Copyright 2007 Entrust. All rights reserved. Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries. This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant. Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.
Table of contents

About this guide (page 9)
  Revision information (page 11)
  Documentation conventions (page 13)
    Note and Attention text
  Related documentation (page 14)
  Obtaining documentation (page 15)

CHAPTER 1 Preparing for installation (page 19)
  Downloading Entrust IdentityGuard software (page 21)
  Preparing your repository (page 22)
  Preparing your VPN network (page 23)
  Installation worksheet (page 25)
  Installing the token support patch (page 30)

CHAPTER 2 Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX (page 31)
  Creating the UNIX group and user (page 32)
  Installing Entrust IdentityGuard Server (page 33)
  Configuring the primary Entrust IdentityGuard Server (page 36)
    Starting the Entrust IdentityGuard configuration
    Adding Directory information to Entrust IdentityGuard
    Adding Database information to Entrust IdentityGuard
    Completing the Entrust IdentityGuard configuration
  Initializing the primary Entrust IdentityGuard Server (page 47)
    What initialization does
    If initialization fails
    Initializing the primary server
  Running the scripts manually (page 53)
  Testing your installation (page 58)
  Starting and stopping Entrust IdentityGuard with the UNIX service command
  Enabling and disabling individual Entrust IdentityGuard services

CHAPTER 3 Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows (page 67)
  Installing Entrust IdentityGuard Server
    Using the Configuration Panel
    Selecting your repository settings
    Selecting your system host name
  Configuring the primary Entrust IdentityGuard Server
    Starting the Entrust IdentityGuard Configuration wizard
    Selecting Entrust IdentityGuard service ports
    Completing Entrust IdentityGuard configuration
  Initializing the primary Entrust IdentityGuard Server
    What initialization does
    If initialization fails
    Running the Entrust IdentityGuard Initialization wizard
  Configuring the sample application on Microsoft Windows (page 87)
  Testing your installation
  Installation troubleshooting

  Configuring the primary Entrust IdentityGuard Server
    Starting the Entrust IdentityGuard configuration
    Adding Directory information to Entrust IdentityGuard
    Completing the Entrust IdentityGuard configuration
  Initializing the primary Entrust IdentityGuard Server
    What initialization does
    If initialization fails
  Stopping Entrust IdentityGuard Services on WebLogic 8.1
  Stopping Entrust IdentityGuard Services on WebLogic 9.1
  Stopping Entrust IdentityGuard Services on WebSphere 6.0

  Radius server example (page 176)
  External authentication example (page 177)
  Matching a group to a user (page 179)
  Using the Radius proxy with a Radius server
  Configuring the VPN server
  Using the Radius proxy with a domain controller or LDAP directory
  Configuring a Radius server for first-factor authentication
  Configuring Radius server failover
  Managing the Radius proxy

  Disabling the non-SSL port on the Authentication service
  Enabling the non-SSL port on the Administration service
  Disabling the SSL port on the Administration service
  Securing the LDAP connection with SSL
  Creating self-signed certificates
  Importing CA-signed certificates
  Updating certificates
  Enabling system binding
  Changing the Entrust IdentityGuard certificate

  Enabling the authentication success audit
  Configuring additional search bases
  Configuring LDAP directory properties
  Configuring database properties
  Enabling cached challenges
  Caching policies
  Changing log configuration
  Configuring the Entrust IdentityGuard Radius proxy properties (page 282)
  Configuring external authentication properties
  Configuring token properties (page 295)
  Configuring the Administration interface properties for bulk operations
  Configuring the Administration interface to control the output format

  Using machine authentication to log in
  Using generic authentication to log in
  Using step-up authentication
  Using temporary PIN authentication to log in
  Using one-step grid authentication to log in
  Using two-step grid authentication to log in
Appendix A, Configuring the Entrust IdentityGuard Server properties file, provides guidelines to reconfigure your installation by editing or adding settings to the identityguard.properties file.
Appendix B, Upgrading Entrust IdentityGuard Server on Linux, describes steps to upgrade to Entrust IdentityGuard from a previous installation of IdentityGuard 7.2 or 8.0.
Appendix C, Using the sample Web application, provides instructions for using the Any Bank sample Web application.
Appendix D, Uninstalling Entrust IdentityGuard Server, provides instructions for uninstalling Entrust IdentityGuard from your system.
Revision information
Table 1: Revisions in this document (Revision, Section, Description)

Document issue 3.0
Preparing for installation on page 19: Expands the chapter introduction to describe the various installation scenarios available to users.
Downloading Entrust IdentityGuard software on page 21: Adds steps for downloading and extracting the token patch file.
Installing the token support patch on page 30: Adds instructions for installing the patch that supports Entrust tokens.
Defining and deploying shared library settings on page 142: Changes the instructions (Step 11) to include adding Entrust tokens to the WebSphere shared library.
Configuring the Radius proxy for groups on page 175 and Configuring the Entrust IdentityGuard Radius proxy properties on page 282: Adds an explanation of how you can configure the Radius proxy to convert names with the form name@group or group\name to group/name, which is the form used by Entrust IdentityGuard.
Configuring external authentication on page 202: Describes a problem that can occur with the Kerberos protocol if LDAP user names are in mixed case.
Configuring token properties on page 295: Adds a section that explains new token-related properties added to the identityguard.properties file.

Document issue 2.0
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX on page 31: Adds a section on required preinstallation steps if using Linux Red Hat Enterprise 4.

Document issue 1.0
Preparing WebSphere for installation of Entrust IdentityGuard on page 100 and Deploying Entrust IdentityGuard services on WebSphere 6.0 application server on page 142: Adds instructions on installing Entrust IdentityGuard on an AIX server with IBM patch 108508 of WebSphere 6.0.
Configuring the Radius proxy for groups on page 175 and Configuring Entrust IdentityGuard for external authentication on page 202: Modifies instructions for configuring external authentication with a domain controller. This patch removed the identityguard.externalauth.kerberos.kdc property and replaced it with an igkrb5.conf file instead. For more information, see External authentication example on page 177.
Documentation conventions
Following are the documentation conventions that appear in this guide.

Table 2: Typographic conventions (Convention, Purpose, Example)

Bold text (other than headings). Purpose: indicates graphical user interface elements and wizards. Example: Click Next.
Italicized text. Purpose: used for book or document titles. Example: Entrust TruePass 7.0 Deployment Guide
Blue text. Purpose: used for hyperlinks to other sections in the document, and for Web links. Examples: Entrust TruePass supports the use of many types of digital ID. For more information, visit our Web site at www.entrust.com.
Installation paths, file names, Windows registry keys, commands, and text you must enter. Example: Use the entrust-configuration.xml file to change certain options for Verification Server.
Angle brackets. Purpose: indicate variables (text you must replace with your organization's correct values). Example: By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini.
Square brackets. Purpose: indicate optional parameters. Example: dsa passwd [-ldap]
Attention: Issues that, if ignored, may seriously affect performance, security, or the operation of your Entrust product.
Related documentation
Entrust IdentityGuard is supported by a complete documentation suite:
For instructions on installing and configuring Entrust IdentityGuard on UNIX and Microsoft Windows, see the Entrust IdentityGuard Installation Guide.
For instructions on administering Entrust IdentityGuard users and groups, see the Entrust IdentityGuard Administration Guide.
For information on deploying Entrust IdentityGuard, see the Entrust IdentityGuard Deployment Guide.
For information on configuring Entrust IdentityGuard to work with a supported LDAP repository (Microsoft Active Directory, Microsoft Active Directory Application Mode, Critical Path InJoin Directory, IBM Tivoli Directory, Novell eDirectory, or Sun ONE Directory), see the Entrust IdentityGuard Directory Configuration Guide.
For information on configuring Entrust IdentityGuard to work with a supported database (IBM DB2 Universal Database, Microsoft SQL Server, or Oracle Database), see the Entrust IdentityGuard Database Configuration Guide.
For information on Entrust IdentityGuard error messages, see the Entrust IdentityGuard Error Messages.
For information on new features, limitations and known issues in the latest release, see the Entrust IdentityGuard Release Notes.
For information on integrating the authentication and administration processes of your applications with Entrust IdentityGuard, see the Entrust IdentityGuard Programming Guide that applies to your development platform (either Java Platform or C#).
For Entrust IdentityGuard product information and a data sheet, go to http://www.entrust.com/strong-authentication/identityguard/index.htm
For information on identity theft protection seminars, go to http://www.entrust.com/events/identityguard.htm
Obtaining documentation
Entrust product documentation, white papers, technical notes, and a comprehensive Knowledge Base are available through Entrust TrustedCare Online. If you are registered for our support programs, you can use our Web-based Entrust TrustedCare Online support services at: https://www.entrust.com/trustedcare
Documentation feedback
You can rate and provide feedback about Entrust product documentation by completing the online feedback form. You can access this form by clicking the Feedback on guide link located in the footer of Entrust's PDF documents (see the bottom of this page), or by following this link: http://sottwebdev2.entrust.com/products/feedback/index.cfm
Feedback concerning documentation can also be directed to the Customer Support email address: support@entrust.com
Technical support
Entrust offers a variety of technical support programs to help you keep Entrust products up and running. To learn more about the full range of Entrust technical support services, visit our Web site at: http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support services. Entrust TrustedCare Online offers technical resources including Entrust product documentation, white papers and technical notes, and a comprehensive Knowledge Base at: https://www.entrust.com/trustedcare
If you contact Entrust Customer Support, please provide as much of the following information as possible:
Your contact information
Product name, version, and operating system information
Your deployment scenario
Description of the problem
Copy of log files containing error messages
Description of conditions under which the error occurred
Description of troubleshooting activities you have already performed
Telephone numbers
For support assistance by telephone, call one of the numbers below:
1-877-754-7878 in North America
1-613-270-3700 outside North America
Email address
The email address for Customer Support is: support@entrust.com
Professional Services
The Entrust team assists e-businesses around the world to deploy and maintain secure transactions and communications with their partners, customers, suppliers and employees. We offer a full range of professional services to deploy our e-business solutions successfully for wired and wireless networks, including planning and design, installation, system integration, deployment support, and custom software development. Whether you choose to operate your Entrust solution in-house or subscribe to hosted services, Entrust Professional Services will design and implement the right solution for your e-business needs. For more information about Entrust Professional Services please visit our Web site at: http://www.entrust.com
Attention: Complete the steps in this chapter before you install Entrust IdentityGuard Server.

This chapter contains the following sections:
Preinstallation overview on page 20
Preinstallation on page 21
Installation worksheet on page 25
Installing the token support patch on page 30
Preinstallation overview
The following flowchart outlines the high-level preinstallation steps you must complete before doing a full install of Entrust IdentityGuard Server, including an install on AIX.

Figure 1: Preinstallation overview (flowchart, shown here as text)
Download the Entrust IdentityGuard software
Create UNIX group and UNIX user (if you are installing on UNIX)
JDBC: Create database user and table spaces; install schema file; install JDBC driver; gather configuration data
VPN: Determine the group names to use, if applicable
Radius: Gather addresses and shared secrets for your VPN and Radius servers
External: Decide if you will use a domain controller or LDAP directory for primary authentication
Preinstallation
Complete the following procedures before you install Entrust IdentityGuard Server. Topics in this section:
Downloading Entrust IdentityGuard software on page 21
Preparing your repository on page 22
Preparing your VPN network on page 23

Note: Some versions of Solaris may not have ZIP. If required, download ZIP from Sun's Web site at http://www.sun.com/software/solaris/freeware. You will need ZIP for some procedures later in this document.

For a full install, download one of the following files (depending on the operating system you are using) by clicking the Download link:
IG_81_Linux.tar
IG_81_Solaris.tar
IG_81_Windows.zip
IG_81_WebLogic_WebSphere.tar
IG_81_WebSphere_AIX.tar
Save the .tar or .zip file to any directory on the computer you want to use to run Entrust IdentityGuard.
For the patch that adds support for Entrust tokens, download either IG_81_129366.zip (for Windows) or IG_81_129366.tar (for Linux or Solaris). If a newer patch is available, download it instead.
For a full install, extract the files to a temporary directory. To do so:
On UNIX, enter the command
tar -xvf IG_81_<your_version>.tar
where <your_version> is the file you have downloaded for your specific installation.
On Microsoft Windows, locate the IG_81_Windows.zip file and extract the files using a utility such as WinZip.
Extracting the file for a full install creates a subdirectory called IG_81 that contains all the Entrust IdentityGuard files and subdirectories.
For patch 129366 or a later patch, extract the files to the existing Entrust IdentityGuard 8.1 root directory.
If an error occurs, try the download again. If the problem persists, contact Entrust Customer Support.
To install patch 129366 or a later patch, skip to Installing the token support patch on page 30. For a full install (including an AIX install), continue with the preinstallation instructions in this chapter, and then follow the applicable installation instructions in later chapters.
If you are configuring Entrust IdentityGuard to add multifactor authentication to VPN connections, ensure that the following are already installed:
an external Radius server, installed using the instructions provided by the vendor, if you plan to use a Radius server for first-factor authentication (for details, see the Technical Integration Guide that applies to your VPN platform)
a VPN client and server, installed using the instructions provided by the vendor

Note: If you want to configure your VPN servers to recognize Entrust IdentityGuard groups, ensure that you create the groups (or at least know what you are going to name the groups) before installing and configuring the Entrust IdentityGuard Radius proxy. For more information, see Configuring the Radius proxy for groups on page 175.

The details of Radius use and implementation vary with the platform and provider. Entrust supports several authentication protocols with Radius for grid authentication:
Challenge Handshake Authentication Protocol (CHAP)
Microsoft Challenge Handshake Authentication Protocol versions 1 and 2 (MS-CHAP and MS-CHAPv2)
Password Authentication Protocol (PAP)
For token authentication, Entrust IdentityGuard supports only PAP. If you configure the Radius proxy to use external authentication, you must use PAP.
PAP supports the cell replacement properties in the card specification attributes (cardspec) and temporary PIN attributes (pinspec) of the Entrust IdentityGuard policies; however, CHAP and MS-CHAP do not. This means that, for example, user entries are treated as case-sensitive in CHAP.
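The reason PAP is the only protocol under which a proxy can apply cell replacement, case rules or external authentication is easiest to see in code. The following Python is an added example, not code from the Entrust guide: it implements the standard RFC 2865 User-Password hiding that PAP uses on the wire and the RFC 1994 CHAP response, then shows that a proxy holding the Radius shared secret can recover and normalize a PAP credential (here, compare a grid response case-insensitively), while for CHAP it can only verify the response against one exact expected value. All secrets, authenticators and attribute values are constructed sample data, and the dictionaries stand in for real Radius packets.

```python
"""PAP versus CHAP from the Radius proxy's point of view.

Added example, not code from the Entrust guide. Implements RFC 2865
User-Password hiding (PAP) and the RFC 1994 CHAP response so the
difference is visible: with PAP a proxy that holds the shared secret
can recover the cleartext and apply policy rules to it; with CHAP it
only ever sees a one-way hash. All values below are constructed.
"""
import hashlib

# Constructed sample values (not real deployment data).
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # 16-byte Request Authenticator
CHAP_CHALLENGE = b"\xa5" * 16               # 16-byte CHAP-Challenge


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR with a chained MD5 stream.
    MD5 is what the RFC mandates here; this is obfuscation, not encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block                      # each cipher block keys the next MD5
    return bytes(hidden)


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; any party holding the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(h ^ s for h, s in zip(block, stream))
        prev = block
    return bytes(clear).rstrip(b"\x00")   # strip the RFC NUL padding


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: one-way MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def pap_access_request(user: str, password: str) -> dict:
    """Constructed stand-in for the attributes of a PAP Access-Request."""
    return {"User-Name": user,
            "Authenticator": REQUEST_AUTHENTICATOR,
            "User-Password": pap_hide(password.encode(), SHARED_SECRET,
                                      REQUEST_AUTHENTICATOR)}


def chap_access_request(user: str, password: str, ident: int = 1) -> dict:
    """Constructed stand-in for the attributes of a CHAP Access-Request.
    CHAP-Password carries the identifier octet followed by the 16-byte response."""
    return {"User-Name": user,
            "CHAP-Challenge": CHAP_CHALLENGE,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password.encode(),
                                                            CHAP_CHALLENGE)}


def proxy_check_pap(request: dict, expected: str) -> bool:
    """The proxy recovers the cleartext, so it can apply a grid-style rule
    (here: case-insensitive comparison of the cells) before deciding."""
    clear = pap_unhide(request["User-Password"], SHARED_SECRET, request["Authenticator"])
    return clear.upper() == expected.encode().upper()


def proxy_check_chap(request: dict, expected: str) -> bool:
    """CHAP gives the proxy only a hash: it must recompute with the exact
    expected value, so it cannot ignore case or substitute cells."""
    ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    return chap_response(ident, expected.encode(), request["CHAP-Challenge"]) == response


if __name__ == "__main__":
    pap = pap_access_request("alice", "ab12")
    chap = chap_access_request("alice", "ab12")
    print("PAP, user typed ab12, policy expects AB12:", proxy_check_pap(pap, "AB12"))
    print("CHAP, user typed ab12, policy expects AB12:", proxy_check_chap(chap, "AB12"))
```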
Installation worksheet
For a full install, ensure you have the following information before installing Entrust IdentityGuard.

Attention: If you choose to record passwords on this worksheet, remember to always keep passwords secure. Store this worksheet in a secure place.

Table 3: Installation worksheet (Required information / Value)

Which type of install of Entrust IdentityGuard? Value: one of
  Entrust IdentityGuard Server with embedded Tomcat application server on UNIX
  Entrust IdentityGuard Server with embedded Tomcat application server on Microsoft Windows
  Entrust IdentityGuard Server with an existing application server on Solaris or AIX
Entrust IdentityGuard Server host name. Value:
UNIX user and group that owns Entrust IdentityGuard (embedded Tomcat application server on UNIX install only). Value: complete Creating the UNIX group and user on page 32 (for installation with embedded Tomcat). Group: Name: Password:
Application server user and group that owns the application server (for installations with an existing application server only). Value:
Entrust IdentityGuard installation directory. Value: the default is /opt/entrust on UNIX, or c:\Program Files\Entrust\IdentityGuard on Windows.
Radius proxy required? Value: yes or no. Complete Radius proxy information on page 28.
Location of server trust store (installs with existing application server only). Value:
Location of Java directory (installs with existing application server only). Value:
Database, Active Directory, or LDAP directory? Value: DB, AD, or LDAP. Complete Database information on page 27 or Directory information on page 27.
Entrust IdentityGuard Authentication Web service port number. Value: (8080)
Entrust IdentityGuard Administration Web service port number. Value: (8443)
Installation key. Value:
Activation key. Value:
Master1 password. Value:
Master2 password. Value:
Master3 password. Value:
Enable sample application? Value: yes or no. If yes, complete one of:
  Configuring the sample application on Microsoft Windows on page 87 if you are installing on Windows with the embedded Tomcat server
  Configuring the sample application on UNIX on page 51 if you are installing on UNIX with the embedded Tomcat server
  Configuring the sample application on an existing application server on page 121 if you are installing on an existing application server
Sample application administrator (1). Value: Name: Password:

1. If you are using a Directory as your repository, you need to create this user in the Directory prior to installation.

Table 4: Database information (Database required information / Value)

Database driver .jar files (ensure they are copied to the Entrust IdentityGuard computer). Value:
Database driver class name. Value:
Database URL. Value:
Database user. Value: Name: Password:
Schema name. Value:
For a list of applicable .jar files for your database, the JDBC class name, and related details, see the Entrust IdentityGuard Database Configuration Guide.

Table 5: Directory information (Directory required information / Value)

Using the LDAP or LDAPS protocol? Value: LDAP or LDAPS. If using LDAPS, copy the certificate to the Entrust IdentityGuard computer.
LDAP host name. Value:
LDAP port number. Value:
LDAP base DN. Value:
LDAP user DN. Value: DN: Password:
LDAP policy RDN. Value:
LDAP user ID attribute. Value:
For details related to your Directory type, see the Entrust IdentityGuard Directory Configuration Guide.

Table 6: Radius proxy information (Radius proxy required information / Value)

Radius proxy ports. Value:
VPN server information. Value: Label: Host name/IP address: Port: Shared secret:
Should VPN servers recognize Entrust IdentityGuard groups? Value: yes or no
Entrust IdentityGuard groups for VPN servers. Value:
Will the Radius proxy connect to a Radius server, domain controller or LDAP directory? Value:
If the Radius proxy will use a Radius server, what is the unique Radius server name? Value: Unique name: Host name/IP address: Port: Shared secret:
Will Entrust IdentityGuard use an LDAP directory or Windows domain controller for first-factor authentication? Value: yes or no. If yes, answer one of the next two questions.
For a Windows domain controller, what server will host the Kerberos realm and the Kerberos Key Distribution Center (KDC)? Value: Kerberos realm server: Kerberos KDC server:
For an LDAP directory, Entrust IdentityGuard must be configured to use an LDAP repository. Is that configuration complete? Value: yes or no
Examine the instructions in the Installation notes section of the readme.txt file included with the download. It includes instructions that may be specific to your system or environment. For example, these instructions include:
Deployment instructions for WebSphere and WebLogic.
Fixing performance problems that can occur with preproduced cards stored in a database repository.
Instructions on using Oracle Internet Directory as a repository.
The patch automatically sets properties in the identityguard.properties file related to tokens. To reset the property to use Entrust tokens, change the setting to this:

identityguard.token.impl=com.entrust.identityGuard.common.token.activIdentity.ActivIdentityTokenManager

Restart Entrust IdentityGuard for this setting to take effect. You can configure Entrust IdentityGuard to use Entrust tokens or Vasco tokens, but not both.
Chapter 2 Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
This chapter provides all the necessary steps to install Entrust IdentityGuard Server (with the Apache Tomcat application server embedded) on UNIX. Complete the instructions in this chapter to install, configure, initialize, and test a full install of the Entrust IdentityGuard Server. Once you complete the full installation, install the latest patch. To install the patch that supports Entrust tokens, see Installing the token support patch on page 30.

This chapter contains the following sections:
Creating the UNIX group and user on page 32
Installing Entrust IdentityGuard Server on page 33
Configuring the primary Entrust IdentityGuard Server on page 36
Initializing the primary Entrust IdentityGuard Server on page 47
Configuring the sample application on UNIX on page 51
Running the scripts manually on page 53
Testing your installation on page 58
Managing the Entrust IdentityGuard service on page 62
Note: On Solaris, use lowercase for creating groups and users. For example, use iggroup and iguser, instead of IGgroup and IGuser.
To create a new UNIX group and user
1 As root, create a new UNIX group. For example, IGgroup. On Linux and Solaris:
groupadd iggroup
2 As root, create a new UNIX user. For example, IGuser. The user is a member of IGgroup and has a password.
On Linux:
useradd -g iggroup -s /bin/bash -p password123 IGuser
On Solaris, if using c-shell:
useradd -g iggroup -s /usr/bin/csh iguser
passwd iguser
On Solaris, if using b-shell:
useradd -g iggroup -s /usr/bin/bsh iguser
passwd iguser
When you run passwd, enter your password at the prompt. For example, password123.
You have created a UNIX group and user.

Note: Ensure that the user and group that you create here have permissions to access the directory to which you extracted the IG_81_Linux.tar or the IG_81_Solaris.tar file.
Note: Before installing Entrust IdentityGuard, ensure that you have completed the tasks in Preparing for installation on page 19. If you are upgrading your version of Linux, you should do so before installing Entrust IdentityGuard 8.1.
Note: Replace the file name with the one you downloaded from the Red Hat Web site.
To install Entrust IdentityGuard 1 As root, change to the directory that you extracted the IG_81_Linux.tar or IG_81_Solaris.tar file to (<download_dir>/IG_81), and run install.sh by entering:
./install.sh
Note: Cancel out of the script at any time by pressing Ctrl + C. 2 Read through the license carefully, pressing Enter until you reach the end. The following message appears:
Do you agree to the above license terms? [yes or no]
Type yes and press Enter to accept the terms. Otherwise, if you do not agree with the license, type no and press Enter. The installation will cancel. Contact Entrust (Obtaining technical assistance on page 16). The following message appears:
Enter the UNIX user name that will own the installation:
Type the user name for the UNIX user you created in Step 2 of Creating the UNIX group and user on page 32 and press Enter. Note: You cannot specify root as the owner. The following message appears:
Enter the UNIX group name that will own the installation:
Enter the name for the UNIX group you created in Step 1 of Creating the UNIX group and user on page 32 and press Enter. The following message appears:
Enter the install directory (default /opt/entrust):
Press Enter to accept the default, or type in another directory location. Note: If you have a previous installation of Entrust IdentityGuard, the installation detects the older version and prompts you to upgrade. If you are installing an upgrade, see the section Upgrading Entrust IdentityGuard Server on Linux on page 299.
34
The Java Runtime license agreement appears. 7 8 Read through the license carefully, pressing Enter until you reach the end. You are asked to accept the Java Runtime license agreement.
Do you agree to the above license terms? [yes or no]
Type yes and press Enter to accept the terms. Otherwise, if you do not agree with the license, type no and press Enter. The installation will cancel. Contact Entrust (Obtaining technical assistance on page 16). The JRE, Java policy files, and the Application server are installed in the installation directory you entered in Step 6. The identityguard.zip file is automatically extracted into the directory $IDENTITYGUARD_HOME, where $IDENTITYGUARD_HOME is usually /opt/entrust/identityguard81. 9 The installation creates the Entrust IdentityGuard Radius service.
Creating igradius service... Do you want the Entrust IdentityGuard Radius proxy to start automatically when the host starts after reboot? [yes or no]
Note: If you want to configure your VPN servers to recognize Entrust IdentityGuard groups, you must first install Entrust IdentityGuard and define the groups. In this case, enter no. See Configuring the Entrust IdentityGuard Radius proxy on page 171 for further details.
10 When the initial install steps are complete, you are prompted to respond to the following message:
Installation complete. Do you want to configure the application now? [yes or no]
Answer yes and press Enter to start the configuration tasks. Proceed to Configuring the primary Entrust IdentityGuard Server on page 36. If you answer no, you must run the configure.sh script manually from the $IDENTITYGUARD_HOME/bin directory before you can use Entrust IdentityGuard. To do so, proceed to To run the primary Entrust IdentityGuard Server configuration manually on page 53.
Primary. If this is your first Entrust IdentityGuard Server installation, answer primary and continue on with the steps in this procedure.
Note: There can only be one primary server.
Replica. If you have already installed an Entrust IdentityGuard Server, and you want to install more instances, answer replica. To configure and initialize a replica server, proceed to Adding Entrust IdentityGuard replica servers on page 210.
2 You are asked to indicate whether the user information is stored in an Active Directory (AD), LDAP, or database (DB) repository.
What type of repository will you use to store Entrust IdentityGuard information?
AD - Microsoft(R) Active Directory or Microsoft Active Directory in Application Mode
LDAP - LDAP-compliant Directory
DB - Database
(AD, LDAP or DB):
If you are using an LDAP repository, proceed to To add LDAP directory information to Entrust IdentityGuard on page 37. If you are using an Active Directory or Active Directory Application Mode (ADAM) repository, proceed to To add Active Directory (or ADAM) information to Entrust IdentityGuard on page 39. If you are using a database repository, proceed to To add Database information to Entrust IdentityGuard on page 42.
Note: You can cancel the script at any time by pressing Ctrl + C.
Note: For more information on LDAP and Active Directory configuration, see the Entrust IdentityGuard Directory Configuration Guide.
To add LDAP directory information to Entrust IdentityGuard
1 Respond to the following prompt:
LDAP CONFIGURATION
Do you wish to use SSL to connect to the LDAP server? [yes or no]
Type yes and press Enter to add the SSL certificate. If you answer no, proceed to Step 3 on page 38.
Note: You can enable LDAPS after installation. For instructions, see Securing the LDAP connection with SSL on page 233.
2 If you answered yes, complete the following steps:
a The following message appears:
In order to verify the SSL connection to the LDAP server, Entrust IdentityGuard requires that the LDAP server's SSL certificate or the certificate of the CA that issued it be imported into its trust store. The Entrust IdentityGuard trust store already contains several public root CA certificates. If the server's certificate was not issued by a public root you must import the certificate. If Entrust IdentityGuard cannot trust the server's certificate, it will be unable to connect to the LDAP server causing operations including initialization to fail.
Do you wish to import the LDAP server's SSL certificate? [yes or no]
Answer yes and press Enter to import the certificate. For manual instructions on importing the certificate, see To import the LDAP SSL certificate on page 233. The following message appears:
Enter the filename of the certificate:
b Enter the path and file name of the LDAPS certificate. The installer displays the details of the certificate.
c If they are correct, respond with yes to the prompt that asks if you wish to trust the certificate.
<certificate information> Trust this certificate? [no]: yes
3 At the following prompt, enter the host name or IP address of the computer hosting the directory.
Enter the LDAP host (ex: identityguard.anycorp.com):
The default port for LDAPS is 636.
5 Enter the LDAP base DN (the DN under which all Entrust IdentityGuard entries are found).
Enter the LDAP base DN (ex: dc=anycorp,dc=com):
Note: See the Entrust IdentityGuard Directory Configuration Guide for more information on directory configuration. It includes information on setting the DN, RDN, and LDAP user name for several popular directories.
6 Enter the LDAP user DN information at the following prompts. The LDAP user DN and password define the credentials used by Entrust IdentityGuard to connect to the repository.
Enter the LDAP user DN (ex: cn=Directory Manager):
This is an existing LDAP password.
7 At the following prompt, enter the RDN of the entry that Entrust IdentityGuard should use to store its policy information.
The LDAP policy RDN defines the entry in the LDAP repository used to store Entrust IdentityGuard policy information. The entry must already exist. Enter the LDAP policy RDN (ex: uid=policy):
The RDN is the prefix that, when joined with the base DN, comprises the full DN of the policy object.
8 At the following prompt, enter the attribute that uniquely identifies Entrust IdentityGuard users.
The LDAP user name is the attribute that uniquely identifies Entrust IdentityGuard users. Entrust IdentityGuard uses this attribute to find entries in the repository. Enter the LDAP user name attribute (ex: uid):
Proceed to To complete the configuration script on page 43.
To add Active Directory (or ADAM) information to Entrust IdentityGuard
1 Respond to the following prompt:
MICROSOFT ACTIVE DIRECTORY CONFIGURATION
Do you wish to use SSL to connect to the Microsoft Active Directory server? [yes or no]
Type yes and press Enter to add the SSL certificate. If you answer no, proceed to Step 3 on page 40.
2 If you answered yes, complete the following steps:
a The following message appears:
In order to verify the SSL connection to the Microsoft Active Directory server, Entrust IdentityGuard requires that the Microsoft Active Directory server's SSL certificate or the certificate of the CA that issued it be imported into its trust store. The Entrust IdentityGuard trust store already contains several public root CA certificates. If the server's certificate was not issued by a public root you must import the certificate. If Entrust IdentityGuard cannot trust the server's certificate, it will be unable to connect to the Microsoft Active Directory server causing operations including initialization to fail.
Do you wish to import the Microsoft Active Directory server's SSL certificate? [yes or no]
Answer yes and press Enter to import the certificate. The following message appears:
Enter the filename of the certificate:
b Enter the path and file name of the Active Directory certificate. The installer displays the details of the certificate.
c If they are correct, respond with yes to the prompt that asks if you wish to trust the certificate.
<certificate information> Trust this certificate? [no]: yes
3 At the following prompt, enter the host name or IP address of the computer hosting the directory.
Enter the Microsoft Active Directory host (ex: identityguard.anycorp.com):
5 Enter the Active Directory base DN (the DN under which all Entrust IdentityGuard entries are found).
Enter the Microsoft Active Directory base DN (ex: dc=anycorp,dc=com):
Note: Entrust IdentityGuard configuration automatically converts spaces in the Active Directory base DN to %20. If you edit the Active Directory base DN after installation in the identityguard.properties file, remember to replace spaces with %20.
6 Enter the Active Directory user DN information at the following prompts. The Active Directory user DN and password define the credentials used by Entrust IdentityGuard to connect to the repository.
Enter the Microsoft Active Directory user DN (ex: cn=Administrator,cn=Users,dc=anycorp,dc=com):
This is an existing Active Directory password.
7 At the following prompt, enter the RDN of the entry that Entrust IdentityGuard should use to store its policy information.
The policy RDN defines the entry in the Microsoft Active Directory repository used to store Entrust IdentityGuard policy information. The entry must already exist. Enter the Microsoft Active Directory policy RDN (ex: cn=igpolicy,cn=Users):
The RDN is the prefix that, when joined with the base DN, comprises the full DN of the policy object.
8 At the following prompt, enter the attribute that uniquely identifies Entrust IdentityGuard users.
The Microsoft Active Directory user name is the attribute that identifies Entrust IdentityGuard users. Entrust IdentityGuard uses this attribute to find entries in the repository. Enter the Microsoft Active Directory user name attribute (ex: sAMAccountName):
Note: Use sAMAccountName for Active Directory. Use CN (common name) or uid for ADAM. See the Entrust IdentityGuard Directory Configuration Guide for more information on Active Directory and Active Directory Application Mode configuration.
Type the database you are using and press Enter. The following message appears:
Enter the JDBC driver JAR file name:
Enter the path of the JDBC driver file (for example, /temp/ojdbc14.jar). Ensure the file permissions on this file allow the Entrust IdentityGuard user (Creating the UNIX group and user on page 32) to read and execute it.
Note: Some databases require multiple .jar files. You can add other files in a later step.
At the following prompt, enter the JDBC driver class that Entrust IdentityGuard should use (for example, oracle.jdbc.driver.OracleDriver).
Enter the JDBC driver class name:
If your database requires multiple JDBC driver files, type yes and press Enter. You are prompted to enter more file names. If your database only requires one file, type no and press Enter to continue. The following message appears:
Enter the DB URL:
5 Type the database URL Entrust IdentityGuard requires to connect to the database server and press Enter.
6 Provide Entrust IdentityGuard with the database administrator information. This database administrator was created to own the Entrust IdentityGuard database and schema.
a At the following prompt, type the database administrator user name:
Enter the DB user name:
b At the following prompts, type and confirm the database administrator password:
Enter the DB password:
Confirm:
Type the schema name for your database. In some databases (for example, Oracle), the schema is automatically named with the user name associated with it. For these databases, type the database administrator user name.
a Enter the Authentication Service HTTP port number (default is 8080):
b Enter the Authentication Service HTTPS port number (default is 8443):
The Entrust IdentityGuard Authentication service and the Entrust IdentityGuard sample application are deployed at both the HTTP and HTTPS ports.
Enter the Administration Service HTTPS port number (default is 8444):
This is the port that administration applications use to connect to the Administration service when using SSL (HTTPS). This port is only used for remote administration of Entrust IdentityGuard. A self-signed SSL certificate and private key are created to protect the HTTPS connections to the Authentication service and Administration service. This certificate includes the host name of the Entrust IdentityGuard Server in its distinguished name (DN) and uses the RSA-1024 algorithm. Optionally, you can replace this certificate after configuration. See the section Changing the Entrust IdentityGuard certificate on page 235 for instructions.
Note: Ensure the host name that you use in the service URLs matches the host name in the SSL certificate.
2 You are prompted to confirm the host name used in the service URLs and the SSL certificate:
Entrust IdentityGuard will create a self-signed certificate for SSL communication. The hostname to be used in the service URLs and the SSL certificate is <hostname>. Do you want to use this hostname? [yes or no]
Enter yes to use this host name or enter no to choose another host name.
a You are prompted to set the lifetime of the self-signed certificate:
Enter the lifetime in days of the certificate (default is 365):
Enter a new value, or leave it blank and press Enter to accept the default value of 365 days. The location of the certificate appears after you press Enter. Entrust IdentityGuard automatically exports a copy of the self-signed certificate to a file. The name and location of the file appears after you press Enter. Within the keystore, the self-signed certificate and private key are stored under the alias tomcat.
4 You are prompted to configure Entrust IdentityGuard logs:
LOG CONFIGURATION
a If you answer file, Entrust IdentityGuard displays the location of the files and configuration is complete.
b If you answer syslog, logs are logged to Syslog. Entrust IdentityGuard prompts you for the host name.
Enter the syslog host name (default is localhost):
Ensure that Syslog on this host is configured to accept Entrust IdentityGuard logs. For more information, see the section Configuring Syslog for remote logging on UNIX on page 226. The following message appears:
Do you want to configure the Entrust IdentityGuard Radius Proxy? [yes or no]
Do one of the following:
If you plan to use a Radius server for first-factor authentication and are not using VPN groups, enter yes. Proceed to Step 4 in To configure the Radius proxy on UNIX on page 180.
If you plan to use a Radius server for first-factor authentication and you want to configure your VPN servers to recognize Entrust IdentityGuard groups, you need to first complete the configuration and initialization of Entrust IdentityGuard and define the groups. In this case, enter no.
If you plan to use a Windows domain controller or LDAP directory for first-factor authentication, enter yes. Follow the instructions under Using Entrust IdentityGuard groups with a VPN server on page 175.
Otherwise, enter no.
When you finish the configuration procedure, respond to the following message:
Configuration complete. Do you wish to initialize the primary system? [yes or no]
Enter yes and press Enter to start the initialization tasks. Proceed to Initializing the primary Entrust IdentityGuard Server on page 47. If you enter no, you must run the init command in the supersh command shell from the $IDENTITYGUARD_HOME/bin directory before you can use Entrust IdentityGuard. Proceed to To initialize the primary Entrust IdentityGuard Server manually on page 53.
The contents of the master keys file can be unlocked by a master user. The contents of the key protection file provide access to the master user passwords. This access can then be used to unlock the master keys file.
If initialization fails
The most likely causes of an initialization failure are:
The Entrust IdentityGuard properties file contains invalid values. To resolve this, go to $IDENTITYGUARD_HOME/etc/identityguard.properties and edit the file.
Your repository is not configured correctly to work with Entrust IdentityGuard.
The repository is not running.
For more information on Entrust IdentityGuard error messages, see Entrust IdentityGuard Error Messages included with your documentation package.
Attention: If you are using an LDAP repository, and you run init -overwrite, you must first manually remove the fpcr folder located at $IDENTITYGUARD_HOME/etc/fpcr/ and the ftkr folder located at $IDENTITYGUARD_HOME/etc/ftkr.
Attention: If you reinitialize an Entrust IdentityGuard system by running init -overwrite, you must first replace any encrypted values in the identityguard.properties file with cleartext values because Entrust IdentityGuard cannot decrypt the old values once the reinitialization is performed. See the section Editing property values on page 257.
When you answer y, the command init -overwrite runs automatically. The init command:
generates a new master key and stores it in the master keys file
generates the key protection file
initializes default policy settings
If you answer n, or if initialization fails, you must run the init command in the master user shell (supersh) at a later time. For steps for initializing manually, see the section To initialize the primary Entrust IdentityGuard Server manually on page 53.
Note: Cancel out of the script at any time by pressing Ctrl + C.
The following messages appear:
Enter install key:
Enter activation key:
Enter the installation key and the activation key you received from Entrust. Once the activation key is validated, master keys are then generated.
Attention: The two master keys files are created in $IDENTITYGUARD_HOME/etc. After initialization, back up masterkeys.enc. If this file is lost, the system cannot be recovered. See the system restore procedure in Restoring Entrust IdentityGuard from a backup on page 250. Do not back up the key protection file (masterkeys.kpf). The masterkeys.kpf file is unique to each server.
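As an added example (not part of the Entrust guide), the shell functions below back up masterkeys.enc from $IDENTITYGUARD_HOME/etc with owner-only permissions, leave the server-specific masterkeys.kpf out of the backup as the guide requires, and verify the copy. The backup directory layout and the fixture files used to exercise it offline are assumptions.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): back up masterkeys.enc after
# initialization and verify the copy. masterkeys.kpf is deliberately never
# copied, because the guide says it is unique to each server and must not be
# backed up. The backup directory name is whatever the caller chooses.

# ig_backup_masterkeys <IDENTITYGUARD_HOME> <backup_dir>
# Copies etc/masterkeys.enc into <backup_dir> with restrictive permissions.
# Returns 1 if the source file is missing (init has not run), otherwise
# returns 0 only when the copy matches the original byte for byte.
ig_backup_masterkeys() {
    ig_home=$1
    dest=$2
    src="$ig_home/etc/masterkeys.enc"
    if [ ! -f "$src" ]; then
        echo "masterkeys.enc not found under $ig_home/etc; was init run?" >&2
        return 1
    fi
    mkdir -p "$dest"
    # Only the owner may enter the backup directory: it holds the master keys.
    chmod 700 "$dest"
    # Remove any earlier read-only copy so a repeated backup can overwrite it.
    rm -f "$dest/masterkeys.enc"
    cp "$src" "$dest/masterkeys.enc"
    chmod 400 "$dest/masterkeys.enc"
    cmp -s "$src" "$dest/masterkeys.enc"
}

# ig_backup_has_kpf <backup_dir>
# Returns 0 if the backup wrongly contains masterkeys.kpf; a restore-readiness
# audit should treat that as a finding.
ig_backup_has_kpf() {
    [ -e "$1/masterkeys.kpf" ]
}

# Build a throwaway IDENTITYGUARD_HOME with constructed (non-real) key files so
# the functions above can be exercised offline. Prints the directory path.
ig_make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'constructed-masterkeys-enc\n' > "$d/etc/masterkeys.enc"
    printf 'constructed-masterkeys-kpf\n' > "$d/etc/masterkeys.kpf"
    printf '%s\n' "$d"
}
```

On a real server, run it as the UNIX user that owns the installation: ig_backup_masterkeys "$IDENTITYGUARD_HOME" /path/to/backup.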
Type the three master user passwords for the user names Master1, Master2, and Master3. The passwords must meet the following criteria:
be over eight characters in length
contain upper and lowercase characters
contain a numerical value
When you have finished creating passwords, the following message appears:
System initialized. Do you wish to setup the sample application [yes or no]
Enter yes to configure the sample application. Proceed to Configuring the sample application on UNIX on page 51. If you enter no, you can optionally configure the sample application later. Proceed to Testing your installation on page 58.
If you are configuring the sample application manually, see To enable the sample application manually on page 52.
To configure the sample application
2 You are prompted to enter the user name for the sample administrator:
Enter adminid for sample administrator:
3 The password must meet the following criteria:
be over eight characters in length
contain upper and lowercase characters
contain a numerical value
Log in as a master user to complete the setup. You are prompted for a master user name and password:
Userid:
Password:
4 When you are finished setting up the sample, the following message appears:
Setup of Entrust IdentityGuard sample successful.
5 If you answer yes, the sample is enabled. If you answer no, the sample is disabled. You can manually enable the sample later.
6 Once you have enabled the sample application, it is running and you can use it. Proceed to Using the sample Web application on page 305 to start Entrust IdentityGuard and test your installation.
To enable the sample application manually
1 From $IDENTITYGUARD_HOME, enter
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Run the configure.sh script. If you have previously configured Entrust IdentityGuard, the following message appears:
An identityguard.properties file exists. If you continue, this file will be overwritten. Do you want to continue? [yes or no]
Type yes and continue from Step 1 of the To start the Entrust IdentityGuard configuration on page 36.
To initialize the primary Entrust IdentityGuard Server manually
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 34.
2 Change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
3 From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.) 4 Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
Note: You can view copyright and version information at any time by entering version at the command prompt.
5 Enter
init <optionalvalues>
where <optionalvalues> are listed in the table below:
Values / Description
-sernum: To start card serial numbers at a specific number, enter:
init -sernum <num>
where <num> is a positive integer. Defaults to 1 if not specified. Use this option if you are adding additional cards to your system. For example, if you have previously loaded 350 cards, enter:
init -sernum 351
-overwrite: If the system was initialized previously, this command overwrites the existing data. You are prompted to confirm that you want existing data to be overwritten.
Attention: If you are using an LDAP repository, and you run init -overwrite, you must first manually remove the fpcr folder located at $IDENTITYGUARD_HOME/etc/fpcr/.
Attention: If you reinitialize an Entrust IdentityGuard system by running init -overwrite, you must first replace any encrypted values in the identityguard.properties file with cleartext values because Entrust IdentityGuard cannot decrypt the old values once the reinitialization is performed. See the section Editing property values on page 257.
-force: If you use the -force option, you are not prompted for confirmation.
6 Complete Step 2 and Step 3 on page 49.
7 Type exit to leave the command shell.
8 Check the log files for errors. If you chose to log to files when you installed Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs.
Document issue: 3.0
Feedback on guide
To configure the sample application
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 34.
2 Change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
3 From $IDENTITYGUARD_HOME, source the environment settings file by entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Run the configsample.sh script.
5 You are prompted to enter the user name for the sample administrator:
Enter adminid for sample administrator:
The password must meet the following criteria:
be over eight characters in length
contain upper and lowercase characters
contain a numerical value
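The following added example (not from the Entrust guide) checks a candidate password against the criteria listed here before you type it at the prompt; the same criteria apply to the sample administrator password in the interactive procedure and to the three master user passwords (Master1, Master2, Master3) set during initialization. It reads "over eight characters" as nine or more, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): validate a master user or sample
# administrator password against the criteria the guide lists. "Over eight
# characters" is taken to mean nine or more (assumption).

# ig_check_password <password>
# Returns 0 when the password is longer than eight characters and contains
# upper-case, lower-case and numeric characters; otherwise prints the unmet
# criteria to stderr and returns 1.
ig_check_password() {
    pw=$1
    problems=""
    [ "${#pw}" -gt 8 ] || problems="$problems length"
    # POSIX character classes avoid locale-dependent ranges such as [A-Z].
    printf '%s' "$pw" | grep -q '[[:upper:]]' || problems="$problems uppercase"
    printf '%s' "$pw" | grep -q '[[:lower:]]' || problems="$problems lowercase"
    printf '%s' "$pw" | grep -q '[[:digit:]]' || problems="$problems digit"
    if [ -n "$problems" ]; then
        echo "password does not meet:$problems" >&2
        return 1
    fi
    return 0
}
```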
7 Log in as a master user to complete the setup. You are prompted for a master user name and password:
Userid:
Password:
When you are finished setting up the sample, the following message appears:
Setup of Entrust IdentityGuard sample successful.
If you answer yes, the sample is enabled. If you answer no, the sample is disabled. You can manually enable the sample later. Once you have enabled the sample application, it is running and you can use it.
To make changes to the sample Web application configuration
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 34.
2 Change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
3 From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.) 4 Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
5 Log in as a master user. For example,
Master1
6 If you have previously configured the sample, delete each of the following individually:
sample administrator
sample group
sample role
sample policy
To do so:
a Run the delete command for each. For example,
admin delete sample/SampleAdmin1
Note: Use the list command to list sample administrators, groups, roles, and policies, so that you can see which ones to delete. For example, use admin list to list all the sample administrators that have already been created. Use group list to list the sample groups that exist, and so on.
b Answer yes to confirm the delete.
Are you sure you wish to delete the admin? (y/n) [n]:
7 Type exit to exit the master user shell and return to the command-line.
8 Enter the following command to start configuring the sample:
configsample.sh
You are warned that the igsample.properties file already exists. For example:
/opt/entrust/identityguard81/etc/igsample.properties file already exists. Do you wish to continue? [yes or no]
9 Answer yes.
The following is an example of the status report when all services are running:
Entrust IdentityGuard (pid 1247) is running...
Authentication V1 service at http://<hostname>:8080/IdentityGuardAuthService/services/AuthenticationService is available.
Authentication V2 service at http://<hostname>:8080/IdentityGuardAuthService/services/AuthenticationServiceV2 is available.
Sample application is enabled.
Sample application at https://<hostname>:8444/IdentityGuardSampleApp is available.
Administration V1 service at https://<hostname>:8444/IdentityGuardAdminService/services/AdminService is available.
Administration V2 service at https://<hostname>:8444/IdentityGuardAdminService/services/AdminServiceV2 is available.
Administration interface at https://<hostname>:8444/IdentityGuardAdmin is available.
Entrust IdentityGuard Radius (pid 1275) is running...
The following is an example of the output when there are no services running (only the sample application is enabled):
Entrust IdentityGuard (pid 13267) is not running...
Sample application is enabled.
Entrust IdentityGuard Radius (pid 1275) is not running...
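As an added example (not part of the Entrust guide), the shell functions below parse a status report in the format shown above and fail when any process is stopped or any service is unavailable, which is the check a monitoring job would run after a restart. The host name igserver.example.com and the pids in the two constructed samples are placeholders.

```shell
#!/bin/sh
# Added example (not from the Entrust guide): a health check over the report
# printed by "identityguard.sh status". Feed it live output with
#   identityguard.sh status | ig_status_check
# The two samples below are constructed to match the report format in the
# guide; the host name and pids are placeholders.

IG_SAMPLE_HEALTHY='Entrust IdentityGuard (pid 1247) is running...
Authentication V1 service at http://igserver.example.com:8080/IdentityGuardAuthService/services/AuthenticationService is available.
Authentication V2 service at http://igserver.example.com:8080/IdentityGuardAuthService/services/AuthenticationServiceV2 is available.
Sample application is enabled.
Sample application at https://igserver.example.com:8444/IdentityGuardSampleApp is available.
Administration V1 service at https://igserver.example.com:8444/IdentityGuardAdminService/services/AdminService is available.
Administration V2 service at https://igserver.example.com:8444/IdentityGuardAdminService/services/AdminServiceV2 is available.
Administration interface at https://igserver.example.com:8444/IdentityGuardAdmin is available.
Entrust IdentityGuard Radius (pid 1275) is running...'

IG_SAMPLE_DOWN='Entrust IdentityGuard (pid 13267) is not running...
Sample application is enabled.
Entrust IdentityGuard Radius (pid 1275) is not running...'

# Read a status report on stdin. Print every line that reports a stopped
# process ("is not running") or an unavailable service ("is not available")
# and return 1; return 0 when no line does.
ig_status_check() {
    failures=$(grep -E 'is not (running|available)' || true)
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures"
        return 1
    fi
    return 0
}

# Read a status report on stdin and print how many service URLs it reports
# as available (6 for a fully running server with the sample app enabled).
ig_count_available() {
    grep -c 'is available\.' || true
}
```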
Ensure that you can log in to the Administration webservice.
a Create an administrator account or use the sample administrator account, if you have configured the sample application. For information on creating an administrator, see the Entrust IdentityGuard Administration Guide.
b Open a browser and enter the following URL:
https://<FQDN>:<port>/IdentityGuardAdmin
where:
<FQDN> is the Entrust IdentityGuard host name.
<port> is the Administration webservice port (default 8444).
Note: If you cannot access the Entrust IdentityGuard services (administration or authentication), verify that firewall rules are not blocking the HTTPS ports (by default 8443 and 8444).
At the login page, enter the administrator user name and password. Optionally, enter the group name, if the user does not belong to the default group.
You are prompted to change the administrator password. (There will be no prompt if you are using an account that has already logged in, such as the sample account created earlier in To configure the sample application on page 51.) Follow the rules on the screen to change the administrator password.
Optionally, test the sample application. To do so, follow the steps in Using the sample Web application on page 305.
You have completed testing of the Entrust IdentityGuard installation. You can now:
complete various advanced configuration tasks (Postinstall configuration options for Entrust IdentityGuard Server on page 201 and Configuring the Entrust IdentityGuard Server properties file on page 255) such as adding replica Entrust IdentityGuard Servers to your system
set up Entrust IdentityGuard by adding policies, groups, users, authentication methods, and so on (see the Entrust IdentityGuard Administration Guide)
To start and stop Entrust IdentityGuard using identityguard.sh
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 34.
2 From $IDENTITYGUARD_HOME, enter
. ./env_settings.sh
3 To start, stop, restart, or query the status of the Entrust IdentityGuard service, enter
identityguard.sh
Table 8: Starting and stopping Entrust IdentityGuard
Command / Description
start: Starts the Entrust IdentityGuard service. You can also start the Entrust IdentityGuard service by entering igstartup.sh. Entrust IdentityGuard generates audits that indicate if the services have started successfully or failed to start. You will not see an error message if the service fails to start.
stop: Stops the Entrust IdentityGuard service. You can also stop the Entrust IdentityGuard service by entering igservice.sh identityguard stop
status: Tells you if the Entrust IdentityGuard service is running. If the service is running, the process ID number appears.
restart: Stops and restarts the Entrust IdentityGuard service. When you change some settings in the identityguard.properties file, you must restart the service so that the server recognizes the new settings.
Note: Once IdentityGuard is installed, the service is started automatically when you reboot.
Starting and stopping Entrust IdentityGuard with the UNIX service command
You can also start and stop the Entrust IdentityGuard services using the UNIX service command. If these commands are run as root, they start the service as the UNIX user ID that installed Entrust IdentityGuard.
To start and stop Entrust IdentityGuard with the Linux service command
1 To start, stop, restart, or query the status of the Entrust IdentityGuard service, enter
service identityguard
Table 9: Linux service command
Command / Description
start: Starts the Entrust IdentityGuard service. IdentityGuard generates audits that indicate if the services have started successfully or failed to start. You will not see an error message if the service fails to start.
stop: Stops the Entrust IdentityGuard service.
status: Tells you if the Entrust IdentityGuard service is running. If the service is running, the process ID number appears.
restart: Stops and restarts the Entrust IdentityGuard service. Changes to some settings in identityguard.properties require a restart so that the server recognizes the new settings.
To disable the Entrust IdentityGuard manually using identityguard.sh
1 From $IDENTITYGUARD_HOME, enter
. ./env_settings.sh
You can also use the Entrust IdentityGuard igsvcconfig.sh command to enable or disable Entrust IdentityGuard.
To enable Entrust IdentityGuard manually using igsvcconfig.sh
As root in $IDENTITYGUARD_HOME/bin enter
./igsvcconfig.sh identityguard enable
Chapter 3 Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
This chapter provides all the necessary steps to install Entrust IdentityGuard Server (with Apache Tomcat application server embedded) on Microsoft Windows. Complete the instructions in this chapter to unzip and run the Entrust IdentityGuard Installation wizard. Once you complete the full installation, install the latest patch. To install the patch that supports Entrust tokens, see Installing the token support patch on page 30.
This chapter contains the following information:
Installing Entrust IdentityGuard Server on page 68
Configuring the primary Entrust IdentityGuard Server on page 70
Initializing the primary Entrust IdentityGuard Server on page 83
Configuring the sample application on Microsoft Windows on page 87
Testing your installation on page 89
Managing the Entrust IdentityGuard service on page 94
Note: Before installing Entrust IdentityGuard, ensure that you have completed the tasks in Preparing for installation on page 19. Also, exit all Windows programs before running the Entrust IdentityGuard Installation wizard to prevent any conflicts in resources.
To install Entrust IdentityGuard Server
1 Change to the directory in which you extracted the Entrust IdentityGuard Server for Windows installation package.
2 Double-click the IG_81_Windows.msi installer. The Entrust IdentityGuard Installation wizard opens.
3 Click Next on the Entrust IdentityGuard Installation wizard Welcome page to begin installation.
Note: If you are not prepared to install, click Cancel at any time to exit. Click Back to re-enter previous information.
4 Read the license agreement for Entrust IdentityGuard software carefully, select I accept the license agreement, and then click Next. If you do not agree with the license, select I do not accept the license agreement. The installation cannot continue. Contact Entrust (Obtaining technical assistance on page 16).
5 Read the license agreement for Sun Microsystems, Inc. carefully, select I accept the license agreement, and then click Next. If you do not agree with the license, select I do not accept the license agreement. The installation cannot continue. Contact Entrust (Obtaining technical assistance on page 16).
6 Click Next to accept the default destination folder for the Entrust IdentityGuard installation (C:\Program Files\Entrust\IdentityGuard\). Alternatively, click Browse to select your own destination location and then click Next to accept it.
7 Click Next to install Entrust IdentityGuard.
8 Click Finish to exit the installation. The Entrust IdentityGuard Configuration Panel appears. Proceed to Configuring the primary Entrust IdentityGuard Server on page 70.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
To start the Entrust IdentityGuard Configuration wizard
1 Launch the Entrust IdentityGuard Configuration Panel, if it is not open. Open the Configuration Panel by clicking Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2 From the Entrust IdentityGuard Configuration Panel, select Primary as your system type.
Attention: You can only have one primary Entrust IdentityGuard Server. If you are configuring another Entrust IdentityGuard Server as a replica, see Adding Entrust IdentityGuard replica servers on page 210.
3 Select Configure Entrust IdentityGuard to start the Entrust IdentityGuard Configuration wizard. The Entrust IdentityGuard Configuration wizard Welcome page appears.
Note: Click Back if you need to re-enter information on a previous page. No information will be lost. You may click Cancel or close the Entrust IdentityGuard Configuration wizard window at any time to exit the configuration process; however, all configurations will be lost.
To select your repository settings
1 On the Repository Settings page, select the repository. There are three choices:
Microsoft Active Directory. Proceed to To use Active Directory as your repository on page 73 for the configuration procedure. See the Entrust IdentityGuard Directory Configuration Guide before you begin this process. It contains detailed information on the DN, RDN, and user attribute.
LDAP. Proceed to To use an LDAP directory as your repository on page 75 for the configuration procedure. See the Entrust IdentityGuard Directory Configuration Guide before you begin this process.
Database. Proceed to To use a database as your repository on page 77 for the configuration procedure. See the Entrust IdentityGuard Database Configuration Guide before you begin this process.
2 Click Next.
To use Active Directory as your repository
1 Under Microsoft Active Directory Server SSL Configuration, select Yes or No depending on whether you want to secure Entrust IdentityGuard's communications with your Active Directory server by using SSL.
If you select Yes, click Browse to import your SSL certificate and then click Next. Entrust IdentityGuard verifies your SSL connection to the Active Directory server by adding your imported certificate to its trust store. If the certificate cannot be trusted, Entrust IdentityGuard cannot connect to the directory.
If you select No, click Next.
2 a Enter the following information into the respective fields:
Microsoft Active Directory host name
Microsoft Active Directory server port
Microsoft Active Directory user DN
Microsoft Active Directory password
Confirm password
Once you enter this information, click Test Connection. Entrust IdentityGuard performs a query and informs you if there is a successful connection to the repository.
Note: If the connection attempt fails, you can still proceed to the next step in the configuration process by clicking Next. However, all fields must be filled and passwords must match.
b Click Next to perform the host name validation check. If the host name cannot be validated, a warning message gives you the option to proceed with the configuration or enter the server connection information.
3 a Enter the following information into the respective fields:
Microsoft Active Directory base DN
Policy RDN
Microsoft Active Directory userid attribute
See the Entrust IdentityGuard Directory Configuration Guide for detailed information on the DN, RDN, and user attribute.
b Click Next.
4 Proceed to Selecting Entrust IdentityGuard service ports on page 79 to continue your Entrust IdentityGuard configuration.
To use an LDAP directory as your repository
1 Under LDAP Server SSL Configuration, select Yes or No depending on whether you want to secure Entrust IdentityGuard's communications with your LDAP server by using SSL.
If you select Yes, click Browse to import your SSL certificate and then click Next. Entrust IdentityGuard verifies your SSL connection to the LDAP server by adding your imported certificate to its trust store. If you select Yes when you browse for and select a certificate, a warning message displays the certificate details and prompts you to proceed.
Note: If the certificate cannot be trusted, Entrust IdentityGuard cannot connect to the server.
If you select No, click Next.
2 Under LDAP Server Connection Information (see the Entrust IdentityGuard Directory Configuration Guide for more information), do the following:
a Enter the following information into the respective fields:
LDAP server host name
LDAP server port (SSL default 636, non-SSL default 389)
LDAP user DN
LDAP password
Confirm password
Once you enter this information, click Test Connection. Entrust IdentityGuard performs a query and informs you if there is a successful connection to the repository.
Note: If the connection attempt fails, you can still proceed to the next step in the configuration process by clicking Next. However, all fields must be filled and passwords must match.
b Click Next to perform the host name validation check. If the host name cannot be validated, a warning message gives you the option to proceed with the configuration or enter the server connection information.
3 a Enter the following information into the respective fields:
LDAP base DN
Policy RDN
LDAP userid attribute
See the Entrust IdentityGuard Directory Configuration Guide for detailed information on the DN, RDN, and user attribute.
b Click Next.
4 Proceed to Selecting Entrust IdentityGuard service ports on page 79 to continue your Entrust IdentityGuard configuration.
To use a database as your repository
1 Under Database Settings, select your database from the drop-down list.
Note: Use Other only if you are instructed to do so by Entrust Support.
2 Under JDBC Driver Information:
a Click Browse to import your JDBC driver .jar file.
b Enter your JDBC driver class name.
c Click Add to include any additional JDBC .jar files (optional). Alternatively, to remove any additional JDBC .jar files that you have added, highlight the .jar file in the Additional JDBC JAR files list, and click Remove. If your JDBC driver does not require additional .jar files, leave this field blank.
3 Click Next.
4 Under Database Connection Information:
a Enter the following information into the respective fields:
Database URL in driver-specific format. See the vendor-specific driver documentation for additional details on URL format.
Database user name
Database password
Confirm database password
Database schema name
Once you enter this information, click Test Connection. Entrust IdentityGuard performs a query and informs you if there is a successful connection to the database.
Note: If the connection test fails, you may still proceed to the next step in the configuration process by clicking Next; however, all fields on this page must be filled and passwords must match.
b Click Next.
5 Proceed to Selecting Entrust IdentityGuard service ports on page 79 to continue your Entrust IdentityGuard configuration.
Note: Ensure the ports for each Entrust IdentityGuard service are unique for that computer.
To select Entrust IdentityGuard service ports
1 Under Authentication Service, enter a port number:
in the Authentication Service HTTP port number field (default 8080)
in the Authentication Service HTTPS port number field (default 8443)
Note: You can always disable the HTTP port later to enhance security. See Disabling the non-SSL port on the Authentication service on page 228.
2 Under Administration Service, enter a port number in the Administration service HTTPS port number field (default 8444).
3 Click Next.
4 Proceed to Selecting your system host name on page 81.
To select your system host name
1 From the System host name page:
a Validate the system host name in the Enter the host name to be used in the self-signed certificate and service URLs field. The self-signed certificate secures outside communication with Entrust IdentityGuard's services using HTTPS.
b Validate the certificate lifetime in the Self-signed SSL certificate lifetime (in days) field. Optionally, change the lifetime value. Default is 365.
Note: Optionally, you can choose to reconfigure the LDAP repository connection later. For instructions, see To import the LDAP SSL certificate on page 233.
2 Click Next.
To complete Entrust IdentityGuard Server configuration
1 On the Configuration Summary page, click Confirm and Save if all the information in the summary list is complete and correct.
Note: If you choose to cancel, all information will be lost.
Note: If the system has already been initialized, when you click Initialize Entrust IdentityGuard a warning message explains the consequences of reinitializing an existing system.
2 Click Finish to complete the configuration process. You can now initialize the server. Go to Initializing the primary Entrust IdentityGuard Server on page 83.
The contents of the master keys file can be unlocked by a master user. The contents of the key protection file provide access to the master user passwords. This access can then be used to unlock the master keys file.
If initialization fails
Review the system.log file to identify the cause of failure. The log file is in <IG_Install_Dir>\identityguard81\logs\system.log. By default, <IG_Install_Dir> is C:\Program Files\Entrust\IdentityGuard. Some possible causes of an initialization failure are:
The Entrust IdentityGuard properties file contains invalid values. To resolve this, go to <IG_Install_Dir>\etc\identityguard.properties and edit the file.
Your repository is not configured correctly.
The repository is not running.
Your Entrust IdentityGuard Server service is running. See To check the status of Entrust IdentityGuard on page 94.
For more information on Entrust IdentityGuard error messages, see Entrust IdentityGuard Error Messages included with your documentation package.
Note: If you cancel at any time, all information will be lost.
4 Under License Information:
a Type your Entrust IdentityGuard installation key in the Entrust IdentityGuard Installation Key field.
b Type your Entrust IdentityGuard activation key in the Entrust IdentityGuard Activation Key field.
5 Click Validate. The master user information fields are enabled as soon as the license information is validated.
6 Under Master User Information, enter passwords for each one of the three master users (Master1, Master2, and Master3), and confirm each password. The passwords must meet the following criteria:
be over 8 characters in length
contain upper and lowercase characters
7 Click Initialize. The Entrust IdentityGuard Server initializes.
8 Click OK. You can now configure the sample application or test your installation. Go to one of:
Configuring the sample application on Microsoft Windows on page 87
Testing your installation on page 89
Attention: The sample administrator password is stored in clear text in the <IG_INSTALL_DIR>\identityguard81\etc\igsamples.properties file. For security reasons, disable the sample application when you are not using it.
If you have previously configured the sample, delete each of the following individually to reconfigure the sample:
sample administrator
sample group
sample role
sample policy
You can only disable or enable the sample application after initial configuration, using the Entrust IdentityGuard Web interface and Application Manager located on the Entrust IdentityGuard Configuration Panel.
To configure the sample application
1 If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2 Under Sample Application Setup, select Set Up the Sample Application to run the utility.
The Master User Login page appears.
3 Enter your master user name and master user password in the applicable fields. Use any one of the three master users set up in Initializing the primary Entrust IdentityGuard Server on page 83. The Entrust IdentityGuard Sample Web Application Setup page appears.
4 Under Configure Web Sample Administrator, type the following information:
Administrator user name. If you are using an LDAP or Active Directory repository, enter the ID of a user that already exists in the directory.
Administrator password. The password must be over 8 characters in length, contain upper and lower case characters, and contain a numerical value.
Confirm password. Re-enter the password entered in the field above.
5 Click Save to configure the sample application. The sample application is configured and, by default, enabled.
Administration service
Authentication service
Administration interface
Sample Web application
If the status of any of these is Offline, see Installation troubleshooting on page 92. If the status of any of these is Error, ensure that the URLs correspond to valid services and applications in identityguard.properties. To edit the URLs, go to <IG_Install_Dir>\etc\identityguard.properties.
4 Ensure that you can log in to the Administration Web interface.
a Create an administrator account or use the sample administrator account, if you have configured the sample application. For information on creating an administrator, see the Entrust IdentityGuard Administration Guide.
b Once you have created an administrator, do one of the following:
In Windows, click Start > All Programs > Entrust > IdentityGuard > Administration Interface. This opens the interface in your default browser.
In a Web browser, enter the URL of your Administration interface:
https://<hostname>:<port>/IdentityGuardAdmin
Where:
<hostname> is the server host name you selected during configuration.
<port> is the administration port you selected during configuration (default 8444).
Note: If you cannot access the Entrust IdentityGuard services (Administration or Authentication), verify that firewall rules are not blocking the HTTPS ports (by default 8443 and 8444).
c At the login page, enter the administrator user name and password. Optionally, enter the group name, if the user does not belong to the default group.
5 Optionally, test the sample application. To do so, follow the steps in Using the sample Web application on page 305.
You can now:
Complete various advanced configuration tasks (Postinstall configuration options for Entrust IdentityGuard Server on page 201 and Configuring the Entrust IdentityGuard Server properties file on page 255) such as adding replica Entrust IdentityGuard Servers to your system.
Set up your Entrust IdentityGuard system by adding policies, groups, users, authentication methods, and so on (see the Entrust IdentityGuard Administration Guide).
Installation troubleshooting
When you reinstall Entrust IdentityGuard, its Windows services may need to be restarted. If one or more services is marked as Offline on the Status tab of the Web Service and Application Manager page, restart the services. See Managing the Entrust IdentityGuard service on page 94.
If the Administration interface does not appear, but you know the services are running, you need to check if it is disabled.
To enable the Administration interface and service
1 Select Launch Web Service and Application Manager on the Entrust IdentityGuard Configuration Panel. The Web Service and Application Manager page appears.
2 Click the Controls tab.
3 Under Administration Service, select Enabled.
4 Under Administration Interface, select Enabled.
5 Click Apply Changes. The interface is enabled.
To enable the sample application
1 Select Launch Web Service and Application Manager on the Entrust IdentityGuard Configuration Panel.
2 Click the Controls tab.
3 Under Sample Application, select Enabled.
4 Click Apply Changes. The sample application is enabled and the IdentityGuard service is restarted.
To disable the sample application
Note: Only a configured sample application can be disabled.
1 Select Launch Web Service and Application Manager on the Entrust IdentityGuard Configuration Panel.
2 Click the Controls tab.
3 Under Sample Application, select Disabled.
4 Click Apply Changes. The sample application is disabled.
To check the status of Entrust IdentityGuard
1 Go to Start > All Programs > Control Panel > Administrative Tools > Services. The Services window appears.
2 Locate Entrust IdentityGuard Server and check the status column to view the status. The status tells you if the Entrust IdentityGuard Server is running.
Attention: Arrange to have a dedicated user account and group created on the servers that will host Entrust IdentityGuard. You must use the same account for any future upgrades and patches.
To prepare for install
1 Download and install the unlimited strength cryptography policy files for the Java Development Kit (JDK) being used to run WebLogic from the Sun Java Web site http://java.sun.com/j2se/1.4.2/download.html and, depending on the JRE you are using, install them in $WEBLOGIC/<java>/jre/lib/security, where <java> is the directory for the Java version used by the application server.
Note: It is important that you install the policy files specific to your Java Development Kit (JDK).
2 Extract the policy files. The files are extracted to a new directory called jce. You must move the two .jar files from the jce directory to the security directory.
3 To move the jar files enter:
mv local_policy.jar $WEBLOGIC/<java>/jre/lib/security
mv US_export_policy.jar $WEBLOGIC/<java>/jre/lib/security
Note: It is recommended that you back up the existing versions of the policy files.
If you want an SSL certificate from a public CA, use the Java keytool to create a certificate signing request (CSR). Then, follow the instructions on the public CA Web site to create a certificate. Once the certificate is created, import it and the CA certificate into your keystore using the Java keytool. For detailed instructions on configuring SSL on WebLogic, refer to http://edocs.bea.com/wls/docs91/secmanage/ssl.html.
Additional steps are required if you are using a self-signed certificate. To set up a self-signed certificate, you set the Java Virtual Machine (JVM) property javax.net.ssl.trustStore by following To set up a self-signed certificate on page 97 below.
To set up a self-signed certificate
1 Edit $DOMAIN/startWebLogic.sh.
2 Move to the line where JAVA_OPTIONS are specified and set the argument:
-Djavax.net.ssl.trustStore=<$TRUST_STORE>.JKS
where <$TRUST_STORE>.JKS refers to the file that contains the trusted certificates.
To prepare for install
1 Download the unlimited strength cryptography policy files for Java 1.5.0 from the Sun Java Web site at http://java.sun.com/j2se/1.5.0/download.jsp and, depending on the JRE you are using, install them in $WEBLOGIC/<java>/jre/lib/security, where <java> is the directory for the Java version used by the application server.
Note: It is important that you install the policy files specific to your Java Development Kit (JDK).
2 Extract the policy files. The files are extracted to a new directory called jce. You must move the two .jar files from the jce directory to the security directory.
3 To move the jar files enter:
mv local_policy.jar $WEBLOGIC/<java>/jre/lib/security
mv US_export_policy.jar $WEBLOGIC/<java>/jre/lib/security
where <java> is the directory for the Java version used by the application server.
Note: It is recommended that you back up the existing versions of the policy files.
Have a secure connection between administration services and Web administration. 128+ bit strength algorithms are recommended.
If you want an SSL certificate from a public CA, use the Java keytool to create a certificate signing request (CSR). Then, follow the instructions on the public CA Web site to create a certificate. Once the certificate is created, import it and the CA certificate into your keystore using the Java keytool. For detailed instructions on configuring SSL on WebLogic, refer to http://edocs.bea.com/wls/docs81/index.html.
Additional steps are required if you are using a self-signed certificate. You must update the command line options to start the domain.
To set up a self-signed certificate
1 Edit $DOMAIN/setDomainEnv.sh.
2 Move to the line where JAVA_OPTIONS are specified and set the following argument:
-Djavax.net.ssl.trustStore=<$trustStore>.jks
where <$trustStore> refers to the file that contains the trusted certificates.
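The JAVA_OPTIONS edit in this procedure and in the WebLogic 9.1 one above is easy to get subtly wrong (a store path that does not exist yet, or the option added twice). The script below is an added example, not part of the Entrust guide or of WebLogic: it backs up the start script, appends -Djavax.net.ssl.trustStore only when the store exists and is not already configured, and leaves the file unchanged on a repeated run. The function names, and the sample start script used to exercise them, are assumptions.

```shell
#!/bin/sh
# Added example; not from the Entrust guide or from WebLogic. Makes the
# "set -Djavax.net.ssl.trustStore=... in JAVA_OPTIONS" step repeatable for
# $DOMAIN/setDomainEnv.sh (WebLogic 8.1) or $DOMAIN/startWebLogic.sh (9.1).
# Function names are assumptions for this example.

# Print the trust store path currently named in the script's JAVA_OPTIONS,
# if any (empty output means the option is not set).
configured_truststore() {
    sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^" ]*\).*/\1/p' "$1" | head -n 1
}

# set_truststore_option <start script> <trust store .jks>
set_truststore_option() {
    script=$1
    store=$2
    # Refuse to point the JVM at a store that does not exist: the server
    # would start and then reject every SSL connection to the directory.
    if [ ! -f "$store" ]; then
        echo "trust store not found: $store" >&2
        return 1
    fi
    if [ ! -f "$script" ]; then
        echo "start script not found: $script" >&2
        return 1
    fi
    case $(configured_truststore "$script") in
        "$store") return 0 ;;     # already configured: nothing to do
        "") ;;                    # not configured yet: fall through
        *)  echo "JAVA_OPTIONS already names a different trust store" >&2
            return 1 ;;
    esac
    cp -p "$script" "$script.bak" || return 1
    # Insert the option before the closing quote of the first
    # JAVA_OPTIONS="..." line; add an assignment at the end if there is none.
    awk -v opt="-Djavax.net.ssl.trustStore=$store" '
        !done && /^JAVA_OPTIONS="/ { sub(/"$/, " " opt "\""); done = 1 }
        { print }
        END { if (!done) print "JAVA_OPTIONS=\"" opt "\"" }
    ' "$script.bak" > "$script"
}

# list_trusted_aliases <trust store .jks> <store password>
# If keytool is on PATH, print the aliases of the trusted certificates in the
# store, so you can confirm the self-signed certificate was really imported.
list_trusted_aliases() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
    keytool -list -keystore "$1" -storepass "$2" |
        sed -n 's/^\([^,]*\),.*trustedCertEntry.*/\1/p'
}
```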
To prepare for installation on Solaris
1 Download and install the unlimited strength cryptography policy files for the Java Development Kit (JDK) being used to run WebSphere from the Sun Java Web site http://java.sun.com/j2se/1.4.2/download.html and, depending on the JRE you are using, install them in $WEBSPHERE/<java>/jre/lib/security, where <java> is the directory for the Java version used by the application server.
Note: It is important that you install the policy files specific to your Java Development Kit (JDK) if you are not using J2SE 1.4.2.
2 Extract the policy files. The files are extracted to a new directory called jce. You must move the two jar files from the jce directory to the security directory.
3 To move the jar files to the security directory enter:
mv local_policy.jar $WEBSPHERE/<java>/jre/lib/security
mv US_export_policy.jar $WEBSPHERE/<java>/jre/lib/security
Repeat Step 2 and Step 3 for each JRE on your computer.
Note: It is recommended that you back up the existing versions of the policy files.
To prepare for installation on AIX
1 Download the following RPMs from AIX Toolkit for Linux applications (http://www-03.ibm.com/servers/aix/products/aixos/linux/download.html):
bash
unzip
zip
2 Install each package on your AIX server. To do so, run the following command as root:
rpm -i <package file>
3 Download and install the unlimited strength cryptography policy files for the Java Development Kit (JDK) being used to run WebSphere. You can download the policy files by browsing to https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk and selecting Unrestricted JCE Policy files for SDK 1.4.2. Install them in $WEBSPHERE/<java>/jre/lib/security, where <java> is the directory for the Java version used by the application server. For example, $WEBSPHERE/AppServer/java/jre/lib/security. For further instructions, refer to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_egs.html.
Note: It is recommended that you back up the existing versions of the policy files.
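Each of the four "prepare" procedures (WebLogic 9.1 and 8.1, WebSphere on Solaris and AIX) ends with the same two mv commands and the same recommendation to back up the existing policy files first. The script below is an added example, not part of the Entrust guide or of the JDK/SDK downloads, that performs that step as the guide recommends: it checks both jars are present in the extracted jce directory, backs up the restricted local_policy.jar and US_export_policy.jar already in the JRE, moves the unlimited ones into place, and then confirms the installed files actually differ from the backups. Paths are parameters; the function names are assumptions.

```shell
#!/bin/sh
# Added example; not from the Entrust guide or from Sun/IBM. Installs the
# unlimited strength JCE policy jars into a JRE's lib/security directory
# (the guide's $WEBLOGIC/<java>/jre/lib/security or
# $WEBSPHERE/<java>/jre/lib/security), backing up the existing ones first.
# Function names are assumptions for this example.

POLICY_JARS="local_policy.jar US_export_policy.jar"

# install_jce_policy <extracted jce directory> <JRE lib/security directory>
install_jce_policy() {
    jce_dir=$1
    security_dir=$2
    stamp=$(date +%Y%m%d%H%M%S)
    if [ ! -d "$security_dir" ]; then
        echo "no such security directory: $security_dir" >&2
        return 1
    fi
    # Refuse a half install: both jars must be in the jce directory.
    for jar in $POLICY_JARS; do
        if [ ! -f "$jce_dir/$jar" ]; then
            echo "missing $jce_dir/$jar (extract the policy zip first)" >&2
            return 1
        fi
    done
    # Back up the existing (restricted) files; -p keeps ownership and mode.
    for jar in $POLICY_JARS; do
        if [ -f "$security_dir/$jar" ]; then
            cp -p "$security_dir/$jar" "$security_dir/$jar.$stamp.bak" || return 1
        fi
    done
    # The mv step exactly as the guide gives it, one jar at a time.
    for jar in $POLICY_JARS; do
        mv "$jce_dir/$jar" "$security_dir/$jar" || return 1
    done
}

# jce_policy_changed <JRE lib/security directory>
# Succeeds only if each installed jar differs from its most recent backup:
# identical files mean the restricted policy was reinstalled over itself.
jce_policy_changed() {
    security_dir=$1
    changed=0
    for jar in $POLICY_JARS; do
        latest=$(ls -1 "$security_dir/$jar".*.bak 2>/dev/null | tail -n 1)
        [ -n "$latest" ] || continue
        cmp -s "$latest" "$security_dir/$jar" || changed=$((changed + 1))
    done
    [ "$changed" -eq 2 ]
}
```

Run it once per JRE on the machine, as the Solaris procedure says to repeat the step for each JRE.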
If you want an SSL certificate from a public CA, use the key management utility to create a certificate signing request (CSR). Then, follow the instructions on the public CA Web site to create a certificate. Once the certificate is created, import it and the CA certificate into your keystore using the key management utility. For detailed instructions on configuring SSL on WebSphere, refer to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_ssl.html.
Additional steps are required if you are using a self-signed certificate. To set up a self-signed certificate, do one of the following:
Import the self-signed certificate into the root store for the JRE, in $WEBSPHERE/AppServer/java/jre/lib/security/cacerts.
Set the Java Virtual Machine (JVM) property javax.net.ssl.trustStore by following To set up a self-signed certificate by setting the JVM property on page 102 below.
To set up a self-signed certificate by setting the JVM property
1 Start your WebSphere server from $WEBSPHERE/AppServer/bin by entering:
./startServer.sh <server_name>
where <server_name> is the name of the server you are starting.
2 Start the administration console for your server. The default URL is http://localhost:9060/ibm/console.
3 Log in to your server. The WebSphere main page appears.
4 From the WebSphere main page, select Servers > Application servers.
5 Click the server name on which you want to deploy Entrust IdentityGuard services from the Application servers list. The Server page appears.
6 Under Server Infrastructure, select Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties.
Document issue: 3.0
Name the new property javax.net.ssl.trustStore and set the value to <$trustStore>.jks where <$trustStore> is the name of the file that contains the trusted certificates. Click OK.
To install Entrust IdentityGuard
1 As root, change to the IG_81 directory. This directory was created when you extracted the download package.
2 Run install.sh by entering:
./install.sh
Note: Cancel out of the script at any time by pressing Ctrl + C or Ctrl + @.
3 Read through the license carefully, pressing Enter until you reach the end. The following message appears:
Do you agree to the above license terms? [yes or no]
4 Enter yes to accept the terms. Otherwise, if you do not agree with the license, type no and press Enter. The installation will cancel. Contact Entrust (Obtaining technical assistance on page 16). The following message appears:
Enter the UNIX user name that will own the installation:
5 Enter the user name already created for your WebLogic or WebSphere application server. The following message appears:
Enter the UNIX group name that will own the installation:
6 Enter the name for the group already created for your WebLogic or WebSphere application server. The following message appears:
Enter the install directory (default /opt/entrust):
Note: The installer will create this directory. If someone has already created the installation directory, you must ensure that the directory permissions allow the installer to write to that directory.
7 Press Enter to accept the default, or type in another directory location. After pressing Enter, the identityguard.zip file is automatically extracted into the directory $IDENTITYGUARD_HOME, where $IDENTITYGUARD_HOME is usually /opt/entrust/identityguard81.
8 To continue, Java must already be installed. It is recommended that you use the version of Java installed on your application server. The following message appears:
Enter the Java directory:
Enter the full directory path of the Java directory where the JCE policy files were installed. The following message appears:
Entrust IdentityGuard uses the trust store of the application server. Enter the file name of the application server trust store:
9 Enter the full directory path and file name of the application server trust store. See Configuring SSL for WebSphere 6.0 on page 101. This file sets environment variables needed to run Entrust IdentityGuard.
Creating igradius service... Do you wish the Entrust IdentityGuard Radius proxy to start automatically when the host starts after reboot? [yes or no]
Note: If you want to configure your VPN servers to recognize Entrust IdentityGuard groups, you must first install Entrust IdentityGuard and define the groups. In this case, enter no. See Configuring the Entrust IdentityGuard Radius proxy on page 171 for further details.
11 When the initial installation steps are complete, you must respond to the following prompt:
Installation complete. Do you wish to configure the application now? [yes or no]
Answer yes and press Enter to start the configuration tasks. Proceed to Configuring the primary Entrust IdentityGuard Server on page 109.
If you answer no, you must run the configure.sh script manually from the $IDENTITYGUARD_HOME/bin directory before you can use Entrust IdentityGuard. To do so, proceed to To run the primary Entrust IdentityGuard Server configuration manually on page 123.
Primary. If this is your first Entrust IdentityGuard Server installation, answer primary and continue with the steps in this procedure.
Note: There can only be one primary server.
Replica. If you have already installed an Entrust IdentityGuard Server, and you want to install more instances, answer replica. To configure and initialize a replica server, proceed to Adding Entrust IdentityGuard replica servers on page 210.
2 You are asked to indicate whether the user information is stored in an Active Directory (AD), LDAP, or database (DB) repository.
What type of repository will you use to store Entrust IdentityGuard information?
AD - Microsoft(R) Active Directory or Microsoft Active Directory in Application Mode
LDAP - LDAP-compliant Directory
DB - Database
(AD, LDAP or DB):
If you are using an LDAP repository, proceed to To add LDAP Directory information to Entrust IdentityGuard on page 110.
If you are using an Active Directory or Active Directory Application Mode (ADAM) repository, proceed to To add Active Directory (or ADAM) information to Entrust IdentityGuard on page 112.
If you are using a database repository, proceed to To add Database information to Entrust IdentityGuard on page 114.
Note: You can cancel the script at any time by pressing Ctrl + C.
Note: See the Entrust IdentityGuard Directory Configuration Guide for more information on LDAP and Active Directory configuration.
To add LDAP Directory information to Entrust IdentityGuard
1 Respond to the following prompt:
LDAP CONFIGURATION
Do you wish to use SSL to connect to the LDAP server? [yes or no]
Note: You can enable LDAPS after installation. For instructions, see Securing the LDAP connection with SSL on page 233.
2 If you answered yes, the following message appears:
Make sure that SSL certificate of the LDAP server is installed into the application server trust store.
If you answer no, no further message appears.
3 At the following prompt, enter the host name or IP address of the computer hosting the Directory:
Enter the LDAP host (ex: identityguard.anycorp.com):
The default port for LDAPS is 636.
5 Enter the LDAP base DN (the DN under which all Entrust IdentityGuard entries are found):
Enter the LDAP base DN (ex: dc=anycorp,dc=com):
Note: Entrust IdentityGuard configuration automatically converts spaces in the Active Directory base DN to %20. If you edit the Active Directory base DN after installation in the identityguard.properties file, remember to replace spaces with %20.
6 Enter the LDAP user DN information at the following prompts. The LDAP user DN and password define the credentials used by Entrust IdentityGuard to connect to the repository.
Enter the LDAP user DN (ex: cn=Directory Manager):
This is an existing LDAP password.
7 At the following prompt, enter the RDN of the entry that Entrust IdentityGuard should use to store its policy information:
The LDAP policy RDN defines the entry in the LDAP repository used to store Entrust IdentityGuard policy information. The entry must already exist.
Enter the LDAP policy RDN (ex: uid=policy):
The RDN is the prefix that, when joined with the base DN, comprises the full DN of the policy object.
8 At the following prompt, enter the attribute that uniquely identifies Entrust IdentityGuard users:
The LDAP user name is the attribute that uniquely identifies Entrust IdentityGuard users. Entrust IdentityGuard uses this attribute to find entries in the repository.
Enter the LDAP user name attribute (ex: uid):
Proceed to To complete the configuration script on page 115.
To add Active Directory (or ADAM) information to Entrust IdentityGuard
1 Respond to the following prompt:
MICROSOFT ACTIVE DIRECTORY CONFIGURATION
Do you wish to use SSL to connect to the Microsoft Active Directory server? [yes or no]
If you answer no, no further message appears.
3 At the following prompt, enter the host name or IP address of the computer hosting the Directory:
Enter the Microsoft Active Directory host (ex: identityguard.anycorp.com):
If you do not use SSL to connect to ADAM, the default port is 389.
5 Enter the Active Directory base DN (the DN under which all Entrust IdentityGuard entries are found):
Enter the Microsoft Active Directory base DN (ex: dc=anycorp,dc=com):
Note: Entrust IdentityGuard configuration automatically converts spaces in the Active Directory base DN to %20. If you edit the Active Directory base DN after installation in the identityguard.properties file, remember to replace spaces with %20.
6 Enter the Active Directory user DN information at the following prompts. The Active Directory user DN and password define the credentials used by Entrust IdentityGuard to connect to the repository.
Enter the Microsoft Active Directory user DN (ex: cn=Administrator,cn=Users,dc=anycorp,dc=com):
This is an existing Active Directory password.
7 At the following prompt, enter the RDN of the entry that Entrust IdentityGuard should use to store its policy information:
The policy RDN defines the entry in the Microsoft Active Directory repository used to store Entrust IdentityGuard policy information. The entry must already exist.
Enter the Microsoft Active Directory policy RDN (ex: cn=igpolicy,cn=Users):
The RDN is the prefix that, when joined with the base DN, comprises the full DN of the policy object.
8 At the following prompt, enter the attribute that uniquely identifies Entrust IdentityGuard users:
The Microsoft Active Directory user name is the attribute that identifies Entrust IdentityGuard users. Entrust IdentityGuard uses this attribute to find entries in the repository.
Enter the Microsoft Active Directory user name attribute (ex: sAMAccountName):
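The port, base DN and policy RDN values collected in the LDAP and Active Directory steps above can be checked before they are typed into the script. The following Python helpers are an added example written for this guide, not Entrust IdentityGuard code; the function names, the sample base DN containing a space, and the DN-parsing rule (split on commas not escaped with a backslash) are assumptions. They apply the rules the guide states: LDAPS defaults to port 636 and plain LDAP to 389, spaces in a base DN are stored as %20 in identityguard.properties, and the policy RDN joined with the base DN gives the full DN of the policy entry, which must already exist in the repository.

```python
"""Helpers for the repository values the configuration script prompts for.

Added example for this guide, not Entrust IdentityGuard code: function names,
the sample DN with a space, and the DN-parsing rule are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Default ports cited in the guide: 636 for LDAPS, 389 for plain LDAP.
DEFAULT_PORTS = {"ldaps": 636, "ldap": 389}

# Split a DN on commas that are not escaped with a backslash (assumed rule).
_DN_SPLIT = re.compile(r"(?<!\\),")


def repository_port(use_ssl: bool, port: Optional[int] = None) -> int:
    """Port to record for the repository connection.

    An explicit port is range-checked and passed through; otherwise the
    guide's default for the chosen transport is used.
    """
    if port is None:
        return DEFAULT_PORTS["ldaps" if use_ssl else "ldap"]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Break a DN into (attribute, value) pairs, decoding %20 back to spaces.

    Every component must have the form attribute=value; anything else is
    rejected so that a mistyped DN is caught before the script stores it.
    """
    pairs = []
    for component in _DN_SPLIT.split(dn.replace("%20", " ")):
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {component!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def properties_base_dn(base_dn: str) -> str:
    """Encode a base DN as identityguard.properties stores it: spaces become %20."""
    parse_dn(base_dn)  # reject malformed input before encoding
    return base_dn.replace(" ", "%20")


def policy_dn(policy_rdn: str, base_dn: str) -> str:
    """Full DN of the policy entry: the policy RDN prefixed to the base DN."""
    rdn = policy_rdn.strip().rstrip(",")
    base = base_dn.strip().lstrip(",")
    parse_dn(rdn)   # the RDN may itself be several components (cn=igpolicy,cn=Users)
    parse_dn(base)
    return f"{rdn},{base}"
```

Run parse_dn over the policy DN the helpers produce and confirm that entry exists in the directory with your LDAP tools before starting the script; the script does not create it.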
Enter the type of database you are using. The following message appears:
Enter the JDBC driver JAR file name:
Enter the path of the JDBC driver file (for example, /temp/ojdbc14.jar). Ensure that the file permissions on this file allow the Entrust IdentityGuard user to read and execute it. Note: Some databases require multiple .jar files. You can add other files in a later step.
At the following prompt, enter the JDBC driver class that Entrust IdentityGuard should use. For example, oracle.jdbc.driver.OracleDriver.
Enter the JDBC driver class name:
Press Enter.
4 If your database requires multiple JDBC driver files, type yes and press Enter. You are prompted to enter more file names. If your database only requires one file, type no and press Enter to continue. The following message appears:
Enter the DB URL:
Enter the database URL Entrust IdentityGuard requires to connect to the database server.
Provide Entrust IdentityGuard with the database administrator information. This database administrator was created to own the Entrust IdentityGuard database and schema.
a At the following prompt, enter the database administrator user name:
Enter the DB userid:
b At the following prompts, enter and confirm the database administrator password:
Enter the DB password:
Confirm:
Enter the schema name for your database. In some databases (for example, Oracle), the schema is automatically named with the user name associated with it. For these databases, type the database administrator user name.
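Before entering the JDBC driver file and class name above, it is worth confirming that the JAR really contains the class you are about to name and that the Entrust IdentityGuard user can read it; a wrong class name or an unreadable file is otherwise only discovered when the service starts. The following Python check is an added example, not part of the installer; check_jdbc_driver and the other function names are assumptions, and the JAR built in demo() is a constructed stand-in for a vendor driver with a single empty class entry. The class-name mapping (dots to slashes plus .class) is the standard JAR layout.

```python
"""Pre-check the JDBC driver inputs the configuration script asks for.

Added example for this guide, not Entrust IdentityGuard code. The JAR built by
make_fake_driver_jar is a constructed stand-in for a vendor driver.
"""
import os
import tempfile
import zipfile
from typing import Iterable, List


def driver_class_entry(class_name: str) -> str:
    """Map a driver class name (e.g. oracle.jdbc.driver.OracleDriver) to the
    entry path the class must have inside the JAR."""
    parts = class_name.split(".")
    if not class_name or not all(p.isidentifier() for p in parts):
        raise ValueError(f"not a Java class name: {class_name!r}")
    return "/".join(parts) + ".class"


def check_jdbc_driver(jar_paths: Iterable[str], class_name: str) -> List[str]:
    """Return a list of problems; an empty list means the inputs check out.

    Each JAR must exist, be readable by the current user (run this as the
    Entrust IdentityGuard UNIX user so the check reflects its permissions),
    and be a valid ZIP archive; the driver class must be in at least one JAR.
    """
    problems = []
    entry = driver_class_entry(class_name)
    found = False
    for path in jar_paths:
        if not os.path.isfile(path):
            problems.append(f"{path}: no such file")
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{path}: not readable by this user")
            continue
        if not zipfile.is_zipfile(path):
            problems.append(f"{path}: not a JAR (ZIP) archive")
            continue
        with zipfile.ZipFile(path) as jar:
            if entry in jar.namelist():
                found = True
    if not found:
        problems.append(f"driver class {class_name} not found in any listed JAR")
    return problems


def make_fake_driver_jar(directory: str,
                         class_name: str = "oracle.jdbc.driver.OracleDriver") -> str:
    """Constructed stand-in for a driver JAR: a ZIP with an empty .class entry."""
    path = os.path.join(directory, "ojdbc14.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(driver_class_entry(class_name), b"")
    return path


def demo():
    """Exercise the check against a good name, a wrong class name and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = make_fake_driver_jar(tmp)
        ok = check_jdbc_driver([jar], "oracle.jdbc.driver.OracleDriver")
        wrong_class = check_jdbc_driver([jar], "com.example.jdbc.Driver")
        missing = check_jdbc_driver([os.path.join(tmp, "missing.jar")],
                                    "oracle.jdbc.driver.OracleDriver")
        return ok, wrong_class, missing


if __name__ == "__main__":
    for label, result in zip(("ok", "wrong class", "missing file"), demo()):
        print(f"{label}: {result or 'no problems'}")
```

For databases that need several JAR files, pass every path in jar_paths; the class only has to be present in one of them, but each file is still checked for existence and readability.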
To complete the configuration script
1 You are prompted for the ports that the Application server should use. Client applications, through the IdentityGuardAuthAPI client toolkit, communicate with the Entrust IdentityGuard Authentication service to perform challenge retrieval and response validation. The client toolkit communicates with Entrust IdentityGuard using SOAP over HTTP/HTTPS. The following prompts define the ports that Entrust IdentityGuard services listen on. Enter a value for each.
Note: The HTTP and HTTPS ports should be the ones used by your application server.
APPLICATION SERVER CONFIGURATION
a Enter the Authentication Service HTTP port number:
b Enter the Authentication Service HTTPS port number:
The Entrust IdentityGuard Authentication service and the Entrust IdentityGuard sample application are deployed at both the HTTP and HTTPS ports.
Enter the Administration Service HTTPS port number:
This is the port that administration applications use to connect to the Administration service when using SSL (HTTPS).
Note: The Authentication Service HTTPS and Administration Service HTTPS port numbers can be the same.
2 You are prompted to confirm the host name used in the service URLs.
The hostname to be used in the service URLs is <hostname>. Do you want to use this hostname? [yes or no]
Enter yes to use this host name or enter no to choose another host name.
3 You are prompted to configure Entrust IdentityGuard logs:
LOG CONFIGURATION
a If you answer file, Entrust IdentityGuard displays the location of the files and configuration is complete.
b If you answer syslog, logs are logged to Syslog. Entrust IdentityGuard prompts you for the host name.
Enter the syslog host name (default is localhost):
Ensure that Syslog on this host is configured to accept Entrust IdentityGuard logs. For more information, see the section Configuring Syslog for remote logging on UNIX on page 226.
4 The following message appears:
Do you want to configure the Entrust IdentityGuard Radius Proxy? [yes or no]
Do one of the following:
If you plan to use a Radius server for first-factor authentication and are not using VPN groups, enter yes. Proceed to Step 4 in To configure the Radius proxy on UNIX on page 180.
If you plan to use a Radius server for first-factor authentication and you want to configure your VPN servers to recognize Entrust IdentityGuard groups, you must first complete the configuration and initialization of Entrust IdentityGuard and define the groups. In this case, enter no.
If you plan to use a Windows domain controller or LDAP directory for first-factor authentication, enter yes. Follow the instructions under Using Entrust IdentityGuard groups with a VPN server on page 175.
Otherwise, enter no.
Configuration complete. Do you wish to initialize the primary system? [yes or no]
Enter yes to start the initialization tasks. Proceed to Initializing the primary Entrust IdentityGuard Server on page 118. If you enter no you must run the init command in the supersh command shell from the $IDENTITYGUARD_HOME/bin directory before you can use Entrust IdentityGuard. Proceed to To initialize the primary Entrust IdentityGuard Server manually on page 123.
The contents of the master keys file can be unlocked by a master user. The contents of the key protection file provide access to the master user passwords. This access can then be used to unlock the master keys file.
If initialization fails
The most likely causes of an initialization failure are:
The Entrust IdentityGuard properties file contains invalid values. To resolve this, go to $IDENTITYGUARD_HOME/etc/identityguard.properties and edit the file.
Your repository is not configured correctly to work with Entrust IdentityGuard.
The repository is not running.
For more information on Entrust IdentityGuard error messages, see Entrust IdentityGuard Error Messages included with your documentation package.
Attention: If you are using an LDAP repository, and you run init -overwrite, you must first manually remove the fpcr directory located at $IDENTITYGUARD_HOME/etc/fpcr/ as well as the ftkr directory located at $IDENTITYGUARD_HOME/etc/ftkr.
Attention: If you reinitialize an Entrust IdentityGuard system by running init -overwrite, you must first replace any encrypted values in the identityguard.properties file with cleartext values because Entrust IdentityGuard cannot decrypt the old values once the reinitialization is performed. See the section Editing property values on page 257.
When you answer y, the command init -overwrite runs automatically. The init command:
generates a new master key and stores it in the master keys file
generates the key protection file
initializes default policy settings
If you answer n or if initialization fails, you must run the init command in the master user shell (supersh) at a later time. For steps for initializing manually, see the section To initialize the primary Entrust IdentityGuard Server manually on page 123.
Note: You can cancel the script at any time by pressing Ctrl + C.
The following messages appear:
Enter install key:
Enter the installation key and the activation key you received from Entrust. Once the activation key is validated, master keys are then generated.
Attention: The two master keys files are created in $IDENTITYGUARD_HOME/etc. After initialization, back up masterkeys.enc. If this file is lost, the system cannot be recovered. See the system restore procedure in Restoring Entrust IdentityGuard from a backup on page 250. Do not back up the key protection file (masterkeys.kpf). The masterkeys.kpf file is unique to each server.
Type the three master user passwords for the user names Master1, Master2, and Master3. The passwords must meet the following criteria:
be over eight characters in length
contain upper and lowercase characters
contain a numerical value
When you have finished creating passwords, the following message is displayed:
System initialized. Do you wish to setup the sample application [yes or no]
Enter yes to configure the sample application. Proceed to Configuring the sample application on an existing application server on page 121. If you enter no you can optionally configure the sample application later. Proceed to Deploying Entrust IdentityGuard services on an existing application server on page 127.
If you are configuring the sample application manually, refer to To configure the Entrust IdentityGuard Server sample application manually on page 125.
To configure the sample application
1 You are prompted to enter the user name for the sample administrator.
Enter adminid for sample administrator:
2 You are prompted to enter and confirm a password:
Enter password for sample administrator:
Confirm:
The password must meet the following criteria:
be over eight characters in length
contain upper and lowercase characters
contain a numerical value
3 Log in as a master user to complete the setup. You are prompted for a master user name and password:
Userid:
Password:
When you are finished setting up the sample, the following message appears:
Setup of Entrust IdentityGuard sample successful.
You can now deploy the sample Web application from your application server (see Deploying Entrust IdentityGuard services on an existing application server on page 127).
(Include a space between the two periods in the command.)
4 Run the configure.sh script. If you have previously configured Entrust IdentityGuard, the following message appears:
An identityguard.properties file exists. If you continue, this file will be overwritten. Do you want to continue? [yes or no]
Enter yes and continue from Step 1 of the To start the Entrust IdentityGuard configuration on page 109.
To initialize the primary Entrust IdentityGuard Server manually
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 106.
2 Go to $IDENTITYGUARD_HOME.
3 From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
Note: You can view copyright and version information at any time by entering version at the command prompt.
5 Enter
init <optionalvalues>
where <optionalvalues> are listed in Table 10.
Table 10: Initialization optional values
Value: -sernum
Description: To start card serial numbers at a specific number, enter init -sernum <num> where <num> is a positive integer. Defaults to 1 if not specified. Use this option if you are adding additional cards to your system. For example, if you have previously loaded 350 cards, enter:
init -sernum 351
Value: -overwrite
Description: If the system was initialized previously, this command overwrites the existing data. You are prompted to confirm that you want existing data to be overwritten.
Attention: If you are using an LDAP repository, and you run init -overwrite, you must first manually remove the fpcr folder located at $IDENTITYGUARD_HOME/etc/fpcr/.
Attention: If you reinitialize an Entrust IdentityGuard system by running init -overwrite, you must first replace any encrypted values in the identityguard.properties file with cleartext values because Entrust IdentityGuard cannot decrypt the old values once the reinitialization has been performed. See the section Editing property values on page 257.
Value: -force
Description: If you use the -force option, you are not prompted for confirmation.
6 Complete Step 2 and Step 3 on page 120.
7 Type exit to leave the command shell.
Check the log files for errors. If you chose to log to files when you installed Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs.
To configure the Entrust IdentityGuard Server sample application manually
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 106.
2 Change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
3 From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Run the configsample.sh script.
5 You are prompted to enter the user name for the sample administrator.
Enter adminid for sample administrator:
6 You are prompted to enter and confirm a password:
Enter password for sample administrator:
Confirm:
The password must meet the following criteria:
be over eight characters in length
contain upper and lowercase characters
contain a numerical value
7 Log in as a master user to complete the setup. You are prompted for a master user name and password:
Userid:
Password:
When you are finished setting up the sample, the following message is displayed:
Setup of Entrust IdentityGuard sample successful.
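The sample administrator password rules above are the same three rules the initialization step gives for the Master1, Master2 and Master3 passwords. The following Python checker is an added example, not part of the installer; the function names are assumptions, and the distinctness check on the three master passwords is an added practice rather than a rule the guide states. Running it on a candidate before the script's Confirm: prompt shows exactly which rule a rejected password fails.

```python
"""Check candidate passwords against the rules this guide states for the
master user passwords (Master1, Master2, Master3) and the sample administrator.

Added example for this guide, not Entrust IdentityGuard code; function names
are assumptions.
"""
from typing import List, Sequence

MIN_LENGTH_EXCLUSIVE = 8  # guide: "be over eight characters in length"


def password_violations(password: str) -> List[str]:
    """Return the guide's rules the password fails; empty means acceptable."""
    failures = []
    if len(password) <= MIN_LENGTH_EXCLUSIVE:
        failures.append("must be over eight characters in length")
    if not any(c.isupper() for c in password):
        failures.append("must contain an uppercase character")
    if not any(c.islower() for c in password):
        failures.append("must contain a lowercase character")
    if not any(c.isdigit() for c in password):
        failures.append("must contain a numerical value")
    return failures


def confirmed(password: str, confirmation: str) -> bool:
    """Mirror the script's Confirm: prompt: both entries must match exactly."""
    return password == confirmation


def distinct_master_passwords(passwords: Sequence[str]) -> bool:
    """Added practice (not a guide rule): the three master user passwords
    should differ from one another. True when no two are the same."""
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    import getpass
    candidate = getpass.getpass("Candidate password: ")
    again = getpass.getpass("Confirm: ")
    if not confirmed(candidate, again):
        print("entries do not match")
    for rule in password_violations(candidate) or ["password meets the stated rules"]:
        print(rule)
```

The script reads the candidate with getpass so it is not echoed or left in shell history; it does not store the value anywhere.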
To make changes to the sample Web application configuration
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See To install Entrust IdentityGuard on page 106.
2 Change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
3 From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4 Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
5 Log in as a master user. For example,
Master1
6 If you have previously configured the sample, delete each of the following individually:
sample administrator
sample group
sample role
sample policy
To do so:
a Run the delete command for each. For example,
admin delete sample/SampleAdmin1
Note: Use the list command to list sample administrators, groups, roles, and policies, so that you can see which ones to delete. For example, use admin list to list all the sample administrators that have already been created. Use group list to list the sample groups that exist, and so on.
b Answer yes to confirm the delete.
Are you sure you wish to delete the admin? (y/n) [n]:
7 Type exit to exit the master user shell and return to the command line.
8 Enter the following command to start configuring the sample:
configsample.sh
9 You are warned that the igsample.properties file already exists. For example:
/opt/entrust/identityguar81/etc/igsample.properties file already exists. Do you wish to continue? [yes or no]
Answer yes.
10 Follow the steps in To configure the sample application on page 121.
Note: In the following, $WEBLOGIC is the directory in which the WebLogic server was installed. $DOMAIN is the directory of the WebLogic domain where Entrust IdentityGuard is being installed, for example /bea/weblogic81/samples/domains/wl_server.
To install Entrust IdentityGuard services
1 Install the native libraries libaal2sdk.so and libualjni.so required by Entrust IdentityGuard to one of the directories listed in the LD_LIBRARY_PATH environment variable. The native libraries are located in $IDENTITYGUARD_HOME/lib/solaris. Enter at the command line:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/entrust/identityguard81/lib/solaris/; export LD_LIBRARY_PATH
Note: Substitute the correct installation directory if it is different from the default /opt/entrust.
2 Edit the domain startup script $DOMAIN/startWebLogic.sh and add enttoolkit.jar, log4j-1.2.14.jar and any database driver .jar files to the line that sets the CLASSPATH environment variable.
3 Still in $DOMAIN/startWebLogic.sh, move to the line where it sets JAVA_OPTIONS, and at the end add
-Didentityguard.home=/opt/entrust/identityguard81
Note: Substitute the correct install directory if it is different from the default /opt/entrust, and add the line if there is currently no setting of JAVA_OPTIONS.
4 At the command line, go to (cd) $IDENTITYGUARD_HOME/services/auth.
5 Create a directory named IdentityGuardAuthService.
6 Go to (cd) the IdentityGuardAuthService directory.
7 Using the jar tool from the WebLogic JDK ($WEBLOGIC/jdk_141_05/bin/jar), extract the file IdentityGuardAuthService.war by entering the following at the command line:
jar xvf ../IdentityGuardAuthService.war
A new directory called WEB-INF is created.
8 Go to (cd) the WEB-INF directory, and create a file named weblogic.xml with the following content:
Note: The file name is case-sensitive.
<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 8.1//EN" "http://www.bea.com/servers/wls810/dtd/weblogic810-web-jar.dtd">
<weblogic-web-app>
  <container-descriptor>
    <prefer-web-inf-classes>true</prefer-web-inf-classes>
  </container-descriptor>
</weblogic-web-app>
12 Repeat Step 8.
13 In $IDENTITYGUARD_HOME/services/admin, create a directory named IdentityGuardAdminService.
14 Change to the IdentityGuardAdminService directory.
15 Extract IdentityGuardAdminService.war by entering the following at the command line:
jar xvf ../IdentityGuardAdminService.war
16 Repeat Step 8.
17 Optionally, deploy the sample application:
a In $IDENTITYGUARD_HOME/services/auth, create a directory named IdentityGuardSampleApp.
b Change to the IdentityGuardSampleApp directory.
c Extract IdentityGuardSampleApp.war by entering the following at the command line:
Repeat Step 8.
To deploy Entrust IdentityGuard services
1 Start your WebLogic domain from $DOMAIN by entering
./startWebLogic.sh
2 Start the administration console for your server (default URL http://localhost:7001/console) and log in. The WebLogic 8.1 main page appears.
From the WebLogic 8.1 main page, select Deployments > Web Application Modules. The Deploy a Web Application Module page appears.
Click the Deploy a New Web Application link. The Select the archive for this Web application module page appears.
Browse through the location link to locate the directory where the authentication service WAR file was extracted. The directory is $IDENTITYGUARD_HOME/services/auth/IdentityGuardAuthService. The Select the archive for this Web application module page appears.
Click the radio button to the left of the directory IdentityGuardAuthService and then click Target Module. The Review your choices and deploy page appears.
After reviewing your choices, click Deploy. A deployment status page appears showing the status of the Web application deployment.
Repeat Step 3 through Step 7 to install the Administration service from $IDENTITYGUARD_HOME/services/admin/IdentityGuardAdminService
Repeat Step 3 through Step 7 to install the Administration interface from $IDENTITYGUARD_HOME/services/admin/IdentityGuardAdmin
10 Optionally, repeat Step 3 through Step 7 to enable the sample application from $IDENTITYGUARD_HOME/services/auth/IdentityGuardSampleApp.
Note: In the following, $WEBLOGIC is the directory in which the WebLogic server was installed, and $DOMAIN is the directory of the WebLogic domain where Entrust IdentityGuard is being installed, for example /opt/bea/weblogic91/samples/domains/wl_server.
To install and deploy Entrust IdentityGuard services
1 Install the native libraries libaal2sdk.so and libualjni.so required by Entrust IdentityGuard to one of the directories listed in the LD_LIBRARY_PATH environment variable. The native libraries are located in $IDENTITYGUARD_HOME/lib/solaris. Install them by entering at the command line:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/entrust/identityguard81/lib/solaris/; export LD_LIBRARY_PATH
Note: Substitute the correct installation directory if it is different from the default /opt/entrust.
2 Copy enttoolkit.jar and log4j-1.2.14.jar, found in $IDENTITYGUARD_HOME/lib, and any database driver .jar files to $DOMAIN/lib. All .jar files in this directory are added to the Classpath environment when the server starts.
3 Edit the domain startup script that sets the environment variables, $DOMAIN/bin/setDomainEnv.sh. Move to the line that sets JAVA_OPTIONS and add -Didentityguard.home=/opt/entrust/identityguard81 to the end of the line.
Note: Your installation directory may be different.
4 Start your WebLogic server from $DOMAIN/bin by typing:
./startWebLogic.sh
5 Start the administration console for your server (the default URL is http://localhost:7001/console) and log in. The WebLogic main page appears.
Under Domain Configurations, click Deployments. The Summary of Deployments page appears.
Click Upload your file(s) located in the Note paragraph. The Install Application Assistant appears prompting you to upload a deployment to the administration server.
10 Click Browse to the right of Deployment Archive to locate the authentication service WAR file, IdentityGuardAuthService.war and click Open. The file is located in
$IDENTITYGUARD_HOME/services/auth/IdentityGuardAuthService.war
11 Click Next on the Install Applications Assistant page to upload a deployment to the administration server. The Install Applications Assistant page updates so that you can locate the deployment to install and prepare for deployment.
12 Click the radio button to the left of the file name IdentityGuardAuthService.war to locate the deployment to install and prepare for deployment. 13 Click Next. The Install Applications Assistant page updates and prompts you to choose a targeting style.
14 Select Install this deployment as an application, and then click Next. The Install Applications Assistant page updates with optional settings.
15 Accept the default optional settings and click Next. The Install Applications Assistant page updates to enable you to review your choices.
16 Review the choices, and click Finish. The Settings for IdentityGuardAuthService page appears.
17 Under Change Center in the top left of the page, click Activate Changes to accept the changes.
18 Repeat Step 6 through Step 17 to install the Administration service ($IDENTITYGUARD_HOME/services/admin/IdentityGuardAdminService.war).
19 Repeat Step 6 through Step 17 to install the Administration interface ($IDENTITYGUARD_HOME/services/admin/IdentityGuardAdmin.war).
20 Optionally, repeat Step 6 through Step 17 to enable the sample application ($IDENTITYGUARD_HOME/services/auth/IdentityGuardSampleApp.war).
21 Under Domain Structure on the main page, click Deployments.
IdentityGuard 8.1 Installation Guide Document issue: 3.0
The IdentityGuard deployments display in a prepared state, but they are not running yet.
22 Select the checkbox for each Entrust IdentityGuard application.
23 Click the Start drop-down menu.
24 Select Start servicing all requests. The Start Application Assistant page appears.
where server_name is the name of the server you are starting.
2 Start the administration console for your server. The default URL is http://localhost:9060/ibm/console.
3 Log in to your server. The WebSphere main page appears.
From the WebSphere main page, click Environment > Shared Libraries. The Shared Libraries page appears.
5 Click the Node scope for the library and click Apply.
6 Under Preferences, click New. The New Shared Libraries page appears prompting you to define the settings for the shared library. These are the settings for the Security Toolkit for Java Platform.
Define the Shared Library settings:
a In the Name field, type Security Toolkit for Java Platform.
b Leave the Description field blank.
c Set the Classpath to the enttoolkit.jar file: /opt/entrust/identityguard81/lib/enttoolkit.jar
d If the log4j-1.2.14.jar file is not already a shared library, also add /opt/entrust/identityguard81/lib/log4j-1.2.14.jar
e Set the Native library path to /opt/entrust/identityguard81/lib/solaris or /opt/entrust/identityguard81/lib/aix
Click OK. You are returned to the Shared Libraries page. Security Toolkit for Java Platform appears in the preferences list and a message displays indicating that changes have been made to your local configuration and that the server may need to be restarted for the changes to take place.
Click Save to save the changes, but do not restart the server at this time. The Shared Libraries Save page appears prompting you to click Save to update the master repository with changes.
10 Click Save to return to the Shared Libraries page.
11 If your installation will use Vasco tokens, repeat Step 6 to Step 10 to define a shared token library. Add a Classpath for each of the following:
/opt/entrust/identityguard81/lib/aal2wrap.jar
The library path is /opt/entrust/identityguard81/lib/solaris
12 If using a database, repeat Step 6 to Step 10 to define the database driver library file.
13 Click Save.
To deploy shared libraries
1 From the WebSphere server main page, click Servers > Application Servers. The Application servers page appears.
Click the server name on which you want to deploy Entrust IdentityGuard services from the Application servers list.
Under Server Infrastructure, click Java and Process Management > Class loader.
Select the class loader from the list. If there are no class loaders defined:
a Click New to create a new class loader. The Class loader configuration page appears.
b Select Class loader mode Parent First.
c Click OK. You are returned to the Server page and a Class Loader appears in the preferences list.
d Select the Class loader. The Class loader configuration page appears.
Under Additional Properties, select Libraries. The Application servers Library Reference page appears.
Click Add. The Application server Library Reference General Properties page appears.
7 Under Library name, select Security Toolkit for Java Platform.
8 Click OK. The Library Reference page updates with Security Toolkit for Java Platform listed in the preferences list.
Repeat Step 6 to Step 8 for the Entrust token library and, optionally, the database driver library.
10 Return to the server page from Step 2. You can do this by clicking the server name from the Library Reference page.
11 From the server page, click Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties. The Custom Properties page appears.
13 Name the new property identityguard.home.
14 Set the value to the install directory of Entrust IdentityGuard, /opt/entrust/identityguard81.
15 Click OK.
Note: When using the default JDK on Solaris, applications running in WebSphere do not understand the HTTPS protocol. To resolve this issue, you must define another custom property with the name java.protocol.handler.pkgs and value com.ibm.net.ssl.www.protocol.
16 Click Save followed by Save on the Custom Properties Save page.
17 Repeat Step 12 to Step 16 to define the java.protocol.handler.pkgs custom property.
Note: Ensure that you have also set up the javax.net.ssl.trustStore custom property if you are using self-signed certificates (see Configuring SSL for WebSphere 6.0 on page 101).
18 If you are using AIX, complete this step. On Solaris, proceed to Step 19 on page 155.
a Return to the server page from Step 2.
b From the server page, click Java and Process Management > Environment Entries. The Application server Custom Properties page opens.
Set Name to LIBPATH (all caps) and Value to the path of the native libraries. For example, /opt/entrust/identityguard81/lib/aix.
Click Browse under Specify path to locate the authentication service WAR file, IdentityGuardAuthService.war, which is most likely in /opt/entrust/identityguard81/services/auth/.
Type /IdentityGuardAuthService in the Context Root text box.
Click Next. The Preparing for the application installation page updates prompting you to choose to generate default bindings and mappings.
An Application Security Warnings page appears warning about contents of the was.policy file.
Accept the warning and click Continue. The Install New Application page updates prompting you to select your installation options.
Select the installation options. You can select to keep the default settings or, optionally in the Directory to install application text box, specify an installation directory and remove _war from the Application name.
On the Map Modules to Servers page, select the server(s) on which to deploy the Entrust IdentityGuard authentication service. Note: You must select at least one server.
10 Click Next. The Map virtual hosts for Web modules page appears.
11 On the Map Virtual Hosts for Web Modules page, select the virtual host to deploy the Entrust IdentityGuard authentication service. 12 Click Next. The Summary page appears.
13 Review the details on the Summary page, and click Finish. WebSphere attempts to load the Entrust IdentityGuard authentication service. If this fails, consult the WebSphere logs for the domain to see why. When installation completes the following message appears:
Application IdentityGuardAuthServices installed successfully. To start the application, first save changes to the master configuration.
14 Click Save to Master Configuration. The Save page appears.
15 Click Save.
16 Repeat Step 1 through Step 15 to install the administration service from /opt/entrust/identityguard81/services/admin/IdentityGuardAdminService.war
17 Repeat Step 1 through Step 15 to install the Web interface from /opt/entrust/identityguard81/services/admin/IdentityGuardAdmin.war.
18 Optionally, repeat Step 1 through Step 15 to install the sample application from /opt/entrust/identityguard81/services/auth/IdentityGuardSampleApp.war.
To start Entrust IdentityGuard services
1 From the WebSphere main menu, select Applications > Enterprise Applications. The Enterprise Applications page appears.
Select the box next to Entrust IdentityGuard service(s), and then click Start. A message appears indicating that the services have started successfully. Note: You can select to start multiple services simultaneously.
Enter:
igservice.sh all status
The following shows part of the status report generated when all services are running:
Authentication V1 service at http://<hostname>/IdentityGuardAuthService/services/AuthenticationService is available.
Authentication V1 service at https://<hostname>/IdentityGuardAuthService/services/AuthenticationService is available.
Authentication V2 service at http://<hostname>/IdentityGuardAuthService/services/AuthenticationServiceV2 is available.
Authentication V2 service at https://<hostname>/IdentityGuardAuthService/services/AuthenticationServiceV2 is available.
Sample application at http://<hostname>/IdentityGuardSampleApp is available.
Administration V1 service at https://<hostname>/IdentityGuardAdminService/services/AdminService is available.
Administration V2 service at https://<hostname>/IdentityGuardAdminService/services/AdminServiceV2 is available.
Administration interface at https://<hostname>/IdentityGuardAdmin is available.
Ensure that you can log in to the Administration Web interface.
a Create an administrator account or use the sample administrator account, if you have configured the sample application. For information on creating an administrator, refer to the Entrust IdentityGuard Administration Guide.
b Open a browser and enter the following URL:
https://<FQDN>:<port>/IdentityGuardAdmin
where:
<FQDN> is the Entrust IdentityGuard host name.
<port> is the Administration interface service port.
Note: If you cannot access the Entrust IdentityGuard services (administration or authentication), verify that firewall rules are not blocking the HTTP and HTTPS ports.
c At the login page, enter the administrator user name and password. Optionally, enter the group name, if the user does not belong to the default group.
d You are prompted to change the administrator password. Follow the rules on the screen to change the administrator password.
e The Entrust IdentityGuard Administration interface appears:
Optionally, test the sample application. To do so, follow the steps in Using the sample Web application on page 305.
You have now completed testing of the Entrust IdentityGuard installation. You can now:
- complete various advanced configuration tasks (Postinstall configuration options for Entrust IdentityGuard Server on page 201 and Configuring the Entrust IdentityGuard Server properties file on page 255), such as adding replica Entrust IdentityGuard Servers to your system
- set up Entrust IdentityGuard by adding policies, groups, users, authentication methods, and so on (see the Entrust IdentityGuard Administration Guide)
To query the status of Entrust IdentityGuard
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation.
2 From $IDENTITYGUARD_HOME, enter:
. ./env_settings.sh
Note: Once Entrust IdentityGuard is installed, the service is started automatically when you reboot.
2 Click the application name, for example, IdentityGuardAdmin. The Deployment status page appears.
3 Click Stop.
Deploying Entrust IdentityGuard services on an existing application server
Repeat Step 1 to Step 3 for each Entrust IdentityGuard service you want to stop.
To stop Entrust IdentityGuard Services
1 Under Domain Structure on the left of the main page, click Deployments. The Deployment Summary page appears with a list of Entrust IdentityGuard services.
2 Select the checkbox for the service(s) you want to stop.
3 From the Stop drop-down menu, select the desired stop option. The Stop Application Assistant page appears.
4 Click Yes to stop the application. You are returned to the Summary of Deployments page.
2 Select the service(s) you want to stop.
3 Click Stop. A message appears indicating that the service was stopped successfully.
Once your VPN server uses the Radius proxy for first-factor authentication, you can configure Entrust IdentityGuard to add the grid, token, or temporary PIN multifactor authentication methods to the first-factor authentication performed by the Radius proxy. You can configure some VPN servers to use a Radius server and some to use a different first-factor authentication resource. You can take advantage of the Entrust IdentityGuard groups feature to organize users into different groups for authentication purposes. This way you can direct the users of some groups to one first-factor authentication resource and other users to other resources. For details, see Configuring the Radius proxy for groups on page 175.
Note: When you configure the Entrust IdentityGuard Radius proxy, the program stores the results in the identityguard.properties file. You can edit this file to change settings or to add additional VPN servers and their first-factor authentication method later. For information on the property settings, see section Configuring the Entrust IdentityGuard Radius proxy properties on page 282.
[Figure: Radius proxy integrated with a VPN and a Radius server; diagram labels: VPN server, Radius server]
Note: In the above diagram and the next, the Entrust IdentityGuard Radius proxy is shown as a separate physical entity just for illustration. In reality, it is a component that resides on the Entrust IdentityGuard Server.
VPN authentication through the Entrust IdentityGuard Radius proxy follows these steps:
1 A user enters a user name and password using a VPN client.
2 The VPN server passes this information to the Entrust IdentityGuard Radius proxy.
3 The Entrust IdentityGuard Radius proxy forwards the request to the first-factor authentication resource to verify the user.
4 The first-factor authentication resource responds with an accept or reject message to the Entrust IdentityGuard Radius proxy. If the Radius proxy receives a reject message, the Radius proxy forwards it unchanged to the VPN server.
5 If the Radius proxy receives an accept message, it requests either a grid or token challenge from Entrust IdentityGuard and sends it to the VPN server.
6 The VPN server forwards this to the VPN client. The challenge requires a temporary PIN or a response from a user's card or token.
7 The VPN server sends the user's response to the challenge back to the Entrust IdentityGuard Radius proxy.
8 The Radius proxy forwards the response to Entrust IdentityGuard.
9 Entrust IdentityGuard checks the response and the Radius proxy sends an accept or reject message to the VPN server.
10 An accept message indicates that the user has passed second-factor authentication.
Figure 3: Radius proxy integrated with a VPN and external authentication
[Figure 3 labels: VPN client, VPN server, Entrust IdentityGuard Radius proxy, Entrust IdentityGuard Server, first-factor authentication resource: domain controller or LDAP directory]
Authentication using a Windows domain controller or LDAP directory follows these steps:
1 A user enters a user name and password in the VPN client.
2 The VPN server passes the data to the Entrust IdentityGuard Radius proxy.
3 The Radius proxy forwards the request to the Entrust IdentityGuard Server to verify the user.
4 Entrust IdentityGuard checks the first-factor authentication resource to verify the user.
5 Entrust IdentityGuard sends a success or fail message to the Radius proxy. If the Radius proxy receives a fail message, it generates a reject message and sends it to the VPN server.
6 If the Radius proxy receives a success message, it requests a challenge from Entrust IdentityGuard and sends the challenge to the VPN server.
7 The VPN server forwards this to the VPN client. The challenge requires a temporary PIN or a response from a user's card or token.
8 The VPN server sends the response to the Radius proxy.
9 The Radius proxy forwards the information to Entrust IdentityGuard for authentication.
10 Entrust IdentityGuard authenticates the response (or not) and the Radius proxy sends an accept or reject message to the VPN server.
11 An accept message indicates the user has now passed second-factor authentication.
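The two flows above, modelled in Python as an added example (this is not Entrust's code and does not reflect how the product is implemented). The packet layout, User-Password hiding and Response Authenticator follow RFC 2865, which the guide does not spell out; the first-factor store, the grid challenge text and the expected grid answer are constructed stand-ins for the Radius server or directory and for Entrust IdentityGuard. The proxy answers the first Access-Request with an Access-Challenge that carries a State attribute, and only accepts a second request that returns that State with the correct second-factor answer:

```python
"""Two-step Radius proxy flow from the guide, modelled with RFC 2865 packets:
first-factor check, then Access-Challenge + State for the second factor."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """Type-Length-Value; the length byte includes its own two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = {}, 0
    while i < len(data):
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple; XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    raw = password.encode()
    padded = raw.ljust(16 * max(1, (len(raw) + 15) // 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: the proxy needs the clear text to check or forward it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode()

def build_request(ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """The check the VPN server makes on every reply; a mismatched shared secret fails it."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

class RadiusProxyModel:
    """Steps 2 to 9 of the flow. first_factor(user, pw) stands in for the Radius server or
    directory; challenge_for(user) and verify_second(user, answer) for Entrust IdentityGuard."""
    def __init__(self, vpn_secret, first_factor, challenge_for, verify_second):
        self.vpn_secret, self.first_factor = vpn_secret, first_factor
        self.challenge_for, self.verify_second = challenge_for, verify_second
        self.pending = {}  # State attribute -> user awaiting a second-factor answer

    def handle(self, request):
        attrs = decode_attrs(request[20:])
        user = attrs[USER_NAME].decode()
        text = unhide_password(attrs[USER_PASSWORD], self.vpn_secret, request[4:20])
        state = attrs.get(STATE)
        if state is None:  # first leg: the password goes to the first-factor resource
            if not self.first_factor(user, text):
                return build_response(ACCESS_REJECT, request, [], self.vpn_secret)
            state = os.urandom(16)
            self.pending[state] = user
            challenge = [(STATE, state), (REPLY_MESSAGE, self.challenge_for(user).encode())]
            return build_response(ACCESS_CHALLENGE, request, challenge, self.vpn_secret)
        if self.pending.pop(state, None) != user:  # unknown, replayed or foreign State
            return build_response(ACCESS_REJECT, request, [], self.vpn_secret)
        code = ACCESS_ACCEPT if self.verify_second(user, text) else ACCESS_REJECT
        return build_response(code, request, [], self.vpn_secret)

def vpn_round_trip(proxy, secret, user, text, ident, state=None):
    """VPN server side: hide text as User-Password, send, verify the reply authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(text, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    request = build_request(ident, req_auth, attrs)
    reply = proxy.handle(request)
    if not verify_response(reply, request, secret):
        raise ValueError("reply authenticator mismatch: shared secrets differ")
    return reply[0], decode_attrs(reply[20:])

def demo(password="Passw0rd!", grid_answer="A1B2", vpn_secret=b"vpn-shared-secret"):
    """Constructed user store and grid answer; returns the RADIUS codes the VPN server sees."""
    users = {"alice": "Passw0rd!"}  # constructed first-factor store
    proxy = RadiusProxyModel(vpn_secret, first_factor=lambda u, p: users.get(u) == p,
                             challenge_for=lambda u: "Grid challenge: cells [A1] [B2]",
                             verify_second=lambda u, a: a == "A1B2")
    code, attrs = vpn_round_trip(proxy, vpn_secret, "alice", password, 1)
    codes = [code]
    if code == ACCESS_CHALLENGE:
        code, _ = vpn_round_trip(proxy, vpn_secret, "alice", grid_answer, 2, state=attrs[STATE])
        codes.append(code)
    return codes
```

demo() returns [11, 2] (challenge, then accept), a wrong password gives [3] with no challenge issued, and a wrong grid answer gives [11, 3]. The verify_response step is why the guide insists that the secret entered for the proxy match the one set on the VPN server: with different secrets every reply fails authentication and the VPN server must discard it.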
The default is all the ports you entered in Step 1. Enter a specific port only when you want the current VPN configuration to apply to a predefined group.
4 When asked to enter the VPN server secret, enter the applicable secret for the VPN server.
5 You are asked for the Entrust IdentityGuard group name. Enter the group you plan to associate with the port number entered above in Step 3.
6 You are asked to select Radius or external authentication. For a Radius server, enter RADIUS; otherwise, enter EXTERNAL.
7 If you choose Radius in Step 6, you are asked to enter the Radius server name. You can use the same Radius server for all VPN servers or use different servers.
Once you complete the configuration for one VPN server, the installation program prompts you to define an additional VPN server. Answer yes at the prompt to complete a configuration for another group. Alternatively, you can edit the identityguard.properties file to add values for the properties related to the prompts listed above.
You can follow the prompts in the Radius proxy configuration script twice to achieve these results or you can edit the identityguard.properties file directly.
identityguard.externalauth.impl=com.entrust.identityGuard.authenticationManagement.external.ldap.LdapAuthentication
If you use a domain controller as an external authentication resource, the last section would look like this:
# external authentication
identityguard.externalauth.kerberos.realm=ENTRUST.COM
Also, if you are using a domain controller, you will need to map each realm to its KDC in the igkrb5.conf file. For more information, see To set the external authentication properties for a domain controller on page 203.
Note: This patch removes the identityguard.externalauth.kerberos.kdc property that existed in previous Entrust IdentityGuard releases and replaces it with the igkrb5.conf file.
The identityguard.externalauth.impl and Kerberos-related properties must always be added manually. The identityguard.externalauth.impl property can include a group name. When it does not, as in the above example, the property creates a default entry for all users. When you include an Entrust IdentityGuard group name in the identityguard.externalauth.impl property, it limits the authentication resource to just members of that group. For more details, see Using groups with external authentication on page 209. Also see Configuring Entrust IdentityGuard for external authentication on page 202 for more information on the identityguard.externalauth.impl and Kerberos-related properties.
If you intend to associate specific predefined VPN group names with existing Entrust IdentityGuard group names, read Configuring the Radius proxy for groups on page 175 before you begin to configure the Radius proxy.
Attention: Entrust IdentityGuard rejects any VPN server configuration that creates an explicit or implied duplicate VPN server/port combination. An explicit duplicate occurs when you specify the same port more than once for the same VPN server. An implied duplicate occurs if you select the default port (any port in UNIX or All in Windows) more than once for the same VPN server.
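The duplicate rule above, together with the constraints the UNIX procedure states (listen ports between 1024 and 65535, no equals sign in a VPN server label, one VPN server per port, a VPN server identified by host plus port with the default port acting as a catch-all), can be checked before the configuration is saved. The following is an added Python example, not part of the guide or of the product: the VpnServer record, the ANY_PORT marker and the sample entries are constructed for illustration, and the rules are those stated in the text.

```python
"""Check Radius proxy VPN server entries against the rules the guide states
(port range, unique labels without '=', one VPN server per port, no explicit or
implied duplicate host/port pair) and resolve an incoming request to its entry."""
from dataclasses import dataclass
from typing import Optional, Union

ANY_PORT = "any"  # the UNIX default; the Windows panel calls the same choice "All"


@dataclass(frozen=True)
class VpnServer:
    label: str
    host: str
    secret: str
    port: Union[int, str] = ANY_PORT  # a proxy listen port, or ANY_PORT
    group: Optional[str] = None       # optional Entrust IdentityGuard group


def validate(entries, listen_ports):
    """Return the list of problems; an empty list means the configuration passes."""
    problems, labels = [], set()
    port_owner = {}   # explicit port -> host ("only one VPN server defined for each port")
    any_seen = set()  # hosts that already have a default-port entry
    for p in listen_ports:
        if not 1024 <= p <= 65535:
            problems.append(f"listen port {p} is outside 1024-65535")
    for e in entries:
        if "=" in e.label:
            problems.append(f"label {e.label!r} contains '='")
        if e.label in labels:
            problems.append(f"duplicate label {e.label!r}")
        labels.add(e.label)
        if not e.secret:
            problems.append(f"{e.label}: empty shared secret")
        if e.port == ANY_PORT:
            if e.host in any_seen:
                problems.append(f"{e.label}: implied duplicate ({e.host}, any port)")
            any_seen.add(e.host)
            continue
        if e.port not in listen_ports:
            problems.append(f"{e.label}: port {e.port} is not a proxy listen port")
        owner = port_owner.get(e.port)
        if owner == e.host:
            problems.append(f"{e.label}: explicit duplicate ({e.host}, {e.port})")
        elif owner is not None:
            problems.append(f"{e.label}: port {e.port} already belongs to {owner}")
        port_owner.setdefault(e.port, e.host)
    return problems


def resolve(entries, src_host, listen_port):
    """Entry for a request from src_host received on listen_port: an exact port
    match wins; otherwise the host's default-port entry; otherwise None."""
    for e in entries:
        if e.host == src_host and e.port == listen_port:
            return e
    for e in entries:
        if e.host == src_host and e.port == ANY_PORT:
            return e
    return None


# Constructed sample: one VPN concentrator whose Sales users arrive on a dedicated port
SAMPLE_PORTS = [1812, 1813]
SAMPLE_ENTRIES = [
    VpnServer("vpn-sales", "10.0.0.5", "s3cret", 1812, group="Sales"),
    VpnServer("vpn-default", "10.0.0.5", "s3cret"),
]

if __name__ == "__main__":
    print(validate(SAMPLE_ENTRIES, SAMPLE_PORTS))           # []
    print(resolve(SAMPLE_ENTRIES, "10.0.0.5", 1813).label)  # vpn-default
```

With the sample entries, a request from 10.0.0.5 on port 1812 resolves to vpn-sales (and so carries the Sales group), while one arriving on 1813 falls through to vpn-default. Adding a second default-port entry for the same host is the implied duplicate the guide warns about, and validate reports it.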
To configure the Radius proxy on UNIX
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation.
2 Navigate to the $IDENTITYGUARD_HOME (/opt/entrust/identityguard81) directory and enter:
. ./env_settings.sh
3 Run the Radius proxy configuration script, configradius.sh.
4 At the prompt, enter a list of Radius ports for the Radius proxy or accept the default:
Enter a space-separated list of ports used by IdentityGuard Radius (default: 1812):
Each port value must be an integer between 1024 and 65535.
Note: If you plan to associate different VPN server groups with separate Radius proxy ports, enter all applicable ports separated by spaces. There can be only one VPN server defined for each port.
5 At the next prompt, define a VPN server.
Do you wish to define a VPN server? [yes or no]
If you answer yes, continue with these configuration steps. If you answer no, the configuration stops and you are asked whether you want to initialize the system. Proceed to Initializing the primary server on page 48.
6 At the next prompt, type a unique VPN server name. This is the string Entrust IdentityGuard uses to reference this server.
Note: A VPN server name must not include the equals sign (=).
Enter a unique label for the VPN server:
7 At the next prompt, enter a unique VPN server host, using either a DNS name or an IP address:
Enter the VPN server host name (or IP address):
The Entrust IdentityGuard Radius proxy identifies a VPN server by its host name and the Radius port to which it sends messages. If you do not specify a port in the next step, the Radius proxy treats all requests from that host as coming from the same VPN server regardless of which port receives them.
8 At the next prompt, type the Entrust IdentityGuard Radius port used by the VPN server:
Enter the Entrust IdentityGuard Radius port used by the VPN server:
The default is the ports you set in Step 4. If you enter a specific port, then any communication from this VPN server uses that port only. Enter a specific port if you want the current VPN configuration to apply to an Entrust IdentityGuard group.
9 At the next prompt, type and confirm the VPN server secret. The secret you enter for the Entrust IdentityGuard Radius proxy must match the shared secret already set on the VPN server:
Enter the VPN server shared secret:
Confirm:
10 If you have already defined Entrust IdentityGuard user groups, you can set a specific Entrust IdentityGuard group for use with the current VPN server. If you do, the group is included with the user ID when VPN sends requests to Entrust IdentityGuard.
Enter the Entrust IdentityGuard group for the VPN server:
Note: You do not need to enter a group name if the names of users are unique in your system. Entrust IdentityGuard will determine the correct group. See Matching a group to a user on page 179 for an explanation.
11 If you want the Radius proxy to use a Radius server for first-factor authentication, enter RADIUS at the next prompt:
Do you want to use External or Radius authentication? (EXTERNAL or RADIUS):
Enter RADIUS and continue with these configuration steps. (If you enter EXTERNAL, the configuration stops. Proceed to Configuring Entrust IdentityGuard for external authentication on page 202.)
12 Each VPN server needs a corresponding Radius server that performs the first-factor authentication. At the next prompt, enter the server name:
Enter the label of the Radius server for this VPN server:
13 If no Radius server configuration exists for the name you chose in Step 12, enter it at this prompt:
No Radius server is defined with the label <your server name>
Do you wish to define a new Radius server? [yes or no]
a If you enter no, the configradius.sh script prompts you for another Radius server name.
b If you enter yes, the configradius.sh script prompts you for the Radius server host name and port:
Enter the Radius server host name (or IP address):
Enter the Radius server port (default: 1812):
This provides the address of the Radius server where the Radius proxy sends Radius requests.
14 At the next prompt, enter and confirm the Radius server secret:
Enter the Radius server shared secret:
Confirm:
The shared secret is the value the Radius client and server use to authenticate and protect the messages between them. The secret you enter must match the shared secret set on the Radius server.
The Entrust IdentityGuard Radius proxy is now configured for this VPN server and your Radius server. Answer yes to configure another server or no to exit.
To configure the Radius proxy on Microsoft Windows
1 If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2 Select Set Up the Radius Proxy to run the Entrust IdentityGuard Radius Proxy Setup. The Entrust IdentityGuard Radius Proxy Configuration page appears.
IdentityGuard 8.1 Installation Guide Document issue: 3.0
3 In the Ports used by the Entrust IdentityGuard Radius Proxy field, specify the ports that the Entrust IdentityGuard Radius Proxy will listen on. Use commas to separate the ports. Each port value must be an integer between 1 and 65535 and must be unique on the system.
4 If you are using a Radius server for first-factor authentication, in the Radius Authentication Servers section, click Add. Alternatively, you can select an existing server definition and click Change to modify it or Remove to remove it. The Add/Change Radius Server page appears.
5 On the Add/Change Radius Server page, enter the connection details for a Radius server.
Note: If you plan to use external authentication, skip this step.
Radius server label. Enter a unique string that Entrust IdentityGuard uses to reference this server. Once a label is saved it cannot be changed.
Radius server host name. Type a unique Radius server host, using either a DNS name or an IP address.
Radius server port. Type the port on the Radius server where the Radius proxy sends messages. This is the same port that the VPN server uses.
Radius server shared secret. Type the shared secret value the client uses to protect the message. The secret you enter must match the shared secret set on the Radius server.
Confirm shared secret. Type the shared secret again.
Click OK.
6 In the VPN Servers section, click Add to map your VPN server to your first-factor authentication server. Alternatively, you can select an existing server definition and click Change to modify it or Remove to remove it. The Add/Change VPN Server page appears.
7 On the Add/Change VPN Server page, enter the connection details for a VPN server:
VPN server label. A unique string that Entrust IdentityGuard uses to reference this server. Once the label is saved it cannot be changed.
VPN server host name. Enter a VPN server host, using either an FQDN, a host name, or an IP address.
VPN server shared secret. Enter the VPN server secret. The secret you use for the Entrust IdentityGuard Radius proxy must match the shared secret already set on the VPN server.
Confirm shared secret. Enter the VPN server secret again.
Entrust IdentityGuard group (optional). If you have already defined Entrust IdentityGuard user groups, you can set a specific Entrust IdentityGuard group for use with the current VPN server.
Note: You do not need to enter a group name if the names of users are unique in your system. Entrust IdentityGuard determines the correct group. See Matching a group to a user on page 179 for an explanation.
Radius Proxy port. This drop-down list contains all port numbers you entered earlier in the Ports used by the Entrust IdentityGuard Radius Proxy field as well as the all option. If you select a specific port, then any communication from this VPN server uses that port only. Select a specific port if you want the current VPN configuration to apply to an Entrust IdentityGuard group. Select all if the port used is not important. The combination of server host name and Radius proxy port number must be unique.
First-factor authentication server. This drop-down list contains the names of all Radius servers you defined on the Add/Change Radius Server page. Select the server to use with this VPN server.
Click OK.
The Entrust IdentityGuard Radius proxy is now configured for this VPN server and your Radius server. You can configure additional VPN and Radius servers.
Note: When you configure the Entrust IdentityGuard Radius proxy, the program stores the results in the identityguard.properties file. You can edit this file to change settings or to add additional VPN servers and their first-factor authentication method later. For information on the property settings, see section Configuring the Entrust IdentityGuard Radius proxy properties on page 282.
If you intend to associate specific predefined VPN group names with existing Entrust IdentityGuard group names, read Configuring the Radius proxy for groups on page 175 before you begin to configure the Radius proxy.
Attention: Entrust IdentityGuard rejects any VPN server configuration that creates an explicit or implied duplicate VPN server/port combination. An explicit duplicate occurs when you specify the same port more than once for the same VPN server. An implied duplicate occurs if you select the default port (any port in UNIX or All in Windows) more than once for the same VPN server.
To configure Radius proxy on UNIX
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See Installing Entrust IdentityGuard Server on page 33 for installations with embedded Tomcat or Installing Entrust IdentityGuard Server on page 106 for installation using an existing application server.
2 Navigate to the $IDENTITYGUARD_HOME (/opt/entrust/identityguard81) directory and enter:
. ./env_settings.sh
3 Run the Radius proxy configuration script, configradius.sh.
4 At the prompt, enter a list of Radius ports for the Radius proxy or accept the default:
Each port value must be an integer between 1024 and 65535.
Note: If you plan to associate different VPN server groups with separate Radius proxy ports, enter all applicable ports separated by spaces. There can be only one VPN server defined for each port.
5 At the next prompt, confirm that you want to define a VPN server.
Do you wish to define a VPN server? [yes or no]
If you type no, the configuration stops. You are asked whether you want to initialize the system. Proceed to Initializing the primary server on page 48 for installations with embedded Tomcat or Initializing the primary Entrust IdentityGuard Server on page 118 for installations using an existing application server.
6 At the next prompt, enter a unique VPN server name. This is the string Entrust IdentityGuard uses to reference this server.
Note: A VPN server name must not include the equals sign (=).
Enter a unique label for the VPN server:
7 At the next prompt, enter a unique VPN server host, using either a DNS name or an IP address:
Enter the VPN server host name (or IP address):
The Entrust IdentityGuard Radius proxy identifies a VPN server by its host name and the port to which it sends messages. If you do not specify a port in the next step, the Radius proxy treats all requests from that host as coming from the same VPN server regardless of which port receives them.
8 At the next prompt, enter the Entrust IdentityGuard Radius port used by the VPN server:
Enter the Entrust IdentityGuard Radius port used by the VPN server:
The default is the ports you set in Step 4. If you enter a specific port, then any communication from this VPN server uses that port only. Enter a specific port if you want the current VPN configuration to apply to an Entrust IdentityGuard group.
9 At the next prompt, enter and confirm the VPN server secret. The secret you enter for the Entrust IdentityGuard Radius proxy must match the shared secret already set on the VPN server:
Enter the VPN server shared secret:
Confirm:
10 If you have already defined Entrust IdentityGuard user groups, you can set a specific Entrust IdentityGuard group for use with the current VPN server.
Enter the Entrust IdentityGuard group for the VPN server:
Note: You do not need to enter a group name if the names of users are unique in your system. Entrust IdentityGuard determines the correct group. See Matching a group to a user on page 179 for an explanation.
11 If you want the Radius proxy to use a domain controller or LDAP directory for first-factor authentication, enter EXTERNAL at the next prompt:
Do you want to use External or Radius authentication? (EXTERNAL or RADIUS):
(If you enter RADIUS, the configuration continues. Proceed to To configure the Radius proxy on UNIX on page 180.) When you enter EXTERNAL, the configuration script stops and you see the following message:
Make sure that the Entrust IdentityGuard Server is configured so that External authentication is enabled.
Answer yes to configure another VPN server or no to exit. Go to Configuring Entrust IdentityGuard for external authentication on page 202 to finish this configuration.
To configure the Radius proxy on Microsoft Windows
1 If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2 Select Set Up the Radius Proxy to run the Entrust IdentityGuard Radius proxy setup program. The Entrust IdentityGuard Radius Proxy Configuration page appears.
3 In the Ports used by the Entrust IdentityGuard Radius Proxy field, enter a list of Radius ports for the Radius proxy or accept the default. Use commas to separate the port numbers. Each port value must be unique on the system.
4 Skip the Radius Authentication Servers section if you plan to use external authentication.
5 In the VPN Servers section, click Add to configure a VPN server for use with Entrust IdentityGuard. Alternatively, you can select an existing server definition and click Change to modify it or Remove to remove it.
6 On the Add/Change VPN Server page, enter the connection details for a VPN server:
VPN server label. A unique string that Entrust IdentityGuard uses to reference this server.
VPN server host name. Enter a unique VPN server host, using either an FQDN, a host name, or an IP address. The host name and Radius proxy port combination must be unique for each VPN server entry.
VPN server shared secret. Enter the VPN server secret. The secret you use for the Entrust IdentityGuard Radius proxy must match the shared secret already set on the VPN server.
Confirm shared secret. Enter the VPN server secret again.
Entrust IdentityGuard group (optional). If you have already defined Entrust IdentityGuard user groups, you can set a specific Entrust IdentityGuard group for use with the current VPN server.
Note: You do not need to enter a group name if the names of users are unique in your system. Entrust IdentityGuard determines the correct group. See Matching a group to a user on page 179 for an explanation.
Radius Proxy port. This drop-down list contains all port numbers you entered earlier in the Ports used by the Entrust IdentityGuard Radius Proxy field plus the all option (the default). If you select a specific port, then any communication from this VPN server uses that port only. Select a specific port if you want the current VPN configuration to apply to an Entrust IdentityGuard group. Select all if the port used is not important.
First-factor authentication server. To use external authentication, select IdentityGuard External.
7 Click OK.
8 Click Save. A pop-up box appears validating your configuration. The Entrust IdentityGuard Radius proxy is now configured for this VPN server. Add as many VPN servers as required. Go to Configuring Entrust IdentityGuard for external authentication on page 202 to finish this configuration for external authentication.
where the {0} placeholder is replaced by the Radius server name. Use a space to separate the Radius servers in the list.
Note: All the Radius servers must use the same secret.
To enable/disable automatic restart of the Radius proxy As root in $IDENTITYGUARD_HOME/bin, enable automatic restart by entering:
The Entrust IdentityGuard Radius proxy will start every time the computer reboots. As root in $IDENTITYGUARD_HOME/bin disable automatic restart by entering:
You must start the Entrust IdentityGuard Radius proxy manually.
To start and stop the Radius proxy
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See Installing Entrust IdentityGuard Server on page 33 for installations with embedded Tomcat or Installing Entrust IdentityGuard Server on page 106 for installation using an existing application server.
2 Navigate to the $IDENTITYGUARD_HOME directory and enter:
. ./env_settings.sh
3 Enter the following command at the command prompt followed by one of the options in Table 11:
igradius.sh
Table 11: Managing the Radius proxy
Command   Description
start     Starts the Radius proxy. Entrust IdentityGuard generates audits that you can use to determine whether the service started successfully or failed to start. You will not see an error message if the service fails to start.
stop      Stops the Radius proxy.
status    Tells you if the Radius proxy is running. If it is running, Entrust IdentityGuard displays the process ID number.
restart   Stops and restarts the Radius proxy.
Note: When the Entrust IdentityGuard Radius proxy starts, it checks that at least one VPN client and one resource (external authentication or Radius server) are defined and that each server referred to by a client exists. If that is not the case, it issues an error to the logs and the Radius proxy exits.
To start and stop Entrust IdentityGuard and the Radius proxy together
1 Log in as the UNIX user that belongs to the UNIX group that was specified during the installation. See Installing Entrust IdentityGuard Server on page 33 for installations with embedded Tomcat or Installing Entrust IdentityGuard Server on page 106 for installations using an existing application server.
2 Navigate to the $IDENTITYGUARD_HOME directory and enter:
. ./env_settings.sh
3 Enter one of these commands at the command prompt followed by one of the options in Table 12:
igservice.sh identityguard
igservice.sh igradius
igservice.sh all
Table 12: Managing the Radius proxy service
Command   Description
start     Starts the specified service. Entrust IdentityGuard does not display an error message if the service fails to start. Check the logs to determine if startup failed.
stop      Stops the specified service.
status    Tells you if the specified service is running.
restart   Stops and restarts the specified service.
For example, to restart Entrust IdentityGuard and the Radius proxy on installations of Entrust IdentityGuard with embedded Tomcat, enter:
igservice.sh all restart
Note: In versions of Entrust IdentityGuard installed on an existing application server, you can use any of these commands for the Radius proxy; however, only the status command is available for Entrust IdentityGuard.
To start and stop the Radius proxy with the Linux service command
You can also use the Linux service command to start and stop the Entrust IdentityGuard Radius proxy.
1 Enter this command at the command prompt followed by one of the options in the table below:
service igradius
Command   Description
start     Starts the specified service. Entrust IdentityGuard does not display an error message if the service fails to start. Check the logs to determine if startup failed.
stop      Stops the specified service.
status    Tells you if the specified service is running.
restart   Stops and restarts the specified service.
If you run the service igradius command as root, the service automatically switches to the UNIX user ID originally used to install Entrust IdentityGuard.
To enable automatic restart of the Radius proxy
1 Log in as a user that belongs to the group that was specified during the installation as the owner of the installation.
2 Go to Start > Control Panel > Administrative Tools > Services. The Services window appears.
3 Right-click Entrust IdentityGuard Radius Proxy and select Properties.
4 In the Startup type drop-down menu, select Automatic.
To disable automatic restart of the Radius proxy
1 Log in as a user that belongs to the group that was specified during the installation as the owner of the installation.
2 Go to Control Panel > Administrative Tools > Services. The Services window appears.
3 Right-click Entrust IdentityGuard Radius Proxy and select Properties.
4 In the Startup type drop-down menu, select Disabled. (Select Manual if you want to start this Radius proxy service manually.)
To start and stop the Radius proxy
1 Log in as a user that belongs to the group that was specified during the installation as the owner of the installation.
2 Go to Control Panel > Administrative Tools > Services. The Services window appears.
3 Right-click Entrust IdentityGuard Radius Proxy and select Properties.
199
In the Service status section, click either Start or Stop depending on your requirements. Note: When the Entrust IdentityGuard Radius proxy starts, it checks that at least one VPN client and one service (external authentication or Radius server) are defined and that each server referred to by a client exists. If that is not the case, it issues an error and the Radius proxy exits.
Attention: *These sections only apply to versions of Entrust IdentityGuard that use embedded Tomcat.
policy userspec set -genericauthtype GRID EXTERNAL
policy userspec set -machineauthtype GRID EXTERNAL
Note: This example shows how to add the grid and external authentication options. Add all the authentication options that you want to use with this command. For more information, see Modifying, exporting and importing the user specification attributes for a policy in the Entrust IdentityGuard Administration Guide.

Edit the identityguard.properties file to set the external authentication properties, as explained in the following procedures:
• If you store Entrust IdentityGuard user information in Active Directory, ADAM, or another supported LDAP repository, proceed to To set the external authentication properties for an LDAP directory on page 203.
• If you want to use the Windows domain controller for first-factor authentication, proceed to To set the external authentication properties for a domain controller on page 203.

When you configure external authentication, it applies to all deployment types managed by Entrust IdentityGuard, whether the user is accessing your application through a VPN, a Web application, or another method.
IdentityGuard service on page 166 for installations using an existing application server, or Managing the Entrust IdentityGuard service on page 94 for Windows.

To set the external authentication properties for an LDAP directory

1 Open the identityguard.properties file, located:
• on UNIX, in $IDENTITYGUARD_HOME/etc/
• on Microsoft Windows, in <IG_INSTALL_DIR>\identityguard81\etc\
2 Add the identityguard.externalauth.impl property to the file. Set the property to the Java class for an LDAP directory. The entry appears as follows (on one line):

identityguard.externalauth.impl=com.entrust.identityGuard.authenticationManagement.external.ldap.LdapAuthentication

This example creates a global or default setting for all users. The property name can also include an Entrust IdentityGuard group name, such as IGSales in this example:

identityguard.externalauth.impl.IGSales=com.entrust.identityGuard.authenticationManagement.external.ldap.LdapAuthentication

See Using groups with external authentication on page 209 for more information on using groups with external authentication.

During LDAP directory authentication, Entrust IdentityGuard attempts to bind to the user's LDAP entry with the password the user entered. If the bind succeeds, the user is authenticated. Check that your directory rejects a simple bind that supplies a name but an empty password: RFC 4513 calls this an unauthenticated bind, and directories that accept it would let an empty first-factor password bind successfully.

Note: The directory used for external authentication must be the same one used as the Entrust IdentityGuard repository.

Note: The Kerberos protocol used for authentication through a domain controller is case-sensitive. If the user enters an ID that does not match the case Kerberos expects, the authentication fails. If you use a directory repository and user names are stored in mixed case, make sure the user names entered in Entrust IdentityGuard use exactly the same case for all letters. Entrust IdentityGuard and LDAP do not care about the case of user names; they can be uppercase, lowercase or mixed case. While you can specify that Kerberos convert names to uppercase or lowercase, this is no solution for mixed-case user names.

To set the external authentication properties for a domain controller

1 Open the identityguard.properties file, located:
• on UNIX, in $IDENTITYGUARD_HOME/etc/
• on Microsoft Windows, in <IG_INSTALL_DIR>\identityguard81\etc\
2 Add the identityguard.externalauth.impl property to the file. Set the property to the Java class for a domain controller. If you are not using groups, the entry looks like this (on one line):

identityguard.externalauth.impl=com.entrust.identityGuard.authenticationManagement.external.kerberos.KerberosAuthentication

The above example creates a global or default setting for all users.
3 If you are using groups, for example IGSales, include the group name in the property name:

identityguard.externalauth.impl.IGSales=com.entrust.identityGuard.authenticationManagement.external.kerberos.KerberosAuthentication
4 Domain controller authentication uses the Kerberos protocol. Add a property that specifies the Kerberos realm served by the domain controller. For example:
identityguard.externalauth.kerberos.realm=ENTRUST.COM
The realm is the Kerberos realm of the domain controller (for Active Directory, the domain name). Make sure to enter the realm name in uppercase characters.
5 Kerberos authentication is case-sensitive. If the user enters an ID that does not match the case Kerberos expects, the authentication fails. Use this property to convert the user ID to uppercase or lowercase, for example:
identityguard.externalauth.kerberos.caseconvert=lower
Valid entries are upper or lower. If this property is absent or contains any other value, Entrust IdentityGuard does not change the entered user ID. Set the case to lower when using a domain controller for external authentication. The Kerberos properties can also include an Entrust IdentityGuard group name, such as IGSales in this example:
identityguard.externalauth.kerberos.realm.IGSales=ENTRUST.COM
identityguard.externalauth.kerberos.caseconvert.IGSales=lower
When specified without a group name, these properties create a global or default setting for all users. When specified with an Entrust IdentityGuard group name, they set the realm, KDC and user ID case to use for members of that group. See Using groups with external authentication on page 209 for more information on using groups with external authentication.
6 Save your changes.
7 Open igkrb5.conf in a text editor. The file is located:
• on UNIX, in $IDENTITYGUARD_HOME/etc/
• on Microsoft Windows, in <IG_INSTALL_DIR>\identityguard81\etc\
8 Using Kerberos syntax, map each realm to the server hosting the corresponding Kerberos Key Distribution Center (KDC). For example:
[realms]
    IG1.ENTRUST.COM = {
        kdc = ig1.entrust.com
    }
    IG2.ENTRUST.COM = {
        kdc = ig2.entrust.com
    }
Make sure to enter the realm name in uppercase characters. For an example, see the igkrb5.sample file stored in the same location.
9 Add other Kerberos-related settings as required. For example, you may want to change the default encryption key type. For more information on syntax, refer to http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-admin/krb5.conf.html.

If you are not using WebSphere, you have finished setting up external authentication properties for a domain controller. If you are using WebSphere, complete the following procedure.

To finish setting up external authentication for a domain controller on WebSphere

1 Start the administration console for your WebSphere server. The default URL is http://localhost:9060/ibm/console.
2 Select Security > Global Security > JAAS Configuration.
3 In the JAAS Configuration page, click Application Logins.
4 Click New.
Click Apply. The JAAS login modules link under Additional Properties becomes available.
Click Apply.
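The group-specific and global forms of the externalauth properties above, together with the igkrb5.conf realm mapping, are easy to get subtly wrong: a realm typed in lowercase, a caseconvert value that is neither upper nor lower (and is therefore silently ignored), or a realm with no KDC entry. The following Python script is an added example, not Entrust code and not part of this guide. It reads both files and resolves the effective settings for one user the way the guide describes (a property carrying the user's group name wins, otherwise the global property applies), then reports the problems the guide warns about. The property values, the igkrb5.conf contents and the user and group names are constructed for the example; how Entrust IdentityGuard itself parses these files is not shown on the page, so treat this as a pre-flight check on your configuration rather than a reimplementation.

```python
# Added example (not Entrust code): resolve the effective external-authentication
# settings for one user from identityguard.properties and igkrb5.conf, applying
# the group-then-global fallback the guide describes, and lint them the way the
# guide's warnings suggest. All sample inputs below are constructed.
import re

PROPERTIES = """\
identityguard.externalauth.impl=com.entrust.identityGuard.authenticationManagement.external.kerberos.KerberosAuthentication
identityguard.externalauth.kerberos.realm=ENTRUST.COM
identityguard.externalauth.kerberos.caseconvert=lower
# Group IGSales: realm typed in lowercase and caseconvert misspelt (constructed mistakes)
identityguard.externalauth.kerberos.realm.IGSales=ig1.entrust.com
identityguard.externalauth.kerberos.caseconvert.IGSales=Lower
"""

IGKRB5_CONF = """\
[libdefaults]
    default_realm = ENTRUST.COM

[realms]
    ENTRUST.COM = {
        kdc = dc1.entrust.com
    }
    IG1.ENTRUST.COM = {
        kdc = ig1.entrust.com
    }
"""

PREFIX = "identityguard.externalauth."


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_realms(text):
    """Return {REALM: [kdc, ...]} from the [realms] section of a krb5.conf."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "realms":
            continue
        opener = re.match(r"([^\s=]+)\s*=\s*\{$", line)
        if opener:
            current = opener.group(1)
            realms.setdefault(current, [])
        elif line == "}":
            current = None
        elif current:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                realms[current].append(value.strip())
    return realms


def lookup(props, name, group=None):
    """Group-specific key wins; otherwise fall back to the global key."""
    if group and PREFIX + name + "." + group in props:
        return props[PREFIX + name + "." + group]
    return props.get(PREFIX + name)


def resolve(props, realms, user_id, group=None):
    """Return (Kerberos principal, warnings) for a user in an optional group."""
    warnings = []
    realm = lookup(props, "kerberos.realm", group)
    convert = lookup(props, "kerberos.caseconvert", group)
    if realm is None:
        return None, ["no Kerberos realm configured"]
    if realm != realm.upper():
        warnings.append(f"realm {realm!r} is not uppercase")
    if not realms.get(realm.upper()):
        warnings.append(f"realm {realm!r} has no kdc entry in igkrb5.conf")
    if convert == "lower":
        user_id = user_id.lower()
    elif convert == "upper":
        user_id = user_id.upper()
        warnings.append("caseconvert=upper; the guide recommends lower for domain controllers")
    else:
        # Any other value (or none) leaves the ID untouched, which for a mixed-case
        # ID is exactly the Kerberos case-sensitivity failure the guide warns about.
        warnings.append(f"caseconvert {convert!r} is not upper/lower; user ID left unchanged")
    return f"{user_id}@{realm}", warnings


if __name__ == "__main__":
    props, realms = parse_properties(PROPERTIES), parse_realms(IGKRB5_CONF)
    for user, group in (("JSmith", None), ("JSmith", "IGSales"), ("Bob", "IGOps")):
        print(user, group, resolve(props, realms, user, group))
```

Run it against your own identityguard.properties and igkrb5.conf before restarting the server; a user in a group with no group-specific properties (IGOps above) falls through to the global realm and case conversion, which is the behaviour the guide describes for groups.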
Note: All files being added should be readable and writable by the user and group selected during installation.

Follow the appropriate procedure in this section, depending on the type of system you use to run Entrust IdentityGuard Server:
• for UNIX, proceed to To add a replica server on UNIX on page 211
• for Microsoft Windows, proceed to To add a replica server on Microsoft Windows on page 213
To add a replica server on UNIX

1 As the UNIX user on the existing Entrust IdentityGuard Server, run the partial backup command:
igbackup.sh -partial
For instructions and options (such as creating a partial or full backup file, and naming a backup file), see Backing up your configuration on page 247.
2 Copy the backup onto the computer that will host the new Entrust IdentityGuard replica server. The default location for the backup ZIP file is $IDENTITYGUARD_HOME/backups.
3 Complete the following preinstallation tasks on the computer that will host the replica:
a Create a UNIX group and user for Entrust IdentityGuard (Creating the UNIX group and user on page 32), or use the UNIX group already created for your application server.
b Copy the Entrust IdentityGuard installation package (Downloading Entrust IdentityGuard software on page 21).
4 Start the Entrust IdentityGuard installation procedure (Installing Entrust IdentityGuard Server on page 33 for installations with embedded Tomcat, or Installing Entrust IdentityGuard Server on page 106 for installations using an existing application server) on the computer that will host the replica, until you see the message:

Installation complete
Do you wish to configure the application now? [yes or no]

5 Answer replica.
6 You are prompted to enter the backup file name.
Postinstall configuration options for Entrust IdentityGuard Server
Type the name of the partial (or full) configuration backup file that you copied in Step 2 of this procedure, for example igpartialbackup_20060224150045.zip.
7 You are prompted to select the mode of the Administration service:
How should the administration services be setup? (ENABLED, DISABLED, or PRIMARY)?
Choose one of the three modes:
• ENABLED enables the Administration service, which the Administration interface uses. The sample application uses the local services.
• DISABLED disables the Administration service and the Administration interface. The sample application is also disabled, since it uses the local Administration service.
• PRIMARY disables the Administration service on the replica server and forwards Administration interface requests to the primary server. The Administration interface remains enabled on the replica server. In this mode, the SSL certificate of the primary must be installed in the local key store. This is done automatically for installations of Entrust IdentityGuard with embedded Tomcat, but you must do it manually if your installation of Entrust IdentityGuard uses an existing application server.

Note: If you are using file-based repositories, select either DISABLED or PRIMARY.

8 You are prompted for the ports that the application server should use:
APPLICATION SERVER CONFIGURATION
Complete Step 2 to Step 4 on page 45 for installations with embedded Tomcat, or Step 1 on page 115 to Step 3 on page 116 for installations using an existing application server.
9 You are prompted to initialize the replica:
Do you wish to initialize the replica system? [yes or no]
If you want to initialize the system manually later, follow the steps in To initialize the replica manually on UNIX on page 213.
10 All three master users must enter their passwords.
11 If you are using a directory, remove the file-based repository settings. See Storing unassigned cards and tokens on page 220.
12 Optionally, if you want to enable system binding on the replica, run the command system bind from the master user shell. For more information on system binding, see Enabling system binding.
13 To configure and enable the sample application, proceed to Configuring the sample application on UNIX on page 51 for installations with embedded Tomcat, or Configuring the sample application on an existing application server on page 121 for installations using an existing application server.

Your replica server is now installed, configured, and initialized. Proceed to Testing your installation on page 58 for installations with embedded Tomcat, or Testing your installation on page 162 for installations using an existing application server.

To initialize the replica manually on UNIX

1 As the UNIX user on the replica, change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
2 From $IDENTITYGUARD_HOME, source the environment settings file by entering:

. ./env_settings.sh

(Include a space between the two periods in the command.)
3 Enter the following command to start the master user shell:

supersh

The copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
4 Enter the following command:

init -replica

All three master users must enter their passwords.

To add a replica server on Microsoft Windows

1 Copy the Entrust IdentityGuard installation package to the computer that will host the replica (Downloading Entrust IdentityGuard software on page 21).
2 On an existing Entrust IdentityGuard Server, create a backup (for more information on creating a backup, see Backing up your configuration on page 247):
a If the Entrust IdentityGuard Configuration Panel is not open, click Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
b Select Backup Entrust IdentityGuard Configuration from the Entrust IdentityGuard Configuration Panel. The Backup Type page appears.
c Select Partial as the backup type. Partial backups contain enough information to configure a replica system.
d In the Backup File Location section, click Browse. The backup utility creates a file name in the File name field, which includes a date/time stamp.
e Click OK to save the backup under the file name with the date/time stamp. Alternatively, rename the file in the File name field and click OK.
f Click Save. A message appears indicating whether the backup was saved or an error occurred.
3 Copy the backup onto the computer that will host the new Entrust IdentityGuard replica server.
4 Start the Entrust IdentityGuard installation procedure (Installing Entrust IdentityGuard Server on page 68) on the computer that will host the replica.
5 When the Entrust IdentityGuard Configuration Panel appears, select Replica as your system type.
6 Select Configure Entrust IdentityGuard. The Entrust IdentityGuard Configuration wizard Welcome page appears.
7 Click Next to begin configuration. The System Backup File page appears.
8 Click Browse to select the Entrust IdentityGuard backup file that you copied in Step 3.
9 Select Next. The Service Settings page appears.
10 Complete Selecting Entrust IdentityGuard service ports on page 79 and Selecting your system host name on page 81.
11 On the Administration Controls page, select the administration state:
• Enabled. This option enables both the Administration service and the interface controls on the replica system.
• Disabled. This option disables both the Administration service and the interface controls on the replica system.
• Primary. This option disables the Administration service on the replica system and forwards all Administration interface requests to the primary system. The Administration interface is enabled on the replica.
12 Select Next. The Configuration Summary page appears.
13 On the Configuration Summary page, click Confirm and Save if all the information in the summary list is complete and correct.
14 Click Finish to complete the configuration process. The configuration file is extracted from the backup file and updated with the changes made in the Entrust IdentityGuard Configuration wizard. File-based repositories are disabled, as are the Administration service and interface controls (if you selected Disabled). A new application server SSL certificate is generated, and the primary server's public key (SSL certificate) and the LDAP SSL certificate (if it exists) are imported into the new key store.

To initialize a replica server on Microsoft Windows

1 If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2 On the main page of the Configuration Panel, select Replica as the system type.
3 Select Initialize Entrust IdentityGuard.
4 Each master user must enter their password when prompted.
Document issue: 3.0
Note: For instructions on configuring the Radius server failover, see Configuring Radius server failover on page 195.
1 Edit the java.security file and search for the networkaddress.cache.ttl setting. Read the comments surrounding this setting and ensure that any changes you make to it comply with your company's security policy.
2 Uncomment the networkaddress.cache.ttl setting (remove the leading #) so that it controls how long the JVM keeps the IP address returned by a DNS lookup.
3 Specify a positive integer value to define how long, in seconds, a successful DNS lookup is cached. Choose the value to fit your company's failover requirements: until a cached entry expires, Entrust IdentityGuard keeps connecting to the address it last resolved, so a long cache lifetime delays failover to a directory whose name now resolves to a different server.
4 Restart the Entrust IdentityGuard Server. For instructions on restarting, see Managing the Entrust IdentityGuard service on page 62 for UNIX installations and Managing the Entrust IdentityGuard service on page 94 for Windows.
Attention: Type these statements all on the same line, separated by a single space only.
3 If SSL is enabled, import the certificates of all listed directories into the trust store.
4 Save the file and restart Entrust IdentityGuard.

You have now configured failover for your directory.

Note: The LDAP credentials and principal specified must work for all directories listed.
The type of repository you use (directory or database) determines where Entrust IdentityGuard stores unassigned cards and tokens. If you are using a database, the unassigned cards and tokens are stored in the database. If you are using a directory, you can store the unassigned cards and tokens either in a local file or in a separate database.

During installation and configuration you choose between a directory and a database to store your user information. When you configure:
• a directory for your user information, a file-based repository is automatically configured for your preproduced cards and unassigned tokens. You can change the defaults as described in Configuring the disk files for tokens and cards on page 221.
• a directory for your user information and you want to use a database repository for cards and tokens, you must configure the database manually. For instructions, see Configuring the database on page 224.
• a database for your user information, a database repository for preproduced cards and unassigned tokens is automatically configured.

Attention: If your organization plans a large deployment of 100,000 or more cards or tokens, configure a database instead of the file-based repository.
For more information on storing preproduced cards and unassigned tokens, see the Entrust IdentityGuard Administration Guide.
Table 13: Repository properties for preproduced cards (continued)

identityguard.preproducedCardRepository.file.name
    The base name of the files that store the preproduced cards. The default is $IDENTITYGUARD_HOME/etc/fpcr/fpcr.pcr on UNIX or <IG_INSTALL_DIR>\identityguard81\etc\fpcr on Microsoft Windows.
    Note: Remove this setting for a replica system.

identityguard.preproducedCardRepository.file.maxsize
    The maximum number of cards in each component file of the file-based card preproduction repository. Defaults to 200. If you deploy cards for over 100,000 users and still want to use file-based card preproduction with an LDAP repository, set this to a value higher than 200: the (approximate) number of cards divided by 500. For example, 150,000 cards divided by 500 equals 300.
    Note: The preproduced card repository needs approximately 0.5 KB of memory per card. Therefore, 100,000 cards use about 50 MB of memory.
    Note: Remove this setting for a replica system.

The following token repository settings are configured when you are using an LDAP directory and choose file-based repository storage. Use the following information to override the defaults.
Table 14: File-based repository properties for unassigned tokens

identityguard.tokenRepository.impl
    Provides the storage location of unassigned tokens on the primary system. It is set automatically when you configure Entrust IdentityGuard.
    When using a directory, it is set to:
    com.entrust.identityGuard.cardManagement.dataAccess.file.FileTokenRepository
    When using a database, it is set to:
    com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcTokenRepository
    Note: For any replica system, make sure it is set to:
    com.entrust.identityGuard.cardManagement.dataAccess.notImplemented.NotImplementedTokenRepository

identityguard.tokenRepository.file.name
    Specifies the base file used for the file-based repository. The default is $IDENTITYGUARD_HOME/etc/ftkr/ftkr.pcr on UNIX or <IG_INSTALL_DIR>\identityguard81\etc\ftkr\ftkr.pcr on Microsoft Windows. Applies to an LDAP repository only.
    Note: Remove this setting for a replica system.

identityguard.tokenRepository.file.maxsize
    Sets the maximum number of tokens the file-based repository can store. The default is 200. Applies to an LDAP repository only.
    Note: Remove this setting for a replica system.
1. The ampersand (&) indicates this setting will be encrypted when Entrust IdentityGuard restarts.
The values used for these database-related configuration settings are similar to the settings used when Entrust IdentityGuard is installed with a database repository (instead of an LDAP repository). See the Entrust IdentityGuard Database Configuration Guide for example values for these settings.
3 If you have configured Entrust IdentityGuard to use an LDAP repository and you want to store the preproduced cards in the database instead of the file-based repository, change the value of identityguard.preproducedCardRepository.impl to the following (on one line):

com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcPreproducedCardRepository

Note: If you are configuring a replica, do not set this property manually. When you configure the replica, it is set automatically.
4 If you have configured Entrust IdentityGuard to use an LDAP repository and you want to store the unassigned tokens in the database instead of the file-based repository, change the value of identityguard.tokenRepository.impl to the following (on one line):

com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcTokenRepository

Note: If you are configuring a replica, do not set this property manually. When you configure the replica, it is set automatically.
5 Install the JDBC driver .jar files of your database. On UNIX, install them in $IDENTITYGUARD_HOME/lib/db and $CATALINA_HOME/common/lib. On Microsoft Windows, install them in <IG_INSTALL_DIR>\identityguard81\lib\ and <IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\common\lib.

Attention: Ensure that you synchronize the backups of your LDAP directory and database repositories. Any time you restore Entrust IdentityGuard from a backup, both the LDAP and database repositories must be restored as well, or the user records and the card and token records will no longer match.
To configure Syslog on Linux

1 As root, edit /etc/syslog.conf and make changes similar to the following:

old line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages

new line:
*.info;local1.*;local2.*;local3.*;mail.none;authpriv.none;cron.none /var/log/messages
To configure Syslog on Solaris

1 As root, edit /etc/syslog.conf and add the following line. Solaris syslogd requires a tab character, not spaces, between the selector and the file name:

local1.*;local2.*	/var/adm/messages
To configure Syslog on AIX

1 As root, edit /etc/syslog.conf and add the following lines:

local1.debug /var/adm/messages
local2.debug /var/adm/messages
where <pid> is the process identifier of the syslogd process.
3 AIX syslogd will not log to a file unless the file already exists. Run the following command:

touch /var/adm/messages
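Before relying on these entries, it helps to see how a syslog.conf selector actually routes a message. The original Linux line already delivers local1 messages at priority info and above, so the practical effect of adding local1.* (Linux, Solaris) or local1.debug (AIX) is to capture debug-level output as well, while a later mail.none in the same selector still excludes mail. The following Python script is an added example, not Entrust code and not part of this guide: it evaluates BSD-style selectors (facility.priority, *, none, semicolon-separated items applied left to right) against the constructed configurations shown below and reports where a message would be written. It does not model the = and ! priority modifiers of Linux sysklogd, and it does not check that the target file exists, which AIX requires.

```python
# Added example (not Entrust code): evaluate /etc/syslog.conf selectors to find
# where a message from a given facility and priority is written, so you can
# confirm that the local1-local3 facilities the guide adds reach a file.
# The configurations below are constructed for the example.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

LINUX_BEFORE = "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n"
LINUX_AFTER = ("*.info;local1.*;local2.*;local3.*;mail.none;authpriv.none;cron.none"
               "\t/var/log/messages\n")
SOLARIS = "local1.*;local2.*\t/var/adm/messages\n"
AIX = "local1.debug\t/var/adm/messages\nlocal2.debug\t/var/adm/messages\n"


def parse_selector(selector):
    """Map facility -> minimum priority index (None = excluded).
    Items apply left to right, so a later 'mail.none' overrides an earlier '*.info'."""
    table = {}
    for item in selector.split(";"):
        facs, _, prio = item.rpartition(".")
        names = FACILITIES if facs == "*" else facs.split(",")
        prio = ALIASES.get(prio, prio)
        if prio == "none":
            level = None
        elif prio == "*":
            level = 0
        else:
            level = PRIORITIES.index(prio)  # ValueError on a misspelt priority
        for name in names:
            table[name] = level
    return table


def parse_conf(text):
    """Return [(selector_table, action)] for each rule; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"rule without an action: {line!r}")
        rules.append((parse_selector(fields[0]), fields[1].strip()))
    return rules


def destinations(conf_text, facility, priority):
    """Actions that receive a message logged at facility.priority (priority and above)."""
    wanted = PRIORITIES.index(ALIASES.get(priority, priority))
    out = []
    for table, action in parse_conf(conf_text):
        level = table.get(facility)
        if level is not None and wanted >= level:
            out.append(action)
    return out


def check_ig_facilities(conf_text, facilities=("local1", "local2", "local3")):
    """Where debug-level output of each facility lands; an empty list means it is dropped."""
    return {f: destinations(conf_text, f, "debug") for f in facilities}


if __name__ == "__main__":
    for name, conf in (("linux before", LINUX_BEFORE), ("linux after", LINUX_AFTER),
                       ("solaris", SOLARIS), ("aix", AIX)):
        print(name, check_ig_facilities(conf))
```

Running it shows that the Solaris line as written routes local1 and local2 but not local3, whereas the Linux line covers all three; pick the facilities that match what you configure on the Entrust IdentityGuard side.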
4 Save the server.xml file.
5 Update the identityguard.properties file to direct the sample application to the SSL port by changing the identityguard.authservice.url property to (on one line):

https://<yourhostname>:<SSL_PORT>/IdentityGuardAuthService/services/AuthenticationServiceV2

For example, using the default port values, the value should appear after modification as:

identityguard.authservice.url=https://igserver.anycorp.com:8443/IdentityGuardAuthService/services/AuthenticationServiceV2
6 Restart the Entrust IdentityGuard Server. For instructions on restarting, see Managing the Entrust IdentityGuard service on page 62 for UNIX and Managing the Entrust IdentityGuard service on page 94 for Windows.

Attention: Update Entrust IdentityGuard clients to use the SSL port for communication with the Authentication service. If clients attempt to access the Entrust IdentityGuard Authentication service at the non-SSL port, they will receive a Connection Refused error.
To enable the non-SSL port on the Administration service

1 Open the server.xml file found at:
• on UNIX, $CATALINA_HOME/conf
• on Microsoft Windows, <IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf
2 Add a new <Connector> element to the second <Service> element (which defines the Administration service). This new <Connector> element should be the same as the first <Connector> element in the first <Service> element, except that you must pick a new port (do not use 8080, 8443 or 8444). The port number must be greater than 1024.
3 Open the web.xml file found at:
• on UNIX, $IDENTITYGUARD_HOME/services/admin/IdentityGuardAdminService/WEB-INF/
• on Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\services\admin\IdentityGuardAdminService\WEB-INF\
4 Remove the <security-constraint> element.

Attention: With the <security-constraint> removed, the Administration service accepts requests on the new port without SSL, so administrative traffic to that port, including any credentials it carries, crosses the network in clear text. Only enable the non-SSL port where the network path between the administration client and the server is trusted.
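Because this procedure removes the transport protection of the Administration service, it is useful to be able to audit server.xml and web.xml for the resulting state. The following Python script is an added example, not Entrust code and not part of this guide. It lists plaintext connectors on the second <Service>, applies the guide's port rule (greater than 1024 and not 8080, 8443 or 8444) and, going one step beyond the text, also rejects any port already present in server.xml; it reports whether a <security-constraint> is still present and what transport-guarantee it declares, and it can perform step 4 programmatically. The service names, ports and web.xml contents are constructed for the example and the real files differ; that the constraint being removed is a CONFIDENTIAL transport guarantee is the usual reason such an element exists, not something the page states.

```python
# Added example (not Entrust code): audit a Tomcat server.xml and the
# Administration service web.xml for the two things the procedure above changes,
# a plaintext <Connector> on the Administration <Service> and the
# <security-constraint> in web.xml. File contents below are constructed.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Authentication">
    <Connector port="8080" maxThreads="150"/>
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
    <Engine name="Auth" defaultHost="localhost"/>
  </Service>
  <Service name="Administration">
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"/>
    <Connector port="8081"/>
    <Engine name="Admin" defaultHost="localhost"/>
  </Service>
</Server>
"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet><servlet-name>Admin</servlet-name><servlet-class>x.Admin</servlet-class></servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""

RESERVED = {8080, 8443, 8444}  # ports the guide says not to reuse


def local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def is_ssl(connector):
    return connector.get("secure") == "true" or connector.get("scheme") == "https"


def connectors(server_xml):
    """[(service_index, service_name, port, ssl)] for every <Connector>, in document order."""
    result = []
    for index, service in enumerate(ET.fromstring(server_xml).iter("Service")):
        for conn in service.iter("Connector"):
            result.append((index, service.get("name"), int(conn.get("port")), is_ssl(conn)))
    return result


def plaintext_admin_ports(server_xml):
    """Ports on the second <Service> (the Administration service) that are not SSL."""
    return [port for index, _, port, ssl in connectors(server_xml) if index == 1 and not ssl]


def valid_new_port(server_xml, port):
    """Guide's rule (> 1024, not 8080/8443/8444) plus: not already bound in server.xml."""
    used = {p for _, _, p, _ in connectors(server_xml)}
    return port > 1024 and port not in RESERVED and port not in used


def transport_guarantees(web_xml):
    """transport-guarantee of every <security-constraint>; an empty list means none is left."""
    found = []
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) == "security-constraint":
            values = [g.text.strip() for g in elem.iter() if local(g.tag) == "transport-guarantee"]
            found.append(values[0] if values else "NONE")
    return found


def remove_security_constraints(web_xml):
    """Step 4 of the procedure done programmatically: drop every <security-constraint>."""
    root = ET.fromstring(web_xml)
    for parent in list(root.iter()):
        for child in [c for c in parent if local(c.tag) == "security-constraint"]:
            parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def audit(server_xml, web_xml):
    """Summarise whether administrative traffic can be served without SSL."""
    ports = plaintext_admin_ports(server_xml)
    guarantees = transport_guarantees(web_xml)
    return {
        "plaintext_admin_ports": ports,
        "security_constraint_present": bool(guarantees),
        # With a CONFIDENTIAL constraint still in place Tomcat redirects plaintext
        # requests to the SSL port instead of serving them.
        "admin_reachable_without_ssl": bool(ports) and "CONFIDENTIAL" not in guarantees,
    }


if __name__ == "__main__":
    print(audit(SERVER_XML, WEB_XML))
    print(audit(SERVER_XML, remove_security_constraints(WEB_XML)))
```

Point the functions at your real $CATALINA_HOME/conf/server.xml and WEB-INF/web.xml to confirm the state after the change, and keep the audit in your configuration checks so that a plaintext Administration port does not survive past the maintenance window it was enabled for.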
2 Locate and make a backup copy of the server.xml file found at:
$CATALINA_HOME/conf/server.xml
3 Identify and comment out the code between <Service ...> and </Service> that contains <Connector port="8444">.
4 Save the server.xml file.
5 Restart the Entrust IdentityGuard Server. For instructions on restarting, see Managing the Entrust IdentityGuard service on page 62.
To disable the SSL port on Microsoft Windows

1 If Entrust IdentityGuard is currently running, shut it down. See Managing the Entrust IdentityGuard service on page 94 for instructions.
2 Locate and make a backup copy of the server.xml file found at:
<IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf\server.xml
3 Identify and comment out the code between <Service ...> and </Service> that contains <Connector port="8444">.
4 Save the server.xml file.
5 Restart the Entrust IdentityGuard Server. For instructions on restarting, see Managing the Entrust IdentityGuard service on page 94.
To reconfigure the connection, update the Entrust IdentityGuard keystore and then the identityguard.properties file. First ensure that you have:
• an LDAP repository that supports SSL
• a user with permissions to update the identityguard.properties file
• an SSL certificate for your LDAP server
• access to the Java keytool executable

Import the LDAP server's SSL certificate into the Entrust IdentityGuard keystore so that Entrust IdentityGuard can communicate with the LDAP server. Entrust IdentityGuard uses this certificate, when establishing a connection, to verify the identity of the LDAP server. Then edit the properties file so that Entrust IdentityGuard connects to the LDAP server using SSL.
To import the LDAP SSL certificate

1 Copy the LDAP server certificate onto the Entrust IdentityGuard Server.
2 From the command line on the Entrust IdentityGuard Server, issue the following command (on one line):

keytool -import -alias ldapssl -keystore <path_to_keystore> -file <path_to_ldap_ssl_cert_file> -storepass <password>

Where:
<path_to_keystore> is:
• for UNIX, $IDENTITYGUARD_HOME/etc/keystore
• for Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\keystore
Note: For versions of Entrust IdentityGuard installed using an existing application server, the path to the keystore is the location of the trustStore.jks file.

<path_to_ldap_ssl_cert_file> is the path of the file you wrote when you exported the certificate from the LDAP server.
3 When prompted whether you trust the certificate, review the displayed details (subject, issuer, validity period and fingerprints) against the certificate you exported from your LDAP server and, only if they match, answer yes. Because you are importing the server's own certificate rather than that of its issuing CA, repeat this import whenever the LDAP server certificate is renewed; otherwise the SSL connection will fail once the old certificate expires.
To update the Entrust IdentityGuard properties file

1 As the Entrust IdentityGuard application owner, open the identityguard.properties file in $IDENTITYGUARD_HOME/etc/
2 Find the section of the properties file that identifies the LDAP URL:

# URL that will be used to connect to the LDAP server.
identityguard.ldap.url=ldap://myldapserver:389/ou=users,dc=myserver,dc=com

3 Change the URL to use the LDAP SSL port on your LDAP server. The default SSL port for LDAP servers is 636. Update the property with the value appropriate to your environment:

identityguard.ldap.url=ldap://myldapserver:636/ou=users,dc=myserver,dc=com

4 Find the section of the properties file that controls SSL connections to the directory:

# Specify whether this will be a secure SSL connection to the directory.
# If set to true, the identityguard.ldap.url must be directed to a
# secure ldap port (default: 636).
# This property can be true or false, or commented out entirely.
identityguard.ldap.sslEnabled=false

5 Set identityguard.ldap.sslEnabled to true.
6 Save the file and restart Entrust IdentityGuard so that the new settings take effect.
You now have a secure SSL connection between Entrust IdentityGuard and your LDAP repository.
Note: The J2SE 1.4 installed with your Entrust IdentityGuard system includes the keytool application. Use it to manage the Java keystore containing private keys and SSL certificates (X.509 chains and public keys). For complete documentation on keytool, see http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html on Solaris and http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html on Windows.

You can configure either of two types of certificate: a self-signed certificate or a CA-signed certificate. The following topics provide procedural information for using SSL certificates:
• Creating self-signed certificates on page 235
• Importing CA-signed certificates on page 236
• Exporting the certificate to client applications on page 238
• Updating certificates on page 238
where <path_to_keystore> is:
• for UNIX, $IDENTITYGUARD_HOME/etc/keystore
• for Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\keystore
1 Before generating a certificate request, generate a public/private key pair for your server. To generate the necessary key pair, enter (on one line):
keytool -genkey -alias tomcat -dname "<required DN>" -keyalg RSA -keysize <value> -keystore <path_to_keystore> -keypass entrust -storepass entrust
Where:
<required DN> depends on the CA that will process the certificate request. If you are using a certificate from, for example, the Entrust Certificate Service, you must enter a fully qualified DN. If you are using an Entrust CA with Entrust Authority Enrollment Server for Web to process the request, the DN must be "cn=<refnum>", where <refnum> is the reference number generated by the CA.
<value> is the RSA key size in bits. Use 2048 or larger: 1024-bit RSA keys are no longer considered adequate, and public CAs will not sign a request for one.
<path_to_keystore> is one of:
• for UNIX, $IDENTITYGUARD_HOME/etc/keystore
• for Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\keystore

The commands in this section use entrust as the key password and keystore password; substitute the passwords of your keystore if they differ.

2 A Certificate Signing Request (CSR) is used by the CA to generate your SSL certificate. To create a CSR, enter (on one line):
keytool -certreq -alias tomcat -file <file to store request in> -keystore <path_to_keystore> -keypass entrust -storepass entrust
3 Provide the file generated by this command to the CA. The CA takes the request file and creates a certificate.
4 Optionally, once you receive your SSL certificate from the CA, import the CA's chain certificate (if the CA is not already included in the JRE trusted CA list). To import a CA chain certificate, enter (on one line):
keytool -import -alias root -trustcacerts -file <file containing CA certificate> -keystore <path_to_keystore> -keypass entrust -storepass entrust
5 To import the SSL certificate that was generated by the CA, save the certificate file to a location on the Entrust IdentityGuard Server and enter (on one line):
keytool -import -alias tomcat -trustcacerts -file <SSL_cert_file> -keystore <path_to_keystore> -keypass entrust -storepass entrust
where <path_to_keystore> is: 2 for UNIX, $IDENTITYGUARD_HOME/etc/keystore for Microsoft Windows, <IG_INSTALL_DIR>/identityguard81\etc\keystore
Updating certificates
Whether you chose a self-signed certificate or a CA-signed certificate, the certificate will eventually expire. It is necessary to update the keystore with the new certificate before expiry. There are also other reasons why you might want to replace the self-signed certificate that was created during installation. For example, you may need:
   a different lifetime or key type. The default self-signed certificate is RSA-1024.
   a different DN in the certificate. The default self-signed certificate has a DN of cn=<hostname>, where <hostname> is the host name of the Entrust IdentityGuard Server. If the client applications connecting to the Entrust IdentityGuard services are not using this host name, you need a new self-signed certificate.
   additional security.
To update the certificate
1 If you are updating a self-signed certificate, use the Java keytool application to issue the following command (on one line):
keytool -selfcert -alias tomcat -validity <number_of_days> -keystore <path_to_keystore> -keypass entrust
   You should not have to delete the original alias when creating a new self-signed certificate. Note that -selfcert only issues a new certificate for the existing key pair under the alias; it does not change the key size or key type. To replace the RSA-1024 default with a stronger key, delete the alias and generate a new key pair with keytool -genkey as described in Importing CA-signed certificates on page 236.
2 If Entrust IdentityGuard is using a CA-signed certificate, it is necessary to generate a new signing request and import the response. See Importing CA-signed certificates on page 236.
239
Note: When you initialize Entrust IdentityGuard for the first time, system binding occurs automatically. Perform system unbinding on the master keys to copy a key protection file (.kpf) to another computer.
To bind the master keys
1 On UNIX:
   a As the UNIX user, change to $IDENTITYGUARD_HOME.
   b From $IDENTITYGUARD_HOME, source the environment settings file by entering:
      . ./env_settings.sh
      (Include a space between the two periods in the command.)
   c Enter the following command to start the master user shell:
      supersh
2 On Windows, click Start > All Programs > Entrust > IdentityGuard > Master User Shell.
   The copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
3 Enter the following command:
   system bind
   You are prompted for a user name and password.
To unbind the master keys
1 On UNIX:
   a As the UNIX user, change to $IDENTITYGUARD_HOME.
   b From $IDENTITYGUARD_HOME, source the environment settings file by entering:
      . ./env_settings.sh
      (Include a space between the two periods in the command.)
   c Enter the following command to start the master user shell:
      supersh
2 On Windows, click Start > All Programs > Entrust > IdentityGuard > Master User Shell.
   The copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
3 Enter the following command:
   system unbind
   You are prompted for a user name and password.
IdentityGuard 8.1 Installation Guide Document issue: 3.0
To plan a backup strategy on UNIX
Use the following points to help you develop a backup strategy for Entrust IdentityGuard Server and your repository on UNIX.
- Back up the masterkeys.enc file.
- Entrust IdentityGuard does not back up your data repository. Ensure that you back up your repository on a regular basis and before installing or upgrading Entrust IdentityGuard. If the data is split over two repositories, back up and restore both repositories together.
- Back up your logs on a regular basis. If you chose to log to files when you installed Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs
- Decide on a backup type from the following two options:
   Full. Full backups contain all information required to restore the configuration, logs, and file-based repositories.
   Partial. Partial backups contain enough information to restore a replica system.
- The following Entrust IdentityGuard files are backed up during a full backup:
   $IDENTITYGUARD_HOME/etc/masterkeys.enc. This file changes whenever a master user changes a password and should be backed up again after such an operation.
   $IDENTITYGUARD_HOME/etc/keystore (installations with embedded Tomcat only). This file changes whenever a new SSL key pair is generated or imported.
   $IDENTITYGUARD_HOME/etc/identityguard.properties
   $CATALINA_HOME/conf/server.xml (installations with embedded Tomcat only)
   $IDENTITYGUARD_HOME/etc/igsample.properties
   $IDENTITYGUARD_HOME/etc/igkrb5.conf
- Make sure you back up any files in the following directories:
   $IDENTITYGUARD_HOME/export/
   $IDENTITYGUARD_HOME/etc/fpcr/
   $IDENTITYGUARD_HOME/etc/ftkr/
- If you use a database repository, save the JDBC driver .jar files you used during installation.
- You can create a new keystore file but then you must also generate new SSL keys.
- You can run configure.sh again to recreate the identityguard.properties and server.xml files.
To plan a backup strategy on Microsoft Windows
Use the following points to help you develop a backup strategy for Entrust IdentityGuard Server and your repository on Microsoft Windows.
- Entrust IdentityGuard does not back up your data repository. Ensure that you back up your repository on a regular basis and before installing or upgrading Entrust IdentityGuard. If the data is split over two repositories, back up and restore both repositories together.
- Back up your logs on a regular basis. The logs are stored in <IG_INSTALL_DIR>\identityguard81\logs
- Decide on a backup type from the following two options:
   Full. Full backups contain all information required to restore the configuration, logs, and file-based repository.
   Partial. Partial backups contain enough information to set up a replica system.
- The following Entrust IdentityGuard files are backed up during a full backup:
   <IG_INSTALL_DIR>\identityguard81\etc\masterkeys.enc. This file changes whenever a master user changes their password and should be backed up again after such an operation.
   <IG_INSTALL_DIR>\identityguard81\etc\keystore. This file changes whenever a new SSL key pair is generated or imported.
   <IG_INSTALL_DIR>\identityguard81\etc\identityguard.properties
   <IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf\server.xml
   <IG_INSTALL_DIR>\identityguard81\etc\igsample.properties
   <IG_INSTALL_DIR>\identityguard81\etc\igkrb5.conf
- Make sure you back up any files in the following directories:
   <IG_INSTALL_DIR>\identityguard81\export\
   <IG_INSTALL_DIR>\identityguard81\etc\fpcr\
   <IG_INSTALL_DIR>\identityguard81\etc\ftkr\
- If you use a database repository, save copies of the JDBC driver .jar files you used during installation.
- You cannot recover the masterkeys.enc file.
- You can create a new keystore file but then you must also generate new SSL keys.
- You can use the Configuration wizard from the Entrust IdentityGuard Configuration Panel to recreate the identityguard.properties and server.xml files.
- Make sure you store your backup files on a separate machine from your Entrust IdentityGuard Server.
Attention: Backup files contain sensitive information, such as the masterkeys.enc file and export files. The igsample.properties file contains a clear text administrator password. As such, backup files should be stored carefully.
To back up your configuration on UNIX
1 Log in as the UNIX user on the existing Entrust IdentityGuard Server.
2 Run the backup command:
igbackup.sh [-partial|-full]
   This command creates a backup ZIP file and puts it in the default location, $IDENTITYGUARD_HOME/backups/. The default name includes the type of backup (partial or full), and the current date and time. For example, for a partial backup created on February 24, 2006 at 3:00:45 P.M., the file name is igpartialbackup_20060224150045.zip.
   Optionally, you can specify a file name by including [-file <file name>] in the backup command. For example:
igbackup.sh -partial -file <file name>
   where <file name> is the name you choose for the backup file. A relative <file name> is resolved against your current working directory, not against $IDENTITYGUARD_HOME/backups/.
The partial backup ZIP file includes the following files for installations with embedded Tomcat:
   masterkeys.enc
   identityguard.properties
   igsample.properties (if it exists)
   igkrb5.conf
   JDBC .jar files (if they exist)
   identityguard.cer (contains the SSL certificate of the primary server)
   LDAP SSL certificate (if the primary server has configured SSL to its LDAP repository)
The partial backup ZIP file includes the following files for installations using an existing application server:
   masterkeys.enc
   identityguard.properties
   igsample.properties (if it exists)
   JDBC .jar files (if they exist)
The full backup ZIP file includes the following files (in addition to the files that are backed up in the partial backup):
   server.xml (installations with embedded Tomcat only)
   file-based repository files (both preproduced cards and unassigned tokens)
   keystore
   log files
   export files
Note: If you do not specify either -partial or -full with the igbackup.sh command, a full backup is created.
To back up your configuration on Microsoft Windows
1 If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2 Select Backup Entrust IdentityGuard Configuration.
3 Select the backup type: Full or Partial.
4 In the Backup File Location section, click Browse. A file name including a date/time stamp is created automatically in the File name field. The default location is relative to your current working directory.
5 Click OK to save the backup under the file name with the date/time stamp. Alternatively, rename the file in the File name field and click OK.
   Note: If you are selecting your own file name, make sure you can recognize which backup is the most recent file, as over time more than one backup file may exist.
6 Click Save. Your backup is saved as a ZIP file.
7 Click Close to exit the Configuration Backup utility.
Note: During the Windows uninstall process, Entrust IdentityGuard attempts to create a backup of your Entrust IdentityGuard configuration. If successful, it displays a message listing the location of the backup file. Click OK to continue the uninstall. This occurs only if Entrust IdentityGuard was correctly configured and initialized.
Note: You can also use the command line backup utility, igbackup.exe, located in <IG_INSTALL_DIR>\identityguard81\bin to back up your configuration on Microsoft Windows.
Attention: If your backup does not include the masterkeys.enc file, then you cannot restore your system.
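The backup contents listed above determine what a restore needs, and the Attention above makes masterkeys.enc the one file without which a restore is impossible. The following Python script is an added example, not part of Entrust IdentityGuard or of igbackup.sh: it builds a ZIP in the layout the guide describes (the configuration files plus a files.txt listing and a manifest.txt version stamp), checks a backup before it is trusted for a restore, and lists the members that hold key material or clear-text secrets and therefore need protected storage. The line format of files.txt, the version key in manifest.txt and the sample file contents are assumptions made for the example.

```python
import os
import re
import tempfile
import zipfile

# Member names the guide lists for an embedded-Tomcat install: the partial
# backup set and what a full backup adds (igsample.properties is optional).
PARTIAL_REQUIRED = ("masterkeys.enc", "identityguard.properties",
                    "igkrb5.conf", "identityguard.cer")
FULL_REQUIRED = ("server.xml", "keystore")

# Assumed manifest layout (not documented on the page): files.txt holds one
# "<member name>TAB<original path>" line per file; manifest.txt holds
# key=value lines including the product version.
VERSION_RE = re.compile(r"^version=(\S+)$", re.M)
# Settings whose value is a secret in clear text (the sample application's
# administrator password, the LDAP bind credentials, the JDBC password).
SECRET_RE = re.compile(r"^[^#\n]*(password|credentials)\s*=\s*\S+", re.M | re.I)

# Constructed sample contents, standing in for a real server's files.
SAMPLE_FILES = {
    "/opt/entrust/identityguard81/etc/masterkeys.enc": b"\x00\x01encrypted master keys",
    "/opt/entrust/identityguard81/etc/identityguard.properties":
        b"identityguard.ldap.url=ldap://ldap:389/dc=example,dc=com\n"
        b"identityguard.ldap.credentials=bind-secret\n",
    "/opt/entrust/identityguard81/etc/igsample.properties": b"admin.password=Secret1\n",
    "/opt/entrust/identityguard81/etc/igkrb5.conf": b"[libdefaults]\n",
    "/opt/entrust/identityguard81/etc/identityguard.cer": b"-----BEGIN CERTIFICATE-----\n",
    "/opt/entrust/identityguard81/etc/keystore": b"\xfe\xed\xfe\xed",
    "/opt/entrust/identityguard81/tomcat/conf/server.xml": b"<Server/>\n",
}


def create_backup(dest_path, files, version, kind="full"):
    """Write a ZIP in the assumed layout; `files` maps original path -> bytes."""
    with zipfile.ZipFile(dest_path, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest_lines = []
        for src, data in files.items():
            name = os.path.basename(src)
            zf.writestr(name, data)
            manifest_lines.append(f"{name}\t{src}")
        zf.writestr("files.txt", "\n".join(manifest_lines) + "\n")
        zf.writestr("manifest.txt", f"product=IdentityGuard\nkind={kind}\nversion={version}\n")
    return dest_path


def verify_backup(path, expected_version, kind="full"):
    """Return the problems found; an empty list means the backup is restorable."""
    problems = []
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        # Without masterkeys.enc the system cannot be restored at all.
        if "masterkeys.enc" not in names:
            problems.append("fatal: masterkeys.enc is missing, the backup cannot be restored")
        required = PARTIAL_REQUIRED + (FULL_REQUIRED if kind == "full" else ())
        problems += [f"missing {n}" for n in required if n not in names and n != "masterkeys.enc"]
        # files.txt must describe exactly what the archive contains.
        if "files.txt" not in names:
            problems.append("files.txt is missing")
        else:
            listed = {ln.split("\t", 1)[0] for ln in zf.read("files.txt").decode().splitlines() if ln}
            problems += [f"files.txt lists {n} but it is not in the archive" for n in sorted(listed - names)]
        # Backups between versions may not be compatible: check manifest.txt first.
        if "manifest.txt" not in names:
            problems.append("manifest.txt is missing")
        else:
            m = VERSION_RE.search(zf.read("manifest.txt").decode())
            found = m.group(1) if m else "unknown"
            if found != expected_version:
                problems.append(f"version mismatch: backup is {found}, this server is {expected_version}")
    return problems


def sensitive_members(path):
    """Members holding key material or clear-text secrets; store these with care."""
    found = set()
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name in ("masterkeys.enc", "keystore"):
                found.add(name)
            elif name.endswith(".properties") and SECRET_RE.search(zf.read(name).decode(errors="replace")):
                found.add(name)
    return sorted(found)


def demo():
    """Build a good backup and a broken one in a temp dir; return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        good = create_backup(os.path.join(tmp, "igfullbackup_20060324151505.zip"), SAMPLE_FILES, "8.1")
        without_keys = {p: d for p, d in SAMPLE_FILES.items() if not p.endswith("masterkeys.enc")}
        bad = create_backup(os.path.join(tmp, "igfullbackup_old.zip"), without_keys, "8.0")
        return verify_backup(good, "8.1"), verify_backup(bad, "8.1"), sensitive_members(good)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run verify_backup against a copied archive on the target host before step 8 of the restore procedure; a fatal result means the restore will fail at initialization, and the sensitive_members list is what must never sit on a shared or unencrypted backup share.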
To restore Entrust IdentityGuard from a backup on UNIX
1 Copy the full backup ZIP file from your Entrust IdentityGuard Server to the computer that you want to restore Entrust IdentityGuard on. The default location for the file is $IDENTITYGUARD_HOME/backups.
   Note: All files listed here should be readable and writable by the user and group selected during installation.
2 If the computer you are restoring to has a copy of the server.xml file, delete it before continuing with the restore.
3 Unzip the full backup ZIP file. For example, on UNIX:
   unzip igfullbackup_20060324151505.zip
4 Open the files.txt file in a text editor. This file contains a list of all the files copied into the backup ZIP file, and the location they were copied from.
5 Copy all the files back to their proper locations.
6 For database repositories, copy the JDBC driver .jar files you used during the original installation to $CATALINA_HOME/common/lib (installations with embedded Tomcat only) and to $IDENTITYGUARD_HOME/lib.
7 Open the manifest.txt file in a text editor and ensure you are using the correct version of the files. Backups between versions of Entrust IdentityGuard may not be compatible.
8 Open the master user shell.
   a Log in as the UNIX user that belongs to the UNIX group and change to $IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
   b From $IDENTITYGUARD_HOME, source the environment settings file by entering:
      . ./env_settings.sh
      (Include a space between the two periods in the command.)
   c Enter the following command to start the master user shell:
      supersh
      Copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
9 Enter the following in the master user shell to initialize the restored system:
   init -replica
   All three master users must enter their passwords.
10 It is recommended that you run the command system bind from the master user shell to enable system binding. For more information on system binding, see Enabling system binding on page 240.
   Entrust IdentityGuard is now restored from backup.
11 Redeploy the Entrust IdentityGuard services:
   see Enabling and disabling individual Entrust IdentityGuard services on page 64 for installations with embedded Tomcat
   see Deploying Entrust IdentityGuard services on an existing application server on page 127 for installations using an existing application server
To restore Entrust IdentityGuard from a backup on Windows
1 Copy the full backup ZIP file from your Entrust IdentityGuard Server to the computer that you want to restore Entrust IdentityGuard on. The default location for the file is <IG_INSTALL_DIR>\identityguard81\backups
2 If the computer you are restoring to has a copy of the server.xml file, delete it before continuing with the restore.
3 Unzip the full backup ZIP file.
4 Open the files.txt file in a text editor. This file contains a list of all the files copied into the backup ZIP file, and the location they were copied from.
Backing up and restoring Entrust IdentityGuard Server
5 Copy all the files back to their proper locations.
6 For database repositories, ensure that copies of the JDBC driver .jar files you used during installation are in these folders:
   <TOMCAT_INSTALL_DIR>\common\lib
   <IG_INSTALL_DIR>\identityguard81\lib
7 Open the manifest.txt file in a text editor and ensure you are using the correct version of the files. Backups between versions of Entrust IdentityGuard may not be compatible.
8 Click Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
9 Select Initialize Entrust IdentityGuard on the Entrust IdentityGuard Configuration Panel to initialize the restored system. For instructions, see Running the Entrust IdentityGuard Initialization wizard on page 84. All three master users must enter their passwords.
   Entrust IdentityGuard is now restored from backup.
Note: The backup file does not contain saved settings for Entrust IdentityGuard services. Check that the Administration service, Administration interface and the sample application are enabled or disabled, as applicable.
To restore a file-based card repository on UNIX
1 Back up the files that start with fpcr.pcr (for cards) located in:
   $IDENTITYGUARD_HOME/etc/fpcr
   You can override the base file for cards with the identityguard.properties setting:
   identityguard.preproduced.cardRepository.file.name
2 Back up the files that start with ftkr.pcr (for tokens) located in:
   $IDENTITYGUARD_HOME/etc/ftkr
   You can override the base file for tokens with the identityguard.properties setting:
   identityguard.tokenRepository.file.name
3 Ensure that the files are owned (and are readable and writable) by the user that owns Entrust IdentityGuard.
To restore a file-based card repository on Windows
1 Back up the files that start with fpcr.pcr (for cards) located in:
   <IG_INSTALL_DIR>\identityguard81\etc\fpcr
   You can override the base file for cards with the identityguard.properties setting:
   identityguard.preproduced.cardRepository.file.name
2 Back up the files that start with ftkr.pcr (for tokens) located in:
   <IG_INSTALL_DIR>\identityguard81\etc\ftkr
   You can override the base file for tokens with the identityguard.properties setting:
   identityguard.tokenRepository.file.name
      (Include a space between the two periods in the command.)
   c Enter the following command to start the master user shell:
      supersh
      Copyright information and the Entrust IdentityGuard version number appear, followed by a command prompt.
2 On Microsoft Windows, click Start > All Programs > Entrust > IdentityGuard > Master User Shell.
3 To display the next available serial number, at the command line, enter:
   system get
Reconfigure your installation by editing or adding settings to the identityguard.properties file.
Note: With the exception of log settings, you must restart the Entrust IdentityGuard service for changes to Entrust IdentityGuard properties to take effect. See:
   Managing the Entrust IdentityGuard service on page 62 for installations using embedded Tomcat on UNIX,
   Managing the Entrust IdentityGuard service on page 166 for installations using existing application servers, or
   Managing the Entrust IdentityGuard service on page 94 for installations using embedded Tomcat on Microsoft Windows.
Topics in this section:
   Editing property values on page 257
   Enabling the authentication success audit on page 258
   Enabling a WSDL query on page 259
   Configuring additional search bases on page 260
   Configuring LDAP directory properties on page 261
   Configuring database properties on page 267
   Enabling cached challenges on page 270
   Caching policies on page 272
   Changing log configuration on page 273
   Changing log locations on UNIX on page 277
   Configuring master user shell formatting on page 278
   Configuring license auditing on page 281
   Configuring the Entrust IdentityGuard Radius proxy properties on page 282
   Configuring external authentication properties on page 293
   Configuring token properties on page 295
   Configuring the Administration interface properties for bulk operations on page 296
   Configuring the Administration interface to control the output format on page 297
Note: If you are using multiple search bases, each user ID and administrator ID must be unique within a search base. Search bases are defined in the identityguard.properties configuration file. You must manually edit the identityguard.properties file to add, remove, or modify search base definitions. See the identityguard.ldap.searchbase setting description in Table 15 for instructions on editing search bases. For further instructions, see the Entrust IdentityGuard Administration Guide.
Table 15: LDAP directory properties

identityguard.ldap.url
   Required. LDAP URL to use to find and connect to the LDAP directory. This can include the host name, the port number, and the initial context prefix to bind to. All lookups are relative to the given context prefix. For example:
      ldap://myldaphost:389/ou=People,dc=AnyCorp,dc=com
   binds to port 389 on the computer myldaphost, with ou=People,dc=AnyCorp,dc=com as the initial context prefix.

identityguard.ldap.principal
   Required. Name of the entity binding to the LDAP directory, for example: cn=Directory Manager

identityguard.ldap.credentials
   Required. Password of the entity binding to the LDAP directory.

identityguard.ldap.connecttimeout
   Length of time in milliseconds that Entrust IdentityGuard waits when attempting to connect to the LDAP directory before giving up and returning an error. Default is 30000 (30 seconds).

identityguard.ldap.useridattribute
   LDAP directory attribute that contains the unique user identifier. Default is cn.

identityguard.ldap.policyentry
   Required. Specifies the directory entry that stores policies. It must exist, and be named relative to the context prefix. For example, if the URL is ldap://directory.AnyCorp.com/o=Entrust,c=ca, then the policy entry could be cn=Some Entry,ou=R and D to represent the DN cn=Some Entry,ou=R and D,o=Entrust,c=ca.

identityguard.ldap.sslEnabled
   Specifies if you are using a secure SSL connection to the directory. If set to true, you must direct the identityguard.ldap.url to a secure LDAP port. For more information, see the section To import the LDAP SSL certificate on page 233. With sslEnabled set to false, the bind password in identityguard.ldap.credentials is sent to the directory in clear text.

identityguard.ldap.addUserObjectClass
   Indicates whether the Entrust IdentityGuard Server should add the user object class when setting up an Entrust IdentityGuard user, or if it is expected to already be present. Set to false for Active Directory and to true for an LDAP directory.

identityguard.ldap.addAdminObjectClass
   Indicates whether the Entrust IdentityGuard Server should add the admin object class when setting up an Entrust IdentityGuard administrator, or if it is expected to already be present. Set to false for Active Directory and to true for an LDAP directory.

identityguard.ldap.addPolicyObjectClass
   Indicates whether the Entrust IdentityGuard Server should add the policy object class when setting up the Entrust IdentityGuard policy, or if it is expected to already be present. Set to false for Active Directory and to true for an LDAP directory.

To edit the remaining LDAP properties in this table (listed below), you must first add them to the identityguard.properties file. If a property is not included in the file, Entrust IdentityGuard uses the default value for that property as given here.

identityguard.ldap.searchbase.url.<name>=
   Required. Define one or more search bases where users can be located. See Configuring additional search bases on page 260. For example, a search base called sbase1 looks like this:
      identityguard.ldap.searchbase.url.sbase1=ldap://mydirectoryhost:389/ou=People,dc=AnyCorp,dc=com
   You cannot name a search base default because that is a reserved search base name. See the Entrust IdentityGuard Administration Guide for more details.
   Note: Entrust IdentityGuard configuration automatically converts spaces in the LDAP base DN to %20. If you edit the LDAP base DN after installation in the identityguard.properties file, remember to replace spaces with %20.
   Optional. The following settings are optional and may be configured for each search base:
      identityguard.ldap.searchbase.principal.<name>=
      identityguard.ldap.searchbase.credentials.<name>=
      identityguard.ldap.searchbase.connecttimeout.<name>=
      identityguard.ldap.searchbase.searchtimeout.<name>=
      identityguard.ldap.searchbase.sizelimit.<name>=
      identityguard.ldap.searchbase.sslEnabled.<name>=
      identityguard.ldap.searchbase.useridattribute.<name>=
      identityguard.ldap.searchbase.userObjectClass.<name>=
      identityguard.ldap.searchbase.useridcasesensitive.<name>=
      identityguard.ldap.searchbase.addUserObjectClass.<name>=
      identityguard.ldap.searchbase.adminObjectClass.<name>=
      identityguard.ldap.searchbase.addAdminObjectClass.<name>=
      identityguard.ldap.searchbase.connectionpool.max.<name>=
      identityguard.ldap.searchbase.connectionpool.minIdleCloseTime.<name>=
      identityguard.ldap.searchbase.connectionpool.closeSchedule.<name>=
   The identityguard.ldap.searchbase.useridattribute.<name> property defaults to the default value for identityguard.ldap.useridattribute. The other optional settings default to the corresponding value of the default search base.

identityguard.ldap.searchtimeout
   Length of time in milliseconds that Entrust IdentityGuard waits when searching the LDAP directory before giving up and returning an error. Default is 30000 (30 seconds).

identityguard.ldap.sizelimit
   Maximum number of entries to return in a single LDAP search. Default is 1000.

identityguard.ldap.userObjectClass
   LDAP directory object class used to allow the user attributes to be added to an entry. Default is entrustIGUser.

identityguard.ldap.adminObjectClass
   LDAP directory object class used to allow the administrator attributes to be added to an entry. Default is entrustIGAdmin.

identityguard.ldap.policyObjectClass
   LDAP directory object class used to allow the policy attributes to be added to an entry. Default is entrustIGPolicy.

identityguard.ldap.connectionpool.max
   The maximum number of connections that can be kept in the LDAP directory connection pool. An Entrust IdentityGuard service will not open more connections to the directory than this value. Default is 10.

identityguard.ldap.connectionpool.minIdleCloseTime
   The minimum number of milliseconds a connection to the LDAP directory can be idle for before being closed. Default is 180000 (3 minutes).

identityguard.ldap.connectionpool.closeSchedule
   The number of milliseconds between each check for idle LDAP directory connections and closure of those idle longer than the value set in the minIdleCloseTime setting. Set to 0 to disable closing idle connections. Default is 180000 (3 minutes).

identityguard.ldap.GeneralizedTimeWithSubSecs
   Some directories do not support generalized time attributes that contain subseconds, while other directories require them. If this value is set to true, generalized time is formatted with subseconds. Default is true.
   Note: This must be false when using a Novell eDirectory as your repository.

identityguard.ldap.useReplace
   Set this to true only if you use Oracle Internet Directory as your repository.
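Table 15 describes how per-search-base settings inherit their values and which hand edits break the configuration: a search base named default, spaces left in a base DN, or sslEnabled=true pointed at a clear-text port. The following Python script is an added example, not Entrust code: it parses the LDAP section of identityguard.properties, resolves each search base's effective settings the way the table describes, and reports those errors, plus a warning for every base that binds without SSL. The sample properties are constructed; reading the useridattribute fallback as the built-in default cn, and treating an ldap:// URL with no port or port 389 as the clear-text port, are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Per-search-base settings Table 15 lists as optional. Each falls back to the
# corresponding value of the default search base, except useridattribute,
# which falls back to the built-in default of identityguard.ldap.useridattribute.
PER_BASE_OPTIONAL = (
    "principal", "credentials", "connecttimeout", "searchtimeout", "sizelimit",
    "sslEnabled", "useridattribute", "userObjectClass", "useridcasesensitive",
    "addUserObjectClass", "adminObjectClass", "addAdminObjectClass",
    "connectionpool.max", "connectionpool.minIdleCloseTime", "connectionpool.closeSchedule",
)
# Built-in defaults from Table 15 for settings that may be absent from the file.
DEFAULTS = {
    "useridattribute": "cn", "connecttimeout": "30000", "searchtimeout": "30000",
    "sizelimit": "1000", "sslEnabled": "false", "userObjectClass": "entrustIGUser",
    "adminObjectClass": "entrustIGAdmin", "connectionpool.max": "10",
    "connectionpool.minIdleCloseTime": "180000", "connectionpool.closeSchedule": "180000",
}
REQUIRED = ("identityguard.ldap.url", "identityguard.ldap.principal",
            "identityguard.ldap.credentials", "identityguard.ldap.policyentry")
SB = "identityguard.ldap.searchbase."

# Constructed sample, not a real server's configuration.
SAMPLE_PROPERTIES = """# constructed sample identityguard.properties (LDAP section only)
identityguard.ldap.url=ldap://myldaphost:636/ou=People,dc=AnyCorp,dc=com
identityguard.ldap.principal=cn=Directory Manager
identityguard.ldap.credentials=bind-secret
identityguard.ldap.policyentry=cn=IdentityGuard Policy,ou=Apps
identityguard.ldap.sslEnabled=true
identityguard.ldap.searchbase.url.sbase1=ldap://mydirectoryhost:636/ou=People,dc=AnyCorp,dc=com
identityguard.ldap.searchbase.url.sbase2=ldap://mydirectoryhost:389/ou=R and D,dc=AnyCorp,dc=com
identityguard.ldap.searchbase.sslEnabled.sbase2=false
identityguard.ldap.searchbase.useridattribute.sbase2=uid
identityguard.ldap.searchbase.url.default=ldap://other:389/dc=example,dc=com
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def search_bases(props):
    """Return {name: {setting: effective value}} for each searchbase.url.<name>."""
    bases = {}
    for key, url in props.items():
        if not key.startswith(SB + "url."):
            continue
        name = key[len(SB + "url."):]
        cfg = {"url": url}
        for opt in PER_BASE_OPTIONAL:
            override = props.get(f"{SB}{opt}.{name}")
            if override is not None:
                cfg[opt] = override
            elif opt == "useridattribute":
                cfg[opt] = DEFAULTS[opt]  # built-in default, not the default base's value
            else:
                cfg[opt] = props.get(f"identityguard.ldap.{opt}", DEFAULTS.get(opt))
        bases[name] = cfg
    return bases


def check_ldap_config(props):
    """Return problems and warnings; an empty list means nothing was found."""
    problems = [f"{k} is required" for k in REQUIRED if not props.get(k)]
    bases = search_bases(props)
    if not bases:
        problems.append(f"at least one {SB}url.<name> is required")
    if "default" in bases:
        problems.append("search base name 'default' is reserved")
    default_base = {
        "url": props.get("identityguard.ldap.url", ""),
        "sslEnabled": props.get("identityguard.ldap.sslEnabled", DEFAULTS["sslEnabled"]),
    }
    targets = [("identityguard.ldap.url", default_base)]
    targets += [(f"search base {name}", cfg) for name, cfg in bases.items()]
    for label, cfg in targets:
        parts = urlsplit(cfg["url"])
        if parts.scheme not in ("ldap", "ldaps"):
            problems.append(f"{label}: URL must start with ldap:// or ldaps://")
            continue
        # The configuration tool writes %20; a hand-edited DN often keeps the space.
        if " " in parts.path:
            problems.append(f"{label}: spaces in the base DN must be written as %20")
        ssl = cfg["sslEnabled"].strip().lower() == "true"
        if ssl and parts.scheme == "ldap" and parts.port in (None, 389):
            problems.append(f"{label}: sslEnabled=true but the URL points at the clear-text LDAP port")
        if not ssl:
            problems.append(f"warning: {label}: sslEnabled=false, the bind credentials travel in clear text")
    return problems


if __name__ == "__main__":
    for problem in check_ldap_config(parse_properties(SAMPLE_PROPERTIES)):
        print(problem)
```

Run it against a copy of identityguard.properties before restarting the service; the warnings are the places where a directory password crosses the network unprotected, and the reserved-name and %20 errors are the two edits that otherwise only surface as failed user lookups after the restart.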
Table 16: JDBC properties

identityguard.jdbc.connectionpool.closeSchedule
   The number of milliseconds between each check for idle database connections and closure of those idle longer than the value set in the minIdleCloseTime setting. Set to 0 to disable closing idle connections. Default is 180000 (3 minutes).

identityguard.jdbc.connectionpool.max
   The maximum number of connections that can be kept in the database connection pool. An Entrust IdentityGuard service will not open more connections than this value. If the database server cannot accept this number of connections, Entrust IdentityGuard may return errors when trying to open some of its connections. Default is 10.

identityguard.jdbc.connectionpool.minIdleCloseTime
   The minimum number of milliseconds a connection to the database can be idle before it is considered for closing. Default is 180000 (3 minutes).

identityguard.jdbc.logintimeout
   Number of seconds that Entrust IdentityGuard will wait for the database login operation to complete. Default is 30 seconds.

identityguard.jdbc.querytimeout
   Number of seconds that Entrust IdentityGuard will wait for the database to perform an operation. A value of 0 means that the connection will never time out. Default is 0.

identityguard.jdbc.driverClass
   Required. The class name of the JDBC driver. This value is entered during configuration.

identityguard.jdbc.password
   Required. The password of the database user name entered during configuration.

identityguard.jdbc.schema
   Required. The database schema name entered during configuration.

identityguard.jdbc.url
   Required. The database URL entered during configuration.

identityguard.jdbc.user
   Required. The database user name entered during configuration.

identityguard.jdbc.needsEscape
   Indicates whether Entrust IdentityGuard should use escape characters in an SQL WHERE clause. If you are using a MySQL database, set this to false. Default is true.

identityguard.jdbc.timestampDataType
   Determines how timestamp expressions are formatted in an SQL WHERE clause. If you set this property to true, the SQL WHERE clause will include the TIMESTAMP datatype. This setting should be true for Oracle and false for DB2 and SQL Server. Default is true.

identityguard.jdbc.blobAccess
   If you are using SQL Server, set this to false. Default is true.

identityguard.jdbc.selectLock
   Defines what SQL syntax is used to lock the policy when it is updated. Different databases use different syntaxes. The supported values are:
      forupdate - Oracle
      withrr - DB2
      withupdlock - SQL Server
   If not set or an invalid value is provided, it defaults to forupdate.
Attention: It is recommended that you back up the identityguard.properties file before you make changes to it. For instructions on backing up files, see Planning a backup strategy on page 244.
To enable cached challenges
1 In identityguard.properties, change the following settings:
   for an LDAP repository, change
      identityguard.challengerepository.impl=com.entrust.identityGuard.cardManagement.dataAccess.ldap.LdapChallengeRepository
   to:
      identityguard.challengerepository.impl=com.entrust.identityGuard.cardManagement.dataAccess.cache.CacheChallengeRepository
   for a database, change
      identityguard.challengerepository.impl=com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcChallengeRepository
   to:
      identityguard.challengerepository.impl=com.entrust.identityGuard.cardManagement.dataAccess.cache.CacheChallengeRepository
2 Optionally, add the following setting, which defines how long (in seconds) a challenge remains in the cache before it is written to the persistent repository. The default value is 180 (3 minutes):
   identityguard.challengerepository.cache.timeout=180
3 Optionally, add the following setting, which controls the maximum size (in number of challenges) of the challenge cache. If the setting is not set, or is an invalid value or a non-positive number, the cache size defaults to unlimited:
   identityguard.challengerepository.cache.maxsize=1000
Caching policies
Edit the identityguard.properties file to control the length of time a policy is cached (before the repository is checked for new policy definitions). The policy caching setting is
identityguard.policyRepository.cacheTimeout=<number of milliseconds>
The default is 30000 milliseconds (30 seconds). Set the value to 0 to disable policy caching, so that the policy is read from the repository on every operation. While caching is enabled, a policy change made in the repository takes effect on a service only after that service's cached copy expires, so a change can lag by up to the timeout value.
Note: Disabling policy caching can degrade performance, because every operation then adds a repository read.
Table 17: UNIX Logging configuration settings Logging configuration setting identityguard.refreshinterval Description Defines how frequently the configuration is checked for changes to the log settings. Default is 10 seconds. identityguard.log.maxstacksize Defines the number of stack frames that are logged for errors. The default value, 0, means that no stack trace is logged. log4j.rootLogger Defines the logging level of the root logger, and the destination of any messages logged by the root logger. The root logger may catch errors not specifically logged by Entrust IdentityGuard, but occur within the application server. The default setting is WARN, and the appender will depend on the choices made during installation. Default is WARN, (other options are: SYSTEM_SYSLOG or SYSTEM_FILELOG). log4j.logger.IG.AUDIT Defines the audit level of Entrust IdentityGuard and the destination of the logged audits. The default setting is ALL, and the appender will depend on the choices made during installation. Default is ALL, (other options are: AUDIT_SYSLOG or AUDIT_FILELOG).
273
Table 17: UNIX Logging configuration settings (continued) Logging configuration setting lo4j.logger.IG.SYSTEM Description By default, all system log levels WARN and above are logged. To reduce system logging, change WARN to ERROR or OFF. To increase system logging (for example, for troubleshooting) change WARN to INFO, DEBUG, or ALL. Default is WARN. log4j.additivity.IG.AUDIT Defines whether Entrust IdentityGuard audits should also be added to the root logger. Leave this value set to the default, false. log4j.additivity.IG.SYSTEM Defines whether Entrust IdentityGuard system logs should also be added to the root logger. This value should remain set to the default, false. log4j.appender.AUDIT_SYSLOG Defines the log4j appender to use for audit logs. This should not be changed. This value should remain set to the default, org.apache.log4j.net.SyslogAppender. log4j.appender.AUDIT_SYSLOG.SyslogHost Defines the Syslog host that logging information is sent to. If using Syslog, the default is localhost. If using file logging, the default is $log_host}. log4j.appender.AUDIT_SYSLOG.Facility Defines the Syslog facility that is used to audit logs. Default is local1. log4j.appender.AUDIT_SYSLOG.layout The log4j class that converts a logging event into a message string to be printed in the logs. Default is org.apache.log4j.PatternLayout. log4j.appender.AUDIT_SYSLOG.layout .ConversionPattern The format of the converted logging event. See the log4j documentation for further information. Default is [%t] [%-5p] [%c] %m%n.
274
Table 17: UNIX Logging configuration settings (continued) Logging configuration setting log4j.appender.SYSTEM_SYSLOG Description Defines the log4j appender to use for system logs. This should not be changed. Default is org.apache.log4j.net.SyslogAppender. log4j.appender.SYSTEM_SYSLOG .SyslogHost log4j.appender.SYSTEM_SYSLOG.Facility Defines the Syslog host to which logging information is sent. Default is localhost. Defines the Syslog facility that is used by Entrust IdentityGuard system logs. Default is local2. log4j.appender.SYSTEM_SYSLOG.layout The log4j class that converts a logging event into a message string to be printed in the logs. Default is org.apache.log4j.PatternLayout. log4j.appender.SYSTEM_SYSLOG.layout .ConversionPattern The format of the converted logging event. Please see the log4j documentation for further information. Default is [%t] [%-5p] [%c] %m%n. log4j.appender.AUDIT_FILELOG Defines the appender that is used if audit events are logged to files. This value should remain set to the default, org.apache.log4j.RollingFileAppender. log4j.appender.AUDIT_FILELOG.File Defines the location of the audit log. Default is: $IDENTITYGUARD.HOME/etc/audit.log log4j.appender.AUDIT_FILELOG.MaxFileSize Defines the maximum size of a log file before rolling over to a new empty file. Default is 1000KB. log4j.appender.AUDIT_FILELOG .MaxBackupIndex Defines the number of previous log files to keep as a history. Default is 10.
Table 17: UNIX Logging configuration settings (continued)

log4j.appender.AUDIT_FILELOG.layout
    The log4j class that converts a logging event into a message string to be printed in the logs. Default is org.apache.log4j.PatternLayout.

log4j.appender.AUDIT_FILELOG.layout.ConversionPattern
    The format of the converted logging event. See the log4j documentation for further information. Default is [%d] [%t] [%-5p] [%c] %m%n.

log4j.appender.SYSTEM_FILELOG
    Defines the appender that is used if system events are logged to files. This value should remain set to the default, org.apache.log4j.RollingFileAppender.

log4j.appender.SYSTEM_FILELOG.File
    Defines the location of the system log. Default is $IDENTITYGUARD.HOME/etc/system.log.

log4j.appender.SYSTEM_FILELOG.MaxFileSize
    Defines the maximum size of a log file before rolling over to a new empty file. Default is 1000KB.

log4j.appender.SYSTEM_FILELOG.MaxBackupIndex
    Defines the number of previous log files to keep as a history. Default is 5.

log4j.appender.SYSTEM_FILELOG.layout
    The log4j class that converts a logging event into a message string to be printed in the logs. Default is org.apache.log4j.PatternLayout.

log4j.appender.SYSTEM_FILELOG.layout.ConversionPattern
    The format of the converted logging event. See the log4j documentation for further information. Default is [%d] [%t] [%-5p] [%c] %m%n.
For example, to switch logging from files to Syslog, change log4j.rootLogger=WARN, SYSTEM_FILELOG to log4j.rootLogger=WARN, SYSTEM_SYSLOG. If you are switching logging from files to Syslog, you will need to edit the following two entries in identityguard.properties and replace ${log_host} with the host name of your Syslog server. Use the value localhost if the Syslog server is running on the local host.
log4j.appender.AUDIT_SYSLOG.SyslogHost=${log_host}
log4j.appender.SYSTEM_SYSLOG.SyslogHost=${log_host}
For example, if the Syslog server is running on the localhost, change the two entries to:
log4j.appender.AUDIT_SYSLOG.SyslogHost=localhost
log4j.appender.SYSTEM_SYSLOG.SyslogHost=localhost
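The following script is an added example, not part of this guide or of the Entrust software. It applies the change described above to a properties file: it reports SyslogHost entries that still contain the ${log_host} placeholder (an appender pointed at a host literally named "${log_host}" delivers nothing, so audit and system events would silently go nowhere) and rewrites log4j.rootLogger from SYSTEM_FILELOG to SYSTEM_SYSLOG. The file content is a constructed sample that mirrors the defaults in Table 17, not a copy of an installed identityguard.properties.

```python
"""Check and switch the log4j settings in identityguard.properties.

Added example (not Entrust code). Reads the log4j lines of a properties
file, lists SyslogHost values still holding the ${log_host} placeholder
and switches the root logger from file logging to Syslog.
"""

# Constructed sample of the log4j section, following the Table 17 defaults.
SAMPLE_PROPERTIES = """\
# constructed sample of the log4j section
log4j.rootLogger=WARN, SYSTEM_FILELOG
log4j.additivity.IG.AUDIT=false
log4j.additivity.IG.SYSTEM=false
log4j.appender.AUDIT_SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.AUDIT_SYSLOG.SyslogHost=${log_host}
log4j.appender.AUDIT_SYSLOG.Facility=local1
log4j.appender.SYSTEM_SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSTEM_SYSLOG.SyslogHost=${log_host}
log4j.appender.SYSTEM_SYSLOG.Facility=local2
log4j.appender.SYSTEM_FILELOG=org.apache.log4j.RollingFileAppender
log4j.appender.SYSTEM_FILELOG.MaxFileSize=1000KB
log4j.appender.SYSTEM_FILELOG.MaxBackupIndex=5
"""

# The two entries the guide says must be edited when switching to Syslog.
SYSLOG_HOST_KEYS = (
    "log4j.appender.AUDIT_SYSLOG.SyslogHost",
    "log4j.appender.SYSTEM_SYSLOG.SyslogHost",
)


def parse_properties(text):
    """Minimal key=value parser: blank lines and #/! comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unresolved_syslog_hosts(props):
    """Keys whose SyslogHost value is still a ${...} placeholder."""
    return [k for k in SYSLOG_HOST_KEYS if "${" in props.get(k, "")]


def is_usable_host(log_host):
    """A concrete host name: non-empty, no ${...} placeholder, no whitespace."""
    return bool(log_host) and "${" not in log_host and not any(c.isspace() for c in log_host)


def switch_to_syslog(text, log_host):
    """Route system logging to Syslog and point both SyslogHost entries at log_host.

    log_host is "localhost" when the Syslog server runs on the same machine;
    a leftover placeholder is refused rather than written back.
    """
    if not is_usable_host(log_host):
        raise ValueError(f"not a usable Syslog host name: {log_host!r}")
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        key = key.strip()
        if not sep or not key or key[0] in "#!":
            out.append(raw)  # comment or blank line, left unchanged
            continue
        if key == "log4j.rootLogger":
            parts = [p.strip() for p in value.split(",")]
            parts = ["SYSTEM_SYSLOG" if p == "SYSTEM_FILELOG" else p for p in parts]
            value = ", ".join(parts)
        elif key in SYSLOG_HOST_KEYS:
            value = value.strip().replace("${log_host}", log_host)
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unresolved:", unresolved_syslog_hosts(parse_properties(SAMPLE_PROPERTIES)))
    print(switch_to_syslog(SAMPLE_PROPERTIES, "localhost"))
```

Run the unresolved-host check again on the rewritten text before restarting the server; an empty list means both appenders have a real host.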
Table 19: User card list column widths

identityguard.supersh.usercardlist.width.userid
    Indicates the width of the user ID field. Default is 14.

identityguard.supersh.usercardlist.width.sernum
    Indicates the width of the serial number field. Default is 14.

identityguard.supersh.usercardlist.width.state
    Indicates the width of the state field. Default is 9.

identityguard.supersh.usercardlist.width.create
    Indicates the width of the creation date field. Default is 19.
Table 19: User card list column widths (continued)

identityguard.supersh.usercardlist.width.expire
    Indicates the width of the expiry date field. Default is -1, meaning the remainder of the width of your screen.

identityguard.supersh.preproducedcardlist.width.sernum
    Indicates the width of the preproduced card serial number field. Default is 14.

identityguard.supersh.preproducedcardlist.width.create
    Indicates the width of the preproduced card creation date field. Default is -1, meaning the remainder of the width of your screen.
Table 21: Administrator list column width

identityguard.supersh.adminlist.width.userid
    Indicates the width of the administrator ID field. Default is 20.

identityguard.supersh.adminlist.width.state
    Indicates the width of the administrator state field. Default is -1, meaning the remainder of the width of your screen.
Table 22: Token list column width

identityguard.supersh.tokenlist.width.pinsupported
    Indicates the width of the PIN Supported field. Default is 12 for tokens that support token PINs; otherwise false.
Note: When users see a challenge message through VPN, they must enter their response as one continuous string. There is no user interface form to separate and parse entries as people expect when using Entrust IdentityGuard. For example, if a user's card cells A3, H4 and J1 have the numbers 4, 8, and 9, the response to this message

Enter a response to the challenge [A3] [H4] [J1] using a card with serial number 1952

must be 489 with no spaces or punctuation.
Table 24: Radius proxy configuration settings

identityguard.igradius.url
    Provides the URL of the Entrust IdentityGuard server. If not specified, it defaults to http://localhost:8080/IdentityGuardAuthService/services/AuthenticationService. If the default is used, Entrust IdentityGuard changes this to the value of identityguard.authservice.https.url during configuration.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.port
    Provides the port used by the Entrust IdentityGuard Radius proxy for first-factor authentication. If not specified, it defaults to 1812. If you use a Radius server for first-factor authentication and your VPN server recognizes different groups of users, use this property to specify a series of ports and direct those groups to different ports. For example, if you want requests for one group to be sent to port 1812 and requests for another group to be sent to port 1813, configure the property like this:
    identityguard.igradius.port=1812 1813
    No additional ports are needed for groups for other first-factor authentication methods.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.challengestring
    This property sets the contents of the default Radius proxy challenge message for grid authentication.
    Note: This is one of six properties related to the challenge a user may see. At the very least, this property should be set as a default. Some or all of the other properties may be set to provide greater control over the challenges that apply to users with multiple cards and/or a PIN.
    The content consists of a string and one to three placeholders. The placeholders are:
    {0} = the challenge string
    {1} = the serial number of the first card
    {2} = the serial number of the second card
    The placeholders are filled in when the message appears. For example, this setting
    Enter a response to the challenge {0} using cards with serial number {1} or {2}
    would result in a message like this:
    Enter a response to the challenge [A1] [B2] [C3] using cards with serial number 1234 or 2345.
    Users never have more than two valid cards: the current card and the pending card. A user may have a PIN and no card, or a PIN with one or two cards. If there is no challenge specified, this property defaults to:
    Enter the response for IdentityGuard challenge {0}.
    If there is no value for {0}, no challenge is sent.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.challengestring.twocardswithpin
    This is one of six properties related to the challenge a grid user sees. It takes effect when the user has two cards and a valid PIN. The format of the string is tailored to this scenario: Enter a response to the challenge {0} using cards with serial number {1} or {2} or your temporary PIN. If not set, it defaults to the value of igradius.challengestring.

identityguard.igradius.challengestring.twocardsnopin
    This is one of six properties related to the challenge a grid user sees. It takes effect when the user has two cards and no valid PIN. The format of the string is tailored to this scenario: Enter a response to the challenge {0} using cards with serial number {1} or {2}. If not set, it defaults to the value of igradius.challengestring.

identityguard.igradius.challengestring.onecardwithpin
    This is one of six properties related to the challenge a grid user sees. It takes effect when the user has one card and a valid PIN. The format of the string is tailored to this scenario: Enter a response to the challenge {0} using a card with serial number {1} or your temporary PIN. If not set, it defaults to the value of igradius.challengestring.

identityguard.igradius.challengestring.onecardnopin
    This is one of six properties related to the challenge a grid user sees. It takes effect when the user has one card but no valid PIN. The format of the string is tailored to this scenario: Enter a response to the challenge {0} using a card with serial number {1}. If not set, it defaults to the value of igradius.challengestring.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.challengestring.nocardwithpin
    This is one of six properties related to the challenge a grid user sees. It takes effect when the user has no cards but has a valid PIN. The format of the string is tailored to this scenario: Enter a response to the challenge {0} using your temporary PIN. If not set, it defaults to the value of igradius.challengestring.

identityguard.igradius.tokenchallengestring
    This property sets the contents of the default Radius proxy challenge message for token authentication.
    Note: This is one of eight properties related to the challenge a token user may see. At the very least, this property should be set as a default. Some or all of the properties may be set to provide greater control over the challenges that apply to token users.
    The content consists of a string and one or two placeholders. The placeholders are:
    {0} = the serial number of the first token
    {1} = the serial number of the second token
    The placeholders are filled in when the message appears. For example, this setting
    Enter the response to the token with serial number {0}.
    would result in a message like this:
    Enter the response to the token with serial number 92776.
    Users never have more than two valid tokens: the current token and the pending token. A user may have a temporary PIN and no token, or a temporary PIN with one or two tokens. If there is no challenge specified, this property defaults to:
    Enter the response from your Entrust IdentityGuard token.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.tokenchallengestring.twotokenswithpin
    This is one of eight properties related to the challenge a token user sees. It takes effect when the user has two tokens and a valid temporary PIN. The format of the string is tailored to this scenario: Enter the response to the token with serial number {0} or {1} or your temporary PIN. If not set, it defaults to the value of igradius.tokenchallengestring.

identityguard.igradius.tokenchallengestring.twotokensnopin
    This is one of eight properties related to the challenge a token user sees. It takes effect when the user has two tokens and no valid temporary PIN. The format of the string is tailored to this scenario: Enter the response to the token with serial number {0} or {1}. If not set, it defaults to the value of igradius.tokenchallengestring.

identityguard.igradius.tokenchallengestring.onetokenswithpin
    This is one of eight properties related to the challenge a token user sees. It takes effect when the user has one token and a valid temporary PIN. The format of the string is tailored to this scenario: Enter the response to the token with serial number {0} or your temporary PIN. If not set, it defaults to the value of igradius.tokenchallengestring.

identityguard.igradius.tokenchallengestring.onetokennopin
    This is one of eight properties related to the challenge a token user sees. It takes effect when the user has one token and no valid temporary PIN. The format of the string is tailored to this scenario: Enter the response to the token with serial number {0}. If not set, it defaults to the value of igradius.tokenchallengestring.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.tokenchallengestring.notokenswithpin
    This is one of eight properties related to the challenge a token user sees. It takes effect when the user has no token but has a valid temporary PIN. The format of the string is tailored to this scenario: Enter your temporary PIN. If not set, it defaults to the value of igradius.tokenchallengestring.

identityguard.igradius.tokenchallengestring.onetokenrequirespinupdate
    This is one of eight properties related to the challenge a token user sees and applies only to tokens that support token PINs. Not needed for Entrust tokens. Add this property if you want to alert the user that the static token PIN for a token needs an update. It takes effect when the user has just one token. The message is appended to the token challenge string message. The format of the string is tailored to this scenario: The static PIN for the token with serial number {0} needs to be updated.

identityguard.igradius.tokenchallengestring.twotokensrequirespinupdate
    This is one of eight properties related to the challenge a token user sees and applies only to tokens that support token PINs. Not needed for Entrust tokens. Add this property if you want to alert the user that the static token PINs for the current and pending token need an update. The message is appended to the token challenge string message. The format of the string is tailored to this scenario: The static PINs for the tokens with serial number {0} and {1} need to be updated.
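The precedence rules spread over the challenge-string rows above (scenario-specific property if set, otherwise the default property, otherwise the built-in text, with {0}/{1}/{2} filled in at display time and the PIN-update notice appended for token users) are easier to verify in code. The block below is an added example, not Entrust's implementation: property names and built-in defaults are the ones listed in Table 24, while the sample property values, serial numbers and user states are constructed here.

```python
"""Which challenge message a Radius proxy user sees.

Added example (not Entrust code) modelling the Table 24 rules for the six
grid-challenge properties and the eight token-challenge properties.
"""
import re

PREFIX = "identityguard.igradius."
# Built-in texts from the table, used when not even the default property is set.
GRID_BUILTIN = "Enter the response for IdentityGuard challenge {0}."
TOKEN_BUILTIN = "Enter the response from your Entrust IdentityGuard token."

# (number of cards or tokens, has a valid PIN) -> suffix of the scenario property
GRID_SCENARIOS = {
    (2, True): "twocardswithpin", (2, False): "twocardsnopin",
    (1, True): "onecardwithpin", (1, False): "onecardnopin",
    (0, True): "nocardwithpin",
}
TOKEN_SCENARIOS = {
    (2, True): "twotokenswithpin", (2, False): "twotokensnopin",
    (1, True): "onetokenswithpin", (1, False): "onetokennopin",  # spelled as in the table
    (0, True): "notokenswithpin",
}
_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def fill(template, *values):
    """Replace {n} with values[n]; a placeholder with no value is left as-is."""
    return _PLACEHOLDER.sub(
        lambda m: values[int(m.group(1))] if int(m.group(1)) < len(values) else m.group(0),
        template)


def _pick(props, base, builtin, scenarios, state):
    """Scenario property if set, else the default property, else the built-in text."""
    default = props.get(PREFIX + base) or builtin
    suffix = scenarios.get(state)
    if suffix is None:
        # No row for this state (no card/token and no PIN): the table leaves it to
        # identityguard.igradius.skipauth.noactive, so fall back to the default text.
        return default
    return props.get(f"{PREFIX}{base}.{suffix}") or default


def grid_challenge(props, challenge, serials, has_pin):
    """Message for a grid user; None when there is no challenge to send."""
    if not challenge:
        return None  # "If there is no value for {0}, no challenge is sent."
    serials = list(serials)[:2]  # never more than the current and pending card
    template = _pick(props, "challengestring", GRID_BUILTIN,
                     GRID_SCENARIOS, (len(serials), has_pin))
    return fill(template, challenge, *serials)


def token_challenge(props, serials, has_pin, pin_update=False):
    """Message for a token user, plus the static-PIN update notice if configured."""
    serials = list(serials)[:2]
    template = _pick(props, "tokenchallengestring", TOKEN_BUILTIN,
                     TOKEN_SCENARIOS, (len(serials), has_pin))
    message = fill(template, *serials)
    if pin_update and serials:
        suffix = "onetokenrequirespinupdate" if len(serials) == 1 else "twotokensrequirespinupdate"
        notice = props.get(f"{PREFIX}tokenchallengestring.{suffix}")
        if notice:
            message = f"{message} {fill(notice, *serials)}"
    return message


# Constructed sample configuration: only some scenario properties are set.
SAMPLE_PROPS = {
    PREFIX + "challengestring":
        "Enter a response to the challenge {0} using cards with serial number {1} or {2}",
    PREFIX + "challengestring.onecardnopin":
        "Enter a response to the challenge {0} using a card with serial number {1}",
    PREFIX + "tokenchallengestring.onetokenswithpin":
        "Enter the response to the token with serial number {0} or your temporary PIN",
    PREFIX + "tokenchallengestring.onetokenrequirespinupdate":
        "The static PIN for the token with serial number {0} needs to be updated.",
}

if __name__ == "__main__":
    print(grid_challenge(SAMPLE_PROPS, "[A1] [B2] [C3]", ["1234"], False))
    print(grid_challenge(SAMPLE_PROPS, "[A1] [B2] [C3]", ["1234", "2345"], True))
    print(token_challenge(SAMPLE_PROPS, ["92776"], True, pin_update=True))
    print(token_challenge({}, ["92776"], False))
```

The second call shows why the default property matters: twocardswithpin is not set in the sample, so the user with two cards and a PIN gets the default text, which never mentions the PIN.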
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.skipauth.noexist
    Specifies how to deal with users who do not exist in Entrust IdentityGuard. If set to true, the user can log in without being prompted for Entrust IdentityGuard authentication. If set to false, the user login attempt generates an error. If not specified, it defaults to false.

identityguard.igradius.skipauth.noactive
    Sets how to deal with users who exist in Entrust IdentityGuard but who do not have an active card or a temporary PIN. If set to true, the user can log in without being prompted for Entrust IdentityGuard authentication. If set to false, the user login attempt generates an error. If not specified, it defaults to false.

identityguard.igradius.msglog.enabled
    If set to true, Radius messages are logged to the file specified by the property identityguard.igradius.msglog.file (described below). Default is false.

identityguard.igradius.msglog.file
    Provides the name of the file that logs Radius messages. If the property does not provide an absolute path name, the file is created in $IDENTITYGUARD_HOME/logs or <IG_INSTALL_DIR>\identityguard81\logs. If you enable logging on the property identityguard.igradius.msglog.enabled (described above) but this property is not set or is not a valid file name, it generates errors and sends them to the system log.

identityguard.igradius.vpnrequests
    Provides the size of the VPN state table, that is, the number of outstanding requests from the VPN. If not specified, it defaults to 1000.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.vpnrequiremsgauth
    If this property is set to true, incoming messages from the VPN server must include the Message-Authenticator attribute. If the attribute is not found, the message is ignored. If not specified, it defaults to false.

identityguard.igradius.vpntimeout
    Provides the number of seconds that the Radius proxy will wait for a response from the VPN server. If not specified, it defaults to 180 seconds.

identityguard.igradius.radiustimeout
    Provides the number of seconds that the Radius proxy will wait for a response from the Radius server. If not specified, it defaults to 10 seconds.

identityguard.igradius.radiusrequiremsgauth
    If this property is set to true, incoming messages from the Radius server must include the Message-Authenticator attribute. If the attribute is not found, the message is ignored. If not specified, it defaults to false.

identityguard.igradius.vpnincludemsgauth
    This determines if outgoing messages to the VPN server include the Message-Authenticator attribute. Set this to false if the VPN server does not understand the attribute and rejects messages as a result. If not specified, it defaults to true.

identityguard.igradius.radiusincludesmsgauth
    This determines if outgoing messages to the Radius server include the Message-Authenticator attribute. Set this to false if the Radius server does not understand the attribute and rejects messages as a result. If not specified, it defaults to true.

identityguard.igradius.radius.{0}.address
    This is the Radius server address. It is set when you configure the Radius server. The {0} placeholder is replaced by the Radius server name.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.radius.{0}.secret
    This is the Radius server secret set when you configure the Radius server. The value is usually encrypted. The {0} placeholder is replaced by the Radius server name.

identityguard.igradius.vpn.{0}.charset
    This specifies the character set used to decode user names sent by the VPN server and encode messages sent back to the server. Allowed values are UTF-8 and ISO-8859-1. If not specified, the Radius proxy expects UTF-8. The character set is only a concern when extended characters are part of the names. The {0} placeholder is replaced by the VPN server label.

identityguard.igradius.vpn.{0}.group
    This optional setting specifies the group the VPN server is associated with. The {0} placeholder is replaced by the VPN server label. For information on using this and other VPN property options, see Configuring the Radius proxy for groups on page 175.

identityguard.igradius.vpn.{0}.host
    This is the host of the VPN server set when you configure the Radius server. The {0} placeholder is replaced by the VPN server label.

identityguard.igradius.vpn.{0}.igport
    This optional setting specifies the port the VPN server is associated with. The {0} placeholder is replaced by the VPN server label.

identityguard.igradius.vpn.{0}.processbackslash
    Converts group and user name pairs in the form group\name coming through the Radius proxy into the form group/name.

identityguard.igradius.vpn.{0}.processat
    Converts group and user name pairs in the form name@group coming through the Radius proxy into the form group/name.

identityguard.igradius.vpn.{0}.radius
    This specifies the Radius server associated with the VPN server. The {0} placeholder is replaced by the VPN server label.

identityguard.igradius.vpn.{0}.secret
    This is the VPN server secret set when you configure the Radius server. The value is usually encrypted. The {0} placeholder is replaced by the VPN server label.
Table 24: Radius proxy configuration settings (continued)

identityguard.igradius.vpn.{0}.useradius
    This stores the results of the prompt for the type of first-factor authentication resource to use. When set to true, Radius is used. When set to false, an external authentication resource is used. The {0} placeholder is replaced by the VPN server label. If not specified, it defaults to true.
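Table 24 says only that with identityguard.igradius.vpnrequiremsgauth or identityguard.igradius.radiusrequiremsgauth set to true a message lacking the Message-Authenticator attribute is ignored; it does not describe what the attribute protects. The block below is an added example, not the proxy's code: it implements the RFC 2869 Message-Authenticator calculation (an HMAC-MD5 over the whole RADIUS packet keyed with the shared secret, computed with the attribute's own value zeroed) so you can see that a packet altered or forged by a peer without the secret fails the check, which is the reason to require the attribute on both links. The shared secret, identifier and user name are constructed values; the function names are this example's own.

```python
"""RADIUS Message-Authenticator check (RFC 2869, section 5.14).

Added example (not Entrust code). Builds an Access-Request carrying the
attribute and verifies it the way a receiver that requires it would.
"""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
MAC_LEN = 16


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute list")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 2 + MAC_LEN:
                raise ValueError("Message-Authenticator must be 16 octets")
            return pos + 2
        pos += length
    return None


def build_access_request(secret, identifier, user_name, authenticator=None):
    """Build an Access-Request carrying User-Name and Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user_name.encode("utf-8"))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MAC_LEN)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + authenticator + attrs
    # The HMAC is computed with the attribute value zeroed, then written in place
    # (the attribute is the last one in this packet, so it occupies the final 16 bytes).
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-MAC_LEN] + mac


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """Return True only if the packet carries a valid Message-Authenticator.

    For responses (Access-Accept/Reject/Challenge) pass the authenticator of
    the matching request: their HMAC is computed over the request's
    authenticator, not the response's own.
    """
    if len(packet) < HEADER_LEN:
        return False
    (declared_len,) = struct.unpack("!H", packet[2:4])
    if declared_len != len(packet):
        return False
    try:
        offset = _find_message_authenticator(packet)
    except ValueError:
        return False
    if offset is None:
        return False  # attribute absent: what requiremsgauth=true causes the proxy to ignore
    received = packet[offset:offset + MAC_LEN]
    zeroed = bytearray(packet)
    zeroed[offset:offset + MAC_LEN] = b"\x00" * MAC_LEN
    if request_authenticator is not None:
        zeroed[4:HEADER_LEN] = request_authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed value
    pkt = build_access_request(SECRET, 7, "alice")
    print("valid:", verify_message_authenticator(pkt, SECRET))
    print("wrong secret:", verify_message_authenticator(pkt, b"other"))
```

Note that the check only proves the peer knows the shared secret for that link; the vpn.{0}.secret and radius.{0}.secret values in this table are what it relies on, so each link should have its own secret.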
Table 25: Radius proxy configuration settings for external authentication (continued)

identityguard.externalauth.kerberos.realm
identityguard.externalauth.kerberos.realm.<group>
    If you are using a domain controller, specify the server acting as the Kerberos realm. Give the DNS name in uppercase. When specified without a group name, it creates the global or default setting for users. When specified with an Entrust IdentityGuard group name, it sets the realm to use for members of that group.
    Note: When you specify this property, you also need to include the server information for the KDC server in the igkrb5.conf file located:
    on UNIX, in $IDENTITYGUARD_HOME/etc/
    on Windows, in <IG_INSTALL_DIR>\etc\
    For more information, see Configuring Entrust IdentityGuard for external authentication on page 202.

identityguard.externalauth.kerberos.kdc
identityguard.externalauth.kerberos.kdc.<group>
    Obsolete.
Table 26: Token properties

identityguard.token.impl
    Refers to the class name of the token library. For Entrust tokens, the property either does not exist or is blank. For Entrust tokens, there is an implied default of:
    com.entrust.identityGuard.common.token.activIdentity.ActiveIdentityTokenManager
    For other token vendors, add this property and set it to the applicable class name.

identityguard.token.configfile
    Names the token configuration file, if used. Choose a name, such as token.conf, and place it:
    on UNIX, in $IDENTITYGUARD_HOME/etc/
    on Windows, in <IG_INSTALL_DIR>\etc\
identityguard.webadmin.bulk.inMemoryThreshold
identityguard.webadmin.url
identityguard.export.dir
Note: When upgrading Entrust IdentityGuard Server from version 7.2, all existing administrators are assigned to the new default role and group in Entrust IdentityGuard 8.1. There were no roles or groups in 7.2.

Topics in this appendix:
Upgrading Entrust IdentityGuard Server 7.2 to 8.1 on page 299
Upgrading Entrust IdentityGuard Server from 8.0 to 8.1 on page 302
either the Entrust IdentityGuard Directory Configuration Guide or the Entrust IdentityGuard Database Configuration Guide.
2 Download the Entrust IdentityGuard 8.1 software. To do so, complete the steps in Downloading Entrust IdentityGuard software on page 21.
3 Follow the instructions under Installing Entrust IdentityGuard Server on page 33.
4 The Entrust IdentityGuard installation detects version 7.2 and displays the following prompt:
Entrust IdentityGuard 7.2 is installed. Do you wish to install Entrust IdentityGuard 8.1 and upgrade the 7.2 data? [yes or no]
Enter yes to continue with the upgrade. You are prompted to manually back up your configuration settings.
5 Manually back up your configuration settings if the master key file is not in the default location ($IDENTITYGUARD_HOME/etc/masterkeys.enc). When you upgrade Entrust IdentityGuard, a copy of the existing configuration is made (so you can restore it later in this installation procedure) only if this file is in the default location.
Attention: If you want to override the default configuration, do not store the configuration settings under $IDENTITYGUARD_HOME. During an upgrade, this directory is deleted and reinstalled.
6 The Java Runtime Environment is upgraded and you can reinstall the Application server.
Installing Java Runtime Environment... Installing j2re-1_4_2_09-linux-i586.bin... Installing Tomcat... Tomcat has already been installed. Do you wish to reinstall it? [yes or no]
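Step 5 leaves two things to the administrator: knowing whether the installer will back the configuration up by itself (only when the master key file is at $IDENTITYGUARD_HOME/etc/masterkeys.enc) and keeping any manual copy outside $IDENTITYGUARD_HOME, since that tree is deleted during the upgrade. The following script is an added example, not part of the Entrust installer: it copies the etc directory to a backup location, refuses a location under $IDENTITYGUARD_HOME, and reports whether the master key file is in its default place. The function names, the backup layout and the throwaway install tree built by demo() are this example's own.

```python
"""Pre-upgrade configuration backup check for an Entrust IdentityGuard install.

Added example (not Entrust code). Encodes the two rules from step 5:
the installer's automatic backup depends on masterkeys.enc being in the
default location, and nothing under $IDENTITYGUARD_HOME survives the upgrade.
"""
import shutil
from pathlib import Path

MASTER_KEY_REL = Path("etc") / "masterkeys.enc"  # default location named in the guide


def preupgrade_backup(ig_home, backup_dir):
    """Copy <ig_home>/etc to <backup_dir>/etc and report on the master key file.

    Returns a dict:
      master_key_in_default_location - True when the installer will back the
                                       configuration up by itself
      backed_up                      - files copied, as paths relative to etc
    Raises ValueError if backup_dir lies under ig_home, because the upgrade
    deletes and reinstalls that directory.
    """
    ig_home = Path(ig_home).resolve()
    backup_dir = Path(backup_dir).resolve()
    if backup_dir == ig_home or ig_home in backup_dir.parents:
        raise ValueError("backup directory must not be under $IDENTITYGUARD_HOME")
    etc_dir = ig_home / "etc"
    if not etc_dir.is_dir():
        raise FileNotFoundError(f"{etc_dir} does not exist")
    shutil.copytree(etc_dir, backup_dir / "etc", dirs_exist_ok=True)  # Python 3.8+
    copied = sorted(str(p.relative_to(etc_dir)) for p in etc_dir.rglob("*") if p.is_file())
    return {
        "master_key_in_default_location": (ig_home / MASTER_KEY_REL).is_file(),
        "backed_up": copied,
    }


def demo():
    """Run the check against a constructed throwaway install tree.

    Returns (report, rejected): the report for a backup outside the install
    tree, and whether a backup inside it was refused.
    """
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "identityguard"
        (home / "etc").mkdir(parents=True)
        # constructed sample file; no masterkeys.enc, so the installer would not
        # back this configuration up automatically
        (home / "etc" / "identityguard.properties").write_text(
            "log4j.rootLogger=WARN, SYSTEM_FILELOG\n")
        report = preupgrade_backup(home, Path(tmp) / "ig-backup")
        try:
            preupgrade_backup(home, home / "backup")
            rejected = False
        except ValueError:
            rejected = True
        return report, rejected


if __name__ == "__main__":
    print(demo())
```

Run it with the real $IDENTITYGUARD_HOME and a backup path on another filesystem before starting step 3; if master_key_in_default_location is False, the copy it made is the only one you will have.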
The installation creates the Entrust IdentityGuard service and the Entrust IdentityGuard Radius service:
Creating igradius service...
When the installation is complete, Entrust IdentityGuard prompts you to restore your existing configuration data.
Configuration data from the existing installation has been backed up. If you wish, you can configure a new server or restore the existing configuration data and upgrade it to 8.1. If you don't restore the existing configuration data, all existing data will be removed. Do you wish to restore the existing configuration data? [yes or no]
To retain your Entrust IdentityGuard data, answer yes. This message appears:
Configuration parameters restored.
To configure a new server, answer no. When you answer no, all of your previous configuration data is removed. You must complete the configuration and initialization procedures:
Configuring the primary Entrust IdentityGuard Server on page 36
Initializing the primary Entrust IdentityGuard Server on page 47
After initialization is complete, continue to Step 11 in this procedure.
10 You may be prompted to configure the Entrust IdentityGuard Radius proxy. Continue from Step 4 in To configure the Radius proxy on UNIX on page 180.
11 When you are finished, Entrust IdentityGuard displays:
PERFORMING UPGRADE
To complete the upgrade of the first instance of Entrust IdentityGuard Server, answer PRIMARY. Answer REPLICA to upgrade the rest of your instances of Entrust IdentityGuard Server.
12 You are prompted to log in with your master user name and password to complete the upgrade.
A master user must login to complete the upgrade. Userid: Password:
When you have successfully logged in, the following message appears:
Upgrade complete.
Note: If the upgrade fails, ensure that your repository schema was upgraded. After you upgrade the repository schema, you can continue with the Entrust IdentityGuard upgrade by running the master user shell (supersh) command system upgrade.
13 You are prompted to save a backup of your configuration data.
Do you wish to keep the backup copy of configuration data? [yes or no]
If you answer yes, Entrust IdentityGuard displays the location of the saved configuration data. Your upgrade is now installed. You are prompted to set up the sample application. Proceed to Configuring the sample application on UNIX on page 51.
Enter yes to continue with the upgrade.
5 The Entrust IdentityGuard installation detects the Java Runtime Environment and displays the following prompt:
Installing Java Runtime Environment... Java Runtime Environment has already been installed. Do you wish to reinstall it? [yes or no]
The installation detects the Application server and displays the following prompt:
Installing Tomcat... Tomcat has already been installed. Do you wish to reinstall it? [yes or no]
The installation creates the Entrust IdentityGuard service and the Entrust IdentityGuard Radius service:
Creating igradius service...
If you answer no, you can enable automatic startup later (using chkconfig igradius reset, when logged in as root).
9 When the installation is complete, Entrust IdentityGuard prompts you to restore your configuration data.
Installation complete. Configuration data from the existing installation has been backed up. If you wish, you can configure a new server or restore the existing configuration data and upgrade it to 8.1. If you don't restore the existing configuration data, all existing data will be removed. Do you wish to restore the existing configuration data? [yes or no] yes
10 To retain your Entrust IdentityGuard data, answer yes. This message appears:
Configuration parameters restored.
To configure a new server, answer no. When you answer no, all of your previous configuration data is removed. You must complete the configuration and initialization procedures:
Configuring the primary Entrust IdentityGuard Server on page 36
Initializing the primary Entrust IdentityGuard Server on page 47
After initialization is complete, continue to Step 12 in this procedure.
11 You may be prompted to configure the Entrust IdentityGuard Radius proxy. Continue from Step 4 in To configure the Radius proxy on UNIX on page 180.
Upgrading Entrust IdentityGuard Server on Linux
To complete the upgrade of the first instance of Entrust IdentityGuard Server, answer PRIMARY. Answer REPLICA to upgrade the rest of your instances of Entrust IdentityGuard Server.
13 You are prompted to log in with a master user name and password to complete the upgrade. For example, Master1.
A master user must login to complete the upgrade. Userid: Password:
When you have successfully logged in, the following message appears:
Upgrade complete.
Note: If the upgrade fails, ensure that your repository schema was upgraded. After you upgrade the repository schema, you can continue with the Entrust IdentityGuard upgrade by running the master user shell (supersh) command system upgrade.
14 You are prompted to save a backup of your configuration data.
Do you wish to keep the backup copy of the configuration data? [yes or no]
If you answer yes, Entrust IdentityGuard displays the location and the file name of the saved configuration data. Your upgrade is now installed.
Loading preproduced card data
Load all preproduced card data before attempting any card-related operations. For information about loading token data, see the Entrust IdentityGuard Administration Guide.

Locating the sample admin ID and password
The sample Web application installs with an admin ID and password for the administrator. Use only the admin ID and password. Locate the admin ID and password in igsample.properties in <IDENTITYGUARD_INSTALL>\etc\ or <IG_INSTALL_DIR>\identityguard81\etc

Using passwords
The password field and user name field simulate the primary authentication mechanism of the sample bank's Web site. The password field in the sample Web application is for demonstration purposes only and is nonfunctional.

To complete the procedures in this appendix, you must modify the samplepolicy's generic and machine authentication-type settings. For information about modifying policy settings using the master user shell, see the Entrust IdentityGuard Administration Guide.
Access the configured sample Web application from a Web browser.

To access the sample Web application from a URL
Enter one of the following URLs:
https://<FQDN>:<httpsport>/IdentityGuardSampleApp
or
http://<FQDN>:<httpport>/IdentityGuardSampleApp
where:
<FQDN> is the fully qualified domain name for the Entrust IdentityGuard host.
<httpsport> is the sample application HTTPS port (default 8443, if using the embedded Tomcat server).
<httpport> is the sample application HTTP port (default 8080, if using the embedded Tomcat server).
For example:
https://igserver.mycompany.com:8443/IdentityGuardSampleApp
http://igserver.mycompany.com:8080/IdentityGuardSampleApp
To access the sample Web application from the Windows start menu
Click Start > All Programs > Entrust > IdentityGuard > Sample Application. The sample Web application opens in your default browser. By default, the interface opens at the User registration Sign in page.
Registering as a user
Note: The sample Web application's policy, samplepolicy, installs with the default settings of GRID QA OTP TOKENRO for both the generic and machine authentication-types. The sample Web application uses only the first authentication-type setting listed for both the generic and machine authentication-types. A master user can modify the default settings in the master user shell. For example, to register a sample end user to authenticate using tokens, the master user must modify the policy setting for the generic authentication-type to appear as: TOKENRO GRID QA OTP.

To access the Any Bank Web site, a sample end user must register an account with Entrust IdentityGuard. The end user must register contact information, a personal image, and a personal caption for use in future authentication challenges. Assuming the role of a sample end user:
register your account with Any Bank
have a card or token issued to you
optionally, configure question-and-answer authentication secrets.
To register as a sample user
1 Select User registration from the main page of the interface. The Sign in page appears.
2 Enter a user name and password.
3 Click Continue. The Entrust IdentityGuard user creation page appears displaying your user name.
4 Optionally, enter a valid email address and phone number.
Note: The administrator or application uses this information to deliver a one-time password (OTP) to the end user. In a real-life scenario, a valid email address must be entered if the policy setting for the generic type is set to OTP and email is used to deliver the OTP.
5 Click Continue to select an image.
6 Optionally, click here to choose another image from the Entrust IdentityGuard image library or to upload an image. The Entrust IdentityGuard image caption page appears.
The previous two pages demonstrate two types of organization authentication: image and message replay authentication. For more information on image and message replay authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
7 Enter a caption for the image. For example, hammer. Entrust IdentityGuard displays your image and caption at login.
8 Optionally, click Change to select a different image or upload an image.
9 Click Continue.
If the policy setting for the generic authentication-type is set to GRID, go to To register with GRID as the policy setting.
If the policy setting for the generic authentication-type is set to QA, go to To register with QA as the policy setting.
If the policy setting for the generic authentication-type is set to OTP, go to To register with OTP as the policy setting.
If the policy setting for the generic authentication-type is set to TOKENRO, go to To register with TOKENRO as the policy setting.
310
To register with GRID as the policy setting
Note: The following procedure has the generic authentication-type set to GRID in the samplepolicy. The setting appears as: GRID QA OTP TOKENRO.
1 The Entrust IdentityGuard card creation page appears.
This page allows the end user to request a card. Entrust IdentityGuard provides two models for card production: produce-and-assign and preproduction cards. For more information about card and grid production models, see the Entrust IdentityGuard Deployment Guide.
2 Click Request a card to make Entrust IdentityGuard create the grid for a produced-and-assign card. You can view this grid using the Administration interface or the master user shell. You must activate the card before using the card to authenticate to Entrust IdentityGuard. For more information about card activation, see Activating a card on page 315. A page appears stating that your user account was successfully registered.
3 Click I already have a card if you possess a preproduced card. You must activate the card before using the card to authenticate to Entrust IdentityGuard. For more information about card activation, see Activating a card on page 315. A page appears stating that your user account was successfully registered.

To register with QA as the policy setting
Note: The following procedure has the generic authentication-type set to question and answer in the samplepolicy. The setting appears as: QA OTP TOKENRO GRID.
The user can create authentication secrets from a list of predefined questions. The sample Web application installs with six predefined questions; however, Entrust IdentityGuard allows organizations to select a number of authentication secrets for each user and to prompt for all answers or a subset of the answers. For more information about knowledge-based authentication and creating good questions, see the Entrust IdentityGuard Deployment Guide.
2 Select a different question from each drop-down list. For example, What was the name of your high school?
3 Enter an answer to each question.
4 Click Continue. A page appears stating that your user account was successfully registered.
To register with OTP as the policy setting
Note: The following procedure has the generic authentication-type set to one-time password in the samplepolicy. The setting appears as: OTP TOKENRO GRID QA.
A page appears stating that your user account has been successfully registered.
The OTP authentication-type does not require any additional user setup or activation.

To register with TOKENRO as the policy setting
Note: The following procedure has the generic authentication-type set to token in the samplepolicy. The setting appears as: TOKENRO GRID QA OTP.
The Entrust IdentityGuard token registration page appears.
The user can proceed with token registration or defer token registration. You can configure the policy for the sample Web application to support token PINs or to not support token PINs.
For more information on token registration without token PIN support enabled, see To register a token on page 317. For more information on token registration with token PIN support enabled, see To register a token with token PIN support enabled on page 319.
Activating a card
A sample end user of the Any Bank Web site must activate a card before accessing a bank account. When a sample end user requests a card, it is assigned to the end user in a hold-pending state. Do not use a card in the hold-pending state to authenticate to Entrust IdentityGuard. An administrator must activate a card by changing the state of the card to current or pending. The end user can then use the card to authenticate to Entrust IdentityGuard. Assuming the role of a sample end user, use the sample Web application to activate your card and access your Any Bank account. Note: If required, use the Administration interface or the master user shell to access the grid information for a card.
To activate a user card
1 Select Card activation from the main menu of the interface. The Sign in page appears.
2 Enter your user name and password.
3 Click Continue to begin the card activation process.
4 Enter the serial number of either your preproduced or produced-and-assign card. Optionally, click Request a card to have a produced-and-assign card deployed to you. For more information, see To register as a sample user on page 308.
5 Click Activate. Another Entrust IdentityGuard card activation page appears displaying the serial number.
6 Enter the specified grid coordinates. Grid authentication is a second-factor authentication method that challenges the end user to enter a set of grid coordinates on a printed card. For more information on grid authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
7 Click Continue. A message appears stating that your card has been activated.
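The activation step above asks the end user for the characters at a set of grid coordinates. The following is an added example, not Entrust code, that models a produced grid card and shows both challenge generation algorithms named in the glossary (random selection and least-used-cell selection) together with a constant-time response check. The card size of 5 rows by 10 columns, the alphanumeric character set, the three-cell challenge length and the "A3"-style coordinate labels are assumptions; the product's real card characteristics are set by its card specification attributes.

```python
"""Grid-card challenge generation and response checking (added example, not Entrust code)."""
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # assumed card character set
_RNG = secrets.SystemRandom()                         # OS-backed randomness for cards and challenges


class GridCard:
    """A produced card: cells[row][col] is one printed character."""

    def __init__(self, cells):
        self.cells = cells
        # Per-cell counter of how often the cell has been issued in a challenge;
        # this is what least-used-cell selection consults.
        self.use_count = {(r, c): 0 for r in range(len(cells)) for c in range(len(cells[0]))}

    @classmethod
    def produce(cls, rows=5, cols=10):
        return cls([[_RNG.choice(ALPHABET) for _ in range(cols)] for _ in range(rows)])

    @staticmethod
    def label(cell):
        """Human-readable coordinate, column letter then row number: (2, 0) -> 'A3' (assumed style)."""
        r, c = cell
        return f"{string.ascii_uppercase[c]}{r + 1}"


def random_challenge(card, size):
    """Random challenge generation: `size` distinct cells chosen uniformly."""
    return _RNG.sample(sorted(card.use_count), size)


def least_used_challenge(card, size):
    """Least-used-cell challenge generation: the `size` cells issued the fewest times so far.
    Cells are shuffled before a stable sort so that ties are broken randomly."""
    cells = sorted(card.use_count)
    _RNG.shuffle(cells)
    cells.sort(key=lambda cell: card.use_count[cell])
    return cells[:size]


def issue_challenge(card, size=3, strategy="least-used"):
    """Pick cells with the chosen strategy and record that they were issued."""
    pick = least_used_challenge if strategy == "least-used" else random_challenge
    challenge = pick(card, size)
    for cell in challenge:
        card.use_count[cell] += 1
    return challenge


def expected_response(card, challenge):
    """The string the card holder should type for this challenge."""
    return "".join(card.cells[r][c] for r, c in challenge)


def verify_response(card, challenge, response):
    """Compare the whole response in constant time; never reveal which cell was wrong."""
    candidate = "".join(response.split()).upper().encode()
    return hmac.compare_digest(expected_response(card, challenge).encode(), candidate)


if __name__ == "__main__":
    card = GridCard.produce()
    challenge = issue_challenge(card)
    print("Enter cells:", ", ".join(GridCard.label(c) for c in challenge))
    print("Valid response would be:", expected_response(card, challenge))
```

Counting a cell as used when the challenge is issued, not when it is answered, is deliberate: an abandoned challenge still exposed those cells to anyone watching the screen, so least-used selection should move on from them.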
Registering a token
Attention: Before you can register a token, load the token data and assign the token data to the group, samplegroup. For more information on loading token data, see Preparing to use the sample Web application on page 306.
Note: The following procedure has the generic authentication-type set to token in the samplepolicy. The setting appears as TOKENRO GRID QA OTP.
A sample end user of the Any Bank Web site may log in using token authentication, a second-factor authentication method that challenges a sample end user to respond using a token-generated dynamic password. Entrust IdentityGuard can be configured to issue challenges requiring end users to respond using a dynamic password or to respond using a token PIN in conjunction with a dynamic password. For more information about configuring token authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
Assuming the role of a sample end user, register a token for use in future authentication requests to Entrust IdentityGuard. For tokens that do not support token PINs, see To register a token on page 317. For tokens that support token PINs, see To register a token with token PIN support enabled on page 319.
To register a token
1 Select Token registration from the main menu of the interface.
2 Enter your user name and password.
3 Click Continue to begin the token registration process. The Entrust IdentityGuard token registration page appears.
4 Enter the token serial number.
5 Click Register. A token is assigned to a sample end user in a hold-pending state.
6 Enter the token-generated dynamic password as the response.
7 Click Continue. A message appears stating that your token has been successfully registered.
To register a token with token PIN support enabled
The Entrust IdentityGuard token registration page appears.
1 Enter the token serial number.
2 Click Register. A token is assigned to a sample end user in a hold-pending state.
3 Choose and confirm a token PIN between four and eight digits in length. For example, your token PIN could be 1234. This token PIN is used in combination with a dynamic password for future authentication challenges.
4 Click Continue. The Entrust IdentityGuard token registration page appears requesting the input of a token response.
5 Enter the token PIN and the token-generated dynamic password. For example, if the token PIN value is 1234, and the token-generated string is 567890, enter 1234567890 as the authentication challenge response.
6 Click Continue. A message appears stating that your token has been successfully registered.
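The response in step 5 is the PIN and the dynamic password typed as one string. Because the PIN may be anywhere from four to eight digits, a verifier can only split that string if it knows the dynamic password length. The following is an added example, not Entrust code, showing the registration-time PIN check and a verifier that splits and checks the combined response; the six-digit dynamic password length is an assumption taken from the 567890 example above, and the stored PIN and current token code are supplied by the caller.

```python
"""Checking a '<token PIN><dynamic password>' response (added example, not Entrust code)."""
import hmac

PIN_MIN_LEN, PIN_MAX_LEN = 4, 8   # PIN length range stated in the procedure
OTP_LEN = 6                       # assumption: dynamic passwords are six digits, as in the example


def validate_new_pin(pin, confirmation):
    """Registration-time check: numeric, 4 to 8 digits, and both entries match."""
    if pin != confirmation:
        return False
    return pin.isdigit() and PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN


def split_response(response, otp_len=OTP_LEN):
    """Return (pin, dynamic_password), or None if the string cannot be a valid response.
    The dynamic password is the fixed-length tail; whatever precedes it must be a legal PIN."""
    digits = "".join(response.split())
    if not digits.isdigit():
        return None
    pin_len = len(digits) - otp_len
    if not PIN_MIN_LEN <= pin_len <= PIN_MAX_LEN:
        return None
    return digits[:pin_len], digits[pin_len:]


def check_token_response(response, stored_pin, current_code):
    """Verify PIN and dynamic password together. Both comparisons are constant-time and
    both always run, so a rejection does not reveal which half was wrong."""
    parts = split_response(response)
    if parts is None:
        return False
    pin, code = parts
    pin_ok = hmac.compare_digest(pin.encode(), stored_pin.encode())
    code_ok = hmac.compare_digest(code.encode(), current_code.encode())
    return pin_ok and code_ok
```

A production verifier would hold the PIN in hashed form rather than in the clear; the comparison structure (parse first, then compare both parts without short-circuiting) stays the same.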
3 Be sure to check Remember me on this machine. This initiates machine authentication.
4 Click Continue. The Entrust IdentityGuard Machine registration page appears displaying the serial number of your token.
This page demonstrates a type of machine authentication that uses a token password and token PIN as the default method of authentication. The end user must enter a token PIN and a dynamic password in response to the authentication challenge. If the primary method of authentication was grid, this page would display a grid authentication challenge. For more information on machine authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
5 Enter the token PIN and the dynamic password. For example, if the token PIN value is 1234, and the dynamic password is 567890, you must enter 1234567890 as the authentication challenge response.
6 Click Continue. The Entrust IdentityGuard Application authentication page appears displaying your image and caption.
This page demonstrates image and message replay authentication, a method of organization authentication. For more information on image and message replay authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
7 Enter your password.
8 Click Login. Your sample bank account page appears. You have established machine authentication. Future log in attempts will not require you to authenticate to Entrust IdentityGuard.

To log in with established machine authentication
1 From a new browser window, select User sign in from the main page of the interface.
2 Be sure to check Remember me on this machine.
3 Click Continue. The Entrust IdentityGuard Application authentication page appears.
The sample Web application checked that your machine is registered with the Entrust IdentityGuard server. No authentication challenge was issued because your machine was identified as a registered machine.
4 Enter your password.
5 Click Login. Your sample bank account page appears. Once machine authentication is established, second-factor authentication is transparent to the end user associated with a particular computer.
2 Enter your user name.
3 Be sure to disable Remember me on this machine. Uncheck the box to initialize the generic authentication challenge and remove any machine secrets.
4 Click Continue.
Entrust IdentityGuard randomly selects a series of questions.
5 Enter your predefined answers.
6 Click Continue. Your sample bank account page appears.
Enter your one-time password.
Note: The one-time password can be viewed using the Administration interface.
5 Enter the amount to be transferred and the account numbers.
6 Click Transfer. A page appears stating that the funds were transferred successfully.
Uncheck the box to initialize the generic authentication challenge and remove any machine secrets.
4 Click Continue. The Entrust IdentityGuard second-factor authentication page appears.
5 Use the Administration interface to issue yourself a temporary PIN.
6 Click Having problems or lost your Entrust IdentityGuard Card? Another Entrust IdentityGuard second-factor authentication page appears.
Enter the temporary PIN issued to you by email, or get the PIN from the Administration interface or the master user shell. In this example, a sample end user can call a customer support number and have a temporary PIN issued to them. The telephone number on this second-factor authentication page is for demonstration purposes only.
Enter your user name, password, and the specified grid coordinates. This step demonstrates grid authentication. For more information on grid authentication, see the Entrust IdentityGuard Administration Guide.
The Entrust IdentityGuard second-factor authentication page appears displaying the serial number on your card.
This page demonstrates a type of organization authentication called serial number replay authentication. For more information on serial number replay authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
4 Enter the specified grid coordinates. This step demonstrates grid authentication. For more information on grid authentication, see the Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard Administration Guide.
5 Click Continue. Your sample bank account page appears.
Optionally, remove the Entrust IdentityGuard data from the repository. For a database, use the IG_81/sql/drop_v81_schema.sql file in the .tar install package (either IG_81_Linux.tar or the IG_81_Solaris.tar), to remove all Entrust IdentityGuard tables. For a directory, you will need to remove this data manually.
Note: During the Windows uninstall process, Entrust IdentityGuard attempts to create a backup of your Entrust IdentityGuard configuration. If successful, it displays a message listing the location of the backup file. Click OK to continue the uninstall. This occurs only if Entrust IdentityGuard was correctly configured and initialized.
To uninstall Entrust IdentityGuard on WebLogic 8.1
1 Stop the Entrust IdentityGuard services (see Stopping Entrust IdentityGuard Services on WebLogic 8.1 on page 167).
2 Delete the Entrust IdentityGuard services:
a From the WebLogic 8.1 main page, select Deployments > Web Application Modules. The Deploy a Web Application Module page appears showing a list of all deployed Web applications.
b Click the trash can to the right of the Entrust IdentityGuard service. A warning page appears prompting you to confirm that you want to delete the Entrust IdentityGuard service.
c Click Yes. A message appears confirming that the Entrust IdentityGuard service has been deleted.
d Click Continue. You are returned to the page listing deployed applications.
e Repeat Step b to Step d to delete the remaining Entrust IdentityGuard services.
3 Optionally, as the application owner, back up the identityguard.properties file and the masterkeys.enc file (but not the masterkeys.kpf).
4 As root:
a In $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b Delete the installation directory (by default /opt/entrust) by entering:
rm -f -r /opt/entrust
5 Optionally, remove the Entrust IdentityGuard data from the repository. For a database, use the IG_81/sql/drop_v81_schema.sql file in the .tar installation package to remove all Entrust IdentityGuard tables. For a directory, you will need to remove this data manually.
To uninstall Entrust IdentityGuard on WebLogic 9.1
1 Stop the Entrust IdentityGuard services (see Stopping Entrust IdentityGuard Services on WebLogic 9.1 on page 168).
2 Delete the Entrust IdentityGuard services:
a Under Change Center on the WebLogic main page click Lock & Edit.
b Under Domain Structure on the left of the main page click Deployments. The Deployment Summary page appears with a list of Entrust IdentityGuard services.
c Select the check box for the Entrust IdentityGuard services.
d Click Delete. The Delete Application Assistant page appears.
e Click Yes to delete the application(s). You are returned to the Summary of Deployments page.
f Under Change Center on the WebLogic main page click Activate Changes.
3 Optionally, as the application owner, back up the identityguard.properties file and the masterkeys.enc file (but not the masterkeys.kpf).
4 As root:
a In $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b Delete the installation directory (by default /opt/entrust) by entering:
rm -f -r /opt/entrust
5 Optionally, remove the Entrust IdentityGuard data from the repository. For a database, use the IG_81/sql/drop_v81_schema.sql file in the .tar installation package to remove all Entrust IdentityGuard tables. For a directory, you will need to remove this data manually.
To uninstall Entrust IdentityGuard on WebSphere 6.0
1 Stop the Entrust IdentityGuard services (see Stopping Entrust IdentityGuard Services on WebSphere 6.0 on page 169).
2 Delete the Entrust IdentityGuard services:
a From the WebSphere main menu click Applications > Enterprise Applications. The Enterprise Applications page appears.
b Select the service(s) to uninstall and then click Uninstall. The Uninstall Application page appears.
c Click OK. A message appears indicating that changes have been made to your local configuration.
d Click Save to accept the changes. The Enterprise Applications Save page appears.
3 Optionally, as the application owner, back up the identityguard.properties file and the masterkeys.enc file (but not the masterkeys.kpf).
4 As root:
a In $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b Delete the installation directory (by default /opt/entrust) by entering:
rm -f -r /opt/entrust
5 Optionally, remove the Entrust IdentityGuard data from the repository. For a database, use the IG_81/sql/drop_v81_schema.sql file in the .tar installation package to remove all Entrust IdentityGuard tables. For a directory, you will need to remove this data manually.
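Each of the three uninstall procedures above ends with an optional backup of identityguard.properties and masterkeys.enc (but not masterkeys.kpf), followed by rm -f -r on the installation directory, which is irreversible. The following is an added example, not part of the product, of a pre-uninstall check that copies exactly those two files, verifies each copy by SHA-256 and fails loudly if either is missing, so the delete is only run after a verified backup. The directory that holds the files is passed in by the caller because the procedure does not state where they live; the file contents in the demo are constructed.

```python
"""Pre-uninstall backup check (added example, not Entrust code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

KEEP = ("identityguard.properties", "masterkeys.enc")   # files the procedure says to back up
NEVER_COPY = ("masterkeys.kpf",)                         # explicitly excluded by the procedure


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_before_uninstall(config_dir, backup_dir):
    """Copy the KEEP files from config_dir to backup_dir and verify every copy.
    Returns {filename: sha256}; raises rather than returning a partial result."""
    config_dir, backup_dir = Path(config_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    result = {}
    for name in KEEP:
        src, dst = config_dir / name, backup_dir / name
        if not src.is_file():
            raise FileNotFoundError(f"{src} is missing; do not proceed with the uninstall")
        shutil.copy2(src, dst)
        if sha256_of(src) != sha256_of(dst):
            raise RuntimeError(f"copy of {name} does not match the original")
        result[name] = sha256_of(dst)
    for name in NEVER_COPY:
        if (backup_dir / name).exists():
            raise RuntimeError(f"{name} must not be part of the backup")
    return result


def demo():
    """Exercise the check against a constructed layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg, bak = Path(tmp, "etc"), Path(tmp, "backup")
        cfg.mkdir()
        (cfg / "identityguard.properties").write_text("sample.key=constructed\n")  # constructed content
        (cfg / "masterkeys.enc").write_bytes(b"\x00constructed-ciphertext")        # constructed content
        (cfg / "masterkeys.kpf").write_bytes(b"constructed-key-protection")       # must stay behind
        digests = backup_before_uninstall(cfg, bak)
        kpf_copied = (bak / "masterkeys.kpf").exists()
        (cfg / "masterkeys.enc").unlink()   # simulate a missing file on a second run
        try:
            backup_before_uninstall(cfg, Path(tmp, "backup2"))
            missing_detected = False
        except FileNotFoundError:
            missing_detected = True
    return {"files": sorted(digests), "kpf_copied": kpf_copied, "missing_detected": missing_detected}


if __name__ == "__main__":
    print(demo())
```

In practice the returned digests would be recorded alongside the backup so the files can be checked again before a reinstall; the backup directory should be outside /opt/entrust, since that tree is removed in the next step.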
Glossary
active card or token: The card or token that the end user is presently using for authentication.
Administration API: The Java Platform or C# API that applications can use to integrate with the Administration service.
Administration interface: The Web interface used by administrators to manage end users (see end user).
Administration service: The Entrust IdentityGuard Web service responsible for managing administrators, users, cards, tokens, PINs, and so on.
Administration WSDL: The WSDL definition for the Administration service.
administrator: The Entrust IdentityGuard user who manages the day-to-day activity of end users using the Administration service (see end user).
administrator password attributes: The policy attributes that determine the password rules for an administrator. For example, the password length, expiry date, and so on.
alias: An additional unique name for an end user. See also user name.
all grouplist: A predefined grouplist that allows an administrator to manage every Entrust IdentityGuard group.
anonymous authentication: See one-step authentication.
auditor role: A predefined role that has read access to operations available through the Administration service.
authentication: The process of proving your identity, and/or determining the validity of a set of credentials presented to the system.
Authentication API: The Java Platform or C# API that applications can use to integrate with the Authentication service.
authentication secrets: The secrets shared between the organization and the user when organization authentication is configured.
Authentication service: The Entrust IdentityGuard Web service used for retrieving challenge requests and authenticating user responses. Also see Authentication API.
Authentication WSDL: The WSDL definition for the Authentication service.
Canceled state: The state associated with a card or token that a user can no longer use to authenticate.
card: A physical grid that is printed and distributed to users.
cardspec attributes: See card specification attributes.
card specification attributes: The policy attributes that determine the characteristics of a grid for grid authentication. For example, the characters to use in a grid, its expiry based on duration or use, the number of rows and columns, and so on.
cell: A row and column coordinate in a grid.
challenge generation algorithm: An algorithm used to produce the challenge when using grid authentication. Entrust IdentityGuard has two challenge generation algorithms: the least-used cell challenge generation algorithm and the random challenge generation algorithm.
client application: Any application that uses the Authentication API and/or the Administration API to access Entrust IdentityGuard's administration and multifactor authentication capabilities on behalf of the end user.
client authentication: The authentication process whereby users prove their identity to an application, using, for example, Entrust IdentityGuard Server.
Consumer deployment: An Entrust IdentityGuard deployment where the end users are external to the organization (for example, they are customers or partners), and are authenticating to a Web-based application.
credentials: A set of data (for example, a user name and password, grid, or dynamic password) that defines a user to the system.
Current state: The state associated with a card or token that is currently in use.
default role: A predefined role that has access to most operations available through the Administration service.
dynamic password: The random number displayed by a token that changes automatically at regular intervals.
end user: A user who authenticates to Entrust IdentityGuard using one of the available multifactor authentication methods.
A deployment of Entrust IdentityGuard where the end users are internal to the organization (for example, employees) and are authenticating to internal services.
Entrust IdentityGuard: An Entrust product that provides multifactor authentication to increase the security of an online identity.
An Entrust IdentityGuard client that adds second-factor authentication capabilities to the first-factor authentication performed by Microsoft Windows Winlogin and the RAS/IAS servers. See also Entrust IdentityGuard Remote Access Plug-in for Microsoft Windows Servers.
Entrust IdentityGuard Radius proxy: An Entrust IdentityGuard client that adds second-factor authentication capabilities to the first-factor authentication performed by a Radius server or using external authentication.
Entrust IdentityGuard Remote Access Plug-in for Microsoft Windows Servers: An Entrust IdentityGuard client that installs on the RAS and IAS servers to enable Entrust IdentityGuard second-factor authentication for remote Microsoft Windows users.
external authentication: The first-factor authentication provided by Entrust IdentityGuard in a deployment where remote users connect through VPN and no external Radius server exists.
file-based repository: A file containing preproduced cards or unassigned token information that is located on the primary Entrust IdentityGuard Server. Used only when your repository is an LDAP Directory.
first-factor authentication: The first authentication challenge presented to the user. Usually user name and password authentication.
first-factor authentication system: The application which performs first-factor authentication and to which Entrust IdentityGuard is added as the second factor of authentication.
grid: An assortment or table of characters listed in row and column format. See also card.
grid authentication: A second-factor authentication method that challenges a user for a set of grid coordinates or cells.
grid location replay authentication: A type of organization authentication used with grid authentication that requires the organization to display the contents of certain coordinates in the grid once the user has authenticated.
group: A means to organize end users, administrators, tokens, and cards to delegate administrative tasks and assign policy behavior (such as allowed authentication methods).
grouplist: The set of user groups (see group) that an administrator can manage. A master user creates grouplists. See all grouplist and own grouplist.
Hold state: The state associated with an active card or token that an administrator has suspended (because, for example, the user lost the card). While in Hold, a user cannot use the card or token to authenticate. See also Current state.
Hold_pending state: The state associated with a card or token that an administrator has not yet activated. Unlike the Pending state, the end user cannot activate the card and use it for authentication.
identityguard.properties: The Java properties file containing all the configuration settings for a particular Entrust IdentityGuard Server.
image replay authentication: See message or image replay authentication.
initialization: A one-time process completed while setting up Entrust IdentityGuard that provides the system with the license keys and creates the master users, and the master key. If repeated, re-initialization replaces the master key, overwrites policy data already stored in the repository, and renders existing user, preproduced card and unassigned token information unusable.
See master key.
knowledge-based authentication: A second-factor authentication method that challenges a user for correct responses to a series of questions.
An authentication process in which additional authentication challenges are presented for particular transactions that require stronger authentication than the user presently has.
least-used cell challenge generation algorithm: A challenge generation algorithm that uses a configured number of least-used coordinates (cells) when creating the challenge.
machine authentication: An authentication process in which a user is associated with a particular computer through the use of a machine secret. After association, second-factor authentication is transparent for the user on that computer.
machine authentication type list: A list of machine authentication methods assigned to a user, based on their policy.
machine secret: One or more nonces and optional application-provided data that uniquely identify a particular computer.
master key: The key that Entrust IdentityGuard uses to encrypt information stored in the repository.
master key protection file: The file containing the obfuscation key used to access the master key.
master user: The Entrust IdentityGuard user that configures how Entrust IdentityGuard will work in your system. Entrust IdentityGuard has three master users. See master user shell.
master user shell: A command-line interface used by master users to configure Entrust IdentityGuard. See master user.
message or image replay authentication: A type of organization authentication in which the organization displays a predefined message or image either before or after the user has authenticated.
multifactor authentication: An authentication process in which two or more authentication methods are used consecutively to verify a user and often an organization.
mutual authentication: An authentication process in which both the user and the organization verify themselves as legitimate. See also organization authentication and user authentication.
nonce: A random value generated for security purposes.
one-step authentication: An authentication process in which first-factor and second-factor authentication challenges are presented to the end user at the same time. Also referred to as anonymous authentication as the system does not know the identity of the user. Available only when using grid authentication. See also two-step authentication.
one-time password: A set of characters provided to a user out-of-band that can only be used once for authentication. See also out-of-band authentication.
organization authentication: An authentication process in which the organization verifies itself as authentic to the end user. Entrust IdentityGuard supports the following types: grid location replay authentication, message or image replay authentication, and serial number replay authentication.
OTP: See one-time password.
out-of-band authentication: A second-factor authentication method that challenges a user for a one-time password that is sent (for example) to their mobile phone when the challenge occurs.
own grouplist: A predefined grouplist that allows an administrator to manage only the group to which they belong. It is the default grouplist.
passcode list: A list of one-time transaction numbers (TANs) that are distributed to end users (sometimes on a physical card) and used with passcode list authentication.
passcode list authentication: A second-factor authentication method that challenges a user for a passcode that matches a particular number in their passcode list. It is similar to grid authentication.
See administrator password attributes.
Pending state: The state associated with a card or token that a user or administrator has not yet activated. Should an end user use a card or token in this state, it automatically changes to the Current state.
pinspec attributes: See temporary PIN attributes.
policy: A set of attributes that determines the characteristics for each member in a group. A policy is divided into four subsets: administrator password attributes, user specification attributes, card specification attributes, and temporary PIN attributes.
preproduction model: A method of creating cards in which they are created anonymously and assigned to users at a later date. See also produce-and-assign model.
primary Entrust IdentityGuard Server: In a replicated system, this is the Entrust IdentityGuard Server on which the file-based repository is stored. Therefore, it usually also is the Entrust IdentityGuard Server hosting the Administration service to which all instances of the Administration interface connect.
produce-and-assign model: A method of creating cards in which a card is created and assigned to a user in one step. Also see preproduction model.
question and answer authentication: See knowledge-based authentication.
Radius: See Remote Authentication Dial-In User Service (Radius).
Radius proxy: See Entrust IdentityGuard Radius proxy.
random challenge generation algorithm: A challenge generation algorithm that picks coordinates in a grid randomly when creating a challenge.
registration: The process of adding new users to Entrust IdentityGuard by obtaining their information and setting required attributes such as group association and authentication method.
Remote Authentication Dial-In User Service (Radius): An industry standard authentication protocol used to authenticate users with Radius clients. A Radius client passes information about a user to a designated Radius server and then acts on the response that the Radius server returns. Transactions between the Radius client and the Radius server are authenticated through a server secret, which is never sent over the network.
repository: The Entrust IdentityGuard information associated with users and administrators stored in a database or directory. A repository contains information such as:
- group association
- available authentication methods
- user name and aliases
- authentication information such as grids, token data, questions and answers, temporary PINs, one-time passwords, and so on
- preproduced cards and unassigned token data
replica Entrust IdentityGuard Server: In a system with more than one Entrust IdentityGuard Server, any Entrust IdentityGuard Server that does not function as the primary Entrust IdentityGuard Server. Replicas are usually identical to each other.
role: Defines, for administrators (see administrator), what operations they can perform using the Administration service. A master user creates roles. Entrust IdentityGuard installs with three roles: auditor role, default role, and superuser role.
sample application: The client Web application installed with the Entrust IdentityGuard Server that demonstrates the various capabilities and authentication methods of Entrust IdentityGuard.
second-factor authentication: The second authentication method in a system that uses two independent mechanisms of authentication. It ensures strong authenticity. See strong authentication.
serial number replay authentication: A type of organization authentication used with grid authentication that requires the organization to display the card's unique serial number to the user.
shared secret: A name and value pair associated with an end user and used by a client application only (not Entrust IdentityGuard).
Simple Object Access Protocol. An XML protocol that governs the exchange of information in a distributed environment. SOAP provides a way for programs running in two different operating systems (such as Windows 2000 and Solaris) or written in different programming languages (such as Java Platform and C#) to exchange information, using HTTP and XML. Refer to http://www.w3.org/2000/xp/Group/. An authentication system in which the user is verified using only one authentication method (usually a user name and password). See also second-factor authentication. See one-step authentication. See Simple Object Access Protocol (SOAP). The lifecycle status that determines what a user can do with a card or token. Entrust IdentityGuard cards and tokens support the following states: Pending state Hold_pending state Current state Hold state Canceled state
single-factor authentication
static token PIN
A numeric value that associates a user with their token. When a user receives a token challenge, they must prefix their response with the static token PIN, thereby enhancing the strength of the authentication. Do not confuse with temporary PIN or dynamic password.

strong authentication
A form of client authentication in which users prove their identity by logging in with credentials other than just user name and password (for example, a grid or token).

super shell
See master user shell.

supersh
See master user shell.

superuser role
A predefined role that has access to all operations available through the Administration service.

TAN
Transaction number. See passcode list authentication.
temporary PIN
A character string assigned to a user for a brief period of time or usage duration to substitute for a temporarily unavailable card or token.

temporary PIN attributes
The policy attributes that determine the characteristics of the temporary PIN. For example, the number of characters in the PIN, its expiry date, and so on.

token
A battery-operated hardware device that provides a user with a dynamic password that changes periodically (for example, every minute).

token authentication
A second-factor authentication method that challenges a user for a token-generated string. The response can include a static token PIN.

token PIN
See static token PIN.

two-stage authentication
See two-step authentication.

two-step authentication
An authentication process in which first-factor and second-factor authentication challenges are presented to the end user consecutively. The end user is authenticated and verified using the first-factor authentication method before being challenged with second-factor authentication. See also one-step authentication.

user authentication
An authentication process in which the end user is verified as authentic by the organization. Entrust IdentityGuard supports the following types:
    grid authentication
    token authentication
    knowledge-based authentication
    passcode list authentication
    out-of-band authentication

user ID
The globally unique name of an end user or administrator. It includes both the Entrust IdentityGuard group name and the user name of the user in the first-factor authentication system, written as group/username.

user name
The name of the Entrust IdentityGuard user in their first-factor authentication system. A user name must be unique within its group.

userspec attributes
See user specification attributes.
user specification attributes
The policy attributes that determine the rules for an end user's interaction with Entrust IdentityGuard. For example, the number of aliases a user can have, their authentication methods, and so on.

Web service
A program that runs within an application server and communicates with other requesting components, often using the Simple Object Access Protocol (SOAP). Web services have two advantages:
    The SOAP protocol provides a standard way for the Web service and its clients to encode and decode (or "parse") the program data so that programmers don't have to write their own. The standard also means that programs written by different companies can communicate with the Web service.
    SOAP envelopes are typically sent within HTTP requests so you do not have to open additional ports in your firewall for clients to communicate with the Web service.
Entrust IdentityGuard has two Web services: Administration service and Authentication service.

WSDL
Web Services Definition Language. An XML format for describing network services as a set of endpoints operating on messages. WSDL service definitions provide the technical details for describing a Web service that would be required for someone to actually invoke the service (for example, input parameters, output format, and so on).
Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
.wsdl files 259

A
active card, definition 345
active token, definition 345
Administration API, definition 345
Administration interface, definition 345
Administration service, definition 345
Administration WSDL, definition 345
administrator, definition 345
administrator password attributes, definition 345
algorithms 97, 99, 101
alias, definition 345
all grouplist, definition 345
anonymous authentication. See one-step authentication
audit integrity check 281
auditor role, definition 345
authentication
    definition 345
    domain controller 172
    LDAP directory 172
    Radius 172
    strong, definition 353
Authentication API, definition 345
authentication secret, definition 346
Authentication service, definition 346
Authentication WSDL, definition 346
B
backup
    UNIX 211, 247
    Windows 213
backups
    backup strategy 244
    of LDAP Directory and database 225, 247
    restoring file-based card preproduction repository 253
    restoring IdentityGuard 250
C
cached challenges 270
Canceled state, definition 346
card, definition 346
card preproduction
    configuring 220
    database 224
    disk files 221
card specification attributes, definition 346
cardspec. See card specification attributes
cell, definition 346
certificate
    exporting 238
    importing the SSL certificate 233
    updating 238
challenge cache 271
challenge generation algorithm, definition 346
client application, definition 346
client authentication, definition 346
commands
    supersh 53, 56, 123, 126, 251, 254
    version 54, 124
configuration during install
    IdentityGuard 36, 109
Consumer deployment, definition 346
credentials, definition 346
cryptography policy files 96, 98, 100, 101
Current state, definition 346
Customer support 16

D
default role, definition 346
deployment, Consumer, definition 346
deployment, Enterprise, definition 347
dynamic password, definition 347

E
end user, definition 347
Enterprise deployment, definition 347
Entrust IdentityGuard Desktop for Microsoft Windows, definition 347
Entrust IdentityGuard Radius proxy, definition 347
Entrust IdentityGuard Remote Access Plug-in for Microsoft Windows Servers, definition 347
Entrust IdentityGuard Server, definition 347
external authentication 202
    definition 347
    groups 209

F
failover
    Radius 195
    repository 218
file-based preproduction card repository
    restoring 253
file-based repository, definition 347
first-factor authentication, definition 347
first-factor authentication application, definition 347

G
Getting help
    Technical Support 16
grid, definition 347
grid authentication, definition 348
grid location replay authentication, definition 348
group, definition 348
grouplist
    definition 348
    own, definition 350
groups
    external authentication 178, 209
H
Hold state, definition 348
Hold_pending state, definition 348
I
IdentityGuard
    configuration during install 36, 109
    configuring to use cached challenges 270
    disabling 64, 65
    enabling 64, 65
    failed initialization 47, 118
    initializing 47, 83, 118
    installing 33
    installing a replica server 210
    querying status 63, 64
    restarting 63, 64
    sample application 51
    starting 63, 64
    starting automatically 63, 166
    stopping 63, 64
    testing 58, 162
    uninstalling 336, 338
    upgrading 299
    WebLogic 8.1, installing 106
    WebLogic 9.1, installing 106
    WebSphere 6.0, installing 106
identityguard.properties
    audit.integrity 281
    externalauth 293
    externalauth.kerberos 294
    igradius.challengestring 284
    igradius.msglog 289
    igradius.port 283
    igradius.radius 290
    igradius.skipauth 289
    igradius.tokenchallengestring 286
    tokenrequirespinupdate 288
    igradius.url 282
    igradius.vpn 290
    igradius.vpn.useradius 293
    jdbc.blobAccess 268
    jdbc.connectionpool 267
    jdbc.connectionpool.max 267
    jdbc.connectionpool.minIdleCloseTime 267
    jdbc.driverClass 268
    jdbc.logintimeout 267
    jdbc.needsEscape 268
    jdbc.password 268
    jdbc.querytimeout 267
    jdbc.schema 268
    jdbc.selectLock 269
    jdbc.timestampDataType 268
    jdbc.url 268
    jdbc.user 268
    ldap.addAdminObjectClass 262
    ldap.addPolicyObjectClass 263
    ldap.addUserObjectClass 262
    ldap.connectionpool.max 265
    ldap.connecttimeout 262
    ldap.credentials 261
    ldap.GeneralizedTime 266
    ldap.policyentry 262
    ldap.principal 261
    ldap.searchbase 264
    ldap.searchtimeout 265
    ldap.sizelimit 265
    ldap.sslEnabled 262
    ldap.url 261
    ldap.useridattribute 262
    log.maxstacksize 273
    refreshinterval 273
    supersh.adminlist 279
    supersh.preproducedcardlist 279
    supersh.tokenlist 280
    supersh.usercardlist 278
    supersh.userlist 278
    tokenRepository 221, 223
    webadmin
        bulk 296
        export 297
identityguard.properties file
    authentication success audit 258
    caching policies 272
    changing log configuration 273
    changing log locations 277
    column width formatting 278
    configuring 255
    configuring to use cached challenges 270
    definition 348
    enabling cached challenges 270
    encrypted properties 257
    JDBC properties 267
    LDAP properties 261
    license audit 281
    properties for card preproduction 224
    search bases 260
identityguard.sh 52, 63, 64
igkrb5.conf file 204
image replay authentication, definition 348, 349
initialization, definition 348
initializing IdentityGuard 47, 83, 118
    reasons for failure 47, 118
installing IdentityGuard 33, 106

J
Java Development Kit 96, 98, 100

K
keytool 235
    documentation 235
knowledge-based authentication, definition 348

L
layered authentication, definition 348
least-used cell challenge generation algorithm, definition 349
license audit 281
    replica servers 281
loadbalancing 210
log locations
    changing 277
log4j properties 273
logging
    configuring 45, 116, 273
    to Syslog 45, 116, 277

M
machine authentication, definition 349
machine authentication type list, definition 349
machine secret, definition 349
master key, definition 349
master key protection file, definition 349
master user, definition 349
master user shell 49, 119
    configuring formatting 278
    definition 349
message replay authentication, definition 349
multifactor authentication, definition 349
mutual authentication 349

N
native libraries 128, 134
nonce, definition 349

O
one-step authentication, definition 350
one-time password, definition 350
organization authentication 350
OTP. See one-time password
out-of-band authentication, definition 350
own grouplist, definition 350

P
passcode list, definition 350
passcode list authentication, definition 350
password attributes. See administrator password attributes
Pending state, definition 350
pinspec attributes. See temporary PIN attributes
policy, definition 351
preproduction model, definition 351
primary Entrust IdentityGuard Server, definition 351
produce-and-assign model, definition 351
Professional Services 17
properties file
    authentication success audit 258
    changing log configuration 273
    changing log location 277
    column width formatting 278
    configuring to use cached challenges 270
    enabling cached challenges 270
    encrypted properties 257
    JDBC properties 267
    LDAP properties 261
    license audit 281

Q
question and answer authentication. See knowledge-based authentication

R
Radius, definition 351
Radius Proxy
    automatic restart 35, 107
Radius proxy 171
    architecture 173
    configuring, overview 172
    external 187
    overview 172
    with domain controller 187
    with LDAP server 187
    with Radius server 180
Radius proxy. See Entrust IdentityGuard Radius proxy
random challenge generation algorithm, definition 351
registration, definition 351
replica, definition 352
replica server
    configuring 210
    initializing 210
    installing 210
    new SSL certificate 210
repository
    definition 352
    preparing 22
restoring IdentityGuard from backup 250
role, definition 352

S
sample application
    configuring 51
    definition 352
    disabling 52
sample Web application
    enabling 52
second-factor authentication, definition 352
serial number
    reconfiguring 254
serial number replay authentication, definition 352
shared secret, definition 352
single-factor authentication, definition 353
single-page authentication. See one-step authentication
SOAP, definition 353
SSL
    creating a self-signed certificate 235
    exporting a certificate 238
    importing the SSL certificate 233
    ports 228
    securing the LDAP repository, after installation 233
state
    Current, definition 346
    definition 353
    hold, definition 348
    Hold_pending, definition 348
    Pending, definition 350
static token PIN, definition 353
strong authentication, definition 353
super shell. See master user shell
supersh. See master user shell
superuser role, definition 353
Syslog
    configuring 226
    logging to 45, 116, 277
T
TAN. See passcode list authentication
Technical Integration Guides 22
Technical Support 16
temporary PIN, definition 354
temporary PIN attributes, definition 354
testing IdentityGuard 58, 162
token, definition 354
token authentication, definition 354
token PIN. See static PIN
tokens
    Entrust 30
two-stage authentication. See two-step authentication
two-step authentication, definition 354
typographic conventions 13

U
uninstalling IdentityGuard 336, 338
UNIX group and user
    creating 32
UNIX service command
    starting and stopping IdentityGuard 63
upgrading IdentityGuard 7.2 to 8.1 299
user authentication, definition 354
user ID, definition 354
user name, definition 354
user specification attributes, definition 355
user, end, definition 347
userspec attributes. See user specification attributes

V
version command 54, 124
VPN server
    configure 193

W
Web service, definition 355
WebLogic 8.1 96
    configuring SSL 97
    deploying IdentityGuard services 128
    preparing for installation 96
WebLogic 9.1 98
    configuring SSL 98
    deploying IdentityGuard services 134
    preparing for installation 98
WebSphere 6.0 100
    configuring SSL 101
    deploying IdentityGuard services 142
    preparing for installation 100
    shared library settings 142
WSDL, definition 355