IBM Tivoli Access Manager for Enterprise Single Sign-On: Context ...
Tivoli® Access Manager for Enterprise Single Sign-On<br />
Version 8.1<br />
Context Management Integration Guide<br />
<br />
SC23-9954-02
Note<br />
Before using this information and the product it supports, read the information in “Notices” on page 29.<br />
Edition notice<br />
Note: This edition applies to version 8.1 of IBM Tivoli Access Manager for Enterprise Single Sign-On (product<br />
number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in new editions.<br />
© Copyright International Business Machines Corporation 2002, 2009. All rights reserved.<br />
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule<br />
Contract with IBM Corp.<br />
© Copyright IBM Corporation 2002, 2009.<br />
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract<br />
with IBM Corp.
Contents<br />
About this publication . . . . . . . . v<br />
Intended audience . . . . . . . . . . v<br />
What this publication contains . . . . . . v<br />
Publications . . . . . . . . . . . . vi<br />
Tivoli Access Manager for Enterprise Single Sign-On library . . . . . . . . . . vi<br />
Accessing terminology online . . . . . vii<br />
Accessing publications online . . . . . viii<br />
Ordering publications . . . . . . . viii<br />
Accessibility . . . . . . . . . . . . viii<br />
Tivoli technical training . . . . . . . . viii<br />
Tivoli user groups . . . . . . . . . . viii<br />
Support information . . . . . . . . . ix<br />
Conventions used in this publication . . . . ix<br />
Typeface conventions . . . . . . . . ix<br />
Operating system-dependent variables and paths . . . . . . . . . . . . . . x<br />
Margin icons . . . . . . . . . . . x<br />
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On . . . . . . . 1<br />
Tivoli Access Manager for Enterprise Single Sign-On features . . . . . . . . . . . 2<br />
Product components . . . . . . . . . 5<br />
Authentication factors . . . . . . . . . 6<br />
TAM E-SSO Password . . . . . . . . 6<br />
Secrets . . . . . . . . . . . . . 7<br />
Second authentication factors . . . . . . 7<br />
Presence detectors . . . . . . . . . 10<br />
Tivoli Access Manager for Enterprise Single Sign-On usage . . . . . . . . . . . 11<br />
Personal workstation configuration . . . 11<br />
Shared workstation configuration . . . . 11<br />
Tivoli Access Manager for Enterprise Single Sign-On program icons . . . . . . . . 14<br />
Policies, certificates, and other product concepts . . . . . . . . . . . . . 14<br />
Credentials . . . . . . . . . . . 15<br />
Enterprise identity . . . . . . . . . 15<br />
Enterprise applications . . . . . . . 15<br />
Personal applications . . . . . . . . 16<br />
User, system, and machine policies . . . 16<br />
Chapter 2. Tivoli Access Manager for Enterprise Single Sign-On Context Management overview . . . . . . . . 19<br />
Chapter 3. About Tivoli Access Manager for Enterprise Single Sign-On with Context Management . . . . . . . . . . . 21<br />
Context Management system overview . . . 21<br />
About the Context Management solution . . 22<br />
Chapter 4. Context Management installation . . . . . . . . . . . . 23<br />
Installing Context Management . . . . . 23<br />
Uninstalling Context Management . . . . 25<br />
Chapter 5. Testing Context Management 27<br />
Testing Context Management functionality . . 27<br />
Additional verifications for testing Context Management . . . . . . . . . . . . 28<br />
Notices . . . . . . . . . . . . . 29<br />
Trademarks . . . . . . . . . . . . 31<br />
Glossary . . . . . . . . . . . . . 33<br />
Index . . . . . . . . . . . . . . 39<br />
© Copyright IBM Corp. 2002, 2009 iii
iv IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide
About this publication<br />
The IBM® Tivoli® Access Manager for Enterprise Single Sign-On provides<br />
sign-on and sign-off automation, authentication management, and user<br />
tracking to provide a seamless path to strong digital identity. The IBM Tivoli<br />
Access Manager for Enterprise Single Sign-On Context Management Integration<br />
Guide provides information for installing, configuring, and testing the Context<br />
Management integrated solution in each client workstation.<br />
Intended audience<br />
This publication is for technical users who understand how Tivoli Access<br />
Manager for Enterprise Single Sign-On can be enhanced and customized for a<br />
specific customer's use.<br />
This publication is for administrators and system programmers who need to<br />
perform the following tasks:<br />
v Installing Tivoli Access Manager for Enterprise Single Sign-On with<br />
Context Management<br />
v Running command-line tools (CLTs) to register components for the solution<br />
v Mapping application accounts set up in AccessAgent to the Fusionfx<br />
Context Manager (FCM) tool<br />
v Providing sign-on automation to other applications used by the health care<br />
organization<br />
Readers need to be familiar with the following topics:<br />
v Installing and setting up AccessAgent<br />
v Clinical Context Object Workgroup (CCOW) standard<br />
v Using the Fusionfx Context Manager (FCM) tool<br />
What this publication contains<br />
This publication contains the following sections:<br />
v Chapter 1, "About Tivoli Access Manager for Enterprise Single Sign-On"<br />
Provides an overview of the Tivoli Access Manager for Enterprise Single<br />
Sign-On system and its main product components.<br />
v Chapter 2, "Tivoli Access Manager for Enterprise Single Sign-On Context<br />
Management overview"<br />
Lists the tasks to be completed on individual workstations for the Context<br />
Management integration.<br />
v Chapter 3, "About Tivoli Access Manager for Enterprise Single Sign-On<br />
with Context Management"<br />
Provides an overview of how Tivoli Access Manager for Enterprise Single<br />
Sign-On integrates with the Context Management system.<br />
v Chapter 4, "Context Management installation"<br />
Contains instructions for a successful installation and uninstallation of the<br />
Tivoli Access Manager for Enterprise Single Sign-On with the Context<br />
Management integrated solution.<br />
v Chapter 5, "Testing Context Management"<br />
Provides ways to verify that the integrated solution is working properly after a<br />
deployment.<br />
Publications<br />
This section lists publications in the Tivoli Access Manager for Enterprise<br />
Single Sign-On library. The section also describes how to access Tivoli<br />
publications online and how to order Tivoli publications.<br />
Tivoli Access Manager for Enterprise Single Sign-On library<br />
The following documents are available in the Tivoli Access Manager for<br />
Enterprise Single Sign-On library:<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Quick Start Guide,<br />
CF2B1ML<br />
Provides steps that summarize major installation and configuration tasks<br />
for Tivoli Access Manager for Enterprise Single Sign-On.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On User Guide,<br />
SC23-9950<br />
Provides information about setting up and understanding the main<br />
functionalities of the product.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Administrator Guide,<br />
SC23-9951<br />
Provides the procedures for setting up, administering, and testing the<br />
product and its components. It covers the functionality and setup options of<br />
the product, including internal implementation details.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Deployment Guide,<br />
SC23-9952<br />
Describes how to deploy and test IBM Tivoli Access Manager for Enterprise<br />
Single Sign-On, including other components or external tools.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Help Desk Guide,<br />
SC23-9953<br />
Provides information about providing Help desk services to users.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Context Management<br />
Integration Guide, SC23-9954<br />
Provides information for installing, configuring, and testing the Context<br />
Management integrated solution in each client workstation.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On AccessStudio Guide,<br />
SC23-9956<br />
Provides information about setting up and maintaining AccessProfiles using<br />
AccessStudio.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Provisioning<br />
Integration Guide, SC23-9957<br />
Provides information for configuring, managing, and troubleshooting the<br />
provisioning integration solutions for the product.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Installation Guide,<br />
GI11-9309<br />
Provides information about installing the different product components.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Setup Guide,<br />
GC23-9692<br />
Provides information about configuring the different components of the<br />
product.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and<br />
Support Guide, GC23-9693<br />
Provides information about troubleshooting the different components of the<br />
product.<br />
v IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition<br />
Guide, SC23-9694<br />
Provides information about the policies that can be set for the product. The<br />
policies can be set using either AccessAdmin or by updating registry<br />
entries.<br />
Accessing terminology online<br />
The Tivoli Software Glossary includes definitions for many of the technical<br />
terms related to Tivoli software. The Tivoli Software Glossary is available at the<br />
following Tivoli software library Web site:<br />
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm<br />
The IBM Terminology Web site consolidates the terminology from IBM<br />
product libraries in one convenient location. You can access the Terminology<br />
Web site at the following Web address:<br />
http://www.ibm.com/software/globalization/terminology<br />
Accessing publications online<br />
IBM posts publications for this and all other Tivoli products, as they become<br />
available and whenever they are updated, to the Tivoli Information Center<br />
Web site at http://www.ibm.com/tivoli/documentation.<br />
Note: If you print PDF documents on other than letter-sized paper, set the<br />
option in the File → Print window that allows Adobe® Reader to print<br />
letter-sized pages on your local paper.<br />
Ordering publications<br />
You can order many Tivoli publications online at http://<br />
www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.<br />
You can also order by telephone by calling one of these numbers:<br />
v In the United States: 800-879-2755<br />
v In Canada: 800-426-4968<br />
In other countries, contact your software account representative to order Tivoli<br />
publications. To locate the telephone number of your local representative,<br />
perform the following steps:<br />
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.<br />
2. Select your country from the list and click Go.<br />
3. Click About this site in the main panel to see an information page that<br />
includes the telephone number of your local representative.<br />
Accessibility<br />
Accessibility features help users with a physical disability, such as restricted<br />
mobility or limited vision, to use software products successfully.<br />
For additional information, see the Accessibility Appendix in the IBM Tivoli<br />
Access Manager for Enterprise Single Sign-On User Guide.<br />
Tivoli technical training<br />
For Tivoli technical training information, see the following IBM Tivoli<br />
Education Web site at http://www.ibm.com/software/tivoli/education.<br />
Tivoli user groups<br />
Tivoli user groups are independent, user-run membership organizations that<br />
provide Tivoli users with information to assist them in the implementation of<br />
Tivoli Software solutions. Through these groups, members can share<br />
information and learn from the knowledge and experience of other Tivoli<br />
users. Tivoli user groups include the following members and groups:<br />
v 23,000+ members<br />
v 144+ groups<br />
Access the link for the Tivoli Users Group at www.tivoli-ug.org.<br />
Support information<br />
If you have a problem with your IBM software, you want to resolve it quickly.<br />
IBM provides the following ways for you to obtain the support you need:<br />
Online<br />
Go to the IBM Software Support site at http://www.ibm.com/<br />
software/support/probsub.html and follow the instructions.<br />
IBM Support Assistant<br />
The IBM Support Assistant is a free local software serviceability<br />
workbench that helps you resolve questions and problems with IBM<br />
software products. The IBM Support Assistant provides quick access<br />
to support-related information and serviceability tools for problem<br />
determination. To install the IBM Support Assistant software, go to<br />
http://www.ibm.com/software/support/isa.<br />
Troubleshooting Guide<br />
For more information about resolving problems, see the IBM Tivoli<br />
Access Manager for Enterprise Single Sign-On Troubleshooting and Support<br />
Guide.<br />
Conventions used in this publication<br />
This publication uses several conventions for special terms and actions,<br />
operating system-dependent commands and paths, and margin graphics.<br />
Typeface conventions<br />
This publication uses the following typeface conventions:<br />
Bold<br />
v Lowercase commands and mixed case commands that are otherwise<br />
difficult to distinguish from surrounding text<br />
v Interface controls (check boxes, push buttons, radio buttons, spin<br />
buttons, fields, folders, icons, list boxes, items inside list boxes,<br />
multicolumn lists, containers, menu choices, menu names, tabs,<br />
property sheets), labels (such as Tip:, and Operating system<br />
considerations:)<br />
v Keywords and parameters in text<br />
Italic<br />
v Citations (examples: titles of publications, diskettes, and CDs)<br />
v Words defined in text (example: a nonswitched line is called a<br />
point-to-point line)<br />
v Emphasis of words and letters (words as words example: "Use the<br />
word that to introduce a restrictive clause."; letters as letters<br />
example: "The LUN address must start with the letter L.")<br />
v New terms in text (except in a definition list): a view is a frame in a<br />
workspace that contains data.<br />
v Variables and values you must provide: ... where myname<br />
represents....<br />
Monospace<br />
v Examples and code examples<br />
v File names, programming keywords, and other elements that are<br />
difficult to distinguish from surrounding text<br />
v Message text and prompts addressed to the user<br />
v Text that the user must type<br />
v Values for arguments or command options<br />
Operating system-dependent variables and paths<br />
This publication uses the UNIX® convention for specifying environment<br />
variables and for directory notation.<br />
When using the Windows® command line, replace $variable with %variable%<br />
for environment variables and replace each forward slash (/) with a backslash<br />
(\) in directory paths. The names of environment variables are not always the<br />
same in the Windows and UNIX environments. For example, %TEMP% in<br />
Windows environments is equivalent to $TMPDIR in UNIX environments.<br />
Note: If you are using the bash shell on a Windows system, you can use the<br />
UNIX conventions.<br />
Margin icons<br />
Many procedures in this publication include icons in the left margin. These<br />
icons provide context for performing a step in a procedure. For example, if<br />
you have to perform a step in a procedure by double-clicking a policy region<br />
icon, that icon is displayed in the left margin next to the step.<br />
Chapter 1. About Tivoli Access Manager for Enterprise<br />
Single Sign-On<br />
IBM Tivoli Access Manager for Enterprise Single Sign-On automates access to<br />
corporate information, strengthens security, and enforces compliance at the<br />
enterprise endpoints.<br />
With Tivoli Access Manager for Enterprise Single Sign-On, you can:<br />
v Efficiently manage business risks.<br />
v Achieve regulatory compliance.<br />
v Decrease IT costs.<br />
v Increase user efficiency.<br />
Security compromises occur due to weak passwords. To counter such threats,<br />
enterprises must strengthen access control systems. Passwords are not only<br />
the weakest link in the security chain, they are also expensive to support.<br />
Passwords create a security challenge and a management problem. To reduce<br />
password management costs, enterprises might consider conventional single<br />
sign-on solutions.<br />
Conventional single sign-on reduces password management costs. It can also<br />
increase the vulnerability of an organization by replacing multiple application<br />
passwords with a single password to the single sign-on server.<br />
Weak application passwords and conventional single sign-on are not the right<br />
solutions for the enterprise. These solutions simplify access, but weaken<br />
security. Enterprises need an enterprise access security solution that simplifies,<br />
strengthens, and tracks access for all digital and physical assets.<br />
See the following topics for more information:<br />
v “Tivoli Access Manager for Enterprise Single Sign-On features” on page 2<br />
v “Product components” on page 5<br />
v “Authentication factors” on page 6<br />
v “Tivoli Access Manager for Enterprise Single Sign-On usage” on page 11<br />
v “Tivoli Access Manager for Enterprise Single Sign-On program icons” on<br />
page 14<br />
v “Policies, certificates, and other product concepts” on page 14<br />
Tivoli Access Manager for Enterprise Single Sign-On features<br />
Tivoli Access Manager for Enterprise Single Sign-On delivers the following<br />
capabilities, without changing the existing IT infrastructure.<br />
Enterprise Single Sign-On with workflow automation<br />
You have quick access to all corporate applications such as Web, desktop,<br />
generic computer terminals, legacy applications, and network resources with<br />
the use of a single, strong password on personal and shared workstations.<br />
This feature:<br />
v helps enterprises increase employee productivity.<br />
v lowers IT Help desk costs.<br />
v improves security levels by eliminating passwords and the effort of<br />
managing complex password policies.<br />
Tivoli Access Manager for Enterprise Single Sign-On uses single sign-on and<br />
workflow automation on shared and personal workstations. You can automate<br />
the entire access workflow, such as application login, drive mapping,<br />
application launch, single sign-on, navigation to preferred screens, multistep<br />
logon, and so on.<br />
Single Sign-Off and configurable desktop protection policies ensure protection<br />
of confidential corporate applications from unauthorized access. If you walk<br />
away from a workstation without logging out, Tivoli Access Manager for<br />
Enterprise Single Sign-On can be configured to enforce inactivity timeout<br />
policies. Examples of timeout policies are configurable screen locks,<br />
application logout policies, and graceful logoffs.<br />
Strong authentication for all user groups<br />
Tivoli Access Manager for Enterprise Single Sign-On provides strong<br />
authentication for all user groups (inside and outside the corporate perimeter).<br />
This feature prevents unauthorized access to confidential corporate<br />
information and IT networks.<br />
The solution uses multi-factor authentication devices, such as smart cards,<br />
building access badges, proximity cards, mobile devices, photo badges,<br />
biometrics, and one-time password (OTP) tokens.<br />
In addition to comprehensive support for authentication devices, Tivoli Access<br />
Manager for Enterprise Single Sign-On focuses on using existing identification<br />
devices and technologies for authentication.<br />
Tivoli Access Manager for Enterprise Single Sign-On also provides iTag, a patent-pending technology that can convert any photo badge or personal object into a proximity device, which can be used for strong authentication.

Comprehensive session management capability

As organizations deploy more shared workstations and kiosks, more users can roam and access information from anywhere without accessing their personal computers. Shared and roaming scenarios pose severe security threats.

When you walk away without logging off from workstations or share a generic logon, you risk exposing confidential information to unauthorized access. Any attempt to tighten security, enforce unique user logon, and comply with regulations leads to users being locked out of workstations, which results in efficiency losses.

Organizations can increase user convenience and improve information security through session management or fast user switching capabilities, depending on the access needs of user groups. You can quickly sign on and sign off to shared workstations without using the Windows domain login process. You can easily resume your work from where you left off.

You can maintain multiple unique user desktops on the same workstation by switching from one private desktop to another. This feature preserves your applications, documents, and network drive mappings, including those belonging to other users sharing the workstation.

If you walk away from a session without logging out, you can set Tivoli Access Manager for Enterprise Single Sign-On to enforce inactivity timeout policies. It also supports hybrid desktops, where organizations combine different session management capabilities to meet the needs of your user community.

User-centric access tracking for audit and compliance reporting

The audit and compliance reporting feature assists organizations with data consolidation, user-centric audit log generation, security, and tamper-evident audit capabilities across all endpoints (for example, personal or shared workstations, Citrix, Windows Terminal Services, or Web browsers).

Combined with strong authentication capabilities, the user-centric audit logs ensure secure access to confidential corporate information and accountability at all times. The logs provide the meta-information that can guide compliance and IT Administrators to a more detailed analysis: by user, by application, or by endpoint.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 3
The information is collated in a central relational database. These logs facilitate real-time monitoring and separate reporting with third-party reporting tools.

Your organization can also use the endpoint automation framework to audit custom access events for any application without modifying the application or using the native audit functionality.

Secure remote access for easy, secure access anywhere, anytime

Secure Remote Access provides Web browser-based single sign-on to all applications, such as legacy, desktop, and Web applications, from outside the firewall.

Your organization can effectively and quickly enable secure remote access for the mobile workforce without installing any desktop software or modifying application servers.

Remote workers require only one password and an optional second authentication factor to access corporate information from remote offices, home computers, and mobile devices. When granted access, you can single sign-on to corporate applications by clicking the application links available in the Tivoli Access Manager for Enterprise Single Sign-On portal. Access can be further protected through a Secure Sockets Layer (SSL) Virtual Private Network (VPN).

Integration with user provisioning technologies

Tivoli Access Manager for Enterprise Single Sign-On combines with user provisioning technologies to provide end-to-end identity lifecycle management.

New employees, partners, or contractors get fast and easy access to corporate information after being provisioned. When provisioned, you can use single sign-on to access all your applications on shared and personal workstations with one password.

You do not have to register each user name and password, as all your credentials are automatically provisioned.

Use of Federal Information Processing Standards

A new installation of Tivoli Access Manager for Enterprise Single Sign-On version 8.1 uses FIPS 140-2 compliant cryptographic algorithms through FIPS-compliant security providers such as GSKit and IBMJCEFIPS. Client workstations running Microsoft® Windows XP must have at least Service Pack 3 applied for FIPS 140-2 compliance.

Important: Non-FIPS compliant algorithms are used in version 8.1 only when it has been upgraded from version 8.0 or 8.0.1.
Product components

This topic describes the main components of Tivoli Access Manager for Enterprise Single Sign-On.

Table 1 describes each component. A typical installation uses some of these components.

Table 1. Product components

AccessAgent: The client software that manages user identity, enables sign-on and sign-off automation, manages sessions, and manages authentication.

AccessAdmin: The management console that Administrators and Help desk officers use to administer the IMS Server, to manage users, and to manage policies.

AccessAssistant: The Web-based interface that provides password self-help. Use AccessAssistant to obtain the latest credentials and to log on to applications. Use the Web automatic sign-on feature to log on to enterprise Web applications by clicking links instead of entering passwords.

AccessStudio: The interface used for creating AccessProfiles that enable sign-on or sign-off automation and fortified passwords.

IMS Bridge: The IMS Service Modules that enable applications to use the IMS Server as an authentication server.

IMS Connector: Add-on modules to the IMS Server that extend its capabilities with interfaces to other applications.

IMS Server: The integrated management system that provides a central point of secure access administration for an enterprise. It enables centralized management of user identities, AccessProfiles, and authentication policies. It also provides loss management, certificate management, and audit management for the enterprise.

IMS Service Module: Add-on modules that extend the basic services provided by the IMS Server, such as user management, policy management, and certificate issuance.

Web Workplace: The Web-based interface for logging on to enterprise Web applications by clicking links without entering the passwords for individual applications. It can be integrated with your existing portal or SSL VPN.

Note: Antivirus software can interfere with AccessAgent or the IMS Server. For more information, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Authentication factors
Authentication factors come in different forms and functions. Except for password and fingerprint, you can access systems and applications with a device that works like a key.

Smart cards and RFID cards, for example, are about the same size as credit cards, and can be easily attached to key rings.

See the following topics for more information.
• “TAM E-SSO Password”
• “Secrets” on page 7
• “Second authentication factors” on page 7
• “Presence detectors” on page 10

TAM E-SSO Password

The TAM E-SSO Password secures access to your Wallet. The length of the password ranges from six to 20 characters, depending on the preference of your organization. When you sign up with AccessAgent, you must specify a password. You can use the enterprise directory password as your password.

Signing up with AccessAgent entails registering with the IMS Server and creating a Wallet. All application credentials are stored in your Wallet. Signing up ensures that your credentials are backed up on the server and are retrievable when needed.

You can associate your Wallet with a second authentication factor (such as a smart card, Active Proximity Badge, RFID card, or other device). The second authentication factor reinforces your password and protects the contents of your Wallet.

Use the following guidelines for specifying a TAM E-SSO Password:
• Choose a password that is lengthy, unique, and a combination of uppercase and lowercase letters and numbers.
• Do not use any of these as passwords: dictionary words, the name of your pet, the name of your spouse or friend, or important dates (for example, a birth date or an anniversary date).
• Never tell anyone your password, not even the Help desk officer or Administrator.
• Never write down your password.
• Change your password as often as possible.

AccessAgent locks your Wallet after you attempt to log on five times with an incorrect password. The number of allowed attempts is set by your organization.
Secrets

You might be asked to enter a secret after signing up for your Wallet, depending on the preference of your organization. It is like specifying hints in case you forget the password for a Web e-mail account.

The secret is something that:
• you would not forget, even if you do not use the secret for a long time.
• is not likely to change.

Note: You can use all the characters in the ISO Latin-1 character set when creating secrets, except for the following characters:
• µ
• ß

When you sign up, you must select one or more questions from a list and provide answers. If the self-service feature is enabled, you might need to specify more than one secret.

In case you forget your password, you can use the secret to set a new password. You can also use the secret and an authorization code to gain temporary access to your cached Wallet. The Help desk officer gives you the authorization code.
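As an added illustration of the password guidelines, the lockout rule, and the secret character restrictions above (example code written for this page, not AccessAgent or IMS Server code), the following Python checks a proposed TAM E-SSO password against the guidelines, locks a Wallet after the configured number of failed attempts, and rejects secrets that fall outside ISO Latin-1 or contain µ or ß. The six-to-20 length range and the five-attempt threshold come from the text; the denylist, the date pattern, the password hashing scheme, and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re

MIN_LEN, MAX_LEN = 6, 20        # range stated in the guide; the exact value is an organization preference
LOCKOUT_ATTEMPTS = 5            # "five times" in the guide; also set per organization

# Constructed stand-in for a dictionary-word / personal-name denylist.
DENYLIST = {"password", "welcome", "fluffy", "summer"}
# Constructed heuristic for "important dates": a 4-digit year or a dd/mm-style pair.
DATE_RE = re.compile(r"(?:19|20)\d{2}|\d{2}[/.-]\d{2}")
# Characters the guide excludes from secrets: micro sign (µ) and sharp s (ß).
BLOCKED_SECRET_CHARS = {"\u00b5", "\u00df"}


def check_password(pw: str) -> list[str]:
    """Return the guideline violations for a proposed TAM E-SSO password; [] means acceptable."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        problems.append("mix uppercase letters, lowercase letters, and numbers")
    if any(word in pw.lower() for word in DENYLIST):
        problems.append("contains a dictionary word or personal name")
    if DATE_RE.search(pw):
        problems.append("contains a date-like sequence")
    return problems


def check_secret(secret: str) -> list[str]:
    """Return violations of the secret character rules; [] means acceptable."""
    problems = []
    if not secret.strip():
        problems.append("secret must not be empty")
    outside = sorted({c for c in secret if ord(c) > 0xFF})     # beyond ISO Latin-1
    if outside:
        problems.append("characters outside ISO Latin-1: " + " ".join(outside))
    blocked = sorted({c for c in secret if c in BLOCKED_SECRET_CHARS})
    if blocked:
        problems.append("characters not allowed in secrets: " + " ".join(blocked))
    return problems


class WalletLock:
    """Models AccessAgent locking the Wallet after too many wrong passwords.

    The password is kept only as a salted PBKDF2 hash (constructed scheme, not the
    product's) and compared in constant time.
    """

    def __init__(self, password: str, max_attempts: int = LOCKOUT_ATTEMPTS):
        self._salt = os.urandom(16)
        self._digest = self._derive(password)
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def try_logon(self, attempt: str) -> str:
        """Return 'ok', 'denied', or 'locked'. A locked Wallet refuses even the right password."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._derive(attempt), self._digest):
            self.failed = 0                 # a success resets the consecutive-failure count
            return "ok"
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.locked = True              # stays locked until reset out of band (not modelled)
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(check_password("fluffy2019"))
    print(check_secret("straße"))
    wallet = WalletLock("Tr0ub4dor!Xq")
    print([wallet.try_logon("guess%d" % i) for i in range(5)], wallet.try_logon("Tr0ub4dor!Xq"))
```

The Latin-1 test is a plain code-point bound (U+00FF), which is why a Greek letter is rejected while an accented Latin letter is accepted; the two blocked characters are checked separately because they are inside that range.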
Second authentication factors

The TAM E-SSO Password can be fortified by a second authentication factor. The combination of the password and an RFID card, for example, strengthens security because both authentication factors must be present to access your computer.
Based on the security policy of your organization, you might be required to use one of the following authentication factors.

Important: The USB Key as an authentication factor is no longer supported.

ActiveCode

ActiveCodes are short-term authentication codes controlled by the system. ActiveCodes enhance the security of traditional password-based authentication for applications. ActiveCodes are random passwords that can be used only once by an authorized user. Combined with alternative channels and devices, ActiveCodes provide effective second-factor authentication.

There are two types of ActiveCodes:
• Mobile ActiveCode: A Mobile ActiveCode is a randomly generated, event-based one-time password (OTP). The Mobile ActiveCode is generated on the IMS Server and delivered through a secure second channel, such as short message service (SMS) on mobile phones. It is used for strong authentication.
• Unified ActiveCode: The Unified ActiveCode is a predictive one-time password used for strong authentication. The Unified ActiveCode generator is built into AccessAgent.
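The Mobile ActiveCode description above combines three properties worth recognizing: the code is event-based (driven by a counter, not a clock), it is generated on the server and pushed over a second channel, and it must be accepted at most once. The following Python illustrates those properties with the standard HOTP construction from RFC 4226. It is an added example for this page, not IBM's ActiveCode implementation, and the guide does not say which algorithm ActiveCode uses; the shared secret (the RFC 4226 test value), the look-ahead window, and the outbox list standing in for the SMS channel are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpServer:
    """Server side of an event-based OTP: issues codes, delivers them out of band,
    and consumes each counter value at most once so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self._look_ahead = look_ahead   # how many undelivered or skipped codes to tolerate
        self._issued = -1               # counter of the most recently generated code
        self._last_used = -1            # highest counter already accepted
        self.outbox: list[str] = []     # constructed stand-in for the SMS channel

    def issue(self) -> str:
        """Generate the code for the next event and hand it to the delivery channel."""
        self._issued += 1
        code = hotp(self._secret, self._issued)
        self.outbox.append(code)
        return code

    def verify(self, code: str) -> bool:
        """Accept a code only if it matches an unused counter inside the look-ahead window."""
        start = self._last_used + 1
        for counter in range(start, start + self._look_ahead):
            expected = hotp(self._secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_used = counter   # this and every lower counter are now dead
                return True
        return False


if __name__ == "__main__":
    server = OtpServer(b"12345678901234567890")   # the RFC 4226 test secret
    first, second = server.issue(), server.issue()
    print(first, second, server.verify(second), server.verify(second), server.verify(first))
```

The look-ahead window is what lets a user succeed after an SMS went missing, while moving `_last_used` forward on every success is what makes each code single-use: once a counter has been accepted, that code and any older one are refused even if they were never entered.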
Smart card

A smart card is a pocket-sized card that has an embedded microprocessor. Smart cards can perform cryptographic operations, and are used to store and process the digital credentials of users securely.

A smart card can be used as an authentication factor. The product provides certificate-based strong authentication when you access your Credential Wallet using a smart card.

Important: The smart card PIN is not related to the TAM E-SSO password. The product does not manage the smart card PIN.

Radio Frequency Identification (RFID) card

The RFID card is an electronic device that uses radio frequency signals to read stored identification information. RFID works on the concept of proximity. Tap the RFID card on the RFID reader to gain access to your credentials.
The RFID reader is additional hardware that you must install on every machine that uses the RFID card for authentication. The RFID card does not have any storage capacity.

An RFID card can also be used for unified access, so you can access a computer and also have access to doors or elevators.

Note: Tivoli Access Manager for Enterprise Single Sign-On has a Service Provider Interface (SPI) for devices that contain serial numbers, like RFID. The SPI makes it easier for vendors to integrate any device with serial numbers and use it as a second factor in AccessAgent. For more information, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Serial ID SPI Guide at the Tivoli Access Manager for Enterprise Single Sign-On information center.

Active Proximity Badge

The Active Proximity Badge works almost the same way as a typical RFID card. The Active Proximity Badge has an RFID, and works with a proximity reader. However, the Active Proximity Badge differs from an RFID card in the proximity range.

With a typical RFID card, your card must be close to the reader. With an Active Proximity Badge, your organization can set the distance for detection. For example, your Active Proximity Badge can be 2 m away from the reader, and it is detected from that distance.

Fingerprint identification

The Fingerprint Identification system recognizes your fingerprint as an authentication factor. The fingerprint reader translates your fingerprint into encrypted codes, which log you on to AccessAgent.

Tivoli Access Manager for Enterprise Single Sign-On 8.1 supports the following biometric service provider and fingerprint readers:
• BIO-key Biometric Service Provider (BSP) 1.9_262
• DigitalPersona 3.2.0
• UPEK 2.0 and UPEK 3.0

The BIO-key Biometric Service Provider (BSP) is biometric middleware. It is used so that the product can work with any fingerprint reader that is already supported by BIO-key. See BIO-key's list of supported devices.

Note: The integration with BIO-key BSP does not support DigitalPersona in this release.
Presence detectors

A presence detector is a device that detects your presence in its vicinity. When affixed to a computer, the device can notify AccessAgent when you are in front of the computer or when you move away. This feature eliminates the effort of manually locking the computer when you leave it for a short time.

Sonar device

The sonar-based presence detector is used to lock a workstation immediately when you walk away, without waiting for the desktop inactivity timeout. The device uses 40 kHz ultrasonic sound waves (a frequency too high for people to hear). It can detect at a range of five inches to five feet. You can move within the zone without triggering a walk-away event.

The device is attached to the USB port of your computer and is configured by the system as a keyboard. When you move away from the computer, the device sends keystrokes to your computer. When you approach the computer, the device can send a different set of keystrokes to your computer.

You can set AccessAgent to intercept these keystrokes and perform appropriate actions (for example, to lock the computer). The sonar can be combined with building badges (for example, RFID cards) to create a foolproof solution.

The sonar device is not used with the Active Proximity Badge, since the Active Proximity Badge is also a presence detector.

Any other supported authentication factor can be used with the pcProx-Sonar, such as:
• Password only
• RFID
• Fingerprint
• Smart card

The behavior of a sonar-based presence detector can be configured to be like an Active Proximity Badge. However, sonar-based presence detectors cannot store a unique ID to identify a user.

Active Proximity Badge as both second factor and presence detector

The Active Proximity Badge is both a second factor and a presence detector. It can detect your presence, and you can set AccessAgent to perform specific actions.
Note: The presence detector policies (for example, pid_presence_detector_enabled) are not applicable to the Active Proximity Badge.

Tivoli Access Manager for Enterprise Single Sign-On usage

Tivoli Access Manager for Enterprise Single Sign-On supports two main usage configurations: personal workstation and shared workstation.

For policy settings based on usage configuration, see the IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.

Personal workstation configuration

The personal workstation configuration is more applicable to organizations where users are assigned their own workstations. The smart card is the common authentication factor for this type of usage configuration. The setup procedure and workflow are the same, regardless of the selected authentication factor.

You sign up from EnGINA, the desktop, or a locked computer at startup, and use the appropriate authentication factor.

You can also sign up without an authentication factor and register it later. For example, you can sign up without the smart card and log on to AccessAgent later with the TAM E-SSO Password, provided it is set in your authentication policy.

To lock the computer, remove or tap your authentication factor. To unlock the computer, reinsert or tap your authentication factor.

Shared workstation configuration

The shared workstation configuration is for organizations where users share common workstations. This usage configuration requires efficient switching between users.

Authentication factors (except the smart card for private and roaming desktops) are used for this type of usage configuration.

Tivoli Access Manager for Enterprise Single Sign-On supports fast user switching through the following desktop schemes or modes.
• “Shared desktops” on page 12
• “Private desktops” on page 12
• “Roaming desktops” on page 13

Note: These schemes do not use the Windows XP Fast User Switching feature.
Shared desktops

Shared desktops allow multiple users to share a generic Windows desktop. Switching of users can be done quickly and efficiently.

Without shared desktops, switching from User A to User B causes the applications of User A to be lost. User A must launch the applications again. Set up AccessProfiles to automatically log off enterprise applications when user switching occurs.

RFID, fingerprint readers, and smart cards are the authentication factors for this usage configuration.

With shared desktops, you can access a workstation by signing up (for example, from EnGINA, the desktop, or a locked computer) and tapping your RFID card. You can also sign up without your RFID card and register it later when the cards are available. After completing the sign-up process, you can then log on to AccessAgent.

When another user taps an RFID card on your desktop, switching is invoked, either from the desktop or from the locked computer screen.

After the new user supplies a valid password, AccessAgent unlocks your computer (if locked), logs you off, and then logs the new user on to the Wallet. If the new user logged on to other computers with the same RFID and password within a set time range during the day, the new user might not be required to enter a password.
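The switching sequence just described (valid password, unlock if locked, log off the current user, log on the new user to the Wallet, and the optional password skip when the same RFID and password were used elsewhere within a set time range that day) is modelled below as an added Python example for this page; it is not AccessAgent's code. The card directory, the four-hour grace window, the plain SHA-256 password comparison, and keeping the recent-authentication record in a local dictionary (in the product that state would have to be shared through the IMS Server for it to cover other computers) are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(hours=4)   # constructed "set time range during the day"


class SharedDesktop:
    """One shared workstation: tracks who holds the Wallet and applies the switch policy."""

    def __init__(self, cards: dict):
        # card serial -> (user name, password): constructed directory standing in for the server.
        self._cards = {
            card: (user, hashlib.sha256(pw.encode()).digest()) for card, (user, pw) in cards.items()
        }
        self.current: Optional[str] = None             # user logged on to the Wallet, if any
        self.locked = False
        self._recent_auth: dict = {}                   # card -> last successful password entry

    def lock(self) -> None:
        """Walk-away: the inactivity timeout or a presence detector locks the desktop."""
        self.locked = True

    def _within_grace(self, card: str, now: datetime) -> bool:
        """Same day and inside GRACE since the last password entry with this card."""
        last = self._recent_auth.get(card)
        return last is not None and last.date() == now.date() and now - last <= GRACE

    def tap(self, card: str, now: datetime, password: Optional[str] = None) -> list:
        """Handle an RFID tap and return the actions AccessAgent would take, in order."""
        if card not in self._cards:
            return ["ignore unknown card"]
        user, digest = self._cards[card]
        if not self._within_grace(card, now):
            if password is None:
                return ["prompt for password"]
            if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), digest):
                return ["deny"]
            self._recent_auth[card] = now              # starts the grace window for this card
        actions = []
        if self.locked:
            actions.append("unlock")
            self.locked = False
        if self.current is not None and self.current != user:
            actions.append(f"log off {self.current}")   # AccessProfiles log off the apps as well
        if self.current != user:
            actions.append(f"log on {user}")
            self.current = user
        return actions


if __name__ == "__main__":
    desk = SharedDesktop({"CARD-A": ("alice", "Alice!23"), "CARD-B": ("bob", "Bob!4567")})
    t0 = datetime(2009, 6, 1, 9, 0)
    print(desk.tap("CARD-A", t0, "Alice!23"))
    desk.lock()
    print(desk.tap("CARD-B", t0 + timedelta(hours=1), "Bob!4567"))
    print(desk.tap("CARD-A", t0 + timedelta(hours=2)))      # inside the grace window: no password
    print(desk.tap("CARD-A", t0 + timedelta(hours=6)))      # grace expired: prompt again
```

Within the grace window a tap alone switches the desktop, so the window length and the same-day bound are the settings that limit how long a card by itself is sufficient; outside the window the card is only the first half of the check.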
Private desktops

Private desktops allow you to have your own Windows desktop on a workstation. When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop session of the previous user and resumes the last task.

Your existing desktop might have to be logged off if the workstation runs out of resources, such as memory, so that another user can log on. If you log on to another workstation, restart the application.

To manage multiple desktops on a single workstation, the private desktop scheme uses the Local User Session Management feature of AccessAgent, which uses a component called Desktop Manager.

Logging on from the EnGINA welcome screen is not supported by Local User Session Management. Workstations are configured to automatically log on to a generic Windows account upon startup, and then the computer is locked.
Note: This generic Windows account must not be a registered user. Use a local computer account.

All users log on to the workstation from the locked screen. All users must tap their RFID cards when they sign up. They can also sign up without the RFID cards and register these second factors later. After completing the sign-up process, you can then log on to AccessAgent.

Note: You are not logged on to AccessAgent if you are using an auto-admin account.

When another user taps the RFID card to switch to another desktop, that user logs on (if there is no existing invisible session) or unlocks the workstation (if there is an existing invisible session).

The following Wallet authentication options are supported:
• Password
• RFID+Password
• Smart card
• Active Proximity Badge+Password
• Fingerprint

If you log on to Windows sessions using your own Active Directory credentials, Local User Session Management requires that synchronization between the password and the Active Directory password is enabled.

For deployments where smart card logon to Windows is enabled and smart card logon is enforced, disable Active Directory password synchronization.

Roaming desktops

Roaming desktops have your Windows desktops "roam" to any access point, from workstation to workstation. You can disconnect from a desktop or application session at one client, log on to another client, and continue the desktop or application session at the new client. Roaming desktops give you the ability to access and preserve your desktops, regardless of which computers you use.

This scheme requires Terminal Server or Citrix. This setup is especially useful for a shared workstation environment, where you can roam from one workstation to another, depending on your current location.
Tivoli Access Manager for Enterprise Single Sign-On program icons

The following icons are used in Tivoli Access Manager for Enterprise Single Sign-On. (The icon images are not reproduced in this extract; only their descriptions follow.)

Application icons:
• AccessAgent icon: represents AccessAgent on the desktop.
• IMS Server icon: represents the IMS Server on the desktop.

Notification area icons:
• No one is logged on to AccessAgent.
• AccessAgent is operating normally.
• Flashing icon: AccessAgent is synchronizing an authentication factor with the IMS Server, or logging on the user.
• Single sign-on or automatic sign-on is currently disabled.

Policies, certificates, and other product concepts

Use this topic to learn more about some of the common terms used by the product.

Tivoli Access Manager for Enterprise Single Sign-On incrementally moves enterprise access from password authentication to strong digital identity-based authentication in the following manner:
• Provide sign-on and sign-off automation to enterprise applications
• Fortify sign-on by using authentication management
• Provide a seamless transition from passwords to certificates

See the following sections for definitions of some terms used in Tivoli Access Manager for Enterprise Single Sign-On.
• “Credentials” on page 15
14 <strong>IBM</strong> <strong>Tivoli</strong> <strong>Access</strong> <strong>Manager</strong> <strong>for</strong> <strong>Enterprise</strong> <strong>Single</strong> <strong>Sign</strong>-<strong>On</strong>: <strong>Context</strong> Management Integration Guide
v “<strong>Enterprise</strong> identity”<br />
v “<strong>Enterprise</strong> applications”<br />
v “Personal applications” on page 16<br />
v “User, system, and machine policies” on page 16<br />
Credentials

Credentials refer to user names, passwords, certificates, and any other information required for authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for Enterprise Single Sign-On, credentials are stored and secured in your Wallet.
Enterprise identity

In an enterprise, you have multiple user accounts for different types of applications, such as e-mail, portal, human resources system, and Web access. One of these identities is used to authenticate users and provide access to the enterprise network.

For example, you might be required to log on to Windows and access the network by entering your user name and password. This identity is also called an enterprise identity.

The solution that an enterprise uses for identity management must be identified. The solution verifies the identities of users logging on with Tivoli Access Manager for Enterprise Single Sign-On keys. The solution also links the IMS Server with the enterprise directory that manages your users.

This policy is set before deployment and sets the foundations of how the system works. You can change the policy later using AccessAdmin. The enterprise identity binding must be a system or application that the enterprise identifies as a long-term investment; the system or application must not be changed, removed, or replaced soon.
Enterprise applications

The enterprise must select the applications to include in the enterprise application list. Enterprise applications are specific to the business of an enterprise and are controlled by an Administrator.

See this list for some characteristics of an enterprise application:
• Managed through the IMS Server by the information technology department of the enterprise
• Passwords are grouped by authenticating directories
• Audit logs are generated and stored in the IMS Server
• User accounts are pre-created
• User account entries cannot be deleted in AccessAgent
• Passwords can be fortified
• Password entries cannot be set to Never in AccessAgent

Examples of enterprise applications are:
• Microsoft Windows
• Active Directory
• SAP
• PeopleSoft
• Oracle
• Novell

Enterprise applications can be added or removed after deployment. However, these applications are implemented in a global policy, which means all users have access to the same enterprise applications.
Personal applications

The enterprise must specify whether the users can use AccessAgent and Tivoli Access Manager for Enterprise Single Sign-On keys for personal applications. Personal applications are applications for which users can choose whether AccessAgent stores and enters their user names and passwords. Some examples of personal applications are IBM Lotus Notes®, IBM Lotus® Sametime® Connect, and online banking sites.

This policy is implemented as a global policy: users are either allowed or not allowed to use AccessAgent with personal applications. You cannot grant or deny access to specific users.
User, system, and machine policies

Tivoli Access Manager for Enterprise Single Sign-On uses policies to control the behavior of the product components. These policies are configurable through various means, so the product can meet specific organizational requirements. Policies have different visibilities and scopes, and are managed by different roles.

Policies might be applicable system-wide, or only to certain groups of users or machines. The applicability of a policy is determined by the policy scope: system, user, or machine.
• System: the policy is system-wide
• User: the policy affects only a specific user
• Machine: the policy affects only a specific machine
System, machine, and user policies can be configured using AccessAdmin. Changes to these policies are propagated to clients the next time AccessAgent synchronizes with the IMS Server (for example, in 30 minutes).

Note: Not all user policies are updated in real time. Some policies require the machine to be restarted for the changes to take effect.

The IMS Server applies machine policies to machines after they join the IMS Server; the policies are then automatically synchronized with AccessAgent. There can be several machine policy templates defined in the IMS Server. One of these templates is set as the default.

Through AccessAdmin, system policies and machine policies can be modified by an Administrator. A Help desk officer can only view system and machine policies. User policies can be modified by either an Administrator or a Help desk officer.

A policy might be defined for different scopes. For example, the desktop inactivity policy might define the desktop inactivity time-out duration for one machine or for the entire system. If this policy is defined for both scopes, a priority is defined to decide which value applies when the time-out value differs between the machine and the entire system. If the policy priority is "machine", only the machine policy is effective. A command-line tool (CLT) allows Administrators to view and set policy priorities. For more information, see IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition Guide.

Policies might be dependent on other policies. For example, the hot key action policy is only effective if the hot key is enabled. If the hot key is disabled, the setting for the hot key action policy does not affect users.
Some groups of policies have overlapping scopes. For example, the following policies all have a system scope, but the range of entities that each affects is different:
• Wallet inject password entry option default policy (pid_wallet_inject_pwd_entry_option_default): defines the default password entry option for all authentication services and applications.
• Authentication inject password entry option default policy (pid_auth_inject_pwd_entry_option_default): defines the default password entry option for a specific authentication service.
• Application inject password entry option default policy (pid_app_inject_pwd_entry_option_default): defines the default password entry option for a specific application.

In general, application-specific policies override authentication service-specific policies, which in turn override general Wallet policies. In this case, the Wallet inject password entry option default policy (pid_wallet_inject_pwd_entry_option_default) is used when the other two policies are not defined for a particular authentication service or application. If the Authentication service inject password entry option default policy (pid_auth_inject_pwd_entry_option_default) is defined for an authentication service, it overrides the Wallet policy when a default password entry option is needed for that authentication service. Similarly, if the Application inject password entry option default policy (pid_app_inject_pwd_entry_option_default) is defined for a particular application, it overrides the other two policies.

User-specific policies generally override system-wide policies, but this also depends on the current policy priority. If a policy has both user and system scopes, for example the Authentication accounts maximum policy (pid_auth_accounts_max), the user scope setting is always effective if it is defined. If the user scope setting is not defined for a particular user, the system scope setting becomes effective.
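The precedence rules in this section, worked through in Python as an added illustration (not product code): the pid_* identifiers are the ones the guide names, while the option values, user and machine names, and the desktop-inactivity policy id are constructed placeholders.

```python
# Added illustration of the policy precedence described above; not IBM code.
# The pid_* identifiers are the ones the guide names; all values, user names,
# machine names and the desktop-inactivity policy id are constructed.

PID_WALLET = "pid_wallet_inject_pwd_entry_option_default"   # all services and apps
PID_AUTH = "pid_auth_inject_pwd_entry_option_default"       # per authentication service
PID_APP = "pid_app_inject_pwd_entry_option_default"         # per application
PID_ACCOUNTS_MAX = "pid_auth_accounts_max"                  # has user and system scope
PID_INACTIVITY = "desktop_inactivity_timeout"               # constructed placeholder id


def effective_inject_option(policies, auth_service, application):
    """Resolve the default password entry option for one (service, application).

    Precedence: application-specific > authentication-service-specific > Wallet-wide.
    Returns (value, scope_that_supplied_it); (None, "undefined") if nothing is set.
    """
    by_app = policies.get(PID_APP, {})
    if application in by_app:
        return by_app[application], "application"
    by_service = policies.get(PID_AUTH, {})
    if auth_service in by_service:
        return by_service[auth_service], "authentication service"
    if PID_WALLET in policies:
        return policies[PID_WALLET], "wallet"
    return None, "undefined"


def effective_user_policy(pid, system_policies, user_policies, user):
    """User scope wins whenever it is defined for that user; otherwise system scope."""
    per_user = user_policies.get(user, {})
    if pid in per_user:
        return per_user[pid], "user"
    if pid in system_policies:
        return system_policies[pid], "system"
    return None, "undefined"


def effective_machine_policy(pid, system_policies, machine_policies, machine, priority):
    """Machine vs system scope is decided by the policy priority set with the CLT.

    The guide states the "machine" case: only the machine policy is effective.
    The "system" case is assumed here to be symmetric, and falling back to the
    other scope when the preferred one has no value is also an assumption.
    """
    machine_value = machine_policies.get(machine, {}).get(pid)
    system_value = system_policies.get(pid)
    if priority == "machine":
        if machine_value is not None:
            return machine_value, "machine"
        return system_value, "system"
    if system_value is not None:
        return system_value, "system"
    return machine_value, "machine"


# Constructed sample IMS Server data (not from the guide); option strings are placeholders.
SAMPLE_POLICIES = {
    PID_WALLET: "wallet-option",
    PID_AUTH: {"ActiveDirectory": "ad-option"},
    PID_APP: {"SAP": "sap-option"},
}
SAMPLE_SYSTEM = {PID_ACCOUNTS_MAX: 3, PID_INACTIVITY: 600}
SAMPLE_USERS = {"alice": {PID_ACCOUNTS_MAX: 5}}
SAMPLE_MACHINES = {"ward-pc-01": {PID_INACTIVITY: 120}}


if __name__ == "__main__":
    print(effective_inject_option(SAMPLE_POLICIES, "ActiveDirectory", "SAP"))         # ('sap-option', 'application')
    print(effective_inject_option(SAMPLE_POLICIES, "ActiveDirectory", "PeopleSoft"))  # ('ad-option', 'authentication service')
    print(effective_inject_option(SAMPLE_POLICIES, "Oracle", "PeopleSoft"))           # ('wallet-option', 'wallet')
    print(effective_user_policy(PID_ACCOUNTS_MAX, SAMPLE_SYSTEM, SAMPLE_USERS, "bob"))  # (3, 'system')
    print(effective_machine_policy(PID_INACTIVITY, SAMPLE_SYSTEM, SAMPLE_MACHINES,
                                   "ward-pc-01", "machine"))                           # (120, 'machine')
```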
Chapter 2. Tivoli Access Manager for Enterprise Single Sign-On Context Management overview

Install, configure, and test the Tivoli Access Manager for Enterprise Single Sign-On Context Management integrated solution on individual workstations.

What to do, and where to find information:
• Obtain the Tivoli Access Manager for Enterprise Single Sign-On Context Management installation program: see “Installing Context Management” on page 23.
• Ensure that the installation prerequisites are met: see “Installing Context Management” on page 23.
• Test the Tivoli Access Manager for Enterprise Single Sign-On Context Management integrated solution: see Chapter 5, “Testing Context Management,” on page 27.
Chapter 3. About Tivoli Access Manager for Enterprise Single Sign-On with Context Management

See the following topics for information about how Tivoli Access Manager for Enterprise Single Sign-On with Context Management is used by the health care industry and how its integration with existing solutions can enhance clinical operations.
• “Context Management system overview”
• “About the Context Management solution” on page 22

Context Management system overview

The Health Level Seven (HL7) Clinical Context Object Workgroup (CCOW) is a vendor-independent standard that allows clinical applications to share information at the point of care. Using a technique called "context management", Clinical Context Object Workgroup provides the clinician with a unified view of the information held in separate and disparate health care applications referring to the same patient, encounter, or user.

When a clinician signs on to one application within the group of disparate applications residing in the Clinical Context Object Workgroup environment, that same sign-on is simultaneously executed on all other applications within the group. Similarly, when the clinician selects a patient, the same patient is selected in all the applications. Clinical Context Object Workgroup is rapidly gaining popularity in the health care industry, because it provides clinicians with faster access to patient records across multiple applications.

Carefx is one of the vendors that provide a CCOW-compliant context management tool, called Fusionfx Context Manager (FCM). IBM integrates its Context Management solution with it to provide sign-on automation to all Clinical Context Object Workgroup and non-Clinical Context Object Workgroup applications.

AccessAgent sets the Tivoli Access Manager for Enterprise Single Sign-On user name as context in Carefx FCM after the user logs on to AccessAgent. Fusionfx Context Manager manages the mapping of individual application logon accounts for that user name, and automates sign-on to individual Clinical Context Object Workgroup applications using the mapped accounts.

There is no suitable authentication mechanism between AccessAgent and Fusionfx Context Manager. Carefx Fusionfx Context Manager therefore assumes that user authentication is handled by AccessAgent before the user context is set in Fusionfx Context Manager.
About the Context Management solution

Tivoli Access Manager for Enterprise Single Sign-On with Context Management provides sign-on automation to all Clinical Context Object Workgroup and non-Clinical Context Object Workgroup applications.

When combined with an SSO product, Carefx uses a model in which all user logons go through the SSO product. When a user logs on, the SSO product executes a Carefx synchronization process called FccSync that integrates with FCC. When FCC is alerted about a logon, it calls the SSO product through the SSO API to obtain the name of the current user. FCC then sets the user name into the CCOW context.

FCC does not receive the user name as a command-line argument, which would not be secure. Instead, FCC calls into the SSO product to retrieve the user name.

When a user logs out, the SSO product executes the same Carefx synchronization process (FccSync) to notify FCC that the user has logged out. FCC then calls the SSO product, which returns a "null" user name to FCC, indicating that no user is currently logged on.

AccessAgent uses the user logon and logoff scripts to launch the Carefx synchronization process (FccSync). Logon and logoff scripts can be defined per user through AccessAdmin. For an enterprise deployment, the logon and logoff scripts are included in the policy template, so that all users are enabled with Carefx automatically after sign-up.
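The logon/logoff exchange above, modelled in Python as an added illustration (not Carefx or IBM code): the classes, the stand-in SSO API and the user name are constructed, and the point it shows is that the user name travels through an API call and never through the FccSync command line.

```python
# Added model of the FccSync logon/logoff exchange described above; it is not
# Carefx or IBM code. Class names, the stand-in SSO API and the user name are
# constructed to show the control flow only.
from typing import List, Optional


class SsoProduct:
    """Stand-in for the SSO product (AccessAgent). It knows who is logged on and
    exposes that through an API call instead of passing it on a command line."""

    def __init__(self, fcc):
        self._fcc = fcc
        self._current_user: Optional[str] = None
        self.launch_log: List[str] = []   # every command line the SSO product ran

    def current_user(self) -> Optional[str]:
        """The SSO API call FCC uses to obtain the current user name (None = "null")."""
        return self._current_user

    def _run_fcc_sync(self):
        # FccSync is launched without arguments: the user name never appears in argv.
        self.launch_log.append("FccSync")
        self._fcc.on_sync(self)

    def logon(self, user: str):
        self._current_user = user
        self._run_fcc_sync()          # what the per-user logon script triggers

    def logoff(self):
        self._current_user = None
        self._run_fcc_sync()          # what the per-user logoff script triggers


class Fcc:
    """Stand-in for the Fusionfx Context Channel that holds the CCOW user subject."""

    def __init__(self):
        self.ccow_user: Optional[str] = None
        self.history: List[Optional[str]] = []

    def on_sync(self, sso: SsoProduct):
        # Pull model: FCC asks the SSO product who is logged on and sets the
        # CCOW user context accordingly; None models the "null" user name.
        self.ccow_user = sso.current_user()
        self.history.append(self.ccow_user)


def run_session(user: str):
    """Log one user on and off; return (CCOW context history, commands the SSO product ran)."""
    fcc = Fcc()
    sso = SsoProduct(fcc)
    sso.logon(user)
    sso.logoff()
    return fcc.history, sso.launch_log


if __name__ == "__main__":
    print(run_session("drjones"))   # (['drjones', None], ['FccSync', 'FccSync'])
```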
Chapter 4. Context Management installation

See the instructions provided in these topics to install or uninstall Context Management on your computer.
• “Installing Context Management”
• “Uninstalling Context Management” on page 25

Installing Context Management

Follow the steps in this procedure to install Context Management on your computer.

Before you begin

Before you install Context Management, ensure that you meet the following requirements:
• AccessAgent 2.3.4.1 or a higher version preinstalled on your computer
• The Context Management installer package, called integrated_installer.zip
• At least an Intel® Pentium® III or equivalent processor
• A minimum of 260 MB of RAM

Important: If you have a previous version of Context Management, uninstall the previous version and delete or rename the folder (for example, C:\Program Files\CareFX). For more information, see “Uninstalling Context Management” on page 25.

About this task

After Context Management is installed on top of AccessAgent, you can upgrade AccessAgent to a later version. The upgrade does not affect the current installation of Context Management. In some cases, you might have to manually create an FccSynchPath entry in the Tivoli Access Manager for Enterprise Single Sign-On hive.
Procedure

1. Download the latest installer of your context management system (for example, Carefx) from the FTP or download site. If the installer is in a .ZIP file, create a folder on your hard disk drive and extract the compressed file (for example, ).
2. Navigate to the Integrated_Installer folder.
3. Select Start → Run and find the path \01 FCM Enabler\Setup.exe. Retain the default values for the installation options.
4. Select Start → Run and find the path \02 CfxCrypto\CfxCrypto.exe. Retain the default values for the installation options.
5. Select Start → Run and find the path
11. Navigate to the \Carefx\cm-sdk\Fusionfx\Context Channel\ folder. Right-click the fcc.ini file, and click Edit.
12. Add the following lines in the [CCOW] section:
        userSubjectSuffix=desktop
        patientSubjectSuffix=desktop
        encounterSubjectSuffix=
    After entering these lines, save the file and close the window.
13. Navigate to the \Launcher folder and copy the entire contents of the folder to the \Carefx folder.
14. Create a shortcut of \Carefx\CM-sdk\cm-server\startcs.cmd and paste the shortcut in the Start menu → Programs → Startup folder so that it runs when Windows starts.
15. Enable the logon or logoff script policies in the IMS Server for the Carefx user. To know which VBScript to add, see Chapter 5, “Testing Context Management,” on page 27.
16. Restart your computer.
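A Python helper, added here and not part of the Carefx or IBM installer, that applies step 12 to fcc.ini idempotently, so that running it twice or on a file that already has some of the entries leaves exactly the three [CCOW] lines the procedure requires; the sample file contents and its serverName key are constructed.

```python
# Added helper for step 12 of the procedure above; not Carefx or IBM code.
# It adds the three [CCOW] entries to an fcc.ini text while keeping every other
# section and key intact, and reports which keys it had to change.
import configparser
import io

CCOW_SECTION = "CCOW"
# The three entries the guide says to add (values taken from the procedure).
REQUIRED_CCOW_ENTRIES = {
    "userSubjectSuffix": "desktop",
    "patientSubjectSuffix": "desktop",
    "encounterSubjectSuffix": "",
}


def _parser() -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase key names FCC expects; do not lowercase
    return cp


def ensure_ccow_entries(ini_text: str):
    """Return (updated ini text, list of keys that were added or corrected)."""
    cp = _parser()
    cp.read_string(ini_text)
    if not cp.has_section(CCOW_SECTION):
        cp.add_section(CCOW_SECTION)
    changed = []
    for key, value in REQUIRED_CCOW_ENTRIES.items():
        if cp.get(CCOW_SECTION, key, fallback=None) != value:
            cp.set(CCOW_SECTION, key, value)
            changed.append(key)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # write key=value like the guide shows
    return out.getvalue(), changed


def read_ccow_entries(ini_text: str) -> dict:
    """Parse the [CCOW] section of an fcc.ini text (empty dict if the section is absent)."""
    cp = _parser()
    cp.read_string(ini_text)
    return dict(cp.items(CCOW_SECTION)) if cp.has_section(CCOW_SECTION) else {}


def update_fcc_ini(path: str) -> list:
    """Apply ensure_ccow_entries to a file on disk; only rewrite it when something changed."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changed = ensure_ccow_entries(text)
    if changed:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed


# Constructed sample fcc.ini (not a real Carefx file): one unrelated section and a
# [CCOW] section that already has a key but none of the three required entries.
SAMPLE_FCC_INI = """[General]
logLevel=info

[CCOW]
serverName=localhost
"""

if __name__ == "__main__":
    updated, changed = ensure_ccow_entries(SAMPLE_FCC_INI)
    print(changed)   # ['userSubjectSuffix', 'patientSubjectSuffix', 'encounterSubjectSuffix']
    print(updated)
```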
Uninstalling Context Management

Follow the steps in this procedure to remove Context Management from your computer.

About this task

See the following procedure to remove the installation of Context Management from your computer. You can also uninstall AccessAgent by following standard uninstallation procedures.

Procedure

1. Use Control Panel → Add or Remove Programs to remove the following Carefx-related programs:
   • Carefx Crypto Utility
   • Carefx Fusionfx Context Channel
   • Carefx Fusionfx Context Enabler
2. Open the Registry Editor (Start → Run..., type regedit, then press Enter).
3. Delete the following registry entries:
   • HKEY_LOCAL_MACHINE\Software\Carefxt
   • HKEY_LOCAL_MACHINE\Software\Encentuate\AccessAgent\Integration\Carefx
4. Navigate to the \Carefx folder, and delete the folder.
5. Remove Carefx-related shortcuts from the Start → All Programs → Startup menu.
6. Disable the logon or logoff script policies in the IMS Server for the Carefx users. Remove the VBScript that was added for the user in the logon and logoff script sections related to Carefx. To know which VBScript to remove, see Chapter 5, “Testing Context Management,” on page 27.
7. Restart your computer.
Chapter 5. Testing Context Management

See these topics to verify that Tivoli Access Manager for Enterprise Single Sign-On with Context Management is functioning as expected. Testing involves some of the following tasks:
• performing test logons
• performing test logoffs
• successfully launching the executable files installed with the system

See the following topics for more information.
• “Testing Context Management functionality”
• “Additional verifications for testing Context Management” on page 28

Testing Context Management functionality

The context manager is contacted by the logon script, which is defined at the IMS Server for each user. Similarly, when a user logs off AccessAgent, a logoff script is executed by AccessAgent to log off the user from the context manager.

About this task

The following steps are necessary to test the integrated solution.

Procedure

1. Enable the logon or logoff script policies in the IMS Server for the user for whom Carefx is being set up, and add the following VBScript to the logon and logoff script sections.
   Logon script:
        ' Run the Carefx logon helper so that FCC picks up the AccessAgent user
        Dim obj
        Set obj = CreateObject("WScript.Shell")
        obj.Run "LogonCarefx"
        Set obj = Nothing
   Logoff script:
        ' Run the Carefx logoff helper so that FCC clears the user context
        Dim obj
        Set obj = CreateObject("WScript.Shell")
        obj.Run "LogoffCarefx"
        Set obj = Nothing
2. Log on to AccessAgent as the logon or logoff script user. The Wallet of the user synchronizes the logon or logoff scripts from the IMS Server.
   Important: The logon script does not run for the first logon to AccessAgent after the script has been defined on the IMS Server.
3. For subsequent logons to AccessAgent, the user automatically logs on to Context Manager through the logon script.
Additional verifications for testing Context Management

When logging on to AccessAgent (regardless of the authentication factors used), the user should also be logged on to the context manager automatically. The same applies to logging off.

To verify that a user has logged on to the context manager, right-click the gray-blue icon of the context channel in the system tray. A successful logon displays Status:Linked and User: followed by the user name in the context menu. When the user logs off from AccessAgent, right-clicking the icon displays Status:Unlinked and User: with no user name in the context menu.

Launch any of the executable files from the \Carefx\Launcher directory. The executable files display the same user name that is logged on to AccessAgent. After the user has logged off from AccessAgent, the user should be logged off from these other applications automatically.

Important: The applications provided in the \Carefx\Launcher folder are meant for demo purposes only.
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).

Adobe, the Adobe logo, PostScript®, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside®, Intel Inside logo, Intel® Centrino®, Intel Centrino logo, Celeron®, Intel® Xeon®, Intel SpeedStep®, Itanium®, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Glossary
AccessAdmin. The management interface used by individuals with the Administrator role and/or the Help desk role to administer the IMS Server, and to manage users and policies.

AccessAgent. AccessAgent, or AA, is the client software that manages the user's identity, enabling sign-on/sign-off automation and authentication management.

AccessAssistant. The Web-based interface used to provide password self-help for users to obtain the latest credentials to log on to their applications.

AccessProfiles. Short, structured XML files that enable single sign-on or sign-off automation for applications. AccessStudio can be used to generate AccessProfiles.

AccessStudio. The interface used to create AccessProfiles required to support end-point automation, including single sign-on, single sign-off, and customizable audit tracking.

action. An act that can be performed in response to a trigger. For example, automatic filling of user name and password details as soon as a sign-on window displays. See also trigger.

ActiveCode. Short-lived authentication codes that are controlled by the Tivoli Access Manager for Enterprise Single Sign-On system. There are two types of ActiveCodes: random ActiveCodes and predictive ActiveCodes. The generation of ActiveCodes can be triggered in one of two ways: time-based (for example, every minute or every day) or event-based (for example, pressing a button). Combined with alternative channels or devices, ActiveCodes provide effective second-factor authentication.

Active Proximity Badge. Similar to an RFID card, but differs in its ability to be detected by a proximity reader from a considerably longer distance (such as two meters away).

ARFID (Active RFID). ARFID is both a second factor and a presence detector. It can detect the presence of a user, and AccessAgent can be configured to perform specific actions in response.

AD. Microsoft Active Directory.

API. Application Programming Interface.

application. In AccessStudio, refers to the system that provides the user interface for reading or entering the authentication credentials.

authentication factor. The different devices, biometrics, or secrets required as credentials for validating digital identities (for example, passwords, smart cards, RFID, biometrics, and one-time password tokens).

authentication service. Verifies the validity of an account; applications authenticate against their own user store or against a corporate directory.
authorization code. An alphanumeric code generated by an IBM Help desk user for administrative functions, such as password resets or authentication factors for the Wallet; might be used one or more times based on policy.

biometrics. The identification of a user based on a physical characteristic of the user, such as a fingerprint, iris, face, voice or handwriting.

certificate authority (CA). A trusted third-party organization or company that issues digital certificates. The certificate authority typically verifies the identity of the individuals who are granted the unique certificate.

Clinical Context Object Workgroup (CCOW). A vendor-independent standard that clinical applications use to share information at the point of care.

CLT. Command Line Tool.

Command Line Tool (CLT). A tool that Administrators use to view and set policy priorities.

Context management. A technique that provides the clinician with a unified view of the information held in separate and disparate health care applications referring to the same patient, encounter, or user.

control. Any field on a screen. Examples are a user name text box or an OK button on a Web page.

conventional single sign-on. Refers to Web-based single sign-on systems; typically requires server-side integration, with a centralized architecture.

credentials. User names, passwords, certificates, and any other information that is required for authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for Enterprise Single Sign-On, credentials are stored and secured in the Wallet.

Desktop Manager. Manages concurrent user desktops on a single workstation.

directory. A structured repository of information on people and resources within an organization, facilitating management and communication.

EnGINA. Tivoli Access Manager for Enterprise Single Sign-On GINA, which replaces the Microsoft GINA. EnGINA provides a user interface that is tightly integrated with authentication factors and provides password reset and second-factor bypass options.

Enterprise Access Security (EAS). A technology that enables enterprises to simplify, strengthen and track access to digital assets and physical infrastructure. Simplifying access improves time-to-information, user productivity, and convenience. Strengthening access allows stronger security and better risk management. Tracking access enables compliance. EAS solutions are a new generation of identity management security products that reflect the convergence of logon or logoff automation, authentication management, centralized user access administration, and the unification of logical (information) and physical (building) access control systems.

Enterprise Single Sign-On (E-SSO). A mechanism that allows users to log on to all applications deployed in the enterprise by entering a user ID and other credentials (such as a password). Many E-SSO products use sign-on automation technologies to achieve SSO: users log on to the sign-on automation system, and the system logs the user on to all other applications.
FCM. Fusionfx Context Manager tool.

FIPS. Federal Information Processing Standard. A standard produced by the National Institute of Standards and Technology when national and international standards are nonexistent or inadequate to satisfy the U.S. government requirements.

fortified password. An application password that is automatically changed by the system and not by the user. In Tivoli Access Manager for Enterprise Single Sign-On, passwords might be fortified with Tivoli Access Manager for Enterprise Single Sign-On ActiveCodes.

hybrid desktop. A term used to describe how organizations combine different session management capabilities to meet the needs of the user community.

IMS Bridge. Extends the functionality of third-party programs, allowing them to communicate with the IMS Server.

IMS Connector. Add-ons to the IMS Server that enable the IMS Server to interface with other applications as a client, extending the capability of the IMS Server. Examples include IMS Connectors for password change.

IMS Server. An integrated management system that provides a central point of secure access administration for an enterprise. It enables centralized management of user identities, AccessProfiles, and authentication policies, and provides loss management, certificate management, and audit management for the enterprise.

IMS Server Certificate. Used in Tivoli Access Manager for Enterprise Single Sign-On. The IMS Server Certificate is used to identify an IMS Server.

IMS Service Modules. Add-on modules that extend the basic services provided by the IMS Server (for example, user management, policy management, and certificate issuance).

iTag. A patent-pending technology that can convert any photo badge or personal object into a proximity device, which can be used for strong authentication.

ITAM (IBM Tivoli Access Manager). An integrated solution that provides a wide range of authorization and management solutions. This product can be used on various operating system platforms such as Unix (AIX®, Solaris, HP-UX), Linux, and Windows.

LUSM. Local User Session Management. A method for managing multiple desktops on a single workstation.

Mobile ActiveCode (MAC). A one-time password that is randomly generated, event-based, and delivered through a secure second channel (for example, SMS on mobile phones).

One-Time Password (OTP). A one-use password generated for an authentication event (for example, password reset), sometimes communicated between the client and the server through a secure channel (for example, mobile phones).

password. A sequence of characters used to determine that a user requesting access to a system is the appropriate user.
personal applications. Windows and Web-based applications for which AccessAgent can store and enter credentials. Some enterprises might not allow the use of a Tivoli Access Manager for Enterprise Single Sign-On Key with personal applications. Password fortification also does not happen for personal applications. Some examples of personal applications are Web-based mail sites such as Company Mail, Internet banking sites, online shopping sites, chat or instant messaging programs and the like.

Personal Identification Number (PIN). A password, typically of digits, entered through a telephone keypad or automatic teller machine.

policy. Governs the operation of Tivoli Access Manager for Enterprise Single Sign-On, comprising two main sets: machine policies (managed through Windows GPO) and IMS-managed policies (managed through AccessAdmin).

Policy ID. Each policy is identified by its policy ID, which has pid as its prefix (for example, pid_wallet_authentication_option).

policy template. A predefined policy form that helps users define a policy by providing the fixed policy elements that cannot be changed and the variable policy elements that can be changed.

presence detector. When affixed to a computer, this device detects when a person moves away from it, thus eliminating the need to manually lock the computer upon leaving it for a short time.

private desktop. Under this desktop scheme, users have their own Windows desktops in a workstation. When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop session of the previous user and resumes the last task.

private key. An encryption or decryption key that is kept secret by its owner. It is one of a pair of two keys used for encryption and decryption in public key cryptography.

Radio Frequency Identification (RFID). A wireless technology that transmits product serial numbers from tags to a scanner, without human intervention.

random passwords. Generated passwords used to increase authentication security between clients and servers. Random password change is the process of modifying access codes between a client and a server using a random sequence of characters. This change can only happen when the client and the server are sharing a secured session, as the random sequence has to be communicated between the two parties. The new random password can then be used to re-establish a secured session the next time the client needs to access the server.

register. Signing up for a Tivoli Access Manager for Enterprise Single Sign-On account, and registering a second factor (for example, a smart card or RFID) with the IMS Server.

registry. Machine policies are typically configured in AccessAdmin, but can also be configured using the Windows registry when necessary. This is especially the case when the pid_machine_policy_override_enabled policy is set to Yes, which means that Administrators must use the Windows registry to modify machine policies.

roaming desktops. Under this desktop scheme, a user can disconnect from a desktop or application session at one client, log on to another client, and continue the desktop or application session at that new client.
scope. A reference to the applicability of a policy, be it at the system, user, or machine level.

secret. Information known only to the user.

Secure Remote Access. The solution that provides Web browser-based single sign-on to all applications (for example, legacy, desktop, and Web) from outside the firewall.

security officer. An officer who defines the identity Wallet security policies and other application policies.

serial number. A number embedded in Tivoli Access Manager for Enterprise Single Sign-On Keys that is unique to each Key and cannot be changed.

Service Provider Interface (SPI). Designed for devices that contain serial numbers, like RFID, the SPI makes it easier for vendors to integrate any device with a serial number and use it as a second factor in AccessAgent.

session. A logical or virtual connection between two stations, software programs, or devices on a network that allows the two elements to communicate and exchange data.

shared desktops. Under this desktop scheme, multiple users share a generic Windows desktop. Switching of users can be done quickly and efficiently.

sign-on automation. A technology that works with application user interfaces to automate the sign-on process for users. Many ESSO products use this technology to achieve SSO: users log on to the sign-on automation mechanism, and the sign-on automation system takes over from there to log the user on to all other applications.

sign-up. Requesting an account with the IMS Server. As part of the process, users are issued a Wallet. They can subsequently register one or more second factors with the IMS Server.

signature. Unique identification information for any application, window, or field.

single sign-on. A capability that allows a user to enter a user ID and password to access multiple applications.

smart card. A pocket-sized card that is built to handle data using a network of embedded circuits. Smart cards can receive input from applications, and can also send out information (such as logon information).

SSL. Secure Sockets Layer.

strong authentication. A solution that utilizes multi-factor authentication devices (such as smart cards) to prevent unauthorized access to confidential corporate information and IT networks, both inside and outside the corporate perimeter.

strong digital identity. An online persona that is difficult to impersonate, possibly secured by private keys on a smart card. These identities typically have to be supported by physical authentication factors.

TAM E-SSO Password. The password that secures access to your Wallet. The length of the password ranges from six to 20 characters, depending on the preference of your organization. The assumption is that only the authentic user has the password to access their account.
token. A small, highly portable hardware device that the owner carries to authorize access to digital systems and/or physical assets.

TTY. Terminal emulator, terminal application. A program that emulates a video terminal within some other display architecture. Though typically synonymous with a command line shell or text terminal, the term terminal covers all remote terminals, including graphical interfaces. A terminal emulator inside a graphical user interface is often called a terminal window.

user-centric, server managed. A distributed, agent-based system that provides the user with the convenience of a user-focused agent, and provides the enterprise with consolidated views and controls over the distributed agents. If designed carefully, it can avoid the pitfall of many distributed systems: a single point of failure in the server. Tivoli Access Manager for Enterprise Single Sign-On has a user-centric, server-managed architecture in which the AccessAgent provides access security functions to the users, and is centrally managed through the IMS Server.

Virtual Private Network (VPN). An extension of a company intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.

Wallet. An identity Wallet that stores a user's access credentials and related information (including user IDs, passwords, certificates, encryption keys), acting as the user's personal meta-directory.

Web Workplace. A Web-based interface that provides the ability to log on to enterprise Web applications by clicking links, without entering the passwords for individual applications. This interface can be integrated with the customer's existing portal or SSL VPN.
Index

A
accessibility viii

B
books: See publications

C
Context Management
  about 22
  installation 23
  system overview 21
  testing 27, 28
  uninstallation 25
conventions
  typeface ix
credentials 15

D
directory names, notation x

E
education: See Tivoli technical training
enterprise applications 15
enterprise identity 15
environment variables, notation x

I
icons
  margin x

M
manuals: See publications
margin icons x

N
notation
  environment variables x
  path names x
  typeface x

O
online publications
  accessing viii
ordering publications viii

P
path names, notation x
personal applications 16
personal workstations
  about 11
policies 16
private desktops
  about 12
publications vi
  accessing online viii
  ordering viii

R
roaming desktops
  about 13

S
shared desktops
  about 12

T
Tivoli Access Manager for Enterprise Single Sign-On 1
  authentication factors 6
  concepts 14
  features 2
  product components 5
  program icons 14
  usage configurations 11
Tivoli Information Center viii
Tivoli technical training viii
Tivoli user groups viii
training, Tivoli technical viii
typeface conventions ix

U
user groups, Tivoli viii

V
variables, notation for x

Printed in USA
SC23-9954-02