LightweightAccessAgent mode on Terminal Server SDK · IBM® SecurityAccess Manager for Enterprise...

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

Lightweight AccessAgent mode onTerminal Server SDK

SC14-7657-00

��

NoteBefore using this information and the product it supports, read the information in “Notices” on page 27.

Edition notice

Note: This edition applies to version 8.2 of IBM Security Access Manager for Enterprise Single Sign-On,(product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in neweditions.

© Copyright IBM Corporation 2002, 2012.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

Chapter 1. Overview . . . . . . . . . 1

Chapter 2. Developing a Virtual ChannelConnector . . . . . . . . . . . . . . 3Build prerequisites . . . . . . . . . . . . 3AccessAgent Terminal Services SDK . . . . . . 3Setting up the cross-compiler . . . . . . . . . 4Setting up the build environment . . . . . . . 4Linking dependencies . . . . . . . . . . . 6Virtual Channel Connector DLL . . . . . . . . 6Loading the EncVcClient library . . . . . . . . 7

Chapter 3. Setting up Virtual Channelintegration . . . . . . . . . . . . . 11Integrating Client AccessAgent with Citrix . . . . 11Integrating the Server AccessAgent with CitrixServer . . . . . . . . . . . . . . . . 12

Chapter 4. Verifying the operation . . . 13

Chapter 5. Troubleshooting andSupport . . . . . . . . . . . . . . 15

Appendix A. Terminal Services SDKAPI Details . . . . . . . . . . . . . 23

Appendix B. AccessAgent TerminalServices SDK message exchange . . . 25

Notices . . . . . . . . . . . . . . 27

Glossary . . . . . . . . . . . . . . 31

Index . . . . . . . . . . . . . . . 39

© Copyright IBM Corp. 2002, 2012 iii

iv IBM® Security Access Manager for Enterprise Single Sign-On: Lightweight AccessAgent mode on Terminal Server SDK

About this publication

IBM® Security Access Manager for Enterprise Single Sign-On provides sign-on andsign-off automation, authentication management, and user tracking to provide aseamless path to strong digital identity. The IBM Security Access Manager forEnterprise Single Sign-On Lightweight AccessAgent mode on Terminal Server SDK Guideprovides information about how to develop a virtual channel connector thatintegrates AccessAgent with Terminal Services applications.

Intended audienceThis publication is for the Administrators who need to develop the virtual channelconnector.

Readers must be familiar with the following topics:v Virtual channel connector and integrationv AccessAgent Terminal Services SDKv Vendor SDK

What this publication containsThis publication contains the following sections:v Chapter 1, “Overview,” on page 1

Provides an overview of the Client AccessAgent and Server AccessAgentcommunication.

v Chapter 2, “Developing a Virtual Channel Connector,” on page 3Provides the build prerequisites, and information about the AccessAgentterminal services SDK.

v Chapter 3, “Setting up Virtual Channel integration,” on page 11Provides the procedure for setting up the virtual channel connector for ClientAccessAgent and Server AccessAgent.

v Chapter 4, “Verifying the operation,” on page 13Provides the procedure for verifying if the Virtual Channel Connector is workingproperly.

v Chapter 5, “Troubleshooting and Support,” on page 15Provides the requirements for troubleshooting.

v Appendix A, “Terminal Services SDK API Details,” on page 17Provides the details of the AccessAgent Terminal Services SDK.

v Appendix B, “AccessAgent Terminal Services SDK message exchange,” on page25Provides information about the message exchange scenario between the ClientAccessAgent and Server AccessAgent and descriptions for each message type.

PublicationsThis section lists publications in the IBM Security Access Manager for EnterpriseSingle Sign-On library. The section also describes how to access Tivoli®

publications online and how to order Tivoli publications.

© Copyright IBM Corp. 2002, 2012 v

IBM Security Access Manager for Enterprise Single Sign-Onlibrary

The following documents are available in the IBM Security Access Manager forEnterprise Single Sign-On library:v IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide,

CF38DMLRead this guide for a quick start on the main installation and configuration tasksto deploy and use IBM Security Access Manager for Enterprise Single Sign-On.

v IBM Security Access Manager for Enterprise Single Sign-On Planning and DeploymentGuide, SC23995203Read this guide before you do any installation or configuration tasks. This guidehelps you to plan your deployment and prepare your environment. It providesan overview of the product features and components, the required installationand configuration, and the different deployment scenarios. It also describes howto achieve high availability and disaster recovery.

v IBM Security Access Manager for Enterprise Single Sign-On Installation Guide,GI11930901Read this guide for the detailed procedures on installation, upgrade, oruninstallation of IBM Security Access Manager for Enterprise Single Sign-On.This guide helps you to install the different product components and theirrequired middleware, and also do the initial configurations required to completethe product deployment. It covers procedures for using virtual appliance,WebSphere® Application Server Base editions, and Network Deployment.

v IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide,GC23969201Read this guide if you want to configure the IMS Server settings, theAccessAgent user interface, and its behavior.

v IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide,SC23995103This guide is intended for the Administrators. It covers the differentAdministrator tasks. This guide provides procedures for creating and assigningpolicy templates, editing policy values, generating logs and reports, and backingup the IMS Server and its database. Use this guide together with the IBMSecurity Access Manager for Enterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide,SC23995303This guide is intended for Help desk officers. The guide helps Help desk officersto manage queries and requests from users usually about their authenticationfactors. Use this guide together with the IBM Security Access Manager forEnterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide,SC23969401Read this guide for the detailed descriptions of the different user, machine, andsystem policies that Administrators can configure in AccessAdmin. Use thisguide along with the IBM Security Access Manager for Enterprise SingleSign-On Administrator Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting andSupport Guide, GC23969301Read this guide if you have any issues with regards to installation, upgrade, andproduct usage. This guide covers the known issues and limitations of the

vi IBM® Security Access Manager for Enterprise Single Sign-On: Lightweight AccessAgent mode on Terminal Server SDK

product. It helps you determine the symptoms and workaround for the problem.It also provides information about fixes, knowledge bases, and support.

v IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide,SC23995603Read this guide if you want to create or edit profiles. This guide providesprocedures for creating and editing standard and advanced AccessProfiles fordifferent application types. It also covers information about managingauthentication services and application objects, and information about otherfunctions and features of AccessStudio.

v IBM Security Access Manager for Enterprise Single Sign-On Provisioning IntegrationGuide, SC23995703Read this guide for information about the different Java™ and SOAP API forprovisioning. It also covers procedures for installing and configuring theProvisioning Agent.

v IBM Security Access Manager for Enterprise Single Sign-On Web API for CredentialManagement Guide, SC14764600Read this guide if you want to install and configure the Web API for credentialmanagement.

v IBM Security Access Manager for Enterprise Single Sign-On Lightweight AccessAgentmode on Terminal Server SDK Guide, SC14765700Read this guide for the details on how to develop a virtual channel connectorthat integrates AccessAgent with Terminal Services applications.

v IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide,SC14762600IBM Security Access Manager for Enterprise Single Sign-On has a ServiceProvider Interface (SPI) for devices that contain serial numbers, such as RFID.See this guide to know how to integrate any device with serial numbers and useit as a second authentication factor with AccessAgent.

v IBM Security Access Manager for Enterprise Single Sign-On Context ManagementIntegration Guide, SC23995403Read this guide if you want to install and configure the Context Managementsolution.

v IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995003This guide is intended for the end users. This guide provides instructions forusing AccessAgent and Web Workplace.

v IBM Security Access Manager for Enterprise Single Sign-On Error Message ReferenceGuide, GC14762400This guide describes all the informational, warning, and error messagesassociated with IBM Security Access Manager for Enterprise Single Sign-On.

Accessing terminology onlineThe IBM Terminology Web site consolidates the terminology from IBM productlibraries in one convenient location. You can access the Terminology Web site at thefollowing Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications onlineIBM posts publications for this and all other Tivoli products, as they becomeavailable and whenever they are updated, to the Tivoli Information Center Website at http://www.ibm.com/tivoli/documentation.

About this publication vii

http://www.ibm.com/software/globalization/terminology

http://www.ibm.com/tivoli/documentation

Note: If you print PDF documents on other than letter-sized paper, set the optionin the File > Print window that allows Adobe Reader to print letter-sized pages onyour local paper.

Ordering publicationsYou can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:v In the United States: 800-879-2755v In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivolipublications. To locate the telephone number of your local representative, performthe following steps:1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.2. Select your country from the list and click Go.3. Click About this site in the main panel to see an information page that

includes the telephone number of your local representative.

AccessibilityAccessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

For additional information, see "Accessibility features" in the IBM Security AccessManager for Enterprise Single Sign-On Planning and Deployment Guide.

Tivoli technical trainingFor Tivoli technical training information, see the following IBM Tivoli EducationWeb site at http://www.ibm.com/software/tivoli/education.

Tivoli user groupsTivoli user groups are independent, user-run membership organizations thatprovide Tivoli users with information to assist them in the implementation ofTivoli Software solutions. Through these groups, members can share informationand learn from the knowledge and experience of other Tivoli users. Tivoli usergroups include the following members and groups:v 23,000+ membersv 144+ groups

Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support informationIf you have a problem with your IBM software, you want to resolve it quickly. IBMprovides the following ways for you to obtain the support you need:

viii IBM® Security Access Manager for Enterprise Single Sign-On: Lightweight AccessAgent mode on Terminal Server SDK

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.ibm.com/software/tivoli/education

http://www.tivoli-ug.org

OnlineGo to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support AssistantThe IBM Support Assistant is a free local software serviceability workbenchthat helps you resolve questions and problems with IBM softwareproducts. The IBM Support Assistant provides quick access tosupport-related information and serviceability tools for problemdetermination. To install the IBM Support Assistant software, go tohttp://www.ibm.com/software/support/isa.

Troubleshooting GuideFor more information about resolving problems, see the IBM Security AccessManager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Conventions used in this publicationThis publication uses several conventions for special terms and actions, operatingsystem-dependent commands and paths, and margin graphics.

Typeface conventionsThis publication uses the following typeface conventions:

Bold

v Lowercase commands and mixed case commands that are otherwisedifficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spinbuttons, fields, folders, icons, list boxes, items inside list boxes,multicolumn lists, containers, menu choices, menu names, tabs, propertysheets) and labels (such as Tip: and Operating system considerations:)

v Keywords and parameters in text

Italic

v Citations (examples: titles of publications, diskettes, and CDs)v Words defined in text (example: a nonswitched line is called a

point-to-point line)v Emphasis of words and letters (words as words example: "Use the word

that to introduce a restrictive clause."; letters as letters example: "TheLUN address must start with the letter L.")

v New terms in text (except in a definition list): a view is a frame in aworkspace that contains data.

v Variables and values you must provide: ... where myname represents....

Monospace

v Examples and code examplesv File names, programming keywords, and other elements that are difficult

to distinguish from surrounding textv Message text and prompts addressed to the userv Text that the user must typev Values for arguments or command options

About this publication ix

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/isa

Operating system-dependent variables and pathsThis publication uses the UNIX convention for specifying environment variablesand for directory notation.

When using the Windows command line, replace $variable with % variable% forenvironment variables and replace each forward slash (/) with a backslash (\) indirectory paths. The names of environment variables are not always the same inthe Windows and UNIX environments. For example, %TEMP% in Windowsenvironments is equivalent to $TMPDIR in UNIX environments.

Note: You can use the UNIX conventions if you are using the bash shell on aWindows system.

x IBM® Security Access Manager for Enterprise Single Sign-On: Lightweight AccessAgent mode on Terminal Server SDK

Chapter 1. Overview

IBM Security Access Manager for Enterprise Single Sign-On supports singlesign-on and authentication services for applications hosted on Citrix/TerminalServers – Citrix XenApp Servers or Microsoft Remote Desktop.

You need to build a virtual channel connector for both the client and the server toestablish communication between the Client AccessAgent and Server AccessAgent.

Use Microsoft Visual Studio .NET 2008 with Service Pack 1 to develop VirtualChannel Connectors by using AccessAgent Terminal Services SDK. You candevelop a connector dynamic link library (DLL) file either as a 32-bit or 64-bitapplication depending on the operating system where the DLL file is located.

The following diagram illustrates the communication between the Terminal Serverand the client machine.

Terminal Server

ISAM ESSOComponents

TSVCServer

Server VirtualChannel Connector

Client Machine

ISAM ESSOComponents

Terminal ServicesClient Application

Client VirtualChannel Connector

Virtual Channel

Implements TS SDKServer SPI

Uses TS SDKClient API

Client Virtual Channel Connector

The client virtual channel connector DLL file must be registered with the clientapplication through the registry editor.

When the client application connects to a terminal server, the client applicationloads and initializes the connector DLL file. The DLL file then communicates withits server counterpart over the virtual channel. See Chapter 3, “Setting up VirtualChannel integration,” on page 11.

Server Virtual Channel Connector

The server virtual connector DLL file must be registered with AccessAgent byupdating the AccessAgent configuration. For more information, see Chapter 3,“Setting up Virtual Channel integration,” on page 11.

© Copyright IBM Corp. 2002, 2012 1

At runtime, AccessAgent determines the available virtual channel framework forthe current terminal session. AccessAgent also loads the appropriate connectorDLL file for the virtual channel communication.

2 IBM® Security Access Manager for Enterprise Single Sign-On: Lightweight AccessAgent mode on Terminal Server SDK

Chapter 2. Developing a Virtual Channel Connector

AccessAgent includes the required virtual channel connector DLL files forMicrosoft Remote Desktop Services. For other terminal service products like Citrix,you have to develop the DLL files.

See the following topics for information about developing the DLL files and settingup the virtual channel integration.v “Build prerequisites”v “AccessAgent Terminal Services SDK”v “Setting up the cross-compiler” on page 4v “Setting up the build environment” on page 4v “Linking dependencies” on page 6v “Virtual Channel Connector DLL” on page 6v “Loading the EncVcClient library” on page 7

Build prerequisitesBefore you develop the Virtual Channel Connector, make sure that you comply withthe requirements.

The following are the prerequisites for developing a Virtual Channel Connector DLLfile:v Install the following software:

– Microsoft Visual Studio 2008 .NET 2008 with Service Pack 1 for 32-bit.– AccessAgent Terminal Services SDK. See “AccessAgent Terminal Services

SDK” for more information.– Vendor Virtual Channel SDK. For example, Citrix. See “Vendor SDKs” on

page 4 for more information.v If you are building a 64-bit DLL file, install a 64-bit cross-compiler. See “Setting

up the cross-compiler” on page 4 for more information.

AccessAgent Terminal Services SDKThe AccessAgent Terminal Services SDK is included in the AccessAgent installer.

The Terminal Services SDK is located in <aa_home>\TSSDK\. For example,C:\Program Files\IBM\ISAM ESSO\AA\TSSDK\.

AccessAgent Terminal Services SDK contains the following files:

File Description

EncVcServer.h Header file containing the AccessAgent Server SPI

EncVcClient.h Header file containing the AccessAgent ClientSDK interface

See Appendix A, “Terminal Services SDK API Details,” on page 17 for theAccessAgent Terminal Services SDK API details.


Vendor SDKsv Citrix Virtual Channel SDK includes several sample codes. For example, the

"Ping" project located in VCSDK. The client sample codes can be found at\VCSDK\Win32\src\examples\vc\client\vdping\ while the server sample codescan be found at \VCSDK\Win32\src\examples\vc\server\ctxping\. The requiredCitrix SDKs can be found at the following URLs:

Citrix Virtual Channel SDK (VCSDK) 10.x http://support.citrix.com/article/ctx114196

WinFrame Application Programming InterfaceSDK (WFAPI SDK) 4.5

http://support.citrix.com/article/CTX114195

Setting up the cross-compilerSet up the cross-compiler before you build the DLL file through Microsoft VisualStudio.

Procedure1. Close all the Microsoft Visual Studio 2008 Solutions.2. Insert the Microsoft Visual Studio 2008 CD in your computer.3. Select Repair.4. Select 64-bit cross-compiler.5. Continue with the installation.6. Remove the Microsoft Visual Studio 2008 CD after the installation.7. Insert the Microsoft Visual Studio 2008 Service Pack 1 CD.8. Follow the steps to install Service Pack 1.

Setting up the build environmentSet up the build environment for both 32-bit and 64-bit.

Procedure1. Create two separate Visual C++ Win32 DLL files for both the Client and Server

projects. In this procedure, the client project is called ICAVCClient, while theserver project is called ICAVCServer.

2. For each project, set the Project Properties.a. Select ICAVCClient > Property Pages.b. Select Configuration Properties > General.c. In the Character Set field, select Use Unicode Character Set.d. Select C/C++ > Code Generation.e. In the Runtime Library field, select Multi-threaded DLL.f. Select ICAVCServer > Property Pages.g. Select Configuration Properties > General.h. In the Character Set field, select Use Unicode Character Set.i. Select C/C++ > Code Generation.j. In the Runtime Library field, select Multi-threaded.

3. Define the ENCVCCLIENT_EXPORTS preprocessor macro in the client connectorDLL project. The DLL exports the functions expected by AccessAgent.

4. Define the ENCVCSERVER_EXPORTS preprocessor macro in the server connectorDLL project. The DLL exports the functions expected by AccessAgent.


http://support.citrix.com/article/ctx114196


5. Add linking dependencies for each Virtual Channel Connection framework. Formore information, see “Linking dependencies” on page 6.

6. Optional: Follow these steps for x64 connectors:a. Verify if the x64 cross-compiler installation is successful.b. Open the Project Properties for any project.c. Click the Platform list and check if the x64 operating system is in the list.d. Enable the configuration of the x64 operating system in the new project.

After creating the project, the x64 operating system is not automaticallyadded to the Platform list. There are two options to add x64 in the Platformlist:

Task Steps

Build the project in Win32 first if you have astable Win32 project.

1. Open Project Properties.

2. Click Configuration Manager.

3. Select your project in the list.

4. In the Platform column, select Win32,and then click New. A pop-up windowis displayed.

5. In the New Platform field, select x64.

6. In the Copy Settings From field, selectWin32.

7. Clear the Create New SolutionsPlatform check box.

8. Click OK. All Win32 project settings arecopied to the x64 configuration.

9. In the Project Properties, make thenecessary changes such as InputLibraries.

Modify the Win32 and the x64 operatingsystems in parallel.

1. Open Project Properties.

2. Click Configuration Manager.

3. Select your project in the list.

4. In the Platform column, select Win32,and then click New. A pop-up windowis displayed.

5. In the New Platform field, select x64.

6. In the Copy Settings From field, selectWin32.

7. Clear the Create new solutions platformcheck box.

8. Click OK.

e. If you have already configured the x64 operating system, whenever youchange Project Properties, synchronize these configurations:

Solution configuration Solution platform

Debug Win32

Release Win32

Debug x64

Release x64

Chapter 2. Developing a Virtual Channel Connector 5

Linking dependenciesAdd a linking dependency on the library files to build the Client and Serverconnector DLL files.

When you build a client connector DLL, add a linking dependency for theselibrary files:v For Citrix XenApp plug-in (for 32-bit DLL):

– clibdll.lib (from Citrix Virtual Channel SDK )– vdapi.lib (from Citrix Virtual Channel SDK )

v For Citrix XenApp Server:

– wfapi.lib from WinFrame Application Programming Interface (for 32-bit DLL)– wfapi64.lib from WinFrame Application Programming Interface (for 64-bit

DLL)The required Citrix SDKs can be found at the following URLs:

Citrix Virtual Channel SDK (VCSDK) 10.x http://support.citrix.com/article/ctx114196

WinFrame Application Programming InterfaceSDK (WFAPI SDK) 4.5


Virtual Channel Connector DLLThis topic covers information about the Virtual Channel Client and Serverconnector DLL.

Virtual Channel Client Connector DLL

The Virtual Channel client framework has four abstract functions that:v Opens the Virtual Channel driverv Writes data to Virtual Channelv Reads data from Virtual Channelv Closes the Virtual Channel driver

The following pseudo codes provide an example on where to call the AccessAgentclient SDK API.

DriverOpen()

//This function is called when driver is loaded{Call LoadEncVcClientLib to load EncVcClient library;Perform required initialization based on the specificVC framework for DLL driver;Call InitEncVcClient to initialize EncVcClient;

}

See “Loading the EncVcClient library” on page 7 for instructions on howto load the EncVcClient library.

DriverPoll()

//This function is called whenever driver wants to send a message on theVirtual Channel using vendor API


http://support.citrix.com/article/ctx114196


{Call GetNextClientMessage to retrieve next message to send;Send message via VC;Call ReleaseMessage to wipe message from memory;

}

DataArrival()

//This function is called when driver receives a message on the VirtualChannel{Call ProcessServerMessage to process received message;

}

DriverClose()

//This function is called when the driver is unloaded{Call FinalizeEncVcClient to de-initialize EncVcClient;Call FreeEncVcClientLib to free EncVcClient library;

}

See Appendix A, “Terminal Services SDK API Details,” on page 17 for additionalinformation about the APIs.

Virtual Channel Server Connector DLL

Implement all the wrapper functions within EncVcServer.h. EncVcServer.h islocated in C:\Program Files\IBM\ISAM ESSO\TSSDK\.

Call the corresponding Virtual Channel framework server API.

Loading the EncVcClient libraryThe EncVcClient library is not provided in the AccessAgent Terminal ServicesSDK. The EncVcClient library is dynamically loaded within the client connectorDLL file. Perform a dynamic loading of EncVcClient library for AccessAgent.

Procedure1. Include the following codes in the client connector:

//Typedef of EncVcClient function pointerstypedef E_VCCError (*PF_InitEncVcClient)();typedef E_VCCError (*PF_FinalizeEncVcClient)();typedef E_VCCError (*PF_ProcessServerMessage)(const STsMessage* pMessage);typedef E_VCCError (*PF_GetNextClientMessage)(STsMessage* pMessage);typedef E_VCCError (*PF_ReleaseMessage)(STsMessage* pMessage);typedef void (*PF_AADebugLog)(E_VCCLogLevel logLevel,const wchar_t* wszMethodName, const wchar_t* wszMessage);

HINSTANCE g_hEncVcLib = NULL;PF_InitEncVcClient g_pfInitEncVcClient = NULL;PF_FinalizeEncVcClient g_pfFinalizeEncVcClient = NULL;PF_ProcessServerMessage g_pfProcessServerMessage = NULL;PF_GetNextClientMessage g_pfGetNextClientMessage = NULL;PF_ReleaseMessage g_pfReleaseMessage = NULL;PF_AADebugLog g_pfAADebugLog = NULL;

/*** \brief Initalization of dynamic run time loading for EncVcClient.dll*/BOOL LoadEncVcClientLib(){


g_hEncVcLib = LoadLibrary(L"EncVcClient.dll");if(g_hEncVcLib == NULL){::OutputDebugString(L"::LoadEncVcClientLib ,

Error: EncVcClient.dll NOT found");return FALSE;}

g_pfInitEncVcClient = (PF_InitEncVcClient)::GetProcAddress(g_hEncVcLib, "InitEncVcClient");

g_pfFinalizeEncVcClient = (PF_FinalizeEncVcClient)::GetProcAddress(g_hEncVcLib, "FinalizeEncVcClient");

g_pfProcessServerMessage = (PF_ProcessServerMessage)::GetProcAddress(g_hEncVcLib, "ProcessServerMessage");

g_pfGetNextClientMessage = (PF_GetNextClientMessage)::GetProcAddress(g_hEncVcLib, "GetNextClientMessage");

g_pfReleaseMessage = (PF_ReleaseMessage)::GetProcAddress(g_hEncVcLib, "ReleaseMessage");

g_pfAADebugLog = (PF_AADebugLog)::GetProcAddress(g_hEncVcLib, "AADebugLog");

if(!g_pfInitEncVcClient || !g_pfFinalizeEncVcClient ||!g_pfProcessServerMessage || !g_pfGetNextClientMessage ||!g_pfReleaseMessage || !g_pfAADebugLog){::OutputDebugString(L"::LoadEncVcClientLib ,Error: Required APIs NOT found in EncVcClient.dll");FreeLibrary(g_hEncVcLib);g_hEncVcLib = NULL;return FALSE;}g_pfAADebugLog(E_VCC_LOG_MOREINFO, L"::LoadEncVcClientLib",L"Load library successful");return TRUE;}

/*** \brief Free EncVcClient library*/BOOL FreeEncVcClientLib(){BOOL bRet = FreeLibrary(g_hEncVcLib);g_pfInitEncVcClient = NULL;g_pfFinalizeEncVcClient = NULL;g_pfProcessServerMessage = NULL;g_pfGetNextClientMessage = NULL;g_pfReleaseMessage = NULL;g_pfAADebugLog = NULL;g_hEncVcLib = NULL;return bRet;}/*** \brief Below are API functions for ESSO TS SDK*/

E_VCCError InitEncVcClient(){return g_pfInitEncVcClient();}

E_VCCError FinalizeEncVcClient(){return g_pfFinalizeEncVcClient();}

E_VCCError ProcessServerMessage(const STsMessage* pMessage){return g_pfProcessServerMessage(pMessage);


}

E_VCCError GetNextClientMessage(STsMessage* pMessage){return g_pfGetNextClientMessage(pMessage);}

E_VCCError ReleaseMessage(STsMessage* pMessage){return g_pfReleaseMessage(pMessage);}

void AADebugLog(E_VCCLogLevel logLevel, const wchar_t* wszMethodName,const wchar_t* wszMessage){g_pfAADebugLog(logLevel, wszMethodName, wszMessage);}

2. Call the LoadEncVcClientLib() functionv only once during the opening of the driverv before calling of any of the functions listed

3. Call the FreeEncVcClientLib() functionv only once during the closing of the driverv as the last function call before the driver closes

4. Save and recompile the connector DLL file.

Note: Check the level 3 log. If the loading of library is successful, there is anentry that state LoadEncVcClientLib, Load library successful in theAccessAgent log file. See "Log policies" in the IBM Security Access Manager forEnterprise Single Sign-On Policies Definition Guide.


Chapter 3. Setting up Virtual Channel integration

You can integrate Client AccessAgent with the Citrix XenApp Plug-in and the ServerAccessAgent with terminal services.

See the following topics for more information.v “Integrating Client AccessAgent with Citrix”v “Integrating the Server AccessAgent with Citrix Server” on page 12

Note: AccessAgent already includes the required virtual channel connector DLLfiles for Microsoft Remote Desktop Services.

Integrating Client AccessAgent with CitrixThe Client Connector DLL file has 32-bit Citrix clients, which means it is built in32-bit only. This procedure is required when you install or upgrade the clientAccessAgent version.

Procedure1. Copy the client connector DLL file. For example ICAVCClient.dll, to <Citrix

XenApp Plug-in installation folder>.2. Copy EncVcClient.dll into the <Citrix XenApp Plug-in installation folder>.3. Configure the Citrix client registry for the client connector DLL file.

a. On your Windows desktop, click Start > Run.b. In the Open field, enter regedit and click OK. The Registry Editor is

displayed.

Note:

v For a Windows 32-bit operating system, the Citrix registry hive isHKEY_LOCAL_MACHINE\SOFTWARE\Citrix.

v For a Windows x64 operating system, the Citrix registry hive isHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\.

c. Modify VirtualDriverEx.1) Select <Citrix registry hive>\ICA Client\Engine\Configuration\

Advanced\Modules\ICA 3.0\.2) Double-click VirtualDriverEx.3) In the Value data field, add ICAVCClient.4) Click OK.

d. Create an ICAVCClient.1) Open <Citrix registry hive>\ICA Client\Engine\Configuration\

Advanced\Modules\.2) Right-click and select New > Key. A new folder is created.3) Rename the folder. The new name is ICAVCClient.4) Repeat these steps until you create all the values in the table.

a) In the <Citrix registry hive>\ICA Client\Engine\Configuration\Advanced\Modules\ICAVCClient\ folder, right-click and select New >String Value.

b) Specify the following value names and value data.


Value Name Value Data

DriverName ICAVCClient.dll

DriverNameWin16 ICAVCClient.dll

DriverNameWin32 ICAVCClient.dll

Integrating the Server AccessAgent with Citrix ServerIf the Server AccessAgent is 32-bit, a 32-bit connector DLL file is needed. If theServer AccessAgent is 64-bit, a 64-bit connector DLL file is needed.

Procedure1. Copy the server connector file ICAVCServer.dll into the C:\Program Files\ISAM

ESSO folder.2. Register the server connector file with AccessAgent.

a. On your Windows desktop, click Start > Run.b. In the Open field, enter regedit and click OK. The Registry Editor is

displayed.c. Open HKEY_LOCAL_MACHINE\SOFTWARE\ISAM ESSO.d. Right-click and select New > Key. A new folder is created.e. Rename the folder; the new name is AccessAgent.f. Click the AccessAgent folder.g. Right-click and select New > Key. A new folder is created.h. Rename the folder; the new name is Integration.i. Click the Integration folder.j. Right-click and select New > Key. A new folder is created.k. Rename the folder; the new name is TerminalServices.l. Click the TerminalServices folder.m. Right-click and select New > Key. A new folder is created.n. Rename the folder; the new name is ServerSPI. You can continue to create

new keys until you have created your folder structure.o. In the HKLM/SOFTWARE/IBM/ISAM ESSO/AccessAgent/Integration/

TerminalServices/ServerSPI folder, right-click and select New > StringValue.

p. Set ICA as the Value name.q. In the Value data field, enter the server connector file name. For example,

ICAVCServer.dll.r. Click OK.


Chapter 4. Verifying the operation

After building and compiling the required DLL file for Citrix XenApp, verify if theDLL file is working properly.

Citrix XenApp1. Set the AccessAgent log level to 4.2. Start an application by using the Citrix Online plug-in.3. Connect to the terminal server.4. In the AccessAgent log on the client machine, verify that the log entries

generated by EncVcClient.dll exists.5. In the AccessAgent log on the server machine, verify that the following entries

generated by tsvcserver.exe exists:v [GetTsSpiDllForSession], TsSpi dll [ICAVCServer.dll] found for Session

[ICA],

v [CTSServer::Initialize()], Polling Threadstarted,[CTSServer::Initialize()], Polling Thread started


Chapter 5. Troubleshooting and Support

Troubleshooting is necessary to determine the cause and required solution for theerror encountered. If the virtual channel integration fails, contact IBM support andprovide them the required information.

You must provide the following files for reference:v Client AccessAgent log filesv Server AccessAgent log filesv Client and Server Visual Studio projects

Follow this procedure to ensure that the log data are collected correctly:1. Close unrelated applications.2. Delete all existing logs in the log folder.3. Set the log level to 4.4. Proceed to step through the procedures for collection of log data.5. Set the log level to 1 after the log collection.


Appendix A. Terminal Services SDK API Details

Know the different client SDK API and Server SDK SPI constants, structures, andfunctions. See this topic when developing the code for the Virtual Channel ConnectorDLL file.

Client SDK API

The following are the client SDK functions and their corresponding details.

ConstantsError Types: E_VCCError enum

Error Code Definition

E_VCC_SUCCESS The function is successful.

E_VCC_FAIL An unexpected error occurred.

E_VCC_INVALID_ARG One or more arguments are invalid.

E_VCC_NOT_INITIALIZED InitializeVcClient() has not been calledsuccessfully.

E_VCC_NO_DATA There is no more data available to be sent tothe server.

Log Levels: E_VCCLogLevel enum

v E_VCC_LOG_SEVEREv E_VCC_LOG_BASEINFOv E_VCC_LOG_MOREINFOv E_VCC_LOG_DEBUG

Structurestypedef struct{unsigned char* m_pData;unsigned long m_uLen;}STsMessage; //Structure to hold binary messages handled by Client SDK

FunctionsThe Client SDK provides the following set of functions that the virtualchannel driver can call to communicate with the local AccessAgent.

AADebugLog

Definition Definitionvoid AADebugLog(E_VCCLogLevel logLevel,const wchar_t* wszMethodName,const wchar_t* wszMessage);

Description Produces a debug log line to AccessAgentlog files.


AADebugLog

Parameters v logLevel [in] Log level

v wszMethodName [in] NULL-terminatedname of the module/class/method namegenerating the log statement.

v wszMessage [in] NULL-terminateddescriptive text.

Return Values None

InitEncVcClient

Definition E_VCCError InitEncVcClient();

Description Initializes the EncVcClient modules loadedin the virtual driver. This function must becalled when the terminal client establishes aconnection with the server and creates avirtual channel. The function internally setsup a named pipe server so that it canreceive messages from the localAccessAgent.

Parameters None

Return Values v E_VCC_SUCCESS

v E_VCC_FAIL

FinalizeEncVcClient

Definition E_VCCError FinalizeEncVcClient();

Description Shuts down the EncVcClient modulesloaded in the virtual driver. This functionmust be called when the terminal session isdisconnected and the virtual channel isclosed.

Parameters None

Return Values E_VCC_SUCCESS

ProcessServerMessage

Definition E_VCCError ProcessServerMessage(const STsMessage* pMessage);

Description Processes the data packet received from thevirtual channel server. When a data packet isreceived from the server, the virtual channelconnector calls this function to pass themessage to the local AccessAgent forprocessing.

Parameters pMessage [in] Data packet received from theserver AccessAgent


v E_VCC_NOT_INITIALIZED

v E_VCC_INVALID_ARG


GetNextClientMessage

Definition E_VCCError GetNextClientMessage(STsMessage* pMessage);

Description Returns a data packet, if any, from the localAccessAgent to the server. The functionlooks up the queue in which the packetsfrom the local AccessAgent are put in. Thevirtual driver calls this function periodicallyto check if there are any packets to be sentto the server. The virtual driver calls thisfunction within a period less than onesecond.

Parameters pMessage [out] Data packet from the clientAccessAgent to be sent to the serverAccessAgent


v E_VCC_NOT_INITIALIZED

v E_VCC_INVALID_ARG

v E_VCC_NO_DATA

ReleaseMessage

Definition E_VCCError ReleaseMessage(STsMessage* pMessage);

Description Wipes the memory buffer allocated to thedata packet and frees the memory. A clientmessage is obtained from theGetNextClientMessage function. Aftersending the client message to the virtualchannel server, the virtual driver passes themessage to this function to release theresources.

Parameters pMessage [out] Message whose memorybuffer is to be released.


v E_VCC_INVALID_ARG

Server SDK SPI

The following are the Terminal Services Server SPI specifications.

These specifications are essentially a wrapper around server-side functions ofTerminal Services API for Windows and WinFrame API for Citrix.

The following functions must be implemented by the connector DLL file.

ConstantsError Types: E_VCCError enum

Error Code Definition

E_VCC_SUCCESS The function is successful.

E_VCC_FAIL An unexpected error occurred.

E_VCC_INVALID_ARG One or more arguments are invalid.

Appendix A. Terminal Services SDK API Details 19

Query Types: EN_INFO_CLASS enum

v EnInitialProgramv EnApplicationNamev EnWorkingDirectoryv EnOEMIdv EnSessionIdv EnUserNamev EnWinStationNamev EnDomainNamev EnConnectStatev EnClientBuildNumberv EnClientNamev EnClientDirectoryv EnClientProductIdv EnClientHardwareIdv EnClientAddressv EnClientDisplayv EnClientProtocolType

EN_TS_EVENT - Event flags for EnWaitSystemEvent()Values identical to WTS_EVENT_xxx and WF_EVENT_xxx

Event Description

EN_TS_EVENT_NONE // return no event

EN_TS_EVENT_CREATE // new WinStation created

EN_TS_EVENT_DELETE // existing WinStation deleted

EN_TS_EVENT_RENAME // existing WinStation renamed

EN_TS_EVENT_CONNECT // WinStation connect to client

EN_TS_EVENT_DISCONNECT // WinStation logged on without client

EN_TS_EVENT_LOGON // user logged on to existing WinStation

EN_TS_EVENT_LOGOFF // user logged off from existing WinStation

EN_TS_EVENT_STATECHANGE // WinStation state change

EN_TS_EVENT_LICENSE // license state change

EN_TS_EVENT_ALL // wait for all event types

EN_TS_EVENT_FLUSH // unblock all waiters

Structurestypedef struct _EN_CLIENT_ADDRESS{ //Returned by QueryCurrentSessionInfo(EnClientAddress)

DWORD AddressFamily; // AF_INET, AF_IPX, AF_NETBIOS, AF_UNSPECBYTE Address[20]; // client network address

} EN_CLIENT_ADDRESS, * PEN_CLIENT_ADDRESS;

Functions


EnQueryCurrentSessionInformation

Definition E_VCSError EnQueryCurrentSessionInfo(EN_INFO_CLASS infoClass,LPWSTR * ppBuffer,DWORD * pBytesReturned);

Description Queries information about the currentterminal session. The parameters that can bequeried are:

v EnSessionId (SessionId)

v EnUserName (UserName)

v EnDomainName (DomainName)

v EnConnectState (ConnectionState)

v EnClientName (Client machine name)

v EnClientAddress (Client IP address)

Parameters v infoClass [in] - Specifies the type of theinformation to retrieve.

v ppBuffer [out] - Pointer to a variable thatreceives a pointer to the requestedinformation.

v pbytesReturned [out] - Pointer to avariable that receives the size, in bytes, ofthe data returned ppBuffer.

Return Values v E_VCS_SUCCESS

v E_VCS_FAIL

EnVirtualChannelOpen

Definition HANDLE EnVirtualChannelOpen();

Description Opens a virtual channel with a given name.

Parameters None

Return Values v A valid virtual channel HANDLE onsuccess

v NULL on failure

EnVirtualChannelClose

Definition E_VCSError EnVirtualChannelClose(IN HANDLE hChannelHandle);

Description Closes the virtual channel opened with aprevious call to EnVirtualChannelOpen().

Parameters hChannelHandle [in] - Handle obtainedfrom EnVirtualChannelOpen call


v E_VCS_FAIL


EnVirtualChannelRead

Definition E_VCSError EnVirtualChannelRead(IN HANDLE hChannelHandle,IN ULONG uTimeOut,OUT PCHAR pBuffer,IN ULONG uBufferSize,OUT PULONG puBytesRead);

Description Reads data from a given virtual channel.

Parameters v hChannelHandle [in] - Handle to a virtualchannel opened by thenVirtualChannelOpen() function.

v uTimeOut [in] - Specifies the timeout, inmilliseconds.

v pBuffer [out] - Pointer to a buffer thatreceives a chunk of data read from theserver end of the virtual channel.

v UbufferSize [in]- Specifies the size, inbytes, of pBuffer

v puBytesRead [out] - Pointer to a variablethat receives the number of bytes read.


v E_VCS_FAIL

EnVirtualChannelWrite

Definition E_VCSError EnVirtualChannelWrite(IN HANDLE hChannelHandle,IN PCHAR Buffer,IN ULONG Length,OUT PULONG pBytesWritten);

Description Writes data to a given virtual channel.

Parameters v hChannelHandle [in] - Handle to a virtualchannel opened by theEnVirtualChannelOpen() function.

v Buffer [in] - Pointer to a buffer containingthe data to write to the virtual channel.

v Length [in] - Specifies the size, in bytes, ofthe data to write.

v pBytesWritten [out] - Pointer to a variablethat receives the number of bytes written.


v E_VCS_FAIL

EnDisconnectCurrentSession

Definition E_VCSError EnDisconnectCurrentSession(IN BOOL bWait);

Description Disconnects the current Windows session.

Parameters bWait [in] Indicates whether the operation issynchronous. Specify TRUE to wait for thecompletion of the operation, or FALSE toreturn immediately.


EnDisconnectCurrentSession


v E_VCS_FAIL

EnLogoffCurrentSession

Definition E_VCSError EnLogoffCurrentSession(BOOL bWait);

Description Logs off the current Windows session.

Parameters bWait [in] Indicates whether the operation issynchronous. Specify TRUE to wait for thecompletion of the operation, or FALSE toreturn immediately.


v E_VCS_FAIL

EnWaitSystemEvent

Definition E_VCSError EnWaitSystemEvent(IN DWORD EventMask,OUTDWORD * pEventFlags);

Description Blocks on a system event before returning.The system event can be any one of thefollowing:

v EN_TS_EVENT_CREATE (Sessioncreation)

v EN_TS_EVENT_DELETE (Sessiondeletion)

v EN_TS_EVENT_CONNECT (Sessionconnect)

v EN_TS_EVENT_DISCONNECT (Sessiondisconnect)

v EN_TS_EVENT_LOGON (User log on)

v EN_TS_EVENT_LOGOFF (User log off)

Parameters v EventMask [in] Bitwise OR of the eventsto wait for

v pEventFlags [out] Event that fired


v E_VCS_FAIL

EnFreeMemory

Definition VOID EnFreeMemory(IN PVOID pMemory);

Description Frees memory allocated by other SPIfunctions.

Parameters pMemory [in] Pointer to the memory to befreed

Return Values None


Appendix B. AccessAgent Terminal Services SDK messageexchange

Messages are exchanged between the Client AccessAgent and the Server AccessAgentduring the initialization of the server-side virtual channel application.

The following diagram shows a typical message exchange scenario between theClient AccessAgent and the Server AccessAgent.

The following are the messages that the Client AccessAgent and the ServerAccessAgent can send.

Table 1. Server to Client Messages

Message Type Description

Session Query Queries the client AccessAgent sessionstatus.

Credential Request Requests the user AccessAgent credential.

Full Synchronize Request Request client AccessAgent to perform fullsynchronization with the IMS Server.

Table 2. Client to Server Messages


Session Ready Response to Session Query message.Indicates that the client session is logged on.

Session Not Ready Response to Session Query message.Indicates that the client session is not loggedon.

Credential Data Response to Credential Request whichcontains the user AccessAgent credential.

Start Session Requests the Server AccessAgent to start theuser session.


Table 2. Client to Server Messages (continued)


Logoff Session Requests the Server AccessAgent to log offfrom the user session.

Full Synchronize Request Requests the Server AccessAgent to performfull synchronize with the IMS Server.

Enable Single Sign-on Requests the Server AccessAgent to enablesingle sign-on for the user session.

Disable Single Sign-on Requests the Server AccessAgent to disablesingle sign-on for the user session.

Lock Desktop Requests the Server AccessAgent to lock theuser desktop.

Unlock Desktop Requests the Server AccessAgent to unlockthe user desktop.


Notices

This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.1623-14, Shimotsuruma, Yamato-shiKanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law :

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certaintransactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subjectto change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject tochange before the products described become available.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment to


IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. You may copy,modify, and distribute these sample programs in any form without payment toIBM for the purposes of developing, using, marketing, or distributing applicationprograms conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and colorillustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at Copyright andtrademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Officeof Government Commerce, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Notices 29

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in theUnited States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo aretrademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marksof others.


Glossary

AccessAdmin. A web-based management console thatAdministrators and Helpdesk officers use to administerthe IMS Server and to manage users and policies.

AccessAgent plug-in. A piece of script, written inVBscript or Javascript, that is embedded within anAccessProfile to perform custom checking of conditionsor to execute custom actions. It is used for extendingthe capability of an AccessProfile beyond the built-intriggers and actions.

AccessAgent. The client software that manages theidentity of the user, authenticates the user, andautomates single sign-on and sign-off.

AccessAssistant. The web-based interface that helpsusers to reset their passwords and retrieve theirapplication credentials.

AccessProfile widget / widget. An independentAccessProfile that consists of pinnable states, which canbe used to build another AccessProfile.

AccessProfiles. AccessAgent uses these XMLspecifications to identify application screens that it canperform single sign-on and automation.

AccessStudio. An application used by Administratorsfor creating and maintaining AccessProfiles.

Account data bag. A data structure that holds usercredentials in memory while single sign-on isperformed on an application.

Account data item template. A template that definesthe properties of an account data item.

Account data item. The user credentials required forlogon.

Account data template. A template that defines theformat of account data to be stored for credentialscaptured by using a specific AccessProfile.

Account data. The logon information required toverify an authentication service. It can be the username, password, and the authentication service whichthe logon information is stored.

Action. In profiling, an act that can be performed inresponse to a trigger. For example, automatic filling ofuser name and password details as soon as a sign-onwindow displays.

Active Directory (AD). A hierarchical directory servicethat enables centralized, secure management of anentire network, which is a central component of theMicrosoft Windows platform.

Active Directory credentials. The Active Directoryuser name and password.

Active Directory password synchronization. An IBMSecurity Access Manager for Enterprise Single Sign-Onfeature that synchronizes the ISAM ESSO passwordwith the Active Directory password.

Active RFID (ARFID). ARFID is both a secondauthentication factor and a presence detector. It candetect the presence of a user and AccessAgent can beconfigured to perform specific actions. In previousreleases, it is called Active Proximity Badge.

ActiveCode. Short-lived authentication codes that aregenerated and verified by IBM Security AccessManager for Enterprise Single Sign-On. There are twotypes of ActiveCodes: Mobile ActiveCodes andPredictive ActiveCodes.

Mobile ActiveCodes are generated by IBM SecurityAccess Manager for Enterprise Single Sign-On anddispatched to the mobile phone or email account of theuser. Predictive ActiveCodes, or One Time Passwords,are generated from OTP tokens when a user presses itsbutton.

Combined with alternative channels or devices,ActiveCodes provide effective second-factorauthentication.

Administrator. A person responsible foradministrative tasks such as access authorization andcontent management. Administrators can also grantlevels of authority to users.

Application policies. A collection of policies andattributes governing access to applications.

Application programming interface (API). Aninterface that allows an application program written ina high-level language to use specific data or functionsof the operating system or another program.

Application. One or more computer programs orsoftware components that provide a function in directsupport of a specific business process or processes. InAccessStudio, it is the system that provides the userinterface for reading or entering the authenticationcredentials.

Audit. A process that logs the user, Administrator, andHelpdesk activities.

Authentication factor. The different devices,biometrics, or secrets required as credentials forvalidating digital identities. Examples of authentication


factors are passwords, smart card, RFID, biometrics,and one-time password tokens.

Authentication service. In IBM Security AccessManager for Enterprise Single Sign-On, a service thatverifies the validity of an account against their ownuser store or against a corporate directory. Identifies theauthentication service associated with a screen. Accountdata saved under a particular authentication service isretrieved and auto-filled for the logon screen that isdefined. Account data captured from the logon screendefined is saved under this authentication service.

Authorization code. An alphanumeric code generatedfor administrative functions, such as password resets ortwo-factor authentication bypass with AccessAgent,AccessAssistant, and Web Workplace.

Auto-capture. A process that allows a system to collectand reuse user credentials for different applications.These credentials are captured when the user entersinformation for the first time, and then stored andsecured for future use.

Automatic sign-on. A feature where users can log onto the sign-on automation system and the system logson the user to all other applications.

Base distinguished name. A name that indicates thestarting point for searches in the directory server.

Bidirectional language. A language that uses a script,such as Arabic and Hebrew, whose general flow of textproceeds horizontally from right to left, but numbers,English, and other left-to-right language text arewritten from left to right.

Bind distinguished name. A name that specifies thecredentials for the application server to use whenconnecting to a directory service. The distinguishedname uniquely identifies an entry in a directory. Seealso Distinguished name.

Biometrics. The identification of a user based on aphysical characteristic of the user, such as a fingerprint,iris, face, voice, or handwriting.

Card Serial Number (CSN). A unique data item thatidentifies a hybrid smart card. It has no relation to thecertificates installed in the smart card

Cell. In WebSphere Application Server, a cell is avirtual unit that consists of a deployment manager andone or more nodes.

Certificate authority (CA). A trusted organization orcompany that issues the digital certificates. Thecertificate authority typically verifies the identity of theindividuals who are granted the unique certificate.

IMS Server Certificate. Used in IBM Security AccessManager for Enterprise Single Sign-On. The IMS ServerCertificate allows clients to identify and authenticate anIMS Server.

Client AccessAgent. AccessAgent installed andrunning on the client machine.

Client workstation, client machine, client computers.Computers where AccessAgent installed.

Clinical Context Object Workgroup (CCOW). Avendor independent standard, for the interchange ofinformation between clinical applications in thehealthcare industry.

Clustering. In WebSphere Application Server,clustering is the ability to group application servers.

Clusters. A group of application servers thatcollaborate for the purposes of workload balancing andfailover.

Command line interface. A computer interface inwhich the input command is a string of text characters.

Credentials. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

Cryptographic application programming interface(CAPI). An application programming interface thatprovides services to enable developers to secureapplications using cryptography. It is a set ofdynamically-linked libraries that provides anabstraction layer which isolates programmers from thecode used to encrypt the data.

Cryptographic Service Provider (CSP). A feature ofthe i5/OS® operating system that provides APIs. TheCCA Cryptographic Service Provider enables a user torun functions on the 4758 Coprocessor.

Data source. The means by which an applicationaccesses data from a database.

Database (DB) server. A software program that uses adatabase manager to provide database services tosoftware programs or computers.

DB2®. A family of IBM licensed programs forrelational database management.

Deployment manager profiles. A WebSphereApplication Server runtime environment that managesoperations for a logical group, or cell, of other servers.

Deployment manager. A server that manages andconfigures operations for a logical group or cell ofother servers.


Deprovision. To remove a service or component. Forexample, to deprovision an account means to delete anaccount from a resource.

Desktop application. Application that runs in adesktop.

Desktop Manager. Manages concurrent user desktopson a single workstation

Direct auth-info. In profiling, direct auth-info is adirect reference to an existing authentication service.

Directory service. A directory of names, profileinformation, and computer addresses of every user andresource on the network. It manages user accounts andnetwork permissions. When a user name is sent, itreturns the attributes of that individual, which mightinclude a telephone number, or an email address.Directory services use highly specialized databases thatare typically hierarchical in design and provide fastlookups.

Directory. A file that contains the names andcontrolling information for objects or other directories.

Disaster recovery site. A secondary location for theproduction environment in case of a disaster.

Disaster recovery. The process of restoring a database,system, policies after a partial or complete site failurethat was caused by a catastrophic event such as anearthquake or fire. Typically, disaster recovery requiresa full backup at another location.

Distinguished name. The name that uniquelyidentifies an entry in a directory. A distinguished nameis made up of attribute:value pairs, separated bycommas. For example, CN=person name andC=country or region.

Distributed IMS Server. The IMS Servers aredeployed in multiple geographical locations.

Domain name server (DNS). A server program thatsupplies name-to-address conversion by mappingdomain names to IP addresses.

Dynamic link library (DLL). A file containingexecutable code and data bound to a program at loadtime or run time, rather than during linking. The codeand data in a DLL can be shared by severalapplications simultaneously.

Enterprise directory. A directory of user accounts thatdefine IBM Security Access Manager for EnterpriseSingle Sign-On users. It validates user credentialsduring sign-up and logon, if the password issynchronized with the enterprise directory password.An example of an enterprise directory is ActiveDirectory.

Enterprise Single Sign-On (ESSO). A mechanism thatallows users to log on to all applications deployed inthe enterprise by entering a user ID and othercredentials, such as a password.

Enterprise user name. The user name of a useraccount in the enterprise directory.

ESSO audit logs. A log file that contains a record ofsystem events and responses. ESSO audit logs arestored in the IMS Database.

ESSO Credential Provider. Previously known as theEncentuate Credential Provider (EnCredentialProvider),this is the IBM Security Access Manager for EnterpriseSingle Sign-On GINA for Windows Vista and Windows7.

ESSO credentials. The ISAM ESSO user name andpassword.

ESSO GINA. Previously known as the EncentuateGINA (EnGINA). IBM Security Access Manager forEnterprise Single Sign-On GINA provides a userinterface that is integrated with authentication factorsand provide password resets and second factor bypassoptions.

ESSO Network Provider. Previously known as theEncentuate Network Provider (EnNetworkProvider).An AccessAgent module that captures the ActiveDirectory server credentials and uses these credentialsto automatically log on the users to their Wallet.

ESSO password. The password that secures access tothe user Wallet.

Event code. A code that represents a specific eventthat is tracked and logged into the audit log tables.

Failover. An automatic operation that switches to aredundant or standby system in the event of asoftware, hardware, or network interruption.

Fast user switching. A feature that allows users toswitch between user accounts on a single workstationwithout quitting and logging out of applications.

Federal Information Processing Standard (FIPS). Astandard produced by the National Institute ofStandards and Technology when national andinternational standards are nonexistent or inadequate tosatisfy the U.S. government requirements.

Fix pack. A cumulative collection of fixes that is madeavailable between scheduled refresh packs,manufacturing refreshes, or releases. It is intended toallow customers to move to a specific maintenancelevel.

Fully qualified domain name (FQDN). In Internetcommunications, the name of a host system that

Glossary 33

includes all of the subnames of the domain name. Anexample of a fully qualified domain name isrchland.vnet.ibm.com.

Graphical Identification and Authentication (GINA).A dynamic link library that provides a user interfacethat is tightly integrated with authentication factors andprovides password resets and second factor bypassoptions.

Group Policy Object (GPO). A collection of grouppolicy settings. Group policy objects are the documentscreated by the group policy snap-in. Group policyobjects are stored at the domain level, and they affectusers and computers contained in sites, domains, andorganizational units.

High availability (HA). The ability of IT services towithstand all outages and continue providingprocessing capability according to some predefinedservice level. Covered outages include both plannedevents, such as maintenance and backups, andunplanned events, such as software failures, hardwarefailures, power failures, and disasters.

Host name. In Internet communication, the namegiven to a computer. The host name might be a fullyqualified domain name such asmycomputer.city.company.com, or it might be a specificsubname such as mycomputer.

Hot key. A key sequence used to shift operationsbetween different applications or between differentfunctions of an application.

Hybrid smart card. An ISO-7816 compliant smart cardwhich contains a public key cryptography chip and anRFID chip. The cryptographic chip is accessible throughcontact interface. The RFID chip is accessible throughcontactless (RF) interface.

IBM HTTP server. A web server. IBM offers a webserver, called the IBM HTTP Server, that acceptsrequests from clients and forward to the applicationserver.

IMS Bridge. A module embedded in third-partyapplications and systems to call to IMS APIs forprovisioning and other purposes.

IMS Configuration Utility. A utility of the IMS Serverthat allows Administrators to manage lower-levelconfiguration settings for the IMS Server.

IMS Configuration wizard. Administrators use thewizard to configure the IMS Server during installation.

IMS Connector. A module that connects IMS toexternal systems to dispatch a mobile active code to amessaging gateway.

IMS data source. A WebSphere Application Serverconfiguration object that defines the location andparameters for accessing the IMS database.

IMS Database. The relational database where the IMSServer stores all ESSO system, machine, and user dataand audit logs.

IMS Root CA. The root certificate authority that signscertificates for securing traffic between AccessAgentand IMS Server.

IMS Server. An integrated management system forISAM ESSO that provides a central point of secureaccess administration for an enterprise. It enablescentralized management of user identities,AccessProfiles, authentication policies, provides lossmanagement, certificate management, and auditmanagement for the enterprise.

Indirect auth-info. In profiling, indirect auth-info is anindirect reference to an existing authentication service.

Interactive graphical mode. A series of panels thatprompts for information to complete the installation.

IP address. A unique address for a device or logicalunit on a network that uses the Internet Protocolstandard.

Java Management Extensions (JMX). A means ofdoing management of and through Java technology.JMX is a universal, open extension of the Javaprogramming language for management that can bedeployed across all industries, wherever management isneeded.

Java runtime environment (JRE). A subset of a Javadeveloper kit that contains the core executableprograms and files that constitute the standard Javaplatform. The JRE includes the Java virtual machine(JVM), core classes, and supporting files.

Java virtual machine (JVM). A softwareimplementation of a processor that runs compiled Javacode (applets and applications).

Keystore. In security, a file or a hardwarecryptographic card where identities and private keysare stored, for authentication and encryption purposes.Some keystores also contain trusted, or public, keys.

Lightweight Directory Access Protocol (LDAP). Anopen protocol that uses TCP/IP to provide access todirectories that support an X.500 model. An LDAP canbe used to locate people, organizations, and otherresources in an Internet or intranet directory.

Lightweight mode. A Server AccessAgent mode.Running in lightweight mode reduces the memoryfootprint of AccessAgent on a Citrix/Terminal Serverand improves the single sign-on startup duration.


Load balancing. The monitoring of application serversand management of the workload on servers. If oneserver exceeds its workload, requests are forwarded toanother server with more capacity.

Lookup user. A user who is authenticated in theEnterprise Directory and searches for other users. IBMSecurity Access Manager for Enterprise Single Sign-Onuses the lookup user to retrieve user attributes from theActive Directory or LDAP enterprise repository.

Main AccessProfile. The AccessProfile that containsone or more AccessProfile widgets

Managed node. A node that is federated to adeployment manager and contains a node agent andcan contain managed servers.

Microsoft Cryptographic application programminginterface (CAPI). An interface specification fromMicrosoft for modules that provide cryptographicfunctionality and that allow access to smart cards.

Mobile ActiveCode (MAC). A one-time password thatis used by users for two-factor authentication in WebWorkplace, AccessAssistant, and other applications.This OTP is randomly generated and dispatched touser through SMS or email.

Mobile authentication. An authentication factorwhich allows mobile users to sign-on securely tocorporate resources from anywhere on the network.

Network deployment. Also known as a clustereddeployment. A type of deployment where the IMSServer is deployed on a WebSphere Application Servercluster.

Node agent. An administrative agent that manages allapplication servers on a node and represents the nodein the management cell.

Nodes. A logical group of managed servers.

One-Time Password (OTP). A one-use passwordgenerated for an authentication event, sometimescommunicated between the client and the serverthrough a secure channel.

OTP token. A small, highly portable hardware devicethat the owner carries to authorize access to digitalsystems and physical assets.

Password aging. A security feature by which thesuperuser can specify how often users must changetheir passwords.

Password complexity policy. A policy that specifiesthe minimum and maximum length of the password,the minimum number of numeric and alphabeticcharacters, and whether to allow mixed uppercase andlowercase characters.

Personal applications. Windows and web-basedapplications where AccessAgent can store and entercredentials.

Some examples of personal applications are web-basedmail sites such as Company Mail, Internet bankingsites, online shopping sites, chat, or instant messagingprograms.

Personal desktop. The desktop is not shared with anyother users.

Personal Identification Number (PIN). InCryptographic Support, a unique number assigned byan organization to an individual and used as proof ofidentity. PINs are commonly assigned by financialinstitutions to their customers.

Pinnable state. A state from the AccessProfile widgetthat is declared as 'Can be pinned in anotherAccessProfile'.

Pinned state. A pinnable state that is attached to astate in the main AccessProfile.

Policy template. A predefined policy form that helpsusers define a policy by providing the fixed policyelements that cannot be changed and the variablepolicy elements that can be changed.

Portal. A single, secure point of access to diverseinformation, applications, and people that can becustomized and personalized.

Presence detector. A device that, when fixed to acomputer, detects when a person moves away from it.This device eliminates manually locking the computerupon leaving it for a short time.

Primary authentication factor. The IBM SecurityAccess Manager for Enterprise Single Sign-Onpassword or directory server credentials.

Private desktop. Under this desktop scheme, usershave their own Windows desktops in a workstation.When a previous user return to the workstation andunlocks it, AccessAgent switches to the desktop sessionof the previous user and resumes the last task.

Private key. In computer security, the secret half of acryptographic key pair that is used with a public keyalgorithm. The private key is known only to its owner.Private keys are typically used to digitally sign dataand to decrypt data that has been encrypted with thecorresponding public key.

Provisioning API. An interface that allows IBMSecurity Access Manager for Enterprise Single Sign-Onto integrate with user provisioning systems.

Provisioning bridge. An automatic IMS Servercredential distribution process with third partyprovisioning systems that uses API libraries with aSOAP connection.

Glossary 35

Provisioning system. A system that provides identitylifecycle management for application users inenterprises and manages their credentials.

Provision. To provide, deploy, and track a service,component, application, or resource.

Public Key Cryptography Standards. A set ofindustry-standard protocols used for secure informationexchange on the Internet. Domino® CertificateAuthority and Server Certificate Administrationapplications can accept certificates in PKCS format.

Published application. Application installed on CitrixXenApp server that can be accessed from Citrix ICAClients.

Published desktop. A Citrix XenApp feature whereusers have remote access to a full Windows desktopfrom any device, anywhere, at any time.

Radio Frequency Identification (RFID). An automaticidentification and data capture technology thatidentifies unique items and transmits data using radiowaves.

Random password. An arbitrarily generated passwordused to increase authentication security between clientsand servers.

Registry hive. In Windows systems, the structure ofthe data stored in the registry.

Registry. A repository that contains access andconfiguration information for users, systems, andsoftware.

Remote Authentication Dial-In User Service(RADIUS). An authentication and accounting systemthat uses access servers to provide centralizedmanagement of access to large networks.

Remote Desktop Protocol (RDP). A protocol thatfacilitates remote display and input over networkconnections for Windows-based server applications.RDP supports different network topologies andmultiple connections.

Replication. The process of maintaining a defined setof data in more than one location. Replication involvescopying designated changes for one location (a source)to another (a target) and synchronizing the data in bothlocations.

Revoke. To remove a privilege or an authority froman authorization identifier.

Root certificate authority (CA). The certificateauthority at the top of the hierarchy of authorities bywhich the identity of a certificate holder can beverified.

Scope. A reference to the applicability of a policy, atthe system, user, or machine level.

Secret question. A question whose answer is knownonly to the user. A secret question is used as a securityfeature to verify the identity of a user.

Secure Remote Access. The solution that providesweb browser-based single sign-on to all applicationsfrom outside the firewall.

Secure Sockets Layer (SSL). A security protocol thatprovides communication privacy. With SSL,client/server applications can communicate in a waythat is designed to prevent eavesdropping, tampering,and message forgery.

Secure Sockets Layer virtual private network (SSLVPN). A form of VPN that can be used with astandard web browser.

Security Token Service (STS). A web service used forissuing and exchanging of security tokens.

Security trust service chain. A group of moduleinstances that are configured for use together. Eachmodule instance in the chain is called in turn toperform a specific function as part of the overallprocessing of a request.

Self-service features. Features in IBM Security AccessManager for Enterprise Single Sign-On which users canuse to perform basic tasks such as resetting passwordsand secrets with minimal assistance from Help desk oryour Administrator.

Serial ID Service Provider Interface (SPI). Aprogrammatic interface intended for integratingAccessAgent with third-party Serial ID devices used fortwo-factor authentication.

Serial number. A unique number embedded in theIBM Security Access Manager for Enterprise SingleSign-On Keys, which is unique to each Key and cannotbe changed.

Server AccessAgent. AccessAgent deployed on aMicrosoft Windows Terminal Server or a Citrix server.

Server locator. A locator that groups a related set ofweb applications that require authentication by thesame authentication service. In AccessStudio, serverlocators identify the authentication service with whichan application screen is associated.

Service Provider Interface (SPI). An interface throughwhich vendors can integrate any device with serialnumbers with IBM Security Access Manager forEnterprise Single Sign-On and use it as a second factorin AccessAgent.

Session management. Management of user session onprivate desktops and shared desktops.

Shared desktop. A desktop configuration wheremultiple users share a generic Windows desktop.


Shared workstation. A workstation shared amongusers.

Sign up. To request a resource.

sign-on automation. A technology that works withapplication user interfaces to automate the sign-onprocess for users.

sign-on information. Information required to provideaccess to users to any secure application. Thisinformation can include user names, passwords,domain information, and certificates.

Signature. In profiling, unique identificationinformation for any application, window, or field.

Silent mode. A method for installing or uninstalling aproduct component from the command line with noGUI display. When using silent mode, you specify thedata required by the installation or uninstallationprogram directly on the command line or in a file(called an option file or response file).

Simple Mail Transfer Protocol (SMTP). An Internetapplication protocol for transferring mail among usersof the Internet.

Simple Object Access Protocol (SOAP). Alightweight, XML-based protocol for exchanginginformation in a decentralized, distributedenvironment. SOAP can be used to query and returninformation and invoke services across the Internet.

Single sign-on. An authentication process in which auser can access more than one system or application byentering a single user ID and password.

Smart card middleware. Software that acts as aninterface between smart card applications and thesmart card hardware. Typically the software consists oflibraries that implement PKCS#11 and CAPI interfacesto smart cards.

Smart card. An intelligent token that is embeddedwith an integrated circuit chip that provides memorycapacity and computational capabilities.

Stand-alone deployment. A deployment where theIMS Server is deployed on an independent WebSphereApplication Server profile.

Stand-alone server. A fully operational server that ismanaged independently of all other servers, and it usesits own administrative console.

Strong authentication. A solution that usesmulti-factor authentication devices to preventunauthorized access to confidential corporateinformation and IT networks, both inside and outsidethe corporate perimeter.

Strong digital identity. An online persona that isdifficult to impersonate, possibly secured by privatekeys on a smart card.

System modal message. A system dialog box that istypically used to display important messages. When asystem modal message is displayed, nothing else canbe selected on the screen until the message is closed.

Terminal emulator. A program that allows a devicesuch as a microcomputer or personal computer to enterand receive data from a computer system as if it were aparticular type of attached terminal

Thin client. A client machine that has little or noinstalled software. It has access to applications anddesktop sessions that is running on network serversthat are connected to it. A thin client machine is analternative to a full-function client such as aworkstation.

Tivoli Common Reporting tool. A reportingcomponent that you can use to create, customize, andmanage reports.

Tivoli Identity Manager adapter. An intermediarysoftware component that allows IBM Security AccessManager for Enterprise Single Sign-On to communicatewith Tivoli Identity Manager.

Transparent screen lock. A feature that, whenenabled, permits users to lock their desktop screens butstill see the contents of their desktop.

Trigger. In profiling, an event that causes transitionsbetween states in a states engine, such as, the loadingof a web page or the appearance of window on thedesktop.

Trust service chain. A chain of modules operating indifferent modes. For example: validate, map and issue.

Truststore. In security, a storage object, either a file ora hardware cryptographic card, where public keys arestored in the form of trusted certificates, forauthentication purposes in web transactions. In someapplications, these trusted certificates are moved intothe application keystore to be stored with the privatekeys.

TTY (terminal type). A generic device driver for a textdisplay. A tty typically performs input and output on acharacter-by-character basis.

Two-factor authentication. The use of two factors toauthenticate a user. For example, the use of passwordand an RFID card to log on to AccessAgent.

Uniform resource identifier. A compact string ofcharacters for identifying an abstract or physicalresource.

Glossary 37

User credential. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

User deprovisioning. Removing the user account fromIBM Security Access Manager for Enterprise SingleSign-On.

User provisioning. The process of signing up a userto use IBM Security Access Manager for EnterpriseSingle Sign-On.

Virtual appliance. A virtual machine image with aspecific application purpose that is deployed tovirtualization platforms.

Virtual channel connector. A connector that is used ina terminal services environment. The virtual channelconnector establishes a virtual communication channelto manage the remote sessions between the ClientAccessAgent component and the Server AccessAgent.

Virtual Member Manager (VMM). A WebSphereApplication Server component that providesapplications with a secure facility to access basicorganizational entity data such as people, logonaccounts, and security roles.

Virtual Private Network (VPN). An extension of acompany intranet over the existing framework of eithera public or private network. A VPN ensures that thedata that is sent between the two endpoints of itsconnection remains secure.

Visual Basic (VB). An event-driven programminglanguage and integrated development environment(IDE) from Microsoft.

Wallet caching. When performing single sign-on foran application, AccessAgent retrieves the logoncredentials from the user credential Wallet. The usercredential Wallet is downloaded on the user machineand stored securely on the IMS Server. So users canaccess their Wallet even when they log on to IBMSecurity Access Manager for Enterprise Single Sign-Onfrom a different machine later.

Wallet manager. The IBM Security Access Manager forEnterprise Single Sign-On GUI component that userscan use to manage application credentials in thepersonal identity Wallet.

Wallet Password. A password that secures access tothe Wallet.

Wallet. A secured data store of access credentials of auser and related information, which includes user IDs,passwords, certificates, encryption keys.

Web server. A software program that is capable ofservicing Hypertext Transfer Protocol (HTTP) requests.

Web service. A self-contained, self-describing modularapplication that can be published, discovered, andinvoked over a network using standard networkprotocols. Typically, XML is used to tag the data, SOAPis used to transfer the data, WSDL is used fordescribing the services available, and UDDI is used forlisting what services are available.

Web Workplace. A web-based interface that users canlog on to enterprise web applications by clicking linkswithout entering the passwords for individualapplications. This interface can be integrated with theexisting portal or SSL VPN of the customer.

WebSphere Administrative console. A graphicaladministrative Java application client that makesmethod calls to resource beans in the administrativeserver to access or modify a resource within thedomain.

WebSphere Application Server profile. TheWebSphere Application Server administrator user nameand profile. Defines the runtime environment.

WebSphere Application Server. Software that runs ona web server and that can deploy, integrate, execute,and manage e-business applications.

Windows logon screen, Windows logon UI mode.The screen where users enter their user name andpassword to log on to the Windows desktop.

Windows native fast user switching. A Windows XPfeature which allows users to quickly switch betweenuser accounts.

Windows Terminal Services. A Microsoft Windowscomponent that users use to access applications anddata on a remote computer over a network.

WS-Trust. A web services security specification thatdefines a framework for trust models to establish trustbetween web services.


Index

AAccessAgent Terminal Services SDK 25accessibility viii

Bbooks

See publications

CClient AccessAgent

integration 12conventions

typeface ixcross-compiler 4

Ddirectory names, notation x

Eeducation

See Tivoli technical trainingEncVcClient library

loading 7environment setup

32-bit 4environment variables, notation x

Mmanuals

See publications

Nnotation

environment variables xpath names xtypeface x

Oonline publications

accessing viiordering publications viii

Ppath names, notation xpublications v

accessing online viiordering viii

TTerminal services

API 17SDK 17

Terminal ServicesSDK 3

Tivoli Information Center viiTivoli technical training viiiTivoli user groups viiitraining, Tivoli technical viiitypeface conventions ix

Uuser groups, Tivoli viii

Vvariables, notation for xVirtual Channel

setting up 11virtual channel connector

developing 3DLL 6integration 11linking 6overview 1prerequisites 3troubleshooting and support 15verifying 13


��

Printed in USA

SC14-7657-00

LightweightAccessAgent mode on Terminal Server SDK · IBM® SecurityAccess Manager for Enterprise...

Documents

Transcript of LightweightAccessAgent mode on Terminal Server SDK · IBM® SecurityAccess Manager for Enterprise...