SAM Admin Guide 8.0 Rev A

SafeNet Authentication Manager (SAM) Version 8.0 Revision A
Administrator's Guide

Copyright 2010 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate.

SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet and SafeNet Authentication Manager are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of publication: September 2010
Last update: Tuesday, September 21, 2010 3:24 pm

Support

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact us directly at:

Telephone

You can call our helpdesk 24 hours a day, seven days a week:
USA: 1 800 545 6608
International: +1 410 931 7520

Email

You can send a question to the technical support team at the following email address: [email protected]

Website

You can submit a question through the SafeNet Support portal: http://c3.safenet-inc.com/secure.asp

Additional Documentation

The following SafeNet publications are available:
SafeNet Authentication Manager 8.0 User's Guide
SafeNet Authentication Manager 8.0 ReadMe

Table of Contents

Part I: Overview of SafeNet Authentication Manager

1. Introduction
   Overview of SafeNet Authentication Manager
      SafeNet Authentication Manager 8.0 Core Benefits
   New and Enhanced Features in SafeNet Authentication Manager 8.0
      Cloud support and integration with SaaS providers, Google Apps and Salesforce.com
      Enhanced MobilePASS Software Authentication Solution
      Integration with SafeNet HSMs for secure key storage
      Token History Management
      Token Policy Object (TPO) Export and Import
      Additional Platform
   Supported Authenticators

2. System Requirements
   SAM Server System Requirements
   SAM Management Tools System Requirements
   SAM Client System Requirements
   SAM External Web Portals

Part II: Installation and Configuration

3. User Store Deployment
   Supported User Stores
      Remote Active Directory
   Configuring a Microsoft SQL Server User Store
      Preparing Microsoft SQL Server Views
      Indexed Fields
      Preparing an MS SQL Server Authentication dll
   Configuring an LDAP User Store
      Preparing LDAP Authentication Dll
      Supported Authentication Types

4. Installation and Configuration Checklist
   Step 1: Perform Pre-Installation Tasks
   Step 2: Install SafeNet Authentication Manager
      SafeNet Authentication Client Configuration
      OTP Configuration
   Step 3: Configure SafeNet Authentication Manager

5. Installation
   Installation Components
      Silently Installed Component
   Installation Steps in an AD Environment
      Installing in a Single Domain Environment
      Installing in a Multi Domain Environment
      Installing SAM in a Multi Forest Environment
      Installing and Running Schema Modification Scripts
   Installing the SafeNet Authentication Manager Server
   Installing the SAM Management Tools
   Installing SAM Client Using the Installation Wizard
   Installing SAM Client Using the Command Line
   Un-installation
      Removing SAM Server from the Computer
      Removing SAM from the Domain
   Propagating the SAM Server Name
   Duplicating a SAM Server
      Licensing a Duplicate Server

6. Upgrade and Migration
   Upgrading to SAM 8.0 Server
   Upgrading to SAM 8.0 Client
   Upgrading to SAM 8.0 Management Tools
   Migrating from TMS 2.0 in an OpenLDAP Environment
   Migrating from TMS 2.0 with a Shadow Domain
   Migrating from SafeWord to SafeNet Authentication Manager 8.0
      Exporting Data from the SafeWord Database
      Importing SafeWord Data into SAM

7. Basic Configuration
   Configuring for Active Directory
   Configuring for Standalone User Store
   Configuring for OpenLDAP, Novell eDirectory or Remote AD
   Configuring for MS SQL Server

8. Token Policy Object Links
   Accessing Token Policy Object Links
      Accessing TPO Links in an AD Environment
      Accessing TPO Links in a Non-AD Environment
      Accessing TPO Links in a Standalone User Store Environment
   Creating a New TPO Link
   Adding a TPO Link
   Deleting a TPO Link
   Specifying the Scope of a TPO Link
      TPO Inheritance Behavior
      Setting No Override and Disabled Options
      Blocking Policy Inheritance
      Applying TPO Links to Limited Users and Groups
   Importing and Exporting Token Policy Objects
      Exporting Token Policy Objects
      Importing Token Policy Objects

9. Token Policy Object Settings
   Using the Token Policy Object Editor to Edit TPOs
   General Settings
      Mail Configuration
      SMS Provider Configuration
   Connector Settings
   Token Settings
      Token Initialization
      Token Password
      Password Quality
      Manual Complexity
      Initialization Parameters
      Initialization Key
      Advanced Settings
   Enrollment Settings
      General Properties
      SafeNet eToken Virtual Enrollment
      Enrollment Notification
   Recovery Settings
   Audit Settings
   MobilePASS Settings
   Backend Service Settings
   Legacy TMS Desktop Agent Settings
   Badging Settings
      Photo Storage
      Printing Parameters

10. SAM Configuration Manager
   Launching the SAM Configuration Manager
   Selecting the SAM Instance
   Importing and Exporting the SAM Settings File
      Exporting the SAM Settings File
      Importing the SAM Settings File
   Adding SAM Connectors
   Configuring Roles
   Scheduling the SAM Backend Service
   Configuring the License
   Configuring IIS and Web Services
      Configuring OTP Web Services
      Configuring Features of the SAM Management Center
      Configuring Features of the SAM Self Service Center
      Configuring Features of the SAM Rescue Service Center
      Configuring Features of SAM Web Service API
      Configuring Desktop Agent
      Configuring Server Synchronization
   Selecting the Authentication Plug-In
   Defining a Failover Configuration
   Exporting and Importing the Signing Certificate
      Exporting a Signing Certificate
      Importing a Signing Certificate
   Changing the SAM Service Account

11. Connector Configuration
   Connector for Microsoft CA
      Supported User Stores
      Microsoft DLL Files Required for MSCA
      Configuring the Microsoft CA
   Connector for OTP Authentication
      Supported User Stores
      Defining TPO Rules
   Connector for Flash Management
      Supported User Stores
      Defining TPO Rules
   Connector for P12 Certificate Import
      Supported User Stores
      Defining TPO Rules
   Connector for SafeNet Network Logon
      Supported User Stores
      Defining TPO Rules
   Connector for eToken Anywhere
      CA Requirements
      Supported User Stores
      Defining TPO Rules
   Connector for Check Point Internal CA
      Internal CA vs. External CA
      Supported User Stores
      Configuring the CP Firewall Management
      Defining TPO Rules
   Connector for Entrust
      Entrust Authority Security Manager
      SafeNet Authentication Manager - Entrust Integration
      Main Features
      Architecture
      Deployment Recommendations
      System Requirements
      Prerequisites
      Connector for Entrust Configuration
      Opening the Connector Policy Object Editor
      Defining the CA Policy
      Defining the Add User to Security Manager Policy
      Defining the Security Manager and SAM on Different Domains Policy
      Defining the Domain Username Policy
      Defining the Domain User Password Policy
      Defining the User Path Policy
      Defining the Username Template Policy
      Mapping Attributes
      Defining the Add User to Security Manager Directory Policy
      Defining the User Role Policy
      Defining the Certificate Type Policy
      Defining the Last Security Manager Update Policy
      Defining the SafeNet eToken Rescue Support Policy
      Entrust Security Manager Administration Configuration
      Using SAM with Entrust
      Behavior and Limitations

12. Licensing
   Licensing Overview
   Evaluation License
   Upgrading Licenses from Earlier Versions
   Viewing Licenses
   Applying a License
   Multi-Domain Licenses

13. Authorization Manager
   Authorization Management Overview
   Predefined Roles
   Defining a New Scope
   Defining Roles
   Defining Tasks

14. User Permissions
   Permissions for Basic Administration
      SAM Service Account Permissions
      User Permissions for Installing SAM
   Granting Dial-In Permission to the User Account
   Granting Permissions for Microsoft CA Templates
   Delegating Password Reset Control

15. Audit Messages and Enrollment Notifications
   Audit Messages
      Configuring Audit Settings for Viewing in Windows Event Viewer
      Viewing SAM Events in the Event Viewer
      Configuring Audit Settings for Sending Notification Messages
   Enrollment Notification
      Configuring Enrollment Notification Messages
   Configuring Audit, Enrollment and MobilePASS Activation Notification Templates
      Notification Letter Keywords
   Configuring SMS Notification Template

16. OTP Configuration
   OTP Web Service Settings
      Blank Presses
      Blank Presses Resync
      Time Sync
      Time Resync
   OTP Web Service Configuration
   Configuring SAM IAS Plug-In
   Configuring IAS for a Non-AD User Store

17. Backend Service
   Overview of Backend Services
   Controlling SAM Backend Services

Part III: Post-Installation Configuration

18. User Management in an ADAM Environment
   ADAM Environment User Store Overview
   Opening SafeNet Authentication Manager - Policy Manager
   Adding a User
   Viewing and Editing User Properties
   Adding a Group or OU
   Viewing and Editing Group Properties

19. Desktop Agent
   Overview of the Desktop Agent
   Adding the Desktop Agent Template to the GPO Editor
   Editing the Desktop Agent Settings in the GPO Editor
   Desktop Agent Settings
   Configuring Automatic Download of SafeNet eToken Rescue
   Configuring Attendance Reports
      Opening the Desktop Agent Settings Window
      Creating an Attendance Reports MS SQL Server Database
      Adding a Renamed MDF file to MS SQL Server
      Connecting to an Existing MS SQL Server Database through an ODBC Connection
      Saving Data for Attendance Reports
      Clearing the Token Connection Data History
      Displaying an Error Message Following Server Error
   Configuring the Legacy Desktop Agent
      SAM Desktop Agent Web Services Settings
   Troubleshooting

20. External Portals
   Overview of SAM External Portals
   Deliverables
   Prerequisites
   Installing the SAM External Portals
   Configuring SAM Portals
      Configuring Roles for SAM Portals
      Adding a Portal Connection
      Configuring Cloud Logon
   Setting the Logon Credentials in Google Apps
   Setting the Logon Credentials in Force.com
   Configuring the Username Attributes

21. Customizing SAM Websites
   Customizing Text
      Editing the Text in the Resource Files
      Implementing Text Changes with the SAM Branding Tool
   Customizing Graphic Files

Part IV: SAM Management

22. SAM Management Center Main Features
   Client Requirements
      Browser Settings
   OTP Tokens
      Temp OTP
      MobilePASS Tokens
   SafeNet eToken Virtual Products
      SafeNet eToken Virtual
      SafeNet eToken Virtual Temp
      SafeNet eToken Rescue
      SafeNet eToken Rescue Use Case
   eToken Network Logon
      eToken Network Logon Device Options
      eToken Network Logon Use Case

23. Helpdesk
   Helpdesk Page Overview
   Accessing the Helpdesk Page
   Unlocking a User
   Enabling a Temp Logon
   Enabling User Access to a SafeNet eToken Rescue
   Resetting the Default User Password
   Revoking a User's Token
   Unassigning a User's Token
   Unlocking a User's Token
   Temporarily Disabling a Token
   Enabling a Token
   Replacing a User's Token
   OTP Options
      Extending an OTP
      Replacing a Temp OTP with an OTP Token
      Replacing an OTP Token with a Temp OTP
      Resetting an OTP PIN
      Validating an OTP Token
      Locking an OTP
      Unlocking an OTP

    Certificate Recovery Workflow Options.................................................................483Requesting a Certificate Recovery Workflow....................................................484Approving a Certificate Recovery Workflow......................................................486Cancelling a Certificate Recovery Workflow .....................................................488Rejecting a Certificate Recovery Workflow.......................................................491Recovering Certificates .....................................................................................493

    24. Deployment ............................................................................................497Deployment Page Overview .............................................................................498Accessing the Deployment Page...........................................................................499Assigning a Token..................................................................................................503Enrolling a Smartcard or USB Token.....................................................................505Enrolling an OTP Token.........................................................................................509MobilePASS Token Enrollment.............................................................................. 511

    Preparing the MobilePASS Token Notification Procedure ................................512Enrolling a MobilePASS Token..........................................................................512Sending a MobilePASS Token to the User........................................................515Using a MobilePASS Token to Generate an OTP.............................................515

  • xv25. Inventory.................................................................................................517Inventory Page Overview..................................................................................518Accessing the Inventory Page............................................................................... 519Initializing a Token ................................................................................................. 523Adding Tokens to the SAM Inventory.................................................................... 526

    Adding a File of Tokens to the SAM Inventory.................................................. 526Adding a Token to the SAM Inventory .............................................................. 528

    Removing a Token from the SAM Inventory ......................................................... 53026. Reports ...................................................................................................533

    SAM Reports Page Overview ...........................................................................534Accessing the Reports Page................................................................................. 534Generating a Token Inventory Report ................................................................... 536Generating a Token History Report....................................................................... 541Generating a Token Expiration Report.................................................................. 546Generating a Token Audit Report.......................................................................... 550Generating an OTP Usage Report........................................................................ 553Generating a Token Connections Report.............................................................. 555Generating an Hourly Distribution Chart ............................................................... 559

    27. Downloads .............................................................................................563SAM Downloads Page Overview ......................................................................564Accessing the SAM Downloads Page................................................................... 564Downloading SAM Web Client .............................................................................. 565Downloading MobilePASS Applications................................................................ 569

    Part V AppendixesA. AD Schema Enhancement...................................................................573

    Prefixes Registered with Microsoft....................................................................574Naming Conventions ............................................................................................. 574Schema Attributes and Classes Tables ................................................................ 574

    Attributes ........................................................................................................... 575Classes.............................................................................................................. 588Schema extensions for TMS 5.0 and Later ...................................................... 590Schema Extensions for SAM 8.0 and Later...................................................... 592

  • xvi

  • Part I Overview of SafeNet Authentication Manager

    This section provides an overview of SAM, including the new features in this version.

    In this section:

    Chapter 1: Introduction (page 3)
    Chapter 2: System Requirements (page 9)


  • Chapter 1

    Introduction

    SafeNet Authentication Manager (SAM) enables management of the complete user authentication lifecycle. SafeNet Authentication Manager links tokens with users, organizational rules, and security applications to allow streamlined handling of users' needs throughout the various stages of their authenticator lifecycle.

    In this section:

    Overview of SafeNet Authentication Manager
    New and Enhanced Features in SafeNet Authentication Manager 8.0
    Supported Authenticators

  • 4 SafeNet Authentication Manager Administrator's Guide

    Overview of SafeNet Authentication Manager

    SafeNet Authentication Manager 8.0 (formerly known as eToken TMS) provides your organization with a comprehensive platform to manage all of your authentication requirements, across the enterprise and the cloud, in a single, integrated system. Enabling strong authentication for cloud applications using identity federation technology and offering support for SafeNet's portfolio of OTP and certificate-based authenticators, SafeNet Authentication Manager (SAM) is designed to evolve with your changing needs so you can:

    - Maintain strong on-premise authentication for cloud-based SaaS applications such as Google Apps and SalesForce.com
    - Seamlessly enhance your authentication infrastructure from OTP-only environments to more flexible ones that support both OTP and certificate-based (PKI) solutions and applications
    - Deploy a range of software authentication solutions

    SafeNet Authentication Manager's capabilities include central, delegated, and self-service interfaces that allow different levels of service to different communities of users and administrators.

    SafeNet Authentication Manager 8.0 Core Benefits

    - Extend your current enterprise authentication infrastructure to the cloud seamlessly
    - Complete support for your entire authentication solution (OTP, CBA, security applications) in a single system
    - Extensible, open platform with self-service and remote support for Linux, Mac and Windows
    - Flexibility to evolve your authentication infrastructure to include OTP and CBA solutions as well as advanced security applications
    - Reduce the workload of your IT staff with an integrated IT infrastructure, automated processes and intuitive user self-service tools
    - Control of your authenticator inventory and usage
    - Enhanced user productivity and remote access from wherever they are without compromising security
    - Comprehensive auditing and reporting features enable compliance with privacy regulations

    New and Enhanced Features in SafeNet Authentication Manager 8.0

    The following features have been included in SafeNet Authentication Manager 8.0.

    Cloud support and integration with SaaS providers, Google Apps and Salesforce.com

    Description: SAM provides a seamless strong authentication experience for enterprise users who want to access SaaS applications such as Google Apps and Salesforce.com (SFDC). This is achieved by federating their enterprise identity to the cloud, in short, enabling a Single Credential experience in which the user logs in to the SAM portal using their access credentials and is then automatically redirected to the specific cloud application.

    How it works: User authentication first happens in the enterprise (the user logging in to SAM), and only after users are successfully authenticated are they redirected to the cloud service through the use of identity federation protocols such as Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data. SafeNet Authentication Manager will act as the trusted identity provider, giving authenticated users permission to access the application. The SaaS application will be configured to allow access only to those users authenticated by SafeNet Authentication Manager. The enterprise maintains control of user access, as every use of the cloud resource is first validated on premise.

    Benefits: Enables enterprise users to access SaaS applications securely via two-factor authentication from anywhere. Existing SafeNet TMS/SAM customers can leverage their current on-premise authentication deployment to seamlessly and cost-effectively extend the same strong authentication solution to their cloud applications. There is no additional hardware or software to deploy; users can leverage their current authenticators. Comprehensive management of all authentication operations for both on-premise and cloud can be performed within a single platform.

    Enhanced MobilePASS Software Authentication Solution

    - Over-the-air deployment can be achieved two ways:
      - Direct download link sent to the user via email; using their mobile device, the user then clicks on the link and is prompted to install the application on their device
      - Software distribution push via BlackBerry Enterprise Server (BES)
    - Simple Remote Self-Enrollment and Activation portal for end users
    - Broad range of mobile device support: BlackBerry (4.2 and above), iPhone (3.0 and above), J2ME, Android

    Integration with SafeNet HSMs for secure key storage

    Description: SafeNet Authentication Manager security keys are stored in the HSM; encryption and decryption of SAM data is executed on the HSM.

    Benefits: Storing the SAM security keys in the HSM rather than locally in the file system enhances the security and the protection of stored secrets such as OTP seeds and archived private keys from unauthorized copy or leakage; this is an increasing requirement among both financial and government customers.

    Supported HSM models: Luna SA 4.4 and PCI 7000

    Token History Management

    - Stores historical data of tokens that have been unassigned or removed.
    - When users leave the company, their tokens are initialized and all data removed. However, if the token was used to access encrypted company data, for example, it might be necessary later to retrieve the encryption key. SAM now enables such a process by keeping a history of unassigned tokens, enabling certificate export for historic certificates.

    Token Policy Object (TPO) Export and Import

    - TPO settings can be exported to, and imported from, a password-protected file
    - Enables the duplication of the same TPO settings in multiple SAM installations
    - Assists the SafeNet support team when providing assistance to customers

    Additional Platform

    - Windows Server 2008 R2 is now supported

    Supported Authenticators

    The following authenticators are supported in SafeNet Authentication Manager 8.0:

    - SafeNet eToken PRO
    - SafeNet eToken NG-Flash
    - SafeNet eToken NG-OTP
    - SafeNet eToken SmartCard
    - SafeNet eToken Anywhere
    - SafeNet eToken Virtual
    - SafeNet eToken Virtual Temp
    - SafeNet eToken Rescue
    - eToken Anywhere
    - MobilePASS
    - MobilePASS Messaging
    - Alpine
    - Gold 3000
    - Platinum
    - Silver


  • Chapter 2

    System Requirements

    Before installing SAM, ensure that your system meets the requirements for each of the components. See Installation Components on page 44.

    In this chapter:

    SAM Server System Requirements
    SAM Management Tools System Requirements
    SAM Client System Requirements
    SAM External Web Portals
    Windows Password

    SAM Server System Requirements

    Component: Operating System
    Requirement: One of the following:
      - Windows Server 2003 SP2 (32-bit, 64-bit)
      - Windows Server 2003 R2 (32-bit and 64-bit)
      - Windows Server 2008 SP2 (32-bit, 64-bit)
      - Windows Server 2008 R2 (64-bit)

    Component: Additional Software
    Requirement: Windows Installer 3.0 or later
    Comment: The Microsoft Windows Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2-x86.exe is the redistributable package for installing or upgrading Windows Installer. http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en

    Requirement: 32-bit: Microsoft .NET Framework Version 2.0 SP1 (x86) redistributable package or later; 64-bit: Microsoft .NET Framework version 2.0 (x64) redistributable package or later
    Comment: The Microsoft .NET Framework version 2.0 redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework 2.0.
      32-bit: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
      64-bit: http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00&displaylang=en

    Requirement: One of the following: Microsoft SQL Server 2005; Microsoft SQL Server 2008
    Comment: Required for producing Attendance Reports only

    Requirement: Java Runtime Environment 1.5 or later
    Comment: Required for MobilePASS tokens only

    Component: SAM Configuration Store
    Requirement: Active Directory (if Active Directory is to be used as the configuration store).
    Comment: See SAM Configuration Store on page 23. Note: If ADAM is to be used as the configuration store, it does not need to be installed separately, as it is installed during the SAM installation.

    Component: SAM User Store
    Requirement: One of the following, if an external user store is used:
      - Active Directory (Windows 2003, 2003 R2, 2008, or 2008 R2)
      - MS SQL Server 2005 or 2008
      - OpenLDAP 2.3.38 or later
      - Novell eDirectory 8.7.3 or later
    Comment: See User Store on page 21. Note: If the integrated configuration of a Standalone user store is used, ADAM is installed during the SAM installation, and a pre-installed user store is not required.

    Component: PKI Client/SafeNet Authentication Client
    Requirement: The following versions are supported:
      - eToken PKI Client version 4.55
      - eToken PKI Client version 5.1 SP1
      - SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
    Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SafeNet Authentication Manager system. Note: Not required for OTP-only implementations.

    SAM Management Tools System Requirements

    Component: Operating System
    Requirement: One of the following:
      - Windows Server 2003 SP2 (32-bit, 64-bit)
      - Windows Server 2003 R2 (32-bit, 64-bit)
      - Windows Server 2008 SP2 (32-bit, 64-bit)
      - Windows Server 2008 R2 (64-bit)
      - Windows XP SP3 (32-bit, 64-bit)
      - Windows Vista SP2 (32-bit, 64-bit)
      - Windows 7 (32-bit, 64-bit)
    Comment: Use Windows Vista and Windows 7 for non-AD environments only.

    Component: Additional Software
    Requirement: Windows Installer 3.0 or later
    Comment: See the Windows Installer comment on page 11.

    Requirement: Microsoft .NET Framework Version 2.0 SP1 Redistributable or later
    Comment: See the Microsoft .NET Framework comment on page 11.

    Component: eToken PKI Client or SafeNet Authentication Client
    Requirement: The following versions are supported:
      - eToken PKI Client version 4.55
      - eToken PKI Client version 5.1 SP1
      - SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
    Comment: Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SAM system. Note: Not required for OTP-only implementations.

    Component: Browser
    Requirement: Internet Explorer 6.0, 7.0, or 8.0

    Component: Trusted Sites
    Requirement: SAM Management Center
    Comment: Must be set as a trusted site.

    SAM Client System Requirements

    Component: Operating System
    Requirement: One of the following:
      - Windows Server 2003 SP2 (32-bit, 64-bit)
      - Windows Server 2003 R2 (32-bit, 64-bit)
      - Windows Server 2008 SP2 (32-bit, 64-bit)
      - Windows Server 2008 R2 (64-bit)
      - Windows XP SP3 (32-bit, 64-bit)
      - Windows Vista SP2 (32-bit, 64-bit)
      - Windows 7 (32-bit, 64-bit)

    Component: eToken PKI Client or SafeNet Authentication Client
    Requirement: The following versions are supported:
      - eToken PKI Client version 4.55
      - eToken PKI Client version 5.1 SP1
      - SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features)
      Note: eToken PKI Client 5.1 SP1 or later is required for a Windows 7 environment.
    Comment: Required to work with tokens and with connector configurations. Note: Not required for OTP-only implementations.

    Component: Browser
    Requirement:
      - Internet Explorer 6.0, 7.0, or 8.0
      - Firefox 3.6 (OTP operations only)
      - Safari 5 (OTP operations only)

    Component: Trusted Sites
    Requirement: SAM Self Service Center
    Comment: Must be set as a trusted site.

    SAM External Web Portals

    Component: Browser
    Requirement:
      - Internet Explorer 6.0, 7.0, or 8.0
      - Firefox 3.6
      - Chrome 5
      - Safari 5 (Mac)


  • Part II Installation and Configuration

    The following chapters describe how to install and configure SAM.

    In this section:

    Chapter 4: Installation and Configuration Checklist (page 37)
    Chapter 3: User Store Deployment (page 19)
    Chapter 5: Installation (page 43)
    Chapter 6: Upgrade and Migration (page 73)
    Chapter 7: Basic Configuration (page 85)
    Chapter 8: Token Policy Object Links (page 121)
    Chapter 9: Token Policy Object Settings (page 145)
    Chapter 10: SAM Configuration Manager (page 179)
    Chapter 11: Connector Configuration (page 201)
    Chapter 13: Authorization Manager (page 299)
    Chapter 15: Audit Messages and Enrollment Notifications (page 321)
    Chapter 12: Licensing (page 293)
    Chapter 16: OTP Configuration (page 339)
    Chapter 17: Backend Service (page 353)


  • Chapter 3

    User Store Deployment

    Typically, Microsoft Active Directory is deployed as part of the Windows operating system, and is available when installing SafeNet Authentication Manager. To use a different user store (MS SQL Server, OpenLDAP, or Novell eDirectory) that is not already installed, you must deploy it before installing SAM. Alternatively, you can install a Standalone user store, which is an integrated configuration store and user store based on ADAM. In this case, ADAM is installed as part of the SAM installation. See User and Configuration Stores on page 21.

    In this section:

    Supported User Stores
    Remote Active Directory
    Configuring a Microsoft SQL Server User Store
    Configuring an LDAP User Store

    Supported User Stores

    SafeNet Authentication Manager can work with any of the following user stores:

    - Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)

      Note: You cannot work with Active Directory and a different store (MS SQL Server, OpenLDAP, Novell, or Remote AD). However, when working with AD you can use several domains. When working with MS SQL Server, OpenLDAP, Novell, or Remote AD, you can use several of them together, but not with AD.

    - ADAM (with Standalone user store, an integrated configuration and user store)
    - Remote Active Directory
    - Microsoft SQL Server 2005/2008
    - OpenLDAP
    - Novell eDirectory

    Note: For a fully featured SafeNet Authentication Manager solution including SAM Desktop Agent, Microsoft Active Directory must be used. In non-AD environments, SafeNet Authentication Manager supports the following connectors:

    - Connector for OTP Authentication
    - Connector for eToken Anywhere
    - Connector for Check Point Internal CA
    - Connector for Microsoft CA, with offline CA
    - Connector for Flash Management
    - Connector for P12 Certificate Import

    Remote Active Directory

    A remote Active Directory can be used as a user store when working in a multi-forest environment. This avoids the necessity of installing a SafeNet Authentication Manager server in each forest. A typical use for this would be when deploying OTP in a multi-forest environment. To enable connection to the remote Active Directory, during configuration SafeNet Authentication Manager must be supplied with the username and password that will enable access to the domain.

    Configuring a Microsoft SQL Server User Store

    Perform the following tasks before implementing MS SQL Server as a user store:

    - Prepare the data views so that SafeNet Authentication Manager can connect to the database.
    - Prepare the authentication dll file that will enable users to log on to the SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.

    Preparing Microsoft SQL Server Views

    The required views must be created in MS SQL Server. This set of views must be prepared as described to enable SafeNet Authentication Manager to connect to the database.

    AksTMSUsers

    AksTMSUsers represents the user table.

    Field | Type | Description | Required
    UserID | String | The unique user ID | Yes
    AccountName | String | The unique user account name | Yes
    PolicyObjectID | String | The direct organization unit | Yes (can be null)
    LogonName | String | The unique user logon name | No
    AccountEnabled | Boolean | Used by OTP authentication | No
    AccountLocked | Boolean | Used by OTP authentication | No
    FirstName | String | The user's first name | No
    LastName | String | The user's last name | No
    Initials | String | The user's initials | No
    MiddleName | String | The user's middle name | No
    Street | String | The user's address street | No
    POBox | String | The user's address PO Box number | No
    City | String | The user's address city | No
    State | String | The user's address state | No
    ZipCode | String | The user's address zip code | No
    CountryCode | String | The user's address country code | No
    HomePostalAdress | String | The user's home postal address | No
    Email | String | The user's email | No
    MobilePhone | String | The user's mobile phone | No
    HomePhone | String | The user's home phone | No
    OrganizationName | String | The user's organization name | No
    Company | String | The user's company | No
    EmployeeNumber | String | The user's employee number | No
    DepartmentNumber | String | The user's department number | No
    Office | String | The user's office | No
    DisplayName | String | The user's full display name | No

    AksTMSGroups

    AksTMSGroups represents the group table.

    Field | Type | Description | Required
    GroupID | String | The unique group ID | Yes (value required)
    GroupName | String | The unique group name | Yes (value required)
    DisplayName | String | The group full display name | No

    AksTMSUserOfGroup

    AksTMSUserOfGroup represents membership of users in the groups.

    Field | Type | Description | Required
    GroupID | String | The group unique ID | Yes (value required)
    UserID | String | The user belonging to the group | Yes (value required)

    AksTMSGroupOfGroup

    AksTMSGroupOfGroup represents the group hierarchy.

    Field | Type | Description | Required
    GroupID | String | The unique group ID | Yes (value required)
    MemberGroupID | String | The subgroup belonging to the group | Yes (value required)

    AksTMSPolicyObjects

    AksTMSPolicyObjects represents the hierarchy of the organization (equivalent to OU).

    Field | Type | Description | Required
    PolicyID | String | The unique policy object ID | Yes (value required)
    PolicyName | String | The unique policy object name | Yes (value required)
    Root | Boolean | Policy object is root | Yes (value required)
    ParentPolicyID | String | The ID of the parent policy object | Yes (value not required)
    DisplayName | String | The policy's full display name | No

    Indexed Fields

    To ensure optimum performance, all required fields in the SQL database should be indexed:

    - AksTMSUsers: UserID, AccountName, PolicyObjectID
    - AksTMSGroups: GroupID, GroupName
    - AksTMSUserOfGroup: GroupID, UserID
    - AksTMSPolicyObjects: PolicyID, PolicyName, Root, ParentPolicyID

    Preparing an MS SQL Server Authentication dll

    This section describes how to configure MS SQL Server authentication in SAM.

    SQL Authentication Overview

    When SafeNet Authentication Manager is configured to work with a user store based on an SQL database, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center and SAM Policy Management. When the administrator installs SafeNet Authentication Manager and configures a user store based on an SQL database, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.
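Returning to the views described above: the following is an added example, not SafeNet's code or a file shipped with SAM, showing how the five AksTMS* views can be defined over an existing HR schema so that every field the guide marks as required is present, with indexes on the base columns behind those fields. SQLite stands in for MS SQL Server so the block runs offline; the view definitions are plain SQL and port to T-SQL by changing the INTEGER flags to BIT and adding a schema prefix. The hr_* base tables, their rows and the index names are constructed for this example.

```python
"""Create the AksTMS* views SAM expects over an existing HR schema.

Added example, not SafeNet's code. SQLite stands in for MS SQL Server; the
hr_* tables, sample rows and index names are constructed for the example.
"""
import sqlite3

# Columns the guide marks "Required" for each view. Optional columns may be
# omitted from a view; required ones must exist (PolicyObjectID and
# ParentPolicyID must exist but may hold NULL).
REQUIRED_VIEW_COLUMNS = {
    "AksTMSUsers": {"UserID", "AccountName", "PolicyObjectID"},
    "AksTMSGroups": {"GroupID", "GroupName"},
    "AksTMSUserOfGroup": {"GroupID", "UserID"},
    "AksTMSGroupOfGroup": {"GroupID", "MemberGroupID"},
    "AksTMSPolicyObjects": {"PolicyID", "PolicyName", "Root", "ParentPolicyID"},
}

BASE_SCHEMA = """
CREATE TABLE hr_employee (
    emp_id TEXT PRIMARY KEY, login TEXT NOT NULL UNIQUE, ou_id TEXT,
    first_name TEXT, last_name TEXT, email TEXT,
    enabled INTEGER NOT NULL DEFAULT 1, locked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE hr_group (
    grp_id TEXT PRIMARY KEY, grp_name TEXT NOT NULL UNIQUE, parent_grp TEXT);
CREATE TABLE hr_group_member (
    grp_id TEXT NOT NULL, emp_id TEXT NOT NULL, PRIMARY KEY (grp_id, emp_id));
CREATE TABLE hr_org_unit (
    ou_id TEXT PRIMARY KEY, ou_name TEXT NOT NULL UNIQUE, parent_ou TEXT);
-- Indexes for the guide's "Indexed Fields" list: SAM queries the views, so the
-- base columns behind every required field need an index. PRIMARY KEY and
-- UNIQUE columns are indexed implicitly; the remaining ones are indexed here.
CREATE INDEX ix_employee_ou      ON hr_employee(ou_id);
CREATE INDEX ix_group_member_emp ON hr_group_member(emp_id);
CREATE INDEX ix_org_unit_parent  ON hr_org_unit(parent_ou);
"""

VIEWS = """
CREATE VIEW AksTMSUsers AS
    SELECT emp_id AS UserID, login AS AccountName, ou_id AS PolicyObjectID,
           login AS LogonName, enabled AS AccountEnabled, locked AS AccountLocked,
           first_name AS FirstName, last_name AS LastName, email AS Email,
           first_name || ' ' || last_name AS DisplayName
    FROM hr_employee;
CREATE VIEW AksTMSGroups AS
    SELECT grp_id AS GroupID, grp_name AS GroupName, grp_name AS DisplayName
    FROM hr_group;
CREATE VIEW AksTMSUserOfGroup AS
    SELECT grp_id AS GroupID, emp_id AS UserID FROM hr_group_member;
CREATE VIEW AksTMSGroupOfGroup AS
    SELECT parent_grp AS GroupID, grp_id AS MemberGroupID
    FROM hr_group WHERE parent_grp IS NOT NULL;
CREATE VIEW AksTMSPolicyObjects AS
    SELECT ou_id AS PolicyID, ou_name AS PolicyName,
           CASE WHEN parent_ou IS NULL THEN 1 ELSE 0 END AS Root,
           parent_ou AS ParentPolicyID, ou_name AS DisplayName
    FROM hr_org_unit;
"""

SAMPLE_ROWS = """
INSERT INTO hr_org_unit VALUES ('ou-root', 'Example Corp', NULL);
INSERT INTO hr_org_unit VALUES ('ou-usa', 'usa', 'ou-root');
INSERT INTO hr_employee (emp_id, login, ou_id, first_name, last_name, email)
    VALUES ('u-1001', 'jdoe', 'ou-usa', 'Jane', 'Doe', 'jdoe@example.com');
INSERT INTO hr_group VALUES ('g-1', 'helpdesk', NULL);
INSERT INTO hr_group VALUES ('g-2', 'helpdesk-usa', 'g-1');
INSERT INTO hr_group_member VALUES ('g-2', 'u-1001');
"""


def build_demo_db():
    """Return an in-memory database with the base tables, views and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(BASE_SCHEMA + VIEWS + SAMPLE_ROWS)
    return conn


def view_columns(conn, view):
    """Column names a view exposes; the view name is checked against the known list."""
    if view not in REQUIRED_VIEW_COLUMNS:
        raise ValueError(f"not a SAM view: {view}")
    return [row[1] for row in conn.execute(f"PRAGMA table_info({view})")]


def missing_required_columns(conn):
    """Map each view to the required columns it lacks; {} means all views are usable."""
    missing = {}
    for view, required in REQUIRED_VIEW_COLUMNS.items():
        gap = sorted(required - set(view_columns(conn, view)))
        if gap:
            missing[view] = gap
    return missing


def root_policy_ids(conn):
    """PolicyIDs whose Root flag is set; the organization root is expected here."""
    return [r[0] for r in conn.execute(
        "SELECT PolicyID FROM AksTMSPolicyObjects WHERE Root = 1")]
```

Run missing_required_columns against the database after creating the views: an empty result means every view exposes the fields SAM needs, and anything listed is a view that must be fixed before SAM is pointed at the database.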

    SQLAuthentication.dll Authentication File

    A default SQL authentication dll is provided with SAM: SQLAuthentication.dll. This dll file reads a specific configuration at runtime when the associated application is loaded. SQLAuthentication.dll is typically located at: C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

    SQLAuthentication.dll.config Configuration File

    The configuration file must be named SQLAuthentication.dll.config, and must be located in the same directory as SQLAuthentication.dll. The SQLAuthentication.dll.config file is an XML file.

    Note: After updating the SQLAuthentication.dll.config configuration file, reset the IIS server to update SAM.

    Supported Authentication Types

    SQLUser is the only authentication type supported. This authentication type takes advantage of the SQL Server built-in authentication service. When a SafeNet Authentication Manager user authentication request arrives, an appropriate SQL connection string is built at runtime and is then used by an SQL connection object to connect to the server. If a connection is established successfully, the authentication request is accepted. If the connection fails, the authentication request is rejected.

    Since there may be several user store databases in an organization, each user store may be configured to transfer a user's authentication request to a different SQL database, as explained in the following XML node.

    Tip: We recommend referring to the sample SQLAuthentication.dll.config file when reading this section.

    Typically, SQLAuthentication.dll.config is located at: C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin\

    Allows mapping a user's authentication request by the unique name of the user store to which the user belongs. For example, in the sample configuration file, each user belonging to organization usa is authenticated using the connection string pointing to SQLSRV-USA-MACHINE, while each user belonging to organization europe is authenticated using the connection string pointing to SQLSRV-EUR-MACHINE. If there is only one user store, only one section should be used (adding the default=true attribute).

    Indicates which user property should be used as the SQL Server username. The value at runtime is inserted into the {0} at the ConnectionString XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber, and Name.

    This value holds the provider retrieving data from the database. Use the following value: System.Data.SqlClient

    Note: The template described here must be formatted according to the selected provider. Each provider defines the connection string format.

    Contains a template for the database connection string. The template should be formatted according to the provider type, as described in the previous section.

    - The {0} is replaced at runtime with the value of the TMSUser property indicated in TMSUserIdentifier
    - The {1} is replaced at runtime with the value of the authentication request password

    The following sample shows a connection string for connecting to Microsoft SQL Server:

    Data Source=SQLSRV-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}
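The runtime substitution of {0} and {1} into the template above is the step where the user-supplied password enters the connection string, so it is worth checking how that substitution treats the connection-string syntax. The following is an added example, not SafeNet's code and not what SQLAuthentication.dll does internally: it fills the guide's sample template with a plain replacement and with ADO.NET-style quoting, and parses both results so the difference is visible. The user name and passwords are constructed; the quoting rule used (a value containing ';' or a quote is enclosed in double quotes, an embedded double quote is written twice) is the documented ADO.NET connection-string syntax.

```python
"""Fill the SQLAuthentication.dll.config connection-string template.

Added example, not SafeNet's code. TEMPLATE is the guide's sample; the user
name and passwords used with it are constructed for the example.
"""

TEMPLATE = ("Data Source=SQLSRV-MACHINE\\SQLEXPRESS;Initial Catalog=;"
            "Integrated Security=False;User ID={0};Password={1}")


def quote_value(value):
    """Return value as it may appear after '=' in an ADO.NET connection string."""
    plain = value and value == value.strip() and not any(c in value for c in ";'\"")
    if plain:
        return value
    return '"' + value.replace('"', '""') + '"'


def naive_fill(template, user, password):
    """Plain substitution: a ';' inside the password starts a new keyword=value pair."""
    return template.replace("{0}", user).replace("{1}", password)


def safe_fill(template, user, password):
    """Substitution with both values quoted, so each stays a single value."""
    return template.replace("{0}", quote_value(user)).replace("{1}", quote_value(password))


def parse_connection_string(conn_str):
    """Small ADO.NET-style parser: keyword=value pairs separated by ';', with
    quoted values. A later duplicate keyword overwrites an earlier one, as the
    .NET connection-string builder does."""
    pairs, i, n = {}, 0, len(conn_str)
    while i < n:
        while i < n and conn_str[i] in "; \t":
            i += 1
        eq = conn_str.find("=", i)
        if eq < 0:
            break
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        if i < n and conn_str[i] in "\"'":
            quote, i, buf = conn_str[i], i + 1, []
            while i < n:
                if conn_str[i] == quote:
                    if i + 1 < n and conn_str[i + 1] == quote:   # doubled quote
                        buf.append(quote)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(conn_str[i])
                i += 1
            value = "".join(buf)
        else:
            semi = conn_str.find(";", i)
            end = n if semi < 0 else semi
            value = conn_str[i:end].strip()
            i = end
        pairs[key] = value
    return pairs
```

With the naive substitution, a password containing a semicolon is read as additional keyword=value pairs and can change settings such as Integrated Security; with the quoted substitution the same password is carried as one value and the rest of the template is unchanged. In .NET the equivalent of quote_value is letting SqlConnectionStringBuilder set the UserID and Password properties rather than formatting the string by hand.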

  • User Store Deployment 29Configuring an LDAP User StoreSafeNetAuthenticationManagersupportsOpenLDAPandNovelleDirectoryasuserstores.PerformthefollowingtasksbeforeimplementinganLDAPdirectoryasauserstore: Preparetheauthenticationdllfilethatwillenableuserstologon

    toSAMManagementCenter,SAMSelfServiceCenter,andSAMRescueServiceCenter.

    IfyourequireanLDAPschemadifferentfromthedefault,youmustmakethechangesintheSAMConfigurationManager.SeeChangingtheSchemaConfigurationonpage 199.

    Notes: IncontrasttoAD,OpenLDAPdoesnotuseaspecificschemadefinitionforusers,groups,etc.Itusesabasicdefinitionthatisextendedoneachinstallation. NovelleDirectoryhasadefaultschemathatissimilartoAD.

    Preparing LDAP Authentication DllThissectiondescribeshowtoconfigureLDAPauthenticationinSafeNetAuthenticationManager.

    LDAP Authentication OverviewWhenSafeNetAuthenticationManagerisconfiguredtoworkwithauserstorethatisnotMicrosoftActiveDirectory,itmustbeabletoauthenticatetheuserswhologontothevariousSafeNetAuthenticationManagerapplications:SAMManagementCenter,SAMSelfServiceCenter,SAMRescueServiceCenter,andSAMPolicyManagement.WhentheadministratorinstallsSafeNetAuthenticationManagerandconfiguresanonActiveDirectoryuserstore,theSafeNetAuthenticationManagerInstallationWizardenforcestheselectionoftheauthenticationdllfilethatimplementstheauthenticationprocess.

    LDAPAuthentication.dll Authentication File

    A default LDAP authentication dll file is provided with SafeNet Authentication Manager: LDAPAuthentication.dll. This dll file reads the specific configuration at runtime when the associated application is loaded. LDAPAuthentication.dll is typically located at:
    C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

    LDAPAuthentication.dll.config Configuration File

    The configuration file must be named LDAPAuthentication.dll.config, and must be located in the same directory as LDAPAuthentication.dll. The LDAPAuthentication.dll.config file is an XML file.

    Supported Authentication Types

    There are two supported LDAP authentication types:
    • Fast Bind Configuration
    • Slow Bind Configuration

    Both authentication types take advantage of the LDAP directory server's built-in authentication service.

    Tip:
    • Use fast bind authentication when the users are stored in an LDAP directory and you wish to authenticate them with the same directory.
    • Use slow bind authentication when the users are stored in one database and you wish to authenticate them with a different database (which is an LDAP directory).

    Fast Bind Configuration

    The most common configuration is fast bind authentication. It is a one-phase authentication where the user DN and user password are passed to the LDAP directory, which in return accepts or rejects the authentication request. In this configuration, both users and passwords are placed in the same store. This store is always an LDAP directory where each user in the directory must be authorized to perform authentication. The XML file should be as follows:

    FastBind

    The file will always be the same regardless of the LDAP directory manufacturer or any other criteria.

    Slow Bind Configuration

    Slow bind authentication is two-phase authentication:
    • First phase is searching and retrieving the user's LDAP path (User DN) from a preconfigured LDAP directory.
    • Second phase is authenticating that user (as in fast bind).

    In this configuration, the user store is usually located in one database (of any type) and the passwords are located in another database which must be an LDAP directory. For example, the user store is an SQL database and the passwords are in an OpenLDAP or eDirectory database. As in fast bind authentication, each user in the LDAP directory must be authorized to perform authentication.

    The XML file should be as follows:

    SlowBind

    AccountName
    Server1.com:389
    dc=MyCompany1,dc=com
    (&(cn={0})(objectClass=Person))
    cn=Admin,dc=MyCompany1,dc=com

    AccountName
    Server1.com:389
    dc=MyCompany1,dc=com
    (&(cn={0})(objectClass=Person))
    cn=Admin,dc=MyCompany1,dc=com

    If there are multiple user store databases in an organization, there may be several matching LDAP directories containing the passwords. The configuration file allows the binding of each user store to a specific LDAP directory.

    Allows mapping a user store to an LDAP directory. If there is only one LDAP directory, only one section should be used (adding the default=true attribute). If there are several LDAP directories, the name attribute should be used to map the user store with LDAP directories, providing the user store's unique instance name.

    TMSUserIdentifier: Holds the user property that is used to locate the user in the LDAP directory. The value at runtime is inserted into the {0} in the FilterTemplate XML node. User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber and Name.

    IP or DNS of the LDAP directory.

    The root LDAP path for user searching.

    FilterTemplate: This LDAP query template is used to build an LDAP search string at runtime in order to find the user requesting authentication in the LDAP directory. The {0} is replaced at runtime with the value of the user property indicated in TMSUserIdentifier.

    UserDN: The user LDAP path used to perform the searches in the LDAP directory. This entry must have permissions to search and read LDAP entries in the LDAP directory.


    The password of UserDN.

    Note: The password must be encrypted using the Encrypt Password Tool (EncryptPassword.exe) and placed in the configuration file. See Using the Encrypt Password Tool (EncryptPassword.exe) on page 34.
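    The two phases above, written out as an added example (not SafeNet code) in Python with an in-memory stand-in for the LDAP directory so that it runs offline; against a real server the same three operations (service-account bind, search, user bind) are issued through an LDAP client. It uses the element names the guide gives (TMSUserIdentifier, FilterTemplate, UserDN) and assumes the names Server, BaseDN and Password for the remaining values; the directory entries and passwords are constructed. Three checks that matter in production are shown: the value substituted into the {0} of FilterTemplate is escaped per RFC 4515, because a user identifier such as *)(objectClass=* would otherwise rewrite the filter; the search must return exactly one entry before the second phase runs; and an empty request password is rejected before binding, since a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that some servers treat as success.

```python
"""Two-phase ("slow bind") LDAP authentication as described above.  Added
example, not SafeNet code.  ToyDirectory is an offline stand-in for the LDAP
server.  Config keys Server, BaseDN and Password are assumptions; the guide
names only TMSUserIdentifier, FilterTemplate and UserDN."""
import re

# RFC 4515 escaping for a value substituted into the {0} of FilterTemplate.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, user_identifier: str) -> str:
    """Safe substitution: the identifier can only ever be compared as a literal."""
    return template.replace("{0}", escape_filter_value(user_identifier))


def naive_search_filter(template: str, user_identifier: str) -> str:
    """Plain replacement, shown only for contrast; "*)(objectClass=*" rewrites the filter."""
    return template.replace("{0}", user_identifier)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class ToyDirectory:
    """Minimal LDAP stand-in: an AND of equality assertions; a bare '*' means 'present'."""
    _ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

    def __init__(self, entries):
        # {dn: {attribute: value or [values]}}; attribute names are case-insensitive
        self.entries = {dn: {k.lower(): v if isinstance(v, list) else [v]
                             for k, v in attrs.items()}
                        for dn, attrs in entries.items()}

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and password in entry.get("userpassword", [])

    def search(self, base_dn: str, ldap_filter: str) -> list:
        assertions = [(a.lower(), v) for a, v in self._ASSERTION.findall(ldap_filter)]
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and all((v == "*" and a in entry) or _unescape(v) in entry.get(a, [])
                        for a, v in assertions)]


def slow_bind(directory, cfg: dict, user_identifier: str, password: str):
    """Returns (True, user_dn) on success, (False, reason) otherwise."""
    if not password:
        # RFC 4513 5.1.2: DN plus empty password is an *unauthenticated* bind,
        # which some servers accept; never let it count as a logon.
        return False, "empty password"
    # Phase 1: bind as the configured UserDN and look up the user's DN.
    if not directory.bind(cfg["UserDN"], cfg["Password"]):
        return False, "service account bind failed"
    hits = directory.search(cfg["BaseDN"],
                            build_search_filter(cfg["FilterTemplate"], user_identifier))
    if len(hits) != 1:                         # unknown user or ambiguous match
        return False, f"expected exactly one match, got {len(hits)}"
    # Phase 2: bind as that DN with the password from the authentication request.
    if not directory.bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]


SAMPLE_CONFIG = {                              # values from the guide's worked example
    "TMSUserIdentifier": "AccountName",
    "Server": "10.0.0.99:389",
    "BaseDN": "dc=organization,dc=com",
    "FilterTemplate": "(&(cn={0})(objectClass=organizationalPerson))",
    "UserDN": "cn=Administrator,dc=organization,dc=com",
    "Password": "Pas$word",                    # the real file holds the EncryptPassword.exe output
}

SAMPLE_DIRECTORY = ToyDirectory({              # constructed sample entries
    "cn=Administrator,dc=organization,dc=com": {
        "cn": "Administrator", "objectClass": ["top", "person", "organizationalPerson"],
        "userPassword": "Pas$word"},
    "cn=alice,dc=organization,dc=com": {
        "cn": "alice", "objectClass": ["top", "person", "organizationalPerson"],
        "userPassword": "alice-secret"},
    "cn=bob,dc=organization,dc=com": {
        "cn": "bob", "objectClass": ["top", "person", "organizationalPerson"],
        "userPassword": "bob-secret"},
})

if __name__ == "__main__":
    print(slow_bind(SAMPLE_DIRECTORY, SAMPLE_CONFIG, "alice", "alice-secret"))
    print(slow_bind(SAMPLE_DIRECTORY, SAMPLE_CONFIG, "*)(objectClass=*", "x"))
```

    With the naive substitution the injected identifier matches every organizationalPerson entry under the base DN; with the escaped substitution it matches nothing, and the "exactly one match" rule fails the logon in both cases without ever reaching the user bind.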

    Using the Encrypt Password Tool (EncryptPassword.exe)

    Use the Encrypt Password Tool only when LDAP authentication is configured for slow bind authentication. The tool generates an encrypted password from a plaintext password. The encrypted password must be placed inside the XML node of the configuration file. The tool must be run from the computer where the SafeNet Authentication Manager Server is installed. By default, the Encrypt Password Tool (EncryptPassword.exe) is located at:
    C:\Program Files\SafeNet\Authentication\SAM\x32\Authentication

    Configuration Example - Slow Bind Authentication

    In this scenario, we assume a company works with an LDAP directory that is currently not supported by SafeNet Authentication Manager.

    To export users to a database supported by SAM:

    1. Export the users from the LDAP directory into a Microsoft SQL Server database, which is supported by SafeNet Authentication Manager. After this process there are two installed databases:
       • Microsoft SQL Server containing only users
       • LDAP directory containing both users and passwords
    2. Install SAM 8.0 Server or later.
    3. Select SQL Server from the list of user databases.
    4. Select the LDAPAuthentication.dll in the authentication window.
    5. Complete the installation.

    Configuring LDAPAuthentication.dll.config

    Configure LDAPAuthentication.dll before running any SAM management application.

    To configure LDAPAuthentication.dll:

    1. Open the LDAPAuthentication.dll.config file, located in the SAM installation folder.
    2. Create a configuration, as in the following example of a slow bind configuration:

    SlowBind

    AccountName
    10.0.0.99:389
    dc=organization,dc=com
    (&(cn={0})(objectClass=organizationalPerson))
    cn=Administrator,dc=organization,dc=com
    AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafmdDMgQAAAAIAAAAVABNAFMA AAAADZgAAqAAAABAAAABAt5/hxHf7tgrMsMX+l+glAAAAAASAAACgAAAAEAAAAP1sMRXQv93p Tj2fj82oTfcQAAAAq06pe9IwfKx4rSVIZiTbaxQAAACms9JMPxfv1/XNsngjP+PQsC/t1w==

    This configuration file assumes the following:
    • The LDAP directory is located at 10.0.0.99 port 389
    • The base DN is dc=organization,dc=com

    • The user object in the LDAP directory has the organizationalPerson value in its objectClass attribute
    • The user object is uniquely identified by the cn attribute
    • The user that has read permissions in the LDAP directory is cn=Administrator,dc=organization,dc=com
    • The password of cn=Administrator,dc=organization,dc=com should be retrieved as follows:
      • Run EncryptPassword.exe
      • Enter the password in the Plaintext > Password text box (for example, Pas$word)
      • Click Encrypt (you should see the encrypted password in the ciphertext box)
      • Click Copy in order to copy the encrypted password to the clipboard
      • Paste the encrypted password into the xml node
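    The sample ciphertext in the configuration above begins with the header of a Windows DPAPI (CryptProtectData) blob: after a version word of 1 come the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, a master-key GUID, a flags word and the blob description, which here is the string TMS. That is an inference from the printed sample, not a statement in the SafeNet documentation, but it explains the requirement to run the tool on the SAM server: DPAPI ciphertext decrypts only in the key context in which it was created. The following added example (not SafeNet code) parses that fixed header. It reads only the first 72 base64 characters, which cover the header, because the full blob as printed here is line-wrapped and does not decode cleanly; the constant names and the dictionary it returns are the example's own.

```python
"""Inspect the header of the ciphertext EncryptPassword.exe writes into
LDAPAuthentication.dll.config.  Added example, not SafeNet code.  The layout
parsed is the public DPAPI (CryptProtectData) blob format; that SAM's tool
produces such blobs is inferred from the printed sample, not documented."""
import base64
import struct
import uuid

DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"   # present in every DPAPI blob
CRYPTPROTECT_LOCAL_MACHINE = 0x4                              # wincrypt.h flag value

# First 72 base64 characters (54 bytes) of the sample above: the whole fixed header
# plus the start of the description.  Taken from the guide's configuration example.
SAMPLE_BLOB_PREFIX = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafmdDMgQAAAAIAAAAVABNAFMA"


def parse_dpapi_header(b64: str) -> dict:
    """Decode version, provider GUID, master-key GUID, flags and description."""
    raw = base64.b64decode(b64)
    if len(raw) < 48:
        raise ValueError("too short for a DPAPI header")
    version, = struct.unpack_from("<I", raw, 0)
    provider = str(uuid.UUID(bytes_le=raw[4:20]))
    mk_version, = struct.unpack_from("<I", raw, 20)
    master_key = str(uuid.UUID(bytes_le=raw[24:40]))
    flags, desc_len = struct.unpack_from("<II", raw, 40)
    desc_bytes = raw[48:48 + desc_len]
    # UTF-16LE, NUL-terminated; tolerate a truncated sample by decoding whole code units
    description = desc_bytes[: len(desc_bytes) // 2 * 2].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "is_dpapi": version == 1 and provider == DPAPI_PROVIDER_GUID,
        "master_key_version": mk_version,
        "provider_guid": provider,
        "master_key_guid": master_key,
        "flags": flags,
        "local_machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
        "description_truncated": len(desc_bytes) < desc_len,
    }


if __name__ == "__main__":
    for key, value in parse_dpapi_header(SAMPLE_BLOB_PREFIX).items():
        print(f"{key}: {value}")
```

    The sample's flags word is 4, which is the value of CRYPTPROTECT_LOCAL_MACHINE. If that is what it means here, the password is bound to the server's machine key rather than to the account that ran the tool, which is what lets the IIS application pool decrypt it, but it also means any process on that server that can read LDAPAuthentication.dll.config can recover the UserDN password. The encryption protects a copied or backed-up file; the NTFS permissions on the Bin directory are the control against local access.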

    Running an LDAP Management Tool

    Run any LDAP management tool in order to use the new configuration. Run iisreset before running the management tool.

  • Chapter 4

    Installation and Configuration Checklist

    This section provides a checklist of the main tasks required to install, configure, and deploy SafeNet Authentication Manager.

    In this chapter:

    • Step 1: Perform Pre-Installation Tasks
    • Step 2: Install SafeNet Authentication Manager
    • Step 3: Configure SafeNet Authentication Manager

    Step 1: Perform Pre-Installation Tasks

    Perform the following tasks before installing SafeNet Authentication Manager.

    Order | Action | Reference
    1. | Check system requirements. Install any prerequisite applications. | See Chapter 2: System Requirements, on page 9
    2. | Deploy user store. Note: If you are using a Standalone user store, this is not required. See Configuring for Standalone User Store on page 94 | See Chapter 3: User Store Deployment, on page 19

    Step 2: Install SafeNet Authentication Manager

    Perform the following tasks to install SafeNet Authentication Manager.

    SafeNet Authentication Client Configuration

    Perform the following tasks to install SafeNet Authentication Manager in a SafeNet Authentication Client configuration.

    Order | Action | Reference
    1. | Install SafeNet Authentication Client. | See SafeNet Authentication Client Administrator's Guide
    2. | Install SafeNet Authentication Manager server component | Installing the SafeNet Authentication Manager Server on page 52
    3. | Configure SafeNet Authentication Manager Server and required connectors | See Chapter 7: Basic Configuration, on page 85
    4. | Install SafeNet Authentication Manager Management Tools component | Installing the SAM Management Tools on page 57
    5. | Install SafeNet Authentication Manager Client component | Installing SAM Client Using the Installation Wizard on page 60

    OTP Configuration

    Perform the following tasks to install SafeNet Authentication Manager in an OTP configuration.

    Order | Action | Reference
    1. | Install SafeNet Authentication Manager server component (selecting the OTP installation option) | Installing the SafeNet Authentication Manager Server on page 52
    2. | Configure SafeNet Authentication Manager Server | See Chapter 7: Basic Configuration, on page 85
    3. | Install and configure the required OTP plug-ins | See the eToken OTP Authentication Administrator's Guide
    4. | Configure RADIUS server | Configuring SAM IAS Plug-In on page 345
    5. | Install SafeNet Authentication Manager Management Tools component | Installing the SAM Management Tools on page 57

    Step 3: Configure SafeNet Authentication Manager

    After the SafeNet Authentication Manager server is installed, it must be configured.

    Order | Action | Reference
    1. | Run the SafeNet Authentication Manager Configuration Settings Wizard to set the basic configuration | See Chapter 7: Basic Configuration, on page 85
    2. | Use the SafeNet Authentication Manager Configuration Manager to configure the following (not necessarily in this order): Connectors, Roles and Tasks, Backend Services, License, Web Services, Display, Failover, Schema, Service account, Server Synchronization, HSM support | See Chapter 10: SAM Configuration Manager, on page 179
    3. | Use the GPO Editor to propagate the SafeNet Authentication Manager Server name | See Propagating the SAM Server Name on page 66
    4. | Use the TPO Editor to configure the following settings: General, Connectors, Enrollment, Certificate Recovery, Workflow, Audit, SAM Backend Service, SAM Desktop Agent, MobilePASS, Badging | See Chapter 9: Token Policy Object Settings, on page 145


  • Chapter 5

    Installation

    This chapter describes the installation of SafeNet Authentication Manager.

    Note: See Upgrade and Migration on page 73 if SafeNet Authentication Manager or TMS is already installed on the computer.

    If a message to restart your computer is displayed, either before or after the installation of SafeNet Authentication Manager, you must restart your computer.

    In this chapter:

    • Installation Components
    • Installation Steps in an AD Environment
    • Installing the SafeNet Authentication Manager Server
    • Installing the SAM Management Tools
    • Installing SAM Client Using the Installation Wizard
    • Installing SAM Client Using the Command Line
    • Un-installation
    • Propagating the SAM Server Name
    • Duplicating a SAM Server

    Installation Components

    Component | File | Description
    SAM Server | SAMServer-x32-8.0.msi or SAMServer-x64-8.0.msi | Install SafeNet Authentication Manager on the required server. This must be a member server running IIS on which the SafeNet Authentication Manager web application will be installed. One or more such servers may be installed in the organization. Note: We recommend running a dedicated SafeNet Authentication Manager (IIS) server.
    SAM Management Tools | SAMManagement-x32-8.0.msi or SAMManagement-x64-8.0.msi | Install on every workstation from where the administrator will access the TPO editor.
    SAM Client | SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi | Install on every workstation where the Self Service Center or Management Center are to be used, or any client where the SafeNet Desktop Agent is to be used.
    SAM Schema Modification Scripts | SAMSchema-x32-8.0.msi | If the user installing the SafeNet Authentication Manager Server does not have the permissions required for modifying the AD schema, the schema modification scripts must be installed before SafeNet Authentication Manager is configured. The scripts implement changes to the Active Directory (AD) schema required by SafeNet Authentication Manager.
    SAM Portals | SAMPORTALS-x32-8.0.msi or SAMPORTALS-x64-8.0.msi | The SAM Portals installation files are supplied separately.

    Note: We recommend configuring SafeNet Authentication Manager web sites using SSL. The SAM web applications receive users' logon passwords, so they should be served over SSL only. See Microsoft documentation for creating an SSL-protected virtual directory in IIS.

    Silently Installed Components

    ASP.NET AJAX is installed together with SafeNet Authentication Manager. ASP.NET AJAX is a set of technologies to add AJAX (Asynchronous JavaScript And XML) support to ASP.NET. AJAX is a group of interrelated web development techniques used for creating interactive web applications or rich internet applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing web page.

    ADAM is installed when a Standalone user store (an integrated configuration store and user store) is installed, or when an external user store, such as Microsoft SQL Server, OpenLDAP or Novell eDirectory, is used.

    Installation Steps in an AD Environment

    SafeNet Authentication Manager can be installed in a single or multi domain environment.

    Installing in a Single Domain Environment

    To install in a single domain environment:

    1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
    2. Install the SafeNet Authentication Manager server on a member server in your domain. (See Installing the SafeNet Authentication Manager Server on page 52.)
    3. Configure the SafeNet Authentication Manager Server. (See Basic Configuration on page 85.)
    4. Install Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
    5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

    Installing in a Multi Domain Environment

    To install in a multi domain environment:

    1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the SafeNet Authentication Manager installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
    2. Install the SafeNet Authentication Manager server on one member server in one of your domains. (See Installing the SafeNet Authentication Manager Server on page 52.)
    3. Configure SafeNet Authentication Manager for every domain in the forest where you want SAM to be used.
    4. Install SAM Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
    5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

    Installing SAM in a Multi Forest Environment

    To install SAM in a multi forest environment:

    1. Install the SafeNet Authentication Manager server on one member server in one of your domains in one of the forests. (See Installing the SafeNet Authentication Manager Server on page 52.)
    2. Configure SafeNet Authentication Manager (using Remote AD) for every domain in every forest where you want SafeNet Authentication Manager to be used (except the domain where the SafeNet Authentication Manager server is installed).
    3. Install SafeNet Authentication Manager Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
    4. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

    Installing and Running Schema Modification Scripts

    Active Directory (AD) must be modified before it can be used as the SafeNet Authentication Manager Configuration Store. If the user who installs SafeNet Authentication Manager has AD schema modification permissions, then AD is modified automatically during SafeNet Authentication Manager configuration. If the user who installs SafeNet Authentication Manager does not have these permissions, the Schema Modification Scripts must be installed and run prior to setting the configuration.

    Tip: Install the schema modification scripts only if the user installing SafeNet Authentication Manager does not have permissions to modify the AD schema.

    The scripts are installed using the SafeNet Authentication Manager Schema Modification Scripts Installation Wizard.

    Installing the Schema Modification Scripts

    Install the SafeNet Authentication Manager Schema Modification Scripts in the root domain before SafeNet Authentication Manager is configured.

    To install the Schema Modification Scripts:

    1. Run SAMSchema-x32-8.0.msi. The Welcome to the SafeNet Authentication Manager Schema Modification Scripts Installation Wizard window opens.
    2. Click Next. The License Agreement window opens.
    3. Accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
    4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.

    Note: The default folder is C:\Program Files\SafeNet\Authentication\SAM\x32\Bin (32-bit) or C:\Program Files\SafeNet\Authentication\SAM\x64\Bin (64-bit).

    5. Click Next. The SafeNet Authentication Manager Schema Modification Scripts installation begins. When the installation process is complete, the SafeNet Authentication Manager Schema Modification Scripts has been successfully installed window opens.
    6. Click Finish to exit the installation wizard. The installation process creates the VBScript file:
       C:\Program Files\SafeNet\Authentication\SAM\x32\Bin\schemaInstall.vbs

    Running the Schema Modification Scripts

    Following the installation of the schema modification script, the script must be run.

    Note: To run the schema modification script, the account used must be permitted to modify the AD schema (in Active Directory, membership of the Schema Admins group).

    To run the schema modification script:

    Run the following command:
    Cscript.exe schemaInstall.vbs [domain name] /AD

    For example:
    Cscript.exe schemaInstall.vbs production.com /AD

    Installing the SafeNet Authentication Manager Server

    The SafeNet Authentication Manager server must be installed before the other components.

    Note: SafeNet Authentication Client should be installed on the computer where the SafeNet Authentication Manager server is installed. This is not required if SafeNet Authentication Manager is used only for OTP authentication. See SAM Management Tools System Requirements on page 13.

    The SafeNet Authentication Manager Server Installation Wizard and SafeNet Authentication Manager Configuration Settings Wizard enable you to install SafeNet Authentication Manager Server and create a basic configuration. When the SafeNet Authentication Manager Server Installation Wizard completes the installation process, it launches the SafeNet Authentication Manager Configuration Settings Wizard.

    To install and configure the SafeNet Authentication Manager Server:

    1. Double-click SAMServer-x32-8.0.msi (32-bit) or SAMServer-x64-8.0.msi (64-bit). The SafeNet Authentication Manager Server Installation Wizard opens.
    2. Click Next. The License Agreement window opens.
    3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
    4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
    5. Click Next. The installation process starts. On completion of the installation process, the successfully installed window opens.
    6. Click Finish.

    Note: If you ran the installation from the command line, the SafeNet Authentication Manager Configuration Settings Wizard does not open automatically.

    The SafeNet Authentication Manager Configuration Settings Wizard window opens. The SAM Configuration Settings Wizard enables you to set up a basic configuration that can be fine-tuned later using the SafeNet Authentication Manager Configuration Manager.

    Tip: We recommend completing the SafeNet Authentication Manager configuration at this time so that you can start working with the application. However, the configuration can be performed later using the SafeNet Authentication Manager Configuration Manager.

    7. To continue with the SafeNet Authentication Manager Configuration Settings Wizard, click Next, or to exit, click Cancel. For a description of the SafeNet Authentication Manager Configuration Settings Wizard, see the following:
       • Configuring for Active Directory on page 86
       • Configuring for Standalone User Store on page 94
       • Configuring for OpenLDAP, Novell eDirectory or Remote AD on page 102
       • Configuring for MS SQL Server on page 115

    Installing the SAM Management Tools

    Install the SAM Management Tools on every workstation where the administrator will need to use the TPO Editor.

    To install SAM Management Tools:

    1. Double-click SAMManagement-x32-8.0.msi (32-bit) or SAMManagement-x64-8.0.msi (64-bit). The SAM Management Tools Installation Wizard opens.
    2. Click Next. The License Agreement window opens.
    3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
    4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
    5. Click Next. The installation process starts. On completion of the installation process, the successfully installed window opens.
    6. Click Finish. SAM Management Tools has been installed.

    The SAM Management Tools must be connected to the SAM server. See Propagating the SAM Server Name on page 66.

    Installing SAM Client Using the Installation Wizard

    Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SAM.

    Note: SafeNet Authentication Manager Server 8.0 supports TMS Client 2.0 and later. However, when the SafeNet Authentication Manager server is updated, we recommend updating SafeNet Authentication Manager Client to the same version to avoid compatibility issues.

    To install SafeNet Authentication Manager Client:

    1. Double-click SAMClient-x32-8.0.msi (32-bit) or SAMClient-x64-8.0.msi (64-bit). The SafeNet Authentication Manager Client Installation Wizard opens.
    2. Click Next. The License Agreement window opens.
    3. Select I accept the license agreement and click Next. The Destination Folder window opens, displaying the default installation folder.
    4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed. This folder will be used as the installation library for all future SafeNet authentication application installations.
    5. Click Next. The Select Installation Type window opens.
    6. Select one of the following installation types:
       • Typical: Includes the SAM Desktop Agent
       • Complete: Includes the SAM Desktop Agent and the legacy TMS Desktop Agent

    Note: The legacy TMS Desktop Agent is required for installations where previous TMS Client installations are still supported.

    7. Click Next. The installation proceeds.

    On completion of the instal