2.0 Operating System Support
2.1 Policy Manager
2.2 SSO Client
2.3 Authentication Agents
2.4 One-Time Password Agent
2.5 Password Synchronization Agents
2.6 User Data Stores - eTrust CA-Top Secret or eTrust CA-ACF2
2.7 Smart Cards Supported by Certificate Authentication Agent
3.0 System Requirements
3.1 Policy Manager
3.2 SSO Client
3.3 Authentication Agents
3.4 One-Time Password Agents
3.5 Password Synchronization Agents
4.0 Installation Considerations
4.1 Policy Server Installation Considerations
4.2 Policy Manager Installation Considerations
4.3 Authentication Agents Installation Considerations
4.4 SSO Client Installation Considerations
5.0 General Considerations
5.1 eTrust IAM
5.2 Logging
8.0 Known Issues
8.1 Policy Server
8.2 Policy Manager
8.3 SSO Client
8.4 Authentication Agents
8.5 Password Synchronization Agents
8.6 One Time Password Agent
8.7 Web Agents
Welcome to eTrust™ Single Sign-On (eTrust SSO). This document explains operating system support, system requirements, installation considerations and any known issues not covered in the current documentation for eTrust SSO r8.
eTrust SSO is now part of the eTrust IAM suite of products. You should use the eTrust IAM Common Components CD to install the central architecture before you install any eTrust SSO components. For more information about the eTrust IAM Common Components see the Readme file for eTrust IAM Common Components CD.
You can run eTrust Single Sign-On components across a variety of operating system environments.
Note: You can find information about the Policy Server in the eTrust™ Identity and Access Management r8 Readme.
To run the Policy Manager you must have one of the following operating systems installed on the Windows computer:
To run the SSO Client you must have one of the following operating systems installed on the computer:
If you plan to use Citrix Application Migration you must run the SSO Client on a Citrix computer and you must have one of the following operating systems.
The SSO Client works with the following Citrix Clients:
The SSO Client works with the following Citrix Server:
Certificate Authentication
To run the Certificate Authentication Agent on Windows you must have one of the following operating systems installed on the computer:
Entrust Authentication
To run the Entrust Authentication Agent on Windows you must have one of the following operating systems installed on the computer:
Note: If you plan to use the Entrust authentication method, you must also have the Entrust Authority Server version 6.0 installed on a computer on the same network.
LDAP Authentication
To run the LDAP Authentication Agent on Windows you must have one of the following operating systems installed on the computer:
Netware Authentication
To run the Netware Authentication Agent you must have one of the following operating systems installed on the Novell server computer:
Novell Authentication
If you use the Novell authentication method for the SSO Client, you must use the correct version of the Novell Client on the SSO Client computer:
RSA SecureID Authentication
To run the RSA SecurID Authentication Agent on Windows you must have one of the following operating systems installed on the computer:
To run the RSA SecurID Authentication Agent on UNIX you must have one of the following operating systems installed on the computer:
Note: If you plan to use the RSA SecurID authentication method, you must also have the RSA ACE/Server version 5.1 installed on a computer on the same network.
SafeWordAuthentication
To run the SafeWord Authentication Agent on UNIX you must have one of the following operating systems installed on the computer:
Note: If you plan to use the SafeWord authentication method, you must also have the SafeWord server version 3.1.1 installed on a computer on the same network.
Windows Authentication
To run the Windows Authentication Agent you must have one of the following operating systems installed on the computer:
To run the One-Time Password Agent on UNIX you must have one of the following operating systems installed on the computer:
To run the Password Synchronization Agent on Windows you must have one of the following operating systems installed on the computer:
The Mainframe Password Synchronization Agent works with the following mainframe systems:
If you plan to use an eTrust CA-Top Secret or eTrust CA-ACF2 directory as your user data store, you must also have eTrust LDAP Server for OS/390 and z/OS Version 2.0.
The following third-party smartcards and libraries are supported by the Certificate Authentication Agent. While the Certificate Authentication Agent should work with any PKCS#11 library and reader, CA will only support what is represented in this list.
| Token/Smart Card Name | PKCS#11 DLL | PKCS#11 DLL Version |
|---|---|---|
| ActivCard Gold | acpkcs201.dll | 3.0.62.0 (ActivCard PKCS#11 2.01 API) |
| Aladdin eToken | etpkcs11.dll | 3.0.46.0 (eTPKCS11) |
| A-Trust | asignp11.dll | 1.0.4.9 |
| Axalto Cryptoflex e-gate (formerly Schlumberger) |
slbCk.dll | 4.4.14.0 (Axalto PKCS #11 v2.01) |
| Axalto Cyberflex e-gate 32K (formerly Schlumberger) |
slbCk.dll | 4.4.14.0 (Axalto PKCS #11 v2.01) |
| Datakey 10SR | dkck201.dll | 1.10.116.0 (Datakey Cryptoki DLL - Version 2.01) |
| Datakey 330M / Biometrics | dkck201.dll | 4.7.0.53 (Datakey Cryptoki DLL - Version 2.01) (Special Description: Maintenance Update 11.1) |
| Eutron Cryptoidentity 2048 USB token | sadaptor.dll | 3.4.4.0 (Smart Adaptor - PKCS11 Implementation) |
| Eutron Cryptoidentity 5 USB token | sadaptor.dll | 3.4.4.0 (Smart Adaptor - PKCS11 Implementation) |
| G&D | aetpkss1.dll | 1.0.9.93 (PKCS #11 Cryptoki Library) |
| Gemplus 410 with GemSAFE 8k card | pk2priv.dll | 3.0.0.6 (PKCS#11 v2.0 - Gemplus Private Cryptoki) |
| Gemplus 410 with GemSAFE 8k card | gclib.dll | 4.0.0.8 (PKCS#11 v2.01 - Gemplus Cryptoki) |
| Gemplus 430 with GemSAFE 8k card | gclib.dll | 4.0.0.8 (PKCS#11 v2.01 - Gemplus Cryptoki) |
| GemSafe Libraries v3.2 | gclib.dll | 4.0.0.8 (PKCS#11 v2.01 - Gemplus Cryptoki) |
| Rainbow iKey 2000 | dkck201.dll | 1.10.116.0 (Datakey Cryptoki DLL - Version 2.01) |
| Rainbow iKey 3000 | aetpkss1.dll | 1.0.9.44 (PKCS #11 Library) |
| Smartrust / Nexus | SmartP11.dll | 3.2.0.9 (PKCS 11 v2.11 implementation) |
The following sections list the hardware and software needed to install the eTrust Single Sign-On components. How you configure the host machines for your site depends on the number of users and applications, their level of activity, and your survivability requirements. To ensure high security and performance, the host machines should be dedicated to the Policy Servers. Ideally, since the servers maintain sensitive information, their hosts should be in physically protected locations and should be secured against attempts to login from remote stations.
Note: You can find information about the Policy Server in the eTrust™ Identity and Access Management r8 Readme.
You need the following hardware to install the Policy Manager:
You need the following hardware to install the eTrust Single Sign-On Client:
You need the following hardware to install any of the Authentication Agents:
You need the following hardware to install the UNIX One Time Password Agent:
Mainframe PSA
You need the following hardware to install the Mainframe Password Synchronization Agents:
Windows PSA
You need the following hardware to install the Windows Password Synchronization Agents:
Before installing any eTrust SSO components, you must install the eTrust IAM Common Components from the eTrust IAM Common Components Installation CD. Only the Windows Policy Server is available for this release.
The Product Explorer automatically runs when the eTrust SSO CD is inserted as long as you have autorun enabled, allowing you to select the product components to be installed. If autorun is not enabled, navigate to your CD ROM drive and double-click on PE_i386.EXE.
This CD contains SSO Client r8, Policy Manager and a number of agents. The various agents are built to work natively with SSO Client r8, they are not intended to function with previous versions of the eTrust SSO Client. The agents are also intended to only function with the latest version of the Policy Server which is included on the Common Components CD. Previous versions of the Policy Server or eTrust SSO Server are not supported.
Additional installation considerations are arranged by component.
Install the Policy Server from the Common Components CD. Follow the instructions in the Common Components install.
Note: You can find all other installation information about the Policy Server in the eTrust™ Identity and Access Management r8 Readme.
If you plan to install the Policy Manager on a computer with eTrust Access Control installed, you must have eTrust Access Control Version 5.1 SP2 or later.
If you have eTrust Access Control running on your computer prior to installing the Policy Manager, installation of the Policy Manager restarts the eTrust Access Control services.
If you install the Policy Manager on a computer that is running eTrust Access Control, you should have administrative privileges in eTrust Access Control.
If you plan to install the Policy Server and the Policy Manager on the same computer, install the Policy Server first. The Policy Server is part of the eTrust IAM Common Components and can be installed from the eTrust IAM Common Components Installation CD.
If the Policy Server and the Policy Manager are installed on the same computer, and you need to uninstall them, uninstall the Policy Manager first and the eTrust IAM Common Components (Policy Server) afterwards.
You cannot install the Policy Manager to a location containing the % character in the folder path.
If you plan to install the RSA Authentication Agent you will need to register the host as an 'Agent Host' with the RSA ACE Server. Once this is done you must copy/create a sdconf.rec configuration file for the RSA Authentication Agent host computer and copy it into the host's system folder. This must be done before the RSA Authentication Agent can be started.
If you install the Entrust Authentication Agent you must also have the following DLLs on the host computer, in a folder that is included in the system's PATH environmental variable: etfile32.dll, entapi32.dll and enterr.dll
For the UNIX versions of the Safeword and RSA Authentication Agents, there are now installation scripts in the directory where the installation files (.tar.Z) are located. For Safeword, this would be install_swec and for RSA this is install_rsa. You can find these files in the appropriate install dir on the r8 cd: SSO\Agents\SWEC\Unix for Safeword and SSO\Agents\RSA\Unix for RSA.
The UNIX authentication agents tar packages contain files with group-write permissions. For example, the .genlevel, ssoswd files will be group writeable. Permissions can be changed wherever the administrator finds it appropriate.
If you are performing a silent install of the SSO Client software the following should be taken into account and followed:
If you are upgrading, be aware that the SsoClnt.ini file has changed. For more information, see the "Upgrading" chapter of the Implementation Guide.
If you are upgrading, be aware that the CacheTickets token has been removed from the SsoClnt.ini file and its functionality is not available in r8.
If you are upgrading, a copy of your existing SsoClnt.ini file will be saved to %temp%\SsoClnt.original.
If you are installing the SSO Client with Citrix support enabled, ensure that the Citrix components (MetaFrame Server or ICA Client) are installed before the eTrust SSO Client.
The web-based Session Administrator is now part of the IA Manager. To access this you must install the GUI Server from the eTrust IAM Common Components CD and access the IA Manager using your web browser.
The SSO Client install updates the following system files but will not overwrite a more recent version of the file if it already exists:
All Platforms
Win NT
This product is now part of a suite of products called eTrust Identity and Access Management (eTrust IAM). eTrust IAM is designed to give you a common architecture and user interface for all products within the eTrust IAM suite.
This means that we have changed the product infrastructure to make it integrate more easily with the other products in the eTrust IAM suite, and we have provided a new management interface called the eTrust Identity and Access Manager (eTrust IA Manager).
eTrust IA Manager is a web-based interface that lets you administer the eTrust IAM suite of products, which includes:
The default logging format for SSO has changed. If you were using automated scripts to parse the SSO Client or Authentication Agent log files, be aware that the default Log4cplus FileAppender ConversionPattern is now "%D %t [%x] %c %p - %m%n". For more information on this format, refer to the Log4cplus documentation: <http://log4cplus.sourceforge.net/>
eTrust Single Sign-On documentation can be found and installed from the eTrust IAM Documentation CD. For a full list of the available guides in the eTrust Single Sign-On documentation set, see the Readme file for eTrust IAM Common Components on the eTrust IAM Common Components CD.
This English version of eTrust Single Sign-On has been certified to run on computers designed to use English only. This certification means that this English version may not run on non-English operating systems.
This section describes all the known issues in the eTrust SSO product.
This section contains all Policy Server Known Issues that have been found since the last official release or update of eTrust IAM. For all Known Issues for the Policy Server, found before the last eTrust IAM release, see the eTrust™ Identity and Access Management r8 Readme.
Psbgc paging issue with eTrust Directory. When you are using the paging option with an eTrust Directory datastore, you will encounter problems if the number of users exceeds the "max-op-size" configuration setting. The max-op-size is set to 200 by default during the installation. Increase the number to more than the number of users or set it to 0 for unlimited users.
Psbgc Authhost issue. You cannot specify which authentication host the SSO authentication method will use to verify the administrator. The Policy Server will select the authentication host.
Psbgc LDAP authentication issue. You cannot use the LDAP authentication method to verify the psbgc administrator.
Psbgc MsgFilePath or MsgFileName issue. You cannot specify your own MsgFilePath or MsgFileName. The default path and name are used.
Psbgc WebACPath issue. You cannot specify your own WebACPath. The default path is used.
You cannot upgrade from a previous Policy Manager version to r8. You must first uninstall the older version of the Policy Manager and install the r8 version.
In certain graphical configurations the Policy Manager will display white text on a white background for the button labels. To solve this open Display properties, Appearance, Advanced in the Windows Control Panel and change the item "inactive title bar" Color 1 from white to a dark color.
The Policy Manager will display an error if it tries to display a user list that exceeds the datastore limit. For this reason you are encouraged to use the filter.
An error will be generated on the SSO Client if a container application with more than 255 characters in its name is created.
The Policy Manager incorrectly handles application names containing the '?' character.
The PWPOLICY Resource - Policy Extended Attributes Dialog help topic description for the Password Interval should read, Password Interval - Indicates the number of days that a password is used before requiring a new password.
Here is a list of known issues for the SSO Client.
If both the GINA Passthrough and autologon options are set to yes, the Client will not automatically logon. When using GINA Passthrough, autologon should be set to "No".
With Session Management enabled and HeartbeatInterval set to 0, if the ticket for an application expires, upon reauthentication the application may not run. To work around this, the user should log out and log back in.
When modifying an existing installation, if the SSO GINA was not installed and is selected in the 'modify' option, the additional lock option questions will not appear.
When using the SSO Client in Toolbar mode, when two (or more) windows are opened, pressing 'Alt-tab' will only show one application icon; there should be one for every SSO Client window you have open. You will not be able to 'Alt-tab' to the window with the missing icon.
Installing SSO as a Power User on Windows 2003 fails due to a Windows issue. You can still install as an Administrator. On Windows NT, 2K, 2Kserver and XP, installing as a Power User works as expected. However, on Windows NT if the system DLLs need to be updated this will fail.
When the user logs onto their machine using the SSO GINA, and Session Management is enabled, and the SSO Client is in Toolbar mode, the user will be fully logged into SSO and the toolbar will go to a logged on state. This happens regardless of whether the SsoClnt.ini file setting autologon is set to yes or no.
If there are two authentication methods defined in a server set, i.e. ENTS SWEC and the user decides to change authentication methods to the second method defined (in this example, SWEC), after ticket expiration, the user is presented with an authentication dialog for the first authentication method (ENTS).
An error is returned to the SSO Client if the username entered into the Learn Mode dialog is longer than 48 characters.
On Windows 98, a password expiration message box does not appear when the users' password has expired and logon is attempted. Logon will still be refused.
When using 'shared workstation' mode the workstation cannot be locked by one user and then unlocked by another unless "multiuser=yes" is set in the "stationlock" section of the SsoClnt.ini file. See the eTrust SSO Administrator's Guide "Working with the eTrust SSO Client" chapter.
Automatic NT network authentication is not successful if session management is enabled.
The close window button at the top right of the SSO Client authentication window, indicated by a black 'X' is disabled when the 'Tasks' tab is selected. Select a tab other than the 'Tasks' tab and the 'X' button will close the SSO Client when clicked.
The silent install leaves an msiexec.exe process running for a few minutes before successfully terminating the process. This has no effect on the installation.
Uninstalling the SSO Client while it is running causes the installer to leave the empty "Auth" folder and the SsoClnt.ini and SsoAgent.log files in the Client directory. This folder can be deleted after uninstallation. This applies when the SSO Client is on Windows 98 or NT 4.0 platforms only.
If you uninstall the SSO Client and it has had the SSO GINA functionality installed, an empty eTrust SSO directory will be left behind and must be deleted manually.
When EnableOsUnlock=yes, the Authentication dialog contains the "Windows" tab and the "Windows Unlock" button as specified, but clicking the "Windows Unlock" button has no effect.
On Windows XP with the Novell Client installed the computer reboots during station unlock if the station lock was initiated by a timeout.
A container application with a long name, or within a few container levels, will not display or create the shortcuts directly. This is because there is a path length (container name + contained application, all the way up to the root level, comprise an application's path) restriction of 260 chars.
On Windows XP, with the SSO GINA installed and the Windows Remote Desktop running, if the user is not logged in, they may be prompted to log on twice. The first logon does nothing while the second logon successfully unlocks the workstation.
For logging to a file to be successful, the NT user that is logged on must have write access to the area that the log file is being written to. If the user doesn't have the correct access, move the logfile to a directory that they do have access to or change their access privileges.
Users will sometimes get an error when they unlock a workstation that was automatically locked beucase their smartcard was removed. If the Pkcs11TokenAbsenceBehavior is set to 1 and the user has authenticated using the Smartcard, then removed the Smartcard, the workstation is automatically locked. When the user re-inserts their card they may get either a PIN dialog or an error message from the MS GINA. To correct this, the user should leave their Smartcard in the reader, dismiss the dialog then press Ctrl+Alt+Del to unlock.
On Windows XP sp2, if the Windows Firewall is turned on, you must mark the SSO Client as excepted for it to be able to communicate with the Policy Server. The first time you run the SSO Client after installation on Windows XP SP2, you will be asked if you want to mark the SSO Client (r7 and r8) as an "excepted" application.
If you are running the SSO Client on Windows XP with Service Pack 2 and you have Session Management enabled, you should narrow the port range for Session Management. You should use the "Add Port" option to define the ports for session management. The default range for Session Management is 20001-20201, but you can manually edit the port range in the SsoClnt.ini file [SessionManagement] ClientPortRange to be a much smaller subset of the default values, so that you only need to manually add the correspondingly small sub-section of these ports, for example, 20001 – 20010 for session management to work correctly.
Once the eTrust SSO Client is installed on the machine, the existing installation can be modified (usually via Add/Remove Programs, select eTrust SSO Client, click Change button). If, during such modification, the SSO GINA component is selected to be installed, the end-user will not be presented with the dialog to configure the unlock station mode (this dialog can usually be seen when doing a 'clean' install, and selecting SSO GINA component). As a remedy, please refer to the documentation of the SsoClnt.ini file settings for the description of the 'UnlockStationMode' token and the possible values it can take, to configure the unlock station mode manually.
When logging on to Windows using the SSO Client auto-logon functionality in conjunction with the SSO Gina, users may be asked to re-authenticate when they logon to WAC-protected web pages This is because the ETWAC Cookie is generated for system@domainname rather than username@domainname.
If the SSO GINA is deployed and a user's SSO ticket expires while the workstation is locked, the user must enter their credentials twice: first to unlock the workstation and second to re-authenticate and to create a new SSO ticket.
The Tcl extension 'sso getscrape' will not work if the target window is minimized.
This is a list of known issues for the Authentication Agents.
The repair option for all authentication agents has been disabled. We recommend instead for the authentication agents to be reinstalled.
Certificate Authentication Agent
If an invalid directory is entered in the 'Select Trusted Certificate Files' dialog of the Certificate Authentication Agent, for example 'abc', the installation will abort and must be restarted.
The Datakey smart card biometrics implementation notifications (Datakey 330M) will not work properly when used with the SSO GINA. This is because it is implemented as a Windows service and cannot interact with the winlogon desktop. It works when the SSO GINA is not installed. The effect of this is that messages from the Datakey software will not be displayed to the user.
Entrust and Certificate Authentication Agents
You should not install the Certificate and Entrust Authentication Agents on the same computer because they both use the same default port (13987) for listening to incoming requests. If you do install these agents on the same computer, configure one to listen on a different port number.
Entrust Authentication Agent
When you uninstall the Entrust Authentication Agent, some of the registry keys are left behind. This means that the Entrust service still appears in the Services Manager. This happens when the Entrust Dlls (entapi32.dll, enterr.dll, etfile32.dll) are not in the Entrust Authentication Agent's installation directory or a directory mentioned in the value of the PATH environment variable.
For the service to be removed, delete the following registry key and reboot the computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sso_tga_ents_Agent1
If more services were created, i.e. by running tgaents.exe -install Foo or tgaents.exe -install Bar, then those will be under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sso_tga_ents_Foo and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sso_tga_ents_Bar and so on.
LDAP Authentication Agent
The LDAP Authentication Agent hangs when attempting to use a BaseDN consisting of domain-component attributes only, connecting to Active Directory. This only happens when the LDAP Authentication Agent is installed on an Active Directory machine and name mapping is set to "Search". To avoid this problem, do either of the following:
a) Do not use Active Directory root as the BaseDN when specifying "Search" name mapping type.
b) Do not install the LDAP Authentication Agent on the same machine as Active Directory.
NT (Windows) Authentication Agent
If you pause the Windows Authentication Agent service, SSO Clients will timeout during authentication requests rather than return an error immediately.
RSA SecurID Authentication Agent
It is not possible to authenticate via the RSA authentication method, if you are using a username with non-English characters.
Windows Password Synchronization Agent
Here is a list of known issues for the Windows Password Synchronization Agent.
Uninstall requires the computer to be rebooted in order to fully uninstall the Password Synchronization Agent from Windows. Until this reboot, the agent will still be actively synchronizing passwords.
If the Password Synchronization Agent is connecting to a Server Farm, the servers will need to be listed in the registry of the Password Synchronization Agent computer. Failover for Policy Servers in a server farm will not function correctly.
A password change request for a user who doesn't exist will result in a misleading "success" message.
A password set request for an application that the user doesn't have in their application list will result in a misleading "success" message.
Due to Windows handling of password changes, you may notice several errors listed in the event log for one password change error.
Mainframe Password Synchronization Agent
Here is a list of known issues for the Mainframe Password Synchronization Agent.
To uninstall the Mainframe Password Synchronization Agent, you must go to the Windows Control Panel, select Add or Remove programs, select eTrust Single Sign-on Mainframe Password Synchronization Agent. Do not use the "uninstall" option in installation wizard.
When you are in repair mode for the Mainframe Password Synchronization Agent, the progress bar will stay at 50% then jump straight to 100% when it is complete.
Unicenter Software Delivery (USD) package for the Mainframe Password Synchronization Agent (PSA) cannot be registered.
After the USD package has been processed, an error messagebox indicates that "Procedure doesn't exist at provided path [A000134]". As a result, the Mainframe PSA cannot be deployed from USD. Local installations will still run successfully.
When the OTP password expires due to low-water, the SSO password will not match the UNIX password for one application execution (when the expiration occurs). After this, the passwords will match as usual.
IIS 6.0 log creation issue. As part of the changes Microsoft has made to optimize resources in IIS 6.0, the ISAPI filter is not loaded until a request is made to a web site that requires this. The effect of this is that the SSO Web Agent logs will not be created until the ISAPI filter is loaded. It is possible to configure IIS 6 to work in IIS 5 isolation mode. For more information, see the Microsoft site.
NT authentication for IIS 6.0 web agent. When configuring NT or NTLM authentication for the web agent, make sure that the domain name is specified correctly in the backwards compatibility section for the authhost (eg NT-AuthHost or NTLM-AuthHost). If this is not specified and you attempt to authenticate to a WebAgent using NT or NTLM, you will get the following error: "One of the Authentication credentials is missing".
For technical assistance with this product, contact Technical Support at http://ca.com/ for a complete list of locations and phone numbers. Technical support is available 24 hours a day, 7 days a week.