Token Management System 2.0 - PowerPoint PPT Presentation

1
Token Management System 2.0
  • Nirit Bear
  • eToken Technical Enablement Manager

April 17, 2007
2
Content
  • TMS Overview
  • End User Experience - Enrollment and Recovery
  • Technical Overview
  • Admin Enrollment Management of Tokens
  • Installation Deployment
  • TMS Configuration
  • Advanced Tools
  • Summary

3
TMS Overview
4
The Challenge
The management of an authentication solution in
an enterprise involves a number of interrelated
elements
  • Users: the identities in the organization
  • Organizational policies: access rights for user
    groups and the required security measures
  • Security devices: the authentication devices
    provided to users
  • Security applications: the applications to be
    used by each user (e.g. SSO, network logon, disk
    encryption)
  • How does a management system help?

5
Life Cycle Management is Enabled by TMS
  • TMS makes token deployment and full life cycle
    management easy in any organization
  • TMS provides a solution for centralized
    deployment of credentials for different systems,
    in a single action
  • Enables simple adding or modification of
    credentials
  • Enables easy reset of token password
  • Enables token replacement or recovery including
    automatic revocation of profiles

6
TMS 2.0 Architecture
Architecture diagram (components labelled: MyeToken, eTokenManage, eTokenRemote)
7
TMS Architecture (High Level)
8
TMS 2.0 - New Design
  • TMS 2.0 is a web-based 3-tier application
  • Database tier: Active Directory (AD) or ADAM
  • Application tier: ASP.NET application
  • Top tier: Internet Explorer browser or a Windows
    Forms application
  • Enhanced data security
  • Enhanced role management
  • Support for all Aladdin TMS 1.5 connector
    functionality

9
TMS 2.0 - New Enhanced Functionality
  • Virtual eToken ensures continued productivity
    when an employee loses an eToken
  • Auditing and enhanced reporting (built-in reports
    and export capabilities for third-party reporting
    tools)
  • New TMS Flash Management Connector (partitioning
    and managing of auto-run sections)
  • Automatic certificate renewal for Microsoft CA
    2000/2003
  • Enhanced revoke/delete user mechanism
  • Support for all eToken devices including the
    eToken Pass (OTP only device)

10
Key Features of TMS 2.0
  • Enhanced usability, efficiency and ease of use
  • Completely new GUI design, fully Web based
  • Simplified, wizard-based installation and
    configuration
  • Enhanced robustness
  • Enhanced scalability through a 3-tier, Web-based
    architecture
  • Improved data security
  • Multi domain support
  • Enhanced support for large-scale deployments
  • Scalability support for large enterprises
    deployments
  • Multilingual Support

11
Key Features of TMS 2.0
  • Enhanced support for regulations
  • Enhanced reporting capabilities
  • Several built-in reports
  • Support for external reporting tools
  • Audit capabilities (real time reports)
  • Enhanced role management: role-based access
  • Support for authentication exceptions, e.g. an
    employee on the road who has lost his token
  • eToken Virtual
  • Self Service Website (also reduces helpdesk
    costs)

12
Key Features of TMS 2.0
  • Support for Managed services
  • Role based system
  • Encrypted info for different OUs
  • Single web interface for managing several TMS
    systems
  • Enhanced PKI management
  • Automatic certificate renewal for Microsoft CA
    2000/2003
  • Enhanced revoke/delete user mechanism
  • New NG-FLASH connector for partitioning and
    managing the auto-run area
  • Support for Future Aladdin OTP devices

13
End User Experience
14
End User Self Token Enrollment
  • End-user Web site: MyeToken
  • It is recommended to protect the site with a
    password using basic authentication
  • The end-user site provides the following options:
  • Update the content of an existing token
  • Enroll a new token
  • Change/Reset eToken password
  • Disable an eToken
  • Replace a lost/damaged token (including
    revocation)
  • Manage OTP tokens
  • More...

15
MyeToken End-user Web site
16
Enrolling a New eToken: Initialization and Labeling
17
Enrolling an eToken: Completing the Enrollment
  • Example enrollment configuration
  • Setting a manual password for eToken Network
    Logon (GINA)

The Success screen shows details of the enrolled
profiles
18
Reset or Change eToken Password
19
Lost eToken Recovery Page
20
Employee on the Road
  • An employee is about to make an important
    presentation at an overseas meeting
  • The employee cannot find her token
  • Some solution is necessary to enable her to:
  • Log on to her computer
  • Decrypt her files (in particular, the
    presentation)
  • Access her email and other essential applications
    (for example, the company VPN)
  • The solution - eToken Virtual
  • Secured software-based token, temporarily
    activated until the employee returns to her
    office
  • TMS supports several methods for using eToken
    Virtual varying in security and usability

21
Activating eToken Virtual in 3 Steps: Step 1
  • Browse to the TMS Remote Service Center

22
Activating eToken Virtual in 3 Steps: Step 2
  • Answer pre-set questions to authenticate

23
Activating eToken Virtual in 3 Steps: Step 3
  • Receive the eToken Virtual decryption key

24
Technical Overview
25
Token Enrollment and Management: Administrator
Operations
26
TMS Management Center - eTokenManage
  • Provides management and service tools
  • Helpdesk options for token recovery and update
    (lost/damaged, ...)
  • Deployment section for administrator enrollment
    (initialize, assign, ...)
  • Inventory section for managing the enrolled
    tokens that are in the TMS DB (keeping track of
    them)
  • Built-in reports, including a search engine
  • The administrator can carry out operations such
    as:
  • Prepare and update tokens
  • Initialize tokens
  • Unlock locked tokens
  • Enroll eTPASS for users
  • Manage enrolled tokens

27
TMS Management Center Help Desk
  • Quick and effective help desk service tools

28
TMS Management Center Help Desk
Example: managing an enrolled OTP token through the
Helpdesk section
29
Deployment
  • Select the user from the OU and deploy according
    to the previously set enrollment configurations

Search by User name
30
Token Inventory
  • Ongoing management of token inventory

User Search by OU
31
Reports
  • TMS provides a set of built-in reports (examples shown)

32
Using Connectors
33
TMS Connectors
  • TMS manages security applications using
    server-based, configurable software plug-ins
    called TMS connectors
  • A connector links to a specific security
    application
  • It enables management of that application with
    regard to token enrollment, provisioning and
    life-cycle operations
  • Connectors can be added and configured
    differently for each OU in the organization
    (flexible implementation)
  • Connectors are configured through a TPO (Token
    Policy Object). A special TPO configuration can
    also be applied at group/user level.
  • Adding connectors: SDK

34
Configuring Connectors
  • Adding new connectors is done using the TMS
    Settings.
  • The newly added connectors are then configured
    for the specific OU/Group through the TPO editor

35
TMS Installation Configuration
36
Prerequisites for Server Installation
  • Windows 2003 Server with SP1 or SP2, or Windows
    2000 with SP4
  • Microsoft Active Directory
  • TMS is installed on an IIS server
  • .NET 2.0
  • MSI 3.0
  • PKI Client on the TMS enrollment machine (3.65 or
    4.0)

37
Installation Files
  • There are 3 different components that need to be
    installed if the organization wants to use the
    full functionality and gain the full benefit of
    TMS. These components are:
  • TMS_client_2.0.msi
  • TMS_management_2.0.msi
  • TMS_server_2.0.msi

38
Simplified Installation: TMS 2.0 Installation
Wizard
39
Installation Considerations
  • TMS installation is at the domain level
  • In a multi-domain environment, TMS must be
    configured on each domain, even if they are in
    the same forest.
  • Changing the schema
  • When you install TMS, it changes the existing AD
    schema.
  • To avoid this you can use the shadow domain
    model.
  • The shadow domain is then the location of the
    TMS data storage, and it is the schema there that
    is changed

40
TMS Deployment Options
41
TMS Configuration
42
TMS Configuration Settings Wizard
The TMS Configuration Settings Wizard opens
automatically after the TMS 2.0 Server
Installation Wizard closes.
43
TMS Scheduling
If required, select Enable Scheduling and select
one of the following:
  • Periodically: enter the number of hours between
    runs
  • Daily: enter the time at which scheduling is to
    be performed
  • Weekly: enter the day of the week on which
    scheduling is to be performed
44
TMS Roles Management
  • TMS encompasses three levels of assignments,
    built into a hierarchical structure:
  • Roles: level 1 activity (a group of tasks)
  • Tasks: level 2 activity (an operation or group of
    operations)
  • Operations: level 3 activity (a single action)
  • The lowest level is a single operation
  • A task consists of one or more operations and may
    include other tasks.
  • A role is generally performed by a single person
    (for example, an administrator) and is made up of
    a number of tasks and operations.

45
TMS Predefined Roles
  • TMS uses a three-level hierarchical structure:
  • Roles: level 1 activity (a group of tasks)
  • Tasks: level 2 activity (an operation or group of
    operations)
  • Operations: level 3 activity (a single action)
  • TMS Administrator: allowed to perform all TMS
    tasks
  • TMS Helpdesk: allowed to perform all TMS tasks
    except modifying TPOs
  • TMS End User: allowed to use all self-service
    options on the eToken Remote Help Center web site
  • Defining roles includes:
  • Defining roles and tasks
  • Allocating role assignments
  • Creating additional roles, tasks, operations and
    role assignments
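The three-level hierarchy and the three predefined roles above can be modelled as a small authorization check. The following is an added example, not Aladdin or TMS code: the operation, task and role names, the slash-separated Domain/OU/Group paths and the assignments are constructed. It shows how a task that includes other tasks is expanded (with a cycle guard), how the Helpdesk role's "all tasks except modifying TPOs" is expressed as an exclusion, and how a role assignment made at an OU scope applies to that OU's children but not to sibling OUs.

```python
"""Role / Task / Operation hierarchy as described on the TMS roles slides.

Added example, not code from Aladdin or TMS.  The operation, task and role
names, the OU paths and the assignments are constructed to mirror the three
predefined roles on the slide (Administrator, Helpdesk, End User).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    """Level 2: one or more operations, and optionally other tasks."""
    name: str
    operations: frozenset[str] = frozenset()
    subtasks: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Role:
    """Level 1: a group of tasks (plus, if needed, loose operations).
    'excluded' models the slide's "all TMS tasks except modifying TPOs"."""
    name: str
    tasks: frozenset[str] = frozenset()
    operations: frozenset[str] = frozenset()
    excluded: frozenset[str] = frozenset()


# Constructed catalogue of tasks; 'Recovery' nests 'ManageTokens'.
TASKS = {t.name: t for t in (
    Task("ManageTokens", frozenset({"InitializeToken", "AssignToken", "UnlockToken"})),
    Task("Recovery", frozenset({"RevokeToken"}), frozenset({"ManageTokens"})),
    Task("Reporting", frozenset({"ViewReports"})),
    Task("PolicyManagement", frozenset({"ReadTPO", "ModifyTPO"})),
    Task("SelfService", frozenset({"ResetOwnPassword", "EnrollOwnToken"})),
)}

# The three predefined roles from the slide, expressed over the constructed tasks.
ROLES = {r.name: r for r in (
    Role("TMS Administrator", frozenset(TASKS)),
    Role("TMS Helpdesk", frozenset(TASKS), excluded=frozenset({"ModifyTPO"})),
    Role("TMS End User", frozenset({"SelfService"})),
)}


def expand_task(name: str, tasks: dict[str, Task] = TASKS, _path: tuple = ()) -> set[str]:
    """Every operation reachable from a task, following nested tasks.
    A task that includes itself, directly or via another task, is an error."""
    if name in _path:
        raise ValueError("task cycle: " + " -> ".join(_path + (name,)))
    task = tasks[name]
    ops = set(task.operations)
    for sub in task.subtasks:
        ops |= expand_task(sub, tasks, _path + (name,))
    return ops


def role_operations(role: Role, tasks: dict[str, Task] = TASKS) -> set[str]:
    """Effective operation set of a role: its tasks expanded, minus exclusions."""
    ops = set(role.operations)
    for task_name in role.tasks:
        ops |= expand_task(task_name, tasks)
    return ops - set(role.excluded)


@dataclass(frozen=True)
class Assignment:
    """A role given to a principal at a Domain/OU/Group scope (slash-separated path)."""
    principal: str
    role: str
    scope: str


def scope_covers(scope: str, target: str) -> bool:
    """'corp/Sales' covers itself and 'corp/Sales/EMEA' but not 'corp/SalesOps':
    the match is on whole path components, not on a raw string prefix."""
    return target == scope or target.startswith(scope + "/")


# Constructed assignments: one domain-wide admin, one helpdesk operator for Sales.
ASSIGNMENTS = (
    Assignment("alice", "TMS Administrator", "corp"),
    Assignment("bob", "TMS Helpdesk", "corp/Sales"),
)


def is_authorized(principal: str, operation: str, target: str,
                  assignments=ASSIGNMENTS, roles=ROLES, tasks=TASKS) -> bool:
    """True if some assignment of the principal grants the operation at a scope
    that contains the target OU/group."""
    return any(
        a.principal == principal
        and scope_covers(a.scope, target)
        and operation in role_operations(roles[a.role], tasks)
        for a in assignments
    )


if __name__ == "__main__":
    for who, op, where in [("bob", "UnlockToken", "corp/Sales/EMEA"),
                           ("bob", "UnlockToken", "corp/Finance"),
                           ("bob", "ModifyTPO", "corp/Sales"),
                           ("alice", "ModifyTPO", "corp/Finance")]:
        print(f"{who:6} {op:14} {where:18} -> {is_authorized(who, op, where)}")
```

The exclusion set is the one design choice worth noting: because a task can nest other tasks, "all tasks except X" cannot be expressed simply by leaving a task out of the role, so the check expands the role fully and then subtracts the excluded operations.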

46
TMS Roles Management: Authorization Manager
Can be launched from the Start menu: Programs >
eToken > TMS 2.0 > TMS Configuration Tool.
47
TPO Editor
  • Enables setting all policy settings for the TMS
    system.
  • Each policy can be set to Not Defined, in which
    case the definition is taken from the policy
    above it, or set to Defined with a value.
  • Settings include:
  • General Settings/Mail Server Settings
  • Connector Settings
  • eToken Settings (Initialization Settings,
    Password Settings, eToken Properties)
  • Enrollment Settings
  • eToken recovery options
  • Audit Settings
  • Desktop Agent Settings

48
Configuration of the Token Policy Object
  • Enables setting all policy settings for the TMS
    system.
  • Each policy can be set to Not Defined, in which
    case the definition is taken from the policy
    above it, or set to Defined with a value.

49
TPO Connector Definitions
  • The OTP connector is taken as an example. All
    definitions are set by default to Not Defined and
    are provided with default values.

50
TPO Connector Definitions
  • The OTP connector is taken as an example:
    defining values for all policies.
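The TPO inheritance rule stated on the previous slides (a setting left Not Defined takes its definition from the policy above, and a connector setting nobody defines keeps the connector's default) is the kind of logic that is worth checking against the effective policy rather than against any single level. The following is an added example, not Aladdin or TMS code: the Domain/OU/Group chain, the setting names and the default values are constructed, and the OTP settings only mirror the slide's example in spirit since the real TPO setting names are not on the page. It resolves a setting up the chain, reports which level supplied it, and lists where a lower level explicitly defines something different from what it would have inherited.

```python
"""Resolving a TPO (Token Policy Object) setting through the Domain -> OU -> Group
chain: a level left 'Not Defined' inherits from the level above, and a setting
no level defines falls back to the connector's default value.

Added example, not Aladdin/TMS code.  Level names, setting names and values
are constructed; the real TPO setting names are not on the page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional

NOT_DEFINED = object()   # sentinel: "Not Defined" -> take the definition from above


@dataclass
class Policy:
    """One TPO level.  'settings' maps a setting name to a Defined value or to
    NOT_DEFINED; 'parent' is the next level up (None at the domain)."""
    name: str
    settings: dict = field(default_factory=dict)
    parent: Optional["Policy"] = None


# Constructed connector defaults, used when no level in the chain defines a setting.
DEFAULTS: dict[str, Any] = {
    "OTP.Enabled": False,
    "OTP.PasscodeLength": 6,
    "Token.MinPasswordLength": 4,
}


def resolve(policy: Policy, setting: str, defaults=DEFAULTS) -> tuple[Any, str]:
    """Walk from the most specific level up to the domain; return (value, source)."""
    node = policy
    while node is not None:
        value = node.settings.get(setting, NOT_DEFINED)
        if value is not NOT_DEFINED:
            return value, node.name
        node = node.parent
    if setting in defaults:
        return defaults[setting], "connector default"
    raise KeyError(f"{setting}: not defined at any level and no default")


def effective_policy(policy: Policy, defaults=DEFAULTS) -> dict[str, tuple[Any, str]]:
    """Every setting known anywhere in the chain, with its effective value and source."""
    names = set(defaults)
    node = policy
    while node is not None:
        names |= set(node.settings)
        node = node.parent
    return {s: resolve(policy, s, defaults) for s in sorted(names)}


def local_overrides(policy: Policy, defaults=DEFAULTS) -> dict[str, tuple[Any, Any]]:
    """Settings this level Defines to a value different from what it would have
    inherited: the first place to look when a group-level TPO is weaker than the
    domain-level one.  Returns {setting: (inherited_value, local_value)}."""
    out = {}
    for setting, value in policy.settings.items():
        if value is NOT_DEFINED:
            continue
        if policy.parent is not None:
            inherited, _ = resolve(policy.parent, setting, defaults)
        elif setting in defaults:
            inherited = defaults[setting]
        else:
            continue
        if inherited != value:
            out[setting] = (inherited, value)
    return out


# Constructed chain: domain -> Sales OU -> Sales-Mobile group.
DOMAIN = Policy("Domain", {
    "OTP.Enabled": NOT_DEFINED,          # inherit (here: the connector default)
    "Token.MinPasswordLength": 8,
})
SALES_OU = Policy("OU:Sales", {"OTP.Enabled": True}, parent=DOMAIN)
SALES_MOBILE = Policy("Group:Sales-Mobile", {
    "OTP.PasscodeLength": 8,
    "Token.MinPasswordLength": 4,        # explicitly weaker than the domain value
}, parent=SALES_OU)

if __name__ == "__main__":
    for setting, (value, source) in effective_policy(SALES_MOBILE).items():
        print(f"{setting:24} = {value!s:6} (from {source})")
    print("overrides at group level:", local_overrides(SALES_MOBILE))
```

The point of `local_overrides` is that Defined always wins over the level above: a group TPO can set a password length lower than the domain's, so auditing the domain TPO alone does not tell you what a given group actually enforces.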

51
TMS Back-end Service
  • A Windows service installed on the TMS machine
  • Includes a scheduler that starts according to the
    configuration set by the configuration utility
  • TMS Notification Icon
  • Installed on the computer running the management
    tools.
  • Manages the TMS back-end service.
  • Enables the administrator to start, stop, pause
    and continue the TMS back-end service.
  • Notifies the administrator if the TMS back-end
    service has stopped, started, or been uninstalled
    and installed again.

52
TMS Desktop Agent
  • An application that provides TMS end users with
    automatic token-related alerts and services.
  • The Agent provides the following services:
  • Alerts when the token content is about to
    expire
  • Automatic retrieval of soft tokens
  • An interface for TMS client applications to
    update the token data in the TMS database
    (Agent API)
  • To provide these features, the TMS Desktop Agent
    uses the TMS Agent Web Service, which is
    installed on the TMS server.

53
TMS Migration Wizard
54
Migrating from TMS 1.5 to TMS 2.0
  • To upgrade from TMS 1.5 to TMS 2.0, install the
    new TMS version and then run the TMS Migration
    Wizard
  • MigrationWizard.exe
  • The default folder is C:\Program
    Files\Aladdin\eToken\Tms20\Bin
  • TMS 1.5 and TMS 2.0 can coexist in the same
    domain and even on the same computer.
  • This enables you to run TMS 2.0 and TMS 1.5
    concurrently before you convert your installation
    to TMS 2.0 only.
  • The user running the migration must be a member
    of the TMS 1.5 TmsAdmins group

55
Migration Wizard
56
Migration Wizard
57
Summary
58
Token Management System (TMS)
  • TMS is a full life-cycle management system
    enabling deployment, provisioning and maintenance
    of tokens and their associated security
    applications in an organization
  • TMS links together:
  • Users
  • Organizational rules
  • Security device(s)
  • Security application(s)

59
Summary
  • TMS enables Active Directory based token
    life-cycle management
  • TMS offloads user administration of
    authentication devices from IT to Human Resources
    and users
  • TMS can be deployed according to the
    organization's policies, including the Employee
    on the Road scenario
  • Role Management is set for Domain/OU/Group level
    using the Authorization Manager
  • Enrollment Policies are set at Domain/OU/Group
    level using TPO Editor

60
Thank You!
  • For more information please visit
  • www.Aladdin.com/eToken