IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0
Deployment and Administration Workshop
Student’s Training Guide
S150-3032-00

September 2008
Copyright Notice
Copyright © 2008 IBM Corporation, including this documentation and all software. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.
Note to U.S. Government Users—Documentation related to restricted rights—Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

Trademarks
The following are trademarks of IBM Corporation or Tivoli Systems Inc.: IBM, Tivoli, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, TME. In Denmark, Tivoli is a trademark licensed from Kjøbenhavns Sommer - Tivoli A/S.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Lotus is a registered trademark of Lotus Development Corporation.
PC Direct is a trademark of Ziff Communications Company in the United States, other countries, or both and is used by IBM Corporation under license.
ActionMedia, LANDesk, MMX, Pentium, and ProShare are trademarks of Intel Corporation in the United States, other countries, or both.
SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC. For further information, see http://www.setco.org/aboutmark.html.
Other company, product, and service names may be trademarks or service marks of others.

Notices
References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.
Printed in Ireland.
IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0 Deployment and Administration Workshop

IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0 Deployment and Administration Workshop

© 2008 IBM Corporation

1
©Copyright IBM Corp. 2008 Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

IBM Software Group | Tivoli software

Course Objectives
Upon completion of this course, you will be able to:
• Describe the components of IBM Tivoli Access Manager for
Enterprise Single Sign-On 8.0.
• Install and configure the IBM Tivoli Access Manager for Enterprise
Single Sign-On 8.0 server.
• Configure machine profiles for groups of personal or shared
workstations.
• Deploy the access agent component for desktop single sign-on.
• Use Access Studio to create template-based single sign-on profiles.
• Use Access Studio to create advanced single sign-on profiles.
• View reports and audit information.
• Perform a simple integration with IBM Tivoli Identity Manager 5.0.
2

Unit 1: Overview


1-1

Objectives

Upon completion of this unit, you will be able to:
• Describe the IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) solution.
• Identify architectural elements of the solution.

1-2

Identity and Access Management

[Diagram: the identity and access management stack, top to bottom: Strong Authentication; ESSO and Password Management; Session Management and Workflow Automation; Audit and Compliance; Provisioning and Role-Based Access Control; Directory and Meta-Directory Service. The diagram labels the upper group of layers "Agent" and the lower group "Server".]

1-3

Identity and Access Management Suite

[Diagram: TAM E-SSO AccessAgent runs on the Web, the Desktop, and the Citrix or Terminal Services Desktop. The TAM E-SSO IAM Platform provides Strong Authentication, Enterprise Single Sign-On, Workflow Automation, Session Management, Audit and Compliance, Context Management, and User Provisioning; its platform layer comprises Profile Generation, Centralized Administration, Support and Self-Service, Audit Reporting, Directory DB Mgmt, and a SOAP API, above the TAM E-SSO IMS Server.]

Strong Authentication
• Building badge integration
• Active RFID
• Fingerprint biometric
• USB smart cards
• Cell phone authentication
• One-time password (OTP)
• iTag

Enterprise Single Sign-On
• For Windows, Citrix, Terminal Services, and thin client platforms
• For Web, desktop, mainframe, and TTY applications
• Browser based single sign-on (SSO)
• Automatic generation of SSO AccessProfiles

Workflow Automation
• Application launch, drive mapping, single sign-off
• Automate any presentation layer event
• Automate walk away desktop security

Session Management
• Shared desktops
• Roaming desktops
• Private desktops

TAM E-SSO IMS Server

Support and Self-Service
• Loss management
• User self-service

Centralized Administration
• Web-based AccessAdmin
• Group-based and policy-driven management

Centralized Audit
• Endpoint tracking
• Centralized SQL reporting

1-4

TAM E-SSO Architecture

1-5

AccessAgent Overview

[Diagram: Authentication Factors feed the AccessAgent. Its capabilities are grouped under the headings IMS (Central Audit, Central Administration), Access (Strong Authentication, Single Sign-on, Workflow Automation) and Session (Session Management), plus Audit and Tracking. AccessAgent building blocks shown: Automated Actions, Plug-ins, Automation Triggers, Wallet, Observer Framework.]

1-6

Product Components
• TAM E-SSO AccessAgent
  – Client software that manages user identity
  – Enables sign-on and sign-off automation
• TAM E-SSO IMS Server
  – Identity management system that enables centralized management of user identities, AccessProfiles, and policies
• TAM E-SSO AccessAdmin
  – Management console for IMS Server
  – Accessed by administrator and helpdesk users
• TAM E-SSO AccessAssistant
  – Web-based password self-help

1-7

Product Components (continued)

• TAM E-SSO AccessStudio
  – User interface for creating AccessProfiles required to support sign-on and sign-off automation
• TAM E-SSO IMS Service Module
  – Add-on modules that extend the capabilities of IMS
  – TAM E-SSO IMS Bridge
    – IMS Service Modules that enable applications to use IMS as authentication server
  – TAM E-SSO IMS Connector
    – IMS Service Modules that enable IMS to interface with applications

1-8

Platform Support
• TAM E-SSO AccessAgent runs on the following client platforms:
  – Windows 2000
  – Windows XP
  – Windows XP Tablet edition
  – Windows Terminal Services running on Windows Server 2000
  – Windows Terminal Services running on Windows Server 2003
  – Citrix Metaframe (XP) FR2 and above
  – Citrix Metaframe Presentation Server 3.0 and above
• TAM E-SSO also supports thin client platforms. On these platforms, the TAM E-SSO AccessAgent runs on Citrix or Terminal Services:
  – Windows CE
  – Windows XPE
• The TAM E-SSO IMS server runs on any Windows 2000 server and later.

1-9

Summary

You should now be able to:
• Describe the IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) solution.
• Identify architectural elements of the solution.

1-10

Unit 2: Server


2-1

Objectives

Upon completion of this unit, you will be able to:
• Install the IMS Server.
• Configure the IMS Server with Active Directory.

2-2

IMS Server Installation Checklist

• IMS server fully qualified domain name
• Ports: 80 and 443 by default
• Processor speed: 1.2 GHz CPU (minimum)
• Operating system: Microsoft Windows 2000 or 2003 Server
• RAM: 256 MB (minimum), 1 GB (suggested)
• Disk space: 300 MB (minimum)
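The checklist above can be turned into a repeatable pre-installation check. The PowerShell script below is an added example written for this guide; it is not part of the IBM course material or the product. It verifies the host name, the two default ports, the hardware minimums, and the operating system against the figures on this slide. The expected FQDN, the install drive, and the port list are parameters; the name ims.example.com in the usage line is a constructed placeholder, and the script assumes it is run in an elevated PowerShell session on the candidate server.

```powershell
# Added example (not from the IBM course material): pre-installation checks
# for an IMS Server host, derived from the checklist slide. Thresholds are the
# slide's minimums; the FQDN to verify is supplied by the caller.
# Assumption: run in an elevated PowerShell session on the candidate server.

function Test-ImsPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedFqdn,
        [int[]]$Ports = @(80, 443),
        [string]$InstallDrive = 'C:'
    )

    $results = @()

    # 1. Fully qualified domain name: the name the host resolves to must match
    #    the name AccessAgent clients will be pointed at.
    $actualFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $results += [pscustomobject]@{
        Check  = 'FQDN matches'
        Value  = $actualFqdn
        Passed = ($actualFqdn -ieq $ExpectedFqdn)
    }

    # 2. Ports 80 and 443 must not already have a listener (for example IIS).
    #    netstat is parsed so the check also works on older Windows Server releases.
    $listeners = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING'
    $busy = @($listeners | ForEach-Object { [int]$_.Matches[0].Groups[1].Value } | Sort-Object -Unique)
    foreach ($port in $Ports) {
        $inUse = ($busy -contains $port)
        $results += [pscustomobject]@{
            Check  = "Port $port free"
            Value  = if ($inUse) { 'in use' } else { 'free' }
            Passed = -not $inUse
        }
    }

    # 3. Hardware minimums from the checklist: 1.2 GHz CPU, 256 MB RAM (1 GB
    #    suggested), 300 MB free disk on the install drive.
    $cpuMhz = (Get-WmiObject Win32_Processor | Select-Object -First 1).MaxClockSpeed
    $ramMb  = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $freeMb = [math]::Round((Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'").FreeSpace / 1MB)
    $results += [pscustomobject]@{ Check = 'CPU >= 1200 MHz'; Value = $cpuMhz; Passed = ($cpuMhz -ge 1200) }
    $results += [pscustomobject]@{ Check = 'RAM >= 256 MB';   Value = $ramMb;  Passed = ($ramMb -ge 256) }
    $results += [pscustomobject]@{ Check = 'Disk >= 300 MB';  Value = $freeMb; Passed = ($freeMb -ge 300) }

    # 4. Operating system: the checklist names Windows 2000 or 2003 Server.
    $osCaption = (Get-WmiObject Win32_OperatingSystem).Caption
    $results += [pscustomobject]@{
        Check  = 'OS is Windows 2000/2003 Server'
        Value  = $osCaption
        Passed = ($osCaption -match 'Windows (2000|Server 2003)')
    }

    return $results
}

# Usage: print the report and warn if any check failed.
$report = Test-ImsPrerequisites -ExpectedFqdn 'ims.example.com'   # constructed placeholder name
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) { Write-Warning 'IMS prerequisites not met.' }
```

The port check reports a conflict rather than fixing it: a listener on 80 or 443 is usually an existing web server that must be reconfigured or removed before the IMS installer binds those ports.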

2-3

Database Options

• Supported databases:
  – IBM DB2 9.5
  – Microsoft SQL Server 2000 Desktop Engine (MSDE)
  – Microsoft SQL Server 2000 or SQL Server 2005
  – Microsoft SQL Express
  – Oracle 9i, 10g
• IMS Express Install
  – Installs Microsoft SQL Express
  – Prerequisites:
    – Microsoft Data Access Components (MDAC) 2.8 SP1 or later
    – Microsoft Windows Installer 3.1
    – Microsoft .NET Framework 2.0

2-4

IMS Server Installation

2-5

IMS Server Installation Options

• Express Install: Select to configure the IMS Server using the provided database (Microsoft SQL Express 2005).
• Custom Install: Select to configure the IMS Server to use an existing database (DB2, MSDE, Microsoft SQL Server, or Oracle).

2-6

Express Installation

2-7

Express Installation Database Settings

2-8

Express Installation Confirmation

2-9

Custom Installation

2-10

Custom Installation Path

2-11

Custom Installation Server Settings

Specify the fully qualified domain name of the server.

2-12

Custom Installation Database Settings

Specify the database option.

2-13

Custom Installation DB2 Server Configuration

2-14

Custom Installation MS SQL Server Configuration

2-15

Custom Installation Oracle Configuration

2-16

Custom Installation Confirmation

2-17

Installation Completion

2-18

IMS Server Active Directory Configuration

The IMS Server Configuration Utility automatically launches.

2-19

Password Synchronization

Select this option to use the Active Directory password as the TAM E-SSO password.

2-20

Administrator Credentials

Enter the credentials of an existing domain user to be configured as the initial IMS administrator.

2-21

Complete the Configuration

2-22

Restart the IMS Service

2-23

Additional IMS Server Configuration

The URL for the IMS Server Configuration Utility is http://ims_server_name:8080/ui/main.jsf.

2-24

IMS Server Logs

• The IMS server logs are located in the IMS_Installation_Folder\ims\logs directory.
• To send the logs to support:
  1. Right-click the folder and select Send To > Compressed (zipped) Folder.
  2. Save the compressed file as IMSlogs.zip.
  3. Mail IMSlogs.zip to support.

2-25

IMS Server Console

• The IMSService loads when the server is started.
• It can be difficult to troubleshoot problems with the service.
• You can view error messages when the IMS server is started in console mode:
  1. Stop the IMSService using the command net stop IMSService.
  2. Run the IMS_Installation_Folder\ims\bin\runserver.bat command to start the IMS Server in console mode.

2-26

OutOfMemory Exceptions

• If you see Java OutOfMemory exceptions in the server log, you might need to increase the JVM heap size.
• The default JVM heap size is 512 MB.
• You can increase the size by editing the following registry entry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\IMSService\Parameters\Java
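As an added example (not from the course material or the product), the following PowerShell functions read and change the maximum heap through the registry key named on this slide. They assume the Procrun convention that the maximum heap in megabytes is stored in the DWORD value JvmMx under that key; that value name is not on the slide and should be confirmed against the installed key before use. The setter refuses a size that does not grow the heap or that exceeds three quarters of physical RAM, and it exports the key to a .reg file before writing, so the change can be reverted.

```powershell
# Added example (not from the IBM course material): inspect and raise the
# IMSService JVM maximum heap through the Procrun registry key named on the
# slide. Assumption: Procrun keeps the maximum heap (MB) in the DWORD value
# JvmMx under this key; that value name does not appear on the slide.

$ImsJavaKey    = 'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\IMSService\Parameters\Java'
$ImsJavaKeyReg = 'HKLM\SOFTWARE\Apache Software Foundation\Procrun 2.0\IMSService\Parameters\Java'

function Get-ImsHeapMaxMb {
    # Returns the configured maximum heap in MB, or $null if JvmMx is not set
    # (in which case the slide's 512 MB default applies).
    $props = Get-ItemProperty -Path $ImsJavaKey -ErrorAction Stop
    if ($props.PSObject.Properties['JvmMx']) { return [int]$props.JvmMx }
    return $null
}

function Set-ImsHeapMaxMb {
    param([Parameter(Mandatory = $true)][int]$NewMaxMb)

    # Guard rails: the change must actually grow the heap, and it must leave
    # memory for the OS and a co-located database.
    $current = Get-ImsHeapMaxMb
    if ($null -eq $current) { $current = 512 }   # default stated on the slide
    if ($NewMaxMb -le $current) {
        throw "New heap size $NewMaxMb MB is not larger than the current $current MB."
    }
    $ramMb = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    if ($NewMaxMb -gt ($ramMb * 0.75)) {
        throw "New heap size $NewMaxMb MB exceeds 75% of physical RAM ($ramMb MB)."
    }

    # Export the key first so the edit can be rolled back with 'reg import'.
    $backup = Join-Path $env:TEMP ("IMSService-Java-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg export $ImsJavaKeyReg $backup | Out-Null

    Set-ItemProperty -Path $ImsJavaKey -Name JvmMx -Value $NewMaxMb -Type DWord
    Write-Output "JvmMx set to $NewMaxMb MB (backup: $backup)."
    Write-Output 'Restart the service for the new heap to take effect: net stop IMSService, then net start IMSService.'
}

# Usage (the target size is a constructed illustration, not a recommendation):
Write-Output ("Current maximum heap: {0}" -f (Get-ImsHeapMaxMb))
# Set-ImsHeapMaxMb -NewMaxMb 1024
```

Run the setter only after confirming in the server log that the failures are heap exhaustion; a heap that is too large for the host trades OutOfMemory exceptions for paging and slow response under load.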

2-27

Student Exercise

2-28

Summary

You should now be able to:
• Install the IMS Server.
• Configure the IMS Server with Active Directory.

2-29

Unit 3: Policies


3-1

Objectives

Upon completion of this unit, you will be able to:
• Describe the purpose of a policy.
• Explain policy scopes.
• Create a basic policy.

3-2

Policies

• Control behavior of TAM E-SSO components.
• Enable the product to be configured to meet specific requirements.
• Have different visibility and scope.
• Are managed by different roles.
• Are uniquely identified by policy ID (prefixed with pid).
  – pid_wallet_authentication_option
• Are listed in the Tivoli Access Manager for Enterprise Single Sign-on Enterprise Deployment Guide Version 8.0.

3-3

Policy Types and Scope

• System Policy
  – Global
  – Configured using AccessAdmin
  – Can be modified by an administrator
  – Can be viewed by a helpdesk user
• User Policy
  – Affects only a specific user
  – Configured using AccessAdmin
  – Can be modified by an administrator or helpdesk user
• Machine Policy
  – Configured using AccessAdmin
  – Can be modified by an administrator
  – Can be viewed by a helpdesk user

3-4

Policies with Multiple Scopes

• A policy can have multiple scopes.
• For example, the pid_unlock_option policy can be defined at the machine and user level.
• If a policy has multiple scopes, you must define which scope has priority.

3-5

Policy Priority

• To manage priority, use managePolicyPriority.bat.
• To view the priority of a policy, run the command managePolicyPriority --policyId policyID.
  – managepolicypriority --policyId pid_unlock_option
• To set the priority of a policy, run the command managePolicyPriority --policyId policyID --scope scp_xxx --templateId templateId.
  – managepolicypriority --policyId pid_unlock_option --scope scp_user --templateId storage_template_id_value_pair

3-6

Policy Dependencies

• Policies can be dependent on other policies.
  – pid_enc_hot_key_action depends on pid_enc_hot_key_enabled
• Some policies override other policies.
  – Application-specific policies override authentication-service-specific policies, which override general wallet policies.
    – pid_app_inject_pwd_entry_option_default
    – pid_auth_inject_pwd_entry_option_default
    – pid_wallet_inject_pwd_entry_option_default

3-7

AccessAdmin

• Open AccessAdmin using one of the following URLs:
  – https://ims_server_name/ims/jsf/ui/login.jsp
  – https://ims_server_name and click the AccessAdmin link.
• Log in with administrator or helpdesk credentials.

3-8

Setup Assistant for Initial Configuration

• Defines initial system policy settings.
• Creates a default user policy template.
• Creates one or more machine policy templates depending on selections.

3-9

Begin the Setup Process

3-10

Configure System Settings

3-11

Select Allowed Second Factors

3-12

Authentication Second Factors

• A unified AccessAgent user interface supports sign up, log on, lock, and unlock for:
  – USB Key
  – RFID
  – Active RFID (ARFID)
  – Fingerprint
• A two-phase registration is possible.
  – Users can sign up with a password and an optional second factor.
  – Users can also register a second factor during a grace period.
  – After the grace period, all users must log on with a second factor.
• You can revoke second factors using AccessAdmin.

3-13

RFID
• Suggested second factor for shared workstations
• Password required, except for RFID-only unlock
• Supported cards:
  – HID 125kHz Proximity Card
  – HID iClass
  – Mifare (Ultralight, 1k, 4k)
• Supported readers:
  – RF IDeas pcProx Readers (for 125kHz cards)
  – RF IDeas AIR Contactless Smart Card Readers (iClass and Mifare)
  – GIGA-TMS Proximity Reader MFR135 (PCMCIA)
  – Altrus Mifare Desktop Reader Writer A1

3-14

ARFID

• Common name is active proximity badge.
• Is a suggested second factor for shared workstations.
• A password is required, except for RFID-only unlock.
• Supported card is Ensure Technologies XyLoc Key XC-2.
• Supported reader is Ensure Technologies XyLoc Lock NL-2.
• XyLoc service and driver must be installed.

3-15

ARFID (continued)
• Hardware from different countries is not interoperable.
• Be cautious of interference.
  – Line of sight between key and lock is preferred.
  – Water can significantly reduce signal strength.
  – Metallic objects can block the radio signal.
  – 900MHz cordless phones can interfere with North American hardware.
• Key turns off automatically after 9 hours.
• Battery:
  – Can be replaced.
  – Has an average life of one year.
  – Maintains constant power until a couple of weeks before it needs to be replaced.

3-16

Fingerprint

• Is a suggested second factor for shared workstations.
• Fingerprint can be used as one-factor authentication.
  – Users do not need to use a password.
  – This feature is unique among supported second factors.
• Supported reader is a DigitalPersona U.are.U 4000.
• Installation steps are:
  1. Install U.are.U Integrator Gold Sensor Software for Java 2.3.0 on IMS Server.
  2. Configure IMS Server for biometrics support.
  3. Install U.are.U Integrator Gold Sensor Software 2.3.0 on client.

3-17

USB Key

• Is an available second factor for personal workstations.
• Cannot be disabled in the authentication policy.
• USB key password is implicitly required.
• The pid_usb_key_wallet_cache_option policy determines the data storage for smart card, flash, and hard disk.

3-18

Select Workstation Options

3-19

Select Desktop Types for Shared Workstations

3-20

Enable Citrix and Terminal Server

3-21

Create a Default User Template

3-22

Select Authentication Factors for the Template

3-23

Select RFID Log on Options

3-24

Configure the Machine Policies

3-25

Name the Machine Template

3-26

Select the Second Factors

3-27

Select the Type of Screen Lock

3-28

Select Logon and Unlock Settings

3-29

Specify the Inactivity Settings

3-30

Select the Machines

3-31

Complete the Configuration for All Templates

3-32

Review the Summary

3-33

Complete the Setup

3-34

Creating New Policy Templates

3-35

Modifying Policies

• Updated using IMS entries in AccessAdmin or registry keys.
• Changes in AccessAdmin only affect new users and machines.
• Must be applied to existing users and machines.

3-36

Student Exercise

3-37

Summary

You should now be able to:


ƒ Describe the purpose of a policy.
ƒ Explain policy scopes.
ƒ Create a basic policy.

3-38

Unit 4: Agent

4-1

Objectives

Upon completion of this unit, you will be able to:


ƒ Install the agent manually.
ƒ Install the agent using Active Directory group policies.
ƒ Customize the banner.
ƒ Sign up a user.

4-2

AccessAgent Installer Components

• AccessAgent.msi
• Config folder
• Reg folder

4-3

AccessAgent Installer Folders

• Config folder can contain:
ƒ SetupHlp.ini: installation options
ƒ DeploymentScript.vbs: code to be installed and run
ƒ Any other file to be copied to the TAM E-SSO program files folder
– Files only; directories are not copied
– Uninstaller does not remove these copied files
• Reg folder contains:
ƒ DeploymentOptions.reg: deprecated after 3.6
ƒ Any other file is ignored

4-4

SetupHlp.ini Options

• Setup time only options:
ƒ EnginaEnabled
ƒ RebootEnabled
ƒ RebootConfirmationEnabled
ƒ EnginaConflictPromptEnabled
ƒ UsbKeyPromptEnabled
ƒ ImsConfigurationEnabled
ƒ ImsConfigurationPromptEnabled
ƒ WalletCacheRemovedOnUpgrade
ƒ InstallTypeGpo
ƒ JVMInstallationDirectories
ƒ Dependency URLs
• Setup time and runtime options that map to multiple registry values each:
ƒ ImsSecurePortDefault
ƒ ImsDownloadPortDefault
ƒ ImsDownloadProtocolDefault
• Setup time and runtime options that map to one registry value each:
ƒ WalletTypeSupported
ƒ ImsAddressPromptEnabled
ƒ ImsServerName

4-5

AccessAgent Registry Entries

• AccessAgent registry root:
ƒ HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate
• Registry values are automatically populated during installation.
• Top-level registry keys:
ƒ Encentuate\DeploymentOptions: Non-IMS machine policies
ƒ Encentuate\IMSService\DefaultIMSService: IMS-related policies
ƒ Encentuate\IMSService\GlobalIMSService: URLs to SOAP services
ƒ Encentuate\AccessAgent\Integration: Integration with non-IBM software
ƒ Encentuate\Temp: Unsupported registry values
4-6

AccessAgent Banner Customization

• Steps:
1. Prepare a bitmap file with a size of 432x64 pixels.
2. Name the file logon_banner.bmp.
3. Place the file in the installer Config folder.
– The installer will automatically copy the file to the program files folder.
– The file can also be manually copied if AccessAgent is already installed.
• Appears on:
ƒ TAM E-SSO GINA welcome, logon, lock, and unlock windows.
ƒ Desktop AccessAgent window.
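The installer copies whatever file is named logon_banner.bmp without checking it, so the banner size requirement above is worth verifying before the file goes into the Config folder. The following is an added Python example, not IBM's code: it parses the BMP file header and the BITMAPINFOHEADER to confirm that the image really is 432x64 pixels. The file name and the 432x64 size come from the slide; rejecting compressed bitmaps and the hand-built sample image are this example's own assumptions.

```python
import struct
from pathlib import Path
from typing import List

BANNER_WIDTH, BANNER_HEIGHT = 432, 64   # required banner size from the slide
BANNER_NAME = "logon_banner.bmp"        # file name the installer looks for
FILE_HEADER = struct.Struct("<2sIHHI")  # BITMAPFILEHEADER: signature, size, 2 reserved, pixel offset
INFO_HEADER = struct.Struct("<IiiHHI")  # start of BITMAPINFOHEADER: size, width, height, planes, bpp, compression
VALID_BPP = (1, 4, 8, 16, 24, 32)

def check_banner(data: bytes) -> List[str]:
    """Return the problems found in a BMP byte string; an empty list means the
    file is an uncompressed Windows bitmap of exactly 432x64 pixels."""
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        return ["file too short to hold BMP headers"]
    magic, _size, _r1, _r2, pixel_offset = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        return ["missing BM signature; not a Windows bitmap"]
    hdr_size, width, height, planes, bpp, compression = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    problems = []
    if hdr_size < 40:
        problems.append(f"DIB header size {hdr_size} is older than BITMAPINFOHEADER")
    if width != BANNER_WIDTH:
        problems.append(f"width is {width}, expected {BANNER_WIDTH}")
    if abs(height) != BANNER_HEIGHT:  # a negative height only means top-down row order
        problems.append(f"height is {abs(height)}, expected {BANNER_HEIGHT}")
    if planes != 1:
        problems.append(f"planes is {planes}, expected 1")
    if bpp not in VALID_BPP:
        problems.append(f"unsupported bits per pixel: {bpp}")
    if compression != 0:  # assumption: stick to plain BI_RGB bitmaps for the GINA banner
        problems.append(f"compressed bitmap (compression={compression}); use an uncompressed BMP")
    elif width > 0 and bpp in VALID_BPP:
        stride = ((width * bpp + 31) // 32) * 4  # every row is padded to a 4-byte boundary
        needed = pixel_offset + stride * abs(height)
        if needed > len(data):
            problems.append(f"pixel data truncated: need {needed} bytes, file has {len(data)}")
    return problems

def check_banner_file(path: str) -> List[str]:
    """Check a file on disk, including the name the installer expects."""
    p = Path(path)
    name_ok = [] if p.name == BANNER_NAME else [f"file is named {p.name}, installer expects {BANNER_NAME}"]
    return name_ok + check_banner(p.read_bytes())

def make_sample_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Constructed test image: a solid-colour BMP built by hand, no image library needed."""
    stride = ((width * bpp + 31) // 32) * 4
    row = (bytes([0x60, 0x40, 0x20]) * width) if bpp == 24 else b"\x00" * ((width * bpp + 7) // 8)
    pixels = row.ljust(stride, b"\x00") * abs(height)
    offset = FILE_HEADER.size + 40
    file_header = FILE_HEADER.pack(b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels
```

Run check_banner_file("Config/logon_banner.bmp") against the staged installer folder; an empty list means the banner is safe to ship, and every non-empty entry names one thing to fix.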

4-7

Client Prerequisites

• Processor speed: 600 MHz (minimum)
• RAM: 256 MB (minimum), 512 MB (suggested)
• Operating System: Microsoft Windows 2000, 2003, or XP SP2
• Disk space: 100 MB
• Browser: Microsoft Internet Explorer 5.0 or higher with 128-bit encryption

4-8

Manual AccessAgent Installation

To begin the installation, double-click setup.exe and verify the installation path.

4-9

Set the IMS Server Location

4-10

Successful Installation

4-11

Workstation Restart

Restart the workstation to complete the installation process.

4-12

Remote Installation Using a Group Policy


1. Configure group policy.
a. Create a distribution point that contains the AccessAgent code.
b. Create a group policy object for the remote installation.
c. Apply the group policy object to the appropriate users or computers.
d. Assign the AccessAgent package (.msi file) to the group policy object.
2. Customize the AccessAgent installation.
a. Set the InstallTypeGpo option to enabled (1) in the SetupHlp.ini file.
b. Optionally, modify other setup options.
3. Start the computer or log in as the user assigned to the group policy.

4-13

TAM E-SSO GINA

After the AccessAgent is installed, a new TAM E-SSO GINA is inserted in front of the Windows GINA (chained, not replaced).

4-14

User Sign-Up

• If the Enable automatic signup option is selected in the system settings, users are automatically enrolled when they log on.
• Alternatively, a Sign Up option is available on the TAM E-SSO GINA.

4-15

Secrets
• Set by the user during sign-up by selecting questions from the pid_bind_secret_question_list policy.
• Should be:
ƒ Easy to remember.
ƒ Permanent in nature.
ƒ Not easily made known to others.
• Used when the password is not available, such as during a password reset.

4-16

TAM E-SSO Password

• Primary authentication factor for wallet access, except in the following conditions:
ƒ One-factor authentication such as fingerprint or RFID Tap and Go
ƒ Temporary password logon
ƒ USB key with a password different from the TAM E-SSO password
• The USB key password can be synchronized with the TAM E-SSO password using the pid_enc_pwd_is_usb_key_pwd_enabled policy.
ƒ Set to True for normal users:
– TAM E-SSO password is synchronized with the last changed USB key password
– Users can only change the password with the USB key plugged in
ƒ Set to False for power users with more than one USB key

4-17

Automatic Logon

• By default, the AccessAgent injects the credentials but does not log the user on.
• The authentication policy can be modified to change the behavior to automatic logon. This change affects new users only.
• Existing users can update the authentication service password entry in their wallet.

4-18

Wallet

Identity storage protected by a set of authentication factors that stores:
ƒ User names
ƒ Passwords
ƒ Certificates
ƒ Encryption keys

4-19

Wallet Concepts
• Authentication policy is pid_wallet_authentication_option.
• Stored on the IMS Server. However, some parts can also be stored in an authentication factor, such as a private key on a smart card.
• Roams to any point of access.
ƒ Accessible with the appropriate combination of authentication factors.
• Wallets can be:
ƒ In memory (does not contain certificate or one-time password (OTP) seed).
ƒ Cached on hard disk or USB key (for offline access, including offline bypass and password reset).
• Wallets can be revoked by a user with the administrator or helpdesk role using AccessAdmin.

4-20

Wallet Locks

• When the wallet is cached, locks* are created based on:
ƒ The pid_wallet_authentication_option policy.
ƒ The pid_second_factors_supported_list policy.
ƒ The current set of authentication factors.
• Users access their wallet by opening any one of the locks.
• Temporary locks can be created with an authorization code.
*Lock: protection mechanism for the wallet that unlocks with the authentication factors defined for the user.

4-21

Managing the Wallet

• Double-click the AccessAgent icon in the system tray.
• Click the Manage Wallet link.

4-22

Managing Credentials

4-23

AccessAgent Program Folders

• Program files:
ƒ C:\Program Files\Encentuate
• Logs:
ƒ C:\Program Files\Encentuate\logs
ƒ To send to support:
– Right-click the folder and select Send To > Compressed (zipped) Folder.
– Save as AAlogs.zip.
• User and machine wallets (hidden files):
ƒ C:\Program Files\Encentuate\Cryptoboxes
ƒ The machine wallet (machine.wlt) contains system policies and AccessProfiles downloaded from the IMS Server.

4-24

AccessAgent Log Level

• Debugging:
ƒ Increase the log level to obtain more debugging information.
ƒ Set the machine policy pid_log_level.
ƒ Log level 3 is suggested.
ƒ Can be set to 4 if more detailed logs are needed.
• XML files in the logs folder record communications with the IMS Server.
• AccessAgent.log records internal AccessAgent processes.
• When reporting a problem to support:
ƒ Include a compressed file containing the C:\Program Files\Encentuate\logs folder.
ƒ Provide the approximate local times at which the events occurred.
4-25

Certificate Download

• The AccessAgent installer should download the IMS Server certificate.
• If the download fails during the installation, perform one of the following actions on the client:
ƒ Run Start > Programs > Encentuate AccessAgent > Set IMS Server Location.
ƒ Run C:\Program Files\Encentuate\SetupCertsDlg.exe.

4-26

AccessAgent Cryptoboxes

• User and machine wallets are stored in C:\Program Files\Encentuate\Cryptoboxes.
• To view the files, ensure that Windows Explorer is configured to show hidden files and folders.
• To refresh the user and machine wallets:
1. Log off the AccessAgent.
2. Stop the AccessAgent processes AATray.exe, DataProvider.exe, and Sync.exe.
3. Stop the SOCIAccess service (net stop sociaccess).
4. Delete the user and machine wallets.
5. Restart the workstation.

4-27

Machine Wallet Download

• The AccessAgent creates a machine wallet (if it does not exist) when it starts.
• If the IMS Server is not reachable, policies and AccessProfiles are obtained from C:\Program Files\Encentuate\all_sync_data.xml.
• To confirm that a machine wallet is downloaded properly:
ƒ Run AccessStudio.
ƒ Import data from the AccessAgent.
ƒ Open the sso_site_web_ims_admin AccessProfile.
ƒ Verify that the @domain field is set to the IMS Server name instead of $hostname.

4-28

Synchronization with IMS Server

• The AccessAgent performs periodic synchronization with the IMS Server.
• The synchronization interval is set using the pid_wallet_sync_mins policy.
• The default synchronization interval is 30 minutes.
• You can force a manual synchronization when troubleshooting:
ƒ Set the pid_wallet_manual_sync_enabled policy to 1 in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Encentuate\Temp\WalletManualSyncEnabled.
– This is an unsupported setting.
ƒ Right-click the AccessAgent and select Synchronize with IMS.

4-29

Logon User Interface Failed to Load

• Can occur if one of the following conditions is met:
ƒ TAM E-SSO GINA is not properly installed.
ƒ The Windows GINA registry entry is set incorrectly after the AccessAgent is uninstalled.
• Correct by performing the following steps:
1. Restart the computer in Safe Mode.
2. Log on as an administrator.
3. Locate the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL.
4. If the value is engina.dll, the TAM E-SSO GINA was not properly uninstalled. Change the value to msgina.dll.

4-30

Student Exercise

4-31

Summary

You should now be able to:


ƒ Install the agent manually.
ƒ Install the agent using Active Directory group policies.
ƒ Customize the banner.
ƒ Sign up a user.

4-32

Unit 5: Roles

5-1

Objectives

Upon completion of this unit, you will be able to:


ƒ Describe the TAM E-SSO roles.
ƒ Promote a user to the administrator role.
ƒ Assign a user to the helpdesk role.
ƒ Perform helpdesk functions.
ƒ Configure AccessAssistant and Web Workplace.
ƒ Describe recovery workflows.

5-2

Roles

Role: Administrator
Description:
• Manages users, policies, and the IMS Server.
Examples:
• System administrator in IT department
• Central organization-wide administrator

Role: Helpdesk
Description:
• Manages certain groups of users, performs password resets, issues authorization codes, and revokes access rights of users.
Examples:
• IT Helpdesk personnel
• Department administrator

Role: User
Description:
• Uses AccessAgent and AccessAssistant for sign-on automation and access to application credentials.
Examples:
• Executives
• Engineers
• Accountants
• Doctors
• Nurses
• Home PC user

5-3

Manually Assigning Roles


1. Open AccessAdmin.
2. Search for the user.
3. Click the user_name link.
4. Expand the Administrative Policies section.
5. Select the role.
6. Click the Update button.

5-4

Automatically Assigning Roles Step 1

1. Open the IMS Configuration Utility.
2. Navigate to Advanced Settings > IMS Server > Miscellaneous.
3. Ensure the automatic role assignment bind task is in the bind task list.

5-5

Automatically Assigning Roles Step 2


1. Navigate to Advanced Settings > AccessAdmin > User
Attributes.
2. Define the Role assignment attribute name.
3. Define the Role assignment attribute value.
4. Select the IMS role.
5. Select true or false for the automatic assignment of policy
templates option.
6. Click the Update button.

5-6

Automatic Role Assignment Features

• Only applies to new users. Existing users must be manually assigned.
• The Active Directory attribute for role assignment cannot be nested.
• The automatic assignment of existing policy templates and users to a new helpdesk user can be configured using the following options:
ƒ True assigns all existing policy templates and users to a new helpdesk user.
ƒ False does not assign any policy template or user to a new helpdesk user.

5-7

Administrator Users

• Given access to the IMS Server Configuration Utility and AccessAdmin.
• Can perform all configuration and administration tasks.
• If there are no valid administrator accounts, an existing user can be promoted directly in the database:
1. Launch a command prompt and navigate to the IMS_Installation_Folder\ims\bin folder.
2. Run the findAcct.bat Enterprise_User_Name command to obtain the IMS ID:
C:\IMS_Installation_Folder\ims\bin\findAcct.bat tivoli.com\drbob
Config File = C:\IMS_Installation_Folder\ims\bin\..config\ims.xml
IMS Id = ae411be8e5eg77d1acgd6gad16a879f1
3. Use addImsRole.bat IMS_ID ImsAdmin to promote the user to an administrator:
C:\IMS_Installation_Folder\ims\bin\addImsRole.bat ae411be8e5eg77d1acgd6gad16a879f1 ImsAdmin
Config File = C:\IMS_Installation_Folder\ims\bin\..config\ims.xml
Adding role [ImsAdmin] to ae411be8e5eg77d1acgd6gad16a879f1
Done.

5-8

Helpdesk Users
• Are part of a defined identity confirmation process.
• Manage users and authentication factors.
• Provide second authentication factors to new employees.
• Replace lost second authentication factors.
• Maintain second authentication factors.
• Help with forgotten passwords.
• De-provision departing employees.
• Promote good security practices.
ƒ Choose strong password
ƒ Do not forget the secret
ƒ Safeguard the desktop
ƒ Report loss of a second authentication factor
• Troubleshoot.

5-9

Search for a User or Group of Users

5-10

View User Settings

5-11

View User Audit Logs

5-12

View User Authentication Services

5-13

Authorization Code

• System-generated code used as a special second factor.
• Two types:
  ◦ Online authorization code
    – Online password reset
    – Registration of second factors
    – Online temporary bypass of second factor
  ◦ Offline authorization code
    – Offline password reset
    – Offline temporary bypass of second factor
• Revocation of an authorization code:
  ◦ Prevents the user from using the same code again.
  ◦ Does not shorten a temporary lock that was already created with the
    code; the lock still expires at the end of the code's original validity
    period.
5-14

Online Authorization Code

• Can be used multiple times, for multiple purposes, until it expires.
• Has a validity period that is chosen in AccessAdmin when the code is
  issued.
  ◦ The validity periods offered can be configured in the IMS Configuration
    Utility.
• Is configurable in length (1 to 32 characters).
• Character set is 0123456789ABCDEF.
• Is case-insensitive, and hyphens are ignored.

5-15

Offline Authorization Code

• Creates a temporary password-only lock (the second factor is bypassed),
  which expires when the authorization code expires.
• Can be used only once. It is issued against a request code that the
  AccessAgent provides on the user's computer.
• Request codes are eight characters long and change every minute.
• Has a validity period specified using AccessAdmin.
• Offline authorization codes are 16 characters long.
• Default character set is Z3467ACEFHJKRWXY.
• Is case-insensitive, and hyphens are ignored.
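The two slides above give enough to write down what a well-formed code looks like, which is useful when a helpdesk script or ticketing integration has to accept a code read back over the phone. The following is an added example, not IBM code, covering both the online and the offline rules: it strips hyphens and folds case as the slides say the product does, rejects codes of the wrong length or alphabet, and adds one thing the slides do not state, the guessing entropy of a code, so that an administrator can judge how short a validity period a short online code needs. The alphabet constants are copied from the slides; the entropy helper and the example codes are ours.

```python
"""Normalise and sanity-check TAM E-SSO authorization codes using the rules
the two slides above give (added example, not IBM code).

From the slides: both code types ignore hyphens and case; online codes are
1 to 32 characters from 0123456789ABCDEF; offline codes are exactly 16
characters from the default alphabet Z3467ACEFHJKRWXY. The entropy figure is
our addition: an attacker who can submit guesses faces 16**n possibilities
for an n-character code, so a 4-character online code is only 16 bits.
"""
import math

ONLINE_ALPHABET = "0123456789ABCDEF"
OFFLINE_ALPHABET = "Z3467ACEFHJKRWXY"  # default set; a deployment may change it
OFFLINE_LENGTH = 16


def normalize(code: str) -> str:
    """Strip hyphens and blanks and fold to upper case, for example
    'z346-7ace fhjk-rwxy' -> 'Z3467ACEFHJKRWXY'."""
    return "".join(ch for ch in code if ch not in "- \t").upper()


def _check_alphabet(code: str, alphabet: str, kind: str) -> None:
    bad = sorted(set(code) - set(alphabet))
    if bad:
        raise ValueError(f"{kind} code contains characters outside its alphabet: {bad}")


def validate_online(code: str) -> str:
    """Return the canonical form of an online code or raise ValueError."""
    canon = normalize(code)
    if not 1 <= len(canon) <= 32:
        raise ValueError(f"online code must be 1-32 characters, got {len(canon)}")
    _check_alphabet(canon, ONLINE_ALPHABET, "online")
    return canon


def validate_offline(code: str, alphabet: str = OFFLINE_ALPHABET) -> str:
    """Return the canonical form of an offline code or raise ValueError."""
    canon = normalize(code)
    if len(canon) != OFFLINE_LENGTH:
        raise ValueError(f"offline code must be {OFFLINE_LENGTH} characters, got {len(canon)}")
    _check_alphabet(canon, alphabet, "offline")
    return canon


def entropy_bits(length: int, alphabet: str) -> float:
    """Bits of guessing entropy in a uniformly random code of LENGTH symbols."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    for n in (4, 8, 16, 32):
        print(f"online code of {n} chars: {entropy_bits(n, ONLINE_ALPHABET):.0f} bits")
    print(f"offline code: {entropy_bits(OFFLINE_LENGTH, OFFLINE_ALPHABET):.0f} bits")
```

Both alphabets have 16 symbols, so each character contributes 4 bits: the fixed-length offline code always carries 64 bits, while an online code carries 4 bits per character the administrator chooses to issue. Pair short online codes with the shortest validity period AccessAdmin offers.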

5-16

Generating an Authorization Code for a User

• Users require an authorization code if:
  ◦ They have lost their second authentication factor or factors.
  ◦ They have forgotten their TAM E-SSO password.

5-17

Viewing Second Factors for a User

User profile > Authentication Factors

5-18

Locking or Unlocking a User Wallet

User profile > Wallet Access Control

5-19

AccessAssistant and Web Workplace

• TAM E-SSO applications that can be used for:
  ◦ User sign-up
  ◦ Self-service tasks
    – View enterprise application passwords
    – Reset secrets
    – Reset the TAM E-SSO password
    – Modify user profile settings for Mobile ActiveCode (MAC)
  ◦ Single sign-on for Web applications (in place of the AccessAgent)
• Both can be configured for two-factor authentication. Because
  AccessAssistant reveals application passwords in clear text in the
  browser, two-factor authentication is strongly advisable for it.
• Both are fully integrated with the IMS Server so that wallets,
  AccessProfiles, and policies stay synchronized.

5-20

AccessAssistant User Interface

The AccessAssistant user interface is optimized for password viewing.

5-21

Web Workplace User Interface

Web Workplace user interface is optimized for single sign-on.

5-22

AccessAssistant and Web Workplace Policies

5-23

Instructor Demonstration

5-24

Recovery Workflows

• User
  ◦ Forgets password
  ◦ Forgets or loses second factor
  ◦ Cannot unlock computer
• IMS Server not available
  ◦ IMS Server crash
  ◦ Database server crash

5-25

User Forgets TAM E-SSO Password

• Online
  1. Click Reset password.
  2. Supply the authorization code and the secret.
  3. Specify a new TAM E-SSO password.
  Note: Cached wallets might still contain the old password.
• Offline
  1. Click Reset password.
  2. Supply the authorization code (based on the request code).
  3. Supply the secret.
  4. Specify a temporary password.
  Note: The user can log on multiple times using the temporary password
  until the authorization code expires.

5-26

Active Directory Password Synchronization Enabled

1. Reset the Active Directory password using Active Directory Users and
   Computers.
2. Have the user log on to TAM E-SSO with the new Active Directory
   password.
3. AccessAgent prompts for the answer to the user's secret question and
   then synchronizes the TAM E-SSO password with the new Active Directory
   password.

5-27

User Forgets or Loses RFID Card


• Online
  1. Click Log on.
  2. Supply user name and password.
  3. Click "...but I do not have my RFID card with me."
  4. Supply the authorization code.
  Note: The user can log on multiple times without the RFID card until the
  authorization code expires.
• Offline
  1. Click Log on.
  2. Supply user name and password.
  3. Click "...but I do not have my RFID card with me."
  4. Supply the authorization code (based on the request code).
  5. Supply the secret.
  6. Specify a temporary password.
  Note: The user can log on multiple times using the temporary password
  until the authorization code expires.

5-28

Unlock Computer with Emergency Bypass

• Conditions:
  ◦ The computer must be a shared workstation with Emergency Bypass enabled.
    – Emergency Bypass is disabled by default.
  ◦ The user might not have a cached wallet on the computer.
  ◦ The IMS Server is not available.
• Steps:
  ◦ Press the Emergency Bypass key sequence.
  ◦ The computer unlocks immediately.
  ◦ Users who are currently logged on are logged off.
• Because the key sequence unlocks the computer without any
  authentication, leave Emergency Bypass disabled except on workstations
  that genuinely need it.

5-29

Computer Does Not Have AccessAgent

• Launch AccessAssistant.
• Supply user name and password.
• Depending on the policy, the user might need to supply
authorization code or Mobile ActiveCode.
• User can now obtain enterprise application passwords.

5-30

IMS Server Not Available

• The IMS Server might be unavailable because:
  ◦ The IMS Server is down.
  ◦ The database server is down.
  ◦ The data center is down.
• Users can still log on to computers that hold a cached wallet.
• Users can log on with a USB key as long as the key holds the complete
  wallet.

5-31

IMS Server Failure


• You can verify that the IMS Server has failed if there is no response
  from https://ims_server_name.
• Restart the IMS Server if no files have been lost.
• If executable files, keystores, or configuration files are lost,
  reinstate them from backup.
• Folders that should be backed up:
  ◦ IMS_Installation_Folder\ims\certs\keystore
  ◦ IMS_Installation_Folder\ims\config
  The keystore contains the server's certificates and private keys, so
  protect the backup copies at least as tightly as the live folder.
• An administrator must repeat the configuration steps performed between
  the last backup and the failure.

5-32

Database Server Failure

• Store the IMS logs on a database server that is different from the IMS
  database, so that transactions can still be traced after a failure.
• Restart the database server if no data has been lost.
• If data is lost, restore the database from the latest backup.
• Review the IMS logs to identify transactions that occurred between the
  last backup and the failure.
• If necessary, repeat those transactions.

5-33

Student Exercise

5-34

Summary

You should now be able to:
◦ Describe the TAM E-SSO roles.
◦ Promote a user to the administrator role.
◦ Assign a user to the helpdesk role.
◦ Perform helpdesk functions.
◦ Configure AccessAssistant and Web Workplace.
◦ Describe recovery workflows.

5-35

Unit 6: Shared Workstations

© 2008 IBM Corporation

6-1

Objectives

Upon completion of this unit, you will be able to:
◦ Configure shared workstations.
◦ Configure private desktops.

6-2

Shared Workstation Overview

• Used in a kiosk environment, such as a doctor's office or hospital, where
  multiple users share a workstation.
• Requires efficient switching between users.
• Can be configured for a shared desktop or for private desktops.
• RFID, ARFID, or fingerprint second authentication factors are suggested.

6-3

Desktop Types for Shared Workstations


• Shared desktop
  ◦ Uses a generic Windows desktop.
  ◦ Loses application context when switching.
  ◦ Must use AccessProfiles that are configured to automatically log off
    enterprise applications when user switching occurs.
• Private desktop
  ◦ Supports multiple users with personal Windows desktops.
  ◦ Maintains sessions when switching.
  ◦ Logs off a user when the maximum number of sessions is reached.
• Roaming desktop
  ◦ Retains the Windows desktop when moving from workstation to workstation.
  ◦ Requires Terminal Services or Citrix.

6-4

Shared Workstation Policy Settings

6-5

Shared Workstation Logon

• The user is expected to log on from the locked computer screen.
• Tap the RFID card or press Ctrl-Alt-Del to log on.
• The logon script, if any, is run.
• A pool of generic Windows accounts can be used if not all IMS users have
  Active Directory accounts. Accountability at the Windows level then rests
  on the IMS audit logs, which record the TAM E-SSO user.

6-6

Shared Workstation Lock and Unlock

• Lock
  ◦ The user can tap the RFID card to lock the computer.
  ◦ The computer is also locked after a period of inactivity.
• Unlock
  ◦ Tap the RFID card or press Ctrl-Alt-Del to unlock.
  ◦ The computer unlocks without a password if the same user returns within
    a configurable grace period. During that period the card alone unlocks
    the computer, so keep the period short.

6-7

Shared Workstation Switching

• Shared desktop
  ◦ A different user can tap an RFID card to invoke user switching, from the
    desktop or from the locked computer screen.
  ◦ AccessAgent unlocks the computer (if locked), logs off the previous
    user, and logs on to the wallet of the new user.
• Private desktop
  ◦ A different user can tap an RFID card to invoke user switching, from the
    desktop or from the locked computer screen.
  ◦ AccessAgent locks the previous user's session (if unlocked), and logs on
    to the wallet and Windows session of the new user.
  ◦ A forced log off occurs during user switching if the maximum number of
    sessions is exceeded.

6-8

Shared Workstation Logoff

• Shared desktop
  ◦ Right-click and select Log off AccessAgent, or press Ctrl-Alt-Del.
  ◦ Log off also occurs during user switching.
  ◦ Automatic log off or closing of applications can be performed.
  ◦ The logoff script, if any, is run.
• Private desktop
  ◦ Right-click and select Log off AccessAgent, or press Ctrl-Alt-Del.
  ◦ For a forced log off, one of the previous sessions is closed, depending
    on the algorithm selected.
  ◦ The maximum number of sessions and the log off algorithm are configured
    in the shared workstation policy.

6-9

Preparing a Client for Private Desktop


1. Edit the following registry key:
   ◦ HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT >
     CurrentVersion > Winlogon
2. Add the following string values (or modify them if they exist):
   ◦ AutoAdminLogon set to 1 to enable automatic logon.
   ◦ DefaultDomainName set to the local computer name.
   ◦ DefaultUserName set to the default user to be logged on.
   ◦ DefaultPassword set to the password of the default user.
   ◦ ForceAutoLogon set to 1 to enable a forced automatic logon.
3. Apply the shared workstation policy to the machine.
4. Reboot.
Note: An additional reboot is required to fully implement the policy
changes.
Caution: A DefaultPassword registry value is stored in clear text, and the
Winlogon key is readable by ordinary users of the machine. Use a dedicated
local account with no rights beyond the kiosk desktop, or store the password
as an LSA secret (for example with the Sysinternals Autologon tool) instead
of as a registry string.
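An auditor reviewing kiosk builds will want to find machines where the procedure above left the password in the registry. The following is an added example, not IBM code: assess_autologon() evaluates a Winlogon value set and reports a clear-text DefaultPassword, an auto-logon domain rather than the local machine, and ForceAutoLogon; read_winlogon() fills that value set from the live registry when the script runs on Windows. The value names come from the slide; the finding text and the constructed sample in the test are ours. The fact relied on is that a DefaultPassword value under HKLM Winlogon is plain text and readable by local users, whereas the Sysinternals Autologon tool keeps the same password as an LSA secret.

```python
"""Audit the Winlogon values the private-desktop procedure above sets
(added example, not IBM code).

assess_autologon() works on a plain dict so it runs anywhere and can be
unit-tested; read_winlogon() fills that dict from the live registry when run
on Windows. Finding wording is ours.
"""
import socket
from typing import Dict, List

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def read_winlogon() -> Dict[str, str]:
    """Read every value under the Winlogon key (Windows only)."""
    import winreg  # standard library, present only on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the value list is exhausted
                break
            values[name] = str(data)
            index += 1
    return values


def assess_autologon(values: Dict[str, str], computer_name: str) -> List[str]:
    """Return findings for a Winlogon value set; an empty list means nothing to report.

    Nothing is reported unless AutoAdminLogon is on, because the other
    values are inert without it.
    """
    findings: List[str] = []
    if values.get("AutoAdminLogon", "0") != "1":
        return findings
    if values.get("DefaultPassword"):
        findings.append(
            "DefaultPassword is stored in clear text under HKLM Winlogon; move it to the "
            "LSA secret (Sysinternals Autologon) and delete the registry value")
    domain = values.get("DefaultDomainName", "")
    if domain and domain.lower() != computer_name.lower():
        findings.append(
            f"DefaultDomainName is {domain!r}, not the local machine: a domain account is "
            "auto-logged on, whereas the procedure calls for a local kiosk account")
    if values.get("ForceAutoLogon") == "1":
        findings.append(
            "ForceAutoLogon=1: Windows logs the kiosk account back on after every logoff, "
            "so confirm the shared workstation policy is applied before relying on it")
    return findings


if __name__ == "__main__":
    # Windows only: audit this machine.
    for finding in assess_autologon(read_winlogon(), socket.gethostname()):
        print("FINDING:", finding)
```

The hardened configuration is the same set of values with DefaultPassword removed after the password has been placed in the LSA secret; the checker then reports only the informational ForceAutoLogon line.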

6-10

Student Exercise

6-11

Summary

You should now be able to:
◦ Configure shared workstations.
◦ Configure private desktops.

6-12

Unit 7: Basic AccessStudio

7-1

Objectives

Upon completion of this unit, you will be able to:
◦ Explain single sign-on concepts.
◦ Install AccessStudio.
◦ Create basic profiles.
◦ Upload profiles.
◦ View profiles.
◦ Delete profiles.

7-2

Single Sign-On (SSO)

• A capability that allows a user to enter a single set of credentials to
  access multiple applications.
• The user first logs on with a TAM E-SSO account.
• Subsequent logons are performed using credentials retrieved from the
  user's wallet.

7-3

User Credentials

• Refers to user names, passwords, certificates, and any other information
  that is required for authentication.
• An authentication factor can serve as a credential.
• Credentials are stored and secured in the TAM E-SSO wallet.
• Access to the wallet is only permitted with the user's IMS credentials;
  there is no administrator access to wallet contents.

7-4

Application

• In AccessStudio, an application is a logical grouping of AccessProfiles
  for a business application.
• An AccessProfile can belong to only one application.
• Policy options for logout and credential injection can be set for the
  application.
• Types of applications:
  ◦ 16- and 32-bit Windows
  ◦ Web pages
  ◦ TTY
  ◦ Mainframe
  ◦ Custom
7-5

Authentication Service

• An authentication service is the entity that validates the logon
  information for an application.
• Authentication services provide the context under which a particular
  credential is stored.
• The authentication service defines the number and types of credential
  fields.
• All account data carries an auth-service ID identifying the
  authentication service it belongs to.
• Automatic injection and capture policies can be specified for a
  particular authentication service.

7-6

Relationship Between Application and Authentication Service

• Many-to-many relationship.
• One application can refer to multiple authentication services, and one
  authentication service can be referred to by multiple applications.
• The diagram on the slide links the following applications and
  authentication services:
  ◦ Applications: netaddress web page, Outlook Express, mail.yahoo.com web
    site, Yahoo! Messenger
  ◦ Authentication services: Netaddress auth-service, Gmail auth-service,
    Yahoo auth-service

7-7

AccessStudio Overview

• A simple yet powerful tool used to create and manage AccessProfiles.
• Value-added features include:
  ◦ Support for standard and advanced modes for AccessProfiles of varying
    complexity.
  ◦ Graphical user interface and XML editors.
  ◦ Flexibility in editing AccessProfiles stored in any location.
  ◦ Ability to import existing AccessProfiles from the AccessAgent or the
    IMS Server.
  ◦ Advanced credential and policy management.
  ◦ Automatic validation of AccessProfile data.
  ◦ Ability to test and debug AccessProfiles.
7-8

AccessStudio Preinstallation Checklist

• Windows Installer 3.1
• .NET Framework 2.0
• AccessAgent

7-9

AccessStudio Installation and Usage

1. Open AccessStudio.msi.
2. Run the installation wizard.
3. Log on to the AccessAgent as a user with the administrator role.
4. Launch the AccessStudio application.

7-10

Simple AccessProfiles Generation Wizard


• Used to generate AccessProfiles for these application types:
  ◦ 16- and 32-bit Windows
  ◦ Web pages
  ◦ TTY
  ◦ Mainframe
  ◦ Owner-drawn
• Supports the following workflows:
  ◦ Logon (all types)
  ◦ Change password (Windows, Web, TTY, Mainframe – cursor based)
  ◦ Logoff (Windows, Web, Mainframe – cursor based)
  ◦ Other tasks (Windows, Web, Mainframe – cursor based)
• Can be used when the .exe or Web page refers to only one authentication
  service.
• The user drags a selector to the relevant Windows or Web elements.
• Automatically creates a new application.
• An authentication service is created automatically, or an existing one
  can be used.
7-11

Generating an AccessProfile

Open AccessStudio by navigating to Start > All Programs >
Encentuate AccessStudio > AccessStudio.

7-12

Using the Profile Generator

Click New > New AccessProfile (using Assistant).

7-13

Creating a Windows Profile

Enter the application name and select Windows as the application type.

7-14

Select the Task to Automate

• Specify the task you will be automating.
• Logon is the default.

7-15

Open the Application

Open the application you are creating a profile for.

7-16

Identify the Fields

Drag the crosshairs to the relevant fields.

7-17

Define the Behavior for Additional Logon Screens

Default is Ask user.

7-18

Define How a Successful Logon Is Identified

If the logon is not successful, you might not want the AccessAgent to
remember the credentials that were entered. Choose one of:
◦ Option 1: Always remember the credentials. Do not look for a successful
  authentication screen.
◦ Option 2: Search for the successful authentication screen. If it is
  found, save the credentials.
◦ Option 3: If the logon screen or dialog box is no longer visible, assume
  successful authentication and save the credentials.
Option 1 also stores mistyped or rejected passwords in the wallet; where the
application shows a distinctive success screen, Option 2 is the most
reliable choice.

7-19

Select or Create Authentication Service


• Typically, you select Create one for me automatically.
• If the application being profiled shares an authentication service with
  an application that has already been profiled, select Use a previously
  created authentication service. For example:
  ◦ If Yahoo! Messenger has already been profiled with an authentication
    service named Yahoo, select Yahoo as the authentication service when
    you create a profile for Yahoo mail.
  ◦ Active Directory is another commonly shared authentication service:
    applications that log on with Active Directory credentials should reuse
    the existing Active Directory authentication service.

7-20

Testing Generated Profiles


After generating AccessProfiles, you should test them.
1. In AccessStudio, click Test > Start.
   – This action replaces the AccessProfiles that were downloaded from the
     IMS Server with the AccessProfiles currently in AccessStudio and loads
     them into a test wallet.
   – You must be logged on to the AccessAgent for the test function to work.
2. Close any open instance of the application to test.
3. Open the application to test.
4. Save the credentials.
5. Restart the application and verify that the credentials are inserted.
6. In AccessStudio, click Test > Stop.
   – This action restores the wallet to its previous state and removes any
     test credentials that were saved during testing.

7-21

Start Testing

7-22

Close and Open the Application to Test

• Close any instances of the application that were open before test mode was started.
ƒ This step is needed because you must reload the .exe or Web
page signature for the observer framework to monitor the
application.

• Open the application again.


• Enter credentials. For example:
ƒ Username: doctor-bob
ƒ Password: object00

7-23

Save Credentials

• Click Yes when prompted to save credentials to the wallet.

• Exit and reopen the application to verify that TAM E-SSO inserts the credentials.
• Test Automatic Logon by changing the password entry
option in the wallet and relaunching the application.

7-24

Creating a Web Profile

• Enter a name in the application name field and select Web for application type.

7-25

Identify the Fields

7-26

Creating a TTY Profile

• Enter an application name and select TTY as the application type.

7-27

Identify the Fields

• In the AccessProfile Generator, click and drag the crosshair to the PuTTY window.

7-28

Define Additional TTY Properties

• Options on the Identify Successful Logon screen:
ƒ No: always capture the credentials.
ƒ Yes: check for the configurable text string before capturing.

• On the Select or Create Authentication Service screen, select Create one for me automatically.
ƒ This option is selected if no existing authentication service can be used.

• Click Finish to complete the profile generation for PuTTY.

7-29

Creating a Mainframe Profile

Enter an application name and select Mainframe application with HLLAPI support as the application type.

7-30

Select the Task to Automate

7-31

Define the HLLAPI Information

• On the Provide HLLAPI Information screen, enter the path to the HLLAPI .dll.
• For example, select Attachmate Extra and specify c:\program files\extra!\pcshll32.dll as the .dll filename.

7-32

Identify the Screen

In the AccessProfile Generator, click and drag the crosshair to the AS400 window.

7-33

Define the Identify the Screen for Logon Settings

• Enter User and click the Add button.
• Enter Password and click the Add button.

7-34

Specify the Sequence of Actions for Logon

7-35

Define Additional Mainframe Properties

• On the Identify Successful Logon screen, select No.
ƒ Optionally, you can select Yes and enter one or more text strings to search for.
• On the Select or Create Authentication Service screen, select Create one for me automatically.
ƒ This option is used when no suitable authentication service already exists.

7-36

Uploading AccessProfiles

• Upload the final AccessProfile to the IMS Server.
• From AccessStudio, right-click the AccessProfile and select Upload to IMS.

7-37

Viewing All AccessProfiles

To download all AccessProfiles from the IMS Server, select File > Import data from IMS [ims_server_name].

7-38

Deleting AccessProfiles

• The profile must have been loaded from the IMS Server.
• Right-click the Profile, select Delete, and answer Yes to
also delete from IMS.

7-39

Student Exercise

7-40

Summary

You should now be able to:

ƒ Explain single sign-on concepts.
ƒ Install AccessStudio.
ƒ Create basic profiles.
ƒ Upload profiles.
ƒ View profiles.
ƒ Delete profiles.

7-41

Unit 8: Advanced AccessStudio

8-1

Objectives

Upon completion of this unit, you will be able to:

ƒ Explain the purpose of a state machine.
ƒ Describe the components of a state machine.
ƒ Create advanced AccessProfiles.
ƒ Troubleshoot problems with AccessProfiles.

8-2

State Machine
• Functions (logging in to an application, changing passwords, and so
on) modeled as a sequence of steps represented by states and
transitions.
• Consists of states, triggers, and actions.
• The AccessProfile is designed to model these sequences leveraging
its ability to monitor and interpret events on a user’s desktop.

8-3

State Machine Flow

Start State
Trigger: When the login window pops up
Action: Inject username and password
Action: Click the OK button
State After Injection

8-4

States

• States represent specific situations where the state machine must look for certain triggers to occur (similar to a flowchart).
ƒ A state can have multiple triggers.
– For example, in the after_application_launched state you can look for the
login window to appear or for a change password window to appear.
ƒ One trigger can have multiple actions.
– For example, when a login window appears, you can inject user credentials
and press the OK button.
• A profile writer can define as many states in a state machine as
required.

8-5

Triggers
• Triggers are events that cause transitions between states in the
state engine.
• Examples of a trigger:
– wnd_create_trigger: Windows executable window is created.
– web_document_complete_trigger: Web document completes loading.
– web_click_item_trigger: HTML element clicked.
– wnd_command_bn_click_trigger: Windows executable button clicked.
• Each trigger has a next state defined.
ƒ For example, when a login window is presented, the state machine
could move to the after_login_window_popped_up state.
• There are approximately 40 predefined triggers.

8-6

Actions

• An action can be performed in response to a trigger.
• Examples of an action:
– acc_data_inject_action: Injection of credentials into defined fields.
– acc_data_capture_action: Capture of credentials from defined fields.
– wnd_click_action: Clicking a button in a Windows application.
– acc_data_save_action: Saving credentials to the wallet.

• There are approximately 30 predefined actions.

8-7

Signatures

• A signature is unique identification information for any application, window, or field.
ƒ Signatures are key elements in triggers as well as in actions.
ƒ Examples include user name fields, password fields, login
buttons, login windows, and URLs for Web sites.

• AccessStudio uniquely identifies fields, buttons, and other object types in Windows and Web applications.
ƒ Typically, AccessStudio can generate a valid signature.
– You can create signatures manually using the XML Path Language
(XPath).
ƒ You can verify the signature by using the highlight button.

8-8

XPaths

• Signatures are represented as an XPath.
ƒ Example: /child::exe[@exe_name="example.exe"]
ƒ The XPath language has a hierarchical structure, or tree representation, consisting of types, axes, and operators.

• The observer framework identifies everything using XPaths.

8-9

Supported XPath Types


• Application
ƒ exe: Identify executables.
ƒ web: Identify Web pages or sites.
ƒ task: Identify 16-bit or Java applications.

• Within a Windows application
ƒ wnd: Identify windows and widgets (controls).
ƒ jwnd: Identify window of a Java application.

• Within a Web application
ƒ html: Identify HTML elements inside a Web page, including body and head.
ƒ form: Identify HTML forms.
ƒ input: Identify input fields in the HTML.
ƒ frame: Identify HTML frame containing the document.
ƒ document: Identify HTML document containing frameset or body and head.
ƒ anchor: Identify HTML anchor element that has a name or ID.
ƒ image: Identify HTML images in an HTML document.

8-10

Supported Axes for All Application Types

All names are in lowercase.

• child::
• parent::
• descendent:: or descendant::
• ancestor::

8-11

XPath Operators
• = (right hand side (RHS) can be numeric or string, equals)
• != (RHS must be numeric, not equals)
• ~ (RHS must be a string, regex case-sensitive equals)
• !~ (RHS must be a string, regex case-sensitive not equals)
• # (RHS must be a string, regex case-insensitive equals)
• !# (RHS must be a string, regex case-insensitive not equals)
• & (RHS must be a numeric, binary AND)
• !& (RHS must be numeric, not equals of binary AND)
• and (Logical AND of two booleans)
• or (Logical OR of two booleans)

8-12

XPath Attributes for Executables

• @exe_name: The name of the executable
• @file_version: File version of the executable
• 16-bit or Java applications
ƒ @wnd_title: The title of the top level window of the application
ƒ @class_name: The class name of the top level window of the application
ƒ @task_name: Task name of the application

8-13

XPath Attributes for Windows


• @title
• @class_name
• @ctrl_id
• @xpos
• @ypos
• @is_visible (0 or 1)
• @rel_xpos
• @rel_ypos
• @control_name
• @window_ex_style
• @size
• @class_style
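The following is an added example, not code from the course or from the product: a small Python evaluator for the signature XPath dialect that the slides on types, axes, operators, executable attributes and window attributes describe. The desktop tree it matches against is constructed for the example, and two details are assumptions rather than documented behaviour: a regex operator (~, !~, #, !#) must match the whole attribute value, and `and` binds tighter than `or` inside a predicate.

```python
import re

# Constructed evaluator for the signature XPath dialect on the XPath slides
# (types, axes, operators, exe and wnd attributes). Illustration only, not the
# observer framework's matcher; the desktop model below is made up, and the
# full-string regex semantics plus "and before or" precedence are assumptions.

class Node:
    """One object on the desktop: an exe or a wnd, with its signature attributes."""
    def __init__(self, type_, attrs, children=()):
        self.type, self.attrs, self.parent = type_, attrs, None
        self.children = list(children)
        for child in self.children:
            child.parent = self

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

def _num(value):
    """Integer view of an attribute value, or None when it is not numeric."""
    return int(value) if str(value).lstrip("-").isdigit() else None

# The operators slide: the RHS is a quoted string or an unquoted number.
OPERATORS = {
    "=":  lambda lhs, rhs: _num(lhs) == rhs if isinstance(rhs, int) else str(lhs) == rhs,
    "!=": lambda lhs, rhs: _num(lhs) != rhs,
    "~":  lambda lhs, rhs: re.fullmatch(rhs, str(lhs)) is not None,
    "!~": lambda lhs, rhs: re.fullmatch(rhs, str(lhs)) is None,
    "#":  lambda lhs, rhs: re.fullmatch(rhs, str(lhs), re.IGNORECASE) is not None,
    "!#": lambda lhs, rhs: re.fullmatch(rhs, str(lhs), re.IGNORECASE) is None,
    "&":  lambda lhs, rhs: ((_num(lhs) or 0) & rhs) != 0,
    "!&": lambda lhs, rhs: ((_num(lhs) or 0) & rhs) == 0,
}

STEP = re.compile(r'/(child|parent|descendant|descendent|ancestor)::(\w+)(?:\[(.+?)\])?')
COMPARISON = re.compile(r'@(\w+)\s*(!=|!~|!#|!&|=|~|#|&)\s*(?:"([^"]*)"|(-?\d+))')

def parse_predicate(text):
    """Split '[...]' into OR-groups of AND-ed comparisons.
    Assumes quoted strings contain no ' and ' / ' or ' and no ']'."""
    groups = []
    for disjunct in re.split(r'\s+or\s+', text):
        group = []
        for conjunct in re.split(r'\s+and\s+', disjunct):
            m = COMPARISON.fullmatch(conjunct.strip())
            if m is None:
                raise ValueError(f"cannot parse comparison: {conjunct!r}")
            attr, op, str_rhs, num_rhs = m.groups()
            group.append((attr, op, str_rhs if str_rhs is not None else int(num_rhs)))
        groups.append(group)
    return groups

def matches(node, groups):
    """A node lacking the attribute never matches; an empty predicate matches everything."""
    def compare(attr, op, rhs):
        return attr in node.attrs and OPERATORS[op](node.attrs[attr], rhs)
    return any(all(compare(*c) for c in group) for group in groups) if groups else True

def evaluate(signature, root):
    """Return the nodes under `root` that the signature identifies."""
    context, pos = [root], 0
    for step in STEP.finditer(signature):
        if step.start() != pos:
            raise ValueError(f"unparsed text in signature: {signature[pos:step.start()]!r}")
        pos = step.end()
        axis, type_, predicate = step.groups()
        candidates = []
        for node in context:
            if axis == "child":
                candidates.extend(node.children)
            elif axis == "parent":
                candidates.extend([node.parent] if node.parent else [])
            elif axis in ("descendant", "descendent"):
                candidates.extend(node.descendants())
            else:
                candidates.extend(node.ancestors())
        groups = parse_predicate(predicate) if predicate else []
        context = [n for n in dict.fromkeys(candidates)      # de-duplicate, keep order
                   if n.type == type_ and matches(n, groups)]
    if pos != len(signature):
        raise ValueError(f"unparsed text in signature: {signature[pos:]!r}")
    return context

# Constructed desktop: nothing here was captured from a real machine.
DESKTOP = Node("root", {}, [
    Node("exe", {"exe_name": "windemo.exe", "file_version": "1.0.0.0"}, [
        Node("wnd", {"title": "WinDemo Login", "class_name": "#32770",
                     "is_visible": 1, "window_ex_style": 0x10001}, [
            Node("wnd", {"class_name": "Edit", "ctrl_id": 1001, "control_name": "txtUser"}),
            Node("wnd", {"class_name": "Edit", "ctrl_id": 1002, "control_name": "txtPassword"}),
            Node("wnd", {"class_name": "Button", "ctrl_id": 1, "title": "OK"}),
        ]),
        Node("wnd", {"title": "WinDemo Main", "class_name": "#32770", "is_visible": 0}),
    ]),
    Node("exe", {"exe_name": "notepad.exe", "file_version": "6.0.6000.16386"}, [
        Node("wnd", {"title": "Untitled - Notepad", "class_name": "Notepad", "is_visible": 1}),
    ]),
])

if __name__ == "__main__":
    sig = '/child::exe[@exe_name="windemo.exe"]/child::wnd[@title#"windemo login" and @is_visible=1]'
    print([n.attrs["title"] for n in evaluate(sig, DESKTOP)])
```

The useful habit this demonstrates is the one the signatures slide recommends: a signature that keys on a stable attribute (exe_name, class_name, ctrl_id) keeps matching across window moves and resizes, whereas one that keys on @xpos or @ypos breaks as soon as the layout changes, and a predicate on a missing attribute silently matches nothing.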

8-14

XPath Attributes for Web Pages

• @domain: The host part of the URL, between the protocol identifier and the next slash
• @protocol
• @url: Complete URL
• @query_string: Query string in the URL
• @port
• @path: Part of the URL after the domain and before the query string

8-15

XPath Attributes for HTML Elements


• @tag_name: Identify the type of HTML element
ƒ For example, in the HTML snippet, <img src="abd.gif">, tag_name is img.
• @value: Value attribute of an HTML element
ƒ For example, in the HTML snippet, <input value="user name here">, user
name here is the value.
• @inner_text: Inner text of any HTML element
ƒ For example, in the HTML snippet, <b>Login</b>, Login is the inner_text.
• @inner_html: Inner HTML of any HTML element
ƒ For example, in the HTML snippet, <p><b>login</b></p>, the inner_html of
the p element is <b>login</b>.
• @form_name: The name of the form

8-16

XPath Attributes for HTML INPUT Element

• @input_name: Name of the input element
• @input_type: Type of the input element
• @className: Identifies the class attribute of the input element
ƒ This attribute is different from @class_name for window types.
• @input_index: Index of the input element with respect to the form
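As an added example (not AccessStudio's signature generator), the Python script below derives the attributes from the Web-page, HTML-element and INPUT-element slides from a URL and from a constructed HTML login page: @protocol, @domain, @port, @path and @query_string from the URL, and @tag_name, @value, @inner_text, @inner_html, @form_name, @input_name, @input_type, @className and @input_index from the document. The sample page and its form and field names are made up; counting @input_index from 0 in document order within the enclosing form is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed illustration of how the Web signature attributes on the slides can be
# derived from a URL and an HTML document. Not AccessStudio code; the sample page,
# the form and input names, and 0-based @input_index are assumptions.

def url_attributes(url):
    """@url, @protocol, @domain, @port, @path and @query_string for a Web signature."""
    parts = urlsplit(url)
    return {"url": url, "protocol": parts.scheme, "domain": parts.hostname or "",
            "port": parts.port, "path": parts.path, "query_string": parts.query}

class SignatureAttributes(HTMLParser):
    """Walk an HTML document and record, per element, the attributes the slides define."""
    VOID = {"input", "img", "br", "hr", "meta", "link"}   # elements without a close tag

    def __init__(self, html):
        super().__init__()
        self.html, self.elements, self.stack, self.forms = html, [], [], []
        self.line_starts = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
        self.feed(html)
        self.close()

    def _offset(self):
        """Absolute offset of the construct being handled (getpos gives line and column)."""
        line, col = self.getpos()
        return self.line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rec = {"tag_name": tag, "value": attrs.get("value"), "inner_text": "", "inner_html": "",
               "form_name": self.forms[-1][0] if self.forms else None}
        if tag == "form":
            rec["form_name"] = attrs.get("name")
            self.forms.append([attrs.get("name"), 0])        # form name, next input index
        if tag == "input":
            rec.update(input_name=attrs.get("name"), input_type=attrs.get("type", "text"),
                       className=attrs.get("class"), input_index=None)
            if self.forms:
                rec["input_index"] = self.forms[-1][1]
                self.forms[-1][1] += 1
        if tag in self.VOID:
            self.elements.append(rec)
        else:   # remember where the inner HTML starts: just past the start tag text
            self.stack.append((rec, self._offset() + len(self.get_starttag_text())))

    def handle_data(self, data):
        for rec, _ in self.stack:           # text belongs to every open element
            rec["inner_text"] += data

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return                           # e.g. an explicit <input ... /> self-close
        if tag == "form" and self.forms:
            self.forms.pop()
        while self.stack:                    # pop to the matching element; tolerates unclosed tags
            rec, inner_start = self.stack.pop()
            rec["inner_html"] = self.html[inner_start:self._offset()]
            self.elements.append(rec)
            if rec["tag_name"] == tag:
                break

    def find(self, **criteria):
        """First element whose recorded attributes equal all the given criteria."""
        for rec in self.elements:
            if all(rec.get(k) == v for k, v in criteria.items()):
                return rec
        return None

# Constructed sample page; the token value is a placeholder, not a real secret.
SAMPLE_HTML = """<html><head><title>Demo portal</title></head><body>
<form name="loginForm" action="/app/j_security_check" method="post">
  <p><b>Login</b></p>
  <input type="hidden" name="csrf" value="constructed-token">
  <input type="text" name="user" class="field" value="user name here">
  <input type="password" name="pwd" class="field">
  <input type="submit" value="Sign in">
</form>
<img src="abd.gif">
</body></html>"""

if __name__ == "__main__":
    print(url_attributes("https://portal.example.com:8443/app/login.jsp?next=home"))
    page = SignatureAttributes(SAMPLE_HTML)
    for rec in page.elements:
        if rec["tag_name"] == "input":
            print(rec["input_index"], rec["input_name"], rec["input_type"], rec["className"])
```

Note that a hidden input shifts @input_index of every field after it, so a signature that relies on the index alone breaks when the page gains or loses a hidden field; @input_name or @input_type is the steadier choice where the page provides one.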

8-17

State Engine Flow Example

8-18

Enabling SSO for an Executable File or Web Page

• Identify the application the executable file or Web page belongs to. If the application does not exist, create it.
• Identify the authentication service the executable file or Web
page refers to. If the authentication service does not exist,
create it.
• Create an AccessProfile for the executable file or Web page.
ƒ Generate the signatures identifying the executable file or Web page.
ƒ Associate the profile with the application.
ƒ Write the SSO support portion and refer to the authentication service in
it.

8-19

Advanced Profiling for Windows Applications

It helps to know what the user sees and to understand the login process for the target application.

8-20

Visualize the State Engine Flow

When creating an AccessProfile, think about what the state engine flow might look like.

8-21

Add the Application

1. Select View > Applications.
2. Select New > New Application.

8-22

Define the Application

• Id: Name of the application (app_name).
• Name: How the application appears in AccessAdmin (IMS Server) for defining application options.

8-23

Add the Authentication Service

1. Select View > Authentication Services.
2. Select New > New Authentication Service.

8-24

Define the Authentication Service

• Id: Name of the authentication service (auth_name).
• Display name: How the authentication service appears in the wallet.

8-25

Define the Account Data Template

• An account data item template defines the properties of individual account data items.
• Account data refers to the user credentials required for logon.
• This field is important because it determines the case sensitivity and the number of authenticators defined for this application.
ƒ The default ciuser_cspwd defines two fields: a case-insensitive username and a case-sensitive password.
ƒ Other data templates define multiple user names and one password, or the reverse, and there are various case sensitivity templates as well.

8-26

Create a New Advanced AccessProfile

1. Select View > Access_Profiles.
2. Select New > New Advanced AccessProfile.

8-27

Name the Profile

• Rename the ID from profileN to something more descriptive for the application.
• For example,
ƒ profile_wnd_windemo
ƒ wnd is used to indicate it is a Windows application as opposed to a Web application.
– The profiles can be named anything, but using a standard naming convention is suggested.

8-28

Define the Application Signature

1. Click the Add button next to the signature field on the General Properties tab.
2. Drag the crosshairs to the login window.

8-29

Specify the Application ID

On the profile General Properties tab, select the application in the Application ID field.

8-30

Define the Start State

8-31

Add a Trigger to the Start State

1. Right-click the Start State.
2. Select Add Trigger > When a window is activated (Win32).
ƒ This trigger is used to detect the login window of a Windows application.

8-32

Define the Trigger Signature

Next, define the signature of the window that receives the activate message by clicking the crosshairs button.

8-33

Use the Finder Tool to Generate the Signature

1. Launch the application.
2. Drag the crosshairs to the Login window of the application to generate the signature.

8-34

Add an Inject Data Action to the Trigger

• This action injects the credentials if they have been saved to the wallet.
• Right-click the trigger and select Add Action > Auto-fills user credentials.

8-35

Add an Injection Field for the Username Field

1. Click the Auto-fills user credentials action.
2. Expand the Injection fields section.
3. Select Windows control and click the Add button.

8-36

Define the Username Field

1. Select aditi_ciuser for the Account data item template id.
2. Click the crosshairs button.

8-37

Define the Signature of the Username Field

• Drag the crosshairs to define the signature of the Username field.

8-38

Add an Injection Field for the Password Field

• Expand the Injection fields section.
• Select Windows control and click the Add button.
• Repeat the previous steps, except this time select aditi_cspwd for the Account data item template id and map it to the password field of the application.

8-39

Define the Password Field

8-40

Specify the Authentication Service Information

1. Expand the Authentication-service info section.
2. Select the authentication service type and click the Add button.
ƒ The Direct Auth Info option uses a static name that you define.
ƒ The Indirect Auth Info options use a dynamic name that can be obtained from the login screen.

8-41

Select the Authentication Service

8-42

Add a Clicks a Window Action to the Trigger

• This action clicks the OK button after injecting the credentials.
• Right-click the When a window is activated (Win32) trigger and select Add Action > Clicks a window.

8-43

Define the OK Button

8-44

Set Action to Trigger Only If Autologon is Enabled

• You only want the OK button pressed if the policy is set to autologon.
• Under Advanced Options, set Execute only if autologon is enabled to Yes.

8-45

Next Step in the State Engine Flow

• You are now here in the state engine:

Create the Next State

1. Click the New state button.
2. Enter state_after_injection for the name.

Set Next State ID for the Previous State

This step tells the state engine where to go after the trigger actions
in the Start State are complete.
1. Click the When a window is activated (Win32) trigger.
2. Select state_after_injection for the next state.

Add a Trigger to Detect the OK Button Was Clicked

1. Right-click state_after_injection.
2. Select the When a button is clicked trigger.

Define the Button is Clicked Trigger

Add a Capture Credentials Action

• This action captures the credentials so they can be saved to the wallet.
• Right-click the trigger and select Add Action > Captures user credentials.

Add the Capture Fields

1. Click the Captures user credentials action.
2. Expand the Capture fields section.
3. Select Windows control and click the Add button.
4. Define the username field.
   – Select aditi_ciuser for the account data item template ID.
   – Click the crosshairs button.
   – Drag the crosshairs to define the signature of the user name field.
5. Select Windows control and click the Add button.
6. Define the password field.
   – Select aditi_cspwd for the account data item template ID.
   – Click the crosshairs button.
   – Drag the crosshairs to define the signature of the password field.

Specify the Authentication Service Information

Add a Save Credentials Action

• This action saves the credentials to the wallet.
• Right-click the trigger and select Add Action > Saves user credentials.

Create the Next State

• Click the New state button.
• Enter state_end for the State name.
• Set the next state ID for the previous state.
  – Click the When a left mouse button is clicked on a window (Win32) trigger.
  – Select state_end for the Next state ID.

Test the Profile

• Test your new AccessProfile:
  – Select Test > Start from the menu.
  – Close and restart the application if it is already running.
• Test the following functions:
  – Capture of credentials.
  – Password Entry (Always).
  – Password Entry (Automatic Logon).

Advanced Profiling for Web Applications

Web Application State Engine Flow

Advanced Profiling for Mainframe

Mainframe Application State Engine Flow

Troubleshooting Using the State Engine View

The State Engine view gives a visual representation of what the state engine is doing.

Troubleshooting Using Real Time Logs

• Select View > Messages.
• While troubleshooting advanced AccessProfiles, this utility is useful for determining where the problem is.
• The messages show the identification of the application, the triggers, the actions, and the next state information.
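To make the flow built in this unit concrete, here is a small Python model of the AccessProfile (start state, state_after_injection, state_end, their triggers and actions, and the Execute only if autologon is enabled option) that also produces a message trace in the spirit of View > Messages. This is an added illustration, not TAM E-SSO product code: the state, action and field names follow the slides, while the event names (window_activated, button_clicked), the Context fields, the message format and the sample credentials are this example's own assumptions.

```python
"""Toy state-engine model of the AccessProfile built in this unit.
Added illustration, not TAM E-SSO code: state, action and field names
follow the slides; event names, Context fields, the message format and
the sample credentials are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CRED_FIELDS = ("aditi_ciuser", "aditi_cspwd")   # account data item template IDs


@dataclass
class Context:
    autologon: bool                                       # Automatic Logon policy
    wallet: Dict[str, str] = field(default_factory=dict)
    screen: Dict[str, str] = field(default_factory=dict)  # login window fields
    captured: Dict[str, str] = field(default_factory=dict)
    injected: bool = False
    ok_clicked: bool = False
    messages: List[str] = field(default_factory=list)     # like View > Messages


@dataclass
class Action:
    name: str
    run: Callable[[Context], None]
    only_if_autologon: bool = False   # "Execute only if autologon is enabled"


@dataclass
class Trigger:
    actions: List[Action]
    next_state: Optional[str] = None  # "Next state ID"


def inject_credentials(ctx: Context) -> None:
    if all(k in ctx.wallet for k in CRED_FIELDS):
        ctx.screen.update({k: ctx.wallet[k] for k in CRED_FIELDS})
        ctx.injected = True


def click_ok(ctx: Context) -> None:
    if ctx.injected:                  # never submit a form nothing was injected into
        ctx.ok_clicked = True


def capture_credentials(ctx: Context) -> None:
    ctx.captured = {k: v for k, v in ctx.screen.items() if k in CRED_FIELDS}


def save_credentials(ctx: Context) -> None:
    ctx.wallet.update(ctx.captured)


class StateEngine:
    def __init__(self, states: Dict[str, Dict[str, Trigger]], start: str):
        self.states, self.current = states, start

    def fire(self, event: str, ctx: Context) -> None:
        """Run the trigger bound to `event` in the current state and log it."""
        trig = self.states[self.current].get(event)
        if trig is None:
            ctx.messages.append(f"state={self.current} event={event} ignored")
            return
        ctx.messages.append(f"state={self.current} trigger={event}")
        for act in trig.actions:
            if act.only_if_autologon and not ctx.autologon:
                ctx.messages.append(f"  action={act.name} skipped (autologon disabled)")
                continue
            act.run(ctx)
            ctx.messages.append(f"  action={act.name}")
        if trig.next_state:
            ctx.messages.append(f"  next_state={trig.next_state}")
            self.current = trig.next_state


def build_profile() -> Dict[str, Dict[str, Trigger]]:
    """start_state -> state_after_injection -> state_end, as built in the unit."""
    return {
        "start_state": {"window_activated": Trigger(
            [Action("inject_credentials", inject_credentials),
             Action("click_ok", click_ok, only_if_autologon=True)],
            next_state="state_after_injection")},
        "state_after_injection": {"button_clicked": Trigger(
            [Action("capture_credentials", capture_credentials),
             Action("save_credentials", save_credentials)],
            next_state="state_end")},
        "state_end": {},
    }


def run_profile(autologon: bool, wallet: Dict[str, str], typed=None):
    """Simulate one login window; returns (final state, wallet, messages)."""
    ctx = Context(autologon=autologon, wallet=dict(wallet))
    engine = StateEngine(build_profile(), "start_state")
    engine.fire("window_activated", ctx)
    if typed:                         # the user fills in the form and presses OK
        ctx.screen.update(typed)
        ctx.ok_clicked = True
    if ctx.ok_clicked:
        engine.fire("button_clicked", ctx)
    return engine.current, ctx.wallet, ctx.messages


if __name__ == "__main__":
    # First use: empty wallet, autologon off, user types constructed credentials.
    state, wallet, log = run_profile(False, {}, {"aditi_ciuser": "alice", "aditi_cspwd": "s3cret"})
    print("\n".join(log), state, wallet)
```

Running the three cases a tester would try (capture on first use, automatic logon with a filled wallet, and a filled wallet with autologon off) shows why the trace matters: in the third case the engine stops in state_after_injection because the OK click was skipped, which is exactly the kind of stall the Messages view makes visible.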

Troubleshooting Using Non-IBM Tools

• Spy++
• Winspector
• Process Explorer
• DOM Inspector

Convert to State Engine Support

• Create AccessProfiles using the AccessProfile Assistant.
• If the AccessProfile created by the wizard does not work:
  – Do not discard the wizard-based profile.
  – Select Enable state editing on the State tab.
  – This action converts the wizard-based AccessProfile to a state-engine (advanced) AccessProfile. You can then modify and troubleshoot the AccessProfile.

Suggested Practices

• Back up the AccessProfiles on the IMS server before making modifications to Profiles stored on the server.
• Use naming conventions that let you quickly identify whether a particular application is a Windows application, a Web application, and so on.

Note: You must have administrator privileges on the IMS server in order to modify AccessProfiles.

Student Exercise

Summary

You should now be able to:
• Explain the purpose of a state machine.
• Describe the components of a state machine.
• Create advanced AccessProfiles.
• Troubleshoot problems with AccessProfiles.

Unit 9: Auditing and Reporting

Objectives

Upon completion of this unit, you will be able to:
• View audit events.
• Generate reports.
• Protect audit data.

Auditing

• TAM E-SSO events are written to the IMS Server database.
• Audit logs can be:
  – Viewed, printed, and searched in AccessAdmin.
  – Integrated with other commercial reporting tools.
  – Protected against tampering.

Searching Audit Logs

Viewing Events by User

Reporting

• User
• Token
• Application
• Helpdesk

User Information Reports

Token Information Reports

Application Usage Reports

Access Profile Audit Action

• Add an audit action to the AccessProfile:
  – acc_data_audit_log_action
  – custom_audit_log_action

Helpdesk Activity Reports

Integration with Commercial Reporting Tools

• A new user can be created to allow reporting tools to read the IMS views.
• The user is created using nwRptUsr.bat.
• Batch file usage pattern: nwRptUsr.bat adminUser adminPass reportsUser reportsPass
  – adminUser is the database administrator account.
  – adminPass is the database administrator password.
  – reportsUser is the account to be created.
  – reportsPass is the password for the new user account.

Protection Against Tampering

• The following activity logs can be protected with log-signing:
  – System management
  – System operation
  – User administration
  – User
  – User service
• Enable log-signing (hashing of the logs) using the IMS Configuration Utility > Advanced Settings > IMS Server > Logging > Log-signing.
• Test for tampering using vrfyLogs.bat.
  – Text
  – XML
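The following Python example, added here and not an IBM tool, shows the property that log-signing gives the activity logs and what a verifier such as vrfyLogs.bat has to check: each record carries a keyed hash that also covers the previous record's hash, so an edited, deleted, inserted or reordered record breaks the chain. The signing key, the record layout and the sample events are constructed for the example; the real IMS record format and algorithm are not described on these slides.

```python
"""Hash-chained, keyed audit log with a tamper check.
Added illustration of what log-signing (hashing of the logs) and a
verifier such as vrfyLogs.bat protect against; it is not the IMS record
format or algorithm. The signing key, the record layout and the sample
events are constructed for this example."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key. A real deployment keeps it outside the log database:
# whoever can edit the rows must not also be able to re-sign them.
SIGNING_KEY = b"constructed-demo-signing-key"
GENESIS = "0" * 64

# Constructed sample events in the spirit of the activity log categories.
SAMPLE_EVENTS = [
    {"category": "User", "user": "alice", "result": "logon success"},
    {"category": "User administration", "user": "bob", "result": "password reset by helpdesk"},
    {"category": "User", "user": "alice", "result": "logon failure"},
]


def _record_mac(key: bytes, seq: int, prev_mac: str, event: Dict) -> str:
    """MAC over sequence number, previous MAC and a canonical event encoding."""
    payload = f"{seq}|{prev_mac}|{json.dumps(event, sort_keys=True)}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_log(events: List[Dict], key: bytes = SIGNING_KEY) -> List[Dict]:
    """Produce records whose MACs chain each entry to its predecessor."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        mac = _record_mac(key, seq, prev, event)
        records.append({"seq": seq, "prev": prev, "event": event, "mac": mac})
        prev = mac
    return records


def verify_log(records: List[Dict], key: bytes = SIGNING_KEY) -> Tuple[bool, List[str]]:
    """Report modified, deleted, inserted or reordered records.
    Removal of the newest records is invisible to the chain alone, so the
    last MAC (tail_anchor) has to be stored out of band and compared."""
    problems, prev, expected_seq = [], GENESIS, 1
    for rec in records:
        if rec["seq"] != expected_seq:
            problems.append(f"gap or reorder before seq {rec['seq']} (expected {expected_seq})")
        if rec["prev"] != prev:
            problems.append(f"chain broken at seq {rec['seq']}")
        mac = _record_mac(key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(mac, rec["mac"]):
            problems.append(f"record {rec['seq']} modified")
        prev, expected_seq = rec["mac"], rec["seq"] + 1
    return (not problems, problems)


def tail_anchor(records: List[Dict]) -> str:
    """Value to store out of band (for example after each housekeeping run)."""
    return records[-1]["mac"] if records else GENESIS


def demo() -> Dict[str, object]:
    """Sign the sample events and check intact, edited, gapped and truncated copies."""
    intact = sign_log(SAMPLE_EVENTS)
    edited = copy.deepcopy(intact)
    edited[1]["event"]["user"] = "mallory"   # rewrite who received the reset
    gapped = [intact[0], intact[2]]          # drop the reset event entirely
    truncated = intact[:2]                   # drop only the newest record
    return {
        "intact": verify_log(intact),
        "edited": verify_log(edited),
        "gapped": verify_log(gapped),
        "truncated": verify_log(truncated),
        "truncated_anchor_matches": tail_anchor(truncated) == tail_anchor(intact),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The truncated case is the caveat worth remembering when scheduling housekeeping: a chain passes verification after its newest records are deleted, so the verifier needs a reference point (the expected record count or last hash) that is not stored alongside the logs.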

Housekeeping

• Run using a batch file or scheduled using the IMS Configuration Utility:
  – hskpLogs.bat
  – IMS Configuration Utility > Basic Settings > Housekeeping
• Backs up the database and IMS Server files.
• Deletes specified logs.

General Housekeeping

Daily, Weekly, and Monthly Housekeeping

Student Exercise

Summary

You should now be able to:
• View audit events.
• Generate reports.
• Protect audit data.

Unit 10: Deployment Scenarios

Objectives

Upon completion of this unit, you will be able to:
• Describe how to use IBM Tivoli Directory Server as the enterprise directory.
• Describe methods of creating a highly-available TAM E-SSO environment.
• Identify components of TAM E-SSO that can be configured for improved performance.

Integrating with Tivoli Directory Server

• TAM E-SSO can use enterprise directories other than Active Directory.
• Connectivity with Tivoli Directory Server is configured using an IMS LDAP Connector.
• The LDAP schema must contain an attribute that represents the user ID to be used for the TAM E-SSO account.
• The Tivoli Directory Server credential is only used during sign-up.
• TAM E-SSO user passwords are managed by the IMS server after sign-up.
• Password synchronization cannot be used.

Installing IMS Server with Tivoli Directory Server

• Add a dedicated lookup user to LDAP.
• Do not use the setup assistant in the IMS Server Configuration Utility.
• Configure the IMS Server.
  – Add a new enterprise directory and select to include the new directory in user validation.
  – Configure the new enterprise directory.
    – Use an LDAP Connector.
    – Define containers for the lookup ID and for regular IMS users.
• Restart the IMS server.
• Provision the IMS administrator.

Changing IMS Server to Use Tivoli Directory Server

• Add another enterprise directory to the IMS server.
• Select to include this directory in user validation.
  – Only one directory can be used in user validation. Therefore, the existing directory is no longer used.
• Update references to the old directory for existing users to point to the new directory.
  – If this step is not done, IMS users must sign up for new IMS accounts on their next login.
• Access to existing cached wallets is retained.

High Availability

• Components that require redundancy:
  1. Windows server
  2. Database server
  3. Directory server

Windows Server High Availability

• A Microsoft Network Load Balanced (NLB) cluster can support a maximum of two cluster members.
• Hardware-based load balancers should be used for more than two cluster members.
• All servers use the same server certificate, which is issued to the virtual host name of the cluster.

Windows NLB Cluster Example

• Software cluster (no hardware load balancer)
• 3 IP addresses are used for each cluster member:
  – IP to initially configure the cluster member (interface1: 10.0.0.21-22)
  – IP dedicated for the NLB cluster (interface2: 10.0.0.11-12)
  – IP of the cluster itself (interface3: tamesso.tivoli.com: 10.0.0.10)

Diagram: cluster IP 10.0.0.10 (tamesso.tivoli.com) in front of tamesso1 (configuration IP 10.0.0.21, NLB IP 10.0.0.11) and tamesso2 (configuration IP 10.0.0.22, NLB IP 10.0.0.12).

How a Windows NLB Cluster Works

• All servers listen for IP packets addressed to the cluster IP.
• Load balancing is established at session start based on priority and current load.
• Servers only respond to session traffic for which they are assigned by the cluster manager.
• The dedicated IP is used to manage cluster members.

Installing TAM E-SSO in an NLB Cluster

• Install the first cluster member using the name of the cluster.
  – Install on tamesso1.tivoli.com using the name tamesso.tivoli.com.
• Copy the installation to the other cluster members.
• Install IMSService on the other cluster members:
  – IMS_Installation_Dir\bin\installer\installService.bat
• Rename the existing TAM E-SSO IMS server to free up the cluster name.
• For database configuration, use the name of the database cluster.

Database Server High Availability

• The database server cluster is set up and configured before TAM E-SSO is installed.
• Examples of database high availability solutions:
  – Oracle RAC
  – Microsoft SQL Server Failover Cluster
  – DB2 High Availability Disaster Recovery (HADR)
• This is not a complete list.

High Availability Example with Microsoft SQL Server

Diagram: two MSCS nodes (Node 1 and Node 2) joined by a heartbeat link, presented to the network as the SQL Server virtual server, with a shared disk behind them.

High Availability Example with DB2

Diagram: the IMS Server connects through the DB2 client, which uses client reroute; the DB2 server on the primary node is kept in step with the DB2 server on the failover node by HADR synchronization.

Directory Server High Availability

• If the enterprise directory is not available, new users will not be able to sign up.
• This example shows how to configure Tivoli Directory Server for high availability.
• The primary Tivoli Directory Server is always used, unless there is a failure.

Diagram: a load balancer in front of the primary TDS and the secondary TDS, with two-way replication between the two servers.

IMS Performance Monitoring

• The IMS Tomcat server supports monitoring with JMX.
• Information in the Database category:
  – Database connections used
  – Errors since server start
  – IMS database pool size
  – Log database pool size
• Information in the Runtime category (sample):
  – Server uptime
  – Active IMS sessions
  – Active threads
  – Amount of free memory
  – Number of failed or successful logins
  – Number of severe or warning log entries

IMS Performance Tuning: Memory

• The default JVM heap size is 512 MB.
• To change the JVM heap size, edit the following registry key values:
  – HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\IMSService\Parameters\Java
    – JvmMs: Start or minimum value in MB
    – JvmMx: Maximum value in MB

IMS Performance Tuning: Agent Connections

• The following parameters are set in IMS_Installation_Dir\conf\server.xml.
• acceptCount: Number of connections the server will accept (default: 100)
• minProcessors: Initial number of connection processing threads (default: 5)
• maxProcessors: Maximum number of connection processing threads (default: 75)
• connectionTimeout: Connection timeout in milliseconds (default: 20000000)

IMS Performance Tuning: Database Connections

• The following parameters are set in IMS_Installation_Dir\ims\config\ims.xml or in the IMS Configuration Utility.
• ds.ims.rdb.pool.maxsize: Maximum number of concurrent database connections (default: 800)
• ds.ims.rdb.pool.maxwait: Timeout in milliseconds for database connections (default: 20000)
• Log database settings are set with ds.ims_log.rdb.pool.maxsize and ds.ims_log.rdb.pool.maxwait.
• Log database defaults are the same.

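As an added example (not an IBM tool), the Python below reads the Connector element from a server.xml fragment, fills in the defaults listed on the two preceding slides, and applies a few sanity checks that relate the agent thread limit to the database pool size and express the connection timeout in hours. The server.xml fragment, the pool values and the review thresholds are constructed for this example.

```python
"""Review of IMS agent-connection and database-pool tuning values.
Added illustration, not an IBM tool: it parses a Tomcat Connector element
from server.xml, merges it with the defaults listed in this unit and runs
a few sanity checks. The server.xml fragment, the pool values and the
thresholds are this example's own constructions."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Defaults as listed on the slides.
CONNECTOR_DEFAULTS = {"acceptCount": 100, "minProcessors": 5,
                      "maxProcessors": 75, "connectionTimeout": 20000000}
POOL_DEFAULTS = {"ds.ims.rdb.pool.maxsize": 800, "ds.ims.rdb.pool.maxwait": 20000,
                 "ds.ims_log.rdb.pool.maxsize": 800, "ds.ims_log.rdb.pool.maxwait": 20000}

# Constructed server.xml fragment; a real file contains many more elements.
SAMPLE_SERVER_XML = """<Server>
  <Service name="IMS">
    <Connector port="443" scheme="https" secure="true"
               acceptCount="200" minProcessors="10" maxProcessors="150"
               connectionTimeout="60000"/>
  </Service>
</Server>"""

# Constructed pool settings (as set in ims.xml or the IMS Configuration
# Utility); the IMS pool is undersized on purpose to trigger a finding.
SAMPLE_POOL = {**POOL_DEFAULTS, "ds.ims.rdb.pool.maxsize": 100}


def effective_connector_settings(server_xml: str) -> Dict[str, int]:
    """Explicit Connector attributes override the documented defaults."""
    root = ET.fromstring(server_xml)
    connector = root.find(".//Connector")
    if connector is None:
        raise ValueError("no Connector element in server.xml")
    settings = dict(CONNECTOR_DEFAULTS)
    for name in CONNECTOR_DEFAULTS:
        if name in connector.attrib:
            settings[name] = int(connector.attrib[name])
    return settings


def review(settings: Dict[str, int], pool: Dict[str, int]) -> List[str]:
    """Sanity checks; the thresholds are this example's assumptions."""
    findings = []
    if settings["minProcessors"] > settings["maxProcessors"]:
        findings.append("minProcessors exceeds maxProcessors")
    # Each busy agent thread may hold a database connection, so a pool
    # smaller than the thread limit can be exhausted under load and
    # requests then wait up to maxwait for a connection.
    for prefix in ("ds.ims", "ds.ims_log"):
        limit = pool[f"{prefix}.rdb.pool.maxsize"]
        if settings["maxProcessors"] > limit:
            findings.append(f"maxProcessors ({settings['maxProcessors']}) exceeds "
                            f"{prefix}.rdb.pool.maxsize ({limit})")
    hours = settings["connectionTimeout"] / 3_600_000
    if hours >= 1:
        findings.append(f"connectionTimeout keeps an idle agent connection open for {hours:.1f} h")
    return findings


def demo() -> Tuple[Dict[str, int], List[str]]:
    """Effective settings of the constructed server.xml and their findings."""
    settings = effective_connector_settings(SAMPLE_SERVER_XML)
    return settings, review(settings, SAMPLE_POOL)


if __name__ == "__main__":
    settings, findings = demo()
    print(settings)
    for finding in findings:
        print("-", finding)
```

Run against the slide defaults alone, the only finding is that a connectionTimeout of 20000000 ms is about 5.6 hours, which is worth knowing when you size maxProcessors for a large number of agents.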
Summary

You should now be able to:
• Describe how to use IBM Tivoli Directory Server as the enterprise directory.
• Describe methods of creating a highly-available TAM E-SSO environment.
• Identify components of TAM E-SSO that can be configured for improved performance.

Unit 11: Integration

Objectives

Upon completion of this unit, you will be able to:
• Configure and use the command-line tools (CLTs) for TAM E-SSO.
• Provision IMS accounts with Tivoli Identity Manager using the TAM E-SSO Adapter.
• Describe the method for provisioning wallet credentials using Tivoli Identity Manager.

Tivoli Identity Manager Integration

• Tivoli Identity Manager integration with TAM E-SSO consists of the following components:
  – IMS Simple Object Access Protocol (SOAP) interface
  – IMS Provisioning Bridge
  – Tivoli Identity Manager RMI-based adapter
  – Tivoli Directory Integrator TAM E-SSO connector
  – Tivoli Identity Manager workflow extension

IMS SOAP Interface

• IMS provides a SOAP endpoint that can be accessed for provisioning of accounts and credentials.
• Sample SOAP requests:
  – loginByPassword
  – preProvisionImsUser
  – createWallet
  – addAccountCredential

Note: Passwords must be encrypted by the SOAP client when stored using the SOAP API.

IMS Provisioning Bridge Overview

• SOAP client that provides a Java API.
• Configured with a simple XML file.
• Provides encryption of passwords.
• Requires configuration in the IMS Server Configuration Utility (bridge name, password).
• Sample of Java classes:
  – login, logout
  – createIMSAccount, revokeIMSAccount, deleteIMSAccount
  – getRegistrationStatus
  – addAppAccountData, updateAppAccountData, deleteAppAccountData
  – getUserAccounts

IMS Provisioning Bridge Command-line Tools

• The IMS command-line tools (CLTs) are Java applications that are invoked from the command line.
• Perl wrapper scripts in Provisioning_Bridge_Dir\tools\perl:
  – addImsUser.pl
  – addWalletAccount.pl
  – deleteWalletAccount.pl
  – getRegistrationStatus.pl
  – importImsCertUtil.pl
  – updateWalletAccount.pl
  – viewWallet.pl
  – toolConfig.pl (used to configure the CLT environment)

Tivoli Identity Manager RMI-based Adapter

• Requires Tivoli Directory Integrator 6.1.1 Fixpack 3.
• The Windows and Linux installers create the RMI adapter environment in TDI_Installation_Dir\timsol.
• Utilizes TAMESSOConnector.jar to connect to IMS using the Provisioning Bridge.
• The Tivoli Identity Manager service profile is imported with TAMESSOProfile.jar.
• The Tivoli Identity Manager workflow extension is TAMESSOWfe500.jar.


Tivoli Directory Integrator TAM E-SSO Connector

• Standard Tivoli Directory Integrator Connector; its configuration parameters:
ƒ IMS Server Name
ƒ Bridge Name
ƒ Bridge Password
ƒ Encryption settings are used internally by the adapter
– Encryption Algorithm
– Encryption Transformation
ƒ Requires SSL connection to IMS Server
– Create trust store and key store and import IMS server certificate
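Importing the IMS Server certificate and then proving that the SSL connection really validates against it is worth scripting once. The Java program below is an added example, not the adapter's code and not importImsCertUtil.pl: it imports a certificate file into a JKS trust store, then opens a TLS connection to the IMS Server using only that store, with hostname verification enabled, so a mismatch between the imported certificate and the one the server actually presents (a load-balancer certificate, a renewed certificate, an expired one) fails here instead of at the first provisioning request. Host, port, file names, alias and the command-line password are placeholders; the store password is taken from the command line for the demo only.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example: import the IMS Server certificate and verify a TLS handshake against it. */
public final class ImsTrustStoreCheck {

    /** Import a PEM or DER certificate into a JKS trust store, creating the store if absent. */
    static void importCert(String certPath, String storePath, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        File storeFile = new File(storePath);
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass);                       // new, empty store
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity();                           // fail early on expired / not-yet-valid certs
            ks.setCertificateEntry(alias, cert);
        }
        try (FileOutputStream out = new FileOutputStream(storeFile)) { ks.store(out, storePass); }
    }

    /** Handshake with the server trusting only the given store; hostname verification is on. */
    static X509Certificate[] handshake(String host, int port, String storePath, char[] storePass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);       // no client key: trust store only
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");   // name in cert must match host
            s.setSSLParameters(p);
            s.startHandshake();                              // throws if untrusted or name mismatch
            Certificate[] chain = s.getSession().getPeerCertificates();
            X509Certificate[] x = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x[i] = (X509Certificate) chain[i];
            return x;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ImsTrustStoreCheck <ims-host> <port> <ims-cert-file> "
                + "<truststore.jks> <store-password>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] pass = args[4].toCharArray();
        importCert(args[2], args[3], pass, "ims-server");  // alias is a placeholder
        X509Certificate[] chain = handshake(host, port, args[3], pass);
        System.out.println("handshake OK; server presented " + chain.length + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                + " issuer=" + c.getIssuerX500Principal()
                + " notAfter=" + c.getNotAfter());
        }
    }
}
```

Run it against the IMS host and port the connector is configured with and compare the printed subject with the certificate you imported. A trust failure with a different subject means the adapter is reaching a front end (load balancer, proxy) whose certificate is not the one exported from the IMS Server, and that is the certificate the trust store needs.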


Tivoli Identity Manager Workflow Extension

• Provides wallet credential provisioning.
• Called from operational workflows in Tivoli Identity Manager.
• Implemented as a custom application extension.
• Methods:
ƒ encAddAccount
ƒ encChangePassword
ƒ encDeleteAccount
ƒ hasImsAccount
• Example account add operational workflow:
ƒ Check for IMS Account.
ƒ Add wallet credential for the account type.


Student Exercise


Summary

You should now be able to:
ƒ Configure and use the command-line tools (CLTs) for TAM E-SSO.
ƒ Provision IMS accounts with Tivoli Identity Manager using the TAM
E-SSO Adapter.
ƒ Describe the method for provisioning wallet credentials using Tivoli
Identity Manager.
