Client Rollout

Introduction The SECUDE Secure Login Client is usually installed on a large number of systems. Therefore, the Client setup is usually performed as an unattended installation using Microsoft MSI. The Client setup is implemented as an MSI 3.1 package.

During installation, all files used to customize the product during installation are stored in the customer subfolder, which must be located in the same directory as the MSI setup. The MSI setup reads and copies them during installation.

Contents Section 4.3.1 „

Installation‟, on page 98

98

4.3.1

Installation

Before proceeding with this section make sure that it is the stand-alone Client you want to install and not the Web Client. For details about the Web Client installation refer to chapter 5 ‘Secure Login plus Web Client - Installation, Usage, and Removal’ on page 109.

The installation wizard is usually used for a single installation of the Group Policies. 1. Double-click the MSI installer SECUDE Secure Login.msi.

2. The welcome dialog will appear:

Figure 4-1 installation – welcome dialog

Click Next.

3. The program information appears:

Figure 4-2 installation – program information dialog

99 4. The license agreement appears:

Figure 4-3 installation – license agreement dialog

Check I accept the terms of the license agreement and click Next. 5. The setup type dialog appears:

Figure 4-4 installation – setup type dialog

- Check Complete if you want to install all of the features (go to step 7).

- Check Custom if you want to install specific features (go to step 6).

The installer contains the following components (Components marked with * are pre- selected by default):

100

Component Details/Value

Business Client addins

SNC/GSS (primary) *

This installs primary the SAP Secure Network Communication support addin for SAP Clients. SNC/GSS (secondary)

This installs secondary the SAP Secure Network Communication support addin for SAP Clients. (Only required if another SNC library is already installed. The primary SNC/GSS (primary) must be de-selected in this case.)

SSF

This installs the SAP Secure Store and Forward support addin for SAP Clients.

SECUDE Secure Login Secure Login system service: Windows Network Provider addin*

Network provider addin for retrieving Windows credentials for authentication against Active Directory.

Windows Kerberos addin

Secure Login addin to use local Windows Kerberos authentication against a local Secure Login service for CITRIX.

Profile Management* PSE Service*

Personal Security Environment user service. Security Tokens:*

- Smartcard support*

PKCS#11 and TCOS-based smart card token plugins.

- CAPI support*

Microsoft CryptoAPI token plugin. SECUDE CSP* SECUDE cryptographic service provider. Group Policies Microsoft group policy templates (ADM files). Notification Notification service and GUI for tracing purposes.

Once you have chosen a setup type click Next.

6. If you chose to install specific features in the previous dialog, the custom setup dialog appears:

101

Figure 4-5 installation – custom setup dialog

- Select the features you wish to install and click Next.

- If you want to prevent the installation of a component, click on the hard drive symbol next to the component and select The feature will not be available from the context menu:

Figure 4-6 installation – component selection

- To return to the default selection click Reset.

- Once you have made your selection click Next.

102

Figure 4-7 installation – ready to install dialog

Click Install.

8. The installation status dialog appears:

Figure 4-8 installation – installation status dialog

The installation my take a few minutes, so please be patient. 9. Once the installation is complete the following dialog appears:

Figure 4-9 installation – completion dialog

Click Finish. The installation is now complete.

103 Start>Shutdown>Restart to restart.

Further Information

Section 4.3.2 „Command Line Options to Influence the MSI Setup‟, on page 103

4.3.2

Command Line Options to Influence the MSI Setup

Introduction This section details command line options that can influence the Microsoft installer (MSI) setup.

Contents Section 4.3.2.1 „Standard MSI Options‟, on page 103 Section 4.3.2.2 „Secure Login MSI Options‟, on page 104

4.3.2.1

Standard MSI Options

To help you understand the MSI options, open a command shell and enter the following syntax:

msiexec /?

The following dialog will be displayed:

104

4.3.2.2

Secure Login MSI Options

To view the options specific to the SECUDE Secure Login setup, open a command shell and enter the following syntax:

msiexec /i “<path>\SECUDE Secure Login.msi” HELP=1 For example:

msiexec /i “C:\SECUDE Secure Login.msi” HELP=1 The following dialog will be displayed:

Figure 4-11 installation – restart dialog

The components that can be installed individually have the following syntax and meaning (features marked with * are installed by default if no specific components are selected): Feature abbreviation for

command line syntax

Package name in custom setup

Description

ProfileManagement _{Profile management User components.}

PSE Service _{PSE Service User GUI and SSO process.}

Token _{Security tokens Persistent security tokens.}

Capi _{CAPI support* Microsoft Crypto API token}

plug-in.

Smartcard _{Smartcard support* PKCS#11 and TCOS based}

smartcard token plug-ins.

105 Feature abbreviation for

command line syntax

Package name in custom setup

Description

plug-in for the Microsoft Crypto API.

GroupPolicies _{Group Policies Group policies, ADM files.}

Notification _{Notification Notification service and viewer}

for SECUDE applications.

secure_login _{SECUDE Secure}

Login*

Credentials-based certificate enrollment

secure_login_Pepperbox _{n/a Basic non-persistent tokens}

support.

secure_login_Kerberos _{Windows Kerberos}

addin Kerberos support.

secure_login_NetworkProvider _{Windows network} provider addin*

Network provider add-in for retrieving Windows

credentials.

secure_login_Service _{Secure login system}

service*

SECUDE Secure Login system service for policy download and Windows credentials management.

signon_secure _{Business Client}

addins

SAPGUI security component.

signon_secure_SNC _{SNC/GSS (primary)* SAP Secure Network}

Communication support.

signon_secure_SSF _{SSF SAP Secure Store and}

Forward support

For a full list of components installed by default (i.e. when no specific components are installed) refer to section 4.3.1, step 5, on page 99.

Example Installation Syntax 1

This example has been put together to achieve the following:

Install SECUDE Secure Login without the user wizard but with the progress bar; do not install the Windows login component (option qb).

Set the personal security environment (PSE) path to that of the subfolder SECUDE in the user profile (option CREDDIR=$USERPROFILE$\SECUDE).

Install German language modules only (option SECUDE LANG=1031).

Install programs into the default folder; do not install ADM files for group policy support (option qb).

Add massive logging (option l*v sl.log).

So, to achieve the above the syntax should be as follows:

msiexec.exe /i “C:\SECUDE Secure Login.msi” /qb /l*v sl.log ADDLOCAL=ALL REMOVE=secure_login_NetworkProvider,GroupPolicies CREDDIR=$USERPROFILE$\SECUDE LANG=1031

If you execute the above syntax then you will notice after the installation that both the German and the English GUI have been installed. This is because English language support cannot be de-selected as it is the fallback GUI. No reboot is required. The system tray icon is displayed, and enrolment profiles are provided immediately.

Example Installation Syntax 2

This example has been put together to demonstrate a simple installation and feature selection:

Msiexec /i "SECUDE Secure Login.msi" INSTALLDIR="C:\Program Files\SECUDE\SL" LAUNCH=1 LANG=0000 ADDLOCAL=ALL

106

In most cases, it is the easiest way to install all but a few features, which is best configured by ADDLOCAL=ALL REMOVE=feat1,feat2,…