Single Sign-On
Administration Guide
Table of Contents
Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Chapter 2: Installing ActivIdentity SecureLogin Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Installing Using Installer Command-line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Windows Installer Command-line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Windows Installer Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
ActivIdentity SecureLogin Property Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Install Mode Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Install, Uninstall and Configure Feature Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Java Application Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Mozilla Firefox Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Citrix or Terminal Services Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Group Policy Object Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Smart Card Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ActivIdentity SecureLogin Installer Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Start-up Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Cache Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
User Interface Install Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Uninstall Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Installer Code Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Mode and Feature Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Installation with User Interface Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Feature Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Silent Citrix Command-line Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 3: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ActivIdentity SecureLogin Personal Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Start the Personal Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ActivIdentity SecureLogin Administrative Management Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Start the Administrative Management Utility from the Start Menu . . . . . . . . . . . . . . . . . . . . . . . . . 22
Start the Administrative Management Utility using the Active Directory Snap-in . . . . . . . . . . . . . . 23
Chapter 4: Configuring ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Setting User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
External Use | November 23, 2009 | Product Version 6.2 | 2009 ActivIdentity
Re-Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
External Re-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Installing ActivIdentity SecureLogin for Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Client Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Server-Side Administration Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Minimum Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Supported Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring ActivIdentity SecureLogin for Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
ActivIdentity SecureLogin Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Require Smart Card is present for SSO and Administration Operation . . . . . . . . . . . . . . . . . . . 91
Use AES for SSO Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Use Smart Card to Encrypt SSO Data: PKI or Symmetric Key. . . . . . . . . . . . . . . . . . . . . . . . . . 92
Seamless Authentication Method Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
PKI Encryption of Data Store and Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Choosing a Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Certificate Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Current Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Check Certificate Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Lost Card Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Lost Card Scenario Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Require Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Allow Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Default. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Temporary Access Using Passphrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Access with No Card Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Restoring a Smart Card Using a Card Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
PKI Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Card Management System (CMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Chapter 11: Enabling Applications and Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
About Enabling Applications and Web Sites for ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . .100
Windows Server 2003/2008 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Microsoft Internet Explorer Enhanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Disabling Internet Explorer Enhanced Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Enabling Applications Using a Predefined Application Definition . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Enabling Applications (Windows/Java) and Web Sites Using the Application Definition Wizard . . .103
Realm Logon and Credential Sharing between Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Enable a Java Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Enable a Terminal Emulator Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Create and Save a Terminal Emulator Session File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
List of Tables
Table 2.1: Windows Installer Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Table 2.2: ActivIdentity SecureLogin Install Mode Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Table 2.3: ActivIdentity SecureLogin Feature Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 2.4: ActivIdentity SecureLogin REMOVE Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 2.5: ActivIdentity SecureLogin User Interface Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 5.1: Preferences General Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Table 5.2: Preferences Java Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 5.3: Preferences Security Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 5.4: Preferences Web Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 5.5: Preferences Windows Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 7.1: Passphrase Policy Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 8.1: Password Policy Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Table 11.1: Terminal Launcher Command-line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Table 11.2: Terminal Launcher Command-line Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Table 13.1: Multiple Logons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Table 14.1: ActivIdentity SecureLogin Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Table 14.2: Single Sign-on Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 15.1: Save ActivIdentity SecureLogin Data Configuration Options . . . . . . . . . . . . . . . . . . . . . . 150
Table 15.2: Load ActivIdentity SecureLogin Data Configuration Options . . . . . . . . . . . . . . . . . . . . . . 154
Table 16.1: SLAP Tool Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Table B.1: Protocom-SSO-Auth-Data Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table B.2: Protocom-SSO-Entries Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table B.3: Protocom-SSO-Entries-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table B.4: Protocom-SSO-Profile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table B.5: Protocom-SSO-Security-Prefs Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table B.6: Protocom-SSO-Security-Prefs-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Table B.7: Protocom-SSO-Auth-Data Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table B.8: Protocom-SSO-Entries Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table B.9: Protocom-SSO-Entries-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table B.10: Protocom-SSO-Profile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.11: Protocom-SSO-Security-Prefs Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.12: Protocom-SSO-Security-Prefs-Checksum Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.13: User-based Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Table B.14: Directory Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Chapter 1: Introduction
Product Overview
This document is for:
- System and network administrators
- System integrators
- IT support staff with a good understanding of Windows operating systems and management tools (Active Directory, Management Console, Group Policy and LDAP).
Prerequisites
ActivIdentity SecureLogin version 6.2 requires Microsoft's Windows Installer 3.0 or later. ActivIdentity recommends that you use version 3.1.
Microsoft Windows Installer 3.0 is available for download from the Microsoft web site:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5fbc5470-b259-4733-a914a956122e08e8
Microsoft Windows Installer 3.1 is available on the ActivIdentity SecureLogin installation CD (WindowsInstaller-KB893803-v2-x86.exe in the Product\Extras\Redistributables\Windows Installer folder).
To check the current version of Windows Installer on your workstation, click Start, click Run, type msiexec at the command line, and click OK. The Windows Installer dialog box, which includes the version number, is displayed.
Windows Installer Command-line Options
TABLE 2.1: Windows Installer Commands
Command         Description
/i              Installs or configures a product
/f              Repairs a product
/a              Performs an administrative (network) installation
/x              Uninstalls a product
/p              Applies a patch
/q              Sets the user interface level (see "User Interface Install Options" on page 18)
/help           Displays help
/quiet          Quiet mode, no user interaction
/passive        Unattended mode, progress bar only
/norestart      Does not restart the computer after the installation is complete
/forcerestart   Always restarts the computer after the installation
/promptrestart  Prompts the user for a restart if one is necessary
/uninstall      Uninstalls an application
/log            Writes installation information to the specified log file
/package        Installs or configures a product
/update         Applies one or more updates
The package file name contains spaces, so the path must be quoted.
32-bit platforms:
msiexec /i "C:\ActivIdentity SecureLogin x86 6.2.msi"
64-bit platforms:
msiexec /i "C:\ActivIdentity SecureLogin x64 6.2.msi"
Windows Installer Properties
Private properties
The Installer uses private properties internally; their values must be authored into the installation database or set to values determined by the operating environment.
Public properties
ActivIdentity SecureLogin Property Values
Install Mode Values
TABLE 2.2: ActivIdentity SecureLogin Install Mode Values
Value        Description
MAD          Microsoft Active Directory mode
ADAM         Microsoft Active Directory Application Mode
LDAP         LDAP directory mode
STANDALONE   Standalone mode
For example, to install in Microsoft Active Directory Application Mode:
X_INSTALLTYPE=ADAM
Important: The commands are case-sensitive.
Install, Uninstall and Configure Feature Values
TABLE 2.3: ActivIdentity SecureLogin Feature Values
Value             Description
X_INSTALLADMIN    Administration tools (SL Manager, SLAP tool)
X_INSTALLJAVA     Java application support
X_INSTALLCITRIX   Citrix or Terminal Services support
X_USEGPO          Group Policy Object support
X_SMARTCARD       Smart card support
Administration Tools
To install the administration tools (SL Manager, SLAP tool) set:
X_INSTALLADMIN="Yes"
To install the MMC plug-in (either in Microsoft Active Directory or Microsoft Active Directory Application Mode), also set one of the following:
X_INSTALLTYPE="MAD"
X_INSTALLTYPE="ADAM"
Smart Card Support
To install smart card support set:
X_SMARTCARD="Yes"
ActivIdentity SecureLogin Installer Properties
The following private properties are written into the ActivIdentity SecureLogin installer package (.msi file) and can be used to manually install, configure, or uninstall ActivIdentity SecureLogin:
"Start-up Properties" on page 17
"Cache Properties" on page 17
"Remove" on page 18
Start-up Properties
X_RUNATSTARTUP controls whether ActivIdentity SecureLogin runs at system start-up.
For example, to run ActivIdentity SecureLogin at start-up:
msiexec /i "E:\Product\ActivIdentity SecureLogin x86 6.2.msi" X_RUNATSTARTUP=Yes
Important: ActivIdentity strongly recommends that customers do not change the default installation directory setting.
Cache Properties
X_CACHEDIR controls whether ActivIdentity SecureLogin uses a non-standard cache directory.
X_CACHEDIR must be used in conjunction with X_CHANGECACHEDIR=0 to specify the custom directory option.
For example:
X_CHANGECACHEDIR="0" X_CACHEDIR="C:\My Cache"
Remove
Note: The features available using REMOVE= are the same as the options that appear in the Windows Control Panel's Add/Remove Programs/Change/Modify Programs.
TABLE 2.4: ActivIdentity SecureLogin REMOVE Values
Value       Description
Admin       Administration tools
Java        Java application support
Firefox     Mozilla Firefox plug-in
Citrix      Citrix or Terminal Services support
Smartcard   Smart card support
ALL         All features
To remove more than one feature, separate the feature names with commas, with no spaces between the feature names and no comma after the last feature.
For example, to remove both the Administration tools and Firefox features:
REMOVE=Admin,Firefox
User Interface Install Options
TABLE 2.5: ActivIdentity SecureLogin User Interface Values
Value   Description
/qn     Displays no user interface. This option installs the application and reboots, showing the user nothing to indicate that the installation is taking place. The user cannot cancel the installation.
/qb     Displays a basic user interface. This option installs the application and prompts the user to reboot, indicating that the installation has taken place. The user can cancel the installation.
/qr     Displays a reduced user interface with a modal dialog box displayed at the end of the installation.
/qf     Displays the full user interface with a modal dialog box displayed at the end.
/qn+    Displays no user interface, except for a modal dialog box displayed at the end.
/qb+    Displays a basic user interface with a modal dialog box displayed at the end.
/qb-    Displays a basic user interface with no modal dialog boxes.
32-bit platforms:
msiexec.exe /i "C:\ActivIdentity SecureLogin x86 6.2.msi" /qn
64-bit platforms:
msiexec.exe /i "C:\ActivIdentity SecureLogin x64 6.2.msi" /qn
Uninstall Options
The Windows Installer uninstall option requires the /x switch instead of /i.
The following example uninstalls ActivIdentity SecureLogin. The process is completely invisible to the user.
32-bit platforms:
msiexec /x "ActivIdentity SecureLogin x86 6.2.msi" /qn
64-bit platforms:
msiexec /x "ActivIdentity SecureLogin x64 6.2.msi" /qn
Installer Code Examples
Mode and Feature Installation
With the Mozilla Firefox and Group Policy Objects features added.
With the Admin tools, Smart card support (using ActivClient default settings), Mozilla Firefox and Group Policy Objects features added.
Feature Removal
The following example removes Mozilla Firefox support.
msiexec /i "C:\ActivIdentity SecureLogin x86 6.2.msi" REMOVE=Firefox
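The following PowerShell script is an added example and is not part of the ActivIdentity guide; it assembles a silent msiexec command line for the 6.2 package from the properties documented above (X_INSTALLTYPE, X_INSTALLADMIN, X_INSTALLJAVA, X_INSTALLCITRIX, X_USEGPO, X_SMARTCARD, X_RUNATSTARTUP, X_CHANGECACHEDIR/X_CACHEDIR and REMOVE), enforces the case-sensitivity and no-spaces rules the guide states, quotes the path, checks the Windows Installer 3.0 prerequisite, and adds /norestart and /log so an unattended rollout neither reboots silently nor runs without a record. The function names, the friendly feature names (Admin, Java, Citrix, GPO, Smartcard) and the default log path are this example's own; the guide documents no install property for the Firefox plug-in on this page, so Firefox appears only as a REMOVE value.

```powershell
# Added example, not from the ActivIdentity guide. Builds, validates and
# optionally runs a silent msiexec command line for ActivIdentity SecureLogin 6.2.

function Test-WindowsInstallerVersion {
    # The guide requires Windows Installer 3.0 or later; msi.dll carries the version.
    param([version]$Minimum = '3.0')
    $dll = Join-Path $env:SystemRoot 'System32\msi.dll'
    $info = (Get-Item $dll).VersionInfo
    $found = [version]$info.ProductVersion
    if ($found -lt $Minimum) {
        throw "Windows Installer $found found; version $Minimum or later is required"
    }
    return $found
}

function New-SecureLoginInstallArgs {
    param(
        [Parameter(Mandatory)][string]$MsiPath,   # e.g. 'C:\ActivIdentity SecureLogin x86 6.2.msi'
        [string]$InstallType,                     # MAD, ADAM, LDAP or STANDALONE (case-sensitive)
        [string[]]$Features = @(),                # Admin, Java, Citrix, GPO, Smartcard (names are this example's)
        [string[]]$Remove = @(),                  # Admin, Java, Firefox, Citrix, Smartcard, ALL
        [switch]$RunAtStartup,
        [string]$CacheDir,
        [string]$LogPath = (Join-Path $env:TEMP 'SecureLogin-install.log')   # assumed default
    )
    # The package name contains spaces, so it is quoted. /qn = no UI, /norestart
    # stops an unattended reboot, /log keeps a record of what the installer did.
    $msiArgs = @('/i', ('"{0}"' -f $MsiPath), '/qn', '/norestart', '/log', ('"{0}"' -f $LogPath))

    # Mode values are case-sensitive (guide: "The commands are case-sensitive"),
    # so use PowerShell's case-sensitive -ccontains rather than -contains.
    if ($InstallType) {
        $modes = @('MAD', 'ADAM', 'LDAP', 'STANDALONE')
        if (-not ($modes -ccontains $InstallType)) {
            throw "X_INSTALLTYPE must be one of $($modes -join ', ') in exact case; got '$InstallType'"
        }
        $msiArgs += "X_INSTALLTYPE=$InstallType"
    }

    # Friendly feature name -> installer property (Table 2.3).
    $featureProps = @{ Admin = 'X_INSTALLADMIN'; Java = 'X_INSTALLJAVA'; Citrix = 'X_INSTALLCITRIX'
                       GPO = 'X_USEGPO'; Smartcard = 'X_SMARTCARD' }
    foreach ($f in $Features) {
        if (-not $featureProps.ContainsKey($f)) { throw "Unknown feature '$f'" }
        $msiArgs += ('{0}="Yes"' -f $featureProps[$f])
    }
    if (($Features -contains 'Admin') -and ($InstallType -notin @('MAD', 'ADAM'))) {
        Write-Warning 'The MMC plug-in is only installed with X_INSTALLTYPE="MAD" or "ADAM"'
    }
    if ($RunAtStartup) { $msiArgs += 'X_RUNATSTARTUP=Yes' }
    if ($CacheDir) {
        # X_CACHEDIR only takes effect together with X_CHANGECACHEDIR=0 (guide, "Cache Properties").
        $msiArgs += 'X_CHANGECACHEDIR="0"', ('X_CACHEDIR="{0}"' -f $CacheDir)
    }
    if ($Remove.Count -gt 0) {
        $removable = @('Admin', 'Java', 'Firefox', 'Citrix', 'Smartcard', 'ALL')
        foreach ($r in $Remove) {
            if (-not ($removable -ccontains $r)) { throw "Unknown REMOVE value '$r'" }
        }
        # Comma-separated, no spaces, no trailing comma (guide, "Remove").
        $msiArgs += 'REMOVE=' + ($Remove -join ',')
    }
    return ($msiArgs -join ' ')
}

function Invoke-SecureLoginInstall {
    param([Parameter(Mandatory)][string]$ArgumentList, [switch]$DryRun)
    if ($DryRun) { return "msiexec.exe $ArgumentList" }
    Test-WindowsInstallerVersion | Out-Null
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgumentList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; reboot required (deferred by /norestart)' }  # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "msiexec exited with $($proc.ExitCode); see the log file" }
    }
}

# Usage: ADAM mode with administration tools, GPO and smart card support and a
# custom cache directory; -DryRun only prints the command line.
$cmd = New-SecureLoginInstallArgs -MsiPath 'C:\ActivIdentity SecureLogin x86 6.2.msi' `
    -InstallType 'ADAM' -Features Admin,GPO,Smartcard -CacheDir 'C:\My Cache'
Invoke-SecureLoginInstall -ArgumentList $cmd -DryRun
```

Exit code 3010 is Windows Installer's standard "success, reboot required" result; with /norestart the reboot is left to the administrator, which is what you want when the package is pushed to many workstations at once. Remove the -DryRun switch to actually run the installer.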
2. In the Object drop-down list, select from the list, or type, the full distinguished name of the user object, container, or organizational unit to administer. Alternatively, use the browser to navigate to the appropriate object.
Important: You must press the Enter key to submit the entry typed in the Object field. Clicking OK closes the dialog box but does not accept the entry you typed.
Note: The Users Properties dialog box cannot be closed while the Administrative Management Utility is open.
4. Click Manage.
The Administrative Management Utility is displayed.
Active Directory Users and Computers snap-in. For more information, see "Start the Administrative Management Utility using the Active Directory Snap-in" on page 23.
or
Note: For more information about the Preference properties, see "Managing Preferences" on page 35.
Note: Some of the value settings are text fields where you type in a number and some display dialog boxes.
2. In the General column, locate the setting you want to change and then, in the Value column, click the appropriate value from the drop-down list (Yes, No, or Default).
3. Click OK.
4. Click Yes to save the setting.
The selected value is saved and the Administrative Management Utility closes.
Legacy Data
The current ActivIdentity SecureLogin client can read data created by all previous versions of ActivIdentity SecureLogin. However, older versions of ActivIdentity SecureLogin cannot read data created by version 6.0 and later.
This means that in a mixed corporate environment, where some workstations are running ActivIdentity SecureLogin version 6.0 or later and others an earlier version, data compatibility issues arise when a user moves between different versions of ActivIdentity SecureLogin on different workstations. This is especially problematic in Citrix environments or in large enterprise deployments.
Automatic Datastore Detection
When ActivIdentity SecureLogin 6.2 is installed, it detects that version 3.5 data is in use and continues to function correctly. While ActivIdentity SecureLogin 6.2 is operating in this mode, all version 3.5 functions continue to be available. Any new functionality or data available in ActivIdentity SecureLogin 6.0 or later is not available.
This notably includes smart card support and PKI and AES encryption of data. If this new functionality is not required, then there is no need to upgrade the datastore format to version 6.0. However, if this new functionality is required, then the following processes need to be completed:
Group
Container
Organization
User
Ensure that all user workstations in that section of the tree have been upgraded with the ActivIdentity SecureLogin 6.2 client.
The next time those users log on, their data is converted to version 6.0 format and the new features are available.
2. Right-click the desired object (in this example, Users) and click Properties.
The Properties window is displayed.
4. Click Manage.
The ActivIdentity SecureLogin Administrative Management Utility is displayed.
5. In the left navigation tree, click Advanced Settings.
7. Select the required version from the Select version drop-down list.
A Warning is displayed.
8. Click Yes.
When a user's directory data version is upgraded, the datastore information displayed in the ActivIdentity SecureLogin About box is not updated until the user right-clicks the ActivIdentity SecureLogin icon in the Windows notification area, points to Advanced and clicks Refresh Cache, or logs out and then logs in again.
Application definitions
Predefined applications
Password policies
Preferences
Recorded (outside SecureLogin) all user names, passwords, and other essential credential information.
4. Click Delete.
A Warning message appears.
5. Click Yes.
The Datastore object data is deleted.
The next time the user logs on, they will be asked to set up the passphrase question and response previously configured and then re-enter the credentials for each SSO-enabled application.
About Preferences
ActivIdentity SecureLogin preferences are tools, options and parameters used by enterprise administrators to configure the user's ActivIdentity SecureLogin corporate environment. Administrators can restrict a user's access to their ActivIdentity SecureLogin preferences via centrally controlled administrative preferences.
ActivIdentity SecureLogin preferences also include the applications permitted to be SSO-enabled and the tools that enable users to access their own ActivIdentity SecureLogin management and administration functions.
ActivIdentity SecureLogin version 6.0 introduced several new features and preferences, including the encryption of the datastore using Public Key Infrastructure (PKI)-based credentials, and support for the Advanced Encryption Standard (AES) encryption algorithm. All these new preferences required changes to the ActivIdentity SecureLogin datastore format to support them.
Prior to configuring preferences, administrators should also read:
Preference Categories
ActivIdentity SecureLogin preferences are divided into the following categories:
General
Java
Security
Web
Windows
Default Preferences
Each ActivIdentity SecureLogin preference has a default value. An alternative preference value must be manually configured by an administrator or user.
In the following tables, default values are shown in bold.
Inherited Preference Values
In corporate directory hierarchies, preferences are inherited from higher level objects, while some lower level objects can override preferences set at higher levels. Preferences set at the user object level override all higher object values.
Preferences Properties
To access the Preferences properties, open the Administrative Management Utility through either the:
General Preferences
Table 5.1 describes the Preferences General properties.
TABLE 5.1: Preferences General Properties (columns: Property, Value, Description, Comment)

Property: Allow credentials to be deleted by users through the GUI
Value: Yes/No/Default
Comment: Administrative Management Utility preference only.

Property: Allow credentials to be modified by users through the GUI
Value: Yes/No/Default
Comment: Administrative Management Utility preference only.

Value: Yes/No/Default
Description: Enables or disables the user's ability to work offline from the cache using the Work Offline option, available from the Advanced options of the ActivIdentity SecureLogin Windows notification area (previously known as system tray) icon. The default value is Yes. When set to No, the Work Offline option is not displayed.
Note: Requires an ActivIdentity SecureLogin version 6.0 datastore if the value is changed.
Comment: Administrative Management Utility preference only.

Property: Disable ActivIdentity SecureLogin
Value: Yes/No/Default
Comment: Administrative Management Utility preference only.

Property: Enforce passphrase enrollment
Value: Yes/No/Default
Comment: Administrative Management Utility preference only.

Description: Defines the interval (in minutes) at which the user data on the local workstation is synchronized with the directory. The default value is 5 minutes. However, depending on network traffic and the number of users, this interval may be set between 240 and 480 minutes (4 and 8 hours). A user can manually refresh the cache by clicking Refresh Cache from Advanced on the ActivIdentity SecureLogin Windows notification area icon menu. When the interval is set to 0, the cache and directory are only synchronized when a "force" refresh is performed (that is, when ActivIdentity SecureLogin starts, or by double-clicking the notification area icon, opening the user console, or using the refresh option from the notification area menu).
Comment: Personal and Administrative Management Utilities.

Property: Standalone distributed settings have priority over users
Value: Yes/No/Default
Comment: Administrative Management Utility preference only.

Property: Wizard mode
Value: Administrator/User/Disabled
Comment: Administrative Management Utility preference only.
Java Preferences
Table 5.2 describes the Preferences Java properties.
TABLE 5.2: Preferences Java Properties
[Table 5.2 rows: property names and descriptions were lost in extraction; both rows have Value Yes/ No/ Default and Comment Personal and Administrative Management Utilities.]
Security Preferences
Table 5.3 describes the Preferences Security properties.
TABLE 5.3: Preferences Security Properties
[Table 5.3 rows: property names and descriptions were lost in extraction; the surviving cells are Value Text field, Value Yes/No and Value Current certificate, each with Comment Administrative Management Utility preference only.]
Enable passphrase security system | Yes/ No/ Hidden | Administrative Management Utility preference only.
[Row with property name lost in extraction: Value Allow passphrase/ Require smart card (the values of the Lost card scenario preference described in Chapter 10); Comment Administrative Management Utility preference only.]
[Row with property name lost in extraction: Value Yes/ No/ Default; Comment Administrative Management Utility preference only.]
Seamless authentication method switch | Yes/ No/ Default | Administrative Management Utility preference only.
[Further Table 5.3 rows, property names and descriptions lost in extraction: one row with Value Yes/ No; one row with Value Yes/No/ Default and Current certificate; one row with Value Yes/No/ Default; all Administrative Management Utility preference only.]
Web Preferences
Table 5.4 describes the Preferences Web properties.
TABLE 5.4: Preferences Web Properties
[Table 5.4 rows: property names were lost in extraction. All rows have Value Yes/ No/ Default and Comment Personal and Administrative Management Utilities; two rows carry the description: Selecting No, not this time at the dialog box stops SSO-enabling this time, but the dialog box is displayed again the next time the application type is detected.]
Windows Preferences
Table 5.5 describes the Preferences Windows properties.
TABLE 5.5: Preferences Windows Properties
[Table 5.5 rows: property names were lost in extraction. Both rows have Value Yes/ No/ Default and Comment Personal and Administrative Management Utilities; one row carries the description: Selecting No, not this time at the dialog box stops SSO-enabling this time, but the dialog box is displayed again the next time the application type is detected.]
About Passphrases
A passphrase is something that the user should always remember and that no other person would know. It is presented in a question-and-answer format:
Q. What was your first pet's name?
A. Fluffy
Passphrases are an important security component in an ActivIdentity SecureLogin implementation. Passphrases are a unique question-and-answer combination created to verify and authenticate the individual. In a directory environment, you can create passphrase questions for users to select and answer. You can also permit users to create their own question-and-answer combinations.
Passphrases protect user credentials from unauthorized use. For example, in a Microsoft Active Directory environment, administrators can potentially log on to the network as the user by resetting the user's network password. With ActivIdentity SecureLogin, if someone other than the user resets their network password, ActivIdentity SecureLogin triggers the passphrase question. An administrator cannot access the user's SSO-enabled applications without knowing the user's passphrase answer.
Note: You can disable the passphrase security system, but this removes the features listed.
When ActivIdentity SecureLogin starts for the first time on the user's workstation, the Passphrase Setup window is displayed.
Passphrases are used to authenticate when:
Someone other than the user has reset the user's network password.
The smart card used to encrypt ActivIdentity SecureLogin data is not available or a smart card is not required (see Chapter 10, "Managing Security and Smart Cards," on page 85).
Benefits:
Use the Active Directory Users and Computers snap-in. For more
information, see "Start the Administrative Management Utility using the
Active Directory Snap-in" on page 23.
Design questions based on facts, and avoid prompting the user for a favorite, as a favorite can change over time.
For example: "What was your first car plus your driver's license number?"
Note: The User-defined passphrase questions option is selected by default. Clear this option if you do not want users to create their own passphrase questions.
Note: This passphrase question displays to all users associated with the selected object.
2. Click New.
3. In the Corporate passphrase questions field, type a question.
4. Press the Enter key.
The question is displayed in the Corporate passphrase questions
section.
5. Repeat the above steps to create additional passphrases as required.
Note: You can create, edit, and delete ActivIdentity SecureLogin passphrase questions at any time.
1. In the Administrative Management Utility navigation tree, click Advanced
Settings.
The Advanced Settings pane is displayed.
Change a Passphrase
Depending on how you configure ActivIdentity SecureLogin, users can
change their passphrase answer.
Users who do not have access to the ActivIdentity SecureLogin icon in the
Windows notification area cannot change their passphrases. You can enable
access to the icon temporarily to allow the user to change their passphrase.
1. On the Windows notification area, right-click the ActivIdentity SecureLogin icon
Property | Value | Comment
Minimum length | Whole number
Maximum length | Whole number
Punctuation character | Whole number
[Six further rows with Value Whole number; property names and comments were lost in extraction.]
[Further passphrase policy rows, property names lost in extraction: one row with Value Whole number; nine rows with Value No / Yes, three of which also allow Yes, case insensitive; one row commented Prohibited characters.]
Note: The passphrase policy now applies to all users inheriting configuration from the selected object. You can change or disable it at any time.
4. In the Description column, click the policy rule you want to edit, and then
in the Value column, type the required value. In this example, to ensure
lower-case letters are used, the rule Minimum lowercase characters is
selected, and the number 6 is typed.
5. Click Apply.
The new or selected value is added to the Value column.
6. Click OK.
The user chooses both the passphrase question and answer. The passphrase question can be anything the user decides, as can the answer.
Once the passphrase is set, a random key is generated and a one-way hash of the passphrase answer is used to encrypt this key. The new key is then encrypted using the application key and is used to protect the user's ActivIdentity SecureLogin credentials. This new user-specific key also protects the user's passwords, so even administrators with full rights to the network and access to the Microsoft Management Console are unable to view a user's passwords.
The next time (and every time after that) a user logs onto the network, ActivIdentity SecureLogin loads seamlessly. Typically, users are never prompted with the passphrase question again. However, to protect a user's ActivIdentity SecureLogin data from unauthorized use, a user will be prompted for their passphrase if the user's directory or network password is reset by an administrator. The next time ActivIdentity SecureLogin loads, the
Yes
If this preference is selected, users must select a passphrase question and
answer when they first log on to ActivIdentity SecureLogin. Passphrase
questions can be entered either by the user or predefined by the ActivIdentity
SecureLogin administrator, or a combination of both, depending on what the
administrator allows. With the passphrase system enabled, users will be
prompted to answer their passphrase question if their password has been
reset by the administrator.
Important: With the passphrase security system set to Hidden, a directory administrator could potentially reset a user's directory password, log on as the user, and access their ActivIdentity SecureLogin data, as they would not be prompted to answer a passphrase question.
Note: Supported directory modes for disabling the passphrase security system are:
Microsoft Active Directory
LDAP-compatible
If either the Use PKI credentials from smart card to encrypt SSO data or the Use symmetric key stored on smart card to encrypt SSO data option is set to Yes, the passphrase can also be used to decrypt ActivIdentity SecureLogin data if the user's smart card is lost or damaged. This setting must be used in conjunction with the Lost card scenario preference set to Allow passphrase. These preferences can be toggled by the administrator if the user's smart card is forgotten, providing the user's passphrase has already been set. The user will be prompted to answer their passphrase question before ActivIdentity SecureLogin will load. Refer to Chapter 10, "Lost Card Scenarios" on page 95 for additional information.
Hidden
If this preference is selected, users will not be prompted to set a user-defined
passphrase. A user key will be generated automatically without user input.
If users are required to authenticate to the network using passwords, Enable
passphrase security system must be set to Yes or Hidden.
ActivIdentity recommends enterprises discuss their corporate security
requirements with ActivIdentity Professional Services prior to deployment of
their solution.
No
If this preference is selected, the user's passphrases are completely disabled and the user's smart card is always required to decrypt ActivIdentity SecureLogin data.
Note: The passphrase must be answered (users may have forgotten it) to prevent administrators from simply toggling this preference and providing a possible back door to start ActivIdentity SecureLogin as another user.
OK. Approves the removal of the passphrase security system; the user is prompted for the current passphrase answer which, when provided, completes the approval.
Cancel. This delays the approval, and the user is then prompted at each subsequent logon until they click OK to approve the change.
OK. After entering a passphrase question and answer, the user has reset their passphrase question and answer and enabled their workstation.
Cancel. This delays enabling passphrases for the user's workstation. The user is prompted at each subsequent logon until they enter a passphrase question and answer and click OK.
The next time ActivIdentity SecureLogin starts, the user will have to manually log on, and ActivIdentity SecureLogin will detect that a passphrase has not been set and will re-prompt the user to enter a new passphrase question and answer before continuing.
Once the user has set a new passphrase the user is required to re-enter their
application user names and passwords. If this was not the case, an
unauthorized user could breach security by simply clearing your passphrase,
entering a new one and accessing your secrets.
Administrators may have to reset the user's application passwords as they will
probably have forgotten them or ActivIdentity SecureLogin may have
substituted strong passwords when the application requested a new
password (depending on configuration).
Linking a Policy to an Application
Policies set at the container or organizational unit level are inherited by all
associated directory objects.
Password policies set at the user object level override all higher-level
policies.
Property | Value | Description
Minimum length | Number, e.g. 7
Maximum length | Numeric, e.g. 12
[Eight further rows with Value Number (e.g. 1, 3, 1, 3, 3, 4, 1, 3); property names and descriptions were lost in extraction.]
Prohibited characters | Any characters
[Eight further rows with Value No / Yes; property names and descriptions were lost in extraction.]
Use the Active Directory Users and Computers snap-in. For more
information, see "Start the Administrative Management Utility using
the Active Directory Snap-in" on page 23.
You can design a password policy by selecting a set of policy rules and adjusting the parameters of each one.
Note: It is important to use a unique name for all logon, application and password policies. Password policies cannot have the same name as any other ActivIdentity SecureLogin attribute. Organizations typically employ the naming convention ApplicationName PwdPolicy (for example, LotusNotesPwdPolicy).
2. Click New.
The New password policy dialog box is displayed.
3. In the Enter a name for the new password policy field, type a name for
the policy (in this example, RestrictServerPwdPolicy).
4. Click OK.
The new policy is added under Password Policies in the navigation tree.
Type in a value, or
Values are either No, Yes, Yes case insensitive, or a whole number:
7. Click Apply.
8. Click OK.
2. In the navigation tree, under Password Policies, click the policy you
want to change (in this example, RestrictServerPwdPolicy).
3. Locate the policy you want to change in the list and then click the
appropriate value from the drop-down list or type a value on the right.
4. Click Apply.
5. Click OK.
2. In the Password Policies pane, click the policy you want to delete.
3. Click Delete.
4. Alternatively, you can delete a password policy by right-clicking it and
clicking Delete.
5. Click Apply.
6. Click OK.
About Credentials
After you have created an application definition and activated it for ActivIdentity SecureLogin, the first time a user logs on they will be prompted to enter their credentials in an ActivIdentity SecureLogin dialog box. ActivIdentity SecureLogin then stores these credentials and associates them with the application definition, to be used in subsequent logons.
You can display and manage these credentials in the Logins pane of the Administrative Management Utility or the My Logins pane of the Personal Management Utility.
Since individual application requirements determine the credentials that users must enter when manually logging on, only those credentials are stored and remembered by ActivIdentity SecureLogin. For example, if a user has an application that requires their user name and password only, then ActivIdentity SecureLogin will encrypt and store this information for subsequent logons. Alternatively, some applications require users to enter domain and database names, IP addresses and to select check boxes on web pages; ActivIdentity SecureLogin can accommodate and manage these credentials on behalf of the user.
Credentials stored in a directory environment apply to all associated objects. For example, if users access an application located on a specific domain, and they are required to manually select or type the domain address, then you can configure the domain as a credential in the Logins pane at the organizational unit level. This removes the requirement for users to manually enter the domain location when they log on. You can then change the domain at any time without notifying users.
Application credentials such as email, finance system, HR system, and the travel system are typically stored for user objects and only apply to (and can be used by) the particular user. For example, John's application credentials are encrypted and stored against John's user object and are available only to him. When he starts an application, ActivIdentity SecureLogin retrieves, decrypts, and enters the credentials on his behalf.
2. Click New.
The Create Login dialog box is displayed.
3. In the Name/Id field, type a name or ID for the logon (for example,
ActivIdentity Server).
4. Click OK.
The logon name or ID is added to the navigation tree under My Logins
and to the My Logins pane.
5. In the navigation tree, click your new credential set (in this example,
ActivIdentity Server).
6. Click New.
The Create Credential dialog box is displayed.
7. In the Name field, type a name for the new credential (for example,
Server Location).
8. Click OK.
The new credential is added to the Login - ActivIdentity Server pane.
9. In the right column, type a value for the credential (for example, the server
IP address).
10. Click Apply.
The credential variable and its value display in the Login - ActivIdentity
Server pane.
2. Double-click the logon that you want to link an application to (in this
example, ActivIdentity Server).
The Login - ActivIdentity Server pane is displayed.
3. Click Link.
4. Click the application you want to link (in this example, Internet Explorer).
5. Click OK.
The linked application is added to the Login - ActivIdentity Server pane
under Application.
6. Click OK.
Chapter 10: Managing Security and Smart Cards
Prerequisites
Installing ActivIdentity SecureLogin for Smart Cards
Configuring ActivIdentity SecureLogin for Smart Cards
ActivIdentity SecureLogin uses a store-and-forward approach to single sign-on credentials and records user IDs and passwords in a local store. It is likely that many, if not all, of an individual user's passwords will be stored in this credential store. Given this architecture, the security controlling the ActivIdentity SecureLogin credential store is extremely important.
When a smart card is used in conjunction with ActivIdentity SecureLogin, a
number of optional features can be implemented including using the smart
card to encrypt ActivIdentity SecureLogin data, and tying ActivIdentity
SecureLogin availability to the smart card so only users that log on using a
smart card are able to start (and administer) ActivIdentity SecureLogin.
ActivIdentity SecureLogin uses a two-tier encryption process to secure
sensitive user credentials and information. All user passwords are encrypted
using the user key, and all user data, including password fields, are then
encrypted using the master key.
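The two-tier scheme described here, together with the passphrase key wrapping explained in the passphrase chapter (random user key, wrapped under a one-way hash of the passphrase answer and under the application key), as a runnable model; this is an added example, not the product's code. It assumes stand-ins: an HMAC-SHA256 stream cipher with an authentication tag replaces the product's 3DES/AES, PBKDF2 stands in for the unnamed passphrase hash, and all keys and the "Fluffy" answer are sample values.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one wrapping key."""
    return hashlib.sha256(label + key).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256. It stands in for
    the product's 3DES/AES so the example runs on the standard library alone."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError when the key is wrong, so a
    guessed passphrase answer fails loudly instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: authentication tag mismatch")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


def passphrase_hash(answer: str, salt: bytes) -> bytes:
    """One-way hash of the passphrase answer. PBKDF2-HMAC-SHA256 is an
    assumption; the guide does not name the product's hash function."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 50_000)


def enrol(answer: str, application_key: bytes) -> dict:
    """Passphrase Setup: generate a random user key and keep it wrapped twice,
    once under the passphrase hash and once under the application key."""
    user_key = os.urandom(32)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "user_key_by_passphrase": seal(passphrase_hash(answer, salt), user_key),
        "user_key_by_application": seal(application_key, user_key),
        "credentials": {},
    }


def unlock_with_application_key(record: dict, application_key: bytes) -> bytes:
    """Seamless logon: no passphrase prompt while the application key is
    available to the user's own session."""
    return unseal(application_key, record["user_key_by_application"])


def unlock_with_passphrase(record: dict, answer: str) -> bytes:
    """Recovery path after an administrative password reset or a lost smart
    card: only the correct passphrase answer unwraps the user key."""
    return unseal(passphrase_hash(answer, record["salt"]),
                  record["user_key_by_passphrase"])


def store_password(record: dict, user_key: bytes, master_key: bytes,
                   app: str, password: str) -> None:
    """Two-tier encryption: the password under the user key, then the whole
    field under the master key."""
    inner = seal(user_key, password.encode("utf-8"))
    record["credentials"][app] = seal(master_key, inner)


def retrieve_password(record: dict, user_key: bytes, master_key: bytes,
                      app: str) -> str:
    inner = unseal(master_key, record["credentials"][app])
    return unseal(user_key, inner).decode("utf-8")


def after_password_reset(record: dict, master_key: bytes, app: str, answer: str):
    """Model of an administrator resetting the network password and logging on
    as the user: the session no longer holds the application key, and holding
    the master key only peels the outer tier. Without the passphrase answer
    the password stays unreadable (None)."""
    try:
        user_key = unlock_with_passphrase(record, answer)
    except ValueError:
        return None
    return retrieve_password(record, user_key, master_key, app)
```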
Note: Once the datastore mode version is upgraded to v6.0, the encryption algorithm is automatically upgraded to AES for all users in this container, providing a higher encryption standard to the ActivIdentity SecureLogin data.
Password
Token
Once the user authenticates successfully and the operating system has
loaded, ActivIdentity SecureLogin starts and manages the logon credentials
to all the user's single sign-on enabled applications.
If you wish to enforce biometric, smart card or token authentication, including at the application (or even transaction) level, the ActivIdentity SecureLogin re-authentication features or a third-party authentication module can be integrated with ActivIdentity SecureLogin to prompt the user to re-authenticate before ActivIdentity SecureLogin retrieves their credentials and logs on to single sign-on enabled applications.
Authentication Client
ActivIdentity Authentication Client (AAC) provides a Smart Card Password
Login (SCPL) feature, enabling a user to log on to Windows with username
and password stored on a PIN-protected smart card. This is designed for
customers that have not deployed a Public Key Infrastructure (PKI) yet and is
specifically designed to simplify a user's Windows, network and single sign-on
experience.
ActivIdentity Authentication Client is available as part of the ActivClient
Advanced license.
For more information about installing, using and managing SCPL, see the
ActivIdentity Authentication Client documentation.
Synchronous mode
Synchronous authentication, or ActivIdentity's patented time-plus-event authentication, replaces static alpha-numeric passwords with a pseudo-random code that is dynamically generated based on a shared encryption key and the current time.
Asynchronous mode
Asynchronous authentication or challenge/response authorization
replaces static alpha-numeric passwords with a pseudo-random code (the
response) that is dynamically generated based on a shared encryption
key and a challenge.
If you use the Wizard, you first need to configure from where the
challenge has to be read and then where to pass the new generated
password.
In Asynchronous mode the challenge is passed to the GenerateOTP
command as an argument.
For more information on OTP functionality and specific examples of the
use of application definitions incorporating the GenerateOTP command,
see the ActivIdentity SecureLogin Single Sign-On Application Definition
Guide.
Re-Authentication
As part of the ActivIdentity SecureLogin advanced authentication features,
you can choose whether users are prompted to re-authenticate (with their
network credentials or authentication device) before using an application's
External Re-authentication
ActivIdentity SecureLogin offers the ability to re-authenticate the user in
conjunction with a third-party authentication module, offering support for
methods such as biometrics. For further information, see the ActivIdentity
SecureLogin Single Sign-On Application Definition Guide.
If you intend to use the Use symmetric key stored on smart card to
encrypt SSO data option, then you need to select a smart card PKCS#11
library during ActivIdentity SecureLogin installation. In all other configurations,
selection of a cryptographic service provider (aka CSP) is sufficient.
Minimum Requirements
For general information about the minimum requirements for using smart
cards with ActivIdentity SecureLogin, see the ActivIdentity SecureLogin
installation guide for your directory environment.
Supported Configurations
ActivIdentity SecureLogin currently supports any smart card middleware with
a CAPI 2.0 compliant CSP (Cryptographic Service Provider).
For the Use symmetric key stored on smart card to encrypt SSO data
preference, ActivIdentity SecureLogin currently supports any smart card
middleware with a PKCS#11 compliant library. It has been tested with
ActivClient, Aladdin, AET SafeSign and Gemalto (formerly Axalto) smart card
middleware.
When deployed with ActivClient, ActivIdentity SecureLogin will automatically
configure the cryptographic service provider and PKCS#11 dynamic link
library file during installation.
If ActivClient is installed after ActivIdentity SecureLogin, the registry key settings need to be changed to activate smart card support, or ActivIdentity SecureLogin must be uninstalled and re-installed. ActivIdentity recommends that you modify the ActivIdentity SecureLogin installation using the Add/Remove Programs tool. In the setup wizard, select the smart card option and configure the CSP and PKCS libraries.
To configure the preferences, use the Microsoft Management Console snap-in within Active Directory environments, and ActivIdentity SecureLogin Manager in LDAP-compliant directories such as Sun, Oracle and IBM.
Notes: There is no message given when the smart card is removed, only when the next ActivIdentity SecureLogin operation occurs. If the smart card is removed while the MMC management console, SLmanager or the Personal Management Utility is open, the console closes.
If the smart card is removed after the ActivIdentity SecureLogin session has
started, on re-insertion of the smart card, the card serial number is checked to
validate that the card now being used is the same card used to initiate the
session.
If the Lost card scenario preference is set to:
Allow passphrase, then the Require smart card is present for SSO
and administration operations preference is not available (grayed out).
Require smart card, then the Require smart card is present for SSO
and administration operations preference is available and defaults to
No.
Note: Administrators can manually disable inheritance of higher level preferences by selecting the Yes option for Stop walking here in the ActivIdentity SecureLogin Administrative Management Utility, Preferences General options.
Notes: The input key for DES is 64 bits long and includes 8 parity bits. These 8 parity bits are not used during the encryption process, resulting in a DES encryption key length of 56 bits. Therefore the key strength for triple DES is actually 168 bits.
If an earlier version of ActivIdentity SecureLogin has been implemented with passphrase security enabled, users will need to answer their passphrase question before data can be re-encrypted using AES when this preference is set to Yes.
If the No option is selected, then the user's smart card is not required for ActivIdentity SecureLogin and administration operations.
If the Yes option is selected, then the user's smart card is required for ActivIdentity SecureLogin and administration operations.
If the Default option is selected, then the user's credentials will inherit the Require smart card for SSO and administration operations preference set on a higher-level container. If that preference is not set, this option is set to No.
You must restart ActivIdentity SecureLogin on the client for any changes to the Require smart card for SSO and administrative operations preference to take effect.
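How the Default value, the Stop walking here option and the Lost card scenario rule from the previous section combine when the Require smart card preference is resolved up the container hierarchy, as an added example that is not the product's code. Object names in the sample hierarchy are constructed, and the assumption that an unset Lost card scenario behaves as Require smart card is flagged in the code.

```python
from typing import Optional

# Preference names as they appear in the guide.
REQUIRE_CARD = "Require smart card is present for SSO and administration operations"
LOST_CARD = "Lost card scenario"
STOP_WALKING = "Stop walking here"


def resolve_preference(chain: list, name: str, fallback: str = "No") -> tuple:
    """Walk from the user object up through its containers.

    chain: [{"name": dn, "prefs": {preference: value}}, ...], user object first.
    A value of Default (or an unset preference) defers to the next object up.
    Stop walking here = Yes keeps that object's own settings but blocks
    inheritance from anything above it. If nothing supplies a value the guide
    says the preference is treated as No (the fallback). Returns (value, source)
    so an audit can show which object produced the effective setting."""
    for obj in chain:
        value = obj["prefs"].get(name, "Default")
        if value != "Default":
            return value, obj["name"]
        if obj["prefs"].get(STOP_WALKING) == "Yes":
            break
    return fallback, "(not set)"


def require_smart_card(chain: list) -> Optional[str]:
    """Effective Require smart card value for a user.

    With Lost card scenario at Allow passphrase the preference is greyed out
    (returned as None); with Require smart card it is available and defaults to
    No. Assumption: an unset Lost card scenario is treated as Require smart
    card, since the guide does not state its default."""
    lost_card, _ = resolve_preference(chain, LOST_CARD, fallback="Require smart card")
    if lost_card == "Allow passphrase":
        return None
    return resolve_preference(chain, REQUIRE_CARD)[0]


# Constructed sample hierarchy (object names are placeholders, not from the guide).
SAMPLE_CHAIN = [
    {"name": "CN=jsmith", "prefs": {REQUIRE_CARD: "Default"}},
    {"name": "OU=Finance", "prefs": {REQUIRE_CARD: "Yes", STOP_WALKING: "Yes"}},
    {"name": "OU=Corp", "prefs": {REQUIRE_CARD: "No", LOST_CARD: "Allow passphrase"}},
]
```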
Use AES for SSO Data Encryption
This preference determines the level and standard of encryption used to
encrypt ActivIdentity SecureLogin data by allowing the use of AES encryption
instead of triple DES encryption.
If the No option is selected, then a 168-bit key used with triple DES (EDE) in cipher-block chaining (CBC) mode is used to encrypt the user's credentials.
If the Yes option is selected, then a 256-bit key used with AES (EDE) in CBC mode is used to encrypt the user's credentials.
A key generated automatically based on your smart card (when you log in to Windows with a smart card-based certificate).
If you set Use PKI credentials from smart card to encrypt SSO data to
Yes, ActivIdentity SecureLogin data is encrypted using the user's PKI
credentials. ActivIdentity SecureLogin data stored in the directory and in
the offline cache (if enabled) is encrypted using the public key from the
selected certificate and the private key (stored on a PIN-protected smart
card) is used for decryption.
In this configuration, additional smart card options are enabled, and are
described in the following section.
If you set Use symmetric key stored on smart card to encrypt SSO
data to Yes, ActivIdentity SecureLogin data stored in the directory and in
the offline cache (if enabled) is encrypted using a symmetric key (stored
Note: This preference is only available if you set Use PKI credentials from smart card to encrypt SSO data and Use symmetric key stored on smart card to encrypt SSO data to No.
Important: The following preferences are only available if Use PKI credentials from smart card to encrypt SSO data is set to Yes.
If PKI credentials are used to encrypt ActivIdentity SecureLogin data with the
passphrase security system off (set to No), you should consider implementing
a key archive/backup and recovery. If key archive/backup and recovery is not
implemented and the passphrases security system is not enabled, the user
will never be able to decrypt their ActivIdentity SecureLogin data if they lose
their smart card because the private key is stored on the lost smart card.
Choosing a Certificate
When a smart card is configured to use PKI credentials to encrypt
ActivIdentity SecureLogin data, ActivIdentity SecureLogin will retrieve the
serial number of the current certificate and locate the certificate in the
certificate store specified in the relevant ActivIdentity SecureLogin
preference. ActivIdentity SecureLogin then loads the associated private key
(which may cause a PIN prompt) and attempts to decrypt the user key with
the private key.
If the decryption fails or the certificate cannot be located, and a smart card is
present and a certificate that matches the selection criteria can be located,
then ActivIdentity SecureLogin assumes that a recovered smart card is in use.
It then attempts to decrypt the user key with each key pair stored on the card.
Certificate Selection Criteria
Allows administrators to select an encryption or authentication certificate to
encrypt user's ActivIdentity SecureLogin information in the directory.
The certificate selection criteria determines which certificate to select if
multiple certificates are in use (for example if an enterprise has configured an
Entrust certificate for ActivIdentity SecureLogin encryption and a Microsoft
certificate for logon or authentication).
Note
If the certificate selection criteria relies on the certificate's friendly
name and you use ActivClient, disable Microsoft certificate propagation so
that ActivClient certificate propagation sets the expected friendly name. For
further information, see the ActivIdentity ActivClient documentation.
If only one certificate is used, then the field should be blank and the certificate
will be detected automatically and set to User certificate.
When entering certificate selection criteria, no special formatting is required
and the search string is not case sensitive. Wildcards are not supported: a
search matches when the search text is a substring of the field being
compared. ActivIdentity SecureLogin compares the search text against the
certificate Subject first, then the Issuer, and finally the Friendly Name, in
that order.
For example, if the certificate subject is:
CN=Neil Moffat,OU=Users,OU=Accounts,OU=APAC,DC=Protocom,DC=Int
then Moffat would be a valid search value, as would Accounts, APAC and Int.
The prefixes CN=, OU= or DC= are not required.
Similarly if the certificate issuer is:
CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com
Then IssuingCA1 would be a valid search value, as would AD,
undiscovered and com.
If several certificates match the selection criteria, then the most recent one will
be selected by ActivIdentity SecureLogin.
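The selection rule above, as an added example that is not product code: a small model of a certificate store and of the lookup ActivIdentity SecureLogin is described as performing (case-insensitive substring, Subject before Issuer before Friendly Name, most recent match wins, blank criteria only when a single certificate is present). The `Cert` class, the three sample certificates and the use of the issue date to decide which match is "most recent" are assumptions for illustration; the text only says that the most recent certificate is selected.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    friendly_name: str
    not_before: date  # issue date; assumption: "most recent" means latest issue date


# Constructed sample store for one user: none of these are real certificates.
SAMPLE_STORE: List[Cert] = [
    Cert("CN=Neil Moffat,OU=Users,OU=Accounts,OU=APAC,DC=Protocom,DC=Int",
         "CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com",
         "SecureLogin Encryption", date(2008, 3, 1)),
    Cert("CN=Neil Moffat,OU=Users,OU=Accounts,OU=APAC,DC=Protocom,DC=Int",
         "CN=IssuingCA1,OU=AD,DC=undiscovered,DC=com",
         "SecureLogin Encryption", date(2009, 6, 15)),   # renewed copy of the one above
    Cert("CN=Neil Moffat,OU=Users,DC=Protocom,DC=Int",
         "CN=Corp Logon CA,DC=Protocom,DC=Int",
         "Smart Card Logon", date(2009, 1, 10)),
]

# Fields are tried in this order across the whole store.
FIELD_ORDER = (("Subject", "subject"), ("Issuer", "issuer"), ("Friendly Name", "friendly_name"))


def select_certificate(store: List[Cert], criteria: str) -> Optional[Tuple[Cert, str]]:
    """Return (certificate, name of the field that matched), or None.

    The criteria string is matched as a plain, case-insensitive substring: no
    wildcards, and CN=/OU=/DC= prefixes are not needed. Subject is tried first
    across the store, then Issuer, then Friendly Name. If several certificates
    match on the same field, the most recent one wins. A blank criteria string
    means automatic detection, which only works when exactly one certificate
    is present.
    """
    needle = criteria.strip().lower()
    if not needle:
        return (store[0], "auto") if len(store) == 1 else None
    for label, attr in FIELD_ORDER:
        hits = [c for c in store if needle in getattr(c, attr).lower()]
        if hits:
            return max(hits, key=lambda c: c.not_before), label
    return None


if __name__ == "__main__":
    for crit in ("Accounts", "IssuingCA1", "Logon", "Smart Card", ""):
        print(repr(crit), "->", select_certificate(SAMPLE_STORE, crit))
```

Two things worth checking with this model in mind: a criteria string such as `Accounts` matches every certificate issued under that OU, so after a renewal the newer certificate is silently preferred, and data encrypted to the older key is only reachable through the recovered-card path described above; and a blank criteria field stops working as soon as a second certificate (for example a logon certificate) lands on the card.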
Current Certificate
This preference displays the certificate that ActivIdentity SecureLogin is
currently using to encrypt the user's ActivIdentity SecureLogin data.
Note
For users upgrading from
ActivIdentity SecureLogin
version 5.5, setting Enable
passphrase security system to
Hidden is equivalent to setting the
old Disable passphrase security
system to Off.
If Enable passphrase security system is set to Yes and the user has
set a passphrase, and Lost card scenario is set to Allow passphrase,
the user will be prompted to answer their passphrase question before
ActivIdentity SecureLogin continues.
Important
If the Lost card scenario
preference is changed to Require
Smartcard while the user is logged
on, refreshing the cache using the
Advanced/Refresh Cache function
from the Windows notification area
will not refresh the preference. The
user will need to log off and on
again or restart ActivIdentity
SecureLogin for the new preference
to take effect.
Important
For the user to decrypt data using
their passphrase, the passphrase
must already have been set.
Administrators cannot simply toggle
the Enable passphrase security
system preference on the day the
user forgets their smart card unless
the user has previously set a
passphrase (or had it randomly
generated using Hidden).
Note
Administrators can manually disable
inheritance of higher level
preferences by selecting the Yes
option for Stop walking here in the
ActivIdentity SecureLogin
Administrative Management Utility,
Preferences General options.
For other lost or damaged card scenarios, refer to "Card Management System
(CMS)" on page 99.
Require Smart Card
This option does not allow a user to start ActivIdentity SecureLogin without
their smart card. It is intended for high-security implementations where the
organization wants to tie the use of a user's ActivIdentity SecureLogin
credentials to that user's smart card: the user cannot access ActivIdentity
SecureLogin by any method other than the smart card (for example, user name
and password).
Allow Passphrase
This preference allows the user to start ActivIdentity SecureLogin using their
passphrase if their smart card is not available. The Enable passphrase
security system preference must be set to Yes or Hidden for this to work.
Hidden replaces a user-generated passphrase with a system-generated
passphrase, effectively removing the need for the user to remember the
passphrase answer.
Default
The default preference is to allow the user to start ActivIdentity SecureLogin
using their passphrase, unless it inherits a Lost card scenario preference
from a higher-level container.
user is then required to log on and enter their passphrase, if and only if the
Enable passphrase security system is turned on.
Warning
Deleting the user's ActivIdentity SecureLogin data store permanently deletes
all of the user's enabled applications, credentials, preferences and user
policies.
The administrator must then reset the user's corporate passwords and issue a
new smart card (with a new key pair) before the user can log on and
reconfigure their single sign-on enabled applications in ActivIdentity
SecureLogin again.
The user will have to re-enter all their application credentials into
ActivIdentity SecureLogin the first time it is used after the credentials have
been deleted from the directory.
ActivIdentity SecureLogin:
Enabling Applications
(Windows/Java) and Web Sites
Using the Application Definition
Wizard
Provides wizards and application definition editors to facilitate single
sign-on (SSO) to almost any new or proprietary application. This helps you
build an application definition for almost any application.
Managing Application
Definitions
User name
User ID
Logon ID
Password
PINs
Domain
Database names
Server IP addresses
Logon
Incorrect credentials
Password expiration and reset
Error messages, including non-compliance to
password rules
Account locked
Database unavailable
Note
You can SSO-enable terminal
emulators using the Terminal
Launcher tool.
Notes
If a Windows application is already running before ActivIdentity SecureLogin
starts, the wizard offers to enable the application, or runs the existing
application definition directly if the application is already defined.
Citrix Applications
The wizard cannot detect Citrix
published applications. Run the
application on your workstation to
create an application definition.
Either:
Click No, not this time to cancel the use of the wizard this time.
Note
ActivIdentity SecureLogin identifies
the Java web page by its URL or
web address. You can change the
application description, however, it
is important not to change the
application name, as this uniquely
identifies the web page.
Note
The resultant application definition
can be edited or tested using the
wizard if you have been granted
permissions.
Note
This option may be disabled by your
system administrators.
Click No, not at this time to cancel the use of the wizard this time.
If you click Yes, the Application Definition Wizard will open the
application definition.
Note
If the Java application support option is selected at installation,
ActivIdentity SecureLogin automatically detects whether Java is installed and
adds the required component, provided the installer has write access to the
Java directory.
The session file remains loaded but you have disconnected from the host.
6. On the File menu, click Save [session name] to save changes to the
session file.
7. Exit the terminal emulator application.
Note
You must type the screen syntax
accurately in the application
definition editor; otherwise it will fail
to operate. Where possible, cut and
paste the text directly from the
emulator screen into the editor.
9. In this example, for Eicon Aviva, type the following into the text field:
WaitForText "WELCOME TO THE EICON TECHNOLOGY DATA CENTER"
Type @E
WaitForText "ENTER USERID -"
Type $Username
Type @E
WaitForText "Password ===>"
Type $Password
Type @E
WaitForText "Welcome to Eicon Technology"
WaitForText "***"
Delay 1000
Type @E
10. Click the Details tab and make sure the Enabled option is selected.
11. Click OK.
Since Terminal Launcher must start before the terminal emulator application
to successfully SSO, the desktop shortcut includes the command to run
Terminal Launcher first and then the emulator application.
Parameter              Description
/auto
/e[application name]
/q
/s                     Suppress errors.
6. Add any additional parameters as required (for more information, see "Set
Terminal Launcher Command-line Parameters" on page 119).
7. Click Create.
The shortcut is created on the desktop and you can deploy it to users in the
preferred mode for your organization.
8. Click Close to close the Terminal Launcher dialog box.
9. Double-click
page 117). The following table lists the parameters (also referred to as
switches) you can set in conjunction with commands.
TABLE 11.2: Terminal Launcher Command-line Parameters
Parameter                                   Description
/auto
    Example: C:\<....>\TLaunch.exe /auto /pApplication1
/p[platform/application/application definition name]
    Example: C:\<....>\TLaunch.exe /auto /eEicon Aviva /pApplication1 /pApplication2
/b
/e[emulator name]
/k[executable name]
/m
/n
    Example: C:\<....>\TLaunch.exe /auto /n
/n[number 1-15]
    Example: C:\<....>\TLaunch.exe /auto /n3
/q
    Example: C:\<....>\TLaunch.exe /auto /q
/s                                          Suppress errors.
/t
    Example: C:\<....>\TLaunch.exe /auto /eEicon Aviva /pBackground /b /t /m /hA /s /q
_isdel.exe
aac_winsso.exe
ac.aac.run.exe
ac.sharedstore.exe
acachsrv.exe
acadvcfm.exe
acautoup.exe
accertutil.exe
accoca.exe
accomacomx.exe
accombsi21.exe
accomcsp.exe
accompiv.exe
accrdsub.exe
acdiagwz.exe
acevents.exe
acnstool.exe
acregcrt.exe
acsagent.exe
acsrcfg.exe
actsinit.exe
actswzdg.exe
acuscons.exe
adamconfig.exe
aicommapi.exe
aipinch.exe
aipinit.exe
ConsoleOne.exe
devenv.exe
loginw32.exe
loginw95.exe
MMC.exe
modutil.exe
MSDEV.exe
msiexec.exe
nswebsso.exe
Nwadmn32.exe
Nwadmn95.exe
Nwadmnnt.exe
NWTray.exe
ProtocomSysTray.exe
rdbgwiz.exe
scrnlock.scr
setup.exe
SLBroker.exe
SLBroker64.exe
SLLauncher.exe
sllock.scr
SLManager.exe
SLManager64.exe
SLProto.exe
SLProto64.exe
slwinsso.exe
slwinsso64.exe
tlaunch.exe
tlaunch64.exe
Note
To extend the list, create the file exclude.ini in the ActivIdentity SecureLogin
folder and list the other application executables that you do not want enabled:
testlogon.exe
trillian.exe
vmware.exe
To ignore the default list, use the command NoDefault in exclude.ini. Only the
applications you list will be excluded. For example, to disable enabling of the
application Trillian only, exclude.ini would read:
NoDefault
trillian.exe
To reverse the exclude list and use it to define the list of applications that
can be enabled, use the Include command. For example, to allow enabling of
Trillian only, exclude.ini would read:
Include
trillian.exe
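The three exclude.ini behaviours just described (built-in list plus additions, NoDefault, Include), as an added example that is not the product's own code. Only a handful of the built-in executables from the list above are reproduced; case-insensitive comparison of file names and skipping of blank lines are assumptions, since the text does not say how the product compares names.

```python
from typing import Set, Tuple

# A few entries from the built-in exclusion list printed above (the shipped list is longer).
DEFAULT_EXCLUDES: Set[str] = {
    "msiexec.exe", "mmc.exe", "devenv.exe", "setup.exe", "scrnlock.scr",
    "slmanager.exe", "slbroker.exe", "slproto.exe", "tlaunch.exe",
}


def parse_exclude_ini(text: str) -> Tuple[str, Set[str]]:
    """Parse the contents of exclude.ini into (mode, names).

    mode is "exclude"   : no command given; built-in list plus listed names are excluded,
            "nodefault" : only the listed names are excluded,
            "include"   : only the listed names may be enabled.
    Names are lower-cased (assumption: Windows file names are case-insensitive).
    """
    mode, names = "exclude", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # assumption: blank lines are ignored
            continue
        word = line.lower()
        if word == "nodefault":
            mode = "nodefault"
        elif word == "include":
            mode = "include"
        else:
            names.add(word)
    return mode, names


def may_enable(executable: str, ini_text: str = "") -> bool:
    """True if the wizard may SSO-enable this executable under the given exclude.ini text."""
    mode, names = parse_exclude_ini(ini_text)
    exe = executable.lower()
    if mode == "include":
        return exe in names                         # allow-list: nothing else is enabled
    blocked = names if mode == "nodefault" else names | DEFAULT_EXCLUDES
    return exe not in blocked


if __name__ == "__main__":
    # Constructed exclude.ini contents, mirroring the three examples in the text.
    for ini in ("", "testlogon.exe\ntrillian.exe\nvmware.exe\n",
                "NoDefault\ntrillian.exe\n", "Include\ntrillian.exe\n"):
        print(repr(ini), {e: may_enable(e, ini) for e in ("trillian.exe", "msiexec.exe", "notepad.exe")})
```

The built-in list exists so that the wizard never offers to store credentials typed into installers, administrative consoles and the lock screen (msiexec.exe, MMC.exe, scrnlock.scr), so NoDefault removes that protection and should be paired with an explicit list; Include is the most restrictive option. Because exclude.ini lives in the installation folder, whoever can write there decides which applications ActivIdentity SecureLogin will capture credentials for, so the folder's ACL matters as much as the file's contents.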
5. From the Prompt for device reauthentication for this application drop-down
list, click Yes.
6. From the Reauthentication Method drop-down list, select either
Password or Smartcard as the method.
You can select the method ActivIdentity SecureLogin should use to reauthenticate from the drop-down list:
Password
The network password. (Only available in Active Directory and ADAM
modes.)
Smart card
A smart card that ActivIdentity SecureLogin checks as belonging to the
user after the PIN has been checked.
Using Scripting
ActivIdentity offers some scripting capability to support re-authentication with
either password, smart card, or other third-party authentication method such
as biometrics. For further information, see the ActivIdentity SecureLogin
Single Sign-On Application Definition Guide.
To create additional logons, make a list of user names and passwords with a
name to uniquely identify the logon. The following is an example. When the
list is completed, SSO-enable the first logon in the list following the relevant
procedure.
TABLE 13.1: Multiple Logons
Name            User name   Password
Administrator   admin       123456
Support         help        abcdef
User            test1       xyz123
In this example, we have enabled the Yahoo! Mail account with the
ActivIdentity SecureLogin Application Definition Wizard.
1. SSO-enable the first account. For more information, see "About Enabling
Applications and Web Sites for ActivIdentity SecureLogin" on page 100 or
the ActivIdentity SecureLogin Single Sign-On Application Definition
Wizard Guide.
2. In the Windows notification area, right-click the ActivIdentity SecureLogin
icon
4. In the Application pane, under Credentials, click New and select Login.
Alternatively, in the Login pane, click New.
5. Right-click the new login and select Rename Login.
7. Enter the username and password for the additional login and click
Apply.
8. Click OK to close the Personal Management Utility.
9. Start the application (in this example, the Yahoo Mail web site).
The [application] login selection dialog box is displayed.
About Distributing
Configurations
If...
Then...
Multiple containers or organizational units require
the same ActivIdentity SecureLogin environment,
and you want to manage configuration from one
directory object, or
Inheritance from a higher level than the object
selected for Corporate redirection is not required, or
The container or OUs are on the same directory tree.
Note:
To:
When set on a user, the user does not inherit ActivIdentity SecureLogin
preferences from their nominal hierarchy but from the other organizational
unit or container.
For inheritance to work, users must be granted the rights needed to inherit
from the other object.
The inheritance process stops at the redirected container. There is no
inheritance from the redirected object's own hierarchy.
Important
To uniquely identify the container or
organizational unit, the full
distinguished name is required.
Note
You can delete Corporate
redirection at any time by clicking
Remove.
Important
Ensure you do not overwrite
administrator settings when
distributing ActivIdentity
SecureLogin configuration
environments. For example, if you
set the preference Allow users to
view and change settings to No
and then copy this as part of a
ActivIdentity SecureLogin
environment to the container or
organizational unit, including the
Administrator user object, the
administrator cannot view or
change ActivIdentity SecureLogin
settings since they reside in that
organizational unit. To prevent this
from happening, ActivIdentity
recommends that all administrator
user objects are located in a
separate organizational unit, and
administrator preferences are
manually configured.
3. Click Manage.
The Administrative Management Utility is displayed.
4. In the navigation tree, click Distribution.
The Distribution pane is displayed.
5. Click Copy.
The Copy dialog box is displayed.
Configuration
Function
Applications
Credentials
Password Policies
Preferences
Passphrase Question
7. In the Destination Object drop-down list, click the name of the object or
type the full distinguished name in the field (in this example, the Finance
organizational unit).
8. Click OK.
If a predefined application or an application definition already exists in
the destination object, a confirmation message is displayed asking whether
the existing data should be overwritten by the imported data. For more information on
Note
For Windows Vista SP1 or SP2, install the Microsoft Remote Server
Administration Tools snap-in. It can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
For Windows Server 2008, install the Group Policy Management snap-in from
Administrative Tools in Server Manager. If your server is running the Active
Directory Domain Services (AD DS) role, the Group Policy Management snap-in is
installed by default.
c.
Click Open.
c.
Click Add.
d. Select Group Policy Management and click Add, and then Close.
e. Click OK.
The Group Policy Management page is displayed.
Note
The first time GPMC is started it
loads the forest and domain
containing the user object logged on
to the computer. Administrators can
then specify which forests and
domains to display. When the
GPMC is closed it automatically
saves the last view and returns to
that view the next time a user opens
the console.
The resulting settings follow the inheritance and precedence rules already
defined:
The deepest object in the tree has precedence over any higher-level object.
Group policies have lower precedence than all User and OU objects.
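The inheritance and precedence rules above, together with the Stop walking here and Corporate redirection behaviour described earlier in this chapter, as an added example that is not product code. It resolves one preference for one user by walking from the user object up the tree (nearest setting wins), stopping where Stop walking here is set, taking only the redirected container when Corporate redirection is configured, and consulting group policy last. The directory tree, the DNs and the preference names are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple


class DirObject:
    """A user, container or OU carrying its own ActivIdentity SecureLogin preferences."""

    def __init__(self, dn: str, parent: Optional["DirObject"] = None,
                 prefs: Optional[Dict[str, str]] = None,
                 stop_walking: bool = False,
                 redirect_to: Optional["DirObject"] = None):
        self.dn = dn
        self.parent = parent
        self.prefs = prefs or {}
        self.stop_walking = stop_walking   # "Stop walking here" set to Yes on this object
        self.redirect_to = redirect_to     # Corporate redirection target (users only)


def resolution_chain(obj: DirObject) -> List[DirObject]:
    """Directory objects consulted for obj, nearest first."""
    chain = [obj]
    if obj.redirect_to is not None:
        # Corporate redirection: preferences come from the redirected container and
        # the walk stops there; nothing above that container is inherited.
        chain.append(obj.redirect_to)
        return chain
    node = obj
    while node.parent is not None and not node.stop_walking:
        node = node.parent
        chain.append(node)
    return chain


def effective_preference(obj: DirObject, name: str,
                         gpo: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (value, source DN). The deepest object that sets the preference wins;
    a group policy value is used only when no directory object sets it."""
    for node in resolution_chain(obj):
        if name in node.prefs:
            return node.prefs[name], node.dn
    if gpo and name in gpo:
        return gpo[name], "GPO"
    return None, None


# Constructed sample tree (hypothetical DNs and preference names).
CORP = DirObject("O=Corp", prefs={"LostCardScenario": "Allow passphrase",
                                  "AllowBackupRestore": "No"})
FINANCE = DirObject("OU=Finance,O=Corp", CORP, {"LostCardScenario": "Require Smartcard"})
ACCOUNTS = DirObject("OU=Accounts,OU=Finance,O=Corp", FINANCE)
BERNIE = DirObject("CN=bernie,OU=Accounts,OU=Finance,O=Corp", ACCOUNTS,
                   {"AllowBackupRestore": "Yes"})
CONTRACTORS = DirObject("OU=Contractors,O=Corp", CORP, stop_walking=True)
CAROL = DirObject("CN=carol,OU=Contractors,O=Corp", CONTRACTORS)
HR = DirObject("OU=HR,O=Corp", CORP)
ALICE = DirObject("CN=alice,OU=HR,O=Corp", HR, redirect_to=FINANCE)
GPO = {"LostCardScenario": "Default", "CacheRefreshMinutes": "5"}


if __name__ == "__main__":
    for user in (BERNIE, CAROL, ALICE):
        for pref in ("LostCardScenario", "AllowBackupRestore", "CacheRefreshMinutes"):
            print(user.dn, pref, effective_preference(user, pref, GPO))
```

The two cases to note are carol and alice: Stop walking here on OU=Contractors means the Corp-level Lost card scenario is never seen, so the group policy value applies even though a directory object higher up sets it; and alice, redirected to OU=Finance, picks up Finance's settings but nothing from O=Corp, so any preference Finance does not set itself is simply absent.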
Unencrypted.
Digitally signed and encrypted. (For stand-alone mode. This type of file is
useful for users who do not regularly connect to the corporate directory.
The XML file can be distributed via email or downloaded from a web site.)
Create a signing key for secure file distribution (see page 155)
3. Click Save.
The Save dialog box is displayed.
4. Select or clear the appropriate check boxes. The following table describes
each option.
TABLE 15.1: Save ActivIdentity SecureLogin Data Configuration Options
Configuration
Function
Applications
Credentials
Password Policies
Preferences
Passphrase Question
Not encrypted.
6. Click OK.
The Select applications to export page is displayed.
7. From the Applications List, expand the nodes and select the individual
applications to export and move to the Applications to export list using
the right arrow. If a node is selected, then all applications under that node
are selected.
8. Click OK.
The Save file as dialog box is displayed.
9. Select the file location.
10. In the File name field, enter a file name.
11. Click Save.
The following confirmation message appears listing ActivIdentity
SecureLogin data saved to the XML file.
3. Click Load.
The Load dialog box is displayed.
Configuration
Function
Applications
Credentials
Password Policies
Preferences
Passphrase Question
5. Click OK.
The Open file to load dialog box is displayed.
6. Select the exported XML file (in this example, finance.esx on the
Desktop).
7. Click Open.
If the file is encrypted, the Password dialog box is displayed.
8. Enter the password and click OK.
If a predefined application or an application definition currently exists in
the destination object that is also contained in the import file, a
confirmation prompt is displayed.
Click either:
Yes if you are sure that the imported application definition is preferred
over the application definition currently stored, as the application
definition cannot be retrieved.
9. Click OK.
Note
When a digital signing key is
created, the key pair is randomly
generated by ActivIdentity
SecureLogin to increase security.
Preferences
Application definitions
Password rules
Credentials
Important
Selecting Administrative data will overwrite users data without notification
results in user data being overwritten with the settings saved in the .msi
file for any item that is present in both the user's local configuration and
the administrative configuration (.msi file).
For example, if a user has a locally configured Yahoo! Mail application
definition and a Yahoo! Mail application definition is supplied in the .msi
file, the .msi file's application definition overwrites the user's without
notification. If the user has a locally configured application definition and
there is no matching application definition in the .msi file, the user's
application definition remains unchanged.
Clearing the option results in users being prompted by ActivIdentity
SecureLogin before any data is overwritten with settings saved in the .msi
file. Users can then choose to accept the administrative configuration or
retain their existing settings.
11. Locate the distribution file (.msi file) in which you want to embed the key.
12. Click Open.
Note
Once keys have been created, they
must not be deleted, as they are
randomly generated. The key used
must correspond to the key that has
been previously packaged with the
distributed installer.
5. Click OK.
User variables
Application definitions
Organizational settings
Password policies
Logons
Notes
The SLAP Tool is located in the
ActivIdentity SecureLogin
installation folder.
When the SLAP tool is used for
initial provisioning of ActivIdentity
SecureLogin user accounts,
before any ActivIdentity
SecureLogin data has been
stored for users, the XML file must
include a passphrase question
and response. This question and
answer can be the same for each
user and changed by the user
after deployment.
If the SLAP tool is used to import data into ActivIdentity SecureLogin from
either an encrypted or an unencrypted file, and any preferences are set that
require the ActivIdentity SecureLogin version 6.0 data store format, then the
datastore version must be specified in the file. Preferences that require the
version 6.0 format are:
EncryptionType
NRKeySource
UseEnhancedProtectionByDefault
</preference>
If the value of this preference is not set to 6, 6.0 or 600000 then an error
message is returned from the SLAP tool: "Cannot import version 6.0
datastore preferences into a lower versioned datastore."
SLAP Syntax
slaptool [-hlaspcPef] -r object_name_file | -o "object" [file ...]
Commands                Description
-h                      Displays help message and exits (all other options are ignored)
-l
-v
-a                      Excludes applications
-s                      Excludes settings
-p
-c
-P
-e
-r object_name_file     Specifies a file containing line-delimited object names on which to
                        perform the operation.
-o object               Specifies a particular object on which to operate.
-f                      Uses the cache file rather than accessing a directory (cannot be used
                        with -r or -o, and ActivIdentity SecureLogin must be set to use Dummy
                        mode; the user is selected interactively at run time).
[file ...]              Specifies one or more XML files from which to read data (or to write to
                        in the case of exporting). With no file specification, data is read
                        from stdin or written to stdout.
-k [password]
For example:
./slaptool.exe -o "CN=bernie.O=actividentity.T=DEVTEST" initial_setup.xml
This reads user IDs, applications, settings and password policies from the
file initial_setup.xml and writes them out to the object
CN=bernie.O=actividentity.T=DEVTEST.
******************************************************
#!/usr/bin/perl
use strict;
use warnings;

# listofnames.txt holds one "username password" pair per line.
open(my $names, '<', 'listofnames.txt') or die "listofnames.txt: $!";
while (my $line = <$names>) {
    chomp $line;                                   # Clean string
    next if $line =~ /^\s*$/;                      # skip blank lines
    my ($name, $pass) = split(/\s+/, $line);       # Split up string

    # Write up a file specific to this user
    open(my $data, '<', 'source.xml') or die "source.xml: $!";
    open(my $out,  '>', 'data.xml')   or die "data.xml: $!";
    while (<$data>) {
        s/\*usernamegoeshere\*/$name/;
        s/\*passwordgoeshere\*/$pass/;
        # Any other variable substitution can be done here
        print $out $_;
    }
    close $data;
    close $out;

    # Passing a list avoids the shell, so quotes in $pass cannot break the command.
    # -k still places the password on the command line, visible to local process listings.
    system('slaptool.exe', '-k', $pass, '-o', "CN=$name.O=myorg.T=OURCOMPANY", 'data.xml') == 0
        or warn "slaptool failed for $name\n";
}
close $names;
unlink 'data.xml';
****************************************************
Put the data to be imported in an XML file called source.xml, then run the
script. For example, export the data of a single configured user and replace
the user name value with the string "*usernamegoeshere*" (and the password
value with "*passwordgoeshere*").
</login>
<login>
<name>notepad.exe</name>
<symbol>
<name>username</name>
<value>asdf</value>
</symbol>
<symbol>
<name>Password</name>
<value>test</value>
</symbol>
</login>
<login>
<name>testlogin</name>
<symbol>
<name>username</name>
<value>ActivIdentity</value>
</symbol>
<symbol>
<name>Password</name>
<value>test</value>
</symbol>
</login>
</logins>
</SecureLogin>
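An added example in Python, not ActivIdentity's code, covering the same provisioning loop as the Perl script above and the <login> XML layout shown here. It fills the placeholders through an XML parser rather than text substitution, so a password containing '<' or '&' is escaped instead of producing a malformed file, and it hands the slaptool arguments to subprocess as a list instead of a shell string. The template and the slaptool argument order (-k password, -o object, file) are assumptions modelled on the script above; provision() accepts a replacement runner so it can be exercised without slaptool.exe installed.

```python
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed template in the shape of the <login> fragment shown above, using
# the same placeholders the Perl script substitutes.
TEMPLATE = """<SecureLogin>
  <logins>
    <login>
      <name>notepad.exe</name>
      <symbol><name>username</name><value>*usernamegoeshere*</value></symbol>
      <symbol><name>Password</name><value>*passwordgoeshere*</value></symbol>
    </login>
  </logins>
</SecureLogin>
"""

USER_MARK, PASS_MARK = "*usernamegoeshere*", "*passwordgoeshere*"


def build_user_xml(template: str, name: str, password: str) -> str:
    """Fill in the placeholders via the XML tree, so that '<', '&' and '>' in a
    password are escaped by the serializer instead of corrupting the file."""
    root = ET.fromstring(template)
    for value in root.iter("value"):
        if value.text == USER_MARK:
            value.text = name
        elif value.text == PASS_MARK:
            value.text = password
    return ET.tostring(root, encoding="unicode")


def symbol_values(xml_text: str, login_name: str) -> Dict[str, str]:
    """Read back the symbols of one <login>; parsing also checks the file is well-formed."""
    root = ET.fromstring(xml_text)
    for login in root.iter("login"):
        if login.findtext("name") == login_name:
            return {s.findtext("name"): s.findtext("value") for s in login.findall("symbol")}
    return {}


def slaptool_argv(name: str, password: str, data_file: str,
                  org: str = "O=myorg.T=OURCOMPANY") -> List[str]:
    """Argument vector for the slaptool call made by the Perl script. A list passed
    to subprocess never goes through a shell, so quotes or metacharacters in the
    password cannot alter the command. -k still exposes the password on the
    command line to any local process that can read process arguments."""
    return ["slaptool.exe", "-k", password, "-o", f"CN={name}.{org}", data_file]


def provision(name: str, password: str, data_file: str = "data.xml",
              template: str = TEMPLATE, run=subprocess.run) -> int:
    """Write the per-user file, import it, and remove the plaintext file afterwards."""
    path = Path(data_file)
    path.write_text(build_user_xml(template, name, password), encoding="utf-8")
    try:
        return run(slaptool_argv(name, password, str(path)), check=False).returncode
    finally:
        path.unlink(missing_ok=True)   # do not leave credentials on disk


if __name__ == "__main__":
    print(build_user_xml(TEMPLATE, "bernie", "p<a&ss"))
```

The same escaping concern applies to the Perl version: a password taken from listofnames.txt is inserted into source.xml verbatim, so a value containing an XML-significant character yields a file slaptool may reject or, worse, misread.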
On Windows XP:
C:\Documents and Settings\<Username>\Application
Data\SecureLogin\Cache
On Windows Vista:
C:\Users\<Username>\AppData\Roaming\SecureLogin\Cache
Note
The default ActivIdentity
SecureLogin cache refresh interval
is five minutes. You can change
this in the Preferences General properties.
user data, including passwords and passphrases, is saved in a password-protected encrypted XML file.
Note
The General preference Allow
users to backup/restore must be
set to Yes.
7. Click OK.
It confirms cache data has been loaded to the local workstation cache.
5. Click OK.
Default ActivIdentity
SecureLogin Event Log Alerts
Note
Logevent.exe is included in the
Windows 2000 Resource Kit.
Microsoft licensing regulations
apply.
For more information about the use and configuration of logevent.exe, go to:
http://support.microsoft.com
The following events are then audited and tracked in the Windows Event log:
For further information about the AuditEvent command, see the ActivIdentity
SecureLogin Single Sign-On Application Definition Guide.
Note
Details of the command parameters and event IDs are available on the
Microsoft web site.
5. After EndDialog, type the LogEvent command for the required alert.
For example:
Run C:\Program Files\Resource Kit\LogEvent.exe -m SecureLogin -s e -e 99 "Notepad has started"
If you have trouble with any aspect of ActivIdentity SecureLogin you have
several options for help.
Additional Documentation
Additional documents such as instructional guides and terminal emulation
configuration guides are available on request.
Use this deployment fact sheet as the basis for creating your own information document for users.
What is ActivIdentity SecureLogin?
List the users or groups affected by the deployment. If it will be a phased roll-out, list who will be affected in date order.
Deployment Date
<Application 1>
<Application 2>
<Application 3>
<Application 4>
Further Information
If you require any further information, see the company intranet:
<http://intranet.company.com/secureloginhelp>
or contact <IT Support> on <123456>.
Schema Attributes
Active Directory/ADAM/ADLDS Environments
LDAP Environments
Schema Attributes
ActivIdentity SecureLogin adds six schema attributes to the directory. The attributes are added during installation using the appropriate schema extension tool, depending on your choice of directory for ActivIdentity SecureLogin data storage.
Note: Each tool is available for both 32-bit and 64-bit platforms.
If you are upgrading from an ActivIdentity SecureLogin version older than 3.5, you need to extend your schemas.
These attributes are required for the encryption and storage of ActivIdentity SecureLogin data against directory objects such as user objects and organizational units. The following descriptions include the type of data stored for each attribute and the security rights required to save the data for the ActivIdentity SecureLogin client.
Before installing ActivIdentity SecureLogin, you need to extend the directory schema. This process is described in:
  Attribute name       Protocom-SSO-Auth-Data
  Classes assigned to  User
  Syntax               Octet string
  Optional flags       Synchronize
  X.500 OID            1.2.840.113556.1.8000.60.2
Protocom-SSO-Entries
This attribute contains the following:
  Attribute name       Protocom-SSO-Entries
  Classes assigned to  Container, Organizational unit, User
  Syntax               Octet string
  Optional flags       Synchronize
  X.500 OID            1.2.840.113556.1.8000.60.1
Protocom-SSO-Entries-Checksum
This attribute stores a checksum so that the ActivIdentity SecureLogin client can easily determine whether a complete reload of ActivIdentity SecureLogin adapter information is required.
TABLE B.3: Protocom-SSO-Entries-Checksum Attributes
  Attribute name       Protocom-SSO-Entries-Checksum
  Classes assigned to  Container, Organizational unit, User
  Syntax               Octet string
  Optional flags       Synchronize
  X.500 OID            1.2.840.113556.1.8000.60.5
Protocom-SSO-Profile
This attribute stores the address of the organizational unit to be redirected to.
TABLE B.4: Protocom-SSO-Profile Attributes
  Attribute name       Protocom-SSO-Profile
  Classes assigned to  Container, Organizational unit, User
  Syntax               Distinguished name
  Optional flags       Synchronize
  X.500 OID            1.2.840.113556.1.8000.60.7
Protocom-SSO-Security-Prefs
This attribute stores the data required for advanced passphrase policies. This data includes administrator-set passphrase questions, passphrase help information, and settings.
TABLE B.5: Protocom-SSO-Security-Prefs Attributes
  Attribute name       Protocom-SSO-Security-Prefs
  Classes assigned to  Container, Organizational unit, User
  Syntax               Octet string
  Optional flags       Synchronize
  X.500 OID            1.2.840.113556.1.8000.60.3
Protocom-SSO-Security-Prefs-Checksum
A checksum used to optimize reading of the security preferences attribute.
TABLE B.6: Protocom-SSO-Security-Prefs-Checksum Attributes
  Attribute name       Protocom-SSO-Security-Prefs-Checksum
  Classes assigned to  Container, Organizational unit, User
  Syntax               Octet string
  Optional flags       Synchronize
  X.500 OID            1.2.840.113556.1.8000.60.6
LDAP Environments
Protocom-SSO-Auth-Data
This attribute contains all user-specific authentication data, such as the passphrase.
TABLE B.7: Protocom-SSO-Auth-Data Attributes
  Attribute name       Protocom-SSO-Auth-Data
  Classes assigned to  User
  OID                  2.16.840.1.113719.2.26.4.1.1
Protocom-SSO-Entries
This attribute contains the following:
  Attribute name       Protocom-SSO-Entries
  Classes assigned to  Container, Organizational unit, User
  OID                  2.16.840.1.113719.2.26.4.2.1
Protocom-SSO-Entries-Checksum
This attribute stores a checksum so that the ActivIdentity SecureLogin client can easily determine whether a complete reload of ActivIdentity SecureLogin adapter information is required.
TABLE B.9: Protocom-SSO-Entries-Checksum Attributes
  Attribute name       Protocom-SSO-Entries-Checksum
  Classes assigned to  Container, Organizational unit, User
  OID                  2.16.840.1.113719.2.26.4.5.1
Protocom-SSO-Profile
This attribute stores the address of the organizational unit to be redirected to.
TABLE B.10: Protocom-SSO-Profile Attributes
  Attribute name       Protocom-SSO-Profile
  Classes assigned to  Container, Organizational unit, User
  OID                  2.16.840.1.113719.2.26.4.17.1
Protocom-SSO-Security-Prefs
This attribute stores the data required for advanced passphrase policies. This data includes administrator-set passphrase questions, passphrase help information, and settings.
TABLE B.11: Protocom-SSO-Security-Prefs Attributes
  Attribute name       Protocom-SSO-Security-Prefs
  Classes assigned to  Container, Organizational unit, User
  OID                  2.16.840.1.113719.2.26.4.4.1
Protocom-SSO-Security-Prefs-Checksum
A checksum used to optimize reading of the security preferences attribute.
TABLE B.12: Protocom-SSO-Security-Prefs-Checksum Attributes
  Attribute name       Protocom-SSO-Security-Prefs-Checksum
  Classes assigned to  Container, Organizational unit, User
  OID                  2.16.840.1.113719.2.26.4.6.1
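The X.500 OIDs in the Active Directory/ADAM/ADLDS tables and the LDAP tables above are what a post-extension check should look for. The following script is an added example, not part of this guide or of the product: it parses an RFC 4512 style attributeTypes subschema dump and reports SecureLogin attributes that are missing or registered under a different OID. The sample subschema text is constructed for the example.

```python
import re
# Expected OIDs per environment, copied from the schema attribute tables above.
EXPECTED_OIDS = {
    "ad": {
        "Protocom-SSO-Auth-Data": "1.2.840.113556.1.8000.60.2",
        "Protocom-SSO-Entries": "1.2.840.113556.1.8000.60.1",
        "Protocom-SSO-Entries-Checksum": "1.2.840.113556.1.8000.60.5",
        "Protocom-SSO-Profile": "1.2.840.113556.1.8000.60.7",
        "Protocom-SSO-Security-Prefs": "1.2.840.113556.1.8000.60.3",
        "Protocom-SSO-Security-Prefs-Checksum": "1.2.840.113556.1.8000.60.6",
    },
    "ldap": {
        "Protocom-SSO-Auth-Data": "2.16.840.1.113719.2.26.4.1.1",
        "Protocom-SSO-Entries": "2.16.840.1.113719.2.26.4.2.1",
        "Protocom-SSO-Entries-Checksum": "2.16.840.1.113719.2.26.4.5.1",
        "Protocom-SSO-Profile": "2.16.840.1.113719.2.26.4.17.1",
        "Protocom-SSO-Security-Prefs": "2.16.840.1.113719.2.26.4.4.1",
        "Protocom-SSO-Security-Prefs-Checksum": "2.16.840.1.113719.2.26.4.6.1",
    },
}

# RFC 4512 attributeTypes value: "( <oid> NAME '<name>' ... )"
_ATTR_RE = re.compile(r"\(\s*([\d.]+)\s+NAME\s+'([^']+)'", re.IGNORECASE)

def parse_attribute_types(subschema_text):
    # Map attribute NAME -> OID for every attributeTypes line in the dump.
    found = {}
    for line in subschema_text.splitlines():
        m = _ATTR_RE.search(line) if line.lower().startswith("attributetypes:") else None
        if m:
            found[m.group(2)] = m.group(1)
    return found

def check_schema(subschema_text, environment):
    """Return the SecureLogin attributes missing from, or mis-registered in, the schema."""
    expected = EXPECTED_OIDS[environment]
    found = parse_attribute_types(subschema_text)
    missing = sorted(n for n in expected if n not in found)
    wrong_oid = {n: found[n] for n in expected if n in found and found[n] != expected[n]}
    return {"missing": missing, "wrong_oid": wrong_oid, "ok": not (missing or wrong_oid)}

# Constructed sample subschema (not real server output): Security-Prefs-Checksum
# is absent and Protocom-SSO-Profile is registered under a made-up OID.
SAMPLE_SUBSCHEMA = """\
attributeTypes: ( 2.16.840.1.113719.2.26.4.1.1 NAME 'Protocom-SSO-Auth-Data' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 2.16.840.1.113719.2.26.4.2.1 NAME 'Protocom-SSO-Entries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 2.16.840.1.113719.2.26.4.5.1 NAME 'Protocom-SSO-Entries-Checksum' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 2.16.840.1.113719.2.26.4.99.1 NAME 'Protocom-SSO-Profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributeTypes: ( 2.16.840.1.113719.2.26.4.4.1 NAME 'Protocom-SSO-Security-Prefs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""
```

Running check_schema(SAMPLE_SUBSCHEMA, "ldap") flags the missing checksum attribute and the wrong Profile OID; a dump that matches the tables returns ok=True.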
  Attribute name                        Rights required
  Protocom-SSO-Auth-Data                Read/Write
  Protocom-SSO-Entries                  Read/Write
  Protocom-SSO-Entries-Checksum         Read/Write
  Protocom-SSO-Profile                  Read/Write
  Protocom-SSO-Security-Prefs           Read/Write
  Protocom-SSO-Security-Prefs-Checksum  Read/Write
Container-based Attributes
In addition, users require the following directory attribute rights against all container objects.
TABLE B.14: Directory Attributes
  Attribute name                        Rights required
  Protocom-SSO-Entries                  Read
  Protocom-SSO-Entries-Checksum         Read
  Protocom-SSO-Profile                  Read
  Protocom-SSO-Security-Prefs           Read
  Protocom-SSO-Security-Prefs-Checksum  Read
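The two rights tables above define a least-privilege baseline: Read/Write on the six attributes of the user's own object and Read only on the container attributes. The following audit function is an added example, not part of this guide or of the product; it assumes the caller has already resolved one user's effective rights into a dictionary keyed by scope ("self" for the user's own object, "container" for container objects) and attribute name, and reports both missing rights (the client will fail to save data) and excess rights (for example Write on a container's Protocom-SSO-Entries). The sample rights are constructed.

```python
# The six attributes from the schema tables in this appendix.
USER_ATTRIBUTES = {
    "Protocom-SSO-Auth-Data", "Protocom-SSO-Entries", "Protocom-SSO-Entries-Checksum",
    "Protocom-SSO-Profile", "Protocom-SSO-Security-Prefs", "Protocom-SSO-Security-Prefs-Checksum",
}

# Rights required by the tables above: Read/Write on the user's own object,
# Read only against container objects (Auth-Data is assigned to User only).
REQUIRED = {
    "self": {attr: {"Read", "Write"} for attr in USER_ATTRIBUTES},
    "container": {attr: {"Read"} for attr in USER_ATTRIBUTES - {"Protocom-SSO-Auth-Data"}},
}

def minimum_rights():
    """The least-privilege grant set for one user, as {(scope, attribute): rights}."""
    return {(scope, attr): set(rights)
            for scope, needs in REQUIRED.items() for attr, rights in needs.items()}

def audit_rights(effective_rights):
    """Compare one user's effective rights with the baseline.

    effective_rights: {(scope, attribute): set_of_rights}, scope being "self"
    (the user's own object) or "container" (any container object); assumed
    to have been resolved by the caller from the directory's ACLs.
    """
    missing, excess = [], []
    for scope, needs in REQUIRED.items():
        for attr, rights in needs.items():
            have = effective_rights.get((scope, attr), set())
            if not rights <= have:
                missing.append((scope, attr, sorted(rights - have)))
    for (scope, attr), have in effective_rights.items():
        allowed = REQUIRED.get(scope, {}).get(attr, set())
        if have - allowed:
            excess.append((scope, attr, sorted(have - allowed)))
    return {"missing": sorted(missing), "excess": sorted(excess)}

# Constructed sample for one user (not captured from a directory): Write is
# missing on the user's own Entries-Checksum, and Write has been granted on the
# container's Protocom-SSO-Entries, which the baseline does not require.
SAMPLE_RIGHTS = minimum_rights()
SAMPLE_RIGHTS[("self", "Protocom-SSO-Entries-Checksum")] = {"Read"}
SAMPLE_RIGHTS[("container", "Protocom-SSO-Entries")] = {"Read", "Write"}
```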
Legal Disclaimer
Americas: +1 510.574.0100
US Federal: +1 571.522.1000
Europe
Asia Pacific
E-mail: info@actividentity.com
Web: www.actividentity.com