TAMESSO Auth Factor Cookbook

Upload: deisecairo

Post on 01-Jun-2018


  • 8/9/2019 TAMESSO Auth Factor Cookbook

    1/70

    IBM TAM E-SSO

    Authentication Factor Cookbook

    Version 1.1

    4 Nov 2010

    Abdul Baki ([email protected])

    Matthew Boult ([email protected])

    TAM E-SSO Authent. Factor Cookbook 1


    Table of Contents

Document Revision Control ..... 3
Disclaimer ..... 3
Acknowledgements ..... 3
Introduction ..... 3

Configuring TAM ESSO to use Smart Cards ..... 4
  Objective ..... 4
  Overview ..... 4
  Pre-requisite Environment ..... 4
  1. Testing smart card compatibility ..... 5
  2. Configure the Certificate Authority ..... 5
  3. Import the CA root certificate to the IHS Truststore, part 1 ..... 10
  4. Import the CA root certificate to the IHS Truststore, part 2 ..... 13
  5. Enable 2-way SSL on IBM HTTP Server ..... 19
  6. Create and apply IMS policies for smart card use ..... 21
  7. Assign the new template to the client workstation ..... 23
  8. Modify user default template to accept smart cards for authentication ..... 24
  9. Issue a certificate to a smart card ..... 26
  10. Register smart card to user ..... 31

Configuring TAM ESSO to use RFID Cards ..... 35
  Objective ..... 35
  Overview ..... 35
  Environment ..... 35
  1. Create and assign RFID Machine Policy Template ..... 36
  2. Create Authentication Code for user ..... 41
  3. Register RFID card to user ..... 43

Configuring TAM ESSO to use Fingerprint recognition ..... 46
  Objective ..... 46
  Overview ..... 46
  Environment ..... 46
  1. Configure the IMS Server ..... 47
  2. Create and assign Fingerprint Machine Policy Template ..... 48
  3. Updating the User Template ..... 50
  4. Enrolling the user's Fingerprint for authentication ..... 53

Configuring TAM ESSO to use Mobile ActiveCode as a One Time Password ..... 57
  Objective ..... 57
  Overview ..... 57
  Environment ..... 57
  1. Creating the Messaging Connector ..... 58
  2. Configuring the AccessAssistant to use MAC as second factor authentication ..... 62
  3. Configuring the User account for MAC use ..... 65
  4. Logging on with a Mobile ActiveCode ..... 68


    Document Revision Control

Version  Date        Description of changes
1        Nov 3 2010  -
1.1      Nov 4 2010  Version control, disclaimer

    Disclaimer

The document is provided on an "as-is" basis. It has not been subjected to any formal review procedure and IBM makes no representations or warranties regarding the information it contains.

    Acknowledgements

Many thanks to Dimitri Janzen at Charismathics GmbH for providing the middleware, smart cards and card readers used in producing this cookbook.

    Introduction

IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) automates sign-on and access to enterprise applications, eliminating the need to remember and manage user names and passwords.

Users log on to TAM ESSO with a special user ID and password; when they then access their secured applications, the TAM ESSO agent enters their stored credentials automatically, without the user needing to do so.

TAM ESSO provides the usual features associated with password security, e.g. password length, ageing policy etc.

This cookbook is based on a set of exercises that was produced for the European Tivoli Technical Conference 2010. It aims to show how Tivoli Access Manager for Enterprise Single Sign-On can be configured to use additional or alternative methods of authentication when users log on, in order to provide a greater degree of security (stronger authentication).

This cookbook is intended to complement the product documentation and should be read in conjunction with it. In particular, you should refer to the Setup Guide.


    Configuring TAM ESSO to use Smart Cards

Objective

The purpose of this section is to show you how to configure an existing Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) environment to use smart cards as additional authentication factors.

Note: a USB token may be used instead of a smart card and reader.

Overview

• Configure the Certificate Authority
• Configure TAM ESSO to use smart cards as second authentication factor
• Issue a certificate to a smart card
• Register the smart card to a user
• Use the smart card as a second authentication factor

Pre-requisite Environment

IMS Server
• Microsoft Certificate Server
• IIS
• TAM E-SSO 8.1 IMS + pre-reqs, i.e.
  • WebSphere Application Server
  • IBM HTTP Server (IHS)
  • supported database (e.g. DB2)
• Smart card middleware (we used Charismathics Smart Security Interface)

Client
• TAM E-SSO 8.1 Access Agent
• Smart card middleware as above
• Initialized smart card and reader OR USB token
• Drivers for reader or token

Active Directory
• Domain containing computers and user accounts


    1. Testing smart card compatibility 

The Smart Card Compatibility Tool is supplied with the TAM E-SSO 8.1 installation files. The directory containing the tool is named ScardCompatTool.

Create a mycsp.ini configuration file that contains details of the location of the smart card middleware driver, using the supplied example.ini file for guidance.

Run the following from the command line:

SCardCompatTool.exe -i mycsp.ini -o

A prompt will appear: “Insert smart card you wish to test. Press Enter to proceed”. Insert the smart card into the reader and press Enter.

See the output file for the results of the test. If successful, continue with the lab.

Note: Your smart card or USB token must be initialized first. This is outside the scope of TAM ESSO and this cookbook. Refer to the smart card middleware documentation on how to enable new smart cards.

    2. Configure the Certificate Authority 

    On the IMS Server:


Launch the Microsoft Certificate Authority: Start → Administrative Tools → Certification Authority.

This will launch a window containing details of the Certificate Authority. From the left pane, select the CA server and then select the Certificate Templates directory. The available certificate templates are displayed in the right pane.


You need the following templates: Smartcard User, Smartcard Logon. To install these, right-click in the right pane and select New → Certificate Template to Issue.


A new window will open with a list of Certificate Templates available. Scroll down and select Smartcard User and Smartcard Logon (multiple certificate templates can be selected using the Ctrl key). Click OK.


The smart card templates have now been added to the Certificate Template list on the right and the server is now ready to issue certificates.


    3. Import the CA root certificate to the IHS Truststore, part 1

We need to obtain the Certificate Authority (CA) root certificate. Each CA has its own method of obtaining the root CA certificate. In this case, we are using the Microsoft Certificate Server, located here:

http://<domain name>:<IIS port number>/certsrv

To obtain the domain name

The domain name is the name of the Active Directory domain. It can be found via Start → Administrative Tools → Active Directory Users and Computers.

To obtain the IIS server port number

The IIS port number is by default 80. However, as the IHS already requires port 80, the IIS port will have been modified during installation. To find the IIS server port number, go to Start → Administrative Tools → Internet Information Services Manager


To obtain the IIS server port number (continued)

• Click the + sign for the server in the left pane
• Open the Web Sites directory
• Right-click the default website. If there is more than one, right-click the one that is available, i.e. without the red dot in the bottom right corner of the icon.


To obtain the IIS server port number (continued)

• Select Properties. This will open another window.
• You will notice many parameters displayed, one of which is TCP port. Note the value in the box next to it. (If it is 80, then change it to 81.)


    4. Import the CA root certificate to the IHS Truststore, part 2 

Now that the domain name and IIS port number have been obtained, enter the address for the certificate server into the browser. This will open the CA server page and allow the issuing of certificates. Click the Download a CA certificate, certificate chain, or CRL link.


    Enter the administrator's user ID and password at the prompt.

At the next page, you are prompted to select an encoding method. Two standards are supported: DER and Base 64. The latter standard is used in this case. Select the Base 64 option and click the Download CA certificate link.


This opens a confirmation box. Click Save and select the location and name of the certificate.

Once the root CA certificate has been obtained, it needs to be imported into the IHS truststore as follows: Start → IBM WebSphere → Application Server v7.0 → Profiles → AppSrv01 → Administrative Console → Server → Server Types → Web servers → ...

(At the Administrative console, you will need to enter the WAS administrator credentials.)


    ...→ plug-in properties

    ...→ manage keys and certificates


    ...→ signer certificates

     ...→ add. At the next screen, fill in the following information:


• An alias name of your choice
• File Name: full path of the CA certificate created earlier
• Click OK

Save the changes when prompted (top of web page).

Go to WAS Administrative Console → Server → Server Types → Web servers → webserver1 → plug-in properties → copy to web server key store directory


Restart the IBM HTTP Server (IHS): Administrative Console → Server → Server Types → Web servers. Check the check box next to the webserver1 link and click the Stop button, just above and to the right of the webserver1 link. Once webserver1 stops, check the check box again and press the Start button.

5. Enable 2-way SSL on IBM HTTP Server

Log on to the WAS Administrative Console.

Go to Server → Server Types → Web servers → webserver1 → Configuration file


Insert the following text as shown in the screen shot below: SSLClientAuth optional, between SSLProtocolDisable SSLv2 and SSLServerCert default.


    Click OK, then at the next page click OK, then at the next page click Save.

    6. Create and apply IMS policies for smart card use 

Open a browser and enter the IMS server location. The IMS server page will display 4 options on the left side of the page. Click on AccessAdmin.

    Enter the login details for the Administrator for the IMS server.

    On the Access Admin page, under Machine Policy Templates, click New Template.

At this screen enter:

• Name: name of the template. Assign a meaningful name.
• Criteria: specify the criteria if this template is for specific machines on your domain. Take the default option.
• At Authentication Policies, enter Smart card into the text box and click Add.


Next go to Access Agent Policies and click on Smart card policies.

For Enable Windows smart card logon?, select Yes from the drop-down menu and click Add.


    7. Assign the new template to the client workstation 

    Go to Machines→ Search on the left menu.

Click Search. This will bring up the workstations that have been connected to the IMS server via Access Agent.


Select the workstation. From the Machine Template Assignment, select the Smart Card policy and click Assign.

8. Modify user default template to accept smart cards for authentication

Click the default user template found under the user policy template heading.

    On the new page, click Authentication Policies.

    Check the Smart card box.

    Click the Update button.

    Click the Search link under the search users heading.

    Click the Search button.

Select the users that require smart card use by clicking the check boxes. Beneath the Apply user policy template heading, select Default user template from the drop-down menu and click Apply to selected results.

    At the confirmation prompt, click OK.


A status bar will display the progress of applying the user template. Once the task has been completed, restart WAS.


The Access Agent icon on the client system displays a message that the computer must be restarted due to changes on the IMS server. Restart the computer. The Access Agent is now ready to allow authentication by smart cards.

9. Issue a certificate to a smart card

Note: for the purposes of this exercise, we show the user logging on and issuing a smart card to him- or herself, which may not be the case in a real-world scenario.

On the client system, log on to Windows with the ID of the user requiring the smart card. Do not use Access Agent to log in.

    Insert the smart card in the reader, or the token in a spare USB slot, as appropriate.

    Go to the certificate server web page:

http://<domain name>:<IIS port number>/certsrv

    Log on using the user's credentials.


    Click on Request a certificate from the Select a task options.

    At the next page, select Advanced Certificate Request option.

    Select Create and submit a request to this CA.

Change the following parameters only:

• Certificate Template: Smartcard User
• Key Options/CSP: select the relevant middleware used within your environment. (We used Charismathics Smart Security Interface CSP.)


• Additional options/Request Format: PKCS10 (Public Key Cryptography Standard for requesting certificates).


Click Submit. If a warning message about a potential scripting violation is displayed, click Yes.

This will open a window for the appropriate smart card middleware CSP. Enter the PIN for the smart card and click Login.

A message will be displayed: “Generating Request”, followed by “Waiting for Server response”. These messages can be displayed for two minutes or so.

When the Certificate Issued page is displayed, click Install this certificate.

A warning message about a potential scripting violation is displayed. Click Yes. A message will appear requesting confirmation for the installation of the certificate from the CA server. Click Yes.


A prompt to save the CA certificate will be displayed. Click Yes.

    A confirmation message will then be displayed.


Open the middleware software and read the smart card contents. Check that the certificate has been installed.
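To confirm the result of this step against the CA root imported in steps 3 and 4, here is an added check (written for this page, not part of the cookbook or the product) in Go using only the standard library: it verifies that a certificate exported from the card chains to that root and carries the Smart Card Logon EKU that the Smartcard User template includes. CheckSmartCardCert and newLabPKI are this example's own names, and the CA and user certificates it builds are constructed stand-ins for the real ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Microsoft "Smart Card Logon" extended key usage. The Smartcard User and
// Smartcard Logon templates place this EKU in the certificates they issue.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// CheckSmartCardCert verifies that the certificate read back from the card
// (certPEM) chains to the CA root imported into the IHS truststore (caPEM,
// the Base64 download from certsrv) and carries the Smart Card Logon EKU.
func CheckSmartCardCert(certPEM, caPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("CA root is not a PEM certificate")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("smart card certificate is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// Chain validation only; the EKU is tested explicitly below because Go
	// has no named constant for the Microsoft smart card logon usage.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return errors.New("certificate does not chain to the imported CA root: " + err.Error())
	}
	for _, eku := range cert.UnknownExtKeyUsage {
		if eku.Equal(oidSmartCardLogon) {
			return nil
		}
	}
	return errors.New("certificate lacks the Smart Card Logon EKU (issued from the wrong template?)")
}

// newLabPKI constructs a throwaway CA root and a user certificate signed by it
// so the check can be exercised offline. withSmartCardEKU selects whether the
// user certificate resembles one issued from the Smartcard User template.
func newLabPKI(withSmartCardEKU bool) (certPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Lab Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed root; caTmpl doubles as the parent when signing the user cert.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed.user"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Smartcard User also carries Client Authentication and Secure Email.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	if withSmartCardEKU {
		userTmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSmartCardLogon}
	}
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, caTmpl, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: userDER})
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return certPEM, caPEM, nil
}
```

To run it against a real card, export the certificate from the middleware in Base64 form and pass it with the CA root downloaded in step 4.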

10. Register smart card to user

Note: If the user has not registered with TAM ESSO before, then do that step before proceeding.

On the client system, insert the smart card at the Access Agent log-on screen. Access Agent will prompt for smart card registration with the user account.

Enter the PIN that was assigned to the smart card during the certificate request process.


    Click OK.

A prompt to register the smart card with the IMS will be displayed; this enables the smart card to be used with Access Agent to log on. Click Next.

At the next screen click Yes if you have already registered the user to use TAM ESSO. (Otherwise click No and Access Agent will enrol the user on to the IMS server.)


    Enter the account details and click OK.

    The user's credentials will now be inserted automatically into the Windows GINA.

    You are now logged on and registration for smart card use for this user is now complete.

    What happens when you remove the smart card?


When logging on again with this account, you will be required to present the smart card and to enter the PIN.


    Configuring TAM ESSO to use RFID Cards

    Objective 

The purpose of this section is to show you how to configure an existing Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) environment to use RFID cards as additional authentication factors.

Overview

• Configure TAM ESSO to use RFID cards as second authentication factors
• Register a particular RFID for use with a user's account
• Use the RFID card as a second authentication factor

Environment

Server
• As before

Client
• As before
• RFID card with reader
• Drivers for RFID reader


    1. Create and assign RFID Machine Policy Template 

Create a new Machine Policy template in Access Admin. Give it a meaningful name, such as RFID Enabled Policy.

    Add RFID as an Authentication Policy.


    And then add the policy template.


Now assign this new template to the client system that will be used when the user with the RFID badge logs on.

Go to Machines → Search on the left menu. Click Search. This will bring up the workstations that have been connected to the IMS.


Select the workstation. From the Machine Template Assignment, select the RFID policy and click Assign.


    2. Create Authentication Code for user 

This step creates an authentication code that will permit a user to use an RFID badge as an authentication factor. In Access Admin (IMS server → Access Admin), locate the user who will be logging on with an RFID badge.

    Scroll down to Helpdesk Authorization and select Issue Authorization Code.


    Make a note of the code generated.


    3. Register RFID card to user 

On the client system, tap your RFID card on the reader when prompted at the Access Agent log-on screen. Access Agent will prompt for RFID card registration with the user account.

    At the next screen click Yes if you have already registered the user to use TAM ESSO.


    (Otherwise click No and Access Agent will enrol the user on to the IMS server).

    Enter the account details and click OK.

    Now enter the authorization code that was generated earlier.


    The user's credentials will now be inserted automatically into the Windows GINA.

    You are now logged on and registration for RFID card use for this user is now complete.

When logging on again with this account, you will be required to present the RFID card and to enter the password.


    Configuring TAM ESSO to use Fingerprint recognition

    Objective 

The purpose of this section is to show you how to configure an existing Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) environment to enable the use of fingerprint readers for logging on to the AccessAgent.

Note: these instructions can be used for the supported Digital Persona or UPEK readers. For readers that work with Bio-key Biometric Service Provider middleware, refer to the TAM ESSO Setup Guide and adapt these steps as appropriate.

Overview

You will:

• Configure TAM ESSO to use a fingerprint reader for authentication
• Register a particular finger to use with a user's account
• Use the fingerprint reader to log on to TAM ESSO.

Environment

Server
• As before
• Drivers for fingerprint reader

Client
• As before
• Fingerprint reader
• Drivers for fingerprint reader


    1. Configure the IMS Server 

The drivers for the fingerprint reader must already be installed on both the IMS server machine and the client machine before fingerprint authentication can be used. When this has been done, the following step is needed:

After the drivers have been installed, open the deploymentPack_biometrics_8.1.0.0.xx (xx = version number) directory from the installation CD. There are 3 directories; open the appropriate directory for the reader and run the relevant EnCOM.bat batch file.

    Once the batch file has successfully been executed, restart the WAS server.


    2. Create and assign Fingerprint Machine Policy Template 

Create a new Machine Policy template in Access Admin. Give it a meaningful name, such as Fingerprint Enabled Policy.


Add Fingerprint as a supported second authentication factor, under Authentication Policies. (Use the Add key to do this, as shown in the next screen-shot. Do not press Return!)

And then scroll down and Add the policy template, as shown in the next screen-shot.


    Now assign this new template to the client system that requires fingerprint authentication.

    3. Updating the User Template 

Click on the Default user template link under the User Policy Template heading. This will display the details for the default user policy template.

Expand the Authentication Policies heading and check the Fingerprint check box. Click the Update button at the bottom of the policy template details.


Now click on the Search link under the Search Users heading. Press the Search button in the “Search for users” page.

This will bring up the list of users registered on the IMS Server. Select the user or users who will use fingerprint authentication.


Under “Apply user policy template”, expand the drop down menu and select Default user template. Click the Apply to selected results button. You will be prompted to confirm your action. Click OK. This will apply the Default user template to the selected users.

    You will notice a progress bar. Wait until the task has completed.


Restart the client machine. You will notice that the display message on the AccessAgent EnGINA now requests a fingerprint to log on.

    4. Enrolling the user's Fingerprint for authentication 

Scan your finger on the fingerprint reader (you will need to move your finger tip across the reader). The EnGINA will request your user name. Enter the appropriate account name.


    Select Register Fingerprint.

    Enter the password associated with the account.


    Then identify the finger that was scanned.

    Scan the finger as directed.


Once fingerprint registration is complete, the user will only need to scan their registered finger to log on to their account.


Configuring TAM ESSO to use Mobile ActiveCode as a One Time Password

Objective

The purpose of this section is to show you how to configure an existing Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) environment to utilise Mobile ActiveCode (MAC) as a One Time Password (OTP) for non-AccessAgent authentication. The authentication is done via AccessAssistant and Web Workplace. AccessAssistant and Web Workplace offer ESSO without the requirement of an AccessAgent in scenarios where the enterprise applications are Web-based. MACs are used to implement second factor authentication for AccessAssistant and Web Workplace.

Note: These steps show how to send the OTP via a mail server. If required, SMS messages can be used instead of e-mails. To do this you will require an SMS gateway and to adapt these instructions as appropriate.

Overview

You will:
• Configure TAM ESSO to use MAC as a second factor of authentication
• Create a messaging connector for e-mail communication
• Configure users to be able to access and utilise AccessAssistant and Web Workplace

Environment

Server
• As before

Mail Server
• E-mail server and client (machine must be enrolled in AD domain)

Client
• As Lab 1
• E-mail client


    1. Creating the Messaging Connector 

    Navigate to the IMS server, and click on the IMS configuration utility link.

On the left menu, beneath Advanced settings, select Message connectors. This displays a drop-down menu on the right. Select SMTP Messaging Connector from the menu and click Configure.


    This page will allow your to create an SMTP messaging connector. Enter the followingparameters:

    • Message Connector Name: name of your choice ( e.g. mailServer )• Address Attribute Name: emailAddress  • SMTP server URL: e.g mailServer. • SMTP from address: e.g administrator@mailServer. • SMTP form friendly name: name of your choice (e.g. Admin )• SMTP port number: 25 • SMTP user name: e.g administrator@mailServer. • SMTP user password: leave blank

    Once these parameters have been entered, press Add.
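    As an added check, not part of the cookbook: before relying on the connector, confirm that the mail server accepts a submission carrying exactly these connector values (from address, friendly name, no password). The script below is example code that runs against a loopback stand-in for mailServer so it works offline; FakeSmtpServer, the imsServer local hostname and user@mailServer are constructed, and pointing send_test_mac at the real host on port 25 tests the lab server instead.

```python
import smtplib, socket, threading
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import formataddr

# Connector values as entered in the cookbook; "mailServer" and "imsServer" are lab hostnames (constructed).
FROM_ADDRESS, FRIENDLY_NAME = "administrator@mailServer", "Admin"
REPLIES = {b"DATA": b"354 send data\r\n", b"QUIT": b"221 bye\r\n"}  # every other verb gets 250

class FakeSmtpServer(threading.Thread):
    """Loopback stand-in for mailServer: accepts one submission and records the message."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]  # the lab connector uses port 25
        self.received = None

    def run(self):
        conn, _ = self.sock.accept()
        f, body, in_data = conn.makefile("rwb"), [], False
        f.write(b"220 mailServer ESMTP\r\n"); f.flush()
        for line in f:                             # loop ends when the client hangs up after QUIT
            if in_data and line != b".\r\n":       # DATA payload runs until a lone "."
                body.append(line)
                continue
            if in_data:                            # the lone ".": message complete
                self.received = b"".join(body)
            verb = line.split()[0].upper() if line.strip() else b""
            in_data = verb == b"DATA"
            f.write(REPLIES.get(verb, b"250 ok\r\n"))  # EHLO, MAIL FROM, RCPT TO, "." -> 250
            f.flush()
        conn.close()

def send_test_mac(host, port, to_addr, code="123456"):
    """Submit one MAC-style e-mail with the connector's From identity, as the IMS server would."""
    msg = EmailMessage()
    msg["From"] = formataddr((FRIENDLY_NAME, FROM_ADDRESS))
    msg["To"], msg["Subject"] = to_addr, "Mobile ActiveCode"
    msg.set_content(f"Your one-time code is {code}")
    with smtplib.SMTP(host, port, local_hostname="imsServer", timeout=5) as smtp:  # no login: password is blank
        smtp.send_message(msg)

def preflight(to_addr="user@mailServer", code="123456"):
    """Deliver to the stand-in; return (From header, body) as they would appear in the user's mailbox."""
    server = FakeSmtpServer()
    server.start()
    send_test_mac("127.0.0.1", server.port, to_addr, code)
    server.join(timeout=5)
    parsed = message_from_bytes(server.received)
    return parsed["From"], parsed.get_payload().strip()
```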

    You will now be able to see the message connector you just created.

    Now click on the ActiveCode deployment link. On the right side there are various settings. We want to add the IP addresses of the mail server and the client to the IMS server's allowed list.

    Add IP addresses to Allowed ActiveCode client IPs for:
    • IMS server
    • client machine
    • mail server

    Scroll down and enter the name of your SMTP messaging connector in the Default Messaging Connector parameter. Scroll to the bottom of the page and click Update.

    Restart the IMS server via the WebSphere Application Server admin console.

    2. Configuring the AccessAssistant to use MAC as second factor authentication

    Navigate to the AccessAdmin page within the IMS server. On the left menu beneath the System heading, click the Authentication service policies link.

    This will display a list of applications. In the personal authentication service list, click the AccessAssistant check box and scroll to the bottom of the page. Click the button called Move to enterprise authentication service. Under the enterprise authentication service list, click the AccessAssistant link.

    This will open the “AccessAssistant Authentication service policies” page. Expand the Authentication Policies menu.

    In the “Authentication modes to be supported” list, select Password and MAC. Use the Ctrl key for multiple selections. Click Update.

    Once the information has been updated, click the back to Authentication Services link and move AccessAssistant back to the “Personal authentication service” list: check the AccessAssistant check box and click the move to Personal authentication service button.

    Click the System Policies link beneath the System heading on the left side. This will display a list of expandable menus. Expand the AccessAssistant and Web Workplace Policies menu.

    Select MAC from the drop-down list under the “Default second authentication factor for AccessAssistant and Web Workplace” option.

    Click Update.

    3. Configuring the User account for MAC use

    Navigate to AccessAdmin, search for users and select the user account for which you wish to set up MAC authentication. Enter:

    • Mobile ActiveCode email address: the user's email address, to which the MAC is to be sent.
    • Preference: mailServer (this is the name of the message connector you created earlier).

    Then click the first Update button (just off the screen above).

    Scroll down to Authentication Policies and enable Mobile ActiveCode Authentication.

    Click Update and confirm this action.

    Now scroll back up and select Authentication Services.

    Under ActiveCode-enabled Authentication Services, select the AccessAssistant authentication service and enter the account name to which this service is to be applied, then add the account.

    4. Logging on with a Mobile ActiveCode

    Log on to Windows GINA with the user account which has been configured to use MAC authentication.

    Open a browser and enter URL: /aawwp 

    (If you get a message about choosing a digital certificate, just cancel it).

    Enter the account details for the user. You will then be prompted for a MAC code.

    Do not close this window! To find the MAC, go to the email client and read the relevant email.

    Then enter the MAC into the prompt.

    You will then be presented with AccessAssistant and will be able to view your passwords.

    End of Document