through ODBC:
1. Select ODBC and click Browse. The Select ODBC Data Source window opens.
2. Select the required ODBC data source and click OK. You are returned to the Microsoft SQL window.
11. Click Browse, navigate to the authentication dll file (SQLAuthentication.dll), and click Open. The remaining steps are the same as those described for the OpenLDAP configuration.
12. Continue from step 13 of the OpenLDAP procedure on page 109.
Chapter 8
Token Policy Object Links
TPO settings determine the SafeNet Authentication Manager behavior for users in specific organizational units.
In this section:
Accessing Token Policy Object Links
Creating a New TPO Link
Adding a TPO Link
Deleting a TPO Link
Specifying the Scope of a TPO Link
Importing and Exporting Token Policy Objects
Accessing Token Policy Object LinksDepending on the type of SafeNet Authentication Manager user store, the TPO settings are managed using the Active Directory Users and Computers administrative tool, or through SAM Policy Management.
Accessing TPO Links in an AD Environment
If you are using Microsoft AD as your external user store, the SafeNet Authentication Manager policy settings are accessed using the Active Directory Users and Computers administrative tool.
Note:To access the TPO Editor, you must have the necessary permissions to the SafeNet Authentication Manager Authorization Management Store.
To access a TPO Link in an AD Environment:
1. Select Start>Programs>Administrative Tools>Active Directory Users and Computers. The Active Directory Users and Computers window opens.
2. In the navigation pane, right-click the domain or organizational unit associated with the TPO, or to which you want to assign the TPO, and select Properties from the drop-down menu. The Properties window opens.
3. Select the Token Policy tab, and click Open.
The Current Token Policy Object Links window opens.
4. For available options:
See Creating a New TPO Link on page 130
See Adding a TPO Link on page 132
See Deleting a TPO Link on page 133
See Specifying the Scope of a TPO Link on page 133
See Using the Token Policy Object Editor to Edit TPOs on page 146
Accessing TPO Links in a Non-AD Environment
If you are using MS SQL Server, OpenLDAP, Novell eDirectory or Remote AD as your external user store, or are using a standalone user store, the SafeNet Authentication Manager policy settings are accessed using SafeNet Authentication Manager - Policy Manager.
To open SafeNet Authentication Manager - Policy Manager in a non-AD environment:
1. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Policy Management. The SafeNet Authentication Manager - Policy Manager window opens.
2. Right‐click the SAM Policy Manager node, and select Connect to Instance.
3. If prompted, enter the name of your SafeNet Authentication Manager Server, and click OK. The Policy Manager displays the domain and its organizational units (OUs).
4. Right-click the root or organizational unit associated with the TPO, or to which you want to assign the TPO, and select Properties from the drop-down menu. The Current Token Policy Object Links window opens.
5. For available options:
See Creating a New TPO Link on page 130
See Adding a TPO Link on page 132
See Deleting a TPO Link on page 133
See Specifying the Scope of a TPO Link on page 133
See Using the Token Policy Object Editor to Edit TPOs on page 146
Accessing TPO Links in a Standalone User Store Environment
If you are using a standalone user store, the SafeNet Authentication Manager policy settings are accessed using SafeNet Authentication Manager - Policy Manager.
To open SAM Policy Management in a standalone user store environment:
1. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Policy Management.
2. Select Action>Connect to instance.SafeNet Authentication Manager ‐ Policy Manager connects to the SafeNet Authentication Manager Server, and the Authentication window opens.
3. Enter the SafeNet Authentication Manager administrator username and password, and click OK.
The instance is displayed.
4. Right‐click the root or organizational unit associated with the TPO, or to which you want to assign the TPO.
5. Select Properties from the dropdown menu.
The Current Token Policy Object Links window opens.
6. For available options:
See Creating a New TPO Link on page 130
See Adding a TPO Link on page 132
See Deleting a TPO Link on page 133
See Specifying the Scope of a TPO Link on page 133
See Using the Token Policy Object Editor to Edit TPOs on page 146
Creating a New TPO Link
When you create a new TPO link, only its required policies are enabled. These are determined by the type of tokens that are available to the OU's users.
To create a new TPO link:
1. In the Current Token Policy Object Links window, click New (see Accessing Token Policy Object Links on page 122). The Token Type Selection window opens.
2. Select the type of token to which the policy will be applied:
All Tokens: (Default) contains all policies
MobilePASS: contains policies relevant to MobilePASS only
SafeNet eToken Virtual Temp: contains policies relevant to SafeNet eToken Virtual Temp only
MobilePASS Messaging: contains policies relevant to MobilePASS Messaging only
Note:By default, the SafeNet Authentication Manager configuration creates a Default policy TPO, linked to the root, that is defined as All Tokens.
A new Token Policy Object link is added to the Token Policy Object Links.
3. Enter a name for the new TPO link, and click OK.
Note: The default name assigned to a new TPO link is determined by the token type to which it applies. We recommend changing the names of new TPO links to meaningful names.
Adding a TPO Link
You can add a link to an existing TPO.
To add a link to an existing TPO:
1. In the Current Token Policy Object Links window, click Add.
The Add TPO Link window opens, displaying the TPOs found in the root or OU.
Note: All TPOs are displayed, regardless of whether they are already linked to a root or OU. You can link the same TPO to multiple roots or OUs.
2. Select the TPO to link to the current OU or root, and click OK.
Deleting a TPO Link
You can delete a link from the OU to an existing TPO, and also delete the TPO from the root or OU.
To delete a TPO link:
1. In the Current Token Policy Object Links window, select the policy to delete, and click Delete.
The Delete window opens.
2. Select one of the following, and click OK.
   Remove the link from the list: deletes the link from the current OU’s TPO. The link remains available in the system.
   Remove the link from the list, and permanently delete the Token Policy Object: deletes the link entirely from the system.
Specifying the Scope of a TPO Link
The following describes the standard TPO behavior:
   Each policy setting applies to all users of the root or OU linked to the TPO.
   If a policy setting is not defined for a child OU, the rule defined for its parent container (OU or root) applies.
You can control the scope of the TPO rules by doing the following:
   Set TPO link No Override and Disabled options. See Setting No Override and Disabled Options on page 136.
   Block policy inheritance. See Blocking Policy Inheritance on page 137.
   Apply TPO links only to certain users and groups. See Applying TPO Links to Limited Users and Groups on page 138.
TPO Inheritance Behavior
You can define unique TPO settings for each container.
Use the No Override setting to force policy inheritance.
Use the Block policy inheritance setting to restrict policy inheritance.
The following tables determine which TPO setting applies to a child container.
Standard TPO Scope
The table shows which setting applies to a child container.

                                Setting defined in parent     Setting not defined in parent
Setting defined in child        Child setting                 Child setting
Setting not defined in child    Parent setting                SafeNet Authentication Manager default

Options > No Override in Parent TPO
The table shows which setting applies to a child container.

                                Setting defined in parent     Setting not defined in parent
Setting defined in child        Parent setting                Child setting
Setting not defined in child    Parent setting                SafeNet Authentication Manager default
Note: Block Policy does not apply if No Override is set in the parent container.
Block Policy Inheritance in Child TPO
The table shows which setting applies to a child container.

                                Setting defined in parent               Setting not defined in parent
Setting defined in child        Child setting                           Child setting
Setting not defined in child    SafeNet Authentication Manager default  SafeNet Authentication Manager default

Options > Disabled in Parent TPO
The table shows which setting applies to a child container.

                                Setting defined in parent               Setting not defined in parent
Setting defined in child        Child setting                           Child setting
Setting not defined in child    SafeNet Authentication Manager default  SafeNet Authentication Manager default

Options > Disabled in Child TPO
The table shows which setting applies to a child container.

                                Setting defined in parent     Setting not defined in parent
Setting defined in child        Parent setting                SafeNet Authentication Manager default
Setting not defined in child    Parent setting                SafeNet Authentication Manager default
Setting No Override and Disabled Options
1. In the Current Token Policy Object Links window, select the appropriate policy, and click Options (see Accessing Token Policy Object Links on page 122).
The policy’s Link Options window opens.
2. Select one of the following, and click OK.
   No Override: Prevents other Token Policy Objects from overriding policy set in this TPO. When this option is selected, child OUs of the current OU cannot override any TPO rules defined in this OU.
   Note: The No Override setting has a higher priority than the Block Policy Inheritance setting. See Blocking Policy Inheritance on page 137.
   Disabled: The Default policy is not applied to this container. When this option is selected, the rules of the TPO link are not applied to the OU or root container. To reestablish the link, clear this checkbox.
Properties > Deny Group or User in Child TPO
The table shows which setting applies to a child container.

                                Setting defined in parent     Setting not defined in parent
Setting defined in child        Parent setting                SafeNet Authentication Manager default
Setting not defined in child    Parent setting                SafeNet Authentication Manager default
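The inheritance tables under TPO Inheritance Behavior, together with the Deny table above, can be checked mechanically. The resolver below is an added example written for this guide, not SafeNet code: the TpoLink class, its flag names and the placeholder string for the SAM default are this example's own, and the order in which it combines flags the guide does not tabulate together (for instance No Override on a Disabled link) is an assumption.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Placeholder for "SafeNet Authentication Manager default" (the real value is per policy).
SAM_DEFAULT = "SafeNet Authentication Manager default"


@dataclass
class TpoLink:
    """One TPO link on a container, as seen from the user being evaluated (hypothetical model)."""
    value: Optional[Any] = None      # None means the setting is not defined in this TPO
    no_override: bool = False        # Options > No Override on the link
    disabled: bool = False           # Options > Disabled on the link
    block_inheritance: bool = False  # Block policy inheritance on the child container
    user_denied: bool = False        # Properties > Apply to = Deny for this user or group


def effective_setting(parent: TpoLink, child: TpoLink, default: Any = SAM_DEFAULT) -> Any:
    """Resolve which setting applies to the child container.

    Rules taken from the guide's tables:
      - a Disabled link, or a Deny entry for the user, behaves as if its settings were undefined;
      - No Override in the parent wins over anything the child defines, and also
        cancels Block policy inheritance in the child;
      - Block policy inheritance stops the child from receiving parent settings;
      - otherwise a child setting beats a parent setting, which beats the SAM default.
    Combinations the guide does not tabulate follow the same order (assumption).
    """
    parent_value = None if (parent.disabled or parent.user_denied) else parent.value
    child_value = None if (child.disabled or child.user_denied) else child.value

    if parent.no_override and parent_value is not None:
        return parent_value
    if child_value is not None:
        return child_value
    if child.block_inheritance and not parent.no_override:
        return default
    if parent_value is not None:
        return parent_value
    return default


def resolution_table(parent_flags: Optional[Dict[str, bool]] = None,
                     child_flags: Optional[Dict[str, bool]] = None) -> Dict[Tuple[bool, bool], Any]:
    """Rebuild one of the guide's 2x2 tables.

    Keys are (setting defined in child, setting defined in parent); values name the
    setting that wins, using the same labels as the guide.
    """
    table = {}
    for child_defined in (True, False):
        for parent_defined in (True, False):
            parent = TpoLink(value="Parent setting" if parent_defined else None,
                             **(parent_flags or {}))
            child = TpoLink(value="Child setting" if child_defined else None,
                            **(child_flags or {}))
            table[(child_defined, parent_defined)] = effective_setting(parent, child)
    return table


def print_table(title: str, table: Dict[Tuple[bool, bool], Any]) -> None:
    """Print one table in the same layout the guide uses."""
    print(title)
    print(f"{'':30}{'Setting defined in parent':40}Setting not defined in parent")
    print(f"{'Setting defined in child':30}{table[(True, True)]:40}{table[(True, False)]}")
    print(f"{'Setting not defined in child':30}{table[(False, True)]:40}{table[(False, False)]}")
    print()


if __name__ == "__main__":
    print_table("Standard TPO scope", resolution_table())
    print_table("No Override in parent TPO", resolution_table(parent_flags={"no_override": True}))
    print_table("Block policy inheritance in child TPO",
                resolution_table(child_flags={"block_inheritance": True}))
    print_table("Disabled in parent TPO", resolution_table(parent_flags={"disabled": True}))
    print_table("Deny group or user in child TPO", resolution_table(child_flags={"user_denied": True}))
```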
Blocking Policy Inheritance
Block policy inheritance is a setting defined by Microsoft for each Organizational Unit. The SafeNet Authentication Manager enrollment process supports this setting.
Select this option to prevent users of the current OU from getting TPO definitions from any parent container.
Note: The No Override setting has a higher priority than the Block Policy Inheritance setting. See Setting No Override and Disabled Options on page 136.
To block policy inheritance:
1. In the Current Token Policy Object Links window, select the appropriate policy, and select Block policy inheritance (see Accessing Token Policy Object Links on page 122).
2. Click OK.
Applying TPO Links to Limited Users and Groups
Each TPO link has a security list that can be used to limit its application to specific users and groups. If the Apply to status of a user or group is set to Deny in the policy’s security list, the effect is the same as disabling the TPO.
Each new TPO link includes a default group, All users group, whose Apply to status is set to Allow.
To manage filters, do one of the following:
   Add the users or groups to which the TPO should not be applied, and set their Apply to status to Deny.
   Remove the group All users group, and add only the users or groups to which the TPO should be applied. Set their Apply to status to Allow.
To filter users and groups:
1. In the Current Token Policy Object Links window, select the appropriate policy, and click Properties (see Accessing Token Policy Object Links on page 122).
The policy’s Properties window opens.
2. Select the Apply to tab.
3. In the User or Group box, select the appropriate user or group, and select one of the following:
   Allow: apply the TPO settings
   Deny: do not apply the TPO settings
4. To remove a user or group from the list, select the user or group, and click Remove.
5. To add a user or group to the list, click Add.
The User or Group window opens.
Enter the user or group to be added to the filter list, and click OK.
The Token Properties window displays the newly added user or group.
6. Select the new user or group, and select Allow or Deny, as required.
7. Click OK.
Importing and Exporting Token Policy Objects
The Token Policy Object import and export feature enables you to duplicate the same settings in multiple installations of SafeNet Authentication Manager.
Also, you may be asked to create an export file when receiving assistance from SafeNet Support.
Exporting Token Policy Objects
1. In the Current Token Policy Object Links window, select the appropriate policy, and click Export (see Accessing Token Policy Object Links on page 122).
The Export Policy window opens.
2. Click Browse and navigate to the folder where you want the exported TPO to be saved.
3. Enter the file name in the File Name field and click Save.
You are returned to the Export Policy window.
4. Enter a password in the File Password field and click OK.
Tip: Remember the password. You will require it when importing the TPO file back into SafeNet Authentication Manager.
A message confirms that the policy was exported successfully.
5. Click OK to close the window.
Importing Token Policy Objects
1. In the Current Token Policy Object Links window, ensure that none of the policies are selected and click Import (see Accessing Token Policy Object Links on page 122).
The Import Policy window opens.
2. Click Browse and navigate to the location of the TPO file to be imported.
3. Select the TPO file to be imported and click Open.
You are returned to the Import Policy window.
4. In the File Password field, enter the password (created when the TPO file was exported) and click OK.
A message confirms that the policy was imported successfully.
5. Click OK to close the window.
The imported TPO is displayed in the Current Token Policy Object Links window.
Chapter 9
Token Policy Object Settings
TPO settings determine how SafeNet Authentication Manager controls and executes token policies.
In this section:
   Using the Token Policy Object Editor to Edit TPOs
   General Settings
   Connector Settings
   Token Settings
   Enrollment Settings
   Recovery Settings
   Audit Settings
   MobilePASS Settings
   Backend Service Settings
   Legacy TMS Desktop Agent Settings
   Badging Settings
Using the Token Policy Object Editor to Edit TPOs
Edit the TPO settings to change the behavior of SafeNet Authentication Manager.
Note: After making changes to TPO settings, restart the browser running the SAM Management Center and SAM Self Service Center to apply the relevant changes.
To edit TPO settings:
1. Open the Current Token Policy Object Links window using the appropriate method.
   See Accessing TPO Links in an AD Environment on page 122.
   See Accessing TPO Links in a Non‐AD Environment on page 125.
   See Accessing TPO Links in a Standalone User Store Environment on page 127.
2. Select the appropriate policy object link, and click Edit.
The Token Policy Object Editor opens.
3. Select the appropriate node in the left pane.
In this example, we select the Mail Configuration TPO settings node to edit.
The Mail Configuration policies are displayed in the right pane.
4. Right‐click the appropriate policy in the right pane, and select Properties from the dropdown menu.
In this example, we select the Mail server name policy to edit.
The Mail server name properties window opens.
The policy Properties window contains the following:
   Navigation controls (Previous and Next)
   Node name (in this example, Mail Configuration)
   Policy’s function (in this example, Mail server name)
   Default setting, applied if the policy is not defined (in this example, localhost)
   Define this policy setting option, which enables the policy
   When appropriate, a field to enter information (in this example, Mail server name or IP address)
5. To enable the policy, select the Define this policy setting option, and enter the server name or IP address in the Mail server name field.
Note: If the selected Organizational Unit (OU) is a child of another OU or root, and a policy is not defined, the child OU inherits the setting defined in the parent OU. To disable the policy setting so that its setting is not inherited from the parent OU, select Define this policy setting, and select Disabled.
6. Do one of the following:
   Select OK to return to the Token Policy Object Editor.
   Select Next or Previous to move to the other policy Properties windows.
The policy setting is displayed in the Token Policy Object Editor.
General Settings
General settings control certain global settings for SafeNet Authentication Manager.

Mail Configuration

Mail server name: Defines the mail server name or address.
   Default: localhost. Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp.
Mail sender: Defines from whom SafeNet Authentication Manager emails are sent. Note: Ensure that the email address is correct. SafeNet Authentication Manager does not check for a valid email address format.
   Default: [email protected]. Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp.
Mail server user account name: Defines the account name with which the user logs on to the mail server.
   Default: Empty (No logon required). Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp.
Mail server user account password: Defines the account password with which the user logs on to the mail server.
   Default: Empty (No logon required). Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp.
SMS Provider Configuration
SafeNet Authentication Manager supports sending an OTP to a user’s mobile phone via SMS. The SMS Provider Configuration provides information about the SMS service provider and account.

SMS Provider Name: URL of the SMS service provider.
   Default: None. Token type: MobilePASS Messaging.
Username: Username required for logging on to the SMS account.
   Default: None. Token type: MobilePASS Messaging.
SMS provider password: Password required for logging on to the SMS account.
   Default: None. Token type: MobilePASS Messaging.
Connector Settings
Connector settings control the connector applications on tokens. See Connector Configuration on page 201.

Token Settings
The token settings control how SafeNet Authentication Manager sets token properties.

Token Initialization

Token name for unassigned tokens: Defines the default token name for tokens not yet assigned.
   Default: My Token. Token type: All devices excluding MobilePASS.
Token name template for assigned tokens: Defines the template used to create names for assigned tokens.
   Default: My Token. Token type: All devices excluding MobilePASS.
Enable token naming in the Self Service Center: Determines if the user can set or change the token name in the Self Service Center.
   Default: User can name the token.
eToken PKI Client 3.65 compatible: Determines if tokens are compatible with eToken PKI Client 3.65.
   Default: Tokens are compatible with eToken PKI Client 3.65. Token type: All devices excluding MobilePASS.
Token Password

One-factor logon: Determines if the Token Password is required during logon. If enabled, users authenticate simply by connecting their tokens. If disabled, they are also required to enter the token password.
   Default: Disabled (Token requires a user password). Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Default Token Password: Defines the default Token Password.
   Default: 1234567890. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.

Password Quality

Proxy mode: Determines if the password policy parameters are read from the host (proxy mode).
   Default: Proxy mode is not used (Password policy parameters are not read from the host). Token type: All devices excluding MobilePASS.
Minimum password length: Defines the minimum length of a Token Password.
   Default: 4 characters. Token type: All devices excluding MobilePASS.
Maximum password usage period: Defines the maximum number of days before a Token Password must be changed.
   Default: 90 days. Token type: All devices excluding MobilePASS.
Minimum password usage period: Defines the minimum number of days before a Token Password can be changed.
   Default: No minimum. Token type: All devices excluding MobilePASS.
Password expiration warning period: Determines when users are warned that their Token Password will expire.
   Default: No warning (User will not be warned before password expires). Token type: All devices excluding MobilePASS.
Password history size: Defines the number of recent Token Passwords saved to the token that cannot be reused.
   Default: 15 passwords. Token type: All devices excluding MobilePASS.
Password must be changed on first logon: Determines if users must change their token password on first logon after initialization.
   Default: Not required. Token type: All devices excluding MobilePASS.
Maximum consecutive character repetitions: Defines the maximum number of times that the same character can be repeated consecutively in a token password.
   Default: 3 characters. Token type: All devices excluding MobilePASS.
At least 3 complexity rules: Determines if token passwords must contain at least three character types. Note: This is not applicable if the “Apply manual complexity” policy is enabled.
   Default: Enabled. Token type: All devices excluding MobilePASS.
Manual Complexity

Apply manual complexity: Determines if the token password must meet manually defined complexity requirements (as opposed to at least 3 complexity rules).
   Default: Disabled. Token type: All devices excluding MobilePASS.
Numerals: Determines if, in token passwords, numerals are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
   Default: Permitted. Token type: All devices excluding MobilePASS.
Upper-case letters: Determines if, in token passwords, upper-case letters are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
   Default: Permitted. Token type: All devices excluding MobilePASS.
Lower-case letters: Determines if, in token passwords, lower-case letters are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
   Default: Permitted. Token type: All devices excluding MobilePASS.
Special characters: Determines if, in token passwords, special characters are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
   Default: Permitted. Token type: All devices excluding MobilePASS.
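The Password Quality and Manual Complexity policies above describe what a Token Password must satisfy; the checker below applies them to a candidate password so an administrator can see how the defaults (and a manual-complexity variant) interact. It is an added example, not SafeNet code; the class and function names are this example's own, "special characters" is assumed to mean anything that is not an ASCII letter or digit (the guide does not enumerate them), and the time-based policies (usage periods, warning period) are left out.

```python
import string
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Choices offered by the Numerals / Upper-case / Lower-case / Special characters policies.
PERMITTED, FORBIDDEN, MANDATORY = "permitted", "forbidden", "mandatory"

NUMERALS, UPPER, LOWER, SPECIAL = ("numerals", "upper-case letters",
                                   "lower-case letters", "special characters")


def character_class(ch: str) -> str:
    """Map one character to the class the manual-complexity policies refer to.
    Assumption: every character that is not an ASCII letter or digit is 'special'."""
    if ch in string.digits:
        return NUMERALS
    if ch in string.ascii_uppercase:
        return UPPER
    if ch in string.ascii_lowercase:
        return LOWER
    return SPECIAL


@dataclass
class PasswordQualityPolicy:
    """Password Quality and Manual Complexity policies, initialised to the guide's defaults."""
    minimum_length: int = 4                    # Minimum password length: 4 characters
    maximum_consecutive_repetitions: int = 3   # Maximum consecutive character repetitions: 3
    history_size: int = 15                     # Password history size: 15 passwords
    at_least_3_complexity_rules: bool = True   # At least 3 complexity rules: Enabled
    apply_manual_complexity: bool = False      # Apply manual complexity: Disabled
    manual_rules: Dict[str, str] = field(      # Each class: Permitted by default
        default_factory=lambda: {NUMERALS: PERMITTED, UPPER: PERMITTED,
                                 LOWER: PERMITTED, SPECIAL: PERMITTED})


def longest_run(text: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    previous = None
    for ch in text:
        run = run + 1 if ch == previous else 1
        best = max(best, run)
        previous = ch
    return best


def check_token_password(candidate: str, policy: PasswordQualityPolicy,
                         history: Sequence[str] = ()) -> List[str]:
    """Return the names of the policies a proposed Token Password violates (empty = acceptable).

    `history` lists earlier Token Passwords oldest first; only the most recent
    `history_size` of them are compared, mirroring the 'Password history size' policy.
    """
    violations = []
    if len(candidate) < policy.minimum_length:
        violations.append("Minimum password length")
    if longest_run(candidate) > policy.maximum_consecutive_repetitions:
        violations.append("Maximum consecutive character repetitions")
    if policy.history_size and candidate in list(history)[-policy.history_size:]:
        violations.append("Password history size")

    present = {character_class(ch) for ch in candidate}
    if policy.apply_manual_complexity:
        # 'At least 3 complexity rules' is not applicable when manual complexity is enabled.
        for cls, rule in policy.manual_rules.items():
            if rule == FORBIDDEN and cls in present:
                violations.append(f"{cls} forbidden")
            elif rule == MANDATORY and cls not in present:
                violations.append(f"{cls} mandatory")
    elif policy.at_least_3_complexity_rules and len(present) < 3:
        violations.append("At least 3 complexity rules")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, checked against the guide's default policy.
    defaults = PasswordQualityPolicy()
    for pw in ("Tok3n!pass", "1234", "aaaa1B!", "ab"):
        print(repr(pw), check_token_password(pw, defaults) or "accepted")
```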
Initialization Parameters

Maximum number of user logon failures: Defines how many consecutive Token Password failures lock the token.
   Default: 15 consecutive times. Token type: All devices excluding MobilePASS.
Maximum number of administrator logon failures: Defines how many consecutive administrator password failures lock the token.
   Default: 15 consecutive times. Token type: All devices excluding MobilePASS.
Manually reserve space for RSA keys: Determines if a non-standard amount of space is reserved on tokens for RSA keys. If enabled, set the amount of space to reserve in the “Amount of space manually reserved for RSA” policy.
   Default: Disabled (Standard space reserved). Token type: All devices excluding MobilePASS.
Manually set number of reserved RSA keys: Defines the amount of space to manually reserve for RSA keys. Note: This setting applies only if the “Manually reserve space for RSA keys” policy is enabled.
   Default: Standard space reserved. Token type: All devices excluding MobilePASS.
FIPS: Determines if tokens are initialized as FIPS compliant.
   Default: Not FIPS compliant. Token type: All devices excluding MobilePASS.
PKCS#11 user PIN initialization: Determines if tokens are initialized with a PKCS#11 user PIN.
   Default: Enabled (PKCS#11 user PIN is initialized). Token type: All devices excluding MobilePASS.
2048-bit RSA key support: Determines if the 2048-bit RSA key is supported.
   Default: Not supported. Token type: All devices excluding MobilePASS.
OTP support: Determines if OTP is supported.
   Default: Not supported. Token type: All devices excluding MobilePASS.

Initialization Key

Use standard initialization key for first-time initializations: Defines whether the standard token initialization key is used for first-time initializations. Note: To use a non-standard initialization key for new tokens, disable this policy and define the initialization key in the “First-time initialization key” policy.
   Default: Use the standard initialization key. Token type: All devices excluding MobilePASS.
First-time initialization key: Defines the non-standard first-time initialization key.
   Default: Standard initialization key. Token type: All devices excluding MobilePASS.
Change initialization key for subsequent initializations: Defines whether a new initialization key is used for subsequent initializations. Note: If this policy is enabled, tokens can be re-initialized only by SAM or by someone knowing the subsequent initialization key. To change the initialization key for tokens already initialized, enable this policy, and define the subsequent initialization key in the “Subsequent initialization key” policy.
   Default: Do not use a different initialization key. Token type: All devices excluding MobilePASS.
Subsequent initialization key: Defines a new initialization key to use for subsequent initializations. Select Define this Policy Setting, then select one of the following:
   Standard: use the standard initialization key
   Random: create a randomly generated initialization key (known only to SAM)
   New initialization key: create a static initialization key
   Note: If this policy is defined, tokens can be initialized only by SAM or by someone knowing the subsequent initialization key. To create a different initialization key for tokens already initialized, you must define the subsequent initialization key in this policy, and enable the "Change subsequent initialization key" policy.
   Default: Standard initialization key. Token type: All devices excluding MobilePASS.
Advanced Settings

Private data caching: Defines when private data is cached. Select Define this Policy Setting, then select one of the following:
   Always
   While user is logged on
   Never
   Default: Always. Token type: All devices excluding MobilePASS.
RSA key secondary authentication: Defines how RSA key secondary authentication is used. Select Define this Policy Setting, then select one of the following:
   Never
   Always prompt user
   Prompt on application request
   Always
   Default: Never. Token type: All devices excluding MobilePASS.
Enrollment Settings
Enrollment settings control the SafeNet Authentication Manager token enrollment process.

General Properties

Maximum number of active tokens per user: Defines the maximum number of non-revoked tokens per user.
   Default: 1. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Initialize token on each enrollment: Determines if tokens are initialized during each enrollment.
   Default: No initialization. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Initialize new token on first enrollment: Determines if new tokens are initialized during their first enrollment in SafeNet Authentication Manager. Note: The Initialize new token on first enrollment setting is effective only if enrollment is done through the SAM Service Center.
   Default: No initialization.
Set random Token Password: Determines if a random Token Password is set during initialization. Note: If this policy is enabled, ensure that users receive their Token Passwords via enrollment notification settings defined in the TPO.
   Default: Random Token Password is not set. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Random Token Password length: Defines the random Token Password length.
   Default: 12 characters. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Random Token Password content: Defines the random Token Password content.
   Default: Numerals only. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Password must be changed on first logon: Determines if users must change their Token Passwords on first logon after enrollment.
   Default: Password change not required. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Ignore connector incompatibility during enrollment: Determines if the token enrollment fails when a connector is not compatible with the token type.
   Default: Do not ignore incompatibility (Enrollment fails). Token type: All devices excluding MobilePASS.
Enable SafeNet eToken Virtual creation: Determines if a SafeNet eToken Virtual may be created during enrollment (instead of enrolling a physical token).
   Default: Not enabled. Token type: eToken Virtual.
Require user to complete authentication questionnaire: Determines if users must complete authentication questionnaires during enrollment.
   Default: Not required. Token type: All devices excluding MobilePASS.

SafeNet eToken Virtual Enrollment

SafeNet eToken Virtual locking method: Determines the method for locking SafeNet eToken Virtual authenticators (see SafeNet eToken Virtual Products on page 432). Select Define this Policy Setting, then select one of the following:
   Portable drive only
   Computer only
   Portable drive or computer
   Default: Computer only. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.

Enrollment Notification
Enrollment Notification settings enable enrollment notification letters configuration. See Enrollment Notification on page 332.
Recovery Settings
Recovery Settings set options for tokens that cannot be used because they have been lost, or their passwords have been forgotten.

Enable token unlock: Determines if an administrator password is created for token unlock. Note: To be unlocked, a token must have an Administrator Password saved to it during initialization. To enable this, enable this policy and define the "Unlock password type" policy. A locked token that does not have an Administrator Password cannot be used for logon until it is re-initialized.
   Default: Enabled. Token type: All devices excluding MobilePASS.
Unlock password type: Defines the administrator password type. Note: To be unlocked, a token must have an Administrator Password saved to it during initialization. To enable this, enable the "Enable token unlock" policy and define this policy. A locked token that does not have an Administrator Password cannot be used for logon until it is re-initialized.
   Default: Random password. Token type: All devices excluding MobilePASS.
Maximum number of SafeNet eToken Virtual unlocks: Defines how many times a SafeNet eToken Virtual can be unlocked. Note: The number of unlocks includes both successful and unsuccessful attempts.
   Default: 20 times. Token type: All devices excluding SafeNet eToken Virtual Temp.
Enable SafeNet eToken Rescue: Determines if users can download a SafeNet eToken Rescue as a replacement token.
   Default: Not allowed. Token type: All devices excluding SafeNet eToken Virtual Temp.
Maximum SafeNet eToken Rescue usage period: Defines the number of days a SafeNet eToken Rescue can be used.
   Default: 14 days. Token type: All devices excluding SafeNet eToken Virtual Temp.
SafeNet eToken Rescue download options: Determines when a SafeNet eToken Rescue is downloaded to a user’s computer: User manually initiates a download, or Automatic download on first logon.
   Default: User manually initiates download. Token type: All devices excluding SafeNet eToken Virtual Temp.
User authentication questionnaire: Defines the questions to be asked for user authentication.
   Default: No questions (users cannot authenticate to the Rescue Service Center). Token type: All devices.
Number of random questions asked: Defines how many random questions are asked for user authentication.
   Default: 0 (No questions asked). Token type: All devices.
Maximum number of authentication retries: Defines how many incorrect authentication answers lock the user when attempting to authenticate to the Rescue Service Center.
   Default: 3. Token type: All devices.
User authentication for Helpdesk: Determines if user authentication is required to access the Helpdesk.
   Default: Not required. Token type: All devices.
Maximum Temp Logon usage period: Defines the number of days a temporary password can replace a missing token.
   Default: 3 days. Token type: All devices excluding MobilePASS.
Maximum Temp OTP password usage period: Defines the number of days a Temp OTP password can replace a missing OTP token.
   Default: 14 days. Token type: All devices.
Enable token history: Enables the token history feature.
   Default: Not enabled.
Require certificate recovery workflow: Determines if a certificate recovery workflow is required.
   Default: Not required.
Audit Settings
Audit settings enable audit information logging and audit notification letters configuration. See Audit Messages on page 322.

MobilePASS Settings
MobilePASS settings apply to MobilePASS tokens.

General Properties

Maximum number of active MobilePASS tokens per user: Defines the maximum number of MobilePASS tokens allowed for each user.
   Default: 1. Token type: MobilePASS.
Enable MobilePASS Messaging: Determines if MobilePASS Messaging enrollment is enabled.
   Default: Not enabled. Token type: MobilePASS.
Enable automatic enrollment of MobilePASS Messaging tokens: Determines if automatic MobilePASS Messaging enrollment is enabled.
   Default: Not enabled. Token type: MobilePASS.
Verify SMS number on self-enrollment: Determines if the SMS number is verified on self-enrollment.
   Default: SMS number is verified. Token type: MobilePASS.
Backend Service Settings
SafeNet Authentication Manager Backend Service settings control Backend Service activities.

Disallow Temp Logon: Determines if the backend service disallows the use of a temporary password as a replacement for a missing password.
   Default: Disallow. Token type: All devices excluding MobilePASS.
Revoke opened SafeNet eToken Rescue upon expiration: Determines if an opened SafeNet eToken Rescue is automatically revoked upon expiration.
   Default: Revoke. Token type: All devices excluding SafeNet eToken Virtual Temp.
Revoke tokens of users deleted from SAM user store: Determines if tokens are automatically revoked when their users are deleted from the user store.
   Default: Revoke. Token type: All devices.
Revoke tokens of users disabled in SAM user store: Determines if tokens are automatically revoked when their users are disabled in the user store.
   Default: Not revoked. Token type: All devices.
Synchronize users data: Determines if SAM database integrity is maintained by synchronizing users’ data.
   Default: Synchronize. Token type: All devices.
Synchronize license data: Determines if license counters are automatically calculated and updated. Note: Enable this policy to optimize SAM performance.
   Default: Synchronize. Token type: All devices.
Legacy TMS Desktop Agent Settings
Legacy Desktop Agent settings control the legacy TMS Desktop Agent capabilities.

Display token update alerts: Defines whether to display alerts to the user if the token content is not aligned with definitions or about to expire.
   Default: Token update alerts are enabled.
Update alert period: Defines the number of days to show the update alert prior to the eToken expiration date.
   Default: Expiration alert starts 30 days before token expires.
Update alert text: Defines the message the user sees in cases of a token update alert.
   Default: Update your token.
Update alert title: Defines the alert message title the user sees in cases of a token update alert.
   Default: Token Notification.
Update alert click action: Determines the action that occurs when the user clicks the alert balloon: No action, Show detailed message or Open website.
   Default: No action.
Update alert detailed message: The message displayed when the user clicks on the balloon. Used only if the “Update alert click action” policy is set to 'Show detailed message'.
   Default: Empty.
Update alert website URL: The website URL to open when the user clicks on the balloon. Used only if the “Update alert click action” policy is set to 'Open website'.
   Default: Not defined.
Update alert interval: Defines the minimum interval in days between two alerts to the same user (for connected tokens).
   Default: Minimum alert interval is 4 days.
Update check interval: Alerts will be checked whenever a token is inserted or when the specified number of days has passed since the last alert check (even if a token was not inserted).
   Default: Alert check interval is 14 days.
Token connection auditing: Determines if token insertion and removal events are audited.
   Default: Token insertion/removal auditing is enabled.

Badging Settings
Badging settings control how badges are printed.

Enable badging: Determines if badging is enabled.
   Default: Disabled. Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Expiration date on badge: Determines if an expiration date is printed on the badge, and sets the date.
   Default: Empty (No date printed). Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp.
Photo Storage

Note: The file system folder should not be a network folder.

Policy | Description | Default | Token Type
Photo storage method | Determines if the users’ photos are located on a file system or in the SAM User Store. | File system | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
File system photo directory | Determines the location of the photos stored in a file system. | Empty | All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Printing Parameters

Policy | Description | Default | Token Type
Print front of badge | Determines if the front of the badge is printed. | Enabled | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Print back of badge | Determines if the back of the badge is printed. | Disabled | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Orientation - front side | Determines if the badge’s front side orientation is portrait or landscape. | Portrait | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Orientation - back side | Determines if the badge’s back side orientation is portrait or landscape. | Landscape | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Image generator plug-in | Defines the assembly plug-in for generating the badge’s printing file. Note: Define this setting if you have developed an SDK plug-in that uses a custom image generator or printer. | SAM-supplied plug-in | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Template - front side | Determines the template file used for printing the badge’s front side. | SAM-supplied generic template | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Template - back side | Determines the template file used for printing the badge’s back side. | SAM-supplied generic template | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Laminate - front side | Determines if a protective topcoat is printed on the badge’s front side. | Enabled | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Laminate - back side | Determines if a protective topcoat is printed on the badge’s back side. | Enabled | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Printing plug-in | Determines if a printing plug-in is used for printing the badge image. Note: Define this setting if you have developed an SDK plug-in that uses a custom image generator or printer. | SAM-supplied plug-in | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Enable duplex printing | Determines if two-sided printing is enabled. | Enabled | All devices excluding MobilePASS and SafeNet eToken Virtual Temp
Chapter 10

SAM Configuration Manager

Use the SafeNet Authentication Manager Configuration Manager to change the default settings in accordance with your organization’s policies.

In this section:

Launching the SAM Configuration Manager
Selecting the SAM Instance
Importing and Exporting the SAM Settings File
Adding SAM Connectors
Configuring Roles
Scheduling the SAM Backend Service
Configuring the License
Configuring IIS and Web Services
Selecting the Authentication Plug-In
Defining a Failover Configuration
Exporting and Importing the Signing Certificate
Changing the SAM Service Account
Launching the SAM Configuration Manager
Note: In Windows Server 2008 and Windows Server 2008 R2, the SAM Configuration Manager must be run as Administrator.

To launch the SAM Configuration Manager:

Select Start > Programs > SafeNet > SafeNet Authentication Manager Configuration Manager.
The SAM Configuration Manager window opens, displaying details of the SAM instance.

Selecting the SAM Instance

If more than one SafeNet Authentication Manager instance has been configured, select the required instance.

To select the SAM instance:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the General menu, select Select Configuration, and select the appropriate SafeNet Authentication Manager configuration name assigned in the SafeNet Authentication Manager Configuration Settings Wizard.
Importing and Exporting the SAM Settings File

The SafeNet Authentication Manager Settings File contains data used for SafeNet Authentication Manager processes, including the security keys used for SafeNet Authentication Manager data encryption in the Active Directory. The SafeNet Authentication Manager Settings File can be exported for backup or sharing, and imported later.

Import the SafeNet Authentication Manager Settings File from the backup file when you need to restore a damaged computer, or when you are setting up an additional SafeNet Authentication Manager Server that uses the same settings.

Each SafeNet Authentication Manager Settings File contains a global security key, and a security key for each connector. If there is more than one instance of SAM Server on a computer, each instance has its own SAM Settings File.

Notes:
The SafeNet Authentication Manager Settings File should be exported after installation.
We recommend exporting the SafeNet Authentication Manager Settings File whenever a connector is added.

The security keys are typically configured for renewal every year. The Settings File options in the Action dropdown menu are enabled only when there are keys due for renewal.
Exporting the SAM Settings File
To export the SAM Settings File:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Settings File > Export.
The Export Settings File window opens.
3. Enter a path for the exported settings file, and create and confirm a password for the new file.
The default path is C:\Documents and Settings\Administrator\My Documents\SAMSettingsExport.xm
Tip: Remember the file password. You must provide it when importing the file.
4. Click Export.
The file is exported, and the Export Completed window opens.
5. Click OK.

Importing the SAM Settings File

To import the SAM Settings File:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Settings File > Import.
The Import Settings File window opens.
3. Enter the path and the file password of the exported settings file, and click Import.
The file is imported, and the Import Completed window opens.
4. Click OK.
Adding SAM Connectors

During token enrollment, applications for the SAM connectors installed on SAM are enabled on the token. If a SAM connector is not installed at the time of token enrollment, its connector applications are not enabled on the token.

See Connector Configuration on page 201, to configure connectors.

To add a new connector:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Connectors > Add Connector.
The Open window opens, displaying all the available connector files.
3. Select the required connector and click Open.
In this example, we install the Entrust Connector.
The connector is installed and is included in the SafeNet Authentication Manager Configuration Manager window.
Note: We recommend exporting the SafeNet Authentication Manager Settings File whenever a connector is added.

Configuring Roles

See Authorization Manager on page 299.
Scheduling the SAM Backend Service
To schedule the SAM Backend Service:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Backend Service > Change Scheduling.
The Backend Service Scheduling window opens.
3. To activate the scheduled operation of the SAM Backend Service, select Enable scheduling, and select one of the following:
Periodically: enter the number of hours between each scheduled operation
Daily: enter the time when scheduled operations are performed
Weekly: enter the day of the week and the time when scheduled operations are performed
4. Click OK.
Note: After scheduling the Backend Service, you must restart the Backend Service for the changes to take effect.

Configuring the License

See Licensing on page 293.
Configuring IIS and Web Services
Configuring OTP Web Services

See OTP Web Service Settings on page 340.

Configuring Features of the SAM Management Center

You can change certain default features of the SAM Management Center.

To configure certain features of the SAM Management Center:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Management Center.
The Management Center Settings window opens.
3. Complete the fields as follows and click OK:

Field | Description
SAM Client download file | Enter the path to the 32-bit SAM Client installation file (msi)
SAC Client X64 download file | Enter the path to the 64-bit SAM Client installation file (msi)
Show the user display name | Select to show the user’s display name, instead of the account name
Maximum rows per report page | Select the number of rows to be displayed on each page of a report
Maximum tokens and users search results | Select the number of records to be displayed that match the search criteria. The larger the number, the longer the search time. To display more results, increase this number.
Token Serial Format | Select the format in which the token serial number is displayed: Hexadecimal or Decimal.

Configuring Features of the SAM Self Service Center

You can change certain default features of the SAM Self Service Center.

Note: There is no default value for the SafeNet Authentication Client download file location. We recommend that you define the file’s location in case a user does not have SafeNet Authentication Client installed.

To configure certain features of the SAM Self Service Center:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Self Service Center.
The SAM Self Service Center Configuration window opens.
3. Complete the fields as follows and click OK:

Field | Description
SafeNet Authentication Client 32-bit download file, SafeNet Authentication Client 64-bit download file | Click Browse to select the path to the SafeNet Authentication Client installation file in the ClientDownload folder. Note: Ensure that the SafeNet Authentication Client file has been copied to the ClientDownload folder where the SafeNet Authentication Manager Client file is located.
SafeNet Authentication Manager Client 32-bit download file, SafeNet Authentication Manager Client 64-bit download file | Enter the path to the SafeNet Authentication Manager Client installation file. Note: By default, the path is entered during the installation process.
Configuring Features of the SAM Rescue Service Center

You can change certain default features of the SAM Rescue Service Center.

To configure certain features of the SAM Remote Service Center:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Rescue Service Center.
The SAM Remote Service Center Settings window opens.
3. Enter the number of minutes that a SafeNet eToken Rescue is kept on the SafeNet Authentication Manager Server after the user logs off.

Configuring Features of SAM Web Service API

The SAM Web Service API enables developers to develop applications that can contact SafeNet Authentication Manager directly, without the user being required to log on through a SafeNet Authentication Manager website. The new application allows the end‐user to log on to a different application that accesses SafeNet Authentication Manager.

Note: Only server‐based operations are available.

To configure certain features of the SAM Web service API:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Web API Service.
The Web API Service Settings window opens.
3. Complete the fields as follows and click OK.

Field | Description
Sessions do not expire | Select to enable the session to continue for an unlimited time.
Sessions expire after (in minutes) | To limit the length of time for the session, clear the Sessions do not expire field, and enter, in minutes, the maximum session time permitted.
Delete expired sessions every (in minutes) | Even when a session is no longer active, it remains open until deleted. Enter an interval, in minutes, between attempts to delete expired sessions from the system.
Unlimited number of concurrent open sessions | Select to enable an unlimited number of open sessions.
Maximum number of concurrent open sessions | To limit the number of open sessions, clear the Unlimited number of concurrent open sessions field, and enter the maximum number of sessions that can be opened concurrently.
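How the session timeout, the cleanup interval and the concurrency cap interact is easier to see in code. The following is an added illustration, not SAM code or its API: the settings class and its attribute names, the in-memory session table and the minute-based clock are assumptions chosen so the scenario runs offline.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class WebApiSessionSettings:
    """The four fields of the Web API Service Settings window (attribute names assumed)."""
    session_timeout_min: Optional[int] = 30   # None models "Sessions do not expire"
    cleanup_interval_min: int = 5             # "Delete expired sessions every (in minutes)"
    max_open_sessions: Optional[int] = 100    # None models "Unlimited number of concurrent open sessions"


class SessionLimitError(Exception):
    pass


class SessionStore:
    """Session table with expiry, periodic deletion and a concurrency cap.

    Time is an integer number of minutes supplied by the caller, so the behaviour
    can be exercised without sleeping.
    """

    def __init__(self, settings: WebApiSessionSettings) -> None:
        self.settings = settings
        self._sessions: Dict[str, int] = {}   # session id -> minute of last activity
        self._last_cleanup = 0

    def is_expired(self, session_id: str, now: int) -> bool:
        timeout = self.settings.session_timeout_min
        if timeout is None or session_id not in self._sessions:
            return False
        return now - self._sessions[session_id] >= timeout

    def open_session_count(self) -> int:
        # Expired sessions still count until the cleanup job deletes them, which is why
        # the cleanup interval matters whenever a concurrency cap is set.
        return len(self._sessions)

    def run_cleanup_if_due(self, now: int) -> int:
        """Delete expired sessions once the cleanup interval has elapsed; returns the number removed."""
        if now - self._last_cleanup < self.settings.cleanup_interval_min:
            return 0
        self._last_cleanup = now
        expired = [sid for sid in self._sessions if self.is_expired(sid, now)]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def open_session(self, now: int) -> str:
        self.run_cleanup_if_due(now)
        cap = self.settings.max_open_sessions
        if cap is not None and len(self._sessions) >= cap:
            raise SessionLimitError("maximum number of concurrent open sessions reached")
        session_id = uuid.uuid4().hex
        self._sessions[session_id] = now
        return session_id

    def touch(self, session_id: str, now: int) -> bool:
        """Validate a session on each request; an expired one is rejected before cleanup runs."""
        if session_id not in self._sessions or self.is_expired(session_id, now):
            return False
        self._sessions[session_id] = now
        return True


def demo_slot_exhaustion() -> Tuple[bool, bool, int]:
    """Constructed scenario: cap of 2 sessions, 10-minute timeout, cleanup every 15 minutes."""
    store = SessionStore(WebApiSessionSettings(10, 15, 2))
    first = store.open_session(now=0)
    store.open_session(now=0)
    # At minute 12 both sessions have expired and are rejected on use ...
    first_valid = store.touch(first, now=12)
    # ... but cleanup is not due until minute 15, so the two slots are still occupied.
    try:
        store.open_session(now=12)
        third_blocked = False
    except SessionLimitError:
        third_blocked = True
    removed = store.run_cleanup_if_due(now=15)   # the cleanup job frees both slots
    return first_valid, third_blocked, removed
```

The scenario shows why a long cleanup interval combined with a small session cap can lock out new API clients even though every open session is already dead.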
Configuring Desktop Agent

See Desktop Agent on page 371.

Configuring Server Synchronization

In a distributed environment, with more than one SafeNet Authentication Manager server, the Server Synchronization feature is used to synchronize the token and user records during the assignment operation. This ensures that two or more token assignment sessions cannot assign the same token twice, or assign more than the permitted number of tokens to a user.

To configure server synchronization:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Server Synchronization.
The Server Operations Synchronization Settings window opens.
3. To activate server synchronization, select Server Synchronization.
4. For each server to be included in the synchronization operations, click Add, type the server URL, and click Test to verify the URL.
5. To change the default locking time, enter a new locking time (in milliseconds).
The locking time determines the maximum time the user and user’s token records are locked during an assignment operation.
6. To change the default failure timeout, enter a new failure timeout (in milliseconds).
The failure timeout is the time required for a failed lock operation to initiate an error response.
7. Click OK.
The Restart IIS Application Pool window opens.
8. To save the changes and restart the IIS Application Pool, click Yes.
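As an added illustration that is not SAM code, the following models how the locking time and failure timeout of steps 5 and 6 interact when two servers try to assign the same token, and how the locked records protect the two rules the feature exists for. The LockService, the record-key naming, the retry interval and the per-user token limit value are assumptions; time is passed in as milliseconds so the scenario is deterministic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SyncSettings:
    """Values from the Server Operations Synchronization Settings window (defaults assumed)."""
    locking_time_ms: int = 30_000     # maximum time user and token records stay locked
    failure_timeout_ms: int = 5_000   # wait before a failed lock produces an error response
    max_tokens_per_user: int = 1      # permitted number of tokens per user (assumed value)


class LockService:
    """Shared record-lock table standing in for the synchronization endpoint each server
    registers by URL. Time is passed in as milliseconds so the scenario is deterministic."""

    def __init__(self, settings: SyncSettings) -> None:
        self.settings = settings
        self._locks: Dict[str, Tuple[str, int]] = {}   # record key -> (owner session, expiry)

    def owner(self, key: str, now: int) -> Optional[str]:
        entry = self._locks.get(key)
        if entry is None:
            return None
        if now >= entry[1]:           # lease exceeded the locking time: treat as released
            del self._locks[key]
            return None
        return entry[0]

    def try_lock(self, keys: List[str], session: str, now: int) -> bool:
        """Lock every key or none of them, so a session never holds half an assignment."""
        if any(self.owner(k, now) not in (None, session) for k in keys):
            return False
        for k in keys:
            self._locks[k] = (session, now + self.settings.locking_time_ms)
        return True

    def lock_or_fail(self, keys: List[str], session: str, now: int, retry_ms: int = 500) -> Optional[int]:
        """Retry until locked and return the lock time, or None once the failure timeout elapses."""
        deadline = now + self.settings.failure_timeout_ms
        while not self.try_lock(keys, session, now):
            now += retry_ms
            if now > deadline:
                return None
        return now

    def unlock(self, keys: List[str], session: str) -> None:
        for k in keys:
            if self._locks.get(k, (None, 0))[0] == session:
                del self._locks[k]


class AssignmentCoordinator:
    """Assignment guarded by the lock service: a token is never assigned twice and a user
    never exceeds the permitted number of tokens."""

    def __init__(self, settings: SyncSettings) -> None:
        self.settings = settings
        self.locks = LockService(settings)
        self.token_owner: Dict[str, str] = {}
        self.user_tokens: Dict[str, Set[str]] = {}

    def assign(self, session: str, user: str, token: str, now: int) -> str:
        """Returns the outcome; a lock that cannot be taken yields the error response."""
        keys = [f"user:{user}", f"token:{token}"]
        if self.locks.lock_or_fail(keys, session, now) is None:
            return "error: lock failure timeout"
        try:
            if token in self.token_owner:
                return "error: token already assigned"
            owned = self.user_tokens.setdefault(user, set())
            if len(owned) >= self.settings.max_tokens_per_user:
                return "error: user at permitted number of tokens"
            self.token_owner[token] = user
            owned.add(token)
            return "assigned"
        finally:
            self.locks.unlock(keys, session)


def demo() -> Tuple[Optional[int], Optional[int], str]:
    """Constructed scenario: sessions on two servers contend for the same user and token."""
    keys = ["user:alice", "token:0x1234"]
    coord = AssignmentCoordinator(SyncSettings(locking_time_ms=3_000, failure_timeout_ms=5_000))
    coord.locks.try_lock(keys, "server-A", now=0)   # session A locks the records, then stalls
    # B starts at 100 ms and is blocked until A's lease lapses at 3000 ms; that is inside the
    # 5000 ms failure timeout, so B obtains the lock at 3100 ms instead of erroring out.
    got_at = coord.locks.lock_or_fail(keys, "server-B", now=100)
    coord.locks.unlock(keys, "server-B")
    # With the default 30 s locking time the same wait exceeds the failure timeout: None.
    slow = LockService(SyncSettings())
    slow.try_lock(keys, "server-A", now=0)
    timed_out = slow.lock_or_fail(keys, "server-B", now=100)
    # On the normal path the second assignment of the same token is refused.
    coord.assign("server-B", "alice", "0x1234", now=4_000)
    refused = coord.assign("server-A", "bob", "0x1234", now=4_100)
    return got_at, timed_out, refused
```

A locking time shorter than the failure timeout lets a stalled session's records be taken over; a longer one turns contention into the error response, which is the trade-off the two fields control.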
Selecting the Authentication Plug-In

When SafeNet Authentication Manager uses a non‐AD external user store, Active Directory cannot be used to authenticate usernames and passwords. An authentication plug‐in file is required to enable users to log on to the SAM websites.

The plug‐in dll was set in the SAM Configuration Wizard. See Chapter 7, Configuring for OpenLDAP, Novell eDirectory or Remote AD, step 12 on page 108, or Configuring for MS SQL Server, step 11 on page 119.

Use the SAM Configuration Manager to set a different authentication plug‐in dll.
To set a different authentication plug-in:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Website Authentication Settings > Change.
The Authentication Settings window opens.
3. Navigate to the appropriate authentication dll file, and click OK.

Defining a Failover Configuration

The failover configuration feature enables you to set up a failover configuration for LDAP user stores that do not follow the standard AD configuration. When the standard AD configuration is used, a failover configuration is not required.

SafeNet Authentication Manager will connect to the failover LDAP user store if the primary user store stops responding.

To create a failover configuration:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. Select General > Failover Configuration > New.
3. The New Failover Configuration window opens.
4. Click Browse next to the Select Directory field.
In this example, the Select OpenLDAP Server window opens.
5. Enter the fields as follows:

Field | Description
Server | Enter the IP address of the directory server
Port | Enter the directory server port. This is determined when the directory is configured.
Naming Context | Click Browse and select the required naming context.
Simple Binding, using an anonymous user | Select this option to connect to the directory server without a user and password. This is possible only if this option is enabled in the system.
Simple Binding, using the following user | Select this option to connect to the directory server using the User DN and Password. Enter the User DN and Password in the appropriate fields.
Use a secure connection | If OpenLDAP is configured to run in a secure mode, select this option to encrypt the data to be transferred.

6. The selected directory is displayed in the New failover configuration window.
7. Click Save to save the configuration, and click Close.

Exporting and Importing the Signing Certificate

You can create a password protected file containing the settings for the SafeNet Authentication Manager security keys. This file can later be imported back into SafeNet Authentication Manager.
Exporting a Signing Certificate
To export a signing certificate:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Signing Certificate > Export.
The Export Certificate window opens.
3. To change the default installation folder, click Browse and navigate to the required location.
4. Enter a password in the File Password field, and confirm in the Confirm Password field.
5. Click Export.

Importing a Signing Certificate

To import a signing certificate:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Signing Certificate > Import.
The Import Certificate window opens.
3. Click Browse and navigate to the file.
4. Enter the password in the File Password field and click Import.
Tip: Remember the file password. You must provide it when importing the file.

Changing the SAM Service Account

The SAM Service Account is used to manage SafeNet Authentication Manager operations. It may be necessary to change the account details and password that were entered during installation.

Notes:
The SAM Service Account need not be an administrator account, but it must have sufficient permissions to run the connectors. See Permissions for Basic Administration on page 310.
The SAM Service Account can be changed only if the user has a Windows 2000 logon name (UPN).

To change the Service Account and password:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
The SAM Configuration Manager window opens.
2. Select General > Change Service Account.
The SAM Service Account window opens.
3. Click Browse next to the Username field.
The Select User window opens.
4. Enter the account name in the Enter the object name to select field, and click OK.
The selected account name is displayed in the Change SAM Services Account window.
5. In the Password and Confirm Password fields enter a password for the account, and click OK.
Chapter 11
Connector Configuration

SafeNet Authentication Manager is based on an open standards architecture, with configurable connectors. This supports integration with a wide range of security applications including network logon, VPN, web access, one‐time password authentication, secure email, and data encryption.

Use the Token Policy Object Editor to change the SafeNet Authentication Manager connectors’ default configurations. See Using the Token Policy Object Editor to Edit TPOs on page 146.

In this section:

Connector for Microsoft CA
Connector for OTP Authentication
Connector for Flash Management
Connector for P12 Certificate Import
Connector for SafeNet Network Logon
Connector for Check Point Internal CA
Connector for Entrust
Connector for Microsoft CA

The connector for Microsoft CA (MSCA) enables the user to generate certificates using the Microsoft Certificate Authority (CA) services.

Two types of certification authorities (CAs) are provided by Windows Server 2003/2003R2/2008/2008R2 Certificate Services:

Standalone: permits the generation of certificates for anyone
Enterprise: permits the generation of certificates for authenticated users only, and requires Active Directory to be installed

The SafeNet Authentication Manager Microsoft CA Connector interacts with both types of CAs, enabling certificates to be generated for these CAs.

For more information on certificates and CAs, see Microsoft documentation.

Supported User Stores

User Store | Supported by this Connector?
AD | Yes
MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM | Only for offline requests where the subject name is provided manually. Supported only for a standalone CA.

Microsoft DLL Files Required for MSCA

The required DLL files are supplied with the supported operating systems and service packs.

Windows XP and Windows Server 2003

In Windows XP, install the AdminPack to obtain all required DLLs.

DLL | Purpose | TPO | SAM Management Center | SAM Self Service Center
xenroll | Token side | No | Yes | Yes
scrdenrl | CA and Token | No | Yes | No
Certadmin | CA side configuration and enrollment | Yes | No | No
Certcli | CA side configuration and enrollment | Yes | No | No

Windows Vista, Windows 7 and Windows Server 2008

DLL | Purpose | TPO | SAM Management Center | SAM Self Service Center
certEnroll | Token side | No | Yes | Yes
Configuring the Microsoft CA

The Microsoft CA must be configured before it is connected to SafeNet Authentication Manager. This involves adding the appropriate templates, and setting the security properties.

Adding a Template to the CA

The certificate template must be deployed so the CA can issue certificates based on it.

To add a template to the CA:

1. From the Windows Start menu, go to Programs > Administrative Tools > Certification Authority.
The Certification Authority window opens.
2. In the navigation pane, expand the entry under Certification Authority (Local), and select Certificate Templates.
Templates that are in the database and in the CA are displayed in the right pane.
3. Right‐click the Certificate Template node, and from the sub‐menu, select New > Certificate Template to Issue.
The Enable Certificate Templates window opens.
4. Select the required certificate template, and click OK.
The added certificate template is included in the right pane.

Setting Template Security Properties

Set the template’s security properties to define which permissions are given to each organizational group. Authorize those users who need to enroll certificates in the CA to request certificates.

To set template security properties in Windows Server 2003:

1. From the Windows Start menu, go to Programs > Administrative Tools > Certification Authority.
The Certification Authority window opens.
2. In the navigation pane, expand the entry under Certification Authority (Local).
3. Right‐click Certificate Templates, and from the sub‐menu, select Manage.
The templates are displayed in the right pane.
4. Right‐click the template of the required certificate, and from the sub‐menu, select Properties.
The Properties window opens.
5. Select the Security tab.
6. Select the required permissions for all relevant organizational groups, and click OK.
Duplicating a Template

We recommend creating a duplicate template to use as a backup.

To create a duplicate template:

1. Select the required template (See Setting Template Security Properties on page 205).
2. Right‐click on the template and select Duplicate Template.
The Properties of New Template window opens.
3. If required, make changes to the properties of the template.
4. Click OK.
A template named Copy of <template name> is added to the list of certificate templates.

Changing the Minimum Key Size

The default Smartcard Logon template has a default key size of 512. For Smartcard logon with JavaCard, a minimum key size of 1024 is required.

To change the minimum key size:

1. Select the Smartcard User template (See Setting Template Security Properties on page 205).
2. Right‐click on Smartcard User and select Duplicate Template.
The Properties of New Template window opens.
3. In the Minimum key size field enter 1024 or 2048 as required.
4. Click OK.
A template named Copy of Smartcard user is added to the list of certificate templates.

Setting CA Security Properties

Set the CA’s security properties to define which permissions are given to each organizational group.

To set CA security properties:

1. From the Start menu go to Programs > Administrative Tools > Active Directory Sites and Services.
The Active Directory Sites and Services window opens.
2. In the navigation pane, right‐click Certificate Authority, and from the sub‐menu, select Properties.
The Properties window opens.
3. Select the Security tab.
4. Set the required permissions for each organizational group, and click OK.
Defining TPO Rules

Use the Connector Policy Object Editor to set the SAM connector policies.

To create a new request:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
The list of installed SafeNet Authentication Manager connectors opens in the right pane.
3. In the right pane, right‐click Connector for Microsoft CA and select Properties.
The Connector for Microsoft CA Properties window opens.
4. Select Define this policy setting, select Enabled, and click Definitions.
The Connector Policy Object Editor opens.
5. By default, there is no limit to the number of certificates that can be enrolled to a token. To limit the maximum number of certificates on the token, do the following:
a. In the right pane, right‐click on Maximum number of certificates on token, and select Properties.
b. Select Define this policy setting.
c. Enter the maximum number of certificates that can be enrolled on the token and click OK.
6. Right‐click Microsoft CA Connector, and select Create new request.
The Create New Request window opens.
7. For each request enter the fields as follows:

Field Name | Description
Request Name | May be any name. If a request with the same request name exists in a different TPO definition, the new parameters are merged with that request’s parameters during token enrollment. If the request name does not exist in a TPO relevant to the enrolled user, the request is added. Default: New Request, followed by the next sequential number
Name | CA from the list of CAs installed in the AD tree. Default: the first CA in the drop-down list
Type | Depends on Active Directory being present. Standalone: permits the generation of certificates for anyone. Enterprise: permits the generation of certificates for authenticated users only. No default
Windows Version | Windows version on the CA computer: Server 2003-(2008). No default
Certificate Usage | Filter used to narrow the selection in the Templates drop-down list. Type of templates to be enrolled: Smartcard Logon, Encryption, Signature, VPN, Other. No default
Templates | A certificate template from one or both of the template lists appropriate for the Certificate Usage selected. Administrator-generated certificate template: used when enrollment is performed by the administrator. User-generated certificate template: used during self-service enrollment. No default

Once a request is created, these fields cannot be modified. If a change is required in the fields, the request must be deleted and a new request created.
8. Click OK.
9. In the Connector Policy Object Editor window, select the request node to see its policies.
Note: The first four policies in the list are set when the request is created. They cannot be modified. If a change is required in any of these four policies, delete the request and create a new request with the appropriate settings.
10. Configure the request policies as follows:

Field Name | Description
Certificate backup | Determines if the request’s certificate and keys are backed up in the SafeNet Authentication Manager database
SafeNet eToken Rescue support | Determines if the request’s certificate is backed up to a SafeNet eToken Rescue temporary replacement token
Key required after revocation | Determines if the certificate is also removed from the token when it is revoked on the CA
Publish CRL | Determines if the CA publishes a new certificate revocation list whenever a certificate is revoked
Store in local computer certificate store | Determines if the certificate is imported to the local computer certificate store. Note 1: This is applicable only for certificates generated by users’ requests during self-service enrollment for off-line certificates, and not for enrollments done by an administrator. Note 2: Only a user with administrator rights on the local computer can generate or use a key in this store.
Override certificate department | Determines if the default user department is overridden in the certificate subject of an off-line certificate
Certificate department | Defines the department name that overrides the default department in an off-line certificate when Override certificate department is enabled
Automatic certificate renewal | Determines if an expired certificate is automatically renewed on next enrollment
Reuse keys for renewed certificate | Determines if previous keys are reused if a new certificate is generated when Automatic certificate renewal is enabled
Random user password | Sets a random user password unknown to the user, forcing the user to log on with a Smartcard
Force smartcard usage for logon | Sets the Account option in the AD user properties to Smartcard is required for interactive logon, forcing the user to log on with a smartcard
“Undestroyable” certificate and keys on token | Determines if the clear function in eToken PKI Client will not delete the certificate and keys on the token

11. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for Microsoft CA Properties window.
The updated connector settings have now been applied.
Connector for OTP Authentication
The TPO rules dictate which password(s) must be provided by the user for authentication:
OTP Only: the user must enter the number displayed on the OTP token
OTP PIN and OTP: the user must enter the secret OTP PIN, as well as the number displayed on the OTP token
Windows password and OTP: the user must enter the Windows password, as well as the number displayed on the OTP token (This option is supported only in AD mode)
Supported User Stores
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes
Defining TPO Rules
Use the Connector Policy Object Editor to set the SAM connector policies.
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node. The list of installed SafeNet Authentication Manager connectors opens in the right pane.
3. In the right pane, right-click Connector for OTP Authentication, and select Properties. The Connector for OTP Authentication Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.
5. Edit the policies as follows:
Authentication Code: Defines which information users must provide to authenticate using an OTP. Select from: OTP only; OTP PIN and OTP; Windows password and OTP. Default: OTP PIN and OTP
Authentication Code order: Select from: OTP first; OTP PIN or Windows password first. Default: OTP PIN or Windows password first
Allow dial-in access: Determines if the users’ dial-in permission fields are changed to allow access during OTP token enrollments. Default: User’s dial-in property is not changed
OTP PIN type: Defines how the OTP PIN is created during enrollment. Manual: The user chooses a PIN. Random: During admin enrollment, the connector creates a random PIN. This is not relevant for user enrollment. Default: Manual
Minimum OTP PIN length: The minimum length of an OTP PIN that a user chooses manually, and the exact length of a random OTP PIN. Default: 4 characters. Note: An OTP PIN length should not exceed 10 characters
Allow OTP PIN reset during enrollment: When the SAM Self Service Center is used to enroll a new OTP token protected by an OTP PIN, the user creates an OTP PIN. This parameter determines the behavior of subsequent enrollments of the OTP token protected by an OTP PIN. Enabled: the OTP PIN is reset during each subsequent enrollment of the OTP token. Disabled: the user must provide the current OTP PIN during each subsequent enrollment. Default: Not enabled (Users cannot reset OTP PIN)
OTP generation using SafeNet eToken Rescue: Determines if an OTP can be generated on a SafeNet eToken Rescue replacement token. Default: Not enabled (An OTP profile is not enrolled to a SafeNet eToken Rescue)
OTP maximum usage period: Defines after how many days an OTP token expires. Default: Does not expire
Temp OTP length: Defines the length of a Temp OTP. Default: 12 characters
Temp OTP content: Defines the content of a Temp OTP: Letters; Numbers; Special characters; or Custom content. Default: Numbers only
Apply Authentication Code to Temp OTP: Determines if the Temp OTP alone is used for authentication, or if it replaces an OTP in the method defined in the Authentication Code policy. Default: Not enabled (Authentication Code is Temp OTP only)
6. Click OK repeatedly to close the Connector Policy Object Editor window and the SAM OTP Authentication Connector Properties window. The updated connector settings are applied.
Connector for Flash Management
With the Connector for Flash Management, you can create a CD-ROM partition on an eToken NG-Flash device. This allows you to include applications and data on the CD-ROM partition of the device to share with all the users in the domain. You can also include an autorun file on the CD-ROM partition of the device. This initiates an automated application execution whenever the device is connected to a computer’s USB port.
The files to be uploaded to the token for the Connector for Flash Management must be in one of the following:
An FTP folder
A network folder that can be accessed for download
Note: During re-enrollment, if the name of the folder containing the files to upload has not changed, the CD-ROM partition is not recreated, even if the contents of the folder have changed. To force the CD-ROM partition to be recreated during re-enrollment, change the name of the folder containing the files.
Supported User Stores
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes
Defining TPO Rules
Use the Connector Policy Object Editor to set the connector policies.
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134). In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.
2. In the right pane, right-click Connector for Flash Management, and select Properties. The Connector for Flash Management Properties window opens.
3. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.
4. Edit the policies as follows:
CD-ROM partition size: The size of the region reserved on the token for the CD-ROM partition. Default: size is calculated automatically
File system upload folder: The name of the file system upload folder containing the files to be uploaded to the CD-ROM partition of the token. This directory must be accessible to every client computer used for enrollment. No default
FTP server: The name or IP address of the FTP server holding the files to be uploaded to the CD-ROM partition of the token. No default
FTP folder: The name of the FTP folder containing the files to be uploaded to the CD-ROM partition of the token. No default
FTP username: The FTP logon username. Default: anonymous
FTP password: The FTP logon password. Default: anonymous
5. Click OK repeatedly to close the Connector for Flash Management Properties and the Connector Policy Object Editor windows. The updated connector settings have now been applied.
Connector for P12 Certificate Import
The Connector for P12 Certificate Import enables the user to import onto their smartcards and tokens:
PFX (P12) files: files that contain a certificate and a private key in P12 format
CER files: files that contain only the certificate without the private key
Root CA certificate files
The Connector for P12 Certificate Import is used to import two types of certificates onto a token:
User certificates
CA certificates
Use the Connector for P12 Certificate Import in the following situations:
You already have PFX files, and you want to import them onto the token. For example, you use a third-party service to generate certificates for your employees, and you receive the certificates from that service as a group of PFX files.
You want to import CA certificates into Root CA certificates on the token, and then copy those to the certificate store on the computer when the token is connected. SafeNet Authentication Manager copies the certificate to the token. SafeNet Authentication Client copies the certificate from the token to the certificate store on the computer.
Supported User Stores
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes
Defining TPO Rules
Use the Connector Policy Object Editor to set the connector policies.
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for P12 Certificate Import, and select Properties. The Connector for P12 Certificate Import Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.
Adding a User Certificate
To add a user certificate:
1. In the Connector Policy Object Editor window, right-click User certificates, and select Properties. The User certificates Properties window opens.
2. Click Add. The Add new user certificate window opens.
Note: You cannot use an asterisk (*) in the User field.
3. In the User field, enter user details.
4. Click Browse next to the Certificate field. The Open window opens.
5. Navigate to the certificate file, select the certificate, and click OK. In the Add new user certificate window, do one of the following:
If the user must enter the password during enrollment, select Password unknown.
If the password of the PFX file is known, enter the password.
6. Select Enroll to an eToken Rescue to import this certificate to a SafeNet eToken Rescue for backup.
7. Click Add. The user certificate is saved. You can add another certificate if required.
Adding User Certificates from an Index File
User certificates may be added by importing an index file linking PFX certificate files with users.
Note: The index file must be in UTF-8 format if it includes non-ASCII characters.
Each line of the index file must contain three parameters separated by semicolons:
AD user account name
Full path to the PFX certificate file
Password of the PFX certificate file
Sample Index File:
For each certificate, a separate index entry is required. If a user is linked to more than one certificate, each certificate should appear on a different line.
To import an index file:
1. In the User certificates Properties window, click Add from file. The Open window opens.
2. Navigate to the appropriate folder, select the .txt file, and click Open.
3. Click OK repeatedly to close the Connector for P12 Certificate Import Properties window. The updated connector settings have now been applied.
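A pre-import check for the index file format described above, written here as an added example rather than SafeNet code: it decodes the file as UTF-8, splits each line into the three semicolon-separated fields, and lists the lines the import would not accept. The Windows path forms, the .pfx/.p12 extension check, BOM tolerance and the duplicate check are assumptions made here, not rules stated in the guide; the sample index file is constructed.

```python
"""Checks an index file for the SafeNet Connector for P12 Certificate Import.

Added example, not SafeNet code.  From the guide: each line carries three
semicolon-separated fields (AD user account name; full path to the PFX
file; PFX password), one certificate per line, and the file must be UTF-8
if it contains non-ASCII characters.  The Windows path form, the .pfx/.p12
extension check, BOM tolerance and the duplicate check are assumptions
made here to catch the usual mistakes before the file is imported.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: a "full path" is a Windows drive path (C:\...) or UNC path (\\server\share\...).
_FULL_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)")
_PFX_EXTENSIONS = (".pfx", ".p12")


@dataclass(frozen=True)
class IndexEntry:
    line_no: int
    user: str       # AD user account name
    pfx_path: str   # full path to the PFX (P12) file
    password: str   # PFX password, kept verbatim


def parse_index(raw: bytes) -> Tuple[List[IndexEntry], List[str]]:
    """Return (importable entries, error messages) for one index file."""
    try:
        # utf-8-sig also accepts the BOM that Windows Notepad writes (assumption: harmless).
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        # A legacy code page would import non-ASCII account names garbled; refuse the whole file.
        return [], [f"file is not valid UTF-8 (byte offset {exc.start}); re-save it as UTF-8"]

    entries: List[IndexEntry] = []
    errors: List[str] = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no entry
        fields = line.split(";")
        if len(fields) != 3:
            errors.append(f"line {line_no}: expected 3 semicolon-separated fields, found {len(fields)}")
            continue
        user, path = fields[0].strip(), fields[1].strip()
        password = fields[2]  # not stripped: whitespace may be part of the password
        problems = []
        if not user:
            problems.append("empty user account name")
        if not _FULL_PATH.match(path):
            problems.append(f"'{path}' is not a full path")
        elif not path.lower().endswith(_PFX_EXTENSIONS):
            problems.append(f"'{path}' does not look like a PFX (P12) file")
        key = (user.lower(), path.lower())
        if key in seen:
            problems.append("duplicate of an earlier line (same user and file)")
        if problems:
            errors.append(f"line {line_no}: " + "; ".join(problems))
            continue
        seen.add(key)
        entries.append(IndexEntry(line_no, user, path, password))
    return entries, errors


def users_with_multiple_certs(entries: List[IndexEntry]) -> Dict[str, int]:
    """Users that appear on more than one line, i.e. that receive more than one certificate."""
    counts = Counter(e.user for e in entries)
    return {user: n for user, n in counts.items() if n > 1}


# Constructed sample index file (not from the guide); passwords are placeholders.
SAMPLE_INDEX = (
    "CORP\\alice;C:\\certs\\alice.pfx;Placeholder-1\n"
    "CORP\\alice;C:\\certs\\alice-sign.pfx;Placeholder-1\n"       # second cert, own line
    "CORP\\jörg;\\\\fileserver\\certs\\joerg.pfx;Placeholder-2\n"  # non-ASCII name, needs UTF-8
    "CORP\\bob;certs\\bob.pfx;Placeholder-3\n"                     # relative path: rejected
    "CORP\\carol;C:\\certs\\carol.pfx\n"                           # password field missing: rejected
    "CORP\\alice;C:\\certs\\alice.pfx;Placeholder-1\n"             # duplicate: rejected
).encode("utf-8")


if __name__ == "__main__":
    ok, bad = parse_index(SAMPLE_INDEX)
    for e in ok:
        print(f"line {e.line_no}: {e.user} <- {e.pfx_path}")
    for msg in bad:
        print("ERROR", msg)
    print("users with several certificates:", users_with_multiple_certs(ok))
```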
Adding a CA Certificate
A CA certificate is common to all users in the domain. It contains the certificate only, without a private key.
To add a CA certificate:
1. In the Connector Policy Object Editor window, right-click CA certificates, and select Properties. The CA certificates Properties window opens.
2. Click Add. The Add new CA certificate window opens.
3. Click Browse. The Open window opens.
4. Navigate to the appropriate folder, select the .cer CA certificate file, and click Open.
5. Select Enroll to a SafeNet eToken Rescue to import this certificate to a SafeNet eToken Rescue for backup.
6. Click Add.
7. Click Exit.
8. Click OK repeatedly to close the SAM P12 Certificate Import Connector Properties window. The updated connector settings have now been applied.
Connector for SafeNet Network Logon
Note: SafeNet Authentication Manager supports enrollment to eToken Network Logon 5.0 or later.
Windows operating systems enable you to use an alternate access mechanism in place of the default authentication method.
In the Microsoft Windows XP family, including Windows 2000, Windows XP and Windows Server 2003, the identification and authentication aspects of the Windows logon are implemented as a replaceable DLL called GINA (Graphical Identification and Authentication). A new GINA DLL can replace the standard msgina.dll when the system needs to use another method of authentication in place of the Windows default user name/password mechanism. Thus, Windows and eToken together provide the ideal solution for corporate network security.
In the Microsoft Windows Vista family, including Windows Vista and Server 2008, the identification and authentication aspects of the Windows logon are implemented by the Credential Provider.
Depending on your organization’s policies, it is possible for the users themselves to create Windows logon profiles which are stored on their tokens.
The Connector for Network Logon provides easy deployment of user profiles for the SafeNet Network Logon product. It enables you to initialize each token with a list of logon profiles. Each logon profile contains a user ID name, the domain that the user belongs to, a password, and a set of options.
To start working with tokens, configure the Connector for Network Logon by setting the connector parameters.
Supported User Stores
AD: Yes
MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: No
Defining TPO Rules
When the Connector for Network Logon is defined in the TPO, a default profile is created for the domain in which SafeNet Authentication Manager is installed.
Use the Connector Policy Object Editor to set the connector policies.
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for Network Logon, and select Properties. The Connector for Network Logon Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.
5. Click the appropriate network logon profile (in this example, Profile1) in the navigation pane. The profile’s policies are displayed in the right pane.
6. Edit the policies as follows:
Domain netbios name: Defines the NetBIOS name of the domain in the Active Directory that the user enters upon logon. No default
SafeNet eToken Rescue support: Determines if the profile is saved to a SafeNet eToken Rescue replacement token. Default: Not enabled
Logon factor: Determines the logon factor. One-factor: Not supported in NL 5.0. For one-factor logon, we recommend using a token that is configured for one-factor logon in eToken PKI Client. Two-factor: requires the token’s presence and a password to log on. Default: Two-factor
Password type: Determines the password type. Manual password: requires the system administrator to provide the user password during enrollment. Random password: causes the connector to generate a new random user password during enrollment, to reset the user password in the domain, and to write this new password to the token. Default: Manual password. Note: If a manual password is used, when the token is revoked, the password is not removed from the SAM configuration store. If a random password is used, when the token is revoked, the password is removed from the SAM configuration store.
Random password length: Determines the random password length. Default: 14 characters
7. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for Network Logon Properties window. The updated connector settings have now been applied.
Connector for eToken Anywhere
eToken Anywhere is a portable, reader-less smartcard token that enables secure access to the Web, authentication applications, digital signatures, encryption and decryption, and secure e-mail from any computer with a USB port and an Internet connection. With the eToken PRO Anywhere device, users can access their networks and critical data, easily, conveniently, and securely, without requiring a client installation.
Tip: For information about installing and using the eToken PRO Anywhere configuration tool, see the eToken PRO Anywhere How To Guide.
CA Requirements
To enroll User/Server certificates on an eToken Anywhere device, SafeNet Authentication Manager must be installed, and the Connector for Microsoft CA or the Connector for P12 Certificate Import must be configured. See Connector for Microsoft CA on page 202 or Connector for P12 Certificate Import on page 249.
When the Microsoft Standalone Root CA certificate is installed in the Local Computer Trusted Root CA store on the secured site, it is not necessary to install this certificate on the eToken Anywhere (using the SAM P12 Certificate Import Connector).
To log on with eToken Anywhere when the CA certificate is not installed on the device:
When prompted, enter the user PIN and perform a login. If a user selects Choose a digital certificate > view certificate during SSL authentication, a message is displayed indicating that the certificate is not trusted. If the user then clicks the OK button in the Choose a digital certificate window, the user can enter the PIN and authenticate successfully.
Supported User Stores
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes
Defining TPO Rules
Use the Connector Policy Object Editor to set the connector policies.
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for eToken Anywhere, and select Properties. The Connector for eToken Anywhere Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.
5. In the right pane, right-click ISO file definitions, and select Properties. The ISO file definitions properties window opens.
6. Select Define this policy setting and click Launch. The eToken Anywhere Configuration Tool opens.
7. Enter the fields as follows:
eToken Anywhere Application location: Enter the URL of the folder on the server that will hold the eToken Anywhere application.
Application website URL: Enter the URL of the secured website, for example, SSLVPN.
URL display name: Enter the name of the site. This will be visible when right-clicking the eToken PRO Anywhere tray icon. Default: the website URL
“Forgot my password” URL: Enter the URL of the website to open should the user forget the password.
Enable eToken PRO Anywhere remote enrollment: Select this option to enable the user to enroll an eToken PRO Anywhere device.
Remote enrollment URL: Enter the URL used to self-enroll eToken PRO Anywhere devices.
8. Click the Save Profile icon. The eToken Anywhere Configuration Tool automatically downloads the website certificate and creates the eToken Anywhere application files. A confirmation message is displayed.
9. Click OK.
10. The eToken Anywhere Configuration Tool closes. You are returned to the ISO file definition properties window.
11. To export the eToken Anywhere application files to the previously created virtual directory, click Export app. The Browse For Folder window opens.
12. Select the folder in which to save the eToken Anywhere application, and click OK. You are returned to the ISO file definition properties window.
13. To export the eToken Anywhere iso file, click Export iso. The Save As window opens.
14. Select the folder in which to save the eToken Anywhere iso file, and click OK.
15. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for eToken Anywhere Properties window. The updated connector settings have now been applied.
16. Check that the files are downloadable by browsing directly to the files using a web browser, as follows:
https://URL/etanywhereapplication/etany.dat
https://URL/etanywhereapplication/etany.sig
Connector for Check Point Internal CA
Check Point Software Technologies Ltd is a leading provider of security applications. Check Point’s main products are VPN and Firewall applications. Check Point provides a unified security solution called NGX which includes both VPN and Firewall.
The Connector for Check Point Internal CA is a software component that provides SafeNet Authentication Manager users with the ability to log in to Check Point’s security applications using SafeNet authenticators as the user authentication method.
The Connector for Check Point Internal CA supports Check Point Firewall versions NG (R55) or NGX (R60) and later.
Check Point security applications provide a secured environment, allowing only authorized, authenticated users to log in. Check Point applications support specific types of user authentication, including digital certificate-based authentication (PKI).
With the Connector for Check Point Internal CA, the administrator creates certificates for Check Point Internal CA users, and loads the certificates automatically onto the users’ tokens. The connector can also be used to add new users to the Firewall Management.
Internal CA vs. External CA
Certificate-based authentication requires the user to provide a digital certificate valid for logging in to a Check Point secured environment. Digital certificates are issued by a Certification Authority (CA). CP software supports two types of CAs:
An internal CA, included in Check Point products. This type of configuration is the most common.
An external CA, for example, Microsoft CA. This configuration is less common and is not supported by the Connector for Check Point Internal CA.
Supported User Stores
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes
The following are requirements for the Connector for Check Point Internal CA:
Administrator rights for configuration and access to the Check Point SmartDashboard from the computer
Token users who issue login certificates from the Check Point internal CA must exist in the CP internal users database
Check Point Firewall users must be stored in the Check Point internal users database
Note: 64-bit operating systems are not supported.
Configuring the CP Firewall Management
The Connector for Check Point Internal CA must be configured to work with the Check Point Firewall Management as an external application. This involves three procedures:
See Defining the OPSEC Properties on page 245
See Defining the Permissions Profile on page 247
See Installing the Policies on page 253
Defining the OPSEC Properties
To create an OPSEC application:
1. Open the CP SmartDashboard.
2. In the left pane, go to Servers and OPSEC Applications > OPSEC Applications > OPSEC Application.
3. Right-click OPSEC Application, and select New OPSEC Application. The OPSEC Application Properties window opens.
4. Enter the required information in the following fields:
Name: SAMOpsec
Host: the computer name where the Firewall Management is located
Client Entities: CPMI
5. Click Communication. The Communication window opens.
6. Enter and confirm an Activation Key. Record the Activation Key for later use. See Defining TPO Rules on page 254.
7. Click Initialize, and then Close.
Note: At this point in the procedure, the Trust state is Initialized but trust not established. Trust will be established later in the configuration.
In the OPSEC Application Properties window, the communication information is displayed in the DN field.
8. Click OK.
Defining the Permissions Profile
To define a permissions profile for the application:
1. Open the CP SmartDashboard.
2. In the left pane, go to Servers and OPSEC Applications > OPSEC Applications > OPSEC Application.
3. Right-click the new OPSEC application, SAMOpsec, and from the sub-menu, select Edit. The OPSEC Application Properties window opens.
4. Select the CPMI Permissions tab.
5. Select Permissions Profile, and click New. The Permissions Profile Properties window opens.
6. In the General tab, enter a Name for the profile.
7. Select the Permissions tab.
8. Select the required permissions. Ensure that Check Point Users Database is selected and defined as Read/Write.
9. Click OK. In the OPSEC Application Properties window, the new permissions profile is selected in the Permissions Profile dropdown box.
10. Click OK.
Installing the Policies
To install the policies:
1. Open the Install Policy tool from the CP SmartDashboard. The Install Policy window opens.
2. Select the installation target, and click OK. The Installation Process window opens.
3. When the process completes, click Close.
Defining TPO Rules
Use the Connector Policy Object Editor to set the connector policies.
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for Check Point Internal CA, and select Properties. The Check Point Internal CA Connector properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.
Defining the Check Point Server Policy
Define the Check Point Server policy to establish a connection between SafeNet Authentication Manager and Check Point Firewalls, and to map SafeNet Authentication Manager usernames to CP Firewall usernames.
To define the Check Point Server policy:
1. In the right pane of the Connector Policy Object Editor window, right-click Check Point Server, and select Properties. The Check Point Server Properties window opens.
2. Select Define this policy setting.
3. Do one of the following:
To add a new firewall, select Add Firewall.
To change an existing firewall’s settings, select the firewall server from the Firewall Server dropdown list, and select Edit Firewall Settings.
To remove a firewall, select the firewall server from the Firewall Server dropdown list, select Remove Firewall, and click OK.
If you selected Add Firewall, the New Firewall Configuration window opens. If you selected Edit Firewall Settings, the firewall settings are displayed in the Firewall Settings window.
4. In the New Firewall Configuration window or the Firewall Settings window, do the following:
In the Firewall display name field, type any name. This name will appear in the Firewall Server list.
In the Firewall name or IP address field, type the name or IP address of the firewall.
Select Import OPSEC Certificate to import the Check Point OPSEC certificate to SAM for authentication against the Check Point Firewall. The OPSEC Activation Key window opens.
5. See Configuring the CP Firewall Management on page 244, and type the activation key of the certificate created. Click OK. If the certificate was successfully imported, the message A valid OPSEC certificate exists is displayed below the Firewall name or IP address field.
6. To test the connection between SAM and the Check Point Firewall, click Test firewall connection. If the connection is successful, the message The connection to the firewall was tested successfully is displayed.
7. Click OK. When a SafeNet Authentication Manager user is mapped to a user in the Check Point Firewall user database, the SafeNet Authentication Manager user attributes are copied when the user is added to the firewall user database.
Note: Only a SafeNet Authentication Manager user defined in the Microsoft AD can be mapped to a user in the Check Point Firewall user database.
8. To override the default mapping of existing users in the Check Point Firewall, select the Users Map tab in the Firewall Settings window.
9. To see all the users defined in the firewall user database, select Get all firewall users. The list of usernames is displayed in the Firewall Username table.
10. To locate a SAM Username to be mapped to a specific Firewall Username, double-click the blank SAM Username column on the row of the appropriate Firewall Username. The Select User window opens.
11. Select the SafeNet Authentication Manager user to be mapped, and click OK. The list of mapped Firewall Usernames includes the SAM user.
12. Click OK to save the firewall settings.
Defining the Enable Firewall User Creation PolicyTo create a new firewall user during enrollment, this policy setting must be enabled. If it is not, enrollment of a user not on the firewall will fail.
To set the Enable Firewall User Creation policy:
1. In the right pane of the Connector Policy Object Editor window, right‐click Enable Firewall User Creation, and select Properties.The Enable Firewall User Creation Properties window opens.
2. Select Define this policy setting, select Enabled, and click OK.
Connector Configuration 261
Defining the Firewall Username Template PolicyDefine the Firewall Username Template policy to create a matching relationship between the firewall username and its SafeNet Authentication Manager user attributes. This relationship assigns new firewall usernames, and searches for existing firewall users.
To set the Firewall Username Template policy:
1. In the right pane of the Connector Policy Object Editor window, right‐click Firewall Username Template, and select Properties.The Firewall Username Template Properties window opens.
2. Select Define this policy setting.3. To create a template for firewall usernames, select one or more
SAM user attributes that ensure a unique username for each user, and click Add to template after each selection.
4. Click OK.When a new firewall user is created, the values of its selected user attributes are retrieved from the directory service (AD, OpenLDAP, Novell eDirectory, or MS SQL Server). These values are strung together to form a firewall username to which the Check Point certificate is issued.
262 SafeNet Authentication Manager Administrator’s Guide
Defining the Firewall User Template PolicyDefine the Firewall User Template policy to enable the creation of new users on the firewall users database.
To set the Firewall User Template policy:
1. In the right pane of the Connector Policy Object Editor window, right‐click Firewall User Template, and select Properties.The Firewall User Template Properties window opens.
2. Select Define this policy setting and from the drop‐down box, select a template for initializing all the attribute fields of a new firewall user.
3. To view a list of templates available on the firewall, click Retrieve templates from firewall.
4. Click OK.
Note:Check Point does not support concurrent write access to the internal users database. To prevent enrollment failure, the Check Point Smart Dashboard application must not be open during an automatic new user enrollment.
Defining the Auto Install Policies Policy
Auto Install Policies determines how and when to install policies on the firewall gateways so that there is synchronization with the user database.
To install a gateway policy:
1. In the right pane of the Connector Policy Object Editor window, right‐click Auto Install Policies, and select Properties. The Auto Install Policies Properties window opens.
2. Select Define this policy setting.
3. From the Synchronize schedule drop‐down list, select one of the following:
Never
Always
On administrator enrollment only
On self enrollment only
4. From the Install policies to drop‐down list, select one of the following:
All gateways
Selected gateways: To retrieve the names of gateways, click Retrieve names from firewall, and select gateways from the Policy installation targets box.
5. Click OK repeatedly to close the Check Point Server Properties and the Connector Policy Object Editor windows. The updated connector settings have now been applied.
Defining the SafeNet eToken Rescue Support Policy
To import the Check Point certificate to a SafeNet eToken Rescue for backup, enable the SafeNet eToken Rescue Support policy.
To set the SafeNet eToken Rescue Support policy:
1. In the right pane of the Connector Policy Object Editor window, right‐click SafeNet eToken Rescue Support, and select Properties.
2. Select Define this policy setting, select Enabled, and click OK.
Connector for Entrust
Entrust Authority Security Manager
The Entrust Authority public‐key infrastructure (PKI) uses Entrust Authority Security Manager as the Certification Authority (CA) system responsible for issuing and managing users' digital identities.
Entrust Authority Security Manager manages the full lifecycle of Digital Identities required to automate all security‐related processes in an organization. It provides the underlying security infrastructure that issues, manages, and administers user keys and certificates. It is the centralized, auditable Policy Management that enforces policies automatically and in real‐time.
As the organization's CA system, the Entrust Authority Security Manager software enables the use of digital signature, digital receipt, encryption, and permissions management services across a wide variety of applications and solutions.
Note: Entrust Authority Security Toolkit for the Java Platform must be installed. See System Requirements on page 268.
SafeNet Authentication Manager - Entrust Integration
Integrating SAM infrastructure with Entrust Authority Security Manager PKI functionality enables the seamless integration of Entrust‐based certificate and keys lifecycle management in the SafeNet Authentication Manager token management and enrollment websites.
Customers deploying the SafeNet Authentication Manager Entrust Connector seamlessly manage the whole Entrust digital ID's lifecycle through the SAM Management Center.
The SAM Management Center provides users with:
No‐touch self‐service token installation
Entrust's certificate enrollment and management operations
Automated user provisioning
Policy‐based enrollment
The “employee on the road” continued functionality solution
Main Features
The Connector for Entrust does the following:
Provides seamless integration between SafeNet Authentication Manager and the Entrust CA. Through the SafeNet Authentication Manager infrastructure, token users enroll certificates issued by Entrust, and generate private keys on tokens.
Enables Entrust customers to manage PKI lifecycle operations, including key enrollment, key revocation, key recovery, and re‐enrollment, through the SAM Management Center or SAM Self Service Center.
Allows automated certificate renewal, as well as the change and addition of key pairs, through the SAM Remote Service Center, SAM Management Center, and SAM Self Service Center.
Supports the SafeNet Authentication Manager “employee on the road” feature. This solution provides a user with continued access to computers and networks after losing or damaging a token.
Enables the configuration of TPO settings to control the automated enrollment of certificates to tokens based on specific groups of users.
Allows automated user provisioning into the Entrust CA, if the user does not already exist for automated enrollment.
Requires that only the SafeNet Authentication Manager client be installed, and not the Entrust client, to enroll Entrust certificates to a token.
Enables the auditing of Entrust‐related PKI operations performed using the Connector for Entrust.
Architecture
Certificate requests are processed as follows:
1. The SafeNet Authentication Manager Server transfers certificate requests from the SafeNet Authentication Manager client to Entrust Authority Security Manager.
2. The Entrust CA issues the certificates.
3. Entrust Authority Security Manager publishes the issued certificates within its user directory.
In one possible SafeNet Authentication Manager ‐ Entrust Authority Security Manager integration scenario, user information is held in one common user directory.
Alternatively, one user directory may store user information for SAM in one domain, while another LDAP user directory stores user information for Entrust Authority Security Manager in another domain.
Deployment Recommendations
For security, maintenance, and availability reasons, we strongly recommend the following practices:
Use a separate server for deploying each server side component. These include the Entrust Authority, the SafeNet Authentication Manager Server, and the Active Directory domain controllers.
Although SafeNet Authentication Manager supports the installation of the Entrust Authority software on the same server as the SafeNet Authentication Manager Server, this type of deployment is recommended for testing and demonstration purposes only.
Create and enforce a regular backup policy of all servers, including the Active Directory domain controllers, the SafeNet Authentication Manager Server, and the Entrust Authority.
Backups should be saved in a separate offline storage or on backup tapes, preferably in a location separate from the servers. Failure to maintain updated backups of the server components may result in lost data in the event of an unexpected hardware or software failure.
System Requirements

Server

Component                                                  Supported Version(s)
TMS or SafeNet Authentication Manager Server               2.0 SP3 or later
Entrust Authority Security Manager                         7.1
Entrust Authority Security Manager Administration          7.1
Entrust Authority Security Runtime Components              7.1
Java Runtime Environment (JRE)                             1.5
Entrust Authority Security Toolkit for the Java Platform

Note: JRE is required only if SafeNet eToken Rescue tokens are used.

Administrator Workstation

Component                                                  Supported Version(s)
TMS or SafeNet Authentication Manager Management Tools     2.0 SP3 or later
Java Runtime Environment (JRE)                             1.5

Non-Administrator Workstation

Component                                                  Supported Version(s)
TMS or SafeNet Authentication Manager Client               2.0 SP2 or later
Java Runtime Environment (JRE)                             1.5

Note: JRE is required only if you do not enroll your tokens centrally, or if you want to provide Entrust self service operations to your clients.

Prerequisites

Installing the Entrust Java Toolkit

To install the Entrust Java Toolkit:
1. After installing the SafeNet Authentication Manager Server, create a folder named Entrust Java Toolkit in the X32 or X64 folder in the SafeNet Authentication Manager installation folder.
2. Ensure that you have a licensed version of the Entrust Authority Security Toolkit for the Java Platform installed.
3. Copy the Entrust Authority Security Toolkit for the Java Platform file (enttoolkit.jar) to the newly‐created Entrust Java Toolkit folder in SAM.
Tip: For more information, contact SafeNet Support. See Support on page iii.
Installing JRE
Sun Microsystems' Java Runtime Environment (JRE) version 1.5 must be installed on each SafeNet Authentication Manager client computer and server that performs enrollment, update, revocation, and other token and certificate operations.
Note: JRE is not required on users' workstations if you enroll tokens centrally, or if you do not provide Entrust self service operations to your clients.
The Connector for Entrust functionality does NOT support versions of JRE other than 1.5.
If your installation requires client computers to run a JRE version other than 1.5, install and configure a “side by side” installation. See Installing Multiple Versions of JRE on page 270. Otherwise, download JRE 1.5 from Sun Microsystems' website at http://java.sun.com and install it on the client computers that require it.
Installing Multiple Versions of JRE
You can install a “side by side” installation of JRE 1.5 by copying a JRE folder from a different computer. Do this if you have other applications on the client computer that require other versions of JRE.
To copy JRE from another computer:
1. Download JRE 1.5 from Sun Microsystems' website at http://java.sun.com, and install it on a computer that is not required as a SafeNet Authentication Manager client or server in the SafeNet Authentication Manager ‐ Entrust implementation. This installs the JRE folder, which is typically located at: C:\Program Files\Java\JRE1.5.0_xx
2. Copy the JRE folder to each SafeNet Authentication Manager server and client computer.
3. Create the JRE 1.5 registry key on each computer where the JRE folder has been copied.
Creating a JRE 1.5 Registry Key
If you install JRE 1.5 by running the standard installer, the Connector for Entrust is automatically directed to JRE 1.5 and you do not need to edit the registry. However, in the following circumstances you must create a new registry key to direct the Connector for Entrust to JRE 1.5:
In addition to JRE 1.5, you have installed a different version of JRE on the client computer.
You installed JRE 1.5 by copying the JRE folder from a different computer. See Installing Multiple Versions of JRE on page 270.
To create a new registry key:
1. To open the Registry Editor, go to Start>Run and enter Regedit.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE>SOFTWARE>SafeNet>Authentication>SAM.
3. Right‐click SAM, and select New>Key.
4. Replace the New Key name with Connectors.
5. Right‐click the new Connectors folder, and select New>Key.
6. Replace the New Key name with Entrust.
7. Right‐click the new Entrust folder, and select New>String Value.
8. In the right pane, replace the New Value name with RuntimeLib.
9. Right‐click RuntimeLib, and select Modify. The Edit String window opens.
10. In the Value data field, enter the path to the jvm.dll file, and click OK. The jvm.dll is typically located at: C:\Program Files\Java\jre1.5.0_xx\bin\client
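The same registry change as an added PowerShell script (example code, not from the SafeNet guide): it creates the Connectors and Entrust keys and the RuntimeLib string value in one step, and refuses to store a path that does not point at an existing jvm.dll. The function name and the sample jvm.dll path are assumptions; run it from an elevated prompt on the computer that received the copied JRE folder.

```powershell
# Added example, not part of the SafeNet guide. Writes the REG_SZ value
# HKLM\SOFTWARE\SafeNet\Authentication\SAM\Connectors\Entrust\RuntimeLib
# pointing at the jvm.dll of a side-by-side JRE 1.5 (steps 2-10 above).
function Set-EntrustRuntimeLib {
    param(
        # Full path to jvm.dll; the jre1.5.0_xx folder name differs per installation.
        [Parameter(Mandatory = $true)]
        [string]$JvmDllPath
    )

    $samKey     = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAM'
    $entrustKey = "$samKey\Connectors\Entrust"

    # The SAM key is created by the SafeNet installer; without it this is not a
    # SAM computer and the value would point the connector at nothing.
    if (-not (Test-Path -LiteralPath $samKey)) {
        throw "SAM registry key not found at $samKey; is SafeNet Authentication Manager installed?"
    }

    # Refuse to store a wrong or dangling path: the connector would otherwise fail
    # to load the JVM at enrollment time with a far less helpful error.
    if ((Split-Path -Path $JvmDllPath -Leaf) -ne 'jvm.dll') {
        throw "RuntimeLib must point at jvm.dll, got '$JvmDllPath'"
    }
    if (-not (Test-Path -LiteralPath $JvmDllPath -PathType Leaf)) {
        throw "jvm.dll not found at '$JvmDllPath'"
    }

    # -Force creates the intermediate Connectors key as well (steps 3-6).
    if (-not (Test-Path -LiteralPath $entrustKey)) {
        New-Item -Path $entrustKey -Force | Out-Null
    }

    # Steps 7-10: a string value named RuntimeLib holding the jvm.dll path.
    New-ItemProperty -Path $entrustKey -Name 'RuntimeLib' -Value $JvmDllPath `
        -PropertyType String -Force | Out-Null

    # Read the value back so the caller sees exactly what the connector will use.
    return (Get-ItemProperty -Path $entrustKey -Name 'RuntimeLib').RuntimeLib
}

# Sample call (constructed path); replace jre1.5.0_xx with the folder that was
# actually copied to this computer.
Set-EntrustRuntimeLib -JvmDllPath 'C:\Program Files\Java\jre1.5.0_xx\bin\client\jvm.dll'
```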
Connector for Entrust Configuration
The Connector for Entrust is included in the Connectors Settings node in the TPO Editor, enabling the definition of an enrollment policy. To set the Connector for Entrust policies, open the Connector Policy Object Editor, and then define each policy setting.
Opening the Connector Policy Object Editor
To open the Connector Policy Object Editor:
1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
The list of installed connectors opens in the right pane.
3. In the right pane, right‐click Connector for Entrust, and select Properties. The Connector for Entrust Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor window opens.
Defining the CA Policy
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click CA. The CA Properties window opens.
2. Select Define this policy setting.
3. Enter the fields as follows:
Note: The policy settings for the .epf file and the security officer's password are applied to the entire domain. Once the CA properties are defined, they are applied to all Entrust TPOs created afterwards. Any changes to the CA settings for one TPO are applied to all TPOs in the domain.

Field: Select Security Manager Administration .ini file
Description: The UNC (network) path to the Entrust Authority Security Manager Administration .ini file. Full read and write permissions to the destination folder are required.

Field: Select security officer's .epf file
Description: The UNC (network) path to a security officer's Entrust profile file (.epf).
Tip: During the Entrust Authority Security Manager installation, an .epf was created for the initial user, First Officer. The file is typically located at: C:authdata/manager/epf

Field: Enter security officer's password
Description: The password of the .epf's officer.

Field: Enter IP address of Security Manager
Description: The IP address or server name of the Entrust Authority Security Manager.

Field: Enter port of Security Manager
Description: The Entrust Authority Security Manager port is typically 829. To see the port number, open the Entrust Authority Security Manager Administration .ini file, typically located at: C:\Program Files\entrust\Security Manager Administration, and look in the Entrust Settings section for the following line: Authority=<computer name>+<port number>

Field: Enter IP address of Security Manager domain directory
Description: The IP address of the Security Manager domain's user directory.
4. Click Validate to check that the Entrust Authority Security Manager Administration .ini file, the security officer's .epf, and the password are valid.
5. Click OK.
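An added PowerShell helper (example code, not from the SafeNet guide) for the Security Manager address and port fields above: it reads the Authority=<computer name>+<port number> line out of the Security Manager Administration .ini file and checks that the port accepts a TCP connection from the SAM server before you click Validate. The function names, the bracketed [Entrust Settings] section header, and the sample host name are assumptions; the .ini content is constructed.

```powershell
# Added example, not part of the SafeNet guide. Parses the Security Manager
# Administration .ini for the Authority line and probes the resulting TCP port.
function Get-EntrustAuthorityEndpoint {
    param([Parameter(Mandatory = $true)][string]$IniPath)

    $inSection = $false
    foreach ($raw in Get-Content -LiteralPath $IniPath) {
        $line = $raw.Trim()
        # Section headers look like [Name]; the guide calls the relevant one
        # "Entrust Settings" (the bracketed spelling is assumed here).
        if ($line -match '^\[(?<name>.+)\]$') {
            $inSection = ($Matches['name'] -eq 'Entrust Settings')
            continue
        }
        if (-not $inSection) { continue }
        # Authority=<computer name>+<port number>, as quoted in the guide.
        if ($line -match '^Authority\s*=\s*(?<host>[^+]+)\+(?<port>\d{1,5})\s*$') {
            return [pscustomobject]@{
                ComputerName = $Matches['host'].Trim()
                Port         = [int]$Matches['port']
            }
        }
    }
    throw "No Authority=<host>+<port> line found in the Entrust Settings section of '$IniPath'"
}

function Test-EntrustAuthorityPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)

    # Plain TCP connect with a timeout; works on any Windows PowerShell version.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Constructed sample .ini so the script runs stand-alone; point $iniPath at the
# real file (typically under C:\Program Files\entrust\Security Manager Administration).
$iniPath = Join-Path $env:TEMP 'entsm-sample.ini'
@'
[Entrust Settings]
Authority=entsm01.example.local+829
'@ | Set-Content -LiteralPath $iniPath

$endpoint = Get-EntrustAuthorityEndpoint -IniPath $iniPath
Write-Output ("Security Manager: {0} port {1}" -f $endpoint.ComputerName, $endpoint.Port)

# These are the values for "Enter IP address of Security Manager" and
# "Enter port of Security Manager"; if this probe fails, Validate will fail too.
if (-not (Test-EntrustAuthorityPort -ComputerName $endpoint.ComputerName -Port $endpoint.Port)) {
    Write-Warning ("TCP port {0} on {1} is not reachable from this computer" -f $endpoint.Port, $endpoint.ComputerName)
}
```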
Defining the Add User to Security Manager Policy
To enroll new users that are not yet on the Entrust Authority Security Manager internal user list, enable the Add User to Security Manager policy.
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Add User to Security Manager. The Add User to Security Manager Properties window opens.
2. Select Define this policy setting, select one of the following, and click OK.
Enabled: Upon enrollment, SafeNet Authentication Manager automatically adds the user to the Entrust Authority Security Manager internal user list if the user is not found on the list.
Disabled: Users are not added to the Entrust Authority Security Manager internal user list. If enrollment is requested for a user not found on the Entrust Authority Security Manager internal user list, the enrollment fails.
Note: If the Security Manager and SafeNet Authentication Manager are not in the same domain, users are added to the Entrust Authority Security Manager internal user list only if the Security Manager and SafeNet Authentication Manager on Different Domains policy is enabled.
Defining the Security Manager and SAM on Different Domains Policy
Set the Security Manager and SafeNet Authentication Manager on Different Domains policy to True only if the Security Manager and SafeNet Authentication Manager are not in the same domain. If this policy is set to True, the following policies must be defined:
Username for Security Manager Domain Directory
User Password for Security Manager Domain Directory
User Path on Security Manager Domain Directory
Username Template
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Security Manager and SAM on Different Domains. The Security Manager and SAM on different domains Properties window opens.
2. Select Define this policy setting, select one of the following, and click OK.
Enabled: Upon enrollment, SafeNet Authentication Manager maps the user defined in the SafeNet Authentication Manager domain directory to the Entrust Authority Security Manager domain user directory. Select this option only if the Security Manager and SafeNet Authentication Manager are not in the same domain.
Disabled: Users are not mapped to a different domain. If Security Manager and SafeNet Authentication Manager are not in the same domain, and an enrollment is requested, the enrollment fails.
Defining the Domain Username Policy
Define the Username for Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Username for Security Manager Domain Directory. The Username for Security Manager Domain Directory Properties window opens.
2. Select Define this policy setting, and enter a username that has connect permissions to the Entrust Authority Security Manager domain directory.
3. Click OK.
Defining the Domain User Password Policy
Define the User Password for Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click User Password for Security Manager Domain Directory. The User Password for Security Manager Domain Directory Properties window opens.
2. Select Define this policy setting, and enter the password of the administrator or user defined in the Username for Security Manager Domain Directory policy setting.
3. Confirm the password.
4. Click OK.
Defining the User Path Policy
Define the User Path on Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click User Path on Security Manager Domain Directory. The User Path on Security Manager Domain directory Properties window opens.
2. Select Define this policy setting, and enter the domain path to the Entrust users' OU or group in the Security Manager domain directory.
3. Click OK.
Defining the Username Template Policy
Define the Username Template policy if the Security Manager and SAM on Different Domains policy is enabled.
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Username Template. The Username Template Properties window opens.
2. Select Define this policy setting.
3. To create the appropriate Directory username template, select one or more attributes in the SafeNet Authentication Manager user list, and click Add to template after each selection.
4. Click OK.
Mapping Attributes
Attributes from the Entrust user store must be mapped to the attributes on the SafeNet Authentication Manager user store.
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Attribute Mapping. The Attribute mapping Properties window opens.
2. Select Define this policy setting and map the attributes.
Defining the Add User to Security Manager Directory Policy
Enable the Add User to Security Manager Directory policy only if the following policies are enabled:
Add User to Security Manager
Security Manager and SAM on Different Domains
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Add User to Security Manager Directory. The Add User to Security Manager Directory Properties window opens.
2. Select Define this policy setting, select one of the following, and click OK.
Enabled: Upon enrollment, SAM adds the user to the user directory in the Entrust Authority Security Manager domain, if:
The Add User to Security Manager policy is enabled
The Security Manager and SAM on different domains policy is enabled
The user does not yet exist in the user directory in the Entrust Authority Security Manager domain
Users can be added only to an AD or general LDAP directory.
Disabled: Users are not added to the user directory in the Entrust Authority Security Manager domain. If enrollment is requested for a user not found in the user directory in the Entrust Authority Security Manager domain, the enrollment fails.
Defining the User Role Policy
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click User Role. The User Role Properties window opens.
2. Select Define this policy setting.
3. In the Select the user role dropdown list, select a role from the list of roles defined in Entrust Authority Security Manager Administration.
4. Click OK.
Note: If the unique name of the selected user role is changed in Entrust Authority Security Manager Administration, you must select the renamed user role in TPO so that the name remains the same in both Entrust and SafeNet Authentication Manager. If this is not done, enrollment will fail.
Defining the Certificate Type Policy
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Certificate Type. The Certificate Type Properties window opens.
2. Select Define this policy setting.
3. In the Select the certificate type dropdown list, select a certificate type from the list of certificate types defined in Entrust Authority Security Manager Administration.
Note: The certificate type selected here overrides the setting in Entrust Authority Security Manager.
4. Click OK.
Defining the Last Security Manager Update Policy
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click Last Security Manager Update. The Last Security Manager Update Properties window opens.
2. Select Define this policy setting.
Note: The Last Security Manager Update policy controls the update behavior of the Entrust content on the tokens. When this date is updated, all tokens controlled by this TPO will be considered out‐of‐date. The Entrust content on a token will be updated the next time the user accesses the SAM Self Service Center.
3. Select the date when you last changed the policy settings in Entrust Authority Security Manager.
4. Click OK.
Defining the SafeNet eToken Rescue Support Policy
To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double‐click SafeNet eToken Rescue Support. The SafeNet eToken Rescue Support Properties window opens.
2. Select Define this policy setting.
3. Select one of the following, and click OK.
Enabled: Entrust certificates are added to a SafeNet eToken Rescue
Disabled: Entrust certificates are not added to a SafeNet eToken Rescue
4. To complete the connector configuration, click OK.
Entrust Security Manager Administration Configuration
Creating a Certificate with Backup
To create a certificate with backup:
1. In the Entrust Security Manager Administration, navigate to Security Policy>User Policies.
2. Select the required security policy.
3. In the General Information tab, in the Policy Attributes area, select Back up private key.
4. Make sure that Generate key at client is not selected.
5. Click Apply.
Working with Java Card
To work with Java Card, the following steps must be performed before enrollment:
1. In the Entrust Security Manager Administration, navigate to Security Policy>User Policies.
2. Select End User Policy.
3. In the General Information tab, in the Policy Attributes area, select Public Token Certs.
4. Click Apply.
Working with SafeNet eToken Rescue
To work with SafeNet eToken Rescue, the following steps must be performed before enrollment:
1. In the Entrust Security Manager Administration, navigate to Security Policy>User Policies.
2. Select End User Policy.
3. In the General Information tab, in the Policy Attributes area, select Public Token Certs and Private key export from CAPI.
4. Click Apply.
Using SAM with Entrust
SafeNet Authentication Manager offers standard features when used with any certification authority and deployment mode, including Entrust Authority. However, some functions are specific to the Entrust ‐ SafeNet Authentication Manager integration.
SAM Remote Service Center
Receiving a Virtual Token to Replace a Lost or Damaged Token
The Connector for Entrust supports the SafeNet Authentication Manager “employee on the road” feature. This feature enables a user continued access to computers and networks after losing or damaging their token.
If an eToken device is lost when away from the office, the user should access the SAM Remote Service Center website. After answering the required personal authentication questions, the user receives a virtual (software‐based) token that contains a copy of their previously enrolled Entrust keys. Upon returning to the office, the user accesses the SAM Self Service Center website, and enrolls a replacement physical token. During this process, the original keys are revoked (if so configured in Entrust), the Entrust CRL is updated to reflect this change, and an Entrust recovery process is performed silently. In addition, keys marked to be available after revocation are also placed on the new token to allow continued access to data protected by those keys.
Note: Key recovery with SafeNet eToken Rescue using SAM requires the enabling of key backup in Entrust.
SAM Self Service Center
Enrolling Entrust Certificates
Users can use the SAM Self Service Center to enroll tokens with Entrust certificates, even if the SafeNet Authentication Manager Client or Entrust Client is not installed on the local computer.
If the TPO is set correctly to add users in Entrust upon enrollment, user enrollment in SafeNet Authentication Manager will succeed, regardless of whether or not the user was previously enabled in Entrust. The user is automatically enrolled in Entrust according to the TPO rules assigned to the user. Activation keys are not required and the user's token is enrolled with the certificates as defined by the TPO rules.
If the TPO rules determine that the user cannot be automatically enrolled in Entrust, or if a TPO for the user does not exist, the user is prompted to contact the Help Desk.
SAM Management Center
Viewing Error Messages, Audits, and Reports
The organization's security officer can use the Help Desk feature in the SAM Management Center to view eToken Entrust‐related information. This includes audit logs for certificate related operations performed in Entrust from SafeNet Authentication Manager, such as configuration changes, enrollment, and revocation.
To display Connector for Entrust information:
1. In Help Desk, search for the required token. The token is displayed, and the Application Field displays the Connector for Entrust.
2. Click the Details link. The Application Details window opens.
Error messages showing failed operations relating to Entrust Authority Security Manager are displayed in the default application event log. The error messages show the action attempted, and the specific Entrust Authority Security Manager error.
Behavior and Limitations
The following information provides clarification about expected behavior and known limitations of the SAM Entrust Connector.
Only one Entrust CA is supported.
When generating a SafeNet eToken Rescue containing an Entrust certificate to support the “I lost my token” scenario, a key recovery operation is performed by the Entrust Authority. This is because SafeNet Authentication Manager does not keep copies of Entrust key pairs for recovery purposes. This is different from the behavior of Connector for Microsoft CA.
The Connector for Entrust does not include support for supplying or using activation codes manually. All activation and enrollment processes are automated. If you attempt to enroll a user for which activation codes have already been generated through the Entrust Authority Security Administration, the user will be silently enrolled, and the activation codes will be ignored.
When enrolling in Entrust Authority Security Manager using SafeNet Authentication Manager, the Entrust user role and certificate type defined in Entrust Authority Security Manager are ignored, and the settings from the SafeNet Authentication Manager TPO are used instead.
User configuration changes done on the Entrust Authority Security Manager side do not take effect automatically. To apply configuration changes, perform the configuration in the SafeNet Authentication Manager TPO.
SafeNet Authentication Manager TPO configuration changes take effect only when the last configuration update date on the TPO is modified.
In the Entrust Authority Security Manager, the spillover parameter must be disabled.
Chapter 12
Licensing
SAM licenses are issued according to token type and SafeNet Authentication applications. Licenses can be accumulated; when you purchase an additional license it is added to your existing one.
In this section:
Licensing Overview
Evaluation License
Upgrading Licenses from Earlier Versions
Viewing Licenses
Applying a License
Multi-Domain Licenses
Licensing Overview
You can accumulate SafeNet Authentication Manager licenses by adding new licenses to your existing one. The sum of allowed users and tokens is the sum of all accumulated licenses.
A SafeNet Authentication Manager license counts the following items separately:
A user with any type of token
A MobilePASS token
A SafeNet eToken Virtual authenticator
A token with SafeNet SSO profiles
A token with SafeNet Network Logon profiles
Each license‐related action, such as token assignment or MobilePASS enrollment, increments or decrements the appropriate license counter. The maximum number allowed for each counter is determined by the license(s) purchased.
Evaluation License
New SafeNet Authentication Manager installations may be assigned an evaluation license. A SafeNet Authentication Manager evaluation license has the following features:
Allows a maximum of 10 token users
Allows a maximum of 10 of each of the following tokens:
A MobilePASS token
A SafeNet eToken Virtual authenticator
A token with SafeNet SSO profiles
A token with SafeNet Network Logon profiles
Has an expiration date
SafeNet Authentication Manager evaluation licenses can be accumulated. The latest expiration date of all the licenses is applied. The SafeNet Authentication Manager evaluation license is cancelled when a standard license is added.
Upgrading Licenses from Earlier Versions
When data is migrated from TMS version 2.0 or later to SafeNet Authentication Manager 8.0, the earlier versions’ licenses remain valid. You may need to upgrade your SafeNet Authentication Manager license for new features, such as SafeNet eToken Virtual or MobilePASS, or to use certain connectors, such as SAM Connector for SafeNet SSO. To ensure that your license is valid, see Viewing Licenses on page 295. To add a license, see Applying a License on page 296.
Viewing Licenses
You can view your licenses in the SafeNet Authentication Manager Configuration Manager.
To view licenses:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 192). The SAM Configuration Manager window opens.
Note: In the following situations, a warning message is displayed in the bottom frame of the SAM Configuration Manager window:
Your license has reached nearly all of its capacity
Your license has an expiration date
2. From the Action menu, select License >View.
The License Details window displays the details of the current license.
3. Click Close to exit the window.
Applying a License
Use the SAM Configuration Manager to add a new license or apply an existing license from a different domain or user store.
To add or apply a license:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 192). The SAM Configuration Manager window opens.
2. From the Action menu, select License>Add.
The Add License window opens.
3. To add a new license, do the following:
a. Select Increase the license allowance by adding a new SAM license to the primary license.
b. Copy the new license string provided by SafeNet.
4. To apply an existing license, do the following:
a. Select Use the primary license already configured for the following domain.
b. Click Browse.
c. Select the domain containing the current license.
5. Click Add License and then click Close to exit the window.
Multi-Domain Licenses
The same license can be used in a multi‐domain environment and with multiple user stores. The primary license is installed on one server, and secondary licenses are installed on additional servers. The secondary servers must be configured to use the primary license. For example, if you need SafeNet Authentication Manager installed on two domains, each having 1,000 users and 200 tokens with SafeNet SSO profiles, you can install a license for 2,000 users and 400 tokens with SafeNet SSO profiles on one of the domains. When configuring the other SafeNet Authentication Manager instance, select the domain on which the license file is installed.
Note: Since the same license can be used for multiple domains, the licensing counter can become inaccurate due to replication or failed operations. Use the SAM Backend Service to ensure that licensing data from all domains remains synchronized. See Controlling SAM Backend Services on page 355 to manually initiate the SAM Backend Service Synchronize licenses process.
Chapter 13
Authorization Manager
Use the SafeNet Authentication Manager Authorization Manager to manage roles, tasks, operations, and role assignments.
Note: In SafeNet Authentication Manager, the authorization management settings (roles) are stored in the configuration store.
In this section:
- Authorization Management Overview
- Predefined Roles
- Defining a New Scope
- Defining Roles
- Defining Tasks
Authorization Management Overview
SafeNet Authentication Manager encompasses three levels of assignments, built into a hierarchical structure:
- Role: Level 1 activity (group of one or more tasks)
- Task: Level 2 activity (group of one or more operations)
- Operation: Level 3 activity (single action)
The lowest level in the hierarchy is Operation. A Task consists of one or more Operations and may include other Tasks. A Role is made up of a number of Tasks and Operations. In addition, a Scope may be determined for each role, to determine which Domain, OU, or Group the role applies to. Use the Authorization Manager to:
- Define roles and tasks
- Allocate role assignments
- Create additional roles, tasks, operations and role assignments
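The Role > Task > Operation hierarchy above, with sub-tasks and sub-roles, resolved into effective operations. This is an added example, not SafeNet code; the role, task and operation names are hypothetical, and the cycle guard covers a definition that (by mistake) includes itself.

```python
from typing import Dict, Optional, Set

# Constructed definitions with hypothetical names. A task may include other
# tasks; a role may include sub-roles, tasks and operations directly, mirroring
# the Roles, Tasks and Operations tabs of the definition windows.
TASKS: Dict[str, Dict[str, Set[str]]] = {
    "ViewTokens": {"operations": {"token.view"}, "tasks": set()},
    "AssignTokens": {"operations": {"token.assign"}, "tasks": {"ViewTokens"}},
    "RecoverCertificates": {"operations": {"certificate.recover"}, "tasks": {"ViewTokens"}},
}
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "LocalHelpdesk": {"roles": set(), "tasks": {"AssignTokens"}, "operations": {"user.unlock"}},
    "RecoveryApprover": {"roles": {"LocalHelpdesk"}, "tasks": {"RecoverCertificates"}, "operations": set()},
}


def task_operations(task: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a task and its sub-tasks into the operations they grant.
    'seen' stops infinite recursion if two task definitions include each other."""
    seen = set() if seen is None else seen
    if task in seen:
        return set()
    seen.add(task)
    definition = TASKS[task]
    ops = set(definition["operations"])
    for sub_task in definition["tasks"]:
        ops |= task_operations(sub_task, seen)
    return ops


def role_operations(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective operations of a role: its own operations, those of its tasks
    (recursively) and those of its sub-roles (recursively)."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    definition = ROLES[role]
    ops = set(definition["operations"])
    for task in definition["tasks"]:
        ops |= task_operations(task)
    for sub_role in definition["roles"]:
        ops |= role_operations(sub_role, seen)
    return ops


def roles_granting(operation: str) -> Set[str]:
    """Reverse lookup for a least-privilege review: which roles end up with this operation?"""
    return {role for role in ROLES if operation in role_operations(role)}
```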
Predefined Roles
SafeNet Authentication Manager is configured with the following predefined roles:
| Predefined Role | Website(s) | Assigned Tasks Allowed |
|---|---|---|
| Administrator | SAM Management Center | All SAM tasks |
| Helpdesk | SAM Management Center | All SAM tasks except modifying TPOs |
| Certificate Recovery | SAM Management Center | Certificate Recovery |
| First Tier Approvers | SAM Management Center | First tier approval of certificate recovery |
| Second Tier Approvers | SAM Management Center | Second tier approval of certificate recovery |
| User | SAM Self Service Center, SAM Rescue Service Center | All self service options on the SAM Remote Service Center and the SAM Self Service Center |
Defining a New Scope
You can assign a new scope for the SAM Management Center. This determines if the roles apply to the domain, to an organizational unit (OU) or a group. A scope enables you to define local administrators or help desk staff with responsibility for only a section of the user store, such as an OU or a group of users. Some common examples would be to define local administrators in a specific location (OU scope) or to define a special administrator for senior managers (group scope).
To define a new scope for the SAM Management Center:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 192).
2. From the Action menu, select Authorization Manager > Edit Roles. The SafeNet Authentication Manager ‐ Authorization Manager opens.
3. In the SAM Authorization Manager left pane, right‐click SAM Management Center, and select New Scope. The New Scope window opens.
4. Select one of the following containers for which the role will apply:
- Domain
- OU (Organizational Unit): Click Browse. The OU window opens. Select the required OU, and click OK.
- Group: Click Browse. The User or Group window opens. Enter the required group name, and click OK.
5. Type a description, and click OK.
Defining Roles
Note: If you change the name of a Role, the Users assigned to that Role are removed.
To define a new role definition:
1. In the SAM Authorization Manager left pane, expand the appropriate node to Definitions > Role Definitions.
2. Right‐click Role Definitions and select New role definition.
The Role Definition window opens.
3. Enter the Name and Description of the new role definition, and click Add. The Add Definition window opens.
4. Select the Roles tab.
5. If required, select a role to be added as a sub‐role to the new role.
6. Select the Tasks tab.
7. Select the tasks to include in the new role.
8. Select the Operations tab.
9. Select the operations to include in the new role, and click OK. The new role is created.
Defining Tasks
To define a new task definition:
1. In the SAM Authorization Manager left pane, expand the appropriate node to Definition > Task Definitions.
2. Right‐click Task Definitions and select New task definition. The New Task window opens.
3. Enter the Name and Description of the new task definition, and click Add. The Add Definition window opens.
4. Select the Tasks tab.
5. If required, select a task to be added as a sub‐task to the new task.
6. Select the Operations tab.
7. Select the operations to include in the task, and click OK. The new task is created.
Chapter 14
User Permissions
The administrator can configure the users' permissions, and change them as required.
In this section:
- Permissions for Basic Administration
- Granting Dial-In Permission to the User Account
- Granting Permissions for Microsoft CA Templates
- Delegating Password Reset Control
Permissions for Basic Administration
SAM Service Account Permissions
| Operation | Permission Required |
|---|---|
| Managing eToken Network Logon | Permission to change other domain users' passwords |
| Managing the SAM OTP Authentication Connector | Permission to change the dial-in properties of the user account. See Granting Dial-In Permission to the User Account on page 311 |
| Managing the SAM Microsoft CA Connector | Read and enroll permissions for the templates to be used, such as enrollment agent and smartcard logon. See Granting Permissions for Microsoft CA Templates on page 314 |
| Managing the SAM P12 Certificate Import Connector | Read permissions to the libraries where the pfx files and the password index files are stored |
| Managing the SAM Check Point Internal CA Connector | No additional permissions |
| Resetting passwords | Delegate the task to the required group, for example, the Helpdesk group. See Delegating Password Reset Control on page 315 |
User Permissions for Installing SAM
| Operation | Permission Required |
|---|---|
| Installing SafeNet Authentication Manager | In AD/AD installations, must be a member of the Schema Administrator group and the Domain Administrator group |
| Managing SAM websites | Read permissions to the SAM website directory on the IIS server |
Granting Dial-In Permission to the User Account
Dial‐in permissions are required for the user managing the SAM OTP Authentication Connector. See Permissions for Basic Administration on page 310.
To grant dial-in permission to the user account:
1. Open ADSI Edit.
Tip: In Windows Server 2003, ADSI Edit is part of the Windows Support Tools installed from the server installation media. In Windows Server 2008, the Windows Support Tools are included in the RSAT (Remote Server Administration Tools). ADSI Edit is part of the Active Directory Domain Controller Tools feature.
The Console 1 window opens.
2. In the left pane, expand the appropriate domain.
3. Right‐click the user to be the SafeNet Authentication Manager Helpdesk administrator, and select Properties. The user’s Properties window opens.
4. Select the Security tab, and click Add. The Select Users, Computers, or Groups window opens.
5. Enter the name of the SafeNet Authentication Manager Helpdesk user, and click OK.
The Helpdesk user is added to the list.
6. Click Advanced. The Advanced Security Settings window opens.
7. Select the Helpdesk user from the list, and click Edit.
The Permission Entry window opens.
8. Select the Properties tab.
9. Select Allow for the following attributes:
- Read msNPAllowDialin
- Write msNPAllowDialin
10. Click OK.
Granting Permissions for Microsoft CA Templates
CA‐related permissions are required for the user managing the SAM Microsoft CA Connector. See Permissions for Basic Administration on page 310.
To grant permissions for Microsoft CA templates:
1. Open the CA snap‐in.
2. Right‐click Certificate Templates, and select Manage.
3. From the certificate list, double‐click the certificate for SafeNet Authentication Manager to enroll.
4. In the security tab, assign the Helpdesk user the permissions to Read and Enroll.
5. In the CA snap‐in, right‐click the CA name, and select Properties.
6. In the Security tab, assign the Helpdesk user the permission to Issue and Manage Certificates.
Delegating Password Reset Control
The SAM Service Account is used to manage SafeNet Authentication Manager operations. See Changing the SAM Service Account on page 198 to set a different SAM Service Account.
Note: We recommend using a SAM Service Account with a strong non‐expiring password. Certain functions, such as the TPO Editor, may stop responding when the SAM Service Account password expires.
To delegate control of password resets to the SAM Service Account:
1. In the Active Directory Users and Computers snap‐in, select the SAM domain.
2. In the right pane, right‐click Users, and select Delegate Control.
The Delegation of Control Wizard opens.
3. Click Next. The Users or Groups window opens.
4. Click Add.
The Select Users window opens.
5. Click Advanced. The advanced Select Users window opens.
6. Click Find Now.
The search results are displayed in the Select Users window.
7. Double‐click the SAM Service Account. The username appears in the Select Users window.
8. Click OK.
The username appears in the Users or Groups wizard window.
9. Click Next to continue. The Tasks to Delegate window opens.
10. Select Delegate the following common tasks, and select Reset user passwords and force password change at next logon.
11. Click Next to continue.
The Completing the Delegation of Control Wizard window opens.
12. On the summary page, review the proposed settings, and then click Finish.
Chapter 15
Audit Messages and Enrollment Notifications
You can configure TPO settings for the following activities:
- Viewing the details of SafeNet Authentication Manager administration events using the Windows Event Viewer
- Setting up audit notification letters for SafeNet Authentication Manager user and administrator events
- Setting up enrollment notification letters and SMS messages for token enrollments
In this section:
- Audit Messages
- Enrollment Notification
- Configuring Audit, Enrollment and MobilePASS Activation Notification Templates
- Configuring SMS Notification Template
Audit Messages
You can view SafeNet Authentication Manager audit messages in the Windows Event Viewer or send them by email.
Configuring Audit Settings for Viewing in Windows Event Viewer
Audit Settings policies control audit information logging so that the events can be viewed using the Windows Event Viewer. To enable audit information logging, define the TPO Audit Settings policies. See Using the Token Policy Object Editor to Edit TPOs on page 146 to edit the TPO settings.
Audit Settings
| Policy | Description | Default | Token Type |
|---|---|---|---|
| Audit log server name | Defines the server address of the audit log | localhost | All devices |
| Audit log name | Defines the name of the audit log | Application | All devices |
| Audit source name | Determines the source name displayed in the Windows Event Viewer | SAMAudit | All devices |
Viewing SAM Events in the Event Viewer
To view audited SAM events in the Event Viewer:
1. Right‐click My Computer, and select Manage. The Computer Management window opens.
2. In the left pane, select Event Viewer > Application. A list of events is displayed in the right pane. By default, SAM events are indicated by SAMAudit in the source column of the table.
3. Double‐click the required event.
The Event Properties window opens.
The Event Properties window displays the following information:
- Date: the date the event occurred
- Source: the event source
- Time: the time the event occurred
- Category: the event category
- Type: the event type (for example, Information)
- Event ID: a unique ID for each event
- User: user information
- Computer: the computer on which the event is recorded
- Description: a brief description of the event
Configuring Audit Settings for Sending Notification Messages
To set up and configure audit notification letters, perform the following steps:
- Configure the TPO audit settings.
- Edit the audit notification letter templates. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
The Audit Notification Settings in TPO enable you to do the following:
- Activate the Notification function for users and/or the administrator.
- Select the HTML template file for user and/or administrator notification.
Audit Notification Policies
| Policy | Description | Default | Token Type |
|---|---|---|---|
| Administrator notification | Defines if the administrator is notified of audit events | No notification | All devices |
| Administrator notification configuration | Defines the administrator notification configuration | Empty (Administrator is not notified) | All devices |
| User notification | Defines if users are notified of audit events related to their tokens | No notification | All devices |
| User notification configuration | Defines the user notification configuration | Empty (User is not notified) | All devices |
Configuring Administrator Audit Notification Settings
To configure the administrator audit notification settings:
1. Open the Token Policy Object Editor (See Accessing Token Policy Object Links on page 122).
2. In the left pane, select Audit Settings>Audit Notification Settings.
3. In the right pane, right‐click Administration notification, and select Properties from the dropdown menu. The Administration notification Properties window opens.
4. Select the Define this policy setting option, select Enabled and click OK.
5. In the right pane of the Token Policy Object Editor, right‐click Administration notification configuration, and select Properties from the dropdown menu.
The Administration notification configuration Properties window opens.
6. Select Define this policy setting, click Add, and enter a name for a new rule.
7. To define a rule, select it, and click Edit.
The Administrator notification rule window opens.
8. In the Events tab, select the events requiring notification.
9. Select for which event levels to send notifications: Information, Error, Warning.
10. To configure email notification for the administrator, select the Emails tab.
11. Click Add, and enter the appropriate email address.
12. In the Subject field, enter the content of the email subject line.
13. In the Template field, enter the path to the email template. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
14. To select an external program to send the notification, select the External Program tab.
15. Select Browse and navigate to the external application file (.exe).
16. Click on the required keywords.
The selected keywords are displayed in the box after the external application file.
17. Click OK to save the changes to the Administration notification configuration policy.
Configuring User Audit Notification Settings
To configure the user audit notification settings:
1. Open the Token Policy Object Editor (See Accessing Token Policy Object Links on page 122).
2. In the left pane, select Audit Settings>Audit Notification Settings.
3. In the right pane, right‐click User notification, and select Properties from the dropdown menu.
The User notification Properties window opens.
4. Select the Define this policy setting option, select Enabled and click OK.
5. In the right pane of the Token Policy Object Editor, right‐click User notification configuration, and select Properties from the dropdown menu. The User notification configuration Properties window opens.
6. Select Define this policy setting, click Add, and enter a name for the new rule.
7. To define a rule, select it, and click Edit. The User notification rule window opens.
8. Select the events requiring notification.
9. Select one or both of the following:
- Notify the user about events performed for them by others
- Notify the user about events performed by themselves
10. Select for which event levels to send notifications: Information, Error, Warning.
11. In the Subject field, enter the content of the email subject line.
12. In the Template field, enter the path to the email template.
See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
13. Click OK to define the User notification configuration policy.
Enrollment Notification
Configuring Enrollment Notification Messages
SafeNet Authentication Manager can generate enrollment notification letters and email them to the token users. Notifications can include text and variables, such as passwords and serial numbers, which are derived from SafeNet Authentication Manager through the use of keywords. To set up and configure enrollment notification letters, perform the following steps:
- Configure the TPO enrollment notification settings.
- Edit the enrollment notification letter templates. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
Enrollment Notification Policies
Token Type for every policy in this table: All devices including MobilePASS and SafeNet eToken Virtual Temp.
| Policy | Description | Default |
|---|---|---|
| User notification | Determines if user notification letters are prepared when their tokens are enrolled through the SAM Management Center | No notification |
| HTML template file | Defines the HTML template file to use as a template for enrollment notification letters | Empty |
| Save notification letters | Determines if enrollment notification letters are saved | Not saved |
| Notification letters storage location | Defines where enrollment notification letters are saved | Empty |
| Send notification letters by email | Determines if enrollment notification letters are sent by email | No email notification |
| Notification email subject | Defines the enrollment notification email subject | Empty |
| Print notification letters | Determines if enrollment notification letters are printed | Not printed |
| Use external program | Determines if an external notification program is used. Note: This can include any application that performs an action not supported by the standard SafeNet Authentication Manager settings, such as updating a database upon notification. | No external program |
| External program and keywords | Defines which external program to use if Use an external program is selected, and its keywords | Empty (No external program is used) |
| Notify via SMS | Determines if a notification is sent via SMS. Note: To use SMS notification, you must enable this policy and define the SMS notification template policy | SMS notification is not used |
| SMS notification template | Determines the file that contains the text for the SMS message. See Configuring SMS Notification Template on page 338. Note: To use an external enrollment notification application, enable the “Use external program” policy, and define this policy | Not defined |
Configuring Audit, Enrollment and MobilePASS Activation Notification Templates
Each template contains text and keywords. To customize a template, replace its text, and add keywords as required. Sample templates are provided in the MailTemplates folder, typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Templates
Audit Notification Templates
| Template | Description | File Name |
|---|---|---|
| Audit Event Notification (administrator) | Informs administrator of audit event | Default_SAM_Admin_Audit_Notification_Letter.htm |
| Audit Event Notification (user) | Informs users of audit events | Default_SAM_User_Audit_Notification_Letter.htm |
Enrollment Notification Templates
| Template | Description | File Name |
|---|---|---|
| Enrollment Notification | Informs user of new token and supplies the password | Default_SAM_Enrollment_Notification_Letter.htm |
| Enrollment Notification (Complex password) | Informs user of new token and supplies the password. This option allows the Token Password to contain special characters, using a different HTML syntax. Note: This template is not supported by Outlook 2007 | Default_SAM_Enrollment_Notification_Letter_Complex_Password.htm |
Notification Letter Keywords
Variables used in notification letters are retrieved by SafeNet Authentication Manager from data in the user store. If the data does not exist in the user store, it will not appear in the notification letter; the keywords will be displayed instead. If changes have been made to data in the user store, run the SAM Backend Services Synchronize User Data process before generating enrollment letters to ensure that the data is available for inclusion in the user notification letter. See Backend Service on page 353.
General Keywords
The general keywords can be used in all notification letter templates (Audit, Enrollment Notification and MobilePASS Activation).
| Keyword | Description |
|---|---|
| $Office | User's office location |
| $User_Email | User's email address |
| $User_First_Name | User's first name |
| $User_Last_Name | User’s last name |
| $City | City |
| $Country_Region | Country or region |
| $State_Province | State or province |
| $Street | Street name |
| $PO_Box | Post Office box number |
| $Zip_Postal_Code | Zip code |
| $Company | Name of company |
| $Department | Name of department |
| $User_Logon_Name | The name the user uses to log on to a domain. Uses the syntax: username@domainname |
| $User_Account_Name | The user's name in the pre-Windows 2000 syntax: domainname\username |
Audit Keywords
The Audit Keywords can be used only in the Audit Notification templates:
- Audit Event Notification (administrator) (Default_SAM_Admin_Audit_Notification_Letter.htm)
- Audit Event Notification (user) (Default_SAM_User_Audit_Notification_Letter.htm)
The keys of events as they appear in the Windows Event Viewer can be used in audit notification letters.
| Keyword | Description |
|---|---|
| $Audit_Category | The application creating the event. For example: SAM Self Service Center, SAM Management Center, SAM Remote Service Center, or Management Tools |
| $Audit_Date_Time | The time and date of the event |
| $Audit_Event | The name of the event |
| $Audit_Message | The message describing the event |
| $Audit_Type | The event level: Information, Error, or Warning |
Enrollment Keywords
The Enrollment Keywords can be used only in the Enrollment Notification templates:
- Enrollment Notification (Default_SAM_Enrollment_Notification_Letter.htm)
- Enrollment Notification (Complex password) (Default_SAM_Enrollment_Notification_Letter_Complex_Password.htm)
| Keyword | Description |
|---|---|
| $Enrollment_Date | Date token was enrolled |
| $Enrollment_Time | Time token was enrolled |
| $otp_pin | The OTP PIN to be sent to the user during enrollment, or the Token Password (if it’s random). |
Configuring SMS Notification Template
If the Notify via SMS policy is activated, a template must be created to determine the content of the message (See Enrollment Notification Policies on page 332). The template is a text (.txt) file. The SMS message consists of the text as it appears in the template; keywords are not supported.
Chapter 16
OTP Configuration
One Time Password (OTP) behavior can be configured in the web services located on the SafeNet Authentication Manager Server, and in the OTP plug‐in on the IAS (RADIUS) server.
In this section:
- OTP Web Service Settings
- OTP Web Service Configuration
- Configuring SAM IAS Plug-In
- Configuring IAS for a Non-AD User Store
OTP Web Service Settings
To facilitate OTP authentication, the system saves the following values:
- the OTP provided by the user during the last OTP token enrollment or successful authentication
- the OTP provided by the user during the last authentication attempt, regardless of whether or not it successfully matched any of the values calculated by the system within the Blank Presses range
Blank Presses
During each OTP authentication attempt, the system calculates the OTP value that should follow the OTP saved from the last successful authentication. When a user generates an OTP on the token without submitting it for authentication, the OTP generation is considered a blank press. The administrator determines how many blank presses are tolerated by setting the range of OTP values to be checked during OTP authentication.
| Blank Presses setting | OTP Authentication Behavior |
|---|---|
| 0 | The OTP provided by the user must match the OTP value that the system calculates to follow the last OTP successfully used for authentication. |
| 30 | The OTP provided by the user must match one of the next 31 OTP values that the system calculates to follow the last OTP successfully used for authentication. |
Blank Presses Resync
If the OTP provided by the user does not match any of the OTP values within the Blank Presses range, a different method may allow the user to authenticate successfully. If the Blank Presses Resync setting is larger than the Blank Presses setting, the system compares the last two OTPs provided (the OTP saved during the last authentication attempt, and the OTP just entered) with all the pairs of OTP values calculated by the system within the Blank Presses Resync range.
Time Sync
Some systems calculate OTPs using a formula based on the current time. There may be a minor difference between the time settings on the system and on the OTP token. The administrator determines the amount of time difference that is tolerated by defining the Time Sync range to be checked during OTP authentication.
| Time Sync setting | OTP Authentication Behavior |
|---|---|
| 0 | The OTP provided by the user must match the OTP value that the system calculates based on the system’s current time. |
| 30 | The OTP provided by the user must match one of the OTP values that the system calculates within 31 increments of the system’s current time. |
Time Resync
If the OTP provided by the user does not match any of the OTP values within the Time Sync range, a different method may allow the user to authenticate successfully. If the Time Resync setting is larger than the Time Sync setting, the system compares the last two OTPs provided (the OTP saved during the last authentication attempt, and the OTP just entered) with all the pairs of OTP values calculated by the system within the Time Resync range.
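The event-based path described above (Blank Presses window, Blank Presses Resync pair check, and the Authentication Retries lockout from the settings table) as an added example; it is not SafeNet code. It assumes HOTP (RFC 4226, HMAC-SHA1, six digits) as the token algorithm, which the guide does not specify, and the documented defaults of 30, 100 and 5.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _same(a: str, b: str) -> bool:
    """Constant-time comparison that tolerates non-ASCII user input."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class TokenState:
    """What the service keeps per token: the two saved values listed above, plus lockout state."""
    secret: bytes
    counter: int = 0                    # counter of the last enrolled or successfully authenticated OTP
    last_attempt: Optional[str] = None  # OTP from the last attempt, whether or not it matched
    failures: int = 0
    locked: bool = False


@dataclass
class OtpWebService:
    blank_presses: int = 30         # documented default
    blank_presses_resync: int = 100  # documented default
    authentication_retries: int = 5  # documented default

    def authenticate(self, state: TokenState, otp: str) -> bool:
        if state.locked:
            return False
        previous = state.last_attempt
        state.last_attempt = otp  # saved regardless of the outcome

        # Blank Presses: accept any of the next blank_presses + 1 values
        # (a setting of 30 means the next 31 values, as in the table above).
        for step in range(1, self.blank_presses + 2):
            if _same(hotp(state.secret, state.counter + step), otp):
                return self._accept(state, state.counter + step)

        # Blank Presses Resync: only when its range exceeds Blank Presses. The
        # previous attempt and this OTP must be a consecutive pair within the range.
        if self.blank_presses_resync > self.blank_presses and previous is not None:
            for step in range(1, self.blank_presses_resync + 1):
                c = state.counter + step
                if _same(hotp(state.secret, c), previous) and _same(hotp(state.secret, c + 1), otp):
                    return self._accept(state, c + 1)

        # Authentication Retries: lock the token after too many failures.
        state.failures += 1
        if state.failures >= self.authentication_retries:
            state.locked = True
        return False

    @staticmethod
    def _accept(state: TokenState, new_counter: int) -> bool:
        state.counter = new_counter  # the window now starts after the value just used
        state.failures = 0
        return True
```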
OTP Web Service Configuration
To configure the OTP Web Service:
1. Open the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and Web Services > OTP Web Service. The OTP Web Service Settings window opens.
3. Complete the fields as follows, and click OK:
| Field | Description | Default |
|---|---|---|
| Blank Presses | The range of OTP values to check during authentication (the number of blank presses tolerated before the OTP token must be validated) | 30 |
| Audit Condition | Which authentication events to include in an audit. OnFailure: only when authentication fails; Always: all authentication attempts; Never: do not audit | OnFailure |
| Blank Presses Resync | The range of OTP value pairs to check if the OTP did not match a value within the Blank Presses range | 100 |
| Max Delayed DB Updates | The maximum number of update entries accumulated before they must be written to the SAM database. Saves system resources during times of peak activity. | |
| Time Sync | The time difference tolerated between the system and the OTP token, in increments | 30 |
| Time Resync | The range of OTP value pairs to check if the OTP did not match a value within the Time Sync range | 100 |
| Authentication Retries | The number of failed authentication attempts before the token is locked | 5 |
| Exclude Group Check | The behavior of the Exclude Group check (values listed below the table) | Default |
| Exclude Groups | Click New to add an Exclude Group. OTP authentication is not enabled for members of Exclude Groups. They must use standard authentication. | None |
| Preload Groups Refresh | If Exclude Group Check is set to Preload, this determines the time interval, in minutes, between Exclude Groups refreshes in the OTP Web Service | 120 |
| Netbios | Click New to map between a NetBios name and a DNS name | |
Exclude Group Check values:
- Disabled: The check for Exclude Groups is disabled.
- Default: Exclude all members of the Exclude Groups and their child groups. All groups above the user are checked during each authentication attempt.
- DefaultFlat: Exclude all members of the Exclude Groups, but not of their child groups.
- Preload: Exclude members of the Exclude Groups already in the SAM Configuration Store, but do not refresh the list. (See also Preload Groups Refresh.)
- Token: Exclude all tokens marked in the SAM Configuration Store as being a member of an Exclude Group. This information is updated by the SAM Backend Service, scheduled to run every 24 hours, by default.
Configuring SAM IAS Plug-In
The IAS plug‐in, located on the IAS (RADIUS) server, can be configured to determine OTP authentication behavior. The configuration settings are added to the <ias_plugin_configuration> section in the otp_plugin_config.xml file.
SAM IAS Plug-In Settings
Key: enable_otp_authentication
Value Type: Boolean
Description: Determines whether OTP authentication is used.
Values:
• True: OTP authentication
• False: Standard (non-OTP) authentication
Default: True

Key: otp_web_service_url
Value Type: String
Description: Defines the SafeNet Authentication Web Service URL.

Key: no_otp_token_behavior
Value Type: Enumerator
Description: Determines behavior when there is no OTP.
Values:
• Reject: Reject authentication request
• Pass: Allow MS IAS standard authentication
• Fail: Discard the authentication request
Default: Reject

Key: user_not_found_behavior
Value Type: Enumerator
Description: Determines behavior when the user is not found.
Values:
• Reject: Reject authentication request
• Pass: Allow MS IAS standard authentication
• Fail: Discard the authentication request
Default: Reject

Key: protocol_not_supported_behavior
Value Type: Enumerator
Description: Determines behavior when the protocol is not supported.
Values:
• Reject: Reject authentication request
• Pass: Allow MS IAS standard authentication
• Fail: Discard the authentication request
Default: Pass
Note: The value should be changed to Reject to ensure that it’s not possible to authenticate without a RADIUS secret key.

Key: return_pap_cred
Value Type: Boolean
Description: Determines if the RADIUS server returns the password as an attribute of the RADIUS response.
Default: False

Key: return_pap_cred_attribute_number
Value Type: Numeric
Description: Specifies the RADIUS attribute number of the returned password. For example, "2" is for ratUserPassword.
Default: 2

Key: web_service_request_timeout
Value Type: Time in seconds
Description: Specifies the timeout period when calling the OTP Web Service from the IAS Plug-in.
Default: 15

Key: web_service_comm_error_behavior
Value Type: Enumerator
Description: Determines how to handle an OTP Web Service communication failure.
Values:
• Reject: Reject authentication request
• Pass: Allow MS IAS standard authentication
• Fail: Discard the authentication request
Default: Fail

Key: TMS_db_offline_behavior
Value Type: Enumerator
Description: Determines how to handle the exception when the SAM database is not available.
Values:
• Reject: Reject authentication request
• Pass: Allow MS IAS standard authentication
• Fail: Discard the authentication request
Default: Fail
Example of otp_plugin_config.xml
<?xml version="1.0" ?>
<ias_plugin_configuration>
  <enable_otp_authentication>true</enable_otp_authentication>
  <otp_web_service_url>http://localhost/OTPAuthentication/Service.asmx</otp_web_service_url>
  <no_otp_token_behavior>reject</no_otp_token_behavior>
  <user_not_found_behavior>reject</user_not_found_behavior>
  <protocol_not_supported_behavior>pass</protocol_not_supported_behavior>
  <return_pap_cred>false</return_pap_cred>
  <return_pap_cred_attribute_number>2</return_pap_cred_attribute_number>
  <web_service_request_timeout>15</web_service_request_timeout>
  <web_service_comm_error_behavior>fail</web_service_comm_error_behavior>
  <TMS_db_offline_behavior>fail</TMS_db_offline_behavior>
</ias_plugin_configuration>
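As an added example (not part of the guide and not SafeNet code), the following Python script reads an otp_plugin_config.xml of the form shown above, checks each key against the value types and enumerator values in the SAM IAS Plug-In Settings table, and reports the protocol_not_supported_behavior=Pass default that the table says to change to Reject. The embedded sample document is constructed for the example, and the function names are this example's own.

```python
"""Added example (not SafeNet code): sanity-check an otp_plugin_config.xml.

Each child of <ias_plugin_configuration> is checked against the value types
and enumerator values listed in the SAM IAS Plug-In Settings table, and the
setting whose documented default the table tells you to tighten
(protocol_not_supported_behavior) is reported. The sample document below is
constructed for this example.
"""
import xml.etree.ElementTree as ET

BEHAVIOUR_KEYS = (
    "no_otp_token_behavior",
    "user_not_found_behavior",
    "protocol_not_supported_behavior",
    "web_service_comm_error_behavior",
    "TMS_db_offline_behavior",
)
BEHAVIOUR_VALUES = {"reject", "pass", "fail"}
BOOLEAN_KEYS = ("enable_otp_authentication", "return_pap_cred")
NUMERIC_KEYS = ("return_pap_cred_attribute_number", "web_service_request_timeout")

# Constructed sample: the documented defaults, including protocol_not_supported_behavior=pass.
SAMPLE_CONFIG = """<?xml version="1.0" ?>
<ias_plugin_configuration>
  <enable_otp_authentication>true</enable_otp_authentication>
  <otp_web_service_url>http://localhost/OTPAuthentication/Service.asmx</otp_web_service_url>
  <no_otp_token_behavior>reject</no_otp_token_behavior>
  <user_not_found_behavior>reject</user_not_found_behavior>
  <protocol_not_supported_behavior>pass</protocol_not_supported_behavior>
  <return_pap_cred>false</return_pap_cred>
  <return_pap_cred_attribute_number>2</return_pap_cred_attribute_number>
  <web_service_request_timeout>15</web_service_request_timeout>
  <web_service_comm_error_behavior>fail</web_service_comm_error_behavior>
  <TMS_db_offline_behavior>fail</TMS_db_offline_behavior>
</ias_plugin_configuration>
"""


def parse_plugin_config(xml_text):
    """Return {key: value} for the children of <ias_plugin_configuration>."""
    root = ET.fromstring(xml_text)
    if root.tag != "ias_plugin_configuration":
        raise ValueError("expected <ias_plugin_configuration> root, got <%s>" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def audit_plugin_config(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for key in BEHAVIOUR_KEYS:
        if settings.get(key, "").lower() not in BEHAVIOUR_VALUES:
            findings.append("%s: expected Reject/Pass/Fail, found %r" % (key, settings.get(key)))
    for key in BOOLEAN_KEYS:
        if settings.get(key, "").lower() not in {"true", "false"}:
            findings.append("%s: expected true/false, found %r" % (key, settings.get(key)))
    for key in NUMERIC_KEYS:
        if not settings.get(key, "").isdigit():
            findings.append("%s: expected a number, found %r" % (key, settings.get(key)))
    # The table's note: the documented default (Pass) lets a request the plug-in
    # cannot handle fall through to plain IAS authentication; it says to use Reject.
    if settings.get("protocol_not_supported_behavior", "").lower() == "pass":
        findings.append("protocol_not_supported_behavior is Pass; the guide says to change it to Reject")
    return findings


def harden(settings):
    """Return a copy with the one setting the guide tells you to change."""
    fixed = dict(settings)
    fixed["protocol_not_supported_behavior"] = "reject"
    return fixed


if __name__ == "__main__":
    parsed = parse_plugin_config(SAMPLE_CONFIG)
    for finding in audit_plugin_config(parsed):
        print("FINDING:", finding)
    print("after hardening:", audit_plugin_config(harden(parsed)))
```

The checker is deliberately limited to what the table documents: it validates types and enumerator values and flags Pass for protocol_not_supported_behavior, but it does not decide between Reject and Fail for a given deployment.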
Configuring IAS for a Non-AD User Store
If you are using a user store other than Active Directory, IAS must be configured to accept users without validating credentials.
Note: The following configuration must be set to prevent users being able to authenticate without a password:
<protocol_not_supported_behavior>fail</protocol_not_supported_behavior>
To configure IAS to accept users without validating credentials:
1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service. The Internet Authentication Service window opens.
2. Select Connection Request Processing > Connection Request Policies.
3. In the right pane, right‐click Use Windows authentication for all users, and select Properties.
The Use Windows authentication for all users Properties window opens.
4. Click Edit Profile.
The Edit Profile window opens.
5. On the Authentication tab, select Accept users without validating credentials.
6. Click OK repeatedly until you return to the Internet Authentication Service main window.
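To show how the OTP Web Service settings at the start of this chapter (Blank Presses, Blank Presses Resync., Authentication Retries, Audit Condition) act together on the server side, here is an added example in Python. It is not SafeNet code: the token algorithm is standard HOTP (RFC 4226) so that it runs offline, the seed is constructed, and resetting the failure counter on a successful logon is this example's own assumption, not something the guide states.

```python
"""Added example (not SafeNet code): how the OTP Web Service settings
(Blank Presses, Blank Presses Resync., Authentication Retries, Audit Condition)
shape server-side validation of an event-based OTP.

The token algorithm is HOTP (RFC 4226, 6 digits) so the example runs offline;
the seed and counters are constructed, and the rule that a successful logon
resets the failure counter is this example's assumption.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class OtpWebService:
    """Minimal server-side state for one token, driven by the settings above."""

    def __init__(self, secret, blank_presses=30, blank_presses_resync=100,
                 authentication_retries=5, audit_condition="OnFailure"):
        self.secret = secret
        self.counter = 0            # last counter value the server accepted
        self.blank_presses = blank_presses
        self.blank_presses_resync = blank_presses_resync
        self.authentication_retries = authentication_retries
        self.audit_condition = audit_condition   # OnFailure, Always or Never
        self.failures = 0
        self.locked = False
        self.audit_log = []

    def _audit(self, event, ok):
        if self.audit_condition == "Always" or (self.audit_condition == "OnFailure" and not ok):
            self.audit_log.append((event, ok, self.counter))

    def _fail(self, event):
        self.failures += 1
        if self.failures >= self.authentication_retries:
            self.locked = True      # Authentication Retries reached: token locked
        self._audit(event, False)
        return False

    def _accept(self, event, new_counter):
        self.counter = new_counter  # only ever moves forward, so used values cannot be replayed
        self.failures = 0           # assumption: a good logon clears the failure count
        self._audit(event, True)
        return True

    def authenticate(self, otp):
        """Accept otp if it matches one of the next blank_presses counter values."""
        if self.locked:
            return self._fail("authenticate")
        for c in range(self.counter + 1, self.counter + self.blank_presses + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                return self._accept("authenticate", c)
        return self._fail("authenticate")

    def resync(self, otp1, otp2):
        """Two consecutive OTPs within the wider resync window re-anchor the counter."""
        if self.locked:
            return self._fail("resync")
        for c in range(self.counter + 1, self.counter + self.blank_presses_resync + 1):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                return self._accept("resync", c + 1)
        return self._fail("resync")


SEED = b"constructed-example-seed-not-a-real-token"   # constructed for the example

if __name__ == "__main__":
    svc = OtpWebService(SEED)
    print(svc.authenticate(hotp(SEED, 7)))               # 7 blank presses: accepted
    print(svc.authenticate(hotp(SEED, 7)))               # replay of a used value: refused
    print(svc.authenticate(hotp(SEED, 80)))              # beyond 30 blank presses: refused
    print(svc.resync(hotp(SEED, 80), hotp(SEED, 81)))    # consecutive pair inside 100: accepted
    print(svc.audit_log)
```

The look-ahead window never moves the counter backwards, so a value that was already accepted is refused on replay even though it still lies inside the old window. The resync path needs two consecutive values from the wider range before it re-anchors the counter, which is what keeps the 100-value resync range from being a 100-value guessing window, and every failed attempt on either path counts towards the Authentication Retries lock.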
Chapter 17
Backend Service
The SafeNet Authentication Manager Backend Service works in the background, performing the different services configured by the administrator.
In this section:
• Overview of Backend Services
• Controlling SAM Backend Services
Overview of Backend Services
You can change the scheduling of services in the SAM Configuration Manager. See Scheduling the SAM Backend Service on page 185.
The actions controlled by the Backend Service are:
• Disable temporary password logon
• Revoke open SafeNet eToken Rescues
• Automatically revoke tokens with missing users
• Automatically revoke tokens with disabled users
• Synchronize users data
• Synchronize license data
Control the SAM Backend Service using the following options:
• Start Process
• Start Service
• Stop Service
• Pause Service
• Continue Service
Controlling SAM Backend Services
To control SAM Backend Services:
1. In the taskbar, right‐click the Backend Services icon. The Backend Services menu opens.
2. To select a domain, click Services, and select the appropriate domain.
3. To control the Backend Service process, select one of the following:
• Stop Backend Service
• Pause Backend Service
• Continue Backend Service
• Start Backend Service
4. To initiate the SAM Backend Service process, select Start process. The Start process options are displayed.
5. Select the required action to run in the background:
• All: runs all tasks
• Synchronize user data: updates user properties that have changed since the last update
• Automatic revocation when: automatically revokes a token if the selected event occurred:
  • User is deleted from the user store: the employee left the company
  • User is disabled in the user store: the employee has an extended absence
• Revoke opened SafeNet eToken Rescue: revokes all expired SafeNet eToken Rescues
• Disable Temp Logon: disables all expired temporary logon passwords
• Synchronize licenses: updates license information that has changed since the last update. This is required when SafeNet Authentication Manager is implemented over multi‐domains or whenever the licensing counter becomes inaccurate due to replication or failed operations. See Multi‐Domain Licenses on page 298.
6. Click Exit.
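An added example, not SafeNet code, of the checks behind the Start process actions above: revoke tokens whose owner was deleted or disabled in the user store, revoke expired SafeNet eToken Rescues, and disable expired temporary logon passwords. The inventory records, the task names and the function name are this example's assumptions; the guide does not show SAM's database schema.

```python
"""Added example (not SafeNet code): the checks behind the Backend Service
actions (revoke tokens of deleted or disabled users, revoke expired SafeNet
eToken Rescues, disable expired temporary logon passwords), run over
constructed inventory data. Record layout and function names are assumptions
of this example.
"""
from datetime import date

# Constructed sample data.
USER_STORE = {"alice": True, "bob": False}          # name -> account enabled?
TOKENS = [
    ("T-1001", "alice", "enrolled"),
    ("T-1002", "bob", "enrolled"),                  # owner disabled in the user store
    ("T-1003", "carol", "enrolled"),                # owner no longer exists
    ("T-1004", "alice", "revoked"),                 # already revoked: nothing to do
]
RESCUES = [("R-1", "alice", date(2010, 9, 1)), ("R-2", "alice", date(2010, 12, 1))]
TEMP_LOGONS = [("alice", date(2010, 9, 15)), ("bob", date(2010, 10, 15))]


def backend_run(tasks, today, tokens=TOKENS, users=USER_STORE,
                rescues=RESCUES, temp_logons=TEMP_LOGONS):
    """Return the actions the selected tasks would take, as (action, id, reason).

    tasks is a set of task names; "All" selects every task, as the All option does.
    """
    actions = []
    run_all = "All" in tasks
    if run_all or "revoke_missing" in tasks:
        for serial, owner, state in tokens:
            if state == "enrolled" and owner not in users:
                actions.append(("revoke_token", serial, "user deleted from the user store"))
    if run_all or "revoke_disabled" in tasks:
        for serial, owner, state in tokens:
            if state == "enrolled" and owner in users and not users[owner]:
                actions.append(("revoke_token", serial, "user disabled in the user store"))
    if run_all or "revoke_rescues" in tasks:
        for rescue_id, _owner, expires in rescues:
            if expires < today:
                actions.append(("revoke_rescue", rescue_id, "expired %s" % expires))
    if run_all or "disable_temp_logon" in tasks:
        for user, expires in temp_logons:
            if expires < today:
                actions.append(("disable_temp_logon", user, "expired %s" % expires))
    return actions


if __name__ == "__main__":
    for action in backend_run({"All"}, date(2010, 9, 21)):
        print(action)
```

Tokens that are already revoked are skipped, and a token whose owner is merely disabled is kept separate from one whose owner is gone, so the two revocation reasons stay distinguishable in the record of what the run did.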
Part III Post-Installation Configuration
After installation, SAM needs to be configured according to the requirements of your organization. For OTP specific configuration, see Chapter 16: OTP Configuration (page 339).
In this section:
• Chapter 18: User Management in an ADAM Environment (page 359)
• Chapter 19: Desktop Agent (page 371)
• Chapter 21: Customizing SAM Websites (page 421)
Chapter 18
User Management in an ADAM Environment
If you are using a Standalone user store, use SafeNet Authentication Manager‐ Policy Manager to manage users, groups, and OUs.
In this section:
• ADAM Environment User Store Overview
• Opening SafeNet Authentication Manager - Policy Manager
• Adding a User
• Viewing and Editing User Properties
• Adding a Group or OU
• Viewing and Editing Group Properties
ADAM Environment User Store Overview
During SafeNet Authentication Manager installation in an ADAM environment, the Standalone user store is initialized in the SafeNet Authentication Manager. A user account with user store administrator rights is created on the server. After installation, the administrator uses SAM Policy Management to add users to the appropriate groups in the user store.
Opening SafeNet Authentication Manager - Policy Manager
To open SAM Policy Management:
1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Policy Management. SafeNet Authentication Manager ‐ Policy Manager connects to the SafeNet Authentication Manager Server, and the Authentication window opens.
2. Enter the SAM administrator username and password, and click OK.
The SafeNet Authentication Manager ‐ Policy Manager window opens.
3. In the left pane, select the appropriate container. The users and groups inside the selected container are displayed in the right pane.
Adding a User
To add a user to the Standalone user store:
1. Open SafeNet Authentication Manager ‐ Policy Manager. See Opening SafeNet Authentication Manager ‐ Policy Manager on page 360. The SafeNet Authentication Manager ‐ Policy Manager window opens.
2. In the left pane, right‐click the appropriate container, and select New > User.
The New Object ‐ User window opens.
3. Complete the information and click Next.
The Password window opens.
4. Create a password for the user, confirm it, and click Next. The Click Finish window opens.
5. Review the information displayed, and click Finish. The new user appears in the right pane of the SAM Policy Management window.
See Viewing and Editing User Properties on page 364 to add more information about the user to the user store.
Viewing and Editing User Properties
To view and edit user information:
1. Open SafeNet Authentication Manager ‐ Policy Manager. See Opening SafeNet Authentication Manager ‐ Policy Manager on page 360. The SafeNet Authentication Manager ‐ Policy Manager window opens.
2. In the right pane, right‐click the appropriate user, and from the dropdown menu, select Properties. The user’s Properties window opens.
3. Select each tab to view or modify its information.
Note: In the Account tab, it is not possible to change the User logon name or the Account name of the SAM Administrator.
4. Click OK to save the changes.
Adding a Group or OU
To add a group or OU to the Standalone user store:
1. Open SafeNet Authentication Manager ‐ Policy Manager. See Opening SafeNet Authentication Manager ‐ Policy Manager on page 360. The SafeNet Authentication Manager ‐ Policy Manager window opens.
2. In the left pane, right‐click the appropriate container, select New, and select the type of object to add.
3. When adding a group, the New Object ‐ Group window opens.
Assign a Group name, and click OK.
Note: Do not include an ampersand symbol, “&”, in the assigned name.
4. When adding an OU, the New Object ‐ Organizational Unit window opens.
Assign a Name, and click OK.
Note: Do not include an ampersand symbol, “&”, in the assigned name.
Viewing and Editing Group Properties
To view and edit the properties of a group:
1. Open SafeNet Authentication Manager ‐ Policy Manager. See Opening SafeNet Authentication Manager ‐ Policy Manager on page 360. The SafeNet Authentication Manager ‐ Policy Manager window opens.
2. In the right pane, right‐click the appropriate group, and from the dropdown menu, select Properties. In this example, the group Users is selected.
The object’s Properties window opens to the General tab.
3. To modify the object’s description, change the Description, and click OK.
4. To view or modify the list of members, select the Members tab.
5. To remove a member, select the member, and click Remove.
6. To add a member, click Add.
The User or Group window opens.
7. Enter the user or group name and, to verify that the object exists, click Check names.
8. Click OK.
9. To view or modify the list of groups of which the object is a member, select the Member of tab.
10. To remove an object from the list, select the object, and click Remove.
11. To add an object to the list, click Add.
The User or Group window opens.
12. Enter the name and, to verify that the object exists, click Check names.
13. Click OK to save the changes.
Chapter 19
Desktop Agent
The Desktop Agent can be used for sending expiration alerts to administrators and users, to audit the removal and connection of tokens, and to download SafeNet eToken Rescue files automatically from the website to the user’s computer.
Note: The Desktop Agent works only when Active Directory (AD) or ADAM is used as the user store.
In this section:
• Overview of the Desktop Agent
• Adding the Desktop Agent Template to the GPO Editor
• Editing the Desktop Agent Settings in the GPO Editor
• Desktop Agent Settings
• Configuring Automatic Download of SafeNet eToken Rescue
• Configuring Attendance Reports
• Configuring the Legacy Desktop Agent
• Troubleshooting
Overview of the Desktop Agent
The Desktop Agent is an application used to perform operations set by the administrator. The Desktop Agent, also known as the SAM Agent, can be installed as a SAM Client component on the desktops of SAM users. It functions as a feature of SafeNet Authentication Client. Users of eToken PKI Client use the legacy TMS Desktop Agent.
Users log on to SAM automatically when they connect their token to a computer on the network. Depending on your SafeNet Authentication Manager configuration, the Desktop Agent does the following:
• Sends alerts to users when their token content is about to expire or is not up‐to‐date
• Enables automatic distribution of SafeNet eToken Rescue files to users’ computers
• Keeps a record of the total number of tokens logged on at any given time; this token connection and removal audit can be used for an Hourly Distribution of Token Connections report
Open the Desktop Agent Status window from the SafeNet Authentication Client tray menu or from the eToken PKI Client tray menu. For a description of the Desktop Agent Status window, see the SafeNet Authentication Manager User’s Guide.
Adding the Desktop Agent Template to the GPO Editor
Configure the Desktop Agent using the Group Policy Object Editor (GPO Editor). The configuration uses an Administrator Template (ADM) file, which must be added to the GPO Editor.
To add the ADM file to the GPO Editor:
1. From the Start menu, go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. Right‐click the domain, and click Properties.
Note: The ADM can be configured either on the OU or on the domain level, and it can be limited to specific groups or users. In this example, the ADM is configured on the domain level.
The domain’s Properties window opens.
3. Select the Group Policy tab.
4. Select the appropriate Group Policy Object name, and click Edit. The Group Policy Object Editor window opens.
5. In the navigation pane, right‐click Administrative Templates, and from the dropdown menu, select Add/Remove Templates.
The Add/Remove Templates window opens.
6. Click Add, and navigate to the appropriate ADM file.The default path is:
In 32‐bit environments: C:\Program Files\SafeNet\Authentication\SAM\x32\Adm
In 64‐bit environments: C:\Program Files\SafeNet\Authentication\SAM\x64\Adm
The Policy Templates window displays the SAM template options.
7. Select the appropriate Desktop Agent template for your installation:
• SAC_Desktop_Agent.adm: for environments running SafeNet Authentication Client 8.0 or later
• PKI_Desktop_Agent.adm: for environments running legacy eToken PKI Client
In this example, SAC_Desktop_Agent.adm is selected.
8. Click Open.
The SAC_Desktop_Agent template is added to the list of administrative templates in the Add/Remove Templates window.
9. Click Close. In the Group Policy Object Editor window’s navigation pane, SAM Desktop Agent Settings is displayed under Administrative Templates.
Editing the Desktop Agent Settings in the GPO Editor
Before editing the Desktop Agent, the Desktop Agent administrative template must be added to the GPO Editor. For more information, see Adding the Desktop Agent Template to the GPO Editor on page 372.
Note: In this example, the SAM Desktop Agent is installed. When using the legacy Desktop Agent, substitute TMS for SAM.
To edit the Desktop Agent Settings:
1. In the navigation pane of the GPO Editor window, select Computer Configuration > Administrative Templates > SAM Desktop Agent Settings. SAM Desktop Agent Settings contains the following templates:
• SAM Desktop Agent General Settings
• eToken Update Alerts
• eToken Rescue Automatic Downloads
• eToken Attendance Reports
2. Click on a template in the navigation pane or in the right pane. In this example, eToken Update Alerts is selected.
The right pane displays the settings contained in the selected template.
3. To change a setting, double‐click on the setting (for example, Check server for expiration date) in the right pane. The Properties window for the selected setting opens.
Note: The Explain tab contains a description of the setting.
4. Make the required changes in the Setting tab:
• Not Configured: the default value is used
• Enabled: enables you to select or enter a value in the box (see the Explain tab for details)
• Disabled: do not use, this is not activated for Desktop Agent settings
5. Click OK, or click Next to go to the next setting. Edit the settings. For more information, see Desktop Agent Settings on page 379.
6. To save the changes, run Start > Run > gpupdate, and click OK.
Desktop Agent Settings
Note: In this example, the SAM Desktop Agent is installed. Some setting names differ slightly in the legacy Desktop Agent.

Template: SAM Desktop Agent General Settings
Setting: SAM Servers
Description: Defines the list of SAM Servers used for the SAM Desktop Agent.
Note: The list must be in URL format, separated by ';'. The full path must be used. For example:
http://netbios1/SAMagent/service.asmx;http://netbios2/SAMagent/service.asmx

Template: SAM Desktop Agent General Settings
Setting: Load balance SAM servers
Description: Determines the load balance of the servers listed in the 'SAM Servers' setting.
Values:
• 1 (True) - Each client randomly selects a server from the list, and then round-robins to the next server listed for each subsequent request.
• 0 (False) - The first server on the list is always accessed, and the next servers are used for failover only.
Default is 0

Template: SAM Desktop Agent General Settings
Setting: Communication error retry period
Description: Defines the number of minutes to wait before the next communication attempt following a communication error.
Default is 10 minutes.

Template: eToken Update Alerts
Setting: Ignore certificate expiration alert
Description: Determines if already expired certificates are part of the expiry date computation.
Values:
• 1 (True) - Ignore expired certificates
• 0 (False) - Don't ignore expired certificates
Default is 0 (False)

Template: eToken Update Alerts
Setting: Check server for expiration dates
Description: Determines if the server is checked for expiration dates of token data, such as certificates or OTP.
Notes:
• Set this value to 0 if tokens do not contain time-limited data.
• If the 'Check token for expiration dates' setting is set to 1, data on the token is checked before data on the server.
• It is recommended to use frequent periodic checks for expirable content.
Values:
• 1 (True) - The server is checked
• 0 (False) - The server is not checked
Default is 1 (True)

Template: eToken Update Alerts
Setting: Check token content
Description: Determines if the server is checked for TPO changes that apply to the token.
Note: It is recommended to minimize the frequency of the periodic checks to reduce server overload. Co-ordinate the frequency of the checks with changes to the TPO settings.
Values:
• 1 (True) - The server is checked
• 0 (False) - The server is not checked
Default is 1 (True)

Template: eToken Update Alerts
Setting: Check token for expiration dates (for installations running eToken PKI Client only)
Description: Determines if physical tokens are checked for expiration dates of data, such as certificates and profiles.
Note: Set this value to 0 if tokens do not contain time-limited data. If the 'Check server for expiration dates' setting is set to 1, data on the token is checked before data on the server.
Values:
• 1 (True) - The token is checked
• 0 (False) - The token is not checked
Default is 0 (False)
Important: Even if the Check token for expiration dates setting is set as true, the Check server for expiration date and/or Check token content settings must be enabled for the Verify Token Content feature to appear in the SafeNet Authentication Client tray icon menu.

Template: eToken Update Alerts
Setting: Pre-expiration alert period
Description: Defines the number of days before token data expires that an alert is displayed.
Note: An alert is displayed only after verification of expiration dates on the token or server.
Default is 30 days

Template: eToken Update Alerts
Setting: Alert text
Description: Defines the text to display in the alert balloon upon token data expiration or when the token content must be updated.
Default message is “Your token content must be updated.” When 'Alert message click action' is set to 1 or 2, the message prompts the user to click the balloon.

Template: eToken Update Alerts
Setting: Pre-expiration alert text
Description: Defines the text to display in the alert balloon within the time defined in the 'Pre-expiration alert period' setting. The following keywords can be included in the text, and will be replaced by their actual values:
• $EXPIRY_DATE - the token data's expiration date
• $EXPIRE_IN_DAYS - the number of days until expiration
Default message is “Data on your token expires in $EXPIRE_IN_DAYS.”

Template: eToken Update Alerts
Setting: Alert title
Description: Defines the title of the alert balloon.
Default title is “eToken Notification”

Template: eToken Update Alerts
Setting: Alert message click action
Description: Defines the action performed if the user clicks the alert balloon.
Values:
• 0 - No action
• 1 - Show the detailed message defined in the 'Alert detailed message' setting
• 2 - Open the website defined in the 'Alert website URL' setting
Default is 0 (No action)

Template: eToken Update Alerts
Setting: Alert detailed message
Description: Defines the message displayed if the user clicks the alert balloon when the 'Alert message click action' setting is set to 1.
Default is empty string

Template: eToken Update Alerts
Setting: Alert website URL
Description: Defines the website URL opened if the user clicks the alert balloon when the 'Alert message click action' setting is set to 2.
Default is empty string

Template: eToken Update Alerts
Setting: Update alert minimum interval
Description: If the 'Check token content' or 'Check server for expiration dates' setting is activated (set to 1), defines the number of days to wait before the next server check following a successful server verification.
Default is 14 days
Note: We recommend setting the alert minimum interval to as long an interval as possible, to avoid server overload.

Template: SafeNet eToken Rescue Automatic Download
Setting: Download SafeNet eToken Rescue Automatically
Description: Determines if a SafeNet eToken Rescue replacement token is automatically downloaded when a change to the token content is detected.
Values:
• 1 (True) - Automatically download
• 0 (False) - Do not automatically download
Default is 0 (False)
If automatic download is activated, the file is downloaded to:
• XP: C:\Documents and Settings\username\My Documents\eTokenRescue
• VISTA: %USERPROFILE%\Documents\eTokenResc

Template: SafeNet eToken Rescue Automatic Download
Setting: Download check minimum interval
Description: If the 'Download SafeNet eToken Rescue automatically' setting is set to 1, this defines the number of days between checks of the SAM database to determine if the token content has changed.
Default is 14 days
Template: eToken Attendance Reports
Setting: Enable token auditing
Description: Determines if token auditing is enabled.
Values:
• 1 (True) - Enabled
• 0 (False) - Not enabled
Default is 0 (False)

Configuring Automatic Download of SafeNet eToken Rescue
To enable the automatic download of SafeNet eToken Rescue to users’ computers, the SAM Servers must be part of the Local Intranet zone. (To see the Internet Explorer security settings for the Local Intranet zone, in Internet Explorer select Tools > Internet Options > Security tab > Local Intranet.)
There are two ways of including the SAM Servers in the Local Intranet zone:
• By default, IE assumes that a site is an intranet site if the server name does not contain periods (for example: http://mySAM/SAMagent).
• Configure GPO to contain the names of all SAM Servers in the URL in the zone mapping. The following methods can be used to update GPO:
To configure the Intranet Zone for computers:
1. Add the URLs to the following setting in GPO Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
2. Set the authentication mode to automatic logon only when in Intranet Zone in the following setting in GPO Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\{zone name}\Logon Options
To configure the Intranet Zone for Users:
1. Add the URLs to the following setting in GPO Editor: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
2. Set the authentication mode to automatic logon only when in Intranet Zone in the following setting in GPO Editor: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\{zone name}\Logon Options
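The eToken Update Alerts settings in the Desktop Agent Settings table above combine into one decision per check: whether to show a balloon, and with which text. The following Python is an added example of that decision and is not the Desktop Agent's code; the setting names and defaults come from the table, while the data layout (a list of certificate expiry dates for one token), the function names and the sample dates are constructed for the example.

```python
"""Added example (not SafeNet code): the expiry-alert decision that the
eToken Update Alerts settings describe, carried out over a constructed list
of certificate expiration dates for one token.

Setting names and defaults are taken from the Desktop Agent Settings table;
the data layout, the function names and the sample dates are assumptions of
this example.
"""
from datetime import date, timedelta

DEFAULTS = {
    "ignore_certificate_expiration_alert": 0,   # 0: expired certs count in the computation
    "pre_expiration_alert_period": 30,          # days
    "alert_text": "Your token content must be updated.",
    "pre_expiration_alert_text": "Data on your token expires in $EXPIRE_IN_DAYS.",
    "alert_title": "eToken Notification",
    "update_alert_minimum_interval": 14,        # days between server checks
}


def server_check_due(last_successful_check, today, settings=DEFAULTS):
    """True when 'Update alert minimum interval' days have passed since the last good check."""
    if last_successful_check is None:
        return True
    return today - last_successful_check >= timedelta(days=settings["update_alert_minimum_interval"])


def expiry_alert(expiry_dates, today, settings=DEFAULTS):
    """Return (title, text) for the balloon to show, or None when nothing is due."""
    dates = list(expiry_dates)
    if settings["ignore_certificate_expiration_alert"] == 1:
        dates = [d for d in dates if d >= today]     # already expired certs are ignored
    if not dates:
        return None
    earliest = min(dates)                            # the soonest expiry drives the alert
    days_left = (earliest - today).days
    if days_left <= 0:
        return settings["alert_title"], settings["alert_text"]
    if days_left <= settings["pre_expiration_alert_period"]:
        text = (settings["pre_expiration_alert_text"]
                .replace("$EXPIRY_DATE", earliest.isoformat())
                .replace("$EXPIRE_IN_DAYS", str(days_left)))
        return settings["alert_title"], text
    return None


# Constructed sample: two certificates on one token, one of them already expired.
TODAY = date(2010, 9, 21)
CERT_EXPIRY = [date(2010, 9, 1), date(2010, 10, 10)]

if __name__ == "__main__":
    print(expiry_alert(CERT_EXPIRY, TODAY))
    ignoring = dict(DEFAULTS, ignore_certificate_expiration_alert=1)
    print(expiry_alert(CERT_EXPIRY, TODAY, ignoring))
    print(server_check_due(date(2010, 9, 10), TODAY))
```

With the default of 0 for Ignore certificate expiration alert, the expired certificate keeps the "must be updated" text showing on every check; setting it to 1 drops that certificate from the computation and the balloon falls back to the pre-expiration text for the next certificate, which is the trade-off the two settings describe.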
Configuring Attendance Reports
Attendance Reports list token connection and removal events, enabling the system administrator to keep records of when tokens are in use, at what time the maximum number of tokens are in use, the days of the week when the maximum work is done, and other information.
Opening the Desktop Agent Settings Window
To open the Desktop Agent Settings window:
1. From Windows desktop select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager.
2. In the SAM Configuration Manager, select Action > IIS and Web Services > Desktop Agent.
The Desktop Agent Settings window opens.
Creating an Attendance Reports MS SQL Server Database
To create an MS SQL Server Attendance Reports database, do one of the following:
• Create an MDF File from the supplied SQL script and then attach it to an MS SQL Server.
• Copy the SQL script to the clipboard and use it in an external tool.
• Create the database when making a connection to the MS SQL Server.
To connect to an existing MS SQL Server database through an MS SQL Server connection:
1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.
2. Click Edit Connection. The Token Connection Audit Database window opens.
3. Select SQLServer, and click OK. The SQL Server window opens.
4. In the Select a server name field, select a server from the dropdown list.
Note: For the full name of the server to be displayed in the Select a server name field, the SQL Server Browser service must be running. To activate the service, select Start > Programs > Administrative Tools > Services. Right‐click SQL Server Browser, and select Start.
5. Select one of the following Authentication types:
• Use Windows authentication
• Use SQL Server authentication (enter Username and Password)
Note: If the Windows authentication option is selected, ensure that the SAM System Account has permissions to the MS SQL Server database. This is not required if SQL Server authentication is selected.
6. In the Database area, click Select, and select the required database.
7. Click OK.
Adding a Renamed MDF file to MS SQL Server
By default, the MDF file is saved with the filename SAMAttendanceReports.mdf, and the log file is saved with the default filename SAMAttendanceReports_log.ldf. If you change the name of one of the files, the file is not found when you attempt to add it to MS SQL Server.
To attach the renamed file, in the MS SQL Server Attach Databases window, in the database details list, click the browse button in the Current File Path field, navigate to the renamed file, and select it. It is then added correctly.
To save the SQL script to the Clipboard:
Click Copy to Clipboard.
To create a new MS SQL Database while creating a new connection:
1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.
2. Click Edit Connection. The Token Connection Audit Database window opens.
3. Select SQLServer, and click OK. The SQL Server window opens.
4. In the Select a server name field, select a server from the dropdown list.
Note: For the full name of the server to be displayed in the Select a server name field, the SQL Server Browser service must be running. To activate the service, select Start > Programs > Administrative Tools > Services. Right‐click SQL Server Browser, and select Start.
5. In the Database area, click New. The Create Database window opens.
6. Select the required authentication type, enter the new database name, and click OK. The new database is created.
7. Click OK.
Connecting to an Existing MS SQL Server Database through an ODBC Connection
To connect using an ODBC connection, do the following:
• Create an ODBC connector.
• Connect to an existing MS SQL Server database through an ODBC connection.
To create an ODBC Connector:
1. Select Start > Programs > Administrative Tools > Data Sources (ODBC). The ODBC Data Source Administrator window opens.
2. In the System DSN tab, click Add. The Create New Data Source window opens.
3. Select SQL Server, and click Finish.
The Create a New Database to SQL Server window opens.
4. Enter a name for the data source, enter a description, select the server to connect to, and click Next.
5. Select the required authentication options, and click Next.
6. Select the required options, and click Next.
7. Select the required options, and click Finish.
The ODBC Microsoft SQL Server Setup window opens.
8. Click OK.
To connect to an existing MS SQL Server database through an ODBC connection:
1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.
2. Click Edit Connection. The Attendance Configuration window opens.
3. Select ODBC, and click OK.
The Select ODBC Source window opens.
4. On the System DSN tab, select the required ODBC connector, and click OK.
Note: After connecting to MS SQL Server through an ODBC connection, the SQL Server Service must be restarted. To restart the service, select Start > Programs > Administrative Tools > Services. Right‐click SQL Server service, and select Restart.
Saving Data for Attendance Reports
Attendance reports contain a selected subset of token connection data. By selecting Save Token Connection Data, a full set of token connection data is created in an MS SQL Server data table. Each token connection is represented as an entry in the table. This makes the complete set of data available for examination and analysis.
Note: We recommend using this feature only when it is required for analytical purposes as the additional data imposes an extra load on the system.
To save the token connection data on the client:
1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.
2. Select Save Token Connection data, and click OK.
Clearing the Token Connection Data History
To clear the token connection data:
1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.
2. Select a date in the Clear Token Connection data created before field.
3. To clear the data even of open connections, select Include open connections. An open connection occurs when a connection has a start date but no end date. This can occur when the computer is shut down without the connections being closed, or when there is a technical fault.
4. Click Clear History.
5. Click OK.
Displaying an Error Message Following Server Error
To write an error to the log on the client computer following a server error:
1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.
2. Select Notify client upon server error, and click OK.
Note: We recommend using this feature only when it is required for analytical purposes or requested by support staff, to avoid an additional load on the system.
Configuring the Legacy Desktop Agent
The legacy Desktop Agent was superseded by the updated Desktop Agent introduced in TMS 2.0 SP4, but is still available in SAM 8.0 to support backward compatibility. The legacy Desktop Agent is configured using the SAM Desktop Agent Web Services, located on the SAM Server. It can be configured to determine the following:
The path where SafeNet eToken Rescue is temporarily saved
Whether the temporary SafeNet eToken Rescue is removed from the server
The time interval for messages arriving from tokens, used to determine if tokens are connected
The configurations are set in the web.config file, typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMAgentlegacy
The configuration settings are added to the <appSettings> section of the web.config file using the syntax shown in the following example (note the self‐closing element):
<add key="SoftTokenTempFolder" value="C:\Documents and Settings\Administrator\Local Settings\Temp" />
SAM Desktop Agent Web Services Settings
Key | Value Type | Description | Default
SoftTokenTempFolder | Path | The path where SafeNet eToken Virtual is saved temporarily | System Temp directory
DeleteSoftTokenTempFile | Boolean | Determines if the temporary SafeNet eToken Virtual is removed from the server | True
MaxTokenAliveIntervalSeconds | Integer | Sets the time after which the token is considered removed if no message has been received from the server | 6
Troubleshooting
The expiration alert is displayed to the user once in the period of time defined in the Desktop Agent settings. After the alert has been displayed once, the next alert is shown only after that period of time has elapsed. To force an expiration alert to be displayed before the defined period of time has elapsed, clear the Desktop Agent cache.
To clear the Desktop Agent cache:
1. Run Start > Run > regedit, and click OK.
2. Browse to the following registry key:
HKEY_CURRENT_USER\Software\SafeNet\Authentication\SAM\DesktopAgentII\TokenUpdateAlerts\VerificationTracking
3. Delete the key defined as type REG_DWORD.
4. Log off and then log on.
The appropriate expiration alert is displayed.
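As an added example (not SafeNet's own code), the following PowerShell script performs both procedures described above: it writes the legacy Desktop Agent appSettings into web.config without creating duplicate keys, and it clears the Desktop Agent cache by deleting the REG_DWORD values under the registry key listed in Troubleshooting. It assumes the typical web.config path and the registry key given in this section; the function names are hypothetical.

```powershell
# Added example (not SafeNet's own code): script the two procedures described
# above. The web.config path, the <appSettings> keys and the registry key are
# the ones this guide gives; the function names are hypothetical.

# Adds or updates <add key="..." value="..." /> entries in <appSettings>.
function Set-LegacyDesktopAgentSetting {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Settings,
        [string]$ConfigPath = 'C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMAgentlegacy\web.config'
    )
    $fullPath = (Resolve-Path -Path $ConfigPath).Path
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true          # keep the file's existing layout
    $config.Load($fullPath)

    $appSettings = $config.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $config.DocumentElement.AppendChild($config.CreateElement('appSettings'))
    }
    foreach ($key in $Settings.Keys) {
        # Match on the key attribute so an existing entry is updated, not duplicated.
        $node = $appSettings.SelectSingleNode("add[@key='$key']")
        if ($null -eq $node) {
            $node = $appSettings.AppendChild($config.CreateElement('add'))
            $node.SetAttribute('key', $key)
        }
        $node.SetAttribute('value', [string]$Settings[$key])
    }
    # Keep a copy of the previous file: saving web.config restarts the web application.
    Copy-Item -Path $fullPath -Destination "$fullPath.bak" -Force
    $config.Save($fullPath)
}

# Deletes the REG_DWORD values under VerificationTracking (the Desktop Agent
# cache), so the next expiration alert is shown before the configured interval.
function Clear-DesktopAgentAlertCache {
    param([switch]$WhatIf)
    $keyPath = 'HKCU:\Software\SafeNet\Authentication\SAM\DesktopAgentII\TokenUpdateAlerts\VerificationTracking'
    if (-not (Test-Path -Path $keyPath)) { return 0 }   # nothing cached yet
    $key = Get-Item -Path $keyPath
    $selected = 0
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
            Remove-ItemProperty -Path $keyPath -Name $name -WhatIf:$WhatIf
            $selected++
        }
    }
    return $selected   # values removed (or listed under -WhatIf); the user must still log off and on
}

# Usage: the three keys from the settings table (values constructed for the example).
Set-LegacyDesktopAgentSetting -Settings @{
    SoftTokenTempFolder          = 'C:\Documents and Settings\Administrator\Local Settings\Temp'
    DeleteSoftTokenTempFile      = 'True'
    MaxTokenAliveIntervalSeconds = '6'
}
"Cleared $(Clear-DesktopAgentAlertCache) cached alert value(s); log off and on again."
```

Run the clear step with -WhatIf first to list the values that would be deleted on the client before changing anything.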
Chapter 20
External Portals
SafeNet Authentication Manager is supplied with external portals, which are installed and configured separately from the main SafeNet Authentication Manager installation and configuration.
In this section:
Overview of SAM External Portals
Deliverables
Prerequisites
Installing the SAM External Portals
Configuring SAM Portals
Setting the Logon Credentials in Google Apps
Setting the Logon Credentials in Force.com
Logging on to the Cloud
Changing the OTP PIN in Google Apps
Configuring the Username Attributes
Overview of SAM External Portals
The following external portals are available:
eToken Anywhere Enrollment
MobilePASS Enrollment
MobilePASS Messaging
Cloud Authentication
In addition, the portal source code is available, to enable customization of the portals.
Deliverables
The following SAM External Portals installation files are provided:
SAMPORTALS‐x32‐8.0.msi (32‐bit)
SAMPORTALS‐x64‐8.0.msi (64‐bit)
Prerequisites
The following must be installed before installing the SAM External Portals:
IIS
ASP.NET
Installing the SAM External Portals
The SAM External Portals are delivered separately from the main SafeNet Authentication Manager application.
To install SAM External Portals:
1. Double‐click the appropriate installation file:
SAMPORTALS‐x32‐8.0.msi (32‐bit)
SAMPORTALS‐x64‐8.0.msi (64‐bit)
The SafeNet Authentication Manager‐Portals Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens.
4. To change the default destination folder, click Browse and navigate to the required folder.
Note: If SafeNet authentication applications or legacy eToken products were previously installed on the computer, it is not possible to select a different destination folder.
5. Click Next. The Select Installation Type window opens.
6. Select one of the following options:
Typical: Installs all portals
Complete: Installs all portals and source code
Custom: Enables you to select which portals to install
7. Click Next. The Ready to Install the Application window opens.
8. Click Next. The installation proceeds.
When the installation is complete, the SafeNet Authentication Manager ‐ Portals has been successfully installed window opens.
9. Click Finish to complete the wizard.
Configuring SAM Portals
The portals are configured using the SafeNet Authentication Manager Portals Configuration.
Configuring Roles for SAM Portals
Before adding portal connections, an operation must be added to the Administrator role in SafeNet Authentication Manager ‐ Authorization Manager.
To configure the Administrator Role:
1. Launch the SAM Configuration Manager (for more information, see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Authorization Manager > Edit Roles. The SafeNet Authentication Manager ‐ Authorization Manager opens.
3. Navigate to Management Center > Definitions > Role Definitions.
4. Right‐click Administrator and select Properties. The Administrator Definition Properties window opens.
5. In the Definition tab, click Add. The Add Definition window opens.
6. In the Operations tab, select op_web_service_api_access and click OK. You are returned to the Administrator Definition Properties window.
7. Click OK and exit the SafeNet Authentication Manager ‐ Authorization Manager.
Adding a Portal Connection
A connection must be added for each required portal:
eToken Anywhere Enrollment
MobilePASS Enrollment
MobilePASS Messaging
Cloud Authentication
To add a portal connection:
1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration. The SafeNet Authentication Manager ‐ Portals Configuration window opens.
2. Open the Connections tab and click Add. The Connection Details window opens.
3. Complete the fields as follows:
Field | Description
Connection Name | Enter a name for the connection
SAM Server URL | Enter the URL of the SAM Server, in the format http://hostname
Username | Enter the username (the username used for logging on to SAM)
Password | Enter the password (the password used for logging on to SAM)
Instance Name | Click Select; the Select SAM instance window opens. Select the instance name of the SAM database.
4. Click OK. The connection is added to the list of connections in the SafeNet Authentication Manager ‐ Portals Configuration window.
Configuring Cloud Logon
To configure cloud logon:
1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration. The SafeNet Authentication Manager ‐ Portals Configuration window opens.
2. Open the Cloud Configuration tab and click Add. The Add Configuration window opens.
3. Complete the fields as follows:
Field | Description
Configuration Name | Enter any name for the configuration
Service Provider | Select one of the following service providers: Google Apps; Force.com. Note: The user must have an account at the service provider.
Username Passed to the Service Provider | Select one of the following: Username entered in the cloud portal (the SAM username is the same as the username in Google or Salesforce); Use attribute in the user store (if selected, select the Attribute name from the drop-down list; for more information, see Configuring the Username Attributes on page 418)
Authentication Initiator | Select one of the following: Authentication Requests must be initiated by the Service Provider only (URL provided by Google; Google only. Important: Even though this option is not supported by Force.com, the field is not disabled when Force.com is selected); Authentication requests can be initiated by the Identity Provider (Force.com only; the URL is provided during configuration of Force.com)
4. To select logon page options, click Logon Page. The Cloud Logon Page Options window opens.
5. Select the links that you require in the cloud logon page (you can select one, both or none):
Send me the OTP in a message: Select this option when you have a MobilePASS enrolled
Send me a Challenge Code for my token: Select this option when using a token with challenge/response
6. Click OK. You are returned to the Add Configuration window.
7. Click OK. You are returned to the SafeNet Authentication Manager ‐ Portals Configuration window, Cloud Configuration tab. The configuration is added to the list.
8. Select the required configuration from the list and click Info. The Domain URL window opens.
9. Enter your company’s URL and click OK. The Cloud Configuration Info window opens.
10. The fields are displayed as follows:
Field | Description
Domain URL | Displays the domain URL
Sign-in page URL | Displays the sign-in page URL. Note: This URL is used for logging on to Salesforce, following configuration
Sign-out page URL | Displays the sign-out page URL (Google Apps only)
Change password URL | Displays the change password URL (Google Apps only)
Issuer Name | The computer where the SafeNet Authentication Manager External Portals are installed
11. To export the certificate, click Export Certificate. The Save As window opens.
12. Enter a file name and click Save.
Note: The certificate is imported into the Google Apps or Force.com portals when configuring the logon.
You are returned to the Cloud Configuration Info window.
13. Click Close.
Setting the Logon Credentials in Google Apps
After configuring the SAM portals, the logon settings must be entered into Google Apps.
To configure the logon settings in Google Apps:
1. In Google Apps, select Advanced Tools > Authentication > Set up Single Sign‐on (SSO).
2. Select Enable Single Sign‐on.
3. Enter the following fields as displayed in the Cloud Configuration Info window (see the Cloud Configuration Info window on page 415):
Sign‐in page URL
Sign‐out page URL
Change password URL
4. In the Verification Certificate field, click Browse, navigate to the verification certificate, and select the certificate. The verification certificate is the one exported from the Cloud Configuration Info window (see the Cloud Configuration Info window on page 415).
Setting the Logon Credentials in Force.com
To set the logon credentials in Force.com:
1. Log on to Force.com.
2. Select Setup > Security controls > Single sign‐on settings.
3. Select SAML Enabled.
4. Select SAML version 2.0.
5. Next to the Identity Provider Certificate field, click Browse and navigate to the certificate (the cloud certificate exported in the Cloud Configuration Info window).
6. In the Issuer field, enter the Issuer from the Cloud Configuration Info window.
7. Click Save. The salesforce.com login URL is displayed.
8. Copy the salesforce.com login URL supplied into the Service provider's domain URL field in the Edit Configuration window.
Configuring the Username Attributes
In the Add Configuration window, there is an option to select the content of a field in the user store as the username for logging on to the cloud. For more information, see Configuring Cloud Logon on page 412. Any field of an Active Directory (AD) user can be selected from the list of attributes. The selected field contains the username for the cloud logon. You can also create new fields to contain the username attributes.
Note: IIS must be restarted after changing the Username Attributes, because changing the Username Attributes also changes the URL (for more information, see Configuring Cloud Logon on page 412).
To create new username attributes in AD:
1. Open the SafeNet Authentication Manager ‐ Configuration Manager (For more information, see Launching the SAM Configuration Manager on page 180).
2. Select Action > Cloud Mapping. The Cloud Mapping window opens.
3. Enter the required username in a field (for example, Additional Name 1) and click OK.
Tip: In AD, the username must exist in the AD schema. To see the available usernames in the AD schema, run the following:
regsvr32 C:\windows\system32\schmngmt.dll
The field (in this example, Additional Name 1) appears in the attribute list in the Add Configuration window.
To create new username attributes in ADAM:
1. Open the SafeNet Authentication Manager ‐ Policy Manager.
2. Right‐click the user and select Properties. The Properties window opens.
3. In the Cloud tab, enter the required username in a field (for example, Additional Name 1) and click OK. The field (in this example, Additional Name 1) appears in the attribute list in the Add Configuration window.
Chapter 21
Customizing SAM Websites
You can change the text in SAM Self Service Center and SAM Rescue Service Center, and can replace the graphic files in SAM Management Center, SAM Self Service Center and SAM Rescue Service Center.
In this section:
Customizing Text
Customizing Graphic Files
Customizing Text
To change the text in the SAM Self Service Center and the SAM Rescue Service Center, carry out the following two steps:
Edit the text in the resource files
Implement the changes using the SAM Branding Tool
Editing the Text in the Resource Files
The text is contained in the resource files (.resx) located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\Resources
To change the text, open each resource file (for example, Resource.en‐US.resx) and use a text editor such as Notepad to make the required changes. The resource files are in XML format. The files are contained in three folders:
Folder | Subfolder | File
AppFramework (contains resource files with text that is common to both websites) | en‐US (English, USA) | AuditMessages.en-US.resx; Resource.en-US.resx; WebControlsResources.en-US.resx
SAMRescue (contains resource files with text for the SAM Rescue Service Center) | en‐US (English, USA) | Resource.en-US.resx
SAMService (contains resource files with text for the SAM Self Service Center) | en‐US (English, USA) | Resource.en-US.resx
Implementing Text Changes with the SAM Branding Tool
After changing the text in the resource files, the changes are implemented in the SAM Self Service Center and/or SAM Rescue Service Center using the SAM Branding Tool.
To implement the text changes:
1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Branding Tool. The Resource Compilation Tool window opens.
2. Complete the fields as follows:
Field | Description
ResGen.exe Path | The path to the ResGen.exe file (typically: C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\SDK)
al.exe path | The path to the al.exe file (typically: C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\SDK)
SafeNet Authentication Manager Path | The path to the SAM installation folder
Update SAMService | Select to update the SAM Self Service Center
Update SAMRescue | Select to update the SAM Rescue Service Center
Compile resources | Select to compile the resource files
Deploy compiled files | Select to deploy the compiled files to the SAM Self Service Center and/or SAM Rescue Service Center
Culture | Select the required localization from the list
3. To update the SAM Self Service Center and/or SAM Rescue Service Center with the changes, click Update Website.
4. To revert the SAM Self Service Center and/or SAM Rescue Service Center to their state before the changes, click Restore Website.
Customizing Graphic Files
You can replace the graphic files in the SAM Management Center, SAM Service Center and SAM Rescue Service Center. To do this, manually replace the graphic files located in the image folder of each of the websites. The replacement files must have dimensions identical to those of the files they replace. The image folders are typically located as follows:
SAM Management Center
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMManage\Images
SAM Self Service Center
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMService
SAM Rescue Center
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMRescue\images
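An added example, not from SafeNet, that enforces the identical‐dimensions rule above before a graphic is replaced: it reads the dimensions of both files with System.Drawing and copies the new file over the old one only if they match, keeping a copy of the original. The folder path is the typical SAM Management Center one given above; the file name is constructed and the function names are hypothetical.

```powershell
# Added example (not SafeNet's own code): replace a website graphic only when
# the replacement has exactly the dimensions of the file it replaces.
Add-Type -AssemblyName System.Drawing

# Returns the pixel width and height of an image file.
function Get-ImageSize {
    param([Parameter(Mandatory = $true)][string]$Path)
    $image = [System.Drawing.Image]::FromFile((Resolve-Path -Path $Path).Path)
    try {
        return [pscustomobject]@{ Width = $image.Width; Height = $image.Height }
    } finally {
        $image.Dispose()   # release the file handle so the file can be overwritten
    }
}

# Replaces the graphic of the same name in $ImageFolder with $NewFile, after
# checking that the dimensions are identical. Returns the path that was replaced.
function Update-SamWebsiteGraphic {
    param(
        [Parameter(Mandatory = $true)][string]$NewFile,
        [Parameter(Mandatory = $true)][string]$ImageFolder,
        [switch]$WhatIf
    )
    $leaf   = Split-Path -Path $NewFile -Leaf
    $target = Join-Path -Path $ImageFolder -ChildPath $leaf
    if (-not (Test-Path -Path $target)) {
        throw "No existing graphic named '$leaf' in $ImageFolder; nothing to replace."
    }
    $old = Get-ImageSize -Path $target
    $new = Get-ImageSize -Path $NewFile
    if ($old.Width -ne $new.Width -or $old.Height -ne $new.Height) {
        throw ("Dimension mismatch for {0}: existing {1}x{2}, replacement {3}x{4}." -f `
            $leaf, $old.Width, $old.Height, $new.Width, $new.Height)
    }
    # Keep the original so the website can be restored by hand if needed.
    Copy-Item -Path $target -Destination "$target.orig" -Force -WhatIf:$WhatIf
    Copy-Item -Path $NewFile -Destination $target -Force -WhatIf:$WhatIf
    return $target
}

# Usage (file name constructed for the example): replace a logo in the Management Center.
Update-SamWebsiteGraphic -NewFile 'C:\Branding\new\logo.gif' `
    -ImageFolder 'C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMManage\Images' -WhatIf
```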
Part IV SAM Management
The following chapters describe how to manage SafeNet Authentication Manager using the SAM Management Center.
In this section:
Chapter 22: SAM Management Center Main Features (page 429)
Chapter 23: Helpdesk (page 437)
Chapter 24: Deployment (page 497)
Chapter 25: Inventory (page 517)
Chapter 26: Reports (page 533)
Chapter 27: Downloads (page 563)
Chapter 22
SAM Management Center Main Features
The SAM Management Center is a web‐based application that enables the administrator to control all SafeNet Authentication Manager activities.
In this section:
Client Requirements
Browser Settings
OTP Tokens
SafeNet eToken Virtual Products
eToken Network Logon
Client Requirements
To perform activities requiring access to a connected token, the following client applications must be installed on the SAM Management Center computer:
SafeNet Authentication Client
SAM Client
If the client applications are not installed, only activities relating to the SAM inventory can be controlled.
Browser Settings
We recommend assigning your browser the following settings:
For the SAM Management Center website to display correctly, set the browser's Text Size to Medium. On the browser toolbar, select View > Text Size > Medium.
Set the SAM Management Center as a Local Intranet Site. On the browser toolbar, select Internet Options > Security > Local Intranet.
OTP Tokens
OTP authentication requires a user to submit a One‐Time Password. The following tokens provide an OTP for authentication:
Hardware tokens on which an OTP is generated and displayed
Temp OTP, a static value provided to a user for temporary use until an OTP generating device is available
Mobile‐based platforms running a MobilePASS client software application
MobilePASS Messaging applications that send generated OTPs as SMS (Short Message Service) messages to the user’s mobile device, or as messages to the user’s email address
SafeNet eToken Virtual products
Temp OTP
If a user’s token is lost or damaged, and temporarily cannot be replaced, the user can request a Temp OTP to replace the token’s OTP function. A Temp OTP is a static value to use in place of a generated OTP for a limited time. Since its value does not change, it provides only a low level of security.
MobilePASS Tokens
There are two types of MobilePASS tokens:
MobilePASS Token Enrolled on a Mobile Device
MobilePASS Messaging Token
MobilePASS Token Enrolled on a Mobile Device
A MobilePASS client software application can be enrolled on the user’s mobile device to generate an OTP without the need for a physical token. After a MobilePASS token is enrolled, instruct the user to do the following whenever an OTP is required:
a. Open the MobilePASS application on the mobile device.
b. Enter the MobilePASS PIN, if required, to generate an OTP.
c. Copy the generated OTP into the application, together with other authentication data, such as the OTP PIN or Windows password, if required.
MobilePASS Messaging Token
A MobilePASS Messaging token is associated with a user’s mobile device number or email address. After a MobilePASS Messaging token is enrolled, instruct the user to do the following whenever an OTP is required:
a. Open the MobilePASS Messaging Portal and enter the user name and password.
b. Enter the MobilePASS PIN, if required, to generate an OTP. A generated OTP is sent as an SMS (Short Message Service) message to the user’s mobile device, or as a message to the user’s email address.
c. Copy the generated OTP into the application, together with other authentication data, such as the OTP PIN or Windows password, if required.
SafeNet eToken Virtual Products
A SafeNet eToken Virtual product is a software token that functions like a physical smartcard device. It can contain all private and public data normally found on a hardware token, such as SSO profiles, OTP generation facilities, and certificates. Depending on who performs the enrollment, a SafeNet eToken Virtual product can be enrolled on either of the following:
an external storage device
any computer running SafeNet Authentication Client
A SafeNet eToken Virtual or SafeNet eToken Virtual Temp enrolled on a computer is stored in the personal Documents folder, in the eTokenVirtual subfolder. Its filename extension is .etvp.
Note: The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.
SafeNet eToken Virtual Storage:
Enrolled by | External storage device | Computer
Administrator | Yes | No
User | Yes, depending on the SAM configuration (see SafeNet eToken Virtual locking method on page 165) | Yes, depending on the SAM configuration (see SafeNet eToken Virtual locking method on page 165)
SafeNet eToken Virtual
A SafeNet eToken Virtual is a software token with no limitations. The administrator uses the SAM Management Center to enroll a SafeNet eToken Virtual to an external storage device. The SafeNet eToken Virtual enrollment process does the following:
a. Creates a SafeNet eToken Virtual on the external storage device connected to the administrator’s PC.
b. Sets an initial Token Password.
c. Optionally generates an enrollment letter.
d. Locks the SafeNet eToken Virtual to the external storage device.
The external storage device is delivered to the user in a locked state.
Note: The user must authenticate using the external storage device on which the SafeNet eToken Virtual was enrolled. A SafeNet eToken Virtual cannot be used to authenticate if it is copied to a computer or to a different device.
SafeNet eToken Virtual Temp
A SafeNet eToken Virtual Temp is a SafeNet eToken Virtual that can be used for a limited period of time. It replaces an enrolled physical token. Its content can include time‐limited certificates and time‐limited OTP profiles. For each enrolled physical token, one SafeNet eToken Virtual Temp can be enrolled. A SafeNet eToken Virtual Temp is enrolled the same way as a SafeNet eToken Virtual.
SafeNet eToken Rescue
A user’s token content can be saved as a secure backup file, known as a SafeNet eToken Rescue. The user can store the SafeNet eToken Rescue on either of the following:
an external storage device
a computer
If the user loses or damages the token while on the road, the user can request to use the SafeNet eToken Rescue as a time‐limited emergency software token, enabling uninterrupted productivity until a replacement token is available. A SafeNet eToken Rescue can be used in place of an enrolled token for a limited time. The default SafeNet eToken Rescue expiration period is 14 days from the date the file was activated to be used as a software token.
SafeNet eToken Rescue Use Case
The following describes how a SafeNet eToken Rescue is used:
a. Sarah, a user, downloads a SafeNet eToken Rescue before she leaves on a trip, so that the up‐to‐date content on her token is backed up.
b. Sarah discovers that her token is lost, but she is away from the office, and cannot replace it with a new physical token.
c. She reports the token as lost through the SAM Rescue Service Center or directly to the system administrator, and requests access to the downloaded SafeNet eToken Rescue.
d. A SafeNet eToken Rescue password is disclosed to Sarah by the SAM Rescue Service Center or by the system administrator.
e. Sarah authenticates to her applications using the token content saved on the SafeNet eToken Rescue, accessed with the SafeNet eToken Rescue password.
eToken Network Logon
eToken Network Logon uses information stored on a device or on a SafeNet eToken Virtual product to identify and authenticate a user to the network or to a local computer. The authentication credentials may be:
A profile, consisting of a user ID, a domain to which the user belongs, a password, and a set of options
A smartcard logon certificate
Since network logon credentials are mapped from the token or device to the user’s account, users need remember only their Token Password. eToken Network Logon enables:
Strong two‐factor user authentication
Secure generation and use of long and complex network passwords, without requiring users to remember them
Token password policy stored on the token itself
You can initialize eToken Network Logon profiles on users' tokens for all users in an Organizational Unit (OU) by attaching a SAM Connector for Network Logon rule to the OU. Use the SAM Connector for Microsoft CA to create smartcard logon certificates. Set keys to determine network logon behavior, such as:
whether the user can decide which logon method to use, or whether priority is given to a specific logon method
whether all users, including the administrator, must use a token to log on to the specific computer
token removal behavior
eToken Network Logon Device Options
The following tokens can be used to authenticate with an eToken Network Logon profile:
Device Type | Authentication Method: Profile | Authentication Method: Certificate | Authentication Method: Static Value
USB token or smartcard | X | X | 
SafeNet eToken Virtual product | X | X | 
Temp Logon |  |  | X
eToken Network Logon Use Case
The following describes the process of authenticating to a network using eToken Network Logon:
a. The administrator or the user creates an eToken Network Logon profile on the user’s token.
b. Each time the user wants to initiate a network logon, they connect their token to the computer. A prompt appears asking for the Token Password.
c. The user enters the Token Password and is authenticated by SAM.
d. eToken Network Logon uses the logon information stored on the token to identify and authenticate the user to the network.
Chapter 23
Helpdesk
Use the SAM Helpdesk to manage tokens, and to unlock a user.
Note: The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.
In this section:
Helpdesk Page Overview
Accessing the Helpdesk Page
Unlocking a User
Enabling a Temp Logon
Enabling User Access to a SafeNet eToken Rescue
Resetting the Default User Password
Revoking a User's Token
Unassigning a User's Token
Unlocking a User's Token
Temporarily Disabling a Token
Enabling a Token
Replacing a User's Token
OTP Options
Certificate Recovery Workflow Options
Helpdesk Page Overview
The left panel contains the following:
Tabs for selecting the different SAM Management Center pages
Search parameters: The administrator selects the domain, the token filter, and up to two different search criteria to be combined in a single search
Relevant SAM system notifications
Search results are displayed in the right panel:
At the top right of the panel: The number of records matching the search criteria, and paging operations
In the middle section: Details of each token matching the search criteria
Below the displayed tokens: Applications enrolled on the selected token, if present
At the bottom of the right panel, the administrator selects an option:
Below the Application box, if displayed: OTP options
Along the bottom of the panel: Token‐related options
Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.
Accessing the Helpdesk Page
Log on to your company’s local network, and access the SAM Helpdesk through the SAM Management Center.
Note: Each company has its own SAM Server. This guide uses the name localhost to represent your company’s SAM Server. When following the steps in the procedure, replace <localhost> with the name of your company’s SAM Server.
To access the Helpdesk page:
1. Open your web browser, and go to http://<localhost>/SAMmanage, where <localhost> is the name of your company’s SAM Server.
Note: For the website to display properly, ensure that the browser’s Text Size is set to Medium.
a. On the browser toolbar, click View.
b. From the dropdown menu, select Text Size > Medium.
2. Depending on your user store, a logon window may open.
You may be required to provide logon credentials, such as Domain, Username, and Password.
You may have an option to select Keep me signed in, which enables you to re‐open the SAM Management Center within a predefined time period without needing to log on again.
The SAM Management Center opens to the Helpdesk page.
3. In the left panel, select the domain, and up to two different search criteria to determine which tokens are displayed.

4. For each selected filter, enter or select the search criteria described in the following table.

Search for (Filter) / Search criteria (Options)

Connected tokens
None

Tokens by serial no
Enter a character string to search for all token serial numbers beginning with that character string.
The length of a token’s serial number is determined by the token type:
USB tokens: 8 characters
eToken PASS devices: 12 characters
SafeNet eToken Virtual products: 16 characters
MobilePASS tokens: 16 characters
Note: The serial number of a physical token is the rightmost hexadecimal digit string printed on the token case.

Tokens by user
Enter a character string to search for all usernames beginning with that character string.
Note: Usernames are not case-sensitive.

Tokens by status
Select from a list of token status types.
Content Status: Disabled, Empty, Enabled, Revoked, SafeNet eToken Rescue
Physical Status: Damaged, Lost, Normal

Tokens by approval
Select the appropriate approval status: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved

Tokens by user group
Enter a character string to search for the tokens of all users in groups whose name begins with that character string.
Note: User group names are not case-sensitive.

Tokens by user OU
In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/, followed by the names of lower-level OUs separated by slashes, if required.
For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name.
In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/, followed by the names of lower-level OUs separated by slashes, if required.
For example: DName1.com/Marketing/Advertising

Tokens by model
Select from a list of token models in the SAM inventory.

Unassigned tokens
None

Token history by user
If the History Tokens feature is enabled in your TPO, enter a character string to search for all tokens whose history includes usernames beginning with that character string.
Note: Usernames are not case-sensitive.

Token history by approval
If the History Tokens feature is enabled in your TPO, select the appropriate approval status in the token history: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved

5. Click Go.
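The two OU path formats in the table are easy to get wrong when a script builds search strings for the SAM inventory. The following Python function is an added example, not part of this guide or of SAM: it splits a search string into its root and OU segments and rejects malformed input. It encodes only the two formats documented above; the regular expression for a DNS-style domain root, the rejection of empty or padded segments, and the tolerance of one trailing slash are assumptions, and whether SAM applies the same checks server-side is not stated here.

```python
"""Parse the two OU path formats accepted by the "Tokens by user OU" filter.

Added example for this guide, not SafeNet code. Only the two documented
formats are encoded:
  non-AD:  <instance name>/<OU name>[/<lower-level OU>...]
  AD:      <domain>.<extension>/<OU name>[/<lower-level OU>...]
The validation rules below (segment and domain regexes, optional trailing
slash) are assumptions; SAM's own server-side checks are not documented here.
"""
from dataclasses import dataclass
import re

# Assumption: a segment is any non-empty text without surrounding whitespace.
# The slash is the separator, so it can never appear inside a segment.
_SEGMENT = re.compile(r"^\S(?:.*\S)?$")
# Assumption: an AD root looks like DName1.com, i.e. DNS labels joined by dots.
_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


@dataclass(frozen=True)
class OuPath:
    environment: str   # "ad" or "non-ad"
    root: str          # <domain>.<extension> (AD) or <instance name> (non-AD)
    ous: tuple         # OU names, top level first

    def __str__(self) -> str:
        return "/".join((self.root,) + self.ous)


def parse_ou_path(text: str, active_directory: bool) -> OuPath:
    """Split a search string into root and OU segments; raise ValueError if malformed."""
    segments = text.split("/")
    # The guide writes the format with a trailing slash after the OU name;
    # accept one optional trailing slash after a complete path and nothing else.
    if len(segments) > 2 and segments[-1] == "":
        segments = segments[:-1]
    if len(segments) < 2:
        raise ValueError("expected <root>/<OU name>, got %r" % text)
    for seg in segments:
        if not _SEGMENT.match(seg):
            raise ValueError("empty or padded segment in %r" % text)
    root, ous = segments[0], tuple(segments[1:])
    if active_directory:
        if not _DOMAIN.match(root):
            raise ValueError("AD root must be <domain>.<extension>, got %r" % root)
        return OuPath("ad", root, ous)
    return OuPath("non-ad", root, ous)
```

Both examples from the table parse to the same two OU segments; a bare instance name, a doubled slash, or an AD path whose root is not a dotted domain are rejected before they reach the search form.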
The following is an example of a Helpdesk window following a successful search.
Details of the tokens matching your search criteria are displayed in the right panel.
Note:The number of tokens found in each search is limited. See Configuring Features of the SAM Management Center on page 187.
Label / Description

Account Name
User’s account name

Type
Icon and description of the token model

Serial Number
Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token

Status
1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked
2. Physical Status: Damaged, Lost, Normal

6. Click the Select button of the appropriate token.
7. If the selected token contains one or more connector applications, an Application box is displayed.
a. In the Application box, click an application’s Detail link to open an Application Details dialog box.
b. If there is more than one application, click the Select button of the required connector application to see its details.
c. Click Close to close the dialog box.
8. Do one of the following:
If the selected token is an OTP token, select one of the enabled OTP options. See OTP Options on page 470.
If the selected token is eligible for the Certificate Recovery workflow, select one of the Certificate Recovery options. See Certificate Recovery Workflow Options on page 483.
Select one of the enabled options at the bottom of the panel.
Option Type / Button / Description

Token-related options

Reset Pwd
Reset the Token Password to the token default password. See Resetting the Default User Password on page 455.

Revoke
Permanently revoke the certificates on the token, and make the token unusable. See Revoking a User's Token on page 455.

Unassign
Disassociate the token from any user, and erase its content from the SAM inventory. See Unassigning a User's Token on page 457.

Unlock
Unlock the token after the allotted number of unsuccessful authentication attempts is exceeded. See Unlocking a User's Token on page 459.

More Actions > Disable
Disable the token temporarily so that it cannot be used. See Temporarily Disabling a Token on page 462.

More Actions > Enable
Enable the disabled token so that it can be used. See Enabling a Token on page 464.

More Actions > Replace
Revoke the token if it is not yet revoked, and load a new token with its content. See Replacing a User's Token on page 465.

User-related options

More Actions > Unlock User
Unlock the user after non-matching authentication questionnaire answers were entered more than the allotted number of times. See Unlocking a User on page 447.

More Actions > Temp Logon
Assign the user a temporary password to use for network logon. See Enabling a Temp Logon on page 449.

More Actions > eT Rescue
Enable user access to a SafeNet eToken Rescue backup file. See Enabling User Access to a SafeNet eToken Rescue on page 452.

Unlocking a User

To authenticate to the SAM Rescue Service Center or to certain SAM Helpdesk services, users must enter the same authentication questionnaire answers that they entered in the SAM Self Service Center. A user becomes locked if non-matching answers are entered more than the allotted number of times. Unlock a locked user to allow the user to access the SAM Rescue Service Center.

Tip: If the user does not remember the authentication questionnaire answers, instruct the user to complete the authentication questionnaire again in the SAM Self Service Center.

To unlock a locked user:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of one of the locked user’s tokens, and in the More Actions dropdown menu, select Unlock User.
3. The Unlock User Access window opens.
4. Click Run.
A User successfully unlocked message is displayed.
5. Click Done.
Enabling a Temp Logon

If a user’s token is lost or damaged, and the user’s account is configured for smartcard logon in Active Directory, you can grant the user a temporary logon password to use for network logon. For its validity period this password stands in for the token as the user’s logon credential, so set the expiration date no later than the expected delivery of the replacement token.

To enable a Temp Logon for a user:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of one of the user’s tokens, and in the More Actions dropdown menu, select Temp Logon.
3. Depending on your SAM configuration, the Authentication Questions window opens.
Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.
4. The Enable a Temporary User Logon Password window opens.
5. Do the following:
a. In the Temporary Logon Password field, enter a character string that meets the password complexity requirements defined in your SAM configuration.
b. In the Valid until field, enter or select an expiration date for the Temp Logon.
c. Click Run.
A Temporary logon successfully enabled message is displayed.
6. Inform the user of the new Temp Logon password and its expiration date.
7. Click Done.
8. Arrange for the delivery of a new token to the user.
Enabling User Access to a SafeNet eToken Rescue

Depending on your company’s SAM configuration, users can save their token content to a SafeNet eToken Rescue, a secure backup file on their computer or external storage device. A SafeNet eToken Rescue is not accessible to the user until it is activated. If a user’s enrolled token is subsequently lost or damaged, access to the SafeNet eToken Rescue is enabled by one of the following methods:
Using the SAM Management Center, the administrator enables user access.
Using the SAM Rescue Service Center, the user requests access.

A SafeNet eToken Rescue is used as a temporary token replacement. It is accessible for a limited time only, and only through a password that is disclosed when the token is reported as lost or damaged. Depending on your SAM configuration, a SafeNet eToken Rescue may include the following content that was on the token:
Certificates
Network Logon profiles
OTP generation

If the user needs other token content, such as WSO profiles, instruct the user to restore them to the SafeNet eToken Rescue from backup files.

To enable user access to a SafeNet eToken Rescue:

1. Use the SAM Helpdesk page to search for the token for which a SafeNet eToken Rescue has been downloaded.
2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select eT Rescue.
3. Depending on your SAM configuration, the Authentication Questions window opens.
Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.
4. The Activate User Access to a SafeNet eToken Rescue window opens.
5. Do the following:
a. In the What happened to the token field, select one of the following:
The token is lost
The token is damaged
b. In the Valid until field, enter or select an expiration date for the SafeNet eToken Rescue.
Note: Since a SafeNet eToken Rescue provides a lower level of security than a standard token, we recommend limiting its use to the number of days needed to deliver a new physical token.
c. Click Run.
The following new information is displayed:
the SafeNet eToken Rescue password
a User access successfully activated message
6. Copy the following information, and send it to the user:
the SafeNet eToken Rescue password
the SafeNet eToken Rescue expiration date
7. Click Done.
8. Arrange for the delivery of a new token to the user.
Resetting the Default User Password

SAM can create an administrator password during token initialization and save it to the token. Should the token become locked, SAM uses the administrator password to unlock it. The Allow token unlock TPO setting determines if an administrator password is saved to the token. See Recovery Settings on page 166.
If a token was initialized in SAM with an administrator password, the token’s user password can be reset to the company’s default password at any time. After the token’s user password is reset, your company’s SAM configuration determines if the user is required to change the password. Until the user changes it, the token is protected only by a default value known throughout the company, so confirm that the token is in the user’s possession before resetting it.

To reset the user password to the default password:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and click Reset Pwd.
The Reset Token Password window opens.
3. Click Run.
A Token Password successfully reset message is displayed.
4. Click Done.
Revoking a User's Token

For security reasons, revoke a lost or damaged token as soon as possible.

Note: Depending on your SAM configuration, when a user is deleted from the AD domain, the user’s tokens are automatically unassigned.

When a token is revoked, the following occurs:
The token’s status is set to Revoked in the SAM inventory.
The token remains associated with its user.
The following token content can never be used again for authentication, and is physically deleted from the token should the token be subsequently connected:
Certificates
Network Logon profiles (with a random password)
OTP generation

Note: Personal token content, such as WSO and SSO profiles, is not deleted, but becomes unusable.

Deletion from the device happens only when the token is next connected. Until then a lost token still physically holds its content; it is the Revoked status in SAM that stops that content from being accepted for authentication, which is why revocation should not wait for the token to be found.

To revoke a token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and click Revoke.
The Revoke a Token window opens.
3. In the Reason for revocation dropdown box, select the appropriate reason:
Damaged
Lost
Upgrade
4. Click Run.
A Token successfully revoked message is displayed.
5. Click Done.

To reuse a revoked token, do one of the following:
Remove the token from the SAM inventory. For more information, see Chapter 25: Removing a Token from the SAM Inventory, on page 530.
Initialize the token to delete its user-specific token content. For more information, see Chapter 25: Initializing a Token, on page 523.
Unassigning a User's Token

For security reasons, unassign all of a user’s tokens when the user leaves the company.

Note: Depending on your SAM configuration, when a user is deleted from the AD domain, the user’s tokens may be automatically unassigned.

The unassigning process revokes the token, and also disassociates it from its user.

To unassign a token:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of the user’s token, and click Unassign.
The Unassign a Token window opens.
3. Click Run.
A Token successfully unassigned message is displayed.
4. Click Done.
Repeat this process for all of the user’s tokens.
Unlocking a User's Token

If a user consecutively enters an incorrect Token Password more than the allotted number of times, the token becomes locked. Use the Challenge-Response system to unlock the token, and to enable the user to set a new Token Password.
If a token is locked, the user must select Unlock Token in one of the following SafeNet applications:
SafeNet Authentication Client Tools
eToken Network Logon

To enable a user to unlock a locked token:

1. After the user contacts you to report that the token is locked, instruct the user to follow the Unlock Token instructions in the SafeNet application until a Challenge Code is generated.
2. Use the SAM Helpdesk page to search for the appropriate token.
3. Click the Select button of the appropriate token, and click Unlock.
4. Depending on your SAM configuration, the Authentication Questions window opens.
Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.
5. The Unlock a Token window opens.
6. Ask the user to send you the 16-character Challenge Code displayed in the SafeNet application, and paste or enter it in the Challenge Code field.
7. Click Run.
The following information is displayed:
a 16-character Response Code
a Response Code successfully generated message
8. Copy the generated Response Code, and send it to the user.
9. Instruct the user to complete the Unlock Token instructions in the SafeNet application using the generated Response Code.
10. Click Done.
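The guide gives only the shape of the unlock exchange: a 16-character Challenge Code generated on the user’s side and a 16-character Response Code that SAM computes from the administrator password saved on the token (see Resetting the Default User Password). The Python model below is an added example, not SafeNet code, and shows why the exchange is safe to relay over a helpdesk call: the response is bound to one fresh challenge, so a Response Code that is overheard or reused unlocks nothing. The HMAC-SHA256 construction, the hexadecimal alphabet, the one-attempt-per-challenge rule, and the sample serial number and key are assumptions; SAM’s actual algorithm is not documented on this page.

```python
"""Challenge-response token unlock, modelled with a generic HMAC construction.

Added example for this guide, not SafeNet code. The page documents only the
shape of the exchange: the locked token shows a 16-character Challenge Code,
SAM computes a 16-character Response Code from the token's administrator
password, and the token accepts it. The algorithm below (HMAC-SHA256 keyed by
the administrator key, truncated to 16 hex characters), the one-attempt-per-
challenge rule, and the sample serial and key are assumptions.
"""
import hashlib
import hmac
import secrets

CODE_LEN = 16
HEX = set("0123456789ABCDEF")


def _response(admin_key: bytes, serial: str, challenge: str) -> str:
    """Response = HMAC(admin_key, serial || ':' || challenge), first 16 hex chars."""
    mac = hmac.new(admin_key, (serial + ":" + challenge).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:CODE_LEN].upper()


class LockedToken:
    """The user's side: the token and the 'Unlock Token' dialog of the SafeNet client."""

    def __init__(self, serial: str, admin_key: bytes):
        self.serial = serial
        self._admin_key = admin_key      # written at initialisation, never shown to the user
        self._challenge = None
        self.locked = True

    def issue_challenge(self) -> str:
        """Generate a fresh random challenge; any earlier one is discarded."""
        self._challenge = secrets.token_hex(CODE_LEN // 2).upper()
        return self._challenge

    def unlock(self, response: str) -> bool:
        """Accept a response only for the current challenge, then consume the challenge."""
        if self._challenge is None:
            return False
        expected = _response(self._admin_key, self.serial, self._challenge)
        self._challenge = None           # one attempt per challenge: a retry needs a new code
        if hmac.compare_digest(expected, response.strip().upper()):
            self.locked = False
            return True
        return False


class HelpdeskServer:
    """SAM's side: holds administrator keys by serial, never the user's Token Password."""

    def __init__(self, admin_keys: dict):
        self._keys = dict(admin_keys)

    def response_for(self, serial: str, challenge: str) -> str:
        """What the Helpdesk 'Unlock a Token' window computes from the pasted challenge."""
        challenge = challenge.strip().upper()
        if len(challenge) != CODE_LEN or not set(challenge) <= HEX:
            raise ValueError("Challenge Code must be 16 hexadecimal characters")
        return _response(self._keys[serial], serial, challenge)


def demo_unlock():
    """Walk through steps 1-9 once, then show that the Response Code cannot be reused."""
    admin_key = bytes(range(32))                          # constructed sample key
    token = LockedToken("0A1B2C3D", admin_key)            # constructed sample serial
    sam = HelpdeskServer({"0A1B2C3D": admin_key})

    challenge = token.issue_challenge()                   # step 1: user reads it out
    response = sam.response_for("0A1B2C3D", challenge)    # steps 6-8: helpdesk computes it
    first = token.unlock(response)                        # step 9: user types it in

    token.locked = True                                   # the token locks again later...
    token.issue_challenge()                               # ...and shows a new challenge
    replay = token.unlock(response)                       # the old response is useless
    return first, replay
```

The property worth remembering from this model is that the Response Code is useless to anyone who does not also hold the exact Challenge Code it was computed for, which is why the helpdesk never needs the user’s Token Password and why the user sets a new one afterwards.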
Temporarily Disabling a Token

For security reasons, temporarily disable an enrolled token that is not needed for an extended period. If a token is disabled, it must be enabled before it can be used again.

To temporarily disable a token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select Disable.
The Disable a Token window opens.
3. Click Run.
A Token successfully disabled message is displayed.
4. Click Done.
The token’s status is changed to Disabled.

Enabling a Token

If a token is disabled, it must be enabled before it can be used again.

To enable a token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select Enable.
The Enable a Token window opens.
3. Click Run.
A Token successfully enabled message is displayed.
4. Click Done.
The token’s status is changed to Enabled.
Replacing a User's Token

Replace a user’s token for one of the following reasons:
To meet the demands of new technology, an outdated token must be replaced with a new model.
The user’s token is revoked.
The user’s token is lost or damaged.

When upgrading tokens to newer models, instruct users to do the following:
a. Before their tokens are upgraded, users should back up their personal token content, such as WSO profiles.
b. After their new tokens are enrolled, users should restore the saved data from the backup files to their tokens.

Tip: Personal token content not saved by SAM should be routinely backed up by all users, so that if their token is lost or damaged, the backed-up data can be restored to a replacement token.

When you replace a token, the following activities occur:
a. Revoke: revokes the original token if it is not yet revoked.
b. Add: adds the replacement token to the SAM inventory if it is not already there.
c. Initialize, depending on your SAM configuration: deletes all user-specific token content on the replacement token and applies the TPO settings.
d. Assign: associates the replacement token with a specific user.
e. Enroll: loads the replacement token with data needed for user authentication. Depending on your SAM configuration, this content may include:
Certificates
Network Logon profiles
eToken SSO profiles
OTP generation

To replace a user’s token:

1. Use the SAM Helpdesk page to search for the token to be replaced.
2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select Replace.
The Replace token window opens.
3. If the token has not yet been revoked, the Reason for replacement dropdown box is displayed. Open the dropdown box, and select the appropriate reason:
Damaged
Lost
Upgrade
4. Depending on your SAM configuration, select Initialize token to initialize the token.
5. Depending on your SAM configuration, click Customize replacement to enroll only some of the default connector applications onto the token.
The Applications to Enroll dialog box opens, displaying the available connectors.
Select the appropriate connectors to enroll, and click OK.
6. Do one of the following:
If the new token is a physical token, connect it, and disconnect all other tokens not yet assigned, so that the enrollment is written only to the intended device.
Depending on your SAM configuration, if the new token is a SafeNet eToken Virtual, connect an external storage device, and select Create a new SafeNet eToken Virtual.
7. Click Run.
8. Depending on the connectors enrolled, an authentication window opens.
a. You may be required to do the following:
For the Connector for OTP Authentication, enter an OTP PIN, and confirm it.
For the Connector for Network Logon, enter a logon password, and confirm it.
b. Click Continue.
9. A Token successfully enrolled message is displayed.
10. Click Done.
OTP Options

If the selected token on the SAM Helpdesk page contains a Connector for OTP Authentication application, click the Select button of the application to display the appropriate token OTP options.

Button / Description

Extend OTP
Extend the expiration date of a Temp OTP or of a time-limited OTP token. See Extending an OTP on page 471.

OTP Token
Cancel the Temp OTP, and require the user to authenticate using an OTP that is generated on the selected token. See Replacing a Temp OTP with an OTP Token on page 473.

Temp OTP
Create a temporary OTP value for the user to submit for OTP authentication in place of the selected token. See Replacing an OTP Token with a Temp OTP on page 474.

OTP PIN
Reset the OTP PIN. See Resetting an OTP PIN on page 477.

Validate OTP
Validate the token’s OTP generator. See Validating an OTP Token on page 478.

Lock OTP
Temporarily disable OTP authentication. To enable OTP authentication again, select Unlock OTP. See Locking an OTP on page 480.

Unlock OTP
Enable OTP authentication after it has been temporarily disabled. See Unlocking an OTP on page 482.
Extending an OTP

You can delay the expiration date of a Temp OTP or of a time-limited OTP token by setting a later expiration date.

To extend an OTP expiration date:

1. Use the SAM Helpdesk page to search for the appropriate token whose OTP has an expiration date.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Extend OTP.
The Extend the OTP Expiration Date window opens, and the current expiration date is displayed.
5. Enter or select a new expiration date, and click Run.
An extended successfully message is displayed.
6. Click Done.

Replacing a Temp OTP with an OTP Token

Use the OTP Token option to cancel a Temp OTP as soon as a new OTP token is available to replace it.

To replace a Temp OTP with an OTP token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click OTP Token.
The Unlock an OTP-Only Token window opens.
5. Click Run.
A Temp OTP usage cancelled message is displayed.
6. Click Done.
The Temp OTP is cancelled, and the user is required to use an OTP generated on the token to authenticate.
Replacing an OTP Token with a Temp OTP

If an OTP token is lost or damaged, enable a Temp OTP to replace the OTP function. A Temp OTP is a static value to use in place of a generated OTP. Its value does not change, so for its lifetime it is effectively a second password rather than a one-time code and provides only a low level of security. It is valid for a limited time.

To replace an OTP token with a Temp OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Temp OTP.
The Generate a Temporary Password window opens.
Note: If a Temp OTP is already enabled, a message is displayed that it will be cancelled. The new Temp OTP will replace it.
5. Enter or select an expiration date for the Temp OTP, and click Run.
The following information is displayed:
the Temp OTP value to use instead of an OTP
a successfully generated message
6. Write down the Temp OTP value.
7. Click Done.
8. Send the Temp OTP value to the user, together with the following instructions:
a. Record the Temp OTP value in a safe place.
b. Provide the Temp OTP value in place of a value generated on the OTP token.
c. Contact the system administrator to request a replacement Temp OTP if you suspect the Temp OTP value has been compromised.
d. When a new OTP token is available, the Temp OTP will be cancelled.
Use the OTP Token option to cancel the Temp OTP as soon as a new OTP token is available to replace it.
Resetting an OTP PIN

Reset the OTP PIN if the user has forgotten it.

To reset an OTP PIN:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click OTP PIN.
The Reset OTP PIN window opens.
5. Enter a new OTP PIN, confirm it, and click Run.
A successfully reset message is displayed.
6. Click Done.
7. Send the new OTP PIN to the user.
Validating an OTP Token

If the user repeatedly generates an OTP without submitting one for authentication, or if the time function of an OTP token has deviated, the OTP token loses its synchronization with the system. Validate the OTP token so that SAM can authenticate a subsequently generated OTP.

To validate an OTP token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Validate OTP.
The Validate an OTP Token window opens.
5. Do one of the following:
If the user has the OTP token, ask the user to generate an OTP value and to send it to you.
Generate an OTP on the device.
6. Enter the OTP value, together with any other required information, into the field, and click Run.
7. A message may be displayed asking you to repeat step 5 and step 6 with a further OTP value.
8. A successfully validated message is displayed.
9. Click Done.
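Resynchronisation is the one OTP operation where the helpdesk workflow itself is the security control. The Python example below is added here and is not SafeNet code: it implements RFC 4226 HOTP and shows why a normal login fails after the user has pressed the button many times, why searching a wide counter window on a single OTP would be weaker (a guessed 6-digit code succeeds with probability window/10^6 instead of 10/10^6 in the example), and why step 7 may ask for a second value. The window sizes (10 for login, 100 for resync) and the two-consecutive-values rule follow the RFC 4226 resync guidance and are assumptions here; SAM’s own parameters live in the TPO and are not stated on this page. The secret is the RFC 4226 test-vector secret, not a real seed.

```python
"""HOTP validation and helpdesk resynchronisation (RFC 4226).

Added example for this guide, not SafeNet code. An event-based token advances
its counter every time the user presses the button; if many values are
generated but never submitted, the server's expected counter falls behind and
normal logins fail. The window sizes and the two-consecutive-values rule follow
the RFC 4226 resync guidance and are assumptions here, not SAM's TPO settings.
"""
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpValidator:
    """Server-side state for one token: the next counter it expects, plus windows."""

    def __init__(self, secret: bytes, look_ahead: int = 10, resync_window: int = 100):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead
        self.resync_window = resync_window

    def authenticate(self, otp: str) -> bool:
        """Normal login: accept only counters within look_ahead of the expected one,
        and never a counter at or below one already used (no replay)."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False

    def resync(self, otp1: str, otp2: str) -> bool:
        """Helpdesk 'Validate OTP': search a wider window, but require two consecutive
        values so that the wider window does not make guessing cheaper."""
        for c in range(self.counter, self.counter + self.resync_window):
            if hotp(self.secret, c) == otp1 and hotp(self.secret, c + 1) == otp2:
                self.counter = c + 2
                return True
        return False


# RFC 4226 Appendix D test-vector secret; a real seed is per token and secret.
SAMPLE_SECRET = b"12345678901234567890"


def demo_resync(presses: int = 40):
    """User pressed the button `presses` times without logging in: fail, resync, succeed."""
    server = OtpValidator(SAMPLE_SECRET)
    device_counter = presses                  # the token is far ahead of the server
    before = server.authenticate(hotp(SAMPLE_SECRET, device_counter))      # False
    first, second = (hotp(SAMPLE_SECRET, device_counter + i) for i in (1, 2))
    synced = server.resync(first, second)                                  # True
    after = server.authenticate(hotp(SAMPLE_SECRET, device_counter + 3))   # True
    replay = server.authenticate(hotp(SAMPLE_SECRET, device_counter + 3))  # False
    return before, synced, after, replay
```

For a time-based token whose clock has drifted the same idea applies with a window of time steps instead of counters; the helpdesk operator is the second factor in both cases, because the resync window is only opened after the operator has selected the specific token and, where configured, verified the user’s questionnaire answers.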
Locking an OTP

Lock an OTP to temporarily disable its use for OTP authentication.

To lock an OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Lock OTP.
The Lock OTP Use window opens.
5. Click Run.
A successfully locked message is displayed.
6. Click Done.
To enable its use for OTP authentication again, unlock the OTP.

Unlocking an OTP

The following actions lock an OTP:
The administrator uses the SAM Helpdesk page to lock the OTP.
The user exceeds the allotted number of unsuccessful OTP authentication attempts using the token.
Unlock a locked OTP to enable its use for OTP authentication. An OTP locked by failed attempts may mean that someone other than the user has been submitting OTP values for the account, so confirm the circumstances with the user before unlocking.

To unlock an OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Unlock OTP.
The Unlock OTP Use window opens.
5. Click Run.
A successfully unlocked message is displayed.
6. Click Done.
Certificate Recovery Workflow Options

Certificates on tokens, including History Tokens, that contain a Connector for Microsoft CA application can be recovered if the certificate recovery workflow settings are enabled in the TPO. Click the Select button of the Connector for Microsoft CA application to display the appropriate certificate recovery workflow options.

Button / Description

Request Certificate Recovery
Initiate a certificate recovery workflow request. See Requesting a Certificate Recovery Workflow on page 484.

Approve Certificate Recovery
Approve the initiated certificate recovery workflow request. See Approving a Certificate Recovery Workflow on page 486.

Reject Request
The certificate recovery workflow request can be rejected by a user who has roles permissions to approve it. See Rejecting a Certificate Recovery Workflow on page 491.

Cancel Request
The certificate recovery workflow request can be cancelled by the user who initiated it. See Cancelling a Certificate Recovery Workflow on page 488.

Recover Certificates
Select and recover certificates after the certificate recovery workflow request has been approved. See Recovering Certificates on page 493.

Requesting a Certificate Recovery Workflow

Initiate a certificate recovery workflow to recover certificates from the token.

To request a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Request Certificate Recovery.
The Initiate a Certificate Recovery Workflow window opens.
5. Click Run.
A successfully initiated message is displayed.
6. Click Done.
Approving a Certificate Recovery Workflow

Depending on your SAM configuration, the following may be required after a certificate recovery workflow is initiated:
Approval by a first-tier user with the appropriate roles definition
Approval by a second-tier user with the appropriate roles definition

To approve a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Approve Certificate Recovery.
The Approve window opens, displaying the appropriate tier.
5. Click Run.
A request approved message is displayed.
6. Click Done.
If your SAM configuration requires two-tier approval for workflow requests, the user with Tier-2 roles permission repeats this procedure. After the Tier-2 approval, a request approved message without a tier qualifier is displayed.
Cancelling a Certificate Recovery Workflow

A certificate recovery workflow can be cancelled by a user who has the same roles permissions as the user who initiated the workflow. If the workflow is cancelled, the certificates cannot be recovered from the token unless a new workflow is initiated and approved.

To cancel a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Cancel Request.
The Cancel Request window opens.
5. Click Run.
A request cancelled message is displayed.
6. Click Done.

Rejecting a Certificate Recovery Workflow

A certificate recovery workflow can be rejected by a user who has roles permissions to approve the workflow. If the workflow is rejected, the certificates cannot be recovered from the token unless a new workflow is initiated and approved.

To reject a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Reject Request.
The Reject Request window opens.
5. Click Run.
A request rejected message is displayed.
6. Click Done.
Recovering Certificates

After all required approvals have been granted, you can recover the certificates on the token.

To recover the certificates following approval:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificate recovery workflow has been approved.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Recover Certificates.
The Recover Certificates window opens.
5. Enter and confirm a new PFX file password to secure the certificate data. Record the file password in a safe place. The downloaded PFX file is protected by this password alone, so choose a strong one and do not send the file and its password to the recipient over the same channel.
6. Click the Select certificates link.
The Select certificates to recover window opens.
7. Click a certificate’s Select button to see its details.
8. Select all certificates to be recovered, and click OK.
A successfully recovered message is displayed.
9. Click the Download certificate file link.
The File Download window opens.
10. Click Save, and save the file.
On the Recover Certificates window, a prompt is displayed for confirmation that the certificate data has been downloaded.
11. Select The certificate data has been downloaded to a file, and click Next.
A workflow completed successfully message is displayed.
12. Click Done.
The certificate data has been recovered.
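The five operations above (request, approve, cancel, reject, recover) form one workflow whose security property is separation of duties: approval needs a different roles permission than initiation, Tier 2 cannot act before Tier 1, a cancelled or rejected request cannot be revived, and nothing is exported until every configured approval exists. The Python model below is an added example, not SafeNet code, that makes those rules executable and keeps an audit trail of who did what. The permission names, the choice of which approver tier may reject in each state, the minimum PFX password length and the API are assumptions; the guide states the rules in prose only.

```python
"""Role-gated certificate recovery workflow, as described on the Helpdesk page.

Added example for this guide, not SafeNet code. It makes the stated rules
executable: a request is initiated, approved by Tier 1 and, if configured,
Tier 2, and only then can certificates be recovered; an initiator-role user can
cancel, an approver-role user can reject, and either ends the workflow so a new
request is needed. Permission names, the tier that may reject in each state,
the minimum PFX password length and the API are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Perm(Enum):
    INITIATE = "initiate"
    APPROVE_TIER1 = "approve_tier1"
    APPROVE_TIER2 = "approve_tier2"


class State(Enum):
    NONE = "no request"
    AWAITING_TIER1 = "Awaiting approval-Tier 1"   # status names used by the search filter
    AWAITING_TIER2 = "Awaiting approval-Tier 2"
    APPROVED = "Approved"
    CANCELLED = "cancelled"
    REJECTED = "rejected"
    RECOVERED = "recovered"


class WorkflowError(Exception):
    pass


@dataclass
class Actor:
    name: str
    perms: frozenset


@dataclass
class RecoveryWorkflow:
    token_serial: str
    two_tier: bool = True               # mirrors the TPO two-tier approval setting
    state: State = State.NONE
    audit: list = field(default_factory=list)

    OPEN = (State.AWAITING_TIER1, State.AWAITING_TIER2)

    def _log(self, actor, action):
        self.audit.append((actor.name, action, self.state.value))

    def _approver_perm(self):
        return Perm.APPROVE_TIER1 if self.state == State.AWAITING_TIER1 else Perm.APPROVE_TIER2

    def request(self, actor):
        if self.state != State.NONE:
            raise WorkflowError("a workflow already exists; cancelled or rejected ones cannot be reopened")
        if Perm.INITIATE not in actor.perms:
            raise WorkflowError(f"{actor.name} lacks the initiator role")
        self.state = State.AWAITING_TIER1
        self._log(actor, "request")

    def approve(self, actor):
        if self.state not in self.OPEN or self._approver_perm() not in actor.perms:
            raise WorkflowError(f"{actor.name} cannot approve in state '{self.state.value}'")
        if self.state == State.AWAITING_TIER1 and self.two_tier:
            self.state = State.AWAITING_TIER2
        else:
            self.state = State.APPROVED
        self._log(actor, "approve")

    def reject(self, actor):
        if self.state not in self.OPEN or self._approver_perm() not in actor.perms:
            raise WorkflowError(f"{actor.name} cannot reject in state '{self.state.value}'")
        self.state = State.REJECTED
        self._log(actor, "reject")

    def cancel(self, actor):
        if self.state not in self.OPEN:
            raise WorkflowError("no open request to cancel")
        if Perm.INITIATE not in actor.perms:
            raise WorkflowError(f"{actor.name} lacks the initiator role")
        self.state = State.CANCELLED
        self._log(actor, "cancel")

    def recover(self, actor, pfx_password: str) -> str:
        if self.state != State.APPROVED:
            raise WorkflowError("recovery requires every configured approval")
        if len(pfx_password) < 12:          # assumption: the page sets no minimum
            raise WorkflowError("PFX password too short")
        self.state = State.RECOVERED
        self._log(actor, "recover")
        return f"{self.token_serial}.pfx"   # the downloaded certificate file
```

The audit list is the part a reviewer would want from a real deployment: it records, for each transition, which actor performed it and the state that resulted, which is what makes a two-tier approval verifiable after the fact.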
Chapter 24

Deployment

Use the Deployment page to assign or enroll tokens for users.

In this section:
Deployment Page Overview
Accessing the Deployment Page
Assigning a Token
Enrolling a Smartcard or USB Token
Enrolling an OTP Token
MobilePASS Token Enrollment

Deployment Page Overview

SAM Management Center tabs, search parameters, and system messages are displayed in the left panel.
Search criteria: The administrator selects up to two different search criteria to be combined in a single search.
SAM system notifications are displayed at the bottom of the left panel, if relevant.

Search results are displayed in the right panel.
At the top right of the panel: The number of records matching the search criteria, and paging operations.
In the middle section: Details of each user matching the search criteria.
At the bottom of the panel: User-related and token-related options.

At the bottom of the right panel, the administrator selects an option. Appropriate options are enabled for each selected user. Place the cursor on an enabled option to view its tooltip.
Deployment 499
Accessing the Deployment Page

Log on to your enterprise’s local network, and access the Deployment page through the SAM Management Center.

Note: Each enterprise has its own SAM Server. This guide uses the name localhost to represent your enterprise’s SAM Server. When following the steps in the procedure, replace <localhost> with the name of your enterprise’s SAM Server.

To access the Deployment page:
1. Open your web browser, and go to http://<localhost>/SAMmanage
   where <localhost> is the name of your company’s SAM Server.
2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.
3. At the top of the left panel, select Deployment.
   The Deployment page opens.

   The options available at the bottom of the right panel:

   Option Type | Options
   Token-related options | Assign, Enroll, MobilePASS, Messaging, OTP Token
4. In the left panel, select one or two search filters to determine the users to be displayed.

   Search for Filter | Search criteria Options
   Users by username | Enter a character string to search for all usernames beginning with that character string. Note: Usernames are not case-sensitive.
   Users by direct group | A list of groups defined on the user store
   Users by OU | In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Users without connectors | None
   Users with no tokens | None

5. Click Go.
   Details of the tokens assigned to the users matching your search criteria are displayed in the right panel.

   Note: The number of users found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

   Label | Description
   Account Name | User’s account name
   Type | Description of the token model
   Serial Number | One of the following: the token serial number (printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token); or the total number of tokens, if more than one is assigned to the user
   Status | 1. Content Status: No token, Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal

6. Click Select All, or select one or more Account Names.
7. Select one of the enabled options at the bottom of the panel.

   Button | Description
   Assign | Associate a token with each selected user
   Enroll | Assign a token and load it with user data for each selected user
   MobilePASS | Enroll a MobilePASS token for each selected user
   Messaging | Enroll a MobilePASS Messaging token for each selected user
   OTP Token | Enroll an OTP token for each selected user
   Take Picture | Not in use
   Print Badge | Not in use

Assigning a Token

When you assign a token, the following activities occur:
a. Add: adds the token to the SAM inventory if it is not already there.
b. Initialize, depending on your SAM configuration: deletes all user-specific token content on the token and applies the TPO settings.
c. Assign: associates the token with a specific user.

Users can control the activities of tokens assigned to themselves via the SAM Self Service Center.

To assign tokens:
1. Use the SAM Deployment page to search for the appropriate users.
2. Click Select All, or select one or more Account Names to which the tokens will be assigned.
3. Click Assign.
   The Assign a Token window opens.
4. Do one of the following:
   - To assign a token that can be connected, select Assign a connected token, connect the token, and click Run.
   - To assign a token by serial number, select Assign token by its serial number, enter the token serial number, and click Run.
   A Token successfully assigned message is displayed.
5. Repeat step 4 until all the selected Account Names have been assigned tokens.
   The Assign a Token options are no longer displayed.
6. Click Done.
Enrolling a Smartcard or USB Token

When you enroll a token, the following activities occur:
a. Add: adds the token to the SAM inventory if it is not already there.
b. Initialize, depending on your SAM configuration: deletes all user-specific token content on the replacement token and applies the TPO settings.
c. Assign: associates the token with a specific user.
d. Enroll: loads the token with data needed for user authentication. Depending on your SAM configuration, this content may include:
   - Certificates
   - Network Logon profiles
   - eToken SSO profiles
   - OTP generation

Users can control the activities of their enrolled tokens via the SAM Self Service Center.
To enroll a smartcard or USB token:
1. Use the SAM Deployment page to search for the appropriate users.
2. Click Select All, or select one or more Account Names to which the tokens will be enrolled.
3. Click Enroll.
   The Enroll a Token window opens.
4. Depending on your SAM configuration, select Initialize token to initialize the token.
5. Depending on your SAM configuration, click Customize enrollment to enroll only some of the default connector applications onto the token.
   The Applications to Enroll dialog box opens, displaying the available connectors.
   Select the appropriate connectors to enroll, and click OK.
6. Do one of the following:
   - If the new token is a physical token, connect it, and disconnect all other tokens not yet assigned.
   - Depending on your SAM configuration, if the new token is a SafeNet eToken Virtual, connect an external storage device, and select Create a new SafeNet eToken Virtual.
7. Click Run.
8. Depending on the connectors enrolled, an authentication window opens.
   a. You may be required to do the following:
      - For the Connector for OTP Authentication, enter an OTP PIN, and confirm it.
      - For the Connector for Network Logon, enter a logon password, and confirm it.
   b. Click Continue.
9. A token successfully enrolled message is displayed.
10. Repeat step 4 through step 9 until all the selected Account Names have been assigned tokens.
   The enrollment options are no longer displayed.
11. Click Done.
Enrolling an OTP Token

Enroll an OTP token to associate it with a specific user in the SAM inventory.

To enroll an OTP token, you must know its serial number. Have each OTP token device in front of you so that you can see the serial number printed on the label of the OTP token case.

If the serial number printed on the label of an eToken PASS device is not readable, do the following:
a. When the display panel of the eToken PASS device is clear, press the device button and keep it depressed for three seconds.
   The value 888888 appears in the display panel.
b. Release the device button, and within two seconds, press the device button again.
   The first four characters of the serial number appear in the display panel.
   Note: The display panel clears automatically after 15 seconds.
c. Write them down, and press the device button again.
   The next four characters of the serial number appear in the display panel.
d. Write them down, and press the device button again.
   The last four characters of the serial number appear in the display panel.
e. Write them down.
   The string you wrote down is the eToken PASS device’s 12-character serial number.
To enroll OTP tokens:
1. Ensure that the OTP token file has been loaded.
   For more information, see Chapter 25: Adding a File of Tokens to the SAM Inventory, on page 526.
2. Use the SAM Deployment page to search for the appropriate users.
3. Click Select All, or select one or more Account Names to which the OTP token devices will be enrolled.
4. Click OTP Token.
   The Enroll an OTP-Only Token window opens.
5. In the OTP Token Serial Number field, enter the 12-character serial number printed on the label of the OTP device case.
6. Click Run.
   A Token successfully enrolled message is displayed.
7. Repeat step 5 through step 6 until all the selected Account Names have been assigned OTP token devices.
   The OTP Token Serial Number field is no longer displayed.
8. Click Done.
MobilePASS Token Enrollment

The administrator uses the SAM Management Center to enroll a MobilePASS client software application for the user’s mobile device.

Note: Depending on your SAM configuration, users may enroll a MobilePASS token using the SAM Self Service Center.

Preparing the MobilePASS Token Notification Procedure

Depending on your SAM configuration, the MobilePASS token enrollment may assign the token a MobilePASS PIN. If assigned, the user must provide this MobilePASS PIN when using the MobilePASS token.

Your SAM configuration determines the procedure for notifying the user of the MobilePASS PIN, as well as other necessary information generated during the MobilePASS token enrollment.

To ensure that a MobilePASS notification procedure is enabled in your SAM configuration, do the following:
- Define a notification template file.
- Define one of the following methods to transmit the notification information to the user:
  - Send by email to the user
  - Print at your facility for mailing to the user

Note: If your SAM configuration does not require the user to have a MobilePASS PIN, the administrator can copy the information from the screen during the MobilePASS token enrollment, and use any method to send the user the information.
Enrolling a MobilePASS Token

To enroll a MobilePASS token:
1. Ensure that the following conditions are met:
   - OTP authentication is enabled for the appropriate users.
   - The MobilePASS application has been downloaded to the SAM Server. See Downloading MobilePASS Applications on page 569.
2. Use the SAM Deployment page to search for the appropriate users.
3. Click Select All, or select one or more Account Names to which a MobilePASS token will be enrolled.
4. Click MobilePASS.
5. The Enroll a MobilePASS token window opens.
6. Enter the MobilePASS Activation Code.
7. Depending on your SAM configuration, you may be required to set an OTP PIN for the MobilePASS token.
   Enter an OTP PIN, confirm it, then click Continue.
   Note: The user must provide this OTP PIN when authenticating with an OTP generated on the MobilePASS device.
8. A Token successfully enrolled message is displayed.
9. Repeat step 5 through step 8 until a MobilePASS token has been enrolled for each of the selected Account Names.
   The Please enter the Activation Code message is no longer displayed.
10. Click Done.
Sending a MobilePASS Token to the User

If a MobilePASS PIN is required, it is sent via the Notification Method configured in SAM.

Depending on your SAM configuration, if an OTP PIN is required, it can be sent by the administrator, or via the Notification Method configured in SAM.

Using a MobilePASS Token to Generate an OTP

Instruct the user to do the following when an OTP is required:
a. Enter the OTP PIN, if required.
b. Open the MobilePASS application on the mobile device.
c. In the MobilePASS application, enter the MobilePASS PIN, if required, to generate an OTP.
d. Use the generated OTP to authenticate to the application.
Chapter 25
Inventory

Your company’s token inventory information is stored in the SAM database.

Use the Inventory page for the following activities:
- Initialize tokens.
- Upload files of token serial numbers to add the tokens to the SAM inventory.
- Add tokens to the SAM inventory.
- Remove tokens from the SAM inventory.

Note: Adding a token to the SAM inventory is also known as registering a token.

In this section:
- Inventory Page Overview
- Accessing the Inventory Page
- Initializing a Token
- Adding Tokens to the SAM Inventory
- Removing a Token from the SAM Inventory
Inventory Page Overview

SAM Management Center tabs, search parameters, and system messages are displayed in the left panel.

Note: No search parameters are needed to upload a file of tokens.

- Search criteria: The administrator selects up to two different search criteria to be combined in a single search.
- SAM system notifications are displayed at the bottom of the left panel, if relevant.

Search results are displayed in the right panel.
- At the top right of the panel: The number of records matching the search criteria, and paging operations.
- In the middle section: Details of each token matching the search criteria.
- At the bottom of the panel: the following options:
  - Initialize
  - Token File
  - Add
  - Remove

Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.
Accessing the Inventory Page

Log on to your company’s local network, and access the Inventory page through the SAM Management Center.

Note: Each company has its own SAM Server. This guide uses the name localhost to represent your company’s SAM Server. When following the steps in the procedure, replace <localhost> with the name of your company’s SAM Server.

To access the Inventory page:
1. Open your web browser, and go to http://<localhost>/SAMmanage
   where <localhost> is the name of your company’s SAM Server.
2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.
3. At the top of the left panel, select Inventory.
   The Inventory page opens.
4. In the left panel, select one or two search filters to determine the tokens to be displayed.

   Note: No search parameters are needed to upload a file of tokens.
   Search for Filter | Search criteria Options
   Connected tokens | None
   Tokens by serial no | Enter a character string to search for all token serial numbers beginning with that character string. The length of a token’s serial number is determined by the token type: USB tokens, 8 characters; eToken PASS devices, 12 characters; SafeNet eToken Virtual products, 16 characters; MobilePASS tokens, 16 characters. Note: The serial number of a physical token is the rightmost hexadecimal digit string printed on the token case.
   Tokens by user | Enter a character string to search for all usernames beginning with that character string. Note: Usernames are not case-sensitive.
   Tokens by status | Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, Revoked. Physical Status: Damaged, Lost, Normal
   Tokens by approval | Select the appropriate approval status: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
   Tokens by user group | A list of groups defined on the user store
   Tokens by user OU | In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Tokens by model | A list of token models in the SAM inventory
   Unassigned tokens | None

5. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel.

   Note: The number of tokens found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

   Label | Description
   Account Name | One of the following: the user’s account name to which the token is assigned; or Unassigned
   Type | Description of the token model
   Serial Number | Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Status | 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked, Not registered (connected, but not in the SAM inventory). 2. Physical Status: Damaged, Lost, Normal

6. In the right panel, select one or more tokens. To select all the tokens displayed, click Select All. To undo your selection, click Clear All.
7. Select one of the enabled options at the bottom of the panel.
   Button | Description
   Initialize | Delete all user-specific token content on the selected token and apply the TPO settings
   Token File | Add token and OTP token devices to the SAM inventory by uploading a file of the devices’ serial numbers
   Add | Add the selected token to the SAM inventory
   Remove | Remove the selected token from the SAM inventory

Initializing a Token

When you initialize a token, the following occurs:
- The token is added to the SAM inventory if it is not already there.
- Its user-specific token content is deleted.
- The TPO settings are applied.

The token must be connected so that its content can be modified.

To initialize a token:
1. Connect the tokens to be initialized.
2. Open the SAM Inventory page.
3. In the Search for drop-down box, select Connected tokens.
   The connected tokens are displayed.

   Note: In the example shown, the Status field reflects the following:
   - The first token is already registered in the SAM inventory, but is not assigned to any user.
   - The second token is not yet registered in the SAM inventory.

4. Click Select All, or select one or more tokens to initialize.
5. Click Initialize.
   The Initialize a Token window opens.
6. Click Run.
   A Tokens successfully initialized message is displayed.
7. Click Done.
   All of the initialized tokens are now registered in the SAM inventory.
Adding Tokens to the SAM Inventory

When a token is added to the SAM inventory, the device information, such as serial number, is stored in the inventory.

Add new tokens to the SAM inventory for the following purposes:
- To facilitate the management of your total token stock, including tokens not yet assigned.
- To restrict user enrollment of new tokens using the SAM Self Service Center to only those tokens the administrator has added.

Adding a File of Tokens to the SAM Inventory

Add physical tokens to the SAM inventory by uploading a file of the devices’ serial numbers.

To upload a file of token devices:
1. Open the SAM Inventory page.
2. Click Token File.
   The Import a Token Serial Number File window opens.
3. Click Browse, browse to the file of token serial numbers, and click Open.
4. Click Upload.
   The file of token serial numbers is uploaded.
   A File successfully imported message is displayed.
5. Click Run to add the tokens listed in the file to the SAM inventory.
   A File successfully uploaded message is displayed.
6. Click Done.
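Before uploading a serial-number file, an administrator can check it offline against the serial-number rules this guide gives elsewhere in the chapter: a physical token’s serial number is a hexadecimal digit string, 8 characters long for USB tokens and 12 for eToken PASS devices, while 16-character serial numbers belong to SafeNet eToken Virtual and MobilePASS software tokens. The following Python script is an added example written for this page; it is not part of the SafeNet product. It assumes a file layout of one serial number per line with blank lines and "#" comment lines ignored (the guide does not document the file format), and every serial number in it is a constructed sample, not a real device serial.

```python
"""Pre-upload check for a token serial-number file (added example, not SafeNet code).

Serial-number rules taken from the guide: physical token serials are hexadecimal
digit strings; USB tokens have 8 characters, eToken PASS devices 12, and SafeNet
eToken Virtual / MobilePASS software tokens 16. The file layout (one serial per
line, '#' comment lines ignored) is an assumption; the guide does not document it.
"""
import string
from dataclasses import dataclass, field

# Serial-number length by token type, from the Inventory search-filter table.
LENGTH_TO_TYPE = {
    8: "USB token",
    12: "eToken PASS device",
    16: "SafeNet eToken Virtual or MobilePASS token",
}
PHYSICAL_LENGTHS = {8, 12}          # the token file is for physical devices only
HEX_DIGITS = set(string.hexdigits)

# Constructed sample file; these are not real device serial numbers.
SAMPLE_FILE = """\
# constructed sample, not real device serials
0A1B2C3D
0a1b2c3d
1234567890AB
0011223344556677
12345
ZZZZ1111
"""


@dataclass
class CheckResult:
    accepted: dict = field(default_factory=dict)   # normalized serial -> token type
    rejected: list = field(default_factory=list)   # (line_no, serial, reason)


def check_serial_file(text: str) -> CheckResult:
    """Classify every serial in the file and reject malformed or duplicate entries."""
    result = CheckResult()
    first_seen = {}                                 # normalized serial -> line number
    for line_no, raw in enumerate(text.splitlines(), start=1):
        serial = raw.strip()
        if not serial or serial.startswith("#"):
            continue
        normalized = serial.upper()                 # hex digits compare case-insensitively
        if not set(normalized) <= HEX_DIGITS:
            result.rejected.append((line_no, serial, "not a hexadecimal digit string"))
            continue
        token_type = LENGTH_TO_TYPE.get(len(normalized))
        if token_type is None:
            result.rejected.append((line_no, serial, f"unexpected length {len(normalized)}"))
            continue
        if len(normalized) not in PHYSICAL_LENGTHS:
            result.rejected.append(
                (line_no, serial, f"{token_type}: software token, not a physical device"))
            continue
        if normalized in first_seen:
            result.rejected.append(
                (line_no, serial, f"duplicate of line {first_seen[normalized]}"))
            continue
        first_seen[normalized] = line_no
        result.accepted[normalized] = token_type
    return result


if __name__ == "__main__":
    report = check_serial_file(SAMPLE_FILE)
    for serial, token_type in report.accepted.items():
        print(f"OK      {serial:<16} {token_type}")
    for line_no, serial, reason in report.rejected:
        print(f"REJECT  line {line_no}: {serial!r}: {reason}")
```

Running the script on the sample accepts the USB token and eToken PASS serials and rejects the lower-case duplicate, the 16-character software-token serial, the 5-character string and the non-hexadecimal string, each with the line number to correct before the file is uploaded.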
Adding a Token to the SAM Inventory

To add a token:
1. Connect the tokens to be added.
2. Open the SAM Inventory page.
3. In the Search for drop-down box, select Connected tokens.
   The connected tokens are displayed.
4. Click Select All, or select one or more tokens to add to the SAM inventory.
5. Click Add.
   The Add Tokens window opens.
6. Click Run.
   A Tokens successfully added message is displayed.
7. Click Done.
Removing a Token from the SAM Inventory

Remove tokens from the SAM inventory for the following purposes:
- Discontinue management overhead for unused tokens
- Delete a corrupted entry from the SAM inventory

When a token is removed from the SAM inventory, the following activities occur:
a. Revoke: revokes the token if it is not yet revoked.
b. Unassign: disassociates the token from all users.
c. Delete: deletes the token entry from the SAM inventory.

To remove a token:
1. Use the SAM Inventory page to search for the appropriate tokens.
2. Click Select All, or select one or more tokens to remove.
3. Click Remove.
   The Remove Tokens window opens.
4. Click Run.
   A Tokens successfully removed message is displayed.
5. Click Done.
Chapter 26
Reports

Use the SAM Reports page to generate various on-line reports using the information in the SAM inventory.

In this section:
- SAM Reports Page Overview
- Accessing the Reports Page
- Generating a Token Inventory Report
- Generating a Token History Report
- Generating a Token Expiration Report
- Generating a Token Audit Report
- Generating an OTP Usage Report
- Generating a Token Connections Report
- Generating an Hourly Distribution Chart
SAM Reports Page Overview

To produce a SAM report, do the following:
a. In the left panel of the SAM Reports page, select the report to produce.
b. In the left panel of the specific report page, select filters to determine which items to display in the report.
The report is displayed in the right panel.

Accessing the Reports Page

Log on to your company’s local network, and access the Reports page through the SAM Management Center.

To access the Reports page:
1. Open your web browser, and go to http://<localhost>/SAMmanage
   where <localhost> is the name of your company’s SAM Server.
2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.
3. At the top of the left panel, select Reports.
   The SafeNet Authentication Manager Reports page opens.
4. In the left panel, click Home to return to the Helpdesk page, or click the appropriate report.

   Report | Description
   Token Inventory | Tokens that are included in the SAM inventory
   Token History | Historical data of tokens that have been unassigned or removed
   Token Expiration | Tokens that are assigned an expiration date
   Token Audit | Audit information of SAM operations
   OTP Usage | OTP authentication events; the OTP web service configuration determines which operations to audit
   Token Connections | Physical tokens connected at the time of the last refresh
   Hourly Distribution | Average number of physical tokens connected per hour
Generating a Token Inventory Report

A Token Inventory Report lists details of tokens that are included in the SAM inventory.

To generate a Token Inventory Report:
1. Open the Reports page, and click Token Inventory.
   The Token Inventory Report window opens.
2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter | Options
   Token Status | Any Status, Revoked, Enabled, Disabled, SafeNet eToken Rescue, Empty
   Certificate Approval | Any Status, Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
   Creation Date | Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
   Modification Date | Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
   User Group | None, or enter a character string to search for all groups beginning with those characters
   Organizational Unit | None, or enter an OU. In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Sort By | Serial Number, Model, User Name, Modification Date

3. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel of the report.

   Label | Description
   Serial Number | Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Model | Specific token model in the SAM inventory
   Status | 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal
   Assigned User | User’s account name. May be in the format: Display Name(Account Name)
   Created | Date the token entry was added to the SAM inventory
   Modified | Date the token entry was last modified in the SAM inventory
   Applications | Applications enrolled on the token

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
Generating a Token History Report

If the History Tokens feature is enabled in your TPO, the Token History Report lists the historical data of tokens that have been unassigned or removed.

To generate a Token History Report:
1. Open the Reports page, and click Token History.
   The Token History Report window opens.
2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter | Options
   Token Status | Any Status, Revoked, Enabled, Disabled, SafeNet eToken Rescue, Empty
   Certificate Approval | Any Status, Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
   Creation Date | Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
   Modification Date | Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
   User Group | None, or enter a character string to search for all groups beginning with those characters
   Organizational Unit | None, or enter an OU. In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Sort By | Serial Number, Model, User Name, Modification Date

3. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel of the report.

   Label | Description
   Serial Number | Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Model | Specific token model in the SAM inventory
   Status | 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal
   Assigned User | User’s account name. May be in the format: Display Name(Account Name)
   Created | Date the token entry was added to the SAM inventory
   Modified | Date the token entry was last modified in the SAM inventory
   Applications | Applications enrolled on the token

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
Generating a Token Expiration Report

A Token Expiration Report lists tokens having an expiration date.

To generate a Token Expiration Report:
1. Open the Reports page, and click Token Expiration.
   The Token Expiration Report window opens.
2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter | Options
   Expiration Period | Any Date, Today, Next Week, This Week, Next Month, This Month, Yesterday, Last Week, Last Month, Specific Dates (allows input of specific dates)
   User Group | None, or enter a character string to search for all groups beginning with those characters
   Organizational Unit | None, or enter an OU. In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Show Disabled Tokens | Selected, Not selected
   Show Revoked Tokens | Selected, Not selected

3. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel of the report.

   Label | Description
   Serial Number | Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Assigned User | User’s account name. May be in the format: Display Name(Account Name)
   Expires On | Date the token content expires
   Days to Expiration | Number of days remaining before the expiration date
   Status | 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
Generating a Token Audit Report

A Token Audit Report lists details of each SAM operation.

To generate a Token Audit Report:
1. Open the Reports page, and click Token Audit.
   The Token Audit Report window opens.
2. In the left panel, select one or more search filters to determine the events to display in the report.

   Filter | Options
   Event Type | Any Type, Information, Warning, Error
   Event Date | Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
   Category | Any Category, SAM Management Center, SAM Rescue Service Center, SAM Self Service Center, SAM Management Tools, SAM Backend Service, SAM OTP Authentication, SAM Web Service API
   Event ID | Any Events, or a specific event defined by SAM
   Operator | None, or enter a character string to search for all operators beginning with that character string
   User | None, or enter a character string to search for all usernames beginning with that character string
   Log Server | Any Log, or a specific log used by SAM

3. Click Go.
   Details of the events matching your search criteria are displayed in the right panel of the report.

   Label | Description
   Date | Event date, in MM/DD/YY format, and time
   Time | Event time, in seconds
   Event ID | Event code defined in SAM
   Event Type | ERROR, INFORMATION, WARNING
   Token Serial | Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Assigned User | Username to whom the token is assigned. May be in the format: Display Name(Account Name)
   Operator | SAM operator during the event
   Category | Any Category, SAM Management Center, SAM Rescue Service Center, SAM Self Service Center, SAM Management Tools, SAM Backend Service, SAM OTP Authentication, SAM Web Service API

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating an OTP Usage Report

An OTP Usage Report lists each audited OTP operation in which a token is used.

Note: The SAM OTP service configuration determines which OTP operations are audited.
To generate an OTP Usage Report:
1. Open the Reports page, and click OTP Usage. The OTP Usage Report window opens.
2. In the left panel, select one or more search filters to determine the events to display in the report.
Filter: Options
User: None; Enter a character string to search for all usernames beginning with that character string
Time Period: Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month; Specific Dates (allows input of specific dates)
3. Click Go.
Details of the events matching your search criteria are displayed in the right panel of the report.
Label: Description
Date: Event date, in MM/DD/YY format
Time: Event time, in seconds
Event ID: Event code defined in SAM
Event Type: ERROR; INFORMATION; WARNING
Token Serial: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
User: Username to whom the token is assigned. May be in the format: Display Name (Account Name)
4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
Generating a Token Connections Report
A Token Connections Report lists the information for each physical token connected at the time of the last refresh.
The Token Connections Report feature requires the following:
A connection to Microsoft SQL Server or Microsoft SQL Express
The SAM Desktop Agent must be installed on every client computer
To generate a Token Connections Report:
1. Open the Reports page, and click Token Connections. The Token Connections Report window opens.
2. In the left panel, select one or more search filters to determine the tokens to display in the report.
Filter: Options
User: None; Enter a character string to search for all usernames beginning with those characters
Organizational Unit: None; In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by the names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by the names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertisin
Connection Date: Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month; Specific Dates (allows input of specific dates)
Connection Status: Connected; Disconnected; Any Status
3. To change the Auto Refresh status, do one of the following:
Click Start Auto Refresh to refresh the list of physical tokens connected or disconnected so that the list is always up-to-date.
Click Stop Auto Refresh to display the list of physical tokens connected at the time of the last system refresh.
4. Click Go.
Details of the token connections matching your search criteria are displayed.
The number of connected users and connected physical tokens is displayed at the bottom of the left panel. Details of the tokens matching your search criteria are displayed in the report in the right panel.
Label: Description
User: User logged on to a client computer with a connected token
Token Owner: Name of the user to whom the token is assigned. May be in the format: Display Name (Account Name)
Connection Start: Date and time the token was connected
Duration: Duration of token connection, in HH:MM format
OU: OU of the logged-on user
Host: Client computer name
Token Serial: Token serial number printed on the token case
5. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
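The Token Audit, OTP Usage and Token Connections reports above share the same filter vocabulary: a username prefix ("all usernames beginning with that character string"), the Event Date / Time Period / Connection Date options, an event type, a category, and (for Token Connections) a connection status. When an investigator relies on these reports it helps to know exactly which records each option admits. The following Python script is an added example, not code from SafeNet or from this guide: it applies that filter vocabulary to a constructed list of report rows. The record field names, the rule that weeks start on Monday, and the case-insensitive prefix match are this example's own assumptions; the guide does not state them.

```python
from datetime import date, datetime, timedelta

# Constructed sample rows (not product output). Fields mirror the report
# columns: date in MM/DD/YY, username, event type, category, and a
# connection status as shown by the Token Connections report.
RECORDS = [
    {"date": "03/06/24", "user": "alice",  "type": "INFORMATION", "category": "SAM Management Center",   "status": "Connected"},
    {"date": "03/05/24", "user": "bob",    "type": "WARNING",     "category": "SAM OTP Authentication", "status": "Disconnected"},
    {"date": "03/01/24", "user": "albert", "type": "ERROR",       "category": "SAM Self Service Center", "status": "Connected"},
    {"date": "02/15/24", "user": "carol",  "type": "INFORMATION", "category": "SAM Backend Service",    "status": "Disconnected"},
    {"date": "01/20/24", "user": "alice",  "type": "ERROR",       "category": "SAM Web Service API",    "status": "Connected"},
]
TODAY = date(2024, 3, 6)  # a Wednesday, chosen to suit the constructed rows


def parse_report_date(text):
    """Parse the MM/DD/YY date format used in the report columns."""
    return datetime.strptime(text, "%m/%d/%y").date()


def month_end(d):
    """Last day of the month containing d."""
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    return first_of_next - timedelta(days=1)


def date_range(option, today, specific=None):
    """Inclusive (start, end) for an Event Date / Time Period / Connection Date option.
    Assumption (not stated in the guide): weeks run Monday to Sunday."""
    if option == "Any Date":
        return date.min, date.max
    if option == "Today":
        return today, today
    if option == "Yesterday":
        y = today - timedelta(days=1)
        return y, y
    if option == "This Week":
        start = today - timedelta(days=today.weekday())
        return start, start + timedelta(days=6)
    if option == "Last Week":
        start = today - timedelta(days=today.weekday() + 7)
        return start, start + timedelta(days=6)
    if option == "This Month":
        start = today.replace(day=1)
        return start, month_end(start)
    if option == "Last Month":
        last_day = today.replace(day=1) - timedelta(days=1)
        return last_day.replace(day=1), last_day
    if option == "Specific Dates":
        return specific  # (start, end) typed in by the operator
    raise ValueError(f"unknown date option: {option}")


def prefix_match(value, prefix):
    """'beginning with that character string'; None means the filter is off.
    Assumption: AD-style case-insensitive comparison."""
    return prefix is None or value.lower().startswith(prefix.lower())


def filter_records(records, today, event_date="Any Date", specific=None,
                   event_type="Any Type", category="Any Category",
                   user=None, status="Any Status"):
    """Apply the report filters and return the matching rows in input order."""
    start, end = date_range(event_date, today, specific)
    matched = []
    for row in records:
        if not (start <= parse_report_date(row["date"]) <= end):
            continue
        if event_type != "Any Type" and row["type"] != event_type.upper():
            continue
        if category != "Any Category" and row["category"] != category:
            continue
        if not prefix_match(row["user"], user):
            continue
        if status != "Any Status" and row["status"] != status:
            continue
        matched.append(row)
    return matched


if __name__ == "__main__":
    for option in ("Today", "This Week", "Last Week", "Last Month"):
        print(option, [r["date"] for r in filter_records(RECORDS, TODAY, event_date=option)])
    print("users starting with 'al':", [r["user"] for r in filter_records(RECORDS, TODAY, user="al")])
```

Note that "Last Week" and "Last Month" are computed relative to the day the report is run, so the same saved filter returns different rows on different days; record the effective date range alongside any report you keep as evidence.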
Generating an Hourly Distribution Chart
An Hourly Distribution chart lists the average number of physical tokens connected per hour.
The Hourly Distribution chart feature requires the following:
A connection to Microsoft SQL Server or Microsoft SQL Express
The SAM Desktop Agent must be installed on every client computer
The SAM Desktop Agent Enable token auditing setting must be enabled. See Desktop Agent Settings on page 379.
To enable Hourly Distribution chart generation, see Chapter 19: Configuring Attendance Reports, on page 386.
To generate an Hourly Distribution chart:
1. Open the Reports page, and click Hourly Distribution. The Hourly Distribution window opens.
2. In the left panel, select one or more search filters to determine the tokens to display in the report.
Parameter: Options
Connection Date: Today; Yesterday; This Week; Last Week; This Month; Last Month; Specific Dates (allows input of specific dates)
Days: Each day of the week; Selected; Not selected
3. Click Go. Details of physical token connections for the days selected are displayed in the report in the right panel.
The chart displays the average number of tokens connected each hour, starting from midnight (0), in military hour format (0-23).
4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
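The chart above averages token connections per hour over the days selected by the Connection Date and Days parameters, and the Token Connections report shows each connection's Duration in HH:MM. The following Python script is an added example, not code from SafeNet or from this guide: it computes both from a constructed set of connection records (token serial, connection start, connection end). The guide does not say how a connection that spans part of an hour is counted; this example counts a token for an hour if its connection overlaps any part of that hour, and that is an assumption of the example.

```python
from datetime import date, datetime, time, timedelta

# Constructed connection records (not product data): token serial,
# connection start, connection end, as local wall-clock times.
CONNECTIONS = [
    ("0001", datetime(2024, 3, 4, 8, 30), datetime(2024, 3, 4, 17, 10)),  # Monday
    ("0002", datetime(2024, 3, 4, 9, 0),  datetime(2024, 3, 4, 12, 0)),   # Monday
    ("0001", datetime(2024, 3, 5, 8, 0),  datetime(2024, 3, 5, 16, 0)),   # Tuesday
    ("0003", datetime(2024, 3, 5, 22, 0), datetime(2024, 3, 6, 2, 0)),    # Tuesday night into Wednesday
]


def duration_hhmm(start, end):
    """Format a connection's duration in the HH:MM form used by the report."""
    minutes = int((end - start).total_seconds()) // 60
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def select_days(first, last, weekdays):
    """The Days parameter: keep only the dates in [first, last] whose weekday
    is selected (0 = Monday ... 6 = Sunday, Python's convention)."""
    days, d = [], first
    while d <= last:
        if d.weekday() in weekdays:
            days.append(d)
        d += timedelta(days=1)
    return days


def tokens_connected_during(connections, slot_start, slot_end):
    """Count connections overlapping the half-open slot [slot_start, slot_end)."""
    return sum(1 for _, s, e in connections if s < slot_end and e > slot_start)


def hourly_distribution(connections, days):
    """Average number of tokens connected in each hour 0-23 over the selected
    days. Assumption: a token counts for an hour if its connection overlaps
    any part of that hour (the guide does not state the counting rule)."""
    if not days:
        return [0.0] * 24
    totals = [0] * 24
    for d in days:
        for hour in range(24):
            slot_start = datetime.combine(d, time(hour))
            totals[hour] += tokens_connected_during(connections, slot_start,
                                                    slot_start + timedelta(hours=1))
    return [t / len(days) for t in totals]


if __name__ == "__main__":
    days = select_days(date(2024, 3, 4), date(2024, 3, 10), {0, 1})  # Monday and Tuesday only
    for hour, avg in enumerate(hourly_distribution(CONNECTIONS, days)):
        print(f"{hour:02d}: {avg:.1f}")
    print("duration of first connection:", duration_hhmm(CONNECTIONS[0][1], CONNECTIONS[0][2]))
```

A connection that runs past midnight (the 22:00 to 02:00 record) is counted only in the hours that fall on a selected day, which is why the hour-0 average for Monday and Tuesday stays at zero while hour 23 shows half a token.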
Chapter 27
Downloads
Use the SAM Downloads page to download components.
In this section:
SAM Downloads Page Overview
Accessing the SAM Downloads Page
Downloading SAM Web Client
Downloading MobilePASS Applications
SAM Downloads Page Overview
Use the SAM Downloads page to download the following components:
SAM Web Client components
MobilePASS applications
Accessing the SAM Downloads Page
Log on to your company's local network, and access the SAM Downloads page through the SAM Management Center.
To access the SAM Downloads page:
1. Open your web browser, and go to http://<localhost>/SAMmanage, where <localhost> is the name of your company's SAM Server.
2. Depending on your user store:
You may be required to provide logon credentials, such as Domain, Username, and Password.
You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.
The SAM Management Center opens to the Helpdesk page.
3. In the left panel, select Downloads.
The Downloads page opens.
4. In the right panel, click the component to download:
SAM Web Client for x32
SAM Web Client for x64
MobilePASS applications from the SafeNet download page
Downloading SAM Web Client
SafeNet Authentication Manager Client must be installed on all client computers used for enrolling USB tokens, smartcards, or SafeNet eToken Virtual products.
To install SafeNet Authentication Manager Client on your computer:
1. Open the Downloads page.
2. Do one of the following:
For 32-bit environments, click Download SAM Web Client for x32.
For 64-bit environments, click Download SAM Web Client for x64.
The File Download window opens.
3. Click Run. A Security Warning window opens, identifying the name of the program.
4. Click Run. Depending on your SafeNet Authentication Manager configuration, an installation wizard may be initiated to install SafeNet Authentication Manager Client. The SafeNet Authentication Manager Client Installation Wizard opens.
5. Click Next.
The End‐User License Agreement is displayed.
6. Read the license agreement, and select the option, I accept the license agreement.
7. Click Next. The Destination Folder window opens, displaying the default installation folder.
8. Click Next.
The Select Installation Type window opens.
9. Do one of the following:
To install the legacy TMS Desktop Agent, select Complete.
For standard installations, select Typical.
10. Click Next to begin the installation. When the installation is complete, the Successfully installed message is displayed.
11. Click Finish.
Downloading MobilePASS Applications
Download MobilePASS applications to enroll MobilePASS tokens. MobilePASS tokens generate OTPs on mobile devices without the need for physical tokens. MobilePASS tokens work independently of mobile network connectivity.
To download MobilePASS applications:
1. Open the Downloads page, and click Open MobilePASS applications download page. The SafeNet website opens to the MobilePASS Authenticators Download Page.
2. Use the link on the SafeNet website to download the appropriate MobilePASS application for each mobile device.
After the MobilePASS application is downloaded to a mobile device, a MobilePASS token can be enrolled on it. See MobilePASS Token Enrollment on page 511.
Part V Appendixes
In this section:
Appendix A AD Schema Enhancement
Appendix A
AD Schema Enhancement
This section describes the Microsoft Active Directory (AD) schema changes resulting from the installation of SafeNet Authentication Manager.
In this section:
Prefixes Registered with Microsoft
Naming Conventions
Schema Attributes and Classes Tables
Prefixes Registered with Microsoft
Microsoft has assigned the following prefixes for SafeNet Authentication Manager use:
The prefix for each name is AksTMS. To distinguish TMS 2.0 schemas from previous TMS versions, the prefix used in this version is AksTMSV20.
The object identifier (OID) prefix is 1.2.840.113556.1.8000.2009.
Classes are assigned the OID prefix 1.2.840.113556.1.8000.2009.1.
Attributes are assigned the OID prefix 1.2.840.113556.1.8000.2009.2.
Naming Conventions
The conventions used for TMS 2.0 class and attribute names are:
Each CN name starts with aks20-.
Each ldapDisplayName starts with AksTMS20.
Schema Attributes and Classes Tables
The following apply to the tables in this document:
Names and OIDs are shown without prefixes.
The existing flags are: Multi-Valued; Indexed; Global-Catalog
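Because the tables that follow show names and OIDs without their prefixes, an administrator who wants to locate these objects in the AD schema (for example to review which principals can read a given attribute) has to recombine them with the prefixes and naming conventions above. The following Python script is an added example, not code from SafeNet or from this guide: it qualifies a handful of rows transcribed from the tables below using the aks20- CN prefix, the AksTMS20 ldapDisplayName prefix and the class and attribute OID branches, and it picks out the attributes whose descriptions say they hold a PIN, key or password, since those are the ones whose read permissions deserve a review. The keyword heuristic and the list of transcribed rows are this example's own choices.

```python
import re

# Prefixes as given under "Prefixes Registered with Microsoft" and "Naming Conventions".
OID_ROOT = "1.2.840.113556.1.8000.2009"
OID_BRANCH = {"class": OID_ROOT + ".1", "attribute": OID_ROOT + ".2"}
CN_PREFIX = "aks20-"
DISPLAY_PREFIX = "AksTMS20"

# Rows transcribed from the attribute tables of this appendix (a subset):
# (CN, ldapDisplayName, relative OID, syntax OID, description).
ATTRIBUTES = [
    ("data",         "Data",         "1.1",  "2.5.5.10", "Used to store binary data"),
    ("tokenUser",    "TokenUser",    "5.2",  "2.5.5.1",  "Used to store user to whom token is assigned"),
    ("tokenSerial",  "TokenSerial",  "5.9",  "2.5.5.10", "Used to store unique physical token identifier"),
    ("tokenSOPin",   "TokenSOPin",   "5.11", "2.5.5.10", "Used to store security officer pin"),
    ("tokenInitKey", "TokenInitKey", "5.13", "2.5.5.10", "Used to store token init key"),
    ("softTokenPIN", "SoftTokenPIN", "5.34", "2.5.5.10", "Used to store SafeNet eToken Virtual password"),
]
# Rows transcribed from the TMS Classes table: (CN, ldapDisplayName, relative OID).
CLASSES = [("token", "Token", "5"), ("userHolder", "UserHolder", "7")]


def full_oid(kind, relative_oid):
    """Prepend the class or attribute OID branch to a relative OID from the tables."""
    return f"{OID_BRANCH[kind]}.{relative_oid}"


def full_cn(cn):
    """CN as it appears in the schema partition."""
    return CN_PREFIX + cn


def full_display_name(name):
    """ldapDisplayName as it appears in the schema partition."""
    return DISPLAY_PREFIX + name


def qualified_attributes():
    """ldapDisplayName -> (CN, full OID, syntax OID) for each transcribed attribute."""
    return {full_display_name(n): (full_cn(cn), full_oid("attribute", rel), syn)
            for cn, n, rel, syn, _ in ATTRIBUTES}


def qualified_classes():
    """ldapDisplayName -> (CN, full OID) for each transcribed class."""
    return {full_display_name(n): (full_cn(cn), full_oid("class", rel)) for cn, n, rel in CLASSES}


SECRET_WORDS = {"pin", "key", "password"}  # heuristic chosen for this example


def stores_secret(description):
    """True when the table's description names a PIN, key or password."""
    return bool(SECRET_WORDS & set(re.findall(r"[a-z]+", description.lower())))


def secret_attributes():
    """Attributes whose stored value is a secret, in table order; these are the
    ones whose LDAP read permissions on Token objects should be reviewed."""
    return [full_display_name(n) for _, n, _, _, desc in ATTRIBUTES if stores_secret(desc)]


if __name__ == "__main__":
    for name, (cn, oid, syntax) in qualified_attributes().items():
        print(f"{name:24} {cn:20} {oid}  syntax {syntax}")
    for name, (cn, oid) in qualified_classes().items():
        print(f"{name:24} {cn:20} {oid}")
    print("review read access to:", ", ".join(secret_attributes()))
```

The three attributes the heuristic flags (TokenSOPin, TokenInitKey, SoftTokenPIN) all use the Octet string syntax 2.5.5.10, so nothing in the syntax alone distinguishes them from TokenSerial; only the description does, which is why a review of read permissions has to start from this table rather than from the schema metadata.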
Attributes
Common Attributes
CN (LDAP Display Name): Description
  Syntax; OID (1.x); Flags; Link ID; SchemaIDGUID
data (Data): Used to store binary data
  Syntax: Octet string (2.5.5.10:4); OID: 1.1; SchemaIDGUID: {3691867aa6-d9a136}
version (Version): Used to store version
  Syntax: Integer (2.5.5.9:2); OID: 1.2; SchemaIDGUID: {31607f8c-9c48167dd4a}
productionOID (ProductionOID): Used to link production objects from object holders
  Syntax: Unicode string (2.5.5.12:64); OID: 1.3; Flags: Container indexed; SchemaIDGUID: {6c5dfb0c-836b52a886e}
configXML (ConfigXML): Used to store connector configuration XML
  Syntax: Unicode string (2.5.5.12:64); OID: 3.1; SchemaIDGUID: {27776b509e3bed8007}
SchemaIDGUID: {f7618490-8d61-41ad-8d40-c220731aae6e}
TMS Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (2.x); Flags; Link ID; SchemaIDGUID
data: See data attribute in common attributes
version: See version attribute in common attributes
productionOID: See productionOID attribute in common attributes
Application Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (3.x); Flags; Link ID; SchemaIDGUID
configXML: See configXML attribute in common attributes
priority (Priority): Used to define enrollment priority of application
  Syntax: Integer (2.5.5.9:2); OID: 3.2
data: See data attribute in common attributes
Policy Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (4.x); Flags; Link ID; SchemaIDGUID
applyList (ApplyList): Used in Policy class to store list of principals (users and groups) to whom policy applies
  Syntax: Unicode string (2.5.5.12:64); OID: 4.1; Flags: Multi-valued; SchemaIDGUID: {818a3143-d7c04e08-aae0-ae1c52071d36}
data: See data attribute in common attributes
Token Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (5.x); Flags; Link ID; SchemaIDGUID
tokenUser (TokenUser): Used to store user to whom token is assigned
  Syntax: Distinguished name (2.5.5.1:127); OID: 5.2; Link ID: Backward link to tokens; SchemaIDGUID: {ae775eed8-48ede-843b18576}
data: See data attribute in common attributes
tokenSlotType (TokenSlotType): Used to store slot type (Reader for SC; Virtual for USB; File for SafeNet eToken Virtual)
  Syntax: Integer (2.5.5.9:2); OID: 5.3; SchemaIDGUID: {dedd2c902-4958e-5c3c80ec}
tokenProdName (TokenProdName): Used to store product name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.4; SchemaIDGUID: {5a277e374-49642-58aa6b00d}
tokenModel (TokenModel): Used to store token model
  Syntax: Unicode string (2.5.5.12:64); OID: 5.5; SchemaIDGUID: {34bb35c3c-488f4-210edf9e}
prodDate (ProdDate): Used to store production date
  Syntax: Generalized time (2.5.5.11:24); OID: 5.6; SchemaIDGUID: {790b519b5-490db-8bfda187}
caseModel (CaseModel): Used to store case model (node, classic, ng1, ng2, ng2-nolcd)
  Syntax: Integer (2.5.5.9:2); OID: 5.7; SchemaIDGUID: {66b6d517e-4b71e-616970257}
cardType (CardType): Used to store smartcard type (none, OS4)
  Syntax: Integer (2.5.5.9:2); OID: 5.8; SchemaIDGUID: {d0a2db422-4b539-71e6ab5c}
version: See version attribute in common attributes (here it stores the card version)
tokenSerial (TokenSerial): Used to store unique physical token identifier
  Syntax: Octet string (2.5.5.10:4); OID: 5.9; Flags: Global-Catalog, Indexed; SchemaIDGUID: {e1c154755-4b00c-cb720b06c}
tokenColor (TokenColor): Used to store token color
  Syntax: Integer (2.5.5.9:2); OID: 5.10; SchemaIDGUID: {fd0f4526d2-494ff-9db60327e}
tokenSOPin (TokenSOPin): Used to store security officer PIN
  Syntax: Octet string (2.5.5.10:4); OID: 5.11; SchemaIDGUID: {1a079a4e7-4b23f-9cbd104bd}
tokenSize (TokenSize): Used to store token size
  Syntax: Integer (2.5.5.9:2); OID: 5.12; SchemaIDGUID: {e6b29f6ee-4b469-032d75b33}
tokenInitKey (TokenInitKey): Used to store token init key
  Syntax: Octet string (2.5.5.10:4); OID: 5.13; SchemaIDGUID: {122400c9e-4bc13-e74c3caa}
hasBattery (HasBattery): Used to store HasBattery flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.14; SchemaIDGUID: {bf7c034176-4ada5-b1bb31e7}
hasLCD (HasLCD): Used to store HasLCD flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.15; SchemaIDGUID: {86aea31eb-4912f-17d93d592}
hasUser (HasUser): Used to store HasUser flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.16; SchemaIDGUID: {e135ed228-4a751-46238c90d}
hasSO (HasSO): Used to store HasSO flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.17; SchemaIDGUID: {8641b476f-4a12e-a21186b0}
hasFIPS (HasFIPS): Used to store HasFIPS flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.18; SchemaIDGUID: {dccc990c3-4bb69-9daea186f}
hasStorage (HasStorage): Used to store HasStorage flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.19; SchemaIDGUID: {dbee90993-4b181-437bc9e97}
isFipsSupported (IsFipsSupported): Used to store IsFipsSupported flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.20; SchemaIDGUID: {e3a357e1f-4a35e-d80ec510}
isHMACSHA1Supported (IsHMACSHA1Supported): Used to store IsHMACSHA1Supported flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.21; SchemaIDGUID: {1396aafc6-4cb978-b9b4df73}
isRSA2048Supported (IsRSA2048Supported): Used to store IsRSA2048Supported flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.22; SchemaIDGUID: {35e619b21-49f3e-227ce802}
isMayInit (IsMayInit): Used to store IsMayInit flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.23; SchemaIDGUID: {11c4a7730-4b347-b9de4014a}
tokenLabel (TokenLabel): Used to store token label
  Syntax: Unicode string (2.5.5.12:64); OID: 5.24; SchemaIDGUID: {9d39c4191-49613-33342682a}
tokenPhysicalStatus (TokenPhysicalStatus): Used to store token physical lifetime cycle
  Syntax: Integer (2.5.5.9:2); OID: 5.25; SchemaIDGUID: {a84d326d2-4a4b6-49a799b6d}
tokenContentStatus (TokenContentStatus): Used to store token content lifetime cycle
  Syntax: Integer (2.5.5.9:2); OID: 5.26; SchemaIDGUID: {184dfb1fa-4a528-dd5d8424e}
expirationDate (ExpirationDate): Used to store token expiration date
  Syntax: Generalized time (2.5.5.11:24); OID: 5.27; SchemaIDGUID: {3b70ae324-4b774-43448980b}
tokenUserGroups (TokenUserGroups): Used to store token user's groups
  Syntax: Unicode string (2.5.5.12:64); OID: 5.28; SchemaIDGUID: {17141ce15-4b153-0c1b2687}
tokenPolicyLinkerPath (TokenPolicyLinkerPath): Used to store token user's policy linker path
  Syntax: Unicode string (2.5.5.12:64); OID: 5.29; SchemaIDGUID: {a1cad56a9-48db5-9ecd78574}
tokenUserName (TokenUserName): Used to store token user's name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.30; SchemaIDGUID: {7f7dea89c-4aa9a-606efb5a}
tokenUserDisplayName (TokenUserDisplayName): Used to store token user's display name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.31; SchemaIDGUID: {97130592b-4afa3-785ed1185}
tokenUserAccountName (TokenUserAccountName): Used to store token user's account name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.32; SchemaIDGUID: {01dc9163e-4808f-c9bf475}
softTokenExpirationDate (SoftTokenExpirationDate): Used to store SafeNet eToken Virtual expiration date
  Syntax: Generalized time (2.5.5.11:24); OID: 5.33; SchemaIDGUID: {d52c76434-48d23-e511c60c}
softTokenPIN (SoftTokenPIN): Used to store SafeNet eToken Virtual password
  Syntax: Octet string (2.5.5.10:4); OID: 5.34; SchemaIDGUID: {a6d641382-4bf40-46f730d6}
InitReqired (InitReqired): Used to store whether the token should be formatted at assignment.
  Syntax: Boolean (2.5.5.8:1); OID: 5.35; SchemaIDGUID: {064ad4381-49a8b-50c746930}
isInitKeySet (IsInitKeySet): Used to determine the status of the TokenInitKey attribute.
  Syntax: Boolean (2.5.5.8:1); OID: 5.36; SchemaIDGUID: {4f8ff2f761-48988-948a521c0}
Profile Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (6.x); Flags; Link ID; SchemaIDGUID
creator (Creator): Used to store link to corresponding Application object
  Syntax: Distinguished name (2.5.5.1:127); OID: 6.1; SchemaIDGUID: {178b3001-a973-486c-8cf8-33dd156e8230}
data: See data attribute in common attributes
profileType (ProfileType): Used to define profile type
  Syntax: Integer (2.5.5.9:2); OID: 6.2; SchemaIDGUID: {01e84908-6cb8-4030-b400-ba03cfc48859}
UserHolder Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (7.x); Flags; Link ID; SchemaIDGUID
data: See data attribute in common attributes
productionOID: See productionOID attribute in common attributes
tokens (Tokens): Used to store the tokens assigned to the user
  Syntax: DnWithString (2.5.5.14:127) +2A86 4886 F714 0101 010C; OID: 7.1; Flags: Multi-valued; Link ID: Forward link to tokenUser; SchemaIDGUID: {4d889717-2ad4-4d8a-9e99-95bff5fa896c}
allowPasswordLogin (AllowPasswordLogin): Used to store flag to enable user to log in without token
  Syntax: Boolean (2.5.5.8:1); OID: 7.2; SchemaIDGUID: {4b0a133a-2b63-48faab6-d697c66c71c4}
passwordLoginExpirationDate (PasswordLoginExpirationDate): Used to store expiration date of allowPasswordLogin flag
  Syntax: Generalized time (2.5.5.11:24); OID: 7.3; SchemaIDGUID: {6af14a40-8a19-4128321-7489599eff47}
TMSLoginFailuresCount (TMSLoginFailuresCount): Used to store number of failed logins to eToken Remote Help Center
  Syntax: Integer (2.5.5.9:2); OID: 7.4; SchemaIDGUID: {8C45D094-AD73-4129-91BC-728DE61A0F59}
PolicyLinkerHolder Class Attributes
CN (LDAP Display Name): Description
  Syntax; OID (8.x); Flags; Link ID; SchemaIDGUID
tpLink (TPLink): Used to store linked TPOs
  Syntax: Unicode string (2.5.5.12:64); OID: 8.1; SchemaIDGUID: {5bdacaa5a7-45b09e-1ee758fa1}
tpOptions (TPOptions): Used to store Block policy inheritance flag
  Syntax: Integer (2.5.5.9:2); OID: 8.2; SchemaIDGUID: {06bac9e11c-418084-2bc9bfd3c}
productionOID: See productionOID attribute in common attributes
Classes
TMS Classes
CN (LDAP Display Name): Description
  Parent Class; OID; May Include (In Addition to Standard Classes); SchemaIDGUID
tms (TMS): Main object of TMS; represents TMS database for one production domain
  Parent Class: Container; OID: 2; May Include: Profile, Workflow; SchemaIDGUID: {c87841c9-11e7-45da-aee7-bd6ba12e639c}
application (Application): Represents application object in TMS
  Parent Class: Top; OID: 3; May Include: Workflow; SchemaIDGUID: {144fd95b-a1f7-45c5-bb48-e2d1dbb7d200}
policy (Policy): Represents policy object in TMS
  Parent Class: Top; OID: 4; May Include: Profile, Workflow; SchemaIDGUID: {f237dc2a-9f79-4d20-86ef-90b56029792c}
token (Token): Represents token object in TMS
  Parent Class: Container; OID: 5; May Include: Profile, Workflow; SchemaIDGUID: {873737e9-e949-4b05-a421-9bb4b8463e5e}
profile (Profile): Represents different profiles and license objects in TMS
  Parent Class: Top; OID: 6; May Include: Workflow; SchemaIDGUID: {f08a78b2-eefc-4c57-907a-4b7360af21c1}
userHolder (UserHolder): Represents user holder object in TMS
  Parent Class: Container; OID: 7; May Include: Profile, Workflow; SchemaIDGUID: {dc15e12c-7f58-4063-a13a-6e465f67777a}
policyLinkerHolder (PolicyLinkerHolder): Represents PolicyLinkerHolder object (for AD, represents its OUs and DomainDns objects)
  Parent Class: Top; OID: 8; May Include: Workflow; SchemaIDGUID: {4f9b820b-2d11-49fd-845c-244305e359c2}
Schema Extensions for TMS 5.0 and Later
Attributes added to Token class in TMS 5.0 and later
CN (LDAP Display Name): Description
  Syntax; OID (5.x); Flags; Link ID; SchemaIDGUID
tokenAppDeviceType (TokenAppDeviceType): Used to store token's application device type.
  Syntax: Integer (2.5.5.9:2); OID: 5.37; SchemaIDGUID: {c9dbb9950f2d7b9}
tokenAppDeviceTypeID (TokenAppDeviceTypeID): Used to store token's application device type ID.
  Syntax: Unicode string (2.5.5.12:64); OID: 5.39; SchemaIDGUID: {4101e8692e130}
temporaryToken (TemporaryToken): Used to store token temporary state.
  Syntax: Boolean (2.5.5.8:1); OID: 5.40; SchemaIDGUID: {DB-148413BF2D0
TemporaryTokenLink (TemporaryTokenLink): Used to store connection with temporary token.
  Syntax: Distinguished name (2.5.5.1:127); OID: 5.41; Link ID: Forward link to PrimaryTokenLink; SchemaIDGUID: {C0-4B418C9F31F
PrimaryTokenLink (PrimaryTokenLink): Used to store connection with primary token.
  Syntax: Distinguished name (2.5.5.1:127); OID: 5.42; Link ID: Backward link to TemporaryTokenLink; SchemaIDGUID: {DF23DB6AED2B88
hasUnblock (HasUnblock): Used to store HasUnblock flag.
  Syntax: Boolean (2.5.5.8:1); OID: 5.43; SchemaIDGUID: {A7-1C40b52BACC
hasClientless (HasClientless): Used to store HasClientless flag.
  Syntax: Boolean (2.5.5.8:1); OID: 5.44; SchemaIDGUID: {3FFFF9DDC00DF6
softTokenLockMode (SoftTokenLockMode): Used to store lock mode of software tokens.
  Syntax: Integer (2.5.5.9:2); OID: 5.45; SchemaIDGUID: {F138CBDDCF3A2F
appDeviceType Class Attributes for TMS 5.0 and later
CN (LDAP Display Name): Description
  Syntax; OID (3.x); Flags; Link ID; SchemaIDGUID
configXML: See configXML attribute in common attributes
data: See data attribute in common attributes
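Two of the attribute pairs in these tables are AD linked attributes: the UserHolder class's Tokens (forward link) with the Token class's TokenUser (backward link), and TemporaryTokenLink (forward) with PrimaryTokenLink (backward), the latter only meaningful when TemporaryToken is set. A defender reviewing an exported snapshot of these objects wants to know that every link resolves and points back, and that no token past its ExpirationDate is still linked to a user. The following Python script is an added example, not code from SafeNet or from this guide: it runs those checks over a constructed snapshot. The DNs are placeholders, the multi-valued Tokens attribute (DnWithString syntax) is simplified to a plain list of DNs, and the "now" used for the expiry check is fixed so the result is reproducible; all of these are the example's own assumptions.

```python
from datetime import datetime, timezone

# Constructed snapshot (not real directory data). Keys are placeholder DNs;
# attribute names follow the ldapDisplayName column of the tables above.
HOLDERS = "OU=UserHolders,DC=example,DC=com"
TOKENS = "OU=Tokens,DC=example,DC=com"
U_ALICE, U_BOB = f"CN=alice,{HOLDERS}", f"CN=bob,{HOLDERS}"
T1, T2, T3, T4 = (f"CN=tok-000{i},{TOKENS}" for i in (1, 2, 3, 4))
T99 = f"CN=tok-0099,{TOKENS}"  # listed by a holder but absent from the snapshot

DIRECTORY = {
    U_ALICE: {"objectClass": "UserHolder", "Tokens": [T1, T2, T4, T99]},
    T1: {"objectClass": "Token", "TokenUser": U_ALICE, "TemporaryToken": False,
         "ExpirationDate": "20301231000000.0Z", "TemporaryTokenLink": T2},
    T2: {"objectClass": "Token", "TokenUser": U_ALICE, "TemporaryToken": True,
         "ExpirationDate": "20240101000000.0Z", "PrimaryTokenLink": T1},
    T3: {"objectClass": "Token", "TokenUser": U_BOB, "TemporaryToken": False,
         "ExpirationDate": "20301231000000.0Z"},
    T4: {"objectClass": "Token", "TokenUser": U_ALICE, "TemporaryToken": True,
         "ExpirationDate": "20301231000000.0Z", "PrimaryTokenLink": T3},
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time for the example


def parse_generalized_time(value):
    """AD Generalized time as written in the snapshot, e.g. 20240101000000.0Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def audit_links(directory, now):
    """Return a sorted list of findings: unresolved or one-sided links and expired tokens."""
    findings = []
    for dn, obj in directory.items():
        if obj["objectClass"] == "UserHolder":
            # Forward link Tokens must resolve, and each target's TokenUser must point back.
            for t in obj.get("Tokens", []):
                target = directory.get(t)
                if target is None:
                    findings.append(f"dangling Tokens link: {dn} -> {t}")
                elif target.get("TokenUser") != dn:
                    findings.append(f"TokenUser does not point back: {t} -> {target.get('TokenUser')}")
        elif obj["objectClass"] == "Token":
            # Backward link TokenUser must resolve, and the holder must list this token.
            holder = directory.get(obj.get("TokenUser"))
            if holder is None:
                findings.append(f"dangling TokenUser: {dn} -> {obj.get('TokenUser')}")
            elif dn not in holder.get("Tokens", []):
                findings.append(f"Tokens does not list token: {obj['TokenUser']} lacks {dn}")
            if parse_generalized_time(obj["ExpirationDate"]) < now:
                findings.append(f"expired token: {dn} (ExpirationDate {obj['ExpirationDate']})")
            # A temporary token's PrimaryTokenLink must be mirrored by the primary's TemporaryTokenLink.
            primary = obj.get("PrimaryTokenLink")
            if primary is not None:
                if not obj.get("TemporaryToken"):
                    findings.append(f"PrimaryTokenLink on non-temporary token: {dn}")
                if directory.get(primary, {}).get("TemporaryTokenLink") != dn:
                    findings.append(f"PrimaryTokenLink without matching TemporaryTokenLink: {dn} -> {primary}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_links(DIRECTORY, NOW):
        print(finding)
```

In a live directory AD maintains the backward link of a linked-attribute pair itself, so a one-sided link usually means the snapshot was taken mid-change or an object was restored without its links; an expired temporary token that is still linked to its primary is the case worth following up with the token's owner.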
Classes to create for TMS 5.0 and later
CN (LDAP Display Name): Description
  Parent Class; OID; May Include (In Addition to Standard Classes); SchemaIDGUID
appDeviceType (AppDeviceType): Represents application device type object in TMS
  Parent Class: Top; OID: 9; May Include: Workflow; SchemaIDGUID: {89fb852a-054f-4289-acab-0e966a0440e2}
Schema Extensions for SAM 8.0 and Later
Attributes added to Token Class in SAM 8.0 and later
CN (LDAP Display Name): Description
  Syntax; OID (5.x); Flags; Link ID; SchemaIDGUID
workflows (Workflows): Used to store workflow data of token's profiles
  Syntax: Unicode string (2.5.5.12:64); OID: 5.46; Flags: Multi-valued; SchemaIDGUID: {2576BBF3DDFF4
IsHistoryToken (IsHistoryToken): Used to identify History Tokens
  Syntax: Boolean (2.5.5.8:1); OID: 5.47; SchemaIDGUID: {2A5-F452A7FB50
Workflow Class Attributes for SAM 8.0 and Later
CN (LDAP Display Name): Description
  Syntax; OID (10.x); Flags; Link ID; SchemaIDGUID
workflowName (WorkflowName): Used to store workflow name
  Syntax: Unicode string (2.5.5.12:64); OID: 10.1; SchemaIDGUID: {EB-12456D2FAA4
workflowStatus (WorkflowStatus): Used to store workflow status
  Syntax: Integer (2.5.5.9:2); OID: 10.2; SchemaIDGUID: {9559FB4B648997
Classes to Create for SAM 8.0 and Later
CN (LDAP Display Name): Description
  Parent Class; OID; May Include (In Addition to Standard Classes); Link ID; SchemaIDGUID
workflow (Workflow): Represents workflow status of operation
  Parent Class: Top; OID: 10