Tivoli® Access Manager for Enterprise Single Sign-On

Authentication Adapter Release Notes

Version 6.0

GC23-6354-03

���

Tivoli® Access Manager for Enterprise Single Sign-On

Authentication Adapter Release Notes

Version 6.0

GC23-6354-03

���

Note:

Before using this information and the product it supports, read the information in “Notices,” on page 17.

This edition applies to version 6.0 of this adapter and to all subsequent releases and modifications until otherwise

indicated in new editions.

© Copyright International Business Machines Corporation 2005, 2007. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract

with IBM Corp.

Release Notes

IBM® Tivoli® Access Manager for Enterprise Single Sign-On: Authentication Adapter Version 6.00 Rollup E October, 2007

IBM is releasing version 6.00 Rollup E of IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter (TAM E-SSO: Authentication Adapter). These release notes provide important information about this release. The information in this document supplements and supersedes information in the TAM E-SSO: Authentication Adapter product documents.

The following topics are discussed:

What’s New in 6.00 Rollup E ..................................................................................................... 6 Resolved Issues ........................................................................................................................ 7 Open Issues............................................................................................................................... 8 Hardware and Software Requirements ..................................................................................... 9 Technical Notes....................................................................................................................... 13 Product Documentation ........................................................................................................... 16

What’s New in 6.00 Rollup E

6 Release Notes

What’s New in 6.00 Rollup E

TAM E-SSO: Authentication Adapter integrates with most authentication methods and provides support for both primary logon and re-authentication requests (i.e., forced re-authentication, session timeout, or application-specific authentication request) for both connected and disconnected use.

The major new features of this product include support for smart card authenticator PKCS #11, support for HID proximity cards, and support for RSA SecurID SID800 hardware authenticator.

Support for Smart Card Authenticator PKCS #11

Support for the PKCS #11 is now available through TAM E-SSO: Authentication Adapter smart card authenticator functionality.

Support for HID Proximity Cards

Support for the HID proximity cards is now available through the proximity card authenticator functionality of TAM E-SSO: Authentication Adapter. To install support for this authenticator, during installation select HID ISO Proximity Card Auth on the Custom Setup panel.

Notes:

• To configure HID using multi-authentication, you must use the TAM E-SSO 6.00 Rollup F Administrative Console.

• For more information, see the technical notes about HID ISO Proximity Card authenticator.

Support for RSA SecurID SID800 Hardware Authenticator

Support for RSA SecurID SID800 hardware authenticator retrieval and injection is now available through TAM E-SSO: Authentication Adapter's SoftID Helper functionality when the SID800 is in connected mode.

Resolved Issues

7 Release Notes

Resolved Issues

Issues that were reported in earlier releases of TAM E-SSO: Authentication Adapter that have been resolved in this release include:

Tracking Number Description of Issue

a8955 User is not consistently asked to enter their PIN when re-authenticating.

a9222 Smart card: "The parameter is incorrect" error occurs when enrolling with some Schlumberger smart cards.

a9236 Smart card: "The parameter is incorrect" error occurs on a Spanish operating system when a user attempts to enroll with a smart card.

a9465 GemPlus cards with TAM E-SSO: Kiosk Adapter: When using GemPlus cards with TAM E-SSO: Kiosk Adapter, and On Card Storage is installed and Store PIN is turned on in the Administrative Console, the Confirm PIN dialog is presented multiple times before the TAM E-SSO: Kiosk Adapter session unlocks.

a9800 Smart card error: “A general error occurred while reading the smart card. The security token does not have storage space available for an additional container. " This error occurs when switching between any primary logon methods using smart cards or when removing or reinserting smart cards.

a9801 Smart card: Smart card primary logon method does not allow the use of an encryption certificate for the TAM E-SSO passphrase.

Open Issues

8 Release Notes

Open Issues

This section describes issues that remain open in this release.

Tracking Number Description

a9453 Smart card with TAM E-SSO: Kiosk Adapter: When you pull the smart card reader out of a workstation while logged into a TAM E-SSO: Kiosk Adapter session, the session locks. However, when the reader is plugged back into the workstation, TAM E-SSO: Kiosk Adapter may not respond to events.

To work around this issue, a reboot of the workstation may be required and TAM E-SSO: Kiosk Adapter will respond to events again.

a9459 Sphinx with TAM E-SSO: Kiosk Adapter: Kiosk users have to tap proximity card two times on the reader in order to log in to TAM E-SSO: Kiosk Adapter: once to initiate a TAM E-SSO: Kiosk Adapter logon and a second time to read the card.

a10008 Gemplus Libraries 4.20 with TAM E-SSO: Authentication Adapter: Re-authentication events do not display the PIN dialog. When authenticating to TAM E-SSO, the first authentication properly displays a PIN dialog and allows a successful authentication. Subsequent re-authentication events within a short period of time do not display the PIN dialog, preventing authentication from succeeding.

To work around this issue, restart the TAM E-SSO process requesting authentication.

a10009 Netmaker Net iD 4.6 with TAM E-SSO: Kiosk Adapter: When starting a new TAM E-SSO: Kiosk Adapter session, the user’s synchronization credentials are not read off the card. After entering their PIN, users must then manually enter their synchronization credentials to start the session.

a10010 RSA RAC 2.0 / Smartcard Middleware 2.0 with TAM E-SSO: Kiosk Adapter: RSA Middleware reports that no smart cards are present when TAM E-SSO: Kiosk Adapter is locked and a smart card is inserted into a reader. Sessions must be manually started. After TAM E-SSO: Kiosk Adapter is unlocked, authentication to TAM E-SSO with smart cards will work as expected.

Hardware and Software Requirements

9 Release Notes

Hardware and Software Requirements

The TAM E-SSO: Authentication Adapter hardware and software requirements are listed under the following sections:

• Supported Operating Systems

• System Requirements

• Disk Space Requirements

• Memory Requirements

• Processor Requirements

• Software Prerequisites

o TAM E-SSO

o Authenticator Software

o Windows Installer

o Microsoft .NET Framework

• Supported Authenticators

Supported Operating Systems

The TAM E-SSO: Authentication Adapter components are supported on the following operating systems:

Operating System Versions Supported

Microsoft® Windows® 2000 SP4

Microsoft Windows XP SP2

Microsoft Windows Server 2003 SP1

System Requirements

The TAM E-SSO: Authentication Adapter components system requirements are as follows:

Disk Space Requirements

Disk space requirements for the Agent:

Minimum, excluding temporary space and runtime expansion

Temporary disk space (/tmp) needed during installation

For runtime expansion (configuration data and logs)

MSI 15 MB 30 MB 20 MB

EXE 20 MB 40 MB 25 MB

Hardware and Software Requirements

10 Release Notes

Other Disk Space Requirements

The following components require additional disk space requirements:

• Microsoft .NET Framework 2.0: 20 MB hard drive space (if not present)

• Microsoft Windows Installer: 20 MB hard drive space (if not present and if used)

A note about the MSI installer and EXE installer

The disk space requirements are different for the MSI and EXE installers as there are differences in the capabilities of these installers:

• The EXE installer file includes Microsoft .NET Framework version 2.0, which is a requirement for TAM E-SSO: Authentication Adapter.

• The EXE installer file can be run in multiple languages. The MSI file is English-only.

Memory Requirements

Memory requirements for the Agent:

• Minimum: 256 MB RAM

o Recommended: 512 MB RAM

Note: Although this application can run in an environment with the minimum amount of memory installed, the workstation's memory usage should be monitored and additional memory added as needed. A low memory condition can cause this application to fail.

Processor Requirements

Processor requirements for the Agent:

• Minimum: 1 GHz processor

o Recommended: 1.4 GHz processor

Software Prerequisites

The TAM E-SSO: Authentication Adapter Agent requires the following software prerequisites:

TAM E-SSO

• This release requires the use of TAM E-SSO 6.00 Rollup E. In order to configure the Authentication Manager enrollment, grade, and order options with HID ISO Prox Card, the 6.00 Rollup F Administrative Console is required.

Hardware and Software Requirements

11 Release Notes

Authenticator Software

• The client software for each authenticator must be installed. Strong authenticator clients are likely to have their own system requirements, which may differ from the requirements of TAM E-SSO: Authentication Adapter. Please refer to the strong authenticator’s documentation to review the system requirements.

Windows Installer

• Windows Installer 2.0 is required for the MSI installer file.

Microsoft .NET Framework

• Microsoft .NET Framework 2.0 is required for the Administrative Console.

Supported Authenticators

TAM E-SSO: Authentication Adapter supports the following applications:

Authenticator Versions Supported

Smart card • GemSafe Libraries 4.2.0

• GemSafe GXPPro-R3.x STD PTS smart cards

• GemSafe GXPPro-R3.x FIPS PTS smart cards

• Schlumberger Cyberflex Access 4.3

• Axalto Access Client Software 5.2

• Cryptoflex e-gate 32K smart cards

• RSA Authentication Client 2.0 / Smartcard Middleware 2.0

• RSA Smart Card 5200 smart cards

• RSA Smart Key 6200

• RSA SecurID SID800 hardware authenticator

• NetMaker Net iD 4.6

• NetMaker Net iD - CardOS 1 smart cards

• SafeSign/RaakSign Standard 2.3

• ORGA JCOP21 v2.2 smart cards

• Microsoft Base Smart Card CSP

• Gemalto Cryptoflex .NET smart cards

Xyloc • Ensure Tech lock

• Ensure Tech Xyloc XC-2 badges

• Xyloc client 8.4.6

• Xyloc Active Directory Schema Extension 4.2.6

• Xyloc Active Directory UI Extension 4.2.0

Sphinx • OmniKey Cardman 5121 reader

• HID iClass 16k CL proximity cards

• Sphinx Logon Manager v3.2.36

• Sphinx CardMaker v3.2.36

Hardware and Software Requirements

12 Release Notes

Authenticator Versions Supported

SAFLink • Precise Biometrics 100 series reader

• SAFsolution(R) Enterprise Edition Version 1.3

DigitalPersona • U.are.U 4000B reader

• DigitalPersona Pro Workstation 3.4.0

Entrust • Entrust Desktop Solutions 6.1

Proximity Card • OmniKey Cardman 5125 reader

• HID ISOProx II proximity cards

SoftID Helper • RSA SecurID Software Token 3.0.3

• RSA Authentication Client 2.0

• RSA SecurID SID800 hardware authenticator

Technical Notes

13 Release Notes

Technical Notes

The technical notes describe important technical information about this release.

TAM E-SSO: Authentication Adapter Console

The TAM E-SSO: Authentication Adapter Administrative Console has been merged with the TAM E-SSO Administrative Console. This new console must be installed to utilize all of the administrative settings available in TAM E-SSO: Authentication Adapter 6.00 Rollup E. The console can be installed from the TAM E-SSO CD; instructions are provided in the TAM E-SSO Installation and Setup Guide.

Ensure Technologies Xyloc and TAM E-SSO: Kiosk Adapter Integration

Configure the following setting when using Xyloc Proximity Badges and integrating with TAM E-SSO: Kiosk Adapter:

• When configuring sync in the TAM E-SSO Administrative Console, the sync order must be set, even if there is only one sync installed. The Sync Order setting is located under Global Agent Settings > Live > Synchronization.

SAFLINK SAFAuthenticator and TAM E-SSO: Kiosk Adapter Integration

The following technical notes apply when using SAFLINK SAFAuthenticator for TAM E-SSO and integrating with TAM E-SSO: Kiosk Adapter:

• When configuring sync in the TAM E-SSO Administrative Console, the sync order must be set, even if there is only one sync installed. This setting, “Sync Order,” can be found under Global Agent Settings > Live > Synchronization.

• The Escape key [Esc] cannot be used to cancel out of the biometric authentication dialog when unlocking TAM E-SSO: Kiosk Adapter with SAFLINK. This happens when a user is starting a new session or logging onto the current one. The reason this happens is because TAM E-SSO: Kiosk Adapter disables the escape key for security reasons. This window can be closed by clicking the X button at the top of the dialog.

DigitalPersona Authenticator

The DigitalPersona service caches credentials for several seconds after an authentication. If a user authenticates through DigitalPersona and then encounters another authentication scenario within 20 seconds, the user is not prompted to supply credentials. The reason is because during the reauthorization scenario, credentials are still being cached by DigitalPersona. This is a function of DigitalPersona and cannot be changed by IBM.

Sphinx Authenticator

• Microsoft Visual C++ 2005 Redistributable Package (x86) is required for the Sphinx authenticator. This can be downloaded from Microsoft’s web site.

• There is a CardID and PIN caching feature in the Sphinx API that has been included since version 3.2.23b+ of Sphinx Logon Manager. The card serial number and PIN used during GINA logon are cached.

Technical Notes

14 Release Notes

When using Sphinx to authenticate the first time after a successful synchronization, the user is not prompted for their proximity card or PIN. The action completes as a successful authentication.

To disable the caching feature, open Sphinx CardMaker. From the Configuration menu, click Card Settings. On the PIN tab, set PIN Verification Timeout to 0.

• When using Sphinx and integrating with TAM E-SSO: Kiosk Adapter, the value of GINADllName located in the Sphinx configuration file must be set to “SMGina.dll". The configuration file, SphinxCfg.in, is located in the C:\Program Files\Sphinx Logon Manager directory.

• To work with TAM E-SSO, the following settings are required to be set in Sphinx CardMaker from the Configuration menu:

Server tab > Program Settings - the following settings must be set to TRUE (selected): - Allow Self Enrollment - Require Windows/Sphinx User Name - Require Windows Password - Apply Initial Windows Logon Data General tab > Card Settings - the following settings must be set to FALSE (cleared): - Automatically Start Logon Manager - Allow Edit of Automatically Start Logon Manager - Start Minimized - Allow Edit of Start Minimized - Allow Pop-up - Allow Edit of Pop-up - Disable Logon Manager Application

Web/App Logon tab > Card Settings - the following settings must be set to FALSE (cleared): - Use Website Logon Auto-Recorder - Allow Edit of Website Logon Auto-Recorder - Use Windows Application Auto-Recorder - Allow Edit of Windows Application Auto-Recorder - Use Auto-Fill - Allow Edit of Auto-Fill

RSA SecurID SID800 Support

RSA Authentication Client supports the use of one RSA SecurID SID800 hardware authenticator at a time.

Technical Notes

15 Release Notes

HID ISO Proximity Card Authenticator

• Microsoft Visual C++ 2005 Redistributable Package (x86) is required for the HID ISO Proximity Card authenticator. This can be downloaded from Microsoft’s web site.

• To use the HID ISO Proximity Card Authenticator with Active Directory, you must enable the storing of credentials under user objects:

1. Open the TAM E-SSO Administrative Console.

2. Connect to the repository.

3. From the Repository menu, select Enable Storing Credentials Under User Objects (AD only).

Smart Card Authenticator

• When SafeSign/RaakSign middleware is used with TAM E-SSO: Authentication Adapter, the following value must be set in the Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\AUI\SCauth

SmartCardAPI = (DWORD) 0x00000001

• Due to technical limitations with the .NET cards, when using .NET smart cards with TAM E-SSO: Kiosk Adapter, inserting the smart card when TAM E-SSO: Kiosk Adapter is locked always causes a new session to start. To unlock an existing session, click the Unlock Existing Session link.

• When the Use default certificate for authentication configuration option (located in the SSO Administrative Console Global Agent Settings > Primary Logon Methods > Smart Card > Advanced) is set to Use SSO-generated keys, users may be prompted to enter their PIN twice during the First Time Use (FTU) enrollment process. This is normal and necessary in order to create the SSO keyset. Subsequent authentications after FTU only prompt the user to enter their PIN once.

Product Documentation

16 Release Notes

Product Documentation

The following documents support this product:

• TAM E-SSO: Authentication Adapter Installation and Setup Guide

• TAM E-SSO Console Help

• TAM E-SSO Agent Help

Appendix. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2005, 2007 17

Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758

U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International

Business Machines Corporation in the United States, other countries, or both:

AIX

DB2

developerWorks

eServer

IBM

iSeries

Lotus

Passport Advantage

pSeries

RACF

Rational

Redbooks

Tivoli

WebSphere

zSeries

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of

Microsoft Corporation in the United States, other countries, or both.

18 IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter Release Notes

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation

in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other

countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun

Microsystems, Inc. in the United States, other countries, or

both.

Other company, product, and service names may be trademarks or service marks

of others.

Appendix. Notices 19

20 IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter Release Notes

����

Printed in USA

GC23-6354-03