Help Desk Guide - IBM · Help Desk Guide SC23-9953-03. IBM® ... Overview on Help desk tasks 1 Verifying user identity ... support-related information and serviceability tools for

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

Help Desk Guide

SC23-9953-03

��

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

Help Desk Guide

SC23-9953-03

��

NoteBefore using this information and the product it supports, read the information in “Notices” on page 19.

Edition notice

Note: This edition applies to version 8.2 of IBM Security Access Manager for Enterprise Single Sign-On,(product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in neweditions.

© Copyright IBM Corporation 2002, 2012.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

About this publication . . . . . . . . vIntended audience . . . . . . . . . . . . vWhat this publication contains . . . . . . . . vPublications . . . . . . . . . . . . . . v

IBM Security Access Manager for EnterpriseSingle Sign-On library . . . . . . . . . . viAccessing terminology online . . . . . . . viiAccessing publications online . . . . . . . viiOrdering publications . . . . . . . . . viii

Accessibility . . . . . . . . . . . . . . viiiTivoli technical training . . . . . . . . . . viiiTivoli user groups . . . . . . . . . . . . viiiSupport information . . . . . . . . . . . viiiConventions used in this publication . . . . . . ix

Typeface conventions . . . . . . . . . . ixOperating system-dependent variables and paths x

Chapter 1. Overview on Help desk tasks 1Verifying user identity . . . . . . . . . . . 1Good security practices . . . . . . . . . . . 2Logging on to AccessAdmin . . . . . . . . . 2Checking the IMS Server status . . . . . . . . 2Viewing a user profile . . . . . . . . . . . 3

Chapter 2. Managing authenticationfactors . . . . . . . . . . . . . . . 5Modifying second authentication factor-relatedpolicies . . . . . . . . . . . . . . . . 5

Smart card policies . . . . . . . . . . . 5Hybrid smart card policies. . . . . . . . . 6RFID policies . . . . . . . . . . . . . 6Fingerprint policies . . . . . . . . . . . 7

Generating authorization codes for users . . . . . 8Enabling ActiveCode for the user . . . . . . 9Locking the ActiveCode-enabled authenticationservice for users . . . . . . . . . . . . 9Deleting ActiveCode for users . . . . . . . 9

Revoking authentication factors. . . . . . . . 10

Chapter 3. Modifying policies . . . . . 11Modifying AccessAgent policies . . . . . . . 11

Lock/Unlock policies . . . . . . . . . . 11Roaming session policies . . . . . . . . . 12Logon/Logoff policies . . . . . . . . . . 12

Modifying Wallet policies. . . . . . . . . . 13Setting wallet authentication policies . . . . . 14Revoking cached Wallets . . . . . . . . . 14Locking Wallets . . . . . . . . . . . . 14

Viewing and setting policy priorities . . . . . . 14Viewing policy priorities . . . . . . . . . 15Setting policy priorities . . . . . . . . . 15

Chapter 4. Viewing policies . . . . . . 17Viewing a user or machine policy template . . . . 17Viewing system policies . . . . . . . . . . 17Viewing administrative policies. . . . . . . . 17

Notices . . . . . . . . . . . . . . 19

Glossary . . . . . . . . . . . . . . 23

Index . . . . . . . . . . . . . . . 31

© Copyright IBM Corp. 2002, 2012 iii

iv IBM® Security Access Manager for Enterprise Single Sign-On: Help Desk Guide

About this publication

The IBM® Security Access Manager for Enterprise Single Sign-On provides sign-onand sign-off automation, authentication management, and user tracking to providea seamless path to strong digital identity. The IBM Security Access Manager forEnterprise Single Sign-On Help Desk Guide contains information about providingHelp desk services to users.

Intended audienceThis publication is for Help desk officers supporting the IBM Security AccessManager for Enterprise Single Sign-On AccessAgent and AccessAdmin.

This publication is for Help desk officers who must perform the following tasks:v Verify user identityv Manage second authentication factors and its usersv Promote good security practicesv Search for usersv View and modify policiesv Manage machines

Readers must be familiar with the following topics:v Information specific to the organizationv Security practices for passwordsv Workflows for common tasks

What this publication containsThis publication contains the following sections:v Chapter 1, “Overview on Help desk tasks,” on page 1

Discusses the different tasks of a Help desk officer.v Chapter 2, “Managing authentication factors,” on page 5

Provides instructions on how you can manage users and their authenticationfactors in AccessAdmin.

v Chapter 3, “Modifying policies,” on page 11Provides the different user policies that you can modify in AccessAdmin.

v Chapter 4, “Viewing policies,” on page 17Guides you on how you can view system and machine policies inAccessAdmin.

PublicationsThis section lists publications in the IBM Security Access Manager for EnterpriseSingle Sign-On library. The section also describes how to access Tivoli®

publications online and how to order Tivoli publications.

© Copyright IBM Corp. 2002, 2012 v

IBM Security Access Manager for Enterprise Single Sign-Onlibrary

The following documents are available in the IBM Security Access Manager forEnterprise Single Sign-On library:v IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide,

CF38DMLRead this guide for a quick start on the main installation and configuration tasksto deploy and use IBM Security Access Manager for Enterprise Single Sign-On.

v IBM Security Access Manager for Enterprise Single Sign-On Planning and DeploymentGuide, SC23995203Read this guide before you do any installation or configuration tasks. This guidehelps you to plan your deployment and prepare your environment. It providesan overview of the product features and components, the required installationand configuration, and the different deployment scenarios. It also describes howto achieve high availability and disaster recovery.

v IBM Security Access Manager for Enterprise Single Sign-On Installation Guide,GI11930901Read this guide for the detailed procedures on installation, upgrade, oruninstallation of IBM Security Access Manager for Enterprise Single Sign-On.This guide helps you to install the different product components and theirrequired middleware, and also do the initial configurations required to completethe product deployment. It covers procedures for using virtual appliance,WebSphere® Application Server Base editions, and Network Deployment.

v IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide,GC23969201Read this guide if you want to configure the IMS Server settings, theAccessAgent user interface, and its behavior.

v IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide,SC23995103This guide is intended for the Administrators. It covers the differentAdministrator tasks. This guide provides procedures for creating and assigningpolicy templates, editing policy values, generating logs and reports, and backingup the IMS Server and its database. Use this guide together with the IBMSecurity Access Manager for Enterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide,SC23995303This guide is intended for Help desk officers. The guide helps Help desk officersto manage queries and requests from users usually about their authenticationfactors. Use this guide together with the IBM Security Access Manager forEnterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide,SC23969401Read this guide for the detailed descriptions of the different user, machine, andsystem policies that Administrators can configure in AccessAdmin. Use thisguide along with the IBM Security Access Manager for Enterprise SingleSign-On Administrator Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting andSupport Guide, GC23969301Read this guide if you have any issues with regards to installation, upgrade, andproduct usage. This guide covers the known issues and limitations of the

vi IBM® Security Access Manager for Enterprise Single Sign-On: Help Desk Guide

product. It helps you determine the symptoms and workaround for the problem.It also provides information about fixes, knowledge bases, and support.

v IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide,SC23995603Read this guide if you want to create or edit profiles. This guide providesprocedures for creating and editing standard and advanced AccessProfiles fordifferent application types. It also covers information about managingauthentication services and application objects, and information about otherfunctions and features of AccessStudio.

v IBM Security Access Manager for Enterprise Single Sign-On Provisioning IntegrationGuide, SC23995703Read this guide for information about the different Java™ and SOAP API forprovisioning. It also covers procedures for installing and configuring theProvisioning Agent.

v IBM Security Access Manager for Enterprise Single Sign-On Web API for CredentialManagement Guide, SC14764600Read this guide if you want to install and configure the Web API for credentialmanagement.

v IBM Security Access Manager for Enterprise Single Sign-On Lightweight AccessAgentmode on Terminal Server SDK Guide, SC14765700Read this guide for the details on how to develop a virtual channel connectorthat integrates AccessAgent with Terminal Services applications.

v IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide,SC14762600IBM Security Access Manager for Enterprise Single Sign-On has a ServiceProvider Interface (SPI) for devices that contain serial numbers, such as RFID.See this guide to know how to integrate any device with serial numbers and useit as a second authentication factor with AccessAgent.

v IBM Security Access Manager for Enterprise Single Sign-On Context ManagementIntegration Guide, SC23995403Read this guide if you want to install and configure the Context Managementsolution.

v IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995003This guide is intended for the end users. This guide provides instructions forusing AccessAgent and Web Workplace.

v IBM Security Access Manager for Enterprise Single Sign-On Error Message ReferenceGuide, GC14762400This guide describes all the informational, warning, and error messagesassociated with IBM Security Access Manager for Enterprise Single Sign-On.

Accessing terminology onlineThe IBM Terminology Web site consolidates the terminology from IBM productlibraries in one convenient location. You can access the Terminology Web site at thefollowing Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications onlineIBM posts publications for this and all other Tivoli products, as they becomeavailable and whenever they are updated, to the Tivoli Information Center Website at http://www.ibm.com/tivoli/documentation.

About this publication vii

http://www.ibm.com/software/globalization/terminology

http://www.ibm.com/tivoli/documentation

Note: If you print PDF documents on other than letter-sized paper, set the optionin the File > Print window that allows Adobe Reader to print letter-sized pages onyour local paper.

Ordering publicationsYou can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:v In the United States: 800-879-2755v In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivolipublications. To locate the telephone number of your local representative, performthe following steps:1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.2. Select your country from the list and click Go.3. Click About this site in the main panel to see an information page that

includes the telephone number of your local representative.

AccessibilityAccessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

For additional information, see "Accessibility features" in the IBM Security AccessManager for Enterprise Single Sign-On Planning and Deployment Guide.

Tivoli technical trainingFor Tivoli technical training information, see the following IBM Tivoli EducationWeb site at http://www.ibm.com/software/tivoli/education.

Tivoli user groupsTivoli user groups are independent, user-run membership organizations thatprovide Tivoli users with information to assist them in the implementation ofTivoli Software solutions. Through these groups, members can share informationand learn from the knowledge and experience of other Tivoli users. Tivoli usergroups include the following members and groups:v 23,000+ membersv 144+ groups

Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support informationIf you have a problem with your IBM software, you want to resolve it quickly. IBMprovides the following ways for you to obtain the support you need:

viii IBM® Security Access Manager for Enterprise Single Sign-On: Help Desk Guide

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.ibm.com/software/tivoli/education

http://www.tivoli-ug.org

OnlineGo to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support AssistantThe IBM Support Assistant is a free local software serviceability workbenchthat helps you resolve questions and problems with IBM softwareproducts. The IBM Support Assistant provides quick access tosupport-related information and serviceability tools for problemdetermination. To install the IBM Support Assistant software, go tohttp://www.ibm.com/software/support/isa.

Troubleshooting GuideFor more information about resolving problems, see the IBM Security AccessManager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Conventions used in this publicationThis publication uses several conventions for special terms and actions, operatingsystem-dependent commands and paths, and margin graphics.

Typeface conventionsThis publication uses the following typeface conventions:

Bold

v Lowercase commands and mixed case commands that are otherwisedifficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spinbuttons, fields, folders, icons, list boxes, items inside list boxes,multicolumn lists, containers, menu choices, menu names, tabs, propertysheets) and labels (such as Tip: and Operating system considerations:)

v Keywords and parameters in text

Italic

v Citations (examples: titles of publications, diskettes, and CDs)v Words defined in text (example: a nonswitched line is called a

point-to-point line)v Emphasis of words and letters (words as words example: "Use the word

that to introduce a restrictive clause."; letters as letters example: "TheLUN address must start with the letter L.")

v New terms in text (except in a definition list): a view is a frame in aworkspace that contains data.

v Variables and values you must provide: ... where myname represents....

Monospace

v Examples and code examplesv File names, programming keywords, and other elements that are difficult

to distinguish from surrounding textv Message text and prompts addressed to the userv Text that the user must typev Values for arguments or command options

About this publication ix

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/isa

Operating system-dependent variables and pathsThis publication uses the UNIX convention for specifying environment variablesand for directory notation.

When using the Windows command line, replace $variable with % variable% forenvironment variables and replace each forward slash (/) with a backslash (\) indirectory paths. The names of environment variables are not always the same inthe Windows and UNIX environments. For example, %TEMP% in Windowsenvironments is equivalent to $TMPDIR in UNIX environments.

Note: You can use the UNIX conventions if you are using the bash shell on aWindows system.

x IBM® Security Access Manager for Enterprise Single Sign-On: Help Desk Guide

Chapter 1. Overview on Help desk tasks

As a Help desk officer, you can manage users, manage authentication factors,modify policies, and view system and machine policies in AccessAdmin.

See the following topics for more information.

What to do Where to find information

Manage users

v Verify user identity.

v View user profiles.Note: Only Administrators can revokeusers.

v “Verifying user identity”

v “Viewing a user profile” on page 3

Manage second authentication factors

v Help users with second authenticationfactors.

Chapter 2, “Managing authenticationfactors,” on page 5

Modify policies

v Modify user policies such as Wallet andAccessAgent policies.Note: You can modify user policies exceptadministrative policies.

Chapter 3, “Modifying policies,” on page 11

View system and machine policies

v View machine and system scope policies.

Chapter 4, “Viewing policies,” on page 17

To learn more about the user workflows, see the IBM Security Access Manager forEnterprise Single Sign-On User Guide.

To learn more about common issues and problems, see the IBM Security AccessManager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Verifying user identityYou must verify the identity of the user to prevent unauthorized access toprotected systems.v You might communicate with the user personally, online, or over the telephone.

Set a standard method of verifying the identity of the user in line with yourcorporate policies.

v You might require a user to provide information such as an employee number orthe maiden name of the mother. Make sure that you verify the accuracy of thecredentials information.

There are cases when a user might acquire the identity of a co-worker to gainunauthorized access. If you suspect that the user is committing fraud, request formore information and make sure that you deal with it according to your corporatepolicies.

© Copyright IBM Corp. 2002, 2012 1

Good security practicesYou must advise users on the following security practices so that they can protecttheir data from unauthorized access.

Practice Description

Choose strong passwords and keep themsecureNote: The Administrator can configure therequired password length and maximumnumber of attempts to log on before theWallet is locked.

Advise users to choose passwords that arenot easy to decode. A strong password islonger and is a combination of uppercasecharacters, lowercase characters, numbers,and special characters.

Do not forget the secret Secrets help users set new passwords in casethey forget their passwords.

Safeguard the second authentication factor The second authentication factor fortifies theWallet, and must be kept in a secure place.

Safeguard the desktop If users are leaving their workstations, tellthem to always lock their computer.

Report loss of a second authenticationfactor

Advise the users to immediately informHelp desk if their second authenticationfactor is missing or misplaced.Important: When a user reports a missingsecond authentication factor, revoke thesecond authentication factor immediately.For more information, see “Revokingauthentication factors” on page 10.

Logging on to AccessAdminUse AccessAdmin to manage users, authentication factors, and policies.

Procedure1. Navigate to AccessAdmin.

v If you are using a load balancer, access https://<loadbalancer_hostname>:<ihs_ssl_port>/admin.

v If you are not using a load balancer, access https://<ims_hostname>:<ihs_ssl_port>/admin.

2. Select a language for AccessAgent that is consistent with the location for whichyou want to apply policies.

3. Enter your user name and password.4. Click Log on.

Checking the IMS Server statusWhen you check the status of the IMS Server, you can also view the serveravailability and version number.

Procedure1. Log on to AccessAdmin.2. Select System > Status. The page displays license information and IMS Server

system logs.

2 IBM® Security Access Manager for Enterprise Single Sign-On: Help Desk Guide

Viewing a user profileUse AccessAdmin to view a user profile.

Procedure1. Log on to AccessAdmin.2. Click My users under Search Users.

Note: If no users are displayed, request your Administrator to assign users toyou.

3. Click on the user name. The following links are displayed.

Option Description

Audit logs These logs contain the specific details of useractivity logs. For example: time of theactivity, the type of activity, and the SOCIID.

Authentication service This link contains the different types ofauthentication services enabled for the user.

4. Scroll down the page. Under User Profile, the following details are displayed.You can modify these details except for the Administrative Policies.v Namev Last namev E-mail addressv Enterprise user namev User principle namev Mobile ActiveCode phone numberv Mobile ActiveCode e-mail addressv Mobile AcitveCode preferencesv Helpdesk Authorizationv Authentication Factorsv OTP Token Assignmentv Cached Walletsv Wallet Access Controlv Administrative Policies (for administrators only)v Authentication Policiesv AccessAssistant and Web Workplace Policiesv Wallet Policiesv AccessAgent Policiesv Authentication Service Policies

Chapter 1. Overview on Help desk tasks 3


Chapter 2. Managing authentication factors

Managing second authentication factors involve tasks such as distribution,maintenance, and safekeeping of these authentication factors.

Task Description

Providing second authentication factors tonew employees

Orient each new employee on the basicconcepts of IBM Security Access Managerfor Enterprise Single Sign-On.

Replacing lost second authenticationfactors

The second authentication factor must berevoked when it is lost or stolen to preventunauthorized use.Note: Revocation is permanent within theIBM Security Access Manager for EnterpriseSingle Sign-On system. When a secondauthentication factor is revoked, it cannot bereused unless it is registered again.

Safeguarding unused second authenticationfactors

Second authentication factors are of no valuewithout user credentials, or unless registeredwith the IMS Server.

Only one Help desk officer is required tomonitor the inventory of secondauthentication factors but a contingency planmust be set in case the designated officer isunavailable.

For managing authentication factors using AccessAdmin, see the following topics.v “Modifying second authentication factor-related policies”v “Generating authorization codes for users” on page 8v “Revoking authentication factors” on page 10

Modifying second authentication factor-related policiesSecond authentication factor-specific policies are only applicable to users withmore than one authentication factor. Modify the policies appropriate to the type ofsecond authentication factor that is used by the user.

Smart card policiesSmart card policies are the policies that you can set to define how AccessAgentmust behave when the user use a smart card for authentication.

Procedure1. Log on to AccessAdmin.2. Navigate to the profile of the user.3. Click AccessAgent Policies.4. Under Smart card Policies, complete the following field:


Option Description

Smart card removal actions The action that AccessAgent takes when thesmart card is removed.

5. Click Update.

Hybrid smart card policiesHybrid smart card policies are the policies that you can set to define howAccessAgent must behave when the user use a hybrid smart card forauthentication.

Procedure1. Log on to AccessAdmin.2. Navigate to the profile of the user.3. Click AccessAgent Policies.4. Under Hybrid Smart card Policies, complete the following fields:

Option Description

Enable single factor smart card unlock Specifies whether single factor smart cardunlock is supported.

Time expiry, in seconds, for single factorsmart card unlock

Specifies the expiration indicated in seconds,for single factor smart card unlock.

Time expiry, in minutes, for single factorsmart card logon

Specifies the expiration indicated in minutes,for single factor smart card logon.

Extend single factor smart card logon timeexpiry when user logs on with smart cardand PIN

Specifies whether to extend the single factorsmart card logon time expiry when a userlogs on using a smart card and PIN.

Actions on presenting same smart card ondesktop if user logged on with singlefactor

The action that AccessAgent takes when thesame smart card is presented when the useris logged in with a single factor.

Confirmation countdown duration, inseconds, for presenting the same smart cardon desktop

The countdown time frame for the specifiedaction to take place after tapping the samesmart card.

Actions on presenting different smart cardon desktop if user logged on with singlefactor

The action that AccessAgent takes when adifferent smart card is presented when theuser is logged in with a single factor.

Confirmation countdown duration, inseconds, for presenting a different smartcard on desktop

The countdown time frame for the specifiedaction to take place after tapping a differentsmart card.

5. Click Update.

RFID policiesRFID policies are the policies that you can set to define how AccessAgent mustbehave when the user use an RFID card for authentication.

Procedure1. Log on to AccessAdmin.2. Navigate to the profile of the user.3. Click AccessAgent Policies.4. Under RFID Policies, complete the following fields:


Option Description

Actions on tapping same RFID on desktop Specifies the action that AccessAgentperforms when the logged on user taps theRFID card on the reader again.

Confirmation countdown duration, inseconds, for tapping same RFID ondesktop

Specifies the number of seconds thatAccessAgent displays a message box. Thisbox is displayed when AccessAgent is aboutto perform an action after the same RFIDcard is tapped on the reader.

The message box provides two options forthe user, one of which must be selectedbefore the specified number of secondsexpire.

The user can either click Yes to proceed withthe action, or No to reactivate the desktop.

Enable RFID-only unlock If you set this policy to Yes, then the usercan unlock the RFID card in a specifiedduration that does not require a password.

Time expiry, in seconds, for RFID-onlyunlock

Specifies the number of seconds thatAccessAgent can apply an RFID-only unlockthat does not require a password.

Time expiry, in minutes, for RFID-onlylogon

Specifies the number of minutes thatAccessAgent can apply RFID-only logon thatdoes not require a password.

Actions on tapping different RFID ondesktop

Specifies the actions that AccessAgentperforms when a user taps a different RFIDcard on the reader while another user islogged on.

Confirmation countdown duration, inseconds, for tapping different RFID ondesktop

Specifies the number of seconds thatAccessAgent displays a message box. Thisbox is displayed when AccessAgent is aboutto perform an action after a user taps adifferent RFID card on the reader.


The user can either click Yes to letAccessAgent proceed with the action, or Noto reactivate the desktop.

5. Click Update.

Fingerprint policiesFingerprint policies are the policies that you can set to define how AccessAgentmust behave when the user use a fingerprint for authentication.

Procedure1. Log on to AccessAdmin.2. Navigate to the profile of the user.3. Click AccessAgent Policies.

Chapter 2. Managing authentication factors 7

4. Under Fingerprint Policies, complete the following fields:

Option Description

Actions on tapping same fingerprint ondesktop

Specifies the action that AccessAgentperforms when a logged on user imprintsthe same finger on the fingerprint reader.

Confirmation countdown duration, inseconds, for tapping same finger ondesktop

Specifies the number of seconds thatAccessAgent displays a message box. Thisbox is displayed when AccessAgent is aboutto perform an action after a user imprintedthe same finger on the fingerprint reader.



Actions on tapping different finger ondesktop

Specifies the action that AccessAgentperforms when another user imprints afinger on the reader, even though anotheruser is logged on.

Confirmation countdown duration, inseconds, for tapping different finger ondesktop

Specifies the number of seconds thatAccessAgent displays a message box. Thisbox is displayed when AccessAgent is aboutto perform an action after a different userplaces a finger on the fingerprint reader.



5. Click Update.

Generating authorization codes for usersAn authorization code is a system-generated code used as an authentication factorfor specific scenarios. It can be used for password reset, and temporary bypass ofan authentication factor.

Procedure1. Navigate to the profile of the user.2. Ask the user whether a request code is displayed on screen.

v If there is a request code, click Temporary offline access to the Wallet in theHelp desk Authorization panel, and enter the request code.

Tip: The user has a request code because connectivity to the IMS Servermight not be available.As a security measure, the user must provide a request code before you canissue an authorization code for temporary offline access.


Note: You must inform the user that for temporary offline access, the newpassword is only valid for that computer.

v If there is no request code, click Password reset, unlock account, temporaryonline access or registration of second factors in the Help deskAuthorization panel.

3. Select a validity period from the options in the list.4. Click Issue authorization code.

Enabling ActiveCode for the userActiveCode is a randomly generated, event-based one-time password. Users useActiveCodes to log on to web applications, AccessAssistant or Web Workplace, andapplications supporting RADIUS, such as VPN Servers.

Procedure1. Navigate to the profile of the user.2. Under the user name, click Authentication services.3. In ActiveCode-enabled authentication service, select the ActiveCode-enabled

authentication services of the new user.4. Enter the user name for the ActiveCode-enabled authentication service.5. Click Add Account.

Locking the ActiveCode-enabled authentication service forusers

To temporarily prevent a user from using an ActiveCode-enabled authenticationservice, you can lock the service. You can also set the service to lock a userautomatically after a user enters a wrong ActiveCode several times.

Procedure1. Navigate to the profile of the user.2. Under the user name, click Authentication services.3. In ActiveCode-enabled authentication service, select the user name and the

ActiveCode-enabled authentication service to disable.4. Select Locked from the Status list.5. Click Update status.

Deleting ActiveCode for usersYou can delete the access of a user to an ActiveCode-enabled authentication serviceif the user no longer uses it.

Procedure1. Navigate to the profile of the user.2. Under the user name, click Authentication services.3. In ActiveCode-enabled authentication service, select the user name you want

to delete for an ActiveCode-enabled authentication service account.4. Click Delete account.5. Click OK.

Chapter 2. Managing authentication factors 9

Revoking authentication factorsYou can revoke a second authentication factor or Wallet when the user leaves theorganization or when a second authentication factor is reported lost or stolen.

Procedure1. Navigate to the profile of the user.2. Scroll down to the Authentication Factors panel.3. Select the check box of the Wallet or authentication factor to revoke.4. Click Revoke.


Chapter 3. Modifying policies

As a Help desk officer, you can modify user policies and view system and machinepolicies.

See the table for details about the privileges of an Administrator and Help deskofficer on policies.

Role System Policies Machine Policies User Policies

Administrator can view and modify can view and modify can view and modify

Help desk view only view only can view and modify,except administrativepolicies

See the following topics for more information about modifying and viewingpolicies.v “Modifying AccessAgent policies”v “Modifying Wallet policies” on page 13v “Viewing and setting policy priorities” on page 14

Modifying AccessAgent policiesYou can modify the policies that define the behavioral patterns of AccessAgent ona computer when a user is logged on.

Lock/Unlock policiesLock and unlock policies are the policies that you can set to define when and howAccessAgent locks and unlocks the user session.

Procedure1. Log on to AccessAdmin.2. Navigate to the profile of the user.3. Click AccessAgent Policies.4. Under Lock/Unlock Policies, complete the following fields:

Option Description

Enable lock script during locking of theuser's AccessAgent session

If you select Yes, AccessAgent runs a lockscript when locking an AccessAgent session.

Lock script type Specifies the type of lock script to run whenlocking a session.

Lock script code Specifies the source code of the lock script torun when locking a session.

Enable unlock script when user unlocks anexisting AccessAgent session

If you select Yes, AccessAgent runs anunlock script when unlocking an existingAccessAgent session.

Unlock script type Specifies the type of unlock script to runwhen unlocking a session.


Option Description

Unlock script code Specifies the source code of the unlock scriptto run when unlocking a session.

Unlock computer policy Specifies the type of user who can unlock acomputer after a logged on user has beenlocked.

Same user is the user who locked thecomputer. Admin is the Windows user withAdministrator privileges on the computer.

Confirmation countdown, in seconds, forunlocking by a different user

Specifies the number of seconds a differentuser can unlock the computer.

5. Click Update.

Roaming session policiesRoaming session policies are the policies that you can set to define theAccessAgent action on a remote session when computer is locked or session islogged off.

Procedure1. Under Roaming session policies, complete the following fields:

Option Description

Actions on remote session while lockinglocal computer

Option to disconnect the Terminal serversession or log off the remote AccessAgentwhile locking the local computer.

Actions on remote session before loggingoff local session

Option to disconnect the Terminal serversession or log off the remote AccessAgentbefore logging off the local AccessAgent.

2. Click Update.

Logon/Logoff policiesLogon and logoff policies are the policies that you can set to define how a user islogged on or logged off from a user session.

Procedure1. Under Logon/Logoff Policies, complete the following fields:

Option Description

Enable logon script during user logon If you set this policy to Enabled, a scriptruns whenever the user logs on toAccessAgent.

The logon script specifies various actionsthat AccessAgent performs upon logon, suchas selecting the applications to start, orselecting the connecting network resources.

Logon script type Specifies the types of logon script used withAccessAgent.


Option Description

Logon script code Use this option so that Administrators cancopy the logon script source code in the textbox.

Enable logoff script during user logoff Specifies the running of a script wheneverthe user logs off from AccessAgent.

The logoff script specifies various actionsthat AccessAgent performs upon logoff, suchas selecting the applications to close andselecting the disconnecting networkresources.

Logoff script type Specifies the types of logoff script used withAccessAgent.

Logoff script code Use this option so that Administrators cancopy the logoff script source code in the textbox.

Allow user to manually log offAccessAgent

If you set this policy to Yes, then users canlog off from AccessAgent manually.

Actions on manual logoff by user Specifies the action AccessAgent performswhen the user logs off.

Confirmation countdown duration, inseconds, for manual logoff by user

Specifies the number of seconds thecomputer can request the user to confirmlogoff after a period of inactivity.

2. Click Update.

Modifying Wallet policiesYou can set Wallet policies such as exporting and the display of passwords inAccessAdmin.

Procedure1. Navigate to the profile of the user.2. Under User Profile, click Wallet Policies.3. Complete the following fields:

Option Description

Enable "Never" for enterpriseauthentication services

v If you set the policy to Yes, then a usercan set an enterprise authenticationservices password entry option to Never.

v If you set the policy to No, then thepassword entry option does not have theoption Never.

Enable single sign-on using the automaticsign-on mode for personal authenticationservices

Specifies whether to enable automaticsign-on to authentication services.

Option for displaying of applicationpasswords in AccessAgent

Specifies whether to display applicationpasswords in the Wallet Manager ofAccessAgent through the Show passwordsoption.

Chapter 3. Modifying policies 13

Option Description

Option for exporting of applicationpasswords in AccessAgent

Specifies whether to export applicationpasswords in the Wallet Manager ofAccessAgent through the Export? option.

Allow user to enable/disable single sign-onusing the automatic sign-on mode

If you set the policy to Yes, then the usercan enable automatic sign-on.

List of Wallet items that can be edited bythe user through AccessAgent

Each Wallet item that the user can editthrough AccessAgent is highlighted.

4. Click Update.

Setting wallet authentication policiesA wallet contains credentials of a user, like passwords. Access to the wallet isstrengthened by enforcing the use of additional authentication factors, such asRFID badges, biometrics, and smart card tokens.

Procedure1. Navigate to the profile of the user.2. Under User Profile, click Authentication Policies.3. Select the corresponding Wallet authentication policy.4. Click Update.

Revoking cached WalletsRevoke the cached user Wallets if the machine contains many Wallets that are nolonger needed or if users cannot log on to their cached Wallets. When the cachedWallets are revoked, users can download a new Wallet from the IMS Server.

Procedure1. Navigate to the profile of the user.2. Scroll down to the Cached Wallet panel.3. Select the check box of the Wallet that you want to revoke.4. Click Revoke.

Locking WalletsYou can lock a Wallet to temporarily prevent access to the Wallet of the user. Agood example is when the user goes for an extended holiday or when an employeeleaves the organization.

Procedure1. Navigate to the profile of the user.2. Under User Profile, click Wallet Access Control.3. Click Lock wallet.

Viewing and setting policy prioritiesIf a policy is defined for two scopes, define which takes higher priority. Setting thepriority is useful in case the timeout value for the policy is different for the twoscopes. For example, if the policy priority is a machine, then only the machinepolicy is effective.


Policies can be modified only by Help desk officers and Administrators. Thesepolicies affect the behavior of the whole system and must be modified only whenit is necessary. These policies are set at deployment and followed through. Changesto these policies are propagated to clients the next time AccessAgent synchronizeswith the IMS Server.

Important: Older versions of AccessAgent still use the original policy priorities,and values do not change after upgrading the IMS Server. To change policypriorities, upgrade all installations of AccessAgent to version 8.0 or later, and thenlaunch the command prompt.

Viewing policy prioritiesIf you want to view the current scope and the priority level of a policy, use thecommand managePolPriority --policyId [name of policy].

Before you begin

Run setupCmdLine.bat to configure the path to the WebSphere Application Serverprofile where the IMS Server is installed. Set the value to WAS_PROFILE_HOME.

Procedure1. Launch the Windows command prompt.

a. Click Start > Run.b. Enter cmd in the Open field.c. Click OK. The command prompt window is displayed.

2. Navigate to the batch file folder. Type <IMS installation folder>\bin, thenpress Enter.

3. Type managePolPriority.bat to view the information about executing the batchfile, then press Enter.

4. Type managePolPriority --policyId [name of policy], then press Enter. Thescope and priority of a specific policy are displayed.

5. Type exit to close the command prompt and then press Enter.

Setting policy prioritiesSystem, machine, and user policies each have unique and overlapping policyparameters. Certain policies such as AccessAgent lock and unlock, desktopinactivity, and logon and logoff can be defined in more than one policy type. Indeployments where many policies are defined, several policies can overlap. In thiscase, use the managePolPriority command-line utility to manage policy priorities.

Procedure1. Launch the Windows command prompt.

a. Click Start > Run.b. Enter cmd in the Open field.c. Click OK. The command prompt window is displayed.

2. Navigate to the batch file folder. Type <IMS installation folder>\bin, thenpress Enter.

3. To change the scope of the policy, enter the following information.managePolPriority--policyId [name of policy]--scope [scp ims or scp machine] --templateId[template ID]

Chapter 3. Modifying policies 15

The scope that is given highest priority is assigned a value of 1, the next scopeis assigned with a value of 2, and so on.

Note: Provide a template ID to specify the assigned template of the machine,user, or system.

4. Press Enter.5. Type exit to close the command prompt and then press Enter.


Chapter 4. Viewing policies

If you want to know or verify the values set for a particular user, machine orsystem policy, open AccessAdmin and select the corresponding policy category.

See the following topics for more information.v “Viewing a user or machine policy template”v “Viewing system policies”v “Viewing administrative policies”

Viewing a user or machine policy templateYou can view user and machine policy templates. Only administrators can modifythem.

Procedure1. In the AccessAdmin navigation panel, select your template.

v For user policy templates, select User Policy Templates > [name of thetemplate].

v For machine policy templates, select Machine Policy Templates > Templateassignments > [name of the template].

Take note of the following information.v There is one Default template.

If the Administrator defines the templates, these templates are displayed inthe other templates available under the Policy Templates option in thenavigation panel.

v These other templates are fully configurable and the naming convention isset by the Administrator.

2. Click the policy to view the details.

Viewing system policiesYou can view system policies in AccessAdmin.

Procedure1. In the AccessAdmin navigation panel, select System > System policies.2. Click on the policy to view the details.

Viewing administrative policiesYou can view administrative policies in AccessAdmin.1. Navigate to the profile of the user.2. Under User Profile, click Administrative Policies.

The current role and the Help desk identities are displayed.

The Update, Revoke, and Delete user buttons are disabled because you cannotmodify this setting.



Notices

This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.1623-14, Shimotsuruma, Yamato-shiKanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law :

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certaintransactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subjectto change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject tochange before the products described become available.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment to


IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. You may copy,modify, and distribute these sample programs in any form without payment toIBM for the purposes of developing, using, marketing, or distributing applicationprograms conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and colorillustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at Copyright andtrademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Officeof Government Commerce, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Notices 21

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in theUnited States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo aretrademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marksof others.


Glossary

AccessAdmin. A web-based management console thatAdministrators and Helpdesk officers use to administerthe IMS Server and to manage users and policies.

AccessAgent plug-in. A piece of script, written inVBscript or Javascript, that is embedded within anAccessProfile to perform custom checking of conditionsor to execute custom actions. It is used for extendingthe capability of an AccessProfile beyond the built-intriggers and actions.

AccessAgent. The client software that manages theidentity of the user, authenticates the user, andautomates single sign-on and sign-off.

AccessAssistant. The web-based interface that helpsusers to reset their passwords and retrieve theirapplication credentials.

AccessProfile widget / widget. An independentAccessProfile that consists of pinnable states, which canbe used to build another AccessProfile.

AccessProfiles. AccessAgent uses these XMLspecifications to identify application screens that it canperform single sign-on and automation.

AccessStudio. An application used by Administratorsfor creating and maintaining AccessProfiles.

Account data bag. A data structure that holds usercredentials in memory while single sign-on isperformed on an application.

Account data item template. A template that definesthe properties of an account data item.

Account data item. The user credentials required forlogon.

Account data template. A template that defines theformat of account data to be stored for credentialscaptured by using a specific AccessProfile.

Account data. The logon information required toverify an authentication service. It can be the username, password, and the authentication service whichthe logon information is stored.

Action. In profiling, an act that can be performed inresponse to a trigger. For example, automatic filling ofuser name and password details as soon as a sign-onwindow displays.

Active Directory (AD). A hierarchical directory servicethat enables centralized, secure management of anentire network, which is a central component of theMicrosoft Windows platform.

Active Directory credentials. The Active Directoryuser name and password.

Active Directory password synchronization. An IBMSecurity Access Manager for Enterprise Single Sign-Onfeature that synchronizes the ISAM ESSO passwordwith the Active Directory password.

Active RFID (ARFID). ARFID is both a secondauthentication factor and a presence detector. It candetect the presence of a user and AccessAgent can beconfigured to perform specific actions. In previousreleases, it is called Active Proximity Badge.

ActiveCode. Short-lived authentication codes that aregenerated and verified by IBM Security AccessManager for Enterprise Single Sign-On. There are twotypes of ActiveCodes: Mobile ActiveCodes andPredictive ActiveCodes.

Mobile ActiveCodes are generated by IBM SecurityAccess Manager for Enterprise Single Sign-On anddispatched to the mobile phone or email account of theuser. Predictive ActiveCodes, or One Time Passwords,are generated from OTP tokens when a user presses itsbutton.

Combined with alternative channels or devices,ActiveCodes provide effective second-factorauthentication.

Administrator. A person responsible foradministrative tasks such as access authorization andcontent management. Administrators can also grantlevels of authority to users.

Application policies. A collection of policies andattributes governing access to applications.

Application programming interface (API). Aninterface that allows an application program written ina high-level language to use specific data or functionsof the operating system or another program.

Application. One or more computer programs orsoftware components that provide a function in directsupport of a specific business process or processes. InAccessStudio, it is the system that provides the userinterface for reading or entering the authenticationcredentials.

Audit. A process that logs the user, Administrator, andHelpdesk activities.

Authentication factor. The different devices,biometrics, or secrets required as credentials forvalidating digital identities. Examples of authentication


factors are passwords, smart card, RFID, biometrics,and one-time password tokens.

Authentication service. In IBM Security AccessManager for Enterprise Single Sign-On, a service thatverifies the validity of an account against their ownuser store or against a corporate directory. Identifies theauthentication service associated with a screen. Accountdata saved under a particular authentication service isretrieved and auto-filled for the logon screen that isdefined. Account data captured from the logon screendefined is saved under this authentication service.

Authorization code. An alphanumeric code generatedfor administrative functions, such as password resets ortwo-factor authentication bypass with AccessAgent,AccessAssistant, and Web Workplace.

Auto-capture. A process that allows a system to collectand reuse user credentials for different applications.These credentials are captured when the user entersinformation for the first time, and then stored andsecured for future use.

Automatic sign-on. A feature where users can log onto the sign-on automation system and the system logson the user to all other applications.

Base distinguished name. A name that indicates thestarting point for searches in the directory server.

Bidirectional language. A language that uses a script,such as Arabic and Hebrew, whose general flow of textproceeds horizontally from right to left, but numbers,English, and other left-to-right language text arewritten from left to right.

Bind distinguished name. A name that specifies thecredentials for the application server to use whenconnecting to a directory service. The distinguishedname uniquely identifies an entry in a directory. Seealso Distinguished name.

Biometrics. The identification of a user based on aphysical characteristic of the user, such as a fingerprint,iris, face, voice, or handwriting.

Card Serial Number (CSN). A unique data item thatidentifies a hybrid smart card. It has no relation to thecertificates installed in the smart card

Cell. In WebSphere Application Server, a cell is avirtual unit that consists of a deployment manager andone or more nodes.

Certificate authority (CA). A trusted organization orcompany that issues the digital certificates. Thecertificate authority typically verifies the identity of theindividuals who are granted the unique certificate.

IMS Server Certificate. Used in IBM Security AccessManager for Enterprise Single Sign-On. The IMS ServerCertificate allows clients to identify and authenticate anIMS Server.

Client AccessAgent. AccessAgent installed andrunning on the client machine.

Client workstation, client machine, client computers.Computers where AccessAgent installed.

Clinical Context Object Workgroup (CCOW). Avendor independent standard, for the interchange ofinformation between clinical applications in thehealthcare industry.

Clustering. In WebSphere Application Server,clustering is the ability to group application servers.

Clusters. A group of application servers thatcollaborate for the purposes of workload balancing andfailover.

Command line interface. A computer interface inwhich the input command is a string of text characters.

Credentials. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

Cryptographic application programming interface(CAPI). An application programming interface thatprovides services to enable developers to secureapplications using cryptography. It is a set ofdynamically-linked libraries that provides anabstraction layer which isolates programmers from thecode used to encrypt the data.

Cryptographic Service Provider (CSP). A feature ofthe i5/OS® operating system that provides APIs. TheCCA Cryptographic Service Provider enables a user torun functions on the 4758 Coprocessor.

Data source. The means by which an applicationaccesses data from a database.

Database (DB) server. A software program that uses adatabase manager to provide database services tosoftware programs or computers.

DB2®. A family of IBM licensed programs forrelational database management.

Deployment manager profiles. A WebSphereApplication Server runtime environment that managesoperations for a logical group, or cell, of other servers.

Deployment manager. A server that manages andconfigures operations for a logical group or cell ofother servers.


Deprovision. To remove a service or component. Forexample, to deprovision an account means to delete anaccount from a resource.

Desktop application. Application that runs in adesktop.

Desktop Manager. Manages concurrent user desktopson a single workstation

Direct auth-info. In profiling, direct auth-info is adirect reference to an existing authentication service.

Directory service. A directory of names, profileinformation, and computer addresses of every user andresource on the network. It manages user accounts andnetwork permissions. When a user name is sent, itreturns the attributes of that individual, which mightinclude a telephone number, or an email address.Directory services use highly specialized databases thatare typically hierarchical in design and provide fastlookups.

Directory. A file that contains the names andcontrolling information for objects or other directories.

Disaster recovery site. A secondary location for theproduction environment in case of a disaster.

Disaster recovery. The process of restoring a database,system, policies after a partial or complete site failurethat was caused by a catastrophic event such as anearthquake or fire. Typically, disaster recovery requiresa full backup at another location.

Distinguished name. The name that uniquelyidentifies an entry in a directory. A distinguished nameis made up of attribute:value pairs, separated bycommas. For example, CN=person name andC=country or region.

Distributed IMS Server. The IMS Servers aredeployed in multiple geographical locations.

Domain name server (DNS). A server program thatsupplies name-to-address conversion by mappingdomain names to IP addresses.

Dynamic link library (DLL). A file containingexecutable code and data bound to a program at loadtime or run time, rather than during linking. The codeand data in a DLL can be shared by severalapplications simultaneously.

Enterprise directory. A directory of user accounts thatdefine IBM Security Access Manager for EnterpriseSingle Sign-On users. It validates user credentialsduring sign-up and logon, if the password issynchronized with the enterprise directory password.An example of an enterprise directory is ActiveDirectory.

Enterprise Single Sign-On (ESSO). A mechanism thatallows users to log on to all applications deployed inthe enterprise by entering a user ID and othercredentials, such as a password.

Enterprise user name. The user name of a useraccount in the enterprise directory.

ESSO audit logs. A log file that contains a record ofsystem events and responses. ESSO audit logs arestored in the IMS Database.

ESSO Credential Provider. Previously known as theEncentuate Credential Provider (EnCredentialProvider),this is the IBM Security Access Manager for EnterpriseSingle Sign-On GINA for Windows Vista and Windows7.

ESSO credentials. The ISAM ESSO user name andpassword.

ESSO GINA. Previously known as the EncentuateGINA (EnGINA). IBM Security Access Manager forEnterprise Single Sign-On GINA provides a userinterface that is integrated with authentication factorsand provide password resets and second factor bypassoptions.

ESSO Network Provider. Previously known as theEncentuate Network Provider (EnNetworkProvider).An AccessAgent module that captures the ActiveDirectory server credentials and uses these credentialsto automatically log on the users to their Wallet.

ESSO password. The password that secures access tothe user Wallet.

Event code. A code that represents a specific eventthat is tracked and logged into the audit log tables.

Failover. An automatic operation that switches to aredundant or standby system in the event of asoftware, hardware, or network interruption.

Fast user switching. A feature that allows users toswitch between user accounts on a single workstationwithout quitting and logging out of applications.

Federal Information Processing Standard (FIPS). Astandard produced by the National Institute ofStandards and Technology when national andinternational standards are nonexistent or inadequate tosatisfy the U.S. government requirements.

Fix pack. A cumulative collection of fixes that is madeavailable between scheduled refresh packs,manufacturing refreshes, or releases. It is intended toallow customers to move to a specific maintenancelevel.

Fully qualified domain name (FQDN). In Internetcommunications, the name of a host system that

Glossary 25

includes all of the subnames of the domain name. Anexample of a fully qualified domain name isrchland.vnet.ibm.com.

Graphical Identification and Authentication (GINA).A dynamic link library that provides a user interfacethat is tightly integrated with authentication factors andprovides password resets and second factor bypassoptions.

Group Policy Object (GPO). A collection of grouppolicy settings. Group policy objects are the documentscreated by the group policy snap-in. Group policyobjects are stored at the domain level, and they affectusers and computers contained in sites, domains, andorganizational units.

High availability (HA). The ability of IT services towithstand all outages and continue providingprocessing capability according to some predefinedservice level. Covered outages include both plannedevents, such as maintenance and backups, andunplanned events, such as software failures, hardwarefailures, power failures, and disasters.

Host name. In Internet communication, the namegiven to a computer. The host name might be a fullyqualified domain name such asmycomputer.city.company.com, or it might be a specificsubname such as mycomputer.

Hot key. A key sequence used to shift operationsbetween different applications or between differentfunctions of an application.

Hybrid smart card. An ISO-7816 compliant smart cardwhich contains a public key cryptography chip and anRFID chip. The cryptographic chip is accessible throughcontact interface. The RFID chip is accessible throughcontactless (RF) interface.

IBM HTTP server. A web server. IBM offers a webserver, called the IBM HTTP Server, that acceptsrequests from clients and forward to the applicationserver.

IMS Bridge. A module embedded in third-partyapplications and systems to call to IMS APIs forprovisioning and other purposes.

IMS Configuration Utility. A utility of the IMS Serverthat allows Administrators to manage lower-levelconfiguration settings for the IMS Server.

IMS Configuration wizard. Administrators use thewizard to configure the IMS Server during installation.

IMS Connector. A module that connects IMS toexternal systems to dispatch a mobile active code to amessaging gateway.

IMS data source. A WebSphere Application Serverconfiguration object that defines the location andparameters for accessing the IMS database.

IMS Database. The relational database where the IMSServer stores all ESSO system, machine, and user dataand audit logs.

IMS Root CA. The root certificate authority that signscertificates for securing traffic between AccessAgentand IMS Server.

IMS Server. An integrated management system forISAM ESSO that provides a central point of secureaccess administration for an enterprise. It enablescentralized management of user identities,AccessProfiles, authentication policies, provides lossmanagement, certificate management, and auditmanagement for the enterprise.

Indirect auth-info. In profiling, indirect auth-info is anindirect reference to an existing authentication service.

Interactive graphical mode. A series of panels thatprompts for information to complete the installation.

IP address. A unique address for a device or logicalunit on a network that uses the Internet Protocolstandard.

Java Management Extensions (JMX). A means ofdoing management of and through Java technology.JMX is a universal, open extension of the Javaprogramming language for management that can bedeployed across all industries, wherever management isneeded.

Java runtime environment (JRE). A subset of a Javadeveloper kit that contains the core executableprograms and files that constitute the standard Javaplatform. The JRE includes the Java virtual machine(JVM), core classes, and supporting files.

Java virtual machine (JVM). A softwareimplementation of a processor that runs compiled Javacode (applets and applications).

Keystore. In security, a file or a hardwarecryptographic card where identities and private keysare stored, for authentication and encryption purposes.Some keystores also contain trusted, or public, keys.

Lightweight Directory Access Protocol (LDAP). Anopen protocol that uses TCP/IP to provide access todirectories that support an X.500 model. An LDAP canbe used to locate people, organizations, and otherresources in an Internet or intranet directory.

Lightweight mode. A Server AccessAgent mode.Running in lightweight mode reduces the memoryfootprint of AccessAgent on a Citrix/Terminal Serverand improves the single sign-on startup duration.


Load balancing. The monitoring of application serversand management of the workload on servers. If oneserver exceeds its workload, requests are forwarded toanother server with more capacity.

Lookup user. A user who is authenticated in theEnterprise Directory and searches for other users. IBMSecurity Access Manager for Enterprise Single Sign-Onuses the lookup user to retrieve user attributes from theActive Directory or LDAP enterprise repository.

Main AccessProfile. The AccessProfile that containsone or more AccessProfile widgets

Managed node. A node that is federated to adeployment manager and contains a node agent andcan contain managed servers.

Microsoft Cryptographic application programminginterface (CAPI). An interface specification fromMicrosoft for modules that provide cryptographicfunctionality and that allow access to smart cards.

Mobile ActiveCode (MAC). A one-time password thatis used by users for two-factor authentication in WebWorkplace, AccessAssistant, and other applications.This OTP is randomly generated and dispatched touser through SMS or email.

Mobile authentication. An authentication factorwhich allows mobile users to sign-on securely tocorporate resources from anywhere on the network.

Network deployment. Also known as a clustereddeployment. A type of deployment where the IMSServer is deployed on a WebSphere Application Servercluster.

Node agent. An administrative agent that manages allapplication servers on a node and represents the nodein the management cell.

Nodes. A logical group of managed servers.

One-Time Password (OTP). A one-use passwordgenerated for an authentication event, sometimescommunicated between the client and the serverthrough a secure channel.

OTP token. A small, highly portable hardware devicethat the owner carries to authorize access to digitalsystems and physical assets.

Password aging. A security feature by which thesuperuser can specify how often users must changetheir passwords.

Password complexity policy. A policy that specifiesthe minimum and maximum length of the password,the minimum number of numeric and alphabeticcharacters, and whether to allow mixed uppercase andlowercase characters.

Personal applications. Windows and web-basedapplications where AccessAgent can store and entercredentials.

Some examples of personal applications are web-basedmail sites such as Company Mail, Internet bankingsites, online shopping sites, chat, or instant messagingprograms.

Personal desktop. The desktop is not shared with anyother users.

Personal Identification Number (PIN). InCryptographic Support, a unique number assigned byan organization to an individual and used as proof ofidentity. PINs are commonly assigned by financialinstitutions to their customers.

Pinnable state. A state from the AccessProfile widgetthat is declared as 'Can be pinned in anotherAccessProfile'.

Pinned state. A pinnable state that is attached to astate in the main AccessProfile.

Policy template. A predefined policy form that helpsusers define a policy by providing the fixed policyelements that cannot be changed and the variablepolicy elements that can be changed.

Portal. A single, secure point of access to diverseinformation, applications, and people that can becustomized and personalized.

Presence detector. A device that, when fixed to acomputer, detects when a person moves away from it.This device eliminates manually locking the computerupon leaving it for a short time.

Primary authentication factor. The IBM SecurityAccess Manager for Enterprise Single Sign-Onpassword or directory server credentials.

Private desktop. Under this desktop scheme, usershave their own Windows desktops in a workstation.When a previous user return to the workstation andunlocks it, AccessAgent switches to the desktop sessionof the previous user and resumes the last task.

Private key. In computer security, the secret half of acryptographic key pair that is used with a public keyalgorithm. The private key is known only to its owner.Private keys are typically used to digitally sign dataand to decrypt data that has been encrypted with thecorresponding public key.

Provisioning API. An interface that allows IBMSecurity Access Manager for Enterprise Single Sign-Onto integrate with user provisioning systems.

Provisioning bridge. An automatic IMS Servercredential distribution process with third partyprovisioning systems that uses API libraries with aSOAP connection.

Glossary 27

Provisioning system. A system that provides identitylifecycle management for application users inenterprises and manages their credentials.

Provision. To provide, deploy, and track a service,component, application, or resource.

Public Key Cryptography Standards. A set ofindustry-standard protocols used for secure informationexchange on the Internet. Domino® CertificateAuthority and Server Certificate Administrationapplications can accept certificates in PKCS format.

Published application. Application installed on CitrixXenApp server that can be accessed from Citrix ICAClients.

Published desktop. A Citrix XenApp feature whereusers have remote access to a full Windows desktopfrom any device, anywhere, at any time.

Radio Frequency Identification (RFID). An automaticidentification and data capture technology thatidentifies unique items and transmits data using radiowaves.

Random password. An arbitrarily generated passwordused to increase authentication security between clientsand servers.

Registry hive. In Windows systems, the structure ofthe data stored in the registry.

Registry. A repository that contains access andconfiguration information for users, systems, andsoftware.

Remote Authentication Dial-In User Service(RADIUS). An authentication and accounting systemthat uses access servers to provide centralizedmanagement of access to large networks.

Remote Desktop Protocol (RDP). A protocol thatfacilitates remote display and input over networkconnections for Windows-based server applications.RDP supports different network topologies andmultiple connections.

Replication. The process of maintaining a defined setof data in more than one location. Replication involvescopying designated changes for one location (a source)to another (a target) and synchronizing the data in bothlocations.

Revoke. To remove a privilege or an authority froman authorization identifier.

Root certificate authority (CA). The certificateauthority at the top of the hierarchy of authorities bywhich the identity of a certificate holder can beverified.

Scope. A reference to the applicability of a policy, atthe system, user, or machine level.

Secret question. A question whose answer is knownonly to the user. A secret question is used as a securityfeature to verify the identity of a user.

Secure Remote Access. The solution that providesweb browser-based single sign-on to all applicationsfrom outside the firewall.

Secure Sockets Layer (SSL). A security protocol thatprovides communication privacy. With SSL,client/server applications can communicate in a waythat is designed to prevent eavesdropping, tampering,and message forgery.

Secure Sockets Layer virtual private network (SSLVPN). A form of VPN that can be used with astandard web browser.

Security Token Service (STS). A web service used forissuing and exchanging of security tokens.

Security trust service chain. A group of moduleinstances that are configured for use together. Eachmodule instance in the chain is called in turn toperform a specific function as part of the overallprocessing of a request.

Self-service features. Features in IBM Security AccessManager for Enterprise Single Sign-On which users canuse to perform basic tasks such as resetting passwordsand secrets with minimal assistance from Help desk oryour Administrator.

Serial ID Service Provider Interface (SPI). Aprogrammatic interface intended for integratingAccessAgent with third-party Serial ID devices used fortwo-factor authentication.

Serial number. A unique number embedded in theIBM Security Access Manager for Enterprise SingleSign-On Keys, which is unique to each Key and cannotbe changed.

Server AccessAgent. AccessAgent deployed on aMicrosoft Windows Terminal Server or a Citrix server.

Server locator. A locator that groups a related set ofweb applications that require authentication by thesame authentication service. In AccessStudio, serverlocators identify the authentication service with whichan application screen is associated.

Service Provider Interface (SPI). An interface throughwhich vendors can integrate any device with serialnumbers with IBM Security Access Manager forEnterprise Single Sign-On and use it as a second factorin AccessAgent.

Session management. Management of user session onprivate desktops and shared desktops.

Shared desktop. A desktop configuration wheremultiple users share a generic Windows desktop.


Shared workstation. A workstation shared amongusers.

Sign up. To request a resource.

sign-on automation. A technology that works withapplication user interfaces to automate the sign-onprocess for users.

sign-on information. Information required to provideaccess to users to any secure application. Thisinformation can include user names, passwords,domain information, and certificates.

Signature. In profiling, unique identificationinformation for any application, window, or field.

Silent mode. A method for installing or uninstalling aproduct component from the command line with noGUI display. When using silent mode, you specify thedata required by the installation or uninstallationprogram directly on the command line or in a file(called an option file or response file).

Simple Mail Transfer Protocol (SMTP). An Internetapplication protocol for transferring mail among usersof the Internet.

Simple Object Access Protocol (SOAP). Alightweight, XML-based protocol for exchanginginformation in a decentralized, distributedenvironment. SOAP can be used to query and returninformation and invoke services across the Internet.

Single sign-on. An authentication process in which auser can access more than one system or application byentering a single user ID and password.

Smart card middleware. Software that acts as aninterface between smart card applications and thesmart card hardware. Typically the software consists oflibraries that implement PKCS#11 and CAPI interfacesto smart cards.

Smart card. An intelligent token that is embeddedwith an integrated circuit chip that provides memorycapacity and computational capabilities.

Stand-alone deployment. A deployment where theIMS Server is deployed on an independent WebSphereApplication Server profile.

Stand-alone server. A fully operational server that ismanaged independently of all other servers, and it usesits own administrative console.

Strong authentication. A solution that usesmulti-factor authentication devices to preventunauthorized access to confidential corporateinformation and IT networks, both inside and outsidethe corporate perimeter.

Strong digital identity. An online persona that isdifficult to impersonate, possibly secured by privatekeys on a smart card.

System modal message. A system dialog box that istypically used to display important messages. When asystem modal message is displayed, nothing else canbe selected on the screen until the message is closed.

Terminal emulator. A program that allows a devicesuch as a microcomputer or personal computer to enterand receive data from a computer system as if it were aparticular type of attached terminal

Thin client. A client machine that has little or noinstalled software. It has access to applications anddesktop sessions that is running on network serversthat are connected to it. A thin client machine is analternative to a full-function client such as aworkstation.

Tivoli Common Reporting tool. A reportingcomponent that you can use to create, customize, andmanage reports.

Tivoli Identity Manager adapter. An intermediarysoftware component that allows IBM Security AccessManager for Enterprise Single Sign-On to communicatewith Tivoli Identity Manager.

Transparent screen lock. A feature that, whenenabled, permits users to lock their desktop screens butstill see the contents of their desktop.

Trigger. In profiling, an event that causes transitionsbetween states in a states engine, such as, the loadingof a web page or the appearance of window on thedesktop.

Trust service chain. A chain of modules operating indifferent modes. For example: validate, map and issue.

Truststore. In security, a storage object, either a file ora hardware cryptographic card, where public keys arestored in the form of trusted certificates, forauthentication purposes in web transactions. In someapplications, these trusted certificates are moved intothe application keystore to be stored with the privatekeys.

TTY (terminal type). A generic device driver for a textdisplay. A tty typically performs input and output on acharacter-by-character basis.

Two-factor authentication. The use of two factors toauthenticate a user. For example, the use of passwordand an RFID card to log on to AccessAgent.

Uniform resource identifier. A compact string ofcharacters for identifying an abstract or physicalresource.

Glossary 29

User credential. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

User deprovisioning. Removing the user account fromIBM Security Access Manager for Enterprise SingleSign-On.

User provisioning. The process of signing up a userto use IBM Security Access Manager for EnterpriseSingle Sign-On.

Virtual appliance. A virtual machine image with aspecific application purpose that is deployed tovirtualization platforms.

Virtual channel connector. A connector that is used ina terminal services environment. The virtual channelconnector establishes a virtual communication channelto manage the remote sessions between the ClientAccessAgent component and the Server AccessAgent.

Virtual Member Manager (VMM). A WebSphereApplication Server component that providesapplications with a secure facility to access basicorganizational entity data such as people, logonaccounts, and security roles.

Virtual Private Network (VPN). An extension of acompany intranet over the existing framework of eithera public or private network. A VPN ensures that thedata that is sent between the two endpoints of itsconnection remains secure.

Visual Basic (VB). An event-driven programminglanguage and integrated development environment(IDE) from Microsoft.

Wallet caching. When performing single sign-on foran application, AccessAgent retrieves the logoncredentials from the user credential Wallet. The usercredential Wallet is downloaded on the user machineand stored securely on the IMS Server. So users canaccess their Wallet even when they log on to IBMSecurity Access Manager for Enterprise Single Sign-Onfrom a different machine later.

Wallet manager. The IBM Security Access Manager forEnterprise Single Sign-On GUI component that userscan use to manage application credentials in thepersonal identity Wallet.

Wallet Password. A password that secures access tothe Wallet.

Wallet. A secured data store of access credentials of auser and related information, which includes user IDs,passwords, certificates, encryption keys.

Web server. A software program that is capable ofservicing Hypertext Transfer Protocol (HTTP) requests.

Web service. A self-contained, self-describing modularapplication that can be published, discovered, andinvoked over a network using standard networkprotocols. Typically, XML is used to tag the data, SOAPis used to transfer the data, WSDL is used fordescribing the services available, and UDDI is used forlisting what services are available.

Web Workplace. A web-based interface that users canlog on to enterprise web applications by clicking linkswithout entering the passwords for individualapplications. This interface can be integrated with theexisting portal or SSL VPN of the customer.

WebSphere Administrative console. A graphicaladministrative Java application client that makesmethod calls to resource beans in the administrativeserver to access or modify a resource within thedomain.

WebSphere Application Server profile. TheWebSphere Application Server administrator user nameand profile. Defines the runtime environment.

WebSphere Application Server. Software that runs ona web server and that can deploy, integrate, execute,and manage e-business applications.

Windows logon screen, Windows logon UI mode.The screen where users enter their user name andpassword to log on to the Windows desktop.

Windows native fast user switching. A Windows XPfeature which allows users to quickly switch betweenuser accounts.

Windows Terminal Services. A Microsoft Windowscomponent that users use to access applications anddata on a remote computer over a network.

WS-Trust. A web services security specification thatdefines a framework for trust models to establish trustbetween web services.


Index

AAccessAdmin

logging on 2AccessAgent policies 11accessibility viiiActiveCodes

deleting 9enabling 9locking 9

administrative policies 17authentication factors 2, 5

policies 5, 6, 7revoking 10

authorization codesgenerating 8

Bbooks

See publications

Cconventions

typeface ix

Ddirectory names, notation x

Eeducation

See Tivoli technical trainingenvironment variables, notation x

Ffingerprint policies 7

Hhelp desk duties 2, 5hybrid smart card policies 6

IIMS Server

status 2version 2

Llock/unlock policies 11logon/logoff policies 12

Mmanuals

See publications

Nnotation

environment variables xpath names xtypeface x

Oonline publications

accessing viiordering publications viii

Ppasswords 2path names, notation xpolicies

AccessAgent 11administrative 17fingerprint 7hybrid smart card 6lock/unlock 11logon/logoff 12priorities 15RFID 6roaming session 12second authentication factor 5smart card 5system 17viewing 17Wallet 13Wallet authentication 14

policy templatesmachine 17user 17

publications vaccessing online viiordering viii

RRFID policies 6roaming session policies 12

Ssecurity practices 2smart card policies 5system policies 17

TTivoli Information Center viiTivoli technical training viiiTivoli user groups viiitraining, Tivoli technical viiitypeface conventions ix

Uuser

audit logs 3authentication service 3profile 3searching 3verifying 1viewing 3

user groups, Tivoli viii

Vvariables, notation for xverifying user 1

WWallets

locking 14revoking 14



��

Printed in USA

SC23-9953-03

Documents

Help Desk Guide - IBM · Help Desk Guide SC23-9953-03. IBM® ... Overview on Help desk tasks 1 Verifying user identity ... support-related information and serviceability tools for