IBM® Client Security Solutions
Client Security Software Version 5.3
Installation Guide
First Edition (May 2004)
Before using this information and the product it supports, be sure to read Appendix A, “U.S. export regulations for Client Security Software,” on page 43 and Appendix C, “Notices and Trademarks,” on page 49.
Contents
Preface . . . vii
About this guide . . . vii
Who should read this guide . . . vii
How to use this guide . . . vii
References to the Client Security Software Administrator’s Guide . . . viii
References to the Client Security Software User’s Guide . . . viii
Additional information . . . viii
Chapter 1. Introduction . . . 1
The IBM Embedded Security Subsystem . . . 1
The IBM Embedded Security Chip . . . 1
IBM Client Security Software . . . 2
The relationship between passwords and keys . . . 2
The administrator password . . . 2
The hardware public and private keys . . . 3
The administrator public and private keys . . . 3
ESS archive . . . 4
User public and private keys . . . 4
The IBM key-swapping hierarchy . . . 4
CSS public key infrastructure (PKI) features . . . 5
Chapter 2. Getting started . . . 7
Hardware requirements . . . 7
IBM embedded Security Subsystem . . . 7
Supported IBM models . . . 7
Software requirements . . . 7
Operating systems . . . 7
UVM-aware products . . . 7
Web browsers . . . 8
Downloading the software . . . 9
Chapter 3. Before installing the software . . . 11
Before you install the software . . . 11
Installing on clients running Windows XP and Windows 2000 . . . 11
Installing for use with Tivoli Access Manager . . . 11
Startup feature considerations . . . 11
BIOS update information . . . 12
Using the administrator key pair to archive keys . . . 12
Chapter 4. Installing, updating, and uninstalling the software . . . 13
Downloading and installing the software . . . 13
Using the IBM Client Security Software Setup Wizard . . . 14
Enabling the IBM Security Subsystem . . . 17
Installing the software on other IBM clients when the administrator public key is available - unattended installations only . . . 17
Performing an unattended installation . . . 17
Mass deployment . . . 18
Mass installation . . . 18
Mass configuration . . . 19
Upgrading your version of Client Security Software . . . 22
Upgrading using new security data . . . 22
Upgrading from CSS 5.0 or later using existing security data . . . 22
Uninstalling Client Security Software . . . 23
Chapter 5. Troubleshooting . . . 25
Administrator functions . . . 25
Authorizing users . . . 25
Deleting users . . . 25
Setting a BIOS administrator password (ThinkCentre) . . . 25
Setting a supervisor password (ThinkPad) . . . 26
Protecting the administrator password . . . 27
Clearing the IBM embedded Security Subsystem (ThinkCentre) . . . 27
Clearing the IBM embedded Security Subsystem (ThinkPad) . . . 27
Known issues or limitations with CSS Version 5.3 . . . 28
Roaming limitations . . . 28
Restoring keys . . . 29
Local and domain user names . . . 29
Re-installing Targus fingerprint software . . . 29
BIOS supervisor passphrase . . . 30
Using Netscape 7.x . . . 30
Using a diskette for archiving . . . 30
Smart card limitations . . . 30
The plus (+) character is displayed on folders after encryption . . . 30
Windows XP limited user limitations . . . 30
Other limitations . . . 30
Using Client Security Software with Windows operating systems . . . 31
Using Client Security Software with Netscape applications . . . 31
IBM embedded Security Subsystem certificate and encryption algorithms . . . 31
Using UVM protection for a Lotus Notes User ID . . . 32
User Configuration Utility limitations . . . 32
Tivoli Access Manager limitations . . . 32
Error messages . . . 33
Troubleshooting charts . . . 33
Installation troubleshooting information . . . 33
Administrator Utility troubleshooting information . . . 34
User Configuration Utility troubleshooting information . . . 35
ThinkPad-specific troubleshooting information . . . 35
Microsoft troubleshooting information . . . 36
Netscape application troubleshooting information . . . 38
Digital certificate troubleshooting information . . . 40
Tivoli Access Manager troubleshooting information . . . 40
Lotus Notes troubleshooting information . . . 41
Encryption troubleshooting information . . . 41
UVM-aware device troubleshooting information . . . 42
Appendix A. U.S. export regulations for Client Security Software . . . 43
Appendix B. Password and passphrase information . . . 45
Password and passphrase rules . . . 45
Administrator password rules . . . 45
UVM passphrase rules . . . 45
Fail counts on TCG-systems using the National TPM . . . 47
Fail counts on TCG-systems using the Atmel TPM . . . 47
Fail counts on non-TCG-compliant systems . . . 48
Resetting a passphrase . . . 48
Resetting a passphrase remotely . . . 48
Resetting a passphrase manually . . . 48
Appendix C. Notices and Trademarks . . . 49
Trademarks . . . 50
Preface
This section provides information about how to use this guide.
About this guide
This guide contains information on how to install IBM Client Security Software on an IBM network computer, also referred to as an IBM client, which contains the IBM embedded Security Subsystem. This guide also contains instructions on how to enable the IBM embedded Security Subsystem and how to set the administrator password for the security subsystem.
The guide is organized as follows:
Chapter 1, “Introduction,” contains a brief outline of basic security concepts, an overview of the applications and components that are included in the software, and a description of Public Key Infrastructure (PKI) features.
Chapter 2, “Getting started,” contains computer hardware and software installation prerequisites as well as instructions for downloading the software.
Chapter 3, “Before installing the software,” contains prerequisite instructions for installing IBM Client Security Software.
Chapter 4, “Installing, updating, and uninstalling the software,” contains instructions for installing, updating, and uninstalling the software.
Chapter 5, “Troubleshooting,” contains helpful information for solving problems you might experience while using the instructions provided in this guide.
Appendix A, “U.S. export regulations for Client Security Software,” contains U.S. export regulation information regarding the software.
Appendix B, “Password and passphrase information,” contains passphrase criteria that can be applied to a UVM passphrase and rules for administrator passwords.
Appendix C, “Notices and Trademarks,” contains legal notices and trademark information.
Who should read this guide
This guide is intended for network or system administrators who set up personal-computing security on IBM clients. Knowledge of security concepts, such as public key infrastructure (PKI) and digital certificate management within a network environment, is required.
How to use this guide
Use this guide to install and set up personal-computing security on IBM clients. This guide is a companion to the Client Security Software Administrator’s Guide, Using Client Security with Tivoli Access Manager, and Client Security Software User’s Guide.
This guide and all other documentation for Client Security can be downloaded from the http://www.pc.ibm.com/us/security/secdownload.html IBM Web site.
References to the Client Security Software Administrator’s Guide
References to the Client Security Software Administrator’s Guide are provided in this document. The Administrator’s Guide contains information about using User Verification Manager (UVM) and working with UVM policy, and information about using the Administrator Utility and the User Configuration Utility.
After you install the software, use the instructions in the Administrator’s Guide to set up and maintain the security policy for each client.
References to the Client Security Software User’s Guide
The Client Security Software User’s Guide, a companion to the Client Security Software Administrator’s Guide, contains helpful information about performing user tasks with Client Security Software, such as using UVM logon protection, creating a digital certificate, and using the User Configuration Utility.
Additional information
You can obtain additional information and security product updates, when available, from the http://www.pc.ibm.com/us/security/index.html IBM Web site.
Chapter 1. Introduction
Select ThinkPad™ and ThinkCentre™ computers are equipped with built-in cryptographic hardware that works together with downloadable software technologies to provide a powerful level of security in a client PC platform. Collectively this hardware and software is called the IBM Embedded Security Subsystem (ESS). The hardware component is the IBM Embedded Security Chip and the software component is the IBM Client Security Software (CSS).
Client Security Software is designed for IBM computers that use the IBM Embedded Security Chip to encrypt files and store encryption keys. This software consists of applications and components that enable IBM client systems to use client security features throughout a local network, an enterprise, or the Internet.
The IBM Embedded Security Subsystem
The IBM ESS supports key-management solutions, such as a Public Key Infrastructure (PKI), and is comprised of the following local applications:
• File and Folder Encryption (FFE)
• Password Manager
• Secure Windows logon
• Multiple, configurable authentication methods, including:
  – Passphrase
  – Fingerprint
  – Smart Card
In order to effectively use the features of the IBM ESS a security administrator must be familiar with some basic concepts. The following sections describe basic security concepts.
The IBM Embedded Security Chip
The IBM Embedded Security Subsystem is the built-in cryptographic hardware technology that provides an extra level of security to select IBM PC platforms. With the advent of this security subsystem, encryption and authentication processes are transferred from more vulnerable software and moved to the secure environment of dedicated hardware. The increased security this provides is tangible.
The IBM Embedded Security Subsystem supports:
• RSA PKI operations, such as encryption for privacy and digital signatures for authentication
• RSA key generation
• Pseudorandom number generation
• RSA-function computation in 200 milliseconds
• EEPROM memory for RSA key pair storage
• All Trusted Computing Group (TCG) functions defined in TCG Main Specification version 1.1
• Communication with the main processor through the Low Pin Count (LPC) bus
IBM Client Security Software
IBM Client Security Software comprises the following software applications and components:
• Administrator Utility: The Administrator Utility is the interface an administrator uses to activate or deactivate the embedded Security Subsystem, and to create, archive, and regenerate encryption keys and passphrases. In addition, an administrator can use this utility to add users to the security policy provided by Client Security Software.
• Administrator Console: The Client Security Software Administrator Console enables an administrator to configure a credential roaming network, to create and configure files that enable deployment, and to create a non-administrator configuration and recovery profile.
• User Configuration Utility: The User Configuration Utility enables a client user to change the UVM passphrase, to enable Windows logon passwords to be recognized by UVM, to update key archives, and to register fingerprints. A user can also create backup copies of digital certificates created with the IBM embedded Security Subsystem.
• User Verification Manager (UVM): Client Security Software uses UVM to manage passphrases and other elements to authenticate system users. For example, a fingerprint reader can be used by UVM for logon authentication. Client Security Software enables the following features:
  – UVM client policy protection: Client Security Software enables a security administrator to set the client security policy, which dictates how a client user is authenticated on the system.
    If policy indicates that fingerprint is required for logon, and the user has no fingerprints registered, he will be given the option to register fingerprints as part of the logon. Also, if the Windows password is not registered, or incorrectly registered, with UVM, the user will have the opportunity to provide the correct Windows password as part of the logon.
  – UVM system logon protection: Client Security Software enables a security administrator to control computer access through a logon interface. UVM protection ensures that only users who are recognized by the security policy are able to access the operating system.
The relationship between passwords and keys
Passwords and keys work together, along with other optional authentication devices, to verify the identity of system users. Understanding the relationship between passwords and keys is vital to understanding how IBM Client Security Software works.
The administrator password
The administrator password is used to authenticate an administrator to the IBM Embedded Security Subsystem. This password, which must be eight characters long, is maintained and authenticated in the secure hardware confines of the embedded security subsystem. Once authenticated, the administrator can perform the following actions:
• Enroll users
• Launch the policy interface
• Change the administrator password
The administrator password can be set in the following ways:
• Through the IBM Client Security Setup Wizard
• Through the Administrator Utility
• Using scripts
• Through the BIOS interface (ThinkCentre computers only)
It is important to have a strategy for creating and maintaining the administrator password. The administrator password can be changed if it is compromised or forgotten.
For those familiar with Trusted Computing Group (TCG) concepts and terminology, the administrator password is the same as the owner authorization value. Since the administrator password is associated with the IBM Embedded Security Subsystem it is sometimes also referred to as the hardware password.
The hardware public and private keys
The basic premise of the IBM Embedded Security Subsystem is that it provides a strong root of trust on a client system. This root is used to secure other applications and functions. Part of establishing a root of trust is to create a hardware public key and a hardware private key. A public key and private key, together referred to as a key pair, are mathematically related in such a way that:
• Any data encrypted with the public key can only be decrypted with the corresponding private key.
• Any data encrypted with the private key can only be decrypted with the corresponding public key.
The hardware private key is created, stored and used in the secure, hardware confines of the security subsystem. The hardware public key is made available for various purposes (hence the name public key), but it is never exposed outside of the secure, hardware confines of the security subsystem. The hardware public and private keys are a critical part of the IBM key-swapping hierarchy described in a following section.
Hardware public and private keys are created in the following ways:
• Through the IBM Client Security Setup Wizard
• Through the Administrator Utility
• Using scripts
For those familiar with Trusted Computing Group (TCG) concepts and terminology, the hardware public and private keys are known as the storage root key (SRK).
The administrator public and private keys
The administrator public and private keys are an integral part of the IBM key-swapping hierarchy. They also allow for user-specific data to be backed up and restored in the event of system board or hard drive failure.
Administrator public and private keys can either be unique for all systems or they can be common across all systems or groups of systems. It is important to note that these administrator keys must be managed, so having a strategy for using unique keys versus known keys is important.
Administrator public and private keys can be created in one of the following ways:
• Through the IBM Client Security Setup Wizard
• Through the Administrator Utility
• Using scripts
ESS archive
The administrator public and private keys allow user-specific data to be backed up and restored in the event of a system board or hard drive failure.
User public and private keys
The IBM Embedded Security Subsystem creates user public and private keys to protect user-specific data. These key pairs are created when a user is enrolled into IBM Client Security Software. These keys are created and managed transparently by the User Verification Manager (UVM) component of IBM Client Security Software. The keys are managed based upon which Windows user is logged into the operating system.
The IBM key-swapping hierarchy
An essential element of the IBM Embedded Security Subsystem architecture is the IBM key-swapping hierarchy. The base (or root) of the IBM key-swapping hierarchy is the hardware public and private keys. The hardware public and private keys, called the hardware key pair, are created by IBM Client Security Software and are statistically unique on each client.
The next “level” of keys up the hierarchy (above the root) is the administrator public and private keys, or the administrator key pair. The administrator key pair can be unique on each machine, or it can be the same on all clients or a subset of clients. How you manage this key pair depends upon how you want to manage your network. The administrator private key is unique in that it resides on the client system (protected by the hardware public key) in an administrator-defined location.
IBM Client Security Software enrolls Windows users into the Embedded Security Subsystem environment. When a user is enrolled, user public and private keys (the user key pair) are created and a new key “level” is created. The user private key is encrypted with the administrator public key. The administrator private key is encrypted with the hardware public key. Therefore, to utilize the user private key, the administrator private key (which is encrypted with the hardware public key) must be loaded into the security subsystem. Once in the chip, the hardware private key decrypts the administrator private key. The administrator private key is now ready for use inside the security subsystem so that data that is encrypted with the corresponding administrator public key can be swapped into the security subsystem, decrypted and utilized. The current Windows user’s private key (encrypted with the administrator public key) is passed into the security subsystem. Any data needed by an application that leverages the embedded security subsystem would also be passed into the chip, decrypted and leveraged within the secure environment of the security subsystem. An example of this is a private key used to authenticate to a wireless network.
Whenever a key is needed, it is swapped into the security subsystem. The encrypted private keys are swapped into the security subsystem, and can then be used in the protected environment of the chip. The private keys are never exposed or used outside of this hardware environment. This provides for nearly an unlimited quantity of data to be protected through the IBM Embedded Security Chip.
The private keys are encrypted because they must be heavily protected and because there is limited storage space available in the IBM Embedded Security Subsystem. Only a couple of keys can be stored in the security subsystem at any given time. The hardware public and private keys are the only keys that remain stored in the security subsystem from boot to boot. In order to allow for multiple keys and multiple users, CSS utilizes the IBM key-swapping hierarchy. Whenever a key is needed, it is swapped into the IBM Embedded Security Subsystem. The related, encrypted private keys are swapped into the security subsystem, and can then be used in the protected environment of the chip. The private keys are never exposed or used outside of this hardware environment.
The administrator private key is encrypted with the hardware public key. The hardware private key, which is only available in the security subsystem, is used to decrypt the administrator private key. Once the administrator private key is decrypted in the security subsystem, a user’s private key (encrypted with the administrator public key) can be passed into the security subsystem and decrypted with the administrator private key. Multiple users’ private keys can be encrypted with the administrator public key. This allows for virtually an unlimited number of users on a system with the IBM ESS; however, best practices suggest that limiting enrollment to 25 users per computer ensures optimal performance.
The IBM ESS utilizes a key-swapping hierarchy where the hardware public and private keys in the security subsystem are used to secure other data stored outside the chip. The hardware private key is generated in the security subsystem and never leaves this secure environment. The hardware public key is available outside of the security subsystem and is used to encrypt or secure other pieces of data such as a private key. Once this data is encrypted with the hardware public key it can only be decrypted by the hardware private key. Since the hardware private key is only available in the secure environment of the security subsystem, the encrypted data can only be decrypted and used in this same secure environment. It is important to note that each computer will have a unique hardware public and private key. The random number capability of the IBM Embedded Security Subsystem ensures that each hardware key pair is statistically unique.
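The swap sequence described above, as an added illustration that is not IBM's code and not how CSS implements it: a Python model in which textbook RSA over tiny, constructed Mersenne primes stands in for the chip's RSA engine. The chip object keeps only the hardware key pair across reboots, unwraps the wrapped administrator private key with the hardware private key, and only then can unwrap and use a user's private key, never returning either; the class and function names, the primes and the sample message are all assumptions of the example.

```python
"""Toy model of the IBM key-swapping hierarchy (added illustration, not IBM code).
Textbook RSA over tiny, constructed primes stands in for the chip's RSA engine."""
import hashlib

E = 65537  # public exponent shared by every key pair in the toy

# Constructed key material: Mersenne primes, one pair per level, chosen so each
# level's modulus exceeds the private exponent it has to wrap.
HARDWARE_PRIMES = (2**107 - 1, 2**127 - 1)
ADMIN_PRIMES = (2**61 - 1, 2**89 - 1)
USER_PRIMES = (2**31 - 1, 2**19 - 1)


def make_keypair(p, q):
    """Textbook RSA from two distinct primes: returns ((n, E), d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))


def wrap(public_key, private_exponent):
    """Encrypt a lower level's private exponent under the level above's public key."""
    n, e = public_key
    if private_exponent >= n:
        raise ValueError("wrapping modulus too small for this key")
    return pow(private_exponent, e, n)


def _digest(message, modulus):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def verify(user_public_key, message, signature):
    n, e = user_public_key
    return pow(signature, e, n) == _digest(message, n)


class EmbeddedSecurityChip:
    """Holds the hardware key pair permanently; every other key is swapped in."""

    def __init__(self, primes=HARDWARE_PRIMES):
        self.hardware_public_key, self._hardware_private = make_keypair(*primes)
        self.reboot()

    def reboot(self):
        """Only the hardware key pair survives from boot to boot."""
        self._admin_public_key = self._admin_private = None

    def load_admin_key(self, admin_public_key, wrapped_admin_private):
        """Swap the administrator private key in; only the hardware private key,
        which never leaves the chip, can unwrap it."""
        n_hw = self.hardware_public_key[0]
        self._admin_private = pow(wrapped_admin_private, self._hardware_private, n_hw)
        self._admin_public_key = admin_public_key

    def sign_with_user_key(self, user_public_key, wrapped_user_private, message):
        """Unwrap the user's private key with the loaded administrator key and
        sign inside the chip; the plaintext private key is never returned."""
        if self._admin_private is None:
            raise RuntimeError("administrator private key is not loaded")
        user_private = pow(wrapped_user_private, self._admin_private,
                           self._admin_public_key[0])
        n_user = user_public_key[0]
        return pow(_digest(message, n_user), user_private, n_user)


def create_admin_keypair(chip, primes=ADMIN_PRIMES):
    """Administrator key pair; its private half is stored wrapped under the
    hardware public key, as the guide describes."""
    admin_public, admin_private = make_keypair(*primes)
    return admin_public, wrap(chip.hardware_public_key, admin_private)


def enroll_user(admin_public_key, primes=USER_PRIMES):
    """User key pair created at enrollment; its private half is wrapped under
    the administrator public key."""
    user_public, user_private = make_keypair(*primes)
    return user_public, wrap(admin_public_key, user_private)


def demo():
    """Return (refused_before_load, signature_verifies, refused_after_reboot)."""
    chip = EmbeddedSecurityChip()
    admin_public, wrapped_admin = create_admin_keypair(chip)
    user_public, wrapped_user = enroll_user(admin_public)
    message = b"constructed sample: wireless network logon challenge"

    def refused():  # True when the chip will not use the user key yet
        try:
            chip.sign_with_user_key(user_public, wrapped_user, message)
            return False
        except RuntimeError:
            return True

    before = refused()
    chip.load_admin_key(admin_public, wrapped_admin)
    signature = chip.sign_with_user_key(user_public, wrapped_user, message)
    ok = verify(user_public, message, signature)
    chip.reboot()
    return before, ok, refused()
```

demo() returns (True, True, True): the user key is unusable until the administrator key has been swapped in, and a reboot drops everything except the hardware key pair.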
CSS public key infrastructure (PKI) features
Client Security Software provides all of the components required to create a public key infrastructure (PKI) in your business, such as:
• Administrator control over client security policy. Authenticating end users at the client level is an important security policy concern. Client Security Software provides the interface that is required to manage the security policy of an IBM client. This interface is part of the authenticating software User Verification Manager (UVM), which is the main component of Client Security Software.
• Encryption key management for public key cryptography. Administrators create encryption keys for the computer hardware and the client users with Client Security Software. When encryption keys are created, they are bound to the IBM embedded Security Chip through a key hierarchy, where a base level hardware key is used to encrypt the keys above it, including the user keys that are associated with each client user. Encrypting and storing keys on the IBM embedded Security Chip adds an essential extra layer of client security, because the keys are securely bound to the computer hardware.
• Digital certificate creation and storage that is protected by the IBM embedded Security Chip. When you apply for a digital certificate that can be used for digitally signing or encrypting an e-mail message, Client Security Software enables you to choose the IBM embedded Security Subsystem as the cryptographic service provider for applications that use the Microsoft CryptoAPI. These applications include Internet Explorer and Microsoft Outlook Express. This ensures that the private key of the digital certificate is encrypted with the user’s public key on the IBM embedded Security Subsystem. Also, Netscape users can choose the IBM embedded Security Subsystem as the private key generator for digital certificates used for security. Applications that use the Public-Key Cryptography Standard (PKCS) #11, such as Netscape Messenger, can take advantage of the protection provided by the IBM embedded Security Subsystem.
• The ability to transfer digital certificates to the IBM embedded Security Subsystem. The IBM Client Security Software Certificate Transfer Tool enables you to move certificates that have been created with the default Microsoft CSP to the IBM embedded Security Subsystem CSP. This greatly increases the protection afforded to the private keys associated with the certificates because they will now be securely stored on the IBM embedded Security Subsystem, instead of on vulnerable software.
  Note: Digital certificates protected by the IBM embedded Security Subsystem CSP cannot be exported to another CSP.
• A key archive and recovery solution. An important PKI function is creating a key archive from which keys can be restored if the original keys are lost or damaged. IBM Client Security Software provides an interface that enables you to establish an archive for keys and digital certificates created with the IBM embedded Security Subsystem and to restore these keys and certificates if necessary.
• File and folder encryption. File and folder encryption enables a client user to encrypt or decrypt files or folders. This provides an increased level of data security on top of the CSS system-security measures.
• Fingerprint authentication. IBM Client Security Software supports the Targus PC card fingerprint reader and the Targus USB fingerprint reader for authentication. Client Security Software must be installed before the Targus fingerprint device drivers are installed for correct operation.
• Smart card authentication. IBM Client Security Software supports certain smart cards as an authentication device. Client Security Software enables smart cards to be used as a token of authentication for a single user at a time. Each smart card is bound to a system unless credential roaming is being used. Requiring a smart card makes your system more secure because this card must be provided along with a password, which can be compromised.
• Credential roaming. Credential roaming enables an authorized network user to use any computer on the network as though it was his own workstation. After a user is authorized to use UVM on any Client Security Software-registered client, he can then import his personal data to any other registered client in the credential roaming network. His personal data is then updated automatically and maintained in the CSS archive and on any computer to which it was imported. Updates to this personal data, such as new certificates or passphrase changes, are immediately available on all other computers connected to the roaming network.
• FIPS 140-1 certification. Client Security Software supports FIPS 140-1 certified cryptographic libraries. FIPS-certified RSA BSAFE libraries are used on TCG-compliant systems.
• Passphrase expiration. Client Security Software establishes a user-specific passphrase and a passphrase expiration policy when each user is added to UVM.
Chapter 2. Getting started
This section contains hardware and software compatibility requirements for use with IBM Client Security Software. Also, information about downloading IBM Client Security Software is provided.
Hardware requirements
Before you download and install the software, make sure that your computer hardware is compatible with IBM Client Security Software.
The most recent information regarding hardware and software requirements is available at the http://www.pc.ibm.com/us/security/index.html IBM Web site.
IBM embedded Security Subsystem
The IBM embedded Security Subsystem is a cryptographic microprocessor that is embedded on the system board of the IBM client. This essential component of IBM Client Security transfers security policy functions from vulnerable software to secure hardware, radically increasing the security of the local client.
Only IBM computers and workstations that contain the IBM embedded Security Subsystem support IBM Client Security Software. If you try to download and install the software onto a computer that does not contain an IBM embedded Security Subsystem, the software will not install or run properly.
Supported IBM models
Client Security Software is licensed for and supports numerous IBM desktop and notebook computers. For a complete list of supported models, refer to the http://www.pc.ibm.com/us/security/index.html Web page.
Software requirements
Before you download and install the software, make sure that your computer software and operating system are compatible with IBM Client Security Software.
Operating systems
IBM Client Security Software requires one of the following operating systems:
• Windows XP
• Windows 2000 Professional
UVM-aware products
IBM Client Security comes with User Verification Manager (UVM) software that enables you to customize authentication for your desktop computer. This first level of policy-based control increases asset protection and the efficiency of password management. UVM, which is compatible with enterprise-wide security policy programs, enables you to use UVM-aware products, including the following:
• Biometrics devices, such as fingerprint readers
  UVM provides a plug-and-play interface for biometrics devices. You must install IBM Client Security Software before you install a UVM-aware sensor.
  To use a UVM-aware sensor that is already installed on an IBM client, you must uninstall the UVM-aware sensor, install IBM Client Security Software, and then reinstall the UVM-aware sensor.
• Tivoli Access Manager version 5.1
  UVM software simplifies and improves policy management by smoothly integrating with a centralized, policy-based access control solution, such as Tivoli Access Manager.
  UVM software enforces policy locally whether the system is on the network (desktop) or stands alone, thus creating a single, unified policy model.
• Lotus Notes version 4.5 or later
  UVM works with IBM Client Security Software to improve the security of your Lotus Notes logon (Lotus Notes version 4.5 or later).
• Entrust Desktop Solutions 5.1, 6.0, or 6.1
  Entrust Desktop Solutions enhances Internet security capabilities so that critical enterprise processes can be moved to the Internet. Entrust Entelligence provides a single security layer that can encompass an enterprise’s entire set of enhanced security needs including identification, privacy, verification, and security management.
• RSA SecurID Software Token
  The RSA SecurID Software Token enables the same seed record that is used in traditional RSA hardware tokens to be embedded on existing user platforms. Consequently, users can authenticate to protected resources by accessing the embedded software instead of having to carry dedicated authentication devices.
• Targus fingerprint reader
  The Targus fingerprint reader provides a simple, easy interface that enables the security policy to include fingerprint authentication.
• Gemplus GemPC400 smart card reader
  The Gemplus GemPC400 smart card reader enables the security policy to include smart card authentication, adding an additional layer of security to the standard passphrase protection.
Web browsers
IBM Client Security Software supports the following Web browsers for requesting digital certificates:
• Internet Explorer 5.0 or later
• Netscape 4.8 and Netscape 7.1
Browser encryption strength information
If support for strong encryption is installed, use the 128-bit version of your Web browser. To check the encryption strength of your Web browser, see the help system provided with the browser.
Cryptographic services
IBM Client Security Software supports the following cryptographic services:
• Microsoft CryptoAPI: CryptoAPI is the default cryptographic service for Microsoft operating systems and applications. With built-in CryptoAPI support, IBM Client Security Software enables you to use the cryptographic operations of the IBM embedded Security Subsystem when you create digital certificates for Microsoft applications.
• PKCS #11: PKCS #11 is the cryptographic standard for Netscape, Entrust, RSA and other products. After you install the IBM embedded Security Subsystem PKCS #11 module, you can use the IBM embedded Security Subsystem to generate digital certificates for Netscape, Entrust, RSA and other applications that use PKCS #11.
E-mail applications
IBM Client Security Software supports the following application types using secure e-mail:
• E-mail applications that use the Microsoft CryptoAPI for cryptographic operations, such as Outlook Express and Outlook (when used with a supported version of Internet Explorer)
• E-mail applications that use Public Key Cryptographic Standard #11 (PKCS #11) for cryptographic operations, such as Netscape Messenger (when used with a supported version of Netscape)
• Lotus Notes support through enhanced logon authentication protection
Downloading the software
Client Security Software can be downloaded from the http://www.pc.ibm.com/us/security/index.html IBM Web site.
Registration form
When you download the software, you must complete a registration form and questionnaire, and agree to the license terms. Follow the instructions provided on the http://www.pc.ibm.com/us/security/index.html IBM Web site to download the software.
The installation files for IBM Client Security Software are included within the CSS self-extracting executable file.
Export regulations
IBM Client Security Software contains encryption code that can be downloaded within North America and internationally. If you live in a country where downloading encryption software from a Web site in the United States is prohibited, you cannot download IBM Client Security Software. For more information on export regulations that govern IBM Client Security Software, see Appendix A, “U.S. export regulations for Client Security Software,” on page 43.
Chapter
3.
Before
installing
the
software
This sectioncontainsprerequisiteinstructionsforrunningtheinstallationprogram andconfiguring IBMClientSecuritySoftwareonIBMclients.
Allfilesrequiredfortheinstallationof ClientSecuritySoftwareareprovidedonthe http://www.pc.ibm.com/us/security/index.htmlIBMWebsite.TheWebsiteprovides informationthathelpsensurethatyoursystemcontainstheIBMembeddedSecurity Subsystem, andthatenables youtoselect theappropriateIBMClientSecurity offeringfor yoursystem.
Before
you
install
the
software
TheinstallationprograminstallsIBMClientSecuritySoftwareontheIBMclientand enables theIBMembeddedSecuritySubsystem;however,installationspecificsvary dependingonanumberoffactors.
Installing
on
clients
running
Windows
XP
and
Windows
2000
WindowsXPandWindows2000 usersmust logonwithadministratorrightsto install IBMClient SecuritySoftware.
Installing
for
use
with
Tivoli
Access
Manager
If youintendtouseTivoliAccess Managertocontroltheauthentication requirements foryourcomputer,youmust installsomeTivoliAccessManager componentsbeforeyouinstall IBMClient SecuritySoftware.Fordetails, seeUsing Client SecuritywithTivoliAccessManager.
Startup
feature
considerations
Two IBMstartupfeaturesmightaffectthewaythatyou enabletheIBMembedded SecuritySubsystemandgeneratetheencryptionkeys.Thesefeaturesarethe administrator passwordandEnhancedSecurityandcanbeaccessedfromthe Configuration/Setup Utilityof anIBMcomputer.IBMClientSecurity Softwarehasa separate administratorpassword.Toavoidconfusion,theadministratorpassword thatissetintheConfiguration/SetupUtilityisreferred toastheBIOSadministrator passwordintheClientSecuritySoftwaremanuals.
BIOS
Administrator
password
ABIOSadministrator passwordpreventsunauthorizedpersonsfromchangingthe configurationsettingsofanIBMcomputer.Thispasswordissetusingthe
Configuration/Setup UtilityprogramonaNetVistaorThinkCentrecomputerorthe IBMBIOSSetupUtilityprogramonaThinkPadcomputer.Theappropriateprogram can beaccessedbypressingF1duringthecomputerstartupsequence.This passwordiscalledtheAdministratorPasswordintheConfiguration/SetupUtilityand theIBMBIOSSetupUtility.
Enhanced Security
Enhanced Security provides extra protection for your BIOS administrator password, as well as your startup sequence settings. You can determine whether Enhanced Security is enabled or disabled by using the Configuration/Setup Utility program, which is accessed by pressing F1 during the computer startup sequence.
For more information about passwords and Enhanced Security, see the documentation provided with your computer.
Enhanced Security on NetVista models 6059, 6569, 6579, 6649, 6646, and all NetVista Q1x models: If an administrator password has been set on these NetVista models, you must open the Administrator Utility to enable the IBM embedded Security Subsystem and generate the encryption keys.
When Enhanced Security is enabled on these models, you must use the Administrator Utility to enable the IBM embedded Security Subsystem and generate the encryption keys after IBM Client Security Software is installed. If the installation program detects that Enhanced Security is enabled, you will be notified at the end of the installation process. Restart the computer and open the Administrator Utility to enable the IBM embedded Security Subsystem and generate the encryption keys.
Enhanced Security on all other NetVista models: If an administrator password has been set on a NetVista model other than those listed above, you are not required to type the administrator password during the installation process.
When Enhanced Security is enabled on these NetVista models, you can use the installation program to install the software, but you must use the Configuration/Setup Utility to enable the IBM embedded Security Subsystem. After you have enabled the IBM embedded Security Subsystem, you can use the Administrator Utility to generate the encryption keys.
BIOS update information
Before you install the software, you might need to download the latest basic input/output system (BIOS) code for your computer. To determine the BIOS level that your computer uses, restart your computer and press F1 to start the Configuration/Setup Utility. When the main menu for the Configuration/Setup Utility opens, select Product Data to view information about the BIOS code. The BIOS code level is also called the EEPROM revision level.
To run IBM Client Security Software 2.1 or later on NetVista models 6059, 6569, 6579 and 6649, you must use BIOS level xxxx22axx or later; to run IBM Client Security Software 2.1 or later on NetVista models 6790, 6792, 6274 and 2283, you must use BIOS level xxxx20axx or later. For more information, see the README file included with the software download.
To find the latest BIOS code updates for your computer, go to the IBM Web site at http://www.pc.ibm.com/support, type bios in the search field, select downloads from the drop-down list, and then press Enter. A list of BIOS code updates is displayed. Click the appropriate model number and follow the instructions on the Web page.
Using the administrator key pair to archive keys
The archive key pair is simply a copy of the administrator key pair that you store on external media for restoration. Because the Administrator Utility is used to create the archive key pair, you must install IBM Client Security Software on an initial IBM client before you can create the administrator key pair. Because the administrator private key is what authorizes later policy changes, keep the media that holds the archive copy off the client and under the administrator's control.
Chapter 4. Installing, updating, and uninstalling the software
This section contains instructions for downloading, installing and configuring IBM Client Security Software on IBM clients. This section also contains instructions for uninstalling the software. Be sure that you install IBM Client Security Software prior to installing any of the various utilities that enhance Client Security functionality.
Important: If you are upgrading from versions prior to IBM Client Security Software 5.0, you must decrypt all encrypted files before installing Client Security Software 5.1 or later. IBM Client Security Software 5.1 or later cannot decrypt files that were encrypted using versions prior to Client Security Software 5.0 because of changes in its file-encryption implementation.
Downloading and installing the software
To download the appropriate files for your system, complete the following procedure:
1. Using a Web browser, go to the IBM Web site at http://www.pc.ibm.com/us/security/index.html.
2. Click Download instructions and links.
3. In the IBM Client Security Software download information area, click the Continue button.
4. Click Detect my system & continue, or enter your seven-digit machine type-model number in the provided field.
5. Create a user ID, register with IBM by filling out the online form, and review the License Agreement; then click Accept Licence.
   You will automatically be redirected to the IBM Client Security download page.
6. Follow the steps on the download page to download the necessary device drivers, readme files, software, reference documents, and additional utilities that constitute IBM Client Security Software. Follow the download sequence specified on the Web site.
7. From the Windows desktop, click Start > Run.
8. In the Run field, type d:\directory\csec5xxus_00yy.exe, where d:\directory\ is the drive letter and directory where the executable file is located. xx and yy are alphanumeric.
9. Click OK.
   The Welcome to the InstallShield Wizard for IBM Client Security Software window opens.
10. Click Next.
   The wizard will extract the files and install the software. When the installation is complete, you will be given the option to restart your computer now or to wait until later.
11. Select to restart your computer now and click OK.
   The IBM Client Security Software Setup Wizard will open when your computer restarts.
Using the IBM Client Security Software Setup Wizard
The IBM Client Security Software Setup Wizard provides an interface that helps you install Client Security Software and enable the IBM embedded Security Chip. The IBM Client Security Software Setup Wizard also guides users through the necessary tasks involved in setting up a security policy on an IBM client.
These steps are as follows:
• Setting a Security Administrator Password
  The security administrator password, referred to in these manuals as the administrator password, is used to control access to the IBM Client Security Administrator Utility, which is used to change the security settings for this computer. This password must be exactly eight characters long.
• Creating Administrator Security Keys
  Administrator security keys are a set of digital keys that are stored in a computer file. These key files are also referred to as the administrator keys, administrator key pair, or the archive key pair. It is recommended that you save these vital security keys on a removable disk or drive. When a change to the security policy is made in the Administrator Utility, you will be prompted for an administrator key to prove that the policy change is authorized.
  Backup security information is also saved in case you ever need to replace the system board or hard drive of your computer. Store this backup information somewhere off the local system.
• Protecting Applications with IBM Client Security
  Select the applications that you want to protect with IBM Client Security. Some options might not be available if you do not have the other necessary applications installed.
• Authorizing Users
  Users need to be authorized before they can access the computer. When you authorize a user, you must specify that user's passphrase. Unauthorized users are not permitted to use the computer.
• Selecting a System Security Level
  Selecting a system security level enables you to establish a basic security policy quickly and easily. You can define a custom security policy in the IBM Client Security Administrator Utility later.
To use the IBM Client Security Software Setup Wizard, complete the following procedure:
1. If the Wizard is not already open, click Start > Programs > Access IBM > IBM Client Security Software > IBM Client Security Setup Wizard.
   The Welcome to the IBM Client Security Setup Wizard screen displays an overview of the wizard steps.
   Note: If you intend to use fingerprint authentication, you must install the fingerprint reader and software before continuing.
2. Click Next to begin using the wizard.
   The Set Security Administrator Password screen is displayed.
3. Type your Security Administrator Password in the Enter Administrator Password field and click Next.
   Note: Upon initial installation or after the IBM embedded Security Chip has been cleared, you will be required to confirm your Security Administrator Password in the Confirm Administrator Password field. You might also be required to provide your supervisor password, if applicable.
   The Create Administrator Security Keys screen is displayed.
4. Do one of the following:
   • Create new security keys
     To create new security keys, use the following procedure:
     a. Click the Create new security keys radio button.
     b. Specify where you want to save the administrator security keys by either typing the path name in the provided field or by clicking Browse and selecting the appropriate folder.
     c. If you want to split the security key for increased protection, click the Split the backup security key for increased security check box so that a check mark appears in the box, and then use the arrows to select the desired number in the Number of splits scroll box.
   • Use an existing security key
     To use an existing security key, use the following procedure:
     a. Click the Use an existing security key radio button.
     b. Specify the location of the Public Key by either typing the path name in the provided field or by clicking Browse and selecting the appropriate folder.
     c. Specify the location of the Private Key by either typing the path name in the provided field or by clicking Browse and selecting the appropriate folder.
5. Specify where you want to save the backup copies of your security information by either typing the path name in the provided field or by clicking Browse and selecting the appropriate folder.
6. Click Next.
   The Protect Applications with IBM Client Security screen is displayed.
7. Enable IBM Client Security protection by selecting the appropriate check boxes so that a check mark appears in each selected box, and clicking Next. The available Client Security selections are as follows:
   • Secure access to your computer by replacing the normal Windows logon with the Client Security secure logon
     Select this box to replace the normal Windows logon with the Client Security secure logon. This increases the security of your system, and allows logon only after authentication with the IBM Embedded Security Chip and optional devices, like fingerprint readers or smart cards.
   • Enable file and folder encryption
     Select this box if you want to secure files on your hard drive with the IBM Embedded Security Chip. (Requires you to download the IBM Client Security File and Folder Encryption utility.)
   • Enable IBM Client Security Password Manager support
     Select this box if you want to use the IBM Password Manager to conveniently and securely store passwords for your Web site logons and applications. (Requires you to download the IBM Client Security Password Manager application.)
   • Replace Lotus Notes logon with IBM Client Security logon
     Select this box if you want Client Security to authenticate Lotus Notes users through the IBM embedded Security Chip.
   • Enable Entrust support
     Select this box if you want to enable integration with Entrust security software products.
   • Protect Microsoft Internet Explorer
     This protection enables you to secure your e-mail communications and Web browsing with Microsoft Internet Explorer (requires a digital certificate). Support for Microsoft Internet Explorer is enabled by default.
   After you have selected the appropriate check boxes, the Authorizing Users screen is displayed.
8. Complete the Authorizing Users screen by completing one of the following procedures:
   • To authorize users to perform IBM Client Security functions, do the following:
     a. Select a user in the Unauthorized Users area.
     b. Click Authorize User.
     c. Type and confirm that user's IBM Client Security passphrase in the provided fields and click Next.
        The UVM Passphrase Expiration screen is displayed.
     d. Set the passphrase expiration for the user and click Finish.
     e. Click Next.
   • To unauthorize users from performing IBM Client Security functions, do the following:
     a. Select a user in the Authorized Users area.
     b. Click Unauthorize User.
        The message "Are you sure you want to unauthorize?" is displayed.
     c. Click Yes.
     d. Click Next.
   The Select System Security Level screen is displayed.
9. Select a system security level by doing the following:
   • Select the desired authentication requirements by clicking the appropriate check boxes. You can select more than one authentication requirement. The Use UVM passphrase check box is selected by default. The fingerprint reader device driver and smart card reader device driver must be installed before starting the IBM Client Security Setup Wizard for these devices to be available to the Setup Wizard.
   • Select a system security level by dragging the slide selector to the desired security level and click Next.
   Note: You can define a custom security policy later using the Policy Editor in the Administrator Utility.
10. Review your security settings and take one of the following actions:
   • To accept the settings, click Finish.
   • To change the settings, click Back, make the appropriate changes; then return to this screen and click Finish.
   IBM Client Security Software configures your settings through the IBM embedded Security Chip. A message is displayed confirming that your computer is now protected by IBM Client Security.
11. Click OK.
   You can now install and configure the IBM Client Security Password Manager and the IBM Client Security File and Folder Encryption utilities.
Enabling the IBM Security Subsystem
The IBM Security Subsystem must be enabled before you can use Client Security Software. The Setup Wizard described in the previous section enables it; if the chip has not been enabled, you can also enable it by using the Administrator Utility.
To enable the IBM Security Subsystem using the Administrator Utility, complete the following procedure:
1. Click Start > Settings > Control Panel > IBM Embedded Security Subsystem.
   A screen displays a message that states that the IBM Security Subsystem has not been enabled, and that asks if you would like to enable it now.
2. Click Yes.
   A message is displayed stating that if you have a supervisor password or a BIOS administrator password enabled, you must disable it in the BIOS Setup Utility before continuing.
3. Do one of the following:
   • If you have a supervisor password enabled, click Cancel, disable your supervisor password, and then complete this procedure. Re-enable the supervisor password once the subsystem has been enabled, so that the BIOS configuration settings are not left unprotected.
   • If you do not have a supervisor password enabled, click OK to continue.
4. Close all open applications and click OK to restart the computer.
5. After the system restarts, click Start > Settings > Control Panel > IBM Embedded Security Subsystem to open the Administrator Utility.
   A message is displayed stating that the IBM Security Subsystem has not been configured or has been cleared. A new password is required at this time.
6. Enter and confirm a new administrator password in the appropriate fields and click OK.
   Note: The password must be eight characters in length.
   The operation is complete and the Administrator Utility main screen is displayed.
Installing the software on other IBM clients when the administrator public key is available - unattended installations only
If you have installed the software on the first IBM client and created an administrator key pair, you can install the software and enable the security subsystem on other IBM clients by using the installation program.
During the installation, you must choose a location for the administrator public key, the administrator private key, and the key archive. If you want to use an administrator public key that resides on a shared directory or save the key archive to a shared directory, you must first map a drive letter to the destination directory before you can use the installation program. For information on mapping a drive letter to a shared network resource, see your Windows operating-system documentation.
Performing an unattended installation
An unattended installation enables an administrator to install Client Security Software on a remote IBM client without having to physically go to the client computer.
Before you begin an unattended installation, read Chapter 3, "Before installing the software," on page 11. No error messages are displayed during unattended installations. If an unattended installation ends prematurely, you must perform an attended installation to view any error messages that might be displayed.
Note: Users must log on with administrator user rights to install Client Security Software.
Mass deployment
Mass deployment enables security administrators to initiate security policy on multiple computers simultaneously. This makes it easier to manage and deploy security measures and helps ensure that the correct security policies are implemented.
The following device drivers must be installed before completing the mass deployment procedure:
• The SMBus device driver
• The Atmel TPM device driver (for TCG systems)
There are two major steps to a mass deployment:
• Mass installation
• Mass configuration
Mass installation
To install IBM Client Security Software on multiple clients simultaneously, you will need to perform an unattended installation. The unattended installation parameter is required when initiating a mass deployment.
To initiate a mass installation, complete the following procedure:
1. Create the csec.ini file.
   The csec.ini file is created when the user completes the IBM Client Security Setup Wizard. This step is only required if you intend to perform a mass configuration. See "Mass configuration" on page 19 for more details.
2. Extract the contents of the CSS installation package with WinZip, using folder names.
3. In the setup.iss file, edit the szIniPath and szDir entries, which are required for a mass configuration.
   The full contents of this file are listed below. The location of the csec.ini file is given by the szIniPath parameter in setup.iss; this parameter is only required if you intend to perform a mass configuration.
4. Encrypt the csec.ini file by completing the following procedure:
   a. Open the Administrator Console.
   b. Click Encrypt/Decrypt Setup Configuration File.
   c. Select the csec.ini file.
   d. Click Open.
   e. Click OK.
5. Copy the files to the target system.
6. Run the installation command-line statement from the desktop of a user who has administrator rights. The StartUp program group or the Run key is a good place to do this.
7. Remove the command-line statement on the next boot.
The full contents of the Setup.iss file, which is included in the CSS installation package extracted above, are listed below with a few descriptions:
[InstallShieldSilent]
Version=v6.00.000
File=Response File
szIniPath=d:\csssetup.ini
   (The above parameter is the name and location of the .ini file, which is required for mass configuration. If this is a network drive, it must be mapped. When a mass configuration is not being used with a silent installation, remove this entry.)
[FileTransfer]
OverwrittenReadOnly=NoToAll
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-DlgOrder]
Dlg0={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdLicense-0
Count=4
Dlg1={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0
Dlg2={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdSelectFolder-0
Dlg3={7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdFinishReboot-0
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdLicense-0]
Result=1
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdAskDestPath-0]
szDir=C:\Program Files\IBM\Security
   (The above parameter is the directory used to install Client Security. It must be local to the computer.)
Result=1
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdSelectFolder-0]
szFolder=IBM Client Security Software
   (The above parameter is the program group for Client Security.)
Result=1
[Application]
Name=Client Security
Version=5.00.002f
Company=IBM
Lang=0009
[{7BD2CFF6-B037-47D6-A76B-D941EE13AD96}-SdFinishReboot-0]
Result=6
BootOption=3
Mass configuration
The following file is also essential when initiating a mass configuration. The file can be named anything, as long as it has a .ini extension. Below is how the file should look; under each entry is a brief description that is not to be included in the file. The following command runs this file from the command line when the mass configuration is not done along with a mass installation:
<CSS installation folder>\acamucli /ccf:c:\csec.ini
Note: If any files or paths are on a network drive, the drive must be mapped to a letter.
Note that this file carries the BIOS supervisor password, the Security Subsystem administrator password and the Windows passwords of the enrolled users in clear text. Encrypt it with the Administrator Console (step 4 of "Mass installation") before it leaves the build machine, copy it over a trusted path, and set clean=1 so that it is deleted from the target after initialization.
[CSSSetup]
   Section header for CSS setup.
suppw=bootup
   BIOS administrator/supervisor password. Leave blank if not required.
hwpw=11111111
   Administrator password for the IBM Embedded Security Subsystem. Must be eight characters. Always required. Must be correct if the administrator password has already been set.
newkp=1
   1 to generate a new administrator key pair; 0 to use an existing administrator key pair.
keysplit=1
   When newkp is 1, this determines the number of private key components.
   Note: If the existing key pair uses multiple private key parts, all private key parts must be stored in the same directory.
kpl=c:\jgk
   Location of the administrator key pair when newkp is 1. If this is a network drive, it must be mapped.
kal=c:\jgk\archive
   Location of the user key archive. If this is a network drive, it must be mapped.
pub=c:\jk\admin.key
   Location of the administrator public key when using an existing administrator key pair. If this is a network drive, it must be mapped.
pri=c:\jk\private1.key
   Location of the administrator private key when using an existing administrator key pair. If this is a network drive, it must be mapped.
wiz=0
   Determines whether this file was generated by the CSS setup wizard. This entry is not necessary. If you include it in the file, the value should be 0.
clean=0
   1 to delete the .ini file after initialization; 0 to leave the .ini file after initialization.
enableroaming=1
   1 to enable roaming for the client; 0 to disable roaming for the client.
username=[promptcurrent]
   [promptcurrent] to prompt the current user for the roaming client registration password.
   [current] when the roaming client registration password for the current user is provided by the sysregpwd entry and the current user has been authorized to register the system with the roaming server.
   [<specific user account>] if the designated user has been authorized to register the system with the roaming server and the system registration password for that user is provided by the sysregpwd entry.
   Do not use this entry if the enableroaming value is 0, or if the enableroaming entry is not present.
sysregpwd=12345678
   System registration password. Set this value to the correct password to enable the system to be registered with the roaming server. Do not include this entry if the username value is set to [promptcurrent], or if the username entry is not present.
[UVMEnrollment]
   Section header for user enrollment.
enrollall=0
   1 to enroll all local user accounts in UVM; 0 to enroll specific user accounts in UVM.
defaultuvmpw=top
   When enrollall is 1, this will be the UVM passphrase for all users.
defaultwinpw=down
   When enrollall is 1, this will be the Windows password registered with UVM for all users.
defaultppchange=0
   When enrollall is 1, this establishes the UVM passphrase change policy for all users: 1 to require the user to change the UVM passphrase at next logon; 0 to not require it.
defaultppexppolicy=1
   When enrollall is 1, this establishes the UVM passphrase expiration policy for all users: 0 to indicate that the UVM passphrase expires; 1 to indicate that it does not expire.
defaultppexpdays=0
   When enrollall is 1 and defaultppexppolicy is 0, set this value to the number of days until the UVM passphrase expires for all users.
enrollusers=2
   When enrollall is 0, this is the number of users that will be enrolled in UVM.
user1=jknox
   Account name of the first user to be enrolled; number the user entries starting with 1. User names must be the Windows account names. To get the actual account name on Windows 2000, do the following:
   1. In the Windows Control Panel, click Administrative Tools and then click the Computer Management shortcut.
   2. Expand the Local Users and Groups node.
   3. Open the Users folder.
   The items listed in the Name column are the account names.
   To get the actual account name on Windows XP, click the User Accounts icon in the Windows Control Panel. The user accounts are displayed.
user1uvmpw=chrome
   UVM passphrase for user 1; number these entries to match the user entries.
user1winpw=spinning
   Windows password registered with UVM for user 1; number these entries to match the user entries.
user1domain=0
   0 to indicate that this account is local; 1 to indicate that this account is on the domain.
user1ppchange=0
   1 to require the user to change the UVM passphrase at next logon; 0 to not require it.
user1ppexppolicy=1
   0 to indicate that the UVM passphrase expires; 1 to indicate that it does not expire.
user1ppexpdays=0
   When user1ppexppolicy is 0, set this value to the number of days until the UVM passphrase expires.
user2=russell
user2uvmpw=left
user2winpw=right
user2domain=0
user2ppchange=1
user2ppexppolicy=0
user2ppexpdays=90
   Entries for the second user, with the same meaning as the user1 entries above.
[UVMAppConfig]
   Section header for UVM-aware application setup and UVM-aware module setup.
uvmlogon=0
   1 to use UVM logon protection; 0 to use Windows logon.
entrust=0
   1 to use UVM for Entrust authentication; 0 to use Entrust authentication.
notes=1
   1 to enable Lotus Notes support; 0 to disable Lotus Notes support.
netscape=0
   1 to sign and encrypt e-mail with the IBM PKCS#11 module; 0 to not sign and encrypt e-mail with the IBM PKCS#11 module.
passman=0
   1 to use Password Manager; 0 to not use Password Manager.
folderprotect=0
   1 to use File and Folder Encryption; 0 to not use File and Folder Encryption.
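The constraints that the descriptions above place on a mass-configuration file are easy to get wrong in a file that is then encrypted and pushed to many machines, and after step 4 of "Mass installation" the file can no longer be read back. The following validator is an added example written for this guide; it is not a tool shipped with IBM Client Security Software. The sample file is constructed, with placeholder passwords, and the rules it checks are taken from the descriptions above: an eight-character hwpw, kpl with newkp=1 versus pub and pri with newkp=0, drive-letter paths rather than UNC paths, username only when roaming is enabled, no sysregpwd with [promptcurrent], one userN, userNuvmpw and userNwinpw trio per enrolled user, an expiry day count whenever a passphrase is set to expire, and a warning when clean=0 would leave the passwords on the target.

```python
"""Check a CSS mass-configuration .ini against the rules the guide states.

Added example for this guide, not part of IBM Client Security Software.
The sample file below is constructed; passwords are placeholders.
"""
import configparser
import re

# Constructed sample in the guide's format (no roaming, two specific users).
SAMPLE_INI = """\
[CSSSetup]
suppw=
hwpw=11111111
newkp=1
keysplit=1
kpl=c:\\jgk
kal=c:\\jgk\\archive
clean=1
enableroaming=0

[UVMEnrollment]
enrollall=0
enrollusers=2
user1=jknox
user1uvmpw=chrome
user1winpw=spinning
user1domain=0
user1ppchange=0
user1ppexppolicy=1
user1ppexpdays=0
user2=russell
user2uvmpw=left
user2winpw=right
user2domain=0
user2ppchange=1
user2ppexppolicy=0
user2ppexpdays=90

[UVMAppConfig]
uvmlogon=1
passman=0
"""

PATH_KEYS = ("kpl", "kal", "pub", "pri")


def _is_mapped_path(p):
    # The guide requires network locations to be mapped to a drive letter;
    # a UNC path such as \\server\share is rejected here for that reason.
    return re.match(r"^[A-Za-z]:\\", p) is not None


def validate_csec_ini(text):
    """Return a list of problems found; an empty list means the file passes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    problems = []
    if not cp.has_section("CSSSetup"):
        return ["missing [CSSSetup] section"]
    s = cp["CSSSetup"]

    if len(s.get("hwpw", "")) != 8:
        problems.append("hwpw must be exactly 8 characters")

    if s.get("newkp", "0") == "1":
        if "kpl" not in s:
            problems.append("newkp=1 requires kpl (where the new key pair is written)")
    else:
        for k in ("pub", "pri"):
            if k not in s:
                problems.append(f"newkp=0 requires {k} (existing key pair)")

    for k in PATH_KEYS:
        if k in s and not _is_mapped_path(s[k]):
            problems.append(f"{k}={s[k]}: must be a drive-letter path (map shares first)")

    if s.get("wiz", "0") != "0":
        problems.append("wiz, if present, must be 0")

    roaming = s.get("enableroaming", "0") == "1"
    username = s.get("username")
    if username is not None and not roaming:
        problems.append("username is only valid when enableroaming=1")
    if "sysregpwd" in s and (username is None or username == "[promptcurrent]"):
        problems.append("sysregpwd must be omitted when username is absent or [promptcurrent]")

    if cp.has_section("UVMEnrollment"):
        e = cp["UVMEnrollment"]
        if e.get("enrollall", "0") == "1":
            for k in ("defaultuvmpw", "defaultwinpw"):
                if k not in e:
                    problems.append(f"enrollall=1 requires {k}")
            if e.get("defaultppexppolicy") == "0" and int(e.get("defaultppexpdays", "0")) <= 0:
                problems.append("defaultppexppolicy=0 (expires) needs defaultppexpdays > 0")
        else:
            n = int(e.get("enrollusers", "0"))
            for i in range(1, n + 1):
                for suffix in ("", "uvmpw", "winpw"):
                    if f"user{i}{suffix}" not in e:
                        problems.append(f"enrollusers={n} but user{i}{suffix} is missing")
                if e.get(f"user{i}ppexppolicy") == "0" and int(e.get(f"user{i}ppexpdays", "0")) <= 0:
                    problems.append(f"user{i}ppexppolicy=0 (expires) needs user{i}ppexpdays > 0")

    # Not an error in the guide, but clean=0 leaves every password above on disk.
    if s.get("clean", "0") != "1":
        problems.append("warning: clean=0 leaves the .ini (with passwords) on the target")
    return problems


if __name__ == "__main__":
    for line in validate_csec_ini(SAMPLE_INI) or ["ok"]:
        print(line)
```

Run it against the plaintext file before the Encrypt/Decrypt Setup Configuration File step; the checks are deliberately conservative readings of the descriptions above, so a finding is a prompt to re-read the relevant entry rather than proof that acamucli will reject the file.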
Upgrading your version of Client Security Software
Clients that have installed previous versions of Client Security Software should update their software to this version to take advantage of new Client Security features.
Important: TCG-compliant systems that had IBM Client Security Software Version 4.0x installed must uninstall IBM Client Security Software version 4.0x and clear the chip before installing this version of IBM Client Security Software. Failure to do so might result in an installation failure, or non-responsive software.
Upgrading using new security data
If you would like to completely remove Client Security Software and start over, complete the following procedure:
1. Uninstall your previous version of Client Security Software using the Control Panel Add/Remove Programs applet.
2. Reboot the system.
3. Clear the IBM embedded Security Chip in the BIOS Setup utility. Clearing the chip destroys the keys it holds, so decrypt or back up any data that depends on them (for example, files protected with File and Folder Encryption) before this step.
4. Reboot your system.
5. Install the latest version of Client Security Software and configure it using the IBM Client Security Software Setup Wizard.
Upgrading from CSS 5.0 or later using existing security data
If you would like to upgrade from Client Security Software Version 5.0 or later versions of the software using your existing security data, complete the following procedure:
1. Update your archive by completing the following steps:
   a. Click Start > Programs > Access IBM > IBM Client Security Software > Modify Your Security Settings.
   b. Click the Update key archive button to ensure that your backup information is updated.
      Note the archive directory.
   c. Exit the IBM Client Security Software User Configuration Utility.
2. Upgrade the existing version of Client Security Software by completing the following steps:
   a. From the Windows desktop, click Start > Run.
   b. In the Run field, type d:\directory\csec5xxus_00yy.exe, where d:\directory\ is the drive letter and directory where the executable file is located. xx and yy are alphanumeric.
   c. Select Upgrade.