Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Kiosk Adapter Installation and Setup Guide GC23-6353-00
Note: Before using this information and the product it supports, read the information in Notices.

First Edition (January 2007)

This edition applies to version 6.0 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2007. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents

IBM Tivoli Access Manager for Enterprise Single Sign-On v5.0: Kiosk Adapter
Installation and Setup Guide
Welcome to TAM E-SSO: Kiosk Adapter
Installation Overview
System Requirements
    Minimum System Requirements
Installation Steps
Installing a Link to TAM E-SSO: Desktop Password Reset Adapter
Event/Audit Logs
Bypassing the TAM E-SSO: Kiosk Adapter Agent
Uninstalling TAM E-SSO: Kiosk Adapter
Welcome to TAM E-SSO: Kiosk Adapter

IBM Tivoli Access Manager for Enterprise Single Sign-On: Kiosk Adapter (TAM E-SSO: Kiosk Adapter) delivers a secure solution that is easy to use and administer and that addresses the needs of traditional Single Sign-Off in a kiosk environment. This solution provides user identification to the kiosk by prompting users to log into an LDAP directory. TAM E-SSO: Kiosk Adapter has a client-side agent that suspends or closes inactive sessions and seamlessly shuts down all applications.

Installation Overview

TAM E-SSO: Kiosk Adapter is installed as an add-on component to IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) version 5.0. TAM E-SSO v5.0 must be installed prior to installing TAM E-SSO: Kiosk Adapter. TAM E-SSO automatically recognizes TAM E-SSO: Kiosk Adapter once it is installed.

The following is a brief overview of the steps that must be taken in order to successfully install TAM E-SSO: Kiosk Adapter. Each step is explained in detail later in this guide, under Installation Steps.

- Review System Requirements
- Install TAM E-SSO v5.0 with LDAP Authenticator and a Synchronizer
- Adjust settings in the TAM E-SSO Administrative Console
- Adjust Windows Screen saver settings
- Install TAM E-SSO: Kiosk Adapter
- Restart Computer
- Install TAM E-SSO: Desktop Password Reset Agent Link (optional)
System Requirements

In order for TAM E-SSO: Kiosk Adapter to install and function properly, your system must meet at least the following requirements.

Minimum System Requirements

- TAM E-SSO version 5.0 (installed with LDAP Auth and a Synchronizer)
- Microsoft Windows 2000 (SP1+), Windows XP, Windows Server 2003
- Microsoft .NET 1.1
- Internet Explorer 6.0 or higher with 128-bit encryption
- Pentium III 733 MHz
- 128 MB RAM
- ~ 3 MB disk space

Make sure the following are installed with TAM E-SSO:

- A Synchronizer must be installed and set up
- LDAP v1 Auth must be installed and set up

The following are NOT directly supported:

- TAM E-SSO GINA - the TAM E-SSO: Kiosk Adapter GINA and TAM E-SSO GINA should not be used together. TAM E-SSO: Kiosk Adapter displays a warning and does not install if the TAM E-SSO GINA is installed.
- TAM E-SSO: Kiosk Adapter does not support TAM E-SSO: Authentication Adapter.
- TAM E-SSO: Kiosk Adapter does not support the TAM E-SSO backup/restore function.
- TAM E-SSO: Kiosk Adapter does not support strong authenticators.
- TAM E-SSO: Kiosk Adapter does not support the following TAM E-SSO specific capabilities:
    o Windows authentication v1 or v2
    o Context-based automatic sync logon
Installation Steps

Follow these steps to install and configure TAM E-SSO: Kiosk Adapter.

Step 1: Review System Requirements

Make sure you have carefully reviewed the system requirements on the previous page.

Step 2: Install TAM E-SSO v5.0

TAM E-SSO: Kiosk Adapter works with TAM E-SSO version 5.0. Install TAM E-SSO 5.0 on your system. Any previous versions of TAM E-SSO must be uninstalled first.

Please note that you must perform a custom installation. The LDAP Logon Method and any Synchronization Manager of your choice must be installed. Please refer to the TAM E-SSO User Guide for detailed instructions.

Step 3: Adjust settings in the TAM E-SSO Administrative Console

Before you install TAM E-SSO: Kiosk Adapter, you must adjust some TAM E-SSO Console settings to work with TAM E-SSO: Kiosk Adapter and set up your TAM E-SSO: Kiosk Adapter settings.

Open the TAM E-SSO administrative console by pointing to Start > Programs > Passlogix > TAM E-SSO > TAM E-SSO Console.

1. Expand Kiosk Adapter. This is where applications are configured for TAM E-SSO: Kiosk Adapter. You can add, edit and delete all applications from this section. There are two types of applications:

    - Applications to Leave Running on Session End
    - Applications to Close on Session End

   To add applications to these lists, click Add, enter the Process Path Key, and click OK.

   Note: Please refer to the TAM E-SSO Console Help for more information about adding applications.

2. Right-click Global Agent Settings, point to Import, click From Live HKLM. Expand Live.

3. Set up LDAP v1 Authenticator.

    a. Expand Primary Logon Methods, expand LDAP, and click Required.
    b. Set up the LDAP to work with TAM E-SSO: Kiosk Adapter. SSL may need to be turned on or off. This will vary according to your setup. Please refer to the TAM E-SSO Console Help for detailed instructions on setting up LDAP.
4. Set up Sync.

    a. Expand Synchronization and click on the Synchronization Manager you installed. This will vary according to your setup. Please refer to the TAM E-SSO Console Help for detailed instructions on setting up Sync.

   Note to Active Directory Users: If you will be using LDAP auth against Active Directory sync, perform the following steps:

    1. Expand Active Directory and click Advanced.
    2. For Credentials to Use, select Use Active Directory server account only.

5. Click on Synchronization. Check the Delete Local Cache and change setting to Delete. This setting deletes user's data files and registry keys upon shutdown of the agent.

6. Expand End User Experience and click Setup Wizard. Check the Enable/disable First Time Use (FTU) wizard and change setting to Hide. This setting hides the FTU wizard.

7. Click Kiosk Adapter. This is where you can set up the TAM E-SSO: Kiosk Adapter settings. Adjust the following settings to your preference:

   Setting: Close suspended sessions after how many seconds
   Description: Determines the amount of time (in seconds) of inactivity after which a session should close. Default is 600 seconds.

   Setting: Event Log Machine Name
   Description: The name of the local machine where kiosk events should be logged.

   Setting: Event Log Name
   Description: Enter the name of the Windows event log where kiosk events should be logged.

   Setting: How should we determine which applications to close
   Description: Controls how applications should be closed. The choices are:
    - Do not close any applications
    - Only close applications configured to be closed on session end (Default)
    - Close all applications except those configured to be left running on session end

   Setting: Lock session when only applications open are those configured to be left running on session end
   Description: Determines whether a session should lock (after a specified period of time) if only applications open are those configured to be left running on session end.
    - Yes
    - No (Default)
   Note: If Yes is selected, at least one application must be configured to be left running on session end. These applications are configured in the Kiosk Adapter Applications to Leave Running on Session End list.

   Setting: Lock the session after how many seconds
   Description: Enter the amount of time (in seconds) before TAM E-SSO: Kiosk Adapter should check for applications that are configured to be left running on session end. This setting only needs to be entered if the above setting, Lock session when only applications open are those configured to be left running on session end, is set to Yes. Default is 180 seconds.

   Setting: Number of times to process termination
   Description: Enter the number of times that TAM E-SSO: Kiosk Adapter should process the termination of an application. This setting instructs the termination process to loop a certain number of times (or until it is done), whichever comes first. This allows TAM E-SSO: Kiosk Adapter to react to an application if it displays multiple screens during the termination process.

   Setting: Restart Computer
   Description: Determines whether the restart computer option is enabled on the Desktop Manager.
    - Disable (Default)
    - Enable
   Note: Even if this setting is enabled, the option may still be disabled if the Kiosk account does not have sufficient privileges.

   Setting: Show the tray icon
   Description: Determines whether the tray icon should be shown.
    - Show (Default)
    - Do not show

   Setting: Shutdown Computer
   Description: Determines whether the shutdown computer option is enabled on the Desktop Manager.
    - Disable (Default)
    - Enable
   Note: Even if this setting is enabled, the option may still be disabled if the Kiosk account does not have sufficient privileges.

8. Expand Kiosk Adapter and click Advanced. This is where you can set up the TAM E-SSO: Kiosk Adapter's Advanced settings. Adjust the following settings to your preference:

   Setting: Show confirmation message when restarting kiosk
   Description: This setting determines whether a user should be prompted with a confirmation message after choosing to restart the kiosk.

   Setting: Show confirmation message when shutting down kiosk
   Description: This setting determines whether a user should be prompted with a confirmation message after choosing to shut down the kiosk.

   Setting: Show confirmation message when starting a new session
   Description: This setting determines whether a user should be prompted with a confirmation message after choosing to start a new session. This message appears only if there is an existing session open.

9. Expand Kiosk Adapter, click Advanced, and click Special Tasks. The Special Tasks settings control the tasks (lists of commands) that should be executed when Kiosk Adapter actions occur. For each set of tasks, select the checkbox and click ... to open the Edit List dialog box. Type one command on each line; end each line by pressing Enter. Do not use any other delimiter characters. Adjust the following settings to your preference:

   Setting: After session is closed
   Description: Command(s) that will run after a session is closed.

   Setting: After starting a new session
   Description: Command(s) that will run after a new session is started.

   Setting: Before starting a new session
   Description: Command(s) that will run before a new session is started.

10. Once all the settings have been configured, they must be exported to the HKLM. Right-click Live and click Write to Live HKLM. A message asks if you are sure you want to apply the global agent settings in Live to the HKLM. Click Yes.

11. It is recommended that CheckForParentProcess be set to 0 for LDAPAuth. This is set by default by the TAM E-SSO installer.

Step 4: Adjust Windows Screen Saver settings

The TAM E-SSO: Kiosk Adapter desktop manager has a lock that is triggered by the normal OS-level session lock timeout (the OS inactivity time value). To change this value, open the desktop's Display Properties dialog (right-click on the desktop and click Properties) and click the Screen Saver tab. Select a Screen Saver and change the Wait time (default of 15 minutes) to the desired amount of time (in minutes) a session should be inactive before TAM E-SSO: Kiosk Adapter suspends the session.
Step 5: Install TAM E-SSO: Kiosk Adapter

Follow these steps to install and configure the TAM E-SSO: Kiosk Adapter Client Agent.

1. Close all programs.
2. Open the TAM E-SSO KA directory on the CD-ROM.
3. Double-click the TAM E-SSO Kiosk Adapter.exe file to begin the installation.
4. The Choose Setup Language dialog appears. Select your language and click OK.
5. The Welcome Panel appears. Click [Next>].
6. The License Agreement panel appears. Read the license agreement carefully. Select I accept the terms in the license agreement and click [Next>] to continue.
7. Select the Complete setup type and click [Next>].
8. TAM E-SSO: Kiosk Adapter is ready to be installed. Click [Install>].
9. Wait for the installation to complete. When it is done, click [Finish].
10. TAM E-SSO: Kiosk Adapter prompts you to restart your computer.

Step 6: Restart Computer

After completing the installation of TAM E-SSO: Kiosk Adapter, you are prompted to restart your computer. Upon restart, TAM E-SSO: Kiosk Adapter removes the TAM E-SSO task bar menu and replaces it with its own menu, which integrates the TAM E-SSO menu into it.

TAM E-SSO: Kiosk Adapter disables the following TAM E-SSO menu options:

- Change Primary Logon
- Shut Down
- Backup/Restore

Note: TAM E-SSO: Kiosk Adapter removes the TAM E-SSO userinit entries. If TAM E-SSO: Kiosk Adapter is uninstalled, you will need to repair your installation of TAM E-SSO through the Add/Remove Programs dialog. See the next section, Uninstalling TAM E-SSO: Kiosk Adapter.
Installing a Link to TAM E-SSO: Desktop Password Reset Adapter

A link to TAM E-SSO: Desktop Password Reset Adapter can be installed to the TAM E-SSO: Kiosk Adapter's home page (Desktop Manager). This allows users to reset their own kiosk password (AD via LDAP auth) using TAM E-SSO: Desktop Password Reset Adapter.

The TAM E-SSO: Kiosk Adapter Installer installs the two registry keys needed to link to TAM E-SSO: Desktop Password Reset Adapter: REG_RESETURL and REG_CHECKSTATUSURL. Once these registry keys are populated with the appropriate values, the following link will appear on the TAM E-SSO: Kiosk Adapter Desktop Manager:

    I forgot my password and need to reset it

The link to the TAM E-SSO: Desktop Password Reset Adapter Client can be installed as a DOS command, using the following command syntax:

    msiexec /i [/q] c:\v-go_smagent.msi programurls

/q
    Quiet mode: suppress all installer user interface messages. Refer to the description of other Windows Installer command line options for msiexec at http://msdn.microsoft.com.

programurls (required):
    REG_RESETURL="http://host/vgoselfservicereset/resetclient/default.aspx"
    REG_CHECKSTATUSURL="http://host/vgoselfservicereset/resetclient/checkstatus.aspx"

    where: host is the server name (or domain name/ip address) and path of the folder that holds the TAM E-SSO: Desktop Password Reset Adapter service root folder.

Event/Audit Logs

TAM E-SSO: Kiosk Adapter logs TAM E-SSO: Kiosk Adapter Agent events to Windows Event Log. The Windows Event Log can be on the local machine or on a remote machine. Windows Event Log can be named one of the three known log names, or can be given a custom log name. These settings are configured in the TAM E-SSO Admin Console.

Bypassing the TAM E-SSO: Kiosk Adapter Agent

If needed, the TAM E-SSO: Kiosk Adapter Agent (SMAgent) can be bypassed when a kiosk is started up. The Agent will not start if you hold the Shift key down while logging into the computer.
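
The msiexec syntax given under Installing a Link to TAM E-SSO: Desktop Password Reset Adapter, composed in PowerShell as an added example (not code from the guide or the product): it builds both programurls values from one host name, rejects a value that would produce a malformed URL, and runs the installer only if the package is present. The function name, the placeholder host sspr.example.test and the optional https scheme are assumptions; the package path and property names are the ones the guide gives.

```powershell
# Added example, not IBM/Passlogix code. Builds the argument list for the
# guide's syntax: msiexec /i [/q] c:\v-go_smagent.msi programurls
function New-ResetLinkArgumentList {
    param(
        [Parameter(Mandatory = $true)]
        [string] $ResetHost,                        # server name, domain name or IP address
        [string] $MsiPath = 'c:\v-go_smagent.msi',  # package path as written in the guide
        [ValidateSet('http', 'https')]
        [string] $Scheme = 'http',                  # the guide shows http; https is an assumption
                                                    # that the reset service is published over TLS
        [switch] $Quiet
    )

    $base = "${Scheme}://$ResetHost/vgoselfservicereset/resetclient"
    $properties = [ordered]@{
        REG_RESETURL       = "$base/default.aspx"
        REG_CHECKSTATUSURL = "$base/checkstatus.aspx"
    }

    # Refuse values that would leave a broken link on the Desktop Manager:
    # whitespace or quotes in the host, or anything that is not an absolute URL.
    foreach ($name in $properties.Keys) {
        $url = $properties[$name]
        $parsed = $null
        $wellFormed = [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$parsed)
        if (-not $wellFormed -or $url -match '[\s"]') {
            throw "$name would be set to a malformed URL: '$url'"
        }
    }

    # Options are placed after the package path, the usual msiexec form.
    $argList = @('/i', "`"$MsiPath`"")
    if ($Quiet) { $argList += '/q' }
    foreach ($name in $properties.Keys) {
        # Each property is passed as NAME="value" so msiexec receives it intact.
        $argList += ('{0}="{1}"' -f $name, $properties[$name])
    }
    return $argList
}

# Constructed sample value: 'sspr.example.test' is a placeholder host name.
$msi = 'c:\v-go_smagent.msi'
$argList = New-ResetLinkArgumentList -ResetHost 'sspr.example.test' -MsiPath $msi -Quiet
Write-Output ('msiexec.exe ' + ($argList -join ' '))

# Run the installer only when the package actually exists on this machine.
if (Test-Path -LiteralPath $msi) {
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    # 0 = success, 3010 = success but a restart is required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }
}
```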
Uninstalling TAM E-SSO: Kiosk Adapter

Follow these steps to uninstall TAM E-SSO: Kiosk Adapter.

1. Click Start > Settings > Control Panel.
2. Open Add/Remove Programs.
3. Select IBM Tivoli Access Manager for Enterprise Single Sign-On: Kiosk Adapter v5.0 and click [Remove].
4. Follow the prompts to uninstall TAM E-SSO: Kiosk Adapter.
5. TAM E-SSO: Kiosk Adapter prompts you to restart your computer. Click [No].
6. Go back into the Add/Remove Programs dialog. Select IBM Tivoli Access Manager for Enterprise Single Sign-On v5.0 and click [Change].
7. TAM E-SSO Install Shield wizard appears. Click [Next>].
8. Select Repair and click [Next>].
9. TAM E-SSO is ready to be installed. Click [Install>].
10. Wait for the installation to complete. When it is done, click [Finish].
11. Restart your computer.

Note: TAM E-SSO: Kiosk Adapter removes any TAM E-SSO Global Agent Settings that are changed while TAM E-SSO: Kiosk Adapter is installed. If TAM E-SSO: Kiosk Adapter is uninstalled, you will need to re-apply these settings to TAM E-SSO. For example, under Synchronization, change Delete Local Cache back to Do Not Delete.
Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

    IBM Corporation
    2ZA4/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

    AIX
    DB2
    developerWorks
    eServer
    IBM
    iSeries
    Lotus
    Passport Advantage
    pSeries
    RACF
    Rational
    Redbooks
    Tivoli
    WebSphere
    zSeries

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.
Printed in USA GC23-6353-00