IBM Client Security Software Version 5.3
========================================

IBM Client Security Software can only be used with IBM computers that contain the IBM Embedded Security Subsystem. This software consists of applications and components that enable IBM clients to secure their sensitive information through a secure hardware chip rather than through vulnerable software.

Before client user information can be protected, IBM Client Security Software must be installed on the client and users must be authorized to use the software. An easy-to-use Setup Wizard guides you through the entire installation process.

WARNING: At least one client user MUST be authorized to use UVM during setup. If NO user is authorized to use UVM when initially setting up Client Security Software, your security settings will NOT be applied and your information will NOT be protected. If you completed the Setup Wizard without authorizing any users, shut down and restart your system; then run the Client Security Setup Wizard from the Windows Start menu and authorize a Windows user to use UVM. This will enable IBM Client Security Software to apply your security settings and protect your sensitive information.

New in this release
-------------------

- Support for National Semiconductor TPM

  IBM Client Security Software now supports the security chip, or Trusted Platform Module (TPM), manufactured by National Semiconductor, which is available in the ThinkCentre M51, S51, and A51p.

- ThinkVantage Technologies GINA

  The IBM ThinkVantage Technologies (TVT) GINA is a transparent Windows logon replacement that offers improved interaction with other GINA products and enables multiple ThinkVantage Technology products (each with its own GINA) to coexist and work with other GINA products.

- Certificate Transfer Wizard

  The IBM Client Security Certificate Transfer Wizard guides you through the process of transferring the private keys associated with your digital certificates from the software-based Microsoft cryptographic service provider (CSP) to the hardware-based IBM Embedded Security Subsystem CSP. After the transfer, operations using the certificates will be more secure because the private keys will be protected by the IBM Embedded Security Subsystem.

- Support for TCG Software Specification (TSS) 1.1

  IBM Client Security Software now supports the latest software specification from the industry-standard Trusted Computing Group.

- Enhancements for credential roaming

  IBM Client Security Software now offers more control over removal and restriction of users and systems in the roaming environment.

Recommended software versions to use with this release
------------------------------------------------------

- IBM Password Manager Release 1.3
- IBM File and Folder Encryption Release 2.01

Known issues or limitations in CSS Version 5.3
----------------------------------------------

- Microsoft Windows XP Service Pack 2

  ACTION REQUIRED! This Warning applies to customers who use the IBM Embedded Security Subsystem (IBM ESS) on Windows XP systems, and only to those customers.

  Microsoft Windows XP Service Pack 2 (XP SP2) introduces a change to Windows that will prevent Client Security Software (the software component of the IBM Embedded Security Subsystem) from working. This affects all versions of Client Security Software except version 5.3. If you are using IBM ESS on a system running Windows XP and you intend to apply Windows XP SP2, you MUST also upgrade to CSS 5.3. This is a free upgrade and is available for download at http://www.pc.ibm.com/security on the World Wide Web.

- Atmel TPM device driver

  If you are upgrading from a previous version of IBM Client Security Software, you might need to update the TPM device driver for your system. The CSS installation process will prompt you to upgrade the device driver before proceeding. You might be prompted to upgrade your device driver if you are upgrading to CSS Release 5.3 on a system using a security chip manufactured by Atmel. If you see this prompt, you must download and install the latest device driver available on the CSS download Web site. The CSS installation process will ensure that the correct Atmel device driver is installed before allowing you to continue. If an older version of the device driver is installed, CSS will display a message prompting the user to install the new device driver before continuing.

  The upgrade operation for CSS and the Atmel device driver is as follows:

  1. Open the Windows Control Panel.
  2. Select Add/Remove Programs.
  3. Select Atmel TPM in the list of currently installed programs.
  4. Click the Remove button.
  5. Click Yes to remove the driver from the system.
  6. Install the updated Atmel device driver.
  7. Install Client Security Software.

  Note: Do not install both the Atmel TPM device driver and the National TPM device driver.

- Wireless network connection fails after transferring a user certificate

  Leaving the passphrase dialog open without entering a passphrase for an extended period might cause your wireless network connection to fail. If this occurs, disable and re-enable your wireless adapter after authenticating to IBM User Verification Manager (UVM).

- Simultaneous right-click encryption attempts might fail

  Attempting to encrypt multiple files at once using the right-click button might cause the encryption to fail. This is most likely to happen if the first file is very large. If this occurs, use the right-click button to encrypt the files individually.
- Fingerprint or smart card override passwords for limited users

  When an administrator updates a user fingerprint or smart card override password using the Administrator Console, an updated file is generated and placed in the user archive directory. The end user must then copy this updated file from the archive into the correct directory on the system. The usual means for doing this is to select Restore user configuration from archive in the User Configuration Utility. However, this option is only available to users with administrator privileges on the computer. Limited users are not able to retrieve an updated override password. Limited users must have an administrator manually copy the appropriate file to the Windows directory on the system.

- Guest users cannot use the File and Folder Encryption or Password Manager utilities

  The File and Folder Encryption and Password Manager utilities do not permit access to a guest user even though the guest user account is displayed in the Administrator Utility.

- Help for enabling security tokens for Lotus Notes 6.x is not available in all languages

  When you click the CSS Help on enabling security token for Lotus Notes button, the Client Security Software help system opens, but the information on how to enable a security token for Lotus Notes is available in English only.

- Roaming limitations

  - Using a CSS roaming server

    The CSS administrator password prompt will display whenever someone attempts to log on to the CSS roaming server. However, the computer can be used normally without entering this password.

  - Using the IBM Client Security Password Manager in a roaming environment

    Passwords stored on one system using IBM Client Security Password Manager can be used on other systems within the roaming environment. New entries are automatically retrieved from the archive when the user logs onto another system (if the archive is available) in the roaming network. Therefore, if a user is already logged onto one system, he must log off and log on again before any new entries will be available on the roaming network.

  - Internet Explorer certificate and roaming refresh delays

    Internet Explorer certificates are refreshed in the archive every 20 seconds. When a new Internet Explorer certificate is generated by a roaming user, the user must wait at least 20 seconds before importing, restoring, or changing his CSS configuration on another system. Attempting any of these actions before the 20 second refresh interval has elapsed will cause the certificate to be lost. Also, if the user was not connected to the archive when the certificate was generated, the user should wait 20 seconds after connecting to the archive to be sure the certificate is updated in the archive.

  - Lotus Notes password and credential roaming

    If Lotus Notes support is enabled, users' Lotus Notes passwords will be stored by UVM. Users will not need to enter their Notes password to log on to Lotus Notes. They will be asked for their UVM passphrase, fingerprint, smart card, etc. (depending on the security policy settings) to gain access to Lotus Notes. If a user changes his Notes password from within Lotus Notes, the Lotus Notes ID file is updated with the new password and UVM's copy of the Notes password is also updated.

    In a roaming environment, the user's UVM credentials will be available on other systems on the roaming network that the user can access. It is possible that UVM's copy of the Notes password might not match the Notes password in the ID file on other systems in the roaming network if the Notes ID file with the updated password is not also available on the other system. If this occurs, the user will not be able to access Lotus Notes.

    If a user's Notes ID file with the updated password is not also available on another system, the updated Notes ID file should be copied to the other systems in the roaming network so that the password in the ID file will match the copy stored by UVM. Alternately, users can run Modify Your Security Settings from the Start Menu and change the Notes password back to the old value. The Notes password can then be updated again via Lotus Notes.

  - Credential availability at logon in a roaming environment

    When an archive is located on a network share, the latest sets of user credentials are downloaded from the archive as soon as the user has access to the archive. At logon, users do not yet have access to network shares, so the latest credentials might not be downloaded until after system logon is complete. For example, if the UVM passphrase was changed on another system in the roaming network, or new fingerprints were registered on another system, those updates will not be available until the logon process is complete. If updated user credentials are not available, users should try the previous passphrase or other registered fingers to log on to the system. After logon is complete, the user's updated credentials will be available and the new passphrase and fingerprints will be registered with UVM.

  - Using Netscape in a roaming environment

    If you are using Netscape in a roaming environment, all systems in the roaming network must use the same version of Netscape. Credentials cannot be used across different versions, such as 4.8 and 7.1.

- Restoring keys

  After performing a key restore operation, you must restart the computer before you can continue using Client Security Software.

- Local and domain user names

  If domain and local user names are the same, you should use the same Windows password for both accounts. IBM User Verification Manager only stores one Windows password per ID, so users should use the same password for local and domain logon. If not, they will be prompted to update the IBM UVM Windows password when they switch between local and domain logons while the IBM UVM secure Windows logon replacement is enabled.

  CSS does not provide the ability to enroll separate domain and local users with the same account name. If you attempt to enroll local and domain users with the same ID, the following message is displayed:

    The selected user ID has already been configured.

  CSS does not allow separate enrollment of common domain and local user IDs on one system, so that the common user ID will have access to the same set of credentials (certificates, stored fingerprints, etc.).

- Re-installing Targus fingerprint software

  If the Targus fingerprint software is removed and re-installed, the registry entries needed to enable fingerprint support in Client Security Software must be added manually. Download the registry file that contains the needed entries (atplugin.reg) and double-click it to have the registry entries merged into the registry. Click Yes, when prompted, to confirm this operation. The system must be rebooted for Client Security Software to recognize the changes and enable fingerprint support.

  Note: You must have administrator privileges on the system in order to add these registry entries.

- Targus USB fingerprint reader

  If you change the port that the Targus USB fingerprint reader is connected to, the IBM User Verification Manager might experience problems recognizing user fingerprints. If this occurs, switch the USB reader back to the port it was originally attached to.

- BIOS supervisor passphrase

  IBM Client Security Software 5.3 and earlier does not support the BIOS supervisor passphrase feature available on some ThinkPad systems. If you enable use of the BIOS Supervisor Passphrase, any enabling and disabling of the security chip must be done from BIOS Setup.
  The IBM Embedded Security Subsystem will not be enabled during interactive installation when a BIOS supervisor password has been set.

- Using Netscape 7.x

  Netscape 7.x behaves differently from Netscape 4.x. The passphrase prompt does not appear as soon as Netscape is started. Rather, the PKCS#11 module is only loaded when needed, so the passphrase prompt only appears when performing an operation that requires the PKCS#11 module.

- Using a diskette for archiving

  If you specify a diskette as your archive location when configuring the security software, long delays will be experienced as the configuration process writes data to the diskette. Some other medium, such as a network share or a USB key, might be a superior archive location.

- Registering smart cards

  Smart cards must be registered with UVM before a user can successfully authenticate using the card. If one card is assigned to multiple users, only the last user to register the card will be able to use the card. Consequently, smart cards should be registered for one user account only.

- Authenticating with smart cards

  If a smart card is required for authentication, UVM will display a dialog requesting the smart card. When the smart card is inserted in the reader, a dialog requesting the smart card PIN will be displayed. If the user enters an incorrect PIN, UVM will request the smart card again. The smart card must be removed and re-inserted before the PIN can be re-entered. Users must continue to remove and re-insert the smart card until the correct PIN for the card is entered.

- The plus (+) character is displayed on folders after encryption

  After encrypting files or folders, Windows Explorer might display an extraneous plus (+) character before the folder icon. This extra character will disappear when the Explorer window is refreshed.

- File count after right-click encryption

  When attempting to encrypt multiple files using the right-click encryption function, the operation might fail if any of the files being encrypted are of a prohibited type, such as DLL, VxD, SYS, etc. When the right-click operation fails, the number of files not encrypted displayed in the error window might be incorrect.

- Archiving user credentials

  IBM Client Security Software attempts to keep backup information stored in the archive up-to-date by frequently backing up the information on the system into the archive directory (specified during configuration of the security subsystem). If this archive directory is stored on a removable media drive, such as a USB key, or on a network share, the archive directory might not always be available. In the event that CSS cannot access the archive directory, a message prompt will be displayed indicating that the archive is not available. Clicking Cancel will merely cancel the attempt to back up a specific file, and because CSS might be attempting to back up multiple files, the message might be displayed multiple times. To avoid having this message displayed repeatedly when the archive is not available, select the Do not show this message again check box. The warning message will not be displayed again.

- Windows XP Home limited user limitations

  Windows XP Home limited users cannot update their UVM passphrase, Windows password, or key archive using the User Configuration Utility.

- A system POST 190 error might occur under the following circumstances:

  - When rebooting your system after restoring keys following a clearing of the security chip
  - When installing a new system board

  To clear the POST error, complete the following procedure:

  1. Restart your computer.
  2. Press F1 to enter the BIOS Setup Utility when prompted.
  3. Exit the BIOS Setup Utility.

  The POST error will be cleared when you exit the BIOS Setup Utility.
CSS 5.3: Supported GINAs
------------------------

- Cisco LEAP (cswgina.dll)
- Novell Netware (nwgina.dll)
- IBM Rapid Restore Ultra (xpgina.dll, 2kgina.dll)

Upgrading from Release 4.0x
---------------------------

To completely remove Client Security Software, simply uninstall Client Security Software Release 4.0x from the Control Panel Add/Remove Programs applet. After restarting the computer, Client Security Software Release 5.3 can be installed and configured through the Setup Wizard.

To complete the following procedure, you will need the public and private keys that were created when Release 4.0x was configured. Be sure to have them available.

To remove Client Security Software Release 4.0x, but use your existing security data with Release 5.3, complete the following procedure:

1. Update the archive information. Before removing Client Security Release 4.0x, be sure the archive information is up-to-date. This can be done by completing the following procedure:
   1. Click Start, select Programs, select IBM Client Security Software, then click Client Utility.
   2. Click the Update Archive button. This updates the backup information. Take note of the archive directory.
   3. Exit the utility.

2. Remove the existing Client Security Software from the computer, using the following procedure:
   1. From the Control Panel, use Add/Remove Programs to remove IBM Client Security Software.
   2. Select No when prompted for reboot.
   3. Shut down the system using the Start menu.

3. Clear the Embedded Security Chip, using the following procedure:
   1. Power up the system.
   2. Press F1 during startup to enter the BIOS Setup Utility.
   3. Go to Security Chip Settings and clear the security chip.
   4. Exit BIOS Setup and the system will continue to reboot.

   Note: You might need to press and hold the Fn key during startup. The Chip Clear procedure varies between systems. Refer to the user guide that came with your computer.

4. Install IBM Client Security Release 5.3, using the following procedure:
   1. Run the Release 5.3 installation program.
   2. Reboot when prompted. After reboot, the Client Security Setup Wizard will automatically launch.
   3. Do not run the Setup Wizard. Rather, click Cancel to exit.

5. Temporarily back up the default security policy, using the following procedure:
   1. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\IBM\security).
   2. Right-click the UVM_Policy folder and select Copy.
   3. Right-click the desktop and select Paste. This will create a temporary backup on the desktop.

   Note that your existing security policy settings will be replaced with new defaults.

6. Restore settings from Release 4.0, using the following procedure:
   1. From the Control Panel, select the IBM Embedded Security System, and enter the chip password.
   2. Click the Key Configuration button.
   3. Select Yes to restore keys from the key archive.
   4. Provide the location of the Release 4.0 archive directory.
   5. Provide the location of the public and private key files that were created when Release 4.0x was configured. You will be notified that your archive will be updated for the new release.
   6. Click OK.
   7. Provide a location to create new (Release 5.3) archive keys. Be sure to create the keys in a location different from the location of your existing Release 4.0x archive keys. If you have administrator keys you already created for Release 5.3 on another system, you can select Use an existing CSS Archive key pair and provide the location of the existing keys.
   8. Click Next. Your archive will be converted and restored.
   9. Exit the application when finished.

7. Restore policy settings, using the following procedure:
   1. Using Windows Explorer, go to the IBM Client Security Software install directory (default is c:\program files\IBM\security).
   2. Using the left mouse button, drag the UVM_Policy folder from the desktop to the IBM Client Security Software install directory.
   3. Answer 'Yes' to all warnings.

Your security data has now been migrated from Release 4.0 to Release 5.3. If you previously changed your security policy in Release 4.0x, you might want to re-submit your security policy settings by running the IBM Embedded Security Subsystem from the Control Panel. Click Configure Application Support and Policies, then Application Policy, and then Edit Policy.
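A scripted form of the policy backup (step 5) and restore (step 7) from the procedure above, added here as an example; it is not IBM's code and not part of Client Security Software. The install directory default is the one given in the procedure; the parameter names, the desktop backup location, and the requirement for PowerShell 3.0 or later are assumptions.

```powershell
# Added example: back up the UVM_Policy folder to the desktop before the
# Release 4.0x key restore, then copy it back afterwards. Usage:
#   .\uvm-policy.ps1 -Action Backup      (procedure step 5)
#   .\uvm-policy.ps1 -Action Restore     (procedure step 7)
param(
    [ValidateSet('Backup', 'Restore')]
    [string]$Action = 'Backup',
    # Default install directory as stated in the upgrade procedure
    [string]$InstallDir = 'C:\Program Files\IBM\Security',
    # Assumed backup location: the current user's desktop, as in the manual steps
    [string]$BackupRoot = [Environment]::GetFolderPath('Desktop')
)

$policyDir = Join-Path $InstallDir 'UVM_Policy'
$backupDir = Join-Path $BackupRoot 'UVM_Policy'

# Counts files recursively so backup and source can be compared
function Get-PolicyFileCount([string]$Path) {
    (Get-ChildItem -Path $Path -Recurse -File -ErrorAction Stop).Count
}

switch ($Action) {
    'Backup' {
        if (-not (Test-Path $policyDir)) {
            throw "Policy folder not found: $policyDir (is CSS 5.3 installed?)"
        }
        # Never silently overwrite an earlier backup of the policy
        if (Test-Path $backupDir) {
            throw "A backup already exists at $backupDir; move it aside first"
        }
        Copy-Item -Path $policyDir -Destination $backupDir -Recurse
        $src = Get-PolicyFileCount $policyDir
        $dst = Get-PolicyFileCount $backupDir
        if ($src -ne $dst) { throw "Backup incomplete: $dst of $src files copied" }
        Write-Host "Backed up $src policy file(s) to $backupDir"
    }
    'Restore' {
        if (-not (Test-Path $backupDir)) {
            throw "No backup found at $backupDir; nothing to restore"
        }
        if (-not (Test-Path $InstallDir)) {
            throw "Install directory not found: $InstallDir"
        }
        # -Force overwrites the new default policy files; this is the scripted
        # equivalent of answering 'Yes' to all warnings in step 7
        Copy-Item -Path $backupDir -Destination $InstallDir -Recurse -Force
        Write-Host "Restored $(Get-PolicyFileCount $backupDir) policy file(s) to $policyDir"
    }
}
```

Run it from an administrator session, since the install directory under Program Files is not writable by limited users.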