1. Overview
1.1 The Quest ESSO Software Suite
1.2 Quest ESSO Architecture
1.3 Quest ESSO and Your Corporate LDAP Directory Infrastructure
2. Preparing the Storage of Security Data in the LDAP Directory
2.1 Active Directory
3 Installing Quest ESSO Controllers and Audit Databases
2.1.1 Global Installation Process within an Active Directory Infrastructure
2.1.2 Extending the Schema and Setting ACLs
2.1.3 Setting Indexes on Active Directory Attributes (Optional)
2.1.4 Configuring Secure Authentication and Data Securization
2.2 Active Directory + ADAM or AD LDS
2.2.1 Extending the Schema of ADAM/AD LDS
2.2.2 Preparing the ADAM/AD LDS Instance Administrator Account
2.2.3 Setting ACLs on ADAM/AD LDS
2.2.4 Setting Indexes on ADAM/AD LDS Attributes
2.3 OpenLDAP
2.2.4.1 Setting Indexes on Standard Attributes
2.2.4.2 Setting Indexes on Quest ESSO Specific Attributes
2.2.5 Configuring Secure Authentication and Data Securization
2.3.1 Extending the Schema of an OpenLDAP Directory
2.3.2 Setting ACLs on an OpenLDAP Directory
2.3.3 Setting Indexes on OpenLDAP Attributes
2.4 Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server
2.3.3.1 Setting Indexes on Standard Attributes
2.3.3.2 Setting Indexes on Quest ESSO Specific Attributes
2.3.4 Integrating SAMBA
2.3.5 Configuring Secure Authentication
2.3.6 Configuring Data Securization
2.4.1. Extending the Schema of a Netscape iPlanet /Sun Java System /Red Hat / Fedora Directory Server
2.4.2 Setting ACLs on a Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server
2.4.3 Setting Indexes on Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server Attributes
2.5 Novell eDirectory
2.4.3.1 Setting Indexes on Standard Attributes
2.4.3.2 Setting Indexes on Quest ESSO Specific Attributes
2.4.4 Configuring Secure Authentication
2.4.5 Configuring Data Securization
2.5.1 Extending the Schema of a Novell eDirectory
2.5.2 Setting ACLs for Delegation (Optional)
2.5.3 Setting Indexes on Novell eDirectory Attributes
2.6 IBM Tivoli Directory Server
2.5.3.1 Setting Indexes on Standard Attributes
2.5.3.2 Setting Indexes on Quest ESSO Specific Attributes
2.5.4 Configuring Secure Authentication (Optional)
2.5.5 Configuring Data Securization
2.6.1 Extending the Schema of an IBM Tivoli Directory Server
2.6.2 Setting ACLs on an IBM Tivoli Directory Server
2.6.3 Setting Indexes on IBM Tivoli Directory Server Attributes
2.6.4 Configuring Secure Authentication
2.6.5 Configuring Data Securization
2.7 Deploying a Workstation LDAP User Account
3.1 Starting the Administration Tools window
3.2 Running the Default Objects Creation Tool
3.3 Initializing the Primary Controller
3.4 Initializing an Associated Controller
3.5 Publishing a New Token Data File
3.6 Defining Administrative Tokens for Self Service Password Request
3.7 Importing an External Key
3.8 Importing/Exporting the Controller Key
3.9 Installing and Configuring the Local Audit Database
4 Installing and Configuring the Software Modules on the Workstations
3.9.1 Installing the Provided Audit V2 MySQL Database Server
3.9.2 Creating Audit V2 Tables in an Existing Database
3.9.3 Setting up the Connection to the Local Audit Database
3.9.4 Updating the Audit Translation Data
3.10 Declaring the Technical Accounts Used by the Quest ESSO Controllers
3.11 Defining a Master Audit Database
3.12 Installing a Quest ESSO Controller
4.1 Configuring Workstations
5 Enabling the Self Service Password Request (SSPR) Capability
6. Enabling OTP Authentication
7 Enabling the Group Membership Modification Feature
8 Centralizing Parameters Using Group Policy Objects (GPO)
4.1.1 Quest ESSO Configuration with Active Directory
4.1.2 Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory
4.2 Installing Microsoft Redistributables
4.3 Installing a Quest ESSO Client
4.4 Installing French Healthcare Smart Cards (CPS)
4.5 Installing Finger Vein Biometric Drivers
4.6 Modifying the Possible Domains List
8.1 Creating and Configuring Group Policy Objects Using an ADM File
8.2 Creating and Configuring Group Policy Objects Using ADMX Files (optional)
8.3 Description of the User Access Administrative Template (optional)
9 Installing Quest ESSO MSI Packages in Silent Mode
9.1 Installing Microsoft Redistributables in Silent Mode
9.2 Installing Quest ESSO Controller in Silent Mode
9.3 Installing Quest ESSO Client in Silent Mode
9.4 Installing Quest ESSO Web Server in Silent Mode
Appendix A: Advanced Configuration: Audit
A1 Audit Extension DLL Development Guide
Appendix B: Activating Traces
Appendix C: Retrieving the Serial Number on a MiFARE RFID Badge
A.1.1 Structure of Audit Event: _WG_AUDITEVENT
A.1.2 Structure of Audit Configuration: _WG_AUDITCONFIG
A.1.3 Prototypes of Functions to Export
A.2 Audited Events
1. Overview
Quest ESSO solution enables you to deploy a high level of security. It uses the corporate LDAP directory of your company to manage single sign-on (SSO) on this distributed LDAP architecture.
This guide explains how to install Quest ESSO (Quest ESSO gathers Advanced Login and Quest ESSO SSOWatch modules).
1.1 The Quest ESSO Software Suite
1.1.1 The Quest ESSO Security Services
Quest ESSO is composed of several software applications, which are running through a middleware, called the Quest ESSO Security Services. It is a Windows service, which is automatically installed during the Quest ESSO installation process. It provides the following services:
|
• |
 |
The Quest ESSO applications do not run directly with the LDAP directory of your company with your users’ tokens. All the operations are performed by the Security Services, in a secure system environment. |
The Security Services works directly with the corporate LDAP directory, except for the audit and administration services, for which it can use the Quest ESSO Controller.
1.1.2 Quest ESSO Components
|
SSOWatch is the single sign-on (SSO) engine. It is installed on the client workstations. This software module offers many optional components. | |
|
Advanced Login software module allows you to enforce users’ authentication and to use other authentication sources than Active Directory. When installed, it is used instead of the standard Windows log on dialog box.
Advanced Login allows users to log on their workstation using several authentication methods, as login/password, smart cards, or biometrics authentication methods.
| |
|
The Quest ESSO Controller is an administration server that enables the management of administration profiles.
The administration actions are not directly sent from the workstations to the LDAP account of the Quest ESSO administrator, but through the Quest ESSO Controller: upon the Quest ESSO installation, you will have to define an LDAP account that will be used by the Quest ESSO Controller to perform any Quest ESSO administration action on the LDAP directory.
You do not have to set different ACLs depending on the Quest ESSO administrators. You just have to set ACLs only once, on the LDAP account used by the Quest ESSO Controller, which manages the administration requests depending on the administration profiles defined using Quest ESSO Console.
The Quest ESSO Controller runs also as the Quest ESSO audit server. It retrieves audit information of the Quest ESSO workstations in an SQL database. The pieces of audit data are available through Quest ESSO Console, either globally, or contextually (that is depending on the selected audited Quest ESSO object). | |
|
Quest ESSO Console is a centralized administration and audit consultation tool that can be installed on any Quest ESSO workstation client. This administration console allows you also to define extended security policies by managing Access Points, and by defining authentication scheduling. |
 |
For details on supported authentication devices, see Release Notes. |