Page 1: SAM Admin Guide 8.0 Rev A

SafeNet Authentication Manager (SAM) Version 8.0 Revision A

Administrator’s Guide


Copyright © 2010 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate.

SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet and SafeNet Authentication Manager are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of publication: September 2010
Last update: Tuesday, September 21, 2010 3:24 pm


Support

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact us directly at:

Telephone

You can call our help-desk 24 hours a day, seven days a week:
USA: 1-800-545-6608
International: +1-410-931-7520

Email

You can send a question to the technical support team at the following email address: [email protected]

Website

You can submit a question through the SafeNet Support portal: http://c3.safenet-inc.com/secure.asp

Additional Documentation

The following SafeNet publications are available:
SafeNet Authentication Manager 8.0 User’s Guide
SafeNet Authentication Manager 8.0 ReadMe


Table of Contents

Part I Overview of SafeNet Authentication Manager

1. Introduction ...... 3

    Overview of SafeNet Authentication Manager ...... 4
        SafeNet Authentication Manager 8.0 Core Benefits ...... 4

    New and Enhanced Features in SafeNet Authentication Manager 8.0 ...... 5
        Cloud support and integration with SaaS providers, Google Apps and Salesforce.com ...... 5
        Enhanced MobilePASS Software Authentication Solution ...... 6
        Integration with SafeNet HSMs for secure key storage ...... 6
        Token History Management ...... 6
        Token Policy Object (TPO) Export and Import ...... 7
        Additional Platform ...... 7

    Supported Authenticators ...... 7

2. System Requirements ...... 9

    SAM Server System Requirements ...... 10
    SAM Management Tools System Requirements ...... 13
    SAM Client System Requirements ...... 14
    SAM External Web Portals ...... 15

Part II Installation and Configuration

3. User Store Deployment ...... 19

    Supported User Stores ...... 20
        Remote Active Directory ...... 21
    Configuring a Microsoft SQL Server User Store ...... 21

        Preparing Microsoft SQL Server Views ...... 22
        Indexed Fields ...... 25
        Preparing an MS SQL Server Authentication dll ...... 25


    Configuring an LDAP User Store ...... 29
        Preparing LDAP Authentication Dll ...... 29
        Supported Authentication Types ...... 30

4. Installation and Configuration Checklist ...... 37
    Step 1: Perform Pre-Installation Tasks ...... 38
    Step 2: Install SafeNet Authentication Manager ...... 38

        SafeNet Authentication Client Configuration ...... 38
        OTP Configuration ...... 39

    Step 3: Configure SafeNet Authentication Manager ...... 40

5. Installation ...... 43

    Installation Components ...... 44
        Silently Installed Component ...... 45

    Installation Steps in an AD Environment ...... 46
        Installing in a Single Domain Environment ...... 46
        Installing in a Multi Domain Environment ...... 47
        Installing SAM in a Multi Forest Environment ...... 47
        Installing and Running Schema Modification Scripts ...... 48

    Installing the SafeNet Authentication Manager Server ...... 52
    Installing the SAM Management Tools ...... 57
    Installing SAM Client Using the Installation Wizard ...... 60
    Installing SAM Client Using the Command Line ...... 63
    Un-installation ...... 64

        Removing SAM Server from the Computer ...... 64
        Removing SAM from the Domain ...... 65

    Propagating the SAM Server Name ...... 66
    Duplicating a SAM Server ...... 70

        Licensing a Duplicate Server ...... 71

6. Upgrade and Migration ...... 73

    Upgrading to SAM 8.0 Server ...... 74
    Upgrading to SAM 8.0 Client ...... 75
    Upgrading to SAM 8.0 Management Tools ...... 75
    Migrating from TMS 2.0 in an OpenLDAP Environment ...... 76
    Migrating from TMS 2.0 with a Shadow Domain ...... 76
    Migrating from SafeWord to SafeNet Authentication Manager 8.0 ...... 77

        Exporting Data from the SafeWord Database ...... 77
        Importing SafeWord Data into SAM ...... 80


7. Basic Configuration ...... 85
    Configuring for Active Directory ...... 86
    Configuring for Standalone User Store ...... 94
    Configuring for OpenLDAP, Novell eDirectory or Remote AD ...... 102
    Configuring for MS SQL Server ...... 115

8. Token Policy Object Links ...... 121
    Accessing Token Policy Object Links ...... 122

        Accessing TPO Links in an AD Environment ...... 122
        Accessing TPO Links in a Non-AD Environment ...... 125
        Accessing TPO Links in a Standalone User Store Environment ...... 127

    Creating a New TPO Link ...... 130
    Adding a TPO Link ...... 132
    Deleting a TPO Link ...... 133
    Specifying the Scope of a TPO Link ...... 133

        TPO Inheritance Behavior ...... 134
        Setting No Override and Disabled Options ...... 136
        Blocking Policy Inheritance ...... 137
        Applying TPO Links to Limited Users and Groups ...... 138

    Importing and Exporting Token Policy Objects ...... 140
        Exporting Token Policy Objects ...... 140
        Importing Token Policy Objects ...... 142

9. Token Policy Object Settings ...... 145
    Using the Token Policy Object Editor to Edit TPOs ...... 146
    General Settings ...... 150

        Mail Configuration ...... 150
        SMS Provider Configuration ...... 151

    Connector Settings ...... 152
    Token Settings ...... 152

        Token Initialization ...... 152
        Token Password ...... 153
        Password Quality ...... 153
        Manual Complexity ...... 155
        Initialization Parameters ...... 157
        Initialization Key ...... 158
        Advanced Settings ...... 161


    Enrollment Settings ...... 162
        General Properties ...... 162
        SafeNet eToken Virtual Enrollment ...... 165
        Enrollment Notification ...... 165

    Recovery Settings ...... 166
    Audit Settings ...... 170
    MobilePASS Settings ...... 170
    Backend Service Settings ...... 171
    Legacy TMS Desktop Agent Settings ...... 173
    Badging Settings ...... 174

        Photo Storage ...... 175
        Printing Parameters ...... 175

10. SAM Configuration Manager ...... 179
    Launching the SAM Configuration Manager ...... 180
    Selecting the SAM Instance ...... 180
    Importing and Exporting the SAM Settings File ...... 181

        Exporting the SAM Settings File ...... 181
        Importing the SAM Settings File ...... 183

    Adding SAM Connectors ...... 183
    Configuring Roles ...... 185
    Scheduling the SAM Backend Service ...... 185
    Configuring the License ...... 187
    Configuring IIS and Web Services ...... 187

        Configuring OTP Web Services ...... 187
        Configuring Features of the SAM Management Center ...... 187
        Configuring Features of the SAM Self Service Center ...... 188
        Configuring Features of the SAM Rescue Service Center ...... 190
        Configuring Features of SAM Web Service API ...... 190
        Configuring Desktop Agent ...... 192
        Configuring Server Synchronization ...... 192

    Selecting the Authentication Plug-In ...... 193
    Defining a Failover Configuration ...... 194
    Exporting and Importing the Signing Certificate ...... 196

        Exporting a Signing Certificate ...... 196
        Importing a Signing Certificate ...... 197


    Changing the SAM Service Account ...... 198

11. Connector Configuration ...... 201

    Connector for Microsoft CA ...... 202
        Supported User Stores ...... 202
        Microsoft DLL Files Required for MSCA ...... 203
        Configuring the Microsoft CA ...... 204

    Connector for OTP Authentication ...... 217
        Supported User Stores ...... 217
        Defining TPO Rules ...... 217

    Connector for Flash Management ...... 221
        Supported User Stores ...... 221
        Defining TPO Rules ...... 222

    Connector for P12 Certificate Import ...... 224
        Supported User Stores ...... 225
        Defining TPO Rules ...... 225

    Connector for SafeNet Network Logon ...... 232
        Supported User Stores ...... 233
        Defining TPO Rules ...... 233

    Connector for eToken Anywhere ...... 237
        CA Requirements ...... 237
        Supported User Stores ...... 238
        Defining TPO Rules ...... 238

    Connector for Check Point Internal CA ...... 243
        Internal CA vs. External CA ...... 243
        Supported User Stores ...... 244
        Configuring the CP Firewall Management ...... 244
        Defining TPO Rules ...... 254

    Connector for Entrust ...... 264
        Entrust Authority Security Manager ...... 264
        SafeNet Authentication Manager - Entrust Integration ...... 265
        Main Features ...... 266
        Architecture ...... 266
        Deployment Recommendations ...... 267
        System Requirements ...... 268
        Prerequisites ...... 269
        Connector for Entrust Configuration ...... 272
        Opening the Connector Policy Object Editor ...... 272


        Defining the CA Policy ...... 274
        Defining the Add User to Security Manager Policy ...... 277
        Defining the Security Manager and SAM on Different Domains Policy ...... 278
        Defining the Domain Username Policy ...... 279
        Defining the Domain User Password Policy ...... 280
        Defining the User Path Policy ...... 281
        Defining the Username Template Policy ...... 282
        Mapping Attributes ...... 283
        Defining the Add User to Security Manager Directory Policy ...... 284
        Defining the User Role Policy ...... 285
        Defining the Certificate Type Policy ...... 286
        Defining the Last Security Manager Update Policy ...... 286
        Defining the SafeNet eToken Rescue Support Policy ...... 287
        Entrust Security Manager Administration Configuration ...... 288
        Using SAM with Entrust ...... 290
        Behavior and Limitations ...... 292

12. Licensing ...... 293
    Licensing Overview ...... 294
    Evaluation License ...... 294
    Upgrading Licenses from Earlier Versions ...... 295
    Viewing Licenses ...... 295
    Applying a License ...... 296
    Multi-Domain Licenses ...... 298

13. Authorization Manager ...... 299
    Authorization Management Overview ...... 300
    Predefined Roles ...... 301
    Defining a New Scope ...... 301
    Defining Roles ...... 303
    Defining Tasks ...... 306

14. User Permissions ...... 309
    Permissions for Basic Administration ...... 310

        SAM Service Account Permissions ...... 310
        User Permissions for Installing SAM ...... 310


    Granting Dial-In Permission to the User Account ...... 311
    Granting Permissions for Microsoft CA Templates ...... 314
    Delegating Password Reset Control ...... 315

15. Audit Messages and Enrollment Notifications ...... 321
    Audit Messages ...... 322

        Configuring Audit Settings for Viewing in Windows Event Viewer ...... 322
        Viewing SAM Events in the Event Viewer ...... 323
        Configuring Audit Settings for Sending Notification Messages ...... 325

    Enrollment Notification ...... 332
        Configuring Enrollment Notification Messages ...... 332

    Configuring Audit, Enrollment and MobilePASS Activation Notification Templates ...... 335

        Notification Letter Keywords ...... 336
    Configuring SMS Notification Template ...... 338

16. OTP Configuration ...... 339
    OTP Web Service Settings ...... 340

        Blank Presses ...... 340
        Blank Presses Resync ...... 340
        Time Sync ...... 341
        Time Resync ...... 341

    OTP Web Service Configuration ...... 342
    Configuring SAM IAS Plug-In ...... 345
    Configuring IAS for a Non-AD User Store ...... 348

17. Backend Service ...... 353
    Overview of Backend Services ...... 354
    Controlling SAM Backend Services ...... 355

Part III Post-Installation Configuration

18. User Management in an ADAM Environment ...... 359

    ADAM Environment User Store Overview ...... 360


    Opening SafeNet Authentication Manager - Policy Manager ...... 360
    Adding a User ...... 362
    Viewing and Editing User Properties ...... 364
    Adding a Group or OU ...... 365
    Viewing and Editing Group Properties ...... 367

19. Desktop Agent ...... 371
    Overview of the Desktop Agent ...... 372
    Adding the Desktop Agent Template to the GPO Editor ...... 372
    Editing the Desktop Agent Settings in the GPO Editor ...... 377
    Desktop Agent Settings ...... 379
    Configuring Automatic Download of SafeNet eToken Rescue ...... 385
    Configuring Attendance Reports ...... 386

        Opening the Desktop Agent Settings Window ...... 386
        Creating an Attendance Reports MS SQL Server Database ...... 387
        Adding a Renamed MDF file to MS SQL Server ...... 389
        Connecting to an Existing MS SQL Server Database through an ODBC Connection ...... 391
        Saving Data for Attendance Reports ...... 396
        Clearing the Token Connection Data History ...... 398
        Displaying an Error Message Following Server Error ...... 399

    Configuring the Legacy Desktop Agent ...... 400
        SAM Desktop Agent Web Services Settings ...... 401

    Troubleshooting ...... 401

20. External Portals ...... 403

    Overview of SAM External Portals ...... 404
    Deliverables ...... 404
    Prerequisites ...... 404
    Installing the SAM External Portals ...... 405
    Configuring SAM Portals ...... 409

        Configuring Roles for SAM Portals ...... 409
        Adding a Portal Connection ...... 410
        Configuring Cloud Logon ...... 412


        Setting the Logon Credentials in Google Apps ...... 416
        Setting the Logon Credentials in Force.com ...... 417
        Configuring the Username Attributes ...... 418

21. Customizing SAM Websites ...... 421
    Customizing Text ...... 422

        Editing the Text in the Resource Files ...... 422
        Implementing Text Changes with the SAM Branding Tool ...... 423

    Customizing Graphic Files ...... 424

Part IV SAM Management

22. SAM Management Center Main Features ...... 429

    Client Requirements ...... 430
    Browser Settings ...... 430
    OTP Tokens ...... 430

        Temp OTP ...... 431
        MobilePASS Tokens ...... 431

    SafeNet eToken Virtual Products ...... 432
        SafeNet eToken Virtual ...... 433
        SafeNet eToken Virtual Temp ...... 433
        SafeNet eToken Rescue ...... 434
        SafeNet eToken Rescue Use Case ...... 434

eToken Network Logon .... 435
eToken Network Logon Device Options .... 436
eToken Network Logon Use Case .... 436

23. Helpdesk .... 437
Helpdesk Page Overview .... 438

Accessing the Helpdesk Page .... 439
Unlocking a User .... 447
Enabling a Temp Logon .... 449
Enabling User Access to a SafeNet eToken Rescue .... 452
Resetting the Default User Password .... 455
Revoking a User's Token .... 455
Unassigning a User's Token .... 457
Unlocking a User's Token .... 459
Temporarily Disabling a Token .... 462
Enabling a Token .... 464
Replacing a User's Token .... 465
OTP Options .... 470

Extending an OTP .... 471
Replacing a Temp OTP with an OTP Token .... 473
Replacing an OTP Token with a Temp OTP .... 474
Resetting an OTP PIN .... 477
Validating an OTP Token .... 478
Locking an OTP .... 480
Unlocking an OTP .... 482

Certificate Recovery Workflow Options .... 483
Requesting a Certificate Recovery Workflow .... 484
Approving a Certificate Recovery Workflow .... 486
Cancelling a Certificate Recovery Workflow .... 488
Rejecting a Certificate Recovery Workflow .... 491
Recovering Certificates .... 493

24. Deployment .... 497
Deployment Page Overview .... 498
Accessing the Deployment Page .... 499
Assigning a Token .... 503
Enrolling a Smartcard or USB Token .... 505
Enrolling an OTP Token .... 509
MobilePASS Token Enrollment .... 511

Preparing the MobilePASS Token Notification Procedure .... 512
Enrolling a MobilePASS Token .... 512
Sending a MobilePASS Token to the User .... 515
Using a MobilePASS Token to Generate an OTP .... 515

25. Inventory .... 517
Inventory Page Overview .... 518
Accessing the Inventory Page .... 519
Initializing a Token .... 523
Adding Tokens to the SAM Inventory .... 526

Adding a File of Tokens to the SAM Inventory .... 526
Adding a Token to the SAM Inventory .... 528

Removing a Token from the SAM Inventory .... 530

26. Reports .... 533

SAM Reports Page Overview .... 534
Accessing the Reports Page .... 534
Generating a Token Inventory Report .... 536
Generating a Token History Report .... 541
Generating a Token Expiration Report .... 546
Generating a Token Audit Report .... 550
Generating an OTP Usage Report .... 553
Generating a Token Connections Report .... 555
Generating an Hourly Distribution Chart .... 559

27. Downloads .... 563
SAM Downloads Page Overview .... 564
Accessing the SAM Downloads Page .... 564
Downloading SAM Web Client .... 565
Downloading MobilePASS Applications .... 569

Part V Appendixes
A. AD Schema Enhancement .... 573

Prefixes Registered with Microsoft .... 574
Naming Conventions .... 574
Schema Attributes and Classes Tables .... 574

Attributes .... 575
Classes .... 588
Schema extensions for TMS 5.0 and Later .... 590
Schema Extensions for SAM 8.0 and Later .... 592

Part I Overview of SafeNet Authentication Manager

This section provides an overview of SAM, including the new features in this version.

In this section:

Chapter 1: Introduction (page 3)
Chapter 2: System Requirements (page 9)

Chapter 1

Introduction

SafeNet Authentication Manager (SAM) enables management of the complete user authentication life cycle. SafeNet Authentication Manager links tokens with users, organizational rules, and security applications to allow streamlined handling of users' needs throughout the various stages of their authenticator lifecycle.

In this section:

Overview of SafeNet Authentication Manager
New and Enhanced Features in SafeNet Authentication Manager 8.0
Supported Authenticators

Overview of SafeNet Authentication Manager

SafeNet Authentication Manager 8.0 (formerly known as eToken TMS) provides your organization with a comprehensive platform to manage all of your authentication requirements, across the enterprise and the cloud, in a single, integrated system. Enabling strong authentication for cloud applications using identity federation technology and offering support for SafeNet's portfolio of OTP and certificate-based authenticators, SafeNet Authentication Manager (SAM) is designed to evolve with your changing needs so you can:

Maintain strong on-premise authentication for cloud-based SaaS applications such as Google Apps and SalesForce.com
Seamlessly enhance your authentication infrastructure from OTP-only environments to more flexible ones that support both OTP and certificate-based (PKI) solutions and applications
Deploy a range of software authentication solutions

SafeNet Authentication Manager's capabilities include central, delegated, and self-service interfaces that allow different levels of service to different communities of users and administrators.

SafeNet Authentication Manager 8.0 Core Benefits

Extend your current enterprise authentication infrastructure to the cloud seamlessly
Complete support for your entire authentication solution (OTP, CBA, security applications) in a single system
Extensible, open platform with self-service and remote support for Linux, Mac and Windows
Flexibility to evolve your authentication infrastructure to include OTP and CBA solutions as well as advanced security applications
Reduce the workload of your IT staff with an integrated IT infrastructure, automated processes and intuitive user self-service tools
Control of your authenticator inventory and usage
Enhanced user productivity and remote access from wherever they are without compromising security
Comprehensive auditing and reporting features enable compliance with privacy regulations

New and Enhanced Features in SafeNet Authentication Manager 8.0

The following features have been included in SafeNet Authentication Manager 8.0. 

Cloud support and integration with SaaS providers, Google Apps and Salesforce.com

Description: SAM provides a seamless strong authentication experience for enterprise users who want to access SaaS applications such as Google Apps and Salesforce.com (SFDC). This is achieved by federating their enterprise identity to the cloud; in short, enabling a Single Credential experience in which the user logs into the SAM portal using their access credentials and is then automatically redirected to the specific cloud application.

How it works: User authentication first happens in the enterprise (the user logging into SAM), and only after users are successfully authenticated are they redirected to the cloud service through the use of identity federation protocols such as Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data. SafeNet Authentication Manager acts as the trusted identity provider, giving authenticated users permission to access the application. The SaaS application is configured to allow access only to those users authenticated by SafeNet Authentication Manager. The enterprise maintains control of user access, as every use of the cloud resource is first validated on premise.

Benefits: Enables enterprise users to access SaaS applications securely via two-factor authentication from anywhere. Existing SafeNet TMS/SAM customers can leverage their current on-premise authentication deployment to seamlessly and cost-effectively extend the same strong authentication solution to their cloud applications. There is no additional hardware or software to deploy; users can leverage their current authenticators. Comprehensive management of all authentication operations for both on-premise and cloud can be performed within a single platform.

Enhanced MobilePASS Software Authentication Solution

Over-the-air deployment can be achieved in two ways:

Direct download link sent to the user via email; using their mobile device, the user then clicks on the link and is prompted to install the application on their device
Software distribution push via BlackBerry Enterprise Server (BES)

Simple Remote Self-Enrollment and Activation portal for end users
Broad range of mobile device support: BlackBerry (4.2 and above), iPhone (3.0 and above), J2ME, Android

Integration with SafeNet HSMs for secure key storage

Description: SafeNet Authentication Manager security keys are stored in the HSM; encryption and decryption of SAM data is executed on the HSM.

Benefits: Storing the SAM security keys in the HSM rather than locally in the file system enhances the security and the protection of stored secrets such as OTP seeds and archived private keys from unauthorized copy or leakage; this is an increasing requirement among both financial and government customers.

Supported HSM models: Luna SA 4.4 and PCI 7000

Token History Management

Stores historical data of tokens that have been unassigned or removed. When users leave the company, their tokens are initialized and all data removed. However, if the token was used to access encrypted company data, for example, it might be necessary later to retrieve the encryption key. SAM now enables such a process by keeping a history of unassigned tokens, enabling certificate export for historic certificates.

Token Policy Object (TPO) Export and Import

TPO settings can be exported to, and imported from, a password protected file
Enables the duplication of the same TPO settings in multiple SAM installations
Assists the SafeNet support team when providing assistance to customers

Additional Platform

Windows Server 2008 R2 is now supported

Supported Authenticators

The following authenticators are supported in SafeNet Authentication Manager 8.0:

SafeNet eToken PRO
SafeNet eToken NG Flash
SafeNet eToken NG OTP
SafeNet eToken Smart Card
SafeNet eToken Anywhere
SafeNet eToken Virtual
SafeNet eToken Virtual Temp
SafeNet eToken Rescue
eToken Anywhere
MobilePASS
MobilePASS Messaging
Alpine
Gold 3000
Platinum
Silver

Chapter 2

System Requirements

Before installing SAM, ensure that your system meets the requirements for each of the components. See Installation Components on page 44.

In this chapter:

SAM Server System Requirements
SAM Management Tools System Requirements
SAM Client System Requirements
SAM External Web Portals
Windows Password

SAM Server System Requirements

Component: Operating System
Requirement: One of the following:
  Windows Server 2003 SP2 (32-bit, 64-bit)
  Windows Server 2003 R2 (32-bit and 64-bit)
  Windows Server 2008 SP2 (32-bit, 64-bit)
  Windows Server 2008 R2 (64-bit)

Component: Additional Software
Requirement: Windows Installer 3.0 or later
Comment: The Microsoft Windows Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2-x86.exe is the redistributable package for installing or upgrading Windows Installer.
  http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en

Requirement: 32-bit: Microsoft .NET Framework Version 2.0 SP1 (x86) redistributable package or later
  64-bit: Microsoft .NET Framework version 2.0 (x64) redistributable package or later
Comment: The Microsoft .NET Framework version 2.0 redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework 2.0.
  32-bit: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
  64-bit: http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00&displaylang=en

Requirement: One of the following:
  Microsoft SQL Server 2005
  Microsoft SQL Server 2008
Comment: Required for producing Attendance Reports only

Requirement: Java Runtime Environment 1.5 or later
Comment: Required for MobilePASS tokens only

Component: SAM Configuration Store
Requirement: Active Directory (if Active Directory is to be used as the configuration store).
Comment: See SAM Configuration Store on page 23.
  Note: If ADAM is to be used as the configuration store, it does not need to be installed separately, as it is installed during the SAM installation.

Component: SAM User Store
Requirement: One of the following, if an external user store is used:
  Active Directory (Windows 2003, 2003 R2, 2008, or 2008 R2)
  MS SQL Server 2005 or 2008
  OpenLDAP 2.3.38 or later
  Novell eDirectory 8.7.3 or later
Comment: See User Store on page 21.
  Note: If the integrated configuration of a Standalone user store is used, ADAM is installed during the SAM installation, and a pre-installed user store is not required.

Component: PKI Client/SafeNet Authentication Client
Requirement: The following versions are supported:
  eToken PKI Client version 4.55
  eToken PKI Client version 5.1 SP1
  SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SafeNet Authentication Manager system.
  Note: Not required for OTP-only implementations.

SAM Management Tools System Requirements

Component: Operating System
Requirement: One of the following:
  Windows Server 2003 SP2 (32-bit, 64-bit)
  Windows Server 2003 R2 (32-bit, 64-bit)
  Windows Server 2008 SP2 (32-bit, 64-bit)
  Windows Server 2008 R2 (64-bit)
  Windows XP SP3 (32-bit, 64-bit)
  Windows Vista SP2 (32-bit, 64-bit)
  Windows 7 (32-bit, 64-bit)
Comment: Use Windows Vista and Windows 7 for non-AD environments only.

Component: Additional Software
Requirement: Windows Installer 3.0 or later
Comment: See the Windows Installer comment on page 11.

Requirement: Microsoft .NET Framework Version 2.0 SP1 Redistributable or later
Comment: See the Microsoft .NET Framework comment on page 11.

Component: eToken PKI Client or SafeNet Authentication Client
Requirement: The following versions are supported:
  eToken PKI Client version 4.55
  eToken PKI Client version 5.1 SP1
  SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SAM system.
  Note: Not required for OTP-only implementations.

Component: Browser
Requirement: Internet Explorer 6.0, 7.0, or 8.0

Component: Trusted Sites
Requirement: SAM Management Center
Comment: Must be set as a trusted site.

SAM Client System Requirements

Component: Operating System
Requirement: One of the following:
  Windows Server 2003 SP2 (32-bit, 64-bit)
  Windows Server 2003 R2 (32-bit, 64-bit)
  Windows Server 2008 SP2 (32-bit, 64-bit)
  Windows Server 2008 R2 (64-bit)
  Windows XP SP3 (32-bit, 64-bit)
  Windows Vista SP2 (32-bit, 64-bit)
  Windows 7 (32-bit, 64-bit)

Component: eToken PKI Client or SafeNet Authentication Client
Requirement: The following versions are supported:
  eToken PKI Client version 4.55
  eToken PKI Client version 5.1 SP1
  SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
  Note: eToken PKI Client 5.1 SP1 or later is required for a Windows 7 environment.
Comment: Required to work with tokens and with connector configurations.
  Note: Not required for OTP-only implementations.

Component: Browser
Requirement: Internet Explorer 6.0, 7.0, or 8.0
  Firefox 3.6 (OTP operations only)
  Safari 5 (OTP operations only)

Component: Trusted Sites
Requirement: SAM Self Service Center
Comment: Must be set as a trusted site.

SAM External Web Portals

Component: Browser
Requirement: Internet Explorer 6.0, 7.0, or 8.0
  Firefox 3.6
  Chrome 5
  Safari 5 (Mac)

Part II Installation and Configuration

The following chapters describe how to install and configure SAM.

In this section:

Chapter 3: User Store Deployment (page 19)
Chapter 4: Installation and Configuration Checklist (page 37)
Chapter 5: Installation (page 43)
Chapter 6: Upgrade and Migration (page 73)
Chapter 7: Basic Configuration (page 85)
Chapter 8: Token Policy Object Links (page 121)
Chapter 9: Token Policy Object Settings (page 145)
Chapter 10: SAM Configuration Manager (page 179)
Chapter 11: Connector Configuration (page 201)
Chapter 12: Licensing (page 293)
Chapter 13: Authorization Manager (page 299)
Chapter 15: Audit Messages and Enrollment Notifications (page 321)
Chapter 16: OTP Configuration (page 339)
Chapter 17: Backend Service (page 353)

Chapter 3

User Store Deployment

Typically, Microsoft Active Directory is deployed as part of the Windows operating system, and is available when installing SafeNet Authentication Manager. To use a different user store (MS SQL Server, OpenLDAP, or Novell eDirectory) that is not already installed, you must deploy it before installing SAM. Alternatively, you can install a Standalone user store, which is an integrated configuration store and user store based on ADAM. In this case, ADAM is installed as part of the SAM installation. See User and Configuration Stores on page 21.

In this section:

Supported User Stores
Remote Active Directory
Configuring a Microsoft SQL Server User Store
Configuring an LDAP User Store

Supported User Stores

SafeNet Authentication Manager can work with any of the following user stores:

Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)

Note: You cannot work with Active Directory and a different store (MS SQL Server, OpenLDAP, Novell, or Remote AD). However, when working with AD you can use several domains. When working with MS SQL Server, OpenLDAP, Novell, or Remote AD, you can use several of them together, but not with AD.

ADAM (with Standalone user store, an integrated configuration and user store)
Remote Active Directory
Microsoft SQL Server 2005/2008
OpenLDAP
Novell eDirectory

Note: For a fully featured SafeNet Authentication Manager solution including SAM Desktop Agent, Microsoft Active Directory must be used.

In non-AD environments, SafeNet Authentication Manager supports the following connectors:

Connector for OTP Authentication
Connector for eToken Anywhere
Connector for Check Point Internal CA
Connector for Microsoft CA, with offline CA
Connector for Flash Management
Connector for P12 Certificate Import

Remote Active Directory

A remote Active Directory can be used as a user store when working in a multi-forest environment. This avoids the necessity of installing a SafeNet Authentication Manager server in each forest. A typical use for this would be when deploying OTP in a multi-forest environment. To enable connection to the remote Active Directory, during configuration SafeNet Authentication Manager must be supplied with the user name and password that will enable access to the domain.

Configuring a Microsoft SQL Server User Store

Perform the following tasks before implementing MS SQL Server as a user store:

Prepare the data views so that SafeNet Authentication Manager can connect to the database.
Prepare the authentication dll file that will enable users to log on to the SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.

Preparing Microsoft SQL Server Views

The required views must be created in MS SQL Server. This set of views must be prepared as described to enable SafeNet Authentication Manager to connect to the database.

AksTMSUsers

AksTMSUsers represents the user table.

Field             Type     Description                        Required
UserID            String   The unique user ID                 Yes
AccountName       String   The unique user account name       Yes
PolicyObjectID    String   The direct organization unit       Yes (can be null)
LogonName         String   The unique user logon name         No
AccountEnabled    Boolean  Used by OTP authentication         No
AccountLocked     Boolean  Used by OTP authentication         No
FirstName         String   The user's first name              No
LastName          String   The user's last name               No
Initials          String   The user's initials                No
MiddleName        String   The user's middle name             No
Street            String   The user's address street          No
POBox             String   The user's address PO Box number   No
City              String   The user's address city            No
State             String   The user's address state           No
ZipCode           String   The user's address zip code        No
CountryCode       String   The user's address country code    No
HomePostalAdress  String   The user's home postal address     No
Email             String   The user's email                   No
MobilePhone       String   The user's mobile phone            No
HomePhone         String   The user's home phone              No
OrganizationName  String   The user's organization name       No
Company           String   The user's company                 No
EmployeeNumber    String   The user's employee number         No
DepartmentNumber  String   The user's department number       No
Office            String   The user's office                  No
DisplayName       String   The user's full display name       No

AksTMSGroups

AksTMSGroups represents the group table.

Field        Type    Description                  Required
GroupID      String  The unique group ID          Yes (value required)
GroupName    String  The unique group name        Yes (value required)
DisplayName  String  The group full display name  No

AksTMSUserOfGroup

AksTMSUserOfGroup represents membership of users in the groups.

Field    Type    Description                Required
GroupID  String  The group unique ID        Yes (value required)
UserID   String  The user belongs to group  Yes (value required)

AksTMSGroupOfGroup

AksTMSGroupOfGroup represents the group hierarchy.

Field          Type    Description                    Required
GroupID        String  The unique group ID            Yes (value required)
MemberGroupID  String  The subgroup belongs to group  Yes (value required)

AksTMSPolicyObjects

AksTMSPolicyObjects represents the hierarchy of the organization (equivalent to OU).

Field           Type     Description                         Required
PolicyID        String   The unique policy object ID         Yes (value required)
PolicyName      String   The unique policy object name       Yes (value required)
Root            Boolean  Policy object is root               Yes (value required)
ParentPolicyID  String   The ID of the parent policy object  Yes (value not required)
DisplayName     String   The policy's full display name      No

Indexed Fields

To ensure optimum performance, all required fields in the SQL database should be indexed:

AksTMSUsers: UserID, AccountName, PolicyObjectID
AksTMSGroups: GroupID, GroupName
AksTMSUserOfGroup: GroupID, UserID
AksTMSPolicyObjects: PolicyID, PolicyName, Root, ParentPolicyID

Preparing an MS SQL Server Authentication dll

This section describes how to configure MS SQL Server authentication in SAM.

SQL Authentication Overview

When SafeNet Authentication Manager is configured to work with a user store based on an SQL database, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a user store based on an SQL database, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.
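Before moving on to the authentication dll, the following T-SQL script shows what the view and index requirements above amount to in practice. It is an added example, not a script from the guide or from SafeNet: it maps a hypothetical HR schema (the tables dbo.Employees, dbo.OrgUnits, dbo.Teams, dbo.TeamMembers and dbo.TeamHierarchy, and the role sam_reader, are all assumptions) onto the five views. Only the view names and their column names come from the guide; the base tables are constructed here so that the script runs on an empty database.

```sql
-- Added example, not from the SafeNet guide. The HR tables and the role
-- sam_reader are assumptions; the view and column names are the ones SAM expects.

-- Constructed source schema standing in for an existing HR database.
CREATE TABLE dbo.OrgUnits (
    OrgUnitId   NVARCHAR(64)  NOT NULL PRIMARY KEY,   -- PolicyID (indexed by PK)
    OrgUnitName NVARCHAR(128) NOT NULL UNIQUE,        -- PolicyName (indexed by UNIQUE)
    ParentId    NVARCHAR(64)  NULL,                   -- ParentPolicyID, NULL only at the root
    Title       NVARCHAR(256) NULL,
    -- Persisted so that the Root field of AksTMSPolicyObjects can be indexed.
    IsRoot AS CAST(CASE WHEN ParentId IS NULL THEN 1 ELSE 0 END AS BIT) PERSISTED
);
CREATE TABLE dbo.Employees (
    EmployeeId NVARCHAR(64)  NOT NULL PRIMARY KEY,    -- UserID
    Login      NVARCHAR(128) NOT NULL UNIQUE,         -- AccountName
    OrgUnitId  NVARCHAR(64)  NULL REFERENCES dbo.OrgUnits(OrgUnitId),
    IsActive   BIT NOT NULL DEFAULT 1,
    IsLocked   BIT NOT NULL DEFAULT 0,
    GivenName  NVARCHAR(128) NULL,
    Surname    NVARCHAR(128) NULL,
    Mail       NVARCHAR(256) NULL,
    EmpNumber  NVARCHAR(64)  NULL
);
CREATE TABLE dbo.Teams (
    TeamId   NVARCHAR(64)  NOT NULL PRIMARY KEY,      -- GroupID
    TeamName NVARCHAR(128) NOT NULL UNIQUE            -- GroupName
);
CREATE TABLE dbo.TeamMembers (
    TeamId     NVARCHAR(64) NOT NULL REFERENCES dbo.Teams(TeamId),
    EmployeeId NVARCHAR(64) NOT NULL REFERENCES dbo.Employees(EmployeeId),
    PRIMARY KEY (TeamId, EmployeeId)                  -- GroupID, UserID
);
CREATE TABLE dbo.TeamHierarchy (
    ParentTeamId NVARCHAR(64) NOT NULL REFERENCES dbo.Teams(TeamId),
    ChildTeamId  NVARCHAR(64) NOT NULL REFERENCES dbo.Teams(TeamId),
    PRIMARY KEY (ParentTeamId, ChildTeamId)
);
-- Indexes for the required fields that no key already covers:
-- PolicyObjectID, ParentPolicyID, Root, and UserID-first membership lookups.
CREATE INDEX IX_Employees_OrgUnit    ON dbo.Employees(OrgUnitId);
CREATE INDEX IX_OrgUnits_Parent      ON dbo.OrgUnits(ParentId);
CREATE INDEX IX_OrgUnits_IsRoot      ON dbo.OrgUnits(IsRoot);
CREATE INDEX IX_TeamMembers_Employee ON dbo.TeamMembers(EmployeeId);
GO

-- AksTMSUsers: required fields first; an optional field the source cannot
-- supply is exposed as a typed NULL so the view keeps the expected shape.
CREATE VIEW dbo.AksTMSUsers AS
SELECT e.EmployeeId AS UserID,
       e.Login      AS AccountName,
       e.OrgUnitId  AS PolicyObjectID,                -- required column, value may be NULL
       e.Login      AS LogonName,
       e.IsActive   AS AccountEnabled,                -- Boolean, used by OTP authentication
       e.IsLocked   AS AccountLocked,                 -- Boolean, used by OTP authentication
       e.GivenName  AS FirstName,
       e.Surname    AS LastName,
       e.Mail       AS Email,
       e.EmpNumber  AS EmployeeNumber,
       CAST(NULL AS NVARCHAR(64)) AS MobilePhone,
       ISNULL(e.GivenName, N'') + N' ' + ISNULL(e.Surname, N'') AS DisplayName
FROM dbo.Employees AS e;
GO
CREATE VIEW dbo.AksTMSGroups AS
SELECT t.TeamId AS GroupID, t.TeamName AS GroupName, t.TeamName AS DisplayName
FROM dbo.Teams AS t;
GO
CREATE VIEW dbo.AksTMSUserOfGroup AS
SELECT m.TeamId AS GroupID, m.EmployeeId AS UserID
FROM dbo.TeamMembers AS m;
GO
CREATE VIEW dbo.AksTMSGroupOfGroup AS
SELECT h.ParentTeamId AS GroupID, h.ChildTeamId AS MemberGroupID
FROM dbo.TeamHierarchy AS h;
GO
-- AksTMSPolicyObjects: ParentPolicyID must exist but its value may be NULL (the root).
CREATE VIEW dbo.AksTMSPolicyObjects AS
SELECT o.OrgUnitId   AS PolicyID,
       o.OrgUnitName AS PolicyName,
       o.IsRoot      AS Root,
       o.ParentId    AS ParentPolicyID,
       o.Title       AS DisplayName
FROM dbo.OrgUnits AS o;
GO

-- Least privilege: the login SAM uses for its data connection reads the views
-- only, never the HR tables behind them.
CREATE ROLE sam_reader;
GRANT SELECT ON dbo.AksTMSUsers         TO sam_reader;
GRANT SELECT ON dbo.AksTMSGroups        TO sam_reader;
GRANT SELECT ON dbo.AksTMSUserOfGroup   TO sam_reader;
GRANT SELECT ON dbo.AksTMSGroupOfGroup  TO sam_reader;
GRANT SELECT ON dbo.AksTMSPolicyObjects TO sam_reader;
GO
```

Run it with sqlcmd or SQL Server Management Studio against a fresh database; the GO separators are needed because CREATE VIEW must begin its own batch. Computing Root from ParentId in the view would leave that required field without an index, which is why the example materializes it as a persisted computed column on the base table. Granting the SAM data connection SELECT on the views rather than on the HR tables limits what a compromised service account can read; which login SAM's data connection actually uses is configured during installation and is outside this script.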

SQLAuthentication.dll Authentication File

A default SQL authentication dll is provided with SAM: SQLAuthentication.dll.

This dll file reads a specific configuration at runtime when the associated application is loaded. SQLAuthentication.dll is typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

SQLAuthentication.dll.config Configuration File

The configuration file must be named SQLAuthentication.dll.config, and must be located in the same directory as SQLAuthentication.dll.

The SQLAuthentication.dll.config file is an XML file.

Note: After updating the SQLAuthentication.dll.config configuration file, reset the IIS server to update SAM.

Supported Authentication Types

SQL User is the only authentication type supported. This authentication type takes advantage of the SQL Server built-in authentication service. When a SafeNet Authentication Manager user authentication request arrives, an appropriate SQL connection string is built at runtime and is then used by an SQL connection object to connect to the server. If a connection is established successfully, the authentication request is accepted. If the connection fails, the authentication request is rejected.

Since there may be several user store databases in an organization, each user store may be configured to transfer a user's authentication request to a different SQL database, as explained in the following <Instance> xml node.

Tip: We recommend referring to the sample SQLAuthentication.dll.config file when reading this section.

Typically, SQLAuthentication.dll.config is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin\

<Instance>

Allows mapping a user's authentication request by the unique name of the user store to which the user belongs. For example, in the above configuration file example, each user belonging to "organization-usa" is authenticated using the connection string pointing to SQLSRV-USA-MACHINE, while each user belonging to "organization-europe" is authenticated using the connection string pointing to SQLSRV-EUR-MACHINE. If there is only one user store, only one <Instance> section should be used (adding the default="true" attribute).

<TMSUserIdentifier>

Indicates which user property should be used as the SQL Server user name. The value at runtime is inserted into the {0} at the ConnectionString XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber, and Name.

<Provider>

This value holds the provider retrieving data from the database. Use the following value: System.Data.SqlClient

<ConnectionString>

Note: The <ConnectionString> template described here must be formatted according to the selected provider. Each provider defines the connection string format.

Contains a template for the database connection string. The template should be formatted according to the provider type, as described in the previous section.

The {0} is replaced at runtime with the value of the TMSUser property indicated in TMSUserIdentifier.
The {1} is replaced at runtime with the password from the authentication request.

The following sample shows a connection string for connecting to Microsoft SQL Server:

<ConnectionString>Data Source=SQLSRV-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
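The runtime substitution of {0} and {1} described above, as an added example that is not SafeNet code or configuration: a Python model of that step which quotes each value according to the SqlClient connection-string grammar and then parses the result to confirm that a user name or password containing ';', a quote character or surrounding spaces cannot add or alter keywords of the template. The template is the guide's sample; the user names and passwords are constructed; the quoting and parsing rules are those of the SqlClient grammar as implemented here, since the guide does not describe how SAM itself performs the substitution.

```python
"""Model of the runtime {0}/{1} substitution into the <ConnectionString> template.

Added example, not SafeNet code. Values are quoted per the SqlClient
connection-string grammar: a value containing ';' or a quote character, or
with leading/trailing white space, is wrapped in double quotes with embedded
double quotes doubled. The parser then checks that the substituted string
still has exactly the template's keywords.
"""

# Template taken from the guide's sample (Initial Catalog left empty as there).
TEMPLATE = ("Data Source=SQLSRV-MACHINE\\SQLEXPRESS;Initial Catalog=;"
            "Integrated Security=False;User ID={0};Password={1}")
EXPECTED_KEYS = {"data source", "initial catalog", "integrated security",
                 "user id", "password"}


def quote_value(value: str) -> str:
    """Quote a value when the SqlClient grammar requires it, else return as-is."""
    if any(c in value for c in ';"\'') or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value


def build_connection_string(template: str, user: str, password: str) -> str:
    """Replace {0} and {1} as the guide describes, with quoted values."""
    return template.replace("{0}", quote_value(user)).replace("{1}", quote_value(password))


def naive_substitution(template: str, user: str, password: str) -> str:
    """Unquoted substitution, kept only to show what goes wrong without quoting."""
    return template.replace("{0}", user).replace("{1}", password)


def parse_connection_string(conn: str) -> dict:
    """Split 'keyword=value;...' into a dict, honouring double-quoted values.

    Keywords are lower-cased. Unquoted values are stripped; quoted values are
    taken verbatim with '""' decoded to '"'.
    """
    pairs, i, n = {}, 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq < 0:
            break
        key = conn[i:eq].strip().lower()
        i = eq + 1
        if i < n and conn[i] == '"':
            buf, i = [], i + 1
            while i < n:
                if conn[i] == '"':
                    if i + 1 < n and conn[i + 1] == '"':  # doubled quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1  # closing quote
                    break
                buf.append(conn[i])
                i += 1
            value = "".join(buf)
        else:
            semi = conn.find(";", i)
            end = n if semi < 0 else semi
            value, i = conn[i:end].strip(), end
        semi = conn.find(";", i)
        i = n if semi < 0 else semi + 1
        pairs[key] = value
    return pairs


def substitution_is_safe(template: str, user: str, password: str) -> bool:
    """True if the quoted substitution round-trips and adds no keyword."""
    parsed = parse_connection_string(build_connection_string(template, user, password))
    return (set(parsed) == EXPECTED_KEYS
            and parsed["user id"] == user
            and parsed["password"] == password
            and parsed["integrated security"] == "False")


if __name__ == "__main__":
    for pw in ("plain", "se;cret", 'p"q r ', "o'brien"):
        print(repr(pw), "quoted ->", build_connection_string(TEMPLATE, "alice", pw))
        print("   naive parse:", parse_connection_string(naive_substitution(TEMPLATE, "alice", pw)))
```

A password such as se;cret substituted without quoting ends the Password keyword at the semicolon, so the connection fails or, worse, the remainder is read as further keywords; with quoting, the parsed user name and password round-trip exactly and the keyword set of the template is unchanged. The same check is worth running against whatever connection string SAM actually emits, for instance by pointing the SQL Server trace at a test login.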


Configuring an LDAP User Store

SafeNet Authentication Manager supports OpenLDAP and Novell eDirectory as user stores. Perform the following tasks before implementing an LDAP directory as a user store:

Prepare the authentication dll file that will enable users to log on to SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.
If you require an LDAP schema different from the default, you must make the changes in the SAM Configuration Manager. See Changing the Schema Configuration on page 199.

Notes: In contrast to AD, OpenLDAP does not use a specific schema definition for users, groups, etc. It uses a basic definition that is extended on each installation.

Novell eDirectory has a default schema that is similar to AD.

Preparing LDAP Authentication Dll

This section describes how to configure LDAP authentication in SafeNet Authentication Manager.

LDAP Authentication Overview

When SafeNet Authentication Manager is configured to work with a user store that is not Microsoft Active Directory, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center, and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a non-Active Directory user store, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.


LDAPAuthentication.dll Authentication File

A default LDAP authentication dll file is provided with SafeNet Authentication Manager: LDAPAuthentication.dll. This dll file reads the specific configuration at runtime when the associated application is loaded.

LDAPAuthentication.dll is typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

LDAPAuthentication.dll.config Configuration File

The configuration file must be named LDAPAuthentication.dll.config, and must be located in the same directory as LDAPAuthentication.dll.

The LDAPAuthentication.dll.config file is an XML file.

Supported Authentication Types

There are two supported LDAP authentication types:

Fast Bind Configuration
Slow Bind Configuration

Both authentication types take advantage of the LDAP Directory server built‐in authentication service.

Tip: Use fast bind authentication when the users are stored in an LDAP directory and you wish to authenticate them with the same directory. Use slow bind authentication when the users are stored in one database and you wish to authenticate them with a different database (which is an LDAP directory).


Fast Bind Configuration

The most common configuration is the fast bind authentication. It is a one-phase authentication where the user DN and user password are passed to the LDAP directory, which in return accepts or rejects the authentication request. In this configuration, both users and passwords are placed in the same store. This store is always an LDAP directory where each user in the directory must be authorized to perform authentication.

The XML file should be as follows:

<Configuration>
  <AuthenticationType>FastBind</AuthenticationType>
</Configuration>

The file will always be the same regardless of the LDAP directory manufacturer or any other criteria.

Slow Bind Configuration

Slow bind authentication is a two-phase authentication:

First phase: searching for and retrieving the user's LDAP path (User DN) from a pre-configured LDAP directory.
Second phase: authenticating that user (as in fast bind).

In this configuration, the user store is usually located in one database (of any type) and the passwords are located in another database, which must be an LDAP directory. For example, the user store is an SQL database and the passwords are in an OpenLDAP or eDirectory database. As in fast bind authentication, each user in the LDAP directory must be authorized to perform authentication.


The XML file should be as follows:

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance name="InstanceName1">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>Server1.com:389</Server>
      <BaseDN>dc=MyCompany1,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=Person))</FilterTemplate>
      <UserDN>cn=Admin,dc=MyCompany1,dc=com</UserDN>
      <Password></Password>
    </Instance>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>Server1.com:389</Server>
      <BaseDN>dc=MyCompany1,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=Person))</FilterTemplate>
      <UserDN>cn=Admin,dc=MyCompany1,dc=com</UserDN>
      <Password></Password>
    </Instance>
  </SlowBind>
</Configuration>

If there are multiple user store databases in an organization, there may be several matching LDAP directories containing the passwords. The configuration file allows the binding of each user store to a specific LDAP directory.

<Instance>

Allows mapping a user store to an LDAP directory. If there is only one LDAP directory, only one <Instance> section should be used (adding the default="true" attribute).


If there are several LDAP directories, the "name" attribute should be used to map each user store to its LDAP directory, giving the user store's unique instance name.

<TMSUserIdentifier>

Holds the user property that is used to locate the user in the LDAP directory. The value at runtime is inserted into the {0} in the FilterTemplate XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber and Name.

<Server>

IP address or DNS name of the LDAP directory (the samples use the form host:port, as in Server1.com:389).

<BaseDN>

The root LDAP path for user searching

<FilterTemplate>

This LDAP query template is used to build an LDAP search string at runtime in order to find the user requesting authentication in the LDAP directory. The {0} is replaced at runtime with the value of the user property indicated in TMSUserIdentifier.

<UserDN>

The User LDAP path used to perform the searches in the LDAP directory. This entry must have permissions to search and read LDAP entries in the LDAP directory.


<Password>

The password of the UserDN entry.

Note: The password must be encrypted using the Encrypt Password Tool (EncryptPassword.exe) and placed in the configuration file. See Using the Encrypt Password Tool (EncryptPassword.exe) on page 34.
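The two phases of slow bind and the {0} substitution into FilterTemplate, as an added example that is not SafeNet code: the TMSUserIdentifier value is escaped per RFC 4515 before it is inserted into the template, so that '*', '(', ')', '\' and NUL in a user name are matched literally, and the search-then-bind sequence is then run against a constructed in-memory directory standing in for the LDAP server. The template, BaseDN and UserDN are the guide's sample values; the directory entries, passwords and the fake_search/fake_bind functions are constructed and understand only the template's filter shape.

```python
"""Slow bind, phase by phase, with RFC 4515 escaping of the {0} value.

Added example, not SafeNet code. fake_search/fake_bind and SAMPLE_DIRECTORY
are constructed stand-ins for a real LDAP server.
"""
import hmac
import re

FILTER_TEMPLATE = "(&(cn={0})(objectClass=Person))"  # guide's sample template
BASE_DN = "dc=MyCompany1,dc=com"                     # guide's sample BaseDN
SERVICE_DN = "cn=Admin,dc=MyCompany1,dc=com"         # guide's sample UserDN

# RFC 4515 section 3: these characters in an assertion value must be escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode \\XX escapes; used by the constructed directory below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_filter(template: str, identifier: str) -> str:
    """Fill {0} of FilterTemplate with the escaped TMSUserIdentifier value."""
    return template.replace("{0}", escape_filter_value(identifier))


# Constructed sample directory: DN -> (cn, objectClass, password).
SAMPLE_DIRECTORY = {
    "cn=alice,dc=MyCompany1,dc=com": ("alice", "Person", "alice-pw"),
    "cn=O'Neil (Contractor),dc=MyCompany1,dc=com": ("O'Neil (Contractor)", "Person", "oneil-pw"),
    "cn=Admin,dc=MyCompany1,dc=com": ("Admin", "Person", "admin-pw"),
    "cn=printer1,dc=MyCompany1,dc=com": ("printer1", "Device", "printer-pw"),
}
_TEMPLATE_SHAPE = re.compile(r"^\(&\(cn=(.*?)\)\(objectClass=([A-Za-z]+)\)\)$")


def fake_search(base_dn: str, ldap_filter: str) -> list:
    """Evaluate a filter of the template's shape against SAMPLE_DIRECTORY."""
    m = _TEMPLATE_SHAPE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    wanted_cn, wanted_class = unescape_filter_value(m.group(1)), m.group(2)
    return [dn for dn, (cn, cls, _pw) in SAMPLE_DIRECTORY.items()
            if dn.endswith(base_dn) and cn == wanted_cn and cls == wanted_class]


def fake_bind(dn: str, password: str) -> bool:
    """Simple bind against SAMPLE_DIRECTORY (constant-time password compare)."""
    entry = SAMPLE_DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry[2].encode(), password.encode())


def slow_bind(search, bind, base_dn, service_dn, service_pw,
              template, identifier, password):
    """Two-phase slow bind; returns the authenticated user DN or None.

    Phase 1 binds as the configured UserDN and searches for the user's DN.
    Phase 2 binds as that DN with the password from the authentication
    request, exactly as fast bind would. Zero or several matches are rejected.
    """
    if not bind(service_dn, service_pw):          # UserDN/Password misconfigured
        return None
    matches = search(base_dn, build_filter(template, identifier))
    if len(matches) != 1:                         # not found, or ambiguous
        return None
    return matches[0] if bind(matches[0], password) else None


if __name__ == "__main__":
    for ident, pw in (("alice", "alice-pw"), ("O'Neil (Contractor)", "oneil-pw"), ("*", "alice-pw")):
        print(repr(ident), "->", build_filter(FILTER_TEMPLATE, ident), "=>",
              slow_bind(fake_search, fake_bind, BASE_DN, SERVICE_DN, "admin-pw",
                        FILTER_TEMPLATE, ident, pw))
```

Two points carry over to a real deployment: the first-phase bind fails as a whole when the <UserDN> password is wrong, which is what an empty or mis-pasted <Password> node looks like in the logs, and a search that returns more than one entry must be treated as a failed authentication rather than resolved by taking the first result.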

Using the Encrypt Password Tool (EncryptPassword.exe)

Use the Encrypt Password Tool only when LDAP Authentication is configured for slow bind authentication. The tool generates an encrypted password from a plaintext password. The encrypted password must be placed inside the <Password> XML node of the configuration file. The tool must be run from the computer where the SafeNet Authentication Manager Server is installed.

By default, the Encrypt Password Tool (EncryptPassword.exe) is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Authentication

Configuration Example - Slow Bind Authentication

In this scenario, we assume a company works with an LDAP directory that is currently not supported by SafeNet Authentication Manager.

To export users to a database supported by SAM:

1. Export the users from the LDAP directory into a Microsoft SQL Server database, which is supported by SafeNet Authentication Manager.
After this process there are two installed databases:

Microsoft SQL Server containing only users
LDAP directory containing both users and passwords

2. Install SAM 8.0 Server or later.

3. Select SQL Server from the list of user databases.


4. Select the LDAPAuthentication.dll in the authentication window.

5. Complete the installation.

Configuring LDAPAuthentication.dll.config

Configure LDAPAuthentication.dll.config before running any SAM management application.

To configure LDAPAuthentication.dll:

1. Open the LDAPAuthentication.dll.config file, located in the SAM installation folder.

2. Create a configuration, as in the following example of a slow bind configuration:

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>10.0.0.99:389</Server>
      <BaseDN>dc=organization,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=organizationalPerson))</FilterTemplate>
      <UserDN>cn=Administrator,dc=organization,dc=com</UserDN>
      <Password>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafmdDMgQAAAAIAAAAVABNAFMAAAADZgAAqAAAABAAAABAt5/hxHf7tgrMsMX+l+glAAAAAASAAACgAAAAEAAAAP1sMRXQv93pTj2fj82oTfcQAAAAq06pe9IwfKx4rSVIZiTbaxQAAACms9JMPxfv1/XNsngjP+PQsC/t1w==</Password>
    </Instance>
  </SlowBind>
</Configuration>

This configuration file assumes the following:

The LDAP directory is located at 10.0.0.99, port 389
The baseDN is dc=organization,dc=com


The user object in the LDAP directory has the organizationalPerson value in its objectClass attribute
The user object is uniquely identified by the cn attribute
The user that has read permissions in the LDAP directory is cn=Administrator,dc=organization,dc=com
The password of cn=Administrator,dc=organization,dc=com should be retrieved as follows:

Run EncryptPassword.exe
Enter the password in the Plaintext->Password textbox (for example, Pas$word)
Click Encrypt (you should see the encrypted password in the cipher textbox)
Click Copy in order to copy the encrypted password to the clipboard
Paste the encrypted password into the <Password> XML node

Running an LDAP Management Tool

Run any LDAP management tool in order to use the new configuration. Run iisreset before running the management tool.
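A checker for a hand-edited LDAPAuthentication.dll.config, added here as an example and not a SafeNet tool: it parses the file with the Python standard library and reports the mistakes the steps above make easy, namely a missing or duplicated default instance, an instance without a required node, a <FilterTemplate> without the {0} placeholder, an unescaped '&' (which makes the file unparseable), a malformed port in <Server>, and an empty <Password>. The embedded sample is the guide's example with the encrypted password replaced by a labelled placeholder; run validate_config on the real file before iisreset.

```python
"""Checker for a hand-edited LDAPAuthentication.dll.config.

Added example, not a SafeNet tool. Uses only xml.etree from the standard
library; the node names and allowed TMSUserIdentifier values are those the
guide documents.
"""
import xml.etree.ElementTree as ET

REQUIRED_CHILDREN = ("TMSUserIdentifier", "Server", "BaseDN",
                     "FilterTemplate", "UserDN", "Password")
VALID_IDENTIFIERS = {"AccountName", "LogonName", "Email", "EmployeeNumber", "Name"}

# Constructed sample: the guide's example with the encrypted password replaced
# by a placeholder (the real value is the output of EncryptPassword.exe).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>10.0.0.99:389</Server>
      <BaseDN>dc=organization,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=organizationalPerson))</FilterTemplate>
      <UserDN>cn=Administrator,dc=organization,dc=com</UserDN>
      <Password>PLACEHOLDER-ENCRYPTED-PASSWORD</Password>
    </Instance>
  </SlowBind>
</Configuration>
"""


def validate_config(xml_text: str) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return ["not well-formed XML (%s); note that '&' inside FilterTemplate "
                "must be written as &amp;" % exc]
    problems = []
    if root.tag != "Configuration":
        problems.append("root element must be <Configuration>, found <%s>" % root.tag)
    auth = (root.findtext("AuthenticationType") or "").strip()
    if auth == "FastBind":
        return problems                      # fast bind needs no further settings
    if auth != "SlowBind":
        problems.append("AuthenticationType must be FastBind or SlowBind, found %r" % auth)
        return problems
    instances = root.findall("SlowBind/Instance")
    if not instances:
        problems.append("SlowBind requires at least one <Instance>")
        return problems
    defaults = [i for i in instances if (i.get("default") or "").lower() == "true"]
    if len(defaults) != 1:
        problems.append('exactly one <Instance default="true"> is required, found %d'
                        % len(defaults))
    for idx, inst in enumerate(instances, 1):
        label = inst.get("name") or ("default" if inst in defaults else "#%d" % idx)
        if inst not in defaults and not inst.get("name"):
            problems.append("instance %s: a non-default instance needs a name attribute" % label)
        for child in REQUIRED_CHILDREN:
            if inst.find(child) is None:
                problems.append("instance %s: missing <%s>" % (label, child))
        ident = (inst.findtext("TMSUserIdentifier") or "").strip()
        if ident and ident not in VALID_IDENTIFIERS:
            problems.append("instance %s: TMSUserIdentifier %r is not one of %s"
                            % (label, ident, sorted(VALID_IDENTIFIERS)))
        server = (inst.findtext("Server") or "").strip()
        host, _, port = server.rpartition(":")
        if not server:
            problems.append("instance %s: <Server> is empty" % label)
        elif host and not (port.isdigit() and 0 < int(port) < 65536):
            problems.append("instance %s: <Server> port %r is not valid" % (label, port))
        if "{0}" not in (inst.findtext("FilterTemplate") or ""):
            problems.append("instance %s: <FilterTemplate> has no {0} placeholder" % label)
        if not (inst.findtext("Password") or "").strip():
            problems.append("instance %s: <Password> is empty; paste the "
                            "EncryptPassword.exe output" % label)
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for problem in validate_config(text) or ["OK"]:
        print(problem)
```

The checker deliberately treats a second default instance, or a named instance without a name, as errors rather than warnings: with several user stores the instance name is the only thing that routes a request to the right directory, and a silent fallback to the default instance would authenticate users against a directory that was never meant for them.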


Chapter 4

Installation and Configuration Checklist

This section provides a checklist of the main tasks required to install, configure, and deploy SafeNet Authentication Manager.

In this chapter:

Step 1: Perform Pre-Installation Tasks
Step 2: Install SafeNet Authentication Manager
Step 3: Configure SafeNet Authentication Manager


Step 1: Perform Pre-Installation Tasks

Perform the following tasks before installing SafeNet Authentication Manager.

1. Check system requirements. Install any prerequisite applications. (See Chapter 2: System Requirements, on page 9.)

2. Deploy the user store. (See Chapter 3: User Store Deployment, on page 19.)
Note: If you are using a Standalone user store, this is not required. See Configuring for Standalone User Store on page 94.

Step 2: Install SafeNet Authentication Manager

Perform the following tasks to install SafeNet Authentication Manager.

SafeNet Authentication Client Configuration

Perform the following tasks to install SafeNet Authentication Manager in a SafeNet Authentication Client configuration.

1. Install SafeNet Authentication Client. (See SafeNet Authentication Client Administrator's Guide.)

2. Install the SafeNet Authentication Manager server component. (See Installing the SafeNet Authentication Manager Server on page 52.)

3. Configure the SafeNet Authentication Manager Server and the required connectors. (See Chapter 7: Basic Configuration, on page 85.)

4. Install the SafeNet Authentication Manager Management Tools component. (See Installing the SAM Management Tools on page 57.)

5. Install the SafeNet Authentication Manager Client component. (See Installing SAM Client Using the Installation Wizard on page 60.)

OTP Configuration

Perform the following tasks to install SafeNet Authentication Manager in an OTP configuration.

1. Install the SafeNet Authentication Manager server component (selecting the OTP installation option). (See Installing the SafeNet Authentication Manager Server on page 52.)

2. Configure the SafeNet Authentication Manager Server. (See Chapter 7: Basic Configuration, on page 85.)

3. Install and configure the required OTP plug-ins. (See the eToken OTP Authentication Administrator's Guide.)

4. Configure the RADIUS server. (See Configuring SAM IAS Plug-In on page 345.)

5. Install the SafeNet Authentication Manager Management Tools component. (See Installing the SAM Management Tools on page 57.)


Step 3: Configure SafeNet Authentication Manager

After the SafeNet Authentication Manager server is installed, it must be configured.

1. Run the SafeNet Authentication Manager Configuration Settings Wizard to set the basic configuration. (See Chapter 7: Basic Configuration, on page 85.)

2. Use the SafeNet Authentication Manager Configuration Manager to configure the following (not necessarily in this order):
Connectors
Roles and Tasks
Backend Services
License
Web Services
Display
Failover
Schema
Service account
Server Synchronization
HSM support
(See Chapter 10: SAM Configuration Manager, on page 179.)

3. Use the GPO Editor to propagate the SafeNet Authentication Manager Server name. (See Propagating the SAM Server Name on page 66.)

4. Use the TPO Editor to configure the following settings:
General
Connectors
Enrollment
Certificate Recovery
Workflow
Audit
SAM Backend Service
SAM Desktop Agent
MobilePASS
Badging
(See Chapter 9: Token Policy Object Settings, on page 145.)


Chapter 5

Installation

This chapter describes the installation of SafeNet Authentication Manager.

Note: See Upgrade and Migration on page 73 if SafeNet Authentication Manager or TMS is already installed on the computer.

If a message to restart your computer is displayed, either before or after the installation of SafeNet Authentication Manager, you must restart your computer.

In this chapter:

Installation Components
Installation Steps in an AD Environment
Installing the SafeNet Authentication Manager Server
Installing the SAM Management Tools
Installing SAM Client Using the Installation Wizard
Installing SAM Client Using the Command Line
Un-installation
Propagating the SAM Server Name
Duplicating a SAM Server


Installation Components

SAM Server
File: SAMServer-x32-8.0.msi or SAMServer-x64-8.0.msi
Description: Install SafeNet Authentication Manager on the required server. This must be a member server running IIS on which the SafeNet Authentication Manager web application will be installed. One or more such servers may be installed in the organization.
Note: We recommend running a dedicated SafeNet Authentication Manager (IIS) server.

SAM Management Tools
File: SAMManagement-x32-8.0.msi or SAMManagement-x64-8.0.msi
Description: Install on every workstation from where the administrator will access the TPO editor.

SAM Client
File: SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi
Description: Install on every workstation where the Self Service Center or Management Center are to be used, or on any client where the SafeNet Desktop Agent is to be used.

SAM Schema Modification Scripts
File: SAMSchema-x32-8.0.msi
Description: If the user installing the SafeNet Authentication Manager Server does not have the permissions required for modifying the AD schema, the schema modification scripts must be installed before SafeNet Authentication Manager is configured. The scripts implement changes to the Active Directory (AD) schema required by SafeNet Authentication Manager.

SAM Portals
File: SAMPORTALS-x32-8.0.msi or SAMPORTALS-x64-8.0.msi
Description: The SAM Portals installation files are supplied separately.


Note: We recommend configuring SafeNet Authentication Manager websites using SSL. See Microsoft documentation for creating an SSL-protected virtual directory in IIS.

Silently Installed Components

ASP.NET AJAX is installed together with SafeNet Authentication Manager. ASP.NET AJAX is a set of technologies that adds AJAX (Asynchronous JavaScript And XML) support to ASP.NET. AJAX is a group of interrelated web development techniques used for creating interactive web applications or rich internet applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing webpage.

ADAM is installed when a Standalone user store (an integrated configuration store and user store) is installed, or when an external user store, such as Microsoft SQL Server, OpenLDAP or Novell eDirectory, is used.


Installation Steps in an AD Environment

SafeNet Authentication Manager can be installed in a single or multi domain environment.

Installing in a Single Domain Environment

To install in a single domain environment:

1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)

2. Install the SafeNet Authentication Manager server on a member server in your domain. (See Installing the SafeNet Authentication Manager Server on page 52.)

3. Configure the SafeNet Authentication Manager Server. (See Basic Configuration on page 85.)

4. Install Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)

5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)


Installing in a Multi Domain Environment

To install in a multi domain environment:

1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the SafeNet Authentication Manager installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)

2. Install the SafeNet Authentication Manager server on one member server in one of your domains. (See Installing the SafeNet Authentication Manager Server on page 52.)

3. Configure SafeNet Authentication Manager for every domain in the forest where you want SAM to be used.

4. Install SAM Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)

5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

Installing SAM in a Multi Forest Environment

To install SAM in a multi forest environment:

1. Install the SafeNet Authentication Manager server on one member server in one of your domains in one of the forests. (See Installing the SafeNet Authentication Manager Server on page 52.)

2. Configure SafeNet Authentication Manager (using Remote AD) for every domain in every forest where you want SafeNet Authentication Manager to be used (except the domain where the SafeNet Authentication Manager server is installed).

3. Install SafeNet Authentication Manager Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)


4. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

Installing and Running Schema Modification Scripts

Active Directory (AD) must be modified before it can be used as the SafeNet Authentication Manager Configuration Store. If the user who installs SafeNet Authentication Manager has AD schema modification permissions, then AD is modified automatically during SafeNet Authentication Manager configuration. If the user who installs SafeNet Authentication Manager does not have these permissions, the Schema Modification Scripts must be installed and run prior to setting the configuration.

Tip: Install the schema modification scripts only if the user installing SafeNet Authentication Manager does not have permissions to modify the AD schema.

The scripts are installed using the SafeNet Authentication Manager ‐ Schema Modification Scripts Installation Wizard.


Installing the Schema Modification Scripts

Install the SafeNet Authentication Manager Schema Modification Scripts in the root domain before SafeNet Authentication Manager is configured.

To install the Schema Modification Scripts:

1. Run SAMSchema-x32-8.0.msi.
The Welcome to the SafeNet Authentication Manager - Schema Modification Scripts Installation Wizard opens.

2. Click Next.

The License Agreement window opens.

3. Accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.

4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.


This folder will be used as the installation library for all future SafeNet authentication application installations.

Note: The default folder is:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin (32-bit)
C:\Program Files\SafeNet\Authentication\SAM\x64\Bin (64-bit)

5. Click Next.
The SafeNet Authentication Manager Schema Modification Scripts installation begins. When the installation process is complete, the SafeNet Authentication Manager - Schema Modification Scripts has been successfully installed window opens.

6. Click Finish to exit the installation wizard.
The installation process creates the VB script file:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin\schemaInstall.vbs


Running the Schema Modification Scripts

Following the installation of the schema modification script, the script must be run.

Note: To run the schema modification script, the permissions must allow changes to be made to the schema.

To run the schema modification script:

Run the following command:

Cscript.exe schemaInstall.vbs [domain name] /AD

For example:

Cscript.exe schemaInstall.vbs production.com /AD

Installing the SafeNet Authentication Manager Server

The SafeNet Authentication Manager server must be installed before the other components.

Note: SafeNet Authentication Client should be installed on the computer where the SafeNet Authentication Manager server is installed. This is not required if SafeNet Authentication Manager is used only for OTP authentication. See SAM Management Tools System Requirements on page 13.

The SafeNet Authentication Manager ‐ Server Installation Wizard and SafeNet Authentication Manager ‐ Configuration Settings Wizard enable you to install SafeNet Authentication Manager Server and create a basic configuration. When the SafeNet Authentication Manager ‐ Server Installation Wizard completes the installation process, it launches the SafeNet Authentication Manager ‐ Configuration Settings Wizard. 


To install and configure the SafeNet Authentication Manager Server:

1. Double-click SAMServer-x32-8.0.msi (32-bit) or SAMServer-x64-8.0.msi (64-bit).
The SafeNet Authentication Manager Server Installation Wizard opens.

2. Click Next.
The License Agreement window opens.

3. Select I accept the license agreement and click Next.


The Destination Folder window opens, displaying the default installation folder.

4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.

5. Click Next.The installation process starts.


On completion of the installation process, the successfully installed window opens.

6. Click Finish.

Note: If you ran the installation from the command line, the SafeNet Authentication Manager - Configuration Settings Wizard does not open automatically.

The SafeNet Authentication Manager ‐ Configuration Settings Wizard window opens. 


The SAM Configuration Settings Wizard enables you to set up a basic configuration that can be fine‐tuned later using the SafeNet Authentication Manager Configuration Manager.

Tip: We recommend completing the SafeNet Authentication Manager configuration at this time so that you can start working with the application. However, the configuration can be performed later using the SafeNet Authentication Manager Configuration Manager.

7. To continue with the SafeNet Authentication Manager ‐ Configuration Settings Wizard, click Next, or to exit, click Cancel. For a description of the SafeNet Authentication Manager ‐ Configuration Settings Wizard, see the following:

Configuring for Active Directory on page 86
Configuring for Standalone User Store on page 94
Configuring for OpenLDAP, Novell eDirectory or Remote AD on page 102
Configuring for MS SQL Server on page 115


Installing the SAM Management Tools

Install the SAM Management Tools on every workstation where the administrator will need to use the TPO Editor.

To install SAM Management Tools:

1. Double-click SAMManagement-x32-8.0.msi (32-bit) or SAMManagement-x64-8.0.msi (64-bit).
The SAM Management Tools Installation Wizard opens.

2. Click Next.


The License Agreement window opens.

3. Select I accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.

4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.

5. Click Next.


The installation process starts.

On completion of the installation process, the successfully installed window opens.

6. Click Finish.
SAM Management Tools has been installed.

The SAM Management Tools must be connected to the SAM server. See Propagating the SAM Server Name on page 66.


Installing SAM Client Using the Installation Wizard

Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SAM.

Note: SafeNet Authentication Manager Server 8.0 supports TMS Client 2.0 and later. However, when the SafeNet Authentication Manager server is updated, we recommend updating SafeNet Authentication Manager Client to the same version to avoid compatibility issues.

To install SafeNet Authentication Manager Client:

1. Double-click SAMClient-x32-8.0.msi (32-bit) or SAMClient-x64-8.0.msi (64-bit).
The SafeNet Authentication Manager Client Installation Wizard opens.

2. Click Next.


The License Agreement window opens.

3. Select I accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.

4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.

5. Click Next.


The Select Installation Type window opens.

6. Select one of the following installation types:
Typical - Includes the SAM Desktop Agent
Complete - Includes the SAM Desktop Agent and the legacy TMS Desktop Agent

Note: The legacy TMS Desktop Agent is required for installations where previous TMS Client installations are still supported.

7. Click Next.
The installation proceeds.


On completion of the installation process, the successfully installed window opens.

8. Click Finish.
SafeNet Authentication Manager Client has been installed.

Installing SAM Client Using the Command Line

To install, remove or repair SafeNet Authentication Manager Client using the command line, copy the msi file (SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi) to any location on the client computer and use the standard Windows Installer msiexec syntax, as in the following example:

msiexec /i C:\SAMClient-x32-8.0.msi /qn

where:

SAMClient-x32-8.0.msi is the 32-bit SafeNet Authentication Manager Client installation file. For 64-bit, use SAMClient-x64-8.0.msi.

Parameters:

/i = install
/x = remove
/f = repair
/qn = displays no user interface ("silent")
/qb = displays a basic user interface (progress bar)

Un-installation

Perform the following steps to delete SafeNet Authentication Manager from Active Directory and from the server computer.

WARNING! If you want to keep using the SafeNet Authentication Manager Configuration Store, for example, after upgrading or replacing the SafeNet Authentication Manager server, you must back up your SafeNet Authentication Manager Settings file before uninstalling.

Removing SAM Server from the Computer

To remove the SafeNet Authentication Manager server from the computer:

1. Uninstall SafeNet Authentication Manager using the Windows Add/Remove Programs feature.

2. If the SafeNet Authentication Manager Authorization Management store was in the format of an XML file, delete the roles.xml file.

Note: The actual file name is based on the domain name.

3. Delete the SAM folder from the SafeNet Authentication Manager installation folder. For example: C:\Program Files\SafeNet\Authentication\ 

4. In the registry, browse to HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAM and delete the SAM key.
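Steps 2 to 4 above are file and registry removals that are easy to script once step 1 (the Add/Remove Programs uninstall) has been completed. The following PowerShell script is an added example, not part of the SafeNet guide. It first confirms that the product is no longer listed as installed, then removes the role store file, the SAM folder and the SAM registry key, and it supports -WhatIf so the removals can be previewed. Assumptions: the installation folder is the guide's example path, the XML role store lives in the SAM folder (the guide gives only the file name pattern, which depends on the domain name), and the Add/Remove Programs entry begins with "SafeNet Authentication Manager". Back up the Settings file, as the warning above requires, before running it.

```powershell
# Added example (not from the SafeNet guide): post-uninstall cleanup of a
# SAM Server, following steps 2-4 of the procedure above.
# Run from an elevated PowerShell session; use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Installation folder from the guide's example path (assumed default).
    [string]$InstallRoot = 'C:\Program Files\SafeNet\Authentication',
    # XML role store. Location is an assumption; the real file name is
    # derived from the domain name, so pass the actual path when known.
    [string]$RolesFile = "$InstallRoot\SAM\roles.xml",
    # Registry key named in step 4 of the guide.
    [string]$RegKey = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAM'
)

function Test-SamUninstalled {
    # Step 1 (Add/Remove Programs) must already be done. Check both the
    # native and the WOW6432Node Uninstall views for a matching entry.
    # The DisplayName prefix is an assumption about how the product is listed.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SafeNet Authentication Manager*' }
    return -not $found
}

if (-not (Test-SamUninstalled)) {
    throw 'SafeNet Authentication Manager is still installed; complete step 1 first.'
}

# Step 2: remove the XML role store (only present if AzMan used an XML file).
if (Test-Path $RolesFile) {
    if ($PSCmdlet.ShouldProcess($RolesFile, 'Remove role store file')) {
        Remove-Item -Path $RolesFile -Force
    }
} else {
    Write-Output "No XML role store at $RolesFile (AzMan store may be in AD)."
}

# Step 3: remove the SAM folder under the installation folder.
$samFolder = Join-Path $InstallRoot 'SAM'
if (Test-Path $samFolder) {
    if ($PSCmdlet.ShouldProcess($samFolder, 'Remove folder')) {
        Remove-Item -Path $samFolder -Recurse -Force
    }
}

# Step 4: delete the SAM registry key and everything beneath it.
if (Test-Path $RegKey) {
    if ($PSCmdlet.ShouldProcess($RegKey, 'Remove registry key')) {
        Remove-Item -Path $RegKey -Recurse -Force
    }
}
```

Run `.\Remove-SamServerResidue.ps1 -WhatIf` first to see exactly which paths would be deleted; the guard at the top refuses to touch anything while the product still appears in the installed-programs list, so the script cannot be run out of order against a live server.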


Removing SAM from the Domain

1. Open Active Directory Users & Computers, and select View>Advanced Features.

2. Expand the domain, and delete the SAM_DB container. The SafeNet Authentication Manager database is deleted.

3. Delete SAM. The SAM Authorization Management store is deleted (if the SAM Authorization Management store was located in AD).

4. Delete the following two files:

schema.demo.xml
domain.xml

The files are located in: C:\Documents and Settings\All Users\Application Data\SafeNet\Authentication

5. In a multi-domain environment, perform step 2, step 3, and step 4 for each domain that is managed by SafeNet Authentication Manager.

Note: Schema changes are one-way and cannot be deleted. This is determined by the AD architecture.
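The domain-side removal in steps 2 to 4 can also be done with the ActiveDirectory PowerShell module, which is useful in the multi-domain case of step 5. The following script is an added example, not part of the SafeNet guide. Rather than assuming a distinguished name, it searches one level below the domain root for objects named SAM_DB and SAM, shows what it found, and removes them recursively only when confirmed; it then deletes the two local XML files from the folder named above. Assumptions: RSAT's ActiveDirectory module is available, the account has rights to delete the containers, and the SAM_DB and SAM objects sit directly under the domain root as the procedure implies.

```powershell
# Added example (not from the SafeNet guide): remove the SAM objects from a
# domain (steps 2-3) and the local XML files (step 4). Supports -WhatIf.
# Run once per domain managed by SAM (step 5) by passing -Domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    # Folder named in step 4 of the guide for schema.demo.xml and domain.xml.
    [string]$DataDir = 'C:\Documents and Settings\All Users\Application Data\SafeNet\Authentication'
)
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName

function Get-SamDomainObject {
    param([string]$Name)
    # Search directly beneath the domain root by name instead of guessing
    # whether the object is a CN= container or an OU (assumption: the
    # objects live one level below the domain root, as the GUI steps imply).
    Get-ADObject -Server $Domain -SearchBase $domainDn -SearchScope OneLevel `
        -Filter "Name -eq '$Name'"
}

# Step 2 removes the SAM database container; step 3 the AzMan store in AD.
foreach ($name in @('SAM_DB', 'SAM')) {
    $obj = Get-SamDomainObject -Name $name
    if (-not $obj) {
        Write-Output "No object named '$name' under $domainDn; skipping."
        continue
    }
    Write-Output "Found $($obj.ObjectClass): $($obj.DistinguishedName)"
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove-ADObject -Recursive')) {
        # -Recursive is required because the container holds child objects.
        Remove-ADObject -Server $Domain -Identity $obj.DistinguishedName `
            -Recursive -Confirm:$false
    }
}

# Step 4: delete the two local files.
foreach ($file in @('schema.demo.xml', 'domain.xml')) {
    $path = Join-Path $DataDir $file
    if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Remove file')) {
        Remove-Item -Path $path -Force
    }
}
```

Preview with `.\Remove-SamFromDomain.ps1 -Domain corp.example.com -WhatIf` before running it for real. The schema extensions themselves are not touched, consistent with the note above: AD schema changes are one-way, and nothing in this script attempts to reverse them.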


Propagating the SAM Server Name

The SafeNet Authentication Manager Server name should be known to all domain users. This can be done using the Administrative Templates (ADM) file, which allows the registry keys of the entire domain to be managed through Group Policy. SafeNet Authentication Manager provides the ADM file to propagate the SAM Server name to all the domain users.

To propagate the SafeNet Authentication Manager Server name:

1. In the Windows Control Panel select Administrative Tools>Active Directory Users and Computers. The Active Directory Users and Computers window opens.

2. In the navigation pane, right-click the domain and select Properties from the drop-down menu. The Properties window opens.

3. Select the Group Policy tab.

4. Click Edit. The GPO Editor opens.


5. Right-click Administrative Templates in the navigation pane and click Add/Remove Templates... The Add/Remove Templates window opens.

6. Click Add and navigate to the folder in which the SafeNet Authentication Manager (adm) files are stored. For example: C:\Program Files\SafeNet\Authentication\SAM\x32\Adm\SAM.adm.

7. Click Open. You are returned to the Add/Remove Templates window.

8. Click Close. The SafeNet Authentication Manager Settings folder appears in the Administrative Templates folder.


9. In the GPO Editor, select Computer Configuration>Administrative Templates>Token Management System Settings. The Token Management System Settings window opens.

The right pane of the SAM Settings window displays all the server settings.

10. To change a setting, right-click the setting icon, select Properties, and make the required changes as follows:

Default SAM server - The URL of the default server in the organization. The URL uses the following syntax: http://computername where computername is the computer where IIS and SAM Server are located.
TPO server - The URL of the server running the TPO editor web service. Use this setting only if it differs from the default SAM server.
Desktop Agent server - The URL of the server running the SAM Desktop Agent web service. Use this setting only if it differs from the default SAM server.
HelpDesk server - The URL of the server running the SAM Management Center. Use this setting only if it differs from the default SAM server.
Proxy server - The address/port of the proxy server in the format proxy:port. If port is omitted, the default port (80) is used. If empty, no proxy is used and all other proxy parameters are ignored. If set to <CURRENT_USER>, the settings are taken from Internet Explorer.
Proxy user - Proxy username, if required.
Proxy Password - Proxy password, if required.

Note: The settings are updated during the next group policy update. To run a group policy update immediately, run the following command:

gpupdate /force

Duplicating a SAM Server

To duplicate a SafeNet Authentication Manager Server:

1. Install a new SafeNet Authentication Manager Server.

2. Export the SafeNet Authentication Manager Settings File from the original SafeNet Authentication Manager Server to the duplicate SAM Server.

Notes:

The SAM Service Account must have the same password on all computers.
We recommend restarting IIS to ensure that un-required cached data is removed.
After completing the configuration, it might be necessary to wait a short time before logging on to the SAM Management Center or SAM Policy Management.

Licensing a Duplicate Server

The original SafeNet Authentication Manager Server functions as the licensing server. Each additional server uses the same licensing pool. See Licensing on page 293.


Chapter 6

Upgrade and Migration

WARNING! We strongly recommend that you perform a backup of all SAM data before upgrading to SafeNet Authentication Manager 8.0.

In this section:

Upgrading to SAM 8.0 Server
Upgrading to SAM 8.0 Client
Upgrading to SAM 8.0 Management Tools
Migrating from TMS 2.0 in an OpenLDAP Environment
Migrating from TMS 2.0 with a Shadow Domain
Migrating from SafeWord to SafeNet Authentication Manager 8.0


Upgrading to SAM 8.0 Server

SafeNet Authentication Manager 8.0 supports upgrade from TMS 2.0 SP4 Server. SafeNet Authentication Manager 8.0 Server must be installed on a different computer from the TMS version being upgraded, or alternatively, the previous version must be uninstalled (TMS data is not removed when TMS 2.0 is uninstalled). After SafeNet Authentication Manager 8.0 Server is installed, run the configuration wizard and connect to the existing TMS User Store and Configuration Store.

WARNING! We strongly recommend that you perform a backup of all TMS data before upgrading to SafeNet Authentication Manager 8.0.

We strongly recommend installing SafeNet Authentication Manager 8.0 on a different computer to the existing installation of TMS.

To upgrade from TMS to SafeNet Authentication Manager 8.0:

1. Do one of the following:

If the roles are stored in an XML file, copy the XML file to a shared folder on the network or copy it to the computer where SafeNet Authentication Manager 8.0 is to be installed.
If ADAM is used as the configuration store, replicate it on the new SafeNet Authentication Manager 8.0 Server computer.

2. Install SafeNet Authentication Manager 8.0 on a different computer to the existing installation of TMS 2.0.

3. Configure SafeNet Authentication Manager 8.0 to connect it to the same configuration and user stores used by TMS 2.0.

Note: When running the SAM Configuration Settings Wizard for the first time after installing SafeNet Authentication Manager 8.0, you will be prompted to import the TMS Settings File if it is not present on the SafeNet Authentication Manager 8.0 computer. See Importing the SAM Settings File on page 183.


4. To obtain all required SafeNet Authentication Manager 8.0 features, re‐configure SafeNet Authentication Manager 8.0 as required, and if relevant, re‐configure the OTP plug‐ins. (See eToken OTP Authentication Administrator’s Guide.)

Note: You may need to upgrade your SafeNet Authentication Manager license to support all features in SafeNet Authentication Manager 8.0. To ensure that your license is valid, see Viewing Licenses on page 295. To add a license, see Applying a License on page 296.

Upgrading to SAM 8.0 Client

To upgrade TMS Client 2.0 or 5.0 to SAM 8.0 Client:

Install SafeNet Authentication Manager 8.0 Client on the client computer. See Installing SAM Client Using the Installation Wizard on page 60 or Installing SAM Client Using the Command Line on page 63. TMS Client version 2.0 or 5.0 is upgraded automatically.

Upgrading to SAM 8.0 Management Tools

To upgrade TMS Management Tools version 2.0 or 5.0 to SAM 8.0 Management Tools:

Install SAM 8.0 Management Tools. See Installing the SAM Management Tools on page 57. TMS Management Tools version 2.0 or 5.0 is upgraded automatically.


Migrating from TMS 2.0 in an OpenLDAP Environment

When migrating from TMS 2.0 to SafeNet Authentication Manager 8.0 in an OpenLDAP environment, do not use the original instance name. The instance name must be taken from the SafeNet Authentication Manager database, for example dc_my-domain_dc_com.

Migrating from TMS 2.0 with a Shadow Domain

If your installation of TMS 2.0 uses a shadow domain, this must be migrated to AD or ADAM in SafeNet Authentication Manager 8.0.

Tip: We recommend contacting SafeNet Support before performing this procedure. For contact information, see Support on page iii.


Migrating from SafeWord to SafeNet Authentication Manager 8.0

Migration of data from SafeWord to SAM is performed in two stages:

1. Export a file of encrypted data from the SafeWord database.
2. Import the SafeWord data file into SAM.

Notes:

Before starting the migration process, ensure that the order for entering the OTP and the PIN is the same for both SAM and SafeWord. This setting is determined in SAM by configuring the following TPO: OTP and OTP PIN / Windows password order. (See TMS OTP Authentication Connector on page 286.)

During the migration from SafeWord, all lower-case letters in user passwords are converted to upper-case letters. Instruct your users to enter letters in their password in upper-case only.

Exporting Data from the SafeWord Database

When the SafeWord database is Active Directory, the exported data includes only token data. When the SafeWord database is not Active Directory (for example, MySQL), the exported data includes both user and token data.

Use the Export SafeWord Database Tool (ExportSafewordDatabase.exe) to export data from SafeWord. The tool is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

To run the Export SafeWord Database Tool, the following must be installed:

JRE 1.5 or later
MySQL


To export data from the SafeWord database:

1. Copy the ExportSafewordDatabase.exe file to SafeWord/JRE/BIN, and run the application. The Export SafeWord Database window opens.

2. Enter the fields as follows:

Server name - The name of the SafeWord server
Port number - The port number of the SafeWord server
User name - SafeWord Administrator username
User Password - SafeWord Administrator password
File encrypted password - Enter a password for the encrypted file
Confirm password - Confirm the password for the encrypted file

3. Click Export Database. The export process proceeds.


When the process is complete, the SafeWord database exported successfully window opens.

4. Click OK. The location of the exported file is displayed in the Export database status field.

5. Click Close to complete the process.


Importing SafeWord Data into SAM

The file containing data exported from SafeWord (ExportedEncDB.ldif) must now be imported into SAM using the SAM SafeWord Migration Tool (SAMSafewordMigrationWizard.exe). The tool is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

To import SafeWord data into SafeNet Authentication Manager:

Before you begin, place the exported SafeWord data file (ExportedEncDB.ldif) on the computer running the SAM Server.

1. Run SAMSafewordMigrationWizard.exe. The SAM SafeWord Migration Tool opens.

2. Click Next.


The Migration Sources window opens.

3. Select Full Migration and browse to the exported SafeWord database file (ExportedEncDB.ldif).

4. In the File encrypted password field, enter the password of the SafeWord database file.

Note: The partial migration option is used when some of the tokens did not export from SafeWord. In this case, a SafeWord-SAM Migration Report is created. To perform a partial migration, select Partial Migration and browse to the report file.

5. Click Next.


If the SafeWord data includes added attributes (relevant only in a non‐AD environment) the SafeWord Personalization Data window opens, displaying the added SafeWord attributes.

6. In the drop‐down box next to each SafeWord attribute, select the equivalent SAM attribute.

7. Click Next. The Override Flags window opens.

8. Determine the required override policy by selecting one of the following options:

Never override the existing object
Always override the existing object
Override the existing object with a newer one

9. Click Next.

The Report File window opens.

10. Browse to the appropriate location for saving the report file. The report file is used to store SafeWord data that is not successfully migrated. The report file can later be used to migrate data that was not migrated successfully, by selecting Partial Import in the Migration Sources window. See step 2 on page 80.

11. Click Next. The Begin Migration window opens.


12. Click Next. The migration proceeds. When the migration is complete, the Migration Completed window opens.

If the migration fails, an appropriate message is displayed in the Migration Completed window.

13. Click Finish to exit the migration wizard.


Chapter 7

Basic Configuration

The SafeNet Authentication Manager Configuration Settings Wizard enables you to create the basic SafeNet Authentication Manager configuration. The configuration steps vary according to the user store being used. After using the SafeNet Authentication Manager Configuration Settings Wizard to set up the basic configuration, you can make additional changes using the SAM Configuration Manager (page 179) and SAM Policy Management (page 121).

In this section:

Configuring for Active Directory
Configuring for Standalone User Store
Configuring for OpenLDAP, Novell eDirectory or Remote AD
Configuring for MS SQL Server


Configuring for Active Directory

To configure SafeNet Authentication Manager for AD:

1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:

a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager opens.

b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration...


The SafeNet Authentication Manager ‐ Configuration Settings Wizard window opens.

2. Click Next to start the configuration. The SAM User Store Configuration window opens.

3. Select External user store.


The User Store window opens.

4. Select Microsoft Active Directory. The user store is Microsoft Active Directory located in the production domain. The Microsoft Active Directory Domain window opens.

5. Enter the domain where the tokens will be managed, and click Next.


The Data Storage window opens.

6. Select one of the following as the SafeNet Authentication Manager Configuration Store, and click Next:

Microsoft Active Directory
ADAM

The Service Account window opens.


7. In the Username field, enter the Windows user account to be used for managing SAM operations.

Note: It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors. See User Permissions on page 309.

8. In the Password and Confirm Password fields, enter the password for the account, and click Next. The Configuration Store Security window opens.


The Configuration Type window opens.

9. Select one of the following:

Complete configuration - Select to continue with the basic setup.
Simplified OTP-only configuration - Select to create a typical configuration for managing OTP tokens only.

The Configuration Details window opens.

Simplified OTP-Only Installation

If you selected Simplified OTP-only configuration, SafeNet Authentication Manager is automatically configured with a typical OTP configuration providing a working SafeNet Authentication Manager OTP solution. The simplified OTP-only configuration is as follows:

Connectors - SAM OTP Authentication Connector is installed.
SAM Backend Service - Activated on this server, scheduled to operate every 24 hours.
Attendance reports - Not used (not relevant for OTP tokens).

In addition, the SAM default policy is set as follows:

Load OTP support (required for OTP) is selected in the token initialization settings.
The SAM OTP Authentication Connector is set by default to enable enrolment of OTP tokens without requiring changes in the TPO settings.


10. To confirm the configuration details, click Next. The installation proceeds.

11. When the installation has finished, click Next. The Configuration Completed window opens.


12. To configure additional SAM settings, open SAM Policy Management. See Token Policy Object Links on page 121.


Configuring for Standalone User Store

When configuring SafeNet Authentication Manager for an internal store, an ADAM directory is used for both the user store and configuration store. If ADAM is not installed on the computer, it is installed during the configuration process.

To configure SafeNet Authentication Manager for Standalone user store:

1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:

a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager opens.

b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration...


The SAM Configuration Settings Wizard window opens.

2. To start the configuration, click Next. The User Store Configuration window opens.

3. Select Standalone user store.


The Instance Type window opens.

4. Select one of the following:

Create a new database instance on this server
Create a replica of an existing database instance - Select when you are installing secondary SAM Servers. To use this option you must previously have created an XML file of import settings using the SAM Configuration Management Tool.

5. If you selected Create a new database instance on this server, go to step 7. If you selected Create a replica of an existing database instance, the Settings File window opens.


6. Click Browse to select the file containing the import settings (typically SAMSettingsExport.xml), enter the password in the File Password field and click Next. The Service Account window opens.


7. In the Username field, enter the Windows user account to be used for managing SafeNet Authentication Manager operations.

Note: It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors. See User Permissions on page 309.

8. In the Password and Confirm Password fields enter the password for the account and click Next.

Note: SafeNet Authentication Manager does not support a password length of zero, even if the computer's local policy is configured to accept a minimum password length of zero.

The Authorization Manager Account window opens.

9. In the Username field, enter a name for the user account.

10. In the Password and Confirm Password fields enter the password for the account and click Next. The Configuration Store Security window opens.


11. Do one of the following:

To store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Manager (HSM), select Generate and store security keys in the SafeNet HSM and click Next.
To store the SafeNet Authentication Manager security keys on the server, click Next without selecting Generate and store security keys in the SafeNet HSM.

The Configuration Type window opens.

12. Select one of the following and click Next:

Complete configuration - Select to continue with the basic setup of Connectors, Role Management and SAM Backend Service scheduling and Attendance Reports.
Simplified OTP-only configuration - Select to create a typical configuration for OTP.

The Configuration Details window opens.

13. To confirm the configuration details, click Next. The installation proceeds.

14. When the installation has finished, click Next. The Configuration Completed window opens.


Configuring for OpenLDAP, Novell eDirectory or Remote AD

To configure SafeNet Authentication Manager for OpenLDAP, Novell eDirectory or Remote AD:

1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:

a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager window opens.

b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration.


The SAM Configuration Settings Wizard window opens.

2. To start the configuration, click Next. The User Store Configuration window opens.

3. Select External user store and click Next.


The User Store window opens.

4. Select OpenLDAP Production Domain, Novell eDirectory or Microsoft Remote Active Directory Domain. The OpenLDAP Directory, Novell eDirectory or Microsoft Remote Active Directory window opens. (The windows are identical except for the title).

5. Click Browse next to the Select Directory field.The Select OpenLDAP, Novell eDirectory or Remote AD Server window opens. (The windows are identical except for the title.)


6. Enter the fields as follows:

Server - Enter the IP address of the directory server.
Port - Enter the directory server port. This is determined when the directory is configured.
Naming Context - Click Browse and select the required naming context.
Simple Binding, using an anonymous user - Select this option to connect to the directory server without a user and password. This is possible only if this option is enabled in the system.
Simple Binding, using the following user - Select this option to connect to the directory server using the User DN and Password. Enter the User DN and Password in the appropriate fields.
Use a secure connection - If OpenLDAP is configured to run in a secure mode, select this option to encrypt the data to be transferred.

7. Click OK. You are returned to the OpenLDAP Directory/Novell eDirectory/Microsoft Remote Active Directory window.
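The fields in this table (server, port, anonymous or user bind, secure connection) can be validated from the SAM Server before they are typed into the wizard. The following PowerShell function is an added example, not part of the SafeNet guide: it binds to the directory with the same choices the wizard offers, using the .NET System.DirectoryServices.Protocols classes, and returns the naming contexts advertised in the server's RootDSE, which are the values the Browse button next to Naming Context presents. It also warns when a user bind is attempted without the secure connection option, because a simple bind sends the password to the server unencrypted. Host names, the bind DN and the port numbers in the usage lines are constructed placeholders.

```powershell
# Added example (not from the SafeNet guide): test the directory connection
# parameters from the wizard's Select Directory Server dialog and list the
# naming contexts the server offers. Works in Windows PowerShell 5.1.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapConnection {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389,
        [string]$UserDn,                          # omit for anonymous simple binding
        [System.Security.SecureString]$Password,
        [switch]$UseSecureConnection              # the wizard's "Use a secure connection" (LDAPS)
    )

    if ($UserDn -and -not $UseSecureConnection) {
        # A simple bind transmits the password in clear text; make the
        # operator aware before this configuration is saved in the wizard.
        Write-Warning "Simple bind to ${Server}:${Port} without a secure connection sends the password unencrypted."
    }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSecureConnection
    $conn.Timeout = [TimeSpan]::FromSeconds(10)

    if ($UserDn) {
        # "Simple Binding, using the following user": bind with User DN and Password
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $credential = New-Object System.Net.NetworkCredential($UserDn, $Password)
        $conn.Bind($credential)
    } else {
        # "Simple Binding, using an anonymous user": bind without credentials
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.Bind()
    }

    # Read the RootDSE (empty base DN, base scope) to obtain namingContexts.
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', $scope, 'namingContexts')
    $response = $conn.SendRequest($request)

    $contexts = @()
    foreach ($entry in $response.Entries) {
        $contexts += $entry.Attributes['namingContexts'].GetValues([string])
    }
    $conn.Dispose()
    return $contexts
}

# Usage with placeholder values: anonymous bind on 389, then a user bind over LDAPS on 636.
Test-LdapConnection -Server 'ldap.example.com' -Port 389
$bindPassword = Read-Host -AsSecureString -Prompt 'Bind password'
Test-LdapConnection -Server 'ldap.example.com' -Port 636 `
    -UserDn 'cn=samreader,dc=example,dc=com' -Password $bindPassword -UseSecureConnection
```

A bind failure surfaces as an LdapException with the server's result code, which is more informative than the wizard's generic validation error. If the LDAPS call fails with a certificate error, the server's certificate is not trusted by the SAM Server's machine store; fix the trust rather than disabling the secure connection option, since the bind account's password would otherwise travel in the clear.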


8. In the Instance name field, enter an instance name and click Validate. Define an instance name that is unique for each SafeNet Authentication Manager configuration on the same SAM server. The connection to the OpenLDAP/eDirectory is validated.

9. You can change the schema configuration if the default attributes are not suitable for your requirements. To make changes to the default schema, click Edit Default Schema. The Edit User Repository Schema window opens.


WARNING! Changing the schema can cause SafeNet Authentication Manager to behave unpredictably. We recommend against changing the default schema configuration unless it is absolutely necessary.

10. Make the required changes to the schema and click Close.

11. Click Next.

The Authentication Plug‐In window opens.


Note: The Authentication plug-in file is required to enable the user to log on to the SAM Management Center, the SAM Self-Service Center and TPO. This is because Active Directory is not available to provide the mechanism for authenticating user name and password. See Preparing LDAP Authentication Dll on page 29.

12. Click Browse and navigate to the authentication dll file (LDAPAuthentication.dll) and click Open.

Notes:

Remote AD uses the same authentication dll as OpenLDAP.
The authentication dll file is typically located at: C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin.


You are returned to the Authentication Plug-In window.

13. Click Next. The ADAM Instance window opens.

14. To create a new ADAM instance, select SafeNet Authentication Manager creates a new ADAM instance on the local computer.

15. To use an existing ADAM instance, do the following:

Select SafeNet Authentication Manager uses an existing ADAM instance.
In the ADAM server field, enter the name of the server where ADAM is located.
In the ADAM service port number field, enter the ADAM port number.

16. Click Next. The SAM Services Account window opens.

17. In the Username field, enter the Windows user account to be used for managing SafeNet Authentication Manager operations.

Note: It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors.

18. In the Password and Confirm Password fields enter the password for the account and click Next. The Authorization Manager Account window opens.


19. In the Username field, enter a user who is authorized to manage SafeNet Authentication Manager and click Next.

If you click the Browse button for the Username field, the Select User or Group window opens.

a. Enter a user name in the Enter the object name to select field and click Check Names.

b. If more than one match is found for the entered name, a list of matching names is displayed.

c. Select the required name and click OK. The selected user is displayed in the Enter the object name to select field.

d. Click OK. The selected user is displayed in the Authorization Manager Account window, Username field.

e. Click Next.


The Configuration Store Security window opens.

20. Do one of the following:

To store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Manager (HSM), select Generate and store security keys in the SafeNet HSM and click Next.
To store the SafeNet Authentication Manager security keys on the server, click Next without selecting Generate and store security keys in the SafeNet HSM.

The Configuration Type window opens.


21. Select one of the following and click Next:

Complete configuration - Select to continue with the basic setup of Connectors, Role Management and SAM Backend Service scheduling and Attendance Reports.
Simplified OTP-only configuration - Select to create a typical configuration for OTP. See Simplified OTP-Only Installation on page 91.

22. Click Next. The Configuration Details window opens.

23. To confirm the configuration details, click Next. The installation proceeds.

24. When the installation has finished, click Next. The Configuration Completed window opens.


Configuring for MS SQL Server

To configure SafeNet Authentication Manager for MS SQL Server:

1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:

a. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Configuration Manager. The SafeNet Authentication Manager - Configuration Manager window opens.

b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General>New Configuration.


The SafeNet Authentication Manager ‐ Configuration Settings Wizard window opens.

2. To start the configuration, click Next. The User Store Configuration window opens.

3. Select External user store and click Next.


The Production Type window opens.

4. Select Microsoft SQL and click Next. The Microsoft SQL window opens. You can connect to the SQL Server by selecting the SQL Server name or, alternatively, you can connect through an ODBC connection.

Tip: For information about creating an ODBC connection, refer to Microsoft documentation.

5. To connect to the SQL Server, select SQL Server and click Browse. The SQL Server window opens.


6. In the Select server name field, select the required server from the list.

7. Select one of the following:

Use Windows Authentication
Use SQL Server Authentication (if selected, enter user name and password)

8. In the Select a database name field, select the required database from the list and click OK. You are returned to the Microsoft SQL window.

9. In the Microsoft SQL window click Validate. The system validates the connection and returns the instance name.

10. Click Next. The Authentication Plug-in window opens.

To connect through ODBC:

1. Select ODBC and click Browse. The Select ODBC Data Source window opens.

2. Select the required ODBC data source and click OK. You are returned to the Microsoft SQL window.


11. Click Browse, navigate to the authentication dll file (SQLAuthentication.dll), and click Open. The remaining steps are the same as described for the OpenLDAP configuration.

12. Continue from step 12 on page 108.


Chapter 8

Token Policy Object Links

TPO settings determine the SafeNet Authentication Manager behavior for users in specific organizational units.

In this section:

Accessing Token Policy Object Links
Creating a New TPO Link
Adding a TPO Link
Deleting a TPO Link
Specifying the Scope of a TPO Link
Importing and Exporting Token Policy Objects


Accessing Token Policy Object Links

Depending on the type of SafeNet Authentication Manager user store, the TPO settings are managed using the Active Directory Users and Computers administrative tool or through SAM Policy Management.

Accessing TPO Links in an AD Environment

If you are using Microsoft AD as your external user store, the SafeNet Authentication Manager policy settings are accessed using the Active Directory Users and Computers administrative tool.

Note: To access the TPO Editor, you must have the necessary permissions to the SafeNet Authentication Manager Authorization Management Store.

To access a TPO Link in an AD Environment:

1. Select Start>Programs>Administrative Tools>Active Directory Users and Computers. The Active Directory Users and Computers window opens.


2. In the navigation pane, right‐click the domain or organizational unit associated with the TPO, or to which you want to assign the TPO, and select Properties from the dropdown menu. The Properties window opens.

3. Select the Token Policy tab, and click Open.


The Current Token Policy Object Links window opens.

4. For available options:
See Creating a New TPO Link on page 130
See Adding a TPO Link on page 132
See Deleting a TPO Link on page 133
See Specifying the Scope of a TPO Link on page 133
See Using the Token Policy Object Editor to Edit TPOs on page 146


Accessing TPO Links in a Non-AD Environment

If you are using MS SQL Server, OpenLDAP, Novell eDirectory or Remote AD as your external user store, or are using a standalone user store, the SafeNet Authentication Manager policy settings are accessed using SafeNet Authentication Manager ‐ Policy Manager.

To open SafeNet Authentication Manager - Policy Manager in a non-AD environment:

1. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Policy Management. The SafeNet Authentication Manager ‐ Policy Manager window opens.

2. Right‐click the SAM Policy Manager node, and select Connect to Instance.

3. If prompted, enter the name of your SafeNet Authentication Manager Server, and click OK. The Policy Manager displays the domain and its organizational units (OU).

4. Right‐click the root or organizational unit associated with the TPO, or to which you want to assign the TPO, and select Properties from the dropdown menu. The Current Token Policy Object Links window opens.


5. For available options:
See Creating a New TPO Link on page 130
See Adding a TPO Link on page 132
See Deleting a TPO Link on page 133
See Specifying the Scope of a TPO Link on page 133
See Using the Token Policy Object Editor to Edit TPOs on page 146


Accessing TPO Links in a Standalone User Store Environment

If you are using a standalone user store, the SafeNet Authentication Manager policy settings are accessed using SafeNet Authentication Manager ‐ Policy Manager.

To open SAM Policy Management in a standalone user store environment:

1. Select Start>Programs>SafeNet>SafeNet Authentication Manager>Policy Management.

2. Select Action>Connect to instance. SafeNet Authentication Manager ‐ Policy Manager connects to the SafeNet Authentication Manager Server, and the Authentication window opens.

3. Enter the SafeNet Authentication Manager administrator username and password, and click OK.


The instance is displayed.

4. Right‐click the root or organizational unit associated with the TPO, or to which you want to assign the TPO.

5. Select Properties from the dropdown menu.


The Current Token Policy Object Links window opens.

6. For available options:
See Creating a New TPO Link on page 130
See Adding a TPO Link on page 132
See Deleting a TPO Link on page 133
See Specifying the Scope of a TPO Link on page 133
See Using the Token Policy Object Editor to Edit TPOs on page 146


Creating a New TPO Link

When you create a new TPO link, only its required policies are enabled. These are determined by the type of tokens that are available to the OU’s users.

To create a new TPO link:

1. In the Current Token Policy Object Links window, click New (see Accessing Token Policy Object Links on page 122). The Token Type Selection window opens.

2. Select the type of token to which the policy will be applied:
All Tokens: (Default) contains all policies
MobilePASS: contains policies relevant to MobilePASS only
SafeNet eToken Virtual Temp: contains policies relevant to SafeNet eToken Virtual Temp only
MobilePASS Messaging: contains policies relevant to MobilePASS Messaging only

Note: By default, the SafeNet Authentication Manager configuration creates a Default policy TPO, linked to the root, that is defined as All Tokens.


A new Token Policy Object link is added to the Token Policy Object Links.

3. Enter a name for the new TPO link, and click OK.

Note: The default name assigned to a new TPO link is determined by the token type to which it applies. We recommend changing the names of new TPO links to meaningful names.


Adding a TPO Link

You can add a link to an existing TPO.

To add a link to an existing TPO:

1. In the Current Token Policy Object Links window, click Add. The Add TPO Link window opens, displaying the TPOs found in the root or OU.

Note: All TPOs are displayed, regardless of whether they are already linked to a root or OU. You can link the same TPO to multiple roots or OUs.

2. Select the TPO to link to the current OU or root, and click OK.


Deleting a TPO Link

You can delete a link from the OU to an existing TPO, and you can also delete the TPO itself from the root or OU.

To delete a TPO link:

1. In the Current Token Policy Object Links window, select the policy to delete, and click Delete. The Delete window opens.

2. Select one of the following, and click OK.
Remove the link from the list: removes the link from the current OU. The TPO itself remains in the system and can be linked again (see Adding a TPO Link).
Remove the link from the list, and permanently delete the Token Policy Object: removes the link and deletes the TPO from the system.

Specifying the Scope of a TPO Link

The following describes the standard TPO behavior:
Each policy setting applies to all users of the root or OU linked to the TPO.
If a policy setting is not defined for a child OU, the rule defined for its parent container (OU or root) applies.

You can control the scope of the TPO rules by doing the following:
Set the TPO link No Override and Disabled options. See Setting No Override and Disabled Options on page 136.
Block policy inheritance. See Blocking Policy Inheritance on page 137.
Apply TPO links only to certain users and groups. See Applying TPO Links to Limited Users and Groups on page 138.

TPO Inheritance Behavior

You can define unique TPO settings for each container. Use the No Override setting to force policy inheritance. Use the Block policy inheritance setting to restrict policy inheritance. The following tables show which TPO setting applies to a child container (SAM default means the SafeNet Authentication Manager default for that policy).

Standard TPO scope

                              Setting defined in parent   Setting not defined in parent
Setting defined in child      Child setting               Child setting
Setting not defined in child  Parent setting              SAM default

Options > No Override in parent TPO

                              Setting defined in parent   Setting not defined in parent
Setting defined in child      Parent setting              Child setting
Setting not defined in child  Parent setting              SAM default

Block Policy Inheritance in child TPO

Note: Block Policy does not apply if No Override is set in the parent container.

                              Setting defined in parent   Setting not defined in parent
Setting defined in child      Child setting               Child setting
Setting not defined in child  SAM default                 SAM default

Options > Disabled in parent TPO

                              Setting defined in parent   Setting not defined in parent
Setting defined in child      Child setting               Child setting
Setting not defined in child  SAM default                 SAM default

Options > Disabled in child TPO

                              Setting defined in parent   Setting not defined in parent
Setting defined in child      Parent setting              SAM default
Setting not defined in child  Parent setting              SAM default


Setting No Override and Disabled Options

1. In the Current Token Policy Object Links window, select the appropriate policy, and click Options (see Accessing Token Policy Object Links on page 122). The policy’s Link Options window opens.

2. Select one of the following, and click OK.
No Override: prevents other Token Policy Objects from overriding policy set in this TPO. When this option is selected, child OUs of the current OU cannot override any TPO rules defined in this OU.

Note: The No Override setting has a higher priority than the Block Policy Inheritance setting. See Blocking Policy Inheritance on page 137.

Disabled: the TPO’s policy is not applied to this container. When this option is selected, the rules of the TPO link are not applied to the OU or root container. To reestablish the link, clear this checkbox.

Properties > Deny Group or User in child TPO (which setting applies to the child container for the denied user or group)

                              Setting defined in parent   Setting not defined in parent
Setting defined in child      Parent setting              SAM default
Setting not defined in child  Parent setting              SAM default


Blocking Policy Inheritance

Block policy inheritance is a setting defined by Microsoft for each Organizational Unit. The SafeNet Authentication Manager enrollment process supports this setting. Select this option to prevent users of the current OU from getting TPO definitions from any parent container.

Note: The No Override setting has a higher priority than the Block Policy Inheritance setting. See Setting No Override and Disabled Options on page 136.

To block policy inheritance:

1. In the Current Token Policy Object Links window, select the appropriate policy, and select Block policy inheritance (see Accessing Token Policy Object Links on page 122).

2. Click OK.


Applying TPO Links to Limited Users and Groups

Each TPO link has a security list that can be used to limit its application to specific users and groups. If the Apply to status of a user or group is set to Deny in the policy’s security list, the effect for that user or group is the same as disabling the TPO. Each new TPO link includes a default group, All users group, whose Apply to status is set to Allow.

To manage filters, do one of the following:
Add the users or groups to which the TPO should not be applied, and set their Apply to status to Deny.
Remove the group All users group, and add only the users or groups to which the TPO should be applied. Set their Apply to status to Allow.


To filter users and groups:

1. In the Current Token Policy Object Links window, select the appropriate policy, and click Properties (see Accessing Token Policy Object Links on page 122). The policy’s Properties window opens.

2. Select the Apply to tab.

3. In the User or Group box, select the appropriate user or group, and select one of the following:
Allow: apply the TPO settings
Deny: do not apply the TPO settings

4. To remove a user or group from the list, select the user or group, and click Remove.

5. To add a user or group to the list, click Add.


The User or Group window opens. Enter the user or group to be added to the filter list, and click OK. The Token Properties window displays the newly added user or group.

6. Select the new user or group, and select Allow or Deny, as required.

7. Click OK.
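The inheritance tables and the Apply to filtering above can be read as one resolution rule. The following Python model is an added example, not SafeNet code; the class, field and function names in it are this example's own assumptions. It walks the container chain from the root down to the user's OU and applies No Override, Block policy inheritance, Disabled and Deny in the order the tables describe, so the same function reproduces every row of the tables:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# SAM defaults quoted from the Password Quality policies in Chapter 9.
SAM_DEFAULTS: Dict[str, object] = {
    "Minimum password length": 4,
    "Maximum password usage period": 90,
    "Password history size": 15,
}

# The Allow entry that every new TPO link carries.
ALL_USERS = "All users group"


@dataclass
class TpoLink:
    """A TPO link as shown in the Current Token Policy Object Links window.
    Illustrative model: field names are this example's, not SAM identifiers."""
    name: str
    settings: Dict[str, object] = field(default_factory=dict)  # only defined policies
    no_override: bool = False   # Options > No Override
    disabled: bool = False      # Options > Disabled
    allow: Set[str] = field(default_factory=lambda: {ALL_USERS})  # Apply to = Allow
    deny: Set[str] = field(default_factory=set)                   # Apply to = Deny

    def applies_to(self, principals: Set[str]) -> bool:
        """Security filtering: a Deny entry matching the user or one of the
        user's groups behaves like Disabled, whatever the Allow entries say."""
        if self.deny & principals:
            return False
        return bool(self.allow & principals)


@dataclass
class Container:
    """A root or OU, optionally carrying a TPO link and Block policy inheritance."""
    name: str
    link: Optional[TpoLink] = None
    block_inheritance: bool = False


def effective_setting(policy: str, chain: List[Container], principals: Set[str],
                      defaults: Dict[str, object] = SAM_DEFAULTS) -> Tuple[object, str]:
    """Resolve one policy for a user whose container chain runs root -> leaf.

    Returns (value, origin): origin is the container whose TPO supplied the
    value, or "SAM default" when no applicable TPO defines the policy.
    """
    value, origin = defaults[policy], "SAM default"
    locked = False  # set once an ancestor with No Override has defined this policy
    for container in chain:
        # Block policy inheritance discards what was inherited so far, except
        # when a No Override parent has already locked the value (see the Note).
        if container.block_inheritance and not locked:
            value, origin = defaults[policy], "SAM default"
        link = container.link
        if link is None or link.disabled or not link.applies_to(principals):
            continue  # Disabled, or Deny for this user: as if the link were absent
        if locked or policy not in link.settings:
            continue  # nothing defined here, or the parent forbids overriding
        value, origin = link.settings[policy], container.name
        if link.no_override:
            locked = True
    return value, origin


if __name__ == "__main__":
    # Constructed sample: a root Default policy and an HR OU with its own TPO
    # that is denied to the Contractors group.
    root = Container("root", TpoLink("Default policy", {"Minimum password length": 8}))
    hr = Container("OU=HR", TpoLink("HR policy", {"Minimum password length": 12},
                                    deny={"Contractors"}))
    alice = {ALL_USERS, "alice"}
    bob = {ALL_USERS, "bob", "Contractors"}
    print(effective_setting("Minimum password length", [root, hr], alice))  # (12, 'OU=HR')
    print(effective_setting("Minimum password length", [root, hr], bob))    # (8, 'root')
```

The order of the checks is what makes the tables come out right: No Override on the parent is recorded before the child's Block policy inheritance is evaluated, which is why Block has no effect under a No Override parent, and a Deny match is tested before the link's settings are read, which is why Deny behaves exactly like Disabled for that user. Group membership is modelled as a set of names here; SAM evaluates it against the user store.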

Importing and Exporting Token Policy Objects

The Token Policy Object import and export feature enables you to duplicate the same settings in multiple installations of SafeNet Authentication Manager. You may also be asked to create an export file when receiving assistance from SafeNet Support.

Exporting Token Policy Objects

1. In the Current Token Policy Object Links window, select the appropriate policy, and click Export (see Accessing Token Policy Object Links on page 122). The Export Policy window opens.


2. Click Browse and navigate to the folder where you want the exported TPO to be saved.

3. Enter the file name in the File Name field and click Save.You are returned to the Export Policy window.

4. Enter a password in the File Password field and click OK.

Tip: Remember the password. You will require it when importing the TPO file back into SafeNet Authentication Manager. A TPO can contain credentials (for example the mail server and SMS provider passwords described in Chapter 9), so treat the export file and its password as sensitive.

A message confirms that the policy was exported successfully.


5. Click OK to close the window.

Importing Token Policy Objects

1. In the Current Token Policy Object Links window, ensure that none of the policies are selected, and click Import (see Accessing Token Policy Object Links on page 122). The Import Policy window opens.

2. Click Browse and navigate to the location of the TPO file to be imported.

3. Select the TPO file to be imported and click Open.You are returned to the Import Policy window.


4. In the File Password field, enter the password (created when the TPO file was exported) and click OK. A message confirms that the policy was imported successfully.

5. Click OK to close the window. The imported TPO is displayed in the Current Token Policy Object Links window.


Chapter 9

Token Policy Object Settings

TPO settings determine how SafeNet Authentication Manager controls and executes token policies.

In this section:

Using the Token Policy Object Editor to Edit TPOs
General Settings
Connector Settings
Token Settings
Enrollment Settings
Recovery Settings
Audit Settings
MobilePASS Settings
Backend Service Settings
Legacy TMS Desktop Agent Settings
Badging Settings


Using the Token Policy Object Editor to Edit TPOs Edit the TPO settings to change the behavior of SafeNet Authentication Manager.

Note: After making changes to TPO settings, restart the browser running the SAM Management Center and SAM Self Service Center to apply the relevant changes.

To edit TPO settings:

1. Open the Current Token Policy Object Links window using the appropriate method.

See Accessing TPO Links in an AD Environment on page 122.
See Accessing TPO Links in a Non‐AD Environment on page 125.
See Accessing TPO Links in a Standalone User Store Environment on page 127.

2. Select the appropriate policy object link, and click Edit. The Token Policy Object Editor opens.

3. Select the appropriate node in the left pane. In this example, we select the Mail Configuration TPO settings node to edit.


The Mail Configuration policies are displayed in the right pane.

4. Right‐click the appropriate policy in the right pane, and select Properties from the dropdown menu. In this example, we select the Mail server name policy to edit. The Mail server name properties window opens.

The policy Properties window contains the following:
Navigation controls (Previous and Next)
Node name (in this example, Mail Configuration)
Policy’s function (in this example, Mail server name)
Default setting, applied if the policy is not defined (in this example, localhost)
Define this policy setting option, which enables the policy
When appropriate, a field to enter information (in this example, Mail server name or IP address)

5. To enable the policy, select the Define this policy setting option, and enter the server name or IP address in the Mail server name field.


Note: If the selected Organizational Unit (OU) is a child of another OU or root, and a policy is not defined, the child OU inherits the setting defined in the parent OU. To disable the policy setting so that its setting is not inherited from the parent OU, select Define this policy setting, and select Disabled.

6. Do one of the following:
Select OK to return to the Token Policy Object Editor.
Select Next or Previous to move to the other policy Properties windows.


The policy setting is displayed in the Token Policy Object Editor.


General Settings

General settings control certain global settings for SafeNet Authentication Manager.

Mail Configuration

Mail server name
  Description: Defines the mail server name or address.
  Default: localhost
  Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp

Mail sender
  Description: Defines from whom SafeNet Authentication Manager emails are sent. Note: Ensure that the email address is correct. SafeNet Authentication Manager does not check for a valid email address format.
  Default: [email protected]
  Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp

Mail server user account name
  Description: Defines the account name with which SafeNet Authentication Manager logs on to the mail server.
  Default: Empty (No logon required)
  Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp

Mail server user account password
  Description: Defines the account password with which SafeNet Authentication Manager logs on to the mail server.
  Default: Empty (No logon required)
  Token type: All devices including MobilePASS and SafeNet eToken Virtual Temp


SMS Provider Configuration

SafeNet Authentication Manager supports sending an OTP to a user’s mobile phone via SMS. The SMS Provider Configuration provides information about the SMS service provider and account.

SMS Provider Name
  Description: URL of the SMS service provider.
  Default: None
  Token type: MobilePASS Messaging

Username
  Description: Username required for logging on to the SMS account.
  Default: None
  Token type: MobilePASS Messaging

SMS provider password
  Description: Password required for logging on to the SMS account.
  Default: None
  Token type: MobilePASS Messaging


Connector Settings

Connector settings control the connector applications on tokens. See Connector Configuration on page 201.

Token Settings

The token settings control how SafeNet Authentication Manager sets token properties.

Token Initialization

Token name for unassigned tokens
  Description: Defines the default token name for tokens not yet assigned.
  Default: My Token
  Token type: All devices excluding MobilePASS

Token name template for assigned tokens
  Description: Defines the template used to create names for assigned tokens.
  Default: My Token
  Token type: All devices excluding MobilePASS

Enable token naming in the Self Service Center
  Description: Determines if the user can set or change the token name in the Self Service Center.
  Default: User can name the token

eToken PKI Client 3.65 compatible
  Description: Determines if tokens are compatible with eToken PKI Client 3.65.
  Default: Tokens are compatible with eToken PKI Client 3.65
  Token type: All devices excluding MobilePASS


Token Password

One-factor logon
  Description: Determines if the Token Password is required during logon. If enabled, users authenticate simply by connecting their tokens (possession of the token is sufficient). If disabled, they are also required to enter the Token Password.
  Default: Disabled (Token requires a user password)
  Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Default Token Password
  Description: Defines the default Token Password. Note: This value is the same in every installation. Use the Enrollment settings Set random Token Password or Password must be changed on first logon so that enrolled tokens do not keep it.
  Default: 1234567890
  Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Password Quality

Proxy mode
  Description: Determines if the password policy parameters are read from the host (proxy mode).
  Default: Proxy mode is not used (Password policy parameters are not read from the host)
  Token type: All devices excluding MobilePASS

Minimum password length
  Description: Defines the minimum length of a Token Password.
  Default: 4 characters
  Token type: All devices excluding MobilePASS

Maximum password usage period
  Description: Defines the maximum number of days before a Token Password must be changed.
  Default: 90 days
  Token type: All devices excluding MobilePASS

Minimum password usage period
  Description: Defines the minimum number of days before a Token Password can be changed.
  Default: No minimum
  Token type: All devices excluding MobilePASS

Password expiration warning period
  Description: Determines when users are warned that their Token Password will expire.
  Default: No warning (User will not be warned before password expires)
  Token type: All devices excluding MobilePASS

Password history size
  Description: Defines the number of recent Token Passwords saved to the token that cannot be reused.
  Default: 15 passwords
  Token type: All devices excluding MobilePASS

Password must be changed on first logon
  Description: Determines if users must change their Token Password on first logon after initialization.
  Default: Not required
  Token type: All devices excluding MobilePASS

Maximum consecutive character repetitions
  Description: Defines the maximum number of times that the same character can be repeated consecutively in a Token Password.
  Default: 3 characters
  Token type: All devices excluding MobilePASS

At least 3 complexity rules
  Description: Determines if Token Passwords must contain at least three character types. Note: This is not applicable if the “Apply manual complexity” policy is enabled.
  Default: Enabled
  Token type: All devices excluding MobilePASS

Manual Complexity

Apply manual complexity
  Description: Determines if the Token Password must meet manually defined complexity requirements (as opposed to at least 3 complexity rules).
  Default: Disabled
  Token type: All devices excluding MobilePASS

Numerals
  Description: Determines if, in Token Passwords, numerals are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
  Default: Permitted
  Token type: All devices excluding MobilePASS

Upper-case letters
  Description: Determines if, in Token Passwords, upper-case letters are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
  Default: Permitted
  Token type: All devices excluding MobilePASS

Lower-case letters
  Description: Determines if, in Token Passwords, lower-case letters are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
  Default: Permitted
  Token type: All devices excluding MobilePASS

Special characters
  Description: Determines if, in Token Passwords, special characters are permitted, forbidden or mandatory. Note: This policy applies only if the “Apply manual complexity” policy is enabled.
  Default: Permitted
  Token type: All devices excluding MobilePASS
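To see how the Password Quality and Manual Complexity policies combine when a user chooses a Token Password, the following Python validator is an added example, not SafeNet code. It assumes that a run of more than the “Maximum consecutive character repetitions” value of one character is rejected, that “special characters” means anything that is not a letter or digit, and it compares against previous passwords in clear text for illustration (a token would hold them in protected form); the policy field names are this example's own:

```python
from dataclasses import dataclass
from typing import Iterable, List

# Predicates for the four character types that the Manual Complexity policies
# control. "special" is an assumption: any character that is not alphanumeric.
CHARACTER_TYPES = {
    "numerals": str.isdigit,
    "upper_case": str.isupper,
    "lower_case": str.islower,
    "special": lambda ch: not ch.isalnum(),
}


@dataclass
class PasswordQualityPolicy:
    """Defaults mirror the Password Quality and Manual Complexity tables above.
    Field names are this example's own, not SAM policy identifiers."""
    minimum_length: int = 4
    max_consecutive_repetitions: int = 3   # assumption: longer runs are rejected
    at_least_3_complexity_rules: bool = True
    apply_manual_complexity: bool = False
    numerals: str = "permitted"            # permitted | forbidden | mandatory
    upper_case: str = "permitted"
    lower_case: str = "permitted"
    special: str = "permitted"
    history_size: int = 15


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        previous = ch
        longest = max(longest, run)
    return longest


def check_token_password(candidate: str, policy: PasswordQualityPolicy,
                         history: Iterable[str] = ()) -> List[str]:
    """Return the violated rules; an empty list means the password is accepted."""
    violations: List[str] = []
    if len(candidate) < policy.minimum_length:
        violations.append("shorter than minimum length")
    if longest_run(candidate) > policy.max_consecutive_repetitions:
        violations.append("too many consecutive repeated characters")

    present = {name: any(pred(ch) for ch in candidate)
               for name, pred in CHARACTER_TYPES.items()}
    if policy.apply_manual_complexity:
        # Manual complexity replaces the "at least 3 complexity rules" check.
        for name in CHARACTER_TYPES:
            mode = getattr(policy, name)
            if mode == "forbidden" and present[name]:
                violations.append(f"{name} forbidden")
            elif mode == "mandatory" and not present[name]:
                violations.append(f"{name} mandatory")
    elif policy.at_least_3_complexity_rules and sum(present.values()) < 3:
        violations.append("fewer than 3 character types")

    # Password history: only the most recent history_size entries are checked.
    if candidate in list(history)[:policy.history_size]:
        violations.append("matches a recent password")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords against the default policy and a manual one.
    print(check_token_password("Tr0ub4dor!", PasswordQualityPolicy()))   # []
    print(check_token_password("aaaa1A!", PasswordQualityPolicy()))      # run of 4 'a'
    manual = PasswordQualityPolicy(apply_manual_complexity=True,
                                   numerals="mandatory", special="forbidden")
    print(check_token_password("Passw0rd!", manual))                     # '!' forbidden
```

Note the branch structure: once “Apply manual complexity” is enabled, the three-types rule is not evaluated at all, which matches the note on the “At least 3 complexity rules” policy; a policy that forbids three of the four types under manual complexity therefore silently weakens what the default would have required.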


Initialization Parameters

Maximum number of user logon failures
  Description: Defines how many consecutive Token Password failures lock the token.
  Default: 15 consecutive times
  Token type: All devices excluding MobilePASS

Maximum number of administrator logon failures
  Description: Defines how many consecutive administrator password failures lock the token.
  Default: 15 consecutive times
  Token type: All devices excluding MobilePASS

Manually reserve space for RSA keys
  Description: Determines if a non-standard amount of space is reserved on tokens for RSA keys. If enabled, set the amount of space to reserve in the “Manually set number of reserved RSA keys” policy.
  Default: Disabled (Standard space reserved)
  Token type: All devices excluding MobilePASS

Manually set number of reserved RSA keys
  Description: Defines the amount of space to manually reserve for RSA keys. Note: This setting applies only if the “Manually reserve space for RSA keys” policy is enabled.
  Default: Standard space reserved
  Token type: All devices excluding MobilePASS

FIPS
  Description: Determines if tokens are initialized as FIPS compliant.
  Default: Not FIPS compliant
  Token type: All devices excluding MobilePASS

PKCS#11 user PIN initialization
  Description: Determines if tokens are initialized with a PKCS#11 user PIN.
  Default: Enabled (PKCS#11 user PIN is initialized)
  Token type: All devices excluding MobilePASS

2048-bit RSA key support
  Description: Determines if 2048-bit RSA keys are supported.
  Default: Not supported
  Token type: All devices excluding MobilePASS

OTP support
  Description: Determines if OTP is supported.
  Default: Not supported
  Token type: All devices excluding MobilePASS

Initialization Key

Use standard initialization key for first-time initializations
  Description: Defines whether the standard token initialization key is used for first-time initializations. Note: To use a non-standard initialization key for new tokens, disable this policy and define the initialization key in the “First-time initialization key” policy.
  Default: Use the standard initialization key
  Token type: All devices excluding MobilePASS

First-time initialization key
  Description: Defines the non-standard first-time initialization key.
  Default: Standard initialization key
  Token type: All devices excluding MobilePASS

Change initialization key for subsequent initializations
  Description: Defines whether a new initialization key is used for subsequent initializations. Note: If this policy is enabled, tokens can be re-initialized only by SAM or by someone who knows the subsequent initialization key. To change the initialization key for tokens already initialized, enable this policy and define the subsequent initialization key in the “Subsequent initialization key” policy.
  Default: Do not use a different initialization key
  Token type: All devices excluding MobilePASS

Subsequent initialization key
  Description: Defines a new initialization key to use for subsequent initializations. Select Define this Policy Setting, then select one of the following:
    Standard: use the standard initialization key
    Random: create a randomly generated initialization key (known only to SAM)
    New initialization key: create a static initialization key
  Note: If this policy is defined, tokens can be initialized only by SAM or by someone who knows the subsequent initialization key. To create a different initialization key for tokens already initialized, you must define the subsequent initialization key in this policy and enable the “Change initialization key for subsequent initializations” policy.
  Default: Standard initialization key
  Token type: All devices excluding MobilePASS


Advanced Settings

Private data caching
  Description: Defines when private data is cached. Select Define this Policy Setting, then select one of the following:
    Always
    While user is logged on
    Never
  Default: Always
  Token type: All devices excluding MobilePASS

RSA key secondary authentication
  Description: Defines how RSA key secondary authentication is used. Select Define this Policy Setting, then select one of the following:
    Never
    Always prompt user
    Prompt on application request
    Always
  Default: Never
  Token type: All devices excluding MobilePASS


Enrollment SettingsEnrollment settings control the SafeNet Authentication Manager token enrollment process.

General Properties

Maximum number of active tokens per user
Description: Defines the maximum number of non-revoked tokens per user.
Default: 1
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Initialize token on each enrollment
Description: Determines if tokens are initialized during each enrollment.
Default: No initialization
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Initialize new token on first enrollment
Description: Determines if new tokens are initialized during their first enrollment in SafeNet Authentication Manager.
Note: The Initialize new token on first enrollment setting is effective only if enrollment is done through the SAM Service Center.
Default: No initialization

Set random Token Password
Description: Determines if a random Token Password is set during initialization.
Note: If this policy is enabled, ensure that users receive their Token Passwords via the enrollment notification settings defined in the TPO.
Default: Random Token Password is not set
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Random Token Password length
Description: Defines the length of the random Token Password.
Default: 12 characters
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Random Token Password content
Description: Defines the character content of the random Token Password.
Default: Numerals only
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Password must be changed on first logon
Description: Determines if users must change their Token Passwords on first logon after enrollment.
Default: Password change not required
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Ignore connector incompatibility during enrollment
Description: Determines if token enrollment fails when a connector is not compatible with the token type.
Default: Do not ignore incompatibility (enrollment fails)
Token type: All devices excluding MobilePASS

Enable SafeNet eToken Virtual creation
Description: Determines if a SafeNet eToken Virtual may be created during enrollment (instead of enrolling a physical token).
Default: Not enabled
Token type: eToken Virtual

Require user to complete authentication questionnaire
Description: Determines if users must complete authentication questionnaires during enrollment.
Default: Not required
Token type: All devices excluding MobilePASS
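The following Python example is added here to illustrate the Random Token Password length and content policies above; it is not part of the SafeNet documentation or product code. It draws a password from a cryptographic random source for a given (length, content) policy, reports the entropy the policy yields, and computes the length needed to reach a target, so an administrator can judge whether the defaults (12 characters, numerals only) suit their environment. The content classes other than numerals, the function names and the 64-bit target are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes modelling the "Random Token Password content" policy.
# "numerals" corresponds to the documented default (Numerals only); the
# other classes are assumed for illustration and are not product option names.
CONTENT_CLASSES = {
    "numerals": string.digits,
    "letters": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
    "alphanumeric and symbols": string.ascii_letters + string.digits + string.punctuation,
}


def generate_token_password(length=12, content="numerals"):
    """Draw a random Token Password that satisfies a (length, content) policy.

    secrets.choice uses the OS CSPRNG; random.choice must never be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    alphabet = CONTENT_CLASSES[content]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length=12, content="numerals"):
    """Entropy in bits of a password drawn uniformly under the policy."""
    return length * math.log2(len(CONTENT_CLASSES[content]))


def min_length_for_entropy(content, minimum_bits):
    """Smallest policy length that reaches minimum_bits for the given content class."""
    return math.ceil(minimum_bits / math.log2(len(CONTENT_CLASSES[content])))


def matches_policy(password, length, content):
    """Check an existing password (for example one a connector set) against the policy."""
    alphabet = set(CONTENT_CLASSES[content])
    return len(password) == length and all(ch in alphabet for ch in password)


if __name__ == "__main__":
    for content in CONTENT_CLASSES:
        pw = generate_token_password(12, content)
        print(f"{content:24s} {pw!r:22s} {password_entropy_bits(12, content):5.1f} bits")
    # Assumed target: 64 bits, a common floor where offline guessing is possible.
    print("numerals needed for 64 bits:", min_length_for_entropy("numerals", 64))
```

A 12-digit numeric password gives just under 40 bits. A hardware token enforces a retry counter, so the number matters most where the same policy protects something that can be attacked offline, such as a software token file; in either case the notification channel that delivers the random password to the user is the weakest link and should be reviewed together with this policy.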


SafeNet eToken Virtual Enrollment

SafeNet eToken Virtual locking method
Description: Determines the method for locking SafeNet eToken Virtual authenticators (see SafeNet eToken Virtual Products on page 432). Select Define this Policy Setting, then select one of the following:
Options: Portable drive only; Computer only; Portable drive or computer
Default: Computer only
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Enrollment Notification

Enrollment Notification settings enable configuration of the enrollment notification letters. See Enrollment Notification on page 332.


Recovery Settings

Recovery settings set options for tokens that cannot be used because they have been lost or their passwords have been forgotten.

Enable token unlock
Description: Determines if an administrator password is created for token unlock.
Note: To be unlocked, a token must have an Administrator Password saved to it during initialization. To enable this, enable this policy and define the Unlock password type policy. A locked token that does not have an Administrator Password cannot be used for logon until it is re-initialized.
Default: Enabled
Token type: All devices excluding MobilePASS

Unlock password type
Description: Defines the administrator password type.
Note: To be unlocked, a token must have an Administrator Password saved to it during initialization. To enable this, enable the Enable token unlock policy and define this policy. A locked token that does not have an Administrator Password cannot be used for logon until it is re-initialized.
Default: Random password
Token type: All devices excluding MobilePASS

Maximum number of SafeNet eToken Virtual unlocks
Description: Defines how many times a SafeNet eToken Virtual can be unlocked.
Note: The number of unlocks includes both successful and unsuccessful attempts.
Default: 20 times
Token type: All devices excluding SafeNet eToken Virtual Temp

Enable SafeNet eToken Rescue
Description: Determines if users can download a SafeNet eToken Rescue as a replacement token.
Default: Not allowed
Token type: All devices excluding SafeNet eToken Virtual Temp

Maximum SafeNet eToken Rescue usage period
Description: Defines the number of days a SafeNet eToken Rescue can be used.
Default: 14 days
Token type: All devices excluding SafeNet eToken Virtual Temp

SafeNet eToken Rescue download options
Description: Determines when a SafeNet eToken Rescue is downloaded to a user's computer: the user manually initiates the download, or the download is automatic on first logon.
Default: User manually initiates download
Token type: All devices excluding SafeNet eToken Virtual Temp

User authentication questionnaire
Description: Defines the questions asked for user authentication.
Default: No questions (users cannot authenticate to the Rescue Service Center)
Token type: All devices

Number of random questions asked
Description: Defines how many random questions are asked for user authentication.
Default: 0 (no questions asked)
Token type: All devices

Maximum number of authentication retries
Description: Defines how many incorrect authentication answers lock the user when attempting to authenticate to the Rescue Service Center.
Default: 3
Token type: All devices

User authentication for Helpdesk
Description: Determines if user authentication is required to access the Helpdesk.
Default: Not required
Token type: All devices

Maximum Temp Logon usage period
Description: Defines the number of days a temporary password can replace a missing token.
Default: 3 days
Token type: All devices excluding MobilePASS

Maximum Temp OTP password usage period
Description: Defines the number of days a Temp OTP password can replace a missing OTP token.
Default: 14 days
Token type: All devices

Enable token history
Description: Enables the token history feature.
Default: Not enabled

Require certificate recovery workflow
Description: Determines if a certificate recovery workflow is required.
Default: Not required


Audit Settings

Audit settings enable audit information logging and audit notification letters configuration. See Audit Messages on page 322.

MobilePASS Settings

MobilePASS settings apply to MobilePASS tokens.

General Properties

Maximum number of active MobilePASS tokens per user
Description: Defines the maximum number of MobilePASS tokens allowed for each user.
Default: 1
Token type: MobilePASS

Enable MobilePASS Messaging
Description: Determines if MobilePASS Messaging enrollment is enabled.
Default: Not enabled
Token type: MobilePASS

Enable automatic enrollment of MobilePASS Messaging tokens
Description: Determines if automatic MobilePASS Messaging enrollment is enabled.
Default: Not enabled
Token type: MobilePASS

Verify SMS number on self-enrollment
Description: Determines if the SMS number is verified on self-enrollment.
Default: SMS number is verified
Token type: MobilePASS


Backend Service Settings

SafeNet Authentication Manager Backend Service settings control Backend Service activities.

Disallow Temp Logon
Description: Determines if the Backend Service disallows the use of a temporary password as a replacement for a missing token.
Default: Disallow
Token type: All devices excluding MobilePASS

Revoke opened SafeNet eToken Rescue upon expiration
Description: Determines if an opened SafeNet eToken Rescue is automatically revoked upon expiration.
Default: Revoke
Token type: All devices excluding SafeNet eToken Virtual Temp

Revoke tokens of users deleted from SAM user store
Description: Determines if tokens are automatically revoked when their users are deleted from the user store.
Default: Revoke
Token type: All devices

Revoke tokens of users disabled in SAM user store
Description: Determines if tokens are automatically revoked when their users are disabled in the user store.
Default: Not revoked
Token type: All devices

Synchronize users data
Description: Determines if SAM database integrity is maintained by synchronizing users' data.
Default: Synchronize
Token type: All devices

Synchronize license data
Description: Determines if license counters are automatically calculated and updated.
Note: Enable this policy to optimize SAM performance.
Default: Synchronize
Token type: All devices


Legacy TMS Desktop Agent Settings

Legacy Desktop Agent settings control the legacy TMS Desktop Agent capabilities.

Display token update alerts
Description: Defines whether to display alerts to the user if the token content is not aligned with definitions or is about to expire.
Default: Token update alerts are enabled

Update alert period
Description: Defines the number of days before the eToken expiration date that the update alert is shown.
Default: Expiration alert starts 30 days before the token expires

Update alert text
Description: Defines the message the user sees in a token update alert.
Default: Update your token

Update alert title
Description: Defines the title of the alert message the user sees in a token update alert.
Default: Token Notification

Update alert click action
Description: Determines the action that occurs when the user clicks the alert balloon: No action, Show detailed message, or Open website.
Default: No action

Update alert detailed message
Description: The message displayed when the user clicks the balloon. Used only if the Update alert click action policy is set to Show detailed message.
Default: Empty

Update alert website URL
Description: The website URL opened when the user clicks the balloon. Used only if the Update alert click action policy is set to Open website.
Default: Not defined

Update alert interval
Description: Defines the minimum interval in days between two alerts to the same user (for connected tokens).
Default: Minimum alert interval is 4 days

Update check interval
Description: Alerts are checked whenever a token is inserted, or when the specified number of days has passed since the last alert check (even if a token was not inserted).
Default: Alert check interval is 14 days

Token connection auditing
Description: Determines if token insertion and removal events are audited.
Default: Token insertion/removal auditing is enabled

Badging Settings

Badging settings control how badges are printed.

Enable badging
Description: Determines if badging is enabled.
Default: Disabled
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Expiration date on badge
Description: Determines if an expiration date is printed on the badge, and sets the date.
Default: Empty (no date printed)
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp


Photo Storage

Note: The file system folder should not be a network folder.

Photo storage method
Description: Determines if the users' photos are stored on a file system or in the SAM User Store.
Default: File system
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

File system photo directory
Description: Determines the location of the photos stored on a file system.
Default: Empty
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Printing Parameters

Print front of badge
Description: Determines if the front of the badge is printed.
Default: Enabled
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Print back of badge
Description: Determines if the back of the badge is printed.
Default: Disabled
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Orientation - front side
Description: Determines if the badge's front side orientation is portrait or landscape.
Default: Portrait
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Orientation - back side
Description: Determines if the badge's back side orientation is portrait or landscape.
Default: Landscape
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Image generator plug-in
Description: Defines the assembly plug-in for generating the badge's printing file.
Note: Define this setting if you have developed an SDK plug-in that uses a custom image generator or printer.
Default: SAM-supplied plug-in
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Template - front side
Description: Determines the template file used for printing the badge's front side.
Default: SAM-supplied generic template
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Template - back side
Description: Determines the template file used for printing the badge's back side.
Default: SAM-supplied generic template
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Laminate - front side
Description: Determines if a protective topcoat is printed on the badge's front side.
Default: Enabled
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Laminate - back side
Description: Determines if a protective topcoat is printed on the badge's back side.
Default: Enabled
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Printing plug-in
Description: Determines if a printing plug-in is used for printing the badge image.
Note: Define this setting if you have developed an SDK plug-in that uses a custom image generator or printer.
Default: SAM-supplied plug-in
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Enable duplex printing
Description: Determines if two-sided printing is enabled.
Default: Enabled
Token type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp


Chapter 10

SAM Configuration Manager

Use the SafeNet Authentication Manager Configuration Manager to change the default settings in accordance with your organization's policies.

In this section:

Launching the SAM Configuration Manager
Selecting the SAM Instance
Importing and Exporting the SAM Settings File
Adding SAM Connectors
Configuring Roles
Scheduling the SAM Backend Service
Configuring the License
Configuring IIS and Web Services
Selecting the Authentication Plug-In
Defining a Failover Configuration
Exporting and Importing the Signing Certificate
Changing the SAM Service Account


Launching the SAM Configuration Manager

Note: In Windows Server 2008 and Windows Server 2008 R2, the SAM Configuration Manager must be run as Administrator.

To launch the SAM Configuration Manager:

Select Start > Programs > SafeNet > SafeNet Authentication Manager Configuration Manager. The SAM Configuration Manager window opens, displaying details of the SAM instance.

Selecting the SAM Instance

If more than one SafeNet Authentication Manager instance has been configured, select the required instance.

To select the SAM instance:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the General menu, select Select Configuration, and select the appropriate SafeNet Authentication Manager configuration name assigned in the SafeNet Authentication Manager Configuration Settings Wizard.


Importing and Exporting the SAM Settings File

The SafeNet Authentication Manager Settings File contains data used for SafeNet Authentication Manager processes, including the security keys used to encrypt SafeNet Authentication Manager data in Active Directory. The Settings File can be exported for backup or sharing, and imported later.

Import the Settings File from the backup file when you need to restore a damaged computer, or when you are setting up an additional SafeNet Authentication Manager Server that uses the same settings.

Each Settings File contains a global security key and a security key for each connector. If there is more than one instance of SAM Server on a computer, each instance has its own SAM Settings File. Because the exported file contains these keys, treat it as a secret: choose a strong file password and store the export where only SAM administrators can read it.

Notes: The SafeNet Authentication Manager Settings File should be exported after installation. We recommend exporting the SafeNet Authentication Manager Settings File whenever a connector is added.

These keys are typically configured for renewal every year. The Settings File options in the Action dropdown menu are enabled only when there are keys due for renewal.

Exporting the SAM Settings File

To export the SAM Settings File:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Settings File > Export.


The Export Settings File window opens.

3. Enter a path for the exported settings file, and create and confirm a password for the new file. The default path is C:\Documents and Settings\Administrator\My Documents\SAMSettingsExport.xm

Tip: Remember the file password. You must provide it when importing the file.

4. Click Export. The file is exported, and the Export Completed window opens.

5. Click OK.


Importing the SAM Settings File

To import the SAM Settings File:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Settings File > Import.

The Import Settings File window opens.

3. Enter the path and the file password of the exported settings file, and click Import. The file is imported, and the Import Completed window opens.

4. Click OK.

Adding SAM Connectors

During token enrollment, applications for the SAM connectors installed on SAM are enabled on the token. If a SAM connector is not installed at the time of token enrollment, its connector applications are not enabled on the token. See Connector Configuration on page 201 to configure connectors.


To add a new connector:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Connectors > Add Connector. The Open window opens, displaying all the available connector files.

3. Select the required connector and click Open. In this example, the Entrust Connector is installed.


The connector is installed and is included in the SafeNet Authentication Manager Configuration Manager window.

Note: We recommend exporting the SafeNet Authentication Manager Settings File whenever a connector is added.

Configuring Roles

See Authorization Manager on page 299.

Scheduling the SAM Backend Service

To schedule SAM Backend Service:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Backend Service > Change Scheduling. The Backend Service Scheduling window opens.


3. To activate the scheduled operation of SAM Backend Service, select Enable scheduling, and select one of the following:

Periodically: enter the number of hours between each scheduled operation
Daily: enter the time at which scheduled operations are performed
Weekly: enter the day of the week and the time at which scheduled operations are performed

4. Click OK.

Note: After scheduling the Backend Service, you must restart the Backend Service for the changes to take effect.


Configuring the License

See Licensing on page 293.

Configuring IIS and Web Services

Configuring OTP Web Services

See OTP Web Service Settings on page 340.

Configuring Features of the SAM Management Center

You can change certain default features of the SAM Management Center.

To configure certain features of the SAM Management Center:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select IIS and SAM Web Services > Management Center. The Management Center Settings window opens.


3. Complete the fields as follows and click OK:

SAM Client download file
Enter the path to the 32-bit SAM Client installation file (msi).

SAC Client X64 download file
Enter the path to the 64-bit SAM Client installation file (msi).

Show the user display name
Select to show the user's display name instead of the account name.

Maximum rows per report page
Select the number of rows to be displayed on each page of a report.

Maximum tokens and users search results
Select the number of records to be displayed that match the search criteria. The larger the number, the longer the search time. To display more results, increase this number.

Token Serial Format
Select the format in which the token serial number is displayed: Hexadecimal or Decimal.

Configuring Features of the SAM Self Service Center

You can change certain default features of the SAM Self Service Center.

Note: There is no default value for the SafeNet Authentication Client download file location. We recommend that you define the file's location in case a user does not have SafeNet Authentication Client installed.

To configure certain features of the SAM Self Service Center:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select IIS and SAM Web Services > Self Service Center. The SAM Self Service Center Configuration window opens.


3. Complete the fields as follows and click OK:

SafeNet Authentication Client 32-bit download file
SafeNet Authentication Client 64-bit download file
Click Browse to select the path to the SafeNet Authentication Client installation file in the ClientDownload folder.
Note: Ensure that the SafeNet Authentication Client file has been copied to the ClientDownload folder where the SafeNet Authentication Manager Client file is located.

SafeNet Authentication Manager Client 32-bit download file
SafeNet Authentication Manager Client 64-bit download file
Enter the path to the SafeNet Authentication Manager Client installation file.
Note: By default, the path is entered during the installation process.


Configuring Features of the SAM Rescue Service Center

You can change certain default features of the SAM Rescue Service Center.

To configure certain features of the SAM Rescue Service Center:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select IIS and SAM Web Services > Rescue Service Center. The SAM Rescue Service Center Settings window opens.

3. Enter the number of minutes that a SafeNet eToken Rescue is kept on the SafeNet Authentication Manager Server after the user logs off.

Configuring Features of SAM Web Service API

The SAM Web Service API enables developers to develop applications that contact SafeNet Authentication Manager directly, without the user being required to log on through a SafeNet Authentication Manager website. Such an application allows the end user to log on to a different application that accesses SafeNet Authentication Manager.

Note: Only server-based operations are available.


To configure certain features of the SAM Web service API:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select IIS and SAM Web Services > Web API Service. The Web API Service Settings window opens.

3. Complete the fields as follows and click OK.

Sessions do not expire
Select to allow a session to continue for an unlimited time.

Sessions expire after (in minutes)
To limit the length of a session, clear Sessions do not expire and enter the maximum session time permitted, in minutes.

Delete expired sessions every (in minutes)
Even when a session is no longer active, it remains open until it is deleted. Enter the interval, in minutes, between attempts to delete expired sessions from the system.

Unlimited number of concurrent open sessions
Select to allow an unlimited number of open sessions.

Maximum number of concurrent open sessions
To limit the number of open sessions, clear Unlimited number of concurrent open sessions and enter the maximum number of sessions that can be open concurrently.
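The following Python model is an added example, not SafeNet code, and shows how the four settings above interact: a session that has passed Sessions expire after is rejected immediately, but it still counts against Maximum number of concurrent open sessions until the periodic deletion pass runs, so a low cap combined with a long Delete expired sessions every interval can let a burst of abandoned sessions lock out legitimate API clients. Times are supplied by the caller rather than read from the clock so the run is reproducible; the class, method and user names are this example's own.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Session:
    sid: int
    user: str
    created: float  # seconds, supplied by the caller


class WebApiSessionTable:
    """Model of the Web API Service session settings (example names, not the product API).

    expire_after_min=None models "Sessions do not expire";
    max_concurrent=None models "Unlimited number of concurrent open sessions".
    """

    def __init__(self, expire_after_min=None, cleanup_every_min=5, max_concurrent=None):
        self.expire_after = None if expire_after_min is None else expire_after_min * 60
        self.cleanup_every = cleanup_every_min * 60
        self.max_concurrent = max_concurrent
        self.sessions = {}
        self._ids = itertools.count(1)
        self._last_cleanup = 0.0

    def _is_expired(self, session, now):
        return self.expire_after is not None and now - session.created >= self.expire_after

    def open(self, user, now):
        # Expired sessions that have not yet been deleted still occupy a slot.
        if self.max_concurrent is not None and len(self.sessions) >= self.max_concurrent:
            raise RuntimeError("maximum number of concurrent open sessions reached")
        sid = next(self._ids)
        self.sessions[sid] = Session(sid, user, now)
        return sid

    def validate(self, sid, now):
        """True if the session exists and has not passed its expiry (deleted or not)."""
        session = self.sessions.get(sid)
        return session is not None and not self._is_expired(session, now)

    def cleanup_tick(self, now):
        """Periodic deletion pass; runs only once cleanup_every has elapsed. Returns count deleted."""
        if now - self._last_cleanup < self.cleanup_every:
            return 0
        self._last_cleanup = now
        dead = [sid for sid, s in self.sessions.items() if self._is_expired(s, now)]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)

    def open_count(self):
        return len(self.sessions)


def scenario():
    """Walk through the interaction with constructed users; returns the observations."""
    table = WebApiSessionTable(expire_after_min=10, cleanup_every_min=5, max_concurrent=2)
    alice = table.open("alice", now=0)
    bob = table.open("bob", now=300)
    out = {}
    # Eleven minutes in: alice's session is expired for API calls ...
    out["alice_valid_at_660"] = table.validate(alice, now=660)
    out["bob_valid_at_660"] = table.validate(bob, now=660)
    # ... but it has not been deleted, so the cap still refuses a new client.
    try:
        table.open("carol", now=660)
        out["carol_refused_before_cleanup"] = False
    except RuntimeError:
        out["carol_refused_before_cleanup"] = True
    out["deleted_by_cleanup"] = table.cleanup_tick(now=660)  # interval elapsed: pass runs
    out["carol_opened_after_cleanup"] = table.open("carol", now=661) is not None
    out["skipped_cleanup"] = table.cleanup_tick(now=700)    # only 40 s later: skipped
    out["open_sessions"] = table.open_count()
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

When a concurrent-session cap is configured, keep the deletion interval well below the session lifetime; otherwise the effective capacity is the cap minus whatever expired sessions are waiting for the next pass.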


Configuring Desktop Agent

See Desktop Agent on page 371.

Configuring Server Synchronization

In a distributed environment with more than one SafeNet Authentication Manager server, the Server Synchronization feature is used to synchronize the token and user records during the assignment operation. This ensures that two or more token assignment sessions cannot assign the same token twice, or assign more than the permitted number of tokens to a user.

To configure server synchronization:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select IIS and SAM Web Services > Server Synchronization. The Server Operations Synchronization Settings window opens.


3. To activate server synchronization, select Server Synchronization.

4. For each server to be included in the synchronization operations, click Add, type the server URL, and click Test to verify the URL.

5. To change the default locking time, enter a new locking time (in milliseconds). The locking time determines the maximum time the user's record and the user's token records are locked during an assignment operation.

6. To change the default failure timeout, enter a new failure timeout (in milliseconds). The failure timeout is the time after which a failed lock operation returns an error response.

7. Click OK. The Restart IIS Application Pool window opens.

8. To save the changes and restart the IIS Application Pool, click Yes.
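The following Python model is an added example, not SafeNet code, and shows the behaviour the locking time and failure timeout settings control, using one lock per user record and per token record: two assignment sessions race for the same token serial, and the loser either sees the token already assigned (when the first session releases its locks within the failure timeout) or receives a lock-timeout error (when it does not). The serial number, user names, class and method names are constructed for the example; the product's own locking protocol is not described on this page and may differ.

```python
import threading
import time


class AssignmentCoordinator:
    """Per-record locking for token assignment (example model, not the product's implementation).

    locking_time_ms: maximum time one assignment keeps the user and token records locked.
    failure_timeout_ms: how long a competing assignment waits for a lock before erroring.
    """

    def __init__(self, locking_time_ms=5000, failure_timeout_ms=2000, max_tokens_per_user=1):
        self.locking_time = locking_time_ms / 1000.0
        self.failure_timeout = failure_timeout_ms / 1000.0
        self.max_tokens_per_user = max_tokens_per_user
        self._record_locks = {}          # ("user"|"token", key) -> threading.Lock
        self._registry_guard = threading.Lock()
        self.assignments = {}            # token serial -> user

    def _lock_for(self, key):
        with self._registry_guard:
            return self._record_locks.setdefault(key, threading.Lock())

    def assign(self, user, token_serial, work_seconds=0.0):
        # Always lock the user record before the token record, so two sessions
        # contending for the same pair can never deadlock.
        held = []
        try:
            for key in (("user", user), ("token", token_serial)):
                lock = self._lock_for(key)
                if not lock.acquire(timeout=self.failure_timeout):
                    return "error: lock timeout"
                held.append(lock)
            if token_serial in self.assignments:
                return "error: token already assigned"
            owned = sum(1 for u in self.assignments.values() if u == user)
            if owned >= self.max_tokens_per_user:
                return "error: user at token limit"
            # Simulate the assignment work; the locks are never held past locking_time.
            time.sleep(min(work_seconds, self.locking_time))
            self.assignments[token_serial] = user
            return "assigned"
        finally:
            for lock in reversed(held):
                lock.release()


def race_same_token(work_seconds, failure_timeout_ms):
    """Two sessions assign the same constructed serial to different users at once."""
    coord = AssignmentCoordinator(locking_time_ms=5000, failure_timeout_ms=failure_timeout_ms)
    results = []
    results_guard = threading.Lock()

    def session(user):
        outcome = coord.assign(user, "0x00A1B2C3", work_seconds)
        with results_guard:
            results.append(outcome)

    first = threading.Thread(target=session, args=("alice",))
    second = threading.Thread(target=session, args=("bob",))
    first.start()
    time.sleep(0.1)            # let the first session take its locks
    second.start()
    first.join()
    second.join()
    return sorted(results), dict(coord.assignments)


if __name__ == "__main__":
    print(race_same_token(work_seconds=0.2, failure_timeout_ms=1000))
    print(race_same_token(work_seconds=0.5, failure_timeout_ms=100))
```

In this model a failure timeout shorter than the locking time means a contending session can give up before the holder is guaranteed to release, which surfaces as lock-timeout errors under load rather than as a short wait; set the failure timeout with the locking time in mind.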

Selecting the Authentication Plug-In

When SafeNet Authentication Manager uses a non-AD external user store, Active Directory cannot be used to authenticate usernames and passwords. An authentication plug-in file is required to enable users to log on to the SAM websites. The plug-in dll was set in the SAM Configuration Wizard. See Chapter 7, Configuring for OpenLDAP, Novell eDirectory or Remote AD, step 12 on page 108, or Configuring for MS SQL Server, step 11 on page 119. Use the SAM Configuration Manager to set a different authentication plug-in dll.


To set a different authentication plug-in:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Website Authentication Settings > Change. The Authentication Settings window opens.

3. Navigate to the appropriate authentication dll file, and click OK.

Defining a Failover Configuration

The failover configuration feature enables you to set up a failover configuration for LDAP user stores that do not follow the standard AD configuration. When the standard AD configuration is used, a failover configuration is not required. SafeNet Authentication Manager connects to the failover LDAP user store if the primary user store stops responding.

To create a failover configuration:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. Select General > Failover Configuration > New.

3. The New Failover Configuration window opens.

4. Click Browse next to the Select Directory field.


In this example, the Select OpenLDAP Server window opens.

5. Enter the fields as follows:

Server
Enter the IP address of the directory server.

Port
Enter the directory server port. This is determined when the directory is configured.

Naming Context
Click Browse and select the required naming context.

Simple Binding, using an anonymous user
Select this option to connect to the directory server without a user and password. This is possible only if anonymous binding is enabled on the directory server.

Simple Binding, using the following user
Select this option to connect to the directory server using a User DN and Password. Enter the User DN and Password in the appropriate fields.

Use a secure connection
If OpenLDAP is configured to run in secure mode, select this option to encrypt the data transferred between SafeNet Authentication Manager and the directory server. A simple bind sends the User DN and Password in clear text unless the connection is encrypted, so select this option whenever the bind uses credentials.


6. The selected directory is displayed in the New failover configuration window.

7. Click Save to save the configuration, and click Close.

Exporting and Importing the Signing Certificate

You can create a password-protected file containing the settings for the SafeNet Authentication Manager security keys. This file can later be imported back into SafeNet Authentication Manager.

Exporting a Signing Certificate

To export a signing certificate:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Signing Certificate > Export. The Export Certificate window opens.

3. To change the default installation folder, click Browse and navigate to the required location.

4. Enter a password in the File Password field, and confirm in the Confirm Password field.

5. Click Export.


Importing a Signing Certificate

To import a signing certificate:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Signing Certificate > Import. The Import Certificate window opens.

3. Click Browse and navigate to the file.

4. Enter the password in the File Password field and click Import.

Tip: The file password is the one that was set when the signing certificate was exported.


Changing the SAM Service Account

The SAM Service Account is used to manage SafeNet Authentication Manager operations. It may be necessary to change the account details and password that were entered during installation.

Notes: The SAM Service Account need not be an administrator account, but it must have sufficient permissions to run the connectors. See Permissions for Basic Administration on page 310.

The SAM Service Account can be changed only if the user account has a user logon name in UPN format (user@domain).

To change the Service Account and password:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180). The SAM Configuration Manager window opens.

2. Select General > Change Service Account. The SAM Service Account window opens.

3. Click Browse next to the Username field. The Select User window opens.


4. Enter the account name in the Enter the object name to select field, and click OK. The selected account name is displayed in the Change SAM Services Account window.

5. In the Password and Confirm Password fields enter a password for the account, and click OK.


Chapter 11

Connector Configuration

SafeNet Authentication Manager is based on an open standards architecture with configurable connectors. This supports integration with a wide range of security applications, including network logon, VPN, web access, one-time password authentication, secure email, and data encryption. Use the Token Policy Object Editor to change the SafeNet Authentication Manager connectors' default configurations. See Using the Token Policy Object Editor to Edit TPOs on page 146.

In this section:

Connector for Microsoft CA
Connector for OTP Authentication
Connector for Flash Management
Connector for P12 Certificate Import
Connector for SafeNet Network Logon
Connector for Check Point Internal CA
Connector for Entrust


Connector for Microsoft CA The connector for Microsoft CA (MSCA) enables the user to generate certificates using the Microsoft Certificate Authority (CA) services.Two types of certification authorities (CAs) are provided by Windows Server 2003/2003R2/2008/2008R2 Certificate Services:

- Standalone: permits the generation of certificates for anyone
- Enterprise: permits the generation of certificates for authenticated users only, and requires Active Directory to be installed

The SafeNet Authentication Manager Microsoft CA Connector interacts with both types of CAs, enabling certificates to be generated for these CAs. For more information on certificates and CAs, see Microsoft documentation.

Supported User Stores

- AD: Yes
- MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Only for offline requests where the subject name is provided manually. Supported only for a standalone CA.


Microsoft DLL Files Required for MSCA

The required DLL files are supplied with the supported operating systems and service packs.

Windows XP and Windows Server 2003

In Windows XP, install the AdminPack to obtain all required DLLs.

DLL         Purpose                                TPO   SAM Management Center   SAM Self Service Center
xenroll     Token side                             No    Yes                     Yes
scrdenrl    CA and Token                           No    Yes                     No
Certadmin   CA side configuration and enrollment   Yes   No                      No
Certcli     CA side configuration and enrollment   Yes   No                      No

Windows Vista, Windows 7 and Windows Server 2008

DLL         Purpose                                TPO   SAM Management Center   SAM Self Service Center
certEnroll  Token side                             No    Yes                     Yes


Configuring the Microsoft CA

The Microsoft CA must be configured before it is connected to SafeNet Authentication Manager. This involves adding the appropriate templates, and setting the security properties.

Adding a Template to the CA

The certificate template must be deployed so the CA can issue certificates based on it.

To add a template to the CA:

1. From the Windows Start menu, go to Programs > Administrative Tools > Certification Authority. The Certification Authority window opens.

2. In the navigation pane, expand the entry under Certification Authority (Local), and select Certificate Templates.


Templates that are in the database and in the CA are displayed in the right pane.

3. Right-click the Certificate Template node, and from the sub-menu, select New > Certificate Template to Issue. The Enable Certificate Templates window opens.

4. Select the required certificate template, and click OK. The added certificate template is included in the right pane.

Setting Template Security Properties

Set the template's security properties to define which permissions are given to each organizational group. Authorize those users who need to enroll certificates in the CA to request certificates.


To set template security properties in Windows Server 2003:

1. From the Windows Start menu, go to Programs > Administrative Tools > Certification Authority. The Certification Authority window opens.

2. In the navigation pane, expand the entry under Certification Authority (Local).

3. Right‐click Certificate Templates, and from the sub‐menu, select Manage.


The templates are displayed in the right pane.

4. Right-click the template of the required certificate, and from the sub-menu, select Properties. The Properties window opens.

5. Select the Security tab.

6. Select the required permissions for all relevant organizational groups, and click OK.


Duplicating a Template

We recommend creating a duplicate template to use as a backup.

To create a duplicate template:

1. Select the required template (See Setting Template Security Properties on page 205).

2. Right-click on the template and select Duplicate Template. The Properties of New Template window opens.

3. If required, make changes to the properties of the template.

4. Click OK. A template named Copy of <template name> is added to the list of certificate templates.


Changing the Minimum Key Size

The default Smartcard Logon template has a default key size of 512. For Smartcard logon with JavaCard, a minimum key size of 1024 is required.

To change the minimum key size:

1. Select the Smartcard User template (See Setting Template Security Properties on page 205).

2. Right-click on Smartcard User and select Duplicate Template. The Properties of New Template window opens.

3. In the Minimum key size field enter 1024 or 2048 as required.

4. Click OK. A template named Copy of Smartcard user is added to the list of certificate templates.


Setting CA Security Properties

Set the CA's security properties to define which permissions are given to each organizational group.

To set CA security properties:

1. From the Start menu go to Programs > Administrative Tools > Active Directory Sites and Services. The Active Directory Sites and Services window opens.

2. In the navigation pane, right-click Certificate Authority, and from the sub-menu, select Properties. The Properties window opens.

3. Select the Security tab.

4. Set the required permissions for each organizational group, and click OK.

Defining TPO Rules

Use the Connector Policy Object Editor to set the SAM connector policies.

To create a new request:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings.


The list of installed SafeNet Authentication Manager connectors opens in the right pane.

3. In the right pane, right-click Connector for Microsoft CA and select Properties. The Connector for Microsoft CA Properties window opens.

4. Select Define this policy setting, select Enabled, and click Definitions.


The Connector Policy Object Editor opens.

5. By default, there is no limit to the number of certificates that can be enrolled to a token. To limit the maximum number of certificates on the token, do the following:

a. In the right pane, right-click Maximum number of certificates on token, and select Properties.

b. Select Define this policy setting.

c. Enter the maximum number of certificates that can be enrolled on the token and click OK.

6. Right-click Microsoft CA Connector, and select Create new request.


The Create New Request window opens.

7. For each request enter the fields as follows:

Request Name: May be any name. If a request with the same request name exists in a different TPO definition, the new parameters are merged with that request's parameters during token enrollment. If the request name does not exist in a TPO relevant to the enrolled user, the request is added.
  Default: New Request, followed by the next sequential number

Name: CA from the list of CAs installed in the AD tree.
  Default: the first CA in the drop-down list

Type: Depends on Active Directory being present.
  - Standalone: permits the generation of certificates for anyone
  - Enterprise: permits the generation of certificates for authenticated users only
  No default

Windows Version: Windows version on the CA computer: Server 2003-(2008)
  No default

Certificate Usage: Filter used to narrow the selection in the Templates drop-down list. Type of templates to be enrolled:
  - Smartcard Logon
  - Encryption
  - Signature
  - VPN
  - Other
  No default

Templates: A certificate template from one or both of the template lists appropriate for the Certificate Usage selected:
  - Administrator-generated certificate template: used when enrollment is performed by the administrator.
  - User-generated certificate template: used during self-service enrollment
  No default

Once a request is created, these fields cannot be modified. If a change is required in the fields, the request must be deleted and a new request created.

8. Click OK.


9. In the Connector Policy Object Editor window, select the request node to see its policies.

Note: The first four policies in the list are set when the request is created. They cannot be modified. If a change is required in any of these four policies, delete the request and create a new request with the appropriate settings.

10. Configure the request policies as follows:

Certificate backup: Determines if the request's certificate and keys are backed up in the SafeNet Authentication Manager database

SafeNet eToken Rescue support: Determines if the request's certificate is backed up to a SafeNet eToken Rescue temporary replacement token

Key required after revocation: Determines if the certificate is also removed from the token when it is revoked on the CA

Publish CRL: Determines if the CA publishes a new certificate revocation list whenever a certificate is revoked

Store in local computer certificate store: Determines if the certificate is imported to the local computer certificate store
  Note 1: This is applicable only for certificates generated by users' requests during self-service enrollment for off-line certificates, and not for enrollments done by an administrator.
  Note 2: Only a user with administrator rights on the local computer can generate or use a key in this store.

Override certificate department: Determines if the default user department is overridden in the certificate subject of an off-line certificate

Certificate department: Defines the department name that overrides the default department in an off-line certificate when Override certificate department is enabled

Automatic certificate renewal: Determines if an expired certificate is automatically renewed on next enrollment

Reuse keys for renewed certificate: Determines if previous keys are reused if a new certificate is generated when Automatic certificate renewal is enabled

Random user password: Sets a random user password unknown to the user, forcing the user to log on with a Smartcard

Force smartcard usage for logon: Sets the Account option in the AD user properties to Smartcard is required for interactive logon, forcing the user to log on with a smartcard

"Undestroyable" certificate and keys on token: Determines if the clear function in eToken PKI Client will not delete the certificate and keys on the token

11. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for Microsoft CA Properties window. The updated connector settings have now been applied.


Connector for OTP Authentication

The TPO rules dictate which password(s) must be provided by the user for authentication:

- OTP Only: the user must enter the number displayed on the OTP token
- OTP PIN and OTP: the user must enter the secret OTP PIN, as well as the number displayed on the OTP token
- Windows password and OTP: the user must enter the Windows password, as well as the number displayed on the OTP token (This option is supported only in AD mode)

Supported User Stores

- AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes

Defining TPO Rules

Use the Connector Policy Object Editor to set the SAM connector policies.

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings node.


The list of installed SafeNet Authentication Manager connectors opens in the right pane.

3. In the right pane, right-click Connector for OTP Authentication, and select Properties. The Connector for OTP Authentication Properties window opens.

4. Select Define this policy setting, select Enable, and click Definitions.


The Connector Policy Object Editor opens.

5. Edit the policies as follows:

Authentication Code: Defines which information users must provide to authenticate using an OTP.
  - OTP only
  - OTP PIN and OTP
  - Windows password and OTP
  Default: OTP PIN and OTP

Authentication Code order: Select from:
  - OTP first
  - OTP PIN or Windows password first
  Default: OTP PIN or Windows password first

Allow dial-in access: Determines if the users' dial-in permission fields are changed to allow access during OTP token enrollments.
  Default: User's dial-in property is not changed

OTP PIN type: Defines how the OTP PIN is created during enrollment:
  - Manual: The user chooses a PIN.
  - Random: During admin enrollment, the connector creates a random PIN. This is not relevant for user enrollment.
  Default: Manual

Minimum OTP PIN length: The minimum length of an OTP PIN that a user chooses manually, and the exact length of a random OTP PIN
  Default: 4 characters
  Note: An OTP PIN length should not exceed 10 characters

Allow OTP PIN reset during enrollment: When the SAM Self Service Center is used to enroll a new OTP token protected by an OTP PIN, the user creates an OTP PIN. This parameter determines the behavior of subsequent enrollments of the OTP token protected by an OTP PIN.
  - Enabled: the OTP PIN is reset during each subsequent enrollment of the OTP token
  - Disabled: the user must provide the current OTP PIN during each subsequent enrollment
  Default: Not enabled (Users cannot reset OTP PIN)

OTP generation using SafeNet eToken Rescue: Determines if an OTP can be generated on a SafeNet eToken Rescue replacement token
  Default: Not enabled (An OTP profile is not enrolled to a SafeNet eToken Rescue)

OTP maximum usage period: Defines after how many days an OTP token expires
  Default: Does not expire

Temp OTP length: Defines the length of a Temp OTP
  Default: 12 characters

Temp OTP content: Defines the content of a Temp OTP:
  - Letters
  - Numbers
  - Special characters
  or
  - Custom content
  Default: Numbers only

Apply Authentication Code to Temp OTP: Determines if the Temp OTP alone is used for authentication, or if it replaces an OTP in the method defined in the Authentication Code policy.
  Default: Not enabled (Authentication Code is Temp OTP only)


6. Click OK repeatedly to close the Connector Policy Object Editor window and the SAM OTP Authentication Connector Properties window. The updated connector settings are applied.
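As an added example that is not part of the original guide, the Python function below shows how the Authentication Code, Authentication Code order, Minimum OTP PIN length and Temp OTP policies above combine when a submitted code is split into its OTP and PIN/password parts. It assumes, which the guide does not state, that both parts are typed concatenated into one field and that the token OTP has a fixed length (OTP_LENGTH, a constructed value of 6); the sample codes are constructed.

```python
"""Split a submitted authentication code according to the OTP connector
policies (added example, not code from the guide).

Assumption not stated on the page: with "OTP PIN and OTP" or "Windows
password and OTP" the user types both parts into one field, concatenated
in the order given by the "Authentication Code order" policy, and the
token OTP has a fixed length (OTP_LENGTH below is a constructed value).
"""
from dataclasses import dataclass
from typing import Optional

OTP_ONLY = "OTP only"
PIN_AND_OTP = "OTP PIN and OTP"
PASSWORD_AND_OTP = "Windows password and OTP"
OTP_FIRST = "OTP first"
SECRET_FIRST = "OTP PIN or Windows password first"

MAX_OTP_PIN_LENGTH = 10   # guide: an OTP PIN length should not exceed 10 characters
OTP_LENGTH = 6            # assumption: number of digits shown on the token


@dataclass(frozen=True)
class OtpPolicy:
    """Policy values; the defaults are the guide's documented defaults."""
    authentication_code: str = PIN_AND_OTP
    code_order: str = SECRET_FIRST
    min_otp_pin_length: int = 4
    temp_otp_length: int = 12
    apply_code_to_temp_otp: bool = False   # default: Temp OTP alone is the code
    otp_length: int = OTP_LENGTH


@dataclass(frozen=True)
class AuthParts:
    otp: str                 # token OTP, or the Temp OTP
    secret: Optional[str]    # OTP PIN or Windows password; None when not required
    is_temp_otp: bool


def split_authentication_code(code: str, policy: OtpPolicy,
                              temp_otp_issued: bool = False) -> AuthParts:
    """Return the OTP and secret parts of one submitted code.

    Raises ValueError when the code cannot match the policy; a caller should
    treat that exactly like a wrong OTP and give the user no hint why.
    """
    # A Temp OTP is the whole code on its own unless the policy says it
    # replaces the token OTP inside the normal Authentication Code method.
    if temp_otp_issued and not policy.apply_code_to_temp_otp:
        if len(code) != policy.temp_otp_length:
            raise ValueError("Temp OTP length mismatch")
        return AuthParts(otp=code, secret=None, is_temp_otp=True)

    otp_len = policy.temp_otp_length if temp_otp_issued else policy.otp_length

    if policy.authentication_code == OTP_ONLY:
        if len(code) != otp_len:
            raise ValueError("OTP length mismatch")
        otp, secret = code, None
    elif policy.authentication_code in (PIN_AND_OTP, PASSWORD_AND_OTP):
        if len(code) <= otp_len:
            raise ValueError("code too short to hold a secret and an OTP")
        # The fixed OTP length is what makes the split unambiguous: a Windows
        # password may be any length, so it is always the remainder.
        if policy.code_order == OTP_FIRST:
            otp, secret = code[:otp_len], code[otp_len:]
        elif policy.code_order == SECRET_FIRST:
            secret, otp = code[:-otp_len], code[-otp_len:]
        else:
            raise ValueError(f"unknown code order {policy.code_order!r}")
        if policy.authentication_code == PIN_AND_OTP and not (
            policy.min_otp_pin_length <= len(secret) <= MAX_OTP_PIN_LENGTH
        ):
            raise ValueError("OTP PIN length outside policy bounds")
    else:
        raise ValueError(f"unknown Authentication Code policy {policy.authentication_code!r}")

    # A token OTP is numeric; a Temp OTP may contain letters or special characters.
    if not temp_otp_issued and not otp.isdigit():
        raise ValueError("token OTP must be numeric")
    return AuthParts(otp=otp, secret=secret, is_temp_otp=temp_otp_issued)
```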

Connector for Flash Management

With the Connector for Flash Management, you can create a CD-ROM partition on an eToken NG-Flash device. This allows you to include applications and data on the CD-ROM partition of the device to share with all the users in the domain.

You can also include an autorun file on the CD-ROM partition of the device. This initiates an automated application execution whenever the device is connected to a computer's USB port.

The files to be uploaded to the token for the Connector for Flash Management must be in one of the following:

- An FTP folder
- A network folder that can be accessed for download

Note: During re-enrollment, if the name of the folder containing the files to upload has not changed, the CD-ROM partition is not recreated, even if the contents of the folder have changed. To force the CD-ROM partition to be recreated during re-enrollment, change the name of the folder containing the files.

Supported User Stores

- AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes


Defining TPO Rules

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134). In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.

2. In the right pane, right‐click Connector for Flash Management, and select Properties.


The Connector for Flash Management Properties window opens.

3. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.


4. Edit the policies as follows:

CD-ROM partition size: The size of the region reserved on the token for the CD-ROM partition
  Default: size is calculated automatically

File system upload folder: The name of the file system upload folder containing the files to be uploaded to the CD-ROM partition of the token. This directory must be accessible to every client computer used for enrollment.
  No default

FTP server: The name or IP address of the FTP server of the files to be uploaded to the CD-ROM partition of the token
  No default

FTP folder: The name of the FTP folder containing the files to be uploaded to the CD-ROM partition of the token
  No default

FTP username: The FTP logon username
  Default: anonymous

FTP password: The FTP logon password
  Default: anonymous

5. Click OK repeatedly to close the Connector for Flash Management Properties and the Connector Policy Object Editor windows. The updated connector settings have now been applied.

Connector for P12 Certificate Import

The Connector for P12 Certificate Import enables the user to import onto their smartcards and tokens:

- PFX (P12) files: files that contain a certificate and a private key in a P12 format
- CER files: files that contain only the certificate without the private key
- Root CA certificate files


The Connector for P12 Certificate Import is used to import two types of certificates onto a token:

- User certificates
- CA certificates

Use the Connector for P12 Certificate Import in the following situations:

- You already have PFX files, and you want to import them onto the token. For example, you use a third-party service to generate certificates for your employees, and you receive the certificates from that service as a group of PFX files.
- You want to import CA certificates into Root CA certificates on the token, and then copy those to the certificate store on the computer when the token is connected. SafeNet Authentication Manager copies the certificate to the token. SafeNet Authentication Client copies the certificate from the token to the certificate store on the computer.

Supported User Stores

- AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes

Defining TPO Rules

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings node.


The list of installed connectors opens in the right pane.

3. In the right pane, right-click Connector for P12 Certificate Import, and select Properties. The Connector for P12 Certificate Import Properties window opens.

4. Select Define this policy setting, select Enable, and click Definitions.


The Connector Policy Object Editor opens.


Adding a User Certificate

To add a user certificate:

1. In the Connector Policy Object Editor window, right-click User certificates, and select Properties. The User certificates Properties window opens.

2. Click Add.


The Add new user certificate window opens.

 

Note: You cannot use an asterisk (*) in the User field.

3. In the User field, enter user details.

4. Click Browse next to the Certificate field. The Open window opens.

5. Navigate to the certificate file, select the certificate, and click OK. In the Add new user certificate window, do one of the following:

- If the user must enter the password during enrollment, select Password unknown.
- If the password of the PFX file is known, enter the password.

6. Select Enroll to an eToken Rescue to import this certificate to a SafeNet eToken Rescue for backup.

7. Click Add. The user certificate is saved. You can add another certificate if required.

Adding User Certificates from an Index File

User certificates may be added by importing an index file linking PFX certificate files with users.

Note: The index file must be in UTF8 format if it includes non-ASCII characters.

Each line of the index file must contain three parameters separated by semi‐colons:

- AD user account name
- Full path to the PFX certificate file
- Password of the PFX certificate file

Sample Index File:

For each certificate, a separate index entry is required. If a user is linked to more than one certificate, each certificate should appear on a different line.
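As an added example (not part of the original guide), the following Python script parses and validates an index file of this format before it is imported. All user names, paths and passwords in it are constructed; splitting on only the first two semicolons, tolerating a UTF-8 byte order mark, and rejecting duplicate lines are this script's own choices, not documented connector behavior.

```python
"""Parse and validate a P12 Certificate Import index file (added example).

Index file lines, as described above:
    <AD user account name>;<full path to PFX file>;<PFX password>
The third field is a cleartext PFX password, so restrict access to the
index file itself. All sample lines and paths below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_WIN_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass(frozen=True)
class IndexEntry:
    user: str
    pfx_path: str
    password: str


class IndexFileError(ValueError):
    """Raised for a line that does not match the three-field format."""


def _is_full_path(path: str) -> bool:
    # Accept a drive-letter path, a UNC path, or a POSIX absolute path.
    return bool(_WIN_DRIVE.match(path)) or path.startswith("\\\\") or path.startswith("/")


def parse_index_line(line: str, lineno: int) -> Optional[IndexEntry]:
    text = line.rstrip("\r\n")
    if not text.strip():
        return None  # blank lines carry no entry
    # maxsplit=2 keeps any ';' inside the password rather than treating it
    # as a fourth field (assumption: only the first two separators count).
    parts = text.split(";", 2)
    if len(parts) != 3:
        raise IndexFileError(
            f"line {lineno}: expected user;path;password, found {len(parts)} field(s)")
    user, pfx_path, password = parts[0].strip(), parts[1].strip(), parts[2]
    if not user:
        raise IndexFileError(f"line {lineno}: empty AD user account name")
    if not _is_full_path(pfx_path):
        raise IndexFileError(f"line {lineno}: certificate path is not a full path: {pfx_path!r}")
    if not pfx_path.lower().endswith((".pfx", ".p12")):
        raise IndexFileError(f"line {lineno}: not a PFX/P12 file: {pfx_path!r}")
    if not password:
        raise IndexFileError(f"line {lineno}: empty PFX password")
    return IndexEntry(user, pfx_path, password)


def parse_index_text(text: str) -> List[IndexEntry]:
    """Parse a whole index file; every certificate must be on its own line."""
    entries: List[IndexEntry] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_index_line(line, lineno)
        if entry is None:
            continue
        # The same user may appear on several lines, but the same
        # (user, certificate file) pair listed twice is almost certainly a mistake.
        key = (entry.user.lower(), entry.pfx_path.lower())
        if key in seen:
            raise IndexFileError(f"line {lineno}: duplicate entry for {entry.user} / {entry.pfx_path}")
        seen.add(key)
        entries.append(entry)
    return entries


def read_index_file(path: str) -> List[IndexEntry]:
    """Read the file as UTF-8 (a BOM is tolerated) so non-ASCII names decode correctly."""
    try:
        with open(path, encoding="utf-8-sig") as fh:
            return parse_index_text(fh.read())
    except UnicodeDecodeError as exc:
        raise IndexFileError(f"{path} is not valid UTF-8: {exc}") from exc


# Constructed sample: one user with two certificates, a non-ASCII user name,
# and a password that itself contains a semicolon.
SAMPLE_INDEX = (
    "jsmith;\\\\fileserver\\certs\\jsmith-sign.pfx;Pa55word\n"
    "jsmith;\\\\fileserver\\certs\\jsmith-enc.pfx;Pa55word\n"
    "müller;C:\\certs\\mueller.pfx;se;cret\n"
)

if __name__ == "__main__":
    for e in parse_index_text(SAMPLE_INDEX):
        print(e.user, e.pfx_path)
```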


To import an index file:

1. In the User certificates Properties window, click Add from file. The Open window opens.

2. Navigate to the appropriate folder, select the .txt file, and click Open.

3. Click OK repeatedly to close the Connector for P12 Certificate Import Properties window. The updated connector settings have now been applied.

Adding a CA certificate

A CA certificate is common to all users in the domain. It contains the certificate only, without a private key.

To add a CA certificate:

1. In the Connector Policy Object Editor window, right-click CA certificates, and select Properties. The CA certificates Properties window opens.

2. Click Add.


The Add new CA certificate window opens.

3. Click Browse. The Open window opens.

4. Navigate to the appropriate folder, select the .cer CA certificate file, and click Open.

5. Select Enroll to a SafeNet eToken Rescue to import this certificate to a SafeNet eToken Rescue for backup.

6. Click Add.

7. Click Exit.

8. Click OK repeatedly to close the SAM P12 Certificate Import Connector Properties window. The updated connector settings have now been applied.

Connector for SafeNet Network Logon

Note: SafeNet Authentication Manager supports enrollment to eToken Network Logon 5.0 or later.

Windows operating systems enable you to use an alternate access mechanism in place of the default authentication method. In the Microsoft Windows XP family, including Windows 2000, Windows XP and Windows Server 2003, the identification and authentication aspects of the Windows logon are implemented as a replaceable DLL called GINA (Graphical Identification and Authentication). A new GINA DLL can replace the standard msgina.dll when the system needs to use another method of authentication in place of the Windows default user name/password mechanism. Thus, Windows and eToken together provide the ideal solution for corporate network security.


In the Microsoft Windows Vista family, including Windows Vista and Windows Server 2008, the identification and authentication aspects of the Windows logon are implemented by the Credential Provider.

Depending on your organization's policies, it is possible for the users themselves to create Windows logon profiles which are stored on their tokens.

The Connector for Network Logon provides easy deployment of user profiles for the SafeNet Network Logon product. It enables you to initialize each token with a list of logon profiles. Each logon profile contains a user ID name, the domain that the user belongs to, a password, and a set of options.

To start working with tokens, configure the Connector for Network Logon by setting the connector parameters.

Supported User Stores

- AD: Yes
- MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: No

Defining TPO Rules

When the Connector for Network Logon is defined in the TPO, a default profile is created for the domain in which SafeNet Authentication Manager is installed. Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings node.


The list of installed connectors opens in the right pane.

3. In the right pane, right-click Connector for Network Logon, and select Properties. The Connector for Network Logon Properties window opens.

4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.

5. Click the appropriate network logon profile (in this example, Profile1) in the navigation pane.


The profile’s policies are displayed in the right pane.

6. Edit the policies as follows:

Domain netbios name: Defines the NetBIOS name of the domain in the Active Directory that the user enters upon logon
  No default

SafeNet eToken Rescue support: Determines if the profile is saved to a SafeNet eToken Rescue replacement token
  Default: Not enabled

Logon factor: Determines the logon factor:
  - One-factor: Not supported in NL 5.0. For one-factor logon, we recommend using a token that is configured for one-factor logon in eToken PKI Client.
  - Two-factor: requires the token's presence and a password to log on.
  Default: Two-factor

Password type: Determines the password type:
  - Manual password: requires the system administrator to provide the user password during enrollment.
  - Random password: causes the connector to generate a new random user password during enrollment, to reset the user password in the domain, and to write this new password to the token.
  Default: Manual password
  Note: If a manual password is used, when the token is revoked, the password is not removed from the SAM configuration store. If a random password is used, when the token is revoked, the password is removed from the SAM configuration store.

Random password length: Determines the random password length
  Default: 14 characters

7. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for Network Logon Properties window. The updated connector settings have now been applied.


Connector for eToken Anywhere

eToken Anywhere is a portable, reader-less smartcard token that enables secure access to the Web, authentication applications, digital signatures, encryption and decryption, and secure e-mail from any computer with a USB port and an Internet connection. With the eToken PRO Anywhere device, users can access their networks and critical data, easily, conveniently, and securely, without requiring a client installation.

Tip: For information about installing and using the eToken PRO Anywhere configuration tool, see the eToken PRO Anywhere How To Guide.

CA Requirements

To enroll User/Server certificates on an eToken Anywhere device, SafeNet Authentication Manager must be installed, and the Connector for Microsoft CA or the Connector for P12 Certificate Import must be configured. See Connector for Microsoft CA on page 202 or Connector for P12 Certificate Import on page 249.

When the Microsoft Standalone Root CA certificate is installed in the secured site's Local Computer Trusted Root CA store, it is not necessary to install this certificate on the eToken Anywhere (using the SAM P12 Certificate Import Connector).

To log on with eToken Anywhere when the CA is not installed on the device:

When prompted, enter the user PIN and perform a login. If a user selects Choose a digital certificate > view certificate during SSL authentication, a message is displayed indicating that the certificate is not trusted. If the user then clicks the OK button in the Choose a digital certificate window, the user can enter the PIN and authenticate successfully.


Supported User Stores

- AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes

Defining TPO Rules

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings node. The list of installed connectors opens in the right pane.

3. In the right pane, right-click Connector for eToken Anywhere, and select Properties.


The Connector for eToken Anywhere Properties window opens.

4. Select Define this policy setting, select Enable, and click Definitions. The Connector Policy Object Editor opens.

5. In the right pane, right‐click ISO file definitions, and select Properties.


The ISO file definitions properties window opens.

6. Select Define this policy setting and click Launch. The eToken Anywhere Configuration Tool opens.


7. Enter the fields as follows:

eToken Anywhere Application location: Enter the URL of the folder on the server that will hold the eToken Anywhere application.

Application website URL: Enter the URL of the secured website, for example, SSLVPN.

URL display name: Enter the name of the site. This will be visible when right-clicking the eToken PRO Anywhere tray icon.
  Default: the website URL

"Forgot my password" URL: Enter the URL of the website to open should the user forget the password

Enable eToken PRO Anywhere remote enrollment: Select this option to enable the user to enroll an eToken PRO Anywhere device.

Remote enrollment URL: Enter the URL used to self-enroll eToken PRO Anywhere devices.

8. Click the Save Profile icon. The eToken Anywhere Configuration Tool automatically downloads the website certificate and creates the eToken Anywhere application files. A confirmation message is displayed.

9. Click OK.

10. The eToken Anywhere Configuration Tool closes. You are returned to the ISO file definition properties window.

11. To export the eToken Anywhere application files to the previously created virtual directory, click Export app.


The Browse For Folder window opens.

12. Select the folder in which to save the eToken Anywhere application, and click OK. You are returned to the ISO file definition properties window.

13. To export the eToken Anywhere iso file, click Export iso. The Save As window opens.

14. Select the folder in which to save the eToken Anywhere iso file, and click OK.

15. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for eToken Anywhere Properties window.

The updated connector settings have now been applied.


16. Check that the files are downloadable by browsing directly to the files using a web browser, as follows:

https://URL/etanywhereapplication/etany.dat
https://URL/etanywhereapplication/etany.sig
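The check in step 16 can also be run from a script, which is convenient when several application folders or sites have to be verified. The following PowerShell function is an added example and is not part of the SafeNet guide or product: the base address https://URL is the guide's own placeholder and must be replaced with the real site address, and the function name Test-EtokenAnywhereFiles is an assumption of this example.

```powershell
# Added example (not from the SAM guide): fetch the exported eToken Anywhere
# files over HTTPS and report whether each one is reachable and non-empty.
# $BaseUrl is a placeholder for the site address the guide writes as "URL".
function Test-EtokenAnywhereFiles {
    param(
        [Parameter(Mandatory = $true)][string]$BaseUrl,
        [string[]]$Files = @('etany.dat', 'etany.sig')   # the two files named in step 16
    )
    $client = New-Object System.Net.WebClient
    foreach ($name in $Files) {
        $uri = ('{0}/etanywhereapplication/{1}' -f $BaseUrl.TrimEnd('/'), $name)
        try {
            # DownloadData validates the server certificate chain by default,
            # so a trust problem with the site certificate surfaces here too.
            $bytes = $client.DownloadData($uri)
            New-Object PSObject -Property @{
                Url = $uri; Reachable = ($bytes.Length -gt 0); Bytes = $bytes.Length; Error = $null
            }
        } catch {
            New-Object PSObject -Property @{
                Url = $uri; Reachable = $false; Bytes = 0; Error = $_.Exception.Message
            }
        }
    }
}

# Usage: replace https://URL with the real site address.
Test-EtokenAnywhereFiles -BaseUrl 'https://URL' |
    Select-Object Url, Reachable, Bytes, Error | Format-Table -AutoSize
```

Both files must come back with Reachable set to True; a zero-length download is reported as unreachable on purpose, because an empty .dat or .sig file is as much a deployment failure as a missing one. A certificate error in the Error column is worth resolving before users are pointed at the site, since their clients will validate the same certificate.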

Connector for Check Point Internal CA

Check Point Software Technologies Ltd is a leading provider of security applications. Check Point's main products are VPN and Firewall applications. Check Point provides a unified security solution called NGX which includes both VPN and Firewall.

The Connector for Check Point Internal CA is a software component that provides SafeNet Authentication Manager users with the ability to log in to Check Point's security applications using SafeNet authenticators as the user authentication method.

The Connector for Check Point Internal CA supports Check Point Firewall versions NG (R55) or NGX (R60) and later.

Check Point security applications provide a secured environment, allowing only authorized, authenticated users to log in. Check Point applications support specific types of user authentication, including digital certificate-based authentication (PKI).

With the Connector for Check Point Internal CA, the administrator creates certificates for Check Point Internal CA users, and loads the certificates automatically onto the users' tokens. The connector can also be used to add new users to the Firewall Management.

Internal CA vs. External CA

Certificate-based authentication requires the user to provide a digital certificate valid for logging in to a Check Point secured environment. Digital certificates are issued by a Certification Authority (CA). CP software supports two types of CAs:

- An internal CA, included in Check Point products. This type of configuration is the most common.
- An external CA, for example, Microsoft CA. This configuration is less common and is not supported by the Connector for Check Point Internal CA.

Supported User Stores

User Store / Supported by this Connector?
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM: Yes

The following are requirements for the Connector for Check Point Internal CA:

- Administrator rights for configuration and access to the Check Point SmartDashboard from the computer
- Token users who issue login certificates from the Check Point internal CA must exist in the CP internal users database
- Check Point Firewall users must be stored in the Check Point internal users database

Note: 64-bit operating systems are not supported.

Configuring the CP Firewall Management

The Connector for Check Point Internal CA must be configured to work with the Check Point Firewall Management as an external application. This involves the following three procedures:

- See Defining the OPSEC Properties on page 245
- See Defining the Permissions Profile on page 247
- See Installing the Policies on page 253


Defining the OPSEC Properties

To create an OPSEC application:

1. Open the CP SmartDashboard.

2. In the left pane, go to Servers and OPSEC Applications > OPSEC Applications > OPSEC Application.

3. Right-click OPSEC Application, and select New OPSEC Application.

The OPSEC Application Properties window opens.

4. Enter the required information in the following fields:

- Name: SAMOpsec
- Host: the computer name where the Firewall Management is located
- Client Entities: CPMI


5. Click Communication.

The Communication window opens.

6. Enter and confirm an Activation Key. Record the Activation Key for later use. See Defining TPO Rules on page 254.

7. Click Initialize, and then Close.

Note: At this point in the procedure, the Trust state is "Initialized but trust not established". Trust will be established later in the configuration.


In the OPSEC Application Properties window, the communication information is displayed in the DN field.

8. Click OK.

Defining the Permissions Profile

To define a permissions profile for the application:

1. Open the CP SmartDashboard.

2. In the left pane, go to Servers and OPSEC Applications > OPSEC Applications > OPSEC Application.


3. Right‐click the new OPSEC application, SAMOpsec, and from the sub‐menu, select Edit.

The OPSEC Application Properties window opens.


4. Select the CPMI Permissions tab.

5. Select Permissions Profile, and click New.


The Permissions Profile Properties window opens.

6. In the General tab, enter a Name for the profile.


7. Select the Permissions tab.

8. Select the required permissions. Ensure that Check Point Users Database is selected and defined as Read/Write.

9. Click OK.


In the OPSEC Application Properties window, the new permissions profile is selected in the Permissions Profile dropdown box.

10. Click OK.


Installing the Policies

To install the policies:

1. Open the Install Policy tool from the CP SmartDashboard.

The Install Policy window opens.

2. Select the installation target, and click OK.


The Installation Process window opens.

3. When the process completes, click Close.

Defining TPO Rules

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings node.


The list of installed connectors opens in the right pane.

3. In the right pane, right-click Connector for Check Point Internal CA, and select Properties.

The Check Point Internal CA Connector properties window opens.

4. Select Define this policy setting, select Enable, and click Definitions.


The Connector Policy Object Editor opens.


Defining the Check Point Server Policy

Define the Check Point Server policy to establish a connection between SafeNet Authentication Manager and Check Point Firewalls, and to map SafeNet Authentication Manager usernames to CP Firewall usernames.

To define the Check Point Server policy:

1. In the right pane of the Connector Policy Object Editor window, right-click Check Point Server, and select Properties.

The Check Point Server Properties window opens.

2. Select Define this policy setting.

3. Do one of the following:

- To add a new firewall, select Add Firewall.
- To change an existing firewall's settings, select the firewall server from the Firewall Server dropdown list, and select Edit Firewall Settings.
- To remove a firewall, select the firewall server from the Firewall Server dropdown list, select Remove Firewall, and click OK.


If you selected Add Firewall, the New Firewall Configuration window opens.

If you selected Edit Firewall Settings, the Firewall Settings window opens, displaying the current settings of the firewall.

4. In the New Firewall Configuration window or the Firewall Settings window, do the following:

- In the Firewall display name field, type any name. This name will appear in the Firewall Server list.


- In the Firewall name or IP address field, type the name or IP address of the firewall.
- Select Import OPSEC Certificate to import the Check Point OPSEC certificate to SAM for authentication against the Check Point Firewall.

The OPSEC Activation Key window opens.

5. See Configuring the CP Firewall Management on page 244, and type the activation key of the certificate created. Click OK.

If the certificate was successfully imported, the message "A valid OPSEC certificate exists" is displayed below the Firewall name or IP address field.

6. To test the connection between SAM and the Check Point Firewall, click Test firewall connection.

If the connection is successful, the message "The connection to the firewall was tested successfully" is displayed.

7. Click OK.

When a SafeNet Authentication Manager user is mapped to a user on the Check Point Firewall user database, the SafeNet Authentication Manager user attributes are copied when the user is added to the firewall user database.

Note: Only a SafeNet Authentication Manager user defined in the Microsoft AD can be mapped to a user on the Check Point Firewall user database.

8. To override the default mapping of existing users in the Check Point Firewall, select the Users Map tab in the Firewall Settings window.

9. To see all the users defined on the firewall user database, select Get all firewall users.


The list of usernames is displayed in the Firewall Username table.

10. To locate a SAM Username to be mapped to a specific Firewall Username, double-click the blank SAM Username column on the row of the appropriate Firewall Username.

The Select User window opens.

11. Select the SafeNet Authentication Manager user to be mapped, and click OK.

The list of mapped Firewall Usernames includes the SAM user.

12. Click OK to save the firewall settings.

Defining the Enable Firewall User Creation Policy

To create a new firewall user during enrollment, this policy setting must be enabled. If it is not, enrollment of a user not on the firewall will fail.

To set the Enable Firewall User Creation policy:

1. In the right pane of the Connector Policy Object Editor window, right-click Enable Firewall User Creation, and select Properties.

The Enable Firewall User Creation Properties window opens.

2. Select Define this policy setting, select Enabled, and click OK.


Defining the Firewall Username Template Policy

Define the Firewall Username Template policy to create a matching relationship between the firewall username and its SafeNet Authentication Manager user attributes. This relationship assigns new firewall usernames, and searches for existing firewall users.

To set the Firewall Username Template policy:

1. In the right pane of the Connector Policy Object Editor window, right-click Firewall Username Template, and select Properties.

The Firewall Username Template Properties window opens.

2. Select Define this policy setting.

3. To create a template for firewall usernames, select one or more SAM user attributes that ensure a unique username for each user, and click Add to template after each selection.

4. Click OK.

When a new firewall user is created, the values of its selected user attributes are retrieved from the directory service (AD, OpenLDAP, Novell eDirectory, or MS SQL Server). These values are strung together to form a firewall username to which the Check Point certificate is issued.
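Because the template both names new firewall users and is used to find existing ones, two SAM users whose selected attributes string together to the same value would resolve to the same firewall username. A dry run of the candidate template over an export of the SAM users shows such collisions before the policy is enabled. The script below is an added example and is not part of the SafeNet guide or product: the user records and attribute names (sAMAccountName, givenName, sn, department) are constructed sample data, and the function names are assumptions of this example.

```powershell
# Added example (not from the SAM guide): build the firewall username the way
# the guide describes (selected attribute values concatenated in order) for a
# constructed set of users, and report any two users that collide.
$sampleUsers = @(
    @{ sAMAccountName = 'jsmith';  givenName = 'John'; sn = 'Smith'; department = 'Sales' },
    @{ sAMAccountName = 'jsmith2'; givenName = 'John'; sn = 'Smith'; department = 'Sales' },
    @{ sAMAccountName = 'alee';    givenName = 'Anna'; sn = 'Lee';   department = 'IT' }
)

function Get-TemplateUsernames {
    param(
        [Parameter(Mandatory = $true)][string[]]$Template,   # attribute names, in template order
        [Parameter(Mandatory = $true)][hashtable[]]$Users    # one hashtable per user record
    )
    foreach ($u in $Users) {
        # Concatenate the selected attribute values; a missing attribute
        # contributes an empty string, which is itself a collision risk.
        $name = ($Template | ForEach-Object { [string]$u[$_] }) -join ''
        New-Object PSObject -Property @{ Source = $u.sAMAccountName; FirewallUser = $name }
    }
}

function Find-TemplateCollisions {
    param([string[]]$Template, [hashtable[]]$Users)
    # Group by the generated firewall username; any group larger than one
    # means several SAM users would map to a single firewall identity.
    Get-TemplateUsernames -Template $Template -Users $Users |
        Group-Object FirewallUser | Where-Object { $_.Count -gt 1 }
}

# givenName + sn is not unique in the sample: both John Smiths become "JohnSmith".
Find-TemplateCollisions -Template @('givenName', 'sn') -Users $sampleUsers |
    ForEach-Object {
        "Collision: '{0}' is produced by {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Source }) -join ', ')
    }

# sAMAccountName alone is unique for every sample user, so nothing is reported.
Find-TemplateCollisions -Template @('sAMAccountName') -Users $sampleUsers
```

On a real directory the user records would come from an export of the same attributes the template uses; the point of the check is simply that the attribute set chosen in step 3 is unique across the whole population of users who will enroll, not just across the users tested first.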


Defining the Firewall User Template Policy

Define the Firewall User Template policy to enable the creation of new users on the firewall users database.

To set the Firewall User Template policy:

1. In the right pane of the Connector Policy Object Editor window, right-click Firewall User Template, and select Properties.

The Firewall User Template Properties window opens.

2. Select Define this policy setting and from the drop‐down box, select a template for initializing all the attribute fields of a new firewall user.

3. To view a list of templates available on the firewall, click Retrieve templates from firewall.

4. Click OK.

Note: Check Point does not support concurrent write access to the internal users database. To prevent enrollment failure, the Check Point Smart Dashboard application must not be open during an automatic new user enrollment.


Defining the Auto Install Policies Policy

Auto Install Policies determines how and when to install policies on the firewall gateways so that there is synchronization with the user database.

To install a gateway policy:

1. In the right pane of the Connector Policy Object Editor window, right-click Auto Install Policies, and select Properties.

The Auto Install Policies Properties window opens.

2. Select Define this policy setting.

3. From the Synchronize schedule drop-down list, select one of the following:

- Never
- Always
- On administrator enrollment only
- On self enrollment only


4. From the Install policies to drop-down list, select one of the following:

- All gateways
- Selected gateways: To retrieve the names of gateways, click Retrieve names from firewall, and select gateways from the Policy installation targets box.

5. Click OK repeatedly to close the Check Point Server Properties and the Connector Policy Object Editor windows.

The updated connector settings have now been applied.

Defining the SafeNet eToken Rescue Support Policy

To import the Check Point certificate to a SafeNet eToken Rescue for backup, enable the SafeNet eToken Rescue Support policy.

To set the SafeNet eToken Rescue Support policy:

1. In the right pane of the Connector Policy Object Editor window, right‐click SafeNet eToken Rescue Support, and select Properties.

2. Select Define this policy setting, select Enabled, and click OK.

Connector for Entrust

Entrust Authority Security Manager

The Entrust Authority public-key infrastructure (PKI) uses Entrust Authority Security Manager as the Certification Authority (CA) system responsible for issuing and managing users' digital identities.

Entrust Authority Security Manager manages the full lifecycle of Digital Identities required to automate all security-related processes in an organization. It provides the underlying security infrastructure that issues, manages, and administers user keys and certificates. It is the centralized, auditable Policy Management that enforces policies automatically and in real-time.


As the organizationʹs CA system, the Entrust Authority Security Manager software enables the use of digital signature, digital receipt, encryption, and permissions management services across a wide variety of applications and solutions.

Note: Entrust Authority Security Toolkit for the Java Platform must be installed. See System Requirements on page 268.

SafeNet Authentication Manager - Entrust Integration

Integrating SAM infrastructure with Entrust Authority Security Manager PKI functionality enables the seamless integration of Entrust-based certificate and key lifecycle management in the SafeNet Authentication Manager token management and enrollment websites.

Customers deploying the SafeNet Authentication Manager Entrust Connector seamlessly manage the whole Entrust digital ID's lifecycle through the SAM Management Center.

The SAM Management Center provides users with:

- No-touch self-service token installation
- Entrust's certificate enrollment and management operations
- Automated user provisioning
- Policy-based enrollment
- The "employee on the road" continued functionality solution


Main Features

The Connector for Entrust does the following:

- Provides seamless integration between SafeNet Authentication Manager and the Entrust CA. Through the SafeNet Authentication Manager infrastructure, token users enroll certificates issued by Entrust, and generate private keys on tokens.
- Enables Entrust customers to manage PKI lifecycle operations, including key enrollment, key revocation, key recovery, and re-enrollment, through the SAM Management Center or SAM Self Service Center.
- Allows automated certificate renewal, as well as the change and addition of key pairs, through the SAM Remote Service Center, SAM Management Center, and SAM Self Service Center.
- Supports the SafeNet Authentication Manager "employee on the road" feature. This solution provides a user with continued access to computers and networks after losing or damaging a token.
- Enables the configuration of TPO settings to control the automated enrollment of certificates to tokens based on specific groups of users.
- Allows automated user provisioning into the Entrust CA, if the user does not already exist for automated enrollment.
- Requires that only the SafeNet Authentication Manager client be installed, and not the Entrust client, to enroll Entrust certificates to a token.
- Enables the auditing of Entrust-related PKI operations performed using the Connector for Entrust.

Architecture

Certificate requests are processed as follows:

1. The SafeNet Authentication Manager Server transfers certificate requests from the SafeNet Authentication Manager client to Entrust Authority Security Manager.

2. The Entrust CA issues the certificates.

3. Entrust Authority Security Manager publishes the issued certificates within its user directory.


In one possible SafeNet Authentication Manager ‐ Entrust Authority Security Manager integration scenario, user information is held in one common user directory.

Alternatively, one user directory may store user information for SAM in one domain, while another LDAP user directory stores user information for Entrust Authority Security Manager in another domain.

Deployment Recommendations

For security, maintenance, and availability reasons, we strongly recommend the following practices:

- Use a separate server for deploying each server side component. These include the Entrust Authority, the SafeNet Authentication Manager Server, and the Active Directory domain controllers. Although SafeNet Authentication Manager supports the installation of the Entrust Authority software on the same server as the SafeNet Authentication Manager Server, this type of deployment is recommended for testing and demonstration purposes only.
- Create and enforce a regular backup policy of all servers, including the Active Directory domain controllers, the SafeNet Authentication Manager Server, and the Entrust Authority. Backups should be saved in a separate offline storage or on backup tapes, preferably in a location separate from the servers. Failure to maintain updated backups of the server components may result in lost data in the event of an unexpected hardware or software failure.

System Requirements

Server

Note: JRE is required only if SafeNet eToken Rescue tokens are used.

Component / Supported Version(s)
TMS or SafeNet Authentication Manager Server: 2.0 SP3 or later
Entrust Authority Security Manager: 7.1
Entrust Authority Security Manager Administration: 7.1
Entrust Authority Security Runtime Components: 7.1
Java Runtime Environment (JRE): 1.5
Entrust Authority Security Toolkit for the Java Platform

Administrator Workstation

Component / Supported Version(s)
TMS or SafeNet Authentication Manager Management Tools: 2.0 SP3 or later
Java Runtime Environment (JRE): 1.5

Non-Administrator Workstation

Note: JRE is required only if you do not enroll your tokens centrally, or if you want to provide Entrust self service operations to your clients.

Component / Supported Version(s)
TMS or SafeNet Authentication Manager Client: 2.0 SP2 or later
Java Runtime Environment (JRE): 1.5

Prerequisites

Installing the Entrust Java Toolkit

To install the Entrust Java Toolkit:

1. After installing the SafeNet Authentication Manager Server, create a folder named Entrust Java Toolkit in the X32 or X64 folder in the SafeNet Authentication Manager installation folder.

2. Ensure that you have a licensed version of the Entrust Authority Security Toolkit for the Java Platform installed.


3. Copy the Entrust Authority Security Toolkit for the Java Platform file (enttoolkit.jar) to the newly‐created Entrust Java Toolkit folder in SAM.

Tip: For more information, contact SafeNet Support. See Support on page iii.

Installing JRE

Sun Microsystems' Java Runtime Environment (JRE) version 1.5 must be installed on each SafeNet Authentication Manager client computer and server that performs enrollment, update, revocation, and other token and certificate operations.

Note: JRE is not required on users' workstations if you enroll tokens centrally, or if you do not provide Entrust self service operations to your clients.

The Connector for Entrust functionality does NOT support versions of JRE other than 1.5. If your installation requires client computers to run a JRE version other than 1.5, install and configure a "side by side" installation. See Installing Multiple Versions of JRE on page 270. Otherwise, download JRE 1.5 from Sun Microsystems' website at http://java.sun.com and install it on the client computers that require it.

Installing Multiple Versions of JRE

You can install a "side by side" installation of JRE 1.5 by copying a JRE folder from a different computer. Do this if you have other applications on the client computer that require other versions of JRE.


To copy JRE from another computer:

1. Download JRE 1.5 from Sun Microsystems' website at http://java.sun.com, and install it on a computer that is not required as a SafeNet Authentication Manager client or server in the SafeNet Authentication Manager - Entrust implementation.

This installs the JRE folder, which is typically located at: C:\Program Files\Java\JRE1.5.0_xx

2. Copy the JRE folder to each SafeNet Authentication Manager server and client computer.

3. Create the JRE 1.5 registry key on each computer where the JRE folder has been copied.

Creating a JRE 1.5 Registry Key

If you install JRE 1.5 by running the standard installer, the Connector for Entrust is automatically directed to JRE 1.5 and you do not need to edit the registry. However, in the following circumstances you must create a new registry key to direct the Connector for Entrust to JRE 1.5:

- In addition to JRE 1.5, you have installed a different version of JRE on the client computer.
- You installed JRE 1.5 by copying the JRE folder from a different computer. See Installing Multiple Versions of JRE on page 270.

To create a new registry key:

1. To open the Registry Editor, go to Start > Run and enter Regedit.

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SafeNet > Authentication > SAM.

3. Right-click SAM, and select New > Key.

4. Replace the New Key name with Connectors.

5. Right-click the new Connectors folder, and select New > Key.

6. Replace the New Key name with Entrust.

7. Right-click the new Entrust folder, and select New > String Value.

8. In the right pane, replace the New Value name with RuntimeLib.


9. Right-click RuntimeLib, and select Modify.

The Edit String window opens.

10. In the Value data field, enter the path to the jvm.dll file, and click OK.

The jvm.dll is typically located at: C:\Program Files\Java\jre1.5.0_xx\bin\client
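When the JRE folder has been copied to many client computers, the same key and value can be created from a script instead of Regedit. The following PowerShell function is an added example and is not part of the SafeNet guide or product: the key path HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAM\Connectors\Entrust and the value name RuntimeLib are the ones the procedure above creates, while the function name and the check that the value points at an existing jvm.dll are assumptions of this example. The "xx" in the guide's jvm.dll path is a placeholder for the JRE update number and must be replaced with the real folder name.

```powershell
# Added example (not from the SAM guide): create the Connectors\Entrust key
# and the RuntimeLib string value (steps 3 to 10 above) from PowerShell, after
# confirming that the supplied path really is a jvm.dll that exists.
function Set-EntrustRuntimeLib {
    param(
        [Parameter(Mandatory = $true)][string]$JvmPath   # full path to jvm.dll
    )
    # Key path from the guide, in PowerShell registry-provider form.
    $keyPath = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAM\Connectors\Entrust'

    # Refuse to write a value that does not resolve to an existing jvm.dll;
    # the connector cannot load a JRE from a path that is not there.
    if (-not (Test-Path -Path $JvmPath -PathType Leaf) -or
        ((Split-Path -Leaf $JvmPath) -ne 'jvm.dll')) {
        throw "jvm.dll not found at '$JvmPath'"
    }

    # New-Item -Force creates the missing Connectors and Entrust subkeys
    # (steps 3 to 6) in one call and leaves an existing key untouched.
    $null = New-Item -Path $keyPath -Force

    # String value named RuntimeLib holding the jvm.dll path (steps 7 to 10).
    $null = New-ItemProperty -Path $keyPath -Name 'RuntimeLib' -Value $JvmPath -PropertyType String -Force

    # Read the value back so the caller sees exactly what was written.
    (Get-ItemProperty -Path $keyPath -Name 'RuntimeLib').RuntimeLib
}

# Usage, from an elevated PowerShell session; replace "xx" with the real
# update number of the copied JRE 1.5 folder:
# Set-EntrustRuntimeLib -JvmPath 'C:\Program Files\Java\jre1.5.0_xx\bin\client\jvm.dll'
```

Writing under HKEY_LOCAL_MACHINE requires an elevated session, which is why the usage line is left as a comment; the function returns the stored value so it can be compared against the expected path when the script is run across several computers.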

Connector for Entrust Configuration

The Connector for Entrust is included in the Connectors Settings node in the TPO Editor, enabling the definition of an enrollment policy. To set the Connector for Entrust policies, open the Connector Policy Object Editor, and then define each policy setting.

Opening the Connector Policy Object Editor

To open the Connector Policy Object Editor:

1. Open the TPO Editor (See Accessing Token Policy Object Links on page 134).

2. In the left pane, click the Connector Settings node.


The list of installed connectors opens in the right pane.

3. In the right pane, right-click Connector for Entrust, and select Properties.

The Connector for Entrust Properties window opens.

4. Select Define this policy setting, select Enable, and click Definitions.

The Connector Policy Object Editor window opens.


Defining the CA Policy

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double-click CA.

The CA Properties window opens.


2. Select Define this policy setting.


3. Enter the fields as follows:

Note: The policy settings for the .epf file and the security officer's password are applied to the entire domain. Once the CA properties are defined, they are applied to all Entrust TPOs created afterwards. Any changes to the CA settings for one TPO are applied to all TPOs in the domain.

Field / Description

Select Security Manager Administration .ini file: The UNC (network) path to the Entrust Authority Security Manager Administration .ini file. Full read and write permissions to the destination folder are required.

Select security officer's .epf file: The UNC (network) path to a security officer's Entrust profile file (.epf). Tip: During the Entrust Authority Security Manager installation, an .epf was created for the initial user, First Officer. The file is typically located at: C:authdata/manager/epf

Enter security officer's password: The password of the .epf's officer.

Enter IP address of Security Manager: The IP address or server name of the Entrust Authority Security Manager.

Enter port of Security Manager: The Entrust Authority Security Manager port is typically 829. To see the port number, open the Entrust Authority Security Manager Administration .ini file, typically located at C:\Program Files\entrust\Security Manager Administration, and look in the Entrust Settings section for the following line: Authority=<computer name>+<port number>

Enter IP address of Security Manager domain directory: The IP address of the Security Manager domain's user directory.


4. Click Validate to check that the Entrust Authority Security Manager Administration .ini file, the security officer's .epf, and the password are valid.

5. Click OK.
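The port entry in the CA policy is read out of the Security Manager Administration .ini file by hand. The following PowerShell script does the same lookup and then checks that the port accepts a TCP connection from the SAM server, so that a wrong port or a blocked path is found before the policy is saved. It is an added example and is not part of the SafeNet guide or product: the .ini text is constructed sample content (only the section name Entrust Settings and the Authority=<computer name>+<port number> line format come from the guide), the file name is left as a placeholder because the guide does not state it, and the function names are assumptions of this example.

```powershell
# Added example (not from the SAM guide): parse the Authority=<host>+<port>
# line from the [Entrust Settings] section of the Security Manager
# Administration .ini file and test that the port answers.

# Constructed sample .ini content; a second section with its own Authority
# line shows that only [Entrust Settings] is consulted.
$sampleIni = @'
[Entrust Settings]
Authority=entca01+829
[Other Section]
Authority=ignored+1
'@

function Get-EntrustAuthority {
    param([Parameter(Mandatory = $true)][string[]]$IniLines)
    $inSection = $false
    foreach ($line in $IniLines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            # Track which section we are in; only [Entrust Settings] matters.
            $inSection = ($Matches[1] -eq 'Entrust Settings')
            continue
        }
        if ($inSection -and $trimmed -match '^Authority\s*=\s*([^+\s]+)\+(\d+)\s*$') {
            return New-Object PSObject -Property @{
                ServerName = $Matches[1]
                Port       = [int]$Matches[2]
            }
        }
    }
    throw 'No Authority=<host>+<port> line found in [Entrust Settings]'
}

function Test-EntrustAuthorityPort {
    param([string]$ServerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an unreachable host fails after the timeout
        # instead of hanging for the system default.
        $async = $client.BeginConnect($ServerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Parse the constructed sample. For the real file, read it instead, e.g.
#   $lines = Get-Content 'C:\Program Files\entrust\Security Manager Administration\<file>.ini'
$authority = Get-EntrustAuthority -IniLines ($sampleIni -split "`r?`n")
"Security Manager: {0}, port {1}" -f $authority.ServerName, $authority.Port

if (-not (Test-EntrustAuthorityPort -ServerName $authority.ServerName -Port $authority.Port)) {
    Write-Warning ("TCP port {0} on {1} did not answer within the timeout" -f $authority.Port, $authority.ServerName)
}
```

Run from the SAM server itself, because that is the host which will open the connection when the connector is in use; a port that answers from an administrator's workstation but not from the server points at a firewall rule between the two, not at the .ini value.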

Defining the Add User to Security Manager Policy

To enroll new users that are not yet on the Entrust Authority Security Manager internal user list, enable the Add User to Security Manager policy.

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double-click Add User to Security Manager.

The Add User to Security Manager Properties window opens.

2. Select Define this policy setting, select one of the following, and click OK.

- Enabled: Upon enrollment, SafeNet Authentication Manager automatically adds the user to the Entrust Authority Security Manager internal user list if the user is not found on the list.


- Disabled: Users are not added to the Entrust Authority Security Manager internal user list. If enrollment is requested for a user not found on the Entrust Authority Security Manager internal user list, the enrollment fails.

Note: If the Security Manager and SafeNet Authentication Manager are not in the same domain, users are added to the Entrust Authority Security Manager internal user list only if the Security Manager and SafeNet Authentication Manager on Different Domains policy is enabled.

Defining the Security Manager and SAM on Different Domains Policy

Set the Security Manager and SafeNet Authentication Manager on Different Domains policy to True only if the Security Manager and SafeNet Authentication Manager are not in the same domain. If this policy is set to True, the following policies must be defined:

- Username for Security Manager Domain Directory
- User Password for Security Manager Domain Directory
- User Path on Security Manager Domain Directory
- Username Template

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double-click Security Manager and SAM on Different Domains.

The Security Manager and SAM on different domains Properties window opens.


2. Select Define this policy setting, select one of the following, and click OK.

- Enabled: Upon enrollment, SafeNet Authentication Manager maps the user defined in the SafeNet Authentication Manager domain directory to the Entrust Authority Security Manager domain user directory. Select this option only if the Security Manager and SafeNet Authentication Manager are not in the same domain.
- Disabled: Users are not mapped to a different domain. If Security Manager and SafeNet Authentication Manager are not in the same domain, and an enrollment is requested, the enrollment fails.

Defining the Domain Username Policy

Define the Username for Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double-click Username for Security Manager Domain Directory.

The Username for Security Manager Domain Directory Properties window opens.


2. Select Define this policy setting, and enter a username that has connect permissions to the Entrust Authority Security Manager domain directory.

3. Click OK.

Defining the Domain User Password Policy

Define the User Password for Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double-click User Password for Security Manager Domain Directory.

The User Password for Security Manager Domain Directory Properties window opens.


2. Select Define this policy setting, and enter the password of the administrator or user defined in the Username for Security Manager Domain Directory policy setting.

3. Confirm the password.

4. Click OK.

Defining the User Path Policy

Define the User Path on Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double-click User Path on Security Manager Domain Directory.

The User Path on Security Manager Domain Directory Properties window opens.


2. Select Define this policy setting, and enter the domain path to the Entrust users' OU or group in the Security Manager domain directory.

3. Click OK.

Defining the Username Template Policy

Define the Username Template policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click Username Template.
The Username Template Properties window opens.


2. Select Define this policy setting.

3. To create the appropriate directory username template, select one or more attributes in the SafeNet Authentication Manager user list, and click Add to template after each selection.

4. Click OK.

Mapping Attributes

Attributes from the Entrust user store must be mapped to the attributes in the SafeNet Authentication Manager user store.

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click Attribute Mapping.
The Attribute Mapping Properties window opens.


2. Select Define this policy setting and map the attributes.

Defining the Add User to Security Manager Directory Policy

Enable the Add User to Security Manager Directory policy only if both of the following policies are enabled:

- Add User to Security Manager
- Security Manager and SAM on Different Domains

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click Add User to Security Manager Directory.
The Add User to Security Manager Directory Properties window opens.


2. Select Define this policy setting, select one of the following, and click OK.

Enabled: Upon enrollment, SAM adds the user to the user directory in the Entrust Authority Security Manager domain if all of the following are true:

- The Add User to Security Manager policy is enabled
- The Security Manager and SAM on Different Domains policy is enabled
- The user does not yet exist in the user directory in the Entrust Authority Security Manager domain

Users can be added only to an AD or general LDAP directory.

Disabled: Users are not added to the user directory in the Entrust Authority Security Manager domain. If enrollment is requested for a user not found in the user directory in the Entrust Authority Security Manager domain, the enrollment fails.

Defining the User Role Policy

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click User Role.
The User Role Properties window opens.

2. Select Define this policy setting.

3. In the Select the user role dropdown list, select a role from the list of roles defined in Entrust Authority Security Manager Administration.

4. Click OK.

Note: If the unique name of the selected user role is changed in Entrust Authority Security Manager Administration, you must select the renamed user role in the TPO so that the name remains the same in both Entrust and SafeNet Authentication Manager. If this is not done, enrollment fails.


Defining the Certificate Type Policy

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click Certificate Type.
The Certificate Type Properties window opens.

2. Select Define this policy setting.

3. In the Select the certificate type dropdown list, select a certificate type from the list of certificate types defined in Entrust Authority Security Manager Administration.

Note: The certificate type selected here overrides the setting in Entrust Authority Security Manager.

4. Click OK.

Defining the Last Security Manager Update Policy

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click Last Security Manager Update.
The Last Security Manager Update Properties window opens.

2. Select Define this policy setting.

Note: The Last Security Manager Update policy controls when the Entrust content on tokens is refreshed. When this date is changed, all tokens controlled by this TPO are considered out‐of‐date, and the Entrust content on each token is updated the next time its user accesses the SAM Self Service Center. Changing this date is the only way to push TPO changes to already enrolled tokens (see Behavior and Limitations below).

3. Select the date when you last changed the policy settings in Entrust Authority Security Manager.

4. Click OK.


Defining the SafeNet eToken Rescue Support Policy

To define the policy:

1. In the right pane of the Connector Policy Object Editor window, double‐click SafeNet eToken Rescue Support.
The SafeNet eToken Rescue Support Properties window opens.

2. Select Define this policy setting.

3. Select one of the following, and click OK.

Enabled: Entrust certificates are added to a SafeNet eToken Rescue.
Disabled: Entrust certificates are not added to a SafeNet eToken Rescue.

4. To complete the connector configuration, click OK.


Entrust Security Manager Administration Configuration

Creating a Certificate with Backup

To create a certificate with backup:

1. In Entrust Security Manager Administration, navigate to Security Policy > User Policies.

2. Select the required security policy.

3. In the General Information tab, in the Policy Attributes area, select Back up private key.

4. Make sure that Generate key at client is not selected.

5. Click Apply.

Key backup is what allows the Entrust Authority to recover a user's keys onto a virtual token or a replacement token (see Receiving a Virtual Token to Replace a Lost or Damaged Token below); without it, the "I lost my token" scenario cannot restore access to previously protected data.


Working with Java Card

To work with Java Card, the following steps must be performed before enrollment:

1. In Entrust Security Manager Administration, navigate to Security Policy > User Policies.

2. Select End User Policy.

3. In the General Information tab, in the Policy Attributes area, select Public Token Certs.

4. Click Apply.

Working with SafeNet eToken Rescue

To work with SafeNet eToken Rescue, the following steps must be performed before enrollment:

1. In Entrust Security Manager Administration, navigate to Security Policy > User Policies.

2. Select End User Policy.

3. In the General Information tab, in the Policy Attributes area, select Public Token Certs and Private key export from CAPI.

4. Click Apply.


Using SAM with Entrust

SafeNet Authentication Manager offers standard features when used with any certification authority and deployment mode, including Entrust Authority. However, some functions are specific to the Entrust ‐ SafeNet Authentication Manager integration.

SAM Remote Service Center

Receiving a Virtual Token to Replace a Lost or Damaged Token

The Connector for Entrust supports the SafeNet Authentication Manager "employee on the road" feature, which lets a user keep access to computers and networks after losing or damaging their token.

If an eToken device is lost while the user is away from the office, the user opens the SAM Remote Service Center website. After answering the required personal authentication questions, the user receives a virtual (software‐based) token that contains a copy of their previously enrolled Entrust keys. On returning to the office, the user opens the SAM Self Service Center website and enrolls a replacement physical token. During this process the original keys are revoked (if so configured in Entrust), the Entrust CRL is updated to reflect the revocation, and an Entrust recovery process runs silently. Keys marked as available after revocation are also placed on the new token, so that data protected by those keys remains accessible.

Note: Key recovery with SafeNet eToken Rescue using SAM requires key backup to be enabled in Entrust (see Creating a Certificate with Backup above).

SAM Self Service Center

Enrolling Entrust Certificates

Users can use the SAM Self Service Center to enroll tokens with Entrust certificates, even if the SafeNet Authentication Manager Client or Entrust Client is not installed on the local computer.


If the TPO is set correctly to add users in Entrust upon enrollment, user enrollment in SafeNet Authentication Manager succeeds regardless of whether the user was previously enabled in Entrust. The user is automatically enrolled in Entrust according to the TPO rules assigned to the user. Activation keys are not required, and the user's token is enrolled with the certificates defined by the TPO rules.

If the TPO rules determine that the user cannot be automatically enrolled in Entrust, or if no TPO exists for the user, the user is prompted to contact the Help Desk.

SAM Management Center

Viewing Error Messages, Audits, and Reports

The organization's security officer can use the Help Desk feature in the SAM Management Center to view eToken Entrust‐related information. This includes audit logs for certificate‐related operations performed in Entrust from SafeNet Authentication Manager, such as configuration changes, enrollment, and revocation.

To display Connector for Entrust information:

1. In Help Desk, search for the required token.
The token is displayed, and the Application field displays the Connector for Entrust.

2. Click the Details link.
The Application Details window opens.

Error messages for failed operations relating to Entrust Authority Security Manager are written to the default application event log. Each error message shows the action attempted and the specific Entrust Authority Security Manager error.


Behavior and Limitations

The following information clarifies the expected behavior and known limitations of the SAM Entrust Connector.

- Only one Entrust CA is supported.
- When generating a SafeNet eToken Rescue containing an Entrust certificate to support the "I lost my token" scenario, a key recovery operation is performed by the Entrust Authority, because SafeNet Authentication Manager does not keep copies of Entrust key pairs for recovery purposes. This differs from the behavior of the Connector for Microsoft CA.
- The Connector for Entrust does not support supplying or using activation codes manually. All activation and enrollment processes are automated. If you attempt to enroll a user for whom activation codes have already been generated through Entrust Authority Security Manager Administration, the user is silently enrolled and the activation codes are ignored.
- When enrolling in Entrust Authority Security Manager using SafeNet Authentication Manager, the Entrust user role and certificate type defined in Entrust Authority Security Manager are ignored; the settings from the SafeNet Authentication Manager TPO are used instead.
- User configuration changes made on the Entrust Authority Security Manager side do not take effect automatically. To apply configuration changes, make them in the SafeNet Authentication Manager TPO.
- SafeNet Authentication Manager TPO configuration changes take effect only when the Last Security Manager Update date on the TPO is modified.
- In Entrust Authority Security Manager, the spillover parameter must be disabled.


Chapter 12

Licensing

SAM licenses are issued according to token type and SafeNet Authentication applications. Licenses can be accumulated: when you purchase an additional license, it is added to your existing one.

In this section:

- Licensing Overview
- Evaluation License
- Upgrading Licenses from Earlier Versions
- Viewing Licenses
- Applying a License
- Multi-Domain Licenses


Licensing Overview

You can accumulate SafeNet Authentication Manager licenses by adding new licenses to your existing one. The total of allowed users and tokens is the sum of all accumulated licenses.

A SafeNet Authentication Manager license counts the following items separately:

- A user with any type of token
- A MobilePASS token
- A SafeNet eToken Virtual authenticator
- A token with SafeNet SSO profiles
- A token with SafeNet Network Logon profiles

Each license‐related action, such as token assignment or MobilePASS enrollment, increments or decrements the appropriate license counter. The maximum number allowed for each counter is determined by the license(s) purchased.

Evaluation License

New SafeNet Authentication Manager installations may be assigned an evaluation license. A SafeNet Authentication Manager evaluation license has the following features:

- Allows a maximum of 10 token users
- Allows a maximum of 10 of each of the following tokens:
  - A MobilePASS token
  - A SafeNet eToken Virtual authenticator
  - A token with SafeNet SSO profiles
  - A token with SafeNet Network Logon profiles
- Has an expiration date

SafeNet Authentication Manager evaluation licenses can be accumulated; the latest expiration date of all the licenses is applied. The evaluation license is cancelled when a standard license is added.


Upgrading Licenses from Earlier Versions

When data is migrated from TMS version 2.0 or later to SafeNet Authentication Manager 8.0, the earlier versions' licenses remain valid.

You may need to upgrade your SafeNet Authentication Manager license for new features, such as SafeNet eToken Virtual or MobilePASS, or to use certain connectors, such as the SAM Connector for SafeNet SSO. To check that your license is valid, see Viewing Licenses on page 295. To add a license, see Applying a License on page 296.

Viewing Licenses

You can view your licenses in the SafeNet Authentication Manager Configuration Manager.

To view licenses:

1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 192).
The SAM Configuration Manager window opens.

Note: In the following situations, a warning message is displayed in the bottom frame of the SAM Configuration Manager window:

- Your license has reached nearly all of its capacity
- Your license has an expiration date

2. From the Action menu, select License > View.


The License Details window displays the details of the current license.

3. Click Close to exit the window.

Applying a License

Use the SAM Configuration Manager to add a new license or to apply an existing license from a different domain or user store.

To add or apply a license:

1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 192).
The SAM Configuration Manager window opens.

2. From the Action menu, select License > Add.


The Add License window opens.

3. To add a new license:

a. Select Increase the license allowance by adding a new SAM license to the primary license.

b. Copy the new license string provided by SafeNet into the license field.

4. To apply an existing license:

a. Select Use the primary license already configured for the following domain.

b. Click Browse.

c. Select the domain containing the current license.

5. Click Add License and then click Close to exit the window.


Multi-Domain Licenses

The same license can be used in a multi‐domain environment and with multiple user stores. The primary license is installed on one server; the SafeNet Authentication Manager instances on the other servers are configured to use that primary license (the Use the primary license already configured for the following domain option described in Applying a License above).

For example, if you need SafeNet Authentication Manager installed on two domains, each with 1,000 users and 200 tokens with SafeNet SSO profiles, you can install a license for 2,000 users and 400 tokens with SafeNet SSO profiles on one of the domains. When configuring the other SafeNet Authentication Manager instance, select the domain on which the license file is installed.

Note: Because the same license is shared by multiple domains, the licensing counter can become inaccurate due to replication or failed operations. Use the SAM Backend Service to keep the licensing data from all domains synchronized. See Controlling SAM Backend Services on page 355 to manually initiate the SAM Backend Service Synchronize licenses process.


Chapter 13

Authorization Manager

Use the SafeNet Authentication Manager Authorization Manager to manage roles, tasks, operations, and role assignments.

Note: In SafeNet Authentication Manager, the authorization management settings (roles) are stored in the configuration store.

In this section:

- Authorization Management Overview
- Predefined Roles
- Defining a New Scope
- Defining Roles
- Defining Tasks


Authorization Management Overview

SafeNet Authentication Manager uses three levels of assignment, built into a hierarchical structure:

- Role: Level 1 activity (group of one or more tasks)
- Task: Level 2 activity (group of one or more operations)
- Operation: Level 3 activity (single action)


The lowest level in the hierarchy is Operation. A Task consists of one or more Operations and may include other Tasks. A Role is made up of a number of Tasks and Operations.

In addition, a Scope may be defined for each role, to determine which Domain, OU, or Group the role applies to.

Use the Authorization Manager to:

- Define roles and tasks
- Allocate role assignments
- Create additional roles, tasks, operations and role assignments


Predefined Roles

SafeNet Authentication Manager is configured with the following predefined roles:

Predefined Role          Website(s)                  Assigned Tasks Allowed
Administrator            SAM Management Center       All SAM tasks
Helpdesk                 SAM Management Center       All SAM tasks except modifying TPOs
Certificate Recovery     SAM Management Center       Certificate Recovery
First Tier Approvers     SAM Management Center       First tier approval of certificate recovery
Second Tier Approvers    SAM Management Center       Second tier approval of certificate recovery
User                     SAM Self Service Center,    All self service options on the SAM Remote Service Center
                         SAM Rescue Service Center   and the SAM Self Service Center

Defining a New Scope

You can assign a new scope for the SAM Management Center. The scope determines whether the roles apply to the domain, to an organizational unit (OU), or to a group.

A scope lets you define local administrators or help desk staff with responsibility for only a section of the user store, such as an OU or a group of users. Common examples are local administrators for a specific location (OU scope) or a dedicated administrator for senior managers (group scope).


To define a new scope for the SAM Management Center:

1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 192).

2. From the Action menu, select Authorization Manager > Edit Roles.
The SafeNet Authentication Manager ‐ Authorization Manager opens.

3. In the SAM Authorization Manager left pane, right‐click SAM Management Center, and select New Scope.
The New Scope window opens.

4. Select one of the following containers to which the role will apply:

- Domain
- OU (Organizational Unit): Click Browse. The OU window opens. Select the required OU, and click OK.
- Group: Click Browse. The User or Group window opens. Enter the required group name, and click OK.

5. Type a description, and click OK.

Defining Roles

Note: If you change the name of a Role, the users assigned to that Role are removed.

To define a new role definition:

1. In the SAM Authorization Manager left pane, expand the appropriate node to Definitions > Role Definitions.

2. Right‐click Role Definitions and select New role definition.


The Role Definition window opens.

3. Enter the Name and Description of the new role definition, and click Add.
The Add Definition window opens.

4. Select the Roles tab.

5. If required, select a role to be added as a sub‐role to the new role.

6. Select the Tasks tab.


7. Select the tasks to include in the new role.

8. Select the Operations tab.

9. Select the operations to include in the new role, and click OK.
The new role is created.


Defining Tasks

To define a new task definition:

1. In the SAM Authorization Manager left pane, expand the appropriate node to Definition > Task Definitions.

2. Right‐click Task Definitions and select New task definition.
The New Task window opens.

3. Enter the Name and Description of the new task definition, and click Add.
The Add Definition window opens.

4. Select the Tasks tab.


5. If required, select a task to be added as a sub‐task to the new task.

6. Select the Operations tab.

7. Select the operations to include in the task, and click OK.
The new task is created.


Chapter 14

User Permissions

The administrator can configure the users' permissions and change them as required.

In this section:

- Permissions for Basic Administration
- Granting Dial-In Permission to the User Account
- Granting Permissions for Microsoft CA Templates
- Delegating Password Reset Control


Permissions for Basic Administration

SAM Service Account Permissions

Operation                                          Permission Required
Managing eToken Network Logon                      Permission to change other domain users' passwords
Managing the SAM OTP Authentication Connector      Permission to change the dial-in properties of the user account. See Granting Dial-In Permission to the User Account on page 311.
Managing the SAM Microsoft CA Connector            Read and Enroll permissions for the templates to be used, such as Enrollment Agent and Smartcard Logon. See Granting Permissions for Microsoft CA Templates on page 314.
Managing the SAM P12 Certificate Import Connector  Read permissions to the libraries where the .pfx files and the password index files are stored
Managing the SAM Check Point Internal CA Connector No additional permissions
Resetting passwords                                Delegate the task to the required group, for example the Helpdesk group. See Delegating Password Reset Control on page 315.

User Permissions for Installing SAM

Operation                                          Permission Required
Installing SafeNet Authentication Manager          In AD/AD installations, must be a member of the Schema Admins group and the Domain Admins group
Managing SAM websites                              Read permissions to the SAM website directory on the IIS server


Granting Dial-In Permission to the User Account

Dial‐in permissions are required for the user managing the SAM OTP Authentication Connector. See Permissions for Basic Administration on page 310.

To grant dial-in permission to the user account:

1. Open ADSI Edit.

Tip: In Windows Server 2003, ADSI Edit is part of the Windows Support Tools installed from the server installation media. In Windows Server 2008, it is installed with the Remote Server Administration Tools (RSAT), as part of the Active Directory Domain Controller Tools feature.

The Console 1 window opens.

2. In the left pane, expand the appropriate domain.


3. Right‐click the user to be the SafeNet Authentication Manager Helpdesk administrator, and select Properties.
The user's Properties window opens.

4. Select the Security tab, and click Add.
The Select Users, Computers, or Groups window opens.

5. Enter the name of the SafeNet Authentication Manager Helpdesk user, and click OK.


The Helpdesk user is added to the list.

6. Click Advanced.
The Advanced Security Settings window opens.

7. Select the Helpdesk user from the list, and click Edit.


The Permission Entry window opens.

8. Select the Properties tab.

9. Select Allow for the following attributes:

- Read msNPAllowDialin
- Write msNPAllowDialin

10. Click OK.

Granting Permissions for Microsoft CA Templates

CA‐related permissions are required for the user managing the SAM Microsoft CA Connector. See Permissions for Basic Administration on page 310.

To grant permissions for Microsoft CA templates:

1. Open the CA snap‐in.

2. Right‐click Certificate Templates, and select Manage.

3. From the certificate template list, double‐click the template that SafeNet Authentication Manager will enroll.

4. In the Security tab, assign the Helpdesk user the Read and Enroll permissions.


5. In the CA snap‐in, right‐click the CA name, and select Properties.

6. In the Security tab, assign the Helpdesk user the Issue and Manage Certificates permission.

Issue and Manage Certificates is the CA's certificate manager role: it allows the holder to approve, deny and revoke any certificate the CA issues, not only those for SafeNet Authentication Manager. Grant it only to the account that actually runs the connector.

Delegating Password Reset Control

The SAM Service Account is used to manage SafeNet Authentication Manager operations. See Changing the SAM Service Account on page 198 to set a different SAM Service Account.

Note: We recommend using a SAM Service Account with a strong, non‐expiring password. Certain functions, such as the TPO Editor, may stop responding when the SAM Service Account password expires.

To delegate control of password resets to the SAM Service Account:

1. In the Active Directory Users and Computers snap‐in, select the SAM domain.

2. In the right pane, right‐click Users, and select Delegate Control.


The Delegation of Control Wizard opens.

3. Click Next.
The Users or Groups window opens.

4. Click Add.


The Select Users window opens.

5. Click Advanced.
The advanced Select Users window opens.

6. Click Find Now.


The search results are displayed in the Select Users window.

7. Double‐click the SAM Service Account.
The username appears in the Select Users window.

8. Click OK.


The username appears in the Users or Groups wizard window.

9. Click Next to continue.
The Tasks to Delegate window opens.

10. Select Delegate the following common tasks, and select Reset user passwords and force password change at next logon.

11. Click Next to continue.


The Completing the Delegation of Control Wizard window opens.

12. On the summary page, review the proposed settings, and then click Finish.
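The three grants in this chapter (dial‐in attribute access for the OTP connector account, Read and Enroll on the Microsoft CA template, and password reset delegation for the SAM Service Account) are each a handful of ACEs in Active Directory. The following PowerShell script is an added example, not code from SafeNet or from this guide: it applies the same grants with explicit ACEs, so they can be kept in version control and re-applied identically in every domain, and then lists the resulting entries for review. Two practical points it makes explicit: the ADSI Edit procedure places the msNPAllowDialin ACE on a single user object, whereas a connector that manages many users needs it on the containing OU, inherited to user objects; and the wizard's "Reset user passwords and force password change at next logon" task is the Reset Password extended right plus Read/Write on pwdLastSet. The account, OU and template names are placeholders; the script assumes the ActiveDirectory module (RSAT) and rights to modify these ACLs. The CA‐level Issue and Manage Certificates permission is set on the CA itself in the CA snap‐in and is not covered here.

```powershell
# Added example (not part of SAM or this guide): apply the AD permission grants from
# this chapter as explicit ACEs instead of clicking through ADSI Edit, the CA snap-in
# and the Delegation of Control Wizard.
# Assumptions: ActiveDirectory module available, run with rights to change these ACLs;
# account, OU and template names below are placeholders.
Import-Module ActiveDirectory

$HelpdeskAccount = 'CORP\sam-helpdesk'            # manages the SAM OTP Authentication Connector / Microsoft CA Connector
$ServiceAccount  = 'CORP\svc-sam'                 # the SAM Service Account
$UsersContainer  = 'OU=Staff,DC=corp,DC=example'  # container holding the user accounts SAM manages
$TemplateName    = 'SAMSmartcardLogon'            # cn of the Microsoft CA template the connector enrolls

$rootDse = Get-ADRootDSE

# Look up an attribute's schemaIDGUID so an ACE can be limited to that one property.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema attribute $LdapDisplayName not found" }
    return [guid]$obj.schemaIDGUID
}

# Append one Allow ACE to an AD object's DACL. $ObjectGuid restricts the ACE to a
# property or extended right; $Inherit = Descendents makes it apply to child objects
# of class $InheritedType (here always the user class), not to the container itself.
function Add-AdAce {
    param(
        [string]$Path,
        [string]$Principal,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectGuid = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'None',
        [guid]$InheritedType = [guid]::Empty
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectGuid, $Inherit, $InheritedType)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class
$resetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$enrollRight   = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'  # "Certificate-Enrollment" extended right

# (a) Granting Dial-In Permission: Read + Write msNPAllowDialin on every user under the OU.
$dialin = Get-SchemaGuid 'msNPAllowDialin'
Add-AdAce -Path $UsersContainer -Principal $HelpdeskAccount `
    -Rights 'ReadProperty, WriteProperty' -ObjectGuid $dialin `
    -Inherit Descendents -InheritedType $userClassGuid

# (b) Delegating Password Reset Control: the wizard's "Reset user passwords and force
#     password change at next logon" task = Reset Password right + Read/Write pwdLastSet.
Add-AdAce -Path $UsersContainer -Principal $ServiceAccount `
    -Rights ExtendedRight -ObjectGuid $resetPwdRight `
    -Inherit Descendents -InheritedType $userClassGuid
Add-AdAce -Path $UsersContainer -Principal $ServiceAccount `
    -Rights 'ReadProperty, WriteProperty' -ObjectGuid (Get-SchemaGuid 'pwdLastSet') `
    -Inherit Descendents -InheritedType $userClassGuid

# (c) Granting Permissions for Microsoft CA Templates: Read + Enroll on the template object,
#     which lives in the configuration partition.
$templatePath = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
Add-AdAce -Path $templatePath -Principal $HelpdeskAccount -Rights GenericRead
Add-AdAce -Path $templatePath -Principal $HelpdeskAccount -Rights ExtendedRight -ObjectGuid $enrollRight

# Verify: show only the ACEs for the two accounts, so the grant can be reviewed and recorded.
foreach ($p in $UsersContainer, $templatePath) {
    Write-Host "ACEs on $p"
    (Get-Acl -Path "AD:\$p").Access |
        Where-Object { $_.IdentityReference.Value -in @($HelpdeskAccount, $ServiceAccount) } |
        Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
}
```

Each Add-AdAce call appends an ACE, so running the script twice produces duplicate entries; check the verification output before re-running. ObjectType in the listing is the GUID of the property or right the ACE is limited to; an ACE whose ObjectType is the empty GUID applies to the whole object and is broader than this chapter asks for.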


Chapter 15

Audit Messages and Enrollment Notifications

You can configure TPO settings for the following activities:

- Viewing the details of SafeNet Authentication Manager administration events using the Windows Event Viewer
- Setting up audit notification letters for SafeNet Authentication Manager user and administrator events
- Setting up enrollment notification letters and SMS messages for token enrollments

In this section:

- Audit Messages
- Enrollment Notification
- Configuring Audit, Enrollment and MobilePASS Activation Notification Templates
- Configuring SMS Notification Template


Audit Messages

You can view SafeNet Authentication Manager audit messages in the Windows Event Viewer or send them by email.

Configuring Audit Settings for Viewing in Windows Event Viewer

Audit Settings policies control audit information logging so that the events can be viewed using the Windows Event Viewer. To enable audit information logging, define the TPO Audit Settings policies. See Using the Token Policy Object Editor to Edit TPOs on page 146 to edit the TPO settings.

Audit Settings

Policy                  Description                                                        Default       Token Type
Audit log server name   Defines the server address of the audit log                        localhost     All devices
Audit log name          Defines the name of the audit log                                  Application   All devices
Audit source name       Determines the source name displayed in the Windows Event Viewer   SAMAudit      All devices


Viewing SAM Events in the Event Viewer

To view audited SAM events in the Event Viewer:

1. Right‐click My Computer, and select Manage.
The Computer Management window opens.

2. In the left pane, select Event Viewer > Application.
A list of events is displayed in the right pane. By default, SAM events are indicated by SAMAudit in the Source column of the table.

3. Double‐click the required event. 


The Event Properties window opens.

The Event Properties window displays the following information:

- Date: the date the event occurred
- Source: the event source
- Time: the time the event occurred
- Category: the event category
- Type: the event type (for example, Information)
- Event ID: a unique ID for each event
- User: user information
- Computer: the computer on which the event is recorded
- Description: a brief description of the event
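Clicking through events one at a time in the Event Viewer does not scale once SAM is in production. The following PowerShell is an added example, not code from SafeNet or from this guide: it reads the SAM audit events from the log named by the Audit Settings policies (defaults: server localhost, log Application, source SAMAudit), flattens each one to the fields listed above, and summarizes them by level and event ID, which is the quickest way to spot a burst of Error events after a TPO or connector change. It assumes read access to the Application log on the audit log server; nothing in it depends on specific SAM event IDs or message text.

```powershell
# Added example (not part of SAM or this guide): collect and summarize SAM audit
# events from the Windows event log named by the TPO Audit Settings policies.
# Assumptions: read access to the log on the audit log server; defaults match the
# Audit Settings table (localhost / Application / SAMAudit).

function Get-SamAuditEvents {
    param(
        [string]$ComputerName = 'localhost',     # "Audit log server name" policy value
        [string]$LogName      = 'Application',   # "Audit log name" policy value
        [string]$SourceName   = 'SAMAudit',      # "Audit source name" policy value
        [datetime]$Since      = (Get-Date).AddDays(-1)
    )
    # ProviderName in a FilterHashtable is the event source shown in the Source column.
    $filter = @{ LogName = $LogName; ProviderName = $SourceName; StartTime = $Since }
    # Get-WinEvent raises an error rather than returning nothing when no event matches,
    # so an empty result is treated as "no events", not as a failure.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Level    = $e.LevelDisplayName          # Information / Warning / Error, as in Event Properties
            EventId  = $e.Id
            User     = $e.UserId                    # SID of the account that produced the event, if recorded
            Computer = $e.MachineName
            Message  = ($e.Message -split "`r?`n")[0]   # first line only; the full text stays in the log
        }
    }
}

# Group by level and event ID, most frequent first.
function Get-SamAuditSummary {
    param([object[]]$Events)
    $Events | Group-Object Level, EventId | Sort-Object Count -Descending |
        Select-Object @{ n = 'Level';   e = { $_.Values[0] } },
                      @{ n = 'EventId'; e = { $_.Values[1] } },
                      Count
}

$all = Get-SamAuditEvents -Since (Get-Date).AddDays(-7)
Get-SamAuditSummary -Events $all | Format-Table -AutoSize

# Warnings and errors only, newest first, for a ticket or a SIEM import.
$all | Where-Object { $_.Level -ne 'Information' } | Sort-Object Time -Descending |
    Export-Csv -Path "$env:TEMP\sam-audit-errors.csv" -NoTypeInformation
```

If the Audit log server name policy points at a remote server, run this on a host that can reach that server's event log service, or pass its name as -ComputerName; the log and source names must match the policy values exactly or the filter returns nothing.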


Configuring Audit Settings for Sending Notification Messages

To set up and configure audit notification letters, perform the following steps:

- Configure the TPO audit settings.
- Edit the audit notification letter templates. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.

The Audit Notification Settings in the TPO enable you to:

- Activate the notification function for users and/or the administrator.
- Select the HTML template file for user and/or administrator notification.

Audit Notification Policies

Policy                                     Description                                                       Default                                Token Type
Administrator notification                 Defines if the administrator is notified of audit events          No notification                        All devices
Administrator notification configuration   Defines the administrator notification configuration              Empty (administrator is not notified)  All devices
User notification                          Defines if users are notified of audit events related to their tokens   No notification                  All devices
User notification configuration            Defines the user notification configuration                       Empty (user is not notified)           All devices


Configuring Administrator Audit Notification Settings

To configure the administrator audit notification settings:

1. Open the Token Policy Object Editor (see Accessing Token Policy Object Links on page 122).

2. In the left pane, select Audit Settings > Audit Notification Settings.

3. In the right pane, right‐click Administration notification, and select Properties from the dropdown menu.
The Administration notification Properties window opens.

4. Select the Define this policy setting option, select Enabled and click OK.

5. In the right pane of the Token Policy Object Editor, right‐click Administration notification configuration, and select Properties from the dropdown menu.


The Administration notification configuration Properties window opens.

6. Select Define this policy setting, click Add, and enter a name for the new rule.

7. To define a rule, select it, and click Edit.

The Administrator notification rule window opens.

8. In the Events tab, select the events requiring notification.

9. Select for which event levels to send notifications: Information, Error, Warning.

10. To configure email notification for the administrator, select the Emails tab.

11. Click Add, and enter the appropriate email address.

12. In the Subject field, enter the content of the email subject line.

13. In the Template field, enter the path to the email template.

See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.

14. To select an external program to send the notification, select the External Program tab.

15. Select Browse and navigate to the external application file (.exe).

16. Click on the required keywords.

The selected keywords are displayed in the box after the external application file.

17. Click OK to save the changes to the Administration notification configuration policy.

Configuring User Audit Notification Settings

To configure the user audit notification settings:

1. Open the Token Policy Object Editor (See Accessing Token Policy Object Links on page 122).

2. In the left pane, select Audit Settings>Audit Notification Settings.

3. In the right pane, right‐click User notification, and select Properties from the dropdown menu.


The User notification Properties window opens.

4. Select the Define this policy setting option, select Enabled and click OK.

5. In the right pane of the Token Policy Object Editor, right-click User notification configuration, and select Properties from the dropdown menu.
The User notification configuration Properties window opens.

6. Select Define this policy setting, click Add, and enter a name for the new rule.

 

7. To define a rule, select it, and click Edit.
The User notification rule window opens.

8. Select the events requiring notification.

9. Select one or both of the following:
Notify the user about events performed for them by others
Notify the user about events performed by themselves

10. Select for which event levels to send notifications: Information, Error, Warning.

11. In the Subject field, enter the content of the email subject line.

12. In the Template field, enter the path to the email template.

See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.

13. Click OK to define the User notification configuration policy.

Enrollment Notification

Configuring Enrollment Notification Messages

SafeNet Authentication Manager can generate enrollment notification letters and email them to the token users.
Notifications can include text and variables, such as passwords and serial numbers, which are derived from SafeNet Authentication Manager through the use of keywords.
To set up and configure enrollment notification letters, perform the following steps:

Configure the TPO enrollment notification settings.
Edit the enrollment notification letter templates. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.

Enrollment Notification Policies

All of the following policies apply to all devices, including MobilePASS and SafeNet eToken Virtual Temp.

Policy: User notification
Description: Determines whether user notification letters are prepared when their tokens are enrolled through the SAM Management Center
Default: No notification

Policy: HTML template file
Description: Defines the HTML template file to use as a template for enrollment notification letters
Default: Empty

Policy: Save notification letters
Description: Determines whether enrollment notification letters are saved
Default: Not saved

Policy: Notification letters storage location
Description: Defines where enrollment notification letters are saved
Default: Empty

Policy: Send notification letters by email
Description: Determines whether enrollment notification letters are sent by email
Default: No email notification

Policy: Notification email subject
Description: Defines the enrollment notification email subject
Default: Empty

Policy: Print notification letters
Description: Determines whether enrollment notification letters are printed
Default: Not printed

Policy: Use external program
Description: Determines whether an external notification program is used
Note: This can include any application that performs an action not supported by the standard SafeNet Authentication Manager settings, such as updating a database upon notification.
Default: No external program

Policy: External program and keywords
Description: Defines which external program to use if Use external program is selected, and its keywords
Note: To use an external enrollment notification application, enable the Use external program policy and define this policy.
Default: Empty (No external program is used)

Policy: Notify via SMS
Description: Determines whether a notification is sent via SMS
Note: To use SMS notification, you must enable this policy and define the SMS notification template policy.
Default: SMS notification is not used

Policy: SMS notification template
Description: Determines the file that contains the text for the SMS message. See Configuring SMS Notification Template on page 338.
Default: Not defined

Configuring Audit, Enrollment and MobilePASS Activation Notification Templates

Each template contains text and keywords. To customize a template, replace its text, and add keywords as required.
Sample templates are provided in the MailTemplates folder, typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Templates

Audit Notification Templates

Template: Audit Event Notification (administrator)
Description: Informs the administrator of an audit event
File name: Default_SAM_Admin_Audit_Notification_Letter.htm

Template: Audit Event Notification (user)
Description: Informs users of audit events
File name: Default_SAM_User_Audit_Notification_Letter.htm

Enrollment Notification Templates

Template: Enrollment Notification
Description: Informs the user of a new token and supplies the password
File name: Default_SAM_Enrollment_Notification_Letter.htm

Template: Enrollment Notification (Complex password)
Description: Informs the user of a new token and supplies the password. This option allows the Token Password to contain special characters, using a different HTML syntax.
Note: This template is not supported by Outlook 2007.
File name: Default_SAM_Enrollment_Notification_Letter_Complex_Password.htm

Notification Letter Keywords

Variables used in notification letters are retrieved by SafeNet Authentication Manager from data in the user store. If the data does not exist in the user store, it will not appear in the notification letter; the keywords will be displayed instead.
If changes have been made to data in the user store, run the SAM Backend Services Synchronize User Data process before generating enrollment letters to ensure that the data is available for inclusion in the user notification letter. See Backend Service on page 353.

General Keywords

General keywords can be used in all notification letter templates (Audit, Enrollment Notification and MobilePASS Activation).

Keyword                   Description
$Office                   User's office location
$User_Email               User's email address
$User_First_Name          User's first name
$User_Last_Name           User's last name
$City                     City
$Country_Region           Country or region
$State_Province           State or province
$Street                   Street name
$PO_Box                   Post Office box number
$Zip_Postal_Code          Zip code
$Company                  Name of company
$Department               Name of department
$User_Logon_Name          The name the user uses to log on to a domain. Uses the syntax: username@domainname
$User_Account_Name        The user's name in the pre-Windows 2000 syntax: domainname\username

Audit Keywords

The Audit Keywords can be used only in the Audit Notification templates:
Audit Event Notification (administrator) (Default_SAM_Admin_Audit_Notification_Letter.htm)
Audit Event Notification (user) (Default_SAM_User_Audit_Notification_Letter.htm)

The keys of events as they appear in the Windows Event Viewer can be used in audit notification letters.

Keyword                   Description
$Audit_Category           The application creating the event. For example: SAM Self Service Center, SAM Management Center, SAM Remote Service Center, or Management Tools
$Audit_Date_Time          The time and date of the event
$Audit_Event              The name of the event
$Audit_Message            The message describing the event
$Audit_Type               The event level: Information, Error, or Warning

Enrollment Keywords

The Enrollment Keywords can be used only in the Enrollment Notification templates:
Enrollment Notification (Default_SAM_Enrollment_Notification_Letter.htm)
Enrollment Notification (Complex password) (Default_SAM_Enrollment_Notification_Letter_Complex_Password.htm)

Keyword                   Description
$Enrollment_Date          Date the token was enrolled
$Enrollment_Time          Time the token was enrolled
$otp_pin                  The OTP PIN to be sent to the user during enrollment, or the Token Password (if it is random)

Configuring SMS Notification Template

If the Notify via SMS policy is activated, a template must be created to determine the content of the message (see Enrollment Notification Policies on page 332).
The template is a text (.txt) file. The SMS message consists of the text as it appears in the template; keywords are not supported.
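The keyword mechanism described above, worked through as an added example; this is not SafeNet's template engine. The guide says a keyword with no data in the user store is printed literally, so the renderer below does the same and reports the leftover keywords, which is the signal to run Synchronize User Data before the letter goes out. Treating the Complex password template as HTML-escaping of the value is my assumption (the guide only says it uses a different HTML syntax), and the template and user record are constructed for the example.

```python
"""Keyword substitution for SAM-style notification letters.

Added example; this is not SafeNet's template engine. Assumptions beyond
the guide: keywords are plain "$Name" tokens replaced textually, and the
"Complex password" variant is modelled here as HTML-escaping the value so
that characters such as < & " survive inside an HTML letter.
"""
import html
import re

# A keyword is '$' followed by letters and underscores ($User_Email,
# $Audit_Type, $otp_pin). Digits are excluded so "$100" is left alone.
KEYWORD_RE = re.compile(r"\$[A-Za-z_]+")


def render(template: str, values: dict, escape_html: bool = False) -> str:
    """Replace every keyword that has data; leave the others visible.

    The guide states that a keyword with no data in the user store is
    printed as the literal keyword, which is what the fallback does.
    """
    def substitute(match):
        name = match.group(0)[1:]            # drop the leading '$'
        value = values.get(name)
        if value is None or value == "":
            return match.group(0)            # keep "$Department" visible
        text = str(value)
        return html.escape(text, quote=True) if escape_html else text

    return KEYWORD_RE.sub(substitute, template)


def unresolved(rendered: str) -> list:
    """Keywords that survived rendering. A non-empty result means the user
    store lacks data and a Synchronize User Data run is needed before the
    letter is sent; it does not mean the letter is safe to send as-is."""
    return KEYWORD_RE.findall(rendered)


# Constructed sample letter and user-store record (not from the guide).
SAMPLE_TEMPLATE = (
    "<p>Dear $User_First_Name $User_Last_Name ($User_Logon_Name),</p>\n"
    "<p>Your token was enrolled on $Enrollment_Date at $Enrollment_Time "
    "by the $Department help desk.</p>\n"
    "<p>Token password: <b>$otp_pin</b></p>"
)

SAMPLE_VALUES = {
    "User_First_Name": "Dana",
    "User_Last_Name": "Levi",
    "User_Logon_Name": "dana.levi@example.com",
    "Enrollment_Date": "2010-09-21",
    "Enrollment_Time": "15:24",
    # "Department" deliberately missing: it should stay as "$Department"
    "otp_pin": 'p4<ss&"w0rd',
}

if __name__ == "__main__":
    letter = render(SAMPLE_TEMPLATE, SAMPLE_VALUES, escape_html=True)
    print(letter)
    print("unresolved keywords:", unresolved(letter))
```

Run the file to see the rendered letter; the password survives intact only in the escaped form, and "$Department" is reported as unresolved because the constructed record has no department.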

Chapter 16

OTP Configuration

One Time Password (OTP) behavior can be configured in the web services located on the SafeNet Authentication Manager Server, and in the OTP plug-in on the IAS (RADIUS) server.

In this section:

OTP Web Service Settings
OTP Web Service Configuration
Configuring SAM IAS Plug-In
Configuring IAS for a Non-AD User Store

OTP Web Service Settings

To facilitate OTP authentication, the system saves the following values:
the OTP provided by the user during the last OTP token enrollment or successful authentication
the OTP provided by the user during the last authentication attempt, regardless of whether or not it successfully matched any of the values calculated by the system within the Blank Presses range

Blank Presses

During each OTP authentication attempt, the system calculates the OTP value that should follow the OTP saved from the last successful authentication.
When a user generates an OTP on the token without submitting it for authentication, the OTP generation is considered a blank press.
The administrator determines how many blank presses are tolerated by setting the range of OTP values to be checked during OTP authentication.

Blank Presses setting: 0
OTP Authentication Behavior: The OTP provided by the user must match the OTP value that the system calculates to follow the last OTP successfully used for authentication.

Blank Presses setting: 30
OTP Authentication Behavior: The OTP provided by the user must match one of the next 31 OTP values that the system calculates to follow the last OTP successfully used for authentication.

Blank Presses Resync

If the OTP provided by the user does not match any of the OTP values within the Blank Presses range, a different method may allow the user to authenticate successfully.
If the Blank Presses Resync setting is larger than the Blank Presses setting, the system compares the last two OTPs provided (the OTP saved during the last authentication attempt and the OTP just entered) with all the pairs of OTP values calculated by the system within the Blank Presses Resync range.

Time Sync

Some systems calculate OTPs using a formula based on the current time. There may be a minor difference between the time settings on the system and on the OTP token. The administrator determines the amount of time difference that is tolerated by defining the Time Sync range to be checked during OTP authentication.

Time Sync setting: 0
OTP Authentication Behavior: The OTP provided by the user must match the OTP value that the system calculates based on the system's current time.

Time Sync setting: 30
OTP Authentication Behavior: The OTP provided by the user must match one of the OTP values that the system calculates within 31 increments of the system's current time.

Time Resync

If the OTP provided by the user does not match any of the OTP values within the Time Sync range, a different method may allow the user to authenticate successfully.
If the Time Resync setting is larger than the Time Sync setting, the system compares the last two OTPs provided (the OTP saved during the last authentication attempt and the OTP just entered) with all the pairs of OTP values calculated by the system within the Time Resync range.

Every value in a window is a value an attacker can guess, so widening Blank Presses, Time Sync or the resync ranges raises the chance that a random OTP is accepted; the Authentication Retries setting (see OTP Web Service Configuration) is what bounds the number of guesses per token.
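The counter-based settings above (Blank Presses, Blank Presses Resync and Authentication Retries), worked through in code as an added example; this is not SafeNet's implementation. The guide does not name SAM's OTP algorithm or storage format, so the block assumes an RFC 4226 HOTP token and a server that keeps the counter of the last accepted OTP. The Time Sync and Time Resync settings apply the same window and pair logic to time steps instead of counter values.

```python
"""Counter-based OTP checking with a Blank Presses window, pair-based
resynchronisation and a retry lock.

Added illustration of the behaviour described in the guide; it is not
SafeNet code, and the guide does not name SAM's OTP algorithm. Assumed
here: the token is an HOTP generator (RFC 4226, HMAC-SHA1, 6 digits)
and the server stores the counter of the last accepted OTP.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpValidator:
    """Server-side state for one token, mirroring the OTP Web Service
    settings Blank Presses, Blank Presses Resync and Authentication Retries."""

    def __init__(self, secret: bytes, blank_presses: int = 30,
                 resync: int = 100, retries: int = 5):
        self.secret = secret
        self.blank_presses = blank_presses
        self.resync = resync
        self.retries = retries
        self.counter = 0           # counter of the last accepted OTP
        self.last_attempt = None   # OTP from the last attempt, good or bad
        self.failures = 0
        self.locked = False

    def _matches(self, counter: int, otp: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), otp)

    def _accept(self, counter: int) -> bool:
        self.counter = counter     # this and every earlier value is now spent
        self.failures = 0
        return True

    def verify(self, otp: str) -> bool:
        if self.locked:
            return False
        previous, self.last_attempt = self.last_attempt, otp

        # Blank Presses: a setting of N accepts any of the next N+1 values
        # (the guide's example: 30 means the next 31 values are checked).
        for c in range(self.counter + 1, self.counter + self.blank_presses + 2):
            if self._matches(c, otp):
                return self._accept(c)

        # Blank Presses Resync: only consulted when it is larger than the
        # window. The previous attempt and this one must be two consecutive
        # values somewhere within the resync range.
        if self.resync > self.blank_presses and previous is not None:
            for c in range(self.counter + 1, self.counter + self.resync + 1):
                if self._matches(c, previous) and self._matches(c + 1, otp):
                    return self._accept(c + 1)

        # Authentication Retries: lock the token after too many failures.
        self.failures += 1
        if self.failures >= self.retries:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret.
    secret = b"12345678901234567890"
    v = OtpValidator(secret)
    print("first press accepted:  ", v.verify(hotp(secret, 1)))   # True
    print("same OTP replayed:     ", v.verify(hotp(secret, 1)))   # False
    print("press 40 (outside 31): ", v.verify(hotp(secret, 40)))  # False
    print("press 41 (resync pair):", v.verify(hotp(secret, 41)))  # True
```

The demo shows the two behaviours the guide describes: a token pressed 40 times past the last accepted value fails the 31-value window, but the next consecutive press succeeds through the 100-value pair check, after which the counter jumps to 41 and nothing earlier can be replayed.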

OTP Web Service Configuration

To configure the OTP Web Service:

1. Open the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select IIS and Web Services > OTP Web Service.
The OTP Web Service Settings window opens.

3. Complete the fields as follows, and click OK:

Field: Blank Presses
Description: The range of OTP values to check during authentication (the number of blank presses tolerated before the OTP token must be validated).
Default value: 30

Field: Audit Condition
Description: Which authentication events to include in an audit:
OnFailure: only when authentication fails
Always: all authentication attempts
Never: do not audit
Default value: OnFailure

Field: Blank Presses Resync
Description: The range of OTP value pairs to check if the OTP did not match a value within the Blank Presses range
Default value: 100

Field: Max Delayed DB Updates
Description: The maximum number of update entries accumulated before they must be written to the SAM database. Saves system resources during times of peak activity.

Field: Time Sync
Description: The time difference tolerated between the system and the OTP token, in increments
Default value: 30

Field: Time Resync
Description: The range of OTP value pairs to check if the OTP did not match a value within the Time Sync range
Default value: 100

Field: Authentication Retries
Description: The number of failed authentication attempts before the token is locked
Default value: 5

Field: Exclude Group Check
Description: The behavior of the Exclude Group check:
Disabled: The check for Exclude Groups is disabled.
Default: Exclude all members of the Exclude Groups and their child groups. All groups above the user are checked during each authentication attempt.
DefaultFlat: Exclude all members of the Exclude Groups, but not of their child groups.
Preload: Exclude members of the Exclude Groups already in the SAM Configuration Store, but do not refresh the list. (See also Preload Groups Refresh.)
Token: Exclude all tokens marked in the SAM Configuration Store as being a member of an Exclude Group. This information is updated by the SAM Backend Service, scheduled to run every 24 hours by default.
Default value: Default

Field: Exclude Groups
Description: Click New to add an Exclude Group. OTP authentication is not enabled for members of Exclude Groups; they must use standard authentication.
Default value: None

Field: Preload Groups Refresh
Description: If Exclude Group Check is set to Preload, this determines the time interval, in minutes, between Exclude Groups refreshes in the OTP Web Service
Default value: 120

Field: Netbios
Description: Click New to map between a NetBIOS name and a DNS name

Configuring SAM IAS Plug-In

The IAS plug-in, located on the IAS (RADIUS) server, can be configured to determine OTP authentication behavior.
The configuration settings are added to the <ias_plugin_configuration> section in the otp_plugin_config.xml file.

SAM IAS Plug-In Settings

Key: enable_otp_authentication
Value type: Boolean
Description: Determines whether OTP authentication is used.
Values:
True: OTP authentication
False: Standard (non-OTP) authentication
Default: True

Key: otp_web_service_url
Value type: String
Description: Defines the SafeNet Authentication Web Service URL

Key: no_otp_token_behavior
Value type: Enumerator
Description: Determines behavior when the user has no OTP token.
Values:
Reject: Reject the authentication request
Pass: Allow MS IAS standard authentication
Fail: Discard the authentication request
Default: Reject

Key: user_not_found_behavior
Value type: Enumerator
Description: Determines behavior when the user is not found.
Values:
Reject: Reject the authentication request
Pass: Allow MS IAS standard authentication
Fail: Discard the authentication request
Default: Reject

Key: protocol_not_supported_behavior
Value type: Enumerator
Description: Determines behavior when the protocol is not supported.
Values:
Reject: Reject the authentication request
Pass: Allow MS IAS standard authentication
Fail: Discard the authentication request
Default: Pass
Note: The value should be changed to Reject to ensure that it is not possible to authenticate without a RADIUS secret key.

Key: return_pap_cred
Value type: Boolean
Description: Determines whether the RADIUS server returns the password as an attribute of the RADIUS response.
Default: False

Key: return_pap_cred_attribute_number
Value type: Numeric
Description: Specifies the RADIUS attribute number of the returned password. For example, 2 is ratUserPassword (the User-Password attribute).
Default: 2

Key: web_service_request_timeout
Value type: Time in seconds
Description: Specifies the timeout period when calling the OTP Web Service from the IAS Plug-in.
Default: 15

Key: web_service_comm_error_behavior
Value type: Enumerator
Description: Determines how to handle an OTP Web Service communication failure.
Values:
Reject: Reject the authentication request
Pass: Allow MS IAS standard authentication
Fail: Discard the authentication request
Default: Fail

Key: TMS_db_offline_behavior
Value type: Enumerator
Description: Determines how to handle the exception when the SAM database is not available.
Values:
Reject: Reject the authentication request
Pass: Allow MS IAS standard authentication
Fail: Discard the authentication request
Default: Fail

In every *_behavior key, Pass hands the request to standard IAS (password-only) authentication, so a Pass value turns that error condition into an OTP bypass. Only protocol_not_supported_behavior defaults to Pass; check the other keys as well after any edit of the file.

Example of otp_plugin_config.xml

<?xml version="1.0" ?>
<ias_plugin_configuration>
  <enable_otp_authentication>true</enable_otp_authentication>
  <otp_web_service_url>http://localhost/OTPAuthentication/Service.asmx</otp_web_service_url>
  <no_otp_token_behavior>reject</no_otp_token_behavior>
  <user_not_found_behavior>reject</user_not_found_behavior>
  <protocol_not_supported_behavior>pass</protocol_not_supported_behavior>
  <return_pap_cred>false</return_pap_cred>
  <return_pap_cred_attribute_number>2</return_pap_cred_attribute_number>
  <web_service_request_timeout>15</web_service_request_timeout>
  <web_service_comm_error_behavior>fail</web_service_comm_error_behavior>
  <TMS_db_offline_behavior>fail</TMS_db_offline_behavior>
</ias_plugin_configuration>

Note that the example keeps the default protocol_not_supported_behavior of pass; see the note on that key in SAM IAS Plug-In Settings before deploying it.
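A check for fail-open values in this file, as an added example (not a SafeNet tool). It parses the keys documented in SAM IAS Plug-In Settings and flags any *_behavior key left at Pass, which the settings table defines as falling through to standard IAS authentication; the HTTPS and return_pap_cred checks are my assumptions, not advice from the guide. The embedded sample is constructed to match the example above, and harden() shows the same file with every Pass rewritten to Reject.

```python
"""Audit an otp_plugin_config.xml for settings that bypass OTP.

Added example, not part of the SafeNet product. The sample below uses
only the keys documented in SAM IAS Plug-In Settings. The checks encode
the guide's own advice (every *_behavior key set to Pass hands the
request to standard IAS authentication; protocol_not_supported_behavior
defaults to Pass and should be changed) plus two assumptions of mine:
return_pap_cred should stay false, and the OTP Web Service URL should be
HTTPS unless it points at the local host.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the guide's example, with the weak default
# for protocol_not_supported_behavior left in place.
SAMPLE_CONFIG = """<?xml version="1.0" ?>
<ias_plugin_configuration>
  <enable_otp_authentication>true</enable_otp_authentication>
  <otp_web_service_url>http://localhost/OTPAuthentication/Service.asmx</otp_web_service_url>
  <no_otp_token_behavior>reject</no_otp_token_behavior>
  <user_not_found_behavior>reject</user_not_found_behavior>
  <protocol_not_supported_behavior>pass</protocol_not_supported_behavior>
  <return_pap_cred>false</return_pap_cred>
  <return_pap_cred_attribute_number>2</return_pap_cred_attribute_number>
  <web_service_request_timeout>15</web_service_request_timeout>
  <web_service_comm_error_behavior>fail</web_service_comm_error_behavior>
  <TMS_db_offline_behavior>fail</TMS_db_offline_behavior>
</ias_plugin_configuration>
"""

# The keys whose Pass value falls through to standard IAS authentication.
BEHAVIOR_KEYS = (
    "no_otp_token_behavior",
    "user_not_found_behavior",
    "protocol_not_supported_behavior",
    "web_service_comm_error_behavior",
    "TMS_db_offline_behavior",
)


def load(xml_text: str) -> dict:
    """Parse the file into {key: value}; the plug-in keys are flat children."""
    root = ET.fromstring(xml_text)
    if root.tag != "ias_plugin_configuration":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return {child.tag: (child.text or "").strip() for child in root}


def audit(xml_text: str) -> list:
    """Return a list of findings; an empty list means nothing fails open."""
    cfg = load(xml_text)
    findings = []
    if cfg.get("enable_otp_authentication", "true").lower() != "true":
        findings.append("enable_otp_authentication is false: OTP is not checked at all")
    for key in BEHAVIOR_KEYS:
        if cfg.get(key, "").lower() == "pass":
            findings.append(f"{key}=pass falls through to standard IAS authentication")
    parsed = urlparse(cfg.get("otp_web_service_url", ""))
    if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
        findings.append("otp_web_service_url uses plain HTTP to a remote host")
    if cfg.get("return_pap_cred", "false").lower() == "true":
        findings.append("return_pap_cred=true echoes the password back in the RADIUS response")
    return findings


def harden(xml_text: str) -> str:
    """Rewrite every Pass behavior to Reject and return the corrected XML."""
    root = ET.fromstring(xml_text)
    for child in root:
        if child.tag in BEHAVIOR_KEYS and (child.text or "").strip().lower() == "pass":
            child.text = "reject"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
    print(harden(SAMPLE_CONFIG))
```

Point audit() at the real file contents on the IAS server after every edit; on the sample it reports exactly the protocol_not_supported_behavior issue the guide warns about, and the hardened copy audits clean.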

Configuring IAS for a Non-AD User Store

If you are using a user store other than Active Directory, IAS must be configured to accept users without validating credentials.

Note: Because IAS then no longer checks the password itself, the plug-in must not fall through to standard authentication. The following setting must be present to prevent users being able to authenticate without a password:
<protocol_not_supported_behavior>fail</protocol_not_supported_behavior>
Reject, the value recommended in SAM IAS Plug-In Settings, also refuses the request; Pass must not be used here.

To configure IAS to accept users without validating credentials:

1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service.
The Internet Authentication Service window opens.

2. Select Connection Request Processing > Connection Request Policies.

3. In the right pane, right-click Use Windows authentication for all users, and select Properties.


The Use Windows authentication for all users Properties window opens.

4. Click Edit Profile.


The Edit Profile window opens.

5. On the Authentication tab, select Accept users without validating credentials.

6. Click OK repeatedly until you return to the Internet Authentication Service main window.

Chapter 17

Backend Service

The SafeNet Authentication Manager Backend Service works in the background, performing the different services configured by the administrator.

In this section:

Overview of Backend Services
Controlling SAM Backend Services

Overview of Backend Services

You can change the scheduling of services in the SAM Configuration Manager. See Scheduling the SAM Backend Service on page 185.
The actions controlled by the Backend Service are:

Disable temporary password logon
Revoke open SafeNet eToken Rescues
Automatically revoke tokens with missing users
Automatically revoke tokens with disabled users
Synchronize user data
Synchronize license data

Control the SAM Backend Service using the following options:
Start Process
Start Service
Stop Service
Pause Service
Continue Service


Controlling SAM Backend Services

To control SAM Backend Services:

1. In the taskbar, right‐click the Backend Services icon: The Backend Services menu opens.

2. To select a domain, click Services, and select the appropriate domain.

3. To control the Backend Service process, select one of the following:

Stop Backend Service
Pause Backend Service
Continue Backend Service
Start Backend Service

4. To initiate the SAM Backend Service process, select Start process.The Start process options are displayed.

5. Select the required action to run in the background:

All: runs all tasks
Synchronize user data: updates user properties that have changed since the last update
Automatic revocation when: automatically revokes a token if the selected event occurred:
User is deleted from the user store: the employee left the company
User is disabled in the user store: the employee has an extended absence
Revoke opened SafeNet eToken Rescue: revokes all expired SafeNet eToken Rescues
Disable Temp Logon: disables all expired temporary logon passwords
Synchronize licenses: updates license information that has changed since the last update. This is required when SafeNet Authentication Manager is implemented over multiple domains, or whenever the licensing counter becomes inaccurate due to replication or failed operations. See Multi-Domain Licenses on page 298.

6. Click Exit.

Part III Post-Installation Configuration

After installation, SAM needs to be configured according to the requirements of your organization.
For OTP specific configuration, see Chapter 16: OTP Configuration (page 339).

In this section:

Chapter 18: User Management in an ADAM Environment (page 359)
Chapter 19: Desktop Agent (page 371)
Chapter 21: Customizing SAM Websites (page 421)

Chapter 18

User Management in an ADAM Environment

If you are using a Standalone user store, use SafeNet Authentication Manager - Policy Manager to manage users, groups, and OUs.

In this section:

ADAM Environment User Store Overview
Opening SafeNet Authentication Manager - Policy Manager
Adding a User
Viewing and Editing User Properties
Adding a Group or OU
Viewing and Editing Group Properties

ADAM Environment User Store Overview

During SafeNet Authentication Manager installation in an ADAM environment, the Standalone user store is initialized in the SafeNet Authentication Manager. A user account with user store administrator rights is created on the server.
After installation, the administrator uses SAM Policy Management to add users to the appropriate groups in the user store.

Opening SafeNet Authentication Manager - Policy Manager

To open SAM Policy Management:

1. Select Start>Programs>SafeNet> SafeNet Authentication Manager>Policy Management.SafeNet Authentication Manager ‐ Policy Manager connects to the SafeNet Authentication Manager Server, and the Authentication window opens.

2. Enter the SAM administrator username and password, and click OK.


The SafeNet Authentication Manager ‐ Policy Manager window opens.

3. In the left pane, select the appropriate container.The users and groups inside the selected container are displayed in the right pane.


Adding a User

To add a user to the Standalone user store:

1. Open SafeNet Authentication Manager - Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
The SafeNet Authentication Manager - Policy Manager window opens.

2. In the left pane, right‐click the appropriate container, and select New > User.

The New Object ‐ User window opens.

3. Complete the information and click Next.


The Password window opens.

4. Create a password for the user, confirm it, and click Next.The Click Finish window opens.

5. Review the information displayed, and click Finish.The new user appears in the right pane of the SAM Policy Management window.

See Viewing and Editing User Properties on page 364 to add more information about the user to the user store.


Viewing and Editing User Properties

To view and edit user information:

1. Open SafeNet Authentication Manager - Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
The SafeNet Authentication Manager - Policy Manager window opens.

2. In the right pane, right-click the appropriate user, and from the dropdown menu, select Properties.
The user's Properties window opens.

3. Select each tab to view or modify its information.

Note: In the Account tab, it is not possible to change the User logon name or the Account name of the SAM Administrator.

4. Click OK to save the changes.

Adding a Group or OU

To add a group or OU to the Standalone user store:

1. Open SafeNet Authentication Manager ‐ Policy Manager. See Opening SafeNet Authentication Manager ‐ Policy Manager on page 360.The SafeNet Authentication Manager ‐ Policy Manager window opens.


2. In the left pane, right‐click the appropriate container, select New, and select the type of object to add.

3. When adding a group, the New Object ‐ Group window opens.

Assign a Group name, and click OK.

Note: Do not include an ampersand symbol, "&", in the assigned name.

4. When adding an OU, the New Object - Organizational Unit window opens.

Assign a Name, and click OK.

Note: Do not include an ampersand symbol, "&", in the assigned name.

Viewing and Editing Group Properties

To view and edit the properties of a group:

1. Open SafeNet Authentication Manager - Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
The SafeNet Authentication Manager - Policy Manager window opens.

2. In the right pane, right-click the appropriate group, and from the dropdown menu, select Properties.
In this example, the group Users is selected.

The object's Properties window opens to the General tab.

3. To modify the object's description, change the Description, and click OK.

4. To view or modify the list of members, select the Members tab.

5. To remove a member, select the member, and click Remove.

6. To add a member, click Add.

The User or Group window opens.

7. Enter the user or group name and, to verify that the object exists, click Check names.

8. Click OK.

9. To view or modify the list of groups of which the object is a member, select the Member of tab.

10. To remove an object from the list, select the object, and click Remove.

11. To add an object to the list, click Add.


The User or Group window opens.

12. Enter the name and, to verify that the object exists, click Check names.

13. Click OK to save the changes.

Chapter 19

Desktop Agent

The Desktop Agent can be used for sending expiration alerts to administrators and users, to audit the removal and connection of tokens, and to download SafeNet eToken Rescue files automatically from the website to the user's computer.

Note: The Desktop Agent works only when Active Directory (AD) or ADAM is used as the user store.

In this section:

Overview of the Desktop Agent
Adding the Desktop Agent Template to the GPO Editor
Editing the Desktop Agent Settings in the GPO Editor
Desktop Agent Settings
Configuring Automatic Download of SafeNet eToken Rescue
Configuring Attendance Reports
Configuring the Legacy Desktop Agent
Troubleshooting

Page 388: SAM Admin Guide 8.0 Rev A

372 SafeNet Authentication Manager Administrator’s Guide

Overview of the Desktop AgentThe Desktop Agent is an application used to perform operations set by the administrator. The Desktop Agent, also known as the SAM Agent, can be installed as a SAM Client component on the desktops of SAM users. It functions as a feature of SafeNet Authentication Client.Users of eToken PKI Client use the legacy TMS Desktop Agent.Users log on to SAM automatically when they connect their token to a computer on the network. Depending on your SafeNet Authentication Manager configuration, the Desktop Agent does the following:

Sends alerts to users when their token content is about to expire or is not up‐to‐dateEnables automatic distribution of SafeNet eToken Rescue files to users’ computersKeeps a record of the total number of tokens logged on at any given time; this token connection and removal audit can be used for an Hourly Distribution of Token Connections report

Open the Desktop Agent Status window from the SafeNet Authentication Client tray menu or from the eToken PKI Client tray menu. For a description of the Desktop Agent Status window, see the SafeNet Authentication Manager User’s Guide.

Adding the Desktop Agent Template to the GPO Editor

Configure the Desktop Agent using the Group Policy Object Editor (GPO Editor). The configuration uses an Administrative Template (ADM) file, which must be added to the GPO Editor.

To add the ADM file to the GPO Editor:

1. From the Start menu, go to Start > Programs > Administrative Tools > Active Directory Users and Computers.

2. Right‐click the domain, and click Properties.

Note: The ADM can be configured either at the OU or at the domain level, and it can be limited to specific groups or users. In this example, the ADM is configured at the domain level.

The domain’s Properties window opens.

3. Select the Group Policy tab.

4. Select the appropriate Group Policy Object name, and click Edit.

The Group Policy Object Editor window opens.

5. In the navigation pane, right‐click Administrative Templates, and from the dropdown menu, select Add/Remove Templates.

The Add/Remove Templates window opens.

6. Click Add, and navigate to the appropriate ADM file. The default path is:

In 32-bit environments: C:\Program Files\SafeNet\Authentication\SAM\x32\Adm
In 64-bit environments: C:\Program Files\SafeNet\Authentication\SAM\x64\Adm

The Policy Templates window displays the SAM template options.

7. Select the appropriate Desktop Agent template for your installation:

• SAC_Desktop_Agent.adm: for environments running SafeNet Authentication Client 8.0 or later
• PKI_Desktop_Agent.adm: for environments running legacy eToken PKI Client

In this example, SAC_Desktop_Agent.adm is selected.

8. Click Open.

The SAC_Desktop_Agent template is added to the list of administrative templates in the Add/Remove Templates window.

9. Click Close.

In the Group Policy Object Editor window's navigation pane, SAM Desktop Agent Settings is displayed under Administrative Templates.

Editing the Desktop Agent Settings in the GPO Editor

Before editing the Desktop Agent, the Desktop Agent administrative template must be added to the GPO Editor. For more information, see Adding the Desktop Agent Template to the GPO Editor on page 372.

Note: In this example, the SAM Desktop Agent is installed. When using the legacy Desktop Agent, substitute TMS for SAM.

To edit the Desktop Agent Settings:

1. In the navigation pane of the GPO Editor window, select Computer Configuration > Administrative Templates > SAM Desktop Agent Settings.

SAM Desktop Agent Settings contains the following templates:

• SAM Desktop Agent General Settings
• eToken Update Alerts
• eToken Rescue Automatic Downloads
• eToken Attendance Reports

2. Click a template in the navigation pane or in the right pane. In this example, eToken Update Alerts is selected.

The right pane displays the settings contained in the selected template.

3. To change a setting, double-click the setting (for example, Check server for expiration dates) in the right pane.

The Properties window for the selected setting opens.

Note: The Explain tab contains a description of the setting.

4. Make the required changes in the Setting tab:

• Not Configured: the default value is used
• Enabled: enables you to select or enter a value in the box (see the Explain tab for details)
• Disabled: do not use; this state is not implemented for Desktop Agent settings

5. Click OK, or click Next to go to the next setting. Edit the remaining settings as required. For more information, see Desktop Agent Settings on page 379.

6. Click OK in the GPO Editor to save the changes to the GPO. The settings reach the clients at the next Group Policy refresh; to apply them to a client immediately, run gpupdate on that client (Start > Run > gpupdate, and click OK).

Desktop Agent Settings

Note: In this example, the SAM Desktop Agent is installed. Some setting names differ slightly in the legacy Desktop Agent.

The settings are grouped below by template.

Template: SAM Desktop Agent General Settings

Setting: SAM Servers
Defines the list of SAM Servers used for the SAM Desktop Agent.
Note: The list must be in URL format, with entries separated by ';'. The full path to the agent service must be used. For example:
http://netbios1/SAMagent/service.asmx;http://netbios2/SAMagent/service.asmx
Only servers you control belong in this list: the agent acts on what they return (expiration alerts, token content verification and, if enabled, automatic download of SafeNet eToken Rescue files).

Setting: Load balance SAM servers
Determines how the servers listed in the 'SAM Servers' setting are used.
Values:
• 1 (True) - Each client randomly selects a server from the list, and then round-robins to the next server listed for each subsequent request.
• 0 (False) - The first server on the list is always accessed, and the next servers are used for failover only.
Default is 0 (False).

Setting: Communication error retry period
Defines the number of minutes to wait before the next communication attempt following a communication error.
Default is 10 minutes.

Template: eToken Update Alerts

Setting: Ignore certificate expiration alert
Determines if already expired certificates are part of the expiry date computation.
Values:
• 1 (True) - Ignore expired certificates
• 0 (False) - Don't ignore expired certificates
Default is 0 (False).

Setting: Check server for expiration dates
Determines if the server is checked for expiration dates of token data, such as certificates or OTP.
Notes:
• Set this value to 0 if tokens do not contain time-limited data.
• If the 'Check token for expiration dates' setting is set to 1, data on the token is checked before data on the server.
• It is recommended to use frequent periodic checks for expirable content.
Values:
• 1 (True) - The server is checked
• 0 (False) - The server is not checked
Default is 1 (True).

Setting: Check token content
Determines if the server is checked for TPO changes that apply to the token.
Note: It is recommended to minimize the frequency of the periodic checks to reduce server load. Co-ordinate the frequency of the checks with changes to the TPO settings.
Values:
• 1 (True) - The server is checked
• 0 (False) - The server is not checked
Default is 1 (True).

Setting: Check token for expiration dates (for installations running eToken PKI Client only)
Determines if physical tokens are checked for expiration dates of data, such as certificates and profiles.
Note: Set this value to 0 if tokens do not contain time-limited data. If the 'Check server for expiration dates' setting is set to 1, data on the token is checked before data on the server.
Values:
• 1 (True) - The token is checked
• 0 (False) - The token is not checked
Default is 0 (False).
Important: Even if the 'Check token for expiration dates' setting is set to 1, the 'Check server for expiration dates' and/or 'Check token content' settings must be enabled for the Verify Token Content feature to appear in the SafeNet Authentication Client tray icon menu.

Setting: Pre-expiration alert period
Defines the number of days before token data expires that an alert is displayed.
Note: An alert is displayed only after verification of expiration dates on the token or server.
Default is 30 days.

Setting: Alert text
Defines the text to display in the alert balloon upon token data expiration or when the token content must be updated.
Default message is "Your token content must be updated."
When 'Alert message click action' is set to 1 or 2, the message prompts the user to click the balloon.

Setting: Pre-expiration alert text
Defines the text to display in the alert balloon within the time defined in the 'Pre-expiration alert period' setting. The following keywords can be included in the text, and are replaced by their actual values:
• $EXPIRY_DATE - the token data's expiration date
• $EXPIRE_IN_DAYS - the number of days until expiration
Default message is "Data on your token expires in $EXPIRE_IN_DAYS."

Setting: Alert title
Defines the title of the alert balloon.
Default title is "eToken Notification".

Setting: Alert message click action
Defines the action performed if the user clicks the alert balloon.
Values:
• 0 - No action
• 1 - Show the detailed message defined in the 'Alert detailed message' setting
• 2 - Open the website defined in the 'Alert website URL' setting
Default is 0 (No action).

Setting: Alert detailed message
Defines the message displayed if the user clicks the alert balloon when the 'Alert message click action' setting is set to 1.
Default is an empty string.

Setting: Alert website URL
Defines the website URL opened if the user clicks the alert balloon when the 'Alert message click action' setting is set to 2.
Default is an empty string.

Setting: Update alert minimum interval
If the 'Check token content' or 'Check server for expiration dates' setting is activated (set to 1), defines the number of days to wait before the next server check following a successful server verification.
Default is 14 days.
Note: We recommend setting the alert minimum interval to as long an interval as possible, to avoid server overload.

Template: SafeNet eToken Rescue Automatic Download

Setting: Download SafeNet eToken Rescue Automatically
Determines if a SafeNet eToken Rescue replacement token is automatically downloaded when a change to the token content is detected.
Values:
• 1 (True) - Automatically download
• 0 (False) - Do not automatically download
Default is 0 (False).
If automatic download is activated, the file is downloaded to:
• XP: C:\Documents and Settings\username\My Documents\eTokenRescue
• Vista: %USERPROFILE%\Documents\eTokenResc

Setting: Download check minimum interval
If the 'Download SafeNet eToken Rescue automatically' setting is set to 1, this defines the number of days between checks of the SAM database to determine if the token content has changed.
Default is 14 days.


Template: eToken Attendance Reports

Setting: Enable token auditing
Determines if token auditing is enabled.
Values:
• 1 (True) - Enabled
• 0 (False) - Not enabled
Default is 0 (False).

Configuring Automatic Download of SafeNet eToken Rescue

To enable the automatic download of SafeNet eToken Rescue to users' computers, the SAM Servers must be part of Internet Explorer's Local Intranet zone. (To see the Internet Explorer security settings for the Local Intranet zone, in Internet Explorer select Tools > Internet Options > Security tab > Local Intranet.)

There are two ways of including the SAM Servers in the Local Intranet zone:

• By default, IE treats a site as an intranet site if the server name contains no periods (for example: http://mySAM/SAMagent). A SAM Server addressed by a fully qualified name therefore needs an explicit zone mapping.
• Configure GPO to map the URL of every SAM Server to the Local Intranet zone. Either of the following policy locations can be used:

To configure the Intranet Zone for computers:

1. Add the URLs to the following setting in GPO Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

2. Set the authentication mode to automatic logon only when in Intranet Zone in the following setting in GPO Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\{zone name}\Logon Options

To configure the Intranet Zone for users:

1. Add the URLs to the following setting in GPO Editor: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

2. Set the authentication mode to automatic logon only when in Intranet Zone in the following setting in GPO Editor: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\{zone name}\Logon Options

Note: With this logon option, Windows sends the user's credentials automatically to every site in the Local Intranet zone, so map only the SAM Servers themselves, not a broad wildcard.
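The two checks above, which entries of a 'SAM Servers' list already fall under IE's dotless-name rule and which need an explicit mapping, together with the registry entries the Site to Zone Assignment List and Logon Options policies produce, as an added PowerShell example. This is not SafeNet's code. The function names and the second server name are assumptions, and the registry locations are the editor's understanding of where those two built-in Internet Explorer policies write under HKLM\Software\Policies for Computer Configuration (HKCU for User Configuration); confirm them against a client that has received the GPO.

```powershell
# Added example, not SafeNet code. Checks a 'SAM Servers' policy value and applies
# the registry entries that the 'Site to Zone Assignment List' and 'Logon Options'
# policies write. Registry locations are an assumption (the policy keys under
# HKLM\Software\Policies); run as administrator.

function Test-SamServerList {
    # Splits the ';'-separated value and reports, for each entry, whether it is a
    # complete http(s) URL to service.asmx and whether IE's dotless-name heuristic
    # already places the host in Local Intranet or an explicit mapping is needed.
    param([Parameter(Mandatory)][string]$PolicyValue)

    foreach ($entry in ($PolicyValue -split ';')) {
        $text = $entry.Trim()
        if (-not $text) { continue }
        $uri = $null
        $parsed = [System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref]$uri)
        $fullPath = $parsed -and $uri.AbsolutePath.EndsWith('/service.asmx', [System.StringComparison]::OrdinalIgnoreCase)
        $dotless = $parsed -and ($uri.HostNameType -eq 'Dns') -and ($uri.Host -notmatch '\.')
        [pscustomobject]@{
            Url          = $text
            Valid        = $fullPath -and ($uri.Scheme -in 'http', 'https')
            Host         = if ($parsed) { $uri.Host } else { $null }
            DotlessHost  = $dotless
            NeedsZoneMap = $parsed -and -not $dotless
        }
    }
}

function Set-SamIntranetZoneMapping {
    # Maps each host to the Local Intranet zone (zone 1) and sets that zone's logon
    # option 1A00 to 0x20000, 'Automatic logon only in Intranet zone'.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        # Computer Configuration location; use HKCU:\... for User Configuration.
        [string]$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    $zoneMap = "$PolicyRoot\ZoneMapKey"
    $intranet = "$PolicyRoot\Zones\1"
    foreach ($path in $zoneMap, $intranet) {
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    }
    foreach ($h in $Hosts) {
        # Value name = site, data '1' = Local Intranet. Every site in this zone
        # receives the user's Windows credentials, so list only the SAM Servers.
        if ($PSCmdlet.ShouldProcess("http://$h", 'assign to Local Intranet zone')) {
            New-ItemProperty -LiteralPath $zoneMap -Name "http://$h" -Value '1' -PropertyType String -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($intranet, 'set 1A00 = 0x20000')) {
        New-ItemProperty -LiteralPath $intranet -Name '1A00' -Value 0x20000 -PropertyType DWord -Force | Out-Null
    }
}

# The guide's example value plus a placeholder fully qualified server name.
$samServers = 'http://netbios1/SAMagent/service.asmx;http://sam2.corp.example/SAMagent/service.asmx'
$report = Test-SamServerList -PolicyValue $samServers
$report | Format-Table -AutoSize
# netbios1 is dotless and needs no mapping; sam2.corp.example does.
$toMap = @($report | Where-Object { $_.Valid -and $_.NeedsZoneMap } | ForEach-Object Host)
if ($toMap) { Set-SamIntranetZoneMapping -Hosts $toMap -WhatIf }   # drop -WhatIf to apply
```

In production the mapping belongs in the GPO as described above (the policy also locks the zone lists against user changes); the second function is useful on a test machine, and the same key paths can be read with Get-ItemProperty to verify what the policy has delivered to a client.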

Configuring Attendance Reports

Attendance Reports list token connection and removal events, enabling the system administrator to keep records of when tokens are in use, at what time the maximum number of tokens are in use, the days of the week when the maximum work is done, and other information.

Opening the Desktop Agent Settings Window

To open the Desktop Agent Settings window:

1. From the Windows desktop, select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager.

2. In the SAM Configuration Manager, select Action > IIS and Web Services > Desktop Agent.

The Desktop Agent Settings window opens.

Creating an Attendance Reports MS SQL Server Database

To create an MS SQL Server Attendance Reports database, do one of the following:

• Create an MDF file from the supplied SQL script and then attach it to an MS SQL Server
• Copy the SQL script to the clipboard and use it in an external tool
• Create the database when making a connection to the MS SQL Server

To connect to an existing MS SQL Server database through an MS SQL Server connection:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Click Edit Connection.

The Token Connection Audit Database window opens.

3. Select SQLServer, and click OK.

The SQL Server window opens.

4. In the Select a server name field, select a server from the dropdown list.

Note: For the full name of the server to be displayed in the Select a server name field, the SQL Server Browser service must be running. To start the service, select Start > Programs > Administrative Tools > Services. Right-click SQL Server Browser, and select Start.

5. Select one of the following Authentication types:

• Use Windows authentication
• Use SQL Server authentication (enter the Username and Password)

Note: If the Windows authentication option is selected, ensure that the SAM System Account has permissions to the MS SQL Server database. This is not required if SQL Server authentication is selected, because the supplied SQL login is used instead. In either case, grant the account rights on the attendance database only, not a server-wide role.

6. In the Database area, click Select, and select the required database.

7. Click OK.

Adding a Renamed MDF File to MS SQL Server

By default, the MDF file is saved with the filename SAMAttendanceReports.mdf, and the log file with the filename SAMAttendanceReports_log.ldf. If you change the name of either file, the file is not found when you attempt to attach it to MS SQL Server.

To attach a renamed file, in the MS SQL Server Attach Databases window, in the database details list, click the browse button in the Current File Path field, navigate to the renamed file, and select it. It is then attached correctly.

To save the SQL script to the Clipboard:

Click Copy to Clipboard.

To create a new MS SQL Server database while creating a new connection:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Click Edit Connection.

The Token Connection Audit Database window opens.

3. Select SQLServer, and click OK.

The SQL Server window opens.

4. In the Select a server name field, select a server from the dropdown list.

Note: For the full name of the server to be displayed in the Select a server name field, the SQL Server Browser service must be running. To start the service, select Start > Programs > Administrative Tools > Services. Right-click SQL Server Browser, and select Start.

5. In the Database area, click New.

The Create Database window opens.

6. Select the required authentication type, enter the new database name, and click OK.

The new database is created.

7. Click OK.

Connecting to an Existing MS SQL Server Database through an ODBC Connection

To connect using an ODBC connection, do the following:

• Create an ODBC connector.
• Connect to an existing MS SQL Server database through the ODBC connection.

To create an ODBC connector:

1. Select Start > Programs > Administrative Tools > Data Sources (ODBC).

The ODBC Data Source Administrator window opens.

2. In the System DSN tab, click Add.

The Create New Data Source window opens.

3. Select SQL Server, and click Finish.

The Create a New Data Source to SQL Server window opens.

4. Enter a name for the data source, enter a description, select the server to connect to, and click Next.

5. Select the required authentication options, and click Next.

6. Select the required options, and click Next.

7. Select the required options, and click Finish.

The ODBC Microsoft SQL Server Setup window opens.

8. Click OK.

To connect to an existing MS SQL Server database through an ODBC connection:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Click Edit Connection.

The Attendance Configuration window opens.

3. Select ODBC, and click OK.

The Select ODBC Source window opens.

4. On the System DSN tab, select the required ODBC connector, and click OK.

Note: After connecting to MS SQL Server through an ODBC connection, the SQL Server service must be restarted. To restart the service, select Start > Programs > Administrative Tools > Services. Right-click the SQL Server service, and select Restart.
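The System DSN created in the wizard above, and a check of what the resulting connection actually runs as, as an added PowerShell example; it is not SafeNet's code. It assumes the Add-OdbcDsn and Get-OdbcDsn cmdlets of the Wdac module (Windows 8 / Windows Server 2012 and later), the built-in 'SQL Server' driver, placeholder server and DSN names, and that the DSN is created for the same bitness as the SAM installation (32-bit for an x32 install), because a 64-bit System DSN is not visible to a 32-bit application.

```powershell
# Added example, not SafeNet code. Creates the System DSN the Desktop Agent
# settings point at and reports the login the connection maps to.
# Assumptions: Wdac module (Add-OdbcDsn/Get-OdbcDsn), the built-in 'SQL Server'
# driver, placeholder names, and a DSN bitness matching the SAM installation.

function New-SamAttendanceDsn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Name = 'SAMAttendance',                      # placeholder DSN name
        [Parameter(Mandatory)][string]$SqlServer,             # e.g. 'sqlhost\SAM' (placeholder)
        [string]$Database = 'SAMAttendanceReports',           # default database name from the guide
        [ValidateSet('32-bit', '64-bit')][string]$Platform = '32-bit'
    )
    if (Get-OdbcDsn -Name $Name -DsnType System -Platform $Platform -ErrorAction SilentlyContinue) {
        Write-Verbose "System DSN '$Name' ($Platform) already exists"
        return
    }
    if ($PSCmdlet.ShouldProcess("$Name ($Platform)", 'create System DSN')) {
        # Trusted_Connection=Yes selects Windows authentication: the SAM System
        # Account, not a password stored in the DSN, is what the database must trust.
        Add-OdbcDsn -Name $Name -DriverName 'SQL Server' -DsnType System -Platform $Platform `
            -SetPropertyValue @("Server=$SqlServer", "Database=$Database", 'Trusted_Connection=Yes')
    }
}

function Test-SamAttendanceDsn {
    # Opens the DSN and reports which login it resolves to and whether that login
    # is sysadmin; the audit writer only needs read/write on the one database.
    param([string]$Name = 'SAMAttendance')
    $conn = New-Object -TypeName System.Data.Odbc.OdbcConnection -ArgumentList "DSN=$Name;"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT SUSER_SNAME(), DB_NAME(), IS_SRVROLEMEMBER('sysadmin')"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            Login      = $reader.GetString(0)
            Database   = $reader.GetString(1)
            IsSysadmin = ($reader.GetValue(2) -eq 1)   # should be False for the audit account
        }
    } finally {
        $conn.Dispose()
    }
}

New-SamAttendanceDsn -SqlServer 'sqlhost\SAM' -WhatIf   # drop -WhatIf to create the DSN
# Test-SamAttendanceDsn                                  # run once the DSN exists, as the SAM System Account
```

Run Test-SamAttendanceDsn under the identity the Desktop Agent web service uses; if IsSysadmin comes back True, the attendance data is being written with far more privilege than the two tables need.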

Saving Data for Attendance Reports

Attendance reports contain a selected subset of token connection data. By selecting Save Token Connection Data, a full set of token connection data is created in an MS SQL Server data table. Each token connection is represented as an entry in the table. This makes the complete set of data available for examination and analysis.

Note: We recommend using this feature only when it is required for analytical purposes, as the additional data imposes an extra load on the system.

To save the token connection data on the client:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Select Save Token Connection data, and click OK.

Clearing the Token Connection Data History

To clear the token connection data:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Select a date in the Clear Token Connection data created before field.

3. To clear the data even of open connections, select Include open connections.

An open connection is one that has a start date but no end date. This occurs when the computer is shut down without the connections being closed, or when there is a technical fault.

4. Click Clear History.

5. Click OK.

Displaying an Error Message Following Server Error

To write an error to the log on the client computer following a server error:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Select Notify client upon server error, and click OK.

Note: We recommend using this feature only when it is required for analytical purposes or requested by support staff, to avoid an additional load on the system.

Configuring the Legacy Desktop Agent

The legacy Desktop Agent was superseded by the updated Desktop Agent introduced in TMS 2.0 SP4, but is still available in SAM 8.0 for backward compatibility. The legacy Desktop Agent is configured using the SAM Desktop Agent Web Services, located on the SAM Server. It can be configured to determine the following:

• The path where SafeNet eToken Rescue is temporarily saved
• Whether the temporary SafeNet eToken Rescue file is removed from the server
• The time interval for messages arriving from tokens, used to determine if tokens are connected

The configuration is set in the web.config file, typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMAgentlegacy

The configuration settings are added to the <appSettings> section of the web.config file as self-closing <add> elements, using the syntax shown in the following example:
<add key="SoftTokenTempFolder" value="C:\Documents and Settings\Administrator\Local Settings\Temp" />
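Editing the three keys described in the settings table below without hand-editing the XML, as an added PowerShell example; it is not SafeNet's code. It assumes the default 32-bit web.config path given above, that web.config has no XML namespace on its root element (the usual case for an ASP.NET application), and a placeholder temp folder that must already exist and be writable by the IIS application pool identity.

```powershell
# Added example, not SafeNet code. Sets the legacy Desktop Agent keys in the
# <appSettings> section of web.config without duplicating entries. The default
# path is the 32-bit path from the guide; the folder in the usage line is a
# placeholder that must exist and be writable by the IIS application pool identity.

function Set-SamLegacyAgentSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [string]$ConfigPath = 'C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMAgentlegacy\web.config'
    )
    # Accept only the keys the legacy web service documents, with a sanity check on each value.
    $rules = @{
        SoftTokenTempFolder          = { param($v) Test-Path -LiteralPath $v -PathType Container }
        DeleteSoftTokenTempFile      = { param($v) $v -in 'True', 'False' }
        MaxTokenAliveIntervalSeconds = { param($v) $v -match '^\d+$' -and [int]$v -gt 0 }
    }
    foreach ($key in $Settings.Keys) {
        if (-not $rules.ContainsKey($key)) { throw "Unknown legacy Desktop Agent key: $key" }
        if (-not (& $rules[$key] ([string]$Settings[$key]))) { throw "Invalid value for ${key}: $($Settings[$key])" }
    }

    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
    $appSettings = $config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $config.DocumentElement.AppendChild($config.CreateElement('appSettings'))
    }
    $changed = $false
    foreach ($key in $Settings.Keys) {
        $value = [string]$Settings[$key]
        $node = $appSettings.SelectSingleNode("add[@key='$key']")
        if ($node -and $node.GetAttribute('value') -eq $value) { continue }   # already set
        if (-not $PSCmdlet.ShouldProcess($key, "set to '$value'")) { continue }
        if (-not $node) {
            $node = $appSettings.AppendChild($config.CreateElement('add'))
            $node.SetAttribute('key', $key)
        }
        $node.SetAttribute('value', $value)   # yields <add key="..." value="..." />
        $changed = $true
    }
    if ($changed) {
        # Keep a copy: saving web.config makes IIS recycle the application.
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
        $config.Save($ConfigPath)
    }
}

Set-SamLegacyAgentSetting -WhatIf -Settings @{
    SoftTokenTempFolder          = 'D:\SAMAgentTemp'   # placeholder folder; create it first
    DeleteSoftTokenTempFile      = 'True'              # leave on: the temp file is token material
    MaxTokenAliveIntervalSeconds = 6
}
```

Keep DeleteSoftTokenTempFile at True unless support asks otherwise, and restrict the temp folder's ACL to the application pool identity: the file written there is a user's SafeNet eToken Rescue token, not a scratch file.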

SAM Desktop Agent Web Services Settings

Key: SoftTokenTempFolder
Value type: Path
Description: The path where SafeNet eToken Virtual is saved temporarily
Default: System Temp directory

Key: DeleteSoftTokenTempFile
Value type: Boolean
Description: Determines if the temporary SafeNet eToken Virtual file is removed from the server
Default: True

Key: MaxTokenAliveIntervalSeconds
Value type: Integer
Description: The number of seconds without a message about a token after which the token is considered removed
Default: 6

Troubleshooting

The expiration alert is displayed to the user once in the period of time defined in the Desktop Agent settings. After the alert has been displayed once, the next alert is shown only after that period has elapsed. To force an appropriate expiration alert to be displayed before the defined period has elapsed, clear the Desktop Agent cache.

To clear the Desktop Agent cache:

1. Run Start > Run > regedit, and click OK.

2. Browse to the following registry key:

HKEY_CURRENT_USER\Software\SafeNet\Authentication\SAM\DesktopAgentII\TokenUpdateAlerts\VerificationTracking

3. Delete the value (or values) of type REG_DWORD under this key.

4. Log off and then log on.

The appropriate expiration alert is displayed.
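The cache-clearing procedure of the Troubleshooting section as an added PowerShell example, not SafeNet's code. The only assumption beyond the guide is the function name; the key path is the one given above, and because it lives under HKEY_CURRENT_USER the script must run in the session of the user whose alert is being reset.

```powershell
# Added example, not SafeNet code. Deletes the REG_DWORD tracking values that
# suppress repeat expiration alerts, so the next check displays the alert again.
# Run in the session of the user concerned (the key lives under HKEY_CURRENT_USER).

function Clear-SamDesktopAgentAlertCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKCU:\Software\SafeNet\Authentication\SAM\DesktopAgentII\TokenUpdateAlerts\VerificationTracking'
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "No key at $KeyPath; the agent has not yet recorded a verification for this user"
        return 0
    }
    $key = Get-Item -LiteralPath $KeyPath
    $deleted = 0
    foreach ($name in $key.GetValueNames()) {
        # Only the REG_DWORD value(s) hold the tracking state; leave anything else alone.
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { continue }
        $propName = if ($name) { $name } else { '(default)' }   # provider name for the default value
        if ($PSCmdlet.ShouldProcess("$KeyPath\$propName", "delete REG_DWORD value $($key.GetValue($name))")) {
            Remove-ItemProperty -LiteralPath $KeyPath -Name $propName
            $deleted++
        }
    }
    return $deleted   # then log off and on; the alert is shown at the next check
}

Clear-SamDesktopAgentAlertCache -WhatIf   # preview; drop -WhatIf to delete
```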

Chapter 20

External Portals

SafeNet Authentication Manager is supplied with external portals, which are installed and configured separately from the main SafeNet Authentication Manager installation and configuration.

In this section:

Overview of SAM External Portals
Deliverables
Prerequisites
Installing the SAM External Portals
Configuring SAM Portals
Setting the Logon Credentials in Google Apps
Setting the Logon Credentials in Force.com
Logging on to the Cloud
Changing the OTP PIN in Google Apps
Configuring the Username Attributes

Overview of SAM External Portals

The following external portals are available:

• eToken Anywhere Enrollment
• MobilePASS Enrollment
• MobilePASS Messaging
• Cloud Authentication

In addition, the portal source code is available, to enable customization of the portals.

Deliverables

The following SAM External Portals installation files are provided:

• SAMPORTALS-x32-8.0.msi (32-bit)
• SAMPORTALS-x64-8.0.msi (64-bit)

Prerequisites

The following must be installed before installing the SAM External Portals:

• IIS
• ASP.NET

Installing the SAM External Portals

The SAM External Portals are delivered separately from the main SafeNet Authentication Manager application.

To install SAM External Portals:

1. Double-click the appropriate installation file:

• SAMPORTALS-x32-8.0.msi (32-bit)
• SAMPORTALS-x64-8.0.msi (64-bit)

The SafeNet Authentication Manager‐Portals Installation Wizard opens.

2. Click Next.

The License Agreement window opens.

3. Select I accept the license agreement and click Next.

The Destination Folder window opens.

4. To change the default destination folder, click Browse and navigate to the required folder.

Note: If SafeNet authentication applications or legacy eToken products were previously installed on the computer, it is not possible to select a different destination folder.

5. Click Next.

The Select Installation Type window opens.

6. Select one of the following options:

• Typical: installs all portals
• Complete: installs all portals and their source code
• Custom: enables you to select which portals to install

7. Click Next.

The Ready to Install the Application window opens.

8. Click Next.

The installation proceeds.

When the installation is complete, the SafeNet Authentication Manager ‐ Portals has been successfully installed window opens.

9. Click Finish to complete the wizard.

Configuring SAM Portals

The portals are configured using the SafeNet Authentication Manager Portals Configuration.

Configuring Roles for SAM Portals

Before portal connections are added, the op_web_service_api_access operation must be added to the Administrator role in SafeNet Authentication Manager - Authorization Manager.

To configure the Administrator Role:

1. Launch the SAM Configuration Manager (For more information, see Launching the SAM Configuration Manager on page 180).

2. From the Action menu, select Authorization Manager > Edit Roles.

The SafeNet Authentication Manager - Authorization Manager opens.

3. Navigate to Management Center > Definitions > Role Definitions.

4. Right-click Administrator and select Properties.

The Administrator Definition Properties window opens.

5. In the Definition tab, click Add.

The Add Definition window opens.

6. In the Operations tab, select op_web_service_api_access and click OK.

You are returned to the Administrator Definition Properties window.

7. Click OK and exit the SafeNet Authentication Manager ‐ Authorization Manager.

Adding a Portal Connection

A connection must be added for each required portal:

• eToken Anywhere Enrollment
• MobilePASS Enrollment
• MobilePASS Messaging
• Cloud Authentication

To add a portal connection:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration.

The SafeNet Authentication Manager - Portals Configuration window opens.

2. Open the Connections tab and click Add.

The Connection Details window opens.

3. Complete the fields as follows:

Connection Name: Enter a name for the connection.
SAM Server URL: Enter the URL of the SAM Server, in the format http://hostname
Username: Enter the username used for logging on to SAM.
Password: Enter the password used for logging on to SAM.
Instance Name: Click Select; the Select SAM instance window opens. Select the instance name of the SAM database.

Note: The username and password are stored by the Portals Configuration, so use a dedicated SAM account for the portals rather than a personal administrator account.

4. Click OK.

The connection is added to the list of connections in the SafeNet Authentication Manager - Portals Configuration window.

Configuring Cloud Logon

To configure cloud logon:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration.

The SafeNet Authentication Manager - Portals Configuration window opens.

2. Open the Cloud Configuration tab and click Add.

The Add Configuration window opens.

3. Complete the fields as follows:

Configuration Name: Enter any name for the configuration.
Service Provider: Select one of the following service providers: Google Apps or Force.com. Note: The user must have an account at the service provider.
Username Passed to the Service Provider: Select one of the following:
• Username entered in the cloud portal - the SAM username is the same as the username in Google Apps or Salesforce
• Use attribute in the user store - if selected, select the Attribute name from the drop-down list. For more information, see Configuring the Username Attributes on page 418
Authentication Initiator: Select one of the following:
• Authentication requests must be initiated by the Service Provider only - URL provided by Google (Google Apps only). Important: Even though this option is not supported by Force.com, the field is not disabled when Force.com is selected.
• Authentication requests can be initiated by the Identity Provider - Force.com only. The URL is provided during configuration of Force.com.

4. To select logon page options, click Logon Page.

The Cloud Logon Page Options window opens.

5. Select the links that you require in the cloud logon page (you can select one, both, or none):

• Send me the OTP in a message: select this option when you have MobilePASS enrolled
• Send me a Challenge Code for my token: select this option when using a token with challenge/response

6. Click OK.

You are returned to the Add Configuration window.

7. Click OK.

You are returned to the SafeNet Authentication Manager - Portals Configuration window, Cloud Configuration tab. The configuration is added to the list.

8. Select the required configuration from the list and click Info.

The Domain URL window opens.

9. Enter your company's URL and click OK.

The Cloud Configuration Info window opens.

10. The fields are displayed as follows:

Domain URL: Displays the domain URL
Sign-in page URL: Displays the sign-in page URL. Note: This URL is used for logging on to Salesforce after configuration.
Sign-out page URL: Displays the sign-out page URL (Google Apps only)
Change password URL: Displays the change password URL (Google Apps only)
Issuer Name: The computer where the SafeNet Authentication Manager External Portals are installed

11. To export the certificate, click Export Certificate.

The Save As window opens.

12. Enter a file name and click Save.

Note: The certificate is imported into the Google Apps or Force.com portals when configuring the logon.

You are returned to the Cloud Configuration Info window.

13. Click Close.
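A check of the exported certificate before it is uploaded to Google Apps or Force.com, as an added PowerShell example; it is not SafeNet's code. It assumes the export is a DER or Base64 .cer file and uses a placeholder file path. The service provider needs only the public certificate to verify the portal's SAML signatures; a file that also carries the private key must never leave the portal server, and an expired certificate stops cloud logon, so both are flagged.

```powershell
# Added example, not SafeNet code. Checks the certificate exported from the Cloud
# Configuration Info window before it is uploaded to Google Apps or Force.com.
# Assumes a DER or Base64 .cer export; the file path below is a placeholder.

function Test-SamCloudCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinDaysLeft = 60
    )
    $file = (Resolve-Path -LiteralPath $Path).Path
    try {
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    } catch {
        # A password-protected PFX lands here: it carries the private key and must not be uploaded.
        return [pscustomobject]@{ Ok = $false; Problems = "not a plain certificate file: $($_.Exception.Message)" }
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $problems = @()
    # The service provider only needs the public key to verify the portal's SAML
    # signatures; the private key stays on the portal server.
    if ($cert.HasPrivateKey) { $problems += 'file also contains the private key' }
    if ($daysLeft -lt $MinDaysLeft) { $problems += "expires in $daysLeft days; cloud logon fails once it does" }
    if ($cert.SignatureAlgorithm.FriendlyName -match '^(sha1|md5)') {
        $problems += "weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint   # compare with what the provider shows after the upload
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Ok         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Test-SamCloudCertificate -Path 'C:\SAM\cloud-idp.cer'   # placeholder path
```

Record the NotAfter date somewhere it will be seen: the certificate has to be re-exported and re-uploaded to the service provider before it expires, or users lose cloud logon with no warning from either side.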

Setting the Logon Credentials in Google Apps

After configuring the SAM portals, the logon settings must be entered into Google Apps.

To configure the logon settings in Google Apps:

1. In Google Apps, select Advanced Tools>Authentication>Set up Single Sign‐on (SSO).

2. Select Enable Single Sign‐on.

3. Enter the following fields as displayed in the Cloud Configuration Info window (See the Cloud Configuration Info window on page 415).

• Sign-in page URL
• Sign-out page URL
• Change password URL

4. In the Verification Certificate field, click Browse, navigate to the verification certificate, and select the certificate.The verification certificate is that exported from the Cloud Configuration Info window (See the Cloud Configuration Info window on page 415).

Setting the Logon Credentials in Force.com

To set the logon credentials in Force.com:

1. Log on to Force.com2. Select Setup>Security controls>Single sign‐on settings.3. Select SAML Enabled4. Select SAML version 2.0.5. Next to the Identity Provider Certificate field, click Browse and 

navigate to the certificate (The certificate is the cloud certificate exported in the Cloud Configuration Info window).

6. In the Issuer field, enter the Issuer from the Cloud Configuration Info window.

7. Click Save.The salesforce.com login URL is displayed.

8. Copy the salesforce.com login URL supplied into the Service providerʹs domain URL field in the Edit Configuration window.

Page 434: SAM Admin Guide 8.0 Rev A

418 SafeNet Authentication Manager Administrator’s Guide

Configuring the Username Attributes
In the Add Configuration window, there is an option to select the content of a field in the user store as the username for logging on to the cloud. For more information, see Configuring Cloud Logon on page 412.
Any field of an Active Directory (AD) user can be selected from the list of attributes. The selected field contains the username for the cloud logon.
You can also create new fields to contain the username attributes.

Note: IIS must be restarted after changing the Username Attributes, because changing the Username Attributes also changes the URL (for more information, see Configuring Cloud Logon on page 412).

To create new username attributes in AD:

1. Open the SafeNet Authentication Manager ‐ Configuration Manager (for more information, see Launching the SAM Configuration Manager on page 180).

2. Select Action > Cloud Mapping.
The Cloud Mapping window opens.

3. Enter the required username in a field (for example, Additional Name 1) and click OK.

Tip: In AD, the username attribute must exist in the AD schema. To see the attributes available in the AD schema, register the Active Directory Schema snap-in by running the following:
regsvr32 C:\windows\system32\schmmgmt.dll

The field (in this example, Additional Name 1) appears in the attribute list in the Add Configuration window.

To create new username attributes in ADAM:

1. Open the SafeNet Authentication Manager ‐ Policy Manager.
2. Right-click the user and select Properties.
The Properties window opens.
3. In the Cloud tab, enter the required username in a field (for example, Additional Name 1) and click OK.
The field (in this example, Additional Name 1) appears in the attribute list in the Add Configuration window.

Chapter 21

Customizing SAM Websites
You can change the text in SAM Self Service Center and SAM Rescue Service Center, and can replace the graphic files in SAM Management Center, SAM Self Service Center and SAM Rescue Service Center.

In this section:

- Customizing Text
- Customizing Graphic Files

Customizing Text
To change the text in the SAM Self Service Center and the SAM Rescue Service Center, carry out the following two steps:

- Edit the text in the resource files
- Implement the changes using the SAM Branding Tool

Editing the Text in the Resource Files
The text is contained in the resource files (.resx) located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\Resources
To change the text, open each resource file (for example, Resource.en‐US.resx) in a text editor such as Notepad and make the required changes. The resource files are in XML format.
The files are contained in three folders:

AppFramework (contains resource files with text that is common to both websites)
  Subfolder en‐US (English, USA):
    AuditMessages.en-US.resx
    Resource.en-US.resx
    WebControlsResources.en-US.resx

SAMRescue (contains resource files with text for the SAM Rescue Service Center)
  Subfolder en‐US (English, USA):
    Resource.en-US.resx

SAMService (contains resource files with text for the SAM Self Service Center)
  Subfolder en‐US (English, USA):
    Resource.en-US.resx
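As an added example (not from the guide, and not part of the SAM Branding Tool), the following Python script lists and edits the string entries of a .resx file such as Resource.en‐US.resx. It relies on the standard .resx layout, in which each string is a data element with a name attribute and a value child; the sample file embedded in the script is constructed for the example, and its keys and strings are invented rather than SAM's real resource keys. Parsing the XML instead of editing it freehand means a malformed file is reported before the Branding Tool tries to compile it, and only the value text is changed.

```python
"""Added example (not from the SAM guide): list and edit the string
entries of a .resx resource file such as Resource.en-US.resx.

A .resx file is XML; each user-visible string is a <data> element whose
name attribute is the resource key and whose <value> child holds the
text. Only <value> text is touched, so the file stays a valid .resx for
the Branding Tool to compile.
"""
import xml.etree.ElementTree as ET

# Constructed sample in .resx layout. The keys and strings are invented
# for this example and are not the real SAM resource keys.
SAMPLE_RESX = """<?xml version="1.0" encoding="utf-8"?>
<root>
  <resheader name="resmimetype">
    <value>text/microsoft-resx</value>
  </resheader>
  <resheader name="version">
    <value>2.0</value>
  </resheader>
  <data name="WelcomeTitle" xml:space="preserve">
    <value>Welcome to the Self Service Center</value>
  </data>
  <data name="HelpdeskPhone" xml:space="preserve">
    <value>Call the helpdesk at extension 1234</value>
    <comment>Shown on the logon page</comment>
  </data>
</root>
"""


def list_strings(resx_text: str) -> dict:
    """Return {resource key: string value} for every <data> entry.

    ET.fromstring raises ParseError on malformed XML, which is the
    check a hand edit in Notepad does not give you.
    """
    root = ET.fromstring(resx_text)
    result = {}
    for data in root.findall("data"):
        value = data.find("value")
        if value is not None:
            result[data.get("name")] = value.text or ""
    return result


def set_string(resx_text: str, key: str, new_value: str) -> str:
    """Replace the text of one <data> entry and return the new XML.

    Raises KeyError if the key is absent, so a typo in the key cannot
    silently add an entry the website never reads.
    """
    root = ET.fromstring(resx_text)
    for data in root.findall("data"):
        if data.get("name") == key:
            value = data.find("value")
            if value is None:
                value = ET.SubElement(data, "value")
            value.text = new_value
            # Re-emit the declaration so the result is still a complete file.
            return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(
                root, encoding="unicode"
            )
    raise KeyError(key)


if __name__ == "__main__":
    updated = set_string(SAMPLE_RESX, "HelpdeskPhone",
                         "Call the helpdesk at extension 5678")
    for name, text in list_strings(updated).items():
        print(f"{name}: {text}")
```

Run the script against a copy of the real resource file by reading it into a string, calling set_string for each key to change, and writing the result back before launching the Branding Tool.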


Implementing Text Changes with the SAM Branding Tool
After changing the text in the resource files, implement the changes in the SAM Self Service Center and/or SAM Rescue Service Center using the SAM Branding Tool.

To implement the text changes:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Branding Tool.
The Resource Compilation Tool window opens.

2. Complete the fields as follows:

Field: Description
ResGen.exe Path: The path to the ResGen.exe file (typically C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\SDK)
al.exe path: The path to the al.exe file (typically C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\SDK)
SafeNet Authentication Manager Path: The path to the SAM installation folder
Update SAMService: Select to update the SAM Self Service Center
Update SAMRescue: Select to update the SAM Rescue Service Center
Compile resources: Select to compile the resource files
Deploy compiled files: Select to deploy the compiled files to the SAM Self Service Center and/or SAM Rescue Service Center
Culture: Select the required localization from the list

3. To update the SAM Self Service Center and/or SAM Rescue Service Center with the changes, click Update Website.

4. To revert the SAM Self Service Center and/or SAM Rescue Service Center to their state before the changes, click Restore Website.

Customizing Graphic Files
You can replace the graphic files in the SAM Management Center, SAM Self Service Center and SAM Rescue Service Center.
To do this, manually replace the graphic files located in the image folder of each website. The replacement files must have dimensions identical to the files they replace.
The image folders are typically located as follows:

SAM Management Center: C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMManage\Images
SAM Self Service Center: C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMService
SAM Rescue Service Center: C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMRescue\images


Part IV SAM Management
The following chapters describe how to manage SafeNet Authentication Manager using the SAM Management Center.

In this section:

Chapter 22: SAM Management Center Main Features (page 429)
Chapter 23: Helpdesk (page 437)
Chapter 24: Deployment (page 497)
Chapter 25: Inventory (page 517)
Chapter 26: Reports (page 533)
Chapter 27: Downloads (page 563)

Chapter 22

SAM Management Center Main Features
The SAM Management Center is a web‐based application that enables the administrator to control all SafeNet Authentication Manager activities.

In this section:

- Client Requirements
- Browser Settings
- OTP Tokens
- SafeNet eToken Virtual Products
- eToken Network Logon

Client Requirements

To perform activities requiring access to a connected token, the following client applications must be installed on the SAM Management Center computer:

- SafeNet Authentication Client
- SAM Client

If the client applications are not installed, only activities relating to the SAM inventory can be controlled.

Browser Settings
We recommend assigning your browser the following settings:

- For the SAM Management Center website to display correctly, set the browser's Text Size to Medium. On the browser toolbar, select View > Text Size > Medium.
- Set the SAM Management Center as a Local Intranet Site. On the browser toolbar, select Internet Options > Security > Local Intranet.

OTP Tokens
OTP authentication requires a user to submit a One‐Time Password. The following tokens provide an OTP for authentication:

- Hardware tokens on which an OTP is generated and displayed
- Temp OTP, a static value provided to a user for temporary use until an OTP generating device is available
- Mobile‐based platforms running a MobilePASS client software application
- MobilePASS Messaging applications that send generated OTPs as SMS (Short Message Service) messages to the user’s mobile device, or as messages to the user’s email address
- SafeNet eToken Virtual products

Temp OTP
If a user’s token is lost or damaged, and temporarily cannot be replaced, the user can request a Temp OTP to replace the token’s OTP function. A Temp OTP is a static value to use in place of a generated OTP for a limited time. Since its value does not change, it provides only a low level of security.

MobilePASS Tokens
There are two types of MobilePASS tokens:

- MobilePASS Token Enrolled on a Mobile Device
- MobilePASS Messaging Token

MobilePASS Token Enrolled on a Mobile Device
A MobilePASS client software application can be enrolled on the user’s mobile device to generate an OTP without the need for a physical token.
After a MobilePASS token is enrolled, instruct the user to do the following whenever an OTP is required:
a. Open the MobilePASS application on the mobile device.
b. Enter the MobilePASS PIN, if required, to generate an OTP.
c. Copy the generated OTP into the application, together with other authentication data, such as the OTP PIN or Windows password, if required.

MobilePASS Messaging Token
A MobilePASS Messaging token is associated with a user’s mobile device number or email address.
After a MobilePASS Messaging token is enrolled, instruct the user to do the following whenever an OTP is required:
a. Open the MobilePASS Messaging Portal and enter the user name and password.
b. Enter the MobilePASS PIN, if required, to generate an OTP.
A generated OTP is sent as an SMS (Short Message Service) message to the user’s mobile device, or as a message to the user’s email address.
c. Copy the generated OTP into the application, together with other authentication data, such as the OTP PIN or Windows password, if required.

SafeNet eToken Virtual Products
A SafeNet eToken Virtual product is a software token that functions like a physical smartcard device. It can contain all private and public data normally found on a hardware token, such as SSO profiles, OTP generation facilities, and certificates.
Depending on who performs the enrollment, a SafeNet eToken Virtual product can be enrolled on either of the following:

- an external storage device
- any computer running SafeNet Authentication Client

A SafeNet eToken Virtual or SafeNet eToken Virtual Temp enrolled on a computer is stored in the personal Documents folder, in the eTokenVirtual subfolder. Its filename extension is .etvp.

Note: The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.

SafeNet eToken Virtual Storage:

Enrolled by administrator: External storage device: Yes. Computer: No.
Enrolled by user: External storage device: Yes, depending on the SAM configuration. Computer: Yes, depending on the SAM configuration. See SafeNet eToken Virtual locking method on page 165.

SafeNet eToken Virtual
A SafeNet eToken Virtual is a software token with no limitations.
The administrator uses the SAM Management Center to enroll a SafeNet eToken Virtual to an external storage device. The SafeNet eToken Virtual enrollment process does the following:
a. Creates a SafeNet eToken Virtual on the external storage device connected to the administrator’s PC.
b. Sets an initial Token Password.
c. Optionally generates an enrollment letter.
d. Locks the SafeNet eToken Virtual to the external storage device.
The external storage device is delivered to the user in a locked state.

Note: The user must authenticate using the external storage device on which the SafeNet eToken Virtual was enrolled. A SafeNet eToken Virtual cannot be used to authenticate if it is copied to a computer or to a different device.

SafeNet eToken Virtual Temp
A SafeNet eToken Virtual Temp is a SafeNet eToken Virtual that can be used for a limited period of time. It replaces an enrolled physical token. Its content can include time‐limited certificates and time‐limited OTP profiles.
For each enrolled physical token, one SafeNet eToken Virtual Temp can be enrolled.
A SafeNet eToken Virtual Temp is enrolled the same way as a SafeNet eToken Virtual.

SafeNet eToken Rescue
A user’s token content can be saved as a secure backup file, known as a SafeNet eToken Rescue. The user can store the SafeNet eToken Rescue on either of the following:

- an external storage device
- a computer

If the user loses or damages the token while on the road, the user can request to use the SafeNet eToken Rescue as a time‐limited emergency software token, enabling uninterrupted productivity until a replacement token is available.
A SafeNet eToken Rescue can be used in place of an enrolled token for a limited time. The default SafeNet eToken Rescue expiration period is 14 days from the date the file was activated to be used as a software token.

SafeNet eToken Rescue Use Case
The following describes how a SafeNet eToken Rescue is used:
a. Sarah, a user, downloads a SafeNet eToken Rescue before she leaves on a trip, so that the up‐to‐date content on her token is backed up.
b. Sarah discovers that her token is lost, but she is away from the office, and cannot replace it with a new physical token.
c. She reports the token as lost through the SAM Rescue Service Center or directly to the system administrator, and requests access to the downloaded SafeNet eToken Rescue.
d. A SafeNet eToken Rescue password is disclosed to Sarah by the SAM Rescue Service Center or by the system administrator.
e. Sarah authenticates to her applications using the token content saved on the SafeNet eToken Rescue, accessed with the SafeNet eToken Rescue password.

eToken Network Logon
eToken Network Logon uses information stored on a device or on a SafeNet eToken Virtual product to identify and authenticate a user to the network or to a local computer. The authentication credentials may be:

- A profile, consisting of a user ID, a domain to which the user belongs, a password, and a set of options
- A smartcard logon certificate

Since network logon credentials are mapped from the token or device to the user’s account, users need to remember only their Token Password.
eToken Network Logon enables:

- Strong two‐factor user authentication
- Secure generation and use of long and complex network passwords, without requiring users to remember them
- Token password policy stored on the token itself

You can initialize eToken Network Logon profiles on users' tokens for all users in an Organizational Unit (OU) by attaching a SAM Connector for Network Logon rule to the OU.
Use the SAM Connector for Microsoft CA to create smartcard logon certificates.
Set keys to determine network logon behavior, such as:

- whether the user can decide which logon method to use, or whether priority is given to a specific logon method
- whether all users, including the administrator, must use a token to log on to the specific computer
- token removal behavior

eToken Network Logon Device Options
The following tokens can be used to authenticate with an eToken Network Logon profile:

Device Type: Authentication Method
USB token or smartcard: Profile, Certificate
SafeNet eToken Virtual product: Profile, Certificate
Temp Logon: Static Value

eToken Network Logon Use Case
The following describes the process of authenticating to a network using eToken Network Logon:
a. The administrator or the user creates an eToken Network Logon profile on the user’s token.
b. Each time the user wants to initiate a network logon, they connect their token to the computer. A prompt appears asking for the Token Password.
c. The user enters the Token Password and is authenticated by SAM.
d. eToken Network Logon uses the logon information stored on the token to identify and authenticate the user to the network.

Chapter 23

Helpdesk
Use the SAM Helpdesk to manage tokens, and to unlock a user.

Note: The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.

In this section:

- Helpdesk Page Overview
- Accessing the Helpdesk Page
- Unlocking a User
- Enabling a Temp Logon
- Enabling User Access to a SafeNet eToken Rescue
- Resetting the Default User Password
- Revoking a User's Token
- Unassigning a User's Token
- Unlocking a User's Token
- Temporarily Disabling a Token
- Enabling a Token
- Replacing a User's Token
- OTP Options
- Certificate Recovery Workflow Options

Helpdesk Page Overview

The left panel contains the following:
- Tabs for selecting the different SAM Management Center pages
- Search parameters: The administrator selects the domain, the token filter, and up to two different search criteria to be combined in a single search
- Relevant SAM system notifications

Search results are displayed in the right panel.
- At the top right of the panel: The number of records matching the search criteria, and paging operations
- In the middle section: Details of each token matching the search criteria
- Below the displayed tokens: Applications enrolled on the selected token, if present

At the bottom of the right panel, the administrator selects an option.
- Below the Application box, if displayed: OTP options
- Along the bottom of the panel: Token‐related options

Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.

Accessing the Helpdesk Page
Log on to your company’s local network, and access the SAM Helpdesk through the SAM Management Center.

Note: Each company has its own SAM Server. This guide uses the name localhost to represent your company’s SAM Server. When following the steps in the procedure, replace <localhost> with the name of your company’s SAM Server.

To access the Helpdesk page:

1. Open your web browser, and go to http://<localhost>/SAMmanage
where <localhost> is the name of your company’s SAM Server.

Note: For the website to display properly, ensure that the browser’s Text Size is set to Medium.
a. On the browser toolbar, click View.
b. From the dropdown menu, select Text Size > Medium.

2. Depending on your user store, a logon window may open.

You may be required to provide logon credentials, such as Domain, Username, and Password.


You may have an option to select Keep me signed in, which enables you to re‐open the SAM Management Center within a predefined time period without needing to log on again.

The SAM Management Center opens to the Helpdesk page.

3. In the left panel, select the domain, and up to two different search criteria to determine which tokens are displayed.

4. Select the filter and its search criteria:

Search for filter: Search criteria options
Connected tokens: None
Tokens by serial no: Enter a character string to search for all token serial numbers beginning with that string. The length of a token’s serial number is determined by the token type:
  USB tokens: 8 characters
  eToken PASS devices: 12 characters
  SafeNet eToken Virtual products: 16 characters
  MobilePASS tokens: 16 characters
  Note: The serial number of a physical token is the rightmost hexadecimal digit string printed on the token case.
Tokens by user: Enter a character string to search for all usernames beginning with that string. Note: Usernames are not case-sensitive.
Tokens by status: Select from a list of token status types.
  Content Status: Disabled, Empty, Enabled, Revoked, SafeNet eToken Rescue
  Physical Status: Damaged, Lost, Normal
Tokens by approval: Select the appropriate approval status: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
Tokens by user group: Enter a character string to search for all users in group names beginning with that string. Note: User group names are not case-sensitive.
Tokens by user OU: In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by the names of lower-level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by the names of lower-level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Tokens by model: Select from a list of token models in the SAM inventory
Unassigned tokens: None
Token history by user: If the History Tokens feature is enabled in your TPO, enter a character string to search for all tokens whose history includes usernames beginning with that string. Note: Usernames are not case-sensitive.
Token history by approval: If the History Tokens feature is enabled in your TPO, select the appropriate approval status in the token history: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved

5. Click Go.
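The Tokens by user OU filter accepts two path layouts: MyCompany/Marketing/Advertising for a non-Active Directory store and DName1.com/Marketing/Advertising for Active Directory. The following Python parser is an added example, not code from the guide or from SAM. It splits a path into its root and OU segments, tells the two layouts apart by the dotted domain name, rejects empty segments, and, for the AD form, also builds the LDAP distinguished name using the standard canonical-name mapping (that mapping is an addition here; the guide shows only the slash form). The DNS-label check is this example's own assumption.

```python
"""Added example (not from the SAM guide): parse the OU search paths
accepted by the Helpdesk 'Tokens by user OU' filter.

The guide gives two layouts:
  non-AD: <instance name>/<OU name>/...      e.g. MyCompany/Marketing/Advertising
  AD:     <domain>.<extension>/<OU name>/... e.g. DName1.com/Marketing/Advertising
"""
from dataclasses import dataclass, field
import re

# Assumption (not a rule stated in the guide): a DNS label is letters,
# digits and hyphens, not starting or ending with a hyphen.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class OuPath:
    store: str                             # "ad" or "non-ad"
    root: str                              # DName1.com or MyCompany
    ous: list = field(default_factory=list)  # outermost OU first

    def to_dn(self) -> str:
        """LDAP distinguished name for the AD form.

        Innermost OU first, then one DC component per domain label. This
        is the standard AD canonical-name to DN mapping; the guide only
        shows the slash form, so this method is an addition.
        """
        if self.store != "ad":
            raise ValueError("only Active Directory paths map to a DN")
        parts = [f"OU={ou}" for ou in reversed(self.ous)]
        parts += [f"DC={label}" for label in self.root.split(".")]
        return ",".join(parts)


def parse_ou_path(text: str) -> OuPath:
    """Split 'root/OU/OU/...' into its parts, validating each segment."""
    # A trailing slash is allowed ("<instance name>/<OU name>/" in the guide).
    segments = text.strip().rstrip("/").split("/")
    if any(seg.strip() == "" for seg in segments):
        raise ValueError(f"empty segment in OU path: {text!r}")
    root, ous = segments[0], segments[1:]
    if not ous:
        raise ValueError("an OU path needs at least one OU after the root")
    if "." in root:
        # Dotted root: Active Directory domain such as DName1.com.
        if not all(_DNS_LABEL.match(label) for label in root.split(".")):
            raise ValueError(f"invalid domain name in OU path: {root!r}")
        return OuPath(store="ad", root=root, ous=ous)
    # Undotted root: the unique instance name of a non-AD store.
    return OuPath(store="non-ad", root=root, ous=ous)


def is_valid_ou_path(text: str) -> bool:
    """True when parse_ou_path accepts the string."""
    try:
        parse_ou_path(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("MyCompany/Marketing/Advertising",
                   "DName1.com/Marketing/Advertising"):
        parsed = parse_ou_path(sample)
        print(sample, "->", parsed)
        if parsed.store == "ad":
            print("   DN:", parsed.to_dn())
```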


The following is an example of a Helpdesk window following a successful search.

Details of the tokens matching your search criteria are displayed in the right panel.

Note: The number of tokens found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

Label: Description
Account Name: User’s account name
Type: Icon and description of the token model
Serial Number: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
Status: 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal

6. Click the Select button of the appropriate token.
7. If the selected token contains one or more connector applications, an Application box is displayed.
a. In the Application box, click an application’s Detail link to open an Application Details dialog box.
b. If there is more than one application, click the Select button of the required connector application to see its details.
c. Click Close to close the dialog box.
8. Do one of the following:

- If the selected token is an OTP token, select one of the enabled OTP options. See OTP Options on page 470.
- If the selected token is eligible for the Certificate Recovery workflow, select one of the Certificate Recovery options. See Certificate Recovery Workflow Options on page 483.

- Select one of the enabled options at the bottom of the panel.

Option Type / Button: Description

Token-related options
Reset Pwd: Reset the Token Password to the token default password. See Resetting the Default User Password on page 455.
Revoke: Permanently revoke the certificates on the token, and make the token unusable. See Revoking a User's Token on page 455.
Unassign: Disassociate the token from any user, and erase its content from the SAM inventory. See Unassigning a User's Token on page 457.
Unlock: Unlock the token after the allotted number of unsuccessful authentication attempts is exceeded. See Unlocking a User's Token on page 459.
More Actions > Disable: Disable the token temporarily so that it cannot be used. See Temporarily Disabling a Token on page 462.
More Actions > Enable: Enable the disabled token so that it can be used. See Enabling a Token on page 464.
More Actions > Replace: Revoke the token if it is not yet revoked, and load a new token with its content. See Replacing a User's Token on page 465.

User-related options
More Actions > Unlock User: Unlock the user after non-matching authentication questionnaire answers were entered more than the allotted number of times. See Unlocking a User on page 447.
More Actions > Temp Logon: Assign the user a temporary password to use for network logon. See Enabling a Temp Logon on page 449.
More Actions > eT Rescue: Enable user access to a SafeNet eToken Rescue backup file. See Enabling User Access to a SafeNet eToken Rescue on page 452.

Unlocking a User
To authenticate to the SAM Rescue Service Center or to certain SAM Helpdesk services, users must enter the same authentication questionnaire answers that they entered in the SAM Self Service Center. A user becomes locked if non‐matching answers are entered more than the allotted number of times.
Unlock a locked user to allow the user to access the SAM Rescue Service Center.

Tip: If the user does not remember the authentication questionnaire answers, instruct the user to complete the authentication questionnaire again in the SAM Self Service Center.

To unlock a locked user:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of one of the locked user’s tokens, and in the More Actions dropdown menu, select Unlock User.
3. The Unlock User Access window opens.
4. Click Run.
A User successfully unlocked message is displayed.
5. Click Done.

Enabling a Temp Logon
If a user’s token is lost or damaged, and the user’s account is configured for smartcard logon in Active Directory, you can grant the user a temporary logon password to use for network logon.

To enable a Temp Logon for a user:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of one of the user’s tokens, and in the More Actions dropdown menu, select Temp Logon.
3. Depending on your SAM configuration, the Authentication Questions window opens.
Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.

4. The Enable a Temporary User Logon Password window opens.

5. Do the following:


a. In the Temporary Logon Password field, enter a character string that meets the password complexity requirements defined in your SAM configuration.

b. In the Valid until field, enter or select an expiration date for the Temp Logon.

c. Click Run.
A Temporary logon successfully enabled message is displayed.

6. Inform the user of the new Temp Logon password and its expiration date.

7. Click Done.
8. Arrange for the delivery of a new token to the user.

Enabling User Access to a SafeNet eToken Rescue
Depending on your company’s SAM configuration, users can save their token content to a SafeNet eToken Rescue, a secure backup file on their computer or external storage device. A SafeNet eToken Rescue is not accessible to the user until it is activated.
If a user’s enrolled token is subsequently lost or damaged, access to the SafeNet eToken Rescue is enabled by one of the following methods:

- Using the SAM Management Center, the administrator enables user access.
- Using the SAM Rescue Service Center, the user requests access.

A SafeNet eToken Rescue is used as a temporary token replacement. It is accessible for a limited time only, and only through a password that is disclosed when the token is reported as lost or damaged.
Depending on your SAM configuration, a SafeNet eToken Rescue may include the following content that was on the token:

- Certificates
- Network Logon profiles
- OTP generation

If the user needs other token content, such as WSO profiles, instruct the user to restore them to the SafeNet eToken Rescue from backup files.

To enable user access to a SafeNet eToken Rescue:

1. Use the SAM Helpdesk page to search for the token for which a SafeNet eToken Rescue has been downloaded.

2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select eT Rescue.

3. Depending on your SAM configuration, the Authentication Questions window opens.

Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.

4. The Activate User Access to a SafeNet eToken Rescue window opens.

5. Do the following:


a. In the What happened to the token field, select one of the following:

- The token is lost
- The token is damaged

b. In the Valid until field, enter or select an expiration date for the SafeNet eToken Rescue.

Note: Since a SafeNet eToken Rescue provides a lower level of security than a standard token, we recommend limiting its use to the number of days needed to deliver a new physical token.

c. Click Run.
The following new information is displayed:
- the SafeNet eToken Rescue password
- a User access successfully activated message

6. Copy the following information, and send it to the user:
- the SafeNet eToken Rescue password
- the SafeNet eToken Rescue expiration date

7. Click Done.
8. Arrange for the delivery of a new token to the user.
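Both the Temp Logon procedure and the SafeNet eToken Rescue procedure above ask the administrator for a Valid until date, and the Temp Logon procedure also asks for a temporary password that meets the complexity requirements defined in the SAM configuration. The following Python is an example added here, not code from the guide or from SafeNet: it draws a temporary password from the operating system's random source so that each character class the policy demands is present, and it checks a Valid until date against an upper bound. The complexity rules are an assumed stand-in for your SAM configuration, which the guide does not spell out; the 14-day cap is the default SafeNet eToken Rescue expiration period stated earlier in this chapter, and the note above recommends a shorter window where delivery is faster.

```python
"""Added example (not from the SAM guide): helpers for the two fields an
administrator fills in when enabling a Temp Logon or activating a
SafeNet eToken Rescue: a temporary password and a 'Valid until' date.

The PasswordPolicy defaults are an assumption standing in for the
password complexity requirements of your SAM configuration. The 14-day
default cap is the SafeNet eToken Rescue expiration period the guide
states.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = "!@#$%^&*-_=+"


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """True when the string satisfies every enabled rule of the policy."""
    if len(password) < policy.min_length:
        return False
    checks = [
        (policy.require_upper, any(c in string.ascii_uppercase for c in password)),
        (policy.require_lower, any(c in string.ascii_lowercase for c in password)),
        (policy.require_digit, any(c in string.digits for c in password)),
        (policy.require_symbol, any(c in policy.symbols for c in password)),
    ]
    return all(ok for required, ok in checks if required)


def generate_temp_password(policy: PasswordPolicy, length: int = 16) -> str:
    """Random temporary password from the OS CSPRNG (secrets module).

    One character from each required class is drawn first and the rest
    from the full alphabet; the list is then shuffled with a CSPRNG-driven
    Fisher-Yates so the class positions are not predictable.
    """
    if length < policy.min_length:
        raise ValueError("length is below the policy minimum")
    alphabet = string.ascii_letters + string.digits + policy.symbols
    chars = []
    if policy.require_upper:
        chars.append(secrets.choice(string.ascii_uppercase))
    if policy.require_lower:
        chars.append(secrets.choice(string.ascii_lowercase))
    if policy.require_digit:
        chars.append(secrets.choice(string.digits))
    if policy.require_symbol:
        chars.append(secrets.choice(policy.symbols))
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def valid_until_ok(valid_until: str, today: str, max_days: int = 14) -> bool:
    """Accept a 'Valid until' date (ISO format) only if it lies after today
    and no more than max_days ahead, so a temporary credential cannot
    outlive the time needed to deliver a replacement token."""
    until = date.fromisoformat(valid_until)
    now = date.fromisoformat(today)
    return now < until <= now + timedelta(days=max_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    pw = generate_temp_password(policy)
    print("temporary password:", pw, "| policy ok:", meets_policy(pw, policy))
    # Constructed dates for the demonstration.
    print("2010-10-01 ok:", valid_until_ok("2010-10-01", "2010-09-21"))
    print("2010-12-01 ok:", valid_until_ok("2010-12-01", "2010-09-21"))
```

Pass a smaller max_days when the replacement token ships sooner; the check is deliberately strict about the boundary so that a date equal to today is rejected as already expired.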


Resetting the Default User Password
SAM can create an administrator password during token initialization and save it to the token. Should the token become locked, SAM uses the administrator password to unlock it.
The Allow token unlock TPO setting determines if an administrator password is saved to the token. See Recovery Settings on page 166.
If a token was initialized in SAM with an administrator password, the token’s user password can be reset to the company’s default password at any time.
After the token’s user password is reset, your company’s SAM configuration determines if the user is required to change the password.

To reset the user password to the default password:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and click Reset Pwd.
The Reset Token Password window opens.
3. Click Run.
A Token Password successfully reset message is displayed.

4. Click Done.

Revoking a User's TokenFor security reasons, revoke a lost or damaged token as soon as possible.

Note:Depending on your SAM configuration, when a user is deleted from the AD domain, the user’s tokens are automatically unassigned.

When a token is revoked, the following occurs:The token’s status is set to Revoked in the SAM inventory.The token remains associated with its user.

Page 472: SAM Admin Guide 8.0 Rev A

456 SafeNet Authentication Manager Administrator’s Guide

The following token content can never be used again for authentication, and is physically deleted from the token should the token be subsequently connected:

• Certificates
• Network Logon profiles (with a random password)
• OTP generation

Note: Personal token content, such as WSO and SSO profiles, is not deleted, but becomes unusable.

To revoke a token:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token, and click Revoke.

The Revoke a Token window opens.

3. In the Reason for revocation dropdown box, select the appropriate reason:

• Damaged
• Lost
• Upgrade


4. Click Run.

A Token successfully revoked message is displayed.

5. Click Done.

To reuse a revoked token, do one of the following:

• Remove the token from the SAM inventory. For more information, see Chapter 25: Removing a Token from the SAM Inventory, on page 530.
• Initialize the token to delete its user‐specific token content. For more information, see Chapter 25: Initializing a Token, on page 523.

Unassigning a User's Token

For security reasons, unassign all of a user’s tokens when the user leaves the company.

Note: Depending on your SAM configuration, when a user is deleted from the AD domain, the user’s tokens may be automatically unassigned.


The unassigning process revokes the token, and also disassociates it from its user.

To unassign a token:

1. Use the SAM Helpdesk page to search for the appropriate user.

2. Click the Select button of the user’s token, and click Unassign.

The Unassign a Token window opens.

3. Click Run.


A Token successfully unassigned message is displayed.

4. Click Done.

Repeat this process for all of the user’s tokens.

Unlocking a User's Token

If a user consecutively enters an incorrect Token Password more than the allotted number of times, the token becomes locked. Use the Challenge-Response system to unlock the token, and to enable the user to set a new Token Password.

If a token is locked, the user must select Unlock Token in one of the following SafeNet applications:

• SafeNet Authentication Client Tools
• eToken Network Logon


To enable a user to unlock a locked token:

1. After the user contacts you that the token is locked, instruct the user to follow the Unlock Token instructions in the SafeNet application until a Challenge Code is generated.

2. Use the SAM Helpdesk page to search for the appropriate token.

3. Click the Select button of the appropriate token, and click Unlock.

4. Depending on your SAM configuration, the Authentication Questions window opens.

Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.


5. The Unlock a Token window opens.

6. Ask the user to send you the 16‐character Challenge Code displayed in the SafeNet application, and paste or enter it in the Challenge Code field.

7. Click Run.

The following information is displayed:

• a 16‐character Response Code
• a Response Code successfully generated message


8. Copy the generated Response Code, and send it to the user.

9. Instruct the user to complete the Unlock Token instructions in the SafeNet application using the generated Response Code.

10. Click Done.
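The Challenge-Response exchange above, illustrated as an added example that is not part of this guide and does not reproduce SafeNet's actual unlock algorithm: both sides derive the 16-character Response Code from the Challenge Code with an HMAC keyed by a hypothetical per-token unlock key (the key store, the serial number and the key values are constructed). The token side consumes each challenge once, so a Response Code copied in transit cannot be replayed against a later challenge, and the helpdesk side validates the pasted Challenge Code before it touches any key material.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

CODE_LEN = 16  # the guide's Challenge Code and Response Code are both 16 characters

# Constructed key store: serial number -> per-token unlock key held by the
# management server. Real deployments derive such keys; these are demo values.
TOKEN_UNLOCK_KEYS: Dict[str, bytes] = {
    "0001234567": b"constructed-unlock-key-for-token-0001234567",
}


def compute_response(unlock_key: bytes, serial: str, challenge: str) -> str:
    """Derive the response from the challenge (hypothetical scheme, not SafeNet's).

    The serial is bound into the MAC input so that a response computed for one
    token is useless against another token that happened to issue the same challenge.
    """
    msg = serial.encode() + b"|" + challenge.encode()
    mac = hmac.new(unlock_key, msg, hashlib.sha256).hexdigest().upper()
    return mac[:CODE_LEN]


def helpdesk_response(serial: str, challenge: str) -> Optional[str]:
    """Helpdesk side: what the Unlock action returns for a pasted Challenge Code."""
    if len(challenge) != CODE_LEN or any(c not in "0123456789ABCDEF" for c in challenge):
        return None  # reject malformed input before any key lookup
    key = TOKEN_UNLOCK_KEYS.get(serial)
    if key is None:
        return None
    return compute_response(key, serial, challenge)


class LockedToken:
    """Token/client side of the exchange (the SafeNet application's role)."""

    def __init__(self, serial: str, unlock_key: bytes) -> None:
        self.serial = serial
        self._unlock_key = unlock_key
        self.locked = True
        self.password: Optional[str] = None
        self._pending_challenge: Optional[str] = None

    def generate_challenge(self) -> str:
        """Issue a fresh random Challenge Code; any earlier challenge is discarded."""
        self._pending_challenge = secrets.token_hex(CODE_LEN // 2).upper()
        return self._pending_challenge

    def unlock(self, response: str, new_password: str) -> bool:
        """Check the helpdesk's Response Code and, on success, set a new Token Password."""
        if self._pending_challenge is None:
            return False  # no outstanding challenge: nothing to verify against
        expected = compute_response(self._unlock_key, self.serial, self._pending_challenge)
        # One-shot: the challenge is consumed whether or not the response was right,
        # so a captured Response Code cannot be replayed later.
        self._pending_challenge = None
        if not hmac.compare_digest(expected, response):
            return False
        self.locked = False
        self.password = new_password
        return True
```

The user-facing flow maps directly onto the calls: `generate_challenge()` is the Challenge Code the user reads out, `helpdesk_response()` is what the administrator pastes it into, and `unlock()` is the final step the user completes in the SafeNet application.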

Temporarily Disabling a Token

For security reasons, temporarily disable an enrolled token that is not needed for an extended period. If a token is disabled, it must be enabled before it can be used again.

To temporarily disable a token:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select Disable.


The Disable a Token window opens.

3. Click Run.

A Token successfully disabled message is displayed.

4. Click Done.

The token’s status is changed to Disabled.


Enabling a Token

If a token is disabled, it must be enabled before it can be used again.

To enable a token:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select Enable.

The Enable a Token window opens.

3. Click Run.


A Token successfully enabled message is displayed.

4. Click Done.

The token’s status is changed to Enabled.

Replacing a User's Token

Replace a user’s token for one of the following reasons:

• To meet the demands of new technology, an outdated token must be replaced with a new model.
• The user’s token is revoked.
• The user’s token is lost or damaged.


When upgrading tokens to newer models, instruct users to do the following:

a. Before their tokens are upgraded, users should back up their personal token content, such as WSO profiles.

b. After their new tokens are enrolled, users should restore the saved data from the backup files to their tokens.

Tip: Personal token content not saved by SAM should be routinely backed up by all users, so that if their token is lost or damaged, the backed up data can be restored to a replacement token.

When you replace a token, the following activities occur:

a. Revoke: revokes the original token if it is not yet revoked.

b. Add: adds the replacement token to the SAM inventory if it is not already there.

c. Initialize, depending on your SAM configuration: deletes all user‐specific token content on the replacement token and applies the TPO settings.

d. Assign: associates the replacement token with a specific user.

e. Enroll: loads the replacement token with data needed for user authentication. Depending on your SAM configuration, this content may include:

• Certificates
• Network Logon profiles
• eToken SSO profiles
• OTP generation

To replace a user’s token:

1. Use the SAM Helpdesk page to search for the token to be replaced.

2. Click the Select button of the appropriate token, and in the More Actions dropdown menu, select Replace.


The Replace token window opens.

3. If the token has not yet been revoked, the Reason for replacement dropdown box is displayed. Open the dropdown box, and select the appropriate reason:

• Damaged
• Lost
• Upgrade

4. Depending on your SAM configuration, select Initialize token to initialize the token.

5. Depending on your SAM configuration, click Customize replacement to enroll only some of the default connector applications onto the token.


The Applications to Enroll dialog box opens, displaying the available connectors.

Select the appropriate connectors to enroll, and click OK.

6. Do one of the following:

• If the new token is a physical token, connect it, and disconnect all other tokens not yet assigned.
• Depending on your SAM configuration, if the new token is a SafeNet eToken Virtual, connect an external storage device, and select Create a new SafeNet eToken Virtual.

7. Click Run.

8. Depending on the connectors enrolled, an authentication window opens.


a. You may be required to do the following:

• For the Connector for OTP Authentication, enter an OTP PIN, and confirm it.
• For the Connector for Network Logon, enter a logon password, and confirm it.

b. Click Continue.

9. A Token successfully enrolled message is displayed.

10. Click Done.
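The revoke, unassign, disable, enable and replace rules stated in the Helpdesk procedures above, encoded as a small token lifecycle model. This is an added illustration, not SAM's own code: the status names are taken from this guide's Deployment status table, while the Empty status after Initialize and the exact transition guards are assumptions. The model enforces the points the procedures make: a revoked token keeps its user until it is unassigned, its authentication content is deleted only when it is next connected, and it cannot be reassigned until it is initialized or removed from the inventory.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Status names come from this guide's Deployment status table; the transition
# guards below illustrate the Helpdesk procedures and are not SAM's code.
# "Empty" as the status after Initialize is an assumption.
REVOKE_REASONS = {"Damaged", "Lost", "Upgrade"}
# Authentication content that is deleted from a revoked token when it is next
# connected; personal content (WSO/SSO profiles) is kept but becomes unusable.
AUTH_CONTENT = {"Certificates", "Network Logon profiles", "OTP generation"}


class LifecycleError(Exception):
    """An action that is not valid for the token's current status."""


@dataclass
class Token:
    serial: str
    status: str = "Empty"        # content status
    physical: str = "Normal"     # physical status
    user: Optional[str] = None
    content: Set[str] = field(default_factory=set)
    pending_wipe: bool = False   # revoked, but not connected since


class Inventory:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def add(self, serial: str) -> Token:
        return self.tokens.setdefault(serial, Token(serial))

    def remove(self, serial: str) -> None:
        del self.tokens[serial]

    def _get(self, serial: str) -> Token:
        if serial not in self.tokens:
            raise LifecycleError(f"{serial} is not in the inventory")
        return self.tokens[serial]

    def revoke(self, serial: str, reason: str) -> None:
        if reason not in REVOKE_REASONS:
            raise LifecycleError(f"unknown revocation reason {reason!r}")
        tok = self._get(serial)
        tok.status, tok.pending_wipe = "Revoked", True
        if reason in ("Damaged", "Lost"):
            tok.physical = reason
        # Revoke keeps the user association; only Unassign removes it.

    def unassign(self, serial: str) -> None:
        tok = self._get(serial)
        tok.status, tok.pending_wipe = "Revoked", True
        tok.user = None

    def disable(self, serial: str) -> None:
        tok = self._get(serial)
        if tok.status != "Enabled":
            raise LifecycleError(f"cannot disable a token in status {tok.status}")
        tok.status = "Disabled"

    def enable(self, serial: str) -> None:
        tok = self._get(serial)
        if tok.status != "Disabled":
            raise LifecycleError(f"cannot enable a token in status {tok.status}")
        tok.status = "Enabled"

    def initialize(self, serial: str) -> None:
        """Delete all user-specific content; one way to make a revoked token reusable."""
        tok = self._get(serial)
        tok.content.clear()
        tok.pending_wipe = False
        tok.status = "Empty"

    def assign(self, serial: str, user: str) -> None:
        tok = self._get(serial)
        if tok.status == "Revoked":
            raise LifecycleError("initialize or remove a revoked token before reusing it")
        tok.user = user

    def enroll(self, serial: str, user: str, content: Set[str]) -> None:
        self.add(serial)
        self.assign(serial, user)
        tok = self.tokens[serial]
        tok.content |= set(content)
        tok.status = "Enabled"

    def connect(self, serial: str) -> None:
        """Simulate connecting the token: revoked authentication content is deleted."""
        tok = self._get(serial)
        if tok.pending_wipe:
            tok.content -= AUTH_CONTENT
            tok.pending_wipe = False

    def replace(self, old: str, new: str, reason: str, content: Set[str],
                initialize: bool = True) -> None:
        """Revoke (if needed), Add, Initialize (optional), Assign and Enroll."""
        old_tok = self._get(old)
        if old_tok.user is None:
            raise LifecycleError("the original token is not assigned to a user")
        if old_tok.status != "Revoked":
            self.revoke(old, reason)
        self.add(new)
        if initialize:
            self.initialize(new)
        self.enroll(new, old_tok.user, content)
```

`replace()` runs the five activities listed above in order, and the guard in `assign()` is what forces the "remove or initialize" choice for reusing a revoked token.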


OTP Options

If the selected token on the SAM Helpdesk page contains a Connector for OTP Authentication application, click the Select button of the application to display appropriate token OTP options.

Button | Description
Extend OTP | Extend the expiration date of a Temp OTP or of a time-limited OTP token. See Extending an OTP on page 471.
OTP Token | Cancel the Temp OTP, and require the user to authenticate using an OTP that is generated on the selected token. See Replacing a Temp OTP with an OTP Token on page 473.
Temp OTP | Create a temporary OTP value for the user to submit for OTP authentication in place of the selected token. See Replacing an OTP Token with a Temp OTP on page 474.
OTP PIN | Reset the OTP PIN. See Resetting an OTP PIN on page 477.
Validate OTP | Validate the token’s OTP generator. See Validating an OTP Token on page 478.
Lock OTP | Temporarily disable OTP authentication. To enable OTP authentication again, select Unlock OTP. See Locking an OTP on page 480.
Unlock OTP | Enable OTP authentication after it has been temporarily disabled. See Unlocking an OTP on page 482.


Extending an OTP

You can delay the expiration date of a Temp OTP or of a time‐limited OTP token by setting a later expiration date.

To extend an OTP expiration date:

1. Use the SAM Helpdesk page to search for the appropriate token whose OTP has an expiration date.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click Extend OTP.


The Extend the OTP Expiration Date window opens, and the current expiration date is displayed.

5. Enter or select a new expiration date, and click Run.

An extended successfully message is displayed.

6. Click Done.


Replacing a Temp OTP with an OTP Token

Use the OTP Token option to cancel a Temp OTP as soon as a new OTP token is available to replace it.

To replace a Temp OTP with an OTP token:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click OTP Token.

The Unlock an OTP‐Only Token window opens.

5. Click Run.


A Temp OTP usage cancelled message is displayed.

6. Click Done.

The Temp OTP is cancelled, and the user is required to use an OTP generated on the token to authenticate.

Replacing an OTP Token with a Temp OTP

If an OTP token is lost or damaged, enable a Temp OTP to replace the OTP function.

A Temp OTP is a static value to use in place of a generated OTP. Its value does not change, and so it provides only a low level of security. It is valid for a limited time.

To replace an OTP token with a Temp OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click Temp OTP.


The Generate a Temporary Password window opens.

Note: If a Temp OTP is already enabled, a message is displayed that it will be cancelled. The new Temp OTP will replace it.

5. Enter or select an expiration date for the Temp OTP, and click Run.


The following information is displayed:

• the Temp OTP value to use instead of an OTP
• a successfully generated message

6. Write down the Temp OTP value.

7. Click Done.

8. Send the Temp OTP value to the user, together with the following instructions:

a. Record the Temp OTP value in a safe place.

b. Provide the Temp OTP value in place of a value generated on the OTP token.

c. Contact the system administrator to request a replacement Temp OTP if you suspect the Temp OTP value has been compromised.

d. When a new OTP token is available, the Temp OTP will be cancelled.

Use the OTP Token option to cancel the Temp OTP as soon as a new OTP token is available to replace it.


Resetting an OTP PIN

Reset the OTP PIN if the user forgot it.

To reset an OTP PIN:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click OTP PIN.

The Reset OTP PIN window opens.

5. Enter a new OTP PIN, confirm it, and click Run.


A successfully reset message is displayed.

6. Click Done.

7. Send the new OTP PIN to the user.

Validating an OTP Token

If the user repeatedly generates an OTP without submitting one for authentication, or if the time function of an OTP token has deviated, the OTP token loses its synchronization with the system. Validate the OTP token so that SAM can authenticate a subsequently‐generated OTP.

To validate an OTP token:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click Validate OTP.


The Validate an OTP Token window opens.

5. Do one of the following:

• If the user has the OTP token, ask the user to generate an OTP value and to send it to you.
• Generate an OTP on the device.

6. Enter the OTP value, together with any other required information, into the field, and click Run.

7. A message may be displayed to repeat step 5 and step 6.


8. A successfully validated message is displayed.

9. Click Done.
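An added example, not SAM's implementation, of the server-side logic behind the Temp OTP and Validate OTP actions described in the two sections above: an RFC 4226 HOTP verifier with a small look-ahead window, a two-OTP resynchronisation routine for the Validate OTP step (the helpdesk repeats the step with fresh values when the pair does not match), and a static Temp OTP with an expiry that is accepted in place of generated values until it is cancelled with the OTP Token action or extended with Extend OTP. The secret, the window sizes and the rule that generated OTPs are refused while a Temp OTP is enabled are assumptions; the Lock OTP and Unlock OTP actions are modelled as a simple flag.

```python
import hashlib
import hmac
import secrets
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpRecord:
    """Server-side state for one event-based OTP token (constructed example)."""

    def __init__(self, secret: bytes, look_ahead: int = 10, resync_window: int = 100) -> None:
        self.secret = secret
        self.counter = 0                     # next counter value the server expects
        self.look_ahead = look_ahead         # unused OTPs tolerated during normal use
        self.resync_window = resync_window   # how far Validate OTP may search
        self.locked = False
        self.temp_otp: Optional[str] = None
        self.temp_expires: Optional[datetime] = None

    def verify(self, otp: str, now: Optional[datetime] = None) -> bool:
        """Normal authentication with either the Temp OTP or a generated OTP."""
        if self.locked:
            return False
        now = now or datetime.now(timezone.utc)
        if self.temp_otp is not None:
            if now >= self.temp_expires:
                self.cancel_temp_otp()   # expired: fall back to the generator
            else:
                # Assumption: while a Temp OTP is enabled it is the only value accepted.
                return hmac.compare_digest(self.temp_otp, otp)
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1     # consumed, so the same OTP cannot be replayed
                return True
        return False

    def validate(self, otp1: str, otp2: str) -> bool:
        """Validate OTP: resynchronise on two consecutive OTPs anywhere in the window.

        Returns False when the pair does not match, which is when the helpdesk is
        told to repeat the step with two fresh values.
        """
        for c in range(self.counter, self.counter + self.resync_window):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                self.counter = c + 2
                return True
        return False

    def set_temp_otp(self, expires: datetime, value: Optional[str] = None) -> str:
        """Enable a static Temp OTP until `expires`, replacing any existing one."""
        self.temp_otp = value if value is not None else f"{secrets.randbelow(10 ** 8):08d}"
        self.temp_expires = expires
        return self.temp_otp

    def extend_temp_otp(self, new_expiry: datetime) -> None:
        """Extend OTP action for a Temp OTP."""
        if self.temp_otp is None:
            raise ValueError("no Temp OTP is enabled")
        self.temp_expires = new_expiry

    def cancel_temp_otp(self) -> None:
        """OTP Token action: back to OTPs generated on the device."""
        self.temp_otp = None
        self.temp_expires = None

    def lock(self) -> None:
        self.locked = True

    def unlock(self) -> None:
        self.locked = False
```

The look-ahead window is what makes a few unused OTPs harmless, and the much wider resync window is reachable only through `validate()`, which demands two consecutive values; a single guessed OTP therefore never moves the counter more than `look_ahead` steps.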

Locking an OTP

Lock an OTP to temporarily disable its use for OTP authentication.

To lock an OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click Lock OTP.


The Lock OTP Use window opens.

5. Click Run.

A successfully locked message is displayed.

6. Click Done.

To enable its use for OTP authentication again, unlock the OTP.


Unlocking an OTP

The following actions lock an OTP:

• The administrator uses the SAM Helpdesk page to lock the OTP.
• The user exceeds the allotted number of unsuccessful OTP authentication attempts using the token.

Unlock a locked OTP to enable its use for OTP authentication.

To unlock an OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for OTP Authentication application.

4. Click Unlock OTP.

The Unlock OTP Use window opens.

5. Click Run.


A successfully unlocked message is displayed.

6. Click Done.

Certificate Recovery Workflow Options

Certificates on tokens, including History Tokens, containing a Connector for Microsoft CA application can be recovered if the certificate recovery workflow settings are enabled in the TPO.

Click the Select button of the Connector for Microsoft CA application to display appropriate certificate recovery workflow options.

Button | Description
Request Certificate Recovery | Initiate a certificate recovery workflow request. See Requesting a Certificate Recovery Workflow on page 484.
Approve Certificate Recovery | Approve the initiated certificate recovery workflow request. See Approving a Certificate Recovery Workflow on page 486.
Reject Request | The certificate recovery workflow request can be rejected by the user who has roles permissions to approve it. See Rejecting a Certificate Recovery Workflow on page 491.
Cancel Request | The certificate recovery workflow request can be cancelled by the user who initiated it. See Cancelling a Certificate Recovery Workflow on page 488.
Recover Certificates | Select and recover certificates after the certificate recovery workflow request has been approved. See Recovering Certificates on page 493.

Requesting a Certificate Recovery Workflow

Initiate a certificate recovery workflow to recover certificates from the token.

To request a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.


2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for Microsoft CA application.

4. Click Request Certificate Recovery.

The Initiate a Certificate Recovery Workflow window opens.

5. Click Run.

A successfully initiated message is displayed.


6. Click Done.

Approving a Certificate Recovery Workflow

Depending on your SAM configuration, the following may be required after a certificate recovery workflow is initiated:

• Approval by a first‐tier user with the appropriate roles definition
• Approval by a second‐tier user with the appropriate roles definition

To approve a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for Microsoft CA application.

4. Click Approve Certificate Recovery.


The Approve window opens, displaying the appropriate tier.

5. Click Run.

A request approved message is displayed.

6. Click Done.

If your SAM configuration requires two‐tier approval for workflow requests, the user with Tier‐2 roles permission repeats this procedure.


An unqualified request approved message is displayed.

Cancelling a Certificate Recovery Workflow

A certificate recovery workflow can be cancelled by a user who has the same roles permissions as the user who initiated the workflow. If the workflow is cancelled, the certificates cannot be recovered from the token unless a new workflow is initiated and approved.


To cancel a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for Microsoft CA application.

4. Click Cancel Request.


The Cancel Request window opens.

5. Click Run.

A request cancelled message is displayed.

6. Click Done.


Rejecting a Certificate Recovery Workflow

A certificate recovery workflow can be rejected by a user who has roles permissions to approve the workflow. If the workflow is rejected, the certificates cannot be recovered from the token unless a new workflow is initiated and approved.

To reject a certificate recovery workflow:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for Microsoft CA application.

4. Click Reject Request.


The Reject Request window opens.

5. Click Run.

A request rejected message is displayed.

6. Click Done.


Recovering Certificates

After all required approvals have been granted, you can recover the certificates on the token.

To recover the certificates following approval:

1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificate recovery workflow has been approved.

2. Click the Select button of the appropriate token.

3. Click the Select button of the Connector for Microsoft CA application.

4. Click Recover Certificates.


The Recover Certificates window opens.

5. Enter and confirm a new PFX file password to secure the certificate data. Record the file password in a safe place.

6. Click the Select certificates link.

The Select certificates to recover window opens.

7. Click a certificate’s Select button to see its details.

8. Select all certificates to be recovered, and click OK.


A successfully recovered message is displayed.

9. Click the Download certificate file link.

The File Download window opens.

10. Click Save, and save the file.


On the Recover Certificates window, a prompt is displayed for confirmation that the certificate data has been downloaded.

11. Select The certificate data has been downloaded to a file, and click Next.

A workflow completed successfully message is displayed.

12. Click Done.

The certificate data has been recovered.


Chapter 24

Deployment

Use the Deployment page to assign or enroll tokens for users.

In this section:

• Deployment Page Overview
• Accessing the Deployment Page
• Assigning a Token
• Enrolling a Smartcard or USB Token
• Enrolling an OTP Token
• MobilePASS Token Enrollment


Deployment Page Overview

SAM Management Center tabs, search parameters, and system messages are displayed in the left panel.

• Search criteria: The administrator selects up to two different search criteria to be combined in a single search
• SAM system notifications are displayed at the bottom of the left panel, if relevant

Search results are displayed in the right panel.

• At the top right of the panel: The number of records matching the search criteria, and paging operations
• In the middle section: Details of each user matching the search criteria
• At the bottom of the panel: User‐related and token‐related options

At the bottom of the right panel, the administrator selects an option. Appropriate options are enabled for each selected user. Place the cursor on an enabled option to view its tooltip.


Accessing the Deployment Page

Log on to your enterprise’s local network, and access the Deployment page through the SAM Management Center.

Note: Each enterprise has its own SAM Server. This guide uses the name localhost to represent your enterprise’s SAM Server. When following the steps in the procedure, replace <localhost> with the name of your enterprise’s SAM Server.

To access the Deployment page:

1. Open your web browser, and go to http://<localhost>/SAMmanage, where <localhost> is the name of your company’s SAM Server.

2. Depending on your user store:

• You may be required to provide logon credentials, such as Domain, Username, and Password.
• You may have an option to select Keep me signed in, which enables you to re‐open the SAM Management Center within a predefined time period without needing to log on again.

The SAM Management Center opens to the Helpdesk page.

3. At the top of the left panel, select Deployment.

Option Type | Options
Token-related options | Assign, Enroll, MobilePASS, Messaging, OTP Token


The Deployment page opens.

4. In the left panel, select one or two search filters to determine the users to be displayed.


5. Click Go.

Details of the tokens assigned to the users matching your search criteria are displayed in the right panel.

Note: The number of users found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

Search for Filter | Search criteria Options
Users by username | Enter a character string to search for all usernames beginning with that character string. Note: Usernames are not case-sensitive.
Users by direct group | A list of groups defined on the user store
Users by OU | In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Users without connectors | None
Users with no tokens | None
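The Users by OU value format from the table above, parsed by an added example that is not SAM's code. It distinguishes the non-Active Directory form (a bare instance name) from the Active Directory form (a DNS domain) and, for the latter, also maps the slash form to an LDAP distinguished name with RDN values escaped per RFC 4514, so an OU name containing commas or other DN metacharacters cannot change the meaning of a query built from it. The mapping from the canonical form to a DN is standard Active Directory practice and is an assumption about how such a filter would be used, not something this guide states.

```python
import re
from dataclasses import dataclass
from typing import List

# "<domain>.<extension>" (Active Directory) as opposed to a bare "<instance name>".
_DNS_NAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


@dataclass(frozen=True)
class OuFilter:
    root: str          # instance name, or the AD domain's DNS name
    ous: List[str]     # top-level OU first, as written left to right
    is_ad: bool


def parse_ou_filter(text: str) -> OuFilter:
    """Parse the Users by OU search value in the guide's slash-separated format."""
    s = text.strip()
    if s.endswith("/"):            # the documented format ends with a slash
        s = s[:-1]
    parts = s.split("/")
    if len(parts) < 2 or any(p.strip() == "" for p in parts):
        raise ValueError(f"expected <root>/<OU name>[/<lower OU>...], got {text!r}")
    root, ous = parts[0], [p.strip() for p in parts[1:]]
    is_ad = "." in root            # a dotted root is a <domain>.<extension>
    if is_ad and not _DNS_NAME.match(root):
        raise ValueError(f"{root!r} is not a valid <domain>.<extension> name")
    return OuFilter(root=root, ous=ous, is_ad=is_ad)


def _escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an LDAP DN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_ldap_dn(f: OuFilter) -> str:
    """Map an Active Directory OU filter to the DN of its deepest OU (assumed mapping)."""
    if not f.is_ad:
        raise ValueError("only Active Directory OU paths map to an LDAP DN")
    rdns = [f"OU={_escape_rdn_value(ou)}" for ou in reversed(f.ous)]
    rdns += [f"DC={_escape_rdn_value(label)}" for label in f.root.split('.')]
    return ",".join(rdns)
```

Rejecting empty path components and malformed domains up front keeps a mistyped filter from silently widening the search, and the escaping step is the part that matters when the parsed value is later handed to a directory query.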


6. Click Select All, or select one or more Account Names.

7. Select one of the enabled options at the bottom of the panel.

Label | Description
Account Name | User’s account name
Type | Description of the token model
Serial Number | One of the following: the token serial number (printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token); or the total number of tokens, if more than one is assigned to the user
Status | 1. Content Status: No token, Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal

Button | Description
Assign | Associate a token with each selected user
Enroll | Assign a token and load it with user data for each selected user
MobilePASS | Enroll a MobilePASS token for each selected user
Messaging | Enroll a MobilePASS Messaging token for each selected user
OTP Token | Enroll an OTP token for each selected user
Take Picture | Not in use
Print Badge | Not in use

Assigning a Token

When you assign a token, the following activities occur:

a. Add: adds the token to the SAM inventory if it is not already there.

b. Initialize, depending on your SAM configuration: deletes all user‐specific token content on the token and applies the TPO settings.

c. Assign: associates the token with a specific user.

Users can control the activities of tokens assigned to themselves via the SAM Self Service Center.

To assign tokens:

1. Use the SAM Deployment page to search for the appropriate users.

2. Click Select All, or select one or more Account Names to which the tokens will be assigned.

3. Click Assign.


The Assign a Token window opens.

4. Do one of the following:

• To assign a token that can be connected, select Assign a connected token, connect the token, and click Run.
• To assign a token by serial number, select Assign token by its serial number, enter the token serial number, and click Run.

A Token successfully assigned message is displayed.


5. Repeat step 4 until all the selected Account Names have been assigned tokens.

The Assign a Token options are no longer displayed.

6. Click Done.

Enrolling a Smartcard or USB Token

When you enroll a token, the following activities occur:

a. Add: adds the token to the SAM inventory if it is not already there.

b. Initialize, depending on your SAM configuration: deletes all user‐specific token content on the token and applies the TPO settings.

c. Assign: associates the token with a specific user.

d. Enroll: loads the token with data needed for user authentication. Depending on your SAM configuration, this content may include:

• Certificates
• Network Logon profiles
• eToken SSO profiles
• OTP generation


Users can control the activities of their enrolled tokens via the SAM Self Service Center.

To enroll a smartcard or USB token:

1. Use the SAM Deployment page to search for the appropriate users.

2. Click Select All, or select one or more Account Names to which the tokens will be enrolled.

3. Click Enroll.

The Enroll a Token window opens.

4. Depending on your SAM configuration, select Initialize token to initialize the token.

5. Depending on your SAM configuration, click Customize enrollment to enroll only some of the default connector applications onto the token.


The Applications to Enroll dialog box opens, displaying the available connectors.

Select the appropriate connectors to enroll, and click OK.

6. Do one of the following:

• If the new token is a physical token, connect it, and disconnect all other tokens not yet assigned.
• Depending on your SAM configuration, if the new token is a SafeNet eToken Virtual, connect an external storage device, and select Create a new SafeNet eToken Virtual.

7. Click Run.

8. Depending on the connectors enrolled, an authentication window opens.


a. You may be required to do the following:

• For the Connector for OTP Authentication, enter an OTP PIN, and confirm it.
• For the Connector for Network Logon, enter a logon password, and confirm it.

b. Click Continue.

9. A token successfully enrolled message is displayed.

10. Repeat step 4 through step 9 until all the selected Account Names have been assigned tokens.


The enrollment options are no longer displayed.

11. Click Done.

Enrolling an OTP Token

Enroll an OTP token to associate it with a specific user in the SAM inventory.

To enroll an OTP token, you must know its serial number. Have each OTP token device in front of you so that you can see the serial number printed on the label of the OTP token case.

If the serial number printed on the label of an eToken PASS device is not readable, do the following:

a. When the display panel of the eToken PASS device is clear, press the device button and keep it depressed for three seconds.

The value 888888 appears in the display panel.

b. Release the device button, and within two seconds, press the device button again.


The first four characters of the serial number appear in the display panel.

Note: The display panel clears automatically after 15 seconds.

c. Write them down, and press the device button again.

The next four characters of the serial number appear in the display panel.

d. Write them down, and press the device button again.

The last four characters of the serial number appear in the display panel.

e. Write them down.

The string you wrote down is the eToken PASS device’s 12‐character serial number.

To enroll OTP tokens:

1. Ensure that the OTP token file has been loaded. For more information, see Chapter 25: Adding a File of Tokens to the SAM Inventory, on page 526.

2. Use the SAM Deployment page to search for the appropriate users.

3. Click Select All, or select one or more Account Names to which the OTP token devices will be enrolled.

4. Click OTP Token.


The Enroll an OTP‐Only Token window opens.

5. In the OTP Token Serial Number field, enter the 12‐character serial number printed on the label of the OTP device case.

6. Click Run.
A Token successfully enrolled message is displayed.

7. Repeat step 5 through step 6 until all the selected Account Names have been assigned OTP token devices.
The OTP Token Serial Number field is no longer displayed.

8. Click Done.

MobilePASS Token Enrollment

The administrator uses the SAM Management Center to enroll a MobilePASS client software application for the user’s mobile device.

Note: Depending on your SAM configuration, users may enroll a MobilePASS token using the SAM Self Service Center.


Preparing the MobilePASS Token Notification Procedure

Depending on your SAM configuration, the MobilePASS token enrollment may assign the token a MobilePASS PIN. If assigned, the user must provide this MobilePASS PIN when using the MobilePASS token.

Your SAM configuration determines the procedure for notifying the user of the MobilePASS PIN, as well as other necessary information generated during the MobilePASS token enrollment.

To ensure that a MobilePASS notification procedure is enabled in your SAM configuration, do the following:

Define a notification template file.
Define one of the following methods to transmit the notification information to the user:
  Send by email to the user
  Print at your facility for mailing to the user

Note: If your SAM configuration does not require the user to have a MobilePASS PIN, the administrator can copy the information from the screen during the MobilePASS token enrollment, and use any method to send the user the information.

Enrolling a MobilePASS Token

To enroll a MobilePASS token:

1. Ensure that the following conditions are met:
  OTP authentication is enabled for the appropriate users
  The MobilePASS application has been downloaded to the SAM Server. See Downloading MobilePASS Applications on page 569.

2. Use the SAM Deployment page to search for the appropriate users.

3. Click Select All, or select one or more Account Names to which a MobilePASS token will be enrolled.


4. Click MobilePASS.

5. The Enroll a MobilePASS token window opens.

6. Enter the MobilePASS Activation Code.

7. Depending on your SAM configuration, you may be required to set an OTP PIN for the MobilePASS token.


Enter an OTP PIN, confirm it, then click Continue.

Note: The user must provide this OTP PIN when authenticating with an OTP generated on the MobilePASS device.

8. A Token successfully enrolled message is displayed.

9. Repeat step 5 through step 8 until a MobilePASS token has been enrolled for each of the selected Account Names.


The Please enter the Activation Code message is no longer displayed.

10. Click Done.

Sending a MobilePASS Token to the User

If a MobilePASS PIN is required, it is sent via the Notification Method configured in SAM.

Depending on your SAM configuration, if an OTP PIN is required, it can be sent by the administrator, or via the Notification Method configured in SAM.

Using a MobilePASS Token to Generate an OTP

Instruct the user to do the following when an OTP is required:

a. Enter the OTP PIN, if required.
b. Open the MobilePASS application on the mobile device.
c. In the MobilePASS application, enter the MobilePASS PIN, if required, to generate an OTP.
d. Use the generated OTP to authenticate to the application.


Chapter 25

Inventory

Your company’s token inventory information is stored in the SAM database.

Use the Inventory page for the following activities:
  Initialize tokens.
  Upload files of token serial numbers to add the tokens to the SAM inventory.
  Add tokens to the SAM inventory.
  Remove tokens from the SAM inventory.

Note: Adding a token to the SAM inventory is also known as registering a token.

In this section:

  Inventory Page Overview
  Accessing the Inventory Page
  Initializing a Token
  Adding Tokens to the SAM Inventory
  Removing a Token from the SAM Inventory


Inventory Page Overview

SAM Management Center tabs, search parameters, and system messages are displayed in the left panel.

Note: No search parameters are needed to upload a file of tokens.

Search criteria: The administrator selects up to two different search criteria to be combined in a single search.

SAM system notifications are displayed at the bottom of the left panel, if relevant.

Search results are displayed in the right panel:
  At the top right of the panel: The number of records matching the search criteria, and paging operations
  In the middle section: Details of each token matching the search criteria
  At the bottom of the panel: The options Initialize, Token File, Add, and Remove


Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.

Accessing the Inventory Page

Log on to your company’s local network, and access the Inventory page through the SAM Management Center.

Note: Each company has its own SAM Server. This guide uses the name localhost to represent your company’s SAM Server. When following the steps in the procedure, replace <localhost> with the name of your company’s SAM Server.

To access the Inventory page:

1. Open your web browser, and go to http://<localhost>/SAMmanage, where <localhost> is the name of your company’s SAM Server.

2. Depending on your user store:
  You may be required to provide logon credentials, such as Domain, Username, and Password.
  You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.

The SAM Management Center opens to the Helpdesk page.

3. At the top of the left panel, select Inventory.


The Inventory page opens.

4. In the left panel, select one or two search filters to determine the tokens to be displayed.

Note: No search parameters are needed to upload a file of tokens.

Search for (filter) and Search criteria (options):

Connected tokens: None

Tokens by serial no: Enter a character string to search for all token serial numbers beginning with that character string. The length of a token’s serial number is determined by the token type:
  USB tokens: 8 characters
  eToken PASS devices: 12 characters
  SafeNet eToken Virtual products: 16 characters
  MobilePASS tokens: 16 characters
  Note: The serial number of a physical token is the rightmost hexadecimal digit string printed on the token case.

Tokens by user: Enter a character string to search for all usernames beginning with that character string.
  Note: Usernames are not case-sensitive.

Tokens by status: Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, Revoked. Physical Status: Damaged, Lost, Normal.

Tokens by approval: Select the appropriate approval status: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved

Tokens by user group: A list of groups defined on the user store

Tokens by user OU: In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising

Tokens by model: A list of token models in the SAM inventory

Unassigned tokens: None

5. Click Go.
Details of the tokens matching your search criteria are displayed in the right panel.

Note: The number of tokens found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

Label and Description of the search results:

Account Name: One of the following: the user’s account name to which the token is assigned, or Unassigned

Type: Description of the token model

Serial Number: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token

Status: 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked, Not registered (connected, but not in the SAM inventory). 2. Physical Status: Damaged, Lost, Normal


6. In the right panel, select one or more tokens. To select all the tokens displayed, click Select All. To undo your selection, click Clear All.

7. Select one of the enabled options at the bottom of the panel.

Button and Description:

Initialize: Delete all user-specific token content on the selected token and apply the TPO settings

Token File: Add token and OTP token devices to the SAM inventory by uploading a file of the devices’ serial numbers

Add: Add the selected token to the SAM inventory

Remove: Remove the selected token from the SAM inventory

Initializing a Token

When you initialize a token, the following occurs:
  The token is added to the SAM inventory if it is not already there.
  Its user-specific token content is deleted.
  The TPO settings are applied.

The token must be connected so that its content can be modified.

To initialize a token:

1. Connect the tokens to be initialized.

2. Open the SAM Inventory page.

3. In the Search for drop-down box, select Connected tokens.


The connected tokens are displayed.

Note: In the example shown, the Status field reflects the following:
  The first token is already registered in the SAM inventory, but is not assigned to any user.
  The second token is not yet registered in the SAM inventory.

4. Click Select All, or select one or more tokens to initialize.

5. Click Initialize.


The Initialize a Token window opens.

6. Click Run.
A Tokens successfully initialized message is displayed.

7. Click Done.


All of the initialized tokens are now registered in the SAM inventory.

Adding Tokens to the SAM Inventory

When a token is added to the SAM inventory, the device information, such as serial number, is stored in the inventory.

Add new tokens to the SAM inventory for the following purposes:
  To facilitate the management of your total token stock, including tokens not yet assigned.
  To restrict user enrollment of new tokens using the SAM Self Service Center to only those tokens the administrator has added.

Adding a File of Tokens to the SAM Inventory

Add physical tokens to the SAM inventory by uploading a file of the devices’ serial numbers.


To upload a file of token devices:

1. Open the SAM Inventory page.

2. Click Token File.

The Import a Token Serial Number File window opens.

3. Click Browse, browse to the file of token serial numbers, and click Open.

4. Click Upload.
The file of token serial numbers is uploaded.


A File successfully imported message is displayed.

5. Click Run to add the tokens listed in the file to the SAM inventory.
A File successfully uploaded message is displayed.

6. Click Done.
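A token-file upload registers whatever serial numbers the file contains, so it is worth checking the file before Run adds its entries to the inventory. The script below is an added example, not part of the SafeNet guide or product: it applies the serial-number rules the Inventory page states for the Tokens by serial no search (hexadecimal strings of 8, 12 or 16 characters, by token type), rejects malformed lines, flags repeats, and reproduces the prefix search. The one-serial-per-line file layout and the upper-casing of serials are assumptions; the guide does not document the file format, and the serials in the sample are placeholders.

```python
import re

# Serial-number lengths per token type, as listed for the Inventory page
# "Tokens by serial no" search: USB 8, eToken PASS 12, eToken Virtual and
# MobilePASS 16 characters. The guide does not distinguish the two
# 16-character types by serial, so they share one label here.
SERIAL_LENGTHS = {
    8: "USB token",
    12: "eToken PASS",
    16: "SafeNet eToken Virtual or MobilePASS",
}
HEX_RE = re.compile(r"[0-9A-F]+")

# Constructed sample file: one serial per line (the file layout is an
# assumption; the guide does not document it). Serials are placeholders.
SAMPLE_TOKEN_FILE = """\
0123ABCD
00AB12CD34EF
0123456789ABCDEF
0123abcd
12345
0123ABCG
"""


def classify_serial(serial):
    """Return the token type implied by a serial number, or None if it is
    not a hexadecimal string of a documented length. Serials are upper-cased
    first (assumption: the label text is printed in upper case)."""
    s = serial.strip().upper()
    if not HEX_RE.fullmatch(s):
        return None
    return SERIAL_LENGTHS.get(len(s))


def check_token_file(text):
    """Pre-upload check for a serial-number file.

    Returns (accepted, rejected, duplicates):
      accepted   - [(serial, token type)] in file order, de-duplicated
      rejected   - [(line number, raw line, reason)]
      duplicates - [(line number, serial)] for repeats of an earlier line
    """
    accepted, rejected, duplicates, seen = [], [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        s = raw.strip().upper()
        if not s:
            continue                      # blank line, nothing to check
        if not HEX_RE.fullmatch(s):
            rejected.append((line_no, raw, "not a hexadecimal string"))
            continue
        kind = SERIAL_LENGTHS.get(len(s))
        if kind is None:
            rejected.append((line_no, raw, f"length {len(s)} matches no token type"))
            continue
        if s in seen:
            duplicates.append((line_no, s))
            continue
        seen.add(s)
        accepted.append((s, kind))
    return accepted, rejected, duplicates


def search_by_prefix(serials, prefix):
    """Same semantics as the Inventory page 'Tokens by serial no' filter:
    every serial that begins with the given string, sorted."""
    p = prefix.strip().upper()
    return sorted(s for s in serials if s.upper().startswith(p))


if __name__ == "__main__":
    accepted, rejected, duplicates = check_token_file(SAMPLE_TOKEN_FILE)
    for serial, kind in accepted:
        print(f"OK        {serial:<16} {kind}")
    for line_no, raw, reason in rejected:
        print(f"REJECT    line {line_no}: {raw!r}: {reason}")
    for line_no, serial in duplicates:
        print(f"DUPLICATE line {line_no}: {serial}")
    print("prefix 0123 ->", search_by_prefix([s for s, _ in accepted], "0123"))
```

Run it against the file you intend to upload and fix any REJECT or DUPLICATE lines first; a duplicate usually means the same device was listed twice, and a wrong length usually means a mistyped or truncated label.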

Adding a Token to the SAM Inventory

To add a token:

1. Connect the tokens to be added.

2. Open the SAM Inventory page.

3. In the Search for drop-down box, select Connected tokens.
The connected tokens are displayed.

4. Click Select All, or select one or more tokens to add to the SAM inventory.

5. Click Add.


The Add Tokens window opens.

6. Click Run.
A Tokens successfully added message is displayed.

7. Click Done.


Removing a Token from the SAM Inventory

Remove tokens from the SAM inventory for the following purposes:
  Discontinue management overhead for unused tokens
  Delete a corrupted entry from the SAM inventory

When a token is removed from the SAM inventory, the following activities occur:
a. Revoke: revokes the token if it is not yet revoked.
b. Unassign: disassociates the token from all users.
c. Delete: deletes the token entry from the SAM inventory.

To remove a token:

1. Use the SAM Inventory page to search for the appropriate tokens.

2. Click Select All, or select one or more tokens to remove.

3. Click Remove.

The Remove Tokens window opens.

4. Click Run.


A Tokens successfully removed message is displayed.

5. Click Done.


Chapter 26

Reports

Use the SAM Reports page to generate various on-line reports using the information in the SAM inventory.

In this section:

  SAM Reports Page Overview
  Accessing the Reports Page
  Generating a Token Inventory Report
  Generating a Token History Report
  Generating a Token Expiration Report
  Generating a Token Audit Report
  Generating an OTP Usage Report
  Generating a Token Connections Report
  Generating an Hourly Distribution Chart


SAM Reports Page Overview

To produce a SAM report, do the following:

a. In the left panel of the SAM Reports page, select the report to produce.
b. In the left panel of the specific report page, select filters to determine which items to display in the report.
The report is displayed in the right panel.

Accessing the Reports Page

Log on to your company’s local network, and access the Reports page through the SAM Management Center.

To access the Reports page:

1. Open your web browser, and go to http://<localhost>/SAMmanage, where <localhost> is the name of your company’s SAM Server.

2. Depending on your user store:
  You may be required to provide logon credentials, such as Domain, Username, and Password.
  You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.

The SAM Management Center opens to the Helpdesk page.

3. At the top of the left panel, select Reports.


The SafeNet Authentication Manager Reports page opens.

4. In the left panel, click Home to return to the Helpdesk page, or click the appropriate report.

Report and Description:

Token Inventory: Tokens that are included in the SAM inventory
Token History: Historical data of tokens that have been unassigned or removed
Token Expiration: Tokens that are assigned an expiration date
Token Audit: Audit information of SAM operations
OTP Usage: OTP authentication events; the OTP web service configuration determines which operations to audit
Token Connections: Physical tokens connected at the time of the last refresh
Hourly Distribution: Average number of physical tokens connected per hour


Generating a Token Inventory Report

A Token Inventory Report lists details of tokens that are included in the SAM inventory.

To generate a Token Inventory Report:

1. Open the Reports page, and click Token Inventory.
The Token Inventory Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.


Filter and Options:

Token Status: Any Status, Revoked, Enabled, Disabled, SafeNet eToken Rescue, Empty
Certificate Approval: Any Status, Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
Creation Date: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
Modification Date: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
User Group: None, or enter a character string to search for all groups beginning with those characters
Organizational Unit: None, or enter an OU. In a non-Active Directory environment, use the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, use the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Sort By: Serial Number, Model, User Name, Modification Date

3. Click Go.


Details of the tokens matching your search criteria are displayed in the right panel of the report.


4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Label and Description:

Serial Number: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
Model: Specific token model in the SAM inventory
Status: 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal
Assigned User: User’s account name. May be in the format: Display Name (Account Name)
Created: Date the token entry was added to the SAM inventory
Modified: Date the token entry was last modified in the SAM inventory
Applications: Applications enrolled on the token


Generating a Token History Report

If the History Tokens feature is enabled in your TPO, the Token History Report lists the historical data of tokens that have been unassigned or removed.

To generate a Token History Report:

1. Open the Reports page, and click Token History.
The Token History Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.


Filter and Options:

Token Status: Any Status, Revoked, Enabled, Disabled, SafeNet eToken Rescue, Empty
Certificate Approval: Any Status, Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
Creation Date: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
Modification Date: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
User Group: None, or enter a character string to search for all groups beginning with those characters
Organizational Unit: None, or enter an OU. In a non-Active Directory environment, use the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, use the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Sort By: Serial Number, Model, User Name, Modification Date

3. Click Go.


Details of the tokens matching your search criteria are displayed in the right panel of the report.


4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Label and Description:

Serial Number: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
Model: Specific token model in the SAM inventory
Status: 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal
Assigned User: User’s account name. May be in the format: Display Name (Account Name)
Created: Date the token entry was added to the SAM inventory
Modified: Date the token entry was last modified in the SAM inventory
Applications: Applications enrolled on the token


Generating a Token Expiration Report

A Token Expiration Report lists tokens having an expiration date.

To generate a Token Expiration Report:

1. Open the Reports page, and click Token Expiration.
The Token Expiration Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.


Filter and Options:

Expiration Period: Any Date, Today, Next Week, This Week, Next Month, This Month, Yesterday, Last Week, Last Month, Specific Dates (allows input of specific dates)
User Group: None, or enter a character string to search for all groups beginning with those characters
Organizational Unit: None, or enter an OU. In a non-Active Directory environment, use the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, use the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Show Disabled Tokens: Selected, Not selected
Show Revoked Tokens: Selected, Not selected


3. Click Go.
Details of the tokens matching your search criteria are displayed in the right panel of the report.

Label and Description:

Serial Number: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
Assigned User: User’s account name. May be in the format: Display Name (Account Name)
Expires On: Date the token content expires
Days to Expiration: Number of days remaining before the expiration date
Status: 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.


Generating a Token Audit Report

A Token Audit Report lists details of each SAM operation.

To generate a Token Audit Report:

1. Open the Reports page, and click Token Audit.
The Token Audit Report window opens.

2. In the left panel, select one or more search filters to determine the events to display in the report.


Filter and Options:

Event Type: Any Type, Information, Warning, Error
Event Date: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
Category: Any Category, SAM Management Center, SAM Rescue Service Center, SAM Self Service Center, SAM Management Tools, SAM Backend Service, SAM OTP Authentication, SAM Web Service API
Event ID: Any Events, or a specific event defined by SAM
Operator: None, or enter a character string to search for all operators beginning with that character string
User: None, or enter a character string to search for all usernames beginning with that character string
Log Server: Any Log, or a specific log used by SAM


3. Click Go.
Details of the events matching your search criteria are displayed in the right panel of the report.

Label and Description:

Date: Event date, in MM/DD/YY format, and time
Time: Event time, in seconds
Event ID: Event code defined in SAM
Event Type: ERROR, INFORMATION, WARNING
Token Serial: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
Assigned User: Username to whom the token is assigned. May be in the format: Display Name (Account Name)
Operator: SAM operator during the event
Category: SAM Management Center, SAM Rescue Service Center, SAM Self Service Center, SAM Management Tools, SAM Backend Service, SAM OTP Authentication, or SAM Web Service API

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating an OTP Usage Report

An OTP Usage Report lists each audited OTP operation in which a token is used.

Note: The SAM OTP service configuration determines which OTP operations are audited.


To generate an OTP Usage Report:

1. Open the Reports page, and click OTP Usage.
The OTP Usage Report window opens.

2. In the left panel, select one or more search filters to determine the events to display in the report.

3. Click Go.

Filter and Options:

User: None, or enter a character string to search for all usernames beginning with that character string
Time Period: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)


Details of the events matching your search criteria are displayed in the right panel of the report.

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
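The Token Audit and OTP Usage reports above are the only place this guide exposes who did what to a token and which OTP attempts failed, so once the rows are exported they are worth scanning rather than only reading on screen. The script below is an added example, not part of the SafeNet guide or product. It works on rows in the column layout the two reports list (Date, Time, Event ID, Event Type, Token Serial, User, Operator, Category), reproduces the report filters (exact match on Event Type and Category, prefix match on Operator and User, a date range), and adds two checks an administrator would want: a sliding-window count of failed OTP authentications per user, and a per-operator tally of SAM Management Center actions. The sample rows are constructed; the Event IDs, serials, users and operator names are placeholders, and the HH:MM:SS time format is an assumption (the guide only says the time is given in seconds).

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows in the column layout of the Token Audit and OTP Usage
# reports: Date (MM/DD/YY), Time, Event ID, Event Type, Token Serial, User,
# Operator, Category. Event IDs, serials, users and operators are placeholders,
# not real SAM event codes or data; time is assumed to be HH:MM:SS.
SAMPLE_EVENTS = [
    ("03/01/10", "08:02:10", "E100", "INFORMATION", "00AB12CD34EF", "alice", "", "SAM OTP Authentication"),
    ("03/01/10", "08:05:41", "E101", "ERROR", "00AB12CD34EF", "alice", "", "SAM OTP Authentication"),
    ("03/01/10", "08:06:02", "E100", "INFORMATION", "00AB12CD34EF", "alice", "", "SAM OTP Authentication"),
    ("03/01/10", "09:10:00", "E101", "ERROR", "00AB12CD34F0", "bob", "", "SAM OTP Authentication"),
    ("03/01/10", "09:10:07", "E101", "ERROR", "00AB12CD34F0", "bob", "", "SAM OTP Authentication"),
    ("03/01/10", "09:10:15", "E101", "ERROR", "00AB12CD34F0", "bob", "", "SAM OTP Authentication"),
    ("03/01/10", "09:10:22", "E101", "ERROR", "00AB12CD34F0", "bob", "", "SAM OTP Authentication"),
    ("03/01/10", "09:10:30", "E101", "ERROR", "00AB12CD34F0", "bob", "", "SAM OTP Authentication"),
    ("03/01/10", "09:10:38", "E101", "ERROR", "00AB12CD34F0", "bob", "", "SAM OTP Authentication"),
    ("03/01/10", "10:00:00", "E200", "INFORMATION", "0123ABCD", "carol", "DOMAIN\\admin1", "SAM Management Center"),
    ("03/01/10", "10:01:30", "E201", "WARNING", "0123ABCD", "carol", "DOMAIN\\admin1", "SAM Management Center"),
    ("03/02/10", "15:45:12", "E200", "INFORMATION", "0123ABCE", "dave", "DOMAIN\\helpdesk2", "SAM Management Center"),
]

FIELDS = ("date", "time", "event_id", "event_type", "serial", "user", "operator", "category")


def parse_events(rows):
    """Turn report rows into dicts with a datetime under 'when'."""
    events = []
    for row in rows:
        e = dict(zip(FIELDS, row))
        e["when"] = datetime.strptime(f"{e['date']} {e['time']}", "%m/%d/%y %H:%M:%S")
        events.append(e)
    return events


def _day(s):
    return datetime.strptime(s, "%m/%d/%y").date()


def filter_events(events, event_type=None, category=None, operator_prefix=None,
                  user_prefix=None, date_from=None, date_to=None):
    """The Token Audit Report filters: exact match on Event Type and Category,
    prefix match on Operator and User (case-insensitive, as the guide states
    for usernames) and an inclusive MM/DD/YY date range. None means 'Any'."""
    lo = _day(date_from) if date_from else None
    hi = _day(date_to) if date_to else None
    out = []
    for e in events:
        if event_type and e["event_type"] != event_type:
            continue
        if category and e["category"] != category:
            continue
        if operator_prefix and not e["operator"].lower().startswith(operator_prefix.lower()):
            continue
        if user_prefix and not e["user"].lower().startswith(user_prefix.lower()):
            continue
        if lo and e["when"].date() < lo:
            continue
        if hi and e["when"].date() > hi:
            continue
        out.append(e)
    return out


def otp_failure_bursts(events, threshold=5, window_minutes=10):
    """Users with at least `threshold` ERROR events in the SAM OTP
    Authentication category inside any sliding window of `window_minutes`.
    Returns {user: largest count seen in one window}."""
    per_user = {}
    for e in filter_events(events, event_type="ERROR", category="SAM OTP Authentication"):
        per_user.setdefault(e["user"], []).append(e["when"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def operator_activity(events, category="SAM Management Center"):
    """Events per operator in one category: who changed what, for review."""
    return Counter(e["operator"] for e in filter_events(events, category=category))


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    print("OTP failure bursts:", otp_failure_bursts(EVENTS))
    print("Management Center actions:", dict(operator_activity(EVENTS)))
    for e in filter_events(EVENTS, event_type="ERROR", user_prefix="a"):
        print(e["when"], e["event_id"], e["user"], e["serial"])
```

In the sample, bob’s six consecutive failures inside one minute are flagged while alice’s single failure followed by a success is not; the threshold and window are knobs to tune against your own OTP Usage volume, and the per-operator tally is the quickest way to spot an operator account doing work outside its normal pattern.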

Label and Description:

Date: Event date, in MM/DD/YY format
Time: Event time, in seconds
Event ID: Event code defined in SAM
Event Type: ERROR, INFORMATION, WARNING
Token Serial: Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
User: Username to whom the token is assigned. May be in the format: Display Name (Account Name)

Generating a Token Connections Report

A Token Connections Report lists the information for each physical token connected at the time of the last refresh.

The Token Connections Report feature requires the following:
  A connection to Microsoft SQL Server or Microsoft SQL Express
  The SAM Desktop Agent must be installed on every client computer


To generate a Token Connections Report:

1. Open the Reports page, and click Token Connections.
The Token Connections Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.

Filter and Options:

User: None, or enter a character string to search for all usernames beginning with those characters
Organizational Unit: None, or enter an OU. In a non-Active Directory environment, use the format <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, use the format <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Connection Date: Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
Connection Status: Connected, Disconnected, Any Status

3. To change the Auto Refresh status, do one of the following:
  Click Start Auto Refresh to refresh the list of physical tokens connected or disconnected so that the list is always up-to-date.
  Click Stop Auto Refresh to display the list of physical tokens connected at the time of the last system refresh.

4. Click Go.


Details of the token connections matching your search criteria are displayed in the report in the right panel. The number of connected users and connected physical tokens is displayed at the bottom of the left panel.

Label and Description:

User: User logged on to a client computer with a connected token
Token Owner: User’s name to whom the token is assigned. May be in the format: Display Name (Account Name)
Connection Start: Date and time the token was connected
Duration: Duration of token connection, in HH:MM format
OU: OU of the user logged on
Host: Client computer name
Token Serial: Token serial number printed on the token case


5. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating an Hourly Distribution Chart

An Hourly Distribution chart lists the average number of physical tokens connected per hour.

The Hourly Distribution chart feature requires the following:
  A connection to Microsoft SQL Server or Microsoft SQL Express
  The SAM Desktop Agent must be installed on every client computer
  The SAM Desktop Agent Enable token auditing setting must be enabled. See Desktop Agent Settings on page 379.

To enable Hourly Distribution chart generation, see Chapter 19: Configuring Attendance Reports, on page 386.

To generate an Hourly Distribution chart:

1. Open the Reports page, and click Hourly Distribution.
The Hourly Distribution window opens.


2. In the left panel, select one or more search filters to determine the tokens to display in the report.

3. Click Go.
Details of physical token connections for the days selected are displayed in the report in the right panel.

Parameter and Options:

Connection Date: Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates (allows input of specific dates)
Days: Each day of the week: Selected, Not selected


The chart displays the average number of tokens connected each hour, starting from midnight (0), in military hour format (0‐23).

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.
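The chart above is computed by SAM from the same connection records the Token Connections Report shows (Connection Start plus a Duration in HH:MM). The script below is an added example, not part of the SafeNet guide or product, that reproduces the computation offline so the figures can be checked or extended: it turns each connection into an interval, counts how many intervals overlap each hour slot (0 to 23) on each selected day, and averages over the selected days, honouring the Days check boxes as a weekday filter. The overlap rule (a token counts for a slot if any part of its connection falls inside it, with a connection ending exactly on the hour not counting for the next slot) is my reading of "tokens connected per hour"; the guide does not spell it out. The sample rows are constructed and the serials are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample rows using the Token Connections report columns that
# matter here: Token Serial, Connection Start (MM/DD/YY HH:MM), Duration (HH:MM).
# Serials are placeholders. 03/01/10 is a Monday, 03/02/10 a Tuesday.
SAMPLE_CONNECTIONS = [
    ("0123ABCD", "03/01/10 08:30", "02:00"),
    ("0123ABCE", "03/01/10 09:15", "00:30"),
    ("0123ABCF", "03/02/10 08:00", "01:00"),
    ("0123ABCD", "03/02/10 23:30", "01:00"),   # crosses midnight into 03/03
]


def parse_connections(rows):
    """Convert (serial, start, duration) rows into (serial, start, end) intervals."""
    out = []
    for serial, start_s, duration_s in rows:
        start = datetime.strptime(start_s, "%m/%d/%y %H:%M")
        hours, minutes = (int(x) for x in duration_s.split(":"))
        out.append((serial, start, start + timedelta(hours=hours, minutes=minutes)))
    return out


def selected_days(date_from, date_to, weekdays=None):
    """Days in the inclusive MM/DD/YY range, optionally restricted to weekdays
    (0 = Monday ... 6 = Sunday), mirroring the chart's Days check boxes."""
    day = datetime.strptime(date_from, "%m/%d/%y")
    last = datetime.strptime(date_to, "%m/%d/%y")
    days = []
    while day <= last:
        if weekdays is None or day.weekday() in weekdays:
            days.append(day)
        day += timedelta(days=1)
    return days


def hourly_distribution(connections, date_from, date_to, weekdays=None):
    """Average number of tokens connected in each hour slot (0-23) over the
    selected days. A token counts for a slot if its connection interval
    overlaps the slot at all (half-open: a connection ending exactly on the
    hour does not count for the next slot)."""
    days = selected_days(date_from, date_to, weekdays)
    if not days:
        return [0.0] * 24
    totals = [0] * 24
    for day in days:
        for hour in range(24):
            slot_start = day + timedelta(hours=hour)
            slot_end = slot_start + timedelta(hours=1)
            totals[hour] += sum(1 for _, start, end in connections
                                if start < slot_end and end > slot_start)
    return [round(t / len(days), 3) for t in totals]


def peak_hour(distribution):
    """Hour slot with the highest average (the earliest one on ties)."""
    return max(range(24), key=lambda h: (distribution[h], -h))


CONNECTIONS = parse_connections(SAMPLE_CONNECTIONS)

if __name__ == "__main__":
    dist = hourly_distribution(CONNECTIONS, "03/01/10", "03/02/10")
    for hour, avg in enumerate(dist):
        if avg:
            print(f"{hour:02d}:00  {avg:.2f}")
    print("peak hour:", peak_hour(dist))
```

Over the two sample days the averages are 1.0 for the 08:00 and 09:00 slots, 0.5 for 10:00 and 0.5 for 23:00; restricting Days to Monday alone doubles the 09:00 figure, which is the effect to expect when the chart is filtered to working days only.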


Chapter 27

Downloads

Use the SAM Downloads page to download components.

In this section:

  SAM Downloads Page Overview
  Accessing the SAM Downloads Page
  Downloading SAM Web Client
  Downloading MobilePASS Applications


SAM Downloads Page Overview

Use the SAM Downloads page to download the following components:
  SAM Web Client components
  MobilePASS applications

Accessing the SAM Downloads Page

Log on to your company’s local network, and access the SAM Downloads page through the SAM Management Center.

To access the SAM Downloads page:

1. Open your web browser, and go to http://<localhost>/SAMmanagewhere <localhost> is the name of your company’s SAM Server.

2. Depending on your user store:
You may be required to provide logon credentials, such as Domain, Username, and Password.
You may have an option to select Keep me signed in, which enables you to re-open the SAM Management Center within a predefined time period without needing to log on again.

The SAM Management Center opens to the Helpdesk page.

3. In the left panel, select Downloads.


The Downloads page opens.

4. In the right panel, click the component to download.
SAM Web Client for x32
SAM Web Client for x64
MobilePASS applications from the SafeNet download page

Downloading SAM Web Client

SafeNet Authentication Manager Client must be installed on all client computers used for enrolling USB tokens, smartcards, or SafeNet eToken Virtual products.

To install SafeNet Authentication Manager Client on your computer:

1. Open the Downloads page.

2. Do one of the following:

For 32-bit environments, click Download SAM Web Client for x32.
For 64-bit environments, click Download SAM Web Client for x64.


The File Download window opens.

3. Click Run.
A Security Warning window opens, identifying the name of the program.

4. Click Run.
Depending on your SafeNet Authentication Manager configuration, an installation wizard may be initiated to install SafeNet Authentication Manager Client.
The SafeNet Authentication Manager Client Installation Wizard opens.

5. Click Next.


The End‐User License Agreement is displayed.

6. Read the license agreement, and select the option, I accept the license agreement.

7. Click Next.
The Destination Folder window opens, displaying the default installation folder.

8. Click Next.


The Select Installation Type window opens.

9. Do one of the following:
To install the legacy TMS Desktop Agent, select Complete.
For standard installations, select Typical.

10. Click Next to begin the installation.
When the installation is complete, the Successfully installed message is displayed.

11. Click Finish.


Downloading MobilePASS Applications

Download MobilePASS applications to enroll MobilePASS tokens. MobilePASS tokens generate OTPs on mobile devices without the need for physical tokens. MobilePASS tokens work independently of mobile network connectivity.

To download MobilePASS applications:

1. Open the Downloads page, and click Open MobilePASS applications download page.
The SafeNet website opens to the MobilePASS Authenticators Download Page.

2. Use the link on the SafeNet website to download the appropriate MobilePASS application for each mobile device.

After the MobilePASS application is downloaded to a mobile device, a MobilePASS token can be enrolled on it. See MobilePASS Token Enrollment on page 511.


Part V Appendixes

In this section:

Appendix A AD Schema Enhancement


Appendix A

AD Schema Enhancement

This section describes the Microsoft Active Directory (AD) schema changes resulting from the installation of SafeNet Authentication Manager.

In this section:

Prefixes Registered with Microsoft
Naming Conventions
Schema Attributes and Classes Tables


Prefixes Registered with Microsoft

Microsoft has assigned the following prefixes for SafeNet Authentication Manager use:

The prefix for each name is AksTMS.
To distinguish TMS 2.0 schemas from previous TMS versions, the prefix used in this version is AksTMSV20.
The object identifier (OID) prefix is 1.2.840.113556.1.8000.2009.

Classes are assigned the OID prefix 1.2.840.113556.1.8000.2009.1.
Attributes are assigned the OID prefix 1.2.840.113556.1.8000.2009.2.

Naming Conventions

The conventions used for TMS 2.0 class and attribute names are:

Each CN name starts with aks20-.
Each ldapDisplayName starts with AksTMS20.

Schema Attributes and Classes Tables

The following apply to the tables in this document:

Names and OIDs are shown without prefixes.
The existing flags are:

Multi-Valued
Indexed
Global-Catalog
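As an added worked example (editor's code, not SafeNet's and not part of this guide), the following Python shows what the abbreviated table entries below expand to in Active Directory: a relative OID such as 5.9 becomes an attributeID under the registered attribute prefix, the name prefixes from Naming Conventions are prepended (the assumption here is that they are prepended unchanged to the names printed in the tables), the "Syntax (attributeSyntax:oMSyntax)" notation is split into the two schema attributes it encodes, and the Indexed and Global flags are mapped onto searchFlags and isMemberOfPartialAttributeSet, which is the editor's reading of what those flags mean in standard AD schema terms. It also lists the attributes whose descriptions say they hold PINs, passwords or keys, the set an administrator would want to review read permissions on. The sample rows are a constructed subset of the Token and Policy tables.

```python
"""Added example (not SafeNet's code): expand the prefix-stripped names and
OIDs of the SAM schema tables into full Active Directory attributeSchema
values, and flag attributes whose descriptions say they hold secrets."""
import re
from dataclasses import dataclass

# Registered prefixes, as stated in "Prefixes Registered with Microsoft"
# and "Naming Conventions".
OID_BASE = "1.2.840.113556.1.8000.2009"
CLASS_OID_PREFIX = OID_BASE + ".1"
ATTRIBUTE_OID_PREFIX = OID_BASE + ".2"
CN_PREFIX = "aks20-"
LDAP_DISPLAY_PREFIX = "AksTMS20"

# Syntax cells read "Octet string (2.5.5.10:4)": attributeSyntax OID before
# the colon, oMSyntax number after it.
SYNTAX_RE = re.compile(r"^\s*(?P<name>[^(]+?)\s*\((?P<attr>[\d.]+):(?P<om>\d+)\)")


@dataclass(frozen=True)
class Row:
    cn: str
    display: str
    description: str
    syntax: str
    oid: str                 # relative OID exactly as printed, e.g. "5.9"
    flags: tuple = ()        # e.g. ("Global", "Indexed") or ("Multi-valued",)


# Constructed subset of the Token and Policy class tables (values copied
# from the guide's rows; this is sample input, not a full schema export).
SAMPLE_ROWS = [
    Row("tokenSerial", "TokenSerial", "Used to store unique physical token identifier",
        "Octet string (2.5.5.10:4)", "5.9", ("Global", "Indexed")),
    Row("tokenSOPin", "TokenSOPin", "Used to store security officer pin",
        "Octet string (2.5.5.10:4)", "5.11"),
    Row("tokenInitKey", "TokenInitKey", "Used to store token init key",
        "Octet string (2.5.5.10:4)", "5.13"),
    Row("softTokenPIN", "SoftTokenPIN", "Used to store SafeNet eToken Virtual password",
        "Octet string (2.5.5.10:4)", "5.34"),
    Row("applyList", "ApplyList", "Used in Policy class to store list of principals",
        "Unicode string (2.5.5.12:64)", "4.1", ("Multi-valued",)),
]


def parse_syntax(cell: str) -> tuple:
    """Return (attributeSyntax OID, oMSyntax) from a table syntax cell."""
    m = SYNTAX_RE.match(cell)
    if not m:
        raise ValueError(f"unrecognised syntax cell: {cell!r}")
    return m.group("attr"), int(m.group("om"))


def full_attribute_oid(relative: str) -> str:
    """Attribute OIDs in the tables are relative to the attribute prefix."""
    return f"{ATTRIBUTE_OID_PREFIX}.{relative}"


def full_class_oid(relative) -> str:
    """Class OIDs in the Classes tables are relative to the class prefix."""
    return f"{CLASS_OID_PREFIX}.{relative}"


def attribute_schema_entry(row: Row) -> dict:
    """Build the attributeSchema values implied by one table row.
    Assumption: the registered prefixes are prepended unchanged."""
    attr_syntax, om_syntax = parse_syntax(row.syntax)
    flags = {f.lower() for f in row.flags}
    return {
        "cn": CN_PREFIX + row.cn,
        "lDAPDisplayName": LDAP_DISPLAY_PREFIX + row.display,
        "attributeID": full_attribute_oid(row.oid),
        "attributeSyntax": attr_syntax,
        "oMSyntax": om_syntax,
        "isSingleValued": "multi-valued" not in flags,
        # searchFlags bit 1 (fATTINDEX) asks AD to index the attribute.
        "searchFlags": 1 if "indexed" in flags else 0,
        # "Global" in the tables = replicated to the Global Catalog.
        "isMemberOfPartialAttributeSet": "global" in flags,
    }


SECRET_WORDS = {"pin", "password", "key"}


def secret_bearing(rows) -> list:
    """Names of attributes whose description says they hold a PIN, password
    or key: the ones whose read permissions deserve review."""
    found = []
    for r in rows:
        words = set(re.findall(r"[a-z]+", r.description.lower()))
        if words & SECRET_WORDS:
            found.append(r.cn)
    return sorted(found)


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(attribute_schema_entry(row))
    print("secret-bearing attributes:", secret_bearing(SAMPLE_ROWS))
```

Running the block prints one expanded entry per sample row and the names of the three attributes (tokenSOPin, tokenInitKey, softTokenPIN) whose descriptions mention secret material; the same functions apply to every row in the tables that follow, since they all use the same syntax and OID notation.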


Attributes

Common Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
data | Data | Used to store binary data | Octet string (2.5.5.10:4) | 1.1 | | {3691867aa6-d9a136}
version | Version | Used to store version | Integer (2.5.5.9:2) | 1.2 | | {31607f8c-9c48167dd4a}
productionOID | ProductionOID | Used to link production objects from object holders | Unicode string (2.5.5.12:64) | 1.3 | Container indexed | {6c5dfb0c-836b52a886e}
configXML | ConfigXML | Used to store connector configuration XML | Unicode string (2.5.5.12:64) | 3.1 | | {27776b509e3bed8007}


SchemaIDGUID {f7618490-8d61-41ad-8d40-c220731aae6e}

TMS Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
data | See data attribute in Common Attributes
version | See version attribute in Common Attributes
productionOID | See productionOID attribute in Common Attributes

Application Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
configXML | See configXML attribute in Common Attributes
priority | Priority | Used to define enrollment priority of application | Integer (2.5.5.9:2) | 3.2 | |
data | See data attribute in Common Attributes


Policy Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
applyList | ApplyList | Used in Policy class to store list of principals (users and groups) to whom policy applies | Unicode string (2.5.5.12:64) | 4.1 | Multi-valued | {818a3143-d7c04e08-aae0-ae1c52071d36}
data | See data attribute in Common Attributes


Token Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
tokenUser | TokenUser | Used to store user to whom token is assigned | Distinguished name (2.5.5.1:127) | 5.2 | Backward link to tokens | {ae775eed8-48ede-843b18576}
data | See data attribute in Common Attributes
tokenSlotType | TokenSlotType | Used to store slot type (Reader for SC; Virtual for USB; File for SafeNet eToken Virtual) | Integer (2.5.5.9:2) | 5.3 | | {dedd2c902-4958e-5c3c80ec}
tokenProdName | TokenProdName | Used to store product name | Unicode string (2.5.5.12:64) | 5.4 | | {5a277e374-49642-58aa6b00d}
tokenModel | TokenModel | Used to store token model | Unicode string (2.5.5.12:64) | 5.5 | | {34bb35c3c-488f4-210edf9e}
prodDate | ProdDate | Used to store production date | Generalized time (2.5.5.11:24) | 5.6 | | {790b519b5-490db-8bfda187}
caseModel | CaseModel | Used to store case model (node, classic, ng1, ng2, ng2-nolcd) | Integer (2.5.5.9:2) | 5.7 | | {66b6d517e-4b71e-616970257}
cardType | CardType | Used to store smartcard type (none, OS4) | Integer (2.5.5.9:2) | 5.8 | | {d0a2db422-4b539-71e6ab5c}
version | See version attribute in Common Attributes (here it stores the card version)
tokenSerial | TokenSerial | Used to store unique physical token identifier | Octet string (2.5.5.10:4) | 5.9 | Global, Indexed | {e1c154755-4b00c-cb720b06c}
tokenColor | TokenColor | Used to store token color | Integer (2.5.5.9:2) | 5.10 | | {fd0f4526d2-494ff-9db60327e}
tokenSOPin | TokenSOPin | Used to store security officer pin | Octet string (2.5.5.10:4) | 5.11 | | {1a079a4e7-4b23f-9cbd104bd}
tokenSize | TokenSize | Used to store token size | Integer (2.5.5.9:2) | 5.12 | | {e6b29f6ee-4b469-032d75b33}
tokenInitKey | TokenInitKey | Used to store token init key | Octet string (2.5.5.10:4) | 5.13 | | {122400c9e-4bc13-e74c3caa}
hasBattery | HasBattery | Used to store HasBattery flag | Boolean (2.5.5.8:1) | 5.14 | | {bf7c034176-4ada5-b1bb31e7}
hasLCD | HasLCD | Used to store HasLCD flag | Boolean (2.5.5.8:1) | 5.15 | | {86aea31eb-4912f-17d93d592}
hasUser | HasUser | Used to store HasUser flag | Boolean (2.5.5.8:1) | 5.16 | | {e135ed228-4a751-46238c90d}
hasSO | HasSO | Used to store HasSO flag | Boolean (2.5.5.8:1) | 5.17 | | {8641b476f-4a12e-a21186b0}
hasFIPS | HasFIPS | Used to store HasFIPS flag | Boolean (2.5.5.8:1) | 5.18 | | {dccc990c3-4bb69-9daea186f}
hasStorage | HasStorage | Used to store HasStorage flag | Boolean (2.5.5.8:1) | 5.19 | | {dbee90993-4b181-437bc9e97}
isFipsSupported | IsFipsSupported | Used to store IsFipsSupported flag | Boolean (2.5.5.8:1) | 5.20 | | {e3a357e1f-4a35e-d80ec510}
isHMACSHA1Supported | IsHMACSHA1Supported | Used to store IsHMACSHA1Supported flag | Boolean (2.5.5.8:1) | 5.21 | | {1396aafc6-4cb978-b9b4df73}
isRSA2048Supported | IsRSA2048Supported | Used to store IsRSA2048Supported flag | Boolean (2.5.5.8:1) | 5.22 | | {35e619b21-49f3e-227ce802}
isMayInit | IsMayInit | Used to store IsMayInit flag | Boolean (2.5.5.8:1) | 5.23 | | {11c4a7730-4b347-b9de4014a}
tokenLabel | TokenLabel | Used to store token label | Unicode string (2.5.5.12:64) | 5.24 | | {9d39c4191-49613-33342682a}
tokenPhysicalStatus | TokenPhysicalStatus | Used to store token physical lifetime cycle | Integer (2.5.5.9:2) | 5.25 | | {a84d326d2-4a4b6-49a799b6d}
tokenContentStatus | TokenContentStatus | Used to store token content lifetime cycle | Integer (2.5.5.9:2) | 5.26 | | {184dfb1fa-4a528-dd5d8424e}
expirationDate | ExpirationDate | Used to store token expiration date | Generalized time (2.5.5.11:24) | 5.27 | | {3b70ae324-4b774-43448980b}
tokenUserGroups | TokenUserGroups | Used to store token user's groups | Unicode string (2.5.5.12:64) | 5.28 | | {17141ce15-4b153-0c1b2687}
tokenPolicyLinkerPath | TokenPolicyLinkerPath | Used to store token user's policy linker path | Unicode string (2.5.5.12:64) | 5.29 | | {a1cad56a9-48db5-9ecd78574}
tokenUserName | TokenUserName | Used to store token user's name | Unicode string (2.5.5.12:64) | 5.30 | | {7f7dea89c-4aa9a-606efb5a}
tokenUserDisplayName | TokenUserDisplayName | Used to store token user's display name | Unicode string (2.5.5.12:64) | 5.31 | | {97130592b-4afa3-785ed1185}
tokenUserAccountName | TokenUserAccountName | Used to store token user's account name | Unicode string (2.5.5.12:64) | 5.32 | | {01dc9163e-4808f-c9bf475}
softTokenExpirationDate | SoftTokenExpirationDate | Used to store SafeNet eToken Virtual expiration date | Generalized time (2.5.5.11:24) | 5.33 | | {d52c76434-48d23-e511c60c}
softTokenPIN | SoftTokenPIN | Used to store SafeNet eToken Virtual password | Octet string (2.5.5.10:4) | 5.34 | | {a6d641382-4bf40-46f730d6}
InitReqired | InitReqired | Used to store state when token should be formatted at assignment | Boolean (2.5.5.8:1) | 5.35 | | {064ad4381-49a8b-50c746930}
isInitKeySet | IsInitKeySet | Used to determine status of TokenInitKey attribute | Boolean (2.5.5.8:1) | 5.36 | | {4f8ff2f761-48988-948a521c0}


Profile Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
creator | Creator | Used to store link to corresponding Application object | Distinguished name (2.5.5.1:127) | 6.1 | | {178b3001-a973-486c-8cf8-33dd156e8230}
data | See data attribute in Common Attributes
profileType | ProfileType | Used to define profile type | Integer (2.5.5.9:2) | 6.2 | | {01e84908-6cb8-4030-b400-ba03cfc48859}

UserHolder Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
data | See data attribute in Common Attributes
productionOID | See productionOID attribute in Common Attributes
tokens | Tokens | Used to store tokens assigned to user | DnWithString (2.5.5.14:127) +2A86 4886 F714 0101 010C | 7.1 | Multi-valued; Forward link to tokenUser | {4d889717-2ad4-4d8a-9e99-95bff5fa896c}
allowPasswordLogin | AllowPasswordLogin | Used to store flag to enable user to log in without token | Boolean (2.5.5.8:1) | 7.2 | | {4b0a133a-2b63-48faab6-d697c66c71c4}
passwordLoginExpirationDate | PasswordLoginExpirationDate | Used to store expiration date of allowPasswordLogin flag | Generalized time (2.5.5.11:24) | 7.3 | | {6af14a40-8a19-4128321-7489599eff47}
TMSLoginFailuresCount | TMSLoginFailuresCount | Used to store number of failed logins to eToken Remote Help Center | Integer (2.5.5.9:2) | 7.4 | | {8C45D094-AD73-4129-91BC-728DE61A0F59}
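The tokens attribute in the UserHolder table is listed with the syntax DnWithString (2.5.5.14:127) followed by the hex string +2A86 4886 F714 0101 010C. As an added example (editor's code, not part of the guide), the following Python reads that hex as the BER content octets of an object identifier and decodes it to dotted form; an oMSyntax of 127 means an Object attribute, which Active Directory qualifies with an oMObjectClass OID, and the value that falls out is the one AD uses for Object(DN-String). Treating the + sign as a separator between the syntax and this OID is the editor's assumption. The encoder is included so the round trip can be checked, and the decoder rejects a truncated final sub-identifier rather than silently returning a shortened OID.

```python
"""Added example (not SafeNet's code): decode and encode the BER object
identifier printed beside the DnWithString syntax of the tokens attribute."""


def decode_ber_oid(hex_text: str) -> str:
    """Turn BER-encoded OID content octets (given as hex; spaces and a
    leading '+' are tolerated) into dotted-decimal form."""
    data = bytes.fromhex(hex_text.strip().lstrip("+").replace(" ", ""))
    if not data:
        raise ValueError("empty OID")
    # The first octet packs the first two arcs as 40*x + y (x is 0, 1 or 2).
    first = data[0]
    if first < 80:
        arcs = list(divmod(first, 40))
    else:
        arcs = [2, first - 80]
    # Remaining arcs are base-128, big-endian; a set high bit means
    # "more octets follow for this arc".
    value, pending = 0, False
    for octet in data[1:]:
        value = (value << 7) | (octet & 0x7F)
        pending = bool(octet & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID: last sub-identifier is incomplete")
    return ".".join(str(a) for a in arcs)


def encode_ber_oid(dotted: str) -> bytes:
    """Inverse of decode_ber_oid: dotted OID string to BER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # least significant 7 bits, no high bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))   # emit most significant group first
    return bytes(out)


# Hex exactly as printed in the UserHolder table for the tokens attribute.
TOKENS_OM_OBJECT_CLASS_HEX = "+2A86 4886 F714 0101 010C"


def tokens_om_object_class() -> str:
    """Dotted OID carried by the tokens attribute's syntax cell."""
    return decode_ber_oid(TOKENS_OM_OBJECT_CLASS_HEX)


if __name__ == "__main__":
    oid = tokens_om_object_class()
    print(oid, "->", encode_ber_oid(oid).hex().upper())
```

Running the block prints 1.2.840.113556.1.1.1.12 and the re-encoded octets 2A864886F7140101010C, matching the table; the same decoder works for any BER OID you meet in an AD schema dump.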


PolicyLinkerHolder Class Attributes

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
tpLink | TPLink | Used to store linked TPOs | Unicode string (2.5.5.12:64) | 8.1 | | {5bdacaa5a7-45b09e-1ee758fa1}
tpOptions | TPOptions | Used to store Block policy inheritance flag | Integer (2.5.5.9:2) | 8.2 | | {06bac9e11c-418084-2bc9bfd3c}
productionOID | See productionOID attribute in Common Attributes


Classes

TMS Classes

CN | LDAP Display Name | Description | Parent Class | OID | May Include (In Addition to Standard Classes) | SchemaIDGUID
tms | TMS | Main object of TMS; represents TMS database for one production domain | Container | 2 | Profile, Workflow | {c87841c9-11e7-45da-aee7-bd6ba12e639c}
application | Application | Represents application object in TMS | Top | 3 | Workflow | {144fd95b-a1f7-45c5-bb48-e2d1dbb7d200}
policy | Policy | Represents policy object in TMS | Top | 4 | Profile, Workflow | {f237dc2a-9f79-4d20-86ef-90b56029792c}
token | Token | Represents token object in TMS | Container | 5 | Profile, Workflow | {873737e9-e949-4b05-a421-9bb4b8463e5e}
profile | Profile | Represents different profiles and license objects in TMS | Top | 6 | Workflow | {f08a78b2-eefc-4c57-907a-4b7360af21c1}
userHolder | UserHolder | Represents user holder object in TMS | Container | 7 | Profile, Workflow | {dc15e12c-7f58-4063-a13a-6e465f67777a}
policyLinkerHolder | PolicyLinkerHolder | Represents PolicyLinkerHolder object (for AD, represents its OUs and DomainDns objects) | Top | 8 | Workflow | {4f9b820b-2d11-49fd-845c-244305e359c2}


Schema Extensions for TMS 5.0 and Later

Attributes Added to Token Class in TMS 5.0 and Later

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
tokenAppDeviceType | TokenAppDeviceType | Used to store token's application device type | Integer (2.5.5.9:2) | 5.37 | | {c9dbb9950f2d7b9}
tokenAppDeviceTypeID | TokenAppDeviceTypeID | Used to store token's application device type ID | Unicode string (2.5.5.12:64) | 5.39 | | {4101e8692e130}
temporaryToken | TemporaryToken | Used to store token temporary state | Boolean (2.5.5.8:1) | 5.40 | | {DB-148413BF2D0
TemporaryTokenLink | TemporaryTokenLink | Used to store connection with temporary token | Distinguished name (2.5.5.1:127) | 5.41 | Forward link to PrimaryTokenLink | {C0-4B418C9F31F
PrimaryTokenLink | PrimaryTokenLink | Used to store connection with primary token | Distinguished name (2.5.5.1:127) | 5.42 | Backward link to TemporaryTokenLink | {DF23DB6AED2B88
hasUnblock | HasUnblock | Used to store HasUnblock flag | Boolean (2.5.5.8:1) | 5.43 | | {A7-1C40b52BACC
hasClientless | HasClientless | Used to store HasClientless flag | Boolean (2.5.5.8:1) | 5.44 | | {3FFFF9DDC00DF6
softTokenLockMode | SoftTokenLockMode | Used to store lock mode of software tokens | Integer (2.5.5.9:2) | 5.45 | | {F138CBDDCF3A2F

appDeviceType Class Attributes for TMS 5.0 and Later

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
configXML | See configXML attribute in Common Attributes
data | See data attribute in Common Attributes


Classes to Create for TMS 5.0 and Later

CN | LDAP Display Name | Description | Parent Class | OID | May Include (In Addition to Standard Classes) | SchemaIDGUID
appDeviceType | AppDeviceType | Represents application device type object in TMS | Top | 9 | Workflow | {89fb852a-054f-4289-acab-0e966a0440e2}

Schema Extensions for SAM 8.0 and Later

Attributes Added to Token Class in SAM 8.0 and Later

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
workflows | Workflows | Used to store workflow data of token's profiles | Unicode string (2.5.5.12:64) | 5.46 | Multi-valued | {2576BBF3DDFF4
IsHistoryToken | IsHistoryToken | Used to identify History Tokens | Boolean (2.5.5.8:1) | 5.47 | | {2A5-F452A7FB50


Workflow Class Attributes for SAM 8.0 and Later

CN | LDAP Display Name | Description | Syntax | OID | Flags / Link ID | SchemaIDGUID
workflowName | WorkflowName | Used to store workflow name | Unicode string (2.5.5.12:64) | 10.1 | | {EB-12456D2FAA4
workflowStatus | WorkflowStatus | Used to store workflow status | Integer (2.5.5.9:2) | 10.2 | | {9559FB4B648997

Classes to Create for SAM 8.0 and Later

CN | LDAP Display Name | Description | Parent Class | OID | May Include (In Addition to Standard Classes) | SchemaIDGUID
workflow | Workflow | Represents workflow status of operation | Top | 10 | |
