introduction - ibmpublib.boulder.ibm.com/tividd/td/itamfesso/esso_help/en... · 2006. 6. 26. ·...
Introduction
ii Introduction
Contents
Chapter 1. Introduction . . . . . . . . 1
Introduction . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . 2
Product Overview . . . . . . . . . . . . 2
About the Console . . . . . . . . . . . . 3
What’s New in TAM E-SSO . . . . . . . . . 4
Chapter 2. Administrative Procedures . . 7
Considerations Before Deploying TAM E-SSO . . . 7
User Work Modes . . . . . . . . . . . 7
Mobility Configuration . . . . . . . . . . 9
Rollout . . . . . . . . . . . . . . . 10
Administration and Management . . . . . . 10
Configuring TAM E-SSO . . . . . . . . . . 10
Configuring for Windows Authentication . . . 11
Directory Servers: Configuring the Agent . . . 11
File Systems: Configuring the Agent . . . . . 12
Database Synchronization: Configuring the Agent 12
Configuring TAM E-SSO in a Citrix Environment 13
Configuring the Server for TAM E-SSO . . . . . 15
Directory Servers: Configuring the server . . . 15
File Systems: Configuring the Server . . . . . 16
Database Synchronization: Configuring the server 17
Distributing Predefined Application Logons . . . 17
Understanding the Application Configuration
Files . . . . . . . . . . . . . . . . 18
General Guidelines for Setting Up Applications 22
Adding Windows applications . . . . . . . 22
Adding Web Applications . . . . . . . . 23
Adding Host/Mainframe Applications . . . . 24
Adding Java applications and applets . . . . 25
Adding Telnet Applications . . . . . . . . 25
First Time Use (Bulk-Add) . . . . . . . . 28
Using and Creating Templates . . . . . . . 28
Managing User Data . . . . . . . . . . . 29
Setting Password Policies . . . . . . . . . 29
Creating password sharing groups . . . . . . 30
User Credentials and Settings . . . . . . . 31
File-Based Backup/Restore . . . . . . . . 31
Synchronization . . . . . . . . . . . . . 32
Directory Server Synchronization Support . . . 33
File System Synchronization Support . . . . . 34
Database Synchronization Support . . . . . . 35
Multiple Synchronizer Support . . . . . . . 36
Configuration Objects . . . . . . . . . . 36
Event Logging . . . . . . . . . . . . . 37
Event Logging: Agent Configuration . . . . . 38
Event Logging: Server Configuration . . . . . 39
Distributing TAM E-SSO . . . . . . . . . . 39
Microsoft Windows Installer (MSI) Package . . . 39
Deployment Options . . . . . . . . . . 40
Glossary . . . . . . . . . . . . . . . 41
Chapter 3. Using the Console . . . . . 47
Console Main Menu Commands . . . . . . . 47
Applications . . . . . . . . . . . . . . 52
Applications List . . . . . . . . . . . 52
Add Application dialog box . . . . . . . . 53
New Windows/Java application . . . . . . 55
New Web application . . . . . . . . . . 69
New Host/Mainframe application . . . . . . 73
Bulk Add tab . . . . . . . . . . . . . 77
Selected application . . . . . . . . . . 78
Import/Export . . . . . . . . . . . . 84
Manage Templates . . . . . . . . . . . 86
Kiosk Adapter . . . . . . . . . . . . . 88
Applications to Leave Running on Session End 88
Applications to Close on Session End . . . . . 89
Provisioning Adapter . . . . . . . . . . . 90
Provisioning Adapter (for role/group support) 90
Password Generation Policy . . . . . . . . . 90
Add Password Policy . . . . . . . . . . 91
Selected Password Policy . . . . . . . . 91
Password Sharing Groups . . . . . . . . . 93
Add Sharing Group . . . . . . . . . . 93
Domain password group . . . . . . . . . 94
LDAP Password Group . . . . . . . . . 94
Selected Password Sharing Group . . . . . 95
Global Agent Settings . . . . . . . . . . . 95
Add Set of Settings . . . . . . . . . . . 96
Selected Set of Global Agent Settings . . . . . 97
Repository . . . . . . . . . . . . . . 151
Connect to Repository . . . . . . . . . 151
Configure SSO Support . . . . . . . . . 152
Add Locator Object . . . . . . . . . . 153
Chapter 4. SSO Administrative
Console Reference Topics . . . . . . 155
Pre-configured Applications and Templates . . . 159
Directory Server Schema Definition . . . . . . 161
Directory Server Schema Definition . . . . . 161
Directory Server Schema Definition . . . . . 161
Directory Server Schema Definition . . . . . 161
Directory Server Schema Definition . . . . . 162
Configuring Host Emulators to Enable HLLAPI
Short Session Names . . . . . . . . . . . 162
Attachmate EXTRA! / myExtra! . . . . . . 163
G&R Glink . . . . . . . . . . . . . 163
Ericom PowerTerm . . . . . . . . . . 164
Hummingbird HostExplorer . . . . . . . 164
IBM Client Access . . . . . . . . . . . 164
IBM Client Access Express . . . . . . . . 165
IBM Host On-Demand . . . . . . . . . 165
IBM Personal Communications . . . . . . 167
NetManage Rumba . . . . . . . . . . 168
NetManage ViewNow / Chameleon Hostlink 97 168
Novell LAN Workplace . . . . . . . . . 168
Scanpak Aviva for Desktops . . . . . . . 169
WRQ Reflection . . . . . . . . . . . 169
Zephyr PC to Host . . . . . . . . . . 169
Zephyr Web to Host . . . . . . . . . . 169
Command-Line Options . . . . . . . . . . 169
Smartcard Monitor Utility ( ssoSCDetect.exe) . . . 171
Configuring the Windows Event Logging Server 172
Configuring the Windows Event Logging Server 172
Error Loop Quick Reference . . . . . . . . 172
MSI Package Contents . . . . . . . . . . 174
ftulist.ini Keys . . . . . . . . . . . . . 176
Root Keys . . . . . . . . . . . . . 176
Password Windows Section Keys . . . . . . 177
My Logons Section Keys . . . . . . . . 178
Bulk Add Logon Section Keys . . . . . . . 178
Keys for entlist.ini . . . . . . . . . . . . 180
Root Keys . . . . . . . . . . . . . 181
Windows Application Keys . . . . . . . . 186
Host/Mainframe Application Keys . . . . . 214
Web Application Keys . . . . . . . . . 224
Password Policy Keys . . . . . . . . . 233
Global Agent Settings . . . . . . . . . . 235
Global Agent Settings . . . . . . . . . 236
Troubleshooting . . . . . . . . . . . . 299
Regular Expression Syntax . . . . . . . . 301
Installation . . . . . . . . . . . . . 302
Agent Performance . . . . . . . . . . 305
Authentication . . . . . . . . . . . . 306
Application Configuration . . . . . . . . 308
Event Logging . . . . . . . . . . . . 312
Password Sharing Groups . . . . . . . . 312
Synchronizer Extensions . . . . . . . . . 312
Chapter 5. TAM E-SSO Add-On
Modules . . . . . . . . . . . . . 315
Authentication Adapter . . . . . . . . . . 315
TAM E-SSO: Authentication Adapter . . . . 315
TAM E-SSO: Authentication Adapter . . . . 317
Graded Authentication . . . . . . . . . 318
Kiosk Adapter . . . . . . . . . . . . . 320
TAM E-SSO: Kiosk Adapter . . . . . . . 320
TAM E-SSO: Kiosk Adapter - SendKeys Format 321
Chapter 1. Introduction
IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides users with one
password to log on to every application on both the company network and the Internet. It works
"out-of-the-box" (without programming or additional network infrastructure) with virtually any
Windows, Web, proprietary, and host-based application, lowering IT and Help Desk costs without the
expense and burden of integration.
TAM E-SSO is intelligent agent software that works by responding to logon requests on behalf of the
user, directly from their desktop. The agent responds to each software application's logon request by
providing the correct credentials (that is, username/ID, password, and other fields) directly and
automatically. A strong authentication mechanism controls access to the agent, ensuring that only
the designated user can use it.
Product Overview
IBM Tivoli Access Manager for Enterprise Single Sign-On uses a patented process for detecting
requests for credentials, analyzing the response necessary, responding reliably, logging events, and
administering settings.
Architecture/Modules
The TAM E-SSO component architecture provides maximum flexibility to meet your organization's needs.
The TAM E-SSO architecture consists of seven areas: Authentication; Encryption; Intelligent Agent
Response; Core (including Storage); Credential Synchronization; Event Logging; and Miscellaneous
components. In addition, Administration is facilitated by the Administrative Console.
Common Scenarios
Resources
TAM E-SSO stores all program files, settings, and data in the following places:
• The %ProgramFiles%\Passlogix\v-GO SSO directory contains TAM E-SSO program files. (Default:
C:\Program Files\Passlogix\v-GO SSO)
• The %ProgramFiles%\Passlogix\v-GO SSO\Console directory contains Administrative Console
program files. (Default: C:\Program Files\Passlogix\v-GO SSO\Console)
• The %ProgramFiles%\Passlogix\SSO File Sync Service directory contains SSO File Sync Service
program files. (Default: C:\Program Files\Passlogix\SSO File Sync Service)
• The %AppData%\Passlogix directory contains user data files. (Default: depends on OS; Windows
2000: C:\Documents and Settings\%UserName%\%AppData%\Passlogix)
• The HKCU registry tree stores user default settings.
• The HKLM registry tree stores overriding settings (settings that override user settings) and TAM E-SSO
defaults.
• The SSOLocator objects on a directory server direct TAM E-SSO to where each user's credentials are
stored (an SSOConfig object).
• The SSOConfig objects on directory servers, and similar objects on file systems, store overriding settings
and user data. Note: Settings in SSOConfig objects override registry settings. Note: SSOConfig is the
default name, but the object can be named anything.
About the Console
The Administrative Console enables both agent-side and server-side configuration of most agent options.
Specifically, the Administrative Console enables:
• Easy creation, management, and deployment of:
– Application configurations and application configuration lists
– Password-Sharing Groups
– Password Policies
– Bulk-add lists
– Agent configuration settings (through registry settings)
• Easy setup and management of synchronizer extensions:
– LDAP Directory Servers, including Tivoli Directory Server, Novell eDirectory, Oracle Directory
Server, Sun Java System Directory Server 5.1, Critical Path Directory Server, and OpenLDAP
Directory Server.
– Microsoft Active Directory Server systems (including Application Mode)
– Relational database systems, including Microsoft SQL Server, IBM DB2, and Oracle 9i/10g.
– File systems
The Administrative Console eliminates the need to edit configuration files or the registry by hand,
with the associated risk of errors such as "fat-fingering" or providing invalid parameters.
The Administrative Console functionality is divided into the areas listed below, with their associated
topics.
Action | Console Feature | See topic
Creating and managing application configurations | Applications | Configuring Application Logons
Creating and managing password generation policies | Password Generation Policies | Setting Password Policies
Creating and managing password sharing groups | Password Sharing Groups | Creating password sharing groups
Creating and managing bulk-add lists | Applications, Bulk Add tab | First time use
Agent configuration settings | Global Agent Settings | Configuring Global Agent Settings
Setting up and managing synchronizer extensions | Synchronization | Synchronization
What’s New in TAM E-SSO
TAM E-SSO version 5.0 is the latest edition of TAM E-SSO Agent and the TAM E-SSO Administrative
Console. It includes new enhancements and options for using, deploying, and managing TAM E-SSO.
Chapter 2. Administrative Procedures
Considerations Before Deploying TAM E-SSO
The topics in this section discuss important concepts and considerations regarding the deployment and
administration of TAM E-SSO.
User Work Modes: Understanding the different ways to set up the agent side of supporting users working
in different configurations, and how to optimize your configuration for each set of scenarios.
Configuration: Understanding the different ways to set up the server side of supporting users working
in different configurations, and how to optimize your configuration for each set of scenarios.
Rollout: Understanding the process and issues surrounding rolling out TAM E-SSO to an organization.
Administration and Management: Understanding the post-rollout issues for TAM E-SSO deployments.
User Work Modes
Users access their computers in a variety of work modes:
• Some users are always at a given workstation and are its sole user.
• Some users move frequently among a limited number of workstations (for example, nurses in a
department) or move to a different workstation every day or every few hours (for example, a call center).
• Multiple users may share a single workstation, for example, in shifts. Such a workstation may be used
as a kiosk, that is, by multiple users who log on using a smartcard or other token.
• Some users are not always connected to the network.
TAM E-SSO supports all these scenarios and can be optimized for each user's most common scenario.
(Default: users are always at a given workstation, but share it with others.)
One Workstation, One User
When users are always at a given workstation, their credentials can be backed up to a remote location
using an SSO synchronizer extension. See Synchronization for more information.
Alternatively, the Backup/Restore module can store credentials on the workstation without the use
of a remote repository. The Backup/Restore module is not installed by default. Users can perform
backups manually, or the backup can be automated. See File-Based Backup/Restore for more information.
Frequent Movement Among Few Workstations
When users move frequently among a few workstations, but are always on those few workstations, you
have two basic options for supporting their TAM E-SSO credentials.
The recommended option is to use a remote SSO repository. Both starting the agent and any change
to credentials forces a record-level comparison (synchronization) of all records, ensuring that the user
always has the most current credentials possible.
The other option is to configure automated silent backup to a network file share. With proper
configuration, the agent performs a silent backup to a remote store (network drive) with each change
of credentials (Refresh Task). When the agent first starts, it checks whether the remote store is newer than the
local store; if so, it performs a silent restore; either way, the user has their current credentials.
Because this is a file-level (as opposed to record-level) comparison, this option is not safe if the user
might ever be logged on to more than one computer at the same time: the newer file replaces the older
one whole, so changes made in the other session are silently lost.
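The lost-update risk described above, modelled as an added PowerShell example (not from the IBM documentation): a file-level restore keeps whichever whole store is newer, while a record-level synchronization keeps the newer version of each credential. The store layout, record names, passwords and timestamps are constructed for illustration only.

```powershell
function Merge-FileLevel {
    # File-level comparison: the store whose newest record is more recent wins
    # as a whole; every record in the other store is discarded.
    param([hashtable] $Local, [hashtable] $Remote)
    $newestLocal  = ($Local.Values  | Sort-Object -Property Modified -Descending | Select-Object -First 1).Modified
    $newestRemote = ($Remote.Values | Sort-Object -Property Modified -Descending | Select-Object -First 1).Modified
    if ($newestRemote -gt $newestLocal) { return $Remote.Clone() }
    return $Local.Clone()
}

function Merge-RecordLevel {
    # Record-level comparison: each credential is compared individually and the
    # newer version of that record is kept, so concurrent edits to different
    # records both survive.
    param([hashtable] $Local, [hashtable] $Remote)
    $merged = @{}
    $names = (@($Local.Keys) + @($Remote.Keys)) | Sort-Object -Unique
    foreach ($name in $names) {
        $l = $Local[$name]
        $r = $Remote[$name]
        if     ($null -eq $l)                { $merged[$name] = $r }
        elseif ($null -eq $r)                { $merged[$name] = $l }
        elseif ($r.Modified -gt $l.Modified) { $merged[$name] = $r }
        else                                 { $merged[$name] = $l }
    }
    return $merged
}

function New-Record {
    # Constructed credential record: only the fields the comparison needs.
    param([string] $Password, [datetime] $Modified)
    [pscustomobject]@{ Password = $Password; Modified = $Modified }
}

# Constructed scenario: one user is logged on at two workstations at the same time.
# Both start from the same store. Workstation A changes the mainframe password at
# 09:10 and backs up; workstation B changes the webmail password at 09:20 and backs
# up last, so B's file is the newer one on the share.
$t0   = Get-Date '2006-06-26 09:00'
$base = @{
    mainframe = New-Record -Password 'old-mf' -Modified $t0
    webmail   = New-Record -Password 'old-wm' -Modified $t0
}
$wsA = $base.Clone()
$wsA['mainframe'] = New-Record -Password 'new-mf' -Modified $t0.AddMinutes(10)
$wsB = $base.Clone()
$wsB['webmail']   = New-Record -Password 'new-wm' -Modified $t0.AddMinutes(20)

# Workstation A restarts and compares its local store ($wsA) with the share ($wsB).
$fileLevel   = Merge-FileLevel   -Local $wsA -Remote $wsB
$recordLevel = Merge-RecordLevel -Local $wsA -Remote $wsB
'File-level restore : mainframe={0}  webmail={1}' -f $fileLevel['mainframe'].Password,   $fileLevel['webmail'].Password
'Record-level sync  : mainframe={0}  webmail={1}' -f $recordLevel['mainframe'].Password, $recordLevel['webmail'].Password
```

In this scenario the file-level restore hands workstation A a store in which mainframe is back to old-mf, because B's whole file was newer; the record-level merge keeps both new-mf and new-wm.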
Frequent Movement Among Many Workstations
When users move frequently among many workstations, you have two basic options for supporting their
credentials.
The recommended option is to use a remote SSO synchronization repository. Both starting the agent
and any change to credentials forces a record-level comparison (synchronization) of all records, ensuring
that the user always has the most current credentials possible. In addition, to increase security and to
reduce disk space use, enable the Delete Local Cache (on Shutdown) option.
Alternatively, if your Windows environment is already set up with Windows Roaming Profiles, user data is
automatically available to the user, since it is included in the %AppData% directory. However, because of
the bandwidth-intensive nature of Windows Roaming Profiles, this is not recommended for use with SSO
credentials.
One Workstation, Many Users
A single workstation may be accessed by a number of users, such as a kiosk. A smart card (or other
token) and a PIN can be used to log on to a kiosk (TAM E-SSO: Authentication Adapter only). To enable
these users’ access to the remote SSO repository the ssoSCDetect utility can be used to start the TAM
E-SSO agent and prompt for primary logon whenever a smart card is inserted in the reader. When the
card is removed, the user is automatically logged out of the agent. See ssoSCDetect (smartcard monitor
utility) for more information.
Disconnected
When users use laptops or are in remote locations, they often stay disconnected from the network for
long periods of time.
The TAM E-SSO agent stores credentials locally, providing full independence for mobile users who cannot
rely on a network connection. TAM E-SSO modules such as Storing User Credentials and Settings and Event
Logging support occasional reconnection, ensuring reliability.
With File-Based Backup/Restore, users can save their own data to a floppy or zip drive. With TAM
E-SSO: Authentication Adapter, users can save their own data to a smart card.
The TAM E-SSO synchronizer extensions are configured for offline users using the Synchronization options,
including Disconnected Operation (see Settings Controlling Mobility).
Usability and Security
Other Settings
You can customize TAM E-SSO in many ways, and you can enforce these settings at the user, computer,
or group level. (The "group" level can include the entire enterprise.) See Global Agent Settings for
details.
Mobility Configuration
Some organizations configure their SSO repository (e.g., directory servers, relational databases, file system
share) in a very centralized fashion (for example, all user data store objects under one parent object).
Other organizations use a decentralized structure (for example, a parent object for each department,
location, level of employee, and so on). Each has its advantages and disadvantages, depending on your
specific current and future network topology. Below are some general advantages and disadvantages.
Rollout
Administration and Management
After the initial deployment, you can continue to manage how TAM E-SSO modules are deployed for
updates and upgrades. You can do this using the Console or your own current deployment method.
Configuring TAM E-SSO
These topics describe how to configure TAM E-SSO to support specific environments:
• For Windows authentication
• For directory servers
• For databases
• For file systems
• For Citrix MetaFrame
Configuring for Windows Authentication
TAM E-SSO supports Windows Authentication as the Primary Logon Method (Authenticator). This
offers a true single sign-on user experience. The agent can use the Windows logon credentials as its
authentication. In order for TAM E-SSO to support this, the Administrator needs to be aware of two
issues. First, the OS must have 128-bit encryption installed. Second, user-level profiles need to be
enabled. For Microsoft Windows 2000/XP, user-level profile support is part of the base feature set when
installed.
Confirming 128-bit Encryption
To check the encryption strength of the OS, start Microsoft Internet Explorer and select Help | About.
Cipher Strength should be 128-bit.
If the cipher strength is not 128-bit, you can download the update from Microsoft at this address:
http://www.microsoft.com/windows/ie/download/128bit/default.asp
Directory Servers: Configuring the Agent
This topic describes the settings needed to configure TAM E-SSO to use a directory server as a repository.
The configuration is essentially the same for all supported directory servers; any differences are
explained where they occur.
• See Directory Server Synchronization Support for more information about how TAM E-SSO makes use
of directory server resources.
• See Overriding Settings for detailed descriptions of the associated registry entries.
Note: Where the LDAP AUI and the LDAP Directory Server extension are both installed, values must exist in
both AUI\LDAP and Extensions\SyncManager\Syncs\%LDAP%.
File Systems: Configuring the Agent
This topic describes the settings needed to initially configure the TAM E-SSO Agent to synchronize
application logons, global agent settings, and user credentials with a network file share.
The configuration settings described below can be distributed to the client workstations either as part of
the general deployment of the Agent software (by modifying the MSI installer file) or, after Agent
deployment, by distributing a registry-entries (.REG) file that can be merged with the client workstation's
registry.
• See Deployment Options for topics about TAM E-SSO Agent rollout.
• See File System Synchronization Support for more information about how TAM E-SSO makes use of
file system resources.
• See Overriding Settings for detailed descriptions of the associated registry entries.
Database Synchronization: Configuring the Agent
This topic describes the settings needed to configure the TAM E-SSO Agent to use a database server for
synchronization.
The configuration settings described below can be distributed to the client workstations either as part of
the general deployment of the Agent software (by modifying the MSI installer file) or, after Agent
deployment, by distributing a registry-entries (.REG) file that can be merged with the client workstation's
registry.
• See Deployment Options for topics about TAM E-SSO Agent rollout.
• See Database Synchronization Support for more information about how TAM E-SSO makes use of
database server resources.
• See Overriding Settings for detailed descriptions of the associated registry entries.
Configuring TAM E-SSO in a Citrix Environment
Default installation of TAM E-SSO in Citrix MetaFrame:
The TAM E-SSO default installation process automatically detects and installs the components necessary
for TAM E-SSO to function in a Citrix environment. The installation process enables TAM E-SSO support
for every application published on that Citrix server.
Controlling TAM E-SSO for specific applications in Citrix:
The following section explains how to change the from the default installation of TAM E-SSO and to
enable TAM E-SSO for only specific applications in a Citrix environment. There are two steps in this
process. The first step is to remove the global TAM E-SSO support. The second is to specify which
applications are going to be SSO- enabled through their Published application configuration.
Enabling MetaFrame Monitoring
To enable TAM E-SSO to be monitored by Citrix MetaFrame, so that TAM E-SSO does not keep
otherwise-ended sessions alive, go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\Wfshell\TWI
If a value named LogoffCheckSysModules exists, append ,ssoshell.exe to it. For example, change
app1.exe,app2.exe to app1.exe,app2.exe,ssoshell.exe.
If the value does not exist, create LogoffCheckSysModules as type STRING (REG_SZ) and set it to ssoshell.exe.
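As an added example (not part of the IBM documentation), this Python script applies the LogoffCheckSysModules change idempotently: it appends ssoshell.exe only when it is not already listed, creates the value as a string when it is absent, and refuses to touch a value of another type. The winreg write only runs on Windows; the list-handling helper runs anywhere.

```python
"""Idempotent LogoffCheckSysModules update for Citrix Wfshell (added example, not IBM's code).

Implements the manual procedure above: append ",ssoshell.exe" to an existing value,
or create the value as a string set to "ssoshell.exe" when it is absent. The helper
that computes the new value is pure Python; the registry write uses winreg and
therefore only runs on Windows (run it elevated, since the key is under HKLM).
"""
import sys
from typing import Optional

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Citrix\Wfshell\TWI"  # key from the procedure above
VALUE_NAME = "LogoffCheckSysModules"
AGENT_MODULE = "ssoshell.exe"


def updated_module_list(existing: Optional[str], module: str = AGENT_MODULE) -> str:
    """Return the value LogoffCheckSysModules should hold after the change.

    None (value absent)        -> "ssoshell.exe"
    "app1.exe,app2.exe"        -> "app1.exe,app2.exe,ssoshell.exe"
    already listed (any case)  -> unchanged list, so re-running is harmless
    Empty items left by stray commas or spaces are dropped.
    """
    if existing is None:
        return module
    modules = [m.strip() for m in existing.split(",") if m.strip()]
    if not any(m.lower() == module.lower() for m in modules):
        modules.append(module)
    return ",".join(modules)


def apply_to_registry(dry_run: bool = False) -> str:
    """Read the current value, compute the update and write it back. Windows only."""
    import winreg  # Windows-only; imported here so updated_module_list() works elsewhere

    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        try:
            current, value_type = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            current, value_type = None, winreg.REG_SZ  # value absent: create it below
        if value_type != winreg.REG_SZ:
            raise RuntimeError(f"{VALUE_NAME} is not a REG_SZ value; not modifying it")
        new_value = updated_module_list(current)
        if new_value != current and not dry_run:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ, new_value)
        return new_value


if __name__ == "__main__":
    if sys.platform == "win32":
        print(f"{VALUE_NAME} = {apply_to_registry(dry_run='--dry-run' in sys.argv)}")
    else:
        # Not on Windows: just show what the helper produces for the page's own example.
        print(updated_module_list("app1.exe,app2.exe"))  # app1.exe,app2.exe,ssoshell.exe
```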
SSOLauncher for MetaFrame XP Servers
This utility lets you control the delivery of TAM E-SSO with published applications in a Citrix
MetaFrame XP environment.
1. Copy the ssolauncher utility into the WINNT\system32 folder; otherwise you must include the full
path to where ssolauncher resides in every command line.
2. You can now manage the applications you want TAM E-SSO to run with by using the ssolauncher
utility. By opening the Citrix Published Application Management console and applying the ssolauncher
command through the Application Definition command line, you can make TAM E-SSO run on an
application-by-application basis.
Note: The ssolauncher command is applied in front of the command line.
Example:
ssolauncher.exe /application "C:\Program Files\Internet Explorer\EXPLORER.EXE"
The following are the commands for ssolauncher:
Command            Use *
/application       The full path of the application to execute. This is required.
/command           Used to supply command parameters to an application. This is optional.
/directory         Used to supply a working directory to an application. This is optional.
/wait              The number of milliseconds to wait for an application to shut down. This is
                   optional. If not specified, ssolauncher waits forever for the application to
                   terminate.
/verbose           Displays dialog boxes with error messages if ssolauncher has any failures.
/nossoshutdown     Prevents shutting down SSO when the application completes.
/SSOCOMMAND LOGON  Used to initiate a command to the "Logon Using TAM E-SSO" trigger, located in the
                   system tray icon.
Sample command line to launch AIM:
ssolauncher.exe /verbose /application "C:\Program Files\AIM95\aim.exe" /directory "C:\Program Files\AIM95"
* The command should begin and end in a quote if it contains \ characters.
Configuring the Server for TAM E-SSO
The topics below describe how to configure your server for TAM E-SSO deployment and support for
synchronization and event logging:
v Directory server configuration: for LDAP services, including
– IBM Tivoli Directory Server
– Microsoft Active Directory and ADAM
– Novell eDirectory
– Oracle Directory Server
– Sun Java System Directory Server 5.1
– Critical Path Directory Server
– OpenLDAP Directory Server
v Database system configuration: for Microsoft SQL Server, IBM DB2, and Oracle database systems.
v File system configuration: for any UNC (Universal Naming Convention)-compliant network drive or
device.
v Event logging: to configure a Microsoft Windows 2000 or XP server to receive TAM E-SSO Event Log
messages.
Directory Servers: Configuring the server
This topic describes how to extend directory servers to work with TAM E-SSO. Although this process
simplifies some directory-related tasks, it assumes that the Administrator has knowledge of the planning
and deployment of directory services. This guide only covers concepts specific to TAM E-SSO
deployments.
v See Directory Server Synchronization Support for more information about how TAM E-SSO makes use
of directory server resources.
Configuring a directory server for TAM E-SSO entails using the Console to extend the schema and set up
objects in the directory structure.
When you connect to a directory server, you must provide Administrator-privileged authentication
information. This information includes the directory type, server’s name or IP address (IP address may
not be valid for Microsoft Active Directory Server), port, SSL-use selection, user ID and password.
Your user ID should be in DN format; for example,
uid=yourname,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
Directory operations must be performed from Microsoft Windows 2000 or XP.
v The ADAM server instance must be installed and running before you begin the following procedure.
v The naming context for the Application Directory Partition (step 2, below) must be an organizational unit (ou). The
example given in the ADAM Setup Wizard panel shows a cn (container name).
File Systems: Configuring the Server
This topic describes how to extend File Systems to work with TAM E-SSO. Although this process
simplifies some tasks, it assumes that the Administrator has knowledge of the planning and deployment
of file system shares. This guide only covers concepts specific to TAM E-SSO deployments.
v See File System Synchronization Support for more information about how TAM E-SSO makes use of
file system resources.
Configuring a File System share for TAM E-SSO entails using the Administrative Console to set up
objects in the directory structure.
Note: When you connect to a File System, you may need to provide Administrator-privileged
authentication information. This information includes the synchronizer extension type, UNC path, user
ID, and password.
Your user ID should be in domain name format, for example,
yourdomain\yourname
Database Synchronization: Configuring the server
This topic describes how to configure a relational database server to work with TAM E-SSO. It assumes
that you have basic knowledge of relational database administration and operation. This guide only
covers concepts specific to TAM E-SSO deployments.
v See Database Synchronization Support for more information about how TAM E-SSO makes use of
database resources.
Configuring TAM E-SSO for database synchronization entails using the Administrative Console to extend
the database schema and to create the container objects.
Distributing Predefined Application Logons
TAM E-SSO can recognize and respond to a wide array of logon scenarios. Users can configure each
logon in advance or as they encounter it. When a user configures a logon, the agent displays a list of
predefined applications. Users can select an application from this list or create a logon for an unlisted
application.
Predefined applications simplify configuration for the user and increase the reliability of both recognizing
and responding to logon and password-change requests.
Preconfigured application logons for many popular Windows applications are included with
Administrative Console in the form of templates that contain all or part of the logon’s configuration.
Predefined logons for network and web pop-up logon dialogs and for many online service providers are
provided in the applist.ini file (located in the installation directory in the Plugin\LogonMgr directory).
Understanding the Application Configuration Files
TAM E-SSO stores its application logon instructions in a file named aelist.ini that typically resides in
each user’s %AppData%\Passlogix directory (C:\Documents and Settings\username\Application
Data\Passlogix). The Agent creates aelist.ini by merging two component files:
v entlist.ini, which you create using the Administrative Console to provide your organization with
customized logons for Windows, Web site, and mainframe/host applications. The Agent’s synchronizer
extension places entlist.ini in the %AppData%\Passlogix directory.
v applist.ini, which is included in the Agent installation package and contains predefined logons for
network and web pop-up logon dialogs and for many online service providers. The applist.ini file
resides in the Agent’s installation directory.
Notes:
v Beginning with TAM E-SSO version 5.0, preconfigured logons for Windows and Web applications are
provided in Console templates, rather than in the Agent’s applist.ini.
v All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and edited
using the Administrative Console.
How the Agent uses entlist.ini
The agent merges entlist.ini with applist.ini to create aelist.ini in the %AppData%\Passlogix directory.
The agent overwrites aelist.ini periodically, including at agent startup. The agent then uses aelist.ini to
detect "known" applications.
If using a synchronizer extension (for example, Directory Server or File System), a remote object overrides
any local entlist.ini file, and is then merged with applist.ini.
If there is no remote object or local entlist.ini file, the agent will utilize applist.ini without creating the
aelist.ini file.
Note: While the agent is running, you can modify entlist.ini or the SSOentlist object. To force the agent
to re-merge to create a new aelist.ini, select Refresh in Logon Manager.
See the following topics for more information about creating and distributing application logons:
Creating logons from templates: Adding Windows Applications, Adding Web Applications, Adding
Host/Mainframe Applications, Add Application dialog box.
Distributing logons: Distributing Predefined Application Logons, Administration and Management,
Overriding Settings Objects.
How the Agent uses aelist.ini
The file that results from the merge, aelist.ini, contains all the information necessary to identify and
respond to logon and password change events for all configured applications. This information
comprises:
v Application-type settings, such as Error Loop settings (for example, how many times the agent will
retry a logon within the specified time period).
v Application-specific configuration information, for example, application executable name or Web site
URL, password change behavior, Password Policies, Error Loop settings, and data file extension.
v Scenario-specific configuration information for the Logon and Password Change scenarios, for example,
window dialog title strings, form names, and locations for credentials.
v Dialog-specific matching settings (for example, that a string or control is or is not present).
v Other settings (for example, the name of a third or fourth field).
The merged file, aelist.ini, has a hierarchical structure, containing all the information necessary for the
agent to uniquely identify and respond to logon and password change events for each configured
application. It organizes logons in sections and subsections as follows:
[*Other Apps]
Section1=Application logon 1
Section2=Application logon 2
...
This section references two administrator-defined Windows applications defined later in the file. See
Adding Windows Applications for details.
[*Mainframe]
Section1=Host logon 1
Section2=Host logon 2
...
This section references two host/mainframe applications defined later in the file. See Adding Mainframe
Applications for details.
[*Shared Groups]
Section1=Shared Group 1
Section2=Shared Group 2
...
SectionN=Shared Group N
...
This section references two groups used for password sharing. See Creating Password Sharing Groups for
details.
[*PasswordPolicies]
...
This section enables Password Policies. See Setting Password Policies for details.
The application configurations in entlist.ini allow the agent to automatically recognize and respond to
logon and password-change requests from applications specific to your organization.
The agent downloads an entlist object from the remote repository (if one is available) to a local entlist.ini
file, and combines that downloaded (or local) entlist.ini with the logons IBM supplies in applist.ini to
create aelist.ini, the complete list of predefined applications available to users. (If entlist.ini is not
present, the agent uses applist.ini.)
Note: Because IBM provides updates to applist.ini, it is strongly recommended that you make no changes
to applist.ini: future TAM E-SSO releases may overwrite your applist.ini changes, and IBM provides no
guarantees that future releases will support changes you make to applist.ini.
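The precedence and merge rules described under How the Agent uses entlist.ini and the section layout under How the Agent uses aelist.ini, modelled as an added Python example that is not IBM's code: a remote entlist object wins over a local entlist.ini, applist.ini is used alone when neither exists, index-style [*...] sections are concatenated and renumbered, and other sections are overlaid key by key. The concatenation, the key-level override and the sample key names are assumptions; the page does not say how conflicting entries are resolved.

```python
"""How the Agent assembles aelist.ini from applist.ini and entlist.ini (added example, not IBM's code).

Rules taken from the text above:
  1. a remote entlist object (synchronizer extension) overrides any local entlist.ini;
  2. failing that, the local entlist.ini is used;
  3. with neither present, the Agent uses applist.ini as-is and writes no aelist.ini.
Assumptions not stated on the page: index-style sections such as [*Other Apps]
(Section1=..., Section2=...) are concatenated and renumbered, applist first; every
other section is overlaid key by key with the entlist value winning. The key names
inside the application sections below are illustrative only.
"""
import configparser
import re
from typing import Dict, Optional

IniData = Dict[str, Dict[str, str]]
_INDEX_KEY = re.compile(r"^Section\d+$")

# Constructed sample files (not real TAM E-SSO content).
APPLIST_INI = """\
[*Other Apps]
Section1=Yahoo! Messenger Logon

[Yahoo! Messenger Logon]
Executable=ypager.exe
"""

LOCAL_ENTLIST_INI = """\
[*Other Apps]
Section1=Payroll Portal Logon

[Payroll Portal Logon]
WindowTitle=Payroll - Sign In
"""

REMOTE_ENTLIST_INI = """\
[*Other Apps]
Section1=Payroll Portal Logon
Section2=HR Kiosk Logon

[Payroll Portal Logon]
WindowTitle=Payroll - Sign In (v2)

[HR Kiosk Logon]
WindowTitle=HR Kiosk
"""


def parse_ini(text: str) -> IniData:
    """Parse INI text into {section: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "Section1" / "WindowTitle" exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def build_aelist(applist: str, local_entlist: Optional[str],
                 remote_entlist: Optional[str]) -> Optional[IniData]:
    """Return the merged aelist data, or None when there is no entlist source at all."""
    entlist = remote_entlist if remote_entlist is not None else local_entlist
    if entlist is None:
        return None  # rule 3: applist.ini is used directly and no aelist.ini is written
    merged = parse_ini(applist)
    for section, entries in parse_ini(entlist).items():
        base = merged.setdefault(section, {})
        if section.startswith("*") and entries and all(_INDEX_KEY.match(k) for k in entries):
            # Reference list: keep applist's order, append new names, renumber SectionN.
            names = list(base.values())
            names += [v for v in entries.values() if v not in names]
            base.clear()
            base.update({f"Section{i}": name for i, name in enumerate(names, start=1)})
        else:
            base.update(entries)  # administrator-defined values override applist's
    return merged


def render_ini(data: IniData) -> str:
    """Serialise merged data back to INI text, i.e. the aelist.ini the Agent would write."""
    lines = []
    for section, entries in data.items():
        lines.append(f"[{section}]")
        lines.extend(f"{key}={value}" for key, value in entries.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = build_aelist(APPLIST_INI, LOCAL_ENTLIST_INI, REMOTE_ENTLIST_INI)
    print(render_ini(merged))
```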
Preconfigured Application Templates with TAM E-SSO 5.0
The following table lists the preconfigured application logons that are included with the Administrative
Console and any information that the administrator must supply before deploying the logons to the
Agent.
Application: Logon Forms
Microsoft Word: Microsoft Word Logon; Microsoft Word 2000 Logon; Microsoft Word 2003 Logon
MS Dial-Up Networking: MS Dial-Up Networking Logon (admin supplies WindowTitle)
Netscape Mail: Netscape Mail Logon; Netscape Mail 7.1 Logon
PKZIP: PKZIP Logon; PKZIP v8 Logon
Siebel Sales: Siebel Sales Logon; Siebel Sales Change Password
Adobe Acrobat Reader: Adobe Acrobat Unlock
ICQ: ICQ Logon - Registration; ICQ Logon
Meeting Maker: MM 7.3 Logon; MM 5.5.2 Logon; MM 8.0 Logon
WinZip: WinZip Set Password Confirm; WinZip Set/Use Password; WinZip 9.0 Decrypt File(s) Password
Yahoo! Messenger: Yahoo! Messenger Logon
Oracle: Oracle Logon; Oracle 10g SQL*Plus Logon
MS SQL: MS SQL Logon
Novell GroupWise: Novell GroupWise Logon; Novell GroupWise 6.5 Logon
Microsoft FrontPage: Microsoft FrontPage Logon
Visual SourceSafe: VSS Logon; VSS Change Password
OpenNetwork Directory Smart: OpenNetwork Directory Smart Logon (admin supplies URL)
Oblix NetPoint: Oblix NetPoint Logon (admin supplies URL)
Citrix ICA Client/Program Neighborhood (2-field): CICA2 Logon (admin supplies WindowTitle)
Citrix NFuse Classic (2-field): CNFC2 Logon (admin supplies URL)
Act: Act Logon (admin supplies WindowTitle); Act Set Password
QuickBooks Pro: QBP Change Password; QBP Logon
QuickBooks Pro (Password-Only): QBPPO Change Password; QBPPO Logon
Lotus Organizer: Lotus Organizer Logon (admin supplies WindowTitle)
Citrix Program Neighborhood Agent (3-field): CPN3 Logon
GoldMine: GoldMine Logon; GoldMine Change Password
Citrix NFuse Classic (3-field): CNFC3 Logon (admin supplies URL)
Citrix Program Neighborhood Agent (2-field): CPN2 Logon
Citrix ICA Client/Program Neighborhood (3-field): CICA3 Logon (admin supplies WindowTitle)
AIM: AIM Logon
Eudora: Eudora Logon; Eudora Change; Eudora Confirm
Lotus Notes: Lotus Notes
Microsoft Outlook: Logon; Change Password
Microsoft Outlook 2003: Logon; Change Password
MSN Messenger: MSN Messenger Logon
Windows Logon: WL MPR Logon; WL MPR Change Password; WL WinLogon Logon; WL WinLogon Change Password
ICQ 4.0: ICQ 4.0 Logon (Password Only)
General Guidelines for Setting Up Applications
Setting up and configuring applications is easiest with the following conditions:
v Have the target applications on the same computer as the Administrative Console.
v Minimize the number of other applications running during configuration.
v To facilitate creating application configurations and testing:
– Configure your computer not to use a synchronizer extension.
– When the application logon request causes the Agent to respond, tell the Agent to ignore it.
– In the Administrative Console, create the application configuration and then use Export Apps to
Agent (on the Tools menu) to overwrite the local entlist.ini file.
– Keep Logon Manager visible, and select Refresh whenever you finish exporting from the Console.
– Bring up the application logon dialog to see if your new configuration works properly within the
agent.
Adding Windows applications
The easiest and most precise way to configure Windows applications is by using the Windows Form
Wizard.
Before you begin Windows logon configuration, refer to the General Guidelines for configuring
applications.
Adding Web Applications
TAM E-SSO detects and responds to logon and password-change requests for predefined Web
applications. Much like Windows and host/mainframe applications, administrators define Web
applications by including a section in entlist.ini.
The agent recognizes specific strings of data at specified locations within the HTML code of a Web page.
This data tells the agent how to detect the Web site’s logon and password-change screens, where to enter
the user credentials, and how to submit those credentials.
The easiest and most precise way to configure Web applications is by using the Web Form Wizard.
Before you begin this procedure, refer to the General Guidelines for configuring applications.
Notes:
v Web applications can have the logon and password change forms on the same page, on different pages
within the same URL, or at different URLs. Furthermore, logons can be in the same form at different
URLs or on different forms at different URLs.
v If you add a configuration for a site where the user already has added a logon to their local store, your
new configuration will override the user’s. The user will need to re-enter credentials for this
application. Note: The user can still view the old logon in Logon Manager.
Adding Host/Mainframe Applications
TAM E-SSO provides single sign-on functionality to host/mainframe applications through host emulators
that
v implement HLLAPI (high-level language application programming interface), or
v have a built-in scripting language that can display a dialog.
The host emulator enables an end user to connect the Windows workstation to a mainframe, AS/400,
OS/390, Unix, or other host-based session. TAM E-SSO recognizes a terminal screen by looking for
specific strings of data at specific screen locations.
In order for host emulators to be recognized by TAM E-SSO, mainframe support must be enabled:
v The Administrator can enable mainframe support as an administrative override by selecting MFEnable
in the Host/Mainframe Apps dialog in the Console.
v If the Administrator has not enabled (or disabled) mainframe support as an override, the end user can
enable support within the TAM E-SSO agent by selecting Enable Mainframe Support on the
Mainframe tab of the Settings dialog box. Refer to the TAM E-SSO User Guide for more information.
All host/mainframe applications must be predefined by the Administrator: the TAM E-SSO end user has
no means to define host/mainframe applications. The Administrator must also configure the host
emulators themselves in order for TAM E-SSO to recognize them. An application logon created using one
host emulator is usable by any host emulator. See Configuring Host Emulators for information on
configuring TAM E-SSO-supported emulators.
Notes:
v For multi-screen logons, you must create an application form for each screen.
v Logon creation is easiest using a host emulator that allows you to select text and displays the row and
column coordinates of your selection.
v For information on how to configure an emulator that does not support HLLAPI but does have a
scripting language, please contact IBM.
v For emulators that neither implement HLLAPI nor have a scripting language, you can, in some cases,
configure the host/mainframe application as a Windows application (to detect the form by its window
title) and use SendKeys to supply user credentials. See Adding Windows Applications: Special
Issues for more information.
Adding Java applications and applets
You can configure Java application logons and Java applet logons (in Web pages) by using the Windows
Form Wizard. The procedures for creating and deploying are generally identical for Java and Windows
applications.
Before you begin Java logon configuration, refer to the General Guidelines for configuring applications.
Important Note: In order for the Agent to detect and use Java application logons, the Java Runtime
Environment (JRE), version 1.3 or later, must be installed on the workstation prior to installing TAM
E-SSO. If the JRE is not already present when TAM E-SSO is installed, the Agent’s Java Helper
component is not available for installation.
Adding Telnet Applications
TAM E-SSO supports Telnet sessions using HLLAPI (high-level language application programming
interface) implemented by a mainframe/host emulator. The emulators TAM E-SSO currently supports
for Telnet with HLLAPI are ScanPak Aviva and NetManage Rumba.
Configuring a logon for a Telnet application is essentially identical to adding host/mainframe
applications generally, but with these exceptions:
v Host applications generally display text captions and data fields in fixed positions, which lets TAM
E-SSO detect a screen as a logon form using text matching and absolute row/column coordinates. By
contrast a Telnet application, including its logon screen, appears in a scrolling text window. The screen
position of the text caption for TAM E-SSO to match (and begin the logon) should be set as a row
number relative to the cursor (negative for above, positive for below) and an absolute column number;
see the example, below. If one or both of the caption’s coordinates are unpredictable, you can use an
asterisk (*) for the row setting to match text in any row (and a fixed column), for the column setting to
match text in any column (and a row relative to the cursor), or for both settings to match text
anywhere on screen.
v When it supplies credentials for a Telnet logon, TAM E-SSO ignores the row and column coordinate
settings for field-matching. However, the settings must be present in the logon configuration. Use 1 as
the values for both row and column coordinates for all credential fields in a Telnet logon.
v In order to ensure that the Telnet logon credentials are filled in properly, TAM E-SSO is enabled with
timing logic. The Delay Field setting (on the Options tab for configuring a host/mainframe logon
form) indicates the time in milliseconds that the Agent should pause between each action; for example,
when entering value into a field.
See Configuring Host Emulators for additional information on HLLAPI configuration.
To add a new Telnet application logon
The easiest and most precise way to configure Telnet applications is by using the Host/Mainframe Form
Wizard. Before you begin this procedure, refer to the General Guidelines for configuring applications.
To configure a Telnet application logon manually
The following procedure describes the steps for manually configuring or modifying a Telnet logon. Refer
to the specific dialogs and controls for more information. Before you begin this procedure, refer to the
General Guidelines for configuring applications.
1. Start the application and configure the host emulator.
2. In the Console, do one of the following:
v Create a new host/mainframe application logon.
or
a. In the left pane, click Applications and select a host/mainframe application.
b. Click the General tab in the right pane.
c. Select a logon form from the list and click Edit.
The Host/Mainframe form-configuration dialog appears, displaying the General tab.
3. In the General tab:
a. Specify one or more Text Matching captions, so that this page can be identified uniquely from
other pages. Specify the identifying Text string of the caption and its starting Row and Column
numbers.
v The row numbers should be relative to the current cursor position and can be negative
integers. See the example below.
v The column number is an absolute position.
v You can also use an asterisk (*) for the row or column as a wildcard.
b. Specify the Fields for credentials. Click Edit (under Fields) to display the SendKeys
(Host/Mainframe) dialog box. Select each field, and set the Row and Column for each field to 1.
If needed, specify any additional keystrokes that should follow each field entry.
4. If the terminal response-time requires a pause between credential field entries, select the Options tab
and type the number of milliseconds to pause in Delay Field.
5. Repeat the steps above for each additional logon form.
6. To add Password Change information, repeat the process with the Password Change tab and the
password change dialog(s) in the target application.
Text matching example
Since the text in a Telnet application scrolls, the row positioning must be set relative to the cursor’s row,
which is always row 1. Therefore the row coordinate for a caption ("Welcome to VAX/VMS V6.1") that is
two rows above the cursor is -2. The column setting of the start of the caption text is an absolute
coordinate; in the example here, 9.
Row#   Screen text column
                1         2         3
       1234567890123456789012345678901
 -4
 -3
 -2            Welcome to VAX/VMS V6.1
 -1
  1    Username: _
  2
  3
  4
For TAM E-SSO to identify this sample screen, you could set these text matching criteria (using the Text
Matching dialog box):
Match 1: Text "Welcome to VAX/VMS V6.1", Row -2, Column 9
Match 2: Text "Username:", Row 1, Column 1
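The cursor-relative matching rules from the Telnet section, worked as an added Python example (not IBM's code) over a constructed snapshot of the sample screen above: the row is relative to the cursor row (row 1), the column is absolute, and an asterisk in either coordinate is a wildcard. It also shows the generalisation the text describes, where a scrolled banner is still found with a wildcard row.

```python
"""Cursor-relative text matching for Telnet logon screens (added example, not IBM's code).

Models the rules stated above: the Row is relative to the cursor row (which is row 1;
negative rows lie above it, positive below, there is no row 0), the Column is absolute
and 1-based, and "*" in either coordinate is a wildcard. The Row/Column settings of the
credential fields are not modelled, since the text says the Agent ignores them for Telnet.
"""
from typing import Dict, List, Union

Coord = Union[int, str]  # an integer, or "*" for "match anywhere"

# Constructed screen snapshot reproducing the sample above: index 4 is the cursor row.
SAMPLE_SCREEN: List[str] = [
    "",                                   # row -4
    "",                                   # row -3
    " " * 8 + "Welcome to VAX/VMS V6.1",  # row -2: caption begins at column 9
    "",                                   # row -1
    "Username: ",                         # row  1: the cursor row
    "", "", "",                           # rows 2..4
]
SAMPLE_CURSOR_ROW = 4

# The two Text Matching criteria from the example above.
VMS_LOGON_CRITERIA: List[Dict[str, Coord]] = [
    {"text": "Welcome to VAX/VMS V6.1", "row": -2, "column": 9},
    {"text": "Username:", "row": 1, "column": 1},
]


def relative_row_index(cursor_row: int, rel_row: int) -> int:
    """Convert a cursor-relative row number to a 0-based index into the screen rows."""
    if rel_row == 0:
        raise ValueError("row 0 does not exist: the cursor row is row 1")
    # Row 1 is the cursor row itself, so positive rows are offset by one.
    return cursor_row + (rel_row - 1 if rel_row > 0 else rel_row)


def caption_matches(rows: List[str], cursor_row: int,
                    text: str, row: Coord, column: Coord) -> bool:
    """True when `text` starts at (row, column) on this screen, honouring "*" wildcards."""
    if row == "*":
        candidates = range(len(rows))
    else:
        index = relative_row_index(cursor_row, int(row))
        if not 0 <= index < len(rows):
            return False  # the relative row is off the visible screen
        candidates = [index]
    for index in candidates:
        line = rows[index]
        if column == "*":
            if text in line:
                return True
        elif line.startswith(text, int(column) - 1):
            return True
    return False


def screen_is_logon_form(rows: List[str], cursor_row: int,
                         criteria: List[Dict[str, Coord]]) -> bool:
    """The screen is recognised only when every Text Matching criterion matches."""
    return all(caption_matches(rows, cursor_row, c["text"], c["row"], c["column"])
               for c in criteria)


if __name__ == "__main__":
    print(screen_is_logon_form(SAMPLE_SCREEN, SAMPLE_CURSOR_ROW, VMS_LOGON_CRITERIA))  # True
```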
First Time Use (Bulk-Add)
After the initial product installation, the First-Time Use Wizard requests various items of information to
complete the setup process. If multiple authenticators are installed, the user is prompted to choose a
Primary Logon Method. In addition, TAM E-SSO can also prompt the user for application
usernames/IDs and passwords to quickly populate the user's store.
The configuration settings for the First-Time Use Wizard are specified in the ftulist.ini file. End-users can
be prompted to provide credentials (username/ID, password, third field) for their existing logons.
Combining first-time use configuration with predefined logons ensures that users reap the benefits of
single sign-on immediately after installation. Alternatively, users can configure their individual logons as
they encounter each application.
Note: All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and
edited using the Administrative Console.
Using and Creating Templates
Preconfigured application logons for many popular Windows applications are included with
Administrative Console in the form of templates that contain all or part of the logon’s configuration.
You can also convert the application logons that you create with Administrative Console into templates.
Templates provide two practical benefits for creating and managing pre-configured logons:
v You can store, share, and reuse a group of specific logon settings as a "starter set" for creating new
logons based on the template. Your templates appear as options in the Add Application dialog box.
v If you make changes to a template’s source logon, you can easily apply your changes to any logons
based on that template, by using the Update Applications command on the Tools menu.
You create a template by:
v Selecting an existing application logon with the Manage Templates dialog box (from the Tools menu).
v Choosing the logon settings (for the application and for individual forms) that you want to be able to
override later; use the Overriding Settings tab in the Edit Template dialog box (click Edit in the
Manage Templates dialog). For Web and Windows applications, you can also choose a setting that the
template user must provide in order to complete the logon configuration (on the Supply Info tab).
v Saving the current file to the Templates folder under the Console’s program directory (typically, this is
C:\Program Files\Passlogix\Administrative Console\Templates).
You use a template to create a logon by selecting it from the Applications drop-down list in the Add
Application dialog box. You are prompted if additional information is needed to complete the
configuration.
You can update application logons with any changes made in their originating template. Open the
Console XML file containing the applications and choose the Update Applications command from the
Tools menu.
Managing User Data
Setting Password Policies
TAM E-SSO allows administrators to set policies that control automatic password generation. Password
policies simplify user logons while ensuring the organization’s security.
Most applications have constraints for passwords: how long they can or must be, whether you can use
numbers or symbols, and so on. TAM E-SSO's password-generation feature improves application logon
security by automatically creating passwords made up of random characters according to predefined sets
of constraints, stored as password policies. Each policy can apply to multiple applications, or subscribers.
Using predefined password policies, you can completely automate password changes and implement
sophisticated security schemes, including complex passwords, frequent password changes, and
application-specific passwords unknown to users.
Note: If the policy you create makes a password difficult or impossible, TAM E-SSO will try to create a
password for up to five seconds and then notify the user that it was unable to generate a password. You
can preview the passwords a particular policy generates using the Test Password Policy dialog box.
Creating password sharing groups
Password sharing groups let users automatically apply a password change made in one application to
other specified applications.
When TAM E-SSO handles a password change for any application that is a member of the sharing group,
it automatically applies the password change to all other group members. Any number or combination
of Windows, mainframe/host, and Web applications can share a single password. If the Windows
(Domain) or Directory Server (LDAP) authenticator is used, selected applications can share a single
password with the authenticator as well.
For example, an enterprise might have a new web interface to an old mainframe application. One way
to share the password between these two is to use a password sharing group. Some applications share a
common password (for example, an Intranet application and an E-Mail application). These applications
should be in the same password sharing group.
See Password Sharing Groups for the procedures for creating and managing sharing groups.
Notes:
v The Windows authenticator password is in a predefined group named Domain.
v The LDAP Directory Server authenticator is in a predefined group named LDAP.
The Administrative Console does not currently support adding predefined applications (those included in
the default configuration file applist.ini) to password sharing groups. You will need to do this manually
by creating identically-named sections in entlist.ini (the custom-application configuration file) that
identify the sharing group. The following example adds Microsoft Outlook to the password sharing
group OurServer.
Example:
[Microsoft Outlook]
Group=OurServer
User Credentials and Settings
TAM E-SSO stores user credentials locally in the ...\Application Data\Passlogix folder. Global agent
settings are stored in the Local Machine registry key (HKLM); settings modified by the user are stored in
the Current User registry key (HKCU).
TAM E-SSO can also perform a complete backup of credentials and settings to a file (.bkv). The backup
can be performed manually by the user, or automatically by administrative configuration. For details on
this feature, see File-Based Backup/Restore.
TAM E-SSO can also synchronize individual user credentials with remote sources, including
file systems, databases, and directory servers. These remote sources can provide the agent with
application logons, first-time-use (setup) information and administrative overrides (global agent settings).
For details on this feature, see Synchronization.
File-Based Backup/Restore
If the backup/restore module is installed, the Administrative Console can perform a complete
backup/restore of user credentials and settings to/from another location. The backup/restore can be
performed manually (by the user) or automatically (by administrative configuration). Also, a selective
backup/restore (writing the newer information over the older information) can be performed
automatically (by administrative configuration).
Note: If the Backup/Restore module is installed, the user can perform a manual backup, store to any
location (even a floppy drive), and select any password (even a one-character password).
Synchronization
TAM E-SSO synchronizer extensions let you synchronize credentials between an end user’s local store (on
a workstation) and a store in a remote SSO repository (file system share, relational database or directory
server). You can also use these extensions to deploy Administrative Overrides of local Agent settings,
application logon configurations (overriding entlist.ini and to be merged with applist.ini), and bulk-add
lists (overriding ftulist.ini). See Overriding Settings for more information.
Synchronizer extensions can communicate with directory servers, database servers, file systems, and other
storage devices. Each type of extension has its own configuration issues. The extensions included with
TAM E-SSO support:
v Microsoft Active Directory server, including Application Mode.
v An LDAP-compliant directory server, including IBM Tivoli Directory Server, Novell eDirectory, Oracle
Directory Server, Sun Java System Directory Server 5.1, Critical Path Directory Server, and OpenLDAP
Directory Server.
v Relational databases, including Microsoft SQL Server, IBM DB2 and Oracle 9i/10g.
v Network file systems.
The synchronizer extensions are capable of performing the following tasks:
v Connecting to (or binding with) a destination device/resource/store
v Retrieving any overriding settings (Administrative Overrides, application configuration information,
and first-time use configuration information)
v Synchronizing the local user store (credentials) with the remote store
TAM E-SSO supports using each extension multiple times, which allows you to support multiple
configurations. For example, if the LDAP Directory Server and File System synchronizer extensions are
installed, the agent will synchronize credentials with, and download overriding settings from, both an
LDAP Directory Server and a File System. See Multiple Synchronizer Extensions for more information
about the procedures.
Directory Server Synchronization Support
Administrative Console supports any LDAP directory server, including:
v IBM Tivoli Directory Server
v Microsoft Active Directory (including Application Mode)
v Novell eDirectory
v Oracle Directory Server
v Sun Java System Directory Server 5.1
v Critical Path Directory Server
v OpenLDAP Directory Server
TAM E-SSO uses directory server resources for administrative configuration, mobility, and backup.
Administrators can deploy configuration overrides to provide new registry, entlist.ini, and ftulist.ini
(bulk-add) settings or to update existing settings. Users can store credentials (for backup) and move
among multiple computers (for mobility). When TAM E-SSO connects to a directory server, it utilizes a
specific directory structure to determine where the user’s credentials and overriding settings reside.
Note: Each Directory Server presents platform-specific configuration issues. These are addressed in
the individual configuration topics.
Directory Structure
Within each directory, TAM E-SSO utilizes the following object structure:
[ view diagram ]
When a user first connects to a directory server, the computer is configured to locate a specific path on
the directory tree. Using the process described below, the Agent is able to find the SSOConfig object,
which contains overriding settings and a People object, which contains the user’s settings, preferences,
and credentials.
File System Synchronization Support
Administrative Console supports file system synchronization with any network drive/device that can be
addressed by UNC (Universal Naming Convention). File system synchronization can also be used to
support a kiosk user scenario, where multiple users share a single workstation.
File System Structure
Within each file system, TAM E-SSO utilizes the following object structure:
[ view diagram ]
When a user first connects to the file system, the computer is configured to locate a specific path. The
Agent is then directed to find the SSOConfig object, which contains overriding settings and a People
object, which contains the user’s settings, preferences, and credentials.
Database Synchronization Support
Administrative Console supports synchronization of user credentials, application logons, and global agent
settings between client workstations and a relational database server. Supported servers include
Microsoft SQLServer 2000, IBM DB2, and Oracle 9i/10g.
In this type of synchronization, TAM E-SSO configuration objects and user data containers are stored on
the server as database records in TAM E-SSO-specific tables:
SSO_ADMIN stores, as records, the configuration objects you create in the Console: EntList
(application logons), FTUList (Setup Wizard configurations), and AdminOverride (Global Agent
Settings). During synchronization, all workstation users read their logons and overrides from this
table; only the administrator, using the Console, can write to it. These configuration objects are
depicted in the Console in the same hierarchical layout as for file system and directory server
synchronizers.
SSO_USERS stores user credentials, preferences, and synchronization states as records. During
synchronization, users read and write to their own records; only the record for the user currently
logged in can be accessed. In the Console, the records for each user are depicted within the user
container.
When TAM E-SSO connects to the database server, it reads the configuration objects and overriding
settings (from SSO_ADMIN) and synchronizes the user data (in SSO_USERS).
The procedure for configuring database synchronization is similar to that for other synchronization
methods.
v The first step is to extend the database schema to create the two tables described above.
v The second step is to create the container objects: an SSOConfig object, which contains overriding settings
and a People object, which holds the user containers for each user’s settings, preferences, and
credentials.
Multiple Synchronizer Support
TAM E-SSO supports synchronizing to multiple synchronizer extensions and multiple configurations of
the same extension. In either scenario, the Agent attempts to complete synchronization with the first
extension and then with each subsequent extension.
Overriding settings can exist on each extension. See Handling Multiple Sets of Overriding Settings for
an explanation of how the agent handles multiple extensions with overriding settings.
Note: References to %AD%, %LDAP%, and %File% refer to the respective extensions, and %Extension%
refers to any of those extensions.
Synchronizer extensions can download overriding configurations for global agent settings (Administrative
Overrides), application configuration information (EntList), and first-time use scenarios (FTUlist). Each
of these objects has a local equivalent:
Settings Type                       Local Equivalent             Directory Server/Database   File System
                                                                 Object Name                 Object Name
Administrative Overrides            Registry entries under HKLM  SSOAdminOverride            AdminOverride
Application logon configuration     The entlist.ini file         SSOentlist                  entlist
  information
First-time-use configuration        The ftulist.ini file         SSOftulist                  ftulist
  information (including bulk-add
  information)
The latter two types of objects are similar in format/layout to their local equivalents, entlist.ini and
ftulist.ini. The first type of object has the following syntax:
[HKLM\Software\Passlogix]
REQUIRED: RegistryPath\RegistryPath:KeyName=TYPE:Value
This format is exported by TAM E-SSO Console.
Example:
[HKLM\Software\Passlogix]
Shell:AutoBackupPath=STRING:\\FS\Home
Shell:ShowAccessBtn=DWORD:1
Extensions\AccessManager:ReauthOnReveal=DWORD:0
Note: In directory server installations, this configuration information can be enabled with support for role
group-based access.
Handling Multiple Sets of Overriding Settings
The Agent attempts to retrieve each type of overriding settings from each extension until it finds an
extension that has at least one of each; once an overriding setting is downloaded, the agent does not
query other extensions for that overriding setting.
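The Administrative Override syntax shown above and the first-found rule just described, as an added Python example (not IBM's code): it parses the Console-exported AdminOverride text into registry records, flags a ReauthOnReveal=DWORD:0 line (that this value governs re-authentication before a password is revealed is inferred from its name, an assumption the page does not confirm), and resolves which extension supplies each settings type when several are configured. The extension names, their contents and the sync order are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Override:
    path: str      # full registry path, e.g. HKLM\Software\Passlogix\Shell
    key: str       # value name under that path
    type: str      # STRING or DWORD
    value: object  # str for STRING, int for DWORD


# RegistryPath\RegistryPath:KeyName=TYPE:Value, the syntax printed above.
_OVERRIDE_LINE = re.compile(
    r"^(?P<path>[^:=]+):(?P<key>[^=]+)=(?P<type>[A-Z]+):(?P<value>.*)$")


def parse_admin_override(text):
    """Parse one AdminOverride object into Override records.

    Only the two value types shown in the documentation are handled; any other
    type, and any key line before a [section] header, is rejected."""
    overrides = []
    base = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            base = line[1:-1].strip()      # e.g. HKLM\Software\Passlogix
            continue
        if base is None:
            raise ValueError("key line before any [section] header: %r" % line)
        m = _OVERRIDE_LINE.match(line)
        if m is None:
            raise ValueError("malformed override line: %r" % line)
        vtype, raw_value = m.group("type"), m.group("value")
        if vtype == "DWORD":
            value = int(raw_value, 10)
        elif vtype == "STRING":
            value = raw_value
        else:
            raise ValueError("unsupported value type %r" % vtype)
        overrides.append(Override(base + "\\" + m.group("path").strip(),
                                  m.group("key").strip(), vtype, value))
    return overrides


def reauth_on_reveal_disabled(overrides):
    """Overrides that set ReauthOnReveal to 0. That this value controls
    re-authentication before a password is revealed is ASSUMED from its name;
    the documentation does not define it. Worth flagging when reviewing overrides."""
    return [o for o in overrides if o.key == "ReauthOnReveal" and o.value == 0]


# Settings types, named as the file-system objects in this section's table.
SETTING_TYPES = ("AdminOverride", "entlist", "ftulist")


def resolve_overrides(extensions):
    """Apply the first-found rule across extensions in sync order.

    extensions: ordered list of (extension name, {setting type: content}).
    Returns {setting type: (extension name, content)}; once a type has been
    downloaded from one extension, later extensions are not queried for it."""
    found = {}
    for ext_name, objects in extensions:
        if len(found) == len(SETTING_TYPES):
            break                          # nothing left to fetch
        for setting in SETTING_TYPES:
            if setting not in found and setting in objects:
                found[setting] = (ext_name, objects[setting])
    return found


# The example from the text, as exported by the Console.
SAMPLE_OVERRIDE = r"""
[HKLM\Software\Passlogix]
Shell:AutoBackupPath=STRING:\\FS\Home
Shell:ShowAccessBtn=DWORD:1
Extensions\AccessManager:ReauthOnReveal=DWORD:0
"""

# Constructed: %LDAP% carries only an AdminOverride; %File%, later in the sync
# order, carries all three. The File copy of AdminOverride must be ignored.
SAMPLE_EXTENSIONS = [
    ("LDAP", {"AdminOverride": SAMPLE_OVERRIDE}),
    ("File", {"AdminOverride": "[HKLM\\Software\\Passlogix]\nShell:ShowAccessBtn=DWORD:0\n",
              "entlist": "[Microsoft Outlook]\nGroup=OurServer\n",
              "ftulist": "(constructed ftulist placeholder)"}),
]


def effective_admin_override(extensions=SAMPLE_EXTENSIONS):
    """The AdminOverride the agent would actually apply, parsed."""
    ext_name, content = resolve_overrides(extensions)["AdminOverride"]
    return ext_name, parse_admin_override(content)
```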
Event Logging
The topics in this section describe the Administrative Console Event Logging feature and the associated
setup process. Event Logging monitors a variety of user events including:
v Agent startup/shutdown
v logon
v password changes
v credential addition, change, and deletion
v authenticator changes
v backup and restore
v credential synchronization
v settings changes
v help-system use
The Console lets you control what events are logged, where and when they are logged, and whether to
maintain a local copy of the log. The addition of extensions allows for various log destinations and
formats.
Event Logging: Agent Configuration
Event Logging is an optional feature of TAM E-SSO. It is not installed by default.
To install Event Logging, choose Custom Install and enable the Event Manager and any Event Logging
extensions you wish to use within the Extensions selection. After installation, certain parameters should
be set up for Event Logging and any installed extensions.
Notes:
v Global settings are set in HKLM\...\Extensions\EventManager.
v Extension-specific settings are set in HKLM\...\Extensions\EventManager\%Extension%.
v TAM E-SSO ships with the Local (XML) File extension (LocalStorage) and the Windows Event
Logging extension (WindowsEvent).
Event Logging: Server Configuration
Distributing TAM E-SSO
The topics in this section describe the options for packaging, deploying, and managing TAM E-SSO in a
networked environment:
v Microsoft Windows Installer (MSI) Package
v Deployment Options
v Administration and Management
v Storing User Credentials and Settings
v File-Based Backup/Restore
Microsoft Windows Installer (MSI) Package
TAM E-SSO ships as an MSI package, a standard format used by installers from Microsoft and other
vendors, and many other installers can read MSI files. For information on the contents of the TAM E-SSO
Setup MSI, see MSI Package Contents.
The Microsoft Windows Installer exists as a service (Windows Installer) on all Microsoft Windows
2000/XP computers (refer to Microsoft Knowledgebase article #q255905). You can customize the MSI
package to meet special requirements, such as:
v Providing custom applications and TAM E-SSO agent configurations.
v Deactivating some options or components (for example, different authenticators) before the end users
install the Agent themselves.
v Adding options or components to accommodate a complex environment, for example, one using
biometric security devices or having an unusual network topology.
To meet these needs, there are these options:
v Use a command-line installation
v Customize the installer package
v Include Console-created logons and Global Agent Settings in the installer
v Deploy using third-party deployment tools
Deployment Options
This section describes using the default MSI package from the following perspectives:
v Performing an installation with the shipped MSI package
v Launching the MSI package from the command line
v Remote installation
v Editing the MSI package
v Adding Console-created logons and settings to the MSI package
v Alternate tools and methods
Glossary
*nix: A common reference to all operating systems that are similar to Unix. This includes Linux, NetBSD, FreeBSD, and many others.
Access icon menu: Near the minimize button on each application, the agent can display its logo with a drop-down menu that offers access to selected menu entries (for example, logon, add application, and so on).
Access Manager: A TAM E-SSO feature, whereby the agent handles identifying applications and responding with credentials.
Active Directory (AD): Microsoft Active Directory, a Directory Server similar to LDAP Directory Servers.
applist.ini: A file containing configuration information for various online services and Web/network pop-up logon dialogs. These configurations are supplied by IBM and should not be changed.
AUI (Authentication User Interface): See "authenticator".
authenticator: An authenticator is the primary logon method to the system and/or to the agent. If the user uses the Windows, RSA Keon (TAM E-SSO: Authentication Adapter only), or Entrust authenticators (TAM E-SSO: Authentication Adapter only), logging onto the system unlocks the agent.
auto-enter: A TAM E-SSO feature, whereby the agent performs a logon after the user adds the application's credentials to the agent. This feature can be enabled/disabled on a per-user basis.
auto-recognize: A TAM E-SSO feature, whereby the agent automatically performs a logon when it recognizes an application. The user can turn this feature off for selected credentials as needed.
Backup/Restore Wizard: A TAM E-SSO feature, whereby the agent can save and restore all user data to a file.
Bulk Add: A TAM E-SSO feature, whereby the agent helps the user select a primary logon method (authenticator) and (optionally) starts the Bulk Add Wizard. Part of the FTU scenario, where a user can enter application credentials into the agent en masse. Also see "FTU".
credentials: A set of credentials consists of the user-specific information the agent needs to perform a logon. This consists of a password and one or more of: username/ID, third field, fourth field.
DAMA dialog: A TAM E-SSO feature, "Don't Ask Me Again", whereby a user can tell the agent not to prompt the user to add a Web application.
DAP ("Directory Access Protocol"): See "LDAP".
Directory Server schema: Structure/definition of objects/classes/attributes.
Directory Server: A specialized kind of database supporting a "tree" structure rather than tables. The semantic equivalents to database records are objects and the equivalents to database fields are attributes.
Disconnected mode: When a user is not connected to the network or is otherwise unable to connect to a server.
DN ("Distinguished Name"): An LDAP Directory Server notation. See "LDAP."
entlist.ini: A file containing configuration information for applications specific to an enterprise. This includes logon, password change, Password Sharing Groups, Password Policies, and other information.
Error-Loop dialog: A TAM E-SSO feature, to help prevent the user from being locked out of an application. When an application prompts the user repeatedly for logon credentials, the agent detects this and asks the user whether to keep providing credentials, to try a different set of credentials, or to stop all actions.
Event Logging: When the agent performs any action ("event"), such as starting up or providing logon credentials, that event can be recorded ("logged").
Event Viewer: A Microsoft tool that views the Windows Event Log. Start by running eventvwr.exe.
Fourth field: See "Other fields."
FTU ("First-time use"): The scenario when a user first uses the agent. Also see "Bulk Add."
ftulist.ini: A file containing the steps that are to occur when a user first uses the agent.
HKCU: HKEY_CURRENT_USER\Software\Passlogix: the primary key for storing user-specific settings.
HKLM: HKEY_LOCAL_MACHINE\Software\Passlogix: the primary key for storing computer-specific settings.
HLLAPI ("High Level Language API"): The emulator-provided standard API for an application (such as TAM E-SSO) to communicate with host emulators. See "Host emulator."
Host emulator: A program that enables a user to interact with a host. See "Host."
Host: In the context of TAM E-SSO, a host is either a Mainframe or Unix computer. The agent provides credentials to a "host emulator" that connects to the host. See "Host emulator."
LDAP ("Lightweight Directory Access Protocol"): A Directory Server protocol/standard. A TCP/IP-compatible subset of "DAP", the "Directory Access Protocol." Refer to RFC 1777 and others.
Logon Chooser: A TAM E-SSO feature, whereby the user can select from two or more sets of credentials for a given logon or password change request.
Logon Manager: A TAM E-SSO feature, whereby the user can manage (add/delete/modify/copy/review) sets of credentials.
Mainframe: High-end computer, running applications on multi-user operating systems such as AS/400 and OS/390.
mfrmlist.ini: A file containing configuration information for host emulators. These configurations are supplied by IBM and should not be changed.

mobility: The ability for the agent to access credentials from multiple desktops, whether via Windows Roaming Profiles, access to a network drive, use of a floppy, use of a directory or database, and so on.

Other fields: Applications sometimes ask for a password, a username/ID, and one or two additional fields. These fields are referred to as the "Other fields", or "Third field" and "Fourth field." The most common uses of the third field are for "Domain" or "Database."

Password Policies: A TAM E-SSO feature, whereby the user or administrator can define criteria that the agent will use to define a new, random password when performing an automatic password change. There can be multiple policies, as many as one for each predefined application. For example, one policy might generate a "PIN" (a 4-8 character password consisting of just numbers), and another policy might generate a Windows Domain password (6-127 characters, including uppercase, lowercase, numeric, and special characters).
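As an added illustration of what a password policy like the two just described does in practice (example code written for this page, not part of TAM E-SSO or of IBM's documentation), the Python block below encodes both policies as data, generates a random password that satisfies one, and checks an arbitrary password against it. The PasswordPolicy structure, its field names and the special-character set are this example's own assumptions; the glossary describes the policy concept, not a file format.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple

# Character classes the sample policies draw from. The special-character
# set is a constructed choice for this example, not TAM E-SSO's own list.
DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
SPECIAL = "!#$%&*+-=?@^_"


@dataclass(frozen=True)
class PasswordPolicy:
    """Criteria the agent applies when it generates a new random password.

    The field names are this example's own (assumption), not a schema
    taken from the product."""
    name: str
    min_length: int
    max_length: int
    allowed_classes: Tuple[str, ...]          # every character must come from one of these
    required_classes: Tuple[str, ...] = ()    # each of these must appear at least once


# The two policies the glossary describes, expressed in the structure above.
PIN_POLICY = PasswordPolicy("PIN", 4, 8, allowed_classes=(DIGITS,))
DOMAIN_POLICY = PasswordPolicy(
    "Windows Domain", 6, 127,
    allowed_classes=(UPPER, LOWER, DIGITS, SPECIAL),
    required_classes=(UPPER, LOWER, DIGITS, SPECIAL),
)


def complies(policy: PasswordPolicy, password: str) -> bool:
    """True when the password satisfies the policy's length and class rules."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    alphabet = set("".join(policy.allowed_classes))
    if any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in policy.required_classes)


def generate_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a random password that complies with the policy.

    Uses the OS CSPRNG (secrets) rather than the random module, so the
    result is unpredictable. One character from each required class is
    placed first and the list is shuffled, so class coverage never
    depends on luck and the required characters sit in no fixed position."""
    rng = secrets.SystemRandom()
    if length is None:
        length = rng.randint(policy.min_length, policy.max_length)
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError(f"length {length} is outside the {policy.name} policy range")
    if length < len(policy.required_classes):
        raise ValueError(f"{policy.name}: too short to cover every required class")
    alphabet = "".join(policy.allowed_classes)
    chars = [secrets.choice(cls) for cls in policy.required_classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for policy in (PIN_POLICY, DOMAIN_POLICY):
        pw = generate_password(policy)
        print(f"{policy.name}: {len(pw)} characters, complies={complies(policy, pw)}")
```

The check function is kept separate from the generator on purpose: the same rules that drive generation can then be applied to a password a user typed by hand, which is how a policy is normally enforced at password-change time.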
Password Sharing Groups: When two or more applications are linked at the back end, such that changing the password for one changes the password for all, the agent needs to be configured to know this.

PKI: "Public Key Infrastructure."

Predefined Applications: Applications with configuration information listed in applist.ini and/or entlist.ini.

Primary Logon Manager: A TAM E-SSO feature, whereby the user can select a different Primary Logon Method.

reauthentication: After using the agent for a period of time, or upon certain "important" events (for example, backup/restore), the agent will ask the authenticator to confirm that the same user is still using the system. At this time, the authenticator will prompt the user to authenticate again, or reauthenticate.

RFC ("Request For Comment"): Documents that define Internet standards such as LDAP, SNMP, SMTP, POP3, and HTTP.

schema: See "Directory Server schema."

SendKeys: The agent has several methods for sending credentials to applications. The first, safest, most secure, and most reliable method is directly (via Windows Events, an embedded COM object, or HLLAPI). The second method is to send the credential field in a block. The third method is to send one character at a time (if a DelayKey is specified). Specifying UseSendKeys (Windows) or AltTabKey (Host) forces the agent to use the latter methods.

Settings dialog: A TAM E-SSO feature, whereby the user can alter agent settings.

A TAM E-SSO feature, whereby the agent helps the user select a primary logon method (authenticator) and (optionally) starts the Bulk Add Wizard.
SLA (Single Logon Authentication): The Windows authenticator, where the user logs onto Windows to authenticate to the agent.

SSL ("Secure Sockets Layer"): Protocol for securing and encrypting data over a TCP/IP connection. TAM E-SSO uses SSL for data exchange with Directory Servers.

teaching tool: If a user wishes to add a Windows application that is not predefined, the agent provides a wizard-based tool so the user can "teach" the agent where to submit credentials. This tool is referred to generically as the "teaching tool." It functions similarly to the "Finder Tool" in Microsoft Spy++.

Template: A stored specification for a preconfigured application logon. Some templates require the administrator to supply application-specific information before the logons can be distributed to end users. Templates for many popular Windows and Web applications are provided with TAM E-SSO, and administrators can create templates from existing application logons.

Telnet: A protocol for connecting to nix computers. See "Host" and "nix."

Third field: See "Other fields."

UNC ("Universal Naming Convention"): The Windows format for defining the full path to a file, including File System share information.
Share example: "\\Server\Share"
Path example: "\\Server\Share\Program Files\Passlogix\v-GO SSO"
Filename example: "\\Server\Share\Path\Long Filename.ext"
URL ("Universal Resource Locator"): The basic address of anything on the World Wide Web. A URL can consist of up to seven parts, as in https://johns:abc123@www.site.com:32/cgi-bin/path/whatever.bin?param1=123&param2istrue, where:
- https is the case-insensitive protocol name
- johns is the usually-case-sensitive username
- abc123 is the usually-case-sensitive password
- www.site.com is the case-insensitive name (or IP address) of the computer to connect to
- 32 is the port to connect to
- cgi-bin/path/whatever.bin is the path/filename of the program/page to execute/load (the OS determines case-sensitivity)
- param1 and param2istrue are parameters (the program determines case-sensitivity of both parameter names and values), with the first parameter having a value of 123.
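The seven parts listed above can be recovered mechanically. The Python block below is an added example, not part of the original glossary or of the product; it splits the sample URL with the standard library and, because a URL can carry a clear-text password, also shows how to strip the username and password before a URL is written to a log or shown in an error message. The sample URL is constructed from the entry above, using the same placeholder credentials the entry itself uses.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample: the same URL the glossary entry dissects.
EXAMPLE_URL = ("https://johns:abc123@www.site.com:32"
               "/cgi-bin/path/whatever.bin?param1=123&param2istrue")


def url_parts(url: str) -> dict:
    """Split a URL into the seven parts the glossary names.

    urlsplit lowercases the scheme and host (both are case-insensitive)
    but leaves username, password, path and query untouched, because
    their case sensitivity is decided by the server, its OS or the program."""
    s = urlsplit(url)
    return {
        "protocol": s.scheme,
        "username": s.username,
        "password": s.password,
        "host": s.hostname,
        "port": s.port,            # int, or None when the URL carries no port
        "path": s.path,
        # keep_blank_values keeps a bare flag such as "param2istrue" (value "")
        "params": dict(parse_qsl(s.query, keep_blank_values=True)),
    }


def redact_credentials(url: str) -> str:
    """Return the URL with any embedded username:password replaced by ***.

    Anything that records or displays URLs (event logs, error messages,
    proxies) should pass them through a function like this first, so a
    password never lands in a log file."""
    s = urlsplit(url)
    if s.username is None and s.password is None:
        return url
    host = s.hostname or ""
    if ":" in host:                # an IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host if s.port is None else f"{host}:{s.port}"
    return urlunsplit((s.scheme, f"***@{netloc}", s.path, s.query, s.fragment))


if __name__ == "__main__":
    for name, value in url_parts(EXAMPLE_URL).items():
        print(f"{name:9} {value!r}")
    print(redact_credentials(EXAMPLE_URL))
```

Note that the redacted form keeps scheme, host, port, path and query, which is everything an administrator needs to correlate a log entry with an application logon, and drops only the part that would be a secret.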
User work modes: Users can work in several work modes, including "one workstation, one or multiple users," "frequent movement among few workstations," "frequent movement among many workstations," and "disconnected." The work mode drives how TAM E-SSO needs to be configured.

Windows Event Viewer: See Event Viewer.
XML ("eXtensible Markup Language"): A text formatting standard like HTML. XML documents can be viewed with Microsoft Internet Explorer. TAM E-SSO ships with an XML extension to the Event Logging API that writes to a UNC-specified file.
Chapter 3. Using the Console
Console Main Menu Commands
The list below describes the commands available on the Console main menu and the corresponding keyboard and mouse shortcuts. Each entry gives the command, its description, and its shortcut (where one exists), grouped by menu.
When you use Administrative Console as a snap-in to Microsoft Management Console, you can access these commands by right-clicking an item in the left pane and choosing a command from the shortcut menu.
- For File menu commands, right-click TAM E-SSO (the top-level item) and point to File.
- For Edit menu commands, right-click a specific item (application logon, policy, group, or set of Settings).
- For Insert menu commands, right-click TAM E-SSO (the top-level item) and point to New.
- For Repository menu commands, right-click Repository.
- For Tools menu commands, right-click TAM E-SSO (the top-level item) and point to Tools.

File menu
New: Start a new configuration. Shortcut: Ctrl+N.
Open: Open a Console configuration file (XML). Shortcut: Ctrl+O.
Merge: Merge the current configuration (applications, password generation policies, password sharing groups) with a configuration file. If the merged file contains items with the same names as those in the current configuration, the Import/Merge Conflict dialog box appears; select the items to import and click OK.
Save: Save the current configuration to a file (XML). Shortcut: Ctrl+S.
Save As: Save a copy of the current configuration to a different file.
Import: Import configuration from an Administrative override object (INI) file or a registration-entries (REG) file as a new set of Global Agent Settings. Shortcut: right-click Applications and choose Import, or Ctrl+I.
Notes:
- If the imported file contains items (applications, policies, groups) with the same names as those in the current configuration, the Import/Merge Conflict dialog box appears.
- If the imported file contains a set of Global Agent Settings with the same name as an existing set in the current configuration, the imported set is named "Copy of existing settings."
- Choose Import from HKLM to import Global Agent Settings from the local-machine registry to the Console as a set named "Live."
Export: Export selected applications and all password policies and groups to an entlist.ini file (a store of application logons). Shortcut: right-click Applications and choose Export, or Ctrl+E.

Edit menu
Delete: Delete the item selected in the left pane. Shortcut: Del.
Notes:
- If a password policy or sharing group with subscribing applications is selected, a delete-confirmation prompt appears. Click Yes to confirm or No to cancel.
- There is no delete-confirmation prompt for applications, global agent settings, or for unsubscribed policies or groups.

Insert menu
Application: Add a new application configuration; displays the Add Application dialog box. Shortcut: right-click Applications and choose New Windows App, New Web App or New Host App.
Password Generation Policy: Add a new password generation policy; displays the Add Password Policy dialog box. Type a Policy Name and click OK. Shortcut: right-click Password Generation Policy and choose New Policy.
Password Sharing Group: Add a new password sharing group; displays the Add Sharing Group dialog box. Type a Group Name and click OK. Shortcut: right-click Password Sharing Group and choose New Group.
Global Agent Settings: Add a new group of Global Agent Settings; displays the Add Set of Settings dialog box. Type a Set of Settings Name and click OK. Shortcut: right-click Global Agent Settings and choose New Settings.
Synchronizer: Add synchronizers or change the search order; displays the Synchronizers dialog box. Shortcut: right-click Synchronizers and choose Manage Synchronizers.

Repository menu
Extend Schema: Connect to the synchronization repository and create a new synchronization schema (for LDAP and database sync support). Displays the Connect to Repository dialog box.
Enable Storing Credentials under User Object (AD only): (Active Directory only) Allow users' TAM E-SSO credential containers to be stored under their respective User objects. This command updates the directory schema to allow user-credential containers as children of user objects, and it modifies the directory-root security settings to grant users the rights to create the credential containers. Note: If you enable this option, do not enable the Prepend Domain global agent setting option (under Synchronization\Active Directory\Advanced). If both this option and Prepend Domain are enabled, no synchronization will occur.
Show User Credential Containers: Display/hide TAM E-SSO user-credential containers in the Repository window tree view.
Show Users (AD only): (Active Directory only) Display/hide user objects in the Repository window tree view.

Tools menu
Export Apps to Agent: Add the application logons in the current console session to the list of pre-configured logons for the locally installed Agent. This option updates the local entlist.ini file and, optionally, the ftulist.ini (first time use) file.
Write Global Agent Settings to HKLM: Export Global Agent Settings to the local-machine registry; displays a confirmation message.
Edit Passphrase Questions: Add or edit the passphrase questions that appear during First-Time Use; displays the Edit Passphrase Questions dialog box.
Generate Customized MSI: Create an .msi file for distributing an Agent configuration as a Windows Installer package; displays the Generate MSI dialog box.
Manage Templates: Create, modify, and remove templates for application logons; displays the Manage Templates dialog box.
Update Applications: Update applications based on templates that have been modified since the application's creation; displays the Update Applications dialog box.
Modify Configuration: View or edit the configuration (INI) files for the locally installed TAM E-SSO Agent. Choose Applist, EntList, FTUlist or MfrmList, or open any other INI file by name.
Applications
Displays application configuration information and provides access to logon settings.
- Click Applications in the left pane to display these tabs in the right pane:
  - the Application List, displaying currently configured logons.
  - the Bulk Add (multiple logon deployment) controls.
- Right-click Applications in the left pane to display a shortcut menu with these options:
  New Windows App: Configure a new Windows application. Displays the Add Application dialog box.
  New Web App: Configure a new Website application. Displays the Add Application dialog box.
  New Host App: Configure a new mainframe application. Displays the Add Application dialog box.
  Import: Open stored application configurations in a .REG or .INI file.
  Export: Save one or more application configurations in an INI file.
When Administrative Console is used as a snap-in to Microsoft Management Console, point to New on the shortcut menu, then click the item to create.
[Related Topics]
Configuring Application Logons

Applications List
Displays a list of applications with logons configured for use with TAM E-SSO.
- To add new applications, click Add.
- To modify a listed application's logon configuration, click an application, then click Edit.
- To delete one or more logon configurations, click an application (use Ctrl+click or Shift+click to select multiple entries), then click Delete.
To display this tab:
- Click Applications in the left pane, then click the Applications List tab in the right pane.
[Related Topics]
Configuring Application Logons

Add Application dialog box
Use the Add Application dialog to begin configuring a new application logon. You can define an application logon from scratch or you can use a stored template that provides pre-configured values for some or all logon settings.
1. Type a Name for the new logon.
2. Select an Application Type:
   - Windows
   - Web
   - Host/Mainframe
3. Do one of the following:
   - Select a template from the Application drop-down list and click Next to provide any additional information needed to complete the logon.
   - Leave the Application selection as New [type] Application and click Finish to create the logon from scratch.
4. Windows applications only: If this application requires authentication by RSA (SecurID/SoftID) token, select the RSA secured? check box.
5. Click Finish.
The Form Wizard for the selected Application Type begins. See Windows Form Wizard, Web Form Wizard or Host/Mainframe Form Wizard for more information.
To display the Add Application dialog, do one of the following:
- Right-click Applications in the left pane, then choose the application type (Windows, Web or Host/Mainframe) from the shortcut menu.
or
- Click Add in the Applications List.

Add Application from Template
Use this wizard page to supply application logon configuration settings that are not provided by the application logon template. Settings that must be supplied to complete the logon are marked in the left pane of the page with a red X.
1. In the left pane of the dialog, click a logon setting item that is marked by a red X. The corresponding dialog box for supplying the setting appears in the right pane.
2. Enter or choose the requested setting. A green checkmark replaces the red X when the setting is completed.
3. Click Finish to close the wizard and add the new application.
To display this page:
1. Do one of the following:
   - Right-click Applications in the left pane, then choose the application type (Windows, Web or Host/Mainframe) from the shortcut menu.
   or
   - Click Add in the Applications List.
2. In the New Applications dialog box, select a template from the Application drop-down list and click Next.

New Windows/Java application

Windows Form Wizard
Use the Windows Form Wizard to perform any of these tasks:
- configure new logons for Windows applications or for Java applets and applications.
- add new forms to existing logons.
- create forms for automatic password changes.
The Windows Form Wizard lets you use the application itself to identify its logon/password-change forms, the individual fields, and the submit (OK) button.
Before you begin this procedure, refer to the General Guidelines for configuring applications. Also see Adding Windows Applications for specific information about configuring Windows application logons.
To display the Windows Form Wizard, do one of the following:
- Create a new Windows or Java application logon.
or
- In the General tab (Windows), click Wizard.

Application window (Windows Form Wizard)
Use this Form Wizard page to select the application's logon or password/PIN change window.
See Windows Form Wizard for details of the procedure for configuring Windows applications.

Credential field (Windows Form Wizard)
Use this Form Wizard page to select the fields of the application's logon or password change window.
See Windows Form Wizard for details of the procedure for configuring Windows applications.
Credential Fields: Displays the fields of the currently selected application window. Click the headers (Class, ID or Text) to sort the list. Right-click a field in the list to display a shortcut menu of field types and the submit control:
- UserID
- Password
- Third Field
- Fourth Field
- OK (submit control)
Refresh: Updates the field list.
Use "Send Keys" for this form, do not use Control IDs: Indicates that the Agent should transmit logon data to this form as a series of keystrokes, rather than by addressing individual fields by Control ID. See SendKeys for more information.
Detect Fields: Scans the field list and attempts to match the fields with field types. Note that although Detect Fields is usually accurate with typical applications, the fields should be checked for proper field types.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.

Summary
Displays the results of the Wizard. Do one of the following:
- Click Finish to save your settings and close the Wizard.
or
- Click Back to return to a previous page and modify your settings.

General tab (for configuring a Windows logon form)
Use the General (Windows) tab to modify program and window information about a Windows application logon configuration.
- You can configure a logon manually by adding, editing or deleting entries in the AppPathKeys and Window Titles list, or
- You can use the Windows Form Wizard to define windows, titles and fields by pointing and clicking.
To display this tab, do one of the following:
- Create a new Windows application logon.
or
1. In the left pane, click Applications and select a Windows application.
2. Click the General tab in the right pane.
3. Select a logon form from the list and click Edit.
The Windows form-configuration dialog appears, displaying the General tab.

Select Window Title
Use the Select Window dialog to choose the title of an application's logon or password change window.
- Select the logon or password change window and click OK.

Fields tab (for configuring a Windows logon form)
Use the Fields (Windows) tab to define how the Agent interacts with the fields of the logon form. You can identify one of the following for the currently selected application form:
- Up to four logon fields (user ID, password, etc.), using Control IDs.
- A series of keystrokes (with optional timings) that fill in and submit the logon form, using SendKeys.
To display this tab, do one of the following:
- Create a new Windows application logon.
or
1. In the left pane, click Applications and select a Windows application.
2. Click the General tab in the right pane.
3. Select a logon form from the list and click Edit.
The Windows form-configuration dialog appears, displaying the General tab. Click the Fields tab.

ControlID
Use the Control ID dialog box to identify the fields and the submit button of a logon form in order to configure TAM E-SSO's response.

SendKeys (for a Windows application logon)
Use the SendKeys dialog box to specify a series of keystrokes that TAM E-SSO should transfer to the logon form.
Use the SendKeys option for Windows applications that:
- cannot receive credentials from the Windows message queue or by other techniques the Agent normally uses to send credentials.
- do not use standard Windows controls that have Control IDs.
- dynamically generate controls or do not use Windows controls at all (for example, Flash applications).
The tabs in the right pane of the SendKeys dialog provide the keystroke options. Select or type the options you need on each tab. Click the Insert button to add the key or action to the series.
Your selections appear in the list in the left pane. To change the order of the series, select an item and click the up or down arrows to move it. To delete an item, select it, and click Remove.

Matching tab (for configuring a Windows logon form)
Use the Matching (Windows) tab to map user credentials of the currently selected logon to other logon, password-change or password-confirmation forms (referred to here as target forms) within the same application. The Agent uses the match criteria you supply to distinguish among similar forms that use the same credential data. This lets the Agent apply a single set of user credentials appropriately to these multiple forms. You can also use matching to identify forms that the Agent should ignore.
Do one of the following:
- Click Add to create a new matching criterion.
or
- Select a Match and click Edit.
The Matching dialog box appears.
Note: The easiest and most efficient way to create match criteria is by using the Control Match Wizard. The Wizard lets you specify match criteria by selecting elements from the target form itself. You can also create and modify match criteria manually.
To display this tab, do one of the following:
- Create a new Windows application logon.
or
1. In the left pane, click Applications and select a Windows application.
2. Click the General tab in the right pane.
3. Select a logon form from the list and click Edit.
The Windows form-configuration dialog appears, displaying the General tab. Click the Matching tab.

Matching dialog box
Use this dialog box to create match criteria that the Agent can use to distinguish among similar target forms that use the same credential data. This lets the Agent apply a single set of user credentials appropriately to these multiple forms.
The easiest and most efficient way to create match criteria is by using the Control Match Wizard. The Wizard lets you specify match criteria by selecting elements from the target form itself. You can also create and modify match criteria manually.

Add/Edit Window Title
Use this dialog box to add or modify the text string that the Agent uses to detect specific application
windows (e.g., for logon entry or password change) by their window title.
Collected links
regular expressions
Control Matching:
430/dialog
Use the Control Matching dialog box to specify a match criterion based on the properties of a
target-form control (such as a text caption, or a control style).
Control ID dialog box (Windows Fields tab):
440/dialog
Use the Control ID dialog box to identify the fields and the submit button of a logon form in order to
configure the Agent’s response.
Collected links
Windows Form Wizard
Control Match Wizard:
500/Wizard
Use the Control Match Wizard to define match criteria by choosing from the windows and controls of
the target application. Match criteria lets the Agent identify a target form, such as a password-change
dialog, that is similar to the currently-selected logon. The Agent can then supply data to the matched
target form using the same credentials as the original logon. You can also use match criteria to specify
target forms similar to the current logon that the Agent should ignore.
Ignore:
Ignore App Window:
505/wizard
Use this Wizard page to choose the application window that the Agent should recognize.
1. Select the application window that the Agent should ignore from the Window List.
2. Click Next to display the Match Fields page.
Ignore Match Fields:
510/wizard
Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify
the application window that the Agent should recognize. You can identify a match field by its Class (the
type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number),
or its Text.
1. In the field list, right-click a field and select the match criteria.
2. Click Next to display the Summary page.
Logon:
Logon App Window:
515/wizard
Use this Wizard page to choose the application window that the Agent should recognize.
1. Select the application window that the Agent should recognize as a logon form from the Window
List.
2. Click Next to display the Match Fields page.
Window List: Displays the windows of currently running applications. Click the column heads to sort the list.
Show hidden window: Select to include hidden windows in the Window List.
Refresh: Updates the list.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.
Logon Match Fields:
520/wizard
Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify
the application window that the Agent should recognize. You can identify a match field by its Class (the
type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number),
or its Text.
1. In the field list, right-click a field and select the match criteria.
2. Click Next to display the Credentials page.
Logon Credential:
525/wizard
Use this Wizard page to identify the field in which the Agent should supply credential data.
1. In the field list, right-click a field and select the credentials.
2. Click Next to display the Summary page.
Credential Fields: Displays the fields of the currently selected application window. Click the headers (Class, ID, Text or Style) to sort the list. Right-click a field in the list to display a shortcut menu of field types:
• None (deselect field)
• UserID
• Password
• Third Field
• Fourth Field
Refresh: Updates the list.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.
Password Change:
Password Change App Window:
530/wizard
Use this Wizard page to choose the application window that the Agent should recognize.
1. Select the application window that the Agent should recognize as a password-change form from the
Window List.
2. Click Next to display the Match Fields page.
Window List: Displays the windows of currently running applications. Click the column heads to sort the list.
Show hidden window: Select to include hidden windows in the Window List.
Refresh: Updates the list.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.
Password Change Match Fields:
535/wizard
Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify
the application window that the Agent should recognize. You can identify a match field by its Class (the
type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number),
or its Text.
1. In the field list, right-click a field and select the match criteria.
2. Click Next to display the Credentials page.
Password Change Credential:
540/wizard
Use this Wizard page to identify the field in which the Agent should supply credential data.
1. In the field list, right-click a field and select the credentials.
2. Click Next to display the Summary page.
Password Confirm:
Password Confirm App Window:
545/wizard
Use this Wizard page to choose the application window that the Agent should recognize.
1. Select the application window that the Agent should recognize as a password-confirmation form
from the Window List.
2. Click Next to display the Match Fields page.
Window List: Displays the windows of currently running applications. Click the column heads to sort the list.
Show hidden window: Select to include hidden windows in the Window List.
Refresh: Updates the list.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.
Password Confirm Match Fields:
550/wizard
Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify
the application window that the Agent should recognize. You can identify a match field by its Class (the
type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number),
or its Text.
1. In the field list, right-click a field and select the match criteria.
2. Click Next to display the Credentials page.
Match Fields: Displays the fields of the currently selected application window. Click the headers (Class, ID, Text or Style) to sort the list. Right-click a field in the list to display a shortcut menu of match criteria:
• None (deselect field)
• Class
• Style
• Text
Refresh: Updates the list.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.
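The following is an added illustration of how Class, Style and Text match fields separate similar windows, covering both the Control Match Wizard overview and the Match Fields pages above. It is not TAM E-SSO code: the windows, control style numbers and the rule that a window matches a form when every match field is satisfied by at least one of its controls are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    cls: str     # Class: the control type, e.g. "Edit", "Static", "Button"
    style: int   # Style: the aggregate of the control's properties, as a number
    text: str    # Text: the control's caption or contents


@dataclass(frozen=True)
class Window:
    title: str
    controls: Tuple[Control, ...]


# A match field is one criterion (Class, Style or Text) plus the value a
# control must have. Assumed rule: a window matches a form when every match
# field is satisfied by at least one of its controls.
MatchField = Tuple[str, object]


def control_satisfies(ctrl: Control, criterion: str, value) -> bool:
    if criterion == "Class":
        return ctrl.cls == value
    if criterion == "Style":
        return ctrl.style == value
    if criterion == "Text":
        return ctrl.text == value
    raise ValueError(f"unknown criterion {criterion!r}")


def window_matches(window: Window, match_fields: List[MatchField]) -> bool:
    return all(any(control_satisfies(c, crit, val) for c in window.controls)
               for crit, val in match_fields)


def classify(window: Window, forms: Dict[str, List[MatchField]]) -> Optional[str]:
    """Return the form type the window is recognised as, "ignored", or None.

    Ignore criteria are checked first. More than one remaining hit is reported
    as ambiguous, which is the signal to tighten the match fields."""
    if "Ignore" in forms and window_matches(window, forms["Ignore"]):
        return "ignored"
    hits = [name for name, fields in forms.items()
            if name != "Ignore" and window_matches(window, fields)]
    if not hits:
        return None
    if len(hits) > 1:
        return "ambiguous: " + ", ".join(hits)
    return hits[0]


# Constructed windows of a fictional client; the style numbers are made up.
ES_PASSWORD = 0x500100A0   # assumed style of a password-style Edit control
ES_PLAIN = 0x50010080      # assumed style of an ordinary Edit control
LOGON_WINDOW = Window("Acme Client", (
    Control("Static", 0x50020000, "User name:"),
    Control("Edit", ES_PLAIN, ""),
    Control("Static", 0x50020000, "Password:"),
    Control("Edit", ES_PASSWORD, ""),
    Control("Button", 0x50010001, "OK"),
))
CHANGE_WINDOW = Window("Acme Client", (
    Control("Static", 0x50020000, "Old password:"),
    Control("Edit", ES_PASSWORD, ""),
    Control("Static", 0x50020000, "New password:"),
    Control("Edit", ES_PASSWORD, ""),
    Control("Static", 0x50020000, "Confirm:"),
    Control("Edit", ES_PASSWORD, ""),
    Control("Button", 0x50010001, "OK"),
))
ABOUT_WINDOW = Window("Acme Client", (
    Control("Static", 0x50020000, "Version 1.0"),
    Control("Edit", ES_PLAIN, "License key"),
    Control("Button", 0x50010001, "OK"),
))

# Criteria that only look at Class: every one of these dialogs has an Edit
# and a Button, so the Agent could not tell them apart.
CLASS_ONLY_FORMS = {
    "Logon": [("Class", "Edit"), ("Class", "Button")],
    "Password Change": [("Class", "Edit"), ("Class", "Button")],
}
# Criteria that add Text and Style identify each form uniquely and single out
# the About box for the Agent to ignore.
FORMS = {
    "Ignore": [("Text", "Version 1.0")],
    "Logon": [("Text", "Password:"), ("Style", ES_PASSWORD)],
    "Password Change": [("Text", "New password:"), ("Text", "Confirm:")],
}

if __name__ == "__main__":
    for w in (LOGON_WINDOW, CHANGE_WINDOW, ABOUT_WINDOW):
        print(w.controls[0].text, "->", classify(w, CLASS_ONLY_FORMS),
              "|", classify(w, FORMS))
```

Running the block prints "ambiguous" for all three windows under the class-only criteria and the intended Logon, Password Change and ignored results under the combined criteria, which is why the Wizard pages ask for a set of fields that uniquely identify the window rather than a single control type.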
Password Confirm Credential:
555/wizard
Use this Wizard page to identify the field in which the Agent should supply credential data.
1. In the field list, right-click a field and select the credentials.
2. Click Next to display the Summary page.
Credential Fields: Displays the fields of the currently selected application window. Click the headers (Class, ID, Text or Style) to sort the list. Right-click a field in the list to display a shortcut menu of field types:
• None (deselect field)
• UserID
• Old Password
• New Password
• Confirm Password
Refresh: Updates the list.
Back: Go back to the previous Wizard page.
Next: Go forward to the next Wizard page.
Miscellaneous tab (for configuring a Windows logon form)
600/tab property sheet
Use the Miscellaneous (Windows) tab to refine properties of the currently-selected application logon
form for special configurations.
To display this tab, do one of the following:
• Create a new Windows application logon.
or
1. In the left pane, click Applications and select a Windows application.
2. Click the General tab in the right pane.
3. Select a logon form from the list and click Edit.
The Windows form-configuration dialog appears, displaying the General tab. Click the Miscellaneous tab.
New Web application
700/dialog
720
The Web Form Wizard lets you browse the Web application itself to capture the identifiers for its logon/password-change windows, the individual fields, and the submit (OK) button. To display the Web Form Wizard:
• Create a new Web application.
• In the New Web Application configuration dialog, click Wizard. The Web Form Wizard appears.
General tab (for configuring a Web logon form)
710
Use the General (Web) dialog to modify program and window information for a Web application logon
configuration.
• You can configure a logon manually by adding, editing or deleting entries in the URL and Fields list, or
• You can use the Web Form Wizard to define URLs, forms and fields by pointing and clicking.
To display this tab, do one of the following:
• Create a new Web application logon.
or
1. In the left pane, click Applications and select a Web application.
2. Click the General tab in the right pane.
3. Select a form from the list and click Edit.
The Web form-configuration dialog appears, displaying the General tab.
Matching tab (for configuring a Web application)
750
Use the Web Matching tab to distinguish among logon, password-change or password-confirmation
forms (referred to here as target forms) within the same Web application, typically a multi-form portal
page. The Agent uses the matching criteria you supply here to distinguish among similar forms.
This tab is typically used to refine the detection match criteria: the set of HTML tags and values you use
to identify a specific page. You can then create an offset match that uses a subset of the detection match
to identify the desired logon or password-change form on the page.
To display this tab:
• Create a new Web application logon.
or
1. In the left pane, click Applications and select a Web application.
2. Click the General tab in the right pane.
3. Select a form from the list and click Edit.
The Web form-configuration dialog appears, displaying the General tab. Click the Matching tab.
Edit Match (for a Web Form):
760
Use this dialog box to create or modify matching criteria for the selected Web form.
Tag: Type an HTML tag type; for example, "<TD>" for a table cell.
Match Tag Instance: Select to match a specific instance of the Tag and select the instance number; for example, 3 for the third table cell on the page.
Criteria: Select one criterion type:
• Text: the plain-text (InnerText) content of the tag element (for example, "Enter your password").
• HTML: the rich-text (InnerHTML) content of the tag element (for example, "<b>Enter your password</b>").
• Property: an HTML attribute of the tag element (for example, "id=password").
Value: Type the text of the Criteria to match.
Match Whole Value: Select to enforce strict matching of Value (that is, any additional text in the tag element will cause the match to fail).
Operation: Select the relationship of this match to any others:
And: This match is one of multiple matches that identify the form.
Or: This match alone identifies the form.
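As an added example of how the Edit Match settings combine (not code from the product), the block below indexes a constructed portal page with the standard-library HTML parser and evaluates match rules built from the same fields: Tag, Match Tag Instance, Criteria (Text/HTML/Property), Value, Match Whole Value and Operation. The reading of And/Or as "all And rules must hold, or any single Or rule suffices" and the page content are assumptions of the example.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


@dataclass
class Element:
    tag: str                 # lower-cased tag name
    attrs: Dict[str, str]    # HTML attributes (Property criteria look here)
    instance: int            # 1-based ordinal among elements with this tag
    inner_html: str = ""     # HTML criteria compare against this
    inner_text: str = ""     # Text criteria compare against this


class PageIndex(HTMLParser):
    """Collects every element with its InnerText and InnerHTML, in document order."""

    def __init__(self, html: str):
        super().__init__()
        self._src = html
        self._line_starts = [0] + [m.end() for m in re.finditer("\n", html)]
        self._stack: List[tuple] = []       # (Element, offset where its content starts)
        self._counts: Dict[str, int] = {}
        self.elements: List[Element] = []
        self.feed(html)
        self.close()

    def _abs(self) -> int:                  # absolute offset of the current tag
        line, col = self.getpos()
        return self._line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        self._counts[tag] = self._counts.get(tag, 0) + 1
        el = Element(tag, {k: (v or "") for k, v in attrs}, self._counts[tag])
        self.elements.append(el)
        if tag in VOID_TAGS:                # e.g. <input>: no content, no end tag
            return
        self._stack.append((el, self._abs() + len(self.get_starttag_text())))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not any(e.tag == tag for e, _ in self._stack):
            return
        end = self._abs()
        while self._stack:                  # also closes unclosed children
            el, start = self._stack.pop()
            el.inner_html = self._src[start:end]
            if el.tag == tag:
                break

    def handle_data(self, data):
        for el, _ in self._stack:           # text belongs to every open ancestor
            el.inner_text += data


@dataclass(frozen=True)
class MatchRule:
    tag: str                  # Tag, e.g. "TD"
    instance: Optional[int]   # Match Tag Instance (None = any instance)
    criteria: str             # "Text", "HTML" or "Property"
    value: str                # Value
    whole: bool = True        # Match Whole Value
    op: str = "And"           # Operation: "And" or "Or"


def _compare(actual: str, expected: str, whole: bool) -> bool:
    actual, expected = actual.strip(), expected.strip()
    return actual == expected if whole else expected in actual


def element_matches(el: Element, rule: MatchRule) -> bool:
    if el.tag != rule.tag.lower():
        return False
    if rule.instance is not None and el.instance != rule.instance:
        return False
    if rule.criteria == "Text":
        return _compare(el.inner_text, rule.value, rule.whole)
    if rule.criteria == "HTML":
        return _compare(el.inner_html, rule.value, rule.whole)
    if rule.criteria == "Property":         # Value is written "name=value"
        name, _, expected = rule.value.partition("=")
        actual = el.attrs.get(name.strip().lower())
        return actual is not None and _compare(actual, expected, rule.whole)
    raise ValueError(f"unknown criteria type {rule.criteria!r}")


def rule_matches(rule: MatchRule, elements: List[Element]) -> bool:
    return any(element_matches(e, rule) for e in elements)


def form_detected(rules: List[MatchRule], elements: List[Element]) -> bool:
    """Or: one rule identifies the form alone. And: all And rules must hold."""
    if any(rule_matches(r, elements) for r in rules if r.op == "Or"):
        return True
    and_rules = [r for r in rules if r.op == "And"]
    return bool(and_rules) and all(rule_matches(r, elements) for r in and_rules)


# Constructed multi-form portal page: a search form and a logon form.
PORTAL_HTML = """<html><body><table>
<tr><td>Search</td><td><form name="search"><input type="text" name="q"></form></td></tr>
<tr><td><b>Enter your password</b></td><td><form name="login">
<input type="text" name="user"><input type="password" id="password" name="pwd">
<input type="submit" value="Sign in"></form></td></tr>
</table></body></html>"""


def detect_logon(html: str = PORTAL_HTML) -> bool:
    """Two And rules: the caption cell and the password field must both be present."""
    rules = [MatchRule("TD", None, "Text", "Enter your password", True, "And"),
             MatchRule("INPUT", None, "Property", "id =password", True, "And")]
    return form_detected(rules, PageIndex(html).elements)
```

With Match Whole Value set, the Text rule "Enter your" fails against the cell "Enter your password"; cleared, it succeeds as a substring match. A rule with Match Tag Instance 3 finds the caption in the third table cell, while instance 1 (the "Search" cell) does not.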
Add/Edit URL:
730/prompt
Use this prompt to specify the URL (or Uniform Resource Locator, commonly called a Web address) of the
logon or password-change form to configure.
• Type the Web address, then click OK.
Web Field:
740/dialog
Use this dialog box to specify a credential field or submit button on a Web form.
Function: Select a credential type:
• UserID
• Password
• Third Field
• Fourth Field
• New Password
• Confirm New Password
• Submit
Frame: Type the target name of the browser frame in which the field appears (specified by the NAME attribute in a <frame> element in the target page's parent frameset).
Form: Type the name of the form in which the field appears (specified by the NAME attribute in the <form> element in the target page).
Field Name: Type the field name (the NAME attribute of the field's <input> element).
Field Type: Select the field type (corresponding to the type attribute of the field's <input> element) or a hyperlink anchor tag (<A HREF=...>) used as a "submit" button.

Credential Type                                        <INPUT TYPE=...> Options
UserID, Password, Third Field, Fourth Field,           Text, Password, Select-One, Select-Multiple
New Password, Confirm New Password
Submit                                                 Submit, Image, Button, Anchor (<A HREF...> tag)
New Host/Mainframe application
800/dialog
Use this dialog box to configure a new logon for a host/mainframe application.
See Adding Mainframe Applications for the full procedure.
Host/Mainframe Form Wizard
855
Use the Host/Mainframe Form Wizard to perform any of these tasks:
• configure new logons for a host/mainframe emulator or Telnet (scrolling-screen) applications
• add new forms to existing logons
• create forms for automatic password changes
The Host/Mainframe Form Wizard lets you use the application itself to identify its logon/password-change windows and the individual username/ID, password, and other fields. The general steps for creating a logon are as follows:
1. Start the target emulator or Telnet application.
2. Select the Form Type and Screen Type.
3. Copy the text of the application's logon/password-change screen and paste it to the Console.
4. Indicate the text and position of onscreen captions that identify the screen as a logon/password-change form.
5. Indicate the position (or, for Telnet applications, the sequence) of the individual username/ID, password, and other fields.
6. Review the configuration and make changes as needed, using the Back and Next buttons.
To modify a host/mainframe logon’s settings manually, use the General tab (for configuring a
host/mainframe logon form).
Before you begin this procedure, refer to the General Guidelines for configuring applications. Also see
Adding Host/Mainframe Applications for specific information about creating and configuring
host/mainframe logons.
General tab (for configuring a host/mainframe logon form)
810/tab list
Use this dialog to modify information about a Host/Mainframe application logon form.
Note: See Adding Telnet Applications for information about configuring logons for Telnet applications.
To display this tab, do one of the following:
• Create a new host/mainframe application logon.
or
1. In the left pane, click Applications and select a host/mainframe application.
2. Click the General tab in the right pane.
3. Select a logon form from the list and click Edit.
The Host/Mainframe form-configuration dialog appears, displaying the General tab.
Text Matching (on a host/mainframe logon form):
820/dialog
Use the Text Matching dialog box to specify the text and position of an onscreen caption that identifies
the screen as a logon/password-change form.
You must also specify the location (row and column number) of the first character of the text. Use the
cursor-position indicator in the status bar at the bottom of the session window to find the row and
column numbers of the text.
Note: For Telnet applications, use row coordinates relative to the cursor position. See Adding Telnet
Applications for an example. You can also use an asterisk for wildcard matching of a row, column or
both.
When you have completed your entries for a match, click OK.
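The following added example (not TAM E-SSO code) shows what a text match of this kind amounts to once the screen text has been pasted in: a caption is recognised when the configured text starts at the given 1-based row and column, an asterisk wildcards the row, the column or both, and for a Telnet session the row is taken relative to the cursor row. Both screens and all coordinates are constructed for the example.

```python
from typing import List, Optional, Tuple, Union

Coord = Union[int, str]   # a 1-based row/column number, or "*" for a wildcard
Caption = Tuple[str, Coord, Coord]   # (text, row, column) as entered in Text Matching


def caption_at(screen: List[str], text: str, row: Coord, col: Coord,
               cursor_row: Optional[int] = None) -> bool:
    """True if `text` starts at (row, col) on the pasted screen.

    Rows and columns are 1-based, as shown by the emulator's cursor-position
    indicator. "*" matches any row, any column, or both. When cursor_row is
    given (Telnet / scrolling-screen applications), `row` is an offset relative
    to the cursor row instead of an absolute row number.
    """
    if row == "*":
        rows = range(1, len(screen) + 1)
    else:
        rows = [cursor_row + row if cursor_row is not None else row]
    for r in rows:
        if not 1 <= r <= len(screen):          # off-screen row: no match
            continue
        line = screen[r - 1]
        if col == "*":
            if text in line:
                return True
        elif col >= 1 and line.startswith(text, col - 1):
            return True
    return False


def screen_matches(screen: List[str], captions: List[Caption],
                   cursor_row: Optional[int] = None) -> bool:
    """All configured captions must be present for the screen to be recognised."""
    return all(caption_at(screen, t, r, c, cursor_row) for t, r, c in captions)


# Constructed fixed-screen sign-on panel (row 1 starts at column 22).
SIGNON_SCREEN = [
    " " * 21 + "ACME CICS SIGNON",
    "",
    "   Userid   ===>",
    "   Password ===>",
    "   Enter USERID and PASSWORD, then press ENTER",
]
SIGNON_CAPTIONS: List[Caption] = [("ACME CICS SIGNON", 1, 22), ("Password ===>", 4, 4)]

# Constructed scrolling Telnet session; the cursor sits on the prompt in row 5,
# so rows in the captions are offsets from that row.
TELNET_SCREEN = [
    "Trying 10.0.0.5...",
    "Connected to acme-unix.",
    "Escape character is '^]'.",
    "",
    "acme-unix login: ",
]
TELNET_CURSOR_ROW = 5
TELNET_CAPTIONS: List[Caption] = [("login:", 0, 11), ("Connected to", -3, 1)]


def recognise_signon() -> bool:
    return screen_matches(SIGNON_SCREEN, SIGNON_CAPTIONS)


def recognise_telnet() -> bool:
    return screen_matches(TELNET_SCREEN, TELNET_CAPTIONS, TELNET_CURSOR_ROW)


if __name__ == "__main__":
    print("sign-on panel recognised:", recognise_signon())
    print("telnet prompt recognised:", recognise_telnet())
    print("wildcard row/col:", caption_at(SIGNON_SCREEN, "USERID", "*", "*"))
```

Position matters: "Password ===>" is found at row 4, column 4 but not at row 3, column 4, and the Telnet caption at offset 0 is only found when the cursor row is supplied, which is why the Note above asks for cursor-relative rows on scrolling screens.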
Edit Fields/Actions (for a Host Mainframe application logon):
850/dialog
Use the Edit Fields/Actions dialog box to specify a series of keystrokes that TAM E-SSO should transfer
to the host application’s logon form.
The tabs in the right pane of the Edit Fields/Actions dialog provide the keystroke options. Select or type
the options you need on each tab. Click the Insert button to add the key or action to the series.
Your selections appear in the list in the left pane. To change the order of the series, select an item and
click the up or down arrows to move it. To modify an item, select it and click Edit to display the Fields
dialog. To delete an item, select it and click Delete.
Options tab (for configuring a host/mainframe logon form)
840/tab property sheet
Use the Host/Mainframe Options tab to set emulator options for a host/mainframe logon.
To display this tab, do one of the following:
• Create a new host/mainframe application logon.
or
1. In the left pane, click Applications and select a host/mainframe application.
2. Click the General tab in the right pane.
3. Select a logon form from the list and click Edit.
The Host/Mainframe form-configuration dialog appears, displaying the General tab. Click the Options tab.
Bulk Add tab
910/tab list
See First Time Use (Bulk-Add) for more information.
Selected application
1000
Represents a configured application. You can use the tabs in the right pane to view or modify this logon’s
properties.
General tab (for a selected Application)
1010
Use the General tab to add or modify form or field configuration for the selected application.
Description: Type an optional text comment to appear in the Description field of the Agent Logon Manager.
Add: Add a new form for the selected application. The corresponding configuration dialog for the selected application type appears.
Edit: Modify an existing logon form. Select a form from the Forms window, then click Edit. The corresponding configuration dialog for the selected application type appears.
Delete: Remove a form. Select a form from the Forms window, then click Delete. If only one form is listed, deleting it will remove the application entirely.
Add [Edit] Notes: Type or modify optional comments or documentation.
To display this tab:
1. Do one of the following:
• Select an application
or
• Configure a new application.
2. Click the General tab in the right pane.
Password Change (for a selected logon)
1020
Use the Password Change tab to set or modify options that control how the Agent manages password
changes.
Authentication tab (for selected application)
Note: This tab only appears if you have TAM E-SSO: Authentication Adapter installed. TAM E-SSO:
Authentication Adapter is an add-on module to TAM E-SSO available separately from IBM.
Use this tab to set the minimum authentication grade for the selected application. The Primary Logon
Method used must have an Authentication Grade equal to or higher than this value in order for TAM
E-SSO to log on to the selected application.
If the end user's Primary Logon Method has an authentication grade lower than the minimum set for this
application, a message appears when the application is requested, asking the user to authenticate at a
higher grade; the user gains access only if that authentication succeeds.
To set the authenticator grade for primary logon methods, use the Authenticator Grade setting.
Minimum Authentication Grade: Select or type the numeric value of the lowest Authentication Grade the end user's Primary Logon Method must have. The default is 1.
To display this tab:
1. Do one of the following:
• Select an application
or
• Configure a new application.
2. Click the Authentication tab in the right pane.
Error Loop (for a selected logon)
1030/tab property sheet
Use the Error Loop tab (under a selected application) to control the appearance and behavior of the
Logon Error (Error Loop) dialog for individual applications.
• To set Error Loop globally, for all applications, use the Error Loop global agent settings (see Error Loop (End-User Experience - Response)).
• To set Error Loop by application type, use the Error Loop global agent settings for each type (Windows, Web, Host/Mainframe).
Note: These application-specific Error Loop settings override the global Agent and application-type
settings, except where the Mask Password setting (in any scope) is set to Yes.
See Settings Controlling Repeated Logon Attempts for more information.
Miscellaneous tab (for a selected application)
1040/tab property sheet
Use this tab for special configurations of the currently-selected application.
Miscellaneous Settings
Allow Reveal Password: Select to enable the Reveal button for passwords in Wizards and property pages.
Force Reauthentication: Select to require the user to reauthenticate before providing credentials to this application.
Auto Submit: Select to have the Agent automatically select OK for this application logon after providing credentials.
Service Logon: Select to let the Agent detect an application that runs as a Windows service (that is, in the System space, rather than the User space).
ConfigName: Click Choose to select the window and control that contain the text to use to create the new logon's initial configuration name (Windows applications only).
UserID Field Label: Type a text label to be used by the Agent for the username/ID field.
Password Field Label: Type a text label to be used by the Agent for the password field.
Third Field Label: Type a text label to be used by the Agent when displaying a third logon field.
Fourth Field Label: Type a text label to be used by the Agent when displaying a fourth logon field.
File extension for Icon: Type a Windows file extension associated with a logon; this lets the Agent map an icon to the configuration.
Add Logon Event (Run this command when a logon for this application is added): This setting allows you to define a process (i.e., exe, web, script, etc.) to be run immediately after the Add Logon Wizard is completed for an application. For example, this setting could be used to launch a password change application right after credentials are entered into TAM E-SSO, thus allowing TAM E-SSO to immediately change the application password. Click the Browse button to locate a command to be entered.
To display this tab:
1. Do one of the following:
• Select an application
or
• Configure a new application.
2. Click the Miscellaneous tab in the right pane.
ConfigName:
620/wizard
Use the ConfigName wizard to select a logon window’s text control to use as the initial name of the
application logon. You can use this feature to name a logon (when it is added to the Agent) with a
variable text item (such as an account name) that appears on the logon window.
1. Select the window that contains the text control you want to use, then click Next.
2. Select the control that contains the text item to use as the logon's initial configuration name. Click Finish.
Bulk Add tab (for a selected application)
1050/tab property sheet
Use this tab for special configurations of the currently-selected application. Also see Bulk-Add tab (general) for more information.
Enable Bulk-Add capability for this application
    Select to enable this application to be included in a bulk-add.
Confirm UserID during Bulk-Add
    Select to require the user to confirm the username in order to perform a bulk-add.
Confirm Password during Bulk-Add
    Select to require the user to confirm the password in order to perform a bulk-add.
Confirm Other Field during Bulk-Add
    Select to require the user to confirm additional field information in order to perform a bulk-add.
To display this tab:
1. Do one of the following:
   • Select an application, or
   • Configure a new application.
2. Click the Bulk Add tab in the right pane.
Security tab (for role/group support)
Use this tab to set the access rights for the currently-selected configuration item. You can assign access rights to these items:
• Application logons (including associated password sharing groups)
• Password generation policies
• Global agent settings
• Passphrase question sets.
Import/Export
Generate MSI
Create a new .MSI file (a Windows Installer package) from an existing MSI package, in order to add configured application logons and/or Agent configuration settings.
Generate MSI is typically used to modify the TAM E-SSO installation package (\Full\setup.msi on the TAM E-SSO distribution disk) to include logons or settings in the initial desktop installation of TAM E-SSO. The MSI file you create can include:
• Selected application logons from an entlist.ini file or from the current Console configuration.
• Agent settings from an Administrative Overrides (.ini) file or from the current Console configuration.
Export to INI file
Export selected applications and all password policies and groups to an entlist.ini file, a store of application logons.
1. Do one of the following:
   • Select applications to export (use Ctrl+click or Shift+click to select multiple entries), then click OK, or
   • Click Export All to export all listed applications.
2. If any applications you have selected are enabled for Bulk-Add, you can select Create First-Time-Use file to generate a bulk-add (ftulist.ini) file.
3. Click OK. The Export EntList file dialog box appears.
   a. Locate and open the folder for the file, name the file, and click Save.
   b. If you chose to create a First-Time Use file, the Export First-Time Use dialog appears. Locate and open the folder for the file (rename the file if desired), and click Save.
To display this dialog:
• Right-click Applications and choose Export from the shortcut menu, or
• Choose Export from the File menu.
Export EntList file
Save an exported application configuration file (entlist.ini) to disk. The Export EntList file dialog displays when you export application logon information using the Export to INI file dialog.
1. Locate and open the folder for the file, name the file, and click Save.
2. If you chose to create a First-Time Use file, the Export First-Time Use dialog appears. Locate and open the folder for the file (rename the file if desired), and click Save.
Export First-Time Use
Save a first-time-use file (ftulist.ini) to disk. The Export First-Time Use dialog appears when you choose to create a First-Time Use file while exporting application logon information to an entlist.ini file.
• Locate and open the folder for the file (rename the file if desired), and click Save.
Import Merge Conflict
The Import/Merge Conflict dialog box appears if the merged file contains items with the same names as those in the current configuration.
• Select the items to import and click OK.
The items you select overwrite the current like-named items.
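As an added example (not TAM E-SSO code), the following Python script reproduces this merge rule on an INI-style logon store: like-named items are reported as conflicts, only the ones the administrator selects are overwritten, and items with new names are always added. The section and key names are constructed for the example; the real entlist.ini layout is not described on this page.

```python
"""Added example (not TAM E-SSO code): merge an imported INI-style logon store
into the current configuration, listing like-named items the way the
Import/Merge Conflict dialog does and overwriting only the ones selected.
Section names and keys are constructed; the real entlist.ini layout is not
described on this page."""
import configparser

# Constructed "current configuration" (what the Console already holds)
CURRENT_CFG = """\
[Payroll Web]
type = web
url = https://payroll.example.internal/login

[Mainframe Host]
type = host
"""

# Constructed file being imported; "Payroll Web" collides with an existing item
IMPORTED_CFG = """\
[Payroll Web]
type = web
url = https://payroll-new.example.internal/login

[HR Portal]
type = web
url = https://hr.example.internal/
"""


def load_items(text: str) -> dict:
    """Parse an INI text into {item_name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_conflicts(current: dict, imported: dict) -> list:
    """Like-named items: these are what the Import/Merge Conflict dialog asks about."""
    return sorted(name for name in imported if name in current)


def merge(current: dict, imported: dict, overwrite: set) -> dict:
    """Add new items; replace a conflicting item only if its name is in `overwrite`."""
    result = {name: dict(item) for name, item in current.items()}
    for name, item in imported.items():
        if name not in current or name in overwrite:
            result[name] = dict(item)
    return result


if __name__ == "__main__":
    current, imported = load_items(CURRENT_CFG), load_items(IMPORTED_CFG)
    print("conflicts:", find_conflicts(current, imported))
    print(sorted(merge(current, imported, overwrite={"Payroll Web"})))
```

Reviewing the output of find_conflicts() before importing is the same check the dialog asks you to make: an overwritten logon silently replaces the current one, so a stale or wrong URL in the imported file would otherwise take effect on every desktop that receives the configuration.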
Manage Templates
Use this dialog to create, modify, and remove templates for application logons.
Do one of the following:
Override Settings tab (Edit Template dialog box)
Use this tab to select the settings that the template updates in all logons that are based on it. You can choose global overrides that apply to all of the forms in the application logon configuration, and you can also select specific overrides for individual forms.
The left pane displays the hierarchy of the application and its component forms:
• The global override Settings for applications correspond to the general configuration settings for each application type.
• The form-specific Settings correspond to the configuration controls for individual logons.
Both Setting types are listed in the right pane with a Category that corresponds to the application-configuration dialog in which you make the setting. Refer to the dialog or tab for information on each setting.
Applications: General, Error Loop, Password Change, Miscellaneous
Windows forms: General, Fields, Matching, Miscellaneous
Web forms: General, Matching
Mainframe/Host forms: General, Options
To display this tab:
1. Choose Manage Templates from the Tools menu.
2. Do one of the following:
   • Add a new template, or
   • Select an existing template and click Edit.
3. In the Edit Template dialog box, click the Override Settings tab.
Supply Info tab (Edit Template dialog box)
Use this tab to specify what information an Administrator must provide in order to complete an application logon based on this template.
You can choose all items or choose individual items by selecting checkboxes.
Update Applications (from template)
Use this dialog box to update application logons based on a template that has been modified since the logons were created. Only logons whose templates have been modified appear in the list.
Select the applications to update (use Shift+click or Ctrl+click for multiple applications), then click Update.
Kiosk Adapter
Applications to Leave Running on Session End
Note: This topic applies to TAM E-SSO: Kiosk Adapter only.
Use this dialog to define a list of applications that can be left running when a session ends. A default set of process names is also available to be added to this list.
Applications to Leave Running on Session End - Advanced
Note: This topic applies to TAM E-SSO: Kiosk Adapter only.
Use this dialog to create an advanced list of applications that can be left running on session end.
Applications to Close on Session End
Note: This topic applies to TAM E-SSO: Kiosk Adapter only.
Use this dialog to create a list of applications to be closed by TAM E-SSO: Kiosk Adapter on session end.
Applications to Close on Session End - Advanced
Note: This topic applies to TAM E-SSO: Kiosk Adapter only.
Use this dialog to create a list of advanced applications to be closed by TAM E-SSO: Authentication
Adapter on session end.
Note: If an application is added to the Applications to Close on Session End list, and is also added to the
Advanced list, the Advanced List takes priority.
Provisioning Adapter
Provisioning Adapter (for role/group support)
Use this node to manage provisioning rights for users. There are two tabs to set the rights:
• Default Rights
• Delete SSO User Right
Default Rights
Use this tab to define the provisioning rights for each new application created. This feature sets standard
rights for each application created. Once each application is created, change the rights as needed.
Add User or Group Dialog Box
The Select User or Group dialog varies based on the directory server being used:
• LDAP
• Active Directory/ADAM
LDAP
Use this dialog to select the individual users or user groups that are to be added to the access list for the
current configuration item (Add Logon, Modify Logon, or Delete Logon).
Delete SSO User Right
Use this tab to define the users to grant the Delete SSO User functionality to in the TAM E-SSO:
Provisioning Adapter Administrative Console.
The controls function the same as on the Default Rights tab.
Password Generation Policy
Displays the currently available password generation policies and provides access to policy settings. Click
Password Generation Policy in the left pane to display the current password policies in the right pane.
See Setting Password Policies for more information.
Add Password Policy
Use this dialog to add and name a new password generation policy.
• Type a Policy Name and click OK.
To display this dialog:
• Right-click Password Generation Policy and choose New Policy from the shortcut menu, or
• Choose Password Generation Policy from the Insert menu.
Selected Password Policy
Represents a configured password generation policy. You can use the tabs in the right pane to view or
modify this policy’s properties and add or remove applications that use this policy.
See Setting Password Policies for more information.
Policy Subscribers tab
Use the Policy Subscribers tab to add or manage the applications that use the selected password
generation policy.
See Setting Password Policies for more information.
Password Constraints tab
Use the Password Constraints tab to set or modify the allowed type, number, position, and repetition of characters in passwords. These constraints apply to new passwords that TAM E-SSO automatically generates for applications that subscribe to the selected policy.
To view a set of test passwords based on the password constraints for this policy, click the Test Policy button.
See Setting Password Policies for more information.
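The following Python script is an added example, not TAM E-SSO code or its policy engine: it shows what the four kinds of constraint on this tab amount to in practice. A policy object limits character type, count, first-character position and repetition; a generator draws candidates from the operating system's CSPRNG and keeps the first one that satisfies every constraint; and a helper plays the role of the Test Policy button by producing sample passwords and re-checking them. The field names, defaults and the rejection-sampling approach are assumptions made for illustration.

```python
"""Added example (not TAM E-SSO code): a password generation policy that
constrains the type, number, position and repetition of characters, with a
'Test Policy' helper. Field names, defaults and the rejection-sampling
generator are assumptions made for this illustration."""
import secrets
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 16
    # Minimum number of characters required from each class (assumed fields)
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^&*"
    # Position constraint: the first character must be a letter
    first_must_be_letter: bool = True
    # Repetition constraint: longest allowed run of the same character
    max_repeat_run: int = 2

    def classes(self) -> dict:
        return {
            "upper": (string.ascii_uppercase, self.min_upper),
            "lower": (string.ascii_lowercase, self.min_lower),
            "digit": (string.digits, self.min_digits),
            "special": (self.special_chars, self.min_special),
        }

    def alphabet(self) -> str:
        return "".join(chars for chars, _ in self.classes().values())

    def violations(self, pw: str) -> list:
        """Return the names of every constraint the password breaks (empty = compliant)."""
        errs = []
        if not self.min_length <= len(pw) <= self.max_length:
            errs.append("length")
        for name, (chars, need) in self.classes().items():
            if sum(c in chars for c in pw) < need:
                errs.append(f"min_{name}")
        if any(c not in self.alphabet() for c in pw):
            errs.append("disallowed_char")
        if self.first_must_be_letter and not pw[:1].isalpha():
            errs.append("first_not_letter")
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            run = run + 1 if prev == cur else 1
            if run > self.max_repeat_run:
                errs.append("repeat_run")
                break
        return errs

    def generate(self) -> str:
        """Draw passwords with a CSPRNG until one satisfies every constraint."""
        rng = secrets.SystemRandom()
        if sum(need for _, need in self.classes().values()) > self.min_length:
            raise ValueError("per-class minimums exceed the minimum length")
        alphabet = self.alphabet()
        while True:
            length = rng.randint(self.min_length, self.max_length)
            # Required characters for each class first, then fill from the whole alphabet
            required = [secrets.choice(chars)
                        for chars, need in self.classes().values() for _ in range(need)]
            pool = required + [secrets.choice(alphabet) for _ in range(length - len(required))]
            rng.shuffle(pool)  # so required characters do not sit at fixed positions
            candidate = "".join(pool)
            if not self.violations(candidate):
                return candidate


def sample_passwords(policy: PasswordPolicy, count: int = 5) -> list:
    """Like a Test Policy button: sample passwords, each re-checked against the policy."""
    samples = [policy.generate() for _ in range(count)]
    bad = [s for s in samples if policy.violations(s)]
    if bad:
        raise AssertionError(f"generator produced non-compliant passwords: {bad}")
    return samples


if __name__ == "__main__":
    for sample in sample_passwords(PasswordPolicy()):
        print(sample)
```

Drawing the required characters explicitly and then validating the shuffled result avoids pinning character classes to fixed positions, which would shrink the effective search space for an attacker who knows the policy; with the defaults shown, rejection is rare, so the loop terminates quickly. A policy whose per-class minimums exceed min_length is rejected before generation starts rather than looping forever.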
Password Sharing Groups
Displays the currently available password sharing groups and provides access to group settings.
See Creating password sharing groups for more information.
Add Sharing Group
Use this dialog to add and name a new password sharing group.
• Type a Group Name and click OK.
To display this dialog:
• Right-click Password Sharing Group and choose New Group from the shortcut menu, or
• Choose Password Sharing Group from the Insert menu.
Domain password group
The predefined password sharing group for the Windows authenticator.
See To add applications to a password group for more information.
To select the Domain password sharing group:
1. Click Password Sharing Groups in the left pane.
2. Select Domain from the list in the right pane, then click Edit.
or
1. In the left pane, click the plus sign (+) next to the Password Sharing Groups icon (or double-click Password Sharing Groups) to display the configured groups.
2. Click Domain.
LDAP Password Group
The predefined password sharing group for the Directory Service authenticator.
See To add applications to a password group for more information.
To select the LDAP password sharing group:
1. Click Password Sharing Groups in the left pane.
2. Select LDAP from the list in the right pane, then click Edit.
or
1. In the left pane, click the plus sign (+) next to the Password Sharing Groups icon (or double-click Password Sharing Groups) to display the configured groups.
2. Click LDAP.
Selected Password Sharing Group
Represents a configured password sharing group. Use the list in the right pane to add or remove
applications from the selected group.
Click Add Notes to type notes.
See Creating password sharing groups for more information.
Global Agent Settings
Displays agent configuration information and provides access to stored sets of Global Agent Settings.
• Click Global Agent Settings in the left pane to display a list of sets of Global Agent Settings in the right pane.
• Right-click Global Agent Settings in the left pane to display a shortcut menu with these options:
  New Settings
      Create a new set of Global Agent Settings. Displays the Add Set of Settings dialog box.
  Import
      Import a set of Global Agent Settings from an external source:
      From File
          Import a set of settings from an administrative override object (INI) file or a registration-entries (REG) file. Navigate to the file and click Open.
      From Live HKLM
          Import the current Agent configuration from the local-machine registry (HKLM) as a set of settings named Live.
Notes:
• If the imported settings have the same name as an existing set in the current configuration, the imported set is named "Copy of existing settings."
• To import Global Agent Settings from an Administrative Overrides object in a synchronizer Repository.
• If this version of the console is installed on a foreign OS (any OS other than English), do not use the New Settings option. Rather, use the Import option. If the New Settings option is used, the path for synchronization extension points to an invalid path, which results in a synchronization failure.
Add Set of Settings
Use this dialog to add and name a new set of Global Agent Settings.
• Type a Set of Settings Name and click OK.
To display this dialog:
• Right-click Global Agent Settings and choose New Settings from the shortcut menu, or
• Choose Global Agent Settings from the Insert menu.
When Administrative Console is used as a snap-in to Microsoft Management Console, point to New on the shortcut menu, then click the item to create.
Selected Set of Global Agent Settings
Represents a stored set of Global Agent Settings: defaults, switches, and other configuration information
that modify the behavior of TAM E-SSO on the desktop. Double-click items in the list in the right pane
to view or modify the individual settings. Click Add Notes to type notes about this set of settings.
End-User Experience
Node path: End-User Experience
The End-User Experience settings control the Agent as a Windows application, including its interactions
with the end-user and with other programs.
Show the Tray Icon
    This setting determines whether to show the TAM E-SSO Tray Icon in the System Tray.
    Options:
    • Do not show
    • Show (default)
    Reg Node: Shell:ShowTrayIcon
Title Bar Button
    This setting determines whether to show the TAM E-SSO Title Bar Button on all window/dialog title bars.
    Options:
    • Do not show (default)
    • Show
    Reg Node: Shell:ShowAccessBtn
Title Bar Button Menu
    This setting determines whether to show the TAM E-SSO Title Bar Button menu from the Title Bar Button.
    Options:
    • Do not show
    • Show (if the Title Bar Button setting is enabled [default])
    Reg Node: Shell:ShowAccessBtnMenu
Tray Icon Tooltip
    Text to provide in the Tray Icon Label. Recommended use: labeling each Citrix MetaFrame Server session (default: "IBM Tivoli Access Manager for Enterprise Single Sign-On").
    Reg Node: Shell:TrayIconName
Tray Icon Tooltip: Show System Name
    Show the computer name after the Tray Icon Name. A string consisting of space-dash-space is inserted before the computer name if either TrayIconName is not set, or if it is set and not empty/null.
    Options:
    • Do not show (default)
    • Show
    Reg Node: Shell:TrayIconDisplaySysName
Tray Icon: Use which icon
    This setting determines whether to show the standard TAM E-SSO icon or the alternate server icon in the system tray.
    Options:
    • Standard (default)
    • Server
Use strict window detection
    Enable this setting to control strict window detection. If this setting is enabled, TAM E-SSO will not respond to hidden and minimized windows.
    Options:
    • No (default)
    • Yes
    Note: This entry is not required.
Advanced (End-User Experience):
Node path: End-User Experience > Advanced
The Advanced End-User Experience settings control the appearance of the Agent when performing a
logon and of the information presented in the Logon Manager and Logon Chooser dialogs.
Logon Manager Refresh button
    Display the Logon Manager Refresh button.
    Options:
    • Disable the Refresh button.
    • Enable the Refresh button (default).
    Reg Node: Extensions\AccessManager:AllowRefresh
Logon Animation’s duration
    Duration (in milliseconds) the animated spinner appears (pausing response). A value of 0 (the default) disables the spinner.
    Reg Node: Shell:AutoLogonAnimationTime
Logon Chooser Columns
    Click ... to display the Edit Columns dialog box to choose the appearance and order of columns in the Agent’s Logon Chooser dialog box. The default is Username/ID, Application Name, Description.
    • Username/ID
    • Application Name
    • Description
    Reg Node: Extensions\AccessManager\LogonChooser:Columns
Logon Manager "Details" Columns
    Click ... to display the Edit Columns dialog box to choose the appearance and order of columns in the Agent’s Logon Manager.
    • Application Name
    • URL/Module
    • Username/ID
    • Password
    • Modified
    • Last Used
    • Description
    • Group
    • Third Field
    • Fourth Field
    The default is all columns, except Third Field and Fourth Field, in the preceding order.
    Reg Node: Extensions\AccessManager\LogonManager:Columns
User can shut down from the System Tray Icon Menu
    When enabled (the default), the end user can shut down the Agent by selecting "Shut Down" from the System Tray Icon Menu. When disabled, this menu item is unavailable (greyed out).
    Options:
    • Do not allow shutdown from menu.
    • Allow shutdown from menu (default).
    Reg Node: Shell:AllowShutdown
Special Tasks (End-User Experience Advanced):
Node path: End-User Experience > Advanced > Special Tasks
The Special Tasks settings control the tasks (lists of commands) that should be executed when specific Agent actions occur. For each set of tasks, select the checkbox and click ... to open the Edit List dialog box. Type one command on each line; end each line by pressing Enter. Do not use any other delimiter characters.
When logons change (add, delete, copy, modify)
    Command(s) that will run every time credentials and user configurations are modified.
    Reg Node: Shell\Tasks:RefreshTask
When logons are deleted
    Command(s) that will run every time a user deletes an application configuration.
    Reg Node: Shell\Tasks:DeletionTask
After Agent starts up
    Command(s) that will run every time the background task starts (the taskbar tray icon).
    Reg Node: Shell\Tasks:StartupTask
Before Agent starts
    Command(s) that will run before any agent process starts. The agent will not continue if any of these tasks fail (as indicated by the resultant registry value located at License:PreCheck).
    Reg Node: Shell\Tasks:PreTask
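Two passages above describe settings that live in the registry: Global Agent Settings can be imported from a REG file, and the Special Tasks values hold commands the Agent runs before and after start-up and whenever logons change or are deleted. The following Python script is an added example, not TAM E-SSO code: it parses a Windows .reg export, resolves the Key\Sub:ValueName reg-node notation used on these pages against it, and lists every configured task command so an administrator can confirm each one is expected before a set of settings is deployed. The registry root path is a placeholder (the product's real root key is not given on this page), the .reg text is constructed, and storing a multi-line command list as REG_MULTI_SZ is an assumption.

```python
"""Added example, not TAM E-SSO code: parse a Windows .reg export of Agent
settings, resolve the page's 'Key\\Sub:ValueName' reg-node notation against it,
and list the Special Tasks command lists so each command can be checked against
what the administrator intended. The registry root below is a placeholder (the
product's real root key is not stated on this page) and the .reg text is
constructed for the example."""
import re

ASSUMED_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleAgent"  # placeholder root

# Constructed .reg export; the multi-string value is "notify.exe" and "sync.exe" in UTF-16LE
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleAgent\Shell]
"ShowTrayIcon"=dword:00000001
"AllowShutdown"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleAgent\Shell\Tasks]
"PreTask"=""
"StartupTask"="C:\\Tools\\healthcheck.exe /quiet"
"RefreshTask"=hex(7):6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,65,00,78,00,65,00,00,00,\
  73,00,79,00,6e,00,63,00,2e,00,65,00,78,00,65,00,00,00,00,00
"""

# Task events documented on this page, keyed by their reg-node notation
TASK_NODES = {
    r"Shell\Tasks:PreTask": "before Agent starts",
    r"Shell\Tasks:StartupTask": "after Agent starts up",
    r"Shell\Tasks:RefreshTask": "when logons change",
    r"Shell\Tasks:DeletionTask": "when logons are deleted",
}


def _decode_value(raw: str):
    """Decode REG_SZ ("..."), REG_DWORD (dword:) and REG_MULTI_SZ (hex(7):) values."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])          # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw                                             # other types left as text


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for a .reg export."""
    # Hex values continued on the next line end with a trailing backslash: join them first
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def get_setting(keys: dict, reg_node: str, root: str = ASSUMED_ROOT):
    """Resolve 'Key\\Sub:ValueName' (an empty key means the root itself) to its value, or None."""
    key, _, value = reg_node.rpartition(":")
    path = root + "\\" + key if key else root
    return keys.get(path, {}).get(value)


def review_tasks(keys: dict, root: str = ASSUMED_ROOT) -> dict:
    """Map each event to the commands configured for it; empty or absent lists are omitted."""
    findings = {}
    for node, event in TASK_NODES.items():
        value = get_setting(keys, node, root)
        if not value:
            continue
        # The Console stores one command per line; a multi-string already is a list
        commands = value if isinstance(value, list) else value.splitlines()
        findings[event] = [c for c in commands if c.strip()]
    return findings


if __name__ == "__main__":
    for event, commands in review_tasks(parse_reg(SAMPLE_REG)).items():
        print(f"{event}: {commands}")
```

Anything listed by review_tasks() is executed by the Agent on every workstation that receives the settings, so this review belongs in the change process for a set of Global Agent Settings: compare the output against the intended commands and against the previous export before importing, and treat an unexpected entry under "before Agent starts" or "after Agent starts up" as a finding to investigate.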
Performance (End-User Experience Advanced):
Node path: End-User Experience > Advanced > Performance
The Advanced Performance settings provide fine-tuning of how and when the Agent stores user credentials and other data. The first three settings apply only if Store user data on disk in encrypted file is set to "Do not store," which affords optimal Agent performance; this setting defaults to "Store user data in disk file" for compatibility with previous versions of TAM E-SSO.
Increase user data storage priority
    Sets processing priority for storing changes to user data (e.g., credentials). Set to "Increase processing priority" only if the workstation’s CPU typically runs at 100% usage.
    Options:
    • Increase processing priority
    • Do not increase processing priority (default).
    Reg Node: Extensions\StorageManager\InMemShr:ThreadPriority
Set delay for updating stored user data (ms)
    Set an interval to wait (in milliseconds) before writing changes in user data (e.g., credentials) to the internal database (default 500 ms).
    Reg Node: Extensions\StorageManager\InMemShr:ThreadDelay
Set delay for first update (after startup) to stored user data (ms)
    Set an interval (in milliseconds) to wait after TAM E-SSO starts up before writing changes in user data (e.g., credentials) to the internal database (default 5000 ms).
    Reg Node: Extensions\StorageManager\InMemShr:IntitialThreadDelay
Store user data on disk in encrypted file
    Store a copy of user data (e.g., credentials) locally in an encrypted database file in each user’s Application Data folder.
    Options:
    • Store user data in a disk file.
    • Do not store user data in disk file (default)
    Reg Node: Extensions\StorageManager\InMemShr:LocalStorage
Environment (End-User Experience):
Node path: End-User Experience > Environment
The End-User Experience Environment settings control important directory paths used by the Agent and
its language support.
Default Backup path
    Default backup path for silent backup. If this is not specified here (and is not specified within the command line), then the default is the user’s application data directory, %AppData%\Passlogix.
    Reg Node: Shell:AutoBackupPath
Location of entlist.ini file
    Fully qualified path and filename of the entlist.ini file. This setting should be set only if synchronization is not used to deploy pre-configured application logons created with the Console. See Configuring Application Logons for more information.
    Reg Node: Extensions\AccessManager:EntList
Language
    Language to be used. Note: Other values may be acceptable based on localized versions. Note: The display font should support the desired characters in the specified language. (default: ENG)
    Options:
    • ENG  English
    Reg Node: :Language
SubLanguage
    Language settings for the language set by Language. Note: Other values may be acceptable based on localized versions. Note: The display font should support the desired characters in the specified language. (default: ENG)
    Options:
    • ENG  Default support
    • DBL  Extended support
    Reg Node: :SubLanguage
Password Change:
Common (End-User Experience - Password Change):
Node path: End-User Experience > Password Change > Common
The Common Password Change setting controls the user interface of the Agent’s Password Change
Wizard.
Default Change Password Wizard behavior Sets the behavior of the Password Change Wizard when
a user encounters a password-change request.
Options:
v Prompt: Prompts user with the Password Change
Wizard (default).
v Manual, offer auto: Prompts user to select a new
password, but also allows the Password Change
Wizard to offer to automatically generate the
password.
v Auto, offer manual: Generates the new password
automatically, but also allows the user to select the
new password.
v Manual only: Prompts user to select a new password,
does not allow Password Change Wizard to
automatically generate the password.
v Auto only: Generates the new password automatically,
does not allow the user to select the new password.
Reg Node: Extensions\AccessManager:CPWFlag
Required (End-User Experience - Password Change):
2508
Node path: End-User Experience > Password Change > Required
The Required Password Change setting controls the sharing of credentials among logons in password
sharing groups. There is one setting that is required for password sharing. See Creating Password Sharing
Groups for more information.
Password Groups Enables password sharing between credentials in a
group.
Notes:
v If you are using the Domain group and the Windows
Authenticator v2 is to be included in the group, then
do not disable Include in ″Domain″ Password
Sharing Group in Primary Logon Methods\Windows
v2\ Advanced.
v If using the LDAP group and the LDAP Authenticator
v2 is to be included in the group, then do not disable
Include in ″LDAP″ Password Sharing group in
Primary Logon Methods\LDAP2\ Advanced.
Options:
v Disable password sharing.
v Enable password sharing.
Reg Node: Extensions\AccessManager:PWSEnable
Change Policies (End-User Experience - Password Change):
2506
Node path: End-User Experience > Password Change > Change Policies
The Password Change Policies settings control the sets of characters that are used to define
password-change policies, and the administrator-defined policy that is used as the default
password-change policy.
Characters: Numeric List of characters allowed as ″Numeric″ characters in
password policies. (default: 1234567890)
Reg Node: Extensions\AccessManager:NumericChars
Characters: Special List of non-alphanumeric (special) characters allowed for
passwords (default: !@#$^&*()_-+=[]\|,?).
Reg Node: Extensions\AccessManager:SpecialChars
Characters: Uppercase List of characters allowed as ″Uppercase Alphabet″
characters in password policies. (default:
ABCDEFGHIJKLMNOPQRSTUVWXYZ)
Reg Node: Extensions\AccessManager:UppercaseAlphabetChars
Characters: Lowercase List of characters allowed as ″Lowercase Alphabet″
characters in password policies. (default:
abcdefghijklmnopqrstuvwxyz)
Reg Node: Extensions\AccessManager:LowercaseAlphabetChars
Default Policy Name of section in entlist.ini that contains the default
password policy. (If no policy is specified in entlist.ini,
the default policy in applist.ini is used.)
Reg Node: Extensions\AccessManager:DefaultPolicy
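The four character classes above are the alphabet that automatic password generation (the Auto options of the Password Change Wizard) and policy checking work from. The following is an added example, not TAM E-SSO code: it uses the documented default character sets to generate a password from a CSPRNG and to report policy violations. The shape of the policy (length bounds plus a minimum count per class) is an assumption made for illustration, because the page does not show the entlist.ini policy syntax.

```python
"""Password generation and checking against the Change Policies
character classes. Added example, not TAM E-SSO product code.
The four class strings are the defaults listed in the settings
reference; the Policy shape (length bounds plus a per-class minimum)
is an assumption made for illustration, since entlist.ini policy
syntax is not described on this page."""
import secrets
from dataclasses import dataclass

# Defaults from Extensions\AccessManager:NumericChars, SpecialChars,
# UppercaseAlphabetChars and LowercaseAlphabetChars.
CLASSES = {
    "numeric": "1234567890",
    "special": "!@#$^&*()_-+=[]\\|,?",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
}
ALLOWED = "".join(CLASSES.values())


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy: length bounds and a minimum per class."""
    min_length: int = 12
    max_length: int = 16
    min_numeric: int = 1
    min_special: int = 1
    min_uppercase: int = 1
    min_lowercase: int = 1

    def minimums(self) -> dict:
        return {
            "numeric": self.min_numeric,
            "special": self.min_special,
            "uppercase": self.min_uppercase,
            "lowercase": self.min_lowercase,
        }


def check_password(password: str, policy: Policy) -> list:
    """Return the policy violations for `password` (empty = compliant)."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(f"length {len(password)} not in "
                        f"{policy.min_length}..{policy.max_length}")
    # Characters outside every configured class are never acceptable:
    # the target application may reject them or map them differently.
    stray = sorted({c for c in password if c not in ALLOWED})
    if stray:
        problems.append("characters outside every class: " + "".join(stray))
    for name, minimum in policy.minimums().items():
        count = sum(1 for c in password if c in CLASSES[name])
        if count < minimum:
            problems.append(f"needs at least {minimum} {name}, has {count}")
    return problems


def generate_password(policy: Policy) -> str:
    """Generate a policy-compliant password from a CSPRNG (secrets)."""
    if sum(policy.minimums().values()) > policy.max_length:
        raise ValueError("per-class minimums exceed max_length")
    chars = []
    # Satisfy each per-class minimum first ...
    for name, minimum in policy.minimums().items():
        chars.extend(secrets.choice(CLASSES[name]) for _ in range(minimum))
    # ... then fill to a random length inside the bounds from all classes.
    span = policy.max_length - policy.min_length + 1
    length = policy.min_length + secrets.randbelow(span)
    while len(chars) < length:
        chars.append(secrets.choice(ALLOWED))
    # Shuffle so the mandatory characters are not at predictable offsets.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    policy = Policy()
    for _ in range(3):
        candidate = generate_password(policy)
        assert check_password(candidate, policy) == []
        print(candidate)
    print(check_password("password", policy))
```

The generator draws every character from `secrets`, never from `random`, and shuffles after placing the mandatory characters so that, for example, the required digit does not always land in the first position.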
Advanced (End-User Experience - Password Change):
2505
Node path: End-User Experience > Password Change > Advanced
The Advanced Password Change settings control special-case functions for password-sharing and
automatic password generation.
Allow user to exclude logons from password groups Allows the TAM E-SSO user to exclude an application
logon from the administrator-assigned password sharing
group.
Options:
v Do not allow (default)
v Allow
Reg Node: Extensions\AccessManager:AllowExcludePWSG
Notify Primary Logon Method Apply password sharing to the current authenticator
when credentials in its password-sharing group are
changed.
Options:
v Do not notify the authenticator (default)
v Notify the authenticator
Notes:
v Password sharing is currently supported only for
Windows Authenticator version 2 and LDAP
Authenticator version 2.
v Because the end-user is not notified of the new
password, you should not use automatic password
generation to change the passwords of applications in
the sharing group.
Reg Node: AUI:ShareToAuth
Quietly Change Passwords Quietly generate a random password for a password
change.
Options:
v Inform the user about a password change (default).
v Do not inform the user about a password change.
Reg Node: Extensions\AccessManager:QuietGenerator
Response (End-User Experience):
2509
Node path: End-User Experience > Response
The general Response settings control the behavior of the Agent when the end-user provides credentials
for new logons and when detecting applications requiring logons. You can also control whether end-users
can create logons for applications not created by the administrator.
Automatically logon to applications Automatically provide credentials to applications.
Options:
v Do not automatically provide credentials.
v Automatically provide credentials (default).
Reg Node: Shell:UseActiveLogin
Delay after Java runtime startup Amount of time (in milliseconds) the JHO should wait
before listening to window events at Java startup.
Adding a delay can resolve timing conflicts during Java
runtime initialization.
Display ″Add another logon″ checkbox Enable/disable display of the ″Add another logon″
checkbox in the Add Wizard.
Options:
v Disable (default)
v Enable
Reg Node: Extensions\AccessManager:ShowAddAdditionalLogon
Limit user to predefined applications Allow user to add credentials for applications that are
not predefined.
Options:
v Do not allow the user to add credentials for unknown
applications (default).
v Allow the user to add credentials for unknown
applications.
Reg Node: Extensions\AccessManager:AllowUnknown
Logon to waiting applications upon agent startup Enable the agent, at startup, to submit credentials to a
Windows or Java application that has already presented
its logon form. Note: The agent always submits
credentials to Web applications and to host/mainframe
application logons that use polling to elicit logon entry.
These applications are not affected by this setting.
Options:
v Do not logon (default)
v Logon at startup
Reg Node: Shell:LogonOnStartup
Prompt user to add new logons Recognize new applications and ask if the user wants to
add a logon.
Options:
v Do not prompt the user to add new applications.
v Prompt the user to add new applications (default).
Reg Node: Shell:UseAutoSense
Time allowed for Java applets to load Maximum time (in seconds) that the Agent waits for a
Java applet to be fully loaded in the browser (default: 6
seconds).
Reg Node: Shell:UseAutoSense
Utilize the just-added Logon Logon to an application after configuring it (adding its
credentials).
Options:
v Do not logon to an application after adding its
credentials.
v Logon to an application after adding its credentials
(default).
Reg Node: Extensions\AccessManager:LogonAfterConfig
Error Loop (End-User Experience - Response):
2510
Node path: End-User Experience > Response > Error Loop
The Error Loop settings control the Agent’s default behavior when it supplies incorrect credentials. A
logon error usually occurs when a user enters the wrong password when creating a logon, or changes
the application password from another computer. When a logon error occurs, the Agent displays the
Logon Error dialog box to let the user enter and store the proper credentials.
Notes
v Use the Error Loop controls to set the Error Loop for specific application types:
– Windows
– Web
– Host/Mainframe
v Application-type and application-specific Error Loop settings override these global settings, except
where the Mask password field setting is set here (i.e., globally) to Mask.
v To set the Error Loop for a specific application, select the application (under Applications), then select the
Error Loop tab. Application-specific Error Loop settings override the global Agent and application-type
settings, except where the Mask password field setting (in any scope) is set to Mask.
Mask password field(s) Indicate whether to mask the password in the Logon
Error dialog; default is Mask.
Note: If this setting, the application-type setting, or the
application-specific setting is set to mask, then the
password is masked.
Reg Node: Extensions\AccessManager\Dlg:MaskPW
Maximum retries before prompting Maximum number of retries (after first try) allowed
before Logon Error dialog appears; default is 1. This
setting applies for each set of credentials.
Reg Node: Extensions\AccessManager\Dlg:MaxRetry
Maximum time for retries before prompting Maximum time in seconds between successive logon
attempts before Logon Error dialog appears; default is
30. This setting applies for each set of credentials.
Reg Node: Extensions\AccessManager\Dlg:Timeout
Require password confirmation when modifying
password
Indicate whether to display the Confirm Password field
in the Logon Error dialog; the default is to Require
password confirmation.
Reg Node: Extensions\AccessManager\Dlg:HideConfirmPW
Host/Mainframe Applications (End-User Experience - Response):
2512
Node path: End-User Experience > Response > Host/Mainframe Apps
The Host/Mainframe Response settings control the behavior of the Agent with host/mainframe
applications.
Host/Mainframe support Enable host /mainframe support. See Adding Mainframe
applications for more information
Options:
v Host/mainframe support disabled (default).
v Host/mainframe support enabled.
Reg Node: Extensions\AccessManager:MFEnable
Polling Interval Interval (in milliseconds) between when the agent checks
the host emulator for changes. Lower values can use
more CPU time, higher values can increase the time
between when a screen appears and when the agent
provides credentials (default: 700).
Reg Node: Extensions\AccessManager\MHO:CycleInterval
Web Applications (End-User Experience - Response):
2513
Node path: End-User Experience > Response > Web Apps
The Web Applications Response settings control the behavior of the Agent with Web applications.
Applications to ignore
Comma delimited list of applications that BHO should
skip when searching for logons.
Border Appearance Set the default border color, size, and style of Web
credential fields (default setting: red 6px solid). See
Border Appearance for more information.
Reg Node: Extensions\AccessManager\BHO:FeedbackColor
Enable disable button Indicates whether or not to enable the ″Disable″ button
on the ″Would you like the Agent to remember your
logon information for this web application?″ dialog.
Show Border
Display a highlighted border around the credential fields
of a Web form during logon.
Options:
v Do not enable the border around fields.
v Enable the border around fields (default).
URL Matching Precision Number of levels of the URL to use as the matching
criteria. Fewer levels mean a stored logon is offered on
more hosts: at the default of two levels, a logon stored for
one host is supplied to every host under the same
second-level domain.
Options (for the Web URL http://mail.passlogix.com):
v Match to *passlogix.com (default)
v Match to *mail.passlogix.com
Reg Node: Extensions\AccessManager:DNLevelsToMatch
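To see what the precision setting actually exposes, the following added example (not TAM E-SSO code) models the match as a comparison of the trailing N labels of the page host against those of the host the logon was stored for, and lists which of a set of constructed pages would receive the stored credentials at two and at three levels. Ignoring scheme, port and path is an assumption of the model; the Agent's real matching rules beyond the host levels are not described on this page.

```python
"""URL Matching Precision (DNLevelsToMatch) as an added example; this
is not TAM E-SSO code. It models matching as comparing the trailing
`levels` labels of the page host name with those of the host the logon
was stored for; scheme, port and path are ignored, which is an
assumption. The host names used in the demo are constructed."""
import ipaddress
from urllib.parse import urlsplit


def host_key(url: str, levels: int) -> str:
    """Comparison key for a URL at the given precision.

    An IP-literal host is compared whole: taking the last two octets of
    10.0.0.1 as a 'domain' would otherwise match 192.168.0.1.
    """
    if levels < 1:
        raise ValueError("levels must be at least 1")
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal: fall through to label matching
    return ".".join(host.split(".")[-levels:])


def logon_matches(stored_url: str, page_url: str, levels: int = 2) -> bool:
    """Would a logon stored for `stored_url` be offered on `page_url`?"""
    return host_key(stored_url, levels) == host_key(page_url, levels)


def hosts_receiving_credentials(stored_url, page_urls, levels=2):
    """Pages (from a candidate list) on which the stored logon fires."""
    return [u for u in page_urls if logon_matches(stored_url, u, levels)]


if __name__ == "__main__":
    stored = "http://mail.passlogix.com"
    pages = [  # constructed sample pages
        "https://mail.passlogix.com/owa/",
        "https://intranet.passlogix.com/login",
        "http://passlogix.com.attacker.example/login",
    ]
    for levels in (2, 3):
        print(levels, hosts_receiving_credentials(stored, pages, levels))
```

At the default of two levels the mailbox password is also offered to any other host under passlogix.com, so a compromised or forgotten host in that zone becomes a credential collection point; raising the precision for sensitive logons limits that exposure. The look-alike host under attacker.example never matches, because only the trailing labels are compared.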
Windows Applications (End-User Experience - Response):
2514
Node path: End-User Experience > Response > Windows Apps
The Windows Applications Response settings control the behavior of the Agent with Windows
applications.
Supported Window Classes for Applications The list of window class names that the Agent recognizes
as applications. This setting is provided to improve
performance by restricting the Agent to this list. To
enable support for dynamic window classes, delete the
default settings to set this value to null.
Reg Node: Extensions\AccessManager:AppClasses
Supported Window Classes for Services The list of window class names that the Agent recognizes
as Windows services. This setting is provided to improve
performance by restricting the Agent to this list. To
enable support for dynamic window classes, delete the
default settings to set this value to null.
(default: #32770;Dialog;ThunderRT5FormDC;ThunderRT6FormDC)
Reg Node: Extensions\AccessManager:ServiceClasses
Wait for a Window Title For slow-appearing dialogs/applications, this setting
determines how long (in half-seconds) the Agent should
wait for a window title to appear. If the window title
does not appear in this interval, the dialog is ignored. A
higher value uses more CPU cycles. (default: 6)
Reg Node: Extensions\AccessManager:EmptyTitleRetryCount
Setup Wizard (End-User Experience):
2515
Node path: End-User Experience > Setup Wizard
The Setup Wizard settings control the behavior of the Setup Wizard, which is displayed during
first-time use. See First Time Use for more information.
Enable/disable First-Time-Use (FTU) wizard. Controls whether the Setup Wizard is displayed when
first-time-use is invoked.
Options:
v Do not hide (default).
v Hide.
Note: If more than one authenticator (primary logon
method) is installed, then the first authenticator in the
list is automatically selected as the end user’s primary
logon method.
Reg Node: Extensions\SetUpManager:HideWizard
Selected Primary Logon Enables the selected logon method as the primary logon
method and hides all other installed logon methods. The
default is no selection (i.e., end-users select their own
primary logon method).
Note: To hide the primary logon method selection menu,
use the Enable/Disable First-Time-Use (FTU) Wizard
setting. If the primary logon method selection page is
hidden, and this setting is blank, then the first installed
logon method in the list is automatically selected.
Reg Node: AUI:Selected
Skip ″selection″ page if only one Primary Logon
Method installed
Hide the ″Select Primary Logon Method″ step in the
Setup Wizard if only one authenticator (primary logon
method) is installed.
Options:
v Do not hide/skip the Select step of the Setup Wizard
(default).
v Hide/skip the Select step of the Setup Wizard.
Reg Node: AUI:HideSingleSelection
Event Logging
2516
Node path: Event Logging
The Event Logging settings control how the Agent records program events.
v Use the XML File (Event Logging) settings to set different options for local logging.
v Use the Advanced (Event Logging - Windows Event Viewer) settings to set different options for
Windows Event logging.
Select events to log: Displays the Event Logging Filter to specify which
events to log. Click ... to display a checklist of
events.
Reg Node: Extensions\EventManager:Filter
Advanced (Event Logging):
2517
Node path: Event Logging > Advanced
The Advanced Event Logging settings let you change the default paths to the logging extension and
event message components. You can also modify the retry interval and size of the logging cache.
Event Server Message Library location Path/filename to the event message library,
SSOeventmessage.dll, used for viewing events in
Windows Event Viewer. (Default path: C:\Program Files
\Passlogix\v-GO SSO\Plugin\EventMgr\SSOeventmessage.dll)
Reg Node: Extensions\EventManager:EventMessagePath
Extension location The path/filename to the event logging extension,
eventmgr.dll. (Default path: C:\Program Files
\Passlogix\v-GO SSO\Plugin\EventMgr\eventmgr.dll)
Reg Node: Extensions\EventManager:Path
Cache Retry Interval Interval (in minutes) between retries for all Event
Logging extensions. The default is 30 minutes.
Reg Node: Extensions\EventManager:Retry
Cache Limit Maximum number of event log entries to be cached; the
default is 200 entries.
Reg Node: Extensions\EventManager:CacheLimit
Windows Event Viewer (Event Logging):
2518
Node path: Event Logging > Windows Event Viewer
The Windows Event Viewer settings enable event logging to be performed on a remote server.
Windows Event Logging Server Server name for the Windows Event Logging extension
(do not provide leading ″\\″ characters). If not provided,
logging is performed on the local computer.
The server should have a trusted relationship with the
user’s account and the user’s computer, depending on
access rights and restrictions.
Reg Node: Extensions\EventManager\WindowsEvent:EventServer
Advanced (Event Logging - Windows Event Viewer):
2519
Node path: Event Logging > Windows Event Viewer > Advanced
The Advanced Windows Event Viewer settings let you specify which events should be logged. You can
also change the default path to the Windows Event logging extension and Windows event message
components, and you can modify the retry interval of the logging cache.
Cache Retry Interval Interval (in minutes) between retries for Windows Event
Logging; the default is 30 minutes.
Reg Node: Extensions\EventManager\WindowsEvent:Retry
Extension location Path/filename to the Windows Event Logging extension,
WindowsEvent.dll.
(Default path: C:\Program Files\Passlogix\v-GO SSO
\Plugin\EventMgr\WindowsEvent.dll)
Reg Node: Extensions\EventManager\Logs:WindowsEvent
Of logged events, limit for Windows server to: Displays the Event Logging Filter to specify which
events to log to the Windows Event Server. Click ... to
display a checklist of events.
Reg Node: Extensions\EventManager\WindowsEvent:Filter
XML File (Event Logging):
2520
Node path: Event Logging > XML File
The XML File Event Logging settings let you specify which events should be logged locally. You can also
change the default path to the local logging extension, and you can modify the retry interval of the
logging cache.
Cache Retry Interval Interval (in minutes) between retries for Local (XML) File
Logging; the default is 30 minutes
Reg Node: Extensions\EventManager\LocalStorage:Retry
Extension location The path/filename to the Local (XML) File Logging
extension, XMLEvent.dll.
(Default path: C:\Program Files\Passlogix\v-GO SSO
\Plugin\EventMgr\XMLEvent.dll)
Reg Node: Extensions\EventManager\Logs:LocalStorage
Of logged events, limit for XML file to: Displays the Event Logging Filter to specify which
events to log to the Local (XML) File Logging extension.
Click ... to display a checklist of events.
Reg Node: Extensions\EventManager\LocalStorage:Filter
Kiosk Adapter
TAM E-SSO: Kiosk Adapter:
3000
The TAM E-SSO: Kiosk Adapter settings let you control the operation of the Kiosk Adapter.
Note: These settings apply to TAM E-SSO: Kiosk Adapter only. TAM E-SSO: Kiosk Adapter is an add-on
module to TAM E-SSO available separately from IBM.
Close suspended session after how many seconds Enter the amount of time (in seconds) of inactivity after
which a session should be closed.
Reg Node: SM\Agent:ExpireTerm
Event Log Machine Name Enter the name of the local machine where events should
be logged.
Reg Node: SM\Agent:EventLogMachine
Event Log Name Enter the name of the Windows event log where events
should be logged.
Reg Node: SM\Agent:EventLogName
How should we determine which applications to close This setting controls how applications should be closed.
Options:
v Do not close any applications
v Only close applications configured to be closed on
session end
v Close all applications except those configured to be left
running on session end
Note: If this option is selected, a list of applications to be
left running on session end must be defined and must
include all the mandatory default processes. The list of
the default processes can be found on the Applications to
Leave Running on Session End panel by clicking the
Default button. That list contains only suggested default
processes; the actual processes may vary from machine to
machine. If no list is defined, the Kiosk Adapter attempts
to close every running process, which can crash the
machine.
Reg Node: SM\Agent:TermOpType
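The third option is the one that needs care, because an empty leave-running list turns session end into an attempt to kill every process on the kiosk. The following added example (not Kiosk Adapter code) works out which processes would be terminated under each mode from a constructed process list, refuses the close-all mode when no allow list exists, and reports mandatory default processes that an allow list omits. The mode names, process names and list encoding are assumptions for illustration.

```python
"""Which processes the Kiosk Adapter's session-end handling would
terminate under each TermOpType mode. Added example, not TAM E-SSO
code; the mode names, the process names and the list encoding are
assumptions made for illustration."""
from enum import Enum


class TermOpType(Enum):
    NONE = "do not close any applications"
    CLOSE_LISTED = "only close applications configured to be closed"
    CLOSE_ALL_EXCEPT = "close all applications except those left running"


def processes_to_close(running, mode, close_on_end=(), leave_running=()):
    """Return the running process names to terminate at session end.

    `running` is the process list (constructed), `close_on_end` the
    applications configured to be closed, `leave_running` the allow
    list from Applications to Leave Running on Session End.
    Matching is case-insensitive on the image name.
    """
    if mode is TermOpType.NONE:
        return []
    if mode is TermOpType.CLOSE_LISTED:
        wanted = {n.lower() for n in close_on_end}
        return [p for p in running if p.lower() in wanted]
    if mode is TermOpType.CLOSE_ALL_EXCEPT:
        # The documented failure mode: with no allow list every running
        # process would be targeted, which the reference says can crash
        # the machine. Refuse instead of proceeding.
        if not leave_running:
            raise ValueError("CLOSE_ALL_EXCEPT needs a non-empty "
                             "leave-running list")
        keep = {n.lower() for n in leave_running}
        return [p for p in running if p.lower() not in keep]
    raise ValueError(f"unknown mode {mode!r}")


def missing_mandatory(leave_running, mandatory_defaults):
    """Mandatory default processes that the allow list does not contain."""
    keep = {n.lower() for n in leave_running}
    return [m for m in mandatory_defaults if m.lower() not in keep]


if __name__ == "__main__":
    # Constructed sample: two platform processes, two user applications.
    running = ["explorer.exe", "winlogon.exe", "notepad.exe", "outlook.exe"]
    mandatory = ["explorer.exe", "winlogon.exe"]  # hypothetical defaults
    allow = ["explorer.exe"]
    print(missing_mandatory(allow, mandatory))
    print(processes_to_close(running, TermOpType.CLOSE_ALL_EXCEPT,
                             leave_running=allow))
```

Run the `missing_mandatory` check against the list exported from the Default button before enabling the close-all mode on a kiosk image; the allow list is per machine, so an image built from one machine's defaults can still be incomplete on another.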
Lock session when only configured applications are
running
This setting determines whether a session should be
locked (after a specified period of time) if only
applications open are those configured to be left running
on session end. Set the amount of time in the next
setting, Lock the session after how many seconds.
Note: If Yes is selected, at least one application must be
configured to be left running on session end. These
applications are configured in the Kiosk
Adapter\Applications to Leave Running on Session End
list.
Options:
v No
v Yes
Reg Node: SM\Agent:LockonWhite
Lock the session after how many seconds This setting determines the amount of time (in seconds)
after which TAM E-SSO: Kiosk Adapter should check for
applications which are configured to be left running on
session end. If only those applications are running, the
session will be locked after the amount of time specified
in this setting. The default is three minutes.
Note: This setting is only needed if Yes is selected on the
above setting, Lock session when only configured
applications are running .
Reg Node: SM\Agent:LockonWhiteTimer
Number of times to process termination Enter the number of times that the termination of an
application should be processed. This setting instructs
the termination process to loop a certain number of times
(or until it is done), whichever comes first. This allows
TAM E-SSO: Kiosk Adapter to react to an application if it
displays multiple screens during the termination process.
The default is one.
Reg Node: SM\Agent:TerminationIteration
Restart computer This setting determines whether the restart computer
option is enabled on the Desktop Manager.
Note: Even if this setting is enabled, the option may still
be disabled if the Kiosk account does not have sufficient
privileges.
Options:
v Disable
v Enable
Reg Node: SM\Agent:AllowRestart
Show the tray icon This setting determines whether or not to show the Tray
Icon.
Options:
v Show (default)
v Do not show
Reg Node: SM\Agent:ShowTrayIcon
Shutdown computer This setting determines whether the shutdown computer
option is enabled on the Desktop Manager.
Note: Even if this setting is enabled, the option may still
be disabled if the Kiosk account does not have sufficient
privileges.
Options:
v Disable
v Enable
Reg Node: SM\Agent:AllowShutdown
Advanced:
Advanced (Kiosk Adapter):
3000
The TAM E-SSO: Kiosk Adapter advanced settings let you control the confirmation messages presented.
Note: These settings apply to TAM E-SSO: Kiosk Adapter only. TAM E-SSO: Kiosk Adapter is an add-on
module to TAM E-SSO available separately from IBM.
Show confirmation message when restarting kiosk This setting determines whether a user should be
prompted with a confirmation message after choosing to
restart the kiosk.
Reg Node: SM\Agent:ConfirmRestart
Show confirmation message when shutting down kiosk This setting determines whether a user should be
prompted with a confirmation message after choosing to
shut down the kiosk.
Reg Node: SM\Agent:ConfirmShutdown
Show confirmation message when starting a new session This setting determines whether a user should be
prompted with a confirmation message after choosing to
start a new session. This message appears only if there is
an existing session open.
Reg Node: SM\Agent:ConfirmNewSession
Special Tasks (Kiosk Adapter\Advanced):
2503
Node path: End-User Experience > Advanced > Special Tasks
The Special Tasks settings control the tasks (lists of commands) that are executed when TAM E-SSO:
Kiosk Adapter actions occur. For each set of tasks, select the checkbox and click ... to open the Edit List
dialog box. Type one command on each line; end each line by pressing Enter. Do not use any other
delimiter characters.
Note: These settings apply to TAM E-SSO: Kiosk Adapter only. TAM E-SSO: Kiosk Adapter is an add-on
module to TAM E-SSO available separately from IBM.
After session is closed Command(s) that will run after a session is closed.
Reg Node: SM\Agent\Tasks:PostTermSessTaskN
Reg Node: Shell\Tasks:RefreshTask
After starting a new session Command(s) that will run after a new session is started.
Reg Node: SM\Agent\Tasks:PostSyncTaskN
Reg Node: Shell\Tasks:StartupTask
Before starting a new session Command(s) that will run before a new session is
started.
Reg Node: SM\Agent\Tasks:PreSyncTaskN
Reg Node: Shell\Tasks:PreTask
Primary Logon Method
TAM E-SSO: Authentication Manager (Primary Logon Methods):
2547
Node path: Primary Logon Methods > Authentication Manager
The TAM E-SSO: Authentication Manager settings specify the primary logon methods (authenticators)
that are to be used by the Multi-Authenticator primary logon.
Allowed number of logon methods This setting allows you to set the maximum number of
logon methods that will be presented to a user. Once this
number of logon methods have been presented (and
skipped by) the user, a ″Choose Logon″ dialog is
displayed.
Defaults to 1.
This setting is only used for the Multi-Authenticator
primary logon.
Reg Node: AUI\MultiAuth:MaxPreferred
Allow user to change order of primary logon methods? This setting allows you to choose whether a user will
have the ability to change the order in which logon
methods are presented to them. If this is set to Yes, the
user can create a preferred order list.
Defaults to No.
This setting is only used for the Multi-Authenticator
primary logon.
Reg Node: AUI\MultiAuth:ChangeAuthOrder
Enrollment (Primary Logon Methods\Authentication Manager):
2549
Node path: Primary Logon Methods > Authentication Manager > Enrollment
The Authentication Manager\ Enrollment settings specify the primary logon methods (authenticators)
that can be used by the Multi-Authenticator primary logon.
The settings on this page will determine whether a user will be required to set up a specific logon
method during the First Time Use Wizard, if Authentication Manager is chosen as the primary logon
method.
For each primary logon method, select Optional, Required, or Disabled.
Note: These settings are used in TAM E-SSO: Authentication Adapter only.
Entrust
  Select whether a user will be required to set up Entrust as a primary logon method.
  Reg Node: AUI\Entrust:AuthState
LDAP
  Select whether a user will be required to set up LDAP as a primary logon method.
  Reg Node: AUI\LDAP:AuthState
LDAP v2
  Select whether a user will be required to set up LDAP v2 as a primary logon method.
  Reg Node: AUI\LDAPauth:AuthState
Smart Card
  Select whether a user will be required to set up Smart Card as a primary logon method.
  Reg Node: AUI\SCauth:AuthState
Windows
  Select whether a user will be required to set up Windows as a primary logon method.
  Reg Node: AUI\WinAuth:AuthState
Windows v2
  Select whether a user will be required to set up Windows v2 as a primary logon method.
  Reg Node: AUI\MSAuth:AuthState
Collected links
First Time Use Wizard
TAM E-SSO: Authentication Adapter
Grade (Primary Logon Methods\Authentication Manager):
Node path: Primary Logon Methods > Authentication Manager > Grade
The Authentication Manager\Grade settings specify an authentication grade for each primary logon method.
Authentication Grades are numeric values. An authentication grade will automatically default to grade
level 1 if authentication grading is turned on and no grade level is specified. The higher the grade level
specified, the stronger the authentication level that is being requested.
The grading scale can be arbitrarily configured. For example, an expected normal scenario would be a
scale of 1-3, but you have the flexibility to make this 1-5 or 1-n, as required. Any grade less than 1 will be
converted to 1.
The Multi-Authenticator primary logon supports the authentication grades by mapping the grades to the
authentication methods used.
If a user tries to access credentials with a grade level that is too low, they will be asked to authenticate at
a higher grade and only gain access if successful.
Lockouts occur as per normal TAM E-SSO authentication lockout policy. Since graded authentication uses
the core TAM E-SSO authentication process, this will happen naturally.
Set a number grade value (>=1) for each logon method.
Note: These settings are used in TAM E-SSO: Authentication Adapter only.
Entrust
  This setting assigns an authentication grade to Entrust. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).
  Reg Node: AUI\Entrust:AuthGrade
LDAP
  This setting assigns an authentication grade to LDAP. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).
  Reg Node: AUI\LDAP:AuthGrade
LDAP v2
  This setting assigns an authentication grade to LDAP v2. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).
  Reg Node: AUI\LDAPauth:AuthGrade
Smart Card
  This setting assigns an authentication grade to Smart Card. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).
  Reg Node: AUI\SCauth:AuthGrade
Windows
  This setting assigns an authentication grade to Windows. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).
  Reg Node: AUI\WinAuth:AuthGrade
Windows v2
  This setting assigns an authentication grade to Windows v2. This value is used for Multi-Authenticator primary logon. Set a number grade value (>=1).
  Reg Node: AUI\MSAuth:AuthGrade
Collected links
Authentication Grades
TAM E-SSO: Authentication Adapter
Order (Primary Logon Methods\Authentication Manager):
Node path: Primary Logon Methods > Authentication Manager > Order
The Authentication Manager\Order settings specify the sequence in which the installed logon methods will be presented to the end user during the First Time Use Wizard and the application logon, if Authentication Manager is chosen as the primary logon method.
For each primary logon method, select or type a number to indicate the logon method’s position in the
FTU/logon order.
Note: These settings are used in TAM E-SSO: Authentication Adapter only.
Allowed number of logon methods
  This setting allows you to set the maximum number of logon methods that will be presented to a user. Once this number of logon methods have been presented (and skipped by) the user, a "Choose Logon" dialog is displayed.
  Defaults to 1.
  This setting is only used for the Multi-Authenticator primary logon.
  Reg Node: AUI\MultiAuth:MaxPreferred
Entrust
  This setting sets the ordered position for Entrust. This will be the order in which Entrust is presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons.
  Defaults to 4.
  Reg Node: AUI\Entrust:AuthOrder
LDAP
  This setting sets the ordered position for LDAP. This will be the order in which LDAP is presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons.
  Defaults to 3.
  Reg Node: AUI\LDAP:AuthOrder
LDAP v2
  This setting sets the ordered position for LDAP v2. This will be the order in which LDAP v2 is presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons.
  Defaults to 3.
  Reg Node: AUI\LDAPauth:AuthOrder
Smart Card
  This setting sets the ordered position for Smart Card. This will be the order in which Smart Card is presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons.
  Defaults to 1.
  Reg Node: AUI\SCauth:AuthOrder
Windows
  This setting sets the ordered position for Windows. This will be the order in which Windows is presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons.
  Defaults to 2.
  Reg Node: AUI\WinAuth:AuthOrder
Windows v2
  This setting sets the ordered position for Windows v2. This will be the order in which Windows v2 is presented to the end user during the First-Time-Use Wizard and application logons. This setting is only used for Multi-Authenticator logons.
  Defaults to 2.
  Reg Node: AUI\MSAuth:AuthOrder
Collected links
First Time Use Wizard
TAM E-SSO: Authentication Adapter
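The Enrollment, Grade and Order settings above configure one mechanism, the Multi-Authenticator primary logon. The following Python model is an added example written for this page, not IBM's or Passlogix's code: it drops Disabled methods, orders the rest by AuthOrder, applies MaxPreferred before the "Choose Logon" dialog, and enforces graded access with a step-up re-authentication. The tie-break for equal AuthOrder values and the way a user's preferred list (ChangeAuthOrder set to Yes) overrides the configured order are assumptions.

```python
"""Model of the Multi-Authenticator primary logon as configured by the
Authentication Manager Enrollment, Grade and Order settings.

Added example for this page, not IBM's or Passlogix's code; it reads no
registry. Defaults come from the page. Assumptions: equal AuthOrder values
are broken by name, and a user's preferred list (ChangeAuthOrder=Yes) goes
ahead of the configured order.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# AUI\<method>:AuthOrder defaults from the Order settings.
DEFAULT_AUTH_ORDER = {
    "Smart Card": 1, "Windows": 2, "Windows v2": 2,
    "LDAP": 3, "LDAP v2": 3, "Entrust": 4,
}


def effective_grade(configured: Optional[int]) -> int:
    """AuthGrade rules: unspecified -> 1; any grade less than 1 -> 1."""
    return 1 if configured is None else max(1, int(configured))


@dataclass
class MultiAuthConfig:
    enrollment: Dict[str, str]            # AuthState: Required / Optional / Disabled
    grades: Dict[str, Optional[int]]      # AuthGrade per method (None = not specified)
    order: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_AUTH_ORDER))
    max_preferred: int = 1                # AUI\MultiAuth:MaxPreferred
    change_auth_order: bool = False       # AUI\MultiAuth:ChangeAuthOrder

    def usable_methods(self) -> List[str]:
        """Installed methods (those with an enrollment state) that are not Disabled."""
        return [m for m, state in self.enrollment.items() if state != "Disabled"]

    def presentation_order(self, user_preferred: Optional[List[str]] = None) -> List[str]:
        """Configured order, optionally led by the user's own list (assumption)."""
        configured = sorted(self.usable_methods(), key=lambda m: (self.order.get(m, 99), m))
        if user_preferred and self.change_auth_order:
            head = [m for m in user_preferred if m in configured]
            return head + [m for m in configured if m not in head]
        return configured

    def ftu_required(self) -> List[str]:
        """Methods the First Time Use Wizard must make the user set up."""
        return [m for m in self.presentation_order() if self.enrollment[m] == "Required"]

    def logon_prompts(self, user_preferred: Optional[List[str]] = None) -> Tuple[List[str], List[str]]:
        """Methods offered one at a time, and the remainder the 'Choose Logon'
        dialog lists once MaxPreferred of them have been skipped."""
        seq = self.presentation_order(user_preferred)
        n = max(1, self.max_preferred)
        return seq[:n], seq[n:]


@dataclass
class Session:
    cfg: MultiAuthConfig
    authenticated_with: List[str] = field(default_factory=list)

    def current_grade(self) -> int:
        """Strongest grade reached so far in this session (0 before any logon)."""
        return max((effective_grade(self.cfg.grades.get(m))
                    for m in self.authenticated_with), default=0)

    def methods_for_grade(self, required: int) -> List[str]:
        """Usable methods strong enough for `required`, in presentation order."""
        return [m for m in self.cfg.presentation_order()
                if effective_grade(self.cfg.grades.get(m)) >= required]

    def access_credential(self, required: int,
                          reauth_with: Optional[str] = None) -> Tuple[bool, str]:
        """Grant access when the session grade meets the credential's grade;
        otherwise the user must re-authenticate with a method at or above it."""
        have = self.current_grade()
        if have >= required:
            return True, "session grade %d meets required grade %d" % (have, required)
        if reauth_with is None:
            return False, "step-up required: any of %s" % self.methods_for_grade(required)
        if reauth_with not in self.cfg.usable_methods():
            return False, "%s is disabled or not installed" % reauth_with
        if effective_grade(self.cfg.grades.get(reauth_with)) < required:
            return False, "%s grade is too low for grade %d" % (reauth_with, required)
        self.authenticated_with.append(reauth_with)
        return True, "re-authenticated with %s" % reauth_with


if __name__ == "__main__":
    # Constructed configuration: four installed methods, Entrust disabled.
    cfg = MultiAuthConfig(
        enrollment={"Smart Card": "Optional", "Windows": "Required",
                    "LDAP": "Optional", "Entrust": "Disabled"},
        grades={"Smart Card": 3, "Windows": 2, "LDAP": 0, "Entrust": 5})
    print(cfg.logon_prompts())                   # (['Smart Card'], ['Windows', 'LDAP'])
    s = Session(cfg, ["Windows"])
    print(s.access_credential(3))                # step-up needed: only Smart Card is grade 3
    print(s.access_credential(3, "Smart Card"))  # (True, 're-authenticated with Smart Card')
```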
LDAP:
Advanced (Primary Logon Methods - LDAP version 2 - Advanced):
Node path: Primary Logon Methods > LDAP v2 > Advanced
The Advanced LDAP Primary Logon Methods settings control special-case options for enabling LDAP
version 2 authentication.
Alternate User ID location
  Indicates where to locate a user object when the user validates against an attribute other than the username.
  Example: If users authenticate with an employee ID number for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set this location to
  empid=%user,ou=people,dc=computer
  instead of to
  uid=user,ou=people,dc=computer
  Notes:
  • For Novell eDirectory, Alternate User ID location should be: uid=%user, path to the object%.
  • If you use Alternate User ID location, do not use Naming Attribute string or User Paths.
  Reg Node: AUI\LDAPauth:UserLocation
Authenticator Grade
  Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).
BIND Timeout
  The time (in milliseconds) to time out of the LDAP BIND call (default depends on the operating system).
Include in "LDAP" Password Sharing group
  Share password changes from the LDAP authenticator to credentials in the LDAP Password Group. This setting requires that password sharing be enabled; see the Password Groups setting.
  Options:
  • Do not share password changes from the LDAPauth authenticator to credentials in the Group LDAP.
  • Share password changes from the LDAPauth authenticator to credentials in the Group LDAP (default).
  Reg Node: AUI\LDAPauth:PWSEnable
Naming Attribute string
  String to prepend to User Paths. This is required when the domain name for a user is in the form:
  cn=%UserName%,ou=people,dc=computer
  instead of the form:
  namingattribute=%UserName%,ou=people,dc=computer
  (where namingattribute can be any string). If needed, set to cn.
  Reg Node: AUI\LDAPauth:UserPrepend
Passphrase
  Enables the passphrase challenge for additional security. Users must provide a passphrase answer during First Time Use; this is the default setting.
  Options:
  • Disable
  • Enable (default)
  Reg Node: AUI\LDAPauth:ResetEnable
When SSL fails
  Fall back to an insecure connection when an SSL connection fails.
  Options:
  • Do not connect if the SSL connection fails (default).
  • Connect without SSL (insecure) if the SSL connection fails.
  Note: If you select SSLFallback and any of the servers listed in Servers includes a port specification, the fallback port must also be specified as an additional Servers entry.
  Example: If the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
  Server1=mycomputer.com:1272 ;My secure SSL Port
  Server2=mycomputer.com:389 ;My fallback port
  Reg Node: AUI\LDAPauth:SSLFallback
Window Title Name
  Use this setting to customize the Window title name for this authenticator.
  Note: This entry is not required.
Collected links
User Paths
Authentication tab (for selected application)
LDAP Password Group
Password Groups
Servers
Required (Primary Logon Methods - LDAP version 2 - Required):
Node path: Primary Logon Methods > LDAP v2 > Required
The Required LDAP v2 Primary Logon Methods settings are the primary controls for enabling LDAP version 2 authentication. These settings must be used in order for the Agent to use LDAP v2 as a primary logon method.
Servers
  Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
  Example:
  127.0.0.1
  127.0.0.1:456
  somewhereelse.com:8080
  anotherplace.com
  Note: At least one server must be specified for this extension to work.
  Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
  Reg Node: AUI\LDAPauth\Servers:Server
SSL
  Select to connect via SSL.
  Options:
  • Connect without SSL (insecure) (default port #389).
  • Connect via SSL (default port #636) (default setting).
  Reg Node: AUI\LDAPauth:UseSSL
SSL CertDB location
  Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
  Reg Node: AUI\LDAPauth:CertDBPath
User Paths
  Fully qualified path where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree.
  Notes:
  • A value for either Naming Attribute string or at least one value for User Paths must be specified for this extension to work.
  • If using User Paths, do not use Alternate User ID location.
  Reg Node: AUI\LDAPauth:UserPath
Collected links
Naming Attribute string
Alternate User ID location
Advanced (Primary Logon Methods - LDAP - Advanced):
Node path: Primary Logon Methods > LDAP > Advanced
The Advanced LDAP Primary Logon Methods settings control special-case options for enabling
standard LDAP authentication.
Active Directory: Domain name support enabled
  Enables Active Directory domain-name support. End users can specify the domain name (e.g., domainname\username) at primary logon. Alternatively, the administrator can specify a default domain name (see Active Directory: Set domain name) to let end users log on by username alone. If no domain is specified, then the local workstation's domain is used.
  Options:
  • Do not use AD domain names (default)
  • Use AD domain names
  Reg Node: AUI\LDAP:UsingAD
Active Directory: Set domain name
  The Active Directory domain name to use for primary logon if no domain is specified for the username/ID credential (e.g., domainname\username). This setting is used only if Active Directory: Domain name support enabled is set to "Use AD domain names." If domain-name support is enabled and this setting is blank (and the end user does not specify a domain), then the local workstation's domain is used.
  Reg Node: AUI\LDAP:ADDomain
Alternate User ID location
  Indicates where to locate a user object when the user validates against an attribute other than the username.
  Example: If users authenticate with an employee ID number for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set this location to:
  empid=%user,ou=people,dc=computer
  instead of to
  uid=user,ou=people,dc=computer
  Notes:
  • For Novell eDirectory, Alternate User ID location should be: uid=%user, path to the object%.
  • If you use Alternate User ID location, do not use Naming Attribute string or User Paths.
  Reg Node: AUI\LDAP:UserLocation
Authenticator Grade
  Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).
BIND Timeout
  The time (in milliseconds) to time out of the LDAP BIND call (default depends on the operating system).
SSL Fallback
  Fall back to an insecure connection when an SSL connection fails.
  Options:
  • Do not connect if the SSL connection fails (default).
  • Connect without SSL (insecure) if the SSL connection fails.
  Note: If you select SSLFallback and any of the servers listed in Servers includes a port specification, the fallback port must also be specified as an additional Servers entry.
  Example: If the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
  Server1=mycomputer.com:1272 ;My secure SSL Port
  Server2=mycomputer.com:389 ;My fallback port
  Reg Node: AUI\LDAP:SSLFallback
Naming Attribute string
  String to prepend to User Paths. This is required when the domain name for a user is in the form:
  cn=%UserName%,ou=people,dc=computer
  instead of the form:
  namingattribute=%UserName%,ou=people,dc=computer
  (where namingattribute can be any string). If needed, set to cn.
  Notes:
  • This value usually needs to be set to cn for Novell eDirectory.
  • If you use Naming Attribute string, you must use User Paths and not use Alternate User ID location.
Window Title Name
  Use this setting to customize the Window title name for this authenticator.
  Note: This entry is not required.
  Reg Node: AUI\LDAP:WindowTitle
Collected links
User Paths
Authentication tab (for selected application)
Servers
Required (Primary Logon Methods - LDAP - Required):
Node path: Primary Logon Methods > LDAP > Required
The Required LDAP Primary Logon Methods settings are the primary controls for enabling standard
LDAP authentication. These settings must be used in order for the Agent to use LDAP as a primary
logon method.
Servers
  Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified.
  Example:
  127.0.0.1
  127.0.0.1:456
  somewhereelse.com:8080
  anotherplace.com
  Note: At least one server must be specified for this extension to work.
  Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
  Reg Node: AUI\LDAP\Servers:Server
SSL
  Select to connect via SSL.
  Options:
  • Connect without SSL (insecure) (default port #389).
  • Connect via SSL (default port #636) (default setting).
  Reg Node: AUI\LDAP:UseSSL
SSL CertDB location
  Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
  Reg Node: AUI\LDAP:CertDBPath
User Paths
  Fully qualified path where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree.
  Notes:
  • A value for either Naming Attribute string or at least one value for User Paths must be specified for this extension to work.
  • If using User Paths, do not use Alternate User ID location.
  Reg Node: AUI\LDAP:UserPath
Collected links
Naming Attribute string
Alternate User ID location
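The Servers, SSL and SSL Fallback settings of the LDAP and LDAP v2 primary logon methods share one list format and one pitfall: an entry with an explicit port combined with SSL fallback needs a second entry for the fallback port. The following Python parser and checker is an added example for this page, not IBM's code; it opens no connections, and accepting the registry-style "ServerN=host:port ;comment" lines from the SSL Fallback example alongside plain "computer[:port]" lines is an assumption.

```python
"""Parser and settings checker for the LDAP primary logon 'Servers' list
together with the 'SSL' and 'SSL Fallback' settings.

Added example for this page, not IBM's code; it makes no network connection.
Documented rules applied: one "computer[:port]" entry per line, port 636
assumed for SSL and 389 otherwise, and, when SSL fallback is selected, any
server listed with an explicit port needs an additional entry for its
fallback port. Accepting "ServerN=host:port ;comment" lines is an assumption.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

SSL_PORT, PLAIN_PORT = 636, 389
_ENTRY_RE = re.compile(r"^(?:Server\d+=)?([A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


class Server(NamedTuple):
    host: str
    port: Optional[int]  # None: not specified, so the default for the SSL setting applies

    def effective_port(self, use_ssl: bool) -> int:
        if self.port is not None:
            return self.port
        return SSL_PORT if use_ssl else PLAIN_PORT


def parse_servers(text: str) -> List[Server]:
    """Parse the Servers list (one entry per line, tried in the order given)."""
    servers: List[Server] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop a trailing ';comment'
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("bad server entry: %r" % raw)
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError("port out of range: %r" % raw)
        servers.append(Server(m.group(1), port))
    if not servers:
        raise ValueError("at least one server must be specified")
    return servers


def check_servers(servers: List[Server], use_ssl: bool, ssl_fallback: bool) -> List[str]:
    """Findings a reviewer of these settings would want to see (empty list = clean)."""
    findings: List[str] = []
    if not use_ssl:
        targets = ", ".join("%s:%d" % (s.host, s.effective_port(False)) for s in servers)
        findings.append("SSL is off: primary logon credentials are bound in clear text to " + targets)
        return findings
    if not ssl_fallback:
        return findings
    findings.append("SSL fallback is on: a failed SSL connection is retried as an insecure bind")
    # Per host, the set of ports that will be tried; an explicit port needs a partner.
    ports_by_host: Dict[str, Set[int]] = {}
    for s in servers:
        ports_by_host.setdefault(s.host, set()).add(s.effective_port(True))
    for s in servers:
        if s.port is not None and len(ports_by_host[s.host]) < 2:
            findings.append("%s:%d has no additional entry for its fallback port" % (s.host, s.port))
    return findings


if __name__ == "__main__":
    # Constructed from the page's own Servers example (one entry per line).
    example = "127.0.0.1\n127.0.0.1:456\nsomewhereelse.com:8080\nanotherplace.com"
    for finding in check_servers(parse_servers(example), use_ssl=True, ssl_fallback=True):
        print(finding)
```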
Advanced (Primary Logon Methods - Smart Card):
Node path: Primary Logon Methods > Smart Card > Advanced
The Smart Card Primary Logon Methods settings control special-case options for smart card
authentication.
Authentication Grade
  Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).
Passphrase
  Enables the passphrase challenge for additional security. The passphrase can be supplied either by the user entering the passphrase in a dialog box (the default setting), or by the newest non-default encryption certificate on the card itself.
  Note: The default setting requires users to provide a passphrase answer during First Time Use.
  Options:
  • Disable
  • Enable using a dialog box (default)
  • Enable using the card's certificate
  Allow the Reset passphrase to be used (default: 1).
  Options:
  0 Disable
  1 Enable
  Reg Node: AUI\SCauth:ResetEnable
Use the default certificate for authentication
  Use the default logon certificate (provided by the administrator) on the card for authentication. If not enabled (the default), use (and create if necessary) the public/private keys in the SSO container on the card.
  Options:
  • Use SSO-generated keys (default)
  • Use the default logon certificate
  Reg Node: AUI\SCauth:UseCertOnCard
Window Subtitle Name
  Use this setting to customize the Window subtitle name for this authenticator.
  Note: This entry is not required.
Window Title Name
  Use this setting to customize the Window title name for this authenticator.
  Note: This entry is not required.
Whether to store the PIN
  Whether to store the smart card PIN (and thus the Agent may prompt for the PIN), or to let the smart card drivers deal with requesting the PIN.
  Options:
  • Do not store PIN (default)
  • Store PIN
  Reg Node: AUI\SCauth:AuthOptions
Collected links
Authentication tab (for selected application)
Windows (Primary Logon Methods):
Node path: Primary Logon Methods > Windows
The Windows Primary Logon Methods settings control standard Windows authentication.
When user's Windows password changes...
  Require the user to enter the old Windows password when a new one is in use. This setting is disabled by default.
  Options:
  • Do not require the old Windows password (default).
  • Require the old Windows password.
  Reg Node: AUI\WinAuth:PWEnable
Advanced (Primary Logon Methods - Windows):
Node path: Primary Logon Methods > Windows > Advanced
Authenticator Grade
  Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).
Window Subtitle Name
  Use this setting to customize the Window subtitle name for this authenticator.
  Note: This entry is not required.
Window Title Name
  Use this setting to customize the Window title name for this authenticator.
  Note: This entry is not required.
Collected links
Authentication tab (for selected application)
Windows v2 (Primary Logon Methods):
Node path: Primary Logon Methods > Windows v2
The Windows v2 Primary Logon Methods settings are the primary controls for the Windows Authenticator version 2.
Include in "Domain" Password Sharing Group
  Share password changes between the MS Windows authenticator and credentials in the Domain password-sharing group. This setting requires that password sharing be enabled; see Password Groups in the Required Password Change settings.
  Options:
  • Password sharing between this authenticator and group Domain is disabled.
  • Password sharing between this authenticator and group Domain is enabled (default).
  Reg Node: AUI\MSauth:PWSEnable
Reauthentication dialog
  Select which method to use when TAM E-SSO requires the end user to reauthenticate.
  Options:
  • Use TAM E-SSO dialog: reauthenticate using the Agent's own dialog; TAM E-SSO functionality is suspended until authentication is successful (default).
  • Use GINA: reauthenticate using the Windows GINA authenticator dialog; the workstation is locked until authentication is successful.
  Reg Node: AUI\MSauth:AuthOptions
Collected links
Domain
Password Groups
Required Password Change
Advanced (Primary Logon Methods - Windows version 2):
Node path: Primary Logon Methods > Windows v2 > Advanced
The Advanced Windows v2 Primary Logon Methods settings control special-case options for the Windows Authenticator version 2.
Authentication Grade
  Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication in which applications may be assigned a minimum grade that the primary logon method must have in order for the Agent to log on. See Authentication tab (for selected application).
MultiAuth: Require setup for multi-authentication
  Determines whether to require the user to set up this logon method during First Time Use if "MultiAuth" is selected as the primary logon method. This setting is only used for multi-authenticator primary logon.
Passphrase
  Enables the passphrase challenge for additional security. Users must provide a passphrase answer during First Time Use; this is the default setting.
  Options:
  • Disable
  • Enable (default)
  Reg Node: AUI\MSauth:ResetEnable
Passphrase Checkbox Message
  Use this setting to customize the user agreement style dialog checkbox.
  Note: This checkbox must be checked before the dialog can be dismissed. The OK button is disabled until this checkbox is checked.
  (Default: I have read and understand the provisions listed above.)
Passphrase Message
  Use this setting to display a user agreement style dialog where the user must check a checkbox to continue. This is typically used to stress the importance of the passphrase that they enter.
  Note: This message may contain multiple lines, 180 characters maximum. The character sequence "\n" will be replaced with carriage return and newline characters. If this setting is not set, the dialog is skipped.
Passphrase Message Dialog Title
  Use this setting to customize the user agreement style dialog title.
Passphrase Minimum Length
  Default required length of a passphrase. This setting can be overridden by setting the required length for a specific question. Default is 8.
Window Subtitle Name
  Use this setting to customize the Window subtitle name for this authenticator.
  Note: This entry is not required.
Window Title Name
  Use this setting to customize the Window title name for this authenticator.
  Note: This entry is not required.
Collected links
Authentication tab (for selected application)
Security
Common (Security):
Node path: Security > Common
The Common Security setting controls how frequently end users must re-enter their primary logon passwords.
Reauthentication timer
  Time between reauthentication requests (in milliseconds). If set to 4,294,967,295 (0xFFFFFFFF), the time will never expire and the user will never need to reauthenticate, except in forced authentication scenarios.
  Notes:
  • Default value for a client-side installation is 900000 (15 minutes).
  • Default value in a Terminal Services environment is 4,294,967,295 (disabled).
  Reg Node: Extensions\AccessManager:AutoLogin
Advanced (Security):
Node path: Security > Advanced
The Advanced Security settings control end users' access to view their application logon passwords. You can also set the preferred encryption provider and strength.
Allow Password Revealing
  Allow the user to reveal passwords in Wizards and on property pages.
  Options:
  • Do not allow the user to reveal passwords.
  • Allow the user to reveal passwords (default).
  Reg Node: Extensions\AccessManager:AllowReveal
Default encryption
  Select an encryption algorithm and strength.
  Options:
  • Cobra 128-bit
  • Blowfish 448-bit
  • Triple-DES 168-bit
  • AES 256-bit
  • Triple-DES (MS CAPI) (All OSs) (default)
  • Triple-DES (MS CAPI) (XP only)
  • RC-4 (MS CAPI) (All OSs)
  • RC-4 (MS CAPI) (XP only)
  • AES (MS CAPI) (XP only)
  Note: Setting PreferredCSP to an option that is supported only on Windows XP/2003 disables a TAM E-SSO agent running on another operating system.
  Reg Node: CSP:PreferredCSP
Require reauthentication to Reveal passwords
  Require reauthentication if the user selects Reveal or Reveal All in Logon Manager and in dialogs.
  Options:
  • Do not require reauthentication.
  • Require reauthentication (default).
  Reg Node: Extensions\AccessManager:ReauthOnReveal
Synchronization
Node path: Synchronization
The Synchronization settings are the general options for credential synchronization for all synchronizer
extensions. Use these settings to control the following functions and features:
LDAP:
Required (Synchronization - LDAP):
Node path: Synchronization > %LDAP% > Required
The Required LDAP Synchronization settings must be set for all LDAP synchronizer extensions.
Directory Type
  The specific type of directory server. If the directory server is not listed, select "Unspecified LDAP Directory" (the default) for backwards compatibility in upgrade scenarios; otherwise select "Generic LDAP Directory".
  Options:
  • Unspecified LDAP Directory (default)
  • Novell eDirectory
  • Novell NDS
  • Generic LDAP Directory
  • Sun Java System Directory
  • IBM Tivoli Directory Server
  • Oracle Directory Server
  Reg Node: Extensions\SyncManager\Syncs\%LDAP%:DirectoryType
User Paths
    Fully qualified path where the user account is located. There can be unlimited paths to
    search. The extension searches these in order, looking for the user account. If not found,
    the extension will search the directory tree.
    Notes:
    • A value for either Naming Attribute string or at least one value for User Paths must be
      specified for this extension to work.
    • If using User Paths, do not use Alternate User ID location.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UserPath
Extension location
    Path\filename of the LDAP Directory Server synchronizer extension.
    (Default path: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\LDAPEXT\ldapsync.dll)
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:Path
Servers
    Specify the servers and the order to attempt connection for synchronization. Select the
    checkbox and click ... to open the Edit List dialog box. Type one server on each line; end
    each line by pressing Enter. Do not use any other delimiter characters.
    The format is
        computer[:port]
    where computer is the server name or IP, and port is assumed to be the default (636 for SSL,
    389 for no SSL) if not specified.
    Example:
        127.0.0.1
        127.0.0.1:456
        somewhereelse.com:8080
        anotherplace.com
    Notes:
    • At least one server must be specified for the extension to work.
    • If you specify a port, see SSLFallback.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%\Servers:Server
SSL
    Select to connect via SSL.
    Options:
    • Connect without SSL (insecure; default port #389) (default setting).
    • Connect via SSL (default port #636).
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UseSSL
SSL CertDB location
    Path\filename of the cert7.db certificate database file. (Do not change the name of the
    file from cert7.db.)
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:CertDBPath
Advanced (Synchronization - LDAP):
Node path: Synchronization > %LDAP% > Advanced
The Advanced LDAP Synchronization settings control special-case options for all LDAP synchronizer
extensions.
Logon attempts
    Number of times to present the retry dialog to the user (default: 3).
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:RetryLockCount
When SSL fails
    Fall back to an insecure connection when an SSL connection fails.
    Options:
    • Do not connect if the SSL connection fails (default).
    • Connect without SSL (insecure) if the SSL connection fails.
    Note: If you select SSLFallback and any of the servers listed in Servers includes a port
    specification, the fallback port must also be specified as an additional Servers entry.
    Example: If the SSL connection is to mycomputer.com:1272 then an additional entry must point
    to the fallback port, such as:
        Server1=mycomputer.com:1272 ;My secure SSL Port
        Server2=mycomputer.com:389 ;My fallback port
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:SSLFallback
Security Version
    Update the ACI with a new AdminGroup value when this value is higher than SecurityUpgrade.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:SecurityVersion
Admin Group DN
    DN for the Administrative group. This value is placed in the ACI.
    Example: cn=configuration administrators,ou=groups,ou=topologymanagement,o=netscaperoot
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:AdminGroup
Naming Attribute string
    String to prepend to User Paths. This is required when the domain name for a user is in
    the form:
        cn=%UserName%,ou=people,dc=computer
    instead of the form:
        namingattribute=%UserName%,ou=people,dc=computer
    (where namingattribute can be any string). If needed, set to cn.
    Notes:
    • This value usually needs to be set to cn for Novell eDirectory.
    • If you use Naming Attribute string, you must use User Paths and not use Alternate User ID
      location.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UserPrepend
DSAME disabled-account support
    Recognize disabled accounts on Sun Java System Directory Server 5.1/6.0, formerly known as
    iPlanet Directory Server Access Management Edition (DSAME).
    Options:
    • The server is not a Sun Java System Directory Server 5.1 (default).
    • The server is a Sun Java System Directory Server 5.1.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UsingDSAME
Descriptive name
    Logon dialog title, to help differentiate between multiple synchronizer extensions having
    the same name.
    Note: This entry is not required.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:DisplayName
Configuration Objects Base Locations
    Where to begin the search for role/group-enabled configuration objects. The search is from
    the specified location(s) downward. If there are no entries for this setting, the search is
    from the base location.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%\COBaseLocations:Location
BIND Timeout
    The time (in milliseconds) to time out of an LDAP BIND call (default depends on the
    operating system).
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:Timeout
Alternate User ID location
    Indicates where to locate a user object when the user validates against an attribute other
    than the username.
    Example: If users authenticate with an employee ID # for logon (validation against the
    empid attribute) and the user object is in ou=people,dc=computer, then set this location to:
        empid=%user,ou=people,dc=computer
    instead of to
        uid=user,ou=people,dc=computer
    Notes:
    • For Novell eDirectory, Alternate User ID location should be:
        uid=%user,path to the object%.
    • If you use Alternate User ID location, do not use Naming Attribute string or User Paths.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:UserLocation
Prompt when disconnected
    Allow the user to work offline without prompting/notification if a synchronization event
    fails.
    Options:
    • Prompt/notify the user (default).
    • Do not prompt.
    Reg Node: Extensions\SyncManager\Syncs\%LDAP%:AllowOffline
Active Directory:
Required (Synchronization - Active Directory):
Node path: Synchronization > %AD% > Required
The Required Active Directory Synchronization settings must be set for all Active Directory
synchronizer extensions.
Extension location
    Path\filename of the Active Directory synchronizer extension.
    (Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADEXT\adsync.dll)
    Reg Node: Extensions\SyncManager\Syncs\%AD%:Path
SSL
    Connect via SSL.
    Options:
    • Connect without SSL (insecure), default to port #389 (default).
    • Connect via SSL, default to port #636.
    Reg Node: Extensions\SyncManager\Syncs\%AD%:UseSSL
Advanced (Synchronization - Active Directory):
Node path: Synchronization > %AD% > Advanced
The Advanced Active Directory Synchronization settings control special-case options for all Active
Directory synchronizer extensions.
Search for locator and override objects
    Controls how the Agent searches for locator and override objects.
    Options:
    • Search all servers for locator/override.
    • Limit locator/override search to the server root (default).
    Reg Node: Extensions\SyncManager\Syncs\%AD%:StopAtRoot
Configuration Objects Base Locations
    Where to begin the search for role/group-enabled configuration objects. The search is from
    the specified location(s) downward. If no entries, the search is from the base location.
    Reg Node: Extensions\SyncManager\Syncs\%AD%\COBaseLocations:Location
User Paths
    Fully qualified path where the user account is located. There can be unlimited paths to
    search. The extension searches these in order, looking for the user account. If not found,
    the extension will search the directory tree.
    Note: This entry is not required for this extension.
    Reg Node: Extensions\SyncManager\Syncs\%AD%:UserPath
When SSL fails
    Fall back to an insecure connection when an SSL connection fails.
    Note: If SSLFallback=1 and any of Servers includes a port specification, the fallback port
    must also be specified as an additional Servers entry. For example, if the SSL connection is
    to mycomputer.com:1272 then an additional entry must point to the fallback port, for example:
        mycomputer.com:1272 ;My secure SSL Port
        mycomputer.com:389 ;My fallback port
    Options:
    • Do not connect if the SSL connection fails.
    • Connect without SSL (insecure) if the SSL connection fails.
    Reg Node: Extensions\SyncManager\Syncs\%AD%:SSLFallback
Servers
    Specify the servers and the order to attempt connection for synchronization. Select the
    checkbox and click ... to open the Edit List dialog box. Type one server name on each line;
    end each line by pressing Enter. Do not use any other delimiter characters.
    Valid formats are determined by your network's DNS configuration:
        computername[:port]
    or
        [host.]domainname.[tld][:port]
    Examples:
        sales
        sales:389
        ourdomain.net
        sales.ourdomain.net
        sales.ourdomain.net:389
    Notes:
    • If no Servers are entered for the Active Directory extension, and the user account is in
      an Active Directory domain, TAM E-SSO uses AD domain resources to discover the server. If
      one or more Servers are provided, TAM E-SSO uses the Servers list to locate the server.
    • Unless otherwise configured, TAM E-SSO queries the domain name server (DNS) for the name
      of the preferred domain controller assigned to the local subnet.
    • In Active Directory networks with multiple servers, be sure to enable replication in order
      to include the SSO schema extension and related objects. This assures that TAM E-SSO will
      always find SSO information on every server it connects with.
    • Active Directory requires use of computer names (not IP addresses).
    • If specifying a port value, see SSLFallback.
    Reg Node: Extensions\SyncManager\Syncs\%AD%\Servers:Server
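Added example (not code from this IBM page or from the product): a Python checker for the Servers, SSL and SSLFallback rules given above for both the LDAP and the Active Directory extensions, plus the LDAP notes on User Paths, Naming Attribute string and Alternate User ID location. The SyncConfig class, the WARN/ERROR labels and the sample entries are assumptions and constructed data; it reads plain values rather than the registry.

```python
from dataclasses import dataclass, field

# Default ports named on the page: 636 when connecting via SSL, 389 without SSL.
LDAPS_PORT = 636
LDAP_PORT = 389


@dataclass
class SyncConfig:
    """Subset of one LDAP/AD synchronizer's settings (field names follow the Reg Node values).
    This class is an assumption of the example, not a product structure."""
    servers: list                                   # Servers:Server entries, "computer[:port]"
    use_ssl: bool = False                           # UseSSL
    ssl_fallback: bool = False                      # SSLFallback
    user_paths: list = field(default_factory=list)  # UserPath
    naming_attribute: str = ""                      # UserPrepend (LDAP only)
    alt_user_id_location: str = ""                  # UserLocation (LDAP only)


def parse_server(entry):
    """Split 'computer[:port]' into (host, port or None).
    The page's SSLFallback example writes entries as 'mycomputer.com:1272 ;My secure SSL Port',
    so a trailing ';comment' is dropped before parsing."""
    text = entry.split(";", 1)[0].strip()
    host, sep, port = text.rpartition(":")
    if not sep:
        return text, None
    if not host or not port.isdigit():
        raise ValueError(f"malformed server entry: {entry!r}")
    return host, int(port)


def effective_port(port, use_ssl):
    """Page rule: an omitted port means 636 with SSL and 389 without."""
    if port is not None:
        return port
    return LDAPS_PORT if use_ssl else LDAP_PORT


def check_servers(cfg):
    """Apply the Servers/SSLFallback notes; returns WARN/ERROR strings (labels are assumed)."""
    findings = []
    if not cfg.servers:
        return ["ERROR: Servers: at least one server must be specified"]
    parsed = [parse_server(e) for e in cfg.servers]
    by_host = {}
    for host, port in parsed:
        by_host.setdefault(host, []).append(effective_port(port, cfg.use_ssl))
    if cfg.ssl_fallback:
        # Defender's note: fallback means a failed SSL handshake is retried in the clear.
        findings.append("WARN: SSLFallback is enabled; a failed SSL connection is retried without SSL")
        for host, port in parsed:
            # Page rule: an entry with an explicit port needs an additional entry for the
            # fallback port of the same host.
            if port is not None and len(by_host[host]) < 2:
                findings.append(f"ERROR: {host}:{port} has no fallback-port entry for {host}")
    if not cfg.use_ssl:
        findings.append("WARN: UseSSL is off; synchronization traffic is unencrypted (port 389)")
    return findings


def check_user_location(cfg):
    """Mutual-exclusion rules from the LDAP notes on User Paths, Naming Attribute string and
    Alternate User ID location."""
    findings = []
    alt, naming, paths = cfg.alt_user_id_location, cfg.naming_attribute, cfg.user_paths
    if alt and (naming or paths):
        findings.append("ERROR: Alternate User ID location cannot be combined with "
                        "Naming Attribute string or User Paths")
    if naming and not paths:
        findings.append("ERROR: Naming Attribute string requires User Paths")
    if not (alt or naming or paths):
        findings.append("ERROR: specify Naming Attribute string or at least one User Paths entry")
    return findings


def check_config(cfg):
    return check_servers(cfg) + check_user_location(cfg)


def errors(cfg):
    return [f for f in check_config(cfg) if f.startswith("ERROR")]


# Constructed sample: the page's own SSLFallback example plus a consistent LDAP user location.
GOOD = SyncConfig(
    servers=["mycomputer.com:1272 ;My secure SSL Port", "mycomputer.com:389 ;My fallback port"],
    use_ssl=True, ssl_fallback=True,
    user_paths=["ou=people,dc=computer"], naming_attribute="cn")

# Constructed sample: explicit SSL port with no fallback entry, and conflicting user-location settings.
BAD = SyncConfig(
    servers=["mycomputer.com:1272"], use_ssl=True, ssl_fallback=True,
    user_paths=["ou=people,dc=computer"],
    alt_user_id_location="empid=%user,ou=people,dc=computer")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name)
        for finding in check_config(cfg):
            print("  " + finding)
```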
Prepend Domain when naming objects
    Enable/disable prepending of the user's domain to the username in naming the user's
    container. Example: For the domain "passlogix" and user "jamesk", the container is named
    "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
    Note: If you enable Prepend Domain, do not enable Enable Storing Credentials under User
    Object (in the Repository menu). If you do enable credential storage in User Objects, this
    option must be disabled (the default setting). If both options are enabled, no
    synchronization will occur.
    Reg Node: Extensions\SyncManager\Syncs\%AD%:AppendDomain
Logon attempts
    Number of times to present the retry dialog to the user (default: 3).
    Reg Node: Extensions\SyncManager\Syncs\%AD%:RetryLockCount
Credentials to use
    Which credentials to use when authenticating to the Active Directory Server.
    Options:
    • Use local computer credentials only
    • Use Active Directory server account only (recommended that User Paths be set)
    • Try local computer credentials; if it fails, use Active Directory server account (default).
    Reg Node: Extensions\SyncManager\Syncs\%AD%:AuthType
Descriptive name
    Logon dialog title, to help differentiate between multiple synchronizer extensions having
    the same name.
    Note: This entry is not required.
    Reg Node: Extensions\SyncManager\Syncs\%AD%:DisplayName
Prompt when disconnected
    Allow the user to work offline without prompting/notification if a synchronization event
    fails.
    Options:
    • Prompt/notify the user (default).
    • Do not prompt.
    Reg Node: Extensions\SyncManager\Syncs\%AD%:AllowOffline
Location for storing user credentials
    Enables storage of user-credential containers under their respective directory User objects,
    so that no locator object is used. When disabled (the default), credentials are stored as
    specified by the locator object.
    Note: This setting requires updating the directory schema and modifying the directory-root
    security settings. To do this, use the Enable Storing Credentials under User Object command
    on the Repository menu.
    Options:
    • Store user credentials as specified by locator object (default)
    • Store user credentials under respective directory user objects
    Reg Node: Extensions\SyncManager\Syncs\%AD%:LocateInUser
Required (Synchronization - ADAM):
Node path: Synchronization > %ADAM% > Required
The Required ADAM Synchronization settings must be set for all ADAM synchronizer extensions.
Extension location
    Path\filename of the Active Directory synchronizer extension.
    (Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADAMext\ADAMsyncExt.dll)
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%:Path
Servers
    Specify the servers (and ports) and the order to attempt connection for synchronization.
    Select the checkbox and click ... to open the Edit List dialog box. Type one server name on
    each line; end each line by pressing Enter. Do not use any other delimiter characters.
    Valid formats are determined by your network's DNS configuration. Use the port parameter to
    specify a particular instance of ADAM on a target server.
        computername[:port]
    or
        [host.]domainname.[tld][:port]
    Examples:
        sales
        sales:389
        ourdomain.net
        sales.ourdomain.net
        sales.ourdomain.net:389
    Notes:
    • At least one server must be specified for the extension to work.
    • ADAM requires use of computer names (not IP addresses).
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%\Servers:Server
Advanced (Synchronization - ADAM):
Node path: Synchronization > %ADAM% > Advanced
The Advanced ADAM Synchronization settings control special-case options for all Active Directory
synchronizer extensions.
Configuration Objects Base Locations
    Where to begin the search for role/group-enabled configuration objects. The search is from
    the specified location(s) downward. If no entries, the search is from the base location.
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%\COBaseLocations:Location
Credentials to use
    Which credentials to use when authenticating to the ADAM server.
    Options:
    • Connect to ADAM with current user name
    • Use ADAM server account only
    • Try local computer credentials; if it fails, use ADAM server account (default)
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%:AuthType
Descriptive Name
    Logon dialog title, to help differentiate between multiple synchronizer extensions having
    the same name.
    Note: This entry is not required.
Prepend Domain when naming objects
    Enables prepending of the user's domain to the username in naming the user's container.
    Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with
    this flag disabled and "passlogix.jamesk" with this flag enabled.
    Options:
    • Disable (default)
    • Enable
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%:AppendDomain
Prompt when disconnected
    Allow the user to work offline without prompting/notification if a synchronization event
    fails.
    Options:
    • Prompt/notify the user (default).
    • Do not prompt.
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%:AllowOffline
User domain name to use
    Domain name to use in the container name (e.g., "DomainName.UserName") when Prepend Domain
    when naming objects is enabled. The user can specify another domain in the login dialog.
    Example: If User domain is "MyDomain" (with Prepend Domain enabled) and the user logs on as
    "jamesk", the container name used is MyDomain.jamesk. If the user logs on as
    "AltDomain\jamesk", the container name used is AltDomain.jamesk.
    Reg Node: Extensions\SyncManager\Syncs\%ADAM%:UserDomain
File System:
Required (Synchronization - File System):
Node path: Synchronization > %File% > Required
The Required File System Synchronization settings must be set for all file system synchronizer
extensions.
Extension location
    Path\filename of the File System synchronizer extension.
    (Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\FileSyncExt\filesync.dll)
    Reg Node: Extensions\SyncManager\Syncs\%File%:Path
Server
    This is a list of UNC paths to try for synchronization. At least one server must be
    specified for this extension to work.
    Examples:
        \\FS1\Users
        \FS2\Extras
        D:\Backup
    Notes:
    • The File System extension requires use of proper UNC paths.
    • As of TAM E-SSO 4.0, only one path is supported.
    Reg Node: Extensions\SyncManager\Syncs\%File%\Servers:Server1
Advanced (Synchronization - File System):
Node path: Synchronization > %File% > Advanced
The Advanced File System Synchronization settings control special-case options for all file-system
synchronizer extensions.
Descriptive name
    Logon dialog title, to help differentiate between multiple synchronizer extensions having
    the same name.
    Note: This entry is not required.
    Reg Node: Extensions\SyncManager\Syncs\%File%:DisplayName
Logon attempts
    Number of times to present the retry dialog to the user (default: 3).
    Reg Node: Extensions\SyncManager\Syncs\%File%:RetryLockCount
Prompt when disconnected
    Allow the user to work offline without prompting/notification if a synchronization event
    fails.
    Options:
    • Prompt/notify the user (default).
    • Do not prompt.
    Reg Node: Extensions\SyncManager\Syncs\%File%:AllowOffline
Prepend Domain when naming user folders
    Enable/disable prepending of the user's domain to the username in naming the user's
    container. Example: For the domain "passlogix" and user "jamesk", the container is named
    "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
    Reg Node: Extensions\SyncManager\Syncs\%File%:AppendDomain
Database:
Required (Synchronization - Database):
Node path: Synchronization > %DB% > Required
The Required Database Synchronization settings must be set for all database synchronizer extensions.
Extension location
    Path\filename of the database synchronizer extension.
    (Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\DBEXT\DBExt.dll)
    Reg Node: Extensions\SyncManager\Syncs\%DB%:Path
Servers
    Specify the database servers and the order to attempt connection for synchronization.
    Select the checkbox and click ... to open the Edit List dialog box. Type the full connection
    address (computerName.dbServerName) for one database server on each line; end each line by
    pressing Enter. Do not use any other delimiter characters.
    Note: At least one server must be specified for the extension to work.
    Reg Node: Extensions\SyncManager\Syncs\%DB%\Servers:Server
Note for SQL Server: To connect to a SQL Server that is hosting multiple instances, use the following
connection string (with no manual line break):
    Provider=SQLOLEDB; Data Source="ServerName\Instance"; Initial Catalog="DatabaseName"; Trusted_Connection=Yes
Advanced (Synchronization - Database):
Node path: Synchronization > %DB% > Advanced
The Advanced Database Synchronization settings control special-case options for all database
synchronizer extensions.
Append Domain when naming objects
    Enables appending of the user's domain to the username in naming the user's container.
    Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with
    this flag disabled and "jamesk.passlogix" with this flag enabled. (default: 0)
    Options:
    • Disable
    • Enable
    Reg Node: Extensions\SyncManager\Syncs\%DB%:AppendDomain
Repository
Displays and provides connection to a synchronization repository.
• Click Repository in the left pane to display the current SSO synchronization repository.
Or, if no connection is active:
• Right-click Repository in the left pane and choose Connect to... from the shortcut menu.
Connect to Repository
Connects Administrative Console to a synchronization repository.
Configure SSO Support
Use the Configure SSO Support wizard to deploy Administrative Overrides and application
configurations to end users using file-system, database or directory-service synchronizers. The objects you
can export include:
• one or more application logons
• a first-time use (bulk-add) object
• a set of Global Agent Settings
The Configure SSO Support wizard helps you export the overrides, from current Console settings or
from one or more data files, to a selected synchronizer container object.
See Synchronization for more information.
Configure SSO Support (from Console)
Use this wizard page to export an Agent configuration to a selected synchronizer container using the
current Console settings as the source. You can export:
• one or more application logons
• a first-time use (bulk-add) object
• a set of Global Agent Settings
Configure SSO Support from Data File
Use this wizard page to export an Agent configuration to a selected synchronizer container using one or
more data files as the source. You can export:
• one or more application logons
• a first-time use (bulk-add) object
• a set of Global Agent Settings (from an .ini or .reg file)
Add Locator Object
Use the Add Locator Object dialog to create a locator, a directory object that points the Agent to the
container in which user credentials are (or can be) stored. You can create a default locator for all end
users or a locator for a specific end user.
See Directory Servers: Create Locator Objects for more information.
Chapter 4. SSO Administrative Console Reference Topics
Global Agent Settings
Setting Registry Settings and Admin Overrides
Overriding Settings
Configuring Host Emulators
Telnet Support
Attachmate EXTRA!
G&R Glink
Hummingbird HostExplorer
IBM Client Access
IBM Client Access Express
IBM Host On-Demand
In Microsoft Internet Explorer
In Host On-Demand
IBM Personal Communications
NetManage Rumba
NetManage ViewNow
Scanpak Aviva for Desktops
WRQ Reflection
Command-Line Options
Configuring the Windows Event Logging Server
Windows Event Logging extension
Directory Server Schema Definition
SSOSecret
SSOUserData Object
SSOConfig Object
SSOLocatorClass
entlist.ini Keys
Root Keys
Application Type Section Keys
Windows Application Keys
Windows Application Keys for Section N subsection
Windows Application Keys for Match N subsection
Host/Mainframe Application Keys
Host Application Keys for Page N subsection
Web Application Keys
Web Application Keys for Section N subsection
Password Policy Keys
Error Loop
ftulist.ini Keys
Root Keys
Password Windows Section Keys
My Logons Section Keys
Bulk Add Logon Section Keys
MSI Package Contents
Pre-configured Applications and Templates
Troubleshooting
Installation
Authenticators
Synchronizer Extensions
Uninstall
Agent Performance
156 Introduction
![Page 161: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/161.jpg)
Application Response
Authentication
Reauthentication.
Application Configuration
All Applications
Windows Applications
Web Applications
Host Applications
Password Sharing Groups
Synchronizer Extensions
Directory Extensions
File System Server
Event Logging
Pre-configured Applications and Templates
Preconfigured logons for Windows and Web applications are provided in Console templates.
Configurations for common network/web pop-up logons and for online service logons are stored in the
configuration file applist.ini, which is located in the installation directory.
Note: Predefined application logons that had been stored in applist.ini on the client in previous
TAM E-SSO versions are now stored as templates in the Administrative Console. See
Compatibility with Previous Product Versions for more information.
The following applications are included in TAM E-SSO, either as Templates with the Administrative
Console or in applist.ini.
The following applications are configured to work, but need to be added to user configurations. Some of
these require customization to meet your environment (e.g., specifying internal URLs or application
Window Titles).
Application: Logon Forms
Microsoft Word
    • Microsoft Word Logon
    • Microsoft Word 2000 Logon
    • Microsoft Word 2003 Logon
MS Dial-Up Networking
    • MS Dial-Up Networking Logon (admin supplies WindowTitle)
Netscape Mail
    • Netscape Mail Logon
    • Netscape Mail 7.1 Logon
PKZIP
    • PKZIP Logon
    • PKZIP v8 Logon
Siebel Sales
    • Siebel Sales Logon
    • Siebel Sales Change Password
Adobe Acrobat Reader
    • Adobe Acrobat Unlock
ICQ
    • ICQ Logon - Registration
    • ICQ Logon
Meeting Maker
    • MM 7.3 Logon
    • MM 5.5.2 Logon
    • MM 8.0 Logon
WinZip
    • WinZip Set Password Confirm
    • WinZip Set/Use Password
    • WinZip 9.0 Decrypt File(s) Password
Yahoo! Messenger
    • Yahoo! Messenger Logon
Oracle
    • Oracle Logon
    • Oracle 10g SQL*Plus Logon
MS SQL
    • MS SQL Logon
Chapter 4. SSO Administrative Console Reference Topics 159
![Page 164: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/164.jpg)
Novell GroupWise v Novell GroupWise Logon
v Novell GroupWise 6.5 Logon
Microsoft FrontPage v Microsoft FrontPage Logon
Visual SourceSafe v VSS Logon
v VSS Change Password
OpenNetwork Directory Smart v OpenNetwork Directory Smart Logon (admin supplies
URL)
Oblix NetPoint v Oblix NetPoint Logon (admin supplies URL)
Citrix ICA Client/Program Neighborhood (2-field) v CICA2 Logon (admin supplies WindowTitle)
Citrix NFuse Classic (2-field) v CNFC2 Logon (admin supplies URL)
Act v Act Logon (admin supplies WindowTitle)
v Act Set Password
QuickBooks Pro v QBP Change Password
v QBP Logon
QuickBooks Pro (Password-Only) v QBPPO Change Password
v QBPPO Logon
Lotus Organizer v Lotus Organizer Logon (admin supplies WindowTitle)
Citrix Program Neighborhood Agent (3-field) v CPN3 Logon
GoldMine v GoldMine Logon
v GoldMine Clhange Password
Citrix NFuse Classic (3-field) v CNFC3 Logon (admin supplies URL)
Citrix Program Neighborhood Agent (2-field) v CPN2 Logon
Citrix ICA Client/Program Neighborhood (3-field) v CICA3 Logon (admin supplies WindowTitle)
AIM v AIM Logon
Eudora v Eudora Logon
v Eudora Change
v Eudora Confirm
Lotus Notes v Lotus Notes
Microsoft Outlook v Logon
v Change Password
Microsoft Outlook 2003 v Logon
v Change Password
MSN Messenger v MSN Messenger Logon
Windows Logon v WL MPR Logon
v WL MPR Change Password
v WL WinLogon Logon
v WL WinLogon Change Password
ICQ 4.0 v ICQ 4.0 Logon (Password Only)
Online Services
v AOL
v Compuserve
v Earthlink
v MSN
v Prodigy
v ATT WorldNet
Internet Explorer logons
Directory Server Schema Definition
The following are Directory Server Container and Class Objects, their rights, and their attributes.
Configuring Host Emulators to Enable HLLAPI Short Session Names
TAM E-SSO provides single sign-on functionality for the following host/terminal emulators using built-in
HLLAPI support (high-level language application programming interface). The topics listed here outline
how to enable HLLAPI support in each emulator.
v Telnet Support
v Attachmate Extra! / myExtra! / Xtra! X-Treme
v Ericom PowerTerm
v G&R Glink
v Hummingbird HostExplorer
v IBM Client Access
v IBM Client Access Express
v IBM Host on-Demand
v IBM Personal Communications
v NetManage Rumba
v NetManage ViewNow / Chameleon Hostlink 97
v Novell LAN Workplace
v Scanpak Aviva for Desktops
v WRQ Reflection
v Zephyr PC to Host
v Zephyr Web to Host
Note: For emulators that do not implement HLLAPI support, you can configure a host/mainframe
application as a Windows application (to detect the form by its window title) and use SendKeys (to
supply user credentials). See Adding Windows Applications: Special Issues for more information.
Adding Windows Applications: Special Issues
Attachmate EXTRA! / myExtra!
TAM E-SSO supports Attachmate EXTRA! 6.3/6.4/6.5/2000 and myExtra! 7.0,7.1. To set up each session
of Attachmate EXTRA! 6.3, 6.4, 6.5, 2000, myExtra!, and Extra! X-treme to work with TAM E-SSO :
1. Open the session.
2. Select Global Preferences from the Options menu.
3. Select Advanced, select the Short name (for example, A), select Browse, select the session document,
and click OK.
Notes:
v This setting needs to be saved with each session configuration file.
v Background processes sometimes remain running after a mainframe or host session has ended. This
may disrupt the Auto-Logon process and prevent the session from restarting.
G&R Glink
TAM E-SSO supports G&R Glink. To set up G&R Glink to work with TAM E-SSO:
Configure short names in the glHLLAPI.ini file, which is found in the GLWin\WHLLAPI directory
within the G&R Glink installation path. This file must be copied to the user’s %WinDir% directory to
take effect. It is recommended that the default values be left as they are, except for those values that
refer to the short names, which take the form of:
[A]
Name=HLLAPI long name
Config=config file name
where ’A’ represents the short name.
Ericom PowerTerm
TAM E-SSO supports the following versions of Ericom PowerTerm:
v PowerTerm InterConnect (see Note below)
v PowerTerm Plus (see Note below)
v PowerTerm Lite (see Note below)
v PowerTerm Pro
v PowerTerm Pro Enterprise
To set up Ericom PowerTerm to work with TAM E-SSO:
Hummingbird HostExplorer
TAM E-SSO supports Hummingbird HostExplorer. To set up Hummingbird HostExplorer 8.0/9.0/10.0 to
work with TAM E-SSO:
1. Select API Settings from the Options menu.
2. Under HLLAPI Options, select Update screen after PS update.
3. Under EHLLAPI Compatibility, select Attachmate
4. Click OK.
IBM Client Access
TAM E-SSO supports IBM Client Access. No steps are necessary to set up IBM Client Access to work
with TAM E-SSO.
IBM Client Access Express
TAM E-SSO supports IBM Client Access Express. No steps are necessary to set up IBM Client Access
Express to work with TAM E-SSO.
IBM Host On-Demand
TAM E-SSO supports IBM Host On-Demand 4/5. TAM E-SSO support for IBM Host On-Demand is
tested with Microsoft Windows XP/2000/2003 and Microsoft Internet Explorer 5.5 (SP2) and the updated
JVM (Java Virtual Machine). If Microsoft Internet Explorer 5.x is installed, the JVM should not have to
be updated.
Note: One issue with these methods is that clients may not be able to save configured sessions, and
entering the auto-start name each time a session is used is quite tedious. Alternatively, administrators
can replicate the existing sessions that are available to the client, and HLLAPI-enable these sessions as
explained below. Clients can then be offered both standard and HLLAPI-enabled sessions.
To set up IBM Host On-Demand 4 to work with TAM E-SSO:
In Microsoft Internet Explorer
1. Start Microsoft Internet Explorer.
2. Go to http://www-4.ibm.com/software/webservers/hostondemand/downloads.html and download
the Host On-Demand EHLLAPI Bridge Download for the particular version of IBM Host On-Demand.
3. Unzip the downloaded file to the TAM E-SSO installation directory (default: %ProgramFiles%\Passlogix\v-GO SSO).
4. Select Internet Options from the Tools menu.
5. Select the Advanced tab.
6. Under Microsoft VM, select Java console enabled (requires restart).
7. Click Apply, then OK. If needed, exit Microsoft Internet Explorer.
8. Restart the computer.
In Host On-Demand
1. Configure each individual session to run the HLLAPI enabler through the Host On-Demand applet.
2. Select Properties from the menu.
3. Select the Advanced tab.
4. Select Applet from the Auto-Start drop-down list box.
5. Type com.ibm.eNetwork.hllbridge.HLLAPIEnabler in the Auto-Start Name text box.
6. Alternatively, the administrator may run this applet after the session has been started by selecting
Assist then Run applet.
IBM Personal Communications
TAM E-SSO supports IBM Personal Communications 4.3. To set up IBM Personal Communications 4.3 to
work with TAM E-SSO:
NetManage Rumba
TAM E-SSO supports NetManage Rumba 2000 (formerly WallData Rumba 6.0). To set up NetManage
Rumba 2000 to work with TAM E-SSO:
NetManage ViewNow / Chameleon Hostlink 97
TAM E-SSO supports NetManage ViewNow 1.0.5 and Chameleon Hostlink 97. To set up NetManage
ViewNow 1.0.5 to work with TAM E-SSO:
1. Open the Host Access Manager.
2. Select Workspace, then New. Select 3270 Display, 5250 Display, or Telnet from the menu to start a
new session of the specified type.
3. Select Object, then Properties from the menu.
4. Select the Session tab and set the Short name to Any.
5. Select the Advanced tab and set Host graphics display type to PS Graphics, and verify that no
HLLAPI Options are selected.
6. Click OK.
Novell LAN Workplace
In order to enable TAM E-SSO support for Novell LAN Workplace Pro 5.2, the complete and exact path
to the emulator must be specified in the Agent's host/mainframe-configuration file, MfrmList.ini. The
default path in the mainframe configuration is:
c:\Program Files\Novell\LAN Workplace Pro 5.2\Terminals\Bin
If the Novell LAN Workplace emulator is installed in any other directory or on any other drive, you must
modify this default path in MfrmList.ini. This file can only be edited using the Administrative Console.
1. On the Tools menu, point to Modify Configuration, then click MfrmList.
2. In the INI editor, select Novell LAN Workplace Pro 5.2 from the Section dropdown list.
3. For ValueName= edit the path to the emulator as needed.
4. Click Save (click OK to restart the Agent if prompted), then Close.
Scanpak Aviva for Desktops
TAM E-SSO supports Scanpak Aviva for Desktops (formerly Eicon Aviva). To set up Scanpak Aviva for
Desktops to work with TAM E-SSO:
WRQ Reflection
TAM E-SSO supports WRQ Reflection 7/8/9/10. To set up WRQ Reflection 8 to work with TAM E-SSO:
Zephyr PC to Host
TAM E-SSO supports Zephyr PC to Host. To set up Passport to work with TAM E-SSO:
Zephyr Web to Host
TAM E-SSO supports Passport Web to Host. No steps are necessary to set up Web to Host to work with
TAM E-SSO.
Command-Line Options
TAM E-SSO can be invoked from the command line to perform certain tasks.
Note: Items in [brackets] are optional in this section only.
Task | Use / Description

Backup
ssoshell.exe /mobility /backup [path] /silent [confirm]
[path]: The actual path to the directory where the backup file is placed. (Default: the last directory a
command line backup file was stored in, or where Shell:AutoBackupPath points.)
/silent: Do not show the Backup/Restore Wizard when performing the backup.
[confirm]: Show all dialog boxes. When doing a silent backup where the confirm switch is not present,
the user will not see the Yes/No dialog and the agent will default to Yes. (Example of a confirm dialog:
"Overwrite backup file?")

Logon Manager
ssoshell.exe
Show Logon Manager.

No FTU
ssoshell.exe /background /noftu
Prevents the agent from starting twice when logging on to the computer. This should be enabled in the
Userinit registry key, which is located in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
The /noftu command should be preceded by the /background command, as follows:
"c:\winnt\system32\userinit.exe,C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background /noftu"
Using /noftu ensures that the agent does not run for users who do not have it in their Windows Startup
folder. This allows the administrator to roll out TAM E-SSO to only specific (not all) users of a particular
computer.
Note: This command applies only to Microsoft Windows 2000/XP.

Options
ssoshell.exe /options
Show the Settings property page.

Restore
ssoshell.exe /mobility /restore [path] /silent [confirm]
[path]: The actual path to the directory where the backup file exists. (Default: the last directory a
command line backup file was stored in, or where Shell:AutoBackupPath points.)
/silent: Do not show the Backup/Restore Wizard when performing the backup.
[confirm]: Show all dialog boxes. When doing a silent backup and the confirm switch is not present,
the user will not see the Yes/No dialog and the agent will default to Yes. (Example of a confirm dialog:
"Backup file has been restored")
Notes: The restore password submitted by default is the Windows password. The Restore command is
executed with a Startup task (see Shell\Tasks:StartupTaskN).

Setup
ssoshell.exe /setupmgr
Show the Setup Wizard.

Shutdown
ssoshell.exe /shutdown

Startup
ssoshell.exe /background

Synchronize
ssoshell.exe /syncmgr /sync
Execute synchronization with the first synchronizer in the Sync Order list (see Synchronization in Global
Agent Settings); displays a logon to connect to the first-listed synchronizer.
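The Userinit requirement above (the agent entry must carry /background before /noftu, and Userinit should contain nothing the administrator did not put there) can be audited offline. This is an added example, not code from the IBM documentation; the Userinit strings are constructed, and on a real host the value would be read from the Winlogon key with winreg.

```python
"""Audit a Winlogon Userinit value for the TAM E-SSO /background /noftu entry.

Added example, not from the IBM documentation. Userinit is a comma-separated
list of programs Winlogon starts at logon. The text above requires the agent
entry to be "ssoshell.exe /background /noftu" with /background first. This
checks that ordering and flags any program other than userinit.exe and
ssoshell.exe, since Userinit is a well-known persistence location that should
contain only the programs the administrator put there. Sample values are
constructed; on a real host read the value from
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon with winreg.
"""

# Programs the documented Userinit value is expected to contain.
EXPECTED_PROGRAMS = ("userinit.exe", "ssoshell.exe")

# Constructed Userinit value in the documented form.
SAMPLE_USERINIT = (r"c:\winnt\system32\userinit.exe,"
                   r"C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background /noftu")


def split_entry(entry: str):
    """Split 'path\\prog.exe /a /b' into ('prog.exe', ['/a', '/b']).

    Paths may contain spaces, so the program ends at the first '.exe'
    rather than at the first space.
    """
    entry = entry.strip()
    idx = entry.lower().find(".exe")
    if idx < 0:
        return entry.lower(), []
    program_path = entry[: idx + 4]
    args = [a.lower() for a in entry[idx + 4:].split()]
    program = program_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return program, args


def check_userinit(value: str):
    """Return findings for a Userinit value; an empty list means it is as documented."""
    findings = []
    saw_agent = False
    for raw in value.split(","):
        if not raw.strip():
            continue
        program, args = split_entry(raw)
        if program not in EXPECTED_PROGRAMS:
            findings.append(f"unexpected Userinit entry: {raw.strip()}")
            continue
        if program == "ssoshell.exe":
            saw_agent = True
            if "/noftu" in args:
                if "/background" not in args:
                    findings.append("/noftu given without /background")
                elif args.index("/background") > args.index("/noftu"):
                    findings.append("/background must precede /noftu")
    if not saw_agent:
        findings.append("no ssoshell.exe entry in Userinit")
    return findings


if __name__ == "__main__":
    for finding in check_userinit(SAMPLE_USERINIT) or ["Userinit is as documented"]:
        print(finding)
```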
Smartcard Monitor Utility (ssoSCDetect.exe)
The utility program ssoSCDetect monitors a workstation's smartcard reader, making it possible to use
the workstation as a multiple-user "kiosk" that can access and synchronize the remote SSO credential
store of any user authenticated by a smartcard.
When a user inserts a card into the reader, the ssoSCDetect utility starts the Agent and prompts for the
user’s primary logon credentials. It then synchronizes the user’s credentials with the remote repository.
When the user logs out of the workstation (e.g., by removing the card from the reader), ssoSCDetect
shuts down the Agent.
To run the utility, copy the executable file ssoSCDetect.exe from the Utilities directory of the TAM E-SSO
CD to the TAM E-SSO installation directory (%ProgramFiles%/Passlogix/v-GO SSO), then launch the
program.
Recommended global agent settings for SSO kiosk operation
For best performance and security, the following global agent settings should be applied to the TAM
E-SSO agent running on a workstation configured as a kiosk:
User Paths (Active Directory only): For best performance, specify one or more fully-qualified paths to
begin searching for user accounts. See the Advanced options, under Synchronization\Active Directory.
Configuring the Windows Event Logging Server
Error Loop Quick Reference
This section serves as a quick-reference to the basic Error Loop settings. Note: Configure these settings
in the Administrative Console. The table is provided only for reference.
The settings are inherited downward from Global to Application Type to Application. More-specific
settings override more-general ones (Application overrides Application Type, which overrides Global). Note:
For security settings (for example, MaskPW), the most-secure setting is used, regardless of whether it is set
Globally, for an Application Type, or for an Application.
Place the application-type settings in the entlist.ini [*Root] section.
Example
[*Root]
AppsTimeout=8
WebMaxRetry=3
Place the Application settings in the specific application’s entlist.ini section.
Example
[Payroll]
WindowTitle1=Payroll
MaxRetry=3
Timeout=30
IDCtrl=203
...
Purpose | Parameter: Global (Registry, Extensions\AccessManager\Dlg) | Parameter: Application Type ([*Root]), Windows | Parameter: Application Type ([*Root]), Web | Parameter: Application Type ([*Root]), Host/Mainframe | Parameter: Application | Default
Max # of retries (after first try) before Error Loop dialog appears | MaxRetry | AppsMaxRetry | WebMaxRetry | MainframeMaxRetry | MaxRetry | 1
Max time between successive logon attempts before Error Loop dialog appears | Timeout | AppsTimeout | WebTimeout | MainframeTimeout | Timeout | 30
Setting to indicate whether to hide the password confirmation field in the Error Loop dialog | HideConfirmPW | AppsHideConfirmPW | WebHideConfirmPW | MainframeHideConfirmPW | HideConfirmPW | 0 (do not hide)
Setting to indicate whether to mask the password in the Error Loop dialog | MaskPW | AppsMaskPW | WebMaskPW | MainframeMaskPW | MaskPW | 1 (mask)
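The inheritance rule in this quick reference (Application overrides Application Type overrides Global, except that the most-secure value wins for MaskPW and HideConfirmPW) is worth working through for a concrete entlist.ini. The following is an added example, not code from the IBM documentation; the registry values and the entlist.ini content (built from the two examples above plus a constructed web logon) are assumptions.

```python
r"""Resolve the effective Error Loop settings for one TAM E-SSO logon.

Added example, not part of the IBM documentation. It models the inheritance
described above: Global values (registry, Extensions\AccessManager\Dlg) are
overridden by the Application Type keys in the entlist.ini [*Root] section,
which are overridden by keys in the application's own entlist.ini section.
For the security settings MaskPW and HideConfirmPW the most secure value
wins no matter which level set it. Registry values and entlist.ini content
are constructed for the example.
"""
import configparser

# Application Type keys carry a prefix that depends on the application type.
TYPE_PREFIX = {"windows": "Apps", "web": "Web", "mainframe": "Mainframe"}
# Documented defaults when no level sets the key.
DEFAULTS = {"MaxRetry": 1, "Timeout": 30, "HideConfirmPW": 0, "MaskPW": 1}
# For these keys 1 (mask / hide) is the more secure value.
SECURITY_KEYS = {"HideConfirmPW", "MaskPW"}

# Constructed stand-in for the registry values under Extensions\AccessManager\Dlg.
GLOBAL_REGISTRY = {"Timeout": 45, "MaskPW": 1}

# Constructed entlist.ini built from the two examples in the text, plus a
# web logon that tries to turn password masking off.
ENTLIST_INI = """
[*Root]
AppsTimeout=8
WebMaxRetry=3
WebHideConfirmPW=1

[Payroll]
WindowTitle1=Payroll
MaxRetry=3
Timeout=30
IDCtrl=203
HideConfirmPW=0

[Corporate Intranet]
URL=https://intranet.example.invalid/login
MaskPW=0
"""


def load_entlist(text: str) -> configparser.ConfigParser:
    """Parse entlist.ini text, keeping key names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def resolve(key, app_section, app_type, entlist, registry=GLOBAL_REGISTRY):
    """Return (effective value, level that supplied it) for one Error Loop key."""
    levels = [(DEFAULTS[key], "Default")]
    if key in registry:
        levels.append((int(registry[key]), "Global"))
    type_key = TYPE_PREFIX[app_type] + key
    if entlist.has_option("*Root", type_key):
        levels.append((entlist.getint("*Root", type_key), "Application Type"))
    if entlist.has_option(app_section, key):
        levels.append((entlist.getint(app_section, key), "Application"))
    if key in SECURITY_KEYS:
        # Most-secure wins: the highest value (1) found at any level is used.
        return max(levels, key=lambda level: level[0])
    # Otherwise the most specific level that set the key wins.
    return levels[-1]


def effective_settings(app_section, app_type, entlist, registry=GLOBAL_REGISTRY):
    """Effective value and source level for every Error Loop key of one logon."""
    return {k: resolve(k, app_section, app_type, entlist, registry) for k in DEFAULTS}


if __name__ == "__main__":
    cfg = load_entlist(ENTLIST_INI)
    for app, kind in (("Payroll", "windows"), ("Corporate Intranet", "web")):
        print(app)
        for key, (value, level) in effective_settings(app, kind, cfg).items():
            print(f"  {key:<14} {value:<3} (from {level})")
```

Note that [Corporate Intranet] sets MaskPW=0 but the resolved value stays 1, because the most-secure rule overrides the usual precedence.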
MSI Package Contents
This section documents the basic contents of each package feature. The Display Name and Description
are as in the Custom display of the Installer. For the exact feature details, review the package.
Note: Any ″child″ package requires all parent packages. For example, LDAP_Sync requires SyncMgr.
Note: Required features are in bold. In addition, at least one authenticator must be installed, though it
need not be one of the shipped authenticators. All other features are optional; however, IBM
recommends installation of the InternetExplorer component.
Display Name | Description | Feature Name
Application | Required files and settings | Core
Authenticators | SSO authentication support | Authenticators
Windows Domain | The Microsoft Windows Authenticator | SLA
LDAP Authenticator | The LDAP Authenticator | LDAP
Windows Authenticator v2 | The Microsoft Windows Authenticator version 2 | MSauth
GINA authenticator | Passlogix GINA (required with Windows Authenticator v2) | SSOGina
LDAP Authenticator v2 | The LDAP Authenticator version 2 | LDAPauth
Authentication Manager | Multiple authentication support (AM only) | MultiAuth
Smart Card | Smart Card (MS CAPI-compliant) authenticator (AM only) | SCAuth
Entrust | Entrust PKI authentication support (AM only) | Entrust
SecurID | RSA PKI authentication support (AM only) | SecurID
SecureTec | I/O Software PKI authentication support (AM only) | STAuth
Extensions | SSO Plug-ins | Extensions
Setup Manager | Plug-in for initial SSO experience setup | SetupMgr
Logon Manager | Plug-in for logon/credential request events | LogonMgr
Internet Explorer Helper | Internet Explorer credential request integration | InternetExplorer
Mainframe Emulator Helper | Mainframe session credential request emulator integration | MainframeEmulators
DOS Helper | Console window support (for mainframe emulators) | DOSHelper
Java Helper | Java virtual machine session credential request integration | JavaHelper
SSO Terminal Services Support | SSO Terminal Services Support | vGOwts
Backup/Restore Manager | Plug-in for backup/restore of SSO credentials and settings | BackupMgr
Synchronization Manager | Plug-in for synchronization of credentials and settings to/from additional data sources | SyncMgr
Active Directory Synchronizer | Active Directory synchronization support | AD_Sync
ADAM Synchronizer | Active Directory/Application Mode synchronization support | ADAM_Sync
LDAP Synchronizer | LDAP directory synchronization support | LDAP_Sync
DB Synchronizer | SQL relational database synchronization support | DB _Sync
File System Synchronizer | File System synchronization support | File_Sync
Event Manager | Plug in for Event Manager | EventMgr
XML | Plug in for the Local File Extension | LocalFileExt
Windows Event Extension | Plug in for the Windows Event Extension | WindowsEventExt
Languages | Localized language support files | Languages
English | English | English_Pack
ftulist.ini Keys
ftulist.ini determines special actions the agent will take the first time a user starts it. The file can exist as
a local file or as a directory-server or database object. If it is deployed using synchronization, ftulist.ini is
placed in the %AppData/Passlogix% directory.
Note: All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and
edited using the Administrative Console. The information in the topics listed below is provided only for
reference.
The tables in the following topics list the keys and acceptable values for each section of ftulist.ini :
v Root Keys for ftulist.ini
v Password Windows Section Keys
v My Logons Section Keys
v Bulk Add Logon Section Keys
Root Keys
These settings are used strictly within the [FTU] section and are required.
Example
[FTU]
Ver=20020523
Step1=Password Windows
Step2=My Logons
First-Time Use Keys | Description | Acceptable values

Ver = %s
Description: Required. String of the date of the last ftulist.ini file. If the value of this key is higher
(newer) than the decimal value in the user's registry (in HKCU\&\Extensions\SetupManager:Completed),
then the user will see the bulk add list the next time the user starts up the agent. Example: 20020523
Acceptable values: %s = string representing the decimal equivalent of a date in yyyymmdd
(year-month-date) format, as in 20020523 for May 23, 2002.

Step1 = %s
Description: Required, do not alter. Calls the section that launches Primary Logon Method. This module
forces the user to select an authenticator.
Acceptable values: %s = "Password Windows"

Step2 = %s
Description: Required, do not alter. Calls the section that launches Access Manager. This module enables
bulk adding of credentials.
Acceptable values: %s = "My Logons"
Password Windows Section Keys
These settings are required and used strictly within the [Password Windows] section.
Example
[Password Windows]
ExtensionName=<core>
Action1=Password Window
First-Time Use Keys | Description | Acceptable values

ExtensionName = %s
Description: Required, do not alter. Internal name of the extension module.
Acceptable values: %s = "<core>"

Action1 = %s
Description: Required, do not alter. Launches Primary Logon Method. This module forces the user to
select an authenticator.
Acceptable values: %s = "Password Window"
My Logons Section Keys

These settings are required and used strictly within the [My Logons] section.

Example

[My Logons]
ExtensionName=AccessManager
Section1=Corporate Win App
Section2=Intranet
...

First-Time Use Keys

ExtensionName = %s
    Required, do not alter. Internal name of the extension module.
    Acceptable values: %s = "AccessManager"

Section%d = %s
    Required, do not alter. Specifies the logons to include in the bulk add wizard.
    Acceptable values:
        %d = consecutive integers
        %s = application logon section name (link to the relevant logon class section)

Bulk Add Logon Section Keys

These settings are required and used in each bulk add logon section.

Example

[My Logons]
ExtensionName=AccessManager
Section1=Corporate Win App
Section2=Intranet
[Intranet]
ConfigKey=*Other Webs
ConfigName=Corporate Intranet
FTU_NeedID=0
FTU_NeedOther=0
FTU_NeedPwd=1
FTU_CONFIRMID=0
FTU_CONFIRMOTHER=0
FTU_CONFIRMPASSWORD=1
URL=Corp Intranet

First-Time Use Keys

ConfigKey = %s
    Link to the logon configuration in entlist.ini.
    Acceptable values: %s = application logon section name in entlist.ini or applist.ini. Use [*Mainframe] for host/mainframe logons, [*Other Webs] for Web logons, [*Online Services] for online service logons, and [*Other Apps] for other Windows application logons.

ConfigName = %s
    The name used in the First-Time Use Wizard to describe the logon.
    Acceptable values: %s = application logon name

Description = %s
    The name used in Logon Manager to describe the logon.
    Acceptable values: %s = application logon name

FTU_CONFIRMID = %b
    Flag indicating whether the First-Time Use Wizard requires the user to confirm their username/ID (optional).
    Acceptable values:
        %b = 0; user does not have to confirm username/ID (default)
        %b = 1; user has to confirm username/ID

FTU_CONFIRMOTHER = %b
    Flag indicating whether the First-Time Use Wizard requires the user to confirm a third field, if one exists (optional).
    Acceptable values:
        %b = 0; user does not have to confirm the third field (default)
        %b = 1; user has to confirm the third field

FTU_CONFIRMPASSWORD = %b
    Flag indicating whether the First-Time Use Wizard requires the user to confirm their password (optional).
    Acceptable values:
        %b = 0; user does not have to confirm password (default)
        %b = 1; user has to confirm password

FTU_NeedID = %b
    Flag indicating whether the application requires a username/ID.
    Acceptable values:
        %b = 0; application does not require a username/ID
        %b = 1; logon requires a username/ID (default)

FTU_NeedOther = %b
    Flag indicating whether the application requires a third field (optional).
    Acceptable values:
        %b = 0; application does not require a third field (default)
        %b = 1; application requires a third field

FTU_NeedPwd = %b
    Flag indicating whether the application requires a password.
    Acceptable values:
        %b = 0; application does not require a password
        %b = 1; logon requires a password (default)

URL = %s
    Section name in entlist.ini for a Web or Host application, or the URL of a Web site that is not predefined in entlist.ini.
    Acceptable values: %s = Web/Host section name or Web URL
Keys for entlist.ini

The entlist.ini file is located in the directory the administrator designates. In most instances, this should be a subdirectory under the TAM E-SSO program directory.

Note: All TAM E-SSO configuration files (including entlist.ini and ftulist.ini) can only be created and edited using the Administrative Console. The information in the topics listed below is provided only for reference.

This is also the format used for synchronizer objects that override local entlist.ini files. Note: A directory-based object causes the agent to ignore any local entlist.ini file. The remote object (if it exists) is downloaded over a local entlist.ini file.

Then, entlist.ini is merged with applist.ini to create a new file (aelist.ini) in the %AppData%\Passlogix directory. The aelist.ini file is overwritten periodically, including when TAM E-SSO starts and re-merges applist.ini and entlist.ini. The agent then uses aelist.ini to detect "known" applications.

The tables in the following topics list the keys and acceptable values for each section of entlist.ini:
• Root Keys for entlist.ini
• Windows Application Keys
• Web Application Keys
• Host/Mainframe Application Keys
• Password Policy Keys
Root Keys

These settings are used strictly within the [*Root] section.

Example

[*Root]
Section1=*Other Apps
Section2=*Other Webs
Section3=*Mainframe
AppsMaxRetry=1
WebMaxRetry=3
HostMaxRetry=2
WebTimeout=90
...

Global Application Keys

[*Root]
    Root section, from which application types (logon classes) are derived.
    Acceptable values: N/A

AppsHideConfirmPW = %b
    Indicates whether to hide the password confirmation field in the Logon Error dialog for all Windows applications.
    Acceptable values:
        %b = 0; do not hide confirmation field (default)
        %b = 1; hide confirmation field

AppsMaskPW = %b
    Indicates whether to mask the password field(s) in the Logon Error dialog for all Windows applications.
    Acceptable values:
        %b = 0; do not mask password
        %b = 1; mask password (default)

AppsMaxRetry = %d
    Indicates the number of logon retries the agent makes for all Windows applications before displaying the Logon Error dialog.
    Acceptable values: %d = the number of retries (default: 1)

AppsTimeout = %d
    Indicates the maximum time between successive logon attempts that will trigger Error Loop detection for all Windows applications.
    Acceptable values: %d = amount of time in seconds (default: 30)

MainframeHideConfirmPW = %b
    Indicates whether to hide the password confirmation field in the Logon Error dialog for all Host applications.
    Acceptable values:
        %b = 0; do not hide confirmation field (default)
        %b = 1; hide confirmation field

MainframeMaskPW = %b
    Indicates whether to mask the password field(s) in the Logon Error dialog for all Host applications.
    Acceptable values:
        %b = 0; do not mask password
        %b = 1; mask password (default)

MainframeMaxRetry = %d
    Indicates the number of logon retries the agent makes for all Host applications before displaying the Logon Error dialog.
    Acceptable values: %d = the number of retries (default: 1)

MainframeTimeout = %d
    Indicates the maximum time between successive logon attempts that will trigger Error Loop detection for all Host applications.
    Acceptable values: %d = amount of time in seconds (default: 30)

Section%d = %s
    Declaration of supported subsections.
    Note: Because *Other Webs, *Online Services, and *Other Apps are defined in applist.ini, they need not be defined in [*Root] in entlist.ini.
    Acceptable values:
        %d = consecutive integers
        %s = *Other Apps (Windows applications)
        %s = *Mainframe (Host/Mainframe applications)
        %s = *Other Webs (Predefined Web applications)
        %s = *Online Services

WebHideConfirmPW = %b
    Indicates whether to hide the password confirmation field in the Logon Error dialog for all Web applications.
    Acceptable values:
        %b = 0; do not hide confirmation field (default)
        %b = 1; hide confirmation field

WebMaskPW = %b
    Indicates whether to mask the password field(s) in the Logon Error dialog for all Web applications.
    Acceptable values:
        %b = 0; do not mask password
        %b = 1; mask password (default)

WebMaxRetry = %d
    Indicates the number of logon retries the agent makes for all Web applications before displaying the Logon Error dialog.
    Acceptable values: %d = the number of retries (default: 1)

WebTimeout = %d
    Indicates the maximum time between successive logon attempts that will trigger Error Loop detection for all Web applications.
    Acceptable values: %d = amount of time in seconds (default: 30)
Application Type Section Keys

These settings are used for the Windows, Web, and Host application sections that delineate the list of predefined applications.

Example

[*Other Apps]
Section1=Corporate WinApp
...

[*Other Webs]
Section1=Corporate Intranet
...

[*Mainframe]
Section1=Corporate Mainframe

Global Application Keys

[%s]
    Section heading that identifies an application category section.
    Acceptable values:
        %s = [*Other Apps] (Windows applications)
        %s = [*Mainframe] (Host/Mainframe applications)
        %s = [*Other Webs] (Predefined Web applications)

Section%d = %s
    Declaration of application sections.
    Acceptable values:
        %d = consecutive integers
        %s = section name
Windows Application Keys

These settings are used within the applications delineated in the [*Other Apps] section.

Example

[*Other Apps]
Section1=Corporate WinApp
...

[Corporate WinApp]
(the keys below)

Windows Application Keys

AllowReveal = %b
    Flag that enables or disables the Reveal button for the password in Wizards and property pages.
    Acceptable values:
        %b = 0; disabled
        %b = 1; enabled (default)

AppPathKey%d = %s
    Windows registry key identifying the application associated with a logon, matched against running processes. Used in combination with WindowTitle for exact matching of logon requests. %d is replaced with a number, starting at 1, so that multiple registry keys can be associated with a single logon.
    Acceptable values:
        %d = consecutive integers
        %s = application name string used in the Windows registry (typically corresponds to the executable name)

AutoOK = %b
    Flag that instructs the agent to automatically select OK for this application logon after insertion of the logon data.
    Acceptable values:
        %b = 0; disabled
        %b = 1; enabled (default)

ChangeTitle%d = %s
    Text matched against password change window titles to identify password change requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single password change request. There must be a duplicate WindowTitle entry for each ChangeTitle entry.
    Acceptable values:
        %d = consecutive integers
        %s = window title string

ChgCtrl0 = %d
    Control ID used to identify the username/ID field in a password-change request window.
    Acceptable values:
        %d = -1; change request does not require a username/ID
        %d = 1; change request requires a username/ID, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs (IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl, ChgCtrl1, ChgCtrl2, and ChgCtrl3) must also be 1 or -1.
        %d = 2 - 99,999; control ID value

ChgCtrl1 = %d
    Control ID used to identify the old password field in a password change request window.
    Acceptable values:
        %d = -1; change request does not require an old password
        %d = 1; change request requires a password, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; control ID value

ChgCtrl2 = %d
    Control ID used to identify the new password field in a password change request window.
    Acceptable values:
        %d = -1; change request does not require a new password
        %d = 1; change request requires a password, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; control ID value
ChgCtrl3 = %d
    Control ID used to identify the password confirmation field in a password change request window.
    Acceptable values:
        %d = -1; change request does not require a "confirm new password" entry
        %d = 1; change request requires a "confirm new password" entry, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; control ID value

ConfigName = %d
    Control ID identifying the control that contains the text used to create the initial configuration name when the user adds this logon.
    Acceptable values: %d = 1 - 99,999; control ID value

CPWFlag = %d
    Determines the behavior of the Password Change Wizard, for specific applications, when a user encounters a password-change request. This key is specified in the application's root section, not in a password-change subsection.
    Note: This setting can also be set globally, for all applications, via the Registry. See for instructions.
    Acceptable values:
        %d = 1; prompts the user with the Password Change Wizard (default)
        %d = 2; prompts the user to manually enter a new password, but also provides the option of having the agent automatically generate the password
        %d = 4; generates the new password automatically, but also provides the option of manually creating the new password
        %d = 10; prompts the user to manually enter a new password, without providing the option of having the agent automatically generate the password
        %d = 12; generates the new password automatically, without providing the option of manually creating the new password

CtrlOrder = %s1, %s2, %s3...
    Determines the order in which fields are sent when UseSendKeys is enabled. For example, specifying CtrlOrder = OtherCtrl1, IDCtrl, PassKeyCtrl tells the agent that the tab order in the dialog box should be OtherCtrl1, then IDCtrl, followed by PassKeyCtrl. For logons, the default order is IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2. For password changes, the default order is ChgCtrl0, ChgCtrl1, ChgCtrl2, ChgCtrl3.
    Note: This setting applies only when UseSendKeys is enabled and works only with Windows applications.
    Acceptable values:
        %s1 = the first field sent
        %s2 = the second field sent
        %s3 = the third field sent
        etc.

Description = %s
    Text describing this application, also stored in the Description field in Logon Manager.
    Acceptable values: %s = any string

ExtMap = %s
    Windows file extension associated with a logon. Allows the agent to map an icon to the configuration.
    Acceptable values: %s = three-character string for the file extension

ForceReauth = %b
    Forces the user to reauthenticate before providing credentials to this application.
    Note: Applies to all subsections; the user would have to reauthenticate multiple times in a multiple-section password change scenario.
    Acceptable values:
        %b = 0; do not require reauthentication (default)
        %b = 1; require reauthentication

Group = %s
    Group section name that this application is a part of. Used when configuring Password Sharing Groups. Special values include:
        LDAP: the application uses the LDAP Directory Server authenticator password.
        Domain: the application uses the Windows authenticator password.
    Refer to for detailed instructions.
    Note: The Windows Registry entry PWSEnable=1 must be set to enable Groups.
    Acceptable values: %s = the section name of the application group that the application belongs to

HideConfirmPW = %b
    Determines whether to hide the password confirmation field in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not hide confirmation field (default)
        %b = 1; hide confirmation field
IDCtrl = %d
    Identifies the username/ID control field and/or the mechanism to provide the username/ID data to the appropriate username/ID control.
    Acceptable values:
        %d = 0; the user must use the agent's "teaching tool" mechanism during application setup (default)
        %d = -1; application does not require a username/ID
        %d = 1; application requires a username/ID, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs (PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl, ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3) must also be 1 or -1.
        %d = 2 - 99,999; username/ID control ID value

IDCtrlType = %d
    Identifies the control type of the username/ID control field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control

IgnoreClassName = %s
    Identifies the class name of the logon or password-change window that should be ignored when submitting credentials. Used in cases where an application contains a second, hidden logon or password-change window.
    Acceptable values: %s = class name string

InteractionMode = %b
    Prevents the agent from attaching to the application window's message queue.
    Acceptable values:
        %b = 0; disabled (default)
        %b = 1; enabled

MaskPW = %b
    Determines whether to mask the password in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not mask password
        %b = 1; mask password (default)

Match%d = %s
    Maps to a matching section for the application. Use this method if the same application has multiple logon and password change screens. It is most useful when one set of user credentials is used for multiple screens within an application. With this method, the matching sections can be set up for logons, password change (pick and manual), and ignores.
    Acceptable values:
        %d = consecutive integers
        %s = application logon name (logon definition sections)

MaxRetry = %d
    Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    Acceptable values: %d = the number of retries (default: 1)

ModuleName%d = %s
    Application module name associated with a logon, matched against running processes. Used in conjunction with the WindowTitle key to identify a specific application logon or password-change request. %d is replaced with a number, starting at 1, so that multiple application modules can be associated with a single logon.
    Acceptable values:
        %d = consecutive integers
        %s = application name string (typically corresponds to the executable name)
OKCtrl = %d
    Identifies the control ID of the OK button for this application.
    Acceptable values:
        %d = 1; use the agent's internal logic (default)
        %d = 2 - 99,999; OK button control ID
        %d = -1; requires the user to manually select OK

OtherCtrl1 = %d
    Identifies the control ID of a third logon field and/or the mechanism to provide the additional field data to the appropriate control.
    Acceptable values:
        %d = -1; application does not require a third field
        %d = 1; application requires a third field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; third field control ID value; can be any value if Send Keys is used

OtherCtrl1Type = %d
    Identifies the control type of a third logon field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control

OtherCtrl2 = %d
    Identifies the control ID of a fourth logon field and/or the mechanism to provide the additional field data to the appropriate control.
    Acceptable values:
        %d = -1; application does not require a fourth field
        %d = 1; application requires a fourth field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; fourth field control ID value; can be any value if Send Keys is used

OtherCtrl2Type = %d
    Identifies the control type of a fourth logon field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control

OtherLabel1 = %s
    The text label used by the agent when displaying a third logon field.
    Acceptable values: %s = the text the agent will display

OtherLabel2 = %s
    The text label used by the agent when displaying a fourth logon field.
    Acceptable values: %s = the text the agent will display

ParentKey1 = %s
    Maps a subsection to its parent section.
    Acceptable values: %s = parent application/section name
PassKeyCtrl = %d
    Identifies the password control field and/or the mechanism to provide the password data to the appropriate password control.
    Acceptable values:
        %d = 0; the user must use the agent's "teaching tool" mechanism during application setup
        %d = -1; application does not require a password
        %d = 1; application requires a password, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; password control ID value; can be any value if Send Keys is used

PassKeyCtrlType = %d
    Identifies the control type of the password control field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control

PassPolicy = %s
    Identifies which password policy section to associate with this application logon configuration.
    Acceptable values: %s = policy section name

PresetFocusAll = %b
    Specifies whether to set the focus to a logon field before the agent actually places data in that field.
    Acceptable values:
        %b = 0; disabled (default)
        %b = 1; enabled

QuietGenerator = %b
    When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    Acceptable values:
        %b = 0; do not use the quiet generator; use the standard password change process with user intervention (default)
        %b = 1; use the quiet generator

Section%d = %s
    Declaration of application subsections.
    Acceptable values:
        %d = consecutive integers
        %s = subsection name

SystemLogon = %b
    RESERVED. Flag identifying whether a logon section is a system logon section.
    Acceptable values:
        %b = 0; not a system logon section (default)
        %b = 1; system logon section

Timeout = %d
    Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    Acceptable values: %d = amount of time in seconds (default: 30)

UseSendKeys = %b
    Sends fields to the application via keystrokes. If UseSendKeys is selected, then IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, and (if present) ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3 must all be set to 1, if needed.
    Acceptable values:
        %b = 0; do not use Send Keys; use control IDs (default)
        %b = 1; use Send Keys
VTabKey%d0 = %d1
    Specifies the character/delay sequence to send before/after each credential field.
    Note: Fields are sent in the order specified by CtrlOrder.
    Note: UseSendKeys must also be enabled.
    Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
    Acceptable values:
        %d0 = 1; sequence to send before the first credential field
        %d0 = 2; sequence to send after the first field, before the second; and so on (%d is not bound)
        %d1 = code sequence to send (see) (default: standard tab key)

VTabKeyPWC%d0 = %d1
    Specifies the character/delay sequence to send before/after each credential field.
    Note: Fields are sent in the order specified by CtrlOrder.
    Note: UseSendKeys must also be enabled.
    Note: To send nothing for the specified value, specify a value of `` (two back-quotes).
    Acceptable values:
        %d0 = 1; sequence to send before the first credential field
        %d0 = 2; sequence to send after the first field, before the second; and so on (%d is not bound)
        %d1 = code sequence to send (see) (default: standard tab key)

WindowTitle%d = %s
    Text matched against logon window titles to identify logon requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single logon.
    Acceptable values:
        %d = consecutive integers
        %s = window title string
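The key table above states several cross-key rules that are easy to break when a logon definition is edited by hand: in Send Keys mode every control ID must be 1 or -1, CPWFlag must be one of 1, 2, 4, 10 or 12, each ChangeTitle entry needs a duplicate WindowTitle entry, and numbered keys must be consecutive integers. The checker below, added here as an example and not part of the product or of this reference, audits an entlist.ini text against those rules; the sample sections, the finding codes, and the choice to treat OKCtrl=1 as "use the agent's internal logic" rather than as a Send Keys signal are assumptions of the example.

```python
import configparser

# Control-ID keys the reference ties together: when any logon or change
# field is sent with Send Keys (value 1), every other one must be 1 or -1.
CONTROL_KEYS = ("IDCtrl", "PassKeyCtrl", "OtherCtrl1", "OtherCtrl2", "OKCtrl",
                "ChgCtrl0", "ChgCtrl1", "ChgCtrl2", "ChgCtrl3")
# Example's assumption: OKCtrl=1 is "agent's internal logic", not Send Keys.
SENDKEYS_SIGNAL_KEYS = tuple(k for k in CONTROL_KEYS if k != "OKCtrl")
CPWFLAG_VALUES = {1, 2, 4, 10, 12}
BOOL_KEYS = ("AllowReveal", "AutoOK", "ForceReauth", "HideConfirmPW",
             "InteractionMode", "MaskPW", "PresetFocusAll", "QuietGenerator",
             "SystemLogon", "UseSendKeys")
NUMBERED_PREFIXES = ("Section", "Match", "WindowTitle", "ChangeTitle", "ModuleName")

# Constructed sample entlist.ini fragment (not from the product). The
# [Bad App] section deliberately breaks several of the rules above.
SAMPLE_ENTLIST = """
[*Other Apps]
Section1=Corporate WinApp
Section2=Bad App

[Corporate WinApp]
WindowTitle1=Corporate Login
ChangeTitle1=Change Password
WindowTitle2=Change Password
IDCtrl=1001
PassKeyCtrl=1002
OKCtrl=1
CPWFlag=1

[Bad App]
WindowTitle1=Legacy Login
ChangeTitle1=Legacy Change Password
IDCtrl=1
PassKeyCtrl=1002
UseSendKeys=1
CtrlOrder=PassKeyCtrl, IDCtrl
CPWFlag=3
ForceReauth=2
"""

def load_entlist(text):
    """Parse entlist.ini text; '%' is literal there, so no interpolation."""
    cfg = configparser.RawConfigParser(delimiters=("=",))
    cfg.optionxform = str          # keep key capitalisation as documented
    cfg.read_string(text)
    return cfg

def _int(raw):
    try:
        return int(raw.strip())
    except ValueError:
        return None

def _numbered(sec, prefix):
    """{index: value} for the prefix1, prefix2, ... keys of a section."""
    return {int(k[len(prefix):]): sec[k] for k in sec
            if k.startswith(prefix) and k[len(prefix):].isdigit()}

def check_windows_app(cfg, name):
    """Return (key, problem) findings for one Windows application section."""
    sec, findings = cfg[name], []
    ctrl = {k: _int(sec[k]) for k in CONTROL_KEYS if k in sec}
    for k, v in ctrl.items():       # -1, 1, 2..99,999; 0 only for teaching tool
        ok = v in (-1, 1) or (v is not None and 2 <= v <= 99999) \
            or (v == 0 and k in ("IDCtrl", "PassKeyCtrl"))
        if not ok:
            findings.append((k, "out-of-range"))
    send_keys = _int(sec.get("UseSendKeys", "0")) == 1 or any(
        ctrl.get(k) == 1 for k in SENDKEYS_SIGNAL_KEYS)
    if send_keys:                   # Send Keys mode allows no real control IDs
        findings += [(k, "mixed-sendkeys") for k, v in ctrl.items()
                     if v not in (-1, 1)]
    if "CtrlOrder" in sec:
        if not send_keys:
            findings.append(("CtrlOrder", "ignored-without-sendkeys"))
        for field in (f.strip() for f in sec["CtrlOrder"].split(",")):
            if field not in CONTROL_KEYS:
                findings.append(("CtrlOrder", "unknown-field:" + field))
    if "CPWFlag" in sec and _int(sec["CPWFlag"]) not in CPWFLAG_VALUES:
        findings.append(("CPWFlag", "not-in-1-2-4-10-12"))
    findings += [(k, "not-boolean") for k in BOOL_KEYS
                 if k in sec and _int(sec[k]) not in (0, 1)]
    titles = set(_numbered(sec, "WindowTitle").values())
    for idx, title in _numbered(sec, "ChangeTitle").items():
        if title not in titles:     # each ChangeTitle needs a WindowTitle twin
            findings.append(("ChangeTitle%d" % idx, "no-matching-WindowTitle"))
    for prefix in NUMBERED_PREFIXES:  # Section1, Section2, ... without gaps
        idxs = sorted(_numbered(sec, prefix))
        if idxs and idxs != list(range(1, len(idxs) + 1)):
            findings.append((prefix, "numbering-not-consecutive"))
    return findings

def audit(text):
    """Audit every application listed under [*Other Apps]: name -> findings."""
    cfg = load_entlist(text)
    apps = _numbered(cfg["*Other Apps"], "Section").values()
    return {app: check_windows_app(cfg, app) if cfg.has_section(app)
            else [(app, "section-missing")] for app in apps}
```

Run against the sample, audit() reports nothing for [Corporate WinApp] and four findings for [Bad App]: the mixed Send Keys/control-ID values, the invalid CPWFlag, the non-boolean ForceReauth, and the ChangeTitle without a matching WindowTitle.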
Windows Application Keys for Section N subsection
These settings are used within subsections delineated by SectionN.
Example
[Corporate WinApp]
Section1=~Corporate WinApp Logon
Section2=~Corporate WinApp Password Change
...
[~Corporate WinApp Logon]
(the keys below)
The following keys are accepted in a SectionN subsection. Their description and acceptable values are the same as in the parent application section (Windows Application Keys):
AppPathKey%d = %s
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d
CtrlOrder = %s1, %s2, %s3...
IDCtrl = %d
IDCtrlType = %d
IgnoreClassName = %s
InteractionMode = %b
Match%d = %s
ModuleName%d = %s
OKCtrl = %d
OtherCtrl1 = %d
OtherCtrl1Type = %d
OtherCtrl2 = %d
OtherCtrl2Type = %d
ParentKey1 = %s
PassKeyCtrl = %d
PassKeyCtrlType = %d
VTabKey%d0 = %d1
VTabKeyPWC%d0 = %d1
UseSendKeys = %b
WindowTitle%d = %s
Windows Application Keys for Match N subsection
These settings are used within subsections delineated by MatchN.
Example
[Corporate WinApp]
Section1=~Whatever subsection
Match1=~Corporate WinApp Logon Match
Match2=~Corporate WinApp Ignore Match
...
[~Corporate WinApp Ignore Match]
(the keys below)
The following keys are accepted in a MatchN subsection. ChangeTitle%d and ChgCtrl0 through ChgCtrl3 have the same description and acceptable values as in the parent application section (Windows Application Keys):
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d
Field%d0 = %d1,%s1,%s2,%s3
    Description: The match criteria for the fields. %d0 is replaced with a number, starting at 1, so that multiple matching criteria can be set up for one screen. %d1 is replaced with the control ID of the matching criteria. %s1 is replaced with the control type, %s2 with the comparison operator, and %s3 with the compare value.
    Acceptable values:
        %d0 = consecutive integers
        %d1 = control ID of the matching criteria
        %s1 = the control type, which can be one of the following, with the appropriate value in %s3:
            text    actual text from the control
            style   numeric value for the style of the control
            class   the class of the control, usually Edit or Static:
                    Edit    edit or combobox controls
                    Static  static controls (for example, text labels)
        %s2 = the comparison operator, which can be one of the following:
            EQ  equals
            NE  not equal
        %s3 = compared value
        Logon    logon events
        Change   password change events
        Confirm  confirm the new password
        Ignore   bypass all events for the application
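The Field criteria above are how a match subsection decides which screen of the application it is looking at. As an added example, not code from IBM's product or documentation, the following Python evaluates such criteria against the controls of a window. The Control model, the rule that a subsection matches only when every one of its Field criteria holds, the treatment of a missing control as a failed criterion, and the sample windows and subsections are assumptions of this example:

```python
"""Evaluate Match-subsection Field criteria against a window's controls.

Added example, not IBM's code. The criterion syntax
Field%d0 = %d1,%s1,%s2,%s3 (control ID, control type text|style|class,
operator EQ|NE, compare value) is the documented one; the Control model,
the all-criteria-must-hold rule and the sample data are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Control:
    ctrl_id: int
    cls: str    # window class, e.g. "Edit" or "Static"
    style: int  # numeric window style
    text: str   # caption or current text of the control


@dataclass(frozen=True)
class FieldCriterion:
    index: int
    ctrl_id: int
    ctrl_type: str  # "text", "style" or "class"
    operator: str   # "EQ" or "NE"
    value: str


FIELD_KEY = re.compile(r"Field(\d+)$")


def parse_field(key: str, raw: str) -> FieldCriterion:
    """Parse one 'FieldN=ctrlid,type,op,value' entry. The value is split on
    at most three commas so a compare value may itself contain commas."""
    m = FIELD_KEY.match(key)
    if not m:
        raise ValueError(f"not a Field key: {key!r}")
    parts = [p.strip() for p in raw.split(",", 3)]
    if len(parts) != 4:
        raise ValueError(f"{key}: expected ctrlid,type,op,value, got {raw!r}")
    ctrl_type, op = parts[1].lower(), parts[2].upper()
    if ctrl_type not in ("text", "style", "class"):
        raise ValueError(f"{key}: unknown control type {parts[1]!r}")
    if op not in ("EQ", "NE"):
        raise ValueError(f"{key}: unknown operator {parts[2]!r}")
    return FieldCriterion(int(m.group(1)), int(parts[0]), ctrl_type, op, parts[3])


def criterion_holds(c: FieldCriterion, controls: Dict[int, Control]) -> bool:
    ctrl = controls.get(c.ctrl_id)
    if ctrl is None:
        return False  # assumption: a window without the control never matches
    if c.ctrl_type == "text":
        equal = ctrl.text == c.value
    elif c.ctrl_type == "style":
        equal = ctrl.style == int(c.value, 0)  # decimal or 0x... style value
    else:
        equal = ctrl.cls.lower() == c.value.lower()
    return equal if c.operator == "EQ" else not equal


def section_matches(section: Dict[str, str], controls: Dict[int, Control]) -> bool:
    crits = [parse_field(k, v) for k, v in section.items() if FIELD_KEY.match(k)]
    return bool(crits) and all(criterion_holds(c, controls) for c in crits)


def first_match(match_sections: Dict[str, Dict[str, str]],
                controls: Dict[int, Control]) -> Optional[str]:
    """Name of the first subsection (Match1, Match2, ... order) whose criteria all hold."""
    for name, section in match_sections.items():
        if section_matches(section, controls):
            return name
    return None


def control_map(*controls: Control) -> Dict[int, Control]:
    return {c.ctrl_id: c for c in controls}


# Constructed sample: two match subsections and three windows.
MATCH_SECTIONS = {
    "~Corporate WinApp Logon Match": {
        "Field1": "1001,class,EQ,Static",
        "Field2": "1001,text,EQ,User name:",
        "Field3": "1003,class,EQ,Edit",
    },
    "~Corporate WinApp Ignore Match": {
        "Field1": "1001,text,EQ,Welcome back",
        "Field2": "1003,class,NE,Edit",
    },
}
LOGON_WINDOW = control_map(
    Control(1001, "Static", 0x50000000, "User name:"),
    Control(1003, "Edit", 0x50010080, ""),
    Control(1004, "Edit", 0x50010080, ""),
)
WELCOME_WINDOW = control_map(
    Control(1001, "Static", 0x50000000, "Welcome back"),
    Control(1003, "Button", 0x50010000, "OK"),
)
OTHER_WINDOW = control_map(Control(2001, "Static", 0x50000000, "About"))
```

The third criterion of the logon subsection is what keeps the welcome screen from being treated as a logon: a "class,NE,Edit" test on the control that would hold the password is a cheap way to make an Ignore subsection win only when no credential field is present.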
Windows Application Keys
These settings are used within applications delineated in the [*Other Apps] section.
Example
[*Other Apps]
Section1=Corporate WinApp
...
[Corporate WinApp]
(the keys below)
AllowReveal = %b
    Description: Flag that enables or disables the Reveal button for passwords in Wizards and property pages.
    Acceptable values:
        %b = 0; disabled
        %b = 1; enabled (default)
AppPathKey%d = %s
    Description: Windows registry key identifying the application associated with a logon, to match against running processes. Used in combination with WindowTitle for exact matching of logon requests. %d is replaced with a number, starting at 1, so that multiple registry keys can be associated with a single logon.
    Acceptable values:
        %d = consecutive integers
        %s = application name string used in the Windows registry (typically corresponds to the executable name)
AutoOK = %b
    Description: Flag that instructs the agent to automatically select OK for this application logon after insertion of the logon data.
    Acceptable values:
        %b = 0; disabled
        %b = 1; enabled (default)
ChangeTitle%d = %s
    Description: Text matched against password change window titles to identify password change requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single password change request. There must be a duplicate WindowTitle entry for each ChangeTitle entry.
    Acceptable values:
        %d = consecutive integers
        %s = window title string
ChgCtrl0 = %d
    Description: Control ID used to identify the username/ID field in a password-change request window.
    Acceptable values:
        %d = -1; change request does not require a username/ID
        %d = 1; change request requires a username/ID, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs (IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl, ChgCtrl1, ChgCtrl2, and ChgCtrl3) must also be 1 or -1.
        %d = 2 - 99,999; control ID value
ChgCtrl1 = %d
    Description: Control ID used to identify the old password field in a password change request window.
    Acceptable values:
        %d = -1; change request does not require an old password
        %d = 1; change request requires a password, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; control ID value
ChgCtrl2 = %d
    Description: Control ID used to identify the new password field in a password change request window.
    Acceptable values:
        %d = -1; change request does not require a new password
        %d = 1; change request requires a password, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; control ID value
ChgCtrl3 = %d
    Description: Control ID used to identify the password confirmation field in a password change request window.
    Acceptable values:
        %d = -1; change request does not require a "confirm new password" entry
        %d = 1; change request requires a "confirm new password" entry, but it will be sent to the application using Send Keys. If this value is 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; control ID value
ConfigName = %d
    Description: Control ID identifying the control that contains the text used to create the initial configuration name when the user adds this logon.
    Acceptable values:
        %d = 1 - 99,999; control ID value
CPWFlag = %d
    Description: Determines the behavior of the Password Change Wizard, for specific applications, when a user encounters a password-change request. This key is specified in the application's root section, not in a password-change subsection.
    Note: This setting can also be set globally, for all applications, via the Registry. See for instructions.
    Acceptable values:
        %d = 1; prompts the user with the Password Change Wizard (default)
        %d = 2; prompts the user to manually enter a new password, but also provides the option of having the agent automatically generate the password
        %d = 4; generates the new password automatically, but also provides the option of manually creating the new password
        %d = 10; prompts the user to manually enter a new password, without providing the option of having the agent automatically generate the password
        %d = 12; generates the new password automatically, without providing the option of manually creating the new password
CtrlOrder = %s1, %s2, %s3...
    Description: Determines the order in which fields are sent when UseSendKeys is enabled. For example, specifying CtrlOrder = OtherCtrl1, IDCtrl, PassKeyCtrl tells the agent that the tab order in the dialog box should be OtherCtrl1, then IDCtrl, followed by PassKeyCtrl. For logons, the default order is IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2. For password changes, the default order is ChgCtrl0, ChgCtrl1, ChgCtrl2, ChgCtrl3.
    Note: This setting applies only when UseSendKeys is enabled and works only with Windows applications.
    Acceptable values:
        %s1 = the first field sent
        %s2 = the second field sent
        %s3 = the third field sent
        and so on
Description = %s
    Description: Text describing this application, also stored in the Description field in Logon Manager.
    Acceptable values:
        %s = any string
ExtMap = %s
    Description: Windows file extension associated with a logon. Allows the agent to map an icon to the configuration.
    Acceptable values:
        %s = three-character string for the file extension
ForceReauth = %b
    Description: Force the user to reauthenticate before providing credentials to this application.
    Note: Applies to all subsections; the user would have to reauthenticate multiple times in a multiple-section password change scenario.
    Acceptable values:
        %b = 0; do not require reauthentication (default)
        %b = 1; require reauthentication
Group = %s
    Description: Group section name that this application is a part of. Used when configuring Password Sharing Groups. Special values include:
        LDAP: the application uses the LDAP Directory Server authenticator password.
        Domain: the application uses the Windows authenticator password.
    Refer to for detailed instructions.
    Note: The Windows Registry entry PWSEnable=1 must be set to enable Groups.
    Acceptable values:
        %s = the section name of the application group that the application belongs to
HideConfirmPW = %b
    Description: Determines whether to hide the password confirmation field in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not hide the confirmation field (default)
        %b = 1; hide the confirmation field
IDCtrl = %d
    Description: Identifies the username/ID control field and/or the mechanism to provide the username/ID data to the appropriate username/ID control.
    Acceptable values:
        %d = 0; the user must use the agent's "teaching tool" mechanism during application setup (default)
        %d = -1; application does not require a username/ID
        %d = 1; application requires a username/ID, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs (PassKeyCtrl, OtherCtrl1, OtherCtrl2, OKCtrl, ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3) must also be 1 or -1.
        %d = 2 - 99,999; username/ID control ID value
IDCtrlType = %d
    Description: Identifies the control type of the username/ID control field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control
IgnoreClassName = %s
    Description: Identifies the class name of the logon or password-change window that should be ignored when submitting credentials. Used in cases where an application contains a second, hidden logon or password-change window.
    Acceptable values:
        %s = class name string
InteractionMode = %b
    Description: Prevents the agent from attaching to the application window's message queue.
    Acceptable values:
        %b = 0; disabled (default)
        %b = 1; enabled
MaskPW = %b
    Description: Determines whether to mask the password in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not mask the password
        %b = 1; mask the password (default)
Match%d = %s
    Description: Maps to a matching section for the application. Use this method if the same application has multiple logon and password change screens. This is most useful when one set of user credentials is used for multiple screens within an application. With this method, the matching sections can be set up for logons, password change (pick and manual), and ignores.
    Acceptable values:
        %d = consecutive integers
        %s = application logon name (logon definition sections)
MaxRetry = %d
    Description: Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    Acceptable values:
        %d = the number of retries (default: 1)
ModuleName%d = %s
    Description: Application module name associated with a logon, to match against running processes. Used in conjunction with the WindowTitle key to identify a specific application logon or password-change request. %d is replaced with a number, starting at 1, so that multiple application modules can be associated with a single logon.
    Acceptable values:
        %d = consecutive integers
        %s = application name string (typically corresponds to the executable name)
OKCtrl = %d
    Description: Identifies the control ID of the OK button for this application.
    Acceptable values:
        %d = 1; use the agent's internal logic (default)
        %d = 2 - 99,999; OK button control ID
        %d = -1; requires the user to manually select OK
OtherCtrl1 = %d
    Description: Identifies the control ID of a third logon field and/or the mechanism to provide the additional field data to the appropriate control.
    Acceptable values:
        %d = -1; application does not require a third field
        %d = 1; application requires a third field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; third field control ID value; can be any value if Send Keys is used
OtherCtrl1Type = %d
    Description: Identifies the control type of a third logon field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control
OtherCtrl2 = %d
    Description: Identifies the control ID of a fourth logon field and/or the mechanism to provide the additional field data to the appropriate control.
    Acceptable values:
        %d = -1; application does not require a fourth field
        %d = 1; application requires a fourth field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; fourth field control ID value; can be any value if Send Keys is used
OtherCtrl2Type = %d
    Description: Identifies the control type of a fourth logon field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control
OtherLabel1 = %s
    Description: The text label used by the agent when displaying a third logon field.
    Acceptable values:
        %s = the text the agent will display
OtherLabel2 = %s
    Description: The text label used by the agent when displaying a fourth logon field.
    Acceptable values:
        %s = the text the agent will display
ParentKey1 = %s
    Description: Maps a subsection to its parent section.
    Acceptable values:
        %s = parent application/section name
PassKeyCtrl = %d
    Description: Identifies the password control field and/or the mechanism to provide the password data to the appropriate password control.
    Acceptable values:
        %d = 0; the user must use the agent's "teaching tool" mechanism during application setup
        %d = -1; application does not require a password
        %d = 1; application requires a password, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
        %d = 2 - 99,999; password control ID value; can be any value if Send Keys is used
PassKeyCtrlType = %d
    Description: Identifies the control type of the password control field.
    Acceptable values:
        %d = 0; edit control (default)
        %d = 1; combobox control
        %d = 2; listbox control
PassPolicy = %s
    Description: Identifies which password policy section to associate with this application logon configuration.
    Acceptable values:
        %s = policy section name
PresetFocusAll = %b
    Description: Specifies whether to set the focus to a logon field before the agent actually places data in that field.
    Acceptable values:
        %b = 0; disabled (default)
        %b = 1; enabled
QuietGenerator = %b
    Description: When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    Acceptable values:
        %b = 0; do not use the quiet generator; use the standard password change process with user intervention (default)
        %b = 1; use the quiet generator
Section%d = %s
    Description: Declaration of application subsections.
    Acceptable values:
        %d = consecutive integers
        %s = subsection name
SystemLogon = %b
    Description: RESERVED. Flag identifying whether a logon section is a system logon section.
    Acceptable values:
        %b = 0; not a system logon section (default)
        %b = 1; system logon section
Timeout = %d
    Description: Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    Acceptable values:
        %d = amount of time in seconds (default: 30)
UseSendKeys = %b
    Description: Send fields via keystrokes to the application. If UseSendKeys is selected, then the IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, and (if present) ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3 variables must all be set to 1, if needed.
    Acceptable values:
        %b = 0; do not use Send Keys; use control IDs (default)
        %b = 1; use Send Keys
VTabKey%d0 = %d1
    Description: Specifies the character/delay sequence to send before/after each credential field.
    Note: Fields are sent in the order specified by CtrlOrder.
    Note: UseSendKeys must also be enabled.
    Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
    Acceptable values:
        %d0 = 1; sequence to send before the first credential field
        %d0 = 2; sequence to send after the first field, before the second
        and so on; %d0 is not bounded
        %d1 = code sequence to send (see) (default: standard tab key)
VTabKeyPWC%d0 = %d1
    Description: Specifies the character/delay sequence to send before/after each credential field.
    Note: Fields are sent in the order specified by CtrlOrder.
    Note: UseSendKeys must also be enabled.
    Note: To send nothing for the specified value, specify a value of `` (two back-quotes).
    Acceptable values:
        %d0 = 1; sequence to send before the first credential field
        %d0 = 2; sequence to send after the first field, before the second
        and so on; %d0 is not bounded
        %d1 = code sequence to send (see) (default: standard tab key)
WindowTitle%d = %s
    Description: Text matched against logon window titles to identify logon requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single logon.
    Acceptable values:
        %d = consecutive integers
        %s = window title string
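The constraints spread across these keys (the Send Keys rule on control IDs, the control-ID ranges, the CPWFlag values, the 0/1 flags, the Section%d and Match%d targets, and the WindowTitle entry required for each ChangeTitle) are easy to get wrong in a hand-edited section, and a bad section is only noticed when an agent fails to fill a logon screen. As an added example, not IBM's code, the following Python linter reads INI-style application sections of this shape and reports violations before the configuration is rolled out. It reads "a duplicate WindowTitle entry for each ChangeTitle entry" as "a WindowTitle entry with identical text", treats OKCtrl=1 (the agent's own OK logic) as not implying Send Keys, and loads the text with configparser; those readings and the constructed sample sections are this example's assumptions. It also reports MaskPW=0 because that leaves the password readable in the Logon Error dialog.

```python
"""Lint TAM E-SSO Windows-application logon sections for the documented
key constraints. Added example, not IBM's code; the configparser loading,
the reading of the ChangeTitle/WindowTitle rule, and the sample sections
below are this example's own assumptions."""
import configparser
import re
from typing import Dict, List

# Keys holding a control ID: 2 - 99,999 is a real ID; special values are
# 0 (teaching tool, IDCtrl/PassKeyCtrl only), -1 (not required), 1 (Send Keys).
CONTROL_KEYS = ("IDCtrl", "PassKeyCtrl", "OtherCtrl1", "OtherCtrl2", "OKCtrl",
                "ChgCtrl0", "ChgCtrl1", "ChgCtrl2", "ChgCtrl3")
SPECIAL = {"IDCtrl": {0, -1, 1}, "PassKeyCtrl": {0, -1, 1}}
BOOL_KEYS = ("AllowReveal", "AutoOK", "ForceReauth", "HideConfirmPW",
             "InteractionMode", "MaskPW", "PresetFocusAll", "QuietGenerator",
             "SystemLogon", "UseSendKeys")
CPW_VALUES = {"1", "2", "4", "10", "12"}
SUBSECTION_REF = re.compile(r"(Section|Match)\d+$")
WINDOW_TITLE = re.compile(r"WindowTitle\d+$")
CHANGE_TITLE = re.compile(r"ChangeTitle\d+$")


def load(text: str) -> configparser.ConfigParser:
    """Parse INI text: '=' as the only delimiter, no interpolation, key case kept."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_section(cp: configparser.ConfigParser, name: str) -> List[str]:
    sec, out, ids = cp[name], [], {}  # type: ignore[var-annotated]
    for key in CONTROL_KEYS:
        if key not in sec:
            continue
        try:
            ids[key] = int(sec[key])
        except ValueError:
            out.append(f"[{name}] {key}={sec[key]!r}: not an integer")
            continue
        if not (2 <= ids[key] <= 99999 or ids[key] in SPECIAL.get(key, {-1, 1})):
            out.append(f"[{name}] {key}={ids[key]}: not a special value or 2-99,999")
    # Send Keys rule: a field control ID of 1, or UseSendKeys=1, requires every
    # other control ID that is present (OKCtrl included) to be 1 or -1.
    # Assumption: OKCtrl=1 alone (agent's internal OK logic) does not trigger it.
    if sec.get("UseSendKeys") == "1" or any(v == 1 for k, v in ids.items() if k != "OKCtrl"):
        for key, value in ids.items():
            if value not in (1, -1):
                out.append(f"[{name}] {key}={value}: must be 1 or -1 when Send Keys is used")
    for key in BOOL_KEYS:
        if key in sec and sec[key] not in ("0", "1"):
            out.append(f"[{name}] {key}={sec[key]}: must be 0 or 1")
    if "CPWFlag" in sec and sec["CPWFlag"] not in CPW_VALUES:
        out.append(f"[{name}] CPWFlag={sec['CPWFlag']}: must be one of 1, 2, 4, 10, 12")
    titles = {value for key, value in sec.items() if WINDOW_TITLE.match(key)}
    for key, value in sec.items():
        if SUBSECTION_REF.match(key) and not cp.has_section(value):
            out.append(f"[{name}] {key}={value}: referenced section does not exist")
        if CHANGE_TITLE.match(key) and value not in titles:
            out.append(f"[{name}] {key}={value!r}: no WindowTitle entry with the same text")
    # Defender's check: MaskPW=0 shows the password in clear in the Logon Error dialog.
    if sec.get("MaskPW") == "0":
        out.append(f"[{name}] MaskPW=0: password is not masked in the Logon Error dialog")
    return out


def lint(text: str) -> List[str]:
    cp = load(text)
    findings: List[str] = []
    for name in cp.sections():
        findings.extend(lint_section(cp, name))
    return findings


# Constructed sample sections (not from any real deployment).
GOOD = """
[Corporate WinApp]
WindowTitle1=Corporate WinApp - Logon
WindowTitle2=Corporate WinApp - Change Password
ChangeTitle1=Corporate WinApp - Change Password
IDCtrl=1001
PassKeyCtrl=1002
OKCtrl=1
ChgCtrl0=-1
ChgCtrl1=2001
ChgCtrl2=2002
ChgCtrl3=2003
CPWFlag=1
MaskPW=1
Section1=~Corporate WinApp Logon

[~Corporate WinApp Logon]
ParentKey1=Corporate WinApp
WindowTitle1=Corporate WinApp - Logon
"""
BAD = """
[Corporate WinApp]
WindowTitle1=Corporate WinApp - Logon
ChangeTitle1=Corporate WinApp - Change Password
IDCtrl=1
PassKeyCtrl=1002
OKCtrl=1
UseSendKeys=2
CPWFlag=3
MaskPW=0
Match1=~Missing Match
"""
```

Running lint(GOOD) yields no findings; lint(BAD) reports the PassKeyCtrl that is incompatible with IDCtrl=1, the out-of-range UseSendKeys and CPWFlag values, the dangling Match1 target, the ChangeTitle with no matching WindowTitle, and the unmasked password.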
Windows Application Keys
These settings are used within applications delineated in the [*Other Apps] section.
Example
[*Other Apps]
Section1=Corporate WinApp
&
[Corporate WinApp]
(the keys below)
Windows Application Keys Description Acceptable values
AllowReveal = %b Flag that enables or disables the
Reveal button for password in
Wizards and property pages.
%b = 0; disabled
%b = 1; enabled (default)
AppPathKey%d = %s Windows registry key identifying the
application associated with a logon to
match against running processes.
Used in combination with the
WindowTitle for exact matching of
logon requests. %d is replaced with
a number, starting at 1, so that
multiple registry keys can be
associated with a single logon.
%d = consecutive integers
%s = application name string used in
Windows registry (typically
corresponds to executable name)
Chapter 4. SSO Administrative Console Reference Topics 205
![Page 210: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/210.jpg)
AutoOK = %b Flag instructs the agent to
automatically select OK for this
application logon after insertion of
logon data.
%b = 0; disabled
%b = 1; enabled (default)
ChangeTitle%d = %s Text matched against password
change window titles to identify
password change requests. %d is
replaced with a number, starting at 1,
so that multiple windows can be
identified for a single password
change request.
There must be a duplicate
WindowTitle entry for each
ChangeTitle entry.
%d = consecutive integers
%s = window title string
ChgCtrl0 = %d Control ID used to identify the
username/ID field in a
password-change request window.
%d = -1; change request does not
require a username/ID
%d = 1; change request requires a
username/ID, but it will be sent to
the application using Send Keys. If
this value is 1, all other Control IDs (
IDCtrl, PassKeyCtrl, OtherCtrl1,
OtherCtrl2, OKCtrl, ChgCtrl1,
ChgCtrl2, and ChgCtrl3) must also be
1 or -1.
%d = 2 - 99,999; control ID value
ChgCtrl1 = %d Control ID used to identify the old
password field in a password change
request window.
%d = -1; change request does not
require an old password
%d = 1; change request requires a
password, but it will be sent to the
application using Send Keys. If this
value is 1, all other Control IDs must
also be 1 or -1.
%d = 2 - 99,999; control ID value
ChgCtrl2 = %d Control ID used to identify the new
password field in a password change
request window.
%d = -1; change request does not
require a new password.
%d = 1; change request requires a
password, but it will be sent to the
application using Send Keys. If this
value is 1, all other Control IDs must
also be 1 or -1.
%d = 2 - 99,999; control ID value
ChgCtrl3 = %d Control ID used to identify the
password confirmation field in a
password change request window.
%d = -1; change request does not
require a ″confirm new password″
entry.
%d = 1; change request requires a
″confirm new password″ entry, but it
will be sent to the application using
SendKeys. If this value is 1, all other
Control IDs must also be 1 or -1.
%d = 2 - 99,999; control ID value
206 Introduction
![Page 211: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/211.jpg)
ConfigName = %d Control ID identifying the control
that contains the text used to create
the initial configuration name when
the user adds this logon.
%d = 1 - 99,999; control ID value
CPWFlag = %d Determines the behavior of the
Password Change Wizard, for specific
applications, when a user encounters
a password-change request. This key
is specified in the application’s root
section, not in a password-change
subsection.
Note: This setting can also be set
globally, for all applications, via the
Registry. See for instructions.
%d = 1; Prompts user with Password
Change Wizard (default).
%d = 2; Prompts user to manually
enter a new password, but also
provides the option of having the
agent automatically generate the
password.
%d = 4; Generates the new password
automatically, but also provides the
option of manually creating the new
password.
%d = 10; Prompts user to manually
enter a new password, without
providing the option of having the
agent automatically generate the
password.
%d = 12; Generates the new
password automatically, without
providing the option of manually
creating the new password.
CtrlOrder = %s1, %s2, %s3& Determines the order in which fields
are sent when UseSendKeys is
enabled. For example, specifying
CtrlOrder = OtherCtrl1, IDCtrl,
PassKeyCtrl tells the agent that the
tab order in the dialog box should be
OtherCtrl1, then IDCtrl, followed by
PassKeyCtrl.
For logons, the default order is
IDCtrl, PassKeyCtrl, OtherCtrl1,
OtherCtrl2.
Tony/Drew: What is CtrlOrder
default for password change
scenario?
For password changes, the default
order is ChgCtrl0, ChgCtrl1,
ChgCtrl2, ChgCtrl3.
Note: This setting applies only when
UseSendKeys is enabled and works
only with Windows applications.
%s1 = The first field sent
%s2 = The second field sent
%s3 = The third field sent
etc.
Description = %s Text describing this application, also
stored in the Description field in
Logon Manager.
%s = any string
ExtMap = %s Windows file extension associated
with a logon. Allows the agent to
map an icon to the configuration.
%s = three-character string for file
extension
Chapter 4. SSO Administrative Console Reference Topics 207
![Page 212: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/212.jpg)
ForceReauth = %b Force the user to reauthenticate
before providing credentials to this
application.
Note: Applies to all subsections; the
user would have to reauthenticate
multiple times in a multiple-section
password change scenario .
%b = 0; do not require
reauthentication (default)
%b = 1; require reauthentication
Group = %s Group section name that this
application is a part of. Used when
configuring for Password Sharing
Groups. Special values include:
LDAP: Application uses LDAP
Directory Server authenticator
password.
Domain: Application uses the
Windows authenticator password.
Refer to for detailed instructions.
Note: Must set Windows Registry
entry PWSEnable=1 to enable
Groups.
%s = the section name of the
application group that the application
belongs to.
HideConfirmPW = %b Determines whether to hide the
password confirmation field in the
Logon Error dialog.
%b = 0; do not hide confirmation
field (default)
%b = 1; hide confirmation field
IDCtrl = %d Identifies the username/ID control
field and/or the mechanism to
provide the username/ID data to the
appropriate username/ID control.
%d = 0; the user must use the the
agent’s ″teaching tool″ mechanism
during application setup (default)
%d = -1; application does not require
a username/ID
%d = 1; application requires a
username/ID, but it will be sent to
the application using Send Keys. If
this value is set to 1, all other Control
IDs ( PassKeyCtrl, OtherCtrl1,
OtherCtrl2, OKCtrl, ChgCtrl0,
ChgCtrl1, ChgCtrl2, and ChgCtrl3)
must also be 1 or -1.
%d = 2 - 99,999; username/ID control
ID value
IDCtrlType = %d Identifies the control type of the
username/ID control field.
%d = 0; edit control (default)
%d = 1; combobox control
%d = 2; listbox control
IgnoreClassName = %s Identifies the class name of the logon
or password-change window that
should be ignored when submitting
credentials. Used in cases where an
application contains a second, hidden
logon or password-change window.
%s = class name string
208 Introduction
![Page 213: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/213.jpg)
InteractionMode = %b
    Prevents the agent from attaching to the application’s window’s message queue.
    %b = 0; disabled (default)
    %b = 1; enabled
MaskPW = %b
    Determines whether to mask the password in the Logon Error dialog.
    %b = 0; do not mask password
    %b = 1; mask password (default)
Match%d = %s
    Maps to a matching section for the application. Use this method if the same application has multiple logon and password change screens. This is most useful when one set of user credentials is for multiple screens within an application. By using this method, the matching sections could be set up for logons, password change (pick and manual), and ignores.
    %d = consecutive integers
    %s = application logon name (logon definition sections)
MaxRetry = %d
    Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    %d = the number of retries (default: 1)
ModuleName%d = %s
    Application module name associated with a logon to match against running processes. Used in conjunction with the WindowTitle key to identify a specific application logon or password-change request. %d is replaced with a number, starting at 1, so that multiple application modules can be associated with a single logon.
    %d = consecutive integers
    %s = application name string (typically corresponds to executable name)
OKCtrl = %d
    Identifies the control ID of the OK button for this application.
    %d = 1; use the agent’s internal logic (default)
    %d = 2 - 99,999; OK button control ID
    %d = -1; requires the user to manually select OK
OtherCtrl1 = %d
    Identifies the control ID of a third logon field and/or the mechanism to provide the additional field data to the appropriate control.
    %d = -1; application does not require a third field
    %d = 1; application requires a third field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
    %d = 2 - 99,999; third field control ID value; can be any value if Send Keys is used
OtherCtrl1Type = %d
    Identifies the control type of a third logon field.
    %d = 0; edit control (default)
    %d = 1; combobox control
    %d = 2; listbox control
Chapter 4. SSO Administrative Console Reference Topics 209
OtherCtrl2 = %d
    Identifies the control ID of a fourth logon field and/or the mechanism to provide the additional field data to the appropriate control.
    %d = -1; application does not require a fourth field
    %d = 1; application requires a fourth field, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
    %d = 2 - 99,999; fourth field control ID value; can be any value if Send Keys is used
OtherCtrl2Type = %d
    Identifies the control type of a fourth logon field.
    %d = 0; edit control (default)
    %d = 1; combobox control
    %d = 2; listbox control
OtherLabel1 = %s
    The text label used by the agent when displaying a third logon field.
    %s = the text the agent will display
OtherLabel2 = %s
    The text label used by the agent when displaying a fourth logon field.
    %s = the text the agent will display
ParentKey1 = %s
    Maps a subsection to its parent section.
    %s = parent application/section name
PassKeyCtrl = %d
    Identifies the password control field and/or the mechanism to provide the password data to the appropriate password control.
    %d = 0; the user must use the agent’s "teaching tool" mechanism during application setup
    %d = -1; application does not require a password
    %d = 1; application requires a password, but it will be sent to the application using Send Keys. If this value is set to 1, all other Control IDs must also be 1 or -1.
    %d = 2 - 99,999; password control ID value; can be any value if Send Keys is used
PassKeyCtrlType = %d
    Identifies the control type of the password control field.
    %d = 0; edit control (default)
    %d = 1; combobox control
    %d = 2; listbox control
PassPolicy = %s
    Identifies which password policy section to associate with this application logon configuration.
    %s = Policy Section Name
PresetFocusAll = %b
    Specifies whether to set the focus to a logon field before the agent actually places data in that field.
    %b = 0; disabled (default)
    %b = 1; enabled
QuietGenerator = %b
    When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    %b = 0; do not use quiet generator; use the standard password change process with user intervention (default)
    %b = 1; use quiet generator
Section%d = %s
    Declaration of application subsections.
    %d = consecutive integers
    %s = subsection name
SystemLogon = %b
    RESERVED. Flag identifying if a logon section is a system logon section.
    %b = 0; not a system logon section (default)
    %b = 1; system logon section
Timeout = %d
    Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    %d = amount of time in seconds (default: 30)
UseSendKeys = %b
    Send fields via keystrokes to the application. If UseSendKeys is selected, then the IDCtrl, PassKeyCtrl, OtherCtrl1, OtherCtrl2, and (if present) ChgCtrl0, ChgCtrl1, ChgCtrl2, and ChgCtrl3 variables must all be set to 1, if needed.
    %b = 0; do not use Send Keys; use control IDs (default)
    %b = 1; use Send Keys
VTabKey%d0 = %d1
    Specifies the character/delay sequence to send before/after each credential field.
    Note: Fields are sent in the order specified by CtrlOrder.
    Note: UseSendKeys must also be enabled.
    Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
    %d0 = 1; sequence to send before the first credential field
    %d0 = 2; sequence to send after the first field, before the second; and so on. %d0 is not bounded.
    %d1 = Code sequence to send (see) (default: standard tab key)
VTabKeyPWC%d0 = %d1
    Specifies the character/delay sequence to send before/after each credential field.
    Note: Fields are sent in the order specified by CtrlOrder.
    Note: UseSendKeys must also be enabled.
    Note: To send nothing for the specified value, specify a value of `` (two back-quotes in a row).
    %d0 = 1; sequence to send before the first credential field
    %d0 = 2; sequence to send after the first field, before the second; and so on. %d0 is not bounded.
    %d1 = Code sequence to send (see) (default: standard tab key)
WindowTitle%d = %s
    Text matched against logon window titles to identify logon requests. %d is replaced with a number, starting at 1, so that multiple windows can be identified for a single logon.
    %d = consecutive integers
    %s = window title string
Windows Application Keys for Section N subsection
These settings are used within subsections delineated by SectionN.
Example
[Corporate WinApp]
Section1=~Corporate WinApp Logon
Section2=~Corporate WinApp Password Change
...
[~Corporate WinApp Logon]
(the keys below)
Windows Application Keys (for the description and acceptable values of each key, see the parent section, above):
AppPathKey%d = %s
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d
CtrlOrder = %s1, %s2, %s3...
IDCtrl = %d
IDCtrlType = %d
IgnoreClassName = %s
InteractionMode = %b
Match%d = %s
ModuleName%d = %s
OKCtrl = %d
OtherCtrl1 = %d
OtherCtrl1Type = %d
OtherCtrl2 = %d
OtherCtrl2Type = %d
ParentKey1 = %s
PassKeyCtrl = %d
PassKeyCtrlType = %d
VTabKey%d0 = %d1
VTabKeyPWC%d0 = %d1
UseSendKeys = %b
WindowTitle%d = %s
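The Control ID rules in the key reference above are easy to get wrong by hand: once UseSendKeys=1 or any credential control is set to 1, every other Control ID has to be 1 or -1; otherwise control IDs must fall in 2 - 99,999; and SectionN, MatchN, ModuleNameN and WindowTitleN suffixes must be consecutive integers from 1 with ParentKey1 naming the parent. The following Python script is an added example, not IBM's code, that checks those rules over an application definition before it is rolled out, and also flags MaskPW=0 and Group=LDAP/Domain because both change how the stored password is exposed or shared. The [Corporate WinApp] definition it parses is constructed for the example; corpapp.exe, the window titles and the control IDs in it are made up.

```python
"""Consistency checks for TAM E-SSO Windows application sections.

Added example, not IBM's code: it parses an INI-style application definition
and checks the control-ID rules that the key reference states (Send Keys
forces all Control IDs to 1 or -1; control IDs otherwise lie in 2 - 99,999;
Section/Match/ModuleName/WindowTitle suffixes are consecutive integers).
SAMPLE_INI is constructed for this example; every name and ID in it is made up.
"""
import configparser
import re

# Credential control keys named in the IDCtrl / UseSendKeys entries. OKCtrl is
# handled separately because 1 means "agent's internal logic" there, not Send Keys.
FIELD_KEYS = ("IDCtrl", "PassKeyCtrl", "OtherCtrl1", "OtherCtrl2",
              "ChgCtrl0", "ChgCtrl1", "ChgCtrl2", "ChgCtrl3")
NUMBERED_PREFIXES = ("Section", "Match", "ModuleName", "WindowTitle")

SAMPLE_INI = """
[Corporate WinApp]
Section1=~Corporate WinApp Logon
Section2=~Corporate WinApp Password Change
Group=Domain
MaskPW=0

[~Corporate WinApp Logon]
ParentKey1=Corporate WinApp
ModuleName1=corpapp.exe
WindowTitle1=Corporate Login
UseSendKeys=1
IDCtrl=1
PassKeyCtrl=1004
OtherCtrl1=-1
OKCtrl=1

[~Corporate WinApp Password Change]
ParentKey1=Corporate WinApp
ModuleName1=corpapp.exe
ModuleName3=corpapp.exe
WindowTitle1=Change Password
IDCtrl=150000
PassKeyCtrl=1002
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the reference
    cp.read_string(text)
    return cp


def numbered_suffixes(section, prefix):
    """Integer suffixes of keys such as ModuleName1, ModuleName2, ... in ascending order."""
    pat = re.compile(r"^" + re.escape(prefix) + r"(\d+)$")
    return sorted(int(m.group(1)) for m in map(pat.match, section) if m)


def check_section(cp, name, parent=None):
    sec = cp[name]
    out = []
    # %d suffixes are consecutive integers starting at 1, and SectionN / MatchN must resolve.
    for prefix in NUMBERED_PREFIXES:
        nums = numbered_suffixes(sec, prefix)
        if nums and nums != list(range(1, len(nums) + 1)):
            out.append(f"[{name}] {prefix}N suffixes are not consecutive from 1: {nums}")
        if prefix in ("Section", "Match"):
            for n in nums:
                target = sec[f"{prefix}{n}"]
                if target not in cp:
                    out.append(f"[{name}] {prefix}{n} points at missing subsection [{target}]")
    if parent is not None and sec.get("ParentKey1") != parent:
        out.append(f"[{name}] ParentKey1 does not name the parent section [{parent}]")
    # Send Keys rule: UseSendKeys=1, or any credential control set to 1,
    # requires every Control ID (OKCtrl included) to be 1 or -1.
    ctrl = {k: int(sec[k]) for k in FIELD_KEYS + ("OKCtrl",) if k in sec}
    send_keys = sec.get("UseSendKeys") == "1" or any(ctrl.get(k) == 1 for k in FIELD_KEYS)
    for k, v in ctrl.items():
        if send_keys and v not in (1, -1):
            out.append(f"[{name}] {k}={v} but Send Keys is in use; it must be 1 or -1")
        elif not send_keys and not (v in (-1, 0) or 2 <= v <= 99999 or (k == "OKCtrl" and v == 1)):
            out.append(f"[{name}] {k}={v} is outside the control-ID range 2 - 99,999")
    # Settings that change how the stored password is shown or shared.
    if sec.get("MaskPW") == "0":
        out.append(f"[{name}] MaskPW=0 shows the password unmasked in the Logon Error dialog")
    shared = {"LDAP": "LDAP Directory Server", "Domain": "Windows"}.get(sec.get("Group", ""))
    if shared:
        out.append(f"[{name}] Group={sec['Group']}: this logon uses the {shared} "
                   "authenticator password (Password Sharing Group; needs registry entry PWSEnable=1)")
    return out


def check_application(cp, name):
    """Check an application section and every SectionN / MatchN subsection it declares."""
    findings = check_section(cp, name)
    for prefix in ("Section", "Match"):
        for n in numbered_suffixes(cp[name], prefix):
            sub = cp[name][f"{prefix}{n}"]
            if sub in cp:
                findings.extend(check_section(cp, sub, parent=name))
    return findings


if __name__ == "__main__":
    for line in check_application(load(SAMPLE_INI), "Corporate WinApp"):
        print(line)
```

Run against the constructed sample, the checker reports five findings: the unmasked password and the Domain sharing group in the parent section, PassKeyCtrl=1004 in a subsection that is already using Send Keys, the ModuleName1/ModuleName3 gap, and IDCtrl=150000 outside the documented range. The same script applied to every application definition in a deployment file gives a repeatable pre-rollout check.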
Windows Application Keys for Match N subsection
These settings are used within subsections delineated by MatchN.
Example
[Corporate WinApp]
Section1=~Whatever subsection
Match1=~Corporate WinApp Logon Match
Match2=~Corporate WinApp Ignore Match
...
[~Corporate WinApp Ignore Match]
(the keys below)
Match Section Keys (for the description and acceptable values of the first five keys, see the parent section, above):
ChangeTitle%d = %s
ChgCtrl0 = %d
ChgCtrl1 = %d
ChgCtrl2 = %d
ChgCtrl3 = %d
Field%d0 = %d1,%s1,%s2,%s3
    The match criteria for the fields. %d0 is replaced with a number, starting at 1, so that multiple matching criteria can be set up for one screen. %d1 is replaced with the control ID of the matching criteria. %s1 is replaced with the control type. %s2 is replaced with the comparison operator. %s3 is replaced with the compare value.
    %d0 = consecutive integers
    %d1 = control ID of the matching criteria
    %s1 = the control type; one of the following, with the corresponding value in %s3:
        text    actual text from the control
        style   numeric value for the style of the control
        class   the class of the control, usually Edit or Static
                Edit    edit or combobox controls
                Static  static controls (for example, text labels)
    %s2 = the comparison operator; one of the following:
        EQ      equals
        NE      not equal
    %s3 = compared value
    Logon      logon events
    Change     password change events
    Confirm    confirm the new password
    Ignore     bypass all events for the application
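The Field%d0 criteria above are what decide whether the agent treats a window as a logon, a password change, or something to ignore, so it is worth being able to evaluate them offline against a known screen. The following Python script is an added example, not IBM's code: it parses Field keys of the form %d1,%s1,%s2,%s3 (control ID, control type, operator, value) from a constructed Match subsection and evaluates them against a constructed snapshot of a window's controls, walking Match1, Match2, ... in order. The control IDs, window text and style values are made up; exact, case-sensitive text comparison and numeric comparison of style values are assumptions of this example, since the reference does not say how the agent compares them.

```python
"""Evaluating MatchN subsection Field criteria against a window snapshot.

Added example, not IBM's code. MATCH_INI and the two control snapshots are
constructed for this example. Assumptions: text and class compare as exact,
case-sensitive strings; style compares numerically (decimal or 0x...).
"""
import configparser
import re

MATCH_INI = """
[Corporate WinApp]
Match1=~Corporate WinApp Logon Match
Match2=~Corporate WinApp Ignore Match

[~Corporate WinApp Logon Match]
ParentKey1=Corporate WinApp
Field1=1001,class,EQ,Edit
Field2=1002,class,EQ,Edit
Field3=1003,text,NE,Session expired

[~Corporate WinApp Ignore Match]
ParentKey1=Corporate WinApp
Field1=1003,class,EQ,Static
Field2=1003,text,EQ,Session expired
"""

# Constructed snapshots: control ID -> the attributes a Field criterion can test.
LOGON_WINDOW = {
    1001: {"class": "Edit", "style": 0x50010080, "text": ""},
    1002: {"class": "Edit", "style": 0x500100A0, "text": ""},
    1003: {"class": "Static", "style": 0x50020000, "text": "Please sign in"},
}
EXPIRED_WINDOW = dict(LOGON_WINDOW)
EXPIRED_WINDOW[1003] = {"class": "Static", "style": 0x50020000, "text": "Session expired"}

FIELD_KEY = re.compile(r"^Field(\d+)$")
CONTROL_TYPES = ("text", "style", "class")
OPERATORS = ("EQ", "NE")


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_criteria(section):
    """Return [(n, control_id, ctype, op, value)] for each FieldN key, ordered by n."""
    crit = []
    for key, raw in section.items():
        m = FIELD_KEY.match(key)
        if not m:
            continue
        parts = raw.split(",", 3)  # the compare value itself may contain commas
        if len(parts) != 4:
            raise ValueError(f"{key}: expected %d1,%s1,%s2,%s3, got {raw!r}")
        ctl, ctype, op, value = (p.strip() for p in parts)
        if ctype not in CONTROL_TYPES or op not in OPERATORS:
            raise ValueError(f"{key}: unsupported control type or operator in {raw!r}")
        crit.append((int(m.group(1)), int(ctl), ctype, op, value))
    return sorted(crit)


def criterion_holds(controls, ctl, ctype, op, value):
    actual = controls.get(ctl, {}).get(ctype)
    if actual is None:
        equal = False          # control absent: EQ fails, NE holds
    elif ctype == "style":
        equal = actual == int(value, 0)
    else:
        equal = actual == value
    return equal if op == "EQ" else not equal


def section_matches(cp, name, controls):
    """All FieldN criteria of one Match subsection must hold."""
    return all(criterion_holds(controls, c, t, o, v)
               for _, c, t, o, v in parse_criteria(cp[name]))


def first_matching_section(cp, app, controls):
    """Walk Match1, Match2, ... of the application; return the first section whose criteria all hold."""
    sec = cp[app]
    n = 1
    while f"Match{n}" in sec:
        target = sec[f"Match{n}"]
        if target in cp and section_matches(cp, target, controls):
            return target
        n += 1
    return None


if __name__ == "__main__":
    cfg = load(MATCH_INI)
    for label, snap in (("logon screen", LOGON_WINDOW), ("expired screen", EXPIRED_WINDOW)):
        print(f"{label}: {first_matching_section(cfg, 'Corporate WinApp', snap)}")
```

With the constructed data the logon snapshot satisfies the Logon Match section, while the "Session expired" snapshot fails its NE criterion and falls through to the Ignore Match section, which is exactly the ordering behaviour an administrator relies on when a Match1 logon definition and a Match2 ignore definition share a window class.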
Host/Mainframe Application Keys
These settings are used within applications delineated in the [*Mainframe] section.
For all keys below that have row/column values, the row/column value starts at 1 (that is, top-left is 1,1).
Note: For Telnet the value must be 1,1.
Example
[*Mainframe]
Section1=Corporate Mainframe
...
[Corporate Mainframe]
(the keys below)
Host Application Keys (description and acceptable values follow each key):
AllowReveal = %b
    Flag that enables or disables the Reveal button for the password in Wizards and property pages.
    %b = 0; disabled
    %b = 1; enabled (default)
AltTabKey = %d
    Flag to indicate how to send credentials to the host emulator. Normally, credentials are sent through a direct HLLAPI call, but this setting specifies using another method. If this is set to 1, then Enter is pressed in between two fields.
    Note: %d=1 is usually used for password-change scenarios that separate the new-password field and the confirm-password field into two screens.
    %d = 0; Use HLLAPI to submit credentials directly to the credential fields (default).
    %d = 1; Replace the Tab key with the Enter key between two fields.
    %d = 2; Use HLLAPI SendKeys and enable support for CtrlOrder, PreKey, and TabKeyN. This is useful for logon scenarios with non-standard credential delimiters.
AutoOK = %b
    Flag that instructs the agent to automatically send Enter for this application logon after insertion of logon data.
    %b = 0; disabled
    %b = 1; enabled (default)
CPWFlag = %d
    Determines the behavior of the Password Change Wizard, for specific applications, when a user encounters a password-change request. This key is specified in the application’s root section, not in a password-change subsection.
    Note: This setting can also be set globally, for all applications, via the Registry. See for instructions.
    %d = 1; Prompts user with Password Change Wizard (default).
    %d = 2; Prompts user to manually enter a new password, but also provides the option of having the agent automatically generate the password.
    %d = 4; Generates the new password automatically, but also provides the option of manually creating the new password.
    %d = 10; Prompts user to manually enter a new password, without providing the option of having the agent automatically generate the password.
    %d = 12; Generates the new password automatically, without providing the option of manually creating the new password.
CtrlOrder = %s1,%s2,%s3,%s4,%s5
    Determines the order in which fields are sent when AltTabKey=2. For example, specifying CtrlOrder=OtherField1,IDField,PassField tells the agent that the order in the dialog box should be OtherField1, then IDField, followed by PassField.
    %s1 = The first field sent (default: IDField)
    %s2 = The second field sent (default: PassField)
    %s3 = The third field sent (default: OtherField1)
    %s4 = The fourth field sent (default: NewPWField)
    %s5 = The fifth field sent (default: NewPWField2)
    %s6 = The sixth field sent (default: OtherField2)
DelayField = %d
    Numeric value in milliseconds for the agent to delay between actions (entering a value into a field).
    %d = integer value in milliseconds
Description = %s
    Text describing this application, also stored in the Description field in Logon Manager.
    %s = any string
Field%d0 = %d1, %d2, %s
    Strings to match against text fields as displayed on the screen for identifying a host/mainframe logon. %d0 is replaced with a number, starting at 1, so that multiple text strings can be used to uniquely identify a logon. For Telnet applications, the values must be 1,1.
    %d0 = consecutive integers
    %d1 = row of first text string character
    %d2 = column of first text string character
    %s = text string
ForceReauth = %b
    Force the user to reauthenticate before providing credentials to this application.
    Note: Applies to all subsections; the user would have to reauthenticate multiple times in a multiple-section password change scenario.
    %b = 0; do not require reauthentication (default)
    %b = 1; require reauthentication
Group = %s
    Group section name that this application is a part of. Used when configuring for Password Sharing Groups. Special values include:
        LDAP: Application uses the LDAP Directory Server authenticator password.
        Domain: Application uses the Windows authenticator password.
    Refer to for detailed instructions.
    Note: Must set Windows Registry entry PWSEnable=1 to enable Groups.
    %s = the section name of the application group that the application belongs to.
HideConfirmPW = %b
    Determines whether to hide the password confirmation field in the Logon Error dialog.
    %b = 0; do not hide confirmation field (default)
    %b = 1; hide confirmation field
IDField = %d1, %d2
    Location of the first input character of the username/ID field as displayed on a host/mainframe logon screen. For Telnet applications, this value is ignored and is optional. Set to 1,0 if the field is not present.
    %d1 = row of first text string character
    %d2 = column of first text string character
MaskPW = %b
    Determines whether to mask the password in the Logon Error dialog.
    %b = 0; do not mask password
    %b = 1; mask password (default)
MaxRetry = %d
    Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    %d = the number of retries (default: 1)
NewPWField = %d1,%d2
    The key-value pair that identifies the location of the new password field.
    %d1 = row of first text string character
    %d2 = column of first text string character
NewPWField2 = %d1,%d2
    The key-value pair that identifies the location of the new password confirmation field. This is optional; it is not necessary if only one new password field is required.
    %d1 = row of first text string character
    %d2 = column of first text string character
OtherField1 = %d1, %d2
    Location of the first input character of the third logon field as displayed on a host/mainframe logon screen. For Telnet applications, this value is ignored and is optional.
    %d1 = row of first text string character
    %d2 = column of first text string character
OtherField2 = %d1, %d2
    Location of the first input character of the fourth logon field as displayed on a host/mainframe logon screen. For Telnet applications, this value is ignored and is optional.
    %d1 = row of first text string character
    %d2 = column of first text string character
OtherLabel1 = %s
    The label presented within the agent for the third logon field.
    %s = text string
OtherLabel2 = %s
    The label presented within the agent for the fourth logon field.
    %s = text string
Page%d = %s
    Pointer to subsections used for multiple pages for one host/mainframe application. One application logon may have multiple pages.
    %d = consecutive integers
    %s = name of the subsection
ParentKey1 = %s
    Maps a subsection to its parent section.
    %s = parent application/section name
PassField = %d1, %d2
    Location of the first input character of the password field as displayed on a host/mainframe logon screen. For Telnet applications, the values must be 1,1. Set to 1,0 if the field is not present.
    %d1 = row of first text string character
    %d2 = column of first text string character
PassPolicy = %s
    Identifies which password policy section to associate with this application logon configuration.
    %s = Policy Section Name
PreKey = %d
    A string of characters and mnemonics defining what should be sent prior to any credential submission.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
QuietGenerator = %b
    When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    %b = 0; do not use quiet generator; use the standard password change process with user intervention (default)
    %b = 1; use quiet generator
TabKey1 = %d
    A string of characters and mnemonics defining what should be sent after IDField is submitted.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey2 = %d
    A string of characters and mnemonics defining what should be sent after PassField is submitted.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey3 = %d
    A string of characters and mnemonics defining what should be sent after OtherField1 is submitted.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey4 = %d
    A string of characters and mnemonics defining what should be sent after NewPWField is submitted.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey5 = %d
    A string of characters and mnemonics defining what should be sent after NewPWField2 is submitted.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey6 = %d
    A string of characters and mnemonics defining what should be sent after OtherField2 is submitted.
    Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
Timeout = %d
    Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    %d = amount of time in seconds (default: 30)
Host Applications: Keys for Page N subsection
These settings are used within subsections delineated by PageN.
Example
[Corporate Mainframe]
Page1=~Corporate Mainframe Logon
Page2=~Corporate Mainframe Password Change
[~Corporate Mainframe Logon]
(the keys below)
Host Application Keys (for the description and acceptable values of each key, see the parent section, above):
AllowReveal = %b
AltTabKey = %d
AutoOK = %b
CPWFlag = %d
CtrlOrder = %s1,%s2,%s3,%s4,%s5
DelayField = %d
Description = %s
Field%d0 = %d1, %d2, %s
ForceReauth = %b
Group = %s
HideConfirmPW = %b
IDField = %d1, %d2
MaskPW = %b
MaxRetry = %d
NewPWField = %d1,%d2
NewPWField2 = %d1,%d2
OtherField1 = %d1, %d2
OtherField2 = %d1, %d2
OtherLabel1 = %s
OtherLabel2 = %s
Page%d = %s
ParentKey1 = %s
PassField = %d1, %d2
PassPolicy = %s
PreKey = %d
QuietGenerator = %b
TabKey1 = %d
TabKey2 = %d
TabKey3 = %d
TabKey4 = %d
TabKey5 = %d
Timeout = %d
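The host/mainframe keys above describe a small submission protocol: AltTabKey selects direct HLLAPI writes (0), Enter between fields (1), or HLLAPI SendKeys (2); only in mode 2 are PreKey, CtrlOrder and TabKey1..TabKey6 honoured, with TabKeyN sent after the N-th field of the default order (TabKey1 after IDField, TabKey2 after PassField, TabKey3 after OtherField1, TabKey4 after NewPWField, TabKey5 after NewPWField2, TabKey6 after OtherField2). The following Python script is an added example, not IBM's code, that reads a constructed [Corporate Mainframe] section and derives the resulting submission plan (field, screen position, key sequence sent afterwards), enforcing the row/column-start-at-1 rule, the 1,0 "not present" sentinel and the 25-character limit on PreKey/TabKeyN, and separately lists the settings that expose the password in the agent's own UI. The plan names fields and positions only; no credential value is part of it. Assumptions of this example: a missing TabKeyN sends nothing, 1,0 marks any field as not present, and the @C/@T/@E strings are sample mnemonics written in HLLAPI style.

```python
"""Keystroke plan derived from a host/mainframe logon section.

Added example, not IBM's code. HOST_INI is constructed for this example.
Assumptions: a missing TabKeyN sends nothing; 1,0 marks any field as not
present; @C/@T/@E are sample mnemonics in HLLAPI style.
"""
import configparser

HOST_INI = """
[*Mainframe]
Section1=Corporate Mainframe

[Corporate Mainframe]
Field1=1,1,CORPORATE MAINFRAME
IDField=3,20
PassField=4,20
OtherField1=5,20
OtherField2=1,0
AltTabKey=2
CtrlOrder=OtherField1,IDField,PassField
PreKey=@C
TabKey1=@T
TabKey2=@E
TabKey3=@T
AllowReveal=1
"""

# Default submission order; TabKeyN is the sequence sent after the N-th entry
# of this list (TabKey1 after IDField, TabKey2 after PassField, ...).
DEFAULT_ORDER = ["IDField", "PassField", "OtherField1",
                 "NewPWField", "NewPWField2", "OtherField2"]
TABKEY_FOR = {f: f"TabKey{i}" for i, f in enumerate(DEFAULT_ORDER, start=1)}
MAX_SEQUENCE_LEN = 25  # PreKey / TabKeyN maximum length from the reference


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def present_fields(sec):
    """Fields that have a screen position; 1,0 marks a field that is not present."""
    fields = {}
    for name in DEFAULT_ORDER:
        if name in sec:
            row, col = (int(p) for p in sec[name].split(","))
            if (row, col) == (1, 0):
                continue
            if row < 1 or col < 1:
                raise ValueError(f"{name}={sec[name]}: rows and columns start at 1")
            fields[name] = (row, col)
    return fields


def key_sequence(sec, key):
    """PreKey / TabKeyN string, enforcing the 25-character maximum."""
    seq = sec.get(key, "")
    if len(seq) > MAX_SEQUENCE_LEN:
        raise ValueError(f"{key} exceeds the maximum length of {MAX_SEQUENCE_LEN} characters")
    return seq


def submission_plan(cp, name):
    """Return (prekey, [(field, (row, col), keys_after), ...]) in submission order."""
    sec = cp[name]
    mode = int(sec.get("AltTabKey", "0"))
    if mode not in (0, 1, 2):
        raise ValueError(f"AltTabKey={mode} is not 0, 1 or 2")
    fields = present_fields(sec)
    if mode == 2:
        # CtrlOrder is honoured only for AltTabKey=2; fields it omits are not sent.
        order = [f.strip() for f in sec.get("CtrlOrder", ",".join(DEFAULT_ORDER)).split(",")]
        unknown = [f for f in order if f not in DEFAULT_ORDER]
        if unknown:
            raise ValueError(f"CtrlOrder names unknown fields: {unknown}")
    else:
        order = DEFAULT_ORDER
    plan = []
    for f in order:
        if f not in fields:
            continue
        if mode == 0:
            keys_after = ""           # direct HLLAPI write into the field, no keystrokes
        elif mode == 1:
            keys_after = "<Enter>"    # Enter instead of Tab between fields
        else:
            keys_after = key_sequence(sec, TABKEY_FOR[f])
        plan.append((f, fields[f], keys_after))
    if mode == 1 and plan:
        plan[-1] = (plan[-1][0], plan[-1][1], "")  # Enter goes between fields only
    prekey = key_sequence(sec, "PreKey") if mode == 2 else ""
    return prekey, plan


def review_settings(sec):
    """Settings that show the stored password in the agent's own UI."""
    notes = []
    if sec.get("AllowReveal", "1") != "0":
        notes.append("AllowReveal=1 (default): Reveal button shows the password in Wizards and property pages")
    if sec.get("MaskPW") == "0":
        notes.append("MaskPW=0: password is shown unmasked in the Logon Error dialog")
    return notes


if __name__ == "__main__":
    cfg = load(HOST_INI)
    prekey, plan = submission_plan(cfg, "Corporate Mainframe")
    print("PreKey:", repr(prekey))
    for field, pos, after in plan:
        print(f"  {field:12s} at row {pos[0]}, col {pos[1]}; then send {after!r}")
    for note in review_settings(cfg["Corporate Mainframe"]):
        print("note:", note)
```

For the constructed section the plan is PreKey @C, then OtherField1 at 5,20 followed by TabKey3, IDField at 3,20 followed by TabKey1, and PassField at 4,20 followed by TabKey2; OtherField2 is skipped because 1,0 marks it absent. Switching the same section to AltTabKey=1 drops PreKey and CtrlOrder and yields the default order with Enter between fields, which is the behaviour the reference describes for two-screen password changes.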
Host/Mainframe Application Keys
These settings are used within applications delineated in the [*Mainframe] section.
For all keys below that have row/column values, the row/column value starts at 1 (that is, top-left is
1,1).
Note: For Telnet the value must be 1,1.
Example
[*Mainframe]
Section1=Corporate Mainframe
Chapter 4. SSO Administrative Console Reference Topics 219
![Page 224: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/224.jpg)
&
[Corporate Mainframe]
(the keys below)
Host Application Keys Description Acceptable values
AllowReveal = %b Flag that enables or disables the
Reveal button for password in
Wizards and property pages.
%b = 0; disabled
%b = 1; enabled (default)
AltTabKey = %d Flag to indicate how to send
credentials to the host emulator.
Normally, credentials are sent
through a direct HLLAPI call but this
setting specifies using another
method. If this is set to 1, then Enter
is pressed in between two fields.
This is usually used for password
change screens that separate the new
password and confirmation password
into two screens.
Note: %d=1 is usually used for
password-change scenarios that
separate the new-password field and
confirm-password into two screens.
%d = 0; Use HLLAPI to submit
credentials directly to the credential
fields (default).
%d = 1; Replace the Tab key with the
Enter key between two fields.
%d = 2; Use HLLAPI SendKeys and
enable support for CtrlOrder, PreKey,
and TabKey N. This is useful for
logon scenarios with non-standard
credential delimiters.
AutoOK = %b Flag instructs the agent to
automatically send Enter for this
application logon after insertion of
logon data.
%b = 0; disabled
%b = 1; enabled (default)
CPWFlag = %d Determines the behavior of the
Password Change Wizard, for specific
applications, when a user encounters
a password-change request. This key
is specified in the application’s root
section, not in a password-change
subsection.
Note: This setting can also be set
globally, for all applications, via the
Registry. See for instructions.
%d = 1; Prompts user with Password
Change Wizard (default).
%d = 2; Prompts user to manually
enter a new password, but also
provides the option of having the
agent automatically generate the
password.
%d = 4; Generates the new password
automatically, but also provides the
option of manually creating the new
password.
%d = 10; Prompts user to manually
enter a new password, without
providing the option of having the
agent automatically generate the
password.
%d = 12; Generates the new
password automatically, without
providing the option of manually
creating the new password.
220 Introduction
![Page 225: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/225.jpg)
CtrlOrder = %s1,%s2,%s3,%s4,%s5 Determines the order in which fields
are sent when AltTabKey=2.
For example, specifying
CtrlOrder=OtherField1,IDField,PassField
tells the agent that the order in the
dialog box should be OtherField1,
then IDField, followed by PassField.
%s1 = The first field sent (default:
IDField)
%s2 = The second field sent (default:
PassField)
%s3 = The third field sent (default:
OtherField1)
%s4 = The fourth field sent (default:
NewPWField)
%s5 = The fifth field sent (default:
NewPWField2)
%s5 = The sixth field sent (default:
OtherField2)
DelayField = %d Numeric value in milliseconds for the
agent to delay between actions
(entering value into a field).
%d = integer value in milliseconds
Description = %s Text describing this application, also
stored in the Description field in
Logon Manager.
%s = any string
Field%d0 = %d1, %d2, %s Strings to match against text fields as
displayed on the screen for
identifying a host/mainframe logon.
%d0 is replaced with a number,
starting at 1, so that multiple text
strings can be used to uniquely
identify a logon. For Telnet
applications, the values must be 1,1.
%d0 = consecutive integers
%d1 = row of first text string
character
%d2 = column of first text string
character
%s = text string
ForceReauth = %b Force the user to reauthenticate
before providing credentials to this
application.
Note: Applies to all subsections; the
user would have to reauthenticate
multiple times in a multiple-section
password change scenario .
%b = 0; do not require
reauthentication (default)
%b = 1; require reauthentication
Group = %s Group section name that this
application is a part of. Used when
configuring for Password Sharing
Groups. Special values include:
LDAP: Application uses LDAP
Directory Server authenticator
password.
Domain: Application uses the
Windows authenticator password.
Refer to for detailed instructions.
Note: Must set Windows Registry
entry PWSEnable=1 to enable
Groups.
%s = the section name of the
application group that the application
belongs to.
Chapter 4. SSO Administrative Console Reference Topics 221
![Page 226: Introduction - IBMpublib.boulder.ibm.com/tividd/td/ITAMfESSO/esso_help/en... · 2006. 6. 26. · Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) provides](https://reader033.vdocuments.site/reader033/viewer/2022051902/5ff12b0fcca2144900047fcb/html5/thumbnails/226.jpg)
HideConfirmPW = %b
    Description: Determines whether to hide the password confirmation field in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not hide confirmation field (default)
        %b = 1; hide confirmation field
IDField = %d1, %d2
    Description: Location of first input character of the username/ID field as displayed on a host/mainframe logon screen. For Telnet applications, this value is ignored and is optional. Set to 1,0 if the field is not present.
    Acceptable values: %d1 = row of first text string character; %d2 = column of first text string character
MaskPW = %b
    Description: Determines whether to mask the password in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not mask password
        %b = 1; mask password (default)
MaxRetry = %d
    Description: Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    Acceptable values: %d = the number of retries (default: 1)
NewPWField = %d1,%d2
    Description: The key-value pair that identifies the location of the new password field.
    Acceptable values: %d1 = row of first text string character; %d2 = column of first text string character
NewPWField2 = %d1,%d2
    Description: The key-value pair that identifies the location of the new password confirmation field. This is optional and is not necessary if only one new password field is required.
    Acceptable values: %d1 = row of first text string character; %d2 = column of first text string character
OtherField1 = %d1, %d2
    Description: Location of first input character of the third logon field as displayed on a host/mainframe logon screen. For Telnet applications, this value is ignored and is optional.
    Acceptable values: %d1 = row of first text string character; %d2 = column of first text string character
OtherField2 = %d1, %d2
    Description: Location of first input character of the fourth logon field as displayed on a host/mainframe logon screen. For Telnet applications, this value is ignored and is optional.
    Acceptable values: %d1 = row of first text string character; %d2 = column of first text string character
OtherLabel1 = %s
    Description: The label presented within the agent for the third logon field.
    Acceptable values: %s = text string
OtherLabel2 = %s
    Description: The label presented within the agent for the fourth logon field.
    Acceptable values: %s = text string
Page%d = %s
    Description: Pointer to subsections used for multiple pages for one host/mainframe application. One application logon may have multiple pages.
    Acceptable values: %d = consecutive integers; %s = name of the subsection
ParentKey1 = %s
    Description: Maps a subsection to its parent section.
    Acceptable values: %s = parent application/section name
PassField = %d1, %d2
    Description: Location of first input character of the password field as displayed on a host/mainframe logon screen. For Telnet applications, the values must be 1,1. Set to 1,0 if the field is not present.
    Acceptable values: %d1 = row of first text string character; %d2 = column of first text string character
PassPolicy = %s
    Description: Identifies which password policy section to associate with this application logon configuration.
    Acceptable values: %s = Policy Section Name
PreKey = %d
    Description: A string of characters and mnemonics defining what should be sent prior to any credential submission.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
QuietGenerator = %b
    Description: When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    Acceptable values:
        %b = 0; do not use quiet generator; use the standard password change process with user intervention (default)
        %b = 1; use quiet generator
TabKey1 = %d
    Description: A string of characters and mnemonics defining what should be sent after IDField is submitted.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey2 = %d
    Description: A string of characters and mnemonics defining what should be sent after PassField is submitted.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey3 = %d
    Description: A string of characters and mnemonics defining what should be sent after OtherField1 is submitted.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey4 = %d
    Description: A string of characters and mnemonics defining what should be sent after NewPWField is submitted.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey5 = %d
    Description: A string of characters and mnemonics defining what should be sent after NewPWField2 is submitted.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
TabKey6 = %d
    Description: A string of characters and mnemonics defining what should be sent after OtherField2 is submitted.
    Acceptable values: Any combination of characters and/or ASCII mnemonics. Maximum length is 25 characters.
Timeout = %d
    Description: Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    Acceptable values: %d = amount of time in seconds (default: 30)
Host Applications: Keys for Page N subsection
These settings are used within subsections delineated by PageN.
Example
[Corporate Mainframe]
Page1=~Corporate Mainframe Logon
Page2=~Corporate Mainframe Password Change
[~Corporate Mainframe Logon]
(the keys below)
Host Application Keys (Page N subsection)
Each of the following keys takes the description and acceptable values given for it in the parent section, above:
AllowReveal = %b
AltTabKey = %d
AutoOK = %b
CPWFlag = %d
CtrlOrder = %s1,%s2,%s3,%s4,%s5
DelayField = %d
Description = %s
Field%d0 = %d1, %d2, %s
ForceReauth = %b
Group = %s
HideConfirmPW = %b
IDField = %d1, %d2
MaskPW = %b
MaxRetry = %d
NewPWField = %d1,%d2
NewPWField2 = %d1,%d2
OtherField1 = %d1, %d2
OtherField2 = %d1, %d2
OtherLabel1 = %s
OtherLabel2 = %s
Page%d = %s
ParentKey1 = %s
PassField = %d1, %d2
PassPolicy = %s
PreKey = %d
QuietGenerator = %b
TabKey1 = %d
TabKey2 = %d
TabKey3 = %d
TabKey4 = %d
TabKey5 = %d
Timeout = %d
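As an added example (not IBM's code and not shipped with the product), the following Python checks a host-application section and its PageN subsections against the rules the two tables above state: PageN and FieldN numbering must be consecutive from 1, ParentKey1 must name the parent, field positions are "row, column", PreKey and TabKeyN are limited to 25 characters, %b flags are 0 or 1, and for Telnet the Field and PassField positions must be 1,1. The INI-style storage, the telnet parameter and the sample values are assumptions; treating a missing PassField as an error follows the "set to 1,0 if the field is not present" wording.

```python
import configparser
import re

# Constructed sample modelled on the [Corporate Mainframe] example in the text; every value
# is invented for illustration (assumption: the definitions are stored as INI-style text).
SAMPLE_INI = """
[Corporate Mainframe]
Page1=~Corporate Mainframe Logon
Page2=~Corporate Mainframe Password Change

[~Corporate Mainframe Logon]
ParentKey1=Corporate Mainframe
Field1=1, 1, LOGON
IDField=5, 20
PassField=6, 20
Timeout=45

[~Corporate Mainframe Password Change]
ParentKey1=Corporate Mainframe
Field1=1, 1, CHANGE PASSWORD
PassField=3, 20
NewPWField=4, 20
NewPWField2=5, 20
PreKey=this-prefix-string-is-far-too-long
"""

COORD_KEYS = ("IDField", "PassField", "NewPWField", "NewPWField2", "OtherField1", "OtherField2")
KEYSTROKE_KEYS = ("PreKey",) + tuple(f"TabKey{i}" for i in range(1, 7))
FLAG_KEYS = ("AllowReveal", "AutoOK", "ForceReauth", "HideConfirmPW", "MaskPW", "QuietGenerator")
MAX_KEYSTROKE_LEN = 25           # "Maximum length is 25 characters"
DEFAULTS = {"Timeout": 30, "MaxRetry": 1}


def load_config(text):
    """Parse INI-style text, keeping key case so Page1 and IDField survive as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_coords(value):
    """'%d1, %d2' -> (row, column); 1,0 is the documented marker for a field that is not present."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected 'row, column', got {value!r}")
    return int(parts[0]), int(parts[1])


def numbered_keys(section, prefix, problems):
    """[(n, value)] for prefixN keys; the numbers must be consecutive integers starting at 1."""
    found = {}
    for key in section:
        m = re.fullmatch(rf"{prefix}(\d+)", key)
        if m:
            found[int(m.group(1))] = section[key]
    if sorted(found) != list(range(1, len(found) + 1)):
        problems.append(f"[{section.name}]: {prefix}N keys must be consecutive from 1, got {sorted(found)}")
    return sorted(found.items())


def effective_int(section, key):
    """Integer setting, falling back to the table's default (Timeout 30, MaxRetry 1)."""
    return int(section.get(key, DEFAULTS[key]))


def check_logon_section(cp, name, telnet=False):
    """Problems in one logon page (a PageN subsection); `telnet` is an assumed caller-supplied flag."""
    sec, problems = cp[name], []
    # Field%d0: text strings that identify the screen; for Telnet the position must be 1,1.
    for n, value in numbered_keys(sec, "Field", problems):
        parts = [p.strip() for p in value.split(",", 2)]
        if len(parts) != 3:
            problems.append(f"[{name}]: Field{n} must be 'row, column, text string'")
        elif telnet and parts[:2] != ["1", "1"]:
            problems.append(f"[{name}]: Field{n} must be 1,1 for Telnet applications")
    # Field positions: 'row, column'; for Telnet IDField is ignored and PassField must be 1,1.
    for key in COORD_KEYS:
        if key in sec:
            try:
                coords = parse_coords(sec[key])
            except ValueError as exc:
                problems.append(f"[{name}]: {key}: {exc}")
                continue
            if telnet and key == "PassField" and coords != (1, 1):
                problems.append(f"[{name}]: PassField must be 1,1 for Telnet applications")
    if "PassField" not in sec:       # assumption: the key is always present, 1,0 when the field is not
        problems.append(f"[{name}]: PassField missing; use 1,0 if the screen has no password field")
    for key in KEYSTROKE_KEYS:       # PreKey / TabKeyN: at most 25 characters
        if key in sec and len(sec[key]) > MAX_KEYSTROKE_LEN:
            problems.append(f"[{name}]: {key} is {len(sec[key])} characters, maximum is {MAX_KEYSTROKE_LEN}")
    for key in FLAG_KEYS:            # %b flags accept only 0 or 1
        if key in sec and sec[key].strip() not in ("0", "1"):
            problems.append(f"[{name}]: {key} must be 0 or 1, got {sec[key]!r}")
    return problems


def check_host_application(cp, app, telnet=False):
    """Problems in an application section and every PageN subsection it points at."""
    if app not in cp:
        return [f"[{app}]: section not found"]
    problems = []
    for n, sub in numbered_keys(cp[app], "Page", problems):
        if sub not in cp:
            problems.append(f"[{app}]: Page{n} points at missing subsection [{sub}]")
            continue
        if cp[sub].get("ParentKey1") != app:
            problems.append(f"[{sub}]: ParentKey1 must name the parent section {app!r}")
        problems.extend(check_logon_section(cp, sub, telnet))
    return problems
```

Run against the sample, the non-Telnet check reports only the over-long PreKey; with telnet=True both PassField positions are reported as well.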
Web Application Keys
These settings are used within applications delineated in the [*Other Webs] section.
Example
[*Mainframe]
Section1=Corporate Mainframe
&
[Corporate Mainframe]
(the keys below)
AllowReveal = %b
    Description: Flag that enables or disables the Reveal button for the password in Wizards and property pages.
    Acceptable values:
        %b = 0; disabled
        %b = 1; enabled (default)
AutoOK = %b
    Description: Flag instructing the agent to automatically send Enter for this application logon after insertion of logon data.
    Acceptable values:
        %b = 0; disabled
        %b = 1; enabled (default)
CPWFlag = %d
    Description: Determines the behavior of the Password Change Wizard, for specific applications, when a user encounters a password-change request. This key is specified in the application's root section, not in a password-change subsection. Note: This setting can also be set globally, for all applications, via the Registry. See for instructions.
    Acceptable values:
        %d = 1; Prompts the user with the Password Change Wizard (default).
        %d = 2; Prompts the user to manually enter a new password, but also provides the option of having the agent automatically generate the password.
        %d = 4; Generates the new password automatically, but also provides the option of manually creating the new password.
        %d = 10; Prompts the user to manually enter a new password, without providing the option of having the agent automatically generate the password.
        %d = 12; Generates the new password automatically, without providing the option of manually creating the new password.
Description = %s
    Description: Text describing this application, also stored in the Description field in Logon Manager.
    Acceptable values: %s = any string
ForceReauth = %b
    Description: Force the user to reauthenticate before providing credentials to this application. Note: Applies to all subsections; the user would have to reauthenticate multiple times in a multiple-section password change scenario.
    Acceptable values:
        %b = 0; do not require reauthentication (default)
        %b = 1; require reauthentication
Group = %s
    Description: Group section name that this application is a part of. Used when configuring for Password Sharing Groups. Special values include: LDAP: Application uses the LDAP Directory Server authenticator password. Domain: Application uses the Windows authenticator password. Refer to for detailed instructions. Note: Must set Windows Registry entry PWSEnable=1 to enable Groups.
    Acceptable values: %s = the section name of the application group that the application belongs to.
HideConfirmPW = %b
    Description: Determines whether to hide the password confirmation field in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not hide confirmation field (default)
        %b = 1; hide confirmation field
IDField = %s1,%s2,%s3,%s4
    Description: Identification of the field for entering a username/ID. Note: If a frame/form/field name consists solely of digits, the enumerated value must be used.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)
MaskPW = %b
    Description: Determines whether to mask the password in the Logon Error dialog.
    Acceptable values:
        %b = 0; do not mask password
        %b = 1; mask password (default)
MaxRetry = %d
    Description: Determines the number of logon retries the agent makes before displaying the Logon Error dialog.
    Acceptable values: %d = the number of retries (default: 1)
NewPWField = %s1,%s2,%s3,%s4
    Description: Identification of the field for entering a new password.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)
NewPWField2 = %s1,%s2,%s3,%s4
    Description: Identification of the field for confirming a new password.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)
OtherField1 = %s1,%s2,%s3,%s4
    Description: Identification of the third logon field.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)
OtherField2 = %s1,%s2,%s3,%s4
    Description: Identification of the fourth logon field.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)
OtherLabel1 = %s
    Description: The label presented within the agent for a third logon field.
    Acceptable values: %s = text string
OtherLabel2 = %s
    Description: The label presented within the agent for a fourth logon field.
    Acceptable values: %s = text string
ParentKey1 = %s
    Description: Maps a subsection to its parent section.
    Acceptable values: %s = parent application/section name
PassField = %s1,%s2,%s3,%s4
    Description: Identification of the field for entering the password.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number; %s4 = Field type (text/password)
PassPolicy = %s
    Description: Identifies which password policy section to associate with this application logon configuration.
    Acceptable values: %s = Policy Section Name
QuietGenerator = %b
    Description: When set, this flag instructs the agent to handle password change requests automatically and not inform the user that a password change request has been handled.
    Acceptable values:
        %b = 0; do not use quiet generator; use the standard password change process with user intervention (default)
        %b = 1; use quiet generator
Section%d = %s
    Description: Declaration of application subsections.
    Acceptable values: %d = consecutive integers; %s = subsection name
StrictURLCheck = %b
    Description: Determines whether to require an exact (case-insensitive) URL match or to use substring matching.
    Acceptable values:
        %b = 0; use substring matching (default)
        %b = 1; use precise matching
SubmitField = %s1,%s2,%s3,%s4
    Description: Identification of the Submit button (or equivalent). The value format is frame name/number, form name/number, field name/number/URL, and field type. If the field type is image, the field name must be the entire/exact URL. Note: This entry is optional. If not specified, the agent uses its own internal search logic to locate and press this button.
    Acceptable values: %s1 = Frame name/number; %s2 = Form name/number; %s3 = Field name/number/URL; %s4 = Field type (submit/image)
Timeout = %d
    Description: Determines the maximum time period between successive logon attempts that will trigger Error Loop detection.
    Acceptable values: %d = amount of time in seconds (default: 30)
URL%d = %s
    Description: The address(es) of a Web site's logon page(s). Note: If the web address contains spaces or special characters, use the URL quoting method (RFC 2396) to define the web address. This means substituting %20 for each space in the URL and substituting similar "%"-escaped ASCII hexadecimal values for all characters other than the following: : / , . = ? @
    Acceptable values: %d = consecutive integers starting with 1; %s = Web URL
Web Application Keys for Section N subsection
These settings are used within subsections delineated by SectionN.
Example
[Corporate WebApp]
Section1=~Corporate Intranet Logon #1
Section2=~Corporate Intranet Logon #2
&
[~Corporate Intranet Logon #1]
(the keys below)
Web Application Keys (Section N subsection)
Each of the following keys takes the description and acceptable values given for it in the parent section, above:
IDField = %s1,%s2,%s3,%s4
NewPWField = %s1,%s2,%s3,%s4
NewPWField2 = %s1,%s2,%s3,%s4
OtherField1 = %s1,%s2,%s3,%s4
OtherField2 = %s1,%s2,%s3,%s4
ParentKey1 = %s
PassField = %s1,%s2,%s3,%s4
SubmitField = %s1,%s2,%s3,%s4
URL%d = %s
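As an added example (not IBM's code), the following Python applies the URL%d, StrictURLCheck and field-reference rules above: it percent-encodes a logon URL leaving only : / , . = ? @ unescaped (alphanumerics and the marks urllib never escapes also pass through, an assumption since the note lists only punctuation), matches the page the browser is on against each SectionN subsection's URL%d values in strict or substring mode, and splits a %s1,%s2,%s3,%s4 reference, enforcing that an image SubmitField carries the full URL. The sample configuration is constructed.

```python
import configparser
import re
from urllib.parse import quote

# Characters the URL%d note leaves unescaped. urllib.parse.quote also never escapes
# alphanumerics or the RFC 2396 unreserved marks - _ . ~ (assumption, see lead-in).
SAFE = ":/,.=?@"

# Constructed sample modelled on the [Corporate WebApp] example in the text; values are invented.
SAMPLE_INI = """
[Corporate WebApp]
Section1=~Corporate Intranet Logon #1
Section2=~Corporate Intranet Logon #2
StrictURLCheck=0

[~Corporate Intranet Logon #1]
ParentKey1=Corporate WebApp
URL1=https://intranet.example.com/login
IDField=0,loginform,username,text
PassField=0,loginform,password,password
SubmitField=0,loginform,https://intranet.example.com/img/go.gif,image

[~Corporate Intranet Logon #2]
ParentKey1=Corporate WebApp
URL1=https://intranet.example.com/hr/Logon%20Page
IDField=0,0,user,text
PassField=0,0,pass,password
"""

FIELD_TYPES = {"text", "password"}     # IDField, PassField, NewPWField(2), OtherField1/2
SUBMIT_TYPES = {"submit", "image"}     # SubmitField


def load_config(text):
    cp = configparser.ConfigParser(interpolation=None)   # no %-interpolation: URLs contain %20
    cp.optionxform = str                                  # keep key case (URL1, IDField)
    cp.read_string(text)
    return cp


def quote_logon_url(url):
    """Encode a logon URL as the URL%d note requires: %20 for spaces, %XX for other unsafe characters."""
    return quote(url, safe=SAFE)


def url_matches(configured, observed, strict):
    """StrictURLCheck=1: exact, case-insensitive match; 0 (default): the configured URL is a substring."""
    c, o = configured.lower(), observed.lower()
    return c == o if strict else c in o


def numbered_values(section, prefix):
    """Values of prefix1, prefix2, ... in numeric order (used for Section%d and URL%d)."""
    pairs = []
    for key in section:
        m = re.fullmatch(rf"{prefix}(\d+)", key)
        if m:
            pairs.append((int(m.group(1)), section[key]))
    return [value for _, value in sorted(pairs)]


def match_logon_section(cp, app, observed_url):
    """Name of the first SectionN subsection of `app` whose URL%d matches the page the browser shows."""
    strict = cp[app].get("StrictURLCheck", "0").strip() == "1"
    for sub in numbered_values(cp[app], "Section"):
        if sub in cp and any(url_matches(u, observed_url, strict) for u in numbered_values(cp[sub], "URL")):
            return sub
    return None


def parse_field(value, submit=False):
    """'%s1,%s2,%s3,%s4' -> frame/form/field/type; all-digit names are read as enumerated indexes."""
    parts = [p.strip() for p in value.split(",", 3)]
    if len(parts) != 4:
        raise ValueError(f"expected frame,form,field,type: {value!r}")
    frame, form, field, ftype = parts
    if ftype not in (SUBMIT_TYPES if submit else FIELD_TYPES):
        raise ValueError(f"unexpected field type {ftype!r} in {value!r}")
    if ftype == "image" and not re.match(r"https?://", field):
        raise ValueError("an image SubmitField must give the entire, exact image URL")

    def enum(s):
        return int(s) if s.isdigit() else s
    return {"frame": enum(frame), "form": enum(form), "field": enum(field), "type": ftype}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    print(quote_logon_url("https://intranet.example.com/hr/Logon Page?x=a b"))
    print(match_logon_section(cfg, "Corporate WebApp", "https://INTRANET.example.com/login?next=/home"))
```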
Password Policy Keys
These settings are used within subsections delineated by SectionN in the [*PasswordPolicies] section.
Example
[*PasswordPolicies]
Section1=A policy
Section2=PIN
Section3=Windows
&
[A policy]
(the keys below)
ALPHA = %s
    Description: Flag instructing the agent to use alphabetic characters when generating a password.
    Acceptable values:
        %s = U; use upper case alphabetic characters only
        %s = L; use lower case alphabetic characters only
        %s = UL; use upper and lower case characters (default)
        %s = (nothing); use no alphabetic characters
NAME = %s
    Description: Descriptive name of this password policy.
    Acceptable values: %s = any string
NUMCONSMAX = %d
    Description: Number of times a character can be adjacent to itself.
    Acceptable values: %d = 0 - 127 (default: 8)
NUMERIC = %b
    Description: Flag instructing the agent to use numeric characters when generating a password.
    Acceptable values:
        %b = 0; do not use numeric characters (default)
        %b = 1; use numeric characters
NUMFLAGFIRST = %b
    Description: Flag indicating if a numeric character can start a password.
    Acceptable values:
        %b = 0; numeric character cannot start (default)
        %b = 1; numeric character can start
NUMFLAGLAST = %b
    Description: Flag indicating if a numeric character can end a password.
    Acceptable values:
        %b = 0; numeric character cannot end (default)
        %b = 1; numeric character can end
NUMRPTMAX = %d
    Description: Number of times a character can be repeated in a password.
    Acceptable values: %d = 0 - 127 (default: 8)
NUMSIZE = %d
    Description: Maximum number of numeric characters.
    Acceptable values: %d = 0 - 128 (default: 0)
NUMSIZEMIN = %d
    Description: Minimum number of numeric characters.
    Acceptable values: %d = 0 - 128 (default: 0)
SBYE = %s
    Description: List of special characters to exclude when generating this password. The Windows registry key pair that holds the list of special characters normally used, but which can be excluded, is AccessManager:SpecialChars.
    Acceptable values: %s = any string of special characters to exclude, such as: !@#$
SCHARFLAGFIRST = %b
    Description: Flag specifying if a special character can start a password.
    Acceptable values:
        %b = 0; special character cannot start (default)
        %b = 1; special character can start
SCHARFLAGLAST = %b
    Description: Flag specifying if a special character can end a password.
    Acceptable values:
        %b = 0; special character cannot end (default)
        %b = 1; special character can end
SCHARS = %b
    Description: Flag instructing the agent to use special characters when generating a password.
    Acceptable values:
        %b = 0; do not use special characters (default)
        %b = 1; use special characters
SCHARSIZE = %d
    Description: Maximum number of special characters.
    Acceptable values: %d = 0 - 128 (default: 0)
SCHARSIZEMIN = %d
    Description: Minimum number of special characters.
    Acceptable values: %d = 0 - 128 (default: 0)
SIZE = %d
    Description: Maximum total length of a password.
    Acceptable values: %d = 1 - 255 (default: 8)
SIZEMIN = %d
    Description: Minimum total length of a password.
    Acceptable values: %d = 1 - 255 (default: 8)
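The table above describes the policy from the generator's side; the same keys define what a compliant password looks like, which is what an administrator wants to verify when a policy is written. As an added example (not IBM's code), the following Python loads the [*PasswordPolicies] layout shown above, fills in the table's defaults, and reports which keys a candidate password violates. The special-character list is a constructed stand-in for the AccessManager:SpecialChars registry value, a maximum of 0 is read as "no maximum", and NUMRPTMAX/NUMCONSMAX are read as repeats beyond the first occurrence; all three are assumptions.

```python
import configparser
from collections import Counter
from itertools import groupby

# Constructed stand-in for the AccessManager:SpecialChars registry value the SBYE row mentions.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.?")

# Defaults as given in the Password Policy Keys table.
DEFAULTS = {"ALPHA": "UL", "NUMERIC": "0", "NUMFLAGFIRST": "0", "NUMFLAGLAST": "0",
            "NUMCONSMAX": "8", "NUMRPTMAX": "8", "NUMSIZE": "0", "NUMSIZEMIN": "0", "SBYE": "",
            "SCHARS": "0", "SCHARFLAGFIRST": "0", "SCHARFLAGLAST": "0", "SCHARSIZE": "0",
            "SCHARSIZEMIN": "0", "SIZE": "8", "SIZEMIN": "8"}

# Constructed sample in the [*PasswordPolicies] layout shown above; both policies are invented.
SAMPLE_INI = """
[*PasswordPolicies]
Section1=A policy
Section2=PIN

[A policy]
ALPHA=UL
NUMERIC=1
NUMSIZEMIN=2
NUMFLAGLAST=1
SCHARS=1
SCHARSIZEMIN=1
SBYE=!@
NUMRPTMAX=1
NUMCONSMAX=1
SIZEMIN=10
SIZE=16

[PIN]
ALPHA=
NUMERIC=1
NUMFLAGFIRST=1
NUMFLAGLAST=1
NUMSIZEMIN=4
SIZEMIN=4
SIZE=4
"""


def load_policies(text):
    """{policy name: {KEY: value}} for every SectionN under [*PasswordPolicies], defaults filled in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep the upper-case key names
    cp.read_string(text)
    index = cp["*PasswordPolicies"]
    order = sorted((k for k in index if k.startswith("Section")), key=lambda k: int(k[7:]))
    return {index[k]: {**DEFAULTS, **dict(cp[index[k]])} for k in order}


def check_password(pw, policy):
    """Return the policy rules a candidate password violates (an empty list means compliant)."""
    def flag(key):
        return policy[key].strip() == "1"

    def num(key):
        return int(policy[key])
    alpha = policy["ALPHA"].strip().upper()
    allowed_specials = SPECIAL_CHARS - set(policy["SBYE"])
    v = []
    if not num("SIZEMIN") <= len(pw) <= num("SIZE"):
        v.append(f"SIZEMIN/SIZE: length {len(pw)} not in {policy['SIZEMIN']}..{policy['SIZE']}")
    for ch in pw:                               # every character must belong to a permitted class
        if ch.isascii() and ch.isalpha():
            ok, why = ("U" in alpha if ch.isupper() else "L" in alpha), f"ALPHA={alpha!r}"
        elif ch.isascii() and ch.isdigit():
            ok, why = flag("NUMERIC"), "NUMERIC=0"
        elif ch in allowed_specials:
            ok, why = flag("SCHARS"), "SCHARS=0"
        else:
            ok, why = False, ("SBYE" if ch in SPECIAL_CHARS else "no permitted class")
        if not ok:
            v.append(f"{why}: character {ch!r} not permitted")
    for label, count, lo, hi in (("numeric", sum(c.isdigit() for c in pw), "NUMSIZEMIN", "NUMSIZE"),
                                 ("special", sum(c in allowed_specials for c in pw), "SCHARSIZEMIN", "SCHARSIZE")):
        if count < num(lo):
            v.append(f"{lo}: {count} {label} characters, need {policy[lo]}")
        if 0 < num(hi) < count:                 # 0 read as "no maximum" (assumption)
            v.append(f"{hi}: {count} {label} characters, maximum {policy[hi]}")
    for where, ch, nkey, skey in (("start", pw[:1], "NUMFLAGFIRST", "SCHARFLAGFIRST"),
                                  ("end", pw[-1:], "NUMFLAGLAST", "SCHARFLAGLAST")):
        if ch.isdigit() and not flag(nkey):
            v.append(f"{nkey}=0: a numeric character cannot {where} the password")
        if ch in SPECIAL_CHARS and not flag(skey):
            v.append(f"{skey}=0: a special character cannot {where} the password")
    # Repeats beyond the first occurrence: 'mmm' is two adjacent repeats and two repetitions (assumption).
    if max(Counter(pw).values(), default=0) - 1 > num("NUMRPTMAX"):
        v.append(f"NUMRPTMAX: a character is repeated more than {policy['NUMRPTMAX']} times")
    if max((len(list(g)) for _, g in groupby(pw)), default=0) - 1 > num("NUMCONSMAX"):
        v.append(f"NUMCONSMAX: a character is adjacent to itself more than {policy['NUMCONSMAX']} times")
    return v
```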
Global Agent Settings
Various functions and behaviors of TAM E-SSO can be centrally defined by using the Settings dialog, setting Windows registry settings on the local workstation, and specifying Administrative Overrides via a Synchronizer extension. Note: Configure these settings in the Administrative Console. The table is provided only for reference.
Registry settings can be set by the agent, by the Administrative Console, with the RegEdit Windows utility and via a centrally managed software distribution mechanism. Registry settings are found in the following Windows Registry locations:
• HKLM\ ... \ for computer-specific settings
• HKCU\ ... \ for user-specific settings
Administrative Override objects from Synchronizer extensions specify settings that override the HKLM\ ... \ Windows Registry settings, which in turn override the HKCU\ ... \ Windows Registry settings.
Example:
Synchronizer extension object: Extensions\AccessManager:MFEnable=DWORD:0
    overrides
Computer-specific Registry Location (HKLM\...\): HKLM\ ... \Extensions\AccessManager:MFEnable
    overrides
User-specific Registry Location (HKCU\...\), or the user setting "Mainframe Enable" in the Settings dialog in TAM E-SSO: HKCU\ ... \Extensions\AccessManager:MFEnable
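As an added illustration (not IBM's code) of the precedence just described, the following Python parses an override object written in the Extensions\AccessManager:MFEnable=DWORD:0 form shown above and resolves the effective value of each setting across the three layers, recording which layer won. The layer contents are constructed; in a real audit they would be read from the Synchronizer object and from the HKLM and HKCU registry locations.

```python
from typing import Dict, List, Tuple

# One dict per location, keyed "path:ValueName" exactly as the override object names it.
Layer = Dict[str, object]


def parse_override(obj: str) -> Tuple[str, str, str, object]:
    r"""'Extensions\AccessManager:MFEnable=DWORD:0' -> (path, value name, registry type, value)."""
    location, sep, typed = obj.partition("=")
    path, colon, name = location.rpartition(":")
    reg_type, sep2, raw = typed.partition(":")
    if not (sep and colon and sep2):
        raise ValueError(f"malformed override object: {obj!r}")
    reg_type = reg_type.upper()
    value = int(raw, 0) if reg_type == "DWORD" else raw     # DWORD values are integers
    return path, name, reg_type, value


def override_layer(objects: List[str]) -> Layer:
    """Highest-precedence layer, built from a Synchronizer extension's Administrative Override objects."""
    layer: Layer = {}
    for obj in objects:
        path, name, _, value = parse_override(obj)
        layer[f"{path}:{name}"] = value
    return layer


def effective_setting(key: str, overrides: Layer, hklm: Layer, hkcu: Layer):
    """(value, source) the agent applies for `key`: override beats HKLM, HKLM beats HKCU."""
    for source, layer in (("Administrative Override", overrides), ("HKLM", hklm), ("HKCU", hkcu)):
        if key in layer:
            return layer[key], source
    return None, None


def effective_view(overrides: Layer, hklm: Layer, hkcu: Layer) -> Dict[str, Tuple[object, str]]:
    """Merged view of every setting present in any layer, with the winning source (an audit aid)."""
    keys = set(overrides) | set(hklm) | set(hkcu)
    return {k: effective_setting(k, overrides, hklm, hkcu) for k in sorted(keys)}


# Constructed sample: mainframe support is disabled centrally while the workstation's HKLM
# value and the user's Settings dialog (HKCU) still have it enabled.
OVERRIDES = override_layer([r"Extensions\AccessManager:MFEnable=DWORD:0"])
HKLM: Layer = {r"Extensions\AccessManager:MFEnable": 1, "Shell:ShowTrayIcon": 1}
HKCU: Layer = {r"Extensions\AccessManager:MFEnable": 1, "Shell:ShowAccessBtn": 1}

if __name__ == "__main__":
    for key, (value, source) in effective_view(OVERRIDES, HKLM, HKCU).items():
        print(f"{key} = {value}  (from {source})")
```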
Overriding Settings: Registry Values
Each setting below is headed by its Display Path (the node in the Console's left pane navigator) and Display Name (the setting in the right pane property sheet), written as Display Path > Display Name, followed by:
v Registry: the registry path and value name, relative to the product's registry root (the HKLM\ ... \ or HKCU\ ... \ location above)
v Description: what the setting does, including its notes
v Options: the allowed values and their meanings, where the setting has a fixed set
v Default: the default value
v Type: the Registry Type (DWORD, String, or Binary) and, where the Console defines one, the Data Type (int, filename, UniqueChars, PasswordPolicy)
End-User Experience > Show the Tray Icon
  Registry:    Shell:ShowTrayIcon
  Description: Whether to show the Tray Icon.
  Options:     0 = Do not show; 1 = Show
  Default:     1
  Type:        dword

End-User Experience > Title Bar Button
  Registry:    Shell:ShowAccessBtn
  Description: Whether to show the Title Bar Button on window/dialog title bars.
  Options:     0 = Do not show; 1 = Show
  Default:     0
  Type:        dword

End-User Experience > Title Bar Button Menu
  Registry:    Shell:ShowAccessBtnMenu
  Description: Whether to show the menu from the Title Bar Button.
  Options:     0 = Do not show; 1 = Show
  Default:     1
  Type:        dword

End-User Experience > Tray Icon tooltip
  Registry:    Shell:TrayIconName
  Description: Text to provide in the Tray Icon label. (Recommended use: labeling each Citrix MetaFrame/Terminal Services/remote server/session.)
  Default:     v-GO Single Sign-On
  Type:        string (string)
Chapter 4. SSO Administrative Console Reference Topics 237
End-User Experience > Tray Icon tooltip: Show System Name
  Registry:    Shell:TrayIconDisplaySysName
  Description: Whether to show the computer name after the Tray Icon name. A separator of space-dash-space is inserted before the computer name when TrayIconName is not set, or when it is set and not empty/null.
  Options:     0 = Do not show; 1 = Show
  Default:     0
  Type:        dword

End-User Experience\Advanced > Logon Animation's duration
  Registry:    Shell:AutoLogonAnimationTime
  Description: Time (in milliseconds) the animated spinner appears (pausing response). Note: A value of 0 disables the spinner.
  Default:     0
  Type:        dword (int)

End-User Experience\Advanced > Logon Chooser Columns
  Registry:    Extensions\AccessManager\LogonChooser:Columns
  Description: Order of the columns displayed in the Logon Chooser.
  Options:     1 = Username/ID; 2 = Application Name; 3 = Description
  Default:     1,2,3
  Type:        string

End-User Experience\Advanced > Logon Manager "Details" Columns
  Registry:    Extensions\AccessManager\LogonManager:Columns
  Description: Columns to display, and the order to use, in the Logon Manager "Details" view.
  Options:     1 = Application Name; 2 = URL/Module; 3 = Username/ID; 4 = Password; 5 = Modified; 6 = Last Used; 7 = Description; 8 = Group; 9 = Third Field; 10 = Fourth Field
  Default:     1,2,3,4,5,6,7,8
  Type:        string
End-User Experience\Advanced > Logon Manager Refresh button
  Registry:    Extensions\AccessManager:AllowRefresh
  Description: Enable/disable the Logon Manager Refresh button.
  Options:     0 = Disable; 1 = Enable
  Default:     1
  Type:        dword

End-User Experience\Advanced > User can shut down TAM E-SSO from the System Tray Icon Menu
  Registry:    Shell:AllowShutdown
  Description: When enabled (default), the end user can shut down the Agent by selecting "Shut Down" from the System Tray Icon menu. When disabled, this menu item is unavailable (greyed out).
  Options:     0 = Do not allow shutdown from menu; 1 = Allow shutdown from menu
  Default:     1
  Type:        dword

End-User Experience\Advanced\Performance > Increase user data storage priority
  Registry:    Extensions\StorageManager\InMemShr:ThreadPriority
  Description: Increase the processing priority for storing changes to user data (e.g., credentials). Set to Increase only if the workstation's CPU typically runs at 100% usage.
  Options:     1 = Increase processing priority; 0 = Do not increase processing priority
  Default:     0
  Type:        dword

End-User Experience\Advanced\Performance > Set delay for first update (after startup) to stored user data (ms)
  Registry:    Extensions\StorageManager\InMemShr:IntitialThreadDelay
  Description: Interval (in milliseconds) to wait after v-GO starts up before writing changes in user data (e.g., credentials) to the internal database.
  Default:     5000
  Type:        dword (int)
End-User Experience\Advanced\Performance > Set delay for storing user data (ms)
  Registry:    Extensions\StorageManager\InMemShr:ThreadDelay
  Description: Interval (in milliseconds) to wait before writing changes in user data (e.g., credentials) to the internal database.
  Default:     500
  Type:        dword (int)

End-User Experience\Advanced\Performance > Store user data on disk in encrypted file
  Registry:    Extensions\StorageManager\InMemShr:LocalStorage
  Description: Store a copy of user data (e.g., credentials) locally in an encrypted database file in each user's Application Data folder.
  Options:     1 = Store user data in a disk file; 0 = Do not store user data in a disk file
  Default:     1
  Type:        dword

End-User Experience\Advanced\Special Tasks > After Agent starts up
  Registry:    Shell\Tasks:StartupTaskN
  Description: Command(s) that run every time the background task starts (the Tray Icon appears).
  Default:     none
  Type:        string

End-User Experience\Advanced\Special Tasks > Before Agent starts
  Registry:    Shell\Tasks:PreTaskN
  Description: Command(s) that run before any agent process starts. Note: The agent will not continue if any of these tasks fail (as indicated by the resultant registry value located at License:PreCheck).
  Default:     none
  Type:        string

End-User Experience\Advanced\Special Tasks > When logons are deleted
  Registry:    Shell\Tasks:DeletionTaskN
  Description: Command(s) that run every time a user deletes an application configuration.
  Default:     none
  Type:        string
End-User Experience\Advanced\Special Tasks > When logons change (add, delete, copy, modify)
  Registry:    Shell\Tasks:RefreshTaskN
  Description: Command(s) that run every time credentials and user configurations are modified. Note (applies to all Special Tasks values): these command lines are resolved through the same Override > HKLM > HKCU chain as every other setting, so a command that must run on every workstation belongs in HKLM or in an Administrative Override, and should name its executable by a fully qualified path in a location users cannot write to.
  Default:     none
  Type:        string

End-User Experience\Environment > Default Backup path
  Registry:    Shell:AutoBackupPath
  Description: Default backup path for silent backup. If this is not present and not specified on the command line, the user's application data directory (%AppData%\SSO) is used.
  Default:     none
  Type:        string (filename)

End-User Experience\Environment > Language
  Registry:    [Root]:Language
  Description: Language to be used. Note: Other values may be acceptable based on localized versions. Note: The display font should support the desired characters in the specified language.
  Options:     ENG = English
  Default:     ENG
  Type:        string

End-User Experience\Environment > Location of entlist.ini file
  Registry:    Extensions\AccessManager:EntList
  Description: Fully qualified path and filename of the entlist.ini file.
  Default:     none
  Type:        string (filename)
End-User Experience\Environment > SubLanguage
  Registry:    [Root]:SubLanguage
  Description: Language settings for the language set by Language. Note: Other values may be acceptable based on localized versions. Note: The display font should support the desired characters in the specified language.
  Options:     ENG = Default support; DBL = Extended support
  Default:     ENG
  Type:        string

End-User Experience\Password Change\Advanced > Allow user to exclude logons from password groups
  Registry:    Extensions\AccessManager:AllowExcludePWSG
  Description: Allows the end user to exclude application logons from an assigned password sharing group.
  Options:     0 = Do not allow; 1 = Allow
  Default:     0
  Type:        dword

End-User Experience\Password Change\Advanced > Notify Primary Logon Method
  Registry:    AUI:ShareToAuth
  Description: Support password sharing back to the current Authenticator when a credential in its share group is changed. Note: Currently supported only for Windows Authenticator v2 and LDAP Authenticator v2. Note: Since the user will not be made aware of the new password, it is not advised to use automatic password generation for password changes for applications in the share group.
  Options:     0 = Do not notify the Authenticator; 1 = Notify the Authenticator
  Default:     0
  Type:        dword
End-User Experience\Password Change\Advanced > Quietly Change Passwords
  Registry:    Extensions\AccessManager:QuietGenerator
  Description: Whether to inform the user about a password change.
  Options:     0 = Inform the user; 1 = Do not inform the user
  Default:     0
  Type:        dword

End-User Experience\Password Change\Change Policies > Characters: Lowercase
  Registry:    Extensions\AccessManager:LowerAlphaChars
  Description: List of characters allowed as "Lowercase Alphabet" characters in password policies.
  Default:     abcdefghijklmnopqrstuvwxyz
  Type:        string (UniqueChars)

End-User Experience\Password Change\Change Policies > Characters: Numeric
  Registry:    Extensions\AccessManager:NumericChars
  Description: List of characters allowed as "Numeric" characters in password policies.
  Default:     1234567890
  Type:        string (UniqueChars)

End-User Experience\Password Change\Change Policies > Characters: Special
  Registry:    Extensions\AccessManager:SpecialChars
  Description: List of characters allowed as "Special" characters in password policies.
  Default:     !@#$^&*_-+=[]\|,?
  Type:        string (UniqueChars)

End-User Experience\Password Change\Change Policies > Characters: Uppercase
  Registry:    Extensions\AccessManager:UpperAlphaChars
  Description: List of characters allowed as "Uppercase Alphabet" characters in password policies.
  Default:     ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Type:        string (UniqueChars)
End-User Experience\Password Change\Change Policies > Default Policy
  Registry:    Extensions\AccessManager:DefaultPolicy
  Description: Name of the section in entlist.ini that contains the default password policy. (If no policy is specified in entlist.ini, the default policy in applist.ini is used.)
  Default:     none
  Type:        string (PasswordPolicy)

End-User Experience\Password Change\Common > Default Change Password Wizard behavior
  Registry:    Extensions\AccessManager:CPWFlag
  Description: Determines the behavior of the Password Change Wizard when a user encounters a password-change request.
  Options:     1 = Prompt; 2 = Manual, offer auto; 4 = Auto, offer manual; 10 = Manual only; 12 = Auto only
  Default:     1
  Type:        dword
End-User Experience\Password Change\Required > Password Groups
  Registry:    Extensions\AccessManager:PWSEnable
  Description: Enable/disable password sharing between credentials in a group. (If this setting is not enabled, Password Sharing Groups are not used.) Note: If using the Domain group and Windows Authenticator v2 is to be included in the group, do not disable AUI\Windows Authenticator v2:PWSEnable. Note: If using the LDAP group and LDAP Authenticator v2 is to be included in the group, do not disable AUI\LDAP Authenticator v2:PWSEnable.
  Options:     0 = Disabled; 1 = Enabled
  Default:     0
  Type:        dword

End-User Experience\Response > Automatically logon to applications
  Registry:    Shell:UseActiveLogin
  Description: Whether to automatically provide credentials to applications.
  Options:     0 = Do not automatically provide credentials; 1 = Automatically provide credentials
  Default:     1
  Type:        dword

End-User Experience\Response > Display "Add another logon" checkbox
  Registry:    Extensions\AccessManager:ShowAddAdditionalLogon
  Description: Enable/disable display of the "Add another logon" checkbox in the Add Wizard.
  Options:     0 = Disable; 1 = Enable
  Default:     0
  Type:        dword
End-User Experience\Response > Limit user to predefined applications
  Registry:    Extensions\AccessManager:AllowUnknown
  Description: Whether to allow the user to add credentials for applications that are not predefined.
  Options:     0 = Limit; 1 = Do not limit
  Default:     1
  Type:        dword

End-User Experience\Response > Logon to waiting applications upon agent startup
  Registry:    Shell:LogonOnStartup
  Description: Enable the agent, at startup, to submit credentials to a Windows or Java application that has already presented its logon form. Note: Web and host/mainframe application logons are not affected by this setting.
  Options:     0 = Do not logon; 1 = Logon at startup
  Default:     0
  Type:        dword

End-User Experience\Response > Prompt user to add new logons
  Registry:    Shell:UseAutoSense
  Description: Whether to prompt the user, when a new application is detected, to ask if the user wants to add a logon for it.
  Options:     0 = Do not prompt; 1 = Prompt
  Default:     1
  Type:        dword

End-User Experience\Response > Time allowed for Java applets to load
  Registry:    Extensions\AccessManage:MaxAppletLoadTime
  Description: Maximum time (in seconds) that the Agent waits for a Java applet to be fully loaded in the browser.
  Default:     6
  Type:        dword (int)
End-User Experience\Response > Utilize the just-added Logon
  Registry:    Extensions\AccessManager:LogonAfterConfig
  Description: Whether to logon to an application after configuring it (adding its credentials). Note: Overridden by the application configuration-specific setting.
  Options:     0 = Do not logon; 1 = Logon
  Default:     1
  Type:        dword

End-User Experience\Response\Error Loop > Maximum retries before prompting
  Registry:    Extensions\AccessManager\Dlg:MaxRetry
  Description: Number of logon retries before displaying the Error Loop dialog. Note: Overridden by application-type and application configuration-specific settings. Note: This applies to each set of credentials.
  Default:     1
  Type:        dword (int)

End-User Experience\Response\Error Loop > Maximum time for retries before prompting
  Registry:    Extensions\AccessManager\Dlg:Timeout
  Description: Maximum seconds for all successive logon attempts before the Error Loop dialog appears. Note: Overridden by application-type and application configuration-specific settings. Note: This applies to each set of credentials.
  Default:     30
  Type:        dword (int)
End-User Experience\Response\Error Loop > Require password confirmation when modifying password
  Registry:    Extensions\AccessManager\Dlg:HideConfirmPW
  Description: Whether to display the Confirm Password field in the Logon Error dialog; the default is to require password confirmation. Note: Overridden by application-type and application configuration-specific settings.
  Options:     0 = Require; 1 = Do not require
  Default:     0
  Type:        dword

End-User Experience\Response\Host/Mainframe Apps > Host/Mainframe support
  Registry:    Extensions\AccessManager:MFEnable
  Description: Enable/disable host/mainframe support.
  Options:     0 = Disable; 1 = Enable
  Default:     1
  Type:        dword

End-User Experience\Response\Host/Mainframe Apps > Polling Interval
  Registry:    Extensions\AccessManager\MHO:CycleInterval
  Description: Interval (in milliseconds) between the agent's checks of the host emulator for changes. Lower values can use more CPU time; higher values can increase the time between when a screen appears and when the agent provides credentials.
  Default:     700
  Type:        dword (int)

End-User Experience\Response\Host/Mainframe Apps\Error Loop > Maximum retries before prompting
  Registry:    Extensions\AccessManager\Dlg:MainframeMaxRetry
  Description: Controls the number of logon retries for host/mainframe logons.
  Default:     1
  Type:        dword (int)
End-User Experience\Response\Host/Mainframe Apps\Error Loop > Maximum time for retries before prompting
  Registry:    Extensions\AccessManager\Dlg:MainframeTimeout
  Description: Controls the retry timeout (in seconds) for host/mainframe logons.
  Default:     30
  Type:        dword (int)

End-User Experience\Response\Host/Mainframe Apps\Error Loop > Require password confirmation when modifying password
  Registry:    Extensions\AccessManager\Dlg:MainframeHideConfirmPW
  Description: Whether to display the Confirm Password field in the Logon Error dialog for host/mainframe logons; the default is to require password confirmation.
  Options:     0 = Require; 1 = Do not require
  Default:     0
  Type:        dword

End-User Experience\Response\Web Apps > Border Appearance
  Registry:    Extensions\AccessManager\BHO:FeedbackColor
  Description: Default border color/size/style.
  Default:     red 6px solid
  Type:        string (string)

End-User Experience\Response\Web Apps > Show Border
  Registry:    Extensions\AccessManager\BHO:ShowBorder
  Description: Enable/disable the border around fields.
  Options:     0 = Disable; 1 = Enable
  Default:     1
  Type:        dword

End-User Experience\Response\Web Apps > URL Matching Precision
  Registry:    Extensions\AccessManager:DNLevelsToMatch
  Description: Number of levels of the URL's host name used as the matching criterion. Note: Values below 2 are treated as 2. For the Web URL http://mail.Passlogix.com: 2 = match to *Passlogix.com; 3 = match to *mail.Passlogix.com. At the default of 2 a stored logon is matched against every host under the same two-label domain, so raise the value for applications whose parent domain is shared with sites run by other parties.
  Default:     2
  Type:        dword (int)
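The URL Matching Precision rule, worked through as an added example (not code from the documentation or the product). It keeps the last N host-name labels, treats N below 2 as 2, and reports which visited hosts a stored Web logon would be matched against at each precision; that the comparison is case-insensitive and ignores everything but the host name is an assumption of the example, as is the constructed list of visited URLs.

```python
"""URL Matching Precision (Extensions\\AccessManager:DNLevelsToMatch) worked through.
Added example, not product code.  Rule from the reference: keep the last N labels
of the URL's host name, with N below 2 treated as 2.  Case-insensitive comparison
on the host name alone is this example's assumption."""

from typing import List
from urllib.parse import urlsplit


def match_key(url: str, levels: int) -> str:
    """The host-name suffix a logon is matched on, in the reference's '*suffix' notation."""
    levels = max(2, levels)                  # values below 2 are treated as 2
    host = urlsplit(url).hostname or ""      # lower-cased, port and userinfo stripped
    labels = host.split(".")
    return "*" + ".".join(labels[-levels:])  # a host with fewer labels keeps them all


def same_site(stored_url: str, visited_url: str, levels: int) -> bool:
    """True when the two URLs agree on their last `levels` host-name labels."""
    return match_key(stored_url, levels) == match_key(visited_url, levels)


def hosts_offered(stored_url: str, visited_urls: List[str], levels: int) -> List[str]:
    """Which of the visited URLs the stored logon would be matched against."""
    return [u for u in visited_urls if same_site(stored_url, u, levels)]


# Constructed sample: a logon stored for the reference's example host, and three
# pages a user might visit.  The third only looks similar as a raw string suffix;
# label-wise it belongs to example.test, so it must never match.
STORED = "http://mail.Passlogix.com/login"
VISITED = ["https://mail.passlogix.com/owa",
           "https://intranet.passlogix.com/login",
           "https://passlogix.com.example.test/login"]

if __name__ == "__main__":
    for levels in (2, 3):
        print(f"DNLevelsToMatch={levels}: key {match_key(STORED, levels)} "
              f"matches {hosts_offered(STORED, VISITED, levels)}")
```

At the default precision of 2 the logon stored for mail.passlogix.com is also matched by intranet.passlogix.com; at 3 only the mail host matches. The matching is done on whole labels, which is why the example.test host is never offered the logon even though the text "passlogix.com" appears in its name.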
End-User Experience\Response\Web Apps\Error Loop > Maximum retries before prompting
  Registry:    Extensions\AccessManager\Dlg:WebMaxRetry
  Description: Controls the number of logon retries for Web logons.
  Default:     1
  Type:        dword (int)
End-User Experience\Response\Web Apps\Error Loop > Maximum time for retries before prompting
  Registry:    Extensions\AccessManager\Dlg:WebTimeout
  Description: Controls the retry timeout (in seconds) for Web logons.
  Default:     30
  Type:        dword (int)

End-User Experience\Response\Web Apps\Error Loop > Require password confirmation when modifying password
  Registry:    Extensions\AccessManager\Dlg:WebHideConfirmPW
  Description: Whether to display the Confirm Password field in the Logon Error dialog for Web logons; the default is to require password confirmation.
  Options:     0 = Require; 1 = Do not require
  Default:     0
  Type:        dword

End-User Experience\Response\Windows Apps > Supported Window Classes for Applications
  Registry:    Extensions\AccessManager:AppClasses
  Description: Default Window Class Names recognized as applications.
  Default:     #32770;Dialog;ThunderRT5FormDC;ThunderRT6FormDC
  Type:        string (string)

End-User Experience\Response\Windows Apps > Supported Window Classes for Services
  Registry:    Extensions\AccessManager:ServiceClasses
  Description: Default Window Class Names recognized as services.
  Default:     #32770;Dialog;ThunderRT5FormDC;ThunderRT6FormDC
  Type:        string (string)

End-User Experience\Response\Windows Apps > Wait for a Window Title
  Registry:    Extensions\AccessManager:EmptyTitleRetryCount
  Description: For slow-appearing dialogs/applications, how long (in half-seconds) the Agent waits for a window title to appear. If the window title does not appear in this time, the dialog is ignored. A higher value uses more CPU cycles.
  Default:     6
  Type:        dword (int)
End-User Experience\Response\Windows Apps\Error Loop > Maximum retries before prompting
  Registry:    Extensions\AccessManager\Dlg:AppsMaxRetry
  Description: Controls the number of logon retries for Windows application logons.
  Default:     1
  Type:        dword (int)

End-User Experience\Response\Windows Apps\Error Loop > Maximum time for retries before prompting
  Registry:    Extensions\AccessManager\Dlg:AppsTimeout
  Description: Controls the retry timeout (in seconds) for Windows application logons.
  Default:     30
  Type:        dword (int)

End-User Experience\Response\Windows Apps\Error Loop > Require password confirmation when modifying password
  Registry:    Extensions\AccessManager\Dlg:AppsHideConfirmPW
  Description: Whether to display the Confirm Password field in the Logon Error dialog for Windows logons; the default is to require password confirmation.
  Options:     0 = Require; 1 = Do not require
  Default:     0
  Type:        dword

End-User Experience\Setup Wizard > Enable/disable First-Time-Use (FTU) wizard
  Registry:    Extensions\SetUpManager:HideWizard
  Description: Controls whether the Setup Wizard is displayed when first-time use is invoked. Note: If the wizard is hidden and more than one authenticator (primary logon method) is installed, the first authenticator in the list is automatically selected as the end user's primary logon method.
  Options:     0 = Do not hide; 1 = Hide
  Default:     0
  Type:        dword
End-User Experience\Setup Wizard > Selected Primary Logon
  Registry:    AUI:Selected
  Description: Enables the selected logon method as the primary logon method and hides all other installed logon methods. The default is no selection (i.e., end users select their own primary logon method). Note: To hide the primary logon method selection menu, use the "Enable/disable First-Time-Use (FTU) wizard" setting. If the primary logon method selection page is hidden and this setting is blank, the first installed logon method in the list is automatically selected.
  Options:     (blank) = None; MSauth = Windows v2; WinAuth = Windows; LDAP = LDAP; LDAPauth = LDAP v2; MultiAuth = Authentication Manager
  Default:     none
  Type:        string

End-User Experience\Setup Wizard > Skip "selection" page if only one Primary Logon Method installed
  Registry:    AUI:HideSingleSelection
  Description: Hide the "Select Primary Logon Method" step in the Setup Wizard if only one Primary Logon Method is installed.
  Options:     0 = Do not hide/skip the Select step of the Setup Wizard; 1 = Hide/skip the Select step of the Setup Wizard
  Default:     0
  Type:        dword
Event Logging > Select events to log:
  Registry:    Extensions\EventManager:Filter
  Description: Event logging filter delineating which events to log. The option values are hexadecimal bit flags (each is a power of two), so several event types are selected by combining their values; with the default of 0 no events are logged.
  Options (Event Types): 4 = Credential Edit; 8 = Credential Delete; 10 = Credential Copy; 20 = Credential Add; 100 = Provisioning; 200 = Startup/Shutdown; 400 = Help; 800 = Settings Change; 1000 = Reauthentication; 20000 = Logon Field: System Username; 40000 = Logon Field: System Domain; 80000 = Logon Field: Third Field; 100000 = Logon Field: Username; 200000 = Logon Field: Fourth Field; 800000 = Application Password Change; 1000000 = Primary Logon Method Change; 4000000 = Backup/Restore; 40000000 = (no label given)
  Default:     0
  Type:        dword
Event Logging\Advanced > Cache Limit
  Registry:    Extensions\EventManager:CacheLimit
  Description: Maximum number of event log entries to be cached before old events are discarded. Entries above the limit are dropped rather than delivered later, so size this together with the Cache Retry Interval on workstations whose logging destination is not always reachable.
  Default:     200
  Type:        dword (int)

Event Logging\Advanced > Cache Retry Interval
  Registry:    Extensions\EventManager:Retry
  Description: Interval (in minutes) between retries for all Event Logging extensions.
  Default:     30
  Type:        dword (int)

Event Logging\Advanced > Event Server Message Library location
  Registry:    Extensions\EventManager:EventMessagePath
  Description: Path/filename of the Event Message library (SSOeventmessage.dll), used for viewing events in Windows Event Viewer.
  Default:     C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\SSOeventmessage.dll
  Type:        string (filename)

Event Logging\Advanced > Extension location
  Registry:    Extensions\EventManager:Path
  Description: Path/filename of the Event Logging extension (eventmgr.dll).
  Default:     C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\eventmgr.dll
  Type:        string (filename)
Event Logging\Windows Event Viewer > Windows Event Logging Server
  Registry:    Extensions\EventManager\WindowsEvent:EventServer
  Description: Server name for the Windows Event Logging extension (do not include leading "\\" characters). If missing, events are logged to the local computer. The server must have a trust relationship with the user's account and the user's computer, as its access rights and restrictions require.
  Default:     none
  Type:        string (string)

Event Logging\Windows Event Viewer\Advanced > Cache Retry Interval
  Registry:    Extensions\EventManager\WindowsEvent:Retry
  Description: Interval (in minutes) between retries for the Windows Event Logging extension.
  Default:     30
  Type:        dword (int)

Event Logging\Windows Event Viewer\Advanced > Extension location
  Registry:    Extensions\EventManager\Logs:WindowsEvent
  Description: Path/filename of the Windows Event Logging extension (WindowsEvent.dll).
  Default:     C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\WindowsEvent.dll
  Type:        string (filename)
Event Logging\Windows Event Viewer\Advanced > Of logged events, limit for Windows server to:
  Registry:    Extensions\EventManager\WindowsEvent:Filter
  Description: Event logging filter delineating which events (of those logged by the root Filter setting) to log to the Windows Event Logging extension. The values are the same hexadecimal bit flags as the root Filter; an event reaches this extension only if its flag is set in both filters.
  Options (Event Types): 4 = Credential Edit; 8 = Credential Delete; 10 = Credential Copy; 20 = Credential Add; 100 = Provisioning; 200 = Startup/Shutdown; 400 = Help; 800 = Settings Change; 1000 = Reauthentication; 20000 = Logon Field: System Username; 40000 = Logon Field: System Domain; 80000 = Logon Field: Third Field; 100000 = Logon Field: Username; 200000 = Logon Field: Fourth Field; 800000 = Application Password Change; 1000000 = Primary Logon Method Change; 4000000 = Backup/Restore; 40000000 = (no label given)
  Default:     0
  Type:        dword
Event Logging\XML File > Cache Retry Interval
  Registry:    Extensions\EventManager\LocalStorage:Retry
  Description: Interval (in minutes) between retries for the Local (XML) File Logging extension.
  Default:     30
  Type:        dword (int)

Event Logging\XML File > Extension location
  Registry:    Extensions\EventManager\Logs:LocalStorage
  Description: Path/filename of the Local (XML) File Logging extension (XMLEvent.dll).
  Default:     C:\Program Files\Passlogix\v-GO SSO\Plugin\EventMgr\XMLEvent.dll
  Type:        string (filename)
Event Logging\XML File > Of logged events, limit for XML file to:
  Registry:    Extensions\EventManager\LocalStorage:Filter
  Description: Event logging filter delineating which events (of those logged by the root Filter setting) to log to the Local (XML) File Logging extension. The values are the same hexadecimal bit flags as the root Filter; an event reaches this extension only if its flag is set in both filters.
  Options (Event Types): 4 = Credential Edit; 8 = Credential Delete; 10 = Credential Copy; 20 = Credential Add; 100 = Provisioning; 200 = Startup/Shutdown; 400 = Help; 800 = Settings Change; 1000 = Reauthentication; 20000 = Logon Field: System Username; 40000 = Logon Field: System Domain; 80000 = Logon Field: Third Field; 100000 = Logon Field: Username; 200000 = Logon Field: Fourth Field; 800000 = Application Password Change; 1000000 = Primary Logon Method Change; 4000000 = Backup/Restore; 40000000 = (no label given)
  Default:     0
  Type:        dword
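The three Filter settings (the root Extensions\EventManager:Filter, WindowsEvent:Filter and LocalStorage:Filter) share one value list, so one added example serves all three. It is not code from the documentation or the product: it composes a filter for an audit-oriented set of events, decodes a value back to event names, combines a root filter with an extension filter, and formats the result as a .reg DWORD. Reading the option values as hexadecimal bit flags is this example's assumption, drawn from the list being successive powers of two when read in hex.

```python
"""Event Logging filter masks for TAM E-SSO.  Added example, not product code.

Applies to Extensions\\EventManager:Filter (root) and to the per-extension
WindowsEvent:Filter and LocalStorage:Filter.  The option values are read as
hexadecimal bit flags: the reference lists 4, 8, 10, 20, 100, ... which are
successive powers of two only in hex, so that reading is this example's
assumption rather than a statement the reference makes."""

from typing import List

# Event types exactly as listed in the reference, as hex flags.  The reference
# also lists the value 40000000 without a usable label; it is left out here.
EVENT_TYPES = {
    "Credential Edit": 0x4,
    "Credential Delete": 0x8,
    "Credential Copy": 0x10,
    "Credential Add": 0x20,
    "Provisioning": 0x100,
    "Startup/Shutdown": 0x200,
    "Help": 0x400,
    "Settings Change": 0x800,
    "Reauthentication": 0x1000,
    "Logon Field: System Username": 0x20000,
    "Logon Field: System Domain": 0x40000,
    "Logon Field: Third Field": 0x80000,
    "Logon Field: Username": 0x100000,
    "Logon Field: Fourth Field": 0x200000,
    "Application Password Change": 0x800000,
    "Primary Logon Method Change": 0x1000000,
    "Backup/Restore": 0x4000000,
}


def build_filter(*event_names: str) -> int:
    """OR together the flags for the named event types (KeyError on an unknown name)."""
    mask = 0
    for name in event_names:
        mask |= EVENT_TYPES[name]
    return mask


def decode_filter(mask: int) -> List[str]:
    """Names of the event types a filter value selects, in the reference's order."""
    return [name for name, flag in EVENT_TYPES.items() if mask & flag]


def effective_filter(root_filter: int, extension_filter: int) -> int:
    """An extension only receives events that both its own filter and the root filter select."""
    return root_filter & extension_filter


def reg_dword(mask: int) -> str:
    """The value as a .reg file writes a DWORD (eight hex digits)."""
    return f"dword:{mask:08x}"


# An audit-oriented root filter: every credential life-cycle event plus the
# changes an investigator would want to see.  The "Logon Field" types are left
# out because they concern individual logon fields rather than the agent's own
# state; whether to record them is a per-deployment decision.
AUDIT_FILTER = build_filter(
    "Credential Edit", "Credential Delete", "Credential Copy", "Credential Add",
    "Startup/Shutdown", "Settings Change", "Reauthentication",
    "Application Password Change", "Primary Logon Method Change", "Backup/Restore",
)

if __name__ == "__main__":
    print("root Filter     :", reg_dword(AUDIT_FILTER), decode_filter(AUDIT_FILTER))
    win = build_filter("Startup/Shutdown", "Help")   # Help is not in the root filter
    print("WindowsEvent    :", reg_dword(effective_filter(AUDIT_FILTER, win)),
          decode_filter(effective_filter(AUDIT_FILTER, win)))
    print("default Filter=0:", decode_filter(0))    # nothing is logged
```

Because each extension filter is applied to what the root filter already selects, an event type missing from the root Filter never reaches the Windows Event Log or the XML file no matter what the extension filter says; set the root filter first, then narrow per destination.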
Primary Logon Methods\Authentication Manager > Allowed number of logon methods
  Registry:    AUI\MultiAuth:MaxPreferred
  Description: Sets the maximum number of logon methods that will be presented to a user. Once this number of logon methods have been presented to (and skipped by) the user, a "Choose Logon" dialog is displayed. Defaults to 1. This setting is only used for the Multi-Authenticator primary logon. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default:     1
  Type:        dword (int)
Primary Logon Methods\LDAP v2\Advanced > Alternate User ID location
  Registry:    AUI\LDAPauth:UserLocation
  Description: Indicates where to locate a user object when the user validates against an attribute other than the username. Example: If users authenticate with an employee ID number (validation against the empid attribute) and the user object is in ou=people,dc=computer, set UserLocation to empid=%user,ou=people,dc=computer instead of uid=%user,ou=people,dc=computer. Note: For Novell eDirectory, UserLocation should be uid=%user, followed by the path to the object. Note: If using UserLocation, do not use UserPrepend or UserPaths.
  Default:     none
  Type:        string (string)

Primary Logon Methods\LDAP v2\Advanced > Authenticator Grade
  Registry:    AUI\LDAPauth:AuthGrade
  Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
  Default:     1
  Type:        dword (int)
Primary Logon Methods\LDAP v2\Advanced > BIND Timeout
  Registry:    AUI\LDAPauth:Timeout
  Description: Timeout (in milliseconds) of the LDAP BIND call.
  Default:     depends on the operating system
  Type:        dword (int)

Primary Logon Methods\LDAP v2\Advanced > Include in "LDAP" Password Sharing group
  Registry:    AUI\LDAPauth:PWSEnable
  Description: Enables password sharing from the Primary Logon Method to credentials in the LDAP password sharing group. (Also requires AccessManager:PWSEnable to be enabled.)
  Options:     0 = Disable; 1 = Enable
  Default:     1
  Type:        dword

Primary Logon Methods\LDAP v2\Advanced > Naming Attribute string
  Registry:    AUI\LDAPauth:UserPrepend
  Description: String to prepend to UserPaths when the DN for a user is of the form cn=%UserName%,ou=people,dc=computer rather than namingattribute=%UserName%,ou=people,dc=computer (where namingattribute can be any string). Note: This value usually needs to be set to cn for Novell eDirectory. Note: If using UserPrepend, you must use UserPathN and must not use UserLocation.
  Default:     none
  Type:        string (string)

Primary Logon Methods\LDAP v2\Advanced > Passphrase
  Registry:    AUI\LDAPauth:ResetEnable
  Description: Allow the reset passphrase to be used.
  Options:     0 = Disable; 1 = Enable
  Default:     1
  Type:        dword

Setting: When SSL fails
Location: Primary Logon Methods\LDAP v2\Advanced
Registry key: AUI\LDAPauth:SSLFallback
Description: Whether to fall back to an insecure connection when an SSL connection fails. Note: If set to 1 and any of Servers includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
  mycomputer.com:1272 ;My secure SSL Port
  mycomputer.com:389 ;My fallback port
Values:
  0 = Do not connect if the SSL connection fails
  1 = Connect without SSL (insecure) if the SSL connection fails
Default: 0 (dword)

Setting: Servers
Location: Primary Logon Methods\LDAP v2\Required
Registry key: AUI\LDAPauth\Servers:ServerN
Description: Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified. Example:
  127.0.0.1
  127.0.0.1:456
  somewhereelse.com:8080
  anotherplace.com
Note: At least one server must be specified for this extension to work. Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none (string)

Setting: SSL
Location: Primary Logon Methods\LDAP v2\Required
Registry key: AUI\LDAPauth:UseSSL
Description: Connect via SSL.
Values:
  0 = Connect without SSL (insecure) (default to port #389)
  1 = Connect via SSL (default to port #636)
Default: 1 (dword)

Setting: SSL CertDB location
Location: Primary Logon Methods\LDAP v2\Required
Registry key: AUI\LDAPauth:CertDBPath
Description: Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Default: none (string filename)

Setting: User Paths
Location: Primary Logon Methods\LDAP v2\Required
Registry key: AUI\LDAPauth:UserPathN
Description: Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree. Note: A value for either UserPrepend or at least one value for UserPaths must be specified for this extension to work. Note: If using UserPaths, do not use UserLocation.
Default: none (string)

Setting: Active Directory: Domain name support enabled
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAPauth:UsingAD
Description: Enables Active Directory domain-name support. End users can specify the domain name (e.g., domainname\username) at primary logon. Alternatively, the administrator can specify a default domain name (see the "Active Directory: Set domain name" setting) to let end users log on by username alone. If no domain is specified, then the local workstation's domain is used.
Values:
  0 = Do not use AD domain names
  1 = Use AD domain names
Default: 0 (dword)

Setting: Active Directory: Set domain name
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAP:ADDomain
Description: The Active Directory domain name to use for primary logon if no domain is specified for the username/ID credential (e.g., domainname\username). This setting is used only if the "Active Directory: Domain name support enabled" setting is set to "Use AD domain names." If domain-name support is enabled and this setting is blank (and the end user does not specify a domain), then the local workstation's domain is used.
Default: none (string string)

Setting: Alternate User ID location
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAP:UserLocation
Description: Use to indicate where to locate a user object when the user validates against an attribute other than the username. Example: If users authenticate with an employee ID # for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set UserLocation to empid=%user,ou=people,dc=computer instead of to uid=user,ou=people,dc=computer. Note: For Novell eDirectory, UserLocation should be: uid=%user,path to the object. Note: If using UserLocation, do not use UserPrepend or UserPaths.
Default: none (string string)

Setting: Authenticator Grade
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAP:AuthGrade
Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
Default: 1 (dword int)

Setting: BIND Timeout
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAP:Timeout
Description: Timeout (in milliseconds) of the LDAP BIND call.
Default: Depends on the operating system (dword int)

Setting: Naming Attribute string
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAP:UserPrepend
Description: String to prepend to UserPaths when the DN for a user is in the form cn=%UserName%,ou=people,dc=computer instead of the form namingattribute=%UserName%,ou=people,dc=computer (where namingattribute can be any string). Note: This value usually needs to be set to cn for Novell eDirectory. Note: If using UserPrepend, you must use UserPathN and do not use UserLocation.
Default: none (string string)

Setting: SSL Fallback
Location: Primary Logon Methods\LDAP\Advanced
Registry key: AUI\LDAP:SSLFallback
Description: Fall back to an insecure connection when an SSL connection fails. Note: If set to 1 and any of Servers includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
  mycomputer.com:1272 ;My secure SSL Port
  mycomputer.com:389 ;My fallback port
Values:
  0 = Do not connect if the SSL connection fails
  1 = Connect without SSL (insecure) if the SSL connection fails
Default: 0 (dword)

Setting: Servers
Location: Primary Logon Methods\LDAP\Required
Registry key: AUI\LDAP\Servers:ServerN
Description: Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified. Example:
  127.0.0.1
  127.0.0.1:456
  somewhereelse.com:8080
  anotherplace.com
Note: At least one server must be specified for this extension to work. Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none (string)

Setting: SSL
Location: Primary Logon Methods\LDAP\Required
Registry key: AUI\LDAP:UseSSL
Description: Whether to connect via SSL.
Values:
  0 = Connect without SSL (insecure) (default to port #389)
  1 = Connect via SSL (default to port #636)
Default: 1 (dword)

Setting: SSL CertDB location
Location: Primary Logon Methods\LDAP\Required
Registry key: AUI\LDAP:CertDBPath
Description: Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Default: none (string filename)

Setting: User Paths
Location: Primary Logon Methods\LDAP\Required
Registry key: AUI\LDAP:UserPathN
Description: Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree. Note: A value for either UserPrepend or at least one value for UserPaths must be specified for this extension to work. Note: If using UserPaths, do not use UserLocation.
Default: none (string)
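The UserLocation, UserPrepend and UserPathN settings above (listed in the same form for the LDAP v2 and LDAP primary logon methods) together decide where the authenticator looks for a user's directory object, and the notes spell out which of them may be combined. The following Python script is an added example, not code from the IBM manual or the product: it takes those settings from a plain dict standing in for the registry values, applies the combination rules from the notes, turns the settings into the ordered list of DN lookups they imply, and escapes the name the user typed before it is substituted into a DN (RFC 4514) or a search filter (RFC 4515), so a name containing "," or "*" cannot change which object is looked up. The default naming attribute uid and the modelling of the reference's final "search the directory tree" step as a subtree search from an empty base DN are assumptions of the example.

```python
"""Resolve where the TAM E-SSO LDAP authenticator would look for a user's object.

Added example, not code from the IBM manual or the product. The setting names
(UserLocation, UserPrepend, UserPathN) and the %user / %UserName% placeholders
come from the reference; the settings are read from a plain dict standing in for
the registry. Assumptions of the example: uid is the naming attribute when
UserPrepend is unset, and the reference's final "search the directory tree" step
is modelled as a subtree search from an empty base DN.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_NAMING_ATTR = "uid"      # assumption, matches the uid=... form in the reference's examples
Lookup = Tuple[str, str, str]    # (scope, base DN, LDAP filter)

# RFC 4514 section 2.4: characters that must be backslash-escaped inside a DN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a typed username before it is spliced into a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def user_paths(settings: Dict[str, str]) -> List[str]:
    """UserPath1, UserPath2, ... in numeric order; the reference searches them in order."""
    numbered = []
    for name, value in settings.items():
        m = re.fullmatch(r"UserPath(\d+)", name)
        if m and value:
            numbered.append((int(m.group(1)), value))
    return [path for _, path in sorted(numbered)]


def validate_settings(settings: Dict[str, str]) -> List[str]:
    """Apply the combination rules stated in the reference; an empty list means valid."""
    problems = []
    location = settings.get("UserLocation", "")
    prepend = settings.get("UserPrepend", "")
    paths = user_paths(settings)
    if location and (prepend or paths):
        problems.append("UserLocation must not be combined with UserPrepend or UserPathN")
    if not (location or prepend or paths):
        problems.append("either UserPrepend or at least one UserPathN is required")
    if prepend and not paths:
        problems.append("UserPrepend requires at least one UserPathN")
    return problems


def resolve_lookup_plan(settings: Dict[str, str], username: str) -> List[Lookup]:
    """Ordered lookups the settings imply for the name the user typed at logon."""
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    location = settings.get("UserLocation", "")
    if location:
        # UserLocation is a DN template such as empid=%user,ou=people,dc=computer
        return [("base", location.replace("%user", escape_dn_value(username)), "(objectClass=*)")]
    prepend = settings.get("UserPrepend", "")
    attr = prepend or DEFAULT_NAMING_ATTR
    plan: List[Lookup] = []
    for path in user_paths(settings):
        if prepend:
            # UserPrepend is the naming attribute: cn=%UserName%,<UserPathN>
            plan.append(("base", f"{attr}={escape_dn_value(username)},{path}", "(objectClass=*)"))
        else:
            plan.append(("subtree", path, f"({attr}={escape_filter_value(username)})"))
    # "If not found, the extension will search the directory tree" (assumed: from an empty base).
    plan.append(("subtree", "", f"({attr}={escape_filter_value(username)})"))
    return plan


if __name__ == "__main__":
    demo = {"UserPrepend": "cn", "UserPath1": "ou=people,dc=computer"}  # constructed settings
    for scope, base, flt in resolve_lookup_plan(demo, "smith, john"):
        print(scope, base, flt)
```

The escaping is the part worth copying: the settings splice the typed name straight into a DN or filter, so any code that reproduces the lookup (a migration script, a test harness for the directory) should escape the name the same way rather than trusting it.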

Setting: When user's Windows password changes...
Location: Primary Logon Methods\Windows
Registry key: AUI\WinAuth:PWEnable
Description: Provide enhanced security by requiring entry of the old password when a new one is in use.
Values:
  0 = Do not require the old Windows password
  1 = Require the old Windows password
Default: 0 (dword)

Setting: Include in "Domain" Password Sharing Group
Location: Primary Logon Methods\Windows v2
Registry key: AUI\MSauth:PWSEnable
Description: Enables password sharing from the Primary Logon Method to credentials in the Group Domain. (Also requires AccessManager:PWSEnable to be enabled.)
Values:
  0 = Disable
  1 = Enable
Default: 1 (dword)

Setting: Reauthentication dialog
Location: Primary Logon Methods\Windows v2
Registry key: AUI\MSauth:AuthOptions
Description: Determines how the user needs to reauthenticate.
Values:
  0 = Use TAM E-SSO dialog
  1 = Use GINA
Default: 0 (dword)

Setting: Authenticator Grade
Location: Primary Logon Methods\Windows v2\Advanced
Registry key: AUI\MSauth:AuthGrade
Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
Default: 1 (dword int)

Setting: MultiAuth: Require set up for multi-authentication
Location: Primary Logon Methods\Windows v2\Advanced
Registry key: AUI\MSauth:AuthState
Description: Determines whether to require the user to set up this logon method during First Time Use if "MultiAuth" is selected as the primary logon method. This setting is only used for multi-authenticator primary logon.
Values:
  0 = Disable this logon method for multi-authenticator use
  1 = User has option to set up this logon method
  2 = User is required to set up this logon method
Default: 1 (dword)

Setting: Passphrase
Location: Primary Logon Methods\Windows v2\Advanced
Registry key: AUI\MSauth:ResetEnable
Description: Allow the Reset passphrase to be used.
Values:
  0 = Disable
  1 = Enable
Default: 1 (dword)

Setting: Authenticator Grade
Location: Primary Logon Methods\Windows\Advanced
Registry key: AUI\WinAuth:AuthGrade
Description: Assigns an authentication grade to this primary logon method. This value is used for multi-level authentication. Note: This setting applies to TAM E-SSO: Authentication Adapter only.
Default: 1 (dword int)

Setting: Add All Approval
Location: Provisioning Manager
Registry key: Extensions\Provisioning\Settings:AddAllApproval
Description: One means we approve all and modify operations at once. Zero means we require individual approval. The default value is one. This setting applies to v-GO Provisioning Manager only.
Values:
  0 = Require Individual Approval
  1 = Approve All
Default: 1 (dword)

Setting: Add Approval
Location: Provisioning Manager
Registry key: Extensions\Provisioning\Settings:AddApproval
Description: One means we require user approval for an add operation; zero means we do not require user approval for an add operation. The default value is 0. This setting applies to v-GO Provisioning Manager only.
Values:
  0 = Do Not Require Approval
  1 = Require Approval
Default: 1 (dword)

Setting: If logon does not exist for a modify
Location: Provisioning Manager
Registry key: Extensions\Provisioning\Settings:ModifyNotExist
Description: One means if a logon does not exist for a modify operation, treat it as an add. Zero means if a logon does not exist for a modify operation, treat it as a failure. The default value is 1. This setting applies to v-GO Provisioning Manager only.
Values:
  0 = Treat as failure
  1 = Treat as add
Default: 1 (dword)

Setting: If there are multiple logons for a modify
Location: Provisioning Manager
Registry key: Extensions\Provisioning\Settings:MultipleModify
Description: One means if there are multiple logons for a modify operation, then display the list to the user and allow them to choose. Zero means if there are multiple logons for a modify operation, then do not allow the user a choice. The default is 0. This setting applies to v-GO Provisioning Manager only.
Values:
  0 = Do not allow choice
  1 = Display list and allow a choice
Default: 1 (dword)

Setting: Modify Approval
Location: Provisioning Manager
Registry key: Extensions\Provisioning\Settings:ModifyApproval
Description: One means we approve all and modify operations at once. Zero means we require individual approval. The default value is one. This setting applies to v-GO Provisioning Manager only.
Values:
  0 = Do Not Require Approval
  1 = Require Approval
Default: 1 (dword)

Setting: Allow Password Revealing
Location: Security\Advanced
Registry key: Extensions\AccessManager:AllowReveal
Description: Whether to allow users to reveal passwords in Wizards and on property pages. Note: If this setting or the application configuration-specific setting is set to not allow reveal, then the password will not be revealed.
Values:
  0 = Do not allow
  1 = Allow
Default: 1 (dword)

Setting: Default encryption
Location: Security\Advanced
Registry key: CSP:PreferredCSP
Description: Select the encryption algorithm/strength for new/modified credentials. Note: Setting this to a value supported only on XP/2003 will disable the Agent on other OSs.
Values:
  0 = Cobra 128-bit
  512 = Cobra 128-bit (also)
  513 = Blowfish 448-bit
  1028 = Triple-DES 168-bit
  1285 = AES 256-bit
  25700 = Triple-DES (MS CAPI) (All OSs)
  25723 = Triple-DES (MS CAPI) (XP/2003 only)
  25956 = RC-4 (MS CAPI) (All OSs)
  25979 = RC-4 (MS CAPI) (XP/2003 only)
  26491 = AES (MS CAPI) (XP/2003 only)
Default: 25700 (dword)

Setting: Require reauthentication to Reveal passwords
Location: Security\Advanced
Registry key: Extensions\AccessManager:ReauthOnReveal
Description: Whether to require reauthentication if the user selects Reveal or Reveal All in Logon Manager and in dialogs.
Values:
  0 = Do not require reauthentication
  1 = Require reauthentication
Default: 1 (dword)

Setting: Reauthentication timer
Location: Security\Common
Registry key: Extensions\AccessManager:AutoLogin
Description: Time (in milliseconds) between reauthentication requests. If set to 4,294,967,295 (0xFFFFFFFF), the time will never expire and the user will never need to reauthenticate, except in forced authentication scenarios. Note: The default value for a client-side installation is 900,000 (15 minutes); the default in a Terminal Services environment is 4,294,967,295 (disabled).
Default: 900000 (dword int)

Setting: Aggressive Synchronization
Location: Synchronization
Registry key: Extensions\SyncManager:AggressiveSync
Description: Determines whether to allow Aggressive Sync, which has the system perform a synchronization whenever a user performs any action that would require the most current credentials or settings available (e.g., an application requests credentials). Note: There is a significant performance impact on both the client and server computers.
Values:
  0 = Do not allow
  1 = Allow
Default: 0 (dword)

Setting: Delete local cache
Location: Synchronization
Registry key: Shell:CleanupOnShutdown
Description: Whether to delete the user's data files and registry keys upon shutdown of the agent.
Values:
  0 = Do not delete
  1 = Delete
Default: 0 (dword)

Setting: Deleted-credential cleanup
Location: Synchronization
Registry key: Shell:nDelDays
Description: Time (in days) that a credential's "deleted" flag is retained after the credential is deleted.
Default: 30 (dword int)

Setting: Disconnected Operation
Location: Synchronization
Registry key: Extensions\SyncManager:AllowDisconnected
Description: Determines whether TAM E-SSO executes first-time-use setup when it is unable to connect to any synchronizer extension and no local cache is present. This check occurs when run with the /background parameter (for example, at startup).
Values:
  0 = Do not continue running
  1 = Allow disconnected operation
Default: 1 (dword)

Setting: Enable role/group security support
Location: Synchronization
Registry key: Extensions\SyncManager:RetrieveCO
Description: Enables role/group support for application logons, password policies, global agent settings, and passphrase question sets.
Values:
  0 = Do not use role/group security
  1 = Use role/group security
Default: 0 (dword)

Setting: Interval for automatic re-sync
Location: Synchronization
Registry key: Extensions\SyncManager:CycleInterval
Description: Interval (in minutes) between automatic re-syncs. This occurs whether a user-generated sync event occurs or not. A value of 0 disables this setting.
Default: 0 (dword int)

Setting: Optimized Synchronization
Location: Synchronization
Registry key: Extensions\SyncManager:OptimizedSync
Description: Enable/disable Optimized Sync (using a checksum to determine changed credentials/settings, rather than retrieving all credentials/settings).
Values:
  0 = Disable
  1 = Enable
Default: 1 (dword)

Setting: Re-sync when network or connection status changes
Location: Synchronization
Registry key: Shell:MonitorNetwork
Description: Enables/disables monitoring for changes in the network connection status. When enabled, the Agent performs re-synchronization when a status change occurs (for example, re-connecting to the network).
Values:
  0 = Ignore network status changes
  1 = Watch for and re-sync on network status changes
Default: 1 (dword)

Setting: Sync Order
Location: Synchronization
Registry key: Extensions\SyncManager:SyncOrder
Description: Order to synchronize to synchronization extensions (by extension name, not type). Examples:
  SalesADAM,CorporateLDAP,CorporateAD
  FileSync Remote,AD,FileSync Local,SomethingElse
  CorpDir,CorpADAM,ADRemote
Note: If no value is specified then all extensions will be used (in an unpredictable order).
Default: none (string synchronizers)

Setting: Wait for synchronization at startup
Location: Synchronization
Registry key: Extensions\SyncManager:WaitForStartupSync
Description: Determines whether to wait for synchronization at startup, which ensures that the user's data is current. Note: There is a minor performance impact on the client computer.
Values:
  1 = Wait for sync
  0 = Do not wait for sync
Default: 1 (dword)

Setting: Configuration Objects Base Locations
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%\COBaseLocations:LocationN
Description: Where to begin the search for Configuration Objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Default: none (string)

Setting: Credentials to use
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:AuthType
Description: Which credentials to use when authenticating to the Active Directory server.
Values:
  0 = Use local computer credentials only
  1 = Use Active Directory server account only (recommended that UserPathN be set)
  2 = Try local computer credentials; if it fails, use Active Directory server account
Default: 2 (dword)

Setting: Descriptive name
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:DisplayName
Description: Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name. Note: This entry is not required.
Default: none (string string)

Setting: Location for storing user credentials
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:LocateInUser
Description: Enables storage of user-credential containers under their respective directory User objects; no locator object is used. When disabled (the default), credentials are stored as specified by the locator object.
Values:
  0 = Store user credentials as specified by locator object
  1 = Store user credentials under respective directory user objects
Default: 0 (dword)

Setting: Logon attempts
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:RetryLockCount
Description: Number of times to present the retry dialog to the user.
Default: 3 (dword int)

Setting: Prepend Domain when naming objects
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:AppendDomain
Description: Enables prepending of the user's domain to the username in naming the user's container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled. Note: If you enable Prepend Domain, do not enable Enable Storing Credentials under User Object (in the Directory menu). If you do enable credential storage in User Objects, this option must be disabled (the default setting). If both options are enabled, no synchronization will occur.
Values:
  0 = Disable
  1 = Enable
Default: 0 (dword)

Setting: Prompt when disconnected
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:AllowOffline
Description: Allow the user to work offline without prompting/notification if a synchronization event fails.
Values:
  0 = Prompt/notify the user
  1 = Do not prompt
Default: 0 (dword)

Setting: Search for locator and override objects
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:StopAtRoot
Description: Controls how the Agent searches for locator and override objects.
Values:
  0 = Search all servers for locator/override
  1 = Limit locator/override search to the server root
Default: 1 (string)

Setting: Servers
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%\Servers:ServerN
Description: Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified. Example:
  somewhereclose.com
  also.somewhereclose.com
  somewhereelse.com:8080
  anotherplace.com
Note: At least one server must be specified for this extension to work. Note: Active Directory requires use of computer names (not IP addresses). Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none (string)

Setting: User Paths
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:UserPathN
Description: Fully qualified path of where the user account is located. There can be unlimited paths to search. The extension searches these in order, looking for the user account. If not found, the extension will search the directory tree. Note: This entry is not required for this extension.
Default: none (string)

Setting: When SSL fails
Location: Synchronization\%AD%\Advanced
Registry key: Extensions\SyncManager\Syncs\%AD%:SSLFallback
Description: Fall back to an insecure connection when an SSL connection fails. Note: If SSLFallback=1 and any of Servers includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272 then an additional entry must point to the fallback port, such as:
  mycomputer.com:1272 ;My secure SSL Port
  mycomputer.com:389 ;My fallback port
Values:
  0 = Do not connect if the SSL connection fails.
  1 = Connect without SSL (insecure) if the SSL connection fails.
Default: none (dword)

Setting: Extension location
Location: Synchronization\%AD%\Required
Registry key: Extensions\SyncManager\Syncs\%AD%:Path
Description: Path\filename of the Active Directory synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADEXT\adsync.dll (string filename)

Setting: SSL
Location: Synchronization\%AD%\Required
Registry key: Extensions\SyncManager\Syncs\%AD%:UseSSL
Description: Connect via SSL.
Values:
  0 = Connect without SSL (insecure) (default to port #389).
  1 = Connect via SSL (default to port #636).
Default: 1 (dword)

Setting: Configuration Objects Base Locations
Location: Synchronization\%ADAM%\Advanced
Registry key: Extensions\SyncManager\Syncs\%ADAM%\COBaseLocations:LocationN
Description: Where to begin the search for Configuration Objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Default: none (string)

Setting: Credentials to use
Location: Synchronization\%ADAM%\Advanced
Registry key: Extensions\SyncManager\Syncs\%ADAM%:AuthType
Description: Which credentials to use when authenticating to the ADAM server.
Values:
  0 = Connect to ADAM with current user name
  1 = Use ADAM server account only
  2 = Try local computer credentials; if it fails, use ADAM server account
Default: 2 (dword)

Setting: Prepend Domain when naming objects
Location: Synchronization\%ADAM%\Advanced
Registry key: Extensions\SyncManager\Syncs\%ADAM%:AppendDomain
Description: Enables prepending of the user's domain to the username in naming the user's container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
Values:
  0 = Disable
  1 = Enable
Default: 0 (dword)

Setting: Prompt when disconnected
Location: Synchronization\%ADAM%\Advanced
Registry key: Extensions\SyncManager\Syncs\%ADAM%:AllowOffline
Description: Allow the user to work offline without prompting/notification if a synchronization event fails.
Values:
  0 = Prompt/notify the user
  1 = Do not prompt
Default: 0 (dword)

Setting: User domain name to use
Location: Synchronization\%ADAM%\Advanced
Registry key: Extensions\SyncManager\Syncs\%ADAM%:UserDomain
Description: Domain name to use in the container name (e.g., DomainName.UserName) when Prepend Domain is enabled. The user can specify another domain in the login dialog. Example: If User Domain is "MyDomain" (with Prepend Domain enabled) and the user logs on as jamesk, the container name used is MYDOMAIN.jamesk. If the user logs on as HISDOMAIN\jamesk, the container name used is HISDOMAIN.jamesk.
Default: none (string string)

Setting: Extension location
Location: Synchronization\%ADAM%\Required
Registry key: Extensions\SyncManager\Syncs\%ADAM%:Path
Description: Path\filename of the Active Directory synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\ADAMext\ADAMsyncExt.dll (string filename)
288 Introduction
Setting: Servers
Console location: Synchronization\%ADAM%\Required
Registry entry: Extensions\SyncManager\Syncs\%ADAM%\Servers:ServerN
Description: Servers to try, in the format "computer[:port]" (one server per line), where computer is the server name, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified. Example:
  somewhereclose.com
  also.somewhereclose.com
  somewhereelse.com:8080
  anotherplace.com
Note: At least one server must be specified for this extension to work. Note: Active Directory requires use of computer names (not IP addresses). Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none
Type: string
Setting: Append Domain when naming objects
Console location: Synchronization\%DB%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%DB%:AppendDomain
Description: Enables appending of the user’s domain to the username in naming the user’s container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "jamesk.passlogix" with this flag enabled.
Values:
  0  Disable
  1  Enable
Default: 0
Type: dword

Setting: Extension location
Console location: Synchronization\%DB%\Required
Registry entry: Extensions\SyncManager\Syncs\%DB%:Path
Description: Path\filename of the Database synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\DBEXT\DBExt.dll
Type: string (filename)

Setting: Servers
Console location: Synchronization\%DB%\Required
Registry entry: Extensions\SyncManager\Syncs\%DB%\Servers:Server
Description: List of servers to try, in the format "connection string" (one server per line). Note: At least one server must be specified for this extension to work.
Default: none
Type: string
Setting: Descriptive name
Console location: Synchronization\%File%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%File%:DisplayName
Description: Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name. Note: This entry is not required.
Default: none
Type: string

Setting: Logon attempts
Console location: Synchronization\%File%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%File%:RetryLockCount
Description: Number of times to present the retry dialog to the user.
Default: 3
Type: dword (int)

Setting: Prepend Domain when naming user folders
Console location: Synchronization\%File%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%File%:AppendDomain
Description: Enables prepending of the user’s domain to the username in naming the user’s container. Example: For the domain "passlogix" and user "jamesk", the container is named "jamesk" with this flag disabled and "passlogix.jamesk" with this flag enabled.
Values:
  0  Disable
  1  Enable
Default: 1
Type: dword
Setting: Prompt when disconnected
Console location: Synchronization\%File%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%File%:AllowOffline
Description: Allow the user to work offline without a prompt or notification if a synchronization event fails.
Values:
  0  Prompt/notify the user
  1  Do not prompt
Default: 0
Type: dword

Setting: Extension location
Console location: Synchronization\%File%\Required
Registry entry: Extensions\SyncManager\Syncs\%File%:Path
Description: Path\filename of the File System synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\FileSyncExt\filesync.dll
Type: string (filename)

Setting: Server
Console location: Synchronization\%File%\Required
Registry entry: Extensions\SyncManager\Syncs\%File%\Servers:Server1
Description: UNC path to try. Examples:
  \\FS1\Users
  \\FS2\Extras
  D:\Backup
Note: Server1 must be specified for this extension to work. Note: The File System extension requires use of proper UNC paths. Note: As of TAM E-SSO 4.0, only one path is supported; failover is not supported.
Default: none
Type: string

Setting: Admin Group DN
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:AdminGroup
Description: DN of the administrative group. This value is placed in the ACI. Example: cn=configuration administrators,ou=groups,ou=topologymanagement,o=netscaperoot
Default: none
Type: string
Setting: Alternate User ID location
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:UserLocation
Description: Use to indicate where to locate a user object when the user validates against an attribute other than the username. Example: If users authenticate with an employee ID number for logon (validation against the empid attribute) and the user object is in ou=people,dc=computer, then set UserLocation to empid=%user,ou=people,dc=computer instead of to uid=user,ou=people,dc=computer. Note: For Novell eDirectory, UserLocation should be uid=%user, followed by the path to the object. Note: If using UserLocation, do not use UserPrepend or UserPaths.
Default: none
Type: string

Setting: BIND Timeout
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:Timeout
Description: Timeout (in milliseconds) of the LDAP BIND call.
Default: depends on the operating system
Type: dword (int)
Setting: Configuration Objects Base Locations
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%\COBaseLocations:LocationN
Description: Where to begin the search for Configuration Objects. The search is from the specified location(s) downward. If there are no entries, the search is from the base location.
Default: none
Type: string

Setting: Descriptive name
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:DisplayName
Description: Logon dialog title, to help differentiate between multiple synchronizer extensions having the same name. Note: This entry is not required.
Default: none
Type: string

Setting: DSAME disabled-account support
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:UsingDSAME
Description: Recognize disabled accounts on a Sun ONE Identity Server, formerly known as iPlanet Directory Server Access Management Edition (DSAME).
Values:
  0  The server is not a Sun ONE Identity Server.
  1  The server is a Sun ONE Identity Server.
Default: 0
Type: dword

Setting: Logon attempts
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:RetryLockCount
Description: Number of times to present the retry dialog to the user.
Default: 3
Type: dword (int)
Setting: Naming Attribute string
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:UserPrepend
Description: String to prepend to UserPaths when the DN for a user is in the form cn=%UserName%,ou=people,dc=computer instead of the form namingattribute=%UserName%,ou=people,dc=computer (where namingattribute can be any string). Note: This value usually needs to be set to cn for Novell eDirectory. Note: If using UserPrepend, you must use UserPathN, and do not use UserLocation.
Default: none
Type: string

Setting: Prompt when disconnected
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:AllowOffline
Description: Allow the user to work offline without a prompt or notification if a synchronization event fails.
Values:
  0  Prompt/notify the user
  1  Do not prompt
Default: 0
Type: dword

Setting: Security Version
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:SecurityVersion
Description: Update the ACI with a new :AdminGroup value when this value is higher than :SecurityUpgrade.
Default: none
Type: dword (int)
Setting: When SSL fails
Console location: Synchronization\%LDAP%\Advanced
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:SSLFallback
Description: Fall back to an insecure connection when an SSL connection fails. Because any failure on the SSL port then results in an unencrypted directory connection, leave this at 0 unless a plaintext fallback is acceptable. Note: If SSLFallback=1 and any Servers entry includes a port specification, the fallback port must also be specified as an additional Servers entry. For example, if the SSL connection is to mycomputer.com:1272, then an additional entry must point to the fallback port, such as:
  mycomputer.com:1272    ;My secure SSL port
  mycomputer.com:389     ;My fallback port
Values:
  0  Do not connect if the SSL connection fails.
  1  Connect without SSL (insecure) if the SSL connection fails.
Default: none
Type: dword
Setting: Directory Type
Console location: Synchronization\%LDAP%\Required
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:DirectoryType
Description: The specific type of directory server. If the directory server is not listed, select "Unspecified LDAP Directory" for backwards compatibility in upgrade scenarios; otherwise select "Generic LDAP Directory".
Values:
  0   Unspecified LDAP Directory
  3   Novell eDirectory
  4   Novell NDS
  5   Generic LDAP Directory
  8   Sun ONE Directory
  9   IBM Tivoli Directory Server
  10  Oracle Internet Directory
Default: 0
Type: dword

Setting: Extension location
Console location: Synchronization\%LDAP%\Required
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:Path
Description: Path\filename of the LDAP Directory Server synchronizer extension.
Default: C:\Program Files\Passlogix\v-GO SSO\Plugin\SyncMgr\LDAP\ldapsync.dll
Type: string (filename)
Setting: Servers
Console location: Synchronization\%LDAP%\Required
Registry entry: Extensions\SyncManager\Syncs\%LDAP%\Servers:ServerN
Description: List of servers to try, in the format "computer[:port]" (one server per line), where computer is the server name or IP address, and port is assumed to be the default (636 for SSL, 389 for no SSL) if not specified. Example:
  127.0.0.1
  127.0.0.1:456
  somewhereelse.com:8080
  anotherplace.com
Note: At least one server must be specified for this extension to work. Note: If specifying a port value, see SyncManager\Syncs\%LDAP%:SSLFallback.
Default: none
Type: string

Setting: SSL
Console location: Synchronization\%LDAP%\Required
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:UseSSL
Description: Connect via SSL.
Values:
  0  Connect without SSL (insecure); the default port is 389.
  1  Connect via SSL; the default port is 636.
Default: 1
Type: dword

Setting: SSL CertDB location
Console location: Synchronization\%LDAP%\Required
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:CertDBPath
Description: Path\filename of the cert7.db certificate database file. (Do not change the name of the file from cert7.db.)
Default: none
Type: string (filename)
Setting: User Paths
Console location: Synchronization\%LDAP%\Required
Registry entry: Extensions\SyncManager\Syncs\%LDAP%:UserPathN
Description: Fully qualified path of where the user account is located. There can be an unlimited number of paths to search. The extension searches these in order, looking for the user account. If it is not found, the extension searches the directory tree. Note: A value for either UserPrepend or at least one value for UserPaths must be specified for this extension to work. Note: If using UserPaths, do not use UserLocation.
Default: none
Type: string
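The LDAP synchronizer settings above interact: UseSSL decides whether 636 or 389 is the implied port, the Servers port rule only applies when SSLFallback=1, UserLocation excludes UserPrepend and UserPathN, and several entries are marked Required. The following Python script is added here as an example; it is not part of the product or of the original documentation. It reads a .reg export of the synchronizer key and reports settings that violate those rules. It assumes that the settings live under HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix and that the %LDAP% placeholder is a subkey named LDAP; neither is stated on this page. The two .reg fragments in the script, and the ldap1/ldap2.example.com hosts in them, are constructed sample input.

```python
r"""Audit TAM E-SSO LDAP synchronizer settings from a .reg export.

Added example; not part of the product or the original documentation.
Assumptions (not stated on the page): the settings live under
HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix and the %LDAP% placeholder is a
subkey named LDAP. SAMPLE_REG and HARDENED_REG are constructed inputs.
"""
import re

ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP'  # assumed

# Constructed: a weak configuration (SSL fallback on, cert DB missing,
# UserLocation combined with UserPath1, an SSL port without a fallback entry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP]
"Path"="C:\\Program Files\\Passlogix\\v-GO SSO\\Plugin\\SyncMgr\\LDAP\\ldapsync.dll"
"DirectoryType"=dword:00000005
"UseSSL"=dword:00000001
"SSLFallback"=dword:00000001
"UserPath1"="ou=people,dc=example,dc=com"
"UserLocation"="uid=%user,ou=people,dc=example,dc=com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP\Servers]
"Server1"="ldap1.example.com:1272"
"Server2"="ldap2.example.com"
'''

# Constructed: the same configuration with the findings corrected.
HARDENED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP]
"Path"="C:\\Program Files\\Passlogix\\v-GO SSO\\Plugin\\SyncMgr\\LDAP\\ldapsync.dll"
"DirectoryType"=dword:00000005
"UseSSL"=dword:00000001
"SSLFallback"=dword:00000000
"CertDBPath"="C:\\Program Files\\Passlogix\\v-GO SSO\\cert7.db"
"UserPath1"="ou=people,dc=example,dc=com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP\Servers]
"Server1"="ldap1.example.com"
"Server2"="ldap2.example.com"
'''

# One .reg value line: "Name"=dword:xxxxxxxx  or  "Name"="string with \\ and \" escapes"
VALUE_RE = re.compile(r'"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")')


def parse_reg(text):
    """Return {key path: {value name: value}} for the string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            else:  # .reg escapes backslash and quote with a backslash
                current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys


def split_server(entry):
    """'computer[:port]' -> (host, port or None), the format of the Servers setting."""
    host, _, port = entry.partition(':')
    return host.strip().lower(), (int(port) if port else None)


def audit_ldap_sync(reg_text, root=ROOT):
    """Return a list of findings; an empty list means nothing to report."""
    keys = parse_reg(reg_text)
    s = keys.get(root, {})
    servers = [split_server(v) for k, v in sorted(keys.get(root + r'\Servers', {}).items())
               if k.lower().startswith('server')]
    findings = []

    # Entries the reference marks as Required.
    for req in ('DirectoryType', 'Path', 'UseSSL', 'CertDBPath'):
        if req not in s:
            findings.append(f'required setting {req} is not set')
    if not servers:
        findings.append('required Servers list is empty; the extension cannot connect')

    # UserLocation is exclusive with UserPrepend/UserPathN; one of them is needed.
    has_paths = any(k.lower().startswith('userpath') for k in s)
    if 'UserLocation' in s and (has_paths or 'UserPrepend' in s):
        findings.append('UserLocation is combined with UserPrepend/UserPathN; use one or the other')
    elif 'UserLocation' not in s and not has_paths and 'UserPrepend' not in s:
        findings.append('neither UserPrepend nor a UserPathN value is set; the extension cannot work')

    if s.get('UseSSL', 1) != 1:  # page default: 1
        findings.append('UseSSL=0: the directory connection is made without SSL (insecure)')
    if s.get('SSLFallback', 0) == 1:
        findings.append('SSLFallback=1: a failed SSL connection falls back to an insecure one')
        # Page rule: a host listed with an explicit port needs a second Servers
        # entry naming the fallback port, otherwise the fallback has nowhere to go.
        for host, port in servers:
            if port is not None and sum(1 for h, _ in servers if h == host) < 2:
                findings.append(f'{host}:{port} has no fallback-port entry in Servers')
    return findings


if __name__ == '__main__':
    for label, reg in (('weak', SAMPLE_REG), ('hardened', HARDENED_REG)):
        print(label + ':', audit_ldap_sync(reg) or ['no findings'])
```

On a real machine the input comes from `reg export` of the assumed key (for example `reg export "HKLM\SOFTWARE\Passlogix\Extensions\SyncManager\Syncs\LDAP" ldap.reg`), read into `audit_ldap_sync`. The ADAM and Database synchronizers store their Servers lists under the same layout, so the parser applies to them as well; only the rule set differs.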
Troubleshooting
Installation
Authenticators
Synchronizer Extensions
Uninstall
Agent Performance
Application Response
Authentication
Initial Authentication
Reauthentication
Application Configuration
All Applications
Windows Applications
Web Applications
Host Applications
Event Logging
Windows Event Viewer
Password Sharing Groups
Synchronizer Extensions
Directory Extensions
File System Server
Regular Expression Syntax
The following operators and meta-characters can be used to specify a text string pattern that the Agent uses to detect specific application windows. See Add Edit Window Title for more information.
The following explanations are adapted from the .NET regular expression reference; the complete description and syntax of regular expressions can be found on the Microsoft Developer Network website (msdn.microsoft.com). Note that several of the forms listed here are not .NET syntax ({ } as the match group, \0 as the first group, the ! operator, and the \a, \c, \h, \q, \w and \z abbreviations); they follow the ATL CAtlRegExp grammar, so test patterns against the Agent rather than against a .NET tool.
Grouping
[ ]   Indicates a character class that matches any character inside the brackets. Example: [abc] matches "a", "b", and "c".
( )   Indicates a character grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas (such as "1" or "1,23,456").
{ }   Indicates a match group; the text it matches can be referred to later with \n (see the escape character below).
|     Separates two expressions, exactly one of which matches. Example: (T|t)he matches "The" or "the".
Matching
.     Matches any single character.
^     If ^ occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets. Example: [^abc] matches all characters except "a", "b", and "c". If ^ is at the beginning of the regular expression, it matches the beginning of the input. Example: ^[abc] only matches input that begins with "a", "b", or "c".
$     At the end of a regular expression, $ matches the end of the input. Example: [0-9]$ matches a digit at the end of the input.
-     In a character class, a hyphen indicates a range of characters. Example: [0-9] matches any of the digits "0" through "9".
Repeat operators
!     Negates the expression that follows.
?     Indicates that the preceding expression is optional: it matches once or not at all. Example: [0-9][0-9]? matches "2" and "12".
+     Indicates that the preceding expression matches one or more times. Example: [0-9]+ matches "1", "13", "666", and so on.
*     Indicates that the preceding expression matches zero or more times.
??, +?, *?   "Non-greedy" versions of ?, +, and *. These match as little as possible, unlike the greedy versions, which match as much as possible. Example: given the input "<abc><def>", <.*?> matches "<abc>" while <.*> matches "<abc><def>".
Escape and abbreviation
\     Escape character that forces the next character to be interpreted literally. Example: [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character. If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<head>Contents</head>". The \ is also used for the abbreviations in the following table.

Abbreviation   Meaning                      Matches
\a             Any alphanumeric character   [a-zA-Z0-9]
\b             White space (blank)          [ \t]
\c             Any alphabetic character     [a-zA-Z]
\d             Any decimal digit            [0-9]
\h             Any hexadecimal digit        [0-9a-fA-F]
\n             New line                     \r|\r?\n
\q             A quoted string              \"[^\"]*\"|\'[^\']*\'
\w             A simple word                [a-zA-Z]+
\z             An integer                   [0-9]+
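A pattern written in the dialect above behaves differently when pasted into a Python or .NET regex tool: here \b is blank space rather than a word boundary, \w matches letters only, { } captures while ( ) only groups, and \0 is the first group. The translator below is an added Python example, not code from the product or from the original page. It rewrites an Agent-dialect pattern into an equivalent Python `re` pattern and checks the page's own examples against it, so window-title patterns can be tested against expected and unexpected titles before they are deployed. It assumes that escapes inside [ ] pass through unchanged (the page does not say), and it rejects the ! operator, which has no direct `re` equivalent.

```python
r"""Translate the Agent's window-title regex dialect into Python `re` syntax.

Added example; not from the product or the original page. The dialect is the
one tabulated above: { } is the capturing match group, ( ) only groups, \0 is
the first group, and \a \b \c \d \h \n \q \w \z are abbreviations. Assumption
not stated on the page: escapes inside [ ] pass through unchanged.
"""
import re

# Abbreviations from the table above, as Python `re` equivalents.
ABBREV = {
    'a': '[a-zA-Z0-9]',
    'b': '[ \t]',                      # blank space, not a word boundary
    'c': '[a-zA-Z]',
    'd': '[0-9]',
    'h': '[0-9a-fA-F]',
    'n': r'(?:\r|\r?\n)',
    'q': r'''(?:"[^"]*"|'[^']*')''',
    'w': '[a-zA-Z]+',                  # letters only, unlike re's \w
    'z': '[0-9]+',
}


def to_python_re(pattern):
    """Rewrite an Agent-dialect pattern as an equivalent Python `re` pattern."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if in_class:
                out.append(ch + nxt)                    # assumption: pass through
            elif nxt.isdigit():
                out.append(r'(?:\%d)' % (int(nxt) + 1))  # \0 -> \1: re groups are 1-based
            elif nxt in ABBREV:
                out.append(ABBREV[nxt])
            else:
                out.append(ch + nxt)                    # \+ \. \\ etc. stay literal
            i += 2
            continue
        if in_class:
            out.append(ch)
            in_class = ch != ']'
        elif ch == '[':
            out.append(ch)
            in_class = True
        elif ch == '!':
            raise ValueError("'!' (negation) has no direct re equivalent")
        elif ch == '{':
            out.append('(')                             # { } = capturing match group
        elif ch == '}':
            out.append(')')
        elif ch == '(':
            out.append('(?:')                           # ( ) = grouping only
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def find(agent_pattern, text):
    """Text matched by the translated pattern, or None. Uses re.search, so an
    unanchored pattern matches anywhere inside a window title."""
    m = re.search(to_python_re(agent_pattern), text)
    return m.group(0) if m else None


# The page's own examples as (pattern, input, expected match), plus two
# constructed ones for \q and \z.
PAGE_EXAMPLES = [
    (r'(\d+,)*\d+', '1,23,456', '1,23,456'),
    (r'[0-9][0-9]?', '12', '12'),
    (r'<.*?>', '<abc><def>', '<abc>'),
    (r'<.*>', '<abc><def>', '<abc><def>'),
    (r'[0-9]\+', '1+', '1+'),
    (r'<{.*?}>.*?</\0>', '<head>Contents</head>', '<head>Contents</head>'),
    (r'^[abc]', 'xa', None),
    (r'[0-9]$', 'room 7', '7'),
    (r'(T|t)he', 'The', 'The'),
    (r'\q', 'title "hi" bye', '"hi"'),
    (r'\z', 'build 1234', '1234'),
]


def check_page_examples(examples=PAGE_EXAMPLES):
    """Return the examples whose translated pattern does not behave as the page says."""
    return [(p, s, find(p, s), want) for p, s, want in examples if find(p, s) != want]


if __name__ == '__main__':
    for p, s, want in PAGE_EXAMPLES:
        print(f'{p!r:24} -> {to_python_re(p)!r:32} on {s!r}: {find(p, s)!r}')
    print('mismatches:', check_page_examples())
```

Because the Agent decides which window to respond to from this match, anchor a title with ^ and $ whenever the full title is known; an unanchored pattern also matches any title that merely contains the substring.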
Installation
Authenticators
An authenticator is not installed when selected.
v By default, the installer does not install authenticators that will not work on the system. For example, if the Entrust Entelligence client is not installed, then the authenticator for the Entrust PKI will not be installed (Entrust Entelligence is available with TAM E-SSO: Authentication Adapter only).
Synchronizer Extensions
The Microsoft Active Directory extension is not installed when selected.
v By default, the installer does not install synchronizer extensions that will not work on the system. For example, if the Microsoft Active Directory client is not installed, then the synchronizer extension for the Microsoft Active Directory Server will not be installed.
Uninstall
User credentials remain after uninstall.
v Only the current user’s credentials can be removed by the standard uninstall. A simple batch file can handle removing other credentials. For Windows 2000, for example:
REM Start in the current profile and go up to the profiles root
REM (C:\Documents and Settings on Windows 2000).
CD /D %USERPROFILE%
CD ..
REM For every profile directory, delete the SSO credential files.
REM Del /S removes the files recursively; the empty directories remain.
REM In a batch file the FOR variable is written %%Z (at an interactive prompt, %Z).
For /D %%Z in (*.*) do Del /F /S /Q "%%Z\Application Data\SSO"
v You will need to manually delete registry entries for other users. This can be done in RegEdit or RegEdit32 (RegEdt32.exe), or you can push the following *.reg file to each user (HKEY_CURRENT_USER resolves to whichever user imports it, so it must run in each user’s own logon session):
Windows Registry Editor Version 5.00

; The leading "-" deletes the key and everything under it.
[-HKEY_CURRENT_USER\Software\Passlogix]
Agent Performance
Application Response
The agent responds slowly, applications are slowed, or specific functions within applications are slowed, when the agent is running.
v Some antivirus programs check agent modules too aggressively. To resolve this, disable checks of ssoshell.exe and/or of the %ProgramFiles%\Passlogix\v-GO SSO directory tree.
v Some antivirus programs check *.mdb files too aggressively. The agent stores user credentials in *.mdb files. To resolve this, disable checks of *.mdb files, of the file %UserName% aml.mdb, and/or of files in the %AppData%\Passlogix directory. Prefer the narrowest exclusion that resolves the problem (the agent’s own directory) over a system-wide *.mdb exclusion: the files being excluded are the users’ credential stores.
Authentication
All Authenticators
Windows Authentication
LDAP Directory Server Authentication
Entrust PKI Authentication (TAM E-SSO: Authentication Adapter only)
RSA Keon Authentication (TAM E-SSO: Authentication Adapter only)
Initial Authentication
User logs onto a computer with different domain/workgroup accounts but sees the same credentials.
v The local computer’s Windows account, not the domain/workgroup account, determines which registry hive (HKCU) the user gets, so every domain/workgroup logon made through the same local account shares one set of stored credentials. There are two workarounds: use the CleanupOnShutdown feature or use a different Windows account for each domain/workgroup logon.
Reauthentication
Users are never asked to reauthenticate.
v Make sure Extensions\AccessManager:AutoLogin is set to the desired value. The value is in milliseconds; a value of 900000 (the default for client-side installations) is 15 minutes.
Users have to reauthenticate too frequently.
v Make sure Extensions\AccessManager:AutoLogin is set to the desired value. The value is in milliseconds; a value of 900000 (the default for client-side installations) is 15 minutes.
v Make sure other force-reauth settings are set appropriately. These settings include:
– Overriding settings: Extensions\AccessManager:ReauthOnReveal
– Application configuration settings: ForceReauth
Application Configuration
All Applications
After an upgrade of the Agent to version 5.0, users report that application logons for which they have
previously provided credentials no longer function. Instead, a message box appears, advising that the
credentials do not correspond to configured logons. The applications appear in Logon Manager in grey,
italicized text.
v Create a Bulk Add list to update the user’s entlist.ini. Also note that in TAM E-SSO version 5.0,
preconfigured logons for Windows and Web applications are provided in Console templates, rather
than in the Agent’s applist.ini. Create the required application logons using Console templates, then
create the Bulk Add list to update the user’s entlist.ini.
An application is not available in the list of predefined applications when you add credentials.
v Shut down the agent, making sure that no ssoshell.exe processes are running, and restart the agent.
The agent can be started and Logon Manager can be opened without the user authenticating.
v Shut down the agent, kill any running ssoshell.exe or SSObho.exe processes, and restart the agent.
Event Logging
Password Sharing Groups
Password Sharing Groups are not working.
v Make sure Extensions\AccessManager:PWSEnable=1.
A Password Change within an application in the Domain or LDAP groups does not notify the
authenticator of the change.
v Make sure AUI:ShareToAuth=1.
Synchronizer Extensions
Chapter 5. TAM E-SSO Add-On Modules
TAM E-SSO has add-on modules available separately from IBM.
Authentication Adapter
TAM E-SSO: Authentication Adapter provides strong authentication support and multiple authenticator
support. An administrator can define “grades” or levels to restrict access to applications based upon the
authenticator used.
Kiosk Adapter
TAM E-SSO: Kiosk Adapter manages user sessions in a
Kiosk environment.
Authentication Adapter
TAM E-SSO: Authentication Adapter
IBM Tivoli Access Manager Enterprise Single Sign-On: Authentication Adapter (TAM E-SSO:
Authentication Adapter), part of the TAM E-SSO Platform, enables organizations to seamlessly bridge
strong authentication to all of their applications, including smart cards and Entrust authenticators. Users
can employ different authenticators at different times, and application access can be controlled based
upon the authenticator used.
Note: TAM E-SSO: Authentication Adapter is an add-on module to TAM E-SSO available separately from
IBM.
TAM E-SSO: Authentication Adapter adds three capabilities to TAM E-SSO:
v Strong authentication support from a variety of strong authenticators, including smart cards, for all
authentication events: initial authentication, re-authentication and forced authentication.
v Multiple Authenticator support allows multiple logon methods to be used to authenticate an end-user
and provides an authenticator that is capable of supporting graded authentication as well as alternative
logon methods. This allows end-users the ability to mix and match multiple logon methods on-the-fly.
v Administrators can define “grades” or levels to authentication methods and to applications. This
provides the ability to control what functions users can execute based upon the type of authenticator
presented.
Multiple Authenticator Support
Multiple Authentication supports the use of multiple logon methods to authenticate an end-user. This
feature provides an authenticator that is capable of supporting graded authentication as well as
alternative authentication methods.
TAM E-SSO: Authentication Adapter’s Multiple Authenticator:
v Accepts authentication using different authenticators.
v Supports Graded Authentication.
v Allows multiple authenticators to be used interchangeably during a user session, i.e. between the initial
logon and the logout.
v Allows multiple authenticators to be used interchangeably between sessions.
v Provides administrators the ability to:
1. Allow or disallow the use of multiple authenticators.
2. Specify which authenticator is the default primary authenticator.
3. Specify which authenticators are mandatory or required for enrollment.
4. Restrict access to applications based upon the strength of the authenticator used.
5. Allow or disallow the use of multiple authenticators interchangeably during a single session.
6. Allow or disallow the use of multiple authenticators interchangeably between sessions.
Graded Authentication
Graded Authentication lets you define “grades” or levels to authentication in TAM E-SSO: Authentication
Manager. Graded Authentication controls what functions of TAM E-SSO: Authentication Adapter users
can execute based upon the type of authenticator presented. Levels, or grades, can be applied and used
to ensure the correct level of authentication has been performed for specific events/activities.
Configuring Application-level Authentication Grades
How does TAM E-SSO: Authentication Adapter work with Graded Authentication?
v TAM E-SSO: Authentication Adapter controls application logons, which can be initiated by the user,
based upon the authenticator used by the end user on the most recent authentication request. The most
recent authentication request may be the initial logon, the last re-authentication, or the forced
authentication requested by TAM E-SSO: Authentication Adapter.
v TAM E-SSO: Authentication Adapter has an authentication grading scheme to which different
authenticators are mapped and, separately, to which application logons are mapped. TAM E-SSO:
Authentication Adapter only allows users to logon to an application when the grade of the
authenticator used equals or exceeds that of the application logon.
v When a user does not respond to an authentication request with an authenticator of sufficiently high
grade, TAM E-SSO: Authentication Adapter prompts the user to either re-authenticate with an
authenticator of sufficiently high grade or cancel the requested logon.
v If a user repeatedly attempts to initiate a logon or function with an authenticator of insufficient grade,
TAM E-SSO: Authentication Adapter locks out the user, logs an event in the Event Manager, and
notifies the user and administrator.
v If a user does not have TAM E-SSO: Authentication Adapter installed, but their application logons have
been configured to require strong authentication, the user will not have access to those applications (i.e.
strong authentication is deployed in the enterprise, but not to that user).
v Logon Manager only displays the application logons that are currently available, based upon the
authenticator used in the most recent authentication request.
v The following TAM E-SSO: Authentication Adapter functions can be configured to be accessible or
inaccessible based upon the grade of authenticator used in the most recent authentication request:
a. System Tray: Logon Manager
b. Logon Manager: Delete, Properties, and Reveal All functions
c. Logon Manager | Properties Page: Reveal Password function
d. If the Reveal All function is accessible based upon a grade of authentication used, it only reveals
passwords for those applications whose grade is equal to or lower than the grade used to authenticate for
that function.
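The grading rules above, as an added model that is not IBM's code: a constructed grading scheme, a per-session record of the most recent authentication request, and the checks Logon Manager applies to logons and to Reveal All. The grade numbers, authenticator and application names, the lockout threshold and the event list are assumptions; the page states none of them.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed grading scheme (assumed values; the page defines no numbers).
# Higher grade = stronger authenticator. Grade 0 is the baseline for a user who
# has no Authentication Adapter at all, i.e. no strong authenticator presented.
AUTHENTICATOR_GRADES = {"password": 1, "entrust": 2, "smartcard": 3}
APPLICATION_GRADES = {"intranet-wiki": 1, "hr-portal": 2, "payroll": 3}
MAX_INSUFFICIENT_ATTEMPTS = 3   # assumed threshold; the page only says "repeatedly"


@dataclass
class Session:
    """Per-user state of the Authentication Adapter model."""
    last_authenticator: Optional[str] = None    # most recent authentication request
    insufficient_attempts: int = 0
    locked_out: bool = False
    events: list = field(default_factory=list)  # stands in for the Event Manager


def current_grade(session: Session) -> int:
    """Grade of the authenticator used in the most recent authentication request."""
    if session.last_authenticator is None:
        return 0
    return AUTHENTICATOR_GRADES[session.last_authenticator]


def authenticate(session: Session, authenticator: str) -> None:
    """Initial logon, re-authentication or forced authentication with `authenticator`."""
    if authenticator not in AUTHENTICATOR_GRADES:
        raise ValueError(f"unknown authenticator {authenticator!r}")
    session.last_authenticator = authenticator


def available_logons(session: Session) -> list:
    """What Logon Manager displays: only logons whose grade the current grade meets.
    The same rule decides which passwords Reveal All would disclose."""
    grade = current_grade(session)
    return sorted(app for app, need in APPLICATION_GRADES.items() if need <= grade)


def request_logon(session: Session, app: str) -> str:
    """Outcome of a user-initiated logon: ALLOWED, REAUTH_REQUIRED or LOCKED_OUT."""
    if session.locked_out:
        return "LOCKED_OUT"
    required = APPLICATION_GRADES[app]
    if current_grade(session) >= required:
        session.insufficient_attempts = 0
        return "ALLOWED"
    # Insufficient grade: the user is asked to re-authenticate or cancel.
    session.insufficient_attempts += 1
    if session.insufficient_attempts >= MAX_INSUFFICIENT_ATTEMPTS:
        session.locked_out = True
        session.events.append(
            f"LOCKOUT: repeated attempts on {app} with grade {current_grade(session)}")
        return "LOCKED_OUT"
    session.events.append(f"REAUTH_REQUIRED: {app} needs grade {required}")
    return "REAUTH_REQUIRED"


if __name__ == "__main__":
    s = Session()
    authenticate(s, "password")
    print(available_logons(s))          # ['intranet-wiki']
    print(request_logon(s, "payroll"))  # REAUTH_REQUIRED
    authenticate(s, "smartcard")
    print(request_logon(s, "payroll"))  # ALLOWED
```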
Kiosk Adapter
TAM E-SSO: Kiosk Adapter
IBM Tivoli Access Manager Enterprise Single Sign-On: Kiosk Adapter (TAM E-SSO: Kiosk Adapter)
manages user sessions in a Kiosk environment. The following settings are configured through the TAM
E-SSO Administrative Console:
v Applications to leave running on session end
v Applications to close on session end
v General operation settings
v Confirmation messages
v Special Tasks to execute when kiosk actions occur
Note: TAM E-SSO: Kiosk Adapter is an add-on module to TAM E-SSO available separately from IBM. For
more detailed information on TAM E-SSO: Kiosk Adapter, please refer to the TAM E-SSO: Kiosk Adapter
product documentation.
TAM E-SSO: Kiosk Adapter adds the following capabilities to TAM E-SSO:
v System Logon. Two modes of system logon are supported:
– Automatic – when the kiosk boots up, it automatically logs on to a generic user account, and all
subsequent logons/logouts into Windows are disabled
– Manual – when the kiosk boots up, it prompts the user to log in
v Session Suspend and Un-suspend. A session is suspended upon either of two events:
– Current session has been inactive for a predefined period of time
– User logs out of current session
A session is resumed when the user re-authenticates to the suspended session
v Session Logoff. A suspended session is automatically logged off upon either of two events:
– The session has been suspended for a predefined period of time
– A new user initiates a new session at the kiosk
Applications can be closed using multiple methods, including:
v Transmission of keystroke sequences to the application
v Window messages (application closure requests)
v Process termination
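The session lifecycle described above, modelled as an added example that is not Kiosk Adapter code: the two timers and the two user-driven triggers move one session through ACTIVE, SUSPENDED and LOGGED_OFF. Timer values, state names, method names and the timestamps are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed timer values in seconds; the page says only "a predefined period of time".
INACTIVITY_LIMIT = 300.0   # ACTIVE with no input for this long -> SUSPENDED
SUSPENDED_LIMIT = 900.0    # SUSPENDED without resumption for this long -> LOGGED_OFF


@dataclass
class KioskSession:
    """One user's session at a kiosk. Timestamps are constructed epoch seconds."""
    user: str
    last_activity: float
    state: str = "ACTIVE"
    suspended_at: Optional[float] = None
    log: list = field(default_factory=list)

    def _advance_timers(self, now: float) -> None:
        """Apply the time-based transitions that are due by `now`, in order."""
        if self.state == "ACTIVE" and now - self.last_activity >= INACTIVITY_LIMIT:
            # Suspension took effect when the limit expired, not when we noticed it,
            # so the suspended-time clock is measured from that instant.
            self._suspend(self.last_activity + INACTIVITY_LIMIT, "inactivity")
        if self.state == "SUSPENDED" and now - self.suspended_at >= SUSPENDED_LIMIT:
            self._logoff("suspended for too long")

    def _suspend(self, at: float, reason: str) -> None:
        self.state, self.suspended_at = "SUSPENDED", at
        self.log.append(f"{self.user}: suspended ({reason})")

    def _logoff(self, reason: str) -> None:
        self.state, self.suspended_at = "LOGGED_OFF", None
        self.log.append(f"{self.user}: logged off ({reason})")

    def activity(self, now: float) -> str:
        """User input at time `now` keeps an active session alive."""
        self._advance_timers(now)
        if self.state == "ACTIVE":
            self.last_activity = now
        return self.state

    def logout(self, now: float) -> str:
        """An explicit logout suspends the session rather than ending it."""
        self._advance_timers(now)
        if self.state == "ACTIVE":
            self._suspend(now, "user logout")
        return self.state

    def logon_attempt(self, user: str, now: float) -> str:
        """Someone authenticates at the kiosk: the owner resumes a suspended
        session, any other user causes the suspended session to be logged off."""
        self._advance_timers(now)
        if self.state == "SUSPENDED":
            if user == self.user:
                self.state, self.suspended_at, self.last_activity = "ACTIVE", None, now
                self.log.append(f"{self.user}: resumed")
            else:
                self._logoff(f"new session started by {user}")
        return self.state
```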
TAM E-SSO: Kiosk Adapter - SendKeys Format
Note: When using keystroke sequences to terminate an application, a visual flicker occurs on the end
user’s screen. This flicker is a function of using SendKeys to terminate an application.
Each key is represented by one or more characters. To specify a single keyboard character, use the
character itself. For example, to represent the letter A, pass in the string "A" to the method. To represent
more than one character, append each additional character to the one preceding it. To represent the letters
A, B, and C, specify the parameter as "ABC".
The plus sign (+), caret (^), percent sign (%), tilde (~), and parentheses () have special meanings to
SendKeys. To specify one of these characters, enclose it within braces ({}). For example, to specify the plus
sign, use "{+}". To specify brace characters, use "{{}" and "{}}". Brackets ([ ]) have no special meaning to
SendKeys, but you must enclose them in braces. In other applications, brackets do have a special
meaning that might be significant when dynamic data exchange (DDE) occurs.
To specify characters that aren’t displayed when you press a key, such as ENTER or TAB, and keys that
represent actions rather than characters, use the codes in the following table.
Key Code
BACKSPACE {BACKSPACE}, {BS}, or {BKSP}
BREAK {BREAK}
CAPS LOCK {CAPSLOCK}
DEL or DELETE {DELETE} or {DEL}
DOWN ARROW {DOWN}
END {END}
ENTER {ENTER} or ~
ESC {ESC}
HELP {HELP}
HOME {HOME}
INS or INSERT {INSERT} or {INS}
LEFT ARROW {LEFT}
NUM LOCK {NUMLOCK}
PAGE DOWN {PGDN}
PAGE UP {PGUP}
PRINT SCREEN {PRTSC} (reserved for future use)
RIGHT ARROW {RIGHT}
SCROLL LOCK {SCROLLLOCK}
TAB {TAB}
UP ARROW {UP}
F1 {F1}
F2 {F2}
F3 {F3}
F4 {F4}
F5 {F5}
F6 {F6}
F7 {F7}
F8 {F8}
F9 {F9}
F10 {F10}
F11 {F11}
F12 {F12}
F13 {F13}
F14 {F14}
F15 {F15}
F16 {F16}
Keypad add {ADD}
Keypad subtract {SUBTRACT}
Keypad multiply {MULTIPLY}
Keypad divide {DIVIDE}
To specify keys combined with any combination of the SHIFT, CTRL, and ALT keys, precede the key code
with one or more of the following codes.
Key Code
SHIFT +
CTRL ^
ALT %
To specify that any combination of SHIFT, CTRL, and ALT should be held down while several other keys
are pressed, enclose the code for those keys in parentheses. For example, to specify to hold down SHIFT
while E and C are pressed, use "+(EC)". To specify to hold down SHIFT while E is pressed, followed by
C without SHIFT, use "+EC".
To specify repeating keys, use the form {key number}. You must put a space between key and number.
For example, {LEFT 42} means press the LEFT ARROW key 42 times; {h 10} means press H 10 times.
Note: In addition to the above SendKeys codes, there is also a wait command. The wait command is in the
format {WAIT number}, where number is the number of milliseconds to delay. The wait can be anywhere
in the string (i.e. beginning, middle, end) and can be used as many times as needed.
For example, if you want to send Ctrl+Shift+F7, then wait for 5 seconds, and then send Alt+F4, the
format should be as follows:
^+{F7}{WAIT 5000}%{F4}
© 2001-2002 Microsoft Corporation. All rights reserved.
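An added parser for the SendKeys grammar above (not Microsoft's or IBM's code), useful for auditing the close sequences configured in Kiosk Adapter templates before they are deployed: it tokenises a string into key and wait events, applying the brace, parenthesis, repeat-count and {WAIT} rules as the text states them. The Key and Wait types and the canonical key names are my own naming.

```python
from dataclasses import dataclass

MODIFIER_CODES = {"+": "SHIFT", "^": "CTRL", "%": "ALT"}

# Named key codes from the table above; aliases map to one canonical name.
NAMED_KEYS = {
    "BACKSPACE": "BACKSPACE", "BS": "BACKSPACE", "BKSP": "BACKSPACE",
    "BREAK": "BREAK", "CAPSLOCK": "CAPSLOCK", "DELETE": "DELETE", "DEL": "DELETE",
    "DOWN": "DOWN", "END": "END", "ENTER": "ENTER", "ESC": "ESC", "HELP": "HELP",
    "HOME": "HOME", "INSERT": "INSERT", "INS": "INSERT", "LEFT": "LEFT",
    "NUMLOCK": "NUMLOCK", "PGDN": "PGDN", "PGUP": "PGUP", "PRTSC": "PRTSC",
    "RIGHT": "RIGHT", "SCROLLLOCK": "SCROLLLOCK", "TAB": "TAB", "UP": "UP",
    "ADD": "ADD", "SUBTRACT": "SUBTRACT", "MULTIPLY": "MULTIPLY", "DIVIDE": "DIVIDE",
    **{f"F{n}": f"F{n}" for n in range(1, 17)},
}


@dataclass(frozen=True)
class Key:
    name: str                           # canonical key name or the literal character
    modifiers: frozenset = frozenset()  # subset of {"SHIFT", "CTRL", "ALT"}
    count: int = 1                      # from the {key number} repeat form


@dataclass(frozen=True)
class Wait:
    milliseconds: int                   # from {WAIT number}


def _named(token: str) -> str:
    """Resolve the text inside braces: one literal character or a named key."""
    if len(token) == 1:                 # {+}, {{}, {}}, {[}, {h ...}
        return token
    try:
        return NAMED_KEYS[token.upper()]
    except KeyError:
        raise ValueError(f"unknown key code {{{token}}}") from None


def parse_sendkeys(text: str) -> list:
    """Tokenise a SendKeys string into Key and Wait events, in order."""
    events, pending, i = [], set(), 0
    while i < len(text):
        c = text[i]
        if c in MODIFIER_CODES:                 # applies to the next key or group
            pending.add(MODIFIER_CODES[c])
            i += 1
        elif c == "(":                          # modifiers held over the whole group
            close = text.find(")", i)
            if close < 0:
                raise ValueError("unbalanced '('")
            held, pending = frozenset(pending), set()
            for ev in parse_sendkeys(text[i + 1:close]):
                if isinstance(ev, Key):
                    ev = Key(ev.name, ev.modifiers | held, ev.count)
                events.append(ev)
            i = close + 1
        elif c == "{":                          # braced code, optionally with a count
            close = text.find("}", i + 2)       # skip one char so {}} and {{} work
            if close < 0:
                raise ValueError("unbalanced '{'")
            name, _, number = text[i + 1:close].partition(" ")
            if number and not number.isdigit():
                raise ValueError(f"bad repeat count in {{{text[i + 1:close]}}}")
            if name.upper() == "WAIT":
                if not number:
                    raise ValueError("{WAIT} needs a millisecond count")
                events.append(Wait(int(number)))
            else:
                events.append(Key(_named(name), frozenset(pending), int(number or 1)))
            pending, i = set(), close + 1
        elif c in ")}":
            raise ValueError(f"unbalanced '{c}'")
        elif c in "[]":                         # brackets are only legal inside braces
            raise ValueError(f"{c!r} must be enclosed in braces")
        else:                                   # plain character, or ~ for ENTER
            events.append(Key("ENTER" if c == "~" else c, frozenset(pending)))
            pending, i = set(), i + 1
    if pending:
        raise ValueError("modifier with no key to apply to")
    return events
```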