IBM® Security Access Manager for Enterprise Single Sign-On
Version 8.2.1

AccessAgent on Terminal Server and Citrix Server Guide

SC27-5668-01

IBM


Note: Before using this information and the product it supports, read the information in “Notices” on page 19.

Edition notice

Note: This edition applies to version 8.2.1 of IBM Security Access Manager for Enterprise Single Sign-On (product number 5724-V67) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2014.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this publication . . . . . v
  Access to publications and terminology . . . . . v
  Accessibility . . . . . viii
  Technical training . . . . . viii
  Support information . . . . . viii
  Statement of Good Security Practices . . . . . ix

Chapter 1. AccessAgent on Citrix and Terminal Servers . . . . . 1

Chapter 2. Deployment models . . . . . 3
  Deployment model selection guidelines . . . . . 3

Chapter 3. Model 1: Basic configuration . . . . . 5
  Deploying basic configuration . . . . . 5
  Single sign-on experience . . . . . 5

Chapter 4. Model 2: Virtual Channel Connector configuration . . . . . 7
  Standard mode and lightweight mode . . . . . 8
  Deploying Virtual Channel Connector configuration . . . . . 8
    Deploying Virtual Channel Connector on Citrix server . . . . . 10
    Deploying Virtual Channel Connector on Citrix client . . . . . 10
  Single sign-on experience . . . . . 11

Chapter 5. Model 3: Generic terminal session . . . . . 13
  Deploying generic terminal session . . . . . 13
  Single sign-on experience . . . . . 14

Chapter 6. Model 4: Two-tier AccessAgent configuration . . . . . 15
  Deploying two-tier AccessAgent configuration . . . . . 16
  Single sign-on experience . . . . . 16

Chapter 7. Customizing AccessAgent on Citrix and Terminal Servers . . . . . 17

Notices . . . . . 19

Glossary . . . . . 23
  A 23, B 24, C 24, D 25, E 26, F 26, G 26, H 26, I 27, J 27, K 27, L 27, M 27, N 28, O 28, P 28, R 29, S 29, T 31, U 31, V 31, W 32

Index . . . . . 33

© Copyright IBM Corp. 2002, 2014 iii


iv IBM® Security Access Manager for Enterprise Single Sign-On: AccessAgent on Terminal Server and Citrix Server Guide


About this publication

IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Terminal Server and Citrix Server Guide provides information about the required configurations and supported workflows in the Terminal and Citrix Servers.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Access Manager for Enterprise Single Sign-On library.”
• Links to “Online publications” on page viii.
• A link to the “IBM Terminology website” on page viii.

IBM® Security Access Manager for Enterprise Single Sign-On library

The following documents are available in the IBM Security Access Manager for Enterprise Single Sign-On library:

• IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide, CF3T3ML
  IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide provides a quick start on the main installation and configuration tasks to deploy and use IBM Security Access Manager for Enterprise Single Sign-On.

• IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide, SC23995206
  IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide contains information about planning your deployment and preparing your environment. It provides an overview of the product features and components, the required installation and configuration, and the different deployment scenarios. It also describes how to achieve high availability and disaster recovery. Read this guide before you do any installation or configuration tasks.

• IBM Security Access Manager for Enterprise Single Sign-On Installation Guide, GI11930904
  IBM Security Access Manager for Enterprise Single Sign-On Installation Guide provides detailed procedures on installation, upgrade, or uninstallation of IBM Security Access Manager for Enterprise Single Sign-On. This guide helps you to install the different product components and their required middleware. It also includes the initial configurations that are required to complete the product deployment. It covers procedures for using WebSphere® Application Server Base editions, and Network Deployment.

• IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide, GC23969204
  IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide provides information about configuring the IMS Server settings, the AccessAgent user interface, and its behavior.

• IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide, SC23995105
  This guide is intended for the Administrators. It covers the different Administrator tasks. IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide provides procedures for creating and assigning policy templates, editing policy values, generating logs and reports, and backing up the IMS Server and its database. Use this guide together with the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide.

• IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide, SC23969404
  IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide provides detailed descriptions of the different user, machine, and system policies that Administrators can configure in AccessAdmin. Use this guide along with the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide.

• IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide, SC23995304
  This guide is intended for Help desk officers. IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide provides Help desk officers information about managing queries and requests from users usually about their authentication factors. Use this guide together with the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide.

• IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995005
  This guide is intended for the users. IBM Security Access Manager for Enterprise Single Sign-On User Guide provides instructions for using AccessAgent and Web Workplace.

• IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide, GC23969303
  IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide provides information about issues with regards to installation, upgrade, and product usage. This guide covers the known issues and limitations of the product. It helps you determine the symptoms and workaround for the problem. It also provides information about fixes, knowledge bases, and support.

• IBM Security Access Manager for Enterprise Single Sign-On Error Message Reference Guide, GC14762402
  IBM Security Access Manager for Enterprise Single Sign-On Error Message Reference Guide describes all the informational, warning, and error messages that are associated with IBM Security Access Manager for Enterprise Single Sign-On.

• IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide, SC23995605
  IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide provides information about creating and using AccessProfiles. This guide provides procedures for creating and editing standard and advanced AccessProfiles for different application types. It also covers information about managing authentication services and application objects, and information about other functions and features of AccessStudio.

• IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guide, SC27444401
  IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guide provides information about creating and using widgets.

• IBM Security Access Manager for Enterprise Single Sign-On Tivoli® Endpoint Manager Integration Guide, SC27562000
  IBM Security Access Manager for Enterprise Single Sign-On Tivoli Endpoint Manager Integration Guide provides information about how to create and deploy Fixlets for AccessAgent installation, upgrade or patch management. It also includes topics about using and customizing the dashboard to view information about AccessAgent deployment on the endpoints.

• IBM Security Access Manager for Enterprise Single Sign-On Provisioning Integration Guide, SC23995704
  IBM Security Access Manager for Enterprise Single Sign-On Provisioning Integration Guide provides information about the different Java™ and SOAP API for provisioning. It also covers procedures for installing and configuring the Provisioning Agent.

• IBM Security Access Manager for Enterprise Single Sign-On Web API for Credential Management Guide, SC14764601
  IBM Security Access Manager for Enterprise Single Sign-On Web API for Credential Management Guide provides information about installing and configuring the Web API for credential management.

• IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide, SC14762601
  IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide describes how to integrate any device with serial numbers and use it as a second authentication factor with AccessAgent.

• IBM Security Access Manager for Enterprise Single Sign-On Epic Integration Guide, SC27562300
  IBM Security Access Manager for Enterprise Single Sign-On Epic Integration Guide provides information about the IBM Security Access Manager for Enterprise Single Sign-On and Epic integration, including supported workflows, configurations, and deployment.

• IBM Security Access Manager for Enterprise Single Sign-On Context Management Integration Guide, SC23995404
  IBM Security Access Manager for Enterprise Single Sign-On Context Management Integration Guide provides information about installing, configuring, and testing the Context Management integrated solution in each client workstation.

• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Mobile Guide, SC27562101
  IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Mobile Guide provides information about the deployment and use of single sign-on on mobile devices.

• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Virtual Desktop Infrastructure Guide, SC27562201
  IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Virtual Desktop Infrastructure Guide provides information about setting up single sign-on support on a Virtual Desktop Infrastructure, and the different user workflows for accessing the virtual desktop.

• IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Terminal Server and Citrix Server Guide, SC27566801
  IBM Security Access Manager for Enterprise Single Sign-On AccessAgent on Terminal Server and Citrix Server Guide provides information about the required configurations and supported workflows in the Terminal and Citrix Servers.


Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Access Manager for Enterprise Single Sign-On library
  The product documentation site (http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc_8.2.1/kc-homepage.html) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
  IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
  IBM Publications Center offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see "Accessibility features" in the IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and Support Guide provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.


Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. AccessAgent on Citrix and Terminal Servers

IBM Security Access Manager for Enterprise Single Sign-On supports single sign-on and authentication services for applications that are hosted on Citrix and Terminal Servers – Citrix XenApp Servers or Terminal Services.

You must install AccessAgent on each Citrix or Terminal Server.

For every remote session on Citrix or Terminal Server, there is a running AccessAgent instance. AccessAgent helps users single sign-on to their applications on the particular remote session. Users can later reconnect to the same remote session on the Citrix or Terminal Server through any client computer.

See the following topics:
• Chapter 2, “Deployment models,” on page 3
• Chapter 3, “Model 1: Basic configuration,” on page 5
• Chapter 4, “Model 2: Virtual Channel Connector configuration,” on page 7
• Chapter 5, “Model 3: Generic terminal session,” on page 13
• Chapter 6, “Model 4: Two-tier AccessAgent configuration,” on page 15


Chapter 2. Deployment models

You can choose an AccessAgent deployment model that is based on your terminal services requirements and on your terminal services environment.

The single sign-on experience on a Citrix or Terminal Server varies, depending on the following factors:
• How you deployed AccessAgent
• How you configured the policies

The deployment model type that you choose from depends on the following setup considerations:
• Are you using Terminal Services or Citrix XenApp Servers?
• Are you using Citrix XenApp Server or Citrix XenDesktop 7.0?
• Is Active Directory password synchronization enabled?
• Are you using thin clients, workstations, or both?

  Note: Thin clients refer to machines without AccessAgent. Workstations refer to machines with AccessAgent.

• Are you using two-factor authentication on your server?

Deployment model selection guidelines

There are four deployment models for Citrix and Terminal Servers. You must identify the directory services and single sign-on requirements for thin clients, workstations, or both. You must also identify the type of authentication factors you expect to deploy in a terminal services environment.

Use the following guidelines to help you select the best deployment model for a terminal services environment.


After you choose a deployment model, complete the configuration tasks for the model:
• Chapter 3, “Model 1: Basic configuration,” on page 5
• Chapter 4, “Model 2: Virtual Channel Connector configuration,” on page 7
• Chapter 5, “Model 3: Generic terminal session,” on page 13
• Chapter 6, “Model 4: Two-tier AccessAgent configuration,” on page 15

Figure 1. Deployment model selection guidelines on Citrix and Terminal Servers environments

[Figure: a decision chart that maps the environment (Active Directory-Sync or Non Active Directory-Sync; AccessAgent on workstations or a mix of thin clients and workstations; 1 FA or 2 FA; Terminal Server or Citrix) to the recommended deployment model, with cells that read 2, 1 or 2, 2 or 4, and 4. Legend: 1 FA: 1 factor authentication; 2 FA: 2 factor authentication.]


Chapter 3. Model 1: Basic configuration

The basic configuration model consists of deploying Server AccessAgent on the Citrix or Terminal Server and enabling the ESSO Network Provider.

In this configuration, the Server AccessAgent automatically logs on the user to the Wallet upon logon to the Citrix or Terminal Server remote session.

Any Wallet changes in the Client AccessAgent or Server AccessAgent are not immediately synchronized between the Client AccessAgent and Server AccessAgent.

Deploying basic configuration

You can deploy basic configuration on Terminal or Citrix Server. Configure the AccessAgent and the Citrix or Terminal Server to deploy Model 1.

Before you begin

To specify the single sign-on options for Model 1, you must modify the SetupHlp.ini file before you install the Server AccessAgent. You can access this file in the Config folder of the AccessAgent installation package. Modify the following options on the SetupHlp.ini file:

Option: EncentuateNetworkProviderEnabled
  Description: Set to 1 to enable the ESSO Network Provider.

Option: EncentuateCredentialProviderEnabled and EnginaEnabled
  Description: Set to 0 to disable the ESSO GINA and ESSO Credential Provider.

Procedure
1. Complete the following tasks on the Citrix or Terminal Server:
   a. Install the AccessAgent on the Citrix or Terminal Server.
   b. Log on to AccessAdmin and set the pid_en_network_provider_enabled policy to 1.
2. Client machine configuration. There is no required installation and configuration on the client machine.
3. Optional configuration. There is no optional configuration for Model 1.

Single sign-on experience

The user single sign-on experience varies, depending on how you deploy the AccessAgent. If you deploy the basic configuration, users can automatically log on to the Wallet, single sign-on to profiled applications, and manage credentials.

In this configuration, the user can:
• Log on to the Citrix or Terminal Server remote session with Active Directory credentials. The user is automatically logged on to the Wallet.
• Access published applications in seamless mode. The Server AccessAgent tray icon is added to the client taskbar.
• Single sign-on to profiled applications.
• Manage the Wallet through Server AccessAgent.


Chapter 4. Model 2: Virtual Channel Connector configuration

The Server AccessAgent connects to the Client AccessAgent through a Virtual Channel Connector to retrieve the user credentials and authenticate the user.

You must install AccessAgent on your server and client.

Virtual Channel Connector

The Virtual Channel Connector between the Client AccessAgent and the Server AccessAgent is built on top of the Virtual Channel Connector SDK from Citrix or Microsoft.

The following diagram illustrates the communication between the terminal server and the client machine.

Figure 2. Communication between the terminal server and the client machine

[Figure: on the terminal server, the IBM Security Access Manager for Enterprise Single Sign-On components use the TSVC Server and the Server Virtual Channel Connector; on the client machine, the Terminal Services Client Application hosts the Client Virtual Channel Connector, which serves the client-side IBM Security Access Manager for Enterprise Single Sign-On components. The two connectors communicate over the Virtual Channel.]


Standard mode and lightweight mode

In Virtual Channel Connector configuration, you can set the Server AccessAgent to run in lightweight mode.

Running in lightweight mode can reduce the memory footprint of AccessAgent on a Citrix or Terminal Server and can improve the single sign-on startup duration.

See the following table for a comparison of the two AccessAgent modes.

Feature: Performance
  Standard mode (with virtual channel): Normal
  Lightweight mode: Better

Feature: User experience
  Standard mode (with virtual channel): Automatic logon to Server AccessAgent with Client AccessAgent credentials
  Lightweight mode: Automatic logon to Server AccessAgent with Client AccessAgent credentials

Feature: Supported authentication factors on Client AccessAgent
  Standard mode (with virtual channel): RFID
  Lightweight mode: All authentication factors

Feature: Synchronize changes between Client AccessAgent and Server AccessAgent
  Standard mode (with virtual channel): Yes (through IMS Server)
  Lightweight mode: Yes

Feature: AccessAgent Wallet cached on the Server
  Standard mode (with virtual channel): Yes
  Lightweight mode: Never

Feature: Behavior of AccessAgent when users log on and log off from AccessAgent
  Standard mode (with virtual channel): Logs off remote AccessAgent and disconnects the remote session
  Lightweight mode: Disconnects remote session

Deploying Virtual Channel Connector configuration

You can deploy Virtual Channel Connector configuration on Citrix or Terminal Server. Configure the AccessAgent and the Citrix or Terminal Server to deploy Model 2.

Before you begin

To specify the installation and single sign-on options for Model 2, you must modify the SetupHlp.ini file before you install the Server AccessAgent. Modify the following options on the SetupHlp.ini file:

Option: EncentuateNetworkProviderEnabled
  Description: Set to 0 to disable the ESSO Network Provider.

Option: EncentuateCredentialProviderEnabled and EnginaEnabled
  Description: Set to 0 to disable the ESSO GINA and ESSO Credential Provider.


Option: CitrixVirtualChannelConnectorMode
  Description: Applicable only for Citrix server deployment.
  Set to 2 to enable the Virtual Channel Connector from the server and run AccessAgent in standard mode.
  Set to 3 to enable the Virtual Channel Connector from the server and run AccessAgent in lightweight mode.
  Set to 4 to enable the Virtual Channel Connector from the server and run AccessAgent in enforced lightweight mode.

You must also modify the SetupHlp.ini file before you install the Client AccessAgent on Citrix client machine. Modify the following options on the SetupHlp.ini file:

Option: CitrixVirtualChannelConnectorMode
  Description: Set to 1 to enable the Virtual Channel Connector on the client computer.

Option: ICAClientInstallDir
  Description: Specify the installation directory for the Citrix ICA Client.

Note: There are no required changes in the SetupHlp.ini file before you install the Client AccessAgent on Terminal Server client machine.
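The SetupHlp.ini edits required before the Server AccessAgent install for Model 1, and before the server and Citrix client installs for Model 2, as one added PowerShell example (not code from the IBM guide): it writes the option values listed in those tables, keeps a backup, and re-reads the file to confirm what the installer will see. The ini path, the Citrix ICA Client folder and the function name are assumptions.

```powershell
# Added example, not from the IBM guide. Option names and values come from the
# SetupHlp.ini tables for Model 1 and Model 2; the ini path is an assumption.
function Set-EssoSetupHlp {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Model1Server', 'Model2Server', 'Model2CitrixClient')]
        [string]$Role,
        # Assumption: the Config folder of the unpacked AccessAgent installation package.
        [string]$IniPath = '.\Config\SetupHlp.ini',
        # Model 2 server only: 2 = standard, 3 = lightweight, 4 = enforced lightweight.
        [ValidateSet(2, 3, 4)][int]$ServerMode = 3,
        # Model 2 Citrix client only; assumption, adjust to the real ICA Client folder.
        [string]$IcaClientDir = 'C:\Program Files (x86)\Citrix\ICA Client'
    )

    # Required option values per role, as listed in this guide.
    $required = switch ($Role) {
        'Model1Server' { @{
            EncentuateNetworkProviderEnabled    = '1'   # ESSO Network Provider on
            EncentuateCredentialProviderEnabled = '0'   # ESSO Credential Provider off
            EnginaEnabled                       = '0'   # ESSO GINA off
        } }
        'Model2Server' { @{
            EncentuateNetworkProviderEnabled    = '0'   # Network Provider off for Model 2
            EncentuateCredentialProviderEnabled = '0'
            EnginaEnabled                       = '0'
            CitrixVirtualChannelConnectorMode   = [string]$ServerMode
        } }
        'Model2CitrixClient' { @{
            CitrixVirtualChannelConnectorMode   = '1'   # connector enabled on the client
            ICAClientInstallDir                 = $IcaClientDir
        } }
    }

    # Rewrite only the lines for the options above; every other line is kept as is.
    $seen = @{}
    $out  = @(foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*=' -and $required.ContainsKey($Matches[1])) {
            $key = $Matches[1]
            $seen[$key] = $true
            "$key=$($required[$key])"
        } else {
            $line
        }
    })
    # Options absent from the file are appended so the installer still sees them.
    foreach ($key in $required.Keys) {
        if (-not $seen[$key]) { $out += "$key=$($required[$key])" }
    }

    # Keep a backup: the installer reads this file once, so a wrong value here
    # means uninstalling and reinstalling rather than a quick edit afterwards.
    Copy-Item -LiteralPath $IniPath -Destination "$IniPath.bak" -Force
    Set-Content -LiteralPath $IniPath -Value $out -Encoding ASCII

    # Verification pass: re-read the written file and compare with the expected values.
    $actual = @{}
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$') { $actual[$Matches[1]] = $Matches[2] }
    }
    $ok = $true
    foreach ($key in $required.Keys) {
        if ($actual[$key] -ne $required[$key]) {
            Write-Warning "$key is '$($actual[$key])', expected '$($required[$key])'"
            $ok = $false
        }
    }
    return $ok
}

# Usage on a Citrix server that will run AccessAgent in lightweight mode (mode 3):
# Set-EssoSetupHlp -Role Model2Server -ServerMode 3 -IniPath 'D:\AccessAgent\Config\SetupHlp.ini'
```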

Procedure
1. On the Citrix or Terminal Server, install the Server AccessAgent. If you encounter an error in deploying the Virtual Channel Connector on the Citrix server, see “Deploying Virtual Channel Connector on Citrix server” on page 10.
2. On the client machine, install the Client AccessAgent. If you encounter an error in deploying the Virtual Channel Connector on the Citrix client machine, deploy the Virtual Channel Connector manually. See “Deploying Virtual Channel Connector on Citrix client” on page 10.
3. Optional: Change the Server AccessAgent to run in lightweight mode or standard mode after installation. To change the Server AccessAgent mode, modify the TSLightweight Mode policy in the root\DeploymentOptions.

Table 1. TSLightweight Mode policy value

TSLightweight Mode policy value: 0
  Description: Deploys the Server AccessAgent in standard mode.

TSLightweight Mode policy value: 1 (default)
  Description: Deploys the Server AccessAgent in lightweight mode.

TSLightweight Mode policy value: 2
  Description: Enforces lightweight mode. The Server AccessAgent always operates in lightweight mode. The session in the Server AccessAgent does not start when there is no Client AccessAgent.


Deploying Virtual Channel Connector on Citrix server

You can deploy the Virtual Channel Connector on Citrix server by modifying the SetupHlp.ini file and installing the Server AccessAgent. If you encounter an error during installation, you can manually deploy Virtual Channel Connector on your Citrix server.

Procedure

Register the server connector file with AccessAgent.
1. On your Windows desktop, click Start > Run.
2. In the Open field, enter regedit and click OK. The Registry Editor is displayed.
3. Open HKLM\SOFTWARE\IBM\ISAM ESSO.
4. Create the HKLM\SOFTWARE\IBM\ISAM ESSO\AccessAgent\Integration\TerminalServices\ServerSPI key.
5. In the HKLM\SOFTWARE\IBM\ISAM ESSO\AccessAgent\Integration\TerminalServices\ServerSPI key, create the following string values:

Value Name: ICA
  Value Data: ICAVCServer.dll
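The same registration done from PowerShell instead of regedit, as an added example that is not part of the IBM guide: it creates the ServerSPI key and the ICA string value named in steps 4 and 5, but only after confirming that the connector DLL the value points at exists and is signed, and it reads the value back afterwards. The function name and the requirement that the caller supply the AccessAgent Program Files folder are assumptions.

```powershell
# Added example, not from the IBM guide. Registry path and value name are from
# the procedure above; the AccessAgent folder is supplied by the caller.
function Register-EssoServerConnector {
    param(
        # The AccessAgent Program Files folder that holds ICAVCServer.dll (caller supplies it).
        [Parameter(Mandatory)][string]$AccessAgentDir,
        [string]$ConnectorDll = 'ICAVCServer.dll'
    )
    # HKLM:\ is the PowerShell drive for HKEY_LOCAL_MACHINE.
    $serverSpiKey = 'HKLM:\SOFTWARE\IBM\ISAM ESSO\AccessAgent\Integration\TerminalServices\ServerSPI'
    $valueName    = 'ICA'

    # AccessAgent will load whatever DLL name this value points at, so make sure
    # the file is present and carries a valid signature before registering it.
    $dllPath = Join-Path $AccessAgentDir $ConnectorDll
    if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) {
        throw "Connector DLL not found at '$dllPath'; check the AccessAgent installation first."
    }
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$ConnectorDll Authenticode status is '$($sig.Status)'; verify the file before continuing."
    }

    # Steps 3 and 4: New-Item -Force also creates the missing intermediate keys.
    if (-not (Test-Path -LiteralPath $serverSpiKey)) {
        New-Item -Path $serverSpiKey -Force | Out-Null
    }
    # Step 5: create (or overwrite) the REG_SZ value ICA = ICAVCServer.dll.
    New-ItemProperty -LiteralPath $serverSpiKey -Name $valueName -Value $ConnectorDll `
        -PropertyType String -Force | Out-Null

    # Read back and compare so a permissions problem surfaces now rather than at
    # the next user logon.
    $actual = (Get-ItemProperty -LiteralPath $serverSpiKey -Name $valueName).$valueName
    if ($actual -ne $ConnectorDll) {
        throw "ServerSPI\$valueName is '$actual', expected '$ConnectorDll'"
    }
    return $actual
}

# Run from an elevated PowerShell on the Citrix server; the folder below is a placeholder:
# Register-EssoServerConnector -AccessAgentDir '<AccessAgent Program Files folder>'
```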

Deploying Virtual Channel Connector on Citrix client

You can deploy the Virtual Channel Connector on the Citrix client by modifying the SetupHlp.ini file and installing the Client AccessAgent. If you encounter an error during installation, you can manually deploy the Virtual Channel Connector on your Citrix client.

Procedure
1. Copy the client connector DLL file (for example, ICAVCClient.dll) from the AccessAgent Program Files folder to the Citrix XenApp Plug-in installation folder.
2. Copy the EncVcClient.dll file from the AccessAgent Program Files folder to the Citrix XenApp Plug-in installation folder.
3. Configure the Citrix client registry for the client connector DLL file.
   a. On your Windows desktop, click Start > Run.
   b. In the Open field, enter regedit and click OK. The Registry Editor is displayed.

   Note:
   v For a Windows 32-bit operating system, the Citrix registry hive is HKEY_LOCAL_MACHINE\SOFTWARE\Citrix.
   v For a Windows x64 operating system, the Citrix registry hive is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\.

   c. Modify the VirtualDriverEx value.
      1) Select <Citrix registry hive>\ICA Client\Engine\Configuration\Advanced\Modules\ICA 3.0\.
      2) Double-click VirtualDriverEx.
      3) In the Value data field, add ICAVCClient.
      4) Click OK.
   d. Create an ICAVCClient key.
      1) Open <Citrix registry hive>\ICA Client\Engine\Configuration\Advanced\Modules\.
      2) Create the <Citrix registry hive>\ICA Client\Engine\Configuration\Advanced\Modules\ICAVCClient key.
      3) In the <Citrix registry hive>\ICA Client\Engine\Configuration\Advanced\Modules\ICAVCClient\ key, create the following string values:

Value Name        Value Data
DriverName        ICAVCClient.dll
DriverNameWin16   ICAVCClient.dll
DriverNameWin32   ICAVCClient.dll
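The server and client registry steps above can be applied without hand-editing in regedit. The following PowerShell script is an added example and is not part of the IBM guide: it selects the Citrix hive for 32-bit or x64 Windows as the note describes, appends ICAVCClient to VirtualDriverEx only when it is not already listed, creates the ICAVCClient module key with its three driver values, and, for the server role, creates the ServerSPI key. The -Role switch and the XenApp Plug-in folder path are assumptions; the key names and values are the ones the procedures document.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the IBM guide. Registers the Virtual Channel Connector
# in the registry for either role. Key paths, value names and value data are the
# ones the procedures above document; -Role and $PluginDir are assumptions.
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Client',
    # Assumption: Citrix XenApp Plug-in install folder on the client machine.
    [string]$PluginDir = 'C:\Program Files (x86)\Citrix\ICA Client'
)

function Register-ServerConnector {
    # Server side: ServerSPI key under HKLM\SOFTWARE\IBM\ISAM ESSO with ICA = ICAVCServer.dll
    if (-not (Test-Path 'HKLM:\SOFTWARE\IBM\ISAM ESSO')) {
        throw 'HKLM\SOFTWARE\IBM\ISAM ESSO is missing; install the Server AccessAgent first.'
    }
    $spi = 'HKLM:\SOFTWARE\IBM\ISAM ESSO\AccessAgent\Integration\TerminalServices\ServerSPI'
    if (-not (Test-Path $spi)) { New-Item -Path $spi -Force | Out-Null }
    New-ItemProperty -Path $spi -Name 'ICA' -Value 'ICAVCServer.dll' -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $spi -Name 'ICA' | Select-Object ICA
}

function Register-ClientConnector {
    # Steps 1 and 2: both connector DLLs must already sit in the plug-in folder.
    foreach ($dll in 'ICAVCClient.dll', 'EncVcClient.dll') {
        if (-not (Test-Path (Join-Path $PluginDir $dll))) {
            throw "$dll not found in $PluginDir; copy it from the AccessAgent Program Files folder first."
        }
    }

    # Note under step 3b: Wow6432Node hive on x64 Windows, plain SOFTWARE\Citrix on 32-bit.
    $hive = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node\Citrix' } else { 'HKLM:\SOFTWARE\Citrix' }
    $modules = Join-Path $hive 'ICA Client\Engine\Configuration\Advanced\Modules'

    # Step 3c: VirtualDriverEx is a comma-separated list of virtual driver modules.
    # Add ICAVCClient only if it is not already listed, so re-running the script is harmless.
    $ica30 = Join-Path $modules 'ICA 3.0'
    if (-not (Test-Path $ica30)) { throw "$ica30 not found; is the Citrix client installed?" }
    $current = (Get-ItemProperty -Path $ica30 -Name 'VirtualDriverEx' -ErrorAction SilentlyContinue).VirtualDriverEx
    $drivers = @()
    if ($current) { $drivers = @($current -split '\s*,\s*' | Where-Object { $_ -ne '' }) }
    if ($drivers -notcontains 'ICAVCClient') {
        Set-ItemProperty -Path $ica30 -Name 'VirtualDriverEx' -Value (($drivers + 'ICAVCClient') -join ',')
    }

    # Step 3d: the ICAVCClient module key with its three driver name values.
    $vc = Join-Path $modules 'ICAVCClient'
    if (-not (Test-Path $vc)) { New-Item -Path $vc -Force | Out-Null }
    foreach ($name in 'DriverName', 'DriverNameWin16', 'DriverNameWin32') {
        New-ItemProperty -Path $vc -Name $name -Value 'ICAVCClient.dll' -PropertyType String -Force | Out-Null
    }

    # Read back so the result can be checked before the next Citrix session is started.
    Get-ItemProperty -Path $ica30 -Name 'VirtualDriverEx' | Select-Object VirtualDriverEx
    Get-ItemProperty -Path $vc | Select-Object DriverName, DriverNameWin16, DriverNameWin32
}

if ($Role -eq 'Server') { Register-ServerConnector } else { Register-ClientConnector }
```

Run it once per machine with the matching role; the read-back at the end shows exactly what the guide tells you to verify in regedit.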

Single sign-on experience

The user single sign-on experience varies, depending on how you deploy the AccessAgent. If you deploy the Virtual Channel Connector, users are automatically logged on to the remote sessions after they log on to the Client AccessAgent.

In this configuration, the user can:
v Log on to the Client AccessAgent.
v Start a Citrix or Terminal Server session. The Client AccessAgent logs the user on to the remote session.
v In the standard mode:
  – Server AccessAgent starts, and Server AccessAgent and Client AccessAgent are synchronized.
  – User is automatically logged on to the AccessAgent by using the Client AccessAgent credential.
  – The Server AccessAgent tray icon is added to the client taskbar when the user accesses published applications in seamless mode.
  – User can single sign-on to profiled applications.
  – User can manage the Wallet through Client AccessAgent.

  Note: If the terminal server policy for displaying menu options on remote AccessAgent is enabled, the user can manage the Wallet through the Client AccessAgent and Server AccessAgent.

v In the lightweight mode:
  – Server AccessAgent is not started.
  – User can single sign-on to profiled applications.
  – User can manage the Wallet through Client AccessAgent.


Chapter 5. Model 3: Generic terminal session

A generic terminal configuration consists of a Server AccessAgent deployed on a generic terminal session.

A generic desktop session is hosted on a dedicated tier of the Citrix or Terminal Server. Different users can share access to applications hosted in the remote session from a thin client machine.

Important: This configuration is intended for thin client users.

In this configuration, thin client machines are constantly connected to the remote terminal session that is logged on to a generic low-privileged Active Directory account.

Server AccessAgent is configured to run in Shared Desktop mode on each terminal session. Users unlock into the terminal session by logging in through the Server AccessAgent ESSO GINA or ESSO Credential Provider.

This configuration is useful for scenarios where:
v Applications are kept active in each terminal session because of long startup times.
v AccessAgent automatically logs different users on to and off from applications.

In this configuration, the users can unlock the remote session and log on to a Wallet with either a password or an RFID card.

Model 3 limitations

Consider the following single sign-on limitations in a terminal services deployment with generic terminal sessions:
v Users can use only RFID as the second authentication factor device.
v Users cannot roam terminal sessions.

Deploying generic terminal session

You can deploy single sign-on services on a generic terminal session. Configure the AccessAgent and the Citrix or Terminal Server to deploy Model 3.

Before you begin

The following settings are the required generic terminal server configurations to implement Model 3. These terminal servers are dedicated to serving thin client machines only.
v Configure the generic terminal server to automatically log on to the Citrix or Terminal Server with a single designated low-privilege generic Active Directory credential.
v Configure the generic terminal server to allow unlimited terminal sessions for the generic Active Directory credential.
v Do not enable roaming for the terminal client session. If an idle session times out, the desktop screen must be locked.


To specify the single sign-on options for Model 3, you must modify the SetupHlp.ini file before you install the Server AccessAgent. Modify the following options in the SetupHlp.ini file:

Option                                                  Description
EncentuateNetworkProviderEnabled                        Set to 0 to disable the ESSO Network Provider.
EncentuateCredentialProviderEnabled and EnginaEnabled   Set to 1 to enable the ESSO GINA and ESSO Credential Provider.

Procedure
1. Complete the following tasks on the Citrix or Terminal Server:
   a. Install the AccessAgent on the Citrix or Terminal Server.
   b. Assign a shared desktop policy template at Server AccessAgent.
2. Configure the thin client to automatically log on to the Citrix or Terminal Server with a single designated low-privilege generic Active Directory credential. The credential is the same account as the one set up for auto-logon on the generic terminal server.
3. Optional: If you are using RFID as the authentication factor, you must complete the following tasks:
   a. Enable serial port redirection at the thin client and target terminal server.
   b. Enforce two-factor authentication by setting the user authentication policy at AccessAdmin.
   c. Enable the RFID authentication if required. See Chapter 7, “Customizing AccessAgent on Citrix and Terminal Servers,” on page 17.

Single sign-on experience

The user single sign-on experience varies, depending on how you deploy the AccessAgent. If you deploy the generic terminal session configuration, the user logs on to a lock screen to start a session.

In this configuration, the user can do the following tasks:
v Log on to the ESSO GINA or ESSO Credential Provider lock screen to start a session. User can log on to the Server AccessAgent with password or RFID.
v Single sign-on to profiled applications.
v Manage the Wallet through the Server AccessAgent.


Chapter 6. Model 4: Two-tier AccessAgent configuration

A two-tier AccessAgent configuration is a combination of deploying a Virtual Channel Connector and a generic remote desktop. This configuration is intended for deployments that require mixed-client two-factor authentication.

A two-tier AccessAgent configuration involves two terminal servers:
v A generic terminal server for deployment with thin clients
v Target Citrix or Terminal Server for deployment with workstations

A generic terminal server hosts a generic remote desktop. The server accepts thin client connections and automatically connects to the target Citrix or Terminal Server, acting as a proxy.

The target Citrix or Terminal Server hosts the Terminal Server sessions and Citrix applications.

The following diagram illustrates the communication between the terminal servers and the client machines.

The thin client users connect to the generic terminal server by using the Model 3 configuration. The generic terminal server then connects to the target Citrix or Terminal Server through the Virtual Channel Connector, that is, by using the Model 2 configuration.

The workstation client users connect to the target Citrix or Terminal Server through the Virtual Channel Connector, that is, by using the Model 2 configuration.

Figure 3. Communication between the terminal servers and client machines (diagram not reproduced; labels in the figure: Thin client, Generic terminal server, Target Citrix or Terminal Server, Workstation, Terminal client, Terminal application, AccessAgent, ESSO GINA or ESSO Credential Provider, Virtual Channel Connector, Model 3, Model 2)


Deploying two-tier AccessAgent configuration

You can deploy a two-tier AccessAgent configuration on a Citrix or Terminal Server. Configure the target Citrix or Terminal Server, generic terminal server, thin clients, and workstations to deploy Model 4.

Procedure
1. On the target Citrix or Terminal Server, complete the tasks for configuring the Citrix or Terminal Server as enumerated in the Model 2 configuration. See “Deploying Virtual Channel Connector configuration” on page 8.
2. On the generic terminal server, complete the following tasks:
   a. Complete the tasks for configuring the generic terminal server in the Model 3 configuration, except the installation of AccessAgent. See “Deploying generic terminal session” on page 13.
   b. Configure the generic terminal server as a client machine. Complete the tasks for configuring a client machine as discussed in the Model 2 configuration. See “Deploying Virtual Channel Connector configuration” on page 8.
   c. Configure the generic server to automatically log on to the target Citrix or Terminal Server.
3. On the thin client machine, configure the thin client to automatically log on to the Citrix or Terminal Server with a single designated low-privilege generic Active Directory credential. This credential is the same as the one set up for auto-logon on the generic terminal server.
4. On the workstation client machine, complete the tasks for configuring the client machine as stated in the Model 2 configuration. See “Deploying Virtual Channel Connector configuration” on page 8.

Single sign-on experience

The user single sign-on experience varies, depending on how you deploy the AccessAgent. If you deploy the two-tier AccessAgent configuration, the single sign-on experience is the same as in the Model 2 and Model 3 configurations.

Workstation users

In this configuration, the single sign-on experience for workstation users is the same as the single sign-on experience for the Virtual Channel Connector configuration. See Model 2 “Single sign-on experience” on page 11.

Thin client users

In this configuration, the single sign-on experience for thin client users is the same as the single sign-on experience for the generic terminal session configuration. See Model 3 “Single sign-on experience” on page 14.


Chapter 7. Customizing AccessAgent on Citrix and Terminal Servers

You can customize the behavior of AccessAgent when users log on to a session on a Citrix or Terminal Server.

Procedure
1. Log on to AccessAdmin.
2. Go to Machine Policy Templates > Template assignments.
3. Click a policy template.
4. Go to AccessAgent Policies > Terminal Server Policies.
5. Complete the following fields:

Option   Description
Enable auto-launching of AccessAgent logon prompt
   Identifies whether to launch the AccessAgent logon dialog if AccessAgent is not logged on when a Citrix application or a Terminal Server session is launched.
Use ESSO GINA or ESSO Credential Provider logon when there is no local AccessAgent session
   Whether to use ESSO GINA or ESSO Credential Provider logon or Microsoft GINA logon for the Terminal Server session, when there is no local AccessAgent session.
Log off remote AccessAgent when reconnecting from workstation without local AccessAgent session
   Whether to log off the remote AccessAgent when a user with no local AccessAgent session reconnects to an existing session on the Citrix or Terminal Server.
Option for displaying menu options on remote AccessAgent
   Whether to display menu options on the AccessAgent user interface in a Citrix or Terminal Server session.

6. Complete the following fields only if you want RFID to be enabled for thin clients:

Option   Description
Enable COM port redirection
   Identifies whether the device monitoring mechanism must redirect the COM port from the client computer to the Citrix or Terminal Server.
Virtual COM port on Citrix or Terminal Server
   Virtual COM port on the Citrix or Terminal Server to which data from the client COM port is redirected.
Physical COM port on client machine
   Physical COM port on the client to which the authentication device, or the RFID reader, is connected. The redirection takes place from this port to the virtual COM port of the Citrix or Terminal Server.

7. Click Update.
8. Assign the updated machine policy template to the Citrix or Terminal Server.


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering uses other technologies that collect each user's user name, password or other personally identifiable information for purposes of session management, authentication, single sign-on configuration or other usage tracking or functional purposes. These technologies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en, sections entitled “Cookies, Web Beacons and Other Technologies” and “Software Products and Software-as-a Service”.


Glossary

This glossary includes terms and definitions forIBM Security Access Manager for EnterpriseSingle Sign-On.

The following cross-references are used in thisglossary:v See refers you from a term to a preferred

synonym, or from an acronym or abbreviationto the defined full form.

v See also refers you to a related or contrastingterm.

To view glossaries for other IBM products, go towww.ibm.com/software/globalization/terminology (opens in new window).

Aaccount data

The logon information required to verifyan authentication service. It can be theuser name, password, and theauthentication service which the logoninformation is stored.

account data bagA data structure that holds usercredentials in memory while singlesign-on is performed on an application.

account data itemThe user credentials required for logon.

account data item templateA template that defines the properties ofan account data item.

account data templateA template that defines the format ofaccount data to be stored for credentialscaptured using a specific AccessProfile.

action In profiling, an act that can be performedin response to a trigger. For example,automatic filling of user name andpassword details as soon as a sign-onwindow displays.

Active Directory (AD)A hierarchical directory service thatenables centralized, secure management

of an entire network, which is a centralcomponent of the Microsoft Windowsplatform.

Active Directory credentialThe Active Directory user name andpassword.

Active Directory password synchronizationAn IBM Security Access Manager forEnterprise Single Sign-On feature thatsynchronizes the ISAM ESSO passwordwith the Active Directory password.

active radio frequency identification (activeRFID) A second authentication factor and

presence detector. See also radiofrequency identification.

active RFIDSee active radio frequency identification.

AD See Active Directory.

administratorA person responsible for administrativetasks such as access authorization andcontent management. Administrators canalso grant levels of authority to users.

API See application programming interface.

applicationA system that provides the user interfacefor reading or entering the authenticationcredentials.

application policyA collection of policies and attributesgoverning access to applications.

application programming interface (API)An interface that allows an applicationprogram that is written in a high-levellanguage to use specific data or functionsof the operating system or anotherprogram.

audit A process that logs the user,Administrator, and Helpdesk activities.

authentication factorThe device, biometrics, or secrets requiredas a credentials for validating digitalidentities. Examples of authentication

© Copyright IBM Corp. 2002, 2014 23

Page 36: IBM® Security Access Manager for Enterprise Single Sign ......IBM ® Security Access Mana ger for Enterprise Single Sign-On V ersion 8.2.1 AccessAgent on T erminal Ser ver and Citrix

factors are passwords, smart card, RFID,biometrics, and one-time passwordtokens.

authentication serviceA service that verifies the validity of anaccount; applications authenticate againsttheir own user store or against acorporate directory.

authorization codeAn alphanumeric code generated foradministrative functions, such aspassword resets or two-factorauthentication bypass.

auto-captureA process that allows a system to collectand reuse user credentials for differentapplications. These credentials arecaptured when the user entersinformation for the first time, and thenstored and secured for future use.

automatic sign-onA feature where users can log on to thesign-on automation system and thesystem logs on the user to all otherapplications.

Bbase distinguished name

    A name that indicates the starting point for searches in the directory server.

base image
    A template for a virtual desktop.

bidirectional language
    A language that uses a script, such as Arabic and Hebrew, whose general flow of text proceeds horizontally from right to left, but numbers, English, and other left-to-right language text are written from left to right.

bind distinguished name
    A name that specifies the credentials for the application server to use when connecting to a directory service. The distinguished name uniquely identifies an entry in a directory.

biometrics
    The identification of a user based on a physical characteristic of the user, such as a fingerprint, iris, face, voice, or handwriting.

C

CA
    See certificate authority.

CAPI
    See cryptographic application programming interface.

Card Serial Number (CSN)
    A unique data item that identifies a hybrid smart card. It has no relation to the certificates installed in the smart card.

CCOW
    See Clinical Context Object Workgroup.

cell
    A group of managed processes that are federated to the same deployment manager and can include high-availability core groups.

certificate
    In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.

certificate authority (CA)
    A trusted third-party organization or company that issues the digital certificates. The certificate authority typically verifies the identity of the individuals who are granted the unique certificate. See also certificate.

CLI
    See command-line interface.

Clinical Context Object Workgroup (CCOW)
    A vendor-independent standard for the interchange of information between clinical applications in the healthcare industry.

cluster
    A group of application servers that collaborate for the purposes of workload balancing and failover.

command-line interface (CLI)
    A computer interface in which the input and output are text based.

credential
    Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources.

cryptographic application programming interface (CAPI)
    An application programming interface that provides services to enable developers to secure applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data.

cryptographic service provider (CSP)
    A feature of the i5/OS operating system that provides APIs. The CCA Cryptographic Service Provider enables a user to run functions on the 4758 Coprocessor.

CSN
    See Card Serial Number.

CSP
    See cryptographic service provider.

D

dashboard
    An interface that integrates data from a variety of sources and provides a unified display of relevant and in-context information.

database server
    A software program that uses a database manager to provide database services to other software programs or computers.

data source
    The means by which an application accesses data from a database.

deployment manager
    A server that manages and configures operations for a logical group or cell of other servers.

deployment manager profile
    A WebSphere Application Server runtime environment that manages operations for a logical group, or cell, of other servers.

deprovision
    To remove a service or component. For example, to deprovision an account means to delete an account from a resource. See also provision.

desktop pool
    A collection of virtual desktops of similar configuration intended to be used by a designated group of users.

directory
    A file that contains the names and controlling information for objects or other directories.

directory service
    A directory of names, profile information, and machine addresses of every user and resource on the network. It manages user accounts and network permissions. When a user name is sent, it returns the attributes of that individual, which might include a telephone number, as well as an email address. Directory services use highly specialized databases that are typically hierarchical in design and provide fast lookups.

disaster recovery
    The process of restoring a database, system, and policies after a partial or complete site failure that was caused by a catastrophic event such as an earthquake or fire. Typically, disaster recovery requires a full backup at another location.

disaster recovery site
    A secondary location for the production environment in case of a disaster.

distinguished name (DN)
    The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas. For example, CN=person name and C=country or region.

DLL
    See dynamic link library.

DN
    See distinguished name.

DNS
    See domain name server.

domain name server (DNS)
    A server program that supplies name-to-address conversion by mapping domain names to IP addresses.

dynamic link library (DLL)
    A file containing executable code and data bound to a program at load time or run time, rather than during linking. The code and data in a DLL can be shared by several applications simultaneously.

E

enterprise directory
    A directory of user accounts that define IBM Security Access Manager for Enterprise Single Sign-On users. It validates user credentials during sign-up and logon, if the password is synchronized with the enterprise directory password. An example of an enterprise directory is Active Directory.

enterprise single sign-on (ESSO)
    A mechanism that allows users to log on to all applications deployed in the enterprise by entering a user ID and other credentials, such as a password.

ESSO
    See enterprise single sign-on.

event code
    A code that represents a specific event that is tracked and logged into the audit log tables.

F

failover
    An automatic operation that switches to a redundant or standby system or node in the event of a software, hardware, or network interruption.

fast user switching
    A feature that allows users to switch between user accounts on a single workstation without quitting and logging out of applications.

Federal Information Processing Standard (FIPS)
    A standard produced by the National Institute of Standards and Technology when national and international standards are nonexistent or inadequate to satisfy the U.S. government requirements.

FIPS
    See Federal Information Processing Standard.

fix pack
    A cumulative collection of fixes that is released between scheduled refresh packs, manufacturing refreshes, or releases. A fix pack updates the system to a specific maintenance level.

FQDN
    See fully qualified domain name.

fully qualified domain name (FQDN)
    In Internet communications, the name of a host system that includes all of the subnames of the domain name. An example of a fully qualified domain name is rchland.vnet.ibm.com. See also host name.

G

GINA
    See graphical identification and authentication.

GPO
    See group policy object.

graphical identification and authentication (GINA)
    A dynamic link library that provides a user interface that is tightly integrated with authentication factors and provides password resets and second factor bypass options.

group policy object (GPO)
    A collection of group policy settings. Group policy objects are the documents created by the group policy snap-in. Group policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units.

H

HA
    See high availability.

high availability (HA)
    The ability of IT services to withstand all outages and continue providing processing capability according to some predefined service level. Covered outages include both planned events, such as maintenance and backups, and unplanned events, such as software failures, hardware failures, power failures, and disasters.

host name
    In Internet communication, the name given to a computer. The host name might be a fully qualified domain name such as mycomputer.city.company.com, or it might be a specific subname such as mycomputer. See also fully qualified domain name, IP address.

hot key
    A key sequence used to shift operations between different applications or between different functions of an application.

hybrid smart card
    An ISO-7816 compliant smart card which contains a public key cryptography chip and an RFID chip. The cryptographic chip is accessible through a contact interface. The RFID chip is accessible through a contactless (RF) interface.

I

interactive graphical mode
    A series of panels that prompts for information to complete the installation.

IP address
    A unique address for a device or logical unit on a network that uses the Internet Protocol standard. See also host name.

J

Java Management Extensions (JMX)
    A means of doing management of and through Java technology. JMX is a universal, open extension of the Java programming language for management that can be deployed across all industries, wherever management is needed.

Java runtime environment (JRE)
    A subset of a Java developer kit that contains the core executable programs and files that constitute the standard Java platform. The JRE includes the Java virtual machine (JVM), core classes, and supporting files.

Java virtual machine (JVM)
    A software implementation of a processor that runs compiled Java code (applets and applications).

JMX
    See Java Management Extensions.

JRE
    See Java runtime environment.

JVM
    See Java virtual machine.

K

keystore
    In security, a file or a hardware cryptographic card where identities and private keys are stored, for authentication and encryption purposes. Some keystores also contain trusted or public keys. See also truststore.

L

LDAP
    See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP)
    An open protocol that uses TCP/IP to provide access to directories that support an X.500 model. LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

lightweight mode
    A Server AccessAgent mode. Running in lightweight mode reduces the memory footprint of AccessAgent on a Terminal or Citrix Server and improves the single sign-on startup duration.

linked clone
    A copy of a virtual machine that shares virtual disks with the parent virtual machine in an ongoing manner.

load balancing
    The monitoring of application servers and management of the workload on servers. If one server exceeds its workload, requests are forwarded to another server with more capacity.

lookup user
    A user who is authenticated in the Enterprise Directory and searches for other users. IBM Security Access Manager for Enterprise Single Sign-On uses the lookup user to retrieve user attributes from the Active Directory or LDAP enterprise repository.

M

managed node
    A node that is federated to a deployment manager and contains a node agent and can contain managed servers. See also node.

mobile authentication
    An authentication factor which allows mobile users to sign on securely to corporate resources from anywhere on the network.

N

network deployment
    The deployment of an IMS™ Server on a WebSphere Application Server cluster.

node
    A logical group of managed servers. See also managed node.

node agent
    An administrative agent that manages all application servers on a node and represents the node in the management cell.

O

one-time password (OTP)
    A one-use password that is generated for an authentication event, and is sometimes communicated between the client and the server through a secure channel.

OTP
    See one-time password.

OTP token
    A small, highly portable hardware device that the owner carries to authorize access to digital systems and physical assets, or both.

P

password aging
    A security feature by which the superuser can specify how often users must change their passwords.

password complexity policy
    A policy that specifies the minimum and maximum length of the password, the minimum number of numeric and alphabetic characters, and whether to allow mixed uppercase and lowercase characters.

personal identification number (PIN)
    In Cryptographic Support, a unique number assigned by an organization to an individual and used as proof of identity. PINs are commonly assigned by financial institutions to their customers.

PIN
    See personal identification number.

pinnable state
    A state from an AccessProfile widget that can be combined with the main AccessProfile to reuse the AccessProfile widget function.

PKCS
    See Public Key Cryptography Standards.

policy template
    A predefined policy form that helps users define a policy by providing the fixed policy elements that cannot be changed and the variable policy elements that can be changed.

portal
    A single, secure point of access to diverse information, applications, and people that can be customized and personalized.

presence detector
    A device that, when fixed to a computer, detects when a person moves away from it. This device eliminates the need to manually lock the computer upon leaving it for a short time.

primary authentication factor
    The IBM Security Access Manager for Enterprise Single Sign-On password or directory server credentials.

private key
    In computer security, the secret half of a cryptographic key pair that is used with a public key algorithm. The private key is known only to its owner. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key.

provision
    To provide, deploy, and track a service, component, application, or resource. See also deprovision.

provisioning API
    An interface that allows IBM Security Access Manager for Enterprise Single Sign-On to integrate with user provisioning systems.

provisioning bridge
    An automatic IMS Server credential distribution process with third-party provisioning systems that uses API libraries with a SOAP connection.

provisioning system
    A system that provides identity lifecycle management for application users in enterprises and manages their credentials.

Public Key Cryptography Standards (PKCS)
    A set of industry-standard protocols used for secure information exchange on the Internet. Domino® Certificate Authority and Server Certificate Administration applications can accept certificates in PKCS format.

published application
    An application installed on a Citrix XenApp server that can be accessed from Citrix ICA Clients.

published desktop
    A Citrix XenApp feature where users have remote access to a full Windows desktop from any device, anywhere, at any time.

R

radio frequency identification (RFID)
    An automatic identification and data capture technology that identifies unique items and transmits data using radio waves. See also active radio frequency identification.

RADIUS
    See remote authentication dial-in user service.

random password
    An arbitrarily generated password used to increase authentication security between clients and servers.

RDP
    See remote desktop protocol.

registry
    A repository that contains access and configuration information for users, systems, and software.

registry hive
    In Windows systems, the structure of the data stored in the registry.

remote authentication dial-in user service (RADIUS)
    An authentication and accounting system that uses access servers to provide centralized management of access to large networks.

remote desktop protocol (RDP)
    A protocol that facilitates remote display and input over network connections for Windows-based server applications. RDP supports different network topologies and multiple connections.

replication
    The process of maintaining a defined set of data in more than one location. Replication involves copying designated changes for one location (a source) to another (a target) and synchronizing the data in both locations.

revoke
    To remove a privilege or an authority from an authorization identifier.

RFID
    See radio frequency identification.

root CA
    See root certificate authority.

root certificate authority (root CA)
    The certificate authority at the top of the hierarchy of authorities by which the identity of a certificate holder can be verified.

S

scope
    A reference to the applicability of a policy, at the system, user, or machine level.

secret question
    A question whose answer is known only to the user. A secret question is used as a security feature to verify the identity of a user.

secure remote access
    The solution that provides web browser-based single sign-on to all applications from outside the firewall.

Secure Sockets Layer (SSL)
    A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

Secure Sockets Layer virtual private network (SSL VPN)
    A form of VPN that can be used with a standard web browser.

Security Token Service (STS)
    A web service that is used for issuing and exchanging security tokens.

security trust service chain
    A group of module instances that are configured for use together. Each module instance in the chain is called in turn to perform a specific function as part of the overall processing of a request.

serial ID service provider interface
    A programmatic interface intended for integrating AccessAgent with third-party Serial ID devices used for two-factor authentication.

serial number
    A unique number embedded in the IBM Security Access Manager for Enterprise Single Sign-On keys, which is unique to each key and cannot be changed.

server locator
    A locator that groups a related set of web applications that require authentication by the same authentication service. In AccessStudio, server locators identify the authentication service with which an application screen is associated.

service provider interface (SPI)
    An interface through which vendors can integrate any device with serial numbers with IBM Security Access Manager for Enterprise Single Sign-On and use the device as a second factor in AccessAgent.

signature
    In profiling, unique identification information for any application, window, or field.

sign-on automation
    A technology that works with application user interfaces to automate the sign-on process for users.

sign up
    To request a resource.

silent mode
    A method for installing or uninstalling a product component from the command line with no GUI display. When using silent mode, you specify the data required by the installation or uninstallation program directly on the command line or in a file (called an option file or response file).

Simple Mail Transfer Protocol (SMTP)
    An Internet application protocol for transferring mail among users of the Internet.

single sign-on (SSO)
    An authentication process in which a user can access more than one system or application by entering a single user ID and password.

smart card
    An intelligent token that is embedded with an integrated circuit chip that provides memory capacity and computational capabilities.

smart card middleware
    Software that acts as an interface between smart card applications and the smart card hardware. Typically the software consists of libraries that implement PKCS#11 and CAPI interfaces to smart cards.

SMTP
    See Simple Mail Transfer Protocol.

snapshot
    A captured state, data, and hardware configuration of a running virtual machine.

SOAP
    A lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment. SOAP can be used to query and return information and invoke services across the Internet. See also web service.

SPI
    See service provider interface.

SSL
    See Secure Sockets Layer.

SSL VPN
    See Secure Sockets Layer virtual private network.

SSO
    See single sign-on.

stand-alone deployment
    A deployment where the IMS Server is deployed on an independent WebSphere Application Server profile.

stand-alone server
    A fully operational server that is managed independently of all other servers, using its own administrative console.

strong authentication
    A solution that uses multifactor authentication devices to prevent unauthorized access to confidential corporate information and IT networks, both inside and outside the corporate perimeter.

strong digital identity
    An online persona that is difficult to impersonate, possibly secured by private keys on a smart card.

STS
    See Security Token Service.

system modal message
    A system dialog box that is typically used to display important messages. When a system modal message is displayed, nothing else can be selected on the screen until the message is closed.

T

terminal emulator
    A program that allows a device such as a microcomputer or personal computer to enter and receive data from a computer system as if it were a particular type of attached terminal.

terminal type (tty)
    A generic device driver for a text display. A tty typically performs input and output on a character-by-character basis.

thin client
    A client that has little or no installed software but has access to software that is managed and delivered by network servers that are attached to it. A thin client is an alternative to a full-function client such as a workstation.

transparent screen lock
    A feature that, when enabled, permits users to lock their desktop screens but still see the contents of their desktop.

trigger
    In profiling, an event that causes transitions between states in a state engine, such as the loading of a web page or the appearance of a window on the desktop.

trust service chain
    A chain of modules that operate in different modes such as validate, map, and issue truststore.

truststore
    In security, a storage object, either a file or a hardware cryptographic card, where public keys are stored in the form of trusted certificates, for authentication purposes in web transactions. In some applications, these trusted certificates are moved into the application keystore to be stored with the private keys. See also keystore.

tty
    See terminal type.

two-factor authentication
    The use of two factors to authenticate a user. For example, the use of a password and an RFID card to log on to AccessAgent.

U

uniform resource identifier
    A compact string of characters for identifying an abstract or physical resource.

user credential
    Information acquired during authentication that describes a user, group associations, or other security-related identity attributes, and that is used to perform services such as authorization, auditing, or delegation. For example, a user ID and password are credentials that allow access to network and system resources.

user deprovisioning
    The process of removing a user account from IBM Security Access Manager for Enterprise Single Sign-On.

user provisioning
    The process of signing up a user to use IBM Security Access Manager for Enterprise Single Sign-On.

V

VB
    See Visual Basic.

virtual appliance
    A virtual machine image with a specific application purpose that is deployed to virtualization platforms.

virtual channel connector
    A connector that is used in a terminal services environment. The virtual channel connector establishes a virtual communication channel to manage the remote sessions between the Client AccessAgent component and the Server AccessAgent.

virtual desktop
    A user interface in a virtualized environment, stored on a remote server.

virtual desktop infrastructure
    An infrastructure that consists of desktop operating systems hosted within virtual machines on a centralized server.

Virtual Member Manager (VMM)
    A WebSphere Application Server component that provides applications with a secure facility to access basic organizational entity data such as people, logon accounts, and security roles.

virtual private network (VPN)
    An extension of a company intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.

Visual Basic (VB)
    An event-driven programming language and integrated development environment (IDE) from Microsoft.

VMM
    See Virtual Member Manager.

VPN
    See virtual private network.

W

wallet
    A secured data store of access credentials of a user and related information, which includes user IDs, passwords, certificates, and encryption keys.

wallet caching
    The process during single sign-on for an application whereby AccessAgent retrieves the logon credentials from the user credential wallet. The user credential wallet is downloaded on the user machine and stored securely on the IMS Server.

wallet manager
    The IBM Security Access Manager for Enterprise Single Sign-On GUI component that lets users manage application credentials in the personal identity wallet.

web server
    A software program that is capable of servicing Hypertext Transfer Protocol (HTTP) requests.

web service
    A self-contained, self-describing modular application that can be published, discovered, and invoked over a network using standard network protocols. Typically, XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available, and UDDI is used for listing what services are available. See also SOAP.

WS-Trust
    A web services security specification that defines a framework for trust models to establish trust between web services.

Index

A

AccessAgent
    Citrix and Terminal Servers
        deployment considerations 1
        deployment models 1
    customization
        RFID authentication 17
        terminal server policies 17
    mode
        lightweight 8
        standard 8
accessibility viii

D

deployment models
    basic configuration 5
    considerations 3
    generic terminal session 13
    guidelines 3
    two-tier AccessAgent configuration 15
    Virtual Channel Connector configuration 7

E

education viii

G

glossary 23

I

IBM
    Software Support viii
    Support Assistant viii
ICAVCClient file 10

L

lightweight mode 8

M

model 1 5
    AccessAgent installation 5
    single sign-on experience 5
model 2 7
    AccessAgent installation 8
    single sign-on experience 11
model 3 13
    AccessAgent installation 13
    single sign-on experience 14
model 4 15
    AccessAgent installation 16
    single sign-on experience 16

O

online
    publications v
    terminology v

P

problem-determination viii
publications
    accessing online v
    list of for this product v
    statement of good security practices ix

S

SetupHlp.ini file 5
    CitrixVirtualChannelConnectorMode option 8
    EncentuateCredentialProviderEnabled option 5, 13
    EncentuateNetworkProviderEnabled option 5, 13
    EnginaEnabled option 5, 13
    ICAClientInstallDir option 8
single sign-on experience
    model 1 5
    model 2 11
    model 3 14
    model 4 16

T

thin clients 3
training viii
TSLightweight Mode policy 8

V

Virtual Channel Connector
    manual deployment
        Citrix client 10
        Citrix server 10
    overview 8

W

workstations 3

IBM®

Printed in USA

SC27-5668-01