Encentuate was the company that originally developed this application. They were acquired by IBM Tivoli Software and the application was renamed to Tivoli Access Manager for Enterprise Single Sign-On.
IMS servers: The Integrated Management System (IMS) server provides administrative, reporting, help desk, and password reset functionality, and is the repository for user data. AccessAdmin and AccessAssistant are the tools used to provide management and reporting capability. The infrastructure to communicate with and manage the AccessAgents (clients) is also managed through the IMS Server.

IMS database: The IMS server requires a database to store configuration data, policy data, user data, application profiles, and audit logs. Tivoli Access Manager for Enterprise Single Sign-On currently supports Oracle, Microsoft SQL, and IBM DB2 database servers.

AccessAgent: The client component is installed on all systems that require single sign-on (SSO) functionality. AccessAgent can be installed on individual Windows clients, as well as Microsoft Terminal Services and Citrix MetaFrame/Xen systems.

AccessStudio: AccessStudio is a software tool designed for Tivoli Access Manager for Enterprise Single Sign-On administrators to profile applications.
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
The following components are not part of the Tivoli Access Manager for Enterprise Single Sign-On product, but they represent infrastructure components that may or may not be present in the environment.

Identity directory: Typically an Active Directory or LDAP environment is used by Tivoli Access Manager for Enterprise Single Sign-On to validate users during the registration process for SSO services. Additionally, when Active Directory is used, Tivoli Access Manager for Enterprise Single Sign-On can also provide self-service password reset services.

Load balancing/high availability for IMS and database services: While Tivoli Access Manager for Enterprise Single Sign-On is a client/server architecture, the solution does not depend on network connectivity between the AccessAgent and the IMS Server to provide a functional SSO experience for the users. In fact, given the mobility of laptops and the typical movement of users between office and home, it is common for the AccessAgent to be out of contact with the IMS server. IMS servers can be clustered for load balancing and high availability. A separate session-aware load balancer must be used to channel traffic into an IMS Server cluster. Database servers can be clustered for load balancing and high availability using the individual manufacturers' technology.

Figure 1 on page 2 also depicts the communication protocols used by Tivoli Access Manager for Enterprise Single Sign-On. Client communication over unsecured HTTP is only used during installation; SSL-encrypted communication is used for all production traffic. To find out more about the Tivoli Access Manager for Enterprise Single Sign-On components, read the IBM Redbooks publication Deployment Guide Series: IBM Tivoli Access Manager for Enterprise Single Sign-On 8.0, SG24-7350.
enterprise directory can be configured to use AD deployment type 1 or 2. In an AD deployment type 1 configuration, all user names must be unique, across domains and even forests. This mode is used for backward compatibility with previous AccessAgent versions. If user names can be duplicated across different domains, the IMS Server should be configured to use AD deployment type 2. IMS Server versions from 3.5.0 onwards support only AD deployment type 2 configurations.
2. Go to Basic Settings → Enterprise Directories (Figure 3). Select the enterprise directory you have configured for Active Directory (ENCActiveDirectory) and click Update directory.
3. In the next panel, scroll down to the Application Connector Configuration section and check whether the connector is the Active Directory (ADSI) Connector or the Active Directory (LDAP) Connector. If it is the latter, click the Delete Connector button and then configure an Active Directory (ADSI) Connector instead. The red frame in Figure 4 on page 6 shows that the Active Directory (ADSI) Connector is configured.
4. You can now begin the migration to v3.5. Run the IMS installer v3.5 and proceed to the Select Installation Type dialog. Select Upgrade and click Next.
When proceeding with the update installer, make sure to select the correct previous installation folder and the new installation folder, and finish the upgrade process. Once the upgrade is complete, the AD deployment type has been automatically changed to type 2 and the users have been migrated as well.
5. The IMS Server Configuration utility will be automatically launched as shown in Figure 6.
6. Go to Basic settings → Enterprise directories, select the enterprise directory you have configured for Active Directory, and click Update directory as shown in Figure 7.
7. In the next panel, scroll down to Application connector configuration. In the Basic configuration keys section, select DNS for the domain type to be shown in AccessAgent, as shown in Figure 8. Scroll all the way to the end of the dialog and click Save and Test.
9. Stop the IMS Server by clicking Start → All Programs → Encentuate IMS Server → Stop IMSService (Figure 9).
10. Start the IMS Server by clicking Start → All Programs → Encentuate IMS Server → Start IMSService.
11. Note that the DNS domain (for example, tci.encentuate.com) instead of the NetBIOS domain (for example, tci) will now be shown in the AccessAgent logon prompt, as shown in Figure 10.
Figure 10 The AccessAgent login prompt with the DNS domain name
If you would like to switch back to using a NetBIOS domain, the IMS Server must be upgraded to version 3.5.1 or later, and AccessAgent on all machines must be upgraded to version 3.5.2 or later.
Once that is done, you can switch back to using the NetBIOS domain by performing the following steps:
1. Launch the IMS Server Configuration utility.
2. Go to Basic settings → Enterprise directories.
3. Select the enterprise directory you have configured for Active Directory and click Update directory.
4. In the next panel, scroll down to the Application connector configuration. In the Basic configuration keys section, select NetBIOS for the domain type to be shown in AccessAgent. Scroll all the way to the end of the dialog and click Save and Test.
5. Close the IMS Server Configuration utility.
6. Stop the IMS Server by clicking Start → All Programs → Encentuate IMS Server → Stop IMSService.
7. Start the IMS Server by clicking Start → All Programs → Encentuate IMS Server → Start IMSService.
Figure 11 Updating the User Policy Template with the correct authentication policy
2. Search for a user to whom the policy has to be reapplied. If you search for a particular user, as shown in Figure 12, and that user has been found, you will immediately be presented with the user profile page. If you search with a wildcard you may see a list of users. Once you select a particular user you will be presented with the user profile page.
3. Scroll down to the bottom of the user profile page, select the appropriate user policy template, in our case Default, and click Update (Figure 13).
Figure 13 Updating a user with a new (or existing updated) user policy template
4. To achieve the same results for a larger number of users, rather than an individual user, search for the users in AccessAdmin, as shown in Figure 14.
5. In the users found list that is displayed in Figure 15, select the users you want to apply the policy template to. Select the policy template in the drop-down menu, and click Apply to selected results.
Figure 15 Updating a list of users with a new (or existing updated) user policy template
UPDATE [dbowner].IMSTemplatedSyncRepo
SET isDeleted = 1, updateTimeStamp = GETDATE()
WHERE (attrName = 'account_data')
  AND (entityTypeID = 'scp_user')
  AND (keyValue LIKE '%>' + '[Authentication service ID linked to enterprise directory]' + '<%>'
       + (SELECT attrValue FROM [dbowner].IMSIdentityUniqueAttribute B
          WHERE entityID = B.imsID AND attrName = 'Enterprise Login')
       + '<%')

You might need to run the SQL script more than once if multiple authentication services are linked to the enterprise directory. Figure 16 shows an example when using SQL Server as the IMS database.
Note: This SQL script deletes account data used to synchronize with Encentuate passwords for all users by setting the isDeleted flag to 1 and updating the updateTimeStamp.
2. Use the XML editor in AccessStudio to add the attribute wnd_should_be_enabled="0" to all wnd_xpath_combo_box_indirect_auth_info nodes in the sso_site_gina_winlogon AccessProfile as shown in Figure 17. Upload the AccessProfile to IMS Server.
After upgrading the IMS server, all users who are using RFID as a second factor should only log on to AccessAgent using [domain]\[SAM Account Name] as the user name, as shown in Figure 18.
Note: When users tap their RFID card before entering their password, they are effectively logging in to AccessAgent with [domain]\[SAMAccountName] as the user name. This will cause account data with the same user name to be saved in the Wallet. If RFID is being used as a second factor authenticator, but at least one application that authenticates with AD does not accept [domain]\[SAMAccountName] as the user name, it is best to enforce no changing of AD and Encentuate passwords until all AccessAgent clients have been upgraded. After all AccessAgent clients have been upgraded, replace [dbowner] and [Authentication service ID linked to enterprise directory] accordingly and run the SQL script shown in Example 2 against the IMS Server database.
Example 2 SQL update script
UPDATE [dbowner].IMSTemplatedSyncRepo
SET isDeleted = 1, updateTimeStamp = GETDATE()
WHERE (attrName = 'account_data')
  AND (entityTypeID = 'scp_user')
  AND (keyValue LIKE '%>' + '[Authentication service ID linked to enterprise directory]' + '<%>'
       + (SELECT attrValue FROM [dbowner].IMSIdentityUniqueAttribute B
          WHERE entityID = B.imsID AND attrName = 'Enterprise Login')
       + '<%')

You might need to run the SQL script more than once if multiple authentication services are linked to the enterprise directory.

Note: This SQL script deletes duplicate account data used to synchronize with the Encentuate password for all users by setting the isDeleted flag to 1 and updating the updateTimeStamp.
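The update scripts in this section (the one above and the earlier one in the AD deployment type section) flag account data for every user in one statement, so it is worth seeing which rows will be touched before committing. The following T-SQL is an added example, not part of the Redpaper or the product: it previews the matching rows into a temporary table, runs the same UPDATE inside a transaction, and commits only if the row count agrees with the preview. It uses only the tables and columns the guide's own script references; the @authSvc placeholder is filled in exactly as the guide instructs, and the added isDeleted = 0 filter is an assumption that keeps repeated runs from rewriting rows already flagged.

```sql
-- Added example (not from the Redpaper). Run against the IMS Server database on SQL Server.
SET XACT_ABORT ON;   -- any runtime error (e.g. a subquery returning 2 rows) rolls everything back

-- Placeholder: replace with the authentication service ID linked to the enterprise directory.
DECLARE @authSvc NVARCHAR(256);
SET @authSvc = N'[Authentication service ID linked to enterprise directory]';

-- 1. Preview: rows the cleanup would flag. isDeleted = 0 (added here) skips rows
--    flagged by an earlier run for another authentication service.
SELECT R.entityID, R.keyValue, R.updateTimeStamp
INTO #preview
FROM [dbowner].IMSTemplatedSyncRepo AS R
WHERE R.attrName = 'account_data'
  AND R.entityTypeID = 'scp_user'
  AND R.isDeleted = 0
  AND R.keyValue LIKE '%>' + @authSvc + '<%>'
      + (SELECT B.attrValue
         FROM [dbowner].IMSIdentityUniqueAttribute AS B
         WHERE B.imsID = R.entityID AND B.attrName = 'Enterprise Login')
      + '<%';

SELECT * FROM #preview;   -- inspect this result set before trusting the commit below

DECLARE @expected INT;
SELECT @expected = COUNT(*) FROM #preview;

-- 2. The guide's UPDATE, with the same predicate as the preview, inside a transaction.
BEGIN TRANSACTION;

UPDATE R
SET R.isDeleted = 1, R.updateTimeStamp = GETDATE()
FROM [dbowner].IMSTemplatedSyncRepo AS R
WHERE R.attrName = 'account_data'
  AND R.entityTypeID = 'scp_user'
  AND R.isDeleted = 0
  AND R.keyValue LIKE '%>' + @authSvc + '<%>'
      + (SELECT B.attrValue
         FROM [dbowner].IMSIdentityUniqueAttribute AS B
         WHERE B.imsID = R.entityID AND B.attrName = 'Enterprise Login')
      + '<%';

-- 3. Commit only if exactly the previewed rows were changed; otherwise undo.
IF @@ROWCOUNT = @expected
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Row count differs from preview; no rows were committed.', 16, 1);
END;

DROP TABLE #preview;
```

Where several authentication services are linked to the enterprise directory, run the script once per service with a different @authSvc, as the guide says. The correlated subquery assumes at most one Enterprise Login attribute per user; if a user had more than one, SQL Server raises an error and, with XACT_ABORT on, the transaction is rolled back rather than partially applied.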
Citrix functionality
In v8.0, there has been a significant change in the Citrix functionality of the AccessAgents. Prior to v8.0, the local AccessAgent installed on the user's local PC could communicate with the AccessAgent installed on the Citrix Server. In v8.0, this communication, which is facilitated through the Citrix Virtual Channel, is no longer available by default. If you do require this functionality, additional services are needed to implement the virtual channel functionality on-site. The reduced Citrix functionality and corresponding workarounds are summarized in the following paragraphs to help you determine how critical this functionality is for you:

- A second manual logon to AccessAgent on the Citrix Server is required if the Tivoli Access Manager for Enterprise Single Sign-On Network Provider is not enabled. Workaround 1: If AD password synchronization is disabled, caching of Encentuate logon credentials on the Citrix Server should be enabled by setting pid_ts_logon_cache_enabled to 1. However, a user still has to manually log on to AccessAgent the first time, and subsequently every time he changes the Tivoli Access Manager for Enterprise Single Sign-On password. Workaround 2: If AD password synchronization is enabled, the Tivoli Access Manager for Enterprise Single Sign-On Network Provider should be enabled by setting pid_en_network_provider_enabled to 1 so that the Windows credentials are used to log on to AccessAgent.

- There will be no immediate synchronization between a local AccessAgent on a user's PC and a remote AccessAgent on the Citrix Server. There is no workaround for this situation.

- If you disable automatic sign-on on the local AccessAgent, the remote AccessAgent's automatic sign-on functionality will not be disabled automatically. There is no workaround for this situation.

- Remote AccessAgent will not be informed when the user logs out of the local AccessAgent or locks the computer. This means that in Shared Desktop user switch scenarios, the remote AccessAgent will not log off from the user's Citrix session even if the local AccessAgent logs off from the user's session. Workaround: The AccessProfile for the Citrix ICA client (wfica32.exe) must be able to close the Citrix client (or perform a graceful logoff) to make sure the remote session also ends. For situations where users lock the computer, AccessAgent lock scripts can be used.

- The AccessAgent on the Citrix Server icon cannot show a different menu based on whether the user is logged in to the server via a Citrix session or directly. If a user is logged in to both the local and the remote AccessAgent, two AccessAgent icons are displayed in the system tray. Currently, the remote AccessAgent will not have the same right-click menu options as the local AccessAgent if pid_ts_aa_menu_option is set to 1. Without ICA channel support, the remote AccessAgent does not know whether a local AccessAgent exists, and thus always displays the full menu. The user will, however, be able to distinguish between the two AccessAgent icons because the mouse-over text of the remote AccessAgent icon indicates TAM E-SSO AccessAgent on xxx server. There is no workaround for this situation.

- The user is not logged off from the remote AccessAgent when a thin client session is reconnected. If RFID is used for two-factor authentication on thin clients, the Citrix session is a generic machine-specific session for each thin client. This session may be disconnected at times if the network connection is poor. In that case, the thin client may automatically reconnect to the previous session when the network is available again, and the previously open desktop may then show up on the screen. Since the remote AccessAgent does not know whether this is a thin client scenario, it will not automatically perform a logoff. There is no workaround for this situation.

- Launching of the remote AccessAgent cannot be disabled even when no local AccessAgent is present. Currently, the launching of the remote AccessAgent while a published application is launched through Terminal Server can be disabled when no local AccessAgent is present by setting pid_ts_start_aa_no_local_aa_enabled to 0. Without ICA channel support, the remote AccessAgent does not know whether a local AccessAgent exists, and thus will always be launched. There is no workaround for this situation.
These registry settings controlled the behavior of the machine, examples of which are:
- Desktop inactivity timeout
- Second factor used to strengthen access to the machine
- Type of workstation (Shared or Personal)
- Type of desktop for Shared machines (Private or Shared)

These registry settings were distributed along with the AccessAgent installation package. The package consisted of a folder called Reg, which contained a registry file called DeploymentOptions.reg, which was responsible for configuring the machine with the correct registry settings.
In IMS version 3.6 and later, a new scope of policies applicable to machines in an enterprise has been introduced on the IMS Server. These machine policies can be configured via AccessAdmin. As with policies in other scopes, changes in these policies are propagated to clients the next time AccessAgent synchronizes with the IMS Server (typically every 30 minutes). IMS applies machine policies to machines after they join the IMS Server; the policies are then automatically synchronized to AccessAgent. There can be several machine policy templates defined in IMS, one of which is set as the default. Through AccessAdmin, machine policies can be modified by an administrator, whereas a help desk officer can only view them.
caveat to note here is that if the IP address of the machine changes (resulting in a new template assignment), the template assigned to it would have to be changed manually.
Database backup
A complete backup of the database is recommended before proceeding. This ensures that the data and configurations are not lost in the event of an unexpected malfunction.
For MS SQL Server, it is recommended that you copy the MDF (data) and LDF (transaction log) files to the backup folder, in addition to taking a standard SQL backup. By default the SQL files are stored in: C:\Program Files\Microsoft SQL Server\MSSQL\Data
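A standard SQL backup is only useful if it can be restored, so the backup step should include a verification. The T-SQL below is an added example, not from the Redpaper, showing a full backup of the IMS database with checksums followed by a verify-only restore and a check of the backup history. The database name IMSDB and the backup path are placeholders for your own values.

```sql
-- Added example (not from the Redpaper): full backup of the IMS database before the upgrade.
DECLARE @db SYSNAME;
DECLARE @file NVARCHAR(260);
SET @db = N'IMSDB';                                        -- placeholder: your IMS database name
SET @file = N'D:\Backup\IMSDB_pre_v8_upgrade.bak';        -- placeholder: your backup folder

-- Full backup. CHECKSUM makes SQL Server verify page checksums as it reads the data
-- and write a backup checksum; INIT overwrites an older file of the same name.
BACKUP DATABASE @db
    TO DISK = @file
    WITH INIT, CHECKSUM, STATS = 10;

-- Confirm the backup media is complete and readable before relying on it.
-- This does not restore anything; it fails if the file or its checksums are bad.
RESTORE VERIFYONLY FROM DISK = @file WITH CHECKSUM;

-- Cross-check against msdb's backup history: the newest full backup ('D') of the
-- database should be the file just written, with a finish time.
SELECT TOP (1)
       bs.database_name,
       bs.backup_finish_date,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.database_name = @db
  AND bs.type = 'D'
ORDER BY bs.backup_finish_date DESC;
```

The MDF and LDF copies the guide also recommends can only be taken consistently while SQL Server is not holding the files open, that is, after detaching the database or stopping the SQL Server service; the BACKUP DATABASE statement, by contrast, can run while the IMS Server is in use.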
Summary
While this document presents the details of a standard v3.4 to v8.0 upgrade, it is important to keep in mind that some environments have customizations in place that can be affected by this upgrade. As a consequence, the importance of planning for the upgrade and backing up the existing environment cannot be overstated. A typical recommendation is to have at least one test or development environment. This test environment should be an accurate reflection of the production environment and should take into account, to a reasonable extent, the database size, server hardware, PC configuration (antivirus, and so on), and other variables.
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Copyright International Business Machines Corporation 2009. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
This document REDP-4615-00 was created or updated on December 17, 2009. Send us your comments in one of the following ways: Use the online Contact us review Redbooks form found at: ibm.com/redbooks Send your comments in an email to: redbooks@us.ibm.com Mail your comments to: IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400 U.S.A.
Redpaper
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
DB2 IBM IMS Redbooks Redpaper Redbooks (logo) Tivoli
The following terms are trademarks of other companies: Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation and/or its affiliates. Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.