Installing Entrust IdentityGuard Server

Transcription

Installing Entrust IdentityGuard Server
Entrust®
Entrust IdentityGuard 8.1
Installation Guide
Document issue: 3.0
Date of Issue: April 2007
Copyright © 2007 Entrust. All rights reserved.
Entrust is a trademark or a registered trademark of Entrust,
Inc. in certain countries. All Entrust product names and
logos are trademarks or registered trademarks of Entrust,
Inc. in certain countries. All other company and product
names and logos are trademarks or registered trademarks
of their respective owners in certain countries.
This information is subject to change as Entrust reserves
the right to, without notice, make changes to its products
as progress in engineering or manufacturing methods or
circumstances may warrant.
Export and/or import of cryptographic products may be
restricted by various regulations in various countries.
Export and/or import permits may be required.
2
Entrust IdentityGuard 8.1 Installation Guide
Table of contents
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Revision information
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Documentation conventions
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Note and Attention text
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Related documentation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Obtaining documentation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Documentation feedback
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Obtaining technical assistance
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Technical support
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Telephone numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Email address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Professional Services
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
CHAPTER 1
Preparing for installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Preinstallation overview
Preinstallation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Downloading Entrust IdentityGuard software
Preparing your repository
Preparing your VPN network
Installation worksheet
. . . . . . . . . . . . . . . . . . . . . . . . . 21
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Installing the token support patch
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Reconfiguring for third-party tokens
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
CHAPTER 2
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX .
31
Creating the UNIX group and user
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Installing Entrust IdentityGuard Server
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Linux Red Hat Enterprise 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table of contents
3
Configuring the primary Entrust IdentityGuard Server
Starting the Entrust IdentityGuard configuration
. . . . . . . . . . . . . . . . . . . . . . . 36
. . . . . . . . . . . . . . . . . . . . . . . 36
Adding Directory information to Entrust IdentityGuard
. . . . . . . . . . . . . . . . . . 37
Adding Database information to Entrust IdentityGuard
. . . . . . . . . . . . . . . . . . 42
Completing the Entrust IdentityGuard configuration
Initializing the primary Entrust IdentityGuard Server
What initialization does
If initialization fails
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Initializing the primary server
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring the sample application on UNIX
Running the scripts manually
Testing your installation
. . . . . . . . . . . . . . . . . . . . 43
. . . . . . . . . . . . . . . . . . . . . . . . 47
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Managing the Entrust IdentityGuard service
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Starting and stopping Entrust IdentityGuard
. . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Starting and stopping Entrust IdentityGuard with the UNIX service command
Enabling and disabling individual Entrust IdentityGuard services
. 63
. . . . . . . . . . . . 64
CHAPTER 3
Installing Entrust IdentityGuard Server with embedded Tomcat server on
Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Installing Entrust IdentityGuard Server
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configuring the primary Entrust IdentityGuard Server
Using the Configuration Panel
. . . . . . . . . . . . . . . . . . . . . . . 70
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Starting the Entrust IdentityGuard Configuration wizard
Selecting your repository settings
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Selecting Entrust IdentityGuard service ports
Selecting your system host name
. . . . . . . . . . . . . . . . . . . . . . . . . . 79
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Completing Entrust IdentityGuard configuration
Initializing the primary Entrust IdentityGuard Server
What initialization does
If initialization fails
. . . . . . . . . . . . . . . . . . . . . . . 82
. . . . . . . . . . . . . . . . . . . . . . . . 83
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Running the Entrust IdentityGuard Initialization wizard
. . . . . . . . . . . . . . . . . . 84
Configuring the sample application on Microsoft Windows
. . . . . . . . . . . . . . . . . . 87
Testing your installation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Installation troubleshooting
4
. . . . . . . . . . . . . . . . . 70
IdentityGuard 8.1 Installation Guide
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Document issue: 3.0
Managing the Entrust IdentityGuard service
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
CHAPTER 4
Installing Entrust IdentityGuard Server with an existing application server . . 95
Preparing WebLogic for installation of IdentityGuard
Preparing WebLogic 8.1 for installation
. . . . . . . . . . . . . . . . . . . . . . . 96
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring SSL for WebLogic 8.1
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring SSL for WebLogic 9.1
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Preparing WebSphere for installation of Entrust IdentityGuard
Configuring SSL for WebSphere 6.0
Installing Entrust IdentityGuard Server
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Configuring the primary Entrust IdentityGuard Server
. . . . . . . . . . . . . . . . . . . . . 109
Starting the Entrust IdentityGuard configuration
. . . . . . . . . . . . . . . . . . . . . . 109
Adding Directory information to Entrust IdentityGuard
Completing the Entrust IdentityGuard configuration
Initializing the primary Entrust IdentityGuard Server
What initialization does
If initialization fails
. . . . . . . . . . . . . . . 100
. . . . . . . . . . . . . . . . . 110
. . . . . . . . . . . . . . . . . . . 115
. . . . . . . . . . . . . . . . . . . . . . . 118
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Initializing the primary server
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Configuring the sample application on an existing application server
Running the scripts manually
. . . . . . . . . . 121
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
CHAPTER 5
Deploying Entrust IdentityGuard services on an existing application server . 127
Deploying Entrust IdentityGuard services on WebLogic
. . . . . . . . . . . . . . . . . . . . 128
Deploying Entrust IdentityGuard services on WebLogic 8.1 application server
Deploying Entrust IdentityGuard services on WebLogic 9.1 application server
Deploying Entrust IdentityGuard services on WebSphere 6.0 application server
Defining and deploying shared library settings
134
. . 142
. . . . . . . . . . . . . . . . . . . . . . . . 142
Installing Entrust IdentityGuard services on WebSphere 6.0
Testing your installation
128
. . . . . . . . . . . . . . 155
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Table of contents
5
Managing the Entrust IdentityGuard service
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Query the status of Entrust IdentityGuard service
. . . . . . . . . . . . . . . . . . . . . . 166
Stopping Entrust IdentityGuard Services on WebLogic 8.1
. . . . . . . . . . . . . . . 167
Stopping Entrust IdentityGuard Services on WebLogic 9.1
. . . . . . . . . . . . . . . 168
Stopping Entrust IdentityGuard Services on WebSphere 6.0
. . . . . . . . . . . . . . 169
CHAPTER 6
Configuring the Entrust IdentityGuard Radius proxy . . . . . . . . . . . . . . . . . .171
Radius proxy integration overview
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Configuring the Radius proxy for groups
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Using Entrust IdentityGuard groups with a VPN server
. . . . . . . . . . . . . . . . . . 175
Radius server example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
External authentication example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Matching a group to a user
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Using the Radius proxy with a Radius server
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Using the Radius proxy with a domain controller or LDAP directory
Configuring the VPN server
Configuring a Radius server for first-factor authentication
Configuring Radius server failover
Managing the Radius proxy
. . . . . . . . . . . 187
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
. . . . . . . . . . . . . . . . . . 194
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Managing the Radius proxy on UNIX
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Managing the Radius proxy on Microsoft Windows
. . . . . . . . . . . . . . . . . . . . 199
CHAPTER 7
Postinstall configuration options for Entrust IdentityGuard Server . . . . . . . . .201
Configuring Entrust IdentityGuard for external authentication
Configuring external authentication
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Adding Entrust IdentityGuard replica servers
Configuring failover on the repository
Configuring failover for a database
Configuring failover for a directory
Storing unassigned cards and tokens
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring Syslog for remote logging on UNIX
6
. . . . . . . . . . . . . . . 202
. . . . . . . . . . . . . . . . . . . . . . . . . . 226
Disabling the non-SSL port on the Authentication service
. . . . . . . . . . . . . . . . . . . 228
Enabling the non-SSL port on the Administration service
. . . . . . . . . . . . . . . . . . . 230
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Disabling the SSL port on the Administration service
Securing the LDAP connection with SSL
. . . . . . . . . . . . . . . . . . . . . . 231
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Changing the Entrust IdentityGuard certificate
. . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Creating self-signed certificates
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Importing CA-signed certificates
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Exporting the certificate to client applications
. . . . . . . . . . . . . . . . . . . . . . . . 238
Updating certificates
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Enabling system binding
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
CHAPTER 8
Backing up and restoring Entrust IdentityGuard Server. . . . . . . . . . . . . . . . 243
Planning a backup strategy
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Backing up your configuration
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Restoring Entrust IdentityGuard from a backup
Restoring a file-based repository
. . . . . . . . . . . . . . . . . . . . . . . . . . 250
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Reconfiguring the system or Entrust IdentityGuard serial number
. . . . . . . . . . . . . 254
APPENDIX A
Configuring the Entrust IdentityGuard Server properties file . . . . . . . . . . . . 255
Editing property values
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Encrypting property values
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Enabling the authentication success audit
Enabling a WSDL query
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Configuring additional search bases
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Configuring LDAP directory properties
Configuring database properties
Enabling cached challenges
Caching policies
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Changing log configuration
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Changing log locations on UNIX
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Configuring master user shell formatting
Configuring license auditing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Configuring the Entrust IdentityGuard Radius proxy properties
Configuring external authentication properties
Configuring token properties
. . . . . . . . . . . . . . 282
. . . . . . . . . . . . . . . . . . . . . . . . . . . 293
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Table of contents
7
Configuring the Administration interface properties for bulk operations
. . . . . . . . 296
Configuring the Administration interface to control the output format
. . . . . . . . . 297
APPENDIX B
Upgrading Entrust IdentityGuard Server on Linux . . . . . . . . . . . . . . . . . . . .299
Upgrading Entrust IdentityGuard Server 7.2 to 8.1
. . . . . . . . . . . . . . . . . . . . . 299
Upgrading Entrust IdentityGuard Server from 8.0 to 8.1
. . . . . . . . . . . . . . . . 302
APPENDIX C
Using the sample Web application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Preparing to use the sample Web application
Accessing the sample Web application
Registering as a user
Activating a card
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Registering a token
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Using machine authentication to log in
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Using generic authentication to log in
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Using step-up authentication
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Using temporary PIN authentication to log in
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Using one-step grid authentication to log in
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Using two-step grid authentication to log in
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
APPENDIX D
Uninstalling Entrust IdentityGuard Server . . . . . . . . . . . . . . . . . . . . . . . . . .335
Uninstalling Entrust IdentityGuard Server with embedded Tomcat on UNIX
Uninstalling Entrust IdentityGuard Server on Microsoft Windows
. . . . . 336
. . . . . . . . . . . . . 337
Uninstalling Entrust IdentityGuard Server with an existing application server
. . . . 338
Uninstalling Entrust IdentityGuard on WebLogic 8.1
. . . . . . . . . . . . . . . . . . . 338
Uninstalling Entrust IdentityGuard on WebLogic 9.1
. . . . . . . . . . . . . . . . . . . 340
Uninstalling Entrust IdentityGuard on WebSphere 6.0
. . . . . . . . . . . . . . . . . . 342
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
8
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
About this guide
The Entrust IdentityGuard Installation Guide provides detailed information for
administrators to plan, install, configure, and troubleshoot the Entrust IdentityGuard
Server installation.
This guide contains the following sections:
•
Chapter 1 “Preparing for installation” describes important preinstallation
steps for installers as well as directory and database administrators.
•
Chapter 2 “Installing Entrust IdentityGuard Server with embedded Tomcat
server on UNIX” provides all the necessary steps for installing, configuring,
initializing, and testing Entrust IdentityGuard.
•
Chapter 3 “Installing Entrust IdentityGuard Server with embedded Tomcat
server on Microsoft Windows” provides all the necessary steps for installing,
configuring, initializing, and testing Entrust IdentityGuard.
•
Chapter 4 “Installing Entrust IdentityGuard Server with an existing
application server” provides all the necessary steps for installing, configuring,
initializing, and testing Entrust IdentityGuard using WebLogic 8.1 or 9.1 and
WebSphere 6.0 applications servers.
•
Chapter 5 “Deploying Entrust IdentityGuard services on an existing
application server” provides all the necessary steps to deploy Entrust
IdentityGuard services using the WebLogic 8.1 or 9.1 or WebSphere 6.0
application servers.
•
Chapter 6 “Configuring the Entrust IdentityGuard Radius proxy” provides all
the necessary steps for configuring the Radius Proxy for VPN use and to
manage the Radius Proxy.
•
Chapter 7 “Postinstall configuration options for Entrust IdentityGuard
Server” describes steps for configuring or reconfiguring Entrust
IdentityGuard after installation.
•
Chapter 8 “Backing up and restoring Entrust IdentityGuard Server” provides
guidelines for planning a backup strategy and steps for restoring Entrust
IdentityGuard from a backup.
9
10
•
Appendix A “Configuring the Entrust IdentityGuard Server properties file”
provides guidelines to reconfigure your installation by editing or adding
settings to the identityguard.properties file.
•
Appendix B “Upgrading Entrust IdentityGuard Server on Linux” describes
steps to upgrade to Entrust IdentityGuard from a previous installation of
IdentityGuard 7.2 or 8.0.
•
Appendix C “Using the sample Web application” provides instructions for
using the “Any Bank” sample Web application.
•
Appendix D “Uninstalling Entrust IdentityGuard Server” provides
instructions for uninstalling Entrust IdentityGuard from your system.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Revision information
Table 1: Revisions in this document
Revision
Section
Description
Document issue 3.0 • “Preparing for installation” Expands the chapter introduction to
on page 19
describe the various installation scenarios
available to users.
• “Downloading Entrust
IdentityGuard software”
on page 21
Adds steps for downloading and
extracting the token patch file.
• “Installing the token
Adds instructions for installing the patch
support patch” on page 30 that supports Entrust tokens.
Changes the instructions (Step 11) to
• “Defining and deploying
shared library settings” on include adding Entrust tokens to the
page 142
WebSphere shared library.
• “Configuring the Radius
proxy for groups” on
page 175
• “Configuring the Entrust
IdentityGuard Radius
proxy properties” on
page 282
Adds an explanation of how you can
configure the Radius proxy to convert
names with the form “name@group” or
“group\name” to “group/name,” which
is the form used by Entrust IdentityGuard.
• “Configuring external
authentication” on
page 202.
Describes a problem that can occur with
the Kerberos protocol if LDAP user names
are in mixed case.
• “Configuring token
properties” on page 295
Adds a section that explains new
token-related properties added to the
identityguard.properties file.
Document Issue 2.0 • “Installing Entrust
IdentityGuard Server with
embedded Tomcat server
on UNIX” on page 31
Adds a section on required preinstallation
steps if using Linux Red Hat Enterprise 4.
About this guide
Feedback on guide
11
Table 1: Revisions in this document
Revision
Section
Description
Document Issue 1.0, • “Preparing WebSphere for Adds instructions on installing Entrust
IdentityGuard on an AIX server with IBM
patch 108508
installation of Entrust
WebSphere 6.0.
IdentityGuard” on
page 100
Modifies instructions for configuring
• “Deploying Entrust
external authentication with a domain
IdentityGuard services on controller. This patch removed the
WebSphere 6.0 application identityguard.externalauth.kerb
server” on page 142
eros.kdc property and replaced it with a
igkrb5.conf file instead.
• “Configuring the Radius
proxy for groups” on
For more information, see “External
page 175
authentication example” on page 177.
• “Configuring Entrust
IdentityGuard for external
authentication” on
page 202
12
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Documentation conventions
Following are documentation conventions which appear in this guide:
Table 2: Typographic conventions
Convention
Purpose
Example
Bold text
(other than
headings)
Indicates graphical user
interface elements and
wizards
Click Next.
Italicized text
Used for book or
document titles
Entrust TruePass 7.0 Deployment Guide
Blue text
Used for hyperlinks to
other sections in the
document
Entrust TruePass supports the use of many types
of digital ID.
Underlined blue
text
Used for Web links
For more information, visit our Web site at
www.entrust.com.
Courier type
Use the entrust-configuration.xml file
Indicates installation
paths, file names,
to change certain options for Verification Server.
Windows registry keys,
commands, and text you
must enter
Angle brackets
Indicates variables (text
you must replace with
your organization’s
correct values)
By default, the entrust.ini file is located in
<install_path>/conf/security/entrust.
ini.
Indicates optional
parameters
dsa passwd [-ldap]
<>
Square brackets
[courier type]
Note and Attention text
Throughout this guide, there are paragraphs set off by ruled lines above and below
the text. These paragraphs provide key information with two levels of importance, as
shown below.
Note: Information to help you maximize the benefits of your Entrust product.
Attention: Issues that, if ignored, may seriously affect performance, security, or
the operation of your Entrust product.
About this guide
Feedback on guide
13
Related documentation
Entrust IdentityGuard is supported by a complete documentation suite:
14
•
For instructions on installing and configuring Entrust IdentityGuard on UNIX
and Microsoft Windows, see the Entrust IdentityGuard Installation Guide.
•
For instructions on administering Entrust IdentityGuard users and groups, see
the Entrust IdentityGuard Administration Guide.
•
For information on deploying Entrust IdentityGuard, see the Entrust
IdentityGuard Deployment Guide.
•
For information on configuring Entrust IdentityGuard to work with a
supported LDAP repository—Microsoft® Active Directory, Microsoft®
Active Directory Application Mode, Critical Path InJoin Directory, IBM Tivoli
Directory, Novell eDirectory, or Sun ONE Directory—see the Entrust
IdentityGuard Directory Configuration Guide.
•
For information on configuring Entrust IdentityGuard to work with a
supported database—IBM DB2 Universal Database, Microsoft SQL Server, or
Oracle Database—see the Entrust IdentityGuard Database Configuration
Guide.
•
For information on Entrust IdentityGuard error messages, see the Entrust
IdentityGuard Error Messages.
•
For information on new features, limitations and known issues in the latest
release, see the Entrust IdentityGuard Release Notes.
•
For information on integrating the authentication and administration
processes of your applications with Entrust IdentityGuard, see the Entrust
IdentityGuard Programming Guide that applies to your development
platform (either Java Platform or C#).
•
For Entrust IdentityGuard product information and a data sheet, go to
http://www.entrust.com/strong-authentication/identityguard/index.htm
•
For information on identity theft protection seminars, go to
http://www.entrust.com/events/identityguard.htm
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Obtaining documentation
Entrust product documentation, white papers, technical notes, and a comprehensive
Knowledge Base are available through Entrust TrustedCare Online. If you are
registered for our support programs, you can use our Web-based Entrust TrustedCare
Online support services at:
https://www.entrust.com/trustedcare
Documentation feedback
You can rate and provide feedback about Entrust product documentation by
completing the online feedback form. You can access this form by
•
clicking the Feedback on guide link located in the footer of Entrust’s PDF
documents (see bottom of this page).
•
following this link:
http://sottwebdev2.entrust.com/products/feedback/index.cfm
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrust.com
About this guide
Feedback on guide
15
Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support
resources. The following subsections provide details about the technical support and
professional services available to you.
Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://www.entrust.com/trustedcare
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
•
Your contact information
•
Product name, version, and operating system information
•
Your deployment scenario
•
Description of the problem
•
Copy of log files containing error messages
•
Description of conditions under which the error occurred
•
Description of troubleshooting activities you have already performed
Telephone numbers
For support assistance by telephone call one of the numbers below:
•
1-877-754-7878 in North America
•
1-613-270-3700 outside North America
Email address
The email address for Customer Support is:
support@entrust.com
16
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Professional Services
The Entrust team assists e-businesses around the world to deploy and maintain secure
transactions and communications with their partners, customers, suppliers and
employees. We offer a full range of professional services to deploy our e-business
solutions successfully for wired and wireless networks, including planning and design,
installation, system integration, deployment support, and custom software
development.
Whether you choose to operate your Entrust solution in-house or subscribe to hosted
services, Entrust Professional Services will design and implement the right solution for
your e-business needs. For more information about Entrust Professional Services
please visit our Web site at:
http://www.entrust.com
About this guide
Feedback on guide
17
18
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 1
Preparing for installation
Use this chapter before you install Entrust IdentityGuard Server. It contains important
preinstallation steps for installers, as well as for directory and database administrators.
•
For a first-time installation of Entrust IdentityGuard, follow instructions in this
guide related to a full install on your platform. Then install the latest patch.
•
For an upgrade from an earlier version of Entrust IdentityGuard, see
“Upgrading Entrust IdentityGuard Server on Linux” on page 299.
•
To add support for tokens to an existing installation of Entrust IdentityGuard
8.1, install patch 129366 or a later patch (see “Installing the token support
patch” on page 30). (Not available for AIX.)
Attention: Complete the steps in this chapter before you install Entrust
IdentityGuard Server.
This chapter contains the following sections:
•
“Preinstallation overview” on page 20
•
“Preinstallation” on page 21
•
“Installation worksheet” on page 25
•
“Installing the token support patch” on page 30
19
Preinstallation overview
The following flowchart outlines the high level preinstallation steps you must
complete before doing a full install of Entrust IdentityGuard Server, including an install
on AIX.
Figure 1: Preinstallation overview
Download the Entrust
IdentityGuard software
Create UNIX group and
UNIX user (if you are
installing on UNIX)
Back up your repository
Preparing your data repository
JDBC
LDAP
Create database user and
table spaces
Install schema file
Install JDBC driver
Gather configuration data
Add attributes and object
classes to LDAP directory
schema
Gather configuration data
Are you using a VPN server?
VPN
Determine the group names to
use, if applicable
What method are you using for primary authentication ?
20
Radius
External
Gather addresses and shared
secrets for your VPN and Radius
servers
Decide if you will use a domain
controller or LDAP directory for
primary authentication
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Preinstallation
Complete the following procedures before you install Entrust IdentityGuard Server.
Topics in this section:
•
“Downloading Entrust IdentityGuard software” on page 21
•
“Preparing your repository” on page 22
•
“Preparing your VPN network” on page 23
Note: Some versions of Solaris may not have ZIP. If required, download ZIP from
Sun’s Web site at http://www.sun.com/software/solaris/freeware. You will need
ZIP for some procedures later in this document.
Downloading Entrust IdentityGuard software
Download the Entrust IdentityGuard software package or patch from Entrust
TrustedCare Online Web site. They include any schema files you need to set up your
repository.
To download Entrust IdentityGuard software
1
Browse to the Entrust IdentityGuard downloads page on the Entrust TrustedCare
Online Web site:
https://www.entrust.com/trustedcare
You should have an email from Entrust that includes:
2
•
your user name and password for accessing the downloads page
•
instructions on how to access the downloads page
•
activation and installation keys required for the installer
For a full install, download one of the following files (depending on the operating
system you are using) by clicking the Download link:
•
IG_81_Linux.tar
•
IG_81_Solaris.tar
•
IG_81_Windows.zip
•
IG_81_WebLogic_WebSphere.tar
•
IG_81_WebSphere_AIX.tar
Save the .tar or .zip file to any directory on the computer you want to use to
run Entrust IdentityGuard.
Preparing for installation
Feedback on guide
21
3
For the patch that adds support for Entrust tokens, download either
IG_81_129366.zip (for Windows) or IG_81_129366.tar (for Linux or
Solaris). If a newer patch is available, download it instead.
4
For a full install, extract the files to a temporary directory.
To do so:
•
On UNIX, enter the command,
tar -xvf IG_81_<your_version>.tar
where <your_version> is the file you have downloaded for your specific
installation.
•
On Microsoft Windows, locate the IG_81_Windows.zip file and extract
the files using a utility such as WinZip®.
Extracting the file for a full install creates a subdirectory called IG_81 that
contains all the Entrust IdentityGuard files and subdirectories.
5
For patch 129366 or a later patch, extract the files to the existing Entrust
IdentityGuard 8.1 root directory.
If an error occurs, try the download again. If the problem persists, contact Entrust
Customer Support.
To install patch 129366 or a later patch, skip to “Installing the token support patch”
on page 30.
For a full install (including an AIX install), continue with the preinstallation instructions
in this chapter, and then follow the applicable installation instructions in later
chapters.
Preparing your repository
Configure your repository to work with Entrust IdentityGuard before you begin the
Entrust IdentityGuard Server installation. Entrust IdentityGuard supports the use of an
Active Directory, LDAP directory, or a database as the data repository.
Whether you are upgrading Entrust IdentityGuard Server, or installing for the first
time, you must apply the Entrust IdentityGuard schema changes by running the LDIF
or SQL files.
To do so, follow the instructions in the Entrust IdentityGuard Directory Configuration
Guide or Entrust IdentityGuard Database Configuration Guide.
For up-to-date and detailed information on configuring your repository, see the
Technical Integration Guides.
These guides are available for download from Entrust TrustedCare Online at:
https://www.entrust.com/trustedcare
22
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Preparing your VPN network
To enable multifactor authentication for VPN connections, you can install and
configure the Entrust IdentityGuard Radius proxy component with your full
installation of Entrust IdentityGuard Server.
There are two ways you can set up the system to perform the required first-factor
authentication before the second-factor authentication provided by Entrust
IdentityGuard:
•
Configure a separate Radius server that will perform the first-factor
authentication, and use the Entrust IdentityGuard Radius proxy to
communicate with Entrust IdentityGuard for second-factor authentication.
For more information, see “Using the Radius proxy with a Radius server” on
page 180.
•
Configure the external authentication feature provided with Entrust
IdentityGuard. This enables Entrust IdentityGuard to perform first-factor
authentication using the Windows domain controller or the information from
the LDAP directory. For more information, see “Configuring Entrust
IdentityGuard for external authentication” on page 202.
If you are configuring Entrust IdentityGuard to add multifactor authentication to VPN
connections, ensure that the following are already installed:
•
an external Radius server installed using the instructions provided by the
vendor, if you plan to use a Radius server for first-factor authentication
For details, see the Technical Integration Guide that applies to your VPN
platform.
•
a VPN client and server installed using the instructions provided by the
vendor
Note: If you want to configure your VPN servers to recognize Entrust
IdentityGuard groups, ensure that you create the groups (or at least know what
you are going to name the groups) before installing and configuring the Entrust
IdentityGuard Radius proxy. For more information, see “Configuring the Radius
proxy for groups” on page 175.
The details of Radius use and implementation vary with the platform and provider.
Entrust supports several authentication protocols with Radius for grid authentication:
•
Challenge Handshake Authentication Protocol (CHAP)
•
Microsoft Challenge Handshake Authentication Protocol versions 1 and 2
(MS-CHAP and MS-CHAPv2)
•
Password Authentication Protocol (PAP)
For token authentication, Entrust IdentityGuard supports only PAP. If you configure
the Radius proxy to use external authentication, you must use PAP.
Preparing for installation
Feedback on guide
23
PAP supports the cell replacement properties in the card specification attributes
(cardspec) and temporary PIN attributes (pinspec) of the Entrust IdentityGuard
policies; however, CHAP and MS-CHAP do not. This means that, for example, user
entries are treated as case-sensitive in CHAP.
24
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Installation worksheet
For a full install, ensure you have the following information before installing Entrust
IdentityGuard.
Attention: If you choose to record passwords on this worksheet, remember to
always keep passwords secure. Store this worksheet in a secure place.
Table 3: Installation worksheet
Required information
Value
Which type of install of Entrust
IdentityGuard?
• Entrust IdentityGuard Server with embedded Tomcat
application server on UNIX
• Entrust IdentityGuard Server with embedded Tomcat
application server on Microsoft Windows
• Entrust IdentityGuard Server with an existing application
server on Solaris or AIX
Entrust IdentityGuard Server host
name
UNIX user and group that owns
Entrust IdentityGuard (on
embedded Tomcat application
server on UNIX install only)
Group:
Name:
Password:
Application server user and group Complete “Creating the UNIX group and user” on page 32
that owns the application server (for installation with embedded Tomcat)
(for installations with an existing
application server only).
Entrust IdentityGuard installation
directory. The default is: on UNIX
/opt/entrust; on Windows
c:\Program
Files\Entrust\IdentityGua
rd)
Radius proxy required?
yes or no
Complete “Radius proxy information” on page 28
Location of server trust store
(installs with existing application
server only)
Preparing for installation
Feedback on guide
25
Table 3: Installation worksheet (continued)
Required information
Value
Location of Java directory (installs
with existing application server
only)
Database, Active Directory, or
LDAP directory?
DB, AD, or LDAP
Complete “Database information” on page 27 or “Directory
information” on page 27
Entrust IdentityGuard
Authentication Web service port
number (8080)
Entrust IdentityGuard
Administration Web service port
number (8443)
Installation key
Activation key
Master1 password
Master2 password
Master3 password
Enable sample application?
yes or no
If yes, complete one of:
• “Configuring the sample application on Microsoft
Windows” on page 87 if you are installing on Windows
with the embedded Tomcat server
• “Configuring the sample application on UNIX” on
page 51 if you are installing on UNIX with the embedded
Tomcat server
• “Configuring the sample application on an existing
application server” on page 121 if you are installing on an
existing application server
Sample application administrator1 Name:
Password:
1. If you are using a Directory as your repository, you need to create this user in the Directory prior to installation.
26
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 4: Database information
Database required information
Value
Database driver .jar files.
(Ensure they are copied to the
Entrust IdentityGuard computer.)
Database driver class name
Database URL
Database user
Name:
Password:
Schema name
For a list of applicable .jar files for your database, the JDBC class name, and related
details, see the Entrust IdentityGuard Database Configuration Guide.
For details related to your Directory type, see the Entrust IdentityGuard Directory
Configuration Guide.
Table 5: Directory information
Directory required information
Value
Using the LDAP or LDAPS
protocol?
LDAP or LDAPS
If using LDAPS, copy the certificate to the Entrust
IdentityGuard computer.
LDAP host name
LDAP port number
LDAP base DN
LDAP user DN
DN:
Password:
LDAP policy RDN
LDAP user ID attribute
Preparing for installation
Feedback on guide
27
Table 6: Radius proxy information
Radius proxy required
information
Value
Radius proxy ports
VPN server information
Label:
Host name/IP address:
Port:
Shared secret:
Should VPN servers recognize
Entrust IdentityGuard groups?
yes or no
Entrust IdentityGuard groups for
VPN servers
Will the Radius proxy connect to a
Radius server, domain controller
or LDAP directory?
If the Radius proxy will use a
Radius server, what is the unique
Radius server name?
Unique name:
Host name/IP address:
Port:
Shared secret:
Table 7: External authentication information
Radius proxy required
information
Value
Will Entrust IdentityGuard use an yes or no
LDAP directory or Windows
If yes, answer one of the next two questions.
domain controller for first-factor
authentication?
For a Windows domain controller, Kerberos realm server:
what server will host the Kerberos
Kerberos KDC server:
realm and the Kerberos Key
Distribution Center (KDC)?
28
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 7: External authentication information
Radius proxy required
information
Value
yes or no
For an LDAP directory, Entrust
IdentityGuard must be configured
to use an LDAP repository. Is that
configuration complete?
Preparing for installation
Feedback on guide
29
Installing the token support patch
Follow these steps to install a patch that provides support for Entrust tokens on Linux
or Windows.
1
Download either IG_81_129366.zip (for Windows) or IG_81_129366.tar
(for Linux). See “Downloading Entrust IdentityGuard software” on page 21. If a
newer patch is available, download it instead.
2
To install the patch:
3
•
On Linux, run the patch install script install.sh.
•
On Windows, run the patch installer file, for example IG_81_129366.msp.
Examine the instructions in the “Installation notes” section of the readme.txt
file included with the download. It includes instructions that may be specific to
your system or environment. For example, these instructions include:
•
Deployment instructions for WebSphere and WebLogic.
•
Fixing performance problems that can occur with preproduced cards stored
in a database repository.
•
Instructions on using Oracle Internet Directory as a repository.
The patch automatically sets properties in the identityguard.properties file
related to tokens.
Reconfiguring for third-party tokens
When you run this patch, it sets up Entrust IdentityGuard to use only Entrust tokens.
If you are already using supported Vasco tokens, or plan to use them, you must add
the following entry to the identityguard.properties file after you install this
patch or a later patch:
identityguard.token.impl=
com.entrust.identityGuard.common.token.vasco.VascoTokenManager
To reset the property to use Entrust tokens, change the setting to this:
identityguard.token.impl=
com.entrust.identityGuard.common.token.activIdentity.ActivIdentity
TokenManager
Restart Entrust IdentityGuard for this setting to take effect.
You can configure Entrust IdentityGuard to use Entrust tokens or Vasco tokens, but
not both.
30
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 2
Installing Entrust IdentityGuard
Server with embedded Tomcat
server on UNIX
This chapter provides all the necessary steps to install Entrust IdentityGuard Server
(with the Apache Tomcat application server embedded) on UNIX. Complete the
instructions in this chapter to install, configure, initialize, and test a full install of the
Entrust IdentityGuard Server. Once you complete the full installation, install the latest
patch.
To install the patch that supports Entrust tokens, see “Installing the token support
patch” on page 30.
This chapter contains the following sections:
•
“Creating the UNIX group and user” on page 32
•
“Installing Entrust IdentityGuard Server” on page 33
•
“Configuring the primary Entrust IdentityGuard Server” on page 36
•
“Initializing the primary Entrust IdentityGuard Server” on page 47
•
“Configuring the sample application on UNIX” on page 51
•
“Running the scripts manually” on page 53
•
“Testing your installation” on page 58
•
“Managing the Entrust IdentityGuard service” on page 62
31
Creating the UNIX group and user
Before you install Entrust IdentityGuard Server on UNIX, create the UNIX group and
user that will own the Entrust IdentityGuard installation. In a later step (Step 4 on
page 34), you are asked to name the UNIX group and user that you create here.
Attention: Arrange to have a dedicated user account and group created on the
servers that will host Entrust IdentityGuard. You must use the same account for
any future upgrades and patches.
Note: On Solaris, use lowercase for creating groups and users. For example, use
iggroup and iguser, instead of IGgroup and IGuser.
To create a new UNIX group and user
1
As root, create a new UNIX group. For example, IGgroup:
•
on Linux and Solaris,
groupadd iggroup
2
As root, create a new UNIX user. For example, IGuser. The user is a member of
IGgroup and has a password:
•
on Linux,
useradd -g iggroup -s /bin/bash -p password123 IGuser
•
on Solaris if using c-shell,
•
– useradd -g iggroup -s /usr/bin/csh iguser
– passwd iguser
on Solaris if using b-shell,
– useradd -g iggroup -s /usr/bin/bsh iguser
– passwd iguser
When you run passwd, enter your password at the prompt. For example,
password123.
You have created a UNIX group and user.
Note: Ensure that the user and group that you create here have permissions to
access the directory to which you extracted the IG_81_Linux.tar or the
IG_81_Solaris.tar file.
32
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Installing Entrust IdentityGuard Server
Entrust IdentityGuard Server runs on UNIX and should be installed on a dedicated
machine. Other software products on the same machine can interfere with the
operation of Entrust IdentityGuard.
To install and configure Entrust IdentityGuard, you must have an understanding of
UNIX administration.
Attention: If you are installing Entrust IdentityGuard on Linux, the install
requires the native library file, libstdc++.so.5. Linux Red Hat 4.0 does not
provide this file by default. For further information on downloading this file, see
the Entrust IdentityGuard Release notes.
Note: Before installing Entrust IdentityGuard, ensure that you have completed
the tasks in “Preparing for installation” on page 19.
If you are upgrading your version of Linux, you should do so before installing
Entrust IdentityGuard 8.1.
Linux Red Hat Enterprise 4
When using Linux Red Hat Enterprise 4, you need to include libstdc++.so.5. You
can add this during Linux installation by selecting the Legacy Software Development
package.
If you have installed Linux Red Hat Enterprise 4 and have an X11 Window Manager
such as KDE or Gnome, you can add the library after installation by doing the
following:
1
Select Applications > System Settings > Add/Remove Applications.
2
On the Development tab, select Legacy Software Development.
You are prompted for your Linux installation CD.
If you have installed Linux Red Hat Enterprise 4 without access to an X11 Window
Manager, and you are using the command line interface, you must install the most
recent compat-libstdc++ package (for example,
compat-libstdc++-33-3.2.3-47.3.i386.rpm).
1
Download the most recent package from the Red Hat Web site,
www.redhat.com.
2
To install the package at the command line type
rpm -i <compat-libstdc++-33-3.2.3-47.3.i386.rpm>
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
33
Note: Replace the file name with the one you downloaded from the Red Hat
Web site.
To install Entrust IdentityGuard
1
As root, change to the directory that you extracted the IG_81_Linux.tar or
IG_81_Solaris.tar file to (<download_dir>/IG_81), and run
install.sh by entering:
./install.sh
Note: Cancel out of the script at any time by pressing Ctrl + C.
2
Read through the license carefully, pressing Enter until you reach the end. The
following message appears:
Do you agree to the above license terms? [yes or no]
3
Type yes and press Enter to accept the terms. Otherwise, if you do not agree
with the license, type no and press Enter. The installation will cancel. Contact
Entrust (“Obtaining technical assistance” on page 16).
The following message appears:
Enter the UNIX user name that will own the installation:
4
Type the user name for the UNIX user you created in Step 2 of “Creating the
UNIX group and user” on page 32 and press Enter.
Note: You cannot specify root as the owner.
The following message appears:
Enter the UNIX group name that will own the installation:
5
Enter the name for the UNIX group you created in Step 1 of “Creating the UNIX
group and user” on page 32 and press Enter.
The following message appears:
Enter the install directory (default /opt/entrust):
6
Press Enter to accept the default, or type in another directory location.
Note: If you have a previous installation of Entrust IdentityGuard, the
installation detects the older version and prompts you to upgrade. If you are
installing an upgrade, see the section “Upgrading Entrust IdentityGuard Server
on Linux” on page 299.
34
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Java Runtime license agreement appears.
7
Read through the license carefully, pressing Enter until you reach the end.
8
You are asked to accept the Java Runtime license agreement.
Do you agree to the above license terms? [yes or no]
Type yes and press Enter to accept the terms. Otherwise, if you do not agree
with the license, type no and press Enter. The installation will cancel. Contact
Entrust (“Obtaining technical assistance” on page 16).
The JRE, Java policy files, and the Application server are installed in the
installation directory you entered in Step 6.
The identityguard.zip file is automatically extracted into the directory
$IDENTITYGUARD_HOME, where $IDENTITYGUARD_HOME is usually
/opt/entrust/identityguard81.
9
The installation creates the Entrust IdentityGuard Radius service.
Creating igradius service...
Do you want the Entrust IdentityGuard Radius proxy to start
automatically when the host starts after reboot? [yes or no]
If you answer no, you can enable automatic startup later.
If you wish to enable automatic startup in the future, run the
command "chkconfig igradius reset" when logged on as root.
Note: If you want to configure your VPN servers to recognize Entrust
IdentityGuard groups, you must first install Entrust IdentityGuard and define the
groups. In this case, enter no.
See “Configuring the Entrust IdentityGuard Radius proxy” on page 171 for
further details.
10 When the initial install steps are complete, you are prompted to respond to the
following message:
Installation complete.
Do you want to configure the application now? [yes or no]
•
Answer yes and press Enter to start the configuration tasks. Proceed to
“Configuring the primary Entrust IdentityGuard Server” on page 36.
•
If you answer no, you must run the configure.sh script manually from
the $IDENTITYGUARD_HOME/bin directory before you can use Entrust
IdentityGuard. To do so, proceed to “To run the primary Entrust
IdentityGuard Server configuration manually” on page 53.
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
35
Configuring the primary Entrust
IdentityGuard Server
As part of the installation procedure, you are prompted to configure and initialize
Entrust IdentityGuard. You can choose to complete these configuration steps at the
same time as the installation, or after.
Refer to your installation worksheet (“Installation worksheet” on page 25) when you
complete this section.
Topics in this section:
•
“Starting the Entrust IdentityGuard configuration” on page 36
•
“Adding Directory information to Entrust IdentityGuard” on page 37
•
“Adding Database information to Entrust IdentityGuard” on page 42
•
“Completing the Entrust IdentityGuard configuration” on page 43
Starting the Entrust IdentityGuard
configuration
Complete the following steps to start configuring the primary Entrust IdentityGuard
Server.
To start the Entrust IdentityGuard configuration
1
Respond to the following prompt:
Are you configuring an Entrust IdentityGuard primary or replica
server? (PRIMARY or REPLICA):
•
Primary. If this is your first Entrust IdentityGuard Server installation, answer
primary and continue on with the steps in this procedure.
Note: There can only be one primary server.
•
Replica. If you have already installed an Entrust IdentityGuard Server, and
you want to install more instances, answer replica.
To configure and initialize a replica server, proceed to “Adding Entrust
IdentityGuard replica servers” on page 210.
2
You are asked to indicate whether the user information is stored in an Active
Directory (AD), LDAP, or database (DB) repository.
What type of repository will you use to store Entrust
IdentityGuard information?
36
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
AD - Microsoft(R) Active Directory or Microsoft Active Directory
in Application Mode
LDAP - LDAP-compliant Directory
DB - Database
(AD, LDAP or DB):
•
If you are using an LDAP repository, proceed to “To add LDAP directory
information to Entrust IdentityGuard” on page 37.
•
If you are using an Active Directory or Active Directory Application Mode
(ADAM) repository, proceed to “To add Active Directory (or ADAM)
information to Entrust IdentityGuard” on page 39.
•
If you are using a database repository, proceed to “To add Database
information to Entrust IdentityGuard” on page 42.
Note: You can cancel the script at any time by pressing Ctrl + C.
Adding Directory information to Entrust
IdentityGuard
The following steps sets up Entrust IdentityGuard to communicate with a directory
repository.
The identityguard.properties file is created based on the values you enter.
Follow the appropriate steps:
•
if you are adding a LDAP directory, proceed to “To add LDAP directory
information to Entrust IdentityGuard”
•
if you are adding Active Directory or Active Directory Application Mode,
proceed to “To add Active Directory (or ADAM) information to Entrust
IdentityGuard”
Note: For more information on LDAP and Active Directory configuration, see
the Entrust IdentityGuard Directory Configuration Guide.
To add LDAP directory information to Entrust IdentityGuard
1
Respond to the following prompt:
LDAP CONFIGURATION
Do you wish to use SSL to connect to the LDAP server? [yes or no]
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
37
Type yes and press Enter to add the SSL certificate. If you answer no, proceed to
Step 3 on page 38.
Note: You can enable LDAPS after installation. For instructions, see “Securing
the LDAP connection with SSL” on page 233.
2
If you answered yes, complete the following steps:
a
The following message appears:
In order to verify the SSL connection to the LDAP server,
Entrust IdentityGuard requires that the LDAP server's SSL
certificate or the certificate of the CA that issued it be
imported into its trust store.
The Entrust IdentityGuard trust
store already contains several public root CA certificates.
If
the server's certificate was not issued by a public root you
must import the certificate. If Entrust IdentityGuard cannot
trust the server's certificate, it will be unable to connect to
the LDAP server causing operations including initialization to
fail.
Do you wish to import the LDAP server's SSL certificate? [yes
or no]
Answer yes and press Enter to import the certificate.
For manual instructions on importing the certificate, see “To import the
LDAP SSL certificate” on page 233.
The following message appears:
Enter the filename of the certificate:
b
Enter the path and file name of the LDAPS certificate.
c
The installer displays the details of the certificate. If they are correct, respond
with yes to the prompt that asks if you wish to trust the certificate.
<certificate information>
Trust this certificate? [no]:
yes
Certificate was added to keystore.
3
At the following prompt, enter the host name or IP address of the computer
hosting the directory.
Enter the LDAP host (ex: identityguard.anycorp.com):
4
38
Enter the port number of the directory.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Enter the LDAP port number (default is 389):
The default port for LDAPS is 636.
5
Enter the LDAP base DN (the DN under which all Entrust IdentityGuard entries
are found).
Enter the LDAP base DN (ex: dc=anycorp,dc=com):
Note: See the Entrust IdentityGuard Directory Configuration Guide for more
information on directory configuration. It includes information on setting the DN,
RDN, and LDAP user name for several popular directories.
6
Enter the LDAP user DN information at the following prompts. The LDAP user
DN and password define the credentials used by Entrust IdentityGuard to
connect to the repository.
Enter the LDAP user DN (ex: cn=Directory Manager):
This is an existing LDAP user DN.
Enter the LDAP password:
Confirm:
This is an existing LDAP password.
7
At the following prompt, enter the RDN of the entry that Entrust IdentityGuard
should use to store its policy information.
The LDAP policy RDN defines the entry in the LDAP repository used
to store Entrust IdentityGuard policy information. The entry must
already exist. Enter the LDAP policy RDN (ex: uid=policy):
The RDN is the prefix that when joined with the base DN, comprises the full DN
of the policy object.
8
At the following prompt, enter the attribute that uniquely identifies Entrust
IdentityGuard users.
The LDAP user name is the attribute that uniquely identifies
Entrust IdentityGuard users. Entrust IdentityGuard uses this
attribute to find entries in the repository. Enter the LDAP user
name attribute (ex: uid):
Proceed to “To complete the configuration script” on page 43.
To add Active Directory (or ADAM) information to Entrust
IdentityGuard
1
Respond to the following prompt:
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
39
MICROSOFT ACTIVE DIRECTORY CONFIGURATION
Do you wish to use SSL to connect to the Microsoft Active
Directory server? [yes or no]
Type yes and press Enter to add the SSL certificate. If you answer no, proceed to
Step 3 on page 40.
2
If you answered yes, complete the following steps:
The following message appears:
In order to verify the SSL connection to the Microsoft Active
Directory server, Entrust IdentityGuard requires that the
Microsoft Active Directory server's SSL certificate or the
certificate of the CA that issued it be imported into its trust
store.
The Entrust IdentityGuard trust store already contains
several public root CA certificates.
If the server's certificate
was not issued by a public root you must import the certificate.
If Entrust IdentityGuard cannot trust the server's certificate, it
will be unable to connect to the Microsoft Active Directory server
causing operations including initialization to fail.
Do you wish to import the Microsoft Active Directory server's SSL
certificate? [yes or no]
a
Answer yes and press Enter to import the certificate.
The following message appears:
Enter the filename of the certificate:
b
Enter the path and file name of the Active Directory certificate.
c
The installer displays the details of the certificate. If they are correct, respond
with yes to the prompt that asks if you wish to trust the certificate.
<certificate information>
Trust this certificate? [no]:
yes
Certificate was added to keystore
3
At the following prompt, enter the host name or IP address of the computer
hosting the directory.
Enter the Microsoft Active Directory host (ex:
identityguard.anycorp.com):
4
Enter the port number of the directory.
Enter the Microsoft Active Directory port number (default is 636):
40
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
5
Enter the Active Directory base DN (the DN under which all Entrust IdentityGuard
entries are found).
Enter the Microsoft Active Directory base DN (ex:
dc=anycorp,dc=com):
Note: Entrust IdentityGuard configuration automatically converts spaces in the
Active Directory base DN to %20. If you edit the Active Directory base DN after
installation in the identityguard.properties file, remember to replace
spaces with %20.
6
Enter the Active Directory user DN information at the following prompts. The
Active Directory user DN and password define the credentials used by Entrust
IdentityGuard to connect to the repository.
Enter the Microsoft Active Directory user DN (ex:
cn=Administrator,cn=Users,dc=anycorp,dc=com):
This is an existing Active Directory user DN.
Enter the Microsoft Active Directory password:
Confirm:
This is an existing Active Directory password.
7
At the following prompt, enter the RDN of the entry that Entrust IdentityGuard
should use to store its policy information.
The policy RDN defines the entry in the Microsoft Active Directory
repository used to store Entrust IdentityGuard policy information.
The entry must already exist. Enter the Microsoft Active Directory
policy RDN (ex: cn=igpolicy,cn=Users):
The RDN is the prefix that when joined with the base DN, comprises the full DN
of the policy object.
8
At the following prompt, enter the attribute that uniquely identifies Entrust
IdentityGuard users.
The Microsoft Active Directory user name is the attribute that
identifies Entrust IdentityGuard users. Entrust IdentityGuard uses
this attribute to find entries in the repository. Enter the
Microsoft Active Directory user name attribute (ex:
sAMAccountName):
Proceed to “To complete the configuration script” on page 43.
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
41
Note: Use sAMAccountName for Active Directory. Use CN (common name) or
uid for ADAM. See the Entrust IdentityGuard Directory Configuration Guide for
more information on Active Directory and Active Directory Application Mode
configuration.
Adding Database information to Entrust
IdentityGuard
The following steps sets up Entrust IdentityGuard to communicate with a database
repository.
The identityguard.properties file is created based on the values you enter.
Note: For more information on database configuration, see the Entrust
IdentityGuard Database Configuration Guide. It includes information on the
drivers, classes, and database URLs used with three common databases.
To add Database information to Entrust IdentityGuard
1
Respond to the following prompt:
DATABASE CONFIGURATION
Enter the database type (Oracle, DB2, SQLServer, Other):
Type the database you are using and press Enter.
The following message appears:
Enter the JDBC driver JAR file name:
2
Enter the path of the JDBC driver file (for example, /temp/ojdbc14.jar).
Ensure the file permissions on this file allow the Entrust IdentityGuard user
(“Creating the UNIX group and user” on page 32) to read and execute it.
Note: Some databases require multiple .jar files. You can add other files in a
later step.
3
At the following prompt, enter the JDBC driver class that Entrust IdentityGuard
should use, (for example, oracle.jdbc.driver.OracleDriver).
Enter the JDBC driver class name:
The following message appears:
Are there any other JDBC JAR files to be installed? [yes or no]
42
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
4
If your database requires multiple JDBC driver files, type yes and press Enter. You
are prompted to enter more file names. If your database only requires one file,
type no and press Enter to continue.
The following message appears:
Enter the DB URL:
5
Type the database URL Entrust IdentityGuard requires to connect to the database
server and press Enter.
6
Provide Entrust IdentityGuard with the database administrator information. This
database administrator was created to own the Entrust IdentityGuard database
and schema.
a
At the following prompt, type the database administrator user name:
Enter the DB user name:
b
At the following prompts, type and confirm the database administrator
password:
Enter the DB password:
Confirm:
The following message appears:
Enter the DB schema name:
7
Type the schema name for your database.
In some databases (for example, Oracle), the schema is automatically named
with the user name associated with it. For these databases, type the database
administrator user name.
Completing the Entrust IdentityGuard
configuration
The following steps complete the initial configuration of Entrust IdentityGuard.
You are prompted for the ports that the Application server should use. Client
applications—through the Authentication API—communicate with the Entrust
IdentityGuard Authentication service to perform challenge retrieval and response
validation. The API communicates with Entrust IdentityGuard using SOAP over
HTTP/HTTPS. The following prompts define the ports that Entrust IdentityGuard
services listens on.
To complete the configuration script
1
Enter a value for each, or leave it blank and press Enter to accept the default value
at the prompts.
APPLICATION SERVER CONFIGURATION
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
43
a
Enter the Authentication Service HTTP port number (default
is 8080):
b
Enter the Authentication Service HTTPS port number
(default is 8443):
The Entrust IdentityGuard Authentication service and the Entrust
IdentityGuard sample application are deployed at both the HTTP and HTTPS
ports.
c
Enter the Administration Service HTTPS port number
(default is 8444):
This is the port that administration applications use to connect to the
Administration service when using SSL (HTTPS). This port is only used for
remote administration of Entrust IdentityGuard.
A self-signed SSL certificate and private key are created to protect the HTTPS
connections to the Authentication service and Administration service. This
certificate includes the host name of the Entrust IdentityGuard Server in its
distinguished name (DN) and uses the RSA-1024 algorithm.
Optionally, you can replace this certificate after configuration. See the
section “Changing the Entrust IdentityGuard certificate” on page 235 for
instructions.
Note: Ensure the host name that you use in the service URLs matches the host
name in the SSL certificate.
2
You are prompted to confirm the host name used in the service URLs and the SSL
certificate:
Entrust IdentityGuard will create a self-signed certificate for
SSL communication.
The hostname to be used in the service URLs and the SSL
certificate is <hostname>.
Do you want to use this hostname? [yes or no]
3
Enter yes to use this host name or enter no to choose another host name.
a
You are prompted to set the lifetime of the self-signed certificate:
Enter the lifetime in days of the certificate (default is 365):
Enter a new value, or leave it blank and press Enter to accept the default
value of 365 days.
The location of the certificate appears after you press Enter. Entrust
IdentityGuard automatically exports a copy of the self-signed certificate to a
file. The name and location of the file appears after you press Enter. Within
44
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
the keystore, the self-signed certificate and private key are stored under the
alias “tomcat.”
4
You are prompted to configure Entrust IdentityGuard logs:
LOG CONFIGURATION
a
The following question appears:
Should Entrust IdentityGuard log to files or syslog [FILE or
SYSLOG]:
If you answer file, Entrust IdentityGuard displays the location of the files
and configuration is complete.
b
If you answer syslog, logs are logged to Syslog. Entrust IdentityGuard
prompts you for the host name.
Enter the syslog host name (default is localhost):
Ensure that Syslog on this host is configured to accept Entrust IdentityGuard
logs. For more information, see the section “Configuring Syslog for remote
logging on UNIX” on page 226.
The following message appears:
Do you want to configure the Entrust IdentityGuard Radius
Proxy? [yes or no]
5
6
Do one of the following:
•
If you plan to use a Radius server for first-factor authentication and are not
using VPN groups, enter yes. Proceed to Step 4 in “To configure the Radius
proxy on UNIX” on page 180.
•
If you plan to use a Radius server for first-factor authentication and you want
to configure your VPN servers to recognize Entrust IdentityGuard groups,
you need to first complete the configuration and initialization of Entrust
IdentityGuard and define the groups. In this case, enter no.
•
If you plan to use a Windows domain controller or LDAP directory for
first-factor authentication, enter yes. Follow the instructions under “Using
Entrust IdentityGuard groups with a VPN server” on page 175.
•
Otherwise, enter no.
When you finish the configuration procedure, respond to the following message:
Configuration complete.
Do you wish to initialize the primary system? [yes or no]
•
Enter yes and press Enter to start the initialization tasks. Proceed to
“Initializing the primary Entrust IdentityGuard Server” on page 47.
•
If you enter no, you must run the init command in the supersh command
shell from the $IDENTITYGUARD_HOME/bin directory before you can use
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
45
Entrust IdentityGuard. Proceed to “To initialize the primary Entrust
IdentityGuard Server manually” on page 53.
46
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Initializing the primary Entrust
IdentityGuard Server
Read this section for instructions on initializing the primary Entrust IdentityGuard
Server in your system.
Topics in this section:
•
“What initialization does” on page 47
•
“If initialization fails” on page 47
•
“Initializing the primary server” on page 48
What initialization does
Initialization creates master keys and the various policy structures. The
identityguard.properties file specifies two files that are used to store the
keys that protect the repository and the master users. The files that store this
information are:
•
Entrust IdentityGuard master keys file (masterkeys.enc)—a file
containing the encryption keys that protect the repository.
•
Entrust IdentityGuard key protection file (masterkeys.kpf)—a file
containing an obfuscation key which is used to encrypt the three master user
passwords that are stored in the file.
The contents of the master keys file can be unlocked by a master user. The contents
of the key protection file provide access to the master user passwords. This access can
then be used to unlock the master keys file.
If initialization fails
The most likely causes of an initialization failure are:
•
The Entrust IdentityGuard properties file contains invalid values. To resolve
this, go to
$IDENTITYGUARD_HOME/etc/identityguard.properties and
edit the file.
•
Your repository is not configured correctly to work with Entrust
IdentityGuard.
•
The repository is not running.
For more information on Entrust IdentityGuard error messages, see Entrust
IdentityGuard Error Messages included with your documentation package.
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
47
Initializing the primary server
This section provides the steps necessary to initialize the primary server.
Attention: As previously stated, if you are installing Entrust IdentityGuard on
Linux, the install requires the native library file, libstdc++.so.5. Ensure that
you have this file for initializing the system. Linux Red Hat 4.0 does not provide
this file by default.
If you are initializing a replica server, see “Managing the Entrust IdentityGuard
service” on page 62.
To initialize the primary Entrust IdentityGuard Server during
installation
1
Respond to the following message:
PRIMARY SYSTEM INITIALIZATION
If you are reinstalling Entrust IdentityGuard, the following prompt appears:
An existing system has been detected. Overwriting an existing
system will mean the existing data can no longer be accessed. Are
you sure you want to overwrite the existing system? (y/n) [n]:
Attention: If you are using an LDAP repository, and you run init
-overwrite, you must first manually remove the fpcr folder located at
$IDENTITYGUARD_HOME/etc/fpcr/ and the ftkr folder located at
$IDENTITYGUARD_HOME/etc/ftkr.
Attention: If you reinitialize an Entrust IdentityGuard system by running init
-overwrite, you must first replace any encrypted values in the
identityguard.properties file with cleartext values because Entrust
IdentityGuard cannot decrypt the old values once the reinitialization is
performed. See the section “Editing property values” on page 257.
When you answer y, the command init -overwrite runs automatically.
The init command:
48
•
generates a new master key and stores it in the master keys file
•
generates the key protection file
•
initializes default policy settings
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
If you answer n, or if initialization fails, you must run the init command in the
master user shell (supersh) at a later time. For steps for initializing manually, see
the section “To initialize the primary Entrust IdentityGuard Server manually” on
page 53.
Note: Cancel out of the script at any time by pressing Ctrl + C.
The following messages appear:
Enter install key:
Enter activation key:
2
Enter the installation key and the activation key you received from Entrust. Once
the activation key is validated, masters keys are then generated.
Attention: The two master keys files are created in
$IDENTITYGUARD_HOME/etc. After initialization, back up masterkeys.enc.
If this file is lost, the system cannot be recovered. See the system restore
procedure in “Restoring Entrust IdentityGuard from a backup” on page 250.
Do not back up the key protection file (masterkeys.kpf). The
masterkeys.kpf file is unique to each server.
3
Type the three master user passwords for the user names—Master1, Master2,
and Master3.
The passwords must meet the following criteria:
•
be over eight characters in length
•
contain upper and lowercase characters
•
contain a numerical value
The following prompts are displayed:
Enter a new password for Master1.
Password:
Confirm:
Enter a new password for Master2.
Password:
Confirm:
Enter a new password for Master3.
Password:
Confirm:
4
When you have finished creating passwords, the following message appears:
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
49
System initialized.
Do you wish to setup the sample application [yes or no]
50
•
Enter yes to configure the sample application. Proceed to “Configuring the
sample application on UNIX” on page 51.
•
If you enter no, you can optionally configure the sample application later.
Proceed to “Testing your installation” on page 58.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the sample application on
UNIX
Entrust IdentityGuard provides a sample application that includes user registration
functionality as well as various authentication samples. This sample requires an
administrator user name and password. If you are using a directory, you must create
the administrator before configuring the sample application.
For more information on the sample application, see “Using the sample Web
application” on page 305 or see the Entrust IdentityGuard Administration Guide.
Attention: The sample administrator password is stored in clear text in the file
$IDENTITYGUARD_HOME/etc/igsample.properties. For security reasons,
disable the sample application when you are not using it.
The configsample.sh script creates the following:
•
a role called samplerole
•
a policy called samplepolicy
•
a group called samplegroup
•
an administrator in the samplegroup (the administrator has access to the
samplegroup)
•
an igsample.properties file
If you are configuring the sample application manually, see “To enable the sample
application manually” on page 52.
To configure the sample application
1
You are prompted to enter the user name for the sample administrator:
Enter adminid for sample administrator:
2
You are prompted to enter and confirm a password:
Enter password for sample administrator:
Confirm:
The password must meet the following criteria:
3
•
be over eight characters in length
•
contain upper and lowercase characters
•
contain a numerical value
Log in as a master user to complete the setup.
You are prompted for a master user name and password:
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
51
Userid:
Password:
4
When you are finished setting up the sample, the following message appears:
Setup of Entrust IdentityGuard sample successful.
5
You are prompted to enable the sample.
Do you want to enable the sample service? [yes or no]
If you answer yes, the sample is enabled.
If you answer no, the sample is disabled. You can manually enable the sample
later.
6
Once you have enabled the sample application, it is running and you can use it.
Proceed to “Using the sample Web application” on page 305 to start Entrust
IdentityGuard and test your installation.
To enable the sample application manually
1
From $IDENTITYGUARD_HOME, enter
. ./env_settings.sh
(Include a space between the two periods in the command.)
2
Enter
identityguard.sh enable sample
To disable the sample application manually
1
From $IDENTITYGUARD_HOME, enter:
. ./env_settings.sh
(Include a space between the two periods in the command.)
2
Enter
identityguard.sh disable sample
52
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Running the scripts manually
If you did not run the scripts during the installation procedure, you have the option
to manually run the configuration and initialization scripts.
To run the primary Entrust IdentityGuard Server configuration
manually
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 34.
2
Change to $IDENTITYGUARD_HOME (default is
/opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Run the configure.sh script.
If you have previously configured Entrust IdentityGuard, the following message
appears:
An identityguard.properties file exists. If you continue, this
file will be overwritten.
Do you want to continue? [yes or no]
5
Type yes and continue from Step 1 of the “To start the Entrust IdentityGuard
configuration” on page 36.
To initialize the primary Entrust IdentityGuard Server manually
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 34.
2
Change to $IDENTITYGUARD_HOME (usually
/opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
53
Note: You can view copyright and version information at any time by entering
version
at the command prompt.
5
Enter
init <optionalvalues>
where <optionalvalues> are listed in the table below:
Values
Description
-sernum
To start card serial numbers at a specific number, enter:
init -sernum <num>
where <num> is a positive integer.
Defaults to 1 if not specified.
Use this option if you are adding additional cards to your
system. For example, if you have previously loaded 350
cards, enter:
init -sernum 351
-overwrite
If the system was initialized previously, this command
overwrites the existing data.
You are prompted to confirm that you want existing data
to be overwritten.
Attention: If you are using an LDAP repository, and you run
init -overwrite, you must first manually remove the
fpcr folder located at
$IDENTITYGUARD_HOME/etc/fpcr/.
Attention: If you reinitialize an Entrust IdentityGuard
system by running init -overwrite, you must first
replace any encrypted values in the
identityguard.properties file with cleartext values
because Entrust IdentityGuard cannot decrypt the old
values once the reinitialization is performed. See the section
“Editing property values” on page 257.
-force
54
If you use the -force option, you are not prompted for
confirmation.
6
Complete Step 2 and Step 3 on page 49.
7
Type exit to leave the command shell.
8
Check the log files for errors. If you chose to log to files when you installed
Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
To configure the sample application
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 34.
2
Change to $IDENTITYGUARD_HOME (usually
/opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Run the configsample.sh script.
5
You are prompted to enter the user name for the sample administrator:
Enter adminid for sample administrator:
6
You are prompted to enter and confirm a password:
Enter password for sample administrator:
Confirm:
The password must meet the following criteria:
7
•
be over eight characters in length
•
contain upper and lowercase characters
•
contain a numerical value
Log in as a master user to complete the setup.
You are prompted for a master user name and password:
Userid:
Password:
When you are finished setting up the sample, the following message appears:
Setup of Entrust IdentityGuard sample successful.
8
You are prompted to enable the sample.
Do you want to enable the sample service? [yes or no]
If you answer yes, the sample is enabled.
If you answer no, the sample is disabled. You can manually enable the sample
later.
Once you have enabled the sample application, it is running and you can use it.
To make changes to the sample Web application configuration
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 34.
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
55
2
Change to $IDENTITYGUARD_HOME (usually
/opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
5
Log in as a master user. For example,
Master1
6
If you have previously configured the sample, delete each of the following
individually:
•
sample administrator
•
sample group
•
sample role
•
sample policy
To do so:
a
Run the delete command for each. For example,
admin delete sample/SampleAdmin1
Note: Use the list command to list sample administrators, groups, roles, and
policies, so that you can see which ones to delete. For example, use admin list
to list all the sample administrators that have already been created. Use group
list to list the sample groups that exist, and so on.
b
Answer yes to confirm the delete.
Are you sure you wish to delete the admin? (y/n) [n]:
7
Type exit to exit the master user shell and return to the command-line.
8
Enter the following command to start configuring the sample:
configsample.sh
You are warned that the igsample.properties file already exists. For
example:
/opt/entrust/identityguar81/etc/igsample.properties file already
exists. Do you wish to continue? [yes or no]
9
56
Answer yes.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
10 Follow the steps in “To configure the sample application” on page 51.
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
57
Testing your installation
This section provides testing steps that determine whether your installation is working
properly. It assumes you have completed the installation, configuration, and
initialization tasks.
To test your installation
1
Check the log files for errors. If you chose to log to files when you installed
Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs.
2
Start the Entrust IdentityGuard Server as the Entrust IdentityGuard application
owner. For instructions, see “Starting and stopping Entrust IdentityGuard” on
page 62.
3
Check whether all Entrust IdentityGuard services are running as expected. Enter:
igservice.sh all status
The following is an example of the status report when all services are running:
Entrust IdentityGuard (pid 1247) is running...
Authentication V1 service at
http://<hostname>:8080/IdentityGuardAuthService/
services/AuthenticationService
is available.
Authentication V2 service at
http://<hostname>:8080/IdentityGuardAuthService/
services/AuthenticationServiceV2
is available.
Sample application is enabled.
Sample application at
https://<hostname>:8444/IdentityGuardSampleApp
is available.
Administration V1 service at
https://<hostname>:8444/IdentityGuardAdminService/
services/AdminService
is available.
Administration V2 service at
https://<hostname>:8444/IdentityGuardAdminService/
services/AdminServiceV2
58
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
is available.
Administration interface at
https://<hostname>:8444/IdentityGuardAdmin
is available.
Entrust IdentityGuard Radius (pid 1275) is running...
The following is an example of the output when there are no services running
(only the sample application is enabled):
Entrust IdentityGuard (pid 13267) is not running...
Sample application is enabled.
Entrust IdentityGuard Radius (pid 1275) is not running...
4
Ensure that you can log in to the Administration webservice.
a
Create an administrator account or use the sample administrator account, if
you have configured the sample application.
For information on creating an administrator, see the Entrust IdentityGuard
Administration Guide.
b
Open a browser and enter the following URL:
https://<FQDN>:<port>/IdentityGuardAdmin
where:
– <FQDN> is the Entrust IdentityGuard host name.
– <port> is the Administration webservice port (default 8444).
Note: If you cannot access the Entrust IdentityGuard services (administration or
authentication), verify that firewall rules are not blocking the HTTPS ports (by
default 8443 and 8444).
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
59
60
c
At the login page, enter the administrator user name and password.
Optionally, enter the group name, if the user does not belong to the default
group.
d
You are prompted to change the administrator password. (There will be no
prompt if you are using an account that has already logged in, such as the
sample account created earlier in “To configure the sample application” on
page 51.)
e
Follow the rules on the screen to change the administrator password.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Entrust IdentityGuard Administration interface appears:
5
Optionally, test the sample application. To do so, follow the steps in “Using the
sample Web application” on page 305.
You have completed testing of the Entrust IdentityGuard installation.
You can now:
•
complete various advanced configuration tasks (“Postinstall configuration
options for Entrust IdentityGuard Server” on page 201 and “Configuring the
Entrust IdentityGuard Server properties file” on page 255) such as adding
replica Entrust IdentityGuard Servers to your system
•
set up Entrust IdentityGuard by adding policies, groups, users, authentication
methods, and so on (see the Entrust IdentityGuard Administration Guide)
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
61
Managing the Entrust IdentityGuard
service
Complete the following steps to start, stop, check the status, or restart the Entrust
IdentityGuard service. You have the option of using either the identityguard.sh
command, or the UNIX service command.
Topics in this section:
•
“Starting and stopping Entrust IdentityGuard” on page 62
•
“Starting and stopping Entrust IdentityGuard with the UNIX service
command” on page 63
•
“Enabling and disabling individual Entrust IdentityGuard services” on
page 64
Starting and stopping Entrust IdentityGuard
The identityguard.sh command enables you to start, stop, restart, and query
the status of the Entrust IdentityGuard service.
Note: If you are root, you cannot start Entrust IdentityGuard using
identityguard.sh start, igradius.sh start, or the igservice
start commands. To stop the Entrust IdentityGuard service, you must be the
user who started the service.
To start and stop Entrust IdentityGuard using identityguard.sh
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 34.
2
From $IDENTITYGUARD_HOME, enter
. ./env_settings.sh
3
To start, stop, restart, or query the status of the Entrust IdentityGuard service,
enter
identityguard.sh
followed by one of the options in Table 8:
62
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 8: Starting and stopping Entrust IdentityGuard
Command
Description
start
Starts the Entrust IdentityGuard service.
You can also start the Entrust IdentityGuard service by
entering igstartup.sh
Entrust IdentityGuard generates audits that indicate if the
services have started successfully or failed to start. You
will not see an error message if the service fails to start.
stop
Stops the Entrust IdentityGuard service.
You can also stop the Entrust IdentityGuard service by
entering igservice.sh identityguard stop
status
Tells you if the Entrust IdentityGuard service is running. If
the service is running, the process ID number appears.
restart
Stops and restarts the Entrust IdentityGuard service.
When you change some settings in the
identityguard.properties file, you must restart
the service so that the server recognizes the new settings.
Note: Once IdentityGuard is installed, the service is started automatically when
you reboot.
Starting and stopping Entrust IdentityGuard
with the UNIX service command
You can also start and stop the Entrust IdentityGuard services using the UNIX
service command. If these commands are run as root, they start the service as the
UNIX user ID that installed Entrust IdentityGuard.
To start and stop Entrust IdentityGuard with the Linux service
command
1
To start, stop, restart, or query the status of the Entrust IdentityGuard service,
enter
service identityguard
followed by one of the options shown in Table 9:
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
63
Table 9: Linux service command
Command
Description
start
Starts the Entrust IdentityGuard service.
IdentityGuard generates audits that indicate if the
services have started successfully or failed to start. You
will not see an error message if the service fails to start.
stop
Stops the Entrust IdentityGuard service.
status
Tells you if the Entrust IdentityGuard service is running. If
the service is running, the process ID number appears.
restart
Stops and restarts the Entrust IdentityGuard service.
Changes to some settings in
identityguard.properties require a restart so that
the server recognizes the new settings.
Enabling and disabling individual Entrust
IdentityGuard services
You can use the manual command identityguard.sh to enable and disable the
following Entrust IdentityGuard individual services:
•
administration service
•
Administration interface
•
sample
To enable Entrust IdentityGuard manually using identityguard.sh
1
From $IDENTITYGUARD_HOME, enter:
. ./env_settings.sh
(Include a space between the two periods in the command.)
2
Enter
identityguard.sh enable adminservice|admininterface|sample
For example, to enable the administration service, use the command
identityguard.sh enable adminservice
To disable the Entrust IdentityGuard manually using identityguard.sh
1
64
From $IDENTITYGUARD_HOME, enter
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
. ./env_settings.sh
(Include a space between the two periods in the command.)
2
Enter
identityguard.sh disable adminservice|admininterface|sample
For example, to disable the Administration interface, use the command
identityguard.sh disable admininterface
You can also use the Entrust IdentityGuard igsvcconfig.sh command to enable
or disable Entrust identityGuard.
To enable Entrust IdentityGuard manually using igsvcconfig.sh
•
As root in $IDENTITYGUARD_HOME/bin enter
./igsvccongif.sh identityguard enable
To disable the Entrust IdentityGuard manually igsvcconfig.sh
•
As root in $IDENTITYGUARD_HOME/bin enter
./igsvccongif.sh identityguard disable
Installing Entrust IdentityGuard Server with embedded Tomcat server on UNIX
Feedback on guide
65
66
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 3
Installing Entrust IdentityGuard
Server with embedded Tomcat
server on Microsoft Windows
This chapter provides all the necessary steps to install Entrust IdentityGuard Server
(with Apache Tomcat application server embedded) on Microsoft Windows.
Complete the instructions in this chapter to unzip and run the Entrust IdentityGuard
Installation wizard. Once you complete the full installation, install the latest patch.
To install the patch that supports Entrust tokens, see “Installing the token support
patch” on page 30.
This chapter contains the following information:
•
“Installing Entrust IdentityGuard Server” on page 68.
•
“Configuring the primary Entrust IdentityGuard Server” on page 70
•
“Initializing the primary Entrust IdentityGuard Server” on page 83
•
“Configuring the sample application on Microsoft Windows” on page 87
•
“Testing your installation” on page 89
•
“Managing the Entrust IdentityGuard service” on page 94
67
Installing Entrust IdentityGuard Server
Install Entrust IdentityGuard Server on a dedicated machine. Other software products
on the same machine can interfere with the operation of Entrust IdentityGuard.
Attention: Arrange to have a dedicated account and group created on the
servers that will host Entrust IdentityGuard. You must use the same account for
any future upgrades and patches.
Note: Before installing Entrust IdentityGuard, ensure that you have completed
the tasks in “Preparing for installation” on page 19. Also, exit all Windows
programs before running the Entrust IdentityGuard Installation wizard to prevent
any conflicts in resources.
To install Entrust IdentityGuard Server
1
Change to the directory in which you extracted the Entrust IdentityGuard Server
for Windows installation package.
2
Double-click the IG_81_Windows.msi installer.
The Entrust IdentityGuard Installation wizard opens.
3
Click Next on the Entrust IdentityGuard Installation wizard Welcome page to
begin installation.
Note: If you are not prepared to install, click Cancel at any time to exit. Click
Back to re-enter previous information.
4
Read the license agreement for Entrust IdentityGuard software carefully, select I
accept the licence agreement, and then click Next.
If you do not agree with the license, select I do not accept the license agreement.
The installation cannot continue. Contact Entrust (“Obtaining technical
assistance” on page 16).
5
Read the licence agreement for Sun Microsystems, Inc. carefully, select I accept
the licence agreement, and then click Next.
If you do not agree with the license, select I do not accept the license agreement.
The installation cannot continue. Contact Entrust (“Obtaining technical
assistance” on page 16).
6
68
Click Next to accept the default destination folder for the Entrust IdentityGuard
installation (C:\Program Files\Entrust\IdentityGuard\). Alternatively,
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
click Browse to select your own destination location and then click Next to accept
it.
7
Click Next to install Entrust IdentityGuard.
8
Click Finish to exit the installation.
The Entrust IdentityGuard Configuration Panel appears. Proceed to “Configuring
the primary Entrust IdentityGuard Server” on page 70.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
69
Configuring the primary Entrust
IdentityGuard Server
As part of the installation procedure, you are prompted to configure and initialize
Entrust IdentityGuard Server using the configuration panel.
Refer to your installation worksheet (“Installation worksheet” on page 25) when you
complete this section.
Topics in this section:
•
“Starting the Entrust IdentityGuard Configuration wizard” on page 70.
•
“Selecting your repository settings” on page 72
•
“Selecting Entrust IdentityGuard service ports” on page 79
•
“Selecting your system host name” on page 81
•
“Completing Entrust IdentityGuard configuration” on page 82
Using the Configuration Panel
The Configuration Panel includes the following features:
•
The main page of the Configuration Panel contains help sections. Click
Find Out More beside any option for helpful tips.
•
You can maneuver through the options and buttons on the main page using
the Tab key.
•
Hot keys are available on the procedural pages. When you hold down the Alt
key, one letter on each option or button displays an underline. With the Alt
key still depressed, enter one of the underlined letters to navigate directly to
that option or button.
•
During any procedure, click Cancel at any time to exit. Click Back to re-enter
any previous information.
Starting the Entrust IdentityGuard
Configuration wizard
To configure Entrust IdentityGuard, use the Entrust IdentityGuard Configuration
wizard.
The Entrust IdentityGuard Configuration wizard is located on the Entrust
IdentityGuard Configuration Panel, which appears immediately after running the
Entrust IdentityGuard Installation wizard.
70
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
To start the Entrust IdentityGuard Configuration wizard
1
Launch the Entrust IdentityGuard Configuration Panel, if it is not open.
Open the Configuration Panel by clicking Start > All Programs > Entrust >
IdentityGuard > Configuration Panel.
2
From the Entrust IdentityGuard Configuration Panel, select Primary as your
system type.
Attention: You can only have one primary Entrust IdentityGuard Server. If you
are configuring another Entrust IdentityGuard Server as a replica, see “Adding
Entrust IdentityGuard replica servers” on page 210.
3
Select Configure Entrust IdentityGuard to start the Entrust IdentityGuard
Configuration wizard.
The Entrust IdentityGuard Configuration wizard Welcome page appears.
4
Click Next to begin your Entrust IdentityGuard configuration.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
71
Note: Click Back if you need to re-enter information on a previous page. No
information will be lost. You may click Cancel or close the Entrust IdentityGuard
Configuration wizard window at any time to exit the configuration process;
however, all configurations will be lost.
Selecting your repository settings
Select a repository to store and retrieve your Entrust IdentityGuard data.
To select your repository settings
1
72
On the Repository Settings page, select the repository. There are three choices:
•
Microsoft Active Directory. Proceed to “To use Active Directory as your
repository” on page 73 for the configuration procedure. See the Entrust
IdentityGuard Directory Configuration Guide before you begin this process.
It contains detailed information on the DN, RDN, and user attribute.
•
LDAP. Proceed to “To use an LDAP directory as your repository” on page 75
for the configuration procedure. See the Entrust IdentityGuard Directory
Configuration Guide before you begin this process.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
•
2
Database. Proceed to “To use a database as your repository” on page 77 for
the configuration procedure. See the Entrust IdentityGuard Database
Configuration Guide before you begin this process.
Click Next.
To use Active Directory as your repository
1
Under Microsoft Active Directory Server SSL Configuration, select Yes or No
depending on whether you want to secure Entrust IdentityGuard’s
communications with your Active Directory server by using SSL.
•
If you select Yes, click Browse to import your SSL certificate and then click
Next.
Entrust IdentityGuard verifies your SSL connection to the Active Directory
server by adding your imported certificate to its trust store. If the certificate
cannot be trusted, Entrust IdentityGuard cannot connect to the directory.
•
If you select No, click Next.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
73
2
Under Microsoft Active Directory Server Connection Information, do the
following:
a
Enter the following information into the respective fields:
– Microsoft Active Directory host name
– Microsoft Active Directory server port
– Microsoft Active Directory user DN
– Microsoft Active Directory password
– Confirm password
Once you enter this information, click Test Connection. Entrust
IdentityGuard performs a query and informs you if there is a successful
connection to the repository.
Note: If the connection attempt fails, you can still proceed to the next step in
the configuration process by clicking Next. However, all fields must be filled and
passwords must match.
b
3
74
Click Next to perform the host name validation check. If the host name
cannot be validated, a warning message gives you the option to proceed
with the configuration or enter the server connection information.
On the Microsoft Active Directory Server Settings page:
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
a
Enter the following information into the respective fields:
– Microsoft Active Directory base DN
– Policy RDN
– Microsoft Active Directory userid attribute
See the Entrust IdentityGuard Directory Configuration Guide for detailed
information on the DN, RDN, and user attribute.
b
4
Click Next.
Proceed to “Selecting Entrust IdentityGuard service ports” on page 79 to
continue your Entrust IdentityGuard configuration.
To use an LDAP directory as your repository
1
Under LDAP Server SSL Configuration, select Yes or No depending on whether
you want to secure Entrust IdentityGuard’s communications with your LDAP
server by using SSL.
•
If you select Yes, click Browse to import your SSL certificate and then click
Next.
Entrust IdentityGuard verifies your SSL connection to the LDAP server by
adding your imported certificate to its trust store. If you select Yes when you
browse for and select a certificate, a warning message displays the certificate
details and prompts you to proceed.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
75
Note: If the certificate cannot be trusted, Entrust IdentityGuard cannot connect
to the server.
•
2
If you select No, click Next.
Under LDAP Server Connection Information (see the Entrust IdentityGuard
Directory Configuration Guide for more information), do the following:
a
Enter the following information into the respective fields:
– LDAP server host name
– LDAP server port (SSL default 636, non-SSL default 389)
– LDAP user DN
– LDAP password
– Confirm password
Once you enter this information, click Test Connection. Entrust
IdentityGuard performs a query and informs you if there is a successful
connection to the repository.
Note: If the connection attempt fails, you can still proceed to the next step in
the configuration process by clicking Next. However, all fields must be filled and
passwords must match.
76
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
b
3
Click Next to perform the host name validation check. If the host name
cannot be validated, a warning message gives you the option to proceed
with the configuration or enter the server connection information.
On the LDAP Server Settings page:
a
Enter the following information into the respective fields:
– LDAP base DN
– Policy RDN
– LDAP userid attribute
See the Entrust IdentityGuard Directory Configuration Guide for detailed
information on the DN, RDN, and user attribute.
b
4
Click Next.
Proceed to “Selecting Entrust IdentityGuard service ports” on page 79 to
continue your Entrust IdentityGuard configuration.
To use a database as your repository
1
Under Database Settings, select your database from the drop-down list.
The choices are
•
Oracle
•
DB2
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
77
•
SQL Server
•
Other
Note: Use “Other” only if you are instructed to do so by Entrust Support.
2
Under JDBC Driver Information:
a
Click Browse to import your JDBC driver .jar file.
b
Enter your JDBC driver class name.
c
Click Add to include any additional JDBC .jar files (optional). Alternatively,
to remove any additional JDBC .jar files that you have added, highlight the
.jar file in the Additional JDBC JAR files list, and click Remove.
If your JDBC driver does not require additional .jar files, leave this field
blank.
3
Click Next.
4
Under Database Connection Information:
a
Enter the following information into the respective fields:
– Database URL in driver-specific format
See the vendor-specific driver documentation for additional details on URL
format.
78
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
– Database user name
– Database password
– Confirm database password
– Database schema name
Once you enter this information, click Test Connection. Entrust
IdentityGuard performs a query and informs you if there is a successful
connection to the database.
Note: If the connection test fails, you may still proceed to the next step in the
configuration process by clicking Next; however, all fields on this page must be
filled and passwords must match.
b
5
Click Next.
Proceed to “Selecting Entrust IdentityGuard service ports” on page 79 to
continue your Entrust IdentityGuard configuration.
Selecting Entrust IdentityGuard service ports
Specify the ports on which Entrust IdentityGuard services listen.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
79
Note: Ensure the ports for each Entrust IdentityGuard service are unique for that
computer.
To select Entrust IdentityGuard service ports
1
Under Authentication Service, enter a port number:
•
in the Authentication Service HTTP port number field (default 8080)
•
in the Authentication Service HTTPS port number field (default 8443)
Note: You can always disable the HTTP port later to enhance security. See
“Disabling the non-SSL port on the Authentication service” on page 228.
80
2
Under Administration Service, enter a port number in the Administration service
HTTPS port number field (default 8444).
3
Click Next.
4
Proceed to “Selecting your system host name” on page 81.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Selecting your system host name
Select a host name to generate the self-signed certificate and service URLs that are
used by Entrust IdentityGuard.
To select your system host name
1
From the System host name page,
a
Validate the system host name in the Enter the host name to be used in the
self-signed certificate and service URLs field.
The self-signed certificate secures outside communication with Entrust
IdentityGuard’s services using HTTPS.
b
Validate the certificate lifetime in the Self-signed SSL certificate lifetime (in
days) field. Optionally, change the lifetime value. Default is 365.
Note: Optionally, you can choose to reconfigure the LDAP repository
connection later. For instructions, see “To import the LDAP SSL certificate” on
page 233
c
2
Click Next.
Proceed to “Completing Entrust IdentityGuard configuration” on page 82.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
81
Completing Entrust IdentityGuard
configuration
The Configuration Summary page contains a list of all information you have entered
into the Entrust IdentityGuard Configuration wizard. Review this information
carefully and record and store the information in a secure place, if necessary.
All text boxes in the Configuration Panel include basic, context-sensitive Windows
menu commands. This lets you copy the contents of any text box. For example, you
can copy the contents of the Configuration Summary page.
To copy contents of the Configuration Summary page
1
Right-click in the content area of the Configuration Summary page.
2
Choose Select All from the menu.
3
Right-click again and select Copy from the menu.
4
Paste the copied text into a text file or other document.
To complete Entrust IdentityGuard Server configuration
1
On the Configuration Summary page, click Confirm and Save if all the
information in the summary list is complete and correct.
Note: If you choose to cancel, all information will be lost.
Note: If the system has already been initialized, when you click Initialize Entrust
IdentityGuard a warning message explains the consequences of reinitializing an
existing system.
2
Click Finish to complete the configuration process.
You can now initialize the server. Go to “Initializing the primary Entrust
IdentityGuard Server” on page 83.
82
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Initializing the primary Entrust
IdentityGuard Server
Once you configure your Entrust IdentityGuard Server, initialize it using the Entrust
IdentityGuard Initialization wizard. If you have not yet configured, see “Configuring
the primary Entrust IdentityGuard Server” on page 70.
Attention: If you are reinitializing, all stored information (such as user accounts,
cards, and groups) will be lost and all settings reset to their defaults.
Topics in this section:
•
“What initialization does” on page 83
•
“If initialization fails” on page 83
•
“Running the Entrust IdentityGuard Initialization wizard” on page 84.
What initialization does
Initialization creates master keys and the various policy structures. The
identityguard.properties file specifies two files used to store the keys that
protect the repository and the master users. The files that store this information are:
•
Entrust IdentityGuard master keys file (masterkeys.enc)—a file
containing the encryption keys that protect the repository.
•
Entrust IdentityGuard key protection file (masterkeys.kpf)—a file
containing an obfuscation key which is used to encrypt the three master user
passwords that are stored in the file.
The contents of the master keys file can be unlocked by a master user. The contents
of the key protection file provide access to the master user passwords. This access can
then be used to unlock the master keys file.
If initialization fails
Review the sytem.log file to identify the cause of failure. The log file is in
<IG_Install_Dir>\identityguard81\logs\system.log.
By default <IG_Install_Dir> is
C:\Program Files\Entrust\IdentityGuard.
Some possible causes of an initialization failure are:
•
The Entrust IdentityGuard properties file contains invalid values. To resolve
this, go to <IG_Install_Dir>\etc\identityguard.properties
and edit the file.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
83
•
Your repository is not configured correctly.
•
The repository is not running.
•
Your Entrust IdentityGuard Server service is running. See, “To check the
status of Entrust IdentityGuard” on page 94.
For more information on Entrust IdentityGuard error messages, see Entrust
IdentityGuard Error Messages included with your documentation package.
Running the Entrust IdentityGuard
Initialization wizard
Start and run the Entrust IdentityGuard Initialization wizard by completing the
following procedures.
To start the Entrust IdentityGuard Initialization wizard
84
1
If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking
Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2
Select Primary as the system type.
3
Select Initialize Entrust IdentityGuard.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Primary System Initialization page appears.
Note: If you cancel at any time, all information will be lost.
4
5
Under License Information:
a
Type your Entrust IdentityGuard installation key in the Entrust IdentityGuard
Installation Key field.
b
Type your Entrust IdentityGuard activation key in the Entrust IdentityGuard
Activation Key field.
Click Validate.
The master user information fields are enabled as soon as the licence information
is validated.
6
Under Master User Information, enter passwords for each one of the three
master users (Master1, Master2, and Master3), and confirm each password.
The passwords must meet the following criteria:
•
be over 8 characters in length
•
contain upper and lowercase characters
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
85
•
7
contain a numerical value
Click Initialize.
The Entrust IdentityGuard Server initializes.
8
Click OK.
You can now configure the sample application or test your installation. Go to one
of:
86
•
“Configuring the sample application on Microsoft Windows” on page 87
•
“Testing your installation” on page 89
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the sample application on
Microsoft Windows
This section details how you can configure and enable the Entrust IdentityGuard
sample application.
The sample Web application demonstrates how Entrust IdentityGuard registers users
and authenticates them. This sample requires an administrator user ID and password.
If you are using a directory, create the user ID entry in the directory prior to installing
the sample Web application.
For details on how to use the sample application, see “Using the sample Web
application” on page 305.
For more information about authentication features shown in the sample application,
see the Entrust IdentityGuard Administration Guide.
Note: You cannot configure the sample application on a replica Entrust
IdentityGuard Server.
Attention: The sample administrator password is stored in clear text in the
<IG_INSTALL_DIR>\identityguard81\ect\igsamples.properties
file. For security reasons, disable the sample application when you are not using
it.
If you have previously configured the sample, delete each of the following
individually to reconfigure the sample:
•
sample administrator
•
sample group
•
sample role
•
sample policy
You can only disable or enable the sample application after initial configuration, using
the Entrust IdentityGuard Web interface and Application Manager located on the
Entrust IdentityGuard Configuration Panel.
To configure the sample application
1
If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking
Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2
Under Sample Application Setup, select Set Up the Sample Application to run
the utility.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
87
The Master User Login page appears.
3
Enter your master user name and master user password in the applicable fields.
Use any one of the three master users set up in “Initializing the primary Entrust
IdentityGuard Server” on page 83.
The Entrust IdentityGuard Sample Web Application Setup page appears.
4
5
Under Configure Web Sample Administrator, type the following information:
•
Administrator user name. If you are using an LDAP or Active Directory
repository, enter the ID of a user that already exists in the directory.
•
Administrator password. The password must be over 8 characters in length,
contain upper and lower case characters, and contain a numerical value.
•
Confirm password. Re-enter the password entered in the field above.
Click Save to configure the sample application.
The sample application is configured and by default, enabled.
88
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Testing your installation
This section provides testing steps that determine whether your installation is working
properly. It assumes you have completed the installation, primary configuration, and
initialization tasks.
To test your installation
1
Check the log files in <IG_INSTALL_DIR>\identityguard81\logs for
errors, where <IG_INSTALL_DIR> is C:\Program
Files\Entrust\IdentityGuard, by default.
2
Start the Entrust IdentityGuard Server. For instructions, see “Managing the
Entrust IdentityGuard service” on page 94.
3
Check the status of all services in Entrust IdentityGuard Web interface and
Application Manager, accessible through the Entrust IdentityGuard
Configuration Panel.
a
Launch the Entrust IdentityGuard Configuration Panel and select Launch
Web Service and Application Manager.
b
On the Status tab, check the status of each service:
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
89
– Administration service
– Authentication service
– Administration interface
– Sample Web application
If the status of any of these is offline, see “Installation troubleshooting” on
page 92.
If the status of any of these is Error, ensure that the URLs correspond to valid
svcs/apps in IdentityGuard.properties. To edit the URLs, go to
<IG_Install_Dir>\etc\identityguard.properties.
4
Ensure that you can log in to the Administration Web interface.
a
Create an administrator account or use the sample administrator account, if
you have configured the sample application.
For information on creating an administrator, see the Entrust IdentityGuard
Administration Guide.
b
Once you have created an administrator, do one of the following:
– In Windows, click Start > All Programs > Entrust > IdentityGuard
>Administration Interface. This opens the interface in your default
browser.
– In a Web browser, enter the URL of your Administration interface.
https://<hostname>:<port>/IdentityGuardAdmin
Where:
<hostname> is the server host name you selected during configuration.
<port> is the administration port you selected during configuration
(default 8444).
Note: If you cannot access the Entrust IdentityGuard services (Administration or
Authentication), verify that firewall rules are not blocking the HTTPS ports (by
default 8443 and 8444).
90
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
c
At the login page, enter the administrator user name and password.
Optionally, enter the group name, if the user does not belong to the default
group.
The Entrust IdentityGuard Administration interface appears.
5
Optionally, test the sample application. To do so, follow the steps in “Using the
sample Web application” on page 305.
You have now completed testing the Entrust IdentityGuard installation.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
91
You can now:
•
Complete various advanced configuration tasks (“Postinstall configuration
options for Entrust IdentityGuard Server” on page 201 and “Configuring the
Entrust IdentityGuard Server properties file” on page 255) such as adding
replica Entrust IdentityGuard Servers to your system.
•
Set up your Entrust IdentityGuard system by adding policies, groups, users,
authentication methods, and so on (see the Entrust IdentityGuard
Administration Guide).
Installation troubleshooting
When you reinstall Entrust IdentityGuard, its Windows services may need to be
restarted. If one or more services is marked as Offline on the Status tab of the Web
Service and Application Manager page, restart the services. See “Managing the
Entrust IdentityGuard service” on page 94.
If the Administration interface does not appear, but you know the services are
running, you need to check if it is disabled.
To enable the Administration interface and service
1
Select Launch Web Service and Application Manager on the Entrust
IdentityGuard Configuration Panel.
The Web Service and Application Manager page appears.
2
Click the Controls tab.
3
Under Administration Service, select Enabled.
4
Under Administration Interface, select Enabled.
5
Click Apply Changes.
The interface is enabled.
To enable the sample application
1
92
Select Launch Web Service and Application Manager on the Entrust
IdentityGuard Configuration Panel.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Web Service and Application Manager page appears.
2
Click the Controls tab.
3
Under Sample Application, select Enabled.
4
Click Apply Changes.
The sample application is enabled and the IdentityGuard service is restarted.
To disable the sample application
Note: Only a configured sample application can be disabled.
1
Select Launch Web Service and Application Manager on the Entrust
IdentityGuard Configuration Panel.
2
Click the Controls tab.
3
Under Sample Application, select Disabled.
4
Click Apply Changes.
The sample application is disabled.
Installing Entrust IdentityGuard Server with embedded Tomcat server on Microsoft Windows
Feedback on guide
93
Managing the Entrust IdentityGuard
service
Complete the following steps to start, stop, check the status, or restart the Entrust
IdentityGuard service.
Starting and stopping events are logged in the Event Viewer.
Note: By default, Entrust IdentityGuard starts automatically whenever you
reboot the computer.
The following commands allow you to start, stop, restart, and query the status of the
Entrust IdentityGuard Server.
Changes to some settings in identityguard.properties require a restart so
that the server recognizes the new settings.
To start, stop, and restart Entrust IdentityGuard
1
Go to Start > All Programs > Control Panel > Administrative Tools > Services.
The Services window appears.
2
To stop, start, or restart, the Entrust IdentityGuard Server (including the sample
application), right-click Entrust IdentityGuard Server and select the appropriate
command.
3
To start, stop, or restart the Entrust IdentityGuard Radius proxy, right-click
Entrust IdentityGuard Radius Proxy and select the appropriate command.
To check the status of Entrust IdentityGuard
1
Go to Start > All Programs > Control Panel > Administrative Tools > Services.
The Services window appears.
2
Locate Entrust IdentityGuard Server and check the status column to view the
status.
The status tells you if the Entrust IdentityGuard Server is running.
94
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 4
Installing Entrust IdentityGuard
Server with an existing
application server
This chapter provides all the necessary steps to install, configure, initialize, and test
Entrust IdentityGuard Server on UNIX using a WebLogic 8.1 or 9.1 or a WebSphere
6.0 application server. Once you complete the full installation, install the latest patch.
To install the patch that supports Entrust tokens, see “Installing the token support
patch” on page 30.
This chapter contains the following sections:
•
“Preparing WebLogic for installation of IdentityGuard” on page 96
•
“Preparing WebSphere for installation of Entrust IdentityGuard” on
page 100
•
“Installing Entrust IdentityGuard Server” on page 106
•
“Configuring the primary Entrust IdentityGuard Server” on page 109
•
“Initializing the primary Entrust IdentityGuard Server” on page 118
•
“Configuring the sample application on an existing application server” on
page 121
•
“Running the scripts manually” on page 123
95
Preparing WebLogic for installation of
IdentityGuard
Complete the following tasks to prepare your WebLogic application server for Entrust
IdentityGuard.
Topics in this section:
•
“Preparing WebLogic 8.1 for installation” on page 96
•
“Configuring SSL for WebLogic 8.1” on page 97
•
“Preparing WebLogic 9.1 for install” on page 98
•
“Configuring SSL for WebLogic 9.1” on page 98
Attention: Arrange to have a dedicated user account and group created on the
servers that will host Entrust IdentityGuard. You must use the same account for
any future upgrades and patches.
Preparing WebLogic 8.1 for installation
Complete the following procedure to prepare WebLogic 8.1 server for the installation
of Entrust IdentityGuard.
Note: The following steps use $WEBLOGIC as the directory in which the
WebLogic server was installed, for example /usr/local/bea. $DOMAIN is the
directory of the WebLogic domain where Entrust IdentityGuard is being installed,
for example, /opt/bea/weblogic/samples/domains/wl_server.
To prepare for install
1
Download and install the unlimited strength cryptography policy files for the Java
Development Kit (JDK) being used to run WebLogic from the Sun Java Web site
http://java.sun.com/j2se/1.4.2/download.html, and depending on the JRE you
are using, install them in $WEBLOGIC/<java>/jre/lib/security
where <java> is the directory for the Java version used by the application
server.
Note: It is important that you install the policy files specific to your Java
Development Kit (JDK).
2
96
Extract the policy files.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The files are extracted to a new directory called jce. You must move the two
.jar files from the jce directory to the security directory.
3
To move the jar files enter:
mv local_policy.jar $WEBLOGIC/<java>/jre/lib/security
mv US_export_policy.jar $WEBLOGIC/<java>/jre/lib/security
Note: It is recommended that you backup the existing versions of the policy
files.
Configuring SSL for WebLogic 8.1
You can configure SSL using public CA or self-signed certificates.
SSL configuration is straightforward if you are using certificates signed by a public
Certification Authority (CA) such as Entrust Certificate Services
(http://www.entrust.net/index.htm). If you are using a public CA you must:
•
Ensure that the SSL protocol is set to SSLv3.
•
Have a secure connection between administration services and Web
administration—128+ bit strength algorithms are recommended.
If you want an SSL certificate from a public CA, use the Java keytool to create a
certificate signing request (CSR). Then, follow the instructions on the public CA Web
site to create a certificate. Once the certificate is created, import it and the CA
certificate into your keystore using the Java keytool.
For detailed instructions on configuring SSL on WebLogic, refer to
http://edocs.bea.com/wls/docs91/secmanage/ssl.html.
Additional steps are required if you are using a self-signed certificate. To set up a
self-signed certificate you configure the Java Virtual Machine (JVM) property to
javax.net.ssl.trustStore by following “To set up a self-signed certificate” on
page 97 below.
To set up a self-signed certificate
1
Edit $DOMAIN/startWebLogic.sh.
2
Move to the line where JAVA_OPTIONS are specified and set the argument
-Djavax.net.ssl.trustStore=<$TRUST_STORE>.JKS
<$TRUST_STORE>.JKS refers to the file that contains the trusted certificates.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
97
Preparing WebLogic 9.1 for install
Complete the following procedure to prepare your WebLogic 9.1 server for
installation of Entrust IdentityGuard.
Note: In the following, $WEBLOGIC is the directory in which the WebLogic
server was installed, for example, /usr/local/bea.$DOMAIN is the directory
of the WebLogic domain where Entrust IdentityGuard is being installed, for
example /opt/bea/weblogic/samples/domains/wl_server.
To prepare for install
1
Download the unlimited strength cryptography policy files for Java 1.5.0 from
the Sun Java Web site at http://java.sun.com/j2se/1.5.0/download.jsp, and
depending on the JRE you are using, install them in
$WEBLOGIC/<java>/jre/lib/security, where <java> is the directory for
the Java version used by the application server.
Note: It is important that you install the policy files specific to your Java
Development Kit (JDK).
2
Extract the policy files.
The files are extracted to a new directory called jce. You must move the two
.jar files from the jce directory to the security directory:
3
To move the jar files enter:
mv local_policy.jar $WEBLOGIC/<java>/jre/lib/security
mv US_export_policy.jar $WEBLOGIC/<java>/jre/lib/security
where <java> is the directory for the Java version used by the application
server.
Note: It is recommended that you back up the existing versions of the policy
files.
Configuring SSL for WebLogic 9.1
You can configure SSL using public CA or self-signed certificates.
SSL configuration is straightforward if you are using certificates signed by a public
Certification Authority (CA) such as Entrust Certificate Services
(http://www.entrust.net/index.htm). If you are using a public CA you must:
•
98
Ensure that the SSL protocol is set to SSLv3.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
•
Have a secure connection between administration services and Web
administration—128+ bit strength algorithms are recommended.
If you want an SSL certificate from a public CA, use the Java keytool to create a
certificate signing request (CSR). Then, follow the instructions on the public CA Web
site to create a certificate. Once the certificate is created, import it and the CA
certificate into your keystore using the Java keytool.
For detailed instructions on configuring SSL on WebLogic, refer to
http://edocs.bea.com/wls/docs81/index.html.
Additional steps are required if you are using a self-signed certificate. You must
update the command line options to start the domain.
To set up a self-signed certificate
1
Edit $DOMAIN/setDomainEnv.sh.
2
Move to the line where JAVA_OPTIONS are specified and set the following
argument:
-Djavax.net.ssl.trustStore=<$trustStore>.jks
where <$trustStore> refers to the file that contains the trusted certificates.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
99
Preparing WebSphere for installation of
Entrust IdentityGuard
These instructions assume that you have already installed and tested your application
server and enabled SSL. They also assume that you are using the default Java Virtual
Machine (JVM) in $WEBSPHERE/AppServer/java.
Complete one of the following procedures, depending on your platform:
•
“To prepare for installation on Solaris” on page 100
•
“To prepare for installation on AIX” on page 100
To prepare for installation on Solaris
1
Download and install the unlimited strength cryptography policy files for the Java
Development Kit (JDK) being used to run WebSphere from the Sun Java Web site
http://java.sun.com/j2se/1.4.2/download.html, and depending on the JRE you
are using, install them in $WEBSPHERE/<java>/jre/lib/security
where <java> is the directory for Java version used by the application server.
Note: It is important that you install the policy files specific to your Java
Development Kit (JDK) if you are not using J2SE 1.4.2.
2
Extract the policy files.
The files are extracted to a new directory called jce. You must move the two jar
files from the jce directory to the security directory.
3
To move the jar files to the security directory enter:
mv local_policy.jar $WEBSPHERE/<java>/jre/lib/security
mv US_export_policy.jar $WEBSPHERE/<java>/jre/lib/security
4
Repeat Step 2 and Step 3 for each JRE on your computer.
Note: It is recommended that you back up the existing versions of the policy
files.
To prepare for installation on AIX
1
100
Download the following RPMs from AIX Toolkit for Linux applications
(http://www-03.ibm.com/servers/aix/products/aixos/linux/download.html):
•
bash
•
unzip
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
•
2
zip
Install each package on your AIX server. To do so, run the following command as
root:
rpm -i <package file>
3
Download and install the unlimited strength cryptography policy files for the Java
Development Kit (JDK) being used to run WebSphere. You can download the
policy files by browsing to
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jce
sdk and selecting “Unrestricted JCE Policy files for SDK 1.4.2”.
4
Install them in $WEBSPHERE/<java>/jre/lib/security, where <java> is
the directory for Java version used by the application server. For example,
$WEBSPHERE/AppServer/java/jre/lib/security.
For further instructions, refer to
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websp
here.base.doc/info/aes/ae/tsec_egs.html.
Note: It is recommended that you back up the existing versions of the policy
files.
Configuring SSL for WebSphere 6.0
You can configure SSL using public CA or self-signed certificates.
SSL configuration is straightforward if you are using certificates signed by a public
Certification Authority (CA) such as Entrust Certificate Services
(http://www.entrust.net/index.htm). If you are using a public CA you must:
•
Ensure that the SSL protocol is set to SSLv3.
•
Have a secure connection between administration services and Web
administration—128+ bit strength algorithms are recommended.
If you want an SSL certificate from a public CA, use the key management utility to
create a certificate signing request (CSR). Then, follow the instructions on the public
CA Web site to create a certificate. Once the certificate is created, import it and the
CA certificate into your keystore using the key management utility.
For detailed instructions on configuring SSL on WebSphere, refer to
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.
websphere.base.doc/info/aes/ae/tsec_ssl.html.
Additional steps are required if you are using a self-signed certificate. To set up a
self-signed certificate you can do one of the following:
•
Import the self-signed certificate into the root store for the JRE, in
$WEBSPHERE/AppServer/java/jre/lib/security/cacerts.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
101
•
Set the Java Virtual Machine (JVM) property to
javax.net.ssl.trustStore by following “To set up a self-signed
certificate by setting the JVM property” on page 102 below.
To set up a self-signed certificate by setting the JVM property
1
Start your WebSphere server from $WEBSPHERE/AppServer/bin by entering
./startServer.sh <server_name>
where server_name is the name of the server you are starting.
2
Start the administration console for your server.
The default URL is http://localhost:9060/ibm/console.
3
Log in to your server.
The WebSphere main page appears.
4
102
From the WebSphere main page, select Servers > Application servers.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Application servers page appears.
5
Click the server name on which you want to deploy Entrust IdentityGuard
services from the Application servers list.
The Server page appears.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
103
6
104
Under Server Infrastructure, select Java and Process Management > Process
Definition > Java Virtual machine > Custom Properties.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Custom Properties page appears.
7
Click New.
The Custom Properties configuration page appears.
8
Name the new property javax.net.ssl.trustStore and set the value to
<$trustStore>.jks where <$trustStore> is the name of the file that
contains the trusted certificates.
9
Click OK.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
105
Installing Entrust IdentityGuard Server
Install Entrust IdentityGuard on a dedicated machine. Other software products on the
same machine can interfere with the operation of Entrust identityGuard.
To install and configure Entrust IdentityGuard, you must have an understanding of
UNIX administration.
Note: Before installing Entrust IdentityGuard, ensure that you have also
completed the tasks in “Preparing for installation” on page 19.
To install Entrust IdentityGuard
1
As root, change to the IG_81 directory. This directory was created when you
extracted the download package.
2
Run install.sh by entering:
./install.sh
Note: Cancel out of the script at any time by pressing Ctrl + C or Ctrl + @.
3
Read through the license carefully, pressing Enter until you reach the end. The
following message appears:
Do you agree to the above license terms? [yes or no]
4
Enter yes to accept the terms. Otherwise, if you do not agree with the license,
type no and press Enter. The installation will cancel. Contact Entrust (“Obtaining
technical assistance” on page 16).
The following message appears:
Enter the UNIX user name that will own the installation:
5
Enter the user name already created for your WebLogic or WebSphere
application server.
The following message appears:
Enter the UNIX group name that will own the installation:
6
Enter the name for the group already created for your WebLogic or WebSphere
application server.
The following message appears:
Enter the install directory (default /opt/entrust):
106
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Note: The installer will create this directory. If someone has already created the
installation directory, you must ensure that the directory permissions allow the
installer to write to that directory.
7
Press Enter to accept the default, or type in another directory location.
After pressing Enter, the identityguard.zip file is automatically extracted
into the directory $IDENTITYGUARD_HOME, where $IDENTITYGUARD_HOME
is usually /opt/entrust/identityguard81.
To continue Java must already be installed. It is recommended that you use the
version of Java installed on your application server.
The following message appears:
Enter the Java directory:
8
Enter the full directory path of the Java directory where the JCE policy files were
installed.
The following message appears:
Entrust IdentityGuard uses the trust store of the application
server.
Enter the file name of the application server trust store:
9
Enter the full directory path and file name of the application server trust store.
See “Configuring SSL for WebSphere 6.0” on page 101. This file sets
environment variables needed to run Entrust IdentityGuard.
10 The installation creates the Entrust IdentityGuard Radius service:
Creating igradius service...
Do you wish the Entrust IdentityGuard Radius proxy to start
automatically when the host starts after reboot? [yes or no]
If you answer no, you can enable automatic startup later.
If you wish to enable automatic startup in the future, run the
command “igsvcconfig.sh igradius enable” when logged on as root.
Note: If you want to configure your VPN servers to recognize Entrust
IdentityGuard groups, you must first install Entrust IdentityGuard and define the
groups. In this case, enter no.
See “Configuring the Entrust IdentityGuard Radius proxy” on page 171 for
further details.
11 When the initial installation steps are complete, you must respond to the
following prompt:
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
107
Installation complete.
Do you wish to configure the application now? [yes or no]
108
•
Answer yes and press Enter to start the configuration tasks. Proceed to
“Configuring the primary Entrust IdentityGuard Server” on page 109.
•
If you answer no, you must run the configure.sh script manually from
the $IDENTITYGUARD_HOME/bin directory before you can use Entrust
IdentityGuard. To do so, proceed to “To run the primary Entrust
IdentityGuard Server configuration manually” on page 123.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the primary Entrust
IdentityGuard Server
As part of the installation procedure, you are prompted to configure and initialize
Entrust IdentityGuard. You can choose to complete these configuration steps at the
same time as the installation or after.
Refer to your installation worksheet (“Installation worksheet” on page 25) when you
complete this section as you use this information to answer the prompts during
configuration.
Topics in this section:
•
“Starting the Entrust IdentityGuard configuration” on page 109
•
“Adding Directory information to Entrust IdentityGuard” on page 110
•
“Adding Database information to Entrust IdentityGuard” on page 114
•
“Completing the Entrust IdentityGuard configuration” on page 115
Starting the Entrust IdentityGuard
configuration
Complete the following steps to start configuring the primary Entrust IdentityGuard
Server.
To start the Entrust IdentityGuard configuration
1
Respond to the following prompt:
Are you configuring an Entrust IdentityGuard primary or replica
server? (PRIMARY or REPLICA):
•
Primary. If this is your first Entrust IdentityGuard Server installation, answer
primary and continue with the steps in this procedure.
Note: There can only be one primary server.
•
Replica. If you have already installed an Entrust IdentityGuard Server, and
you want to install more instances, answer replica.
To configure and initialize a replica server, proceed to“Adding Entrust
IdentityGuard replica servers” on page 210.
2
You are asked to indicate whether the user information is stored in an Active
Directory (AD), LDAP, or database (DB) repository.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
109
What type of repository will you use to store Entrust
IdentityGuard information?
AD - Microsoft(R) Active Directory or Microsoft Active
Directory in Application Mode
LDAP - LDAP-compliant Directory
DB - Database
(AD, LDAP or DB):
•
If you are using an LDAP repository, proceed to “To add LDAP Directory
information to Entrust IdentityGuard” on page 110.
•
If you are using an Active Directory or Active Directory Application Mode
(ADAM) repository, proceed to “To add Active Directory (or ADAM)
information to Entrust IdentityGuard” on page 112.
•
If you are using a database repository, proceed to “To add Database
information to Entrust IdentityGuard” on page 114.
Note: You can cancel the script at any time by pressing Ctrl + C.
Adding Directory information to Entrust
IdentityGuard
The following steps sets up Entrust IdentityGuard to communicate with a directory
repository. The steps create the identityguard.properties file based on the
values you enter.
Follow the appropriate steps:
•
if you are adding a LDAP Directory, proceed to “To add LDAP Directory
information to Entrust IdentityGuard”
•
if you are adding Active Directory or Active Directory Application Mode,
proceed to “To add Active Directory (or ADAM) information to Entrust
IdentityGuard”
Note: See the Entrust IdentityGuard Directory Configuration Guide for more
information on LDAP and Active Directory configuration.
To add LDAP Directory information to Entrust IdentityGuard
1
Respond to the following prompt:
LDAP CONFIGURATION
110
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Do you wish to use SSL to connect to the LDAP server? [yes or no]
Note: You can enable LDAPS after installation. For instructions, see “Securing
the LDAP connection with SSL” on page 233.
2
If you answered yes, the following message appears:
Make sure that SSL certificate of the LDAP server is installed
into the application server trust store.
If you answer no, no further message appears.
3
At the following prompt, enter the host name or IP address of the computer
hosting the Directory:
Enter the LDAP host (ex: identityguard.anycorp.com):
4
Enter the port number of the Directory:
Enter the LDAP port number (default is 389):
The default port for LDAPS is 636.
5
Enter the LDAP base DN (the DN under which all Entrust IdentityGuard entries
are found):
Enter the LDAP base DN (ex: dc=anycorp,dc=com):
Note: Entrust IdentityGuard configuration automatically converts spaces in the
Active Directory base DN to %20. If you edit the Active Directory base DN after
installation in the identityguard.properties file, remember to replace
spaces with %20.
6
Enter the LDAP user DN information at the following prompts. The LDAP user
DN and password define the credentials used by Entrust IdentityGuard to
connect to the repository.
Enter the LDAP user DN (ex: cn=Directory Manager):
This is an existing LDAP user DN.
Enter the LDAP password:
Confirm:
This is an existing LDAP password.
7
At the following prompt, enter the RDN of the entry that Entrust IdentityGuard
should use to store its policy information:
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
111
The LDAP policy RDN defines the entry in the LDAP repository used
to store Entrust IdentityGuard policy information. The entry must
already exist. Enter the LDAP policy RDN (ex: uid=policy):
The RDN is the prefix that, when joined with the base DN, comprises the full DN
of the policy object.
8
At the following prompt, enter the attribute that uniquely identifies Entrust
IdentityGuard users:
The LDAP user name is the attribute that uniquely identifies
Entrust IdentityGuard users. Entrust IdentityGuard uses this
attribute to find entries in the repository. Enter the LDAP user
name attribute (ex: uid):
Proceed to “To complete the configuration script” on page 115.
To add Active Directory (or ADAM) information to Entrust
IdentityGuard
1
Respond to the following prompt:
MICROSOFT ACTIVE DIRECTORY CONFIGURATION
Do you wish to use SSL to connect to the Microsoft Active
Directory server? [yes or no]
2
If you answered yes, the following message appears:
Make sure that SSL certificate of the of the Microsoft Active
Directory server is installed into the application server trust
store.
If you answer no, no further message appears.
3
At the following prompt, enter the host name or IP address of the computer
hosting the Directory:
Enter the Microsoft Active Directory host (ex:
identityguard.anycorp.com):
4
Enter the port number of the Directory:
Enter the Microsoft Active Directory port number (default is 636):
If you do not use SSL to connect to ADAM, the default port is 389.
5
Enter the Active Directory base DN (the DN under which all Entrust IdentityGuard
entries are found):
Enter the Microsoft Active Directory base DN (ex:
dc=anycorp,dc=com):
112
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Note: Entrust IdentityGuard configuration automatically converts spaces in the
Active Directory base DN to %20. If you edit the Active Directory base DN after
installation in the identityguard.properties file, remember to replace
spaces with %20.
6
Enter the Active Directory user DN information at the following prompts. The
Active Directory user DN and password define the credentials used by Entrust
IdentityGuard to connect to the repository.
Enter the Microsoft Active Directory user DN (ex:
cn=Administrator,cn=Users,dc=anycorp,dc=com):
This is an existing Active Directory user DN.
Enter the Microsoft Active Directory password:
Confirm:
This is an existing Active Directory password.
7
At the following prompt, enter the RDN of the entry that Entrust IdentityGuard
should use to store its policy information:
The policy RDN defines the entry in the Microsoft Active Directory
repository used to store Entrust IdentityGuard policy information.
The entry must already exist. Enter the Microsoft Active Directory
policy RDN (ex: cn=igpolicy,cn=Users):
The RDN is the prefix that when joined with the base DN, comprises the full DN
of the policy object.
8
At the following prompt, enter the attribute that uniquely identifies Entrust
IdentityGuard users:
The Microsoft Active Directory user name is the attribute that
identifies Entrust IdentityGuard users. Entrust IdentityGuard uses
this attribute to find entries in the repository. Enter the
Microsoft Active Directory user name attribute (ex:
sAMAccountName):
Proceed to “To complete the configuration script” on page 115.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
113
Adding Database information to Entrust
IdentityGuard
The following steps sets up Entrust IdentityGuard to communicate with a database
repository. The steps create the identityguard.properties file based on the
values you enter.
Note: See the Entrust IdentityGuard Database Configuration Guide for more
information on database configuration.
To add Database information to Entrust IdentityGuard
1
Respond to the following prompt:
DATABASE CONFIGURATION
Enter the database type (Oracle, DB2, SQLServer, Other):
Enter the type of database you are using.
The following message appears:
Enter the JDBC driver JAR file name:
2
Enter the path of the JDBC driver file (for example, /temp/ojdbc14.jar).
Ensure that the file permissions on this file allow the Entrust IdentityGuard user
to read and execute it.
Note: Some databases require multiple .jar files. You can add other files in a
later step.
3
At the following prompt, enter the JDBC driver class that Entrust IdentityGuard
should use. For example, oracle.jdbc.driver.OracleDriver.
Enter the JDBC driver class name:
The following message appears:
Are there any other JDBC JAR files to be installed? [yes or no]
Press Enter.
4
If your database requires multiple JDBC driver files, type yes and press Enter. You
are prompted to enter more file names. If your database only requires one file,
type no and press Enter to continue.
The following message appears:
Enter the DB URL:
5
114
Enter the database URL Entrust IdentityGuard requires to connect to the
database server.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
6
Provide Entrust IdentityGuard with the database administrator information. This
database administrator was created to own the Entrust IdentityGuard database
and schema.
a
At the following prompt, enter the database administrator user name:
Enter the DB userid:
b
At the following prompts, enter and confirm the database administrator
password:
Enter the DB password:
Confirm:
The following message appears:
Enter the DB schema name:
c
Enter the schema name for your database.
In some databases (for example, Oracle), the schema is automatically named
with the user name associated with it. For these databases, type the database
administrator user name.
Completing the Entrust IdentityGuard
configuration
The following steps complete the initial configuration of Entrust IdentityGuard.
Attention: It is important that you do not allow non-SSL access to the
Administration Service. Allowing non-SSL access could severely compromise the
security of your system.
To complete the configuration script
1
You are prompted for the ports that the Application server should use.
Client applications—through the use of the IdentityGuardAuthAPI client
toolkit—communicate with the Entrust IdentityGuard Authentication service to
perform challenge retrieval and response validation. The client toolkit
communicates with Entrust IdentityGuard using SOAP over HTTP/HTTPS. The
following prompts define the ports that Entrust IdentityGuard services listen on.
Enter a value for each.
Note: The http and https ports should be the ones used by your application
server.
APPLICATION SERVER CONFIGURATION
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
115
a
Enter the Authentication Service HTTP port number:
b
Enter the Authentication Service HTTPS port number:
The Entrust IdentityGuard Authentication service and the Entrust
IdentityGuard sample application are deployed at both the HTTP and HTTPS
ports.
c
Enter the Administration Service HTTPS port number:
This is the port that administration applications use to connect to the
Administration service when using SSL (HTTPS).
Note: The Authentication Service HTTPS and Administration Service HTTPS port
numbers can be the same.
2
You are prompted to confirm the host name used in the service URLs.
The hostname to be used in the service URLs is <hostname>.
Do you want to use this hostname? [yes or no]
Enter yes to use this host name or enter no to choose another host name.
3
You are prompted to configure Entrust IdentityGuard logs:
LOG CONFIGURATION
a
The following question appears:
Should Entrust IdentityGuard log to files or syslog? [FILE or
SYSLOG]:
If you answer file, Entrust IdentityGuard displays the location of the files
and configuration is complete.
b
If you answer syslog, logs are logged to Syslog. Entrust IdentityGuard
prompts you for the host name.
Enter the syslog host name (default is localhost):
Ensure that Syslog on this host is configured to accept Entrust IdentityGuard
logs. For more information, see the section “Configuring Syslog for remote
logging on UNIX” on page 226.
4
The following message appears:
Do you want to configure the Entrust IdentityGuard Radius
Proxy? [yes or no]
Do one of the following:
•
116
If you plan to use a Radius server for first-factor authentication and are not
using VPN groups, enter yes. Proceed to Step 4 in “To configure the Radius
proxy on UNIX” on page 180.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
5
•
If you plan to use a Radius server for first-factor authentication and you want
to configure your VPN servers to recognize Entrust IdentityGuard groups,
you need to first complete the configuration and initialization of Entrust
IdentityGuard and define the groups. In this case, enter no.
•
If you plan to use a Windows domain controller or LDAP directory for
first-factor authentication, enter yes. Follow the instructions under “Using
Entrust IdentityGuard groups with a VPN server” on page 175.
•
Otherwise, enter no.
When you finish the configuration procedure, this message appears:
Configuration complete.
Do you wish to initialize the primary system? [yes or no]
•
Enter yes to start the initialization tasks. Proceed to “Initializing the primary
Entrust IdentityGuard Server” on page 118.
•
If you enter no you must run the init command in the supersh command
shell from the $IDENTITYGUARD_HOME/bin directory before you can use
Entrust IdentityGuard. Proceed to “To initialize the primary Entrust
IdentityGuard Server manually” on page 123.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
117
Initializing the primary Entrust
IdentityGuard Server
Complete the following procedure to initialize the primary Entrust IdentityGuard
Server on your system.
Topics in this section:
•
“What initialization does” on page 118
•
“If initialization fails” on page 118
•
“Initializing the primary server” on page 119
What initialization does
Initialization creates master keys and the various policy structures. The
identityguard.properties file specifies two files that are used to store the
keys that protect the repository and the master users. The files that store this
information are:
•
Entrust IdentityGuard master keys file (masterkeys.enc)—a file
containing the encryption keys that protect the repository.
•
Entrust IdentityGuard key protection file (masterkeys.kpf)—a file
containing an obfuscation key which is used to encrypt the three master user
passwords that are stored in the file.
The contents of the master keys file can be unlocked by a master user. The contents
of the key protection file provide access to the master user passwords. This access can
then be used to unlock the master keys file.
If initialization fails
The most likely causes of an initialization failure are:
•
The Entrust IdentityGuard properties file contains invalid values. To resolve
this, go to
$IDENTITYGUARD_HOME/etc/identityguard.properties and
edit the file.
•
Your repository is not configured correctly to work with Entrust
IdentityGuard.
•
The repository is not running.
For more information on Entrust IdentityGuard error messages, see Entrust
IdentityGuard Error Messages included with your documentation package.
118
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Initializing the primary server
This section provides the steps necessary to initialize the primary server.
To initialize the primary Entrust IdentityGuard Server during
installation
1
Respond to the following prompt:
PRIMARY SYSTEM INITIALIZATION
If you are reinstalling Entrust IdentityGuard, the following prompt appears:
An existing system has been detected. Overwriting an existing
system will mean the existing data can no longer be accessed. Are
you sure you want to overwrite the existing system? (y/n) [n]:
Attention: If you are using an LDAP repository, and you run init
-overwrite, you must first manually remove the fpcr directory located at
$IDENTITYGUARD_HOME/etc/fpcr/ as well as the ftkr directory located at
$IDENTITYGUARD_HOME/etc/ftkr.
Attention: If you reinitialize an Entrust IdentityGuard system by running init
-overwrite, you must first replace any encrypted values in the
identityguard.properties file with cleartext values because Entrust
IdentityGuard cannot decrypt the old values once the reinitialization is
performed. See the section “Editing property values” on page 257.
When you answer y, the command init -overwrite runs automatically.
The init command:
•
generates a new master key and stores it in the master keys file
•
generates the key protection file
•
initializes default policy settings
If you answer n or if initialization fails, you must run the init command in the
master user shell (supersh) at a later time. For steps for initializing manually, see
the section “To initialize the primary Entrust IdentityGuard Server manually” on
page 123.
Note: You can cancel the script at any time by pressing Ctrl + C.
The following messages appear:
Enter install key:
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
119
Enter activation key:
2
Enter the installation key and the activation key you received from Entrust. Once
the activation key is validated, master keys are then generated.
Attention: The two master keys files are created in
$IDENTITYGUARD_HOME/etc. After initialization, back up masterkeys.enc.
If this file is lost, the system cannot be recovered. See the system restore
procedure in “Restoring Entrust IdentityGuard from a backup” on page 250.
Do not back up the key protection file (masterkeys.kpf). The
masterkeys.kpf file is unique to each server.
3
Type the three master user passwords for the user names—Master1, Master2,
and Master3.
The passwords must meet the following criteria:
•
be over eight characters in length
•
contain upper and lowercase characters
•
contain a numerical value
The following prompts are displayed:
Enter a new password for Master1.
Password:
Confirm:
Enter a new password for Master2.
Password:
Confirm:
Enter a new password for Master3.
Password:
Confirm:
4
When you have finished creating passwords, the following message is displayed:
System initialized.
Do you wish to setup the sample application [yes or no]
120
•
Enter yes to configure the sample application. Proceed to “Configuring the
sample application on an existing application server” on page 121.
•
If you enter no you can optionally configure the sample application later.
Proceed to “Deploying Entrust IdentityGuard services on an existing
application server” on page 127.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the sample application on
an existing application server
Entrust IdentityGuard provides a sample Web application that includes user
registration functionality as well as various authentication samples. This sample
requires an administrator user name and password. If you are using a directory you
must create the administrator before configuring the sample application.
For more information on the sample application, see the Entrust IdentityGuard
Administration Guide.
Attention: The sample administrator password is stored in clear text in the file
$IDENTITYGUARD_HOME/etc/igsample.properties. For security reasons,
disable the sample application when you are not using it.
The configsample.sh script creates the following:
•
a role called samplerole
•
a policy called samplepolicy
•
a group called samplegroup
•
an administrator in the samplegroup (the administrator has access to the
samplegroup)
•
an igsample.properties file
If you are configuring the sample application manually, refer to “To configure the
Entrust IdentityGuard Server sample application manually” on page 125.
To configure the sample application
1
You are prompted to enter the user name for the sample administrator.
Enter adminid for sample administrator:
2
You are prompted to enter and confirm a password:
Enter password for sample administrator:
Confirm:
The password must meet the following criteria:
3
•
be over eight characters in length
•
contain upper and lowercase characters
•
contain a numerical value
Log in as a master user to complete the setup.
You are prompted for a master user name and password:
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
121
Userid:
Password:
4
When you are finished setting up the sample, the following message appears:
Setup of Entrust IdentityGuard sample successful.
You can now deploy the sample Web application from your application server (see
“Deploying Entrust IdentityGuard services on an existing application server” on
page 127).
122
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Running the scripts manually
If you did not run the scripts during the installation procedure, you have the option
to manually run the configuration and initialization scripts.
To run the primary Entrust IdentityGuard Server configuration
manually
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 106.
2
Change to $IDENTITYGUARD_HOME
(default is /opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Run the configure.sh script.
If you have previously configured Entrust IdentityGuard, the following message
appears:
An identityguard.properties file exists.
If you continue, this
file will be overwritten.
Do you want to continue? [yes or no]
5
Enter yes and continue from Step 1 of the “To start the Entrust IdentityGuard
configuration” on page 109.
To initialize the primary Entrust IdentityGuard Server manually
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 106.
2
Go to $IDENTITYGUARD_HOME.
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
123
Note: You can view copyright and version information at any time by entering
version
at the command prompt.
5
Enter
init <optionalvalues>
where <optionalvalues> are listed in Table 10:
Table 10: Initialization optional values
Values
Description
-sernum
To start card serial numbers at a specific number, enter
init -sernum <num> where <num> is a positive
integer.
Defaults to 1 if not specified.
Use this option if you are adding additional cards to your
system. For example, if you have previously loaded 350
cards, enter:
init -sernum 351
-overwrite
If the system was initialized previously, this command
overwrites the existing data.
You are prompted to confirm that you want existing data
to be overwritten.
Attention: If you are using an LDAP repository, and you run
init -overwrite, you must first manually remove the
fpcr folder located at
$IDENTITYGUARD_HOME/etc/fpcr/.
Attention: If you reinitialize an Entrust IdentityGuard
system by running init -overwrite, you must first
replace any encrypted values in the
identityguard.properties file with cleartext values
because Entrust IdentityGuard cannot decrypt the old
values once the reinitialization has been performed. See the
section “Editing property values” on page 257.
-force
124
If you use the -force option, you are not prompted for
confirmation.
6
Complete Step 2 and Step 3 on page 120.
7
Type exit to leave the command shell.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
8
Check the log files for errors. If you chose to log to files when you installed
Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs.
To configure the Entrust IdentityGuard Server sample application
manually
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 106.
2
Change to $IDENTITYGUARD_HOME (usually
/opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Run the configsample.sh script.
5
You are prompted to enter the user name for the sample administrator.
Enter adminid for sample administrator:
6
You are prompted to enter and confirm a password:
Enter password for sample administrator:
Confirm:
The password must meet the following criteria:
7
•
be over eight characters in length
•
contain upper and lowercase characters
•
contain a numerical value
Log in as a master user to complete the setup.
You are prompted for a master user name and password:
Userid:
Password:
8
When you are finished setting up the sample, the following message is displayed:
Setup of Entrust IdentityGuard sample successful.
To make changes to the sample Web application configuration
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “To install Entrust IdentityGuard” on page 106.
2
Change to $IDENTITYGUARD_HOME (usually
/opt/entrust/identityguard81).
3
From $IDENTITYGUARD_HOME, source the environment settings file by entering
Installing Entrust IdentityGuard Server with an existing application server
Feedback on guide
125
. ./env_settings.sh
(Include a space between the two periods in the command.)
4
Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
5
Log in as a master user. For example,
Master1
6
If you have previously configured the sample, delete each of the following
individually:
•
sample administrator
•
sample group
•
sample role
•
sample policy
To do so:
a
Run the delete command for each. For example,
admin delete sample/SampleAdmin1
Note: Use the list command to list sample administrators, groups, roles, and
policies, so that you can see which ones to delete. For example, use admin list
to list all the sample administrators that have already been created. Use group
list, to list the sample groups that exist, and so on.
b
Answer yes to confirm the delete.
Are you sure you wish to delete the admin? (y/n) [n]:
7
Type exit to exit the master user shell and return to the command-line.
8
Enter the following command to start configuring the sample:
configsample.sh
9
You are warned that the igsample.properties file already exists. For
example:
/opt/entrust/identityguar81/etc/igsample.properties file already
exists. Do you wish to continue? [yes or no]
Answer yes.
10 Follow the steps in “To configure the sample application” on page 121.
126
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 5
Deploying Entrust IdentityGuard
services on an existing
application server
This chapter provides all the necessary steps to deploy Entrust IdentityGuard services
using the WebLogic 8.1 or 9.1 or WebSphere 6.0 application servers.
This chapter contains the following sections:
•
“Deploying Entrust IdentityGuard services on WebLogic” on page 128.
•
“Deploying Entrust IdentityGuard services on WebSphere 6.0 application
server” on page 142
•
“Testing your installation” on page 162
•
“Managing the Entrust IdentityGuard service” on page 166
127
Deploying Entrust IdentityGuard
services on WebLogic
Once you have installed Entrust IdentityGuard on a WebLogic 8.1 or 9.1 application
server, you must install and deploy the Entrust IdentityGuard services. The process is
different depending on the version of WebLogic you are using.
Topics in this section:
•
“Deploying Entrust IdentityGuard services on WebLogic 8.1 application
server” on page 128
•
“Deploying Entrust IdentityGuard services on WebLogic 9.1 application
server” on page 134
Deploying Entrust IdentityGuard services on
WebLogic 8.1 application server
To deploy Entrust IdentityGuard services on a WebLogic 8.1 application server you
must:
•
extract and install the Entrust IdentityGuard service files
•
deploy the Entrust IdentityGuard services
Note: In the following, $WEBLOGIC is the directory in which the WebLogic
server was installed. $DOMAIN is the directory of the WebLogic domain where
Entrust IdentityGuard is being installed, for example
/bea/weblogic81/samples/domains/wl_server.
To install Entrust IdentityGuard services
1
Install the native libraries libaal2sdk.so and libualjni.so required by
Entrust IdentityGuard to one of the directories listed in the LD_LIBRARY_PATH
environment variable.
The native libraries are located in $IDENTITYGUARD_HOME/lib/solaris.
Enter at the command line:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/entrust/identityguard81/lib/
solaris/;export LD_LIBRARY_PATH
Note: Substitute the correct installation directory if it is different from the default
/opt/entrust.
128
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
2
Edit the domain startup script $DOMAIN/startWebLogic.sh and add
enttoolkit.jar, log4j-1.2.14.jar and any database driver .jar files to
the line that sets the CLASSPATH environment variable.
3
Still in $DOMAIN/startWebLogic.sh, move to the line where it sets
JAVA_OPTIONS, and at the end add
-Didentityguard.home=/opt/entrust/identityguard81
Note: Substitute the correct install directory if it is different from the default
/opt/entrust and add the line if there is currently no setting of
JAVA_OPTIONS.
4
At the command line, go to (cd) to $IDENTITYGUARD_HOME/services/auth.
5
Create a directory named IdentityGuardAuthService.
6
Go to (cd) to the IdentityGuardAuthService directory.
7
Using the jar tool from the WebLogic JDK
($WEBLOGIC/jdk_141_05/bin/jar), extract the file
IdentityGuardAuthService.war by entering the following at the command
line:
jar xvf ../IdentityGuardAuthService.war
A new directory called WEB-INF is created.
8
Go to (cd) to the WEB-INF directory, and create a file named weblogic.xml
and give it the following content:
Note: The file name is case-sensitive.
<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web
Application 8.1//EN" "http://www.bea.com/servers/wls810/
dtd/weblogic810-web-jar.dtd">
<weblogic-web-app>
<container-descriptor>
<prefer-web-inf-classes>true</prefer-web-inf-classes>
</container-descriptor>
</weblogic-web-app>
9
In $IDENTITYGUARD_HOME/services/admin create a directory named
IdentityGuardAdmin.
10 Go to the IdentityGuardAdmin directory.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
129
11 Extract IdentityGuardAdmin.war by entering the following at the command
line:
jar xvf ../IdentityGuardAdmin.war
12 Repeat Step 8.
13 In $IDENTITYGUARD_HOME/services/admin, create a directory named
IdentityGuardAdminService.
14 Change to the IdentityGuardAdminService directory.
15 Extract IdentityGuardAdminService.war by entering the following at the
command line:
jar xvf ../IdentityGuardAdminService.war
16 Repeat Step 8.
17 Optionally, deploy the sample application:
a
In $IDENTITYGUARD_HOME/services/auth, create a directory named
IdentityGuardSampleApp.
b
Change to the IdentityGuardSampleApp directory.
c
Extract IdentityGuardSampleApp.war by entering the following at the
command line:
jar xvf ../IdentityGuardSampleApp.war
d
Repeat Step 8.
To deploy Entrust IdentityGuard services
1
Start your WebLogic domain from $DOMAIN by entering
./startWeblogic.sh
2
Start the administration console for your server (default URL
http://localhost:7001/console) and log in.
The WebLogic 8.1 main page appears.
130
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
3
From the WebLogic 8.1 main page, select Deployments > Web Application
Modules.
The Deploy a Web Application Module page appears.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
131
4
Click the Deploy a New Web Application link.
The Select the archive for this Web application module page appears.
5
Browse through the location link to locate the directory where authentication
service WAR file, was extracted.
The directory is
$IDENTITYGUARD_HOME/services/auth/IdentityGuardAuthService
The Select the archive for this Web application module page appears.
132
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
6
Click the radio button to the left of the directory IdentityGuardAuthService
and then click Target Module.
The Review your choices and deploy page appears.
7
After reviewing your choices, click Deploy.
A deployment status page appears showing the status of the Web application
deployment.
8
Repeat Step 3 through Step 7 to install the Administration service from
$IDENTITYGUARD_HOME/services/admin/IdentityGuardAdminService
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
133
9
Repeat Step 3 through Step 7 to install the Administration interface from
$IDENTITYGUARD_HOME/services/admin/IdentityGuardAdmin
10 Optionally, repeat Step 3 through Step 7 to enable the sample application from
$IDENTITYGUARD_HOME/services/auth/IdentityGuardSampleApp.
Deploying Entrust IdentityGuard services on
WebLogic 9.1 application server
To deploy Entrust IdentityGuard services on a WebLogic 9.1 application server you
must:
•
extract and install the entrust IdentityGuard service files
•
deploy the Entrust IdentityGuard services
Note: In the following, $WEBLOGIC is the directory in which the WebLogic
server was installed, and $DOMAIN is the directory of the WebLogic domain
where Entrust IdentityGuard is being installed, for example
/opt/bea/weblogic91/samples/domains/wl_server.
To install and deploy Entrust IdentityGuard services
1
Install the native libraries libaal2sdk.so and libualjni.so required by
Entrust IdentityGuard to one of the directories listed in the LD_LIBRARY_PATH
environment variable.
The native libraries are located in $IDENTITYGUARD_HOME/lib/solaris.
Install them by entering at the command line:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/entrust/identityguard81/lib/
solaris/;export LD_LIBRARY_PATH
Note: Substitute the correct installation directory if it is different than the default
/opt/entrust.
2
Copy enttoolkit.jar, log4j-1.2.14.jar found in
$IDENTITYGUARD_HOME/lib and any database driver .jar files to
$DOMAIN/lib.
All .jar files in this directory are added to the Classpath environment when
the server starts.
3
134
Edit the domain startup script that sets the environment variables,
$DOMAIN/bin/setDomainEnv.sh. Move to the line that sets JAVA_OPTIONS
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
and add -Didentityguard.home=/opt/entrust/identityguard81 to
the end of the line.
Note: Your installation directory may be different.
4
Start your WebLogic server from $DOMAIN/bin by typing:
./startWebLogic.sh
5
Start the administration console for your server (the default URL is
http://localhost:7001/console) and log in.
The WebLogic main page appears.
6
Under Change Center click Lock & Edit.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
135
7
Under Domain Configurations, click Deployments.
The Summary of Deployments page appears.
8
Click Install.
The Install Applications Assistant page appears.
9
Click Upload your file(s) located in the Note paragraph.
The Install Application Assistant appears prompting you to upload a deployment
to the administration server.
136
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
10 Click Browse to the right of Deployment Archive to locate the authentication
service WAR file, IdentityGuardAuthService.war and click Open.
The file is located in
$IDENTITYGUARD_HOME/services/auth/IdentityGuardAuthService.war
11 Click Next on the Install Applications Assistant page to upload a deployment to
the administration server.
The Install Applications Assistant page updates so that you can locate the
deployment to install and prepare for deployment.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
137
12 Click the radio button to the left of the file name
IdentityGuardAuthService.war to locate the deployment to install and
prepare for deployment.
13 Click Next.
The Install Applications Assistant page updates and prompts you to choose a
targeting style.
14 Select Install this deployment as an application, and then click Next.
The Install Applications Assistant page updates with optional settings.
138
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
15 Accept the default optional settings and click Next.
The Install Applications Assistant page updates to enable you to review your
choices.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
139
16 Review the choices, and click Finish.
The Settings for IdentityGuardAuthService page appears.
17 Under Change Center in the top left of the page, click Activate Changes to
accept the changes.
18 Repeat Step 6 through Step 17 to install the Administration service
($IDENTITYGUARD_HOME/services/admin/IdentityGuardAdminServic
e.war).
19 Repeat Step 6 through Step 17 to install the Administration interface
($IDENTITYGUARD_HOME/services/admin/IdentityGuardAdmin.war).
20 Optionally, repeat Step 6 through Step 17 to enable the sample application
($IDENTITYGUARD_HOME1/services/auth/IdentityGuardSampleApp.w
ar).
21 Under Domain Structure on the main page, click Deployments.
140
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The IdentityGuard deployments display in a prepared state, but they are not
running yet.
22 Select the checkbox for each Entrust IdentityGuard application.
23 Click the Start drop-down menu.
24 Select Start servicing all requests.
The Start Application Assistant page appears.
25 Click Yes to start deployments. Entrust IdentityGuard is now up and running.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
141
Deploying Entrust IdentityGuard
services on WebSphere 6.0 application
server
After completing installation of Entrust IdentityGuard server, you must deploy
IdentityGuard services on a WebSphere application server.
Topics in this section:
•
“Defining and deploying shared library settings” on page 142
•
“Installing Entrust IdentityGuard services on WebSphere 6.0” on page 155
Defining and deploying shared library
settings
You must define the shared library settings for the Security Toolkit for Java Platform,
your Entrust tokens (if applicable), and the database driver.
To define shared library settings
1
Start your WebSphere server from $WEBSPHERE/AppServer/bin by entering
./startServer.sh <server_name>
where server_name is the name of the server you are starting.
2
Start the administration console for your server.
The default URL is http://localhost:9060/ibm/console.
3
Log in to your server.
The WebSphere main page appears.
142
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
4
From the WebSphere main page, click Environment > Shared Libraries.
The Shared Libraries page appears.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
143
5
Click the Node scope for the library and click Apply.
6
Under Preferences, click New.
The New Shared Libraries page appears prompting you to define the settings for
the shared library. These are the settings for the Security Toolkit for Java Platform.
144
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
7
8
Define the Shared Library settings:
a
In the Name field, type Security Toolkit for Java Platform
b
Leave the Description field blank.
c
Set the Classpath to the enttoolkit.jar file to
/opt/entrust/identityguard81/lib/enttoolkit.jar
d
If the log4j-1.2.14.jar file is not already a shared library, also add
/opt/entrust/identityguard81/lib/log4j-1.2.14.jar
e
Set the Native library path to
/opt/entrust/identityguard81/lib/solaris or
/opt/entrust/identityguard81/lib/aix
Click OK.
You are returned to the Shared Libraries page. Security Toolkit for Java Platform
appears in the preferences list and a message displays indicating that changes
have been made to your local configuration and that the server may need to be
restarted for the changes to take place.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
145
9
Click Save to save the changes, but do not restart the server at this time.
The Shared Libraries Save page appears prompting you to click Save to update
the master repository with changes.
146
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
10 Click Save to return to the Shared Libraries page.
11 If your installation will uses Vasco tokens, repeat Step 6 to Step 10 to define a
shared token library.
•
Add a Classpath for each of the following:
/opt/entrust/identityguard81/lib/aal2wrap.jar
•
The library path is /opt/entrust/identityguard81/lib/solaris
12 If using a database, repeat Step 6 to Step 10 to define the database driver library
file.
13 Click Save.
To deploy shared libraries
1
From the WebSphere server main page, click Servers > Application Servers.
The Application servers page appears.
2
Click the server name on which you want to deploy Entrust IdentityGuard
services from the Application servers list.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
147
The Server page appears.
3
148
Under Server Infrastructure, click Java and Process Management > Class loader.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Application servers Class Loader page appears.
4
Select the class loader from the list.
If there are no class loaders defined:
a
Click New to create a new class.
The Class loader configuration page appears.
b
Select Class loader mode Parent First.
c
Click OK.
You are returned to the Server page and a Class Loader appears in the
preferences list.
d
Select the Class loader.
The Class loader configuration page appears.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
149
5
Under Additional Properties, select Libraries.
The Application servers Library Reference page appears.
6
Click Add.
The Application server Library Reference General Properties page appears.
150
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
7
Under Library name, select Security Toolkit for Java Platform.
8
Click OK.
The Library Reference page updates with Security Toolkit for Java Platform listed
in the preferences list.
9
Repeat Step 6 to Step 8 for the Entrust token library and, optionally, the database
driver library.
10 Return to the server page from Step 2. You can do this by clicking the server
name from the Library Reference page.
11 From the server page, click Java and Process Management > Process Definition
> Java Virtual Machine > Custom Properties.
The Custom Properties page appears.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
151
12 Click New.
The Custom Properties configuration page appears.
13 Name the new property identityguard.home.
14 Set the value to the install directory of Entrust IdentityGuard to
/opt/entrust/identityguard81
15 Click OK.
152
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Note: When using the default JDK on Solaris, applications running in
WebSphere do not understand the HTTPS protocol. To resolve this issue, you
must define another custom property with the name
java.protocol.handler.pkgs and value
com.ibm.net.ssl.www.protocol.
16 Click Save followed by Save on the Custom Properties Save page.
17 Repeat Step 12 to Step 16 to define the java.protocol.handler.pkgs
custom property.
Note: Ensure that you have also set up the javax.net.ssl.trustStore
custom property if you are using self-signed certificates (see “Configuring SSL for
WebSphere 6.0” on page 101).
18 If you are using AIX, complete this step. On Solaris, proceed to Step 19 on
page 155.
a
Return to the server page from Step 2.
b
From the server page, click Java and Process Management > Environment
Entries.
The Application server Custom Properties page opens.
c
Click New. The General Properties page opens.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
153
d
154
Set Name to LIBPATH (all caps) and Value to the path of the native libraries.
For example, /opt/entrust/identityguard81/lib/aix.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
e
Click Apply. You are returned to the Custom Properties page.
f
Click Save followed by Save.
19 Restart the server.
Installing Entrust IdentityGuard services on
WebSphere 6.0
After setting the shared libraries you can deploy the Entrust identityGuard
authentication and administration services.
To install Entrust IdentityGuard services
1
From the WebSphere main page, select Applications > Install New Application.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
155
The Preparing for the application installation page appears.
2
Click Browse under Specify path to locate the authentication service WAR file,
IdentityGuardAuthService.war, which is most likely in
/opt/entrust/identityguard81/services/auth/.
3
Type /IdentityGuardAuthService in the Context Root text box.
4
Click Next.
The Preparing for the application installation page updates prompting you to
choose to generate default bindings and mappings.
5
156
Select Generate Default Bindings and click Next.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
An Application Security Warnings page appears warning about contents of the
was.policy file.
6
Accept the warning and click Continue.
The Install New Application page updates prompting you to select your
installation options.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
157
7
Select the installation options.
You can select to keep the default settings or, optionally in the Directory to install
application text box, specify an installation directory and remove _war from the
Application name.
8
Click Next.
The Map modules to servers page appears.
158
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
9
On the Map Modules to Servers page, select the server(s) on which to deploy the
Entrust IdentityGuard authentication service.
Note: You must select at least one server.
10 Click Next.
The Map virtual hosts for Web modules page appears.
11 On the Map Virtual Hosts for Web Modules page, select the virtual host to
deploy the Entrust IdentityGuard authentication service.
12 Click Next.
The Summary page appears.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
159
13 Review the details on the Summary page, and click Finish.
WebSphere attempts to load the Entrust IdentityGuard authentication service. If
this fails, consult the WebSphere logs for the domain to see why.
When installation completes the following message appears:
Application IdentityGuardAuthServices installed successfully.
To start the application, first save changes to the master
configuration.
14 Click Save to Master Configuration.
The Save page appears.
15 Click Save.
16 Repeat Step 1 through Step 15 to install the administration service from
/opt/entrust/identityguard81/services/admin/IdentityGuardAdm
inService.war
17 Repeat Step 1 through Step 15 to install the Web interface from
/opt/entrust/identityguard81/services/admin/IdentityGuardAdm
in.war.
18 Optionally, repeat Step 1 through Step 15 to install the sample applicationfrom
opt/entrust/identityguard81/services/auth/IdentityGuardSampl
eApp.war.
160
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
To start Entrust IdentityGuard services
1
From the WebSphere main menu, select Applications > Enterprise Applications.
The Enterprise Applications page appears.
2
Select the box next to Entrust IdentityGuard service(s), and then click Start.
A message appears indicating that the services have started successfully.
Note: You can select to start multiple services simultaneously.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
161
Testing your installation
This section provides testing steps that determine if your installation is working
properly. It assumes that you have completed the installation, configuration, and
initialization tasks.
To test your installation
1
Check the log files for errors. If you chose to log to files when you installed
Entrust IdentityGuard, the logs are stored in $IDENTITYGUARD_HOME/logs.
2
Start the Entrust IdentityGuard Server as the Entrust IdentityGuard application
owner. For instructions, see “Query the status of Entrust IdentityGuard service”
on page 166.
3
Check whether all Entrust IdentityGuard services are running as expected.
a
Source env_settings.sh by entering:
. ./env_settings.sh
b
Enter
igservice.sh all status
The following shows part of the status report generated when all services are
running:
Authentication V1 service at
http://<hostname>/IdentityGuardAuthService/services/Authenticat
ionService is available.
Authentication V1 service at
https://<hostname>/IdentityGuardAuthService/services/Authentica
tionService is available.
Authentication V2 service at
http://<hostname>/IdentityGuardAuthService/services/Authenticat
ionServiceV2 is available.
Authentication V2 service at
https://<hostname>/IdentityGuardAuthService/services/Authentica
tionServiceV2 is available.
Sample application at http://<hostname>/IdentityGuardSampleApp
is available.
162
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Administration V1 service at
https://<hostname>/IdentityGuardAdminService/services/AdminServ
ice is available.
Administration V2 service at
https://<hostname>/IdentityGuardAdminService/services/AdminServ
iceV2 is available.
Administration interface at
https://<hostname>/IdentityGuardAdmin is available.
4
Ensure that you can log in to the Administration Web interface.
a
Create an administrator account or use the sample administrator account, if
you have configured the sample application.
For information on creating an administrator, refer to the Entrust
IdentityGuard Administration Guide.
b
Open a browser and enter the following URL:
https://<FQDN>:<port>/IdentityGuardAdmin
where:
– <FQDN> is the Entrust IdentityGuard host name.
– <port> is the Administration interface service port.
Note: If you cannot access the Entrust IdentityGuard services (administration or
authentication), verify that firewall rules are not blocking the HTTP and HTTPS
ports.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
163
c
At the login page, enter the administrator user name and password.
Optionally, enter the group name, if the user does not belong to the default
group.
d
You are prompted to change the administrator password.
e
Follow the rules on the screen to change the administrator password.
The Entrust IdentityGuard Administration interface appears:
164
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
5
Optionally, test the sample application. To do so, follow the steps in “Using the
sample Web application” on page 305.
You have now completed testing of the Entrust IdentityGuard installation.
You can now:
•
complete various advanced configuration tasks (“Postinstall configuration
options for Entrust IdentityGuard Server” on page 201 and “Configuring the
Entrust IdentityGuard Server properties file” on page 255) such as adding
replica Entrust IdentityGuard Servers to your system
•
set up Entrust IdentityGuard by adding policies, groups, users, authentication
methods, and so on (see the Entrust IdentityGuard Administration Guide)
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
165
Managing the Entrust IdentityGuard
service
Complete the following steps to check the status of the Entrust IdentityGuard service.
You have the option of using either the identityguard.sh command, or the UNIX
output command.
Topics in this section:
•
“Query the status of Entrust IdentityGuard service” on page 166
•
“Stopping Entrust IdentityGuard Services on WebLogic 8.1” on page 167
•
“Stopping Entrust IdentityGuard Services on WebLogic 9.1” on page 168
•
“Stopping Entrust IdentityGuard Services on WebSphere 6.0” on page 169
Query the status of Entrust IdentityGuard
service
The following command allows you to query the status of the Entrust IdentityGuard
service.
Note: If you are root, you cannot start Entrust IdentityGuard Radius service
using the igradius.sh start command. Also, to stop the Entrust
IdentityGuard service, you must be the user who started the service.
To query the status of Entrust IdentityGuard
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation.
2
From $IDENTITYGUARD_HOME, enter
. ./env_settings.sh
3
To query the status of the Entrust IdentityGuard service, enter
identityguard.sh status
Note: Once Entrust IdentityGuard is installed, the service is started automatically
when you reboot.
166
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Stopping Entrust IdentityGuard Services on
WebLogic 8.1
Complete the following procedure to stop Entrust IdentityGuard on WebLogic 8.1.
To stop Entrust IdentityGuard Services
1
From the WebLogic 8.1 main page, select Deployments > Web Application
Modules.
The Deploy a Web Application Module page appears showing a list of all
deployed Web applications.
2
Click the application name, for example, IdentityGuardAdmin.
The Deployment status page appears.
3
Click Stop.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
167
4
Repeat Step 1 to Step 3 for each Entrust IdentityGuard service you want to stop.
Stopping Entrust IdentityGuard Services on
WebLogic 9.1
You can stop Entrust IdentityGuard Services using one of the following three options:
•
When work completes. Specifies that WebLogic Server wait for the
application to finish its work and for all currently connected users to
disconnect.
•
Force stop now. Specifies that WebLogic Server stop the application
immediately, regardless of the work that is being performed and the users
that are connected.
•
Stop, but continue servicing administrative requests. Specifies that
WebLogic Server stops the application once all its work has finished, but to
then puts the application in Administrative Mode so it can be accessed for
administrative purposes.
To stop Entrust IdentityGuard Services
1
Under Domain Structure on the left of the main page click Deployments.
The Deployment Summary Page appears with a list of Entrust IdentityGuard
services.
168
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
2
Select the checkbox for the service(s) you want to stop.
3
From the Stop drop-down menu select the desired stop option.
The Stop Application Assistant page appear.
4
Click Yes to stop the application.
You are returned to the Summary of Deployments page.
Stopping Entrust IdentityGuard Services on
WebSphere 6.0
Complete the following procedure to stop Entrust IdentityGuard on WebSphere 6.0.
To stop Entrust IdentityGuard services
1
From the WebSphere main page click Applications > Enterprise Applications.
Deploying Entrust IdentityGuard services on an existing application server
Feedback on guide
169
The Enterprise Applications page appears.
2
Select the service(s) you want to stop.
3
Click Stop.
A message appears indicating that the service was stopped successfully.
170
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 6
Configuring the Entrust
IdentityGuard Radius proxy
This chapter provides all the necessary steps for configuring the Entrust IdentityGuard
Radius proxy component for use with your VPN servers, and for managing the Radius
proxy after installation. You can configure the Entrust IdentityGuard Radius proxy
during installation of Entrust IdentityGuard Server or afterwards.
This chapter includes the following sections:
•
“Radius proxy integration overview” on page 172
•
“Configuring the Radius proxy for groups” on page 175
•
“Matching a group to a user” on page 179
•
“Using the Radius proxy with a Radius server” on page 180
•
“Using the Radius proxy with a domain controller or LDAP directory” on
page 187
•
“Configuring the VPN server” on page 193
•
“Configuring a Radius server for first-factor authentication” on page 194
•
“Configuring Radius server failover” on page 195
•
“Managing the Radius proxy” on page 196
171
Radius proxy integration overview
Entrust IdentityGuard provides a way to use the Radius authentication protocol with
a VPN server and optionally, an actual Radius server.
During configuration of the Radius proxy, you are asked to choose between a Radius
server or an external authentication resource for first-factor authentication.
Regardless of your choice, the VPN server still believes it is communicating with a
Radius server. It is actually communicating with the Entrust IdentityGuard Radius
proxy.
In a normal VPN and Radius implementation, the VPN server communicates with the
VPN client and with the Radius server, while the Radius server communicates directly
with the VPN server. When you integrate with Entrust IdentityGuard, the Entrust
IdentityGuard Radius proxy intercepts messages between the VPN server and the
first-factor authentication resource, as shown in Figure 2 on page 173. That resource
may be one of a:
•
Radius server
•
Windows domain controller
•
LDAP directory
Once your VPN server uses the Radius proxy for first-factor authentication, you can
configure Entrust IdentityGuard to add the grid, token, or temporary PIN multifactor
authentication methods to the first-factor authentication performed by the Radius
proxy.
You can configure some VPN servers to use a Radius server and some to use a
different first-factor authentication resource.
You can take advantage of the Entrust IdentityGuard groups feature to organize users
into different groups for authentication purposes. This way you can direct the users
of some groups to one first-factor authentication resource and other users to other
resources. For details, see “Configuring the Radius proxy for groups” on page 175.
Note: When you configure the Entrust IdentityGuard Radius proxy, the program
stores the results in the identityguard.properties file. You can edit this file
to change settings or to add additional VPN servers and their first-factor
authentication method later. For information on the property settings, see section
“Configuring the Entrust IdentityGuard Radius proxy properties” on page 282.
172
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Figure 2: Radius proxy integrated with a VPN and Radius server
VPN client
Entrust IdentityGuard
Server
`
VPN server
Entrust IdentityGuard
Radius proxy
Radius server
Note: In the above diagram and the next, the Entrust IdentityGuard Radius
proxy is shown as a separate physical entity just for illustration. In reality, it is a
component that resides on the Entrust IdentityGuard Server.
VPN authentication through the Entrust IdentityGuard Radius proxy follows these
steps:
1
A user enters a user name and password using a VPN client.
2
The VPN server passes this information to the Entrust IdentityGuard Radius
proxy.
3
The Entrust IdentityGuard Radius proxy forwards the request to the first-factor
authentication resource to verify the user.
4
The first-factor authentication resource responds with an accept or reject
message to the Entrust IdentityGuard Radius proxy.
If the Radius proxy receives a reject message, the Radius proxy forwards it
unchanged to the VPN server.
5
If the Radius proxy receives an accept message, it requests either a grid or token
challenge from Entrust IdentityGuard and sends it to the VPN server.
6
The VPN server forwards this to the VPN client.
The challenge requires a temporary PIN or a response from a user’s card or token.
7
The VPN server sends the user’s response to the challenge back to the Entrust
IdentityGuard Radius proxy.
8
The Radius proxy forwards the response to Entrust IdentityGuard.
9
Entrust IdentityGuard checks the response and the Radius proxy sends an accept
or reject message to the VPN server.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
173
10 An accept message indicates that the user has passed second-factor
authentication.
Figure 3: Radius proxy integrated with a VPN and external authentication
VPN client
Entrust IdentityGuard
Server
`
VPN server
First-factor authentication
resource: domain
controller or LDAP
directory
Entrust IdentityGuard
Radius proxy
Authentication using a Windows domain controller or LDAP directory follows these
steps:
1
A user enters a user name and password in the VPN client. The VPN server passes
the data to the Entrust IdentityGuard Radius proxy.
2
The Radius proxy forwards the request to the Entrust IdentityGuard Server to
verify the user.
3
Entrust IdentityGuard checks the first-factor authentication resource to verify the
user.
4
Entrust IdentityGuard sends a success or fail message to the Radius proxy.
5
If the Radius proxy receives a fail message, the Radius proxy generates a reject
message and sends it to the VPN server.
6
If the Radius proxy receives a success message, it requests a challenge from
Entrust IdentityGuard and sends the challenge to the VPN server.
7
The VPN server forwards this to the VPN client. The challenge requires a
temporary PIN or a response from a user’s card or token.
8
The VPN server sends the response to the Radius proxy.
9
The Radius proxy forwards the information to Entrust IdentityGuard for
authentication.
10 Entrust IdentityGuard authenticates the response (or not) and the Radius proxy
sends an accept or reject message to the VPN server.
11 An accept message indicates the user has now passed second-factor
authentication.
174
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the Radius proxy for
groups
Your VPN server must already be configured to recognize specific user groups. The
group names used by your VPN server do not have to be the same as those you
created in Entrust IdentityGuard.
Note: While VPN groups can be specifically paired with Entrust IdentityGuard
groups during configuration of the Radius proxy, this pairing is optional if the
names of users are unique in your system. In this case, Entrust IdentityGuard
determines the correct group. See “Matching a group to a user” on page 179 for
an explanation.
Entrust IdentityGuard expects group and user name pairs to be in the form
“group/name.” You can configure the Radius proxy to convert names with the form
“name@group” or “group\name” to “group/name.” See the processbackslash
and processat Radius proxy properties in the section “Configuring the Entrust
IdentityGuard Radius proxy properties” starting on page 282.
Using Entrust IdentityGuard groups with a
VPN server
This section applies if you want to associate groups of VPN users with Entrust
IdentityGuard groups.
You need to define a VPN server entry for each VPN group you wish to pair with an
Entrust IdentityGuard group. You can use the same VPN server for multiple groups or
you can use different servers for different groups.
During configuration of the Radius proxy, you are asked to respond to prompts in
UNIX or to choose options in Windows. Your answers to several of those prompts or
options determine how the VPN and Entrust IdentityGuard groups are paired. The
key prompts related to groups are:
1
When asked to enter a list of Radius ports, enter one port number for each VPN
group.
2
When asked to enter a unique VPN server host, specify either a DNS or IP
address.
If you plan to associate several groups with the same VPN server, enter the same
IP each time you run through the Radius proxy configuration. Enter a different IP
for another VPN server.
3
You are asked to enter the Radius port used by the VPN server.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
175
The default is all the ports you entered in Step 1. Enter a specific port only when
you want the current VPN configuration to apply to a predefined group.
4
When asked to enter the VPN server secret, enter the applicable secret for the
VPN server.
5
You are asked for the Entrust IdentityGuard group name.
Enter the group you plan to associate with the port number entered above in
Step 3.
6
You are asked to select Radius or external authentication.
For a Radius server, enter RADIUS; otherwise, enter EXTERNAL.
7
If you choose Radius in Step 6, you are asked to enter the Radius server name.
You can use the same Radius server for all VPN servers or use different servers.
Once you complete the configuration for one VPN server, the installation program
prompts you to define an additional VPN server. Answer yes at the prompt to
complete a configuration for another group. Alternatively, you can edit the
identityguard.properties file to add values for the properties related to the
prompts listed above.
Radius server example
Assume you want to set up one Radius server to provide first-factor authentication
for two VPN groups (on a single VPN server) named SalesVPN and MarketingVPN.
These groups are paired with two Entrust IdentityGuard user groups, IGSales and
IGMarketing. In this scenario, the relevant settings in the
identityguard.properties file would look like this:
# IdentityGuard Radius ports
identityguard.igradius.port=1812 1813
# VPN sales
identityguard.igradius.vpn.salesVPN.igport=1812
identityguard.igradius.vpn.salesVPN.radius=radius1
identityguard.igradius.vpn.salesVPN.host=10.12.1.1
identityguard.igradius.vpn.salesVPN.secret=xyz
identityguard.igradius.vpn.salesVPN.group=IGSales
identityguard.igradius.vpn.salesVPN.useradius=true
# VPN marketing
identityguard.igradius.vpn.marketingVPN.igport=1813
identityguard.igradius.vpn.marketingVPN.radius=radius1
identityguard.igradius.vpn.marketingVPN.host=10.12.1.1
176
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
identityguard.igradius.vpn.marketingVPN.secret=xyz
identityguard.igradius.vpn.marketingVPN.group=IGMarketing
identityguard.igradius.vpn.marketingVPN.useradius=true
You can follow the prompts in the Radius proxy configuration script twice to achieve
these results or you can edit the identityguard.properties file directly.
External authentication example
In this example, assume you want to set up an LDAP directory to provide first-factor
authentication for the same two VPN groups, SalesVPN and MarketingVPN. These
groups are paired with two Entrust IdentityGuard user groups, IGSales and
IGMarketing. In this scenario, the relevant settings in the
identityguard.properties file would look like this:
# IdentityGuard Radius ports
identityguard.igradius.port=1812 1813
# VPN sales
identityguard.igradius.vpn.salesVPN.igport=1812
identityguard.igradius.vpn.salesVPN.host=10.12.1.1
identityguard.igradius.vpn.salesVPN.secret=xyz
identityguard.igradius.vpn.salesVPN.group=IGSales
identityguard.igradius.vpn.salesVPN.useradius=false
# VPN marketing
identityguard.igradius.vpn.marketingVPN.igport=1813
identityguard.igradius.vpn.marketingVPN.host=10.12.1.1
identityguard.igradius.vpn.marketingVPN.secret=xyz
identityguard.igradius.vpn.marketingVPN.group=IGMarketing
identityguard.igradius.vpn.marketingVPN.useradius=false
# external authentication
identityguard.externalauth.impl=com.entrust.identityGuard.au
thenticationManagement.external.ldap.LdapAuthentication
If you use a domain controller as an external authentication resource, the last section
would look like this:
# external authentication
identityguard.externalauth.impl=com.entrust.identityGuard.au
thenticationManagement.external.kerberos.KerberosAuthenticat
ion
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
177
identityguard.externalauth.kerberos.realm=ENTRUST.COM
Also, if you are using a domain controller, you will need to map each realm to its KDC
in the igkrb5.conf file. For more information, see “To set the external
authentication properties for a domain controller” on page 203.
Note: This patch removes the
identityguard.externalauth.kerberos.kdc property that existed in
previous Entrust IdentityGuard releases and replaces it with the igkrb5.conf
file.
You can follow the prompts in the Radius proxy configuration script twice to achieve
these results or you can edit the identityguard.properties file directly. The
identityguard.externalauth.impl and Kerberos-related properties must
always be added manually.
The identityguard.externalauth.impl property can include a group name.
When it does not, as in the above example, the property creates a default entry for
all users. When you include an Entrust IdentityGuard group name in the
identityguard.externalauth.impl property, it limits the authentication
resource to just members of that group. For more details, see “Using groups with
external authentication” on page 209.
Also see “Configuring Entrust IdentityGuard for external authentication” on
page 202 for more information on the identityguard.externalauth.impl and
Kerberos-related properties.
178
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Matching a group to a user
You do not need to include group names as part of a user identification if your system
contains only unique user names.
When Entrust IdentityGuard needs to verify a user and that user is not specifically
identified with a group, Entrust IdentityGuard tries to match the user with the correct
group following these rules:
•
First search the repository for all users with the given user name.
For an LDAP directory, look in all search bases.
•
If no matching user name is found, return an error.
•
If one unique user entry is found, use that entry.
•
If multiple entries are found with the same user name, return an error.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
179
Using the Radius proxy with a Radius
server
You can configure the Entrust IdentityGuard Radius proxy to use a Radius server for
first-factor authentication by completing one of the following procedures:
•
“To configure the Radius proxy on UNIX” on page 180
•
“To configure the Radius proxy on Microsoft Windows” on page 182
If you intend to associate specific predefined VPN group names with existing Entrust
IdentityGuard group names, read “Configuring the Radius proxy for groups” on
page 175 before you begin to configure the Radius proxy.
Attention: Entrust IdentityGuard rejects any VPN server configuration that
creates an explicit or implied duplicate VPN server/port combination. An explicit
duplicate occurs when you specify the same port more than once for the same
VPN server. An implied duplicate occurs if you select the default port (any port in
Unix or All in Windows) more than once for the same VPN server.
To configure the Radius proxy on UNIX
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation.
2
Navigate to the $IDENTITYGUARD_HOME
(/opt/entrust/identityguard81) directory and enter:
. ./env_settings.sh
3
Navigate to the $IDENTITYGUARD_HOME directory and enter:
configradius.sh
4
At the prompt, enter a list of Radius ports for the Radius proxy or accept the
default:
Enter a space-separated list of ports used by IdentityGuard Radius
(default: 1812):
Each port value must be an integer between 1024 and 65535.
Note: If you plan to associate different VPN server groups with separate Radius
proxy ports, enter all applicable ports separated by spaces. There can be only one
VPN server defined for each port.
5
At the next prompt, define a VPN server.
Do you wish to define a VPN server? [yes or no]
180
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
If you answer yes, continue with these configuration steps.
If you answer no, the configuration will stop. You are asked whether you want
to initialize the system. Proceed to “Initializing the primary server” on page 48.
6
At the next prompt, type a unique VPN server name. This provides a unique
string that is used by Entrust IdentityGuard to reference this server.
Note: A VPN server name must not include the equals sign (=).
Enter a unique label for the VPN server:
7
At the next prompt, enter a unique VPN server host, using either a DNS or IP
address:
Enter the VPN server host name (or IP address):
Entrust IdentityGuard Radius proxy identifies a VPN server by its host name and
the Radius port to which it sends messages. If you do not specify a port in the
next step, the Radius proxy treats all requests as coming from the same VPN
server regardless of which port receives them.
8
At the next prompt, type the Entrust IdentityGuard Radius port used by the VPN
server:
Enter the Entrust IdentityGuard Radius port used by the VPN
server:
The default is the ports you set in Step 4. If you enter a specific port, then any
communication from this VPN server uses that port only. Enter a specific port if
you want the current VPN configuration to apply to an Entrust IdentityGuard
group.
9
At the next prompt, type and confirm the VPN server secret. The secret you use
for Entrust IdentityGuard Radius proxy must match the server secret already set
for the VPN server:
Enter the VPN server shared secret:
Confirm:
10 If you have already defined Entrust IdentityGuard user groups, you can set a
specific Entrust IdentityGuard group for use with the current VPN server. If you
do, the group is included with the user ID when VPN sends requests to Entrust
IdentityGuard.
Enter the Entrust IdentityGuard group for the VPN server:
Note: You do not need to enter a group name if the names of users are unique
in your system. Entrust IdentityGuard will determine the correct group. See
“Matching a group to a user” on page 179 for an explanation.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
181
11 If you want the Radius proxy to use a Radius server for first-factor authentication,
enter RADIUS at the next prompt:
Do you want to use External or Radius authentication? (EXTERNAL or
RADIUS):
Enter RADIUS and continue with these configuration steps.
(If you enter EXTERNAL, the configuration will stop. Proceed to “Configuring
Entrust IdentityGuard for external authentication” on page 202.)
12 Each VPN server needs a corresponding Radius server that performs the
first-factor authentication. At the next prompt, enter the server name:
Enter the label of the Radius server for this VPN server:
13 If no Radius server configuration exists for the name you chose in Step 12, enter
it at this prompt:
No Radius server is defined with the label <your server name>
Do you wish to define a new Radius server? [yes or no]
a
If you enter no, the configradius.sh script prompts you for another
Radius server name.
b
If you enter yes, the configradius.sh script prompts you for the Radius
server host name and port:
Enter the Radius server host name (or IP address):
Enter the Radius server port (default: 1812):
This provides the address of the Radius server where the Radius proxy sends
Radius requests.
14 At the next prompt, enter and confirm the Radius server secret:
Enter the Radius server shared secret:
Confirm:
The server secret is the password value the Radius client uses to protect the
message. The secret you enter must match the server secret set for the Radius
server.
The Entrust IdentityGuard Radius proxy is now configured for this VPN server and
your Radius server. Answer yes to configure another server or no to exit.
To configure the Radius proxy on Microsoft Windows
1
If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking
Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2
Select Set Up the Radius Proxy to run the Entrust IdentityGuard Radius Proxy
Setup.
The Entrust IdentityGuard Radius Proxy Configuration page appears.
182
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
3
In the Ports used by the Entrust IdentityGuard Radius Proxy field, specify the
ports that the Entrust IdentityGuard Radius Proxy will listen on.
Use commas to separate your various ports. Each port value must be an integer
between 1 and 65535. The port value entered must be unique to the system.
4
If you are using a Radius server for first-factor authentication, in the Radius
Authentication Servers section, click Add. Alternatively, you can select an existing
server definition and click Change to modify it or Remove to remove it.
The Add/Change Radius Server page appears.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
183
5
On the Add/Change Radius Server page, enter the connection details for a
Radius server.
Note: If you plan to use external authentication, skip this step.
6
•
Radius server label. Enter a unique string that is used by Entrust
IdentityGuard to reference this server. Once a label is saved it cannot be
changed.
•
Radius server host name. Type a unique Radius server host, using either a
DNS or IP address.
•
Radius server port. Type the port on the Radius server where the Radius
proxy sends messages. This is the same port that the VPN server uses.
•
Radius server shared secret. Type the shared secret value the client uses to
protect the message. The secret you enter must match the shared secret set
on the Radius server.
•
Confirm shared secret. Type the shared secret again.
•
Click OK.
In the VPN Servers section, click Add to map your VPN Server to your first-factor
Authentication Server. Alternatively, you can select an existing server definition
and click Change to modify it or Remove to remove it.
The Add/Change VPN Server page appears.
184
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
7
On the Add/Change VPN Server page, enter the connection details for a VPN
server:
•
VPN server label. This provides a unique string that is used by Entrust
IdentityGuard to reference this server. Once the label is saved it cannot be
changed.
•
VPN server host name. Enter a VPN server host, using either a FQDN,
hostname, or IP address.
•
VPN server shared secret. Enter the VPN server secret. This secret you use
for Entrust IdentityGuard Radius proxy must match the server secret already
set for the VPN server
•
Confirm shared secret. Enter the VPN server secret again.
•
Entrust IdentityGuard group (optional). If you have already defined Entrust
IdentityGuard user groups, you can set a specific Entrust IdentityGuard
group for use with the current VPN server.
Note: You do not need to enter a group name if the names of users are unique
in your system. Entrust IdentityGuard determines the correct group. See
“Matching a group to a user” on page 179 for an explanation.
•
Radius Proxy port. This drop-down list contains:
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
185
– all port numbers you entered earlier in the Ports used by the Entrust
IdentityGuard Radius Proxy field
– as well as, the all option
If you enter a specific port, then any communication from this VPN server
uses that port only.
Enter a specific port if you want the current VPN configuration to apply to
an Entrust IdentityGuard group. Select all if the port used is not important.
The Server hostname and Radius proxy port number must be unique.
8
•
First-factor authentication server. This drop-down list contains the names of
all Radius servers you defined on the Add/Change Radius Server page. Select
the server to use with this VPN server.
•
Click OK.
Click Save.
A pop-up box appears validating your configuration.
The Entrust IdentityGuard Radius proxy is now configured for this VPN server and
your Radius server. You can configure additional VPN and Radius servers.
186
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using the Radius proxy with a domain
controller or LDAP directory
Configure the Entrust IdentityGuard Radius proxy to use an external authentication
resource completing these steps.
Topics in this section:
•
“To configure Radius proxy on UNIX” on page 187
•
“To configure the Radius proxy on Microsoft Windows” on page 189
Note: When you configure Entrust IdentityGuard Radius proxy, the program
stores the results in the identityguard.properties file. You can edit this file
to change settings or to add additional VPN servers and their first-factor
authentication method later. For information on the property settings, see section
“Configuring the Entrust IdentityGuard Radius proxy properties” on page 282.
If you intend to associate specific predefined VPN group names with existing Entrust
IdentityGuard group names, read “Configuring the Radius proxy for groups” on
page 175 before you begin to configure the Radius proxy.
Attention: Entrust IdentityGuard rejects any VPN server configuration that
creates an explicit or implied duplicate VPN server/port combination. An explicit
duplicate occurs when you specify the same port more than once for the same
VPN server. An implied duplicate occurs if you select the port default (any port in
UNIX or All in Windows) more than once for the same VPN server.
To configure Radius proxy on UNIX
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “Installing Entrust IdentityGuard Server” on page 33 for
installations with embedded Tomcat or “Installing Entrust IdentityGuard Server”
on page 106 for installation using an existing application server.
2
Navigate to the $IDENTITYGUARD_HOME
(/opt/entrust/identityguard81) directory and enter:
. ./env_settings.sh
3
Navigate to the $IDENTITYGUARD_HOME directory and enter:
configradius.sh
4
At the prompt, enter a list of Radius ports for the Radius proxy or accept the
default:
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
187
Enter a space-separated list of ports used by IdentityGuard Radius
(default: 1812):
Each port value must be an integer between 1024 and 65535.
Note: If you plan to associate different VPN server groups with separate Radius
proxy ports, enter all applicable ports separated by spaces. There can be only one
VPN server defined for each port.
5
At the next prompt, confirm that you want to use a VPN server.
Do you wish to define a VPN server? [yes or no]
If you type no, the configuration stops. You are asked whether you want to
initialize the system. Proceed to “Initializing the primary server” on page 48 for
installations with embedded Tomcat or “Initializing the primary Entrust
IdentityGuard Server” on page 118 for installations using an existing application
server.
6
At the next prompt, enter a unique VPN server name. This provides a unique
string that is used by Entrust IdentityGuard to reference this server.
Note: A VPN server name must not include the equal sign (=).
Enter a unique label for the VPN server:
7
At the next prompt, enter a unique VPN server host, using either a DNS or IP
address:
Enter the VPN server host name (or IP address):
The Entrust IdentityGuard Radius proxy identifies a VPN server by its host name,
and the port to which it sends messages. If you do not specify a port in the next
step, the Radius proxy treats all requests as coming from the same VPN server
regardless of which port receives them.
8
At the next prompt, enter the Entrust IdentityGuard port used by the VPN server:
Enter the Entrust IdentityGuard Radius port used by the VPN
server:
The default is the ports you set in Step 4. If you enter a specific port, then any
communication from this VPN server uses that port only. Enter a specific port if
you want the current VPN configuration to apply to an Entrust IdentityGuard
group.
9
At the next prompt, enter and confirm the VPN server secret. This secret you use
for Entrust IdentityGuard Radius proxy must match the server secret already set
for the VPN server:
Enter the VPN server shared secret:
188
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Confirm:
10 If you have already defined Entrust IdentityGuard user groups, you can set a
specific Entrust IdentityGuard group for use with the current VPN server.
Enter the Entrust IdentityGuard group for the VPN server:
Note: You do not need to enter a group name if the names of users are unique
in your system. Entrust IdentityGuard determines the correct group. See
“Matching a group to a user” on page 179 for an explanation.
11 If you want the Radius proxy to use a domain controller or LDAP directory for
first-factor authentication, enter EXTERNAL at the next prompt:
Do you want to use External or Radius authentication? (EXTERNAL or
RADIUS):
(If you enter RADIUS, the configuration continues. Proceed to “To configure the
Radius proxy on UNIX” on page 180.) When you enter EXTERNAL, the
configuration script stop and you see the following message:
Make sure that the Entrust IdentityGuard Server is configured so
that External authentication is enabled.
Answer yes to configure another VPN server or no to exit.
Go to “Configuring Entrust IdentityGuard for external authentication” on
page 202 to finish this configuration.
To configure the Radius proxy on Microsoft Windows
1
If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking
Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2
Select Set Up the Radius Proxy to run the Entrust IdentityGuard Radius proxy
setup program.
The Entrust IdentityGuard Radius Proxy Configuration page appears.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
189
3
In the Ports used by the Entrust IdentityGuard Radius Proxy field, enter a list of
Radius ports for the Radius proxy or accept the default.
Use commas to separate the port numbers. The port value entered must be
unique to the system.
190
4
Skip the Radius Authentication Servers section if you plan to use external
authentication.
5
In the VPN Servers section, click Add to configure a VPN server for use with
Entrust IdentityGuard. Alternatively, you can select an existing server definition
and click Change to modify it or Remove to remove it.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Add/Change VPN Server page appears.
6
On the Add/Change VPN Server page, enter the connection details for a VPN
server:
•
VPN server label. This provides a unique string that is used by Entrust
IdentityGuard to reference this server.
•
VPN server host name. Enter a unique VPN server host, using either a FQDB,
hostname, or IP address. The hostname and Radius proxy port combination
must be unique for each VPN server entry.
•
VPN server shared secret. Enter the VPN server secret. This secret you use
for Entrust IdentityGuard Radius proxy must match the server secret already
set for the VPN server
•
Confirm shared secret. Enter the VPN server secret again.
•
Entrust IdentityGuard group (optional). If you have already defined Entrust
IdentityGuard user groups, you can set a specific Entrust IdentityGuard
group for use with the current VPN server.
Note: You do not need to enter a group name if the names of users are unique
in your system. Entrust IdentityGuard will determine the correct group. See
“Matching a group to a user” on page 179 for an explanation.
•
Radius Proxy port. This drop-down list contains all port numbers you entered
earlier in the Ports used by the Entrust IdentityGuard Radius Proxy field plus
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
191
the all option (the default). If you enter a specific port, then any
communication from this VPN server uses that port only. It makes sense to
enter a specific port if you want the current VPN configuration to apply to
an Entrust IdentityGuard group. Select all if the port used is not important.
7
•
First-factor authentication server. To use external authentication, select
IdentityGuard External.
•
Click OK.
Click Save.
A pop-up box appears validating your configuration.
The Entrust IdentityGuard Radius proxy is now configured for this VPN server.
Add as many VPN servers as required.
Go to “Configuring Entrust IdentityGuard for external authentication” on
page 202 to finish this configuration for external authentication.
192
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the VPN server
Follow these general steps to configure your VPN server to communicate with the
Entrust IdentityGuard Radius proxy. The interface details vary depending on your
platform and the interface tool you use.
For detailed integration instructions specific to your platform, see the Technical
Integration Guide that applies to your VPN server.
To configure the VPN server
1
Log in to the VPN server as administrator.
2
If applicable, select a VPN user group.
You may have more than one choice here if your VPN recognizes different groups
of users.
3
Select Radius as the server used for authentication.
(Select Radius even if you plan to use a Windows domain controller or an LDAP
directory with the Entrust IdentityGuard Radius proxy.)
4
For the authentication server, set the IP address to that of the Entrust
IdentityGuard Radius proxy instead of a Radius server.
5
If you are using groups, for the server port, enter the port assigned to the VPN
group selected in Step 10 on page 181 (UNIX) or Step 7 on page 185.
(Windows).
The default Entrust IdentityGuard Radius proxy port is 1812. (See also
“Configuring the Radius proxy for groups” above.)
6
For the server secret (configured in Step 4 on page 176 in UNIX and Step 7 on
page 185 in Windows), enter a value that matches the value known to Entrust
IdentityGuard.
7
Save your settings.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
193
Configuring a Radius server for
first-factor authentication
Remote Authentication Dial-In User Service (Radius) is an industry standard
authentication protocol.
Radius authenticates users through a series of communications between Radius
clients and the Radius server. A Radius client passes information about a user to a
designated Radius server and then acts on the response that the Radius server
returns. Transactions between the Radius client and the Radius server are
authenticated through a shared secret, which is never sent over the network. Many
networks use Radius to centralize and coordinate VPN authentication.
If you configure your remote VPN access gateway (IPSec or SSL) to use an existing
Radius server for configuration, the Entrust IdentityGuard Radius proxy lets you add
Entrust IdentityGuard for second-factor authentication. The Radius proxy sends the
authentication request to the Radius server to perform first-factor authentication and
then it adds an Entrust IdentityGuard authentication step. Users that do not exist in
Entrust IdentityGuard are authenticated by the first-factor authentication mechanism
only.
If you plan to use a Radius server for first-factor authentication, follow these general
steps to configure the Radius server to communicate with the Entrust IdentityGuard
Radius proxy. The interface details will vary depending on your platform and the
interface tool you use.
To configure the Radius server for first-factor authentication
194
1
Log in to the Radius server as administrator.
2
For the Radius client address, change the IP address from the VPN server to that
of the Entrust IdentityGuard Radius proxy.
3
For the server secret, enter a value that matches the value known to Entrust
IdentityGuard.
4
Save your settings.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring Radius server failover
By configuring Radius server failover on the Entrust IdentityGuard Radius proxy, you
ensure that there are backup Radius servers if the primary system fails. When failover
is configured, if a timeout occurs while waiting for a response from the Radius server,
Entrust IdentityGuard Radius proxy uses the next IP address in the list (for the next
request that it receives). The current request times out. When Entrust IdentityGuard
Radius proxy reaches the end of the list of IP addresses, it restarts at the beginning of
the list.
Complete the following steps to add the list of Radius server IP addresses to the
identityguard.properties file.
For more information on high availability and disaster recovery, see the Entrust
IdentityGuard Deployment Guide.
To configure the Radius server for failover
1
Open the $IDENTITYGUARD_HOME/etc/identityguard.properties file.
2
Edit the file to include the multiple Radius servers in the Radius server address
property.
For example,
identityguard.igradius.radius.{0}.address=radius_server1:1812
radius_server2:1812 radius_server3:1813
where the {0} placeholder is replaced by the Radius server name.
Use a space to separate each of radius servers in the list.
Note: All the Radius servers should use the same secret.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
195
Managing the Radius proxy
You can set the Entrust IdentityGuard Radius proxy to start automatically when you
reboot, or you can start and stop it manually.
Topics in this section:
•
“Managing the Radius proxy on UNIX” on page 196
•
“Managing the Radius proxy on Microsoft Windows” on page 199
Managing the Radius proxy on UNIX
Complete one of the following procedures to manage the Radius proxy:
•
“To enable/disable automatic restart of the Radius proxy” on page 196
•
“To start and stop the Radius proxy” on page 196
•
“To start and stop Entrust IdentityGuard and the Radius proxy together” on
page 197
•
“To start and stop the Radius proxy with the Linux service command” on
page 198
To enable/disable automatic restart of the Radius proxy
•
As root in $IDENTITYGUARD_HOME/bin, enable automatic restart by
entering:
./igsvvconfig.sh igradius enable
The Entrust IdentityGuard Radius proxy will start every time the computer
reboots.
•
As root in $IDENTITYGUARD_HOME/bin disable automatic restart by
entering:
./igsvvconfig.sh igradius disable
You must start the Entrust IdentityGuard Radius proxy manually.
To start and stop the Radius proxy
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation. See “Installing Entrust IdentityGuard Server” on page 33 for
installations with embedded Tomcat or “Installing Entrust IdentityGuard Server”
on page 106 for installation using an existing application server.
2
Navigate to the $IDENTITYGUARD_HOME directory and enter:
. ./env_settings.sh
3
196
Enter the following command at the command prompt followed by one of the
options in Table 11:
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
igradius.sh
Table 11: Managing the Radius proxy
Command
Description
start
Starts the Radius proxy.
Entrust IdentityGuard generates audits that you can
use to determine if the services started successfully
or failed to start. You will not see an error message if
the service fails to start.
stop
Stops the Radius proxy.
status
Tells you if the Radius proxy is running. If it is
running, Entrust IdentityGuard displays the process
ID number.
restart
Stops and restarts the Radius proxy.
Note: When the Entrust IdentityGuard Radius proxy starts, it checks that at least
one VPN client and one resource (external authentication or Radius server) are
defined and that each server referred to by a client exists. If that is not the case,
it issues an error to the logs and the Radius proxy exits.
To start and stop Entrust IdentityGuard and the Radius proxy together
1
Log in as the UNIX user that belongs to the UNIX group that was specified during
the installation.
See “Installing Entrust IdentityGuard Server” on page 33 for installations with
embedded Tomcat or “Installing Entrust IdentityGuard Server” on page 106 for
installations using an existing application server.
2
Navigate to $IDENTITYGUARD_HOME directory and enter:
. ./env_settings.sh
3
Enter one of these commands at the command prompt followed by one of the
options in Table 12:
igservice.sh identityguard
igservice.sh igradius
igservice.sh all
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
197
Table 12: Managing the Radius proxy service
Command
Description
start
Starts the specified service.
Entrust IdentityGuard does not display an error
message if the service fails to start. Check the logs to
determine if startup failed.
stop
Stops the specified service.
status
Tells you if the specified service is running.
restart
Stops and restarts the specified service.
For example, to restart Entrust IdentityGuard and the Radius proxy on
installations of Entrust IdentityGuard with embedded Tomcat, enter:
igservice.sh all restart
Note: In versions of Entrust IdentityGuard installed on an existing application
service, you can use any of these commands for the Radius proxy; however, only
the status command is available for Entrust IdentityGuard.
To start and stop the Radius proxy with the Linux service command
You can also use the Linux service command to start and stop the Entrust
IdentityGuard Radius proxy.
1
Enter this command at the command prompt followed by one of the options in
the table below:
service igradius
Command
Description
start
Starts the specified services.
Entrust IdentityGuard does not display an error
message if the service fails to start. Check the logs to
determine if startup failed.
198
stop
Stops the specified service.
status
Tells you if the specified service is running.
restart
Stops and restarts the specified service.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
If you run the service igradius command as root, the service automatically
switches to the UNIX user ID originally used to install Entrust IdentityGuard.
Managing the Radius proxy on Microsoft
Windows
You can set the Entrust IdentityGuard Radius proxy to start automatically when you
reboot, or you can start and stop it manually.
Note: You must log in as administrator to install Entrust IdentityGuard. You then
select a user/group that will own the installation. That user (or any member of
the group) can then start or stop the services as described below.
To enable automatic restart of the Radius proxy
1
Log in as a user that belongs to the group that was specified during the
installation as the owner of the installation.
2
Go to Start > Control Panel > Administrative Tools > Services.
The Services window appears.
3
Right-click Entrust IdentityGuard Radius Proxy and select Properties.
4
In the Startup type drop-down menu, select Automatic.
To disable automatic restart of the Radius proxy
1
Log in as a user that belongs to the group that was specified during the
installation as the owner of the installation.
2
Go to Control Panel > Administrative Tools > Services.
The Services window appears.
3
Right-click Entrust IdentityGuard Radius Proxy and select Properties.
4
In the Startup type drop-down menu, select Disabled. (Select Manual if you
want to start this Radius proxy service manually.)
To start and stop the Radius proxy
1
Log in as a user that belongs to the group that was specified during the
installation as the owner of the installation.
2
Go to Control Panel > Administrative Tools > Services.
The Services window appears.
3
Right-click Entrust IdentityGuard Radius Proxy and select Properties.
Configuring the Entrust IdentityGuard Radius proxy
Feedback on guide
199
4
In the Service status section, click either Start or Stop depending on your
requirements.
Note: When the Entrust IdentityGuard Radius proxy starts, it checks that at least
one VPN client and one service (external authentication or Radius server) are
defined and that each server referred to by a client exists. If that is not the case,
it issues an error and the Radius proxy exits.
200
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 7
Postinstall configuration options
for Entrust IdentityGuard Server
Use this chapter to configure or reconfigure Entrust IdentityGuard Server after
installation.
This chapter contains the following sections:
•
“Configuring Entrust IdentityGuard for external authentication” on
page 202
•
“Adding Entrust IdentityGuard replica servers” on page 210
•
“Configuring failover on the repository” on page 218
•
“Storing unassigned cards and tokens” on page 220
•
“Configuring Syslog for remote logging on UNIX” on page 226
•
*“Disabling the non-SSL port on the Authentication service” on page 228
•
*“Enabling the non-SSL port on the Administration service” on page 230
•
*“Disabling the SSL port on the Administration service” on page 231
•
“Securing the LDAP connection with SSL” on page 233
•
*“Changing the Entrust IdentityGuard certificate” on page 235
•
“Enabling system binding” on page 240
Attention: *These sections only apply to versions of Entrust IdentityGuard that
use embedded Tomcat.
201
Configuring Entrust IdentityGuard for
external authentication
The external authentication feature provided with Entrust IdentityGuard lets you use
Entrust IdentityGuard to manage first-factor authentication using the Windows
domain controller or LDAP directory information as authentication sources. Typically,
you would use external authentication as the first layer of a multifactor Entrust
IdentityGuard authentication regime.
To configure Entrust IdentityGuard for external authentication, you need to do the
following:
•
Add external authentication as an authentication option for the users in each
applicable Entrust IdentityGuard group. Use the master user shell to add the
External option to the applicable policies like this:
policy userspec set -genericauthtype GRID EXTERNAL
policy userspec set -machineauthtype GRID EXTERNAL
Note: This example shows how to add grid and External authentication options.
Add all the authentication options that you want to use with this command.
For more information, see “Modifying, exporting and importing the user
specification attributes for a policy” in the Entrust IdentityGuard
Administration Guide.
•
Edit the identityguard.properties file to set the external
authentication properties, as explained:
– If you store Entrust IdentityGuard user information in Active Directory,
ADAM, or other supported LDAP repository, proceed to “To set the
external authentication properties for an LDAP directory” on page 203.
– If you want to use the Windows domain controller for first-factor
authentication, proceed to “To set the external authentication properties
for a domain controller” on page 203.
When you configure external authentication, it applies to all deployment types
managed by Entrust IdentityGuard, whether the user is accessing your application
through VPN, a Web application, or other method.
Configuring external authentication
In the following procedures, when you make changes to the
identityguard.properties file, ensure that you restart Entrust IdentityGuard
Server. For instructions on restarting, see “Managing the Entrust IdentityGuard
service” on page 62 for installations with embedded Tomcat, “Managing the Entrust
202
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
IdentityGuard service” on page 166 for installations using an existing application
server, or “Managing the Entrust IdentityGuard service” on page 94 for Windows.
To set the external authentication properties for an LDAP directory
1
Open the identityguard.properties file located:
•
on UNIX, $IDENTITYGUARD_HOME/etc/
•
on Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\
2
Add the identityguard.externalauth.impl property to the file.
3
Set the property to the correct Java class for an LDAP directory. The entry appears
as follows:
identityguard.externalauth.impl=com.entrust.identityGuard.authenti
cationManagement.external.ldap.LdapAuthentication
This example creates a global or default setting for all users. This property can
also include an Entrust IdentityGuard group name, such as IGSales in this
example:
identityguard.externalauth.impl.IGSales=com.entrust.identityGuard.
authenticationManagement.external.ldap.LdapAuthentication
See “Using groups with external authentication” on page 209 for more
information using groups with external authentication.
During LDAP directory authentication, Entrust IdentityGuard attempts to bind to the
user’s LDAP entry. If the bind succeeds, the user is authenticated.
Note: The directory used for external authentication must be the same one used
as the Entrust IdentityGuard repository.
The Kerberos protocol used for authentication through a domain controller is
case-sensitive. If the user enters an ID that does not match the case Kerberos expects,
the authentication fails. If you use a Directory repository and user names are stored
in mixed case, make sure the user names entered in Entrust IdentityGuard use exactly
the same case for all letters.
Entrust IdentityGuard and LDAP do not care about the case of user names. They can
be uppercase, lowercase or mixed case. While you can specify that Kerberos convert
names to uppercase or lowercase, this is no solution for mixed case user names.
To set the external authentication properties for a domain controller
1
Open the identityguard.properties file located:
•
on UNIX, $IDENTITYGUARD_HOME/etc/
•
on Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
203
2
Add the identityguard.externalauth.impl property to the file.
3
Set the property to the correct Java class for a domain controller. The entry looks
like this:
•
if you are not using groups:
identityguard.externalauth.impl=com.entrust.identityGuard.authenti
cationManagement.external.kerberos.KerberosAuthentication
The above example creates a global or default setting for all users.
•
If you are using groups, for example IGSales:
identityguard.externalauth.impl.IGSales=com.entrust.identityGuard.
authenticationManagement.external.kerberos.KerberosAuthentication
4
Domain controller authentication uses the Kerberos protocol. You must add a
property to specify the server acting as the Kerberos realm. For example:
identityguard.externalauth.kerberos.realm=ENTRUST.COM
The realm provides the name the domain controller. Make sure to enter the realm
name in uppercase characters.
5
Kerberos authentication is case-sensitive. If the user enters an ID that does not
match the case Kerberos expects, the authentication fails. Use this property to
convert the user ID to upper or lowercase, for example:
identityguard.externalauth.kerberos.caseconvert=lower
Valid entries are upper or lower. If this property is absent or contains another
value, Entrust IdentityGuard does not change the entered user ID.
The case should always be set to lower when using a domain controller for
external authentication.
The Kerberos properties can also include an Entrust IdentityGuard group name,
such as IGSales in this example:
identityguard.externalauth.kerberos.realm.IGSales=ENTRUST.COM
identityguard.externalauth.kerberos.caseconvert.IGSales=lower
When specified without a group name, they create a global or default setting for
users. When specified with an Entrust IdentityGuard group name, they set the
realm, KDC and user ID case to use for members of that group.
See “Using groups with external authentication” on page 209 for more
information using groups with external authentication.
204
6
Save your changes.
7
Open igkrb5.conf in a text editor, located:
•
on UNIX, $IDENTITYGUARD_HOME/etc/
•
on Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
8
Using Kerberos syntax, map each realm to the server hosting the corresponding
Kerberos Key Distribution Center (KDC). For example:
[realms]
IG1.ENTRUST.COM = {
kdc = ig1.entrust.com
}
IG2.ENTRUST.COM = {
kdc = ig2.entrust.com
}
Make sure to enter the realm name in uppercase characters. For an example, see
the igkrb5.sample file stored in the same location.
9
Add other Kerberos-related settings as required. For example, you may want to
change the default encryption key type. For more information on syntax, refer to
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-admin/krb5.conf.
html.
10 Save your changes.
If you are not using WebSphere, you have finished setting up external
authentication properties for a domain controller. If you are using WebSphere,
complete the following procedure (“To finish setting up external authentication
for a domain controller on WebSphere”).
To finish setting up external authentication for a domain controller on
WebSphere
1
Start the administration console for your WebSphere server.
The default URL is http://localhost:9060/ibm/console.
2
Select Security > Global Security > JAAS Configuration.
3
In the JAAS Configuration page, click Application Logins.
4
Click New.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
205
5
206
Set the Alias value to IGKerberos.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
6
Click Apply. The JAAS login modules link under Additional Properties becomes
available.
7
Click JAAS login modules.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
207
8
Set the Module class name to
com.ibm.security.auth.module.Krb5LoginModule.
9
Click Apply.
10 Click Save followed by Save.
208
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using groups with external authentication
When you include an Entrust IdentityGuard group name in one of the
identityguard.externalauth.impl property entries, it limits the
authentication resource to just members of that group. This way, you can direct users
in different groups to different authentication resources or exclude some groups from
an authentication resource.
You can have multiple entries for the identityguard.externalauth.impl
property as long as each is unique. For example, you can have one default entry with
no group name, and several entries each with a different group name.
If all entries for this property include a group name (that is, there is no entry without
a group), this means there is no default and only the users in the specified groups can
use external authentication.
You do not need to include external authentication groups unless you intend to direct
certain groups of users to specific external authentication resources.
See “Using the Radius proxy with a domain controller or LDAP directory” on
page 187 for details on configuring a VPN server to use the Radius proxy for external
authentication.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
209
Adding Entrust IdentityGuard replica
servers
Replica systems help decrease the load on the primary Entrust IdentityGuard Server.
Add replica servers to set up a loadbalanced or failover environment when you are
administering very large numbers of users. You may add any number of replica
servers.
Note: For information on repository failover, see “Configuring failover on the
repository” on page 218. For information on high availability and disaster
recovery, see the Entrust IdentityGuard Deployment Guide.
You must have a existing Entrust IdentityGuard Server before attempting to create a
replica system.
When adding a replica, consider the following:
•
Do not enable a file-based repository on a replica server.
The replica configuration enables a file-based repository by default. For more
details, see “Storing unassigned cards and tokens” on page 220.
Note: If you are using a file-based repository, ensure that administrators and
master users log in to the primary Entrust IdentityGuard Server when assigning
tokens or cards to users.
•
The repository is not copied when you add a replica.
The replica uses the same repository that the primary Entrust IdentityGuard
Server uses.
•
With Entrust IdentityGuard Server installations with embedded Tomcat only,
a new self-signed certificate with the proper host name is created during the
replica configuration.
If you create a new SSL certificate for the replica server, ensure the host name
in the SSL certificate is the same as the host name used by the server.
For details on creating an SSL certificate, after completing this procedure, see
the section “Changing the Entrust IdentityGuard certificate” on page 235.
•
If you make any configuration changes to the primary Entrust IdentityGuard
Server, you must manually propagate the changes to any replicas.
For example, if you update the certificates or change the
identityguard.properties file, you must also update the replicas.
210
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Note: All files being added should be readable and writable by the user and
group selected during installation.
Follow the appropriate procedures in this section depending on what type of system
you are using to run Entrust IdentityGuard Server:
•
for UNIX, proceed to “To add a replica server on UNIX” on page 211
•
for Microsoft Windows, proceed to “To add a replica server on Microsoft
Windows” on page 213
To add a replica server on UNIX
1
As the UNIX user on the existing Entrust IdentityGuard Server, run the partial
backup command:
igbackup.sh -partial
For instructions and options (such as creating a partial or full backup file, and
naming a backup file), see “Backing up your configuration” on page 247.
2
Copy the backup onto the computer that will host the new Entrust IdentityGuard
replica server. The default location for the backup ZIP file is
$IDENTITYGUARD_HOME/backups.
3
Complete the following preinstallation tasks on the computer that will host the
replica:
4
a
Create a UNIX group and user for Entrust IdentityGuard (“Creating the UNIX
group and user” on page 32) or use the UNIX group already created for your
application server.
b
Copy the Entrust IdentityGuard installation package (“Downloading Entrust
IdentityGuard software” on page 21).
Start the Entrust IdentityGuard installation procedure (“Installing Entrust
IdentityGuard Server” on page 33 for installations with embedded Tomcat or
“Installing Entrust IdentityGuard Server” on page 106 for installations using an
existing application server) on the computer that will host the replica until you
see the message:
Installation complete
Do you wish to configure the application now? [yes or no]
Answer yes.
5
The following message appears:
Are you configuring an Entrust IdentityGuard primary or replica
server?(PRIMARY or REPLICA):
Answer replica.
6
You are prompted to enter the backup file name.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
211
Enter the name of the configuration backup file:
Type the name of the partial (or full) configuration backup file that you copied in
in Step 2 in this procedure.
For example, igpartialbackup_20060224150045.zip.
7
You are prompted to select the mode of the Administration service:
How should the administration services be setup? (ENABLED,
DISABLED, or PRIMARY)?
Choose one of the three modes:
•
ENABLED enables the Administration service, which the Administration
interface uses.
The sample will use the local services.
•
DISABLED disables the Administration service and the Administration
interface.
The sample is also disabled since it uses the local Administration service.
•
PRIMARY disables the Administration service on the replica server and
enables it on the primary server.
Note: If you are using file-based repositories, select either disabled or primary.
The Administration interface is enabled on the replica server.
In this mode, the SSL certificate of the primary must be installed in the local
key store. This is done automatically with installations of Entrust
IdentityGuard with embedded Tomcat, but you must complete this manually
if your installation of Entrust IdentityGuard uses an existing application
server.
8
You are prompted for the ports that the Application server should use.
APPLICATION SERVER CONFIGURATION
Complete Step 2 to Step 4 on page 45 for installations with embedded Tomcat
or Step 1 on page 115 to Step 3 on page 116 for installations using an existing
application server.
9
You are prompted to initialize the replica.
Do you wish to initialize the replica system? [yes or no]
Answer yes, to initialize the replica.
REPLICA SYSTEM INITIALIZATION
If you want to initialize the system manually later, follow the steps below “To
initialize the replica manually on UNIX” on page 213.
10 All three master users must enter their passwords.
212
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The following message appears:
Replica initialized.
11 If you are using a directory, remove the file-based repository settings. See
“Storing unassigned cards and tokens” on page 220.
12 Optionally, if you want to enable system binding on the replica, from the master
user shell, run the command system bind to enable system binding.
For more information on system binding, see “Enabling system binding”.
13 To configure and enable the sample application, proceed to the procedure on
“Configuring the sample application on UNIX” on page 51 for installations with
embedded Tomcat or “Configuring the sample application on an existing
application server” on page 121 for installations using an existing application
server.
Your replica server is now installed, configured, and initialized. Proceed to “Testing
your installation” on page 58 for installations with embedded Tomcat or “Testing
your installation” on page 162 for installations using an existing application server.
To initialize the replica manually on UNIX
1
As the UNIX user on the replica, change to $IDENTITYGUARD_HOME (usually
/opt/entrust/identityguard81).
2
From $IDENTITYGUARD_HOME, source the environment settings file by entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
3
Enter the following command to start the master user shell:
supersh
The copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
4
Enter the following command:
init -replica
All three master users must enter their passwords.
To add a replica server on Microsoft Windows
1
Copy the Entrust IdentityGuard installation package to the computer that will
host the replica (“Downloading Entrust IdentityGuard software” on page 21).
2
On an existing Entrust IdentityGuard Server, create a backup (for more
information on creating a backup, see “Backing up your configuration” on
page 247):
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
213
a
If the Entrust IdentityGuard Configuration Panel is not open, click Start > All
Programs > Entrust > IdentityGuard > Configuration Panel.
b
Select Backup Entrust IdentityGuard Configuration from the Entrust
IdentityGuard Configuration Panel.
The Backup Type page appears.
c
Select Partial as the backup type. Partial backups contain enough
information to configure a replica system.
d
In the Backup File Location section, click Browse.
The backup utility create a file name in the File name field, which includes a
date/time stamp.
e
Click OK to save the backup under the file name with the date/time stamp.
Alternatively, rename the file in the File name field and press OK.
f
Click Save.
A message appears indicating whether the backup was saved or an error
occurred.
3
214
Copy the backup onto the computer that will host the new Entrust IdentityGuard
replica server.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
4
Start the Entrust IdentityGuard installation procedure (“Installing Entrust
IdentityGuard Server” on page 68) on the computer that will host the replica.
5
When the Entrust IdentityGuard Configuration Panel appears, select Replica as
your system type.
6
Select Configure Entrust IdentityGuard.
The Entrust IdentityGuard Configuration wizard Welcome page appears.
7
Click Next to begin configuration.
The System Backup File page appears.
8
Click Browse to select your Entrust IdentityGuard backup file that you copied in
Step 3.
9
Select Next.
The Service Settings page appears.
10 Complete “Selecting Entrust IdentityGuard service ports” on page 79 and
“Selecting your system host name” on page 81.
11 On the Administration Controls page, select the administration state:
•
Enabled. This option enables both the Administration service and interface
controls on the replica system.
•
Disabled. This option disables both the Administration service and interface
controls on the replica system.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
215
•
Primary. This option disables the Administration service on the replica system
and forwards all Administration interface requests to the primary system. The
Administration interface is enabled on the replica.
12 Select Next.
The Configuration Summary page appears.
13 On the Configuration Summary page, click Confirm and Save if all the
information in the summary list is complete and correct.
14 Click Finish to complete the configuration process.
The configuration file is extracted from the backup file and updated with the
changes made in the Entrust IdentityGuard Configuration wizard. File-based
repositories are disabled, as is the Administration service and interface controls (if
you selected it to be disabled). A new application server SSL certificate is
generated, and the primary server’s public key (SSL certificate) and the LDAP SSL
certificate (it is exists) are imported to the new key store.
To initialize a replica server on Microsoft Windows
216
1
If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking
Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2
On the main page of the Configuration Panel, select Replica as the system type.
3
Select Initialize Entrust IdentityGuard.
4
Each master user must enter their password when prompted.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
5
Click Initialize.
A confirmation message appears.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
217
Configuring failover on the repository
Attention: This section applies only to installations of Entrust IdentityGuard
with embedded Tomcat.
By configuring failover on the repository, you ensure that there are backup
repositories in the event that the primary repository fails.
Topics in this section:
•
“Configuring failover for a database” on page 218
•
“Configuring failover for a directory” on page 219
Note: For instructions on configuring the Radius server failover, see
“Configuring Radius server failover” on page 195.
Configuring failover for a database
You may have a mechanism that updates the DNS information so that the database
host name points to the IP address of the new database when the original database
fails. If so, you must make the following configuration changes to Entrust
IdentityGuard so that it will use the IP address.
Configure failover for a database by modifying the default behavior of Entrust
IdentityGuard to permanently cache the IP address of a DNS lookup. Complete the
following procedure to change the DNS lookup to expire after a period of time, rather
than permanently caching the IP address from a DNS lookup.
To configure failover for a database
1
2
Locate and back up the java.security configuration file located:
•
on UNIX, $IDENTITYGUARD_HOME/j2rel.4.2_09/lib/security
•
on Microsoft Windows,
<IG_INSTALL_DIR>\j2rel.4.2_09\lib\security
Edit the java.security file and search for the networkaddress.cache.ttl
setting.
Read the comments surrounding this setting and ensure that any changes that
you make to this setting comply with your company’s security policy.
3
218
Comment out the networkaddress.cache.ttl setting to set the IP address
expiration time on the DNS lookup.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
4
Specify a positive integer value to define how long, in seconds, the DNS lookup
will be cached for.
Define an appropriate value for this setting based on your company’s failover
requirements.
5
Restart the Entrust IdentityGuard Server. For instructions on restarting, see
“Managing the Entrust IdentityGuard service” on page 62 for UNIX installations
and “Managing the Entrust IdentityGuard service” on page 94 for Windows.
Configuring failover for a directory
For LDAP directory failover, you can specify multiple URLs in the
identityguard.ldap.url setting in the identityguard.properties file.
Entrust IdentityGuard attempts to use each URL in turn, until a successful connection
is made.
To configure failover for a directory
1
As the Entrust IdentityGuard application owner, open the
identityguard.properties file in $IDENTITYGUARD_HOME/etc/ on UNIX
or <INSTALL_DIR>\identityguard81\etc on Microsoft Windows.
2
Find the section of the properties file that identifies the LDAP URL, and specify
multiple URLs.
For example:
identityguard.ldap.url=ldap://myldapserver1.com:389/ou=users,c=ca
ldap://myldapserver2.com:389/ou=users,c=ca
ldap://myldapserver3.com:389/ou=users,c=ca
Attention: Type these statements all on the same line separated by a space only.
3
If SSL is enabled, import the certificates of all listed directories into the trust store.
4
Save the file and restart Entrust IdentityGuard.
You now have configured failover for your directory.
Note: The LDAP credentials and principal specified must work for all directories
listed.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
219
Storing unassigned cards and tokens
Entrust IdentityGuard allows the production of cards prior to their association with
individual users—called card preproduction. It also requires that you load the token
information into the system before you can assign tokens to users.
Topics in this section:
•
“Configuring the disk files for tokens and cards” on page 221
•
“Configuring the database” on page 224
The type of repository you use (directory or database) determines where Entrust
IdentityGuard stores the unassigned cards and tokens. If you are using a database,
the unassigned cards and tokens are stored in the database. If you are using a
directory, you have a choice of storing the unassigned cards and tokens in a local file
or in a separate database.
During the installation and configuration you choose between a directory or database
to store your user information.
When you configure:
•
a directory for your user’s information, a file-based repository is
automatically configured for your preproduced cards and unassigned tokens
You can change the defaults using the “Configuring the disk files for tokens
and cards” on page 221 topic.
•
a directory for your user’s information, and if you want to use a database
repository, you must manually configure the database
For instructions, see “Configuring the database” on page 224.
Attention: If your organization plans to have a large deployment of 100,000
cards or tokens, it is recommended that you configure a database (instead of the
file-based repository).
•
a database for your user’s information, a database repository for
preproduced cards and unassigned tokens is automatically configured
For more information on storing preproduced cards and unassigned tokens, see the
Entrust IdentityGuard Administration Guide.
220
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the disk files for tokens and cards
Entrust IdentityGuard allows you to use files to store preproduced card or unassigned
token information, as this information cannot be stored in the directory itself (unlike
a database). Once the card or token is assigned to a user, then the information is
moved into the user entry in the repository.
To change a setting, add or edit the application property to the
identityguard.properties file.
Note: Do not use a file-based repository on a replica system.
The card repository settings shown in Table 13 are configured when you are using an
LDAP directory and choose to use file-based repository storage. Use the following
information to override the defaults:
Table 13: Repository properties for preproduced cards
Property
Description
identityguard.preproducedCardRepository.impl
Provides the storage location of
preproduced cards on the primary
system. It is set automatically when
you configure Entrust IdentityGuard.
When using a directory, it is set to:
com.entrust.identityGuard.car
dManagement.dataAccess.file.F
ilePreproducedCardRepository
When using a database, it is set to:
com.entrust.identityGuard.car
dManagement.dataAccess.jdbc.J
dbcPreproducedCardRepository
Note: For any replica system, make
sure it is set to:
com.entrust.identityGuard.car
dManagement.dataAccess.notImp
lemented.NotImplementedPrepro
ducedCardRepository
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
221
Table 13: Repository properties for preproduced cards (continued)
Property
Description
identityguard.preproducedCardRepository.file.name
The base name of the files that store
the preproduced cards.
The default is,
$IDENTITYGUARD.HOME/etc/fpcr/
fpcr.pcr on UNIX or
<IG_INSTALL_DIR>/identityguar
d81/etc/fpcr on Microsoft
Windows
Note: Remove this setting for a replica
system.
identityguard.preproducedCardRepository.file.maxsize The maximum number of cards in each
component file of the file-based card
preproduction repository.
If you deploy cards for over 100,000
users, and you still want to use LDAP
file-based card preproduction, set this
setting to a value higher than 200. The
value should be the (approximate)
number of cards, divided by 500. For
example 150,000 cards divided by
500, equals 300.
Defaults to 200.
Note: The preproduced card repository
needs approximately 0.5 KB of
memory per card. Therefore, 100,000
cards use about 50 MB of memory.
Note: Remove this setting for a replica
system.
The following token repository settings are configured when you are using an LDAP
directory and choose to use file-based repository storage. Use the following
information to override the defaults.
222
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 14: File-based repository properties for unassigned tokens
Property
Description
identityguard.tokenRepository.impl
Provides the storage location of unassigned
tokens on the primary system. It is set
automatically when you configure Entrust
IdentityGuard.
When using a directory, it is set to:
com.entrust.identityGuard.cardManagem
ent.dataAccess.file.FileTokenReposito
ry
When using a database, it is set to:
com.entrust.identityGuard.cardManagem
ent.dataAccess.jdbc.JdbcTokenReposito
ry
Note: For any replica system, make sure it is set to:
com.entrust.identityGuard.cardManagem
ent.dataAccess.notImplemented.NotImpl
ementedTokenRepository
identityguard.tokenRepository.file.name
Specifies the base file used for the file-based
repository.
The default is,
$IDENTITYGUARD_HOME/etc/ftkr/ftkr.pcr
on UNIX or
<IG_INSTALL_DIR>/identityguard81/etc/
ftkr/ftkr.pcr on Microsoft Windows
Applies to an LDAP repository only.
Note: Remove this setting for a replica system.
identityguard.tokenRepository.file.maxsize
Sets the maximum number of tokens the
file-based repository can store.
The default is 200.
Applies to an LDAP repository only.
Note: Remove this setting for a replica system.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
223
Configuring the database
If you have configured an LDAP directory for user information and your organization
plans to have a large deployment of 100,000 cards or tokens or more, it is
recommended that you configure a database for storing the unassigned card and
token information.
Entrust IdentityGuard requires a supported database to store the preproduced card
and unassigned token information. Add the following properties for the database to
the identityguard.properties file.
To configure database settings for card preproduction
1
Load the Entrust IdentityGuard schema into your database. For instructions, see
the Entrust IdentityGuard Database Configuration Guide.
2
Add the following settings to the identityguard.properties file and enter
the values for your database:
Property
Description
identityguard.jdbc.driverClass=
The name of the JDBC driver class.
identityguard.jdbc.url=
The URL used to connect to the database server.
identityguard.jdbc.user=
The ID of the database user.
&identityguard.jdbc.password=1
The password of the database user.
identityguard.jdbc.schema=
The database schema.
1. The ampersand (&) indicates this setting will be encrypted when Entrust IdentityGuard restarts.
The values used for these database related configuration settings are similar to
the settings used if Entrust IdentityGuard was installed with a database repository
(instead of an LDAP repository). See the Entrust IdentityGuard Database
Configuration Guide for example values for these settings.
3
If you have configured Entrust IdentityGuard to use an LDAP repository and you
want to store the preproduced cards in the database instead of the file-based
repository, complete the following step:
Note: If you are configuring a replica, do not manually set this setting. When
you configure the replica, this setting is set automatically.
Change the value of identityguard.preproducedCardRepository.impl
to the following:
com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcPrepr
oducedCardRepository
224
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
4
If you have configured Entrust IdentityGuard to use an LDAP repository and you
want to store the unassigned tokens in the database instead of the file-based
repository, complete the following step:
Note: If you are configuring a replica, do not manually set this setting. When
you configure the replica, this setting is set automatically.
Change the value of identityguard.tokenRepository.impl to the
following:
com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcToken
Repository
5
On UNIX install the driver of the database .jar files in
$IDENTITYGUARD_HOME/lib/db and $CATALINA_HOME/common/lib.
On Microsoft Windows install the driver of the database .jar files in
<IG_INSTALL_DIR>\identityguard81\lib\ and
<IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\common\lib
Attention: Ensure that you synchronize the backups of your LDAP directory or
database repositories. Remember that any time you restore Entrust IdentityGuard
from a backup, both the LDAP and database repositories must be restored as
well.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
225
Configuring Syslog for remote logging
on UNIX
Configure Syslog to enable remote logging of Entrust IdentityGuard messages.
For information on Windows logs, see the “Troubleshooting” chapter in the Entrust
IdentityGuard Administration Guide.
To log Entrust IdentityGuard messages remotely on Linux
1
As root, edit the file /etc/sysconfig/syslog by changing the entry
SYSLOGD_OPTIONS to SYSLOGD_OPTIONS="-m 0 -r".
2
As root, restart Syslog by running
service syslog restart
To configure Syslog on Linux
1
As root, edit /etc/syslog.conf and make changes similar to the following:
old line:
# *.info;mail.none;authpriv.none;cron.none /var/log/messages
new line:
*.info;local1.*;local2.*;local3.*;mail.none;authpriv.none;cron.non
e /var/log/messages
2
As root, restart Syslog by running:
service syslog restart
To configure Syslog on Solaris
1
As root, edit /etc/syslog.conf and add the following line:
local1.*;local2.* /var/adm/messages
2
As root, force Syslog to reread its configuration by running:
kill -HUP ‘cat /etc/syslog.pid‘
To configure Syslog on AIX
1
As root, edit /etc/syslog.conf and add the following lines:
local1.debug /var/adm/messages
local2.debug /var/adm/messages
2
226
As root, either restart syslogd or run the following command:
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
kill -HUP <pid>
where <pid> is the process identifier of the syslogd process.
3
AIX Syslog will not log to a file unless it already exists. Run the following
command:
touch /var/adm/messages
Ensure the resulting file has the proper file permissions.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
227
Disabling the non-SSL port on the
Authentication service
Attention: This section applies only to installations of Entrust IdentityGuard
with embedded Tomcat.
By default, the Entrust IdentityGuard Authentication service supports both non-SSL
(default: 8080) and SSL (default: 8443) ports for communication between the Entrust
IdentityGuard Server and the Authentication Web service.
To further secure your Entrust IdentityGuard Server, disable the non-SSL (HTTP) port.
To disable the non-SSL port
1
If Entrust IdentityGuard is currently running, shut it down.
See “Managing the Entrust IdentityGuard service” on page 62 for UNIX
instructions and “Managing the Entrust IdentityGuard service” on page 94 for
Windows instructions.
2
Edit the server.xml file found at:
•
on UNIX,
$CATALINA_HOME/conf
where $CATALINA_HOME is the install directory for Tomcat, for example,
/opt/entrust/jakarta-tomcat-5.0.28.
•
on Microsoft Windows,
<IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf
3
Identify and comment out the following section:
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443"
acceptCount="100" debug="0" connectionTimeout="20000"
disableUploadTimeout="true" />
After adding comments, the section should appear as follows:
<!-<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443"
228
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
acceptCount="100" debug="0" connectionTimeout="20000"
disableUploadTimeout="true" />
-->
4
Save the server.xml file.
5
Update the identityguard.properties file to direct the sample application
to the SSL port by modifying the identityguard.authservice.url property
to:
https://<yourhostname>:<SSL_PORT>/IdentityGuardAuthService/service
s/AuthenticationServiceV2
For example, using the default port values, the value should appear after
modification as:
identityguard.authservice.url=https://igserver.anycorp.com:8443/Id
entityGuardAuthService/services/AuthenticationServiceV2
6
Restart the Entrust IdentityGuard Server. For instructions on restarting, see
“Managing the Entrust IdentityGuard service” on page 62 for UNIX and
“Managing the Entrust IdentityGuard service” on page 94 for Windows.
Attention: Update Entrust IdentityGuard clients to use the SSL port for
communication with the Authentication service. If clients attempt to access the
Entrust IdentityGuard Authentication service at the non-SSL port, they will
receive a “Connection Refused” error.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
229
Enabling the non-SSL port on the
Administration service
Attention: This section applies only to installations of Entrust IdentityGuard
with embedded Tomcat.
By default, the Entrust IdentityGuard Administration service runs on HTTPS (port
8444) to take advantage of better security. If necessary, complete the following steps
to allow the Administration service to run on a non-SSL port.
Note: It is important that you understand that enabling the non-SSL port on the
Administration service can seriously compromise the security of your system.
To enable the non-SSL port on the Administration service
1
Open the server.xml file found at:
•
on UNIX,
$CATALINA_HOME/conf
•
on Microsoft Windows,
<IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf
2
Add a new <Connector> element to the second <Service> element (which
defines the Administration service).
This new <Connector> element should be the same as the first <Connector>
element in the first <Service> element, except you must pick a new port (do
not use 8080, 8443, 8444). The port number must be greater than 1024.
3
Open the web.xml file found at:
•
on UNIX,
$IDENTITYGUARD_HOME/services/admin/IdentityGuardAdminSer
vice/WEB-INF/
•
on Microsoft Windows,
<IG_INSTALL_DIR>\Identityguard81\services\admin\Identity
GuardAdminService\WEB-INF\
4
230
Remove the <security-constraint> element.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Disabling the SSL port on the
Administration service
Attention: This section applies only to installations of Entrust IdentityGuard
with embedded Tomcat.
If you have disabled the Administration service and the Administration interface,
complete the following steps to disable the default HTTPS port (8444) on the
Administration service.
After you have disabled this port, if you wish to enable either the Administration
service or the Administration interface, you must enable the SSL port on the
Administration service.
To disable the SSL port on UNIX
1
If Entrust IdentityGuard is currently running, shut it down. See “Managing the
Entrust IdentityGuard service” on page 62 for instructions.
2
Run the command to disable the Administration interface, if it is still running:
identityguard.sh disable admininterface
3
Run the command to disable the Administration service, if it is still running:
identityguard.sh disable adminservice
4
Locate and make a backup copy of the server.xml file found at:
$CATALINA_HOME/conf/server.xml
5
Identify and comment out the code between <Service ..> and </Service>
that contains <Connector port="8444">.
6
Save the server.xml file.
7
Restart the Entrust IdentityGuard Server. For instructions on restarting, see
“Managing the Entrust IdentityGuard service” on page 62.
To disable the SSL port on Microsoft Windows
1
If Entrust IdentityGuard is currently running, shut it down. See “Managing the
Entrust IdentityGuard service” on page 94 for instructions.
2
Locate and make a backup copy of the server.xml file found at:
<IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf\server.xml
3
Identify and comment out the code between <Service ..> and </Service>
that contains <Connector port="8444">.
4
Save the server.xml file.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
231
5
232
Restart the Entrust IdentityGuard Server. For instructions on restarting, see
“Managing the Entrust IdentityGuard service” on page 94.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Securing the LDAP connection with SSL
During installation, if you chose not to use an SSL connection to the LDAP repository,
you can reconfigure the connection without reinstalling and configuring Entrust
IdentityGuard.
Topics in this section:
•
“Creating self-signed certificates” on page 235
•
“Importing CA-signed certificates” on page 236
•
“Exporting the certificate to client applications” on page 238
•
“Updating certificates” on page 238
To reconfigure the connection, update the Entrust IdentityGuard keystore, and then
the identityguard.properties file. First ensure that you have:
•
an LDAP repository that supports SSL
•
a user with permissions to update the identityguard.properties file
•
an SSL certificate for your LDAP server
•
access to the Java keytool executable
There are two steps to this process:
•
Import the LDAP server's SSL certificate into the Entrust IdentityGuard
keystore so that Entrust IdentityGuard can communicate with the LDAP
server. Entrust IdentityGuard uses this certificate (when establishing a
connection) to verify the identity of the LDAP server.
•
Edit the properties file so that Entrust IdentityGuard will connect to the LDAP
server using SSL.
To import the LDAP SSL certificate
1
Copy the LDAP server certificate onto the Entrust IdentityGuard Server.
2
From the command line on the Entrust IdentityGuard Server, issue the following
command:
keytool -import -alias ldapssl -keystore <path_to_keystore> -file
<path_to_ldap_ssl_cert_file> -storepass <password>
Where:
•
<path_to_keystore> is:
– for UNIX, $IDENTITYGUARD_HOME/etc/keystore
– for Microsoft Windows,
<IG_INSTALL_DIR>\identityguard81\etc\keystore
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
233
Note: The path to the keystore for versions of Entrust IdentityGuard installed
using an existing application server is the location of the trustStore.jks file.
•
3
<path_to_ldap_ssl_cert_file> is the directory you chose to store the
file when you exported the certificate.
When prompted to answer whether or not you trust the certificate, review the
displayed details, and if they are correct, answer yes.
To update the Entrust IdentityGuard properties file
1
As the Entrust IdentityGuard application owner, open the
identityguard.properties file in $IDENTITYGUARD_HOME/etc/
2
Find the section of the properties file that identifies the LDAP URL:
# URL that will be used to connect to the LDAP server.
identityguard.ldap.url=ldap://myldapserver:389/ou=users,
dc=myserver,dc=com
3
Change the URL to use the LDAP SSL port on your LDAP server. The default SSL
port for LDAP servers is 636. Update the property with the value appropriate to
your environment.
identityguard.ldap.url=ldap://myldapserver:636/ou=users,
dc=myserver,dc=com
4
Find the section of the properties file that identifies the LDAP SSL connections:
# Specify whether this will be a secure SSL connection to the
directory.
# If set to true, the identityguard.ldap.url must be directed to a
# secure ldap port (default: 636).
# This property can be true or false, or commented out entirely.
identityguard.ldap.sslEnabled=false
5
Change the property value to true:
identityguard.ldap.sslEnabled=true
6
Save the file and restart Entrust IdentityGuard.
You now have a secure SSL connection between Entrust IdentityGuard and your
LDAP repository.
234
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Changing the Entrust IdentityGuard
certificate
Attention: This section applies only to installations of Entrust IdentityGuard
with embedded Tomcat.
When engaged in an SSL-secured communication, Entrust IdentityGuard requires an
SSL certificate. A client application uses the SSL certificate to identify the Entrust
IdentityGuard Server.
Note: You can purchase or renew an SSL certificate by going to
http://www.entrust.com/certificate_services/index.htm.
Note: The J2SE 1.4 installed with your Entrust IdentityGuard system includes the
keytool application. Use it to manage the Java keystore containing private keys
and SSL certificates (X.509 chains and public keys). For complete documentation
on keytool, see
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html on Solaris,
and http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html on
Windows.
Configure one of the two different types of certificates: self-signed certificate and
CA-signed certificate.
The following topics provide procedural information for using SSL certificates:
•
“Creating self-signed certificates” on page 235
•
“Importing CA-signed certificates” on page 236
•
“Exporting the certificate to client applications” on page 238
•
“Updating certificates” on page 238
Creating self-signed certificates
A self-signed certificate is not guaranteed. Your client application must accept that
the certificate is valid, and choose to import it. For a Java client, this means that you
must add the self-signed certificate to the client keystore in order to communicate
with Entrust IdentityGuard using SSL. To create a self-signed certificate for Entrust
IdentityGuard, generate a new private key and certify it.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
235
To create a self-signed certificate
1
Delete the existing key if there is one:
keytool -delete -alias tomcat -storepass entrust -keystore
<path_to_keystore>
Where <path_to_keystore> is:
2
•
for UNIX, $IDENTITYGUARD_HOME/etc/keystore
•
for Microsoft Windows,
<IG_INSTALL_DIR>\identityguard81\etc\keystore
Generate a new key pair:
keytool -genkey -alias tomcat -keyalg RSA -validity
<cert_lifetime_in_days> -keystore <path_to_keystore> -dname
"<subject_DN>" -keypass entrust -storepass entrust
Where:
•
<path_to_keystore> is:
– for UNIX, $IDENTITYGUARD_HOME/etc/keystore
– for Microsoft Windows,
<IG_INSTALL_DIR>/identityguard81\etc\keystore
Importing CA-signed certificates
A CA-signed certificate has the following advantages:
•
it is automatically recognized and accepted by major Web browsers
•
it is automatically recognized and accepted by a Java client using a recent JRE
•
it guarantees the identity of the owning organization
To import a CA-signed certificate
1
Delete the existing key:
keytool -delete -alias tomcat -keystore <path_to_keystore>
-keypass entrust -storepass entrust
where <path_to_keystore> is:
2
236
•
for UNIX, $IDENTITYGUARD_HOME/etc/keystore
•
for Microsoft Windows,
<IG_INSTALL_DIR>/identityguard81\etc\keystore
Before generating a certificate request, generate a public/private key pair for
your server. To generate the necessary key pair, enter:
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
keytool -genkey -alias tomcat -dname "<required DN>"
-keyalg RSA -keysize <value> -keystore <path_to_keystore> -keypass
entrust -storepass entrust
Where:
•
•
•
3
<required DN> depends on the CA that will process the certificate request.
– If you are using a certificate from, for example, the Entrust Certificate
Service, you must enter a fully qualified DN.
– If you are using an Entrust CA with Entrust Authority Enrollment Server for
Web to process the request, the DN must be "cn=<refnum>" where
<refnum> is the reference number generated by the CA.
<value> is the keysize value. Ensure the keysize value is secure, for example,
1024 or 2048.
<path_to_keystore> is one of:
– for UNIX, $IDENTITYGUARD_HOME/etc/keystore
– for Microsoft Windows,
<IG_INSTALL_DIR>/identityguard81\etc\keystore
A Certificate Signing Request (CSR) is used by the CA to generate your SSL
certificate. To create a CSR, enter:
keytool -certreq -alias tomcat -file <file to store request in>
-keystore <path_to_keystore> -keypass entrust -storepass entrust
Provide the file generated by this command to the CA. The CA takes the request
file and creates a certificate.
4
Optionally, once you receive your SSL certificate from the CA, import a chain
certificate (if the CA is not already included in the JRE Trusted CA list). To import
a CA chain certificate, enter:
keytool -import -alias root -trustcacerts -file <file containing
CA certificate> -keystore <path_to_keystore> -keypass entrust
-storepass entrust
5
To import the SSL certificate that was generated by the CA, save the certificate
file to a location on the Entrust IdentityGuard Server and enter:
keytool -import -alias tomcat -trustcacerts -file <SSL_cert_file>
-keystore <path_to_keystore> -keypass entrust -storepass entrust
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
237
Exporting the certificate to client applications
When you use SSL, you may be required to export the Entrust IdentityGuard Server
certificate so that the client has access to it. Complete the following steps to export a
server certificate that you manually created.
To export a certificate
1
Enter the following command (on one line):
keytool -export -alias tomcat -file <path_to_file.cer> -keystore
<path_to_keystore> -keypass entrust
where <path_to_keystore> is:
2
•
for UNIX, $IDENTITYGUARD_HOME/etc/keystore
•
for Microsoft Windows,
<IG_INSTALL_DIR>/identityguard81\etc\keystore
Enter the password when prompted.
Updating certificates
Whether you chose a self-signed certificate or a CA-signed certificate, the certificate
will eventually expire. It is necessary to update the keystore with the new certificate
before expiry.
As well, there are other reasons why you might want to replace the self-signed
certificate that was created during installation. For example, you may need
•
to modify the lifetime or key type
The default self-signed certificate is RSA-1024.
•
a different DN in the certificate
The default self-signed certificate has a DN of cn=<hostname>, where
<hostname> is the host name of the Entrust IdentityGuard Server. If the
client applications connecting to the Entrust IdentityGuard services are not
using this host name, you need a new self-signed certificate.
•
additional security
To update the certificate
1
If you are updating a self-signed certificate, use the Java keytool application to
issue the following command (on one line):
keytool -selfcert -alias tomcat -validity <number_of_days>
-keystore <path_to_keystore> -keypass entrust
where <path_to_keystore> is:
238
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
•
for UNIX, $IDENTITYGUARD_HOME/etc/keystore
•
for Microsoft Windows,
<IG_INSTALL_DIR>/identityguard81\etc\keystore
You should not have to delete the original alias when creating a new self-signed
certificate.
2
If Entrust IdentityGuard is using a CA-signed certificate, it is necessary to
generate a new signing request and import the response. See “Importing
CA-signed certificates” on page 236.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
239
Enabling system binding
As a master user, you can bind the master keys to a specific machine through an
update to the key protection file (.kpf). This is called system binding. You can also
perform system unbinding of the master keys, making them portable.
Perform system binding on the master keys to:
•
rebind master keys that were unbound
•
rebind master keys after a hardware change, as required
•
complete initializing of a replica or restoring from a backup
Note: When you initialize Entrust IdentityGuard for the first time, system
binding occurs automatically.
Perform system unbinding on the master keys to copy a key protection file (.kpf) to
another computer.
To bind the master keys
1
On UNIX:
a
As the UNIX user, change to $IDENTITYGUARD_HOME.
b
From $IDENTITYGUARD_HOME, source the environment settings file by
entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
c
Enter the following command to start the master user shell:
supersh
2
On Windows, click Start > All Programs > Entrust > IdentityGuard > Master User
Shell.
The copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
3
Enter the following command:
system bind
You are prompted for a user name and password.
To unbind the master keys
1
On UNIX:
a
240
As the UNIX user, change to $IDENTITYGUARD_HOME.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
b
From $IDENTITYGUARD_HOME, source the environment settings file by
entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
c
Enter the following command to start the master user shell:
supersh
2
On Windows, click Start > All Programs > Entrust > IdentityGuard > Master User
Shell.
The copyright information and the Entrust IdentityGuard version number appear,
followed by a command prompt.
3
Enter the following command:
system unbind
You are prompted for a user name and password.
Postinstall configuration options for Entrust IdentityGuard Server
Feedback on guide
241
242
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Chapter 8
Backing up and restoring Entrust
IdentityGuard Server
This chapter is intended for installers and administrators who are responsible for the
backup and recovery of Entrust IdentityGuard. It provides guidelines for planning a
backup strategy and steps for restoring Entrust IdentityGuard from a backup.
This chapter contains the following sections:
•
“Planning a backup strategy” on page 244
•
“Restoring Entrust IdentityGuard from a backup” on page 250
•
“Restoring a file-based repository” on page 253
•
“Reconfiguring the system or Entrust IdentityGuard serial number” on
page 254
243
Planning a backup strategy
It is strongly recommended that you have a backup strategy in place before you install
or upgrade Entrust IdentityGuard.
Backing up provides insurance in case something unexpected happens (for example,
a hardware failure) to the servers hosting Entrust IdentityGuard and your repository.
You should consider a separate server or separate physical disk to host the backup
files in case of a hard disk failure.
Topics in this section:
•
“To plan a backup strategy on UNIX” on page 244
•
“To plan a backup strategy on Microsoft Windows” on page 245
To plan a backup strategy on UNIX
Use the following points to help you develop a backup strategy for Entrust
IdentityGuard Server and your repository on UNIX.
•
Back up the masterkeys.enc file.
•
Entrust IdentityGuard does not back up your data repository.
Ensure that you back up your repository on a regular basis and before
installing or upgrading Entrust IdentityGuard.
•
If the data is split over two repositories, back up and restore both repositories
together.
•
Back up your logs on a regular basis.
If you chose to log to files when you installed Entrust IdentityGuard, the logs
are stored in $IDENTITYGUARD_HOME/logs
•
Decide on a backup type from the following two options:
•
– Full. Full backups contain all information required to restore the
configuration, logs, and file-based repositories.
– Partial. Partial backups contain enough information to restore a replica
system.
The following Entrust IdentityGuard files are backed up during a full backup:
– $IDENTITYGUARD_HOME/etc/masterkeys.enc. This file changes
whenever a master user changes a password and should be backed up
again after such an operation.
– $IDENTITYGUARD_HOME/etc/keystore (installations with embedded
Tomcat only). This file changes whenever a new SSL key-pair is generated
or imported.
– $IDENTITYGUARD_HOME/etc/identityguard.properties
– $CATALINA_HOME/conf/server.xml (installations with embedded
Tomcat only)
244
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
•
•
– $IDENTITYGUARD_HOME/etc/igsample.properties
– $IDENTITYGUARD_HOME/etc/igkrb5.conf
Make sure you back up any files in the following directories:
– $IDENTITYGUARD_HOME/export/
– $IDENTITYGUARD_HOME/etc/fpcr/
– $IDENTITYGUARD_HOME/etc/ftkr/
If you use a database repository, save the JDBC driver .jar files you used
during installation.
•
You can create a new keystore file but then you must also generate new SSL
keys.
•
You can run configure.sh again to recreate the
identityguard.properties and server.xml files.
To plan a backup strategy on Microsoft Windows
Use the following points to help you develop a backup strategy for Entrust
IdentityGuard Server and your repository on Microsoft Windows.
•
Entrust IdentityGuard does not back up your data repository.
Ensure that you back up your repository on a regular basis and before
installing or upgrading Entrust IdentityGuard.
•
If the data is split over two repositories, back up and restore both repositories
together.
•
Back up your logs on a regular basis. The logs are stored in
<IG_INSTALL_DIR>\identityguard81\logs
•
Decide on a backup type from the following two options:
•
– Full. Full backups contain all information required to restore the
configuration, logs, and file based repository.
– Partial. Partial backups contain enough information to set up a replica
system.
The following Entrust IdentityGuard files are backed up during a full backup.
– <IG_INSTALL_DIR>\identityguard81\etc\masterkeys.enc. This
file changes whenever a master user changes their password and should be
backed up again after such an operation.
– <IG_INSTALL_DIR>\identityguard81\etc\keystore. This file
changes whenever a new SSL key-pair is generated or imported.
– <IG_INSTALL_DIR>\identityguard81\etc\identityguard.prop
erties
– <IG_INSTALL_DIR>\jakarta-tomcat-5.0.28\conf\server.xml
– <IG_INSTALL_DIR>\identityguard81\etc\igsample.properties
– <IG_INSTALL_DIR>\identityguard81\etc\igkrb5.conf
Backing up and restoring Entrust IdentityGuard Server
Feedback on guide
245
•
•
246
Make sure you back up any files in the following directories:
– <IG_INSTALL_DIR>\identityguard81\export\
– <IG_INSTALL_DIR>\identityguard81\etc\fpcr\
– <IG_INSTALL_DIR>\identityguard81\etc\ftkr\
If you use a database repository, save copies of the JDBC driver .jar files you
used during installation.
•
You cannot recover the masterkeys.enc file.
•
You can create a new keystore file but then you must also generate new SSL
keys.
•
You can use the Configuration wizard from the Entrust IdentityGuard
Configuration Panel to recreate the identityguard.properties and
server.xml files.
•
Make sure you store your backup files on a separate machine from your
Entrust IdentityGuard Server.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Backing up your configuration
Back up your Entrust IdentityGuard configuration as a precaution in case your system
fails.
Attention: Ensure that you synchronize the backups of your LDAP directory or
database repositories. Remember that any time you restore Entrust IdentityGuard
from a backup, both the LDAP and database repositories must be restored as
well.
This section contains the following procedures:
•
“To back up your configuration on UNIX” on page 247
•
“To back up your configuration on Microsoft Windows” on page 248
Attention: Backup files contain sensitive information, such as the
masterkeys.enc file and export files. The igsample.properties file
contains a clear text administrator password. As such, backup files should be
stored carefully.
To back up your configuration on UNIX
1
Log in as the UNIX user on the existing Entrust IdentityGuard Server.
2
Run the backup command:
igbackup.sh [-partial|-full]
This command creates a backup ZIP file and puts it in the default location,
$IDENTITYGUARD_HOME/backups/. The default name includes the type of
backup (partial or full), and the current date and time. For example, if you create
a partial backup file created on February 24, 2006 at 3:00:45 P.M., the file name
is: igpartialbackup_20060224150045.zip.
Optionally, you can you can specify a file name by including [-file <file
name>] in the backup command. For example,
igbackup.sh -partial -file <file name>
where <file name> is the name you choose for the backup file. The default
location is relative to your current working directory.
The partial backup ZIP file includes the following files for installations with
embedded Tomcat:
•
masterkeys.enc
•
identityguard.properties
Backing up and restoring Entrust IdentityGuard Server
Feedback on guide
247
•
igsample.properties file (if it exists)
•
igkrb5.conf
•
JDBC .jar files (if they exist)
•
identityguard.cer (contains the SSL certificate of the primary server)
•
LDAP SSL certificate (if the primary server has configured SSL to its LDAP
repository)
The partial backup ZIP file includes the following files for installations using an
existing application server:
•
masterkeys.enc
•
identityguard.properties
•
igsample.properties file (if it exists)
•
JDBC .jar files (if they exist)
The full backup ZIP file includes the following files (in addition to the files that are
backed up in the partial backup):
•
server.xml (installations with embedded Tomcat only)
•
file-based repository files (both preproduced cards and unassigned tokens)
•
keystore
•
log files
•
export files
Note: If you do not specify either -partial or -full with the igbackup.sh
command, a full backup is created.
To back up your configuration on Microsoft Windows
1
If the Entrust IdentityGuard Configuration Panel is not open, open it by clicking
Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
2
Select Backup Entrust IdentityGuard Configuration.
3
Select the backup type: Full or Partial.
4
In the Backup File Location section, click Browse.
A file name including a date/time stamp will automatically be created in the File
name field. The default location is relative to your current working directory.
5
248
Click OK to save the backup under the file name with the date/time stamp.
Alternatively, rename the file in the File name field and press OK.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Note: If you are selecting your own file name, assure you can recognize which
backup is the most recent file, as over time, more than one backup file may exist.
6
Click Save.
Your backup is saved as a ZIP file.
7
Click Close to exit the Configuration Backup utility.
Note: During the Windows uninstall process, Entrust IdentityGuard attempts to
create a backup of your Entrust IdentityGuard configuration. If successful, it
displays a message listing the location of the backup file. Click OK to continue
the uninstall. This occurs only if Entrust IdentityGuard was correctly configured
and initialized.
Note: You can also use the command line backup utility, igbackup.exe,
located in <IG_INSTALL_DIR>\identityguard81\bin to back up your
configuration on Microsoft Windows.
Backing up and restoring Entrust IdentityGuard Server
Feedback on guide
249
Restoring Entrust IdentityGuard from a
backup
The following steps describe how to restore Entrust IdentityGuard from a backup.
These steps assume that you have already restored your repository.
Topics in this section:
•
“To restore Entrust IdentityGuard from a backup on UNIX” on page 250
•
“To restore Entrust IdentityGuard from a backup on Windows” on page 251
Attention: If your backup does not include the masterkeys.enc file, then
you cannot restore your system.
To restore Entrust IdentityGuard from a backup on UNIX
1
Copy the full backup ZIP file from your Entrust IdentityGuard Server to the
computer that you want to restore Entrust IdentityGuard on.
The default location for the file is $IDENTITYGUARD_HOME/backups.
Note: All files listed here should be readable and writable by the user and group
selected during installation.
2
If the computer you are restoring to has a copy of the server.xml file, delete it
before continuing with the restore.
3
Unzip the full backup ZIP file. For example, on UNIX,
unzip igfullbackup_20060324151505.zip
4
Open the files.txt file in a text editor.
This file contains a list of all the files copied into the backup ZIP file, and the
location they were copied from.
5
Copy all the files back to their proper locations.
6
For database repositories:
7
250
•
Copy the JDBC driver .jar files you used during the original installation to
$CATALINA_HOME/common/lib (installations with embedded Tomcat only)
and $IDENTITYGUARD_HOME/lib.
•
Restore the JDBC .jar files to $CATALINA_HOME/common/lib
(installations with embedded Tomcat only)
Open the manifest.txt file in a text editor and ensure you are using the
correct version of the files.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Backups between versions of Entrust IdentityGuard may not be compatible.
8
Open the master user shell.
a
Log in as the UNIX user that belongs to the UNIX group and change to
$IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
b
From $IDENTITYGUARD_HOME, source the environment settings file by
entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
c
Enter the following command to start the master user shell:
supersh
Copyright information and the Entrust IdentityGuard version number
appear, followed by a command prompt.
9
Enter the following in the master user shell to initialize the restored system:
init -replica
All three master users must enter their passwords.
10 It is recommended that you run the command system bind from the master
user shell to enable system binding.
For more information on system binding, see “Enabling system binding” on
page 240.
Entrust IdentityGuard is now restored from backup.
11 Redeploy the Entrust IdentityGuard services:
•
see “Enabling and disabling individual Entrust IdentityGuard services” on
page 64) for installations with embedded Tomcat
•
see “Deploying Entrust IdentityGuard services on an existing application
server” on page 127) for installations using an existing application server
To restore Entrust IdentityGuard from a backup on Windows
1
Copy the full backup ZIP file from your Entrust IdentityGuard Server to the
computer that you want to restore Entrust IdentityGuard on.
The default location for the file is
<IG_INSTALL_DIR>\identityguard81\backups
2
If the computer you are restoring to has a copy of the server.xml file, delete it
before continuing with the restore.
3
Unzip the full backup ZIP file.
4
Open the files.txt file in a text editor.
This file contains a list of all the files copied into the backup ZIP file, and the
location they were copied from.
Backing up and restoring Entrust IdentityGuard Server
Feedback on guide
251
5
Copy all the files back to their proper locations.
6
For database repositories, ensure that copies of the JDBC driver .jar files you
used during installation are in these folders:
7
•
<TOMCAT_INSTALL_DIR>\common\lib
•
<IG_INSTALL_DIR>\identityguard81\lib.
Open the manifest.txt file in a text editor and ensure you are using the
correct version of the files.
Backups between versions of Entrust IdentityGuard may not be compatible.
8
Click Start > All Programs > Entrust > IdentityGuard > Configuration Panel.
9
Select Initialize Entrust IdentityGuard on the Entrust IdentityGuard
Configuration Panel to initialize the restored system.
For instructions, see “Running the Entrust IdentityGuard Initialization wizard” on
page 84.
All three master users must enter their passwords.
Entrust IdentityGuard is now restored from backup.
Note: The backup file does not contain saved settings for Entrust IdentityGuard
services. Check that the Administration service, Administration interface and the
sample application are enabled or disabled, as applicable.
252
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Restoring a file-based repository
A restore backs up the configuration files, including the .pcr and .idx files. Specific
files in the fpcr and ftkr directories should be backed up or restored with the
repository, so that they are consistent.
Topics in this section:
•
“To restore a file-based card repository on UNIX” on page 253
•
“To restore a file-based card repository on Windows” on page 253
To restore a file-based card repository on UNIX
1
Back up the files that start with fpcr.pcr (for cards) located in:
$IDENTITYGUARD_HOME/etc/fpcr
You can override the base file for cards with the identityguard.properties
setting:
identityguard.preproduced.cardRepository.file.name
2
Back up the files that start with ftkr.pcr (for tokens) located in:
$IDENTITYGUARD_HOME/etc/ftkr
You can override the base file for tokens with the
identityguard.properties setting:
identityguard.tokenRepository.file.name
3
Ensure that the files are owned (and are readable and writable) by the user that
owns Entrust IdentityGuard.
To restore a file-based card repository on Windows
1
Back up the files that start with fpcr.pcr (for cards) located in:
<IG_INSTALL_DIR>\identityguard81\etc\fpcr
You can override the base file for cards with the identityguard.properties
setting:
identityguard.preproduced.cardRepository.file.name
2
Back up the files that start with ftkr.pcr (for tokens) located in:
<IG_INSTALL_DIR>\identityguard81\etc\ftkr
You can override the base file for tokens with the
identityguard.properties setting:
identityguard.tokenRepository.file.name
Backing up and restoring Entrust IdentityGuard Server
Feedback on guide
253
Reconfiguring the system or Entrust
IdentityGuard serial number
Reconfigure the next generated serial number after you restore your repository to an
old backup. This prevents duplication of serial numbers for cards that were created
and manufactured between the backup and the time the repository was restored.
To configure the card serial number
1
Open the master user shell.
•
on UNIX:
– Log in as the UNIX user that belongs to the UNIX group and change to
$IDENTITYGUARD_HOME (usually /opt/entrust/identityguard81).
– From $IDENTITYGUARD_HOME, source the environment settings file by
entering:
. ./env_settings.sh
(Include a space between the two periods in the command.)
– Enter the following command to start the master user shell:
supersh
•
2
Copyright information and the Entrust IdentityGuard version number
appear, followed by a command prompt.
on Microsoft Windows:
– Click Start > All Programs > Entrust > IdentityGuard > Master User Shell.
To display the next available serial number, at the command line, enter
system get
3
To update to a new serial number, enter
system set -sernum <value>
254
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Appendix A
Configuring the Entrust
IdentityGuard Server properties
file
When you installed Entrust IdentityGuard, it created an
identityguard.properties file in the following directory:
•
on UNIX, $IDENTITYGUARD_HOME/etc/
•
on Microsoft Windows, <IG_INSTALL_DIR>\identityguard81\etc\
Reconfigure your installation by editing or adding settings to the
identityguard.properties file.
Note: With the exception of log settings, you must restart the Entrust
IdentityGuard service for changes to Entrust IdentityGuard properties to take
effect. See:
“Managing the Entrust IdentityGuard service” on page 62 for installation using
embedded Tomcat on UNIX,
“Managing the Entrust IdentityGuard service” on page 166 for installations
using existing application servers, or
“Managing the Entrust IdentityGuard service” on page 94 for installation using
embedded Tomcat on Microsoft Windows.
Topics in this section:
•
“Editing property values” on page 257
•
“Enabling the authentication success audit” on page 258
•
“Enabling a WSDL query” on page 259
255
256
•
“Configuring additional search bases” on page 260
•
“Configuring LDAP directory properties” on page 261
•
“Configuring database properties” on page 267
•
“Enabling cached challenges” on page 270
•
“Caching policies” on page 272
•
“Changing log configuration” on page 273
•
“Changing log locations on UNIX” on page 277
•
“Configuring master user shell formatting” on page 278
•
“Configuring license auditing” on page 281
•
“Configuring the Entrust IdentityGuard Radius proxy properties” on
page 282
•
“Configuring external authentication properties” on page 293
•
“Configuring token properties” on page 295
•
“Configuring the Administration interface properties for bulk operations” on
page 296
•
“Configuring the Administration interface to control the output format” on
page 297
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Editing property values
You can change any value in the identityguard.properties file. Change these
settings with caution, as mistakes can disrupt Entrust IdentityGuard functions:
•
any setting that starts with log4j
•
identityguard.MasterKeyFile
•
identityguard.KeyProtectionFile
•
identityguard.authservice.url
•
identityguard.adminservice.url
•
identityguard.webadmin.url
•
identityguard.authservice.https.url
•
identityguard.webadmin.bulk.maxFileSize
•
identityguard.wedadmin.bulk.inMemoryThreshold
Encrypting property values
Some values in the identityguard.properties file are encrypted, for example,
the database or LDAP password, and the Radius shared secret values.
An encrypted property has an ampersand (&) in front of its name in the properties file
(for example, &identityguard.jdbc.password).
To change an encrypted value, replace it with a new cleartext value. The next time
you start Entrust IdentityGuard, it encrypts the value.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
257
Enabling the authentication success
audit
By default, the Entrust IdentityGuard authentication success audit is disabled. Enable
this setting if your organization wishes to audit successful authentications.
To enable the authentication success audit, in the Authentication Settings section of
the identityguard.properties file, set
identityguard.authentication.audit.success to true.
For information on audited events, see the “Troubleshooting” chapter in the Entrust
IdentityGuard Administration Guide.
258
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Enabling a WSDL query
By default, the Entrust IdentityGuard WSDL query is disabled. Enable this setting to
retrieve the WSDL definition for a service. For example, if you query the Entrust
IdentityGuard Authentication service URL with ?wsdl —
http://igserver:8080/IdentityGuardAuthService/services/
AuthService?wsdl—and the WSDL query is enabled, the WSDL definition for the
Authentication service is returned.
To enable the WSDL query, in the identityguard.properties file, set
identityguard.service.wsdlquery.enable to true.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
259
Configuring additional search bases
Search bases allow administrators to search more quickly for users in the same domain
or in cross-certified domains if you store user information in an LDAP-compliant
directory. After you define search bases in the properties file, you can create groups
and assign each group one or more search bases.
Search bases also allow the Entrust IdentityGuard repository to span multiple
directory servers.
Note: In some cases, not all users will reside within a single search base or
directory. The reference to the user attribute (uid) should be different for each
additional search base added to Entrust IdentityGuard. For example, for the
primary search base, the reference to the user attribute may be “uid,” and for an
additional search base the reference may be “cn” or “upn.” For Active Directory,
use sAMAccountName instead of uid for the first search base.
An example of a search base URL is:
ldap://dirserver:389/ou=someunit,o=yourcompany,c=ca
Some of the characteristics of search bases are:
•
They can divide a large domain into smaller domains, simplifying searches.
•
Groups may be assigned one or more search bases.
•
A search base can be shared by multiple groups. When the user is created, a
check is performed to ensure that the user ID is unique within all search bases
assigned to that user in the group.
•
If a search base is not defined, the group will use the default search base.
Note: If you are using multiple search bases, each user ID and administrator ID
must be unique within a search base.
Search bases are defined in the identityguard.properties configuration file.
You must manually edit the identityguard.properties file to add, remove, or
modify search base definitions. See the identityguard.ldap.searchbase
setting description in Table 15 for instructions on editing search bases.
For further instructions, see the Entrust IdentityGuard Administration Guide.
260
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring LDAP directory properties
To change the way that the LDAP directory is used by the Entrust IdentityGuard
server, go to the LDAP Server Settings section of identityguard.properties
and add or edit the properties described in Table 15.
If you are using an LDAP repository, the properties marked Required in the table must
have values defined in the identityguard.properties file. These values are
added to the identityguard.properties file during the configuration that you
completed during installation.
Note: Entrust IdentityGuard configuration automatically converts spaces in the
LDAP base DN to %20. If you edit the LDAP base DN after installation in the
identityguard.properties file, remember to replace spaces with %20.
Table 15: LDAP directory properties
Property
Description
identityguard.ldap.url
Required.
LDAP URL to use to find and connect to the LDAP
directory. This can include the host name, the port
number, and initial context prefix to bind to. All
lookups are relative to the given context prefix.
For example:
ldap://myldaphost:389/ou=People,
dc=AnyCorp,dc=com
binds to port 389 on the computer myldaphost,
with ou=People,dc=AnyCorp,dc=com as the
initial context prefix.
identityguard.ldap.principal
Required.
Name of the entity binding to the LDAP directory,
for example:
cn=Directory Manager
identityguard.ldap.credentials
Required.
Password of the entity binding to the LDAP
directory.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
261
Table 15: LDAP directory properties (continued)
Property
Description
identityguard.ldap.connecttimeout
Length of time in milliseconds that Entrust
IdentityGuard waits when attempting to connect to
the LDAP directory before giving up and returning
an error.
Defaults to 30000 (30 seconds).
identityguard.ldap.useridattribute
LDAP directory attribute that contains the unique
user identifier.
Default is cn.
identityguard.ldap.policyentry
Required.
Specifies the directory that stores policies. It must
exist, and be named relative to the context prefix.
For example, if the URL is
ldap://directory.AnyCorp.com/o=
Entrust,c=ca, then the policy entry could be
cn=Some Entry, ou=R and D to represent the
DN cn=Some Entry,ou=R and
D,o=Entrust,c=ca.
identityguard.ldap.sslEnabled
Specifies if you are using a secure SSL connection to
the directory. If set to true, you must direct the
identityguard.ldap.url to a secure LDAP
port.
For more information, see the section “To import the
LDAP SSL certificate” on page 233.
identityguard.ldap.addUserObjectClass
Indicates whether the Entrust IdentityGuard Server
should add the user object class when setting up an
Entrust IdentityGuard user, or if it is expected to
already be present.
Set to false for Active Directory and to true for
an LDAP directory.
identityguard.ldap.addAdminObjectClass Indicates whether the Entrust IdentityGuard Server
should add the admin object class when setting up
an Entrust IdentityGuard administrator, or if it is
expected to already be present.
Set to false for Active Directory and to true for
an LDAP directory.
262
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 15: LDAP directory properties (continued)
Property
Description
identityguard.ldap.addPolicyObjectClass
Indicates whether the Entrust IdentityGuard Server
should add the policy object class when setting up
the Entrust IdentityGuard policy, or if it is expected
to already be present.
Set to false for Active Directory and to true for
an LDAP directory.
To edit the remaining LDAP properties in this table (listed below), you must first add them to the
identityguard.properties file. If a property is not included in the file, Entrust
IdentityGuard uses the default value for that property as given here.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
263
Table 15: LDAP directory properties (continued)
Property
Description
identityguard.ldap.searchbase
Required. url.<name>=
Define one or more search bases where users can be
located. See “Configuring additional search bases”
on page 260.
For example, a search base called sbase1 looks like
this:
identityguard.ldap.searchbase.url.sbas
e1=ldap://mydirectoryhost:389/ou=Peopl
e,dc=AnyCorp,dc=com
You cannot name a search base “default” because
that is a reserved search base name. See the Entrust
IdentityGuard Administration Guide for more
details.
Note: Entrust IdentityGuard configuration
automatically converts spaces in the LDAP base DN
to %20. If you edit the LDAP base DN after
installation in the identityguard.properties
file, remember to replace spaces with %20.
Optional. The following settings are optional and
may be configured for each search base:
• principal.<name>=
• credentials.<name>=
• connecttimeout.<name>=
• searchtimeout.<name>=
• sizelimit.<name>=
• sslEnabled.<name>=
• useridattribute.<name>=
• userObjectClass.<name>=
• useridcasesensitive.<name>=
• addUserObjectClass.<name>
• adminObjectClass.<name>=
• addAdminObjectClass.<name>=
• connectionpool.max.<name>=
• connectionpool.minIdleCloseTime.<name>=
• connectionpool.closeSchedule.<name>=
264
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 15: LDAP directory properties (continued)
Property
Description
identityguard.ldap.searchbase
(continued)
The identityguard.ldap.searchbase
.useridattribute.<name> property defaults to
the default value for the
identityguard.ldap.useridattribute.
The other optional settings default to the
corresponding value of the default search base.
identityguard.ldap.searchtimeout
Length of time in milliseconds that Entrust
IdentityGuard waits when searching the LDAP
directory before giving up and returning an error.
Default is 30000 (30 seconds).
identityguard.ldap.sizelimit
Maximum number of entries to return in a single
LDAP search.
Default is 1000.
identityguard.ldap.userObjectClass
LDAP directory object class used to allow the user
attributes to be added to an entry.
Default is entrustIGUser.
identityguard.ldap.adminObjectClass
LDAP directory object class used to allow the
administrator attributes to be added to an entry.
Default is entrustIGAdmin.
identityguard.ldap.policyObjectClass
LDAP directory object class used to allow the policy
attributes to be added to an entry.
Default is entrustIGPolicy.
identityguard.ldap.connectionpool.max
The maximum number of connections that can be
kept in the LDAP directory connection pool. An
Entrust IdentityGuard service will not open more
connections to the directory than this value.
Default is 10.
identityguard.ldap.connectionpool.
minIdleCloseTime
The minimum number of milliseconds a connection
to the LDAP directory can be idle for before being
closed.
Default is 180000 (3 minutes).
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
265
Table 15: LDAP directory properties (continued)
Property
Description
identityguard.ldap.connectionpool.
closeSchedule
The number of milliseconds between each check for
idle LDAP directory connections and closure of those
idle longer than the value set in the
minIdleCloseTime setting.
Set to 0 to disable closing idle connections.
Default is 180000 (3 minutes).
identityguard.ldap.GeneralizedTimeWithS Some directories do not support generalized time
ubSecs
attributes that contain subseconds, while other
directories require them. If this value is set to true,
generalized time is formatted with subseconds.
Default is true.
Note: This must be false when using a Novell
eDirectory as your repository.
identityguard.ldap.useReplace
266
IdentityGuard 8.1 Installation Guide
Set this to true only if you use Oracle Internet
Directory as your repository.
Document issue: 3.0
Feedback on guide
Configuring database properties
To change the way the database is used by the Entrust IdentityGuard Server, go to
the Database Server Settings section of the identityguard.properties file and
add or edit the properties described in Table 16 on page 267.
If you are using a database, the properties marked Required in the table must have
values defined in the identityguard.properties file. These values are added to
the identityguard.properties file during the configuration that you completed
during the installation.
Table 16: JDBC properties
Property
Description
identityguard.jdbc.connectionpool.closeSchedule The number of milliseconds between each
check for idle database connections and
closure of those idle longer than the value set
in the minIdleCloseTime setting.
Set to 0 to disable closing idle connections.
Default is 180000 (3 minutes).
identityguard.jdbc.connectionpool.max
The maximum number of connections that
can be kept in the database connection pool.
An Entrust IdentityGuard service will not
open more connections than this value.
If the database server cannot accept this
number of connections, Entrust
IdentityGuard may return errors when trying
to open some of its connections.
Default is 10.
identityguard.jdbc.connectionpool.minIdleClose
Time
The minimum number of milliseconds a
connection to the database can be idle before
it is considered for closing.
Default is 180000 (3 minutes).
identityguard.jdbc.logintimeout
Number of seconds that Entrust
IdentityGuard will wait for the database login
operation to complete.
Default is 30 seconds.
identityguard.jdbc.querytimeout
Number of seconds that Entrust
IdentityGuard will wait for the database to
perform an operation. A value of 0 means
that the connection will never time out.
Default is 0.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
267
Table 16: JDBC properties (continued)
Property
Description
identityguard.jdbc.driverClass
Required.
The class name of the JDBC driver. This value
is entered during configuration.
identityguard.jdbc.password
Required.
The password of the database user name
entered during configuration.
identityguard.jdbc.schema
Required.
The database schema name entered during
configuration.
identityguard.jdbc.url
Required.
The database URL entered during
configuration.
identityguard.jdbc.user
Required.
The database user name entered during
configuration.
identityguard.jdbc.needsEscape
Indicates whether Entrust IdentityGuard
should use escape characters in an SQL
Where clause. If you are using a MySQL
database, set this to false.
Default is true.
identityguard.jdbc.timestampDataType
Determines how timestamp expressions are
formatted in an SQL Where clause. If you set
this property to true, the SQL Where clause
will include the TIMESTAMP datatype.
This setting should be true for Oracle and
false for DB2 and SQL Server.
Default is true.
identityguard.jdbc.blobAccess
If you are using SQL Server, set this to false.
Default is true.
268
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 16: JDBC properties (continued)
Property
Description
identityguard.jdbc.selectLock
Defines what SQL syntax is used to lock the
policy when it is updated. Different
databases use different syntaxes. The
supported values are:
• forupdate - Oracle
• withrr - DB2
• withupdlock - SQL Server
If not set or an invalid value is provided, it
defaults to forupdate.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
269
Enabling cached challenges
By default, Entrust IdentityGuard uses a persistent repository to store challenges in
the time between the getChallenge request and the authenticate request.
Improve performance of your Entrust IdentityGuard system by using a cache for the
challenge repository. The cache repository holds the challenge in memory and writes
the challenge to the persistent repository after a period of time. Normally, the
authenticate request is received within that time period, then the challenge is
removed from the repository.
Attention: If you enable cached challenges, you should not create replicas of
the Entrust IdentityGuard Server since the cache is not shared between the
replicas. Or, you must ensure “session stickiness” (that is, the entire session is
completed by one Entrust IdentityGuard Server.
Attention: It is recommended that you back up the
identityguard.properties file before you make changes to it. For
instructions on backing up files, see “Planning a backup strategy” on page 244.
To enable cached challenges
1
In identityguard.properties,change the following settings:
•
for an LDAP repository, change
identityguard.challengerepository.impl=com.entrust.identityGuard.c
ardManagement.dataAccess.ldap.LdapChallengeRepository
to:
identityguard.challengerepository.impl=com.entrust.identityGuard.c
ardManagement.dataAccess.cache.CacheChallengeRepository
•
for a database, change
identityguard.challengerepository.impl=com.entrust.identityGuard.c
ardManagement.dataAccess.jdbc.JdbcChallengeRepository
to:
identityguard.challengerepository.impl=com.entrust.identityGuard.c
ardManagement.dataAccess.cache.CacheChallengeRepository
2
Add the following setting:
•
270
for an LDAP repository:
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
identityguard.challengerepository.cache.persistentrepository.impl=
com.entrust.identityGuard.cardManagement.dataAccess.ldap.LdapChall
engeRepository
•
for a database:
identityguard.challengerepository.cache.persistentrepository.impl=
com.entrust.identityGuard.cardManagement.dataAccess.jdbc.JdbcChall
engeRepository
3
Optionally, add the following setting, which defines how long (in seconds) a
challenge remains in the cache before it is written to the persistent repository. The
default value is 180 (3 minutes):
identityguard.challengerepository.cache.timeout=180
4
Optionally, add the following setting, which controls the maximum size (in
number of challenges) of the challenge cache. If the setting is not set, or is an
invalid value or a non-positive number, the cache size defaults to infinite.
identityguard.challengerepository.cache.maxsize=1000
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
271
Caching policies
Edit the identityguard.properties file to control the length of time a policy is
cached (before the repository is checked for new policy definitions). The policy
caching setting is
identityguard.policyRepository.cacheTimeout=<number of
milliseconds>
The default is 30000 milliseconds (30 seconds). Set the value to 0 to disable policy
caching and enable the policy to be accessed from the repository on every operation.
Note: Disabling policy caching could delay performance.
272
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Changing log configuration
Edit the identityguard.properties file to change certain UNIX logging
behaviors.
Note: Changes to log settings take effect almost immediately.
In the Logging Configuration Settings section of identityguard.properties,
remove the comment marks before and after the logging settings to change the
default value, if necessary.
Table 17 describes the settings you can edit.
Table 17: UNIX Logging configuration settings
Logging configuration setting
Description
identityguard.refreshinterval
Defines how frequently the configuration is
checked for changes to the log settings.
Default is 10 seconds.
identityguard.log.maxstacksize
Defines the number of stack frames that are
logged for errors.
The default value, 0, means that no stack trace is
logged.
log4j.rootLogger
Defines the logging level of the root logger, and
the destination of any messages logged by the
root logger. The root logger may catch errors not
specifically logged by Entrust IdentityGuard, but
occur within the application server. The default
setting is WARN, and the appender will depend
on the choices made during installation.
Default is WARN, (other options are:
SYSTEM_SYSLOG or SYSTEM_FILELOG).
log4j.logger.IG.AUDIT
Defines the audit level of Entrust IdentityGuard
and the destination of the logged audits. The
default setting is ALL, and the appender will
depend on the choices made during installation.
Default is ALL, (other options are:
AUDIT_SYSLOG or AUDIT_FILELOG).
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
273
Table 17: UNIX Logging configuration settings (continued)
Logging configuration setting
Description
lo4j.logger.IG.SYSTEM
By default, all system log levels WARN and above
are logged.
• To reduce system logging, change WARN to
ERROR or OFF.
• To increase system logging (for example, for
troubleshooting) change WARN to INFO,
DEBUG, or ALL.
Default is WARN.
log4j.additivity.IG.AUDIT
Defines whether Entrust IdentityGuard audits
should also be added to the root logger.
Leave this value set to the default, false.
log4j.additivity.IG.SYSTEM
Defines whether Entrust IdentityGuard system
logs should also be added to the root logger.
This value should remain set to the default,
false.
log4j.appender.AUDIT_SYSLOG
Defines the log4j appender to use for audit logs.
This should not be changed.
This value should remain set to the default,
org.apache.log4j.net.SyslogAppender.
log4j.appender.AUDIT_SYSLOG.SyslogHost
Defines the Syslog host that logging information
is sent to.
If using Syslog, the default is localhost. If using
file logging, the default is $log_host}.
log4j.appender.AUDIT_SYSLOG.Facility
Defines the Syslog facility that is used to audit
logs.
Default is local1.
log4j.appender.AUDIT_SYSLOG.layout
The log4j class that converts a logging event into
a message string to be printed in the logs.
Default is
org.apache.log4j.PatternLayout.
log4j.appender.AUDIT_SYSLOG.layout
.ConversionPattern
The format of the converted logging event. See
the log4j documentation for further information.
Default is [%t] [%-5p] [%c] %m%n.
274
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 17: UNIX Logging configuration settings (continued)
Logging configuration setting
Description
log4j.appender.SYSTEM_SYSLOG
Defines the log4j appender to use for system logs.
This should not be changed.
Default is
org.apache.log4j.net.SyslogAppender.
log4j.appender.SYSTEM_SYSLOG
.SyslogHost
Defines the Syslog host to which logging
information is sent.
Default is localhost.
log4j.appender.SYSTEM_SYSLOG.Facility
Defines the Syslog facility that is used by Entrust
IdentityGuard system logs.
Default is local2.
log4j.appender.SYSTEM_SYSLOG.layout
The log4j class that converts a logging event into
a message string to be printed in the logs.
Default is
org.apache.log4j.PatternLayout.
log4j.appender.SYSTEM_SYSLOG.layout
.ConversionPattern
The format of the converted logging event.
Please see the log4j documentation for further
information.
Default is [%t] [%-5p] [%c] %m%n.
log4j.appender.AUDIT_FILELOG
Defines the appender that is used if audit events
are logged to files.
This value should remain set to the default,
org.apache.log4j.RollingFileAppender.
log4j.appender.AUDIT_FILELOG.File
Defines the location of the audit log.
Default is:
$IDENTITYGUARD.HOME/etc/audit.log
log4j.appender.AUDIT_FILELOG.MaxFileSize Defines the maximum size of a log file before
rolling over to a new empty file.
Default is 1000KB.
log4j.appender.AUDIT_FILELOG
.MaxBackupIndex
Defines the number of previous log files to keep
as a history.
Default is 10.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
275
Table 17: UNIX Logging configuration settings (continued)
Logging configuration setting
Description
log4j.appender.AUDIT_FILELOG.layout
The log4j class that converts a logging event into
a message string to be printed in the logs.
Default is
org.apache.log4j.PatternLayout.
log4j.appender.AUDIT_FILELOG.layout
.ConversionPattern
The format of the converted logging event.
Please see the log4j documentation for further
information.
Default is [%d] [%t] [%-5p] [%c] %m%n.
log4j.appender.SYSTEM_FILELOG
Defines the appender that is used if audit events
are logged to files.
This value should remain set to the default,
org.apache.log4j.RollingFileAppender.
log4j.appender.SYSTEM_FILELOG.File
Defines the location of the audit log.
Default is: $IDENTITYGUARD.HOME/etc/
system.log
log4j.appender.SYSTEM_FILELOG
.MaxFileSize
Defines the maximum size of a log file before
rolling over to a new empty file.
Default is 1000KB.
log4j.appender.SYSTEM_FILELOG
.MaxBackupIndex
Defines the number of previous log files to keep
as a history.
Default is 5.
log4j.appender.SYSTEM_FILELOG
.layout
The log4j class that converts a logging event into
a message string to be printed in the logs.
Default is
org.apache.log4j.PatternLayout.
log4j.appender.SYSTEM_FILELOG.layout
.ConversionPattern
The format of the converted logging event.
Please see the log4j documentation for further
information.
Default is [%d] [%t] [%-5p] [%c] %m%n.
276
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Changing log locations on UNIX
If you chose to log to Syslog when you installed Entrust IdentityGuard, you can
reconfigure to log to a file, or, if you chose to log to a file, you can reconfigure so as
to log to Syslog.
To switch between a log file and Syslog, edit the following:
log4j.rootLogger=WARN, SYSTEM_<FILELOG> or <SYSLOG>
log4j.logger.IG.AUDIT=ALL, AUDIT_<FILELOG> or <SYSLOG>
log4j.logger.IG.SYSTEM=WARN, SYSTEM_<FILELOG> or <SYSLOG>
For example, to switch logging from files to Syslog, change
log4j.rootLogger=WARN, SYSTEM_FILELOG to
log4j.rootLogger=WARN, SYSTEM_SYSLOG.
If you are switching logging from files to Syslog, you will need to edit the following
two entries in identityguard.properties and replace ${log_host} with the
host name of your Syslog server. Use the value localhost if the Syslog server is
running on the local host.
log4j.appender.AUDIT_SYSLOG.SyslogHost=${log_host}
log4j.appender.SYSTEM_SYSLOG.SyslogHost=${log_host}
For example, if the Syslog server is running on the localhost, change the two entries
to:
log4j.appender.AUDIT_SYSLOG.SyslogHost=localhost
log4j.appender.SYSTEM_SYSLOG.SyslogHost=localhost
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
277
Configuring master user shell
formatting
Certain identityguard.properties file settings define the column widths
(measured in characters) of the output displayed by any of the list commands (for
example, user list, user card list, admin list, token list, and so on).
To change column width, add the following properties to
identityguard.properties and change the numeric value associated with the
fields in Table 18 through Table 22.
Table 18: User list column widths
Property
Description
identityguard.supersh.userlist.width.userid
Indicates the width of the user ID field.
Default is 14.
identityguard.supersh.userlist.width.haspin
Indicates the width of the temporary PIN
field.
Default is 9.
identityguard.supersh.userlist.width.numcards
Indicates the width of the number of cards
field.
Default is -1, meaning the remainder of the
width of your screen.
Table 19: User card list column widths
Property
Description
identityguard.supersh.usercardlist.width.userid
Indicates the width of the user ID field.
Default is 14.
identityguard.supersh.usercardlist.width.sernum
Indicates the width of the serial number
field.
Default is 14.
identityguard.supersh.usercardlist.width.state
Indicates the width of the state field.
Default is 9.
identityguard.supersh.usercardlist.width.create
Indicates the width of the creation date field.
Default is 19.
278
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 19: User card list column widths
Property
Description
identityguard.supersh.usercardlist.width.expire
Indicates the width of the expiry date field.
Default is -1, meaning the remainder of the
width of your screen.
Table 20: Preproduced cards column width
Property
Description
identityguard.supersh.preproducedcardlist.width. Indicates the width of the preproduced card
sernum
serial number field.
Default is 14.
identityguard.supersh.preproducedcardlist.width. Indicates the width of the preproduced card
create
creation date field.
Default is -1, meaning the remainder of the
width of your screen.
Table 21: Administrator list column width
Property
Description
identityguard.supersh.adminlist.width.userid
Indicates the width of the administrator ID
field.
Default is 20.
identityguard.supersh.adminlist.width.state
Indicates the width of the administrator
state field.
Default is -1, meaning the remainder of the
width of your screen.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
279
Table 22: Token list column width
Property
Description
identityguard.supersh.tokenlist.width.pinsupport
ed
Indicates the width of the PIN Supported
field.
Default is 12 for tokens that support token
PINs; otherwise false.
280
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring license auditing
Entrust IdentityGuard services performs a periodic license audit. The
identityguard.properties file settings in Table 23 control the audit behavior.
License auditing helps you determine when to renew your license or when you are
about to run out of user licenses. When you reach your license limits, contact Entrust
for more licenses.
Table 23: Audit settings
Property
Description
identityguard.audit.integrity.enabled
Enables the audit integrity check.
Default is true.
identityguard.audit.integrity.interval
Number of hours between audit integrity checks.
Default is 24.
identityguard.audit.integrity.count_limit
If set to a positive integer value, an audit is
generated when the user count gets to within the
given value of the license limit.
Default is 0. If the license has expired, the license
expired audit is generated regardless of the count
limit.
identityguard.audit.integrity.time_limit
If set to a positive integer value, an audit is
generated when the current date gets to within the
given number of days of the license expiry.
Default is 0.
The audit is enabled on all replicas of the Entrust IdentityGuard Server. To prevent
duplicate audits from being generated on replica Entrust IdentityGuard servers, use
the identityguard.audit.integrity.enabled property is to disable the audit
integrity check on all but one of the replicas.
The audit integrity check will only run for the first time after the interval has passed.
This means that if the service is always restarted within that interval, the audit
integrity is never executed.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
281
Configuring the Entrust IdentityGuard
Radius proxy properties
When you configure the Radius proxy, it sets many of the properties in the
identityguard.properties file. However, you need to edit this file to customize
the grid and token challenge strings and other features. Edit the properties described
in the following table to modify behavior of the Entrust IdentityGuard Radius proxy.
Note: With the exception of log settings, you must restart the Radius proxy for
property changes to take effect. See the section “Managing the Radius proxy”
on page 196.
Note: When users see a challenge message through VPN, they must enter their
response as one continuous string. There is no user interface form to separate and
parse entries as people expect when using Entrust IdentityGuard. For example, if
a user’s card cells A3, H4 and J1 have the numbers 4, 8, and 9, the response to
this message
Enter a response to the challenge [A3] [H4] [J1] using a card
with serial number 1952
must be 489 with no spaces or punctuation.
Table 24: Radius proxy configuration settings
Property
Description
identityguard.igradius.url
Provides the URL of the Entrust IdentityGuard
server.
If not specified, it defaults to
http://localhost:8080/IdentityGuard
AuthService/services/Authentication
Service.
If the default is used, Entrust IdentityGuard
changes this to the value of
identityguard.authservice.https.url
during configuration.
282
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.port
Provides the port used by the Entrust
IdentityGuard Radius proxy for first-factor
authentication.
If not specified, it defaults to 1812.
If you use a Radius server for first-factor
authentication and your VPN server recognizes
different groups of users, use this property to
specify a series of ports and direct those groups
to different ports. For example, if you want
requests for one group to be sent to port 1812
and requests for another group to be sent to
port 1813, configure the property like this:
identityguard.igradius.port=1812
1813
No additional ports are needed for groups for
other first-factor authentication methods.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
283
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.challengestring
This property sets the contents of the default
Radius proxy challenge message for grid
authentication.
Note: This is one of six properties related to the
challenge a user may see. At the very least, this
property should be set as a default. Some or all
of the other properties may be set to provide
greater control over the challenges that apply
to users with multiple cards and/or a PIN.
The content consists of a string and one to
three placeholders. The placeholders are:
{0} = the challenge string
{1} = the serial number of the first card
{2} = the serial number of the second card.
The placeholders are filled in when the message
appears. For example, this setting
Enter a response to the challenge
{0} using cards with serial number
{1} or {2}
would result in a message like this:
Enter a response to the challenge
[A1] [B2] [C3] using cards with
serial number 1234 or 2345.
Users never have more than two valid cards:
the current card and the pending card. A user
may have a PIN and no card, or a PIN with one
or two cards.
If there is no challenge specified, this property
defaults to: Enter the response for
IdentityGuard challenge {0}. If there is
no value for {0}, no challenge is sent.
284
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.challengestring
.twocardswithpin
This is one of six properties related to the
challenge a grid user sees. It takes effect when
the user has two cards and a valid PIN.
The format of the string is tailored to this
scenario: “Enter a response to the
challenge {0} using cards with
serial number {1} or {2} or your
temporary PIN.”
If not set, it defaults to the value of
igradius.challengestring.
identityguard.igradius.challengestring
.twocardsnopin
This is one of six properties related to the
challenge a grid user sees. It takes effect when
the user has two cards and no valid PIN.
The format of the string is tailored to this
scenario: “Enter a response to the
challenge {0} using cards with
serial number {1} or {2}.”
If not set, it defaults to the value of
igradius.challengestring.
identityguard.igradius.challengestring
.onecardwithpin
This is one of six properties related to the
challenge a grid user sees. It takes effect when
the user has one card and a valid PIN.
The format of the string is tailored to this
scenario: “Enter a response to the
challenge {0} using a card with
serial number {1} or your temporary
PIN.”
If not set, it defaults to the value of
igradius.challengestring.
identityguard.igradius.challengestring
.onecardnopin
This is one of six properties related to the
challenge a grid user sees. It takes effect when
the user has one card but no valid PIN.
The format of the string is tailored to this
scenario: “Enter a response to the
challenge {0} using a card with
serial number {1}.”
If not set, it defaults to the value of
igradius.challengestring.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
285
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.challengestring
.nocardwithpin
This is one of six properties related to the
challenge a grid user sees. It takes effect when
the user has no cards but has a valid PIN.
The format of the string is tailored to this
scenario: “Enter a response to the
challenge {0} using your temporary
PIN.”
If not set, it defaults to the value of
igradius.challengestring.
identityguard.igradius.tokenchallengestring
This property sets the contents of the default
Radius proxy challenge message for token
authentication.
Note: This is one of eight properties related to
the challenge a token user may see. At the very
least, this property should be set as a default.
Some or all of the properties may be set to
provide greater control over the challenges that
apply to token users.
The content consists of a string and one or two
placeholders. The placeholders are:
{0} = the serial number of the first token
{1} = the serial number of the second token.
The placeholders are filled in when the message
appears. For example, this setting
Enter the response to the token with
serial number {0}.
would result in a message like this:
Enter the response to the token with
serial number 92776.
Users never have more than two valid tokens:
the current token and the pending token. A
user may have a temporary PIN and no token,
or a temporary PIN with one or two tokens.
If there is no challenge specified, this property
defaults to: Enter the response from
your Entrust IdentityGuard token.
286
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.tokenchallengestring
.twotokenswithpin
This is one of eight properties related to the
challenge a token user sees. It takes effect
when the user has two tokens and a valid
temporary PIN.
The format of the string is tailored to this
scenario: “Enter the response to the
token with serial number {0} or {1}
or your temporary PIN.”
If not set, it defaults to the value of
igradius.tokenchallengestring.
identityguard.igradius.tokenchallengestring
.twotokensnopin
This is one of six properties related to the
challenge a token user sees. It takes effect
when the user has two tokens and no valid
temporary PIN.
The format of the string is tailored to this
scenario: “Enter the response to the
token with serial number {0} or
{1}.”
If not set, it defaults to the value of
igradius.tokenchallengestring.
identityguard.igradius.tokenchallengestring
.onetokenswithpin
This is one of eight properties related to the
challenge a token user sees. It takes effect
when the user has one token and a valid
temporary PIN.
The format of the string is tailored to this
scenario: “Enter the response to the
token with serial number {0} or your
temporary PIN.”
If not set, it defaults to the value of
igradius.tokenchallengestring.
identityguard.igradius.tokenchallengestring
.onetokennopin
This is one of eight properties related to the
challenge a token user sees. It takes effect
when the user has one token and no valid
temporary PIN.
The format of the string is tailored to this
scenario: “Enter the response to the
token with serial number {0}.”
If not set, it defaults to the value of
igradius.tokenchallengestring.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
287
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.tokenchallengestring
.notokenswithpin
This is one of eight properties related to the
challenge a token user sees. It takes effect
when the user has no token but has a valid
temporary PIN.
The format of the string is tailored to this
scenario: “Enter your temporary PIN.”
If not set, it defaults to the value of
igradius.tokenchallengestring.
identityguard.igradius.tokenchallengestring.on This is one of eight properties related to the
etokenrequirespinupdate
challenge a token user sees and applies only to
tokens that support token PINs. Not needed for
Entrust tokens.
Add this property if you want to alert the user
that the static token PIN for a token needs an
update. It takes effect when the user has just
one token. The message is appended to the
token challenge string message.
The format of the string is tailored to this
scenario: “The static PIN for the token
with serial number {0} needs to be
updated.”
identityguard.igradius.tokenchallengestring.tw This is one of eight properties related to the
otokensrequirespinupdate
challenge a token user sees and applies only to
tokens that support token PINs. Not needed for
Entrust tokens.
Add this property if you want to alert the user
that the static token PINs for the current and
pending token need an update. The message is
appended to the token challenge string
message.
The format of the string is tailored to this
scenario: “The static PINs for the
tokens with serial number {0} and
{1} need to be updated.”
288
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.skipauth.noexist
Specifies how to deal with users who do not
exist in Entrust IdentityGuard.
If set to true, the user can log in without being
prompted for Entrust IdentityGuard
authentication.
If set to false, the user login attempt
generates an error.
If not specified, it defaults to false.
identityguard.igradius.skipauth.noactive
Sets how to deal with users who exist in Entrust
IdentityGuard but who do not have an active
card or a temporary PIN.
If set to true, the user can log in without being
prompted for Entrust IdentityGuard
authentication.
If set to false, the user login attempt
generates an error.
If not specified, it defaults to false.
identityguard.igradius.msglog.enabled
If set to true, Radius messages are logged to
the file specified by the property
identityguard.igradius.msglog.file
(described below). Default is false.
identityguard.igradius.msglog.file
Provides the name of the file that logs Radius
messages. If the property does not provide an
absolute path name, the file is created in:
$IDENTITYGUARD_HOME/logs or
<IG_INSTALL_DIR>\identityguard81\lo
gs
If you enable logging on the property
identityguard.igradius.msglog.enabl
ed (described above) but this property is not
set or is not a valid file name, it generates errors
and sends them to the system log.
identityguard.igradius.vpnrequests
Provides the size of the VPN state table, that is,
the number of outstanding requests from the
VPN.
If not specified, it defaults to 1000.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
289
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.vpnrequiremsgauth
If this property is set to true, incoming
messages from the VPN server must include the
Message-Authenticator attribute. If the
attribute is not found, the message is ignored.
If not specified, it defaults to false.
identityguard.igradius.vpntimeout
Provides the number of seconds that the Radius
proxy will wait for a response from the VPN
server.
If not specified, it defaults to 180 seconds.
identityguard.igradius.radiustimeout
Provides the number of seconds that the Radius
proxy will wait for a response from the Radius
server.
If not specified, it defaults to 10 seconds.
identityguard.igradius.radiusrequiremsgauth
If this property is set to true, incoming
messages from the Radius server must include
the Message-Authenticator attribute. If
the attribute is not found, the message is
ignored.
If not specified, it defaults to false.
identityguard.igradius.vpnincludemsgauth
This determines if outgoing messages to the
VPN server include the
Message-Authenticator attribute. Set this
to false if the VPN server does not
understand the attribute and rejects messages
as a result.
If not specified, it defaults to true.
identityguard.igradius.radiusincludesmsgauth
This determines if outgoing messages to the
Radius server include the
Message-Authenticator attribute. Set this
to false if the Radius server does not
understand the attribute and rejects messages
as a result.
If not specified, it defaults to true.
identityguard.igradius.radius.{0}.address
290
IdentityGuard 8.1 Installation Guide
This is the Radius server address. It is set when
you configure the Radius server. The {0}
placeholder is replaced by the Radius server
name.
Document issue: 3.0
Feedback on guide
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.radius.{0}.secret
This is the Radius server secret set when you
configure the Radius server. The value is usually
encrypted. The {0} placeholder is replaced by
the Radius server name.
identityguard.igradius.vpn.{0}.charset
This specifies the character set used to decode
user names sent by the VPN server and encode
messages sent back to the server. Allowed
values are UTF-8 and ISO-8859-1.
If not specified, the Radius proxy expects
UTF-8. The character set is only a concern
when extended characters are part of the
names. The {0} placeholder is replaced by the
VPN server label.
identityguard.igradius.vpn.{0}.group
This optional setting specifies the group the
VPN server is associated with. The {0}
placeholder is replaced by the VPN server label.
For information on using this and other VPN
property options, see “Configuring the Radius
proxy for groups” on page 175.
identityguard.igradius.vpn.{0}.host
This is the host of the VPN server set when you
configure the Radius server. The {0}
placeholder is replaced by the VPN server label.
identityguard.igradius.vpn.{0}.igport
This optional setting specifies the port the VPN
server is associated with. The {0} placeholder is
replaced by the VPN server label.
identityguard.igradius.vpn.{0}.processbackslash Converts group and user name pairs in the
form “group\name” coming through the
Radius proxy into the form “group/name.”
identityguard.igradius.vpn.{0}.processat
Converts group and user name pairs in the
form “name@group” coming through the
Radius proxy into the form “group/name.”
identityguard.igradius.vpn.{0}.radius
This specifies the Radius server associated with
the VPN server. The {0} placeholder is replaced
by the VPN server label.
identityguard.igradius.vpn.{0}.secret
This is the VPN server secret set when you
configure the Radius server. The value is usually
encrypted. The {0} placeholder is replaced by
the VPN server label.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
291
Table 24: Radius proxy configuration settings (continued)
Property
Description
identityguard.igradius.vpn.{0}.useradius
This stores the results of the prompt for the
type of first-factor authentication resource to
use. When set to true, Radius is used. When
set to false, an external authentication
resource is used. The {0} placeholder is replaced
by the VPN server label.
If not specified, it defaults to true.
292
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring external authentication
properties
You can configure the Entrust IdentityGuard Radius proxy component to use an
external authentication resource (Windows domain controller or an LDAP directory)
for first-factor authentication instead of a Radius server. See “Using the Radius proxy
with a domain controller or LDAP directory” on page 187. As part of that operation,
you must enter and set properties in the identityguard.properties file, as
described in the following table.
Table 25: Radius proxy configuration settings for external authentication
Property
Description
identityguard.externalauth.impl
This setting refers to the name of the Entrust
IdentityGuard Java class used for external
authentication. There are separate classes for a
Windows domain controller and an LDAP
directory.
identityguard.externalauth.impl.<group>
When specified without a group name, it
creates the global or default setting for users.
When specified with an Entrust IdentityGuard
group name, it sets the authentication resource
to use for members of that group. This way,
you can direct different groups to different
authentication resources.
If all entries for this property include a group
name (that is, there is no entry without a
group), this means there is no default and only
the users in the specified groups can use
external authentication.
identityguard.igradius.vpn.{0}.useradius
This stores the results of the prompt for the
type of first-factor authentication resource to
use. When set to true, Radius is used. When
set to false, an external authentication
resource is used.
If not specified, it defaults to true.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
293
Table 25: Radius proxy configuration settings for external authentication (continued)
Property
Description
identityguard.externalauth.kerberos.realm
If you are using a domain controller, specify the
server acting as the Kerberos realm. Give the
identityguard.externalauth.kerberos.realm.<gr
DNS name in uppercase.
oup>
When specified without a group name, it
creates the global or default setting for users.
When specified with an Entrust IdentityGuard
group name, it sets the realm to use for
members of that group.
Note: When you specify this property, you also
need to include the server information for the
KDC server in igkrb5.conf file located:
• on UNIX, in $IDENTITYGUARD_HOME/etc/
• on Windows, in <IG_INSTALL_DIR>\etc\
For more information, see “Configuring Entrust
IdentityGuard for external authentication” on
page 202.
identityguard.externalauth.kerberos.kdc
Obsolete.
identityguard.externalauth.kerberos.kdc.<grou
p>
294
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring token properties
Entrust IdentityGuard supports Entrust tokens and some third-party tokenstokens.
For details on which tokens are supported, refer the Entrust TrustedCare Online Web
site.
Note: Entrust IdentityGuard does not support ActivIdentity tokens.
Table 26: Token properties
Property
Description
identityguard.token.impl
Refers to the class name of the token library. For
Entrust tokens, the property either does not exist or is
blank. For Entrust tokens, there is an implied default
of:
com.entrust.identityGuard.common.token.
activIdentity.ActiveIdentityTokenManager
For other token vendors, add this property and set it to
the applicable class name.
identityguard.token.configfile
Names the token configuration file, if used. Choose a
name, such as token.conf, and place it:
• on UNIX, in $IDENTITYGUARD_HOME/etc/
• on Windows, in <IG_INSTALL_DIR>\etc\
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
295
Configuring the Administration
interface properties for bulk operations
It may take the Administration interface a significant period of time to process large
bulk files, and processing may consume significant amounts of memory. Entrust
IdentityGuard provides properties to manage resources used for bulk operations.
Table 27: Administration interface settings for bulk operations
296
Property
Description
identityguard.webadmin.bulk.maxFileSize
Limits the size of files imported for bulk
operations. Enter a value in bytes. The default
is 50 MB (52428800 bytes). If you attempt to
load a bulk file that exceeds the set limit, the
Administration interface cancels the operation
and displays an error message.
identityguard.webadmin.bulk.inMemoryThres
hold
Sets the maximum amount of memory used for
bulk operations. Entrust IdentityGuard writes
large bulk files to disk and caches them when
they exceed the set size. Enter a value in bytes.
The default is 1 MB (1048576 bytes).
identityguard.webadmin.url
Contains the URL of the Administration
interface. It is set during installation
configuration.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Configuring the Administration
interface to control the output format
Entrust IdentityGuard provides properties to manage the output of export operations.
Table 28: Administration interface settings for export operations
Property
Description
identityguard.export.csv
By default, files exported through the
Administration interface are in XML format. Set
this to true to have all files exported in
comma-separated-value (CSV) format. The
default is false.
identityguard.export.dir
This setting defines the directory on the Entrust
IdentityGuard server to which the export files
are written. The default setting is
$IDENTITYGUARD_HOME/export.
Configuring the Entrust IdentityGuard Server properties file
Feedback on guide
297
298
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Appendix B
Upgrading Entrust IdentityGuard
Server on Linux
You can upgrade Entrust IdentityGuard Server on Linux from a previous installation
of Entrust IdentityGuard version 7.2 or 8.0 installed on Linux.
Attention: To install an upgrade or patch, you must use the same account used
to originally install Entrust IdentityGuard.
Note: When upgrading Entrust IdentityGuard Server from version 7.2, all
existing administrators are assigned to the new default role and group in Entrust
IdentityGuard 8.1. There were no roles or groups in 7.2.
Topics in this appendix:
•
“Upgrading Entrust IdentityGuard Server 7.2 to 8.1” on page 299
•
“Upgrading Entrust IdentityGuard Server from 8.0 to 8.1” on page 302
Upgrading Entrust IdentityGuard Server 7.2 to
8.1
Complete the following steps to upgrade to Entrust IdentityGuard 8.1 directly from
version 7.2.
To upgrade Entrust IdentityGuard Server 7.2 to 8.1
1
Update your LDIF or SQL schema to apply to Entrust IdentityGuard 8.1. Refer to
the specific schema configuration instructions for your directory or database in
299
either the Entrust IdentityGuard Directory Configuration Guide or the Entrust
IdentityGuard Database Configuration Guide.
2
Download the Entrust IdentityGuard 8.1 software. To do so, complete the steps
in “Downloading Entrust IdentityGuard software” on page 21.
3
Follow the instructions under“Installing Entrust IdentityGuard Server” on
page 33.
4
The Entrust IdentityGuard installation detects version 7.2 and displays the
following prompt:
Entrust IdentityGuard 7.2 is installed.
Do you wish to install Entrust IdentityGuard 8.1 and upgrade the
7.2 data? [yes or no]
Enter yes to continue with the upgrade. You are prompted to manually back up
your configuration settings.
5
Manually back up your configuration settings if the master key file is not in the
default location (default location,
$IDENTITYGUARD_HOME/etc/masterkeys.enc).
When you upgrade Entrust IdentityGuard, a copy of the existing configuration is
made (so you can restore it later in this installation procedure) only if this file is in
the default location.
Attention: If you want to override the default configuration, do not store the
configuration settings under $IDENTITYGUARD_HOME. During an upgrade, this
directory is deleted and reinstalled.
6
The Java Runtime Environment is upgraded and you can reinstall the Application
server.
Installing Java Runtime Environment...
Installing j2re-1_4_2_09-linux-i586.bin...
Installing Tomcat...
Tomcat has already been installed.
Do you wish to reinstall it? [yes or no]
7
The installation creates the Entrust IdentityGuard service and the Entrust
IdentityGuard Radius service:
Creating igradius service...
8
The following prompt appears:
Do you want the Entrust IdentityGuard Radius proxy to start
automatically when the host starts after reboot? [yes or no]
300
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
If you answer no, you can enable automatic startup later.
If you wish to enable automatic startup in the future, run the
command "igsvcconfig.sh igradius reset" when logged on as root.
9
When the installation is complete, Entrust IdentityGuard prompts you to restore
your existing configuration data.
Configuration data from the existing installation has been backed
up.
If you wish, you can configure a new server or restore the
existing configuration data.
If you don't restore the existing
configuration data, all existing data will be removed.
Do you wish to restore the existing configuration data? [yes or
no]
To retain your Entrust IdentityGuard data, answer yes. This message appears:
Configuration parameters restored.
To configure a new server, answer no. When you answer no, all of your previous
configuration data is removed. You must complete the configuration and
initialization procedures:
•
“Configuring the primary Entrust IdentityGuard Server” on page 36
•
“Initializing the primary Entrust IdentityGuard Server” on page 47
After initialization is complete, continue to Step 11 in this procedure.
10 You may be prompted to configure the Entrust IdentityGuard Radius proxy.
Continue from Step 4 in “To configure the Radius proxy on UNIX” on page 180.
11 When you are finished, Entrust IdentityGuard displays:
PERFORMING UPGRADE
You are prompted to answer if you are upgrading a replica server:
Are you upgrading an Entrust IdentityGuard master or replica?
(PRIMARY or REPLICA):
To complete the upgrade of the first instance of Entrust IdentityGuard Server,
answer PRIMARY. Answer REPLICA to upgrade the rest of your instances of
Entrust IdentityGuard Server.
12 You are prompted to log in with your master user name and password to
complete the upgrade.
A master user must login to complete the upgrade.
Userid:
Password:
When you have successfully logged in, the following message appears:
Upgrading Entrust IdentityGuard Server on Linux
Feedback on guide
301
Upgrade complete.
Note: If the upgrade fails, ensure that your repository schema was upgraded.
After you upgrade the repository schema, you can continue with the Entrust
IdentityGuard upgrade by running the master user shell (supersh) command
system upgrade.
13 You are prompted to save a backup of your configuration data.
Do you wish to keep the backup copy of configuration data? [yes or
no]
If you answer yes, Entrust IdentityGuard displays the location of the saved
configuration data.
Your upgrade is now installed.
You are prompted to set up the sample application. Proceed to “Configuring the
sample application on UNIX” on page 51.
Upgrading Entrust IdentityGuard Server from
8.0 to 8.1
Complete the following steps to upgrade from version 8.0 to 8.1.
To upgrade Entrust IdentityGuard Server 8.0 to 8.1
1
Update your LDIF or SQL schema to apply to Entrust IdentityGuard 8.1. Refer to
the specific schema configuration instructions for your directory or database in
either the Entrust IdentityGuard Directory Configuration Guide or the Entrust
IdentityGuard Database Configuration Guide.
2
Download the Entrust IdentityGuard 8.1 software. To do so, complete the steps
in “Downloading Entrust IdentityGuard software” on page 21.
3
Follow the instructions under“Installing Entrust IdentityGuard Server” on
page 33.
4
The Entrust IdentityGuard installation detects version 8.0 and displays the
following prompt:
Entrust IdentityGuard 8.0 is installed.
Do you wish to install Entrust IdentityGuard 8.1 and upgrade the
8.0 data? [yes or no]
Enter yes to continue with the upgrade.
5
302
The Entrust IdentityGuard installation detects the Java Runtime Environment and
displays the following prompt:
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Installing Java Runtime Environment...
Java Runtime Environment has already been installed.
Do you wish to reinstall it? [yes or no]
6
The installation detects the Application server and displays the following prompt:
Installing Tomcat...
Tomcat has already been installed.
Do you wish to reinstall in? [yes or no]
7
The installation creates the Entrust IdentityGuard service and the Entrust
IdentityGuard Radius service:
Creating igradius service...
8
The following prompt appears:
Do you want the Entrust IdentityGuard Radius proxy to start
automatically when the host starts after reboot? [yes or no]
If you answer no, you can enable automatic startup later (using chkconfig
igradius reset, when logged as root).
9
When the installation is complete, Entrust IdentityGuard prompts you to restore
your configuration data.
Installation complete.
Configuration data from the existing installation has been backed
up. If you wish, you can configure a new server or restore the
existing configuration data and upgrade it to 8.1. If you don’t
restore the existing configuration data, all existing data will be
removed.
Do you wish to restore the existing configuration data? [yes or
no] yes
10 To retain your Entrust IdentityGuard data, answer yes. This message appears:
Configuration parameters restored.
To configure a new server, answer no. When you answer no, all of your previous
configuration data is removed. You must complete the configuration and
initialization procedures:
•
“Configuring the primary Entrust IdentityGuard Server” on page 36
•
“Initializing the primary Entrust IdentityGuard Server” on page 47
After initialization is complete, continue to Step 12 in this procedure.
11 You may be prompted to configure the Entrust IdentityGuard Radius proxy.
Continue from Step 4 in “To configure the Radius proxy on UNIX” on page 180.
Upgrading Entrust IdentityGuard Server on Linux
Feedback on guide
303
12 When you are finished, Entrust IdentityGuard displays:
PERFORMING UPGRADE
You are prompted to answer if you are upgrading a replica server:
Are you upgrading an Entrust IdentityGuard master or replica?
(PRIMARY or REPLICA):
To complete the upgrade of the first instance of Entrust IdentityGuard Server,
answer PRIMARY. Answer REPLICA to upgrade the rest of your instances of
Entrust IdentityGuard Server.
13 You are prompted to log in with a master user name and password to complete
the upgrade. For example, Master1.
A master user must login to complete the upgrade.
Userid:
Password:
When you have successfully logged in, the following message appears:
Upgrade complete.
Note: If the upgrade fails, ensure that your repository schema was upgraded.
After you upgrade the repository schema, you can continue with the Entrust
IdentityGuard upgrade by running the master user shell (supersh) command
system upgrade.
14 You are prompted to save a backup of your configuration data.
Do you wish to keep the backup copy of the configuration data?
[yes or no]
If you answer yes, Entrust IdentityGuard displays the location and the file name
of the saved configuration data.
Your upgrade is now installed.
304
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Appendix C
Using the sample Web
application
This appendix provides administrators with detailed instructions for using the Any
Bank sample Web application. Assuming the role of a sample end user, you will
register with the Any Bank Web site and perform the following tasks: request a card,
activate a card, register a token, and log in using several authentication methods
Attention: This sample Web application simulates a Web site with Entrust
IdentityGuard installed. The primary purpose of the application is to demonstrate
some of the authentication methods used by Entrust IdentityGuard. The sample
Web application is not intended to perform as a fully featured application.
Topics in this appendix:
•
“Preparing to use the sample Web application” on page 306
•
“Accessing the sample Web application” on page 307
•
“Registering as a user” on page 308
•
“Activating a card” on page 315
•
“Registering a token” on page 317
•
“Using machine authentication to log in” on page 321
•
“Using generic authentication to log in” on page 325
•
“Using step-up authentication” on page 327
•
“Using temporary PIN authentication to log in” on page 329
•
“Using one-step grid authentication to log in” on page 332
•
“Using two-step grid authentication to log in” on page 333
305
Preparing to use the sample Web
application
Review the following information before configuring the sample Web application:
Table 29: Preconfiguration considerations for the Sample Web application
Creating a user group
• During installation, the sample Web application creates a user
group named “samplegroup.”
• The sample Web application assigns all users to the sample group.
Creating a policy
• During installation, the sample Web application creates a policy
named “samplepolicy.”
• The sample Web application must use samplepolicy. Modify
samplepolicy using the master user shell. For information about
modifying policy settings using the master user shell, see the
Entrust IdentityGuard Administration Guide.
Loading token data
• Load all token data before attempting any token-related
operations. For information about loading token data, see the
Entrust IdentityGuard Administration Guide.
Loading preproduced card • Load all preproduced card data before attempting any
data
card-related operations. For information about loading token
data, see the Entrust IdentityGuard Administration Guide.
Locating the sample
admin ID and password
• The sample Web application installs with an admin ID and
password for the administrator. Use only the admin ID and
password.
• Locate the admin ID and password in igsample.properties in
<IDENTITYGUARD_INSTALL>\etc\ or
<IG_INSTALL_DIR>\identityguard81\etc
306
Using passwords
• The password field and user name field simulate the primary
authentication mechanism of the sample bank’s Web site. The
password field in the sample Web application is for demonstration
purposes only and is nonfunctional.
Modifying
authentication-type
settings using the master
user shell
• To complete the procedures in this appendix, you must modify the
samplepolicy’s generic and machine authentication-type settings.
For information about modifying policy settings using the master
user shell, see the Entrust IdentityGuard Administration Guide.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Accessing the sample Web application
Configure the sample Web application before accessing it. Refer to the following
instructions to configure the sample Web application:
•
for embedded Tomcat server on UNIX instructions, see “Configuring the
sample application on UNIX” on page 51
•
for embedded Tomcat server on Windows instructions, see “Configuring the
sample application on Microsoft Windows” on page 87
•
for existing application server instructions, see “Configuring the sample
application on an existing application server” on page 121
Access the configured sample Web application from a Web browser.
To access the sample Web application from a URL
Enter one of the following URLs:
https://<FQDN>:<httpsport>/IdentityGuardSampleApp
–or–
http://<FQDN>:<httpport>/IdentityGuardSampleApp
where:
•
<FQDN> is the fully qualified domain name for the Entrust IdentityGuard
host.
•
<httpsport> is the sample application HTTPS port (default 8443, if using
the embedded Tomcat server).
•
<httpport> is the sample application HTTP port (default 8080, if using the
embedded Tomcat server).
For example:
https://igserver.mycompany.com:8443/IdentityGuardSampleApp
http://igserver.mycompany.com:8080/IdentityGuardSampleApp
To access the sample Web application from the Windows start menu
Click Start > All Programs > Entrust > IdentityGuard > Sample Application.
The sample Web application opens in your default browser. By default, the
interface opens at the User registration Sign in page.
Using the sample Web application
Feedback on guide
307
Registering as a user
Note: The sample Web application’s policy, “samplepolicy,” installs with the
default settings of GRID QA OTP TOKENRO for both the generic and machine
authentication-types. The sample Web application uses only the first
authentication-type setting listed for both the generic and machine
authentication-types. A master user can modify the default settings in the master
user shell. For example, to register a sample end user to authenticate using
tokens, the master user must modify the policy setting for generic
authentication-type to appear as: TOKENRO GRID QA OTP.
To access the Any Bank Web site, a sample end user must register an account with
Entrust IdentityGuard. The end user must register contact information, a personal
image, and a personal caption for use in future authentication challenges.
Assuming the role of a sample end user:
•
register your account with Any Bank
•
have a card or token issued to you
•
optionally, configure question-and-answer authentication secrets.
To register as a sample user
1
Select User registration from the main page of the interface.
The Sign in page appears.
308
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
2
Enter a user name and password.
3
Click Continue.
The Entrust IdentityGuard user creation page appears displaying your user name.
4
Optionally, enter a valid email address and phone number.
Note: The administrator or application uses this information to deliver a
one-time password (OTP) to the end user. In a real-life scenario, a valid email
address must be entered if the policy setting for generic type is set to OTP and
email is used to deliver the OTP.
5
Click Continue.
The Entrust IdentityGuard image selection page appears.
Using the sample Web application
Feedback on guide
309
6
Click Continue to select an image.
Optionally, click here to choose another image from the Entrust IdentityGuard
image library or to upload an image.
The Entrust IdentityGuard image caption page appears.
The previous two pages demonstrate two types of organization authentication:
image and message replay authentication. For more information on image and
message replay authentication, see the Entrust IdentityGuard Deployment Guide
and the Entrust IdentityGuard Administration Guide.
7
Enter a caption for the image. For example, “hammer.”
Entrust IdentityGuard displays your image and caption at login.
310
8
Optionally, click Change to select a different image or upload an image.
9
Click Continue.
•
If the policy setting for the generic authorization-type is set to GRID, go to
“To register with GRID as the policy setting”
•
If the policy setting for the generic authorization-type is set to QA, go to
“To register with QA as the policy setting”
•
If the policy setting for the generic authorization-type is set to OTP, go
to“To register with OTP as the policy setting”
•
If the policy setting for the generic authorization-type is set to TOKENRO,
go to “To register with TOKENRO as the policy setting”
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
To register with GRID as the policy setting
Note: The following procedure has generic authentication-type set to GRID in
the samplepolicy. The setting appears as: GRID QA OTP TOKENRO.
1
The Entrust IdentityGuard card creation page appears.
This page allows the end user to request a card. Entrust IdentityGuard provides
two models for card production—produce-and-assign and preproduction cards.
For more information about card and grid production models, see the Entrust
IdentityGuard Deployment Guide.
2
Click Request a card to make Entrust IdentityGuard create the grid for a
produced-and-assign card. You can view this grid using the Administration
interface or the master user shell.
You must activate the card before using the card to authenticate to Entrust
IdentityGuard. For more information about card activation, see “Activating a
card” on page 315.
A page appears stating that your user account was successfully registered.
3
Click I already have a card if you possess a preproduced card.
You must activate the card before using the card to authenticate to Entrust
IdentityGuard. For more information about card activation, see “Activating a
card” on page 315.
A page appears stating that your user account was successfully registered.
To register with QA as the policy setting
Note: The following procedure has generic authentication-type set to question
and answer in the samplepolicy. The setting appears as: QA OTP TOKENRO GRID.
Using the sample Web application
Feedback on guide
311
1
The Entrust IdentityGuard Questions page appears.
The user can create authentication secrets from a list of predefined questions. The
sample Web application installs with six predefined questions; however, Entrust
IdentityGuard allows organizations to select a number of authentication secrets
for each user and to prompt for all answers or a subset of the answers.
For more information about knowledge-based authentication and creating good
questions, see the Entrust IdentityGuard Deployment Guide.
2
Select a different question from each drop-down list. For example, “What was
the name of your high school?”
3
Enter an answer to each question.
4
Click Continue.
A page appears stating that your user account was successfully registered.
312
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
To register with OTP as the policy setting
Note: The following procedure has generic authentication-type set to
question and answer in the samplepolicy. The setting appears as: OTP TOKENRO
GRID QA.
A page appears stating that your user account has been successfully registered.
OTP authentication-type does not require any additional user set up
or activation.
To register with TOKENRO as the policy setting
Note: The following procedure has generic authentication-type set to token in
the samplepolicy. The setting appears as: TOKENRO GRID QA OTP.
The Entrust IdentityGuard token registration page appears.
The user can proceed with token registration or defer token registration. You can
configure the policy for the sample Web application to support token PINs or to
not support token PINs.
Using the sample Web application
Feedback on guide
313
314
•
For more information on token registration without token PIN support
enabled, see “To register a token” on page 317.
•
For more information on token registration with token PIN support enabled,
see “To register a token with token PIN support enabled” on page 319.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Activating a card
A sample end user of the Any Bank Web site must activate a card before accessing a
bank account. When a sample end user requests a card, it is assigned to the end user
in a hold-pending state.
Do not use a card in the hold-pending state to authenticate to Entrust IdentityGuard.
An administrator must activate a card by changing the state of the card to current or
pending. The end user can then use the card to authenticate to Entrust IdentityGuard.
Assuming the role of a sample end user, use the sample Web application to activate
your card and access your Any Bank account.
Note: If required, use the Administration interface or the master user shell to
access the grid information for a card.
To activate a user card
1
Select Card activation from the main menu of the interface.
The Sign in page appears.
2
Enter your user name and password.
3
Click Continue to begin the card activation process.
Using the sample Web application
Feedback on guide
315
The Entrust IdentityGuard card activation page appears.
4
Enter the serial number of either your preproduced or produced-and-assign card.
Optionally, click Request a card to have a produced-and-assign card deployed to
you. For more information, see “To register as a sample user” on page 308.
5
Click Activate.
Another Entrust IdentityGuard card activation page appears displaying the
serial number.
6
Enter the specified grid coordinates.
Grid authentication is a second-factor authentication method that challenges the
end user to enter a set of grid coordinates on a printed card. For more information
on grid authentication, see the Entrust IdentityGuard Deployment Guide and the
Entrust IdentityGuard Administration Guide.
7
Click Continue.
A message appears stating that your card has been activated.
316
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Registering a token
Attention: Before you can register a token, load the token data and assign the
token data to the group, “samplegroup.” For more information on loading token
data, see “Preparing to use the sample Web application” on page 306.
Note: The following procedure has generic authentication-type set to token in
the samplepolicy. The setting appears as TOKENRO GRID QA OTP.
A sample end user of the Any Bank Web site may log in using token authentication,
a second-factor authentication method that challenges a sample end user to respond
using a token-generated dynamic password.
Entrust IdentityGuard can be configured to issue challenges requiring end users to
respond using a dynamic password or to respond using a token PIN in conjunction
with a dynamic password.
For more information about configuring token authentication, see the
Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard
Administration Guide.
Assuming the role of a sample end user, register a token for use in future
authentication requests to Entrust IdentityGuard.
•
For tokens that do not support token PINs, see “To register a token” on
page 317.
•
For tokens that support token PINs, see “To register a token with token PIN
support enabled” on page 319.
To register a token
1
Select Token registration from the main menu of the interface.
Using the sample Web application
Feedback on guide
317
The Sign in page appears.
2
Enter your user name and password.
3
Click Continue to begin the token registration process.
The Entrust IdentityGuard token registration page appears.
4
Enter the token serial number.
5
Click Register.
A token is assigned to a sample end user in a hold-pending state.
318
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Entrust IdentityGuard token registration page appears.
6
Enter the token-generated dynamic password as the response.
7
Click Continue.
A message appears stating that your token has been successfully registered.
To register a token with token PIN support enabled
The Entrust IdentityGuard token registration page appears.
1
Enter the token serial number.
2
Click Register.
A token is assigned to a sample end user in a hold-pending state.
Using the sample Web application
Feedback on guide
319
The Entrust IdentityGuard token registration page appears.
3
Choose and confirm a token PIN between four and eight digits in length.
For example, your token PIN could be 1234. This token PIN is used in
combination with a dynamic password for future authentication challenges.
4
Click Continue.
The Entrust IdentityGuard token registration page appears requesting the input
of a token response.
5
Enter the token PIN and the token-generated dynamic password.
For example, if the token PIN value is 1234, and the token-generated string is
567890, enter 1234567890 as the authentication challenge response.
6
Click Continue.
A message appears stating that your token has been successfully registered.
320
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using machine authentication to log in
Note: The following procedure has machine authentication-type set to token in
the samplepolicy. The setting appears as: TOKENRO GRID QA OTP.
A sample end user of the Any Bank Web site may log in using machine
authentication. However, you can also use machine authentication with the other
authentication methods. This method of second-factor authentication associates a
sample end user with a particular computer through the use of a machine secret.
For more information on machine authentication, see the Entrust IdentityGuard
Deployment Guide and the Entrust IdentityGuard Administration Guide.
Assuming the role of a sample end user, use the sample Web application to establish
machine authentication using the machine secrets gathered during Entrust
IdentityGuard machine registration. Once machine authentication is established,
second-factor authentication becomes transparent to the end user.
To establish machine authentication
1
Select User sign in from the main page of the interface.
2
Enter your user name.
3
Be sure to check Remember me on this machine.
This initiates machine authentication.
4
Click Continue.
Using the sample Web application
Feedback on guide
321
The Entrust IdentityGuard Machine registration page appears displaying the
serial number of your token.
This page demonstrates a type of machine authentication that uses a token
password and token PIN as the default method of authentication. The end user
must enter a token PIN and a dynamic password in response to the
authentication challenge.
If the primary method of authentication was grid, this page would display a grid
authentication challenge.
For more information on machine authentication, see the Entrust IdentityGuard
Deployment Guide and the Entrust IdentityGuard Administration Guide.
5
Enter the token PIN and the dynamic password.
For example, if the token PIN value is 1234, and the dynamic password is
567890, you must enter 1234567890 as the authentication challenge response.
6
322
Click Continue.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
The Entrust IdentityGuard Application authentication page appears displaying
your image and caption.
This page demonstrates image and message replay authentication, a method of
organization authentication.
For more information on image and message replay authentication, see the
Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard
Administration Guide.
7
Enter your password.
8
Click Login.
Your sample bank account page appears. You have established machine
authentication. Future log in attempts will not require you to authenticate to
Entrust IdentityGuard.
To log in with established machine authentication
1
From a new browser window, select User sign in from the main page of the
interface.
Using the sample Web application
Feedback on guide
323
The Sign in page appears displaying your user name.
2
Be sure to check Remember me on this machine.
3
Click Continue.
The Entrust IdentityGuard Application authentication page appears.
The sample Web application checked that your machine is registered with the
Entrust IdentityGuard server. No authentication challenge was issued because
your machine was identified as a registered machine.
4
Enter your password.
5
Click Login.
Your sample bank account page appears. Once machine authentication is
established, second-factor authentication is transparent to the end user
associated with a particular computer.
324
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using generic authentication to log in
Note: The following procedure has generic authentication-type set to question
and answer in the samplepolicy. The setting appears as: QA OTP TOKENRO GRID.
A registered end user can log in to the Any Bank Web site using generic
authentication. For more information on generic authentication, see the
Entrust IdentityGuard Deployment Guide and the Entrust IdentityGuard
Administration Guide.
Assuming the role of a sample end user, use generic authentication to log in to your
bank account.
To log in using generic authentication
1
Select User sign in from the main page of the interface.
2
Enter your user name.
3
Be sure to disable Remember me on this machine.
Uncheck the box to initialize the generic authentication challenge and remove
any machine secrets.
4
Click Continue.
Using the sample Web application
Feedback on guide
325
The Entrust IdentityGuard second-factor authentication page appears.
Entrust IdentityGuard randomly selects a series of questions.
5
Enter your predefined answers.
6
Click Continue.
Your sample bank account page appears.
326
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using step-up authentication
Note: This procedure uses one-time password authentication as the setting for
generic authentication-type. The policy setting appears as: OTP TOKENRO
GRID QA.
For situations requiring an additional level of security, Entrust IdentityGuard provides
second-factor authentication of transactions initiated by an authenticated end user of
the Any Bank Web site.
Assuming the role of a sample end user, use step-up authentication to transfer funds
from your bank account to another bank account.
To use step-up authentication
1
Follow the procedure “To log in with established machine authentication” to
access your sample bank account page.
2
Click Transfer funds.
Using the sample Web application
Feedback on guide
327
The Entrust IdentityGuard second-factor authentication page appears.
3
Enter your one-time password.
Note: The one-time password can be viewed using the Administration interface.
4
Click Continue.
The Transfer Funds page appears.
5
Enter the amount to be transferred and the account numbers.
6
Click Transfer.
A page appears stating that the funds were transferred successfully.
328
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using temporary PIN authentication to
log in
Note: Temporary PINs are only available for grid or token authentication. The
following procedure has generic authentication-type set to GRID in the
samplepolicy. The setting appears as: GRID QA OTP TOKENRO.
In certain situations, a sample end user of the Any Bank Web site may not have a card
or token. An administrator can issue a temporary PIN, either for a specific number of
uses or a limited period of time. Examples of this situation include lost cards or tokens,
or a newly registered end user awaiting arrival of a card or token.
For more information about temporary PINs, see the Entrust IdentityGuard
Deployment Guide.
Assuming the role of a sample end user, use the sample Web application to access
your Any Bank account using a temporary PIN.
As an administrator, use the Administration interface to issue a temporary PIN.
Temporary PINs are issued with limits on the number of uses and expiry dates to limit
exposure to attacks.
To use temporary PINs
1
Select User sign in from the main page of the interface.
2
Enter your user name.
3
Be sure to disable Remember me on this machine.
Using the sample Web application
Feedback on guide
329
Uncheck the box to initialize the generic authentication challenge and remove
any machine secrets.
4
Click Continue.
The Entrust IdentityGuard second-factor authentication page appears.
5
Use the Administration interface to issue yourself a temporary PIN.
6
Click Having problems or lost your Entrust IdentityGuard Card?
Another Entrust IdentityGuard second-factor authentication page appears.
7
Enter the temporary PIN issued to you by email or get the PIN from the
Administration interface or the master user shell.
In this example, a sample end user can call a customer support number and have
a temporary PIN issued to them. The telephone number on this second-factor
authentication page is for demonstration purposes only.
330
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
8
Click Continue.
Your sample bank account page appears.
Using the sample Web application
Feedback on guide
331
Using one-step grid authentication to
log in
A sample end user of the Any Bank Web site may log in using one-step grid
authentication. This authentication method presents first-factor and second-factor
authentication challenges to the end user at the same time. For more information on
one-step grid authentication, see the Entrust IdentityGuard Deployment Guide.
Assuming the role of a sample end user, use the sample Web application to log in
using one-step grid authentication.
To log in using one-step grid authentication
1
Select One-step grid login from the main menu of the interface.
The One-step grid authentication page appears.
2
Enter your user name, password, and the specified grid coordinates.
This step demonstrates grid authentication. For more information on grid
authentication, see the Entrust IdentityGuard Administration Guide.
3
Click Login.
Your sample bank account page appears.
332
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Using two-step grid authentication to
log in
A sample end user of the Any Bank Web site may log in using two-step grid
authentication. This method of authentication presents first-factor and second-factor
authentication challenges to the end user consecutively. The end user is authenticated
and verified using the first-factor authentication method before being challenged
with second-factor authentication.
For more information on two-step grid authentication, see the Entrust IdentityGuard
Deployment Guide and the Entrust IdentityGuard Administration Guide.
Assuming the role of a sample end user, use the sample Web application to log in
using two-step grid authentication.
To log in using two-step grid authentication
1
Select Two-step grid sign in from the main page of the interface.
The Sign in page appears.
2
Enter your user name and password.
3
Click Continue.
Using the sample Web application
Feedback on guide
333
The Entrust IdentityGuard second-factor authentication page appears displaying
the serial number on your card.
This page demonstrates a type of organization authentication called serial
number replay authentication. For more information on serial number replay
authentication, see the Entrust IdentityGuard Deployment Guide and the
Entrust IdentityGuard Administration Guide.
4
Enter the specified grid coordinates.
This step demonstrates grid authentication. For more information on grid
authentication, see the Entrust IdentityGuard Deployment Guide and the
Entrust IdentityGuard Administration Guide.
5
Click Continue.
Your sample bank account page appears.
334
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Appendix D
Uninstalling Entrust
IdentityGuard Server
This chapter provides instructions for uninstalling Entrust IdentityGuard Server from
your system.
Topics in this section:
•
“Uninstalling Entrust IdentityGuard Server with embedded Tomcat on
UNIX” on page 336
•
“Uninstalling Entrust IdentityGuard Server on Microsoft Windows” on
page 337
•
“Uninstalling Entrust IdentityGuard Server with an existing application
server” on page 338
335
Uninstalling Entrust IdentityGuard
Server with embedded Tomcat on UNIX
Entrust IdentityGuard Server does not include an uninstall script. You will need to
perform the following procedure to uninstall Entrust IdentityGuard.
Uninstalling the server also uninstalls the Radius proxy component, if configured.
To uninstall Entrust IdentityGuard on UNIX
1
Stop the Entrust IdentityGuard service using the instructions in the topic
“Managing the Entrust IdentityGuard service” on page 62.
2
Optionally, as the application owner, back up the
identityguard.properties file and the masterkeys.enc file (but not the
masterkeys.kpf).
3
As root:
a
In $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b
Still in $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh identityguard uninstall
4
336
Optionally, remove the Entrust IdentityGuard data from the repository.
•
For a database, use the IG_81/sql/drop_v81_schema.sql file in the
.tar install package (either IG_81_Linux.tar or the
IG_81_Solaris.tar), to remove all Entrust IdentityGuard tables.
•
For a directory, you will need to remove this data manually.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Uninstalling Entrust IdentityGuard
Server on Microsoft Windows
Complete the following procedure to uninstall the Entrust IdentityGuard Server on
Microsoft Windows.
Uninstalling the server also uninstalls the Radius proxy component, if configured.
To uninstall Entrust IdentityGuard Server on Microsoft Windows
1
Go to Add or Remove Programs located in your system’s Control Panel.
2
Select Entrust IdentityGuard Server 8.1 and click Remove.
3
Optionally, remove the Entrust IdentityGuard data from the repository on the
repository server.
•
For a database, use the IG_81/sql/drop_v81_schema.sql file in the
.tar installation package to remove all Entrust IdentityGuard tables.
•
For a directory, you will need to remove this data manually.
Note: During the Windows uninstall process, Entrust IdentityGuard attempts to
create a backup of your Entrust IdentityGuard configuration. If successful, it
displays a message listing the location of the backup file. Click OK to continue
the uninstall. This occurs only if Entrust IdentityGuard was correctly configured
and initialized.
Uninstalling Entrust IdentityGuard Server
Feedback on guide
337
Uninstalling Entrust IdentityGuard
Server with an existing application
server
Entrust IdentityGuard Server does not include an uninstall script. You will need to
perform the following procedure to uninstall Entrust IdentityGuard.
Uninstalling the server also uninstalls the Radius proxy component, if configured.
Topics in this section:
•
“Uninstalling Entrust IdentityGuard on WebLogic 8.1” on page 338
•
“Uninstalling Entrust IdentityGuard on WebLogic 9.1” on page 340
•
“Uninstalling Entrust IdentityGuard on WebSphere 6.0” on page 342
Uninstalling Entrust IdentityGuard on
WebLogic 8.1
To uninstall Entrust IdentityGuard on WebLogic 8.1 you must:
•
Stop the Entrust IdentityGuard services.
•
Delete the Entrust IdentityGuard services.
•
Delete the Entrust IdentityGuard files.
To uninstall Entrust IdentityGuard on WebLogic 8.1
1
Stop the Entrust IdentityGuard services (see “Stopping Entrust IdentityGuard
Services on WebLogic 8.1” on page 167).
2
Delete the Entrust IdentityGuard services:
a
From the WebLogic 8.1 main page, select Deployments > Web Application
Modules.
The Deploy a Web Application Module page appears showing a list of all
deployed Web applications.
338
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
b
Click the trash can to the right of the Entrust IdentityGuard service.
A warning page appears prompting you to confirm that you want to delete
the Entrust IdentityGuard service.
c
Click Yes.
A message appears confirming that the Entrust IdentityGuard service has
been deleted.
d
Click Continue.
You are returned to the page listing deployed applications.
e
Repeat Step b to Step d to delete the remaining Entrust IdentityGuard
services.
Uninstalling Entrust IdentityGuard Server
Feedback on guide
339
3
Optionally, as the application owner, back up the
identityguard.properties file and the masterkeys.enc file (but not the
masterkeys.kpf).
4
As root:
a
in $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b
Delete the installation directory (by default /opt/entrust) by entering:
rm -f -r /opt/entrust
5
Optionally, remove the Entrust IdentityGuard data from the repository.
•
For a database, use the IG_81/sql/drop_v81_schema.sql file in the
.tar installation package to remove all Entrust IdentityGuard tables.
•
For a directory, you will need to remove this data manually.
Uninstalling Entrust IdentityGuard on
WebLogic 9.1
To uninstall Entrust IdentityGuard on WebLogic 9.1 you must:
•
Stop the Entrust IdentityGuard services.
•
Delete the Entrust IdentityGuard services.
•
Delete the Entrust IdentityGuard files.
To uninstall Entrust IdentityGuard on WebLogic 9.1
1
Stop the Entrust IdentityGuard services (see “Stopping Entrust IdentityGuard
Services on WebLogic 9.1” on page 168).
2
Delete the Entrust IdentityGuard services:
a
Under Change Center on the WebLogic main page click Lock & Edit.
b
Under Domain Structure on the left of the main page click Deployments.
The Deployment Summary Page appears with a list of Entrust IdentityGuard
services.
340
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
c
Select the check box for the Entrust IdentityGuard Services.
d
Click Delete.
The Delete Application Assistant page appears.
e
Click Yes to delete the application(s).
You are returned to the Summary of Deployments page.
f
Under Change Center on the WebLogic main page click Activate Changes.
Uninstalling Entrust IdentityGuard Server
Feedback on guide
341
3
Optionally, as the application owner, back up the
identityguard.properties file and the masterkeys.enc file (but not the
masterkeys.kpf).
4
As root:
a
In $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b
Delete the installation directory (by default /opt/entrust) by entering:
rm -f -r /opt/entrust
5
Optionally, remove the Entrust IdentityGuard data from the repository.
•
For a database, use the IG_81/sql/drop_v81_schema.sql file in the
.tar installation package to remove all Entrust IdentityGuard tables.
•
For a directory, you will need to remove this data manually.
Uninstalling Entrust IdentityGuard on
WebSphere 6.0
To uninstall Entrust IdentityGuard on WebLogic 8.1 you must:
•
Stop the Entrust IdentityGuard services
•
Delete the Entrust IdentityGuard services
•
Delete the Entrust IdentityGuard files
To uninstall Entrust IdentityGuard on WebSphere 6.0
1
Stop the Entrust IdentityGuard services (see “Stopping Entrust IdentityGuard
Services on WebSphere 6.0” on page 169).
2
Delete the Entrust IdentityGuard services:
a
From the WebSphere main menu click Applications > Enterprise
Applications.
The Enterprise Applications page appears.
342
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
b
Select the service(s) to uninstall and then click Uninstall.
The Uninstall Application page appears.
c
Click OK.
A message appears indicating that changes have been made to your local
configuration.
d
Click Save to accept the changes.
The Enterprise Applications Save page appears.
Uninstalling Entrust IdentityGuard Server
Feedback on guide
343
e
Click Save.
The Entrust IdentityGuard services are uninstalled.
3
Optionally, as the application owner, back up the
identityguard.properties file and the masterkeys.enc file (but not the
masterkeys.kpf).
4
As root:
a
In $IDENTITYGUARD_HOME/bin enter:
./igsvcconfig.sh igradius uninstall
b
Delete the installation directory (by default /opt/entrust) by entering:
rm -f -r /opt/entrust
5
344
Optionally, remove the Entrust IdentityGuard data from the repository.
•
For a database, use the IG_81/sql/drop_v81_schema.sql file in the
.tar installation package to remove all Entrust IdentityGuard tables.
•
For a directory, you will need to remove this data manually.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Glossary
active card or token
The card or token that the end user is presently using for
authentication.
Administration API
The Java Platform or C# API that applications can use to
integrate with the Administration service.
Administration interface
The Web interface used by administrators to manage end
users (see end user).
Administration service
The Entrust IdentityGuard Web service responsible for
managing administrators, users, cards, tokens, PINs, and
so on.
Administration WSDL
The WSDL definition for the Administration service.
administrator
The Entrust IdentityGuard user who manages the
day-to-day activity of end users using the Administration
service (see end user).
administrator password attributes
The policy attributes that determine the password rules
for an administrator. For example, the password length,
expiry date, and so on.
alias
An additional unique name for an end user.
See also user name.
all grouplist
A predefined grouplist that allows an administrator to
manage every Entrust IdentityGuard group.
anonymous authentication
See one-step authentication.
auditor role
A predefined role that has read access to operations
available through the Administration service.
authentication
The process of proving your identity, and/or determining
the validity of a set of credentials presented to the system.
Authentication API
The Java Platform or C# API that applications can use to
integrate with the Authentication service.
345
authentication secret
The secrets shared between the organization and the user
when organization authentication is configured.
Authentication service
The Entrust IdentityGuard Web service used for retrieving
challenge requests and authenticating user responses.
Also see Authentication API.
346
Authentication WSDL
The WSDL definition for the Authentication service.
Canceled state
The state associated with a card or token that a user can
no longer use to authenticate.
card
A physical grid that is printed and distributed to users.
cardspec attributes
See card specification attributes.
card specification attributes
The policy attributes that determine the characteristics of
a grid for grid authentication. For example, the characters
to use in a grid, its expiry based on duration or use, the
number of rows and columns, and so on.
cell
A row and column coordinate in a grid.
challenge generation algorithm
An algorithm used to produce the challenge when using
grid authentication. Entrust IdentityGuard has two
challenge generation algorithms:
•
least-used cell challenge generation algorithm
•
random challenge generation algorithm
client application
Any application that uses the Authentication API and/or
the Administration API to access Entrust IdentityGuard’s
administration and multifactor authentication capabilities
on behalf of the end user.
client authentication
The authentication process whereby users prove their
identity to an application, using, for example, Entrust
IdentityGuard Server.
Consumer deployment
An Entrust IdentityGuard deployment where the end
users are external to the organization (for example, they
are customers or partners), and are authenticating to a
Web-based application.
credentials
A set of data (for example, a user name and password,
grid, or dynamic password) that defines a user to the
system.
Current state
The state associated with a card or token that is currently
in use.
default role
A predefined role that has access to most operations
available through the Administration service.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
dynamic password
The random number displayed by a token that changes
automatically at regular intervals.
end user
A user who authenticates to Entrust IdentityGuard using
one of the available multifactor authentication methods.
Enterprise deployment
A deployment of Entrust IdentityGuard where the end
users are internal to the organization (for example,
employees) and are authenticating to internal services.
Entrust IdentityGuard Server
An Entrust product that provides multifactor
authentication to increase the security of an online
identity.
Entrust IdentityGuard Desktop for
Microsoft Windows
An Entrust IdentityGuard client that adds second-factor
authentication capabilities to the first-factor
authentication performed by Microsoft Windows
Winlogin and the RAS/IAS servers.
See also Entrust IdentityGuard Remote Access Plug-in for
Microsoft Windows Servers.
Entrust IdentityGuard Radius proxy An Entrust IdentityGuard client that adds second-factor
authentication capabilities to the first-factor
authentication performed by a Radius server or using
external authentication.
Entrust IdentityGuard Remote
Access Plug-in for Microsoft
Windows Servers
An Entrust IdentityGuard client that installs on the RAS
and IAS servers to enable Entrust IdentityGuard
second-factor authentication for remote Microsoft
Windows users.
external authentication
The first-factor authentication provided by Entrust
IdentityGuard in a deployment where remote users
connect through VPN and no external Radius server
exists.
file-based repository
A file containing preproduced cards or unassigned token
information that is located on the primary Entrust
IdentityGuard Server. Used only when your repository is
an LDAP Directory.
first-factor authentication
The first authentication challenge presented to the user.
Usually user name and password authentication.
first-factor authentication
application
The application which performs first-factor authentication
and to which Entrust IdentityGuard is added as the second
factor of authentication.
grid
An assortment or table of characters listed in row and
column format.
See also card.
Glossary
Feedback on guide
347
grid authentication
A second-factor authentication method that challenges a
user for a set of grid coordinates or cells.
grid location replay authentication
A type of organization authentication used with grid
authentication that requires the organization to display
the contents of certain coordinates in the grid once the
user has authenticated.
group
A means to organize end users, administrators, tokens,
and cards to delegate administrative tasks and assign
policy behavior (such as allowed authentication
methods).
grouplist
The set of user groups (see group) that an administrator
can manage. A master user creates grouplists.
See all grouplist and own grouplist.
Hold state
The state associated with an active card or token that an
administrator has suspended (because, for example, the
user lost the card). While in Hold, a user cannot use the
card or token to authenticate.
See also Current state.
Hold_pending state
The state associated with a card or token that an
administrator has not yet activated. Unlike the Pending
state, the end user cannot activate the card and use it for
authentication.
identityguard.properties file
The Java properties file containing all the configuration
settings for a particular Entrust IdentityGuard Server.
image replay authentication
See message or image replay authentication.
initialization
A one-time process completed while setting up Entrust
IdentityGuard that provides the system with the license
keys and creates the master users, and the master key.
If repeated, re-initialization replaces the master key,
overwrites policy data already stored in the repository,
and renders existing user, preproduced card and
unassigned token information unusable.
See master key.
348
knowledge-based authentication
A second-factor authentication method that challenges a
user for correct responses to a series of questions.
layered authentication
An authentication process in which additional
authentication challenges are presented for particular
transactions that require stronger authentication than the
user presently has.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
least-used cell challenge generation A challenge generation algorithm that uses a configured
number of least-used coordinates (cells) when creating
algorithm
the challenge.
machine authentication
An authentication process in which a user is associated
with a particular computer through the use of a machine
secret. After association, second-factor authentication is
transparent for the user on that computer.
machine authentication type list
A list of machine authentication methods assigned to a
user, based on their policy.
machine secret
One or more nonces and optional application-provided
data that uniquely identify a particular computer.
master key
The key that Entrust IdentityGuard uses to encrypt
information stored in the repository.
master key protection file
The file containing the obfuscation key used to access the
master key.
master user
The Entrust IdentityGuard user that configures how
Entrust IdentityGuard will work in your system.
Entrust IdentityGuard has three master users.
See master user shell.
master user shell
A command-line interface used by master users to
configure Entrust IdentityGuard.
See master user.
message or image replay
authentication
A type of organization authentication in which the
organization displays a predefined message or image
either before or after the user has authenticated.
multifactor authentication
An authentication process in which two or more
authentication methods are used consecutively to verify a
user and often an organization.
mutual authentication
An authentication process in which both the user and the
organization verify themselves as legitimate.
See also organization authentication and user
authentication.
nonce
A random value generated for security purposes.
Glossary
Feedback on guide
349
one-step authentication
An authentication process in which first-factor and
second-factor authentication challenges are presented to
the end user at the same time. Also referred to as
“anonymous authentication” as the system does not
know the identity of the user.
Available only when using grid authentication.
See also two-step authentication.
one-time password
A set of characters provided to a user out-of-band that
can only be used once for authentication.
See also out-of-band authentication.
organization authentication
350
An authentication process in which the organization
verifies itself as authentic to the end user. Entrust
IdentityGuard supports the following types:
•
grid location replay authentication
•
message or image replay authentication
•
serial number replay authentication
OTP
See one-time password.
out-of-band authentication
A second-factor authentication method that challenges a
user for a one-time password that is sent (for example) to
their mobile phone when the challenge occurs.
own grouplist
A predefined grouplist that allows an administrator to
manage only the group to which they belong. It is the
default grouplist.
passcode list
A list of one-time transaction numbers (TANs) that are
distributed to end users (sometimes on a physical card)
and used with passcode list authentication.
passcode list authentication
A second-factor authentication method that challenges a
user for a passcode that matches a particular number in
their passcode list. It is similar to grid authentication.
password attributes
See administrator password attributes.
Pending state
The state associated with a card or token that a user or
administrator has not yet activated. Should an end user
user a card or token in this state, it automatically changes
to the Current state.
pinspec attributes
See temporary PIN attributes.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
policy
preproduction model
A set of attributes that determines the characteristics for
each member in a group. A policy is divided into four
subsets:
•
administrator password attributes
•
user specification attributes
•
card specification attributes
•
temporary PIN attributes
A method of creating cards in which they are created
anonymously and assigned to users at a later date.
See also produce-and-assign model.
primary Entrust IdentityGuard
Server
In a replicated system, this is the Entrust IdentityGuard
Server on which the file-based repository is stored.
Therefore, it usually also is the Entrust IdentityGuard
Server hosting the Administration service to which all
instances of the Administration interface connect.
produce-and-assign model
A method of creating cards in which a card is created and
assigned to a user in one-step.
Also see preproduction model.
question and answer authentication See knowledge-based authentication.
Radius
See Remote Authentication Dial-In User Service (Radius).
Radius proxy
See Entrust IdentityGuard Radius proxy.
random challenge generation
algorithm
A challenge generation algorithm that picks coordinates in
a grid randomly when creating a challenge.
registration
The process of adding new users to Entrust IdentityGuard
by obtaining their information and setting required
attributes such as group association and authentication
method.
Remote Authentication Dial-In User Remote Authentication Dial-In User Service. An industry
standard authentication protocol used to authenticate
Service (Radius)
users with Radius clients.
A Radius client passes information about a user to a
designated Radius server and then acts on the response
that the Radius server returns. Transactions between the
Radius client and the Radius server are authenticated
through a server secret, which is never sent over the
network.
Glossary
Feedback on guide
351
repository
The Entrust IdentityGuard information associated with
users and administrators stored in a database or directory.
A repository contains information such as:
•
group association
•
available authentication methods
•
user name and aliases
•
authentication information such as grids, token data,
questions and answers, temporary PINs, one-time
passwords, and so on
•
preproduced cards and unassigned token data
replica Entrust IdentityGuard Server In a system with more than one Entrust IdentityGuard
Server, any Entrust IdentityGuard Server that does not
function as the primary Entrust IdentityGuard Server.
Replicas are usually identical to each other.
role
Defines, for administrators (see administrator), what
operations they can perform using the Administration
service.
A master user creates roles. Entrust IdentityGuard installs
with three roles:
•
auditor role
•
default role
•
superuser role
sample application
The client Web application installed with the Entrust
IdentityGuard Server that demonstrates the various
capabilities and authentication methods of Entrust
IdentityGuard.
second-factor authentication
The second authentication method in a system that uses
two independent mechanisms of authentication. It
ensures strong authenticity. See strong authentication.
serial number replay authentication A type of organization authentication used with grid
authentication that requires the organization to display
the card’s unique serial number to the user.
shared secret
352
IdentityGuard 8.1 Installation Guide
A name and value pair associated with an end user and
used by a client application only (not Entrust
IdentityGuard).
Document issue: 3.0
Feedback on guide
Simple Object Access Protocol
(SOAP)
Simple Object Access Protocol. An XML protocol that
governs the exchange of information in a distributed
environment. SOAP provides a way for programs running
in two different operating systems (such as Windows
2000 and Solaris) or written in different programming
languages (such as Java Platform and C#) to exchange
information, using HTTP and XML. Refer to
http://www.w3.org/2000/xp/Group/.
single-factor authentication
An authentication system in which the user is verified
using only one authentication method (usually a user
name and password).
See also second-factor authentication.
single-stage authentication
See one-step authentication.
SOAP
See Simple Object Access Protocol (SOAP).
state
The lifecycle status that determines what a user can do
with a card or token. Entrust IdentityGuard cards and
tokens support the following states:
static token PIN
•
Pending state
•
Hold_pending state
•
Current state
•
Hold state
•
Canceled state
A numeric value that associates a user with their token.
When a user receives a token challenge, they must prefix
their response with the static token PIN, thereby
enhancing the strength of the authentication.
Do not confuse with temporary PIN or dynamic password.
strong authentication
A form of client authentication in which users prove their
identity by logging in with credentials other than just user
name and password (for example, a grid or token).
super shell
See master user shell.
superuser role
A predefined role that has access to all operations
available through the Administration service.
supersh
See master user shell.
TAN
Transaction number. See passcode list authentication.
Glossary
Feedback on guide
353
temporary PIN
A character string assigned to a user for a brief period of
time or usage duration to substitute for a temporarily
unavailable card or token.
temporary PIN attributes
The policy attributes that determine the characteristics of
the temporary PIN. For example, the number of
characters in the PIN, its expiry date, and so on.
token
A battery-operated hardware device that provides a user
with a dynamic password that changes periodically (for
example, every minute).
token authentication
A second-factor authentication method that challenges a
user for a token-generated string. The response can
include a static token PIN.
token PIN
See static token PIN.
two-step authentication
An authentication process in which first-factor and
second-factor authentication challenges are presented to
the end user consecutively. The end user is authenticated
and verified using the first-factor authentication method
before being challenged with second-factor
authentication.
See also one-step authentication.
two-stage authentication.
See two-step authentication.
user authentication
An authentication process in which the end user is verified
as authentic by the organization. Entrust IdentityGuard
supports the following types:
user name
•
grid authentication
•
token authentication
•
knowledge-based authentication
•
passcode list authentication
•
out-of-band authentication
The name of the Entrust IdentityGuard user in their
first-factor authentication system.
A user name must be unique within its group.
354
userspec attributes
See user specification attributes.
user ID
The globally unique name of an end user or administrator.
It includes both the Entrust IdentityGuard group name
and the user name of the user in the first-factor
authentication system, written as group/username.
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
user specification attributes
The policy attributes that determine the rules for an end
user’s interaction with Entrust IdentityGuard. For
example, the number of aliases a user can have, their
authentication methods, and so on.
Web service
A program that runs within an application server that
communicates to other requesting components, often
using the Simple Object Access Protocol (SOAP). Web
services have two advantages:
•
The SOAP protocol provides a standard way for the
Web service and its clients to encode and decode (or
"parse") the program data so that programmers
don't have to write their own. The standard also
means that programs written by different companies
can communicate with the Web service.
•
SOAP envelopes are typically sent within HTTP
requests so you do not have to open additional ports
in your firewall for clients to communicate with the
Web service.
Entrust IdentityGuard has two Web services:
Administration service and Authentication service.
WSDL
Web Services Definition Language. An XML format for
describing network services as a set of endpoints
operating on messages. WSDL service definitions provide
the technical details for describing a Web service that
would be required for someone to actually invoke the
service (for example, input parameters, output format,
and so on).
Glossary
Feedback on guide
355
356
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
Feedback on guide
Index
-
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
.wsdl files 259
A
active card
definition 345
active token
definition 345
Administration API
definition 345
Administration interface
definition 345
Administration service
definition 345
Administration WSDL
definition 345
administrator
definition 345
administrator password attributes
definition 345
algorithms 97, 99, 101
alias
definition 345
all grouplist
definition 345
anonymous authentication. See one-step authentication
audit integrity check 281
auditor role
definition 345
authentication
definition 345
domain controller 172
LDAP directory 172
Radius 172
strong
definition 353
Authentication API
definition 345
authentication secret
definition 346
Authentication service
definition 346
-
Authentication WSDL
definition 346
B
backup
UNIX 211, 247
Windows 213
backups
backup strategy 244
of LDAP Directory and database 225, 247
restoring file-based card preproduction repository 253
restoring IdentityGuard 250
C
cached challenges 270
Canceled state
definition 346
card
definition 346
card preproduction
configuring 220
database 224
disk files 221
card specification attributes
definition 346
cardspec. See card specification attributes
cell
definition 346
certificate
exporting 238
importing the SSL certificate 233
updating 238
challenge cache 271
challenge generation algorithm
definition 346
client application
definition 346
client authentication
definition 346
357
-
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
commands
supersh 53, 56, 123, 126, 251, 254
version 54, 124
configuration during install
IdentityGuard 36, 109
Consumer deployment
definition 346
credentials
definition 346
cryptography
policy files 96, 98, 100, 101
Current state
definition 346
Customer support 16
D
default role
definition 346
deployment, Consumer
definition 346
deployment, Enterprise
definition 347
dynamic password
definition 347
E
end user
definition 347
Enterprise deployment
definition 347
Entrust IdentityGuard Desktop for Microsoft Windows
definition 347
Entrust IdentityGuard Radius proxy
definition 347
Entrust IdentityGuard Remote Access Plug-in for Microsoft
Windows Servers
definition 347
Entrust IdentityGuard Server
definition 347
external authentication 202
definition 347
groups 209
358
IdentityGuard 8.1 Installation Guide
F
failover
Radius 195
repository 218
file-based preproduction card repository
restoring 253
file-based repository
definition 347
first-factor authentication
definition 347
first-factor authentication application
definition 347
G
Getting help
Technical Support 16
grid
definition 347
grid authentication
definition 348
grid location replay authentication
definition 348
group
definition 348
grouplist
definition 348
own
definition 350
groups
external authentication 178, 209
H
Hold state
definition 348
Hold_pending state
definition 348
I
IdentityGuard
configuration during install 36, 109
configuring to use cached challenges 270
disabling 64, 65
enabling 64, 65
failed initialization 47, 118
Document issue: 3.0
-
-
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
initializing 47, 83, 118
installing 33
installing a replica server 210
querying status 63, 64
restarting 63, 64
sample application 51
starting 63, 64
starting automatically 63, 166
stopping 63, 64
testing 58, 162
uninstalling 336, 338
upgrading 299
WebLogic 8.1
installing 106
WebLogic 9.1
installing 106
WebSphere 6.0
installing 106
identityguard.properties
audit.integrity 281
externalauth 293
externalauth.kerberos 294
igradius.challengestring 284
igradius.msglog 289
igradius.port 283
igradius.radius 290
igradius.skipauth 289
igradius.tokenchallengestring 286
tokenrequirespinupdate 288
igradius.url 282
igradius.vpn 290
igradius.vpn.useradius 293
jdbc.blobAccess 268
jdbc.connectionpool 267
jdbc.connectionpool.max 267
jdbc.connectionpool.minIdleClose Time 267
jdbc.driverClass 268
jdbc.logintimeout 267
jdbc.needsEscape 268
jdbc.password 268
jdbc.querytimeout 267
jdbc.schema 268
jdbc.selectLock 269
jdbc.timestampDataType 268
jdbc.url 268
jdbc.user 268
ldap.addAdminObjectClass 262
ldap.addPolicyObjectClass 263
-
ldap.addUserObjectClass 262
ldap.connectionpool.max 265
ldap.connecttimeout 262
ldap.credentials 261
ldap.GeneralizedTime 266
ldap.policyentry 262
ldap.principal 261
ldap.searchbase 264
ldap.searchtimeout 265
ldap.sizelimit 265
ldap.sslEnabled 262
ldap.url 261
ldap.useridattribute 262
log.maxstacksize 273
refreshinterval 273
supersh.adminlist 279
supersh.preproducedcardlist 279
supersh.tokenlist 280
supersh.usercardlist 278
supersh.userlist 278
tokenRepository 221, 223
webadmin
bulk 296
export 297
identityguard.properties file
authentication success audit 258
caching policies 272
changing log configuration 273
changing log locations 277
column width formatting 278
configuring 255
configuring to use cached challenges 270
definition 348
enabling cached challenges 270
encrypted properties 257
JDBC properties 267
LDAP properties 261
license audit 281
properties for card preproduction 224
search bases 260
identityguard.sh 52, 63, 64
igkrb5.conf file 204
image replay authentication
definition 348, 349
initialization
definition 348
initializing IdentityGuard 47, 83, 118
reasons for failure 47, 118
Index
359
-
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
installing IdentityGuard 33, 106
J
definition 349
multifactor authentication
definition 349
mutual authentication 349
Java Development Kit 96, 98, 100
K
keytool 235
documentation 235
knowledge-based authentication
definition 348
L
layered authentication
definition 348
least-used cell challenge generation algorithm
definition 349
license audit 281
replica servers 281
loadbalancing 210
log locations
changing 277
log4j properties 273
logging
configuring 45, 116, 273
to Syslog 45, 116, 277
M
machine authentication
definition 349
machine authentication type list
definition 349
machine secret
definition 349
master key
definition 349
master key protection file
definition 349
master user
definition 349
master user shell 49, 119
configuring formatting 278
definition 349
message replay authentication
360
IdentityGuard 8.1 Installation Guide
N
native libraries 128, 134
nonce
definition 349
O
one-step authentication
definition 350
one-time password
definition 350
organization authentication 350
OTP. See one-time password
out-of-band authentication
definition 350
own grouplist
definition 350
P
passcode list
definition 350
passcode list authentication
definition 350
password attributes. See administrator password attributes
Pending state
definition 350
pinspec attributes. See temporary PIN attributes
policy
definition 351
preproduction model
definition 351
primary Entrust IdentityGuard Server
definition 351
produce-and-assign model
definition 351
Professional Services 17
properties file
authentication success audit 258
changing log configuration 273
changing log location 277
column width formatting 278
Document issue: 3.0
-
-
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
configuring to use cached challenges 270
enabling cached challenges 270
encrypted properties 257
JDBC properties 267
LDAP properties 261
license audit 281
Q
question and answer authentication. See knowledge-based
authentication
R
Radius
definition 351
Radius Proxy
automatic restart 35, 107
Radius proxy 171
architecture 173
configuring overview 172
external 187
overview 172
with domain controller 187
with LDAP server 187
with Radius server 180
Radius proxy. See Entrust IdentityGuard Radius proxy
random challenge generation algorithm
definition 351
registration
definition 351
replica
definition 352
replica server
configuring 210
initializing 210
installing 210
new SSL certificate 210
repository
definition 352
preparing 22
restoring IdentityGuard from backup 250
role
definition 352
-
S
sample application
configuring 51
definition 352
disabling 52
sample Web application
enabling 52
second-factory authentication
definition 352
serial number
reconfiguring 254
serial number replay authentication
definition 352
shared secret
definition 352
single-factor authentication
definition 353
single-page authentication. See one-step authentication
SOAP
definition 353
SSL
creating a self-signed certificate 235
exporting a certificate 238
importing the SSL certificate 233
ports 228
securing the LDAP repository, after installation 233
state
Current
definition 346
definition 353
hold
definition 348
Hold_pending
definition 348
Pending
definition 350
static token PIN
definition 353
strong authentication
definition 353
super shell. See master user shell
supersh. See master user shell
superuser role
definition 353
Syslog
configuring 226
logging to 45, 116, 277
Index
361
-
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
T
W
TAN. See passcode list authentication
Technical Integration Guides 22
Technical Support 16
temporary PIN
definition 354
temporary PIN attributes
definition 354
testing IdentityGuard 58, 162
token
definition 354
token authentication
definition 354
token PIN. See static PIN
tokens
Entrust 30
two-stage authentication. See two-step authentication
two-step authentication
definition 354
typographic conventions 13
Web service
definition 355
WebLogic 8.1 96
configuring SSL 97
deploying IdentityGuard services 128
preparing for installation 96
WebLogic 9.1 98
configuring SSL 98
deploying IdentityGuard services 134
preparing for installation 98
WebSphere 6.0 100
configuring SSL 101
deploying IdentityGuard services 142
preparing for installation 100
shared library settings 142
WSDL
definition 355
U
uninstalling IdentityGuard 336, 338
UNIX group and user
creating 32
UNIX service command
starting and stopping IdentityGuard 63
upgrading
IdentityGuard 7.2 to 8.1 299
user authentication
definition 354
user ID
definition 354
user name
definition 354
user specification attributes
definition 355
user, end
definition 347
userspec attributes. See user specification attributes
V
version command 54, 124
VPN server
configure 193
362
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
-
-
363
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
-
-
364
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
IdentityGuard 8.1 Installation Guide
Document issue: 3.0
-