1. Overview
1.1 The Quest ESSO Software Suite
1.2 Quest ESSO Architecture
1.3 Quest ESSO and Your Corporate LDAP Directory Infrastructure
2. Preparing the Storage of Security Data in the LDAP Directory
2.1 Active Directory
3 Installing Quest ESSO Controllers and Audit Databases
2.1.1 Global Installation Process within an Active Directory Infrastructure
2.1.2 Extending the Schema and Setting ACLs
2.1.3 Setting Indexes on Active Directory Attributes (Optional)
2.1.4 Configuring Secure Authentication and Data Securization
2.2 Active Directory + ADAM or AD LDS
2.2.1 Extending the Schema of ADAM/AD LDS
2.2.2 Preparing the ADAM/AD LDS Instance Administrator Account
2.2.3 Setting ACLs on ADAM/AD LDS
2.2.4 Setting Indexes on ADAM/AD LDS Attributes
2.3 OpenLDAP
2.2.4.1 Setting Indexes on Standard Attributes
2.2.4.2 Setting Indexes on Quest ESSO Specific Attributes
2.2.5 Configuring Secure Authentication and Data Securization
2.3.1 Extending the Schema of an OpenLDAP Directory
2.3.2 Setting ACLs on an OpenLDAP Directory
2.3.3 Setting Indexes on OpenLDAP Attributes
2.4 Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server
2.3.3.1 Setting Indexes on Standard Attributes
2.3.3.2 Setting Indexes on Quest ESSO Specific Attributes
2.3.4 Integrating SAMBA
2.3.5 Configuring Secure Authentication
2.3.6 Configuring Data Securization
2.4.1. Extending the Schema of a Netscape iPlanet /Sun Java System /Red Hat / Fedora Directory Server
2.4.2 Setting ACLs on a Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server
2.4.3 Setting Indexes on Netscape iPlanet / Sun Java System / Red Hat / Fedora Directory Server Attributes
2.5 Novell eDirectory
2.4.3.1 Setting Indexes on Standard Attributes
2.4.3.2 Setting Indexes on Quest ESSO Specific Attributes
2.4.4 Configuring Secure Authentication
2.4.5 Configuring Data Securization
2.5.1 Extending the Schema of a Novell eDirectory
2.5.2 Setting ACLs for Delegation (Optional)
2.5.3 Setting Indexes on Novell eDirectory Attributes
2.6 IBM Tivoli Directory Server
2.5.3.1 Setting Indexes on Standard Attributes
2.5.3.2 Setting Indexes on Quest ESSO Specific Attributes
2.5.4 Configuring Secure Authentication (Optional)
2.5.5 Configuring Data Securization
2.6.1 Extending the Schema of an IBM Tivoli Directory Server
2.6.2 Setting ACLs on an IBM Tivoli Directory Server
2.6.3 Setting Indexes on IBM Tivoli Directory Server Attributes
2.6.4 Configuring Secure Authentication
2.6.5 Configuring Data Securization
2.7 Deploying a Workstation LDAP User Account
3.1 Starting the Administration Tools window
3.2 Running the Default Objects Creation Tool
3.3 Initializing the Primary Controller
3.4 Initializing an Associated Controller
3.5 Publishing a New Token Data File
3.6 Defining Administrative Tokens for Self Service Password Request
3.7 Importing an External Key
3.8 Importing/Exporting the Controller Key
3.9 Installing and Configuring the Local Audit Database
4 Installing and Configuring the Software Modules on the Workstations
3.9.1 Installing the Provided Audit V2 MySQL Database Server
3.9.2 Creating Audit V2 Tables in an Existing Database
3.9.3 Setting up the Connection to the Local Audit Database
3.9.4 Updating the Audit Translation Data
3.10 Declaring the Technical Accounts Used by the Quest ESSO Controllers
3.11 Defining a Master Audit Database
3.12 Installing a Quest ESSO Controller
4.1 Configuring Workstations
5 Enabling the Self Service Password Request (SSPR) Capability
6. Enabling OTP Authentication
7 Enabling the Group Membership Modification Feature
8 Centralizing Parameters Using Group Policy Objects (GPO)
4.1.1 Quest ESSO Configuration with Active Directory
4.1.2 Quest ESSO Configuration with a User Database or Directory other than Microsoft Active Directory
4.2 Installing Microsoft Redistributables
4.3 Installing a Quest ESSO Client
4.4 Installing French Healthcare Smart Cards (CPS)
4.5 Installing Finger Vein Biometric Drivers
4.6 Modifying the Possible Domains List
8.1 Creating and Configuring Group Policy Objects Using an ADM File
8.2 Creating and Configuring Group Policy Objects Using ADMX Files (optional)
8.3 Description of the User Access Administrative Template (optional)
9 Installing Quest ESSO MSI Packages in Silent Mode
9.1 Installing Microsoft Redistributables in Silent Mode
9.2 Installing Quest ESSO Controller in Silent Mode
9.3 Installing Quest ESSO Client in Silent Mode
9.4 Installing Quest ESSO Web Server in Silent Mode
Appendix A: Advanced Configuration: Audit
A1 Audit Extension DLL Development Guide
Appendix B: Activating Traces
Appendix C: Retrieving the Serial Number on a MiFARE RFID Badge
A.1.1 Structure of Audit Event: _WG_AUDITEVENT
A.1.2 Structure of Audit Configuration: _WG_AUDITCONFIG
A.1.3 Prototypes of Functions to Export
A.2 Audited Events
2.5.4 Configuring Secure Authentication (Optional)
With Novell eDirectory, Quest ESSO supports the following SASL mechanisms:
|
• |
NMAS: the SASL/NMAS mechanism allows the use of NMAS modular authentication from Novell, and allows a choice between available authentication sequences. Quest ESSO only supports the NDS sequence, which consists in a secure authentication with login and password. |
This section explains how to configure Quest ESSO for DIGEST-MD5 and NMAS with Novell eDirectory.
 |
To use NMAS authentication, the Novell NMAS Client software must be installed on your Quest ESSO Controller.
In the Windows registry, set the DWORD value HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod as follows:
|
• |
for NMAS: 4. |
|
• |
2.5.5 Configuring Data Securization
This section describes how to configure your LDAP directory to secure authentication information and other sensitive Quest ESSO data transmitted on the network.
Quest ESSO supports TLS and SSL, but it is strongly recommended to configure your LDAP directory to support TLS.
In the Windows registry, under the HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the following values:
|
• |
TLS: TLS activation. The following values are available: |
|
• |
0: TLS is not activated to secure Quest ESSO communications. |
|
|
It is strongly recommended to set the TLS value to 2. |
|
• |
TLSDemand: configures the behavior in case of TLS failure when it is activated: |
|
• |
TLSVerifyServerCertificate: checks the server certificate. |
|
• |
TLSCACertificateFile: enter the path to the CA certificate file. |
|
• |
TLSCACertificatePassword: enter the password used if needed to open the CA certificate file. |
 |
2.6 IBM Tivoli Directory Server
2.6.1 Extending the Schema of an IBM Tivoli Directory Server
To extend the schema of an IBM Tivoli Directory Server, two files are provided on the Quest ESSO installation package, in TOOLS\ESSODirectory\WGITDS:
|
|
User objects must possess the enatelUser auxiliary class to be able to use Quest ESSO. |
|
2. |