Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Web Viewer Installation and Setup Guide SC32-1991-03
Note: Before using this information and the product it supports, read the information in Notices, on page 13. This edition applies to version 6.0 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation 2005, 2007. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents

- Welcome to TAM E-SSO Web Viewer
- Installation Overview
- System Requirements
  - Minimum System Requirements
- Installation Steps
Welcome to TAM E-SSO Web Viewer

TAM E-SSO Web Viewer is an adaptation of TAM E-SSO's "Logon Manager" for the Web. TAM E-SSO Web Viewer enables users to retrieve passwords when they are using a Web-enabled machine on which TAM E-SSO is not available. The functionality is similar to the TAM E-SSO Logon Manager for viewing credentials. The most significant difference is that it is placed in a web browser, and focuses on security without sacrificing convenience to the user.
Installation Overview

TAM E-SSO Web Viewer may be installed as an add-on component to TAM E-SSO. TAM E-SSO does not need to be installed prior to installing TAM E-SSO Web Viewer. However, if TAM E-SSO Agent is configured on the machine, some extra configuration steps have already been performed.

The following is a brief overview of the steps that must be taken in order to successfully install TAM E-SSO Web Viewer. Each step is explained in detail later in this guide, under Installation Steps.

- Review System Requirements
- Install TAM E-SSO Web Viewer
- Configure Internet Information Server settings
- Configure settings in the Windows Registry (if TAM E-SSO is not installed)
- Configure settings in the TAM E-SSO Administrative Console
- Accessing TAM E-SSO Web Viewer
System Requirements

In order for TAM E-SSO Web Viewer to install and function properly, your system must meet at least the following requirements.

Minimum System Requirements

- TAM E-SSO Administrative Console and Agent v6.0 or later.
- A Microsoft Active Directory or Microsoft ADAM Synchronizer must be installed and configured, with Windows Authentication v1.
- Microsoft Internet Information Server (IIS), version 5.0 or later.
- Microsoft Windows 2000 (SP3+), Windows Server 2003
  For security reasons, this server machine should not be the Domain Controller, and TAM E-SSO should not be installed on this machine.
- Microsoft .NET 2.0
- Windows Installer 3.1
- Internet Explorer 6.0 or higher with 128-bit encryption on client machines
- Pentium III 733 MHz
- 128 MB RAM
- ~ 1 MB disk space
Installation Steps

Follow these steps to install and configure TAM E-SSO Web Viewer.

Step 1: Review System Requirements

Make sure you have carefully reviewed the system requirements.

Step 2: Install TAM E-SSO Web Viewer

Follow these steps to install and configure the TAM E-SSO Web Viewer Client Agent.

1. Close all programs.
2. Place the TAM E-SSO installation CD in your CD-ROM drive and the TAM E-SSO Main Menu appears automatically (or start the installation from a shared network drive).
3. Click Web Viewer to begin the installation.
4. The Welcome Panel appears. Click [Next>].
5. The License Agreement panel appears. Read the license agreement carefully. Select I accept the terms in the license agreement and click [Next>] to continue.
6. Select the Standard setup type and click [Next>]. (Custom setup is an option, if the Web Viewer must be installed to a non-default directory; the same components are installed in either case.)
7. TAM E-SSO Web Viewer is ready to be installed. Click [Install>].
8. Wait for the installation to complete. When it is done, click [Finish].
Step 3: Configure security settings for IIS

As part of installation, TAM E-SSO Web Viewer is set to operate as the default IIS user. This account generally has insufficient permission to accomplish its tasks, however, and it is therefore suggested that this user be replaced with an administrative account on the domain.

This can be accomplished by opening the Internet Information Services applet in Control Panel (Control Panel/Administrative Tools/Internet Information Services) and locating the entry for the TAM E-SSO Web Viewer, installed as a Default Web Site with the name SSOWebViewer. View the Properties (available from the Context Menu on right-click), and select the Directory Security tab. Edit the Anonymous access and authentication control items, uncheck Allow IIS to control password, and type the Username and Password for the account into the appropriate boxes. Windows will ask you to confirm this password.

Be sure that this user has logged into the machine at least once. When in use, the Web Viewer stores temporary content under this user's profile, which will not exist until the user logs in. If software or settings have been configured in the past to delete this profile on logoff, change them so that the profile is kept.

Step 4: Configure settings in the Windows Registry

After you install TAM E-SSO Web Viewer, you must configure some settings in the Windows registry so that Web Viewer has access to the credential repository. If TAM E-SSO Agent is running on the machine, this configuration already exists and you do not need to change anything in the registry.

If TAM E-SSO Agent is not installed, this configuration (a simplification of TAM E-SSO's SyncManager configuration) must be applied manually. If preferred, this information can also be copied from an existing TAM E-SSO installation and/or may be set through the TAM E-SSO Administrative Console.
This configuration should match that of a working TAM E-SSO installation on the network. For example, in the absence of any other TAM E-SSO products and a simple example configuration (no Configuration Objects, vgolocators used), the following would be appropriate.

1. Open the Windows Registry and drill down to the following node:

   HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\<subkey>

   <subkey>: Underneath the Syncs key, you must create a subkey for the server of interest. The subkey name should correspond with the server name (many TAM E-SSO installations call it ADEXT, the default Active Directory name from TAM E-SSO). In each of these subkeys, the following values must be added:
   | Value Name | Type | Description |
   | --- | --- | --- |
   | UserPath1 | String | The user path on this server. For example, ou=users,dc=company,dc=com. |
   | Path | String | Set to the path of ADSync.dll on your system. |
   | UseSSL | DWORD | If the repository server accepts SSL connections from the TAM E-SSO Agent, set to 1. Otherwise, set to 0. |

2. In the server subkey, a Servers subkey must be created, with a single value inside it:

   | Value Name | Type | Description |
   | --- | --- | --- |
   | Server1 | String | The address of the server in question. For example, webviewermachine.company.com. |

3. Finally, higher up the tree, underneath the Syncs key, you must supply another value:

   | Value Name | Type | Description |
   | --- | --- | --- |
   | SyncOrder | String | The list of server keys created above, comma-delimited, in order of usage. For example, if one server exists, webviewermachine, or for multiple servers, server1,server2,server3. |

Step 5: Configuring Settings in the TAM E-SSO Administrative Console

Configuration settings specific to the TAM E-SSO Web Viewer are located in the TAM E-SSO Administrative Console. Open the console by pointing to Start > Programs > TAM E-SSO > TAM E-SSO Console. Right-click Global Agent Settings, point to Import, click From Live HKLM. Expand Live. Click Web Viewer. Adjust the following settings to your preference:

| Setting | Description |
| --- | --- |
| Password Reveal Timeout | Controls the time (in seconds) until the Credential Detail screen removes a revealed password. The default is 45 seconds. |
| Session Timeout | Controls the timeout for Web Viewer. After this amount of time of inactivity, the user will automatically be logged out. The default is 5 minutes. |
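The Step 4 registry layout can be checked after it has been entered by hand. The following read-only PowerShell audit is an added example, not part of the IBM guide or the product; it assumes PowerShell is installed on the Web Viewer server and that the key path is exactly the one given in Step 4, and the finding messages are its own wording.

```powershell
# Added example: read-only audit of the Step 4 SyncManager registry values.
$syncs = 'HKLM:\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs'
$findings = @()

if (-not (Test-Path $syncs)) { Write-Output "MISSING key: $syncs"; return }

# SyncOrder: comma-delimited list of server subkeys, in order of usage.
$order = (Get-ItemProperty -Path $syncs).SyncOrder
$names = @()
if ([string]::IsNullOrEmpty($order)) {
    $findings += 'SyncOrder is missing or empty under Syncs'
} else {
    $names = @($order.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Subkeys that exist under Syncs but are not named in SyncOrder.
foreach ($sub in Get-ChildItem -Path $syncs) {
    if ($names -notcontains $sub.PSChildName) {
        $findings += "Subkey '$($sub.PSChildName)' is not listed in SyncOrder"
    }
}

foreach ($name in $names) {
    $key = Join-Path $syncs $name
    if (-not (Test-Path $key)) {
        $findings += "SyncOrder lists '$name' but that subkey does not exist"
        continue
    }
    $v = Get-ItemProperty -Path $key
    if ([string]::IsNullOrEmpty($v.UserPath1)) { $findings += "${name}: UserPath1 is not set" }
    if ([string]::IsNullOrEmpty($v.Path)) {
        $findings += "${name}: Path is not set"
    } elseif (-not (Test-Path -LiteralPath $v.Path -PathType Leaf)) {
        $findings += "${name}: Path '$($v.Path)' does not point to an existing file"
    }
    # UseSSL must be a DWORD: 1 = SSL to the repository, 0 = no SSL.
    if ($null -eq $v.UseSSL) {
        $findings += "${name}: UseSSL is not set"
    } elseif ((Get-Item -Path $key).GetValueKind('UseSSL') -ne 'DWord') {
        $findings += "${name}: UseSSL is not a DWORD"
    } elseif ($v.UseSSL -eq 0) {
        $findings += "${name}: UseSSL=0, repository traffic is not SSL-protected"
    }
    $servers = Join-Path $key 'Servers'
    if (-not (Test-Path $servers) -or
        [string]::IsNullOrEmpty((Get-ItemProperty -Path $servers).Server1)) {
        $findings += "${name}: Servers\Server1 is not set"
    }
}

if ($findings.Count -eq 0) { 'Step 4 registry configuration looks complete.' } else { $findings }
```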
Step 6: Accessing TAM E-SSO Web Viewer

To access the Web Viewer:

1. Open a Web Browser and enter this address:

   http://localhost/ssowebviewer/login.aspx

   where localhost is replaced with the actual server machine's IP address, if this is set up on a server where users will be accessing it from remote sites.
2. Log onto Web Viewer using the Active Directory username and password for the user.
Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: AIX, DB2, developerWorks, eServer, IBM, iSeries, Lotus, Passport Advantage, pSeries, RACF, Rational, Redbooks, Tivoli, WebSphere, zSeries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.
Printed in USA SC32-1991-03