Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

1 Overview
2 Authenticating to Quest ESSO Console and Managing Protection Modes
3 Searching the Directory Tree
4 Managing Administrators
5 Managing Security Profiles
5.1 Managing Time Slices
5.2 Managing Password Format Control Policies
5.3 Managing User Security Profiles
5.4 Managing Access Point Security Profiles
5.5 Managing Application Security Profiles
5.6 Defining Security Profiles Default Values
5.7 Managing User and Access Point Security Profiles Priorities
6 Managing Directory Objects
6.1 Managing Applications
6.2 Managing Users
6.3 Managing Access Points
6.4 Managing Representative Objects
6.5 Managing Clusters of Access Points
6.6 Selecting a Domain Controller
7 Importing/Exporting Security Profiles and Directory Objects
8 Managing Smart Cards
8.1 Assigning Smart Cards to Users
8.2 Formatting Smart Cards
8.3 Forcing a new PIN
8.4 Disabling Temporarily Smart Cards
8.5 Unlocking Smart Cards
8.6 Sending Smart Cards to a Blacklist
8.7 Extending the Validity of a Smart Card
8.8 Allowing Users to Renew their Smart Card Certificates
8.9 Displaying Smart Card Properties
8.10 Displaying the List of Supported Smart Cards
8.11 Managing Smart Card Configuration Profiles
8.12 Managing Loan Cards
8.13 Managing Smart Cards' Authentication Parameters
8.14 Managing Batches of Smart Cards
9 Managing SA Server Devices
10 Managing RFID Tokens
11 Managing Biometric Enrolment
13 Enabling the Public Key Authentication Method
14 Managing the Emergency Plan
15 Managing Audit Events
16 Managing Reports
17 Customizing Configuration Files
18 Creating Scripts
Appendix A: Regular Expressions - Basic Syntax
Appendix B: Listing Audit Events and Error Codes
Appendix C: Correspondence Between Profile and Administration Rights

1.2.2 Domain Controller Selection

On Windows Server systems, a Domain Controller (DC) is a server that handles the security-related aspects of the interactions between users and the domain (authentication, permissions and so on) within the Windows domain.
Each domain controller holds a copy of the Active Directory database, kept consistent by multi-master replication, and belongs to an AD site.
Within a site, replication is fast (given an adequate network link); between sites it can take much longer, depending on the type of data replicated and on how inter-site replication is configured and scheduled. A change written through a DC in one site is therefore not immediately visible to clients that query a DC in another site.
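The following PowerShell script is an added example and is not part of the Quest ESSO guide or product. It shows the check a practitioner wants before relying on a change made through a given domain controller: which DC serves this workstation's site, which DCs sit in other sites behind slower inter-site replication, and whether a change to an attribute of a directory object has already converged on every DC. It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined; the distinguished name and attribute in the usage comment are placeholders to be replaced with the object and attribute you actually modified.

```powershell
# Added example, not from the Quest ESSO guide. Requires the RSAT
# ActiveDirectory module and a signed-in, domain-joined session.
Import-Module ActiveDirectory

# The DC the locator returns for this machine's AD site: the one to select
# in the console when your changes must be visible at once to clients here.
$nearestDc = Get-ADDomainController -Discover -ForceDiscover
"Nearest DC: {0} (site {1})" -f $nearestDc.HostName, $nearestDc.Site

# Every DC of the domain grouped by site. DCs in other sites receive your
# changes only when the inter-site replication schedule runs.
$allDcs = Get-ADDomainController -Filter *
$allDcs | Group-Object -Property Site | ForEach-Object {
    "{0}: {1}" -f $_.Name, (($_.Group.HostName) -join ', ')
}

# Has the last change to $Attribute on $ObjectDn reached every DC?
# Replication metadata carries a per-attribute version stamp that is identical
# on all DCs once the change has converged. Comparing that stamp is more
# reliable than comparing whenChanged, which is a non-replicated, per-DC value.
function Test-ReplicationConvergence {
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,
        [Parameter(Mandatory)] [string] $Attribute
    )
    $rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $meta = Get-ADReplicationAttributeMetadata -Object $ObjectDn `
                        -Server $dc.HostName -Properties $Attribute -ErrorAction Stop
            [pscustomobject]@{
                DC      = $dc.HostName
                Site    = $dc.Site
                Version = $meta.Version
                Changed = $meta.LastOriginatingChangeTime
                Origin  = $meta.LastOriginatingChangeDirectoryServerIdentity
                Error   = $null
            }
        } catch {
            # An unreachable DC or a missing attribute is reported, not hidden:
            # an unanswered DC must count as "not converged".
            [pscustomobject]@{
                DC      = $dc.HostName
                Site    = $dc.Site
                Version = $null
                Changed = $null
                Origin  = $null
                Error   = $_.Exception.Message
            }
        }
    }
    $rows | Format-Table -AutoSize | Out-Host

    $failed   = @($rows | Where-Object { $_.Error })
    $versions = @($rows | Where-Object { -not $_.Error } |
                  ForEach-Object Version | Sort-Object -Unique)
    # Converged only if every DC answered and all report the same version.
    return ($failed.Count -eq 0 -and $versions.Count -eq 1)
}

# Usage (placeholder DN and attribute; substitute the object you changed):
# Test-ReplicationConvergence -ObjectDn 'CN=jdoe,OU=Users,DC=example,DC=com' -Attribute 'description'
```

Run the convergence check against the attribute you changed in the console: if it returns $False, either a DC is unreachable (see the Error column) or the inter-site replication schedule has not yet run, and clients in the sites that still show the older version will keep reading the old value until it does.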
Quest ESSO Functionality
Quest ESSO introduces a way to select a specific domain controller to work on. There are two situations where the current domain controller can be changed:

1.3 A Multi-Domain Architecture

Quest ESSO data can be stored in the AD directories, in which case it is distributed across the forest: see the following figure showing a multi-domain architecture with Quest ESSO data stored in Active Directory.
When the Quest ESSO data is stored in the AD of a multi-domain forest, AD itself propagates the data to the other directories of the forest, but you must declare the Quest ESSO administrators in the other domains if they have to manage data stored in those domains, and you must declare representatives of users and access points if users have to log on to the workstations of the other domains.
Alternatively, Quest ESSO data is stored in a single place, an ADAM (Active Directory Application Mode) directory, and the administration console lets you see the data held in AD and in ADAM at the same time: see the following figure showing a multi-domain architecture with Quest ESSO data stored in ADAM.
When the Quest ESSO data is stored in ADAM, Quest ESSO administration is greatly simplified and is identical to single-domain administration.
The above illustration shows a Quest ESSO software architecture that allows administrators to manage users who reside in different LDAP domains.
The software architecture depends on the way the Quest ESSO module is installed. For details on the possible architectures depending on the LDAP directory infrastructure, see the Quest ESSO Installation Guide. The architecture comprises the following components:
The corporate LDAP directory, which held the company's baseline of users before the Quest ESSO architecture was implemented. During the installation of the software suite, the schema of this directory is extended with Quest ESSO specific classes and attributes.
The Quest ESSO Controllers (primary controller, secondary controllers, associated controllers), which provide administration and audit communications between client stations and the LDAP directory.
A centralized audit base (called the Master database), which contains all the log entries of every individual Quest ESSO Controller, covering both user action log entries and administration action log entries. In that case, the local SQL Server databases of the individual servers are only used to store audit events temporarily before forwarding them to the Master database. This audit base can be hosted on database engines other than SQL Server. For details on the supported databases, see the Release Notes.
The Quest ESSO client workstations, which communicate directly with the corporate LDAP directory and with the Quest ESSO Controllers (for administration and audit data). They are the users' access points to applications.
The applications of the Quest ESSO module, which are based on the Quest ESSO Security Services:
Quest ESSO Console: the centralized administration and audit consultation tool. This administration console can be installed on any client workstation and allows you to manage users who reside in different LDAP domains.
SSOWatch module of Quest ESSO and Enterprise SSO Studio: the Single Sign-On (SSO) tools.
Advanced Login: the tool for user authentication by password, smart card, RFID or biometrics, and for workstation security protection.

1.4 General Ergonomic Design

1.4.1 Home Window

The Quest ESSO Console home window (QESSO Console) gives access to all available Quest ESSO modules.
The status bar displays the name of the Quest ESSO Controller that Quest ESSO Console is currently using.
Gives access to the Directory panel, which allows you to manage all directory objects.
Gives access to the Smart Card panel, which allows you to manage smart cards.
Gives access to the RFID panel, which allows you to manage RFID badges.
Gives access to the Biometrics panel, which allows you to display and export the list of users who have enrolled their biometric data.
Gives access to the Mobile Phones panel (optional), which allows you to manage access using users' mobile phones.
Gives access to the Audit panel, which allows you to view and analyze audit events.
Gives access to the Reporting panel, which allows you to generate reports on applications and user accounts.