
SafeNet Authentication Manager (SAM)

Version 8.0 Revision A Administrator's Guide

Copyright 2010 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Manager are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners. SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of publication: September 2010
Last update: Tuesday, September 21, 2010 3:24 pm


Support

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact us directly at:

Telephone
You can call our helpdesk 24 hours a day, seven days a week:
USA: 1 800 545 6608
International: +1 410 931 7520

Email
You can send a question to the technical support team at the following email address:
support@safenet-inc.com

Website
You can submit a question through the SafeNet Support portal:
http://c3.safenet-inc.com/secure.asp

Additional Documentation

The following SafeNet publications are available:

SafeNet Authentication Manager 8.0 User's Guide
SafeNet Authentication Manager 8.0 ReadMe


Table of Contents

Part I Overview of SafeNet Authentication Manager

1. Introduction ..... 3
  Overview of SafeNet Authentication Manager ..... 4
    SafeNet Authentication Manager 8.0 Core Benefits ..... 4
    New and Enhanced Features in SafeNet Authentication Manager 8.0 ..... 5
      Cloud support and integration with SaaS providers, Google Apps and Salesforce.com ..... 5
      Enhanced MobilePASS Software Authentication Solution ..... 6
      Integration with SafeNet HSMs for secure key storage ..... 6
      Token History Management ..... 6
      Token Policy Object (TPO) Export and Import ..... 7
      Additional Platform ..... 7
    Supported Authenticators ..... 7

2. System Requirements ..... 9
  SAM Server System Requirements ..... 10
  SAM Management Tools System Requirements ..... 13
  SAM Client System Requirements ..... 14
  SAM External Web Portals ..... 15

Part II Installation and Configuration

3. User Store Deployment ..... 19
  Supported User Stores ..... 20
    Remote Active Directory ..... 21
    Configuring a Microsoft SQL Server User Store ..... 21
      Preparing Microsoft SQL Server Views ..... 22
      Indexed Fields ..... 25
      Preparing an MS SQL Server Authentication dll ..... 25


    Configuring an LDAP User Store ..... 29
      Preparing LDAP Authentication Dll ..... 29
      Supported Authentication Types ..... 30

4. Installation and Configuration Checklist ..... 37
  Step 1: Perform Pre-Installation Tasks ..... 38
  Step 2: Install SafeNet Authentication Manager ..... 38
    SafeNet Authentication Client Configuration ..... 38
    OTP Configuration ..... 39
  Step 3: Configure SafeNet Authentication Manager ..... 40

5. Installation ..... 43
  Installation Components ..... 44
    Silently Installed Component ..... 45
  Installation Steps in an AD Environment ..... 46
    Installing in a Single Domain Environment ..... 46
    Installing in a Multi Domain Environment ..... 47
    Installing SAM in a Multi Forest Environment ..... 47
    Installing and Running Schema Modification Scripts ..... 48
  Installing the SafeNet Authentication Manager Server ..... 52
  Installing the SAM Management Tools ..... 57
  Installing SAM Client Using the Installation Wizard ..... 60
  Installing SAM Client Using the Command Line ..... 63
  Un-installation ..... 64
    Removing SAM Server from the Computer ..... 64
    Removing SAM from the Domain ..... 65
  Propagating the SAM Server Name ..... 66
  Duplicating a SAM Server ..... 70
    Licensing a Duplicate Server ..... 71

6. Upgrade and Migration ..... 73
  Upgrading to SAM 8.0 Server ..... 74
  Upgrading to SAM 8.0 Client ..... 75
  Upgrading to SAM 8.0 Management Tools ..... 75
  Migrating from TMS 2.0 in an OpenLDAP Environment ..... 76
  Migrating from TMS 2.0 with a Shadow Domain ..... 76
  Migrating from SafeWord to SafeNet Authentication Manager 8.0 ..... 77
    Exporting Data from the SafeWord Database ..... 77
    Importing SafeWord Data into SAM ..... 80


7. Basic Configuration ..... 85
  Configuring for Active Directory ..... 86
  Configuring for Standalone User Store ..... 94
  Configuring for OpenLDAP, Novell eDirectory or Remote AD ..... 102
  Configuring for MS SQL Server ..... 115

8. Token Policy Object Links ..... 121
  Accessing Token Policy Object Links ..... 122
    Accessing TPO Links in an AD Environment ..... 122
    Accessing TPO Links in a Non-AD Environment ..... 125
    Accessing TPO Links in a Standalone User Store Environment ..... 127
  Creating a New TPO Link ..... 130
  Adding a TPO Link ..... 132
  Deleting a TPO Link ..... 133
  Specifying the Scope of a TPO Link ..... 133
    TPO Inheritance Behavior ..... 134
    Setting No Override and Disabled Options ..... 136
    Blocking Policy Inheritance ..... 137
    Applying TPO Links to Limited Users and Groups ..... 138
  Importing and Exporting Token Policy Objects ..... 140
    Exporting Token Policy Objects ..... 140
    Importing Token Policy Objects ..... 142

9. Token Policy Object Settings ..... 145
  Using the Token Policy Object Editor to Edit TPOs ..... 146
  General Settings ..... 150
    Mail Configuration ..... 150
    SMS Provider Configuration ..... 151
  Connector Settings ..... 152
  Token Settings ..... 152
    Token Initialization ..... 152
    Token Password ..... 153
    Password Quality ..... 153
    Manual Complexity ..... 155
    Initialization Parameters ..... 157
    Initialization Key ..... 158
    Advanced Settings ..... 161


  Enrollment Settings ..... 162
    General Properties ..... 162
    SafeNet eToken Virtual Enrollment ..... 165
    Enrollment Notification ..... 165
  Recovery Settings ..... 166
  Audit Settings ..... 170
  MobilePASS Settings ..... 170
  Backend Service Settings ..... 171
  Legacy TMS Desktop Agent Settings ..... 173
  Badging Settings ..... 174
    Photo Storage ..... 175
    Printing Parameters ..... 175

10. SAM Configuration Manager ..... 179
  Launching the SAM Configuration Manager ..... 180
  Selecting the SAM Instance ..... 180
  Importing and Exporting the SAM Settings File ..... 181
    Exporting the SAM Settings File ..... 181
    Importing the SAM Settings File ..... 183
  Adding SAM Connectors ..... 183
  Configuring Roles ..... 185
  Scheduling the SAM Backend Service ..... 185
  Configuring the License ..... 187
  Configuring IIS and Web Services ..... 187
    Configuring OTP Web Services ..... 187
    Configuring Features of the SAM Management Center ..... 187
    Configuring Features of the SAM Self Service Center ..... 188
    Configuring Features of the SAM Rescue Service Center ..... 190
    Configuring Features of SAM Web Service API ..... 190
    Configuring Desktop Agent ..... 192
    Configuring Server Synchronization ..... 192
  Selecting the Authentication Plug-In ..... 193
  Defining a Failover Configuration ..... 194
  Exporting and Importing the Signing Certificate ..... 196
    Exporting a Signing Certificate ..... 196
    Importing a Signing Certificate ..... 197


  Changing the SAM Service Account ..... 198

11. Connector Configuration ..... 201
  Connector for Microsoft CA ..... 202
    Supported User Stores ..... 202
    Microsoft DLL Files Required for MSCA ..... 203
    Configuring the Microsoft CA ..... 204
  Connector for OTP Authentication ..... 217
    Supported User Stores ..... 217
    Defining TPO Rules ..... 217
  Connector for Flash Management ..... 221
    Supported User Stores ..... 221
    Defining TPO Rules ..... 222
  Connector for P12 Certificate Import ..... 224
    Supported User Stores ..... 225
    Defining TPO Rules ..... 225
  Connector for SafeNet Network Logon ..... 232
    Supported User Stores ..... 233
    Defining TPO Rules ..... 233
  Connector for eToken Anywhere ..... 237
    CA Requirements ..... 237
    Supported User Stores ..... 238
    Defining TPO Rules ..... 238
  Connector for Check Point Internal CA ..... 243
    Internal CA vs. External CA ..... 243
    Supported User Stores ..... 244
    Configuring the CP Firewall Management ..... 244
    Defining TPO Rules ..... 254
  Connector for Entrust ..... 264
    Entrust Authority Security Manager ..... 264
    SafeNet Authentication Manager - Entrust Integration ..... 265
    Main Features ..... 266
    Architecture ..... 266
    Deployment Recommendations ..... 267
    System Requirements ..... 268
    Prerequisites ..... 269
    Connector for Entrust Configuration ..... 272
    Opening the Connector Policy Object Editor ..... 272
    Defining the CA Policy ..... 274
    Defining the Add User to Security Manager Policy ..... 277
    Defining the Security Manager and SAM on Different Domains Policy ..... 278
    Defining the Domain Username Policy ..... 279
    Defining the Domain User Password Policy ..... 280
    Defining the User Path Policy ..... 281
    Defining the Username Template Policy ..... 282
    Mapping Attributes ..... 283
    Defining the Add User to Security Manager Directory Policy ..... 284
    Defining the User Role Policy ..... 285
    Defining the Certificate Type Policy ..... 286
    Defining the Last Security Manager Update Policy ..... 286
    Defining the SafeNet eToken Rescue Support Policy ..... 287
    Entrust Security Manager Administration Configuration ..... 288
    Using SAM with Entrust ..... 290
    Behavior and Limitations ..... 292

12. Licensing ..... 293
  Licensing Overview ..... 294
  Evaluation License ..... 294
  Upgrading Licenses from Earlier Versions ..... 295
  Viewing Licenses ..... 295
  Applying a License ..... 296
  Multi-Domain Licenses ..... 298

13. Authorization Manager ..... 299
  Authorization Management Overview ..... 300
  Predefined Roles ..... 301
  Defining a New Scope ..... 301
  Defining Roles ..... 303
  Defining Tasks ..... 306

14. User Permissions ..... 309
  Permissions for Basic Administration ..... 310
    SAM Service Account Permissions ..... 310
    User Permissions for Installing SAM ..... 310


  Granting Dial-In Permission to the User Account ..... 311
  Granting Permissions for Microsoft CA Templates ..... 314
  Delegating Password Reset Control ..... 315

15. Audit Messages and Enrollment Notifications ..... 321
  Audit Messages ..... 322
    Configuring Audit Settings for Viewing in Windows Event Viewer ..... 322
    Viewing SAM Events in the Event Viewer ..... 323
    Configuring Audit Settings for Sending Notification Messages ..... 325
  Enrollment Notification ..... 332
    Configuring Enrollment Notification Messages ..... 332
    Configuring Audit, Enrollment and MobilePASS Activation Notification Templates ..... 335
    Notification Letter Keywords ..... 336
  Configuring SMS Notification Template ..... 338

16. OTP Configuration ..... 339
  OTP Web Service Settings ..... 340
    Blank Presses ..... 340
    Blank Presses Resync ..... 340
    Time Sync ..... 341
    Time Resync ..... 341
  OTP Web Service Configuration ..... 342
  Configuring SAM IAS Plug-In ..... 345
  Configuring IAS for a Non-AD User Store ..... 348

17. Backend Service ..... 353
  Overview of Backend Services ..... 354
  Controlling SAM Backend Services ..... 355

Part III Post-Installation Configuration

18. User Management in an ADAM Environment ..... 359
  ADAM Environment User Store Overview ..... 360


  Opening SafeNet Authentication Manager - Policy Manager ..... 360
  Adding a User ..... 362
  Viewing and Editing User Properties ..... 364
  Adding a Group or OU ..... 365
  Viewing and Editing Group Properties ..... 367

19. Desktop Agent ..... 371
  Overview of the Desktop Agent ..... 372
  Adding the Desktop Agent Template to the GPO Editor ..... 372
  Editing the Desktop Agent Settings in the GPO Editor ..... 377
  Desktop Agent Settings ..... 379
  Configuring Automatic Download of SafeNet eToken Rescue ..... 385
  Configuring Attendance Reports ..... 386
    Opening the Desktop Agent Settings Window ..... 386
    Creating an Attendance Reports MS SQL Server Database ..... 387
    Adding a Renamed MDF file to MS SQL Server ..... 389
    Connecting to an Existing MS SQL Server Database through an ODBC Connection ..... 391
    Saving Data for Attendance Reports ..... 396
    Clearing the Token Connection Data History ..... 398
    Displaying an Error Message Following Server Error ..... 399
  Configuring the Legacy Desktop Agent ..... 400
    SAM Desktop Agent Web Services Settings ..... 401
  Troubleshooting ..... 401

20. External Portals ..... 403
  Overview of SAM External Portals ..... 404
  Deliverables ..... 404
  Prerequisites ..... 404
  Installing the SAM External Portals ..... 405
  Configuring SAM Portals ..... 409
    Configuring Roles for SAM Portals ..... 409
    Adding a Portal Connection ..... 410
    Configuring Cloud Logon ..... 412


    Setting the Logon Credentials in Google Apps ..... 416
    Setting the Logon Credentials in Force.com ..... 417
    Configuring the Username Attributes ..... 418

21. Customizing SAM Websites ..... 421
  Customizing Text ..... 422
    Editing the Text in the Resource Files ..... 422
    Implementing Text Changes with the SAM Branding Tool ..... 423
  Customizing Graphic Files ..... 424

Part IV SAM Management

22. SAM Management Center Main Features ..... 429
  Client Requirements ..... 430
    Browser Settings ..... 430
  OTP Tokens ..... 430
    Temp OTP ..... 431
    MobilePASS Tokens ..... 431
  SafeNet eToken Virtual Products ..... 432
    SafeNet eToken Virtual ..... 433
    SafeNet eToken Virtual Temp ..... 433
    SafeNet eToken Rescue ..... 434
    SafeNet eToken Rescue Use Case ..... 434
  eToken Network Logon ..... 435
    eToken Network Logon Device Options ..... 436
    eToken Network Logon Use Case ..... 436

23. Helpdesk ..... 437
  Helpdesk Page Overview ..... 438

xiv

Accessing the Helpdesk Page...............................................................................439 Unlocking a User....................................................................................................447 Enabling a Temp Logon.........................................................................................449 Enabling User Access to a SafeNet eToken Rescue............................................452 Resetting the Default User Password ...................................................................455 Revoking a User's Token .......................................................................................455 Unassigning a User's Token ..................................................................................457 Unlocking a User's Token ......................................................................................459 Temporarily Disabling a Token...............................................................................462 Enabling a Token ...................................................................................................464 Replacing a User's Token ......................................................................................465 OTP Options ..........................................................................................................470 Extending an OTP .............................................................................................471 Replacing a Temp OTP with an OTP Token .....................................................473 Replacing an OTP Token with a Temp OTP .....................................................474 Resetting an OTP PIN.......................................................................................477 Validating an OTP Token...................................................................................478 Locking an OTP.................................................................................................480 
Unlocking an OTP .............................................................................................482 Certificate Recovery Workflow Options.................................................................483 Requesting a Certificate Recovery Workflow....................................................484 Approving a Certificate Recovery Workflow......................................................486 Cancelling a Certificate Recovery Workflow .....................................................488 Rejecting a Certificate Recovery Workflow.......................................................491 Recovering Certificates .....................................................................................493

24. Deployment ............................................................................................497


Deployment Page Overview .............................................................................498 Accessing the Deployment Page...........................................................................499 Assigning a Token..................................................................................................503 Enrolling a Smartcard or USB Token.....................................................................505 Enrolling an OTP Token.........................................................................................509 MobilePASS Token Enrollment.............................................................................. 511 Preparing the MobilePASS Token Notification Procedure................................512 Enrolling a MobilePASS Token..........................................................................512 Sending a MobilePASS Token to the User........................................................515 Using a MobilePASS Token to Generate an OTP.............................................515

xv

25. Inventory.................................................................................................517
Inventory Page Overview..................................................................................518 Accessing the Inventory Page............................................................................... 519 Initializing a Token ................................................................................................. 523 Adding Tokens to the SAM Inventory.................................................................... 526 Adding a File of Tokens to the SAM Inventory.................................................. 526 Adding a Token to the SAM Inventory .............................................................. 528 Removing a Token from the SAM Inventory ......................................................... 530

26. Reports ...................................................................................................533


SAM Reports Page Overview ...........................................................................534 Accessing the Reports Page................................................................................. 534 Generating a Token Inventory Report ................................................................... 536 Generating a Token History Report....................................................................... 541 Generating a Token Expiration Report.................................................................. 546 Generating a Token Audit Report.......................................................................... 550 Generating an OTP Usage Report........................................................................ 553 Generating a Token Connections Report.............................................................. 555 Generating an Hourly Distribution Chart ............................................................... 559

27. Downloads .............................................................................................563


SAM Downloads Page Overview ......................................................................564 Accessing the SAM Downloads Page................................................................... 564 Downloading SAM Web Client .............................................................................. 565 Downloading MobilePASS Applications................................................................ 569

Part V Appendixes
A. AD Schema Enhancement...................................................................573
Prefixes Registered with Microsoft....................................................................574 Naming Conventions ............................................................................................. 574 Schema Attributes and Classes Tables ................................................................ 574 Attributes ........................................................................................................... 575 Classes.............................................................................................................. 588 Schema extensions for TMS 5.0 and Later ...................................................... 590 Schema Extensions for SAM 8.0 and Later...................................................... 592

xvi

Part I Overview of SafeNet Authentication Manager


This section provides an overview of SAM, including the new features in this version.
In this section:

Chapter 1: Introduction (page 3)
Chapter 2: System Requirements (page 9)

Chapter 1

Introduction
SafeNet Authentication Manager (SAM) enables management of the complete user authentication lifecycle. SafeNet Authentication Manager links tokens with users, organizational rules, and security applications to allow streamlined handling of users' needs throughout the various stages of their authenticator lifecycle.
In this section:

Overview of SafeNet Authentication Manager
New and Enhanced Features in SafeNet Authentication Manager 8.0
Supported Authenticators

SafeNet Authentication Manager Administrators Guide

Overview of SafeNet Authentication Manager


SafeNet Authentication Manager 8.0 (formerly known as eToken TMS) provides your organization with a comprehensive platform to manage all of your authentication requirements, across the enterprise and the cloud, in a single, integrated system. Enabling strong authentication for cloud applications using identity federation technology and offering support for SafeNet's portfolio of OTP and certificate-based authenticators, SafeNet Authentication Manager (SAM) is designed to evolve with your changing needs so you can:

Maintain strong on-premise authentication for cloud-based SaaS applications such as Google Apps and SalesForce.com
Seamlessly enhance your authentication infrastructure from OTP-only environments to more flexible ones that support both OTP and certificate-based (PKI) solutions and applications.
Deploy a range of software authentication solutions

SafeNet Authentication Manager's capabilities include central, delegated, and self-service interfaces that allow different levels of service to different communities of users and administrators.

SafeNet Authentication Manager 8.0 Core Benefits


Extend your current enterprise authentication infrastructure to the cloud seamlessly
Complete support for your entire authentication solution (OTP, CBA, security applications) in a single system
Extensible, open platform with self-service and remote support for Linux, Mac and Windows
Flexibility to evolve your authentication infrastructure to include OTP and CBA solutions as well as advanced security applications
Reduce the workload of your IT staff with an integrated IT infrastructure, automated processes and intuitive user self-service tools
Control of your authenticator inventory and usage
Enhanced user productivity and remote access from wherever they are without compromising security
Comprehensive auditing and reporting features enable compliance with privacy regulations


New and Enhanced Features in SafeNet Authentication Manager 8.0


The following features have been included in SafeNet Authentication Manager 8.0.

Cloud support and integration with SaaS providers, Google Apps and Salesforce.com

Description: SAM provides a seamless strong authentication experience for enterprise users who want to access SaaS applications such as Google Apps and Salesforce.com (SFDC). This is achieved by federating their enterprise identity to the cloud, in short, enabling a Single Credential experience in which the user logs in to the SAM portal using their access credentials and is then automatically redirected to the specific cloud application.

How it works: User authentication first happens in the enterprise (the user logging in to SAM), and only after users are successfully authenticated are they redirected to the cloud service through the use of identity federation protocols such as Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data. SafeNet Authentication Manager will act as the trusted identity provider, giving authenticated users permission to access the application. The SaaS application will be configured to allow access only to those users authenticated by the SafeNet Authentication Manager. The enterprise maintains control of user access, as every use of the cloud resource is first validated on premise.

Benefits: Enables enterprise users to access SaaS applications securely via two-factor authentication from anywhere. Existing SafeNet TMS/SAM customers can leverage their current on-premise authentication deployment to seamlessly and cost-effectively extend the same strong authentication solution to their cloud applications. There is no additional hardware or software to deploy; users can leverage their current authenticators. Comprehensive management of all authentication operations for both on-premise and cloud can be performed within a single platform.


Enhanced MobilePASS Software Authentication Solution


Over-the-air deployment can be achieved two ways:
    Direct download link sent to the user via email; using their mobile device, the user then clicks on the link and is prompted to install the application on their device
    Software distribution push via BlackBerry Enterprise Server (BES)
Simple Remote Self-Enrollment and Activation portal for end users
Broad range of mobile device support: BlackBerry (4.2 and above), iPhone (3.0 and above), J2ME, Android

Integration with SafeNet HSMs for secure key storage


Description: SafeNet Authentication Manager security keys are stored in the HSM; encryption and decryption of SAM data is executed on the HSM.
Benefits: Storing the SAM security keys in the HSM rather than locally in the file system enhances the security and the protection of stored secrets such as OTP seeds and archived private keys from unauthorized copy or leakage; this is an increasing requirement among both financial and government customers.
Supported HSM models: Luna SA 4.4 and PCI 7000

Token History Management


Stores historical data of tokens that have been unassigned or removed.
When a user leaves the company, their tokens are initialized and all data removed. However, if the token was used to access encrypted company data, for example, it might be necessary later to retrieve the encryption key. SAM now enables such a process by keeping a history of unassigned tokens, enabling certificate export for historic certificates.


Token Policy Object (TPO) Export and Import


TPO settings can be exported to, and imported from, a password-protected file
Enables the duplication of the same TPO settings in multiple SAM installations
Assists the SafeNet support team when providing assistance to customers

Additional Platform

Windows Server 2008 R2 is now supported

Supported Authenticators
The following authenticators are supported in SafeNet Authentication Manager 8.0:

SafeNet eToken PRO
SafeNet eToken NG-Flash
SafeNet eToken NG-OTP
SafeNet eToken SmartCard
SafeNet eToken Anywhere
SafeNet eToken Virtual
SafeNet eToken Virtual Temp
SafeNet eToken Rescue
eToken Anywhere
MobilePASS
MobilePASS Messaging
Alpine
Gold 3000
Platinum
Silver


Chapter 2

System Requirements
Before installing SAM, ensure that your system meets the requirements for each of the components. See Installation Components on page 44.
In this chapter:

SAM Server System Requirements
SAM Management Tools System Requirements
SAM Client System Requirements
SAM External Web Portals
Windows Password


SAM Server System Requirements


Component | Requirement | Comment
--- | --- | ---
Operating System | One of the following: Windows Server 2003 SP2 (32-bit, 64-bit); Windows Server 2003 R2 (32-bit and 64-bit); Windows Server 2008 SP2 (32-bit, 64-bit); Windows Server 2008 R2 (64-bit) | 
Additional Software | Windows Installer 3.0 or later | The Microsoft Windows Installer is an application installation and configuration service. WindowsInstaller-KB884016-v2x86.exe is the redistributable package for installing or upgrading Windows Installer. http://www.microsoft.com/downloads/details.aspx?familyid=5fbc5470-b259-4733-a914-a956122e08e8&displaylang=en
Additional Software | 32-bit: Microsoft .NET Framework Version 2.0 SP1 (x86) redistributable package or later. 64-bit: Microsoft .NET Framework version 2.0 (x64) redistributable package or later | The Microsoft .NET Framework version 2.0 redistributable package installs the .NET Framework runtime and associated files required to run applications developed to target the .NET Framework 2.0. 32-bit: http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en 64-bit: http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00&displaylang=en
Additional Software | One of the following: Microsoft SQL Server 2005; Microsoft SQL Server 2008 | Required for producing Attendance Reports only
Additional Software | Java Runtime Environment 1.5 or later | Required for MobilePASS tokens only
SAM Configuration Store | Active Directory (if Active Directory is to be used as the configuration store) | See SAM Configuration Store on page 23. Note: If ADAM is to be used as the configuration store, it does not need to be installed separately, as it is installed during the SAM installation.
SAM User Store | One of the following, if an external user store is used: Active Directory (Windows 2003, 2003 R2, 2008, or 2008 R2); MS SQL Server 2005 or 2008; OpenLDAP 2.3.38 or later; Novell eDirectory 8.7.3 or later | See User Store on page 21. Note: If the integrated configuration of a Standalone user store is used, ADAM is installed during the SAM installation, and a pre-installed user store is not required.
PKI Client/SafeNet Authentication Client | The following versions are supported: eToken PKI Client version 4.55; eToken PKI Client version 5.1 SP1; SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features) | Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SafeNet Authentication Manager system. Note: Not required for OTP-only implementations.


SAM Management Tools System Requirements


Component | Requirement | Comment
--- | --- | ---
Operating System | One of the following: Windows Server 2003 SP2 (32-bit, 64-bit); Windows Server 2003 R2 (32-bit, 64-bit); Windows Server 2008 SP2 (32-bit, 64-bit); Windows Server 2008 R2 (64-bit); Windows XP SP3 (32-bit, 64-bit); Windows Vista SP2 (32-bit, 64-bit); Windows 7 (32-bit, 64-bit) | Use Windows Vista and Windows 7 for non-AD environments only.
Additional Software | Windows Installer 3.0 or later; Microsoft .NET Framework Version 2.0 SP1 Redistributable or later | See the Windows Installer comment on page 11. See the Microsoft .NET Framework comment on page 11.
eToken PKI Client or SafeNet Authentication Client | The following versions are supported: eToken PKI Client version 4.55; eToken PKI Client version 5.1 SP1; SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features) | Required to work with tokens and with connector configurations. eToken PKI Client or SafeNet Authentication Client should be installed on both the server and the client computers for a fully featured SAM system. Note: Not required for OTP-only implementations.
Browser | Internet Explorer 6.0, 7.0, or 8.0 | 
Trusted Sites | SAM Management Center | Must be set as a trusted site.


SAM Client System Requirements


Component | Requirement | Comment
--- | --- | ---
Operating System | One of the following: Windows Server 2003 SP2 (32-bit, 64-bit); Windows Server 2003 R2 (32-bit, 64-bit); Windows Server 2008 SP2 (32-bit, 64-bit); Windows Server 2008 R2 (64-bit); Windows XP SP3 (32-bit, 64-bit); Windows Vista SP2 (32-bit, 64-bit); Windows 7 (32-bit, 64-bit) | 
eToken PKI Client or SafeNet Authentication Client | The following versions are supported: eToken PKI Client version 4.55; eToken PKI Client version 5.1 SP1; SafeNet Authentication Client version 8.0 or later (recommended to ensure support of all new features) | Required to work with tokens and with connector configurations. Note: Not required for OTP-only implementations. Note: eToken PKI Client 5.1 SP1 or later is required for a Windows 7 environment.
Browser | Internet Explorer 6.0, 7.0, or 8.0; Firefox 3.6 (OTP operations only); Safari 5 (OTP operations only) | 
Trusted Sites | SAM Self Service Center | Must be set as a trusted site.


SAM External Web Portals


Component | Requirement | Comment
--- | --- | ---
Browser | Internet Explorer 6.0, 7.0, or 8.0; Firefox 3.6; Chrome 5; Safari 5 (Mac) | 


Part II Installation and Configuration


The following chapters describe how to install and configure SAM.
In this section:

Chapter 4: Installation and Configuration Checklist (page 37)
Chapter 3: User Store Deployment (page 19)
Chapter 5: Installation (page 43)
Chapter 6: Upgrade and Migration (page 73)
Chapter 7: Basic Configuration (page 85)
Chapter 8: Token Policy Object Links (page 121)
Chapter 9: Token Policy Object Settings (page 145)
Chapter 10: SAM Configuration Manager (page 179)
Chapter 11: Connector Configuration (page 201)
Chapter 13: Authorization Manager (page 299)
Chapter 15: Audit Messages and Enrollment Notifications (page 321)
Chapter 12: Licensing (page 293)
Chapter 16: OTP Configuration (page 339)
Chapter 17: Backend Service (page 353)


Chapter 3

User Store Deployment


Typically, Microsoft Active Directory is deployed as part of the Windows operating system, and is available when installing SafeNet Authentication Manager.
To use a different user store (MS SQL Server, OpenLDAP, or Novell eDirectory) that is not already installed, you must deploy it before installing SAM.
Alternatively, you can install a Standalone user store, which is an integrated configuration store and user store based on ADAM. In this case, ADAM is installed as part of the SAM installation. See User and Configuration Stores on page 21.
In this section:

Supported User Stores
Remote Active Directory
Configuring a Microsoft SQL Server User Store
Configuring an LDAP User Store


Supported User Stores


SafeNet Authentication Manager can work with any of the following user stores:

Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)

Note:
You cannot work with Active Directory and a different store (MS SQL Server, OpenLDAP, Novell, or Remote AD). However, when working with AD you can use several domains.
When working with MS SQL Server, OpenLDAP, Novell, or Remote AD, you can use several of them together, but not with AD.

ADAM (with Standalone user store, an integrated configuration and user store)
Remote Active Directory
Microsoft SQL Server 2005/2008
OpenLDAP
Novell eDirectory

Note:
For a fully featured SafeNet Authentication Manager solution including SAM Desktop Agent, Microsoft Active Directory must be used.
In non-AD environments, SafeNet Authentication Manager supports the following connectors:
    Connector for OTP Authentication
    Connector for eToken Anywhere
    Connector for Check Point Internal CA
    Connector for Microsoft CA, with offline CA
    Connector for Flash Management
    Connector for P12 Certificate Import


Remote Active Directory


A remote Active Directory can be used as a user store when working in a multi-forest environment. This avoids the necessity of installing a SafeNet Authentication Manager server in each forest. A typical use for this would be when deploying OTP in a multi-forest environment.
To enable connection to the remote Active Directory, during configuration SafeNet Authentication Manager must be supplied with the user name and password that will enable access to the domain.

Configuring a Microsoft SQL Server User Store


Perform the following tasks before implementing MS SQL Server as a user store:

Prepare the data views so that SafeNet Authentication Manager can connect to the database.
Prepare the authentication dll file that will enable users to log on to the SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.


Preparing Microsoft SQL Server Views


The required views must be created in MS SQL Server. This set of views must be prepared as described to enable SafeNet Authentication Manager to connect to the database.

AksTMSUsers
AksTMSUsers represents the user table.

Field | Type | Description | Required
--- | --- | --- | ---
UserID | String | The unique user ID | Yes
AccountName | String | The unique user account name | Yes
PolicyObjectID | String | The direct organization unit | Yes (can be null)
LogonName | String | The unique user logon name | No
AccountEnabled | Boolean | Used by OTP authentication | No
AccountLocked | Boolean | Used by OTP authentication | No
FirstName | String | The user's first name | No
LastName | String | The user's last name | No
Initials | String | The user's initials | No
MiddleName | String | The user's middle name | No
Street | String | The user's address street | No
POBox | String | The user's address PO Box number | No
City | String | The user's address city | No
State | String | The user's address state | No
ZipCode | String | The user's address zip code | No
CountryCode | String | The user's address country code | No
HomePostalAddress | String | The user's home postal address | No
Email | String | The user's email | No
MobilePhone | String | The user's mobile phone | No
HomePhone | String | The user's home phone | No
OrganizationName | String | The user's organization name | No
Company | String | The user's company | No
EmployeeNumber | String | The user's employee number | No
DepartmentNumber | String | The user's department number | No
Office | String | The user's office | No
DisplayName | String | The user's full display name | No

AksTMSGroups
AksTMSGroups represents the group table.

Field | Type | Description | Required
--- | --- | --- | ---
GroupID | String | The unique group ID | Yes (value required)
GroupName | String | The unique group name | Yes (value required)
DisplayName | String | The group full display name | No


AksTMSUserOfGroup
AksTMSUserOfGroup represents membership of users in the groups.

Field | Type | Description | Required
--- | --- | --- | ---
GroupID | String | The group unique ID | Yes (value required)
UserID | String | The user belonging to the group | Yes (value required)

AksTMSGroupOfGroup
AksTMSGroupOfGroup represents the group hierarchy.

Field | Type | Description | Required
--- | --- | --- | ---
GroupID | String | The unique group ID | Yes (value required)
MemberGroupID | String | The subgroup belonging to the group | Yes (value required)

AksTMSPolicyObjects
AksTMSPolicyObjects represents the hierarchy of the organization (equivalent to OU).

Field | Type | Description | Required
--- | --- | --- | ---
PolicyID | String | The unique policy object ID | Yes (value required)
PolicyName | String | The unique policy object name | Yes (value required)
Root | Boolean | Policy object is root | Yes (value required)
ParentPolicyID | String | The ID of the parent policy object | Yes (value not required)
DisplayName | String | The policy's full display name | No

Indexed Fields
To ensure optimum performance, all required fields in the SQL database should be indexed:

AksTMSUsers: UserID, AccountName, PolicyObjectID
AksTMSGroups: GroupID, GroupName
AksTMSUserOfGroup: GroupID, UserID
AksTMSPolicyObjects: PolicyID, PolicyName, Root, ParentPolicyID
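A worked example of the views this section specifies, added here and not taken from the SafeNet guide: it builds the five AksTMS views on top of a hypothetical HR schema (hr.Person, hr.Team, hr.TeamMember, hr.TeamParent and hr.OrgUnit, whose table and column names are assumptions) and then indexes the base-table columns behind the required fields. The view names and view column names are the ones the guide requires; how each optional field is mapped, and the use of NVARCHAR(64) for identifiers, are illustrative choices.

```sql
-- Added example, not part of the SafeNet guide. Creates the five views the
-- guide requires on top of a hypothetical HR schema (hr.Person, hr.Team,
-- hr.TeamMember, hr.TeamParent, hr.OrgUnit); those base tables and their
-- columns are assumptions. View names and view column names are the guide's.
-- T-SQL for SQL Server 2005/2008.

-- User table. UserID, AccountName and PolicyObjectID are required (the last
-- may be NULL); every other column is optional, so attributes the HR schema
-- does not hold are exposed as typed NULLs rather than left out of the view.
CREATE VIEW dbo.AksTMSUsers AS
SELECT
    CAST(p.PersonId AS NVARCHAR(64))   AS UserID,
    p.LoginName                        AS AccountName,
    CAST(p.OrgUnitId AS NVARCHAR(64))  AS PolicyObjectID,
    p.LoginName                        AS LogonName,
    CAST(p.IsActive AS BIT)            AS AccountEnabled,   -- used by OTP authentication
    CAST(CASE WHEN p.LockedUntil > GETDATE() THEN 1 ELSE 0 END AS BIT)
                                       AS AccountLocked,    -- used by OTP authentication
    p.GivenName AS FirstName,  p.Surname AS LastName,
    CAST(NULL AS NVARCHAR(64))  AS Initials,
    CAST(NULL AS NVARCHAR(64))  AS MiddleName,
    p.Street, p.POBox, p.City, p.State, p.ZipCode, p.CountryCode,
    CAST(NULL AS NVARCHAR(256)) AS HomePostalAddress,
    p.Email, p.MobilePhone,
    CAST(NULL AS NVARCHAR(64))  AS HomePhone,
    o.Title AS OrganizationName,  o.Title AS Company,
    p.EmployeeNo AS EmployeeNumber,
    CAST(NULL AS NVARCHAR(64))  AS DepartmentNumber,
    CAST(NULL AS NVARCHAR(64))  AS Office,
    p.GivenName + N' ' + p.Surname AS DisplayName
FROM hr.Person p
LEFT JOIN hr.OrgUnit o ON o.OrgUnitId = p.OrgUnitId;
GO

-- Group table.
CREATE VIEW dbo.AksTMSGroups AS
SELECT CAST(t.TeamId AS NVARCHAR(64)) AS GroupID,
       t.Code                         AS GroupName,
       t.Title                        AS DisplayName
FROM hr.Team t;
GO

-- Membership of users in groups.
CREATE VIEW dbo.AksTMSUserOfGroup AS
SELECT CAST(m.TeamId AS NVARCHAR(64))   AS GroupID,
       CAST(m.PersonId AS NVARCHAR(64)) AS UserID
FROM hr.TeamMember m;
GO

-- Group hierarchy: each row says MemberGroupID is a subgroup of GroupID.
CREATE VIEW dbo.AksTMSGroupOfGroup AS
SELECT CAST(tp.ParentTeamId AS NVARCHAR(64)) AS GroupID,
       CAST(tp.ChildTeamId AS NVARCHAR(64))  AS MemberGroupID
FROM hr.TeamParent tp;
GO

-- Organization hierarchy (OU equivalent). Root is required; ParentPolicyID
-- must exist as a column but is NULL for the root object.
CREATE VIEW dbo.AksTMSPolicyObjects AS
SELECT CAST(u.OrgUnitId AS NVARCHAR(64))       AS PolicyID,
       u.Code                                  AS PolicyName,
       CAST(CASE WHEN u.ParentOrgUnitId IS NULL THEN 1 ELSE 0 END AS BIT) AS Root,
       CAST(u.ParentOrgUnitId AS NVARCHAR(64)) AS ParentPolicyID,
       u.Title                                 AS DisplayName
FROM hr.OrgUnit u;
GO

-- Indexes for the required fields. A plain view carries no index of its own,
-- so index the base-table columns the views read. The Id columns are assumed
-- to be primary keys (already indexed); Root is derived from ParentOrgUnitId,
-- so indexing that column serves both.
CREATE UNIQUE INDEX IX_Person_LoginName ON hr.Person (LoginName);
CREATE INDEX        IX_Person_OrgUnit   ON hr.Person (OrgUnitId);
CREATE UNIQUE INDEX IX_Team_Code        ON hr.Team (Code);
CREATE INDEX        IX_TeamMember_Pair  ON hr.TeamMember (TeamId, PersonId);
CREATE UNIQUE INDEX IX_OrgUnit_Code     ON hr.OrgUnit (Code);
CREATE INDEX        IX_OrgUnit_Parent   ON hr.OrgUnit (ParentOrgUnitId);
GO
```

The unique indexes on LoginName, Team.Code and OrgUnit.Code also enforce the uniqueness the guide states for AccountName, GroupName and PolicyName, so a duplicate in the HR data is rejected at the source instead of surfacing as an ambiguous lookup in SAM.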

Preparing an MS SQL Server Authentication dll


This section describes how to configure MS SQL Server authentication in SAM.

SQL Authentication Overview


When SafeNet Authentication Manager is configured to work with a user store based on an SQL database, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center and SAM Policy Management.
When the administrator installs SafeNet Authentication Manager and configures a user store based on an SQL database, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.


SQLAuthentication.dll Authentication File


A default SQL authentication dll is provided with SAM: SQLAuthentication.dll.

This dll file reads a specific configuration at runtime when the associated application is loaded.
SQLAuthentication.dll is typically located at:
    C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

SQLAuthentication.dll.config Configuration File


The configuration file must be named SQLAuthentication.dll.config, and must be located in the same directory as SQLAuthentication.dll.

The SQLAuthentication.dll.config file is an XML file.

Note:
After updating the SQLAuthentication.dll.config configuration file, reset the IIS server to update SAM.

Supported Authentication Types


SQL User is the only authentication type supported.
This authentication type takes advantage of the SQL Server built-in authentication service. When a SafeNet Authentication Manager user authentication request arrives, an appropriate SQL connection string is built at runtime and is then used by an SQL connection object to connect to the server.
If a connection is established successfully, the authentication request is accepted. If the connection fails, the authentication request is rejected.
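A worked example, added here and not part of the SafeNet guide, of what the SQL User authentication type implies for SQL Server principals: because a request is accepted exactly when a connection can be opened as the user with the password the user typed, every SAM user must exist as a SQL Server login, and the least-privilege arrangement is to give those logins nothing beyond the ability to connect, while the account SAM itself uses to read the views gets SELECT on the views and nothing else. The database name SamUserStore, the login names, the role name and the passwords are placeholders.

```sql
-- Added example, not part of the SafeNet guide. Two kinds of principal for a
-- SQL user store with SQL User authentication, set up with least privilege.
-- Names and passwords are placeholders. T-SQL for SQL Server 2005/2008.

-- 1. The account SAM uses to read the AksTMS views: SELECT on the views only,
--    granted through a role so it can be audited and revoked in one place.
CREATE LOGIN sam_reader
    WITH PASSWORD = 'Replace-With-A-Strong-Secret-1!', CHECK_POLICY = ON;
GO
USE SamUserStore;
GO
CREATE USER sam_reader FOR LOGIN sam_reader;
CREATE ROLE sam_directory_reader;
GRANT SELECT ON dbo.AksTMSUsers         TO sam_directory_reader;
GRANT SELECT ON dbo.AksTMSGroups        TO sam_directory_reader;
GRANT SELECT ON dbo.AksTMSUserOfGroup   TO sam_directory_reader;
GRANT SELECT ON dbo.AksTMSGroupOfGroup  TO sam_directory_reader;
GRANT SELECT ON dbo.AksTMSPolicyObjects TO sam_directory_reader;
EXEC sp_addrolemember 'sam_directory_reader', 'sam_reader';
GO

-- 2. An end user. The login name must equal the value of the user property
--    chosen as TMSUserIdentifier (AccountName here), because that value is
--    substituted for {0} in the connection string. The login needs no
--    database rights: the connection attempt itself is the authentication.
--    CHECK_POLICY / CHECK_EXPIRATION apply the Windows password policy
--    (complexity, lockout, expiry) to the SQL login. With "Initial Catalog="
--    left empty, as in the guide's sample, the login's default database is
--    used; master always admits logins through its guest user, so DEFAULT_
--    DATABASE = master lets the connection succeed without any mapping.
CREATE LOGIN [jdoe]
    WITH PASSWORD = 'User-Chosen-Initial-Pwd-9!',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON, DEFAULT_DATABASE = master;
GO

-- 3. Verify jdoe holds nothing beyond the CONNECT SQL permission every login
--    receives on creation. Any extra row here is a privilege to remove.
SELECT permission_name, state_desc
FROM sys.server_permissions
WHERE grantee_principal_id = SUSER_ID('jdoe');
GO
```

Because the user's password reaches SQL Server inside the connection string, the verification query above is the defender's check that a successful authentication cannot also be turned into data access: the end-user logins should carry only CONNECT SQL, and no user mapping in SamUserStore.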


Since there may be several user store databases in an organization, each user store may be configured to transfer a user's authentication request to a different SQL database, as explained in the following <Instance> XML node.

Tip:
We recommend referring to the sample SQLAuthentication.dll.config file when reading this section. Typically, SQLAuthentication.dll.config is located at:
    C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin\

<Instance>

Allows mapping a user's authentication request by the unique name of the user store to which the user belongs. For example, in the sample configuration file each user belonging to organization usa is authenticated using the connection string pointing to SQLSRV-USA-MACHINE, while each user belonging to organization europe is authenticated using the connection string pointing to SQLSRV-EUR-MACHINE.
If there is only one user store, only one <Instance> section should be used (adding the default="true" attribute).
<TMSUserIdentifier>

Indicates which user property should be used as the SQL Server user name. The value at runtime is inserted into the {0} at the ConnectionString XML node.
User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber, and Name.


<Provider>

This value holds the provider retrieving data from the database. Use the following value: System.Data.SqlClient



<ConnectionString>

Note:
The <ConnectionString> template described here must be formatted according to the selected provider. Each provider defines the connection string format.

Contains a template for the database connection string. The template should be formatted according to the provider type, as described in the previous section.

The {0} is replaced at runtime with the value of the TMS user property indicated in TMSUserIdentifier.
The {1} is replaced at runtime with the value of the authentication request password.

The following sample shows a connection string for connecting to Microsoft SQL Server:
    <ConnectionString>Data Source=SQLSRV-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
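The complete configuration file for the two-user-store arrangement this section describes, as an added example rather than the sample file shipped with SAM. The <Configuration> root element and the name attribute on <Instance> are assumed by analogy with the LDAPAuthentication.dll.config format shown later in this chapter; the server names SQLSRV-USA-MACHINE and SQLSRV-EUR-MACHINE and the store names usa and europe are those this section uses; the \SQLEXPRESS instance name and the empty Initial Catalog are taken from the guide's sample connection string.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Added example, not the sample file shipped with SAM. Root element and the
     name attribute are assumed by analogy with LDAPAuthentication.dll.config. -->
<Configuration>
  <!-- One <Instance> per user store; name is the store's unique name as
       configured in SAM (usa and europe are assumed). default="true" is the
       attribute the guide prescribes for a single-store setup; placing it on
       one of two instances, as a fallback, is an assumption. -->
  <Instance name="usa" default="true">
    <!-- The user property substituted for {0}: AccountName, LogonName,
         Email, EmployeeNumber or Name -->
    <TMSUserIdentifier>AccountName</TMSUserIdentifier>
    <Provider>System.Data.SqlClient</Provider>
    <!-- {1} is replaced with the password from the authentication request.
         Initial Catalog is left empty as in the guide's sample, so the
         login's default database is used. -->
    <ConnectionString>Data Source=SQLSRV-USA-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
  </Instance>
  <Instance name="europe">
    <TMSUserIdentifier>AccountName</TMSUserIdentifier>
    <Provider>System.Data.SqlClient</Provider>
    <ConnectionString>Data Source=SQLSRV-EUR-MACHINE\SQLEXPRESS;Initial Catalog=;Integrated Security=False;User ID={0};Password={1}</ConnectionString>
  </Instance>
</Configuration>
```

Save the file as SQLAuthentication.dll.config next to SQLAuthentication.dll and reset IIS afterwards, as the Note in this section requires; the file holds no credentials of its own, since {0} and {1} are filled in from each authentication request.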


Configuring an LDAP User Store


SafeNet Authentication Manager supports OpenLDAP and Novell eDirectory as user stores.
Perform the following tasks before implementing an LDAP directory as a user store:

Prepare the authentication dll file that will enable users to log on to SAM Management Center, SAM Self Service Center, and SAM Rescue Service Center.
If you require an LDAP schema different from the default, you must make the changes in the SAM Configuration Manager. See Changing the Schema Configuration on page 199.

Notes:

In contrast to AD, OpenLDAP does not use a specific schema definition for users, groups, etc. It uses a basic definition that is extended on each installation.
Novell eDirectory has a default schema that is similar to AD.

Preparing LDAP Authentication Dll


This section describes how to configure LDAP authentication in SafeNet Authentication Manager.

LDAP Authentication Overview


When SafeNet Authentication Manager is configured to work with a user store that is not Microsoft Active Directory, it must be able to authenticate the users who log on to the various SafeNet Authentication Manager applications: SAM Management Center, SAM Self Service Center, SAM Rescue Service Center, and SAM Policy Management.
When the administrator installs SafeNet Authentication Manager and configures a non-Active Directory user store, the SafeNet Authentication Manager Installation Wizard enforces the selection of the authentication dll file that implements the authentication process.


LDAPAuthentication.dll Authentication File


A default LDAP authentication dll file is provided with SafeNet Authentication Manager: LDAPAuthentication.dll
This dll file reads the specific configuration at runtime when the associated application is loaded.
LDAPAuthentication.dll is typically located at:
    C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

LDAPAuthentication.dll.config Configuration File


The configuration file must be named LDAPAuthentication.dll.config, and must be located in the same directory as LDAPAuthentication.dll.

The LDAPAuthentication.dll.config file is an XML file.

Supported Authentication Types


There are two supported LDAP authentication types:

Fast Bind Configuration
Slow Bind Configuration

Both authentication types take advantage of the LDAP Directory server built-in authentication service.

Tip:

Use fast bind authentication when the users are stored in an LDAP directory and you wish to authenticate them with the same directory.
Use slow bind authentication when the users are stored in one database and you wish to authenticate them with a different database (which is an LDAP directory).


Fast Bind Configuration

The most common configuration is the fast bind authentication. It is a one-phase authentication where the user DN and user password are passed to the LDAP directory, which in return accepts or rejects the authentication request.
In this configuration, both users and passwords are placed in the same store. This store is always an LDAP directory where each user in the directory must be authorized to perform authentication.
The XML file should be as follows:

<Configuration>
  <AuthenticationType>FastBind</AuthenticationType>
</Configuration>

The file will always be the same regardless of the LDAP directory manufacturer or any other criteria.

Slow Bind Configuration

Slow bind authentication is two-phase authentication:
First phase is searching and retrieving the user's LDAP path (User DN) from a pre-configured LDAP directory.
Second phase is authenticating that user (as in fast bind).
In this configuration, the user store is usually located in one database (of any type) and the passwords are located in another database, which must be an LDAP directory. For example, the user store is an SQL database and the passwords are in an OpenLDAP or eDirectory database.
As in fast bind authentication, each user in the LDAP directory must be authorized to perform authentication.

The XML file should be as follows:


<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance name="InstanceName1">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>Server1.com:389</Server>
      <BaseDN>dc=MyCompany1,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=Person))</FilterTemplate>
      <UserDN>cn=Admin,dc=MyCompany1,dc=com</UserDN>
      <Password></Password>
    </Instance>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>Server1.com:389</Server>
      <BaseDN>dc=MyCompany1,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=Person))</FilterTemplate>
      <UserDN>cn=Admin,dc=MyCompany1,dc=com</UserDN>
      <Password></Password>
    </Instance>
  </SlowBind>
</Configuration>

If there are multiple user store databases in an organization, there may be several matching LDAP directories containing the passwords. The configuration file allows the binding of each user store to a specific LDAP directory.
<Instance>
Allows mapping a user store to an LDAP directory. If there is only one LDAP directory, only one <Instance> section should be used (adding the default="true" attribute).


If there are several LDAP directories, the name attribute should be used to map the user store with LDAP directories, providing the user store's unique instance name.
<TMSUserIdentifier>
Holds the user property that is used to locate the user in the LDAP directory. The value at runtime is inserted into the {0} in the FilterTemplate XML node.
User fields that can be selected are: AccountName, LogonName, Email, EmployeeNumber and Name.
<Server>
IP or DNS name of the LDAP directory.
<BaseDN>
The root LDAP path for user searching.
<FilterTemplate>
This LDAP query template is used to build an LDAP search string at runtime in order to find the user requesting authentication in the LDAP directory. The {0} is replaced at runtime with the value of the user property indicated in TMSUserIdentifier.
<UserDN>
The user LDAP path used to perform the searches in the LDAP directory. This entry must have permissions to search and read LDAP entries in the LDAP directory.

<Password>
The password of UserDN.

Note:
The password must be encrypted using the Encrypt Password Tool (EncryptPassword.exe) and placed in the configuration file. See Using the Encrypt Password Tool (EncryptPassword.exe) on page 34.

Using the Encrypt Password Tool (EncryptPassword.exe)

Use the Encrypt Password Tool only when LDAP authentication is configured for slow bind authentication.
The tool generates an encrypted password from a plaintext password. The encrypted password must be placed inside the <Password> XML node of the configuration file.
The tool must be run from the computer where the SafeNet Authentication Manager Server is installed.
By default, the Encrypt Password Tool (EncryptPassword.exe) is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Authentication

Configuration Example - Slow Bind Authentication

In this scenario, we assume a company works with an LDAP directory that is currently not supported by SafeNet Authentication Manager.
To export users to a database supported by SAM:
1. Export the users from the LDAP directory into a Microsoft SQL Server database, which is supported by SafeNet Authentication Manager.
After this process there are two installed databases:
Microsoft SQL Server containing only users
LDAP directory containing both users and passwords
2. Install SAM 8.0 Server or later.
3. Select SQL Server from the list of user databases.
4. Select the LDAPAuthentication.dll in the authentication window.
5. Complete the installation.

Configuring LDAPAuthentication.dll.config

Configure LDAPAuthentication.dll before running any SAM management application.
To configure LDAPAuthentication.dll:
1. Open the LDAPAuthentication.dll.config file, located in the SAM installation folder.
2. Create a configuration, as in the following example of a slow bind configuration:

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>10.0.0.99:389</Server>
      <BaseDN>dc=organization,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=organizationalPerson))</FilterTemplate>
      <UserDN>cn=Administrator,dc=organization,dc=com</UserDN>
      <Password>
        AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAper6yavZzE21ObZafm
        dDMgQAAAAIAAAAVABNAFMA
        AAADZgAAqAAAABAAAABAt5/hxHf7tgrMsMX+l+glAAAAAASAAA
        CgAAAAEAAAAP1sMRXQv93p
        Tj2fj82oTfcQAAAAq06pe9IwfKx4rSVIZiTbaxQAAACms9JMPx
        fv1/XNsngjP+PQsC/t1w==
      </Password>
    </Instance>
  </SlowBind>
</Configuration>

This configuration file assumes the following:
The LDAP directory is located at 10.0.0.99, port 389
The base DN is dc=organization,dc=com
The user object in the LDAP directory has the organizationalPerson value in the objectClass attribute
The user object is uniquely identified by the cn attribute
The user that has read permissions in the LDAP directory is cn=Administrator,dc=organization,dc=com
The password of cn=Administrator,dc=organization,dc=com should be retrieved as follows:
Run EncryptPassword.exe
Enter the password in the Plaintext Password text box (i.e. Pas$word)
Click Encrypt (you should see the encrypted password in the ciphertext box)
Click Copy in order to copy the encrypted password to the clipboard
Paste the encrypted password into the <Password> XML node
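The <Instance> elements and the two slow-bind phases described above, as an added example that is not part of this guide or of SafeNet's product: it parses a constructed LDAPAuthentication.dll.config, selects an <Instance> by name or by the default attribute, substitutes the user's TMSUserIdentifier value into {0} with RFC 4515 escaping, and runs search-then-bind against a small in-memory directory. The instance name hr_store, the hostnames, DNs and passwords are constructed, the in-memory directory stands in for a real LDAP server, and decryption of the EncryptPassword.exe output is not reproduced.

```python
"""Added example (not SafeNet code): parse a slow-bind LDAPAuthentication.dll.config,
select the <Instance> for a user store, build the phase-1 search filter from
<FilterTemplate>, and run both slow-bind phases against a constructed in-memory
directory.  Decrypting the EncryptPassword.exe <Password> value is not reproduced."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config modelled on the guide's example; ENCRYPTED-PLACEHOLDER
# stands in for real EncryptPassword.exe output.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <AuthenticationType>SlowBind</AuthenticationType>
  <SlowBind>
    <Instance name="hr_store">
      <TMSUserIdentifier>Email</TMSUserIdentifier>
      <Server>ldap-hr.example.com:389</Server>
      <BaseDN>ou=people,dc=example,dc=com</BaseDN>
      <FilterTemplate>(&amp;(mail={0})(objectClass=inetOrgPerson))</FilterTemplate>
      <UserDN>cn=svc-sam,dc=example,dc=com</UserDN>
      <Password>ENCRYPTED-PLACEHOLDER</Password>
    </Instance>
    <Instance default="true">
      <TMSUserIdentifier>AccountName</TMSUserIdentifier>
      <Server>10.0.0.99:389</Server>
      <BaseDN>dc=organization,dc=com</BaseDN>
      <FilterTemplate>(&amp;(cn={0})(objectClass=organizationalPerson))</FilterTemplate>
      <UserDN>cn=Administrator,dc=organization,dc=com</UserDN>
      <Password>ENCRYPTED-PLACEHOLDER</Password>
    </Instance>
  </SlowBind>
</Configuration>"""

def load_instances(xml_text):
    """Return {instance name or 'default': {element tag: text}} per <Instance>."""
    root = ET.fromstring(xml_text)
    if root.findtext("AuthenticationType") != "SlowBind":
        raise ValueError("only SlowBind configurations carry <Instance> sections")
    instances = {}
    for inst in root.find("SlowBind").findall("Instance"):
        key = "default" if inst.get("default") == "true" else inst.get("name")
        instances[key] = {child.tag: (child.text or "") for child in inst}
    return instances

def select_instance(instances, store_name=None):
    """Map a user store to its LDAP directory by instance name, else the default."""
    return instances.get(store_name, instances["default"])

# RFC 4515 escaping for the value that replaces {0}: it comes from a user-supplied
# identifier, so '*', '(' or ')' in it must match literally, not act as syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_search_filter(instance, user):
    """Phase 1 input: insert the user's TMSUserIdentifier property into {0}."""
    prop = instance["TMSUserIdentifier"]
    return instance["FilterTemplate"].replace("{0}", escape_filter_value(user[prop]))

class FakeDirectory:
    """Constructed stand-in for an LDAP server, keyed by DN. search() understands
    only AND-filters of (attr=value) terms, which is all the guide's templates use."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {"attrs": {...}, "password": "..."}

    def search(self, base_dn, search_filter, search_account_dn):
        if search_account_dn not in self.entries:  # the configured UserDN must exist
            return None
        terms = re.findall(r"\((\w+)=([^()]*)\)", search_filter)
        for dn, entry in self.entries.items():
            if dn.endswith(base_dn) and all(
                    entry["attrs"].get(a) == unescape_filter_value(v) for a, v in terms):
                return dn
        return None

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

def slow_bind(instance, user, password, directory):
    """Phase 1: find the user's DN with the configured UserDN search account.
    Phase 2: bind as that DN with the password the user supplied."""
    user_dn = directory.search(instance["BaseDN"], build_search_filter(instance, user),
                               instance["UserDN"])
    return user_dn is not None and directory.bind(user_dn, password)

# Constructed directory content matching the default instance above.
DIRECTORY = FakeDirectory({
    "cn=Administrator,dc=organization,dc=com": {
        "attrs": {"cn": "Administrator", "objectClass": "organizationalPerson"},
        "password": "svc-secret"},
    "cn=jdoe,ou=users,dc=organization,dc=com": {
        "attrs": {"cn": "jdoe", "objectClass": "organizationalPerson"},
        "password": "user-secret"},
})
```

A user identifier containing a wildcard is escaped before substitution, so it can only match an entry whose attribute literally contains that character.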

Running an LDAP Management Tool

Run any LDAP management tool in order to use the new configuration. Run iisreset before running the management tool.

Chapter 4

Installation and Configuration Checklist

This section provides a checklist of the main tasks required to install, configure, and deploy SafeNet Authentication Manager.
In this chapter:
Step 1: Perform Pre-Installation Tasks
Step 2: Install SafeNet Authentication Manager
Step 3: Configure SafeNet Authentication Manager


Step 1: Perform Pre-Installation Tasks

Perform the following tasks before installing SafeNet Authentication Manager.

Order | Action | Reference
1. | Check system requirements. Install any prerequisite applications. | See Chapter 2: System Requirements, on page 9; System Requirements on page 9
2. | Deploy user store. Note: If you are using a Standalone user store, this is not required. See Configuring for Standalone User Store on page 94. | See Chapter 3: User Store Deployment, on page 19; User Store Deployment on page 19

Step 2: Install SafeNet Authentication Manager

Perform the following tasks to install SafeNet Authentication Manager.

SafeNet Authentication Client Configuration

Perform the following tasks to install SafeNet Authentication Manager in a SafeNet Authentication Client configuration.

Order | Action | Reference
1. | Install SafeNet Authentication Client. | See SafeNet Authentication Client Administrators Guide
2. | Install SafeNet Authentication Manager server component | Installing the SafeNet Authentication Manager Server on page 52
3. | Configure SafeNet Authentication Manager Server and required connectors | See Chapter 7: Basic Configuration, on page 85
4. | Install SafeNet Authentication Manager Management Tools component | Installing the SAM Management Tools on page 57
5. | Install SafeNet Authentication Manager Client component | Installing SAM Client Using the Installation Wizard on page 60

OTP Configuration

Perform the following tasks to install SafeNet Authentication Manager in an OTP configuration.

Order | Action | Reference
1. | Install SafeNet Authentication Manager server component (selecting the OTP installation option) | Installing the SafeNet Authentication Manager Server on page 52
2. | Configure SafeNet Authentication Manager Server | See Chapter 7: Basic Configuration, on page 85
3. | Install and configure the required OTP plug-ins | See the eToken OTP Authentication Administrator's Guide
4. | Configure RADIUS server | Configuring SAM IAS Plug-In on page 345
5. | Install SafeNet Authentication Manager Management Tools component | Installing the SAM Management Tools on page 57


Step 3: Configure SafeNet Authentication Manager

After the SafeNet Authentication Manager server is installed, it must be configured.

Order | Action | Reference
1. | Run the SafeNet Authentication Manager Configuration Settings Wizard to set the basic configuration | See Chapter 7: Basic Configuration, on page 85
2. | Use the SafeNet Authentication Manager Configuration Manager to configure the following (not necessarily in this order): Connectors, Roles and Tasks, Backend Services, License, Web Services, Display, Failover, Schema, Service account, Server Synchronization, HSM support | See Chapter 10: SAM Configuration Manager, on page 179
3. | Use the GPO Editor to propagate the SafeNet Authentication Manager Server name | See Propagating the SAM Server Name on page 66
4. | Use the TPO Editor to configure the following settings: General, Connectors, Enrollment, Certificate, Recovery, Workflow, Audit, SAM Backend Service, SAM Desktop Agent, MobilePASS, Badging | See Chapter 9: Token Policy Object Settings, on page 145


Chapter 5

Installation

This chapter describes the installation of SafeNet Authentication Manager.

Note:
See Upgrade and Migration on page 73 if SafeNet Authentication Manager or TMS is already installed on the computer.
If a message to restart your computer is displayed, either before or after the installation of SafeNet Authentication Manager, you must restart your computer.
In this chapter:
Installation Components
Installation Steps in an AD Environment
Installing the SafeNet Authentication Manager Server
Installing the SAM Management Tools
Installing SAM Client Using the Installation Wizard
Installing SAM Client Using the Command Line
Un-installation
Propagating the SAM Server Name
Duplicating a SAM Server


Installation Components

SAM Server
File: SAMServer-x32-8.0.msi or SAMServer-x64-8.0.msi
Description: Install SafeNet Authentication Manager on the required server. This must be a member server running IIS on which the SafeNet Authentication Manager web application will be installed. One or more such servers may be installed in the organization. Note: We recommend running a dedicated SafeNet Authentication Manager (IIS) server.

SAM Management Tools
File: SAMManagement-x32-8.0.msi or SAMManagement-x64-8.0.msi
Description: Install on every workstation from where the administrator will access the TPO editor.

SAM Client
File: SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi
Description: Install on every workstation where the Self Service Center or Management Center are to be used, or on any client where the SafeNet Desktop Agent is to be used.

SAM Schema Modification Scripts
File: SAMSchema-x32-8.0.msi
Description: If the user installing the SafeNet Authentication Manager Server does not have the permissions required for modifying the AD schema, the schema modification scripts must be installed before SafeNet Authentication Manager is configured. The scripts implement changes to the Active Directory (AD) schema required by SafeNet Authentication Manager.

SAM Portals
File: SAMPORTALS-x32-8.0.msi or SAMPORTALS-x64-8.0.msi
Description: The SAM Portals installation files are supplied separately.


Note:
We recommend configuring SafeNet Authentication Manager web sites using SSL. See Microsoft documentation for creating an SSL-protected virtual directory in IIS.

Silently Installed Component

ASP.NET AJAX is installed together with SafeNet Authentication Manager.
ASP.NET AJAX is a set of technologies to add AJAX (Asynchronous JavaScript And XML) support to ASP.NET.
AJAX is a group of interrelated web development techniques used for creating interactive web applications or rich internet applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing web page.
ADAM is installed when a Standalone user store (an integrated configuration store and user store) is installed, or when an external user store, such as Microsoft SQL Server, OpenLDAP or Novell eDirectory, is used.


Installation Steps in an AD Environment

SafeNet Authentication Manager can be installed in a single or multi-domain environment.

Installing in a Single Domain Environment

To install in a single domain environment:
1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
2. Install the SafeNet Authentication Manager server on a member server in your domain. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure the SafeNet Authentication Manager Server. (See Basic Configuration on page 85.)
4. Install Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)


Installing in a Multi Domain Environment

To install in a multi domain environment:
1. If Active Directory is used as the SafeNet Authentication Manager Configuration Store, and the user performing the SafeNet Authentication Manager installation does not have permissions to modify the AD schema, you must install and run the schema modification scripts on the domain controller. (See Installing and Running Schema Modification Scripts on page 48.)
2. Install the SafeNet Authentication Manager server on one member server in one of your domains. (See Installing the SafeNet Authentication Manager Server on page 52.)
3. Configure SafeNet Authentication Manager for every domain in the forest where you want SAM to be used.
4. Install SAM Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
5. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

Installing SAM in a Multi Forest Environment

To install SAM in a multi forest environment:
1. Install the SafeNet Authentication Manager server on one member server in one of your domains in one of the forests. (See Installing the SafeNet Authentication Manager Server on page 52.)
2. Configure SafeNet Authentication Manager (using Remote AD) for every domain in every forest where you want SafeNet Authentication Manager to be used (except the domain where the SafeNet Authentication Manager server is installed).
3. Install SafeNet Authentication Manager Management Tools on every client from which the administrator is required to access the TPO editor. (See Installing the SAM Management Tools on page 57.)
4. Install SafeNet Authentication Manager Client on every computer from which enrollment or any other token operation is to be performed using SafeNet Authentication Manager. (See Installing SAM Client Using the Installation Wizard on page 60.)

Installing and Running Schema Modification Scripts

Active Directory (AD) must be modified before it can be used as the SafeNet Authentication Manager Configuration Store.
If the user who installs SafeNet Authentication Manager has AD schema modification permissions, then AD is modified automatically during SafeNet Authentication Manager configuration.
If the user who installs SafeNet Authentication Manager does not have these permissions, the Schema Modification Scripts must be installed and run prior to setting the configuration.

Tip:
Install the schema modification scripts only if the user installing SafeNet Authentication Manager does not have permissions to modify the AD schema.
The scripts are installed using the SafeNet Authentication Manager Schema Modification Scripts Installation Wizard.


Installing the Schema Modification Scripts

Install the SafeNet Authentication Manager Schema Modification Scripts in the root domain before SafeNet Authentication Manager is configured.
To install the Schema Modification Scripts:
1. Run SAMSchema-x32-8.0.msi.
The Welcome to the SafeNet Authentication Manager Schema Modification Scripts Installation Wizard opens.
2. Click Next.
The License Agreement window opens.
3. Accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.

Note:
The default folder is:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin
or
C:\Program Files\SafeNet\Authentication\SAM\x64\Bin

5. Click Next.
The SafeNet Authentication Manager Schema Modification Scripts installation begins.
When the installation process is complete, the SafeNet Authentication Manager Schema Modification Scripts has been successfully installed window opens.
6. Click Finish to exit the installation wizard.
The installation process creates the VBScript file:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin\schemaInstall.vbs


Running the Schema Modification Scripts

Following the installation of the schema modification script, the script must be run.

Note:
To run the schema modification script, the permissions must allow changes to be made to the schema.
To run the schema modification script:
Run the following command:
Cscript.exe schemaInstall.vbs [domain name] /AD

For example:
Cscript.exe schemaInstall.vbs production.com /AD

Installing the SafeNet Authentication Manager Server

The SafeNet Authentication Manager server must be installed before the other components.

Note:
SafeNet Authentication Client should be installed on the computer where SafeNet Authentication Manager server is installed. This is not required if SafeNet Authentication Manager is used only for OTP authentication. See SAM Management Tools System Requirements on page 13.
The SafeNet Authentication Manager Server Installation Wizard and SafeNet Authentication Manager Configuration Settings Wizard enable you to install SafeNet Authentication Manager Server and create a basic configuration. When the SafeNet Authentication Manager Server Installation Wizard completes the installation process, it launches the SafeNet Authentication Manager Configuration Settings Wizard.
To install and configure the SafeNet Authentication Manager Server:
1. Double-click SAMServer-x32-8.0.msi (32-bit) or SAMServer-x64-8.0.msi (64-bit).
The SafeNet Authentication Manager Server Installation Wizard opens.
2. Click Next.
The License Agreement window opens.
3. Select I accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next.
The installation process starts.
On completion of the installation process, the successfully installed window opens.
6. Click Finish.

Note:
If you ran the installation from the command line, the SafeNet Authentication Manager Configuration Settings Wizard does not open automatically.
The SafeNet Authentication Manager Configuration Settings Wizard window opens.
The SAM Configuration Settings Wizard enables you to set up a basic configuration that can be fine-tuned later using the SafeNet Authentication Manager Configuration Manager.

Tip:
We recommend completing the SafeNet Authentication Manager configuration at this time so that you can start working with the application. However, the configuration can be performed later using the SafeNet Authentication Manager Configuration Manager.
7. To continue with the SafeNet Authentication Manager Configuration Settings Wizard, click Next, or to exit, click Cancel.
For a description of the SafeNet Authentication Manager Configuration Settings Wizard, see the following:
Configuring for Active Directory on page 86
Configuring for Standalone User Store on page 94
Configuring for OpenLDAP, Novell eDirectory or Remote AD on page 102
Configuring for MS SQL Server on page 115


Installing the SAM Management Tools

Install the SAM Management Tools on every workstation where the administrator will need to use the TPO Editor.
To install SAM Management Tools:
1. Double-click SAMManagement-x32-8.0.msi (32-bit) or SAMManagement-x64-8.0.msi (64-bit).
The SAM Management Tools Installation Wizard opens.
2. Click Next.
The License Agreement window opens.
3. Select I accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next.
The installation process starts.
On completion of the installation process, the successfully installed window opens.
6. Click Finish.
SAM Management Tools has been installed.
The SAM Management Tools must be connected to the SAM server. See Propagating the SAM Server Name on page 66.


Installing SAM Client Using the Installation Wizard

Install SafeNet Authentication Manager Client on every computer from which enrollment or any other eToken operation is to be performed using SAM.

Note:
SafeNet Authentication Manager Server 8.0 supports TMS Client 2.0 and later. However, when the SafeNet Authentication Manager server is updated, we recommend updating SafeNet Authentication Manager Client to the same version to avoid compatibility issues.
To install SafeNet Authentication Manager Client:
1. Double-click SAMClient-x32-8.0.msi (32-bit) or SAMClient-x64-8.0.msi (64-bit).
The SafeNet Authentication Manager Client Installation Wizard opens.
2. Click Next.
The License Agreement window opens.
3. Select I accept the license agreement and click Next.
The Destination Folder window opens, displaying the default installation folder.
4. If there are no other SafeNet authentication applications or legacy eToken applications installed, you can click Browse to select a different destination folder. Otherwise, the destination folder cannot be changed.
This folder will be used as the installation library for all future SafeNet authentication application installations.
5. Click Next.
The Select Installation Type window opens.
6. Select one of the following installation types:
Typical: Includes the SAM Desktop Agent
Complete: Includes the SAM Desktop Agent and the legacy TMS Desktop Agent.

Note:
The legacy TMS Desktop Agent is required for installations where previous TMS Client installations are still supported.
7. Click Next.
The installation proceeds.
On completion of the installation process, the successfully installed window opens.
8. Click Finish.
SafeNet Authentication Manager Client has been installed.

Installing SAM Client Using the Command Line

To install, remove or repair SafeNet Authentication Manager Client using the command line, copy the msi file (SAMClient-x32-8.0.msi or SAMClient-x64-8.0.msi) to any location on the client computer and use the standard Windows Installer msiexec syntax, as in the following example:
msiexec /i C:\SAMClient-x32-8.0.msi /qn

where:
SAMClient-x32-8.0.msi is the 32-bit SafeNet Authentication Manager Client installation file. For 64-bit, use SAMClient-x64-8.0.msi.
Parameters:
i = install
x = remove
f = repair
qn = displays no user interface (silent)
qb = displays a basic user interface (progress bar)

Un-installation

Perform the following steps to delete SafeNet Authentication Manager from Active Directory and from the server computer.

WARNING!
If you want to keep using the SafeNet Authentication Manager Configuration Store, for example, after upgrading or replacing the SafeNet Authentication Manager server, you must back up your SafeNet Authentication Manager Settings file before uninstalling.

Removing SAM Server from the Computer

To remove the SafeNet Authentication Manager server from the computer:
1. Uninstall SafeNet Authentication Manager using the Windows Add/Remove Programs feature.
2. If the SafeNet Authentication Manager Authorization Management store was in the format of an XML file, delete the roles.xml file.

Note:
The actual file name is based on the actual domain name.
3. Delete the SAM folder from the SafeNet Authentication Manager installation folder.
For example: C:\Program Files\SafeNet\Authentication\
4. In the registry, browse to
HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAM
and delete the SAM key.


Removing SAM from the Domain

1. Open Active Directory Users & Computers, and select View > Advanced Features.
2. Expand the domain, and delete the SAM_DB container.
The SafeNet Authentication Manager database is deleted.
3. Delete SAM.
The SAM Authorization Management store is deleted (if the SAM Authorization Management store was located in AD).
4. Delete the following two files:
schema.demo.xml
domain.xml
The files are located in:
C:\Documents and Settings\All Users\Application Data\SafeNet\Authentication
5. In a multi-domain environment, perform step 2, step 3, and step 4 for each domain that is managed by SafeNet Authentication Manager.

Note:
Schema changes are one-way and cannot be deleted. This is determined by the AD architecture.


Propagating the SAM Server Name

The SafeNet Authentication Manager Server name should be known to all domain users. This can be done using the Administrative Templates (ADM) file. This file allows the users to handle the registration keys of the entire domain.
SafeNet Authentication Manager provides the ADM file to propagate the SAM Server name to all the domain users.
To propagate the SafeNet Authentication Manager Server name:
1. In the Windows Control Panel select Administrative Tools > Active Directory Users and Computers.
The Active Directory Users and Computers window opens.
2. In the navigation pane, right-click the domain and select Properties from the drop-down menu.
The Properties window opens.
3. Select the Group Policy tab.
4. Click Edit.
The GPO Editor opens.
5. Right-click Administrative Template in the navigation pane and click Add/Remove Templates...
The Add/Remove Templates window opens.
6. Click Add and navigate to the folder in which the SafeNet Authentication Manager (adm) files are stored.
For example:
C:\Program Files\SafeNet\Authentication\SAM\x32\Adm\SAM.adm
7. Click Open.
You are returned to the Add/Remove Templates window.
8. Click Close.
The SafeNet Authentication Manager Settings folder appears in the Administrative Templates folder.
9. In the GPO Editor, select Computer Configuration > Administrative Templates > Token Management System Settings.
The Token Manager System Settings window opens.
The right pane of the SAM Settings window displays all the server settings.
10. To change a setting, right-click the setting icon, select Properties, and make the required changes as follows:

Settings:
Default SAM server: The URL of the default server in the organization. The URL uses the following syntax: http://computername, where computername is the computer where IIS and SAM Server are located.
TPO server: The URL of the server running the TPO editor web service. Use this setting only if it differs from the default SAM server.
Desktop Agent server: The URL of the server running the SAM Desktop Agent web service. Use this setting only if it differs from the default SAM server.
HelpDesk server: The URL of the server running the SAM Management Center. Use this setting only if it differs from the default SAM server.
Proxy server: The address/port of the proxy server in the format proxy:port. If port is omitted, the default port (80) will be used. If empty, no proxy is used and all other proxy parameters are ignored. If set to <CURRENT_USER>, the settings will be taken from Internet Explorer.
Proxy user: Proxy username, if required.
Proxy Password: Proxy password, if required.

Note:
The settings are updated during the next group policy update. To run a group policy update immediately, run the following command: gpupdate /force

Duplicating a SAM Server

To duplicate a SafeNet Authentication Manager Server:
1. Install a new SafeNet Authentication Manager Server.
2. Export the SafeNet Authentication Manager Settings File from the original SafeNet Authentication Manager Server to the duplicate SAM Server.

Notes:
The SAM Service Account must have the same password on all computers.
We recommend restarting IIS to ensure that unrequired cached data is removed.
After completing the configuration, it might be necessary to wait a short time before logging on to the SAM Management Center or SAM Policy Management.


Licensing a Duplicate Server

The original SafeNet Authentication Manager Server functions as the licensing server. Each additional server uses the same licensing pool. See Licensing on page 293.


Chapter 6

Upgrade and Migration

WARNING!
We strongly recommend that you perform a backup of all SAM data before upgrading to SafeNet Authentication Manager 8.0.
In this section:
Upgrading to SAM 8.0 Server
Upgrading to SAM 8.0 Client
Upgrading to SAM 8.0 Management Tools
Migrating from TMS 2.0 in an OpenLDAP Environment
Migrating from TMS 2.0 with a Shadow Domain
Migrating from SafeWord to SafeNet Authentication Manager 8.0


Upgrading to SAM 8.0 Server

SafeNet Authentication Manager 8.0 supports upgrade from TMS 2.0 SP4 Server.
SafeNet Authentication Manager 8.0 Server must be installed on a different computer to the TMS version being upgraded, or alternatively, the previous version must be uninstalled (TMS data is not removed when TMS 2.0 is uninstalled). After SafeNet Authentication Manager 8.0 Server is installed, run the configuration wizard and connect to the existing TMS User Store and Configuration Store.

WARNING!
We strongly recommend that you perform a backup of all TMS data before upgrading to SafeNet Authentication Manager 8.0.
We strongly recommend installing SafeNet Authentication Manager 8.0 on a different computer to the existing installation of TMS.
To upgrade from TMS to SafeNet Authentication Manager 8.0:
1. Do one of the following:
If the roles are stored in an XML file, copy the XML file to a shared folder on the network or copy it to the computer where SafeNet Authentication Manager 8.0 is to be installed.
If ADAM is used as the configuration store, replicate it on the new SafeNet Authentication Manager 8.0 Server computer.
2. Install SafeNet Authentication Manager 8.0 on a different computer to the existing installation of TMS 2.0.
3. Configure SafeNet Authentication Manager 8.0 to connect it to the same configuration and user stores used by TMS 2.0.

Note:
When running the SAM Configuration Settings Wizard for the first time after installing SafeNet Authentication Manager 8.0, you will be prompted to import the TMS Settings File if it is not present on the SafeNet Authentication Manager 8.0 computer. See Importing the SAM Settings File on page 183.
4. To obtain all required SafeNet Authentication Manager 8.0 features, reconfigure SafeNet Authentication Manager 8.0 as required, and if relevant, reconfigure the OTP plug-ins. (See eToken OTP Authentication Administrator's Guide.)

Note:
You may need to upgrade your SafeNet Authentication Manager license to support all features in SafeNet Authentication Manager 8.0. To ensure that your license is valid, see Viewing Licenses on page 295. To add a license, see Applying a License on page 296.

Upgrading to SAM 8.0 Client


To upgrade TMS Client 2.0 or 5.0 to SAM 8.0 Client:

Install SafeNet Authentication Manager 8.0 Client on the client computer. See Installing SAM Client Using the Installation Wizard on page 60 or Installing SAM Client Using the Command Line on page 63. TMS Client version 2.0 or 5.0 is upgraded automatically.

Upgrading to SAM 8.0 Management Tools


To upgrade TMS Management Tools version 2.0 or 5.0 to SAM 8.0 Management Tools:

Install SAM 8.0 Management Tools. See Installing the SAM Management Tools on page 57. TMS Management Tools version 2.0 or 5.0 is upgraded automatically.


Migrating from TMS 2.0 in an OpenLDAP Environment


When migrating from TMS 2.0 to SafeNet Authentication Manager 8.0 in an OpenLDAP environment, do not use the original instance name. The instance name must be taken from the SafeNet Authentication Manager database, such as dc_mydomain_dc_com in the following example:

Migrating from TMS 2.0 with a Shadow Domain


If your installation of SAM 2.0 uses a shadow domain, this must be migrated to AD or ADAM in SafeNet Authentication Manager 8.0.

Tip:
We recommend contacting SafeNet Support before performing this procedure. For contact information, see Support on page iii.


Migrating from SafeWord to SafeNet Authentication Manager 8.0


Migration of data from SafeWord to SAM is performed in two stages:
1. Export a file of encrypted data from the SafeWord database.
2. Import the SafeWord data file into SAM.

Notes:
Before starting the migration process, ensure that the order for entering the OTP and the PIN is the same for both SAM and SafeWord. This setting is determined in SAM by configuring the following TPO: OTP and OTP PIN/Windows password order. (See TMS OTP Authentication Connector on page 286.)
During the migration from SafeWord, all lowercase letters in user passwords are converted to uppercase letters. Instruct your users to enter letters in their password in uppercase only.

Exporting Data from the SafeWord Database


When the SafeWord database is Active Directory, the exported data includes only token data. When the SafeWord database is not Active Directory (for example, MySQL), the exported data includes both user and token data. Use the Export SafeWord Database Tool (ExportSafewordDatabase.exe) to export data from SafeWord. The tool is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

To run the Export SafeWord Database Tool, the following must be installed:

JRE 1.5 or later
MySQL


To export data from the SafeWord database:
1. Copy the ExportSafewordDatabase.exe file to SafeWord/JRE/BIN, and run the application. The Export SafeWord Database window opens.
2. Enter the fields as follows:

   Field                    Description
   Server name              The name of the SafeWord server
   Port number              The port number of the SafeWord server
   User name                SafeWord Administrator username
   User Password            SafeWord Administrator password
   File encrypted password  Enter a password for the encrypted file
   Confirm password         Confirm the password for the encrypted file

3. Click Export Database. The export process proceeds. When the process is complete, the SafeWord database exported successfully window opens.
4. Click OK. The location of the exported file is displayed in the Export database status field.
5. Click Close to complete the process.


Importing SafeWord Data into SAM


The file containing data exported from SafeWord (ExportedEncDB.ldif) must now be imported into SAM using the SAM SafeWord Migration Tool (SAMSafewordMigrationWizard.exe). The tool is located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Bin

To import SafeWord data into SafeNet Authentication Manager:
1. Place the exported SafeWord data file (ExportedEncDB.ldif) on the computer running the SAM Server. Run SAMSafewordMigrationWizard.exe. The SAM SafeWord Migration Tool opens.
2. Click Next. The Migration Sources window opens.
3. Select Full Migration and browse to the exported SafeWord database file (ExportedEncDB.ldif).
4. In the File encrypted password field, enter the password of the SafeWord database file.

Note:
The partial migration option is used when some of the tokens did not export from SafeWord. In this case, a SafeWord SAM Migration Report is created. To perform a partial migration, select Partial Migration and browse to the report file.

5. Click Next. If the SafeWord data includes added attributes (relevant only in a non-AD environment) the SafeWord Personalization Data window opens, displaying the added SafeWord attributes.
6. In the dropdown box next to each SafeWord attribute, select the equivalent SAM attribute.
7. Click Next. The Override Flags window opens.
8. Determine the required override policy by selecting one of the following options:
   Never override the existing object
   Always override the existing object
   Override the existing object with a newer one
9. Click Next. The Report File window opens.
10. Browse to the appropriate location for saving the report file. The report file is used to store SafeWord data that is not successfully migrated. The report file can later be used to migrate data that was not migrated successfully, by selecting Partial Import in the Migration Sources window. See step 2 on page 80.
11. Click Next. The Begin Migration window opens.
12. Click Next. The migration proceeds. When the migration is complete, the Migration Completed window opens. If the migration fails, an appropriate message is displayed in the Migration Completed window.
13. Click Finish to exit the migration wizard.

Chapter 7

Basic Configuration
The SafeNet Authentication Manager Configuration Settings Wizard enables you to create the basic SafeNet Authentication Manager configuration. The configuration steps vary according to the user store being used. After using the SafeNet Authentication Manager Configuration Settings Wizard to set up the basic configuration, you can make additional changes using the SAM Configuration Manager (page 179) and SAM Policy Management (page 121).

In this section:

Configuring for Active Directory
Configuring for Standalone User Store
Configuring for OpenLDAP, Novell eDirectory or Remote AD
Configuring for MS SQL Server


Configuring for Active Directory


To configure SafeNet Authentication Manager for AD:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
   a. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager. The SafeNet Authentication Manager Configuration Manager opens.
   b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General > New Configuration...
   The SafeNet Authentication Manager Configuration Settings Wizard window opens.
2. Click Next to start the configuration. The SAM User Store Configuration window opens.
3. Select External user store. The User Store window opens.
4. Select Microsoft Active Directory. The user store is Microsoft Active Directory located in the production domain. The Microsoft Active Directory Domain window opens.
5. Enter the domain where the tokens will be managed, and click Next. The Data Storage window opens.
6. Select one of the following as the SafeNet Authentication Manager Configuration Store, and click Next:
   Microsoft Active Directory
   ADAM
   The Service Account window opens.
7. In the Username field, enter the Windows user account to be used for managing SAM operations.

Note:
It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors. See User Permissions on page 309.

8. In the Password and Confirm Password fields, enter the password for the account, and click Next. The Configuration Store Security window opens. The Configuration Type window opens.
9. Select one of the following:
   Complete configuration - Select to continue with the basic setup
   Simplified OTP-only configuration - Select to create a typical configuration for managing OTP tokens only

Simplified OTP-Only Installation

If you selected Simplified OTP-only configuration, SafeNet Authentication Manager is automatically configured with a typical OTP configuration providing a working SafeNet Authentication Manager OTP solution. The simplified OTP-only configuration is as follows:
Connectors - SAM OTP Authentication Connector is installed.
SAM Backend Service - Activated on this server, scheduled to operate every 24 hours.
Attendance reports - Not used (not relevant for OTP tokens).
In addition, the SAM default policy is set as follows:
Load OTP support (required for OTP) is selected in the token initialization settings.
The SAM OTP Authentication Connector is set by default to enable enrolment of OTP tokens without requiring changes in the TPO settings.

The Configuration Details window opens.

10. To confirm the configuration details, click Next. The installation proceeds.
11. When the installation has finished, click Next. The Configuration Completed window opens.
12. To configure additional SAM settings, open SAM Policy Management. See Token Policy Object Links on page 121.


Configuring for Standalone User Store


When configuring SafeNet Authentication Manager for an internal store, an ADAM directory is used for both the user store and configuration store. If ADAM is not installed on the computer, it is installed during the configuration process.

To configure SafeNet Authentication Manager for Standalone user store:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
   a. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager. The SafeNet Authentication Manager Configuration Manager opens.
   b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General > New Configuration...
   The SAM Configuration Settings Wizard window opens.
2. To start the configuration, click Next. The User Store Configuration window opens.
3. Select Standalone user store. The Instance Type window opens.
4. Select one of the following:
   Create a new database instance on this server
   Create a replica of an existing database instance - Select when you are installing secondary SAM Servers. To use this option you must previously have created an XML file of import settings using the SAM Configuration Management Tool.
5. If you selected Create a new database instance on this server, go to step 7. If you selected Create a replica of an existing database instance, the Settings File window opens.
6. Click Browse to select the file containing the import settings (typically SAMSettingsExport.xml), enter the password in the File Password field and click Next. The Service Account window opens.
7. In the Username field, enter the Windows user account to be used for managing SafeNet Authentication Manager operations.

Note:
It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors. See User Permissions on page 309.

8. In the Password and Confirm Password fields enter the password for the account and click Next.

Note:
SafeNet Authentication Manager does not support a password length of zero, even if the computer's local policy is configured to accept a minimum password length of zero.

The Authorization Manager Account window opens.
9. In the Username field, enter a name for the user account.
10. In the Password and Confirm Password fields enter the password for the account and click Next. The Configuration Store Security window opens.
11. Do one of the following:
   To store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Module (HSM), select Generate and store security keys in the SafeNet HSM and click Next.
   To store the SafeNet Authentication Manager security keys on the server, click Next without selecting Generate and store security keys in the SafeNet HSM.
   The Configuration Type window opens.
12. Select one of the following and click Next:
   Complete configuration - Select to continue with the basic setup of Connectors, Role Management and SAM Backend Service scheduling and Attendance Reports.
   Simplified OTP-only configuration - Select to create a typical configuration for OTP.
   The Configuration Details window opens.
13. To confirm the configuration details, click Next. The installation proceeds.
14. When the installation has finished, click Next. The Configuration Completed window opens.


Configuring for OpenLDAP, Novell eDirectory or Remote AD


To configure SafeNet Authentication Manager for OpenLDAP, Novell eDirectory or Remote AD:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
   a. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager. The SafeNet Authentication Manager Configuration Manager window opens.
   b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General > New Configuration.
   The SAM Configuration Settings Wizard window opens.
2. To start the configuration, click Next. The User Store Configuration window opens.
3. Select External user store and click Next. The User Store window opens.
4. Select OpenLDAP Production Domain, Novell eDirectory or Microsoft Remote Active Directory Domain. The OpenLDAP Directory, Novell eDirectory or Microsoft Remote Active Directory window opens. (The windows are identical except for the title.)
5. Click Browse next to the Select Directory field. The Select OpenLDAP, Novell eDirectory or Remote AD Server window opens. (The windows are identical except for the title.)
6. Enter the fields as follows:

   Field                                     Description
   Server                                    Enter the IP address of the directory server.
   Port                                      Enter the directory server port. This is determined when the directory is configured.
   Naming Context                            Click Browse and select the required naming context.
   Simple Binding, using an anonymous user   Select this option to connect to the directory server without a user and password. This is possible only if this option is enabled in the system.
   Simple Binding, using the following user  Select this option to connect to the directory server using the User DN and Password. Enter the User DN and Password in the appropriate fields.
   Use a secure connection                   If OpenLDAP is configured to run in a secure mode, select this option to encrypt the data to be transferred.

7. Click OK. You are returned to the OpenLDAP Directory/Novell eDirectory/Microsoft Remote Active Directory window.
8. In the Instance name field, enter an instance name and click Validate. Define an instance name that is unique for each SafeNet Authentication Manager configuration on the same SAM server. The connection to the OpenLDAP/eDirectory is validated.
9. You can change the schema configuration if the default attributes are not suitable for your requirements. To make changes to the default schema, click Edit Default Schema. The Edit User Repository Schema window opens.

WARNING!
Changing the schema can cause SafeNet Authentication Manager to behave unpredictably. We recommend against changing the default schema configuration unless it is absolutely necessary.

10. Make the required changes to the schema and click Close.
11. Click Next. The Authentication Plug-In window opens.

Note:
The Authentication plugin file is required to enable the user to log on to the SAM Management Center, the SAM Self Service Center and TPO. This is because Active Directory is not available to provide the mechanism for authenticating username and password. See Preparing LDAP Authentication Dll on page 29.

12. Click Browse and navigate to the authentication dll file (LDAPAuthentication.dll) and click Open.

Notes:
Remote AD uses the same authentication dll as OpenLDAP.
The authentication dll file is typically located at: C:\Program Files\SafeNet\Authentication\SAM\x32\AuthPlugin.

You are returned to the Authentication Plug-In window.
13. Click Next. The ADAM Instance window opens.
14. To create a new ADAM instance, select SafeNet Authentication Manager creates a new ADAM instance on the local computer.
15. To use an existing ADAM instance, do the following:
   Select SafeNet Authentication Manager uses an existing ADAM instance.
   In the ADAM server field, enter the name of the server where ADAM is located.
   In the ADAM service port number field, enter the ADAM port number.
16. Click Next. The SAM Services Account window opens.
17. In the Username field, enter the Windows user account to be used for managing SafeNet Authentication Manager operations.

Note:
It is not mandatory that the account be an administrator account, but there must be sufficient permissions to run the connectors.

18. In the Password and Confirm Password fields enter the password for the account and click Next. The Authorization Manager Account window opens.
19. In the Username field, enter a user who is authorized to manage SafeNet Authentication Manager and click Next.

If you click the Browse button for the Username field, the Select User or Group window opens.
   1. Enter a user name in the Enter the object name to select field and click Check Names.
   2. If more than one match is found for the entered name, a list of matching names is displayed.
   3. Select the required name and click OK. The selected user is displayed in the Enter the object name to select field.
   4. Click OK. The selected user is displayed in the Authorization Manager Account window, Username field.
   5. Click Next.

The Configuration Store Security window opens.
20. Do one of the following:
   To store the SafeNet Authentication Manager security keys on the SafeNet Hardware Security Module (HSM), select Generate and store security keys in the SafeNet HSM and click Next.
   To store the SafeNet Authentication Manager security keys on the server, click Next without selecting Generate and store security keys in the SafeNet HSM.
   The Configuration Type window opens.
21. Select one of the following and click Next:
   Complete configuration - Select to continue with the basic setup of Connectors, Role Management and SAM Backend Service scheduling and Attendance Reports.
   Simplified OTP-only configuration - Select to create a typical configuration for OTP. See Simplified OTP-Only Installation on page 91.
22. Click Next. The Configuration Details window opens.
23. To confirm the configuration details, click Next. The installation proceeds.
24. When the installation has finished, click Next. The Configuration Completed window opens.


Configuring for MS SQL Server


To configure SafeNet Authentication Manager for MS SQL Server:
1. The SAM Configuration Settings Wizard is launched directly from the SAM 8.0 Server Installation Wizard. (See Installing the SafeNet Authentication Manager Server on page 52.) It can also be launched manually, as follows:
   a. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager. The SafeNet Authentication Manager Configuration Manager window opens.
   b. If no configuration exists, the SAM Configuration Settings Wizard opens automatically. Otherwise, select General > New Configuration.
   The SafeNet Authentication Manager Configuration Settings Wizard window opens.
2. To start the configuration, click Next. The User Store Configuration window opens.
3. Select External user store and click Next. The Production Type window opens.
4. Select Microsoft SQL and click Next. The Microsoft SQL window opens. You can connect to the SQL Server by selecting the SQL Server name or, alternatively, you can connect through an ODBC connection.

Tip:
For information about creating an ODBC connection, refer to Microsoft documentation.

5. To connect to the SQL Server, select SQL Server and click Browse. The SQL Server window opens.
6. In the Select server name field, select the required server from the list.
7. Select one of the following:
   Use Windows Authentication
   Use SQL Server Authentication (if selected, enter user name and password)
8. In the Select a database name field, select the required database from the list and click OK. You are returned to the Microsoft SQL window.

To connect through ODBC:
   1. Select ODBC and click Browse. The Select ODBC Data Source window opens.
   2. Select the required ODBC data source and click OK. You are returned to the Microsoft SQL window.

9. In the Microsoft SQL window click Validate. The system validates the connection and returns the instance name.
10. Click Next. The Authentication Plugin window opens.
11. Click Browse and navigate to the authentication dll file (SQLAuthentication.dll) and click Open. The remaining steps are the same as described for the OpenLDAP configuration.
12. Continue from step 12 on page 108.


Chapter 8

Token Policy Object Links


TPO settings determine the SafeNet Authentication Manager behavior for users in specific organizational units.

In this section:

Accessing Token Policy Object Links
Creating a New TPO Link
Adding a TPO Link
Deleting a TPO Link
Specifying the Scope of a TPO Link
Importing and Exporting Token Policy Objects


Accessing Token Policy Object Links


Depending on the type of SafeNet Authentication Manager user store, the TPO settings are managed using the Active Directory Users and Computers administrative tool, or through SAM Policy Management.

Accessing TPO Links in an AD Environment


If you are using Microsoft AD as your external user store, the SafeNet Authentication Manager policy settings are accessed using the Active Directory Users and Computers administrative tool.

Note:
To access the TPO Editor, you must have the necessary permissions to the SafeNet Authentication Manager Authorization Management Store.

To access a TPO Link in an AD Environment:
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window opens.
2. In the navigation pane, right-click the domain or organizational unit associated with the TPO, or to which you want to assign the TPO, and select Properties from the dropdown menu. The Properties window opens.
3. Select the Token Policy tab, and click Open. The Current Token Policy Object Links window opens.
4. For available options:
   See Creating a New TPO Link on page 130
   See Adding a TPO Link on page 132
   See Deleting a TPO Link on page 133
   See Specifying the Scope of a TPO Link on page 133
   See Using the Token Policy Object Editor to Edit TPOs on page 146


Accessing TPO Links in a Non-AD Environment


If you are using MS SQL Server, OpenLDAP, Novell eDirectory or Remote AD as your external user store, or are using a standalone user store, the SafeNet Authentication Manager policy settings are accessed using SafeNet Authentication Manager Policy Manager.

To open SafeNet Authentication Manager - Policy Manager in a non-AD environment:
1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Policy Management. The SafeNet Authentication Manager Policy Manager window opens.
2. Right-click the SAM Policy Manager node, and select Connect to Instance.
3. If prompted, enter the name of your SafeNet Authentication Manager Server, and click OK. The Policy Manager displays the domain and its organizational units (OU).
4. Right-click the root or organizational unit associated with the TPO, or to which you want to assign the TPO, and select Properties from the dropdown menu. The Current Token Policy Object Links window opens.
5. For available options:
   See Creating a New TPO Link on page 130
   See Adding a TPO Link on page 132
   See Deleting a TPO Link on page 133
   See Specifying the Scope of a TPO Link on page 133
   See Using the Token Policy Object Editor to Edit TPOs on page 146


Accessing TPO Links in a Standalone User Store Environment


If you are using a standalone user store, the SafeNet Authentication Manager policy settings are accessed using SafeNet Authentication Manager Policy Manager.

To open SAM Policy Management in a standalone user store environment:
1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Policy Management.
2. Select Action > Connect to instance. SafeNet Authentication Manager Policy Manager connects to the SafeNet Authentication Manager Server, and the Authentication window opens.
3. Enter the SafeNet Authentication Manager administrator username and password, and click OK. The instance is displayed.
4. Right-click the root or organizational unit associated with the TPO, or to which you want to assign the TPO.
5. Select Properties from the dropdown menu. The Current Token Policy Object Links window opens.
6. For available options:
   See Creating a New TPO Link on page 130
   See Adding a TPO Link on page 132
   See Deleting a TPO Link on page 133
   See Specifying the Scope of a TPO Link on page 133
   See Using the Token Policy Object Editor to Edit TPOs on page 146


Creating a New TPO Link


When you create a new TPO link, only its required policies are enabled. These are determined by the type of tokens that are available to the OU's users.

To create a new TPO link:
1. In the Current Token Policy Object Links window, click New (See Accessing Token Policy Object Links on page 122). The Token Type Selection window opens.
2. Select the type of token to which the policy will be applied:
   All Tokens: (Default) contains all policies
   MobilePASS: contains policies relevant to MobilePASS only
   SafeNet eToken Virtual Temp: contains policies relevant to SafeNet eToken Virtual Temp only
   MobilePASS Messaging: contains policies relevant to MobilePASS Messaging only

Note:
By default, the SafeNet Authentication Manager configuration creates a Default policy TPO, linked to the root, that is defined as All Tokens.

A new Token Policy Object link is added to the Token Policy Object Links.
3. Enter a name for the new TPO link, and click OK.

Note:
The default name assigned to a new TPO link is determined by the token type to which it applies. We recommend changing the names of new TPO links to meaningful names.


Adding a TPO Link


You can add a link to an existing TPO.

To add a link to an existing TPO:
1. In the Current Token Policy Object Links window, click Add. The Add TPO Link window opens, displaying the TPOs found in the root or OU.

Note:
All TPOs are displayed, regardless of whether they are already linked to a root or OU. You can link the same TPO to multiple roots or OUs.

2. Select the TPO to link to the current OU or root, and click OK.


Deleting a TPO Link


You can delete a link from the OU to an existing TPO, and also delete the TPO from the root or OU.

To delete a TPO link:
1. In the Current Token Policy Object Links window, select the policy to delete, and click Delete. The Delete window opens.
2. Select one of the following, and click OK.
   Remove the link from the list: deletes the link from the current OU's TPO. The link remains available in the system.
   Remove the link from the list, and permanently delete the Token Policy Object: deletes the link entirely from the system.

Specifying the Scope of a TPO Link


The following describes the standard TPO behavior:

Each policy setting applies to all users of the root or OU linked to the TPO.
If a policy setting is not defined for a child OU, the rule defined for its parent container (OU or root) applies.

You can control the scope of the TPO rules by doing the following:

Set TPO link No Override and Disabled options. See Setting No Override and Disabled Options on page 136.
Block policy inheritance. See Blocking Policy Inheritance on page 137.
Apply TPO links only to certain users and groups. See Applying TPO Links to Limited Users and Groups on page 138.

TPO Inheritance Behavior


You can define unique TPO settings for each container.
Use the No Override setting to force policy inheritance.
Use the Block policy inheritance setting to restrict policy inheritance.
The following tables determine which TPO setting applies to a child container.

Standard TPO Scope
Table shows which setting applies to a child container

                                 Setting Defined in Child   Setting Not Defined in Child
  Setting Defined in Parent      Child setting              Parent setting
  Setting Not Defined in Parent  Child setting              SafeNet Authentication Manager default

Options > No Override in Parent TPO
Table shows which setting applies to a child container

                                 Setting Defined in Child   Setting Not Defined in Child
  Setting Defined in Parent      Parent setting             Parent setting
  Setting Not Defined in Parent  Child setting              SafeNet Authentication Manager default

Block Policy Inheritance in Child TPO
Table shows which setting applies to a child container

                                 Setting Defined in Child   Setting Not Defined in Child
  Setting Defined in Parent      Child setting              SafeNet Authentication Manager default
  Setting Not Defined in Parent  Child setting              SafeNet Authentication Manager default

Note:
Block Policy does not apply if No Override is set in the parent container.

Options > Disabled in Parent TPO
Table shows which setting applies to a child container

                                 Setting Defined in Child   Setting Not Defined in Child
  Setting Defined in Parent      Child setting              SafeNet Authentication Manager default
  Setting Not Defined in Parent  Child setting              SafeNet Authentication Manager default

Options > Disabled in Child TPO
Table shows which setting applies to a child container

                                 Setting Defined in Child   Setting Not Defined in Child
  Setting Defined in Parent      Parent setting             Parent setting
  Setting Not Defined in Parent  SafeNet Authentication Manager default   SafeNet Authentication Manager default

Properties > Deny Group or User in Child TPO
Table shows which setting applies to a child container

                                 Setting Defined in Child   Setting Not Defined in Child
  Setting Defined in Parent      Parent setting             Parent setting
  Setting Not Defined in Parent  SafeNet Authentication Manager default   SafeNet Authentication Manager default
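The six tables above collapse into one resolution rule. The Python function below is an added example, not SafeNet code: it encodes the tables' outcomes for a parent and child container so an administrator can check what a user in the child will actually get. The TpoLink class, its flag names and the sample policy names are assumptions; combinations the tables do not cover (for example, Block policy inheritance on a child link that is itself Disabled) are resolved in the stated priority order, with No Override in the parent ranked above Block Policy Inheritance in the child.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

SAM_DEFAULT = "SafeNet Authentication Manager default"


@dataclass
class TpoLink:
    """A TPO link on one container (root or OU). Field names are assumed, not SAM's."""
    settings: Dict[str, str] = field(default_factory=dict)  # policy name -> value
    no_override: bool = False        # Options > No Override
    block_inheritance: bool = False  # Block policy inheritance (set on the child)
    disabled: bool = False           # Options > Disabled
    apply_denied: bool = False       # Properties > Apply to = Deny for the user evaluated


def effective_setting(policy: str, parent: TpoLink, child: TpoLink) -> str:
    """Return the value of `policy` that applies to users of the child container,
    following the TPO scope tables in this chapter."""
    # Disabled in Parent TPO: the parent contributes nothing.
    parent_value: Optional[str] = None if parent.disabled else parent.settings.get(policy)
    # Disabled in Child TPO, or Apply to = Deny for this user: the child link is
    # treated as if it defined nothing, so the parent's value (or the default) applies.
    child_ignored = child.disabled or child.apply_denied
    child_value: Optional[str] = None if child_ignored else child.settings.get(policy)

    # No Override in the parent: a value defined in the parent always wins,
    # and Block policy inheritance in the child does not apply (see the Note).
    if parent.no_override and parent_value is not None:
        return parent_value
    # Standard scope: a setting defined in the child applies to the child.
    if child_value is not None:
        return child_value
    # Nothing usable in the child: Block policy inheritance stops the parent's
    # value from flowing down and falls back to the SAM default. (Assumption: the
    # block is an OU-level setting, so it still applies when the child link is Disabled.)
    if child.block_inheritance:
        return SAM_DEFAULT
    # Otherwise inherit the parent's value, or the SAM default if none is defined.
    return parent_value if parent_value is not None else SAM_DEFAULT


def effective_policy(parent: TpoLink, child: TpoLink) -> Dict[str, str]:
    """Resolve every policy named in either link."""
    names = sorted(set(parent.settings) | set(child.settings))
    return {name: effective_setting(name, parent, child) for name in names}


if __name__ == "__main__":
    # Constructed sample: the root TPO forces a value with No Override; the child
    # OU tries to lower it and to block inheritance, which the tables say is ignored.
    root = TpoLink({"otp_pin_length": "6"}, no_override=True)
    sales_ou = TpoLink({"otp_pin_length": "4"}, block_inheritance=True)
    print(effective_policy(root, sales_ou))  # {'otp_pin_length': '6'}
```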

Setting No Override and Disabled Options


1. In the Current Token Policy Object Links window, select the appropriate policy, and click Options (See Accessing Token Policy Object Links on page 122). The policy's Link Options window opens.
2. Select one of the following, and click OK.
   No Override: Prevents other Token Policy Objects from overriding policy set in this TPO. When this option is selected, child OUs of the current OU cannot override any TPO rules defined in this OU.

Note:
The No Override setting has a higher priority than the Block Policy Inheritance setting. See Blocking Policy Inheritance on page 137.

   Disabled: The Default policy is not applied to this container. When this option is selected, the rules of the TPO link are not applied to the OU or root container. To re-establish the link, clear this checkbox.


Blocking Policy Inheritance


Block policy inheritance is a setting defined by Microsoft for each Organization Unit. The SafeNet Authentication Manager enrollment process supports this setting. Select this option to prevent users of the current OU from getting TPO definitions from any parent container.

Note:
The No Override setting has a higher priority than the Block Policy Inheritance setting. See Setting No Override and Disabled Options on page 136.

To block policy inheritance:
1. In the Current Token Policy Object Links window, select the appropriate policy, and select Block policy inheritance (See Accessing Token Policy Object Links on page 122).
2. Click OK.


Applying TPO Links to Limited Users and Groups

Each TPO link has a security list that can be used to limit its application to specific users and groups. If the Apply to status of a user or group is set to Deny in the policy's security list, the effect is the same as disabling the TPO.
Each new TPO link includes a default group, All users group, whose Apply to status is set to Allow.

To manage filters, do one of the following:

- Add the users or groups to which the TPO should not be applied, and set their Apply to status to Deny.
- Remove the group All users group, and add only the users or groups to which the TPO should be applied. Set their Apply to status to Allow.

To filter users and groups:

1. In the Current Token Policy Object Links window, select the appropriate policy, and click Properties (See Accessing Token Policy Object Links on page 122).
   The policy's Properties window opens.

2. Select the Apply to tab.

3. In the User or Group box, select the appropriate user or group, and select one of the following:
   Allow: apply the TPO settings
   Deny: do not apply the TPO settings
   To remove a user or group from the list, select the user or group, and click Remove.

4. To add a user or group to the list, click Add.
   The User or Group window opens.

5. Enter the user or group to be added to the filter list, and click OK.
   The Token Properties window displays the newly added user or group.

6. Select the new user or group, and select Allow or Deny, as required.

7. Click OK.
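The inheritance and filtering rules described in this and the preceding sections (a child definition overrides the parent, the SafeNet Authentication Manager default applies when neither defines a setting, No Override takes priority over Block policy inheritance, and a Deny entry in the Apply to list has the same effect as a disabled link), modelled in Python as an added example. This is not SAM code: the Container and Link classes, the defaults table and the OU and group names are constructed for the illustration.

```python
# Added example, not code from the SafeNet Authentication Manager guide or product.
# Resolves the effective value of one TPO policy for a user in a child container
# using the rules the guide states. Container, Link and the sample names
# (Root, Sales, Contractors) are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The guide's default for this policy (Password Quality > Minimum password length).
SAM_DEFAULTS = {"Minimum password length": "4 characters"}
DEFAULT_SOURCE = "SafeNet Authentication Manager default"


@dataclass
class Link:
    """One TPO link on a container, with its Options and Apply to list."""
    name: str
    settings: Dict[str, str]           # policy name -> value defined in this TPO
    no_override: bool = False          # Options > No Override
    disabled: bool = False             # Options > Disabled
    apply_to: Dict[str, str] = field(  # Properties > Apply to: group -> Allow/Deny
        default_factory=lambda: {"All users group": "Allow"})


@dataclass
class Container:
    """An OU or the root container; its links are evaluated in list order."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False    # Block policy inheritance checkbox
    parent: Optional["Container"] = None


def link_applies(link: Link, groups: List[str]) -> bool:
    """A Deny entry for any of the user's groups acts like a disabled link;
    otherwise the link applies only when some group of the user is allowed."""
    if link.disabled:
        return False
    statuses = {link.apply_to[g] for g in groups if g in link.apply_to}
    return "Deny" not in statuses and "Allow" in statuses


def effective_setting(container: Container, policy: str,
                      groups: List[str]) -> Tuple[str, str]:
    """Return (value, source) for one policy, walking from the root down."""
    chain: List[Container] = []
    node: Optional[Container] = container
    while node is not None:
        chain.insert(0, node)          # root first, target container last
        node = node.parent

    value, source = SAM_DEFAULTS[policy], DEFAULT_SOURCE
    locked = False                     # set once a No Override link defines it
    for node in chain:
        if node.block_inheritance and not locked:
            # Block policy inheritance drops parent definitions, but a parent
            # link with No Override still wins (No Override has higher priority).
            value, source = SAM_DEFAULTS[policy], DEFAULT_SOURCE
        for link in node.links:
            if locked or policy not in link.settings or not link_applies(link, groups):
                continue
            value, source = link.settings[policy], f"{node.name}/{link.name}"
            if link.no_override:
                locked = True
    return value, source


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenarios; each value is the (value, source) pair resolved."""
    policy = "Minimum password length"
    all_users = ["All users group"]
    root = Container("Root", [Link("Default Policy", {policy: "8 characters"})])
    out = {}
    # Child does not define the policy: the parent setting applies.
    out["parent only"] = effective_setting(Container("Sales", parent=root), policy, all_users)
    # Child defines the policy: the child setting applies.
    child = Container("Sales", [Link("Sales TPO", {policy: "6 characters"})], parent=root)
    out["child overrides"] = effective_setting(child, policy, all_users)
    # Child link denies one of the user's groups: same as disabled, parent applies.
    deny = Link("Sales TPO", {policy: "6 characters"},
                apply_to={"All users group": "Allow", "Contractors": "Deny"})
    out["deny group"] = effective_setting(Container("Sales", [deny], parent=root), policy,
                                          all_users + ["Contractors"])
    # Block policy inheritance with nothing defined in the child: SAM default.
    out["blocked"] = effective_setting(
        Container("Sales", block_inheritance=True, parent=root), policy, all_users)
    # No Override on the parent beats both Block and the child's own definition.
    enforced = Container("Root", [Link("Default Policy", {policy: "8 characters"},
                                       no_override=True)])
    out["no override"] = effective_setting(
        Container("Sales", [Link("Sales TPO", {policy: "6 characters"})],
                  block_inheritance=True, parent=enforced), policy, all_users)
    return out
```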

Importing and Exporting Token Policy Objects

The Token Policy Object import and export feature enables you to duplicate the same settings in multiple installations of SafeNet Authentication Manager. You may also be asked to create an export file when receiving assistance from SafeNet Support.

Exporting Token Policy Objects

1. In the Current Token Policy Object Links window, select the appropriate policy, and click Export (See Accessing Token Policy Object Links on page 122).
   The Export Policy window opens.

2. Click Browse and navigate to the folder where you want the exported TPO to be saved.

3. Enter the file name in the File Name field and click Save.
   You are returned to the Export Policy window.

4. Enter a password in the File Password field and click OK.

   Tip: Remember the password. You will require it when importing the TPO file back into SafeNet Authentication Manager.

   A message confirms that the policy was exported successfully.

5. Click OK to close the window.

Importing Token Policy Objects

1. In the Current Token Policy Object Links window, ensure that none of the policies are selected and click Import (See Accessing Token Policy Object Links on page 122).
   The Import Policy window opens.

2. Click Browse and navigate to the location of the TPO file to be imported.

3. Select the TPO file to be imported and click Open.
   You are returned to the Import Policy window.

4. In the File Password field, enter the password (created when the TPO file was exported) and click OK.
   A message confirms that the policy was imported successfully.

5. Click OK to close the window.
   The imported TPO is displayed in the Current Token Policy Object Links window.

Chapter 9

Token Policy Object Settings

TPO settings determine how SafeNet Authentication Manager controls and executes token policies.

In this section:

- Using the Token Policy Object Editor to Edit TPOs
- General Settings
- Connector Settings
- Token Settings
- Enrollment Settings
- Recovery Settings
- Audit Settings
- MobilePASS Settings
- Backend Service Settings
- Legacy TMS Desktop Agent Settings
- Badging Settings

Using the Token Policy Object Editor to Edit TPOs

Edit the TPO settings to change the behavior of SafeNet Authentication Manager.

Note: After making changes to TPO settings, restart the browser running the SAM Management Center and SAM Self Service Center to apply the relevant changes.

To edit TPO settings:

1. Open the Current Token Policy Object Links window using the appropriate method.
   See Accessing TPO Links in an AD Environment on page 122.
   See Accessing TPO Links in a Non-AD Environment on page 125.
   See Accessing TPO Links in a Standalone User Store Environment on page 127.

2. Select the appropriate policy object link, and click Edit.
   The Token Policy Object Editor opens.

3. Select the appropriate node in the left pane.
   In this example, we select the Mail Configuration TPO settings node to edit.
   The Mail Configuration policies are displayed in the right pane.

4. Right-click the appropriate policy in the right pane, and select Properties from the drop-down menu.
   In this example, we select the Mail server name policy to edit.
   The Mail server name properties window opens.

5. The policy Properties window contains the following:
   - Navigation controls (Previous and Next)
   - Node name (In this example, Mail Configuration)
   - Policy's function (In this example, Mail server name)
   - Default setting, applied if the policy is not defined (In this example, localhost)
   - Define this policy setting option, which enables the policy
   - When appropriate, a field to enter information (In this example, Mail server name or IP address)

   To enable the policy, select the Define this policy setting option, and enter the server name or IP address in the Mail server name field.

   Note: If the selected Organizational Unit (OU) is a child of another OU or root, and a policy is not defined, the child OU inherits the setting defined in the parent OU. To disable the policy setting so that its setting is not inherited from the parent OU, select Define this policy setting, and select Disabled.

6. Do one of the following:
   - Select OK to return to the Token Policy Object Editor.
   - Select Next or Previous to move to the other policy Properties windows.

   The policy setting is displayed in the Token Policy Object Editor.

General Settings

General settings control certain global settings for SafeNet Authentication Manager.

Mail Configuration

Policy: Mail server name
Description: Defines the mail server name or address.
Default: localhost
Token Type: All devices including MobilePASS and SafeNet eToken Virtual Temp

Policy: Mail sender
Description: Defines from whom SafeNet Authentication Manager emails are sent. Note: Ensure that the email address is correct. SafeNet Authentication Manager does not check for a valid email address format.
Default: SAM@SAM.com
Token Type: All devices including MobilePASS and SafeNet eToken Virtual Temp

Policy: Mail server user account name
Description: Defines the account name with which the user logs on to the mail server.
Default: Empty (No logon required)
Token Type: All devices including MobilePASS and SafeNet eToken Virtual Temp

Policy: Mail server user account password
Description: Defines the account password with which the user logs on to the mail server.
Default: Empty (No logon required)
Token Type: All devices including MobilePASS and SafeNet eToken Virtual Temp

SMS Provider Configuration

SafeNet Authentication Manager supports sending an OTP to a user's mobile phone via SMS. The SMS Provider Configuration provides information about the SMS service provider and account.

Policy: SMS Provider Name
Description: URL of the SMS service provider.
Default: None
Token Type: MobilePASS Messaging

Policy: Username
Description: Username required for logging on to the SMS account.
Default: None
Token Type: MobilePASS Messaging

Policy: SMS provider password
Description: Password required for logging on to the SMS account.
Default: None
Token Type: MobilePASS Messaging

Connector Settings

Connector settings control the connector applications on tokens. See Connector Configuration on page 201.

Token Settings

The token settings control how SafeNet Authentication Manager sets token properties.

Policy: Token name for unassigned tokens
Description: Defines the default token name for tokens not yet assigned.
Default: My Token
Token Type: All devices excluding MobilePASS

Policy: Token name template for assigned tokens
Description: Defines the template used to create names for assigned tokens.
Default: My Token
Token Type: All devices excluding MobilePASS

Policy: Enable token naming in the Self Service Center
Description: Determines if the user can set or change the token name in the Self Service Center.
Default: User can name the token

Token Initialization

Policy: eToken PKI Client 3.65 compatible
Description: Determines if tokens are compatible with eToken PKI Client 3.65.
Default: Tokens are compatible with eToken PKI Client 3.65
Token Type: All devices excluding MobilePASS

Token Password

Policy: One-factor logon
Description: Determines if the Token Password is required during logon. If enabled, users authenticate simply by connecting their tokens. If disabled, they are also required to enter the token password.
Default: Disabled (Token requires a user password)
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Default Token Password
Description: Defines the default Token Password.
Default: 1234567890
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Password Quality

Policy: Proxy mode
Description: Determines if the password policy parameters are read from the host (proxy mode).
Default: Proxy mode is not used (Password policy parameters are not read from the host)
Token Type: All devices excluding MobilePASS

Policy: Minimum password length
Description: Defines the minimum length of a Token Password.
Default: 4 characters
Token Type: All devices excluding MobilePASS

Policy: Maximum password usage period
Description: Defines the maximum number of days before a Token Password must be changed.
Default: 90 days
Token Type: All devices excluding MobilePASS

Policy: Minimum password usage period
Description: Defines the minimum number of days before a Token Password can be changed.
Default: No minimum
Token Type: All devices excluding MobilePASS

Policy: Password expiration warning period
Description: Determines when users are warned that their Token Password will expire.
Default: No warning (User will not be warned before password expires)
Token Type: All devices excluding MobilePASS

Policy: Password history size
Description: Defines the number of recent Token Passwords saved to the token that cannot be reused.
Default: 15 passwords
Token Type: All devices excluding MobilePASS

Policy: Password must be changed on first logon
Description: Determines if users must change their token password on first logon after initialization.
Default: Not required
Token Type: All devices excluding MobilePASS

Policy: Maximum consecutive character repetitions
Description: Defines the maximum number of times that the same character can be repeated consecutively in a token password.
Default: 3 characters
Token Type: All devices excluding MobilePASS

Policy: At least 3 complexity rules
Description: Determines if token passwords must contain at least three character types. Note: This is not applicable if the Apply manual complexity policy is enabled.
Default: Enabled
Token Type: All devices excluding MobilePASS

Manual Complexity

Policy: Apply manual complexity
Description: Determines if the token password must meet manually defined complexity requirements (as opposed to at least 3 complexity rules).
Default: Disabled
Token Type: All devices excluding MobilePASS

Policy: Numerals
Description: Determines if, in token passwords, numerals are permitted, forbidden or mandatory. Note: This policy applies only if the Apply manual complexity policy is enabled.
Default: Permitted
Token Type: All devices excluding MobilePASS

Policy: Upper-case letters
Description: Determines if, in token passwords, upper-case letters are permitted, forbidden or mandatory. Note: This policy applies only if the Apply manual complexity policy is enabled.
Default: Permitted
Token Type: All devices excluding MobilePASS

Policy: Lower-case letters
Description: Determines if, in token passwords, lower-case letters are permitted, forbidden or mandatory. Note: This policy applies only if the Apply manual complexity policy is enabled.
Default: Permitted
Token Type: All devices excluding MobilePASS

Policy: Special characters
Description: Determines if, in token passwords, special characters are permitted, forbidden or mandatory. Note: This policy applies only if the Apply manual complexity policy is enabled.
Default: Permitted
Token Type: All devices excluding MobilePASS
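A checker for the Password Quality and Manual Complexity settings listed above, as an added example and not SafeNet Authentication Manager code. The TokenPasswordPolicy class and its field names are constructed here, its default values are the guide's defaults, and reading "Maximum consecutive character repetitions" as the longest run permitted is an assumption.

```python
# Added example, not SafeNet Authentication Manager code. Evaluates a candidate
# Token Password against the Password Quality and Manual Complexity policies.
# TokenPasswordPolicy and its field names are constructed for this example; the
# default values are the ones the guide lists for each policy.
from dataclasses import dataclass
from typing import Dict, List, Sequence

PERMITTED, FORBIDDEN, MANDATORY = "Permitted", "Forbidden", "Mandatory"


@dataclass
class TokenPasswordPolicy:
    minimum_length: int = 4                   # Minimum password length
    max_consecutive_repetitions: int = 3      # Maximum consecutive character repetitions
    at_least_3_complexity_rules: bool = True  # At least 3 complexity rules
    history_size: int = 15                    # Password history size
    apply_manual_complexity: bool = False     # Apply manual complexity
    numerals: str = PERMITTED                 # Manual Complexity > Numerals
    upper_case: str = PERMITTED               # Manual Complexity > Upper-case letters
    lower_case: str = PERMITTED               # Manual Complexity > Lower-case letters
    special: str = PERMITTED                  # Manual Complexity > Special characters


def character_types(pw: str) -> Dict[str, bool]:
    """Which of the four character types the password contains."""
    return {
        "numerals": any(c.isdigit() for c in pw),
        "upper_case": any(c.isupper() for c in pw),
        "lower_case": any(c.islower() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and c == pw[i - 1] else 1
        best = max(best, run)
    return best


def check_token_password(pw: str, policy: TokenPasswordPolicy,
                         history: Sequence[str] = ()) -> List[str]:
    """Return the rules the password violates; an empty list means it is
    accepted. `history` holds the previous Token Passwords, oldest first."""
    problems: List[str] = []
    if len(pw) < policy.minimum_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_length}")
    # Assumption: the setting is the longest run allowed, so with the default
    # of 3 "aaa" passes and "aaaa" fails.
    if longest_run(pw) > policy.max_consecutive_repetitions:
        problems.append("a character repeats more than "
                        f"{policy.max_consecutive_repetitions} times in a row")
    # Only the most recent history_size passwords are saved on the token.
    recent = list(history)[-policy.history_size:] if policy.history_size > 0 else []
    if pw in recent:
        problems.append("matches one of the saved previous passwords")
    present = character_types(pw)
    if policy.apply_manual_complexity:
        # Manual complexity replaces the 3-of-4 rule with per-type settings.
        rules = {"numerals": policy.numerals, "upper_case": policy.upper_case,
                 "lower_case": policy.lower_case, "special": policy.special}
        for name, rule in rules.items():
            if rule == MANDATORY and not present[name]:
                problems.append(f"{name} are mandatory but missing")
            elif rule == FORBIDDEN and present[name]:
                problems.append(f"{name} are forbidden but present")
    elif policy.at_least_3_complexity_rules and sum(present.values()) < 3:
        problems.append("contains fewer than 3 of the 4 character types")
    return problems
```

With the defaults, the guide's Default Token Password 1234567890 is reported as having only one character type, which is why the "Set random Token Password" and "Password must be changed on first logon" enrollment policies matter.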

Initialization Parameters

Policy: Maximum number of user logon failures
Description: Defines how many consecutive Token Password failures lock the token.
Default: 15 consecutive times
Token Type: All devices excluding MobilePASS

Policy: Maximum number of administrator logon failures
Description: Defines how many consecutive administrator password failures lock the token.
Default: 15 consecutive times
Token Type: All devices excluding MobilePASS

Policy: Manually reserve space for RSA keys
Description: Determines if a non-standard amount of space is reserved on tokens for RSA keys. If enabled, set the amount of space to reserve in the Amount of space manually reserved for RSA policy.
Default: Disabled (Standard space reserved)
Token Type: All devices excluding MobilePASS

Policy: Manually set number of reserved RSA keys
Description: Defines the amount of space to manually reserve for RSA keys. Note: This setting applies only if the Manually reserve space for RSA keys policy is enabled.
Default: Standard space reserved
Token Type: All devices excluding MobilePASS

Policy: FIPS
Description: Determines if tokens are initialized as FIPS compliant.
Default: Not FIPS compliant
Token Type: All devices excluding MobilePASS

Policy: PKCS#11 user PIN initialization
Description: Determines if tokens are initialized with a PKCS#11 user PIN.
Default: Enabled (PKCS#11 user PIN is initialized)
Token Type: All devices excluding MobilePASS

Policy: 2048-bit RSA key support
Description: Determines if the 2048-bit RSA key is supported.
Default: Not supported
Token Type: All devices excluding MobilePASS

Policy: OTP support
Description: Determines if OTP is supported.
Default: Not supported
Token Type: All devices excluding MobilePASS

Initialization Key

Policy: Use standard initialization key for first-time initializations
Description: Defines whether the standard token initialization key is used for first-time initializations. Note: To use a non-standard initialization key for new tokens, disable this policy and define the initialization key in the First-time initialization key policy.
Default: Use the standard initialization key
Token Type: All devices excluding MobilePASS

Policy: First-time initialization key
Description: Defines the non-standard first-time initialization key.
Default: Standard initialization key
Token Type: All devices excluding MobilePASS

Policy: Change initialization key for subsequent initializations
Description: Defines whether a new initialization key is used for subsequent initializations. Note: If this policy is enabled, tokens can be re-initialized only by SAM or by someone knowing the subsequent initialization key. To change the initialization key for tokens already initialized, enable this policy, and define the subsequent initialization key in the Subsequent initialization key policy.
Default: Do not use a different initialization key
Token Type: All devices excluding MobilePASS

Policy: Subsequent initialization key
Description: Defines a new initialization key to use for subsequent initializations. Select Define this Policy Setting, then select one of the following:
  - Standard: use the standard initialization key
  - Random: create a randomly generated initialization key (known only to SAM)
  - New initialization key: create a static initialization key
  Note: If this policy is defined, tokens can be initialized only by SAM or by someone knowing the subsequent initialization key. To create a different initialization key for tokens already initialized, you must define the subsequent initialization key in this policy, and enable the "Change subsequent initialization key" policy.
Default: Standard initialization key
Token Type: All devices excluding MobilePASS

Advanced Settings

Policy: Private data caching
Description: Defines when private data is cached. Select Define this Policy Setting, then select one of the following:
  - Always
  - While user is logged on
  - Never
Default: Always
Token Type: All devices excluding MobilePASS

Policy: RSA key secondary authentication
Description: Defines how RSA keys secondary authentication is used. Select Define this Policy Setting, then select one of the following:
  - Never
  - Always prompt user
  - Prompt on application request
  - Always
Default: Never
Token Type: All devices excluding MobilePASS

Enrollment Settings

Enrollment settings control the SafeNet Authentication Manager token enrollment process.

General Properties

Policy: Maximum number of active tokens per user
Description: Defines the maximum number of non-revoked tokens per user.
Default: 1
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Initialize token on each enrollment
Description: Determines if tokens are initialized during each enrollment.
Default: No initialization
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Initialize new token on first enrollment
Description: Determines if new tokens are initialized during their first enrollment in SafeNet Authentication Manager. Note: The Initialize new token on first enrollment setting is effective only if enrollment is done through the SAM Service Center.
Default: No initialization

Policy: Set random Token Password
Description: Determines if a random Token Password is set during initialization. Note: If this policy is enabled, ensure that users receive their Token Passwords via the enrollment notification settings defined in the TPO.
Default: Random Token Password is not set
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Random Token Password length
Description: Defines the random Token Password length.
Default: 12 characters
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Random Token Password content
Description: Defines the random Token Password content.
Default: Numerals only
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Password must be changed on first logon
Description: Determines if users must change their Token Passwords on first logon after enrollment.
Default: Password change not required
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Ignore connector incompatibility during enrollment
Description: Determines if the token enrollment fails when a connector is not compatible with the token type.
Default: Do not ignore incompatibility (Enrollment fails)
Token Type: All devices excluding MobilePASS

Policy: Enable SafeNet eToken Virtual creation
Description: Determines if a SafeNet eToken Virtual may be created during enrollment (instead of enrolling a physical token).
Default: Not enabled
Token Type: eToken Virtual

Policy: Require user to complete authentication questionnaire
Description: Determines if users must complete authentication questionnaires during enrollment.
Default: Not required
Token Type: All devices excluding MobilePASS

SafeNet eToken Virtual Enrollment

Policy: SafeNet eToken Virtual locking method
Description: Determines the method for locking SafeNet eToken Virtual authenticators (See SafeNet eToken Virtual Products on page 432). Select Define this Policy Setting, then select one of the following:
  - Portable drive only
  - Computer only
  - Portable drive or computer
Default: Computer only
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Enrollment Notification

Enrollment Notification settings enable enrollment notification letters configuration. See Enrollment Notification on page 332.

Recovery Settings

Recovery Settings set options for tokens that cannot be used because they have been lost, or their passwords have been forgotten.

Policy: Enable token unlock
Description: Determines if an administrator password is created for token unlock. Note: To be unlocked, a token must have an Administrator Password saved to it during initialization. To enable this, enable this policy and define the "Unlock password type" policy. A locked token that does not have an Administrator Password cannot be used for logon until it is reinitialized.
Default: Enabled
Token Type: All devices excluding MobilePASS

Policy: Unlock password type
Description: Defines the administrator password type. Note: To be unlocked, a token must have an Administrator Password saved to it during initialization. To enable this, enable the "Enable token unlock" policy and define this policy. A locked token that does not have an Administrator Password cannot be used for logon until it is reinitialized.
Default: Random password
Token Type: All devices excluding MobilePASS

Policy: Maximum number of SafeNet eToken Virtual unlocks
Description: Defines how many times a SafeNet eToken Virtual can be unlocked. Note: The number of unlocks includes both successful and unsuccessful attempts.
Default: 20 times
Token Type: All devices excluding SafeNet eToken Virtual Temp

Policy: Enable SafeNet eToken Rescue
Description: Determines if users can download a SafeNet eToken Rescue as a replacement token.
Default: Not allowed
Token Type: All devices excluding SafeNet eToken Virtual Temp

Policy: Maximum SafeNet eToken Rescue usage period
Description: Defines the number of days a SafeNet eToken Rescue can be used.
Default: 14 days
Token Type: All devices excluding SafeNet eToken Virtual Temp

Policy: SafeNet eToken Rescue download options
Description: Determines when a SafeNet eToken Rescue is downloaded to a user's computer: User manually initiates a download, or Automatic download in first logon.
Default: User manually initiates download
Token Type: All devices excluding SafeNet eToken Virtual Temp

Policy: User authentication questionnaire
Description: Defines the questions to be asked for user authentication.
Default: No questions (users cannot authenticate to the Rescue Service Center)
Token Type: All devices

Policy: Number of random questions asked
Description: Defines how many random questions are asked for user authentication.
Default: 0 (No questions asked)
Token Type: All devices

Policy: Maximum number of authentication retries
Description: Defines how many incorrect authentication answers lock the user, when attempting to authenticate to the Rescue Service Center.
Token Type: All devices

Policy: User authentication for Helpdesk
Description: Determines if user authentication is required to access the Helpdesk.
Default: Not required
Token Type: All devices

Policy: Maximum Temp Logon usage period
Description: Defines the number of days a temporary password can replace a missing token.
Default: 3 days
Token Type: All devices excluding MobilePASS

Policy: Maximum Temp OTP password usage period
Description: Defines the number of days a Temp OTP password can replace a missing OTP token.
Default: 14 days
Token Type: All devices

Policy: Enable token history
Description: Enables the token history feature.
Default: Not enabled

Policy: Require certificate recovery workflow
Description: Determines if a certificate recovery workflow is required.
Default: Not required

Audit Settings

Audit settings enable audit information logging and audit notification letters configuration. See Audit Messages on page 322.

MobilePASS Settings

MobilePASS settings apply to MobilePASS tokens.

General Properties

Policy: Maximum number of active MobilePASS tokens per user
Description: Defines the maximum number of MobilePASS tokens allowed for each user.
Default: 1
Token Type: MobilePASS

Policy: Enable MobilePASS Messaging
Description: Determines if MobilePASS Messaging enrollment is enabled.
Default: Not enabled
Token Type: MobilePASS

Policy: Enable automatic enrollment of MobilePASS Messaging tokens
Description: Determines if automatic MobilePASS Messaging enrollment is enabled.
Default: Not enabled
Token Type: MobilePASS

Policy: Verify SMS number on self-enrollment
Description: Determines if the SMS number is verified on self-enrollment.
Default: SMS number is verified
Token Type: MobilePASS

Backend Service Settings

SafeNet Authentication Manager Backend Service settings control Backend Service activities.

Policy: Disallow Temp Logon
Description: Determines if the backend service disallows the use of a temporary password as replacement for a missing password.
Default: Disallow
Token Type: All devices excluding MobilePASS

Policy: Revoke opened SafeNet eToken Rescue upon expiration
Description: Determines if an opened SafeNet eToken Rescue is automatically revoked upon expiration.
Default: Revoke
Token Type: All devices excluding SafeNet eToken Virtual Temp

Policy: Revoke tokens of users deleted from SAM user store
Description: Determines if tokens are automatically revoked when their users are deleted from the user store.
Default: Revoke
Token Type: All devices

Policy: Revoke tokens of users disabled in SAM user store
Description: Determines if tokens are automatically revoked when their users are disabled in the user store.
Default: Not revoked
Token Type: All devices

Policy: Synchronize users data
Description: Determines if SAM database integrity is maintained by synchronizing users' data.
Default: Synchronize
Token Type: All devices

Policy: Synchronize license data
Description: Determines if license counters are automatically calculated and updated. Note: Enable this policy to optimize SAM performance.
Default: Synchronize
Token Type: All devices

Legacy TMS Desktop Agent Settings

Legacy Desktop Agent settings control the legacy TMS Desktop Agent capabilities.

Policy: Display token update alerts
Description: Defines whether to display alerts to the user if the token content is not aligned with definitions or about to expire.
Default: Token update alerts are enabled

Policy: Update alert period
Description: Defines the number of days to show the update alert prior to the eToken expiration date.
Default: Expiration alert starts 30 days before token expires

Policy: Update alert text
Description: Defines the message the user sees in case of a token update alert.
Default: Update your token

Policy: Update alert title
Description: Defines the alert message title the user sees in case of a token update alert.
Default: Token Notification

Policy: Update alert click action
Description: Determines the action that occurs when the user clicks the alert balloon: No action, Show detailed message or Open website.
Default: No action

Policy: Update alert detailed message
Description: The message displayed when the user clicks on the balloon. Used only if the Update alert click action policy is set to 'Show detailed message.'
Default: Empty

Policy: Update alert website URL
Description: The website URL to open when the user clicks on the balloon. Used only if the Update alert click action policy is set to 'Open website.'
Default: Not defined

Policy: Update alert interval
Description: Defines the minimum interval in days between two alerts to the same user (for connected tokens).
Default: Minimum alert interval is 4 days

Policy: Update check interval
Description: Alerts will be checked whenever a token is inserted or when the specified number of days has passed since the last alert check (even if a token was not inserted).
Default: Alert check interval is 14 days

Policy: Token connection auditing
Description: Determines if token insertion and removal events are audited.
Default: Token insertion/removal auditing is enabled

Badging Settings

Badging settings control how badges are printed.

Policy: Enable badging
Description: Determines if badging is enabled.
Default: Disabled
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Expiration date on badge
Description: Determines if an expiration date is printed on the badge, and sets the date.
Default: Empty (No date printed)
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Photo Storage

Policy: Photo storage method
Description: Determines if the users' photos are located on a file system or in the SAM User Store.
Default: File system
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: File system photo directory
Description: Determines the location of the photos stored in a file system.
Default: Empty
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Note: The file system folder should not be a network folder.

Printing Parameters

Policy: Print front of badge
Description: Determines if the front of the badge is printed.
Default: Enabled
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Print back of badge
Description: Determines if the back of the badge is printed.
Default: Disabled
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Orientation front side
Description: Determines if the badge's front side orientation is portrait or landscape.
Default: Portrait
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Orientation back side
Description: Determines if the badge's back side orientation is portrait or landscape.
Default: Landscape
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Image generator plug-in
Description: Defines the assembly plugin for generating the badge's printing file. Note: Define this setting if you have developed an SDK plugin that uses a custom image generator or printer.
Default: SAM-supplied plugin
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Template - front side
Description: Determines the template file used for printing the badge's front side.
Default: SAM-supplied generic template
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Template - back side
Description: Determines the template file used for printing the badge's back side.
Default: SAM-supplied generic template
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Laminate - front side
Description: Determines if a protective topcoat is printed on the badge's front side.
Default: Enabled
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Laminate - back side
Description: Determines if a protective topcoat is printed on the badge's back side.
Default: Enabled
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Printing plug-in
Description: Determines if a printing plugin is used for printing the badge image. Note: Define this setting if you have developed an SDK plugin that uses a custom image generator or printer.
Default: SAM-supplied plugin
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Policy: Enable duplex printing
Description: Determines if two-sided printing is enabled.
Default: Enabled
Token Type: All devices excluding MobilePASS and SafeNet eToken Virtual Temp

Chapter 10

SAM Configuration Manager

Use the SafeNet Authentication Manager Configuration Manager to change the default settings in accordance with your organization's policies.

In this section:

- Launching the SAM Configuration Manager
- Selecting the SAM Instance
- Importing and Exporting the SAM Settings File
- Adding SAM Connectors
- Configuring Roles
- Scheduling the SAM Backend Service
- Configuring the License
- Configuring IIS and Web Services
- Selecting the Authentication Plug-In
- Defining a Failover Configuration
- Exporting and Importing the Signing Certificate
- Changing the SAM Service Account

Launching the SAM Configuration Manager

Note: In Windows Server 2008 and Windows Server 2008 R2, the SAM Configuration Manager must be run as Administrator.

To launch the SAM Configuration Manager:

Select Start > Programs > SafeNet > SafeNet Authentication Manager Configuration Manager.
The SAM Configuration Manager window opens, displaying details of the SAM instance.

Selecting the SAM Instance

If more than one SafeNet Authentication Manager instance has been configured, select the required instance.

To select the SAM instance:

1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 180).

2. From the General menu, select Select Configuration, and select the appropriate SafeNet Authentication Manager configuration name assigned in the SafeNet Authentication Manager Configuration Settings Wizard.

Importing and Exporting the SAM Settings File

The SafeNet Authentication Manager Settings File contains data used for SafeNet Authentication Manager processes, including security keys used for SafeNet Authentication Manager data encryption in the Active Directory. The SafeNet Authentication Manager Settings File can be exported for backup or sharing, and imported later.
Import the SafeNet Authentication Manager Settings File from the backup file when you need to restore a damaged computer, or when you are setting up an additional SafeNet Authentication Manager Server that uses the same settings.
Each SafeNet Authentication Manager Settings File contains a global security key, and a security key for each connector. If there is more than one instance of SAM Server on a computer, each instance has its own SAM Settings File.

Notes:

- The SafeNet Authentication Manager Settings File should be exported after installation.
- We recommend exporting the SafeNet Authentication Manager Settings File whenever a connector is added.
- The security keys are typically configured for renewal every year. The Settings File options in the Action drop-down menu are enabled only when there are keys due for renewal.

Exporting the SAM Settings File


182 SafeNet Authentication Manager Administrators Guide

To export the SAM Settings File:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Settings File > Export.
The Export Settings File window opens.
3. Enter a path for the exported settings file, and create and confirm a password for the new file.
The default path is C:\Documents and Settings\Administrator\My Documents\SAMSettingsExport.xm

Tip:
Remember the file password. You must provide it when importing the file.
4. Click Export.
The file is exported, and the Export Completed window opens.
5. Click OK.


Importing the SAM Settings File


To import the SAM Settings File:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Settings File > Import.
The Import Settings File window opens.
3. Enter the path and the file password of the exported settings file, and click Import.
The file is imported, and the Import Completed window opens.
4. Click OK.

Adding SAM Connectors


During token enrollment, applications for the SAM connectors installed on SAM are enabled on the token. If a SAM connector is not installed at the time of token enrollment, its connector applications are not enabled on the token.
See Connector Configuration on page 201, to configure connectors.

To add a new connector:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Connectors > Add Connector.
The Open window opens, displaying all the available connector files.
3. Select the required connector and click Open.
In this example, we install the Entrust Connector.
The connector is installed and is included in the SafeNet Authentication Manager Configuration Manager window.

Note:
We recommend exporting the SafeNet Authentication Manager Settings File whenever a connector is added.

Configuring Roles
See Authorization Manager on page 299.

Scheduling the SAM Backend Service


To schedule SAM Backend Service:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Backend Service > Change Scheduling.
The Backend Service Scheduling window opens.
3. To activate the scheduled operation of SAM Backend Service, select Enable scheduling, and select one of the following:
- Periodically: enter the number of hours between each scheduled operation
- Daily: enter the time when scheduled operations are performed
- Weekly: enter the day of the week and the time when scheduled operations are performed
4. Click OK.

Note:
After scheduling the Backend Service, you must restart the Backend Service for the changes to take effect.


Configuring the License


See Licensing on page 293.

Configuring IIS and Web Services


Configuring OTP Web Services
See OTP Web Service Settings on page 340.

Configuring Features of the SAM Management Center


You can change certain default features of the SAM Management Center.

To configure certain features of the SAM Management Center:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Management Center.
The Management Center Settings window opens.
3. Complete the fields as follows and click OK:

SAM Client download file: Enter the path to the 32-bit SAM Client installation file (msi)
SAC Client X64 download file: Enter the path to the 64-bit SAM Client installation file (msi)
Show the user display name: Select to show the user's display name, instead of the account name
Maximum rows per report page: Select the number of rows to be displayed on each page of a report
Maximum tokens and users search results: Select the number of records to be displayed that match the search criteria. The larger the number, the longer the search time. To display more results, increase this number.
Token Serial Format: Select the format in which the token serial number is displayed: Hexa Decimal or Decimal.

Configuring Features of the SAM Self Service Center


You can change certain default features of the SAM Self Service Center.

Note:
There is no default value for the SafeNet Authentication Client download file location. We recommend that you define the file's location in case a user does not have SafeNet Authentication Client installed.

To configure certain features of the SAM Self Service Center:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Self Service Center.
The SAM Self Service Center Configuration window opens.
3. Complete the fields as follows and click OK:

SafeNet Authentication Client 32-bit download file / SafeNet Authentication Client 64-bit download file: Click Browse to select the path to the SafeNet Authentication Client installation file in the ClientDownload folder. Note: Ensure that the SafeNet Authentication Client file has been copied to the ClientDownload folder where the SafeNet Authentication Manager Client file is located.
SafeNet Authentication Manager Client 32-bit download file / SafeNet Authentication Manager Client 64-bit download file: Enter the path to the SafeNet Authentication Manager Client installation file. Note: By default, the path is entered during the installation process.


Configuring Features of the SAM Rescue Service Center


You can change certain default features of the SAM Rescue Service Center.

To configure certain features of the SAM Remote Service Center:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Rescue Service Center.
The SAM Remote Service Center Settings window opens.
3. Enter the number of minutes that a SafeNet eToken Rescue is kept on the SafeNet Authentication Manager Server after the user logs off.

Configuring Features of SAM Web Service API


The SAM Web Service API enables developers to develop applications that can contact SafeNet Authentication Manager directly, without the user being required to log on through a SafeNet Authentication Manager website. The new application allows the end user to log on to a different application that accesses SafeNet Authentication Manager.

Note:
Only server-based operations are available.

To configure certain features of the SAM Web service API:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Web API Service.
The Web API Service Settings window opens.
3. Complete the fields as follows and click OK.

Sessions do not expire: Select to enable the session to continue for an unlimited time.
Sessions expire after (in minutes): To limit the length of time for the session, clear the Sessions do not expire field, and enter, in minutes, the maximum session time permitted. Even when a session is no longer active, it remains open until deleted.
Delete expired sessions every (in minutes): Enter an interval, in minutes, between attempts to delete expired sessions from the system.
Unlimited number of concurrent open sessions: Select to enable an unlimited number of open sessions.
Maximum number of concurrent open sessions: To limit the number of open sessions, clear the Unlimited number of concurrent open sessions field, and enter the maximum number of sessions that can be opened concurrently.
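The three settings above interact: a session that has passed its expiry is rejected when used, but it still counts as "open" until the periodic deletion runs, so a low concurrent-session cap combined with a long deletion interval can lock out new API clients. The following added example (written for this guide's editor, not SafeNet code and not the Web API's own implementation) models that behaviour in memory. The session id format, the minute-counting fake clock, and triggering the cleanup lazily from open_session rather than from a timer are assumptions of the example.

```python
"""Session handling modelled on the Web API Service settings (added example).

Assumptions (not from the guide): the session id format, the minute-based
fake clock, and the lazy cleanup trigger are this example's own choices.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class WebApiSettings:
    # None mirrors "Sessions do not expire"
    sessions_expire_after_minutes: Optional[int]
    # "Delete expired sessions every (in minutes)"
    delete_expired_every_minutes: int
    # None mirrors "Unlimited number of concurrent open sessions"
    max_concurrent_sessions: Optional[int]


class SessionLimitReached(Exception):
    """Raised when the concurrent-session cap would be exceeded."""


class FakeClock:
    """Counts minutes so the example runs without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, minutes: float) -> None:
        self.now += minutes


@dataclass
class Session:
    session_id: str
    user: str
    last_activity: float


class WebApiSessionStore:
    def __init__(self, settings: WebApiSettings, clock) -> None:
        self.settings = settings
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        self._last_cleanup = clock()

    def is_expired(self, session: Session) -> bool:
        limit = self.settings.sessions_expire_after_minutes
        return limit is not None and self.clock() - session.last_activity >= limit

    def open_session(self, user: str) -> str:
        # Expired sessions stay in the table (and count against the cap)
        # until the periodic cleanup runs; here cleanup is triggered lazily.
        self._maybe_cleanup()
        cap = self.settings.max_concurrent_sessions
        if cap is not None and len(self.sessions) >= cap:
            raise SessionLimitReached(f"{cap} sessions already open")
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = Session(session_id, user, self.clock())
        return session_id

    def validate(self, session_id: str) -> bool:
        """True if the session exists and is not expired; refreshes its activity time."""
        session = self.sessions.get(session_id)
        if session is None or self.is_expired(session):
            return False
        session.last_activity = self.clock()
        return True

    def cleanup_expired(self) -> int:
        """Delete expired sessions; returns how many were removed."""
        expired = [sid for sid, s in self.sessions.items() if self.is_expired(s)]
        for sid in expired:
            del self.sessions[sid]
        return len(expired)

    def open_count(self) -> int:
        return len(self.sessions)

    def _maybe_cleanup(self) -> None:
        now = self.clock()
        if now - self._last_cleanup >= self.settings.delete_expired_every_minutes:
            self.cleanup_expired()
            self._last_cleanup = now
```

With a cap of 2, an expiry of 30 minutes and a deletion interval of 10 minutes, two idle sessions block a third client until the next cleanup pass, which is the situation an administrator sees when the deletion interval is set much longer than the session lifetime.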


Configuring Desktop Agent


See Desktop Agent on page 371.

Configuring Server Synchronization


In a distributed environment, with more than one SafeNet Authentication Manager server, the Server Synchronization feature is used to synchronize the token and user records during the assignment operation. This ensures that two or more token assignment sessions will not be able to assign the same token twice or to assign more than the permitted number of tokens for the user.

To configure server synchronization:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and SAM Web Services > Server Synchronization.
The Server Operations Synchronization Settings window opens.
3. To activate server synchronization, select Server Synchronization.
4. For each server to be included in the synchronization operations, click Add, type the server URL, and click Test to verify the URL.
5. To change the default locking time, enter a new locking time (in milliseconds).
The locking time determines the maximum time the user and user's token records are locked during an assignment operation.
6. To change the default failure timeout, enter a new failure timeout (in milliseconds).
The failure timeout is the time required for a failed lock operation to initiate an error response.
7. Click OK.
The Restart IIS Application Pool window opens.
8. To save the changes and restart the IIS Application Pool, click Yes.
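To make the locking time and failure timeout concrete, here is an added example (the editor's own code, not SafeNet's synchronization protocol) of record locking around a token assignment. Two assignment sessions lock the user record and the token record before checking and writing; a second session that finds a record held gets an error, and a lock older than the locking time is treated as abandoned so a crashed server cannot block assignments forever. The in-memory lock table, the millisecond fake clock, the per-user token limit and the token serials are constructs of the example.

```python
"""Record locking for token assignment across several SAM servers (added example).

Assumptions (not from the guide): the in-memory lock table, the millisecond
fake clock, the per-user token limit and the serials are this example's own.
"""
from typing import Dict, List, Tuple


class LockConflict(Exception):
    """Another assignment session holds the record; reported after the failure timeout."""


class FakeClockMs:
    def __init__(self) -> None:
        self.now = 0

    def __call__(self) -> int:
        return self.now

    def advance(self, ms: int) -> None:
        self.now += ms


class SyncLockTable:
    """Per-record locks whose maximum hold time is the locking time."""

    def __init__(self, locking_time_ms: int, failure_timeout_ms: int, clock) -> None:
        self.locking_time_ms = locking_time_ms
        self.failure_timeout_ms = failure_timeout_ms
        self.clock = clock
        self._locks: Dict[str, Tuple[str, int]] = {}  # record -> (owner, acquired_at)

    def acquire(self, record: str, owner: str) -> None:
        now = self.clock()
        held = self._locks.get(record)
        if held is not None:
            holder, since = held
            stale = now - since >= self.locking_time_ms  # lock outlived the locking time
            if holder != owner and not stale:
                raise LockConflict(
                    f"{record} locked by {holder}; error raised after "
                    f"{self.failure_timeout_ms} ms"
                )
        self._locks[record] = (owner, now)

    def release(self, record: str, owner: str) -> None:
        if self._locks.get(record, (None, 0))[0] == owner:
            del self._locks[record]


class TokenStore:
    def __init__(self, max_tokens_per_user: int) -> None:
        self.max_tokens_per_user = max_tokens_per_user
        self.owner_of: Dict[str, str] = {}  # token serial -> user

    def tokens_of(self, user: str) -> int:
        return sum(1 for u in self.owner_of.values() if u == user)


def assign_token(store: TokenStore, locks: SyncLockTable,
                 session: str, user: str, token: str) -> None:
    """Lock the user and token records, re-check both, then record the assignment."""
    records = sorted([f"user:{user}", f"token:{token}"])  # fixed order avoids deadlock
    acquired: List[str] = []
    try:
        for rec in records:
            locks.acquire(rec, session)
            acquired.append(rec)
        if token in store.owner_of:
            raise ValueError(f"token {token} already assigned to {store.owner_of[token]}")
        if store.tokens_of(user) >= store.max_tokens_per_user:
            raise ValueError(f"{user} already has {store.max_tokens_per_user} token(s)")
        store.owner_of[token] = user
    finally:
        for rec in acquired:
            locks.release(rec, session)
```

The checks are repeated after the locks are held, which is what prevents the double assignment the text describes; a check made before locking would race with the other server.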

Selecting the Authentication Plug-In


When SafeNet Authentication Manager uses a non-AD external user store, Active Directory cannot be used to authenticate user names and passwords. An authentication plug-in file is required to enable users to log on to the SAM websites.
The plug-in dll was set in the SAM Configuration Wizard. See Chapter 7 Configuring for OpenLDAP, Novell eDirectory or Remote AD, step 12 on page 108, or Configuring for MS SQL Server step 11 on page 119.
Use the SAM Configuration Manager to set a different authentication plug-in dll.

To set a different authentication plug-in:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Website Authentication Settings > Change.
The Authentication Settings window opens.
3. Navigate to the appropriate authentication dll file, and click OK.

Defining a Failover Configuration


The failover configuration feature enables you to set up a failover configuration for LDAP user stores that do not follow the standard AD configuration. When the standard AD configuration is used, a failover configuration is not required.
SafeNet Authentication Manager will connect to the failover LDAP user store if the primary user store stops responding.

To create a failover configuration:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. Select General > Failover Configuration > New.
3. The New Failover Configuration window opens.
4. Click Browse next to the Select Directory field.
In this example, the Select OpenLDAP Server window opens.
5. Enter the fields as follows:

Server: Enter the IP address of the directory server
Port: Enter the directory server port. This is determined when the directory is configured.
Naming Context: Click Browse and select the required naming context.
Simple Binding, using an anonymous user: Select this option to connect to the directory server without a user and password. This is possible only if this option is enabled in the system.
Simple Binding, using the following user: Select this option to connect to the directory server using the User DN and Password. Enter the User DN and Password in the appropriate fields.
Use a secure connection: If OpenLDAP is configured to run in a secure mode, select this option to encrypt the data to be transferred.

6. The selected directory is displayed in the New failover configuration window.
7. Click Save to save the configuration, and click Close.

Exporting and Importing the Signing Certificate


You can create a password-protected file containing the settings for the SafeNet Authentication Manager security keys. This file can later be imported back into SafeNet Authentication Manager.

Exporting a Signing Certificate


To export a signing certificate:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Signing Certificate > Export.
The Export Certificate window opens.
3. To change the default installation folder, click Browse and navigate to the required location.
4. Enter a password in the File Password field, and confirm in the Confirm Password field.
5. Click Export.


Importing a Signing Certificate


To import a signing certificate:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select Signing Certificate > Import.
The Import Certificate window opens.
3. Click Browse and navigate to the file.
4. Enter the password in the File Password field and click Import.

Tip:
Remember the file password. You must provide it when importing the file.


Changing the SAM Service Account


The SAM Service Account is used to manage SafeNet Authentication Manager operations. It may be necessary to change the account details and password that were entered during installation.

Notes:
- The SAM Service Account need not be an administrator account, but it must have sufficient permissions to run the connectors. See Permissions for Basic Administration on page 310.
- The SAM Service Account can be changed only if the user has a Windows 2000 logon name (UPN).

To change the Service Account and password:
1. Launch the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
The SAM Configuration Manager window opens.
2. Select General > Change Service Account.
The SAM Service Account window opens.
3. Click Browse next to the Username field.
The Select User window opens.
4. Enter the account name in the Enter the object name to select field, and click OK.
The selected account name is displayed in the Change SAM Services Account window.
5. In the Password and Confirm Password fields enter a password for the account, and click OK.


Chapter 11

Connector Configuration
SafeNet Authentication Manager is based on an open standards architecture, with configurable connectors. This supports integration with a wide range of security applications including network logon, VPN, web access, one-time password authentication, secure email, and data encryption.
Use the Token Policy Object Editor to change the SafeNet Authentication Manager connectors' default configurations. See Using the Token Policy Object Editor to Edit TPOs on page 146.
In this section:
- Connector for Microsoft CA
- Connector for OTP Authentication
- Connector for Flash Management
- Connector for P12 Certificate Import
- Connector for SafeNet Network Logon
- Connector for Check Point Internal CA
- Connector for Entrust


Connector for Microsoft CA


The connector for Microsoft CA (MSCA) enables the user to generate certificates using the Microsoft Certificate Authority (CA) services. Two types of certification authorities (CAs) are provided by Windows Server 2003/2003 R2/2008/2008 R2 Certificate Services:
- Standalone: permits the generation of certificates for anyone
- Enterprise: permits the generation of certificates for authenticated users only, and requires Active Directory to be installed
The SafeNet Authentication Manager Microsoft CA Connector interacts with both types of CAs, enabling certificates to be generated for these CAs.
For more information on certificates and CAs, see Microsoft documentation.

Supported User Stores

User Store: AD
Supported by this Connector? Yes

User Store: MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM
Supported by this Connector? Only for offline requests where the subject name is provided manually. Supported only for a standalone CA.


Microsoft DLL Files Required for MSCA


The required DLL files are supplied with the supported operating systems and service packs.

Windows XP and Windows Server 2003


In Windows XP, install the Admin Pack to obtain all required DLLs.

DLL: xenroll
Purpose: Token side
TPO: No / SAM Management Center: Yes / SAM Self Service Center: Yes

DLL: scrdenrl
Purpose: CA and Token
TPO: No / SAM Management Center: Yes / SAM Self Service Center: No

DLL: Certadmin
Purpose: CA side configuration and enrollment
TPO: Yes / SAM Management Center: No / SAM Self Service Center: No

DLL: Certcli
Purpose: CA side configuration and enrollment
TPO: Yes / SAM Management Center: No / SAM Self Service Center: No

Windows Vista, Windows 7 and Windows Server 2008


DLL: certEnroll
Purpose: Token side
TPO: No / SAM Management Center: Yes / SAM Self Service Center: Yes


Configuring the Microsoft CA


The Microsoft CA must be configured before it is connected to SafeNet Authentication Manager. This involves adding the appropriate templates, and setting the security properties.

Adding a Template to the CA


The certificate template must be deployed so the CA can issue certificates based on it.

To add a template to the CA:
1. From the Windows Start menu, go to Programs > Administrative Tools > Certification Authority.
The Certification Authority window opens.
2. In the navigation pane, expand the entry under Certification Authority (Local), and select Certificate Templates.
Templates that are in the database and in the CA are displayed in the right pane.
3. Right-click the Certificate Template node, and from the submenu, select New > Certificate Template to Issue.
The Enable Certificate Templates window opens.
4. Select the required certificate template, and click OK.
The added certificate template is included in the right pane.

Setting Template Security Properties


Set the template's security properties to define which permissions are given to each organizational group. Authorize those users who need to enroll certificates in the CA to request certificates.

To set template security properties in Windows Server 2003:
1. From the Windows Start menu, go to Programs > Administrative Tools > Certification Authority.
The Certification Authority window opens.
2. In the navigation pane, expand the entry under Certification Authority (Local).
3. Right-click Certificate Templates, and from the submenu, select Manage.
The templates are displayed in the right pane.
4. Right-click the template of the required certificate, and from the submenu, select Properties.
The Properties window opens.
5. Select the Security tab.
6. Select the required permissions for all relevant organizational groups, and click OK.


Duplicating a Template
We recommend creating a duplicate template to use as a backup.

To create a duplicate template:
1. Select the required template (see Setting Template Security Properties on page 205).
2. Right-click on the template and select Duplicate Template.
The Properties of New Template window opens.
3. If required, make changes to the properties of the template.
4. Click OK.
A template named Copy of <template name> is added to the list of certificate templates.


Changing the Minimum Key Size


The default Smartcard Logon template has a default key size of 512. For Smartcard logon with Java Card, a minimum key size of 1024 is required.

To change the minimum key size:
1. Select the Smartcard User template (see Setting Template Security Properties on page 205).
2. Right-click on Smartcard User and select Duplicate Template.
The Properties of New Template window opens.
3. In the Minimum key size field enter 1024 or 2048 as required.
4. Click OK.
A template named Copy of Smartcard user is added to the list of certificate templates.


Setting CA Security Properties


Set the CA's security properties to define which permissions are given to each organizational group.

To set CA security properties:
1. From the Start menu go to Programs > Administrative Tools > Active Directory Sites and Services.
The Active Directory Sites and Services window opens.
2. In the navigation pane, right-click Certificate Authority, and from the submenu, select Properties.
The Properties window opens.
3. Select the Security tab.
4. Set the required permissions for each organizational group, and click OK.

Defining TPO Rules


Use the Connector Policy Object Editor to set the SAM connector policies.

To create a new request:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings.
The list of installed SafeNet Authentication Manager connectors opens in the right pane.
3. In the right pane, right-click Connector for Microsoft CA and select Properties.
The Connector for Microsoft CA Properties window opens.
4. Select Define this policy setting, select Enabled, and click Definitions.
The Connector Policy Object Editor opens.
5. By default, there is no limit to the number of certificates that can be enrolled to a token. To limit the maximum number of certificates on the token, do the following:
a. In the right pane, right-click on Maximum number of certificates on token, and select Properties.
b. Select Define this policy setting.
c. Enter the maximum number of certificates that can be enrolled on the token and click OK.
6. Right-click Microsoft CA Connector, and select Create new request.
The Create New Request window opens.
7. For each request enter the fields as follows:

Request Name: May be any name. If a request with the same request name exists in a different TPO definition, the new parameters are merged with that request's parameters during token enrollment. If the request name does not exist in a TPO relevant to the enrolled user, the request is added. Default: New Request, followed by the next sequential number
Name: CA from the list of CAs installed in the AD tree. Default: the first CA in the drop-down list
Type: Depends on Active Directory being present. Standalone: permits the generation of certificates for anyone. Enterprise: permits the generation of certificates for authenticated users only. No default
Windows Version: Windows version on the CA computer: Server 2003-(2008). No default
Certificate Usage: Filter used to narrow the selection in the Templates drop-down list. Type of templates to be enrolled: Smartcard Logon, Encryption, Signature, VPN, Other. No default
Templates: A certificate template from one or both of the template lists appropriate for the Certificate Usage selected. Administrator-generated certificate template: used when enrollment is performed by the administrator. User-generated certificate template: used during self-service enrollment. No default

8. Once a request is created, these fields cannot be modified. If a change is required in the fields, the request must be deleted and a new request created. Click OK.
9. In the Connector Policy Object Editor window, select the request node to see its policies.

Note:
The first four policies in the list are set when the request is created. They cannot be modified. If a change is required in any of these four policies, delete the request and create a new request with the appropriate settings.

10. Configure the request policies as follows:

Certificate backup: Determines if the request's certificate and keys are backed up in the SafeNet Authentication Manager database
SafeNet eToken Rescue support: Determines if the request's certificate is backed up to a SafeNet eToken Rescue temporary replacement token
Key required after revocation: Determines if the certificate is also removed from the token when it is revoked on the CA
Publish CRL: Determines if the CA publishes a new certificate revocation list whenever a certificate is revoked
Store in local computer certificate store: Determines if the certificate is imported to the local computer certificate store. Note 1: This is applicable only for certificates generated by users' requests during self-service enrollment for off-line certificates, and not for enrollments done by an administrator. Note 2: Only a user with administrator rights on the local computer can generate or use a key in this store.
Override certificate department: Determines if the default user department is overridden in the certificate subject of an off-line certificate
Certificate department: Defines the department name that overrides the default department in an off-line certificate when Override certificate department is enabled
Automatic certificate renewal: Determines if an expired certificate is automatically renewed on next enrollment
Reuse keys for renewed certificate: Determines if previous keys are reused if a new certificate is generated when Automatic certificate renewal is enabled
Random user password: Sets a random user password unknown to the user, forcing the user to log on with a Smartcard
Force smartcard usage for logon: Sets the Account option in the AD user properties to Smartcard is required for interactive logon, forcing the user to log on with a smartcard
Undestroyable certificate and keys on token: Determines if the clear function in eToken PKI Client will not delete the certificate and keys on the token

11. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for Microsoft CA Properties window.
The updated connector settings have now been applied.


Connector for OTP Authentication


The TPO rules dictate which password(s) must be provided by the user for authentication:
- OTP Only: the user must enter the number displayed on the OTP token
- OTP PIN and OTP: the user must enter the secret OTP PIN, as well as the number displayed on the OTP token
- Windows password and OTP: the user must enter the Windows password, as well as the number displayed on the OTP token (This option is supported only in AD mode)

Supported User Stores


User Store: AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM
Supported by this Connector? Yes

Defining TPO Rules


Use the Connector Policy Object Editor to set the SAM connector policies.

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
The list of installed SafeNet Authentication Manager connectors opens in the right pane.
3. In the right pane, right-click Connector for OTP Authentication, and select Properties.
The Connector for OTP Authentication Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions.
The Connector Policy Object Editor opens.
5. Edit the policies as follows:

Authentication Code: Defines which information users must provide to authenticate using an OTP: OTP only; OTP PIN and OTP; Windows password and OTP. Default: OTP PIN and OTP
Authentication Code order: Select from: OTP first; OTP PIN or Windows password first. Default: OTP PIN or Windows password first
Allow dial-in access: Determines if the user's dial-in permission fields are changed to allow access during OTP token enrollments. Default: User's dial-in property is not changed
OTP PIN type: Defines how the OTP PIN is created during enrollment. Manual: The user chooses a PIN. Random: During admin enrollment, the connector creates a random PIN. This is not relevant for user enrollment. Default: Manual
Minimum OTP PIN length: The minimum length of an OTP PIN that a user chooses manually, and the exact length of a random OTP PIN. Default: 4 characters. Note: An OTP PIN length should not exceed 10 characters
Allow OTP PIN reset during enrollment: When the SAM Self Service Center is used to enroll a new OTP token protected by an OTP PIN, the user creates an OTP PIN. This parameter determines the behavior of subsequent enrollments of the OTP token protected by an OTP PIN. Enabled: the OTP PIN is reset during each subsequent enrollment of the OTP token. Disabled: the user must provide the current OTP PIN during each subsequent enrollment. Default: Not enabled (Users cannot reset OTP PIN)
OTP generation using SafeNet eToken Rescue: Determines if an OTP can be generated on a SafeNet eToken Rescue replacement token. Default: Not enabled (An OTP profile is not enrolled to a SafeNet eToken Rescue)
OTP maximum usage period: Defines after how many days an OTP token expires. Default: Does not expire
Temp OTP length: Defines the length of a Temp OTP. Default: 12 characters
Temp OTP content: Defines the content of a Temp OTP: Letters, Numbers, Special characters, or Custom content. Default: Numbers only
Apply Authentication Code to Temp OTP: Determines if the Temp OTP alone is used for authentication, or if it replaces an OTP in the method defined in the Authentication Code policy. Default: Not enabled (Authentication Code is Temp OTP only)

6. Click OK repeatedly to close the Connector Policy Object Editor window and the SAM OTP Authentication Connector Properties window.
The updated connector settings are applied.
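The Authentication Code and Authentication Code order policies determine how a single string typed by the user is split into the secret (OTP PIN or Windows password) and the OTP, and the Temp OTP policies determine how a temporary code is built. The following added example (the editor's own code, not SafeNet's connector logic) shows both: a Temp OTP generator driven by the content classes, and a verifier that splits the code according to the configured order and compares both parts in constant time. The 6-digit OTP length, the special-character set and the helper names are assumptions of the example.

```python
"""Authentication Code assembly and Temp OTP generation per the OTP connector policies (added example).

Assumptions (not from the guide): the 6-digit OTP length, the special-character
set, and the verification helper are this example's own choices.
"""
import hmac
import secrets
import string
from typing import Dict, Iterable, Tuple

OTP_LENGTH = 6  # assumed length of the number displayed on the OTP token

# "Temp OTP content" classes; the special-character set is an assumption.
CONTENT_CLASSES: Dict[str, str] = {
    "Letters": string.ascii_letters,
    "Numbers": string.digits,
    "Special characters": "!@#$%&*+-=?",
}


def generate_temp_otp(length: int = 12, content: Iterable[str] = ("Numbers",),
                      custom: str = "") -> str:
    """Build a Temp OTP from the selected content classes (default: 12 numbers)."""
    alphabet = custom or "".join(CONTENT_CLASSES[name] for name in content)
    if not alphabet:
        raise ValueError("no characters selected for the Temp OTP")
    # secrets, not random: the Temp OTP is a credential
    return "".join(secrets.choice(alphabet) for _ in range(length))


def split_authentication_code(code: str, method: str, order: str) -> Tuple[str, str]:
    """Return (secret, otp); secret is the OTP PIN or Windows password, '' for OTP only."""
    if method == "OTP only":
        return "", code
    if method not in ("OTP PIN and OTP", "Windows password and OTP"):
        raise ValueError(f"unknown Authentication Code method: {method}")
    if len(code) <= OTP_LENGTH:
        raise ValueError("authentication code too short to contain a secret and an OTP")
    if order == "OTP first":
        return code[OTP_LENGTH:], code[:OTP_LENGTH]
    if order == "OTP PIN or Windows password first":
        return code[:-OTP_LENGTH], code[-OTP_LENGTH:]
    raise ValueError(f"unknown Authentication Code order: {order}")


def verify_authentication_code(code: str, method: str, order: str,
                               expected_secret: str, expected_otp: str) -> bool:
    """Compare both parts in constant time so a wrong PIN and a wrong OTP look alike."""
    try:
        secret, otp = split_authentication_code(code, method, order)
    except ValueError:
        return False
    secret_ok = hmac.compare_digest(secret.encode(), expected_secret.encode())
    otp_ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    return secret_ok and otp_ok  # both comparisons always run; no early exit
```

Because the split depends on the fixed OTP length rather than on a separator, the order policy must match between the user's habit and the server's configuration; with "OTP PIN or Windows password first" the PIN is everything before the last six characters.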


Connector for Flash Management


With the Connector for Flash Management, you can create a CD-ROM partition on an eToken NG-Flash device. This allows you to include applications and data on the CD-ROM partition of the device to share with all the users in the domain.
You can also include an autorun file on the CD-ROM partition of the device. This initiates an automated application execution whenever the device is connected to a computer USB.
The files to be uploaded to the token for the Connector for Flash Management must be in one of the following:
- An FTP folder
- A network folder that can be accessed for download

Note:
During re-enrollment, if the name of the folder containing the files to upload has not changed, the CD-ROM partition is not recreated, even if the contents of the folder have changed. To force the CD-ROM partition to be recreated during re-enrollment, change the name of the folder containing the files.

Supported User Stores


User Store: AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM
Supported by this Connector? Yes


Defining TPO Rules


Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134). In the left pane, click the Connector Settings node.
The list of installed connectors opens in the right pane.
2. In the right pane, right-click Connector for Flash Management, and select Properties.
The Connector for Flash Management Properties window opens.
3. Select Define this policy setting, select Enable, and click Definitions.
The Connector Policy Object Editor opens.
4. Edit the policies as follows:

CD-ROM partition size: The size of the region reserved on the token for the CD-ROM partition. Default: size is calculated automatically
File system upload folder: The name of the file system upload folder containing the files to be uploaded to the CD-ROM partition of the token. This directory must be accessible to every client computer used for enrollment. No default
FTP server: The name or IP address of the FTP server of the files to be uploaded to the CD-ROM partition of the token. No default
FTP folder: The name of the FTP folder containing the files to be uploaded to the CD-ROM partition of the token. No default
FTP username: The FTP logon username. Default: anonymous
FTP password: The FTP logon password. Default: anonymous

5. Click OK repeatedly to close the Connector for Flash Management Properties and the Connector Policy Object Editor windows.
The updated connector settings have now been applied.

Connector for P12 Certificate Import


The Connector for P12 Certificate Import enables the user to import onto their smartcards and tokens:
- PFX (P12) files: files that contain a certificate and a private key in a P12 format
- CER files: files that contain only the certificate without the private key
- Root CA certificate files

The Connector for P12 Certificate Import is used to import two types of certificates onto a token:
- User certificates
- CA certificates

Use the Connector for P12 Certificate Import in the following situations:
- You already have PFX files, and you want to import them onto the token. For example, you use a third-party service to generate certificates for your employees, and you receive the certificates from that service as a group of PFX files.
- You want to import CA certificates into Root CA certificates on the token, and then copy those to the certificate store on the computer when the token is connected. SafeNet Authentication Manager copies the certificate to the token. SafeNet Authentication Client copies the certificate from the token to the certificate store on the computer.

Supported User Stores


User Store: AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM
Supported by this Connector? Yes

Defining TPO Rules


Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for P12 Certificate Import, and select Properties.
The Connector for P12 Certificate Import Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions.
The Connector Policy Object Editor opens.

Adding a User Certificate

To add a user certificate:
1. In the Connector Policy Object Editor window, right-click User certificates, and select Properties.
   The User certificates Properties window opens.
2. Click Add.
   The Add new user certificate window opens.

Note:
You cannot use an asterisk (*) in the User field.

3. In the User field, enter user details.
4. Click Browse next to the Certificate field.
   The Open window opens.
5. Navigate to the certificate file, select the certificate, and click OK.
   In the Add new user certificate window, do one of the following:
   - If the user must enter the password during enrollment, select Password unknown.
   - If the password of the PFX file is known, enter the password.
6. Select Enroll to an eToken Rescue to import this certificate to a SafeNet eToken Rescue for backup.
7. Click Add.
   The user certificate is saved. You can add another certificate if required.

Adding User Certificates from an Index File

User certificates may be added by importing an index file linking PFX certificate files with users.

Note:
The index file must be in UTF-8 format if it includes non-ASCII characters.

Each line of the index file must contain three parameters separated by semicolons:

- AD user account name
- Full path to the PFX certificate file
- Password of the PFX certificate file

Sample Index File:

For each certificate, a separate index entry is required. If a user is linked to more than one certificate, each certificate should appear on a different line.

To import an index file:
1. In the User certificates Properties window, click Add from file.
   The Open window opens.
2. Navigate to the appropriate folder, select the .txt file, and click Open.
3. Click OK repeatedly to close the Connector for P12 Certificate Import Properties window.
   The updated connector settings have now been applied.
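The index file format above is easy to get subtly wrong (a missing field, a relative PFX path, an asterisk in the account name, the wrong encoding), and the import dialog gives little feedback. The following PowerShell function is an added example, not code from the SafeNet guide or product: it checks an index file line by line against the rules the guide states. The line layout "user;full PFX path;PFX password", the UTF-8 requirement and the no-asterisk rule come from the guide; the function name, the sample index content and the account names are constructed for the demonstration.

```powershell
# Added example (not from the SafeNet guide): validate a P12 import index file
# before importing it with "Add from file". The line format
# "AD user account name;full PFX path;PFX password", the UTF-8 requirement and
# the no-asterisk rule are from the guide; the sample content below is constructed.

function Test-P12IndexFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $SkipFileCheck    # use when validating on a machine that cannot see the PFX files
    )
    # Read as UTF-8 explicitly: Get-Content guesses the encoding and can mangle
    # non-ASCII account names in a file saved without a byte-order mark.
    $lines   = [System.IO.File]::ReadAllLines($Path, [System.Text.Encoding]::UTF8)
    $results = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields   = $line.Split(';')
        $problems = New-Object System.Collections.Generic.List[string]
        if ($fields.Count -ne 3) {
            # A semicolon inside the password also lands here, since ';' is the separator.
            $problems.Add("expected 3 semicolon-separated fields, found $($fields.Count)")
        }
        $user     = $fields[0].Trim()
        $pfxPath  = if ($fields.Count -ge 2) { $fields[1].Trim() } else { '' }
        $password = if ($fields.Count -ge 3) { $fields[2] } else { '' }   # kept verbatim, not trimmed
        if (-not $user)          { $problems.Add('empty user name') }
        if ($user.Contains('*')) { $problems.Add('asterisk (*) is not allowed in the User field') }
        if (-not $pfxPath) { $problems.Add('empty PFX path') }
        elseif (-not [System.IO.Path]::IsPathRooted($pfxPath)) { $problems.Add('PFX path is not a full path') }
        elseif (-not $SkipFileCheck -and -not (Test-Path -LiteralPath $pfxPath -PathType Leaf)) { $problems.Add("PFX file not found: $pfxPath") }
        if (-not $password)      { $problems.Add('empty PFX password') }
        $results.Add([pscustomobject]@{
            Line = $i + 1; User = $user; PfxPath = $pfxPath; Problems = $problems.ToArray()
        })
    }
    return $results
}

# Constructed sample index file: one user with two certificates (two lines, as the
# guide requires), one line with a missing field, and one user name containing an asterisk.
$sample = @"
CORP\jsmith;C:\pfx\jsmith-sign.pfx;Pa55-sample
CORP\jsmith;C:\pfx\jsmith-enc.pfx;Pa55-sample
CORP\mlee;C:\pfx\mlee.pfx
CORP\*;C:\pfx\wildcard.pfx;x
"@
$tmp = [System.IO.Path]::GetTempFileName()
[System.IO.File]::WriteAllText($tmp, $sample, (New-Object System.Text.UTF8Encoding($false)))

$report = Test-P12IndexFile -Path $tmp -SkipFileCheck
$report | Where-Object { $_.Problems.Count -gt 0 } |
    ForEach-Object { "line $($_.Line): $($_.Problems -join '; ')" }
$report | Group-Object User | Select-Object Name, Count    # certificates listed per user
Remove-Item -LiteralPath $tmp
```

Run it against the real index file without -SkipFileCheck on the enrollment workstation, so the path check uses the same view of the file system the connector will have. Keep in mind that the index file carries every PFX password in cleartext: restrict its NTFS permissions to the enrolling administrator, keep it on an encrypted volume, and delete it once the import has been applied.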

Adding a CA certificate

A CA certificate is common to all users in the domain. It contains the certificate only, without a private key.

To add a CA certificate:
1. In the Connector Policy Object Editor window, right-click CA certificates, and select Properties.
   The CA certificates Properties window opens.
2. Click Add.
   The Add new CA certificate window opens.
3. Click Browse.
   The Open window opens.
4. Navigate to the appropriate folder, select the .cer CA certificate file, and click Open.
5. Select Enroll to a SafeNet eToken Rescue to import this certificate to a SafeNet eToken Rescue for backup.
6. Click Add.
7. Click Exit.
8. Click OK repeatedly to close the SAM P12 Certificate Import Connector Properties window.
   The updated connector settings have now been applied.

Connector for SafeNetNetwork Logon


Note:
SafeNetAuthenticationManagersupportsenrollmenttoeToken NetworkLogon5.0orlater. Windowsoperatingsystemsenableyoutouseanalternateaccess mechanisminplaceofthedefaultauthenticationmethod. IntheMicrosoftWindowsXPfamily,includingWindows2000, WindowsXPandWindowsServer2003,theidentificationand authenticationsaspectsoftheWindowslogonareimplementedasa replaceabledllcalledGINA(GraphicalIdentificationand Authentication).AnewGINAdllcanreplacethestandardmsgina.dll whenthesystemneedstouseanothermethodofauthenticationin placeoftheWindowsdefaultusername/passwordmechanism.Thus, WindowsandeTokentogetherprovidetheidealsolutionfor corporatenetworksecurity.

Connector Configuration

233

IntheMicrosoftWindowsVistafamily,includingWindowsVistaand Server2008,theidentificationandauthenticationaspectsofthe WindowslogonareimplementedbytheCredentialsProvider. Dependingonyourorganizationspolicies,itispossiblefortheusers themselvestocreateWindowslogonprofileswhicharestoredontheir tokens. TheConnectorforNetworkLogonprovideseasydeploymentofuser profilesfortheSafeNetNetworkLogonproduct. TheConnectorforNetworkLogonenablesyoutoinitializeeachtoken withalistoflogonprofiles.EachlogonprofilecontainsauserID name,thedomainthattheuserbelongsto,apassword,andasetof options. Tostartworkingwithtokens,configuretheConnectorforNetwork Logonbysettingtheconnectorparameters.

Supported User Stores

User Store                                                      Supported by this Connector?
AD                                                              Yes
MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM     No

Defining TPO Rules

When the Connector for Network Logon is defined in the TPO, a default profile is created for the domain in which SafeNet Authentication Manager is installed.

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
   The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for Network Logon, and select Properties.
   The Connector for Network Logon Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions.
   The Connector Policy Object Editor opens.
5. Click the appropriate network logon profile (in this example, Profile 1) in the navigation pane.
   The profile's policies are displayed in the right pane.
6. Edit the policies as follows:

   Domain netbios name
       Defines the NetBIOS name of the domain in the Active Directory that the user enters upon logon.
       No default

   SafeNet eToken Rescue support
       Determines if the profile is saved to a SafeNet eToken Rescue replacement token.
       Default: Not enabled

   Logon factor
       Determines the logon factor:
       - One-factor: Not supported in NL 5.0. For one-factor logon, we recommend using a token that is configured for one-factor logon in eToken PKI Client.
       - Two-factor: requires the token's presence and a password to log on.
       Default: Two-factor

   Password type
       Determines the password type:
       - Manual password: requires the system administrator to provide the user password during enrollment.
       - Random password: causes the connector to generate a new random user password during enrollment, to reset the user password in the domain, and to write this new password to the token.
       Default: Manual password
       Note: If a manual password is used, when the token is revoked, the password is not removed from the SAM configuration store. If a random password is used, when the token is revoked, the password is removed from the SAM configuration store.

   Random password length
       Determines the random password length.
       Default: 14 characters

7. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for Network Logon Properties window.
   The updated connector settings have now been applied.

Connector for eToken Anywhere

eToken Anywhere is a portable, readerless smart card token that enables secure access to the Web, authentication applications, digital signatures, encryption and decryption, and secure email from any computer with a USB port and an Internet connection. With the eToken PRO Anywhere device, users can access their networks and critical data easily, conveniently, and securely, without requiring a client installation.

Tip:
For information about installing and using the eToken PRO Anywhere configuration tool, see the eToken PRO Anywhere How To Guide.

CA Requirements

To enroll User/Server certificates on an eToken Anywhere device, SafeNet Authentication Manager must be installed, and the Connector for Microsoft CA or the Connector for P12 Certificate Import must be configured. See Connector for Microsoft CA on page 202 or Connector for P12 Certificate Import on page 249.

When the Microsoft Standalone Root CA certificate is installed in the secured site's Local computer Trusted Root CA store, it is not necessary to install this certificate on the eToken Anywhere (using the SAM P12 Certificate Import Connector).

To log on with eToken Anywhere when the CA is not installed on the device:

- When prompted, enter the user PIN and perform a login.
- If a user selects Choose a digital certificate > view certificate during SSL authentication, a message is displayed indicating that the certificate is not trusted. If the user then clicks the OK button in the Choose a digital certificate window, the user can enter the PIN and authenticate successfully.

Supported User Stores

User Store                                                          Supported by this Connector?
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM     Yes

Defining TPO Rules

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
   The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for eToken Anywhere, and select Properties.
   The Connector for eToken Anywhere Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions.
   The Connector Policy Object Editor opens.
5. In the right pane, right-click ISO file definitions, and select Properties.
   The ISO file definitions properties window opens.
6. Select Define this policy setting and click Launch.
   The eToken Anywhere Configuration Tool opens.
7. Enter the fields as follows:

   eToken Anywhere Application location
       Enter the URL of the folder on the server that will hold the eToken Anywhere application.

   Application website URL
       Enter the URL of the secured website, for example, SSLVPN.

   URL display name
       Enter the name of the site. This will be visible when right-clicking the eToken PRO Anywhere tray icon.
       Default: the website URL

   Forgot my password URL
       Enter the URL of the website to open should the user forget the password.

   Enable eToken PRO Anywhere remote enrollment
       Select this option to enable the user to enroll an eToken PRO Anywhere device.

   Remote enrollment URL
       Enter the URL used to self-enroll eToken PRO Anywhere devices.

8. Click the Save Profile icon.
   The eToken Anywhere Configuration Tool automatically downloads the website certificate and creates the eToken Anywhere application files.
   A confirmation message is displayed.
9. Click OK.
10. The eToken Anywhere Configuration Tool closes.
    You are returned to the ISO file definition properties window.
11. To export the eToken Anywhere application files to the previously created virtual directory, click Export app.
    The Browse For Folder window opens.
12. Select the folder in which to save the eToken Anywhere application, and click OK.
    You are returned to the ISO file definition properties window.
13. To export the eToken Anywhere iso file, click Export iso.
    The Save As window opens.
14. Select the folder in which to save the eToken Anywhere iso file, and click OK.
15. Click OK repeatedly to close the Connector Policy Object Editor window and the Connector for eToken Anywhere Properties window.
    The updated connector settings have now been applied.
16. Check that the files are downloadable by browsing directly to the files using a web browser, as follows:
    https://URL/etanywhereapplication/etany.dat
    https://URL/etanywhereapplication/etany.sig
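Step 16 can be scripted so the same check is repeated after every profile export or web server change, and so that a certificate problem on the secured site is caught on the server before users see it. The function below is an added example, not code from the SafeNet guide or product. The folder name etanywhereapplication and the file names etany.dat and etany.sig are taken from the guide; the function name and the placeholder base URL are assumptions.

```powershell
# Added example (not from the SafeNet guide): confirm that the two eToken Anywhere
# application files are served over HTTPS. The folder and file names are those
# listed in the guide's step 16; the base URL is whatever you entered as "URL".

function Test-ETokenAnywhereFiles {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,   # e.g. https://vpn.example.local (placeholder)
        [int] $TimeoutSec = 15
    )
    $base = $BaseUrl.TrimEnd('/')
    if ($base -notmatch '^https://') {
        Write-Warning "Base URL is not https; the guide's check expects the files to be served over HTTPS."
    }
    foreach ($name in 'etany.dat', 'etany.sig') {
        $url = "$base/etanywhereapplication/$name"
        try {
            # HEAD is enough to prove the file is reachable. Certificate validation is
            # deliberately left on: a chain error here is the same error a user's
            # browser would hit, so it should fail the check rather than be bypassed.
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec $TimeoutSec
            [pscustomobject]@{
                Url    = $url
                Status = [int]$resp.StatusCode
                Length = $resp.Headers['Content-Length']
                Ok     = ([int]$resp.StatusCode -eq 200)
                Error  = $null
            }
        } catch {
            [pscustomobject]@{ Url = $url; Status = $null; Length = $null; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage: both rows must show Ok = True before tokens are pointed at the site.
# Test-ETokenAnywhereFiles -BaseUrl 'https://vpn.example.local' | Format-Table -AutoSize
```

Run it from a client-side network position, not only on the web server itself, because the point of the check is that the files are reachable from where the tokens will be used.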

Connector for Check Point Internal CA

Check Point Software Technologies Ltd is a leading provider of security applications. Check Point's main products are VPN and Firewall applications. Check Point provides a unified security solution called NGX which includes both VPN and Firewall.

The Connector for Check Point Internal CA is a software component that provides SafeNet Authentication Manager users with the ability to log in to Check Point's security applications using SafeNet authenticators as the user authentication method.

The Connector for Check Point Internal CA supports Check Point Firewall versions NG (R55) or NGX (R60) and later.

Check Point security applications provide a secured environment, allowing only authorized, authenticated users to log in. Check Point applications support specific types of user authentication, including digital certificate-based authentication (PKI).

With the Connector for Check Point Internal CA, the administrator creates certificates for Check Point Internal CA users, and loads the certificates automatically onto the users' tokens. The connector can also be used to add new users to the Firewall Management.

Internal CA vs. External CA

Certificate-based authentication requires the user to provide a digital certificate valid for logging in to a Check Point secured environment. Digital certificates are issued by a Certification Authority (CA). CP software supports two types of CAs:

- An internal CA, included in Check Point products
  This type of configuration is the most common.
- An external CA, for example, Microsoft CA
  This configuration is less common and is not supported by the Connector for Check Point Internal CA.

Supported User Stores

User Store                                                          Supported by this Connector?
AD, MS SQL Server, OpenLDAP, Novell eDirectory, Remote AD, ADAM     Yes

The following are requirements for the Connector for Check Point Internal CA:

- Administrator rights for configuration and access to the Check Point SmartDashboard from the computer
- Token users who issue login certificates from the Check Point internal CA must exist in the CP internal users database
- Check Point Firewall users must be stored in the Check Point internal users database

Note:
64-bit operating systems are not supported.

Configuring the CP Firewall Management

The Connector for Check Point Internal CA must be configured to work with the Check Point Firewall Management as an external application. This involves three procedures:

- See Defining the OPSEC Properties on page 245
- See Defining the Permissions Profile on page 247
- See Installing the Policies on page 253

Defining the OPSEC Properties

To create an OPSEC application:
1. Open the CP SmartDashboard.
2. In the left pane, go to Servers and OPSEC Applications > OPSEC Applications > OPSEC Application.
3. Right-click OPSEC Application, and select New OPSEC Application.
   The OPSEC Application Properties window opens.
4. Enter the required information in the following fields:
   - Name: SAMOpsec
   - Host: the computer name where the Firewall Management is located
   - Client Entities: CPMI
5. Click Communication.
   The Communication window opens.
6. Enter and confirm an Activation Key. Record the Activation Key for later use. See Defining TPO Rules on page 254.
7. Click Initialize, and then Close.

Note:
At this point in the procedure, the Trust state is "Initialized but trust not established". Trust will be established later in the configuration.

   In the OPSEC Application Properties window, the communication information is displayed in the DN field.
8. Click OK.

Defining the Permissions Profile

To define a permissions profile for the application:
1. Open the CP SmartDashboard.
2. In the left pane, go to Servers and OPSEC Applications > OPSEC Applications > OPSEC Application.
3. Right-click the new OPSEC application, SAMOpsec, and from the submenu, select Edit.
   The OPSEC Application Properties window opens.
4. Select the CPMI Permissions tab.
5. Select Permissions Profile, and click New.
   The Permissions Profile Properties window opens.
6. In the General tab, enter a Name for the profile.
7. Select the Permissions tab.
8. Select the required permissions.
   Ensure that Check Point Users Database is selected and defined as Read/Write.
9. Click OK.
   In the OPSEC Application Properties window, the new permissions profile is selected in the Permissions Profile drop-down box.
10. Click OK.

Installing the Policies

To install the policies:
1. Open the Install Policy tool from the CP SmartDashboard.
   The Install Policy window opens.
2. Select the installation target, and click OK.
   The Installation Process window opens.
3. When the process completes, click Close.

Defining TPO Rules

Use the Connector Policy Object Editor to set the connector policies.

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
   The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for Check Point Internal CA, and select Properties.
   The Check Point Internal CA Connector properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions.
   The Connector Policy Object Editor opens.

Defining the Check Point Server Policy

Define the Check Point Server policy to establish a connection between SafeNet Authentication Manager and Check Point Firewalls, and to map SafeNet Authentication Manager usernames to CP Firewall usernames.

To define the Check Point Server policy:
1. In the right pane of the Connector Policy Object Editor window, right-click Check Point Server, and select Properties.
   The Check Point Server Properties window opens.
2. Select Define this policy setting.
3. Do one of the following:
   - To add a new firewall, select Add Firewall.
   - To change an existing firewall's settings, select the firewall server from the Firewall Server drop-down list, and select Edit Firewall Settings.
   - To remove a firewall, select the firewall server from the Firewall Server drop-down list, select Remove Firewall, and click OK.
   If you selected Add, the New Firewall Configuration window opens.
   If you selected Edit, the firewall settings are displayed in the Firewall Settings window.
4. In the New Firewall Configuration window or the Firewall Settings window, do the following:
   - In the Firewall display name field, type any name. This name will appear in the Firewall Server list.
   - In the Firewall name or IP address field, type the name or IP address of the firewall.
   - Select Import OPSEC Certificate to import the Check Point OPSEC certificate to SAM for authentication against the Check Point Firewall.
   The OPSEC Activation Key window opens.
5. See Configuring the CP Firewall Management on page 244, and type the activation key of the certificate created. Click OK.
   If the certificate was successfully imported, the "A valid OPSEC certificate exists" message is displayed below the Firewall name or IP address field.
6. To test the connection between SAM and the Check Point Firewall, click Test firewall connection.
   If the connection is successful, the "The connection to the firewall was tested successfully" message is displayed.
7. Click OK.
   When a SafeNet Authentication Manager user is mapped to a user on the Check Point Firewall user database, the SafeNet Authentication Manager user attributes are copied when the user is added to the firewall user database.

Note:
Only a SafeNet Authentication Manager user defined in the Microsoft AD can be mapped to a user on the Check Point Firewall user database.

8. To override the default mapping of existing users in the Check Point Firewall, select the Users Map tab in the Firewall Settings window.
9. To see all the users defined on the firewall user database, select Get all firewall users.
   The list of usernames is displayed in the Firewall Username table.
10. To locate a SAM Username to be mapped to a specific Firewall Username, double-click the blank SAM Username column on the row of the appropriate Firewall Username.
    The Select User window opens.
11. Select the SafeNet Authentication Manager user to be mapped, and click OK.
    The list of mapped Firewall Usernames includes the SAM user.
12. Click OK to save the firewall settings.

Defining the Enable Firewall User Creation Policy

To create a new firewall user during enrollment, this policy setting must be enabled. If it is not, enrollment of a user not on the firewall will fail.

To set the Enable Firewall User Creation policy:
1. In the right pane of the Connector Policy Object Editor window, right-click Enable Firewall User Creation, and select Properties.
   The Enable Firewall User Creation Properties window opens.
2. Select Define this policy setting, select Enabled, and click OK.

Defining the Firewall Username Template Policy

Define the Firewall Username Template policy to create a matching relationship between the firewall username and its SafeNet Authentication Manager user attributes. This relationship assigns new firewall usernames, and searches for existing firewall users.

To set the Firewall Username Template policy:
1. In the right pane of the Connector Policy Object Editor window, right-click Firewall Username Template, and select Properties.
   The Firewall Username Template Properties window opens.
2. Select Define this policy setting.
3. To create a template for firewall usernames, select one or more SAM user attributes that ensure a unique username for each user, and click Add to template after each selection.
4. Click OK.
   When a new firewall user is created, the values of its selected user attributes are retrieved from the directory service (AD, OpenLDAP, Novell eDirectory, or MS SQL Server). These values are strung together to form a firewall username to which the Check Point certificate is issued.

Defining the Firewall User Template Policy

Define the Firewall User Template policy to enable the creation of new users on the firewall users database.

To set the Firewall User Template policy:
1. In the right pane of the Connector Policy Object Editor window, right-click Firewall User Template, and select Properties.
   The Firewall User Template Properties window opens.
2. Select Define this policy setting and, from the drop-down box, select a template for initializing all the attribute fields of a new firewall user.
3. To view a list of templates available on the firewall, click Retrieve templates from firewall.
4. Click OK.

Note:
Check Point does not support concurrent write access to the internal users database. To prevent enrollment failure, the Check Point SmartDashboard application must not be open during an automatic new user enrollment.

Defining the Auto Install Policies Policy

Auto Install Policies determines how and when to install policies on the firewall gateways so that there is synchronization with the user database.

To install a gateway policy:
1. In the right pane of the Connector Policy Object Editor window, right-click Auto Install Policies, and select Properties.
   The Auto Install Policies Properties window opens.
2. Select Define this policy setting.
3. From the Synchronize schedule drop-down list, select one of the following:
   - Never
   - Always
   - On administrator enrollment only
   - On self enrollment only
4. From the Install policies to drop-down list, select one of the following:
   - All gateways
   - Selected gateways: To retrieve the names of gateways, click Retrieve names from firewall, and select gateways from the Policy installation targets box.
5. Click OK repeatedly to close the Check Point Server Properties and the Connector Policy Object Editor windows.
   The updated connector settings have now been applied.

Defining the SafeNet eToken Rescue Support Policy

To import the Check Point certificate to a SafeNet eToken Rescue for backup, enable the SafeNet eToken Rescue Support policy.

To set the SafeNet eToken Rescue Support policy:
1. In the right pane of the Connector Policy Object Editor window, right-click SafeNet eToken Rescue Support, and select Properties.
2. Select Define this policy setting, select Enabled, and click OK.

Connector for Entrust

Entrust Authority Security Manager

The Entrust Authority public key infrastructure (PKI) uses Entrust Authority Security Manager as the Certification Authority (CA) system responsible for issuing and managing users' digital identities. Entrust Authority Security Manager manages the full lifecycle of Digital Identities required to automate all security-related processes in an organization. It provides the underlying security infrastructure that issues, manages, and administers user keys and certificates. It is the centralized, auditable Policy Management that enforces policies automatically and in real time.

As the organization's CA system, the Entrust Authority Security Manager software enables the use of digital signature, digital receipt, encryption, and permissions management services across a wide variety of applications and solutions.

Note:
Entrust Authority Security Toolkit for the Java Platform must be installed. See System Requirements on page 268.

SafeNet Authentication Manager - Entrust Integration

Integrating SAM infrastructure with Entrust Authority Security Manager PKI functionality enables the seamless integration of Entrust-based certificate and keys lifecycle management in the SafeNet Authentication Manager token management and enrollment websites.

Customers deploying the SafeNet Authentication Manager Entrust Connector seamlessly manage the whole Entrust digital IDs lifecycle through the SAM Management Center.

The SAM Management Center provides users with:

- No-touch self-service token installation
- Entrust's certificate enrollment and management operations
- Automated user provisioning
- Policy-based enrollment
- The employee-on-the-road continued functionality solution

Main Features

The Connector for Entrust does the following:

- Provides seamless integration between SafeNet Authentication Manager and the Entrust CA. Through the SafeNet Authentication Manager infrastructure, token users enroll certificates issued by Entrust, and generate private keys on tokens.
- Enables Entrust customers to manage PKI lifecycle operations, including key enrollment, key revocation, key recovery, and re-enrollment, through the SAM Management Center or SAM Self Service Center.
- Allows automated certificate renewal, as well as the change and addition of key pairs, through the SAM Remote Service Center, SAM Management Center, and SAM Self Service Center.
- Supports the SafeNet Authentication Manager employee-on-the-road feature. This solution provides a user with continued access to computers and networks after losing or damaging a token.
- Enables the configuration of TPO settings to control the automated enrollment of certificates to tokens based on specific groups of users.
- Allows automated user provisioning into the Entrust CA, if the user does not already exist for automated enrollment.
- Requires that only the SafeNet Authentication Manager client be installed, and not the Entrust client, to enroll Entrust certificates to a token.
- Enables the auditing of Entrust-related PKI operations performed using the Connector for Entrust.

Architecture

Certificate requests are processed as follows:
1. The SafeNet Authentication Manager Server transfers certificate requests from the SafeNet Authentication Manager client to Entrust Authority Security Manager.
2. The Entrust CA issues the certificates.
3. Entrust Authority Security Manager publishes the issued certificates within its user directory.

In one possible SafeNet Authentication Manager - Entrust Authority Security Manager integration scenario, user information is held in one common user directory.

Alternatively, one user directory may store user information for SAM in one domain, while another LDAP user directory stores user information for Entrust Authority Security Manager in another domain.

Deployment Recommendations

For security, maintenance, and availability reasons, we strongly recommend the following practices:

- Use a separate server for deploying each server-side component. These include the Entrust Authority, the SafeNet Authentication Manager Server, and the Active Directory domain controllers.
  Although SafeNet Authentication Manager supports the installation of the Entrust Authority software on the same server as the SafeNet Authentication Manager Server, this type of deployment is recommended for testing and demonstration purposes only.
- Create and enforce a regular backup policy for all servers, including the Active Directory domain controllers, the SafeNet Authentication Manager Server, and the Entrust Authority. Backups should be saved in separate offline storage or on backup tapes, preferably in a location separate from the servers.
  Failure to maintain updated backups of the server components may result in lost data in the event of an unexpected hardware or software failure.

System Requirements

Server

Component                                                   Supported Version(s)
TMS or SafeNet Authentication Manager Server                2.0 SP3 or later
Entrust Authority Security Manager                          7.1
Entrust Authority Security Manager Administration           7.1
Entrust Authority Security Runtime Components               7.1
Java Runtime Environment (JRE)                              1.5
Entrust Authority Security Toolkit for the Java Platform

Note:
JRE is required only if SafeNet eToken Rescue tokens are used.

Administrator Workstation

Component                                                   Supported Version(s)
TMS or SafeNet Authentication Manager Management Tools      2.0 SP3 or later
Java Runtime Environment (JRE)                              1.5

Non-Administrator Workstation

Component                                                   Supported Version(s)
TMS or SafeNet Authentication Manager Client                2.0 SP2 or later
Java Runtime Environment (JRE)                              1.5

Note:
JRE is required only if you do not enroll your tokens centrally, or if you want to provide Entrust self-service operations to your clients.

Prerequisites

Installing the Entrust Java Toolkit

To install the Entrust Java Toolkit:
1. After installing the SafeNet Authentication Manager Server, create a folder named EntrustJavaToolkit in the X32 or X64 folder in the SafeNet Authentication Manager installation folder.
2. Ensure that you have a licensed version of the Entrust Authority Security Toolkit for the Java Platform installed.
3. Copy the Entrust Authority Security Toolkit for the Java Platform file (enttoolkit.jar) to the newly created EntrustJavaToolkit folder in SAM.

Tip:
For more information, contact SafeNet Support. See Support on page iii.

Installing JRE

Sun Microsystems Java Runtime Environment (JRE) version 1.5 must be installed on each SafeNet Authentication Manager client computer and server that performs enrollment, update, revocation, and other token and certificate operations.

Note:
JRE is not required on users' workstations if you enroll tokens centrally, or if you do not provide Entrust self-service operations to your clients.

The Connector for Entrust functionality does NOT support versions of JRE other than 1.5.

If your installation requires client computers to run a JRE version other than 1.5, install and configure a side-by-side installation. See Installing Multiple Versions of JRE on page 270. Otherwise, download JRE 1.5 from Sun Microsystems' website at http://java.sun.com and install it on the client computers that require it.

Installing Multiple Versions of JRE

You can install a side-by-side installation of JRE 1.5 by copying a JRE folder from a different computer. Do this if you have other applications on the client computer that require other versions of JRE.

To copy JRE from another computer:
1. Download JRE 1.5 from Sun Microsystems' website at http://java.sun.com, and install it on a computer that is not required as a SafeNet Authentication Manager client or server in the SafeNet Authentication Manager Entrust implementation.
   This installs the JRE folder, which is typically located at:
   C:\Program Files\Java\JRE1.5.0_xx
2. Copy the JRE folder to each SafeNet Authentication Manager server and client computer.
3. Create the JRE 1.5 registry key on each computer where the JRE folder has been copied.

Creating a JRE 1.5 Registry Key

If you install JRE 1.5 by running the standard installer, the Connector for Entrust is automatically directed to JRE 1.5 and you do not need to edit the registry.

However, in the following circumstances you must create a new registry key to direct the Connector for Entrust to JRE 1.5:

- In addition to JRE 1.5, you have installed a different version of JRE on the client computer.
- You installed JRE 1.5 by copying the JRE folder from a different computer. See Installing Multiple Versions of JRE on page 270.

To create a new registry key:
1. To open the Registry Editor, go to Start > Run and enter Regedit.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > SafeNet > Authentication > SAM.
3. Right-click SAM, and select New > Key.
4. Replace the New Key name with Connectors.
5. Right-click the new Connectors folder, and select New > Key.
6. Replace the New Key name with Entrust.
7. Right-click the new Entrust folder, and select New > String Value.
8. In the right pane, replace the New Value name with RuntimeLib.
9. Right-click RuntimeLib, and select Modify.
   The Edit String window opens.
10. In the Value data field, enter the path to the jvm.dll file, and click OK.
    The jvm.dll is typically located at:
    C:\Program Files\Java\jre1.5.0_xx\bin\client
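The ten Regedit steps above have to be repeated on every client and server that received a copied JRE folder, which is where typing errors creep in. The following PowerShell function is an added example, not code from the SafeNet guide or product: it creates the same key and string value and refuses to do so if the jvm.dll it is given does not exist. The key path HKLM\SOFTWARE\SafeNet\Authentication\SAM\Connectors\Entrust and the value name RuntimeLib are taken from the guide; the function name, the assumption that the value holds the full path to jvm.dll (the guide says "the path to the jvm.dll file"), and the "_xx" update number in the sample path are assumptions.

```powershell
# Added example (not from the SafeNet guide): create the RuntimeLib string value that
# points the Connector for Entrust at a side-by-side JRE 1.5, and read it back.
# Key path and value name are from the guide. Assumed: the value holds the full
# path to jvm.dll; the "jre1.5.0_xx" folder name varies with the JRE update level.

function Set-EntrustRuntimeLib {
    param(
        [Parameter(Mandatory)] [string] $JvmDllPath
    )
    $keyPath = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAM\Connectors\Entrust'

    # Never register a runtime that is not actually on disk: the connector would
    # fail at enrollment time with a far less helpful error.
    if (-not (Test-Path -LiteralPath $JvmDllPath -PathType Leaf)) {
        throw "jvm.dll not found: $JvmDllPath"
    }
    # The guide supports JRE 1.5 only; the folder name is the cheapest sanity check.
    if ($JvmDllPath -notmatch '(?i)jre1\.5') {
        Write-Warning "Path does not look like a JRE 1.5 folder: $JvmDllPath"
    }

    # -Force creates the missing intermediate keys (Connectors, Entrust) in one go,
    # which replaces the guide's steps 3 to 6.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # REG_SZ, matching the "String Value" the guide has you create (steps 7 to 10).
    New-ItemProperty -Path $keyPath -Name 'RuntimeLib' -Value $JvmDllPath `
        -PropertyType String -Force | Out-Null

    # Return what the connector will read, so the caller can log or compare it.
    return (Get-ItemProperty -Path $keyPath -Name 'RuntimeLib').RuntimeLib
}

# Usage (run from an elevated PowerShell; writing under HKLM needs administrator rights):
# Set-EntrustRuntimeLib -JvmDllPath 'C:\Program Files\Java\jre1.5.0_xx\bin\client\jvm.dll'
```

Because the function returns the value it wrote, it can be run through a remoting session against each computer from the "Copy the JRE folder" step and the results compared, which makes a machine with a mistyped path stand out before enrollment is attempted there.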

Connector for Entrust Configuration

The Connector for Entrust is included in the Connectors Settings node in the TPO Editor, enabling the definition of an enrollment policy.

To set the Connector for Entrust policies, open the Connector Policy Object Editor, and then define each policy setting.

Opening the Connector Policy Object Editor

To open the Connector Policy Object Editor:
1. Open the TPO Editor (see Accessing Token Policy Object Links on page 134).
2. In the left pane, click the Connector Settings node.
   The list of installed connectors opens in the right pane.
3. In the right pane, right-click Connector for Entrust, and select Properties.
   The Connector for Entrust Properties window opens.
4. Select Define this policy setting, select Enable, and click Definitions.
   The Connector Policy Object Editor window opens.

Defining the CA Policy

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click CA.
   The CA Properties window opens.
2. Select Define this policy setting.
3. Enter the fields as follows:

   Select Security Manager Administration .ini file
       The UNC (network) path to the Entrust Authority Security Manager Administration .ini file. Full read and write permissions to the destination folder are required.

   Select security officer's .epf file
       The UNC (network) path to a security officer's Entrust profile file (.epf).
       Tip: During the Entrust Authority Security Manager installation, an .epf was created for the initial user, First Officer. The file is typically located at: C:authdata/manager/epf

   Enter security officer's password
       The password of the .epf's officer.

   Enter IP address of Security Manager
       The IP address or server name of the Entrust Authority Security Manager.

   Enter port of Security Manager
       The Entrust Authority Security Manager port is typically 829. To see the port number, open the Entrust Authority Security Manager Administration .ini file, typically located at C:\Program Files\entrust\Security Manager Administration, and look in the Entrust Settings section for the following line:
       Authority=<computer name>+<port number>

   Enter IP address of Security Manager domain directory
       The IP address of the Security Manager domain's user directory.

Note:
The policy settings for the .epf file and the security officer's password are applied to the entire domain. Once the CA properties are defined, they are applied to all Entrust TPOs created afterwards. Any changes to the CA settings for one TPO are applied to all TPOs in the domain.

4. Click Validate to check that the Entrust Authority Security Manager Administration .ini file, the security officer's .epf, and the password are valid.
5. Click OK.

Defining the Add User to Security Manager Policy

To enroll new users that are not yet on the Entrust Authority Security Manager internal user list, enable the Add User to Security Manager policy.

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Add User to Security Manager. The Add User to Security Manager Properties window opens.
2. Select Define this policy setting, select one of the following, and click OK.
   - Enabled: Upon enrollment, SafeNet Authentication Manager automatically adds the user to the Entrust Authority Security Manager internal user list if the user is not found on the list.
   - Disabled: Users are not added to the Entrust Authority Security Manager internal user list. If enrollment is requested for a user not found on the Entrust Authority Security Manager internal user list, the enrollment fails.

Note:
If the Security Manager and SafeNet Authentication Manager are not in the same domain, users are added to the Entrust Authority Security Manager internal user list only if the Security Manager and SafeNet Authentication Manager on Different Domains policy is enabled.

Defining the Security Manager and SAM on Different Domains Policy

Set the Security Manager and SafeNet Authentication Manager on Different Domains policy to True only if the Security Manager and SafeNet Authentication Manager are not in the same domain. If this policy is set to True, the following policies must be defined:

- Username for Security Manager Domain Directory
- User Password for Security Manager Domain Directory
- User Path on Security Manager Domain Directory
- Username Template

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Security Manager and SAM on Different Domains. The Security Manager and SAM on different domains Properties window opens.
2. Select Define this policy setting, select one of the following, and click OK.
   - Enabled: Upon enrollment, SafeNet Authentication Manager maps the user defined in the SafeNet Authentication Manager domain directory to the Entrust Authority Security Manager domain user directory. Select this option only if the Security Manager and SafeNet Authentication Manager are not in the same domain.
   - Disabled: Users are not mapped to a different domain. If Security Manager and SafeNet Authentication Manager are not in the same domain, and an enrollment is requested, the enrollment fails.

Defining the Domain Username Policy

Define the Username for Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Username for Security Manager Domain Directory. The Username for Security Manager Domain Directory Properties window opens.
2. Select Define this policy setting, and enter a username that has connect permissions to the Entrust Authority Security Manager domain directory.
3. Click OK.

Defining the Domain User Password Policy

Define the User Password for Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click User Password for Security Manager Domain Directory. The User Password for Security Manager Domain Directory Properties window opens.
2. Select Define this policy setting, and enter the password of the administrator or user defined in the Username for Security Manager Domain Directory policy setting.
3. Confirm the password.
4. Click OK.

Defining the User Path Policy

Define the User Path on Security Manager Domain Directory policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click User Path on Security Manager Domain Directory. The User Path on Security Manager Domain directory Properties window opens.
2. Select Define this policy setting, and enter the domain path to the Entrust users' OU or group in the Security Manager domain directory.
3. Click OK.

Defining the Username Template Policy

Define the Username Template policy if the Security Manager and SAM on Different Domains policy is enabled.

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Username Template. The Username Template Properties window opens.
2. Select Define this policy setting.
3. To create the appropriate Directory username template, select one or more attributes in the SafeNet Authentication Manager user list, and click Add to template after each selection.
4. Click OK.

Mapping Attributes

Attributes from the Entrust user store must be mapped to the attributes on the SafeNet Authentication Manager user store.

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Attribute Mapping. The Attribute mapping Properties window opens.
2. Select Define this policy setting and map the attributes.

Defining the Add User to Security Manager Directory Policy

Enable the Add User to Security Manager Directory policy only if the following policies are enabled:

- Add User to Security Manager
- Security Manager and SAM on Different Domains

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Add User to Security Manager Directory. The Add User to Security Manager Directory Properties window opens.
2. Select Define this policy setting, select one of the following, and click OK.
   - Enabled: Upon enrollment, SAM adds the user to the user directory in the Entrust Authority Security Manager domain, if:
     - The Add User to Security Manager policy is enabled
     - The Security Manager and SAM on different domains policy is enabled
     - The user does not yet exist in the user directory in the Entrust Authority Security Manager domain
     Users can be added only to an AD or general LDAP directory.
   - Disabled: Users are not added to the user directory in the Entrust Authority Security Manager domain. If enrollment is requested for a user not found in the user directory in the Entrust Authority Security Manager domain, the enrollment fails.

Defining the User Role Policy

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click User Role. The User Role Properties window opens.
2. Select Define this policy setting.
3. In the Select the user role drop-down list, select a role from the list of roles defined in Entrust Authority Security Manager Administration.
4. Click OK.

Note:
If the unique name of the selected user role is changed in Entrust Authority Security Manager Administration, you must select the renamed user role in TPO so that the name remains the same in both Entrust and SafeNet Authentication Manager. If this is not done, enrollment will fail.

Defining the Certificate Type Policy

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Certificate Type. The Certificate Type Properties window opens.
2. Select Define this policy setting.
3. In the Select the certificate type drop-down list, select a certificate type from the list of certificate types defined in Entrust Authority Security Manager Administration.

Note:
The certificate type selected here overrides the setting in Entrust Authority Security Manager.

4. Click OK.

Defining the Last Security Manager Update Policy

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click Last Security Manager Update. The Last Security Manager Update Properties window opens.
2. Select Define this policy setting.

Note:
The Last Security Manager Update policy controls the update behavior of the Entrust content on the tokens. When this date is updated, all tokens controlled by this TPO will be considered out of date. The Entrust content on a token will be updated the next time the user accesses the SAM Self Service Center.

3. Select the date when you last changed the policy settings in Entrust Authority Security Manager.
4. Click OK.

Defining the SafeNet eToken Rescue Support Policy

To define the policy:
1. In the right pane of the Connector Policy Object Editor window, double-click SafeNet eToken Rescue Support. The SafeNet eToken Rescue Support Properties window opens.
2. Select Define this policy setting.
3. Select one of the following, and click OK.
   - Enabled: Entrust certificates are added to a SafeNet eToken Rescue
   - Disabled: Entrust certificates are not added to a SafeNet eToken Rescue
4. To complete the connector configuration, click OK.

Entrust Security Manager Administration Configuration

Creating a Certificate with Backup

To create a certificate with backup:
1. In the Entrust Security Manager Administration, navigate to Security Policy > User Policies.
2. Select the required security policy.
3. In the General Information tab, in the Policy Attributes area, select Backup private key.
4. Make sure that Generate key at client is not selected.
5. Click Apply.

Working with Java Card

To work with Java Card, the following steps must be performed before enrollment:
1. In the Entrust Security Manager Administration, navigate to Security Policy > User Policies.
2. Select End User Policy.
3. In the General Information tab, in the Policy Attributes area, select Public Token Certs.
4. Click Apply.

Working with SafeNet eToken Rescue

To work with SafeNet eToken Rescue, the following steps must be performed before enrollment:
1. In the Entrust Security Manager Administration, navigate to Security Policy > User Policies.
2. Select End User Policy.
3. In the General Information tab, in the Policy Attributes area, select Public Token Certs and Private key export from CAPI.
4. Click Apply.

Using SAM with Entrust

SafeNet Authentication Manager offers standard features when used with any certification authority and deployment mode, including Entrust Authority. However, some functions are specific to the Entrust SafeNet Authentication Manager integration.

SAM Remote Service Center

Receiving a Virtual Token to Replace a Lost or Damaged Token

The Connector for Entrust supports the SafeNet Authentication Manager "employee on the road" feature. This feature enables a user continued access to computers and networks after losing or damaging their token.

If an eToken device is lost when away from the office, the user should access the SAM Remote Service Center website. After answering the required personal authentication questions, the user receives a virtual (software-based) token that contains a copy of their previously enrolled Entrust keys. Upon returning to the office, the user accesses the SAM Self Service Center website, and enrolls a replacement physical token. During this process, the original keys are revoked (if so configured in Entrust), the Entrust CRL is updated to reflect this change, and an Entrust recovery process is performed silently. In addition, keys marked to be available after revocation are also placed on the new token to allow continued access to data protected by those keys.

Note:
Key recovery with SafeNet eToken Rescue using SAM requires the enabling of key backup in Entrust.

SAM Self Service Center

Enrolling Entrust Certificates

Users can use the SAM Self Service Center to enroll tokens with Entrust certificates, even if the SafeNet Authentication Manager Client or Entrust Client is not installed on the local computer.

If the TPO is set correctly to add users in Entrust upon enrollment, user enrollment in SafeNet Authentication Manager will succeed, regardless of whether or not the user was previously enabled in Entrust. The user is automatically enrolled in Entrust according to the TPO rules assigned to the user. Activation keys are not required and the user's token is enrolled with the certificates as defined by the TPO rules.

If the TPO rules determine that the user cannot be automatically enrolled in Entrust, or if a TPO for the user does not exist, the user is prompted to contact the Help Desk.

SAM Management Center

Viewing Error Messages, Audits, and Reports

The organization's security officer can use the Help Desk feature in the SAM Management Center to view eToken Entrust-related information. This includes audit logs for certificate-related operations performed in Entrust from SafeNet Authentication Manager, such as configuration changes, enrollment, and revocation.

To display Connector for Entrust information:
1. In Help Desk, search for the required token. The token is displayed, and the Application field displays the Connector for Entrust.
2. Click the Details link. The Application Details window opens. Error messages showing failed operations relating to Entrust Authority Security Manager are displayed in the default application event log. The error messages show the action attempted, and the specific Entrust Authority Security Manager error.

Behavior and Limitations

The following information provides clarification about expected behavior and known limitations of the SAM Entrust Connector.

- Only one Entrust CA is supported.
- When generating a SafeNet eToken Rescue containing an Entrust certificate to support the "I lost my token" scenario, a key recovery operation is performed by the Entrust Authority. This is because SafeNet Authentication Manager does not keep copies of Entrust key pairs for recovery purposes. This is different from the behavior of Connector for Microsoft CA.
- The Connector for Entrust does not include support for supplying or using activation codes manually. All activation and enrollment processes are automated. If you attempt to enroll a user for which activation codes have already been generated through the Entrust Authority Security Administration, the user will be silently enrolled, and the activation codes will be ignored.
- When enrolling in Entrust Authority Security Manager using SafeNet Authentication Manager, the Entrust user role and certificate type defined in Entrust Authority Security Manager are ignored, and the settings from the SafeNet Authentication Manager TPO are used instead.
- User configuration changes done on the Entrust Authority Security Manager side do not take effect automatically. To apply configuration changes, perform the configuration in the SafeNet Authentication Manager TPO.
- SafeNet Authentication Manager TPO configuration changes take effect only when the last configuration update date on the TPO is modified.
- In the Entrust Authority Security Manager, the spillover parameter must be disabled.

Chapter 12

Licensing

SAM licenses are issued according to token type and SafeNet Authentication applications. Licenses can be accumulated; when you purchase an additional license it is added to your existing one.

In this section:

- Licensing Overview
- Evaluation License
- Upgrading Licenses from Earlier Versions
- Viewing Licenses
- Applying a License
- Multi-Domain Licenses

Licensing Overview

You can accumulate SafeNet Authentication Manager licenses by adding new licenses to your existing one. The sum of allowed users and tokens is the sum of all accumulated licenses. A SafeNet Authentication Manager license counts the following items separately:

- A user with any type of token
- A MobilePASS token
- A SafeNet eToken Virtual authenticator
- A token with SafeNet SSO profiles
- A token with SafeNet Network Logon profiles

Each license-related action, such as token assignment or MobilePASS enrollment, increments or decrements the appropriate license counter. The maximum number allowed for each counter is determined by the license(s) purchased.

Evaluation License

New SafeNet Authentication Manager installations may be assigned an evaluation license. A SafeNet Authentication Manager evaluation license has the following features:

- Allows a maximum of 10 token users
- Allows a maximum of 10 of each of the following tokens:
  - A MobilePASS token
  - A SafeNet eToken Virtual authenticator
  - A token with SafeNet SSO profiles
  - A token with SafeNet Network Logon profiles
- Has an expiration date

SafeNet Authentication Manager evaluation licenses can be accumulated. The latest expiration date of all the licenses is applied. The SafeNet Authentication Manager evaluation license is cancelled when a standard license is added.

Upgrading Licenses from Earlier Versions

When data is migrated from TMS version 2.0 or later to SafeNet Authentication Manager 8.0, the earlier version's licenses remain valid.

You may need to upgrade your SafeNet Authentication Manager license for new features, such as SafeNet eToken Virtual or MobilePASS, or to use certain connectors, such as SAM Connector for SafeNet SSO.

To ensure that your license is valid, see Viewing Licenses on page 295. To add a license, see Applying a License on page 296.

Viewing Licenses

You can view your licenses in the SafeNet Authentication Manager Configuration Manager.

To view licenses:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 192). The SAM Configuration Manager window opens.

Note:
In the following situations, a warning message is displayed in the bottom frame of the SAM Configuration Manager window:
- Your license has reached nearly all of its capacity
- Your license has an expiration date

2. From the Action menu, select License > View. The License Details window displays the details of the current license.
3. Click Close to exit the window.

Applying a License

Use the SAM Configuration Manager to add a new license or apply an existing license from a different domain or user store.

To add or apply a license:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 192). The SAM Configuration Manager window opens.
2. From the Action menu, select License > Add. The Add License window opens.
3. To add a new license, do the following:
   a. Select Increase the license allowance by adding a new SAM license to the primary license.
   b. Copy the new license string provided by SafeNet.
4. To apply an existing license, do the following:
   a. Select Use the primary license already configured for the following domain.
   b. Click Browse.
   c. Select the domain containing the current license.
5. Click Add License and then click Close to exit the window.

Multi-Domain Licenses

The same license can be used in a multi-domain environment and with multiple user stores. The primary license is installed on one server, and secondary licenses are installed on additional servers. The secondary servers must be configured to use the primary license.

For example, if you need SafeNet Authentication Manager installed on two domains, each having 1,000 users and 200 tokens with SafeNet SSO profiles, you can install a license for 2,000 users and 400 tokens with SafeNet SSO profiles on one of the domains. When configuring the other SafeNet Authentication Manager instance, select the domain on which the license file is installed.

Note:
Since the same license can be used for multiple domains, the licensing counter can become inaccurate due to replication or failed operations. Use the SAM Backend Service to ensure that licensing data from all domains remains synchronized. See Controlling SAM Backend Services on page 355 to manually initiate the SAM Backend Service Synchronize licenses process.

Chapter 13

Authorization Manager

Use the SafeNet Authentication Manager Authorization Manager to manage roles, tasks, operations, and role assignments.

Note:
In SafeNet Authentication Manager, the authorization management settings (roles) are stored in the configuration store.

In this section:

- Authorization Management Overview
- Predefined Roles
- Defining a New Scope
- Defining Roles
- Defining Tasks

Authorization Management Overview

SafeNet Authentication Manager encompasses three levels of assignments, built into a hierarchical structure:

- Role: Level 1 activity (group of one or more tasks)
- Task: Level 2 activity (group of one or more operations)
- Operation: Level 3 activity (single action)

The lowest level in the hierarchy is Operation. A Task consists of one or more Operations and may include other Tasks. A Role is made up of a number of Tasks and Operations. In addition, a Scope may be determined for each role, to determine which Domain, OU, or Group the role applies to.

Use the Authorization Manager to:

- Define roles and tasks
- Allocate role assignments
- Create additional roles, tasks, operations and role assignments

Predefined Roles

SafeNet Authentication Manager is configured with the following predefined roles:

Administrator
    Website(s) Assigned: SAM Management Center
    Tasks Allowed: All SAM tasks

Helpdesk
    Website(s) Assigned: SAM Management Center
    Tasks Allowed: All SAM tasks except modifying TPOs

Certificate Recovery
    Website(s) Assigned: SAM Management Center
    Tasks Allowed: Certificate Recovery

First Tier Approvers
    Website(s) Assigned: SAM Management Center
    Tasks Allowed: First tier approval of certificate recovery

Second Tier Approvers
    Website(s) Assigned: SAM Management Center
    Tasks Allowed: Second tier approval of certificate recovery

User
    Website(s) Assigned: SAM Self Service Center, SAM Rescue Service Center
    Tasks Allowed: All self service options on the SAM Remote Service Center and the SAM Self Service Center

Defining a New Scope

You can assign a new scope for the SAM Management Center. This determines if the roles apply to the domain, to an organizational unit (OU) or a group.

A scope enables you to define local administrators or helpdesk staff with responsibility for only a section of the user store, such as an OU or a group of users. Some common examples would be to define local administrators in a specific location (OU scope) or to define a special administrator for senior managers (group scope).

To define a new scope for the SAM Management Center:
1. Launch the SAM Configuration Manager (See Launching the SAM Configuration Manager on page 192).
2. From the Action menu, select Authorization Manager > Edit Roles. The SafeNet Authentication Manager Authorization Manager opens.
3. In the SAM Authorization Manager left pane, right-click SAM Management Center, and select New Scope. The New Scope window opens.
4. Select one of the following containers for which the role will apply:
   - Domain
   - OU (Organizational Unit): Click Browse. The OU window opens. Select the required OU, and click OK.
   - Group: Click Browse. The User or Group window opens. Enter the required group name, and click OK.
5. Type a description, and click OK.

Defining Roles

Note:
If you change the name of a Role, the Users assigned to that Role are removed.

To define a new role definition:
1. In the SAM Authorization Manager left pane, expand the appropriate node to Definitions > Role Definitions.
2. Right-click Role Definitions and select New role definition. The Role Definition window opens.
3. Enter the Name and Description of the new role definition, and click Add. The Add Definition window opens.
4. Select the Roles tab.
5. If required, select a role to be added as a sub-role to the new role.
6. Select the Tasks tab.
7. Select the tasks to include in the new role.
8. Select the Operations tab.
9. Select the operations to include in the new role, and click OK. The new role is created.

Defining Tasks

To define a new task definition:
1. In the SAM Authorization Manager left pane, expand the appropriate node to Definitions > Task Definitions.
2. Right-click Task Definitions and select New task definition. The New Task window opens.
3. Enter the Name and Description of the new task definition, and click Add. The Add Definition window opens.
4. Select the Tasks tab.
5. If required, select a task to be added as a sub-task to the new task.
6. Select the Operations tab.
7. Select the operations to include in the task, and click OK. The new task is created.

Chapter 14

User Permissions

The administrator can configure the users' permissions, and change them as required.

In this section:

- Permissions for Basic Administration
- Granting Dial-In Permission to the User Account
- Granting Permissions for Microsoft CA Templates
- Delegating Password Reset Control

Permissions for Basic Administration

SAM Service Account Permissions

Managing eToken Network Logon
    Permission Required: Permission to change other domain users' passwords

Managing the SAM OTP Authentication Connector
    Permission Required: Permission to change the dial-in properties of the user account. See Granting Dial-In Permission to the User Account on page 311.

Managing the SAM Microsoft CA Connector
    Permission Required: Read and enroll permissions for the templates to be used, such as enrollment agent and smartcard logon. See Granting Permissions for Microsoft CA Templates on page 314.

Managing the SAM P12 Certificate Import Connector
    Permission Required: Read permissions to the libraries where the pfx files and the password index files are stored

Managing the SAM Check Point Internal CA Connector
    Permission Required: No additional permissions

Resetting passwords
    Permission Required: Delegate the task to the required group, for example, Helpdesk group. See Delegating Password Reset Control on page 315.

User Permissions for Installing SAM

Installing SafeNet Authentication Manager
    Permission Required: In AD/AD installations, must be a member of the Schema Administrator group and the Domain Administrator group

Managing SAM websites
    Permission Required: Read permissions to the SAM website directory on the IIS server

Granting Dial-In Permission to the User Account

Dial-in permissions are required for the user managing the SAM OTP Authentication Connector. See Permissions for Basic Administration on page 310.

To grant dial-in permission to the user account:
1. Open ADSI Edit.

Tip:
In Windows Server 2003, ADSI Edit is part of the Windows Support Tools installed from the server installation media. In Windows Server 2008, the Windows Support Tools are included in the RSAT (Remote Server Administration Tools). ADSI Edit is part of the Active Directory Domain Controller Tools feature.

   The Console1 window opens.
2. In the left pane, expand the appropriate domain.
3. Right-click the user to be the SafeNet Authentication Manager Helpdesk administrator, and select Properties. The user's Properties window opens.
4. Select the Security tab, and click Add. The Select Users, Computers, or Groups window opens.
5. Enter the name of the SafeNet Authentication Manager Helpdesk user, and click OK. The Helpdesk user is added to the list.
6. Click Advanced. The Advanced Security Settings window opens.
7. Select the Helpdesk user from the list, and click Edit. The Permission Entry window opens.
8. Select the Properties tab.
9. Select Allow for the following attributes:
   - Read msNPAllowDialin
   - Write msNPAllowDialin
10. Click OK.

Granting Permissions for Microsoft CA Templates

CA-related permissions are required for the user managing the SAM Microsoft CA Connector. See Permissions for Basic Administration on page 310.

To grant permissions for Microsoft CA templates:
1. Open the CA snap-in.
2. Right-click Certificate Templates, and select Manage.
3. From the certificate list, double-click the certificate for SafeNet Authentication Manager to enroll.
4. In the Security tab, assign the Helpdesk user the permissions to Read and Enroll.
5. In the CA snap-in, right-click the CA name, and select Properties.
6. In the Security tab, assign the Helpdesk user the permission to Issue and Manage Certificates.

Delegating Password Reset Control

The SAM Service Account is used to manage SafeNet Authentication Manager operations. See Changing the SAM Service Account on page 198 to set a different SAM Service Account.

Note:
We recommend using a SAM Service Account with a strong non-expiring password. Certain functions, such as the TPO Editor, may stop responding when the SAM Service Account password expires.

To delegate control of password resets to the SAM Service Account:
1. In the Active Directory Users and Computers snap-in, select the SAM domain.
2. In the right pane, right-click Users, and select Delegate Control. The Delegation of Control Wizard opens.
3. Click Next. The Users or Groups window opens.
4. Click Add. The Select Users window opens.
5. Click Advanced. The advanced Select Users window opens.
6. Click Find Now. The search results are displayed in the Select Users window.
7. Double-click the SAM Service Account. The username appears in the Select Users window.
8. Click OK. The username appears in the Users or Groups wizard window.
9. Click Next to continue. The Tasks to Delegate window opens.
10. Select Delegate the following common tasks, and select Reset user passwords and force password change at next logon.
11. Click Next to continue. The Completing the Delegation of Control Wizard window opens.
12. On the summary page, review the proposed settings, and then click Finish.
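The two ACL procedures above (Granting Dial-In Permission to the User Account and Delegating Password Reset Control) as one script, added here as an example that is not part of the SafeNet guide. It assumes the RSAT ActiveDirectory module; the account names sam-helpdesk and svc-sam and the container CN=Users,DC=example,DC=com are placeholders. It goes slightly beyond the dial-in steps by applying the msNPAllowDialin ACE to the Users container with inheritance to user objects, which is how the Delegation of Control Wizard applies the password reset rights, instead of to one user object.

```powershell
# Added example: scripted equivalent of the ADSI Edit and Delegation of Control Wizard steps.
Import-Module ActiveDirectory

# Look up an attribute's or class's schemaIDGUID from the schema partition (no hard-coded GUIDs).
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Look up a control access right (extended right) by display name, e.g. 'Reset Password'.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

# Resolve a user or group to its SID; ACEs are stored by SID, not by name.
function Get-PrincipalSid {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectSid
    if (-not $obj) { throw "Principal '$SamAccountName' not found" }
    [System.Security.Principal.SecurityIdentifier]$obj.objectSid
}

# Add one Allow ACE to an AD object. With -InheritToUsers the ACE applies to user objects
# below $TargetDN (what the Delegation of Control Wizard does) instead of to the object itself.
function Add-AdAce {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][guid]$ObjectType,
        [switch]$InheritToUsers
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $acl = Get-Acl -Path "AD:\$TargetDN"
    if ($InheritToUsers) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $Rights, $allow, $ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            (Get-SchemaGuid -LdapDisplayName 'user'))
    } else {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $Rights, $allow, $ObjectType)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

$usersDN = 'CN=Users,DC=example,DC=com'   # placeholder container
$rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# --- Granting Dial-In Permission: Allow Read and Write msNPAllowDialin (steps 8-9 above) ---
$helpdeskSid = Get-PrincipalSid -SamAccountName 'sam-helpdesk'   # placeholder account
$dialinGuid  = Get-SchemaGuid -LdapDisplayName 'msNPAllowDialin'
Add-AdAce -TargetDN $usersDN -Sid $helpdeskSid -Rights $rw -ObjectType $dialinGuid -InheritToUsers

# --- Delegating Password Reset Control (wizard step 10 above) ---
# The common task "Reset user passwords and force password change at next logon" grants the
# Reset Password extended right plus Read/Write on pwdLastSet, for user objects in the container.
$svcSid         = Get-PrincipalSid -SamAccountName 'svc-sam'     # placeholder account
$resetGuid      = Get-ExtendedRightGuid -DisplayName 'Reset Password'
$pwdLastSetGuid = Get-SchemaGuid -LdapDisplayName 'pwdLastSet'
Add-AdAce -TargetDN $usersDN -Sid $svcSid -ObjectType $resetGuid -InheritToUsers `
    -Rights ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
Add-AdAce -TargetDN $usersDN -Sid $svcSid -Rights $rw -ObjectType $pwdLastSetGuid -InheritToUsers

# Verify: list the ACEs just added. Re-running this listing periodically is a simple way to
# review who holds password reset and dial-in rights over the container.
(Get-Acl -Path "AD:\$usersDN").Access |
    Where-Object { $_.IdentityReference -like '*sam-helpdesk' -or $_.IdentityReference -like '*svc-sam' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```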

Chapter 15

Audit Messages and Enrollment Notifications

You can configure TPO settings for the following activities:

- Viewing the details of SafeNet Authentication Manager administration events using the Windows Event Viewer
- Setting up audit notification letters for SafeNet Authentication Manager user and administrator events
- Setting up enrollment notification letters and SMS messages for token enrollments

In this section:

- Audit Messages
- Enrollment Notification
- Configuring Audit, Enrollment and MobilePASS Activation Notification Templates
- Configuring SMS Notification Template

Audit Messages

You can view SafeNet Authentication Manager audit messages in the Windows Event Viewer or send them by email.

Configuring Audit Settings for Viewing in Windows Event Viewer

Audit Settings policies control audit information logging so that the events can be viewed using the Windows Event Viewer. To enable audit information logging, define the TPO Audit Settings policies. See Using the Token Policy Object Editor to Edit TPOs on page 146 to edit the TPO settings.

Audit Settings Policies

Audit log server name
    Description: Defines the server address of the audit log
    Default: localhost
    Token Type: All devices

Audit log name
    Description: Defines the name of the audit log
    Default: Application
    Token Type: All devices

Audit source name
    Description: Determines the source name displayed in the Windows Event Viewer
    Default: SAMAudit
    Token Type: All devices

Viewing SAM Events in the Event Viewer

To view audited SAM events in the Event Viewer:
1. Right-click My Computer, and select Manage. The Computer Management window opens.
2. In the left pane, select Event Viewer > Application. A list of events is displayed in the right pane. By default, SAM events are indicated by SAMAudit in the source column of the table.
3. Double-click the required event. The Event Properties window opens.

The Event Properties window displays the following information:
- Date: the date the event occurred
- Source: the event source
- Time: the time the event occurred
- Category: the event category
- Type: the event type (for example, Information)
- Event ID: a unique ID for each event
- User: user information
- Computer: the computer on which the event is recorded
- Description: a brief description of the event
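Retrieving the same SAM audit events from the command line, as an added example that is not part of the SafeNet guide. It reads the log and source named by the Audit Settings defaults (Application, SAMAudit); -ComputerName corresponds to the Audit log server name policy. Get-WinEvent requires Windows Server 2008 or later, so this does not apply to a Windows Server 2003 audit log server.

```powershell
# Added example: query SAM audit events for review or for export to a central log system.
function Get-SamAuditEvents {
    param(
        [string]$ComputerName = 'localhost',   # TPO "Audit log server name" default
        [string]$LogName = 'Application',      # TPO "Audit log name" default
        [string]$Source  = 'SAMAudit',         # TPO "Audit source name" default
        [datetime]$Since = (Get-Date).AddDays(-1),
        [ValidateSet('All', 'Error', 'Warning', 'Information')][string]$Level = 'All'
    )
    $filter = @{ LogName = $LogName; ProviderName = $Source; StartTime = $Since }
    # Event Viewer levels: 2 = Error, 3 = Warning, 4 = Information
    switch ($Level) {
        'Error'       { $filter.Level = 2 }
        'Warning'     { $filter.Level = 3 }
        'Information' { $filter.Level = 4 }
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, MachineName,
            @{ Name = 'User';    Expression = { $_.UserId } },
            # First line of the description only; the full text stays in the event.
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

# Count events per Event ID and level over a period, the overview to check before drilling in.
function Get-SamAuditSummary {
    param(
        [string]$ComputerName = 'localhost',
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-SamAuditEvents -ComputerName $ComputerName -Since $Since |
        Group-Object Id, LevelDisplayName |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'EventId'; Expression = { $_.Group[0].Id } },
            @{ Name = 'Level';   Expression = { $_.Group[0].LevelDisplayName } },
            @{ Name = 'Sample';  Expression = { $_.Group[0].Message } }
}

# Usage: failed SAM operations from the last 24 hours, then a one-week summary.
Get-SamAuditEvents -Level Error | Format-Table -AutoSize
Get-SamAuditSummary | Format-Table -AutoSize
```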

Configuring Audit Settings for Sending Notification Messages

To set up and configure audit notification letters, perform the following steps:

1. Configure the TPO audit settings.
2. Edit the audit notification letter templates. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
3. Activate the Notification function for users and/or the administrator.
4. Select the HTML template file for user and/or administrator notification.

The Audit Notification Settings in TPO enable you to do the following:

Audit Notification Policies

Policy | Description | Default | Token Type
Administrator notification | Defines if the administrator is notified of audit events | No notification | All devices
Administrator notification configuration | Defines the administrator notification configuration | Empty (Administrator is not notified) | All devices
User notification | Defines if users are notified of audit events related to their tokens | No notification | All devices
User notification configuration | Defines the user notification configuration | Empty (User is not notified) | All devices


Configuring Administrator Audit Notification Settings

To configure the administrator audit notification settings:

1. Open the Token Policy Object Editor (see Accessing Token Policy Object Links on page 122).
2. In the left pane, select Audit Settings > Audit Notification Settings.
3. In the right pane, right-click Administration notification, and select Properties from the drop-down menu.
   The Administration notification Properties window opens.
4. Select the Define this policy setting option, select Enabled, and click OK.
5. In the right pane of the Token Policy Object Editor, right-click Administration notification configuration, and select Properties from the drop-down menu.
   The Administration notification configuration Properties window opens.
6. Select Define this policy setting, click Add, and enter a name for a new rule.
7. To define a rule, select it, and click Edit.
   The Administrator notification rule window opens.
8. In the Events tab, select the events requiring notification.
9. Select for which event levels to send notifications: Information, Error, Warning.
10. To configure email notification for the administrator, select the Emails tab.
11. Click Add, and enter the appropriate email address.
12. In the Subject field, enter the content of the email subject line.
13. In the Template field, enter the path to the email template. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
14. To select an external program to send the notification, select the External Program tab.
15. Select Browse and navigate to the external application file (.exe).
16. Click on the required keywords.
    The selected keywords are displayed in the box after the external application file.
17. Click OK to save the changes to the Administration notification configuration policy.

Configuring User Audit Notification Settings

To configure the user audit notification settings:

1. Open the Token Policy Object Editor (see Accessing Token Policy Object Links on page 122).
2. In the left pane, select Audit Settings > Audit Notification Settings.
3. In the right pane, right-click User notification, and select Properties from the drop-down menu.
   The User notification Properties window opens.
4. Select the Define this policy setting option, select Enabled, and click OK.
5. In the right pane of the Token Policy Object Editor, right-click User notification configuration, and select Properties from the drop-down menu.
   The User notification configuration Properties window opens.
6. Select Define this policy setting, click Add, and enter a name for the new rule.
7. To define a rule, select it, and click Edit.
   The User notification rule window opens.
8. Select the events requiring notification.
9. Select one or both of the following:
   Notify the user about events performed for them by others
   Notify the user about events performed by themselves
10. Select for which event levels to send notifications: Information, Error, Warning.
11. In the Subject field, enter the content of the email subject line.
12. In the Template field, enter the path to the email template. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.
13. Click OK to define the User notification configuration policy.


Enrollment Notification

Configuring Enrollment Notification Messages

SafeNet Authentication Manager can generate enrollment notification letters and email them to the token users. Notifications can include text and variables, such as passwords and serial numbers, which are derived from SafeNet Authentication Manager through the use of keywords.

To set up and configure enrollment notification letters, perform the following steps:

1. Configure the TPO enrollment notification settings.
2. Edit the enrollment notification letter templates. See Configuring Audit, Enrollment and MobilePASS Activation Notification Templates on page 335.

Enrollment Notification Policies

Every policy in this table applies to all devices, including MobilePASS and SafeNet eToken Virtual Temp.

Policy | Description | Default
User notification | Determines if user notification letters are prepared when their tokens are enrolled through the SAM Management Center | No notification
HTML template file | Defines the HTML template file to use as a template for enrollment notification letters | Empty
Save notification letters | Determines if enrollment notification letters are saved | Not saved
Notification letters storage location | Defines where enrollment notification letters are saved | Empty
Send notification letters by email | Determines if enrollment notification letters are sent by email | No email notification
Notification email subject | Defines the enrollment notification email subject | Empty
Print notification letters | Determines if enrollment notification letters are printed | Not printed
Use external program | Determines if an external notification program is used. Note: This can include any application that performs an action not supported by the standard SafeNet Authentication Manager settings, such as updating a database upon notification. | No external program
External program and keywords | Defines which external program to use if Use external program is selected, and its keywords. Note: To use an external enrollment notification application, enable the Use external program policy, and define this policy. | Empty (No external program is used)
Notify via SMS | Determines if a notification is sent via SMS. Note: To use SMS notification, you must enable this policy and define the SMS notification template policy. | SMS notification is not used
SMS notification template | Determines the file that contains the text for the SMS message. See Configuring SMS Notification Template on page 338. | Not defined


Configuring Audit, Enrollment and MobilePASS Activation Notification Templates

Each template contains text and keywords. To customize a template, replace its text, and add keywords as required.

Sample templates are provided in the MailTemplates folder, typically located at:

C:\Program Files\SafeNet\Authentication\SAM\x32\Templates

Audit Notification Templates

Template | Description | File Name
Audit Event Notification (administrator) | Informs the administrator of audit events | Default_SAM_Admin_Audit_Notification_Letter.htm
Audit Event Notification (user) | Informs users of audit events | Default_SAM_User_Audit_Notification_Letter.htm

Enrollment Notification Templates

Template | Description | File Name
Enrollment Notification | Informs the user of a new token and supplies the password | Default_SAM_Enrollment_Notification_Letter.htm
Enrollment Notification (Complex password) | Informs the user of a new token and supplies the password. This option allows the Token Password to contain special characters, using a different HTML syntax. Note: This template is not supported by Outlook 2007. | Default_SAM_Enrollment_Notification_Letter_Complex_Password.htm


Notification Letter Keywords

Variables used in notification letters are retrieved by SafeNet Authentication Manager from data in the user store. If the data does not exist in the user store, it will not appear in the notification letter; the keywords will be displayed instead.

If changes have been made to data in the user store, run the SAM Backend Services Synchronize User Data process before generating enrollment letters to ensure that the data is available for inclusion in the user notification letter. See Backend Service on page 353.

General Keywords

The general keywords can be used in all notification letter templates (Audit, Enrollment Notification and MobilePASS Activation).

Keyword | Description
$Office | User's office location
$User_Email | User's email address
$User_First_Name | User's first name
$User_Last_Name | User's last name
$City | City
$Country_Region | Country or region
$State_Province | State or province
$Street | Street name
$PO_Box | Post Office box number
$Zip_Postal_Code | Zip code
$Company | Name of company
$Department | Name of department
$User_Logon_Name | The name the user uses to log on to a domain. Uses the syntax: user@domain.com
$User_Account_Name | The user's name in the pre-Windows 2000 syntax: domainname\username

Audit Keywords

The Audit Keywords can be used only in the Audit Notification templates:

Audit Event Notification (administrator) (Default_SAM_Admin_Audit_Notification_Letter.htm)
Audit Event Notification (user) (Default_SAM_User_Audit_Notification_Letter.htm)

The keys of events as they appear in the Windows Event Viewer can be used in audit notification letters.

Keyword | Description
$Audit_Category | The application creating the event. For example: SAM Self Service Center, SAM Management Center, SAM Remote Service Center, or Management Tools
$Audit_Date_Time | The time and date of the event
$Audit_Event | The name of the event
$Audit_Message | The message describing the event
$Audit_Type | The event level: Information, Error, or Warning

Enrollment Keywords

The Enrollment Keywords can be used only in the Enrollment Notification templates:

Enrollment Notification (Default_SAM_Enrollment_Notification_Letter.htm)
Enrollment Notification (Complex password) (Default_SAM_Enrollment_Notification_Letter_Complex_Password.htm)

Keyword | Description
$Enrollment_Date | Date the token was enrolled
$Enrollment_Time | Time the token was enrolled
$otp_pin | The OTP PIN to be sent to the user during enrollment, or the Token Password (if it is random)
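The substitution rules described above (data missing from the user store leaves the keyword visible in the letter; the Complex password template exists because special characters need a different HTML syntax) can be checked before a letter goes out. The following is an added example written for this page, not code from SafeNet Authentication Manager. It assumes the keyword names from the tables above, a constructed sample template and a constructed user-store record, and it HTML-escapes every substituted value so that a random Token Password containing <, & or " renders correctly inside an HTML letter. The pre-send check refuses to emit a letter whose password keyword was not resolved.

```python
import html
import re

# Keywords have the form $Name, as in the tables above ($User_Email, $otp_pin, ...).
KEYWORD = re.compile(r"\$[A-Za-z][A-Za-z0-9_]*")


def render_letter(template: str, user_data: dict, escape: bool = True) -> str:
    """Substitute $keywords from user-store data.

    Mirrors the documented behaviour: a keyword with no data in the user
    store is left visible in the letter. Values are HTML-escaped by default
    so that a Token Password containing '<', '&' or '"' survives inside an
    HTML letter (the reason the Complex password template exists).
    """
    def substitute(match):
        keyword = match.group(0)
        value = user_data.get(keyword)
        if value is None or value == "":
            return keyword
        return html.escape(str(value), quote=True) if escape else str(value)
    return KEYWORD.sub(substitute, template)


def unresolved_keywords(rendered: str) -> list:
    """Keywords still present after rendering, i.e. data missing from the store."""
    return KEYWORD.findall(rendered)


def prepare_enrollment_letter(template: str, user_data: dict, required=("$otp_pin",)) -> str:
    """Render and refuse to emit a letter whose required keywords are unresolved.

    A letter with a literal '$otp_pin' is useless to the recipient; the caller
    is expected to run Synchronize User Data and retry.
    """
    rendered = render_letter(template, user_data)
    missing = [k for k in unresolved_keywords(rendered) if k in required]
    if missing:
        raise ValueError("required data missing from user store: " + ", ".join(missing))
    return rendered


# Constructed sample template and user-store record (not from the product).
SAMPLE_TEMPLATE = (
    "<p>Dear $User_First_Name $User_Last_Name ($User_Logon_Name),</p>"
    "<p>Your token was enrolled on $Enrollment_Date at $Enrollment_Time. "
    "Token Password: <b>$otp_pin</b></p>"
    "<p>$Company / $Department</p>"
)

SAMPLE_USER = {
    "$User_First_Name": "Ada",
    "$User_Last_Name": "Lovelace",
    "$User_Logon_Name": "ada@example.com",
    "$Enrollment_Date": "2010-09-21",
    "$Enrollment_Time": "15:24",
    "$otp_pin": 'Q7<"&>z',      # random password with HTML special characters
    "$Company": "Example Ltd",
    # "$Department" deliberately absent: not yet synchronized from the user store
}

if __name__ == "__main__":
    letter = render_letter(SAMPLE_TEMPLATE, SAMPLE_USER)
    print(letter)
    print("unresolved:", unresolved_keywords(letter))
```

The rendered letter keeps "$Department" in place, exactly as the guide says it will, and the password appears as Q7&lt;&quot;&amp;&gt;z in the HTML source, which a mail client displays as the original characters. Escaping is the default here because an unescaped password can break the markup or, worse, inject it; pass escape=False only for a plain-text template.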

Configuring SMS Notification Template

If the Notify via SMS policy is activated, a template must be created to determine the content of the message (see Enrollment Notification Policies on page 332).

The template is a text (.txt) file. The SMS message consists of the text as it appears in the template; keywords are not supported.

Chapter 16

OTP Configuration

One-Time Password (OTP) behavior can be configured in the web services located on the SafeNet Authentication Manager Server, and in the OTP plug-in on the IAS (RADIUS) server.

In this section:

OTP Web Service Settings
OTP Web Service Configuration
Configuring SAM IAS Plug-In
Configuring IAS for a Non-AD User Store


OTP Web Service Settings

To facilitate OTP authentication, the system saves the following values:

the OTP provided by the user during the last OTP token enrollment or successful authentication
the OTP provided by the user during the last authentication attempt, regardless of whether or not it successfully matched any of the values calculated by the system within the Blank Presses range

Blank Presses

During each OTP authentication attempt, the system calculates the OTP value that should follow the OTP saved from the last successful authentication. When a user generates an OTP on the token without submitting it for authentication, the OTP generation is considered a blank press. The administrator determines how many blank presses are tolerated by setting the range of OTP values to be checked during OTP authentication.

Blank Presses setting | OTP Authentication Behavior
0 | The OTP provided by the user must match the OTP value that the system calculates to follow the last OTP successfully used for authentication.
30 | The OTP provided by the user must match one of the next 31 OTP values that the system calculates to follow the last OTP successfully used for authentication.

Blank Presses Resync

If the OTP provided by the user does not match any of the OTP values within the Blank Presses range, a different method may allow the user to authenticate successfully.

If the Blank Presses Resync setting is larger than the Blank Presses setting, the system compares the last two OTPs provided (the OTP saved during the last authentication attempt, and the OTP just entered) with all the pairs of OTP values calculated by the system within the Blank Presses Resync range.

Time Sync

Some systems calculate OTPs using a formula based on the current time. There may be a minor difference between the time settings on the system and on the OTP token. The administrator determines the amount of time difference that is tolerated by defining the Time Sync range to be checked during OTP authentication.

Time Sync setting | OTP Authentication Behavior
0 | The OTP provided by the user must match the OTP value that the system calculates based on the system's current time.
30 | The OTP provided by the user must match one of the OTP values that the system calculates within 31 increments of the system's current time.

Time Resync

If the OTP provided by the user does not match any of the OTP values within the Time Sync range, a different method may allow the user to authenticate successfully. If the Time Resync setting is larger than the Time Sync setting, the system compares the last two OTPs provided (the OTP saved during the last authentication attempt, and the OTP just entered) with all the pairs of OTP values calculated by the system within the Time Resync range.


OTP Web Service Configuration

To configure the OTP Web Service:

1. Open the SAM Configuration Manager (see Launching the SAM Configuration Manager on page 180).
2. From the Action menu, select IIS and Web Services > OTP Web Service.
   The OTP Web Service Settings window opens.
3. Complete the fields as follows, and click OK:

Blank Presses (default: 30)
    The range of OTP values to check during authentication (the number of blank presses tolerated before the OTP token must be validated).

Audit Condition (default: OnFailure)
    Which authentication events to include in an audit:
    OnFailure: only when authentication fails
    Always: all authentication attempts
    Never: do not audit

Blank Presses Resync (default: 100)
    The range of OTP value pairs to check if the OTP did not match a value within the Blank Presses range.

Max Delayed DB Updates
    The maximum number of update entries accumulated before they must be written to the SAM database. Saves system resources during times of peak activity.

Time Sync (default: 30)
    The time difference tolerated between the system and the OTP token, in increments.

Time Resync (default: 100)
    The range of OTP value pairs to check if the OTP did not match a value within the Time Sync range.

Authentication Retries
    The number of failed authentication attempts before the token is locked.

Exclude Group Check (default: Default)
    The behavior of the Exclude Group check:
    Disabled: the check for Exclude Groups is disabled.
    Default: exclude all members of the Exclude Groups and their child groups. All groups above the user are checked during each authentication attempt.
    DefaultFlat: exclude all members of the Exclude Groups, but not of their child groups.
    Preload: exclude members of the Exclude Groups already in the SAM Configuration Store, but do not refresh the list. (See also Preload Groups Refresh.)
    Token: exclude all tokens marked in the SAM Configuration Store as being a member of an Exclude Group. This information is updated by the SAM Backend Service, scheduled to run every 24 hours by default.

Exclude Groups (default: None)
    Click New to add an Exclude Group. OTP authentication is not enabled for members of Exclude Groups. They must use standard authentication.

Preload Groups Refresh (default: 120)
    If Exclude Group Check is set to Preload, this determines the time interval, in minutes, between Exclude Groups refreshes in the OTP Web Service.

Netbios
    Click New to map between a NetBIOS name and a DNS name.
Configuring SAM IAS Plug-In

The IAS plug-in, located on the IAS (RADIUS) server, can be configured to determine OTP authentication behavior. The configuration settings are added to the <ias_plugin_configuration> section in the otp_plugin_config.xml file.

SAM IAS Plug-In Settings

The *_behavior keys below take the same three values:
Reject: reject the authentication request
Pass: allow MS IAS standard authentication
Fail: discard the authentication request

enable_otp_authentication (Boolean; default: True)
    Determines whether OTP authentication is used. True: OTP authentication. False: standard (non-OTP) authentication.

otp_web_service_url (String)
    Defines the SafeNet Authentication Web Service URL.

no_otp_token_behavior (Enumerator; default: Reject)
    Determines behavior when there is no OTP. Values: Reject, Pass, Fail.

user_not_found_behavior (Enumerator; default: Reject)
    Determines behavior when the user is not found. Values: Reject, Pass, Fail.

protocol_not_supported_behavior (Enumerator; default: Pass)
    Determines behavior when the protocol is not supported. Values: Reject, Pass, Fail.
    Note: The value should be changed to Reject to ensure that it is not possible to authenticate without a RADIUS secret key.

return_pap_cred (Boolean; default: False)
    Determines if the RADIUS server returns the password as an attribute of the RADIUS response.

return_pap_cred_attribute_number (Numeric; default: 2)
    Specifies the RADIUS attribute number of the returned password. For example, "2" is for ratUserPassword.

web_service_request_timeout (Time in seconds; default: 15)
    Specifies the timeout period when calling the OTP Web Service from the IAS Plug-in.

web_service_comm_error_behavior (Enumerator; default: Fail)
    Determines how to handle an OTP Web Service communication failure. Values: Reject, Pass, Fail.

TMS_db_offline_behavior (Enumerator; default: Fail)
    Determines how to handle the exception when the SAM database is not available. Values: Reject, Pass, Fail.

Example of otp_plugin_config.xml

<?xml version="1.0" ?>
<ias_plugin_configuration>
  <enable_otp_authentication>true</enable_otp_authentication>
  <otp_web_service_url>http://localhost/OTPAuthentication/Service.asmx</otp_web_service_url>
  <no_otp_token_behavior>reject</no_otp_token_behavior>
  <user_not_found_behavior>reject</user_not_found_behavior>
  <protocol_not_supported_behavior>pass</protocol_not_supported_behavior>
  <return_pap_cred>false</return_pap_cred>
  <return_pap_cred_attribute_number>2</return_pap_cred_attribute_number>
  <web_service_request_timeout>15</web_service_request_timeout>
  <web_service_comm_error_behavior>fail</web_service_comm_error_behavior>
  <TMS_db_offline_behavior>fail</TMS_db_offline_behavior>
</ias_plugin_configuration>

Note that the closing tag of TMS_db_offline_behavior must match its opening tag (the key name used in the settings table); a mismatched pair makes the file unparseable.
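A short added check for this file, written for this page (it is not a SafeNet tool): it parses an otp_plugin_config.xml document and flags the settings that let a request fall through to plain IAS authentication, namely the Pass value on any of the *_behavior keys, which is what the Note in the settings table warns about for protocol_not_supported_behavior. It also flags return_pap_cred=true (the password is handed back in the RADIUS response) and, as an extra recommendation of this example rather than something the guide states, a plain-HTTP web-service URL pointing at a remote host. The embedded configuration is a constructed copy of the guide's example; a second copy with a deliberately mismatched closing tag is fed through as well to show that a tag typo is reported rather than silently ignored.

```python
import xml.etree.ElementTree as ET

# Keys whose value "pass" means: fall through to plain IAS password
# authentication instead of requiring an OTP (from the settings table above).
FALLTHROUGH_KEYS = (
    "no_otp_token_behavior",
    "user_not_found_behavior",
    "protocol_not_supported_behavior",
    "web_service_comm_error_behavior",
    "TMS_db_offline_behavior",
)


def check_plugin_config(xml_text: str) -> list:
    """Return a list of findings for an otp_plugin_config.xml document.

    An empty list means nothing was flagged. Malformed XML is itself a
    finding, because the plug-in cannot load a file whose tags do not match.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    if root.tag != "ias_plugin_configuration":
        return ["unexpected root element <%s>" % root.tag]

    def value(key):
        element = root.find(key)
        return None if element is None else (element.text or "").strip().lower()

    findings = []
    if value("enable_otp_authentication") == "false":
        findings.append("enable_otp_authentication=false: OTP authentication is switched off")
    for key in FALLTHROUGH_KEYS:
        if value(key) == "pass":
            findings.append("%s=pass: request falls through to standard IAS authentication" % key)
    if value("return_pap_cred") == "true":
        findings.append("return_pap_cred=true: the password is returned as a RADIUS attribute")
    url = value("otp_web_service_url") or ""
    # Added check, not from the guide: a non-local plain-HTTP web-service URL
    # carries the OTP exchange unencrypted across the network.
    if url.startswith("http://") and not url.startswith(("http://localhost/", "http://127.0.0.1/")):
        findings.append("otp_web_service_url uses plain HTTP to a remote host")
    return findings


# Constructed copy of the guide's example configuration.
GUIDE_EXAMPLE = """<?xml version="1.0" ?>
<ias_plugin_configuration>
  <enable_otp_authentication>true</enable_otp_authentication>
  <otp_web_service_url>http://localhost/OTPAuthentication/Service.asmx</otp_web_service_url>
  <no_otp_token_behavior>reject</no_otp_token_behavior>
  <user_not_found_behavior>reject</user_not_found_behavior>
  <protocol_not_supported_behavior>pass</protocol_not_supported_behavior>
  <return_pap_cred>false</return_pap_cred>
  <return_pap_cred_attribute_number>2</return_pap_cred_attribute_number>
  <web_service_request_timeout>15</web_service_request_timeout>
  <web_service_comm_error_behavior>fail</web_service_comm_error_behavior>
  <TMS_db_offline_behavior>fail</TMS_db_offline_behavior>
</ias_plugin_configuration>
"""

# The same file with a mismatched closing tag (constructed typo).
MISMATCHED_EXAMPLE = GUIDE_EXAMPLE.replace("</TMS_db_offline_behavior>", "</SAM_db_offline_behavior>")

if __name__ == "__main__":
    for finding in check_plugin_config(GUIDE_EXAMPLE):
        print("FINDING:", finding)
    print(check_plugin_config(MISMATCHED_EXAMPLE))
```

Run against the guide's example the only finding is protocol_not_supported_behavior=pass, which is the default and the one setting the guide tells you to change; changing it to reject yields an empty list. Values are compared case-insensitively because the example file uses lower case while the table uses capitalised names.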

Configuring IAS for a Non-AD User Store

If you are using a user store other than Active Directory, IAS must be configured to accept users without validating credentials.

Note:
The following configuration must be set to prevent users being able to authenticate without a password:
<protocol_not_supported_behavior>fail</protocol_not_supported_behavior>
(The settings table for the plug-in recommends Reject for this key. Either Reject or Fail serves the purpose; what must be avoided is the default Pass, which hands the request to standard IAS authentication, and with the setting below IAS would then accept the user without checking any credential.)

To configure IAS to accept users without validating credentials:

1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service.
   The Internet Authentication Service window opens.
2. Select Connection Request Processing > Connection Request Policies.
3. In the right pane, right-click Use Windows authentication for all users, and select Properties.
   The Use Windows authentication for all users Properties window opens.
4. Click Edit Profile.
   The Edit Profile window opens.
5. On the Authentication tab, select Accept users without validating credentials.
6. Click OK repeatedly until you return to the Internet Authentication Service main window.


Chapter 17

Backend Service

The SafeNet Authentication Manager Backend Service works in the background, performing the different services configured by the administrator.

In this section:

Overview of Backend Services
Controlling SAM Backend Services

Overview of Backend Services

You can change the scheduling of services in the SAM Configuration Manager. See Scheduling the SAM Backend Service on page 185.

The actions controlled by the Backend Service are:

Disable temporary password logon
Revoke open SafeNet eToken Rescues
Automatically revoke tokens with missing users
Automatically revoke tokens with disabled users
Synchronize users' data
Synchronize license data

Control the SAM Backend Service using the following options:

Start Process
Start Service
Stop Service
Pause Service
Continue Service

Controlling SAM Backend Services

To control SAM Backend Services:

1. In the taskbar, right-click the Backend Services icon.
   The Backend Services menu opens.
2. To select a domain, click Services, and select the appropriate domain.
3. To control the Backend Service process, select one of the following:
   Stop Backend Service
   Pause Backend Service
   Continue Backend Service
   Start Backend Service
4. To initiate the SAM Backend Service process, select Start process.
   The Start process options are displayed.
5. Select the required action to run in the background:
   All: runs all tasks
   Synchronize user data: updates user properties that have changed since the last update
   Automatic revocation when: automatically revokes a token if the selected event occurred:
      User is deleted from the user store: the employee left the company
      User is disabled in the user store: the employee has an extended absence
   Revoke opened SafeNet eToken Rescue: revokes all expired SafeNet eToken Rescues
   Disable Temp Logon: disables all expired temporary logon passwords
   Synchronize licenses: updates license information that has changed since the last update. This is required when SafeNet Authentication Manager is implemented over multiple domains or whenever the licensing counter becomes inaccurate due to replication or failed operations. See Multi-Domain Licenses on page 298.
6. Click Exit.

Part III Post-Installation Configuration

After installation, SAM needs to be configured according to the requirements of your organization. For OTP-specific configuration, see Chapter 16: OTP Configuration (page 339).

In this section:

Chapter 18: User Management in an ADAM Environment (page 359)
Chapter 19: Desktop Agent (page 371)
Chapter 21: Customizing SAM Websites (page 421)


Chapter 18

User Management in an ADAM Environment

If you are using a Standalone user store, use SafeNet Authentication Manager Policy Manager to manage users, groups, and OUs.

In this section:

ADAM Environment User Store Overview
Opening SafeNet Authentication Manager - Policy Manager
Adding a User
Viewing and Editing User Properties
Adding a Group or OU
Viewing and Editing Group Properties

ADAM Environment User Store Overview

During SafeNet Authentication Manager installation in an ADAM environment, the Standalone user store is initialized in the SafeNet Authentication Manager. A user account with user store administrator rights is created on the server.

After installation, the administrator uses SAM Policy Management to add users to the appropriate groups in the user store.

Opening SafeNet Authentication Manager - Policy Manager

To open SAM Policy Management:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Policy Management.
   SafeNet Authentication Manager Policy Manager connects to the SafeNet Authentication Manager Server, and the Authentication window opens.
2. Enter the SAM administrator user name and password, and click OK.
   The SafeNet Authentication Manager Policy Manager window opens.
3. In the left pane, select the appropriate container.
   The users and groups inside the selected container are displayed in the right pane.

Adding a User

To add a user to the Standalone user store:

1. Open SafeNet Authentication Manager Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
   The SafeNet Authentication Manager Policy Manager window opens.
2. In the left pane, right-click the appropriate container, and select New > User.
   The New Object - User window opens.
3. Complete the information and click Next.
   The Password window opens.
4. Create a password for the user, confirm it, and click Next.
   The Click Finish window opens.
5. Review the information displayed, and click Finish.
   The new user appears in the right pane of the SAM Policy Management window.
   See Viewing and Editing User Properties on page 364 to add more information about the user to the user store.

Viewing and Editing User Properties

To view and edit user information:

1. Open SafeNet Authentication Manager Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
   The SafeNet Authentication Manager Policy Manager window opens.
2. In the right pane, right-click the appropriate user, and from the drop-down menu, select Properties.
   The user's Properties window opens.
3. Select each tab to view or modify its information.

Note:
In the Account tab, it is not possible to change the User logon name or the Account name of the SAM Administrator.

4. Click OK to save the changes.

Adding a Group or OU

To add a group or OU to the Standalone user store:

1. Open SafeNet Authentication Manager Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
   The SafeNet Authentication Manager Policy Manager window opens.
2. In the left pane, right-click the appropriate container, select New, and select the type of object to add.
3. When adding a group, the New Object - Group window opens.
   Assign a Group name, and click OK.

Note:
Do not include an ampersand symbol, &, in the assigned name.

4. When adding an OU, the New Object - Organizational Unit window opens.
   Assign a Name, and click OK.

Note:
Do not include an ampersand symbol, &, in the assigned name.

Viewing and Editing Group Properties

To view and edit the properties of a group:

1. Open SafeNet Authentication Manager Policy Manager. See Opening SafeNet Authentication Manager - Policy Manager on page 360.
   The SafeNet Authentication Manager Policy Manager window opens.
2. In the right pane, right-click the appropriate group, and from the drop-down menu, select Properties.
   In this example, the group Users is selected.
   The object's Properties window opens to the General tab.
3. To modify the object's description, change the Description, and click OK.
4. To view or modify the list of members, select the Members tab.
5. To remove a member, select the member, and click Remove.
6. To add a member, click Add.
   The User or Group window opens.
7. Enter the user or group name and, to verify that the object exists, click Check names.
8. Click OK.
9. To view or modify the list of groups of which the object is a member, select the Member of tab.
10. To remove an object from the list, select the object, and click Remove.
11. To add an object to the list, click Add.
    The User or Group window opens.
12. Enter the name and, to verify that the object exists, click Check names.
13. Click OK to save the changes.

Chapter 19

Desktop Agent

The Desktop Agent can be used for sending expiration alerts to administrators and users, to audit the removal and connection of tokens, and to download SafeNet eToken Rescue files automatically from the website to the user's computer.

Note:
The Desktop Agent works only when Active Directory (AD) or ADAM is used as the user store.

In this section:

Overview of the Desktop Agent
Adding the Desktop Agent Template to the GPO Editor
Editing the Desktop Agent Settings in the GPO Editor
Desktop Agent Settings
Configuring Automatic Download of SafeNet eToken Rescue
Configuring Attendance Reports
Configuring the Legacy Desktop Agent
Troubleshooting

Overview of the Desktop Agent

The Desktop Agent is an application used to perform operations set by the administrator.

The Desktop Agent, also known as the SAM Agent, can be installed as a SAM Client component on the desktops of SAM users. It functions as a feature of SafeNet Authentication Client. Users of eToken PKI Client use the legacy TMS Desktop Agent.

Users log on to SAM automatically when they connect their token to a computer on the network. Depending on your SafeNet Authentication Manager configuration, the Desktop Agent does the following:

Sends alerts to users when their token content is about to expire or is not up to date
Enables automatic distribution of SafeNet eToken Rescue files to users' computers
Keeps a record of the total number of tokens logged on at any given time; this token connection and removal audit can be used for an Hourly Distribution of Token Connections report

Open the Desktop Agent Status window from the SafeNet Authentication Client tray menu or from the eToken PKI Client tray menu. For a description of the Desktop Agent Status window, see the SafeNet Authentication Manager User's Guide.

Adding the Desktop Agent Template to the GPO Editor

Configure the Desktop Agent using the Group Policy Object Editor (GPO Editor). The configuration uses an Administrative Template (ADM) file, which must be added to the GPO Editor.

To add the ADM file to the GPO Editor:

1. From the Start menu, go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. Right-click the domain, and click Properties.

Note:
The ADM can be configured either on the OU or on the domain level, and it can be limited to specific groups or users. In this example, the ADM is configured on the domain level.

   The domain's Properties window opens.
3. Select the Group Policy tab.
4. Select the appropriate Group Policy Object name, and click Edit.
   The Group Policy Object Editor window opens.
5. In the navigation pane, right-click Administrative Templates, and from the drop-down menu, select Add/Remove Templates.
   The Add/Remove Templates window opens.
6. Click Add, and navigate to the appropriate ADM file. The default path is:
   In 32-bit environments:
   C:\Program Files\SafeNet\Authentication\SAM\x32\Adm
   In 64-bit environments:
   C:\Program Files\SafeNet\Authentication\SAM\x64\Adm
   The Policy Templates window displays the SAM template options.
7. Select the appropriate Desktop Agent template for your installation:
   SAC_Desktop_Agent.adm: for environments running SafeNet Authentication Client 8.0 or later
   PKI_Desktop_Agent.adm: for environments running legacy eToken PKI Client
   In this example, SAC_Desktop_Agent.adm is selected.
8. Click Open.
   The SAC_Desktop_Agent template is added to the list of administrative templates in the Add/Remove Templates window.
9. Click Close.
   In the Group Policy Object Editor window's navigation pane, SAM Desktop Agent Settings is displayed under Administrative Templates.


Editing the Desktop Agent Settings in the GPO Editor

Before editing the Desktop Agent, the Desktop Agent administrative template must be added to the GPO Editor. For more information, see Adding the Desktop Agent Template to the GPO Editor on page 372.

Note:
In this example, the SAM Desktop Agent is installed. When using the legacy Desktop Agent, substitute TMS for SAM.

To edit the Desktop Agent Settings:

1. In the navigation pane of the GPO Editor window, select Computer Configuration > Administrative Templates > SAM Desktop Agent Settings.
   SAM Desktop Agent Settings contains the following templates:
   SAM Desktop Agent General Settings
   eToken Update Alerts
   eToken Rescue Automatic Downloads
   eToken Attendance Reports
2. Click on a template in the navigation pane or in the right pane.
   In this example, eToken Update Alerts is selected.
   The right pane displays the settings contained in the selected template.
3. To change a setting, double-click on the setting (for example, Check server for expiration date) in the right pane.
   The Properties window for the selected setting opens.

Note:
The Explain tab contains a description of the setting.

4. Make the required changes in the Setting tab:
   Not Configured: the default value is used
   Enabled: enables you to select or enter a value in the box (see the Explain tab for details)
   Disabled: do not use; this is not activated for Desktop Agent settings
   Click OK, or click Next to go to the next setting.
5. Edit the settings. For more information, see Desktop Agent Settings on page 379.
6. To save the changes, run Start > Run > gpupdate, and click OK.

Desktop Agent Settings

Note:
In this example, the SAM Desktop Agent is installed. Some setting names differ slightly in the legacy Desktop Agent.

Template: SAM Desktop Agent General Settings

SAM Servers
  Defines the list of SAM Servers used by the SAM Desktop Agent.
  Note: The list must be in URL format, separated by ';'. The full path must be used. For example:
  http://netbios1/SAMagent/service.asmx;http://netbios2/SAMagent/service.asmx

Load balance SAM servers
  Determines how the servers listed in the 'SAM Servers' setting are used.
  Values:
  1 (True) - Each client randomly selects a server from the list, and then round-robins to the next server listed for each subsequent request.
  0 (False) - The first server on the list is always accessed, and the next servers are used for failover only.
  Default is 0.

Communication error retry period
  Defines the number of minutes to wait before the next communication attempt following a communication error.
  Default is 10 minutes.

Template: eToken Update Alerts

Ignore certificate expiration alert
  Determines if already expired certificates are part of the expiry date computation.
  Values:
  1 (True) - Ignore expired certificates
  0 (False) - Don't ignore expired certificates
  Default is 0 (False).

Check server for expiration dates
  Determines if the server is checked for expiration dates of token data, such as certificates or OTP.
  Notes:
  - Set this value to 0 if tokens do not contain time-limited data.
  - If the 'Check token for expiration dates' setting is set to 1, data on the token is checked before data on the server.
  - It is recommended to use frequent periodic checks for expirable content.
  Values:
  1 (True) - The server is checked
  0 (False) - The server is not checked
  Default is 1 (True).

Check token content
  Determines if the server is checked for TPO changes that apply to the token.
  Note: It is recommended to minimize the frequency of the periodic checks to reduce server overload. Co-ordinate the frequency of the checks with changes to the TPO settings.
  Values:
  1 (True) - The server is checked
  0 (False) - The server is not checked
  Default is 1 (True).

Check token for expiration dates (for installations running eToken PKI Client only)
  Determines if physical tokens are checked for expiration dates of data, such as certificates and profiles.
  Note: Set this value to 0 if tokens do not contain time-limited data. If the 'Check server for expiration dates' setting is set to 1, data on the token is checked before data on the server.
  Values:
  1 (True) - The token is checked
  0 (False) - The token is not checked
  Default is 0 (False).
  Important: Even if the Check token for expiration dates setting is set to true, the Check server for expiration dates and/or Check token content settings must be enabled for the Verify Token Content feature to appear in the SafeNet Authentication Client tray icon menu.

Pre-expiration alert period
  Defines the number of days before token data expires that an alert is displayed.
  Note: An alert is displayed only after verification of expiration dates on the token or server.
  Default is 30 days.

Alert text
  Defines the text to display in the alert balloon upon token data expiration or when the token content must be updated.
  Default message is "Your token content must be updated."
  When 'Alert message click action' is set to 1 or 2, the message prompts the user to click the balloon.

Pre-expiration alert text
  Defines the text to display in the alert balloon within the time defined in the 'Pre-expiration alert period' setting. The following keywords can be included in the text, and will be replaced by their actual values:
  $EXPIRY_DATE - the token data's expiration date
  $EXPIRE_IN_DAYS - the number of days until expiration
  Default message is "Data on your token expires in $EXPIRE_IN_DAYS."

Alert title
  Defines the title of the alert balloon.
  Default title is "eToken Notification".

Alert message click action
  Defines the action performed if the user clicks the alert balloon.
  Values:
  0 - No action
  1 - Show the detailed message defined in the 'Alert detailed message' setting
  2 - Open the website defined in the 'Alert website URL' setting
  Default is 0 (No action).

Alert detailed message
  Defines the message displayed if the user clicks the alert balloon when the 'Alert message click action' setting is set to 1.
  Default is an empty string.

Alert website URL
  Defines the website URL opened if the user clicks the alert balloon when the 'Alert message click action' setting is set to 2.
  Default is an empty string.

Update alert minimum interval
  If the 'Check token content' or 'Check server for expiration dates' setting is activated (set to 1), defines the number of days to wait before the next server check following a successful server verification.
  Default is 14 days.
  Note: We recommend setting the alert minimum interval to as long an interval as possible, to avoid server overload.

Template: SafeNet eToken Rescue Automatic Download

Download SafeNet eToken Rescue Automatically
  Determines if a SafeNet eToken Rescue replacement token is automatically downloaded when a change to the token content is detected.
  Values:
  1 (True) - Automatically download
  0 (False) - Do not automatically download
  Default is 0 (False).
  If automatic download is activated, the file is downloaded to:
  XP: C:\Documents and Settings\username\My Documents\eTokenRescue
  Vista: %USERPROFILE%\Documents\eTokenRescue

Download check minimum interval
  If the 'Download SafeNet eToken Rescue Automatically' setting is set to 1, this defines the number of days between checks of the SAM database to determine if the token content has changed.
  Default is 14 days.

Template: eToken Attendance Reports

Enable token auditing
  Determines if token auditing is enabled.
  Values:
  1 (True) - Enabled
  0 (False) - Not enabled
  Default is 0 (False).
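The following PowerShell is added here as an example; it is not part of the guide and not SafeNet's code. It models two rules from the table so they can be checked before a GPO is rolled out: the 'SAM Servers' value must be a ';'-separated list of full URLs ending in the service page, and the alert shown to a user depends on 'Ignore certificate expiration alert', 'Pre-expiration alert period' and the two alert texts with their $EXPIRY_DATE and $EXPIRE_IN_DAYS keywords. The function names Test-SamServerList and Get-TokenExpiryAlert, the server list and the expiry dates are all constructed for the example. The http check is the practitioner's addition: the agent fetches token policy changes and, when enabled, eToken Rescue replacement tokens from these URLs, so a cleartext http:// entry deserves a second look.

```powershell
# Added example, not from the SafeNet guide. Function names and sample data are hypothetical.

function Test-SamServerList {
    # Checks each entry of the ';'-separated list the 'SAM Servers' setting expects.
    param([Parameter(Mandatory=$true)][string]$ServerList)

    $result = @()
    foreach ($entry in ($ServerList.Split(';') | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $uri = $null
        $ok = [System.Uri]::TryCreate($entry, [System.UriKind]::Absolute, [ref]$uri)
        $problems = @()
        if (-not $ok)                                  { $problems += 'not an absolute URL' }
        elseif ($uri.AbsolutePath -notmatch '\.asmx$') { $problems += 'full path to service.asmx missing' }
        if ($ok -and $uri.Scheme -eq 'http')           { $problems += 'cleartext http; token content is fetched unprotected' }
        $result += New-Object PSObject -Property @{ Url = $entry; Problems = ($problems -join '; ') }
    }
    return $result
}

function Get-TokenExpiryAlert {
    # Applies the documented alert rules to the expiry dates found on the token or server.
    param(
        [datetime[]]$ExpiryDates,
        [int]$PreExpirationAlertPeriodDays = 30,
        [bool]$IgnoreExpired = $false,
        [string]$AlertText = 'Your token content must be updated.',
        [string]$PreExpirationAlertText = 'Data on your token expires in $EXPIRE_IN_DAYS.',
        [datetime]$Now = (Get-Date)
    )
    $candidates = $ExpiryDates
    if ($IgnoreExpired) { $candidates = $ExpiryDates | Where-Object { $_ -gt $Now } }
    if (-not $candidates) { return $null }            # nothing time-limited to report on

    $earliest = @($candidates | Sort-Object)[0]
    $daysLeft = [int][math]::Ceiling(($earliest - $Now).TotalDays)

    if ($daysLeft -le 0) {
        # Expired data is reported with the plain 'Alert text'.
        return New-Object PSObject -Property @{ Kind = 'Expired'; Text = $AlertText; ExpiryDate = $earliest }
    }
    if ($daysLeft -le $PreExpirationAlertPeriodDays) {
        # Inside the pre-expiration window: substitute the two keywords.
        $text = $PreExpirationAlertText.Replace('$EXPIRE_IN_DAYS', "$daysLeft").Replace('$EXPIRY_DATE', $earliest.ToShortDateString())
        return New-Object PSObject -Property @{ Kind = 'PreExpiration'; Text = $text; ExpiryDate = $earliest }
    }
    return $null                                       # outside the window: no balloon
}

# Constructed sample input
$servers = 'http://sam1/SAMagent/service.asmx;https://sam2.corp.example/SAMagent/service.asmx;https://sam3.corp.example/SAMagent'
Test-SamServerList $servers | Format-Table Url, Problems -AutoSize

$now   = Get-Date '2010-09-21'
$dates = @((Get-Date '2010-09-01'), (Get-Date '2010-10-10'), (Get-Date '2011-03-01'))
Get-TokenExpiryAlert -ExpiryDates $dates -Now $now                        # the expired item wins: Kind = Expired
Get-TokenExpiryAlert -ExpiryDates $dates -Now $now -IgnoreExpired $true   # next item is 19 days out: pre-expiration text
```

Run with 'Ignore certificate expiration alert' modelled both ways to see why the default of 0 keeps nagging about a certificate that has already lapsed: only the -IgnoreExpired run reports the next upcoming expiry.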

Configuring Automatic Download of SafeNet eToken Rescue

To enable the automatic download of SafeNet eToken Rescue to users' computers, the SAM Servers must be part of Internet Explorer's Local Intranet zone. (To see the Internet Explorer security settings for the Local Intranet zone, in Internet Explorer select Tools > Internet Options > Security tab > Local Intranet.)

There are two ways of including the SAM Servers in the Local Intranet zone:
- By default, IE treats a site as an intranet site if the server name does not contain periods (for example: http://mySAM/SAMagent). Addressing the SAM Servers by their short names is therefore enough on a default configuration.
- Configure a GPO that lists the URL of every SAM Server in the zone mapping. List only the SAM Server names, not wildcard patterns: the Local Intranet zone permits automatic logon with the user's Windows credentials, so any host placed in it can authenticate the user silently. The following procedures update the GPO for computers or for users.

To configure the Intranet Zone for computers:

1. Add the URLs to the following setting in the GPO Editor:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

2. Set the authentication mode to Automatic logon only in Intranet zone in the following setting in the GPO Editor, where {zone name} is the Intranet Zone folder:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\{zone name}\Logon Options

To configure the Intranet Zone for users:

1. Add the URLs to the following setting in the GPO Editor:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

2. Set the authentication mode to Automatic logon only in Intranet zone in the following setting in the GPO Editor, where {zone name} is the Intranet Zone folder:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\{zone name}\Logon Options
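The two computer-side GPO settings above are stored under the Internet Explorer policy keys, and the PowerShell below, added here as an example and not taken from the guide, writes and reads back the same values on one machine so the mapping can be tested before the domain GPO is linked. It must run elevated; once the GPO applies, its values replace whatever was written locally. The host names sam1.corp.example and sam2.corp.example are placeholders.

```powershell
# Added example, not from the SafeNet guide. Server names are placeholders; run as Administrator.

$policyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap    = Join-Path $policyRoot 'ZoneMapKey'   # backing store of 'Site to Zone Assignment List'
$intranet   = Join-Path $policyRoot 'Zones\1'      # zone 1 = Local intranet
$samServers = @('sam1.corp.example', 'sam2.corp.example')

foreach ($key in @($zoneMap, $intranet)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

foreach ($name in $samServers) {
    # Exactly the SAM hosts, never a wildcard: zone 1 allows automatic logon with the
    # user's Windows credentials, and a broad pattern would extend that to any matching host.
    New-ItemProperty -Path $zoneMap -Name "http://$name" -Value '1' -PropertyType String -Force | Out-Null
}

# 'Logon options' = 'Automatic logon only in Intranet zone': value 1A00 = 0x20000
New-ItemProperty -Path $intranet -Name '1A00' -Value 0x20000 -PropertyType DWord -Force | Out-Null

function Get-IntranetZoneAssignments {
    # Lists the URLs that policy assigns to the Local intranet zone, for verification.
    $props = Get-ItemProperty -Path $zoneMap
    $props.PSObject.Properties |
        Where-Object { $_.Name -like '*://*' -and $_.Value -eq '1' } |
        ForEach-Object { $_.Name }
}

Get-IntranetZoneAssignments
(Get-ItemProperty -Path $intranet -Name '1A00').'1A00' -eq 0x20000   # True once the logon option is set
```

For the user-side variant, point $policyRoot at HKCU:\Software\Policies\... instead; the value names and data are the same.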

Configuring Attendance Reports

Attendance Reports list token connection and removal events, enabling the system administrator to keep records of when tokens are in use, at what time the maximum number of tokens are in use, the days of the week when the maximum work is done, and other information.

Opening the Desktop Agent Settings Window

To open the Desktop Agent Settings window:

1. From the Windows desktop, select Start > Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager.

2. In the SAM Configuration Manager, select Action > IIS and Web Services > Desktop Agent.
The Desktop Agent Settings window opens.

Creating an Attendance Reports MS SQL Server Database

To create an MS SQL Server Attendance Reports database, do one of the following:
- Create an MDF file from the supplied SQL script and then attach it to an MS SQL Server.
- Copy the SQL script to the clipboard and use it in an external tool.
- Create the database when making a connection to the MS SQL Server.

To connect to an existing MS SQL Server database through an MS SQL Server connection:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Click Edit Connection.
The Token Connection Audit Database window opens.

3. Select SQL Server, and click OK.
The SQL Server window opens.

4. In the Select a server name field, select a server from the drop-down list.

Note:
For the full name of the server to be displayed in the Select a server name field, the SQL Server Browser service must be running. To activate the service, select Start > Programs > Administrative Tools > Services. Right-click SQL Server Browser, and select Start.

5. Select one of the following authentication types:
- Use Windows authentication
- Use SQL Server authentication (enter Username and Password)

Note:
If the Windows authentication option is selected, ensure that the SAM System Account has permissions to the MS SQL Server database. This is not required if SQL Server authentication is selected, because the username and password entered here are used instead; in that case, use a dedicated SQL login with rights limited to this database rather than sa.

6. In the Database area, click Select, and select the required database.

7. Click OK.

Adding a Renamed MDF File to MS SQL Server

By default, the MDF file is saved with the file name SAMAttendanceReports.mdf, and the log file is saved with the default file name SAMAttendanceReports_log.ldf. If you change the name of one of the files, the file is not found when you attempt to add it to MS SQL Server.

To attach the renamed file, in the MS SQL Server Attach Databases window, in the database details list, click the browse button in the Current File Path field, navigate to the renamed file and select it. It will now be added correctly.
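The attach and the permission check in the two procedures above can also be done from PowerShell. The script below is an added example, not the guide's or SafeNet's code: it attaches the MDF/LDF pair under the original database name (which is also how a renamed pair is attached, since FOR ATTACH takes the current file names) and then gives the SAM System Account only the reader and writer roles in that database, which is the least privilege that a Windows-authenticated connection needs at run time; grant more only if the Desktop Agent logs a permission error. It assumes Invoke-Sqlcmd from the SqlServer or SQLPS module and a caller who is a SQL sysadmin. The instance, file paths and account name are placeholders.

```powershell
# Added example, not from the SafeNet guide. Instance, paths and account are placeholders.

$instance   = '.\SQLEXPRESS'
$dbName     = 'SAMAttendanceReports'
$mdfPath    = 'D:\SAMData\SAMAttendanceReports.mdf'
$ldfPath    = 'D:\SAMData\SAMAttendanceReports_log.ldf'
$samAccount = 'CORP\svc-sam'                 # the SAM System Account

foreach ($f in @($mdfPath, $ldfPath)) {
    if (-not (Test-Path $f)) { throw "File not found: $f" }
}

# FOR ATTACH uses the files as they are named now; the logical database name stays the same.
$attachSql = @"
IF DB_ID(N'$dbName') IS NULL
    CREATE DATABASE [$dbName]
        ON (FILENAME = N'$mdfPath'), (FILENAME = N'$ldfPath')
        FOR ATTACH;
"@

# Least privilege for Windows authentication: a login plus read/write roles, no sysadmin, no db_owner.
$grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$samAccount')
    CREATE LOGIN [$samAccount] FROM WINDOWS;
USE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$samAccount')
    CREATE USER [$samAccount] FOR LOGIN [$samAccount];
EXEC sp_addrolemember N'db_datareader', N'$samAccount';
EXEC sp_addrolemember N'db_datawriter', N'$samAccount';
"@

Invoke-Sqlcmd -ServerInstance $instance -Query $attachSql
Invoke-Sqlcmd -ServerInstance $instance -Query $grantSql

# Verify which database roles the account actually holds.
$checkSql = @"
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$samAccount';
"@
Invoke-Sqlcmd -ServerInstance $instance -Database $dbName -Query $checkSql
```

sp_addrolemember is used instead of ALTER ROLE ... ADD MEMBER so that the same script runs on the SQL Server 2005 and 2008 releases current for SAM 8.0.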

To save the SQL script to the Clipboard:
Click Copy to Clipboard.

To create a new MS SQL Server database while creating a new connection:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Click Edit Connection.
The Token Connection Audit Database window opens.

3. Select SQL Server, and click OK.
The SQL Server window opens.

4. In the Select a server name field, select a server from the drop-down list.

Note:
For the full name of the server to be displayed in the Select a server name field, the SQL Server Browser service must be running. To activate the service, select Start > Programs > Administrative Tools > Services. Right-click SQL Server Browser, and select Start.

5. In the Database area, click New.
The Create Database window opens.

6. Select the required authentication type, enter the new database name, and click OK.
The new database is created. If Windows authentication is used, make sure the SAM System Account has permissions on the new database, as described in the note above.

7. Click OK.

Connecting to an Existing MS SQL Server Database through an ODBC Connection

To connect using an ODBC connection, do the following:
- Create an ODBC connector.
- Connect to an existing MS SQL Server database through the ODBC connection.

To create an ODBC connector:

1. Select Start > Programs > Administrative Tools > Data Sources (ODBC).
The ODBC Data Source Administrator window opens.

2. In the System DSN tab, click Add.
The Create New Data Source window opens.
A System DSN is required: the Desktop Agent web service runs under its own service identity, not under the account of the logged-on administrator, so a User DSN would not be visible to it.

3. Select SQL Server, and click Finish.
The Create a New Data Source to SQL Server window opens.

4. Enter a name for the data source, enter a description, select the server to connect to, and click Next.

5. Select the required authentication options, and click Next.

6. Select the required options, and click Next.

7. Select the required options, and click Finish.
The ODBC Microsoft SQL Server Setup window opens.

8. Click OK.

To connect to an existing MS SQL Server database through an ODBC connection:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Click Edit Connection.
The Attendance Configuration window opens.

3. Select ODBC, and click OK.
The Select ODBC Source window opens.

4. On the System DSN tab, select the required ODBC connector, and click OK.

Note:
After connecting to MS SQL Server through an ODBC connection, the SQL Server service must be restarted. To restart the service, select Start > Programs > Administrative Tools > Services. Right-click the SQL Server service, and select Restart.

Saving Data for Attendance Reports

Attendance reports contain a selected subset of token connection data. By selecting Save Token Connection Data, a full set of token connection data is created in an MS SQL Server data table. Each token connection is represented as an entry in the table. This makes the complete set of data available for examination and analysis.

Note:
We recommend using this feature only when it is required for analytical purposes, as the additional data imposes an extra load on the system.

To save the token connection data on the client:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Select Save Token Connection data, and click OK.

Clearing the Token Connection Data History

To clear the token connection data:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Select a date in the Clear Token Connection data created before field.

3. To clear the data even of open connections, select Include open connections.
An open connection occurs when a connection has a start date but no end date. This can occur when the computer is shut down without the connections being closed, or when there is a technical fault.

4. Click Clear History.

5. Click OK.

Displaying an Error Message Following Server Error

To write an error to the log on the client computer following a server error:

1. Open the Desktop Agent Settings window. For more information, see Opening the Desktop Agent Settings Window on page 386.

2. Select Notify client upon server error, and click OK.

Note:
We recommend using this feature only when it is required for analytical purposes or requested by support staff, to avoid an additional load on the system.

Configuring the Legacy Desktop Agent

The legacy Desktop Agent was superseded by the updated Desktop Agent introduced in TMS 2.0 SP4, but is still available in SAM 8.0 to support backward compatibility.

The legacy Desktop Agent is configured using the SAM Desktop Agent Web Services, located on the SAM Server. It can be configured to determine the following:
- The path where SafeNet eToken Rescue is temporarily saved
- Whether the temporary SafeNet eToken Rescue file is removed from the server
- The time interval for messages arriving from tokens, used to determine if tokens are still connected

The configuration is set in the web.config file, typically located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMAgentlegacy

The configuration settings are added to the <appSettings> section of the web.config file as self-closing add elements, using the syntax shown in the following example:
<add key="SoftTokenTempFolder" value="C:\Documents and Settings\Administrator\Local Settings\Temp" />

SAM Desktop Agent Web Services Settings

SoftTokenTempFolder (value type: Path)
  The path where SafeNet eToken Virtual is saved temporarily.
  Default: the system Temp directory.

DeleteSoftTokenTempFile (value type: Boolean)
  Determines if the temporary SafeNet eToken Virtual file is removed from the server.
  Default: True.

MaxTokenAliveIntervalSeconds (value type: Integer)
  The number of seconds after which, if no message has been received from the token, the token is considered removed.
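Because these keys are hand-edited XML, the usual failure is a duplicated <appSettings> element or a malformed add element that takes the web service down. The PowerShell below is an added example, not from the guide or SafeNet: it sets the three keys idempotently through the XML DOM, backs up the file first, and refuses a temp folder that is not a fixed local path, since eToken Virtual files are staged there and the folder should be local and NTFS-restricted to the application pool identity. The web.config path is the default quoted above; the folder and the interval value are placeholders (the guide lists no default for MaxTokenAliveIntervalSeconds).

```powershell
# Added example, not from the SafeNet guide. Folder and interval values are placeholders.

$webConfig = 'C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMAgentlegacy\web.config'
$settings  = @{
    SoftTokenTempFolder          = 'D:\SAMTemp\eTokenRescue'   # local folder, ACL restricted to the app pool identity
    DeleteSoftTokenTempFile      = 'True'                       # do not leave staged token files behind
    MaxTokenAliveIntervalSeconds = '120'                        # placeholder value
}

function Set-AppSetting {
    # Creates or updates <add key="..." value="..."/> under /configuration/appSettings.
    param([xml]$Config, [string]$Key, [string]$Value)
    $appSettings = $Config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $Config.DocumentElement.AppendChild($Config.CreateElement('appSettings'))
    }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $appSettings.AppendChild($Config.CreateElement('add'))
        $node.SetAttribute('key', $Key)
    }
    $node.SetAttribute('value', $Value)
}

$folder = $settings['SoftTokenTempFolder']
if (-not [System.IO.Path]::IsPathRooted($folder) -or $folder.StartsWith('\\')) {
    throw "SoftTokenTempFolder must be a local absolute path, got '$folder'"
}

Copy-Item $webConfig "$webConfig.bak" -Force
[xml]$cfg = Get-Content $webConfig
foreach ($k in $settings.Keys) { Set-AppSetting -Config $cfg -Key $k -Value $settings[$k] }
$cfg.Save($webConfig)

# Show the resulting appSettings; re-parsing also proves the file is still well-formed.
([xml](Get-Content $webConfig)).configuration.appSettings.add | Format-Table key, value -AutoSize
```

Saving web.config restarts the ASP.NET application, so run this in a maintenance window rather than while users are being served.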

Troubleshooting

The expiration alert is displayed to the user once in the period of time defined in the Desktop Agent settings. After the alert has been displayed once, the next alert is shown only after that period of time has elapsed. To force an appropriate expiration alert to be displayed before the defined period of time, clear the Desktop Agent cache.

To clear the Desktop Agent cache:

1. Select Start > Run, type regedit, and click OK.

2. Browse to the following registry key:
HKEY_CURRENT_USER\Software\SafeNet\Authentication\SAM\DesktopAgentII\TokenUpdateAlerts\VerificationTracking

3. Delete the values of type REG_DWORD under this key (registry values, not the key itself, carry the REG_DWORD type).

4. Log off and then log on.
The appropriate expiration alert is displayed.
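The same cache clearing, scripted so that a helpdesk can do it without handing users regedit, as an added example that is not from the guide or SafeNet. It removes only the REG_DWORD values under the VerificationTracking key of the current user, leaves any other value type alone, and supports -WhatIf for a preview. The function name is hypothetical; the key path is the one given in the procedure above.

```powershell
# Added example, not from the SafeNet guide. Run as the user whose alert should be re-triggered.

function Clear-DesktopAgentAlertCache {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string]$KeyPath = 'HKCU:\Software\SafeNet\Authentication\SAM\DesktopAgentII\TokenUpdateAlerts\VerificationTracking'
    )
    if (-not (Test-Path $KeyPath)) {
        Write-Warning "Key not found: $KeyPath (no verification has been recorded for this user yet)"
        return
    }
    $key = Get-Item -Path $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # leave the key's default value alone
        # Only the DWORD tracking values are cleared; other value types are left in place.
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { continue }
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Remove REG_DWORD value')) {
            Remove-ItemProperty -Path $KeyPath -Name $name
        }
    }
}

Clear-DesktopAgentAlertCache -WhatIf   # preview what would be removed
Clear-DesktopAgentAlertCache           # then log off and log on again
```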

Chapter 20

External Portals

SafeNet Authentication Manager is supplied with external portals, which are installed and configured separately from the main SafeNet Authentication Manager installation and configuration.

In this section:
Overview of SAM External Portals
Deliverables
Prerequisites
Installing the SAM External Portals
Configuring SAM Portals
Setting the Logon Credentials in Google Apps
Setting the Logon Credentials in Force.com
Logging on to the Cloud
Changing the OTP PIN in Google Apps
Configuring the Username Attributes

Overview of SAM External Portals

The following external portals are available:
- eToken Anywhere Enrollment
- MobilePASS Enrollment
- MobilePASS Messaging
- Cloud Authentication

In addition, the portal source code is available, to enable customization of the portals.

Deliverables

The following SAM External Portals installation files are provided:
- SAMPORTALSx328.0.msi (32-bit)
- SAMPORTALSx648.0.msi (64-bit)

Prerequisites

The following must be installed before installing the SAM External Portals:
- IIS
- ASP.NET

Installing the SAM External Portals

The SAM External Portals are delivered separately from the main SafeNet Authentication Manager application.

To install the SAM External Portals:

1. Double-click the appropriate installation file:
- SAMPORTALSx328.0.msi (32-bit)
- SAMPORTALSx648.0.msi (64-bit)
The SafeNet Authentication Manager Portals Installation Wizard opens.

2. Click Next.
The License Agreement window opens.

3. Select I accept the license agreement and click Next.
The Destination Folder window opens.

4. To change the default destination folder, click Browse and navigate to the required folder.

Note:
If SafeNet authentication applications or legacy eToken products were previously installed on the computer, it is not possible to select a different destination folder.

5. Click Next.
The Select Installation Type window opens.

6. Select one of the following options:
- Typical: Installs all portals
- Complete: Installs all portals and their source code
- Custom: Enables you to select which portals to install
The source code is only needed for customization; on a portal host that faces the Internet, install only the portals you actually expose, and keep the source code on a development machine.

7. Click Next.
The Ready to Install the Application window opens.

8. Click Next.
The installation proceeds.
When the installation is complete, the SafeNet Authentication Manager Portals has been successfully installed window opens.

9. Click Finish to complete the wizard.

Configuring SAM Portals

The portals are configured using the SafeNet Authentication Manager Portals Configuration.

Configuring Roles for SAM Portals

Before adding portal connections, an operation must be added to the Administrator role in the SafeNet Authentication Manager Authorization Manager.

To configure the Administrator Role:

1. Launch the SAM Configuration Manager. For more information, see Launching the SAM Configuration Manager on page 180.

2. From the Action menu, select Authorization Manager > Edit Roles.
The SafeNet Authentication Manager Authorization Manager opens.

3. Navigate to Management Center > Definitions > Role Definitions.

4. Right-click Administrator and select Properties.
The Administrator Definition Properties window opens.

5. In the Definition tab, click Add.
The Add Definition window opens.

6. In the Operations tab, select op_web_service_api_access and click OK.
You are returned to the Administrator Definition Properties window.

7. Click OK and exit the SafeNet Authentication Manager Authorization Manager.

Adding a Portal Connection

A connection must be added for each required portal:
- eToken Anywhere Enrollment
- MobilePASS Enrollment
- MobilePASS Messaging
- Cloud Authentication

To add a portal connection:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration.
The SafeNet Authentication Manager Portals Configuration window opens.

2. Open the Connections tab and click Add.
The Connection Details window opens.

3. Complete the fields as follows:
- Connection Name: Enter a name for the connection.
- SAM Server URL: Enter the URL of the SAM Server, in the format http://hostname
- Username: Enter the username used for logging on to SAM.
- Password: Enter the password used for logging on to SAM.
- Instance Name: Click Select; the Select SAM instance window opens. Select the instance name of the SAM database.
The account entered here must hold the Administrator role extended with op_web_service_api_access above, and its credentials are kept by the Portals Configuration for the portals' use; prefer a dedicated SAM account for the portals over a personal administrator logon.

4. Click OK.
The connection is added to the list of connections in the SafeNet Authentication Manager Portals Configuration window.

Configuring Cloud Logon

To configure cloud logon:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Portals Configuration.
The SafeNet Authentication Manager Portals Configuration window opens.

2. Open the Cloud Configuration tab and click Add.
The Add Configuration window opens.

3. Complete the fields as follows:

Configuration Name
  Enter any name for the configuration.

Service Provider
  Select one of the following service providers:
  - Google Apps
  - Force.com
  Note: The user must have an account at the service provider.

Username Passed to the Service Provider
  Select one of the following:
  - Username entered in the cloud portal: the SAM username is the same as the username in Google Apps or Salesforce.
  - Use attribute in the user store: if selected, select the attribute name from the drop-down list. For more information, see Configuring the Username Attributes on page 418.

Authentication Initiator
  Select one of the following:
  - Authentication requests must be initiated by the Service Provider only: the URL is provided by Google (Google Apps only).
    Important: Even though this option is not supported by Force.com, the field is not disabled when Force.com is selected.
  - Authentication requests can be initiated by the Identity Provider: Force.com only. The URL is provided during configuration of Force.com.

4. To select logon page options, click Logon Page.
The Cloud Logon Page Options window opens.

5. Select the links that you require in the cloud logon page (you can select one, both or none):
- Send me the OTP in a message: select this option when you have a MobilePASS Messaging token enrolled.
- Send me a Challenge Code for my token: select this option when using a token with challenge/response.

6. Click OK.
You are returned to the Add Configuration window.

7. Click OK.
You are returned to the SafeNet Authentication Manager Portals Configuration window, Cloud Configuration tab. The configuration is added to the list.

8. Select the required configuration from the list and click Info.
The Domain URL window opens.

9. Enter your company's URL and click OK.
The Cloud Configuration Info window opens.

10. The fields are displayed as follows:

Domain URL
  Displays the domain URL.

Sign-in page URL
  Displays the sign-in page URL.
  Note: This URL is used for logging on to Salesforce, following configuration.

Sign-out page URL
  Displays the sign-out page URL (Google Apps only).

Change password URL
  Displays the change password URL (Google Apps only).

Issuer Name
  The computer where the SafeNet Authentication Manager External Portals are installed.

11. To export the certificate, click Export Certificate.
The Save As window opens.

12. Enter a file name and click Save.

Note:
The certificate is imported into the Google Apps or Force.com portals when configuring the logon. It is the certificate with which the portal signs SAML assertions, and the service provider verifies every logon against it; its private key never leaves the portals host and is not part of the exported file.
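Before the exported certificate is uploaded to Google Apps or Force.com it is worth inspecting, since a certificate that expires or that the provider rejects breaks every cloud logon at once. The PowerShell below is an added example, not from the guide or SafeNet: it loads the exported file, reports subject, issuer, thumbprint and validity, and flags the conditions a practitioner would refuse to ship: expired or nearly expired, a public key shorter than 2048 bits, an MD5 or SHA-1 signature, or a file that unexpectedly carries the private key. The function name and the file path are placeholders.

```powershell
# Added example, not from the SafeNet guide. Function name and path are placeholders.

function Test-CloudSigningCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [int]$MinRsaBits = 2048,
        [int]$WarnDaysBeforeExpiry = 90
    )
    # DER and Base64 .cer exports both load this way; a password-protected .pfx would throw here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    $findings = @()
    $now = Get-Date
    if ($cert.NotAfter -lt $now) {
        $findings += "expired on $($cert.NotAfter)"
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDaysBeforeExpiry)) {
        $findings += "expires within $WarnDaysBeforeExpiry days ($($cert.NotAfter))"
    }
    if ($cert.NotBefore -gt $now) { $findings += "not valid before $($cert.NotBefore)" }

    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt $MinRsaBits) { $findings += "public key is only $keySize bits" }
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $findings += "certificate is signed with $($cert.SignatureAlgorithm.FriendlyName)"
    }
    if ($cert.HasPrivateKey) {
        $findings += 'file carries the private key; never upload this file to a service provider'
    }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyBits    = $keySize
        Findings   = $findings
        Ok         = ($findings.Count -eq 0)
    }
}

Test-CloudSigningCertificate -Path 'C:\Temp\sam-cloud-signing.cer'   # placeholder: the file saved in step 12
```

Record the thumbprint this prints: when the certificate is later replaced, the old thumbprint is what you look for in the provider's SSO settings to confirm the swap happened.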

Setting the Logon Credentials in Google Apps

After configuring the SAM portals, the logon settings must be entered into Google Apps.

To configure the logon settings in Google Apps:

1. In Google Apps, select Advanced Tools > Authentication > Set up Single Sign-on (SSO).

2. Select Enable Single Sign-on.

3. Enter the following fields as displayed in the Cloud Configuration Info window (see the Cloud Configuration Info window on page 415):
- Sign-in page URL
- Sign-out page URL
- Change password URL

4. In the Verification Certificate field, click Browse, navigate to the verification certificate, and select the certificate.
The verification certificate is the one exported from the Cloud Configuration Info window (see the Cloud Configuration Info window on page 415).

Setting the Logon Credentials in Force.com

To set the logon credentials in Force.com:

1. Log on to Force.com.

2. Select Setup > Security Controls > Single Sign-On Settings.

3. Select SAML Enabled.

4. Select SAML version 2.0.

5. Next to the Identity Provider Certificate field, click Browse and navigate to the certificate (the cloud certificate exported in the Cloud Configuration Info window).

6. In the Issuer field, enter the Issuer from the Cloud Configuration Info window.

7. Click Save.
The salesforce.com login URL is displayed.

8. Copy the salesforce.com login URL supplied into the Service provider's domain URL field in the Edit Configuration window.

Configuring the Username Attributes

In the Add Configuration window, there is an option to select the content of a field in the user store as the username for logging on to the cloud. For more information, see Configuring Cloud Logon on page 412.
Any field of an Active Directory (AD) user can be selected from the list of attributes. The selected field contains the username for the cloud logon. You can also create new fields to contain the username attributes.

Note:
IIS must be restarted after changing the Username Attributes, because changing the Username Attributes also changes the URL (for more information, see Configuring Cloud Logon on page 412).

To create new username attributes in AD:

1. Open the SafeNet Authentication Manager Configuration Manager (for more information, see Launching the SAM Configuration Manager on page 180).

2. Select Action > Cloud Mapping.
The Cloud Mapping window opens.

3. Enter the required username attribute in a field (for example, AdditionalName1) and click OK.

Tip:
In AD, the attribute must exist in the AD schema. To browse the available attributes, register the Active Directory Schema snap-in and then add it to an MMC console:
regsvr32 C:\windows\system32\schmmgmt.dll

The field (in this example, AdditionalName1) appears in the attribute list in the Add Configuration window.

To create new username attributes in ADAM:

1. Open the SafeNet Authentication Manager Policy Manager.

2. Right-click the user and select Properties.
The Properties window opens.

3. In the Cloud tab, enter the required username attribute in a field (for example, AdditionalName1) and click OK.
The field (in this example, AdditionalName1) appears in the attribute list in the Add Configuration window.
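Instead of browsing the schema snap-in, the check that an attribute exists before it is mapped can be scripted. The PowerShell below is an added example, not from the guide or SafeNet: it asks the current forest's schema for the attribute by its LDAP display name and returns its syntax and whether it is single-valued, which matters because a multi-valued attribute would not give the portal one unambiguous username. The function name is hypothetical and AdditionalName1 is the placeholder from the procedure above; the script must run on a domain-joined machine.

```powershell
# Added example, not from the SafeNet guide. Function name and attribute names are placeholders.

function Test-AdSchemaAttribute {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    try {
        $attr = $schema.FindProperty($LdapDisplayName)
        New-Object PSObject -Property @{
            Exists       = $true
            Name         = $attr.Name
            Syntax       = $attr.Syntax
            SingleValued = $attr.IsSingleValued   # a username mapping should be single-valued
        }
    } catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] {
        New-Object PSObject -Property @{
            Exists = $false; Name = $LdapDisplayName; Syntax = $null; SingleValued = $null
        }
    }
}

Test-AdSchemaAttribute 'mail'               # a standard attribute: exists, Unicode string, single-valued
Test-AdSchemaAttribute 'AdditionalName1'    # placeholder: exists only if it was added to the schema
```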

Chapter 21

Customizing SAM Websites

You can change the text in the SAM Self Service Center and the SAM Rescue Service Center, and can replace the graphic files in the SAM Management Center, SAM Self Service Center and SAM Rescue Service Center.

In this section:
Customizing Text
Customizing Graphic Files

Customizing Text

To change the text in the SAM Self Service Center and the SAM Rescue Service Center, carry out the following two steps:
- Edit the text in the resource files
- Implement the changes using the SAM Branding Tool

Editing the Text in the Resource Files

The text is contained in the resource files (.resx) located at:
C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\Resources

To change the text, open each resource file (for example, Resource.en-US.resx) and use a text editor such as Notepad to make the required changes. The resource files are in XML format.

The files are contained in three folders:

AppFramework (contains resource files with text that is common to both websites)
  Subfolder: en-US (English, USA)
  Files: AuditMessages.en-US.resx, Resource.en-US.resx, WebControlsResources.en-US.resx

SAMRescue (contains resource files with text for the SAM Rescue Service Center)
  Subfolder: en-US (English, USA)
  File: Resource.en-US.resx

SAMService (contains resource files with text for the SAM Self Service Center)
  Subfolder: en-US (English, USA)
  File: Resource.en-US.resx
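Editing .resx files in Notepad is where broken XML (an unescaped ampersand in customer text, a stray angle bracket) creeps in and later fails the ResGen step of the Branding Tool. The PowerShell below is an added example, not from the guide or SafeNet: it lists the strings in a resource file, changes one by its data name through the XML DOM so that special characters are escaped for you, keeps a backup, and re-parses the file to prove it is still well-formed. The file path follows the folder layout above and the resource name WelcomeText is a placeholder; list the real names first.

```powershell
# Added example, not from the SafeNet guide. Resource name and new text are placeholders.

$resx = 'C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\Resources\SAMService\en-US\Resource.en-US.resx'

function Get-ResxStrings {
    # Returns name/value pairs of every <data> element in the .resx file.
    param([string]$Path)
    [xml]$doc = Get-Content $Path
    $doc.root.data | ForEach-Object {
        New-Object PSObject -Property @{ Name = $_.name; Value = $_.value }
    }
}

function Set-ResxString {
    # Replaces the <value> text of the <data name="..."> element; fails if the name is unknown.
    param([string]$Path, [string]$Name, [string]$Value)
    [xml]$doc = Get-Content $Path
    $node = $doc.SelectSingleNode("/root/data[@name='$Name']/value")
    if (-not $node) { throw "No resource named '$Name' in $Path" }
    # InnerText escapes <, > and & so the XML stays well-formed. Whether the page
    # HTML-encodes the string on output is a separate matter: keep markup out of customer text.
    $node.InnerText = $Value
    Copy-Item $Path "$Path.bak" -Force
    $doc.Save($Path)
}

Get-ResxStrings $resx | Where-Object { $_.Value -match 'Rescue|Service' } | Format-Table Name, Value -AutoSize
Set-ResxString -Path $resx -Name 'WelcomeText' -Value 'Welcome to the Example Corp token self-service'
[xml](Get-Content $resx) | Out-Null   # throws if the file is no longer well-formed
```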

Implementing Text Changes with the SAM Branding Tool

After changing the text in the resource files, the changes are implemented in the SAM Self Service Center and/or SAM Rescue Service Center using the SAM Branding Tool.

To implement the text changes:

1. Select Start > Programs > SafeNet > SafeNet Authentication Manager > Branding Tool.
The Resource Compilation Tool window opens.

2. Complete the fields as follows:
- ResGen.exe Path: The path to the ResGen.exe file (typically C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\SDK)
- al.exe path: The path to the al.exe file (typically C:\Program Files\SafeNet\Authentication\SAM\x32\Branding\SDK)
- SafeNet Authentication Manager Path: The path to the SAM installation folder
- Update SAMService: Select to update the SAM Self Service Center
- Update SAMRescue: Select to update the SAM Rescue Service Center
- Compile resources: Select to compile the resource files
- Deploy compiled files: Select to deploy the compiled files to the SAM Self Service Center and/or SAM Rescue Service Center
- Culture: Select the required localization from the list

3. To update the SAM Self Service Center and/or SAM Rescue Service Center with the changes, click Update Website.

4. To revert the SAM Self Service Center and/or SAM Rescue Service Center to their state before the changes, click Restore Website.

Customizing Graphic Files

You can replace the graphic files in the SAM Management Center, SAM Self Service Center and SAM Rescue Service Center.
To do this, manually replace the graphic files located in the image folder of each of the websites. The replacement files must have dimensions identical to the files they are replacing.

The image folders are typically located as follows:

SAM Management Center
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMManage\Images

SAM Self Service Center
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMService

SAM Rescue Service Center
C:\Program Files\SafeNet\Authentication\SAM\x32\Web\SAMRescue\images

Part IV SAM Management

The following chapters describe how to manage SafeNet Authentication Manager using the SAM Management Center.

In this section:

Chapter 22: SAM Management Center Main Features (page 429)
Chapter 23: Helpdesk (page 437)
Chapter 24: Deployment (page 497)
Chapter 25: Inventory (page 517)
Chapter 26: Reports (page 533)
Chapter 27: Downloads (page 563)

Chapter 22

SAM Management Center Main Features

The SAM Management Center is a web-based application that enables the administrator to control all SafeNet Authentication Manager activities.

In this section:

Client Requirements
Browser Settings
OTP Tokens
SafeNet eToken Virtual Products
eToken Network Logon

Client Requirements

To perform activities requiring access to a connected token, the following client applications must be installed on the SAM Management Center computer:

- SafeNet Authentication Client
- SAM Client

If the client applications are not installed, only activities relating to the SAM inventory can be controlled.

Browser Settings

We recommend assigning your browser the following settings:

- For the SAM Management Center website to display correctly, set the browser's Text Size to Medium. On the browser toolbar, select View > Text Size > Medium.
- Set the SAM Management Center as a Local Intranet Site. On the browser toolbar, select Internet Options > Security > Local Intranet.

OTP Tokens

OTP authentication requires a user to submit a One-Time Password. The following tokens provide an OTP for authentication:

- Hardware tokens on which an OTP is generated and displayed
- Temp OTP, a static value provided to a user for temporary use until an OTP-generating device is available
- Mobile-based platforms running a MobilePASS client software application
- MobilePASS Messaging applications that send generated OTPs as SMS (Short Message Service) messages to the user's mobile device, or as messages to the user's email address
- SafeNet eToken Virtual products

Temp OTP

If a user's token is lost or damaged, and temporarily cannot be replaced, the user can request a Temp OTP to replace the token's OTP function. A Temp OTP is a static value to use in place of a generated OTP for a limited time. Since its value does not change, it provides only a low level of security.

MobilePASS Tokens

There are two types of MobilePASS tokens:

- MobilePASS Token Enrolled on a Mobile Device
- MobilePASS Messaging Token

MobilePASS Token Enrolled on a Mobile Device

A MobilePASS client software application can be enrolled on the user's mobile device to generate an OTP without the need for a physical token.

After a MobilePASS token is enrolled, instruct the user to do the following whenever an OTP is required:

a. Open the MobilePASS application on the mobile device.
b. Enter the MobilePASS PIN, if required, to generate an OTP.
c. Copy the generated OTP into the application, together with other authentication data, such as the OTP PIN or Windows password, if required.

MobilePASS Messaging Token

A MobilePASS Messaging token is associated with a user's mobile device number or email address.

After a MobilePASS Messaging token is enrolled, instruct the user to do the following whenever an OTP is required:

a. Open the MobilePASS Messaging Portal and enter the username and password.
b. Enter the MobilePASS PIN, if required, to generate an OTP. A generated OTP is sent as an SMS (Short Message Service) message to the user's mobile device, or as a message to the user's email address.
c. Copy the generated OTP into the application, together with other authentication data, such as the OTP PIN or Windows password, if required.

SafeNet eToken Virtual Products

A SafeNet eToken Virtual product is a software token that functions like a physical smartcard device. It can contain all private and public data normally found on a hardware token, such as SSO profiles, OTP generation facilities, and certificates.

Depending on who performs the enrollment, a SafeNet eToken Virtual product can be enrolled on either of the following:

- an external storage device
- any computer running SafeNet Authentication Client

SafeNet eToken Virtual Storage | External storage device | Computer
Enrolled by administrator | Yes | No
Enrolled by user | Yes, depending on the SAM configuration (see SafeNet eToken Virtual locking method on page 165) | Yes, depending on the SAM configuration (see SafeNet eToken Virtual locking method on page 165)

A SafeNet eToken Virtual or SafeNet eToken Virtual Temp enrolled on a computer is stored in the personal Documents folder, in the eTokenVirtual subfolder. Its filename extension is .etvp.

Note:
The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.

SafeNet eToken Virtual

A SafeNet eToken Virtual is a software token with no limitations. The administrator uses the SAM Management Center to enroll a SafeNet eToken Virtual to an external storage device. The SafeNet eToken Virtual enrollment process does the following:

a. Creates a SafeNet eToken Virtual on the external storage device connected to the administrator's PC.
b. Sets an initial Token Password.
c. Optionally generates an enrollment letter.
d. Locks the SafeNet eToken Virtual to the external storage device.

The external storage device is delivered to the user in a locked state.

Note:
The user must authenticate using the external storage device on which the SafeNet eToken Virtual was enrolled. A SafeNet eToken Virtual cannot be used to authenticate if it is copied to a computer or to a different device.

SafeNet eToken Virtual Temp

A SafeNet eToken Virtual Temp is a SafeNet eToken Virtual that can be used for a limited period of time. It replaces an enrolled physical token. Its content can include time-limited certificates and time-limited OTP profiles.

For each enrolled physical token, one SafeNet eToken Virtual Temp can be enrolled.

A SafeNet eToken Virtual Temp is enrolled the same way as a SafeNet eToken Virtual.

SafeNet eToken Rescue

A user's token content can be saved as a secure backup file, known as a SafeNet eToken Rescue. The user can store the SafeNet eToken Rescue on either of the following:

- an external storage device
- a computer

If the user loses or damages the token while on the road, the user can request to use the SafeNet eToken Rescue as a time-limited emergency software token, enabling uninterrupted productivity until a replacement token is available.

A SafeNet eToken Rescue can be used in place of an enrolled token for a limited time. The default SafeNet eToken Rescue expiration period is 14 days from the date the file was activated to be used as a software token.

SafeNet eToken Rescue Use Case

The following describes how a SafeNet eToken Rescue is used:

a. Sarah, a user, downloads a SafeNet eToken Rescue before she leaves on a trip, so that the up-to-date content on her token is backed up.
b. Sarah discovers that her token is lost, but she is away from the office, and cannot replace it with a new physical token.
c. She reports the token as lost through the SAM Rescue Service Center or directly to the system administrator, and requests access to the downloaded SafeNet eToken Rescue.
d. A SafeNet eToken Rescue password is disclosed to Sarah by the SAM Rescue Service Center or by the system administrator.
e. Sarah authenticates to her applications using the token content saved on the SafeNet eToken Rescue, accessed by the SafeNet eToken Rescue password.

eToken Network Logon

eToken Network Logon uses information stored on a device or on a SafeNet eToken Virtual product to identify and authenticate a user to the network or to a local computer. The authentication credentials may be:

- A profile, consisting of a user ID, a domain to which the user belongs, a password, and a set of options
- A smartcard logon certificate

Since network logon credentials are mapped from the token or device to the user's account, users need remember only their Token Password.

eToken Network Logon enables:

- Strong two-factor user authentication
- Secure generation and use of long and complex network passwords, without requiring users to remember them
- Token password policy stored on the token itself

You can initialize eToken Network Logon profiles on users' tokens for all users in an Organizational Unit (OU) by attaching a SAM Connector for Network Logon rule to the OU.

Use the SAM Connector for Microsoft CA to create smartcard logon certificates.

Set keys to determine network logon behavior, such as:

- if the user can decide which logon method to use, or if priority is given to a specific logon method
- if all users, including the administrator, must use a token to log on to the specific computer
- token removal behavior

eToken Network Logon Device Options

The following tokens can be used to authenticate with an eToken Network Logon profile:

Authentication Method | USB token or smartcard | SafeNet eToken Virtual product | Temp Logon
Profile | X | X |
Certificate | X | X |
Static Value | | |

eToken Network Logon Use Case

The following describes the process of authenticating to a network using eToken Network Logon:

a. The administrator or the user creates an eToken Network Logon profile on the user's token.
b. Each time the user wants to initiate a network logon, they connect their token to the computer. A prompt appears asking for the Token Password.
c. The user enters the Token Password and is authenticated by SAM.
d. eToken Network Logon uses the logon information stored on the token to identify and authenticate the user to the network.

Chapter 23

Helpdesk

Use the SAM Helpdesk to manage tokens, and to unlock a user.

Note:
The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.

In this section:

Helpdesk Page Overview
Accessing the Helpdesk Page
Unlocking a User
Enabling a Temp Logon
Enabling User Access to a SafeNet eToken Rescue
Resetting the Default User Password
Revoking a User's Token
Unassigning a User's Token
Unlocking a User's Token
Temporarily Disabling a Token
Enabling a Token
Replacing a User's Token
OTP Options
Certificate Recovery Workflow Options

Helpdesk Page Overview

The left panel contains the following:

- Tabs for selecting the different SAM Management Center pages
- Search parameters: The administrator selects the domain, the token filter, and up to two different search criteria to be combined in a single search
- Relevant SAM system notifications

Search results are displayed in the right panel:

- At the top right of the panel: The number of records matching the search criteria, and paging operations
- In the middle section: Details of each token matching the search criteria
- Below the displayed tokens: Applications enrolled on the selected token, if present

At the bottom of the right panel, the administrator selects an option:

- Below the Application box, if displayed: OTP options
- Along the bottom of the panel: Token-related options

Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.

Accessing the Helpdesk Page

Log on to your company's local network, and access the SAM Helpdesk through the SAM Management Center.

Note:
Each company has its own SAM Server. This guide uses the name localhost to represent your company's SAM Server. When following the steps in the procedure, replace <localhost> with the name of your company's SAM Server.

To access the Helpdesk page:

1. Open your web browser, and go to http://<localhost>/SAMmanage where <localhost> is the name of your company's SAM Server.

Note:
For the website to display properly, ensure that the browser's Text Size is set to Medium.
a. On the browser toolbar, click View.
b. From the drop-down menu, select Text Size > Medium.

2. Depending on your user store, a logon window may open.

You may be required to provide logon credentials, such as Domain, Username, and Password.
You may have an option to select Keep me signed in, which enables you to reopen the SAM Management Center within a predefined time period without needing to log on again.

The SAM Management Center opens to the Helpdesk page.

3. In the left panel, select the domain, and up to two different search criteria to determine which tokens are displayed.

4. Search for tokens using one of the following filters:

Filter | Search criteria Options
Connected tokens | None
Tokens by serial no | Enter a character string to search for all token serial numbers beginning with that character string. The length of a token's serial number is determined by the token type: USB tokens: 8 characters; eToken PASS devices: 12 characters; SafeNet eToken Virtual products: 16 characters; MobilePASS tokens: 16 characters. Note: The serial number of a physical token is the rightmost hexadecimal digit string printed on the token case.
Tokens by user | Enter a character string to search for all usernames beginning with that character string. Note: Usernames are not case-sensitive.
Tokens by status | Select from a list of token status types. Content Status: Disabled, Empty, Enabled, Revoked, SafeNet eToken Rescue. Physical Status: Damaged, Lost, Normal.
Tokens by approval | Select the appropriate approval status: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
Tokens by user group | Enter a character string to search for all users in the group name beginning with that character string. Note: User group names are not case-sensitive.
Tokens by user OU | In a non-Active Directory environment, enter an OU in the format <instance name>/<OU name>/ followed by the names of lower-level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising, where MyCompany is the unique instance name. In an Active Directory environment, enter an OU in the format <domain>.<extension>/<OU name>/ followed by the names of lower-level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
Tokens by model | Select from a list of token models in the SAM inventory
Unassigned tokens | None
Token history by user | If the History Tokens feature is enabled in your TPO, enter a character string to search for all tokens whose history includes usernames beginning with that character string. Note: Usernames are not case-sensitive.
Token history by approval | If the History Tokens feature is enabled in your TPO, select the appropriate approval status in the token history: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved

5. Click Go.
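The search filters in the table above lend themselves to a small executable model. The following Python is an added example, not SafeNet code and not part of this guide: it builds a constructed in-memory inventory (the serial numbers, usernames, groups and OU paths are made up) and implements the matching rules the table states, including the per-type serial-number lengths and the two OU path formats. Case-insensitive matching of serial-number prefixes and the exact-match rule for OU paths are assumptions.

```python
# Added example (not SafeNet code): a model of the Helpdesk search filters
# described in the table above. The inventory, serial numbers and names are
# constructed; the matching rules follow the table's wording.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Serial-number length per token type, as the table states it.
SERIAL_LENGTH = {
    "USB": 8,
    "eToken PASS": 12,
    "SafeNet eToken Virtual": 16,
    "MobilePASS": 16,
}


@dataclass
class Token:
    serial: str
    token_type: str
    user: Optional[str]       # None for an unassigned token
    group: Optional[str]
    ou: Optional[str]         # OU path in the search-string format, or None
    content_status: str       # Disabled, Empty, Enabled, Revoked, SafeNet eToken Rescue
    physical_status: str      # Damaged, Lost, Normal


# Constructed sample inventory (serial numbers and names are made up).
INVENTORY: List[Token] = [
    Token("0A1B2C3D", "USB", "alice", "Marketing",
          "MyCompany/Marketing/Advertising", "Enabled", "Normal"),
    Token("0A1B9999", "USB", "bob", "Sales", "MyCompany/Sales", "Revoked", "Lost"),
    Token("FFEE00112233", "eToken PASS", "Carol", "Marketing",
          "DName1.com/Marketing", "Enabled", "Normal"),
    Token("00112233445566FF", "MobilePASS", None, None, None, "Empty", "Normal"),
]


def check_serial_length(serial: str, token_type: str) -> bool:
    """True if a complete serial number has the length the table gives for its type."""
    return len(serial) == SERIAL_LENGTH[token_type]


def by_serial_prefix(tokens: List[Token], prefix: str) -> List[Token]:
    """Tokens by serial no: every serial beginning with the string.
    Serials are hexadecimal, so the comparison ignores case (an assumption)."""
    p = prefix.upper()
    return [t for t in tokens if t.serial.upper().startswith(p)]


def by_user_prefix(tokens: List[Token], prefix: str) -> List[Token]:
    """Tokens by user: usernames beginning with the string; not case-sensitive."""
    p = prefix.lower()
    return [t for t in tokens if t.user is not None and t.user.lower().startswith(p)]


def by_group_prefix(tokens: List[Token], prefix: str) -> List[Token]:
    """Tokens by user group: group names beginning with the string; not case-sensitive."""
    p = prefix.lower()
    return [t for t in tokens if t.group is not None and t.group.lower().startswith(p)]


def by_status(tokens: List[Token], content: Optional[str] = None,
              physical: Optional[str] = None) -> List[Token]:
    """Tokens by status: filter on content status and/or physical status."""
    return [t for t in tokens
            if (content is None or t.content_status == content)
            and (physical is None or t.physical_status == physical)]


def unassigned(tokens: List[Token]) -> List[Token]:
    """Unassigned tokens: tokens with no user."""
    return [t for t in tokens if t.user is None]


def parse_ou_path(path: str) -> Tuple[str, str, List[str]]:
    """Split an OU search string into (environment, root, [OU, sub-OU, ...]).

    Non-Active Directory form: <instance name>/<OU name>/...
    Active Directory form:     <domain>.<extension>/<OU name>/...
    The form is told apart by the dot in the domain root (an assumption)."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        raise ValueError("an OU path needs a root and at least one OU: %r" % path)
    root, ous = parts[0], parts[1:]
    env = "ad" if "." in root else "instance"
    return env, root, ous


def by_ou(tokens: List[Token], path: str) -> List[Token]:
    """Tokens by user OU: tokens whose OU path equals the one entered
    (a trailing slash and empty components are ignored)."""
    env, root, ous = parse_ou_path(path)
    wanted = [root] + ous
    return [t for t in tokens
            if t.ou is not None and [p for p in t.ou.split("/") if p] == wanted]
```

`check_serial_length` is the check an import or bulk-search script would apply before querying by a full serial, since a USB serial of 8 characters typed against a 16-character MobilePASS filter can only ever be a prefix match.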

The following is an example of a Helpdesk window following a successful search.

Details of the tokens matching your search criteria are displayed in the right panel.

Note:
The number of tokens found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

Label | Description
Account Name | User's account name
Type | Icon and description of the token model
Serial Number | Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
Status | 1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked. 2. Physical Status: Damaged, Lost, Normal
6. Click the Select button of the appropriate token.
7. If the selected token contains one or more connector applications, an Application box is displayed.
   a. In the Application box, click an application's Detail link to open an Application Details dialog box.
   b. If there is more than one application, click the Select button of the required connector application to see its details.
   c. Click Close to close the dialog box.
8. Do one of the following:
   - If the selected token is an OTP token, select one of the enabled OTP options. See OTP Options on page 470.
   - If the selected token is eligible for the Certificate Recovery workflow, select one of the Certificate Recovery options. See Certificate Recovery Workflow Options on page 483.
   - Select one of the enabled options at the bottom of the panel.

Button | Option Type | Description
Reset Pwd | Token-related options | Reset the Token Password to the token default password. See Resetting the Default User Password on page 455.
Revoke | Token-related options | Permanently revoke the certificates on the token, and make the token unusable. See Revoking a User's Token on page 455.
Unassign | Token-related options | Disassociate the token from any user, and erase its content from the SAM inventory. See Unassigning a User's Token on page 457.
Unlock | Token-related options | Unlock the token after the allotted number of unsuccessful authentication attempts is exceeded. See Unlocking a User's Token on page 459.
More Actions > Disable | Token-related options | Disable the token temporarily so that it cannot be used. See Temporarily Disabling a Token on page 462.
More Actions > Enable | Token-related options | Enable the disabled token so that it can be used. See Enabling a Token on page 464.
More Actions > Replace | Token-related options | Revoke the token if it is not yet revoked, and load a new token with its content. See Replacing a User's Token on page 465.
More Actions > Unlock User | User-related options | Unlock the user after non-matching authentication questionnaire answers were entered more than the allotted number of times. See Unlocking a User on page 447.
More Actions > Temp Logon | User-related options | Assign the user a temporary password to use for network logon. See Enabling a Temp Logon on page 449.
More Actions > eT Rescue | User-related options | Enable user access to a SafeNet eToken Rescue backup file. See Enabling User Access to a SafeNet eToken Rescue on page 452.

Unlocking a User

To authenticate to the SAM Rescue Service Center or to certain SAM Helpdesk services, users must enter the same authentication questionnaire answers that they entered in the SAM Self Service Center. A user becomes locked if non-matching answers are entered more than the allotted number of times.

Unlock a locked user to allow the user to access the SAM Rescue Service Center.

Tip:
If the user does not remember the authentication questionnaire answers, instruct the user to complete the authentication questionnaire again in the SAM Self Service Center.

To unlock a locked user:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of one of the locked user's tokens, and in the More Actions drop-down menu, select Unlock User.
3. The Unlock User Access window opens.
4. Click Run. A User successfully unlocked message is displayed.
5. Click Done.
Enabling a Temp Logon

If a user's token is lost or damaged, and the user's account is configured for smartcard logon in Active Directory, you can grant the user a temporary logon password to use for network logon.

To enable a Temp Logon for a user:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of one of the user's tokens, and in the More Actions drop-down menu, select Temp Logon.
3. Depending on your SAM configuration, the Authentication Questions window opens.
4. Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue. The Enable a Temporary User Logon Password window opens.
5. Do the following:
   a. In the Temporary Logon Password field, enter a character string that meets the password complexity requirements defined in your SAM configuration.
   b. In the Valid until field, enter or select an expiration date for the Temp Logon.
   c. Click Run. A Temporary logon successfully enabled message is displayed.
6. Inform the user of the new Temp Logon password and its expiration date.
7. Click Done.
8. Arrange for the delivery of a new token to the user.

Enabling User Access to a SafeNet eToken Rescue

Depending on your company's SAM configuration, users can save their token content to a SafeNet eToken Rescue, a secure backup file on their computer or external storage device. A SafeNet eToken Rescue is not accessible to the user until it is activated.

If a user's enrolled token is subsequently lost or damaged, access to the SafeNet eToken Rescue is enabled by one of the following methods:

- Using the SAM Management Center, the administrator enables user access.
- Using the SAM Rescue Service Center, the user requests access.

A SafeNet eToken Rescue is used as a temporary token replacement. It is accessible for a limited time only, and only through a password that is disclosed when the token is reported as lost or damaged.

Depending on your SAM configuration, a SafeNet eToken Rescue may include the following content that was on the token:

- Certificates
- Network Logon profiles
- OTP generation

If the user needs other token content, such as WSO profiles, instruct the user to restore them to the SafeNet eToken Rescue from backup files.

To enable user access to a SafeNet eToken Rescue:

1. Use the SAM Helpdesk page to search for the token for which a SafeNet eToken Rescue has been downloaded.
2. Click the Select button of the appropriate token, and in the More Actions drop-down menu, select eT Rescue.
3. Depending on your SAM configuration, the Authentication Questions window opens.
4. Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue. The Activate User Access to a SafeNet eToken Rescue window opens.
5. Do the following:
   a. In the What happened to the token field, select one of the following: The token is lost; The token is damaged.
   b. In the Valid until field, enter or select an expiration date for the SafeNet eToken Rescue.

   Note:
   Since a SafeNet eToken Rescue provides a lower level of security than a standard token, we recommend limiting its use to the number of days needed to deliver a new physical token.

   c. Click Run. The following new information is displayed: the SafeNet eToken Rescue password; a User access successfully activated message.
6. Copy the following information, and send it to the user: the SafeNet eToken Rescue password; the SafeNet eToken Rescue expiration date.
7. Click Done.
8. Arrange for the delivery of a new token to the user.

Resetting the Default User Password

SAM can create an administrator password during token initialization and save it to the token. Should the token become locked, SAM uses the administrator password to unlock it.

The Allow token unlock TPO setting determines if an administrator password is saved to the token. See Recovery Settings on page 166.

If a token was initialized in SAM with an administrator password, the token's user password can be reset to the company's default password at any time.

After the token's user password is reset, your company's SAM configuration determines if the user is required to change the password.

To reset the user password to the default password:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and click Reset Pwd. The Reset Token Password window opens.
3. Click Run. A Token Password successfully reset message is displayed.
4. Click Done.

Revoking a User's Token

For security reasons, revoke a lost or damaged token as soon as possible.

Note:
Depending on your SAM configuration, when a user is deleted from the AD domain, the user's tokens are automatically unassigned.

When a token is revoked, the following occurs:

- The token's status is set to Revoked in the SAM inventory.
- The token remains associated with its user.
- The following token content can never be used again for authentication, and is physically deleted from the token should the token be subsequently connected: Certificates; Network Logon profiles (with a random password); OTP generation

Note:
Personal token content, such as WSO and SSO profiles, is not deleted, but becomes unusable.

To revoke a token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and click Revoke. The Revoke a Token window opens.
3. In the Reason for revocation drop-down box, select the appropriate reason: Damaged, Lost, Upgrade
4. Click Run. A Token successfully revoked message is displayed.
5. Click Done.

To reuse a revoked token, do one of the following:

- Remove the token from the SAM inventory. For more information, see Chapter 25: Removing a Token from the SAM Inventory, on page 530.
- Initialize the token to delete its user-specific token content. For more information, see Chapter 25: Initializing a Token, on page 523.
Unassigning a User's Token

For security reasons, unassign all of a user's tokens when the user leaves the company.

Note:
Depending on your SAM configuration, when a user is deleted from the AD domain, the user's tokens may be automatically unassigned.

The unassigning process revokes the token, and also disassociates it from its user.

To unassign a token:

1. Use the SAM Helpdesk page to search for the appropriate user.
2. Click the Select button of the user's token, and click Unassign. The Unassign a Token window opens.
3. Click Run. A Token successfully unassigned message is displayed.
4. Click Done.

Repeat this process for all of the user's tokens.
Unlocking a User's Token

If a user consecutively enters an incorrect Token Password more than the allotted number of times, the token becomes locked.

Use the Challenge-Response system to unlock the token, and to enable the user to set a new Token Password.

If a token is locked, the user must select Unlock Token in one of the following SafeNet applications:

- SafeNet Authentication Client Tools
- eToken Network Logon

To enable a user to unlock a locked token:

1. After the user contacts you that the token is locked, instruct the user to follow the Unlock Token instructions in the SafeNet application until a Challenge Code is generated.
2. Use the SAM Helpdesk page to search for the appropriate token.
3. Click the Select button of the appropriate token, and click Unlock.
4. Depending on your SAM configuration, the Authentication Questions window opens. Enter the same answers the user entered in the SAM Self Service Center authentication questionnaire, and click Continue.
5. The Unlock a Token window opens.
6. Ask the user to send you the 16-character Challenge Code displayed in the SafeNet application, and paste or enter it in the Challenge Code field.
7. Click Run. The following information is displayed: a 16-character Response Code; a Response Code successfully generated message
8. Copy the generated Response Code, and send it to the user.
9. Instruct the user to complete the Unlock Token instructions in the SafeNet application using the generated Response Code.
10. Click Done.
Temporarily Disabling a Token

For security reasons, temporarily disable an enrolled token that is not needed for an extended period.

If a token is disabled, it must be enabled before it can be used again.

To temporarily disable a token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and in the More Actions drop-down menu, select Disable. The Disable a Token window opens.
3. Click Run. A Token successfully disabled message is displayed.
4. Click Done. The token's status is changed to Disabled.

Enabling a Token

If a token is disabled, it must be enabled before it can be used again.

To enable a token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token, and in the More Actions drop-down menu, select Enable. The Enable a Token window opens.
3. Click Run. A Token successfully enabled message is displayed.
4. Click Done. The token's status is changed to Enabled.
Replacing a User's Token

Replace a user's token for one of the following reasons:

- To meet the demands of new technology, an outdated token must be replaced with a new model.
- The user's token is revoked.
- The user's token is lost or damaged.

When upgrading tokens to newer models, instruct users to do the following:

a. Before their tokens are upgraded, users should back up their personal token content, such as WSO profiles.
b. After their new tokens are enrolled, users should restore the saved data from the backup files to their tokens.

Tip:
Personal token content not saved by SAM should be routinely backed up by all users, so that if their token is lost or damaged, the backed-up data can be restored to a replacement token.

When you replace a token, the following activities occur:

a. Revoke: revokes the original token if it is not yet revoked.
b. Add: adds the replacement token to the SAM inventory if it is not already there.
c. Initialize, depending on your SAM configuration: deletes all user-specific token content on the replacement token and applies the TPO settings.
d. Assign: associates the replacement token with a specific user.
e. Enroll: loads the replacement token with data needed for user authentication. Depending on your SAM configuration, this content may include: Certificates; Network Logon profiles; eToken SSO profiles; OTP generation

To replace a user's token:

1. Use the SAM Helpdesk page to search for the token to be replaced.
2. Click the Select button of the appropriate token, and in the More Actions drop-down menu, select Replace. The Replace token window opens.
3. If the token has not yet been revoked, the Reason for replacement drop-down box is displayed. Open the drop-down box, and select the appropriate reason: Damaged, Lost, Upgrade
4. Depending on your SAM configuration, select Initialize token to initialize the token.
5. Depending on your SAM configuration, click Customize replacement to enroll only some of the default connector applications onto the token. The Applications to Enroll dialog box opens, displaying the available connectors.
6. Select the appropriate connectors to enroll, and click OK.
7. Do one of the following:
   - If the new token is a physical token, connect it, and disconnect all other tokens not yet assigned.
   - Depending on your SAM configuration, if the new token is a SafeNet eToken Virtual, connect an external storage device, and select Create a new SafeNet eToken Virtual.
8. Click Run. Depending on the connectors enrolled, an authentication window opens.
   a. You may be required to do the following: For the Connector for OTP Authentication, enter an OTP PIN, and confirm it. For the Connector for Network Logon, enter a logon password, and confirm it.
   b. Click Continue.
9. A Token successfully enrolled message is displayed.
10. Click Done.
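The token actions this chapter describes (Revoke, Unassign, Disable, Enable and Replace) form a small state machine, and the order in which Replace runs them (Revoke, Add, Initialize, Assign, Enroll) is easiest to check in code. The following Python is an added example, not SafeNet code and not part of this guide: it applies the documented effect of each action to a constructed in-memory inventory and enforces the preconditions the text states. The status left on a token after Unassign, the rule that only an enabled token can be disabled, and the serial numbers and user names are assumptions.

```python
# Added example (not SafeNet code): an in-memory model of the Helpdesk token
# actions described in this chapter, applying the documented effects of
# Revoke, Unassign, Disable, Enable and Replace. Serial numbers and user
# names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

REVOCATION_REASONS = {"Damaged", "Lost", "Upgrade"}

# Content that revocation makes unusable and deletes from the token.
REVOCABLE_CONTENT = {"Certificates", "Network Logon profiles", "OTP generation"}

# Content a replacement may be enrolled with (all of it by default;
# Customize replacement picks a subset of these connectors).
DEFAULT_ENROLL = {"Certificates", "Network Logon profiles",
                  "eToken SSO profiles", "OTP generation"}


@dataclass
class Token:
    serial: str
    user: Optional[str] = None
    status: str = "Empty"            # Empty, Enabled, Disabled, Revoked
    content: Set[str] = field(default_factory=set)
    revocation_reason: Optional[str] = None


class Inventory:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def add(self, serial: str) -> Token:
        """Add: put the token in the inventory if it is not already there."""
        return self.tokens.setdefault(serial, Token(serial))

    def enroll(self, serial: str, user: Optional[str], content: Set[str]) -> Token:
        """Assign + Enroll: associate the token with a user and load its content."""
        t = self.tokens[serial]
        t.user, t.content, t.status = user, set(content), "Enabled"
        return t

    def revoke(self, serial: str, reason: str) -> Token:
        """Revoke: status becomes Revoked, the user association is kept, and the
        authentication content is deleted. Personal content (SSO/WSO profiles)
        stays on the token but is unusable because the token is revoked."""
        if reason not in REVOCATION_REASONS:
            raise ValueError("reason must be one of " + ", ".join(sorted(REVOCATION_REASONS)))
        t = self.tokens[serial]
        t.status, t.revocation_reason = "Revoked", reason
        t.content -= REVOCABLE_CONTENT
        return t

    def unassign(self, serial: str) -> Token:
        """Unassign: revoke the token, then disassociate it from its user and
        erase its content from the inventory (status Revoked is an assumption)."""
        t = self.tokens[serial]
        t.status = "Revoked"
        t.user, t.content = None, set()
        return t

    def disable(self, serial: str) -> Token:
        """More Actions > Disable: only an enabled token can be disabled (assumption)."""
        t = self.tokens[serial]
        if t.status != "Enabled":
            raise ValueError("token %s is %s, not Enabled" % (serial, t.status))
        t.status = "Disabled"
        return t

    def enable(self, serial: str) -> Token:
        """More Actions > Enable: a disabled token must be enabled before reuse."""
        t = self.tokens[serial]
        if t.status != "Disabled":
            raise ValueError("token %s is %s, not Disabled" % (serial, t.status))
        t.status = "Enabled"
        return t

    def can_authenticate(self, serial: str) -> bool:
        return self.tokens[serial].status == "Enabled"

    def replace(self, old_serial: str, new_serial: str, reason: Optional[str] = None,
                initialize: bool = True, connectors: Optional[Set[str]] = None) -> Token:
        """More Actions > Replace: Revoke (only if not yet revoked), Add,
        Initialize (optional), Assign, Enroll."""
        old = self.tokens[old_serial]
        if old.status != "Revoked":
            if reason is None:
                raise ValueError("a reason for replacement is required for an unrevoked token")
            self.revoke(old_serial, reason)
        new = self.add(new_serial)
        if initialize:
            new.content = set()          # delete user-specific content on the replacement
        wanted = DEFAULT_ENROLL if connectors is None else set(connectors) & DEFAULT_ENROLL
        return self.enroll(new_serial, old.user, wanted)
```

The model makes one property of the documented flow visible: a token revoked as Lost keeps that reason and its user when it is later replaced, because Replace skips the Revoke step for an already revoked token, so the audit trail of why the original went out of service is preserved.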


OTP Options

If the selected token on the SAM Helpdesk page contains a Connector for OTP Authentication application, click the Select button of the application to display the appropriate token OTP options.

Button | Description
Extend OTP | Extend the expiration date of a Temp OTP or of a time-limited OTP token. See Extending an OTP on page 471.
OTP Token | Cancel the Temp OTP, and require the user to authenticate using an OTP that is generated on the selected token. See Replacing a Temp OTP with an OTP Token on page 473.
Temp OTP | Create a temporary OTP value for the user to submit for OTP authentication in place of the selected token. See Replacing an OTP Token with a Temp OTP on page 474.
OTP PIN | Reset the OTP PIN. See Resetting an OTP PIN on page 477.
Validate OTP | Validate the token's OTP generator. See Validating an OTP Token on page 478.
Lock OTP | Temporarily disable OTP authentication. To enable OTP authentication again, select Unlock OTP. See Locking an OTP on page 480.
Unlock OTP | Enable OTP authentication after it has been temporarily disabled. See Unlocking an OTP on page 482.
Extending an OTP

You can delay the expiration date of a Temp OTP or of a time-limited OTP token by setting a later expiration date.

To extend an OTP expiration date:

1. Use the SAM Helpdesk page to search for the appropriate token whose OTP has an expiration date.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Extend OTP. The Extend the OTP Expiration Date window opens, and the current expiration date is displayed.
5. Enter or select a new expiration date, and click Run. An extended successfully message is displayed.
6. Click Done.

Replacing a Temp OTP with an OTP Token

Use the OTP Token option to cancel a Temp OTP as soon as a new OTP token is available to replace it.

To replace a Temp OTP with an OTP token:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click OTP Token. The Unlock an OTP Only Token window opens.
5. Click Run. A Temp OTP usage cancelled message is displayed.
6. Click Done. The Temp OTP is cancelled, and the user is required to use an OTP generated on the token to authenticate.
Replacing an OTP Token with a Temp OTP

If an OTP token is lost or damaged, enable a Temp OTP to replace the OTP function.

A Temp OTP is a static value to use in place of a generated OTP. Its value does not change, and so it provides only a low level of security. It is valid for a limited time.

To replace an OTP token with a Temp OTP:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Temp OTP. The Generate a Temporary Password window opens.

Note:
If a Temp OTP is already enabled, a message is displayed that it will be cancelled. The new Temp OTP will replace it.

5. Enter or select an expiration date for the Temp OTP, and click Run. The following information is displayed: the Temp OTP value to use instead of an OTP; a successfully generated message
6. Write down the Temp OTP value.
7. Click Done.
8. Send the Temp OTP value to the user, together with the following instructions:
   a. Record the Temp OTP value in a safe place.
   b. Provide the Temp OTP value in place of a value generated on the OTP token.
   c. Contact the system administrator to request a replacement Temp OTP if you suspect the Temp OTP value has been compromised.
   d. When a new OTP token is available, the Temp OTP will be cancelled.

Use the OTP Token option to cancel the Temp OTP as soon as a new OTP token is available to replace it.
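The Temp OTP lifecycle (Temp OTP, Extend OTP, OTP Token) and the Lock OTP and Unlock OTP options listed in the OTP options table are easiest to reason about as one state object per token. The following Python is an added example, not SafeNet code and not part of this guide: it models that state and the checks a verifier would apply. The generated OTP is a constructed stand-in value (the token's OTP algorithm is not described here), the rule that the token's own OTP is not accepted while a Temp OTP is active, and the limit of three failed attempts before the OTP locks are assumptions. Dates are passed as ISO strings, as they would be typed into the Valid until field.

```python
# Added example (not SafeNet code): a model of the Temp OTP options above and
# of the Lock OTP / Unlock OTP options in the OTP options table. The
# generated-OTP check is a stand-in comparison against a constructed expected
# value, because the token's OTP algorithm is not described on this page.
import hmac
import secrets
from datetime import date
from typing import Optional, Tuple


class OtpConnector:
    """OTP state of one token as the Helpdesk page manipulates it."""

    def __init__(self, max_failures: int = 3) -> None:
        self.locked = False
        self.failures = 0
        self.max_failures = max_failures            # allotted number of attempts (assumed value)
        self.temp_otp: Optional[Tuple[str, date]] = None   # (static value, valid until)
        self.expected_otp: Optional[str] = None     # stand-in for the token's next generated OTP

    def enable_temp_otp(self, valid_until: str, length: int = 8) -> str:
        """Temp OTP: a new static value that replaces any existing Temp OTP."""
        value = "".join(secrets.choice("0123456789") for _ in range(length))
        self.temp_otp = (value, date.fromisoformat(valid_until))
        return value

    def extend_otp(self, new_valid_until: str) -> str:
        """Extend OTP: only a later expiration date is accepted."""
        if self.temp_otp is None:
            raise ValueError("no Temp OTP to extend")
        value, current = self.temp_otp
        new_date = date.fromisoformat(new_valid_until)
        if new_date <= current:
            raise ValueError("new expiration date must be later than %s" % current)
        self.temp_otp = (value, new_date)
        return new_date.isoformat()

    def cancel_temp_otp(self) -> None:
        """OTP Token: cancel the Temp OTP; generated OTPs are required again."""
        self.temp_otp = None

    def lock(self) -> None:
        """Lock OTP: temporarily disable OTP authentication."""
        self.locked = True

    def unlock(self) -> None:
        """Unlock OTP: re-enable OTP authentication and clear the failure count."""
        self.locked = False
        self.failures = 0

    def temp_otp_active(self, today: str) -> bool:
        """True while a Temp OTP exists and its expiration date has not passed."""
        return self.temp_otp is not None and date.fromisoformat(today) <= self.temp_otp[1]

    def authenticate(self, submitted: str, today: str) -> bool:
        """While a Temp OTP is active it is the value accepted in place of a
        generated OTP (assumption: the token's own OTP is not accepted meanwhile).
        Exceeding the allotted number of failures locks the OTP."""
        if self.locked:
            return False
        if self.temp_otp_active(today):
            ok = hmac.compare_digest(self.temp_otp[0], submitted)
        else:
            ok = (self.expected_otp is not None
                  and hmac.compare_digest(self.expected_otp, submitted))
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False
```

The comparisons use `hmac.compare_digest` so that checking a static Temp OTP does not leak how many leading characters matched; since the value never changes for its whole validity period, keeping that period to the days needed to deliver a replacement token is the main control the text recommends.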


Resetting an OTP PIN

Reset the OTP PIN if the user forgot it.

To reset an OTP PIN:

1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click OTP PIN. The Reset OTP PIN window opens.
5. Enter a new OTP PIN, confirm it, and click Run. A successfully reset message is displayed.
6. Click Done.
7. Send the new OTP PIN to the user.
Validating an OTP Token

If the user repeatedly generates an OTP without submitting one for authentication, or if the time function of an OTP token has deviated, the OTP token loses its synchronization with the system. Validate the OTP token so that SAM can authenticate a subsequently generated OTP.

To validate an OTP token:
1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Validate OTP.
   The Validate an OTP Token window opens.
5. Do one of the following:
   - If the user has the OTP token, ask the user to generate an OTP value and to send it to you.
   - Generate an OTP on the device.
6. Enter the OTP value, together with any other required information, into the field, and click Run.
7. A message may be displayed to repeat step 5 and step 6.
8. A successfully validated message is displayed.
9. Click Done.

Locking an OTP

Lock an OTP to temporarily disable its use for OTP authentication.

To lock an OTP:
1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Lock OTP.
   The Lock OTP Use window opens.
5. Click Run.
   A successfully locked message is displayed.
6. Click Done.

To enable its use for OTP authentication again, unlock the OTP.

Unlocking an OTP

The following actions lock an OTP:
- The administrator uses the SAM Helpdesk page to lock the OTP.
- The user exceeds the allotted number of unsuccessful OTP authentication attempts using the token.

Unlock a locked OTP to enable its use for OTP authentication.

To unlock an OTP:
1. Use the SAM Helpdesk page to search for the appropriate token.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for OTP Authentication application.
4. Click Unlock OTP.
   The Unlock OTP Use window opens.
5. Click Run.
   A successfully unlocked message is displayed.
6. Click Done.

Certificate Recovery Workflow Options

Certificates on tokens, including History Tokens, containing a Connector for Microsoft CA application can be recovered if the certificate recovery workflow settings are enabled in the TPO.

Click the Select button of the Connector for Microsoft CA application to display appropriate certificate recovery workflow options.

Button                        Description
Request Certificate Recovery  Initiate a certificate recovery workflow request. See Requesting a Certificate Recovery Workflow on page 484.
Approve Certificate Recovery  Approve the initiated certificate recovery workflow request. See Approving a Certificate Recovery Workflow on page 486.
Reject Request                The certificate recovery workflow request can be rejected by the user who has roles permissions to approve it. See Rejecting a Certificate Recovery Workflow on page 491.
Cancel Request                The certificate recovery workflow request can be cancelled by the user who initiated it. See Cancelling a Certificate Recovery Workflow on page 488.
Recover Certificates          Select and recover certificates after the certificate recovery workflow request has been approved. See Recovering Certificates on page 493.

Requesting a Certificate Recovery Workflow

Initiate a certificate recovery workflow to recover certificates from the token.

To request a certificate recovery workflow:
1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Request Certificate Recovery.
   The Initiate a Certificate Recovery Workflow window opens.
5. Click Run.
   A successfully initiated message is displayed.
6. Click Done.

Approving a Certificate Recovery Workflow

Depending on your SAM configuration, the following may be required after a certificate recovery workflow is initiated:
- Approval by a first-tier user with the appropriate roles definition
- Approval by a second-tier user with the appropriate roles definition

To approve a certificate recovery workflow:
1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Approve Certificate Recovery.
   The Approve window opens, displaying the appropriate tier.
5. Click Run.
   A request approved message is displayed.
6. Click Done.

If your SAM configuration requires two-tier approval for workflow requests, the user with Tier 2 roles permission repeats this procedure. An unqualified request approved message is displayed.

Cancelling a Certificate Recovery Workflow

A certificate recovery workflow can be cancelled by a user who has the same roles permissions as the user who initiated the workflow. If the workflow is cancelled, the certificates cannot be recovered from the token unless a new workflow is initiated and approved.

To cancel a certificate recovery workflow:
1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Cancel Request.
   The Cancel Request window opens.
5. Click Run.
   A request cancelled message is displayed.
6. Click Done.

Rejecting a Certificate Recovery Workflow

A certificate recovery workflow can be rejected by a user who has roles permissions to approve the workflow. If the workflow is rejected, the certificates cannot be recovered from the token unless a new workflow is initiated and approved.

To reject a certificate recovery workflow:
1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificates must be recovered.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Reject Request.
   The Reject Request window opens.
5. Click Run.
   A request rejected message is displayed.
6. Click Done.

Recovering Certificates

After all required approvals have been granted, you can recover the certificates on the token.

To recover the certificates following approval:
1. Use the SAM Helpdesk page to search for the appropriate token, or History Token, whose certificate recovery workflow has been approved.
2. Click the Select button of the appropriate token.
3. Click the Select button of the Connector for Microsoft CA application.
4. Click Recover Certificates.
   The Recover Certificates window opens.
5. Enter and confirm a new PFX file password to secure the certificate data.
   Record the file password in a safe place.
6. Click the Select certificates link.
   The Select certificates to recover window opens.
7. Click a certificate's Select button to see its details.
8. Select all certificates to be recovered, and click OK.
   A successfully recovered message is displayed.
9. Click the Download certificate file link.
   The File Download window opens.
10. Click Save, and save the file.
    On the Recover Certificates window, a prompt is displayed for confirmation that the certificate data has been downloaded.
11. Select The certificate data has been downloaded to a file, and click Next.
    A workflow completed successfully message is displayed.
12. Click Done.
    The certificate data has been recovered.

Chapter 24

Deployment

Use the Deployment page to assign or enroll tokens for users.

In this section:
- Deployment Page Overview
- Accessing the Deployment Page
- Assigning a Token
- Enrolling a Smartcard or USB Token
- Enrolling an OTP Token
- MobilePASS Token Enrollment

Deployment Page Overview

SAM Management Center tabs, search parameters, and system messages are displayed in the left panel.
- Search criteria: The administrator selects up to two different search criteria to be combined in a single search
- SAM system notifications are displayed at the bottom of the left panel, if relevant

Search results are displayed in the right panel.
- At the top right of the panel: The number of records matching the search criteria, and paging operations
- In the middle section: Details of each user matching the search criteria
- At the bottom of the panel: User-related and token-related options

At the bottom of the right panel, the administrator selects an option. Appropriate options are enabled for each selected user. Place the cursor on an enabled option to view its tooltip.

Option Type            Options
Token-related options  Assign, Enroll, MobilePASS, Messaging, OTP Token

Accessing the Deployment Page

Log on to your enterprise's local network, and access the Deployment page through the SAM Management Center.

Note:
Each enterprise has its own SAM Server. This guide uses the name localhost to represent your enterprise's SAM Server. When following the steps in the procedure, replace <localhost> with the name of your enterprise's SAM Server.

To access the Deployment page:
1. Open your web browser, and go to http://<localhost>/SAMmanage where <localhost> is the name of your company's SAM Server.
2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to reopen the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.
3. At the top of the left panel, select Deployment.
   The Deployment page opens.
4. In the left panel, select one or two search filters to determine the users to be displayed.

   Search for Filter         Search criteria Options
   Users by username         Enter a character string to search for all usernames beginning with that character string. Note: Usernames are not case-sensitive
   Users by direct group     A list of groups defined on the user store
   Users by OU               - In a non-Active Directory environment, enter an OU in the format: <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising where MyCompany is the unique instance name
                             - In an Active Directory environment, enter an OU in the format: <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Users without connectors  None
   Users with no tokens      None

5. Click Go.
   Details of the tokens assigned to the users matching your search criteria are displayed in the right panel.

Note:
The number of users found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

   Label          Description
   Account Name   User's account name
   Type           Description of the token model
   Serial Number  One of the following:
                  - Token serial number: printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
                  - Total number of tokens, if more than one is assigned to the user
   Status         1. Content Status: No token, Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked
                  2. Physical Status: Damaged, Lost, Normal

6. Click Select All, or select one or more Account Names.
7. Select one of the enabled options at the bottom of the panel.

   Button        Description
   Assign        Associate a token with each selected user
   Enroll        Assign a token and load it with user data for each selected user
   MobilePASS    Enroll a MobilePASS token for each selected user
   Messaging     Enroll a MobilePASS Messaging token for each selected user
   OTP Token     Enroll an OTP token for each selected user
   Take Picture  Not in use
   Print Badge   Not in use

Assigning a Token

When you assign a token, the following activities occur:
a. Add: adds the token to the SAM inventory if it is not already there.
b. Initialize, depending on your SAM configuration: deletes all user-specific token content on the token and applies the TPO settings.
c. Assign: associates the token with a specific user.

Users can control the activities of tokens assigned to themselves via the SAM Self Service Center.

To assign tokens:
1. Use the SAM Deployment page to search for the appropriate users.
2. Click Select All, or select one or more Account Names to which the tokens will be assigned.
3. Click Assign.
   The Assign a Token window opens.
4. Do one of the following:
   - To assign a token that can be connected, select Assign a connected token, connect the token, and click Run.
   - To assign a token by serial number, select Assign token by its serial number, enter the token serial number, and click Run.
   A Token successfully assigned message is displayed.
5. Repeat step 4 until all the selected Account Names have been assigned tokens.
   The Assign a Token options are no longer displayed.
6. Click Done.

Enrolling a Smartcard or USB Token

When you enroll a token, the following activities occur:
a. Add: adds the token to the SAM inventory if it is not already there.
b. Initialize, depending on your SAM configuration: deletes all user-specific token content on the replacement token and applies the TPO settings.
c. Assign: associates the token with a specific user.
d. Enroll: loads the token with data needed for user authentication. Depending on your SAM configuration, this content may include:
   - Certificates
   - Network Logon profiles
   - eToken SSO profiles
   - OTP generation

Users can control the activities of their enrolled tokens via the SAM Self Service Center.

To enroll a smartcard or USB token:
1. Use the SAM Deployment page to search for the appropriate users.
2. Click Select All, or select one or more Account Names to which the tokens will be enrolled.
3. Click Enroll.
   The Enroll a Token window opens.
4. Depending on your SAM configuration, select Initialize token to initialize the token.
5. Depending on your SAM configuration, click Customize enrollment to enroll only some of the default connector applications onto the token.
   The Applications to Enroll dialog box opens, displaying the available connectors.
6. Select the appropriate connectors to enroll, and click OK.
7. Do one of the following:
   - If the new token is a physical token, connect it, and disconnect all other tokens not yet assigned.
   - Depending on your SAM configuration, if the new token is a SafeNet eToken Virtual, connect an external storage device, and select Create a new SafeNet eToken Virtual.
8. Click Run.
   Depending on the connectors enrolled, an authentication window opens.
   a. You may be required to do the following:
      - For the Connector for OTP Authentication, enter an OTP PIN, and confirm it.
      - For the Connector for Network Logon, enter a logon password, and confirm it.
   b. Click Continue.
9. A token successfully enrolled message is displayed.
10. Repeat step 4 through step 9 until all the selected Account Names have been assigned tokens.
    The enrollment options are no longer displayed.
11. Click Done.

Enrolling an OTP Token

Enroll an OTP token to associate it with a specific user in the SAM inventory.

To enroll an OTP token, you must know its serial number. Have each OTP token device in front of you so that you can see the serial number printed on the label of the OTP token case.

If the serial number printed on the label of an eToken PASS device is not readable, do the following:
a. When the display panel of the eToken PASS device is clear, press the device button and keep it depressed for three seconds.
   The value 888888 appears in the display panel.
b. Release the device button, and within two seconds, press the device button again.
   The first four characters of the serial number appear in the display panel.

Note:
The display panel clears automatically after 15 seconds.

c. Write them down, and press the device button again.
   The next four characters of the serial number appear in the display panel.
d. Write them down, and press the device button again.
   The last four characters of the serial number appear in the display panel.
e. Write them down.

The string you wrote down is the eToken PASS device's 12-character serial number.

To enroll OTP tokens:
1. Ensure that the OTP token file has been loaded.
   For more information, see Chapter 25: Adding a File of Tokens to the SAM Inventory, on page 526.
2. Use the SAM Deployment page to search for the appropriate users.
3. Click Select All, or select one or more Account Names to which the OTP token devices will be enrolled.
4. Click OTP Token.
   The Enroll an OTP-Only Token window opens.
5. In the OTP Token Serial Number field, enter the 12-character serial number printed on the label of the OTP device case.
6. Click Run.
   A Token successfully enrolled message is displayed.
7. Repeat step 5 through step 6 until all the selected Account Names have been assigned OTP token devices.
   The OTP Token Serial Number field is no longer displayed.
8. Click Done.

MobilePASS Token Enrollment

The administrator uses the SAM Management Center to enroll a MobilePASS client software application for the user's mobile device.

Note:
Depending on your SAM configuration, users may enroll a MobilePASS token using the SAM Self Service Center.

Preparing the MobilePASS Token Notification Procedure

Depending on your SAM configuration, the MobilePASS token enrollment may assign the token a MobilePASS PIN. If assigned, the user must provide this MobilePASS PIN when using the MobilePASS token.

Your SAM configuration determines the procedure for notifying the user of the MobilePASS PIN, as well as other necessary information generated during the MobilePASS token enrollment.

To ensure that a MobilePASS notification procedure is enabled in your SAM configuration, do the following:
- Define a notification template file
- Define one of the following methods to transmit the notification information to the user:
  - Send by email to the user
  - Print at your facility for mailing to the user

Note:
If your SAM configuration does not require the user to have a MobilePASS PIN, the administrator can copy the information from the screen during the MobilePASS token enrollment, and use any method to send the user the information.

Enrolling a MobilePASS Token

To enroll a MobilePASS token:
1. Ensure that the following conditions are met:
   - OTP authentication is enabled for the appropriate users
   - the MobilePASS application has been downloaded to the SAM Server
   See Downloading MobilePASS Applications on page 569.
2. Use the SAM Deployment page to search for the appropriate users.
3. Click Select All, or select one or more Account Names to which a MobilePASS token will be enrolled.
4. Click MobilePASS.
5. The Enroll a MobilePASS token window opens.
6. Enter the MobilePASS Activation Code.
7. Depending on your SAM configuration, you may be required to set an OTP PIN for the MobilePASS token.
   Enter an OTP PIN, confirm it, then click Continue.

Note:
The user must provide this OTP PIN when authenticating with an OTP generated on the MobilePASS device.

8. A Token successfully enrolled message is displayed.
9. Repeat step 5 through step 8 until a MobilePASS token has been enrolled for each of the selected Account Names.
   The Please enter the Activation Code message is no longer displayed.
10. Click Done.

Sending a MobilePASS Token to the User

If a MobilePASS PIN is required, it is sent via the Notification Method configured in SAM.

Depending on your SAM configuration, if an OTP PIN is required, it can be sent by the administrator, or via the Notification Method configured in SAM.

Using a MobilePASS Token to Generate an OTP

Instruct the user to do the following when an OTP is required:
a. Enter the OTP PIN, if required.
b. Open the MobilePASS application on the mobile device.
c. In the MobilePASS application, enter the MobilePASS PIN, if required, to generate an OTP.
d. Use the generated OTP to authenticate to the application.

Chapter 25

Inventory

Your company's token inventory information is stored in the SAM database.

Use the Inventory page for the following activities:
- Initialize tokens.
- Upload files of token serial numbers to add the tokens to the SAM inventory.
- Add tokens to the SAM inventory.
- Remove tokens from the SAM inventory.

Note:
Adding a token to the SAM inventory is also known as registering a token.

In this section:
- Inventory Page Overview
- Accessing the Inventory Page
- Initializing a Token
- Adding Tokens to the SAM Inventory
- Removing a Token from the SAM Inventory

Inventory Page Overview

SAM Management Center tabs, search parameters, and system messages are displayed in the left panel.

Note:
No search parameters are needed to upload a file of tokens.

- Search criteria: The administrator selects up to two different search criteria to be combined in a single search
- SAM system notifications are displayed at the bottom of the left panel, if relevant

Search results are displayed in the right panel.
- At the top right of the panel: The number of records matching the search criteria, and paging operations
- In the middle section: Details of each token matching the search criteria
- At the bottom of the panel are the following options: Initialize, Token File, Add, Remove

Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.

Accessing the Inventory Page

Log on to your company's local network, and access the Inventory page through the SAM Management Center.

Note:
Each company has its own SAM Server. This guide uses the name localhost to represent your company's SAM Server. When following the steps in the procedure, replace <localhost> with the name of your company's SAM Server.

To access the Inventory page:
1. Open your web browser, and go to http://<localhost>/SAMmanage where <localhost> is the name of your company's SAM Server.
2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to reopen the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.
3. At the top of the left panel, select Inventory.
   The Inventory page opens.
4. In the left panel, select one or two search filters to determine the tokens to be displayed.

Note:
No search parameters are needed to upload a file of tokens.

   Search for Filter     Search criteria Options
   Connected tokens      None
   Tokens by serial no   Enter a character string to search for all token serial numbers beginning with that character string. The length of a token's serial number is determined by the token type:
                         - USB tokens: 8 characters
                         - eToken PASS devices: 12 characters
                         - SafeNet eToken Virtual products: 16 characters
                         - MobilePASS tokens: 16 characters
                         Note: The serial number of a physical token is the rightmost hexadecimal digit string printed on the token case.
   Tokens by user        Enter a character string to search for all usernames beginning with that character string. Note: Usernames are not case-sensitive
   Tokens by status      Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, Revoked
                         Physical Status: Damaged, Lost, Normal
   Tokens by approval    Select the appropriate approval status: Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
   Tokens by user group  A list of groups defined on the user store
   Tokens by user OU     - In a non-Active Directory environment, enter an OU in the format: <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising where MyCompany is the unique instance name
                         - In an Active Directory environment, enter an OU in the format: <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   Tokens by model       A list of token models in the SAM inventory
   Unassigned tokens     None

5. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel.

Note:
The number of tokens found in each search is limited. See Configuring Features of the SAM Management Center on page 187.

   Label          Description
   Account Name   One of the following:
                  - User's account name to which the token is assigned
                  - Unassigned
   Type           Description of the token model
   Serial Number  Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Status         1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked, Not registered (connected, but not in the SAM inventory)
                  2. Physical Status: Damaged, Lost, Normal

6. In the right panel, select one or more tokens. To select all the tokens displayed, click Select All. To undo your selection, click Clear All.
7. Select one of the enabled options at the bottom of the panel.

   Button      Description
   Initialize  Delete all user-specific token content on the selected token and apply the TPO settings
   Token File  Add token and OTP token devices to the SAM inventory by uploading a file of the devices' serial numbers
   Add         Add the selected token to the SAM inventory
   Remove      Remove the selected token from the SAM inventory

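The serial-number and OU filters above (and the same OU formats under Users by OU on the Deployment page, plus the three-group serial read-out in Enrolling an OTP Token) are the only search inputs whose syntax the guide pins down. The following helpers, an added example that is not part of SafeNet Authentication Manager or of this guide, encode those documented rules so an operator script or helpdesk front end can reject a malformed value before it reaches the Management Center. Two things are assumptions rather than statements of the guide: that eToken Virtual and MobilePASS serials are not restricted to hexadecimal characters (the guide states the hex rule only for physical tokens), and that an Active Directory OU root is recognised by its dotted <domain>.<extension> form.

```python
"""Input validation for SAM Management Center search filters (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Serial-number lengths per token type, as listed for the "Tokens by serial no" filter.
SERIAL_LENGTHS = {
    "USB token": 8,
    "eToken PASS": 12,
    "SafeNet eToken Virtual": 16,
    "MobilePASS": 16,
}
# The guide describes the serial of a *physical* token as a hexadecimal digit string.
# Assumption (not stated in the guide): eToken Virtual and MobilePASS serials are not
# constrained to hex characters, so only their length is checked.
PHYSICAL_TYPES = {"USB token", "eToken PASS"}
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def matching_token_types(serial: str) -> List[str]:
    """Token types of which `serial` could be a complete serial number.

    Returns a sorted list; an empty list means the value matches no
    documented type (wrong length, or non-hex for a physical-token length).
    """
    s = serial.strip()
    is_hex = bool(_HEX.match(s))
    return sorted(
        t for t, n in SERIAL_LENGTHS.items()
        if len(s) == n and (is_hex or t not in PHYSICAL_TYPES)
    )


def serial_from_display_chunks(chunks: Sequence[str]) -> str:
    """Rebuild an eToken PASS serial from the three 4-character groups the device shows.

    Mirrors the unreadable-label procedure in "Enrolling an OTP Token": the
    operator writes down three groups of four characters, in display order.
    """
    cleaned = [c.strip().upper() for c in chunks]
    if len(cleaned) != 3 or any(len(c) != 4 for c in cleaned):
        raise ValueError("expected exactly three groups of four characters")
    serial = "".join(cleaned)          # 3 x 4 = the documented 12 characters
    if not _HEX.match(serial):
        raise ValueError("serial number must consist of hexadecimal digits")
    return serial


@dataclass(frozen=True)
class OUPath:
    environment: str   # "active_directory" or "non_active_directory"
    root: str          # <domain>.<extension> or <instance name>
    ous: tuple         # OU names, top level first


# Assumption: an Active Directory root has the dotted <domain>.<extension> form
# (e.g. DName1.com); a root without a dot is treated as a non-AD instance name.
_AD_ROOT = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_ou_path(path: str) -> OUPath:
    """Parse an OU filter value in either documented format.

    Accepts "<instance name>/<OU name>/..." and "<domain>.<extension>/<OU name>/...",
    with or without the trailing slash shown in the guide, and rejects empty or
    whitespace-padded components.
    """
    parts = path.strip().split("/")
    if parts and parts[-1] == "":      # tolerate the documented trailing slash
        parts = parts[:-1]
    if len(parts) < 2:
        raise ValueError("OU path needs a root and at least one OU name")
    if any(p == "" or p != p.strip() for p in parts):
        raise ValueError("empty or whitespace-padded path component")
    root, ous = parts[0], tuple(parts[1:])
    env = "active_directory" if _AD_ROOT.match(root) else "non_active_directory"
    return OUPath(env, root, ous)


if __name__ == "__main__":
    # Constructed sample inputs, following the guide's own examples.
    print(matching_token_types("0123ABCD"))
    print(serial_from_display_chunks(["1a2b", "3c4d", "5e6f"]))
    print(parse_ou_path("MyCompany/Marketing/Advertising"))
    print(parse_ou_path("DName1.com/Marketing/Advertising"))
```

A 16-character value is reported as both eToken Virtual and MobilePASS because the guide gives them the same length; the caller has to disambiguate from context (for example, the model column of the search results).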
Initializing a Token

When you initialize a token, the following occurs:
- The token is added to the SAM inventory if it is not already there.
- Its user-specific token content is deleted.
- The TPO settings are applied.

The token must be connected so that its content can be modified.

To initialize a token:
1. Connect the tokens to be initialized.
2. Open the SAM Inventory page.
3. In the Search for dropdown box, select Connected tokens.
   The connected tokens are displayed.

Note:
In the example shown, the Status field reflects the following:
- The first token is already registered in the SAM inventory, but is not assigned to any user.
- The second token is not yet registered in the SAM inventory.

4. Click Select All, or select one or more tokens to initialize.
5. Click Initialize.
   The Initialize a Token window opens.
6. Click Run.
   A Tokens successfully initialized message is displayed.
7. Click Done.

All of the initialized tokens are now registered in the SAM inventory.

Adding Tokens to the SAM Inventory

When a token is added to the SAM inventory, the device information, such as serial number, is stored in the inventory.

Add new tokens to the SAM inventory for the following purposes:
- To facilitate the management of your total token stock, including tokens not yet assigned.
- To restrict user enrollment of new tokens using the SAM Self Service Center to only those tokens the administrator has added.

Adding a File of Tokens to the SAM Inventory

Add physical tokens to the SAM inventory by uploading a file of the devices' serial numbers.

To upload a file of token devices:
1. Open the SAM Inventory page.
2. Click Token File.
   The Import a Token Serial Number File window opens.
3. Click Browse, browse to the file of token serial numbers, and click Open.
4. Click Upload.
   The file of token serial numbers is uploaded.
   A File successfully imported message is displayed.
5. Click Run to add the tokens listed in the file to the SAM inventory.
   A File successfully uploaded message is displayed.
6. Click Done.

Adding a Token to the SAM Inventory

To add a token:
1. Connect the tokens to be added.
2. Open the SAM Inventory page.
3. In the Search for dropdown box, select Connected tokens.
   The connected tokens are displayed.
4. Click Select All, or select one or more tokens to add to the SAM inventory.
5. Click Add.
   The Add Tokens window opens.
6. Click Run.
   A Tokens successfully added message is displayed.
7. Click Done.

Removing a Token from the SAM Inventory

Remove tokens from the SAM inventory for the following purposes:
- Discontinue management overhead for unused tokens
- Delete a corrupted entry from the SAM inventory

When a token is removed from the SAM inventory, the following activities occur:
a. Revoke: revokes the token if it is not yet revoked.
b. Unassign: disassociates the token from all users.
c. Delete: deletes the token entry from the SAM inventory.

To remove a token:
1. Use the SAM Inventory page to search for the appropriate tokens.
2. Click Select All, or select one or more tokens to remove.
3. Click Remove.
   The Remove Tokens window opens.
4. Click Run.
   A Tokens successfully removed message is displayed.
5. Click Done.

Chapter 26

Reports

Use the SAM Reports page to generate various online reports using the information in the SAM inventory.

In this section:
- SAM Reports Page Overview
- Accessing the Reports Page
- Generating a Token Inventory Report
- Generating a Token History Report
- Generating a Token Expiration Report
- Generating a Token Audit Report
- Generating an OTP Usage Report
- Generating a Token Connections Report
- Generating an Hourly Distribution Chart

SAM Reports Page Overview

To produce a SAM report, do the following:
a. In the left panel of the SAM Reports page, select the report to produce.
b. In the left panel of the specific report page, select filters to determine which items to display in the report.

The report is displayed in the right panel.

Accessing the Reports Page

Log on to your company's local network, and access the Reports page through the SAM Management Center.

To access the Reports page:
1. Open your web browser, and go to http://<localhost>/SAMmanage where <localhost> is the name of your company's SAM Server.
2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to reopen the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.
3. At the top of the left panel, select Reports.
   The SafeNet Authentication Manager Reports page opens.
4. In the left panel, click Home to return to the Helpdesk page, or click the appropriate report.

   Report               Description
   Token Inventory      Tokens that are included in the SAM inventory
   Token History        Historical data of tokens that have been unassigned or removed
   Token Expiration     Tokens that are assigned an expiration date
   Token Audit          Audit information of SAM operations
   OTP Usage            OTP authentication events; the OTP web service configuration determines which operations to audit
   Token Connections    Physical tokens connected at the time of the last refresh
   Hourly Distribution  Average number of physical tokens connected per hour

Generating a Token Inventory Report

A Token Inventory Report lists details of tokens that are included in the SAM inventory.

To generate a Token Inventory Report:
1. Open the Reports page, and click Token Inventory.
   The Token Inventory Report window opens.
2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter               Options
   Token Status         Any Status, Revoked, Enabled, Disabled, SafeNet eToken Rescue, Empty
   Certificate Approval Any Status, Awaiting approval-Tier 1, Awaiting approval-Tier 2, Approved
   Creation Date        Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates - allows input of specific dates
   Modification Date    Any Date, Today, Yesterday, This Week, Last Week, This Month, Last Month, Specific Dates - allows input of specific dates
   User Group           None, or enter a character string to search for all groups beginning with those characters
   Organizational Unit  None, or enter an OU:
                        - In a non-Active Directory environment, enter an OU in the format: <instance name>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: MyCompany/Marketing/Advertising where MyCompany is the unique instance name
                        - In an Active Directory environment, enter an OU in the format: <domain>.<extension>/<OU name>/ followed by names of lower level OUs, separated by slashes, if required. For example: DName1.com/Marketing/Advertising
   User Group           None, or enter a character string to search for all groups beginning with those characters
   Sort By              Serial Number, Model, User Name, Modification Date

3. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel of the report.

   Label          Description
   Serial Number  Token serial number printed on the token case of a physical token, or associated with a SafeNet eToken Virtual product or MobilePASS token
   Model          Specific token model in the SAM inventory
   Status         1. Content Status: Disabled, Empty, Enabled, SafeNet eToken Rescue, No connectors, Revoked
                  2. Physical Status: Damaged, Lost, Normal
   Assigned User  User's account name. May be in the format: Display Name (Account Name)
   Created        Date the token entry was added to the SAM inventory
   Modified       Date the token entry was last modified in the SAM inventory
   Applications   Applications enrolled on the token

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating a Token History Report

If the History Tokens feature is enabled in your TPO, the Token History Report lists the historical data of tokens that have been unassigned or removed.

To generate a Token History Report:

1. Open the Reports page, and click Token History.
   The Token History Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter                 Options
   Token Status           Any Status; Revoked; Enabled; Disabled; SafeNet eToken Rescue; Empty
   Certificate Approval   Any Status; Awaiting approval - Tier 1; Awaiting approval - Tier 2; Approved
   Creation Date          Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month;
                          Specific Dates (allows input of specific dates)
   Modification Date      Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month;
                          Specific Dates (allows input of specific dates)
   User Group             None; or enter a character string to search for all groups beginning with
                          those characters
   Organizational Unit    None; or enter an OU:
                          In a non-Active Directory environment, use the format
                          <instance name>/<OU name>/ followed by the names of lower-level OUs,
                          separated by slashes, if required. For example:
                          MyCompany/Marketing/Advertising, where MyCompany is the unique instance name.
                          In an Active Directory environment, use the format
                          <domain>.<extension>/<OU name>/ followed by the names of lower-level OUs,
                          separated by slashes, if required. For example:
                          DName1.com/Marketing/Advertising
   Sort By                Serial Number; Model; User Name; Modification Date

3. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel of the report.

   Label            Description
   Serial Number    Token serial number printed on the token case of a physical token, or associated
                    with a SafeNet eToken Virtual product or MobilePASS token
   Model            Specific token model in the SAM inventory
   Status           1. Content Status: Disabled; Empty; Enabled; SafeNet eToken Rescue; No connectors;
                       Revoked
                    2. Physical Status: Damaged; Lost; Normal
   Assigned User    User's account name. May be in the format: Display Name (Account Name)
   Created          Date the token entry was added to the SAM inventory
   Modified         Date the token entry was last modified in the SAM inventory
   Applications     Applications enrolled on the token

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating a Token Expiration Report

A Token Expiration Report lists tokens having an expiration date.

To generate a Token Expiration Report:

1. Open the Reports page, and click Token Expiration.
   The Token Expiration Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter                 Options
   Expiration Period      Any Date; Today; Next Week; This Week; Next Month; This Month; Yesterday;
                          Last Week; Last Month; Specific Dates (allows input of specific dates)
   User Group             None; or enter a character string to search for all groups beginning with
                          those characters
   Organizational Unit    None; or enter an OU:
                          In a non-Active Directory environment, use the format
                          <instance name>/<OU name>/ followed by the names of lower-level OUs,
                          separated by slashes, if required. For example:
                          MyCompany/Marketing/Advertising, where MyCompany is the unique instance name.
                          In an Active Directory environment, use the format
                          <domain>.<extension>/<OU name>/ followed by the names of lower-level OUs,
                          separated by slashes, if required. For example:
                          DName1.com/Marketing/Advertising
   Show Disabled Tokens   Selected; Not selected
   Show Revoked Tokens    Selected; Not selected

3. Click Go.
   Details of the tokens matching your search criteria are displayed in the right panel of the report.

   Label                Description
   Serial Number        Token serial number printed on the token case of a physical token, or
                        associated with a SafeNet eToken Virtual product or MobilePASS token
   Assigned User        User's account name. May be in the format: Display Name (Account Name)
   Expires On           Date the token content expires
   Days to Expiration   Number of days remaining before the expiration date
   Status               1. Content Status: Disabled; Empty; Enabled; SafeNet eToken Rescue;
                           No connectors; Revoked
                        2. Physical Status: Damaged; Lost; Normal

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating a Token Audit Report

A Token Audit Report lists details of each SAM operation.

To generate a Token Audit Report:

1. Open the Reports page, and click Token Audit.
   The Token Audit Report window opens.

2. In the left panel, select one or more search filters to determine the events to display in the report.

   Filter        Options
   Event Type    Any Type; Information; Warning; Error
   Event Date    Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month;
                 Specific Dates (allows input of specific dates)
   Category      Any Category; SAM Management Center; SAM Rescue Service Center;
                 SAM Self Service Center; SAM Management Tools; SAM Backend Service;
                 SAM OTP Authentication; SAM Web Service API
   Event ID      Any Events; Specific event defined by SAM
   Operator      None; or enter a character string to search for all operators beginning with
                 that character string
   User          None; or enter a character string to search for all usernames beginning with
                 that character string
   Log Server    Any Log; Specific log used by SAM

3. Click Go.
   Details of the events matching your search criteria are displayed in the right panel of the report.

   Label           Description
   Date            Event date, in MM/DD/YY format, and time
   Time            Event time, in seconds
   Event ID        Event code defined in SAM
   Event Type      ERROR; INFORMATION; WARNING
   Token Serial    Token serial number printed on the token case of a physical token, or associated
                   with a SafeNet eToken Virtual product or MobilePASS token
   Assigned User   Username to whom the token is assigned. May be in the format:
                   Display Name (Account Name)
   Operator        SAM operator during the event
   Category        Any Category; SAM Management Center; SAM Rescue Service Center;
                   SAM Self Service Center; SAM Management Tools; SAM Backend Service;
                   SAM OTP Authentication; SAM Web Service API

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating an OTP Usage Report

An OTP Usage Report lists each audited OTP operation in which a token is used.

Note: The SAM OTP service configuration determines which OTP operations are audited.

To generate an OTP Usage Report:

1. Open the Reports page, and click OTP Usage.
   The OTP Usage Report window opens.

2. In the left panel, select one or more search filters to determine the events to display in the report.

   Filter        Options
   User          None; or enter a character string to search for all usernames beginning with
                 that character string
   Time Period   Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month;
                 Specific Dates (allows input of specific dates)

3. Click Go.
   Details of the events matching your search criteria are displayed in the right panel of the report.

   Label          Description
   Date           Event date, in MM/DD/YY format
   Time           Event time, in seconds
   Event ID       Event code defined in SAM
   Event Type     ERROR; INFORMATION; WARNING
   Token Serial   Token serial number printed on the token case of a physical token, or associated
                  with a SafeNet eToken Virtual product or MobilePASS token
   User           Username to whom the token is assigned. May be in the format:
                  Display Name (Account Name)

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating a Token Connections Report

A Token Connections Report lists the information for each physical token connected at the time of the last refresh.

The Token Connections Report feature requires the following:

- A connection to Microsoft SQL Server or Microsoft SQL Express
- The SAM Desktop Agent must be installed on every client computer

To generate a Token Connections Report:

1. Open the Reports page, and click Token Connections.
   The Token Connections Report window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Filter                Options
   User                  None; or enter a character string to search for all usernames beginning
                         with those characters
   Organizational Unit   None; or enter an OU:
                         In a non-Active Directory environment, use the format
                         <instance name>/<OU name>/ followed by the names of lower-level OUs,
                         separated by slashes, if required. For example:
                         MyCompany/Marketing/Advertising, where MyCompany is the unique instance name.
                         In an Active Directory environment, use the format
                         <domain>.<extension>/<OU name>/ followed by the names of lower-level OUs,
                         separated by slashes, if required. For example:
                         DName1.com/Marketing/Advertising
   Connection Date       Any Date; Today; Yesterday; This Week; Last Week; This Month; Last Month;
                         Specific Dates (allows input of specific dates)
   Connection Status     Connected; Disconnected; Any Status

3. To change the Auto Refresh status, do one of the following:
   - Click Start Auto Refresh to refresh the list of physical tokens connected or disconnected, so that the list is always up to date.
   - Click Stop Auto Refresh to display the list of physical tokens connected at the time of the last system refresh.

4. Click Go.
   Details of the token connections matching your search criteria are displayed.
   The number of connected users and connected physical tokens is displayed at the bottom of the left panel. Details of the tokens matching your search criteria are displayed in the report in the right panel.

   Label              Description
   User               User logged on to a client computer with a connected token
   Token Owner        User's name to whom the token is assigned. May be in the format:
                      Display Name (Account Name)
   Connection Start   Date and time the token was connected
   Duration           Duration of token connection, in HH:MM format
   OU                 OU of the user logged on
   Host               Client computer name
   Token Serial       Token serial number printed on the token case

5. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Generating an Hourly Distribution Chart

An Hourly Distribution chart lists the average number of physical tokens connected per hour.

The Hourly Distribution chart feature requires the following:

- A connection to Microsoft SQL Server or Microsoft SQL Express
- The SAM Desktop Agent must be installed on every client computer
- The SAM Desktop Agent "Enable token auditing" setting must be enabled. See Desktop Agent Settings on page 379.

To enable Hourly Distribution chart generation, see Chapter 19: Configuring Attendance Reports, on page 386.

To generate an Hourly Distribution chart:

1. Open the Reports page, and click Hourly Distribution.
   The Hourly Distribution window opens.

2. In the left panel, select one or more search filters to determine the tokens to display in the report.

   Parameter         Options
   Connection Date   Today; Yesterday; This Week; Last Week; This Month; Last Month;
                     Specific Dates (allows input of specific dates)
   Days              Each day of the week: Selected; Not selected

3. Click Go.
   Details of physical token connections for the days selected are displayed in the report in the right panel.
   The chart displays the average number of tokens connected each hour, starting from midnight (0), in military hour format (0-23).

4. In the left panel, click Select Report to produce another report, or Home to return to the Helpdesk page.

Chapter 27

Downloads

Use the SAM Downloads page to download components.

In this section:

- SAM Downloads Page Overview
- Accessing the SAM Downloads Page
- Downloading SAM Web Client
- Downloading MobilePASS Applications

SAM Downloads Page Overview

Use the SAM Downloads page to download the following components:

- SAM Web Client components
- MobilePASS applications

Accessing the SAM Downloads Page

Log on to your company's local network, and access the SAM Downloads page through the SAM Management Center.

To access the SAM Downloads page:

1. Open your web browser, and go to http://<localhost>/SAMmanage, where <localhost> is the name of your company's SAM Server.

2. Depending on your user store:
   - You may be required to provide logon credentials, such as Domain, Username, and Password.
   - You may have an option to select Keep me signed in, which enables you to reopen the SAM Management Center within a predefined time period without needing to log on again.
   The SAM Management Center opens to the Helpdesk page.

3. In the left panel, select Downloads.
   The Downloads page opens.

4. In the right panel, click the component to download:
   - SAM Web Client for x32
   - SAM Web Client for x64
   - MobilePASS applications from the SafeNet download page

Downloading SAM Web Client

SafeNet Authentication Manager Client must be installed on all client computers used for enrolling USB tokens, smart cards, or SafeNet eToken Virtual products.

To install SafeNet Authentication Manager Client on your computer:

1. Open the Downloads page.

2. Do one of the following:
   - For 32-bit environments, click Download SAM Web Client for x32.
   - For 64-bit environments, click Download SAM Web Client for x64.
   The File Download window opens.

3. Click Run.
   A Security Warning window opens, identifying the name of the program.

4. Click Run.
   Depending on your SafeNet Authentication Manager configuration, an installation wizard may be initiated to install SafeNet Authentication Manager Client.
   The SafeNet Authentication Manager Client Installation Wizard opens.

5. Click Next.
   The End User License Agreement is displayed.

6. Read the license agreement, and select the option I accept the license agreement.

7. Click Next.
   The Destination Folder window opens, displaying the default installation folder.

8. Click Next.
   The Select Installation Type window opens.

9. Do one of the following:
   - To install the legacy TMS Desktop Agent, select Complete.
   - For standard installations, select Typical.

10. Click Next to begin the installation.
    When the installation is complete, the Successfully installed message is displayed.

11. Click Finish.

Downloading MobilePASS Applications

Download MobilePASS applications to enroll MobilePASS tokens. MobilePASS tokens generate OTPs on mobile devices without the need for physical tokens. MobilePASS tokens work independently of mobile network connectivity.

To download MobilePASS applications:

1. Open the Downloads page, and click Open MobilePASS applications download page.
   The SafeNet website opens to the MobilePASS Authenticators Download Page.

2. Use the link on the SafeNet website to download the appropriate MobilePASS application for each mobile device.

After the MobilePASS application is downloaded to a mobile device, a MobilePASS token can be enrolled on it. See MobilePASS Token Enrollment on page 511.

Part V Appendixes

In this section:

- Appendix A  AD Schema Enhancement

Appendix A

AD Schema Enhancement

This section describes the Microsoft Active Directory (AD) schema changes resulting from the installation of SafeNet Authentication Manager.

In this section:

- Prefixes Registered with Microsoft
- Naming Conventions
- Schema Attributes and Classes Tables

Prefixes Registered with Microsoft

Microsoft has assigned the following prefixes for SafeNet Authentication Manager use:

- The prefix for each name is AksTMS. To distinguish TMS 2.0 schemas from previous TMS versions, the prefix used in this version is AksTMSV20.
- The object identifier (OID) prefix is 1.2.840.113556.1.8000.2009.
- Classes are assigned the OID prefix 1.2.840.113556.1.8000.2009.1.
- Attributes are assigned the OID prefix 1.2.840.113556.1.8000.2009.2.

Naming Conventions

The conventions used for TMS 2.0 class and attribute names are:

- Each CN name starts with aks20.
- Each ldapDisplayName starts with AksTMS20.

Schema Attributes and Classes Tables

The following apply to the tables in this document:

- Names and OIDs are shown without prefixes.
- The existing flags are: Multi Valued; Indexed; Global Catalog.

Attributes

Each entry below gives the CN and LDAP Display Name (CN / LDAP Display Name), the description, the syntax and OID (prefix omitted), any flags or link, and the schemaIDGUID.

Common Attributes (OID prefix 1.)

data / Data
  Used to store binary data
  Syntax: Octet string (2.5.5.10:4); OID: 1.1
  schemaIDGUID: {369175d7867a-4d8da6d9a17923fd 36}

version / Version
  Used to store version
  Syntax: Integer (2.5.5.9:2); OID: 1.2
  schemaIDGUID: {3160c61f-7f8c-42f4-9c48-167d54aeed4a}

productionOID / ProductionOID
  Used to link production objects from object holders
  Syntax: Unicode string (2.5.5.12:64); OID: 1.3; Flags: Container indexed
  schemaIDGUID: {6c5d71d0-fb0c-4a18-836b-52a88597286e}

configXML / ConfigXML
  Used to store connector configuration XML
  Syntax: Unicode string (2.5.5.12:64); OID: 3.1
  schemaIDGUID: {2777a802-6b50-4024-9e3b-ed80ef013407}

TMS Class Attributes (OID prefix 2.)

data, version, productionOID: see the corresponding attributes in Common Attributes.

Application Class Attributes (OID prefix 3.)

configXML: see the configXML attribute in Common Attributes.

priority / Priority
  Used to define enrollment priority of application
  Syntax: Integer (2.5.5.9:2); OID: 3.2
  schemaIDGUID: {f7618490-8d61-41ad-8d40-c220731aae6e}

data: see the data attribute in Common Attributes.

Policy Class Attributes (OID prefix 4.)

applyList / ApplyList
  Used in Policy class to store list of principals (users and groups) to whom policy applies
  Syntax: Unicode string (2.5.5.12:64); OID: 4.1; Flags: Multivalued
  schemaIDGUID: {818a3143-d7c0-4e08-aae0-ae1c52071d36}

data: see the data attribute in Common Attributes.

Token Class Attributes (OID prefix 5.)

tokenUser / TokenUser
  Used to store user to whom token is assigned
  Syntax: Distinguished name (2.5.5.1:127); OID: 5.2; Link ID: Backward link to tokens
  schemaIDGUID: {ae7754c9-eed8-47be-8ede-843b18382576}

data: see the data attribute in Common Attributes.

tokenSlotType / TokenSlotType
  Used to store slot type (Reader for SC; Virtual for USB; File for SafeNet eToken Virtual)
  Syntax: Integer (2.5.5.9:2); OID: 5.3
  schemaIDGUID: {dedd21f9-c902-413f-958e-5c3c809598ec}

tokenProdName / TokenProdName
  Used to store product name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.4
  schemaIDGUID: {5a2773dc-e374-42b9-9642-58aa6b33b00d}

tokenModel / TokenModel
  Used to store token model
  Syntax: Unicode string (2.5.5.12:64); OID: 5.5
  schemaIDGUID: {34bb3fbc-5c3c-4ed7-88f4-210edfb5749e}

prodDate / ProdDate
  Used to store production date
  Syntax: Generalized time (2.5.5.11:24); OID: 5.6
  schemaIDGUID: {790b509c-19b5-48dc-90db-8bfda173ad87}

caseModel / CaseModel
  Used to store case model (node, classic, ng1, ng2, ng2-nolcd)
  Syntax: Integer (2.5.5.9:2); OID: 5.7
  schemaIDGUID: {66b6d85f-517e-4d85-b71e-616970aa3257}

cardType / CardType
  Used to store smartcard type (none, OS4)
  Syntax: Integer (2.5.5.9:2); OID: 5.8
  schemaIDGUID: {d0a2d291-b422-4c82-b539-71e6abf3815c}

version: see the version attribute in Common Attributes (here, it saves the card version).

tokenSerial / TokenSerial
  Used to store unique physical token identifier
  Syntax: Octet string (2.5.5.10:4); OID: 5.9; Flags: Global Catalog, Indexed
  schemaIDGUID: {e1c15c88-4755-485b-b00c-cb720b07006c}

tokenColor / TokenColor
  Used to store token color
  Syntax: Integer (2.5.5.9:2); OID: 5.10
  schemaIDGUID: {fd0f4508-26d2-4136-94ff-9db603b5327e}

tokenSOPin / TokenSOPin
  Used to store security officer pin
  Syntax: Octet string (2.5.5.10:4); OID: 5.11
  schemaIDGUID: {1a079bb4-a4e7-4a65-b23f-9cbd10b224bd}

tokenSize / TokenSize
  Used to store token size
  Syntax: Integer (2.5.5.9:2); OID: 5.12
  schemaIDGUID: {e6b29a69-f6ee-4b0f-b469-032d75689b33}

tokenInitKey / TokenInitKey
  Used to store token init key
  Syntax: Octet string (2.5.5.10:4); OID: 5.13
  schemaIDGUID: {12240b75-0c9e-4114-bc13-e74c3c201daa}

hasBattery / HasBattery
  Used to store HasBattery flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.14
  schemaIDGUID: {bf7c039a-4176-4566-ada5-b1bb313c2fe7}

hasLCD / HasLCD
  Used to store HasLCD flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.15
  schemaIDGUID: {86aeae02-31eb-4cb2-912f-17d93dd90592}

hasUser / HasUser
  Used to store HasUser flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.16
  schemaIDGUID: {e135eb4d-d228-474f-a751-46238c3e390d}

hasSO / HasSO
  Used to store HasSO flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.17
  schemaIDGUID: {8641b75e-476f-465f-a12e-a21186faebb0}

hasFIPS / HasFIPS
  Used to store HasFIPS flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.18
  schemaIDGUID: {dccc9e17-90c3-47ed-bb69-9daea1a9486f}

hasStorage / HasStorage
  Used to store HasStorage flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.19
  schemaIDGUID: {dbee9025-0993-4c2f-b181-437bc922be97}

isFipsSupported / IsFipsSupported
  Used to store IsFipsSupported flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.20
  schemaIDGUID: {e3a35195-7e1f-402b-a35e-d80ec501bf10}

isHMACSHA1Supported / IsHMACSHA1Supported
  Used to store IsHMACSHA1Supported flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.21
  schemaIDGUID: {1396a43e-afc6-4cee-b978-b9b4df0c7173}

isRSA2048Supported / IsRSA2048Supported
  Used to store IsRSA2048Supported flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.22
  schemaIDGUID: {35e61d2f-9b21-4842-9f3e-227ce887ef02}

isMayInit / IsMayInit
  Used to store IsMayInit flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.23
  schemaIDGUID: {11c4acc0-7730-42cc-b347-b9de4037d14a}

tokenLabel / TokenLabel
  Used to store token label
  Syntax: Unicode string (2.5.5.12:64); OID: 5.24
  schemaIDGUID: {9d39c5a1-4191-47ea-9613-3334263ba82a}

tokenPhysicalStatus / TokenPhysicalStatus
  Used to store token physical lifetime cycle
  Syntax: Integer (2.5.5.9:2); OID: 5.25
  schemaIDGUID: {a84d307c-26d2-496c-a4b6-49a7991adb6d}

tokenContentStatus / TokenContentStatus
  Used to store token content lifetime cycle
  Syntax: Integer (2.5.5.9:2); OID: 5.26
  schemaIDGUID: {184df80f-b1fa-4653-a528-dd5d8443124e}

expirationDate / ExpirationDate
  Used to store token expiration date
  Syntax: Generalized time (2.5.5.11:24); OID: 5.27
  schemaIDGUID: {3b70a923-e324-4004-b774-434489a4280b}

tokenUserGroups / TokenUserGroups
  Used to store token user's groups
  Syntax: Unicode string (2.5.5.12:64); OID: 5.28
  schemaIDGUID: {17141fd3-ce15-48f0-b153-0c1b26de8c87}

tokenPolicyLinkerPath / TokenPolicyLinkerPath
  Used to store token user's policy linker path
  Syntax: Unicode string (2.5.5.12:64); OID: 5.29
  schemaIDGUID: {a1cad7ef-56a9-4c40-8db5-9ecd78a65574}

tokenUserName / TokenUserName
  Used to store token user's name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.30
  schemaIDGUID: {7f7de6ff-a89c-4d45-aa9a-606efb04835a}

tokenUserDisplayName / TokenUserDisplayName
  Used to store token user's display name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.31
  schemaIDGUID: {971302fe-592b-48c6-afa3-785ed1896185}

tokenUserAccountName / TokenUserAccountName
  Used to store token user's account name
  Syntax: Unicode string (2.5.5.12:64); OID: 5.32
  schemaIDGUID: {01dc9fcb-163e-4970-808f-c9bf4718f1c5}

softTokenExpirationDate / SoftTokenExpirationDate
  Used to store SafeNet eToken Virtual expiration date
  Syntax: Generalized time (2.5.5.11:24); OID: 5.33
  schemaIDGUID: {d52c71e5-6434-4e99-8d23-e511c62c460c}

softTokenPIN / SoftTokenPIN
  Used to store SafeNet eToken Virtual password
  Syntax: Octet string (2.5.5.10:4); OID: 5.34
  schemaIDGUID: {a6d64efe-1382-4e32-bf40-46f730479bd6}

InitReqired / InitReqired
  Used to store state when token should be formatted at assignment
  Syntax: Boolean (2.5.5.8:1); OID: 5.35
  schemaIDGUID: {064addc8-4381-4757-9a8b-50c74638a930}

isInitKeySet / IsInitKeySet
  Used to determine status of TokenInitKey attribute
  Syntax: Boolean (2.5.5.8:1); OID: 5.36
  schemaIDGUID: {4f8ff264-f761-47f9-8988-948a52ad91c0}

Profile Class Attributes (OID prefix 6.)

creator / Creator
  Used to store link to corresponding Application object
  Syntax: Distinguished name (2.5.5.1:127); OID: 6.1
  schemaIDGUID: {178b3001-a973-486c-8cf8-33dd156e8230}

data: see the data attribute in Common Attributes.

profileType / ProfileType
  Used to define profile type
  Syntax: Integer (2.5.5.9:2); OID: 6.2
  schemaIDGUID: {01e84908-6cb8-4030-b400-ba03cfc48859}

UserHolder Class Attributes (OID prefix 7.)

data, productionOID: see the corresponding attributes in Common Attributes.

tokens / Tokens
  Used to store tokens assigned to user
  Syntax: DnWithString (2.5.5.14:127) +2A86 4886 F714 0101 010C; OID: 7.1; Flags: Multivalued;
  Link ID: Forward link to tokenUser
  schemaIDGUID: {4d889717-2ad4-4d8a-9e99-95bff5fa896c}

allowPasswordLogin / AllowPasswordLogin
  Used to store flag to enable user to log in without token
  Syntax: Boolean (2.5.5.8:1); OID: 7.2
  schemaIDGUID: {4b0a133a-2b63-48fb-aab6-d697c66c71c4}

passwordLoginExpirationDate / PasswordLoginExpirationDate
  Used to store expiration date of allowPasswordLogin flag
  Syntax: Generalized time (2.5.5.11:24); OID: 7.3
  schemaIDGUID: {6af14a40-8a19-4124-8321-7489599eff47}

TMSLoginFailuresCount / TMSLoginFailuresCount
  Used to store number of failed logins to eToken Remote Help Center
  Syntax: Integer (2.5.5.9:2); OID: 7.4
  schemaIDGUID: {8C45D094-AD73-4129-91BC-728DE61A0F59}

PolicyLinkerHolder Class Attributes (OID prefix 8.)

tpLink / TPLink
  Used to store linked TPOs
  Syntax: Unicode string (2.5.5.12:64); OID: 8.1
  schemaIDGUID: {5bdacad6-a5a7-455f-b09e-1ee758f283a1}

tpOptions / TPOptions
  Used to store Block policy inheritance flag
  Syntax: Integer (2.5.5.9:2); OID: 8.2
  schemaIDGUID: {06bac9d2-e11c-4171-8084-2bc9bfdeb43c}

productionOID: see the productionOID attribute in Common Attributes.

Classes

TMS Classes

Each entry below gives the CN / LDAP Display Name, the description, the parent class, the classes the object may include (in addition to standard classes), and the schemaIDGUID.

tms / TMS
  Main object of TMS; represents TMS database for one production domain
  Parent class: Container; May include: Profile, Workflow
  schemaIDGUID: {c87841c9-11e7-45da-aee7-bd6ba12e639c}

application / Application
  Represents application object in TMS
  Parent class: Top; May include: Workflow
  schemaIDGUID: {144fd95b-a1f7-45c5-bb48-e2d1dbb7d200}

policy / Policy
  Represents policy object in TMS
  Parent class: Top; May include: Profile, Workflow
  schemaIDGUID: {f237dc2a-9f79-4d20-86ef-90b56029792c}

token / Token
  Represents token object in TMS
  Parent class: Container; May include: Profile, Workflow
  schemaIDGUID: {873737e9-e949-4b05-a421-9bb4b8463e5e}

profile / Profile
  Represents different profiles and license objects in TMS
  Parent class: Top; May include: Workflow
  schemaIDGUID: {f08a78b2-eefc-4c57-907a-4b7360af21c1}

userHolder / UserHolder
  Represents user holder object in TMS
  Parent class: Container; May include: Profile, Workflow
  schemaIDGUID: {dc15e12c-7f58-4063-a13a-6e465f67777a}

policyLinkerHolder / PolicyLinkerHolder
  Represents PolicyLinkerHolder object (for AD, represents its OUs and DomainDns objects)
  Parent class: Top; May include: Workflow
  schemaIDGUID: {4f9b820b-2d11-49fd-845c-244305e359c2}

Schema Extensions for TMS 5.0 and Later

Attributes added to the Token class in TMS 5.0 and later (OID prefix 5.)

tokenAppDeviceType / TokenAppDeviceType
  Used to store token's application device type
  Syntax: Integer (2.5.5.9:2); OID: 5.37
  schemaIDGUID: {c9df7d19-bb94-494e-950f-f2d7c0265ab9}

tokenAppDeviceTypeID / TokenAppDeviceTypeID
  Used to store token's application device type ID
  Syntax: Unicode string (2.5.5.12:64); OID: 5.39
  schemaIDGUID: {41477916-01eb-40fd-869f-2e100fbf1d30}

temporaryToken / TemporaryToken
  Used to store token temporary state
  Syntax: Boolean (2.5.5.8:1); OID: 5.40
  schemaIDGUID: {DB013EA6-14C9-4b8f-841A-3BF7FBFF62D0}

TemporaryTokenLink / TemporaryTokenLink
  Used to store connection with temporary token
  Syntax: Distinguished name (2.5.5.1:127); OID: 5.41; Link ID: Forward link to PrimaryTokenLink
  schemaIDGUID: {C0F6DBC9-4BE3-418d-B55D-C9F81366431F}

PrimaryTokenLink / PrimaryTokenLink
  Used to store connection with primary token
  Syntax: Distinguished name (2.5.5.1:127); OID: 5.42; Link ID: Backward link to TemporaryTokenLink
  schemaIDGUID: {DF1107B5-23DC-416e-B6A7-ED23BF465B88}

hasUnblock / HasUnblock
  Used to store HasUnblock flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.43
  schemaIDGUID: {A7D5EB26-1C87-40b2-AF3D-52B77749AACC}

hasClientless / HasClientless
  Used to store HasClientless flag
  Syntax: Boolean (2.5.5.8:1); OID: 5.44
  schemaIDGUID: {3F744B9A-FFF3-41b4-9DD4-C00335C9DF60}

softTokenLockMode / SoftTokenLockMode
  Used to store lock mode of software tokens
  Syntax: Integer (2.5.5.9:2); OID: 5.45
  schemaIDGUID: {F1517295-38C2-49ee-BDD3-CF31EB5FA2F5}

appDeviceType Class Attributes for TMS 5.0 and later (OID prefix 3.)

configXML, data: see the corresponding attributes in Common Attributes.

Classes to create for TMS 5.0 and later

appDeviceType / AppDeviceType
  Represents application device type object in TMS
  Parent class: Top; May include: Workflow
  schemaIDGUID: {89fb852a-054f-4289-acab-0e966a0440e2}

Schema Extensions for SAM 8.0 and Later

Attributes added to the Token class in SAM 8.0 and later (OID prefix 5.)

workflows / Workflows
  Used to store workflow data of token's profiles
  Syntax: Unicode string (2.5.5.12:64); OID: 5.46; Flags: Multivalued
  schemaIDGUID: {25747008-76B8-4b0c-BF34-DD0FF7ECFF43}

IsHistoryToken / IsHistoryToken
  Used to identify History Tokens
  Syntax: Boolean (2.5.5.8:1); OID: 5.47
  schemaIDGUID: {2ADCCC45-FAC8-452b-AC76-A7FB35D9B50B}

Workflow Class Attributes for SAM 8.0 and Later (OID prefix 10.)

workflowName / WorkflowName
  Used to store workflow name
  Syntax: Unicode string (2.5.5.12:64); OID: 10.1
  schemaIDGUID: {EB9818DB-12B0-456b-9E17-D2F617593AA4}

workflowStatus / WorkflowStatus
  Used to store workflow status
  Syntax: Integer (2.5.5.9:2); OID: 10.2
  schemaIDGUID: {9574B7B4-59F7-46a2-B4B3-6481A823B997}

Classes to Create for SAM 8.0 and Later

workflow / Workflow
  Represents workflow status of operation
  Parent class: Top; OID: 10
