This section describes the steps necessary for installing Logon Manager.
Before you install Logon Manager, ensure the prerequisites listed in this section have been satisfied.
Note:
Please refer to the latest release notes to find out about last-minute requirements or changes that might affect your installation.
If you are installing Logon Manager on a 64-bit (x64) system, you must use the 64-bit installer files marked with the _x64 suffix. While the installers have been compiled for the 64-bit platform, Logon Manager itself is a 32-bit application that runs via the Windows-on-Windows 64-bit (WoW64) emulation engine and is installed into the "Program Files (x86)" parent directory. The 32-bit version of Logon Manager is fully compatible with the supported 64-bit operating systems listed below.
Oracle supports the installation of Logon Manager on the following 64-bit platforms:
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows XP
Windows 7
If you plan to synchronize with a database, or have the Reporting Service store application events in a database, you must install the appropriate database client in order to allow Logon Manager to connect to the database instance. Additionally, if you are installing Logon Manager on a 64-bit system and plan to connect to an Oracle database, you must install the 32-bit version of the Oracle database client on the target end-user machine; otherwise, the Reporting Service will not be able to connect to the Oracle database.
Note:
When installing on Windows XP, you must install the latest root certificate update from Microsoft; otherwise, the installation will fail.
For details and instructions, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/931125
In order to successfully install Logon Manager in unattended ("silent") mode, the Windows Management Instrumentation (WMI) service must be running before the installer is executed.
To check whether the WMI service is running, and start it if necessary, do the following on each target machine:
Open the System Management Console.
Open the Services snap-in.
Navigate to the Windows Management Instrumentation service and check its status and startup mode.
Depending on the status, do one of the following:
If the status is Started, the WMI service is running; proceed to the next section.
If the status is blank, check the service's startup type and start it as follows:
Double-click the service.
In the properties box that appears, set the startup type to Manual or Automatic, as dictated by your environment, and click Apply.
Click Start. The status changes to Started.
Click OK to close the service properties dialog box.
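The same check can be scripted for a fleet of target machines. The following PowerShell is an added example, not part of the Oracle guide; the function names are hypothetical, and it assumes an elevated prompt on the target machine. It reads the start mode from the service's registry key because a WMI query cannot answer while the WMI service itself is stopped.

```powershell
# Added example (not from the Oracle guide). Run from an elevated prompt.
# Winmgmt is the service name of Windows Management Instrumentation.

function Get-WmiServiceState {
    $svc = Get-Service -Name 'Winmgmt'
    # The Start value under the service key holds the startup type:
    # 2 = Automatic, 3 = Manual, 4 = Disabled.
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt').Start
    $mode = switch ($start) {
        2       { 'Automatic' }
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Other ($start)" }
    }
    New-Object PSObject -Property @{ Status = $svc.Status; StartMode = $mode }
}

function Start-WmiForSilentInstall {
    param(
        # Manual or Automatic, as dictated by your environment.
        [ValidateSet('Manual', 'Automatic')]
        [string]$StartupType = 'Manual'
    )

    $state = Get-WmiServiceState
    if ($state.Status -eq 'Running') {
        return $state                      # nothing to do
    }

    # A disabled service cannot be started until its startup type is changed.
    if ($state.StartMode -eq 'Disabled') {
        Set-Service -Name 'Winmgmt' -StartupType $StartupType
    }

    Start-Service -Name 'Winmgmt'
    # Throws a timeout exception if the service does not reach Running in 30 s,
    # so the unattended install is never launched against a stopped service.
    (Get-Service -Name 'Winmgmt').WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Get-WmiServiceState
}

Start-WmiForSilentInstall -StartupType Manual
```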
This section provides information on upgrading an existing Logon Manager installation to the latest version.
Upgrading to Logon Manager 11.1.2 is supported for the following versions of Logon Manager:
11.1.1.2.x
11.1.1.5.x
Oracle fully supports installing version 11.1.2 of Logon Manager on top of existing installations of Logon Manager as listed above. The installer will uninstall the previous version automatically, and then proceed with installation of the new version. Refer to the sections in this guide for more information on installing both the Logon Manager Administrative Console and the Logon Manager Agent.
Note:
If the original installer was customized using the Logon Manager Administrative Console, you must customize the new installer in the same manner before performing the upgrade; otherwise, your current Logon Manager settings will be overwritten by the defaults in the unmodified installer.
Oracle recommends that you do not change the primary logon method during an upgrade, as such a change introduces unneeded complexity to the process. Changes to the primary logon method should be undertaken as a separate project.
The following are the basic recommended steps to upgrade to Logon Manager 11.1.2.
Perform a backup of your existing credentials.
Run your installation as outlined in the sections, Installing the Oracle Enterprise Single Sign-On Administrative Console and Installing the Logon Manager Client-Side Software.
If deploying on Microsoft Active Directory, set the Use secure location for storing user settings option under Global Agent Settings > [TargetSettingsSet] > ADEXT to Yes and publish this setting to the repository as an administrative override.
Note:
Only deploy this override once all instances of Logon Manager have been upgraded to version 11.1.2.0.0 or above; otherwise, once Logon Manager 11.1.2.0.0 or above synchronizes with the repository, all previous versions will no longer be able to synchronize with the repository for that user. For more information on this setting, see the guide Securing Oracle Enterprise Single Sign-On Suite.
Update all of your repository objects (policies, templates, and so on) to the latest data schema used by the latest version of Logon Manager as follows:
Connect to your repository with the latest version of the Oracle Enterprise Single Sign-On Administrative Console.
Retrieve all of your templates, policies, and any other data from the repository and into the Console.
(Optional) Make any configuration changes in your templates and policies as desired.
Publish all of the retrieved objects back to your repository.
Note:
This procedure is mandatory and must be performed in a test environment before deploying Logon Manager to end-users. This is because the latest version of Logon Manager introduces a new data schema to its configuration objects, such as templates and policies, which is incompatible with objects created with previous versions of Logon Manager. Attempting to synchronize Logon Manager with a repository that has not been updated will result in data corruption. Oracle highly recommends that you create a separate OU in your repository to test your new configuration objects before deploying them enterprise-wide.
Restore your backed up credentials to the new installation.
Note:
The Passphrase Suppression setting is, as of the 11.1.5.1 release, configurable under Global Agent Settings > [TargetSettingsSet] > Authentication > Windows v2 > Recovery Method. The default is to display the passphrase. If you want to suppress the passphrase, you must change this setting.
Note that if you have a custom passphrase suppression (a DLL that implements the Secondary Authentication API), this DLL must return a unique GUID from its GetID function. Also, you must set the HKLM\Software\Passlogix\MsAuth\ResetMethods:ResetMethodGUID registry value to that GUID.
See the guide Administering Oracle Enterprise Single Sign-On Suite for more details.
After the installer has finished and your credentials are restored, the upgrade is complete. Refer to the Oracle Enterprise Single Sign-On Suite Release Notes to learn about the new product features.
Note:
If you have a previous version of Kiosk Manager installed and are updating it during this installation, you must first uninstall the previous Kiosk Manager using the Control Panel Add/Remove Programs or the Uninstall option of the earlier software installer.
For additional considerations with regard to Kiosk Manager, see the guide Administering Oracle Enterprise Single Sign-On Suite.
To install and configure Logon Manager:
Close all programs.
Execute one of the following files to begin the installation:
ESSO-LM.msi for 32-bit installations.
ESSO-LMx64.msi for 64-bit installations.
Note:
If you are installing in a language other than English and would like to launch the installer in the desired language, execute the following command:
msiexec /I <packagename>.msi TRANSFORMS=<language>.mst
where <packagename> is the name of the Logon Manager installer MSI package, and <language>.mst is the name of the corresponding language transform file (included in the installer archive).
On the Welcome Panel, click Next>.
Select a setup type. Typical provides a path to select commonly used program features easily. Advanced provides a detailed tree view of all the program features available for installation. If you select a typical setup, go to step 6; for an advanced setup, go to step 7.
Click Next.
The "Typical Setup" screen appears. Select your authentication methods and indicate whether you want to use multiple authenticators.
Authentication methods. In order to authenticate a user and grant access to stored credentials, Logon Manager offers a number of authentication methods implemented as authenticator plug-ins, with the most common method being a user name and password. In Active Directory environments, Logon Manager supports this authentication method through its Windows Logon (WinAuth) v2 plug-in.
If you are using a strong authentication method, refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide which describes specific settings that must be enabled within an authenticator to work with Logon Manager. It also describes all the Logon Manager Administrative Console settings and any steps that must be taken to integrate with Kiosk Manager.
Multiple Authenticators. The Authentication Manager feature adds the capability to enable multiple logon methods to authenticate the user. These logon methods can be the standard Logon Manager supported logon methods such as LDAP and Windows Logon v2, or the strong authenticators such as smart cards, proximity devices, and RSA SecurID tokens.
Click Next.
Select your repositories and indicate which audit logging capabilities should be installed. If you install the Oracle Enterprise Single Sign-On Reporting Server, refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide for configuration information. Click Next> and continue to the next step.
If you are performing an advanced setup, choose from the following installation options:
Application Support | |
---|---|
This option installs all necessary files and settings that serve as the core of the application, and allows you to select the application types for Logon Manager to interact with. | |
Web Integration | Helper objects that allow integration with Web browsers and external Web services. |
Mozilla Firefox | Helper object that adds Logon Manager support for Mozilla-based browsers. |
OAM Support | Helper object that adds Logon Manager support for Oracle Access Manager-protected browser applications. |
Google Chrome | Helper object that adds Logon Manager support for the Google Chrome browser. |
Windows | Support for Windows desktop applications. Windows support files are installed by default. These files cannot be deselected. |
Microsoft Internet Explorer | Helper object that adds Logon Manager support for Internet Explorer. Installed by default. |
Host/Mainframe Emulators | Helper object that adds Logon Manager support for HLLAPI-based emulators. |
Console Windows | Support for Console windows (command prompt) within the Logon Manager mainframe plug-in. |
PuTTY | Support for PuTTY windows within the Logon Manager mainframe plug-in. |
Java | Helper object that adds native Logon Manager support for Java applications. |
SAP | Helper object that adds SAP application support to Logon Manager. |
SoftID | Helper object that adds Logon Manager support for SoftID applications. See the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information on using this feature. To use this helper object, the Authentication Manager authenticator must be installed and selected as your Primary Logon Method. |
Authenticators | |
---|---|
The authenticators are plug-ins that provide different methods for logging on to Logon Manager. By default, Windows Logon v2 is installed. If you are installing Proximity Card, Read-Only Smart Card, RSA SecurID, Secure Data Storage, or Smart Cards, see the Oracle Enterprise Single Sign-On Suite Administrator's Guide. | |
Windows Logon (deprecated) | Deprecated plug-in that enables logging on to Logon Manager by logon to Windows. Note: Do not install this component unless explicitly instructed to do so by Oracle support. It is being provided for legacy purposes only. |
Windows Logon v2 | Plug-in that enables logging on to Logon Manager by logon to Windows with secure passphrase support. This authenticator is installed by default. |
GINA | Module that works with the Windows Logon v2 method. The GINA option is available only for Windows XP. You must select between GINA and Network Provider. It is not possible to install both methods. |
LDAP | Plug-in that enables logging on to Logon Manager by logon to an LDAP directory. |
LDAP v2 | Plug-in that enables logging on to Logon Manager by logon to an LDAP directory. This plug-in also includes secure passphrase support. |
Network Provider | Eliminates double authentication by utilizing the Network Provider mechanism to log on to Logon Manager. Supports all current Microsoft Windows operating systems. This feature has been moved to its own node, and is no longer a sub-feature of Windows Logon v2, as of version 11.1.1.5.1. |
Proximity Card | Authenticator plug-in that supports authentication with HID Proximity Cards. |
Smart Card | Plug-in that enables logging on to Logon Manager using MS-CAPI-capable smart cards. |
Smart Card (Read-Only) | Plug-in that enables logging on to Logon Manager using a Read-Only Smart Card. |
RSA SecurID | Plug-in that enables logging on to Logon Manager using one-time passwords generated by RSA SecurID tokens. |
Local Authentication Toolkit | Components needed to perform RSA SecurID authentication. |
Authentication Manager | This feature adds the capability to allow multiple logon methods to authenticate the user. If you want to use the Enrollment, Grade, and Order functionality, you must install this feature. |
Synchronizers | |
---|---|
This plug-in provides for the management of synchronization extensions to the application. The available synchronization plug-ins are: | |
Microsoft Active Directory | Synchronization plug-in that supports storage and retrieval of credentials and settings from an Active Directory server. |
Microsoft AD LDS (ADAM) | Synchronization plug-in that supports storage and retrieval of credentials and settings from an AD LDS (ADAM) server. |
LDAP | Plug-in that supports storage and retrieval of credentials and settings from an LDAP-compliant directory, such as Oracle Identity Manager. |
Database | Synchronization plug-in that supports storage and retrieval of credentials and settings from a database. |
Roaming Profile (deprecated) | Synchronization plug-in that supports roaming profiles. Do not install this component unless explicitly instructed to do so by Oracle support. It is being provided for legacy purposes only. |
File System | Synchronization plug-in that supports storage and retrieval of credentials and settings from a file share. |
Kiosk Manager | |
---|---|
Kiosk Manager | Plug-in that is available to support kiosk scenarios. To use Kiosk Manager, you must install the LDAP Authenticator and a synchronizer. You must also ensure that Windows Authenticator v2 is not installed. Refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information. |
Session Locking Support | Installs the Kiosk Manager session locking component to support kiosk scenarios. This component is not installed by default. If you install this component, the Kiosk Manager Agent (SMAgent) starts automatically. If you do not install the Kiosk Manager GINA, the Kiosk Manager Agent (SMAgent) does not start automatically, but events can be triggered through the command line from other applications. Using this scenario, you can install Kiosk Manager on a workstation and have it run only when executed. See the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information on using the command-line options. |
Password Reset | |
---|---|
Password Reset Client | Installs the client-side component of Password Reset which provides knowledge-based authentication and password reset functionality. You must install the Password Reset server-side component before you install the client-side component. Password reset is not installed as part of the Typical installation option. For more information on installing Password Reset, see Installing Password Reset. |
Provisioning Options | |
---|---|
Provisioning Gateway Client | Installs the Provisioning Gateway client-side software that provides remote credential provisioning functionality as well as credential delegation. You must install the Provisioning Gateway server component (as described in Installing Provisioning Gateway) before you install the client-side software. |
Credential Delegation | Installs the Provisioning Gateway credential delegation component, allowing a user to temporarily delegate one or more credentials to another user. Requires Provisioning Gateway to be installed and functional on the target machine. |
Privileged Accounts | Installs the Provisioning Gateway privileged accounts component, allowing a user to temporarily check out one or more credentials from an Oracle Privileged Account Manager server, temporarily enable single sign-on functionality for applications associated with that credential, and check the credential back in when it is no longer needed. Requires Provisioning Gateway to be installed and functional on the target machine. |
Audit Logging Methods | |
---|---|
This plug-in provides for the management of event logging extensions to the application. The available plug-ins are: | |
ESSO Reporting Server | Event Management plug-in that supports logging of events to the reporting service. |
Windows Event Manager | Event Management plug-in that supports logging of events to the Windows Event Manager. |
Syslog Server | Event Management plug-in that supports logging of events to a Syslog server. |
XML File | Event Management plug-in that supports logging of events to a local XML file. |
Database | Event Management plug-in that supports logging of events to a Database. |
Backup/Restore |
---|
This plug-in provides a simple file-based backup and restore mechanism via a wizard interface. |
Languages | |
---|---|
The localized language support packages that allow the Agent to be displayed in the displayed languages. |
Note:
To change the destination folder, click Change, navigate to the desired path, and click OK.
The InstallShield Wizard is ready to begin the installation. Click Install.
Wait for the installation to complete. When the "Completed" screen appears, click Finish.
The Logon Manager installation does not require restarting, except in the following scenarios:
If you installed the Windows Authentication v2 authenticator with the GINA or Network Provider components (Windows XP only), you will be prompted to restart your workstation after you click Finish. Continue with step 11 after restart.
If you installed Kiosk Manager, you must configure Logon Manager to synchronize with one of the synchronizers that you selected during installation. Refer to the Oracle Enterprise Single Sign-On Suite Administrator's Guide for instructions. Additionally, on Windows XP, do not install any other GINAs if you install the Kiosk Manager GINA. Restart your workstation after setting up synchronization, then continue with step 11.
After your workstation or server restarts, log on to Windows. The Logon Manager Welcome Screen/First Time Use (FTU) Wizard launches. Follow the instructions on the screen to complete the FTU Wizard. After the FTU is complete, an icon appears in the tool tray.
Note:
Refer to the Oracle Enterprise Single Sign-On Suite User's Guide and online help for information on completing the FTU Wizard and using Logon Manager.
This section describes the contents of the Logon Manager MSI installer. The feature names listed in this section are as they appear in the "Advanced Setup" section of the Logon Manager installer.
The following are mandatory core components - omitting them during command-line installation or when creating a customized MSI package will result in a non-functional installation:
Application Support (Core)
Provisioning Gateway Client (Provisioning)
At least one authenticator
At least one language pack
Oracle also recommends including the Internet Explorer support component in all Logon Manager deployments.
Additionally, note the following:
Feature names are case-sensitive.
The following features are mutually exclusive (i.e., only one can be installed at a time): SSOGINA, SSOGINA.x64, SMGina, SMAgent, Locking, SSONP, SSONP.x64
The MSI package contains critical components that are not listed in this section and should not be tampered with in any way, as they are essential to the proper functioning of Logon Manager and other Enterprise Single Sign-On Suite features. Only install/include, or uninstall/remove components listed in this section.
The ADDLOCAL command only installs components that are explicitly specified, plus their parent components and child components required by the parent. If you do not explicitly specify a component to be installed, it will not be installed. Omission of any of the mandatory core components listed above will result in a non-functional installation.
For example, specifying Chrome will also install its parent component Core, as well as Core_Support6 which is required by the Core component, but it will not install any language packs.
Example installation command:
msiexec /i <my.msi> ADDLOCAL="Core,Provisioning,MSauth,English_Pack,InternetExplorer"
Additional information on using the msiexec command-line tool can be found at the following URLs:
http://support.microsoft.com/kb/230781 and
http://technet.microsoft.com/en-us/library/cc759262(v=ws.10).aspx
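The rules above (case-sensitive names, mandatory components, parent expansion, mutually exclusive features) can be checked before an ADDLOCAL list is handed to msiexec. The following PowerShell is an added example, not Oracle code; the function names are hypothetical, the feature map is a subset of this page's feature tables, and the sample lists are constructed. It does not model the child components that a parent pulls in, such as Core_Support6.

```powershell
# Added example (not Oracle code): pre-flight validation of an ADDLOCAL list.
# Feature name -> parent, a subset copied from the feature tables on this page.
$FeatureParent = @{
    'Core'             = $null
    'WebIntegration'   = 'Core'
    'Chrome'           = 'WebIntegration'
    'InternetExplorer' = 'Core'
    'Provisioning'     = $null
    'Authenticators'   = $null
    'MSauth'           = 'Authenticators'
    'LDAPauth'         = 'Authenticators'
    'SSOGina'          = 'MSauth'
    'SSONP'            = 'Authenticators'
    'SSONP.x64'        = 'Authenticators'
    'Languages'        = $null
    'English_Pack'     = 'Languages'
    'German_Pack'      = 'Languages'
}
# Mutually exclusive names exactly as this page lists them. They are matched
# case-insensitively below because the list and the tables spell some differently.
$MutuallyExclusive = 'SSOGINA', 'SSOGINA.x64', 'SMGina', 'SMAgent', 'Locking', 'SSONP', 'SSONP.x64'

# Returns the feature followed by all of its ancestors.
function Get-FeatureChain([string]$Name) {
    $chain = @()
    while ($Name) { $chain += $Name; $Name = $FeatureParent[$Name] }
    return $chain
}

function Test-AddLocal {
    param([Parameter(Mandatory = $true)][string]$AddLocal)

    $problems  = @()
    $effective = @()
    foreach ($raw in $AddLocal.Split(',')) {
        $name = $raw.Trim()
        if ($raw -cne $name) { $problems += "Whitespace around '$name' in the list" }
        # -cnotcontains is the case-sensitive operator: 'msauth' is not 'MSauth'.
        if (@($FeatureParent.Keys) -cnotcontains $name) {
            $problems += "'$name' is not a known feature name (names are case-sensitive)"
            continue
        }
        $effective += Get-FeatureChain $name      # the feature plus its parents
    }
    $effective = @($effective | Select-Object -Unique)

    foreach ($required in 'Core', 'Provisioning') {
        if ($effective -cnotcontains $required) {
            $problems += "Mandatory component '$required' is missing"
        }
    }
    $auth = @($effective | Where-Object {
        $_ -ne 'Authenticators' -and (Get-FeatureChain $_) -contains 'Authenticators' })
    if ($auth.Count -eq 0) { $problems += 'No authenticator selected' }
    if (@($effective | Where-Object { $_ -like '*_Pack' }).Count -eq 0) {
        $problems += 'No language pack selected'
    }
    $clash = @($effective | Where-Object { $MutuallyExclusive -contains $_ })
    if ($clash.Count -gt 1) {
        $problems += "Mutually exclusive features selected together: $($clash -join ', ')"
    }

    New-Object PSObject -Property @{
        Valid     = ($problems.Count -eq 0)
        Effective = $effective
        Problems  = $problems
    }
}

# Constructed inputs: the page's example list, then a list with several defects
# (wrong case, stray space, missing Provisioning, GINA together with Network Provider).
Test-AddLocal 'Core,Provisioning,MSauth,English_Pack,InternetExplorer' | Format-List
Test-AddLocal 'Chrome,msauth,SSOGina,SSONP, German_Pack' | Format-List
```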
Application Support | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Application Support | Core | N/A | Mandatory for a functional installation. |
Web Integration | WebIntegration | Core | |
Mozilla Firefox | Mozilla | WebIntegration | |
OAM Support | OAMSupport | WebIntegration | |
Google Chrome | Chrome | WebIntegration | |
Windows | Core_Support6 | Core | |
Microsoft Internet Explorer | InternetExplorer | Core | Recommended. |
Host/Mainframe Emulators | MainframeEmulators | Core | |
Console Windows | DOSHelper | MainframeEmulators | |
PuTTY | PuttySupport | MainframeEmulators | |
Java | JavaHelper.x86 | Core | 32-bit OS only. |
Java | JavaHelper.x64 | Core | 64-bit OS only. |
SAP | SAP | Core | |
SoftID | SoftIdHO | Core |
Authenticators | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Authenticators | Authenticators | N/A | At least one authenticator is mandatory for a functional installation. |
Windows Logon | SLA | Authenticators | |
Windows Logon v2 | MSauth | Authenticators | |
GINA | SSOGina | MSauth | Windows XP 32-bit only. |
GINA | SSOGina.x64 | MSauth | Windows XP 64-bit only. |
LDAP | LDAP | Authenticators | |
LDAP v2 | LDAPauth | Authenticators | |
Network Provider | SSONP | Authenticators | 32-bit OS only |
Network Provider | SSONP.x64 | Authenticators | 64-bit OS only |
Proximity Card | ProxCardAuth | Authenticators | |
Smart Card | SCAuth | Authenticators | |
Smart Card (Read-Only) | ROSCAuth | Authenticators | |
RSA SecurID | SecurID | Authenticators | |
Local Authentication Toolkit (LAT) | LocalAuthToolkit | SecurID | |
Authentication Manager | MultiAuth | Authenticators |
Synchronizers | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Synchronizers | Synchronizers | N/A | |
Microsoft Active Directory | AD_Sync | Synchronizers | |
Microsoft AD LDS (ADAM) | ADAM_sync | Synchronizers | |
LDAP | LDAP_Sync | Synchronizers | |
Database | DB_Sync | Synchronizers | |
Roaming Profile (deprecated) | Roam_Sync | Synchronizers | |
File System | File_Sync | Synchronizers |
Kiosk Manager | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Kiosk Manager | SMAgent_Files | N/A | |
Session Locking Support | SMGina | SMAgent_Files | Windows XP only. |
Session Locking Support | SMAgent_Locking | SMAgent_Files | Windows 7 and above |
Password Reset Client | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Password Reset Client | PR_Components | N/A |
Provisioning Gateway Client | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Provisioning Gateway Client | Provisioning | N/A | |
Credential Delegation | DelegateMgr | Provisioning | |
Privileged Accounts | OpamMgr | Provisioning |
Audit Logging Methods | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Audit Logging Methods | EventMgr | N/A | |
ESSO Reporting Server | ReportingExt_Release | EventMgr | |
Windows Event Manager | WindowsEventExt | EventMgr | |
Syslog Server | SyslogEventExt | EventMgr | |
XML File | LocalFileExt | EventMgr | |
Database | DatabaseEventExt | EventMgr |
Backup/Restore | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Backup/Restore | BackupMgr | N/A |
Languages | |||
---|---|---|---|
Title (as seen in installer) | Feature Name | Feature Parent | Additional Information |
Languages | Languages | _TopLevel Feature | |
English | English_Pack | Languages | Mandatory. Automatically selected if any other language is selected with ADDLOCAL. |
Chinese (Simplified) | Chinese_Simplified_Pack | Languages | |
Traditional Chinese | Chinese_Traditional_Pack | Languages | |
Czech | Czech_Pack | Languages | |
Danish | Danish_Pack | Languages | |
Dutch | Dutch_Pack | Languages | |
Finnish | Finnish_Pack | Languages | |
French | French_Pack | Languages | |
German | German_Pack | Languages | |
Greek | Greek_Pack | Languages | |
Hungarian | Hungarian_Pack | Languages | |
Italian | Italian_Pack | Languages | |
Japanese | Japanese_Pack | Languages | |
Norwegian | Norwegian_Pack | Languages | |
Korean | Korean_Pack | Languages | |
Polish | Polish_Pack | Languages | |
Portuguese (Brazil) | Portuguese_Brazilian_Pack | Languages | |
Portuguese (Portugal) | Portuguese_Portugal_Pack | Languages | |
Romanian | Romanian_Pack | Languages | |
Russian | Russian_Pack | Languages | |
Slovak | Slovak_Pack | Languages | |
Spanish | Spanish_Pack | Languages | |
Swedish | Swedish_Pack | Languages | |
Thai | Thai_Pack | Languages | |
Turkish | Turkish_Pack | Languages |
This section describes the steps necessary to complete the installation of Logon Manager.
In order to complete the installation of the Mozilla Firefox Support component of Logon Manager, you must do the following after installing Logon Manager:
If Mozilla Firefox was running during the installation, close all of its instances and re-launch it,
Ensure that the component is enabled in the "Extensions" list in the "Add-Ons" panel in Mozilla Firefox,
Restart Logon Manager.
In the online documentation center, you will find the complete set of product-specific guides for the Oracle Enterprise Single Sign-On Suite. The following table lists the high-level tasks you will need to perform to complete your installation and deployment, and the documents associated with each task.
For This Task… | Refer to… |
---|---|
Configuring a repository | Deploying Logon Manager with a Directory-Based Repository |
Configuring the Agent | Oracle Enterprise Single Sign-On Suite Administrator's Guide |
Configuring authenticators | Oracle Enterprise Single Sign-On Suite Administrator's Guide |
Configuring application templates | Configuring and Diagnosing Logon Manager Application Templates |