IBM. Security Access Manager for Enterprise Single Sign-On ... · Security Access Manager for Enterprise Single Sign-On Policies Definition Guide. v IBM Security Access Manager for

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

User Guide

SC23-9950-03

��

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

User Guide

SC23-9950-03

��

NoteBefore using this information and the product it supports, read the information in “Notices” on page 31.

Edition notice

Note: This edition applies to version 8.2 of IBM Security Access Manager for Enterprise Single Sign-On,(product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in neweditions.

© Copyright IBM Corporation 2002, 2012.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

About this publication . . . . . . . . vIntended audience . . . . . . . . . . . . vWhat this publication contains . . . . . . . . vPublications . . . . . . . . . . . . . . v

IBM Security Access Manager for EnterpriseSingle Sign-On library . . . . . . . . . . viAccessing terminology online . . . . . . . viiAccessing publications online . . . . . . . viiOrdering publications . . . . . . . . . viii

Accessibility . . . . . . . . . . . . . . viiiTivoli technical training . . . . . . . . . . viiiTivoli user groups . . . . . . . . . . . . viiiSupport information . . . . . . . . . . . viiiConventions used in this publication . . . . . . ix

Typeface conventions . . . . . . . . . . ixOperating system-dependent variables and paths x

Chapter 1. Using IBM Security AccessManager for Enterprise Single Sign-On . 1About single sign-on. . . . . . . . . . . . 1IBM Security Access Manager for Enterprise SingleSign-On icons . . . . . . . . . . . . . . 3About IMS Server connectivity . . . . . . . . 3Overview on user tasks. . . . . . . . . . . 3Supported desktop scenarios . . . . . . . . . 4About your password . . . . . . . . . . . 4Signing up using your password (AD sync) . . . . 4Signing up using your password (non-AD sync) . . 5Logging on using your password . . . . . . . 5Locking and unlocking your computer . . . . . 6Using other authentication factors . . . . . . . 6

Using passive RFID authentication . . . . . . 6Using active RFID authentication . . . . . . 8Using fingerprint authentication . . . . . . . 9Using smart card authentication . . . . . . 11Using hybrid smart card authentication . . . . 12

Signing up another authentication device . . . . 13Logging on using an OTP . . . . . . . . . 13Logging on using an OTP and MAC . . . . . . 14Signing up with other enterprise identities . . . . 14Using applications in a terminal server . . . . . 14

Chapter 2. Using self-service features 15Managing Wallets . . . . . . . . . . . . 15

Viewing Wallet contents . . . . . . . . . 15Viewing passwords . . . . . . . . . . . 15Password entry options . . . . . . . . . 15Exporting passwords stored in the Wallet . . . 16Setting applications to remember passwords . . 16Adding new credentials to authenticationservices. . . . . . . . . . . . . . . 17

Searching for credentials in the Wallet Manager 17Deleting credentials from an authenticationservice . . . . . . . . . . . . . . . 17Editing passwords . . . . . . . . . . . 17Editing application settings . . . . . . . . 17

Changing passwords . . . . . . . . . . . 18Resetting passwords without IMS Serverconnectivity . . . . . . . . . . . . . . 18Resetting passwords with IMS Server connectivity 19Setting self-service secrets in AccessAgent . . . . 19Bypassing strong authentication . . . . . . . 19

Chapter 3. Using AccessAssistant . . . 21Signing up to AccessAssistant . . . . . . . . 21Logging on to AccessAssistant . . . . . . . . 22Logging in using two-factor authentication . . . . 22Managing applications in AccessAssistant . . . . 22

Adding accounts to applications . . . . . . 22Editing application passwords . . . . . . . 23Deleting accounts from applications . . . . . 23

Resetting secrets . . . . . . . . . . . . . 23Resetting passwords . . . . . . . . . . . 23Retrieving passwords . . . . . . . . . . . 24

Chapter 4. Using Web Workplace . . . 25Signing up to Web Workplace . . . . . . . . 25Logging on to Web Workplace . . . . . . . . 25Logging on using OTP or MAC . . . . . . . 26Managing applications in Web Workplace . . . . 26

Logging on to applications . . . . . . . . 26Capturing user names and passwords . . . . 26Setting application logon preferences . . . . . 27Setting the default application account . . . . 27Adding accounts to applications . . . . . . 27Editing application passwords . . . . . . . 27Deleting accounts from applications . . . . . 28

Resetting secrets . . . . . . . . . . . . . 28Resetting passwords with authorization codes . . . 28Unlocking an Active Directory account . . . . . 29Resetting OATH-based OTP tokens inAccessAssistant or Web Workplace . . . . . . 29

Notices . . . . . . . . . . . . . . 31

Glossary . . . . . . . . . . . . . . 35

Index . . . . . . . . . . . . . . . 43

© Copyright IBM Corp. 2002, 2012 iii

iv IBM® Security Access Manager for Enterprise Single Sign-On: User Guide

About this publication

The IBM® Security Access Manager for Enterprise Single Sign-On provides sign-onand sign-off automation, authentication management, and user tracking to providea seamless path to strong digital identity. The IBM Security Access Manager forEnterprise Single Sign-On User Guide provides information about setting up andunderstanding the main functionalities of the product.

Intended audienceThis publication is for new and experienced users of IBM Security Access Managerfor Enterprise Single Sign-On AccessAgent, AccessAssistant, and Web Workplace.

This publication is for users who must perform the following tasks:v Usage workflow setupv Password and authentication setupv Self-service tasks, such as resetting passwords and logging on using

AccessAssistant

Readers must be familiar with the following topics:v Installing and setting up authentication factorsv The workflow preferences of the organization (for example, for tasks such as

sign-up, logon, logoff, and unlock workstations)

What this publication containsThis publication contains the following sections:v Chapter 1, “Using IBM Security Access Manager for Enterprise Single Sign-On,”

on page 1Provides step-by-step instructions for signing up with AccessAgent, logging onto AccessAgent, locking your computer, and unlocking your computer. Theprocedures depend on the type of desktop or workstation setup and additionalauthentication used.

v Chapter 2, “Using self-service features,” on page 15Describes some of the self-service functions in IBM Security Access Manager forEnterprise Single Sign-On, which are functions that can be managed by userswith minimal assistance from an Administrator or Help desk officer.

v Chapter 3, “Using AccessAssistant,” on page 21Describes the different features of AccessAssistant and step-by-step instructionson how to use it.

v Chapter 4, “Using Web Workplace,” on page 25Provides step-by-step instructions on using Web Workplace and logging onsuccessfully to Web-based applications from another computer.

PublicationsThis section lists publications in the IBM Security Access Manager for EnterpriseSingle Sign-On library. The section also describes how to access Tivoli®

publications online and how to order Tivoli publications.

© Copyright IBM Corp. 2002, 2012 v

IBM Security Access Manager for Enterprise Single Sign-Onlibrary

The following documents are available in the IBM Security Access Manager forEnterprise Single Sign-On library:v IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide,

CF38DMLRead this guide for a quick start on the main installation and configuration tasksto deploy and use IBM Security Access Manager for Enterprise Single Sign-On.

v IBM Security Access Manager for Enterprise Single Sign-On Planning and DeploymentGuide, SC23995203Read this guide before you do any installation or configuration tasks. This guidehelps you to plan your deployment and prepare your environment. It providesan overview of the product features and components, the required installationand configuration, and the different deployment scenarios. It also describes howto achieve high availability and disaster recovery.

v IBM Security Access Manager for Enterprise Single Sign-On Installation Guide,GI11930901Read this guide for the detailed procedures on installation, upgrade, oruninstallation of IBM Security Access Manager for Enterprise Single Sign-On.This guide helps you to install the different product components and theirrequired middleware, and also do the initial configurations required to completethe product deployment. It covers procedures for using virtual appliance,WebSphere® Application Server Base editions, and Network Deployment.

v IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide,GC23969201Read this guide if you want to configure the IMS Server settings, theAccessAgent user interface, and its behavior.

v IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide,SC23995103This guide is intended for the Administrators. It covers the differentAdministrator tasks. This guide provides procedures for creating and assigningpolicy templates, editing policy values, generating logs and reports, and backingup the IMS Server and its database. Use this guide together with the IBMSecurity Access Manager for Enterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide,SC23995303This guide is intended for Help desk officers. The guide helps Help desk officersto manage queries and requests from users usually about their authenticationfactors. Use this guide together with the IBM Security Access Manager forEnterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide,SC23969401Read this guide for the detailed descriptions of the different user, machine, andsystem policies that Administrators can configure in AccessAdmin. Use thisguide along with the IBM Security Access Manager for Enterprise SingleSign-On Administrator Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting andSupport Guide, GC23969301Read this guide if you have any issues with regards to installation, upgrade, andproduct usage. This guide covers the known issues and limitations of the

vi IBM® Security Access Manager for Enterprise Single Sign-On: User Guide

product. It helps you determine the symptoms and workaround for the problem.It also provides information about fixes, knowledge bases, and support.

v IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide,SC23995603Read this guide if you want to create or edit profiles. This guide providesprocedures for creating and editing standard and advanced AccessProfiles fordifferent application types. It also covers information about managingauthentication services and application objects, and information about otherfunctions and features of AccessStudio.

v IBM Security Access Manager for Enterprise Single Sign-On Provisioning IntegrationGuide, SC23995703Read this guide for information about the different Java™ and SOAP API forprovisioning. It also covers procedures for installing and configuring theProvisioning Agent.

v IBM Security Access Manager for Enterprise Single Sign-On Web API for CredentialManagement Guide, SC14764600Read this guide if you want to install and configure the Web API for credentialmanagement.

v IBM Security Access Manager for Enterprise Single Sign-On Lightweight AccessAgentmode on Terminal Server SDK Guide, SC14765700Read this guide for the details on how to develop a virtual channel connectorthat integrates AccessAgent with Terminal Services applications.

v IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide,SC14762600IBM Security Access Manager for Enterprise Single Sign-On has a ServiceProvider Interface (SPI) for devices that contain serial numbers, such as RFID.See this guide to know how to integrate any device with serial numbers and useit as a second authentication factor with AccessAgent.

v IBM Security Access Manager for Enterprise Single Sign-On Context ManagementIntegration Guide, SC23995403Read this guide if you want to install and configure the Context Managementsolution.

v IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995003This guide is intended for the end users. This guide provides instructions forusing AccessAgent and Web Workplace.

v IBM Security Access Manager for Enterprise Single Sign-On Error Message ReferenceGuide, GC14762400This guide describes all the informational, warning, and error messagesassociated with IBM Security Access Manager for Enterprise Single Sign-On.

Accessing terminology onlineThe IBM Terminology Web site consolidates the terminology from IBM productlibraries in one convenient location. You can access the Terminology Web site at thefollowing Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications onlineIBM posts publications for this and all other Tivoli products, as they becomeavailable and whenever they are updated, to the Tivoli Information Center Website at http://www.ibm.com/tivoli/documentation.

About this publication vii

http://www.ibm.com/software/globalization/terminology

http://www.ibm.com/tivoli/documentation

Note: If you print PDF documents on other than letter-sized paper, set the optionin the File > Print window that allows Adobe Reader to print letter-sized pages onyour local paper.

Ordering publicationsYou can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:v In the United States: 800-879-2755v In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivolipublications. To locate the telephone number of your local representative, performthe following steps:1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.2. Select your country from the list and click Go.3. Click About this site in the main panel to see an information page that

includes the telephone number of your local representative.

AccessibilityAccessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

For additional information, see "Accessibility features" in the IBM Security AccessManager for Enterprise Single Sign-On Planning and Deployment Guide.

Tivoli technical trainingFor Tivoli technical training information, see the following IBM Tivoli EducationWeb site at http://www.ibm.com/software/tivoli/education.

Tivoli user groupsTivoli user groups are independent, user-run membership organizations thatprovide Tivoli users with information to assist them in the implementation ofTivoli Software solutions. Through these groups, members can share informationand learn from the knowledge and experience of other Tivoli users. Tivoli usergroups include the following members and groups:v 23,000+ membersv 144+ groups

Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support informationIf you have a problem with your IBM software, you want to resolve it quickly. IBMprovides the following ways for you to obtain the support you need:

viii IBM® Security Access Manager for Enterprise Single Sign-On: User Guide

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.ibm.com/software/tivoli/education

http://www.tivoli-ug.org

OnlineGo to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support AssistantThe IBM Support Assistant is a free local software serviceability workbenchthat helps you resolve questions and problems with IBM softwareproducts. The IBM Support Assistant provides quick access tosupport-related information and serviceability tools for problemdetermination. To install the IBM Support Assistant software, go tohttp://www.ibm.com/software/support/isa.

Troubleshooting GuideFor more information about resolving problems, see the IBM Security AccessManager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Conventions used in this publicationThis publication uses several conventions for special terms and actions, operatingsystem-dependent commands and paths, and margin graphics.

Typeface conventionsThis publication uses the following typeface conventions:

Bold

v Lowercase commands and mixed case commands that are otherwisedifficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spinbuttons, fields, folders, icons, list boxes, items inside list boxes,multicolumn lists, containers, menu choices, menu names, tabs, propertysheets) and labels (such as Tip: and Operating system considerations:)

v Keywords and parameters in text

Italic

v Citations (examples: titles of publications, diskettes, and CDs)v Words defined in text (example: a nonswitched line is called a

point-to-point line)v Emphasis of words and letters (words as words example: "Use the word

that to introduce a restrictive clause."; letters as letters example: "TheLUN address must start with the letter L.")

v New terms in text (except in a definition list): a view is a frame in aworkspace that contains data.

v Variables and values you must provide: ... where myname represents....

Monospace

v Examples and code examplesv File names, programming keywords, and other elements that are difficult

to distinguish from surrounding textv Message text and prompts addressed to the userv Text that the user must typev Values for arguments or command options

About this publication ix

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/isa

Operating system-dependent variables and pathsThis publication uses the UNIX convention for specifying environment variablesand for directory notation.

When using the Windows command line, replace $variable with % variable% forenvironment variables and replace each forward slash (/) with a backslash (\) indirectory paths. The names of environment variables are not always the same inthe Windows and UNIX environments. For example, %TEMP% in Windowsenvironments is equivalent to $TMPDIR in UNIX environments.

Note: You can use the UNIX conventions if you are using the bash shell on aWindows system.

x IBM® Security Access Manager for Enterprise Single Sign-On: User Guide

Chapter 1. Using IBM Security Access Manager for EnterpriseSingle Sign-On

IBM Security Access Manager for Enterprise Single Sign-On is a fortified singlesign-on that uses automation technology to augment security.

See the following topics for more information.v “About single sign-on”v “Overview on user tasks” on page 3v “Supported desktop scenarios” on page 4v “Signing up with other enterprise identities” on page 14v “Using other authentication factors” on page 6

About single sign-onYou can enter one user ID and password to access multiple applications withsingle sign-on.

IBM Security Access Manager for Enterprise Single Sign-On is fortified because:v The solution enhances security for enterprises by choosing from several

authentication factors to provide two-factor authentication.v Passwords for different applications can be strengthened by automating the

periodic change of AccessAgent passwords. You can avoid leaking passwordsthrough social engineering.

How single sign-on works

After logging in AccessAgent, it automatically captures and auto-fills yourapplication credentials from and to the application clients that you launch.

Whenever an application is launched, AccessAgent monitors for single sign-onevents and performs capture and auto-fill of logon credentials, which are saved ina Wallet.

When performing single sign-on into an application, AccessAgent retrieves thelogon credentials from the wallet. This wallet is stored securely at the IBM SecurityAccess Manager for Enterprise Single Sign-On server.

You can still access your wallet even when you use a different machine later. Thewallet is also cached in encrypted form in your machine. Therefore, you can stillenjoy single sign-on even if the server is offline. Access to the wallet is protectedby a password and other authentication factors.

AccessAgent information

You can now view all components installed by AccessAgent and its correspondingversion numbers. Do the following steps:1. Click the AccessAgent icon in the system tray.2. Select About ISAM ESSO AccessAgent.3. Click the Export button to download the information in a text file.

© Copyright IBM Corp. 2002, 2012 1

IBM Security Access Manager for Enterprise Single Sign-On iconsThe following icons are used in IBM Security Access Manager for Enterprise SingleSign-On.

Visible when user is logged on

Icon Description

AccessAgent is operating normally.

When the icon is flashing, AccessAgent is:

v synchronizing an authentication factor with the IMSServer

v logging the user on

AccessAgent on the desktop and in the Start Menu

Cancel ESSO GINA

Change your password

Access help

Session information

Launch the application

Lock your computer

Log off fromAccessAgent

Log on toAccessAgent

Reset your password

IMS Server connection is not available. For moreinformation, see “About IMS Server connectivity” onpage 3.

IMS Server connection is available. For moreinformation, see “About IMS Server connectivity” onpage 3.

Set your secrets

Shut down your computer

Sign up to IBM Security Access Manager for EnterpriseSingle Sign-On

2 IBM® Security Access Manager for Enterprise Single Sign-On: User Guide

Visible when user is logged on

Icon Description

Switch users in the desktop

Unlock your computer

Go to Windows GINA to log on

Go to Windows GINA to unlock

Manage your Wallet

Visible when fingerprint readers are detected

Icon Description

Fingerprint reader is not ready

Fingerprint reader is ready

About IMS Server connectivityThis topic provides information about the AccessAgent and IMS Server connection.

If the IMS Server is offline or the connection between AccessAgent and the IMSServer is not available, you can still log on as long as you have a cached Wallet.

The IMS Server is online when you click Sign up or Log on in the AccessAgentnavigational panel. The IMS Server connection also refreshes every 30 minutes, oras determined by your Administrator.

Overview on user tasksAfter installing IBM Security Access Manager for Enterprise Single Sign-On, youcan begin setting up the different ways to use the product.

What to do Where to find information

Understand how IBM Security AccessManager for Enterprise Single Sign-Onworks.

Chapter 1, “Using IBM Security AccessManager for Enterprise Single Sign-On,” onpage 1

Know how to use self-service features. Chapter 2, “Using self-service features,” onpage 15

Know how to use Web Workplace. Chapter 4, “Using Web Workplace,” on page25

Know how to use AccessAssistant. Chapter 3, “Using AccessAssistant,” on page21

Chapter 1. Using IBM Security Access Manager for Enterprise Single Sign-On 3

Supported desktop scenariosIBM Security Access Manager for Enterprise Single Sign-On works in differentdesktop scenarios.v Personal workstation is owned and customized by one user only.v Shared desktops have multiple users who share a generic Windows desktop.v Private desktops have multiple users who have their own customized Microsoft

Windows desktops in a workstation.

About your passwordYour password secures access to your Wallet.

The length of the password ranges from 6 to 20 characters, depending on thepreference of your organization. When you sign up with AccessAgent, you mustspecify a password. You can use the enterprise directory password as yourpassword.

Signing up with AccessAgent entails registering with the IMS Server and creating aWallet. All application credentials are stored in your Wallet. Signing up ensuresthat your credentials are backed up on the server and are retrievable when needed.

You can associate your Wallet with a second authentication factor such as a smartcard, an Active Proximity Badge, an RFID card, and other devices. The secondauthentication factor reinforces your password and protects the contents of yourWallet.

Use the following guidelines for specifying an ISAMESSO password:v Choose a password that is lengthy, unique, and a combination of uppercase

letters, lowercase letters, and numbers.v Do not use any of these words as passwords: dictionary words, the name of

your pet, the name of your spouse or friend, or important dates.v Never tell anyone your password, not even to the Help desk officer or

Administrator.v Never write down your password.v Change your password as often as possible.

AccessAgent locks your Wallet after you attempt to log on five times with a wrongpassword. The number of logon attempts is set by your organization.

See the following topics for more information.v “Signing up using your password (AD sync)”v “Logging on using your password” on page 5

Signing up using your password (AD sync)When you sign up, be sure to have an enterprise identity or a user name assignedto you by your organization. Your enterprise identity can be your e-mail address,your Active Directory user name, or SAP user name, or any other enterprisedirectory user name. IBM Security Access Manager for Enterprise Single Sign-Ontakes your enterprise identity and uses it to label your Wallet.


Procedure1. In the AccessAgent navigation panel, click Sign up.2. Enter your enterprise directory user name and password.3. Click Next.4. Optional: If secrets are enabled, you are prompted to select a question and

enter the answer.If you forget your password, use your secret to retrieve your Wallet contents.

Note: You can use all the characters in the ISO Latin-1 character set in creatingor resetting secrets, except for the following characters:v µv ß

5. Click Next.6. If prompted again, select another question and enter the answer.

v Mark Hide if you do not want to show your answer.v Mark Register more questions for additional secrets.

Signing up using your password (non-AD sync)Verify with your administrator if you are in an Active Directory synchronizationdeployment. If not, follow this procedure.

Procedure1. In the AccessAgent navigation panel, click Sign up.2. Enter your enterprise directory user name and password.3. Click Next.4. Enter a password for your Wallet.

The new password must match the specified requirements.5. Confirm your password by entering the new password again in the Confirm

password field.6. Click Next.7. Optional: If secrets are enabled, you are prompted to select a question and

enter the answer.If you forget your password, use your secret to retrieve your Wallet contents.


8. Click Next.9. If prompted again, select another question and enter the answer.

v Mark Hide if you do not want to show your answer.v Mark Register more questions for additional secrets.

Logging on using your passwordUse your password to log on to AccessAgent.


Procedure1. Turn on the computer.2. Click Log on in the AccessAgent navigation panel.3. Enter your enterprise directory user name and password.

Locking and unlocking your computerIf you are moving away from your computer, lock it using AccessAgent to preventunauthorized access to your computer.

Locking your computer

To lock your computer, you can do one of the following tasks:v Right-click on the AccessAgent icon. From the menu, select Lock this computer.v Press Ctrl+Alt+Del on your keyboard and click Lock computer.v Double-click the AccessAgent icon. When the Session information window is

displayed, click Lock this computer.

Unlocking your computer

To unlock your computer, perform the following steps:1. Click Unlock this computer in the navigation panel.2. Enter your user name and password.3. Click Next.

Using other authentication factorsAside from your password, you can use another authentication factor such asRFID, fingerprint, and smart card to ensure strong authentication for yourorganization.

See the following topics for more information.v “Using passive RFID authentication”v “Using active RFID authentication” on page 8v “Using fingerprint authentication” on page 9v “Using smart card authentication” on page 11

Using passive RFID authenticationPassive RFID devices have no internal power source. Passive RFID devicestransmit radio signals from the radio frequency signals they receive, and are onlyactive when a reader is nearby to power them. The lack of an internal powersource enables passive RFID devices to be small enough to be embedded into thinidentification cards.

An RFID card is an example of a passive RFID device. The combination of an RFIDcard and a password ensures a secure, two-factor authentication process. You canuse an RFID card to access computers, doors, or elevators.

See the following topics for more information.v “Signing up” on page 7v “Unlocking your computer” on page 7


Signing upYou must initiate the sign up process with your RFID card when you are using itas your second factor authentication method.

Before you begin

Before you sign up, make sure that:v The passive RFID reader is attached to the USB port of your computer.v Your passive RFID card is available.

Procedure1. When you see the AccessAgent welcome screen, tap your RFID card on the

reader.2. Click No when AccessAgent asks if you already have an IBM Security Access

Manager for Enterprise Single Sign-On user name and password.3. Enter your enterprise directory user name and password.4. Click Next.5. If prompted, enter your new password. Otherwise, proceed to step 8.


password field.7. Click Next.8. Select a question and enter the answer.

The answer is your secret, which you use in case you forget your password.9. Click Next.

10. Click Finish. If sign-up is successful, the AccessAgent icon is displayed in thenotification area of Windows Desktop.

Unlocking your computerYou can lock and unlock your computer by using your RFID card.

Before you begin

Make sure that you have a cached wallet in the workstation that you are loggingin using RFID. A wallet holds the user credentials that are required for singlesign-on.

Procedure1. Tap your RFID card on the reader.

Note: If you leave your computer locked in a specified time, you can unlock itby tapping your RFID card on its reader without entering your password. Thetime limit is set by your Administrator.

2. Enter your password.3. Click OK.

Locking your computer:Procedure

v Right-click the AccessAgent icon located in the system tray. Select Lock thiscomputer.


v Double-click the AccessAgent icon. When the Session information window isdisplayed, click Lock this computer.

v Press Ctrl+Alt+Del on your keyboard and click Lock computer.

Using active RFID authenticationAn active RFID device has an internal power source that powers the integratedcircuits and broadcast the radio signal to the reader. The active RFID devicetransmits at a higher power level than a passive device. The higher power level oftransmission enables the device to broadcast at longer distances, and can beapplied in various scenarios.

Active RFID devices are bigger and more expensive to produce. The ActiveProximity Badge is an example of an active RFID device.

The Active Proximity Badge works when the badge is in a certain range from thereader. When you walk away from the reader, the computer locks. When yourbadge is in the range of the reader, the computer unlocks. This scenario is truegiven that no obstacles are blocking the area between your badge and the reader.

Your badge automatically switches off after nine hours of use. When the badge isswitched off, the reader does not detect it. It must be switched on.

See the following topics for more information.v “Signing up”v “Unlocking your computer” on page 9

Signing upWhen you are using an active RFID card or active proximity badge as your secondauthentication factor, use it to initiate the sign-up process.

Before you begin

Before you sign up, make sure that:v The Active Proximity Badge reader is attached to the USB port of your

computer.v Your Active Proximity Badge card is available.

Procedure1. Turn on and present your Active Proximity Badge to the reader. The

AccessAgent window displays all the badges detected by the reader.2. Click the ID number of the badge you want to sign up with.3. Click Register Badge.

Note: There might be several badges detected. Make sure that you select theone that you are authorized to register. The badge ID is printed on the back ofyour Active Proximity Badge.

4. Click No when AccessAgent asks if you already have an IBM Security AccessManager for Enterprise Single Sign-On user name and password.

5. Enter your enterprise directory user name and password.6. Click Next.7. Enter your new password.

The new password must match the specified criteria.


If your password has not fulfilled all the criteria, it is not accepted.8. Enter the new password in the Confirm password field.9. Click Next.

10. Select a question.11. Enter the answer.

The answer is your secret, which you use in case you forget your password.12. Click Finish. If sign-up is successful, the AccessAgent icon in the notification

area of Windows Desktop is displayed.

Unlocking your computerYou can unlock your computer by using your Active Proximity Badge without apassword in a specified time. Contact your Administrator for information aboutthe duration. In this procedure, the Active Proximity Badge is used as the activeRFID authentication factor.

Before you begin

Make sure that your badge is on.

Procedure1. Move in the frequency range of the reader.2. Select your user name from the list of available badges.3. Enter your password.4. Click OK.

Locking your computer:Procedure

To lock your computer with active RFID, follow any of these steps:v Move out of the frequency range of the reader.v Turn off your badge.

Using fingerprint authenticationThe fingerprint identification system recognizes your fingerprint as anauthentication factor. The fingerprint reader translates your fingerprint intoencrypted codes, which logs you on to AccessAgent.

IBM Security Access Manager for Enterprise Single Sign-On 8.2 supports thesebiometric service provider and fingerprint readers:v BIO-key Biometric Service Provider (BSP)v DigitalPersonav UPEK

BIO-key Biometric Service Provider (BSP) is a biometric middleware that enablesIBM Security Access Manager for Enterprise Single Sign-On to work with anyfingerprint reader that is already supported by BIO-key. See http://www.bio-key.com.

See the following topics for more information.v “Signing up” on page 10v “Signing up more than one fingerprint” on page 10v “Locking and unlocking your computer” on page 10


http://www.bio-key.com

http://www.bio-key.com

Signing upBefore you sign up, make sure that the fingerprint reader is attached to the USBport of your computer.

Procedure1. From the AccessAgent welcome screen, place your finger on the fingerprint

reader.2. Click No when AccessAgent asks if you already have an IBM Security Access

Manager for Enterprise Single Sign-On user name and password.3. If prompted, enter your Windows user name and password. Otherwise,

proceed to the next step.4. Click Next.5. Place your finger on the fingerprint reader.6. Click Finish. If sign-up is successful, the AccessAgent icon in the notification

area of the Windows Desktop is displayed.

Signing up more than one fingerprintDepending on the deployment options of your organization, you can use morethan one fingerprint under the same user name. Before you sign up anotherfingerprint, make sure that the fingerprint reader is attached to the USB port ofyour computer.

Procedure1. Lock your computer.

For more information about locking your computer, see “Locking andunlocking your computer.”

2. Place the new finger on the fingerprint reader.3. Enter your enterprise directory user name when prompted.4. Click Next.5. Click Register Fingerprint.6. Enter your user name and password.7. Click OK.8. Select the finger to sign up from the diagram.9. Click Next.

10. Scan your finger five or four more times, depending on the reader. After thefinger has been successfully scanned for five times, you can now use thatfinger to log on to AccessAgent.

Locking and unlocking your computerBefore you lock or unlock your computer, make sure that the fingerprint reader isattached to the USB port of your computer. Perform either of the following tasks inthis procedure to lock or unlock your computer.

Procedurev Lock your computer by placing your registered finger on the fingerprint reader.v To unlock your computer with your fingerprint, scan your fingerprint on the

fingerprint reader.


Using smart card authenticationA smart card is a pocket-sized card that has an embedded microprocessor. Smartcards can do cryptographic operations, store, and process the digital credentials ofthe users securely.

A smart card can be used as an authentication factor. IBM Security Access Managerfor Enterprise Single Sign-On provides certificate-based strong authentication whenusers access their Credential Wallet by using smart cards.

For smart cards to work in IBM Security Access Manager for Enterprise SingleSign-On, they must have cryptographic credentials. Smart cards must also have thecorresponding certificate issued by either a corporate PKI or a trusted external PKI.

See the following topics for more information.v “Signing up”v “Locking and unlocking your computer”

Signing upInsert your smart card in the reader to initiate the sign-up process.

Before you begin

Make sure that:v The smart card reader is attached to your computer.v Your smart card is available.

Procedure1. From the AccessAgent welcome screen, insert your smart card in the smart

card reader.2. Enter your smart card PIN.3. Click OK. A message to register the smart card is displayed.4. Click Next.5. Click No when AccessAgent asks if you have an IBM Security Access

Manager for Enterprise Single Sign-On user name and password.6. Enter your enterprise directory user name and password.7. Click Next.8. If prompted, enter your new password. Otherwise, proceed to 11.


password field.10. Click Next.11. Select a secret question and enter the answer.

The answer is your secret, which you use in case you forget your password.12. Click Next.13. Click Finish. If sign-up is successful, the AccessAgent icon in the notification

area of the Windows Desktop is displayed.

Locking and unlocking your computerTo lock or unlock your computer, remove or insert your smart card.


Before you begin

Make sure that:v The smart card reader is attached to your computer.v Your smart card is available.

Procedure

Perform either of the following tasks in this procedure to lock or unlock yourcomputer.v To lock your computer, remove your smart card from the reader. The

AccessAgent lock screen is displayed and the computer is locked.v To unlock your computer, insert the smart card in the reader. When prompted,

enter the smart card PIN, and click OK.

Using hybrid smart card authenticationA hybrid smart card must be dual-chip. It consists of an embedded PKImicroprocessor and an RFID chip with contact and contactless interface.

See the following topics for more information.v “Signing up”v “Locking and unlocking your computer”

Signing upInsert your hybrid smart card in the reader to initiate the sign-up process.

Before you begin

Make sure that:v The hybrid smart card reader is attached to your computer.v Your hybrid smart card is available.

About this task

A grace period can be configured by your Administrator so that you can log onwithout providing a PIN. For more information, consult your Administrator.

Procedure1. From the AccessAgent welcome screen, tap your hybrid smart card in the

hybrid smart card reader.2. Insert your hybrid smart card.3. Enter your hybrid smart card PIN.

Results

AccessAgent creates a cached wallet.

Locking and unlocking your computerRemove or insert your hybrid smart card to lock or unlock your computer.


Before you begin

Make sure that:v The hybrid smart card reader is attached to your computer.v Your hybrid smart card is available.

Procedure

Perform either of the following tasks in this procedure to lock or unlock yourcomputer.v To lock your computer, remove your hybrid smart card from the reader. The

AccessAgent lock screen is displayed and the computer is locked.v To unlock your computer, tap the hybrid smart card in the reader.

Signing up another authentication deviceYou can sign up for the second time if you lost the first authentication device or ifyou want to have two authentication devices.

Before you begin

Contact the Help desk for an authorization code.

Procedure1. Present or tap the device you want to register.

Example: If you are registering an Active Proximity Badge, select the Badgeyou want to register by clicking on the badge number.

2. Click Register. AccessAgent displays a dialog box and verifies if you alreadyhave an IBM Security Access Manager for Enterprise Single Sign-On user nameand password.

3. Click Yes to confirm.4. Enter the authorization code from Help desk.5. Optional: If prompted, enter your secret.6. Click Next.7. Enter your password.8. Click Finish.

Logging on using an OTPYou can log on to applications by using a one time password or OTP forauthentication.

Procedure1. Launch the application.2. Enter the user name and password.3. Press your OTP token.4. Enter the OTP provided by the OTP token.5. Optional: If you lost the OTP token, call the Help desk for an authorization

code.6. Optional: Enter the authorization code followed by a secret.


Logging on using an OTP and MACYou can log on to applications by using both Mobile ActiveCode or MAC and aone-time password or OTP for authentication.

Procedure1. Launch the application.2. Enter a user name and password.3. Enter the MAC received by mobile phone or e-mail, or the OTP provided by

the OTP token.4. Optional: If you lost both the mobile phone and the OTP token, call Help desk

for an authorization code.5. Optional: Enter the authorization code followed by a secret.

Signing up with other enterprise identitiesYour organization might not use Active Directory as its enterprise identity. In thiscase, the IBM Security Access Manager for Enterprise Single Sign-On identity isbound to an enterprise application directory service, such as Tivoli DirectoryServer.

Your IBM Security Access Manager for Enterprise Single Sign-On user name andpassword are the same as your enterprise application user name and password.The sign-up sequence for other Enterprise IDs varies according to the deploymentpreference of your organization. Ensure that you follow the on-screen instructions.

Using applications in a terminal serverYou can use AccessAgent when using applications in a terminal server ifAccessAgent is installed on the terminal server.

If you are logged on to AccessAgent from a local computer, then AccessAgent onterminal server uses lightweight mode. This mode enhances performance by usinga smaller memory footprint.


Chapter 2. Using self-service features

With these features, you can perform basic tasks, such as resetting passwords andsecrets with minimal assistance from the Help desk or your Administrator.

Important: Log on using your password if you want to view, change, and exportpasswords.

See the following topics for more information.v “Managing Wallets”v “Changing passwords” on page 18v “Resetting passwords without IMS Server connectivity” on page 18v “Resetting passwords with IMS Server connectivity” on page 19v “Setting self-service secrets in AccessAgent” on page 19v “Bypassing strong authentication” on page 19

Managing WalletsThe Wallet Manager manages the passwords stored in your Wallet. Use it toconfigure the settings for the passwords based on your needs and personalpreferences.

Viewing Wallet contentsThese options are only available if you are logged on. Choose either of thefollowing options to access your Wallet.

Procedurev Right-click on the AccessAgent icon in the notification area, then select Manage

Wallet.OR

v Access your Wallet by using the Manage Wallet link in the AccessAgentnavigation panel.

Viewing passwordsYou cannot show the password in the Wallet Manager if you are using smart cardor fingerprint for second factor authentication.

Procedure1. From your Wallet, click an entry.2. Select Actions > Show password.

You can also right-click on the entry and select Show password.3. Enter your password. The password from the application selected in the Wallet

is displayed.

Password entry optionsThe Password Entry column consists of a drop-down menu with the options toapply to a password. These options are useful if you have multiple credentials forthe same authentication service. See this table for more information.


Table 1. Password entry options

Password entry options Description

Automatic Logon AccessAgent automatically enters the selected user name andpassword and logs you on to the application.

Always AccessAgent automatically enters your user name andpassword.

To log on to an application, press Enter on your keyboard orclick OK.

Ask AccessAgent asks you to select the stored user name andpassword for the application before logging on.

If you have more than one account stored, use this option tochoose the credentials to use for logging on to the application.

Never AccessAgent never uses the selected user name and password.

Exporting passwords stored in the WalletYou cannot export passwords in the Wallet Manager if you are using smart card orfingerprint for second factor authentication.

Procedure1. Select File > Export passwords.

You can also click the Export passwords button.2. Mark the appropriate export password option.3. Click Browse to specify the folder that contains the exported passwords.4. Enter the file name and select the file type of the exported passwords.5. Click Save.

Setting applications to remember passwordsAfter entering an application user name and password for an application,AccessAgent prompts you to store the user name and password for thatapplication.

About this task

Select any of the following options in the procedure for your applicationpasswords:v Store the credentials in your Wallet.v Not store the credentials in your Wallet, but intend to store them at a later date.v Never store the credentials in your Wallet.

Procedurev Click Yes to store the user name and password in your Wallet.v Click No if you do not want the user name and password to be stored yet.

The next time you log on to the application, AccessAgent displays the samedialog box for confirmation.

v Click Never if you do not want your user name and password to be stored forthis application.The next time you log on to the application, AccessAgent no longer displays thedialog box for confirmation.


Adding new credentials to authentication servicesYou can add new credentials to an authentication service in your Wallet.

Procedure1. In the Manage Wallet window, click the authentication service from the list.2. Click Actions > New Credential.3. Enter the user name and password.4. Click OK.

Searching for credentials in the Wallet ManagerWhen searching for credentials, use the search box in the Wallet Manager.

Procedure1. Use the Credential Search field to find credential details in the Wallet Manager.2. Enter any of the following details:

v authentication service namev user namev typev password entry

As you enter the credential in the field, entries that match the search item arehighlighted on the list.

Deleting credentials from an authentication serviceYou can delete credentials from an authentication service in the Wallet.

Procedure1. In the Manage Wallet window, click the user name of an authentication service.2. Delete the user by performing either of the following steps:

v Click Delete.v Right-click on the entry and select Delete Credential.

The entry is removed from the list of authentication services in your Wallet.

Editing passwordsYou can modify the passwords of authentication services in your Wallet.

Procedure1. In the Manage Wallet window, click the user name of an authentication service.2. Click Edit Password, or right-click on the user name and select Edit Password.3. Enter the new password.4. Click OK to confirm the change.

Editing application settingsYou can change the application settings for an authentication service.

Procedure1. Click the authentication service.2. Click Application Settings.

Chapter 2. Using self-service features 17

You can also right-click on the entry and select Edit application settings.3. In the Password Entry column, provide the necessary changes.4. Click Close to confirm the changes.

Changing passwordsTo ensure that the password is not compromised, your organization mightschedule compulsory password changes. Your organization can also request usersto change passwords for the Wallet based on a specified duration.

Procedure1. In the notification area, double-click on the AccessAgent icon, or right-click on

the AccessAgent icon and select Change password from the menu. The Sessioninformation window is displayed.

2. Click Change password.3. Enter your Old password.4. Enter your New password.

The new password must match the specified requirements.5. Enter the new password again in the Confirm password field.6. Click Next.7. Click OK. AccessAgent notifies you if the password change is successful.8. Click Close to return to your desktop.

Resetting passwords without IMS Server connectivityThis procedure assumes you cannot connect to the IMS Server. In this scenario,you need both a request code and an authorization code to reset your password.

Procedure1. In the AccessAgent navigation panel, click Reset password.2. Enter your user name.3. Click Next. AccessAgent displays a dialog box, indicating that there is no IMS

Server connectivity. You must create a temporary password on the computerto continue to use AccessAgent.

4. Click OK to close the dialog box. AccessAgent displays a request code.5. Copy the request code displayed on the window.6. Contact Help desk for an authorization code.7. Enter the authorization code.8. Click Next.9. Enter the answer to the secret question.

10. Click Next.11. Enter the new password.

The new password must match the specified requirements.12. Enter the new password again in the Confirm password field.13. Click Finish.14. Click OK to close the dialog box.


Resetting passwords with IMS Server connectivityThis procedure assumes that you are successfully connected to the IMS Server. Inthis scenario, you need an authorization code to reset your password. If aself-service password reset is enabled, users can also reset their passwords withoutcalling Help desk by answering two or more secret questions.

Procedure1. In the AccessAgent navigation panel, click Reset password.2. Contact Help desk for an authorization code.3. Enter the authorization code.4. Click Next.5. Enter the answer to the secret question.6. Click Next.7. Enter the new password.

The new password must match the specified requirements.8. Enter the new password again in the Confirm password field.9. Click Finish.

10. Click OK to close the dialog box.

Setting self-service secrets in AccessAgentYou can specify additional secret questions and secret answers.

Procedure1. Double-click the AccessAgent icon in the system tray. The Session information

window is displayed.2. Select Set self-service secrets.3. Select a new secret question from the drop-down list.4. Enter the secret answer.

v Mark Hide if you do not want the answer to be visible.v To register more questions, mark Register more questions.

Note: You can use all the characters in the ISO Latin-1 character set in creatingand resetting secrets, except for the following characters:v µv ß

5. Click Next.6. Select another secret question from the drop-down list and enter the

corresponding secret answer.7. Click Next.

v If you chose to register more questions, select another secret question andenter the corresponding secret answer. Click Finish.

v If you chose not to register more questions, the AccessAgent panel closes andyour new secret is saved.

Bypassing strong authenticationYou can temporarily log on to AccessAgent without your second factorauthentication device such as a smart card, RFID Card, or Active Proximity Badge.

Chapter 2. Using self-service features 19

About this task

If there is an IMS Server connection and a self-service bypass is enabled, a user canbypass strong authentication by answering two or more secret questions.

If there is no IMS Server connection, contact your Help desk for an authorizationcode.

Your temporary access expires when you receive a new second factorauthentication device, or when the temporary access validity period ends.

Procedure1. Turn on the computer.2. Press Ctrl+Alt+Del to log on, or click Log on from the AccessAgent navigation

panel.3. Enter your user name and password.4. Answer your secret questions.5. Optional: If there is no IMS Server connection, contact Help desk for an

authorization code.

Note: If you do not have Internet connectivity, a request code is displayed inthe AccessAgent window. Provide the request code to the Help desk officer.The Help desk officer then provides an authorization code.

6. Optional: Enter the authorization code.7. Click Next. You are now logged on to AccessAgent.


Chapter 3. Using AccessAssistant

AccessAssistant is a Web-based interface that provides password self-help.v With the Web automatic sign-on feature, you can log on to enterprise Web

applications by clicking on the links from AccessAssistant, Web Workplace, orenterprise portals. Use the IBM Security Access Manager for Enterprise SingleSign-On password to log on to all applications.

v To use AccessAssistant, you must log on with the IBM Security Access Managerfor Enterprise Single Sign-On Password. If the password is set up to synchronizewith the Windows password, you can also use your Windows password to logon.

v Use AccessAssistant to obtain the latest credentials to log on to applications.

When logged on, you can also use the following features of AccessAssistant:v Web automatic sign-onv User sign-upv Application credential management (only applications that have AccessProfiles

for Web automatic sign-on are listed)v Secret resetv Password resetv User profile modificationv Optional two-factor authenticationv Synchronization of Wallets, AccessProfiles, and policies

See the following topics for more information.v “Signing up to AccessAssistant”v “Logging on to AccessAssistant” on page 22v “Managing applications in AccessAssistant” on page 22v “Retrieving passwords” on page 24v “Resetting secrets” on page 23v “Resetting passwords” on page 23

Signing up to AccessAssistantUse AccessAssistant to retrieve passwords if AccessAgent cannot be used.AccessAssistant lets you access enterprise applications through SSL VPN fromhome computers or Internet cafes. AccessAssistant can also automatically log on toWeb-based enterprise applications.

Procedure1. Navigate to AccessAssistant.

v If you are using a load balancer, access https://<loadbalancer_hostname>:<ihs_ssl_port>/aawwp.

v If you are not using a load balancer, access https://<ims_hostname>:<ihs_ssl_port>/aawwp.

For example: http://server1:80/aawwp.

Note: For more information, check with your administrator.


2. In the AccessAssistant left navigation panel, click Sign up.3. Enter your Windows user name and password which you normally use to log

on to your computer every day up to this point.4. Click Next.

If you do not want the answers displayed, mark Hide answer.5. Select a secret question.

The answer to this question must be at least three characters long.6. Click Finish.

Logging on to AccessAssistantWhen you are logged on, you have full access to all the application user namesand passwords stored in your Wallet.

Procedure1. In the AccessAssistant left navigation panel, click Log on.2. Enter your IBM Security Access Manager for Enterprise Single Sign-On user

name and password.3. Click Next. You now have access to AccessAssistant features.

Logging in using two-factor authenticationYou can log on to AccessAssistant by using two-factor authentication.

Procedure1. Launch AccessAssistant and log on.2. If two-factor authentication is turned on, supply one of the following to log on,

in addition to your IBM Security Access Manager for Enterprise Single Sign-Onpassword:v Authorization code issued by Help desk.v Mobile ActiveCode, which can be sent to user through mobile phone or

email.v One-time Password (OTP) provided by an OTP token. For example: VASCO

Digipass.

Managing applications in AccessAssistantWhen logged on, the enterprise and personal Web applications available for youare listed in the panel of the AccessAssistant page.

Click on the application name on the list. A new browser page opens with therequested application.

See the following topics for more information.v “Adding accounts to applications”v “Editing application passwords” on page 23v “Deleting accounts from applications” on page 23

Adding accounts to applicationsIf the application to log on is not in your Wallet, it means that AccessAssistant hasnot captured your user name and password.


Procedure1. Click Add in the Manage logon accounts page to add one or more user names

for the application.2. Select an application from the drop-down list.3. Enter your user name and password.4. Enter your password again to confirm.5. Click Save.

Editing application passwordsYou can change your application passwords in AccessAssistant.

Procedure1. Click Edit password next to the corresponding user name in the My Wallet

page.2. In the Edit password window, enter the new password.3. Enter the new password again to confirm.4. Click Save.

Deleting accounts from applicationsYou can delete your application accounts that are not needed from your Wallet.

Procedure1. Select the check box next to the corresponding application.2. Click Delete.

Resetting secretsAccessAssistant offers a host of self-service capabilities to the users, such as theability to reset their secret questions and answers. You can reset passwords byproviding a subset of previously specified secret questions.

Procedure1. In the AccessAssistant left navigation panel, click Reset secrets.2. Select a new secret question from the drop-down list.3. Enter the secret answer.

Note: You can use all the characters in the ISO Latin-1 character set in creatingand resetting secrets, except for the following characters:v µv ßMark Hide answer if you do not want the answer to be visible.

4. You can specify an optional second secret question and secret answer.5. Click Reset.

Resetting passwordsYou must provide the correct answer to the verification question before you canreset the password in AccessAssistant.

Chapter 3. Using AccessAssistant 23

Procedure1. In the AccessAssistant navigation panel, click Reset password.2. Enter your IBM Security Access Manager for Enterprise Single Sign-On user

name.3. Click Next.4. Select a question from the Question drop-down list.5. Enter the secret answer.6. Click Next.7. Enter your new IBM Security Access Manager for Enterprise Single Sign-On

password.The new password must meet the requirements listed on the right panel.

8. Enter the new password again to confirm.9. Click Next.

Retrieving passwordsYou can select an option on how you can retrieve your passwords inAccessAssistant.

About this task

The two password retrieval options are:v Display the password on the browserv Copy the password to the clipboard and paste it in the Password field.

Procedure1. Select a password retrieval option.2. Select the application check box.3. Click Get password. If you select Display password on the browser, the

password displays in the monitor. Make sure that you have some privacybefore displaying the password.


Chapter 4. Using Web Workplace

You can perform AccessAgent tasks from a Web browser by using Web Workplace.It is an automatic sign-on feature without installing AccessAgent on yourcomputer.

You must remember one password to log on to all applications. Combined withthe reverse proxy feature, Web automatic sign-on can support a large variety ofWeb applications.

Web Workplace authenticates the password. If the password is set up tosynchronize with the Windows password, users can use their Windows passwordto log on.

See the following topics for more information.v “Signing up to Web Workplace”v “Logging on to Web Workplace”v “Managing applications in Web Workplace” on page 26v “Resetting secrets” on page 28v “Resetting passwords with authorization codes” on page 28v “Unlocking an Active Directory account” on page 29

Signing up to Web WorkplaceWeb Workplace is especially useful when you cannot install AccessAgent. Forexample, there are users who must access enterprise applications through SecureSockets Layer virtual private network from home computers or Internet cafes. WebWorkplace can automatically log the user on to Web-based enterprise applications.

Procedure1. Navigate to https://<imsserver_url>/aawwp?isWwp=true.

Note: For more information, check with your administrator.2. In the Web Workplace navigation panel, click Sign up.3. Enter your Windows user name and password.4. Click Next.5. Select a question.

The answer to this question must be at least three characters long.

Note: Mark Hide answer if you do not want the answers displayed.6. Click Finish.

Logging on to Web WorkplaceAfter logging on, you have full access to all the application user names andpasswords stored in your Wallet. When logged on, you can also use all the featuresof Web Workplace.


Procedure1. In the Web Workplace navigation panel, click Log on.2. Enter your IBM Security Access Manager for Enterprise Single Sign-On user

name and password.3. Click Next.

Logging on using OTP or MACYou can log on using an OTP or MAC if AccessAssistant or Web Workplace isenabled for both OTP and MAC authentication.

Procedure1. Launch AccessAssistant or Web Workplace.2. Enter your IBM Security Access Manager for Enterprise Single Sign-On user

name and password.3. Enter the MAC received by mobile phone or email, or enter the OTP provided

by the OTP token.4. Optional: If you lost both the mobile phone and OTP token, call Help desk for

an authorization code.5. Optional: Enter the authorization code to log on.

Managing applications in Web WorkplaceManaging Web Workplace applications include adding, editing, and deletingapplication accounts. It also includes setting the application logon preferences anddefault application account.

See the following topics for more information.v “Logging on to applications”v “Capturing user names and passwords”v “Setting application logon preferences” on page 27v “Adding accounts to applications” on page 27v “Editing application passwords” on page 27v “Deleting accounts from applications” on page 28

Logging on to applicationsWhen you are logged on to Web Workplace, all the enterprise and personal Webapplications are listed in the right panel of the Web Workplace page.

Procedure

Click the application name. A new browser page opens with the requestedapplication, and you are automatically signed on to the application.

Capturing user names and passwordsIf the user name for automatic logon field is empty, it means that Web Workplacehas not captured the user name and password for that application.

Procedure1. Click the application name.2. Enter your user name and password for the application.


3. Enter your password again to confirm.4. Click Save.

Setting application logon preferencesYou can set your logon preferences for an application. For example, you can setautomatic logon to an application.

Procedure1. Click Manage from the My Web Workplace screen panel to set your

application logon preferences.If there is only one profile in the application, the Automatic logon check box isselected by default.If there are two or more applications, you can disableautomatic logon for each application.

Note: If there are multiple profiles for one application, you cannot clear theAutomatic logon check box for the first profile set for automatic logon.However, you can select another profile and set it for automatic logon.

2. Click Update.

Setting the default application accountIf you have two accounts for the same application, you can set Web Workplace toselect the default application account for automatic logon.

Procedure1. Select the check box of the account to be assigned as the default account.2. Click Update.

Adding accounts to applicationsYou can add more accounts to applications in Web Workplace.

Procedure1. In the Manage logon accounts page, click Add user name to add more than

one user name for an application. The Add user account window is displayed.2. Select an application from the list.3. Enter the new user name.4. Enter a password.5. Enter the password again to confirm.6. Click Save.

Editing application passwordsYou can edit your application password in Web Workplace.

Procedure1. In the Manage logon accounts page, click Edit password next to the user name.

The Edit password window is displayed.2. Enter the new password.3. Enter the new password again to confirm.4. Click Update.

Chapter 4. Using Web Workplace 27

Deleting accounts from applicationsYou can delete accounts from applications in Web Workplace.

Procedure1. Select the check box next to the corresponding account.2. Click Delete.3. In the Manage logon accounts page, click Delete next to the user name.

Resetting secretsYou can reset your passwords by specifying answers to secret questions in WebWorkplace.

Procedure1. In the Web Workplace navigation panel, click Reset my secrets.2. Select a new secret question from the drop-down list.3. Enter the secret answer.

If you do not want the answer to be visible, mark Hide answer.


4. Specify an optional second secret question and answer.5. Click Reset to save the new secret question and answer.

Resetting passwords with authorization codesContact the Help desk to request for an authorization code. The contactinformation is available on your Web Workplace page.

Procedure1. In the Web Workplace navigation panel, click Reset password.2. Enter your IBM Security Access Manager for Enterprise Single Sign-On user

name.3. Click Next.4. Enter the secret answer.5. Provide the secret answers to the other secret questions.6. Contact the Help desk to request for an authorization code.7. Enter the authorization code.

The authorization code is not case sensitive.8. Click Next.9. Enter a new password.

10. Enter the new password again.11. Click Next.


Unlocking an Active Directory accountUse an authorization code and secret to unlock your Active Directory account andWallet.

Procedure1. Click the Unlock account link in Web Workplace.2. Enter a user name.3. Select a domain.4. Click Next.5. Contact Help desk to request for an authorization code.6. Enter the authorization code.7. Click Next.8. Enter one secret answer.9. Click Next.

Resetting OATH-based OTP tokens in AccessAssistant or WebWorkplace

Use AccessAssistant or Web Workplace to reset OATH-based OTP tokens.

About this task

The OTP might be out-of-sync with the IMS Server because the A-Key uses OATHOTP, which is event-based. The OTP can be out-of-sync if the user presses thetoken button too many times without using the displayed OTP for authentication.

Procedure1. Log on to AccessAssistant or Web Workplace.2. Click the Reset OTP token.3. Select the serial number of the token.4. Generate three consecutive OTPs by using the token and enter each of them in

the appropriate text boxes.5. Click Reset.

Chapter 4. Using Web Workplace 29


Notices

This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.1623-14, Shimotsuruma, Yamato-shiKanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law :

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certaintransactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subjectto change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject tochange before the products described become available.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment to


IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. You may copy,modify, and distribute these sample programs in any form without payment toIBM for the purposes of developing, using, marketing, or distributing applicationprograms conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and colorillustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at Copyright andtrademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Officeof Government Commerce, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Notices 33

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in theUnited States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo aretrademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marksof others.


Glossary

AccessAdmin. A web-based management console thatAdministrators and Helpdesk officers use to administerthe IMS Server and to manage users and policies.

AccessAgent plug-in. A piece of script, written inVBscript or Javascript, that is embedded within anAccessProfile to perform custom checking of conditionsor to execute custom actions. It is used for extendingthe capability of an AccessProfile beyond the built-intriggers and actions.

AccessAgent. The client software that manages theidentity of the user, authenticates the user, andautomates single sign-on and sign-off.

AccessAssistant. The web-based interface that helpsusers to reset their passwords and retrieve theirapplication credentials.

AccessProfile widget / widget. An independentAccessProfile that consists of pinnable states, which canbe used to build another AccessProfile.

AccessProfiles. AccessAgent uses these XMLspecifications to identify application screens that it canperform single sign-on and automation.

AccessStudio. An application used by Administratorsfor creating and maintaining AccessProfiles.

Account data bag. A data structure that holds usercredentials in memory while single sign-on isperformed on an application.

Account data item template. A template that definesthe properties of an account data item.

Account data item. The user credentials required forlogon.

Account data template. A template that defines theformat of account data to be stored for credentialscaptured by using a specific AccessProfile.

Account data. The logon information required toverify an authentication service. It can be the username, password, and the authentication service whichthe logon information is stored.

Action. In profiling, an act that can be performed inresponse to a trigger. For example, automatic filling ofuser name and password details as soon as a sign-onwindow displays.

Active Directory (AD). A hierarchical directory servicethat enables centralized, secure management of anentire network, which is a central component of theMicrosoft Windows platform.

Active Directory credentials. The Active Directoryuser name and password.

Active Directory password synchronization. An IBMSecurity Access Manager for Enterprise Single Sign-Onfeature that synchronizes the ISAM ESSO passwordwith the Active Directory password.

Active RFID (ARFID). ARFID is both a secondauthentication factor and a presence detector. It candetect the presence of a user and AccessAgent can beconfigured to perform specific actions. In previousreleases, it is called Active Proximity Badge.

ActiveCode. Short-lived authentication codes that aregenerated and verified by IBM Security AccessManager for Enterprise Single Sign-On. There are twotypes of ActiveCodes: Mobile ActiveCodes andPredictive ActiveCodes.

Mobile ActiveCodes are generated by IBM SecurityAccess Manager for Enterprise Single Sign-On anddispatched to the mobile phone or email account of theuser. Predictive ActiveCodes, or One Time Passwords,are generated from OTP tokens when a user presses itsbutton.

Combined with alternative channels or devices,ActiveCodes provide effective second-factorauthentication.

Administrator. A person responsible foradministrative tasks such as access authorization andcontent management. Administrators can also grantlevels of authority to users.

Application policies. A collection of policies andattributes governing access to applications.

Application programming interface (API). Aninterface that allows an application program written ina high-level language to use specific data or functionsof the operating system or another program.

Application. One or more computer programs orsoftware components that provide a function in directsupport of a specific business process or processes. InAccessStudio, it is the system that provides the userinterface for reading or entering the authenticationcredentials.

Audit. A process that logs the user, Administrator, andHelpdesk activities.

Authentication factor. The different devices,biometrics, or secrets required as credentials forvalidating digital identities. Examples of authentication


factors are passwords, smart card, RFID, biometrics,and one-time password tokens.

Authentication service. In IBM Security AccessManager for Enterprise Single Sign-On, a service thatverifies the validity of an account against their ownuser store or against a corporate directory. Identifies theauthentication service associated with a screen. Accountdata saved under a particular authentication service isretrieved and auto-filled for the logon screen that isdefined. Account data captured from the logon screendefined is saved under this authentication service.

Authorization code. An alphanumeric code generatedfor administrative functions, such as password resets ortwo-factor authentication bypass with AccessAgent,AccessAssistant, and Web Workplace.

Auto-capture. A process that allows a system to collectand reuse user credentials for different applications.These credentials are captured when the user entersinformation for the first time, and then stored andsecured for future use.

Automatic sign-on. A feature where users can log onto the sign-on automation system and the system logson the user to all other applications.

Base distinguished name. A name that indicates thestarting point for searches in the directory server.

Bidirectional language. A language that uses a script,such as Arabic and Hebrew, whose general flow of textproceeds horizontally from right to left, but numbers,English, and other left-to-right language text arewritten from left to right.

Bind distinguished name. A name that specifies thecredentials for the application server to use whenconnecting to a directory service. The distinguishedname uniquely identifies an entry in a directory. Seealso Distinguished name.

Biometrics. The identification of a user based on aphysical characteristic of the user, such as a fingerprint,iris, face, voice, or handwriting.

Card Serial Number (CSN). A unique data item thatidentifies a hybrid smart card. It has no relation to thecertificates installed in the smart card

Cell. In WebSphere Application Server, a cell is avirtual unit that consists of a deployment manager andone or more nodes.

Certificate authority (CA). A trusted organization orcompany that issues the digital certificates. Thecertificate authority typically verifies the identity of theindividuals who are granted the unique certificate.

IMS Server Certificate. Used in IBM Security AccessManager for Enterprise Single Sign-On. The IMS ServerCertificate allows clients to identify and authenticate anIMS Server.

Client AccessAgent. AccessAgent installed andrunning on the client machine.

Client workstation, client machine, client computers.Computers where AccessAgent installed.

Clinical Context Object Workgroup (CCOW). Avendor independent standard, for the interchange ofinformation between clinical applications in thehealthcare industry.

Clustering. In WebSphere Application Server,clustering is the ability to group application servers.

Clusters. A group of application servers thatcollaborate for the purposes of workload balancing andfailover.

Command line interface. A computer interface inwhich the input command is a string of text characters.

Credentials. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

Cryptographic application programming interface(CAPI). An application programming interface thatprovides services to enable developers to secureapplications using cryptography. It is a set ofdynamically-linked libraries that provides anabstraction layer which isolates programmers from thecode used to encrypt the data.

Cryptographic Service Provider (CSP). A feature ofthe i5/OS® operating system that provides APIs. TheCCA Cryptographic Service Provider enables a user torun functions on the 4758 Coprocessor.

Data source. The means by which an applicationaccesses data from a database.

Database (DB) server. A software program that uses adatabase manager to provide database services tosoftware programs or computers.

DB2®. A family of IBM licensed programs forrelational database management.

Deployment manager profiles. A WebSphereApplication Server runtime environment that managesoperations for a logical group, or cell, of other servers.

Deployment manager. A server that manages andconfigures operations for a logical group or cell ofother servers.


Deprovision. To remove a service or component. Forexample, to deprovision an account means to delete anaccount from a resource.

Desktop application. Application that runs in adesktop.

Desktop Manager. Manages concurrent user desktopson a single workstation

Direct auth-info. In profiling, direct auth-info is adirect reference to an existing authentication service.

Directory service. A directory of names, profileinformation, and computer addresses of every user andresource on the network. It manages user accounts andnetwork permissions. When a user name is sent, itreturns the attributes of that individual, which mightinclude a telephone number, or an email address.Directory services use highly specialized databases thatare typically hierarchical in design and provide fastlookups.

Directory. A file that contains the names andcontrolling information for objects or other directories.

Disaster recovery site. A secondary location for theproduction environment in case of a disaster.

Disaster recovery. The process of restoring a database,system, policies after a partial or complete site failurethat was caused by a catastrophic event such as anearthquake or fire. Typically, disaster recovery requiresa full backup at another location.

Distinguished name. The name that uniquelyidentifies an entry in a directory. A distinguished nameis made up of attribute:value pairs, separated bycommas. For example, CN=person name andC=country or region.

Distributed IMS Server. The IMS Servers aredeployed in multiple geographical locations.

Domain name server (DNS). A server program thatsupplies name-to-address conversion by mappingdomain names to IP addresses.

Dynamic link library (DLL). A file containingexecutable code and data bound to a program at loadtime or run time, rather than during linking. The codeand data in a DLL can be shared by severalapplications simultaneously.

Enterprise directory. A directory of user accounts thatdefine IBM Security Access Manager for EnterpriseSingle Sign-On users. It validates user credentialsduring sign-up and logon, if the password issynchronized with the enterprise directory password.An example of an enterprise directory is ActiveDirectory.

Enterprise Single Sign-On (ESSO). A mechanism thatallows users to log on to all applications deployed inthe enterprise by entering a user ID and othercredentials, such as a password.

Enterprise user name. The user name of a useraccount in the enterprise directory.

ESSO audit logs. A log file that contains a record ofsystem events and responses. ESSO audit logs arestored in the IMS Database.

ESSO Credential Provider. Previously known as theEncentuate Credential Provider (EnCredentialProvider),this is the IBM Security Access Manager for EnterpriseSingle Sign-On GINA for Windows Vista and Windows7.

ESSO credentials. The ISAM ESSO user name andpassword.

ESSO GINA. Previously known as the EncentuateGINA (EnGINA). IBM Security Access Manager forEnterprise Single Sign-On GINA provides a userinterface that is integrated with authentication factorsand provide password resets and second factor bypassoptions.

ESSO Network Provider. Previously known as theEncentuate Network Provider (EnNetworkProvider).An AccessAgent module that captures the ActiveDirectory server credentials and uses these credentialsto automatically log on the users to their Wallet.

ESSO password. The password that secures access tothe user Wallet.

Event code. A code that represents a specific eventthat is tracked and logged into the audit log tables.

Failover. An automatic operation that switches to aredundant or standby system in the event of asoftware, hardware, or network interruption.

Fast user switching. A feature that allows users toswitch between user accounts on a single workstationwithout quitting and logging out of applications.

Federal Information Processing Standard (FIPS). Astandard produced by the National Institute ofStandards and Technology when national andinternational standards are nonexistent or inadequate tosatisfy the U.S. government requirements.

Fix pack. A cumulative collection of fixes that is madeavailable between scheduled refresh packs,manufacturing refreshes, or releases. It is intended toallow customers to move to a specific maintenancelevel.

Fully qualified domain name (FQDN). In Internetcommunications, the name of a host system that

Glossary 37

includes all of the subnames of the domain name. Anexample of a fully qualified domain name isrchland.vnet.ibm.com.

Graphical Identification and Authentication (GINA).A dynamic link library that provides a user interfacethat is tightly integrated with authentication factors andprovides password resets and second factor bypassoptions.

Group Policy Object (GPO). A collection of grouppolicy settings. Group policy objects are the documentscreated by the group policy snap-in. Group policyobjects are stored at the domain level, and they affectusers and computers contained in sites, domains, andorganizational units.

High availability (HA). The ability of IT services towithstand all outages and continue providingprocessing capability according to some predefinedservice level. Covered outages include both plannedevents, such as maintenance and backups, andunplanned events, such as software failures, hardwarefailures, power failures, and disasters.

Host name. In Internet communication, the namegiven to a computer. The host name might be a fullyqualified domain name such asmycomputer.city.company.com, or it might be a specificsubname such as mycomputer.

Hot key. A key sequence used to shift operationsbetween different applications or between differentfunctions of an application.

Hybrid smart card. An ISO-7816 compliant smart cardwhich contains a public key cryptography chip and anRFID chip. The cryptographic chip is accessible throughcontact interface. The RFID chip is accessible throughcontactless (RF) interface.

IBM HTTP server. A web server. IBM offers a webserver, called the IBM HTTP Server, that acceptsrequests from clients and forward to the applicationserver.

IMS Bridge. A module embedded in third-partyapplications and systems to call to IMS APIs forprovisioning and other purposes.

IMS Configuration Utility. A utility of the IMS Serverthat allows Administrators to manage lower-levelconfiguration settings for the IMS Server.

IMS Configuration wizard. Administrators use thewizard to configure the IMS Server during installation.

IMS Connector. A module that connects IMS toexternal systems to dispatch a mobile active code to amessaging gateway.

IMS data source. A WebSphere Application Serverconfiguration object that defines the location andparameters for accessing the IMS database.

IMS Database. The relational database where the IMSServer stores all ESSO system, machine, and user dataand audit logs.

IMS Root CA. The root certificate authority that signscertificates for securing traffic between AccessAgentand IMS Server.

IMS Server. An integrated management system forISAM ESSO that provides a central point of secureaccess administration for an enterprise. It enablescentralized management of user identities,AccessProfiles, authentication policies, provides lossmanagement, certificate management, and auditmanagement for the enterprise.

Indirect auth-info. In profiling, indirect auth-info is anindirect reference to an existing authentication service.

Interactive graphical mode. A series of panels thatprompts for information to complete the installation.

IP address. A unique address for a device or logicalunit on a network that uses the Internet Protocolstandard.

Java Management Extensions (JMX). A means ofdoing management of and through Java technology.JMX is a universal, open extension of the Javaprogramming language for management that can bedeployed across all industries, wherever management isneeded.

Java runtime environment (JRE). A subset of a Javadeveloper kit that contains the core executableprograms and files that constitute the standard Javaplatform. The JRE includes the Java virtual machine(JVM), core classes, and supporting files.

Java virtual machine (JVM). A softwareimplementation of a processor that runs compiled Javacode (applets and applications).

Keystore. In security, a file or a hardwarecryptographic card where identities and private keysare stored, for authentication and encryption purposes.Some keystores also contain trusted, or public, keys.

Lightweight Directory Access Protocol (LDAP). Anopen protocol that uses TCP/IP to provide access todirectories that support an X.500 model. An LDAP canbe used to locate people, organizations, and otherresources in an Internet or intranet directory.

Lightweight mode. A Server AccessAgent mode.Running in lightweight mode reduces the memoryfootprint of AccessAgent on a Citrix/Terminal Serverand improves the single sign-on startup duration.


Load balancing. The monitoring of application serversand management of the workload on servers. If oneserver exceeds its workload, requests are forwarded toanother server with more capacity.

Lookup user. A user who is authenticated in theEnterprise Directory and searches for other users. IBMSecurity Access Manager for Enterprise Single Sign-Onuses the lookup user to retrieve user attributes from theActive Directory or LDAP enterprise repository.

Main AccessProfile. The AccessProfile that containsone or more AccessProfile widgets

Managed node. A node that is federated to adeployment manager and contains a node agent andcan contain managed servers.

Microsoft Cryptographic application programminginterface (CAPI). An interface specification fromMicrosoft for modules that provide cryptographicfunctionality and that allow access to smart cards.

Mobile ActiveCode (MAC). A one-time password thatis used by users for two-factor authentication in WebWorkplace, AccessAssistant, and other applications.This OTP is randomly generated and dispatched touser through SMS or email.

Mobile authentication. An authentication factorwhich allows mobile users to sign-on securely tocorporate resources from anywhere on the network.

Network deployment. Also known as a clustereddeployment. A type of deployment where the IMSServer is deployed on a WebSphere Application Servercluster.

Node agent. An administrative agent that manages allapplication servers on a node and represents the nodein the management cell.

Nodes. A logical group of managed servers.

One-Time Password (OTP). A one-use passwordgenerated for an authentication event, sometimescommunicated between the client and the serverthrough a secure channel.

OTP token. A small, highly portable hardware devicethat the owner carries to authorize access to digitalsystems and physical assets.

Password aging. A security feature by which thesuperuser can specify how often users must changetheir passwords.

Password complexity policy. A policy that specifiesthe minimum and maximum length of the password,the minimum number of numeric and alphabeticcharacters, and whether to allow mixed uppercase andlowercase characters.

Personal applications. Windows and web-basedapplications where AccessAgent can store and entercredentials.

Some examples of personal applications are web-basedmail sites such as Company Mail, Internet bankingsites, online shopping sites, chat, or instant messagingprograms.

Personal desktop. The desktop is not shared with anyother users.

Personal Identification Number (PIN). InCryptographic Support, a unique number assigned byan organization to an individual and used as proof ofidentity. PINs are commonly assigned by financialinstitutions to their customers.

Pinnable state. A state from the AccessProfile widgetthat is declared as 'Can be pinned in anotherAccessProfile'.

Pinned state. A pinnable state that is attached to astate in the main AccessProfile.

Policy template. A predefined policy form that helpsusers define a policy by providing the fixed policyelements that cannot be changed and the variablepolicy elements that can be changed.

Portal. A single, secure point of access to diverseinformation, applications, and people that can becustomized and personalized.

Presence detector. A device that, when fixed to acomputer, detects when a person moves away from it.This device eliminates manually locking the computerupon leaving it for a short time.

Primary authentication factor. The IBM SecurityAccess Manager for Enterprise Single Sign-Onpassword or directory server credentials.

Private desktop. Under this desktop scheme, usershave their own Windows desktops in a workstation.When a previous user return to the workstation andunlocks it, AccessAgent switches to the desktop sessionof the previous user and resumes the last task.

Private key. In computer security, the secret half of acryptographic key pair that is used with a public keyalgorithm. The private key is known only to its owner.Private keys are typically used to digitally sign dataand to decrypt data that has been encrypted with thecorresponding public key.

Provisioning API. An interface that allows IBMSecurity Access Manager for Enterprise Single Sign-Onto integrate with user provisioning systems.

Provisioning bridge. An automatic IMS Servercredential distribution process with third partyprovisioning systems that uses API libraries with aSOAP connection.

Glossary 39

Provisioning system. A system that provides identitylifecycle management for application users inenterprises and manages their credentials.

Provision. To provide, deploy, and track a service,component, application, or resource.

Public Key Cryptography Standards. A set ofindustry-standard protocols used for secure informationexchange on the Internet. Domino® CertificateAuthority and Server Certificate Administrationapplications can accept certificates in PKCS format.

Published application. Application installed on CitrixXenApp server that can be accessed from Citrix ICAClients.

Published desktop. A Citrix XenApp feature whereusers have remote access to a full Windows desktopfrom any device, anywhere, at any time.

Radio Frequency Identification (RFID). An automaticidentification and data capture technology thatidentifies unique items and transmits data using radiowaves.

Random password. An arbitrarily generated passwordused to increase authentication security between clientsand servers.

Registry hive. In Windows systems, the structure ofthe data stored in the registry.

Registry. A repository that contains access andconfiguration information for users, systems, andsoftware.

Remote Authentication Dial-In User Service(RADIUS). An authentication and accounting systemthat uses access servers to provide centralizedmanagement of access to large networks.

Remote Desktop Protocol (RDP). A protocol thatfacilitates remote display and input over networkconnections for Windows-based server applications.RDP supports different network topologies andmultiple connections.

Replication. The process of maintaining a defined setof data in more than one location. Replication involvescopying designated changes for one location (a source)to another (a target) and synchronizing the data in bothlocations.

Revoke. To remove a privilege or an authority froman authorization identifier.

Root certificate authority (CA). The certificateauthority at the top of the hierarchy of authorities bywhich the identity of a certificate holder can beverified.

Scope. A reference to the applicability of a policy, atthe system, user, or machine level.

Secret question. A question whose answer is knownonly to the user. A secret question is used as a securityfeature to verify the identity of a user.

Secure Remote Access. The solution that providesweb browser-based single sign-on to all applicationsfrom outside the firewall.

Secure Sockets Layer (SSL). A security protocol thatprovides communication privacy. With SSL,client/server applications can communicate in a waythat is designed to prevent eavesdropping, tampering,and message forgery.

Secure Sockets Layer virtual private network (SSLVPN). A form of VPN that can be used with astandard web browser.

Security Token Service (STS). A web service used forissuing and exchanging of security tokens.

Security trust service chain. A group of moduleinstances that are configured for use together. Eachmodule instance in the chain is called in turn toperform a specific function as part of the overallprocessing of a request.

Self-service features. Features in IBM Security AccessManager for Enterprise Single Sign-On which users canuse to perform basic tasks such as resetting passwordsand secrets with minimal assistance from Help desk oryour Administrator.

Serial ID Service Provider Interface (SPI). Aprogrammatic interface intended for integratingAccessAgent with third-party Serial ID devices used fortwo-factor authentication.

Serial number. A unique number embedded in theIBM Security Access Manager for Enterprise SingleSign-On Keys, which is unique to each Key and cannotbe changed.

Server AccessAgent. AccessAgent deployed on aMicrosoft Windows Terminal Server or a Citrix server.

Server locator. A locator that groups a related set ofweb applications that require authentication by thesame authentication service. In AccessStudio, serverlocators identify the authentication service with whichan application screen is associated.

Service Provider Interface (SPI). An interface throughwhich vendors can integrate any device with serialnumbers with IBM Security Access Manager forEnterprise Single Sign-On and use it as a second factorin AccessAgent.

Session management. Management of user session onprivate desktops and shared desktops.

Shared desktop. A desktop configuration wheremultiple users share a generic Windows desktop.


Shared workstation. A workstation shared amongusers.

Sign up. To request a resource.

sign-on automation. A technology that works withapplication user interfaces to automate the sign-onprocess for users.

sign-on information. Information required to provideaccess to users to any secure application. Thisinformation can include user names, passwords,domain information, and certificates.

Signature. In profiling, unique identificationinformation for any application, window, or field.

Silent mode. A method for installing or uninstalling aproduct component from the command line with noGUI display. When using silent mode, you specify thedata required by the installation or uninstallationprogram directly on the command line or in a file(called an option file or response file).

Simple Mail Transfer Protocol (SMTP). An Internetapplication protocol for transferring mail among usersof the Internet.

Simple Object Access Protocol (SOAP). Alightweight, XML-based protocol for exchanginginformation in a decentralized, distributedenvironment. SOAP can be used to query and returninformation and invoke services across the Internet.

Single sign-on. An authentication process in which auser can access more than one system or application byentering a single user ID and password.

Smart card middleware. Software that acts as aninterface between smart card applications and thesmart card hardware. Typically the software consists oflibraries that implement PKCS#11 and CAPI interfacesto smart cards.

Smart card. An intelligent token that is embeddedwith an integrated circuit chip that provides memorycapacity and computational capabilities.

Stand-alone deployment. A deployment where theIMS Server is deployed on an independent WebSphereApplication Server profile.

Stand-alone server. A fully operational server that ismanaged independently of all other servers, and it usesits own administrative console.

Strong authentication. A solution that usesmulti-factor authentication devices to preventunauthorized access to confidential corporateinformation and IT networks, both inside and outsidethe corporate perimeter.

Strong digital identity. An online persona that isdifficult to impersonate, possibly secured by privatekeys on a smart card.

System modal message. A system dialog box that istypically used to display important messages. When asystem modal message is displayed, nothing else canbe selected on the screen until the message is closed.

Terminal emulator. A program that allows a devicesuch as a microcomputer or personal computer to enterand receive data from a computer system as if it were aparticular type of attached terminal

Thin client. A client machine that has little or noinstalled software. It has access to applications anddesktop sessions that is running on network serversthat are connected to it. A thin client machine is analternative to a full-function client such as aworkstation.

Tivoli Common Reporting tool. A reportingcomponent that you can use to create, customize, andmanage reports.

Tivoli Identity Manager adapter. An intermediarysoftware component that allows IBM Security AccessManager for Enterprise Single Sign-On to communicatewith Tivoli Identity Manager.

Transparent screen lock. A feature that, whenenabled, permits users to lock their desktop screens butstill see the contents of their desktop.

Trigger. In profiling, an event that causes transitionsbetween states in a states engine, such as, the loadingof a web page or the appearance of window on thedesktop.

Trust service chain. A chain of modules operating indifferent modes. For example: validate, map and issue.

Truststore. In security, a storage object, either a file ora hardware cryptographic card, where public keys arestored in the form of trusted certificates, forauthentication purposes in web transactions. In someapplications, these trusted certificates are moved intothe application keystore to be stored with the privatekeys.

TTY (terminal type). A generic device driver for a textdisplay. A tty typically performs input and output on acharacter-by-character basis.

Two-factor authentication. The use of two factors toauthenticate a user. For example, the use of passwordand an RFID card to log on to AccessAgent.

Uniform resource identifier. A compact string ofcharacters for identifying an abstract or physicalresource.

Glossary 41

User credential. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

User deprovisioning. Removing the user account fromIBM Security Access Manager for Enterprise SingleSign-On.

User provisioning. The process of signing up a userto use IBM Security Access Manager for EnterpriseSingle Sign-On.

Virtual appliance. A virtual machine image with aspecific application purpose that is deployed tovirtualization platforms.

Virtual channel connector. A connector that is used ina terminal services environment. The virtual channelconnector establishes a virtual communication channelto manage the remote sessions between the ClientAccessAgent component and the Server AccessAgent.

Virtual Member Manager (VMM). A WebSphereApplication Server component that providesapplications with a secure facility to access basicorganizational entity data such as people, logonaccounts, and security roles.

Virtual Private Network (VPN). An extension of acompany intranet over the existing framework of eithera public or private network. A VPN ensures that thedata that is sent between the two endpoints of itsconnection remains secure.

Visual Basic (VB). An event-driven programminglanguage and integrated development environment(IDE) from Microsoft.

Wallet caching. When performing single sign-on foran application, AccessAgent retrieves the logoncredentials from the user credential Wallet. The usercredential Wallet is downloaded on the user machineand stored securely on the IMS Server. So users canaccess their Wallet even when they log on to IBMSecurity Access Manager for Enterprise Single Sign-Onfrom a different machine later.

Wallet manager. The IBM Security Access Manager forEnterprise Single Sign-On GUI component that userscan use to manage application credentials in thepersonal identity Wallet.

Wallet Password. A password that secures access tothe Wallet.

Wallet. A secured data store of access credentials of auser and related information, which includes user IDs,passwords, certificates, encryption keys.

Web server. A software program that is capable ofservicing Hypertext Transfer Protocol (HTTP) requests.

Web service. A self-contained, self-describing modularapplication that can be published, discovered, andinvoked over a network using standard networkprotocols. Typically, XML is used to tag the data, SOAPis used to transfer the data, WSDL is used fordescribing the services available, and UDDI is used forlisting what services are available.

Web Workplace. A web-based interface that users canlog on to enterprise web applications by clicking linkswithout entering the passwords for individualapplications. This interface can be integrated with theexisting portal or SSL VPN of the customer.

WebSphere Administrative console. A graphicaladministrative Java application client that makesmethod calls to resource beans in the administrativeserver to access or modify a resource within thedomain.

WebSphere Application Server profile. TheWebSphere Application Server administrator user nameand profile. Defines the runtime environment.

WebSphere Application Server. Software that runs ona web server and that can deploy, integrate, execute,and manage e-business applications.

Windows logon screen, Windows logon UI mode.The screen where users enter their user name andpassword to log on to the Windows desktop.

Windows native fast user switching. A Windows XPfeature which allows users to quickly switch betweenuser accounts.

Windows Terminal Services. A Microsoft Windowscomponent that users use to access applications anddata on a remote computer over a network.

WS-Trust. A web services security specification thatdefines a framework for trust models to establish trustbetween web services.


Index

Aabout 4AccessAgent

logging in 6resetting secrets 19signing up 5

AccessAgent information 1AccessAssistant 21

adding accounts 23authenticating with MAC 26authenticating with OTP 26deleting accounts 23editing passwords 23logging on 22managing 22resetting OATH-based OTP

tokens 29resetting passwords 24resetting secrets 23retrieving passwords 24signing up 21two-factor authentication 22

accessibility viiiactive proximity badge 8

See ARFIDactive RFID

See ARFIDARFID

active proximity badge 9locking 9signing up 8unlocking 9

authentication, bypassing 20

Bbiometric 6

See fingerprintbooks

See publicationsbypassing authentication 20

Ccomputer

locking 6unlocking 6

conventionstypeface ix

credentialsadding 17deleting 17searching 17

Ddesktop 4directory names, notation x

Eeducation

See Tivoli technical trainingenterprise directory 14environment variables, notation x

Ffingerprint 6, 9

locking 10signing up 10signing up more 10unlocking 10

Hhybrid smart card 12

locking 13signing up 12unlocking 13

IIBM Security Access Manager for

Enterprise Single Sign-On 1IBM Security Access Manager for

Enterprise Single Sign-On icons 2icons 2IMS Server connectivity 3IMS Server offline 3IMS Server online 3ISAM ESSO

See IBM Security Access Manager forEnterprise Single Sign-On

MMAC and OTP 14manuals

See publications

Nnotation

environment variables xpath names xtypeface x

Oonline publications

accessing viiordering publications viiiOTP 13

Ppassive RFID 6


passwords 4changing 18editing 17exporting 16remembering 16resetting

no IMS Server connection 18with IMS Server connection 19

storing 16viewing 15

path names, notation xpublications v

accessing online viiordering viii

RRFID 6RFID, active 8RFID, passive 6

Sself-service 15signing up another card 13single sign-on 1smart card 6, 11


Ttasks, user 3terminal server 14Tivoli Information Center viiTivoli technical training viiiTivoli user groups viiitraining, Tivoli technical viiitypeface conventions ix

Uuser groups, Tivoli viiiuser tasks 3

Vvariables, notation for x


WWallets

editing 17managing 15viewing 15

Web Workplace 25adding accounts 27authenticating with MAC 26authenticating with OTP 26capturing credentials 26deleting accounts 28editing passwords 27logging on 26logging on to applications 26managing 26resetting OATH-based OTP

tokens 29resetting passwords 28resetting secrets 28setting default account 27setting preferences 27signing up 25unlocking Active Directory

account 29


��

Printed in USA

SC23-9950-03

Documents

IBM. Security Access Manager for Enterprise Single Sign-On ... · Security Access Manager for Enterprise Single Sign-On Policies Definition Guide. v IBM Security Access Manager for