1 etoken TMS (Token Management System) Frequently Asked Questions Make your strong authentication solution a reality with etoken TMS (Token Management System). etoken TMS provides you with full solution life-cycle management, linking your security devices with all your users, organizational rules, and associated security applications in a single automated and fully configurable system.
2 Table of Contents 1. Why do I need a token management system? What is etoken TMS? What makes etoken TMS different? What authenticator life-cycle stages does etoken TMS support? Can users enroll their authenticators themselves? Which authenticators does etoken TMS support? What is the difference between MobilePASS and SoftOTP? How does etoken TMS help if a user forgets their password? How do software authenticators enable easy deployment? How does etoken TMS help if a user loses or damages their authenticator? How does etoken TMS help when a user leaves the organization? How does etoken TMS help me in my regulatory compliance efforts? What security applications does etoken TMS support? What if I use a security application that etoken TMS does not currently support? Is it possible to assign different etoken TMS management roles and access rights to different individuals? I m a managed services provider. How can etoken TMS help me offer etoken authentication as a service to my customers? Which user repositories currently integrate with etoken TMS? How does etoken TMS integrate with Active Directory? Can I use etoken with Active Directory, without installing etoken TMS on my Active Directory production domain? What if I have more than one domain in my organization? What resources are needed in order to install TMS?... 14
3 1. Why do I need a token management system? Make your authentication solution operational and effective In order to enjoy the numerous benefits of strong authentication such as secure network connectivity, laptop and data protection, password management, and many more, it is necessary that your solution will not only be secure, but also manageable. Managing a strong authentication solution without a token (authenticator) management system can be highly complex and timeconsuming, leading to high implementation costs and high probability of errors. A management system allows you to deploy and manage your solution with automatic easy-to-use tools, not only reducing costs, but also helping you to make the most out of your solution. An authenticator management system integrates and manages the entire authentication solution by providing centralized authenticator and credential management, user self-service tools, and integration with existing user identity management systems, policies, and security applications in the organization. The system accompanies the security solution management of each user throughout the user s full life cycle in the organization. With an open, robust, and flexible management system you can continuously expand your scope of supported security solutions, strengthening and broadening the authenticator solution offering. With a management system in place you can: Control your authenticator inventory and usage Reduce the workload of your IT staff with automated processes and user self-service tools Reduce administrative errors by streamlining processes Enhance user productivity Increase compliance with regulations And in short make your authentication solution operational and effective.
4 2. What is etoken TMS? Your system for life-cycle management of authenticators and supported applications etoken TMS (Token Management System) is a robust system that provides full life-cycle management of the etoken solution within an organization. TMS links authenticators with users, organizational rules, and the associated security applications in a single automated and fully configurable system. With etoken TMS you get: A means for cost-effective and convenient authenticator life-cycle management, including hardware and software authenticator deployment, assignment and revocation User and administrator web-based tools, enabling user self-service authenticator enrollment and password reset, automatic backup and restore of user credentials, handling of lost and damaged authenticators including a solution for user on the road lost my authenticator situations, and much more Integration with Microsoft Active Directory, OpenLDAP, Microsoft SQL, and Novell edirectory An open, standards-based architecture, enabling integration with a wide variety of security applications including disk encryption applications, certification authorities, and more Built-in support for several security applications including Microsoft CA, Check Point VPN, Entrust, Windows Logon, and Single Sign-On (SSO) Comprehensive auditing and reporting capabilities for tracking of the authenticator inventory and usage In short etoken TMS is your key to a successful and operational strong authentication solution.
5 3. What makes etoken TMS different? TMS is a versatile authentication server SafeNet etoken TMS offers distinct advantages such as: Full life-cycle management of the entire solution in a single system support for all authentication devices in all form factors and all related security application in a single, flexible, and modular system, including etoken hardware authenticators, etoken Virtual and MobilePASS software authenticators. o Notification Facility that allows completely programmable/scriptable notification mechanism via , SMS or other home grown mechanism for authenticator lifecycle events Open User Repository Architecture The user repository of TMS is architected to be external to the system and separate from the system s authenticator database. This enables a synchronization-free integration with Active Directory, Microsoft SQL, LDAP and Novell edirectory user repositories. o TMS utilizes the existing organizational environment to manage authenticators so the system is smoothly assimilated in the organization's existing IT infrastructure, administrators can perform authenticator management functions in a manner similar to how group policies are created and managed, ensuring also a short learning curve for administrators, and what s more - because the users and authenticators are managed from the same management system, no additional user repository is required! Open, extensible architecture All SafeNet authentication solutions work out the box using standard interfaces. For non-standard interfaces, SafeNet provides a number of SDKs and web services APIs for integration. By using the TMS connectors server-based, configurable plug-ins, it is easy to manage authenticator usage with third-party security applications. The number of supported applications is unlimited - with the TMS Connector SDK offered by SafeNet all security solution providers can add management-level support to their integration with etoken by creating their own TMS connectors. o TMS is architected for extensibility and already today offers the following extension mechanisms. These are already in use today by business partners and customers to extend the functionally and extend TMS to easily integrate with their existing IT infrastructure. Key integration technologies include: TMS Connectors SDK Provide the ability to add a provisioning target system (such as additional CA, Disk Encryption or other user and key management system provisioning systems). TMS Connectors enable a full integration with the entire authenticator life cycle, from issuance to termination, including key recovery and unlocking, suspension etc. TMS Card Printer SDK (from TMS 5.0 only) Provides the ability to add support for card printing systems for smartcard issuance. TMS OTP SDK Provide a set of APIs and Web Services to allow an external agent/application to perform OTP authentication.
6 4. What authenticator life-cycle stages does etoken TMS support? Full life-cycle management from enrollment to revocation TMS manages all stages of the authenticator life cycle, including: Assignment associating an authenticator with a user Enrollment preparing an authenticator with the needed credentials and settings Update modifying authenticator content, for example when an employee s role changes Password reset or change if the authenticator password is forgotten or needs to be changed Replacement enrolling a new authenticator and revoking the current one Disablement/revocation temporarily disabling or permanently revoking an authenticator that has been lost or damaged, or when a user leaves the organization With TMS, authenticator life-cycle management functions can be performed either by the user, through the self-service site, or by the administrator. 5. Can users enroll their authenticators themselves? Certainly! With TMS user self-service tools The TMS Self-service website allows your users to manage their own authenticators according to the security policies you set. Your users can enroll their authenticators, update their authenticators, and even upgrade their old authenticators with new devices without any help, just through the provided intuitive self-service web tools. 6. Which authenticators does etoken TMS support? TMS supports all etoken authenticators TMS provides full support for all etoken hardware authenticators in all form factors and all related security application in a single, flexible, and modular system. From TMS 5.0 (CA), support is also provided for certificate and OTP-based software authenticators, namely etoken Virtual and MobilePASS. Note: Note: MobilePASS appears under the name SoftOTP in the current etoken TMS 5.0 CA release. The name will be updated to MobilePASS in the upcoming etoken TMS 5.1 GA release.
7 7. What is the difference between MobilePASS and SoftOTP? OTP-based software authentication in etoken TMS MobilePASS appears under the name SoftOTP in the current etoken TMS 5.0 CA release. The name will be updated to MobilePASS in the upcoming etoken TMS 5.1 GA release. MobilePASS is also supported by SafeWord 2008 with the Enterprise Solution Pack. 8. How does etoken TMS help if a user forgets their password? Password reset in the user self-service website To ensure the administration burden is truly reduced to minimum TMS is equipped with secure webbased user self-service tools. For maximum security, TMS divides the user self-service authenticator password reset to two different scenarios: 1. The user forgets their password and is in the office all they have to do is enter an internal selfservice website, authenticate using Windows authentication, and reset the password. 2. The user forgets their password and is out of the office the user can enter an external website, authenticate by answering a set of predefined questions and reset the password. The process is simple and intuitive, involves no help-desk calls, and minimizes password related costs. But this is only one option; for organizations that prefer the help desk approach, TMS provides the answer. Administrators can easily reset user authenticator passwords using the TMS web-based administration tool. 9. How do software authenticators enable easy deployment? Software authenticators can be deployed with ease For global organizations with centralized IT functions, etoken TMS offers a solution to smooth deployment and distribution of authenticators. etoken Virtual Temp is a time limited temporary authenticator which can be used for a limited period of time instead of a permanent authenticator For each authenticator, the user can enroll one temporary virtual authenticator.
8 10. How does etoken TMS help if a user loses or damages their authenticator? User or administrator can disable or revoke the authenticator When an authenticator is missing there s always the risk that some malicious doer has found or even stole it and will try to use it to do some harm. Even though our devices include several security features that make sure your personal credentials remain safe (depends on the specific authenticator) such as your etoken password, an automatic etoken lock mechanism, and credential storage on-board a secured smart card TMS allows you to do even more. With TMS selfservice and administration tools you can easily render the lost authenticator useless, and quickly eliminate all the relevant security risks. TMS supports two possible scenarios: 1. The authenticator is believed to be temporarily missing for example, your user got to the office and cannot find their authenticator but believes it may have been forgotten at home. In this case, it is possible to disable the authenticator this means that the authenticator cannot be used, but the certificates are still not revoked. The user can do it herself from the user selfservice website, or the help desk can do it for them from the TMS management website. If at the end of the day the user does find the authenticator at home, the user or the help desk can then enable the authenticator. 2. The authenticator is lost if your user is certain that the authenticator is lost, the authenticator and certificates stored on it should be revoked. Once the authenticator is revoked it cannot be used by anyone, and there is no risk that it will ever pose a significant security threat. An authenticator can be revoked either by the user from the user self-service website, or by the help desk from the TMS management website. One of the challenges when implementing an authentication solution is to enable users to continue working, even if they are on the road and forgot or lost their token. Not doing so might have very serious implications: the user might not be able to access their computer, or company network, and suffer from significant productivity loss which may also lead to loss of income. For example, a user might arrive at a potential customer site only to find out he/she cannot access an important presentation and consequently lose an important deal. etoken Rescue is one of etoken TMS key features, enabling an on-the-spot, immediate solution for users who lose or damage their authenticator on the road. A user who finds him/herself without a working authenticator in hand can easily regain access to the network and critical applications using etoken TMS web-based self-recovery service. In only a few short steps, the user is provided with etoken Rescue a temporary software token that includes all the certificates and keys of their physical token. With etoken TMS s etoken Rescue, there are no idle employees and no productivity loss as a result of a disabled token. etoken Rescue keeps users securely connected to enterprise digital assets, by ensuring access at all times. SafeNet offers etoken Rescue, a software-based solution which allows your users to temporarily continue using their credentials without their physical authenticator while they re out of the office.
9 Once they return, and have reinstated their authenticator or been issued a new one, their etoken Rescue expires. TMS supports a number of methods for securely retrieving and activating etoken Rescue when such exceptions occur. For example, etoken Rescue may be securely stored on the user s local machine when the user is issued an authenticator, and then updated regularly. etoken Rescue is encrypted with a long and complex encryption key using the AES encryption algorithm so that the authenticator content is very strongly protected. To activate etoken Rescue, the user can retrieve the encryption key either from the secured TMS self-service website or from the help desk. Another possibility is to download the encrypted etoken Rescue from the secured website as well as retrieve the key at the time the exception occurs. The end user specifies the validity period when requesting the authenticator. When the validity period expires, the etoken Rescue and profiles are automatically revoked. In addition, enrolling a new token for the user automatically revokes the etoken Rescue. With etoken, each organization can choose the methods that best fit its needs and security policies. 11. How does etoken TMS help when a user leaves the organization? You can automatically and immediately revoke the authenticator Whenever someone leaves the company, or a user is no longer part of a group or organization, it is vital to ensure that neither they nor anyone else can use her credentials and keys. TMS provides you with an easy-to-use wizard that can automatically and immediately un-assign the authenticator from the user and revoke all credentials, ensuring you are secure. 12. How does etoken TMS help me in my regulatory compliance efforts? With enhanced data security, auditing and reporting With regulatory compliance at the forefront of organizations concerns, TMS was designed to facilitate the organization s compliance efforts with full auditing and reporting capabilities. TMS is equipped with a set of built-in reports such as token usage, connected tokens, token inventory and status, and attendance reports. TMS also supports external reporting tools so you can generate any other reports you may need. In addition, TMS auditing tools include fully customizable alerts so you can track any irregular or problematic usage right when it happens. As numerous regulations also require internal data controls and protection of individuals privacy, TMS enables you to manage your solution in a secure fashion. Access to TMS is based on a rolebased authorization method, allowing you to completely control the scope of each administrator s ability to view and modify user data and to perform management functions, starting from a particular domain and down to the level of specific users. Furthermore, all TMS user data in the domains with which TMS is associated can be encrypted with a different key for each domain.
10 13. What security applications does etoken TMS support? Broad application support with modular connectors TMS manages security application using TMS connectors server-based, configurable plug-ins. Built-in connectors available from SafeNet include: TMS Windows Logon (GINA) Connector provides easy deployment of user profiles for the etoken Windows Logon (GINA) application, providing strong user authentication for local network logon TMS OTP Authentication connector enables the enrollment and deployment of tokens for OTP authentication throughout the organization TMS Microsoft CA connector facilitates the deployment of PKI within the organization by enabling users to automatically enroll their tokens with certificates provided by Microsoft Certification Authority services TMS P12 Certificate Import Connector enables users to import P12 and root CA certificate files onto their etoken smart-card-based devices TMS PFX Certificate Import Connector enables users to import PFX and root CA certificate files onto their etoken smart-card-based devices TMS Check Point Internal CA connector creates a direct link between TMS and the Check Point internal CA, enabling enterprise-wide management of Check Point internal CA certificates using TMS etoken Anywhere Connector TMS Flash Management Connector manages etoken NG-FLASH flash memory partitioning and configuration of an auto-run area Entrust Connector Even though the connectors already cover a wide variety of security needs, you are by no means limited only to these connectors. Additional connectors are available according to the organization s needs such as TMS Single Sign-On (SSO) connector provides enterprise-level backup & restore capabilities for user application logon credentials Thanks to the system s open and modular architecture and a robust TMS connector SDK, etoken customers and application developers can create their own connectors. Several etoken solution partners now offer connectors for management-level integration of their solutions.
11 14. What if I use a security application that etoken TMS does not currently support? TMS offers flexible, modular integration In order to integrate third-party security applications with TMS, SafeNet offers the TMS Connector SDK. With this SDK you, or your application provider, can develop your own TMS connector and add management-level support to the security application that you use. TMS open and modular architecture is designed to ensure that you can manage and deploy the solution that exactly fits your security needs. 15. Is it possible to assign different etoken TMS management roles and access rights to different individuals? Definitely! TMS was designed with security in mind TMS is equipped with a role-based access mechanism for security. It allows you to ensure that individuals accessing TMS can modify only the user data stored on the system which is relevant to them, and perform only allowed actions. The following examples illustrate how this important feature can be used in an organizational setting: Managed services providers or large corporations with independent business units allow administrators access only to domains under their control, e.g. belonging to a specific customer account or geographical region Dispersed authenticator management responsibilities an organization may wish to allow certain individuals access to only portions of TMS functionality. For example: o Human resources may be allowed to enroll or upgrade authenticators for users o Upper management may be allowed to view token usage reports o Low-level help desk personnel may be able to perform basic help desk functions, but not to modify the authenticator inventory or which authenticators are assigned to which users
12 16. I m a managed services provider. How can etoken TMS help me offer etoken authentication as a service to my customers? Secure solution management with a single system A number of key features in TMS make the etoken solution a strong choice for managed services providers wishing to offer authentication services. Your customers can rest assured that their data is secure, and you can save valuable time and money. Management of multiple domains from the same server multiple domains can be managed in one system, from a single web-based interface, simplifying administration Role-based authorization permissions can be assigned to administrators for specific domains, OUs, groups, and tasks Data security different encryption keys can be used for different domains (belonging to different customers), meaning you can effectively manage the etoken solution for numerous customers in a single system without compromising your customers data Support for high availability using well-known and commonly-used clustering and redundancy capabilities available with Microsoft Windows Server 2003 and IAS Management tools for the customer the TMS administrator and user self-service websites can be used by the customer for local management Auditing TMS provides tamper-proof auditing and event-based notification by Reporting Reports can be viewed by the service provider as well as by the customer via the TMS management website. Data is stored in a separate database for each domain so you can easily aggregate a specific customer s data and export it to the customer, to be analyzed using TMS report or external reporting tools 17. Which user repositories currently integrate with etoken TMS? Microsoft Active Directory, Microsoft SQL Server, OpenLDAP and Novell edirectory In order to provide you and your administrators with the flexibility to deploy etoken TMS with the user repository you desire, etoken TMS is fully integrated with Microsoft Active Directory, Microsoft SQL Server, OpenLDAP and Novell edirectory.
13 18. How does etoken TMS integrate with Active Directory? By extending the Active Directory schema TMS extends the Active Directory (AD) schema to include TPOs Token Policy Objects, which contain all the relevant information regarding TMS supported security applications and solutions. The schema extension is done according to Microsoft guidelines, and all extensions are registered with Microsoft. The TPOs are handled and managed just like Active Directory s GPOs, which are already well familiar to all administrators. So with minimal changes to AD, TMS gives maximum results. The many benefits of seamless integration with AD include: Familiar and intuitive usage for administrators Direct link with user data no need for database replication Full integration with AD user rules and policies All user data are located and managed in one place 19. Can I use etoken with Active Directory, without installing etoken TMS on my Active Directory production domain? Use ADAM TMS by default can be installed in two different modes: on the production domain, and on Active Directory Application Mode (ADAM). This means you can use TMS without making any modifications to your production domain. 20. What if I have more than one domain in my organization? Manage all your domains from one etoken TMS etoken TMS supports the management of multiple domains allowing you to truly manage your entire solution with a single system. How does it work? Very simple When entering TMS a window opens with a list of all the domains the administrator is authorized to access. All the administrator has to do is pick a domain from the list and start working.
14 21. What resources are needed in order to install TMS? Installation is according to your environment Active Directory users: TMS can be installed on Windows 2003 on the same computer as Active Directory. TMS does not require a dedicated server or a unique user repository. MS SQL Server users: TMS supports MS SQL Server as a user store, with ADAM as the TMS Configuration Store. Prior to installing TMS, certain views should be created in MS SQL Server. OpenLDAP: TMS supports the use of OpenLDAP as a user store, with ADAM as the TMS Configuration Store. An XML file should be provided to match TMS aware entities. Novell edirectory: TMS supports the use of edirectory as a user store, with ADAM as the TMS Configuration Store Copyright & Trademark Notice: 2009, SafeNet. All rights reserved. All text, images, graphics and other materials which are part of this document are subject to copyrights and other intellectual property rights of SafeNet, and nothing contained herein may be reproduced for commercial use or distribution, modified or transmitted in any form or by any means, other than for the specific purpose for which they were provided herein or with the express written consent of SafeNet. Nothing in this document may be construed as granting any proprietary rights of SafeNet whatsoever. All trademarks, service marks, logos and trade names mentioned herein with respect to SafeNet's products and/or services (collectively, the "Marks"), whether registered or not, are proprietary to SafeNet, or other respective owners, who have granted SafeNet the right and license to use such Marks and are subject to trademark rights of SafeNet.