Tivoli Access Manager for Enterprise Single Sign-On


Tivoli Access Manager for Enterprise Single Sign-On Version 5.0 User Guide


Note: Before using this information and the product it supports, read the information in Notices, on page 1.

First Edition (March 2006)

Copyright International Business Machines Corporation 1996, 2006. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of Contents

Introduction ... 4
  Program Features ... 4
  Example: Logging on Automatically ... 4
  System Requirements ... 5
  About this guide ... 6
Installing TAM E-SSO ... 7
  Custom Installation ... 9
  Setting up TAM E-SSO ... 10
Using TAM E-SSO ... 13
  Starting TAM E-SSO ... 13
  The System Tray Icon Menu ... 13
  Shutting Down TAM E-SSO ... 14
  The Title Bar Button Menu ... 14
    To show or hide the Title Bar Button ... 14
Your Primary Logon Method ... 15
Creating and Using Logons ... 16
  Logon Manager ... 16
  Setting up Logons with Logon Manager ... 18
    To add a logon for a Windows application ... 19
    To configure a logon for an unlisted Windows application ... 20
    To add a logon for a Web site ... 21
    To add a logon for an unlisted Web Site ... 22
    To add a logon for a host/mainframe application ... 22
    To add a logon for an online service ... 23
  Setting Up Logons using Auto-Prompt ... 23
  Modifying Logon Properties ... 24
    To modify a logon's properties ... 25
  Using Logon Chooser ... 25
  Handling Logon Errors ... 26
  Setting Logon Options ... 26
    To view or modify logon settings ... 27
  Managing Excluded Web Sites ... 28
    To restore Auto-Prompt for an excluded Web site ... 28
Managing Passwords ... 29
  Changing Your Application Password ... 29
    To change an application's password ... 29
  Setting Password Options ... 30
    To view or modify password settings ... 31
Backing Up and Restoring ... 32
  To back up your passwords and settings ... 32
  To restore your passwords and settings ... 33
Glossary ... 34

Introduction

Program Features

IBM Tivoli Access Manager for Enterprise Single Sign-On lets you use a single password to log on to any password-protected application on your desktop, your network, and the Internet. It works "out-of-the-box" (without programming or additional network infrastructure) with virtually all applications, including Windows, Web, proprietary, and host/mainframe applications.

TAM E-SSO is intelligent agent software. It remembers your credentials (your username/id, password, and other information) for each application or website and automatically responds to its logon requests.

- Single sign-on: You use just one password to log on to applications, networks, and Web sites.
- Auto Prompt: TAM E-SSO can learn your credentials as you work. When it detects a new logon request, the agent prompts you to provide your username/id, password, and other sign-on data. The next time this application asks for your logon, TAM E-SSO recognizes it and logs you on automatically.
- Automatic backup/restore: TAM E-SSO automatically backs up your credentials to a floppy disk or to a remote file or directory server, and automatically restores your credentials if necessary.
- Custom logon configuration: In addition to logons predefined by your administrator, you can add your own logons to other applications and websites.
- Mobility support: If you work at multiple workstations, TAM E-SSO makes it easy for your administrator to store your credentials on a remote server. That lets you use TAM E-SSO to manage your identity and passwords, with complete security, on any computer on your network.

Example: Logging on Automatically

TAM E-SSO automatically detects when you've encountered a password-protected application or Web site. If you already provided credentials (username/id, password, and other information) for that application or Web site, TAM E-SSO automatically enters your credentials in the appropriate fields and logs you on.

Let's say you've already provided credentials for your Lotus Notes account. As soon as you open Lotus Notes, TAM E-SSO recognizes this logon screen's request for credentials.

TAM E-SSO enters your password in the appropriate field and clicks the [OK] button, logging you on to Lotus Notes.

Now let's say you've opened the logon screen for an application or Web site for which you have not yet provided credentials. If the Auto Prompt feature (page 30) is active, TAM E-SSO offers to store your credentials for this application with this message.

If you click [Yes], the New Logon Wizard appears, prompting you to set up credentials for this application or Web site. You enter your Username/ID for the application and your password (twice for confirmation), and then click [Finish]. TAM E-SSO logs you on. From now on, whenever you start this application, TAM E-SSO will recognize the application's logon prompt and supply your credentials automatically.

System Requirements

Minimum Configuration
- Microsoft Windows 2000 (SP1+), XP (SP1 or SP2), 2003
- 120 MHz Pentium-compatible processor (233 MHz Pentium-compatible processor recommended)
- 32 Mb RAM (64 Mb RAM recommended)
- 4-7 Mb hard drive space for the agent (depending on installation options)
- Microsoft Internet Explorer 5.5SP2/6.0SP1 or above with 128-bit encryption
- Hard drive space for user data

Optional Components (from other sources)
- Entrust PKI support requires Entrust/Entelligence v5.0 (TAM E-SSO: Authentication Adapter only)
- RSA Keon PKI support requires RSA Keon Desktop v5.5 (TAM E-SSO: Authentication Adapter only)
- Java Runtime Environment (ver. 1.3 or later)

About this guide

This User Guide is intended for anyone using TAM E-SSO to manage logon credentials for Windows, Web and host/mainframe applications. You should be familiar with Windows conventions (for example, resizing application windows) and with the logon procedures for the applications you'll use with TAM E-SSO.

If the TAM E-SSO software is already installed on your workstation, you should begin by following the procedure for Setting Up on page 10. This procedure is performed the first time you start the program. You'll provide your primary logon (the password you'll use for all other logons) and select pre-configured applications, if they are provided.

The remainder of this guide covers these topics:
- Starting and shutting down TAM E-SSO and setting general program preferences (page 13).
- Configuring and using application logons (page 16).
- Procedures and options for adding or changing passwords (page 29).
- Backing up and restoring your passwords and settings (page 32).

Note: In a network installation, many features can be activated, deactivated or preset by the SSO administrator. This icon indicates features that depend on or may be affected by administrative settings.

Installing TAM E-SSO

The TAM E-SSO main menu screen appears automatically upon placing the installation CD in your CD-ROM drive (or starting the installation from a shared network drive).

1. Click Install TAM E-SSO to begin installation.
2. When the Install Wizard appears, click [Next>] to continue.
3. The License Agreement screen appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click [Next>] to continue.
4. Select an installation type and click [Next>]. The remainder of this procedure describes the installation steps for a Standalone installation. For instructions on the Custom installation type, see Custom Installation on page 9.

5. Click [Install] to install TAM E-SSO.
6. This gauge appears, showing the progress of the installation.
7. When the installation is complete, click [Finish].

If this is the first time you have installed the program, you'll need to provide your primary logon information the first time you start TAM E-SSO.

Custom Installation

If you selected the Custom installation option in the Install Wizard, TAM E-SSO prompts you to select exactly which features to install and where to install them.

The features that are grayed out have additional sub-features that you can install. To view the sub-features, expand the list by clicking the plus (+) sign.

The red x next to a dropdown list signifies a feature that will not be installed. To add this feature to the installed components, click on the x and select This feature, and all sub-features, will be installed on local hard drive from the shortcut menu.

To enable LDAP support, expand the Extensions list and expand the Synchronization Manager. Depending on which Synchronizer you will use, click on Active Directory Synchronizer or LDAP Synchronizer, and select This feature, and all sub-features. You can now continue with the installation.

If you selected the LDAP synchronizer, you are prompted for your LDAP credentials. Enter your User ID and Password for your directory server account, and select a User Path from the dropdown list.

Example: uid=johndoe,ou=marketing,ou=atlanta,dc=ibm,dc=com

Setting up TAM E-SSO

Before you begin using TAM E-SSO, the Setup Wizard checks to make certain that TAM E-SSO has all the information it needs. You must provide the information requested in order to use TAM E-SSO. If you cancel the Setup Wizard, it will reappear each time you try to start TAM E-SSO until you've completed the Wizard.

The Setup Wizard may skip any or all of the following tasks, depending on the installation options selected, your network's configuration and the settings your SSO administrator makes.

Restore an existing backup?

If you've backed up any preexisting TAM E-SSO settings, select the I want to restore an existing backup of my settings check box. If you choose this option, TAM E-SSO will complete the setup process from your stored settings. See Backing Up and Restoring on page 32 for more information. Click [Next>] to continue.

Setup tasks to perform

This page lists the Setup tasks necessary for your local installation of TAM E-SSO. Click [Next>] to begin setup.

Choose a logon method

From the drop-down list box, choose the authenticator you'll use for your primary logon method. In a typical installation, this is Windows Logon. This means you'll use your Windows password to access password-protected applications. Depending on your network resources and administration, you may have other primary logon methods to choose from, such as:
- LDAP
- Entrust PKI
- RSA PKI
- Smart Card

When you have made your selection, click [Next>] to continue. See Your Primary Logon Method on page 15 for more information.

Enter your primary logon

If you chose Windows Authentication on the previous Wizard page, a Windows network logon prompt appears. Enter your Windows Network password for the displayed username and domain and click [OK].

Enter a passphrase answer

If you chose Windows Authentication v.2, one or more passphrase questions appear. This is used for additional security. Type the answer to the displayed question or questions (note the minimum length) and click [OK].

Note: You can change your passphrase anytime later by selecting the Change Passphrase option whenever you confirm your primary logon; see page 15.

Add applications

This page appears if your SSO administrator has provided a list of pre-configured applications. This lets you store your logon credentials for each application. Enter your Username/ID, Password, and any other requested information for each application you use. You may need to retype one or more items to confirm. Click [Next>] to continue.

Finishing Up

If you want to make changes before completing Setup, click [<Back] to return to a previous Setup Wizard page. Otherwise, click [Finish] to complete setup. You can now begin using TAM E-SSO. See page 13 for more information.

Using TAM E-SSO

This section provides an introduction to the features and functions available via the TAM E-SSO user interface. For more information on these and other features, see the online help. To access it:
- Click the [Help] button within any program dialog box.
- Or, click the program icon on your Windows system tray and select Help from the shortcut menu.

Starting TAM E-SSO

Note: The first time you start TAM E-SSO, the Setup Wizard appears to guide you through the procedure for providing your primary logon information. See page 10 for more information.

After installing TAM E-SSO, the TAM E-SSO Tray Icon appears on your Windows system tray in the lower-right corner of your screen. If you do not see this icon, start TAM E-SSO:

1. Click Start, then Programs.
2. Point to IBM, then TAM E-SSO.
3. Click TAM E-SSO. The TAM E-SSO Tray Icon now appears in your Windows system tray.

The System Tray Icon Menu

Click the TAM E-SSO Tray Icon in your Windows system tray to display a shortcut menu of program functions, which are described below.

System Tray Menu Options

Configuration: Displays a submenu of program controls and options. Each of these is detailed in this guide: Logon Manager, page 16; Backing Up and Restoring, page 32; Settings, pages 26, 28, and 30.
Shutdown TAM E-SSO: Shuts down the program.
Pause TAM E-SSO: Turns off TAM E-SSO logons, including the Auto-Prompt (page 23) and Auto-Recognize (page 26) features, and the Logon using TAM E-SSO menu option, below.

Help: Displays the online help system.
About TAM E-SSO: Displays version information about the program.
Logon using TAM E-SSO: Engages TAM E-SSO to supply information to a logon request. You can use this option to engage TAM E-SSO when Auto-Recognize is turned off.

Note: If Auto-Recognize (page 26) is enabled, TAM E-SSO automatically recognizes logon requests and supplies your stored logon information. If you have not already set up the application or Web site logon, TAM E-SSO prompts you to do so.

Shutting Down TAM E-SSO

To shut down TAM E-SSO, click the Tray Icon and select Shut Down from the shortcut menu.

The Title Bar Button Menu

You can put the TAM E-SSO Title Bar Button on all application window title bars. The Title Bar Button lets you log on quickly to applications and Web sites you've already configured and add new logons as you work. You can set the Title Bar Button to display a shortcut menu for using or adding logons, or you can omit the menu and use the Title Bar Button as a one-click logon command.

To show or hide the Title Bar Button

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog appears.
2. On the Settings dialog, click the Logons tab.
   - Select the Title Bar Button check box to show the Title Bar Button or clear the check box to hide the icon.
   - Click the Display Dropdown check box to activate the Title Bar Button shortcut menu or clear the check box to deactivate the menu. If you clear this option, clicking the Title Bar Button initiates a logon to the active application.
3. Click [OK].

Tip: To hide the Title Bar Button and menu at any time, click the Title Bar Button on any application title bar and select Hide Icon.

Your Primary Logon Method

Confirming your primary logon

When you first set up TAM E-SSO, you are prompted to choose your primary logon method, also known as an authenticator. The credentials you provide to the authenticator (your username/id, password, and other information) identify you as an authorized user of your workstation and network. In most cases, your primary logon is Windows, and your primary logon credentials are your Windows username/id, password, and network domain.

TAM E-SSO lets you use your primary logon password for any other situation in which you need a password, including most Windows applications, host/mainframe applications, and password-protected Web sites. It uses your primary logon information to verify that you are the same user that initially logged on.

Depending on your installation and resources, your primary logon password can be any of the following:
- Windows password
- Directory service (LDAP or Sun ONE) password
- Public key infrastructure (PKI) authenticator logon information (TAM E-SSO: Authentication Adapter only)

TAM E-SSO can be configured to periodically check to make sure that you are the same user who initially logged on to this workstation. When you start a password-protected application, if a specific interval has passed since the last automatic logon (the default is 15 minutes), TAM E-SSO asks for your primary logon password. If you are using a smart card as your primary logon (TAM E-SSO: Authentication Adapter only), you are prompted for your personal identification number (PIN).

TAM E-SSO also automatically performs this check when you modify your application passwords, perform other logon management tasks, or if the application logon itself requires it. You can change the interval, or turn this feature off, by changing the Timer setting in the Logons tab of the Settings dialog box. See page 26 for more information.
Depending on which primary logon you use and the settings your SSO administrator applies, you may be prompted for the passphrase answer you provided when you first set up TAM E-SSO. If you are using a passphrase, you have the option of changing your passphrase answer. To do this, select the I want to change the answer to my verification question checkbox.
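The primary-logon check described in this section, modelled as an added example (it is not IBM's code and not part of the original guide). The class, action names and timeline are hypothetical; it assumes the timer starts at session start, restarts at each automatic logon, and that turning the Timer off disables only the interval check.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_INTERVAL_S = 15 * 60  # the guide's default Timer value: 15 minutes

# Actions the guide says trigger the check regardless of the timer
# (names are hypothetical labels for "modify your application passwords"
# and "other logon management tasks").
MANAGEMENT_ACTIONS = {"change_app_password", "manage_logons"}


@dataclass
class ReauthGate:
    """Hypothetical model of the re-verification policy; not TAM E-SSO code."""
    interval_s: Optional[float] = DEFAULT_INTERVAL_S  # None = Timer turned off
    last_auto_logon: float = 0.0  # assumption: the clock starts at session start

    def needs_primary_logon(self, action: str, now: float,
                            app_requires_it: bool = False) -> bool:
        """Decide whether the user must confirm the primary logon first."""
        if action in MANAGEMENT_ACTIONS or app_requires_it:
            return True  # always checked, whatever the timer says
        if action != "auto_logon":
            raise ValueError(f"unknown action: {action}")
        if self.interval_s is None:
            return False  # assumption: Timer off disables only the interval check
        # "if a specific interval has passed since the last automatic logon"
        return now - self.last_auto_logon >= self.interval_s

    def record_auto_logon(self, now: float) -> None:
        self.last_auto_logon = now


# Constructed timeline: (seconds since session start, action, app_requires_it)
SAMPLE_EVENTS = [
    (300, "auto_logon", False),           # 5 min after session start
    (1100, "auto_logon", False),          # 800 s after the previous logon
    (2000, "auto_logon", False),          # exactly 900 s later: interval passed
    (2010, "change_app_password", False), # management task
    (2100, "auto_logon", True),           # the application logon itself requires it
    (2200, "auto_logon", False),          # 100 s later
]


def replay(gate: ReauthGate,
           events: List[Tuple[float, str, bool]]) -> List[Tuple[float, str, bool]]:
    """Return (time, action, prompted) for each event in order."""
    decisions = []
    for now, action, app_requires_it in events:
        prompted = gate.needs_primary_logon(action, now, app_requires_it)
        if action == "auto_logon":
            # Assume any prompt was answered correctly and the logon went ahead.
            gate.record_auto_logon(now)
        decisions.append((now, action, prompted))
    return decisions


if __name__ == "__main__":
    for row in replay(ReauthGate(), SAMPLE_EVENTS):
        print(row)
```

With the Timer off, stored credentials are released without any further check for as long as the desktop session stays open, so the interval is the setting that bounds what an unattended, unlocked workstation exposes.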

Creating and Using Logons

TAM E-SSO provides two ways for you to create application logons:
- You can create logons on the fly, using the Auto-Prompt feature, which detects an application's logon request and lets you store your credentials as you log on. See page 23 for more information.
- You can also create logons with Logon Manager, which lets you configure, edit and manage logons for most secure applications. See page 18 for more information.

Logon Manager

Logon Manager displays your stored logons. It also lets you modify properties of each logon (for example, your user IDs and passwords) and update your settings with changes applied by your SSO administrator.

To display Logon Manager, click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Logon Manager. The Logon Manager dialog appears.

As you add or create logons for Windows applications or Web sites, and add logons for host/mainframe applications, the available logons are displayed in Logon Manager.

Note: Logons that appear in grey, italicized text require activation by the SSO administrator. See Credentials without a configured logon on page 6.

Logon Manager options

View: Display logons as Icons, as a List, or with full Details (similar to Windows Explorer View options).
Sort by: Sort logons by a selected column; you can also sort the logons by clicking on the column heading itself.
Reveal All: In Details View, display username/ids and passwords. (This feature is available if the SSO administrator has activated it.)
Refresh: Update logon settings with changes from your SSO administrator. (This feature is available if the SSO administrator has activated it.)
Add: Display the New Logon dialog to set up a new application logon. If pre-configured logons are available, the Add Multiple Application option appears. See Adding multiple application logons, below.

Properties: Modify logon settings, including the user ID, password, application specifics, and automatic behavior for a selected logon.
Copy: Duplicate a selected logon.
Delete: Remove a selected logon from Logon Manager.
Close: Exit Logon Manager.

Applications that share credentials

Your SSO administrator may configure two or more applications to share the same username and password in a password group. If the credentials for one application change, the credentials for the other applications in the group are also changed.

In some cases, where you need multiple credentials for a single application (for example having multiple mail accounts in Microsoft Outlook), you may need to exclude those additional "identities" (each with different credentials) from this feature. If this applies to a new logon you are creating for an application you have already added, you will have the option to "Exclude" the new logon.

Adding multiple application logons

If your SSO administrator has provided a new list of preconfigured application logons, the Logon Manager's [Add] button displays a drop-down option to Add Multiple Applications. Choose this option to add these new logons and supply your credentials.

Credentials without a configured logon

Some logons may appear in Logon Manager in grey, italicized text with a grey icon. If you attempt to use such a logon or view its properties (by selecting it and clicking [Properties]), this message appears:

Credential corresponds to an application that is not currently configured in TAM E-SSO.

This message typically appears when TAM E-SSO has been upgraded from a previous version. It means that your credentials are safely stored, but the application logon configuration (that tells TAM E-SSO where to put the credentials) needs to be upgraded as well. Contact your SSO administrator to acquire the updated logons.

The Setup Wizard Logons page appears.

1. Enter your username, password, and any other requested information for each application you use. You may need to retype one or more items to confirm.
2. Click [Next>] to continue, then click [Finish] to close the wizard.

Setting up Logons with Logon Manager

In the Logon Manager, click [Add] to set up a new logon. The New Logon dialog box appears.

The following procedures describe how to use the New Logon dialog box to add logons for each application type. The procedure is similar for each type. You identify the application and then provide your credentials: username/id, password, and any other information the application requires you to enter.

If you add a logon for a Windows application that TAM E-SSO is not pre-configured for, you are asked to identify the username/id and password fields by pointing and clicking on the logon fields.

You are also given the option to create more than one logon for a single application. This is useful for applications for which you have more than one set of credentials; for example, if you have multiple email accounts from one provider. When TAM E-SSO detects a logon for which you have more than one credential set, it displays Logon Chooser, which lets you select the credentials to use.

To add a logon for a Windows application

1. In the New Logon dialog box, select the Windows option and select an application from the drop-down list box. If the application you want to add is not listed, see To configure a logon for an unlisted Windows application, below.
2. Click [Next>].
3. Type your Username/ID for the application, type your Password, and retype your password in Confirm Password. You can display the password by clicking [Reveal].
   Note: Depending on the requirements of the application you're setting up, you may be prompted for additional fields, such as Domain Name for Microsoft Outlook. Similarly, some applications may not require a username/id. In such cases, the Username/ID box will be grayed out.
4. Do one of the following:
   - Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.
   or
   - Select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.
   If you are adding a new logon for an existing application that is part of a password group, select Exclude from password sharing group. If this is the first logon you have created for this application, leave this check box unselected. See Applications that share credentials on page 17.

To configure a logon for an unlisted Windows application

1. Open the Windows application that you want to set up a logon for. This is the target application.
   Note: If the target application requires more than two fields for authentication, this procedure requires an SSO administrator to set it up for you. Contact your SSO administrator for assistance.
2. When the target application's logon dialog box displays, switch back to TAM E-SSO. Arrange the windows so that TAM E-SSO and the target application's logon dialog are both visible.
3. In the New Logon dialog box, select the Windows option and select Application not in list (the default) from the drop-down list box.
4. Type the Application Name of the target application and (optionally) a Description. Click [Next>]. The New Logon dialog box displays two icons.
5. Click the Username/ID icon, then click in the username or user ID field of the target application's logon dialog box. A green check mark appears over the icon.
6. Click the Password icon, then click in the password field of the target application's logon dialog box. A green check mark appears over the icon.
7. Click [Next>].
8. Type your Username/ID for the application, type your Password, and retype your password in Confirm Password. You can display the password by clicking [Reveal].
9. Do one of the following:
   - Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.
   - Select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

To add a logon for a Web site

1. In the New Logon dialog box, select the Web option, then select a Web site from the drop-down list box. If the Web site you want to add is not listed, see To add a logon for an unlisted Web Site, below.
2. Click [Next>].
3. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].
4. Do one of the following:
   - Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.
   or
   - Select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.
   If you are adding a new logon for an existing application that is part of a password group, select Exclude from password sharing group. If this is the first logon you have created for this application, leave this check box unselected. See Applications that share credentials on page 17.

To add a logon for an unlisted Web Site

1. In the New Logon dialog box, select the Web option, then select Web application not in list (the default option) from the drop-down list box. A text box for entering a Web address appears.
   Note: If the target Web site requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.
2. Type the URL (address) of the Web site you want to set up a logon for.
3. Type the Application Name and (optionally) a Description.
4. Click [Next>].
5. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].
6. Do one of the following:
   - Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.
   or
   - Select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

To add a logon for a host/mainframe application

1. In the New Logon dialog box, select the Mainframe option.
2. Type the Application Name of the target application and (optionally) a Description. Click [Next>].
3. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].
4. Do one of the following:
   - Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.
   or
   - Select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

To add a logon for an online service

Note: If the target Web site requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

1. In the New Logon dialog box, select the Online Service option.
2. Select an online service from the drop-down list box. If you select Online Service Not in List, see To configure a logon for an unlisted Windows application on page 20.
3. If necessary, edit the name of the online service, enter a description for the online service (optional), then click [Next>].
4. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].
5. Do one of the following:
   - Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.
   or
   - Select Add Additional Logon, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

Setting Up Logons using Auto-Prompt

The previous section describes how to set up logons using Logon Manager. This section describes how to set up logons on the fly using Auto-Prompt.

To begin using Auto-Prompt, make certain that the feature is activated within Settings:

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu.
2. Point to Configuration, then click Settings.
3. Click the Password tab and make sure that the Auto-Prompt check box is selected. If not, select it, then click [OK].

The Auto-Prompt feature is enabled by default upon installing TAM E-SSO. Your SSO administrator may enable or disable Auto-Prompt for all users.
Let's say you've enabled the Auto-Prompt feature and you open the logon screen for an application or Web site for which you have not set up a logon. TAM E-SSO prompts you to set up a logon for this application or Web site with this message:

Would you like TAM E-SSO to remember your logon information for this [web] application?

You have these options:
- Click [Yes] if you want to set up a logon.
- Click [Not now] (for Web sites only) or [No] (for Windows and host/mainframe applications) if you don't want to set up a logon for this application right now.
- Click [Disable] (for Web sites only) if you don't want to set up a logon for this application and don't want to be asked again. If you decide in the future that you do want TAM E-SSO to automatically prompt you for your credentials the next time you visit this site, use the Excluded Web Sites tab of the Settings dialog (see page 28).

To set up a logon for this application, open the application's logon screen, click the TAM E-SSO Tray Icon, and select Logon using TAM E-SSO from the shortcut menu.

Notes:
- The [Not Now] and [Disable] buttons appear only with Web site logon requests. With all other logon requests, the options are [Yes] and [No].
- You can also tell TAM E-SSO to set up a logon by typing +L (on non-Windows XP systems only).
- If the target application requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

If you click [Yes], the New Logon dialog appears, prompting you to set up a new logon for this application or Web site. Enter your username/id, enter your password, and confirm your password. Click [Finish]. TAM E-SSO logs you on to the application or Web site and stores this new logon for future use.

See Setting Password Options on page 30 for information on other password and logon settings.

Modifying Logon Properties

Use Login Manager to modify account information or automatic behavior for individual logons. You can:
- Change the username/id, password or other fields that the logon sends to the application.
- Restore a previous password.
- Edit the name and descriptive information for the application as it appears in Login Manager and other dialog boxes.
- Turn on or off the Auto-Prompt and Auto Recognize features for selected logins.

In a network installation, the availability of the Auto Prompt and Auto-Recognize features depends on administrative settings. Contact your SSO administrator for details.

Notes:
- If you change a logon password, the next time you open the Logon Properties dialog for the logon, the Restore Previous Password button appears. This gives you the option of reverting to the password used before the most recent change.
- To turn Auto Prompt on or off for all logons, use the Auto Prompt option in the Passwords tab of the Settings dialog (see Setting Password Options on page 30 for more information).
- To turn Auto-Recognize on or off for all logons, use the Auto-Recognize option in the Logons tab of the Settings dialog (see Setting Logon Options on page 26 for more information).

To modify a logon's properties

1. In the Logon Manager, select an application logon from the list, then click [Properties]. The Properties dialog box for the selected application appears.
   Note: If the application logon is displayed in grey text, this message appears when you click [Properties]: Credential corresponds to an application that is not currently configured in TAM E-SSO. See Credentials without a configured logon on page 6 for more information.
2. Modify the displayed information as needed.
3. When you have completed your changes, click [OK].

Using Logon Chooser

You may have two or more different logon accounts for the same application or Web site. If so, you can set TAM E-SSO to recognize all of those accounts, then prompt you to choose which one to log on with. To do this, create a separate TAM E-SSO logon for each account. When you open the application or Web site, TAM E-SSO prompts you with the Logon Chooser dialog box. Select the account you want to log on with and click [OK]. Click [Add] to add another logon for this application.

Handling Logon Errors

When you enable the Auto-Recognize function, TAM E-SSO automatically detects and responds to logon and password-change requests from applications and Web sites you've set up. If you entered the wrong password when you set up the logon, or perhaps changed the application's password from another computer, TAM E-SSO will supply an incorrect password. When this happens, the application repeats the logon request and TAM E-SSO displays the Logon Error dialog.

The Logon Error dialog asks you to review the accuracy of your Username/ID, Password and, if necessary, any additional logon fields. You can reveal the password you've entered by clicking [Reveal]. Edit your logon information as needed and click [OK] to try logging on again. Select the Save Changes check box to use the same credentials next time TAM E-SSO logs you on to this application or Web site. Clicking [Cancel] stops any further logon attempts for the application or Web site until you either restart TAM E-SSO or modify the logon in Logon Manager.

Setting Logon Options

The Logons tab of the Settings dialog lets you control TAM E-SSO logon features for all logons. To change the settings for individual logons, see Modifying Logon Properties on page 24. Also see Setting Password Options on page 30 for information about password settings. Your SSO administrator may enable, disable or override any of the settings described below.

Logon Settings

Title Bar Button: Select the Title Bar Button check box to display the TAM E-SSO Title Bar Button in the upper-right corner of any new window opened on the desktop.
Display Dropdown: Select the Display Dropdown check box to have a drop-down menu display when you click the TAM E-SSO Title Bar Button.
Auto-Recognize: Select the Auto-Recognize check box to enable TAM E-SSO to recognize applications and Web sites and log you on automatically. If TAM E-SSO recognizes an application or Web site that you have not already set up, it will then prompt you to do so.
Timer: Enter a time limit (in minutes); after this interval, TAM E-SSO asks for your password before performing any credential-related task. If the Timer setting is set to zero, TAM E-SSO always asks for your password before each credential-related task. Click [Clear Timer] to enter your password immediately, without waiting for the expiration time.

To view or modify logon settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog box appears.
2. On the Settings dialog, click the Logons tab to display the logon settings.
3. When you have completed your changes, do one of the following:
   - Click [OK] to confirm your changes and close the Settings dialog box.
   - Click [Apply] to confirm your changes (without closing the Settings dialog box), then select another Settings tab.

Managing Excluded Web Sites

The Excluded Web Sites tab of the Settings dialog lets you review and restore Auto-Prompt capability for Web site logons that you have previously told TAM E-SSO to ignore.

When you visit a password-protected Web site that you don't have a TAM E-SSO logon for, TAM E-SSO asks you if you want to create a new logon and gives you the choices Yes (create my logon now), Not Now (ask me next time), and Disable (don't ask me again). If you choose Disable, TAM E-SSO adds the logon page to the Excluded Web Sites list. You can remove a site from this list by clearing its checkbox, and thereby allow TAM E-SSO to prompt you to create a logon the next time you visit the site.

Notes:
- See Setting Up Logons using Auto-Prompt on page 23 for more information about using Auto-Prompt.
- You can turn Auto-Prompt on or off by its setting in the Password tab of the Settings dialog; see page 30.

To restore Auto-Prompt for an excluded Web site

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu.
2. Point to Configuration, then click Settings.
3. Click the Excluded Web Sites tab to view the list of sites that TAM E-SSO is currently set to ignore.
4. Click to clear the check boxes of the Web sites for which you want Auto-Prompt restored, then click [OK].

The next time you visit the logon page of Web site(s) that you cleared, TAM E-SSO will ask if you want to create a logon.

Managing Passwords

TAM E-SSO automated password change increases security by eliminating the potential for poor password selection and poor password management. It also increases usability by saving you the trouble of creating, changing, and remembering passwords. TAM E-SSO detects when an application requests a password change, then automatically generates a new password that conforms to a password policy (the rules that govern what a valid password can be) that your administrator sets.

When an application like Lotus Notes requests a password change, TAM E-SSO prompts with the Password Change Wizard, unless the administrator has configured TAM E-SSO to perform the change automatically. Simply click [Next>] to generate a new, randomly generated password for the application. You will never need to remember this password because TAM E-SSO will enter it for you automatically the next time you log on.

Changing Your Application Password

Most applications allow you to change your logon password at any time; some require you to change passwords periodically, for example, every 30 days. You can use TAM E-SSO to apply and keep track of these changes.

To change an application's password

If your SSO administrator has configured an application logon for automatic password change, TAM E-SSO detects the application's password-change reminder and automatically displays the Password Wizard to help you.

1. Open the application's Change Password window. The Password Wizard appears.
2. Do one of the following:
   - Select the option to generate a new password automatically, then click [Next].
   or
   - Select the option to enter a new password manually, then:
     a. On the next Wizard screen, enter your new password in the New Password and Confirm text boxes.
        Tip: Click [Reveal] to see your password. If you want to change your password, click [Back] and reenter it.
        Note the list of rules under Password Policy Status: Your new password must comply with each of these rules in order to be valid. As you type your password, the rules it complies with are checked. When all of the rules are checked, your password is valid.
     b. Click [Next]. On the application's password window, TAM E-SSO submits your password change request.
3. Check the application's message to make certain it has accepted the new password.
4. Do one of the following:
   - If the application accepted the new password, click [Next].
   or
   - If the application did not accept the new password, click [Back] and either repeat the previous steps or click [Cancel].
5. When you see the Completed the Password Change Process message, click [Finish].

Setting Password Options

The Passwords tab of the Settings dialog lets you control TAM E-SSO password features. Your SSO administrator may enable, disable or override any of the settings described below.

Password Settings

Auto-Prompt: Select the Auto-Prompt check box to have TAM E-SSO automatically recognize password-protected applications and Web sites, and prompt you with this message for Windows applications: and this one for password-protected Web sites:

Note: The [Not Now] and [Disable] buttons appear only with Web site logon requests. With all other logon requests, the options are [Yes] and [No].

Auto-Enter: Select the Auto-Enter check box to have TAM E-SSO immediately enter an application or Web site once you have set up a logon for that application or Web site.

See Setting Logon Options on page 26 for information about logon settings.

To view or modify password settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog appears.
2. On the Settings dialog, click the Password tab to display the password settings.
3. When you have completed your changes, do one of the following:
   - Click [OK] to confirm your changes and close the Settings dialog box.
   - Click [Apply] to confirm your changes (without closing the Settings dialog box), then select another Settings tab.
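The policy-conforming password generation and the Password Policy Status checklist described under Managing Passwords can be sketched as follows. This is an added example, not TAM E-SSO code: the guide does not list the administrator's rules, so the POLICY values, rule names and function names are all assumptions.

```python
import secrets
import string

# Hypothetical policy: the guide says the administrator sets the rules but
# does not list them, so every rule and value here is an assumption.
POLICY = {
    "min_length": 12, "max_length": 20,
    "min_upper": 1, "min_lower": 1, "min_digits": 2, "min_special": 1,
    "special_chars": "!@#$%^&*",
    "max_repeat": 2,  # longest allowed run of one repeated character
}


def longest_run(password):
    """Length of the longest run of identical adjacent characters."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def policy_status(password, policy=POLICY):
    """Ordered {rule: satisfied?} checklist for one candidate password."""
    special = policy["special_chars"]
    allowed = string.ascii_letters + string.digits + special

    def count(charset):
        return sum(ch in charset for ch in password)

    return {
        "length within bounds":
            policy["min_length"] <= len(password) <= policy["max_length"],
        "enough uppercase letters":
            count(string.ascii_uppercase) >= policy["min_upper"],
        "enough lowercase letters":
            count(string.ascii_lowercase) >= policy["min_lower"],
        "enough digits": count(string.digits) >= policy["min_digits"],
        "enough special characters": count(special) >= policy["min_special"],
        "only allowed characters": count(allowed) == len(password),
        "no long repeated runs": longest_run(password) <= policy["max_repeat"],
    }


def generate_password(policy=POLICY, length=None):
    """Random password that satisfies every rule in the policy.

    Uses the OS CSPRNG (secrets), never the predictable random module.
    """
    length = length or policy["max_length"]
    if not policy["min_length"] <= length <= policy["max_length"]:
        raise ValueError("length outside policy bounds")
    classes = [
        (string.ascii_uppercase, policy["min_upper"]),
        (string.ascii_lowercase, policy["min_lower"]),
        (string.digits, policy["min_digits"]),
        (policy["special_chars"], policy["min_special"]),
    ]
    required = sum(n for _, n in classes)
    if required > length:
        raise ValueError("policy minimums exceed requested length")
    alphabet = "".join(charset for charset, _ in classes)
    rng = secrets.SystemRandom()
    while True:
        # Satisfy each class minimum first, then fill from the whole alphabet.
        chars = [secrets.choice(cs) for cs, n in classes for _ in range(n)]
        chars += [secrets.choice(alphabet) for _ in range(length - required)]
        rng.shuffle(chars)  # remove the positional bias of the fixed prefix
        candidate = "".join(chars)
        # Reject and retry if a rule such as max_repeat is still violated.
        if all(policy_status(candidate, policy).values()):
            return candidate


if __name__ == "__main__":
    # Constructed sample input, not a real credential.
    for rule, ok in policy_status("Summer2006").items():
        print("[x]" if ok else "[ ]", rule)
    print("generated password passes all rules:",
          all(policy_status(generate_password()).values()))
```
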

Backing Up and Restoring

TAM E-SSO allows you to back up your passwords and settings to file and restore them if needed.

Note: The Backup and Restore feature is available only if TAM E-SSO is installed using the Complete option or if the Backup/Restore extension is selected using the Custom installation option.

To back up your passwords and settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Backup/Restore. The Backup/Restore Wizard appears.
2. Select the Backup radio button and click [Next>].
3. TAM E-SSO prompts you for your primary logon. Type your primary logon password and click [OK].
4. Click [Browse] to select the location of the backup file and click [Finish].
5. A confirmation message appears. Click [OK].

To restore your passwords and settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Backup/Restore. The Backup/Restore Wizard appears.
2. Select the Restore radio button and click [Next>].
3. TAM E-SSO prompts you for your primary logon. Type your primary logon password and click [OK].
4. Click [Browse] to select the location of the backup/restore file and click [Finish].
5. A confirmation message appears. Click [OK].

Glossary

Authenticator: See primary logon method.

Auto-Recognize: Enables TAM E-SSO to recognize applications and Web sites and log you on automatically. If TAM E-SSO recognizes an application or Web site that you have not already set up, it will then prompt you to do so.

Auto-Enter: Lets TAM E-SSO immediately enter an application or Web site once you have set up a logon for that application or Web site.

Auto-Prompt: Lets TAM E-SSO automatically recognize password-protected applications and Web sites, and prompt you to supply credentials.

Backup/Restore Wizard: Lets you save and restore all user data to a file.

Credentials: The user-specific information TAM E-SSO needs to perform a logon. This usually consists of a username/id, a password, and on occasion, one or more other fields.

Directory Server: A specialized kind of database, supporting a tree structure rather than tables, used to manage user accounts and access.

Display Dropdown: Provides a drop-down menu display when you click the TAM E-SSO Title Bar Button.

Host: Generally speaking, a computer that provides services or resources to other devices. In this context, host refers to a mainframe or Unix computer connected to your desktop PC. TAM E-SSO provides your credentials through the host emulator software that connects to the host.

Host Emulator: A program that simulates the user interface (look and feel) of a mainframe/Unix computer terminal. This enables a desktop PC user to interact with a remote host computer.

LDAP (Lightweight Directory Access Protocol): A common directory server protocol/standard. A TCP/IP-compatible subset of DAP (Directory Access Protocol). Refer to RFC 1777 and others.

Logon Chooser: A TAM E-SSO feature that lets you select from two or more sets of credentials for a given logon or password change request.

Logon Manager: A TAM E-SSO feature that lets you manage (add, delete, modify, copy or review) your application logon credentials.

Mainframe: A large scale computer, typically running applications on multi-user operating systems such as AS/400 and OS/390.

PKI: Public Key Infrastructure.

Primary Logon Method: The credentials that identify you as an authorized user of your workstation and network. In most cases, your primary logon, also called an authenticator, is Windows, and your primary logon credentials are your Windows user name, password, and network domain. Other primary logon methods include LDAP, Microsoft Active Directory, RSA Keon (TAM E-SSO: Authentication Adapter only), and Entrust (TAM E-SSO: Authentication Adapter only) as your primary logon method, logging on to the system unlocks TAM E-SSO.

Setup Wizard: Helps you select a primary logon method and (at the administrator's option) provides a list of pre-configured application logons.

System Tray: The area on the right side of the Windows task bar that displays icons for access to frequently-used applications and features, including the TAM E-SSO Tray Icon.

Telnet: A protocol for connecting to remote computers.

Title Bar Button Menu: A TAM E-SSO feature that displays the TAM E-SSO logo in the upper-right corner of any new window opened on the desktop. Clicking the button on each application displays a drop-down menu that offers access to TAM E-SSO functions (logon, add application, and so on).

URL (Universal Resource Locator): The address of anything on the World Wide Web.

Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Copyright IBM Corp. 1996, 2006