IBM® Security Access Manager for Enterprise Single Sign-On, Version 8.2.1: Epic Integration Guide (SC27-5623-00)


Page 1: IBM® Security Access Manager for Enterprise Single Sign-On: … · 2017-09-29 · IBM Security Access Manager for Enterprise Single Sign-On Tivoli Endpoint Manager Integration Guide




Note: Before using this information and the product it supports, read the information in “Notices” on page 13.

Edition notice

Note: This edition applies to version 8.2.1 of IBM Security Access Manager for Enterprise Single Sign-On (product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this publication . . . . . v
  Access to publications and terminology . . . . . v
  Accessibility . . . . . viii
  Technical training . . . . . viii
  Support information . . . . . viii
  Statement of Good Security Practices . . . . . ix

Chapter 1. Overview of the product integration with Epic . . . . . 1

Chapter 2. Supported workflows and Epic configurations . . . . . 3

Chapter 3. Epic support deployment . . . . . 5

Chapter 4. Customization . . . . . 7
  Changing the authentication service in an AccessProfile . . . . . 7
  Changing the signature in the AccessProfile . . . . . 7

Chapter 5. Audit logs for Epic . . . . . 9

Chapter 6. Troubleshooting checklist for Epic . . . . . 11

Notices . . . . . 13

Glossary . . . . . 17
  A 17, B 18, C 18, D 19, E 20, F 20, G 20, H 20, I 21, J 21, K 21, L 21, M 21, N 22, O 22, P 22, R 23, S 23, T 25, U 25, V 25, W 26

Index . . . . . 27


About this publication

IBM Security Access Manager for Enterprise Single Sign-On Epic Integration Guide provides information about the IBM® Security Access Manager for Enterprise Single Sign-On and Epic integration, including supported workflows, configurations, and deployment.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Access Manager for Enterprise Single Sign-On library.”
• Links to “Online publications” on page viii.
• A link to the “IBM Terminology website” on page viii.

IBM Security Access Manager for Enterprise Single Sign-On library

The following documents are available in the IBM Security Access Manager for Enterprise Single Sign-On library:
• IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide, CF3T3ML
  IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide provides a quick start on the main installation and configuration tasks to deploy and use IBM Security Access Manager for Enterprise Single Sign-On.
• IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide, SC23995206
  IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide contains information about planning your deployment and preparing your environment. It provides an overview of the product features and components, the required installation and configuration, and the different deployment scenarios. It also describes how to achieve high availability and disaster recovery. Read this guide before you do any installation or configuration tasks.
• IBM Security Access Manager for Enterprise Single Sign-On Installation Guide, GI11930904
  IBM Security Access Manager for Enterprise Single Sign-On Installation Guide provides detailed procedures on installation, upgrade, or uninstallation of IBM Security Access Manager for Enterprise Single Sign-On. This guide helps you to install the different product components and their required middleware. It also includes the initial configurations that are required to complete the product deployment. It covers procedures for using WebSphere® Application Server Base editions, and Network Deployment.
• IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide, GC23969204
  IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide provides information about configuring the IMS Server settings, the AccessAgent user interface, and its behavior.
• IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide, SC23995105


  This guide is intended for the Administrators. It covers the different Administrator tasks. IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide provides procedures for creating and assigning policy templates, editing policy values, generating logs and reports, and backing up the IMS Server and its database. Use this guide together with the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide.
• IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide, SC23969404
  IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide provides detailed descriptions of the different user, machine, and system policies that Administrators can configure in AccessAdmin. Use this guide along with the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide.
• IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide, SC23995304
  This guide is intended for Help desk officers. IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide provides Help desk officers information about managing queries and requests from users usually about their authentication factors. Use this guide together with the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide.
• IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995005
  This guide is intended for the users. IBM Security Access Manager for Enterprise Single Sign-On User Guide provides instructions for using AccessAgent and Web Workplace.
• IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide, GC23969303
  IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide provides information about issues with regards to installation, upgrade, and product usage. This guide covers the known issues and limitations of the product. It helps you determine the symptoms and workaround for the problem. It also provides information about fixes, knowledge bases, and support.
• IBM Security Access Manager for Enterprise Single Sign-On Error Message Reference Guide, GC14762402
  IBM Security Access Manager for Enterprise Single Sign-On Error Message Reference Guide describes all the informational, warning, and error messages that are associated with IBM Security Access Manager for Enterprise Single Sign-On.
• IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide, SC23995605
  IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide provides information about creating and using AccessProfiles. This guide provides procedures for creating and editing standard and advanced AccessProfiles for different application types. It also covers information about managing authentication services and application objects, and information about other functions and features of AccessStudio.
• IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guide, SC27444401
  IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guide provides information about creating and using widgets.
• IBM Security Access Manager for Enterprise Single Sign-On Tivoli® Endpoint Manager Integration Guide, SC27562000


  IBM Security Access Manager for Enterprise Single Sign-On Tivoli Endpoint Manager Integration Guide provides information about how to create and deploy Fixlets for AccessAgent installation, upgrade or patch management. It also includes topics about using and customizing the dashboard to view information about AccessAgent deployment on the endpoints.
• IBM Security Access Manager for Enterprise Single Sign-On Provisioning Integration Guide, SC23995704
  IBM Security Access Manager for Enterprise Single Sign-On Provisioning Integration Guide provides information about the different Java™ and SOAP API for provisioning. It also covers procedures for installing and configuring the Provisioning Agent.
• IBM Security Access Manager for Enterprise Single Sign-On Web API for Credential Management Guide, SC14764601
  IBM Security Access Manager for Enterprise Single Sign-On Web API for Credential Management Guide provides information about installing and configuring the Web API for credential management.
• IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide, SC14762601
  IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide describes how to integrate any device with serial numbers and use it as a second authentication factor with AccessAgent.
• IBM Security Access Manager for Enterprise Single Sign-On Epic Integration Guide, SC27562300
  IBM Security Access Manager for Enterprise Single Sign-On Epic Integration Guide provides information about the IBM Security Access Manager for Enterprise Single Sign-On and Epic integration, including supported workflows, configurations, and deployment.
• IBM Security Access Manager for Enterprise Single Sign-On Context Management Integration Guide, SC23995404
  IBM Security Access Manager for Enterprise Single Sign-On Context Management Integration Guide provides information about installing, configuring, and testing the Context Management integrated solution in each client workstation.
• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Mobile Guide, SC27562101
  IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Mobile Guide provides information about the deployment and use of single sign-on on mobile devices.
• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Virtual Desktop Infrastructure Guide, SC27562201
  IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Virtual Desktop Infrastructure Guide provides information about setting up single sign-on support on a Virtual Desktop Infrastructure, and the different user workflows for accessing the virtual desktop.
• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Terminal Server and Citrix Server Guide, SC27566801
  IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Terminal Server and Citrix Server Guide provides information about the required configurations and supported workflows in the Terminal and Citrix Servers.


Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Access Manager for Enterprise Single Sign-On library
  The product documentation site (http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc_8.2.1/kc-homepage.html) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
  IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
  IBM Publications Center offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see "Accessibility features" in the IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.


Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Overview of the product integration with Epic

Epic is a healthcare software company that offers applications that are related to patient care. You can integrate IBM Security Access Manager for Enterprise Single Sign-On with the Epic application through an Epic-defined interface to provide single sign-on support.

Design overview

When a user starts the Epic application, the application runs a callback function as a dynamic link library (DLL). A callback function is executable code that is passed as a variable to another code. A dynamic link library is a file that is shared by executable files and other shared files.

The callback function uses an AccessProfile to retrieve credentials from IBM Security Access Manager for Enterprise Single Sign-On. It then passes the credentials to the Epic application. The Epic application authenticates the user and then logs on the user.

The callback function and AccessProfile communicate with each other using invisible windows. The AccessProfile controls workflows such as capture, injection, and re-authentication.

See the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide for more information about AccessProfiles.

See the Epic website for more details about the Epic application.

Supported setup

The integration with the Epic application is supported for shared desktop and personal desktop, in Windows XP and Windows 7, 32-bit and 64-bit.


Chapter 2. Supported workflows and Epic configurations

There are several workflows that are involved with IBM Security Access Manager for Enterprise Single Sign-On. Some of these workflows are supported in the integration with the Epic application, depending on the user repository that is used.

See the following tables for a summary of workflows and configurations that are supported based on the type of user repository that Epic uses.

Table 1. Supported AccessAgent workflows

Workflows | Epic uses its own user repository | Epic uses Active Directory | Epic uses a third-party repository
--- | --- | --- | ---
Password injection | Yes | Yes | No
Capture password | Yes | Yes | No
Change password | Yes | Yes | No
User re-authentication | Yes | Yes | No
User authorization (authentication of a user who is different from the user that is logged on to AccessAgent) | No | Yes | No
User re-authentication with second factor | No | No | No
User authorization with second factor | No | No | No

The re-authentication workflow is supported whether the Epic application uses its own user repository or an Active Directory. The AccessProfile bundled with the AccessProfile package takes care of the authorization workflow only. However, the AccessProfile can be easily changed in the field to support re-authentication or any customization when the need arises.

The authorization workflow is:
• Supported if the Epic application is using an Active Directory. When the following credentials are synchronized, the AccessProfile prompts for the Active Directory password of the user. This user is the one whose ID is given to the login device module of the Epic system.
  – ISAM ESSO user name and password
  – Active Directory user name and password
  – Epic user name and password
• Not supported if the Epic application is using its own user repository. Authorization involves opening another user Wallet and injecting the Epic password from that Wallet. The Epic user name must be mapped to the ISAM ESSO user name unless these user names are synchronized.


Table 2. Supported Epic configurations

Epic configurations | Epic uses its own user repository | Epic uses Active Directory | Epic uses a third-party repository
--- | --- | --- | ---
User clicks Secure desktop | No | Yes | No
Epic application automatically secures desktop because of no activity | No | Yes | No
Epic application automatically logs out the user because of no activity | No | Yes | No
Epic application automatically shuts down itself because of no activity | No | Yes | No


Chapter 3. Epic support deployment

Deploy the InstallEpicAdapter.bat file to all client computers to install single sign-on support for the Epic application.

Prerequisite

To deploy single sign-on support for the Epic application, ensure that you have:
• An IMS Server installed and configured
• The Epic support package
  The package contains the following files:

  File | Purpose
  --- | ---
  InstallEpicAdapter.bat | Registers the EpicAdapter.dll in the Windows registry.
  EpicAdapter.dll | Implements the login device interface for IBM Security Access Manager for Enterprise Single Sign-On.
  Epic AccessProfile | Controls the capture, injection, re-authentication, and is used for customization workflows.

• AccessAdmin Administrator privilege to upload AccessProfiles in the IMS Server.

Note: If you want to use AccessStudio to edit the Epic AccessProfile, ensure that you install AccessAgent before you install AccessStudio.

Deploying single sign-on support

The deployment procedure varies depending on whether AccessAgent is already installed.

If AccessAgent is already installed

1. Download the compressed file from the AccessProfile Library to your computer. The compressed file contains the InstallEpicAdapter.bat, EpicAdapter.dll, and AccessProfile files.
2. Deploy the InstallEpicAdapter.bat to all client computers. You can use software deployment tools like the Active Directory Group Policy Object (AD GPO).
   Note: You must run the file as an Administrator to complete this task in Windows 7. You must have Administrator privileges to complete this task in Windows XP.
3. Upload the AccessProfile to the IMS Server with AccessStudio.
   a. Open the AccessProfile in AccessStudio.
   b. Select the AccessProfile from the Data type pane.
   c. Click Upload selected data to IMS from the toolbar.

If AccessAgent is not yet installed


1. Download the compressed file from the AccessProfile Library to your computer. The compressed file contains the InstallEpicAdapter.bat, EpicAdapter.dll, and AccessProfile files.
2. Copy InstallEpicAdapter.bat and EpicAdapter.dll.
3. Select the Config folder of the AccessAgent installation package. For example: C:\Downloads\ISAM ESSO\Config.
4. Paste the InstallEpicAdapter.bat and EpicAdapter.dll files in the Config folder.
5. Modify the DeploymentScript.vbs in the Config folder.
   a. Open the DeploymentScript.vbs.
   b. Copy the following functions and paste them at the end of the script.

      Function RegEpicAdapter
          'Register Epic adapter
          Dim strCOMCmd : strCOMCmd = """" & INSTALLDIR & "InstallEpicAdapter.bat"" -nc"
          shell.Run strCOMCmd, 0, false
      End Function

      Function UnregEpicAdapter
          'Unregister Epic adapter
          Dim strCOMCmd : strCOMCmd = """" & INSTALLDIR & "InstallEpicAdapter.bat"" -u"
          shell.Run strCOMCmd, 0, false
      End Function

   c. Modify the following functions in the script and add the two lines that follow (Any existing code) in each of them.

      sub PostCopy()
          (Any existing code)
          'Register Epic adapter
          RegEpicAdapter
      end sub

      sub PreRemove()
          (Any existing code)
          'Unregister Epic adapter
          UnregEpicAdapter
      end sub

   d. Save the script.
6. Install AccessAgent.
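Steps 2 to 5 above (copy the two files into Config, append the functions, add the calls) can be scripted so the package edit is repeatable and reviewable. The following PowerShell is an added example, not part of the IBM guide; it assumes PowerShell 4.0 or later, that $PackageDir is the extracted support package, that $ConfigDir is the Config folder of the AccessAgent installation package, and that $ExpectedDllSha256 is a placeholder you replace with the SHA-256 you recorded for the EpicAdapter.dll you downloaded.

```powershell
# Added example (not IBM's code): stage the Epic adapter into the AccessAgent
# package and patch DeploymentScript.vbs as the guide's steps 2 to 5 describe.
# Assumptions: PowerShell 4.0+ (Get-FileHash); $ExpectedDllSha256 is a
# placeholder you replace with the hash you recorded for your download.
param(
    [Parameter(Mandatory)] [string]$PackageDir,
    [string]$ConfigDir = 'C:\Downloads\ISAM ESSO\Config',
    [string]$ExpectedDllSha256 = '<SHA-256 OF YOUR EPICADAPTER.DLL>'
)
$ErrorActionPreference = 'Stop'

$scriptPath = Join-Path $ConfigDir 'DeploymentScript.vbs'

# The DLL is loaded into the Epic login path on every client: refuse to stage a
# copy whose hash is not the one you recorded when you obtained the package.
$dll    = Join-Path $PackageDir 'EpicAdapter.dll'
$actual = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
if ($actual -ne $ExpectedDllSha256.ToUpperInvariant()) {
    throw "EpicAdapter.dll SHA-256 $actual does not match the expected value; not staging it"
}

# Steps 2 to 4: copy both files into the Config folder.
foreach ($name in 'InstallEpicAdapter.bat', 'EpicAdapter.dll') {
    Copy-Item -Path (Join-Path $PackageDir $name) -Destination $ConfigDir -Force
}

# Step 5b: append the two functions from the guide, but only once.
$content = [IO.File]::ReadAllText($scriptPath)
if ($content -notmatch '(?i)Function\s+RegEpicAdapter') {
    $content += @'

Function RegEpicAdapter
    'Register Epic adapter
    Dim strCOMCmd : strCOMCmd = """" & INSTALLDIR & "InstallEpicAdapter.bat"" -nc"
    shell.Run strCOMCmd, 0, false
End Function

Function UnregEpicAdapter
    'Unregister Epic adapter
    Dim strCOMCmd : strCOMCmd = """" & INSTALLDIR & "InstallEpicAdapter.bat"" -u"
    shell.Run strCOMCmd, 0, false
End Function
'@
}

# Step 5c: insert a comment and a call just before the "end sub" that closes the
# named sub. The body is matched lazily so only that sub's own "end sub" is used,
# and the call is skipped if it is already present (re-running is safe).
function Add-CallToSub {
    param([string]$Text, [string]$SubName, [string]$Call, [string]$Comment)
    $m = [regex]::Match($Text, "(?is)sub\s+$SubName\s*\(\)(?<body>.*?)(?<end>\r?\n[ \t]*end\s+sub)")
    if (-not $m.Success) { throw "sub $SubName() not found in $scriptPath" }
    if ($m.Groups['body'].Value -match "(?i)\b$Call\b") { return $Text }
    $at = $m.Groups['end'].Index
    return $Text.Substring(0, $at) + "`r`n    '$Comment`r`n    $Call" + $Text.Substring($at)
}

$content = Add-CallToSub $content 'PostCopy'  'RegEpicAdapter'   'Register Epic adapter'
$content = Add-CallToSub $content 'PreRemove' 'UnregEpicAdapter' 'Unregister Epic adapter'
[IO.File]::WriteAllText($scriptPath, $content)
Write-Host "Staged Epic adapter into $ConfigDir; now install AccessAgent (step 6)."
```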

Epic server configuration

To configure the Epic Server and to implement the Epic login, contact the Epic System Administrator.

Important: In the Epic server configuration, the EpicAdapter.dll programmatic ID is EpicImpl.ISAMESSOIEpicDevice.


Chapter 4. Customization

The Epic AccessProfile in the package is a template. Modify the AccessProfile if there are changes to the authentication service or signature value of the Epic application.

Changing the authentication service in an AccessProfile

If you use another authentication service like Active Directory, change the authentication service in the AccessProfile to ensure that the AccessProfile retrieves the correct credentials.

About this task

Make sure that the authentication service in the AccessProfile matches the authentication service that is used by your organization.

Procedure
1. Open the Epic AccessProfile in AccessStudio. The Epic AccessProfile is included in the Epic application support package. See Chapter 3, “Epic support deployment,” on page 5 for more details.
2. Locate an action that requires an authentication service. For example: Inject credentials.
3. Click the action.
4. In the Form Editor tab, select Auth Info > Direct-Authentication Service > Authentication service id.
5. Enter your authentication service id.
6. Apply steps 3 - 5 to all actions that require an authentication service.
7. Save the AccessProfile.

What to do next

Upload the AccessProfile to the IMS Server.

Changing the signature in the AccessProfile

A signature in an AccessProfile contains unique identification information for an application, window, or field. Change the signature in the Epic AccessProfile so that the AccessProfile can determine the name of the Epic application where the login workflow can run.

Procedure
1. Open the AccessProfile in AccessStudio.
2. Select the AccessProfile.
3. In the General Properties tab, select Signatures identifying web-page or exe where this AccessProfile is to be loaded.
4. Click Edit.
5. Drag the Finder tool and drop it on the Epic application window.
6. Click OK.


Note: You must add one signature for each Epic application that needs single sign-on. See Capturing a signature for more information.


Chapter 5. Audit logs for Epic

You can create audit logs using an AccessProfile so that you can view the details of each workflow.

You can modify the Epic AccessProfile and add your custom audit log actions. See "Generating custom audit logs" in the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide for more information.

You can collect and view the audit logs in AccessAdmin. See "Collecting audit logs in AccessAdmin" in the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide for more information.


Chapter 6. Troubleshooting checklist for Epic

Answer the questions so that you can identify the source of a problem that is occurring with the Epic application.

Is the Programmatic ID correct?
  Make sure that the Programmatic ID is EpicImpl.ISAMESSOIEpicDevice in the server configuration. For more information, see the Epic Administrator.

Is the Epic AccessProfile uploaded in the IMS Server?
  You can verify by completing the following steps:
  1. Open AccessStudio.
  2. Select File > Import data from IMS.
  The AccessProfile is displayed if it is uploaded in the IMS Server. Otherwise, download the AccessProfile again. See Chapter 3, “Epic support deployment,” on page 5 for more details.

Is the EpicAdapter.dll registered in the Windows Registry?
  You can verify by completing the following steps:
  1. On your Windows desktop, select Start > Run.
  2. Type regedit in the Open field.
  3. Click OK.
  4. Select Edit > Find.
  5. Type EpicAdapter.dll in the Find what field.
  6. Click Find Next.
  The EpicAdapter.dll is at My Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Classes > AppID > EpicAdapter.DLL in the Windows Registry.

Does the EpicAdapter.dll work properly?
  You can verify by displaying the invisible windows.
  1. On your Windows desktop, select Start > Control Panel > System > Advanced > Environment Variables.
  2. Under System variables, click New.
  3. In the Variable name field, type ISAMESSO_EPIC_WINDOW.
  4. In the Variable value field, type SHOW.
  5. Click OK.
  6. Test the EpicAdapter.dll with the Epic login device host. For more information, see the Epic Administrator.

  After verifying, you must delete the ISAMESSO_EPIC_WINDOW variable.
  1. On your Windows desktop, select Start > Control Panel > System > Advanced > Environment Variables.
  2. Under System variables, select ISAMESSO_EPIC_WINDOW.
  3. Click Delete.
  4. Click OK.

What logs were issued?


You can verify by checking the Observer logs.
1. Open the IBM Security Access Manager for Enterprise Single Sign-On folder location. For example: C:\Program Files\IBM\ISAMESSO\AA\Logs\.
2. Open aa_observer.log to verify the result of an activity:
   • The user is logged in successfully.
   • The EpicAdapter.dll loaded correctly.
   • The invisible windows opened successfully.
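The workstation-side checks above (registry entry, leftover ISAMESSO_EPIC_WINDOW variable, Observer log) gathered into one PowerShell health-check script. This is an added example, not code from the IBM guide: the AppID registry key, the system variable name and the aa_observer.log path are the ones the guide names; the log search terms and the 500-line tail window are assumptions, because the guide does not document the log format. The Programmatic ID lives in the Epic server configuration and cannot be checked from the workstation, so it is not covered here.

```powershell
# Added example, not from the IBM guide. Registry key, environment variable
# and log location are the ones the guide names; the log search terms are
# ASSUMED placeholders and must be adjusted to your own aa_observer.log.
param(
    [string]$LogPath = 'C:\Program Files\IBM\ISAMESSO\AA\Logs\aa_observer.log'
)

$results = [ordered]@{}

# Check 1: is EpicAdapter.dll registered? The guide locates it under
# HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\EpicAdapter.DLL.
$appIdKey = 'HKLM:\SOFTWARE\Classes\AppID\EpicAdapter.DLL'
$results['EpicAdapter.dll AppID key present'] = Test-Path -Path $appIdKey

# Check 2: was ISAMESSO_EPIC_WINDOW=SHOW left behind? The guide requires the
# system variable to be deleted once the invisible-window test is finished,
# so a value here means the workstation is still exposing those windows.
$epicWindow = [Environment]::GetEnvironmentVariable('ISAMESSO_EPIC_WINDOW', 'Machine')
$results['ISAMESSO_EPIC_WINDOW system variable absent'] = [string]::IsNullOrEmpty($epicWindow)
if (-not [string]::IsNullOrEmpty($epicWindow)) {
    Write-Warning "ISAMESSO_EPIC_WINDOW is still set to '$epicWindow'; delete it under System variables."
}

# Check 3: is the Observer log present, and what do its latest adapter-related
# lines say? Search terms are ASSUMED; the guide does not document the format.
$results['aa_observer.log present'] = Test-Path -Path $LogPath
$recent = @()
if (Test-Path -Path $LogPath) {
    $recent = Get-Content -Path $LogPath -Tail 500 |
        Select-String -Pattern 'EpicAdapter', 'ISAMESSOIEpicDevice', 'logon', 'login' -SimpleMatch |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
}

# Summary table, then the recent log lines for the administrator to read.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-48} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'CHECK' })
}
if ($recent.Count -gt 0) {
    ''
    'Recent Observer log lines (newest last):'
    $recent
}
```

Run it from an elevated PowerShell prompt on the AccessAgent workstation; a CHECK result on the second line means the troubleshooting variable was never removed.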


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering uses other technologies that collect each user's user name, password or other personally identifiable information for purposes of session management, authentication, single sign-on configuration or other usage tracking or functional purposes. These technologies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled “Cookies, Web Beacons and Other Technologies” and “Software Products and Software-as-a Service”.


Glossary

This glossary includes terms and definitions for IBM Security Access Manager for Enterprise Single Sign-On.

The following cross-references are used in this glossary:
• See refers you from a term to a preferred synonym, or from an acronym or abbreviation to the defined full form.
• See also refers you to a related or contrasting term.

To view glossaries for other IBM products, go to www.ibm.com/software/globalization/terminology (opens in new window).

A

account data
    The logon information required to verify an authentication service. It can be the user name, password, and the authentication service in which the logon information is stored.

account data bag
    A data structure that holds user credentials in memory while single sign-on is performed on an application.

account data item
    The user credentials required for logon.

account data item template
    A template that defines the properties of an account data item.

account data template
    A template that defines the format of account data to be stored for credentials captured using a specific AccessProfile.

action
    In profiling, an act that can be performed in response to a trigger. For example, automatic filling of user name and password details as soon as a sign-on window displays.

Active Directory (AD)
    A hierarchical directory service that enables centralized, secure management of an entire network, which is a central component of the Microsoft Windows platform.

Active Directory credential
    The Active Directory user name and password.

Active Directory password synchronization
    An IBM Security Access Manager for Enterprise Single Sign-On feature that synchronizes the ISAM ESSO password with the Active Directory password.

active radio frequency identification (active RFID)
    A second authentication factor and presence detector. See also radio frequency identification.

active RFID
    See active radio frequency identification.

AD See Active Directory.

administrator
    A person responsible for administrative tasks such as access authorization and content management. Administrators can also grant levels of authority to users.

API See application programming interface.

application
    A system that provides the user interface for reading or entering the authentication credentials.

application policy
    A collection of policies and attributes governing access to applications.

application programming interface (API)
    An interface that allows an application program that is written in a high-level language to use specific data or functions of the operating system or another program.

audit
    A process that logs the user, Administrator, and Helpdesk activities.

authentication factor
    The device, biometrics, or secrets required as credentials for validating digital identities. Examples of authentication factors are passwords, smart card, RFID, biometrics, and one-time password tokens.

authentication service
    A service that verifies the validity of an account; applications authenticate against their own user store or against a corporate directory.

authorization code
    An alphanumeric code generated for administrative functions, such as password resets or two-factor authentication bypass.

auto-capture
    A process that allows a system to collect and reuse user credentials for different applications. These credentials are captured when the user enters information for the first time, and then stored and secured for future use.

automatic sign-on
    A feature where users can log on to the sign-on automation system and the system logs on the user to all other applications.

B

base distinguished name
    A name that indicates the starting point for searches in the directory server.

base image
    A template for a virtual desktop.

bidirectional language
    A language that uses a script, such as Arabic and Hebrew, whose general flow of text proceeds horizontally from right to left, but numbers, English, and other left-to-right language text are written from left to right.

bind distinguished name
    A name that specifies the credentials for the application server to use when connecting to a directory service. The distinguished name uniquely identifies an entry in a directory.

biometrics
    The identification of a user based on a physical characteristic of the user, such as a fingerprint, iris, face, voice, or handwriting.

C

CA See certificate authority.

CAPI See cryptographic application programming interface.

Card Serial Number (CSN)
    A unique data item that identifies a hybrid smart card. It has no relation to the certificates installed in the smart card.

CCOW See Clinical Context Object Workgroup.

cell
    A group of managed processes that are federated to the same deployment manager and can include high-availability core groups.

certificate
    In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.

certificate authority (CA)
    A trusted third-party organization or company that issues the digital certificates. The certificate authority typically verifies the identity of the individuals who are granted the unique certificate. See also certificate.

CLI See command-line interface.

Clinical Context Object Workgroup (CCOW)
    A vendor-independent standard for the interchange of information between clinical applications in the healthcare industry.

cluster
    A group of application servers that collaborate for the purposes of workload balancing and failover.

command-line interface (CLI)
    A computer interface in which the input and output are text based.

credential
    Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources.

cryptographic application programming interface (CAPI)
    An application programming interface that provides services to enable developers to secure applications using cryptography. It is a set of dynamically-linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data.

cryptographic service provider (CSP)
    A feature of the i5/OS operating system that provides APIs. The CCA Cryptographic Service Provider enables a user to run functions on the 4758 Coprocessor.

CSN See Card Serial Number.

CSP See cryptographic service provider.

D

dashboard
    An interface that integrates data from a variety of sources and provides a unified display of relevant and in-context information.

database server
    A software program that uses a database manager to provide database services to other software programs or computers.

data source
    The means by which an application accesses data from a database.

deployment manager
    A server that manages and configures operations for a logical group or cell of other servers.

deployment manager profile
    A WebSphere Application Server runtime environment that manages operations for a logical group, or cell, of other servers.

deprovision
    To remove a service or component. For example, to deprovision an account means to delete an account from a resource. See also provision.

desktop pool
    A collection of virtual desktops of similar configuration intended to be used by a designated group of users.

directory
    A file that contains the names and controlling information for objects or other directories.

directory service
    A directory of names, profile information, and machine addresses of every user and resource on the network. It manages user accounts and network permissions. When a user name is sent, it returns the attributes of that individual, which might include a telephone number, as well as an email address. Directory services use highly specialized databases that are typically hierarchical in design and provide fast lookups.

disaster recovery
    The process of restoring a database, system, or policies after a partial or complete site failure that was caused by a catastrophic event such as an earthquake or fire. Typically, disaster recovery requires a full backup at another location.

disaster recovery site
    A secondary location for the production environment in case of a disaster.

distinguished name (DN)
    The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas. For example, CN=person name and C=country or region.

DLL See dynamic link library.

DN See distinguished name.

DNS See domain name server.

domain name server (DNS)
    A server program that supplies name-to-address conversion by mapping domain names to IP addresses.

dynamic link library (DLL)
    A file containing executable code and data bound to a program at load time or run time, rather than during linking. The code and data in a DLL can be shared by several applications simultaneously.


E

enterprise directory
    A directory of user accounts that define IBM Security Access Manager for Enterprise Single Sign-On users. It validates user credentials during sign-up and logon, if the password is synchronized with the enterprise directory password. An example of an enterprise directory is Active Directory.

enterprise single sign-on (ESSO)
    A mechanism that allows users to log on to all applications deployed in the enterprise by entering a user ID and other credentials, such as a password.

ESSO See enterprise single sign-on.

event code
    A code that represents a specific event that is tracked and logged into the audit log tables.

F

failover
    An automatic operation that switches to a redundant or standby system or node in the event of a software, hardware, or network interruption.

fast user switching
    A feature that allows users to switch between user accounts on a single workstation without quitting and logging out of applications.

Federal Information Processing Standard (FIPS)
    A standard produced by the National Institute of Standards and Technology when national and international standards are nonexistent or inadequate to satisfy the U.S. government requirements.

FIPS See Federal Information Processing Standard.

fix pack
    A cumulative collection of fixes that is released between scheduled refresh packs, manufacturing refreshes, or releases. A fix pack updates the system to a specific maintenance level.

FQDN See fully qualified domain name.

fully qualified domain name (FQDN)
    In Internet communications, the name of a host system that includes all of the subnames of the domain name. An example of a fully qualified domain name is rchland.vnet.ibm.com. See also host name.

G

GINA See graphical identification and authentication.

GPO See group policy object.

graphical identification and authentication (GINA)
    A dynamic link library that provides a user interface that is tightly integrated with authentication factors and provides password resets and second factor bypass options.

group policy object (GPO)
    A collection of group policy settings. Group policy objects are the documents created by the group policy snap-in. Group policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units.

H

HA See high availability.

high availability (HA)
    The ability of IT services to withstand all outages and continue providing processing capability according to some predefined service level. Covered outages include both planned events, such as maintenance and backups, and unplanned events, such as software failures, hardware failures, power failures, and disasters.

host name
    In Internet communication, the name given to a computer. The host name might be a fully qualified domain name such as mycomputer.city.company.com, or it might be a specific subname such as mycomputer. See also fully qualified domain name, IP address.

hot key
    A key sequence used to shift operations between different applications or between different functions of an application.

hybrid smart card
    An ISO-7816 compliant smart card which contains a public key cryptography chip and an RFID chip. The cryptographic chip is accessible through contact interface. The RFID chip is accessible through contactless (RF) interface.

I

interactive graphical mode
    A series of panels that prompts for information to complete the installation.

IP address
    A unique address for a device or logical unit on a network that uses the Internet Protocol standard. See also host name.

J

Java Management Extensions (JMX)
    A means of doing management of and through Java technology. JMX is a universal, open extension of the Java programming language for management that can be deployed across all industries, wherever management is needed.

Java runtime environment (JRE)
    A subset of a Java developer kit that contains the core executable programs and files that constitute the standard Java platform. The JRE includes the Java virtual machine (JVM), core classes, and supporting files.

Java virtual machine (JVM)
    A software implementation of a processor that runs compiled Java code (applets and applications).

JMX See Java Management Extensions.

JRE See Java runtime environment.

JVM See Java virtual machine.

K

keystore
    In security, a file or a hardware cryptographic card where identities and private keys are stored, for authentication and encryption purposes. Some keystores also contain trusted or public keys. See also truststore.

L

LDAP See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP)
    An open protocol that uses TCP/IP to provide access to directories that support an X.500 model. An LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

lightweight mode
    A Server AccessAgent mode. Running in lightweight mode reduces the memory footprint of AccessAgent on a Terminal or Citrix Server and improves the single sign-on startup duration.

linked clone
    A copy of a virtual machine that shares virtual disks with the parent virtual machine in an ongoing manner.

load balancing
    The monitoring of application servers and management of the workload on servers. If one server exceeds its workload, requests are forwarded to another server with more capacity.

lookup user
    A user who is authenticated in the Enterprise Directory and searches for other users. IBM Security Access Manager for Enterprise Single Sign-On uses the lookup user to retrieve user attributes from the Active Directory or LDAP enterprise repository.

M

managed node
    A node that is federated to a deployment manager and contains a node agent and can contain managed servers. See also node.

mobile authentication
    An authentication factor which allows mobile users to sign-on securely to corporate resources from anywhere on the network.


N

network deployment
    The deployment of an IMS™ Server on a WebSphere Application Server cluster.

node
    A logical group of managed servers. See also managed node.

node agent
    An administrative agent that manages all application servers on a node and represents the node in the management cell.

O

one-time password (OTP)
    A one-use password that is generated for an authentication event, and is sometimes communicated between the client and the server through a secure channel.

OTP See one-time password.

OTP token
    A small, highly portable hardware device that the owner carries to authorize access to digital systems and physical assets, or both.

P

password aging
    A security feature by which the superuser can specify how often users must change their passwords.

password complexity policy
    A policy that specifies the minimum and maximum length of the password, the minimum number of numeric and alphabetic characters, and whether to allow mixed uppercase and lowercase characters.

personal identification number (PIN)
    In Cryptographic Support, a unique number assigned by an organization to an individual and used as proof of identity. PINs are commonly assigned by financial institutions to their customers.

PIN See personal identification number.

pinnable state
    A state from an AccessProfile widget that can be combined to the main AccessProfile to reuse the AccessProfile widget function.

PKCS See Public Key Cryptography Standards.

policy template
    A predefined policy form that helps users define a policy by providing the fixed policy elements that cannot be changed and the variable policy elements that can be changed.

portal
    A single, secure point of access to diverse information, applications, and people that can be customized and personalized.

presence detector
    A device that, when fixed to a computer, detects when a person moves away from it. This device eliminates manually locking the computer upon leaving it for a short time.

primary authentication factor
    The IBM Security Access Manager for Enterprise Single Sign-On password or directory server credentials.

private key
    In computer security, the secret half of a cryptographic key pair that is used with a public key algorithm. The private key is known only to its owner. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key.

provision
    To provide, deploy, and track a service, component, application, or resource. See also deprovision.

provisioning API
    An interface that allows IBM Security Access Manager for Enterprise Single Sign-On to integrate with user provisioning systems.

provisioning bridge
    An automatic IMS Server credential distribution process with third party provisioning systems that uses API libraries with a SOAP connection.

provisioning system
    A system that provides identity lifecycle management for application users in enterprises and manages their credentials.


Public Key Cryptography Standards (PKCS)
    A set of industry-standard protocols used for secure information exchange on the Internet. Domino® Certificate Authority and Server Certificate Administration applications can accept certificates in PKCS format.

published application
    An application installed on Citrix XenApp server that can be accessed from Citrix ICA Clients.

published desktop
    A Citrix XenApp feature where users have remote access to a full Windows desktop from any device, anywhere, at any time.

R

radio frequency identification (RFID)
    An automatic identification and data capture technology that identifies unique items and transmits data using radio waves. See also active radio frequency identification.

RADIUS See remote authentication dial-in user service.

random password
    An arbitrarily generated password used to increase authentication security between clients and servers.

RDP See remote desktop protocol.

registry
    A repository that contains access and configuration information for users, systems, and software.

registry hive
    In Windows systems, the structure of the data stored in the registry.

remote authentication dial-in user service (RADIUS)
    An authentication and accounting system that uses access servers to provide centralized management of access to large networks.

remote desktop protocol (RDP)
    A protocol that facilitates remote display and input over network connections for Windows-based server applications. RDP supports different network topologies and multiple connections.

replication
    The process of maintaining a defined set of data in more than one location. Replication involves copying designated changes for one location (a source) to another (a target) and synchronizing the data in both locations.

revokeTo remove a privilege or an authorityfrom an authorization identifier.

RFID See radio frequency identification.

root CASee root certificate authority.

root certificate authority (root CA)The certificate authority at the top of thehierarchy of authorities by which theidentity of a certificate holder can beverified.

S

scope
    A reference to the applicability of a policy, at the system, user, or machine level.

secret question
    A question whose answer is known only to the user. A secret question is used as a security feature to verify the identity of a user.

secure remote access
    The solution that provides web browser-based single sign-on to all applications from outside the firewall.

Secure Sockets Layer (SSL)
    A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

Secure Sockets Layer virtual private network (SSL VPN)
    A form of VPN that can be used with a standard web browser.

Security Token Service (STS)
    A web service that is used for issuing and exchanging security tokens.

security trust service chain
    A group of module instances that are configured for use together. Each module instance in the chain is called in turn to perform a specific function as part of the overall processing of a request.

serial ID service provider interface
    A programmatic interface intended for integrating AccessAgent with third-party Serial ID devices used for two-factor authentication.

serial number
    A unique number embedded in the IBM Security Access Manager for Enterprise Single Sign-On keys, which is unique to each key and cannot be changed.

server locator
    A locator that groups a related set of web applications that require authentication by the same authentication service. In AccessStudio, server locators identify the authentication service with which an application screen is associated.

service provider interface (SPI)
    An interface through which vendors can integrate any device with serial numbers with IBM Security Access Manager for Enterprise Single Sign-On and use the device as a second factor in AccessAgent.

signature
    In profiling, unique identification information for any application, window, or field.

sign-on automation
    A technology that works with application user interfaces to automate the sign-on process for users.

sign up
    To request a resource.

silent mode
    A method for installing or uninstalling a product component from the command line with no GUI display. When using silent mode, you specify the data required by the installation or uninstallation program directly on the command line or in a file (called an option file or response file).

Simple Mail Transfer Protocol (SMTP)
    An Internet application protocol for transferring mail among users of the Internet.

single sign-on (SSO)
    An authentication process in which a user can access more than one system or application by entering a single user ID and password.

smart card
    An intelligent token that is embedded with an integrated circuit chip that provides memory capacity and computational capabilities.

smart card middleware
    Software that acts as an interface between smart card applications and the smart card hardware. Typically the software consists of libraries that implement PKCS#11 and CAPI interfaces to smart cards.

SMTP
    See Simple Mail Transfer Protocol.

snapshot
    A captured state, data, and hardware configuration of a running virtual machine.

SOAP
    A lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment. SOAP can be used to query and return information and invoke services across the Internet. See also web service.

SPI
    See service provider interface.

SSL
    See Secure Sockets Layer.

SSL VPN
    See Secure Sockets Layer virtual private network.

SSO
    See single sign-on.

stand-alone deployment
    A deployment where the IMS Server is deployed on an independent WebSphere Application Server profile.

stand-alone server
    A fully operational server that is managed independently of all other servers, using its own administrative console.

strong authentication
    A solution that uses multifactor authentication devices to prevent unauthorized access to confidential corporate information and IT networks, both inside and outside the corporate perimeter.

strong digital identity
    An online persona that is difficult to impersonate, possibly secured by private keys on a smart card.

STS
    See Security Token Service.

system modal message
    A system dialog box that is typically used to display important messages. When a system modal message is displayed, nothing else can be selected on the screen until the message is closed.

T

terminal emulator
    A program that allows a device such as a microcomputer or personal computer to enter and receive data from a computer system as if it were a particular type of attached terminal.

terminal type (tty)
    A generic device driver for a text display. A tty typically performs input and output on a character-by-character basis.

thin client
    A client that has little or no installed software but has access to software that is managed and delivered by network servers that are attached to it. A thin client is an alternative to a full-function client such as a workstation.

transparent screen lock
    A feature that, when enabled, permits users to lock their desktop screens but still see the contents of their desktop.

trigger
    In profiling, an event that causes transitions between states in a state engine, such as the loading of a web page or the appearance of a window on the desktop.

trust service chain
    A chain of modules that operate in different modes such as validate, map, and issue.

truststore
    In security, a storage object, either a file or a hardware cryptographic card, where public keys are stored in the form of trusted certificates, for authentication purposes in web transactions. In some applications, these trusted certificates are moved into the application keystore to be stored with the private keys. See also keystore.

tty
    See terminal type.

two-factor authentication
    The use of two factors to authenticate a user. For example, the use of a password and an RFID card to log on to AccessAgent.

U

uniform resource identifier
    A compact string of characters for identifying an abstract or physical resource.

user credential
    Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources.

user deprovisioning
    The process of removing a user account from IBM Security Access Manager for Enterprise Single Sign-On.

user provisioning
    The process of signing up a user to use IBM Security Access Manager for Enterprise Single Sign-On.

V

VB
    See Visual Basic.

virtual appliance
    A virtual machine image with a specific application purpose that is deployed to virtualization platforms.

virtual channel connector
    A connector that is used in a terminal services environment. The virtual channel connector establishes a virtual communication channel to manage the remote sessions between the Client AccessAgent component and the Server AccessAgent.

virtual desktop
    A user interface in a virtualized environment, stored on a remote server.

virtual desktop infrastructure
    An infrastructure that consists of desktop operating systems hosted within virtual machines on a centralized server.

Virtual Member Manager (VMM)
    A WebSphere Application Server component that provides applications with a secure facility to access basic organizational entity data such as people, logon accounts, and security roles.

virtual private network (VPN)
    An extension of a company intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.

Visual Basic (VB)
    An event-driven programming language and integrated development environment (IDE) from Microsoft.

VMM
    See Virtual Member Manager.

VPN
    See virtual private network.

W

wallet
    A secured data store of access credentials of a user and related information, which includes user IDs, passwords, certificates, encryption keys.

wallet caching
    The process during single sign-on for an application whereby AccessAgent retrieves the logon credentials from the user credential wallet. The user credential wallet is downloaded on the user machine and stored securely on the IMS Server.

wallet manager
    The IBM Security Access Manager for Enterprise Single Sign-On GUI component that lets users manage application credentials in the personal identity wallet.

web server
    A software program that is capable of servicing Hypertext Transfer Protocol (HTTP) requests.

web service
    A self-contained, self-describing modular application that can be published, discovered, and invoked over a network using standard network protocols. Typically, XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available, and UDDI is used for listing what services are available. See also SOAP.

WS-Trust
    A web services security specification that defines a framework for trust models to establish trust between web services.


Index

A
AccessAdmin 9
accessibility viii
AccessProfile
    authentication service 7
    signature 7
audit logs 9
authentication service 9
    Active Directory 7
    direct-authentication service 7
    Epic AccessProfile 7
    ID 7

C
credentials
    Active Directory user name and password 3
    Epic user name and password 3
    ISAM ESSO user name and password 3

D
deployment 5
Direct-authentication service 7

E
education viii
Epic
    design overview 1
    integration overview 1
Epic AccessProfile 9
    AccessStudio 7
    authentication service 7
    signature 7
Epic application 7
Epic configurations 3
Epic integration
    AccessAgent 5
    AccessProfile 3
    AccessStudio 5
    callback function 1
    DeploymentScript.vbs 5
    Epic login 5
    Epic Server 5
    Epic server configuration 5
    EpicAdapter.dll 5
    IMS Server 5
    InstallEpicAdapter.bat 5
    repository
        Active directory 3
        third-party repository 3
        user repository 3
    supported configurations 3
    supported workflows 3
Epic integration
    EpicAdapter.dll file
        EpicAdapter.dll 5
Epic support package 7

G
glossary 17

I
IBM
    Software Support viii
    Support Assistant viii

L
login support 5

O
online
    publications v
    terminology v

P
problem-determination viii
publications
    accessing online v
    list of for this product v
    statement of good security practices ix

S
secure desktop 3
signature 7
single sign-on 7

T
training viii
troubleshooting
    Epic AccessProfile 11
    EpicAdapter.dll 11
    logs 11
    programmatic ID 11
    server configuration 11

W
Workflows
    capture password 3
    change password 3
    password injection 3
    user authorization 3
    user authorization with second factor 3
    user reauthentication 3
    user reauthentication with second factor 3


Printed in USA

SC27-5623-00