Tivoli® Access Manager for Enterprise Single Sign-On
Authentication Adapter Release Notes
Version 6.0
GC23-6354-03
Note:
Before using this information and the product it supports, read the information in “Notices,” on page 17.
This edition applies to version 6.0 of this adapter and to all subsequent releases and modifications until otherwise
indicated in new editions.
© Copyright International Business Machines Corporation 2005, 2007. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Release Notes
IBM® Tivoli® Access Manager for Enterprise Single Sign-On: Authentication Adapter Version 6.00 Rollup E October, 2007
IBM is releasing version 6.00 Rollup E of IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter (TAM E-SSO: Authentication Adapter). These release notes provide important information about this release. The information in this document supplements and supersedes information in the TAM E-SSO: Authentication Adapter product documents.
The following topics are discussed:
• What’s New in 6.00 Rollup E (page 6)
• Resolved Issues (page 7)
• Open Issues (page 8)
• Hardware and Software Requirements (page 9)
• Technical Notes (page 13)
• Product Documentation (page 16)
What’s New in 6.00 Rollup E
TAM E-SSO: Authentication Adapter integrates with most authentication methods and provides support for both primary logon and re-authentication requests (i.e., forced re-authentication, session timeout, or application-specific authentication request) for both connected and disconnected use.
The major new features of this product include support for smart card authenticator PKCS #11, support for HID proximity cards, and support for RSA SecurID SID800 hardware authenticator.
Support for Smart Card Authenticator PKCS #11
Support for the PKCS #11 is now available through TAM E-SSO: Authentication Adapter smart card authenticator functionality.
Support for HID Proximity Cards
Support for the HID proximity cards is now available through the proximity card authenticator functionality of TAM E-SSO: Authentication Adapter. To install support for this authenticator, during installation select HID ISO Proximity Card Auth on the Custom Setup panel.
Notes:
• To configure HID using multi-authentication, you must use the TAM E-SSO 6.00 Rollup F Administrative Console.
• For more information, see the technical notes about HID ISO Proximity Card authenticator.
Support for RSA SecurID SID800 Hardware Authenticator
Support for RSA SecurID SID800 hardware authenticator retrieval and injection is now available through TAM E-SSO: Authentication Adapter's SoftID Helper functionality when the SID800 is in connected mode.
Resolved Issues
Issues that were reported in earlier releases of TAM E-SSO: Authentication Adapter that have been resolved in this release include:
Tracking Number Description of Issue
a8955 User is not consistently asked to enter their PIN when re-authenticating.
a9222 Smart card: "The parameter is incorrect" error occurs when enrolling with some Schlumberger smart cards.
a9236 Smart card: "The parameter is incorrect" error occurs on a Spanish operating system when a user attempts to enroll with a smart card.
a9465 GemPlus cards with TAM E-SSO: Kiosk Adapter: When using GemPlus cards with TAM E-SSO: Kiosk Adapter, and On Card Storage is installed and Store PIN is turned on in the Administrative Console, the Confirm PIN dialog is presented multiple times before the TAM E-SSO: Kiosk Adapter session unlocks.
a9800 Smart card error: “A general error occurred while reading the smart card. The security token does not have storage space available for an additional container.” This error occurs when switching between any primary logon methods using smart cards or when removing or reinserting smart cards.
a9801 Smart card: Smart card primary logon method does not allow the use of an encryption certificate for the TAM E-SSO passphrase.
Open Issues
This section describes issues that remain open in this release.
Tracking Number Description
a9453 Smart card with TAM E-SSO: Kiosk Adapter: When you pull the smart card reader out of a workstation while logged into a TAM E-SSO: Kiosk Adapter session, the session locks. However, when the reader is plugged back into the workstation, TAM E-SSO: Kiosk Adapter may not respond to events.
To work around this issue, a reboot of the workstation may be required and TAM E-SSO: Kiosk Adapter will respond to events again.
a9459 Sphinx with TAM E-SSO: Kiosk Adapter: Kiosk users have to tap proximity card two times on the reader in order to log in to TAM E-SSO: Kiosk Adapter: once to initiate a TAM E-SSO: Kiosk Adapter logon and a second time to read the card.
a10008 Gemplus Libraries 4.20 with TAM E-SSO: Authentication Adapter: Re-authentication events do not display the PIN dialog. When authenticating to TAM E-SSO, the first authentication properly displays a PIN dialog and allows a successful authentication. Subsequent re-authentication events within a short period of time do not display the PIN dialog, preventing authentication from succeeding.
To work around this issue, restart the TAM E-SSO process requesting authentication.
a10009 Netmaker Net iD 4.6 with TAM E-SSO: Kiosk Adapter: When starting a new TAM E-SSO: Kiosk Adapter session, the user’s synchronization credentials are not read off the card. After entering their PIN, users must then manually enter their synchronization credentials to start the session.
a10010 RSA RAC 2.0 / Smartcard Middleware 2.0 with TAM E-SSO: Kiosk Adapter: RSA Middleware reports that no smart cards are present when TAM E-SSO: Kiosk Adapter is locked and a smart card is inserted into a reader. Sessions must be manually started. After TAM E-SSO: Kiosk Adapter is unlocked, authentication to TAM E-SSO with smart cards will work as expected.
Hardware and Software Requirements
The TAM E-SSO: Authentication Adapter hardware and software requirements are listed under the following sections:
• Supported Operating Systems
• System Requirements
• Disk Space Requirements
• Memory Requirements
• Processor Requirements
• Software Prerequisites
o TAM E-SSO
o Authenticator Software
o Windows Installer
o Microsoft .NET Framework
• Supported Authenticators
Supported Operating Systems
The TAM E-SSO: Authentication Adapter components are supported on the following operating systems:
Operating System Versions Supported
Microsoft® Windows® 2000 SP4
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP1
System Requirements
The TAM E-SSO: Authentication Adapter components system requirements are as follows:
Disk Space Requirements
Disk space requirements for the Agent:
• MSI installer: 15 MB minimum (excluding temporary space and runtime expansion); 30 MB temporary disk space (/tmp) needed during installation; 20 MB for runtime expansion (configuration data and logs)
• EXE installer: 20 MB minimum (excluding temporary space and runtime expansion); 40 MB temporary disk space (/tmp) needed during installation; 25 MB for runtime expansion (configuration data and logs)
Other Disk Space Requirements
The following components require additional disk space:
• Microsoft .NET Framework 2.0: 20 MB hard drive space (if not present)
• Microsoft Windows Installer: 20 MB hard drive space (if not present and if used)
A note about the MSI installer and EXE installer
The disk space requirements are different for the MSI and EXE installers as there are differences in the capabilities of these installers:
• The EXE installer file includes Microsoft .NET Framework version 2.0, which is a requirement for TAM E-SSO: Authentication Adapter.
• The EXE installer file can be run in multiple languages. The MSI file is English-only.
Memory Requirements
Memory requirements for the Agent:
• Minimum: 256 MB RAM
o Recommended: 512 MB RAM
Note: Although this application can run in an environment with the minimum amount of memory installed, the workstation's memory usage should be monitored and additional memory added as needed. A low memory condition can cause this application to fail.
Processor Requirements
Processor requirements for the Agent:
• Minimum: 1 GHz processor
o Recommended: 1.4 GHz processor
Software Prerequisites
The TAM E-SSO: Authentication Adapter Agent requires the following software prerequisites:
TAM E-SSO
• This release requires the use of TAM E-SSO 6.00 Rollup E. In order to configure the Authentication Manager enrollment, grade, and order options with HID ISO Prox Card, the 6.00 Rollup F Administrative Console is required.
Authenticator Software
• The client software for each authenticator must be installed. Strong authenticator clients are likely to have their own system requirements, which may differ from the requirements of TAM E-SSO: Authentication Adapter. Please refer to the strong authenticator’s documentation to review the system requirements.
Windows Installer
• Windows Installer 2.0 is required for the MSI installer file.
Microsoft .NET Framework
• Microsoft .NET Framework 2.0 is required for the Administrative Console.
Supported Authenticators
TAM E-SSO: Authentication Adapter supports the following authenticators:
Authenticator Versions Supported
Smart card • GemSafe Libraries 4.2.0
• GemSafe GXPPro-R3.x STD PTS smart cards
• GemSafe GXPPro-R3.x FIPS PTS smart cards
• Schlumberger Cyberflex Access 4.3
• Axalto Access Client Software 5.2
• Cryptoflex e-gate 32K smart cards
• RSA Authentication Client 2.0 / Smartcard Middleware 2.0
• RSA Smart Card 5200 smart cards
• RSA Smart Key 6200
• RSA SecurID SID800 hardware authenticator
• NetMaker Net iD 4.6
• NetMaker Net iD - CardOS 1 smart cards
• SafeSign/RaakSign Standard 2.3
• ORGA JCOP21 v2.2 smart cards
• Microsoft Base Smart Card CSP
• Gemalto Cryptoflex .NET smart cards
Xyloc • Ensure Tech lock
• Ensure Tech Xyloc XC-2 badges
• Xyloc client 8.4.6
• Xyloc Active Directory Schema Extension 4.2.6
• Xyloc Active Directory UI Extension 4.2.0
Sphinx • OmniKey Cardman 5121 reader
• HID iClass 16k CL proximity cards
• Sphinx Logon Manager v3.2.36
• Sphinx CardMaker v3.2.36
SAFLink • Precise Biometrics 100 series reader
• SAFsolution(R) Enterprise Edition Version 1.3
DigitalPersona • U.are.U 4000B reader
• DigitalPersona Pro Workstation 3.4.0
Entrust • Entrust Desktop Solutions 6.1
Proximity Card • OmniKey Cardman 5125 reader
• HID ISOProx II proximity cards
SoftID Helper • RSA SecurID Software Token 3.0.3
• RSA Authentication Client 2.0
• RSA SecurID SID800 hardware authenticator
Technical Notes
The technical notes describe important technical information about this release.
TAM E-SSO: Authentication Adapter Console
The TAM E-SSO: Authentication Adapter Administrative Console has been merged with the TAM E-SSO Administrative Console. This new console must be installed to utilize all of the administrative settings available in TAM E-SSO: Authentication Adapter 6.00 Rollup E. The console can be installed from the TAM E-SSO CD; instructions are provided in the TAM E-SSO Installation and Setup Guide.
Ensure Technologies Xyloc and TAM E-SSO: Kiosk Adapter Integration
Configure the following setting when using Xyloc Proximity Badges and integrating with TAM E-SSO: Kiosk Adapter:
• When configuring sync in the TAM E-SSO Administrative Console, the sync order must be set, even if there is only one sync installed. The Sync Order setting is located under Global Agent Settings > Live > Synchronization.
SAFLINK SAFAuthenticator and TAM E-SSO: Kiosk Adapter Integration
The following technical notes apply when using SAFLINK SAFAuthenticator for TAM E-SSO and integrating with TAM E-SSO: Kiosk Adapter:
• When configuring sync in the TAM E-SSO Administrative Console, the sync order must be set, even if there is only one sync installed. This setting, “Sync Order,” can be found under Global Agent Settings > Live > Synchronization.
• The Escape key [Esc] cannot be used to cancel out of the biometric authentication dialog when unlocking TAM E-SSO: Kiosk Adapter with SAFLINK. This happens when a user is starting a new session or logging on to the current one, because TAM E-SSO: Kiosk Adapter disables the Escape key for security reasons. The dialog can be closed by clicking the X button at the top of the window.
DigitalPersona Authenticator
The DigitalPersona service caches credentials for several seconds after an authentication. If a user authenticates through DigitalPersona and then encounters another authentication scenario within 20 seconds, the user is not prompted to supply credentials, because during the reauthorization scenario the credentials are still cached by DigitalPersona. This is a function of DigitalPersona and cannot be changed by IBM.
Sphinx Authenticator
• Microsoft Visual C++ 2005 Redistributable Package (x86) is required for the Sphinx authenticator. This can be downloaded from Microsoft’s web site.
• There is a CardID and PIN caching feature in the Sphinx API that has been included since version 3.2.23b+ of Sphinx Logon Manager. The card serial number and PIN used during GINA logon are cached.
When using Sphinx to authenticate the first time after a successful synchronization, the user is not prompted for their proximity card or PIN. The action completes as a successful authentication.
To disable the caching feature, open Sphinx CardMaker. From the Configuration menu, click Card Settings. On the PIN tab, set PIN Verification Timeout to 0.
• When using Sphinx and integrating with TAM E-SSO: Kiosk Adapter, the value of GINADllName located in the Sphinx configuration file must be set to “SMGina.dll”. The configuration file, SphinxCfg.in, is located in the C:\Program Files\Sphinx Logon Manager directory.
• To work with TAM E-SSO, the following settings are required to be set in Sphinx CardMaker from the Configuration menu:
Server tab > Program Settings: the following settings must be set to TRUE (selected):
o Allow Self Enrollment
o Require Windows/Sphinx User Name
o Require Windows Password
o Apply Initial Windows Logon Data
General tab > Card Settings: the following settings must be set to FALSE (cleared):
o Automatically Start Logon Manager
o Allow Edit of Automatically Start Logon Manager
o Start Minimized
o Allow Edit of Start Minimized
o Allow Pop-up
o Allow Edit of Pop-up
o Disable Logon Manager Application
Web/App Logon tab > Card Settings: the following settings must be set to FALSE (cleared):
o Use Website Logon Auto-Recorder
o Allow Edit of Website Logon Auto-Recorder
o Use Windows Application Auto-Recorder
o Allow Edit of Windows Application Auto-Recorder
o Use Auto-Fill
o Allow Edit of Auto-Fill
RSA SecurID SID800 Support
RSA Authentication Client supports the use of one RSA SecurID SID800 hardware authenticator at a time.
HID ISO Proximity Card Authenticator
• Microsoft Visual C++ 2005 Redistributable Package (x86) is required for the HID ISO Proximity Card authenticator. This can be downloaded from Microsoft’s web site.
• To use the HID ISO Proximity Card Authenticator with Active Directory, you must enable the storing of credentials under user objects:
1. Open the TAM E-SSO Administrative Console.
2. Connect to the repository.
3. From the Repository menu, select Enable Storing Credentials Under User Objects (AD only).
Smart Card Authenticator
• When SafeSign/RaakSign middleware is used with TAM E-SSO: Authentication Adapter, the following value must be set in the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\AUI\SCauth
SmartCardAPI = (DWORD) 0x00000001
• Due to technical limitations with the .NET cards, when using .NET smart cards with TAM E-SSO: Kiosk Adapter, inserting the smart card when TAM E-SSO: Kiosk Adapter is locked always causes a new session to start. To unlock an existing session, click the Unlock Existing Session link.
• When the Use default certificate for authentication configuration option (located in the SSO Administrative Console Global Agent Settings > Primary Logon Methods > Smart Card > Advanced) is set to Use SSO-generated keys, users may be prompted to enter their PIN twice during the First Time Use (FTU) enrollment process. This is normal and necessary in order to create the SSO keyset. Subsequent authentications after FTU only prompt the user to enter their PIN once.
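As an added check that is not part of these release notes or of the product, the following PowerShell function verifies that the SafeSign/RaakSign registry value named above is present and set to 1, and writes it when run with -Fix. The key path and value name are taken from the note; the function name and the -Fix switch are assumptions of this example.

```powershell
# Added example (not IBM's code): verify the SafeSign/RaakSign registry setting
# called for in the Smart Card Authenticator technical note. Run as an
# administrator when using -Fix, because HKLM is not writable by standard users.
function Test-ScauthSmartCardApi {
    [CmdletBinding()]
    param(
        # Write the expected value when it is missing or wrong instead of only reporting.
        [switch]$Fix
    )

    # Key and value name exactly as given in the release notes.
    $keyPath   = 'HKLM:\SOFTWARE\Passlogix\AUI\SCauth'
    $valueName = 'SmartCardAPI'
    $expected  = 1

    $current = $null
    if (Test-Path -Path $keyPath) {
        # A missing value is a finding to report, not a script error.
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$valueName }
    }

    if ($current -eq $expected) {
        Write-Output "OK: $keyPath\$valueName = $current (DWORD)"
        return $true
    }

    $state = if ($null -eq $current) { 'missing' } else { "set to $current" }
    Write-Warning "$keyPath\$valueName is $state; expected $expected for SafeSign/RaakSign middleware."

    if (-not $Fix) { return $false }

    # Create the key if needed, then write the DWORD (overwrites a wrong existing value).
    if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $expected -Force | Out-Null
    Write-Output "Fixed: $keyPath\$valueName set to $expected (DWORD)"
    return $true
}

# Report only; add -Fix to remediate.
Test-ScauthSmartCardApi
```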
Product Documentation
The following documents support this product:
• TAM E-SSO: Authentication Adapter Installation and Setup Guide
• TAM E-SSO Console Help
• TAM E-SSO Agent Help
Appendix. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
developerWorks
eServer
IBM
iSeries
Lotus
Passport Advantage
pSeries
RACF
Rational
Redbooks
Tivoli
WebSphere
zSeries
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Printed in USA
GC23-6354-03