Software Token User Guide
TRADEMARKS
Quest, Quest Software, the Quest Software logo and iToken are trademarks and registered
trademarks of Quest Software, Inc. in the United States of America and other countries.
Gridsure and the Gridsure logos are trademarks and registered trademarks of Gridlock TS
Limited. All other trademarks and registered trademarks are property of their respective
owners.
Disclaimer
The information in this document is provided in connection with Quest products. No
license, express or implied, by estoppel or otherwise, to any intellectual property right is
granted by this document or in connection with the sale of Quest products. EXCEPT AS SET
FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT
FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY
EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE
FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL
DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS,
BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR
INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with
respect to the accuracy or completeness of the contents of this document and reserves the
right to make changes to specifications and product descriptions at any time without
notice. Quest does not make any commitment to update the information contained in this
document.
Contents
ABOUT THIS GUIDE 5
QUEST ONE IDENTITY SOLUTION 6
ABOUT THIS GUIDE 7
AUDIENCE AND SCOPE 7
CONVENTIONS 7
ABOUT QUEST SOFTWARE 8
CONTACTING QUEST SOFTWARE 9
CONTACTING CUSTOMER SUPPORT 9
CHAPTER 1 DEFENDER TOKEN BASICS 11
INTRODUCTION 12
DEFENDER NETWORK PROTECTION 13
WHAT IS A TOKEN? 13
SOFTWARE TOKENS 13
HOW A TOKEN WORKS 15
CHAPTER 2 DEFENDER DESKTOP TOKEN 17
INTRODUCTION 18
SYSTEM HARDWARE AND SOFTWARE REQUIREMENTS 20
FOR A MOBILE DEVICE 20
WHAT YOU NEED FROM THE SECURITY ADMINISTRATOR 20
INSTALLING THE DEFENDER DESKTOP TOKEN SOFTWARE ON A PC 21
ACTIVATING YOUR DEFENDER DESKTOP TOKEN 24
AUTHENTICATING WITH A DEFENDER DESKTOP TOKEN 32
SYNCHRONOUS MODE 32
ASYNCHRONOUS MODE 34
SIMPLIFYING THE AUTHENTICATION PROCESS 37
TOKEN MANAGEMENT OPTIONS 38
CHANGING THE PASSPHRASE 39
Single sign-on
Directory consolidation
Provisioning
Password management
Strong authentication
Audit and compliance.
About
Quest iToken
Defender Mobile.
Conventions
In order to help you get the most out of this guide, we have used specific
formatting conventions. These conventions apply to procedures, icons,
keystrokes, and cross-references.
ELEMENT
CONVENTION
Select
Bolded text
courier text
Italic text
Blue text
ELEMENT
CONVENTION
Used to highlight additional information pertinent to
the process being described.
Used to provide Best Practice information. A best
practice details the recommended course of action for
the best result.
Used to highlight processes that should be performed
with care.
<version>.<build number>
About
Email: info@quest.com
Web site: www.quest.com
Please refer to our Web site for regional and international office information.
Support Web site: www.quest.com/support
Email: support@quest.com
Access FAQs
Download patches
1
Defender Token Basics
Introduction
Defender Network Protection
What is a Token?
Software Tokens
How a Token Works
Introduction
If you are a remote user who must access a Defender-protected network, you
need a Defender token to access your network. This token is configured for you
by your security administrator. This chapter provides a description of what
tokens are and how they work.
This chapter contains the following information:
What is a token?
After reading this overview, see the following chapters for information on how to
use the different token types:
Blackberry
Palm
Quest Soft Token for Android - refer to the Quest Soft Token for
Android Administration and User Guide.
What is a Token?
A token implemented in software or hardware helps remote users gain access to
computer resources on a Defender-protected network. The process of gaining
access to a secure network through the use of passwords, challenge/response
methods, and synchronous methods is called authentication.
The Defender solution supports a variety of token options. All provide strong
two-factor authentication.
Before a token can be used, its security record is created in the Defender
Administration Console by the supervisor and then stored in Active Directory.
Some tokens must be initialized by the supervisor, while others can be initialized
remotely by the user.
Software Tokens
This guide describes the software tokens available for use with Defender 5.
Defender Electronically Distributed Software Token: authentication software
installed on the user's computer, which allows the remote user to access a
Defender-protected network and authenticate to the Defender Security Server.
The Defender Client Software enables the use of the Defender Software Token,
Defender Electronically Distributed Software Token and Self-Registering
Defender Software Token. It is provided as a self-extracting file which the token
administrator makes accessible to users prior to the distribution of the user
unique token information.
The Defender Electronically Distributed Software Token, Defender Software
Token and the Self-Registering Defender Software Token allow users to
authenticate to the Defender Security Server via an automatic
challenge/response dialog that initiates when the user enters a PIN on his
workstation. If authentication is successful, the Defender Security Server allows
the user to access the corporate network.
For further advice and assistance with token migration, please contact Customer
Support.
2
Defender Desktop Token
Introduction
System Hardware and Software
Requirements
Installing the Defender Desktop Token
Software on a PC
Activating your Defender Desktop Token
Authenticating with a Defender Desktop
Token
Token Management Options
Installing the Defender Desktop Token on a
BlackBerry
Installing the Palm Token Software
Installing the Windows Mobile/iPaq Token
Software
Authenticating with a Defender Token on a
Mobile Device
Installing the Quest iToken software
Activating the Quest iToken
Authenticating with the Quest iToken
Introduction
The Defender Desktop Token is software that you install on your Windows PC or
mobile device.
The Defender Desktop Token is supported on:
Windows Desktop
BlackBerry
Windows Mobile/iPaq
Palm
REQUIREMENT         DESCRIPTION
Memory              32 Mb RAM (minimum)
Hard Drive
Operating System
location and name of the file that contains the activation key for your
Defender Desktop Token.
1. Locate and run the Defender Desktop Token Installer.exe file. The
Defender Desktop Token Installation Wizard starts:
Figure 2: Defender Desktop Token Installation Wizard (Install Location) dialog box
Figure 4: Defender Desktop Token Installation Wizard (Installation Complete) dialog box
5. Click Finish.
On completion of the installation a Defender Desktop Token program
group is created.
1. From the Start menu, select Programs, Defender Desktop Token. The
Token Activation Wizard (Welcome) dialog box is displayed:
Click Browse to select the required username.txt file. The activation key is
automatically copied from the username.txt file and pasted into the Code
field.
Alternatively, you can copy the activation code from the username.txt file
and paste it into the Code field.
4. Click Next. The Token Activation Wizard - Select Storage dialog box is
displayed:
in a different folder, click the Another Folder radio button, then click
Browse to navigate to the required location
6. If you have more than one active Defender Desktop Token and want this
token to be selected for authentication by default, check the Make this
token the default token checkbox.
If you have more than one active Defender Desktop Token and do not want
to authenticate using the default token, you can specify an alternative
token during logon.
In the New Passphrase field, type the passphrase that you will enter to
unlock the Desktop Token before authentication.
As you type your passphrase, the strength box indicates the strength of the
passphrase by showing a red (weak) or green (strong) indicator. Quest
recommends the use of a strong passphrase.
A strong passphrase should contain a combination of uppercase and
lowercase letters, numbers and punctuation marks, and be at least eight
characters long.
If you choose a weak passphrase, the following message is displayed:
To use the passphrase you entered in the Token Activation Wizard - Select
Passphrase dialog box, click Yes.
To return to the Token Activation Wizard - Select Passphrase dialog box and
enter a different passphrase, click No.
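The strength rule stated above (upper and lower case letters, numbers, punctuation marks, at least eight characters) expressed as a check that reports which criteria a passphrase fails. This is an added illustration, not code from the guide or from the Defender product; treating these four character classes plus the length minimum as the complete rule is an assumption, since the wizard's own algorithm is not documented here.

```python
import string

# Added example: the passphrase rule this guide states for the Token
# Activation Wizard. The exact algorithm the wizard uses is not documented,
# so these criteria being the whole rule is an ASSUMPTION.
MIN_LENGTH = 8

# (message reported when the class is missing, characters that satisfy it)
CHARACTER_CLASSES = [
    ("no uppercase letter", string.ascii_uppercase),
    ("no lowercase letter", string.ascii_lowercase),
    ("no digit", string.digits),
    ("no punctuation mark", string.punctuation),
]


def passphrase_weaknesses(passphrase: str) -> list:
    """Return the criteria the passphrase fails; an empty list means strong."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for message, alphabet in CHARACTER_CLASSES:
        if not any(ch in alphabet for ch in passphrase):
            failures.append(message)
    return failures


def strength_indicator(passphrase: str) -> str:
    """Map the result onto the wizard's red (weak) / green (strong) box."""
    return "green" if not passphrase_weaknesses(passphrase) else "red"
```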
Figure 10: Token Activation Wizard (Enter Token Name) dialog box
11. In the Token Name field, type a name that will help you identify this
token. If you choose not to give the token a name, the token serial number
will be used as the token name.
12. Click Next. The Token Activation Wizard (Defender Desktop Token
Activation Complete) dialog box is displayed:
Figure 11: Token Activation Wizard (Defender Desktop Token Activation Complete)
dialog box
On completion of the activation procedure, the token can be managed from the
Start menu, Defender Desktop Token program group, shown below:
If you specified a default token during the activation procedure, the Enter
Passphrase dialog for the default token will be displayed when you select the
Defender Desktop Token program group from the Start menu. To display the
token management options, or select an alternative token for authentication,
click Tokens.
For authentication information, refer to Authenticating with a Defender Desktop
Token.
Synchronous Mode
If you are authenticating to a network that uses a response only method:
1. When prompted by the Defender Security Server, enter your user ID in your
communications software.
2. From the Start menu, select Programs, Defender Desktop Token,
Defender Desktop Token.
If you have more than one Defender Desktop Token installed and have
specified one token as your default token, the Enter Passphrase dialog
box is displayed:
If you do not want to use your default token for authentication, click
Tokens. The Defender Desktop Tokens dialog box is displayed:
Asynchronous Mode
If you are authenticating to a network that uses a challenge/response method:
1. When prompted by the Defender Security Server, enter your user ID in your
communications software. The Defender Security Server displays a
challenge value in your communications software.
If you have more than one Defender Desktop Token assigned to you, the
Defender Desktop Tokens dialog box is displayed.
8. To automatically copy the token response to the clipboard and close the
Defender Desktop Token Response window, check the box, then click
Get Response.
If you chose not to automatically copy the token response to the clipboard,
click Get Response, then use the copy function to copy the response to
the clipboard. Click Cancel to close the Defender Desktop Token
Response window.
MENU OPTION
DESCRIPTION
File
  Edit Folders: click to display a list of folders that will be searched to
  locate Defender Desktop Tokens.
  Close
Token
  Activate New Token
  Default
  Rename
  Delete
  Move
  Change passphrase
  Reset passphrase
  Properties
View
  Icons
  Details
Options
  Prompt for username to unlock token
  Centre Window at Startup
Help
  About Defender Desktop Token
Click Next. You are prompted to enter your current passphrase for this
token. Enter the passphrase.
3. Right-click the token that you want to reset, then select Reset
Passphrase from the list. The Defender Desktop Token Wizard starts:
4. Click Next.
5. Tell your Administrator the number displayed in the Challenge field. Your
Administrator will then reply with an unlock code.
In Defender 5.6 the BlackBerry Token Software can be downloaded from the
BlackBerry App World. The software can also be installed on the BlackBerry
device using the BlackBerry Enterprise Server.
Download the latest version of the BlackBerry Token Software from the
Defender product pages of the Quest SupportLink site and save it to either a
local or shared network drive.
Click Open.
8. Click Apply.
10. The Defender Token application is now installed and available from the
Downloads folder on your BlackBerry.
IIS 6
Select Properties.
Extension    MIME Type
jad          text/vnd.sun.j2me.app-descriptor
cod          application/vnd.rim.cod
<html>
<head><title>Quest Soft Token for Blackberry Download</title></head>
<body>
<a href="DefenderBlackBerryToken4.jad">Download Software</a>
</body>
</html>
IIS 7
Extension    MIME Type
jad          text/vnd.sun.j2me.app-descriptor
cod          application/vnd.rim.cod
Use a browser to access the web page that contains the link to the
DefenderBlackBerryToken4.jad file.
Click OK.
When you select the token software for the first time, an Applications
Permissions prompt may be displayed. Click Yes to continue.
9. The token must be activated with an activation code before it can be used
for authentication. Please refer to Activating the Defender Token on
page 56.
Deleting a Token
To de-activate a Defender Token on your BlackBerry:
1. Download the latest version of the Palm Token Software from the Defender
product pages of the Quest SupportLink site.
Connect your Palm device to your PC and press the HotSync button. The
token software is transferred to your Palm device.
The Palm HotSync Manager is required to install the token software on your
Palm device.
On your Palm, select the Defender Token. You are prompted to enter the
Defender Token activation key. The activation key is supplied separately.
57
Connect your Windows Mobile/iPaq device to your PC and place it in the cradle
with Microsoft ActiveSync running. On your PC, the ActiveSync dialog box
displays Connected.
Figure 32: Defender Windows Mobile Token (Select Installation Folder) page
If you want the token software for your use only, click the Just me button.
If you want the token to be available to anyone who uses this computer,
click the Everyone button.
Perform any further steps that may be required by your mobile device to
complete the installation.
Click OK.
Select the Defender Token application from the menu on your device.
Connect your device to your PC and place it in the cradle with Microsoft
ActiveSync running. On your PC, the ActiveSync dialog box displays Connected.
6. Click Remove.
The Defender Token is removed from your PC and device.
Asynchronous Mode
If you are authenticating to a network that uses a challenge/response method:
1. When prompted by the Defender Security Server, enter your user ID in your
communications software.
The Defender Security Server displays a challenge value in your
communications software.
In the Challenge field, type the challenge issued by the Defender Security
Server.
Synchronous Mode
If you are authenticating to a network that uses a response only method:
1. When prompted by the Defender Security Server, enter your user ID in your
communications software.
The Defender Security Server displays a challenge value in your
communications software.
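The two exchanges this guide describes, synchronous (response only) and asynchronous (challenge/response), for the mobile token here and for the Defender Desktop Token earlier, as an added Python model that is not Defender's own code: the server side holds the token's security record, issues a single-use challenge in asynchronous mode, and verifies a time-based response in synchronous mode while refusing to accept the same response twice. The HMAC-SHA256 derivation, the 6-digit truncation, the 60-second time step and the user names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of the two Defender authentication modes this guide
# describes. HMAC-SHA256 truncated to 6 decimal digits and a 60-second time
# step are ASSUMPTIONS for this illustration, not Defender's real algorithm.
DIGITS = 6
TIME_STEP = 60

def compute_response(secret: bytes, data: bytes) -> str:
    """Derive a 6-digit token response from the token secret and input data."""
    digest = hmac.new(secret, data, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**DIGITS:0{DIGITS}d}"

def token_sync_response(secret: bytes, now: int) -> str:
    """Synchronous (response only) mode: the input is the current time step."""
    return compute_response(secret, (now // TIME_STEP).to_bytes(8, "big"))

def token_async_response(secret: bytes, challenge: str) -> str:
    """Asynchronous mode: the input is the challenge shown by the server."""
    return compute_response(secret, challenge.encode())

class SecurityServer:
    """Server side: holds each user's token security record and verifies."""
    def __init__(self, records: dict):
        self.records = records      # user ID -> token secret (constructed)
        self.pending = {}           # user ID -> outstanding challenge
        self.last_step = {}         # user ID -> last accepted time step

    def issue_challenge(self, user: str) -> str:
        """Fresh random 8-digit challenge; one outstanding challenge per user."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[user] = challenge
        return challenge

    def verify_async(self, user: str, response: str) -> bool:
        """Challenge/response check; the challenge is consumed on first use."""
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.records:
            return False
        expected = token_async_response(self.records[user], challenge)
        return hmac.compare_digest(expected, response)

    def verify_sync(self, user: str, response: str, now: int, window: int = 1) -> bool:
        """Response-only check: small clock-drift window, replayed steps refused."""
        secret = self.records.get(user)
        if secret is None:
            return False
        step = now // TIME_STEP
        for candidate in range(step - window, step + window + 1):
            if candidate <= self.last_step.get(user, -1):
                continue    # a step already accepted is never accepted again
            expected = token_sync_response(secret, candidate * TIME_STEP)
            if hmac.compare_digest(expected, response):
                self.last_step[user] = candidate
                return True
        return False
```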
Quest iToken
This section describes how to install, activate and use the iToken on the Apple iPhone.
The picture above shows an example of the Quest iToken displayed on the
iPhone. The token response 555476 is entered as the One Time Password (OTP)
into the authentication login dialog.
From the iPhone menu, select App Store to browse to the iTunes App
Store.
Select Search.
Select Free.
Select Install.
Follow the prompts provided by the App Store to download the iToken
software.
5. Select your iPhone from Devices, then select the Applications tab.
6. Select Apply.
To activate the iToken, you need to import the activation code provided to
you by the Defender Administrator onto the iPhone. To do this:
1. On the iPhone, select the iToken application to display the iToken screen,
as shown in the example below.
2. Select Activate. You are then prompted to enter the activation code
provided by the Defender Administrator.
Press OK to continue.
Please ensure that the activation code is entered correctly. If it is not entered
correctly, you will receive incorrect token responses that will not be valid for
authentication to the Defender Server.
Press the
The 6-digit value is your One Time Password (OTP). You will be prompted to
enter the OTP during the authentication process.
Authentication Procedure
The following example takes you step-by-step through the user authentication
procedure:
The user now enters the OTP response displayed on the iToken, e.g. 239174,
into the Defender Authentication field.
3
Defender SMS Token
Introduction
System Hardware and Software
Requirements
Authenticating with a Defender SMS Token
Introduction
Defender SMS is a low cost, easy to deploy solution that uses your cell phone
to provide secure, two-factor authentication.
Defender SMS is a token backup solution and a simple way to ensure secure
two-factor authentication when accessing the network from multiple remote
locations. Defender SMS works with all devices capable of receiving SMS, from
cell phones to PDAs.
Defender SMS:
When prompted, enter your Defender PIN (if required) and token response.
If the information you enter is correct, you are authenticated by Defender
and granted access to the systems/information that you are authorized to
access.