MobilePASS Software Administration Guide


SafeNet MobilePASS Software Administration Guide

www.safenet-inc.com
4690 Millennium Drive, Belcamp, Maryland 21017 USA
Telephone: 1 410 931 7500 or 1 800 533 3958

2010 SafeNet, Inc. All rights reserved. SafeNet and the SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners.

Software Version: All Versions
Documentation Version: 20120910
2012 SafeNet, Inc. All rights reserved.

Preface

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of SafeNet.

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address below.

4690 Millennium Drive, Belcamp, Maryland 21017, USA

Disclaimers

The foregoing integration was performed and tested only with specific versions of equipment and software and only in the configuration indicated. If your setup matches exactly, you should expect no trouble, and Customer Support can assist with any missteps. If your setup differs, then the foregoing is merely a template and you will need to adjust the instructions to fit your situation. Customer Support will attempt to assist, but cannot guarantee success in setups that we have not tested.

This product contains software that is subject to various public licenses. The source code form of such software and all derivative forms thereof can be copied from the following website: http://c3.safenet-inc.com/

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

Technical Support

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, please contact your supplier or SafeNet support.

SafeNet support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Technical Support Contact Information:
Phone: 800-545-6608, 410-931-7520
Email: support@safenet-inc.com


CONTENTS

Chapter 1: MobilePASS Overview  1
  Overview  2
  Deploying MobilePASS  2
  MobilePASS authentication options  4
  Evaluating MobilePASS tokens  5

Chapter 2: Deploying MobilePASS  7
  Software token enrollment  8
    Generating and importing MobilePASS software tokens  8
    Configuring MobilePASS policies (SafeWord PremierAccess 3.2.1.06 only)  8
  Assigning software tokens  9
  Using the MobilePASS Portal  10
    Setting up manual self-enrollment for users  10
    Disabling enrollment  11
    Using the device nickname feature (SafeWord PremierAccess 3.2.1.06 only)  12
    Using the Enrollment Portal  16
    Configuring reenrollment of existing MobilePASS tokens  21
  Using iPhone MobilePASS  23
    Installing iPhone MobilePASS  23
    Activating and enrolling iPhone MobilePASS  24
    Generating passcodes  28
    Resetting the iPhone MobilePASS token  28
    Changing device PINs  29
  Understanding BlackBerry MobilePASS  31
    Deploying BlackBerry MobilePASS  31
    Authentication policy parameters  33
    Configuring automatic enrollment for BlackBerry users  35
  Activating MobilePASS BlackBerry  40
    Downloading and installing BlackBerry MobilePASS  40
    Allowing users to automatically authenticate (SafeWord 2008 only)  40
    Activating BlackBerry MobilePASS automatically  41
    Generating passcodes  44
    Changing device PINs  45
    Resetting the token  46
  Using J2ME MobilePASS  47
    Deploying J2ME MobilePASS  47
    Downloading and installing J2ME MobilePASS  47
    Activating J2ME MobilePASS  48
    Generating passcodes  51
    Changing device PINs  52
    Resetting the token  53
  Using Android MobilePASS  57
    Installing Android MobilePASS  57
    Activating Android MobilePASS  59
    Generating passcodes  61
    Changing device PINs  63
    Resetting the Android MobilePASS token  65
    Getting token details  66
  MobilePASS Messaging  67

Chapter 3: Using the Legacy MobilePASS Factory  69
  Overview  70
  Messaging setup  71
    The sccservers.ini file  71
    The messaging.ini file  71
  Using MobilePASS Messaging  72
    Viewing Messaging end user pages  72
  Using the stand-alone MobilePASS Factory  73
    MobilePASS Factory device compatibility  74
    Using MobilePASS with SafeWord  74
    Evaluating MobilePASS  75
  Installing the MobilePASS Factory  76
    Downloading and installing the MobilePASS Factory  76
    Confirming the MobilePASS Factory installation  77
  Viewing and adding MobilePASS licenses  78
    Viewing the current MobilePASS license  78
    Adding an additional license  79
  Customizing the MobilePASS Factory  81
    Changing PIN behavior  82
    Finalizing custom settings  82
  Resetting token serial numbers  83
  Importing token data to SafeWord  83
  What's Next?  84
  Understanding MobilePASS packages  85
    Inside the MobilePASS for Windows Desktops package  85
    Inside the MobilePASS for BlackBerry package  85
    Inside the MobilePASS for J2ME package  86
    Inside the MobilePASS for Smartphones package  86
    Inside the MobilePASS for Pocket PCs package  86
  Deploying the software  87
    Generating batches of authenticators  87
    Using the end user authenticator download page  90
  Installing MobilePASS on end user devices  91
  Customizing specific device options  92
    Customizing MobilePASS for Windows Desktops  92
      Customizing the token appearance  92
      Customizing additional options  92
    Customizing MobilePASS for J2ME devices  93

Index  95


Chapter 1: MobilePASS Overview

In this chapter:
  Overview  2
  MobilePASS authentication options  4
  Evaluating MobilePASS tokens  5

Overview

This guide discusses SafeNet MobilePASS Software and Messaging tokens. It includes administrative and end user information. Software and Messaging tokens allow users to generate OTPs (one-time passcodes) on their personal mobile devices and Windows desktops. The Software and Messaging tokens are compatible with SafeWord 2008 and SafeWord PremierAccess (for Solaris), and enable secure remote access to corporate and web-based applications. An integrated support feature allows administration directly from the SafeWord management interface. The MobilePASS Portal allows users to enroll, activate, and use their tokens without administrative assistance. The MobilePASS product was integrated into SafeWord 2008 beginning in version 2.1.0.03, and in SafeWord PremierAccess (for Solaris) beginning in version 3.2.1.05.

The administrative information in this guide covers features that are configured after token enrollment. Pre-enrollment administrative information is contained in the SafeWord 2008 Administration Guide and the SafeWord PremierAccess Administration Guide. Both documents are available from the SafeWord documentation page at x and x respectively.

Deploying MobilePASS

To deploy MobilePASS, administrators generate token records, populate the database with users, then notify users about MobilePASS. To generate token records, refer to the SafeWord 2008 Administration Guide, which is available spx, or the SafeWord PremierAccess Administration Guide, version 3.2.1, which is available spx. Figure 1 on page 3 illustrates the deployment process.

Figure 1: Integrated MobilePASS deployment

Administrator
1. Use SafeWord to generate and import token records with the management tools.
2. Populate the database with users.
3. Assign SafeWord database users passphrases through the MobilePASS Enrollment feature.
4. Provide app info and enrollment URLs to users. Give SafeWord database users enrollment passphrases.

End User
5. Download and install MobilePASS on your device.
6. Generate an activation code from the user device. If using auto-enrollment, enroll with an assigned passphrase.
7. Activate MobilePASS via the MobilePASS Portal.
8. Activate the device, set the device PIN, generate and test a passcode.
9. Use MobilePASS.

MobilePASS authentication options

The integrated MobilePASS product extends token options with the addition of MobilePASS Software tokens and MobilePASS Messaging tokens. MobilePASS now allows users to generate passcodes on the following mobile devices and desktops:

- iPhone/iPod touch/iPad devices running iOS 4.2.0 and higher
- BlackBerry OS 4.3 and higher devices
- J2ME (CLDC 1.1/MIDP 2.0 and higher) devices
- Android OS 1.6 and higher devices
- Mac OS X 10.6.4 and higher
- Windows XP, Windows Vista, Windows 2003, Windows 2008
- Windows Phone version 7.0

MobilePASS Messaging's integrated product allows users stored in Active Directory to receive passcodes in e-mail (SMTP) or text (SMS) messages directly on their desktops or mobile devices. MobilePASS Messaging is supported on Windows Server 2003 and Windows Server 2008.

Figure 2: Software Authentication Options

SafeNet's stand-alone MobilePASS Factory is a product that includes legacy software and messaging token functionality. It is generally not advisable to use this legacy product, but it is available for configuring Messaging users in the internal SafeWord database. It also provides device-specific software token applications that work with earlier versions of BlackBerry and Windows Mobile devices, and Windows desktops. For more information about the stand-alone MobilePASS Factory software, refer to Chapter 3, Using the Legacy MobilePASS Factory.

Evaluating MobilePASS tokens

SafeWord 2008 installations include four evaluation tokens (two Software and two Messaging). SafeWord PremierAccess installations include two evaluation Software tokens. The SafeWord 2008 evaluation tokens can be found in two import files (SoftwareEvalTokens.dat and MessagingEvalTokens.dat) located in the SafeWord folder; on a new installation of SafeWord 2008, they are already present in the database. The SafeWord PremierAccess evaluation token file Admin Console Install Dir \SoftwareEvalTokens.dat can be imported after the SafeWord PremierAccess patch is applied. All of the evaluation Software tokens are valid tokens that can be used like any other licensed Software tokens. The evaluation Messaging tokens are intended for evaluation purposes only and should not be used in production environments. For details about the evaluation Software and Messaging tokens, refer to Chapter 2 of the SafeWord 2008 Administration Guide or Chapter 4 of the SafeWord PremierAccess Administration Guide.

Note: The evaluation Software token records are included in the pool of available token records and will be assigned to users from the pool. If you do not want evaluation Software tokens assigned, delete the records from your database.


Chapter 2: Deploying MobilePASS

In this chapter:
  Software token enrollment  8
  Assigning software tokens  9
  Using the MobilePASS Portal  10
  Using iPhone MobilePASS  23
  Understanding BlackBerry MobilePASS  31
  Activating MobilePASS BlackBerry  40
  Using J2ME MobilePASS  47
  Using Android MobilePASS  57
  MobilePASS Messaging  67

Software token enrollment

Beginning with SafeWord 2008 version 2.1.0.04 and SafeWord PremierAccess version 3.2.1.06, BlackBerry MobilePASS users can automatically or manually activate and enroll MobilePASS tokens over their wireless network directly from their device. If administrator-driven enrollment is preferred, refer to the SafeWord PremierAccess Administration Guide or the SafeWord 2008 Administration Guide for details. These guides are available at x and http://www3.safenetinc.com/safeword/docs/2008.aspx respectively.

Generating and importing MobilePASS software tokens

Before enrolling MobilePASS tokens, the token records must be generated. The method for generating MobilePASS records varies depending upon whether you are using SafeWord 2008 or SafeWord PremierAccess. If you are using SafeWord 2008, refer to the SafeWord 2008 Administration Guide for details. If you are using SafeWord PremierAccess, refer to the SafeWord PremierAccess Administration Guide for details.

Configuring MobilePASS policies (SafeWord PremierAccess 3.2.1.06 only)

Before assigning MobilePASS tokens to users, or allowing users to self-enroll, you must configure one or more MobilePASS policies. MobilePASS policies communicate the specific capabilities of a token device between the MobilePASS clients and the portals and servers. Token capabilities are based on the device token type (event synchronous, time synchronous, or challenge response). Some types allow you to set a minimum of policy options, while others provide an array of options, including passcode and challenge lengths, time sync interval (ticks), allow policy downgrade, secure mode, enable transaction signing mode, SoftPIN, and device PIN options.

SafeWord PremierAccess version 3.2.1.06 supports MobilePASS policies. MobilePASS policies are not supported in earlier versions of SafeWord PremierAccess or in SafeWord 2008 at this time. For details about defining policies for SafeWord PremierAccess, refer to Chapter 4 of the SafeWord PremierAccess Administration Guide.

Assigning software tokens

You may assign software tokens to users using the Administration Console, or you may allow users to self-enroll their software tokens using the MobilePASS Portal. If users will enroll their tokens with the Portal, refer to "Using the MobilePASS Portal" on page 10 of this guide.

If you are assigning software tokens to users with the Administration Console, enrollment varies slightly depending on which operating system you are using, and where your users are stored. If y
