
SafeNet Authentication Manager
Version 8.0 Rev A
User's Guide

Copyright 2010 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet and SafeNet Authentication Manager are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of publication: September 2010
Last update: Monday, September 20, 2010 3:03 pm

Support

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact us directly at:

Telephone
You can call our help-desk 24 hours a day, seven days a week:
USA: 1-800-545-6608
International: 1-410-931-7520

Email
You can send a question to the technical support team at the following email address: support@safenet-inc.com

Website
You can submit a question through the SafeNet Support

Additional Documentation
We recommend reading the following SafeNet publications:
- SafeNet Authentication Manager 8.0 Administrator's Guide
- SafeNet Authentication Manager 8.0 ReadMe


Table of Contents

Part I Introduction
1. Token Overview ... 3
   Token Uses ... 4
      Certificate-Based Authentication ... 4
      OTP Generation ... 4
      Secure Data Storage ... 5
   Hardware Tokens ... 5
   Software Tokens ... 5
      SafeNet eToken Virtual Products ... 5
      MobilePASS Tokens ... 7
2. SafeNet Authentication Manager Overview ... 9
   SafeNet Authentication Manager User Interfaces ... 10
   SafeNet Authentication Manager Tasks ... 10
   Token Management ... 12
      Associating Your Token with SafeNet Authentication Manager ... 12
      Maintaining Your Token ... 13
      Setting Your Token Password or OTP PIN ... 13
      Handling a Forgotten Token Password ... 14
      Handling a Forgotten OTP PIN ... 14
      Preparing to Take Your Token On-the-Road ... 15
      Resolving a Lost Token Locally ... 15
      Resolving a Lost Token On-the-Road ... 15

Part II Self Service Center
3. Self Service Center ... 19
   Self Service Center Overview ... 20
      Before Any Tokens are Enrolled ... 20
      After Tokens are Enrolled ... 22
   Accessing the Self Service Center Main Menu ... 25
   Installing Software Components for Enrollment ... 27
      Enabling ActiveX Components for Token Enrollment ... 27
      Installing Client Components ... 30
4. Self Service Center User Activities ... 41
   Enrolling a New Smartcard or USB Token ... 42
   Enrolling a New OTP Token ... 47
   Enrolling a New MobilePASS Token ... 48
      Generating an OTP on Your Mobile Device ... 50
   Enabling a New MobilePASS Messaging Token ... 51
   Enrolling a New SafeNet eToken Virtual ... 53
   Completing Your Authentication Questionnaire ... 57
   Changing Your SafeNet Authentication Manager User Password ... 59
5. Self Service Center Token Management ... 61
   Updating Your Token Content ... 62
   Changing and Resetting Your Token Password ... 66
   Enabling and Temporarily Disabling Your Token ... 67
   Revoking Your Lost or Damaged Token ... 69
   Replacing or Upgrading Your Token ... 75
   Downloading a SafeNet eToken Rescue ... 82
   Changing and Resetting Your OTP PIN ... 85
   Validating Your OTP Token ... 86
   Enrolling a New SafeNet eToken Virtual Temp ... 87
6. Self Service Center Rescue Token Management ... 93
   Main Menu ... 94
   Re-enrolling a Lost Token ... 94
   Replacing a Lost Token ... 98
   Downloading a Backup SafeNet eToken Rescue ... 104

Part III Rescue Service Center
7. Rescue Service Center ... 107
   Rescue Service Center Overview ... 108
   Accessing the Rescue Service Center Main Menu ... 108
8. Rescue Service Center Token Activities ... 113
   Main Menu ... 114
   Retrieving a Response Code to Unlock Your Token ... 115
   Managing Your Lost or Damaged Token ... 117
      Reporting and Temporarily Replacing Your Lost or Damaged Token ... 118
      Replacing Your Token with a New Token ... 125
      Generating an OTP Using Your SafeNet eToken Rescue ... 125
   Enabling and Temporarily Disabling Your Token ... 126
   Resetting Your OTP PIN ... 127
   Validating Your OTP Token ... 128
9. Rescue Service Center Rescue Token Management ... 131
   Main Menu ... 132
   Recovering Your SafeNet eToken Rescue Password ... 133
   Replacing Your SafeNet eToken Rescue ... 134
   Closing Your SafeNet eToken Rescue ... 137

Part IV SAM Agent
10. SAM Agent ... 141
   SAM Agent Overview ... 142
   Viewing the SAM Agent Status ... 142
   Verifying Your Token Content ... 144
   Downloading a SafeNet eToken Rescue ... 145

Part I Introduction

The following chapters provide an overview of the SafeNet Authentication Manager and the SafeNet tokens that it supports.

In this section:
- Chapter 1: Token Overview (page 3)
- Chapter 2: SafeNet Authentication Manager Overview (page 9)


Chapter 1
Token Overview

This chapter describes various types of tokens and their uses.

In this chapter:
- Token Uses
- Hardware Tokens
- Software Tokens

Token Uses

Tokens, also known as authenticators, are used primarily for some or all of the following purposes:
- Certificate-Based Authentication
- OTP Generation
- Secure Data Storage

Certificate-Based Authentication

A certificate is a signed document that vouches for the identity bound to the private key on a token. The private key acts as a unique identifier for each user. It enables users to securely access networks or protected websites, or to digitally sign data and transactions, providing proof of authenticity.

OTP Generation

One-Time Password (OTP) authentication is based on a system in which the token and the backend authentication service share a unique algorithm used for generating a sequence of passwords. Since the server and the token generate exactly the same passwords in the same sequence, the server can authenticate the user when the token's OTP value is submitted.

OTP authentication enables secure access to networks from any computer with an internet connection. By constantly changing the password required for authentication, OTP usage makes it more difficult to gain unauthorized access to restricted resources.

OTP authentication does not require a physical token to be connected to the computer.

Secure Data Storage

A token may be used for secure storage of data such as:
- User profiles: collections of personal data which identify the user to specific applications
- Flash memory that can be partitioned into a mass storage allocation and a CD-ROM emulation

Hardware Tokens

SafeNet Authentication Manager supports a variety of hardware tokens, including:
- Smartcards
- USB tokens
- OTP tokens

Software Tokens

A software token is a set of one or more files stored on a general-purpose electronic device, such as a computer, portable drive, or mobile phone.

The following software tokens are supported by SafeNet Authentication Manager:
- SafeNet eToken Virtual Products
- MobilePASS Tokens

SafeNet eToken Virtual Products

Depending on the SafeNet eToken Virtual product used, the software authenticator file may be stored on your computer or on a portable drive. The software authenticator is locked to the device and can be used only on the computer or portable drive on which it was enrolled.

When you enroll a SafeNet eToken Virtual or SafeNet eToken Virtual Temp on your computer, or if the SafeNet Authentication Manager SAM Agent is used to download a SafeNet eToken Rescue, the authenticator is saved in your personal Documents folder, in the eTokenVirtual subfolder. Its filename extension is .etvp.

Note: A file copied from a SafeNet eToken Virtual product is not usable.

Your SafeNet Authentication Manager configuration may allow you to enroll the following SafeNet eToken Virtual products:

SafeNet eToken Virtual
- Can contain the same token content as an eToken NG-OTP device, such as eToken SSO profiles, OTP generation facilities, and certificates
- Depending on your SafeNet Authentication Manager configuration, can be saved either to your computer or to an external device

SafeNet eToken Virtual Temp
- Can contain token content similar to an eToken NG-OTP device, but its certificates are valid only for the time period defined by your administrator
- One SafeNet eToken Virtual Temp can be enrolled for each physical token already enrolled to you
- Must be saved to your computer
- Is usable for a limited period of time

SafeNet eToken Rescue
- Contains a backup of certain token content, such as Network Logon profiles, OTP generation facilities, and certificates
  Note: You may need other token content, such as your WSO profiles, while using your SafeNet eToken Rescue. Restore them to your SafeNet eToken Rescue from backup files.
- Accessible only through a password that is disclosed when you report your token as lost or damaged
- Depending on your SafeNet Authentication Manager configuration, can be saved either to your computer or to an external device

- Depending on your SafeNet Authentication Manager configuration, can be downloaded using the Self Service Center, the Rescue Service Center, or the SAM Agent
- Is usable for a limited period of time

To generate an OTP using a SafeNet eToken Virtual product:
1. If the appropriate SafeNet eToken Virtual authenticator is not connected, browse to its location, right-click the filename, and click Open to define the file to SafeNet Authentication Client.
2. Right-click the SafeNet Authentication Client tray icon, and from the menu, select the appropriate SafeNet eToken Virtual authenticator.
3. Right-click the SafeNet Authentication Client tray icon, and from the menu, select Generate OTP.
   The Generate OTP window opens.
4. Click Generate OTP.
   Depending on your SafeNet Authentication Manager configuration, you may be required to enter the Token Password.
5. Enter the SafeNet eToken Virtual product's password.
   An OTP is generated and displayed.
6. Copy the OTP to your application to authenticate yourself.

MobilePASS Tokens

Your SafeNet Authentication Manager configuration may allow you to enroll a MobilePASS token. A MobilePASS token is an application that can generate an OTP value for authentication.

Install the MobilePASS application on your mobile device to use it as an OTP token that works independently of mobile network connectivity.

Use the MobilePASS Messaging application to receive a generated OTP as an SMS (Short Message Service) message on your mobile device, or as a message sent to your email address.


Chapter 2
SafeNet Authentication Manager Overview

SafeNet Authentication Manager provides a framework of interfaces that enable users to manage their own physical and virtual tokens.

In this chapter:
- SafeNet Authentication Manager User Interfaces
- SafeNet Authentication Manager Tasks
- Token Management

SafeNet Authentication Manager User Interfaces

SafeNet Authentication Manager users may have access to the following features:
- Self Service Center: a web-based service center for managing your tokens from within your company
- Rescue Service Center: a web-based service center for situations in which you are away from your office and are unable to use your token due to a specific problem
- SAM Agent: a SafeNet Authentication Client feature for verifying that your token content and SafeNet eToken Rescue backup file are up-to-date

The user interfaces do not replace the function of your administrator.

SafeNet Authentication Manager Tasks

In your SafeNet Authentication Manager configuration, your administrator has defined which tasks you are authorized to perform. The following table lists the SafeNet Authentication Manager tasks that can be performed by users, and the features that can be used to perform each one.

Table 2-1. SafeNet Authentication Manager User Tasks

Task | Self Service Center | Rescue Service Center | SAM Agent
Enroll one of the following: smartcard or USB token, OTP token, SafeNet eToken Virtual, SafeNet eToken Virtual Temp, MobilePASS token, MobilePASS Messaging token | x | |
Check that a token's content is up-to-date | | | x
Update token content | x | |
Complete an authentication questionnaire | x | |
Change a Token Password or OTP PIN | x | |
Reset a Token Password | x | |
Retrieve a Response Code to unlock a token and reset its Token Password | x (in non-Windows environments only) | x |
Reset an OTP PIN | x | x |
Upgrade a token by replacing it with a newer model | x | |
Enable or temporarily disable a token | x | x |
Report and revoke a lost token | x | x |
Replace a lost token with a new token | x | |
Replace a lost OTP device with a Temp OTP | | x |
Download a SafeNet eToken Rescue | x | x | x
Activate and manage access to a SafeNet eToken Rescue to replace a lost token | | x |
Validate an OTP token | x | x |

Token Management

Associating Your Token with SafeNet Authentication Manager

Use the Self Service Center when your administrator tells you to do any of the following:
- Enroll a smartcard or USB token
- Enroll an OTP token
- Enroll a MobilePASS token
- Enroll a MobilePASS Messaging token
- Enroll a SafeNet eToken Virtual

- Enroll a SafeNet eToken Virtual Temp
- Update your token content
- Upgrade your token by replacing it with a more advanced device
- Replace your lost token with a new one

Maintaining Your Token

SafeNet Authentication Manager is designed to help ensure that no one else uses your token. Use a SafeNet Authentication Manager service center to do the following:
- Update your token content if you suspect that content was deleted
- Temporarily disable your token if it is misplaced or if it is not needed for an extended period
- Enable your disabled token when you want to use it again
- Validate your OTP token if your token has lost its synchronization with the system, and you cannot authenticate using a generated OTP
- Change your SafeNet Authentication Manager user password if you suspect that someone else has seen it

Setting Your Token Password or OTP PIN

It is your responsibility to remember your Token Password or OTP PIN. Your SafeNet Authentication Manager configuration may require you to provide it to gain access to your token content.

Change your Token Password or OTP PIN if you suspect it has been compromised.

The default Token Password is 1234567890, unless your administrator has changed the default. Your SafeNet Authentication Manager configuration may require you to change your Token Password from the default value.

Depending on your SafeNet Authentication Manager configuration, your Token Password may be required to meet password quality criteria, such as:
- minimum length
- inclusion or exclusion of lower-case letters, upper-case letters, numerals, and/or special characters
- disqualification of password values previously used

Setting a complex Token Password provides added security to your token authentication process.

Handling a Forgotten Token Password

If you forgot your Token Password, or if you consecutively entered incorrect password values too many times, you need to unlock your token and set a new password.

Depending on your SafeNet Authentication Manager configuration, you can use the Self Service Center to reset your Token Password should you forget it.

If your token is locked, and you cannot reset your Token Password, do one of the following:
- In a non-Windows environment, use the Self Service Center to unlock your token.
- Use the Rescue Service Center to enter the Challenge Code displayed in the SafeNet Authentication Client Tools or eToken Network Logon application, and then paste the generated Response Code into the application.
- Contact your administrator.

Handling a Forgotten OTP PIN

If you forgot your OTP PIN, or if you consecutively entered incorrect values too many times, you need to unlock your OTP profile and set a new OTP PIN.

Depending on your SafeNet Authentication Manager configuration, you can use the Self Service Center to reset your OTP PIN should you forget it.

If you cannot reset your OTP PIN using the Self Service Center, and your OTP profile is locked, contact your administrator.

Preparing to Take Your Token On-the-Road

Before you travel, use the Self Service Center to do the following:
- Complete an authentication questionnaire to ensure that you will have access to the Rescue Service Center while you are out of the office. The answers you provide will be used to authenticate you to the Rescue Service Center.
- Download a SafeNet eToken Rescue, a secure backup of your token content, to ensure that you can request access to a backup of your token content while you are out of the office.
- If you already downloaded a SafeNet eToken Rescue, use the SAM Agent to verify that the file is up-to-date.

Resolving a Lost Token Locally

If your token is lost or damaged, do the following:
a. Log on to the Self Service Center, and report your lost or damaged token so that it is revoked.
b. Ask your administrator to give you a new token in its place.
c. Log on to the Self Service Center again, and replace your old token with the new one.

Resolving a Lost Token On-the-Road

If you are away from your office when your token is lost or damaged, use the Rescue Service Center to do the following (depending on the options available in your SafeNet Authentication Manager configuration):
- Report your token as lost or damaged.
- If you will need to authenticate yourself using an OTP but will not need any other token content, request a Temp OTP to replace your token.

- If you will need access to your token content and do not have a SafeNet eToken Rescue secure backup file, download a SafeNet eToken Rescue.
- If you will need access to your token content, activate a downloaded SafeNet eToken Rescue to use as a temporary token replacement.
- If you do not need a Temp OTP or a SafeNet eToken Rescue, revoke or temporarily disable your token.

Part II Self Service Center

The following chapters describe how to use SafeNet Authentication Manager's Self Service Center.

In this section:
- Chapter 3: Self Service Center (page 19)
- Chapter 4: Self Service Center User Activities (page 41)
- Chapter 5: Self Service Center Token Management (page 61)


Chapter 3
Self Service Center

SafeNet Authentication Manager's Self Service Center is a web-based application that enables you to manage many user and token activities.

In this chapter:
- Self Service Center Overview
- Accessing the Self Service Center Main Menu
- Installing Software Components for Enrollment

Self Service Center Overview

When you open the SafeNet Authentication Manager's Self Service Center window, a list of your enrolled tokens is displayed in the left panel, and a list of options is displayed in the right panel.

Note: Your SafeNet Authentication Manager configuration determines which options are displayed in the right panel of the Welcome to the Self Service Center window.

Before Any Tokens are Enrolled

The following is an example of a Self Service Center window where no tokens are enrolled.

Left Panel

The following message is displayed in the left panel of the Self Service Center window, below your user name:
You have no active tokens

Right Panel

The right panel may include the following User Account options:
- Enrolling a New Smartcard or USB Token
  Token enrollment adds your smartcard or USB token to the SafeNet Authentication Manager inventory if it is not already there, associates the token with your username, and loads its content with the data you need.
- Enrolling a New OTP Token
  OTP (One-Time Password) token enrollment associates your physical OTP token, which is not a smartcard or a USB token, with your username in the SafeNet Authentication Manager inventory.
- Enrolling a New MobilePASS Token
  MobilePASS token enrollment installs a MobilePASS application on your mobile device, enabling you to generate an OTP on the device.
- Enabling a New MobilePASS Messaging Token
  MobilePASS Messaging token enrollment enables you to receive a generated OTP as an email message, or as an SMS (Short Message Service) message on your mobile device.
- Enrolling a New SafeNet eToken Virtual
  SafeNet eToken Virtual enrollment enrolls a software token. Depending on your SafeNet Authentication Manager configuration, a SafeNet eToken Virtual is stored as a file on your computer, or on a portable drive.
- Completing Your Authentication Questionnaire
  Before you can authenticate yourself to the Rescue Service Center, you must complete an authentication questionnaire in the Self Service Center. This provides a backup method of identifying yourself in case you lose your token or forget its password when you are out of the office.

- Changing Your SafeNet Authentication Manager User Password
  Users in some SafeNet Authentication Manager environments authenticate to SafeNet Authentication Manager using a user password. Change your user password if you think someone else has seen it.

Note: Your SafeNet Authentication Manager configuration determines which options are displayed in the right panel.

After Tokens are Enrolled

The following is an example of a Self Service Center window where at least one token is enrolled.

Left Panel

A list of the names of your enrolled tokens is displayed in the left panel of the Self Service Center window, below your user name. An image representing the token type is displayed next to each token name. If the token's status is not Normal, the status is displayed:
- Lost
- Damaged
- Disabled
- Revoked

The selected token is highlighted. If you need to perform an action on a different token, select the appropriate token in the left panel before selecting an option in the right panel.

Right Panel

The right panel includes messages relating to the selected token, followed by User Account options. For the list of User Account options, see page 21.

The Selected Token options displayed in the right panel may include:
- Updating Your Token Content
  If you accidentally deleted content from your token, or if a warning message is displayed that your token content must be updated, use this option to update it.
- Changing and Resetting Your Token Password
  Change your password if it is about to expire, or if you think someone else has seen it. Depending on your SafeNet Authentication Manager configuration, you may be able to reset your password should you forget it.
- Enabling and Temporarily Disabling Your Token
  Temporarily disable your token if it is misplaced, or if it is not needed for an extended period. If your token is disabled, you must enable it before you can use it again.

- Revoking Your Lost or Damaged Token
  Revoke a lost or damaged token immediately to prevent anyone else from using its content.
- Replacing or Upgrading Your Token
  Revoke your token, and load a new one with the same content.
- Downloading a SafeNet eToken Rescue
  Prepare a backup of your token content in case you lose your token when you are away from your office and cannot replace it with a new one.
- Changing and Resetting Your OTP PIN
  Change your OTP PIN if you think someone else has seen it. Depending on your SafeNet Authentication Manager configuration, you may be able to reset your OTP PIN should you forget it.
- Validating Your OTP Token
  If you repeatedly generate an OTP without submitting one for authentication, or if the time function of your OTP token has deviated, your OTP token loses its synchronization with the system. You must validate your OTP token so that SafeNet Authentication Manager can authenticate OTPs that are subsequently generated.
- Enrolling a New SafeNet eToken Virtual Temp
  SafeNet eToken Virtual Temp enrollment creates a software token on your computer that can be used for a limited period of time in place of a token that has been enrolled. The SafeNet eToken Virtual Temp is loaded with token content similar to the content loaded on your enrolled physical token.

Note: Your SafeNet Authentication Manager configuration determines which options are displayed in the right panel.
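The OTP Generation section of Chapter 1 describes the token and the backend sharing one algorithm that yields the same sequence of passwords, and the Validating Your OTP Token option above describes how generating OTPs without submitting them desynchronizes the token. The following Python model is an added example, not code from the SafeNet guide or product; it uses HOTP (RFC 4226) as a public stand-in for the undisclosed SafeNet algorithm, and the seed, window sizes and class names are constructed for the illustration. It shows why a small server-side look-ahead window rejects both replayed and drifted OTPs, and how a two-OTP validation step resynchronizes the counter.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by token and server; not a real token seed.
SECRET = b"constructed-demo-seed-0123456789"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One password of the shared sequence (HOTP, RFC 4226) for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """User side: each 'Generate OTP' press advances the token's counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def generate(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class Server:
    """Backend: remembers the last accepted counter and tolerates a few skipped OTPs."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0          # next counter value expected from the token
        self.look_ahead = look_ahead

    def authenticate(self, otp: str) -> bool:
        # Accept only if the OTP matches one of the next look_ahead counters,
        # then move past it so the same OTP can never be accepted twice.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False

    def validate(self, otp1: str, otp2: str, search_window: int = 1000) -> bool:
        # Resynchronisation ("Validate Your OTP Token"): two consecutive OTPs
        # are searched for over a much wider window than normal authentication.
        for c in range(self.counter, self.counter + search_window):
            if hotp(self.secret, c) == otp1 and hotp(self.secret, c + 1) == otp2:
                self.counter = c + 2
                return True
        return False


def demo() -> dict:
    """Walk through in-sync use, replay, drift past the window, and resync."""
    token, server = Token(SECRET), Server(SECRET)
    results = {}
    otp = token.generate()
    results["normal"] = server.authenticate(otp)         # in sync: accepted
    results["replay"] = server.authenticate(otp)         # same OTP again: rejected
    for _ in range(20):                                  # 20 presses, nothing submitted
        token.generate()
    results["after_drift"] = server.authenticate(token.generate())  # rejected
    results["resync"] = server.validate(token.generate(), token.generate())
    results["after_resync"] = server.authenticate(token.generate())  # accepted again
    return results


if __name__ == "__main__":
    print(demo())
```

The same look-ahead and resynchronisation idea applies to time-based tokens whose clock has deviated, with the counter replaced by a time step.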

Accessing the Self Service Center Main Menu

To access the Self Service Center, you must be logged on to your company's local network.

Access to the Self Service Center requires one of the following authentication methods:
- The standard Windows user authentication method
- The authentication method set by your administrator

Note: Each company has its own SafeNet Authentication Manager server. This guide uses the name localhost to represent your company's SafeNet Authentication Manager server. When following the steps in the procedure, replace localhost with the name of your company's SafeNet Authentication Manager server.

To access the Self Service Center main menu:
1. Open your web browser, and go to http://localhost/SAMservice where localhost is the name of your company's SafeNet Authentication Manager server.
   Note: For the website to display properly, ensure that the browser's Text Size is set to Medium.
   a. On the browser toolbar, click View.
   b. From
