SAM Admin Guide 8.0 Rev A
SafeNet Authentication Manager (SAM) Version 8.0 Revision A
Administrator's Guide
Copyright 2010 SafeNet, Inc. All rights reserved.
All attempts have been made to make the information in this document complete and accurate.
SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.
SafeNet and SafeNet Authentication Manager are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.
SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.
Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.
Date of publication: September 2010
Last update: Tuesday, September 21, 2010 3:24 pm
Support
We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact us directly at:
Telephone
You can call our helpdesk 24 hours a day, seven days a week:
USA: 1-800-545-6608
International: +1-410-931-7520
Email
You can send a question to the technical support team at the following email address: [email protected]
Website
You can submit a question through the SafeNet Support portal: http://c3.safenet-inc.com/secure.asp
Additional Documentation
The following SafeNet publications are available:
SafeNet Authentication Manager 8.0 User's Guide
SafeNet Authentication Manager 8.0 ReadMe
Table of Contents

Part I Overview of SafeNet Authentication Manager
1. Introduction ..... 3
  Overview of SafeNet Authentication Manager ..... 4
    SafeNet Authentication Manager 8.0 Core Benefits ..... 4
  New and Enhanced Features in SafeNet Authentication Manager 8.0 ..... 5
    Cloud support and integration with SaaS providers, Google Apps and Salesforce.com ..... 5
    Enhanced MobilePASS Software Authentication Solution ..... 6
    Integration with SafeNet HSMs for secure key storage ..... 6
    Token History Management ..... 6
    Token Policy Object (TPO) Export and Import ..... 7
    Additional Platform ..... 7
  Supported Authenticators ..... 7
2. System Requirements ..... 9
  SAM Server System Requirements ..... 10
  SAM Management Tools System Requirements ..... 13
  SAM Client System Requirements ..... 14
  SAM External Web Portals ..... 15

Part II Installation and Configuration
3. User Store Deployment ..... 19
  Supported User Stores ..... 20
  Remote Active Directory ..... 21
  Configuring a Microsoft SQL Server User Store ..... 21
    Preparing Microsoft SQL Server Views ..... 22
    Indexed Fields ..... 25
    Preparing an MS SQL Server Authentication Dll ..... 25
  Configuring an LDAP User Store ..... 29
    Preparing LDAP Authentication Dll ..... 29
    Supported Authentication Types ..... 30
4. Installation and Configuration Checklist ..... 37
  Step 1: Perform Pre-Installation Tasks ..... 38
  Step 2: Install SafeNet Authentication Manager ..... 38
    SafeNet Authentication Client Configuration ..... 38
    OTP Configuration ..... 39
  Step 3: Configure SafeNet Authentication Manager ..... 40
5. Installation ..... 43
  Installation Components ..... 44
    Silently Installed Component ..... 45
  Installation Steps in an AD Environment ..... 46
    Installing in a Single Domain Environment ..... 46
    Installing in a Multi Domain Environment ..... 47
    Installing SAM in a Multi Forest Environment ..... 47
    Installing and Running Schema Modification Scripts ..... 48
  Installing the SafeNet Authentication Manager Server ..... 52
  Installing the SAM Management Tools ..... 57
  Installing SAM Client Using the Installation Wizard ..... 60
  Installing SAM Client Using the Command Line ..... 63
  Un-installation ..... 64
    Removing SAM Server from the Computer ..... 64
    Removing SAM from the Domain ..... 65
  Propagating the SAM Server Name ..... 66
  Duplicating a SAM Server ..... 70
    Licensing a Duplicate Server ..... 71
6. Upgrade and Migration ..... 73
  Upgrading to SAM 8.0 Server ..... 74
  Upgrading to SAM 8.0 Client ..... 75
  Upgrading to SAM 8.0 Management Tools ..... 75
  Migrating from TMS 2.0 in an OpenLDAP Environment ..... 76
  Migrating from TMS 2.0 with a Shadow Domain ..... 76
  Migrating from SafeWord to SafeNet Authentication Manager 8.0 ..... 77
    Exporting Data from the SafeWord Database ..... 77
    Importing SafeWord Data into SAM ..... 80
7. Basic Configuration ..... 85
  Configuring for Active Directory ..... 86
  Configuring for Standalone User Store ..... 94
  Configuring for OpenLDAP, Novell eDirectory or Remote AD ..... 102
  Configuring for MS SQL Server ..... 115
8. Token Policy Object Links ..... 121
  Accessing Token Policy Object Links ..... 122
    Accessing TPO Links in an AD Environment ..... 122
    Accessing TPO Links in a Non-AD Environment ..... 125
    Accessing TPO Links in a Standalone User Store Environment ..... 127
  Creating a New TPO Link ..... 130
  Adding a TPO Link ..... 132
  Deleting a TPO Link ..... 133
  Specifying the Scope of a TPO Link ..... 133
    TPO Inheritance Behavior ..... 134
    Setting No Override and Disabled Options ..... 136
    Blocking Policy Inheritance ..... 137
    Applying TPO Links to Limited Users and Groups ..... 138
  Importing and Exporting Token Policy Objects ..... 140
    Exporting Token Policy Objects ..... 140
    Importing Token Policy Objects ..... 142
9. Token Policy Object Settings ..... 145
  Using the Token Policy Object Editor to Edit TPOs ..... 146
  General Settings ..... 150
    Mail Configuration ..... 150
    SMS Provider Configuration ..... 151
  Connector Settings ..... 152
  Token Settings ..... 152
    Token Initialization ..... 152
    Token Password ..... 153
    Password Quality ..... 153
    Manual Complexity ..... 155
    Initialization Parameters ..... 157
    Initialization Key ..... 158
    Advanced Settings ..... 161
  Enrollment Settings ..... 162
    General Properties ..... 162
    SafeNet eToken Virtual Enrollment ..... 165
    Enrollment Notification ..... 165
  Recovery Settings ..... 166
  Audit Settings ..... 170
  MobilePASS Settings ..... 170
  Backend Service Settings ..... 171
  Legacy TMS Desktop Agent Settings ..... 173
  Badging Settings ..... 174
    Photo Storage ..... 175
    Printing Parameters ..... 175
10. SAM Configuration Manager ..... 179
  Launching the SAM Configuration Manager ..... 180
  Selecting the SAM Instance ..... 180
  Importing and Exporting the SAM Settings File ..... 181
    Exporting the SAM Settings File ..... 181
    Importing the SAM Settings File ..... 183
  Adding SAM Connectors ..... 183
  Configuring Roles ..... 185
  Scheduling the SAM Backend Service ..... 185
  Configuring the License ..... 187
  Configuring IIS and Web Services ..... 187
    Configuring OTP Web Services ..... 187
    Configuring Features of the SAM Management Center ..... 187
    Configuring Features of the SAM Self Service Center ..... 188
    Configuring Features of the SAM Rescue Service Center ..... 190
    Configuring Features of SAM Web Service API ..... 190
    Configuring Desktop Agent ..... 192
    Configuring Server Synchronization ..... 192
  Selecting the Authentication Plug-In ..... 193
  Defining a Failover Configuration ..... 194
  Exporting and Importing the Signing Certificate ..... 196
    Exporting a Signing Certificate ..... 196
    Importing a Signing Certificate ..... 197
  Changing the SAM Service Account ..... 198
11. Connector Configuration ..... 201
  Connector for Microsoft CA ..... 202
    Supported User Stores ..... 202
    Microsoft DLL Files Required for MSCA ..... 203
    Configuring the Microsoft CA ..... 204
  Connector for OTP Authentication ..... 217
    Supported User Stores ..... 217
    Defining TPO Rules ..... 217
  Connector for Flash Management ..... 221
    Supported User Stores ..... 221
    Defining TPO Rules ..... 222
  Connector for P12 Certificate Import ..... 224
    Supported User Stores ..... 225
    Defining TPO Rules ..... 225
  Connector for SafeNet Network Logon ..... 232
    Supported User Stores ..... 233
    Defining TPO Rules ..... 233
  Connector for eToken Anywhere ..... 237
    CA Requirements ..... 237
    Supported User Stores ..... 238
    Defining TPO Rules ..... 238
  Connector for Check Point Internal CA ..... 243
    Internal CA vs. External CA ..... 243
    Supported User Stores ..... 244
    Configuring the CP Firewall Management ..... 244
    Defining TPO Rules ..... 254
  Connector for Entrust ..... 264
    Entrust Authority Security Manager ..... 264
    SafeNet Authentication Manager - Entrust Integration ..... 265
    Main Features ..... 266
    Architecture ..... 266
    Deployment Recommendations ..... 267
    System Requirements ..... 268
    Prerequisites ..... 269
    Connector for Entrust Configuration ..... 272
    Opening the Connector Policy Object Editor ..... 272
    Defining the CA Policy ..... 274
    Defining the Add User to Security Manager Policy ..... 277
    Defining the Security Manager and SAM on Different Domains Policy ..... 278
    Defining the Domain Username Policy ..... 279
    Defining the Domain User Password Policy ..... 280
    Defining the User Path Policy ..... 281
    Defining the Username Template Policy ..... 282
    Mapping Attributes ..... 283
    Defining the Add User to Security Manager Directory Policy ..... 284
    Defining the User Role Policy ..... 285
    Defining the Certificate Type Policy ..... 286
    Defining the Last Security Manager Update Policy ..... 286
    Defining the SafeNet eToken Rescue Support Policy ..... 287
    Entrust Security Manager Administration Configuration ..... 288
    Using SAM with Entrust ..... 290
    Behavior and Limitations ..... 292
12. Licensing ..... 293
  Licensing Overview ..... 294
  Evaluation License ..... 294
  Upgrading Licenses from Earlier Versions ..... 295
  Viewing Licenses ..... 295
  Applying a License ..... 296
  Multi-Domain Licenses ..... 298
13. Authorization Manager ..... 299
  Authorization Management Overview ..... 300
  Predefined Roles ..... 301
  Defining a New Scope ..... 301
  Defining Roles ..... 303
  Defining Tasks ..... 306
14. User Permissions ..... 309
  Permissions for Basic Administration ..... 310
    SAM Service Account Permissions ..... 310
    User Permissions for Installing SAM ..... 310
  Granting Dial-In Permission to the User Account ..... 311
  Granting Permissions for Microsoft CA Templates ..... 314
  Delegating Password Reset Control ..... 315
15. Audit Messages and Enrollment Notifications ..... 321
  Audit Messages ..... 322
    Configuring Audit Settings for Viewing in Windows Event Viewer ..... 322
    Viewing SAM Events in the Event Viewer ..... 323
    Configuring Audit Settings for Sending Notification Messages ..... 325
  Enrollment Notification ..... 332
    Configuring Enrollment Notification Messages ..... 332
  Configuring Audit, Enrollment and MobilePASS Activation Notification Templates ..... 335
    Notification Letter Keywords ..... 336
  Configuring SMS Notification Template ..... 338
16. OTP Configuration ..... 339
  OTP Web Service Settings ..... 340
    Blank Presses ..... 340
    Blank Presses Resync ..... 340
    Time Sync ..... 341
    Time Resync ..... 341
  OTP Web Service Configuration ..... 342
  Configuring SAM IAS Plug-In ..... 345
  Configuring IAS for a Non-AD User Store ..... 348
17. Backend Service ..... 353
  Overview of Backend Services ..... 354
  Controlling SAM Backend Services ..... 355

Part III Post-Installation Configuration
18. User Management in an ADAM Environment ..... 359
  ADAM Environment User Store Overview ..... 360
  Opening SafeNet Authentication Manager - Policy Manager ..... 360
  Adding a User ..... 362
  Viewing and Editing User Properties ..... 364
  Adding a Group or OU ..... 365
  Viewing and Editing Group Properties ..... 367
19. Desktop Agent ..... 371
  Overview of the Desktop Agent ..... 372
  Adding the Desktop Agent Template to the GPO Editor ..... 372
  Editing the Desktop Agent Settings in the GPO Editor ..... 377
  Desktop Agent Settings ..... 379
  Configuring Automatic Download of SafeNet eToken Rescue ..... 385
  Configuring Attendance Reports ..... 386
    Opening the Desktop Agent Settings Window ..... 386
    Creating an Attendance Reports MS SQL Server Database ..... 387
    Adding a Renamed MDF file to MS SQL Server ..... 389
    Connecting to an Existing MS SQL Server Database through an ODBC Connection ..... 391
    Saving Data for Attendance Reports ..... 396
    Clearing the Token Connection Data History ..... 398
    Displaying an Error Message Following Server Error ..... 399
  Configuring the Legacy Desktop Agent ..... 400
    SAM Desktop Agent Web Services Settings ..... 401
  Troubleshooting ..... 401
20. External Portals ..... 403
  Overview of SAM External Portals ..... 404
  Deliverables ..... 404
  Prerequisites ..... 404
  Installing the SAM External Portals ..... 405
  Configuring SAM Portals ..... 409
    Configuring Roles for SAM Portals ..... 409
    Adding a Portal Connection ..... 410
    Configuring Cloud Logon ..... 412
    Setting the Logon Credentials in Google Apps ..... 416
    Setting the Logon Credentials in Force.com ..... 417
    Configuring the Username Attributes ..... 418
21. Customizing SAM Websites ..... 421
  Customizing Text ..... 422
    Editing the Text in the Resource Files ..... 422
    Implementing Text Changes with the SAM Branding Tool ..... 423
  Customizing Graphic Files ..... 424

Part IV SAM Management
22. SAM Management Center Main Features ..... 429
  Client Requirements ..... 430
  Browser Settings ..... 430
  OTP Tokens ..... 430
    Temp OTP ..... 431
    MobilePASS Tokens ..... 431
  SafeNet eToken Virtual Products ..... 432
    SafeNet eToken Virtual ..... 433
    SafeNet eToken Virtual Temp ..... 433
    SafeNet eToken Rescue ..... 434
    SafeNet eToken Rescue Use Case ..... 434
  eToken Network Logon ..... 435
    eToken Network Logon Device Options ..... 436
    eToken Network Logon Use Case ..... 436
23. Helpdesk ..... 437
  Helpdesk Page Overview ..... 438
  Accessing the Helpdesk Page ..... 439
  Unlocking a User ..... 447
  Enabling a Temp Logon ..... 449
  Enabling User Access to a SafeNet eToken Rescue ..... 452
  Resetting the Default User Password ..... 455
  Revoking a User's Token ..... 455
  Unassigning a User's Token ..... 457
  Unlocking a User's Token ..... 459
  Temporarily Disabling a Token ..... 462
  Enabling a Token ..... 464
  Replacing a User's Token ..... 465
  OTP Options ..... 470
    Extending an OTP ..... 471
    Replacing a Temp OTP with an OTP Token ..... 473
    Replacing an OTP Token with a Temp OTP ..... 474
    Resetting an OTP PIN ..... 477
    Validating an OTP Token ..... 478
    Locking an OTP ..... 480
    Unlocking an OTP ..... 482
Certificate Recovery Workflow Options.................................................................483Requesting a Certificate Recovery Workflow....................................................484Approving a Certificate Recovery Workflow......................................................486Cancelling a Certificate Recovery Workflow .....................................................488Rejecting a Certificate Recovery Workflow.......................................................491Recovering Certificates .....................................................................................493
24. Deployment ............................................................................................497Deployment Page Overview .............................................................................498Accessing the Deployment Page...........................................................................499Assigning a Token..................................................................................................503Enrolling a Smartcard or USB Token.....................................................................505Enrolling an OTP Token.........................................................................................509MobilePASS Token Enrollment.............................................................................. 511
Preparing the MobilePASS Token Notification Procedure ................................512Enrolling a MobilePASS Token..........................................................................512Sending a MobilePASS Token to the User........................................................515Using a MobilePASS Token to Generate an OTP.............................................515
-
xv25. Inventory.................................................................................................517Inventory Page Overview..................................................................................518Accessing the Inventory Page............................................................................... 519Initializing a Token ................................................................................................. 523Adding Tokens to the SAM Inventory.................................................................... 526
Adding a File of Tokens to the SAM Inventory.................................................. 526Adding a Token to the SAM Inventory .............................................................. 528
Removing a Token from the SAM Inventory ......................................................... 53026. Reports ...................................................................................................533
SAM Reports Page Overview ...........................................................................534Accessing the Reports Page................................................................................. 534Generating a Token Inventory Report ................................................................... 536Generating a Token History Report....................................................................... 541Generating a Token Expiration Report.................................................................. 546Generating a Token Audit Report.......................................................................... 550Generating an OTP Usage Report........................................................................ 553Generating a Token Connections Report.............................................................. 555Generating an Hourly Distribution Chart ............................................................... 559
27. Downloads .............................................................................................563SAM Downloads Page Overview ......................................................................564Accessing the SAM Downloads Page................................................................... 564Downloading SAM Web Client .............................................................................. 565Downloading MobilePASS Applications................................................................ 569
Part V AppendixesA. AD Schema Enhancement...................................................................573
Prefixes Registered with Microsoft....................................................................574Naming Conventions ............................................................................................. 574Schema Attributes and Classes Tables ................................................................ 574
Attributes ........................................................................................................... 575Classes.............................................................................................................. 588Schema extensions for TMS 5.0 and Later ...................................................... 590Schema Extensions for SAM 8.0 and Later...................................................... 592
-
xvi
-
Part I Overview of SafeNet Authentication Manager
This section provides an overview of SAM, including the new features in this version.
In this section:
Chapter 1: Introduction (page 3)
Chapter 2: System Requirements (page 9)
-
Chapter 1
Introduction
SafeNet Authentication Manager (SAM) enables management of the complete user authentication lifecycle. SafeNet Authentication Manager links tokens with users, organizational rules, and security applications to allow streamlined handling of users' needs throughout the various stages of their authenticator lifecycle.
In this section:
Overview of SafeNet Authentication Manager
New and Enhanced Features in SafeNet Authentication Manager 8.0
Supported Authenticators

4 SafeNet Authentication Manager Administrators Guide
Overview of SafeNet Authentication Manager
SafeNet Authentication Manager 8.0 (formerly known as eToken TMS) provides your organization with a comprehensive platform to manage all of your authentication requirements, across the enterprise and the cloud, in a single, integrated system. Enabling strong authentication for cloud applications using identity federation technology and offering support for SafeNet's portfolio of OTP and certificate-based authenticators, SafeNet Authentication Manager (SAM) is designed to evolve with your changing needs so you can:
- Maintain strong on-premise authentication for cloud-based SaaS applications such as Google Apps and SalesForce.com
- Seamlessly enhance your authentication infrastructure from OTP-only environments to more flexible ones that support both OTP and certificate-based (PKI) solutions and applications
- Deploy a range of software authentication solutions
SafeNet Authentication Manager's capabilities include central, delegated, and self-service interfaces that allow different levels of service to different communities of users and administrators.
SafeNet Authentication Manager 8.0 Core Benefits
- Extend your current enterprise authentication infrastructure to the cloud seamlessly
- Complete support for your entire authentication solution (OTP, CBA, security applications) in a single system
- Extensible, open platform with self-service and remote support for Linux, Mac and Windows
- Flexibility to evolve your authentication infrastructure to include OTP and CBA solutions as well as advanced security applications
- Reduce the workload of your IT staff with an integrated IT infrastructure, automated processes and intuitive user self-service tools
- Control of your authenticator inventory and usage
- Enhanced user productivity and remote access from wherever they are without compromising security
- Comprehensive auditing and reporting features enable compliance with privacy regulations
New and Enhanced Features in SafeNet Authentication Manager 8.0
The following features have been included in SafeNet Authentication Manager 8.0.
Cloud support and integration with SaaS providers, Google Apps and Salesforce.com
Description: SAM provides a seamless strong authentication experience for enterprise users who want to access SaaS applications such as Google Apps and Salesforce.com (SFDC). This is achieved by federating their enterprise identity to the cloud, in short, enabling a Single Credential experience in which the user logs in to the SAM portal using their access credentials and is then automatically redirected to the specific cloud application.
How it works: User authentication first happens in the enterprise (the user logging in to SAM), and only after users are successfully authenticated are they redirected to the cloud service through the use of identity federation protocols such as Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data. SafeNet Authentication Manager will act as the trusted identity provider, giving authenticated users permission to access the application. The SaaS application will be configured to allow access only to those users authenticated by the SafeNet Authentication Manager. The enterprise maintains control of user access, as every use of the cloud resource is first validated on premise.
Benefits: Enables enterprise users to access SaaS applications securely via two-factor authentication from anywhere. Existing SafeNet TMS/SAM customers can leverage their current on-premise authentication deployment to seamlessly and cost-effectively extend the same strong authentication solution to their cloud applications. There is no additional hardware or software to deploy; users can leverage their current authenticators. Comprehensive management of all authentication operations for both on-premise and cloud can be performed within a single platform.
Enhanced MobilePASS Software Authentication Solution
- Over-the-air deployment can be achieved two ways:
  - Direct download link sent to the user via email; using their mobile device, the user then clicks on the link and is prompted to install the application on their device
  - Software distribution push via BlackBerry Enterprise Server (BES)
- Simple Remote Self-Enrollment and Activation portal for end users
- Broad range of mobile device support: BlackBerry (4.2 and above), iPhone (3.0 and above), J2ME, Android
Integration with SafeNet HSMs for secure key storage
Description: SafeNet Authentication Manager security keys are stored in the HSM; encryption and decryption of SAM data is executed on the HSM.
Benefits: Storing the SAM security keys in the HSM rather than locally in the file system enhances the security and the protection of stored secrets such as OTP seeds and archived private keys from unauthorized copy or leakage; this is an increasing requirement among both financial and government customers.
Supported HSM models: Luna SA 4.4 and PCI 7000
Token History Management
- Stores historical data of tokens that have been unassigned or removed.
- When a user leaves the company, their tokens are initialized and all data removed. However, if the token was used to access encrypted company data, for example, it might be necessary later to retrieve the encryption key. SAM now enables such a process by keeping a history of unassigned tokens, enabling certificate export for historic certificates.
Token Policy Object (TPO) Export and Import
- TPO settings can be exported to, and imported from, a password-protected file
- Enables the duplication of the same TPO settings in multiple SAM installations
- Assists the SafeNet support team when providing assistance to customers
Additional Platform
Windows Server 2008 R2 is now supported.
Supported Authenticators
The following authenticators are supported in SafeNet Authentication Manager 8.0:
- SafeNet eToken PRO
- SafeNet eToken NG-Flash
- SafeNet eToken NG-OTP
- SafeNet eToken SmartCard
- SafeNet eToken Anywhere
- SafeNet eToken Virtual
- SafeNet eToken Virtual Temp
- SafeNet eToken Rescue
- eToken Anywhere
- MobilePASS
- MobilePASS Messaging
- Alpine
- Gold 3000
- Platinum
- Silver
Chapter 2
System Requirements
Before installing SAM, ensure that your system meets the requirements for each of the components. See Installation Components on page 44.
In this chapter:
SAM Server System Requirements
SAM Management Tools System Requirements
SAM Client System Requirements
SAM External Web Portals
Windows Password
SAM Server System Requirements

Component: Operating System
Requirement: One of the following:
- Windows Server 2003 SP2 (32-bit, 64-bit)
- Windows Server 2003 R2 (32-bit and 64-bit)
- Windows Server 2008 SP2 (32-bit, 64-bit)
- Windows Server 2008 R2 (64-bit)

Component: Additional Software
Requirement: Windows Installer 3.0 or later
Comment: The Microsoft Windows Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2-x86.exe is the redistributable package for installing or upgrading Windows Installer. http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en
Requirement: 32-bit: Microsoft .NET Framework Version 2.0 SP1 (x86) redistributable package or later. 64-bit: Microsoft .NET Framework version 2.0 (x64) redistributable package or later.
Comment: The Microsoft .NET Framework version 2.0 redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework 2.0.
32-bit: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
64-bit: http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00&displaylang=en
Requirement: One of the following: Microsoft SQL Server 2005; Microsoft SQL Server 2008
Comment: Required for producing Attendance Reports only
Requirement: Java Runtime Environment 1.5 or later
Comment: Required for MobilePASS tokens only

Component: SAM Configuration Store
Requirement: Active Directory (if Active Directory is to be used as the configuration store).
Comment: See SAM Configuration Store on page 23.
Note: If ADAM is to be used as the configuration store, it does not need to be installed separately, as it is installed during the SAM installation.

Component: SAM User Store
Requirement: One of the following, if an external user store is used:
- Active Directory (Windows 2003, 2003 R2, 2008, or 2008 R2)
- MS SQL Server 2005 or 2008
- OpenLDAP 2.3.38 or later
- Novell eDirectory 8.7.3 or later
Comment: See User Store on page 21.
Note: If the integrated configuration of a Standalone user store is used, ADAM is installed during the SAM installation, and a pre-installed user store is not required.

Component: PKI Client/SafeNet Authentication Client
Requirement: The following versions are supported:
- eToken PKI Client version 4.55
- eToken PKI Client version 5.1 SP1
- SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SafeNet Authentication Manager system.
Note: Not required for OTP-only implementations.
SAM Management Tools System Requirements

Component: Operating System
Requirement: One of the following:
- Windows Server 2003 SP2 (32-bit, 64-bit)
- Windows Server 2003 R2 (32-bit, 64-bit)
- Windows Server 2008 SP2 (32-bit, 64-bit)
- Windows Server 2008 R2 (64-bit)
- Windows XP SP3 (32-bit, 64-bit)
- Windows Vista SP2 (32-bit, 64-bit)
- Windows 7 (32-bit, 64-bit)
Comment: Use Windows Vista and Windows 7 for non-AD environments only.

Component: Additional Software
Requirement: Windows Installer 3.0 or later
Comment: See the Windows Installer comment on page 11.
Requirement: Microsoft .NET Framework Version 2.0 SP1 Redistributable or later
Comment: See the Microsoft .NET Framework comment on page 11.

Component: eToken PKI Client or SafeNet Authentication Client
Requirement: The following versions are supported:
- eToken PKI Client version 4.55
- eToken PKI Client version 5.1 SP1
- SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SAM system.
Note: Not required for OTP-only implementations.

Component: Browser
Requirement: Internet Explorer 6.0, 7.0, or 8.0

Component: Trusted Sites
Requirement: SAM Management Center
Comment: Must be set as a trusted site.
SAM Client System Requirements

Component: Operating System
Requirement: One of the following:
- Windows Server 2003 SP2 (32-bit, 64-bit)
- Windows Server 2003 R2 (32-bit, 64-bit)
- Windows Server 2008 SP2 (32-bit, 64-bit)
- Windows Server 2008 R2 (64-bit)
- Windows XP SP3 (32-bit, 64-bit)
- Windows Vista SP2 (32-bit, 64-bit)
- Windows 7 (32-bit, 64-bit)

Component: eToken PKI Client or SafeNet Authentication Client
Requirement: The following versions are supported:
- eToken PKI Client version 4.55
- eToken PKI Client version 5.1 SP1
- SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
Note: eToken PKI Client 5.1 SP1 or later is required for a Windows 7 environment.
Comment: Required to work with tokens and with connector configurations.
Note: Not required for OTP-only implementations.

Component: Browser
Requirement: Internet Explorer 6.0, 7.0, or 8.0; Firefox 3.6 (OTP operations only); Safari 5 (OTP operations only)

Component: Trusted Sites
Requirement: SAM Self Service Center
Comment: Must be set as a trusted site.
SAM External Web Portals

Component: Browser
Requirement: Internet Explorer 6.0, 7.0, or 8.0; Firefox 3.6; Chrome 5; Safari 5 (Mac)
Part II Installation and Configuration
The following chapters describe how to install and configure SAM.
In this section:
Chapter 4: Installation and Configuration Checklist (page 37)
Chapter 3: User Store Deployment (page 19)
Chapter 5: Installation (page 43)
Chapter 6: Upgrade and Migration (page 73)
Chapter 7: Basic Configuration (page 85)
Chapter 8: Token Policy Object Links (page 121)
Chapter 9: Token Policy Object Settings (page 145)
Chapter 10: SAM Configuration Manager (page 179)
Chapter 11: Connector Configuration (page 201)
Chapter 13: Authorization Manager (page 299)
Chapter 15: Audit Messages and Enrollment Notifications (page 321)
Chapter 12: Licensing (page 293)
Chapter 16: OTP Configuration (page 339)
Chapter 17: Backend Service (page 353)
Chapter 3
User Store Deployment
Typically, Microsoft Active Directory is deployed as part of the Windows operating system, and is available when installing SafeNet Authentication Manager. To use a different user store (MS SQL Server, OpenLDAP, or Novell eDirectory) that is not already installed, you must deploy it before installing SAM. Alternatively, you can install a Standalone user store, which is an integrated configuration store and user store based on ADAM. In this case, ADAM is installed as part of the SAM installation. See User and Configuration Stores on page 21.
In this section:
Supported User Stores
Remote Active Directory
Configuring a Microsoft SQL Server User Store
Configuring an LDAP User Store
Supported User Stores
SafeNet Authentication Manager can work with any of the following user stores:
- Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)
  Note: You cannot work with Active Directory and a different store (MS SQL Server, OpenLDAP, Novell, or Remote AD). However, when working with AD you can use several domains. When working with MS SQL Server, OpenLDAP, Novell, or Remote AD, you can use several of them together, but not with AD.
- ADAM (with Standalone user store, an integrated configuration and user store)
- Remote Active Directory
- Microsoft SQL Server 2005/2008
- OpenLDAP
- Novell eDirectory
Note: For a fully featured SafeNet Authentication Manager solution including SAM Desktop Agent, Microsoft Active Directory must be used. In non-AD environments, SafeNet Authentication Manager supports the following connectors:
- Connector for OTP Authentication
- Connector for eToken Anywhere
- Connector for Check Point Internal CA
- Connector for Microsoft CA, with offline CA
- Connector for Flash Management
- Connector for P12 Certificate Import
Remote Active Directory
A remote Active Directory can be used as a user store when working in a multi-forest environment. This avoids the necessity of installing a SafeNet Authentication Manager server in each forest. A typical use for this would be when deploying OTP in a multi-forest environment. To enable connection to the remote Active Directory, during configuration SafeNet Authentication Manager must be supplied with the user name and password that will enable access to the domain.
Configuring a Microsoft SQL Server User Store
Perform the following tasks before implementing MS SQL Server as a user store:
- Prepare the data views so that SafeNet Authentication Manager can connect to the database.
- Prepare the authentication dll file that will enable users to log on to the SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.
Preparing Microsoft SQL Server Views
The required views must be created in MS SQL Server. This set of views must be prepared as described to enable SafeNet Authentication Manager to connect to the database.

AksTMSUsers
AksTMSUsers represents the user table.
Field | Type | Description | Required
UserID | String | The unique user ID | Yes
AccountName | String | The unique user account name | Yes
PolicyObjectID | String | The direct organization unit | Yes (can be null)
LogonName | String | The unique user logon name | No
AccountEnabled | Boolean | Used by OTP authentication | No
AccountLocked | Boolean | Used by OTP authentication | No
FirstName | String | The user's first name | No
LastName | String | The user's last name | No
Initials | String | The user's initials | No
MiddleName | String | The user's middle name | No
Street | String | The user's address street | No
POBox | String | The user's address PO Box number | No
City | String | The user's address city | No
State | String | The user's address state | No
ZipCode | String | The user's address zip code | No
CountryCode | String | The user's address country code | No
HomePostalAdress | String | The user's home postal address | No
Email | String | The user's email | No
MobilePhone | String | The user's mobile phone | No
HomePhone | String | The user's home phone | No
OrganizationName | String | The user's organization name | No
Company | String | The user's company | No
EmployeeNumber | String | The user's employee number | No
DepartmentNumber | String | The user's department number | No
Office | String | The user's office | No
DisplayName | String | The user's full display name | No

AksTMSGroups
AksTMSGroups represents the group table.
Field | Type | Description | Required
GroupID | String | The unique group ID | Yes (value required)
GroupName | String | The unique group name | Yes (value required)
DisplayName | String | The group's full display name | No

AksTMSUserOfGroup
AksTMSUserOfGroup represents membership of users in the groups.
Field | Type | Description | Required
GroupID | String | The unique group ID | Yes (value required)
UserID | String | The user that belongs to the group | Yes (value required)

AksTMSGroupOfGroup
AksTMSGroupOfGroup represents the group hierarchy.
Field | Type | Description | Required
GroupID | String | The unique group ID | Yes (value required)
MemberGroupID | String | The subgroup that belongs to the group | Yes (value required)

AksTMSPolicyObjects
AksTMSPolicyObjects represents the hierarchy of the organization (equivalent to OU).
Field | Type | Description | Required
PolicyID | String | The unique policy object ID | Yes (value required)
PolicyName | String | The unique policy object name | Yes (value required)
Root | Boolean | Policy object is root | Yes (value required)
ParentPolicyID | String | The ID of the parent policy object | Yes (value not required)
DisplayName | String | The policy's full display name | No

Indexed Fields
To ensure optimum performance, all required fields in the SQL database should be indexed:
- AksTMSUsers: UserID, AccountName, PolicyObjectID
- AksTMSGroups: GroupID, GroupName
- AksTMSUserOfGroup: GroupID, UserID
- AksTMSPolicyObjects: PolicyID, PolicyName, Root, ParentPolicyID

Preparing an MS SQL Server Authentication dll
This section describes how to configure MS SQL Server authentication in SAM.
SQL Authentication Overview
When SafeNet Authentication Manager is configured to work with a user store based on an SQL database, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a user store based on an SQL database, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.
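Returning to the view preparation and Indexed Fields sections above, here is an added example (not code from the guide or from the SAM product) that builds the five AksTMS* views over a hypothetical HR schema and indexes the required fields, using SQLite so it runs offline. The HR table and column names (hr_employee, hr_team, hr_org and so on) are assumptions; the view and field names are the ones the guide specifies.

```python
"""Added example, not from the SAM guide or product: build the AksTMS* views
SAM expects over a hypothetical HR schema, using SQLite so it runs offline.
The HR table/column names are assumptions; view and field names are from the guide."""
import sqlite3

# Constructed source schema; columns behind SAM's "Required" fields are NOT NULL or keys.
HR_SCHEMA = """
CREATE TABLE hr_org (org_id TEXT PRIMARY KEY, org_name TEXT NOT NULL, parent_org_id TEXT, label TEXT);
CREATE TABLE hr_employee (emp_id TEXT PRIMARY KEY, login TEXT NOT NULL, org_id TEXT,
    first_name TEXT, last_name TEXT, mail TEXT, active INTEGER NOT NULL DEFAULT 1,
    locked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE hr_team (team_id TEXT PRIMARY KEY, team_name TEXT NOT NULL, label TEXT);
CREATE TABLE hr_team_member (team_id TEXT NOT NULL, emp_id TEXT NOT NULL);
CREATE TABLE hr_team_subteam (team_id TEXT NOT NULL, sub_team_id TEXT NOT NULL);
"""
# The five views, named and shaped as the guide requires.
AKS_VIEWS = """
CREATE VIEW AksTMSUsers AS SELECT emp_id AS UserID, login AS AccountName,
    org_id AS PolicyObjectID, login AS LogonName, active AS AccountEnabled,
    locked AS AccountLocked, first_name AS FirstName, last_name AS LastName,
    mail AS Email, first_name || ' ' || last_name AS DisplayName FROM hr_employee;
CREATE VIEW AksTMSGroups AS SELECT team_id AS GroupID, team_name AS GroupName,
    label AS DisplayName FROM hr_team;
CREATE VIEW AksTMSUserOfGroup AS SELECT team_id AS GroupID, emp_id AS UserID FROM hr_team_member;
CREATE VIEW AksTMSGroupOfGroup AS SELECT team_id AS GroupID, sub_team_id AS MemberGroupID
    FROM hr_team_subteam;
CREATE VIEW AksTMSPolicyObjects AS SELECT org_id AS PolicyID, org_name AS PolicyName,
    CASE WHEN parent_org_id IS NULL THEN 1 ELSE 0 END AS Root,
    parent_org_id AS ParentPolicyID, label AS DisplayName FROM hr_org;
"""
# The guide wants the required fields indexed. A plain view carries no index, so the
# indexes go on the base columns behind them (primary keys are already indexed).
AKS_INDEXES = """
CREATE INDEX ix_users_account ON hr_employee(login);
CREATE INDEX ix_users_policy ON hr_employee(org_id);
CREATE INDEX ix_groups_name ON hr_team(team_name);
CREATE INDEX ix_uog_group ON hr_team_member(team_id);
CREATE INDEX ix_uog_user ON hr_team_member(emp_id);
CREATE INDEX ix_po_name ON hr_org(org_name);
CREATE INDEX ix_po_parent ON hr_org(parent_org_id);
"""
# Constructed sample rows.
SAMPLE_DATA = """
INSERT INTO hr_org VALUES ('o-root', 'ACME', NULL, 'ACME Corp');
INSERT INTO hr_org VALUES ('o-eu', 'Europe', 'o-root', 'ACME Europe');
INSERT INTO hr_employee (emp_id, login, org_id, first_name, last_name, mail)
    VALUES ('u-1', 'asmith', 'o-eu', 'Ann', 'Smith', 'ann@example.invalid');
INSERT INTO hr_team VALUES ('g-it', 'IT', 'IT staff');
INSERT INTO hr_team VALUES ('g-all', 'All', 'Everyone');
INSERT INTO hr_team_member VALUES ('g-it', 'u-1');
INSERT INTO hr_team_subteam VALUES ('g-all', 'g-it');
"""
# Required fields per view, from the guide's tables and its Indexed Fields list.
REQUIRED_FIELDS = {
    "AksTMSUsers": ["UserID", "AccountName", "PolicyObjectID"],
    "AksTMSGroups": ["GroupID", "GroupName"],
    "AksTMSUserOfGroup": ["GroupID", "UserID"],
    "AksTMSGroupOfGroup": ["GroupID", "MemberGroupID"],
    "AksTMSPolicyObjects": ["PolicyID", "PolicyName", "Root", "ParentPolicyID"],
}


def build_store(conn):
    """Create the schema, views, indexes and constructed sample rows."""
    conn.executescript(HR_SCHEMA + AKS_VIEWS + AKS_INDEXES + SAMPLE_DATA)


def missing_required_columns(conn):
    """Return {view: [missing fields]}; empty means every required field is exposed."""
    missing = {}
    for view, fields in REQUIRED_FIELDS.items():
        present = {row[1] for row in conn.execute(f"PRAGMA table_info({view})")}
        gap = [f for f in fields if f not in present]
        if gap:
            missing[view] = gap
    return missing


def users_in_group(conn, group_name):
    """Resolve group members through the views, following nested groups."""
    sql = """
    WITH RECURSIVE tree(GroupID) AS (
        SELECT GroupID FROM AksTMSGroups WHERE GroupName = ?
        UNION
        SELECT g.MemberGroupID FROM AksTMSGroupOfGroup g JOIN tree t ON g.GroupID = t.GroupID)
    SELECT DISTINCT u.AccountName FROM tree t
        JOIN AksTMSUserOfGroup m ON m.GroupID = t.GroupID
        JOIN AksTMSUsers u ON u.UserID = m.UserID
    ORDER BY u.AccountName"""
    return [r[0] for r in conn.execute(sql, (group_name,))]


def demo():
    """Build the store in memory and return the checks a deployer would run."""
    conn = sqlite3.connect(":memory:")
    build_store(conn)
    roots = [r[0] for r in conn.execute(
        "SELECT PolicyName FROM AksTMSPolicyObjects WHERE Root = 1")]
    return {"missing": missing_required_columns(conn), "roots": roots,
            "all": users_in_group(conn, "All"), "it": users_in_group(conn, "IT")}
```

The same view definitions carry over to MS SQL Server with the source table names of your own user database substituted; the required-field check is a quick way to confirm the views expose every column SAM marks as required.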
SQLAuthentication.dll Authentication File
A default SQL authentication dll is provided with SAM: SQLAuthentication.dll. This dll file reads a specific configuration at runtime when the associated application is loaded. SQLAuthentication.dll is typically located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
SQLAuthentication.dll.config Configuration File
The configuration file must be named SQLAuthentication.dll.config, and must be located in the same directory as SQLAuthentication.dll. The SQLAuthentication.dll.config file is an XML file.
Note: After updating the SQLAuthentication.dll.config configuration file, reset the IIS server to update SAM.
Supported Authentication Types
SQLUser is the only authentication type supported. This authentication type takes advantage of the SQL Server built-in authentication service. When a SafeNet Authentication Manager user authentication request arrives, an appropriate SQL connection string is built at runtime and is then used by an SQL connection object to connect to the server. If a connection is established successfully, the authentication request is accepted. If the connection fails, the authentication request is rejected.
Since there may be several user store databases in an organization, each user store may be configured to transfer a user's authentication request to a different SQL database, as explained in the following XML node descriptions.
Tip: We recommend referring to the sample SQLAuthentication.dll.config file when reading this section.
Typically, SQLAuthentication.dll.config is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin\
User store section: Allows mapping a user's authentication request by the unique name of the user store to which the user belongs. For example, in the sample configuration file, each user belonging to organization usa will be authenticated using the connection string pointing to SQLSRVUSAMACHINE, while each user belonging to organization europe will be authenticated using the connection string pointing to SQLSRVEURMACHINE. If there is only one user store, only one section should be used (adding the default=true attribute).
TMSUserIdentifier: Indicates which user property should be used as the SQL Server user name. The value at runtime is inserted into the {0} in the ConnectionString XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber, and Name.
Provider node: This value holds the provider retrieving data from the database. Use the following value: System.Data.SqlClient
Note: The template described here must be formatted according to the selected provider. Each provider defines the connection string format.
ConnectionString: Contains a template for the database connection string. The template should be formatted according to the provider type, as described in the previous section.
- The {0} is replaced at runtime with the value of the TMSUser property indicated in TMSUserIdentifier
- The {1} is replaced at runtime with the value of the authentication request password
The following sample shows a connection string for connecting to Microsoft SQL Server:
Data Source=SQLSRV-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}
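The user-store mapping, TMSUserIdentifier and ConnectionString template described above, as an added example (not the guide's sample file and not the product's own dll): it parses a constructed config, picks the user store by name with the default=true fallback, and fills the {0}/{1} placeholders. The wrapper element names SQLAuthentication, UserStore and Provider are assumptions; TMSUserIdentifier, ConnectionString, the name and default attributes and the placeholders come from the guide. The example additionally quotes the substituted values per ADO.NET connection-string rules, which is this example's own handling.

```python
"""Added example, not from the SAM guide or product: resolve the per-user-store
settings and build the SQL connection string handed to the SQL connection object.
Element names SQLAuthentication, UserStore and Provider are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample SQLAuthentication.dll.config (wrapper element names assumed).
SAMPLE_CONFIG = """<SQLAuthentication>
  <UserStore name="usa" default="true">
    <TMSUserIdentifier>AccountName</TMSUserIdentifier>
    <Provider>System.Data.SqlClient</Provider>
    <ConnectionString>Data Source=SQLSRVUSAMACHINE\\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
  </UserStore>
  <UserStore name="europe">
    <TMSUserIdentifier>Email</TMSUserIdentifier>
    <Provider>System.Data.SqlClient</Provider>
    <ConnectionString>Data Source=SQLSRVEURMACHINE;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
  </UserStore>
</SQLAuthentication>"""

# User properties the guide allows in TMSUserIdentifier, and the provider it names.
ALLOWED_IDENTIFIERS = {"AccountName", "LogonName", "Email", "EmployeeNumber", "Name"}
SUPPORTED_PROVIDERS = {"System.Data.SqlClient"}


def load_stores(xml_text):
    """Parse the config into {store name: settings}; the store marked
    default="true" is also reachable under the key None."""
    stores = {}
    for node in ET.fromstring(xml_text).findall("UserStore"):
        settings = {
            "identifier": node.findtext("TMSUserIdentifier", "").strip(),
            "provider": node.findtext("Provider", "").strip(),
            "template": node.findtext("ConnectionString", "").strip(),
        }
        if settings["identifier"] not in ALLOWED_IDENTIFIERS:
            raise ValueError(f"unsupported TMSUserIdentifier {settings['identifier']!r}")
        if settings["provider"] not in SUPPORTED_PROVIDERS:
            raise ValueError(f"unsupported provider {settings['provider']!r}")
        stores[node.get("name")] = settings
        if node.get("default", "").lower() == "true":
            if None in stores:
                raise ValueError("more than one user store marked default=true")
            stores[None] = settings
    if not stores:
        raise ValueError("no UserStore section in configuration")
    return stores


def quote_value(value):
    """Quote a value for an ADO.NET-style connection string so that ';' or quote
    characters inside a user name or password cannot add or alter keywords."""
    if not any(c in value for c in ';"\'') and value == value.strip():
        return value
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    return '"' + value.replace('"', '""') + '"'   # both quote kinds: double the "


def build_connection_string(stores, store_name, user, password):
    """Pick the store by name (falling back to the default store), take the user
    property named by TMSUserIdentifier, and fill the {0}/{1} template."""
    settings = stores.get(store_name) or stores.get(None)
    if settings is None:
        raise LookupError(f"no user store section for {store_name!r} and no default")
    identity = user.get(settings["identifier"])
    if not identity:
        raise LookupError(f"user has no {settings['identifier']} value")
    return settings["template"].format(quote_value(identity), quote_value(password))


if __name__ == "__main__":
    cfg = load_stores(SAMPLE_CONFIG)
    sample_user = {"AccountName": "asmith", "Email": "a.smith@example.invalid"}
    print(build_connection_string(cfg, "europe", sample_user, "s3cret"))
```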
Configuring an LDAP User Store
SafeNet Authentication Manager supports OpenLDAP and Novell eDirectory as user stores. Perform the following tasks before implementing an LDAP directory as a user store:
- Prepare the authentication dll file that will enable users to log on to SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.
- If you require an LDAP schema different from the default, you must make the changes in the SAM Configuration Manager. See Changing the Schema Configuration on page 199.
Notes:
- In contrast to AD, OpenLDAP does not use a specific schema definition for users, groups, etc. It uses a basic definition that is extended on each installation.
- Novell eDirectory has a default schema that is similar to AD.
Preparing LDAP Authentication Dll
This section describes how to configure LDAP authentication in SafeNet Authentication Manager.
LDAP Authentication Overview
When SafeNet Authentication Manager is configured to work with a user store that is not Microsoft Active Directory, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center, and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a non-Active Directory user store, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.
LDAPAuthentication.dll Authentication File
A default LDAP authentication dll file is provided with SafeNet Authentication Manager: LDAPAuthentication.dll. This dll file reads the specific configuration at runtime when the associated application is loaded. LDAPAuthentication.dll is typically located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
LDAPAuthentication.dll.config Configuration File
The configuration file must be named LDAPAuthentication.dll.config, and must be located in the same directory as LDAPAuthentication.dll. The LDAPAuthentication.dll.config file is an XML file.
Supported Authentication Types
There are two supported LDAP authentication types:
- Fast Bind Configuration
- Slow Bind Configuration
Both authentication types take advantage of the LDAP directory server's built-in authentication service.
Tip:
- Use fast bind authentication when the users are stored in an LDAP directory and you wish to authenticate them with the same directory.
- Use slow bind authentication when the users are stored in one database and you wish to authenticate them with a different database (which is an LDAP directory).
Fast Bind Configuration
The most common configuration is the fast bind authentication. It is a one-phase authentication where the user DN and user password are passed to the LDAP directory, which in return accepts or rejects the authentication request. In this configuration, both users and passwords are placed in the same store. This store is always an LDAP directory where each user in the directory must be authorized to perform authentication. The XML file should be as follows:
FastBind
The file will always be the same regardless of the LDAP directory manufacturer or any other criteria.
Slow Bind Configuration
Slow bind authentication is two-phase authentication:
- First phase is searching and retrieving the user's LDAP path (User DN) from a preconfigured LDAP directory.
- Second phase is authenticating that user (as in fast bind).
In this configuration, the user store is usually located in one database (of any type) and the passwords are located in another database, which must be an LDAP directory. For example, the user store is an SQL database and the passwords are in an OpenLDAP or eDirectory database. As in fast bind authentication, each user in the LDAP directory must be authorized to perform authentication.
The XML file should be as follows:

SlowBind

AccountName
Server1.com:389
dc=MyCompany1,dc=com
(&(cn={0})(objectClass=Person))
cn=Admin,dc=MyCompany1,dc=com

AccountName
Server1.com:389
dc=MyCompany1,dc=com
(&(cn={0})(objectClass=Person))
cn=Admin,dc=MyCompany1,dc=com

If there are multiple user store databases in an organization, there may be several matching LDAP directories containing the passwords. The configuration file allows the binding of each user store to a specific LDAP directory.

Allows mapping a user store to an LDAP directory. If there is only one LDAP directory, only one section should be used (adding the default=true attribute).

If there are several LDAP directories, the name attribute should be used to map the user store with LDAP directories, providing the user store's unique instance name.
Holds the user property that is used to locate the user in the LDAP directory. The value at runtime is inserted into the {0} in the FilterTemplate XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber and Name.

IP or DNS of the LDAP directory.

The root LDAP path for user searching.

This LDAP query template is used to build an LDAP search string at runtime in order to find the user requesting authentication in the LDAP directory. The {0} is replaced at runtime with the value of the user property indicated in TMSUserIdentifier.

The User LDAP path used to perform the searches in the LDAP directory. This entry must have permissions to search and read LDAP entries in the LDAP directory.

The password of UserDN.

Note: The password must be encrypted using the Encrypt Password Tool (EncryptPassword.exe) and placed in the configuration file. See Using the Encrypt Password Tool (EncryptPassword.exe) on page 34.
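As an added illustration (not code from the guide or from SafeNet), the following Python sketch walks through the two slow bind phases described above against a small in-memory stand-in for the LDAP directory. The configuration values are the guide's sample values (Server1.com:389, dc=MyCompany1,dc=com, the FilterTemplate and the Admin UserDN); the dictionary key names, the service-account password and the directory entries are constructed for this example, and the guide's XML element names are not reproduced. What it adds is the part the text leaves implicit at the {0} substitution: the identifier taken from the user store is escaped per RFC 4515 before it is placed in the filter, so a value such as * is looked up as a literal name rather than turning the search into a wildcard, and a search that does not return exactly one DN is rejected before the second phase. An empty password is also refused, because an LDAP simple bind with a DN and no password is an unauthenticated bind that a directory may accept.

```python
import hmac
import re

# Constructed stand-in for the LDAP directory that holds the passwords (not a
# real server): DN -> attributes. Real deployments talk LDAP; the bind and
# search operations are simulated here so the example runs offline.
DIRECTORY = {
    "cn=Admin,dc=MyCompany1,dc=com": {"cn": "Admin", "objectClass": "Person", "userPassword": "svc-secret"},
    "cn=alice,dc=MyCompany1,dc=com": {"cn": "alice", "objectClass": "Person", "userPassword": "alice-pw"},
    "cn=bob,dc=MyCompany1,dc=com": {"cn": "bob", "objectClass": "Person", "userPassword": "bob-pw"},
}

# Slow bind settings using the guide's sample values. The key names are chosen
# for this example (the guide's XML element names are not reproduced), and
# "Password" holds the UserDN secret as the dll would see it after decryption.
CONFIG = {
    "TMSUserIdentifier": "AccountName",
    "Server": "Server1.com:389",
    "BaseDN": "dc=MyCompany1,dc=com",
    "FilterTemplate": "(&(cn={0})(objectClass=Person))",
    "UserDN": "cn=Admin,dc=MyCompany1,dc=com",
    "Password": "svc-secret",
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, value):
    """Fill the FilterTemplate's {0} with the escaped user identifier."""
    return template.replace("{0}", escape_filter_value(value))


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _assertion_regex(value):
    # An unescaped '*' is an LDAP substring wildcard; '\2a' is a literal '*'.
    return ".*".join(re.escape(_unescape(part)) for part in value.split("*"))


def ldap_search(base_dn, filter_str):
    """Simulated subtree search supporting (&(attr=value)...) filters only."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported or malformed filter: " + filter_str)
    assertions = re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1))
    hits = []
    for dn, entry in DIRECTORY.items():
        in_scope = dn.lower().endswith(base_dn.lower())
        if in_scope and all(
            attr in entry and re.fullmatch(_assertion_regex(val), entry[attr], re.IGNORECASE)
            for attr, val in assertions
        ):
            hits.append(dn)
    return hits


def ldap_bind(dn, password):
    """Simulated simple bind. An empty password is refused: DN plus empty
    password is an unauthenticated bind (RFC 4513 section 5.1.2) that a
    directory may accept without checking anything."""
    entry = DIRECTORY.get(dn)
    if entry is None or not password:
        return False
    return hmac.compare_digest(entry["userPassword"], password)


def fast_bind(user_dn, password):
    """One-phase authentication: DN and password go straight to the directory."""
    return (True, "authenticated") if ldap_bind(user_dn, password) else (False, "bind rejected")


def slow_bind(user_record, password, cfg=CONFIG):
    """Two-phase authentication: locate the DN, then bind as that DN."""
    # Phase 1: bind as the configured UserDN and search for the user's DN.
    if not ldap_bind(cfg["UserDN"], cfg["Password"]):
        return False, "service account bind failed"
    identifier = user_record.get(cfg["TMSUserIdentifier"])
    if not identifier:
        return False, "user record has no " + cfg["TMSUserIdentifier"]
    matches = ldap_search(cfg["BaseDN"], render_filter(cfg["FilterTemplate"], identifier))
    if len(matches) != 1:
        return False, "expected exactly one directory match, got %d" % len(matches)
    # Phase 2: authenticate the located DN exactly as fast bind does.
    return fast_bind(matches[0], password)


if __name__ == "__main__":
    print(slow_bind({"AccountName": "alice"}, "alice-pw"))  # (True, 'authenticated')
    print(slow_bind({"AccountName": "*"}, "alice-pw"))      # (False, 'expected exactly one directory match, got 0')
```

fast_bind stands for the one-phase FastBind configuration; slow_bind is the SlowBind path, in which the first bind uses the UserDN and its stored password and the user's own password is only ever sent in the second bind. The simulated search deliberately honours an unescaped * as a wildcard, which is exactly why render_filter escapes the value first.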
Using the Encrypt Password Tool (EncryptPassword.exe)
Use the Encrypt Password Tool only when LDAP Authentication is configured for slow bind authentication. The tool generates an encrypted password from a plaintext password. The encrypted password must be placed inside the Xml node of the configuration file. The tool must be run from the computer where the SafeNet Authentication Manager Server is installed. By default, the Encrypt Password Tool (EncryptPassword.exe) is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Authentication

Configuration Example - Slow Bind Authentication
In this scenario, we assume a company works with an LDAP directory that is currently not supported by SafeNet Authentication Manager.

To export users to a database supported by SAM:
1. Export the users from the LDAP directory into a Microsoft SQL Server database, which is supported by SafeNet Authentication Manager. After this process there are two installed databases:
- Microsoft SQL Server containing only users
- LDAP directory containing both users and passwords
2. Install SAM 8.0 Server or later.
3. Select SQL Server from the list of user databases.
4. Select the LDAPAuthentication.dll in the authentication window.
5. Complete the installation.

Configuring LDAPAuthentication.dll.config
Configure LDAPAuthentication.dll before running any SAM management application.

To configure LDAPAuthentication.dll:
1. Open the LDAPAuthentication.dll.config file, located in the SAM installation folder.
2. Create a configuration, as in the following example of a slow bind configuration:

SlowBind

AccountName
10.0.0.99:389
dc=organization,dc=com
(&(cn={0})(objectClass=organizationalPerson))
cn=Administrator,dc=organization,dc=com
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafmdDMgQAAAAIAAAAVABNAFMA
AAADZgAAqAAAABAAAABAt5/hxHf7tgrMsMX+l+glAAAAAASAAACgAAAAEAAAAP1sMRXQv93p
Tj2fj82oTfcQAAAAq06pe9IwfKx4rSVIZiTbaxQAAACms9JMPxfv1/XNsngjP+PQsC/t1w==

This configuration file assumes the following:
- The LDAP directory is located at 10.0.0.99 port 389
- The base DN is dc=organization,dc=com
- The user object in the LDAP directory has the organizationalPerson value in the objectClass attribute
- The user object is uniquely identified by the cn attribute
- The user that has read permissions in the LDAP directory is cn=Administrator,dc=organization,dc=com
- The password of cn=Administrator,dc=organization,dc=com should be retrieved as follows:
  - Run EncryptPassword.exe
  - Enter the password in the Plaintext > Password text box (i.e. Pas$word)
  - Click Encrypt (you should see the encrypted password in the ciphertext box)
  - Click Copy in order to copy the encrypted password to the clipboard
  - Paste the encrypted password into the xml node
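The guide does not say how EncryptPassword.exe protects the password. The sample value in the configuration example above begins with the well-known header of a Windows DPAPI (CryptProtectData) blob, and reading that header explains the requirement to run the tool on the SAM server itself: a blob protected with the machine-scoped DPAPI key can only be decrypted on the machine that created it. The following added example (not part of the guide or of SafeNet's tooling; the DPAPI interpretation is an inference from the header bytes, and the DPAPI provider GUID, field layout and CRYPTPROTECT_LOCAL_MACHINE flag value are the documented Windows constants) parses that header without decrypting anything, so an administrator can confirm that the value pasted into the configuration file is a complete, machine-bound blob before the dll tries to use it.

```python
import base64
import struct
import uuid

# Provider GUID found at the start of every Windows DPAPI (CryptProtectData) blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # blob bound to the machine, not to a user profile

# The encrypted password value from the guide's sample configuration, with the
# line wraps removed.
SAMPLE_ENCRYPTED_PASSWORD = (
    "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafmdDMgQAAAAIAAAAVABNAFMA"
    "AAADZgAAqAAAABAAAABAt5/hxHf7tgrMsMX+l+glAAAAAASAAACgAAAAEAAAAP1sMRXQv93p"
    "Tj2fj82oTfcQAAAAq06pe9IwfKx4rSVIZiTbaxQAAACms9JMPxfv1/XNsngjP+PQsC/t1w=="
)


def parse_dpapi_blob(b64_text):
    """Parse the DPAPI blob header and its length-prefixed fields.

    Nothing is decrypted: the payload can only be recovered by DPAPI on the
    machine (or for the user) whose master key protected it. The parser
    rejects values that are not DPAPI blobs, are truncated, or carry extra
    bytes, which are the usual copy-and-paste failures for this field."""
    blob = base64.b64decode("".join(b64_text.split()))
    pos = 0

    def u32():
        nonlocal pos
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("blob truncated")
        pos += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    master_key_version = u32()
    master_key_guid = uuid.UUID(bytes_le=take(16))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = u32(), u32()
    salt = take(u32())
    strong_key = take(u32())  # legacy field, normally empty
    alg_hash, alg_hash_bits = u32(), u32()
    hmac_key = take(u32())
    ciphertext = take(u32())
    signature = take(u32())
    if pos != len(blob):
        raise ValueError("trailing bytes after signature")
    return {
        "master_key_version": master_key_version,
        "master_key_guid": str(master_key_guid),
        "flags": flags,
        "local_machine": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
        "alg_crypt": alg_crypt, "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": alg_hash, "alg_hash_bits": alg_hash_bits,
        "salt_len": len(salt), "strong_key_len": len(strong_key),
        "hmac_key_len": len(hmac_key),
        "ciphertext_len": len(ciphertext), "signature_len": len(signature),
        "total_len": len(blob),
    }


if __name__ == "__main__":
    for key, value in parse_dpapi_blob(SAMPLE_ENCRYPTED_PASSWORD).items():
        print("%-20s %s" % (key, value))
```

For the guide's sample value the parser reports the CRYPTPROTECT_LOCAL_MACHINE flag set, a description string of "TMS", 3DES (CALG_3DES, 0x6603) with SHA-1 (CALG_SHA1, 0x8004), and a 16-byte ciphertext with a 20-byte signature. The local-machine flag is the part worth checking operationally: it means the value is tied to the SAM server that produced it, so a configuration file copied to another server (see Duplicating a SAM Server) needs its password re-encrypted there.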
Running an LDAP Management Tool
Run any LDAP management tool in order to use the new configuration. Run iisreset before running the management tool.
Chapter 4

Installation and Configuration Checklist
This section provides a checklist of the main tasks required to install, configure, and deploy SafeNet Authentication Manager.

In this chapter:
- Step 1: Perform Pre-Installation Tasks
- Step 2: Install SafeNet Authentication Manager
- Step 3: Configure SafeNet Authentication Manager
Step 1: Perform Pre-Installation Tasks
Perform the following tasks before installing SafeNet Authentication Manager.

Order / Action / Reference
1. Check system requirements. Install any prerequisite applications.
   Reference: See Chapter 2: System Requirements, on page 9
2. Deploy user store. Note: If you are using a Standalone user store, this is not required. See Configuring for Standalone User Store on page 94.
   Reference: See Chapter 3: User Store Deployment, on page 19

Step 2: Install SafeNet Authentication Manager
Perform the following tasks to install SafeNet Authentication Manager.

SafeNet Authentication Client Configuration
Perform the following tasks to install SafeNet Authentication Manager in a SafeNet Authentication Client configuration.

Order / Action / Reference
1. Install SafeNet Authentication Client.
   Reference: See SafeNet Authentication Client Administrators Guide
2. Install SafeNet Authentication Manager server component.
   Reference: Installing the SafeNet Authentication Manager Server on page 52
3. Configure SafeNet Authentication Manager Server and required connectors.
   Reference: See Chapter 7: Basic Configuration, on page 85
4. Install SafeNet Authentication Manager Management Tools component.
   Reference: Installing the SAM Management Tools on page 57
5. Install SafeNet Authentication Manager Client component.
   Reference: Installing SAM Client Using the Installation Wizard on page 60

OTP Configuration
Perform the following tasks to install SafeNet Authentication Manager in an OTP configuration.

Order / Action / Reference
1. Install SafeNet Authentication Manager server component (selecting the OTP installation option).
   Reference: Installing the SafeNet Authentication Manager Server on page 52
2. Configure SafeNet Authentication Manager Server.
   Reference: See Chapter 7: Basic Configuration, on page 85
3. Install and configure the required OTP plug-ins.
   Reference: See the eToken OTP Authentication Administrator's Guide
4. Configure RADIUS server.
   Reference: Configuring SAM IAS Plug-In on page 345
5. Install SafeNet Authentication Manager Management Tools component.
   Reference: Installing the SAM Management Tools on page 57
Step 3: Configure SafeNet Authentication Manager
After the SafeNet Authentication Manager server is installed, it must be configured.

Order / Action / Reference
1. Run the SafeNet Authentication Manager Configuration Settings Wizard to set the basic configuration.
   Reference: See Chapter 7: Basic Configuration, on page 85
2. Use the SafeNet Authentication Manager Configuration Manager to configure the following (not necessarily in this order): Connectors, Roles and Tasks, Backend Services, License, Web Services, Display, Failover, Schema, Service account, Server Synchronization, HSM support.
   Reference: See Chapter 10: SAM Configuration Manager, on page 179
3. Use the GPO Editor to propagate the SafeNet Authentication Manager Server name.
   Reference: See Propagating the SAM Server Name on page 66
4. Use the TPO Editor to configure the following settings: General, Connectors, Enrollment, Certificate, Recovery, Workflow, Audit, SAM Backend Service, SAM Desktop Agent, MobilePASS, Badging.
   Reference: See Chapter 9: Token Policy Object Settings, on page 145
Chapter 5

Installation
This chapter describes the installation of SafeNet Authentication Manager.

Note: See Upgrade and Migration on page 73 if SafeNet Authentication Manager or TMS is already installed on the computer.

If a message to restart your computer is displayed, either before or after the installation of SafeNet Authentication Manager, you must restart your computer.

In this chapter:
- Installation Components
- Installation Steps in an AD Environment
- Installing the SafeNet Authentication Manager Server
- Installing the SAM Management Tools
- Installing SAM Client Using the Installation Wizard
- Installing SAM Client Using the Command Line
- Un-installation
- Propagating the SAM Server Name
- Duplicating a SAM Server
Installation Components

Component / File / Description

SAM Server
  File: SAMServer-x32-8.0.msi or SAMServer-x64-8.0.msi
  Description: Install SafeNet Authentication Manager on the required server. This must be a member server running IIS on which the SafeNet Authentication Manager web application will be installed. One or more such servers may be installed in the organization. Note: We recommend running a dedicated SafeNet Authentication Manager (IIS) server.

SAM Management Tools
  File: SAMManagement-x32-8.0.msi or SAMManagement-x64-8.0.msi
  Description: Install on every workstation from where the administrator will access the TPO editor.

SAM Client
  File: SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi
  Description: Install on every workstation where the Self Service Center or Management Center are to be used, or on any client where the SafeNet Desktop Agent is to be used.

SAM Schema Modification Scripts
  File: SAMSchema-x32-8.0.msi
  Description: If the user installing the SafeNet Authentication Manager Server does not have the permissions required for modifying the AD schema, the schema modification scripts must be installed before SafeNet Authentication Manager is configured. The scripts implement changes to the Active Directory (AD) schema required by SafeNet Authentication Manager.

SAM Portals
  File: SAMPORTALS-x32-8.0.msi or SAMPORTALS-x64-8.0.msi
  Description: The SAM Portals installation files are supplied separately.

Note: We recommend configuring SafeNet Authentication Manager web sites using SSL. See Microsoft documentation for creating an SSL protected virtual directory in IIS.

Silently Installed Component
ASP.NET AJAX is installed together with SafeNet Authentication Manager. ASP.NET AJAX is a set of technologies to add AJAX (Asynchronous JavaScript And XML) support to ASP.NET. AJAX is a group of interrelated web development techniques used for creating interactive web applications or rich internet applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing web page.

ADAM is installed when a Standalone user store (an integrated configuration store and user store) is installed, or when an external user store, such as Microsoft SQL Server, OpenLDAP or Novell eDirectory, is used.
Installation Steps in an AD Environment
SafeNet Authentication Manager can be installed in a single or multi domain environment.

Installing in a Single Domain Environment

To install in a single domain environment:
1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
2. Install the SafeNet Authentication Manager server on a member server in your domain. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure the SafeNet Authentication Manager Server. (See Basic Configuration on page 85.)
4. Install Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)
Installing in a Multi Domain Environment

To install in a multi domain environment:
1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the SafeNet Authentication Manager installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
2. Install the SafeNet Authentication Manager server on one member server in one of your domains. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure SafeNet Authentication Manager for every domain in the forest where you want SAM to be used.
4. Install SAM Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

Installing SAM in a Multi Forest Environment

To install SAM in a multi forest environment:
1. Install the SafeNet Authentication Manager server on one member server in one of your domains in one of the forests. (See Installing the SafeNet Authentication Manager Server on page 52.)
2. Configure SafeNet Authentication Manager (using Remote AD) for every domain in every forest where you want SafeNet Authentication Manager to be used (except the domain where the SafeNet Authentication Manager server is installed).
3. Install SafeNet Authentication Manager Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
4. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

Installing and Running Schema Modification Scripts
Active Directory (AD) must be modified before it can be used as the SafeNet Authentication Manager Configuration Store. If the user who installs SafeNet Authentication Manager has AD schema modification permissions, then AD is modified automatically during SafeNet Authentication Manager configuration. If the user who installs SafeNet Authentication Manager does not have these permissions, the Schema Modification Scripts must be installed and run prior to setting the configuration.

Tip: Install the schema modification scripts only if the user installing SafeNet Authentication Manager does not have permissions to modify the AD schema.

The scripts are installed using the SafeNet Authentication Manager Schema Modification Scripts Installation Wizard.
Installing the Schema Modification Scripts
Install the SafeNet Authentication Manager Schema Modification Scripts in the root domain before SafeNet Authentication Manager is configured.

To install the Schema Modification Scripts:
1. Run SAMSchema-x32-8.0.msi. The Welcome to the SafeNet Authentication Manager Schema Modification Scripts Installation Wizard window opens.
2. Click Next. The License Agreement window opens.
3. Accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.

Note: The default folder is C:\Program Files\SafeNet\Authentication\SAM\x32\Bin (32-bit) or C:\Program Files\SafeNet\Authentication\SAM\x64\Bin (64-bit).

5. Click Next. The SafeNet Authentication Manager Schema Modification Scripts installation begins. When the installation process is complete, the SafeNet Authentication Manager Schema Modification Scripts has been successfully installed window opens.
6. Click Finish to exit the installation wizard. The installation process creates the VBScript file: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin\schemaInstall.vbs
Running the Schema Modification Scripts
Following the installation of the schema modification script, the script must be run.

Note: To run the schema modification script, the permissions must allow changes to be made to the schema.

To run the schema modification script:
Run the following command:
Cscript.exe schemaInstall.vbs [domain name] /AD

For example:
Cscript.exe schemaInstall.vbs production.com /AD

Installing the SafeNet Authentication Manager Server
The SafeNet Authentication Manager server must be installed before the other components.

Note: SafeNet Authentication Client should be installed on the computer where the SafeNet Authentication Manager server is installed. This is not required if SafeNet Authentication Manager is used only for OTP authentication. See SAM Management Tools System Requirements on page 13.

The SafeNet Authentication Manager Server Installation Wizard and SafeNet Authentication Manager Configuration Settings Wizard enable you to install SafeNet Authentication Manager Server and create a basic configuration. When the SafeNet Authentication Manager Server Installation Wizard completes the installation process, it launches the SafeNet Authentication Manager Configuration Settings Wizard.
To install and configure the SafeNet Authentication Manager Server:
1. Double-click SAMServer-x32-8.0.msi (32-bit) or SAMServer-x64-8.0.msi (64-bit). The SafeNet Authentication Manager Server Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next. The installation process starts. On completion of the installation process, the successfully installed window opens.
6. Click Finish.

Note: If you ran the installation from the command line, the SafeNet Authentication Manager Configuration Settings Wizard does not open automatically.

The SafeNet Authentication Manager Configuration Settings Wizard window opens. The SAM Configuration Settings Wizard enables you to set up a basic configuration that can be fine tuned later using the SafeNet Authentication Manager Configuration Manager.

Tip: We recommend completing the SafeNet Authentication Manager configuration at this time so that you can start working with the application. However, the configuration can be performed later using the SafeNet Authentication Manager Configuration Manager.

7. To continue with the SafeNet Authentication Manager Configuration Settings Wizard, click Next, or to exit, click Cancel. For a description of the SafeNet Authentication Manager Configuration Settings Wizard, see the following:
- Configuring for Active Directory on page 86
- Configuring for Standalone User Store on page 94
- Configuring for OpenLDAP, Novell eDirectory or Remote AD on page 102
- Configuring for MS SQL Server on page 115
Installing the SAM Management Tools
Install the SAM Management Tools on every workstation where the administrator will need to use the TPO Editor.

To install SAM Management Tools:
1. Double-click SAMManagement-x32-8.0.msi (32-bit) or SAMManagement-x64-8.0.msi (64-bit). The SAM Management Tools Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next. The installation process starts. On completion of the installation process, the successfully installed window opens.
6. Click Finish. SAM Management Tools has been installed.

The SAM Management Tools must be connected to the SAM server. See Propagating the SAM Server Name on page 66.
Installing SAM Client Using the Installation Wizard
Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SAM.

Note: SafeNet Authentication Manager Server 8.0 supports TMS Client 2.0 and later. However, when the SafeNet Authentication Manager server is updated, we recommend updating SafeNet Authentication Manager Client to the same version to avoid compatibility issues.

To install SafeNet Authentication Manager Client:
1. Double-click SAMClient-x32-8.0.msi (32-bit) or SAMClient-x64-8.0.msi (64-bit). The SafeNet Authentication Manager Client Installation Wizard opens.
2. Click Next. The License Agreement window opens.
3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next. The Select Installation Type window opens.
6. Select one of the following installation types:
- Typical: Includes the SAM Desktop Agent
- Complete: Includes the SAM Desktop Agent and the legacy TMS Desktop Agent.

Note: The legacy TMS Desktop is required for installations where previous TMS Client installations are still supported.

7. Click Next. The installation proceeds.

On completion of the instal