IBM Tivoli Access Manager for Enterprise Single Sign-On: Context ...

Tivoli® Access Manager for Enterprise Single Sign-On
Version 8.1
Context Management Integration Guide
SC23-9954-02

Tivoli® Access Manager for Enterprise Single Sign-On
Version 8.1
Context Management Integration Guide
SC23-9954-02

Note
Before using this information and the product it supports, read the information in “Notices” on page 29.
Edition notice
Note: This edition applies to version 8.1 of IBM Tivoli Access Manager for Enterprise Single Sign-On, (product
number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2002, 2009. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
© Copyright IBM Corporation 2002, 2009.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.

Contents
About this publication . . . . . . . . v
Intended audience . . . . . . . . . . v
What this publication contains . . . . . . v
Publications . . . . . . . . . . . . vi
Tivoli Access Manager for Enterprise Single
Sign-On library . . . . . . . . . . vi
Accessing terminology online . . . . . vii
Accessing publications online . . . . . viii
Ordering publications . . . . . . . viii
Accessibility. . . . . . . . . . . . viii
Tivoli technical training . . . . . . . . viii
Tivoli user groups. . . . . . . . . . viii
Support information . . . . . . . . . ix
Conventions used in this publication . . . . ix
Typeface conventions . . . . . . . . ix
Operating system-dependent variables and
paths. . . . . . . . . . . . . . x
Margin icons . . . . . . . . . . . x
Chapter 1. About Tivoli Access Manager for
Enterprise Single Sign-On . . . . . . . 1
Tivoli Access Manager for Enterprise Single
Sign-On features . . . . . . . . . . . 2
Product components . . . . . . . . . 5
Authentication factors . . . . . . . . . 6
TAM E-SSO Password . . . . . . . . 6
Secrets . . . . . . . . . . . . . 7
Second authentication factors. . . . . . 7
Presence detectors . . . . . . . . . 10
Tivoli Access Manager for Enterprise Single
Sign-On usage . . . . . . . . . . . 11
Personal workstation configuration . . . 11
Shared workstation configuration . . . . 11
Tivoli Access Manager for Enterprise Single
Sign-On program icons . . . . . . . . 14
Policies, certificates, and other product
concepts . . . . . . . . . . . . . 14
Credentials . . . . . . . . . . . 15
Enterprise identity . . . . . . . . . 15
Enterprise applications . . . . . . . 15
Personal applications . . . . . . . . 16
User, system, and machine policies . . . 16
Chapter 2. Tivoli Access Manager for
Enterprise Single Sign-On Context
Management overview . . . . . . . . 19
Chapter 3. About Tivoli Access Manager
for Enterprise Single Sign-On with Context
Management . . . . . . . . . . . 21
Context Management system overview . . . 21
About the Context Management solution . . 22
Chapter 4. Context Management
installation . . . . . . . . . . . . 23
Installing Context Management . . . . . 23
Uninstalling Context Management . . . . 25
Chapter 5. Testing Context Management 27
Testing Context Management functionality . . 27
Additional verifications for testing Context
Management . . . . . . . . . . . . 28
Notices . . . . . . . . . . . . . 29
Trademarks . . . . . . . . . . . . 31
Glossary . . . . . . . . . . . . . 33
Index . . . . . . . . . . . . . . 39
© Copyright IBM Corp. 2002, 2009 iii

iv IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

About this publication
The IBM ® Tivoli ® Access Manager for Enterprise Single Sign-On provides
sign-on and sign-off automation, authentication management, and user
tracking to provide a seamless path to strong digital identity. The IBM Tivoli
Access Manager for Enterprise Single Sign-On Context Management Integration
Guide provides information for installing, configuring, and testing the Context
Management integrated solution in each client workstation.
Intended audience
This publication is for technical users who understand how Tivoli Access
Manager for Enterprise Single Sign-On can be enhanced and customized for a
specific customer's use.
This publication is for Administrators and system programmers who need to
perform the following tasks:
v Installing and Tivoli Access Manager for Enterprise Single Sign-On with
Context Management
v Running command-line tools (CLTs) to register components for the solution
v Mapping application accounts set up in AccessAgent to the Fusionfx
Context Manager (FCM) tool
v Providing sign-on automation to other applications used by the health care
organization
Readers need to be familiar with the following topics:
v Installing and setting up AccessAgent
v Clinical Context Object Workgroup (CCOW) standard
v Using the Fusionfx Context Manager (FCM) tool
What this publication contains
This publication contains the following sections:
v Chapter 1, "About Tivoli Access Manager for Enterprise Single Sign-On"
Provides an overview of the Tivoli Access Manager for Enterprise Single
Sign-On system and its main product components.
v Chapter 2, "Tivoli Access Manager for Enterprise Single Sign-On Context
Management overview
List the tasks to be completed on individual workstations for the Context
Management integration.
© Copyright IBM Corp. 2002, 2009 v

Publications
v Chapter 3, "About Tivoli Access Manager for Enterprise Single Sign-On
with Context Management"
Provides an overview of how Tivoli Access Manager for Enterprise Single
Sign-On integrates with the Context Management system.
v Chapter 4, "Context Management installation"
Contains instructions for a successful installation and uninstallation the
Tivoli Access Manager for Enterprise Single Sign-On with the Context
Management integrated solution.
v Chapter 5, "Testing Context Management"
Provide ways to verify if the integrated solution is working properly after a
deployment.
This section lists publications in the Tivoli Access Manager for Enterprise
Single Sign-On library. The section also describes how to access Tivoli
publications online and how to order Tivoli publications.
Tivoli Access Manager for Enterprise Single Sign-On library
The following documents are available in the Tivoli Access Manager for
Enterprise Single Sign-On library:
v IBM Tivoli Access Manager for Enterprise Single Sign-On Quick Start Guide,
CF2B1ML
Provides steps that summarize major installation and configuration tasks
for Tivoli Access Manager for Enterprise Single Sign-On.
v IBM Tivoli Access Manager for Enterprise Single Sign-On User Guide,
SC23-9950
Provides information about setting up and understanding the main
functionalities of the product.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Administrator Guide,
SC23-9951
Provides the procedures for setting up, administering, and testing the
product and its components. It covers the functionality and setup options of
the product, including internal implementation details.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Deployment Guide,
SC23-9952
Describes how to deploy and test IBM Tivoli Access Manager for Enterprise
Single Sign-On, including other components or external tools.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Help Desk Guide,
SC23-9953
Provides information about providing Help desk services to users.
vi IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

v IBM Tivoli Access Manager for Enterprise Single Sign-On Context Management
Integration Guide, SC23-9954
Provides information for installing, configuring, and testing the Context
Management integrated solution in each client workstation.
v IBM Tivoli Access Manager for Enterprise Single Sign-On AccessStudio Guide,
SC23-9956
Provides information about setting up and maintaining AccessProfiles using
AccessStudio.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Provisioning
Integration Guide, SC23-9957
Provides information for configuring, managing, and troubleshooting the
provisioning integration solutions for the product.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Installation Guide,
GI11-9309
Provides information about installing the different product components.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Setup Guide,
GC23-9692
Provides information about configuring the different components of the
product.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Troubleshooting and
Support Guide, GC23-9693
Provides information about troubleshooting the different components of the
product.
v IBM Tivoli Access Manager for Enterprise Single Sign-On Policies Definition
Guide, SC23-9694
Provides information about the policies that can be set for the product. The
policies can be set using either AccessAdmin or by updating registry
entries.
Accessing terminology online
The Tivoli Software Glossary includes definitions for many of the technical
terms related to Tivoli software. The Tivoli Software Glossary is available at the
following Tivoli software library Web site:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
The IBM Terminology Web site consolidates the terminology from IBM
product libraries in one convenient location. You can access the Terminology
Web site at the following Web address:
http://www.ibm.com/software/globalization/terminology
About this publication vii

Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Information Center
Web site at http://www.ibm.com/tivoli/documentation.
Note: If you print PDF documents on other than letter-sized paper, set the
option in the File → Print window that allows Adobe ® Reader to print
letter-sized pages on your local paper.
Ordering publications
You can order many Tivoli publications online at http://
www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative,
perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully.
Tivoli technical training
For additional information, see the Accessibility Appendix in the IBM Tivoli
Access Manager for Enterprise Single Sign-On User Guide.
For Tivoli technical training information, See the following IBM Tivoli
Education Web site at http://www.ibm.com/software/tivoli/education.
Tivoli user groups
Tivoli user groups are independent, user-run membership organizations that
provide Tivoli users with information to assist them in the implementation of
Tivoli Software solutions. Through these groups, members can share
information and learn from the knowledge and experience of other Tivoli
users. Tivoli user groups include the following members and groups:
viii IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

v 23,000+ members
v 144+ groups
Access the link for the Tivoli Users Group at www.tivoli-ug.org.
Support information
If you have a problem with your IBM software, you want to resolve it quickly.
IBM provides the following ways for you to obtain the support you need:
Online
Go to the IBM Software Support site at http://www.ibm.com/
software/support/probsub.html and follow the instructions.
IBM Support Assistant
The IBM Support Assistant is a free local software serviceability
workbench that helps you resolve questions and problems with IBM
software products. The IBM Support Assistant provides quick access
to support-related information and serviceability tools for problem
determination. To install the IBM Support Assistant software, go to
http://www.ibm.com/software/support/isa.
Troubleshooting Guide
For more information about resolving problems, see the IBM Tivoli
Access Manager for Enterprise Single Sign-On Troubleshooting and Support
Guide.
Conventions used in this publication
This publication uses several conventions for special terms and actions,
operating system-dependent commands and paths, and margin graphics.
Typeface conventions
This publication uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs,
property sheets), labels (such as Tip:, and Operating system
considerations:)
v Keywords and parameters in text
Italic
v Citations (examples: titles of publications, diskettes, and CDs)
About this publication ix

v Words defined in text (example: a nonswitched line is called a
point-to-point line)
v Emphasis of words and letters (words as words example: "Use the
word that to introduce a restrictive clause."; letters as letters
example: "The LUN address must start with the letter L.")
v New terms in text (except in a definition list): a view is a frame in a
workspace that contains data.
v Variables and values you must provide: ... where myname
represents....
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are
difficult to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system-dependent variables and paths
This publication uses the UNIX ® convention for specifying environment
variables and for directory notation.
Margin icons
When using the Windows ® command line, replace $variable with % variable%
for environment variables and replace each forward slash (/) with a backslash
(\) in directory paths. The names of environment variables are not always the
same in the Windows and UNIX environments. For example, %TEMP% in
Windows environments is equivalent to $TMPDIR in UNIX environments.
Note: If you are using the bash shell on a Windows system, you can use the
UNIX conventions.
Many procedures in this publication include icons in the left margin. These
icons provide context for performing a step in a procedure. For example, if
you have to perform a step in a procedure by double-clicking a policy region
icon, that icon is displayed in the left margin next to the step.
x IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Chapter 1. About Tivoli Access Manager for Enterprise
Single Sign-On
IBM Tivoli Access Manager for Enterprise Single Sign-On automates access to
corporate information, strengthens security, and enforces compliance at the
enterprise endpoints.
With Tivoli Access Manager for Enterprise Single Sign-On, you can:
v Efficiently manage business risks.
v Achieve regulatory compliance.
v Decrease IT costs.
v Increase user efficiency.
Security compromises occur due to weak passwords. To counter such threats,
enterprises must strengthen access control systems. Passwords are not only
the weakest link in the security chain, they are also expensive to support.
Passwords create a security challenge and a management problem. To reduce
password management costs, enterprises might consider conventional single
sign-on solutions.
Conventional single sign-on reduces password management costs. It also can
increase the vulnerability of an organization by replacing multiple application
passwords with a single password to the single sign-on server.
Weak application passwords and conventional single sign-on are not the right
solutions for the enterprise. These solutions simplify access, but weaken
security. Enterprises need an enterprise access security solution that simplifies,
strengthens, and tracks access for all digital and physical assets.
See the following topics for more information.
v “Tivoli Access Manager for Enterprise Single Sign-On features” on page 2
v “Product components” on page 5
v “Authentication factors” on page 6
v “Tivoli Access Manager for Enterprise Single Sign-On usage” on page 11
v “Tivoli Access Manager for Enterprise Single Sign-On program icons” on
page 14
v “Policies, certificates, and other product concepts” on page 14
© Copyright IBM Corp. 2002, 2009 1

Tivoli Access Manager for Enterprise Single Sign-On features
Tivoli Access Manager for Enterprise Single Sign-On delivers the following
capabilities, without changing the existing IT infrastructure.
Enterprise Single Sign-On with workflow automation
You have quick access to all corporate applications such as Web, desktop,
generic computer terminals, legacy applications, and network resources with
the use of a single, strong password on personal and shared workstations.
This feature:
v helps enterprises increase employee productivity.
v lowers IT Help desk costs.
v improves security levels by eliminating passwords and the effort of
managing complex password policies.
Tivoli Access Manager for Enterprise Single Sign-On uses single sign-on and
workflow automation on shared and personal workstations. You can automate
the entire access workflow, such as application login, drive mapping,
application launch, single sign-on, navigation to preferred screens, multistep
logon, and so on.
Single Sign-Off and configurable desktop protection policies ensure protection
of confidential corporate applications from unauthorized access. If you walk
away from a workstation without logging out, Tivoli Access Manager for
Enterprise Single Sign-On can be configured to enforce inactivity timeout
policies. Examples of timeout policies are configurable screen locks,
application logout policies, and graceful logoffs.
Strong authentication for all user groups
Tivoli Access Manager for Enterprise Single Sign-On provides strong
authentication for all user groups (inside and outside the corporate perimeter).
This feature prevents unauthorized access to confidential corporate
information and IT networks.
The solution uses multi-factor authentication devices, such as smart cards,
building access badges, proximity cards, mobile devices, photo badges,
biometrics, and one time password (OTP) tokens.
In addition to comprehensive support for authentication devices, Tivoli Access
Manager for Enterprise Single Sign-On focuses on using existing identification
devices and technologies for authentication.
2 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Tivoli Access Manager for Enterprise Single Sign-On also provides iTag, a
patent-pending technology that can convert any photo badge or personal
object into a proximity device, which can be used for strong authentication.
Comprehensive session management capability
As organizations deploy more shared workstations and kiosks, more users can
roam and access information from anywhere without accessing their personal
computers. Shared and roaming scenarios pose severe security threats.
When you walk away without logging off from workstations or share a
generic logon, you risk exposing confidential information to unauthorized
access. Any attempt to tighten security, enforce unique user logon, and
comply with regulations leads being locked out of workstations, which results
in efficiency losses.
Organizations can increase user convenience and improve information
security through session management or fast user switching capabilities,
depending on the access needs user groups. You can quickly sign on and sign
off to shared workstations without using the Windows domain login process.
You can easily resume your work from where you left off.
You can maintain multiple unique user desktops on the same workstation by
switching from one private desktop to another. This feature preserves your
applications, documents, and network drive mappings, including those
belonging to other users sharing the workstation.
If you walk away from a session without logging out, you can set Tivoli
Access Manager for Enterprise Single Sign-On to enforce inactivity timeout
policies. It also supports hybrid desktops where organizations combine
different session management capabilities to meet the needs of your user
community.
User-centric access tracking for audit and compliance
reporting
The audit and compliance reporting feature assists organizations with data
consolidation, user-centric audit log generation, security, and tamper-evident
audit capabilities across all endpoints (for example, personal or shared
workstations, Citrix, Windows Terminal Services, or Web browsers).
Combined with strong authentication capabilities, the user-centric audit logs
ensure secure access to confidential corporate information and accountability
at all times. The logs provide the meta-information that can guide compliance
and IT Administrators to a more detailed analysis – by user, by application, or
by endpoint.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 3

The information is collated in a central relational database. These logs
facilitate real-time monitoring and separate reporting with third-party
reporting tools.
Your organization can also use the endpoint automation framework to audit
custom access events for any application without modifying the application or
using the native audit functionality.
Secure remote access for easy, secure access anywhere,
anytime
Secure Remote Access provides Web browser-based single sign-on to all
applications such as legacy, desktop, and Web applications from outside the
firewall.
Your organization can effectively and quickly enable secure remote access for
the mobile workforce without installing any desktop software and modifying
application servers.
Remote workers require only one password and an optional second
authentication factor to access corporate information from remote offices,
home computers, and mobile devices. When granted access, you can single
sign-on to corporate applications by clicking the application links available in
the Tivoli Access Manager for Enterprise Single Sign-On portal. Access can be
further protected through a Secure Sockets Layer (SSL) Virtual Private
Network (VPN).
Integration with user provisioning technologies
Tivoli Access Manager for Enterprise Single Sign-On combines with user
provisioning technologies to provide end-to-end identity lifecycle
management.
New employees, partners, or contractors get fast and easy access to corporate
information after being provisioned. When provisioned, you can use single
sign-on to access all your applications on shared and personal workstations
with one password.
You do not have to register each user name and password, as all your
credentials are automatically provisioned.
Use of Federal Information Processing Standards
A new installation of Tivoli Access Manager for Enterprise Single Sign-On
version 8.1 uses FIPS 140-2 compliant cryptographic algorithms using FIPS
compliant security providers such as GSKit and IBMJCEFIPS. Client
4 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

workstations running on Microsoft ® Windows XP must at least have Service
Pack 3 applied for FIPS 140-2 compliance.
Important: Non-FIPS compliant algorithms are used in version 8.1 only when
it has been upgraded from version 8.0 or 8.0.1.
Product components
This topic describes the main components of Tivoli Access Manager for
Enterprise Single Sign-On.
Table 1 describes each component. A typical installation uses some of these
components.
Table 1. Product components
Component Description
AccessAgent The client software that manages user identity, enables
sign-on and sign-off automation, manages sessions, and
manages authentication.
AccessAdmin The management console that Administrators and the
Help desk officers use to administer the IMS Server, to
manage users, and to manage policies.
AccessAssistant The Web-based interface that provides password
self-help. Use AccessAssistant to obtain the latest
credentials and to log on to applications. Use the Web
automatic sign-on feature to log on to enterprise Web
applications by clicking links instead of entering
passwords.
AccessStudio The interface used for creating AccessProfiles that
enables sign on or sign-off automation and fortified
passwords.
IMS Bridge The IMS Service Modules that enable applications to use
the IMS Server as an authentication server.
IMS Connector Add on modules to the IMS Server that extend its
capabilities with interfaces to other applications.
IMS Server The integrated management system that provides a
central point of secure access administration for an
enterprise. It enables centralized management of user
identities, AccessProfiles, and authentication policies. It
also provides loss management, certificate management,
and audit management for the enterprise.
IMS Service Module Add-on modules that extend the basic services provided
by the IMS Server, such as user management, policy
management, and certificate issuance.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 5

Authentication factors
Table 1. Product components (continued)
Component Description
Web Workplace The Web-based interface for logging on to enterprise
Web applications by clicking links without entering the
passwords for individual applications. It can be
integrated with your existing portal or SSL VPN.
Note: Antivirus software can interfere with AccessAgent or the IMS Server.
For more information, see the IBM Tivoli Access Manager for Enterprise Single
Sign-On Troubleshooting and Support Guide.
Authentication factors come in different forms and functions. Except for
password and fingerprint, you can access systems and applications with a
device that works like a key.
Smart cards and RFID cards, for example, are about the same size as credit
cards, and can be easily attached to key rings.
See the following topics for more information.
v “TAM E-SSO Password”
v “Secrets” on page 7
v “Second authentication factors” on page 7
v “Presence detectors” on page 10
TAM E-SSO Password
The TAM E-SSO Password secures access to your Wallet. The length of the
password ranges from six to 20 characters, depending on the preference of
your organization. When you sign up with AccessAgent, you must specify a
password. You can use the enterprise directory password as your password.
Signing up with AccessAgent entails registering with the IMS Server and
creating a Wallet. All application credentials are stored in your Wallet. Signing
up ensures that your credentials are backed up on the server and are
retrievable when needed.
You can associate your Wallet with a second authentication factor (such as a
smart card, Active Proximity Badge, RFID card, and other devices). The
second authentication factor reinforces your password and protects the
contents of your Wallet.
Use the following guidelines for specifying a TAM E-SSO Password:
6 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

v Choose a password that is lengthy, unique, and a combination of upper and
lowercase letters and numbers.
v Do not use any of these as passwords: dictionary words, the name of your
pet, the name of your spouse or friend, or important dates (for example, a
birth date or an anniversary date).
v Never tell anyone your password, not even to the Help desk officer or
Administrator.
v Never write down your password.
v Change your password as often as possible.
AccessAgent locks your Wallet after you attempt to log on five times with an
incorrect password. The number of allowed attempts is set by your
organization.
Secrets
You might be asked to enter a secret after signing up for your Wallet,
depending on the preference of your organization. It is like specifying hints in
case you forget the password for a Web e-mail account.
The secret is something that:
v you would not forget, even if you do not use the secret for a long time.
v is not likely to change.
Note: You can use all the characters in the ISO Latin-1 character set in
creating secrets, except for the following characters:
v µ
v ß
When you sign up, you must select one or more questions from a list and
provide answers. If the self-service feature is enabled, you might need to
specify more than one secret.
In case you forget your password, you can use the secret to set a new
password. You can also use the secret and an authorization code to gain
temporary access to your cached Wallet. The Help desk officer gives you the
authorization code.
Second authentication factors
The TAM E-SSO Password can be fortified by a second authentication factor.
The combination of the password and an RFID, for example, strengthens
security because both authentication factors must be present to access your
computer.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 7

Based on the security policy of your organization, you might be required to
use one of the following authentication factors.
Important: The USB Key as an authentication factor is no longer supported.
ActiveCode
ActiveCodes are short-term authentication codes controlled by the system.
ActiveCodes enhance the security of traditional password-based
authentication for applications. ActiveCodes are random passwords that can
only be used one time by an authorized user. Combined with alternative
channels and devices, ActiveCodes provide effective second-factor
authentication.
There are two types of ActiveCodes:
v Mobile ActiveCode
A Mobile ActiveCode is a randomly generated, event-based one-time
password (OTP). The Mobile ActiveCode is generated on the IMS Server
and delivered through a secure second channel, such as short message
service (SMS) on mobile phones. It is used for strong authentication.
v Unified ActiveCode
The Unified ActiveCode is a predictive one-time password used for strong
authentication. The Unified ActiveCode generator is built into AccessAgent.
Smart card
A smart card is a pocket-sized card that has an embedded microprocessor.
Smart cards can do cryptographic operations, and are used to store and
process the digital credentials of the users securely.
A smart card can be used as an authentication factor. The product provides
certificate-based strong authentication when you access your Credential Wallet
using a smart card.
Important: The smart card PIN is not related to the TAM E-SSO password.
The product does not manage the smart card PIN.
Radio Frequency Identification (RFID) card
The RFID card is an electronic device that uses radio frequency signals to read
stored identification information. RFID works on the concept of proximity. Tap
the RFID card on the RFID reader to gain access to your credentials.
8 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

The RFID reader is an additional hardware you need to install on every
machine using the RFID Card for authentication. The RFID Card does not
have any storage capacity.
An RFID card can also be used for unified access, so you can access a
computer and have access to doors or elevators.
Note: Tivoli Access Manager for Enterprise Single Sign-On has a Service
Provider Interface (SPI) for devices that contain serial numbers, like RFID. The
SPI makes it easier for vendors to integrate any device with serial numbers
and use it as a second factor in AccessAgent. For more information, see the
IBM Tivoli Access Manager for Enterprise Single Sign-On Serial ID SPI Guide at
the Tivoli Access Manager for Enterprise Single Sign-On information center.
Active Proximity Badge
The Active Proximity Badge works almost the same way as a typical RFID
card. The Active Proximity Badge has an RFID, and works with a proximity
reader. However, the Active Proximity Badge differs from an RFID card in the
proximity range.
With a typical RFID card, your card must be close to the reader. With an
Active Proximity Badge, your organization can set the distance for detection.
For example, your Active Proximity Badge can be 2 m. away from the reader,
and it is detected from that distance.
Fingerprint identification
The Fingerprint Identification system recognizes your fingerprint as an
authentication factor. The fingerprint reader translates your fingerprint into
encrypted codes, which logs you on to AccessAgent.
Tivoli Access Manager for Enterprise Single Sign-On 8.1 supports the
following biometric service provider and fingerprint readers:
v BIO-key Biometric Service Provider (BSP) 1.9_262
v DigitalPersona 3.2.0
v UPEK 2.0 and UPEK 3.0
The BIO-key Biometric Service Provider (BSP) is a biometric middleware. This
is used so that the product can work with any fingerprint reader that is
already supported by BIO-key. See BIO-key's list of supported devices.
Note: The integration with BIO-key BSP does not support DigitalPersona in
this release.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 9

Presence detectors
A presence detector is a device that detects your presence in its vicinity. When
affixed to a computer, the device can notify AccessAgent when you are in
front of the computer or when you move away. This feature eliminates your
effort of manually locking the computer when you leave the computer for a
short time.
Sonar device
The sonar-based presence detector is used to lock a workstation immediately
when you walk away without waiting for the desktop inactivity timeout. The
device uses 40 kHz ultrasonic sound waves (frequency too high for people to
hear). It can detect from a range of five in. to five feet. You can move in the
zone without triggering a walk-away event.
The device is attached to the USB port of your computer and is configured by
the system as a keyboard. When you move away from the computer, the
device sends keystrokes to your computer. When you approach the computer,
the device can send a different set of keystrokes to your computer.
You can set AccessAgent to intercept these keystrokes and perform
appropriate actions (for example, to lock the computer). The sonar can be
combined with building badges (for example, RFID cards) to create a
foolproof solution.
The sonar device is not used with Active Proximity Badge since the Active
Proximity Badge is also a presence detector.
Any other supported authentication factors can be used with the
pcProx-Sonar, such as:
v Password only
v RFID
v Fingerprint
v Smart card
The behavior of a sonar-based presence detector can be configured to be like
an Active Proximity Badge. However, sonar-based presence detectors cannot
store a unique ID to identify a user.
Active Proximity Badge as both second factor and presence
detector
The Active Proximity Badge is both a second factor and a presence detector. It
can detect your presence, and you can set AccessAgent to perform specific
actions.
10 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Note: The presence detector policies (for example,
pid_presence_detector_enabled) are not applicable to Active Proximity Badge.
Tivoli Access Manager for Enterprise Single Sign-On usage
Tivoli Access Manager for Enterprise Single Sign-On supports two main usage
configurations – personal workstation and shared workstation.
For policy settings based on usage configuration, see the IBM Tivoli Access
Manager for Enterprise Single Sign-On Policies Definition Guide.
Personal workstation configuration
The personal workstation configuration is more applicable for organizations
where users are assigned their own workstations. The smart card is the
common authentication factor for this type of usage configuration. The setup
procedure and workflow are the same, regardless of the selected
authentication factor.
You sign up from EnGINA, desktop, or a locked computer at startup, and use
the appropriate authentication factor.
You can also sign up without an authentication factor and register later. For
example, you can sign up without the smart card and log on to AccessAgent
later with the TAM E-SSO Password, provided it is set in your authentication
policy.
To lock the computer, remove or tap your authentication factor. To unlock the
computer, reinsert or tap your authentication factor.
Shared workstation configuration
The shared workstation configuration is for organizations where users share
common workstations. This usage configuration requires efficient switching
between users.
Authentication factors (except the smart card for private and roaming
desktops) are used for this type of usage configuration.
Tivoli Access Manager for Enterprise Single Sign-On supports fast user
switching through the following desktop schemes or modes.
v “Shared desktops” on page 12
v “Private desktops” on page 12
v “Roaming desktops” on page 13
Note: These schemes do not use the Windows XP Fast User Switching feature.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 11

Shared desktops
Shared desktops allow multiple users to share a generic Windows desktop.
Switching of users can be done quickly and efficiently.
Without shared desktops, switching from User A to User B, causes the
applications of User A to be lost. User A must launch the applications again.
Set up AccessProfiles to automatically log off enterprise applications when
user switching occurs.
RFID, fingerprint readers, and smart cards are the authentication factor for
this usage configuration.
With shared desktops, you can access a workstation by signing up (for
example, from EnGINA, desktop, or a locked computer) and tapping your
RFID card. You can also sign up without your RFID card and register later
when the cards are already available. After completing the sign-up process,
you can then log on to AccessAgent.
When another user taps an RFID card in your desktop, switching is invoked,
either from the desktop or from the locked computer screen.
After the new user supplies a valid password, AccessAgent unlocks your
computer (if locked), logs you off, and then logs on the new user to the
Wallet. If the new user logged on to other computers with the same RFID and
Password in a set time range during the day, the new user might not be
required to enter a password.
Private desktops
Private desktops allow you to have your own Windows desktop in a
workstation. When a previous user returns to the workstation and unlocks it,
AccessAgent switches to the desktop session of the previous user and resumes
the last task.
Your existing desktop might have to be logged off if the workstation runs out
of resources such as, memory, so that another user can log on. If you log on to
another workstation, restart the application.
To manage multiple desktops on a single workstation, the private desktop
scheme uses the Local User Session Management feature of AccessAgent that
uses a component called Desktop Manager.
Logging on from the EnGINA welcome screen is not supported by Local User
Session Management. Workstations are configured to automatically log on to a
generic Windows account upon startup, and then the computer is locked.
12 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Note: This generic Windows account must not be a registered user. Use a
local computer account.
All your users will log on to the workstation from the locked screen. All users
must tap their RFID cards when they sign up. They can also sign up without
the RFID cards and register these second factors later. After completing the
sign-up process, you can then log on to AccessAgent.
Note: You are not logged on to AccessAgent if you are using an auto-admin
account.
When another user taps the RFID card to switch to another desktop, the
current user logs on (if without an existing invisible session) or unlocks the
workstation (if with an existing invisible session).
The following Wallet authentication options are supported:
v Password
v RFID+Password
v Smart card
v Active Proximity Badge+Password
v Fingerprint
If you log on to Windows sessions using your own Active Directory
credentials, Local User Session Management requires that synchronization of
password and Active Directory password must be enabled.
For deployments where smart card logon to Windows is enabled and smart
card logon is enforced, disable Active Directory password synchronization.
Roaming desktops
Roaming desktops have your Windows desktops "roam" to any access point,
from workstation to workstation. You can disconnect from a desktop or
application session at one client, log on to another client, and continue a
desktop or application session at a new client. Roaming desktops give you the
ability to access and preserve your desktops, regardless of which computers
you use.
This scheme requires Terminal Server or Citrix. This setup is especially useful
for a shared workstation environment, where you can roam from one
workstation to another, depending on your current location.
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 13

Tivoli Access Manager for Enterprise Single Sign-On program icons
The following icons are used in Tivoli Access Manager for Enterprise Single
Sign-On.
Application icons
Icon Description
Notification area icons
Icon Description
This icon represents AccessAgent on the desktop.
This icon represents the IMS Server on the desktop.
No one is logged on to AccessAgent.
AccessAgent is operating normally.
Policies, certificates, and other product concepts
When the icon is flashing, AccessAgent is:
v synchronizing an authentication factor with the IMS Server
v logging on the user
Single sign-on or automatic sign-on is currently disabled.
Use this topic to learn more about some of the common terms used by the
product.
Tivoli Access Manager for Enterprise Single Sign-On incrementally moves
enterprise access from password authentication to strong digital identity-based
authentication in the following manner:
v Provide sign-on and sign-off automation to enterprise applications
v Fortify sign-on by using authentication management
v Provide seamless transition from passwords to certificates
See the following sections for definitions of some terms used in Tivoli Access
Manager for Enterprise Single Sign-On.
v “Credentials” on page 15
14 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

v “Enterprise identity”
v “Enterprise applications”
v “Personal applications” on page 16
v “User, system, and machine policies” on page 16
Credentials
Credentials refer to user names, passwords, certificates, and any other
information required for authentication. An authentication factor can serve as
a credential. In Tivoli Access Manager for Enterprise Single Sign-On,
credentials are stored and secured in your Wallet.
Enterprise identity
In an enterprise, you have multiple user accounts for different types of
applications such as e-mail, portal, human resources system, and Web access.
One of these identities is used to authenticate users, and provide access to the
enterprise network.
For example, you might be required to log on to Windows and access the
network by entering your user name and password. This feature is also called
an enterprise identity.
The solution that an enterprise uses for identity management must be
identified. The solution verifies the identities of users logging on with Tivoli
Access Manager for Enterprise Single Sign-On keys. The solution also links
the IMS Server with the enterprise directory that manages your users.
This policy is set before deployment and sets the foundations of how the
system works. You can change the policy later using AccessAdmin. The
enterprise identity binding must be a system or application that the enterprise
identifies as a long-term investment. The system or application must not be
changed, removed, or replaced soon.
Enterprise applications
The enterprise must select the applications to include in the enterprise
application list.
Enterprise applications are specific to the business of an enterprise and
controlled by an Administrator.
See this list for some characteristics of an enterprise application:
v Managed through the IMS Server by the information technology
department of the enterprise
v Passwords are grouped by authenticating directories
v Audit logs are generated and stored in the IMS Server
v User accounts are pre-created
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 15

v User account entries cannot be deleted in AccessAgent
v Passwords can be fortified
v Password entries cannot be set to Never in AccessAgent
Examples of enterprise applications are:
v Microsoft Windows
v Active Directory
v SAP
v PeopleSoft
v Oracle
v Novell
Enterprise applications can be added or removed after deployment. However,
these applications are implemented in a global policy, which means all users
have access to the same enterprise applications.
Personal applications
The enterprise must specify whether the users can use AccessAgent and Tivoli
Access Manager for Enterprise Single Sign-On keys for personal applications.
Personal applications are applications that users can specify if they want
AccessAgent to store and enter their user names and passwords. Some
examples of personal applications are IBM Lotus Notes ® , IBM Lotus ®
Sametime ® Connect, and online banking sites.
This policy is implemented as a global policy, where users are allowed or not
allowed to use AccessAgent with personal applications. You cannot grant or
deny access to specific users.
User, system, and machine policies
Tivoli Access Manager for Enterprise Single Sign-On uses policies to control
the behavior of the product components.
These policies are configurable through various means, so the product can
meet specific organizational requirements. Policies have different visibilities
and scopes, and are managed by different roles.
Policies might be applicable system-wide, or only to certain groups of users or
machines. The applicability of a policy is determined by the policy scope such
as the system, user, or machine.
v System: Policy is system-wide
v User: Policy affects only a specific user
v Machine: Policy affects only a specific machine
16 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

System, machine, and user policies can be configured using AccessAdmin.
Changes to these policies are propagated to clients the next time AccessAgent
synchronizes with the IMS Server (for example, in 30 minutes).
Note: Not all user policies are updated in real time. Some policies require the
machine to be restarted for the changes to take effect.
The IMS Server applies machine policies to machines after they join the IMS
Server, which are then automatically synchronized with AccessAgent.
There can be several machine policy templates defined in the IMS Server. One
of these templates is set as the default.
Through AccessAdmin, system policies and machine policies can be modified
by an Administrator. However, a Help desk officer can only view system and
machine policies. User policies can be modified by either an Administrator or
a Help desk officer.
A policy might be defined for different scopes. For example, the desktop
inactivity policy might define the desktop inactivity time out duration for one
machine or for the entire system. If this policy is defined for both scopes, a
priority is defined, in case the time-out value is different for the machine and
for the entire system.
If the policy priority is "machine", only the machine policy would be effective.
A command-line tool (CLT) allows Administrators to view and set policy
priorities. For more information, see IBM Tivoli Access Manager for Enterprise
Single Sign-On Policies Definition Guide.
Policies might be dependent on other policies. For example, the hot key action
policy is only effective if the hot key is enabled. If the latter is disabled, the
setting for the hot key action policy does not affect users.
Some groups of policies have overlapping scopes. For example, these policies
have a system scope, but the range of entities that they affect are different:
v Wallet inject password entry option default policy
(pid_wallet_inject_pwd_entry_option_default )
This policy defines the default password entry option for all authentication
services and applications.
v Authentication inject password entry option default policy
(pid_auth_inject_pwd_entry_option_default)
This policy defines the default password entry option for a specific
authentication service.
v Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default)
Chapter 1. About Tivoli Access Manager for Enterprise Single Sign-On 17

This policy defines the default password entry option for a specific
application.
In general, application-specific policies override authentication service-specific
policies, which in turn, override general Wallet policies. In this case, the
Wallet inject password entry option default policy
(pid_wallet_inject_pwd_entry_option_default) is used when the other two
policies are not defined for a particular authentication service or application.
However, if the Authentication service inject password entry option default
policy (pid_auth_inject_pwd_entry_option_default) is defined for an
authentication service, it overrides the Wallet inject password entry option
default policy (pid_wallet_inject_pwd_entry_option_default) when a default
password entry option is needed for the authentication service.
Similarly, if the Application inject password entry option default policy
(pid_app_inject_pwd_entry_option_default) is defined for a particular
application, it overrides the other two policies.
User-specific policies generally override system-wide policies, but this setting
also depends on the current policy priority. If a policy has both user and
system scopes, for example, the Authentication accounts maximum policy
(pid_auth_accounts_max), the user scope setting is always effective if it is
defined. If the user scope setting is not defined for a particular user, the
system scope setting becomes effective.
18 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Chapter 2. Tivoli Access Manager for Enterprise Single
Sign-On Context Management overview
Install, configure, and test the Tivoli Access Manager for Enterprise Single
Sign-On Context Management integrated solution on individual workstations.
What to do Where to find information
Obtain the Tivoli Access Manager for
Enterprise Single Sign-On Context
Management installation program.
Ensure that the installation prerequisites
are met.
Test the Tivoli Access Manager for
Enterprise Single Sign-On Context
Management integrated solution.
“Installing Context Management” on page
23
“Installing Context Management” on page
23
Chapter 5, “Testing Context
Management,” on page 27
© Copyright IBM Corp. 2002, 2009 19

20 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Chapter 3. About Tivoli Access Manager for Enterprise
Single Sign-On with Context Management
See the following topics for information about how the Tivoli Access Manager
for Enterprise Single Sign-On with Context Management is used by the Health
care industry and how its integration with existing solutions can enhance
clinical operations.
v “Context Management system overview”
v “About the Context Management solution” on page 22
Context Management system overview
The Health Level Seven (HL7) Clinical Context Object Workgroup (CCOW) is
a vendor independent standard that allows clinical applications to share
information at the point of care.
Using a technique called "context management", Clinical Context Object
Workgroup provides the clinician with a unified view of the information held
in separate and disparate health care applications referring to the same
patient, encounter, or user.
When a clinician signs on to one application within the group of disparate
applications residing in the Clinical Context Object Workgroup environment,
that same sign-on is simultaneously executed on all other applications within
the group. Similarly, when the clinician selects a patient, the same patient is
selected in all the applications.
Clinical Context Object Workgroup is rapidly gaining popularity in the health
care industry, because it provides clinicians with faster access to patient
records across multiple applications.
Carefx is one of the vendors that provide a CCOW-compliant context
management tool called Fusionfx Context Manager (FCM). IBM integrates its
Context Management solution to provide sign-on automation to all Clinical
Context Object Workgroup and non-Clinical Context Object Workgroup
applications.
AccessAgent sets the Tivoli Access Manager for Enterprise Single Sign-On
user name as context to Carefx FCM after the user logs on to AccessAgent.
Fusionfx Context Manager manages the mapping of individual application
logon accounts for the user name. FCM automates sign-on to individual
Clinical Context Object Workgroup applications using the mapped accounts.
© Copyright IBM Corp. 2002, 2009 21

There is no suitable authentication mechanism between AccessAgent and
Fusionfx Context Manager. Carefx Fusionfx Context Manager assumes that
user authentication is handled by AccessAgent, before the user context is set
to Fusionfx Context Manager.
About the Context Management solution
The Tivoli Access Manager for Enterprise Single Sign-On with Context
Management provides sign-on automation to all Clinical Context Object
Workgroup and non-Clinical Context Object Workgroup applications.
When combined with an SSO product, Carefx uses a model that allows all
user logons to go through the SSO product. When a user logs on, the SSO
product executes a Carefx synchronization process called FccSync that can
integrate effectively with FCC. When FCC is alerted about a logon, it calls the
SSO product through the SSO API to obtain the name of the current user. FCC
then sets the user name into the CCOW context.
FCC does not use a command-line argument containing the user name, which
is not secure. Instead, FCC calls into the SSO product to extract the user
name.
When a user logs out, the SSO product executes the same Carefx
synchronization process (FccSync) to notify FCC that the user has logged out.
The FCC then calls the SSO product, which sets a "null" user name to FCC,
indicating that no user is currently logged on.
AccessAgent uses the user logon and logoff scripts to launch the Carefx
synchronization process (FccSync). Logon and logoff scripts can be defined
per user through AccessAdmin. For an enterprise deployment, the logon and
logoff scripts is included in the policy template, so that all users are enabled
with Carefx automatically after sign up.
22 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Chapter 4. Context Management installation
See the instructions provided in these topics to install or uninstall Context
Management in your computer.
v “Installing Context Management”
v “Uninstalling Context Management” on page 25
Installing Context Management
Follow the steps in this procedure to install Context Management in your
computer.
Before you begin
Before you install Context Management, ensure that you meet the following
requirements:
v AccessAgent 2.3.4.1 or a higher version preinstalled in your computer
v Context Management installer package called integrated_installer.zip.
v At least an Intel ® Pentium ® III or equivalent processor
v A minimum of 260 MB of RAM.
Important: If you have a previous version of Context Management, uninstall
the previous version and delete or rename the folder (for example, C:\Program
Files\CareFX). For more information, see “Uninstalling Context Management”
on page 25.
About this task
After Context Management is installed on top of AccessAgent, you can
upgrade AccessAgent to a later version. The upgrade does not affect the
current installation of Context Management.
In some cases, you might have to manually create an FccSynchPath entry in
the Tivoli Access Manager for Enterprise Single Sign-On hive.
Procedure
1. Download the latest installer of your context management system (for
example, Carefx) from the FTP or download site.
If the installer is in a .ZIP file, create a folder in your hard disk drive and
extract the compressed file (for example, ).
2. Navigate to the Integrated_Installer folder.
© Copyright IBM Corp. 2002, 2009 23

3. Select Start → Run and find the path \01 FCM
Enabler\Setup.exe.
Retain the default values for the installation options.
4. Select Start → Run and find the path \02 CfxCrypto\Cfx-
Crypto.exe.
Retain the default values for the installation options.
5. Select Start → Run and find the path

11. Navigate to the \Carefx\cm-sdk\Fusionfx\Context Channel\
folder. Right-click on the fcc.ini file, and click Edit.
12. Add the following lines in the [CCOW] section:
userSubjectSuffix=desktop
patientSubjectSuffix=desktop
encounterSubjectSuffix=
After entering these lines, save the file and close the window.
13. Navigate to the \Launcher folder and copy the contents of
the entire folder to the \Carefx folder.
14. Create a shortcut of \Carefx\CM-sdk\cm-server\startcs.cmd
and paste the shortcut in Start menu → Programs → Startup folder so that
it runs when Windows starts.
15. Enable the logon or logoff script policies in the IMS Server for the Carefx
user.
To know which VBScript to add, see Chapter 5, “Testing Context
Management,” on page 27.
16. Restart your computer.
Uninstalling Context Management
Follow the steps in this procedure to remove Context Management in your
computer.
About this task
See the following procedure to remove the installation of Context
Management in your computer:
You can also uninstall AccessAgent by following standard uninstallation
procedures.
Procedure
1. Use the Control Panel → Add or Remove Programs to remove the
following Carefx-related programs:
v Carefx Crypto Utility
v Carefx Fusionfx Context Channel
v Carefx Fusionfx Context Enabler
2. Go to the Registry Editor (Start → Run..., type regedit, then press Enter on
your keyboard).
3. Delete the following registry entries:
v HKEY_LOCAL_MACHINE\Software\Carefxt
Chapter 4. Context Management installation 25

v HKEY_LOCAL_MACHINE\Software\Encentuate\AccessAgent\Integration\
Carefx
4. Navigate to \Carefx folder, and delete the folder.
5. Remove Carefx-related shortcuts from the Start → All Programs → Startup
menu.
6. Disable the logon or logoff script policies in the IMS Server for the Carefx
users.
Remove the VBScript that was added for the user in the logon and logoff
script sections related to Carefx.
To know which VBScript to remove, see Chapter 5, “Testing Context
Management,” on page 27.
7. Restart your computer.
26 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Chapter 5. Testing Context Management
See these topics to verify if Tivoli Access Manager for Enterprise Single
Sign-On with Context Management is functioning as expected.
Testing involves some of the following tasks:
v performing test logons
v performing test logoffs
v successfully launching the executable files installed with the system
See the following topics for more information.
v “Testing Context Management functionality”
v “Additional verifications for testing Context Management” on page 28
Testing Context Management functionality
The context manager is contacted by the logon script, which is defined at the
IMS Server for each user. Similarly, when a user logs off AccessAgent, a logoff
script is executed by AccessAgent to log off the user from the context
manager.
About this task
The following steps are necessary to test the integrated solution.
Procedure
1. Enable logon or logoff script policies in the IMS Server for the user for
whom Carefx is being set, and add the following VBScript for the logon
and logoff script sections.
Logon script:
dim obj
set obj=createobject("wscript.shell")
obj.run("LogonCarefx")
set obj=nothing
Logoff script:
dim obj
set obj=createobject("wscript.shell")
obj.run("LogoffCarefx")
set obj=nothing
2. Log on to AccessAgent as the logon or logoff script user.
The Wallet of the user synchronizes the logon or logoff scripts from the
IMS Server.
© Copyright IBM Corp. 2002, 2009 27

Important: The logon script does not run for the first logon to
AccessAgent after the script has been defined on the IMS Server.
3. For subsequent logons to AccessAgent, the user automatically logs on to
Context Manager through the logon script.
Additional verifications for testing Context Management
When logging on to AccessAgent (not considering the authentication factors),
the user should also be logging on to context manager automatically. The
same is applicable for logging off.
To verify if a user has logged on to context manager, right-click on the
gray-blue icon of the context channel system tray. A successful logon displays
Status:Linked and User: in the context menu.
When the user logs off from AccessAgent, right-clicking the icon displays
Status:Unlinked and User: in the context menu.
Launch any of the executable files from the \Carefx\Launcher
directory. The executable files displays the same user name logged on to the
application.
After the user has logged off from AccessAgent, the user should be logged off
from these other applications automatically.
Important: Note that the applications provided at \Carefx\Launcher
folder are meant for demo purposes only.
28 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Notices
This information was developed for products and services offered in the
U.S.A.
IBM may not offer the products, services, or features discussed in this
document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or
imply that only that IBM product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe
any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant
you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in
writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow
disclaimer of express or implied warranties in certain transactions, therefore,
this statement may not apply to you.
© Copyright IBM Corp. 2002, 2009 29

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will
be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials for
this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the mutual
use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer
Agreement, IBM International Program License Agreement or any equivalent
agreement between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their
specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy
of performance, compatibility or any other claims related to non-IBM
30 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Trademarks
products. Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change
or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include
the names of individuals, companies, brands, and products. All of these
names are fictitious and any similarity to the names and addresses used by an
actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language,
which illustrate programming techniques on various operating platforms. You
may copy, modify, and distribute these sample programs in any form without
payment to IBM, for the purposes of developing, using, marketing or
distributing application programs conforming to the application programming
interface for the operating platform for which the sample programs are
written. These examples have not been thoroughly tested under all conditions.
IBM, therefore, cannot guarantee or imply reliability, serviceability, or function
of these programs.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
IBM, the IBM logo, and ibm.com ® are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on
their first occurrence in this information with a trademark symbol ( ® or ),
these symbols indicate U.S. registered or common law trademarks owned by
IBM at the time this information was published. Such trademarks may also be
registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at Copyright and trademark information
(www.ibm.com/legal/copytrade.shtml).
Adobe, the Adobe logo, PostScript ® , and the PostScript logo are either
registered trademarks or trademarks of Adobe Systems Incorporated in the
United States, and/or other countries.
IT Infrastructure Library ® is a registered trademark of the Central Computer
and Telecommunications Agency, which is now part of the Office of
Government Commerce.
Notices 31

Intel, Intel logo, Intel Inside ® , Intel Inside logo, Intel ® Centrino ® , Intel Centrino
logo, Celeron ® , Intel ® Xeon ® , Intel SpeedStep ® , Itanium ® , and Pentium are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in
the United States and other countries.
Linux ® is a registered trademark of Linus Torvalds in the United States, other
countries, or both.
Microsoft, Windows, Windows NT ® , and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL ® is a registered trademark, and a registered community trademark of the
Office of Government Commerce, and is registered in the U.S. Patent and
Trademark Office.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc.
in the United States, other countries, or both and is used under license
therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc.
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and
other countries.
Other company, product, or service names may be trademarks or service
marks of others.
32 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Glossary
AccessAdmin. The management used by individuals with the Administrator Role and/or the Help
desk Role to administer IMS Server, and to manage users and policies.
AccessAgent. AccessAgent, or AA, is the client software that manages the user's identity, enabling
sign-on/sign-off automation and authentication management.
AccessAssistant. The Web-based interface used to provide password self-help for users to obtain the
latest credentials to logon to their applications.
AccessProfiles. Short, structured XML files that enable single sign-on or sign-off automation for
applications. AccessStudio can be used to generate AccessProfiles.
AccessStudio. The interface used to create AccessProfiles required to support end-point automation,
including single sign-on, single sign-off, and customizable audit tracking.
action. An act that can be performed in response to a trigger. For example, automatic filling of user
name and password details as soon as a sign-on window displays. See also Trigger.
ActiveCode. Short-lived authentication codes that are controlled by Tivoli Access Manager for
Enterprise Single Sign-On system. There are two types of ActiveCodes: random ActiveCodes and
predictive ActiveCodes.
The generation of ActiveCodes can be triggered in one of two ways: time-based (for example, every
minute or every day) or event-based (for example, pressing a button).
Combined with alternative channels or devices, ActiveCodes provide effective second-factor
authentication.
Active Proximity Badge. Similar to an RFID card, but differs in its ability to be detected by a proximity
reader from a considerably longer distance (such as two meters away).
ARFID (Active RFID). ARFID is both a second factor and a presence detector. It can detect the
presence of a user, and AccessAgent can be configured to perform specific actions.
AD. Microsoft Active Directory
API. Application Programming Interface
application. In AccessStudio, it refers to the system that provides the user interface for reading or
entering the authentication credentials.
authentication factor. The different devices, biometrics, or secrets required as credentials for validating
digital identities (for example, passwords, smart card, RFID, biometrics, and one-time password tokens).
authentication service. Verifies the validity of an account; Applications authenticate against their own
user store or against a corporate directory.
© Copyright IBM Corp. 2002, 2009 33

authorization code. An alphanumeric code generated by an IBM Help desk user for administrative
functions, such as password resets or authentication factors for the Wallet; might be used one or more
times based on policy.
biometrics. The identification of a user based on a physical characteristic of the user, such as a
fingerprint, iris, face, voice or handwriting.
certificate authority (CA). A trusted third-party organization or company that issues the digital
certificates. The certificate authority typically verifies the identity of the individuals who are granted the
unique certificate.
Clinical Context Object Workgroup (CCOW). A vendor-independent standard that clinical applications
use to share information at the point of care.
CLT. Command Line Tool
Command Line Tool (CLT). A tool that Administrators use to view and set policy priorities.
Context management. A technique that provides the clinician with a unified view of the information
held in separate and disparate health care applications referring to the same patient, encounter, or user.
control. Any field on a screen. Examples are a user name text box or an OK button on a Web page.
conventional single sign-on. Refers to Web-based single sign-on systems and typically requires
server-side integration, with a centralized architecture.
credentials. See user names, passwords, certificates, and any other information that is required for
authentication. An authentication factor can serve as a credential. In Tivoli Access Manager for
Enterprise Single Sign-On , credentials are stored and secured in the Wallet.
Desktop Manager. Manages concurrent user desktops on a single workstation
directory. A structured repository of information on people and resources within an organization,
facilitating management and communication.
EnGINA. Tivoli Access Manager for Enterprise Single Sign-On GINA, which replaces the Microsoft
GINA. EnGINA provides a user interface that is tightly integrated with authentication factors and
provide password resets and second factor bypass options.
Enterprise Access Security (EAS). A technology that enables enterprises to simplify, strengthen and
track access to digital assets and physical infrastructure.
Simplifying access means time-to-information, user productivity, and convenience. Strengthening access
allows stronger security and better risk management. Tracking access enables compliance.
EAS solutions are a new generation of identity management security products that reflect the
convergence of logon or logoff automation, authentication management, centralized user access
administration, the unification of logical (information), and physical (building) access control systems.
Enterprise Single Sign-On (E-SSO). A mechanism that allows users to log on to all applications
deployed in the enterprise by entering a user ID and other credentials (such as a password). Many
E-SSO products use sign-on automation technologies to achieve SSO—users logon to the sign-on
automation system and the system logs on the user to all other applications.
34 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

FCM. Fusionfx Context Manager tool.
FIPS. Federal Information Processing Standard. A standard produced by the National Institute of
Standards and Technology when national and international standards are nonexistent or inadequate to
satisfy the U.S. government requirements.
fortified password. An application password that is automatically changed by the system and not the
user. In Tivoli Access Manager for Enterprise Single Sign-On , passwords might be fortified with Tivoli
Access Manager for Enterprise Single Sign-On ActiveCodes.
hybrid desktop. A term used to describe how organizations combine different session management
capabilities to meet the needs of the user community.
IMS Bridge. For extending functionalities of third party programs, allowing them to communicate with
IMS Server.
IMS Connector. Add-ons to the IMS Server that enable the IMS Server to interface with other
applications as a client, extending the capability of the IMS Server. Examples include IMS Connectors for
password change.
IMS Server. An integrated management system that provides a central point of secure access
administration for an enterprise. It enables centralized management of user identities, AccessProfiles,
authentication policies, provides loss management, certificate management, and audit management for
the enterprise.
IMS Server Certificate. Used in Tivoli Access Manager for Enterprise Single Sign-On. the IMS Server
Certificate is used to identify an IMS Server.
IMS Service Modules. Add-on modules that extend the basic services provided by the IMS Server (for
example, user management, policy management, and certificate issuance).
iTag. A patent-pending technology that can convert any photo badge or personal object into a
proximity device, which can be used for strong authentication
ITAM (IBM Tivoli Access Manager). An integrated solution that provides a wide range of
authorization and management solutions. This product can be used on various operating systems
platforms such as Unix (AIX ® , Solaris, HP-UX), Linux, and Windows.
LUSM. Local User Session Management. A method for managing multiple desktops on a single
workstation.
Mobile ActiveCode (MAC). A one-time password that is randomly generated, event-based, and
delivered through a secure second channel (for example, SMS on mobile phones).
One-Time Password (OTP). A one-use password generated for an authentication event (for example,
password reset), sometimes communicated between the client and the server through a secure channel
(for example, mobile phones).
password. A sequence of characters used to determine that a user requesting access to a system is the
appropriate user.
Glossary 35

personal applications. Windows and Web-based applications that AccessAgent can store and enter
credentials. Some enterprises might not allow the use of a Tivoli Access Manager for Enterprise Single
Sign-On Key with personal applications. Password fortification also does not happen for personal
applications.
Some examples of personal applications are Web-based mail sites such as Company Mail, Internet
banking sites, Online shopping sites, chat or instant messaging programs and the like.
Personal Identification Number (PIN). A password, typically of digits, entered through a telephone
keypad or automatic teller machine.
policy. Governs the operation of Tivoli Access Manager for Enterprise Single Sign-On Enterprise,
comprising of two main sets: machine policies (managed through Windows GPO) and IMS-managed
policies (managed through AccessAdmin).
Policy ID. Each policy is identified by its policy ID with pid in the prefix (for example,
pid_wallet_authentication_option).
policy template. A predefined policy form that helps users define a policy by providing the fixed
policy elements that cannot be changed and the variable policy elements that can be changed.
presence detector. When affixed to a computer, this device detects when a person moves away from it,
thus eliminating the need to manually lock the computer upon leaving it for a short time.
private desktop. Under this desktop scheme, users have their own Windows desktops in a workstation.
When a previous user returns to the workstation and unlocks it, AccessAgent switches to the desktop
session of the previous user and resumes the last task.
private key. An encryption or decryption key that is kept secret by its owner. It is one of a pair of two
keys used for encryption and decryption in public key cryptography.
Radio Frequency Identification (RFID). A wireless technology that transmits product serial numbers
from tags to a scanner, without human intervention.
random passwords. Generated passwords used to increase authentication security between clients and
servers. Random password change is the process of modifying access codes between a client and a
server using a random sequence of characters. This change can only happen when the client and the
server are sharing a secured session as the random sequence has to be communicated between the two
parties. The new random password can then be used to re-establish a secured session the next time the
client needs to access the server.
register. Signing up for a Tivoli Access Manager for Enterprise Single Sign-On account, and registering
a second factor (for example, smart card, RFID) with the IMS Server.
registry. Machine policies are typically configured in AccessAdmin, but can also be configured using
the Windows registry when necessary. This configuration is especially true if the
pid_machine_policy_override_enabled policy is set to Yes, which means Administrators must use the
Windows registry to modify machine policies.
roaming desktops. Under this desktop scheme, a user can disconnect from a desktop or application
session at one client, log on to another client, and continue a desktop or application session at that new
client.
36 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

scope. A reference to the applicability of a policy, be it at the system, user, or machine level.
secret. Information known only to the user.
Secure Remote Access. The solution that provides Web browser-based single sign-on to all applications
(for example, legacy, desktop, and Web) from outside the firewall.
security officer. An officer that defines the identity Wallet security policies and other application
policies.
serial number. A unique number embedded in the Tivoli Access Manager for Enterprise Single Sign-On
Keys, which is unique to each Key and cannot be changed.
Service Provider Interface (SPI). Designed for devices that contain serial numbers, like RFID, the SPI
makes it easier for vendors to integrate any device with serial numbers and use it as a second factor in
AccessAgent.
session. A logical or virtual connection between two stations, software programs, or devices on a
network that allows the two elements to communicate and exchange data.
shared desktops. Under this desktop scheme, multiple users share a generic Windows desktop.
Switching of users can be done quickly and efficiently.
sign-on automation. A technology that works with application user interfaces to automate the sign-on
process for users. Many ESSO products use this technology to achieve SSO—users log onto the sign-on
automation mechanism and the sign-on automation system takes over from there to log the user onto all
other applications.
sign-up. Requesting for an account with the IMS Server. As part of the process, users are issued an
Wallet. They can subsequently register one or more second factors with the IMS Server.
signature. Unique identification information for any application, window, or field.
single sign-on. A capability that allows a user to enter a user ID and password to access multiple
applications.
smart card. A smart card is a pocket-sized card which is built to handle data using a network of
embedded circuits. Smart cards can receive input from applications, and can also send out information
(such as logon information).
SSL. Secure Sockets Layer
strong authentication. A solution that utilizes multi-factor authentication devices (such as smart cards)
to prevent unauthorized access to confidential corporate information and IT networks, both inside and
outside the corporate perimeter.
strong digital identity. An online persona that is difficult to impersonate, possibly secured by private
keys on a smart card. These identities typically have to be supported by physicalized authentication
factors.
TAM E-SSO Password. The password that secures access to your Wallet. The length of the password
ranges from six to 20 characters, depending on the preference of your organization. The assumption is
that only the authentic user will have the passwords to access their accounts.
Glossary 37

token. A small, highly portable hardware device that the owner carries to authorize access to digital
systems and, or physical assets.
TTY. Terminal emulator, terminal application. A program that emulates a video terminal within some
other display architecture. Though typically synonymous with a command line shell or text terminal, the
term terminal covers all remote terminals, including graphical interfaces. A terminal emulator inside a
graphical user interface is often called a terminal window.
user-centric, server managed. A distributed, agent-based system that provides the user with the
convenience of a user-focused agent, and provides the enterprise with consolidated views and controls
over the distributed agents.
If designed carefully, it can avoid the pitfall of many distributed systems — a single point of failure in
the server.
Tivoli Access Manager for Enterprise Single Sign-On has a user-centric, server-managed architecture in
which the AccessAgent provides access security functions to the users, and is centrally managed through
the IMS Server.
Virtual Private Network (VPN). An extension of a company intranet over the existing framework of
either a public or private network. A VPN ensures that the data that is sent between the two endpoints
of its connection remains secure.
Wallet. An identity Wallet that stores a user's access credentials and related information (including user
IDs, passwords, certificates, encryption keys), each acting as the user's personal meta-directory.
Web Workplace. An identity Wallet that stores a user's access credentials and related information
(including user IDs, passwords, certificates, encryption keys), each acting as the user's personal
meta-directory.A web-based interface that provides the ability to log on to enterprise Web applications
by clicking links without entering the passwords for individual applications. This interface can be
integrated with the existing portal or SSL VPN of the customer.
38 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Index
A
accessibility viii
B
books
See publications
C
Context Management
about 22
installation 23
system overview 21
testing 27, 28
uninstallation 25
conventions
typeface ix
credentials 15
D
directory names, notation x
E
education
See Tivoli technical training
enterprise applications 15
enterprise identity 15
environment variables, notation x
I
icons
margin x
M
manuals
See publications
margin icons x
N
notation
environment variables x
path names x
typeface x
O
online publications
accessing viii
ordering publications viii
P
path names, notation x
personal applications 16
personal workstations
about 11
policies 16
private desktops
about 12
publications vi
accessing online viii
ordering viii
R
roaming desktops
about 13
S
shared desktops
about 12
T
Tivoli Access Manager for Enterprise
Single Sign-On 1
authentication factors 6
concepts 14
features 2
product components 5
program icons 14
usage configurations 11
Tivoli Information Center viii
Tivoli technical training viii
Tivoli user groups viii
training, Tivoli technical viii
typeface conventions ix
U
user groups, Tivoli viii
V
variables, notation for x
© Copyright IBM Corp. 2002, 2009 39

40 IBM Tivoli Access Manager for Enterprise Single Sign-On: Context Management Integration Guide

Printed in USA
SC23-9954-02